Friday, February 18, 2022

Threat Roundup for February 11 to February 18


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Feb. 11 and Feb. 18. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. A visual depiction of the MITRE ATT&CK techniques associated with each threat is also shown. In these images, the brightness of the technique indicates how prevalent it is across all threat files where dynamic analysis was conducted. There are five distinct shades that are used, with the darkest indicating that no files exhibited technique behavior and the brightest indicating that technique behavior was observed from 75 percent or more of the files.

The most prevalent threats highlighted in this roundup are:

Threat Name Type Description
Win.Malware.Zusy-9938804-0 Malware Zusy, also known as TinyBanker or Tinba, is a trojan that uses man-in-the-middle attacks to steal banking information. When executed, it injects itself into legitimate Windows processes such as "explorer.exe" and "winver.exe." When the user accesses a banking website, it displays a form to trick the user into submitting personal information.
Win.Malware.Phorpiex-9938809-0 Malware Phorpiex is a trojan and worm that infects machines to deliver follow-on malware. Phorpiex has been known to drop a wide-range of payloads, from malware to send spam emails to ransomware and cryptocurrency miners.
Win.Packed.Tofsee-9938852-1 Packed Tofsee is multi-purpose malware that features a number of modules used to carry out various activities such as sending spam messages, conducting click fraud, mining cryptocurrency, and more. Infected systems become part of the Tofsee spam botnet and are used to send large volumes of spam messages in to infect additional systems and increase the size of the botnet under the operator's control.
Win.Dropper.BazarLoader-9938865-0 Dropper BazarLoader is used to drop follow-on malware on an infected system, most commonly the Trickbot banking trojan or Ryuk ransomware. BazarLoader is named in part because its command and control communications typically occur to domain names using the .bazar top-level domain.
Win.Trojan.Gh0stRAT-9939087-1 Trojan Gh0stRAT is a well-known family of remote access trojans designed to provide an attacker with complete control over an infected system. Capabilities include monitoring keystrokes, collecting video footage from the webcam, and uploading/executing follow-on malware. Gh0stRAT's source code has been publicly available on the internet for years, significantly lowering the barrier for actors to modify and reuse the code in new attacks.
Win.Dropper.Remcos-9938935-0 Dropper Remcos is a remote access trojan (RAT) that allows attackers to execute commands on the infected host, log keystrokes, interact with a webcam, and capture screenshots. This malware is commonly delivered through Microsoft Office documents with macros, sent as attachments on malicious emails.
Win.Packed.Emotet-9938961-0 Packed Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a wide variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails.
Win.Downloader.Upatre-9938981-0 Downloader Upatre is a malicious downloader often used by exploit kits and phishing campaigns. Upatre downloads and executes malicious executables, such as banking malware.
Win.Trojan.Zegost-9939089-0 Trojan Zegost is a remote access trojan designed to provide an attacker with complete control over an infected system. Capabilities include monitoring keystrokes, collecting video footage from the webcam, and uploading/executing follow-on malware. Zegost appears to be derived from Gh0stRAT, which is a well-known remote access trojan that had its source code leaked, significantly lowering the barrier to entry for actors looking to modify and reuse the code in new attacks.

Threat Breakdown

Win.Malware.Zusy-9938804-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 24 samples
Registry Keys Occurrences
<HKCU>\SOFTWARE\POLICIES\MICROSOFT\INTERNET EXPLORER 24
<HKCU>\SOFTWARE\POLICIES\MICROSOFT\INTERNET EXPLORER\CONTROL PANEL 24
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\ABC2.0 24
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\ABC2.0
Value Name: Type
24
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\ABC2.0
Value Name: ErrorControl
24
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\ABC2.0
Value Name: DisplayName
24
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\ABC2.0
Value Name: WOW64
24
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\ABC2.0
Value Name: DeleteFlag
24
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\ABC2.0
Value Name: Start
24
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNETEXPLORER 24
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNETEXPLORER\MAIN 24
<HKCU>\SOFTWARE\POLICIES\MICROSOFT\INTERNET EXPLORER\MAIN 24
<HKCU>\CLSID 24
<HKCU>\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} 24
<HKCU>\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\SHELL 24
<HKCU>\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\SHELL\OPENHOMEPAGE 24
<HKLM>\SYSTEM\CONTROLSET001\HARDWARE PROFILES\0001\SOFTWARE\POLICIES 24
<HKLM>\SYSTEM\CONTROLSET001\HARDWARE PROFILES\0001\SOFTWARE\POLICIES\MICROSOFT 24
<HKLM>\SYSTEM\CONTROLSET001\HARDWARE PROFILES\0001\SOFTWARE\POLICIES\MICROSOFT\INTERNET EXPLORER 24
<HKLM>\SYSTEM\CONTROLSET001\HARDWARE PROFILES\0001\SOFTWARE\POLICIES\MICROSOFT\INTERNET EXPLORER\CONTROL PANEL 24
<HKLM>\SYSTEM\CONTROLSET001\HARDWARE PROFILES\0001\SOFTWARE\POLICIES\MICROSOFT\INTERNET EXPLORER\CONTROL PANEL
Value Name: Homepage
24
<HKCU>\SOFTWARE\POLICIES\MICROSOFT\INTERNET EXPLORER\MAIN
Value Name: Start Page
24
<HKCU>\SOFTWARE\POLICIES\MICROSOFT\INTERNET EXPLORER\MAIN
Value Name: Search Bar
24
<HKCU>\SOFTWARE\POLICIES\MICROSOFT\INTERNET EXPLORER\MAIN
Value Name: Search Page
24
<HKCU>\SOFTWARE\POLICIES\MICROSOFT\INTERNET EXPLORER\MAIN
Value Name: Default_Page_URL
24
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
112[.]124[.]100[.]244 24
47[.]93[.]205[.]92 24
8[.]25[.]82[.]214 24
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
cs[.]kulove123[.]com 24
sp[.]kulove123[.]com 24
Files and or directories created Occurrences
%SystemRoot%\SysWOW64\100F23.dll 23
%TEMP%\~abcWKVJC.sys 1
%TEMP%\~abcjXEQb.sys 1
%TEMP%\~abc3hzqj.sys 1
%TEMP%\~abclKysK.sys 1
%TEMP%\~abc8fZDS.sys 1
%TEMP%\~abcoS5Rq.sys 1
%TEMP%\~abcicTYD.sys 1
%TEMP%\~abcxibJ8.sys 1
%TEMP%\~abc8IpGm.sys 1
%TEMP%\~abcb8mpa.sys 1
%TEMP%\~abcWnrDa.sys 1
%TEMP%\~abccv9Ig.sys 1
%TEMP%\~abcIkwIU.sys 1
%TEMP%\~abcs19ff.sys 1
%TEMP%\~abcDFiEI.sys 1
%TEMP%\~abcMH98n.sys 1
%TEMP%\~abc2A0m3.sys 1
%TEMP%\~abcrx5Cw.sys 1
%TEMP%\~abcHdj4I.sys 1
%TEMP%\~abcK3x6p.sys 1
%TEMP%\~abcPFKlh.sys 1
%TEMP%\~abcjelYg.sys 1
%TEMP%\~abc7mikT.sys 1
%TEMP%\~abcoZVM8.sys 1
*See JSON for more IOCs

