Friday, May 3, 2019

Threat Roundup for April 26 to May 3


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between April 26 and May 03. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. As always, please remember that all IOCs contained in this document are indicators, and one single IOC does not indicated maliciousness.

The most prevalent threats highlighted in this roundup are:

  • Win.Malware.Shadowbrokers-6958490-0
    Malware
    Uiwix uses ETERNALBLUE and DOUBLEPULSAR to install ransomware on the infected system. Encrypted file names include "UIWIX" as part of the file extension. Unlike the well-known WannaCry ransomware, Uiwix doesn't "worm itself." It only installs itself on the system.
     
  • Win.Malware.Fareit-6958493-0
    Malware
    The Fareit trojan is primarily an information stealer that downloads and installs other malware.
     
  • Win.Malware.Ursnif-6957672-0
    Malware
    Ursnif is used to steal sensitive information from an infected host and can also act as a malware downloader. It is commonly spread through malicious emails or exploit kits.
     
  • Win.Ransomware.Cerber-6957317-0
    Ransomware
    Cerber is ransomware that encrypts documents, photos, databases and other important files using the file extension ".cerber."
     
  • Win.Dropper.Nymaim-6956636-0
    Dropper
    Nymaim is malware that can be used to deliver ransomware and other malicious payloads. It uses a domain generation algorithm to generate potential command and control (C2) domains to connect to additional payloads.
     
  • Win.Dropper.Qakbot-6956539-0
    Dropper
    Qakbot, aka Qbot, has been around for since at least 2008. Qbot primarily targets sensitive information like banking credentials but can also steal FTP credentials and spread across a network using SMB.
     
  • Win.Malware.Tovkater-6956309-0
    Malware
    This malware is able to download and upload files, inject malicious code and install additional malware.
     
  • Doc.Downloader.Powload-6956274-0
    Downloader
    Powload is a malicious document that uses PowerShell to download malware. This campaign is currently distributing Emotet malware.
     
  • Win.Dropper.Kovter-6956146-0
    Dropper
    Kovter is known for its fileless persistence mechanism. This family of malware creates several malicious registry entries which store its malicious code. Kovter is capable of reinfecting a system even if the file system has been cleaned of the infection. Kovter has been used in the past to spread ransomware and click-fraud malware.
     
  • Win.Trojan.Razy-6956092-0
    Trojan
    Razy is oftentimes a generic detection name for a Windows trojan. This cluster of samples contains encrypted code in the resources section that could be injected to a legitimate process.
     

Threats

Win.Malware.Shadowbrokers-6958490-0


Indicators of Compromise


Registry Keys Occurrences
<A>\{32DE27EC-AB30-11E8-A007-00501E3AE7B5}\DEFAULTOBJECTSTORE\OBJECTTABLE\ABC\INDEXES\FileIdIndex-{3f37ba64-ef5c-11e4-bb8d-806e6f6e6963} 19
<A>\{32DE27EC-AB30-11E8-A007-00501E3AE7B5}\DEFAULTOBJECTSTORE\OBJECTTABLE\AB7
Value Name: _FileId_
19
<A>\{32DE27EC-AB30-11E8-A007-00501E3AE7B5}\DEFAULTOBJECTSTORE\OBJECTTABLE\AB7\INDEXES\FILEIDINDEX-{3F37BA64-EF5C-11E4-BB8D-806E6F6E6963}
Value Name: 100000000928D
19
<A>\{32DE27EC-AB30-11E8-A007-00501E3AE7B5}\DEFAULTOBJECTSTORE\OBJECTTABLE\AB7
Value Name: AeFileID
19
<A>\{32DE27EC-AB30-11E8-A007-00501E3AE7B5}\DEFAULTOBJECTSTORE\OBJECTTABLE\AB8
Value Name: _FileId_
19
<A>\{32DE27EC-AB30-11E8-A007-00501E3AE7B5}\DEFAULTOBJECTSTORE\OBJECTTABLE\AB8\INDEXES\FILEIDINDEX-{3F37BA64-EF5C-11E4-BB8D-806E6F6E6963}
Value Name: 1000000009511
19
<A>\{32DE27EC-AB30-11E8-A007-00501E3AE7B5}\DEFAULTOBJECTSTORE\OBJECTTABLE\AB8
Value Name: AeFileID
19
<A>\{32DE27EC-AB30-11E8-A007-00501E3AE7B5}\DEFAULTOBJECTSTORE\OBJECTTABLE\AB9
Value Name: _FileId_
19
<A>\{32DE27EC-AB30-11E8-A007-00501E3AE7B5}\DEFAULTOBJECTSTORE\OBJECTTABLE\AB9\INDEXES\FILEIDINDEX-{3F37BA64-EF5C-11E4-BB8D-806E6F6E6963}
Value Name: 1000000009362
19
<A>\{32DE27EC-AB30-11E8-A007-00501E3AE7B5}\DEFAULTOBJECTSTORE\OBJECTTABLE\AB9
Value Name: AeFileID
19
<A>\{32DE27EC-AB30-11E8-A007-00501E3AE7B5}\DEFAULTOBJECTSTORE\OBJECTTABLE\ABA
Value Name: _ObjectId_
19
<A>\{32DE27EC-AB30-11E8-A007-00501E3AE7B5}\DEFAULTOBJECTSTORE\OBJECTTABLE\ABA
Value Name: _FileId_
19
<A>\{32DE27EC-AB30-11E8-A007-00501E3AE7B5}\DEFAULTOBJECTSTORE\OBJECTTABLE\ABA
Value Name: _Usn_
19
<A>\{32DE27EC-AB30-11E8-A007-00501E3AE7B5}\DEFAULTOBJECTSTORE\OBJECTTABLE\ABA
Value Name: _UsnJournalId_
19
<A>\{32DE27EC-AB30-11E8-A007-00501E3AE7B5}\DEFAULTOBJECTSTORE\OBJECTTABLE\ABA\INDEXES\FILEIDINDEX-{3F37BA64-EF5C-11E4-BB8D-806E6F6E6963}
Value Name: 1000000009363
19
<A>\{32DE27EC-AB30-11E8-A007-00501E3AE7B5}\DEFAULTOBJECTSTORE\OBJECTTABLE\ABA
Value Name: AeFileID
19
<A>\{32DE27EC-AB30-11E8-A007-00501E3AE7B5}\DEFAULTOBJECTSTORE\OBJECTTABLE\ABA
Value Name: AeProgramID
19
<A>\{32DE27EC-AB30-11E8-A007-00501E3AE7B5}\DEFAULTOBJECTSTORE\OBJECTTABLE\ABB
Value Name: _ObjectId_
19
<A>\{32DE27EC-AB30-11E8-A007-00501E3AE7B5}\DEFAULTOBJECTSTORE\OBJECTTABLE\ABB
Value Name: _FileId_
19
<A>\{32DE27EC-AB30-11E8-A007-00501E3AE7B5}\DEFAULTOBJECTSTORE\OBJECTTABLE\ABB
Value Name: _Usn_
19
<A>\{32DE27EC-AB30-11E8-A007-00501E3AE7B5}\DEFAULTOBJECTSTORE\OBJECTTABLE\ABB
Value Name: _UsnJournalId_
19
<A>\{32DE27EC-AB30-11E8-A007-00501E3AE7B5}\DEFAULTOBJECTSTORE\OBJECTTABLE\ABB\INDEXES\FILEIDINDEX-{3F37BA64-EF5C-11E4-BB8D-806E6F6E6963}
Value Name: 10000000095D4
19
<A>\{32DE27EC-AB30-11E8-A007-00501E3AE7B5}\DEFAULTOBJECTSTORE\OBJECTTABLE\ABB
Value Name: AeFileID
19
<A>\{32DE27EC-AB30-11E8-A007-00501E3AE7B5}\DEFAULTOBJECTSTORE\OBJECTTABLE\ABB
Value Name: AeProgramID
19
<A>\{32DE27EC-AB30-11E8-A007-00501E3AE7B5}\DEFAULTOBJECTSTORE\OBJECTTABLE\ABC
Value Name: _ObjectId_
19
Mutexes Occurrences
Global\2f6e8021-6b52-11e9-a007-00501e3ae7b5 1
Global\2f7cc861-6b52-11e9-a007-00501e3ae7b5 1
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
69[.]55[.]1[.]146 18
69[.]55[.]1[.]100 18
69[.]55[.]4[.]196 18
69[.]55[.]2[.]201 18
69[.]55[.]4[.]155 18
69[.]55[.]2[.]131 18
69[.]55[.]4[.]179 18
69[.]55[.]4[.]178 18
69[.]55[.]2[.]130 18
69[.]55[.]4[.]217 18
69[.]55[.]1[.]36 18
69[.]55[.]1[.]37 18
69[.]55[.]4[.]171 18
69[.]55[.]4[.]170 18
69[.]55[.]4[.]173 18
69[.]55[.]4[.]172 18
69[.]55[.]1[.]30 18
69[.]55[.]4[.]174 18
69[.]55[.]4[.]177 18
69[.]55[.]4[.]176 18
69[.]55[.]5[.]75 18
69[.]55[.]5[.]74 18
69[.]55[.]5[.]79 18
69[.]55[.]5[.]78 18
69[.]55[.]5[.]81 18
See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
v4[.]ipv6-test[.]com 11
sex[.]kuai-go[.]com 4
ilo[.]brenz[.]pl 1
teetah[.]com 1
thmqyo[.]com 1
iadaef[.]com 1
yvyqyr[.]com 1
yyhhwt[.]com 1
yoiupy[.]com 1
abvyoh[.]com 1
evoyci[.]com 1
nzooyn[.]com 1
niulzo[.]com 1
meadgz[.]com 1
yxpwly[.]com 1
cberyk[.]com 1
xuvvie[.]com 1
nfgesv[.]com 1
rjodmz[.]com 1
ygjuju[.]com 1
iauany[.]com 1
zopkpn[.]com 1
ubnuov[.]com 1
kroqzu[.]com 1
uxmaie[.]com 1
See JSON for more IOCs
Files and or directories created Occurrences
%SystemRoot%\Fonts\Mysql 21
%SystemRoot%\Fonts\Mysql\bat.bat 21
%SystemRoot%\Fonts\Mysql\Doublepulsar.dll 20
%SystemRoot%\Fonts\Mysql\Doublepulsar2.dll 20
%SystemRoot%\Fonts\Mysql\Eter.exe 20
%SystemRoot%\Fonts\Mysql\Eter.xml 20
%SystemRoot%\Fonts\Mysql\Eternalblue.dll 20
%SystemRoot%\Fonts\Mysql\Eternalblue2.dll 20
%SystemRoot%\Fonts\Mysql\NansHou.dll 20
%SystemRoot%\Fonts\Mysql\cmd.bat 20
%SystemRoot%\Fonts\Mysql\cnli-1.dll 20
%SystemRoot%\Fonts\Mysql\coli-0.dll 20
%SystemRoot%\Fonts\Mysql\crli-0.dll 20
%SystemRoot%\Fonts\Mysql\dmgd-4.dll 20
%SystemRoot%\Fonts\Mysql\exma-1.dll 20
%SystemRoot%\Fonts\Mysql\file.txt 20
%SystemRoot%\Fonts\Mysql\libeay32.dll 20
%SystemRoot%\Fonts\Mysql\libxml2.dll 20
%SystemRoot%\Fonts\Mysql\loab.bat 20
%SystemRoot%\Fonts\Mysql\load.bat 20
%SystemRoot%\Fonts\Mysql\mance.exe 20
%SystemRoot%\Fonts\Mysql\mance.xml 20
%SystemRoot%\Fonts\Mysql\nei.bat 20
%SystemRoot%\Fonts\Mysql\p.txt 20
%SystemRoot%\Fonts\Mysql\poab.bat 20
See JSON for more IOCs
File Hashes
  • 00e8030802e8f6b32c9e9b5167ba6854797af91947d605889b5dba3b2a29b74e
  • 054441dbcac05960e2ba1ae81903f4ed48786be51aeb346f4c2cc1162ba1749f
  • 0fa0b6d80e850f42f7d17681b2ff2147694053aa4680ddfcf632ee89d183a6fc
  • 16488c72a0c92c8a72dc78ee9d52cfc4ebf8a6392d9f91f2c966fc99abe05a03
  • 181ce9db0dea2a3a2e08860620c3015e61995a93729cb07e0b157d0e75c73343
  • 229ab5a9502a4f9efaf6b1ae193d49cd529479e4adf0475caa80f0086dd20c31
  • 23e3a6d9ce11a9ceef4f1a0731368a85587d612063d67fb518156fa88e20a277
  • 5a831048eaeed5fa07ae830ebe1ac176cdffd0764a978c89228f45125a8c07c3
  • 749cdaf3de5490da6a5c1900b415e1a10cba45d19593ca98378781d9488b6bee
  • 77f5a8b8c3d9091b5d3f050b2ac6183a9bfb86e8fd1085e96926c513c69cbffb
  • 811fc3535e7e4e67164d12a3a8a5d839365873b53e20f1ac3b5638cba279d0e9
  • 96799361f9e214dcdb35d14f3b93e35736d4f5e11a25e4672989c9b436ee6cdc
  • a013f2631ac35d43652d5ab7fd30e71187398b5c6ede6081fa6c73fb3f0b469a
  • ac80e17388fbd1f59b80c411d1449ce90a4ce5ada9d6ced63dc9890bfe5249ea
  • c29ae0b2992a0320c5d584a7af6ff8dfc590140d0652aa22b374a8b6946a76f3
  • c74a2a95439224bdef39354f37ccb4ded7ce7ba071aac9d5efe505cdb7a828ac
  • db1b669b7daffcb3b6be5ba635afe5890d85e3f734a74e9a97c864ebb23ffd30
  • dc814196d52db10a9231754a3c33b58af9c995490a16c20328a954d8c1918589
  • e3e7c5bcb49da52952d85f30efbc86830536593e96e6b29f05f22ac14e208ce5
  • e6d879189c9cfe58aa9f83856eb4849caee841eb71557522c14d38bdd8bc8efe
  • fcad77aba9a0290e0f25b0512ceadf102aff36c955a319275b3f44565d53c383

