Today, Talos is publishing a glimpse into the most prevalent threats we've observed between May 6 and May 13. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. A visual depiction of the MITRE ATT&CK techniques associated with each threat is also shown. In these images, the brightness of each technique indicates how prevalent it is across all threat files where dynamic analysis was conducted. Five distinct shades are used: the darkest indicates that no files exhibited the technique's behavior, and the brightest indicates that the behavior was observed in 75 percent or more of the files.

The most prevalent threats highlighted in this roundup are:

Threat Name | Type | Description
Win.Trojan.Qakbot-9949393-1 | Trojan | Qakbot, aka Qbot, has been around since at least 2008. Qbot primarily targets sensitive information like banking credentials but can also steal FTP credentials and spread across a network using SMB.
Win.Packed.Upatre-9949356-0 | Packed | Upatre is a malicious downloader often used by exploit kits and phishing campaigns. Upatre downloads and executes malicious executables such as banking malware.
Win.Dropper.Cerber-9949361-0 | Dropper | Cerber is ransomware that encrypts documents, photos, databases and other important files. Historically, this malware would replace files with encrypted versions and add the file extension ".cerber," although in more recent campaigns, other file extensions are used.
Win.Trojan.Hupigon-9949365-0 | Trojan | Hupigon is a trojan that installs itself as a backdoor on a victim's machine.
Win.Dropper.LokiBot-9949439-0 | Dropper | Lokibot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered via spam emails.
Win.Malware.Barys-9949519-0 | Malware | This is a trojan and downloader that allows malicious actors to upload files to a victim's computer.
Win.Trojan.Ursnif-9949968-0 | Trojan | Ursnif steals sensitive information from an infected host and can act as a malware downloader. It is commonly spread through malicious emails or exploit kits.
Win.Malware.Gh0stRAT-9949686-0 | Malware | Gh0stRAT is a well-known family of remote access trojans designed to provide an attacker with complete control over an infected system. Capabilities include monitoring keystrokes, collecting video footage from the webcam, and uploading/executing follow-on malware. The source code for Gh0stRAT has been publicly available on the internet for years, significantly lowering the barrier for actors to modify and reuse the code in new attacks.

Threat Breakdown

Win.Trojan.Qakbot-9949393-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 20 samples
Registry Key | Value Name | Occurrences
<HKCU>\SOFTWARE\MICROSOFT\DFWOFIK | - | 20
<HKCU>\SOFTWARE\MICROSOFT\DFWOFIK | bd63ad6b | 20
<HKCU>\SOFTWARE\MICROSOFT\DFWOFIK | bf228d17 | 20
<HKCU>\SOFTWARE\MICROSOFT\DFWOFIK | f7b512d3 | 20
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\AIWIGKCO | - | 20
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\AIWIGKCO | ff0b3567 | 20
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\AIWIGKCO | fd4a151b | 20
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS | C:\ProgramData\Microsoft\Ecrirfryzd | 20
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS | C:\Users\Administrator\AppData\Roaming\Microsoft\Xtuou | 20
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\AIWIGKCO | b5dd8adf | 20
<HKCU>\SOFTWARE\MICROSOFT\DFWOFIK | 79eea72 | 20
<HKCU>\SOFTWARE\MICROSOFT\DFWOFIK | 7a96a5f8 | 20
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\AIWIGKCO | 45f6727e | 20
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\AIWIGKCO | 38fe3df4 | 20
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\AIWIGKCO | ca94e529 | 20
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\AIWIGKCO | 80425a91 | 20
<HKCU>\SOFTWARE\MICROSOFT\DFWOFIK | c22ac29d | 20
<HKCU>\SOFTWARE\MICROSOFT\DFWOFIK | 5dfca0e | 20
<HKCU>\SOFTWARE\MICROSOFT\DFWOFIK | 88fc7d25 | 20
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\AIWIGKCO | 47b75202 | 20
Mutex | Occurrences
Global\{06253ADC-953E-436E-8695-87FADA31FDFB} | 20
{06253ADC-953E-436E-8695-87FADA31FDFB} | 20
{357206BB-1CE6-4313-A3FA-D21258CBCDE6} | 20
Global\{280C5EDE-5A47-4F1C-97D3-B8CFE4CF258D} | 20
{280C5EDE-5A47-4F1C-97D3-B8CFE4CF258D} | 20
Domain Names contacted by malware (does not indicate maliciousness) | Occurrences
computer[.]example[.]org | 20
wpad[.]example[.]org | 20
vmss-prod-seas[.]southeastasia[.]cloudapp[.]azure[.]com | 7
vmss-prod-eus[.]eastus[.]cloudapp[.]azure[.]com | 7
vmss-prod-weu[.]westeurope[.]cloudapp[.]azure[.]com | 6
Files and/or directories created | Occurrences
%APPDATA%\Microsoft\Xtuou | 20
%ProgramData%\Microsoft\Ecrirfryzd | 20
%System32%\Tasks\bbunkyn | 1
%System32%\Tasks\hvtbnwcjlh | 1
%System32%\Tasks\hntmwfospx | 1
%System32%\Tasks\iiyfllwcgr | 1
%System32%\Tasks\unfkmadrc | 1
%System32%\Tasks\dxbgapbyrx | 1
%System32%\Tasks\dlaiqiccus | 1
%System32%\Tasks\rwskwjizy | 1
%System32%\Tasks\xciomqaxl | 1
%System32%\Tasks\bfaozvxhj | 1
%System32%\Tasks\sxdadktqjh | 1
%System32%\Tasks\qvujuvdhi | 1
%System32%\Tasks\uiawgherg | 1
%System32%\Tasks\ltrtmoto | 1
%System32%\Tasks\zabdiwevod | 1
%System32%\Tasks\wcdjtlq | 1
%System32%\Tasks\qyxbolgs | 1
%System32%\Tasks\bwnxbcwpdh | 1
%System32%\Tasks\ccvgfmnfi | 1
%System32%\Tasks\jiuofxtmvk | 1

