Today, Talos is publishing a glimpse into the most prevalent threats we've observed between June 07 and June 14. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.
As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting: spotting a single IOC does not necessarily indicate maliciousness, and the IP and domain lists in particular include legitimate infrastructure that the samples happened to contact while running. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net. For each threat described below, this blog post lists only up to 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. As always, please remember that all IOCs contained in this document are indicators, and one single IOC does not indicate maliciousness.
The most prevalent threats highlighted in this roundup are:
Win.Trojan.Gh0stRAT-6993126-0 (Trojan)
Gh0stRAT is a well-known family of remote access trojans designed to provide an attacker with complete control over an infected system. Capabilities include monitoring keystrokes, collecting video footage from the webcam, and uploading/executing follow-on malware. The source code for Gh0stRAT has been publicly available on the Internet for years, significantly lowering the barrier for actors to modify and reuse the code in new attacks. Two things to note in the IOC list below: most of the mutex names mirror the C2 hosts and addresses, because these samples name their mutex after the configured C2, so the same strings appear under both "Mutexes" and "Domain Names"; and the samples drop a randomly named VBScript in %TEMP% (hence the Windows Script Host settings key).

Win.Worm.Vobfus-6992861-0 (Worm)
Vobfus is a worm that copies itself to external drives and attempts to gain automatic code execution via autorun.inf files. It also modifies the registry so that it will launch when the system is booted. Once installed, it attempts to download follow-on malware from its command and control (C2) servers. The copies it drops on removable media are named after folders normally found in a drive root ($RECYCLE.BIN.exe, System Volume Information.exe) or after lures (Passwords.exe, Porn.exe, Secret.exe, Sexy.exe), and the registry changes listed below turn off the display of protected operating system files (ShowSuperHidden) and disable automatic updates (NoAutoUpdate). Current versions of Windows do not honor autorun.inf on removable drives, so on patched hosts the file is an indicator rather than a working infection vector.

Win.Dropper.Nymaim-6992731-0 (Dropper)
Nymaim is malware that can be used to deliver ransomware and other malicious payloads. It uses a domain generation algorithm to generate potential command and control (C2) domains from which it retrieves additional payloads.

PUA.Win.Adware.Qjwmonkey-6992589-0 (Adware)
Qjwmonkey is adware that modifies the system and browser settings to display advertisements to the user.

Win.Packed.NjRAT-6992540-1 (Packed)
njRAT, also known as Bladabindi, is a remote access trojan (RAT) that allows attackers to execute commands on the infected host, log keystrokes and remotely turn on the victim's webcam and microphone. njRAT was developed by the Sparclyheason group. Some of the largest attacks using this malware date back to 2014. The samples below persist through a Run value and a Startup-folder copy named with a 32-character hexadecimal identifier, keep their keylogger buffer in the "[kl]" value under HKCU\Software\<identifier>, and reach their C2 over dynamic DNS hostnames.

Win.Malware.Tofsee-6992280-0 (Malware)
Tofsee is multi-purpose malware that features a number of modules used to carry out various activities, such as sending spam messages, conducting click fraud, mining cryptocurrency, and more. Infected systems become part of the Tofsee spam botnet and are used to send large volumes of spam messages in an effort to infect additional systems and increase the overall size of the botnet under the operator's control. Most of the network indicators below are a by-product of spamming rather than C2: the reversed-octet lookups against zen.spamhaus.org, cbl.abuseat.org, dnsbl.sorbs.net and bl.spamcop.net are the bot checking whether the host's public address is already blocklisted, most of the remaining names are the MX hosts of large mail providers, and 239.255.255.250 is the SSDP multicast address. None of those should be blocked, but a workstation that performs DNSBL self-checks and talks SMTP directly to external MX hosts is a strong sign of a spam engine.

Win.Malware.Yobrowser-6992453-0 (Malware)
Yobrowser is adware that typically masquerades as cracked versions of legitimate software. The registry keys, mutexes and %TEMP%\is-*.tmp paths listed for it below are generic Windows Restart Manager and Inno Setup installer artifacts that any Inno Setup-based installer produces; hunt on the file hashes and the dropped trithiweate.dll rather than on those.

Threats

Win.Trojan.Gh0stRAT-6993126-0
Indicators of Compromise
Registry Keys (Occurrences)
<HKCU>\Software\Microsoft\Windows Script Host\Settings
26
Mutexes (Occurrences)
guduyinan.gnway.net
6
127.0.0.1
2
soiufnrfjowieursmpwoeirfujaiurvnapoai39w45
2
y927.f3322.org
2
ddos-cc.vicp.cc
2
192.168.1.100
2
linchen1.3322.org
2
\BaseNamedObjects\linchen1.3322.org
2
119.98.51.129
1
115.28.32.138
1
203.156.199.11
1
q727446006.gicp.net
1
zy520.f3322.org
1
169.254.22.15
1
118.244.153.46
1
121.199.6.242
1
192.168.1.68
1
850967012.f3322.org
1
169.254.25.100
1
a678157.oicp.net
1
192.168.0.13
1
192.168.0.101
1
cfhx.f3322.org
1
xueyang22.gicp.net
1
\BaseNamedObjects\www.touzi1616.com
1
See JSON for more IOCs
IP Addresses contacted by malware (Occurrences; does not indicate maliciousness)
118[.]5[.]49[.]6
2
197[.]4[.]4[.]12
2
115[.]28[.]40[.]12
2
49[.]2[.]123[.]56
2
118[.]244[.]185[.]113
2
116[.]255[.]131[.]145
2
174[.]128[.]255[.]245
1
189[.]163[.]17[.]5
1
54[.]76[.]135[.]1
1
188[.]5[.]4[.]96
1
61[.]142[.]176[.]23
1
27[.]9[.]199[.]217
1
110[.]251[.]189[.]65
1
114[.]239[.]19[.]101
1
222[.]186[.]27[.]216
1
115[.]28[.]44[.]116
1
123[.]131[.]15[.]109
1
120[.]9[.]228[.]6
1
119[.]98[.]51[.]129
1
101[.]16[.]198[.]98
1
203[.]156[.]199[.]11
1
115[.]28[.]32[.]138
1
169[.]254[.]22[.]15
1
121[.]199[.]6[.]242
1
118[.]244[.]153[.]46
1
See JSON for more IOCs
Domain Names contacted by malware (Occurrences; does not indicate maliciousness)
guduyinan[.]gnway[.]net
5
y927[.]f3322[.]org
2
ddos-cc[.]vicp[.]cc
2
linchen1[.]3322[.]org
2
xm974192128[.]3322[.]org
1
guduyinan[.]gnway[.]com
1
278267882[.]f3322[.]org
1
a3328657[.]f3322[.]org
1
www[.]touzi1616[.]com
1
jie0109[.]hackxd[.]net
1
zy520[.]f3322[.]org
1
q727446006[.]gicp[.]net
1
850967012[.]f3322[.]org
1
a678157[.]oicp[.]net
1
cfhx[.]f3322[.]org
1
xueyang22[.]gicp[.]net
1
Files and/or directories created (Occurrences)
%TEMP%\jnbxmapdsg.vbs
1
%TEMP%\rlzocrfujx.vbs
1
%TEMP%\bvjkzncqf.vbs
1
%TEMP%\mxoejtdhe.vbs
1
%TEMP%\ofcspybli.vbs
1
%TEMP%\imopeshvj.vbs
1
%TEMP%\paybqnqnd.vbs
1
%TEMP%\ntvxzbqf.vbs
1
%TEMP%\rvxmapdsgv.vbs
1
%TEMP%\dkaqshjynd.vbs
1
%TEMP%\vbdsgvjy.vbs
1
%TEMP%\noqftiwlzo.vbs
1
%TEMP%\ovxncegixm.vbs
1
%TEMP%\qhxurnkcs.vbs
1
%TEMP%\eyaodrgujx.vbs
1
%TEMP%\zyvhdvlis.vbs
1
%TEMP%\zdrshixlao.vbs
1
%TEMP%\waoqethv.vbs
1
%TEMP%\ulabqeth.vbs
1
%TEMP%\othjxmapd.vbs
1
%TEMP%\zdeguvky.vbs
1
%TEMP%\gzgjxmoqeg.vbs
1
%TEMP%\fqwzqhkh.vbs
1
%TEMP%\ulabqrguix.vbs
1
%TEMP%\vrfxlaods.vbs
1
See JSON for more IOCs
File Hashes
0477c2b9ba7eecc8b0827400576860257e62a306a3e0c310eb84c537ec47e018
13287e727a2be4b6a3533e768b4babfd9191ec65002abcdf77c43e69278963be
1d7633311c1f671c60422a4d6723aa10a37e833e2d5df732f3988b3e379b2ee9
2a38fbbcef4bc83582ccd98c9bf96ff29e4c915d90802ec799420420f2cad6e6
2b19de056a388d0ee3672be895f4e446c42053034c68675585dd3fb54b8d1eb7
3821a10495fb4759fbab1ef7868eeb1e207ea6bf4211370f072b0215a14b46c8
3ae58dca3ce80c3ed4b65f610eee921dbeb3343619caace78c6afe21ec237f08
3d54f0fbd50f0b91f635a9ecc89ef8cb58c021bb60326b5fa2db75989d1bff5a
3fdd3b5333f7e526e80599add12fdeef663c59ad79ef4e714912043038377730
47c349433e77aefb18ea384f6ab4759f7bd49466f7a747255d19d4648fecc762
49752684078dfa74cd25adbbdc9bbf7a98e6f96f5355cd52b8b77738506673e7
4e5a282c7230242d090844875c9f5c432dc2c4bad3ba13fa2a7df86843785f75
53e08241abdfe3f13d6aa875642638d1badc6ec59cdb9757fe0fd598dc736927
57fc8d1737521cb0af37fcf70079603dc0eb5da1b3bbef9bad334dfe79176068
5ba20f4aaf94b4f418501ae977d1f6cf947accf8134c3b9487b42cdd65ef715b
5fab1a54d1338b2cb906aae3b2f5292d47445aae2af383c2a0e99b4ccf863262
60f6548844d59e59dc90a12fcb97396793c20687947a6eb5cc543debecf607d1
61caab6c70480cd6db4f33234cfc86467bff26c2e19b804211be8c822218a940
623fbdc46be1a797f743894e3e1cc003a29692d6fb9b3246de80282207d99b9c
63746003a0c8fcdf11f9367ca5102c8413ee5e2cd298079de5a3ab0ba5493ea7
66b770d0d2e02739e0495d30f9f56c717989eec3f1da96c7ffa01b05deffeb37
68d644144b33f4766a3e11a33c471cf877d5801e1833d1d1813d4a06125ff2a9
6a820f70fc59abd8d0b5202de65a9fc51312d18322e55b24d1f63a2339ff13d3
6cb616c3229fd37e2615de709496215cc9138436b16eab265e9feae9d81cfac2
6ed77af0d3929a62256c7aac5068ff7ca337460cb813863d7c528e95f503cc59
See JSON for more IOCs
Coverage
Screenshots of Detection: AMP, ThreatGrid
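As an added example (not part of the original roundup, and not Talos code), the following Python script frames and parses traffic using the packet layout of the public Gh0st source: a 5-byte tag, two little-endian 32-bit lengths (total frame size and uncompressed body size) and a zlib-compressed body. Forks routinely change the tag, so the stream scanner does not assume it and instead validates the lengths and the zlib stream. The sample bytes are constructed inside the script, not captured traffic; the tag `Level` is an invented stand-in for a renamed fork.

```python
import struct
import zlib

# Framing used by the public Gh0st source: a 5-byte tag, then two little-endian
# 32-bit lengths (total frame size and uncompressed body size), then a zlib stream.
# Forks frequently change the tag, so the stream scanner below treats it as unknown.
GH0ST_TAG = b"Gh0st"
HEADER_LEN = 13


def build_gh0st_frame(body: bytes, tag: bytes = GH0ST_TAG) -> bytes:
    """Frame a body the way the public Gh0st source does; used here only to construct test traffic."""
    compressed = zlib.compress(body)
    return tag + struct.pack("<II", HEADER_LEN + len(compressed), len(body)) + compressed


def parse_gh0st_frame(data: bytes, tag: bytes = GH0ST_TAG):
    """Return the decompressed body if `data` starts with a well-formed frame carrying `tag`, else None."""
    if len(data) < HEADER_LEN or data[:5] != tag:
        return None
    total_len, original_len = struct.unpack("<II", data[5:HEADER_LEN])
    if total_len <= HEADER_LEN or total_len > len(data):
        return None
    try:
        body = zlib.decompress(data[HEADER_LEN:total_len])
    except zlib.error:
        return None
    return body if len(body) == original_len else None


def scan_stream_for_frames(stream: bytes):
    """Find Gh0st-style frames in a reassembled TCP stream without assuming the tag.

    A hit needs a printable 5-byte tag, lengths that fit the buffer, a zlib header byte
    (0x78) where the compressed body starts, and a body that inflates to exactly the
    advertised size. Returns a list of (offset, tag, body).
    """
    hits = []
    i = 0
    while i + HEADER_LEN < len(stream):
        tag = stream[i:i + 5]
        total_len, original_len = struct.unpack("<II", stream[i + 5:i + HEADER_LEN])
        plausible = (
            all(0x20 <= b < 0x7F for b in tag)
            and HEADER_LEN < total_len <= len(stream) - i
            and stream[i + HEADER_LEN] == 0x78
        )
        if plausible:
            try:
                body = zlib.decompress(stream[i + HEADER_LEN:i + total_len])
            except zlib.error:
                body = None
            if body is not None and len(body) == original_len:
                hits.append((i, tag, body))
                i += total_len
                continue
        i += 1
    return hits


if __name__ == "__main__":
    # Constructed sample: unrelated bytes, a frame from a fork that renamed the tag ("Level"
    # is invented), then a stock "Gh0st" frame. None of it is captured traffic.
    sample = (b"noise"
              + build_gh0st_frame(b"\x01" + b"A" * 40, tag=b"Level")
              + build_gh0st_frame(b"\x02pong"))
    for offset, tag, body in scan_stream_for_frames(sample):
        print(f"offset={offset} tag={tag!r} body_len={len(body)} first_byte=0x{body[0]:02x}")
```

In the public source the first byte of the decompressed body is the command token, so once a frame is recovered the token stream gives a quick picture of what the operator did during the session. The scanner's checks (printable tag, consistent lengths, valid zlib stream that inflates to the advertised size) keep false positives low on arbitrary binary data, but an operator who also swaps zlib for another codec will not be caught by it.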
Win.Worm.Vobfus-6992861-0
Indicators of Compromise
Registry Keys (Occurrences)
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\WindowsUpdate
25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED
Value Name: ShowSuperHidden
25
<HKLM>\SOFTWARE\WOW6432NODE\Policies
25
<HKLM>\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\WindowsUpdate\AU
25
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\WINDOWSUPDATE\AU
25
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\WINDOWSUPDATE\AU
Value Name: NoAutoUpdate
25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: jauxec
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: qiusooj
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: mokiy
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: wiiorit
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: kuivuo
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: viezus
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: fonef
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: znxaaq
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: reiiraj
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: wauul
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: wlcug
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: wzzuf
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: laociek
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: tioila
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: tstoj
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: yeeuqov
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: vyjuos
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: zeuub
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: teozuim
1
Mutexes (Occurrences)
\BaseNamedObjects\A
25
IP Addresses contacted by malware (Occurrences; does not indicate maliciousness)
216[.]218[.]206[.]69
1
Domain Names contacted by malware (Occurrences; does not indicate maliciousness)
ns1[.]helpchecks[.]com
25
ns1[.]helpchecks[.]info
25
ns1[.]helpchecks[.]at
25
ns1[.]helpchecks[.]eu
25
ns1[.]helpchecks[.]by
25
ns1[.]helpcheck1[.]org
25
ns1[.]helpcheck1[.]com
25
ns1[.]helpcheck1[.]net
25
Files and/or directories created (Occurrences)
\??\E:\autorun.inf
25
\autorun.inf
25
\??\E:\System Volume Information.exe
25
\System Volume Information.exe
25
\$RECYCLE.BIN.exe
25
\??\E:\$RECYCLE.BIN.exe
25
\Secret.exe
25
\??\E:\Passwords.exe
25
\??\E:\Porn.exe
25
\??\E:\Secret.exe
25
\??\E:\x.mpeg
25
\Passwords.exe
25
\Porn.exe
25
\Sexy.exe
25
%HOMEPATH%\Passwords.exe
25
%HOMEPATH%\Porn.exe
25
%HOMEPATH%\Secret.exe
25
%HOMEPATH%\Sexy.exe
25
\??\E:\Sexy.exe
24
%HOMEPATH%\Passwords.exe (copy)
24
%HOMEPATH%\Porn.exe (copy)
24
%HOMEPATH%\RCX1.tmp
24
%HOMEPATH%\RCX2.tmp
24
%HOMEPATH%\RCX3.tmp
24
%HOMEPATH%\RCX4.tmp
24
See JSON for more IOCs
File Hashes
See JSON for more IOCs
Coverage
Screenshots of Detection: AMP, ThreatGrid, Umbrella
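The file list above shows how this worm lays out a removable drive: a launcher referenced from autorun.inf, executables named after root folders, and lure executables. As an added example (not part of the original post), this Python script parses an autorun.inf, resolves what it would launch, and classifies a drive-root listing against those patterns. The listing and the autorun.inf text are constructed from the names above, not taken from an infected drive, and the exact autorun.inf content Vobfus writes varies by variant.

```python
from pathlib import PureWindowsPath

EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs"}
# Items that legitimately live in a drive root; an executable with one of these stems is
# impersonating a folder (the worm also turns off ShowSuperHidden so the real ones stay hidden).
IMPERSONATED_ROOT_ITEMS = {"system volume information", "$recycle.bin", "recycler"}
# Lure stems taken from the Vobfus file list on this page.
LURE_STEMS = {"passwords", "porn", "secret", "sexy"}
AUTORUN_LAUNCH_KEYS = {"open", "shellexecute"}


def parse_autorun_inf(text):
    """Return (key, value) launch directives from an autorun.inf: open=, shellexecute= and shell\\...\\command=.

    Hand-rolled rather than configparser because real-world autorun.inf files are often padded
    with junk lines that a strict INI parser rejects.
    """
    targets = []
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower()
        if key in AUTORUN_LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
            targets.append((key, value.strip()))
    return targets


def launch_target_filename(value):
    """Reduce an open=/command= value to the bare file name it launches (drops quotes, args, paths)."""
    value = value.strip()
    if value.startswith('"'):
        exe = value[1:].split('"', 1)[0]
    else:
        exe = value.split()[0] if value else ""
    return PureWindowsPath(exe).name.lower()


def assess_removable_drive(root_listing, autorun_text=None):
    """Classify suspicious items in a drive-root listing; returns a sorted list of (finding, name)."""
    findings = set()
    by_lower = {name.lower(): name for name in root_listing}
    for name in root_listing:
        p = PureWindowsPath(name)
        stem, ext = p.stem.lower(), p.suffix.lower()
        if ext in EXECUTABLE_EXTS and stem in IMPERSONATED_ROOT_ITEMS:
            findings.add(("executable impersonating root folder", name))
        elif ext in EXECUTABLE_EXTS and stem in LURE_STEMS:
            findings.add(("lure executable", name))
    if autorun_text is not None:
        for key, value in parse_autorun_inf(autorun_text):
            target = launch_target_filename(value)
            if target in by_lower:
                findings.add(("autorun.inf launch target present", by_lower[target]))
            else:
                findings.add(("autorun.inf launch directive", f"{key}={value}"))
    return sorted(findings)


# Constructed sample modelled on the Vobfus file list above; not a capture from a real drive.
SAMPLE_ROOT_LISTING = [
    "autorun.inf", "System Volume Information", "System Volume Information.exe",
    "$RECYCLE.BIN.exe", "Passwords.exe", "Porn.exe", "x.mpeg", "holiday.jpg",
]
SAMPLE_AUTORUN_INF = "[AutoRun]\nopen=x.mpeg\nshell\\open\\command=x.mpeg\nicon=x.mpeg\n"

if __name__ == "__main__":
    for finding, name in assess_removable_drive(SAMPLE_ROOT_LISTING, SAMPLE_AUTORUN_INF):
        print(f"{finding}: {name}")
```

Note that the launch target is checked by name only, not by extension: a worm can point open= at a file with a media-looking name (x.mpeg in the list above) because the shell runs whatever autorun names, so filtering on .exe alone would miss it. The real "System Volume Information" folder in the listing is not flagged, since it carries no executable extension.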
Win.Dropper.Nymaim-6992731-0
Indicators of Compromise
Registry Keys (Occurrences)
<HKCU>\Software\Microsoft\GOCFK
24
<HKCU>\SOFTWARE\MICROSOFT\GOCFK
Value Name: mbijg
24
Mutexes (Occurrences)
Local\{369514D7-C789-5986-2D19-AB81D1DD3BA1}
24
Local\{D0BDC0D1-57A4-C2CF-6C93-0085B58FFA2A}
24
Local\{F04311D2-A565-19AE-AB73-281BA7FE97B5}
24
Local\{F6F578C7-92FE-B7B1-40CF-049F3710A368}
24
Local\{306BA354-8414-ABA3-77E9-7A7F347C71F4}
24
Local\{F58B5142-BC49-9662-B172-EA3D10CAA47A}
24
Local\{C170B740-57D9-9B0B-7A4E-7D6ABFCDE15D}
24
Local\{764A5E5B-9D8B-4E3E-3AE5-6BA089B04B34}
24
Local\{D6E0445C-66CF-7E18-EE4D-5700342376D0}
24
IP Addresses contacted by malware (Occurrences; does not indicate maliciousness)
66[.]220[.]23[.]114
24
64[.]71[.]188[.]178
18
184[.]105[.]76[.]250
18
Domain Names contacted by malware (Occurrences; does not indicate maliciousness)
jexzc[.]in
24
nenpzs[.]com
23
Files and/or directories created (Occurrences)
%ProgramData%\ph
24
%ProgramData%\ph\fktiipx.ftf
24
%TEMP%\gocf.ksv
24
%TEMP%\fro.dfx
23
\Documents and Settings\All Users\pxs\pil.ohu
23
%LOCALAPPDATA%\giy4vh3
5
%APPDATA%\io77x
5
%LOCALAPPDATA%\av1165d
5
%APPDATA%\tv2
5
%ProgramData%\0c7
4
%LOCALAPPDATA%\g816
4
%APPDATA%\p3f
4
%LOCALAPPDATA%\r4v2rp
4
%APPDATA%\3w7
4
%ProgramData%\3e9sq
3
%ProgramData%\qi39
3
%LOCALAPPDATA%\yp870bk
3
%ProgramData%\4b8s2
3
%ProgramData%\q8216p
3
%ProgramData%\94z
2
%ProgramData%\igzk4
2
%LOCALAPPDATA%\ycq1ac
2
%APPDATA%\867j
2
%ProgramData%\9d0g9
2
%ProgramData%\0186d9m
2
See JSON for more IOCs
File Hashes
See JSON for more IOCs
Coverage
Screenshots of Detection: AMP, ThreatGrid
PUA.Win.Adware.Qjwmonkey-6992589-0
Indicators of Compromise
Registry Keys (Occurrences)
N/A
Mutexes (Occurrences)
ATL:MemData03EAPC
10
\BaseNamedObjects\ATL:MemData03EA899552
1
\BaseNamedObjects\ATL:MemData03EA830021
1
\BaseNamedObjects\ATL:MemData03EA841675
1
\BaseNamedObjects\ATL:MemData03EA358075
1
\BaseNamedObjects\ATL:MemData03EA675052
1
\BaseNamedObjects\ATL:MemData03EA134349
1
\BaseNamedObjects\ATL:MemData03EA414408
1
\BaseNamedObjects\ATL:MemData03EA124406
1
\BaseNamedObjects\ATL:MemData03EA651689
1
\BaseNamedObjects\ATL:MemData03EA172892
1
IP Addresses contacted by malware (Occurrences; does not indicate maliciousness)
47[.]102[.]38[.]15
10
39[.]108[.]27[.]173
9
47[.]95[.]181[.]45
2
36[.]99[.]227[.]233
1
Domain Names contacted by malware (Occurrences; does not indicate maliciousness)
x[.]93ne[.]com
10
cdn[.]zry97[.]com
1
Files and/or directories created (Occurrences)
%System32%\d3d9caps.dat (copy)
10
%System32%\d3d9caps.tmp
10
%APPDATA%\GlobalMgr.db
10
File Hashes
See JSON for more IOCs
Coverage
Screenshots of Detection: AMP, ThreatGrid
Win.Packed.NjRAT-6992540-1
Indicators of Compromise
Registry Keys (Occurrences)
<HKLM>\System\CurrentControlSet\Services\NapAgent\Shas
32
<HKLM>\System\CurrentControlSet\Services\NapAgent\Qecs
32
<HKLM>\System\CurrentControlSet\Services\NapAgent\LocalConfig
32
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\NAPAGENT\LOCALCONFIG\Enroll\HcsGroups
32
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\NAPAGENT\LOCALCONFIG\UI
32
<HKU>\S-1-5-21-2580483871-590521980-3826313501-500
Value Name: di
32
<HKCU>\ENVIRONMENT
Value Name: SEE_MASK_NOZONECHECKS
32
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
Value Name: ParseAutoexec
32
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: 7a6058fe5633bcc68b913467734f0f12
1
<HKCU>\SOFTWARE\7A6058FE5633BCC68B913467734F0F12
Value Name: [kl]
1
<HKCU>\Software\5d6c253999006e0a364768488fca8056
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: 5d6c253999006e0a364768488fca8056
1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: 5d6c253999006e0a364768488fca8056
1
<HKCU>\SOFTWARE\5D6C253999006E0A364768488FCA8056
Value Name: [kl]
1
<HKCU>\Software\81d13862f7a9e91b88ef1cf04880f30b
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: 81d13862f7a9e91b88ef1cf04880f30b
1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: 81d13862f7a9e91b88ef1cf04880f30b
1
<HKCU>\Software\c4356a2f1cc184765354ac346ff3c760
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: c4356a2f1cc184765354ac346ff3c760
1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: c4356a2f1cc184765354ac346ff3c760
1
<HKCU>\SOFTWARE\81D13862F7A9E91B88EF1CF04880F30B
Value Name: [kl]
1
<HKCU>\SOFTWARE\C4356A2F1CC184765354AC346FF3C760
Value Name: [kl]
1
<HKCU>\Software\92c90be64c51c97abffcb0136889e008
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: 92c90be64c51c97abffcb0136889e008
1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: 92c90be64c51c97abffcb0136889e008
1
Mutexes (Occurrences)
\BaseNamedObjects\23f0e3bce589df29a3e6f3e8879b41c1
1
cf56ee275cc59274062dc1b03224ca99
1
7224ecb50ef565a251e4dca6d8280c72
1
ddb5e6e34f69e8c18573f23e18eb66b5
1
dbac86ee556aeefaf987b893994aa8a6
1
9933a39bcdb4ca2ba91ddfbf0eb49c28
1
27e6ba15367cfc6ccdb30fd12c8ebc9a
1
551c2891c1a5b14d85bd8205beca398a
1
6f548f49442e3cf6cd712e1421ced30b
1
ea48d06232228d6119e51286c4c0d7cb
1
6843bfb57b172a29eaca1016ea14dd34
1
b6a24dab009c0449997c4b895176ddee
1
b17b3051ec3895b563f6189b117c7103
1
61d4512a2b96204a3981459fa733229e
1
b1471de1dda54e505e7a2fe5dc250cbd
1
5b9aa31356f88f5efd2d650bab2fd205
1
227ae895ae9adabb3c9cc7efd9b8f180
1
cf10c5de3b577ea5f5b8886499972c21
1
89ced9869827e13512140dfd15310bdb
1
7a6058fe5633bcc68b913467734f0f12
1
5d6c253999006e0a364768488fca8056
1
81d13862f7a9e91b88ef1cf04880f30b
1
c4356a2f1cc184765354ac346ff3c760
1
92c90be64c51c97abffcb0136889e008
1
d8cff2de0df1355a3d74ec30295aa1da
1
See JSON for more IOCs
IP Addresses contacted by malware (Occurrences; does not indicate maliciousness)
2[.]91[.]138[.]211
2
197[.]206[.]180[.]205
1
85[.]170[.]230[.]163
1
185[.]17[.]1[.]245
1
Domain Names contacted by malware (Occurrences; does not indicate maliciousness)
youwave932[.]no-ip[.]biz
10
dmar-ksa[.]ddns[.]net
3
karem[.]no-ip[.]org
3
alkhorsan[.]linkpc[.]net
2
sabridz[.]no-ip[.]biz
1
alkhorsan2016[.]no-ip[.]biz
1
amiramir[.]noip[.]me
1
MSKGH[.]DDNS[.]NET
1
mskhe[.]ddns[.]net
1
paleb[.]no-ip[.]org
1
yeswecan[.]duckdns[.]org
1
megatn[.]publicvm[.]com
1
Files and/or directories created (Occurrences)
%TEMP%\server.exe
4
%TEMP%\svchost.exe
2
%TEMP%\svhost.exe
1
%APPDATA%\google.exe
1
%TEMP%\system.exe
1
%TEMP%\win32.exe
1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\9933a39bcdb4ca2ba91ddfbf0eb49c28.exe
1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\27e6ba15367cfc6ccdb30fd12c8ebc9a.exe
1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\551c2891c1a5b14d85bd8205beca398a.exe
1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\6f548f49442e3cf6cd712e1421ced30b.exe
1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\cb0bc0e4b97025e4a12cd7655f373600.exe
1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\ea48d06232228d6119e51286c4c0d7cb.exe
1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\6843bfb57b172a29eaca1016ea14dd34.exe
1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\b17b3051ec3895b563f6189b117c7103.exe
1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\b6a24dab009c0449997c4b895176ddee.exe
1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\61d4512a2b96204a3981459fa733229e.exe
1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\b1471de1dda54e505e7a2fe5dc250cbd.exe
1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\5b9aa31356f88f5efd2d650bab2fd205.exe
1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\cf10c5de3b577ea5f5b8886499972c21.exe
1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\89ced9869827e13512140dfd15310bdb.exe
1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\7a6058fe5633bcc68b913467734f0f12.exe
1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\5d6c253999006e0a364768488fca8056.exe
1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\81d13862f7a9e91b88ef1cf04880f30b.exe
1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\c4356a2f1cc184765354ac346ff3c760.exe
1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\92c90be64c51c97abffcb0136889e008.exe
1
See JSON for more IOCs
File Hashes
04675d38c3f123c6cfe12a8b96c840894985d77a044aa009b6f6a2d1d9bd42a5
070a2b244bfb020dc8c3203831e14d3f27f3a3d5a7bc0df2e1a1acc1b7a5b48a
0bfae405fffc2cb791f7eefb7c4d2efe4b76235289e5a043718bc6ed7480c4f1
0c75f012571cc271d8c19d95b714f425bf6f5ef7b09a646c18cd0b99e0050ede
0e37c0759ded6594cf671c82ea8d8404b2c8ad34c8b7c772d4f4bcdbc01f6b28
133d714e145400b9adc0ac24584745443fee2a9cdcda31bd3251264e46c84607
1444bf151e764ffe3402827f60a142f20a0e6060ad8fb80255e1a82c63ec70e0
146054936453e72343079c7c89517cef5a8e270ba827c321ce6c6740775df7c4
19b06c7cf56e2148202b8051d64823817d8c81afd9e6061e6e625b953439b9eb
26f3184e05046a17a8a470a0ca2088a8774641729eb86c6f84310707014dfb6b
2d4c6b0074ca4866f50c7242882e467a65da7f7dc28fd9c2bbd09caa6f99a8d6
369f407ad2e8321d87ac5f32241d7cf2a0e72aae0b8c0caed4f30faa042ed85e
3bb55a41fa1c485c018b03b521beb74a4baea14bc2b89b8b69713e07079771f9
3d0946ab360b335a58789cc81cb5711e438f312426b2477b2777a256f2b772c6
452ec0f00cee0a7ea6c104d9835af5f3999c50b37d22081dee4b47e75b794cad
469d100e0e62a4099313c485e24f134abd32e598a7f65f147342ac7ea9274f2a
4cd937a9a1914666ebe671b2b9f4db59806dbacd6ae784b10f5b625e1448649f
560a570d89a632b81d34cf4d1e20a86c35657d9211ac4061c419883e2b108e63
5da16143a544f7c51cdd146540b5393113a6768162328cfccb5e484c64472ec6
619b638736132bd02470c09508cb63a3fb753c6ee0f8dab4f4af6c2694f9095f
6323174f37df70906257ac7b545eeed4e1cfaea1cbbba74d5acc49230fadcf73
64f50c68d48d152eba786380b7a1db84f94f28c63f34ccb499008e1889ee0675
694a3485ae77c8e024295e34caf2f335eeb61d4ebcda6fd5789086526ae44a9f
6aacdb0640cda4db32f307b91e4d0d6bb4d88429a14308fb90ec573a9c892afb
7530fc29bdc4ae5be727789818541dafcb590bdd708e64e8bde0a4c99b37b2f7
See JSON for more IOCs
Coverage
Screenshots of Detection: AMP, ThreatGrid
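The registry keys above show the persistence shape of these samples: a Run value and a Startup-folder copy named with a 32-character hexadecimal identifier, a `[kl]` value under HKCU\Software\<identifier>, and `SEE_MASK_NOZONECHECKS=1` in HKCU\Environment. As an added example (not part of the original post), this Python script parses a .reg export and flags those three patterns. The export is constructed here with the 7a6058fe... identifier from the list above and an invented benign OneDrive Run value for contrast; the keystroke text in the `[kl]` value is made up.

```python
import re

HEX32 = re.compile(r"^[0-9a-f]{32}$", re.IGNORECASE)
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run$", re.IGNORECASE)
NJRAT_STATE_KEY = re.compile(r"^HKEY_CURRENT_USER\\Software\\[0-9a-f]{32}$", re.IGNORECASE)


def parse_reg_export(text):
    """Yield (key, value_name, data) from a .reg export (Windows Registry Editor 5.00 format).

    Handles what this check needs: [key] headers, "name"="string" and "name"=dword:... lines.
    Default values come back with the name '@'; hex(...) blobs are returned raw and unjoined.
    """
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        if key is None or "=" not in line:
            continue
        name, _, data = line.partition("=")
        name = name if name == "@" else name.strip('"')
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            # undo .reg string escaping: \\ -> \ and \" -> "
            data = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
        yield key, name, data


def hunt_njrat_artifacts(reg_text):
    """Return findings as (rule, key, value_name, data) tuples for njRAT-style registry artifacts."""
    findings = []
    for key, name, data in parse_reg_export(reg_text):
        if RUN_KEY.search(key) and HEX32.match(name):
            findings.append(("run-value named by 32-hex id", key, name, data))
        elif NJRAT_STATE_KEY.match(key) and name == "[kl]":
            findings.append(("keylog buffer under HKCU\\Software\\<id>", key, name, data))
        elif (key.lower() == r"hkey_current_user\environment"
              and name.upper() == "SEE_MASK_NOZONECHECKS" and data == "1"):
            findings.append(("zone-check prompt suppressed", key, name, data))
    return findings


# Constructed .reg export: one benign Run value next to artifacts shaped like the njRAT keys
# listed above. The path, user name and keystroke text are invented.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"7a6058fe5633bcc68b913467734f0f12"="\"C:\\Users\\alice\\AppData\\Local\\Temp\\server.exe\""

[HKEY_CURRENT_USER\Software\7a6058fe5633bcc68b913467734f0f12]
"[kl]"="[ENTER]notepad[ENTER]"

[HKEY_CURRENT_USER\Environment]
"SEE_MASK_NOZONECHECKS"="1"
'''

if __name__ == "__main__":
    for rule, key, name, data in hunt_njrat_artifacts(SAMPLE_REG_EXPORT):
        print(f"{rule}: [{key}] {name} = {data}")
```

The RUN_KEY pattern deliberately matches both the HKCU Run key and the HKLM Wow6432Node Run key from the list, since the samples write to whichever they can. A 32-hex Run value name is not unique to njRAT, so treat that rule as a pivot and confirm with the `[kl]` value or the Startup-folder copy of the same name before acting.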
Win.Malware.Tofsee-6992280-0
Indicators of Compromise
Registry Keys (Occurrences)
<HKLM>\System\CurrentControlSet\Services\NapAgent\Shas
17
<HKLM>\System\CurrentControlSet\Services\NapAgent\Qecs
17
<HKLM>\System\CurrentControlSet\Control\SecurityProviders\Schannel
17
<HKLM>\System\CurrentControlSet\Services\NapAgent\LocalConfig
17
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\NAPAGENT\LOCALCONFIG\Enroll\HcsGroups
17
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\NAPAGENT\LOCALCONFIG\UI
17
<HKU>\.DEFAULT\Control Panel\Buses
17
<HKU>\.DEFAULT\CONTROL PANEL\BUSES
Value Name: Config3
17
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\wpdjiqwl
3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\wpdjiqwl
3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WPDJIQWL
Value Name: Type
3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WPDJIQWL
Value Name: Start
3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WPDJIQWL
Value Name: ErrorControl
3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WPDJIQWL
Value Name: DisplayName
3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WPDJIQWL
Value Name: WOW64
3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WPDJIQWL
Value Name: ObjectName
3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WPDJIQWL
Value Name: Description
3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WPDJIQWL
Value Name: ImagePath
3
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\gzntsagv
2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\gzntsagv
2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\GZNTSAGV
Value Name: Type
2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\GZNTSAGV
Value Name: Start
2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\GZNTSAGV
Value Name: ErrorControl
2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\GZNTSAGV
Value Name: DisplayName
2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\GZNTSAGV
Value Name: WOW64
2
IP Addresses contacted by malware (Occurrences; does not indicate maliciousness)
239[.]255[.]255[.]250
17
69[.]55[.]5[.]250
17
192[.]0[.]47[.]59
16
144[.]76[.]199[.]43
15
176[.]111[.]49[.]43
15
46[.]4[.]52[.]109
15
144[.]76[.]199[.]2
15
85[.]25[.]119[.]25
15
43[.]231[.]4[.]7
15
172[.]217[.]164[.]132
15
94[.]23[.]27[.]38
15
216[.]146[.]35[.]35
14
208[.]76[.]51[.]51
13
172[.]217[.]192[.]26
13
74[.]6[.]141[.]40
13
212[.]82[.]101[.]46
12
98[.]136[.]96[.]73
12
98[.]136[.]101[.]116
12
67[.]195[.]228[.]87
12
66[.]218[.]85[.]151
12
213[.]205[.]33[.]63
12
98[.]137[.]157[.]43
12
87[.]250[.]250[.]89
12
74[.]125[.]193[.]26
12
172[.]217[.]6[.]228
11
See JSON for more IOCs
Domain Names contacted by malware (Occurrences; does not indicate maliciousness)
250[.]5[.]55[.]69[.]in-addr[.]arpa
17
250[.]5[.]55[.]69[.]zen[.]spamhaus[.]org
17
250[.]5[.]55[.]69[.]cbl[.]abuseat[.]org
17
250[.]5[.]55[.]69[.]dnsbl[.]sorbs[.]net
17
250[.]5[.]55[.]69[.]bl[.]spamcop[.]net
17
250[.]5[.]55[.]69[.]sbl-xbl[.]spamhaus[.]org
17
microsoft-com[.]mail[.]protection[.]outlook[.]com
17
whois[.]iana[.]org
16
whois[.]arin[.]net
16
sweety2001[.]dating4you[.]cn
16
honeypus[.]rusladies[.]cn
16
katarinasw[.]date4you[.]cn
16
marina99[.]ruladies[.]cn
16
mx-aol[.]mail[.]gm0[.]yahoodns[.]net
13
hotmail-com[.]olc[.]protection[.]outlook[.]com
13
mx1[.]emailsrvr[.]com
13
aol[.]com
13
mx-eu[.]mail[.]am0[.]yahoodns[.]net
12
tiscali[.]it
12
mxs[.]mail[.]ru
12
mx[.]yandex[.]net
12
mx[.]yandex[.]ru
12
msx-smtp-mx2[.]hinet[.]net
12
tiscalinet[.]it
11
inmx[.]rambler[.]ru
11
See JSON for more IOCs
Files and/or directories created (Occurrences)
%SystemRoot%\SysWOW64\config\systemprofile:.repos
17
%SystemRoot%\SysWOW64\config\systemprofile
17
%HOMEPATH%
15
%SystemRoot%\SysWOW64\wpdjiqwl
3
%SystemRoot%\SysWOW64\gzntsagv
2
%SystemRoot%\SysWOW64\athnmuap
2
%SystemRoot%\SysWOW64\slzfemsh
2
%TEMP%\utjfmin.exe
1
%TEMP%\evorylxw.exe
1
%TEMP%\gstniefc.exe
1
%TEMP%\otggjiyd.exe
1
%TEMP%\edtpwsx.exe
1
%TEMP%\uutzkyfi.exe
1
%TEMP%\rlnkeakp.exe
1
%TEMP%\azlhmwgt.exe
1
%TEMP%\wytkbvcv.exe
1
%TEMP%\uboorcup.exe
1
%TEMP%\uxffdbfo.exe
1
%TEMP%\ondzgch.exe
1
%TEMP%\arknuhts.exe
1
%TEMP%\tyllondi.exe
1
%TEMP%\qpfbiej.exe
1
%TEMP%\jhokjsqh.exe
1
%TEMP%\lkwsxhre.exe
1
%TEMP%\pjlicyin.exe
1
See JSON for more IOCs
File Hashes
116bb71b6e6866ba5862d18e5361fe70ad2f9adb3ed8f5f1606e2561bff9fa79
2b9c74a2ffb4d1164048adec4381d151922244be8855026bff683abbf4122684
397ad676785c8e47422e723c081e44172dd935bcfe1389a039ac4bb1013c50c0
59639b75a9ebe2fdcf6ec9623454f06455a5fa6f0a23e47cece96d98c8c0f324
650c6dae8c1553d599d15e7c3d2235a393f498b743538674c7a1d87a8b627d90
7b962ff72c455f123c5ee0ba29aeea11e6fa23d595a0be8aad7b0235d5280d79
85bd864d585a37662a1c6a28daef2ac8c97996e52bf37209e76b0a8a9d6494e1
a1fd580e38af18c70ede2540e309a513e85b9a06423aee45f35fbbf1bfa517b9
a94cea85efa1c6842892248e1724cd17fb66a34435c9797d9809c3e25a5e6770
bad0767a0cf7088aed7904551b26bafd66b4bbc1257518275a1b277f27d1f7a9
c3bb4a36939e8f6d2acf8b57b0676ca8c7bafea33cfd15bedecf192f0610e6e9
c5ed772f6cb0aa202fb87049bd20063741fd62023f7d9c924876e28711dab3f2
de76a7d7af2c38342333014608b75117a2d1868d9020f62fdd117cdfb5ed30fa
e1cfadc86259f90b2f1fb5cd23bd267a94ed8c8a2d72035b6e335fd5e68d5866
ec4960b3885c4bb63032883cd088585e4f347c4ac9659f49982f999775d90a21
f1e790bcc0711047ab255646e07ef7d2fb644c45b24a4bc67250e2c8ee9318a1
f7699a1eafb0aded81818b28fd1c897e3e2e22d9d7b4297d97654a5aca09da49
Coverage
Screenshots of Detection: AMP, ThreatGrid, Umbrella
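As an added example (not from the original post), this Python script turns the Tofsee domain list above into a resolver-log check: it recognises reversed-octet lookups against the DNSBL zones seen in the list, recovers the address being checked, counts MX lookups per client, and reports clients that are not known mail servers. The query names are the ones from the list; the timestamps, client addresses and the "known mail server" are constructed.

```python
from collections import defaultdict

# DNS-based blocklist zones seen in the Tofsee domain list above; the bot queries them for the
# reversed octets of its own public address to learn whether it is already listed.
DNSBL_ZONES = (
    "zen.spamhaus.org", "sbl-xbl.spamhaus.org", "cbl.abuseat.org",
    "dnsbl.sorbs.net", "bl.spamcop.net",
)


def dnsbl_lookup_target(qname):
    """If qname is a reversed-octet DNSBL query, return (checked_ip, zone); otherwise None.

    PTR lookups under in-addr.arpa use the same reversed form but are ordinary reverse DNS,
    so they are deliberately not treated as blocklist checks.
    """
    q = qname.rstrip(".").lower()
    for zone in DNSBL_ZONES:
        if q.endswith("." + zone):
            labels = q[: -(len(zone) + 1)].split(".")
            if len(labels) == 4 and all(l.isdigit() and int(l) <= 255 for l in labels):
                return ".".join(reversed(labels)), zone
    return None


def find_spambot_candidates(log_lines, known_mail_servers=frozenset(), min_zones=2, min_mx=3):
    """Flag clients that behave like a spam engine: DNSBL self-checks across several zones or
    MX lookups for many unrelated mail domains. Log lines: '<ts> <client_ip> <qname> <qtype>'."""
    stats = defaultdict(lambda: {"zones": set(), "checked": set(), "mx": set()})
    for line in log_lines:
        parts = line.split()
        if len(parts) < 4:
            continue
        _ts, client, qname, qtype = parts[:4]
        hit = dnsbl_lookup_target(qname)
        if hit is not None:
            stats[client]["checked"].add(hit[0])
            stats[client]["zones"].add(hit[1])
        elif qtype.upper() == "MX":
            stats[client]["mx"].add(qname.rstrip(".").lower())
    candidates = {}
    for client, s in stats.items():
        if client in known_mail_servers:
            continue  # a real MTA legitimately does both of these things
        if len(s["zones"]) >= min_zones or len(s["mx"]) >= min_mx:
            candidates[client] = {
                "checked_ips": sorted(s["checked"]),
                "dnsbl_zones": sorted(s["zones"]),
                "mx_domains": sorted(s["mx"]),
            }
    return candidates


# Constructed resolver log; query names mirror the Tofsee list above, everything else is invented.
SAMPLE_DNS_LOG = """
2019-06-10T09:12:01Z 10.0.0.5 250.5.55.69.zen.spamhaus.org A
2019-06-10T09:12:01Z 10.0.0.5 250.5.55.69.cbl.abuseat.org A
2019-06-10T09:12:01Z 10.0.0.5 250.5.55.69.dnsbl.sorbs.net A
2019-06-10T09:12:02Z 10.0.0.5 250.5.55.69.bl.spamcop.net A
2019-06-10T09:12:05Z 10.0.0.5 aol.com MX
2019-06-10T09:12:05Z 10.0.0.5 tiscali.it MX
2019-06-10T09:12:06Z 10.0.0.5 mail.ru MX
2019-06-10T09:12:06Z 10.0.0.5 yandex.ru MX
2019-06-10T09:12:07Z 10.0.0.9 www.google.com A
2019-06-10T09:12:08Z 10.0.0.9 250.5.55.69.in-addr.arpa PTR
2019-06-10T09:12:09Z 10.0.0.25 250.5.55.69.zen.spamhaus.org A
2019-06-10T09:12:09Z 10.0.0.25 250.5.55.69.bl.spamcop.net A
""".strip().splitlines()

if __name__ == "__main__":
    for client, detail in find_spambot_candidates(SAMPLE_DNS_LOG, known_mail_servers={"10.0.0.25"}).items():
        print(client, detail)
```

The recovered address (69.55.5.250 here, which is also in the IP list above) is worth keeping: it is the egress address the bot believes it spams from, which is what an abuse desk or the DNSBL operator will see. The `known_mail_servers` exclusion matters in practice, because a legitimate MTA performs exactly these lookups and a rule without it will page on every mail relay.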
Win.Malware.Yobrowser-6992453-0
Indicators of Compromise
Registry Keys (Occurrences)
<HKCU>\Software\Microsoft\RestartManager\Session0000
33
<HKCU>\SOFTWARE\MICROSOFT\RESTARTMANAGER\SESSION0000
Value Name: Sequence
33
<HKCU>\SOFTWARE\MICROSOFT\RestartManager
33
<HKCU>\SOFTWARE\MICROSOFT\RESTARTMANAGER\SESSION0000
Value Name: Owner
33
<HKCU>\SOFTWARE\MICROSOFT\RESTARTMANAGER\SESSION0000
Value Name: SessionHash
33
Mutexes (Occurrences)
Local\RstrMgr-3887CAB8-533F-4C85-B0DC-3E5639F8D511-Session0000
33
Local\RstrMgr3887CAB8-533F-4C85-B0DC-3E5639F8D511
33
IP Addresses contacted by malware (Occurrences; does not indicate maliciousness)
N/A
Domain Names contacted by malware (Occurrences; does not indicate maliciousness)
N/A
Files and/or directories created (Occurrences)
%LOCALAPPDATA%\Programs
33
%LOCALAPPDATA%\Programs\Common
33
%TEMP%\is-C6FN7.tmp\32dfee8be7cca7d0ed5b84fe8deff6d7177042a802586d16c26176ec58952309.tmp
1
%TEMP%\is-9HDTO.tmp\_isetup\_setup64.tmp
1
%TEMP%\is-9HDTO.tmp\_isetup\_shfoldr.dll
1
%TEMP%\is-9HDTO.tmp\trithiweate.dll
1
%TEMP%\is-7CPIN.tmp\36ca931623f279c6683ace47e425666510034f5e18441f90e895a3fc6cd2bbdb.tmp
1
%TEMP%\is-0142V.tmp\_isetup\_setup64.tmp
1
%TEMP%\is-0142V.tmp\_isetup\_shfoldr.dll
1
%TEMP%\is-0142V.tmp\trithiweate.dll
1
%TEMP%\is-CRK4O.tmp\42827e85051a54995e67aeb54b9418968224f6c299887e4afca574e08b2b76c1.tmp
1
%TEMP%\is-Q964A.tmp\482675e5774d1714ae17b5daefd13697fe3a921feb20fc4360065c2135b9c7b0.tmp
1
%TEMP%\is-9AA9G.tmp\3f2c22316bc2184f740f39499e41002c6d525a2c4c18dd0b9170c90410a5e4d1.tmp
1
%TEMP%\is-T68TS.tmp\4a55c9ceaa100182f6fc1ce9c8ec3c0f9eb58b7841c46c7d1d66fa5eaa4f410e.tmp
1
%TEMP%\is-8V9B2.tmp\_isetup\_setup64.tmp
1
%TEMP%\is-8V9B2.tmp\_isetup\_shfoldr.dll
1
%TEMP%\is-8V9B2.tmp\trithiweate.dll
1
%TEMP%\is-P9KOG.tmp\_isetup\_setup64.tmp
1
%TEMP%\is-P9KOG.tmp\_isetup\_shfoldr.dll
1
%TEMP%\is-FPHCP.tmp\_isetup\_setup64.tmp
1
%TEMP%\is-P9KOG.tmp\trithiweate.dll
1
%TEMP%\is-FPHCP.tmp\_isetup\_shfoldr.dll
1
%TEMP%\is-FPHCP.tmp\trithiweate.dll
1
%TEMP%\is-3SHVR.tmp\_isetup\_setup64.tmp
1
%TEMP%\is-3SHVR.tmp\_isetup\_shfoldr.dll
1
See JSON for more IOCs
File Hashes
See JSON for more IOCs
Coverage
Screenshots of Detection: AMP, ThreatGrid
Exprev

Cisco AMP for Endpoints protects users from a variety of malware functions with exploit prevention. Exploit prevention helps users defend endpoints from memory attacks commonly used by obfuscated malware and exploits. These exploits use certain features to bypass typical anti-virus software, but were blocked by AMP thanks to its advanced scanning capabilities, even protecting against zero-day vulnerabilities.

Madshi injection detected (3267)
Madshi is a code injection framework that uses process injection to start a new thread if other methods to start a thread within a process fail. This framework is used by a number of security solutions, so a hit should be checked against the injecting process before it is treated as malicious. It is also possible for malware to use this technique.

Kovter injection detected (2041)
A process was injected into, most likely by an existing Kovter infection. Kovter is a click-fraud trojan that can also act as an information stealer. Kovter is also file-less malware, meaning the malicious DLL is stored inside the Windows registry and injected directly into memory using PowerShell. It can detect and report the usage of monitoring software such as Wireshark and sandboxes to its C2. It spreads through malicious advertising and spam campaigns.

Process hollowing detected (1016)
Process hollowing is a technique used by some programs to avoid static analysis. In typical usage, a process is started and its obfuscated or encrypted contents are unpacked into memory. The parent then launches a child process in a suspended state, replaces the child's original image in memory with the unpacked payload, and resumes it, so the payload runs under the name and path of a legitimate executable.

Excessively long PowerShell command detected (676)
A PowerShell command with a very long command-line argument that may indicate an obfuscated script has been detected. PowerShell is an extensible Windows scripting language present by default on all supported versions of Windows. Malware authors use PowerShell in an attempt to evade security software or other monitoring that is not tuned to detect PowerShell-based threats.

Dealply adware detected (284)
DealPly is adware that claims to improve your online shopping experience. It is often bundled into other legitimate installers and is difficult to uninstall. It creates pop-up advertisements and injects advertisements on webpages. Adware has also been known to download and install malware.

Gamarue malware detected (197)
Gamarue is a family of malware that can download files and steal information from an infected system. Worm variants of the Gamarue family may spread by infecting USB drives or portable hard disks that have been plugged into a compromised system.

PowerShell file-less infection detected (53)
A PowerShell command was stored in an environment variable and run. The environment variable is commonly set by a previously run script and is used as a means of evasion, since the command line of the PowerShell process itself then shows only a reference to the variable. This behavior is a known tactic of the Kovter and Poweliks malware families.

Atom Bombing code injection technique detected (45)
A process created a suspicious atom, which is indicative of a known process injection technique called Atom Bombing. Atoms are Windows identifiers that associate a string with a 16-bit integer. These atoms are accessible across processes when placed in the global atom table. Malware exploits this by storing shellcode as a global atom, then queuing an Asynchronous Procedure Call (APC) in the target process that retrieves the atom's contents into the target's own memory; a further APC then executes the shellcode there. The malware family Dridex is known to use Atom Bombing, but other threats may leverage it as well.

Fusion adware detected (35)
Fusion (or FusionPlayer) is an adware family that displays unwanted advertising in the form of popups or by injecting into browsers and altering advertisements on webpages. Adware is known to sometimes download and install malware.

Installcore adware detected (32)
InstallCore is an installer which bundles legitimate applications with offers for additional third-party applications that may be unwanted. The unwanted applications are often adware that display advertising in the form of popups or by injecting into browsers and adding or altering advertisements on webpages. Adware is known to sometimes download and install malware.
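The two PowerShell detections above (an excessively long command line, and a script staged in an environment variable) can be approximated outside AMP from process-creation telemetry. As an added example (not Cisco's detection logic), this Python script decodes `-EncodedCommand` arguments and flags long command lines, hidden windows, and a decoded script that reads an environment variable and hands it to `Invoke-Expression`. The events are constructed, the variable name `ipqk` is invented, and the 1000-character threshold is a starting point rather than a tuned value.

```python
import base64
import binascii
import re

ENCODED_COMMAND = re.compile(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})")
INVOKE_EXPRESSION = re.compile(r"(?i)(?<![\w-])(?:iex|invoke-expression)(?![\w-])")
ENV_VARIABLE_REF = re.compile(r"(?i)\$env:[a-z_][a-z0-9_]*|\[environment\]::getenvironmentvariable")
HIDDEN_WINDOW = re.compile(r"(?i)-w(?:indowstyle)?\s+hidden")
LONG_COMMAND_LINE = 1000  # characters; tune to the environment, admin tooling can run long too


def decode_encoded_command(cmdline):
    """Decode a -EncodedCommand argument (Base64 of UTF-16LE); None if absent or not decodable."""
    m = ENCODED_COMMAND.search(cmdline)
    if m is None:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def analyze_powershell_event(event):
    """Return {'reasons': [...], 'decoded': str|None} for a process-creation event dict with 'cmdline'."""
    cmd = event["cmdline"]
    reasons = []
    if len(cmd) > LONG_COMMAND_LINE:
        reasons.append("excessively long command line")
    decoded = decode_encoded_command(cmd)
    if decoded is not None:
        reasons.append("encoded command")
    # Look for the staged-script pattern in the decoded script when there is one, else in the raw line.
    script = decoded if decoded is not None else cmd
    if ENV_VARIABLE_REF.search(script) and INVOKE_EXPRESSION.search(script):
        reasons.append("script staged in environment variable")
    if HIDDEN_WINDOW.search(cmd):
        reasons.append("hidden window")
    return {"reasons": reasons, "decoded": decoded}


def encode_for_powershell(script):
    """Produce the -EncodedCommand form of a script; used only to build the sample events below."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed process-creation events: a benign one, one mirroring the Kovter/Poweliks staging
# described above (variable name invented), and a long one standing in for an obfuscated script.
SAMPLE_EVENTS = [
    {"image": "powershell.exe", "cmdline": "powershell.exe -NoProfile -Command Get-Service"},
    {"image": "powershell.exe", "cmdline": "powershell.exe -nop -w hidden -ep bypass -enc "
                                           + encode_for_powershell("iex $env:ipqk")},
    {"image": "powershell.exe", "cmdline": "powershell.exe -w hidden -c \"" + "A" * 1100 + "\""},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        result = analyze_powershell_event(ev)
        print(result["reasons"] or ["no findings"], (result["decoded"] or "")[:60])
```

The environment-variable rule only sees what is on the command line or inside the encoded blob; when the staged script itself lives in the variable, the command line is short and looks harmless, which is exactly why the detection keys on the `$env:` plus `Invoke-Expression` pairing rather than on length. Correlating the hit with a preceding process that set the variable (the page attributes that step to a previously run script) is the confirmation step.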