Thursday, February 24, 2022

Threat Roundup for February 18 to February 25


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Feb. 18 and Feb. 25. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post summarizes the threats we've observed by highlighting key behavioral characteristics and indicators of compromise, and by discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. A visual depiction of the MITRE ATT&CK techniques associated with each threat is also shown. In these images, the brightness of the technique indicates how prevalent it is across all threat files where dynamic analysis was conducted. Five distinct shades are used, with the darkest indicating that no files exhibited the technique's behavior and the brightest indicating that the technique's behavior was observed in 75 percent or more of the files.

The most prevalent threats highlighted in this roundup are:

Threat Name | Type | Description
Win.Trojan.Qakbot-9939731-1 | Trojan | Qakbot, aka Qbot, has been around since at least 2008. Qbot primarily targets sensitive information like banking credentials but can also steal FTP credentials and spread across a network using SMB.
Win.Malware.Upatre-9939730-0 | Malware | Upatre is a malicious downloader often used by exploit kits and phishing campaigns. Upatre downloads and executes malicious executables, such as banking malware.
Win.Trojan.Expiro-9939354-0 | Trojan | Expiro is a known file infector and information-stealer that hinders analysis with anti-debugging and anti-analysis tricks.
Unix.Dropper.TinyBanker-9939395-1 | Dropper | TinyBanker, also known as Zusy or Tinba, is a trojan that uses man-in-the-middle attacks to steal banking information. When executed, it injects itself into legitimate Windows processes such as "explorer.exe" and "winver.exe." When the user accesses a banking website, it displays a form to trick the user into submitting personal information.
Win.Trojan.Zusy-9939468-0 | Trojan | Zusy, also known as TinyBanker or Tinba, is a trojan that uses man-in-the-middle attacks to steal banking information. When executed, it injects itself into legitimate Windows processes such as "explorer.exe" and "winver.exe." When the user accesses a banking website, it displays a form to trick the user into submitting personal information.
Win.Dropper.Gh0stRAT-9939670-1 | Dropper | Gh0stRAT is a well-known family of remote access trojans designed to provide an attacker with complete control over an infected system. Capabilities include monitoring keystrokes, collecting video footage from the webcam, and uploading or executing follow-on malware. The source code for Gh0stRAT has been publicly available on the internet for years, significantly lowering the barrier for actors to modify and reuse the code in new attacks.
Win.Ransomware.TeslaCrypt-9939746-0 | Ransomware | TeslaCrypt is a well-known ransomware family that encrypts a user's files with strong encryption and demands Bitcoin in exchange for a file decryption service. A flaw in the encryption algorithm allows victims to decrypt their files without paying the ransom. The developers have since released the master key, allowing all encrypted files to be recovered easily.

