Saturday, September 22, 2018

Threat Roundup for September 14 to September 21


Today, as we do every week, Talos is giving you a glimpse into the most prevalent threats we’ve observed this week — covering the dates between Sept. 14 and 21. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, we will summarize the threats we’ve observed by highlighting key behavioral characteristics and indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

The most prevalent threats highlighted in this roundup are:

  • Win.Dropper.Genkryptik-6690044-0
    Dropper
    This threat attempts to spread via removable drives (dropping Sys.exe and an autorun.inf to the drive root) and via spam email. It sends that spam from its victims through legitimate SMTP servers, so the mail domain listed in its indicators is an abused public service rather than attacker infrastructure; block on the dropped files and hashes, not the provider.
     
  • Win.Dropper.Dofoil-6689818-0
    Dropper
    Dofoil, also known as SmokeLoader, is primarily used to download and execute additional malware. It persists through a Run key value named internat.exe. Read more about this threat on our blog.
     
  • Doc.Malware.Nastjencro-6688356-0
    Malware
    Nastjencro is a malicious document that uses PowerShell (a dropped .bat and .ps1 in the user's Temp directory) to download and execute additional malware.
     
  • Win.Dropper.Kovter-6689163-0
    Dropper
    Kovter uses mshta and PowerShell to minimize its presence on the victim's hard drive. It uses the registry to execute a malicious script any time a file with a specific, invented file extension is opened (e.g. *.clUQwv): a Run value points at a file with that extension, and the extension's handler under HKCR launches the script host. The Run value names begin with a null byte (shown as \x00 below), which keeps regedit from displaying them correctly.
     
  • Win.Dropper.Coinminer-6688928-0
    Dropper
    This malware installs and executes cryptocurrency mining software, registering it as a Windows service and connecting to a public Monero mining pool. You can read more about this kind of threat on our blog.
     
  • Win.Dropper.Fareit-6688124-0
    Dropper
    The Fareit trojan is primarily an information stealer with the ability to download and install other malware.
     
  • Doc.Downloader.Pederr-6686124-0
    Downloader
    Pederr uses malicious PowerShell scripts to download and execute a malicious executable. It has been seen installing banking malware such as Emotet.
     

Threats

Win.Dropper.Genkryptik-6690044-0


Indicators of Compromise


Registry Keys
  • N/A
Mutexes
  • N/A
IP Addresses
  • N/A
Domain Names
  • smtp[.]yandex[.]com
Files and or directories created
  • %AppData%\Windows Update.exe
  • \??\E:\Sys.exe
  • \??\E:\autorun.inf
File Hashes
  • 0b6d3eb6dba7730fdfcaf892eb153c1cf9762419eaf0a29689ec929cc7e57aff
  • 27b205b99c01b6ef21c8ee0df5dce9a970790d61b48da3d6a8be8c8845289db5
  • 3069631a8410decb34e6210a8fc4b36de03d1635baac8655035365076a3613e4
  • 3b6ec2629747f8ddb0b244a686f29f7001b030f0ba86ab7b76961bfff0f6c151
  • 3ccba4f06849edeefe60f8a25f4752f89b9ccf8ca62378f7e6108980b244ac2c
  • 3e2a97b7d366e255fcfd2f470da800e9e5aae08a3c1d75916870f8e42ad6160a
  • 492064ef6226b2b174046c07987dfe09afcd9e2f3f69f80bb109dd8b151ea49d
  • 4b50bda6c3fe41f6c930ec701d851781e1664b720e6fc65ab2fbb6c28916f24b
  • 5325cf98bf3080c9846aba8bc76d5cb49de5ac4cf10e337e12a1945cc9a4763d
  • 5a0a5181cf8be2be6fda2be77eca48030d64ad6f737f4c911eba52219537b746
  • 5f7c12cefe681ce32304c1944da6a14e47de36d83ecb47101873d8702f041b76
  • 656a97b7d3481ebf79887b691637f45ec54c494832f5b83774f35dc2c8d8bba2
  • 714f0773cd6a55310527aa10eba1905284c42ace7a5cc063443fd8a00c9868fb
  • 73efa5fd117d51ffd6d2f51e0a946ed3455ad29334f5899b39ff338d0b72edf8
  • 825f8902a8a8ae4852ff5c2351efbc83140203473b2d90eb8526c9b8eb88faca
  • 896e7407427fdb945e2f09b65095d80c79cae041db31a16bcd5979668bcd14ec
  • 8a6fe46554f345d8e5001bff5b8147edb2570fab335bfef28d9f5cff661d6e2c
  • 8eef0b06ac1bc9445e752d851dd2ed905494df8741ae22cc3acee2af1d2ef36f
  • 9cbe3c887a94b6a4fb47f3ec3d1e329cb90b291c39f14179337c52eb3a6228a0
  • 9fb4cd041ff2bb0cbbf2e62f3633aadcbf9513ff12a449a9db8c69aee048c387
  • a52367db8f3e58f122222d22b62072ad827389760e6cf179382b29e5d5478152
  • a80cb2444eaa865fc268874e90ab7af658335159e6c6d0ffd939662f9f7b82e6
  • af8e4c150fe96ee59d7a9ef0dc5d97624fa94bc4dd6a6bcb947b7c5820b9f47b
  • b906ab1e3606cd64670fa1ad6c308a63f10b6d71d1758f3f58cf72947ce4d836
  • c9a8eefdca421af7871d7dd3bccbb56a64fc1b7c0721260286a5c5e4d3c0ef67

Coverage

Detected by: AMP, ThreatGrid, Umbrella (screenshots of detection not reproduced)
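The IOC sections in this roundup follow a fixed layout: a family header, one heading per indicator type, "•" bullets, "N/A" for empty sections, indented "Value Name:" bullets under registry keys, and "[.]" defanging in addresses. The parser below is an added example written for this page, not Talos tooling; it turns a pasted section into refanged (family, type, value) triples that can be exported to a blocklist or SIEM. The SAMPLE excerpt is constructed in the page's layout from the Kovter entry further down, including the repeated IP that entry lists.

```python
"""Parse the IOC sections of a Talos Threat Roundup post into structured,
refanged indicators. Added example; it expects the layout used on this page
(family header, one heading per indicator type, "•" bullets, "N/A" for empty
sections, "Coverage" ending the block)."""
import ipaddress
import re
from typing import List, Tuple

FAMILY_RE = re.compile(r"^[A-Za-z]+\.[A-Za-z]+\.[A-Za-z0-9]+-\d+-\d+$")

# Section heading -> indicator type, exactly as the headings appear on the page.
SECTION_TYPES = {
    "Registry Keys": "registry",
    "Mutexes": "mutex",
    "IP Addresses": "ip",
    "Domain Names": "domain",
    "Files and or directories created": "file",
    "File Hashes": "sha256",
}

Ioc = Tuple[str, str, str]  # (family, type, value)


def refang(value: str) -> str:
    """Undo the defanging used in the post ("[.]" for ".", and the common "hxxp")."""
    return value.replace("[.]", ".").replace("hxxp", "http")


def validate(kind: str, value: str) -> None:
    """Reject values that do not look like the type their section claims."""
    if kind == "ip":
        ipaddress.ip_address(value)  # raises ValueError if not an address
    elif kind == "sha256" and not re.fullmatch(r"[0-9a-f]{64}", value):
        raise ValueError(f"not a SHA-256 hex digest: {value}")


def parse_roundup(text: str) -> List[Ioc]:
    """Return de-duplicated (family, type, value) triples in page order."""
    iocs: List[Ioc] = []
    family = kind = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if FAMILY_RE.match(line):
            family, kind = line, None
            continue
        if line in SECTION_TYPES:
            kind = SECTION_TYPES[line]
            continue
        if line == "Coverage":
            kind = None
            continue
        if family is None or kind is None or not line.startswith("•"):
            continue
        value = line.lstrip("•").strip()
        if value == "N/A":
            continue
        # Indented "Value Name:" bullets belong to the registry key above them.
        if value.startswith("Value Name:") and kind == "registry" and iocs and iocs[-1][1] == "registry":
            key_family, _, key = iocs[-1]
            iocs[-1] = (key_family, "registry", f"{key} -> {value.split(':', 1)[1].strip()}")
            continue
        value = refang(value)
        validate(kind, value)
        entry = (family, kind, value)
        if entry not in iocs:  # the page repeats some IPs; keep one copy
            iocs.append(entry)
    return iocs


def by_type(iocs: List[Ioc], kind: str) -> List[str]:
    """Unique values of one indicator type, sorted, e.g. for a blocklist export."""
    return sorted({v for _, k, v in iocs if k == kind})


# Constructed excerpt in the page's layout (values taken from the Kovter entry).
SAMPLE = r"""
Win.Dropper.Kovter-6689163-0

Indicators of Compromise

Registry Keys
  • <HKCR>\.CLUQWV
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    • Value Name: \x0070f54730
Mutexes
  • N/A
IP Addresses
  • 98[.]228[.]140[.]122
  • 98[.]228[.]140[.]122
  • 99[.]78[.]177[.]117
Domain Names
  • find-dentalimplants[.]com
Files and or directories created
  • %LocalAppData%\ejybag\i3f1uvT.clUQwv
File Hashes
  • 03b8ab67bdd073132062dbd0f2583168a2d8a0f7ac5b91723d6b1258764ea64f

Coverage
"""

if __name__ == "__main__":
    for family, kind, value in parse_roundup(SAMPLE):
        print(f"{family}\t{kind}\t{value}")
```

Paste a whole roundup into `parse_roundup` and every threat's indicators come back tagged with its family; the validation step catches the usual copy-paste damage (a truncated hash, an address that did not refang cleanly) before anything reaches a blocklist.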

Win.Dropper.Dofoil-6689818-0


Indicators of Compromise


Registry Keys
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    • Value Name: internat.exe
Mutexes
  • N/A
IP Addresses
  • 99[.]12[.]215[.]168
  • 98[.]217[.]41[.]219
  • 99[.]152[.]6[.]105
  • 98[.]66[.]233[.]28
Domain Names
  • N/A
Files and or directories created
  • N/A
File Hashes
  • 09b128c59e326c83d4c51cab9cbdd5be2e94dbfb6f10ec8c6a2624e209c72e48
  • 0c2b53607f9a654193bd746068de1ddf9d5bf6b7bc6f3971f72fae2f3ff9a285
  • 16153bfbe50ea0565dcdf55151483f47dda327a367883a26848e2a5d89205aae
  • 17b672d424c62eeebf742068e1c1e38404d2ec0d28349265ee14b546aa6adbb7
  • 21785834f2d808fa9c19956b9c4f24ddc22730e69ca4c781cc006541a4807e5d
  • 23edd474e7fbdb77e2125cc41c70d79959b8ebc764108a230dbfa2843f6993ba
  • 2664dd574bb2115864e4d9ca72f8ad0acf53bfc6b02697795ad980c05e2d4127
  • 27c1d0d72d43e3af324ce52ccdceae142f404f7636862654a8e9da9890de4099
  • 29e59373e62a2c41003cf065865b07f847003467f70dc50d67a6c8592dd4303c
  • 31609ceba86711fe540c4aa7beca78dba4c0f72f41c15251fe98fb9b6d099b01
  • 394a644677da56ac14dbc5b3c72db0f60f77158ead598f3dc9af3564a326f7a1
  • 3e72c6843feadb36dadf0e34551762164a1f24554584c9cca7e1629d6b8f027e
  • 3fc9444d1ee0fa180d761646db3828b1e5f97e2db46a4fc613ee4bc9eb1211c7
  • 41f3fc180ba3c26cf716adff8ae07a9d509d621390d4733cf4b4d8b68f0ec49e
  • 475fec4512fa00322e723ba1a687a01ffe9c64532f6d8d9899d2c8ffbe0a3088
  • 4d905057797bdddd0f17bc62bbd051bb34c08a095e563fb56c30ab08c67398e2
  • 578e81265a2a78e97cb088b34c45f78c1a75ad1515b0a4720592bd4b061d3f0f
  • 5cb179313e277a4d50a637f69d1277fdb63d3b713d3df37c0f7289814d4f04ca
  • 5f3d2fbdaead02e440ad43475cc6411e08738495129eb83c8897cca10379d180
  • 60d91c1223b66c03b82223ac156437e1d299d51a9cb5e6c0e8b4eb8f383d1982
  • 6bd7d37e7dc72a6681c97abf4e315e780325de849159ac9bcd44174b79048d82
  • 6c6afd4ee02aab0050696b157e6db5b14b5a94c84b10c6475e34b0a544668e72
  • 7209b1b807534e03c3ca7fc12df9b74b5cbebc66f834eef37a22b1764476acbb
  • 73b5f2e591f089008a0b2711adc80e38b83f759d4d2e576bc742ea10734466fb
  • 74b13ba6c7a4e340386826c97b1cb5492e7b2f8b662e4e01b643c817d9866c2c

Coverage

Detected by: AMP, ThreatGrid (screenshots of detection not reproduced)

Doc.Malware.Nastjencro-6688356-0


Indicators of Compromise


Registry Keys
  • N/A
Mutexes
  • N/A
IP Addresses
  • 185[.]159[.]130[.]242
  • 185[.]228[.]232[.]143
Domain Names
  • N/A
Files and or directories created
  • %LocalAppData%\Temp\qqqqqqqqq_qqqqq_qqqqqq_qqqqqqq74.exe
  • %LocalAppData%\Temp\handler.bat
  • %LocalAppData%\Temp\j55xmasb.5xy.ps1
File Hashes
  • 0064cc856676d9530b8a8ef988ebf0f0e85941eeb03e92d048bdb61cfd221044
  • 0386cc5236fb5503511727f90f74b5eef0568ca375acbd34b8cef4a873503f50
  • 05d309d7f97a3fb941eecff000a4e552c92765075aa3bfd462c17bea3898d208
  • 05de2abe6e7cbcbd01d9be985eae7fcf874ecbb1479abf6d48ce5ae9f84a8824
  • 07d9423510851c706ae4a8a5f7732e649aa9a9b1bbc2616cffcb6d3c6a49323a
  • 08a032433b81c351cf503ba89954fd93c7b9414d6f63d0253302a23e94ed4f5d
  • 08d284ffcfa51ffc67b769213b211c22390475f614a715e9eec6a494be4eb7ad
  • 0a08e09efa13b5337d6b64b7b7cff355e5ca5eaafc35a50acf0b5032b17c25a3
  • 0a4712cb76c18cf69d9d18d6ba2f3e36a7a8e57ecdb55e588751618e38f999f9
  • 0e177a278f491afa651957dc5df685bb5204e23b46850efa4873cd36a8b0ce9d
  • 0ebde3a80d2d1d0bbe20fab28afb4a956afd685adf750da27122b0a619d2d299
  • 13674ec6f804aad27306cb7100c09630d097fee38f8033fa5b65ffa156d4d9e4
  • 14798d7f311744799d24804d03214f816d553739c90629de1c484f04fc4cda01
  • 17c28bdbd648b237b705687564612a5844ae2898c3b2f8d7af7d244bdc21afba
  • 18b76a5575b1d7dea98eca66d48057e0855c55aa9b6766b2cc0a61b30de55fdf
  • 18bdc01b7d8eb340255dc17d761ae5f444587df4262cbe936cce1a0a0bbf3869
  • 18e3faccf8f62cd05f0b396c2af7501975d0710d2d16318bc65f1e8f6f3654f1
  • 1badce6bf66a310c2deebd61e4d168e11ccf6a045f3b5a4621abced338c6ad0a
  • 1c02f4358e2564f843ba59fa93787f9250e028e7f6bbddd2d5bb8ef56d739347
  • 1ce16aea648c94342a24cab22c33228d0d951fd4e478791ed61d02a511e6f8e6
  • 1f36192c1b9e670836c411bc2bf855ecdb1d5a6eff5052fa9f65251dde011e85
  • 21797bc7f67e06f1e3bb6d63a6e471121ae2ba5227219cd8d7518c39038e892d
  • 247386e46a27fe5a805201d0d8a7547701b344533be725dbaf52c814d9c698a1
  • 24ae782268b91d62055e9b7b39a57cd99707c03de5df953a598c457f998a1a31
  • 24f23bf843af4a7af0bf10aac5763c5d54dedfc0f97caefced30d911cae334df

Coverage

Detected by: AMP, ThreatGrid (screenshots of detection not reproduced)


Win.Dropper.Kovter-6689163-0


Indicators of Compromise


Registry Keys
  • <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    • Value Name: \x008567f942
  • <HKCR>\DR2V\SHELL\OPEN\COMMAND
  • <HKCR>\.CLUQWV
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    • Value Name: \x0070f54730
Mutexes
  • N/A
IP Addresses
  • 98[.]228[.]140[.]122
  • 98[.]228[.]140[.]122
  • 99[.]78[.]177[.]117
Domain Names
  • find-dentalimplants[.]com
Files and or directories created
  • %LocalAppData%\ejybag\i3f1uvT.clUQwv
  • %LocalAppData%\Temp\y4os1u24.vgj.ps1
File Hashes
  • 03b8ab67bdd073132062dbd0f2583168a2d8a0f7ac5b91723d6b1258764ea64f
  • 0a6d5badc010d69326d9761b09b572cc80a309538e28d5fd9cac5c86a57bbc28
  • 11fa307845aee1ddfedcfe32a79e4e0bc2316c0997a06e46e07604ac99b63f79
  • 266fa02dda9470019421609062197911910f0501731b9b9eebddc5a14d9915ec
  • 594c3cb58030b08b5d444a91de2c470d23424a35dd46269939c49cf0a81613e1
  • 61fb82e5b7db8ab7d7bbdafa8a4a908a365c2c33a14f57fab7675997dea4ba20
  • 770f1ef50284455627ce75f2dc169cb8826948201656cab957108120832b01cf
  • 86d45d0596a37611f88855c879e0be52a3732f233b86c4370a592806481ab1aa
  • 8d06806978eb998acef0904676f1e0664fbf5ceec468eb157981f4b3937e865c
  • a0440a5d2e393efec2fb8f257671622b202c726dc8f76682c02db915e1d7318d
  • ba952b2c15317cda9fabfd4928c99a33d45c9e674a0a9f6bb045353021b45624
  • e507665160772d9c8d22a2564bad14a5d4126972a3168145dbe2d30f46d4f84f
  • ef502a248c1a09734b05842f98053d2e184d4f02cd75318eba97fa00af001ecd

Coverage

Detected by: AMP, ThreatGrid (screenshots of detection not reproduced)
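Kovter's persistence chain is visible entirely in the registry keys listed above: a Run value points at a file with an invented extension (.clUQwv), HKCR\.clUQwv maps that extension to a ProgID (DR2V), and that ProgID's shell\open\command launches a script host instead of a real application. The Python below is an added example, not Talos tooling: it parses `reg export` output and flags Run entries whose target extension resolves to a handler that invokes mshta, PowerShell or a similar host. SAMPLE_REG is constructed from the key names on this page; the mshta argument is a placeholder, the value name is shown without the null-byte prefix the real sample uses, and the .exe handler is included as a benign control.

```python
"""Flag Kovter-style persistence: a Run value whose target has an unusual file
extension, where that extension's HKCR ProgID handler launches a script host.
Added example operating on `reg export` text; the sample is constructed from
the key names in this page's Kovter entry (placeholder command, no null-byte
prefix on the value name)."""
import ntpath
import re
from dataclasses import dataclass
from typing import Dict, List

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')
RUN_KEY_RE = re.compile(r"\\currentversion\\run(once)?$")
SCRIPT_HOST_RE = re.compile(
    r"\b(mshta|powershell|pwsh|wscript|cscript|rundll32|regsvr32)(\.exe)?\b", re.I)


def _unescape(s: str) -> str:
    """Resolve the \\ and \" escapes used inside .reg string literals."""
    return re.sub(r"\\(.)", r"\1", s)


def _unquote(data: str) -> str:
    """Turn a .reg string literal into its value; hex:/dword: data is left as written."""
    if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
        return _unescape(data[1:-1])
    return data


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Map lower-cased key path -> {value name -> data}; '@' is the default value."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = keys.setdefault(m.group(1).lower(), {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = "@" if m.group(2) else _unescape(m.group(1))
            current[name] = _unquote(m.group(3))
    return keys


@dataclass
class Finding:
    run_key: str
    value_name: str
    target: str
    extension: str
    progid: str
    command: str


def find_extension_handler_persistence(reg_text: str) -> List[Finding]:
    """Run/RunOnce values whose target extension is handled by a script host."""
    keys = parse_reg(reg_text)
    findings: List[Finding] = []
    for key, values in keys.items():
        if not RUN_KEY_RE.search(key):
            continue
        for name, target in values.items():
            ext = ntpath.splitext(target.strip('"'))[1].lower()
            if not ext:
                continue
            progid = keys.get("hkey_classes_root\\" + ext, {}).get("@", "")
            if not progid:
                continue  # no handler registered: nothing to chain through
            handler = "hkey_classes_root\\" + progid.lower() + "\\shell\\open\\command"
            command = keys.get(handler, {}).get("@", "")
            if SCRIPT_HOST_RE.search(command):
                findings.append(Finding(key, name, target, ext, progid, command))
    return findings


# Constructed .reg text using this page's key names; the mshta argument is a placeholder.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.clUQwv]
@="dr2v"

[HKEY_CLASSES_ROOT\dr2v\shell\open\command]
@="\"C:\\Windows\\System32\\mshta.exe\" \"javascript:<placeholder>\""

[HKEY_CLASSES_ROOT\.exe]
@="exefile"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"70f54730"="C:\\Users\\victim\\AppData\\Local\\ejybag\\i3f1uvT.clUQwv"
"Updater"="C:\\Program Files\\Vendor\\updater.exe"
'''

if __name__ == "__main__":
    for f in find_extension_handler_persistence(SAMPLE_REG):
        print(f"{f.run_key}\\{f.value_name} -> {f.target} via {f.extension}={f.progid}: {f.command}")
```

On a suspect host, `reg export HKCR hkcr.reg` and `reg export HKCU hkcu.reg` (plus HKLM, which covers the Wow6432Node Run key in the list above) can be concatenated and fed in. Value names that begin with a null byte, as the ones on this page do, may not be shown correctly by regedit, so if the GUI shows an empty Run key enumerate it through the registry API instead.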

Win.Dropper.Coinminer-6688928-0


Indicators of Compromise


Registry Keys
  • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\ZENUPDATE
    • Value Name: Type
Mutexes
  • N/A
IP Addresses
  • 94[.]130[.]64[.]225
Domain Names
  • xmr[.]pool[.]minergate[.]com
Files and or directories created
  • %LocalAppData%\Temp\RarSFX0\mexas.exe
  • %LocalAppData%\Temp\RarSFX1\Support.exe
  • %LocalAppData%\Temp\RarSFX1\system.exe
  • %WinDir%\Windows\1.exe
  • %WinDir%\Windows\1.vbs
  • %WinDir%\Windows\sistem.bat
  • %WinDir%\Windows\sistem.exe
  • %LocalAppData%\Temp\RarSFX2\3.bat
File Hashes
  • 0231bcbb139118577233fb1f7f656259fbf8333a778f6a08bf4313b399a7eda4
  • 0a4759f4397f7002e27ed2a94413e7f2bd2e93af429a344c05243d180ee9db3f
  • 177a90400bef5873f86edccb9644f7aabad085cfb3956358fd47a67d85030d66
  • 1c7aa82bb86c73a7763481af80ab563a58126141dd67a428ff906a216c23acb3
  • 20213d423c8cb20b2cd27ca9068b783ae88d25c8b4132e7398b3e39dc749bc84
  • 208998f4c61a63a06bffc006f6ca72d53a3d26d25ed18a91a729f8d885f3d434
  • 2b4c8855bb8a7886650975150357a7c14ec1f3f79512944e5d96020f2662b3dd
  • 2ce35940413042879446fb3b42d02f959bf88d758635e2b24839a2bb8f5ba5e5
  • 2ec3f6dbbd5265568fb79504311eea752aec5d976f471bb7271845b6715d41d8
  • 3cb153a58e43434c05c3bc78b19cf0d88c598e1a28669a3e695671e0fef20342
  • 45708626b424d9f5671d2985ec6a8b8c0a2ef1ed286615814edef67cd02e5e8f
  • 457c27931565b6f7161d9dcbd55307a931a61eedbee947928c66fcc5f27cf562
  • 4639bb6af2aa32540f966c3bd8bfbf939baabe9e05c6068317c5758731c474e2
  • 4878a5a116e333961832264f2df37d2b6087fd718e2ff813af07c8bd452cff4a
  • 496458dcba5b888e4cc55b96e1662b49cb42504e7d61d99f915c5bd859b6cc51
  • 5486eabfd8ff09c353b1daf1dc3e0897345743d9d6eac8f30a659c57cf8990f9
  • 63f6c26b6336b0e7e589bce24e5e8e59bc7de20bcd3dc4e2f0a4b32518bc9821
  • 6e124f148d16d85b5185c938ce87f10615f40650960c4a8def1aad9a6f6aa517
  • 84350051e0e3f2c397fb6a76ac42ef8982642bc088b8e7776e583233fe4b7163
  • 8e6fe70d98d5cc923be3053d1320812893286182bc03acf2bc1526b4c86de3c1
  • 8e806b7b90b38b45d5d8513e2f3feade0db7e07bb0939617dcb8e5de611eb53a
  • a515905e42ab3f174ffa76bb06963f7d441977da38b536e70ca207749cc10bb2
  • a6303c6d4fb8fdabb3804e537c61e6ceb03729c89481213060ed0747efa18dcb
  • adcfa5fde1d1126cf0091e5fbb2a8960d6d12bab9895169cf09ab9da68917897
  • ce69632177a83f629b2da597bf011904952be92e084872f58f2c9649082ce0cc

Coverage

Detected by: AMP, ThreatGrid (screenshots of detection not reproduced)

Win.Dropper.Fareit-6688124-0


Indicators of Compromise


Registry Keys
  • <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    • Value Name: K4XD4XP0OPG
Mutexes
  • 8-3503835SZBFHHZ
  • OMM-7UQ942T0D7yz
IP Addresses
  • 217[.]160[.]223[.]46
  • 98[.]124[.]199[.]17
  • 52[.]54[.]24[.]134
Domain Names
  • www[.]businessintuitive[.]expert
  • www[.]instrovate[.]com
  • www[.]meesebyte[.]com
  • www[.]mxauny[.]men
  • www[.]anotherlscreation[.]com
  • www[.]maisonlecallennec[.]com
  • www[.]weltho[.]com
  • www[.]ybnonline[.]com
  • www[.]mufflerbrothersbellbrook[.]net
  • www[.]aerolitigate[.]com
Files and or directories created
  • %AppData%\Microsoft\Windows\Start Menu\Programs\Startup\h.vbs
  • \TEMP\transfer application.exe
File Hashes
  • 1865f1902c9f9244dbed9f0610885533d06aba815de58e921fcf67af8b9cfec4
  • 187201a91fb47052f6c8b01310ae17f6fa84bff20b5653a1b0b8af54dc96da50
  • 20517fb0a924314f16246bda9b1ba2e3fdf2f8cf2d541f7a4088f8a63bc6b268
  • 2832d3cceb2392df0b331c96355d91876d3b53d76d2dabcd98cd77df0b3a1c09
  • 3c79a984a1598c9260bc6897f46fc207d3aecdb6b67180d0fa62804128621ca9
  • 4384907852405b4de4c95a6fb4e8f4a8090dcf4efb69f9efe5615752d7518c85
  • 5e8f46ecabd431d173e046a69cd45c30e0855794dc2572226454cca3d97155c6
  • 63ebdc567b8e3633fdbe3f16a1693b79a98dfe901a1f4a3fd59de361286b00e8
  • 68489889e574e1b76cf511a9fdb19d083517d810f29865f58d84816407d6cb5f
  • 69bffa8bfcde33890bbbbcb4df72fee8f455c38decfe78ffbce62cc297ed80f2
  • 6ec3a026ec2847aac11f9be2f033e8a46262cb9cfd0c9bfd93cf35a025986505
  • 9ddfd64d03cee5171560734ebadb29b90a6f152cc77ce01c3748713be7d643bc
  • b82e68bce9ba7a4c081a1f7abf60a8f74677da099ca28b16b35e8eb6265b293f
  • ba61fad6518e22448d52520ab7d1fcff23a341cdc9b8b7d90dd512145a45b659
  • bd988f2f34f4270e16cb477d30672c293a7178a61f0c834cb088a0cc06a70b58
  • dd49e3acf25c03cfd8596f78e58407fce8186e7c95d6ff2b3d0b411b85b0ff0a
  • e2222669d455bb76359e6334c46a76603b7967f54e5bebcd1c29c0ce1a9c1409

Coverage

Detected by: AMP, ThreatGrid, Umbrella (screenshots of detection not reproduced)


Doc.Downloader.Pederr-6686124-0


Indicators of Compromise


Registry Keys
  • N/A
Mutexes
  • N/A
IP Addresses
  • 220[.]253[.]68[.]95
  • 69[.]70[.]248[.]98
Domain Names
  • familiekoning[.]net
Files and or directories created
  • %UserProfile%\480.exe
  • %LocalAppData%\Temp\zaybh0yp.m4u.ps1
File Hashes
  • 0b0f79a09a323f618f566f99cda0e16661e635cda47c4958e0eba33ead354962
  • 43e4d5a9bba1328664912ceb46f5028da57ba14ca0246ff0f0ead90d3c488c11
  • 4b749e172456275d8acfbd0110645198b0f02157f0c8527f3c119d231ad1e364
  • 4f17ac54dae3d4bd6c6d2b7371d7f00ad2a68f662513a75c59678103b328fef0
  • 59d38c5f0fc8779756c2b586a4caa0161949298a03fba80c6253ade7747ba7d5
  • 5e885baff145db23dd14b15a489f174316c39e5bbfaf9b523498fd735920fd45
  • 76b69f93b5532b1d050b38537035eee5c1aae94690d716aa96a1b926c36e6816
  • 7c377ced751e3dfe1b62e337e5aa8835e4a16cf0b4bad8c975c92f5a04b7b434
  • 7db86c3f63c8319cef1a15b85ac2099e9943d27ce8e70c7e756b5ce065e30448
  • 8b3e7b0cd5c83967782bb2aa41996b97e8badd89b43171a48e7b28f94f443c7c
  • 8ea59348fabec29d76e8c9c3c72d08cfe3bb9080ba5e8504afea9af72cf2040e
  • 9a719afc937416f57b260e195384cb89fd72388fb25afe7e392063e5d06d4696
  • 9acc1502c8a145e569fb80ec294f4077f10c7a668f7c8032aaf4464e1d8293ef
  • a6c8b64eb83808c413d4866d6881643c62c28ab583ec848f9445dcacc49870ad
  • b61476ae5ec49be90033eaac7b45d27581b89873191a05da5cfa1594d96085a5
  • bb475f796deb9e2f64f7dbc6561b0b0a929b1eb171becd6cb19bed64bb006a8f
  • bf1e0abe4078554cbc7de5e3d8f8d87f120beb9c803c2cde9f21640c1e629ac1
  • c844112b2b7649bb5e54b2a053f1177ce074725e651160291c1e6d2a1941f697
  • c9d351497963b1f6c24c8d3d1d7e9634cd043f45ebeb211eec99810486afdca9
  • cdb87125ba3ab9416efa180784b9d8d3edc4785166438a54b02917358bf5c9c9
  • e24bad80d42293433fd0bb506319b237d29da100a25c250095af1c1bf09ce02b
  • f7af8177aae877691ea3a6ea290b8a3e29c4613b5038dbb417cf960f10625ff7
  • fd8780f8d82ad7c64e0035a9fe3468342aec9f8c145d9e3e3536d12926133573

Coverage

Detected by: AMP, ThreatGrid, Umbrella (screenshots of detection not reproduced)