File Hashes

0621cb3054e2ff90ada6d884a9c2c61f8d4660e515ca8f17cd628efbacee3cc0 15014188c58c936fc1369fb29ad1109bcd0789bfcb4ef7b42fc3ae203fe5f416 25ffb952666c55b4761e69a53b2d9d4347cc94904e9a1e87bd4cb566adb24531 2ce267492ef0165583181959f86c6c26c17e2c572878fee547090be6a274e4d6 3fe2b07312854af3617765533d6486505158cb5216ef1fb1eaf4f4a2ed2b24ea 3ff8402cf6d5138599038544393cb804cadc0899e0ea5348ee8937c5f8cf010d 43c045a2c3d4e774be0d5afb11c4e4370bdd5d880f17e6c63c61cd02aeca6195 451ebe11cc512bf97af7c6e094505c8d14f9e5c046b96dcdcb6a438bea42f0bb 4ffd929261164f699519ab7ba9b012731cf43fa110ead8d317f988e986402202 631606c4980ea457a93af841fb3e307ca1a574fc8e04c1c7a42601a2470a2885 731e794d791f5011af9a6f58bbe980fed0468225e8a9d0ba59455d17316ff089 8c7219649c620f8a6fe2cda43927a5f321b4039ab28bb6e92e2a2fd4bf625aba 8f56ffbd75db54c780693ee5f110170216282222fae22474853c1854cd59a6fc 969daf4485e46e75c725f8ce4e3d6d16f73b3f463f14e7b7c6330fae037f451c a093784506fc60cf4264385ff1bf7f306f77f0d6e6f681b6e13294b4c0ce26da a3a3f2240e7fabc00bc54657f412174e456d77a7482f4bc8fbd1029cbf756c7a a446e348b32eca7e2ec394f488ab680caf3ed550ce6591856b42658c57d5c912 baf709b728eee8803cca70030929191818d9b865e748bb16030c911d96bb9624 bba587df9731bf0a539576437ce8e25a1a73721e72c87c227b6eab57b1997b43 c91ee5659cd7654c77645cf052d31c99253f75f934efa4eb9f3ffdc186b42555 d24e4a4471c7ee008feb4fc5012f65a19930c11d42bb82302d22b53a4045052f d541c8f4681bd46c90234d17b0aa4f78ee0b4d8778d119ba51ee4255b0651e9a d845c630394c370efac748ac0e2330d7feeda5ffd11e44bc707d15f86c3670a5 f1ebcb3892d763ea67bab1f7357d2d6e88c686053daa539e99a2ed0a190adc68

Coverage

Product Protection
Secure Endpoint This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

Secure Endpoint



Secure Malware Analytics



MITRE ATT&CK





Win.Malware.Phorpiex-9938809-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 24 samples
Registry Keys Occurrences
<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\159 22
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: AntiVirusOverride
18
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: AntiVirusDisableNotify
18
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: FirewallDisableNotify
18
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: FirewallOverride
18
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: UpdatesDisableNotify
18
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: UpdatesOverride
18
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: AntiSpywareOverride
18
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Microsoft Windows Update Service
9
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Windows Settings
9
Mutexes Occurrences
<random, matching [a-zA-Z0-9]{5,9}> 18
Global\b20c9981-8ab3-11ec-b5f8-00501e3ae7b6 1
Global\b0d1e701-8ab3-11ec-b5f8-00501e3ae7b6 1
Global\b16cdee1-8ab3-11ec-b5f8-00501e3ae7b6 1
Global\b1681c21-8ab3-11ec-b5f8-00501e3ae7b6 1
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
185[.]215[.]113[.]84 18
20[.]109[.]209[.]108 12
20[.]72[.]235[.]82 6
42[.]248[.]182[.]125 4
42[.]248[.]183[.]250/31 4
46[.]70[.]200[.]184 3
186[.]88[.]255[.]32 3
31[.]59[.]189[.]4 3
188[.]211[.]196[.]192 3
2[.]184[.]139[.]149 3
5[.]232[.]28[.]65 3
100[.]89[.]1[.]141 3
109[.]110[.]169[.]72 3
46[.]224[.]180[.]246 3
37[.]255[.]99[.]93 3
109[.]122[.]236[.]177 3
217[.]77[.]127[.]138 3
94[.]183[.]31[.]150 3
188[.]158[.]148[.]183 3
2[.]61[.]176[.]216 3
39[.]41[.]234[.]182 3
117[.]210[.]133[.]155 3
46[.]225[.]106[.]121 3
185[.]105[.]229[.]81 3
42[.]248[.]182[.]234/31 3
*See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
wpad[.]example[.]org 5
www[.]msftncsi[.]com 3
vmss-prod-seas[.]southeastasia[.]cloudapp[.]azure[.]com 2
isatap[.]example[.]org 2
computer[.]example[.]org 1
vmss-prod-eus[.]eastus[.]cloudapp[.]azure[.]com 1
vmss-prod-weu[.]westeurope[.]cloudapp[.]azure[.]com 1
Files and or directories created Occurrences
E:\Unnamed volume (0GB).lnk 18
\x45\x3a\x5c\xffff 18
\x45\x3a\x5c\xffff\x5c\x56\x6f\x6c\x44\x72\x69\x76\x65\x72\x2e\x65\x78\x65 18
\Unnamed volume (0GB).lnk 18
\x5c\xffff\x5c\x56\x6f\x6c\x44\x72\x69\x76\x65\x72\x2e\x65\x78\x65 18
%APPDATA%\Microsoft\Libs 9
%APPDATA%\Microsoft\Libs\WR64.sys 9
%APPDATA%\Microsoft\Libs\sihost64.exe 9
%HOMEPATH%\nodesinfo.dat 9
%HOMEPATH%\tnodes.dat 9
%TEMP%\fefegf7ed7g.txt 9
%HOMEPATH%\wincsvns.exe 9
%System32%\Tasks\wincsvns 9
\Users\user\nodesinfo.dat 5
%SystemRoot%\wedrvcsvc.exe 3
%SystemRoot%\drvcmsm.exe 3
%SystemRoot%\wapmsvcr.exe 2
%SystemRoot%\wlpmsvcr.exe 2
%SystemRoot%\drvamwr.exe 2
%SystemRoot%\wcvpsvcr.exe 1
%SystemRoot%\wdrvmgrmp.exe 1
%TEMP%\75658822.exe 1
%TEMP%\3479624253.exe 1
%TEMP%\3412621604.exe 1
%SystemRoot%\wrsnvnc.exe 1
*See JSON for more IOCs

