Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Feb. 18 and Feb. 25. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.
As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org , or ClamAV.net .
For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. A visual depiction of the MITRE ATT&CK techniques associated with each threat is also shown. In these images, the brightness of the technique indicates how prevalent it is across all threat files where dynamic analysis was conducted. There are five distinct shades that are used, with the darkest indicating that no files exhibited technique behavior and the brightest indicating that technique behavior was observed from 75 percent or more of the files.
The most prevalent threats highlighted in this roundup are:
Threat Name
Type
Description
Win.Trojan.Qakbot-9939731-1
Trojan
Qakbot, aka Qbot, has been around since at least 2008. Qbot primarily targets sensitive information like banking credentials but can also steal FTP credentials and spread across a network using SMB.
Win.Malware.Upatre-9939730-0
Malware
Upatre is a malicious downloader often used by exploit kits and phishing campaigns. Upatre downloads and executes malicious executables, such as banking malware.
Win.Trojan.Expiro-9939354-0
Trojan
Expiro is a known file infector and information-stealer that hinders analysis with anti-debugging and anti-analysis tricks.
Unix.Dropper.TinyBanker-9939395-1
Dropper
TinyBanker, also known as Zusy or Tinba, is a trojan that uses man-in-the-middle attacks to steal banking information. When executed, it injects itself into legitimate Windows processes such as "explorer.exe" and "winver.exe." When the user accesses a banking website, it displays a form to trick the user into submitting personal information.
Win.Trojan.Zusy-9939468-0
Trojan
Zusy, also known as TinyBanker or Tinba, is a trojan that uses man-in-the-middle attacks to steal banking information. When executed, it injects itself into legitimate Windows processes such as "explorer.exe" and "winver.exe." When the user accesses a banking website, it displays a form to trick the user into submitting personal information.
Win.Dropper.Gh0stRAT-9939670-1
Dropper
Gh0stRAT is a well-known family of remote access trojans designed to provide an attacker with complete control over an infected system. Capabilities include monitoring keystrokes, collecting video footage from the webcam, and uploading or executing follow-on malware. The source code for Gh0stRAT has been publicly available on the internet for years, significantly lowering the barrier for actors to modify and reuse the code in new attacks.
Win.Ransomware.TeslaCrypt-9939746-0
Ransomware
TeslaCrypt is a well-known ransomware family that encrypts a user's files with strong encryption and demands Bitcoin in exchange for a file decryption service. A flaw in the encryption algorithm allows victims to decrypt their files without paying the ransom. The developers have since released the master key, allowing all encrypted files to be recovered easily.
Threat Breakdown Win.Trojan.Qakbot-9939731-1 Indicators of Compromise IOCs collected from dynamic analysis of 25 samples
Registry Keys
Occurrences
<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\159
25
<HKCU>\SOFTWARE\MICROSOFT\DFWOFIK
24
<HKCU>\SOFTWARE\MICROSOFT\DFWOFIK Value Name: bd63ad6b
24
<HKCU>\SOFTWARE\MICROSOFT\DFWOFIK Value Name: 79eea72
24
<HKCU>\SOFTWARE\MICROSOFT\DFWOFIK Value Name: bf228d17
24
<HKCU>\SOFTWARE\MICROSOFT\DFWOFIK Value Name: f7b512d3
24
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\AIWIGKCO
24
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\AIWIGKCO Value Name: ff0b3567
24
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\AIWIGKCO Value Name: fd4a151b
24
