Today, Talos is publishing a glimpse into the most prevalent threats we've observed between April 05 and April 12. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. As always, please remember that all IOCs contained in this document are indicators, and one single IOC does not indicated maliciousness.

The most prevalent threats highlighted in this roundup are:

• Win.Malware.Eyooun-6931755-0
  Malware
  Eyooun downloads and installs additional malicious and non-malicious programs onto the system.
  
• Doc.Malware.Sagent-6932497-0
  Malware
  Sagent launches PowerShell through macros in Microsoft Office documents. The PowerShell then downloads unwanted software from remote websites.
  
• Win.Malware.Emotet-6933520-0
  Malware
  Emotet is a banking trojan that remains relevant due to its ability to evolve and bypass antivirus products. It is commonly spread via malicious email attachments and links.
  
• Win.Worm.Scar-6934835-0
  Worm
  Scar will download and execute files to the system while attempting to spread to other machines by copying itself to removable media.
  
• Win.Worm.Aspxor-6935052-0
  Worm
  Aspxor botnet has the capabilities to send spam, download and execute other samples. This botnet is known for collecting credentials from infected computers.
  
• Win.Malware.Vbkeylog-6935273-0
  Malware
  This generic family will attempt to deceive the infected computer's users into receiving a payment or getting personal data.
  
• Win.Malware.Zbot-6935412-0
  Malware
  Zbot, also known as Zeus, is trojan that steals information such as banking credentials using a variety of methods, including key-logging and form-grabbing.
  
• Win.Ransomware.Cerber-6935713-0
  Ransomware
  Cerber is ransomware that encrypts documents, photos, databases and other important files using the file extension ".cerber."
  
• Win.Trojan.Winwebsec-6935682-0
  Trojan
  Winwebsec installs itself to a compromised system as a "anti-malware" software with desktop links and various persistence techniques (Windows service, Registry Run key, etc.). This family is known for using fake alerts for malware found on the system to deceive users into buying services before the "malware" can be removed.
  
• Win.Malware.Tovkater-6936213-0
  Malware
  This malware is able to download and upload files, inject malicious code and install additional malware.
  

Threats

Win.Malware.Eyooun-6931755-0

Indicators of Compromise

File Hashes

• 002a3ee5d238a80bd8c3759d8478d7d9098af54cbcbd264bcd78ad172c7fded5
• 0066dccf58f6d2ea4e303e870aea20c25d0c945a4b5c6796548acb20ae2dd268
• 015d9a05e3595d8902031dda87e999396a9a2b5267195e35f3752cef08a37b50
• 0181a703fa74afdd4640b52de9338b0dd6e14446c0635bebf8883999cfa0be01
• 090f9030986cdb1413bc9f5c6901952e23be5f6c48b7ce0f9858e92e91142d26
• 09d3b0027fba2e0419841177734b811e506aed12d758d75d77a1f71ebb1b16bf
• 09f0116a571ccf405cf2b83507fb2d3c139a8f9fe7ce9fc77595c7c66d4f9a53
• 0f0d5f033b1096e209857c255edb94e30306087a172edb5816f4464c92a9870c
• 1029ddb2e83f17e8318199afb81a4434de65e12728552f66255cd7814b7cce0f
• 159a0f8cc9ed369de6b89806b3d29a287183dc15deb59ea916d246d736385684
• 179662d10fbf28f36e7fbf9d61e20ecf01ea0efe03223e19aad2e24a4ae56bb0
• 19fb21319fb6479eb23cf06f3298f991466dbd1954c320db749e6f4ee727a27c
• 1ac81f029e1fc5c7c11045d910ba3882946bd6535369675c6b443c35ef2e5c18
• 1f78e240a8cdfda72e443b39cbfdf4faab1ed8092cdf9b02bdc7456dffbe1f47
• 1fb5ec3d10289d0f00460070da92853ba1d90dbebd6dc6a8266a09ad3c36a154
• 208d2e1fdf8b87f1b37644e57f340b984c8d68de8ba02525c61b6158b9d6e539
• 24b4b426368e29fe933d6b427d1ae47e31fb346b2392e2161a67add890bae196
• 2d60ced2eef863bc23232f4c3a80be8545902f2efa4dd9eab7f680a5643d8289
• 2ec0873e6ce50626bccb3217c8fe10fd421604dd5fe45fa58c6f54b90b369d6b
• 30944e432f0f25fda774cfe7090a9cef872b02bd754636a1176e98f7298c5780
• 3291d369e4f69353b221ef184731f93c80f3762de2114d4b4f1a6b200f66aab8
• 388259027de10322e1da522901d84a83bc8a5585d2d61a47b4ecd9c87cc30d26
• 3960aa9d31ec0dacc0f11edbebc8820e4f929bdfc2943aec52dea840c456e264
• 39d8b6f916b96060c7e55c468fb066a51ccd5a8c1e0f3d43fa29dc12dad129f0
• 3a328a6515c449cf1f1807ede10f790014b5905cda161828d3eea7750a7d2264
• See JSON for more IOCs
  

