Today, as we do every week, Talos is giving you a glimpse into the most prevalent threats we’ve observed this week — covering the dates between Sept. 21 and 28. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, we will summarize the threats we’ve observed by highlighting key behavioral characteristics and indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

The most prevalent threats highlighted in this roundup are:

  • Doc.Downloader.Powload-6697736-0
    Downloader
    Powload is a malicious document that uses PowerShell to download malware. This campaign is currently distributing the Emotet banking trojan.
  • Doc.Malware.Sagent-6697297-0
    Malware
    Sagent downloads and executes a binary using PowerShell from a Microsoft Word document.
  • Win.Malware.Tspy-6698228-0
    Malware
    The Tspy trojan is used to steal sensitive information, such as banking credentials, and installs a remote-access backdoor.
  • Win.Ransomware.Gandcrab5-6697262-1
    Ransomware
    Gandcrab V5.0 is the latest version of the ransomware family that encrypts documents, photos, databases and other important files.
  • Win.Trojan.Razy-6697101-0
    Trojan
    Razy is oftentimes a generic detection name for a Windows trojan. Although more recent cases have found that it attributed to ransomware that uses the .razy file extension when writing encrypted files to disk — these samples are the former case. They collect sensitive information from the infected host, format and encrypt the data, and send it to a command and control (C2) server.
  • Win.Malware.Ursu-6696608-0
    Malware
    Ursu is a generic malware that has many functionalities. It contacts and C2 server and performs code injection in the address space of legitimate processes. It is able to achieve persistence, as well, and seeks to collect confidential information. It is spread via email.
  • Win.Virus.Sality-6696580-0
    Virus
    Sality is a file infector that establishes a peer-to-peer botnet. Although it's been prevalent for more than a decade, we continue to see new samples that require marginal attention in order to remain consistent with detection. The end goal is to execute a downloader component capable of executing additional malware after a Sality client compromises perimeter security.

Threats

Doc.Downloader.Powload-6697736-0

Indicators of Compromise
Registry Keys

  • N/A Mutexes
  • N/A IP Addresses contacted by malware. Does not indicate maliciousness.
  • 190[.]147[.]53[.]140
  • 81[.]177[.]139[.]193 Domain Names contacted by malware. Does not indicate maliciousness.
  • stalfond-n[.]ru Files and or directories created
  • %UserProfile%\692.exe
  • %LocalAppData%\Temp\02rp2yuh.rgu.ps1
  • %LocalAppData%\Temp\bsiltcdz.yqo.psm1 File Hashes
  • 011fd5d669884b2770c80a0427417418e0d1807132924c323ae951d09fca0806
  • 0daef21240d620d0560a464273ef4d6ddffb954d555e123d21daa38ecf97ab71
  • 3764038477dc8bbe6c588bae1c0c3856b7cf392fe8df04eb98673f5f7fbc0bd6
  • 6298261a5ccb038673a2ebb1a10bc242440c23b6b99c70a480ad91f2b7fc2d9f
  • 6dd09f3c6a26e8b2225a86b8e941d6283dad33603dc5ec6a0c4ed80162da5d3c
  • 7030b39dcbf2498dd38e9980769bf8a52e517d6330917c22b1a0a55aa7199fd1
  • 8eb4e3317dfad2c94e3c1f3c1267635aaf1c0202738948b80bf012398942377f
  • 9541ab72a2fe2bef02fa0c1d288357719c445c1eb82fcb5d2ee3c59b47238c5b
  • a77778354f829c8674431fa6a2a1a36f6989537e25ac8823117cfbfb5a14564f
  • b5aeb7cd38f02215471aac4960d29342d9e75c1a188a79d5c635f1e4943e0451
  • c13a146928c2d0b87c44283aa7c06483039b149c6e93618dbffdc4e1c1695dd6
  • e7bd379dd6bd70b10ed492642db1f9a26cf44c0928b101208421e9e6863c98a7
  • f349dcd66a084e8b9b503b274d9128d22931497b78675b8e8ab424977db22275

