Friday, March 22, 2019

Threat Roundup for March 15 to March 22


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between March 15 and March 22. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

For each threat described below, this blog post only lists 25 of the associated file hashes. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. As always, please remember that all IOCs contained in this document are indicators, and one single IOC does not indicated maliciousness.

The most prevalent threats highlighted in this roundup are:

  • Win.Ransomware.Gandcrab-6900355-0
    Ransomware
    GandCrab is ransomware that encrypts documents, photos, databases and other important files using the file extension ".GDCB", ".CRAB" or ".KRAB". GandCrab is spread through both traditional spam campaigns, as well as multiple exploit kits, including Rig and GrandSoft.
     
  • Win.Trojan.Remcos-6898089-0
    Trojan
    Remcos is a remote access trojan (RAT) that allows attackers to execute commands on the infected host, log keystrokes, interact with a webcam, and capture screenshots. Remcos is commonly delivered through Microsoft Office Documents with macros, sent as attachments on malicious emails.
     
  • Win.Malware.Autoit-6897734-0
    Malware
    Autoit is a malware family leveraging the well-known AutoIT automation tool, widely used by system administrators. AutoIT exposes a rich scripting language that allows to write fully functional malicious software. This family will install itself on the system and contact a C2 server to receive additional instructions.
     
  • Win.Ransomware.Cerber-6896901-0
    Ransomware
    Cerber is ransomware that encrypts documents, photos, databases and other important files using the file extension ".cerber."
     
  • Win.Malware.Zbot-6896522-0
    Malware
    Zbot, also known as Zeus, is trojan that steals information such as banking credentials using a variety of methods, including key-logging and form-grabbing.
     
  • Win.Malware.Ursnif-6896385-0
    Malware
    Ursnif is used to steal sensitive information from an infected host and can also act as a malware downloader. It is commonly spread through malicious emails or exploit kits.
     
  • Win.Packed.Kovter-6895460-0
    Packed
    Kovter is known for its fileless persistence mechanism. This family of malware creates several malicious registry entries that store its malicious code. Kovter is capable of reinfecting a system even if the file system has been cleaned of the infection. Kovter has been used in the past to spread ransomware and click-fraud malware.
     
  • Win.Malware.Upatre-6894504-0
    Malware
    Upatre is a trojan that is often delivered through spam emails with malicious attachments or links. It is known to be a downloader and installer for other malware.
     
  • Doc.Downloader.Emotet-6894115-0
    Downloader
    Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a wide variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails.
     
  • Win.Trojan.NetWire-6893426-1
    Trojan
    NetWire is a remote access trojan (RAT) that allows attackers to execute commands on the infected host, log keystrokes, interact with a webcam, remote desktop, and read data from connected USB devices. NetWire is commonly delivered through Microsoft Office documents with macros, sent as attachments on malicious emails.
     

Threats

Win.Ransomware.Gandcrab-6900355-0


Indicators of Compromise


Registry Keys
  • <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
    • Value Name: xbnykvblxlz
Mutexes
  • N/A
IP Addresses contacted by malware. Does not indicate maliciousness
  • 66[.]171[.]248[.]178
Domain Names contacted by malware. Does not indicate maliciousness
  • carder[.]bit
  • ransomware[.]bit
  • ns2[.]wowservers[.]ru
Files and or directories created
  • %AppData%\Microsoft\jfwwxp.exe
File Hashes
  • 19b5f589a31dd4b6fd6fcda9e529f04adee6628740cfb4354b7fde94ca4c8fe8
  • 2870e29273fac8161c571505e2081afe0aa8c9e198150923f9efcb15a0379e66
  • 31bbc9f6a7d5b5c248c6379afcf7c7026fb0f3b521016d918edba1fad085a9cc
  • 3e9ae9bb1061f2335cbca35ddfe71f7b93d8ff14a79c362b7a5e22a3c19f5af0
  • 3f18aeab0f40e3f957807fdb6142cafcfd4faeac39b0f31df9e869cca981cb70
  • 5a6f4af9f4c0230111b39ff7cf127db182738ed735fa72183f935f272491b53d
  • 635cd9d2065acf51745629ff92e41c8b331d25376868cfde5ec3dfab91cd0026
  • 961b6caacf88d67139309a5dbec806301a1e7fc8eec7db166d9d0d0120346cad
  • a8d145d01780227cecb322d69d173248c122c5c5b5ffe74c28e1ef89958b4dd7
  • c4e78e775a53a51eefc2b5dd4ce161bd1794119a02481e03b9917aba5279d9c0
  • cfb324eb0b95048aa3248b4475902e575da996b63ff86cf78211424ec8c1c561
  • e43d30708069f2ec0b0237144b23e2d337521174530caefd04728fcc0cbbfd6e
  • fcefe7d20db180411dd0f1ae2749e622738d9b8e6cca09a01b870551823ccbd3