Coverage

Screenshots of Detection AMP

ThreatGrid

Umbrella

Doc.Malware.Sagent-6932497-0

Indicators of Compromise

File Hashes

• 310c672343531ecc8fb2bc22b979a34f6e3c3d6c56eaad0dadeecade3e6c64d9
• 60973bfc7ccac458d9ac4b7192a40774316b04d86cdb106b0c205d75778b7c65
• b3ff81bf64f077e1b466d3696c3528f9c644d503b515473b16803610f240dd05
• d1d756451258f60d10e1c46540438f9a7c9ad84bfe7b4a1cb944ae02e456d3aa
• dfcb889cbff15a54eab56367f8f5da6855cf534ad732938eb4cc472a77c231a0
• e39863e66ab0f1bf0b8d35f2715d3de220f6bb3d0c28b68d8f14d53ed1acb7e4
• e8ca6c66c79cca9404a9f6a6920ff02010dc799435381a97fd5c57cf0c3abb41
• e9a0aabcf4e854ca4b16e9ebd2d228b2e581abc12d27ef34b9f8a5978d224128
• eba143b8f9ea163949037b683622c1cf9672e9a4e63513ecd20ebe1aff4e3ff5
• f4282b6fc250485ebd045d3008195a5c3e2b385c5caaada93ea221f53326d3ec
  

Coverage

Screenshots of Detection AMP

ThreatGrid

Umbrella

Malware

Win.Malware.Emotet-6933520-0

Indicators of Compromise

File Hashes

• 07bb6313dc4e4e47fffe542787f7e5f085f7a0b827a3614a666b8ba122895a5b
• 1317735faa4586cd57e311b7fa5462675b19b6767898bbc9fd1ea438e9b269a1
• 1cfb22555921bcd42ea2976527cedebe9b0a70a24ca2f4695d61496956a9fb65
• 34dc74f395344d40e6ce6e08f73ea822d83107c276e230862aa7f20ec24677d9
• 5bcbb702d1936de97fc26a33767f7d1b1973455d7a783dae80246fae99024b98
• 6123a5957f13a02e1752a9242f68f2cec27443ea0e4fbea65edde4c05a48ec38
• 642b1802bb2c429da4521e8fd159498cf814ab43df41d2213ccf4c8e7bf3a58f
• 67121ec06c244e75ba3c217b6ec7c9ea795f71bb673c87ced115a7bae939b6a2
• 67b8cdfe8f7b193723a6db03fb8f2246710ba6b4bfd2681134175f98150d307a
• 7581c79cd28ae473538de22e69f00d8a0642937621a08d6a304e7bae7cc1f467
• 86630ccb5c7e8d248e28446f27f2faf21d2712e18b3b6fb7749c9dd0d82c2752
• 87989bca4fcdaf8bde36f1893ce293da2f11c330cdd0f9746956241d6fac63da
• a8caf1e24c6972c1338eb4cc5d061fe7b6618657720b375e43385c9118b3aad9
• bdc575561b7b6ccd315cc5aa6c0f05d346201917e05490ff9203ee804b9d4fd7
• c6f1c07bbf320307ab784db15f0dc7ecc09c2f96150cda7126569a2d77935b2a
• e1226793b90a2c765d227e365b24271282c85ba9b7b5eb642f9f4b145ba0b932
  