Coverage


Screenshots of Detection AMP



ThreatGrid



Doc.Malware.Sagent-6697297-0

Indicators of Compromise
Registry Keys

  • N/A Mutexes
  • N/A IP Addresses contacted by malware. Does not indicate maliciousness.
  • 172[.]106[.]32[.]205
  • 192[.]48[.]88[.]236
  • 192[.]48[.]88[.]5 Domain Names contacted by malware. Does not indicate maliciousness.
  • owieoqkxkals[.]com
  • iwoqiwuqoeuowei[.]com Files and or directories created
  • %AppData%\39281.exe
  • %LocalAppData%\Temp\vp33msdr.cx4.psm1
  • %LocalAppData%\Temp\w5lg3lem.ise.ps1
  • %LocalAppData%\Temp\tfkiykcl.c4i.psm1
  • %LocalAppData%\Temp\xjkqhrqd.vw5.ps1
  • %AppData%\32089115502559.exe.exe File Hashes
  • 00c949029e29b4f0222846e9a40f4160ab2f4920dd5f8fe77ce617543f7ce6b2
  • 010d7399d9cda5b1d4f351d81d6bd4a1ec7ea87b17f869f93ca6372b5350360f
  • 01b4fa260b4d29a687bb7bb428b58c898d1882b05de199f17390d83c1936918a
  • 04c4c5b10bb23c21ad187eb45b94c064960be5c94a097bfe46be804f33c4355a
  • 04e9882cea77d5613a36d6e2f8e22d32188242e8ba76adaf04ddc4258c519145
  • 0883677c6d3c749d06834f8c39567cfb0a2df4f1ec92aebc7935c9dfc0b1dcb8
  • 09b8d49329d695fa757f6019177ce64a0c3714ac0f5c24fd8133360b8a9e4f54
  • 13d5fb27fb148f038c8373b16a35bed7e87c282c5920480406d71310356c9721
  • 16380e6168e31a0098a70f629c0d5a1ade9f3230b322ec4a358fd85cf6bffd56
  • 16555b75a521b0903484f0d3f4f6359b7509601f75172bc7be7d8bf950d03729
  • 1b355a43396766838fb28181a989d9537b088ecc259218cfc72cdd3e2f6c6307
  • 1c45152a5b9bd58507201b553f9e37fd70dc2d801ad979150b55ed99fc5a9fbd
  • 1cc91a7cbfabb4f9ffad1cee71e634d3d484d8b60d7a3f89961a1a6354b8e5ab
  • 25b408184567aa32716d67b542bfd51bc66f665d5d0a5bdb34946eefe1dddfa3
  • 315fbd4598e7c9cdfed8b1035edd49d7c8b84a02687ff7722b94febfdc2a62a1
  • 3213877a8ca57ae183aa3ba925bede665cd51ff9394944cbaff7f7910b83561d
  • 3218afccd21656fefb2cebaedff13cd95b22cee4163f51a3189280cc7b342f45
  • 391797762b247bdcf2d00431c18655b3ed5c56e3dca484e3da6ac3d7d5a17426
  • 3b2c998477788cbe3e2a8b562ca9bcaaf99bf34173946eb35d982b0791818c4d
  • 3b540e0d41baa0cae3ed5c2cde1fdf3973332ae22d5a37c90b804cc8acdb7d2f
  • 410176eebc6ad926d379a05a0797ffe79d2b1eb2277e2a0178215eb7b759b32e
  • 419396e33483bc3c538d2cb26837871abacedc886d72d46298054ff243ccc429
  • 42f968acaea98c5b06aa3a35a2e70d9b170ea9e9c1c043a41be536b26f30ee62
  • 4643c3cdfc6c2e479b2fdfa3662932d627c335e6fed94dfbc601f775880a9e88
  • 48fb581864c03d49fc1a51f58e73bdbfb4ddb2b9d7f5ccbe2c08af1b6bc38bb4