Coverage


Screenshots of Detection

AMP



ThreatGrid




Umbrella




Win.Trojan.Remcos-6898089-0


Indicators of Compromise


Registry Keys
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    • Value Name: internat.exe
  • <HKCU>\SOFTWARE\IYFIZFIFK-HKLTVU
    • Value Name: exepath
  • <HKCU>\SOFTWARE\IYFIZFIFK-HKLTVU
    • Value Name: licence
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    • Value Name: Wordpads
Mutexes
  • Remcos_Mutex_Inj
  • iyfizfifk-HKLTVU
IP Addresses contacted by malware. Does not indicate maliciousness
  • 194[.]5[.]98[.]147
  • 103[.]200[.]5[.]128
Domain Names contacted by malware. Does not indicate maliciousness
  • N/A
Files and or directories created
  • %LocalAppData%\Temp\install.vbs
  • %TEMP%\pyrogenetic.exe
  • %TEMP%\pyrogenetic.vbs
  • %ProgramFiles%\Wordpads\Wordpads.exe
File Hashes
  • 0a1d151c7170baace5e771feb217ee3a685f8af2ddf5c51571d321b2253fa48a
  • 2b6ea3f861899440039f30018f2593a3202b27e3a7f7adec5d5a3703dce3ed59
  • 2c125850f874973b605b04f2ca76d4ae3476bd495890a55f1be3d74de4ca5015
  • 2ea12c4cf9c0c9a3926e0f77333a5e74faf1f4956ab4a599bfd1be6410a4a348
  • 34ce4dbec1155384abd4eab34fa0bc7ca1ead6ae2c4be9a54299e051100245fa
  • 55f209afba93e7a881ad14761b1349349548843a388af32e084a58fe51bc1d34
  • 616ece9b51f1fead02cbc893af7f76240a84a39a9096b4d6cdb066b6ad8a7f4d
  • 786fd0f58b0731ae1326c434ff77bb3f40405dc0fd9f2814d8b41265325920de
  • b76d7be62eb4b198c540220e8b697e01fa80e42465ba314992002175b6593bae
  • bdeea19cc4255537c110faa58fb74721e6503d8815cc62b0fe14a77eba0c4bef
  • c4d675f3f5941b6488fc4c3ecf540c106ef21aa8b8be858cd9ed750888947032
  • c5d8569dbe75f1725774befcd82f1f0cabd8baf07759d60f9b2691870954408f
  • d414046e1fa2ab58f5cb5ea84db538bec4ccff435a7d7c2aab826ebfd584a518
  • dcedf388c083bb55821749ed00e80c96e2aef01fe0e1a26bfdba8b9b8b3d1556
  • e6d04db2794d86b03d8deb2d8c902f76dda946240dc8fbc82d7509c722fa571a
  • e8649923e071a79f7810eddb32257d5782e39428da217cd5aa34af4c821cb0f6
  • fa73eb7829ef969e79d43f647136bdcac25a9b3739961b0653e7bab640966f12