Threat Breakdown

Win.Trojan.Qakbot-9939731-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 25 samples
Registry Keys Occurrences
<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\159 25
<HKCU>\SOFTWARE\MICROSOFT\DFWOFIK 24
<HKCU>\SOFTWARE\MICROSOFT\DFWOFIK (Value Name: bd63ad6b) 24
<HKCU>\SOFTWARE\MICROSOFT\DFWOFIK (Value Name: 79eea72) 24
<HKCU>\SOFTWARE\MICROSOFT\DFWOFIK (Value Name: bf228d17) 24
<HKCU>\SOFTWARE\MICROSOFT\DFWOFIK (Value Name: f7b512d3) 24
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\AIWIGKCO 24
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\AIWIGKCO (Value Name: ff0b3567) 24
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\AIWIGKCO (Value Name: fd4a151b) 24
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS (Value Name: C:\ProgramData\Microsoft\Ecrirfryzd) 24
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS (Value Name: C:\Users\Administrator\AppData\Roaming\Microsoft\Xtuou) 24
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\AIWIGKCO (Value Name: 45f6727e) 24
<HKCU>\SOFTWARE\MICROSOFT\DFWOFIK (Value Name: 7a96a5f8) 24
<HKCU>\SOFTWARE\MICROSOFT\DFWOFIK (Value Name: c22ac29d) 24
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\AIWIGKCO (Value Name: 38fe3df4) 24
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\AIWIGKCO (Value Name: 80425a91) 24
<HKCU>\SOFTWARE\MICROSOFT\DFWOFIK (Value Name: 5dfca0e) 24
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\AIWIGKCO (Value Name: b5dd8adf) 24
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\AIWIGKCO (Value Name: ca94e529) 24
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\AIWIGKCO (Value Name: 47b75202) 24
<HKCU>\SOFTWARE\MICROSOFT\DFWOFIK (Value Name: 88fc7d25) 24
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\HANDSHAKE 1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\HANDSHAKE (Value Name: data) 1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\\SIGNATURES (Value Name: pvzqofnent.job) 1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\\SIGNATURES (Value Name: pvzqofnent.job.fp) 1
Mutexes Occurrences
Global\{06253ADC-953E-436E-8695-87FADA31FDFB} 24
{06253ADC-953E-436E-8695-87FADA31FDFB} 24
{357206BB-1CE6-4313-A3FA-D21258CBCDE6} 24
Global\{280C5EDE-5A47-4F1C-97D3-B8CFE4CF258D} 24
{280C5EDE-5A47-4F1C-97D3-B8CFE4CF258D} 24
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
wpad[.]example[.]org 25
computer[.]example[.]org 21
vmss-prod-seas[.]southeastasia[.]cloudapp[.]azure[.]com 9
vmss-prod-eus[.]eastus[.]cloudapp[.]azure[.]com 9
vmss-prod-weu[.]westeurope[.]cloudapp[.]azure[.]com 4
Files and or directories created Occurrences
%APPDATA%\Microsoft\Xtuou 24
\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-17529550060\msapplication.xml 24
\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-18270793970\msapplication.xml 24
\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-21706820\msapplication.xml 24
\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-4759708130\msapplication.xml 24
\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-6757900\msapplication.xml 24
\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-8760897390\msapplication.xml 24
\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20259167780\msapplication.xml 24
\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20332743330\msapplication.xml 24
\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin8215062560\msapplication.xml 24
%ProgramData%\Microsoft\Ecrirfryzd 24
\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PCALSGUV\ErrorPageTemplate[1] 24
\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FNF9BE4O\green_shield[1] 24
\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OSZC6DKG\red_shield[1] 24
\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OSZC6DKG\securityatrisk[1] 24
\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PCALSGUV\background_gradient_red[1] 24
\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\XN0IX3V7\shield[1] 24
%System32%\Tasks\vyotdhyh 1
%System32%\Tasks\hnypxogp 1
%System32%\Tasks\ombvkhjgdu 1
%System32%\Tasks\fgyaiqe 1
%System32%\Tasks\zobkeqp 1
%System32%\Tasks\imzyuyhzi 1
%System32%\Tasks\lounontbs 1
%System32%\Tasks\sgcqrfmdyl 1
*See JSON for more IOCs

File Hashes

*See JSON for more IOCs

Coverage

Product Protection
Secure Endpoint This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

Secure Endpoint



Secure Malware Analytics



MITRE ATT&CK





Win.Malware.Upatre-9939730-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 25 samples
Registry Keys Occurrences
<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\159 25
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
artschoolwiki[.]com 25
homevisitor[.]co[.]uk 25
Files and or directories created Occurrences
%TEMP%\winupdate.exe 25

File Hashes

*See JSON for more IOCs

Coverage

Product Protection
Secure Endpoint This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

Secure Endpoint



Secure Malware Analytics



MITRE ATT&CK





Win.Trojan.Expiro-9939354-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 16 samples
Registry Keys Occurrences
<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\159 16
Mutexes Occurrences
Global\Multiarch.m0yv-98b68e3c311dcc78-inf 16
Global\Multiarch.m0yv-98b68e3c311dcc78493cd690-b 13
Files and or directories created Occurrences
%TEMP%\FXSSVCDebugLogFile.txt 16
%TEMP%\FXSTIFFDebugLogFile.txt 16
%APPDATA%\98b68e3c311dcc78.bin 13

File Hashes


Coverage

Product Protection
Secure Endpoint This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

