Today, Talos is publishing a glimpse into the most prevalent threats we've observed between April 12 and April 19. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.
As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats are subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net. For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. As always, please remember that all IOCs contained in this document are indicators, and one single IOC does not indicate maliciousness.
The most prevalent threats highlighted in this roundup are:
Win.Malware.Dvee-6943598-0 (Malware): This generic malware cluster is packed with Kryptik. It persists through the registry and modifies system settings to enable other actions on the targeted machine.
Win.Worm.Vobfus-6943588-0 (Worm): Vobfus is a worm that copies itself to external drives and attempts to gain automatic code execution via autorun.inf files. It also modifies the registry so that it will launch when the system is booted. Once installed, it attempts to download follow-on malware from its command and control (C2) servers.
Win.Malware.Trickster-6943552-0 (Malware): Trickster (aka Trickbot) is a banking trojan targeting sensitive information for select financial institutions. This malware is being distributed through several malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VBS scripts.
Win.Packed.Razy-6943334-0 (Packed): Razy is oftentimes a generic detection name for a Windows trojan. It collects sensitive information from the infected host, encrypts the data, and sends it to a command and control (C2) server. Information collected might include screenshots. The samples modify auto-execute functionality by setting and creating a value in the registry for persistence.
Win.Ransomware.Cerber-6941980-0 (Ransomware): Cerber is ransomware that encrypts documents, photos, databases and other important files using the file extension ".cerber".
Win.Malware.Tofsee-6940401-1 (Malware): Tofsee is multi-purpose malware that features a number of modules used to carry out various activities such as sending spam messages, conducting click fraud, mining cryptocurrency, and more. Infected systems become part of the Tofsee spam botnet and are used to send large volumes of spam messages in an effort to infect additional systems and increase the overall size of the botnet under the operator's control.
Win.Malware.Ponystealer-6939264-0 (Malware): Ponystealer is known to be able to steal credentials from over 100 different applications and may also install other malware such as a remote access trojan (RAT).
Doc.Downloader.Emotet-6938868-0 (Downloader): Emotet is a banking trojan that has remained relevant due to its continual evolution to better avoid detection. It is commonly spread via malicious emails.
Win.Malware.Fareit-6938631-0 (Malware): The Fareit trojan is primarily an information stealer with functionality for downloading and installing other malware.
Win.Malware.Ircbot-6938570-0 (Malware): Ircbot, also known as Eldorado, is known for injecting into processes, spreading to removable media, and gaining execution via Autorun.inf files.

Threats

Win.Malware.Dvee-6943598-0
Indicators of Compromise
Registry Keys (Occurrences)
<HKLM>\System\CurrentControlSet\Services\NapAgent\Shas (13)
<HKLM>\System\CurrentControlSet\Services\NapAgent\Qecs (13)
<HKLM>\System\CurrentControlSet\Services\NapAgent\LocalConfig (13)
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\NAPAGENT\LOCALCONFIG\Enroll\HcsGroups (13)
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\NAPAGENT\LOCALCONFIG\UI (13)
<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List (13)
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN, Value Name: bikfir (13)
Mutexes
See JSON for more IOCs
IP Addresses contacted by malware. Does not indicate maliciousness (Occurrences)
216[.]218[.]206[.]69 (1)
Domain Names contacted by malware. Does not indicate maliciousness
N/A
Files and or directories created
N/A
File Hashes
See JSON for more IOCs
Screenshots of Detection: AMP, ThreatGrid
Win.Worm.Vobfus-6943588-0
Indicators of Compromise
Registry Keys (Occurrences)
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\WindowsUpdate (44)
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED, Value Name: ShowSuperHidden (44)
<HKLM>\SOFTWARE\WOW6432NODE\Policies (44)
<HKLM>\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\WindowsUpdate\AU (44)
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\WINDOWSUPDATE\AU (44)
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\WINDOWSUPDATE\AU, Value Name: NoAutoUpdate (44)
<HKLM>\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU (44)
Mutexes (Occurrences)
\BaseNamedObjects\A (43)
IP Addresses contacted by malware. Does not indicate maliciousness (Occurrences)
204[.]11[.]56[.]48 (43)
Domain Names contacted by malware. Does not indicate maliciousness (Occurrences)
ns1[.]helpupdated[.]com (44)
ns1[.]helpupdates[.]com (43)
ns1[.]helpupdated[.]net (43)
ns1[.]helpupdater[.]net (43)
ns1[.]helpupdates[.]org (43)
ns1[.]helpupdated[.]org (42)
ns1[.]helpupdates[.]net (42)
Files and or directories created (Occurrences)
\autorun.inf (44)
\??\E:\System Volume Information.exe (44)
\System Volume Information.exe (44)
\$RECYCLE.BIN.exe (44)
\Secret.exe (44)
\??\E:\Passwords.exe (44)
\??\E:\Porn.exe (44)
\??\E:\Secret.exe (44)
\??\E:\Sexy.exe (44)
\??\E:\x.mpeg (44)
\Passwords.exe (44)
\Porn.exe (44)
\Sexy.exe (44)
\??\E:\autorun.inf (41)
\??\E:\$RECYCLE.BIN.exe (40)
%HOMEPATH%\tuoopiv.exe (1)
%HOMEPATH%\yeeideg.exe (1)
%HOMEPATH%\xoaqoz.exe (1)
%HOMEPATH%\fooucax.exe (1)
%HOMEPATH%\doohuoh.exe (1)
%HOMEPATH%\maasie.exe (1)
%HOMEPATH%\hoila.exe (1)
%HOMEPATH%\rwfiik.exe (1)
%HOMEPATH%\luuaj.exe (1)
%HOMEPATH%\komaq.exe (1)
See JSON for more IOCs
File Hashes
See JSON for more IOCs
Coverage
Screenshots of Detection: AMP, ThreatGrid, Umbrella
Win.Malware.Trickster-6943552-0
Indicators of Compromise
Registry Keys (Occurrences)
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDEFEND, Value Name: DeleteFlag (25)
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDEFEND, Value Name: Start (25)
<HKLM>\SOFTWARE\Wow6432Node\ODBC\ODBCINST.INI\ODBC Connection Pooling (25)
<HKLM>\SOFTWARE\WOW6432NODE\ODBC\ODBCINST.INI\ODBC CONNECTION POOLING, Value Name: Retry Wait (25)
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\COMPATIBILITYADAPTER\SIGNATURES, Value Name: DefragWinSysTask.job (25)
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\COMPATIBILITYADAPTER\SIGNATURES, Value Name: DefragWinSysTask.job.fp (25)
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\DEFRAGWINSYSTASK, Value Name: Id (25)
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\DEFRAGWINSYSTASK, Value Name: Index (25)
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\DEFRAGWINSYSTASK, Value Name: Id (25)
<HKLM>\SOFTWARE\ODBC\ODBCINST.INI\ODBC Connection Pooling (24)
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\HANDSHAKE\{63696C4F-E894-414D-8EDD-EC59133E665B} (12)
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{F95BF9F7-D3F3-4AC5-8A3F-4B59850DD369}, Value Name: Path (12)
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\HANDSHAKE\{C6E23691-91D5-4EF1-9A0F-35831712CA4D} (5)
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{6FBD3206-3711-4788-B386-E054AB1B035A}, Value Name: Path (5)
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\HANDSHAKE\{A2E3CD1A-FC1F-429E-AE42-F10FC0FE5F62} (4)
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{DD4D0EA2-1AA6-4E9E-8929-8DA13093B023}, Value Name: Path (4)
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\HANDSHAKE\{B78E9CED-C151-484D-9668-62B5883DF1B7} (3)
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{39B6E100-0C7A-4C93-B02D-9BC71BBE7971}, Value Name: Path (3)
Mutexes (Occurrences)
Global\316D1C7871E10 (25)
IP Addresses contacted by malware. Does not indicate maliciousness (Occurrences)
216[.]218[.]206[.]69 (1)
Domain Names contacted by malware. Does not indicate maliciousness
N/A
Files and or directories created (Occurrences)
%APPDATA%\SysDefrag (25)
%System32%\Tasks\DefragWinSysTask (25)
See JSON for more IOCs
File Hashes
See JSON for more IOCs
Coverage
Screenshots of Detection: AMP, ThreatGrid
Win.Packed.Razy-6943334-0
Indicators of Compromise
Registry Keys (Occurrences)
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS, Value Name: LoadAppInit_DLLs (18)
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\COMPATIBILITYADAPTER\SIGNATURES, Value Name: aybbmte.job (18)
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\COMPATIBILITYADAPTER\SIGNATURES, Value Name: aybbmte.job.fp (18)
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\AYBBMTE, Value Name: Index (18)
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS, Value Name: AppInit_DLLs (18)
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\AYBBMTE, Value Name: Id (18)
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\HANDSHAKE\{F2B28AC6-1443-43F4-9832-8315397F35E8} (14)
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{FF46FC7D-1E0D-46F8-87EC-94D0FDA83668}, Value Name: Path (14)
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{FF46FC7D-1E0D-46F8-87EC-94D0FDA83668}, Value Name: Hash (14)
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{FF46FC7D-1E0D-46F8-87EC-94D0FDA83668}, Value Name: Triggers (14)
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\HANDSHAKE\{F2B28AC6-1443-43F4-9832-8315397F35E8}, Value Name: data (14)
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{FF46FC7D-1E0D-46F8-87EC-94D0FDA83668}, Value Name: DynamicInfo (14)
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{F95BF9F7-D3F3-4AC5-8A3F-4B59850DD369}, Value Name: Triggers (1)
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{088B2EE3-A639-491E-B1E6-84AE447D785F}, Value Name: DynamicInfo (1)
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\HANDSHAKE\{94669170-5F40-43E0-9D77-69BC9146DF72}, Value Name: data (1)
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{9C9693B0-E894-414D-8675-6B58133E665B}, Value Name: DynamicInfo (1)
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\HANDSHAKE\{6E1FF505-4705-412B-825D-ECE026885614}, Value Name: data (1)
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\HANDSHAKE\{ADB65317-3AC3-40D4-B863-464193D5CE9A}, Value Name: data (1)
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{F95BF9F7-D3F3-4AC5-8A3F-4B59850DD369}, Value Name: DynamicInfo (1)
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\HANDSHAKE\{63696C4F-E894-414D-BED2-EC59133E665B}, Value Name: data (1)
IP Addresses contacted by malware. Does not indicate maliciousness (Occurrences)
216[.]218[.]206[.]69 (1)
Domain Names contacted by malware. Does not indicate maliciousness
N/A
Files and or directories created (Occurrences)
%ProgramData%\Mozilla\thfirxd.exe (18)
%System32%\Tasks\aybbmte (18)
%ProgramData%\Mozilla\lygbwac.dll (18)
%HOMEPATH%\APPLIC~1\Mozilla\kvlcuie.dll (18)
%HOMEPATH%\APPLIC~1\Mozilla\tfbkpde.exe (18)
%SystemRoot%\Tasks\kylaxsk.job (18)
File Hashes
See JSON for more IOCs
Screenshots of Detection: AMP, ThreatGrid
Win.Ransomware.Cerber-6941980-0
Indicators of Compromise
Registry Keys (Occurrences)
<HKLM>\System\CurrentControlSet\Services\NapAgent\Shas (15)
<HKLM>\System\CurrentControlSet\Services\NapAgent\Qecs (15)
<HKCU>\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage2 (15)
<HKLM>\Software\Wow6432Node\Microsoft\Tracing\RASAPI32 (15)
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\TRACING\RASAPI32, Value Name: EnableFileTracing (15)
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\TRACING\RASAPI32, Value Name: EnableConsoleTracing (15)
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\TRACING\RASAPI32, Value Name: FileTracingMask (15)
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\TRACING\RASAPI32, Value Name: ConsoleTracingMask (15)
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\TRACING\RASAPI32, Value Name: MaxFileSize (15)
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\TRACING\RASAPI32, Value Name: FileDirectory (15)
<HKLM>\System\CurrentControlSet\Services\NapAgent\LocalConfig (15)
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\NAPAGENT\LOCALCONFIG\Enroll\HcsGroups (15)
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\NAPAGENT\LOCALCONFIG\UI (15)
<HKCU>\SOFTWARE\Microsoft\Speech\Voices (15)
<HKCU>\SOFTWARE\Microsoft\Speech\CurrentUserLexicon (15)
<HKCU>\SOFTWARE\MICROSOFT\SPEECH\CURRENTUSERLEXICON\AppLexicons (15)
<HKCU>\SOFTWARE\MICROSOFT\SPEECH\CURRENTUSERLEXICON\{C9E37C15-DF92-4727-85D6-72E5EEB6995A} (15)
<HKCU>\SOFTWARE\MICROSOFT\SPEECH\CURRENTUSERLEXICON\{C9E37C15-DF92-4727-85D6-72E5EEB6995A}\Files (15)
<HKCU>\SOFTWARE\Microsoft\Speech\AppLexicons (15)
<HKCU>\SOFTWARE\Microsoft\Speech\PhoneConverters (15)
<HKCU>\SOFTWARE\MICROSOFT\SPEECH\VOICES, Value Name: DefaultTokenId (15)
<HKCU>\SOFTWARE\MICROSOFT\SPEECH\CURRENTUSERLEXICON, Value Name: CLSID (15)
<HKCU>\SOFTWARE\MICROSOFT\SPEECH\CURRENTUSERLEXICON (15)
<HKCU>\SOFTWARE\MICROSOFT\SPEECH\CURRENTUSERLEXICON, Value Name: Generation (15)
<HKCU>\SOFTWARE\MICROSOFT\SPEECH\PHONECONVERTERS, Value Name: DefaultTokenId (15)
Mutexes
See JSON for more IOCs
IP Addresses contacted by malware. Does not indicate maliciousness
See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousness (Occurrences)
p27dokhpz2n7nvgr[.]1j9r76[.]top (15)
api[.]blockcypher[.]com (14)
chain[.]so (14)
bitaps[.]com (14)
btc[.]blockr[.]io (14)
crl[.]comodoca4[.]com (9)
crl[.]usertrust[.]com (9)
w3z5q8a6[.]stackpathcdn[.]com (9)
Files and or directories created (Occurrences)
%APPDATA%\Microsoft\OneNote\14.0\Preferences.dat (15)
%TEMP%\d19ab989 (15)
%APPDATA%\Microsoft\Speech (15)
%APPDATA%\Microsoft\Speech\Files (15)
%APPDATA%\Microsoft\Speech\Files\UserLexicons (15)
%TEMP%\d19ab989\4710.tmp (15)
%TEMP%\d19ab989\a35f.tmp (15)
%LOCALAPPDATA%\Microsoft\Office\Groove\System\CSMIPC.dat (15)
%LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Content.IE5\6YL4T24G\1016d7ceff188e9fe32e68e9761bd811f354cfb31d7d106ec3c4f3ebce7f7a50[1].json (15)
%LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Content.IE5\7V3XNPL2\all[1].json (15)
%LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Content.IE5\SSZWDDXW\17gd1msp5FnMcEMF1MitTNSsYs7w7AQyCt[1] (15)
%APPDATA%\Microsoft\Outlook\Outlook.srs (15)
%TEMP%\8f793a96\4751.tmp (14)
%TEMP%\8f793a96\da80.tmp (14)
\I386\DRVMAIN.SDB (14)
\I386\EULA.TXT (14)
\I386\HWCOMP.DAT (14)
\I386\SECUPD.DAT (14)
\I386\SETUPLDR.BIN (14)
\I386\WIN9XMIG\ICM\SYMBOLS.PRI\RETAIL\DLL\MIGRATE.PDB (14)
\I386\WIN9XMIG\ICM\SYMBOLS\RETAIL\DLL\MIGRATE.PDB (14)
\I386\WIN9XMIG\IEMIG\SYMBOLS.PRI\RETAIL\DLL\MIGRATE.PDB (14)
\I386\WIN9XMIG\IEMIG\SYMBOLS\RETAIL\DLL\MIGRATE.PDB (14)
\I386\WIN9XMIG\PWS\SYMBOLS.PRI\RETAIL\DLL\MIGRATE.PDB (14)
\I386\WIN9XMIG\PWS\SYMBOLS\RETAIL\DLL\MIGRATE.PDB (14)
See JSON for more IOCs
File Hashes
See JSON for more IOCs
Screenshots of Detection: AMP, ThreatGrid
Win.Malware.Tofsee-6940401-1
Indicators of Compromise
Registry Keys (Occurrences)
<HKLM>\System\CurrentControlSet\Services\NapAgent\Shas (29)
<HKLM>\System\CurrentControlSet\Services\NapAgent\Qecs (29)
<HKLM>\System\CurrentControlSet\Control\SecurityProviders\Schannel (29)
<HKLM>\System\CurrentControlSet\Services\NapAgent\LocalConfig (29)
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\NAPAGENT\LOCALCONFIG\Enroll\HcsGroups (29)
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\NAPAGENT\LOCALCONFIG\UI (29)
<HKU>\.DEFAULT\Control Panel\Buses (29)
<HKU>\.DEFAULT\CONTROL PANEL\BUSES, Value Name: Config1 (29)
<HKU>\.DEFAULT\CONTROL PANEL\BUSES, Value Name: Config3 (29)
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\IBPVUCIX, Value Name: DisplayName (3)
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\IBPVUCIX, Value Name: WOW64 (3)
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\IBPVUCIX, Value Name: ObjectName (3)
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\IBPVUCIX, Value Name: Description (3)
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\haoutbhw (3)
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\HAOUTBHW, Value Name: Type (3)
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\HAOUTBHW, Value Name: Start (3)
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\HAOUTBHW, Value Name: ErrorControl (3)
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\HAOUTBHW, Value Name: DisplayName (3)
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\HAOUTBHW, Value Name: WOW64 (3)
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\HAOUTBHW, Value Name: ObjectName (3)
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\HAOUTBHW, Value Name: Description (3)
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS, Value Name: C:\Windows\SysWOW64\jcqwvdjy (3)
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\jcqwvdjy (3)
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\JCQWVDJY, Value Name: Type (3)
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\JCQWVDJY, Value Name: Start (3)
Mutexes (Occurrences)
Global\3a886eb8-fe40-4d0a-b78b-9e0bcb683fb7 (29)
IP Addresses contacted by malware. Does not indicate maliciousness
See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousness
See JSON for more IOCs
Files and or directories created (Occurrences)
%SystemRoot%\SysWOW64\config\systemprofile:.repos (29)
%SystemRoot%\SysWOW64\config\systemprofile (29)
%SystemRoot%\SysWOW64\IPHLPAPI.DLL (7)
%SystemRoot%\SysWOW64\dhcpcsvc.dll (5)
%SystemRoot%\SysWOW64\nlaapi.dll (5)
%SystemRoot%\SysWOW64\winnsi.dll (5)
%SystemRoot%\SysWOW64\dhcpcsvc6.dll (5)
%SystemRoot%\SysWOW64\NapiNSP.dll (5)
%SystemRoot%\SysWOW64\mswsock.dll (5)
%SystemRoot%\SysWOW64\pnrpnsp.dll (5)
%SystemRoot%\SysWOW64\dnsapi.dll (3)
%SystemRoot%\SysWOW64\ibpvucix (3)
%SystemRoot%\SysWOW64\haoutbhw (3)
%SystemRoot%\SysWOW64\jcqwvdjy (3)
%SystemRoot%\SysWOW64\mftzygmb (3)
%SystemRoot%\SysWOW64\winrnr.dll (3)
%SystemRoot%\SysWOW64\wpdjiqwl (2)
%SystemRoot%\SysWOW64\zsgmltzo (2)
%SystemRoot%\SysWOW64\buionvbq (2)
%SystemRoot%\SysWOW64\yrflksyn (2)
%TEMP%\npkbsmtm.exe (2)
%TEMP%\wdqqtewr.exe (1)
%TEMP%\fvbuvdtc.exe (1)
%TEMP%\resvxxvi.exe (1)
%TEMP%\wngjqdpo.exe (1)
See JSON for more IOCs
File Hashes
See JSON for more IOCs
Coverage
Screenshots of Detection: AMP, ThreatGrid, Umbrella
Win.Malware.Ponystealer-6939264-0
Indicators of Compromise
Registry Keys (Occurrences)
<HKCU>\Software\Remcos-2EVC58 (25)
<HKCU>\SOFTWARE\REMCOS-2EVC58, Value Name: EXEpath (25)
<HKU>\Software\Remcos-2EVC58 (1)
Mutexes (Occurrences)
Remcos_Mutex_Inj (25)
Remcos-2EVC58 (25)
\BaseNamedObjects\Remcos-2EVC58 (1)
IP Addresses contacted by malware. Does not indicate maliciousness (Occurrences)
216[.]58[.]218[.]238 (1)
Domain Names contacted by malware. Does not indicate maliciousness (Occurrences)
sammorisok55[.]ddns[.]net (25)
Files and or directories created (Occurrences)
%APPDATA%\remcos (25)
%APPDATA%\remcos\logs.dat (25)
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\notepad.vbe (25)
%APPDATA%\notepad.exe (25)
%HOMEPATH%\Start Menu\Programs\Startup\notepad.vbe (1)
File Hashes
Coverage
Screenshots of Detection: AMP, ThreatGrid
Doc.Downloader.Emotet-6938868-0
Indicators of Compromise
Registry Keys (Occurrences)
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS, Value Name: AutoDetect (25)
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\CONNECTIONS
Value Name: DefaultConnectionSettings
25
Mutexes (Occurrences)
Global\I98B68E3C
25
Global\M98B68E3C
25
IP Addresses contacted by malware. Does not indicate maliciousness. (Occurrences)
103[.]18[.]109[.]161
25
190[.]8[.]176[.]146
25
187[.]188[.]166[.]192
25
88[.]215[.]2[.]29
24
187[.]137[.]162[.]145
19
65[.]49[.]60[.]163
15
72[.]18[.]130[.]128
1
50[.]87[.]144[.]137
1
169[.]61[.]113[.]80
1
74[.]124[.]214[.]228
1
195[.]186[.]120[.]53
1
23[.]229[.]190[.]0
1
200[.]147[.]41[.]245
1
177[.]70[.]110[.]119
1
192[.]185[.]223[.]55
1
200[.]68[.]105[.]32
1
217[.]26[.]49[.]199
1
195[.]186[.]198[.]217
1
158[.]69[.]189[.]204
1
190[.]183[.]222[.]139
1
200[.]58[.]120[.]2
1
167[.]250[.]5[.]2
1
85[.]10[.]205[.]9
1
138[.]118[.]172[.]253
1
192[.]185[.]148[.]208
1
See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousness. (Occurrences)
aussiescanners[.]com
25
fumicolcali[.]com
25
smtp[.]vendwidias[.]com[.]br
1
smtp[.]cl-seguros[.]arnetbiz[.]com[.]ar
1
mail[.]bhz[.]terra[.]com[.]br
1
imap[.]nazaria[.]com[.]br
1
pop[.]jfwtransportadora[.]com[.]br
1
mail[.]agroconsultsrl[.]com[.]py
1
pop[.]naqua[.]com[.]br
1
mail[.]jroveda[.]com[.]br
1
mail[.]totalms[.]co[.]uk
1
mail[.]haciendachiapas[.]gob[.]mx
1
mail[.]dieselwheels[.]com
1
mail[.]amaralvidros[.]com[.]br
1
smtp[.]vivaceramica[.]com[.]br
1
smtp[.]umbler[.]com
1
mail[.]comerciallyb[.]cl
1
mail[.]negociosinternacionales[.]com
1
mail[.]procegas[.]com
1
smtp[.]sor[.]terra[.]com[.]br
1
pop[.]avante[.]com[.]mx
1
mail[.]abatsa[.]com[.]mx
1
gator4113[.]hostgator[.]com
1
dtcwin055[.]ferozo[.]com
1
uscentral434[.]accountservergroup[.]com
1
See JSON for more IOCs
Files and/or directories created (Occurrences)
%SystemRoot%\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat
25
%APPDATA%\Microsoft\Forms
25
%APPDATA%\Microsoft\Forms\WINWORD.box
25
%HOMEPATH%\480.exe
25
%SystemRoot%\SysWOW64\version.dll
1
%SystemRoot%\SysWOW64\wtsapi32.dll
1
%SystemRoot%\SysWOW64\cryptsp.dll
1
%System32%\en-US\tzres.dll.mui
1
%System32%\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml
1
%System32%\WindowsPowerShell\v1.0\HelpV3.format.ps1xml
1
%SystemRoot%\SysWOW64\aY7vprZGHT2Qh.exe
1
%SystemRoot%\SysWOW64\8aP4tvN3RT8.exe
1
%SystemRoot%\SysWOW64\H1r53NRGp.exe
1
%SystemRoot%\SysWOW64\HjMdJgmjW15bz.exe
1
%SystemRoot%\SysWOW64\2E60ntwKpo.exe
1
%SystemRoot%\SysWOW64\OGnsYK.exe
1
%SystemRoot%\SysWOW64\ZH6MNgKJytF.exe
1
%SystemRoot%\SysWOW64\tgRT5a3mCza.exe
1
%SystemRoot%\SysWOW64\Ne3EjNKGuuhmY6jFW.exe
1
%SystemRoot%\SysWOW64\TfGf.exe
1
%SystemRoot%\SysWOW64\rK4xjEqhKGACuL.exe
1
%SystemRoot%\SysWOW64\xmASsy4Qf.exe
1
%SystemRoot%\SysWOW64\4C3Cp6cy40lUnD2SKBU.exe
1
%SystemRoot%\SysWOW64\T5klBSN2QHk.exe
1
%SystemRoot%\SysWOW64\vkU5YM.exe
1
See JSON for more IOCs
File Hashes
See JSON for more IOCs
Coverage
Screenshots of Detection: AMP, ThreatGrid
Umbrella
Win.Malware.Fareit-6938631-0
Indicators of Compromise
Registry Keys (Occurrences)
<HKCU>\SOFTWARE\WINRAR
Value Name: HWID
9
<HKLM>\SAM\SAM\DOMAINS\ACCOUNT\USERS\000003E9
Value Name: F
9
<HKLM>\SAM\SAM\DOMAINS\ACCOUNT\USERS\000001F5
Value Name: F
9
<HKLM>\SAM\SAM\DOMAINS\ACCOUNT\USERS\000003EC
Value Name: F
9
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM
Value Name: EnableLUA
1
<HKLM>\Software\Wow6432Node\Microsoft\Tracing\59af6fd2267a663fcc7f2a9e1e4bc131_RASAPI32
1
<HKLM>\Software\Wow6432Node\Microsoft\Tracing\59af6fd2267a663fcc7f2a9e1e4bc131_RASMANCS
1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\TRACING\59AF6FD2267A663FCC7F2A9E1E4BC131_RASAPI32
Value Name: FileDirectory
1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\TRACING\59AF6FD2267A663FCC7F2A9E1E4BC131_RASMANCS
Value Name: FileDirectory
1
<HKCU>\Software\windowupdate2-4UUS6W
1
<HKCU>\SOFTWARE\WINDOWUPDATE2-4UUS6W
Value Name: Inj
1
<HKCU>\Software\Remcos-EEMFAJ
1
<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7616H3MP-B552-KB3O-PIO3-3PP888E55KW5}
1
<HKCU>\SOFTWARE\REMCOS-EEMFAJ
Value Name: licence
1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{7616H3MP-B552-KB3O-PIO3-3PP888E55KW5}
Value Name: StubPath
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: BOOKS
1
Mutexes (Occurrences)
Remcos_Mutex_Inj
3
A16467FA7-343A2EC6-F2351354-B9A74ACF-1DC8406A
3
Global\LOADPERF_MUTEX
1
A16467FA-7343A2EC-6F235135-4B9A74AC-F1DC8406A
1
DSKQUOTA_SIDCACHE_MUTEX
1
-
1
.NET CLR Data_Perf_Library_Lock_PID_640
1
.NET CLR Networking 4.0.0.0_Perf_Library_Lock_PID_640
1
.NET CLR Networking_Perf_Library_Lock_PID_640
1
.NET Data Provider for Oracle_Perf_Library_Lock_PID_640
1
.NET Data Provider for SqlServer_Perf_Library_Lock_PID_640
1
.NET Memory Cache 4.0_Perf_Library_Lock_PID_640
1
.NETFramework_Perf_Library_Lock_PID_640
1
ASP.NET_1.1.4322_Perf_Library_Lock_PID_640
1
ASP.NET_4.0.30319_Perf_Library_Lock_PID_640
1
ASP.NET_Perf_Library_Lock_PID_640
1
BITS_Perf_Library_Lock_PID_640
1
ESENT_Perf_Library_Lock_PID_640
1
Lsa_Perf_Library_Lock_PID_640
1
MSDTC Bridge 3.0.0.0_Perf_Library_Lock_PID_640
1
MSDTC Bridge 4.0.0.0_Perf_Library_Lock_PID_640
1
MSDTC_Perf_Library_Lock_PID_640
1
Outlook_Perf_Library_Lock_PID_640
1
PerfDisk_Perf_Library_Lock_PID_640
1
PerfNet_Perf_Library_Lock_PID_640
1
See JSON for more IOCs
IP Addresses contacted by malware. Does not indicate maliciousness. (Occurrences)
62[.]173[.]140[.]44
1
2[.]59[.]41[.]199
1
80[.]90[.]39[.]2
1
178[.]124[.]140[.]134
1
95[.]167[.]151[.]246
1
213[.]226[.]126[.]118
1
89[.]223[.]91[.]211
1
195[.]133[.]144[.]169
1
213[.]226[.]68[.]93
1
167[.]88[.]160[.]146
1
77[.]221[.]144[.]122
1
Domain Names contacted by malware. Does not indicate maliciousness. (Occurrences)
wellgam[.]com
6
WELLGAM[.]COM
4
frupidgi[.]cn
3
silfa[.]pw
3
SILFA[.]PW
3
wttiredfc[.]com
1
arispedservices[.]eu
1
Files and/or directories created (Occurrences)
%ProgramData%\Microsoft\Vault\AC658CB4-9126-49BD-B877-31EEDAB3F204\Policy.vpol
4
%LOCALAPPDATA%\Microsoft\Vault\4BF4C442-9B8A-41A0-B380-DD4A704DDB28\Policy.vpol
4
%TEMP%\37FFCBBC\api-ms-win-core-datetime-l1-1-0.dll
2
%TEMP%\37FFCBBC\api-ms-win-core-debug-l1-1-0.dll
2
%TEMP%\37FFCBBC\api-ms-win-core-errorhandling-l1-1-0.dll
2
%TEMP%\37FFCBBC\api-ms-win-core-file-l1-1-0.dll
2
%TEMP%\37FFCBBC\api-ms-win-core-file-l1-2-0.dll
2
%TEMP%\37FFCBBC\api-ms-win-core-file-l2-1-0.dll
2
%TEMP%\37FFCBBC\api-ms-win-core-handle-l1-1-0.dll
2
%TEMP%\37FFCBBC\api-ms-win-core-heap-l1-1-0.dll
2
%TEMP%\37FFCBBC\api-ms-win-core-interlocked-l1-1-0.dll
2
%TEMP%\37FFCBBC\api-ms-win-core-libraryloader-l1-1-0.dll
2
%TEMP%\37FFCBBC\api-ms-win-core-localization-l1-2-0.dll
2
%TEMP%\37FFCBBC\api-ms-win-core-memory-l1-1-0.dll
2
%TEMP%\37FFCBBC\api-ms-win-core-namedpipe-l1-1-0.dll
2
%TEMP%\37FFCBBC\api-ms-win-core-processenvironment-l1-1-0.dll
2
%TEMP%\37FFCBBC\api-ms-win-core-processthreads-l1-1-0.dll
2
%TEMP%\37FFCBBC\api-ms-win-core-processthreads-l1-1-1.dll
2
%TEMP%\37FFCBBC\api-ms-win-core-profile-l1-1-0.dll
2
%TEMP%\37FFCBBC\api-ms-win-core-rtlsupport-l1-1-0.dll
2
%TEMP%\37FFCBBC\api-ms-win-core-string-l1-1-0.dll
2
%TEMP%\37FFCBBC\api-ms-win-core-synch-l1-1-0.dll
2
%TEMP%\37FFCBBC\api-ms-win-core-synch-l1-2-0.dll
2
%TEMP%\37FFCBBC\api-ms-win-core-sysinfo-l1-1-0.dll
2
%TEMP%\37FFCBBC\api-ms-win-core-timezone-l1-1-0.dll
2
See JSON for more IOCs
File Hashes
073cb94ad50991e82bfa04d55bc03afdf3a56962ee5dd750dae0719250e8ae65
1f4b210d95c8579399cd740a2887ad5dcdeceb97833a0be187815b1404cca34a
243079480c0b1b3738c95610a384faf49bf4da2d206938570814d1f7d0a48447
384ccd374a7b0ad96c05c598a8805af2c0171554a8caa56b383b60f7a847e26f
3970c631a11302aa2769cf03e54b7f58fc09f7d8ed1590b48efcdef468cc7af7
3cded376ba5039cedca137403ea8abeae60a98ee666954e2d148f4cd13f446df
6d3088bc9c809f752614aca0bd966758e0bde32ec5e1a7b75d4bbc544ed13cda
79a9506b375a4728a84203ca601f4e561973de51421e28b37d7e56625134d6df
87ae6f32cea09d6664c923e32aa24041fef9787e74a5cd6f5e20c058c16c7ffe
9475131e5c57dbc60beb45669b58a26ee28af7aa65b90bb53b2646a86f4aad39
9b9e07d8b709b5257125bfdc04848d1d28232fcfcc0caf22bb58b9ddb1c3d3ae
a1c1ed52d04468d58c5d51f35718ada1b1f1d7ddb4c637bdb7c887dc0966b407
a552f5070d93037fffaec488750b3f000d46fedc7f70e42c0b0cdd42d4ae4805
b47dd06ed3f8512f0a7dfddd76d6ebce52be75d4bdf7350aa625ae441efe9637
b89daf58637c8023e41b6bac95969df87a2d259187436ba64023a97b8bf2085c
bc6d99b1311f8ecb6b60ba7379c4ab9e568bc4f232d214eb23abfef555929efc
c6d76a61f441862a7b6880c7faf093a185a723825e22ef8df5a772889f7302a7
cd476668e2348c443630d7c52b75f67e8d7ec1b86a5a65a614b52fb62e019928
cf7c5ad0aee65aae567e53cceb53c954712377d4958da6f0a45983b279d279a0
d6996f7c5e6db6805bf893a5d5b1259cf9acf9c30cdca120d25416063c46bd68
e739c021bdd5165827e4c5e2c118bd9a7107487515e4ab182e4b99d03c3701cf
eac79f944bdbd92c73cb179b61d2e34495d050e929e5068143e22bf0d31fa693
ebd9171d7fd10bb3c5234458f33df42a5d4a652a3a1c6bb5a045d94a29c40529
ec681af368a0a3cbbdfea9744ed80ad37bc9166be9a8698310ba18276450047f
fb77150a54a4f0cb5b495bd24927e70cd6a0dd519d9e8192a729d08753a48eef
See JSON for more IOCs
Coverage
Screenshots of Detection: AMP, ThreatGrid
Umbrella
Win.Malware.Ircbot-6938570-0
Indicators of Compromise
Registry Keys (Occurrences)
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: *-334428029
1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: *-334428029
1
Mutexes (Occurrences)
gcc-shmem-tdm2-fc_key
16
gcc-shmem-tdm2-sjlj_once
16
gcc-shmem-tdm2-use_fc_key
16
UPDATE__
16
BACKUP_1295690263
1
MAIN_1295690263
1
BACKUP_-959641963
1
MAIN_-959641963
1
BACKUP_953815319
1
MAIN_953815319
1
BACKUP_2070810229
1
MAIN_2070810229
1
BACKUP_895421598
1
MAIN_895421598
1
BACKUP_1582140582
1
MAIN_1582140582
1
BACKUP_-1913070738
1
MAIN_-1913070738
1
BACKUP_-334428029
1
MAIN_-334428029
1
BACKUP_839036346
1
MAIN_839036346
1
BACKUP_-813287923
1
MAIN_-813287923
1
BACKUP_175490003
1
See JSON for more IOCs
IP Addresses contacted by malware. Does not indicate maliciousness. (Occurrences)
104[.]200[.]23[.]95
1
153[.]92[.]0[.]100
1
204[.]74[.]99[.]100
1
88[.]99[.]150[.]216
1
185[.]53[.]178[.]6
1
141[.]8[.]197[.]42
1
Domain Names contacted by malware. Does not indicate maliciousness. (Occurrences)
3ASH2[.]COM
2
3ash2[.]com
2
www[.]mydomaincontact[.]com
1
iyfsearch[.]com
1
site[.]com
1
www[.]bplaced[.]net
1
bociklocik[.]ye[.]vc
1
f0164361[.]xsph[.]ru
1
wolfayoub[.]3eeweb[.]com
1
MARSON42[.]COM
1
marson42[.]com
1
mydankmemes[.]club
1
myfreedomainlol[.]tk
1
vitusend[.]net84[.]net
1
time-by123[.]esy[.]es
1
argenfull[.]com
1
ARGENFULL[.]COM
1
WWW[.]TOR4FUN[.]FR
1
www[.]tor4fun[.]fr
1
update-sam[.]square7[.]ch
1
urminenow[.]0xhost[.]net
1
holdbet[.]ru
1
HOLDBET[.]RU
1
Files and/or directories created (Occurrences)
%System32%\config\SOFTWARE.LOG1
16
%HOMEPATH%\NTUSER.DAT
16
%HOMEPATH%\ntuser.dat.LOG1
16
%APPDATA%\1295690263
1
%APPDATA%\1295690263\unsecapp
1
%APPDATA%\-959641963
1
%APPDATA%\-959641963\realsched
1
%APPDATA%\953815319
1
%APPDATA%\953815319\unsecapp
1
%APPDATA%\2070810229
1
%APPDATA%\2070810229\winsys
1
%APPDATA%\895421598
1
%APPDATA%\895421598\ctfmon
1
%APPDATA%\1582140582
1
%APPDATA%\1582140582\spoolsv
1
%APPDATA%\-1913070738
1
%APPDATA%\-1913070738\realsched
1
%APPDATA%\-334428029
1
%APPDATA%\-334428029\BCU
1
%APPDATA%\839036346
1
%APPDATA%\839036346\winlogon
1
%APPDATA%\-813287923
1
%APPDATA%\-813287923\csrss
1
%APPDATA%\175490003
1
%APPDATA%\175490003\winlogon
1
See JSON for more IOCs
File Hashes
Screenshots of Detection: AMP, ThreatGrid
Umbrella
Exprev

Cisco AMP for Endpoints protects users from a variety of malware functions with exploit prevention. Exploit prevention helps users defend endpoints from memory attacks commonly used by obfuscated malware and exploits. These exploits use certain features to bypass typical anti-virus software, but were blocked by AMP thanks to its advanced scanning capabilities, even protecting against zero-day vulnerabilities.

Madshi injection detected (4097)
Madshi is a code injection framework that uses process injection to start a new thread if other methods to start a thread within a process fail. This framework is used by a number of security solutions. It is also possible for malware to use this technique.

Kovter injection detected (2923)
A process was injected into, most likely by an existing Kovter infection. Kovter is a click-fraud trojan that can also act as an information stealer. Kovter is also file-less malware, meaning the malicious DLL is stored inside the Windows registry and injected directly into memory using PowerShell. It can detect and report the usage of monitoring software such as Wireshark and sandboxes to its C2. It spreads through malicious advertising and spam campaigns.

PowerShell file-less infection detected (1334)
A PowerShell command was stored in an environment variable and run. The environment variable is commonly set by a previously run script and is used as a means of evasion. This behavior is a known tactic of the Kovter and Poweliks malware families.

Process hollowing detected (494)
Process hollowing is a technique used by some programs to avoid static analysis. In typical usage, a process is started and its obfuscated or encrypted contents are unpacked into memory. The parent then manually sets up the first stages of launching a child process, but before launching it, the memory is cleared and filled in with the memory from the parent instead.

Dealply adware detected (193)
DealPly is adware which claims to improve your online shopping experience. It is often bundled into other legitimate installers and is difficult to uninstall. It creates pop-up advertisements and injects advertisements into web pages. Adware has also been known to download and install malware.

Gamarue malware detected (173)
Gamarue is a family of malware that can download files and steal information from an infected system. Worm variants of the Gamarue family may spread by infecting USB drives or portable hard disks that have been plugged into a compromised system.

Atom Bombing code injection technique detected (168)
A process created a suspicious Atom, which is indicative of a known process injection technique called Atom Bombing. Atoms are Windows identifiers that associate a string with a 16-bit integer. These Atoms are accessible across processes when placed in the global Atom table. Malware exploits this by placing shellcode as a global Atom, then accessing it through an Asynchronous Procedure Call (APC). A target process runs the APC function, which loads and runs the shellcode. The malware family Dridex is known to use Atom Bombing, but other threats may leverage it as well.

Trickbot malware detected (137)
Trickbot is a banking trojan that appeared in late 2016. Due to the similarities between Trickbot and Dyre, it is suspected that some of the individuals responsible for Dyre are now responsible for Trickbot. Trickbot has been rapidly evolving over the months since it appeared. However, Trickbot is still missing some of the capabilities Dyre possessed. Its current modules include DLL injection, system information gathering, and email searching.

Suspicious PowerShell execution detected (114)
A PowerShell command has attempted to bypass the execution policy to run unsigned or untrusted script content. PowerShell is an extensible Windows scripting language present on all versions of Windows. Malware authors use PowerShell in an attempt to evade security software or other monitoring that is not tuned to detect PowerShell-based threats.

Excessively long PowerShell command detected (87)
A PowerShell command with a very long command-line argument that may indicate an obfuscated script has been detected. PowerShell is an extensible Windows scripting language present on all versions of Windows. Malware authors use PowerShell in an attempt to evade security software or other monitoring that is not tuned to detect PowerShell-based threats.
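The three PowerShell-related categories above (file-less infection via an environment variable, execution-policy bypass, and an excessively long command line) can all be checked from a process-creation record's command line. The following is an added illustration of that detection logic, not Talos or Cisco AMP code: the sample records, the 400-character length threshold, the regular expressions and the label names are all assumptions chosen for the example. It also decodes `-EncodedCommand` arguments before matching, so that base64 encoding alone does not hide the other two patterns.

```python
"""Heuristics for the PowerShell-related Exploit Prevention categories.

Added illustration, not Talos or Cisco AMP code. The sample process records
are constructed; the threshold, regexes and label names are assumptions.
"""
import base64
import re
from typing import Dict, List, Tuple

# Assumed threshold for "excessively long"; a real deployment would tune it
# against its own baseline of legitimate PowerShell command lines.
LONG_CMDLINE_THRESHOLD = 400

POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}

# -ExecutionPolicy Bypass and its abbreviations (-ex, -ep) run unsigned script content.
BYPASS_RE = re.compile(r"-(?:executionpolicy|ex|ep)\s+(?:bypass|unrestricted)\b", re.IGNORECASE)
# -EncodedCommand (-enc, -ec, -e) carries a base64-encoded UTF-16LE script.
ENCODED_RE = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)
# Script body read from an environment variable and handed to Invoke-Expression.
ENV_VAR_RE = re.compile(r"\$env:\w+|%\w+%", re.IGNORECASE)
IEX_RE = re.compile(r"\biex\b|invoke-expression", re.IGNORECASE)


def decode_encoded_command(b64: str) -> str:
    """Decode an -EncodedCommand argument (base64 of UTF-16LE); '' if it is not valid."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""


def is_powershell(image: str) -> bool:
    """True when the process image is a PowerShell host, whatever its directory."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower() in POWERSHELL_IMAGES


def classify(image: str, cmdline: str) -> List[str]:
    """Return the labels a process-creation record triggers (empty list if none)."""
    if not is_powershell(image):
        return []
    labels: List[str] = []
    # Match against the decoded script as well, so encoding does not hide the patterns.
    decoded = ""
    m = ENCODED_RE.search(cmdline)
    if m:
        decoded = decode_encoded_command(m.group(1))
    text = f"{cmdline}\n{decoded}"
    if BYPASS_RE.search(text):
        labels.append("Suspicious PowerShell execution")
    if len(cmdline) > LONG_CMDLINE_THRESHOLD:
        labels.append("Excessively long PowerShell command")
    if ENV_VAR_RE.search(text) and IEX_RE.search(text):
        labels.append("PowerShell file-less infection")
    return labels


def scan(records: List[Dict[str, str]]) -> List[Tuple[str, List[str]]]:
    """Run classify() over records shaped like {'image': ..., 'cmdline': ...}."""
    return [(r["cmdline"], classify(r["image"], r["cmdline"])) for r in records]


# Constructed sample records (not from the roundup's telemetry).
_PS_IMAGE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
_LONG_SCRIPT = "$x = '" + "A" * 300 + "'; Write-Output $x"
_LONG_ENCODED = base64.b64encode(_LONG_SCRIPT.encode("utf-16-le")).decode("ascii")
_HIDDEN_SCRIPT = "Set-ExecutionPolicy Bypass -Scope Process; iex $env:payload"
_HIDDEN_ENCODED = base64.b64encode(_HIDDEN_SCRIPT.encode("utf-16-le")).decode("ascii")

SAMPLE_RECORDS = [
    {"image": _PS_IMAGE,
     "cmdline": r"powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Users\Public\update.ps1"},
    {"image": _PS_IMAGE, "cmdline": "powershell.exe -w hidden -ep bypass iex $env:qzxwvt"},
    {"image": _PS_IMAGE, "cmdline": "powershell.exe -EncodedCommand " + _LONG_ENCODED},
    {"image": _PS_IMAGE, "cmdline": "powershell.exe -enc " + _HIDDEN_ENCODED},
    {"image": _PS_IMAGE, "cmdline": "powershell.exe -Command Get-Date"},
    {"image": r"C:\Windows\System32\notepad.exe", "cmdline": r"notepad.exe C:\Users\Public\notes.txt"},
]

if __name__ == "__main__":
    for cmdline, labels in scan(SAMPLE_RECORDS):
        print(f"{labels or ['clean']}: {cmdline[:60]}")
```

The fourth sample record is the reason for the decoding step: its command line is short and contains no visible bypass flag, yet the decoded script both bypasses the execution policy and runs an environment variable through `iex`, so the record still receives two labels. Length alone stays a weak signal (legitimate installers and management tooling also produce long command lines), which is why the page's own categories treat it as a separate, lower-volume detection.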