Friday, February 22, 2019

Threat Roundup for Feb. 15 to Feb. 22


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Feb. 15 and Feb. 22. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

For each threat described below, this blog post only lists 25 of the associated file hashes. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. As always, please remember that all IOCs contained in this document are indicators, and one single IOC does not indicated maliciousness.

The most prevalent threats highlighted in this roundup are:

  • Doc.Downloader.Emotet-6861668-0
    Downloader
    Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a wide variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails.
     
  • Win.Packed.Nymaim-6860565-0
    Packed
    Nymaim is malware that can be used to deliver ransomware and other malicious payloads. It uses a domain generation algorithm to generate potential command and control (C2) domains to connect to additional payloads.
     
  • Win.Malware.Icloader-6860563-0
    Malware
    Icloader is a generic malware that largely behaves like adware. The samples are packed and have evasive checks to hinder the analysis and conceal the real activities. This family can inject code in the address space of other processes and upload files to a remote server.
     
  • Win.Malware.Bublik-6860562-0
    Malware
    Bublik is a downloader that targets Windows hosts. Although it's primarily used as malware to distribute various banking trojans, it's also capable of extracting and exfiltrating sensitive information from the host.
     
  • Win.Ransomware.Razy-6860532-0
    Ransomware
    Razy is oftentimes a generic detection name for a Windows trojan. They collect sensitive information from the infected host, format and encrypt the data, and send it to a C2 server. In this case, some of the samples in certain identified clusters can be attributed as Cerber samples, although the detection remains the same.
     
  • Win.Worm.Vobfus-6860533-0
    Worm
    Vobfus is a worm that copies itself to external drives and attempts to gain automatic code execution via autorun.inf files. It also modifies the registry so that it will launch when the system is booted. Once installed, it attempts to download follow-on malware from its command and control (C2) servers.
     

Threats

Doc.Downloader.Emotet-6861668-0


Indicators of Compromise


Registry Keys
  • N/A
Mutexes
  • Global\PowerShell_CommandAnalysis_Lock_S-1-5-21-2580483871-590521980-3826313501-500
IP Addresses contacted by malware. Does not indicate maliciousness
  • 189[.]236[.]235[.]73
  • 70[.]184[.]86[.]103
  • 76[.]113[.]130[.]72
  • 117[.]52[.]20[.]53
  • 66[.]216[.]234[.]131
Domain Names contacted by malware. Does not indicate maliciousness
  • bazee365[.]com
  • serhatevren[.]godohosting[.]com
  • mediarox[.]com
Files and or directories created
  • %UserProfile%\405.exe
  • %WinDir%\SysWOW64\E7LYsu6obSo.exe
  • %LocalAppData%\Temp\kfcdv0jf.wos.psm1
  • %LocalAppData%\Temp\lu4nllxj.0of.ps1
  • %UserProfile%\Documents\20190218\PowerShell_transcript.PC.gVgu3PJN.20190218204843.txt
File Hashes
  • 0349453748c3c3fe4631e5c17665a702f7ca1ba8cc2c7508a91d686e17d41098
  • 069185a0da074e0ece155c5cda364e5092b2573131fdc2c95002b18c44937a1d
  • 0946a30abd52ef463b6a390efba6595d2a7917df95d3739df77e3ca57d1ecc8b
  • 0966f1271c4cdd0f66bca3520ffe406d4ba14aaa06a7b14aa505c78958fead20
  • 09fe30dd8b953d25af163fc4db119afd7387cc4b5109f331e1651927bf61cc63
  • 0a091593757cd2d16b4ca2ed1806b73f1222f4367d6d78e0df8ee98c247ef1f6
  • 0b6003563af9034d9a22f96adb0559f04b3753d0d4d9e6e76dd49504a427317e
  • 0f25037f951fd8f0f1c2f4b94ec84d3aa8daa3f7d5774056136769ecb800dc6e
  • 106b4d87576a07cc74f8ba9519d9730b50dc7309e69d0e7764822af981d98e61
  • 1328ac0cb151437871e7f39f72b20c13fb9fc292adb78054f30a8f958404e4c6
  • 1caa72377c62835653e1c1b062e418c62b689f8b6e600b739201a1300bae1bf5
  • 265a6869c2a2f0b3f35b316eda5e78492ae2a574530c39a1673845245a342d67
  • 27b0bd35f9ee7752e45d40707a3a777d20c8563e7067007101ec8de9d1c271da
  • 2a1ca1f2eb72dd935b9ae4594eb332d9ee7363b70f1fa40e6b3a1a4dbdb44e1f
  • 2cc2fbcac3c4262c49e3ad49903d4e9ebc5fbaaf9a2ad65ff53f808380b70a12
  • 2dda30d522c1b72d38f8609a3bde18de25aa57ad7ba7d90cffdfc0db5cf6e977
  • 327c64ca7348a0e2e4651a332776d10216cd77f77761766a12094cabe446ca4d
  • 335b40ff58a6cf92f16ad95349e2cb9dc42d71654cebaff642fbbc168749bf26
  • 380111d3408eed7a855ef759d4304570286eb4478d35b0ad1f35cb17b853b353
  • 4392d56f6bda858b04d0a4cfe1112fba4a80c56bd916618b804e02b703465dea
  • 4a5fe09fd3f776a86ecdbfdd0c6fe9abfd962a16444ec8bdd2dd03704fbdac6d
  • 4bc0ebf4e04816770e0176a8f1ba04404a6d8b09150d21bcfaf3387ffed06606
  • 4be4a46ef25e71de87371345da22d043385a72a479adf2ed56326cd69b2d500d
  • 4db8c7a64afa55409a39042cd1ba8561230da23185f0b62a6e2243ad3efef4be
  • 52a1a1863cc969cd93d48371e9d24e59cb691a8442477a4d8b1c25c51e71eb13