File Hashes


Coverage

Product | Protection
Secure Endpoint | This has coverage
Cloudlock | N/A
CWS | This has coverage
Email Security | This has coverage
Network Security | N/A
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Secure Malware Analytics | This has coverage
Umbrella | N/A
WSA | N/A

Screenshots of Detection

Secure Endpoint


Secure Malware Analytics


MITRE ATT&CK


Win.Packed.Upatre-9949356-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 70 samples
IP Addresses contacted by malware (does not indicate maliciousness) | Occurrences
75[.]2[.]18[.]233 | 59
154[.]80[.]152[.]80 | 10
Domain Names contacted by malware (does not indicate maliciousness) | Occurrences
intarefc[.]com | 69
faithmentoringandmore[.]com | 69
wpad[.]example[.]org | 54
computer[.]example[.]org | 43
vmss-prod-weu[.]westeurope[.]cloudapp[.]azure[.]com | 18
vmss-prod-eus[.]eastus[.]cloudapp[.]azure[.]com | 17
vmss-prod-seas[.]southeastasia[.]cloudapp[.]azure[.]com | 10
www[.]msftncsi[.]com | 2
Files and/or directories created | Occurrences
%TEMP%\budha.exe | 69
\Users\user\AppData\Local\Temp\budha.exe | 54

File Hashes
*See JSON for more IOCs

Coverage

Product | Protection
Secure Endpoint | This has coverage
Cloudlock | N/A
CWS | This has coverage
Email Security | This has coverage
Network Security | N/A
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Secure Malware Analytics | This has coverage
Umbrella | This has coverage
WSA | This has coverage

