Threat Roundup for April 8 to April 15

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between April 8 and April 15. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found herethat includes the complete list of file hashes, as well as all other IOCs from this post. A visual depiction of the MITRE ATT&CK techniques associated with each threat is also shown. In these images, the brightness of the technique indicates how prevalent it is across all threat files where dynamic analysis was conducted. There are five distinct shades that are used, with the darkest indicating that no files exhibited technique behavior and the brightest indicating that technique behavior was observed from 75 percent or more of the files.

The most prevalent threats highlighted in this roundup are:

Threat Name	Type	Description
Win.Packed.Zusy-9942975-0	Packed	Zusy, also known as TinyBanker or Tinba, is a trojan that uses man-in-the-middle attacks to steal banking information. When executed, it injects itself into legitimate Windows processes such as "explorer.exe" and "winver.exe". When the user accesses a banking website, it displays a form to trick the user into submitting personal information.
Win.Packed.Upatre-9942982-0	Packed	Upatre is a malicious downloader often used by exploit kits and phishing campaigns. Upatre downloads and executes malicious executables, such as banking malware.
Win.Dropper.LokiBot-9943279-0	Dropper	Lokibot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered via spam emails.
Win.Malware.Lydra-9943052-0	Malware	Lydra will monitor user activity to steal sensitive information like passwords and setups various persist mechanisms to ensure execution at startup.
Win.Packed.CoinMiner-9943551-1	Packed	This malware installs and executes cryptocurrency mining software. Having an unwanted cryptocurrency miner installed on your machine can lead to a loss of computing power, greater electricity consumption and could be a sign of serious vulnerability in your network or machine.
Win.Downloader.Banload-9943209-0	Downloader	Banload is a banking trojan believed to be developed by Brazilian cybercriminals and is used primarily to infect machines in Latin America. One notable aspect of Banload is its use of custom kernel drivers to evade detection.
Win.Trojan.Ursnif-9943207-0	Trojan	Ursnif is used to steal sensitive information from an infected host and can also act as a malware downloader. It is commonly spread through malicious emails or exploit kits.
Win.Trojan.Zbot-9943213-0	Trojan	Zbot, also known as Zeus, is a trojan that steals information, such as banking credentials, using methods like key-logging and form-grabbing.
Win.Trojan.Bredolab-9943247-0	Trojan	Bredolab is a trojan that downloads and distributes other malware such as botnets and remote access trojans (RATs).

Threat Breakdown

Win.Packed.Zusy-9942975-0

Indicators of Compromise

IOCs collected from dynamic analysis of 26 samples

Registry Keys	Occurrences
`<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\159`	25

IP Addresses contacted by malware. Does not indicate maliciousness	Occurrences
`209[.]197[.]3[.]8`	6
`69[.]164[.]46[.]0`	6
`23[.]207[.]202[.]23`	4
`72[.]21[.]81[.]240`	2
`23[.]207[.]202[.]17`	2
`8[.]250[.]91[.]254`	1
`8[.]253[.]141[.]91`	1
`23[.]199[.]71[.]185`	1
`69[.]164[.]46[.]128`	1
`8[.]253[.]157[.]121`	1

Files and or directories created	Occurrences
`%TEMP%\iobit.cab`	25

File Hashes

00ca7c4cda670300bc65fe22249647c4a673e0e0106a5a795e62b06613bc50c8
0151858f4f8f1af97eb69cce0fa6aab8d67eae55e4cfba4d65f03d43b38693a9
064269c3ec0dab07c31ea17e3fc746cd4bc26e5f8666d004a70169ba49e8d5da
064d96c0cebcf1fef5ad3c1ed915e8ad2d24206616db968373fb44275f239830
0819aa1b0a3572faafde9bc9034a0ae04c67a8ee45b3c2345a3e9766559497c5
0b84a6040d3d228ab0b3c53f22ab54f7399a1988d13dec2b7db8916dc6067116
119f29c6cb168d5e25c9153b04ea66bda5d0f4cdf497d23bb1a5594803039e68
18e4586225c1d561e2f4107363dfb8f85a46b93a3e6aa5b4c8f492cfa7392188
2048b090182f5b71af99969b467d522243d045cd0b4cc7436a7b5234a5bba139
24fd1f0e5d8a10c1062fdc0cc8ab0340ce44265e3030e25207a753e7dcfd7aba
2779990ef256a393a026859decf091a510df5e836d29a1b967735ea5a66cbb4f
28b9c3f7e98ceaa8f21fcc2b99e4545fc0e53d0ed5915ebf8b84cbfda27f2c8f
29b801745d23c51aa03ad2bfbeef901b7f0c53184579975454730fc5e08ab020
31edf87cbeddde14b6c67bffa884003b227dbe3644affed8f01661aa289ec6a8
38fd87934ceafb3cfce6523309af48fbfefc55282e31625d9dee93d7cf67e432
3f8d5ce55c1c841fd7a0e9e61b77242b39a0f9a6025db404f49e9d4f010bef39
43da4bb856e1e42804dcfeb3ad43bb271bea0ad56d7ed032d532d56cc95156c3
4a967cdab24007d669cd001a55d10caa8f189122d6cb85461a366598f53b7c6a
4b91d04f375264cac5e56781d60afd8dc8e56ad5671ab5c74ba7095d8a9298ba
4e563ffc56777cd3a52527192a73194db7833930fe91b07245c875a90deaa536
4f9dc0dc48926623160616b091aeb284cf83859a435e4cd77d9e4cb5fa6e9974
50430dfc474b22f41776e5227277f053cf234a76eebea29743428577f9971abb
576c79c2826d2f8f90ed0bc715c757ee0ca20c29d8963ac16d344f7bc12f54fe
5b7c45a42f8c3e19c62a641bd57bd9c1f6a15122b4d3292d6eed29338f5ca49f
62e51f707e0a4eba266478889d34098d902290184224a3c52a1dd158fb6308bc

*See JSON for more IOCs

Coverage

Product	Protection
Secure Endpoint	✓
Cloudlock	N/A
CWS	✓
Email Security	✓
Network Security	N/A
Stealthwatch	N/A
Stealthwatch Cloud	N/A
Secure Malware Analytics	✓
Umbrella	N/A
WSA	N/A

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Packed.Upatre-9942982-0

Indicators of Compromise

IOCs collected from dynamic analysis of 51 samples

Registry Keys	Occurrences
`<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\159`	43

IP Addresses contacted by malware. Does not indicate maliciousness	Occurrences
`209[.]99[.]40[.]222/31`	8

Domain Names contacted by malware. Does not indicate maliciousness	Occurrences
`chinasemservice[.]com`	44
`abaseenexpress[.]com`	44
`chinasemservice[.]com[.]example[.]org`	1