Coverage


Screenshots of Detection

AMP



ThreatGrid



Win.Malware.Autoit-6897734-0


Indicators of Compromise


Registry Keys
  • N/A
Mutexes
  • altspace
IP Addresses contacted by malware. Does not indicate maliciousness
  • N/A
Domain Names contacted by malware. Does not indicate maliciousness
  • charlesprofile[.]website
Files and or directories created
  • %UserProfile%\archiveint\adalsql.exe
  • %System32%\Tasks\Gfxv4_0
File Hashes
  • 0df27d70990f8b8ec8b3df25cf1eb9666bf92526095da227080a0372c60aa588
  • 287d43060fcca28466206776b5a147e83d3fd7de4230f1cd909953daa12d0156
  • 43e9ecb0c189695bbb533ec47746edf76778aa1a8b0266f5ac267f79f5cef03d
  • 4634ecfa0699f7408c84fc3c2cdb42601d372777237eec1fe0a58868ef693c1a
  • 5721c80fb52b4db900819b1738db0ad82c502eb7d79e152edb9f2e371f3c9664
  • 6635eb7fc5c7c454b6c5c19018820e249318c34305420cf27392c171df491635
  • 6b327d6a88a18c1167637a8878bf441cfcf567e9c1e19a95c27b93c16e69b45e
  • 7642637e654417d9add1a62ac596cb8d1d84f793749e9e4cc92a117e33d56133
  • 87d5cafaf2e1bb5f56caa5aebd24fbf9941db0e079ba854fb9aaf3bce4c819b2
  • 93cfe8d255a490ac9f173ceb7618a019a25b9246b87e0493acaa20dda799950c
  • d8c4ea9786f6ddc62da7b3555b3efb138ca0c4a0348be83ecec060618db2c276
  • e4503c499e82fa0bce07fd10fdcf132d4a0933d309973b94823366d97a05c4e6
  • e48da123e2e08dd9f62abb56e630b8edfe4ea7977149bda53522bebacfb10d00
  • f51011fa1fbfdf0be75a9300931d33b850b601a01d1a4bfab33c346e3fdde5f2
  • f5bbc3ec89ae91eb6a25cbdb66c4a95b1756298815a50a9e0ce2f27ba57a878f
  • f95c285f6632fecd805fab3e79d018ab4e34e2c230adac317a94ca55b15fd35b