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS Value Name: C:\ProgramData\Microsoft\Ecrirfryzd
24
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS Value Name: C:\Users\Administrator\AppData\Roaming\Microsoft\Xtuou
24
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\AIWIGKCO Value Name: 45f6727e
24
<HKCU>\SOFTWARE\MICROSOFT\DFWOFIK Value Name: 7a96a5f8
24
<HKCU>\SOFTWARE\MICROSOFT\DFWOFIK Value Name: c22ac29d
24
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\AIWIGKCO Value Name: 38fe3df4
24
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\AIWIGKCO Value Name: 80425a91
24
<HKCU>\SOFTWARE\MICROSOFT\DFWOFIK Value Name: 5dfca0e
24
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\AIWIGKCO Value Name: b5dd8adf
24
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\AIWIGKCO Value Name: ca94e529
24
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\AIWIGKCO Value Name: 47b75202
24
<HKCU>\SOFTWARE\MICROSOFT\DFWOFIK Value Name: 88fc7d25
24
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\HANDSHAKE
1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\HANDSHAKE Value Name: data
1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\\SIGNATURES Value Name: pvzqofnent.job
1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\\SIGNATURES Value Name: pvzqofnent.job.fp
1
Mutexes
Occurrences
Global\{06253ADC-953E-436E-8695-87FADA31FDFB}
24
{06253ADC-953E-436E-8695-87FADA31FDFB}
24
{357206BB-1CE6-4313-A3FA-D21258CBCDE6}
24
Global\{280C5EDE-5A47-4F1C-97D3-B8CFE4CF258D}
24
{280C5EDE-5A47-4F1C-97D3-B8CFE4CF258D}
24
Domain Names contacted by malware. Does not indicate maliciousness
Occurrences
wpad[.]example[.]org
25
computer[.]example[.]org
21
vmss-prod-seas[.]southeastasia[.]cloudapp[.]azure[.]com
9
vmss-prod-eus[.]eastus[.]cloudapp[.]azure[.]com
9
vmss-prod-weu[.]westeurope[.]cloudapp[.]azure[.]com
4
Files and or directories created
Occurrences
%APPDATA%\Microsoft\Xtuou
24
\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-17529550060\msapplication.xml
24
\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-18270793970\msapplication.xml
24
\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-21706820\msapplication.xml
24
\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-4759708130\msapplication.xml
24
\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-6757900\msapplication.xml
24
\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-8760897390\msapplication.xml
24
\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20259167780\msapplication.xml
24
\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20332743330\msapplication.xml
24
\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin8215062560\msapplication.xml
24
%ProgramData%\Microsoft\Ecrirfryzd
24
\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PCALSGUV\ErrorPageTemplate[1]
24
\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FNF9BE4O\green_shield[1]
24
\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OSZC6DKG\red_shield[1]
24
\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OSZC6DKG\securityatrisk[1]
24
\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PCALSGUV\background_gradient_red[1]
24
\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\XN0IX3V7\shield[1]
24
%System32%\Tasks\vyotdhyh
1
%System32%\Tasks\hnypxogp
1
%System32%\Tasks\ombvkhjgdu
1
%System32%\Tasks\fgyaiqe
1
%System32%\Tasks\zobkeqp
1
%System32%\Tasks\imzyuyhzi
1
%System32%\Tasks\lounontbs
1
%System32%\Tasks\sgcqrfmdyl
1
*See JSON for more IOCs
File Hashes 0b1034fdf30e8a99253b90e4f2533be12dafc0c05c4934e9e96887048da5c5b4
14754945b1a1735dcb3705fea6219c3c1b7b0b33ddb6952b78d6709016aaf062
1a6128adee1d9bf8887e8fe8f8f4c7e73d53a7bc66eda5f6c7e17e1741678154
1dfd0cd7f3f96c78d6b547bd521229ea732566d7425125822c6fd4d050f919d8