Files and or directories created	Occurrences
`%TEMP%\codecsupdater.exe`	51

File Hashes

0150aa5e83bee1a3f65aaf09f416d9a23b343ce5aefe55fc6c8994723610e8ab
03115338d5e9fe28bd51851b94131369b7d24dd76ba5c6d2e3885a3c4f148309
031cfb505caf6c25ab0ee17f729b8a7e0937abf39de0061346e7ab6315fbbb49
0337f132d6bc4a6b8ea59e139d1656bec47c930c6bd2dc941e77c9526b19f2e4
04480a1f6babfd85e7eeb367b9165e3db6a3f88d22146e0798f420c3180f536c
061955b79210fb116e3ad0ade3de3f96d6b22b0511ee0c356563814c70541816
065622668b5d7b788f7e32bb2873687d82f49bdff652aa9c3eb6179c2f95cd08
06909fc9acfe5c34a54c3fdc7c4e0c45e555751396326106beb87c568d60fdc0
075e03f0c33a116c950ee18b57fab3c1f17407a770bd83900a864b188e2af952
078855820c1e0459c5749e88ad4e521a0fa8202a1dc67ce102414231678ad7b3
082f16da4cce0ff924c17a2199aabf920f6f7aa0cd11f73922fa13aa50cb95ba
085fa2f0520d3169f46209a44609a0914044b6e3b6c96904ed39d9daeca4958b
0a0d6756018143c7eff17b1e6f3810f3e4d06073abe9340a846315c17adce8ba
0bd43ca569025cced584acd820f3d53dba4d983167fced0d3aecb9d4738f8153
0c12866c0b930a21049b5de56f00a4c78d756323201a2f244575ddf077fe56e9
0d7a7252e6cad31f8bef88b8e5fbdac911113ebfbf9af4128c6ce4f0a7ff47ae
0de47f13c38b0f689a54bc3fc0414370373cef6f6b629ed186fdef46eb82a13a
0e2f01836457ceb98651bbb57ea7d086578c06a0f2d02fbe7b695b994467ae94
0f48d8be6715621198fb92557ac94dc1a7f1a90de66e6faa2c0ddfb94e69a6b5
0f4a594fdd04e460e540b5a5ee640577eafbb54ba9968a0d0bae50d6e483a575
11c1e38faf94c073efac2ddd73951a8478302602ebd8bdd54163603ef33d3119
12ebef92f7fa14b27e5f4c984b43f84709f53f8b37459be900b198e695942f5d
13f15e6cc3d1c1b1e05465d4c271c601bd68036b8653bd29669d5c3df04bc274
148b3324b42a162c3865902a3e9aca00dbf50876aa0047a28a649a67364b5ca5
18c684116653e4e7e23897c7c1217c521d33d665e1e6d44fdf3b64e8504719ed

*See JSON for more IOCs

Coverage

Product	Protection
Secure Endpoint	✓
Cloudlock	N/A
CWS	✓
Email Security	✓
Network Security	✓
Stealthwatch	N/A
Stealthwatch Cloud	N/A
Secure Malware Analytics	✓
Umbrella	N/A
WSA	✓

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Dropper.LokiBot-9943279-0

Indicators of Compromise

IOCs collected from dynamic analysis of 15 samples

Registry Keys	Occurrences
`<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\159`	13
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\LMSNJ3K19A`	1
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\UAEQ4XP3BO`	1

Mutexes	Occurrences
`3749282D282E1E80C56CAE5A`	5
`A16467FA7-343A2EC6-F2351354-B9A74ACF-1DC8406A`	1
`ShfUyrjkgxS`	1
`GOcpDrmRrr`	1
`1Q428U018XW5JGMZ`	1
`L44ORQ279W4VWGXB`	1
`J77NCD60FWYVYWLG`	1
`NN9A51T1C0YGG3LD`	1
`XTKgIkviKodtOHP`	1
`Global\d38f5721-b7de-11ec-b5f8-00501e3ae7b6`	1
`RcYZAldLNwbOFxN`	1

IP Addresses contacted by malware. Does not indicate maliciousness	Occurrences
`127[.]0[.]0[.]1`	4
`132[.]226[.]247[.]73`	3
`52[.]168[.]117[.]173`	3
`164[.]90[.]194[.]235`	3
`34[.]102[.]136[.]180`	2
`91[.]193[.]75[.]183`	2
`198[.]71[.]232[.]3`	1
`192[.]64[.]119[.]254`	1
`172[.]67[.]188[.]154`	1
`104[.]21[.]19[.]200`	1
`142[.]250[.]80[.]115`	1
`193[.]122[.]6[.]168`	1
`193[.]122[.]130[.]0`	1
`132[.]226[.]8[.]169`	1
`217[.]160[.]0[.]195`	1
`13[.]250[.]255[.]10`	1
`3[.]64[.]163[.]50`	1
`199[.]59[.]243[.]200`	1
`34[.]205[.]248[.]193`	1
`193[.]42[.]113[.]194`	1
`62[.]197[.]136[.]176`	1
`195[.]133[.]10[.]94`	1
`163[.]44[.]185[.]222`	1
`156[.]226[.]250[.]151`	1
`164[.]155[.]213[.]132`	1

*See JSON for more IOCs

Domain Names contacted by malware. Does not indicate maliciousness	Occurrences
`wpad[.]example[.]org`	14
`computer[.]example[.]org`	4
`clientconfig[.]passport[.]net`	4
`checkip[.]dyndns[.]com`	3
`checkip[.]dyndns[.]org`	3
`onedsblobprdeus16[.]eastus[.]cloudapp[.]azure[.]com`	3
`freegeoip[.]app`	2
`vmss-prod-eus[.]eastus[.]cloudapp[.]azure[.]com`	2
`vmss-prod-weu[.]westeurope[.]cloudapp[.]azure[.]com`	2
`sempersim[.]su`	1
`www[.]eduardoorosc[.]club`	1
`www[.]toarugakusei[.]com`	1
`www[.]galabet0350[.]com`	1
`www[.]consumerproducts[.]guide`	1
`www[.]lasikcomplications[.]online`	1
`www[.]payerick[.]com`	1
`www[.]microbankingsoftware[.]com`	1
`www[.]gclwxs[.]com`	1
`www[.]michael-grant-ii[.]com`	1
`www[.]evcs4[.]com`	1
`www[.]stripmywalls[.]com`	1
`www[.]trithucmo[.]com`	1
`www[.]tangoespasion[.]com`	1
`www[.]migummi[.]com`	1
`www[.]payments-gate-325r[.]xyz`	1

*See JSON for more IOCs

Files and or directories created	Occurrences
`%APPDATA%\D282E1`	5
`%APPDATA%\D282E1\1E80C5.lck`	5
`%APPDATA%\Microsoft\Crypto\RSA\S-1-5-21-2580483871-590521980-3826313501-500\a18ca4003deb042bbee7a40f15e1970b_d19ab989-a35f-4710-83df-7b2db7efe7c5`	5
`%System32%\Tasks\Updates`	5
`\Users\user\AppData\Roaming\7C7955\5D4644.lck`	5
`\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1160359183-2529320614-3255788068-500\a18ca4003deb042bbee7a40f15e1970b_24e2b309-1719-4436-b195-573e7cb0f5b1`	5
`%TEMP%\tmp<random, matching [A-F0-9]{1,4}>.tmp`	5
`%TEMP%\37FFCBBC\api-ms-win-core-rtlsupport-l1-1-0.dll`	1
`%TEMP%\37FFCBBC\api-ms-win-core-string-l1-1-0.dll`	1
`%TEMP%\37FFCBBC\api-ms-win-core-synch-l1-1-0.dll`	1
`%TEMP%\37FFCBBC\api-ms-win-core-synch-l1-2-0.dll`	1
`%TEMP%\37FFCBBC\api-ms-win-core-sysinfo-l1-1-0.dll`	1
`%TEMP%\37FFCBBC\api-ms-win-core-timezone-l1-1-0.dll`	1
`%TEMP%\37FFCBBC\api-ms-win-core-util-l1-1-0.dll`	1
`%TEMP%\37FFCBBC\api-ms-win-crt-conio-l1-1-0.dll`	1
`%TEMP%\37FFCBBC\api-ms-win-crt-convert-l1-1-0.dll`	1
`%TEMP%\37FFCBBC\api-ms-win-crt-environment-l1-1-0.dll`	1
`%TEMP%\37FFCBBC\api-ms-win-crt-filesystem-l1-1-0.dll`	1
`%TEMP%\37FFCBBC\api-ms-win-crt-heap-l1-1-0.dll`	1
`%TEMP%\37FFCBBC\api-ms-win-crt-locale-l1-1-0.dll`	1
`%TEMP%\37FFCBBC\api-ms-win-crt-math-l1-1-0.dll`	1
`%TEMP%\37FFCBBC\api-ms-win-crt-multibyte-l1-1-0.dll`	1
`%TEMP%\37FFCBBC\api-ms-win-crt-private-l1-1-0.dll`	1
`%TEMP%\37FFCBBC\api-ms-win-crt-process-l1-1-0.dll`	1
`%TEMP%\37FFCBBC\api-ms-win-crt-runtime-l1-1-0.dll`	1

