Friday, August 24, 2018

Threat Roundup for August 17-24


Today, as we do every week, Talos is giving you a glimpse into the most prevalent threats we’ve observed this week — covering the dates between Aug. 17 and 24. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, we will summarize the threats we’ve observed by highlighting key behavioral characteristics and indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and is current as of the date of publication. Detection and coverage for the following threats are subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

The most prevalent threats highlighted in this roundup are:

  • Win.Dropper.Delf-6652911-0
    Dropper
    This family is generic malware that is generally the first step of a deeper infection. Once the payload is executed on the machine, it downloads and runs new binaries. The malware is interested in credentials and focuses its attention on well-known applications such as Outlook, Thunderbird and Firefox, among others.

  • Win.Malware.Generic-6652641-0
    Malware
    These samples are generic trojans that establish persistence using the autorun key, contact a command and control (C2) server, and try to steal information from the infected host.

  • Win.Dropper.Generickdz-6652226-0
    Dropper
    This family is generic malware that is generally the first step of a deeper infection. Once the payload is executed on the machine, it downloads and runs new binaries, such as GandCrab.

  • Win.Dropper.Ponystealer-6652151-0
    Dropper
    This malware is a dropper for PonyStealer, a bot that attempts to steal passwords from web browsers, email clients, instant messaging applications, and other software.

  • Win.Dropper.Zbot-6651705-0
    Dropper
    Zeus (aka Zbot) is a trojan horse malware package used to carry out many malicious tasks. It is often used to steal banking information by man-in-the-browser keystroke logging and form grabbing.

  • PUA.Win.Adware.Ibryte-6651661-0
    Adware
    Ibryte appears to be a dropper for adware. After installation it reaches out to download adware and prompts the user to install it, including anti-virus programs and media players.

  • Win.Dropper.Razy-6651608-0
    Dropper
    Razy is often a generic detection name for a Windows trojan. Although more recent cases have found it attributed to ransomware that uses the .razy file extension when writing encrypted files to disk, these samples are the former case. They collect sensitive information from the infected host, format and encrypt the data, and send it to a C2 server.

  • Win.Dropper.Cloud-6651616-0
    Dropper
    The initial binary contains an obfuscated AutoIt script. The script creates several in-memory DLL structures with AutoIt's DllStructCreate and DllStructSetData, then executes the shellcode it has injected into these structures.

  • PUA.Win.Adware.Dotdo-6651541-0
    Adware
    This adware sets up a proxy to deliver advertisements to the machine's browser. In some variants, the adware also prevents security software from being downloaded to hinder its removal.

  • Win.Dropper.Fareit-6651429-0
    Dropper
    Fareit is malware designed to steal sensitive information, such as stored login information. You can read more about it on our blog.

Threats

Win.Dropper.Delf-6652911-0


Indicators of Compromise


Registry Keys
  • N/A
Mutexes
  • 3749282D282E1E80C56CAE5A
IP Addresses
  • 216[.]146[.]43[.]71
  • 103[.]63[.]2[.]227
Domain Names
  • checkip[.]dyndns[.]org
  • ajmanz[.]gq
Files and or directories created
  • %LocalAppData%\Temp\P8g.exe
  • %LocalAppData%\Temp\-1260536341.bat
File Hashes

Coverage

Screenshots of Detection: AMP, ThreatGrid, Umbrella

Win.Malware.Generic-6652641-0


Indicators of Compromise


Registry Keys
  • <HKCU>\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
  • <HKCU>\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2
  • <HKLM>\SOFTWARE\Wow6432Node\Mozilla\Mozilla Firefox\
  • <HKLM>\SOFTWARE\Wow6432Node\Mozilla\Mozilla Thunderbird\
Mutexes
  • 91RB0O61SEBW01Fz
  • O51OB0RQTC73272z
IP Addresses
Domain Names
Files and or directories created
  • %AppData%\O51OB0RQ\O51log.ini
  • %AppData%\O51OB0RQ\O51logim.jpeg
  • %AppData%\O51OB0RQ\O51logrv.ini
File Hashes

Coverage

Screenshots of Detection: AMP, ThreatGrid, Umbrella

Win.Dropper.Generickdz-6652226-0


Indicators of Compromise


Registry Keys
  • <HKLM>\SYSTEM\CurrentControlSet\Services\VSS\Diag\Shadow Copy Optimization Writer
  • <HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    • Value Name: 2951328147.exe
Mutexes
  • N/A
IP Addresses
Domain Names
Files and or directories created
  • \$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$I9DT02V.lnk.id-98B68E3C.[backmydata@cock.li].bip
  • %UserProfile%\Desktop\KRAB-DECRYPT.txt
File Hashes

Coverage

Screenshots of Detection: AMP, ThreatGrid, Umbrella

Win.Dropper.Ponystealer-6652151-0


Indicators of Compromise


Registry Keys
  • <HKCU>\Software\Microsoft\Windows\CurrentVersion\RunOnce
Mutexes
  • N/A
IP Addresses
  • 45[.]76[.]142[.]81
Domain Names
  • salako[.]net
Files and or directories created
  • %LocalAppData%\Temp\Xazern\xauzcer.exe
  • %LocalAppData%\Temp\Xazern\xauzcer.vbs
File Hashes