File Hashes

04830708e90327c85948d87d866c4e509cc3a73048012c674cbb86d01a9b03a2 11868eb16085d6bf4d620e718ddced265efcb4a7fe504e9879cb21f90fbfdf16 122a9255be691a812552f2a8c57860e9355082d9cd376634dc575e235f90e118 143e15adc8d63526b124a401fe1182a44542fb79f22fc17c602151a839c22682 1dec39358473852b8300d14f3f617ba989e8b178480da5b44904807b323e4d65 243c90195cebca47fa0117505ee07d5b93cb7f16792978b5335f0051eb11a96f 4837627122c12bd98874703a66d434025b3226b3facae6129b4aefb59ca05f4b 48540cf45fb2bca228f438efa2f904346126d0248ac116c1b01e3f3b1ef5ca1e 48eee6e4eedb7291e09cd68d3ff4f1608df7fb538be806d785a4e99cb77a9da2 4b355796a710bec51e37958a39ca0fb28f462f80b15b3e42162bf47cdf0fca79 4ea6e76ad7328dbb2bbab9fcc4f23b47556e4751fb965c6b8f69ddbb05a4da7c 63ee602b2df6b4ed3f040dd4de41b68a8581e2da2f8850fa87d283ef482319db 72bc906c3d572bde3e6ed96eb65bb1229a5dd89ec66ef4d6bd6e568d17ee9aaf 7356a7c98588b980302a5f2340b56f75a13bdac613f7c22b62eeb4590896e506 748e5c4f719938040ef7a276da33a01a22db319dd88521336ab161c115677c33 7d72f66070b144fdd4d0fcbe39c732d1943b5836c8da1d469da876c27775808e 8c87a59f94986b0fc9086c725f1f3a8e9ec4d813fbb79381a9d72114a07e1f2e af6655e2d0e07a4f7a2043fad6260562e168dba8f6f1ef5b0633af6575469663 bb91283896b122504885551f20c6cdd2743c7a7bf82a164ed2f63d4455430063 bc79a037e5c077b51693119155c74802687579f9f4b57a6b4586b4ba21a758d1 e90f20a72ae8f31bae3917569ff69279bd292f77461773ab961b9306da30d577 e984143006b71acda193fce1ab6397030e8dd7ff28e32d82353c499cb5d33eaa f0a5b1ae7ce5b24220d8d60445573b164f87a45bed6226ba89b9fddf2d182e01 f3fd26579b32378c1115937a1aea5daa2dc4d9f11c7c69c3f6878962e31e6fdc

Coverage

Product Protection
Secure Endpoint This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics This has coverage
Umbrella N/A
WSA This has coverage

Screenshots of Detection

Secure Endpoint



Secure Malware Analytics



MITRE ATT&CK





Win.Packed.Tofsee-9938852-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 18 samples
Registry Keys Occurrences
<HKU>\.DEFAULT\CONTROL PANEL\BUSES
Value Name: Config4
18
<HKU>\.DEFAULT\CONTROL PANEL\BUSES 18
<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\159 18
<HKU>\.DEFAULT\CONTROL PANEL\BUSES
Value Name: Config0
18
<HKU>\.DEFAULT\CONTROL PANEL\BUSES
Value Name: Config1
18
<HKU>\.DEFAULT\CONTROL PANEL\BUSES
Value Name: Config2
18
<HKU>\.DEFAULT\CONTROL PANEL\BUSES
Value Name: Config3
18
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> 18
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: Type
18
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: Start
18
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: ErrorControl
18
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: DisplayName
18
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: WOW64
18
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: ObjectName
18
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: Description
18
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: ImagePath
14
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\dlugqvrt
2
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\hpykuzvx
2
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\ltcoydzb
2
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\jramwbxz
2
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\nveqafbd
1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\ygpblqmo
1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\cktfpuqs
1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\xfoakpln
1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\ksbnxcya
1
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
91[.]243[.]33[.]5 18
62[.]204[.]41[.]45 18
62[.]204[.]41[.]48/31 18
62[.]204[.]41[.]46/31 18
35[.]228[.]103[.]145 18
62[.]204[.]41[.]50 18
192[.]0[.]47[.]59 17
216[.]146[.]35[.]35 16
96[.]103[.]145[.]164/31 16
208[.]76[.]51[.]51 15
208[.]76[.]50[.]50 15
216[.]146[.]36[.]36 14
37[.]235[.]1[.]174 13
208[.]71[.]35[.]137 13
202[.]137[.]234[.]30 13
193[.]0[.]6[.]135 13
31[.]13[.]64[.]174 13
142[.]251[.]40[.]196 13
199[.]5[.]157[.]131 12
67[.]195[.]204[.]151 12
117[.]53[.]116[.]15 12
142[.]250[.]80[.]46 12
211[.]231[.]108[.]46 11
23[.]90[.]4[.]6 11
125[.]209[.]238[.]100 11
*See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
249[.]5[.]55[.]69[.]bl[.]spamcop[.]net 18
249[.]5[.]55[.]69[.]cbl[.]abuseat[.]org 18
249[.]5[.]55[.]69[.]dnsbl[.]sorbs[.]net 18
249[.]5[.]55[.]69[.]in-addr[.]arpa 18
249[.]5[.]55[.]69[.]sbl-xbl[.]spamhaus[.]org 18
249[.]5[.]55[.]69[.]zen[.]spamhaus[.]org 18
microsoft-com[.]mail[.]protection[.]outlook[.]com 18
microsoft[.]com 18
www[.]google[.]com 18
patmushta[.]info 18
whois[.]arin[.]net 17
whois[.]iana[.]org 17
aspmx[.]l[.]google[.]com 16
ianawhois[.]vip[.]icann[.]org 14
fastpool[.]xyz 14
m[.]youtube[.]com 13
mx-aol[.]mail[.]gm0[.]yahoodns[.]net 13
mx1[.]seznam[.]cz 13
seznam[.]cz 13
mail[.]h-email[.]net 13
ameritrade[.]com 13
mxa-000cb501[.]gslb[.]pphosted[.]com 13
mx[.]rediffmail[.]rediff[.]akadns[.]net 13
mta5[.]am0[.]yahoodns[.]net 12
mx01[.]oxsus-vadesecure[.]net 12
*See JSON for more IOCs
Files and or directories created Occurrences
%SystemRoot%\SysWOW64\config\systemprofile 18
%SystemRoot%\SysWOW64\config\systemprofile:.repos 18
%SystemRoot%\SysWOW64\<random, matching '[a-z]{8}'> 18
%TEMP%\<random, matching '[a-z]{8}'>.exe 17
%System32%\config\systemprofile:.repos 14
\Users\user\AppData\Local\Temp\lviqauyz.exe 1
\Users\user\AppData\Local\Temp\pbkdttxo.exe 1
\Users\user\eksafncr.exe 1
\Users\user\AppData\Local\Temp\afazxbts.exe 1
\Users\user\AppData\Local\Temp\lzacejwz.exe 1
%TEMP%\dqieqjm.exe 1
\Users\user\AppData\Local\Temp\qdzbycdk.exe 1
\Users\user\AppData\Local\Temp\rzusqfap.exe 1
\Users\user\AppData\Local\Temp\vntucuvk.exe 1
\Users\user\AppData\Local\Temp\gsbukkof.exe 1
\Users\user\AppData\Local\Temp\bxzeflgr.exe 1
\Users\user\AppData\Local\Temp\oovagzif.exe 1
\Users\user\AppData\Local\Temp\qdvrdwz.exe 1
\Users\user\AppData\Local\Temp\fnigetod.exe 1
\Users\user\AppData\Local\Temp\8380.bat 1
\Users\user\AppData\Local\Temp\hmhgeiaz.exe 1
\Users\user\AppData\Local\Temp\lxgzpptk.exe 1
\Users\user\AppData\Local\Temp\yemuzhwl.exe 1
\Users\user\edxssgta.exe 1
\Users\user\AppData\Local\Temp\otonlphg.exe 1
*See JSON for more IOCs