Coverage


Screenshots of Detection

AMP



ThreatGrid



Umbrella



Win.Ransomware.Cerber-6896901-0


Indicators of Compromise


Registry Keys
  • <HKCU>\CONTROL PANEL\DESKTOP
    • Value Name: SCRNSAVE.EXE
Mutexes
  • shell.{381828AA-8B28-3374-1B67-35680555C5EF}
IP Addresses contacted by malware. Does not indicate maliciousness
  • N/A
Domain Names contacted by malware. Does not indicate maliciousness
  • cerberhhyed5frqa[.]vmfu48[.]win
Files and or directories created
  • %SystemDrive%\Documents and Settings\All Users\# DECRYPT MY FILES #.html
  • %SystemDrive%\Documents and Settings\All Users\# DECRYPT MY FILES #.txt
  • %SystemDrive%\Documents and Settings\All Users\# DECRYPT MY FILES #.url
  • %SystemDrive%\Documents and Settings\All Users\# DECRYPT MY FILES #.vbs
  • %AppData%\Microsoft\Internet Explorer\apXmmhm1Ka.cerber (copy)
  • %AllUsersProfile%\Microsoft\Dr Watson\tMYvM36CEP.cerber (copy)
File Hashes
  • 001b33940ee8465748b743f0df809eae3a2a08a78af15243312584cce53393c1
  • 01906006204a9a84fd0dd7d061aacbb093d09a8192c65cc55e3be6edd164c908
  • 02f66c7648b064b49da5218664d1f5abbe954c6a02f46db9dac77358a0d9b92f
  • 0830faf3346becd79a49df77f0d181c66bed86d1771622f0b8315e288ba29e77
  • 0affee8e0b6dce3ec8c453b6a7ac92648bea9006a63c77b7efd36537adabf5b4
  • 0d899afe8df44ba83ee7b02f621100ed721dd0bd9411d6d0a6e3935baa65cc0f
  • 0df1130e9f23b007643dd0ed3375528cb08d0496b195401078fbd27d2fa5de10
  • 0f3c4c70da6c8a58c0f6844eabc40773e0622f8a1e3f13370538112634ae0079
  • 127d0879d93ff4fb65ff40d723480e62e0144483f4be7da0a739ceae9c446d3f
  • 133a9faa5bd0bd157660e67bf208cdea7cde346836df7ed3f0619edf9e652313
  • 1ab65651d3c70301f55f31fa294e215b1c72e9aa7f87d894e493b5e25d2d35d2
  • 1ad4afdcb9a62b69473149a0e70c38822be0f566b6759922f730c074bffcd09c
  • 1cd3e3a997e017a9ad7883dbee9ba8c71f416e56e1113c96d13290dd998ad8da
  • 1df2e8bb31a42361b916a71aa2e816dcc7279b93a80b2613d5dd8681f007cec1
  • 20e0fc147c170e25c8ba1dbb4e6d0dcafa6771659ba101b67e5b2176d41fb81e
  • 2232654770e8440f3d4629753cc78bcc97b054c5df003ac3908da5b20d058659
  • 2b5295639ab89940a16a9b7dc80f7eefbe065fd0bcbdb7d1c783cebd93dd9db8
  • 2dae95760c360eadeba55f370e3e78e9761f436539ffc3cc1e8e91395722ab4b
  • 2e87382ab956e8db123f80f8ecffeb61c4461b5c77d6deed2952c68b9a96f3d8
  • 2ffc4d2116734e50078268c07b7b972d9d127e9d83513d331d13788c7c941990
  • 31235847a5b061a60d79ad9f634455bfc95ce68667ec4df1fc479d147c794649
  • 320281163724c2d356f3ba9e7ccab33fa06b584f841dcbed783cb65432f1498c
  • 3374ca6683d9bb5434fa192eebe615ba6a609cbd8063c47eca42c47bb480e886
  • 3444fa109868538f1b25a0b4e1e8b1b8545ae88e0dc4a71161e64a868826d301
  • 369dc38935f947829cfa4c85e8262a594ef9bd1ece3479c980d90e62ebfeea68