*See JSON for more IOCs

File Hashes

2e89152cfb3f9aaee24b467599484e40217244eb78f741a8a2674bfe0cfd08c1
3cd1556b34b6a2bb1cc150fb4be1ea3a5a0f45b1e69d196a4dfc3474cd5db89d
3ea19f45dd5b9c5ed0e6f371d7e92afda076c69e6a43eafc3c83337819eee56a
4ab5f981c833f0d1fc59d09841e2f0abbd274737150becd71c17c6aabe1c5039
557388a8f638f4237c3db3317dd8c0033e042778735ab0109ed8471eb0045ecf
5cc3e095833d249e531097b871ac3eabd9c2c3df1b21c2d781ccdd353a3ec91e
86f47e6d0a37b35eab11fdb845471d0ccd44d2d25be5a519b6914f45630cc15a
9063f6b4b4021db3c623e82b3834036c5ad99e56563bdb06ad26374de8e843ba
9d5d8e53fb73ba5454d56d0eac87db697e680f4d6f5e21bf01059ba43fe35668
cb17dbe8ccea9008ff815274c4288c3af751f475b67605d9117aadaf0d333997
d554dc985ea0f449a75725476124148e883d83d167245617a981c4d73cc199fd
d576c8213ccfc3512483f2667fdc7a9926746369aa06b2982522adf21bb736d6
d65712c07c5f14c0c4be8d3f67fb71db5e80c1ac41832ba018304f3b73dec719
d88a68b1ab516aa6ef3bdf0f5eb025ebd2da3201e2cd4afe049ca5fd3dfe05cd
f96d98b236e079d747cd75e6b0f6beb4054479e59c7e1c93dfd48b0e35b2f66d

Coverage

Product	Protection
Secure Endpoint	✓
Cloudlock	N/A
CWS	✓
Email Security	✓
Network Security	✓
Stealthwatch	N/A
Stealthwatch Cloud	N/A
Secure Malware Analytics	✓
Umbrella	✓
WSA	✓

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Malware.Lydra-9943052-0

Indicators of Compromise

IOCs collected from dynamic analysis of 30 samples

Registry Keys	Occurrences
`<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\159`	30
`<HKLM>\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A} Value Name: ThisEXE`	20
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: lsassv`	18
`<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN Value Name: msrpc`	18
`<HKCU>\SOFTWARE\WINRAR\GENERAL Value Name: Sound`	18
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE\AUTHORIZEDAPPLICATIONS\LIST Value Name: c:\windows\servicew.exe`	18
`<HKCU>\SOFTWARE\WINRAR`	18
`<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN`	18
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN`	18
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE\AUTHORIZEDAPPLICATIONS\LIST`	18
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNSERVICES`	18
`<HKCU>\SOFTWARE\WINRAR\GENERAL`	18
`<HKLM>\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}`	17
`<HKCU>\SOFTWARE\SMART_SCAN`	16
`<HKCU>\SOFTWARE\SMART_SCAN\SMART_SCAN`	16
`<HKCU>\SOFTWARE\SMART_SCAN\SMART_SCAN\RECENT FILE LIST`	16
`<HKCU>\SOFTWARE\SMART_SCAN\SMART_SCAN\SETTINGS`	16
`<HKCU>\SOFTWARE\SMART_SCAN\SMART_SCAN\SMART_SCAN`	16
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MSORCVP`	15
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: msorcvp`	15
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN Value Name: msorcvp`	15
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNSERVICES Value Name: msorcvp`	15
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MSORCVP Value Name: DependOnGroup`	15
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MSORCVP Value Name: DependOnService`	15
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MSORCVP Value Name: Description`	15

Mutexes	Occurrences
`Global\59439441-b6f3-11ec-b5f8-00501e3ae7b6`	1
`Global\68ab0f81-b6f3-11ec-b5f8-00501e3ae7b6`	1

Domain Names contacted by malware. Does not indicate maliciousness	Occurrences
`wpad[.]example[.]org`	25
`computer[.]example[.]org`	19
`vmss-prod-eus[.]eastus[.]cloudapp[.]azure[.]com`	12
`vmss-prod-weu[.]westeurope[.]cloudapp[.]azure[.]com`	12
`www[.]msftncsi[.]com`	9
`vmss-prod-seas[.]southeastasia[.]cloudapp[.]azure[.]com`	6

Files and or directories created	Occurrences
`%SystemRoot%\iecomn.dll`	20
`%SystemRoot%\servicew.exe`	20
`%SystemRoot%\setupiwz.dll`	20
`%SystemRoot%\unrar.dll`	20
`%SystemRoot%\viaud.dll`	20
`%ProgramData%\Microsoft\Windows\Start Menu\Programs\Startup\AdobeGammaLoader.scr`	18
`%SystemRoot%\calc.exe`	18
`%SystemRoot%\lsassv.exe`	18
`%SystemRoot%\msrpc.exe`	18
`%SystemRoot%\mui`	18
`%SystemRoot%\mui\rctfd.sys`	18
`%SystemRoot%\regedit2.exe`	18
`\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\S1K2FD68\www.bing[1].xml`	18
`\Documents and Settings\All Users\Start Menu\Programs\Startup\AdobeGammaLoader.scr`	18
`%SystemRoot%\ole32.dll`	18
`%SystemRoot%\pool32.dll`	18
`%SystemRoot%\Temp\tks1.tmp\META-INF\signatures.xml`	17
`%SystemRoot%\Temp\tks1.tmp\message.xml`	17
`%SystemRoot%\Temp\tks1.tmp\mimetype`	17
`%SystemRoot%\msorcvp.exe`	15
`%SystemRoot%\smart_scan.exe`	12
`%SystemRoot%\smart_scan_eng.exe`	4
`%SystemRoot%\woron_scan_1.09_eng.exe`	4
`%SystemRoot%\servms.exe`	3
`\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\INetCookies\CD26LHZL.txt`	1