File Hashes

0885de67ebb6dd4e748523ed44c7835ecd04a9f7d3d7a18e30a6b162fbd2e3f0 0dbcc161e8cd0f9d3a96b62e0b0da7d70e6754803a1d4fa4fb08d26fbf86ab82 17d0d3e3a5512e17644e718c4cec6eb5afced95120cf7d91b7746779f1e9c1b1 2acb54616daff042ff7f8cef0208874789aa26ac632c5e291c7ef4506336b5dd 3fdcfcb78f2059ea32467c9d71109c9317dd5d2611e161ebea041e70f66801d7 54f92f8fe642af27bce35ccbc3e4aba7cf6e56d7d2accd9de8b10a2b547b774f 5dd2ccc302895459d8b0a5bd54280c41ddc3c91187dda6b4747f8831912876c2 6838a563c8d61d20f1905924a166032069bca8cfbc84057c21f3f477f474eccf 8fc272efa814e3204bc4b11def654a205b0f69861d635cf778f293a92279a33f 90165e1fea0ee0e50ee71babdbfe79f4889da3afcf26b7761709e6b38d017f74 9342faa77ed92cd17d84d7967871f70276e2cefc4719f5e8b6a24a6d7dbaf7d5 95e124b35529d63f67d557175792ebaca1bc1202bdf0519470a0637395fe5c38 9b37a6b77295553080ca7edef670ba8df051bce9f8d29f92a847e74befb64cf7 9f5834a75299f969ae7406b0c1a90cc6abecd7320650118e7574b7c03b5f0399 b43d420725c1fc8b886b3c1586f2ac8615cc75679dd537996a7d5349db2336f2 b7e2a685aff9c9cfef3faf0c76a65b6d3000ce002b746b4648a2a74b469cd3e5 d250b1a2bde4334e3bbff2c16508523810da0ba5e7974fe68b2fce420c235937 f86961f1b2818916f5aea0e40c78bfb4149bfdf4d50b51d7794ab8725e8798f5

Coverage

Product Protection
Secure Endpoint This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection

Secure Endpoint



Secure Malware Analytics



MITRE ATT&CK





Win.Dropper.BazarLoader-9938865-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 19 samples
Registry Keys Occurrences
<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\159 19
Mutexes Occurrences
{38ff1d10-6e17-4758-8c2a-db803cea696c} 19
{82069246-7ff4-46e3-8ffa-f10162278757} 19
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
185[.]99[.]132[.]248 19
23[.]160[.]193[.]217 19
74[.]6[.]143[.]26 13
74[.]6[.]231[.]20/31 12
176[.]32[.]103[.]205 10
40[.]112[.]72[.]205 6
205[.]251[.]242[.]103 5
98[.]137[.]11[.]164 5
54[.]239[.]28[.]85 4
13[.]225[.]230[.]232 4
23[.]56[.]10[.]219 4
40[.]76[.]4[.]15 3
74[.]6[.]143[.]25 3
13[.]226[.]32[.]216 3
98[.]137[.]11[.]163 3
104[.]215[.]148[.]63 2
40[.]113[.]200[.]201 2
104[.]87[.]86[.]196 2
45[.]14[.]226[.]23 2
96[.]16[.]29[.]235 1
23[.]193[.]217[.]119 1
104[.]102[.]254[.]32 1
23[.]62[.]25[.]178 1
18[.]67[.]60[.]164 1
104[.]106[.]10[.]176 1
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
microsoft[.]com 19
www[.]amazon[.]com 19
www[.]yahoo[.]com 19
amazon[.]com 19
yahoo[.]com 19
wpad[.]example[.]org 19
computer[.]example[.]org 10
vmss-prod-eus[.]eastus[.]cloudapp[.]azure[.]com 4
vmss-prod-weu[.]westeurope[.]cloudapp[.]azure[.]com 4
vmss-prod-seas[.]southeastasia[.]cloudapp[.]azure[.]com 2
Files and or directories created Occurrences
%TEMP%\<random, matching [A-F0-9]{1,4}>.tmp 19

File Hashes

0e6653b06dd4313c0c5292d26a241d6446841e378a84d56c98b44d6d7113197c 1eea013e5e82310923f4a6b1bff67d681f064068d652ed45b2bb90406c0def5d 4099da780fe519855b547292faee3919ddb5b91723a7e8d09846afa0813d0294 678cfb8bcee9b33c610fcd3760ae420b7a976bb75a1d2a5ed569dad618345618 6d9c9732de671f201b3146ce5c03c79bb84c3d425a4325b76f782775ca477873 7b8f4e0701d45bbfb0b2235a849dbc35d235b35883a201b0d968bec91bbf2ba4 80616a89a44a9a98e08726fa653af2b7e73b83f227f38ff87457f0b935f0768a 8b84a358e1ff54a18f194e03eedfa448edbd1d5c7ee9734af9d18c666edf118f 96e9d9081fa34ad14e811ff124f920de53566d9401942920078f29f071e5da24 b354e0b8e50b6a1e4c0a2feb1779fdb4e39a981212492b03b9330e4ae76e2932 bec5ce6d717cfdc079e6438c4a09a636e96e90ba7cfd8b804d9b0d1dc42586dc c375679c9ea40b272f56f8bd08654740295788cba46fa44b670a2ccca029c4e7 c9364b28a51d8b15cb23532e32df3180d2d4f7d78625ae9410457f5d7457b76d ca911704993883257974de9710b444593190ce114a2d85094a068c08d51ab96e d241ae455e7455d96e3c335f86bde3d53b97f37dd2a86ad6f81aa5257aca9ec7 d322fecf2d49a664b0cdff6b76cd07db05744f07cd666da3ee6df831fb016f72 f0c295f616d54752a91a3216157bb96cd40c91107ac6273da1f0a82f0228ff13 f388ccc95a1eb746306e0da20a42f2c1bdf73718a6ca16e425a3b6514bbf4752 f61cd8bc66ff96c8b12814808033ba93aa39fa18da954897b6b6f20da7b665ce

