Friday, October 26, 2018

Threat Roundup for October 19 to October 26


Today, Talos is is publishing a glimpse into the most prevalent threats we've observed between Oct. 19 and Oct. 26. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

You can find an additional JSON file here that includes the IOCs in this post, as well as all hashes associated with the cluster. That list is limited to 25 hashes in this blog post. As always, please remember that all IOCs contained in this document are indicators, and one single IOC does not indicated maliciousness.

The most prevalent threats highlighted in this roundup are:

  • Win.Virus.Sality-6727001-0
    Virus
    Sality is a file infector that establishes a peer-to-peer botnet. Although it's been prevalent for more than a decade, we continue to see new samples that require marginal attention in order to remain consistent with detection. Once a Sality client bypasses perimeter security, its goal is to execute a downloader component capable of executing additional malware.
     
  • Win.Malware.Nymaim-6726894-0
    Malware
    Nymaim is malware that can be used to deliver ransomware and other malicious payloads. It uses a domain generation algorithm to generate potential command and control (C2) domains to connect to additional payloads.
     
  • Win.Malware.Xcnfe-6725509-0
    Malware
    This cluster provides generic detection for the Dridex banking trojan that's downloaded onto a target's machine.
     
  • Doc.Dropper.Stratos-6724145-0
    Dropper
    This is an obfuscated Microsoft Office macro downloader that attempts to download a malicious payload executable. The sample was unable to download the next stage, so no further analysis is available.
     
  • Win.Downloader.Upatre-6726679-0
    Downloader
    Upatre is a malicious downloader often used by exploit kits and phishing campaigns. Upatre downloads and executes malicious executables, such as banking malware.
     
  • Win.Malware.Cerber-6725830-0
    Malware
    Cerber is ransomware that encrypts documents, photos, databases and other important files using the file extension ".cerber."
     
  • Doc.Malware.00536d-6731394-0
    Malware
    Doc.Malware.00536d-6731394-0 is a malicious Word document that drops malware. It attempts to download and run a second-stage executable from a number of known malicious domains and IP addresses.
     