Coverage


Screenshots of Detection

AMP




Umbrella



Malware



Win.Malware.Zbot-6896522-0


Indicators of Compromise


Registry Keys
  • <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS
    • Value Name: AppInit_DLLs
Mutexes
  • N/A
IP Addresses contacted by malware. Does not indicate maliciousness
  • 216[.]218[.]206[.]69
Domain Names contacted by malware. Does not indicate maliciousness
  • N/A
Files and or directories created
  • %SystemDrive%\PROGRA~3\Mozilla\thfirxd.exe
  • %System32%\Tasks\aybbmte
  • %SystemDrive%\PROGRA~3\Mozilla\lygbwac.dll
File Hashes
  • 00ffecb86e72d9357a6bbd15b6354fc9213033f748d9b51b597fcc365a9e1f7d
  • 010d598fc0465864690982eec5f30ef48c713916ef4e45a8d8d49420342df428
  • 018edfb60377a0c076e1297bb407cd42b16ffb2c08d4d2aa32b860b061ca5ed3
  • 01bce31e9de13c804a18643616bc34f64bd1c5b25bf8a10f422e2ad19fb7730c
  • 02701dff6c0a0f71b66c9cf69bd895129e810a1a13bcb18be9a8388ff7821b89
  • 02b10171ce53f9592cb441792f91f1d2a7ea1af92e8a814e3bbc42b647afff2c
  • 02c63a651be113f6b1816a357a97af54141e2bd6d9ce4aa2827a629031b8eaf7
  • 02e7cf905bba1542c36e54c120d57c583f6bf33fc15a4fea4e8a41187801b041
  • 0491fc85d831a1f252b61ad87941db7174c53c1b849bc3fa67604251bdbc7fe0
  • 060b3e97fe90a1c725a41fb0ffd3a01ff7b34c74f1460b68dcf05b668dd5521c
  • 06b7d5b411bc5c2b50aa6a257b0799dfa4e098a249602c39a3a43160539087e3
  • 06dea51ea8ec0bbe9578024339ef207c8cac340ca608b519c22999e109514b47
  • 082549d3ad41312e5014c2ada5b99d6dfabc29f09b19ef4d1d9a7ec1297e8356
  • 08807c13e43fd5d202c97c68e25c6178445a65cb0c8f957ff3dc17a293b11020
  • 08d6916f9a64fc2e725d578d1c11c1f77894edc35373d7d308e039bc85e889a7
  • 0997d72a90fbb50cc4fd395c6d9b5bc38f622f5bd66befc055fad32c19ae686e
  • 0a5e7372e854b6ab82834abfaef00be3a1713ae3c921f3d693112482b8d91dff
  • 0aa62de7c50e0d0498ff66687e0ed5ce905f7fe5014b765586ca64c283c2b595
  • 0bca5fd01e55d40ca9d324e0011f56de76cab17d399f6655019f85cbe16ae060
  • 0c3fea106ea5b2d0f943580279e0ddc729e210716ba82344a619ab901438511e
  • 0d08edbe5a8d68b1a6c29fd0956514036a94638e6443db85c37c8e532d15a2c4
  • 0d9c6fe9e4172a80ad9c912eebeecf2baa094012552267ad70d49d6f583add8f
  • 0e9189428c742936b52149e2579844257ab381570b9c13d440fb3304b7cfd935
  • 0ee3a3afec6551c3cdc20836f7d3ae8ac1b20cd7dfa6a14e379ca975d9b342b5
  • 0f18e6faa5e6bc9e81e5cb5c51a7cbd03589eedae7565d1b270fdb803c78c437

Coverage


Screenshots of Detection

AMP




ThreatGrid



Win.Malware.Ursnif-6896385-0


Indicators of Compromise


Registry Keys
  • N/A
Mutexes
  • N/A
IP Addresses contacted by malware. Does not indicate maliciousness
  • 91[.]134[.]203[.]113
Domain Names contacted by malware. Does not indicate maliciousness
  • kkariannekatrina[.]company
  • f61leeii[.]com
  • qmitchelkp[.]com
Files and or directories created
  • %LocalAppData%\Temp\~DFDEB0FC636A1346E9.TMP
  • %LocalAppData%\Temp\~DFCE77235CFE7E5202.TMP
  • %LocalAppData%\Temp\~DFD0DDA0AA1947567A.TMP
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~DFA0E5.tmp
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~DFBF00.tmp
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~DFD9FC.tmp
File Hashes
  • 002c189b365fecdd1a985d49bb4fb006c15efc47b1000defbdd6f4af1c11a19a
  • 02a860f30efb515b8c290d7eec3aaacc31e13db934b950c12c46c2b418f44c6f
  • 0698973ada3bb251a5d7d24af6532bfe757f26e21c5ccb4683ea90fa22000d31
  • 0bf3ad196d5c033b96508b82a4627371b410a4171a112fe87749ffa35148e700
  • 4e8a9df93d31b02390be3f76e8092bb8dd1296da7b583f0ef7d1e0a4b621f5c9
  • 50e11389b6a65a77dd2806b0101c00c3ecab05c885904d8ed93fd7d5a22caa29
  • 65365868838db8f45660946e8cf4e48420fef2f191087adff2c8525e1e9b92ab
  • 68ac70dcad46e80bb89338cc239d9c7942a4d7baeb39c783cf7f3f41338afee6
  • 72ea94949e5a93a9470f528c2e19fee632f1c35e6592e7466d230fcd4425adca
  • 8b07ef958d6f3f94cb45580d4aaa99202870f35e6c309d94894c5601c861cfff
  • 8ee22466de53f493c666b1f805bfad58f4b9d33b657e266dd65724efb96002e7
  • 9124364a4c9db508a438403d4742db5ba39542753f2a67e4b1f77854962ca1d2
  • ae0f77690e47a8662efaa1507002e3924c2d0986e6c1cd39d3d775e53ad982d2
  • af421716811ae86cf1b9cb4c1615ae152515f3dcbe3bef603737d663839bf520
  • b6ed38788fd409ada58fb0446d839eed07783e79b829e75ef031d67a53a3b62b
  • b90a9ca23c1b2667d8a8a8e14bd3ccec4f928734e91dc28af26e69dafb991668
  • f5bad2d671dc5b30fdbc93304e2d9b194033cc307099eae1d58cee17a2cb717a