Secure Endpoint



Secure Malware Analytics



MITRE ATT&CK





Unix.Dropper.TinyBanker-9939395-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 25 samples
Registry Keys Occurrences
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: EEFEB657) 25
Mutexes Occurrences
EEFEB657 25
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
216[.]218[.]185[.]162 24
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
*See JSON for more IOCs
Files and or directories created Occurrences
%HOMEPATH%\AppData\LocalLow\EEFEB657 25
%APPDATA%\EEFEB657 25
%APPDATA%\EEFEB657\bin.exe 25
\Users\user\AppData\Roaming\FBF202B5\bin.exe 1
\Users\user\AppData\Roaming\0E82D169\bin.exe 1
\Users\user\AppData\Roaming\10F13085\bin.exe 1
\Users\user\AppData\Roaming\B16F0CF5\bin.exe 1
\Users\user\AppData\Roaming\D2C7E796\bin.exe 1
\Users\user\AppData\Roaming\C4D0C038\bin.exe 1
\Users\user\AppData\Roaming\67EE96FA\bin.exe 1
\Users\user\AppData\Roaming\3DAF51BE\bin.exe 1
\Users\user\AppData\Roaming\20BCD40E\bin.exe 1
\Users\user\AppData\Roaming\A5EF12A4\bin.exe 1
\Users\user\AppData\Roaming\30223BD6\bin.exe 1
\Users\user\AppData\Roaming\0D6A1947\bin.exe 1
\Users\user\AppData\Roaming\1AAE87A0\bin.exe 1
\Users\user\AppData\Roaming\45227357\bin.exe 1
\Users\user\AppData\Roaming\55051539\bin.exe 1
\Users\user\AppData\Roaming\C6E861EA\bin.exe 1
\Users\user\AppData\Roaming\EFB191B3\bin.exe 1
\Users\user\AppData\Roaming\A742215F\bin.exe 1
\Users\user\AppData\Roaming\316BAA75\bin.exe 1
\Users\user\AppData\Roaming\D0D2530A\bin.exe 1
\Users\user\AppData\Roaming\088CE389\bin.exe 1
\Users\user\AppData\Roaming\220AF200\bin.exe 1
*See JSON for more IOCs

File Hashes

*See JSON for more IOCs

Coverage

Product Protection
Secure Endpoint This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection

Secure Endpoint



Secure Malware Analytics



Umbrella



MITRE ATT&CK





Win.Trojan.Zusy-9939468-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 23 samples
Registry Keys Occurrences
<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\159 23
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: MSConfig) 16
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN 3
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: LANDrivers) 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN (Value Name: Microsoft) 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN (Value Name: Mozilla) 1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: enujava_ruapp) 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN (Value Name: Adobe) 1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: syslib) 1
Mutexes Occurrences
379F2CEB14B75F818C01D1BDBB9EFD5698B68E3C 3
Global\syiuidsjis 1
mumumumumu 1
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
Files and or directories created Occurrences
%TEMP%\<random, matching '[0-9]{4}'>.bat 16
%APPDATA%\dhjwctvs 3
%APPDATA%\dhjwctvs\jisgivdt.exe 3
\TEMP\index.htm 2
%HOMEPATH%\dewuuogt.exe 2
\Users\user\zasqqkcp.exe 2
\Users\user\rejwbohp.exe 2
%HOMEPATH%\lydqvibj.exe 1
%HOMEPATH%\efxvvphu.exe 1
%HOMEPATH%\obgtylem.exe 1
%HOMEPATH%\ivansfyg.exe 1
%HOMEPATH%\rejwbohp.exe 1
%HOMEPATH%\lmeccwob.exe 1
%HOMEPATH%\stljjdvi.exe 1
%HOMEPATH%\kldbbvna.exe 1
%System32%\windi32.exe 1
%HOMEPATH%\yzrppjbo.exe 1
%HOMEPATH%\fgywwqiv.exe 1
%HOMEPATH%\tglydqjr.exe 1
%HOMEPATH%\cdvttnfs.exe 1
%HOMEPATH%\vinafslt.exe 1
%ProgramFiles(x86)%\enujava_ruapp\_enlocsigntwain.exe 1
%HOMEPATH%\zasqqkcp.exe 1
%ProgramFiles(x86)%\syslib\appedit64_.exe 1
\Users\user\AppData\Local\Temp\WAX56DC.tmp 1
*See JSON for more IOCs

File Hashes


Coverage

Product Protection
Secure Endpoint This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics This has coverage
Umbrella N/A
WSA This has coverage