Coverage

Screenshots of Detection AMP

ThreatGrid

Win.Worm.Scar-6934835-0

Indicators of Compromise

File Hashes

• 0801e6c88de29d1418e3c7e89c72ff0e9147607f1c36ea657f60c557bc2ca91c
• 08c755993f57b3c2adb4893504683394b81e9dba822ccd6bdad9dc9710155078
• 096b4a3371120250dbd0c85c19730f92d0beaa3af16d73a44c6c81e81e0371f8
• 11566d54a186019e24e0fe51ecfcc8a6e954c3ff0ec58e89130c81c2c9fe3652
• 18bc9b638b1770d6b76de5be46ecc50d2b2a428053b131b02cf76d9feac9566f
• 22afe3eae9acd98fa25f5e06a7f3fa2716aa6af527d1232e5ba4c95e199b851b
• 25fb8e7a4039c200fa74246ae62629e6a1db5400e2c8ebe14b041f0dc2bc60f7
• 391483fc42fa770ae9a6e0bb615536b9c3f1a908931d5222d4f1eab68a50c91f
• 3b62f8abfdb792b3419ac346fcbc5d004a9b67dc1b5a93b2eda4da53fc27263d
• 3be4799debfab2081853244700668d7303752272978941b551d21e6cfc476a69
• 424c3baead90385b2fd8cc6ef98534119ce5ea41f9488c0e64d1829ae61ec957
• 453b4a1818de6d3e8d67632e31bcca085cd8f5e44e775a7959246eaa4c925d2d
• 4a800c7c54850630561ffe6d54a3390a93192c7fa6301f5d6ea9368f2c6421bb
• 4ec4bcca36e92304469192ab25d97cacb192413f4092a37a5f1e76575beaa0de
• 55562749de33d7cc4f93d0342514467c31b975907d9f0dcd8ec78f735ce6b1d8
• 5b642baf8e06c96a72ee7e8e55f98bd25a6180fce57fa25c2691782a23c76794
• 5efacdb03391aa114a6dcac90a6f8f8562c0a2e666185f1f8f63065364993143
• 6178e5bcda89cd0c4760545b3208cf56ce26fc9fe51551d1389505d30de75830
• 621bc4bb35821d5a7784bda820acd368d863b2430974952f83a14051693c2fda
• 75504f094939ab33f14cdf1a6c1be3cad5ae7f89d48d925fca65222062ea27e5
• 8320a5187226606270a82f0acf50449a11d3bc6bfed10618e7a7d79ea4564401
• 86ebccdb2f90a5b5ca49911155eac4d05769138d8f72856d4cd9be2323037b29
• 871aaaf9a80009c78539d2a8b1bbfee432c1afc08511d25e057373731f06a061
• 8fd6c4a70953f044073299ad6ba883d94d7be1a723d8aaa908435318509cda05
• 915c2d8d8bf3391aee7ee8a4d732cd861aa30eba8219b240b66041a860a32cc0
• See JSON for more IOCs
  