Screenshots of Detection

Secure Endpoint


Secure Malware Analytics


MITRE ATT&CK


Win.Dropper.Cerber-9949361-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 24 samples
Registry Key | Value Name | Occurrences
<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\159 | - | 24
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER | Run | 19
<HKCU>\SOFTWARE\MICROSOFT\COMMAND PROCESSOR | AutoRun | 19
<HKCU>\PRINTERS\DEFAULTS\{21A3D5EE-E123-244A-98A1-8E36C26EFF6D} | - | 19
<HKCU>\PRINTERS\DEFAULTS | - | 19
<HKCU>\PRINTERS\DEFAULTS\{21A3D5EE-E123-244A-98A1-8E36C26EFF6D} | Component_01 | 19
<HKCU>\PRINTERS\DEFAULTS\{21A3D5EE-E123-244A-98A1-8E36C26EFF6D} | Component_00 | 19
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | {32382BC4-48A5-6DE8-F0EE-B8109DEC3228} | 5
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | xwizard | 3
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE | xwizard | 3
<HKCU>\PRINTERS\DEFAULTS\{21A3D5EE-E123-244A-98A1-8E36C26EFF6D} | Installed | 3
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | DWWIN | 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE | DWWIN | 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | winrs | 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE | winrs | 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | AdapterTroubleshooter | 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE | AdapterTroubleshooter | 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | Utilman | 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE | Utilman | 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | perfmon | 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE | perfmon | 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | TCPSVCS | 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE | TCPSVCS | 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | lodctr | 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE | lodctr | 1
Mutex | Occurrences
shell.{381828AA-8B28-3374-1B67-35680555C5EF} | 19
shell.{2DA495A3-711D-597E-268E-77F8D29EB324} | 1
IP Addresses contacted by malware (does not indicate maliciousness) | Occurrences
208[.]95[.]112[.]1 | 19
127[.]0[.]0[.]1 | 18
31[.]184[.]234[.]0/23 | 18
104[.]26[.]15[.]73 | 8
104[.]26[.]14[.]73 | 8
172[.]67[.]75[.]176 | 8
69[.]195[.]146[.]130 | 1
Domain Names contacted by malware (does not indicate maliciousness) | Occurrences
Files and/or directories created | Occurrences
%APPDATA%\{6F885251-E36F-0FE6-9629-63208157D7A2} | 19
%APPDATA%\{6F885251-E36F-0FE6-9629-63208157D7A2}\Component_00 | 19
%APPDATA%\{6F885251-E36F-0FE6-9629-63208157D7A2}\Component_01 | 19
<dir>\# DECRYPT MY FILES #.url | 19
<dir>\# DECRYPT MY FILES #.vbs | 19
<dir>\# DECRYPT MY FILES #.txt | 19
<dir>\# DECRYPT MY FILES #.html | 19
\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\15\Managed\Word Document Building Blocks\1033\TM01840907[[fn=Equations]].dotx | 18
\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\15\Managed\Word Document Building Blocks\1033\TM03998158[[fn=Element]].dotx | 18
\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\15\Managed\Word Document Building Blocks\1033\TM03998159[[fn=Insight]].dotx | 18
\Users\user\AppData\Roaming\Microsoft\Document Building Blocks\1033\15\# DECRYPT MY FILES #.html | 18
\Users\user\AppData\Roaming\Microsoft\Document Building Blocks\1033\15\# DECRYPT MY FILES #.txt | 18
\Users\user\AppData\Roaming\Microsoft\Document Building Blocks\1033\15\# DECRYPT MY FILES #.url | 18
\Users\user\AppData\Roaming\Microsoft\Document Building Blocks\1033\15\# DECRYPT MY FILES #.vbs | 18
\Users\user\AppData\Roaming\Microsoft\Publisher Building Blocks\# DECRYPT MY FILES #.html | 18
\Users\user\AppData\Roaming\Microsoft\Publisher Building Blocks\# DECRYPT MY FILES #.txt | 18
\Users\user\AppData\Roaming\Microsoft\Publisher Building Blocks\# DECRYPT MY FILES #.url | 18
\Users\user\AppData\Roaming\Microsoft\Publisher Building Blocks\# DECRYPT MY FILES #.vbs | 18
\Users\user\AppData\Roaming\Microsoft\Templates\# DECRYPT MY FILES #.html | 18
\Users\user\AppData\Roaming\Microsoft\Templates\# DECRYPT MY FILES #.txt | 18
\Users\user\AppData\Roaming\Microsoft\Templates\# DECRYPT MY FILES #.url | 18
\Users\user\AppData\Roaming\Microsoft\Templates\# DECRYPT MY FILES #.vbs | 18
\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\15\Managed\Word Document Building Blocks\1033\# DECRYPT MY FILES #.html | 18
\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\15\Managed\Word Document Building Blocks\1033\# DECRYPT MY FILES #.txt | 18
\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\15\Managed\Word Document Building Blocks\1033\# DECRYPT MY FILES #.url | 18