23caabe4b10b9b32aa1092ccf7f570047846fed914aba65c6e4cafdadb4d7bd1
241a809c25c16e3fd47000a11c0a5cb67b34602fab2ea92408760209f86f1ace
2d7541057665c01a71ac38348bd09227c8fa81703738ea331a75674df9791f50
2eb010c78155ab191d8763303ab042028e55071283e596be4fb27479b86b88f1
32fc51a410971fe31f694f40bc36669f365daf6cfece52c552d808a42a657a98
3524142def7ecb8d5d5ded8b2974de205db172a786b2af6423ce7d6f08b73516
382e4e634308270fcced951152d5bc7ad07ad0bce5d4377ae19a011fb4bc3461
44136d6048bc63b3c8b796e3992777525be05013408c32afb99c88078ed26a75
4f01d53a34aa4596ed8f61cde53a1bf717411d6c42decaae5dd18872e1e02737
505979715f1f8b9e9611382553279f1f35728878b0ac4f7103d45b4bff4876dc
6fc9494cc0725723105372bafc59c93c13cfc349c179c5cc149c459149d936a5
8f07d58a67b81cbc4cf0b8879888136938ea3815342439b45fad6c0af203ca9f
8fbd48b9a8b5bd122a76552e79f8b104e60f57b08f61e18e2ba8fe5dc31d3a65
96e5d1f75af0ca91f3bdcc5c79c470a06816e6234d079ab45548d233f25e3c8e
a2ddb37801e023c205a255dbf68886b642ac8c596917c7f7ba57e6eaa67ef01c
aaaac7add78fd2f9eb7638559958432498ed11480acf706d6023923fc75a48ec
abb9d447ca12e6333782aec5bdc9e39dab17fae30eba8437a6c43600eb422476
bcdecf8b43d8ed3c3faff97989ddf1aea315b4dd8c6db67f012b1b10b45bc7f4
c80164413e5f4f1748df022218f2122f869ca36196245d638ed8c9e7d011c977
cc15388524dd09ef8178eba8039ac15d67c84548aab2cc75de0746a1a05f455c
e586a9c8cc23c9ce9bcea5709f4c3204aaae765d2218ada53945fb6f6b4f4485
*See JSON for more IOCs
Coverage
Product
Protection
Secure Endpoint
✓
Cloudlock
N/A
CWS
✓
Email Security
✓
Network Security
N/A
Stealthwatch
N/A
Stealthwatch Cloud
N/A
Secure Malware Analytics
✓
Umbrella
N/A
WSA
N/A
Screenshots of Detection Secure Endpoint Secure Malware Analytics MITRE ATT&CK Win.Malware.Upatre-9939730-0 Indicators of Compromise IOCs collected from dynamic analysis of 25 samples
Registry Keys
Occurrences
<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\159
25
Domain Names contacted by malware. Does not indicate maliciousness
Occurrences
artschoolwiki[.]com
25
homevisitor[.]co[.]uk
25
Files and or directories created
Occurrences
%TEMP%\winupdate.exe
25
File Hashes 01c03c9fb51fab5731ac9feda67c2dca9d5c8a9f20cce906e95d04f467c1247b
032ff0c6822c9fe662f4e88d8f69084ed5c2afb5e8aaa25d491f92733a769f0e
04141d2e5d523c9330c38319bf65c09d7457b2b1a76e7947a82bae6a0bb2e2b9
04dc647aa68e81a3302871b5c8f6ab9e39dbc78e86baee4ef89f05b384248dd8
067a8e4694cbc300b95655215f2d06c5fe1ae13bc24c6d26767f9872fcf4b99a
0920f2c5b661ab515b5dc458525728687d7c8491eb11ff82f793b7ef393961df
09434688944692bf143c160e4fb7f4ddde0fba701962c9a6df264a3e681551af
0a06e0cb78d71eb675b248748b6f15e70521799828f2c9f70b5b250fea85dc36
0bc5da698c2302e513a97f23ed0da0459ce7d2ea2b13ba192a502f896ad8220a
0c4cf436eed580d2d6fb56bfdeb6392aa3781920950e2499423267f90b63623a
0db800525adecac2927171b194b8631ce3db32cb24ec7c30a7f09d106f168967
0ec47acfaca9fa0ddbdfb369beff09dd474c08ffa3948bc699363dd79133c0f1
0f29ecab24ba1ec2315e3bc95d931a5fa2f9c93194a860594028a08ea4a50e1e
10f259a20caa96d5b671a1d92598bcfeca0ca6c809ee88375fc77384dd2a1cb1
112aa1481783d285eb9cc1e138085b7043aeb746b329714881e5c0409fab13bb
124be4b51d3cdebf5cee5dd28eccdcd69671f30ccba97a4fe07977235b3dc942
13297bb21b20fe077052834ad1e19a60774846b69994cc7958140bf40de18e03
1396d81a0a31fab7221eeefe585769a032720e2b4ea90c4b7450861d3de30f15
144e0c1dae8ed0b853eea34b149a5e6342ad3a0df34608f76e34785c688047f3
14acab8a75afd0716cc60db5adf5814c480ca48295b9744afcb1498d4e39f09f
154e98492b50e53b1a47bb1dc3056235748f2b894047a2aebf1b90fcb3005d0a
161ee7b220fcad2a1bedb5f8ca97f332407afe3c822027617003066067aa3c1d
167bbdfc8339451383a68970e67c674f770f997780098b4b1e6ad7b3902589ea
17111baa599385e339e4e4b0cc439d2a81396433a374d3fad2044a9230186d95
172e1a79c2e996be4315281b37ae2a26884fb9a4b86d009c05bb2c256b0e88d0
*See JSON for more IOCs
Coverage
Product
Protection
Secure Endpoint
✓
Cloudlock
N/A
CWS
✓
Email Security
✓