Coverage


Screenshots of Detection

AMP


ThreatGrid






Umbrella



Malware





Win.Packed.Nymaim-6860565-0


Indicators of Compromise


Registry Keys
  • N/A
Mutexes
  • N/A
IP Addresses contacted by malware. Does not indicate maliciousness
  • N/A
Domain Names contacted by malware. Does not indicate maliciousness
  • wmmjykpublbk[.]com
  • yvnnzvdcqs[.]com
  • yugejra[.]in
  • xriuhkmec[.]pw
  • zhvar[.]net
Files and or directories created
  • %AllUsersProfile%\ph
  • %AllUsersProfile%\ph\eqdw.dbc
  • %AllUsersProfile%\ph\fktiipx.ftf
  • %LocalAppData%\Temp\gocf.ksv
  • %LocalAppData%\Temp\kpqlnn.iuy
File Hashes
  • 016fcb5281374301a886e62512c80bace5093baa28317392fa47b41c3fc9c209
  • 04f643c92239dd1c24928a3da8a7ffc6974223fdce4c64f74ed16f77e606d1a9
  • 06fa8ba73421f80a6b6a872832bc5fd37dd045280dfbab48d18af291c4f3a0b6
  • 086685fc1ad9812ad986639b77db52cf570c63fef36b6220dfae184a4da20aa9
  • 0e37a6e0bc2078eb99991da03dd81d85a169b0646637b8d16240887e8fb50f57
  • 0fd6c83045db3b972b5329f11e6160251b53d1cbbf61f8b065421b8231982f2c
  • 0ff32246d64c9529c01cd62b5ce2474ba77f11422d4aa14becf0b34ebc1d9b40
  • 139572026f38ccfb8fb615a0a202d9b315cca46bb0ae31870e60aaa1b7db1d23
  • 1655c03b41b2a5ac72829eb3b4867de87c3643f2e7cdaefb9e88392f8dff916d
  • 175398f6a76bfb59c31c9c46c2d7c452be9f146451197042c5e0ef39a42f07b8
  • 179c96674980e6ed485fe00d82141c3729274b5d6e13129801d445c981264e23
  • 1a47d3a4951a6955fee9f29e0e6629b6e29dd4db58378e7ffa8aca948688175e
  • 1b6d29d704243956e14ea5a259398b9e0b52544bc8ba3b6ca1c172273416517b
  • 1cb1a09aec8926e8df8dd7edb1ccc63ea7192330ee36704ae3b2b706a6630cb8
  • 1d99c9bfce431b2422370607430efd5b155b76ad58dc615d79076b8e0f2a7e6a
  • 1e07e0277acf86c37ef6753ba1a2532e933044c7656ecc063c236c585b83c26f
  • 1e5d95ea42bfc038d4513fa688336cd73622ed707ed188d66aed4cf6ac1086a1
  • 1eec7c86d30be19611b16bd5e17fd747da9df96fa2907ca23acf1801b6c383c9
  • 20d599362a7f80b9964569df6e07d2f18e434be47fc01dafa7e7d73831677a42
  • 216a5552de53349bbaee2f121538c7b66783f1752a3d190f5b978fae27a77ed0
  • 21c85e5768071487832d29e9661f68033e9f7baa30597535ded88439cb67796b
  • 231d98cb92d4affea6db88d42b31f8b0d001a933c97ce2e670423fc1d185d6fe
  • 2361248d5291c923b8763530dd5c551accda742d6e7d15660534ab56aff11ffe
  • 23e28028a5392440dc99a040a0043cb3de50bdd678ed26777b72437819657d14
  • 2472ef7f75de9881f4c6269de9093721147918a3ae94fed19e8078d9f42695ce