Coverage


Screenshots of Detection

AMP



ThreatGrid



Umbrella



Win.Packed.Kovter-6895460-0


Indicators of Compromise


Registry Keys
  • <HKCU>\SOFTWARE\FC6A75BE78
    • Value Name: b97dea2a
  • <HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN
    • Value Name: 99297e9b
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    • Value Name: cafa44a6
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    • Value Name: b612d32f
Mutexes
  • C59C87A31F74FB56
  • 1315B41013857E19
IP Addresses contacted by malware. Does not indicate maliciousness
  • 97[.]12[.]118[.]34
  • 95[.]173[.]120[.]56
  • 90[.]243[.]251[.]205
  • 96[.]18[.]11[.]140
Domain Names contacted by malware. Does not indicate maliciousness
  • N/A
Files and or directories created
  • %LocalAppData%\recol\PqIpWoU.asARM
  • %LocalAppData%\Temp\ay35fayo.2m3.ps1
  • %LocalAppData%\Temp\uipfcjr2.khy.psm1
File Hashes
  • 352bc4694ee225e59f50875fbfbe2502a0223daa22b94eafed6e997e71588433
  • ae9789ced159c8fe284e49c8352a66070b8a52bc256847be11ad0890da6b1a99
  • b93e29b1ed93143a85a7d6cff2cd87b5c12e8923bea9f50923dbae429c950f2f
  • dbebf2bbd28c1bf5b327a09fef96cba4078ce033b52488ce936dd53e92302437
  • dffa4d8bbde6b5efbc79a4a05df2e4528f5dc991783e81844685bdf1c175b716
  • e1161786aaf5ce7cf3938e1a105a150f3e7e6c4ab44e1b6dc26004b07dbcc6cc
  • e4d4dfa171983e794cf68492fcfd6bb7312b953d22ae03df64213a5dd6496ee3
  • e79f05d135d2c8524a190bd7d22d20674a21c149cc379299011390b932e056af
  • f7c9f1a37f688b54b3494696c2ac6898fb6945038f4306737299750bec901b20
  • fa6adb0b0a129ada90e2dcef5dcd34c2cae28496689630e7f0415882f12e608a