Threats

Win.Virus.Sality-6727001-0


Indicators of Compromise


Registry Keys
  • N/A
Mutexes
  • uxJLpe1m
  • \BaseNamedObjects\uxJLpe1m
IP Addresses contacted by malware. Does not indicate maliciousness
  • 206[.]189[.]61[.]126
  • 195[.]38[.]137[.]100
  • 213[.]202[.]229[.]103
  • 217[.]74[.]65[.]23
  • 199[.]59[.]242[.]151
Domain Names contacted by malware. Does not indicate maliciousness
  • dewpoint-eg[.]com
  • suewyllie[.]com
  • 724hizmetgrup[.]com
  • www[.]ceylanogullari[.]com
  • cevatpasa[.]com
Files and or directories created
  • %SystemDrive%\autorun.inf
  • %System16%.ini
  • %LocalAppData%\Temp\ose00000.exe
  • %SystemDrive%\Documents and Settings\Administrator\Cookies\administrator@dewpoint-eg[1].txt
  • %SystemDrive%\Documents and Settings\Administrator\Cookies\administrator@dewpoint-eg[2].txt
  • %SystemDrive%\Documents and Settings\Administrator\Cookies\administrator@www.ceylanogullari[1].txt
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\kokfo.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ogtfa.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\plkvrx.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\qwet.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\vfhqbt.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\wdieh.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winauey.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winbmfbc.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winehogdk.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\wineplbg.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winfeas.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\wingwtgg.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winhsgjxg.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winiiff.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winlamr.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winmucoe.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winoyjfrn.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winqvpnb.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winskeoqt.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\wintilmn.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winwlbet.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winwnwhq.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winybmal.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\wooydt.exe
  • %LocalAppData%\Temp\jlwdt.exe
  • %LocalAppData%\Temp\ssink.exe
  • %LocalAppData%\Temp\ukpvl.exe
  • %LocalAppData%\Temp\winlobd.exe
  • %LocalAppData%\Temp\winmjeu.exe
  • %LocalAppData%\Temp\wintqpup.exe
  • %AppData%\Microsoft\Windows\Cookies\XTNNC6UJ.txt
  • %LocalAppData%\Temp\winlobd.exe
  • \sgfdr.pif
  • \vqwf.exe
File Hashes
  • 007474f524c04bcfef7bff656f7d673e22496caff0490a111596b5c1a60b61ef
  • 0abf15a831537bd86b7e16ae5032a4813c6e9e9df4f1da7c074c4daa3672c3dd
  • 0e82ae0199228f54e8308755024fa78e0a568f1423cec3cf21d9341a7c99dcb9
  • 18a859dee990feefdcc6196052c1d2becba64fb43d07623e1e573b0f39e63095
  • 18bce4611a9668a2660b0471459cd070361c85d71a4989c1bc967fe04bc54795
  • 2642e382a6a216b518471ac182891b6973a4f4eb569ad4d13cb02b8a840d3f07
  • 5b4c4e796a0e1c9344c3165af210d2b9edd2980de25bfec656bc918809b0be4c
  • 689bdd8a91c2bfaa00de235933b38ca9477ea9aa2eaa880cba50235641376add
  • 865e10fa2439380d7048a0ec2eebdef487f706239e464c47dadf930b22028b11
  • 905e701032eaaa944ccb70d3db97a200d85befefe7faf99d525c9767e5c5d615
  • a2ca43843f5c03adbdb03b91e4cafc162781d8c7e707c7bc161b03f4163218e2
  • ad68745733f455935188c0100aaf057bf1d3454a24e0be0ffff262d2318f6265
  • b535ea6cc31dd9f8a66fbbedb61ed021520ff74f5b42f815eb84022cfb3e4435
  • c38b955f4a4eee3cca1c1bf1ae0f915f75080772c4ae597c2ed76649a056a5dc
  • c40d8c58cc63dc606a9fa854f1774d7f17546170fdfc2679c3b8f6387fa4be6d
  • c5fb97f7e577795bdc7a6076efca8f09e83bd4fb9e68c40916c6784040dbb485
  • d0381f5c52b605b7b43c8b9dce2341b622ed2528df6bd65d527104f3fc1f2f16
  • da77ddf6e01c4cb2694f055a5c69f48bf6546b6831f145297a5cfbb5f64c5563
  • f001f25a35fb04298750c58f37ca4158085c454d784778f9a9c601d9bbbf6b40
  • f0d47851346c738dd836fb6f43005a57305f04e078d07af3a6d84ee586dfdfc0