Network Security
N/A
Stealthwatch
N/A
Stealthwatch Cloud
N/A
Secure Malware Analytics
✓
Umbrella
N/A
WSA
N/A
Screenshots of Detection Secure Endpoint Secure Malware Analytics MITRE ATT&CK Win.Trojan.Expiro-9939354-0 Indicators of Compromise IOCs collected from dynamic analysis of 16 samples
Registry Keys
Occurrences
<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\159
16
Mutexes
Occurrences
Global\Multiarch.m0yv-98b68e3c311dcc78-inf
16
Global\Multiarch.m0yv-98b68e3c311dcc78493cd690-b
13
Files and or directories created
Occurrences
%TEMP%\FXSSVCDebugLogFile.txt
16
%TEMP%\FXSTIFFDebugLogFile.txt
16
%APPDATA%\98b68e3c311dcc78.bin
13
File Hashes 0ff6e486fa6096a58d91904f94c2210b539071594f02c90f725c306e56b809ef
459807d060d38e3c515e64a17074523c3e41b71d2301bd2c1d36318977465095
48843a863fc193f31dce6cf373cf389249ce9cb5b555dbaf47882feba4d64288
4fd445e421f8e2e23ae58e32347ccea6e023465d83c62968f962f429c1a5046f
61202fdc14d409685f302421b622c3e61a531ad678247550448a58b15f25d2dd
6954e2ea12f155812f2f91c4535fc1f2714feda9943ad7562f6b755563cce80b
78724b55009f6fd996136a6efc08b6a4c01be337a3785b582d370bdb52639c5f
87b6dbc7e8831f06cc4dadec931e38c4a16f4c5ba32a32d8dd1237896a9abc54
a2551415213a98a6ac993d4784498b2c353b456cc00308c23bb62e513e4479f7
a3c659d02ea1289ae9589a82b670b0815f76fb77899295b3f07ab0bc14a798c9
b10ecc3ca476d9947467c504b8ab5486bc51c29f09fd28d3339df68fb9ff90d0
c42b9422a1364a8bb1f6df2119b624f1a2b1be62e8df90347be6cda769842943
c5ff29244b135a44da3af5ff6645a85f6e9138ce1a0c9bf3f3318d9a98ce19bf
ca50b13ed8a65adc693ad86c6ef5dd371fc31a69e98707695576f942604b082c
e8516eafe5f48ec2ccb5a5e9e44da1a7bf35c1f2fdb1eed922c9e3c3c48e3cfe
f0a6898e0fe37d7e9f7e519415a6d2f2ff24795b9c0ce5123cfd8c351d261dc1
Coverage
Product
Protection
Secure Endpoint
✓
Cloudlock
N/A
CWS
✓
Email Security
✓
Network Security
N/A
Stealthwatch
N/A
Stealthwatch Cloud
N/A
Secure Malware Analytics
✓
Umbrella
N/A
WSA
N/A
Screenshots of Detection Secure Endpoint Secure Malware Analytics MITRE ATT&CK Unix.Dropper.TinyBanker-9939395-1 Indicators of Compromise IOCs collected from dynamic analysis of 25 samples
Registry Keys
Occurrences
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: EEFEB657
25
Mutexes
Occurrences
EEFEB657
25
IP Addresses contacted by malware. Does not indicate maliciousness
Occurrences
216[.]218[.]185[.]162
24
Domain Names contacted by malware. Does not indicate maliciousness
Occurrences
qytufpscigbb[.]com
21
brureservtestot[.]cc
21
wpad[.]example[.]org
21
qytufpscigbb[.]net
20
computer[.]example[.]org
19
qytufpscigbb[.]in
18
ghoyvkjbnldc[.]com
16
qytufpscigbb[.]ru
16
ghoyvkjbnldc[.]net
12
ghoyvkjbnldc[.]in
11
vmss-prod-seas[.]southeastasia[.]cloudapp[.]azure[.]com
8
mqrvhcolvvnu[.]net
8
mqrvhcolvvnu[.]com
8
ghoyvkjbnldc[.]ru
8
vmss-prod-weu[.]westeurope[.]cloudapp[.]azure[.]com
6
fettlijyycee[.]com
6
mqrvhcolvvnu[.]in
6
mqrvhcolvvnu[.]ru
6
vmss-prod-eus[.]eastus[.]cloudapp[.]azure[.]com
5
fettlijyycee[.]net
5
fettlijyycee[.]in
5
ibyxedcowwot[.]com
4
fettlijyycee[.]ru
4
hkleofepnyvv[.]com
3
dtdqmlwwyekt[.]in
3
*See JSON for more IOCs
Files and or directories created
Occurrences
%HOMEPATH%\AppData\LocalLow\EEFEB657
25
%APPDATA%\EEFEB657
25
%APPDATA%\EEFEB657\bin.exe
25
\Users\user\AppData\Roaming\FBF202B5\bin.exe
1
\Users\user\AppData\Roaming\0E82D169\bin.exe
1
\Users\user\AppData\Roaming\10F13085\bin.exe
1
\Users\user\AppData\Roaming\B16F0CF5\bin.exe
1
\Users\user\AppData\Roaming\D2C7E796\bin.exe
1
\Users\user\AppData\Roaming\C4D0C038\bin.exe
1
\Users\user\AppData\Roaming\67EE96FA\bin.exe
1
\Users\user\AppData\Roaming\3DAF51BE\bin.exe
1
\Users\user\AppData\Roaming\20BCD40E\bin.exe
1
\Users\user\AppData\Roaming\A5EF12A4\bin.exe
1
\Users\user\AppData\Roaming\30223BD6\bin.exe
1
\Users\user\AppData\Roaming\0D6A1947\bin.exe
1
\Users\user\AppData\Roaming\1AAE87A0\bin.exe