Coverage


Screenshots of DetectionAMP



ThreatGrid



Umbrella



Win.Malware.Tspy-6698228-0

Indicators of Compromise
Registry Keys

  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
  • Value Name: internat.exe
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
  • Value Name: MyOtApp Mutexes
  • N/A IP Addresses contacted by malware. Does not indicate maliciousness.
  • 216[.]146[.]38[.]70  Domain Names contacted by malware. Does not indicate maliciousness.
  • checkip[.]dyndns[.]org Files and or directories created
  • %AppData%\MyOtApp
  • %AppData%\MyOtApp\MyOtApp.exe File Hashes
  • 08d6bf7a2e121cb3f42c5da6dd8675c494eda1bff1846609690f4c938fbe261c
  • 13b777c7fae7df5e6d97ee5a0c1c15c863bcfe7de4aa03a48379a27b3bd7b755
  • 2602400c743bcf09a1f2c4a9f313f54c4c27e46c29cefb211c7a15c4aa769ad0
  • 2ec84185946db48799de6a71dfe036c25d9bf7cbef8e7f37c125da467d7c1262
  • 2f7e7ed4974db01250d17e09caf9c3725aba7318acb835cfec1238c6df242d0d
  • 35174fabe3bcb8510cd6492238f67e632b8d4be1f80b221275772d7ecadb6435
  • 39733dd17e8ba00a486f8dea9c39ca5aaee050f4f3cef792b792a547d3b1c8bb
  • 47ff0e1ac6d99e1d3809267d6d6db6dd39ce3c42f1315a701cef340bc99f6559
  • 4e45d72f9846ecd10586241de4e47248d7bfe2fa9577bad4b1265db406574d83
  • 62e94bc8400153e5927a52f14c997782acf705eac748d176cda197767751fd4a
  • 6ccf99e260f9a2b3115fa228c1ef909b612d05f1922aa148ef21646757a08bf0
  • 6d9a7acb5f5d21ba333a56bdb1d3db19b61833ddcb6f28706ec6f4f48904d1f1
  • 6f94d32cf71a60105bc0d7ababa784930805a435f58f8acc5147394373cdd961
  • 991c3f32a3be04f65767befb063f4250b0dc7f7a68dd08375ef2792a78578b61
  • a60b6009eae0d1106c9206467fd2ab1f4085c3af042326f2866c0b83124c4426
  • af5bf956991e77162cb826f1c82f72eb608bfca26b9a7359bb05a9eb24558ad0
  • b59f4e2a60f33c618b232dfaab4c40f1d617fd3f281c70707d72787cf1c150e4
  • b784c5b241865ac9677926b37e52fad5b866e8a0fe55c55de100f2b4133e7228
  • e3935ad630e9d4c7aafd5b4aee9f8a052d1279d2587742d92dc935370a02ff2d
  • e7ac6050674af628fd893f0b11c70af20ba529b9406bcd96efc9c32f6b172767
  • e9069351d7bf92c3279930bd25a4c4d88db541da2211faea7acd3a84e613fb0e
  • fa28d5c8403cf180d4e15acd33feecda62f25ae7c4fad3ae145e07003c6d0f0f
  • fe80093fff73e7031c2350baac2bb24131687afcba327762350eb1d37d55b9d5

Coverage


Screenshots of Detection ThreatGrid



Win.Ransomware.Gandcrab5-6697262-1

Indicators of Compromise
Registry Keys

  • <HKCU>\SOFTWARE\KEYS_DATA\DATA
  • Value Name: public
  • <HKCU>\SOFTWARE\KEYS_DATA\DATA
  • Value Name: private Mutexes
  • Global\8B5BAAB9E36E4507C5F5.lock
  • Global\XlAKFoxSKGOfSGOoSFOOFNOLPE IP Addresses contacted by malware. Does not indicate maliciousness.
  • 93[.]125[.]99[.]121
  • 94[.]231[.]109[.]239
  • 87[.]236[.]16[.]31
  • 89[.]252[.]187[.]72
  • 87[.]236[.]16[.]29
  • 94[.]73[.]148[.]18
  • 87[.]236[.]19[.]135
  • 92[.]53[.]96[.]201
  • 95[.]213[.]173[.]173
  • 87[.]236[.]16[.]208 Domain Names contacted by malware. Does not indicate maliciousness.
  • zaeba[.]co[.]uk
  • ZAEBA[.]CO[.]UK
  • www[.]wash-wear[.]com
  • yourmine[.]ru
  • www[.]poketeg[.]com  Files and or directories created
  • %UserProfile%\Desktop\ASZNJ-DECRYPT.html
  • \PerfLogs\ASZNJ-DECRYPT.html
  • \Recovery\ASZNJ-DECRYPT.html
  • \TEMP\ASZNJ-DECRYPT.html File Hashes
  • 0f929521a468c4998256c074b5f5b3db085e0e8a200672a7ec18c8d626f41e88
  • 241c85b8452824030096aa18d04ee84e464a44fa116ff0212d47c5f17f4fc259
  • 3f46a274979208f967357bc2fe776b38cef0f39578299070f029cf492f394cde
  • 644f43f1a6c55695a1616265cc8bd701c0f1447ac334ab61bec61de64bfb6622
  • 68c0f0aab240c1cea01c5c7c3ec9f2cb9ae65136127e1b889542ad176b259172
  • 6f559120f36b4699ed3f3668bac0b699efb1f8623bf511256f82bfd5b0c9ee9c
  • 77dd53de29eac87ade3ff7a7fca47d3a8906feebd70876b23b220a6a61806765
  • 85822d86e64e4d677b83662b44140c7e70ff80ed7e255b39de579bb18e54e858
  • 8b8e36cca05ccdf78d60ea71be4d75f4b077dd729237420a78ac6c5442bd3263
  • 8cc12fff598c2e32e04cc72198a5c39c2b1cebe1e343ff15ed5b069056f040b9
  • 919c39d2c2494b9f275496d3b77c99c439b0a87e4ec200165fcdbc6fcade3a12
  • aec69b1f8630db4fd1ca605319cf1b6186c33640f06c4fb6e97a8ebb69652caa