Screenshots of Detection

Secure Endpoint



Secure Malware Analytics



MITRE ATT&CK





Win.Dropper.Gh0stRAT-9939670-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 25 samples
Registry Keys Occurrences
<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\159 25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: D3D) 25
Mutexes Occurrences
107.163.56.251:6658 25
M107.163.56.251:6658 25
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
107[.]163[.]56[.]251 25
107[.]163[.]56[.]246 25
107[.]163[.]56[.]243 25
Files and or directories created Occurrences
\1.txt 25
%TEMP%\<random, matching '[a-z]{4,9}'>.exe 25
%ProgramFiles%\<random, matching '[a-z]{5,9}\[a-z]{3,9}'>.dll 25
%ProgramFiles%\<random, matching '[a-z]{5,8}'> 25
%ProgramFiles%\mqcdw\11061317 1
%ProgramFiles%\skolq\11061317 1
%ProgramFiles%\mtbhfy\11061317 1
%ProgramFiles%\sgfves\11061317 1
%ProgramFiles%\qxdtcp\11061317 1
%ProgramFiles%\uczmq\11061317 1
%ProgramFiles%\pobbhq\11061317 1
%ProgramFiles%\qdicd\11061317 1
%ProgramFiles%\uvxrx\11061317 1
%ProgramFiles%\erchxkj\11061317 1
%ProgramFiles%\hxfvk\11061317 1
%ProgramFiles%\uafif\11061317 1
%ProgramFiles%\mhpmj\11061317 1
%ProgramFiles%\lxzsp\11061317 1
%ProgramFiles%\crsga\11061317 1
%ProgramFiles%\kpyzlr\11061317 1
%ProgramFiles%\zuxrj\11061317 1
%ProgramFiles%\njjuodp\11061317 1
%ProgramFiles%\erzda\11061317 1
%ProgramFiles%\rbeuduh\11061317 1
%ProgramFiles%\ssivu\11061317 1
*See JSON for more IOCs

File Hashes

*See JSON for more IOCs

Coverage

Product Protection
Secure Endpoint This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

Secure Endpoint



Secure Malware Analytics



MITRE ATT&CK





Win.Ransomware.TeslaCrypt-9939746-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 22 samples
Registry Keys Occurrences
<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\159 22
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM (Value Name: EnableLinkedConnections) 21
<HKCU>\SOFTWARE\ZSYS 21
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{C8E6F269-B90A-4053-A3BE-499AFCEC98C4}.CHECK.0 (Value Name: CheckSetting) 21
<HKCU>\SOFTWARE\ZSYS (Value Name: ID) 21
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: Acronis) 21
<HKCU>\Software\<random, matching '[A-Z0-9]{14,16}'> 20
<HKCU>\Software\<random, matching '[A-Z0-9]{14,16}'> (Value Name: data) 20
<HKCU>\SOFTWARE\7B4192AC0D16A 1
<HKCU>\SOFTWARE\7B4192AC0D16A (Value Name: data) 1
Mutexes Occurrences
2134-1234-1324-2134-1324-2134 21
Global\C::Users:Administrator:AppData:Local:Microsoft:Windows:Explorer:thumbcache_idx.db!1646210 1
Global\133ba461-9308-11ec-b5f8-00501e3ae7b6 1
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
Files and or directories created Occurrences
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$I08BO8F.xlsx 21
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$I11KHR4.doc 21
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$I5QKHLN.doc 21
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$I62TWBD.ppt 21
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$I6FZORX.doc 21
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IABMX83.pdf 21
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IAJ2Y6R.pdf 21
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IALGTCS.xlsx 21
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IGTBBSA.accdb 21
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IH49RPF.ppt 21
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IH71GGR.ppt 21
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IJKODPH.pdf 21
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IJP965K.accdb 21
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IKY5R3M.pdf 21
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IMYCSIT.pdf 21
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$ISLP722.doc 21
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IXLC77A.pdf 21
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IXUL2U1.doc 21
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IYSR1FU.ppt 21
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IZ2GMJW.XLSX 21
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$R08BO8F.xlsx 21
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$R11KHR4.doc 21
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$R5QKHLN.doc 21
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$R62TWBD.ppt 21
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$R6FZORX.doc 21
*See JSON for more IOCs

File Hashes


Coverage

Product Protection
Secure Endpoint This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection

Secure Endpoint



Secure Malware Analytics



Malware



MITRE ATT&CK