*See JSON for more IOCs

File Hashes
Coverage

Product | Protection
Secure Endpoint | This has coverage
Cloudlock | N/A
CWS | This has coverage
Email Security | This has coverage
Network Security | This has coverage
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Secure Malware Analytics | This has coverage
Umbrella | N/A
WSA | N/A

Screenshots of Detection

Secure Endpoint


Secure Malware Analytics


MITRE ATT&CK


Win.Trojan.Hupigon-9949365-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 24 samples
Registry Key | Value Name | Occurrences
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\GRAYPIGEONSERVER | - | 8
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\GRAYPIGEONSERVER | Type | 8
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\GRAYPIGEONSERVER | Start | 8
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\GRAYPIGEONSERVER | ErrorControl | 8
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\GRAYPIGEONSERVER | DisplayName | 8
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\GRAYPIGEONSERVER | WOW64 | 8
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\GRAYPIGEONSERVER | ObjectName | 8
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\GRAYPIGEONSERVER | ImagePath | 8
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\GRAYPIGEONSERVER | Description | 8
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\NERWORKPROVIDER | - | 2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\NERWORKPROVIDER | Type | 2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\NERWORKPROVIDER | Start | 2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\NERWORKPROVIDER | ErrorControl | 2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\NERWORKPROVIDER | ImagePath | 2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\NERWORKPROVIDER | DisplayName | 2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\NERWORKPROVIDER | WOW64 | 2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\NERWORKPROVIDER | ObjectName | 2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\NERWORKPROVIDER | Description | 2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\YPIGEON_ERVE | - | 2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\YPIGEON_ERVE | Type | 2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\YPIGEON_ERVE | Start | 2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\YPIGEON_ERVE | ErrorControl | 2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\YPIGEON_ERVE | ImagePath | 2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\YPIGEON_ERVE | DisplayName | 2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\YPIGEON_ERVE | WOW64 | 2
Mutex | Occurrences
GRAYPIGEONVIP_MUTEX | 9
VIP20060122MWTEX | 2
GQJ0929_MUTEX | 2
GSJ0929_MUTEX | 2
H_G_Z_1.22_MUTEX | 2
KQJ0929_MUTEX | 1
IRAYpigeONVIP_MUTEX | 1
J0929_MUTEX | 1
klsdjfhqweiubvsa | 1
Global\ce0436c1-cd16-11ec-b5f8-00501e3ae7b6 | 1
IP Addresses contacted by malware (does not indicate maliciousness) | Occurrences
118[.]184[.]184[.]8 | 6
183[.]236[.]2[.]18 | 1
52[.]182[.]143[.]212 | 1
185[.]255[.]121[.]5 | 1
Domain Names contacted by malware (does not indicate maliciousness) | Occurrences

*See JSON for more IOCs

Files and/or directories created | Occurrences
%SystemRoot%\G_Server1.2.exe | 4
%SystemRoot%\G_Server1.2.exe:Zone.Identifier | 4
%SystemRoot%\Nevwoek.exe | 2
%SystemRoot%\erve.exe | 2
%SystemRoot%\erve.exe:Zone.Identifier | 2
%SystemRoot%\Nevwoek.exe:Zone.Identifier | 2
%CommonProgramFiles%\svchost.exe | 1
%SystemRoot%\system32.exe | 1
%SystemRoot%\setup.exe | 1
%CommonProgramFiles(x86)%\svchost.exe | 1
%SystemRoot%\Microsoft WebServer.exe | 1
%SystemRoot%\SysWOW64\shellext | 1
%SystemRoot%\SysWOW64\shellext\services.exe | 1
%SystemRoot%\W_Server.exe | 1
%SystemRoot%\serivces.exe | 1
%SystemRoot%\se.exe | 1
%SystemRoot%\Servers.exe | 1
%SystemRoot%\G_Server.exe | 1
%SystemRoot%\MgSmPtmg.exe | 1
%SystemRoot%\windons.exe | 1
%SystemRoot%\setup.exe:Zone.Identifier | 1
%SystemRoot%\system32.exe:Zone.Identifier | 1
%System32%\shellext\services.exe | 1
%System32%\shellext\services.exe:Zone.Identifier | 1
%SystemRoot%\W_Server.exe:Zone.Identifier | 1