Coverage


Screenshots of Detection

AMP


ThreatGrid






Umbrella



Win.Malware.Icloader-6860563-0


Indicators of Compromise


Registry Keys
  • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\localNETService
Mutexes
  • N/A
IP Addresses contacted by malware. Does not indicate maliciousness
  • N/A
Domain Names contacted by malware. Does not indicate maliciousness
  • N/A
Files and or directories created
  • %AllUsersProfile%\localNETService\localNETService.exe
  • %LocalAppData%\Temp\tsc131118.dat
File Hashes
  • 01d804f3bb30a0082396eaecdcdd0e9e329ea3ee585b8e0fa4f24210be9b644e
  • 02f50ce46cb615461dbf0edf1b795f76a0cd8e9126ef8938a6a02266a98ecbbc
  • 0827b4fed47eb0605a345f1e733b3b1937756c28254913fc8a36d4ba28b83541
  • 0d572da25a4bc1db88843cc8610fe56e4a336dbe322c26248b594f7622113cf5
  • 0e3a72fdb86ff31b61661a473db0863143c0f7c8e8aa659b7cf318ec6756e1ab
  • 0ef73d5cc5afb4c6ad73cfd27724af99b562e0dab76485aa73414bd25fa0eac0
  • 106b0659bddd2b26246fc00b929e8004dffe15fb9389fc7bae7cc1bec7f76a62
  • 164966f0b65f4c0816a6b2af88f4846f15e92b0c2f4b76dee98baf875e4deede
  • 20b1446c4d8190ecd749d995113c5bc6ce8375da14c73f7ee3c8f717e6d42e07
  • 288a80d10c4d1a42eef45f92c1fd786009c10f8a54b1cebdf6790c6f1d0b06b8
  • 29fb858feaf6614d5e5eccf68f7fe3446b11fcac0067b2bd1e24a53a23f2b9cc
  • 2d7bda9823c838009d950022e78b9abf49246be6dd25c72c32eae10f43276c3b
  • 2fa1d8b8719ea8528bde7c3ecd421d79a1e5ecf63612ec52b4c8cedfb5f6e1ed
  • 2feec8571fb27548f20dc65efa838283c0f7be39dd8502bacd7472148f1f32b1
  • 30361d76097bc679434e488157c98625d6961a936340947894f7f105c3d406b0
  • 338d97248b5ff7489157822d0b0c413d550a46ce6da712e2fb838290bf7697a5
  • 34099d3b62bb8baefde01a72f6921063d81dcd33c2512df3755aedd5524f19cf
  • 349c06fedb963107c3dc825075c9517eb05df25091bcbb9d6407843b745409da
  • 36064556c3b25426b42b43e8ebdd7b9ca3b6d02a54f0eb20ccbce62e4818a6da
  • 39afaf2f57b8a1c6ed2ebe4072d0e81832d94d31e1c1f3a016cd65b500e14d62
  • 3c603d3673c795fc13f7440c38908ea9cc4283a3d79e9f03bf2bb775162e0a8d
  • 465fa07297f1aefff4acdc99cdc1e17583f57d29a0437f21e94c967ee2b6e838
  • 4c4807efed90553e868ef794b9d7218ab7a635c1d95f6e56c45b8c0e6ecb1bee
  • 4ca27d52b58f33e8a99d68509cb9487417844ea5501056177ebac910eb329c1f
  • 4eb6179bff74cbc8625448c010aeabadf5bb7ee1fe1329e80f54f062f67af426