Coverage


Screenshots of Detection

AMP




ThreatGrid



Win.Malware.Upatre-6894504-0


Indicators of Compromise


Registry Keys
  • <HKCU>\SOFTWARE\FC6A75BE78
    • Value Name: 0521341d
  • <HKLM>\SOFTWARE\WOW6432NODE\6C5692EEDA48CF842254
    • Value Name: 4DE9F1CC8F5AEB40A9
Mutexes
  • N/A
IP Addresses contacted by malware. Does not indicate maliciousness
  • 139[.]59[.]81[.]114
Domain Names contacted by malware. Does not indicate maliciousness
  • ncaappraisers[.]com
Files and or directories created
  • %LocalAppData%\Temp\opera_autoupdater.exe
  • %LocalAppData%\Temp\wadly.exe
File Hashes
  • 15e6ce12614b3b296ddd76343b5703d87beb736b162128aedca6499e40ccdfed
  • 1ad3cf284008b50456bdfd4b8b6bdb0558e5667c34d1406bd7f879b33e8cf6f5
  • 24ebabc590cff41db4261eea662c91d3e3d48bc7da2be03009fddac26861117b
  • 3ea2036f27be61f73ef313f78a094c767164becbcbbfc9c4c7a33f3160d9f2bf
  • 498d367976283785672c2c695e29ad7b20a2b0157dc1dc13acef67426da96e58
  • 4c9b775952a0b574d258a982b0fe3bfca25f450b7e4ddc76a20981432135afa3
  • 5d9721eff25abcb7d7a4af4af2d0dd568b181375186ef20a024cb9408a1b3975
  • 68c841e9b1e4d2b2cb65177913d0a7152decd5ecc15f9d424897f2b277ef75c8
  • 7f26231615eab934cf6cf7d54c9ded34b04fc068fd9ee274b4037843ca22c69d
  • 80e7912b1921cfb610b2b43d5ca74c3aa5c6c3edce4aac9bb554b58dc9ddd6e9
  • 81c52a86cae959eac3382cb9b72a8afb47db16746b9e9c3b9254dc0353174530
  • 886515171b4b044976140bcfe2036796c80320072f54ad60078203d7523aad1c
  • 8a53bf2d3220ef740147699a1a801cc58e4b48052b9c5569f3659ba1a26e3a6f
  • 8b241d4a533f3f6ac4819a22e7c1dd7f18556e1f6f835584973902e63ababb66
  • 945055c780e4f5855616bab1b2b94807ae603c6b2c8cedfb0dd5f32a4c07a784
  • a3438650289b8b3025f6d08414af69cafc016080868a0a30d48239716eea2420
  • a95e1d9364069d02e6f844461cd9e7525f1c3f7a07960486403fee266f0fe8c1
  • abb26593cd2fa77ee16fb0640465ec21592cda8d370c13a2fb74836e065b8f69
  • c036fcf79a071d900b32100d015fc16bff5d82044139b6098eebc98009d2b056
  • ca0bbd8f09581c6c0920c782a06d66e5cad25ce672f22e4ca0dde4ea98b905a6
  • e45189ab53b35195f4676bc9081a605dc28cc79e26047763ccf2661d82120221
  • ed75f96c614623b6c1aaa793cd8239c86049635d75406339ec778e7ba23eb317
  • f9ccc2fe7e013cc9ee47eecc3dde93f6bae4aadc00a421254ed6fe35370b6984
  • fcc0294acfcd7e2231d83841cb31e88363f75efab063c79c4a193f2c0cc26460

Coverage


Screenshots of Detection

AMP



ThreatGrid




Umbrella



Doc.Downloader.Emotet-6894115-0


Indicators of Compromise


Registry Keys
  • N/A
Mutexes
  • Global\I98B68E3C
  • Global\M98B68E3C
IP Addresses contacted by malware. Does not indicate maliciousness
  • 181[.]197[.]2[.]252
  • 94[.]73[.]147[.]237
Domain Names contacted by malware. Does not indicate maliciousness
  • emseenerji[.]com
Files and or directories created
  • %UserProfile%\208.exe
  • %WinDir%\SysWOW64\SCwdrA.exe
  • %LocalAppData%\Temp\CVR478.tmp
  • %LocalAppData%\Temp\iidzocqo.viy.psm1
  • %LocalAppData%\Temp\oflithzz.nz2.ps1
File Hashes
  • 2ed65e9a1e796862f97eeebdf46152caf4f7f4204b801287bafe5b11e948ee1b
  • 4c9295e6906108f3dc926a9591a148e4e2636a893d4d2505b35a0d030635462a
  • 563991d43d484069890ca97745c1d7267c918afc260d31a52ec5bfc899a30c94
  • 848b0b2455cb049ec8dfa798592de326b67abe036ae7a637c8aa3ab9e91f5cb7
  • a06d630f62bc13cb49c794bf934a4a3dbe8cf63f352304e71c056199a065958f
  • a42af575f713389ca1b0cd0156dceb753c1728cfe7c0e7a6036c53aef2d2d3fc
  • b9f83bd5eebbdabf1cc5ff8587ca2f12a91f4905538e65587b35bd8bf1132e9c
  • bf0ee1f25309aea8e27968f5d927fe8d05a66437cb86102d367305e61ec9f5d6
  • c60eb3d68445ab0471aceef71bf75182d9d2f92e3ef3ab4fb148d8852dd2c5d0
  • c9bdfb2d6ac9e493bc391b2f64b48d8d5cde10645ea921951b23112e6d73545c
  • d818fd24d2ee5426ca535b7c966021cafbe7bcbb68b9d6ce420b9006859f2df0
  • f3d7d9b36113ffc6aa4388f4d2f3f52349a3ba0984f9adc696b1a6d9db4108e0
  • f832543e87f24eaa23f85c8976b79d7e49d1b4899f5358ba54a71b7c5f803e2d