Coverage


Screenshots of Detection

AMP

ThreatGrid

Umbrella

Win.Malware.Fareit-6958493-0


Indicators of Compromise


Registry Keys Occurrences
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: internat.exe
4
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: AGP Manager
3
<HKLM>\Software\Wow6432Node\Microsoft\Tracing\RASAPI32 2
<HKLM>\Software\Wow6432Node\Microsoft\Tracing\RASMANCS 2
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\TRACING\RASAPI32
Value Name: EnableFileTracing
2
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\TRACING\RASAPI32
Value Name: EnableConsoleTracing
2
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\TRACING\RASAPI32
Value Name: FileTracingMask
2
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\TRACING\RASAPI32
Value Name: ConsoleTracingMask
2
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\TRACING\RASAPI32
Value Name: MaxFileSize
2
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\TRACING\RASAPI32
Value Name: FileDirectory
2
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\TRACING\RASMANCS
Value Name: EnableFileTracing
2
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\TRACING\RASMANCS
Value Name: EnableConsoleTracing
2
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\TRACING\RASMANCS
Value Name: FileTracingMask
2
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\TRACING\RASMANCS
Value Name: ConsoleTracingMask
2
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\TRACING\RASMANCS
Value Name: MaxFileSize
2
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\TRACING\RASMANCS
Value Name: FileDirectory
2
<HKCU>\Software\Microsoft\Windows Script Host\Settings 2
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\COMPATIBILITYADAPTER\SIGNATURES
Value Name: AGP Manager.job
2
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\COMPATIBILITYADAPTER\SIGNATURES
Value Name: AGP Manager.job.fp
2
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\AGP MANAGER
Value Name: Index
2
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\COMPATIBILITYADAPTER\SIGNATURES
Value Name: AGP Manager Task.job
2
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\COMPATIBILITYADAPTER\SIGNATURES
Value Name: AGP Manager Task.job.fp
2
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\AGP MANAGER TASK
Value Name: Index
2
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\AGP MANAGER
Value Name: Id
2
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\AGP MANAGER TASK
Value Name: Id
2
Mutexes Occurrences
A16467FA7-343A2EC6-F2351354-B9A74ACF-1DC8406A 2
Remcos_Mutex_Inj 1
rdyboost_Perf_Library_Lock_PID_210 1
usbhub_Perf_Library_Lock_PID_210 1
.NET CLR Data_Perf_Library_Lock_PID_5b8 1
.NET CLR Networking 4.0.0.0_Perf_Library_Lock_PID_5b8 1
.NET CLR Networking_Perf_Library_Lock_PID_5b8 1
.NET Data Provider for Oracle_Perf_Library_Lock_PID_5b8 1
.NET Data Provider for SqlServer_Perf_Library_Lock_PID_5b8 1
.NET Memory Cache 4.0_Perf_Library_Lock_PID_5b8 1
.NETFramework_Perf_Library_Lock_PID_5b8 1
ASP.NET_1.1.4322_Perf_Library_Lock_PID_5b8 1
ASP.NET_4.0.30319_Perf_Library_Lock_PID_5b8 1
ASP.NET_Perf_Library_Lock_PID_5b8 1
BITS_Perf_Library_Lock_PID_5b8 1
ESENT_Perf_Library_Lock_PID_5b8 1
Lsa_Perf_Library_Lock_PID_5b8 1
MSDTC Bridge 3.0.0.0_Perf_Library_Lock_PID_5b8 1
MSDTC Bridge 4.0.0.0_Perf_Library_Lock_PID_5b8 1
MSDTC_Perf_Library_Lock_PID_5b8 1
Outlook_Perf_Library_Lock_PID_5b8 1
PerfDisk_Perf_Library_Lock_PID_5b8 1
PerfNet_Perf_Library_Lock_PID_5b8 1
PerfOS_Perf_Library_Lock_PID_5b8 1
PerfProc_Perf_Library_Lock_PID_5b8 1
See JSON for more IOCs
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
47[.]254[.]132[.]217 2
5[.]8[.]88[.]213 2
91[.]192[.]100[.]4 1
185[.]165[.]153[.]19 1
91[.]193[.]75[.]33 1
194[.]5[.]99[.]4 1
103[.]200[.]5[.]186 1
185[.]165[.]153[.]135 1
105[.]112[.]98[.]98 1
129[.]205[.]112[.]132 1
212[.]7[.]192[.]241 1
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
snooper112[.]ddns[.]net 1
harryng[.]ddns[.]net 1
popen[.]ru 1
hfgdhgjkgf[.]ru 1
rtyrtygjgf[.]ru 1
icabodgroup[.]hopto[.]org 1
Files and or directories created Occurrences
%APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5 3
%APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\Logs 3
%APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\Logs\Administrator 3
%APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\run.dat 3
%ProgramFiles(x86)%\AGP Manager 3
%ProgramFiles(x86)%\AGP Manager\agpmgr.exe 3
%System32%\Tasks\AGP Manager 2
%APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\task.dat 2
%APPDATA%\Install 2
%APPDATA%\Install\Host.exe 2
%System32%\Tasks\AGP Manager Task 2
%ProgramData%\Microsoft\Vault\AC658CB4-9126-49BD-B877-31EEDAB3F204\Policy.vpol 1
%LOCALAPPDATA%\Microsoft\Vault\4BF4C442-9B8A-41A0-B380-DD4A704DDB28\Policy.vpol 1
%APPDATA%\remcos 1
%APPDATA%\remcos\logs.dat 1
%APPDATA%\remcos\remcos.exe 1
%System32%\drivers\etc\hosts 1
%APPDATA%\Screenshots 1
%TEMP%\install.vbs 1
\??\scsi#disk&ven_red_hat&prod_virtio#4&2556063a&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} 1
%TEMP%\MyttloApp 1
%TEMP%\tmpD22A.tmp 1
%TEMP%\subos 1
%TEMP%\tmpD4E9.tmp 1
%TEMP%\subos\subose.exe 1
See JSON for more IOCs
File Hashes
  • 0758f55d7c977e33b0c64c6bdf273d1fc639440505d3f015c5d519dc6200017f
  • 17537f41d384c9a3fe385e6ec51feacf23dcab755b26e274bddcb25ad51f3b20
  • 3409a0970239cd2fc61b66db3c6e7c49921b2c828b59530e37dc34504ee46081
  • 446166d1a9e7e1b7e12547510f7de7bc4c281681cce1f9f8576fce9de7b1dc05
  • 5c0016d2122382734395929696e2d737162f797bb4e21ab1cb9af7c9429823bf
  • 63053625336da966b1c41eae9b39dfc6dd6829be50852d657f48cf6351102955
  • 71795cda989e98003d22a59a88951ce0c2b1dd472b5c1bea4f79f03e0f22747c
  • 7634476cf6e1d538bbf9b5dc0b2dad3f55d78a7a0699f0aa3ec1a926867b602d
  • b0ab801164d28470c2e76fa775ace286b9c218eed099373ba6a6b879cb9473f4
  • c433ec83fd1ab4c370c218feda1fde4514573278464cff96c053479d5c6aea95
  • c68c68c512cd5b66fbc56df273f55bc8e9db9e5c3840dc28d905ca676029f86b
  • dfaf92e94e698ded2dfec6fde877118a2ed30d2709ce8c431d35ca3ce9d7f836
  • e6a4c246c552c5152b500443a603304bac2edbeb2925c4da2e3bf457351b66c1
  • f08bf06ef32de3aea50ded12434753f08c336408715fdcc7ab263cf95892bd5b
  • f5f336ac45dec2fa199ce54cc93035967037f7550ad9ddc89f9dfc91918d57c8