*See JSON for more IOCs

File Hashes

09f2388dacbe3d50df9f104bba77ffc8866e2d71827eba15a53f8fc943c1d59e
0dc3f18cd8840916c3cc6e481ba39e9dd35e7b410816e7bc82133bb7e05d3e6e
0f166551e865da185662a2f71ef0d64521f1554be174c0f7e2bd8d44d02ccc69
128f9fad1fd6d4c61a2f5fb3ee5bbd5bcabf15f73c89ceddd816102e52156bc3
14b9ceba92c03832303b4e168ae02040808d4627ae7eec3d9ae6f10d548c3de0
15d97d53e293b73f3d0337d6ce94554159fa686f831f0adaf7acb0ef5851c3e3
1cc4db7bd0b80b86907654bc7cffad4cb075836a47386324cffa3090ec26ce85
2b46dd145a0ce192005b3810dbcccf4e954fdeb83e447dcada03b899b0ed9ae4
2cddab879e997d08b85ac4ccafeac2ff7433ab5d48e52dd5dd930fd471485e03
313b0792573b08e5ad6266858c45d624da6b759f0cd36e7a140b60479a192a12
31c50e33c2f46b0e3fd16769df950caae32d0b0f39e2dfd9352e4ad610566608
3acbb8c2603812159c09e2d8a55bf0d0f51caea52bc478c7ce25c13c019bcf78
5241f116904a6bd6a6165f3b017683209c3dd0da1f4cc6f618a766a9c3b20827
53545c5ae81ea8b75a6fa94331aa906271adcaddeae675817a25650e8a874e43
552324621c91b8b07255d6bf8ff8a5b3aa4deb196a9e226e53cf0f6f7cd75bce
5e1caf77eec956a0a0ca4f1698852d697a8bc01cda546ac447e089844a32de4e
5e2082ca86065448d21059b22422a3923d020c2a1b2e54b863b73adf4a8aa04a
6a39d49f4272bd1d308f3c1528d086a83e88763461211576f78f669a0b2e0401
7fe37752b63ba470bc8a520b1c78c1a220dd42dea63d4328b2fc02ebf8edd819
810591beb27efe7b5a6e052247f872a128c6b2e08b6d2f02bf9ad3760293807f
8792514fda528bf940612e6dd3e7b6c146d112c858e7c234e3eb4178e23a5cba
9024c00da7dede2b35fcb56b31ab2fd863ee21bd0544b242823585af7b6edff7
9479afa1493073b4eaeb85046180765e880c7b8858758ddc4417e543f495e890
9c4d6fc8aaa59ed09f3e086746a0c97a91116200952baa2e57148136d30c5868
9fa0d09b0a36620f5a192d51a0a60b7273f7bb87e7c238d5b30801dc21d4566a

*See JSON for more IOCs

Coverage

Product	Protection
Secure Endpoint	✓
Cloudlock	N/A
CWS	✓
Email Security	✓
Network Security	N/A
Stealthwatch	N/A
Stealthwatch Cloud	N/A
Secure Malware Analytics	✓
Umbrella	N/A
WSA	N/A

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Packed.CoinMiner-9943551-1

Indicators of Compromise

IOCs collected from dynamic analysis of 22 samples

Registry Keys	Occurrences
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: Driver`	22
`<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\159`	16
`<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\160`	1

Mutexes	Occurrences
`Local\SHResolveLibrary:C:/Users/Administrator/AppData/Roaming/Microsoft/Windows/Libraries/Music.library-ms`	1

IP Addresses contacted by malware. Does not indicate maliciousness	Occurrences
`91[.]106[.]207[.]25`	22
`107[.]189[.]6[.]214`	22

Domain Names contacted by malware. Does not indicate maliciousness	Occurrences
`xxx01xzb[.]beget[.]tech`	22
`wpad[.]example[.]org`	10
`vmss-prod-weu[.]westeurope[.]cloudapp[.]azure[.]com`	5
`vmss-prod-eus[.]eastus[.]cloudapp[.]azure[.]com`	4
`vmss-prod-seas[.]southeastasia[.]cloudapp[.]azure[.]com`	2
`computer[.]example[.]org`	1
`clientconfig[.]passport[.]net`	1

Files and or directories created	Occurrences
`%APPDATA%\Sysfiles`	22
`%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\Driver.url`	22
`%APPDATA%\Sysfiles\Driver.exe`	22
`%ProgramData%\MinerFull.exe`	22
`\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Driver.url`	21
`\Users\user\AppData\Roaming\Sysfiles\Driver.exe`	21
`\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\517571842.exe.log`	1
`\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\517571850.exe.log`	1
`\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\517571856.exe.log`	1
`\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\517571858.exe.log`	1
`\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\517571860.exe.log`	1
`\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\517571862.exe.log`	1
`\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\517571872.exe.log`	1
`\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\517571868.exe.log`	1
`\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\517571876.exe.log`	1
`\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\517571878.exe.log`	1
`\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\517571884.exe.log`	1
`\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\517571888.exe.log`	1
`\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\517571894.exe.log`	1
`\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\517571896.exe.log`	1
`\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\517571900.exe.log`	1
`\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\517571864.exe.log`	1
`\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\517571870.exe.log`	1
`\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\517571880.exe.log`	1
`\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\517571882.exe.log`	1

*See JSON for more IOCs

File Hashes

03507f8d08e3b244af93c195fadc91d49bd064540da0b01e8f3c27beb408f8ed
0884bbce5dc7970bff62bbcdf705111476ef7ce97e7f9fce5571dbad5204e3b5
12b5daa93d2530d2bede239359da5d8fd3df493e03eb835c74a3f83e24edce9d
1a121158f346bf5b8aebecd8091b4da83d7df336040b9bf34b55f79cf9775ab5
3487379791f3ee7152b86e560cd8fbdd26cd67b2ec5b4aec1fd9bd3301419c29
3a9d3ffdd474145daa7f1294c8bcda93ebaf344f9689dc50a24e09bf48c5ffbf
46394ebc93d17977605ef39be9d34a2ba3b4511d4236bfb852246fcddfe6bbd6
6d974f8f6a3d24b212c699d0ab41df730955ebdf3c97caeeb7996d6f27ec4b28
7e209952589d813a04e17ff18632c388b4cebac44330d09c6e68249328e757ca
823e861813c4dc5fd4b1c2e1e1ae6d45ff7e1a9c18117e61e912db61b2c2553b
8f3b73f1f3ac7cf2179839be5192e70ffeef6cfd420a366b9abbc2cda22cc6d5
a059e3493f0686830a6f0685110485faf41dacb6b870de2237f6797a88e85b2f
a49cf546bf6bc8147d8145877b9b78b516537b90f4d9a42a6dca4816dc73772e
a599eabac8b44b2ae4f49f1ca8609709c267ff66727e7d4f37d800357ca22e12
a59fce1ba639046a1b2495e2905fb2910840ae684cb684b59d8fc6f9eec74256
ac239d27b0230be4d0014ec0d25b765f6f44ad8c734163d26aed7b1ab3e50f18
c8b4798cf8c444b3dcc37d8f2a63a9ac3498abe9cdcf7f14cb0715746e845a9d
c972e14e6407ecbb71f4e5cd3a95ca5137e353dcac976093fde3f5da1ebe2c20
cfee4ac47ed2f10d6b68be098c09435bad1b953dac2883f9a4e819a1cb168b7b
d45fe69d2b8abea7cf560bcc5ccf3a8def3ca285c4c8fef1f4ef1c239cf83320
dc9022e022cc009449688d9f55c96dffdb3a1e4d33587d501b8cbd7b739afb45
e929be6849e4241a1f25b057a741b59c6d467fc6beac8ec32031a70b0bf028b4

Coverage

Product	Protection
Secure Endpoint	✓
Cloudlock	N/A
CWS	✓
Email Security	✓
Network Security	✓
Stealthwatch	N/A
Stealthwatch Cloud	N/A
Secure Malware Analytics	✓
Umbrella	N/A
WSA	N/A

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Downloader.Banload-9943209-0

Indicators of Compromise

IOCs collected from dynamic analysis of 25 samples

Registry Keys	Occurrences
`<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\159`	25

IP Addresses contacted by malware. Does not indicate maliciousness	Occurrences
`162[.]125[.]8[.]15`	5
`162[.]125[.]6[.]15`	5
`66[.]228[.]55[.]6`	3
`23[.]218[.]129[.]107`	2
`51[.]254[.]152[.]94`	2
`201[.]33[.]26[.]76`	1