Coverage


Screenshots of Detection

AMP



ThreatGrid


Win.Malware.Bublik-6860562-0


Indicators of Compromise


Registry Keys
  • <A>\{32DE27EC-AB30-11E8-A007-00501E3AE7B5}\DEFAULTOBJECTSTORE\IndexTable
  • <A>\{32DE27EC-AB30-11E8-A007-00501E3AE7B5}\DEFAULTOBJECTSTORE\LruList
  • <A>\{32DE27EC-AB30-11E8-A007-00501E3AE7B5}\DEFAULTOBJECTSTORE\LRULIST\00000000000029D3
Mutexes
  • Global\e02ef461-32f6-11e9-a007-00501e3ae7b5
IP Addresses contacted by malware. Does not indicate maliciousness
  • N/A
Domain Names contacted by malware. Does not indicate maliciousness
  • N/A
Files and or directories created
  • %LocalAppData%\CrashDumps
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7A9E.dmp
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7e9a_appcompat.txt
File Hashes
  • 0077f54220e81d1351a81a51f7089e1e0344b0e0c7e1db2baed69fc42d212eef
  • 02f3a6dd7ec83508d644551b34f082a47597d91b70befc75662fa7afd2c1a4b8
  • 0f155a227bf791b43ee66c51e5c3d6ff7edb46a70476239e7e3eac2af083b942
  • 253c1e82213e8075144aaa722abe1786110d36c845f3ab62a67383ac53d33298
  • 2565901fbf675dc8bf6bcff213ddde8f274a96f016dad4ed8d6bb04131fe2ae3
  • 2623f7ef229170bed9265f02b4570b272b2913154800d42a493404d8fb412500
  • 267298bf98507e02c999c1d38407d3f295d86f48f40e98fd33e8735861886011
  • 3244e9cc8b1d9d3cc7d5073544bfa675876d423e57edadbcb033b949a8c811c0
  • 327ffee4d88231c1b3efed3baed72a736fe7e1a3cacd02a83059774dca35e9e2
  • 34e85051b9718edc52253faccd1a85e09ccdb118ae289a24c5b3eb660abd4b63
  • 39854854e613965c6cf22e0380163f187867e6d1e25b8b85890c62fab1cf0224
  • 3ab69a728aafea29c3a1de3a419efd93b889aafc7eacaeb3a3f9d7c632dfa8c1
  • 3ee8339543fd72e79f03c5878520e9d0058e11ee49765e9ca73a7236e9c7b8ce
  • 4342cc9cb045b6c87fb822345e7dee6d9e46bec385de4ae7be1ff6ce6061572f
  • 444dd5b17528c2dbd05d8afb1bf633b4cde0855deb0338a52a17df67e7efcf06
  • 4c56d62c2af1fda0af9be1f377ad7d737e7db306e7dc684df5a7c0163f10ebf2
  • 4de35a78adab9e0f79a88a1452916719f42641155de80f6c90e5a152561cdaa3
  • 4f011f91715575b91312eb8a29509d9c2aa4950127efc98e88d44d08ce143efc
  • 52a6cbca15c3805effa45b474a732f9b74d38d35a78e3763380735cc6a685f63
  • 5a73cda9b407ce518c1d5a9c4965d6287e2e2b4193e8fa702542c684c050c130
  • 6fd9000a376b03dac177252a2e2879aa70c3f3365fff351d637f7b36aa2df385
  • 7081050e0504735e2f48c098f5758a5a01c8972011478b6c5b2fcc5e33ea4932
  • 8265acaed3a210ec5999474da742f447a23b407d5a0bc9ce1c42a48f609e6b61
  • 852d1d4ee1c4a04fc7ea5b849d6c663725fa89ae6358e251325c636e81a47a5b
  • 895e9a298dce50a19cd158de7f8a504d07948713a042e356d4207d6650815fd0