Coverage


Screenshots of Detection

AMP

ThreatGrid

Umbrella

Win.Malware.Ursnif-6957672-0


Indicators of Compromise


Registry Keys Occurrences
<HKLM>\SOFTWARE\WOW6432NODE\JAVASOFT\JAVA WEB START\1.6.0_41
Value Name: Home
19
<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\LOWREGISTRY
Value Name: AddToFavoritesInitialSelection
19
<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\LOWREGISTRY
Value Name: AddToFeedsInitialSelection
19
<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN\WINDOWSSEARCH
Value Name: Version
19
<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\RECOVERY\PENDINGRECOVERY
Value Name: AdminActive
19
<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\EUPP\DSP
Value Name: ChangeNotice
19
<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MINIE
Value Name: TabBandWidth
19
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\SETTINGS\{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}
Value Name: NewInstallPromptCount
19
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\SETTINGS\{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}
Value Name: CompatBlockPromptCount
19
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\SETTINGS\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}
Value Name: NewInstallPromptCount
19
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\SETTINGS\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}
Value Name: CompatBlockPromptCount
19
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\SETTINGS\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}
Value Name: NewInstallPromptCount
19
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\SETTINGS\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}
Value Name: CompatBlockPromptCount
19
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\SETTINGS\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
Value Name: NewInstallPromptCount
19
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\SETTINGS\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
Value Name: CompatBlockPromptCount
19
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\SETTINGS\{B4F3A835-0E21-4959-BA22-42B3008E02FF}
Value Name: NewInstallPromptCount
19
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\SETTINGS\{B4F3A835-0E21-4959-BA22-42B3008E02FF}
Value Name: CompatBlockPromptCount
19
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\SETTINGS\{DBC80044-A445-435B-BC74-9C25C1C588A9}
Value Name: NewInstallPromptCount
19
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\SETTINGS\{DBC80044-A445-435B-BC74-9C25C1C588A9}
Value Name: CompatBlockPromptCount
19
<HKU>\Software\Microsoft\Internet Explorer\Recovery\Active 19
<HKU>\Software\Microsoft\CTF\TIP\{1188450c-fdab-47ae-80d8-c9633f71be64}\LanguageProfile\0x00000000\{63800dac-e7ca-4df9-9a5c-20765055488d} 19
<HKLM>\SOFTWARE\Classes\TypeLib\{1EA4DBF0-3C3B-11CF-810C-00AA00389B71}\1.1\0\win32 19
<HKU>\Software\Microsoft\Internet Explorer\Suggested Sites 19
<HKU>\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\Links 19
<HKU>\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore 19
Mutexes Occurrences
!PrivacIE!SharedMem!Mutex 19
Local\VERMGMTBlockListFileMutex 19
Local\!BrowserEmulation!SharedMemory!Mutex 19
Local\URLBLOCK_DOWNLOAD_MUTEX 19
Local\URLBLOCK_HASHFILESWITCH_MUTEX 19
UpdatingNewTabPageData 19
{5312EE61-79E3-4A24-BFE1-132B85B23C3A} 19
{66D0969A-1E86-44CF-B4EC-3806DDDA3B5D} 19
{A7AAF118-DA27-71D5-1CCB-AE35102FC239} 18
Local\{57025AD2-CABB-A1F8-8C7B-9E6580DFB269} 18
Local\{7FD07DA6-D223-0971-D423-264D4807BAD1} 18
Local\{B1443895-5CF6-0B1E-EE75-506F02798413} 18
CommunicationManager_Mutex 15
SmartScreen_AppRepSettings_Mutex 15
SmartScreen_ClientId_Mutex 15
Local\URLBLOCK_FILEMAPSWITCH_MUTEX_1760 6
{33B6645E-F685-DDC4-9817-8A614C3B5E25} 6
{9FB8F914-72AD-292E-7443-C66DE8275AF1} 4
{EF2CA93C-8275-F9B6-0493-D63D78776AC1} 3
{1FE6DE6D-F2FC-A937-F4C3-46ED68A7DA71} 3
Local\URLBLOCK_FILEMAPSWITCH_MUTEX_1916 3
{27CB7058-5ACE-F149-9C4B-2EB590AF42B9} 3
\BaseNamedObjects\Local\{FCAA51DD-2B0A-8E99-95F0-8FA2992433F6} 3
\BaseNamedObjects\Local\{6AE7CB31-C1EF-2C06-9B3E-8520FF528954} 3
\BaseNamedObjects\Local\{72534A3F-299C-7437-43C6-6DE8275AF19C} 3
See JSON for more IOCs
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
204[.]79[.]197[.]200 19
185[.]193[.]141[.]60 19
208[.]67[.]222[.]222 18
194[.]147[.]35[.]95 18
13[.]107[.]21[.]200 13
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
vmelynaa[.]club 19
resolver1[.]opendns[.]com 18
222[.]222[.]67[.]208[.]in-addr[.]arpa 18
myip[.]opendns[.]com 18
ciemona[.]top 18
zwbaoeladiou[.]xyz 16
fqwalfredoesheridan[.]info 16
Files and or directories created Occurrences
%APPDATA%\Microsoft\Protect\S-1-5-21-2580483871-590521980-3826313501-500\Preferred 19
%LOCALAPPDATA%Low\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico 19
%LOCALAPPDATA%\Microsoft\Windows\WebCache\V0100008.log 19
%LOCALAPPDATA%\Microsoft\Windows\WebCache\V0100009.log 19
%LOCALAPPDATA%\Microsoft\Windows\WebCache\V010000A.log 19
%LOCALAPPDATA%\Microsoft\Windows\WebCache\V010000B.log 19
%LOCALAPPDATA%\Microsoft\Windows\WebCache\V010000D.log 19
%LOCALAPPDATA%\Microsoft\Windows\WebCache\V010000F.log 19
%LOCALAPPDATA%\Microsoft\Windows\History\History.IE5\MSHist012018082820180829\container.dat 19
%LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Content.IE5\1NSKV6K6\suggestions[2].en-US 19
%LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Content.IE5\7V3XNPL2\favicon[2].ico 19
%LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Content.IE5\SSZWDDXW\views[2] 19
%LOCALAPPDATA%\Microsoft\Internet Explorer\imagestore\aowwxkh\imagestore.dat 19
%LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Content.IE5\SSZWDDXW\favicon[1].ico 19
%LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Content.IE5\1NSKV6K6\favicon[2].png 19
%LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Content.IE5\6YL4T24G\views[1] 19
%LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Content.IE5\7V3XNPL2\favicon[1].ico 19
%LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Content.IE5\7V3XNPL2 19
%LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Content.IE5\SSZWDDXW 19
%HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\C5MZMU22\desktop.ini 19
%TEMP%\www2.tmp 19
%TEMP%\www3.tmp 19
%TEMP%\www4.tmp 19
%HOMEPATH%\Favorites\Links\Suggested Sites.url 19
%HOMEPATH%\Local Settings\Application Data\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\Suggested Sites~.feed-ms 19
See JSON for more IOCs
File Hashes
  • 0870f99237954ec3b6c5d2bef78a68484ec211bdd3f98439570d6a316c8a15ee
  • 395a5bb5a15f3d0c277835b62372c985cf718cdd2b1a5a504b5e9433c5dab8a5
  • 44e6613a20fda10678242f331152b6377edc18a3bbece8a7546ef54fe2dbb9d2
  • 4509bfad5dacb2f5ac43483fb991fa5bba25b90a46a1829d5d812be529dff930
  • 5bdab30c2318e1a15917c5a5fa5a970845e473c3df7e3baf134393d9fe7dd1c5
  • 6c29026c61c2bcf1502ffa77b56d2b41504598e6b660cb4f4aadeef547248861
  • 8caac9f128ef6d7cd20ad6395b16fc180456eed45d86b68b49b87b4b57aa0142
  • 8cc7ec0c3662c3e68a0063f9aa37943eb83ac6cd472a76f9f047e0fad21f9875
  • 8df6c10dd50118b2fc7bd380d0423ad0d7a36630f2f6be81fe508eb0b7d409cb
  • b824f4bb9174eda6738710e1fed13a74088e2c23d8c31ce81ecde3cd03260396
  • c3f72c971d83fd3ac32d8bbee2d94fe78bcbde553212f3e4c3d626a8d124ccb6
  • d1d54cc60dfc5957d76c37218d89bf59aaa45c4cc45067af83429280463923e5
  • e450ad1c3dad95a579f43bf2deb9b58acc8c661e0090a162da75dd66ef608e8b
  • e7f7e41a55b11e5aee84f519b267c19c5943ca923b8c05d3aff99a47ab074f58
  • f1fc8274b0155470b6983ba68c70ea5df59196ae8b89366fc4fe922575719536
  • f58c95835e8a08cbef55c00ae86d03399302cdf7d500ab499f312156f275f2f9
  • f5e3128f71497dd5ee29c05296c3815466fd2eacc714ce914771d0ede672639c
  • fb7592a3c2994ba426046328c87f08574c7d367b0c75e206ddfd32cc5d7bfcd0
  • fb76a896e5ead6658b589c20e715fe18ffec03b9f57f895e14a0d43574de71e3