Coverage

Product Protection
Secure Endpoint This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics N/A
Umbrella N/A
WSA This has coverage

Screenshots of Detection

Secure Endpoint



Secure Malware Analytics



MITRE ATT&CK





Win.Trojan.Gh0stRAT-9939087-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 25 samples
Registry Keys Occurrences
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SCHEDULE
Value Name: NextAtJobId
25
<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\159 25
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: EFA2246D
25
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS
Value Name: Path
1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS
Value Name: Hash
1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS
Value Name: Triggers
1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS
Value Name: DynamicInfo
1
Mutexes Occurrences
155.d78b.com:1555155.q9p6.com:1555127.0.0.1:2012 25
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
127[.]0[.]0[.]1 22
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
155[.]d78b[.]com 25
155[.]q9p6[.]com 25
wpad[.]example[.]org 22
computer[.]example[.]org 6
vmss-prod-weu[.]westeurope[.]cloudapp[.]azure[.]com 4
vmss-prod-eus[.]eastus[.]cloudapp[.]azure[.]com 2
vmss-prod-seas[.]southeastasia[.]cloudapp[.]azure[.]com 1
Files and or directories created Occurrences
%System32%\Tasks\At1 25
%System32%\Tasks\At10 25
%System32%\Tasks\At11 25
%System32%\Tasks\At12 25
%System32%\Tasks\At13 25
%System32%\Tasks\At14 25
%System32%\Tasks\At15 25
%System32%\Tasks\At16 25
%System32%\Tasks\At17 25
%System32%\Tasks\At18 25
%System32%\Tasks\At19 25
%System32%\Tasks\At2 25
%System32%\Tasks\At20 25
%System32%\Tasks\At21 25
%System32%\Tasks\At22 25
%System32%\Tasks\At23 25
%System32%\Tasks\At24 25
%System32%\Tasks\At3 25
%System32%\Tasks\At4 25
%System32%\Tasks\At5 25
%System32%\Tasks\At6 25
%System32%\Tasks\At7 25
%System32%\Tasks\At8 25
%System32%\Tasks\At9 25
%SystemRoot%\Tasks\At1.job 25
*See JSON for more IOCs

File Hashes

13304da65628452d7e3a3fe1ce72bdc8790af401895055935e689b7606fc4353 1701657ae3c6326c3b3210c42c374c8e8b2ba9d46798344335617a832b831b29 20c881d1eda1810046d4b413a79e1b66d2036a3401afc7c16d5b4082cc416033 2c2e600370840223d6013b802babc42643919d2347cd25272a10e5b422443c64 3b1442d3e7c447bf1e4e6bd276f0db02111cc04791590f312606410d0daf69dc 3fcf29cdcb37fd335d72547a7408e81deecff0bd81ba382a243c016306afdf65 4f55ce425329dace7f9c79295edc54ce2ca4e4582a1a971ba7b71e50d5a71986 5397ac711614be096761569c4d19b5e5e2e224be19cf4ce7b3207064664a15ba 5b3d2a2d98c1b001b4b8508eadfbb1d51f27346f97a6028e7fb8f2df3cf76d33 5b8ebac74cec8f126243796974af7245daf5b68a9bd55bb4d029d936e9058af6 7e41521f8a7d68d8ec3c9b5db11b20d5255b6a4144b1e1737283761506aa7f04 84821d0de866272826d5495a6033fb5dbadeeae6b1102ca83abce3fe87b7c322 8aa7892d0b782c376a179070f26e9ac10ce25a20160b4701eedf3897a0d69c44 9340b44e5b6617cde6086d2f268c5ed7209c227d0944596a9a68e1c07f648bde 9cd3bf8f4b91fe5716b2ff69dd0aaac9092649379d14c9d32496a7abd5ebba36 a72c829f809e675f0d7393a879c314db7012ebeeb61e825d4db0ec37dd6c711f a9f0119cc4c0b5ec9c602349be2a81f75610e752e2dd92a83e94eb3e1b99b00d b63c87d3ecd2d9ab60a91669fd7b634eaa7ca5dccd6390717ea192082d9d6e4e bcff843933c1e7ecb44a353b37983313f9e7b850f45f04442119d33776f5014f bd0c02441648fbc67a90b2f4d89215d62575aec2e10703c9bd324c5379034bea d5b47fe374d314b14135e1872ca3bcf336e251a1fbade91c0023a8dbf1328c09 d9dcafcf8fd74872f92f00761d395e1c0cf105418d5fb309d32a4dcabb3adcda dd8bed5bc941d08c68cfdfaa0f617e5597ff1d07cdf506bc9cc92afe1d8a1187 edeaf00c72d050844d89b3da06c50059c05c2bb4beff956f09c95e7b5bc985af fbb0afd17953da9d3eefd050432d0068400a6cade99c8403819768c5a24fd558
*See JSON for more IOCs

Coverage

Product Protection
Secure Endpoint This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