Coverage


Screenshots of Detection

AMP





ThreatGrid


Win.Ransomware.Razy-6860532-0


Indicators of Compromise


Registry Keys
  • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\NAPAGENT\LOCALCONFIG\Enroll\HcsGroups
Mutexes
  • Global\3a886eb8-fe40-4d0a-b78b-9e0bcb683fb7
  • shell.{381828AA-8B28-3374-1B67-35680555C5EF}
IP Addresses contacted by malware. Does not indicate maliciousness
  • 178[.]33[.]163[.]80
Domain Names contacted by malware. Does not indicate maliciousness
  • hjhqmbxyinislkkt[.]1j9r76[.]top
  • hjhqmbxyinislkkt[.]1bxzyr[.]top
Files and or directories created
  • %UserProfile%\documents\_R_E_A_D___T_H_I_S___9FWW7OX_.txt
  • %UserProfile%\documents\_R_E_A_D___T_H_I_S___MHSXUD0_.hta
File Hashes
  • 00cd7c1116f489b0cb66d67b3fde935928f891ae96656b6cba08563e3bc37e36
  • 00d74b27e8660696a3e9f23585fd484e01c96c6ce6fed3a06082adffea90423c
  • 01b9a1ab489f0499eeb7e8d67d75b42faad1c6fe6f4a1e4353f2e79c5d92f5cd
  • 02b7190116a9bb98467f28d92495c1bee74c60af05fb58fff8199909260bacd9
  • 04331cdca654e951f24f524d5d624f7137a197c99ab63aa9aafab67b56fec248
  • 05863f8c9b9608169db2678d0cae1bce91a80819c091b9b762dd05cab2dac6ce
  • 05c0678a044fab83eb77232a298f9114df78b1084b709a2dae59fded201919e4
  • 071e548c39279c6ca7fed247213cd877ddf2fa106e5b8892a85cad4d2605ade0
  • 07a40a71471037198a9e8c5c5a4e45e52115f772f598a2db0eb8bb187c914c40
  • 07ce564ba06045026ce86faa30ff216f21398427e300131f202896441fbdf1fb
  • 07d6477d260ce2bc3477902ece2c2bb6e290f1b36f04594c40292b049d42c6fb
  • 08b07947fdf606f894e94678574056641da5db8f4db7f5774449fd21bebad29d
  • 09fffb50fd033e16a63834d62e2ab5b3227abc57252e87509398cf6ad8b06458
  • 0ae803d152f2cb6bb68e10c0c9244b4aac63a11a43153f2285c2b674fe9fc657
  • 0b77399249b1ce25a8e408de81e3e46951a5eed52043069d1e48a407c0a05a47
  • 0bd766bfedd04e188ee3885d523f6cd170d0c36bc159bb82d3772b51d8a36022
  • 0c26799f75d7d16b8ebdf13ec6940cf3182af53e9cd451540901769380de6079
  • 0d5d73215146991e0b32224281c6b8bc01248674f993d5d9fc90f5bed45d0d2e
  • 0e23f0c0cab7a1e82a2909ee3abce4f88dbd7c54b7a748bd7966b9b1997ed09b
  • 0f5d5c8840b06cf60283ad399e55b6bbe7f20edcfb26d332fa72c4103e155e68
  • 1360e01b934cbc6ba2db60091ee38fd23efc5321a5aaf17563dc61a7824cad96
  • 144506736eac91ec05d88315c8b74f2582a5238e48b41a716d55190b5942befc
  • 16256930f1ee4e254193804f4741a81b427537e666aced7ff823ed582359ce2d
  • 165010fd8c29e7947144e776dbe81a84816a322c29c72ac21dbf6d436648e382
  • 17304b3bfb5ab40bc65b53ec39294bdbaa8e032dff44f2032a0b5a7c0b96879f