Coverage


Screenshots of Detection

AMP




ThreatGrid



Umbrella



Malware




Win.Trojan.NetWire-6893426-1


Indicators of Compromise


Registry Keys
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    • Value Name: internat.exe
Mutexes
  • AlIgmljN
IP Addresses contacted by malware. Does not indicate maliciousness
  • 194[.]5[.]99[.]194
Domain Names contacted by malware. Does not indicate maliciousness
  • N/A
Files and or directories created
  • %AppData%\Install\Host.exe
  • %UserProfile%\nltest\print.exe
File Hashes
  • 1388ba005085c7a25e2680d0f7ee1d81c49924f3b555b4b6dbec68dddbf9b0e3
  • 189525aa17b231ea223cd3c09443662341f908afc3973d88753ef78570b408ba
  • 1cc74120569cff7c550b730223d0aed91a334c66f4dc2aa751e723e7c2ac2a14
  • 1d9c379630d8d65bed03e26b9564651f0c16ae675ddcbf56ba607a107de27221
  • 24f0f08e4774c2f4d1411ea8b57fcae3b37266830601f6ec30899126d93881f6
  • 26917f6538fa6e8796c3c18c5f018370f6491adc63f4f466365d0c0186e9dd41
  • 286a254ceeb034dc7417e5b9fab7141472a1db6500900f951775b07cd07f22c6
  • 44cf94db97f1af9478f75e1df1afe36931fd741e1717601cc2e3d1d228c8b6c7
  • 47571de1a9a22ae99d0cc5ac1d788a238dc1bdd416d32db63ffde7041bc98d1a
  • 4eea828a9f2ff26440954da153a19d9667592a2c47206b7b5e161751794e3307
  • 50b2adbbbba3fb086169174cd9c64a4f536c455231ae3dc93fb1ed6a71e48cad
  • 530a89d43c4bd1ce99fd7dea8fa148158508653bd56063288da3e1086f274fe9
  • 609676ce7da214d0340436956d1c4733a019811a6ffed5a74e5fa680ccfcdb0b
  • 624b38be3943d4580a7bfe3d22a82dc451e9d5b4e8367886dda182e477e926d3
  • 62b5df538e8e6a1737a0125202ca3a0d99610c08a839bb181cd6abaa9e768ceb
  • 633c5f260bd8794b962c85de11f8eed31bb1bd14b5a11b9de564d6a06796ee7e
  • 7220e58e3625c5d26b7be8450b1d8db9e10cdc4cca9173f372f2e7935fae18c3
  • 7e366ff68193007a80f04d0cf6b33841dfc1a46b815992f241a51120cabab9ba
  • 82a165f62e5c7727289e037c1dc4061aeb894403227a27b7366104ecd5cd08a9
  • 8602358388e40b49cecbbc9e04e9863e95c7b24be53c053098b65553e252d74a
  • 8f1ec1fa3db18ab4d7f716d55f67efb65e126742e7a0b3e276822d516bf53182
  • 9b4f90c1ec5a35213b196fb4e0444f86a5ab394d0111a696ab197fbb5006cdb9
  • a0aeb2aa7b2b833ff153bb372a6e3feadf04cf45035e49168331f26d9c887ec1
  • a2327077fa20fc6c10e72031cb249a874531b376ad335bf5367f6a13566db109
  • a513a5d7c1fcabdd53896d054eac221dcba70f4636b8d3c2f306f121ada943bf

Coverage


Screenshots of Detection

AMP



ThreatGrid



No comments:

Post a Comment