Coverage

Screenshots of Detection AMP

ThreatGrid

Malware

Win.Worm.Aspxor-6935052-0

Indicators of Compromise

File Hashes

• 0212de9641f40da0e6bdad747f807eca71356ddc298263c20676321863326f70
• 098631c475084bd57815d245af1252c70bb4b918df059844aa167ec189bc955b
• 0c5634fd44849ef51ac6f7133cdea66da960a64a6c165bf038f17d97610ce5d9
• 195b4c47c63c9d6fbd745da31721b086e931c0d60c1759e414c564cea4e1d6c2
• 1ccb17748bc70035a00a5ea94d223e1e425163e191bfb92271d191d7ced3347d
• 1f5286c16b783ebbcf24cd92cae2f1eb50d69e6f4cc0d0c97408f03abe1de161
• 29614ffd96412f26a5cf2fee3648e4954c2ac095543b3633e03dfaab12d1ff60
• 29de1a963a1f1bf15435da9020a2eadfa9d3054160e545b49b89135a6eaac2a9
• 2c85e5a8a1c3e5c0e6fcf4902780824c9014298ff01f823ae8f4d2633f64c0b4
• 2ebd4a5e0954ef8cfa8f338caf6bc6763e6519c9be2b71e31186f91b29312e13
• 37d5963a73acccd5b60d59e27c19fc30c1806679724338e1d4962d04748934f9
• 386ecf6b47b1f1d71b3797adb0335a806452d3346e108b758594f07dfcb49f97
• 3b03b188ac995d7fcab65e70b9ada8d2b126313318a981ec396a2111a34bfd64
• 40ebfa0f7b15bd9a0827c9c597340b1ab91a0b352232052094dbbf6e951617b9
• 4ad58e6014e62529af11bdc456bd4fec94ee3138f6e8c679a963512709a72452
• 5147b90fa72506bd6c47bed8b03f82f8eab5e6ab6f6216289680429ed915422e
• 543cb5dba99c251147551c65e8db498b1b16f2084933596159006482ce1be633
• 5d19478d27e1697220d54e158ecbe4190287c34f507d46717f06195acee8507d
• 601d8a181beb7451b6d45b6938a398b8c09bfba4d858b5de52d79ad55ff733fc
• 64816d8573edd50f3ba63d0c1b9e491e461dea9f4dab78b85986959346d7769c
• 65f8b7cf030977bb60ae0e21b3514d4407090de968c505ccdaed0ea73d2b882d
• 66bff41b7bad9cd835e0e698cfc574a576caf819a3c9abecc473eb8ec31a53a2
• 68e6f59b6c52c804dcebebbc2eb54ad7a00c9e0302f429bfef2300d33abdc4a3
• 6d610fd8891c60bd39978d90f76e803a878fd1bb36061e7a970ad79af20accd2
• 70d71ecfbb763f5e97379bc3d75412e56aec4574affadc1d4bcb09a2fc70d923
• See JSON for more IOCs
  

Coverage

Screenshots of Detection AMP

ThreatGrid

Win.Malware.Vbkeylog-6935273-0

Indicators of Compromise

File Hashes

• 44414ef55e3f6368f1df92f06a5f29f4dda15554720b7cb4a7ad22ef73023ce6
• 5164b6fd11a2fb210d88ee920b95a62e8ba0904797c015f2edf20fe519678777
• 64ab1d27afd0c17215e56c0c97b2de6e8862573cf8663e60832d5d14ab9f635c
• 940f6e0c84f2ea9db97ce376fdfd8b111f3fd50ddcac3d303b5b9d69a7a89dd5
• 98408e5c6a013289ce93486234965b89f164c568f5f772d9082d6ddbfab7c506
• 99773cfde40fbf0a2e681cbb27b64616c4e401b47ad88255be843c3084e41e29
• b698ccf0db3ef9d598333cdb998beabbc0e59ba6a528e02a2870687b863ff0a3
• dce28ef0578d3d8d14159a098ef4f8f15995996c2c2e512caa456d8c0f5114dd
• f0b0138e46957c77c6b40f7c2ed6b16bf7aea25cd02ac62e4298b559de2b385b
• f1632ccc48b023eeab044ed42093e748e501c0afdde9b97d22d27ad09b01dbea
• f51e016793c920faad2abe8da9d14a6d6ecd1f73b8ccd68d583b4ddcbf9341fa
  