1
\Users\user\AppData\Roaming\45227357\bin.exe
1
\Users\user\AppData\Roaming\55051539\bin.exe
1
\Users\user\AppData\Roaming\C6E861EA\bin.exe
1
\Users\user\AppData\Roaming\EFB191B3\bin.exe
1
\Users\user\AppData\Roaming\A742215F\bin.exe
1
\Users\user\AppData\Roaming\316BAA75\bin.exe
1
\Users\user\AppData\Roaming\D0D2530A\bin.exe
1
\Users\user\AppData\Roaming\088CE389\bin.exe
1
\Users\user\AppData\Roaming\220AF200\bin.exe
1
*See JSON for more IOCs
File Hashes 04138e25fc560307c0582f6211be0c75da12e3e17a8f1677685019a75a41d625
06a00475c77cb3909941c9c35b5a5e62b4d4e3fc58b13eaf96551c6c730825f1
0907248f4ccd42f068f129618c3fbc3a5260ba02e8eccd5fe0bd47db5ddec462
0e8a192c8610411cbda47ed381ef6ce44f521325a109b248a4796f10b8a9685c
0f769435693488a4fd8a32a6036ece4426d3f899666234349b1f245fb3adac86
10603b3a80377aae714c3ea2c77f6bbff8440e193884299cfdc729098c44606a
11f6114fa7579b0ce1210c9c5c70775c276bbf0480d7210df10b068f63509492
129a5322990bec5cac83cfae70dda0e73fa699b82addf75519687f5ba4e5230d
130977be9a64e5e4b0b2ea10cd1633ac8caf1a157aea14883424f99ec1b58793
139857b0fe76248d1bc12b53ddad04a52bd63f2267bac47b523d46c0919bd4bf
173b4cb0f5ba2a20f51c58e278ad141b7381d7d91a059348d94da53e10525974
1afcfd5865ae7360adb16fe1be7e985b7aa6f0d10b4c4aaead50ff76c2f08eac
1da5aea3b0e85e4909c255314b7038712ef1151ce8285b5ade856bac912b730b
1e687747fbb35a0b5a717c2e4e57180bfe3766b88163e3ed6bc069b595632889
1f99ac80de3628d5336d45bb1f198cb402b840f46e2206be018dfe025c5910da
23ab27d3b5f7b9296870678ee61c3ff7222b3e5e8889340230a8b5dd8ef4e9de
25e534b280b562b7e332663689ca5a958c5b92c6f40d3489d299835609e56be7
29a9ca02e614f670f8b3d9ecbf95f91ce4b74593ec1013a6126d82affaf0ec88
2ff7c641e755009fc4dae7fe04dda40f4bb569b49c5e6e7bd26bd4f5816c2f2f
32d1bb53a4e0d37d6f7f67c083e35adc2a32304889167529aa48aaa59c50e9cb
3344590809af9700d8354de14e06f88fe74f1af24c5554be6ee9a85f33c4e1d9
3359c89dec92af87c6d2ab20189c435a39920f3a635f4f7289b8b3ad12bf3b50
39fc44b6cae7fe9f4a4fe9bc7a0ff666dbdfae855c1b11f6f1b74103c6bc08ea
3ee46fe75e3998f650fed1780cbf42712cbe324b359a2b33e786656ca6d1b889
451bbe6b787620f9f8d12a967203e3433bc359f4753310c16d5fed20642b4cf9
*See JSON for more IOCs
Coverage
Product
Protection
Secure Endpoint
✓
Cloudlock
N/A
CWS
✓
Email Security
✓
Network Security
✓
Stealthwatch
N/A
Stealthwatch Cloud
N/A
Secure Malware Analytics
✓
Umbrella
✓
WSA
✓
Screenshots of Detection Secure Endpoint Secure Malware Analytics Umbrella MITRE ATT&CK Win.Trojan.Zusy-9939468-0 Indicators of Compromise IOCs collected from dynamic analysis of 23 samples
Registry Keys
Occurrences
<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\159
23
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: MSConfig
16
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN
3
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: LANDrivers
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN Value Name: Microsoft
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN Value Name: Mozilla
1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: enujava_ruapp
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN Value Name: Adobe
1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: syslib
1
Mutexes
Occurrences
379F2CEB14B75F818C01D1BDBB9EFD5698B68E3C
3
Global\syiuidsjis
1
mumumumumu
1
IP Addresses contacted by malware. Does not indicate maliciousness
Occurrences
188[.]190[.]120[.]102
16
103[.]9[.]150[.]244
16
104[.]47[.]53[.]36
10
40[.]112[.]72[.]205
7
104[.]47[.]54[.]36
6
204[.]79[.]197[.]203
3
104[.]215[.]148[.]63
2
40[.]76[.]4[.]15
2
40[.]113[.]200[.]201
1
Domain Names contacted by malware. Does not indicate maliciousness
Occurrences
wpad[.]example[.]org
22
computer[.]example[.]org
20
www[.]msftncsi[.]com
19
microsoft-com[.]mail[.]protection[.]outlook[.]com
16
microsoft[.]com
16
www[.]msn[.]com
3
google-analytics-record[.]net
3