Secure Endpoint



Secure Malware Analytics



MITRE ATT&CK





Win.Dropper.Remcos-9938935-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 21 samples
Registry Keys Occurrences
<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\159 21
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Remcos
2
<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\INTELLIFORMS\STORAGE2 1
<HKLM>\SOFTWARE\WOW6432NODE\MOZILLA\MOZILLA FIREFOX 1
<HKLM>\SOFTWARE\WOW6432NODE\MOZILLA\MOZILLA FIREFOX\20.0.1 (EN-US)\MAIN 1
<HKLM>\SOFTWARE\WOW6432NODE\MOZILLA\MOZILLA THUNDERBIRD 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Pbgoxwgreg
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Mxxedzdebs
1
<HKCU>\SOFTWARE\REMCOS-CH29JD 1
<HKCU>\SOFTWARE\REMCOS-CH29JD
Value Name: exepath
1
<HKCU>\SOFTWARE\REMCOS-CH29JD
Value Name: licence
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Ilwoydzy
1
<HKCU>\SOFTWARE\REMCOS-M16C59 1
<HKCU>\SOFTWARE\REMCOS-M16C59
Value Name: exepath
1
<HKCU>\SOFTWARE\REMCOS-M16C59
Value Name: licence
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Nqpgexap
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Nvysjdajzh
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Yfwdbmmdbr
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Holvwtgyju
1
<HKCU>\SOFTWARE\MEDIAGALLERY-2RVG7S 1
<HKCU>\SOFTWARE\MEDIAGALLERY-2RVG7S
Value Name: exepath
1
<HKCU>\SOFTWARE\MEDIAGALLERY-2RVG7S
Value Name: licence
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Olsuteurif
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Wemxmruvlf
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Ztazezjgeq
1
Mutexes Occurrences
Remcos_Mutex_Inj 1
3cedd7db13072b36cc978a222f714e31 1
Global\4c20ad11-8440-11ec-b5f8-00501e3ae7b6 1
Remcos-CH29JD 1
Remcos-M16C59 1
Global\f2b8a701-8b8d-11ec-b5f8-00501e3ae7b6 1
Global\f2256f81-8b8d-11ec-b5f8-00501e3ae7b6 1
MediaGallery-2RVG7S 1
Global\f3569c81-8b8d-11ec-b5f8-00501e3ae7b6 1
KM6Q40ERRCF6GIDZ 1
1ML69US60S746Z1Z 1
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
13[.]107[.]42[.]12/31 4
185[.]33[.]54[.]16 3
162[.]159[.]129[.]233 2
13[.]107[.]43[.]13 2
23[.]199[.]63[.]11 2
179[.]43[.]175[.]171 2
64[.]44[.]167[.]199 2
198[.]54[.]117[.]210 1
192[.]0[.]78[.]25 1
79[.]134[.]225[.]74 1
162[.]159[.]133[.]233 1
162[.]159[.]135[.]233 1
34[.]102[.]136[.]180 1
13[.]225[.]230[.]20 1
40[.]126[.]28[.]12 1
20[.]190[.]151[.]68 1
40[.]126[.]26[.]134 1
20[.]190[.]154[.]139 1
23[.]199[.]63[.]83 1
15[.]197[.]142[.]173 1
104[.]215[.]112[.]107 1
66[.]29[.]154[.]157 1
166[.]88[.]19[.]180 1
104[.]168[.]190[.]126 1
172[.]67[.]68[.]31 1
*See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
onedrive[.]live[.]com 13
cdn[.]discordapp[.]com 4
login[.]live[.]com 4
apps[.]identrust[.]com 3
tothproject[.]hu 3
private0091113[.]duckdns[.]org 2
rwrd[.]org 2
buike[.]ddns[.]net 1
buike[.]duckdns[.]org 1
rbltd[.]ddns[.]net 1
febbit1[.]ddns[.]net 1
qwhqig[.]am[.]files[.]1drv[.]com 1
ws25gw[.]dm[.]files[.]1drv[.]com 1
io69iw[.]am[.]files[.]1drv[.]com 1
2sdfsdfwer23424sdxcvxc4ewrwerwer[.]publicvm[.]com 1
3sdfsdfwer23424sdxcvxc4ewrwerwer[.]publicvm[.]com 1
lvi03q[.]dm[.]files[.]1drv[.]com 1
0ziptg[.]dm[.]files[.]1drv[.]com 1
qk8afw[.]dm[.]files[.]1drv[.]com 1
xxxanonymous147[.]duckdns[.]org 1
generem2022[.]hopto[.]org 1
www[.]swedishnerd[.]com 1
www[.]mobilesignin-wellsfargo[.]com 1
generem1[.]hopto[.]org 1
yuondw[.]db[.]files[.]1drv[.]com 1
*See JSON for more IOCs
Files and or directories created Occurrences
%ProgramFiles%\Microsoft DN1 3
%SystemRoot% 3
%SystemRoot% \System32 3
%SystemRoot% \System32\propsys.dll 3
%SystemRoot% \System32\ComputerDefaults.exe 3
%SystemRoot% \System32\KDECO.bat 3
%HOMEPATH%\Contacts\ComputerDefaults.exe 3
%HOMEPATH%\Contacts\KDECO.bat 3
%HOMEPATH%\Contacts\Null 3
%HOMEPATH%\Contacts\propsys.dll 3
%APPDATA%\remcos 1
%APPDATA%\remcos\logs.dat 1
%HOMEPATH%\Contacts\Pbgoxwgreg.exe 1
%HOMEPATH%\Contacts\gergwxogbP.url 1
%HOMEPATH%\Contacts\Mxxedzdebs.exe 1
%HOMEPATH%\Contacts\MxxedzdebsO.bat 1
%HOMEPATH%\Contacts\Mxxedzdebst.bat 1
%HOMEPATH%\Contacts\sbedzdexxM.url 1
%TEMP%\wwlfjvtezmzgkwkhmuqinf.vbs 1
%HOMEPATH%\Ilwoydzy.exe 1
%HOMEPATH%\yzdyowlI.url 1
%TEMP%\wlooejgdzgttzksfkctnbizp.vbs 1
%HOMEPATH%\Nqpgexap.exe 1
%HOMEPATH%\paxegpqN.url 1
%HOMEPATH%\Contacts\Nvysjdajzh.exe 1
*See JSON for more IOCs

File Hashes

01a5e09f30d4178f2cc421cc0bf1aada3d5f951586f7acc3c5145232231062b8 09effc5108b5ca6e852a9712180ad493ad2e4aa5e3693056953583fbce18cf92 0a44dd66eb25b89d1f0b12a108b8cfe1b2b0eb60c0975ad2137158a3d6bf8095 2299b5742aedb4e8402cfbbae5719399cfe072aedec7fd7b7da6ccb3437fb80b 28562d1e97597dbe302d550277e91bd4aa6869bd3d356668bc7c48b2b6eaa3d1 2d42d32d9020f456e5d6771baaaaad2a2f42f2512a7513951528751855b287f2 4f3a4d7da000a9a1103649f0381adf22cc42ed26806ac019ca2742565a932d8e 71ab1c23478d5328368aa417b75ca6a06d7bae4efd6afb628db2c35d555f4411 771bea571ae5e519f77cf83ee0cee812cb7e662a797fa116045b9d83e3f3c3b6 904fe01b64886e6019be3eb6f45023db2f163a543ba1ba46d99beef5208cdc00 a43f97e7ccadcd0ed55ed857fef4bd6bb80dd0e6434178e534cd3a6f15d7d338 a4f495f04650c9c0d6c6089f41b4bb5be24accc42e2652526243cdf89eaf24a9 ab7cbeee2b75365f69967e3b468e0c99ad2977226128464ba440eaa9de27e4c7 c30fda5736ebf0da7a34486b3c55b82032476e5006c66005439cbd488b7a3d9b c61c1d89520d2da756706d397e8e491dec9b4f28fe657f92e16c2ce86096641b c6a2bd0609eddf5fc97d69105bb5a48aebb5190fcc17e20f68dbf576de6e6b3e d2cf3be43e06066949649f60ef43f815b8492201db7c254ddddd7be9fd76d86c d4071f28f73d92395ab561e3cbbbcd2de0df56dcb16695b2ef11fc9bcf254e74 d9b043074983254568cc5e3a8071cc3232df048ed8c53c64206c2ed5a6898c36 e32335a3a077dd27bd589e61d0d6ec39c66505c0410715c71fe1a5522b20198f eb43f6fc78bb9d18c94dbb865bb674e3a7528050a965ec6b8d97dcbfd7e32be5

Coverage

Product Protection
Secure Endpoint This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection

Secure Endpoint



Secure Malware Analytics




MITRE ATT&CK





Win.Packed.Emotet-9938961-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 48 samples
Registry Keys Occurrences
<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\159 48
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CMZYNTUVPXDV.PSU 48
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CMZYNTUVPXDV.PSU
Value Name: Type
48
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CMZYNTUVPXDV.PSU
Value Name: Start
48
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CMZYNTUVPXDV.PSU
Value Name: ErrorControl
48
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CMZYNTUVPXDV.PSU
Value Name: ImagePath
48
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CMZYNTUVPXDV.PSU
Value Name: DisplayName
48
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CMZYNTUVPXDV.PSU
Value Name: WOW64
48
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CMZYNTUVPXDV.PSU
Value Name: ObjectName
48
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CMZYNTUVPXDV.PSU
Value Name: Description
48
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
103[.]42[.]57[.]17 48
198[.]199[.]126[.]144 48
116[.]124[.]128[.]206 30
104[.]131[.]62[.]48 30
195[.]154[.]146[.]35 30
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
wpad[.]example[.]org 25
computer[.]example[.]org 20
vmss-prod-weu[.]westeurope[.]cloudapp[.]azure[.]com 10
vmss-prod-seas[.]southeastasia[.]cloudapp[.]azure[.]com 9
vmss-prod-eus[.]eastus[.]cloudapp[.]azure[.]com 8
Files and or directories created Occurrences
%SystemRoot%\SysWOW64\Qohugesysvrubfz 48
\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-17529550060\msapplication.xml 25
\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-18270793970\msapplication.xml 25
\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-21706820\msapplication.xml 25
\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-4759708130\msapplication.xml 25
\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-6757900\msapplication.xml 25
\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-8760897390\msapplication.xml 25
\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20259167780\msapplication.xml 25
\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20332743330\msapplication.xml 25
\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin8215062560\msapplication.xml 25
\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PCALSGUV\ErrorPageTemplate[1] 25
\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FNF9BE4O\green_shield[1] 25
\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OSZC6DKG\red_shield[1] 25
\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OSZC6DKG\securityatrisk[1] 25
\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PCALSGUV\background_gradient_red[1] 25
\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\XN0IX3V7\shield[1] 25
\Users\user\AppData\Local\Temp\~DFDC2C39424F9DA509.TMP 1
\Users\user\AppData\Local\Temp\~DFDED47B87937D63B6.TMP 1
\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{A9A1FFC5-8C1E-11EC-93F9-00007D818143}.dat 1
\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{A9A1FFC7-8C1E-11EC-93F9-00007D818143}.dat 1
\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{B99AD950-8C1E-11EC-93F9-00007D818143}.dat 1
\Users\user\AppData\Local\Temp\~DF4DA0E9DAC9F0E48E.TMP 1
\Users\user\AppData\Local\Temp\~DFC37042A21CC32FB8.TMP 1
\Users\user\AppData\Local\Temp\~DFC83FE2B5A09576A6.TMP 1
\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{B13870DC-8C1E-11EC-93F9-00007D696926}.dat 1
*See JSON for more IOCs

File Hashes

01c30b6d638e543604e665b8bba7cab8b2245099497b1201944e79fefac875f2 0345b98ce96799d545c2e898ec63a42552f87b525d580bfc9f927e685c0232af 04edc7778fb47e806b9f9dd530aff94adfe9a8c774f81b7e33306819bd8208e9 054ce8c3742070d28122173b7b2d4cfa59f7b0292244b30bfa64602273b4785a 08121e92557cc5d9e1bdbc378a3ef75a7ee4c09b4f49fb55f5654d332b72a2d0 0e5f631b3873af5cb5c577043a6ed333de4a1595ec54247464d9ba51bd55b6c7 10d976e9229f6a2a0d514076b78fbb879a28e1e76f8f09aa74ace5d99dd418a4 1ca2b6885334e73617b9686446ddb5c629c2282d02767dd3bbfe44f7638644f0 1cbd434b014d2d6996993352ddf094fe0fb9e404b0b33e56d8c855fcdec9b941 1f40bcdab5cc2bda5b5e7c07f5a36bdaaaa42bf0c6d8a3bdd8f88baed6051f2d 1f6061e03f4464b70b90438d6ded834b552daa8545b483b696f22f8c79ca68ba 1f84ffa06e07e25b874ea8571893386b9022e4b995a58cd945802effa683f53f 1fecc37b22d029dec895974567cf5683be2ef5dc2bbd611e6c66be942b0a3e7e 2561f84f108dd331b7aa02a0539c05b98043b87e8a0457c66836a16689ebc725 2a8ae4c3ecc8b2d0dd947ea8bea6e6b1a47937a8697140519cd135678fe1be67 2e635efab78b319e444f52aeb1eebda089116e5fa23fc314306b37ee98a0b415 2ef92ca23dbe99f15fe7e50966e0fd953462d0f9e5bac4a34a196550f455b448 30b8527b901768262badd9cfad5df43291be76ea8707499958fb4b15566ba225 310cbaede42857662bb81a3cbfa837e2160151b409bbad0e3189d82efd43b1d5 350456756dafdbd38e9d7f80e32d597bcdefcf32778568fa513655e42ba6b3be 358465bbcaa2d4962f15164149d10635c65e7787f6e7a41e147453dab94f6cee 364d5dc407b8e4d734885dc05693053794f53e7c27e5bbbd08f19634d5a96dc0 389dd4bc7e02fb9c92ab011d7aabedf0ee968f040e5b8dfa52a667e049c5fd72 39afb573b1652f3a20e57993514fb201956a06c5c10aa35fe7ef95b16bcfa821 3c9357729823ed61731a9efaf842d4167ba8427b85f0d4470dce842b9b4368b4
*See JSON for more IOCs

Coverage

Product Protection
Secure Endpoint This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics This has coverage
Umbrella N/A
WSA This has coverage

Screenshots of Detection

Secure Endpoint



Secure Malware Analytics



MITRE ATT&CK





Win.Downloader.Upatre-9938981-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 25 samples
Registry Keys Occurrences
<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\159 25
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
23[.]218[.]129[.]107 25
204[.]93[.]178[.]227 25
35[.]208[.]217[.]200 25
23[.]199[.]63[.]11 13
23[.]199[.]63[.]83 12
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
x1[.]i[.]lencr[.]org 25
apps[.]identrust[.]com 25
bizaroob[.]com 25
faneema[.]com 25
Files and or directories created Occurrences
%TEMP%\realupdater.exe 25