*See JSON for more IOCs

File Hashes
Coverage

Product | Protection
Secure Endpoint | This has coverage
Cloudlock | N/A
CWS | This has coverage
Email Security | This has coverage
Network Security | This has coverage
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Secure Malware Analytics | This has coverage
Umbrella | N/A
WSA | N/A

Screenshots of Detection

Secure Endpoint


Secure Malware Analytics


MITRE ATT&CK


Win.Dropper.LokiBot-9949439-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 25 samples
Registry Key | Value Name | Occurrences
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | WebMonitor-8c8b | 2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | Office Manager | 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | Microsoft Word | 1
<HKCU>\SOFTWARE\WINRAR | - | 1
<HKCU>\SOFTWARE\KHEMLYSFDOU | - | 1
<HKCU>\SOFTWARE\KHEMLYSFDOU | EXEpath | 1
<HKCU>\SOFTWARE\UOKWVPDWFRAZMZA | - | 1
<HKCU>\SOFTWARE\UOKWVPDWFRAZMZA | EXEpath | 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | Windows Logon | 1
<HKCU>\SOFTWARE\DIMSOMHOSTS | - | 1
<HKCU>\SOFTWARE\DIMSOMHOSTS | EXEpath | 1
<HKLM>\SAM\SAM\DOMAINS\ACCOUNT\USERS\000003E9 | F | 1
<HKLM>\SAM\SAM\DOMAINS\ACCOUNT\USERS\000001F5 | F | 1
<HKLM>\SAM\SAM\DOMAINS\ACCOUNT\USERS\000003EC | F | 1
<HKCU>\SOFTWARE\WINRAR | HWID | 1
Mutex | Occurrences
3749282D282E1E80C56CAE5A | 6
QSR_MUTEX_TUu2OxJvqHDQ2EbXPq | 5
3BA87BBD1CC40F3583D46680 | 4
Remcos_Mutex_Inj | 3
67ab8950-dc02-4a30-86c0-9a25a6f4b9ca | 2
OXnpIgq5T09XE6k9UDSulFt669J2Q1qh2.00 | 2
khemlysfdou | 1
dimsomhosts | 1
uokwvpdwfrazmza | 1
e6b19085-8d32-4797-ac8c-64b83fb9b463 | 1
IP Addresses contacted by malware (does not indicate maliciousness) | Occurrences

*See JSON for more IOCs

Domain Names contacted by malware (does not indicate maliciousness) | Occurrences

*See JSON for more IOCs

Files and/or directories created | Occurrences
%APPDATA%\<random, matching '[a-z0-9]{3,7}'> | 18
%APPDATA%\D282E1\1E80C5.lck | 6
%APPDATA%\Microsoft\Crypto\RSA\S-1-5-21-2580483871-590521980-3826313501-500\a18ca4003deb042bbee7a40f15e1970b_d19ab989-a35f-4710-83df-7b2db7efe7c5 | 6
\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.log | 5
\Users\user\AppData\Roaming\Logs\05-06-2022 | 5
\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rpeecmnyjxmaamy.eu.url | 5
\Users\user\AppData\Roaming\hkwxchtvsa\rpeecmnyjxmaamy.exe | 5
%APPDATA%\Logs\05-06-2022 | 5
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\rpeecmnyjxmaamy.eu.url | 5
%APPDATA%\hkwxchtvsa | 5
%APPDATA%\hkwxchtvsa\rpeecmnyjxmaamy.exe | 5
%APPDATA%\D1CC40\0F3583.hdb | 4
%APPDATA%\D1CC40\0F3583.lck | 4
%APPDATA%\Microsoft\Crypto\RSA\S-1-5-21-1258710499-2222286471-4214075941-500\a18ca4003deb042bbee7a40f15e1970b_8f793a96-da80-4751-83f9-b23d8b735fb1 | 4
%APPDATA%\D1CC40\0F3583.exe (copy) | 4
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\taskmgr.eu.url | 4
%APPDATA%\windows\taskmgr.exe | 4
\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\taskmgr.eu.url | 4
\Users\user\AppData\Roaming\windows\taskmgr.exe | 4
%TEMP%\install.bat | 3
%APPDATA%\Imminent | 2
%APPDATA%\Imminent\Logs | 2
%SystemRoot%\assembly\Desktop.ini | 2
\Users\user\AppData\Local\Temp\DB1 | 2
\Users\user\AppData\Roaming\7C7955\5D4644.lck | 2