Domain Names contacted by malware. Does not indicate maliciousness	Occurrences
`wpad[.]example[.]org`	25
`dl[.]dropbox[.]com`	5
`edge-block-www-env[.]dropbox-dns[.]com`	5
`www[.]divixonde[.]com[.]br`	5
`computer[.]example[.]org`	3
`www[.]exnetworksolucoes[.]com`	3
`www[.]acreunagoias[.]com[.]br`	3
`www[.]encontragoiania[.]com[.]br`	3
`acreunagoias[.]com[.]br`	3
`x1[.]i[.]lencr[.]org`	2
`ceyfad[.]com`	2
`triatlon[.]org`	2
`www[.]triatlon[.]org`	2
`vmss-prod-seas[.]southeastasia[.]cloudapp[.]azure[.]com`	1
`vmss-prod-eus[.]eastus[.]cloudapp[.]azure[.]com`	1
`vmss-prod-weu[.]westeurope[.]cloudapp[.]azure[.]com`	1
`www[.]bancodados[.]com`	1
`www[.]fotosimbox[.]com`	1
`bamcodedados[.]com`	1
`arquivos2011[.]net`	1
`encontragoiania[.]com[.]br`	1

Files and or directories created	Occurrences
`\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506`	3
`\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506`	3
`\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\2D85F72862B55C4EADD9E66E06947F3D`	2
`\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\2D85F72862B55C4EADD9E66E06947F3D`	2
`\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OSZC6DKG\ieplor_ju[1].htm`	2
`\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PCALSGUV\ieplorer_fisc[1].htm`	2
`\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\XN0IX3V7\ieplorer_ita[1].htm`	2
`\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A`	1
`\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0F5C59F9FA661F6F4C50B87FEF3A15A`	1
`\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OSZC6DKG\iiexplorer[1].htm`	1
`\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PCALSGUV\360O69FP.htm`	1
`%System32%\arquivobol`	1

File Hashes

061f5fbc2bd1520c16d7f44644ff3dafa1e6a3d54968a9cb14597a6f6600f2cf
08f4433c7d01f6ab5e7913900e2b01107108bedd1a616836ad06659622fd6031
117bdceaa7d909bda125a9bf75c94d43c14801fcfb2be2103f840c819ba1bc93
14f30b9128a38b31ade71a6e8a94bb1aee6c361e92c7c24dae9fb9b36e027edf
1cb3411d3b74e5b641c87d836c23bd3e4488fbfd68168e550f93f5e0a952b99a
1eef3dccbe68b4fe916f8300a17f3e7113128fc70339d0cb44d5037a8f282233
219eacfdeef7b353ece6c4c8565d117724b4eaf8a386744291e62850b6397a0f
2accb3de127578d3cbf8693a40cd754e8b4085f91404137929c9e4a362b450cb
2f6024bfebce0b14fc299832f636092ceae3f3c9c34232dc78d43e2a7b44c85d
357e7e3938085403df07804b7df5bfb204383383e471dcc8fadc621e0827fae6
372c47dbe69f8d2e4b17307d0e2217e03f2ff58d919cf190ead55f8f82471a76
375259b9f3d308a8617b072a915381a636a715ea81978ddedb6f2499bbb46f02
381dcc8dfcbad074115ba93780a7275ec0d3a3004850597a4dafa7a29851e2e7
39c7d0a1168f924b67a457bf741540fe4d1e3b14723cec4898c700f42ee3f75f
3a40c2b7f384ca5ae335e394b944778eae4c0138ec56e01b0656be9025ae6951
417cf798b17f929ae6d5649841770df707e89dbd2433958633512edf665056bd
4768068b2d5b009ed00ab89f3e828fb3baa396118c18e5c3f53831c15542bded
4b9d9c9e82e7f214a76bf0f2953ec60f40af4b028e9e431db156df40cf96ea94
578415c1ead7c074899c39062af2afcb3dfd614b564b2cfbc459bbeae8e950ce
5cb4672e1fdec37c22b06e3f4eb6ade056d96967811818c1a66066c52184783d
5d0d5ff7e8f13ec20a843639956327ab5dd568cce99e92e0ac10ad7223617a45
6e88c0fc568192968be1ea2c0242bce09141b8b151b469a9d378b66c32909207
72e2512c5f40728072de1ebb947f8933dfb2b2db39a94c95c18e83b27f290d01
7a81b340e62044d7611d4a6a105b1d1eea78a259513d5767dbe4931c6e6e5504
7e1ace12bcf1af8fff3754ddb8c9d87f2b354e39d50322fead9336e0ac1bdc6f

*See JSON for more IOCs

Coverage

Product	Protection
Secure Endpoint	✓
Cloudlock	N/A
CWS	✓
Email Security	✓
Network Security	✓
Stealthwatch	N/A
Stealthwatch Cloud	N/A
Secure Malware Analytics	✓
Umbrella	N/A
WSA	N/A

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Trojan.Ursnif-9943207-0

Indicators of Compromise

IOCs collected from dynamic analysis of 24 samples

Registry Keys	Occurrences
`<HKCU>\SOFTWARE\APPDATALOW\SOFTWARE\MICROSOFT\00559239-5F44-3246-E934-03862DA8E71A`	24
`<HKCU>\SOFTWARE\APPDATALOW\SOFTWARE\MICROSOFT\00559239-5F44-3246-E934-03862DA8E71A Value Name: CharBlack`	24
`<HKCU>\SOFTWARE\APPDATALOW\SOFTWARE\MICROSOFT\00559239-5F44-3246-E934-03862DA8E71A Value Name: MemoryFile`	24
`<HKCU>\SOFTWARE\APPDATALOW\SOFTWARE\MICROSOFT\00559239-5F44-3246-E934-03862DA8E71A Value Name: StopList`	24
`<HKCU>\SOFTWARE\APPDATALOW\SOFTWARE\MICROSOFT\00559239-5F44-3246-E934-03862DA8E71A Value Name: GlobalMelody`	24
`<HKCU>\SOFTWARE\APPDATALOW\SOFTWARE\MICROSOFT\00559239-5F44-3246-E934-03862DA8E71A Value Name: ComputerWhite`	24
`<HKCU>\SOFTWARE\APPDATALOW\SOFTWARE\MICROSOFT\00559239-5F44-3246-E934-03862DA8E71A Value Name: {574A5BD5-CA63-A180-8C7B-9E6580DFB269}`	24
`<HKCU>\SOFTWARE\APPDATALOW\SOFTWARE\MICROSOFT\00559239-5F44-3246-E934-03862DA8E71A Value Name: {B4321FE1-833E-0652-AD28-679A31DC8B6E}`	24
`<HKCU>\SOFTWARE\APPDATALOW\SOFTWARE\MICROSOFT\00559239-5F44-3246-E934-03862DA8E71A Value Name: StartManager`	24
`<HKCU>\SOFTWARE\APPDATALOW\SOFTWARE\MICROSOFT\00559239-5F44-3246-E934-03862DA8E71A Value Name: DateList`	24
`<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\159`	2

Mutexes	Occurrences
`{1C4BA893-CBEB-AECE-3510-2FC23944D316}`	24
`Local\{49BBC729-148C-6308-668D-8847FA113C6B}`	24
`Local\{56E17D89-BDA8-F8D2-F7EA-41AC1BBE05A0}`	24
`Local\{FC6866F9-2BB0-8E07-95F0-8FA2992433F6}`	24
`{<random GUID>}`	24