Coverage


Screenshots of Detection

AMP

ThreatGrid

Win.Ransomware.Cerber-6957317-0


Indicators of Compromise


Registry Keys Occurrences
<HKLM>\System\CurrentControlSet\Services\NapAgent\Shas 25
<HKLM>\System\CurrentControlSet\Services\NapAgent\Qecs 25
<HKCU>\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage2 25
<HKLM>\System\CurrentControlSet\Services\NapAgent\LocalConfig 25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\NAPAGENT\LOCALCONFIG\Enroll\HcsGroups 25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\NAPAGENT\LOCALCONFIG\UI 25
<HKLM>\System\CurrentControlSet\Control\Session Manager 25
<HKU>\Software\Microsoft\Windows\ShellNoRoam\MUICache 25
<HKCU>\CONTROL PANEL\DESKTOP
Value Name: Wallpaper
25
<HKLM>\SYSTEM\CONTROLSET001\CONTROL\SESSION MANAGER
Value Name: PendingFileRenameOperations
25
<HKLM>\SYSTEM\ControlSet001\Control\Session Manager 25
<HKLM>\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\189271E573FED295A8C130EAF357A20C4A9F115E 9
<HKLM>\System\CurrentControlSet\Control\SecurityProviders\Schannel 6
Mutexes Occurrences
Global\3a886eb8-fe40-4d0a-b78b-9e0bcb683fb7 25
shell.{381828AA-8B28-3374-1B67-35680555C5EF} 25
\BaseNamedObjects\shell.{718951EE-6DB9-E41A-53AA-8B715AE18B45} 2
\BaseNamedObjects\shell.{493BC5E1-8EB5-5EFC-281D-65B759CEECC3} 2
\BaseNamedObjects\shell.{B1A92788-E01E-5F0F-2EBD-8C1B64B4440E} 1
\BaseNamedObjects\shell.{3B5BBD57-DC86-C667-6198-1ED86151C492} 1
\BaseNamedObjects\shell.{3290A7F9-5947-C52F-A9C4-FFC568696593} 1
\BaseNamedObjects\shell.{A90EDFAB-A502-430E-BDBC-2A277AABA37D} 1
\BaseNamedObjects\shell.{FCDAE584-CD77-B6D4-3AF3-33D1E72CBBA2} 1
\BaseNamedObjects\shell.{5ED88314-B21B-6A1E-9E28-1194C46E655A} 1
\BaseNamedObjects\shell.{0382099C-AC13-59BE-3A2C-B533D776D30C} 1
\BaseNamedObjects\shell.{8A1F6AB1-121B-A240-F2AC-6815C5405429} 1
\BaseNamedObjects\shell.{6B956E68-ABAA-AB50-EB9F-299C556E0FC1} 1
\BaseNamedObjects\shell.{D593CF55-EF38-7E41-B3D1-189932BF5ACA} 1
\BaseNamedObjects\shell.{6E8CD1E8-3AA4-8152-A1AC-9DF81B4CF52F} 1
\BaseNamedObjects\shell.{CA80F6A6-97F3-B746-F936-72E156EADCA1} 1
\BaseNamedObjects\shell.{77337C05-6A9D-48D8-548B-5BC4EDE52644} 1
\BaseNamedObjects\shell.{5F59AF38-9EAC-3B8F-A08E-700EC4307348} 1
\BaseNamedObjects\shell.{1DEF893E-C150-B52C-8B2C-18DC50905097} 1
\BaseNamedObjects\shell.{114716B6-D98A-FB35-E73B-ABDB1C2ECBE3} 1
\BaseNamedObjects\shell.{940BFEC0-D658-3349-9964-7D4820AF7C5D} 1
\BaseNamedObjects\shell.{DCA07E8B-8FF0-AAD5-5A30-43E0A4FC3355} 1
\BaseNamedObjects\shell.{9F3E7036-D399-5D1C-15F0-27F90C81CEA7} 1
\BaseNamedObjects\shell.{4D979936-6ECD-C1FC-8B7E-C65E6397B59E} 1
\BaseNamedObjects\shell.{2981A90C-3618-499B-5205-FD704DC8D53D} 1
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
178[.]33[.]160[.]176 25
178[.]33[.]160[.]175 25
178[.]33[.]160[.]178 25
178[.]33[.]160[.]177 25
178[.]33[.]160[.]179 25
178[.]33[.]160[.]170 25
178[.]33[.]160[.]172 25
178[.]33[.]160[.]171 25
178[.]33[.]160[.]196 25
178[.]33[.]160[.]195 25
178[.]33[.]160[.]198 25
178[.]33[.]160[.]197 25
178[.]33[.]160[.]199 25
178[.]33[.]160[.]190 25
178[.]33[.]160[.]192 25
178[.]33[.]160[.]191 25
178[.]33[.]160[.]194 25
178[.]33[.]160[.]193 25
178[.]33[.]159[.]31 25
178[.]33[.]159[.]30 25
178[.]33[.]159[.]29 25
178[.]33[.]159[.]28 25
178[.]33[.]159[.]27 25
178[.]33[.]159[.]26 25
178[.]33[.]159[.]25 25
See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
api[.]blockcypher[.]com 25
chain[.]so 13
bitaps[.]com 13
btc[.]blockr[.]io 13
hjhqmbxyinislkkt[.]1j9r76[.]top 12
www[.]coinbase[.]com 9
p27dokhpz2n7nvgr[.]1j9r76[.]top 6
hjhqmbxyinislkkt[.]1bxzyr[.]top 3
Files and or directories created Occurrences
%HOMEPATH%\Documents\OneNote Notebooks\Personal\General.one 25
%HOMEPATH%\Documents\OneNote Notebooks\Personal\Unfiled Notes.one 25
%HOMEPATH%\Documents\Outlook Files\Outlook.pst 25
%HOMEPATH%\Documents\RILLReturn.ppt 25
%HOMEPATH%\Documents\SerialsOverview.ppt 25
%HOMEPATH%\Documents\TSR_Observations_2-14-2007.doc 25
%HOMEPATH%\Documents\VISSpring13Schedule.pdf 25
%HOMEPATH%\Documents\booklaunch_e.doc 25
%HOMEPATH%\Documents\featureb0906.pdf 25
%HOMEPATH%\Documents\genealogy.ppt 25
%HOMEPATH%\Documents\greenpaper.doc 25
%HOMEPATH%\Documents\james_harrison_public_forum_presentation_e.doc 25
%HOMEPATH%\Documents\self-guided_SoE_Tour.pdf 25
%HOMEPATH%\Documents\sshws_2012rev.pdf 25
%HOMEPATH%\Documents\timeentrylimit.xlsx 25
%HOMEPATH%\Documents\workshopagenda10may2001_e.doc 25
%TEMP%\d19ab989 25
%TEMP%\d19ab989\4710.tmp 25
%TEMP%\d19ab989\a35f.tmp 25
%LOCALAPPDATA%\Microsoft\Office\Groove\System\CSMIPC.dat 25
\DAV RPC SERVICE 25
\Device\Null 25
%APPDATA%\Microsoft\Outlook\Outlook.srs 25
%APPDATA%\Microsoft\Outlook\Outlook.xml 25
%HOMEPATH%\Local Settings\Application Data\Microsoft\Office\ONetConfig\21d4feba3519c30e149fdf62432f198a.xml 25
See JSON for more IOCs
File Hashes
  • 0536d5867571e0ed9998dfe458e7cf42334a9abc67e1cbd9ea3004507f899e3c
  • 17f6fab817ae1a1ac4478c121c3dcfed044924ba4beac8cae734cd14d453596b
  • 212ef6edb374b8aab38ad19fa15e2e2f4674b7d2cbb024f36b9477fc71c71769
  • 276438f97b45ccd5ff93586ae0adfa3c4e4ba92f1adc87fca607eb6d6bd17919
  • 2b7669616638e5976b1c65b492d9e775ab668648d0b2ca5df81bcbe26b7e1123
  • 33dcb7c8ce845f1840cb6508a67595d415227babe474eae0f3a06383eab16e63
  • 3d5bab5798ad6d27131075732d829b90f3f37d5e63bab43b53a071c002678fce
  • 418a712f9e44f3adba6125d9f3d7ad4a52ffef9d8ad5b485e903a984a4cd8c63
  • 420dc43a8c9200df4138d720415304017b861b3cfddfb5de16af50099f3b0e37
  • 436e308c38fb3872fe1a64be90eed2a86d7f9806cd163c83e83fbfd0edf3f8d8
  • 55e8cb67e967b51aacd85258cc4c5a2d8c7c2ad48e44d6f4ecf9c0a721d4fbfe
  • 57de16edb0bd7e590ad1adf4474b18eb968d72781f0d34f33ee51cf6ed71763e
  • 5da318b569c3cbad701f06f4b26905c5ac95048b748481fae2552653acdeb25b
  • 629c1b76328b10077af530bfc5526fcb5592eefd8fb0b618179a8429bf6b6259
  • 64b193a1fcdd2d2ec2444e989ecb9283a5f7679abfc5dc3efa9a248793e0197c
  • 6e7bc2af711eac2a82384b3738229d3b69f60f1522a0c59f781f4d6731b1f198
  • 763b5c07061e6f306399991efd08ac8b9efb74c37ab6280c840a779fb7ca929c
  • 77ee427b01cecdc4adcdee50b679ddab7ae6175a9ec3ec199b81cbfb3684a172
  • 7e93d6b812b9ba8833a2f6727e35714ae301c8ab8ac9988ae540f4a993e41c05
  • 84d4734cd55e627870c58fe07bd29895cc40726ea235de6980c1ebe73c8f838c
  • 9d60618b662ed064573688abf10cb3eb562b46baceb864a4343e8851b2e6686e
  • a2dd530ea97e84d507d13eccef73f736ef1c7c2722b82c84e6d84c61f9406f9b
  • a6943fd03952cc9d1b7a492ca30cc75ecaefdb54e20af0fc0dcbbcc93483d031
  • a9efbbec61b1901e23bd5d29f2e1c34e9d0e7c41dbd216386ec52489239068fe
  • b0ba2997331995d24a85a7d4f586fcaaeb4e6b62de46f068d165ef0d13b172cc
  • See JSON for more IOCs

Coverage


Screenshots of Detection

AMP

ThreatGrid


Umbrella

Malware

Win.Dropper.Nymaim-6956636-0


Indicators of Compromise


Registry Keys Occurrences
<HKCU>\Software\Microsoft\GOCFK 19
<HKLM>\Software\Wow6432Node\Microsoft\Tracing\tapi3 19
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\TRACING\TAPI3
Value Name: EnableFileTracing
19
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\TRACING\TAPI3
Value Name: EnableConsoleTracing
19
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\TRACING\TAPI3
Value Name: FileTracingMask
19
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\TRACING\TAPI3
Value Name: ConsoleTracingMask
19
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\TRACING\TAPI3
Value Name: MaxFileSize
19
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\TRACING\TAPI3
Value Name: FileDirectory
19
<HKCU>\SOFTWARE\MICROSOFT\GOCFK
Value Name: mbijg
19
<HKCU>\Software\Microsoft\FROD 18
Mutexes Occurrences
Local\{369514D7-C789-5986-2D19-AB81D1DD3BA1} 19
Local\{D0BDC0D1-57A4-C2CF-6C93-0085B58FFA2A} 19
Local\{F04311D2-A565-19AE-AB73-281BA7FE97B5} 19
Local\{F6F578C7-92FE-B7B1-40CF-049F3710A368} 19
Local\{306BA354-8414-ABA3-77E9-7A7F347C71F4} 19
Local\{F58B5142-BC49-9662-B172-EA3D10CAA47A} 19
Local\{C170B740-57D9-9B0B-7A4E-7D6ABFCDE15D} 19
Local\{B888AC68-15DA-9362-2153-60CCDE3753D5} 19
Local\{2DB629D3-9CAA-6933-9C2E-D40B0ACCAC9E} 19
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
N/A -
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
otmqa[.]in 18
nuyfyp[.]in 18
omctebl[.]pw 18
qxqdslcvhs[.]pw 18
eyhwvkyswsts[.]in 18
lqeyztwnmqw[.]pw 18
tgkddewbn[.]in 18
bibmbkjvelox[.]net 18
mpoghxb[.]net 18
zglevl[.]net 18
cixhrfbok[.]com 18
yqxpvvbvncxr[.]com 18
vhmfwvrbln[.]net 18
pyioepars[.]com 18
iwxbgsvj[.]net 18
Files and or directories created Occurrences
%ProgramData%\ph 19
%ProgramData%\ph\fktiipx.ftf 19
%TEMP%\gocf.ksv 19
%TEMP%\fro.dfx 18
\Documents and Settings\All Users\pxs\pil.ohu 18
%LOCALAPPDATA%\7z2 5
%APPDATA%\s269 5
%ProgramData%\hm94p64 3
%LOCALAPPDATA%\2870 3
%APPDATA%\710i5v8 3
%ProgramData%\05n3 3
%ProgramData%\0m2 3
%ProgramData%\j91z 2
%LOCALAPPDATA%\9b8 2
%APPDATA%\mb31 2
%ProgramData%\6745h 2
%ProgramData%\63h6c 2
%LOCALAPPDATA%\546byxl 2
%APPDATA%\k5f5 2
%APPDATA%\1ok411c 1
%ProgramData%\84q9q 1
%LOCALAPPDATA%\6b0d19t 1
%APPDATA%\9980c 1
%ProgramData%\2p077d 1
%LOCALAPPDATA%\ja68siv 1
See JSON for more IOCs
File Hashes
  • 0a79d985e81449aeabc401545955323e3d9fa0951a6fabe8727370679cee362c
  • 2d7e1dee56892ffe3fa7b85e33ef512e8017ce690a1118ad743736ba03c70c29
  • 2f017b1f3b3d430266be3da2be7b050dad8d2bbdfe457d6d053f2ca312c90691
  • 33c2883874a24e9abbd993f5d06b8596483d33a388b4832f7e8ed3585dab0f80
  • 4268fb8266c18ba7392e2ac655dad69b952bcfce10a71b34a821f0ea32a02954
  • 470dad272252de1d8631e7026ee324fa9238f722707a26f56b6377f2588a7b16
  • 4ff4835419292e13a5d7be1fe2b3b6a000a07f733948e5865b09082e91ef364b
  • 50bc7a1d67f67fbe4faaa7e1968addc631ee65c05dffdac6decfd021306d17c7
  • 5814f51e35d047cfd4e2b4d76bb2b401d70a860747b7ba817fe3bb035dea1b98
  • 68e743d3ab393a17a9120260b6e2c1a1fcea3ba32cebc06aa1970d62198f266d
  • 7e95831b38b1a32402ba5b6251180aca1b1cad457be756612b3ffe1ebf40dce2
  • 8b307748efc603648524dc47202a550bfcaee9a3a23da4f99802aef2e789d6cd
  • 9260c5ea2694dd47cbe563d7d39518d4b4f1249499dcae387e2da9955723286f
  • a92aec525fddbe52002ba700344043cd99b8d1323728b9cc2114e64bf83c7ce3
  • aca7c6cb8d0edcb41b44a0f53460ee8ac3078aca97f03979da0b1d4d5dfb860b
  • b01ecd3e51d9efea860568d3ae336c7d3514f08bca6d3ba9c5cfd3ad069ec3fe
  • d618459cbcf86c6797850757003d53db2f8bcc89364bf7de806f89f1736bf1cd
  • d6a5f0855e7e2c8968e90159b42853361187b41d692626273807361c27bd5a37
  • db421df81c436e54428bcaddcb394568afcd6769e88809a2634ea678643ec811