Coverage


Screenshots of Detection

AMP






ThreatGrid




Umbrella



Win.Malware.Nymaim-6726894-0


Indicators of Compromise


Registry Keys
  • <HKCR>\LOCAL SETTINGS\MUICACHE\3E\52C64B7E
    • Value Name: LanguageList
  • <HKCU>\Software\Microsoft\GOCFK
  • <HKCU>\Software\Microsoft\KPQL
Mutexes
  • N/A
IP Addresses contacted by malware. Does not indicate maliciousness
  • N/A
Domain Names contacted by malware. Does not indicate maliciousness
  • IOCXRQNM[.]COM
  • ZJGGMKGGA[.]COM
  • YEFHBEVI[.]PW
  • DCORFRLWW[.]NET
  • kercnnlwtg[.]in
  • JYWVEW[.]PW
  • ZQQSUQRPEJK[.]IN
  • xhphblba[.]pw
  • FSHAJK[.]COM
  • maffuwnln[.]net
  • RQMNLOKS[.]COM
  • MRHNDJI[.]IN
  • hbdfmtj[.]pw
  • GZKISDVBZQFE[.]IN
  • efntvrhq[.]net
  • QGWKUGNMSJF[.]PW
  • MAFFUWNLN[.]NET
  • dcorfrlww[.]net
  • NWAFZV[.]IN
  • usrhd[.]com
  • HBDFMTJ[.]PW
  • fshajk[.]com
  • QCNRQ[.]NET
  • iocxrqnm[.]com
  • firohrakais[.]in
  • nizrjl[.]in
  • vnouya[.]in
  • EFNTVRHQ[.]NET
  • zqqsuqrpejk[.]in
  • srdhfsdiju[.]com
  • gzkisdvbzqfe[.]in
  • OHMAQTXG[.]IN
  • jywvew[.]pw
  • jpltxxpcojo[.]in
  • MNEZKYAK[.]NET
  • euqsvd[.]net
  • jtcesxohkgm[.]net
  • JPLTXXPCOJO[.]IN
  • QMNMG[.]NET
  • swvpzwktpdxs[.]net
  • dzwuczn[.]net
  • bsedcx[.]pw
  • KERCNNLWTG[.]IN
  • FIROHRAKAIS[.]IN
  • myxnowb[.]com
  • jhfahntxtnus[.]in
  • JTCESXOHKGM[.]NET
  • XHPHBLBA[.]PW
  • zjggmkgga[.]com
  • iknvjbze[.]in
  • QGMBJF[.]IN
  • EUQSVD[.]NET
  • NIZRJL[.]IN
  • rwxryhij[.]net
  • qmnmg[.]net
  • nwafzv[.]in
  • USRHD[.]COM
  • mrhndji[.]in
  • IKNVJBZE[.]IN
  • ohmaqtxg[.]in
  • cprdqjxpp[.]net
  • SRDHFSDIJU[.]COM
  • yefhbevi[.]pw
  • VNOUYA[.]IN
  • LNTBF[.]COM
  • DZWUCZN[.]NET
  • cmmwoqknklxn[.]com
  • rqmnloks[.]com
  • mnezkyak[.]net
  • BSEDCX[.]PW
  • MYXNOWB[.]COM
  • qgwkugnmsjf[.]pw
  • RWXRYHIJ[.]NET
  • qcnrq[.]net
  • CPRDQJXPP[.]NET
  • qgmbjf[.]in
  • lntbf[.]com
  • JHFAHNTXTNUS[.]IN
Files and or directories created
  • %AllUsersProfile%\ph
  • %AllUsersProfile%\ph\eqdw.dbc
  • %LocalAppData%\Temp\gocf.ksv
  • %LocalAppData%\Temp\kpqlnn.iuy
  • %AllUsersProfile%\ph\fktiipx.ftf
  • %LocalAppData%\Temp\gocf.ksv
File Hashes
  • 00570d9bd558b25ac628d4de140897954e3cc1ed3dae8818e3ef580544626e8f
  • 006e51c87642cb26a7d6fb534d37c1d4c4d015934e67284e8e35053b0da8971c
  • 007b40dab88434b29a0c3b92cca04cb13d9f1ddb29202770a2f657becfc939d2
  • 01e202a72e6bf3954e98acf6c4cd8fe660de710e129cd9de425e1e5dcc876232
  • 01fc65a13f2f8f6033e55f860b835361442dfd0ec1443c134b2a6558964a2a2d
  • 0340d472ea1bf41f75e1cf94fc499ca3960518d5dc9fe8cc85f6f56a955ad702
  • 03d97452886804d0bc32e0723b4024d91cc1a64357a74b529452ca007f1b07d4
  • 0491517063ca33e47b325ba2c304f4c8fc3b45956b1bfdff0555936a3bb3678f
  • 064173410c2ca5781a785fccc9457fdd59b25ba2c14aca5bee71f83f136c279d
  • 0679f7d954654a74c02dca0754cffacdce6d4c7887f4976c85b6148033b9942d
  • 06f001ddf5d2c3827b6f28936b2939f16df62745699551a155572433827ec381
  • 07814f096bd2a889317ac70e66cadfe443df1ad96ed2b6452d4252d11d60c8b3
  • 088dce2464cfa134fd0317a2e75f0057de8d60b547d72e66fc1926e9ad355074
  • 08b4430a48bdebc89092cb4f90ad407e51002098a0eeb08574f92a8327e5a140
  • 09007a9eedbb6b7116add49671499f238301ccd3fa763904512517d003cd3625
  • 0d42e7f0984ea9b0be200420bd7221a92c76466c85ded7321cb69a8386db17ff
  • 0de3ad246b5c52c96135f5804ae1118f7df1af1c6f937740d598334214fc1943
  • 0e5b9ae6ee3041d89eefb88c6c868a1c9931391e91068de26720008c6b0c0bf2
  • 0f59a622eb9998369364b47ddae969698a7975b877ce025b1214ccff8b59e7a7
  • 0f724bbd47c80a2feb1f376d282ed84f39306293522656241abbf19532154928
  • 0fa66bd126cb02a367d8ad392b6c446cc8f50922930804526d245784be001c51
  • 0fff0dad13446c46cd2ff79c4fcc6e545df3e6e269917892d3d22bcbdbb7b741
  • 140aa25448483a45722b1c874fbed44f70e2dd8ea9fe9ce1fb479de397c8a95e
  • 1532bc5fd39a7f0a35d9f94bcbf0be36d5f04acfb46829d4163b00abb3c5eb04
  • 15c03875c741546f5eb5d843c7515b1b10201ad5f9495b2f1eb91de5473602f1