Coverage


Screenshots of DetectionAMP



ThreatGrid



Umbrella



Win.Trojan.Razy-6697101-0

Indicators of Compromise
Registry Keys

  • N/A Mutexes
  • 3749282D282E1E80C56CAE5A IP Addresses contacted by malware. Does not indicate maliciousness.
  • 91[.]234[.]99[.]41 Domain Names contacted by malware. Does not indicate maliciousness.
  • mazeedkyabar[.]com Files and or directories created
  • %AppData%\D282E1\1E80C5.lck
  • \PC*\MAILSLOT\NET\NETLOGON File Hashes
  • 0ce54c69a1bccd215380f3b4de8691264dd44e70688ed0ac6d0bf81f1e9eeb40
  • 10f32f95f44868f70681a2333ad6a6c9a5abb65733b7534a2b223e09a7138d99
  • 14df5201043d4c810c732ed7acf517c41d5e3591a689bbb0d27c2b4fcb426afd
  • 4ba2236755c18e45f720170deca60c17bcdae837a921b210e5e9e5493be3dc22
  • 78372b53ba801d6de3d9a8a0cccf8b52d2b37853bb562092c296064f9284f7f5
  • a5d264aac354f4f95b0338e81ed51d655fe98983134e10666f58a78b2f766c62
  • aa81268a74a3521e5a52c697e161bee84137fd96d2f7b13a0f2d0e541fe418fb
  • b4b56cb72d176a8bfb23b7254d7702a4ec6efc8ed6663256699805b53df116e5
  • c55b8a161364c3326dfa6c70274f1290c839add21a43e86b4b5d13728fb034ea
  • dc71f3c1600d0ff268db18a77d7a11d23ee48e4167ec65589656369922217fec
  • dd10835ba1d74e1d5700b2ab547f57cee0203033f0b6db35afeeb71f5b3ffa50

Coverage


Screenshots of Detection AMP



ThreatGrid



Umbrella



Win.Malware.Ursu-6696608-0

Indicators of Compromise
Registry Keys

  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
  • Value Name: internat.exe
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
  • Value Name: Windows Update Mutexes
  • N/A IP Addresses contacted by malware. Does not indicate maliciousness.
  • N/A Domain Names contacted by malware. Does not indicate maliciousness.
  • smtp[.]zoho[.]com
  • whatismyipaddress[.]com Files and or directories created
  • %AppData%\WindowsUpdate.exe
  • %LocalAppData%\Temp\holderwb.txt
  • %AppData%\pid.txt
  • %AppData%\pidloc.txt
  • %LocalAppData%\Temp\holdermail.txt File Hashes
  • 0296041fc0f243e34ca6c827c2085d9061301eb703769e2eac17c7962994d701
  • 123adc0c7eebe5d9ad13f2d7097f5b6be248cd33e0c52158bdf5ce6b934b8c4f
  • 12d7e1038baa1825cfe9ae38cc70ad4ce72952ff00460c7e633fb690c27d91ca
  • 3eb7a917c937f7068b4cb71585f828fa24a619dce7ee6dd907a84fe26e78bbcb
  • 50158998d1c51e90b6380f7d4b5eef27572cc3d1ea864cedf91f20f5aaf6ea2c
  • 581f3d139547523a5ab8a16c6403bb1319a19d81bb908098bf89f7c38d80bb79
  • 8bde6d65663cac076b7cec03fc444e3c19ae8c9a7d2849094a2103d1e9187e98
  • 991bf6843f78bd0c67380fe07d78d5c97405a49a1a7ed42b13f9456a80ae8f28
  • 99c7733e5328fe2d77526e1f3a09400425078ae4035883aaa965f6e5752a2668
  • 9dd5cfe5160e7d757d631b832643f83b66caf5c7c44f21391add4ce8692510b6
  • aab0dc518c4eae880bf148805b23493d73d7164f0970655d4159e1ca7bac009d
  • b209df425de16a8fade136f2e3de9cd8c5ba6729cd47144ced562fae0273a753
  • cbabc1094d0f2f1a45477ee3cfc91425384d10a546e4a54f9aa260d47c704d0d
  • cc84984c43abe66d1bf1d93ecabaae132cc61e40998751e1c34b9d485565b05c
  • e7627baacd38980106dbbdef4f3525c8af7452554373c56eb484d1414f84b74f