Coverage


Screenshots of Detection

AMP

ThreatGrid

Umbrella

Win.Dropper.Qakbot-6956539-0


Indicators of Compromise



Registry Keys Occurrences
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: internat.exe
25
<HKCU>\Software\Microsoft\SystemCertificates\UserDS 25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\aqejpwsx 25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\AQEJPWSX
Value Name: Type
25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\AQEJPWSX
Value Name: Start
25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\AQEJPWSX
Value Name: ErrorControl
25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\AQEJPWSX
Value Name: ImagePath
25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\AQEJPWSX
Value Name: DisplayName
25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\AQEJPWSX
Value Name: DependOnService
25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\AQEJPWSX
Value Name: DependOnGroup
25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\AQEJPWSX
Value Name: WOW64
25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\AQEJPWSX
Value Name: ObjectName
25
<HKLM>\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\7D7F4414CCEF168ADF6BF40753B5BECD78375931 3
<HKLM>\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\637162CC59A3A1E25956FA5FA8F60D2E1C52EAC6 3
Note that other Registry Keys are leveraged that may contain unicode characters. See JSON for more IOCs
Mutexes Occurrences
Global\eqfik 25
llzeou 25
eqfika 25
Global\epieuxzk 25
Global\ulnahjoi 25
Global\utjvfi 25
bzqjzpdrfpamvq 25
\BaseNamedObjects\Global\uvesyw 2
\BaseNamedObjects\Global\vqxcpp 2
\BaseNamedObjects\hxsgmprzlpnnqw 2
\BaseNamedObjects\Global\imyuiwlg 2
\BaseNamedObjects\Global\vtqux 2
\BaseNamedObjects\imyuiwlga 2
\BaseNamedObjects\yspopald 2
\BaseNamedObjects\Global\rhjga 2
\BaseNamedObjects\afalya 2
\BaseNamedObjects\iykps 2
\BaseNamedObjects\Global\ilkcmoq 2
\BaseNamedObjects\Global\afaly 2
\BaseNamedObjects\Global\dgialgoh 2
\BaseNamedObjects\Global\yvbnyn 2
\BaseNamedObjects\Global\knpog 2
\BaseNamedObjects\crcbzy 2
\BaseNamedObjects\Global\esroi 2
\BaseNamedObjects\knpoga 2
See JSON for more IOCs
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
172[.]217[.]12[.]174 25
69[.]241[.]80[.]162 21
209[.]126[.]124[.]173 21
69[.]195[.]124[.]60 20
162[.]144[.]12[.]241 20
50[.]87[.]150[.]203 19
181[.]224[.]138[.]240 19
35[.]225[.]160[.]245 18
172[.]217[.]164[.]142 18
45[.]38[.]189[.]103 18
68[.]87[.]56[.]130 18
85[.]93[.]89[.]6 10
209[.]126[.]124[.]166 6
207[.]38[.]89[.]115 5
85[.]93[.]88[.]251 5
69[.]241[.]74[.]170 3
69[.]241[.]108[.]58 3
69[.]241[.]106[.]102 3
64[.]34[.]169[.]244 2
208[.]100[.]26[.]234 1
216[.]218[.]206[.]69 1
216[.]58[.]217[.]142 1
173[.]227[.]247[.]49 1
173[.]227[.]247[.]54 1
69[.]64[.]56[.]244 1
See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
jpfdtbmvuygvyyrebxfxy[.]info 25
hknkmwfdngcfavzhqd[.]biz 25
ywubouysdukndoakclnr[.]org 25
uwujtnymeyeqovftsc[.]org 21
kaaovcddwmwwlolecr[.]org 21
ijdlykvhnvrnauvz[.]com 21
www[.]ip-adress[.]com 21
stc-hstn-03[.]sys[.]comcast[.]net 21
boston[.]speedtest[.]comcast[.]net 21
houston[.]speedtest[.]comcast[.]net 21
sanjose[.]speedtest[.]comcast[.]net 21
jacksonville[.]speedtest[.]comcast[.]net 21
lunkduuumhmgpnoxkbcjqcex[.]org 19
hsyglhiwqfc[.]org 18
forumity[.]com 18
zebxhuvsz[.]com 18
yxssppysgteyylwwprsyyvgf[.]com 18
fcptxaleu[.]net 18
olosnxfocnlmuw[.]biz 18
cbqjxatxrumjpyvp[.]biz 18
sproccszyne[.]org 18
uschunmmotkylgsfe[.]biz 18
wgysvrmqugtimwhozoyst[.]biz 18
tkpxkpgldkuyjduoauvwoiwcg[.]org 18
cufgghfrxaujbdb[.]com 18
See JSON for more IOCs
Files and or directories created Occurrences
%APPDATA%\Microsoft\Windows\Cookies\QA752KCC.txt 25
%APPDATA%\Microsoft\Windows\Cookies\QP9V2VPK.txt 25
%APPDATA%\Microsoft\Windows\Cookies\QTOORX9Q.txt 25
%APPDATA%\Microsoft\Windows\Cookies\RPE3LD3D.txt 25
%APPDATA%\Microsoft\Windows\Cookies\RYU7B1BB.txt 25
%APPDATA%\Microsoft\Windows\Cookies\RZ1EYTQG.txt 25
%APPDATA%\Microsoft\Windows\Cookies\SCT1A3Q5.txt 25
%APPDATA%\Microsoft\Windows\Cookies\SL2DQ447.txt 25
%APPDATA%\Microsoft\Windows\Cookies\SUA0P3GL.txt 25
%APPDATA%\Microsoft\Windows\Cookies\T28YM23R.txt 25
%APPDATA%\Microsoft\Windows\Cookies\TC61OXS2.txt 25
%APPDATA%\Microsoft\Windows\Cookies\TWNEP5LZ.txt 25
%APPDATA%\Microsoft\Windows\Cookies\TX9TW6ML.txt 25
%APPDATA%\Microsoft\Windows\Cookies\U5T0RELM.txt 25
%APPDATA%\Microsoft\Windows\Cookies\UCPG9KND.txt 25
%APPDATA%\Microsoft\Windows\Cookies\UD8XCJVS.txt 25
%APPDATA%\Microsoft\Windows\Cookies\UGY2NFKJ.txt 25
%APPDATA%\Microsoft\Windows\Cookies\UOVVJUXY.txt 25
%APPDATA%\Microsoft\Windows\Cookies\UVFN9CGJ.txt 25
%APPDATA%\Microsoft\Windows\Cookies\V6G9AWM4.txt 25
%APPDATA%\Microsoft\Windows\Cookies\VFVD9E5C.txt 25
%APPDATA%\Microsoft\Windows\Cookies\VK4YOOAG.txt 25
%APPDATA%\Microsoft\Windows\Cookies\VP01LDK3.txt 25
%APPDATA%\Microsoft\Windows\Cookies\VPK8RY5C.txt 25
%APPDATA%\Microsoft\Windows\Cookies\VYUA6F7D.txt 25
See JSON for more IOCs
File Hashes
  • 04a19e4e2d700292ba4ce5659e97413112bd079dacdbaf8a2387e6f6559dcba3
  • 117466b3e9dabd69d510d9e034eec875d9ca2ad9dbb8c5d123b388ac2a65ebbf
  • 17d23f910311aeb341ee348586bb212d1cddb70152bc4d1bc31ac579693d7741
  • 1b0573fb381b291b12cf7db4bfb6deb78e688c9c3076908e8581199169b8514a
  • 1c0c7d00ccfb9f12299fd7df7ec2ad497cb6c8fa60b903694f2d2bf54af7c30c
  • 278bc2f23ef0a5a79e36f1dca261bbf67f87aef637e76373061654353fc3f716
  • 33ba38fa1bfaab98c6ba48eb2a2fb3155b51118e9ef79642418e0903e2b2e008
  • 51390b6bde9196f7c0319c1253d08233202f6b4110b8c33557a2d2895f868769
  • 548c5b819c109a61e1ff6bc74bd43ad2702ed44e479dd6600da3bb9d5a9ca72e
  • 5b3cd274c3c0349f7d67238994e53e4a842a82e9e15905510a93b4d6643621e7
  • 611f34dcdcce11b0e48779e0fcfd950437614e603673903c8b342bdd2a34ce1a
  • 620e4f53e698c59971f4633cad4c7966f3432aeec0a6315b82a5dae8c13577c9
  • 6f6e53de5fb48c34cce494113f04e1b32d3dd85d8071023b2dff1febb1686c7f
  • 6fd63887adf0e0d4894d3b648e8be0d20474579f60138915b5e3e3a9761f43bc
  • 783a7e50bddf9b5c9547a8fabc7470fabdbe4410df76148dd6c5c81dfb7e6506
  • 7e7e09137fda05e6292d8d9646ab5bc18fd136b06aa77833819ccc46d79c4859
  • 7e9ab6bf4ee2141f4702e0cf4348340293c429416f7676c7946e940321220375
  • 8412cd2e7e60ac2d32bf43f350f8ce806876f54c2ed9b6d0f895179d289a1803
  • 84e0ad1b2d1ca15e2ea16d6d57b81a63af18f664b171ad9d144e710ad2e3cb75
  • 8786a734c5f7fccca5b87c04c5531bff6ec323a29860063c2ba31941706c83a3
  • 914960db7ffbdd3a5a5a98b740f724c0ab9469fcbdd547561622809e5d3c6396
  • 93ac57e8f8e341c84e25dd0c14f014d23f55e24a175b443f4cd399a086e70965
  • 98170c08d421f79a308074befb2c4e799db06e28ce10cea9d435c5868d1e6f36
  • 9d8dfe92711ea955120f4fdbb3b2d0cf37ff79ac74572c867c44da7d404213fa
  • a0903affbe9bd3176863d83a9e57808aa55a3ea8695d09dbbd2d8f3f1d22e812
  • See JSON for more IOCs