Coverage


Screenshots of Detection

AMP




ThreatGrid



Win.Malware.Xcnfe-6725509-0


Indicators of Compromise


Registry Keys
  • N/A
Mutexes
  • HOejWmqMur
  • HPN518Ik4R
  • Lat3nHFoEE
  • OaLnVql4Xa
  • RsyK1I3lWG
  • V7BLDkG8tf
  • XQeR5Zn1SJ
  • hND27SW0LW
  • qJkjChBhfG
  • vXnp0AXNfH
  • wDSifyYhV5
  • wbQpF7mWCE
  • wcX8yaYh6B
  • wfwyjaJYsW
  • wxK54uwMfc
IP Addresses contacted by malware. Does not indicate maliciousness
  • N/A
Domain Names contacted by malware. Does not indicate maliciousness
  • www[.]brmbyczdra[.]com
  • www[.]pn8mtahzna[.]com
  • www[.]tqttwzog79[.]com
  • www[.]ril14w0qvn[.]com
  • www[.]mvbkhpmqux[.]com
  • www[.]uyrhnkdozb[.]com
  • www[.]nutatq5wla[.]com
  • www[.]tpu9fiuayd[.]com
  • www[.]5bc5xh1p5p[.]com
  • www[.]we3jnll0va[.]com
  • www[.]hrwzs9ake4[.]com
  • www[.]knx3hbiwyu[.]com
  • www[.]txovxotdxc[.]com
  • www[.]ean1heykxa[.]com
  • www[.]qjfvz6swvg[.]com
  • www[.]stq1ji6cas[.]com
  • www[.]xoiejztmpo[.]com
  • www[.]cldhtlfyhs[.]com
  • www[.]zhya3boggv[.]com
  • www[.]qvchgu0aax[.]com
  • www[.]brh6bbhql8[.]com
  • www[.]dirmuszaet[.]com
Files and or directories created
  • %SystemDrive%\345791583.exe
  • %SystemDrive%\old_345791583.exe (copy)
  • %SystemDrive%\TEMP\55ddbadda5fe5c7f86a8f8ea7c9405413682686f8057e2b5369adee284e2ace2.exe
  • \TEMP\old_55ddbadda5fe5c7f86a8f8ea7c9405413682686f8057e2b5369adee284e2ace2.exe
File Hashes
  • 0462beb83c7410501f0fe309335b63bdb2197c828d8b3cac860329613fb92f18
  • 07f0c7d1726aa998261db29451ea668364bd226080caf6ebc1e7cd1f65de1864
  • 0eddfc2b11eabf9cf0186363f4727270cdc5ed3619cf8318caaeaf7370da5e10
  • 1748dd5f70ed569ec358f707587718e8a980871e076aa1b1f344f84b7eee0587
  • 255c3d259351d43392c8b01db2a830f50515e0c2672f5421934ade0433cbd6c3
  • 3ea74553c24024b94412137d0337f1b22226af398579bb7f44e674649c18b480
  • 55ddbadda5fe5c7f86a8f8ea7c9405413682686f8057e2b5369adee284e2ace2
  • 68b35209e61e6558069706af6cfda39cbe24366c28e68d36279ce314f922d9b4
  • 6af842bca80ca04a5c65e6fa9fbf85a3c7bf34a49b580397cc5955a0b9aa1134
  • 6c75d30fa43d15ca9f2632e6a794d26de4fc35fcc1ba9fc250afea06f27ad653
  • 719e40a705ffe31bff643a5254f52ca051d0657b59ee920f4b3e75fc83e3fe0c
  • 77b11d472658825617c8520bc75e5084fa3a26a85f90b845270615ddff6622f4
  • 8689c50f5e4cd1fd590a9c5eebc28ba81b5f0a1b52e357811975ac0f59d278db
  • 95e82e623d7f1b34725c1c11026f8149741a4c506379954c6c9d171791302df6
  • 9a624de996ba6e99eb59b50b2631e86057feb3bee9c54d1282705c4486530fbf
  • c556d0c97ae7b7be22f685e829394652401971a0e468eb0824b5ba5537928b96
  • f392f2e34534ef1e74cb911124ebfb531dbd045e4b6e20afc30e878674459131
  • ffc643e3c595c64053e50e0a1ccc2dace32134c3892fbb1a60e215410cdaf428