cyka-rar[.]ru
2
vmss-prod-eus[.]eastus[.]cloudapp[.]azure[.]com
2
zh53dtcjlmx6fwp6oz1hbw8oyg1jlhm[.]example[.]org
2
vmss-prod-weu[.]westeurope[.]cloudapp[.]azure[.]com
1
c0p1[.]com
1
dgaf2v43[.]com
1
dgaf2v[.]com
1
zh53dtcjlm5wym0hfw94lhfzlhq6mcp5yxdxb2mnc2p8[.]example[.]org
1
lovf43ast[.]com
1
astfv43kol[.]com
1
Files and or directories created
Occurrences
%TEMP%\<random, matching '[0-9]{4}'>.bat
16
%APPDATA%\dhjwctvs
3
%APPDATA%\dhjwctvs\jisgivdt.exe
3
\TEMP\index.htm
2
%HOMEPATH%\dewuuogt.exe
2
\Users\user\zasqqkcp.exe
2
\Users\user\rejwbohp.exe
2
%HOMEPATH%\lydqvibj.exe
1
%HOMEPATH%\efxvvphu.exe
1
%HOMEPATH%\obgtylem.exe
1
%HOMEPATH%\ivansfyg.exe
1
%HOMEPATH%\rejwbohp.exe
1
%HOMEPATH%\lmeccwob.exe
1
%HOMEPATH%\stljjdvi.exe
1
%HOMEPATH%\kldbbvna.exe
1
%System32%\windi32.exe
1
%HOMEPATH%\yzrppjbo.exe
1
%HOMEPATH%\fgywwqiv.exe
1
%HOMEPATH%\tglydqjr.exe
1
%HOMEPATH%\cdvttnfs.exe
1
%HOMEPATH%\vinafslt.exe
1
%ProgramFiles(x86)%\enujava_ruapp\_enlocsigntwain.exe
1
%HOMEPATH%\zasqqkcp.exe
1
%ProgramFiles(x86)%\syslib\appedit64_.exe
1
\Users\user\AppData\Local\Temp\WAX56DC.tmp
1
*See JSON for more IOCs
File Hashes 003d07a8459158e9e15ebf55124ad90f013bc8bbc121016284ff3b37f9ac6d43
18d35d50cd1b9edf9c305e93206f043da99b4d5472a813f0b6eef9c1080128ec
1b85cf3c0f4b8a087b3b77f3d55986f4c8775ac38d2060136eee379598598ecb
1dd28a1ea2dd0c8de9d6420772a3e5a8ed641f522efa988bbe80653d346c58d0
25743004b080d0db5120d357d096145aec0ea873cb6a47e1641812364a958672
26bb20b92ed05a6b862529b7f99f39aa1f33fe753813a9ee49fe888a232cd56d
2e4fd705c684de66c1594af0f29f1a1b2e044557d3db32eedea2c7fec5299cfd
2e78f3956144122d7ff881ad43eb1897ee7ddf187c10440f59c80239a91a0bb7
36cb63ed97d7cf08e083c8b3e926b65e16fa11319c888684c745d2ecb623f57b
4dfe72dc2a4fde76d5c251135da4091fb21379b322be6f935fbd0ea515edd4a9
6a090952cb43a0a4aaca20c9ff0364d7a4ceb6c7c140c1c4036bbb1ffbfe4555
77fe46413fb20ca7466e6626559bf5d90e5c097faef3090275f2a921ee46139a
836350dbe4078f74af31adb8fa5e7621f72d7a8f9160f5cc2363055398699adc
855ee865c08971e8e8250d9d9551df49a710e30684b8e84f280eec74b3b83495
8cda59344da4863d591c651c0d3dd9ce4c5f7c381ca9360e40c389929e9969ea
99ad785c1c454dbedcf96a74a6587838bec9c2a0c5af7c47631db0a6b88e93db
ad56c3634dd10f95b0fa51ff3208daac2167b81846723ee2960fd03a81dcf4f2
af045cd61762f087051f150871802dd4cb998da5e405cbfa132277883b650ff2
bd51a2afec4c871cb4562e742ca84012331aef286b0cfbdad5dc7a9cac389acf
bf4e1b334bbd70d3956e581e68d35a84d0f9b731f0feb1bf77ce38d2991399e5
d865fb25f874704a463a8f507d6f1979cc6e56f15419190fa76f955047382904
e0a2716995090339d0dbf78b9fc9a74ddd39b7ce6a8b8a040a63e16da906a288
e5fbd1effabc1b0990ecb6a5b713dae6fc3a76cfd68730d9e0cdd139ece6ac63
Coverage
Product
Protection
Secure Endpoint
✓
Cloudlock
N/A
CWS
✓
Email Security
✓
Network Security
✓
Stealthwatch
N/A
Stealthwatch Cloud
N/A
Secure Malware Analytics
✓
Umbrella
N/A
WSA
✓
Screenshots of Detection Secure Endpoint Secure Malware Analytics MITRE ATT&CK Win.Dropper.Gh0stRAT-9939670-1 Indicators of Compromise IOCs collected from dynamic analysis of 25 samples
Registry Keys
Occurrences
<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\159
25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: D3D
25
Mutexes
Occurrences
107.163.56.251:6658
25
M107.163.56.251:6658
25
IP Addresses contacted by malware. Does not indicate maliciousness
Occurrences
107[.]163[.]56[.]251
25
107[.]163[.]56[.]246
25
107[.]163[.]56[.]243
25
Files and or directories created
Occurrences
\1.txt
25
%TEMP%\<random, matching '[a-z]{4,9}'>.exe
25
%ProgramFiles%\<random, matching '[a-z]{5,9}\[a-z]{3,9}'>.dll
25
%ProgramFiles%\<random, matching '[a-z]{5,8}'>
25
%ProgramFiles%\mqcdw\11061317
1
%ProgramFiles%\skolq\11061317
1
%ProgramFiles%\mtbhfy\11061317
1
%ProgramFiles%\sgfves\11061317
1
%ProgramFiles%\qxdtcp\11061317
1
%ProgramFiles%\uczmq\11061317
1