Coverage


Screenshots of Detection AMP



ThreatGrid



Win.Virus.Sality-6696580-0

Indicators of Compromise
Registry Keys

  • <HKCU>\SOFTWARE\AASPPAPMMXKVS\-993627007
  • Value Name: 1768776769
  • <HKCU>\SOFTWARE\AASPPAPMMXKVS
  • Value Name: A1_0 Mutexes
  • DBWinMutex
  • csrss.exeM_284_
  • csrss.exeM_328_
  • dwm.exeM_288_
  • explorer.exeM_1060_
  • lsass.exeM_428_
  • lsm.exeM_436_
  • services.exeM_412_
  • smss.exeM_204_
  • spoolsv.exeM_1044_
  • svchost.exeM_840_
  • taskhost.exeM_1140_
  • uxJLpe1m
  • wininit.exeM_320_
  • winlogon.exeM_356_
  • wudfhost.exeM_1644_
  • 3c419d67f98c8fd495eff616bb94d3e5de8c22d34b94124e1f3f0cfec8f3566M_1932_
  • dllhost.exeM_1376_
  • wmiprvse.exeM_1456_ IP Addresses contacted by malware. Does not indicate maliciousness.
  • 195[.]22[.]26[.]248
  • 206[.]189[.]61[.]126
  • 64[.]29[.]151[.]221
  • 63[.]249[.]150[.]76
  • 23[.]253[.]126[.]58
  • 195[.]38[.]137[.]100 Domain Names contacted by malware. Does not indicate maliciousness.
  • www[.]akpartisariveliler[.]com
  • tn69abi[.]com
  • abb[.]ind[.]in
  • www[.]3pindia[.]in
  • 1s2qvh91x[.]site[.]aplus[.]net
  • gim8[.]pl
  • acemoglusucuklari[.]com[.]tr
  • a-bring[.]com
  • aci[.]gratix[.]com[.]br
  • aclassalerts[.]comFiles and or directories created
  • \??\E:\autorun.inf
  • %SystemDrive%\autorun.inf
  • %LocalAppData%\Temp\fdqr.exe
  • %LocalAppData%\Temp\winarxu.exe
  • %LocalAppData%\Temp\winopfmni.exe
  • %LocalAppData%\Temp\winpwho.exe
  • %LocalAppData%\Temp\winyunh.exe
  • %SystemDrive%\xwouo.pif
  • \??\E:\vrbf.pif
  • \vrbf.pif
  • \xwouo.pif File Hashes
  • 0bcbac5dff686bb605adadb225fa540aab73bb3fb3251ba4226eb071cac6f0f1
  • 0cdb71323cdf0ab4ec462f74b3830b87ae8d8212f6bfdb427ec12c06cc524220
  • 14cbde97cb6d3df9841c8251884b664f689514d2ea8fa813fc95b323dd7ef8dd
  • 3c419d67f98c8fd495eff616bb94d3e5de8c22d34b94124e1f3f0cfec8f3566d
  • 3dac8250c89686244d433a9739bd59e719af950b60659d93e34b8b17cd72d0c4
  • 7c544889d588ae668f13ff9e05eabc9ea048fa026b3a5af4882de10da8f8640c
  • 7dc3fc8b4a572c0980b9de6ffc716fa422f627f48f8fcbc1720604e226346dff
  • 919668829270d79de177615abf848bc09be41afd1877ef6682f8f0bbd3096880
  • b57206a74a8dbce03e991a5855c8c16aac2bffea69da9ebbc64c39932d886ec5
  • bd12db3c5dcc16b35cbb3cd42bbf9719ac8e69da6449c32659fc2a066d42265e
  • c85d9321a025a39c5b6facb12dd663b9623a4f43a73e2be409e9e3d04f132d4c
  • ea5e7e60a45331e504dcb30b29f6d9c7d438fb343aa2ae897047369b6863d712
  • f6efc4a323520ba88ccb8f678f3c9167010c6c575afcd8225393bc0f664fc96b

Coverage


Screenshots of Detection AMP



ThreatGrid



Umbrella