Coverage


Screenshots of Detection

AMP




ThreatGrid



Doc.Dropper.Stratos-6724145-0


Indicators of Compromise


Registry Keys
  • N/A
Mutexes
  • N/A
IP Addresses contacted by malware. Does not indicate maliciousness
  • 88[.]217[.]189[.]35
Domain Names contacted by malware. Does not indicate maliciousness
  • www[.]kum[.]net
Files and or directories created
  • %UserProfile%\Documents\20181025
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\kdinwwrgg\ONSEXGA\PowerShellTrace.format.ps1xml
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\kdinwwrgg\ONSEXGA\QsheHY.exe (copy)
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\kdinwwrgg\ONSEXGA\Registry.format.ps1xml
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\kdinwwrgg\ONSEXGA\System.Management.Automation.dll-Help.xml
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\kdinwwrgg\ONSEXGA\WSMan.format.ps1xml
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\kdinwwrgg\ONSEXGA\about_execution_policies.help.txt
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\kdinwwrgg\ONSEXGA\powershell.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\kdinwwrgg\ONSEXGA\powershell.exe.mui
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\kdinwwrgg\ONSEXGA\powershell_ise.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\kdinwwrgg\ONSEXGA\powershell_ise.resources.dll
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\kdinwwrgg\ONSEXGA\pspluginwkr.dll
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\kdinwwrgg\ONSEXGA\pwrshsip.dll
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\kdinwwrgg\ONSEXGA\types.ps1xml
  • %TEMP%orary Internet Files\Content.Word\~WRS{68695D36-6967-4FDB-A2FF-84784E101F5C}.tmp
  • %SystemDrive%\~$4900185.doc
  • %LocalAppData%\Temp\kdinwwrgg\ONSEXGA\powershell.exe
  • \TEMP\~$a24d5a55e3d33b0a4d183141758c409b639fcd077cfcd062dc53cb8d03d378.doc
  • %LocalAppData%\Temp\onexzlc.exe
  • %LocalAppData%\Temp\kdinwwrgg\ONSEXGA\QsheHY.exe
  • %LocalAppData%\Temp\onexzlc.exe
File Hashes
  • 00d3e76c7614df1533cbb40d0b3977cfce6e5f01b8cc0aa6ea858891ef104715
  • 16079ba3e75ebbc34e3ef692277332d41ee0d1aa248a24c7f5ba74d88f28d01b
  • 1ded830b66a15ef7288f088b3b4b1a84fa55bf0700538953614f5e2369128fdc
  • 217d2260555214d8e6e72dd5dd7ade95b206efebdd948ad05a1dd88e4e39730e
  • 33a99f39eb8a1d9fe223b4ca61d21fe8086b2a908e00954959b971868424e46b
  • 35a24d5a55e3d33b0a4d183141758c409b639fcd077cfcd062dc53cb8d03d378
  • 3927bc5e8064ab1fedd6e0b9826aef4fda01e6be3b218b9b482d4ae60d929d67
  • 402a1bd3bd18102d3955b0e5dcab8b76b8c1025fb828d410c1fa93a872a2f1f9
  • 42c74a8a4e195017753e917153702bbd4d6812576cd94f0fc0035bed6aa1ce1f
  • 42ff1fdd87f84e321a4348a5b113ba72634fade79646df750ec72f907d787db9