Coverage


Screenshots of Detection

AMP

ThreatGrid

Umbrella

Win.Malware.Tovkater-6956309-0


Indicators of Compromise


Registry Keys Occurrences
<HKLM>\System\CurrentControlSet\Control\Session Manager 25
<HKLM>\SYSTEM\CONTROLSET001\CONTROL\SESSION MANAGER
Value Name: PendingFileRenameOperations
25
<HKLM>\SYSTEM\ControlSet001\Control\Session Manager 25
Mutexes Occurrences
N/A -
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
N/A -
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
caribz[.]club 10
fruitnext[.]top 9
mirraclez[.]club 5
liquidmiracle[.]top 4
SMILESAWAY[.]TOP 3
duckandbear[.]top 2
skycrimes[.]top 2
fowlerfootball[.]top 2
gratify[.]triobol[.]ru 1
shipboard[.]dicier[.]ru 1
giroboard[.]top 1
skeleton[.]walforder[.]ru 1
shadeunit[.]club 1
strangerthingz[.]club 1
Files and or directories created Occurrences
imasrr13.exe 22
%TEMP%\nsw2.tmp\nsJSON.dll 3
%TEMP%\nso74D7.tmp\INetC.dll 1
%TEMP%\nso74D7.tmp\nsJSON.dll 1
%TEMP%\nso74D7.tmp\xantacla.exe 1
%TEMP%\nsuC6AE.tmp\INetC.dll 1
%TEMP%\nsuC6AE.tmp\nsJSON.dll 1
%TEMP%\nsuC6AE.tmp\santacla.exe 1
%TEMP%\nsj9A32.tmp\INetC.dll 1
%TEMP%\nsj9A32.tmp\nsJSON.dll 1
%TEMP%\nse1441.tmp\INetC.dll 1
%TEMP%\nsj9A32.tmp\xantacla.exe 1
%TEMP%\nse1441.tmp\nsJSON.dll 1
%TEMP%\nse1441.tmp\santacla.exe 1
%TEMP%\nsa3ED.tmp\INetC.dll 1
%TEMP%\nsa3ED.tmp\nsJSON.dll 1
%TEMP%\nsa3ED.tmp\xantacla.exe 1
%TEMP%\nseEB6D.tmp\INetC.dll 1
%TEMP%\nseEB6D.tmp\nsJSON.dll 1
%TEMP%\nseEB6D.tmp\xantacla.exe 1
%TEMP%\nskC2A9.tmp\INetC.dll 1
%TEMP%\nskC2A9.tmp\nsJSON.dll 1
%TEMP%\nskC2A9.tmp\santacla.exe 1
%TEMP%\nsp547C.tmp\INetC.dll 1
%TEMP%\nsp547C.tmp\nsJSON.dll 1
See JSON for more IOCs
File Hashes
  • 0b1c46b5535b4fc30fd8d813255220d3715d0bd7623e094e684af13a1c12f579
  • 0d806734aacf391b1c304155e8f186d7c354c46d08b5f2cb70c2a6029dba2e0e
  • 1187cf65c782ea451e0a46f8e5ea18f8133cc209d58db1c08793bb086b96df4f
  • 21a9fb85cec099bdc2bf419b9bc07dbe6f9b1dc40b8e2853c119093706d1a3a8
  • 2e23eb71950087f2212e0e591fa462b1706571fe55c87454de7003de4a982d95
  • 30d525e4acb5cbd5dd5fe9508cb0cf053c4b0480ab53168e9a06e58c2e9b323b
  • 35dae148e6507526256336e36eb9858dcf17c73f86c332582cd53af43c887f0a
  • 368e24183133ba0c4a7fb06b255458754e6662d6be0df18f44b7304b7f1438d7
  • 3dc644f5a69d86aeab33c6879bb508b59049d17a74cca73f15b160578ee0a358
  • 42f86e50ca2180192d30c556d001cf8720d17094850164e811872f1c864f10cb
  • 43150f037e396e69ff8e1e1d1da7e33614f100fba6b6133a99174a8bcc56d8c5
  • 46e6b3d8c0cff0c9dca7ee7fae9b15c7b23865f546533ee00be0d594f6d03a40
  • 4b0232b305a8504700570c6e177d0c1815924031908f2f2d5fe61510174804c5
  • 52e70ec3517105cdabea6b3448d4568fbca560683e7e90070d0209ea1a002de7
  • 5b1a72a9d50e9e41662848965957cf3b537a923f12a02d022d7e40bc76d6a59d
  • 5f16228ceca9d4d628bcddf5da07ddd8140b19c3458ba287b5e0a9a4533929c9
  • 626f2dbe08fcf4192f709111ca3f2ce5975cb9ac7bac7b007158b8e74070c403
  • 62bae87f17d56c22f89ec9c41c2e3bf76139df7a4a4c710e088ec9483918cf9b
  • 63d3a47aa0f89009ecc37199d269c8c3184d32e0632c3f1c1857dafd2aee7ae4
  • 67b73d01d619d30bc56d0f772207df38b68a433b1050137bb93a54e746c1c34f
  • 67ffbd39d1ebbceb4936645c822a10b6b71dc289acd026b1b4259f01c2168e8f
  • 6c2eae55f0ff4cb79a53f932a481812c7b8c5d61ff0aadf47c4211d676cc97b4
  • 6d0f17cdc45a3867ec8c89ae3cf9ef2264b4889fc135417857e04d8109ec62ec
  • 7b4c241497ba6cef5a8abc35d4c795e7c8b0b3d4a292a843d14d4389ddef57b7
  • 7dbb52a1de75d201b0565062452e81a210cc597ac4626aa95bf478562aa082cd
  • See JSON for more IOCs

Coverage


Screenshots of Detection

AMP

ThreatGrid

Umbrella

Doc.Downloader.Powload-6956274-0


Indicators of Compromise


Registry Keys Occurrences
<HKCR>\INTERFACE\{8BD21D42-EC42-11CE-9E0D-00AA006002F3} 29
<HKCR>\INTERFACE\{8BD21D52-EC42-11CE-9E0D-00AA006002F3} 29
<HKCR>\INTERFACE\{8BD21D62-EC42-11CE-9E0D-00AA006002F3} 29
<HKCR>\INTERFACE\{7B020EC2-AF6C-11CE-9F46-00AA00574A4F} 29
<HKCR>\INTERFACE\{7B020EC7-AF6C-11CE-9F46-00AA00574A4F} 29
<HKCR>\INTERFACE\{79176FB2-B7F2-11CE-97EF-00AA006D2776} 29
<HKCR>\INTERFACE\{4C5992A5-6926-101B-9992-00000B65C6F9} 29
<HKCR>\INTERFACE\{796ED650-5FE9-11CF-8D68-00AA00BDCE1D} 29
<HKCR>\INTERFACE\{47FF8FE0-6198-11CF-8CE8-00AA006CB389} 29
<HKCR>\INTERFACE\{47FF8FE1-6198-11CF-8CE8-00AA006CB389} 29
<HKCR>\INTERFACE\{47FF8FE2-6198-11CF-8CE8-00AA006CB389} 29
<HKCR>\INTERFACE\{47FF8FE3-6198-11CF-8CE8-00AA006CB389} 29
<HKCR>\INTERFACE\{47FF8FE4-6198-11CF-8CE8-00AA006CB389} 29
<HKCR>\INTERFACE\{47FF8FE5-6198-11CF-8CE8-00AA006CB389} 29
<HKCR>\INTERFACE\{47FF8FE6-6198-11CF-8CE8-00AA006CB389} 29
<HKCR>\INTERFACE\{47FF8FE8-6198-11CF-8CE8-00AA006CB389} 29
<HKCR>\INTERFACE\{47FF8FE9-6198-11CF-8CE8-00AA006CB389} 29
<HKCR>\INTERFACE\{5CEF5613-713D-11CE-80C9-00AA00611080} 29
<HKCR>\INTERFACE\{92E11A03-7358-11CE-80CB-00AA00611080} 29
<HKCR>\INTERFACE\{04598FC9-866C-11CF-AB7C-00AA00C08FCF} 29
<HKCR>\INTERFACE\{7B020EC8-AF6C-11CE-9F46-00AA00574A4F} 29
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\sourcebulk 29
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SOURCEBULK
Value Name: Type
29
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SOURCEBULK
Value Name: Start
29
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SOURCEBULK
Value Name: ErrorControl
29
Mutexes Occurrences
Global\I98B68E3C 29
Global\M98B68E3C 29
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
159[.]0[.]130[.]149 29
191[.]92[.]69[.]115 29
69[.]25[.]11[.]28 29
88[.]198[.]20[.]57 29
212[.]129[.]63[.]132 24
198[.]58[.]114[.]91 18
74[.]208[.]5[.]15 16
209[.]85[.]144[.]109 10
77[.]111[.]149[.]55 9
74[.]6[.]141[.]50 8
173[.]201[.]192[.]229 8
74[.]208[.]5[.]2 7
209[.]85[.]144[.]108 7
17[.]36[.]205[.]74 7
182[.]50[.]145[.]3 6
67[.]195[.]228[.]95 6
196[.]35[.]198[.]134 6
54[.]88[.]144[.]211 6
149[.]255[.]56[.]242 6
184[.]106[.]54[.]10 5
64[.]26[.]60[.]229 5
173[.]203[.]187[.]14 5
205[.]178[.]146[.]235 5
212[.]227[.]15[.]167 5
212[.]227[.]15[.]183 5
See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
ises[.]com[.]pl 29
ingenla[.]com 29
hicast[.]tn 24
smtp[.]mail[.]com 16
secure[.]emailsrvr[.]com 14
smtpout[.]secureserver[.]net 14
smtp[.]office365[.]com 13
smtp-mail[.]outlook[.]com 10
smtp[.]1und1[.]de 10
smtp[.]aol[.]com 8
smtp[.]emailsrvr[.]com 7
smtpout[.]asia[.]secureserver[.]net 6
smtp[.]1and1[.]com 6
smtp[.]rediffmailpro[.]com 6
smtp[.]comcast[.]net 6
smtp[.]263[.]net 6
spam[.]pantos[.]com 6
mail[.]longi-silicon[.]com 5
smtp[.]prodigy[.]net[.]mx 5
mail[.]huaqin[.]com 5
betmngr[.]com 5
smtp[.]yandex[.]com 4
smtp[.]zoho[.]com 4
smtp3[.]netcore[.]co[.]in 4
smtp[.]mweb[.]co[.]za 4
See JSON for more IOCs
Files and or directories created Occurrences
%SystemRoot%\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat 29
%HOMEPATH%\423.exe 29
%SystemRoot%\SysWOW64\version.dll 1
%SystemRoot%\Globalization\Sorting\sortdefault.nls 1
\REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8 1
%TEMP%\CVR90.tmp 1
%SystemRoot%\SysWOW64\sourcebulka.exe 1
%SystemRoot%\SysWOW64\3HqWfmuWUBgMP.exe 1
%SystemRoot%\Temp\76D.tmp 1
%SystemRoot%\SysWOW64\jq9Mk4Che.exe 1
File Hashes
  • 1e0b73c5ec4b9516709c10ec708fc295df021451f958a89144d79d99604b3664
  • 325701284bf17203d71a9c5b4d46e4f7b651164ab92c643fe64a3e3bc2844dad
  • 3537f5cfc0ad20b8061b67f82dc43a7ac1856391bece8158023fcc3d6699f75a
  • 35965e3b9cff6a78e1331ed07f5e327a91301b5b023b20fb0c107bc3574b3a08
  • 3889458cad2eccfcd7f8ec5c842dd30edec24f36a37abde0e9359dd7117524e7
  • 3eb7c725b886abf672613a63d1c17c479f1144f1262a6c3cd66a44fe74581383
  • 407f21c8583dbf70a0069162b9f7c0ec142b63e05d4d94ec8e4c85345bf759d9
  • 51ee3cc17fa697ec7de8a60ea5ad2af4195de73c95401b1b17e7b9c346ed9c1a
  • 5a33cba1e854fb298486fe6ba6ebb071e045cb698aec109561178b2a66567662
  • 5eefdd75abcd812db0c1fe74f071dcb2c50ac7c9b73144900b9918fe8930af2b
  • 601804d1434691765b258649f0a9c8924bb1b28b5ff0dc2bafb3039b2c78f6a3
  • 65344e20c9e346e62bec15f369fcdbb619d64b362483feb36a6d60e3007c22db
  • 6f5795d34e8fa33548042554f0b05b6e79e9a68783f28a196476261a0de0e068
  • 72966d743059492c8caf5689758cdf98275e087cf5bf9d0e7914db1e4472fc05
  • 751ccbeabee910ea022ebc97fde11d5e1c3bba9f83b6d2df09a927924eb1e60e
  • 77ccc470c377e4a22e0091d0abd3f91cec17b6e06c0e17d8f87dbbbd735bfe0b
  • 7bfa867554a7f1a6a891712cfdaaf519bd44bdf53e0047930890495c9655ab7e
  • 8391f3706e60079dbdbeee083f8bda85915cc763bd683bb00270f694a031c66a
  • 9e40d6af4d13a6d65e179c109b4676c691fbf0b2de6deb0d84625e654989fa0d
  • 9fe28f27c0db9df3580f65069affb7f47171d910f69035ffdeeac5a545ab4ec9
  • a1be08364eef857af56f506b206e780c803c212b76dbac8dc17e7983d08f65ff
  • a50d314e9c13d667641b11c73695980d1fd4cc0020cd7f760bdbd88bf95b1c3c
  • a95ddd15ef6f38762fbc16ca31539aabbf15c3c10d0c103cb4c204c88bfbbadf
  • ac957b3a3b4e8d75ead5dabd4b70e28e27a697a719322071d66cfb796d3b28f6
  • b1709a55b71ba9559aa839eb5304e2fc2388ae6275771b6cbbf8f49ac3e355fa
  • See JSON for more IOCs