Coverage


Screenshots of Detection

AMP



ThreatGrid




Umbrella



Malware



Win.Worm.Vobfus-6860533-0


Indicators of Compromise


Registry Keys
  • N/A
Mutexes
  • Local\ZonesLockedCacheCounterMutex
IP Addresses contacted by malware. Does not indicate maliciousness
  • N/A
Domain Names contacted by malware. Does not indicate maliciousness
  • 49161[.]dnst2[.]net
  • 49161[.]DNST2[.]NET
  • 88818[.]dnst2[.]net
Files and or directories created
  • N/A
File Hashes
  • 002c51db9009f2207dd0398defbc9a9f391f327f07105b19ea5c7c9c69ffd674
  • 0096449116e4ebcd77a9e7c43723e793765974813475ed99aac513bc3d71b5b5
  • 012ce7db1325159874f9b8925e524ce18b2c62dd230f1b2a674543bd74856137
  • 0133c6d934996d6ea32ef17d0a6df96dc86a4b45d9e51e702230b167d87a9ed7
  • 02b3e2b1723573274b6e91e53cd973ed8d5e242f3ddb44369deac8cfb2368778
  • 06ef151d2aab329341ce68ce7a8b2e7c3b463ca940f47cdd6ce51a864af3266d
  • 075e36642d1e37cc11c500a2cd2f3ad3fb2af73bce45a1b6e905078f00adac18
  • 098cee9f87724372cad66c0d7797c8f3cc6832aded95235513799aa8f6061d2c
  • 0b7af27bf47a48843e14aae81cd6f8c99e82da02c352f34d50d0fb2cca03b66f
  • 11ef099b691e051efb1eca27aa5d8606157b0e7f0eb83216733e48f82c52ffc1
  • 139c385377c85ac709c77857adfbed6ac46e0e5f57e4b947d730ab871cea6154
  • 1b456b78b84fcc6137bc85f0203e29e558c3888c74d610a0ecce19c9008197d4
  • 1da4ccd179876bcc378ebc4b1f3597e393e3b976cd0f0a7c24c51b9855d3fa91
  • 21cc803b77f7413c781bcc21a7681470ad926289c28f6d126efb899aac482988
  • 21ecefddb6898cc39ae277c119f47a84869afa5a798e70dcb58059dcb75c87bb
  • 25fd3bf11d2ab30e74ccb67cc0ba7563ccbd0a1502b077da80d13239c9ea3b02
  • 269f9b6e264729a3ff2c71abcb320e07d4ff4e76acf6be1b294c6a4b687beebd
  • 27d60e838ac4e142d5799628e95138a959bdc9358af047937f1d42f45ab093ca
  • 27e3fb1689f0fb0ab76d217909cd52a78dd290ce12a13ffe234542c675769eeb
  • 283293ffdb4838e037561e8ac0df74cdd9181ef046ffb3e5ae0ae2d3614f4b27
  • 2d2fab79f6d87e2994a60e3a982804fb8d05aa75dc13e9b4bdc9705a9db6247a
  • 2d60ca16f74ffe613981c2c27d40992f3d309cbe7b4a693f1fb632590f06e278
  • 2f3f0fabb06ce1a8d3c5bc6c120473a2f597f4050fd4b92747c766ac3af07881
  • 30755cf5b6934d725fd87dc667fe82b3fd4964d6c55cfdcb327a29e95dd3435d
  • 313fbcc0ce24e2c0d2c5c6870842feac4f1f2722101037f0c421ac0a9185ea16

Coverage


Screenshots of Detection

AMP


ThreatGrid




No comments:

Post a Comment