IP Addresses contacted by malware. Does not indicate maliciousness	Occurrences
`208[.]67[.]222[.]222`	24
`13[.]107[.]42[.]16`	24
`193[.]56[.]146[.]189`	24
`185[.]154[.]53[.]214`	24
`20[.]189[.]173[.]22`	7
`185[.]154[.]53[.]58`	6
`52[.]182[.]143[.]212`	4
`52[.]168[.]117[.]173`	2
`20[.]42[.]65[.]92`	1
`20[.]189[.]173[.]20`	1

Domain Names contacted by malware. Does not indicate maliciousness	Occurrences
`222[.]222[.]67[.]208[.]in-addr[.]arpa`	24
`myip[.]opendns[.]com`	24
`resolver1[.]opendns[.]com`	24
`config[.]edge[.]skype[.]com`	24
`wpad[.]example[.]org`	24
`computer[.]example[.]org`	15
`clientconfig[.]passport[.]net`	15
`vmss-prod-weu[.]westeurope[.]cloudapp[.]azure[.]com`	9
`onedsblobprdwus17[.]westus[.]cloudapp[.]azure[.]com`	7
`vmss-prod-eus[.]eastus[.]cloudapp[.]azure[.]com`	4
`onedsblobprdcus15[.]centralus[.]cloudapp[.]azure[.]com`	4
`vmss-prod-seas[.]southeastasia[.]cloudapp[.]azure[.]com`	3
`onedsblobprdeus16[.]eastus[.]cloudapp[.]azure[.]com`	2
`onedsblobprdeus17[.]eastus[.]cloudapp[.]azure[.]com`	1
`onedsblobprdwus15[.]westus[.]cloudapp[.]azure[.]com`	1

Files and or directories created	Occurrences
`%APPDATA%\Mozilla\Firefox\Profiles\<profile ID>.default\prefs.js`	24
`%APPDATA%\Microsoft\StartManager`	24
`\{3814D960-374A-2AA2-81EC-5BFE45E0BF12}`	24
`%TEMP%\RES<random, matching '[A-F0-9]{3,4}'>.tmp`	24
`%TEMP%\<random, matching '[a-z0-9]{8}'>.dll`	24
`%TEMP%\<random, matching '[a-z0-9]{8}'>.out`	24
`%TEMP%\<random, matching '[a-z0-9]{8}'>.0.cs`	24
`%TEMP%\<random, matching '[a-z0-9]{8}'>.cmdline`	24
`%TEMP%\CSC<random, matching '[A-Z0-9]{32}'>.TMP`	24
`%TEMP%\<random, matching [A-F0-9]{4}>.bi1`	23
`%HOMEPATH%\DateList.lnk`	22
`%HOMEPATH%\StartManager.ps1`	22
`%TEMP%\CSCEA29AFD2619A4667BF3A2D945CCF93.TMP`	1
`%TEMP%\CSCEA29AFD2619A4667BF393B945CCF93.TMP`	1
`%TEMP%\CSCEA29AFD2619A4667BF353D945CCF93.TMP`	1
`%TEMP%\CSCEA29AFD2619A46679F382B945CCF93.TMP`	1
`%TEMP%\CSCEA29AFD2619A46679F372D945CCF93.TMP`	1
`%TEMP%\CSCEA29AFD2619A46679F342B945CCF93.TMP`	1
`%TEMP%\CSCEA29AFD2619A46679F3B3D945CCF93.TMP`	1
`%TEMP%\CSCEA29AFD2619A46679F3825945CCF93.TMP`	1
`%TEMP%\CSCEA29AFD2619A46679F3723945CCF93.TMP`	1
`%TEMP%\CSCEA29AFD2619A46679F3921945CCF93.TMP`	1
`%TEMP%\CSCEA29AFD2619A46679F3829945CCF93.TMP`	1
`%TEMP%\CSCEA29AFD2619A46679F3725945CCF93.TMP`	1
`%TEMP%\CSCEA29AFD2619A4667BF3739945CCF93.TMP`	1

*See JSON for more IOCs

File Hashes

008c30f6dbb4a59bab29f6bf4fbbe9b73dc939a5fc077eedc2dbb8f0cea7f68c
08fe7f87ef6e77de34cf38ea50f8cfe0c569d38bec8965c349d1010c5fb4b1c6
1e94d9694ad17022b56d5af163b2ca0874eb1312e103c16c960480405e1ffd91
247fa8e9e456196dfe5f4a8175507359b882545566995e28ae32b19c975b11fe
30004306e74eaecdaf76b29b5c822668dabe09ad4e7af8e45b0fedf5654bbda7
535ab8f44afca6bd621049c23b3ba0b15fcb0f8d0d3c1a7ab1712f13bf344d99
5935bf023983db8bdab81f23f30805591f2bdbefedde08fc09bb0d54025f5fd9
5eefc0f35da4c235f6ef75709e546f47bfd3fef00a7d371b6f019591e29082f7
621ce4c79af3c9f4cf8a18289268d8500d4d1340fc26d1d9b542670397d267de
6d9b759d3dd595b62b9a8e21d934fd8d5b0d06c0210e5b430060bf41de23f2fd
80865d94305efe3c5309cc925a55901dbadb6c4d90fb35074a3fbd88933d1abe
82ce18068cad6dc8d1476b0e16b791fc9e9a2f7fc3886d8383c9bd7479a4d160
84a15f3e8e08af1929568879bcb6d9b916542b4ed23a9ffdaeb40fbe99bc8c26
87144de13a86ccc8cca74d27cfd57adb8a91954597319581db2b9d7ead27c048
936af22b6dd1a2d53423ace4ed6f1b61ef91540f44bde7cd9988a0c8a1d349a1
9f1726bcf904de21195baee12c9e794e72aa7af04e891cd6733ea7520650195b
a367e32ce4b41d2a43bbeab5792a4fa2ae51f673d00df6fc73d078c0ed22c68a
ada4cda9115dba8f84f076aad9dcd2df8ecbb4c33c0eda7ebaefd7a895090a76
b17c6ec21a13b344aaf1fb417fc14f8df5ea0d98bde896acc892b42e92b502ea
bffa68d493126c7f9013c2a0158a311da26583aaf37af296ac30c97c590a63a1
c5631b6061c39a2f1d0becfff7a4bb7a027f22f9d2e3a612efe3dcff46a334a4
e557db4d778fc9696a081f8e8e6cf61f9d7448e5448e1215752b775d05606480
f56de0c6b5ddb3797b887c9f164135d888930171ec8bb65a2718400fd340015f
f7575777106978a67676877f26255f97261b86fffdcd4c41046081814801f684

Coverage

Product	Protection
Secure Endpoint	✓
Cloudlock	N/A
CWS	✓
Email Security	✓
Network Security	✓
Stealthwatch	N/A
Stealthwatch Cloud	N/A
Secure Malware Analytics	✓
Umbrella	N/A
WSA	N/A

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Trojan.Zbot-9943213-0

Indicators of Compromise

IOCs collected from dynamic analysis of 22 samples

Registry Keys	Occurrences
`<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\159`	22
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.102 Value Name: CheckSetting`	2
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.104 Value Name: CheckSetting`	2
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.101 Value Name: CheckSetting`	2
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.103 Value Name: CheckSetting`	2
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.100 Value Name: CheckSetting`	2
`<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\PRIVACY Value Name: CleanCookies`	1
`<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\PHISHINGFILTER Value Name: EnabledV8`	1
`<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\PHISHINGFILTER Value Name: ShownServiceDownBalloon`	1
`<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\RECOVERY Value Name: ClearBrowsingHistoryOnExit`	1
`<HKCU>\SOFTWARE\MICROSOFT WINDOWS`	1
`<HKCU>\SOFTWARE\MICROSOFT\AKCUY`	1
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: {214826B3-41E9-63D9-C331-768E7863BF99}`	1
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: WH7V8J9F7XYDWAVGKDKFDH`	1
`<HKCU>\SOFTWARE\MICROSOFT WINDOWS Value Name: 000002FCDEE2B336`	1