Coverage


Screenshots of Detection

AMP

ThreatGrid

Umbrella

Malware

Win.Dropper.Kovter-6956146-0


Indicators of Compromise


Registry Keys Occurrences
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: internat.exe
25
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\WINDOWSUPDATE
Value Name: DisableOSUpgrade
25
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\WINDOWSUPDATE\OSUPGRADE
Value Name: ReservationsAllowed
25
<HKLM>\SOFTWARE\WOW6432NODE\XVYG
Value Name: xedvpa
25
<HKCU>\SOFTWARE\XVYG
Value Name: xedvpa
25
<HKCR>\.8CA9D79 25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: vrxzdhbyv
25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: ssishoff
25
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\WindowsUpdate 25
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\WINDOWSUPDATE\OSUpgrade 25
<HKCU>\SOFTWARE\xvyg 25
<HKLM>\SOFTWARE\WOW6432NODE\xvyg 25
<HKCR>\c3b616 25
<HKCR>\C3B616\shell 25
<HKCR>\C3B616\SHELL\open 25
<HKCR>\C3B616\SHELL\OPEN\command 25
<HKCR>\.8ca9d79 25
<HKU>\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION 25
<HKLM>\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION 25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.101
Value Name: CheckSetting
25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.103
Value Name: CheckSetting
25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.100
Value Name: CheckSetting
25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.102
Value Name: CheckSetting
25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.104
Value Name: CheckSetting
25
<HKCU>\SOFTWARE\XVYG
Value Name: tnzok
25
Mutexes Occurrences
EA4EC370D1E573DA 25
A83BAA13F950654C 25
Global\7A7146875A8CDE1E 25
B3E8F6F86CDD9D8B 25
\BaseNamedObjects\408D8D94EC4F66FC 24
\BaseNamedObjects\Global\350160F4882D1C98 24
\BaseNamedObjects\053C7D611BC8DF3A 24
\BaseNamedObjects\Global\9F84EBC0DC30D3FA 1
\BaseNamedObjects\CF2F399CCFD46369 1
\BaseNamedObjects\8450CD062CD6D8BB 1
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
107[.]160[.]89[.]93 2
123[.]94[.]5[.]73 1
6[.]179[.]232[.]209 1
132[.]130[.]129[.]202 1
87[.]221[.]222[.]176 1
222[.]187[.]133[.]238 1
126[.]207[.]27[.]58 1
191[.]12[.]150[.]189 1
92[.]253[.]215[.]124 1
53[.]136[.]182[.]72 1
188[.]232[.]142[.]236 1
75[.]134[.]228[.]137 1
15[.]17[.]189[.]214 1
218[.]10[.]226[.]184 1
160[.]60[.]207[.]38 1
107[.]98[.]132[.]113 1
134[.]68[.]158[.]4 1
56[.]177[.]25[.]24 1
52[.]196[.]162[.]138 1
133[.]251[.]164[.]106 1
108[.]118[.]74[.]142 1
33[.]198[.]16[.]9 1
18[.]75[.]88[.]134 1
58[.]184[.]135[.]77 1
77[.]189[.]216[.]194 1
See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
www[.]cloudflare[.]com 1
bleez[.]com[.]br 1
lojadeunatelha[.]com[.]br 1
revenda[.]lojadeunatelha[.]com[.]br 1
easyfax[.]nrtnortheast[.]com 1
www[.]username[.]n[.]nu 1
www[.]n[.]nu 1
staticjw[.]com 1
www[.]acquia[.]com 1
network[.]acquia[.]com 1
Files and or directories created Occurrences
%LOCALAPPDATA%\4dd3cc\519d0f.bat 25
%LOCALAPPDATA%\4dd3cc\8e9866.8ca9d79 25
%LOCALAPPDATA%\4dd3cc\d95adb.lnk 25
%APPDATA%\b08d66\0b3c0b.8ca9d79 25
%APPDATA%\Microsoft\Protect\S-1-5-21-2580483871-590521980-3826313501-500\Preferred 25
%LOCALAPPDATA%\4dd3cc 25
%APPDATA%\b08d66 25
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\91b4e5.lnk 25
%APPDATA%\db7a\c227.a7783 24
%HOMEPATH%\Local Settings\Application Data\f4fa\97ea.lnk 24
%HOMEPATH%\Local Settings\Application Data\f4fa\c0ce.bat 24
%HOMEPATH%\Local Settings\Application Data\f4fa\d5a9.a7783 24
%HOMEPATH%\Start Menu\Programs\Startup\d733.lnk 24
%HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\C5MZMU22\desktop.ini 3
%APPDATA%\Microsoft\Windows\Cookies\S2KTL2FI.txt 2
%APPDATA%\Microsoft\Protect\S-1-5-21-2580483871-590521980-3826313501-500\83549e0e-3d04-434f-8fd8-6118f60c376b 2
%APPDATA%\Microsoft\Protect\S-1-5-21-2580483871-590521980-3826313501-500\83549e0e-3d04-434f-8fd0-5619f60c376b 2
%APPDATA%\Microsoft\Protect\S-1-5-21-2580483871-590521980-3826313501-500\83549e0e-3d04-434f-8fdf-6619f60c376b 2
%LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Content.IE5\SSZWDDXW\1E8X74FH.htm 2
%APPDATA%\Microsoft\Protect\S-1-5-21-2580483871-590521980-3826313501-500\83549e0e-3d04-434f-8fdf-5e19f60c376b 2
%APPDATA%\Microsoft\Windows\Cookies\0TSDIW0B.txt 1
%APPDATA%\Microsoft\Windows\Cookies\UGH0HZQB.txt 1
%APPDATA%\Microsoft\Windows\Cookies\ZLTD4G06.txt 1
%APPDATA%\Microsoft\Protect\S-1-5-21-2580483871-590521980-3826313501-500\83549e0e-3d04-434f-8fd2-6219f60c376b 1
%APPDATA%\Microsoft\Protect\S-1-5-21-2580483871-590521980-3826313501-500\83549e0e-3d04-434f-8fdd-6619f60c376b 1
See JSON for more IOCs
File Hashes
  • 0699fc68be026ed52555783f4ca395dcd68dd93898e9ee1756e0ffe9493c300a
  • 06a3a8ebf6965042378a003857434f775a014293830a3d02d468b02b02f13329
  • 0826313d6cdb1c85d39edf77f5faeaff0241f09a8bc6ad8ea4453cab46628dd6
  • 2adfbe4ebd34d062e774d20d300e80ec31cdf4d59b018be2a45e644341c55f97
  • 2e7aa46acaacad3f7e1675d3090ae7669efcffb91beb976cdf93d69782fe5453
  • 2fbdb93de7475386719d620bd685b955ec05cca0f458579daa9932023351040b
  • 31d170788a623341e4d6636e1dec87b9812a1967441415bcb8097d3b4a4bdfee
  • 3337a63c7f42977759f9a961af5c7265abfe0489d68c48f90d066b40d84c0ddd
  • 3754208c5f620f262726467daac435fbcc3a262dde1620c876b72459750fc90d
  • 39b74f9fad057cc9603e2a7a716236c9671dc08abdf7e64c37ef2d2b53acf691
  • 4297d27c8909c9c40b311827f40bf195ffbb6c1ee8bef5f9203465cb10cab9bc
  • 477c74758b4c59334fcdb2051089efbe191d2cda4252aecea59b13bb93bfb101
  • 4802c24fcb2d97233d22b26077714ca09fe47f6602586da0f96965af41adecb6
  • 4be5d24a7846b4ef102b47c0488140194b49c145353259fc581fa0da4068d84a
  • 4e3b31344f80b1693ee28cedb5109a9a4e522c8ef225f6087e480954fa76b3d6
  • 5061a14b94f0794e79e4cc57a49a38c422cf30171df07282a5de10fbac455b01
  • 50939d9ddcc87d1d2e8a3c81a7683b42beeb86471fd2e4da903f062086203d5e
  • 58f3ac23dd98672c20e01c5963b11fba8b077031c7ac41f156a37d2306b812aa
  • 66d2f5f39b4fbb1cab2a4c23d696add166f6dec3ae4dcba20a1c2f89b35d4b08
  • 7199c5b3a081ae13f6b6fc457196f62ecaf3240b39b728f1255f9d3ccc86f853
  • 812e4481d2e23732e41d4e58cd19eccbd53fceba8273ea9bbd1bcaf3da13766f
  • 822bf74cf43fdfd74ef7edd6a4c52dc2ca32dd8a866afbdbd4ae933cd531dd6e
  • 8580001fd28261a74f92594fe42a01012e202e3322a35004857b6881fa73ee9a
  • 8e9f427bca537dfa11df3360b71788dc2dd70cfad927d852094f1c07e8cf2c64
  • 94ff1192ecf870614b1f98103ade1ba1ad46153ddeb8a0c3a07a76ab4461e377
  • See JSON for more IOCs