  • 523de9a89e6d2f5713fcc4b7e3ea1d27fa27d13e5d17a0f08aab6d86d9e2a9b6
  • 55953f034bc3edf5248b9c978916a2eb45bbf641892baffd7744ce0027cdaa2c
  • 5ed8c51ce0a7706599d5f7bbe843fbdb8fed579591012146fb2fbd92bfece4f8
  • 616d166cd0fc20ce5e583b9c0c306833fc4a371214bc9a3b5f9d33deac385c68
  • 781c06eeafa87a7a27b573fde822faae4ac0ebd7a19ad7400ac8595e1a89fcaa
  • 83245b8849c886659767d6227051ea8b48ead681cbe62c12a4557cf8c3a2b61d
  • 934a7d7edf49198d685569e2f5e40e225f90e407a87478243379ef71d7f4f6c2
  • 9653288c0ca91e1b968a39e2f8b2e7c7b5b881e064c0bf2d234ea0b0619911ce
  • b15f383006ceff832ef575057a0a75cba726822864d37aef5feabc43ca316971
  • b41b3a7b83f22af9892cc69801086343924d8ee23f5bf8062cc2748c9301f1a8
  • c08ea9800cdb66012a4adfc3a5bba200f7f1db8cc37f50c133201f5ce46660c3
  • d182a022ed754bb7c963540d0a8d9cd7579b458d4c2057d5f72caeb11566b2b9
  • d3a40ec14f52e1e7e1494ee7e04ad651e38618e29284d3205ec21cef6e9699f2
  • da9f374901e55c225f03ec68dadc672e13e9f0dc36508fe416cec8faf87795af
  • e8c4870bb9d6e7cb597a86c97f2a64c71734aecbd9c72f7302b730dcdeffabe0

Coverage


Screenshots of Detection

AMP



ThreatGrid



Umbrella



Malware



Win.Downloader.Upatre-6726679-0


Indicators of Compromise


Registry Keys
  • N/A
Mutexes
  • N/A
IP Addresses contacted by malware. Does not indicate maliciousness
  • 83[.]136[.]254[.]57
Domain Names contacted by malware. Does not indicate maliciousness
  • cardiffpower[.]com
Files and or directories created
  • %LocalAppData%\Temp\kgfdfjdk.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\kgfdfjdk.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\lrtsdnn.exe
File Hashes
  • 02c04966bbd775626d1738bf454148543e8cc4564ff9f1ba3110395f96b05ab9
  • 031edbb534d9bf394bebf4cc7f64338d7212b05a7a7bf2a75f5348feaeabb9c5
  • 11e046d9a88238806a7458c5f17dfec74c1038dcacb7a345f492f5d9b285255f
  • 1273cdf1e5440ec05d61930132df0152be89eff4e28ac59de8e653022f664579
  • 184e4171672a8eba20a357aabd274a454ed1c71a0aed1efbb028b9676c53ccd3
  • 2556e8e75d5c1cb3f6fd2e716242c991dc9af8138561483993ce179c3d50e48b
  • 2eb229efaa5a043263e6546583c811738d5695a8afbb035f3c76fe80929c18eb
  • 32867f896bd20600c6712759889c031984e933ef1b0b4dfa9e061bfa0b6e994a
  • 4b8d61f0af68f03e586773b1226e635df5f6b2a417c88131885aa4201ad96c6b
  • 4caf12084718881f7d0fee2c4655b7afb8c27803f0c1bbeceb4c48a9532cb3c8
  • 4e07e7190e98511ba11637eeff341227aaed60ca58e96bbd69fd5659f808b56c
  • 6d8fabfefcb131b3535940fab547c10e5de430a079113671d2d09cf0c9582ed1
  • 826a5879182924c1f00f72885583baddcb8cd3ce9596a5bdab44abeea5f02ab9
  • 9c7e51d51513e337bba8b4fcb88264203986e387a8b9d820b9d6a0f2cfca26ef
  • c71f83b153fb1e488930375d7a62eb77c34493f617b415447cd6b6e7cefb68e3
  • f1a99a424971247e557d9f2d6c90e1e27f1c3407ced0913701f5f6bd40cdc4bb