Mutexes	Occurrences
`zXeRY3a_PtW\|00000000`	1
`Local\{23590CA1-6BFB-61C8-C331-768E7863BF99}`	1
`Local\{0659EA11-8D4B-44C8-C331-768E7863BF99}`	1
`Local\{54793853-5F09-16E8-C331-768E7863BF99}`	1
`Global\GW9ACMG9cIAMSq7YSo9YYa9OOi5OMu`	1
`Global\gq45g45g235g4`	1
`Global\3Iii5m91Yo7eKOAuEo5mEAiOgEOOIcI`	1
`Global\gq45g45g235gu`	1
`GLOBAL\{<random GUID>}`	1

IP Addresses contacted by malware. Does not indicate maliciousness	Occurrences
`52[.]168[.]117[.]173`	7
`52[.]182[.]143[.]212`	5
`104[.]208[.]16[.]94`	4
`104[.]89[.]3[.]136`	1
`20[.]42[.]73[.]29`	1
`193[.]106[.]31[.]12`	1

Domain Names contacted by malware. Does not indicate maliciousness	Occurrences
`wpad[.]example[.]org`	22
`clientconfig[.]passport[.]net`	22
`computer[.]example[.]org`	7
`onedsblobprdeus16[.]eastus[.]cloudapp[.]azure[.]com`	7
`vmss-prod-eus[.]eastus[.]cloudapp[.]azure[.]com`	6
`onedsblobprdcus15[.]centralus[.]cloudapp[.]azure[.]com`	5
`onedsblobprdcus17[.]centralus[.]cloudapp[.]azure[.]com`	5
`onedsblobprdcus16[.]centralus[.]cloudapp[.]azure[.]com`	4
`vmss-prod-weu[.]westeurope[.]cloudapp[.]azure[.]com`	2
`vmss-prod-seas[.]southeastasia[.]cloudapp[.]azure[.]com`	1
`onedsblobprdeus15[.]eastus[.]cloudapp[.]azure[.]com`	1
`fr4edxs1231[.]co[.]cc`	1
`biotehnologra[.]com`	1

Files and or directories created	Occurrences
`%TEMP%\tmp2e7de7a5.bat`	1
`%TEMP%\tmp2ee6e6cc.bat`	1
`%APPDATA%\Leboza\usfyum.exe`	1
`%APPDATA%\Ylawfia\kexyhee.yns`	1
`\gwerwqqeg55\F95C1CC1457.exe`	1
`%TEMP%\GA79F67.exe`	1
`\gwerwqqeg55\ABA178D3DDD9E7E`	1

File Hashes

0dfec885404555df3d247427944efa43d00bb87d690caa0a2d76d522186ffe0d
12b78890d30abfaad309dabfafcd479341298abd04c42a3c84f8f1d488e1377e
19c5d3bf558d1f97b9354754b8777cd54b507723a7efa24fd9df89b4c9e72cd5
1d28054f01eac376a879dd05c97191118bcc75f18b9b36af96df1b2f58876cb7
26f985c6d6b5bce1dc52f686648853d967b71879158d93362540cffef0719a99
2860e8249ffa7ee8cb652650901a0b0b13fd64bd9651a5c0d1aa33ed05f28fd1
2a57da57f2f9fd68d20124d0fb5a3279a9da6f8b30747006703f999ba4b400c9
2ef69bc8bc8903458153ad98ceeb67b75bfc9a089923f86aa39d8f7c93e8bc42
432557438162bdbd98af4f4f122da762e4448221d675a0fc57254e6df16c3ebc
4452cdc481e217ff5ac460bf6facc43bad3e786f2727e8140001c90c084ba389
57e934ae7a3d365831fe97fa432d2ceafbb20639bd92ccf7db530d49e68e366b
795290f94cdb5f5cd8439ce56fa7b4d903b9e87abbeab5a527d43a3c3c2aa1e3
88c66fc14818a717b7ca7a5220fcbbddc83c570d5e3954ca78c1c2b76db4b79b
9edf9e157b0c0ccf652026b4c0fd6c3e1641f50f3f612adf9d07cd03776b4eaa
be061212ce5e7660f064dbcab5e9d93b21110de481ee29f9709b0b615ba83d89
c58f538129fc4d3b9d4c691538b26d93d52cf113a860292b3e02ea667e198d5e
c651be672e5254928a551afb4d28cf48f1fa21cdc2c40965cfb324b1bc63bdcd
cd02fb2305ed74baf4f8bad56c11c56827cdaf27f711eedecf59e3fe858d445a
d6823fa42dd7c136ada832e03d988623237ef775f320cb54e3e6e1cc934541d9
de80e8ede175ca50a7b31ee4ddd7b1d370b1b058a0ed80dd09c215ad7aeac441
f1801ece86c71a8a8810291e82b1532f810abad321cf47f1c745aa7fc2b5ce8c
fef0243edcb16b19804e35e2ec1ac591147ea7886839260f6eab2e250c86c49c

Coverage

Product	Protection
Secure Endpoint	✓
Cloudlock	N/A
CWS	✓
Email Security	✓
Network Security	✓
Stealthwatch	N/A
Stealthwatch Cloud	N/A
Secure Malware Analytics	✓
Umbrella	✓
WSA	✓

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Trojan.Bredolab-9943247-0

Indicators of Compromise

IOCs collected from dynamic analysis of 25 samples

Registry Keys	Occurrences
`<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\159`	25
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: sniffer`	25

Mutexes	Occurrences
`Global\<random guid>`	25
`16ef76cc91244ce82af67fd4f6cb4709a34df7298de6500bf94873ca83ccdd3e.exe_mutex`	1
`31cf541211dbac661329ab63077ed7e4efc5f88ae8cccd9fcd2c2ff5955eca1f.exe_mutex`	1
`07db7193f0d9d970e8b1123f9d1163a3a56f974278f5b9bc3129c0157cdb65ec.exe_mutex`	1
`99da39134fa131ab329e733c7345ec25772f5b41c3779c7c07d65aee5cd89c82.exe_mutex`	1
`7ac15fd35ee748646cd2ad8d61c89e93525c17601c49e9d9582467de66ac4393.exe_mutex`	1
`49b8ce8381efaa6323efbc719e250fbf75242300c00a24a5ab2dc3767a9532fa.exe_mutex`	1
`6ca43e602d0a5c6668ccb596c63d989583576ad092d572cabf41f675b2af6fa0.exe_mutex`	1
`1c61ee11949b31ebe5122de1c616edc305537013e2b87c7984978706ca9f5cd2.exe_mutex`	1
`9e8b057b582e953c76f40449127f2d9fae1e601f3e342b69159a3864538e17d1.exe_mutex`	1
`075172d2a682cf6021906f43330aaaa5c2468ed8daff8d60de86afb035ea9086.exe_mutex`	1
`77188df0569817fa21112484db32c801ee0d4dbdf5c610f1618dc83853950fae.exe_mutex`	1
`7d2d05190eb97b2955b75140ef646ef5e3a5e1c6c08e38142773347e7e4024be.exe_mutex`	1
`145e912d2ff83e874830cf2705de004213af9820914fdc258a2124d7022ca936.exe_mutex`	1
`83286cdbed47e82517e82290e53e58c43d500eef83907e843e9ac6ea96c8766d.exe_mutex`	1
`157b26ee78d1e4a1b83aa3894a248a6dc6c61d88882a84572f8c3ca55b76bb54.exe_mutex`	1
`3dea1fa09fe936837dae7d71cb35d3353b356c24d31c085e995629ba3bae0837.exe_mutex`	1
`31b2c32f57c7c42284e44e1f6a674ace4f2067c550b313dd995ae0eee3905340.exe_mutex`	1
`94acd3968ff71c0641d3e7684d54339a4e97072b633ed0b9c474a36ac3ac7050.exe_mutex`	1
`3b43d6331a0cd02415f72ba40fcbaff70212c186e7ca483e90b710e816f6870d.exe_mutex`	1
`6fcc14d84106bfff52df5f782a758e0a329b61082f0aff46fbde114bbebe89ff.exe_mutex`	1
`4470e5ffa675935fd03e1162cd3733fdda8fdcf15d89a1e715d5a9bb38438c49.exe_mutex`	1
`004103aa1827b09111b5a4f347bd8d2b1ec598216ab0dc501a07d42f68e3a4e1.exe_mutex`	1
`75ee6af8e5f1d25e27433870863e81b4987394f1d3dffa1f84ccab1111557b6e.exe_mutex`	1
`976db917861382ee20433aa89f99941945170c9ac58caa37f8bce64393691439.exe_mutex`	1

