Today, Talos is publishing a glimpse into the most prevalent threats we've observed over the past week. As with previous round-ups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavior characteristics, indicators of compromise, and how our customers are automatically protected from these threats.
As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of date of publication. Detection and coverage for the following threats is subject to updates pending additional threat or vulnerability analysis. For the most current information, please refer to your FireSIGHT Management Center, Snort.org, or ClamAV.net.
This week's most prevalent threats are:
- Win.Worm.Pykspa-6057105
This malware installs itself to maintain persistence, listens on an incoming port for additional commands, and drops executables on the system. Pykspa creates files in alternate data streams and may be able to perform reconnaissance such as reading clipboard data and logging keyboard keys pressed. Pykspa also contains evasive mechanisms such as cursor movement detection, and it disables Windows Defender.
- Win.Trojan.Drivedos-6042667
This malware uses a Domain Generation Algorithm (DGA) to communicate with a C&C server and download additional files. It may infect USB devices and is able to infect the boot sector. It also contains features to read data from the clipboard and log keystrokes. It drops executable files with the .PIF file extension.
- Win.Virus.Virut-5898123-1
Virut is a polymorphic file infector. Its distinguishing trait is the obfuscation of the code immediately following the entry point, which continues to change over time as it attempts to avoid detection. Once unpacked, it hooks relevant Windows API calls in order to start infecting other files on the host. It also sets up a backdoor, allowing it to download and execute additional malware.
- Win.Virus.PolyRansom-5704625-0
PolyRansom is a polymorphic file infector. It also acts as ransomware, locking access to the infected host after some time has passed. Upon execution, it creates a large number and a wide variety of new process instances. Finally, it locks down the Windows host and demands a ransom payment in Bitcoin. The ransom note replaces the desktop wallpaper and is designed to trick the user into believing that they have committed copyright infringement and owe a fine payable in Bitcoin.
- Doc.Dropper.ZwMacros-6057750-0
This malicious document installs Tor and PHP on the system. The PHP executable is set to autorun via a link in the Start Menu Startup folder. The dropper document itself contains code to perform interprocess memory operations.
- Win.Downloader.Mupad
Mupad beacons out to a series of domains in an attempt to download and execute a payload. It enumerates the system to gather information such as the installed antivirus products and whether the system is running in a virtual machine.
- Doc.Dropper.Agent
This sample is a Word document that uses VBScript within the document to execute a PowerShell payload, which in turn downloads and executes other malicious payloads.
- Win.Trojan.Redirect-6055402-0
The malware is a dropper that deploys other malware. It drops a DLL and an executable file. The DLL is preloaded into every started process and in turn launches the executable, the actual threat. Currently the dropper is used to deploy Cerber.
- Win.Trojan.Zusy-6041926-0
Zusy is a trojan that injects itself into other Windows processes and into the browser to steal valuable information. The malware also has anti-debugging and anti-VM capabilities, and it contacts a hardcoded C&C server.
- Win.Trojan.PasswordStealer
This sample is a VB-packed binary that tries to steal passwords from, at least, the Firefox web browser, the FileZilla FTP client, Chrome, Internet Explorer, and a number of other applications such as PokerStar, VNC, Foxmail, VNC clients, and others.
- Doc.Macro.ObfuscatedObj-6059281-0
This Word document uses an obfuscated macro to contact a C2 server, download a payload and execute it.
Details
Win.Worm.Pykspa-6057105
Registry keys created
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  - Value name: [a-z]{12,18}
  - Value data: [a-z]{12,18}.exe
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  - Value name: [a-z]{12,18}
  - Value data: %TEMP%\[a-z]{12,18}.exe
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
  - Value name: [a-z]{12,18}
  - Value data: [a-z]{12,18}.exe
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
  - Value name: [a-z]{12,18}
  - Value data: %TEMP%\[a-z]{12,18}.exe
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
  - Value name: [a-z]{12,18}
  - Value data: [a-z]{12,18}.exe
- HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run
  - Value name: [a-z]{12,18}
  - Value data: [a-z]{12,18}.exe
- HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\RunOnce
  - Value name: [a-z]{12,18}
  - Value data: [a-z]{12,18}.exe
- HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Policies\System
  - Value name: DisableRegistryTools
  - Value data: 1
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
  - Value name: DisableRegistryTools
  - Value data: 1
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
  - Value name: NoDriveTypeAutoRun
  - Value data: 1
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Security Center
  - Value name: AntiVirusOverride
  - Value data: 1
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Security Center
  - Value name: FirewallOverride
  - Value data: 1
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Security Center
  - Value name: UacDisableNotify
  - Value data: 1
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Security Center
  - Value name: AntiVirusDisableNotify
  - Value data: 1
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Security Center
  - Value name: FirewallDisableNotify
  - Value data: 1
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Security Center
  - Value name: UpdatesDisableNotify
  - Value data: 1
Registry keys modified
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
  - Value name: Shell
  - Old Value: explorer.exe
  - New Value: Explorer.exe
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
  - Value name: ConsentPromptBehaviorAdmin
  - Old Value: 5
  - New Value: 0
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
  - Value name: ConsentPromptBehaviorUser
  - Old Value: 3
  - New Value: 0
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
  - Value name: EnableInstallerDetection
  - Old Value: 1
  - New Value: 0
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
  - Value name: EnableSecureUIAPaths
  - Old Value: 1
  - New Value: 0
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
  - Value name: EnableVirtualization
  - Old Value: 1
  - New Value: 0
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
  - Value name: PromptOnSecureDesktop
  - Old Value: 1
  - New Value: 0
- HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
  - Value name: NoDriveTypeAutoRun
  - Old Value: 145
  - New Value: 1
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
  - Value name: CheckedValue
  - Old Value: 1
  - New Value: 145
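The UAC policy values and Security Center override flags listed above are a usable host-audit checklist: a machine where several of them sit at the "New Value" state deserves a closer look. The PowerShell below is an added example, not Talos code, that reads those values from a live host and reports any matching the tampered state, and separately walks the Run/RunOnce locations above for entries shaped like the recorded persistence values. The "Expected" baselines are the Windows defaults recorded as "Old Value" above; a different group-policy baseline is an assumption you would adjust. The report lists the Security Center flags under a `...\Windows\Security Center` path; the usual location is `HKLM:\SOFTWARE\Microsoft\Security Center`, so the script checks both.

```powershell
# Added example, not Talos code: audit the UAC policy and Security Center values
# Pykspa is observed to change, and the Run/RunOnce locations it writes to.
# Run from an elevated PowerShell prompt on the host under examination.

$policyPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
# "Expected" is the Windows default recorded as "Old Value" in the report; if group
# policy sets a different baseline in your environment, adjust it here (assumption).
$policyChecks = @(
    @{ Path = $policyPath; Name = 'ConsentPromptBehaviorAdmin'; Bad = 0; Expected = 5 }
    @{ Path = $policyPath; Name = 'ConsentPromptBehaviorUser';  Bad = 0; Expected = 3 }
    @{ Path = $policyPath; Name = 'EnableInstallerDetection';   Bad = 0; Expected = 1 }
    @{ Path = $policyPath; Name = 'EnableSecureUIAPaths';       Bad = 0; Expected = 1 }
    @{ Path = $policyPath; Name = 'EnableVirtualization';       Bad = 0; Expected = 1 }
    @{ Path = $policyPath; Name = 'PromptOnSecureDesktop';      Bad = 0; Expected = 1 }
    @{ Path = $policyPath; Name = 'DisableRegistryTools';       Bad = 1; Expected = 'absent' }
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
       Name = 'DisableRegistryTools'; Bad = 1; Expected = 'absent' }
)

# Security Center flags: the report path and the usual location are both checked.
$scPaths = @('HKLM:\SOFTWARE\Microsoft\Windows\Security Center', 'HKLM:\SOFTWARE\Microsoft\Security Center')
$scNames = @('AntiVirusOverride', 'FirewallOverride', 'UacDisableNotify',
             'AntiVirusDisableNotify', 'FirewallDisableNotify', 'UpdatesDisableNotify')
$securityCenterChecks = foreach ($scPath in $scPaths) {
    foreach ($n in $scNames) { @{ Path = $scPath; Name = $n; Bad = 1; Expected = 0 } }
}
$allChecks = $policyChecks + $securityCenterChecks

function Test-PykspaPolicyTampering {
    param([object[]]$Checks = $allChecks)
    foreach ($c in $Checks) {
        $props = Get-ItemProperty -Path $c.Path -ErrorAction SilentlyContinue
        # A missing value means the Windows default applies, so there is nothing to report.
        if ($null -eq $props -or $null -eq $props.PSObject.Properties[$c.Name]) { continue }
        $current = $props.($c.Name)
        if ($current -eq $c.Bad) {
            [pscustomobject]@{ Key = $c.Path; Value = $c.Name; Current = $current; Expected = $c.Expected }
        }
    }
}

# Run-key persistence: the recorded entries have a value name of 12-18 lowercase
# letters and data of the same shape ending in .exe, bare or under %TEMP%.
# Get-ItemProperty expands %TEMP% in REG_EXPAND_SZ data, so any leading path is allowed.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$providerMetadata = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Find-PykspaRunEntries {
    param([string[]]$Keys = $runKeys)
    foreach ($k in $Keys) {
        $props = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
        if ($null -eq $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -in $providerMetadata) { continue }   # not registry values
            if (($p.Name -cmatch '^[a-z]{12,18}$') -and (([string]$p.Value) -cmatch '^(?:.*\\)?[a-z]{12,18}\.exe$')) {
                [pscustomobject]@{ Key = $k; Value = $p.Name; Data = $p.Value }
            }
        }
    }
}

Test-PykspaPolicyTampering | Format-Table -AutoSize
Find-PykspaRunEntries      | Format-Table -AutoSize
```

Both functions emit objects rather than text so the results can be exported or compared across hosts. A single tampered value is weak evidence on its own (administrators do lower UAC prompts); the combination of the UAC values, the Security Center notification overrides and a random-looking Run entry is what matches this sample.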
Mutex Created
- \Sessions\1\BaseNamedObjects\[a-z]{23}
Files Created
- %TEMP%\[a-z]{10}\[a-z]{12,18}.exe
- %TEMP%\[a-z]{7}.exe
- %TEMP%\[a-z]{7}.exe\:Zone.Identifier:$DATA
IP Addresses
- N/A
Domain Names
- sayapo.info
- DGA pattern: [a-z]{6,16}(.biz|.cc|.com|.org|.info|.net)
File Hashes
- 754de992cb2fbd82f19ee1995f9bb55eea570a3b9943758f651a330fec9d26e5
- 531ce14a93b47b8f69eac108d4465af69053a9470a35ff267e4efdeebd4d995c
- 26c7a51105bcef9bba665a249cdd2b3b74fa7ab1cfcac06df92910630c1036aa
- 04e839b3d350b9c8d451593f20eaaf5b8768c8d6874fd9026bf9b23b9c9fc975
- 604ff7d77ea2415ff4aecd22c3c83285a3b516d0186809b7841e074fc488d108
- d7e2866ee4094c2a63e2e14186966713143fae4c1d2fac1346b7c12ec4444154
- fc359947e53d484866a43caf2da2d8005b68446581e3f3bab4913f57cd545a7f
- 957659bf309e485197115bbdec68c62d75433d6b64fe480a35f7bec5a372fdc7
- 117f0b08c48a7e158d44ba94b4fe7b47982e53372dd9b1b55f5f4eed90e58ce7
- 117d791e685972b6524f739d26908ddbe8ed3470702d04134a955f357b1185d0
- 36c28c31b0987ed74eed3a930a885d7bfb21aabed27a313f5b5e96f84e898f68
- a9c3ac8773bb6cad7b1b3f3465622f65368aca72d662d3451e882a9a793041a9
- 04be7f72bea90aa7df0448a3bcde7f28e912533556e9a7860c766d2438f504be
- dc3ed0f17ea7cc2d27047d978c82d7964fbc78df14fce653cc00e5c6f5da1fd6
- d49d7c53e52d4c3b786582523ca8212da5f10356ea92d578035d21fe38cf30af
- 615754a3a05b95a42403435bf6ae1e2e1959f8b975bc691b144b1cfb5cf50a1b
- 433d74c69c5bbe305028333b57fd69f97291858f49cd43ef4982cd2daa30b1a3
- 31433f840a8db9884c9387f7f0c9a78c17be7902a41fbdfd8bb994cebd3aaa4d
- c227b3c4a1266a8e1066222bcd486eea541ae13167b39fd5f41e7f3a50f7df2d
- 76c155b1b90d23eca76a4083085635cc905b32ce71d0218529bd8363a2dc0362
- f9f763d928686b246417916406e676a198dfe1975b7b50a5aac55b553f302f98
- 8ead2aa687a818fe86bd2e89f08f6abedda3767108ea4c758d3997ec68e89da9
- ca795997ee736f7719e50a334746a5065b007f00983fb70bf88fa3d7f5acaa9d
- 423d415ced7de7c51ab52ed176a91777a4075450c1253323c2edc8485c2bcad9
- 484bbaef80deaf32e39bbe5cc242f320544cadbf47d7dedfcf47e910ce1899aa
Coverage
Detection Engines
AMP
ThreatGrid
Umbrella
Win.Trojan.Drivedos-6042667
Registry keys created
Depending on the version, the persistence keys may point to different places.
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  - Value name:
  - Value data: %ALLUSERSPROFILE%\Application Data\winaddrss.exe
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  - Value name:
  - Value data: %SYSTEMROOT%\M-505045058025025030484340240\winmgr.exe
Registry keys modified
- N/A
Mutex Created
- \Sessions\1\BaseNamedObjects\qazwsxedc
Files Created
- %PROGRAMDATA%\winaddrss.exe
- %ALLUSERSPROFILE%\Application Data\winaddrss.exe
- %ALLUSERSPROFILE%\Templates\cvmonts.exe
- %SYSTEMROOT%\M-505045058025025030484340240\winmgr.exe
- %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startupx\system.pif
IP Addresses
- 220.181.87.80
Domain Names
- nt13.net
- [a-z]{18}.ru
- wdokwuroouaklzwudo.ru
- wurzuqeozoueztuzqe.ru
- abdzwuazduroowdufa.ru
- opunamurwueodhsheu.ru
- trikhaus.info
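The domain list above mixes fixed names with a generated shape (`[a-z]{18}.ru`), which is what makes a DGA family awkward to block by list alone. The PowerShell below is an added example, not Talos code, that matches resolver query logs against both: the listed domains exactly, and the 18-letter `.ru` shape as a weaker, pattern-based signal. The log line format (`<timestamp> <client-ip> <query-name>`) and the sample lines are constructed for the example; adapt the field split to your resolver's output.

```powershell
# Added example, not Talos code: match DNS query logs against the Drivedos
# domain indicators in the report. The log format and sample lines are
# constructed for this example; adjust the split to your resolver's format.

$drivedosDomains = @(
    'nt13.net', 'wdokwuroouaklzwudo.ru', 'wurzuqeozoueztuzqe.ru',
    'abdzwuazduroowdufa.ru', 'opunamurwueodhsheu.ru', 'trikhaus.info'
)
$drivedosDgaPattern = '^[a-z]{18}\.ru$'   # the generated-domain shape recorded in the report

function Test-DrivedosDomain {
    param([Parameter(Mandatory)][string]$Name)
    $n = $Name.TrimEnd('.').ToLowerInvariant()
    if ($drivedosDomains -contains $n)  { return 'listed-domain' }
    if ($n -cmatch $drivedosDgaPattern) { return 'dga-shape' }
    return $null
}

function Find-DrivedosDnsHits {
    param([Parameter(Mandatory)][string[]]$LogLines)
    foreach ($line in $LogLines) {
        $fields = $line.Trim() -split '\s+'
        if ($fields.Count -lt 3) { continue }   # malformed line, skip it
        $verdict = Test-DrivedosDomain -Name $fields[2]
        if ($verdict) {
            [pscustomobject]@{ Time = $fields[0]; Client = $fields[1]; Query = $fields[2]; Verdict = $verdict }
        }
    }
}

# Constructed sample log lines (not from a real network)
$sampleLog = @(
    '2017-03-10T09:12:01Z 10.0.0.15 www.example.com'
    '2017-03-10T09:12:03Z 10.0.0.15 nt13.net'
    '2017-03-10T09:12:04Z 10.0.0.15 qpwoeirutyalskdjfh.ru'
    '2017-03-10T09:12:09Z 10.0.0.22 mail.example.org'
)
Find-DrivedosDnsHits -LogLines $sampleLog | Format-Table -AutoSize
```

The two verdicts are kept separate on purpose: a hit on a listed domain is strong, while the `dga-shape` verdict only says a query looks like this family's generated names and needs corroboration, such as a burst of such lookups from one client. The broader Pykspa shape listed earlier (`[a-z]{6,16}` over common TLDs) matches most legitimate domains and is not worth turning into a standalone rule.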
File Hashes
- 16c6db5a6b9ab04aac6fe2d38bcee4543a2bd650a37693a3d449a7d411b02bdf
- fe8c4878488eec138c635317dbb7e82fec2fad7c549df60182adae0d5ae7e774
- 0f932d9b1698dc98e89817f52ad7ca80f2578535c9bac8f311a34ce43eee625d
- 96c5a42526706c8ba31b1fc2c60b7bcc9fd11286d586fb81ccecb17bbe9501a1
- 6763222c1d8f93b7c84771487cc1a16ca70766d6222503cf3f20a78838fb1153
- 49fda7e75fa833795dd416228eec9016261c6755260aa2ac0bfc629595ec2b3d
- 3f6c8c5753dc4cc4d662cd1519034cb79be63d2192ed2e1995fe05d7b823621e
- d7dc5f282f2c8d5a3cde29c2aa999cc2825bfaf5739d7ce85b81ff84b25dc71c
- 792f06ffc67477d268292f1a1f51679fbfbc6364f0a6c7ca09314fa6b8f2f027
- 6b5220f76c9d8dc82ce0882689036b886ff3b8518d7f2fcacbdd0f400f6ead59
- e657dc7ffe72e46136592dccb5a1d6d3f6caa46ccf68e92a8cfe242b437f9c7c
- 1ca6ea2752a0bb807715720916ec2c96b5c6d65760001a148e5ec18cba5b0a07
- 4f9d401aa1795945428725856b170bbe8a2ea8ae51d1fe1c79d47db140d097bf
- 39a1049145c63171863b3b3934c0cb57b7df14b8935b672322d21ac7881a73ae
- 3534232b1c45f9c4708040a448abdf0b2f7536eb145fa68933f9f864b987355a
- cf69f52b7361c19afaad789b9928682d9821bebcf5c3f46722cc853f02144275
- 70d21eb4e53b696ec8fc4c28917d5dc4a9a1b9eae14701b1af4fee2f35e2fbe5
- 1c8de52e1c5fc3925f1f78d4086d7ebec0e303886b2baafd4de6e61fcf93bfe7
- 2b771e4c052cafea99e9ccd224975692d55905b3d3413c5eb06e4717e1a19d86
Coverage
Detection Engines
AMP
ThreatGrid
Umbrella
Win.Virus.Virut-5898123-1
Registry keys created
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
  - Value name: \??\C:\WINDOWS\system32\winlogon.exe
  - Value data: \??\C:\WINDOWS\system32\winlogon.exe:*:enabled:@shell32.dll,-1
Registry keys modified
- HKEY_USERS\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
  - Value name: ParseAutoexec
  - Old Value: 1H
  - New Value: 1.
- HKEY_USERS\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
  - Value name: ParseAutoexec
  - Old Value: 1.
  - New Value: 18
- HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
  - Value name: SavedLegacySettings
  - Old Value: 3C 00 00 00 01 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  - New Value: 46 00 00 00 02 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Mutex Created
- \BaseNamedObjects\shqq
Files Created
- %SYSTEMROOT%\Prefetch\240848539.EXE-0BA5D3C2.pf
- %SYSTEMROOT%\system32\config\SysEvent.Evt
- %SYSTEMROOT%\system32\drivers\etc\hosts
- %SYSTEMROOT%\system32\wbem\Logs\wbemess.log
- \EVENTLOG
- \lsass
- \ntsvcs
IP Addresses
- 148.81.111.121
Domain Names
- sys.zief.pl
File Hashes
- bc11480f1900f19229113e575f4b46c4036b9b273154ee99e0e39811f4cc1a67
- 65a3a41c6de83a108586c9206b92730e9110590a49bccfd828b5e9c0834b9a2c
- cfe496ec011574bbe342cc433b0db3b9b3b5237c6628bbe863244428a76e064e
- 16c27585adacc893b2e707c84a295028026fdd8b1f7fda34390f8323a8d681e0
- 64bff8e6a772614a8ec0e6fd29f286fcac6cb7635df5c8df176d1fcc7a8b8931
Coverage
Detection Engines
AMP
ThreatGrid
Umbrella
Win.Virus.PolyRansom-5704625-0
Registry keys created
- HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run
  - Value name: hYUIgYUw.exe
  - Value data: C:\Documents and Settings\Administrator\uyooEMMY\hYUIgYUw.exe
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  - Value name: gyAEkwAM.exe
  - Value data: C:\Documents and Settings\All Users\VeookAAk\gyAEkwAM.exe
Registry keys modified
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
  - Value name: Userinit
  - Old Value: C:\WINDOWS\system32\userinit.exe,
  - New Value: C:\WINDOWS\system32\userinit.exe,C:\Documents and Settings\All Users\VeookAAk\gyAEkwAM.exe,
Mutex Created
- \BaseNamedObjects\mMkUAokE
- \BaseNamedObjects\lEwoEIAg
Files Created
- %TEMP%\JOYckAoI.bat
- %TEMP%\jOUQoscQ.bat
- %SYSTEMDRIVE%\Documents and Settings\Administrator\WywoYQwk\VyIEwAQs.exe
- %SYSTEMDRIVE%\Documents and Settings\Administrator\aEkoggMo\BCQAQkUU.exe
- \ROUTER
IP Addresses
- N/A
Domain Names
- N/A
File Hashes
- ec2a9993e2ca725f7339e9a55be553df9a90ca65c6ba244e5bede7f535c53ee8
- 9646e43ca46f7fb0b9e38e9ad7a8baf11a5d1e0a38e9aa32f1970b4ffeca647d
- 07681725d504a43e09b7ccf67b9772d4804b5ebb06c6454a5e5012c406388694
- 1b93c96533e29413dc508deb7de16176d82876cc03ea67c9fc292e8a702ad3bd
- 64a5d4e837de315208093596e330104ef5b864fa5551b32acfd3467739a1caee
Coverage
Detection Engines
AMP
ThreatGrid
Doc.Dropper.ZwMacros-6057750-0
Registry keys created
- CURRENT_USER\Software\Microsoft\[A-Z][a-z]{3}
  - Value name: [A-Z][a-z]{4}
  - Value data: <<Large Base64 Binary Blob>>
Mutex Created
- Local\!IETld!Mutex
- Global\%{GUID}%
- Global\MTX_MSO_AdHoc1_S-1-5-21-1202660629-583907252-1801674531-500
- Global\MTX_MSO_Formal1_S-1-5-21-1202660629-583907252-1801674531-500
- Local\_!MSFTHISTORY!_
- Local\mtxLogMeInIgnition.IgnitionMutex
Files Created
- %USERPROFILE%\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start.lnk
- %APPDATA%\Eliq\otke.gub
- %APPDATA%\Imom\xauf.hya
- %APPDATA%\[A-Z][a-z]{4}\php.exe
- %APPDATA%\Lyeb\php5ts.dll
- %APPDATA%\Lyeb\wuerhyy.php
- %APPDATA%\Moaf\aldok.wai
- %APPDATA%\libeay32.dll
- %APPDATA%\libevent-2-0-5.dll
- %APPDATA%\libgcc_s_sjlj-1.dll
- %APPDATA%\libssp-0.dll
- %APPDATA%\ssleay32.dll
- %APPDATA%\tor.exe
- %APPDATA%\tor\cached-certs
- %APPDATA%\tor\cached-microdesc-consensus
- %APPDATA%\tor\cached-microdescs.new
- %APPDATA%\tor\lock
- %APPDATA%\tor\state
- %APPDATA%\zlib1.dll
- %TEMP%\certutil.exe
- %TEMP%\cuukzaag.crt
- %TEMP%\freebl3.dll
- %TEMP%\libnspr4.dll
- %TEMP%\libplc4.dll
- %TEMP%\libplds4.dll
- %TEMP%\msvcr100.dll
- %TEMP%\nss3.dll
- %TEMP%\nssdbm3.dll
- %TEMP%\nssutil3.dll
- %TEMP%\smime3.dll
- %TEMP%\softokn3.dll
- %TEMP%\sqlite3.dll
- %TEMP%\~DF[0-9A-F]{4}.tmp
- %TEMP%\710796.cvr
- %TEMP%\BND.tmp
IP Addresses
- 151.80.42.103
- 184.72.248.171
- 185.158.153.228
- 192.42.113.102
- 216.146.38.70
- 216.146.43.70
- 46.165.230.5
- 54.235.135.158
- 60.43.178.142
- 62.210.213.17
- 85.10.213.104
- 91.198.22.70
- 91.219.236.222
- 91.219.237.244
- 95.175.98.222
- 95.215.44.105
Domain Names
- 7hoshi.co.jp
- api.ipify.org
- api.ipify.org.herokudns.com
- athentitevent.com
- checkip.dyndns.org
- henjoharlet.ru
- himlehesdidn.ru
- littmautrow.com
- www.annelizeheyns.co.za
File Hashes
- 62e6e5dc0c3927a8c5d708688ca2b56df93848b15a4c38aab173c5a8384395f9
Coverage
Detection Engines
AMP
ThreatGrid
Umbrella
Malware screenshot
Win.Downloader.Mupad
Registry keys created
- N/A
Registry keys modified
- N/A
Mutex Created
- N/A
Files Created
- N/A
IP Addresses
- 185.14.29.162
- 5.9.43.174
- 185.20.186.51
Domain Names
- fellowrat125.gdn
- impressvalley.gdn
- lundrhoaxvym.sandwichdrip.gdn
- g.licenceviolet.gdn
File Hashes
- b999e7ddcf337fb1cac4f701fa92fe2989ec915e50ef74cf1a92f9ac304201ae
- 624b830432a3aef2fd083769ae8fafed0e44a654ba5b0e8748cb88d9c3fa0c0d
- c27528d19bef0996cd9d673e461566db5bff79aec576da86150477386f159d74
- 938ede37610dc0d8b2ebbefc84c68abbd6d12248ee74727706ed9caa8ff1a201
- 2b9e88fa320e0202fdd9f70fddc6e54fdf25f29b99f0a0c7fe47098417509a29
- f6fc5c333cc6dd9f28038c96ff0eadc6035d882e0cb6aa0fa9c82bd2caac2238
- 68695c4b762ba5f0a28cc3697ffae36b1a1c853fae79693dfd48af632cc35cd1
- aa1c68db99e6bfbc80912c7fe1384cce8e37302bd0f0bc2f3a1f2dd0fbc24c29
- 2e1e599f47b8946d7352b4f311deac88659644ebe99228b712a3dfd70676d177
- fd399dad89188ec66d0e5abaa07ad9930a6593b5618bba0f7205ea489401cb34
- 84542607705c3b6b71c6dfa3357e391e8847d742ca0c0fc456f7af0b525cfbe7
- c70f6beab00e9a04fd931554a6ca577b09bf5211a4bbd217b2baea5f852d2718
- b603bb6cba61c46e204c91cbb505961def5a1a761e6400ec2376a9bf7a135cc6
- bbeec648b4efd53b7bc30813c2bfa37a1e13733f917abc304fb6fd2c381c8b40
- bbf546dbaa0d3518bb137f6cd57894248075632aa31f652f4bb518ee18231de4
- b22c3d312b85fa38b8126b896b9619638abc1c1e607f27d5c0ee18f82b5ca050
- 2c8196dc8447d6cc5c97abf9cb10bbe3aa5c59a329b01a66fd7d7dbaa917deea
- 0365e9072efcdfd79b387a5c0ba8b502234e30db869af48b3593a596c5fdd400
- 803b0dd10b18e2596df5be19ae16538a60a5f85539a3c69b3763484f578c7b24
- 065c5d863c32cf4d59685ceb0c3fc1c10085aa9fc2909a660c31eb4b4d2837e6
- 0179111af9b0ba0335924a4c3b38b23fa4033b88c06e270c0dbbf276d63d23be
- 21226e9c1c83f4bc6af95bea342173a05e14b7403b350343275ea894b231ec01
- a6cf136da14215e3e6f3c546e8c5920779ba1487b1d53b06373fd6ee5e1bd0dd
- 77aa0f4a65677410f727ea0c71c875e3f118684a8adb0c862d54fcb0a5034d9e
- fdc82c10ab30dde05433b6590caecfbe2a6abed46ebbbd466a83f57bea8895f7
Coverage
Detection Engines
AMP
ThreatGrid
Umbrella
Doc.Dropper.Agent
Files Created
- c:\~$runme.doc
IP Addresses
- 104.199.9.203
Domain Names
- ponmaredimare.top
File Hashes
- 070b14ec00ad9faca340e36b89bd30de2092ce2b8e0e19b336c548e900a59185
- 07fcb3af9fb7b9d0d691676d7a280dc0cbbb89b88b4fa164deacd4cf65081fee
- 09a69c30306cc6fa29a60c921038ad800c198823c920d8fa2da41a4e239c074b
- 2ccbbbfd14237aa7659150cf42a4b937f65c2cab0f076d2338f4e7ba2fa4e56a
- 2f8ddd343edcedd94a2aa768ad925818685bc642b36d02857fdbb48f0787d3b5
- 3315d79fe3de644c07746d0761d9028394725c70ed17a2c1da9373e4fd8e04e0
- 3aa20f9ffd39710b7a415188c08a3be7192341f07595571bb2b562e735d81898
- 3afd65321b17f889778fff1fab48b7238d7f34535811f21a809f5a543d3fead7
- 554f57e7dee6f038eb6d53df1e692d4075d659a06d0830a3baba93ef12a290e5
- 559a42967989df5f0d761bfd0775e303331bbcfa08bf0ad44a360b1363bf4f5d
- 69ccf61cce81afeda495c943fb2942fb42977db696f1e2bda3f70fd31699b459
- 80a427db08abb3a06fef425a9795ff1339a01ec01ab721659f5bd86dff02ee21
- 8172c355647916aeec15bc9285cdf559c87e8c4a4ce84151bfd7e4ff2fec0839
- 88e7d9fbb716abd6a5fcaef71823c71cfe6ecf4eb37a2f2a232f8bc9c8ab8bdb
- 8b1b49374289311298e3f4487940ba524b468550769588f4bb10a8c22791665d
- 8b3244ec2a4635b5a028f71a81282d9d4f85af139063b6aaa593257569993e70
- 8b8567e0cf4b6e810db74985b9e782ebbae34c9d4fcf880ba2b7efa8bc8b829e
- 90a6738734ab7a225e58ce9b373bde7a335aeda409ec3b5803bef8a64bdf0bc5
- 9252876a74596562c63791a3a4d5ecc4afc39ef8a43471b17eefae2777cf07b9
- a8fac0597f4edb4d4a4a72610bf62df20498dc5b429789b405fd255944d9d66c
- ac14a2578eca7575a68c4581fd77601bf0adc5e139d1fa5e468a257ba7863876
- b64cbf393324349974002cb72799464b5af101017911e1a512108a3c674708da
- b7ce841739cdf3a6691be5630195e922dd801d665e5495b54f26cf18c3ff989a
- bb7560cfba2ce80c1e79c239e114ccb6ad4fac0fdaa41d51421630b733bc45a8
- bdf3a30c9796f8d44bbbc45653d9d03388e63a8d0d61a4dd307108a1ebf49b8b
- bff6b0f56fd50918b935478c926ee6fd9ee1bebf24da1c78db0836897aab1def
- c3c4c03761a3b296ef4c62946ae467086a3d6ee9618a36e0d713e14c4fa03c49
- d1062a29aa474a14debd7149d780e9e427acc455f3fd87ce49066c1e7338b368
- d8b945e5adfc9cd90006974df40c28bce50baf046b4603002e229068f2aeeb30
- e330fe11577b0346d4368511a3598a1b84e7c151b959643bacd6ce118f63ebcf
- e7c91fa0582ec2d34d9f7f6cc058773abbf943fc99e48368b18b5c2336ffc91a
- e9c11dfd0127e4347113baab50003ff1cba82c110168da5f930d31a57c1a6368
- e9de9b4f4262d500f372261c915fee93975057b87b977985fe5e048a5f115b3f
- ef3be7348603088c70254a85dee348358b74b7ad2e19e09ae56d1c435373ff9b
- f7b720c688dbf25632bbdb5a5c029a0d790cae3dd422b8e8c0f94ca41b8759aa
- fbf8101890d359612281d87ad69801ec5ecb633d5e455619c64691e1ac1c1bb2
Coverage
Detection Engines
AMP
ThreatGrid
Umbrella
Malware screenshot
Win.Trojan.Redirect-6055402-0
Registry keys modified
- <HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS
  - Value name: LoadAppInit_DLLs
  - Old Value: 0
  - New Value: 1
- <HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS
  - Value name: AppInit_DLLs
  - Old Value:
  - New Value: %AllUsersProfile%\Mozilla\[a-z]{7}.dll\\0
Files Created
- %WinDir%\Tasks\[a-z]{7}.job
- %AllUsersProfile%\Mozilla\[a-z]{7}.exe
- %AllUsersProfile%\Mozilla\[a-z]{7}.dll
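Setting LoadAppInit_DLLs to 1 and naming a DLL in AppInit_DLLs is the mechanism behind "the DLL is preloaded into every started process" in the summary: every process that loads user32.dll then loads that DLL. Because the registry value is the injection point, it is also the cheapest place to check. The PowerShell below is an added example, not Talos code, that reports the state of both values and looks for the dropped-file shapes listed above. The `Wow6432Node` key is the 32-bit view of the same setting on 64-bit Windows; it is not in the report and is added here as an assumption about where a 32-bit dropper would write.

```powershell
# Added example, not Talos code: check the AppInit_DLLs injection point that
# Win.Trojan.Redirect is observed to use, and look for the dropped files listed
# in the report. Run from an elevated PowerShell prompt.
# The Wow6432Node key is the 32-bit view on 64-bit Windows (not in the report).
$appInitKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
)

function Get-AppInitStatus {
    param([string[]]$Keys = $appInitKeys)
    foreach ($k in $Keys) {
        $props = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
        if ($null -eq $props) { continue }
        # LoadAppInit_DLLs = 1 makes every process that loads user32.dll also load
        # the DLLs named in AppInit_DLLs; a missing value reads as 0 here.
        $enabled = [int]$props.LoadAppInit_DLLs
        $dlls    = ([string]$props.AppInit_DLLs).Trim()
        # On a workstation baseline AppInit_DLLs is normally empty (assumption);
        # any populated list with loading enabled deserves review, and a
        # 7-lowercase-letter DLL under a Mozilla folder is the recorded shape.
        [pscustomobject]@{
            Key                  = $k
            LoadAppInit_DLLs     = $enabled
            AppInit_DLLs         = $dlls
            NeedsReview          = ($enabled -eq 1 -and $dlls -ne '')
            MatchesRedirectShape = ($dlls -cmatch '\\Mozilla\\[a-z]{7}\.dll')
        }
    }
}

function Find-RedirectDroppedFiles {
    $mozillaDir = Join-Path $env:ALLUSERSPROFILE 'Mozilla'
    $tasksDir   = Join-Path $env:WINDIR 'Tasks'
    $hits = @()
    if (Test-Path $mozillaDir) {
        # %AllUsersProfile%\Mozilla\[a-z]{7}.exe and .dll are the recorded drop locations.
        $hits += @(Get-ChildItem -Path $mozillaDir -File -ErrorAction SilentlyContinue |
                   Where-Object { $_.Name -cmatch '^[a-z]{7}\.(exe|dll)$' })
    }
    if (Test-Path $tasksDir) {
        # Legacy .job files in %WinDir%\Tasks; a 7-letter lowercase name is the recorded shape.
        $hits += @(Get-ChildItem -Path $tasksDir -File -Filter '*.job' -ErrorAction SilentlyContinue |
                   Where-Object { $_.Name -cmatch '^[a-z]{7}\.job$' })
    }
    $hits | Select-Object FullName, Length, LastWriteTime
}

Get-AppInitStatus         | Format-List
Find-RedirectDroppedFiles | Format-Table -AutoSize
```

`NeedsReview` is deliberately broader than `MatchesRedirectShape`: a few legitimate products do register AppInit DLLs, so the first flag is a triage queue and the second is the match to this sample. Any hit should be followed by hashing the named DLL and comparing it against the file hashes below.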
File Hashes
- 0157b9f5e0501add8d176834aafba15648e4b432de286e23d23ffc34b1b1a2d2
- 01afd34cc1f81a4c5ecff3d4ce643b2b39cf376380d9779238bf9120f9ac811f
- 05b24fa3ee65b437d746d2e23bd6bd4cfb5ec24250f596a62a4bad34529e93d9
- 0751263bbd732b7518aa95136109a83cb697a1ac371e09a882a74445ddda1042
- 091fd8707f15a0194bce66dbfa28c3fbf62f1cc9d6067eb3d5bccba8d81132ad
- 0d0ba24dd2a1bf194157e15ae140eee4f92f23d21d4c27389717a184ee287196
- 2b8b26419a14f51f780ca90e31fc5ec3f457cb401c01c26347b54a1997021be1
- 2e4b1bec4c938ffb316fccf7f6082e724e8e4f862b28f2c7efc54afe53b2808a
- 315a74f15b2d7f7fd827ee320546d318634937e7f5631e5052fce18ae7ef98f5
- 31623af9a40dc03495446986c6b28069cf029c49ba8955ab2e5d71fd3193bf85
- 352fcef98bb1490fe51b5137c52e96dddc0ca040ab6f07d0c9e73a16d79e3f4c
- 4efb833c35236afb69a970a05045d8ca90d5c49ff062d08dfb6b99476cb7434e
- 5423b85ca897c8134b7d4d80638def37af93893dbc64945541dde9639d78dd80
- 58329fa8743b69f32cdf7b720bef4e0003ff4dd131aa233056bc57015c70cc19
- 58d7fe0fff3b01713c0b7ea19222dd8dcaf3b69f7a2f5f9e8790dd458211b695
- 5d85217a675866ed1eb04268e303ea1ef81a85205515cb30c24f0eac41cfc0a1
- 5ef756e9d441a8641d084156908fff471ca395baf378bb4bf05eb95a15a9410b
- 61f67c90b8a12eaa29ec1bb4510d81325336db8d93969bf0198e71f16e0965c9
- 6782a7d484c51abb172274b18c459566e1852c37a8aabc5a123b8f5853111f44
- 88f36546fa348840d6126d4e15b0a6e0829ab967d8d18dc2ae15777c27febb27
- 8ea8e2549758741ab0af003be402b5ea2d26f1fb50ddbbf7c57458585b9de81f
- 999ea3ebb13a2d9bbc95cb21d26ab4efdd67cb6698931fee5eaecbd9f13b6dc3
- aa14043425bae6e1c749787312d305755598996cba2bd0abc7a75cf82b6c37e9
- c181bff4a62c59f1eecfef310af404a2af4c1362a42346aa2e8ea0b9f2066fbb
- c2e993a677086536ea345e61d858c43108134d374d069f33c5cf30105770c3eb
- cda72c562a8a5f48718246a37c0ae695dcbe2e56ef72e60be375472160d853fe
- d87ca352d2a5ecd6245f3762d93d541a9f82633eea7a7214f7384341c82d9eec
- e990487d605cc847d47e50ad1ecb8fd2c970364500e7f2c221ca0987695d4e9d
- f1eff0a071c51ffb44d7a3f4cef90295537e478b9340b4a0b62f143bfbbfe51b
- fbac04e0fc2a3419a0bf039b1576fb9ef60b05ac33c7d665834b7cc167240187
Coverage
Detection Engines
AMP
ThreatGrid
Win.Trojan.Zusy-6041926-0
Registry keys created
- HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains
  - Value name: 82.146.51.22
  - Value data: 2
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
  - Value name: Run
  - Value data: C:\WINDOWS\system32\[a-z]{10}.exe
Registry keys modified
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}
  - Value name: InprocServer32
  - Old Value: -
  - New Value: C:\WINDOWS\system32\rasmsinfo.ocx
Mutex Created
- \BaseNamedObjects\Global\48C56927-A0DB-4e31-8C32-FE15FBA45043
Files Created
- %SystemRoot%\system32\[a-z]{9,11}.exe
- %SystemRoot%\system32\[a-z]{9}.ocx
- %SystemRoot%\system32\[a-z]{10}.exe
- %SystemRoot%\system32\[a-z]{8,10}.exe
IP Addresses
- 82.146.51.22
Domain Names
- N/A
File Hashes
- 83bf2d946bd908ed4124e3c76d508417787d29eb3e6484ac9a61107fe1129efc
- 964274d292c878104f7b6a2ccc35c8a35ea8b496e79d6ddf392453946529f290
- 888c2c6befdd20ba72ddc576c3f27d9ac8882f33a655038118793bb69634097f
- 843fe9e8d238075202cd992fbcd17a23ca0ebcdd653c2ec1fa6768a1112e5046
- 7331d0341ba1f67f29a17877a9bf87e5b18b0195d50e5744b425aa5a717f3497
- 6f3f86b269dfb5636504496cfbb462035f420f82dbe23aa95bc215b0f93c3a30
- b23045f4d9ad9acf9f1810405abb210a47677bde09673b48fbab1d2102fa2629
- 5dc9c97d3a6c7ae4b858b369be84f919f6faef85dd1a056e14cde82b75b3704d
- 34bfec38efca8a19bda8ceb41b1c1040f1a584a16a84b8ce26452808360bf2a1
- 0a6a6797aa917c1b7a9be0389d12d657e6daad9e5e0151af6749889eae11e2e6
- 40553547c962ee0e371590f0160db0482c5bf258fe19bfda81966f1f3fde9a4a
- ed67ad6376f4442b5038844e5f60a3d59cd44f6af1ea541710e76ceda883007c
- e9a5416820dfbb7b87d5ceaa605d7143ee440b5fa3a289bdaff119cb3860c38b
- 2aa410e52a115afaf45727f6235ed3b6b3524e8cb8d6d6e3836949d7a745a8f9
- c4e987a2bd7e9242036a8b19655b030fb3a0fbf81e42e9244fb4b9cfe705628f
- 74708757309b68d06538453d45345fa5507fb9f44e606aceae552e931eea06e5
- f8feec18be72e255f1cd9a461488b3e6c79074255128b165fc3009bcb61b75f9
- 5ed33d729bf23640a61fba70fb7a8a92046c03d08e37eb8ee9ef6676e4a4a6e8
- bef10f8119969479dd93ed0d2c85d0c0666fc055a035b0ddff465afc4a056052
Coverage
Detection Engines
AMP
ThreatGrid
Win.Trojan.PasswordStealer
Registry keys created
- N/A
Registry keys modified
- N/A
Mutex Created
- \BaseNamedObjects\7CE2238E2413B3A0994E3BB6
Files Created
- %APPDATA%\Mozilla\Firefox\profiles.ini
- %APPDATA%\Google\Chrome\User Data\Default\Login Data
- %APPDATA%\FileZilla\filezilla.xml
- %APPDATA%\FileZilla\sitemanager.xml
- %APPDATA%\E2413B\B3A099.lck
IP Addresses
- 192.187.114.68
Domain Names
- dohneycompanies.com
File Hashes
- 3d784e22b5d6e13bc87f3c4dccb92167f483544d383b71198d42f1c06b9a3841
- 31852579d4c812bfb3d7c15cb4b37d92a36186b5e1429bc86a0b4857e0f73d38
- bd62403e4b5122dff9d3f12ab4d22455f503fc42f30d816b82d0fe490b466593
Coverage
Detection Engines
AMP
ThreatGrid
Umbrella
Doc.Macro.ObfuscatedObj-6059281-0
Registry keys created
- N/A
Registry keys modified
- N/A
Mutex Created
- N/A
Files Created
- C:\Users\Administrator\AppData\Local\Temp\scan.exe
IP Addresses
- N/A
Domain Names
- denyalfi.com
File Hashes
- 01f9d4276b16af80bb29dd195d343e1844062f0d86115ec5ace3234cd510b403
- 35be7051a7ca2d7839e7012459a8a94d581e2f0bab10ac400fc9a7ef66a93b44
- 71715f32e3cb54756b39716f8dd33c503eabbb054f4a4e82d5e2b9a9b96ed46f
- a69f4d4eddbd656a6ae061cc001ae245db87eced67015365cca1834179845290
- a78ce0fcb12237b7644257df79105baf39c98b9cb7c545e56c3c7727bac6556f
- d58ef1349fe97173a93d136e4fcb7417606ff7f6a40775553a718c9f631f44b2
- d97dc0515c2067049e1a01094c5b1017ddf7b011f0995be4bec894621c9d338f
- f54a9ac86a9d2b59d99f1e6ff4bfb0d0386efdef8b44b8702576680ca7b0feb8
Coverage
Detection Engines
ThreatGrid
Umbrella