Coverage

Screenshots of Detection: AMP, ThreatGrid, Umbrella

Win.Dropper.Zbot-6651705-0


Indicators of Compromise


Registry Keys
  • <HKCU>\Software\Microsoft\Windows\CurrentVersion\Run
  • <HKCU>\SOFTWARE\MICROSOFT\Loxu
Mutexes
  • {8EEEA37C-5CEF-11DD-9810-2A4256D89593}
IP Addresses
  • N/A
Domain Names
  • www[.]crossatlantictrades[.]info
Files and or directories created
  • %AppData%\Zyiv\opxoh.uzo
  • %AppData%\Ihvywo\ratib.exe
  • %LocalAppData%\Temp\tmpb488b983.bat
File Hashes

Coverage

Screenshots of Detection: AMP, ThreatGrid, Umbrella

PUA.Win.Adware.Ibryte-6651661-0


Indicators of Compromise


Registry Keys
  • <HKCU>\SOFTWARE\MICROSOFT\RAS AUTODIAL\Default
Mutexes
  • N/A
IP Addresses
  • 204[.]11[.]56[.]48
  • 185[.]53[.]179[.]7
Domain Names
  • imp[.]fusioninstall[.]com
  • downloadfastfree[.]com
  • install[.]oinstaller2[.]com
  • secure[.]oinstaller6[.]com
Files and or directories created
  • %LocalAppData%\Temp\nsy34B9.tmp\image.png
  • %LocalAppData%\Temp\nsy34B9.tmp\nsisdl.dll
File Hashes

Coverage

Screenshots of Detection: AMP, ThreatGrid, Umbrella

Win.Dropper.Razy-6651608-0


Indicators of Compromise


Registry Keys
  • <HKLM>\Software\Wow6432Node\Microsoft\Tracing\RASAPI32
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    • Value Name: Windows Update
Mutexes
  • N/A
IP Addresses
Domain Names
  • whatismyipaddress[.]com
  • smtp[.]yandex[.]com
  • ns7[.]hadara[.]ps
  • smtp[.]zoho[.]com
Files and or directories created
  • %AppData%\pid.txt
  • %AppData%\pidloc.txt
  • %LocalAppData%\Temp\holdermail.txt
  • %LocalAppData%\Temp\bhvDCAA.tmp
  • %LocalAppData%\Temp\holderwb.txt
  • %AppData%\WindowsUpdate.exe
File Hashes

Coverage

Screenshots of Detection: AMP, ThreatGrid, Umbrella

Win.Dropper.Cloud-6651616-0


Indicators of Compromise


Registry Keys
  • N/A
Mutexes
  • DENEK
IP Addresses
  • 204[.]95[.]99[.]176
Domain Names
  • spectrun2008[.]no-ip[.]org
  • joaosgk03[.]sytes[.]net
Files and or directories created
  • %LocalAppData%\Temp\Pa7Y5giSl017
  • %LocalAppData%\Temp\aut6F2A.tmp
File Hashes

Coverage

Screenshots of Detection: AMP, ThreatGrid, Umbrella

PUA.Win.Adware.Dotdo-6651541-0


Indicators of Compromise


Registry Keys
  • <HKLM>\Software\Microsoft\Tracing\po3v5cyhl_RASAPI32
  • <HKLM>\Software\Microsoft\Tracing\po3v5cyhl_RASMANCS
  • <HKLM>\Software\Microsoft\Tracing\3v5cyhl_RASMANCS
Mutexes
  • N/A
IP Addresses
  • 198[.]54[.]117[.]200
  • 52[.]205[.]106[.]49
  • 34[.]202[.]10[.]177
Domain Names
  • www[.]lubricantshaffey[.]win
  • s841[.]datarating[.]com
Files and or directories created
  • %LocalAppData%\Temp\nsnBDF8.tmp\sph9d7jl1.exe
  • %LocalAppData%\Temp\nsnBDF8.tmp\extss.txt
  • %LocalAppData%\Temp\nsnBDF8.tmp\po3v5cyhl.exe
  • %LocalAppData%\Temp\nsnBDF8.tmp\dsph9d7jl1.exe
File Hashes

Coverage

Screenshots of Detection: AMP, ThreatGrid, Umbrella

Win.Dropper.Fareit-6651429-0


Indicators of Compromise


Registry Keys
  • N/A
Mutexes
  • NMYQsgquQO
IP Addresses
Domain Names
  • myexternalip[.]com
Files and or directories created
  • %AppData%\tor\lock
  • %AppData%\Microsoft\Windows\Start Menu\Programs\Startup\cc.exe.vbs
  • %AppData%\tor\cached-microdescs.new
  • %AppData%\tor\unverified-microdesc-consensus
File Hashes

Coverage

Screenshots of Detection: AMP, ThreatGrid