Coverage


Screenshots of Detection

AMP

ThreatGrid

Win.Trojan.Razy-6956092-0


Indicators of Compromise


Registry Keys Occurrences
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: internat.exe
25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\avkaxoq 19
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\AVKAXOQ
Value Name: Type
19
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\AVKAXOQ
Value Name: Start
19
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\AVKAXOQ
Value Name: ErrorControl
19
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\AVKAXOQ
Value Name: ImagePath
19
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\AVKAXOQ
Value Name: DisplayName
19
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\AVKAXOQ
Value Name: DependOnService
19
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\AVKAXOQ
Value Name: DependOnGroup
19
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\AVKAXOQ
Value Name: WOW64
19
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\AVKAXOQ
Value Name: ObjectName
19
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\aqejpwsx 6
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\AQEJPWSX
Value Name: Type
6
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\AQEJPWSX
Value Name: Start
6
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\AQEJPWSX
Value Name: ErrorControl
6
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\AQEJPWSX
Value Name: ImagePath
6
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\AQEJPWSX
Value Name: DisplayName
6
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\AQEJPWSX
Value Name: DependOnService
6
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\AQEJPWSX
Value Name: DependOnGroup
6
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\AQEJPWSX
Value Name: WOW64
6
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\AQEJPWSX
Value Name: ObjectName
6
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: mrldn
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: ovsuw
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: twgqm
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: eqlshtrx
1
Mutexes Occurrences
llzeou 25
Global\amztgg 19
amztgga 19
Global\eqfik 6
eqfika 6
\BaseNamedObjects\eucofa 1
003c194a95c7849375590c48f1c5bc5fÐ÷XAdministra 1
02b5f67a3eba31421dc595a7efed8e0a 1
0e390dd0547334471c08c3b8b4e7ec3aÐ÷IAdministra 1
087ddce345ea3ed2fed8d02dd466026cÐ÷QAdministra 1
14a95d66f90495fcc278258097ed704aÐ÷ Administra 1
10435b4efc8049d260d4b36673f7d656Ð÷.Administra 1
1dd13f0648a70754c883c6262c3633c1Ð÷CAdministra 1
3afec20c013fca0abef646a7a6f0f5cdÐ÷dAdministra 1
385f6390936d000f4d9db3e30b117aca 1
3dede5abeacdabc758f70beef2984aca 1
3f61be1a4bcb773c48a6dc7ed4898387Ð÷:Administra 1
401b399a3aa67d42306ce7291299b7f2Ð÷6Administra 1
897b0a510174cbc4757982703e42a0ca 1
76097734f64ce5ae9b008273431fa4c8Ð÷9Administra 1
8ae8d944960e54c7a833875f71bdae62Ð÷2Administra 1
88cb1af973183aa93bf10d74440333b6Ð÷/Administra 1
\BaseNamedObjects\380065180a 1
\BaseNamedObjects\getnia 1
\BaseNamedObjects\xabzsenoa 1
See JSON for more IOCs
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
N/A -
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
N/A -
Files and or directories created Occurrences
%APPDATA%\Microsoft\Amztggm 19
%APPDATA%\Microsoft\Amztggm\amztg.dll 19
%APPDATA%\Microsoft\Amztggm\amztgg.exe 19
%TEMP%\~amztgg.tmp 19
%APPDATA%\Microsoft\Eqfikq 6
%APPDATA%\Microsoft\Eqfikq\eqfi.dll 6
%APPDATA%\Microsoft\Eqfikq\eqfik.exe 6
%TEMP%\~eqfik.tmp 6
%APPDATA%\Microsoft\Ilgqyl\ilgqy.exe 1
%APPDATA%\Microsoft\Duazxlbu\duazxl.dll 1
%APPDATA%\Microsoft\Duazxlbu\duazxlb.exe 1
%APPDATA%\Microsoft\Jeofze\jeof.dll 1
%APPDATA%\Microsoft\Jeofze\jeofz.exe 1
%APPDATA%\Microsoft\Ssfsns\ssfs.dll 1
%APPDATA%\Microsoft\Ssfsns\ssfsn.exe 1
%APPDATA%\Microsoft\Dcpptfmac\dcpptfm.dll 1
%APPDATA%\Microsoft\Dcpptfmac\dcpptfma.exe 1
%APPDATA%\Microsoft\Taozsa\taoz.dll 1
%APPDATA%\Microsoft\Taozsa\taozs.exe 1
%APPDATA%\Microsoft\Eucofu\euco.dll 1
%APPDATA%\Microsoft\Eucofu\eucof.exe 1
%APPDATA%\Microsoft\Getnie\getn.dll 1
%APPDATA%\Microsoft\Getnie\getni.exe 1
%APPDATA%\Microsoft\Xabzsenoa\xabzsen.dll 1
%APPDATA%\Microsoft\Xabzsenoa\xabzseno.exe 1
See JSON for more IOCs
File Hashes
  • 003c194a95c7849375590c48f1c5bc5fa23099976e09c997f29b22b367c1d3d2
  • 005055ca28d6866f033aff3753a1ef7c4064b5e094eaa663953407a9b19c6a71
  • 02b5f67a3eba31421dc595a7efed8e04834e9f0121c8bcd0186e99dba9781171
  • 087ddce345ea3ed2fed8d02dd466026c0fc0fa5aa7749b392683311fd97a80e2
  • 0e390dd0547334471c08c3b8b4e7ec3ad1d8fe4facabdb5df674af76c8e149d0
  • 10435b4efc8049d260d4b36673f7d656b9fa7163d00840acd0860175e2a79f47
  • 14a95d66f90495fcc278258097ed704aca265dd6bbb966903abe00dd7225cd11
  • 1dd13f0648a70754c883c6262c3633c19aeffa4e3558f0f16da78fc796a76cf1
  • 385f6390936d000f4d9db3e30b117ac382f70f4b7d1f3f4af06808e26683bf3d
  • 3afec20c013fca0abef646a7a6f0f5cdd3826541587cfd93c25033a35e588cb2
  • 3dede5abeacdabc758f70beef2984ac184bbec3112be97e891bb64abb2981373
  • 3f61be1a4bcb773c48a6dc7ed489838796a6b512bc14a517a667fb28a2a8e3ee
  • 401b399a3aa67d42306ce7291299b7f25a24345a980a7bd719c96a6834b9bf48
  • 52c90c5917cb1c6955f68c5b03e448b976ec3f1c258eb6039c5da399b2fd41db
  • 581d9e271871b1948191755bc99e2e9ec5346408f39613aec5c3b1e52d0449bd
  • 649e6217744762016fadb2f7f36a654c607ad160d136714946aa6e0478dc7a87
  • 673e3e8e62b09e39c161091ee70f046c038ba6f24f2a1da135af23bcc1701c20
  • 69c3c4ee664fc814ef070ae902ebaa305eda6ffd23a10e5b97afe49c1300ebff
  • 69d9d27ab1c802cd322c1b7795bda4de65cc7447982076f1e2d6873a8423d57f
  • 6aad36b27c188e73090f3b79352750489a1dce20f5396e63b2af3e998eba0f0a
  • 6e01014528a359c81851b2197a4656e13d87b15424dc961cc6d770e4d4c747ee
  • 76097734f64ce5ae9b008273431fa4c81e32b05a9b8586c39b80e68ee70d0a8a
  • 88cb1af973183aa93bf10d74440333b622206be6d0bd77322c6f8689f2cf24ec
  • 897b0a510174cbc4757982703e42a0c14c4bdba0e6bf77db5a6f94a3c2651f3a
  • 8ae8d944960e54c7a833875f71bdae6243e7fa380ae3fd8176b07cb7d7819508
  • See JSON for more IOCs

Coverage


Screenshots of Detection

AMP

ThreatGrid

Exprev

Cisco AMP for Endpoints protects users from a variety of malware functions with exploit prevention. Exploit prevention helps users defend endpoints from memory attacks commonly used by obfuscated malware and exploits. These exploits use certain features to bypass typical anti-virus software, but were blocked by AMP thanks to its advanced scanning capabilities, even protecting against zero-day vulnerabilities.
  • Kovter injection detected (4469)
    A process was injected into, most likely by an existing Kovter infection. Kovter is a click fraud Trojan that can also act as an information stealer. Kovter is also file-less malware meaning the malicious DLL is stored inside Windows registry and injected directly into memory using PowerShell. It can detect and report the usage of monitoring software such as wireshark and sandboxes to its C2. It spreads through malicious advertising and spam campaigns.
  • Madshi injection detected (3542)
    Madshi is a code injection framework that uses process injection to start a new thread if other methods to start a thread within a process fail. This framework is used by a number of security solutions. It is also possible for malware to use this technique.
  • PowerShell file-less infection detected (2488)
    A PowerShell command was stored in an environment variable and run. The environment variable is commonly set by a previously run script and is used as a means of evasion. This behavior is a known tactic of the Kovter and Poweliks malware families.
  • Process hollowing detected (541)
    Process hollowing is a technique used by some programs to avoid static analysis. In typical usage, a process is started and its obfuscated or encrypted contents are unpacked into memory. The parent then manually sets up the first stages of launching a child process, but before launching it, the memory is cleared and filled in with the memory from the parent instead.
  • Gamarue malware detected (240)
    Gamarue is a family of malware that can download files and steal information from an infected system. Worm variants of the Gamarue family may spread by infecting USB drives or portable hard disks that have been plugged into a compromised system.
  • Dealply adware detected (221)
    DealPly is adware, which claims to improve your online shopping experience. It is often bundled into other legitimate installers and is difficult to uninstall. It creates pop-up advertisements and injects advertisements on webpages. Adware has also been known to download and install malware.
  • Suspicious PowerShell execution detected (156)
    A PowerShell command has attempted to bypass execution policy to run unsigned or untrusted script content. PowerShell is an extensible Windows scripting language present on all versions of Windows. Malware authors use PowerShell in an attempt to evade security software or other monitoring that is not tuned to detect PowerShell based threats.
  • Installcore adware detected (65)
    Install core is an installer which bundles legitimate applications with offers for additional third-party applications that may be unwanted. The unwanted applications are often adware that display advertising in the form of popups or by injecting into browsers and adding or altering advertisements on webpages. Adware is known to sometimes download and install malware.
  • Atom Bombing code injection technique detected (65)
    A process created a suspicious Atom, which is indicative of a known process injection technique called Atom Bombing. Atoms are Windows identifiers that associate a string with a 16-bit integer. These Atoms are accessible across processes when placed in the global Atom table. Malware exploits this by placing shell code as a global Atom, then accessing it through an Asynchronous Process Call (APC). A target process runs the APC function, which loads and runs the shellcode. The malware family Dridex is known to use Atom Bombing, but other threats may leverage it as well.
  • Excessively long PowerShell command detected (57)
    A PowerShell command with a very long command line argument that may indicate an obfuscated script has been detected. PowerShell is an extensible Windows scripting language present on all versions of Windows. Malware authors use PowerShell in an attempt to evade security software or other monitoring that is not tuned to detect PowerShell based threats.

No comments:

Post a Comment