Coverage


Screenshots of Detection

AMP



ThreatGrid



Umbrella



Win.Malware.Cerber-6725830-0


Indicators of Compromise


Registry Keys
  • N/A
Mutexes
  • N/A
IP Addresses contacted by malware. Does not indicate maliciousness
  • N/A
Domain Names contacted by malware. Does not indicate maliciousness
  • ip-api[.]com
  • ipinfo[.]io
  • freegeoip[.]net
Files and or directories created
  • %SystemDrive%\Temp\HncDownload\# DECRYPT MY FILES #.html
  • %SystemDrive%\Temp\HncDownload\# DECRYPT MY FILES #.txt
  • %SystemDrive%\Temp\HncDownload\# DECRYPT MY FILES #.url
  • %SystemDrive%\Temp\HncDownload\# DECRYPT MY FILES #.vbs
  • %SystemDrive%\Temp\HncDownload\Update.log
  • %SystemDrive%\Temp\HncDownload\Rmp7-WGqEy.cerber (copy)
File Hashes
  • 0015a572f00b8ec6f68bb6a3683f7741a1a35d436c868ef545e016a279c7740d
  • 00200aac1922a420afc4390974ad1f099bf86eb6294e757ab22004628f2be226
  • 00528962871098906eb33d0422c1a9b7bdd0cbe481af1bc058d1c2a09793f055
  • 01ef8b829770bea681075ea9b9ad648c5cf8c9db42aba719d921c6841d0ffa6f
  • 04eb627d86eeff6c9314fac423f535d798ed95d3384df9e0944447af7898ab0a
  • 05506752a964566bc3ec936db6da6e577bf3e1c04d2dadb1143cd137ff66e715
  • 059eced85a1c189ec1eceb9cb642e801db20cc61d40782afd7fc479169e0a799
  • 0655f2a8831b5aaece1fe2af39583c6261564a13fffec7354857ae440c824786
  • 065c909c3c855be6646202eaaaad38e47c234be5927f8b635b9e9a0482c99965
  • 06f20532a0285a7e01634e319a78db15d3eb08e39c72ee92412c161be3c87d33
  • 072114ad12468fb6610c20c9912bd40b5e25e0183dab9edff8b93aff79cfa846
  • 078d4a7287160344439bd701f2fbf027c76dbc85e2d9ae98a586d69ebdca712f
  • 07bbda40f1bfd84bc619fdaa05ac029251d919b8bd100f724905400fb107beb7
  • 07d09bac351855dd383ed882657241b3db150d1a24019af08233b1b73795cdb6
  • 081f9d0b1bd3ea8e7b69d0ff6c93c27e9e76c29124cdb539141a439bdb2bf8ab
  • 08b4cd3370515fe4936d3126b12c738b2acd704ce24830119b1d69faef6c7291
  • 08c0234c26c9b8576d428b2fc177ca4e9140ddfae8c213369a86bb4ae2fc4b06
  • 097db35097f7ef2d8b91a517980e399c92e9938208110846561581d2bf5bb96f
  • 09abc80ec4c160755e133f356e909219b2939f78ebb7896973094c78de55f42b
  • 0b07fbacc4450198d6f430bff653791c43417af9e6d11f46b6ac75711e89c2a1
  • 0b4123bc026cc6ac0282295c5d7bd9271514cdc771c9a84e359f3ee5858bf811
  • 0b62139f8be2e7640c17e4c6ddc5c4c7812fd061480ea112718ac5e12ea70838
  • 0bf510cbc1ee26748f285b6dd9f5e8d96b26ba5d732e6f9b1ad4e6b1695292ed
  • 0c90601d82e2725a11bba65b9eb98c2154d6e2b27aa813936e75e7f740128971
  • 0cdc982e7c0fe5c5d9100ff621c424af79ec3dd49e718a454af3a14f9add4c54