%ProgramFiles%\pobbhq\11061317
1
%ProgramFiles%\qdicd\11061317
1
%ProgramFiles%\uvxrx\11061317
1
%ProgramFiles%\erchxkj\11061317
1
%ProgramFiles%\hxfvk\11061317
1
%ProgramFiles%\uafif\11061317
1
%ProgramFiles%\mhpmj\11061317
1
%ProgramFiles%\lxzsp\11061317
1
%ProgramFiles%\crsga\11061317
1
%ProgramFiles%\kpyzlr\11061317
1
%ProgramFiles%\zuxrj\11061317
1
%ProgramFiles%\njjuodp\11061317
1
%ProgramFiles%\erzda\11061317
1
%ProgramFiles%\rbeuduh\11061317
1
%ProgramFiles%\ssivu\11061317
1
*See JSON for more IOCs
File Hashes 0006e56691b554313415b3bec7e6ae78a1593ae941a8128b70d0d04b87d1656e
01a3241a3de53248801fd021d1d992a3f34b2399a87b950e1e0a6d9aff72a646
033240c5d927012b65b0adea538188bf81a2568b8923f3a615b4f28d901a1633
03fe86bb3ed7c4544c82bc9af45325fbba537c49043a39d052a86dab6c64a2c4
04f00148544dc5e6bd03d97c93e9bb339019c72b45d8717a4b04129ee2430cb9
0a1c2dcde823e973decc0492a5a542d70b1c7680097dc94d50cb7d4b90af3f0c
12b1e48007fd27de51f938e9e517edc0f3e009f91a9aab962c5fe8c9afca0368
154073bdd6a1bcc93f82d5f15cd9f0ab73996875cf62e70e7dcb8291bdce080b
1804cf522dc1a0d1751620fda04312cf5d527e7bef91d3c3343ae40f8b801f1b
240234de8278b856a4d95b2943ef9fb12caf36cf3e5036ffd055b4c4e371b2b7
24cb731ccc166964eb5cee3fd03b8e7d71c8d333cb257324eba6590af67070f4
2d95eba16a5954d2334d6b2c31b75f74156a01487d07b27103321e88ca121705
2f1ec03c19ac0e62040228e49b4b1917123bba600505f7140c2f189e216353db
36e02ebb6d4a38a14fbe07e8f90e5bf6ec19a298e6a4cdf6c9d50211e2cf3bcd
48f93b161839a866968dd679b4072b6682438aa488f9882e44f7eb830a499b13
60348c7971fbbe69d4ff495731e0c230a3528b592e7644310f4e34f8c6291ea0
632823e9015d6d1d4f18ae100ebc46aac42181185470ad203f16d28e8ddeaeb0
69277907ac690ba149574cb7353de1d05ed8eddc656cf2d535f541ccd3d9474f
7204ef65384aadcc08793f385e34894acb4ba1003727c2ead856503fb4a28e0b
809c2155d3067ca87879b41b7350fc5b5686946b4b060228ff5ff5e1f62f2e74
8186ee33d3054619582cc511b46d59cf8de2826afe45b53a24dc903fd9520a10
8458105ea443f87903173f381b3b011b2e81b34b5b1837d42e3e523d08eb5692
8a2fdc3eb1065efdd51d1daf1129dd9d1074a40b22273f6341e3e51a8296110a
9b72a0680d942658cd764b6ad4b50fb7ead192f44676f80d97e47f043baec298
adc017ca4348f84c0daa8550c2ef4fa32de847e79e9515b5622469c30169fbf3
*See JSON for more IOCs
Coverage
Product
Protection
Secure Endpoint
✓
Cloudlock
N/A
CWS
✓
Email Security
✓
Network Security
N/A
Stealthwatch
N/A
Stealthwatch Cloud
N/A
Secure Malware Analytics
✓
Umbrella
N/A
WSA
N/A
Screenshots of Detection Secure Endpoint Secure Malware Analytics MITRE ATT&CK Win.Ransomware.TeslaCrypt-9939746-0 Indicators of Compromise IOCs collected from dynamic analysis of 22 samples
Registry Keys
Occurrences
<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\159
22
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM Value Name: EnableLinkedConnections
21
<HKCU>\SOFTWARE\ZSYS
21
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{C8E6F269-B90A-4053-A3BE-499AFCEC98C4}.CHECK.0 Value Name: CheckSetting
21
<HKCU>\SOFTWARE\ZSYS Value Name: ID
21
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: Acronis
21
<HKCU>\Software\<random, matching '[A-Z0-9]{14,16}'>
20
<HKCU>\Software\<random, matching '[A-Z0-9]{14,16}'> Value Name: data
20
<HKCU>\SOFTWARE\7B4192AC0D16A
1
<HKCU>\SOFTWARE\7B4192AC0D16A Value Name: data
1
Mutexes
Occurrences
2134-1234-1324-2134-1324-2134
21
Global\C::Users:Administrator:AppData:Local:Microsoft:Windows:Explorer:thumbcache_idx.db!1646210
1
Global\133ba461-9308-11ec-b5f8-00501e3ae7b6
1
IP Addresses contacted by malware. Does not indicate maliciousness
Occurrences
166[.]62[.]27[.]55
21
35[.]195[.]98[.]220
21
89[.]161[.]139[.]233
21
46[.]17[.]10[.]6
21
34[.]117[.]59[.]81
21
81[.]18[.]219[.]6
21
23[.]199[.]63[.]83
17
78[.]47[.]139[.]102
6
82[.]150[.]140[.]22
6
217[.]170[.]198[.]100
6
173[.]201[.]96[.]1
6
23[.]199[.]63[.]11
5
216[.]239[.]36[.]21
1
82[.]150[.]140[.]67
1