*See JSON for more IOCs

IP Addresses contacted by malware. Does not indicate maliciousness	Occurrences
`20[.]189[.]173[.]20/31`	6
`20[.]42[.]65[.]92`	5
`104[.]208[.]16[.]94`	5
`52[.]182[.]143[.]212`	3
`52[.]168[.]117[.]173`	3
`20[.]42[.]73[.]29`	2
`20[.]189[.]173[.]22`	1

Domain Names contacted by malware. Does not indicate maliciousness	Occurrences
`wpad[.]example[.]org`	25
`clientconfig[.]passport[.]net`	25
`computer[.]example[.]org`	5
`onedsblobprdeus17[.]eastus[.]cloudapp[.]azure[.]com`	5
`onedsblobprdcus16[.]centralus[.]cloudapp[.]azure[.]com`	5
`onedsblobprdwus15[.]westus[.]cloudapp[.]azure[.]com`	4
`vmss-prod-seas[.]southeastasia[.]cloudapp[.]azure[.]com`	3
`onedsblobprdcus15[.]centralus[.]cloudapp[.]azure[.]com`	3
`onedsblobprdeus16[.]eastus[.]cloudapp[.]azure[.]com`	3
`vmss-prod-weu[.]westeurope[.]cloudapp[.]azure[.]com`	2
`onedsblobprdwus16[.]westus[.]cloudapp[.]azure[.]com`	2
`onedsblobprdeus15[.]eastus[.]cloudapp[.]azure[.]com`	2
`onedsblobprdwus17[.]westus[.]cloudapp[.]azure[.]com`	1

Files and or directories created	Occurrences
`%SystemRoot%\SysWOW64\Packet.dll`	25
`%SystemRoot%\SysWOW64\wpcap.dll`	25
`%System32%\Packet.dll`	25
`%System32%\drivers\npf.sys`	25
`%System32%\wpcap.dll`	25
`%SystemRoot%\SysWOW64\drivers\npf.sys`	25

File Hashes

004103aa1827b09111b5a4f347bd8d2b1ec598216ab0dc501a07d42f68e3a4e1
075172d2a682cf6021906f43330aaaa5c2468ed8daff8d60de86afb035ea9086
07db7193f0d9d970e8b1123f9d1163a3a56f974278f5b9bc3129c0157cdb65ec
145e912d2ff83e874830cf2705de004213af9820914fdc258a2124d7022ca936
157b26ee78d1e4a1b83aa3894a248a6dc6c61d88882a84572f8c3ca55b76bb54
16ef76cc91244ce82af67fd4f6cb4709a34df7298de6500bf94873ca83ccdd3e
1c61ee11949b31ebe5122de1c616edc305537013e2b87c7984978706ca9f5cd2
31b2c32f57c7c42284e44e1f6a674ace4f2067c550b313dd995ae0eee3905340
31cf541211dbac661329ab63077ed7e4efc5f88ae8cccd9fcd2c2ff5955eca1f
3b43d6331a0cd02415f72ba40fcbaff70212c186e7ca483e90b710e816f6870d
3dea1fa09fe936837dae7d71cb35d3353b356c24d31c085e995629ba3bae0837
4470e5ffa675935fd03e1162cd3733fdda8fdcf15d89a1e715d5a9bb38438c49
49b8ce8381efaa6323efbc719e250fbf75242300c00a24a5ab2dc3767a9532fa
6ca43e602d0a5c6668ccb596c63d989583576ad092d572cabf41f675b2af6fa0
6fcc14d84106bfff52df5f782a758e0a329b61082f0aff46fbde114bbebe89ff
75ee6af8e5f1d25e27433870863e81b4987394f1d3dffa1f84ccab1111557b6e
77188df0569817fa21112484db32c801ee0d4dbdf5c610f1618dc83853950fae
7ac15fd35ee748646cd2ad8d61c89e93525c17601c49e9d9582467de66ac4393
7d2d05190eb97b2955b75140ef646ef5e3a5e1c6c08e38142773347e7e4024be
83286cdbed47e82517e82290e53e58c43d500eef83907e843e9ac6ea96c8766d
94acd3968ff71c0641d3e7684d54339a4e97072b633ed0b9c474a36ac3ac7050
976db917861382ee20433aa89f99941945170c9ac58caa37f8bce64393691439
99da39134fa131ab329e733c7345ec25772f5b41c3779c7c07d65aee5cd89c82
9e8b057b582e953c76f40449127f2d9fae1e601f3e342b69159a3864538e17d1
c4fd2790c64a4ce43bb01544a2ed5a330668be97ead4e8c76d3377bb58f63519

*See JSON for more IOCs

Coverage

Product	Protection
Secure Endpoint	✓
Cloudlock	N/A
CWS	✓
Email Security	✓
Network Security	N/A
Stealthwatch	N/A
Stealthwatch Cloud	N/A
Secure Malware Analytics	✓
Umbrella	N/A
WSA	N/A

Cisco Talos Blog

Threat Roundup for April 8 to April 15

Threat Breakdown

Win.Packed.Zusy-9942975-0

Indicators of Compromise

File Hashes

Coverage

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Packed.Upatre-9942982-0

Indicators of Compromise

File Hashes

Coverage

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Dropper.LokiBot-9943279-0

Indicators of Compromise

File Hashes

Coverage

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Malware.Lydra-9943052-0

Indicators of Compromise

File Hashes

Coverage

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Packed.CoinMiner-9943551-1

Indicators of Compromise

File Hashes

Coverage

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Downloader.Banload-9943209-0

Indicators of Compromise

File Hashes

Coverage

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Trojan.Ursnif-9943207-0

Indicators of Compromise

File Hashes

Coverage

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Trojan.Zbot-9943213-0

Indicators of Compromise

File Hashes

Coverage

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Trojan.Bredolab-9943247-0

Indicators of Compromise

File Hashes

Coverage

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Share this post

Related Content

Threat Roundup for November 3 to November 10

Threat Roundup for October 27 to November 3

Threat Roundup for October 13 to October 20