Coverage


Screenshots of Detection

AMP




ThreatGrid




Umbrella





Doc.Malware.00536d-6731394-0


Indicators of Compromise


Registry Keys
  • N/A
Mutexes
  • Local\WinSpl64To32Mutex_e162_0_3000
  • Local\MSIMGSIZECacheMutex
  • Local\VERMGMTBlockListFileMutex
  • Local\URLBLOCK_DOWNLOAD_MUTEX
  • Local\URLBLOCK_FILEMAPSWITCH_MUTEX_1860
  • Local\URLBLOCK_HASHFILESWITCH_MUTEX
  • Local\URLBLOCK_FILEMAPSWITCH_MUTEX_576
  • Local\URLBLOCK_FILEMAPSWITCH_MUTEX_1224
  • Local\URLBLOCK_FILEMAPSWITCH_MUTEX_1560
IP Addresses contacted by malware. Does not indicate maliciousness
  • 204[.]79[.]197[.]200
  • 144[.]217[.]0[.]194
  • 54[.]39[.]74[.]124
  • 8[.]208[.]9[.]98
Domain Names contacted by malware. Does not indicate maliciousness
  • tt[.]zicino[.]at
  • doom[.]matr[.]at
  • ovellonist[.]com
  • ut[.]ritpur[.]at
  • app[.]xenope[.]at
  • u2[.]tip5top[.]at
Files and or directories created
  • %LocalAppData%\Temp\~DFA1AFEB97E8C0B1FD.TMP
  • %LocalAppData%\Temp\~DFFFF0E8FCA29DD7E1.TMP
  • %AppData%\20938.exe
  • %AppData%\Microsoft\Office\Recent\346748415.doc.LNK
  • %LocalAppData%\Temp\n3j5vfst.vvc.psm1
  • %AppData%\99fc8a68.exe
  • %LocalAppData%\Temp\1fxpdoag.uzv.ps1
File Hashes
  • 4e6c2a6715fd91a76a06321eebd22430fa47e1a298a12e6d5134327e62215c07
  • 57b3f97cf7f8d8bfc4aef53f82cc1b1e154d7fcad2302048192e44afd47cf07b
  • 6ca1773b14b136dd7b3e7906f73d0d05f21d00e1f829303ac9167454f1b22bee
  • 7ca67da6488d5e5acf74919348ebfe4a780a7f70cc3b49455d0f588a2150ad8e
  • 88fe8fc07008bdbd6a87f96184cc3ced3e2df8a1678d7d145ef6affb62683cbb
  • a3c3656b7c7471d26a98acc02233ef906cb3bc20f4225c81fd3ff07111498ce5
  • a72f70f2b0ea6638b3da69ed3807059ec98bc258deeb17fe3fdfa392b3c606a8
  • c9aade2865566b50d1827c45b070f32c1db891101ed4783fcb471f43fa043958
  • ca9b78bb32da00431081f4385ac85ee341e7e668aa934dbea8f5ab44b9621179
  • ce31ffafe8ea619a703e04f7b16559999530f89ddb8fc78545bcee8f4e3c45ec
  • f6feed4b063c2e25fdaf7af79954d78fbd6db361916f512a8e73f6665f8fb3e4

Coverage


Screenshots of Detection

AMP



ThreatGrid



Umbrella



No comments:

Post a Comment