Coverage

Screenshots of Detection AMP

ThreatGrid

Malware

Win.Malware.Zbot-6935412-0

Indicators of Compromise

File Hashes

• 038925296d4fdaa55efcfa1ad8c02ce08d6f3673bc042fed1bd20d9f29fad5d3
• 0ca97f5d0c9e6de090568cb7285db362d7210c45e2213be617fdd4ba2ae8dc7d
• 109de4dba47129449293624f674a90a8d6381d5f827e4192f1efc97e4b08748e
• 4155d902b22a775b172e7d86d4958e9088d571bfda7810fd6eceaa5bfb44e847
• 56d02ae6de618c67968b5c6ca583372e1388c89424f2c2118aac6a8548b909ce
• 5880016db066b6d864c72234d1404cb0ac8953a0ca35b1edae8fc1c8c6c8a7b2
• 591e2322c4e4a65b02694f0066ef6c18ceff25c50ea0c118591170af3e4e9cce
• 5a48b66eb3c6581073bd8b85f9a8151364f089dd91997d82ec42709f3f813def
• 697000ba4047468f1005194dcbd2ae90e444a7e1a8b52c3904a3001358387af9
• 89a3ecc59f1bd6d62f71b2dccbf03e433d99cee9f9e8d961e19d5e3ca7bb3f15
• 95ce736766aa931ba16df831dabc530f64e9e9a6d1a134e6931987fa1c8fd544
• a3309cb7bf90a6f6220bbf9a6b018d5f41334407a431b5101874e4d3436382ff
• b28ca331d6466f83028b9e8c4e9fd6511dad0a599859ea21f8dd02618eabc1d4
• c27265eca8f4f1d0606e3e6acc971721410f7430d3b8c487b128fee5a910f8cd
• c6b0d5b496baca826833a12e9863292ecdd92931ce682d61a74ee62e97c39382
• cf9e75a01b1ee5093c7ca244f5568becd535c6e9f56885a11a25dc1e9621d502
• d5587aef2b6a77a22904f8cff993d6e35a832f7552f8f3124c772b1700077622
• d7fb034de95b8ef46570d15391cb1c8181e2145076831813563a947d8d1616db
• dc68ea18ef5b981d2fefd632a9e7fe51bc03c5058dcff708b9aa255e9ebbfe06
• e1c784eada950c0b8a9ff1a533d95252bf4cf36314b8b52aaef1ce51c3fe3704
• eb84091df0b6ea62d38e2240201dc93fbb5db4b878c595937cd9ff77508dacc1
• ec5dd84f2cd6083165187eff18bb55f382719977092eaeea642868d062926970
• ed8887e64560574df7491a6ba7feff32433fed157e02f39ce86fb8689d5a2207
• f443021ba52b571fa16f440f171e85430eb6d925882bdffc339de6917b6e13b6
• f4fd6c5f9fdeb3196e09b5ee9854f0c06d320c8cfe8c7fc04e234c35cfcc26b7
• See JSON for more IOCs
  

Coverage

Screenshots of Detection AMP

ThreatGrid

Win.Ransomware.Cerber-6935713-0

Indicators of Compromise

File Hashes

• 0209aa718b9b606b5cad5f9783ef1eb441ab1b6ff63283855e8b6d74f4649ec5
• 03050ca0e3c1e6fc7a9782b5791aeccc77a1f07a7a8a675feb6e756226174410
• 04043499a4936537e774dc6a381ccaeab8bb853d84819b9be12de2931d6646de
• 0468b2231ea7059a58566e1a77d170f9c3a7e417d0221e8d7ca0747607bba2c3
• 0680c78425029623806a8fd8f305523564e52bb68779ccffd698b78e218e249e
• 087fa7d28264fc9c06eb7031891b68794c67b7b571176194e313c227437a1ea8
• 09b4791e9e2eed217cf3df60f0386b010dccfc12a0b8c67b3cd2007fdbfb8e74
• 0adb55a70a4c9f9e2bfcd33bb7c7b7b2f5d309b5ad006e7364aca2fbcda6c505
• 0ca6bf5961f23df78cd48d7cde29d58b7d23e22598f784d04a1ca0676a466c0a
• 0cf92c126ff4860a912d3e5d9d21c546edf434b46a1ea8bdddaf1eace91bc7ce
• 0d7b033bd7734735b8e101b820be42c37e6957dd556da8b26f05f50edc3cb96f
• 0dc0bfebad2716cfc4eb1b6d2853929d110fa2589af4d662d0c35231e9e1e291
• 0eb148582c01d74361a630671d8c4d7f2577cbf09bea123f16df962e4b7d3df8
• 0fa00710b9232318f7288b3723436ccc51714089030fabe581a00cd057b71865
• 0fcb3e096368ecbe9d96c2c88ef721c29b596db298a6790a27ccab7bffe5a12b
• 103517b74d9bc58c6a54d0a635ef45417540aeb5d8b5809ad110abb4685b0c2b
• 10de95456a338a6f0edc9cd277ed314380a335dcc8e921e6eb7b40b526bca0fc
• 130cd09e0e050acf6b75411b57c1146cd6f177f765e8cde272bd45b641e068d8
• 13f983ebe9787626f1fe2e6615ad9c8cbc997b363ad9c2f91a1295a9a1db65db
• 1677324000e28746b206c781a6b653f87b69e144c18d5f366aa9f0f2af83a8b7
• 1768e3f32fe5c938f3baed815000b18020b10dd8ac440aa4bef7258cab863395
• 177644a4e59f0f0b468e176972895a55b724fc19db205f555e98c06851982084
• 179f11a15d4a284bf8e10002663f744bee9903bb2c8eae9e22308a49bca9ff03
• 17f46c0701439f25126d59dd4b3b8c4cb131e260cc199bb8bb61414128fd3aef
• 18adeddd8205122987da070c640e8eaf72e2e4bc5f2f58491a5e83f7ed6c2c25
• See JSON for more IOCs
  