*See JSON for more IOCs

File Hashes
Coverage

Product | Protection
Secure Endpoint | This has coverage
Cloudlock | N/A
CWS | This has coverage
Email Security | This has coverage
Network Security | This has coverage
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Secure Malware Analytics | This has coverage
Umbrella | This has coverage
WSA | This has coverage

Screenshots of Detection

Secure Endpoint


Secure Malware Analytics


MITRE ATT&CK


Win.Malware.Barys-9949519-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 30 samples
Registry Key | Value Name | Occurrences
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\HIDEDESKTOPICONS\NEWSTARTPANEL | {871C5380-42A0-1069-A2EA-08002B30309D} | 30
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\HIDEDESKTOPICONS\CLASSICSTARTMENU | - | 30
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\HIDEDESKTOPICONS\CLASSICSTARTMENU | {871C5380-42A0-1069-A2EA-08002B30309D} | 30
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER | GlobalAssocChangedCounter | 30
Mutex | Occurrences
Q-$-EEE | 30
Domain Names contacted by malware (does not indicate maliciousness) | Occurrences
wpad[.]example[.]org | 30
computer[.]example[.]org | 25
vmss-prod-weu[.]westeurope[.]cloudapp[.]azure[.]com | 13
vmss-prod-eus[.]eastus[.]cloudapp[.]azure[.]com | 7
vmss-prod-seas[.]southeastasia[.]cloudapp[.]azure[.]com | 5
Files and/or directories created | Occurrences
%CommonProgramFiles(x86)%\Microsoft Shared\WSF.dat | 30
\xpx.bat | 30
%CommonProgramFiles%\microsoft shared\WSF.dat | 30
%CommonProgramFiles%\microsoft shared\WSF.dat:Zone.Identifier | 30
\dayjbg.lnk | 1
\ufhexg.url | 1
\bwbggw.url | 1
\mklwts.lnk | 1
\bnkoum.url | 1
\moluuh.lnk | 1
\aovrgq.lnk | 1
\jawywn.url | 1
\bqbcfp.lnk | 1
\yursdb.url | 1
\algkcg.url | 1
\gbblfn.lnk | 1
\qxmhlh.lnk | 1
\xsftjc.url | 1
\fnjrdc.lnk | 1
\qgabfu.url | 1
\hlefpb.url | 1
\myfabg.lnk | 1
\bykwvy.url | 1
\qkmmpw.lnk | 1
\ewblii.lnk | 1

*See JSON for more IOCs

File Hashes
*See JSON for more IOCs

Coverage

Product | Protection
Secure Endpoint | This has coverage
Cloudlock | N/A
CWS | This has coverage
Email Security | This has coverage
Network Security | N/A
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Secure Malware Analytics | This has coverage
Umbrella | N/A
WSA | N/A

