Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Oct. 8 and Oct. 15. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats are subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. A visual depiction of the MITRE ATT&CK techniques associated with each threat is also shown. In these images, the brightness of the technique indicates how prevalent it is across all threat files where dynamic analysis was conducted. There are five distinct shades that are used, with the darkest indicating that no files exhibited technique behavior and the brightest indicating that technique behavior was observed from 75 percent or more of the files.

The most prevalent threats highlighted in this roundup are:

Threat Name | Type | Description
Win.Trojan.Zbot-9899961-0 | Trojan | Zbot, also known as Zeus, is a trojan that steals information, such as banking credentials, using methods such as key-logging and form-grabbing.
Win.Packed.Tofsee-9900223-1 | Packed | Tofsee is multi-purpose malware that features a number of modules used to carry out various activities such as sending spam messages, conducting click fraud, mining cryptocurrency, and more. Infected systems become part of the Tofsee spam botnet and are used to send large volumes of spam messages to infect additional systems and increase the size of the botnet under the operator's control.
Win.Dropper.NetWire-9900023-0 | Dropper | NetWire is a remote access trojan (RAT) that allows attackers to execute commands on the infected host, log keystrokes, interact with a webcam, remote desktop, and read data from connected USB devices. NetWire is commonly delivered through Microsoft Office documents with macros, sent as attachments on malicious emails.
Win.Dropper.Lokibot-9900252-1 | Dropper | Lokibot is an information-stealing malware that siphons off sensitive information stored on an infected device. It is modular in nature, and contains the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered via spam emails.
Win.Dropper.Remcos-9900255-1 | Dropper | Remcos is a remote access trojan (RAT) that allows attackers to execute commands on the infected host, log keystrokes, interact with a webcam, and capture screenshots. This malware is commonly delivered through Microsoft Office documents with macros, sent as attachments on malicious emails.
Win.Trojan.Fareit-9900344-0 | Trojan | The Fareit trojan is primarily an information stealer with the functionality to download and install other malware.
Win.Packed.Passwordstealera-9900629-0 | Packed | This malware has the ability to harvest stored credentials, keystrokes, screenshots, network activity and more from computers where the software is installed.
Win.Ransomware.TeslaCrypt-9901319-0 | Ransomware | TeslaCrypt is a well-known ransomware family that encrypts a user's files with strong encryption and demands Bitcoin in exchange for a file decryption service. A flaw in the encryption algorithm was discovered that allowed files to be decrypted without paying the ransom, and eventually, the malware developers released the master key allowing all encrypted files to be recovered easily.
Win.Packed.Cryptbot-9901331-1 | Packed | Cryptbot is an information-stealing trojan that attempts to siphon off passwords and other credentials on an infected machine. It typically masquerades as legitimate software to trick users into installing it.

Threat Breakdown

Win.Trojan.Zbot-9899961-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 22 samples
Registry Keys | Occurrences
<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\159 | 22
<HKCU>\SOFTWARE\MICROSOFT\IKCUPIZOYJI | 1
<HKCU>\SOFTWARE\MICROSOFT\IKCUPIZOYJI (Value Name: 9c6ce2j) | 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: Obofor) | 1
<HKCU>\SOFTWARE\MICROSOFT\IKCUPIZOYJI (Value Name: 1e3a7hgh) | 1
<HKCU>\SOFTWARE\MICROSOFT\IKCUPIZOYJI (Value Name: e3d4491) | 1
Mutexes | Occurrences
GLOBAL\{<random GUID>} | 1
Local\{<random GUID>} | 1
IP Addresses contacted by malware (does not indicate maliciousness) | Occurrences
Domain Names contacted by malware (does not indicate maliciousness) | Occurrences

*See JSON for more IOCs

Files and/or directories created | Occurrences
%TEMP%\NSO9414.bat | 1
%HOMEPATH%\AppData\LocalLow\ytbaom.igy | 1
%APPDATA%\Etqai | 1
%APPDATA%\Etqai\obofor.exe | 1
%TEMP%\ADA997F.bat | 1
%APPDATA%\Evhye\mizadi.exe | 1

File Hashes

Coverage

Product | Protection
Secure Endpoint | This has coverage
Cloudlock | N/A
CWS | This has coverage
Email Security | This has coverage
Network Security | This has coverage
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Secure Malware Analytics | This has coverage
Umbrella | N/A
WSA | This has coverage

Screenshots of Detection

Secure Endpoint


Secure Malware Analytics


MITRE ATT&CK


Win.Packed.Tofsee-9900223-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 42 samples
Registry Keys | Occurrences
<HKU>\.DEFAULT\CONTROL PANEL\BUSES (Value Name: Config4) | 22
<HKU>\.DEFAULT\CONTROL PANEL\BUSES | 22
<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\159 | 22
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> | 22
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> (Value Name: Type) | 22
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> (Value Name: Start) | 22
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> (Value Name: ErrorControl) | 22
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> (Value Name: DisplayName) | 22
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> (Value Name: WOW64) | 22
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> (Value Name: ObjectName) | 22
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> (Value Name: Description) | 22
<HKU>\.DEFAULT\CONTROL PANEL\BUSES (Value Name: Config1) | 22
<HKU>\.DEFAULT\CONTROL PANEL\BUSES (Value Name: Config2) | 22
<HKU>\.DEFAULT\CONTROL PANEL\BUSES (Value Name: Config3) | 22
<HKU>\.DEFAULT\CONTROL PANEL\BUSES (Value Name: Config0) | 22
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> (Value Name: ImagePath) | 18
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS (Value Name: C:\Windows\SysWOW64\yikfbtso) | 3
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS (Value Name: C:\Windows\SysWOW64\oyavrjie) | 2
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS (Value Name: C:\Windows\SysWOW64\vfhcyqpl) | 2
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS (Value Name: C:\Windows\SysWOW64\eoqlhzyu) | 2
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS (Value Name: C:\Windows\SysWOW64\xhjeasrn) | 2
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS (Value Name: C:\Windows\SysWOW64\nxzuqihd) | 1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS (Value Name: C:\Windows\SysWOW64\mwytphgc) | 1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS (Value Name: C:\Windows\SysWOW64\wgidzrqm) | 1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS (Value Name: C:\Windows\SysWOW64\pzbwskjf) | 1
IP Addresses contacted by malware (does not indicate maliciousness) | Occurrences

*See JSON for more IOCs

Domain Names contacted by malware (does not indicate maliciousness) | Occurrences

*See JSON for more IOCs

Files and/or directories created | Occurrences
%TEMP%\<random, matching '[a-z]{8}'>.exe | 36
%System32%\config\systemprofile:.repos | 35
%System32%\<random, matching '[a-z]{7,8}'>\<random, matching '[a-z]{6,8}'>.exe (copy) | 35
%SystemRoot%\SysWOW64\config\systemprofile | 22
%SystemRoot%\SysWOW64\config\systemprofile:.repos | 22
%SystemRoot%\SysWOW64\<random, matching '[a-z]{8}'> | 21
%TEMP%\glhzxam.exe | 1
%TEMP%\fkgywzl.exe | 1
%TEMP%\otphfiu.exe | 1

File Hashes

*See JSON for more IOCs

Coverage

Product | Protection
Secure Endpoint | This has coverage
Cloudlock | N/A
CWS | This has coverage
Email Security | This has coverage
Network Security | This has coverage
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Secure Malware Analytics | This has coverage
Umbrella | This has coverage
WSA | This has coverage

Screenshots of Detection

Secure Endpoint


Secure Malware Analytics


MITRE ATT&CK


Win.Dropper.NetWire-9900023-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 19 samples
Registry Keys | Occurrences
<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\159 | 19
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: bfsvc.exe) | 1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: displaykey) | 1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: sdiufsdoufbosdfusdf) | 1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: MSBuild) | 1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: siucxyviusdddss) | 1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: slidnfousdbnfousdfnsdf) | 1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: svhost) | 1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: Skype) | 1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: notepad) | 1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: Fenrir) | 1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: ssssfdgvsdVCaWDEWFEGFDSVSDFGVSD22225R2WER) | 1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: Microsoft Window) | 1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: asiuydyxcyccc) | 1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: otuuzbek) | 1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: svchost0982374-2390487) | 1
Mutexes | Occurrences
- | 3
9DAA44F7C7955D46445DC99B | 2
OWZCEN323F | 1
Remcos_Mutex_Inj | 1
vPrrgJFBbFCMmRUhAAGLuHLEYE | 1
owGYbEgeDqGveNidINrSFcoig | 1
QDHTMSVRYiErLTwFAkbXeSovWEgc | 1
gSioxDHMmpAClwRUURwVFgNXbNJ | 1
grLGSEYGsNmDzYoikpeuiegAHb | 1
aozZhEtRlqmIFFBMlmiEGFxSAJ | 1
WavvxbajmYFqTEIJmcJwmYEOGpMjB | 1
gqpTIzHLPzoNMEdnaQAcEILEclD | 1
JwLTUxlnbqnMViQskymNhEXZIKo | 1
vLMEQNzQeVTgibLFhAFuHmztiJcByR | 1
Remcos-LKK4DE | 1
JVSTrufO | 1
Rhuuhhrhhrggdgeyeyey-NJ0NI8 | 1
Remcos-5JSLAN | 1
Domain Names contacted by malware (does not indicate maliciousness) | Occurrences
Files and/or directories created | Occurrences
%LOCALAPPDATA%\Microsoft\CLR_v2.0_32\UsageLogs\<exe name>.log | 19
%APPDATA%\Oracle\svhost.exe | 5
%APPDATA%\Oracle | 3
%APPDATA%\7C7955\5D4644.lck | 2
%APPDATA%\Microsoft\Crypto\RSA\S-1-5-21-1160359183-2529320614-3255788068-500\a18ca4003deb042bbee7a40f15e1970b_24e2b309-1719-4436-b195-573e7cb0f5b1 | 2
%APPDATA%\OWZCEN323F | 1
%APPDATA%\OWZCEN323F\bfsvc.exe | 1
%APPDATA%\Install\.IgHiJkLiO | 1
%APPDATA%\remcos\logs.dat | 1
%TEMP%\~$fil.xlsx | 1
%TEMP%\fil.xlsx | 1
%APPDATA%\OWZCEN323F\winhlp32.exe | 1
%TEMP%\94218.bat | 1
%APPDATA%\Install\MSBuild.exe | 1
%APPDATA%\lkjhs.dat | 1
%TEMP%\97156.bat | 1

File Hashes

Coverage

Product | Protection
Secure Endpoint | This has coverage
Cloudlock | N/A
CWS | This has coverage
Email Security | This has coverage
Network Security | N/A
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Secure Malware Analytics | This has coverage
Umbrella | This has coverage
WSA | This has coverage

Screenshots of Detection

Secure Endpoint


Secure Malware Analytics


MITRE ATT&CK


Win.Dropper.Lokibot-9900252-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 49 samples
Registry Keys | Occurrences
<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\159 | 49
Mutexes | Occurrences
3749282D282E1E80C56CAE5A | 42
9DAA44F7C7955D46445DC99B | 22
Global\ae937b61-224a-11ec-b5f8-00501e3ae7b6 | 1
Global\73856101-224a-11ec-b5f8-00501e3ae7b6 | 1
Domain Names contacted by malware (does not indicate maliciousness) | Occurrences
phoenixdevs[.]ir | 42
Files and/or directories created | Occurrences
%APPDATA%\D282E1 | 42
%APPDATA%\D282E1\1E80C5.lck | 42
%APPDATA%\Microsoft\Crypto\RSA\S-1-5-21-2580483871-590521980-3826313501-500\a18ca4003deb042bbee7a40f15e1970b_d19ab989-a35f-4710-83df-7b2db7efe7c5 | 42
\TEMP\test.exe | 42
\test.exe | 22
%APPDATA%\7C7955\5D4644.lck | 22
%APPDATA%\Microsoft\Crypto\RSA\S-1-5-21-1160359183-2529320614-3255788068-500\a18ca4003deb042bbee7a40f15e1970b_24e2b309-1719-4436-b195-573e7cb0f5b1 | 22
%APPDATA%\7C7955\5D4644.exe (copy) | 22

File Hashes

*See JSON for more IOCs

Coverage

Product | Protection
Secure Endpoint | This has coverage
Cloudlock | N/A
CWS | This has coverage
Email Security | This has coverage
Network Security | This has coverage
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Secure Malware Analytics | This has coverage
Umbrella | This has coverage
WSA | This has coverage

Screenshots of Detection

Secure Endpoint


Secure Malware Analytics


MITRE ATT&CK


Win.Dropper.Remcos-9900255-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 47 samples
Registry Keys | Occurrences
<HKCU>\SOFTWARE\REMCOS_EWBKENDENHPKPEP | 31
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: remcos) | 30
<HKCU>\SOFTWARE\REMCOS_EWBKENDENHPKPEP (Value Name: EXEpath) | 30
<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\159 | 13
Mutexes | Occurrences
Remcos_Mutex_Inj | 30
remcos_ewbkendenhpkpep | 30
Global\{176627fc-9b6d-4f0a-ab26-654a31d03cfd} | 13
Global\be11e4e1-f6ea-11eb-b5f8-00501e3ae7b6 | 1
IP Addresses contacted by malware (does not indicate maliciousness) | Occurrences
185[.]140[.]53[.]37 | 30
185[.]244[.]29[.]216 | 13
Files and/or directories created | Occurrences
\TEMP\test.exe | 44
%TEMP%\install.bat | 31
%SystemRoot%\remcos\remcos.exe | 31
%APPDATA%\remcos | 30
%SystemRoot%\remcos | 30
\test.exe | 22
%APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5 | 13
%APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\Logs | 13
%APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\Logs\Administrator | 13
%APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\run.dat | 13
%APPDATA%\24E2B309-1719-4436-B195-573E7CB0F5B1\run.dat | 5
%LOCALAPPDATA%\Mozilla\Firefox\Profiles\ogpxv0ba.default\startupCache\scriptCache-child-new.bin | 1
%LOCALAPPDATA%\Mozilla\Firefox\Profiles\ogpxv0ba.default\startupCache\scriptCache-child.bin (copy) | 1
%LOCALAPPDATA%\Mozilla\Firefox\Profiles\ogpxv0ba.default\startupCache\scriptCache-new.bin | 1
%LOCALAPPDATA%\Mozilla\Firefox\Profiles\ogpxv0ba.default\startupCache\scriptCache.bin (copy) | 1
%LOCALAPPDATA%\Mozilla\Firefox\Profiles\ogpxv0ba.default\startupCache\startupCache.4.little | 1
%LOCALAPPDATA%\Mozilla\Firefox\Profiles\ogpxv0ba.default\startupCache\urlCache-new.bin | 1
%LOCALAPPDATA%\Mozilla\Firefox\Profiles\ogpxv0ba.default\startupCache\urlCache.bin (copy) | 1
%APPDATA%\Mozilla\Firefox\Profiles\ogpxv0ba.default\addonStartup.json.lz4 (copy) | 1
%APPDATA%\Mozilla\Firefox\Profiles\ogpxv0ba.default\addonStartup.json.lz4.tmp | 1
%APPDATA%\Mozilla\Firefox\Profiles\ogpxv0ba.default\broadcast-listeners.json (copy) | 1
%APPDATA%\Mozilla\Firefox\Profiles\ogpxv0ba.default\broadcast-listeners.json.tmp | 1
%APPDATA%\Mozilla\Firefox\Profiles\ogpxv0ba.default\crashes\store.json.mozlz4 (copy) | 1
%APPDATA%\Mozilla\Firefox\Profiles\ogpxv0ba.default\crashes\store.json.mozlz4.tmp | 1
%APPDATA%\Mozilla\Firefox\Profiles\ogpxv0ba.default\datareporting\aborted-session-ping (copy) | 1

*See JSON for more IOCs

File Hashes

*See JSON for more IOCs

Coverage

Product | Protection
Secure Endpoint | This has coverage
Cloudlock | N/A
CWS | This has coverage
Email Security | This has coverage
Network Security | N/A
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Secure Malware Analytics | This has coverage
Umbrella | N/A
WSA | N/A

Screenshots of Detection

Secure Endpoint


Secure Malware Analytics


MITRE ATT&CK


Win.Trojan.Fareit-9900344-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 11 samples
Registry Keys | Occurrences
<HKCU>\SOFTWARE\WINRAR | 11
<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\159 | 11
<HKLM>\SAM\SAM\DOMAINS\ACCOUNT\USERS\000003E9 (Value Name: F) | 11
<HKLM>\SAM\SAM\DOMAINS\ACCOUNT\USERS\000001F5 (Value Name: F) | 11
<HKLM>\SAM\SAM\DOMAINS\ACCOUNT\USERS\000003EC (Value Name: F) | 11
<HKCU>\SOFTWARE\WINRAR (Value Name: HWID) | 11
IP Addresses contacted by malware (does not indicate maliciousness) | Occurrences
138[.]128[.]171[.]170 | 3
75[.]98[.]175[.]114 | 2
166[.]62[.]121[.]61 | 1
Domain Names contacted by malware (does not indicate maliciousness) | Occurrences
manualportia[.]com[.]br | 3
superiorbroomproducers[.]com | 2
crawfishtx[.]com | 1
Files and/or directories created | Occurrences
%TEMP%\<random, matching '[0-9]{5,6}'>.bat | 11
%TEMP%\1051421727.bat | 1
%TEMP%\1051419262.bat | 1
%TEMP%\1051422413.bat | 1
%TEMP%\1051418217.bat | 1
%TEMP%\1051421976.bat | 1
%TEMP%\1051423677.bat | 1
%TEMP%\1051421025.bat | 1
%TEMP%\1051419574.bat | 1
%TEMP%\1051418919.bat | 1
%TEMP%\1051423302.bat | 1
%TEMP%\1051422819.bat | 1

File Hashes

Coverage

Product | Protection
Secure Endpoint | This has coverage
Cloudlock | N/A
CWS | This has coverage
Email Security | This has coverage
Network Security | This has coverage
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Secure Malware Analytics | This has coverage
Umbrella | N/A
WSA | N/A

Screenshots of Detection

Secure Endpoint


Secure Malware Analytics


MITRE ATT&CK


Win.Packed.Passwordstealera-9900629-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 17 samples
Registry Keys | Occurrences
<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\159 | 17
Mutexes | Occurrences
Global\d7716441-2842-11ec-b5f8-00501e3ae7b6 | 1
IP Addresses contacted by malware (does not indicate maliciousness) | Occurrences
Domain Names contacted by malware (does not indicate maliciousness) | Occurrences

File Hashes

Coverage

Product | Protection
Secure Endpoint | This has coverage
Cloudlock | N/A
CWS | This has coverage
Email Security | This has coverage
Network Security | This has coverage
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Secure Malware Analytics | This has coverage
Umbrella | N/A
WSA | N/A

Screenshots of Detection

Secure Endpoint


Secure Malware Analytics


MITRE ATT&CK


Win.Ransomware.TeslaCrypt-9901319-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 23 samples
Registry Keys | Occurrences
<HKCU>\SOFTWARE\TRUEIMG | 23
<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\159 | 23
<HKU>\.DEFAULT\SOFTWARE\TRUEIMG | 14
<HKCU>\SOFTWARE\TRUEIMG (Value Name: ID) | 14
<HKCU>\Software\<random, matching '[A-Z0-9]{14,16}'> | 14
<HKCU>\Software\<random, matching '[A-Z0-9]{14,16}'> (Value Name: data) | 14
Mutexes | Occurrences
__ms_342234_ | 23
IP Addresses contacted by malware (does not indicate maliciousness) | Occurrences
Domain Names contacted by malware (does not indicate maliciousness) | Occurrences
Files and/or directories created | Occurrences
%LOCALAPPDATA%\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\INetCookies\1JV85UNH.txt.mp3 (copy) | 23
%LOCALAPPDATA%\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\INetCookies\6TSOP6FP.txt.mp3 (copy) | 23
%LOCALAPPDATA%\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\INetCookies\6UIR535Q.txt.mp3 (copy) | 23
%LOCALAPPDATA%\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\INetCookies\778OELZF.txt.mp3 (copy) | 23
%LOCALAPPDATA%\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\INetCookies\BDDA1TQA.txt.mp3 (copy) | 23
%LOCALAPPDATA%\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\INetCookies\C8UQ3ILV.txt.mp3 (copy) | 23
%LOCALAPPDATA%\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\INetCookies\CKFULNYU.txt.mp3 (copy) | 23
%LOCALAPPDATA%\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\INetCookies\D3V8ZB0V.txt.mp3 (copy) | 23
%LOCALAPPDATA%\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\INetCookies\DFCMI390.txt.mp3 (copy) | 23
%LOCALAPPDATA%\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\INetCookies\DNZVO86A.txt.mp3 (copy) | 23
%LOCALAPPDATA%\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\INetCookies\EOZBRPJV.txt.mp3 (copy) | 23
%LOCALAPPDATA%\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\INetCookies\FF9U33OW.txt.mp3 (copy) | 23
%LOCALAPPDATA%\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\INetCookies\FRKK5EC8.txt.mp3 (copy) | 23
%LOCALAPPDATA%\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\INetCookies\GRVXVJCO.txt.mp3 (copy) | 23
%LOCALAPPDATA%\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\INetCookies\I9JT8I4P.txt.mp3 (copy) | 23
%LOCALAPPDATA%\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\INetCookies\JAQ17N5E.txt.mp3 (copy) | 23
%LOCALAPPDATA%\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\INetCookies\KBEKKOGQ.txt.mp3 (copy) | 23
%LOCALAPPDATA%\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\INetCookies\LAYXCVQE.txt.mp3 (copy) | 23
%LOCALAPPDATA%\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\INetCookies\LCB33LEZ.txt.mp3 (copy) | 23
%LOCALAPPDATA%\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\INetCookies\LCBHCHSX.txt.mp3 (copy) | 23
%LOCALAPPDATA%\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\INetCookies\LJTF3CDQ.txt.mp3 (copy) | 23
%LOCALAPPDATA%\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\INetCookies\LNTPAIO9.txt.mp3 (copy) | 23
%LOCALAPPDATA%\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\INetCookies\MJ9G33SY.txt.mp3 (copy) | 23
%LOCALAPPDATA%\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\INetCookies\N9FEOE2J.txt.mp3 (copy) | 23
%LOCALAPPDATA%\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\INetCookies\O21EX4U8.txt.mp3 (copy) | 23

*See JSON for more IOCs

File Hashes

Coverage

Product | Protection
Secure Endpoint | This has coverage
Cloudlock | N/A
CWS | This has coverage
Email Security | This has coverage
Network Security | This has coverage
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Secure Malware Analytics | This has coverage
Umbrella | N/A
WSA | N/A

Screenshots of Detection

Secure Endpoint


Secure Malware Analytics


MITRE ATT&CK


Win.Packed.Cryptbot-9901331-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 19 samples
Registry Keys    Occurrences
<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\159 19
IP Addresses contacted by malware. Does not indicate maliciousness    Occurrences
Domain Names contacted by malware. Does not indicate maliciousness    Occurrences
Files and/or directories created    Occurrences
%TEMP%\dghf.txt 19
%TEMP%\fhgfgf.txt 19
%TEMP%\trgd.txt 19
%ProgramData%\Urebe 19
%ProgramData%\Kassee 19
%TEMP%\gvfcdfgv.txt 19
%TEMP%\gvfcgh.txt 19
%TEMP%\hbgf.txt 19
%TEMP%\hbgvf.exe 19
%ProgramFiles(x86)%\Blubnerg 19
%ProgramFiles(x86)%\Blubnerg\sant 19
%ProgramFiles(x86)%\Blubnerg\sant\kartol.exe 19
%TEMP%\gdgrf.exe 19
%APPDATA%\brgvfcdsx.exe 19
%APPDATA%\yhbtgvrfcd.exe 19
%LOCALAPPDATA%\Google\Chrome\User Data\Default\Cookiesf 19
%LOCALAPPDATA%\Google\Chrome\User Data\Default\Cookiesm 19
%LOCALAPPDATA%\Google\Chrome\User Data\Default\Login Dataf 19
%LOCALAPPDATA%\Google\Chrome\User Data\Default\Login Datam 19
%LOCALAPPDATA%\Google\Chrome\User Data\Default\Web Dataf 19
%LOCALAPPDATA%\Google\Chrome\User Data\Default\Web Datam 19
%TEMP%\ns<random, matching '[a-z][A-F0-9]{1,4}'>.tmp 19
%TEMP%\ns<random, matching '[a-z][A-F0-9]{1,4}'>.tmp\nsExec.dll 19
%TEMP%\ns<random, matching '[a-z][A-F0-9]{4}'>.tmp\UAC.DLL 19
%ProgramFiles%\Blubnerg\sant\kartol.exe 18

*See JSON for more IOCs

File Hashes


Coverage

Product    Protection
Secure Endpoint This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics This has coverage
Umbrella N/A
WSA This has coverage

Screenshots of Detection

Secure Endpoint


Secure Malware Analytics


MITRE ATT&CK


Exploit Prevention

Cisco AMP for Endpoints protects users from a variety of malware functions with exploit prevention. Exploit prevention helps users defend endpoints from memory attacks commonly used by obfuscated malware and exploits. These exploits use certain features to bypass typical anti-virus software, but were blocked by AMP thanks to its advanced scanning capabilities, even protecting against zero-day vulnerabilities.

Process hollowing detected - (45166)
Process hollowing is a technique used by some programs to avoid static analysis. In typical usage, a process is started and its obfuscated or encrypted contents are unpacked into memory. The parent then manually sets up the first stages of launching a child process, but before launching it, the child's memory is cleared and filled in with the unpacked contents from the parent instead.
Crystalbit-Apple DLL double hijack detected - (7792)
Crystalbit-Apple DLL double hijack was detected. During this attack, the adversary abuses two legitimate vendor applications, such as CrystalBit and Apple, as part of a DLL double hijack attack chain that starts with a fraudulent software bundle and eventually leads to a persistent miner and, in some cases, spyware deployment.
Expiro Malware detected - (7379)
Expiro malware is unique in that it infiltrates executable files on both 32- and 64-bit Windows systems by appending its viral code to the host. It can be used to install malicious browser extensions, lower browser security settings, and steal account credentials.
Excessively long PowerShell command detected - (4473)
A PowerShell command with a very long command-line argument, which may indicate an obfuscated script, has been detected. PowerShell is an extensible Windows scripting language present on all versions of Windows. Malware authors use PowerShell in an attempt to evade security software or other monitoring that is not tuned to detect PowerShell-based threats.
A Microsoft Office process has started a windows utility. - (4364)
A process associated with Microsoft Office, such as EXCEL.exe, OUTLOOK.exe or WINWORD.exe, has started a Windows utility such as powershell.exe or cmd.exe. This is typical behavior of malicious documents executing additional scripts. This behavior is extremely suspicious and is associated with many different malware campaigns and families.
CVE-2020-1472 exploit detected - (2964)
An attempt to exploit CVE-2020-1472, also known as "Zerologon", has been detected. This is a privilege escalation vulnerability in Netlogon.
Dealply adware detected - (2084)
DealPly is adware that claims to improve your online shopping experience. It is often bundled into other legitimate installers and is difficult to uninstall. It creates pop-up advertisements and injects advertisements on webpages. Adware has also been known to download and install malware.
Reverse tcp payload detected - (2003)
An exploit payload intended to connect back to an attacker-controlled host over TCP has been detected.
Squiblydoo application control bypass attempt detected. - (1152)
An attempt to bypass application control via the "Squiblydoo" technique has been detected. This typically involves using regsvr32.exe to execute script content hosted on an attacker-controlled server.
Kovter injection detected - (663)
A process was injected into, most likely by an existing Kovter infection. Kovter is a click-fraud Trojan that can also act as an information stealer. Kovter is also fileless malware, meaning the malicious DLL is stored inside the Windows registry and injected directly into memory using PowerShell. It can detect and report the usage of monitoring software such as Wireshark and sandboxes to its C2. It spreads through malicious advertising and spam campaigns.
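Two of the behaviours described above, an Office process starting a Windows utility and an excessively long PowerShell command line, can be expressed as simple rules over process-creation telemetry. The following is an added example, not Cisco's code or detection logic; it assumes Sysmon-style event fields (ParentImage, Image, CommandLine), an assumed 1024-character length cutoff, and constructed sample events.

```python
import os

# Added example (not from the Talos page): detection logic for two of the
# Exploit Prevention behaviours listed above, run over Sysmon-style process
# creation events. Field names follow Sysmon Event ID 1; the cutoff is assumed.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}
WINDOWS_UTILITIES = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                     "mshta.exe", "regsvr32.exe", "rundll32.exe"}
# The page does not define "excessively long"; 1024 characters is an assumption.
LONG_COMMAND_THRESHOLD = 1024


def _basename(image_path):
    """Lower-cased file name of a Windows image path."""
    return os.path.basename(image_path.replace("\\", "/")).lower()


def office_spawned_utility(event):
    """Office parent (WINWORD, EXCEL, OUTLOOK, ...) started a Windows utility."""
    return (_basename(event["ParentImage"]) in OFFICE_PARENTS
            and _basename(event["Image"]) in WINDOWS_UTILITIES)


def long_powershell_command(event, threshold=LONG_COMMAND_THRESHOLD):
    """PowerShell launched with a command line longer than the threshold."""
    return (_basename(event["Image"]) in {"powershell.exe", "pwsh.exe"}
            and len(event["CommandLine"]) > threshold)


def classify(event):
    """Names of every rule the event matches; an empty list means no alert."""
    rules = [("office_spawned_windows_utility", office_spawned_utility),
             ("excessively_long_powershell_command", long_powershell_command)]
    return [name for name, rule in rules if rule(event)]


# Constructed sample events; the encoded argument is filler, not real content.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c start /min powershell.exe"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile -EncodedCommand " + "A" * 2000},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe"},
]


def scan(events=SAMPLE_EVENTS):
    """Return (index, matched rule names) for every event that triggers a rule."""
    return [(i, classify(e)) for i, e in enumerate(events) if classify(e)]
```

In production the length cutoff should be tuned against the environment's own baseline, since legitimate administrative scripts can also produce long command lines.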