Coverage

Screenshots of Detection AMP

ThreatGrid

Umbrella

Malware

Win.Trojan.Winwebsec-6935682-0

Indicators of Compromise

File Hashes

• 10b34c1a0b739cd6c12e2926372afcd0cbf6f95be9d1b45038144bd3efb5eb79
• 1a448e78d2668f4dad016aca5092107f4d1ee19dadf8886e8a0ec4e2b550b317
• 26a08a46deffe995ba67d9aaf547b55a265fe513a8293d51f3f9f0b3d944808c
• 72f94e87b1fa1393360d9cacbdebb1ffebd5754c7d93121e0e887eacb8529c87
• 8725d076eb421b4e4737792ad07647db9a263e4da2f0436bccd6c8ff9f752d39
• b18e5830f0e557d72ba6ba2dbb59da23cf8e2539148efc51ed01a0364210b06d
• b4b5fdc7fcf6f86a9ffba97a9d2e159f0078e9ffc090deb948660a3c8e5cdd07
• d45ba937d7d532907d5da3fc979a96b1efa5e9c9a4c6b5c45f683925a9524ac2
• d54730e93be5c4d17de56a904aa56610c06fdf425083277343c9ece4ecc922df
• e165145377ae247117657cb0172fd7767907dd1ee5d4a698cbf58a6f4af03624
  

Coverage

Screenshots of Detection AMP

ThreatGrid

Win.Malware.Tovkater-6936213-0

Indicators of Compromise

File Hashes

• 4f8cf035324575449ee73dcfcc1ecededc5d1f3f8a4cec2f0e85455516207eb0
• 9fc837165be91f7c7042e1dbcc4db8dd38d002f9214b861db6214c636055bac4
• a40c7290af61e7f34282faf839982f9fbb33db423751ce59d11a156140e711ef
• bd9f2de34957bcd509e47fcd7cd7e7f2af01b0e5078c0823680cdcd1d753341a
• c880d5254c7e1d5723862100c2d57bd3cbcaad6560437ac59bd1071172980197
• cd69efb3bb139a1675b90690635f8584896fc10c1f85be17f92206f8d856289d
• d6dc00609f709cc451cb61f1d77fc84e8572494ebc3ba0de80518f7ab234384e
• e82dd6108b2272e13f6365d75943de81b4196cfa4d885a78a2ac3665249ba2c5
• f102bc0d0ebe8adf4486b0567c9ab493faa619aa1ae48ac3572ecb23b2de9836
• f997bc9973d1bac7be25513c9ef80783949069a00732fd630e74876a3019dd3b
• fcec660083595a7956cc13f9815ce23edcfbfa3e82c150a2f0fe6c0449433ce0
• fd7696f075bb712bd4d7f14dad9c297d99669d3b1c61e51ee2dae4cfa897b9ff
• fdac4b0e291a27c91cd3050c4e811d4fe33bb2189e44015d0d5a88f168441815
• fef0d09e80bce24d232f60977972934eb9b1a984f4b42fac5a9d9ebd93757127
  

Coverage

Screenshots of Detection AMP

ThreatGrid

Umbrella