File Hashes

004f55286434d6132a810999f805777b07fe643a33c14c28b097e06c46a756a2 0089402056ea466cfae5eed5d3b1a587fcb920487015f141c56c9a5a8b0217b2 01ed1aeda7cc301132984b8bc979c73c61bbeba3ba71541df8802d1ebb74ad9b 01f15311a6a96d77f80304bc857dc8c4ec28fd2b36b814faa4a5ccc45d0182cf 01fe54e3f429e7f49994c75f3a445074edd44ae5f52ceb801afd3ae50508bebc 02401789563b95c817e861ccd3a20f1c32012d9182102263c1b517272fa09152 03575078822bcd7a4d5b4b8fef627d0b4768037f8a4994d31b3f6828c8e794ef 03906eeed42e4946a05c869c9fbe284fa83103f8bb045af32301dcf00e5e5e7d 04bb67ab78d3d88dd174a720faa88d2a251750611adc5f7be23f30ba896ddda3 06c4903b4ceea193ef4bea2fb02478d5999ffef424b7f9f9a3dcaf17a1f9e96e 06c71d062ca9ba8dc8ffd503b1da028b9f0b8613a90e1dd807b85fe9049cf672 0768d9dfc668f378e23a3049d50c34ff40fc69d70dc7c51e043b3cec7f0815e0 07e1422a7d5d13ad0dc77eb8080d7b4d09dfddc4431b50b99fd113c1302c26ba 08300cc7a3d695e8f1a9bf6426ad9d367fd2cf644ff74866e3b54af4de8b204d 0907292dad67f91c99011a8f1aa2255726731c5c166f0b14d6b9f81a6fcd4faf 097487d9eebf97f07139774f23e6417febf25f2e4267b5165e1a083f430a8a3b 0a906828e86bf4a38a969fff4dcb75c9a838cdabe6513baecb0c34c9f4dbdd38 0aa3cc1cb1e67d3f7b9177d27c5f55c26150909e39c2b196217e16f4016b844c 0b23421d2a090ecb945c319d87ec893005bf66d72f444da909ca7f8f72acd2e8 0d15010f8810cd2a8716af685fb64d0d60ac0b52301a33bc764b3bba1a176349 0e05839cf8fbf2f0ffbd3e8b565f683cf317d74d2e2fee51e4164a55f94e5bc5 0e229ac599c87bb2b8aad7fde176590c6c6b6f0a8fff50923f2d7655b5766ecd 0ef42014b15b17b0b0a6b50324a1209bf7de24b8a1f4556753af6a0b00253ddd 0f1f7d5472f6ab1381bc00e45f036c43970004e96acaa85f4ddc16b70553bd23 0f96e024bda6c7c4b8225fb288137f5c6e7c9b97ac8cf35f82cc8158240d2d4f
*See JSON for more IOCs

Coverage

Product Protection
Secure Endpoint This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

Secure Endpoint



Secure Malware Analytics



MITRE ATT&CK





Win.Trojan.Zegost-9939089-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 25 samples
Registry Keys Occurrences
<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\159 25
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: XXXXXX579E5A5B VVVVVVrr2unw==
24
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: XXXXXX421D9B2A
1
Mutexes Occurrences
AAAAAA9PT0vfT4rqenp70A/Pqpp6+vr58= BBBBBB9PT0vf4Fr7K0sr0A/Pqpp6+vr58= CCCCCC9PT0vQXpr7K0sr0A/Pqpp6+vr58= GGGGGG4wIF/vL7858= XXXXXX579E5A5B VVVVVVrr2unw== 24
AAAAAA9PT0vfj8/QTp9u/+8+n2vQD8+qmnr6+vnw== 1
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
154[.]215[.]25[.]177 24
107[.]165[.]232[.]232 24
127[.]0[.]0[.]1 1
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
www[.]fz0575[.]com 24
www[.]wk1888[.]com 24
wpad[.]example[.]org 24
www[.]af0575[.]com 24
computer[.]example[.]org 23
vmss-prod-weu[.]westeurope[.]cloudapp[.]azure[.]com 10
vmss-prod-eus[.]eastus[.]cloudapp[.]azure[.]com 7
vmss-prod-seas[.]southeastasia[.]cloudapp[.]azure[.]com 6
www[.]kongzipatzi[.]com 1
Files and or directories created Occurrences
%SystemRoot%\XXXXXX579E5A5B VVVVVVrr2unw== 24
%SystemRoot%\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe 24
%SystemRoot%\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe:Zone.Identifier 23
%SystemRoot%\XXXXXX421D9B2A 1
%SystemRoot%\XXXXXX421D9B2A\svchsot.exe 1
%SystemRoot%\XXXXXX421D9B2A\svchsot.exe:Zone.Identifier 1

File Hashes

01bcef8aef33c9fed5117010204765eb15935727f5bd2d033a75496b38b2f752 03216ab54392a2738e59e96098390cd45a66e47c37cae1f2652d866fd6191c2b 0bf6287f4e3d3ab71affb5b8c93a0d64ef79302be7ba391b8e483e5978794d6c 0df341a84058a607e05a87adbee0e3a4420629c64aa08c379909a471130114ca 16be4c10636f884b0d0f49c484c74cfff6ee3d1b1f1ac4efd5b73bd137b19207 1a36784e26051d7bbb42f84f58d256f304f76b84843c9a4eb0e131e94dcd417a 297a7bab94de9c638bd995041283d0c138a1fed556c1bb6adb8b3259c01d1183 31d6e5b67f7d3ff6e8999a57a61c3969682bedbd89203868b199d8d486c49729 353cc5166b6a6dd83a2972532af4fc0e14eb991e5539a8056b9ef2daebe8ad72 3817795d5fbe1e84cb7b4fd18ca58a394d5c46d418be2f32ea56f84139d8cb8f 3a6259022334a4b6e1be149d26f3455cb5b796fe1f5d897bb3b89af91af1cbec 3c9e8bc62d3af2c0e19d90638f49482f6fcecf830e9002ec2d2bdbc359841ba0 3fd79e9c51e5a258a08f9afa295884375bda1f18355f9f8f510243413279f99e 405c030a29ba3040ede04fa451c2b27008537adb60a68ff00570025ba76cc633 4719095e1edd925caacc1c3d3229d60d1459f21b89e6a2529e3c0e73fb8e7630 562844e7860c52a2f4c9f41c4c376c90a00f5981f9476df4e159ba57dff98804 6036a45e9086675cc7ab4e1cf88ed2aeda988b457308e60882c98e7b7cb6c67e 824b14272e7b677bde8d172e8e1c20700fe5b9b69281bce4c6339aca0a22237c 838047d0b03b917a014790a9b9bffbbff55586c54dbcd9d280d8e2273e0772b9 85734d17bd8a593181fb462bf13aab791bf389ff3e0c404c50fef1e4d79e8e3b 8951fc109c179cecfa54dd57cf89e18221c1b4aeb9321c4589ed4c9b259a1bae 8df588dee532e623cf1d4f4611646cf0bc645a13fb83b30acadac9814311bb2a 905d0ed169077965fe1d10c33041295edbb3717967c37512e5b602c1e54ca40b 988c7c3f49fb4e14ac759eb20cdcee391cb48b252fb282000529f69dc8c07910 a5ab1c7e194f1f5b1db207c3db41b3fac6d4a95f866ac6c109d5ab3c07e82581
*See JSON for more IOCs

Coverage

Product Protection
Secure Endpoint This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection

Secure Endpoint



Secure Malware Analytics



MITRE ATT&CK





No comments:

Post a Comment

Note: Only a member of this blog may post a comment.