Domain Names contacted by malware. Does not indicate maliciousness
Occurrences
myexternalip[.]com
21
crown[.]essaudio[.]pl
21
gjesdalbrass[.]no
21
graysonacademy[.]com
21
apps[.]identrust[.]com
21
homeopathischdierenarts[.]nl
21
e-slubneobraczki[.]pl
21
www[.]graysonacademy[.]com
18
Files and or directories created
Occurrences
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$I08BO8F.xlsx
21
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$I11KHR4.doc
21
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$I5QKHLN.doc
21
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$I62TWBD.ppt
21
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$I6FZORX.doc
21
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IABMX83.pdf
21
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IAJ2Y6R.pdf
21
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IALGTCS.xlsx
21
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IGTBBSA.accdb
21
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IH49RPF.ppt
21
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IH71GGR.ppt
21
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IJKODPH.pdf
21
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IJP965K.accdb
21
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IKY5R3M.pdf
21
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IMYCSIT.pdf
21
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$ISLP722.doc
21
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IXLC77A.pdf
21
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IXUL2U1.doc
21
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IYSR1FU.ppt
21
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IZ2GMJW.XLSX
21
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$R08BO8F.xlsx
21
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$R11KHR4.doc
21
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$R5QKHLN.doc
21
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$R62TWBD.ppt
21
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$R6FZORX.doc
21
*See JSON for more IOCs
File Hashes 239999ba2bbb65a2455250369fc2dd1a28af528c316b9e641e53382eef742f13
2abea49198f00aa04525e5eb217ebb0e21c7d2eff279cda3e706997ade1999a0
318519a02150b5c6537af0708cef2e5afe371db861beb57b8089e77521fce87b
39994cfe45cc59c2f615b798ef951532eeeba13ffa91ed261afa832d7411a8a4
3c1467cc457aa0522cffe3567d96581e8462789ab64366850e61e3a60c586961
400bd4d15aaa491a3b5d0fb550e2070fea87524b1c87dfafabebe955bf9b72b8
49f1a6657d08ffa82b9add00a8a7b3449375b86267240090c1eb84853041b924
69cc34331ffd42a22e3c617bf595a79a5bb718adc07b321073570e068607b140
69e25e65f16099212f46325fff0dffac3892d3bb7c031ceed9c5b508c82a6632
7021a8c4e87f42314dca73eeb550f50b301f271a5fce3ed700f31fd9de4bd14c
865c739166951d94791aebcb4e4513e170c85b474ea78a7b5474bdcfb97b3732
9e60f0b0745ab98dd82dcf81fc57537b5e507f85dc41356da811cf5fb9cb7bc0
a0230e2dba1bb15fd8ced03a7357dba5de56f75efba77440632a08a051d6f706
b50e26d3da907fbe7e5cf034a75ae3664259a59c09002804243466f0d153fe6a
b6c84dccff68ff1a536620002947e1564ad84134bc6396a03d14ad694de99d2a
c00e53cb0a7fc20e5ac9068607eaa253c8d27e2e9674bcfd960cb5459de6ad75
c184fd7fdbac355ecdd586b00facfbc5c339be0a7cc85e085477fc3b6e2dca0e
df33751b9a341057ab8a9840273e81409ab686a78a7836319a773222ef2e76b7
e592fe2c08d2f9a334dd5d7815d836733f4084e4d3aaecd627932ccbf1285117
f0d18117b7dcf74b860fe1bd90640adc836897d3abe28fbb0bbdc01c69c90e7d
fb3d78953676a472dc3fefcb7ac87326c6f2613ff4ab7b4b32926e18c0a07d93
fec28438569030986b18f7df95bab52208cafe8b4186be5dbbc8e72feb42da6f
Coverage
Product
Protection
Secure Endpoint
✓
Cloudlock
N/A
CWS
✓
Email Security
✓
Network Security
✓
Stealthwatch
N/A
Stealthwatch Cloud
N/A
Secure Malware Analytics
✓
Umbrella
✓
WSA
✓
Screenshots of Detection Secure Endpoint Secure Malware Analytics Malware MITRE ATT&CK