Screenshots of Detection

Secure Endpoint


Secure Malware Analytics


MITRE ATT&CK


Win.Trojan.Ursnif-9949968-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 26 samples
Registry Key | Value Name | Occurrences
<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES | DefaultScope | 19
<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{0633EE93-D776-472F-A0FF-E1416B8B2E3A} | FaviconPath | 18
<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{0633EE93-D776-472F-A0FF-E1416B8B2E3A} | Deleted | 18
<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\159 | - | 11
<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES | FaviconPath | 1
<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES | Deleted | 1
<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER | TabBandWidth | 1
Mutex | Occurrences
Global\<random guid> | 5
IP Addresses contacted by malware (does not indicate maliciousness) | Occurrences
Domain Names contacted by malware (does not indicate maliciousness) | Occurrences
Files and/or directories created | Occurrences
\Users\user\AppData\Local\Temp\JavaDeployReg.log | 20
\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-17529550060\msapplication.xml | 20
\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-18270793970\msapplication.xml | 20
\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-21706820\msapplication.xml | 20
\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-4759708130\msapplication.xml | 20
\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-6757900\msapplication.xml | 20
\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-8760897390\msapplication.xml | 20
\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20259167780\msapplication.xml | 20
\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20332743330\msapplication.xml | 20
\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin8215062560\msapplication.xml | 20
\Users\user\AppData\Local\Microsoft\Windows\INetCache\SQM\iesqmdata7.sqm | 20
\Users\user\AppData\Local\Microsoft\Windows\INetCache\SQM\iesqmdata8.sqm | 20
\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FNF9BE4O\errorPageStrings[1] | 19
\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OSZC6DKG\httpErrorPagesScripts[1] | 19
\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\XN0IX3V7\NewErrorPageTemplate[1] | 19
\Users\user\AppData\Local\Microsoft\Windows\INetCache\SQM\iesqmdata9.sqm | 19
\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OSZC6DKG\googlelogo_color_150x54dp[1].png | 19
\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FNF9BE4O\robot[1].png | 19
\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FNF9BE4O\httpErrorPagesScripts[1] | 18
\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PCALSGUV\NewErrorPageTemplate[1] | 18
\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\XN0IX3V7\errorPageStrings[1] | 18
\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PCALSGUV\dnserror[1] | 18
\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PCALSGUV\dnserror[2] | 18
\Users\user\AppData\Local\Microsoft\Windows\INetCache\SQM\iesqmdata0.sqm | 16
\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{E28F2047-D00B-11EC-93F9-00007D696965}.dat | 1

*See JSON for more IOCs

File Hashes
*See JSON for more IOCs

Coverage

Product | Protection
Secure Endpoint | This has coverage
Cloudlock | N/A
CWS | This has coverage
Email Security | This has coverage
Network Security | This has coverage
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Secure Malware Analytics | This has coverage
Umbrella | This has coverage
WSA | This has coverage

Screenshots of Detection

Secure Endpoint


Secure Malware Analytics


MITRE ATT&CK


Win.Malware.Gh0stRAT-9949686-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 15 samples
Registry Key | Value Name | Occurrences
<HKCU>\SOFTWARE\MICROSOFT\MULTIMEDIA\DRAWDIB | - | 15
<HKCU>\SOFTWARE\MICROSOFT\MULTIMEDIA\DRAWDIB | 1152x864x32(BGR 0) | 15
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDOWS | Type | 14
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDOWS | Start | 14
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDOWS | ErrorControl | 14
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDOWS | WOW64 | 14
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDOWS | ObjectName | 14
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDOWS | - | 14
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDOWS | Group | 14
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDOWS | ImagePath | 14
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDOWS | DisplayName | 14
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDOWS | FailureActions | 14
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDOWS | InstallTime | 14
Mutex | Occurrences
ini_read_write | 15
1.15.252.63:3339:windows | 14
IP Addresses contacted by malware (does not indicate maliciousness) | Occurrences
1[.]15[.]252[.]63 | 14
Domain Names contacted by malware (does not indicate maliciousness) | Occurrences
computer[.]example[.]org | 15
wpad[.]example[.]org | 15
vmss-prod-seas[.]southeastasia[.]cloudapp[.]azure[.]com | 7
vmss-prod-eus[.]eastus[.]cloudapp[.]azure[.]com | 5
vmss-prod-weu[.]westeurope[.]cloudapp[.]azure[.]com | 3
Files and/or directories created | Occurrences
%ProgramFiles(x86)%\NetMeeting | 14
%ProgramFiles(x86)%\Windows NT\csrss.exe | 14
%ProgramFiles%\Windows NT\csrss.exe | 14
%ProgramFiles(x86)%\NetMeeting\csrss.exe | 14

File Hashes
Coverage

Product | Protection
Secure Endpoint | This has coverage
Cloudlock | N/A
CWS | This has coverage
Email Security | This has coverage
Network Security | N/A
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Secure Malware Analytics | This has coverage
Umbrella | N/A
WSA | N/A

Screenshots of Detection

Secure Endpoint


Secure Malware Analytics


MITRE ATT&CK