Friday, July 19, 2019

Threat Roundup for July 12 to July 19

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between July 12 and July 19. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.


For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. As always, please remember that all IOCs contained in this document are indicators, and one single IOC does not indicated maliciousness.
The most prevalent threats highlighted in this roundup are:

Threat Name Type Description
Win.Trojan.XtremeRAT-7059357-1 Trojan XtremeRAT is a remote access trojan active since 2010 that allows the attacker eavesdrop on users and modify the running system. The source code for XtremeRAT, written in Delphi, was leaked online and has since been used by similar RATs.
Win.Trojan.Kuluoz-7059308-0 Trojan Kuluoz, sometimes known as "Asprox," is a modular remote access trojan that is also known to download and execute follow-on malware, such as fake antivirus software. Kuluoz is often delivered via spam emails pretending to be shipment delivery notifications or flight booking confirmations.
Win.Malware.Ursnif-7059281-1 Malware Ursnif is used to steal sensitive information from an infected host and can also act as a malware downloader. It is commonly spread through malicious emails or exploit kits.
Win.Dropper.Qakbot-7058187-0 Dropper Qakbot, aka Qbot, has been around for since at least 2008. Qbot primarily targets sensitive information like banking credentials but can also steal FTP credentials and spread across a network using SMB.
Win.Ransomware.Cerber-7057873-0 Ransomware Cerber is ransomware that encrypts documents, photos, databases and other important files. Historically, this malware would replace files with encrypted versions and add the file extension ".cerber," although in more recent campaigns this is no longer the case.
Win.Malware.Nymaim-7057729-0 Malware Nymaim is malware that can be used to deliver ransomware and other malicious payloads. It uses a domain generation algorithm to generate potential command and control (C2) domains to connect to additional payloads.
Win.Trojan.Gh0stRAT-7059563-0 Trojan Gh0stRAT is a well-known family of remote access trojans designed to provide an attacker with complete control over an infected system. Capabilities include monitoring keystrokes, collecting video footage from the webcam, and uploading/executing follow-on malware. The source code for Gh0stRAT has been publicly available on the internet for years, significantly lowering the barrier for actors to modify and reuse the code in new attacks.
Win.Malware.Ramnit-7057249-1 Malware Ramnit is a banking trojan that monitors web browser activity on an infected machine and collects login information from financial websites. It also has the ability to steal browser cookies and attempts to hide from popular antivirus software.
Win.Trojan.Tofsee-7055545-0 Trojan Tofsee is multipurpose malware that features a number of modules used to carry out various activities, such as sending spam messages, conducting click fraud, mining cryptocurrency, and more. Infected systems become part of the Tofsee spam botnet and are used to send large volumes of spam messages in an effort to infect additional systems and increase the overall size of the botnet under the operator’s control.

Threat Breakdown

Win.Trojan.XtremeRAT-7059357-1

Indicators of Compromise

Registry Keys Occurrences
<HKLM>\Software\Wow6432Node\Microsoft\DownloadManager 24
<HKCU>\SOFTWARE\<random, matching '[a-zA-Z0-9]{5,9}'> 24
<HKCU>\SOFTWARE\<random, matching '[a-zA-Z0-9]{5,9}'>
Value Name: ServerStarted
18
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: HKLM
13
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: HKCU
13
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: JavaMIX
11
<HKLM>\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{4N0N6X03-FM54-BKFY-G3EI-66VH61YVX11M} 7
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{4N0N6X03-FM54-BKFY-G3EI-66VH61YVX11M}
Value Name: StubPath
7
<HKCU>\SOFTWARE\JM2POJ
Value Name: InstalledServer
7
<HKCU>\SOFTWARE\JM2POJ
Value Name: ServerStarted
7
<HKCU>\SOFTWARE\LZT6VGCN
Value Name: InstalledServer
4
<HKLM>\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{751C040L-SHHK-78QW-GC0V-VI60R44D4SB8} 3
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{751C040L-SHHK-78QW-GC0V-VI60R44D4SB8}
Value Name: StubPath
3
<HKCU>\SOFTWARE\J5AVE
Value Name: InstalledServer
3
<HKCU>\SOFTWARE\J5AVE
Value Name: ServerStarted
3
<HKCU>\SOFTWARE\FKVRGHZ
Value Name: InstalledServer
3
<HKLM>\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{H3JO8F05-3V0W-JBMA-H0A7-SSL627KW467I} 2
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{H3JO8F05-3V0W-JBMA-H0A7-SSL627KW467I}
Value Name: StubPath
2
<HKCU>\SOFTWARE\AL7IUSZ
Value Name: InstalledServer
2
<HKCU>\SOFTWARE\AL7IUSZ
Value Name: ServerStarted
2
<HKLM>\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{2836V5JB-NJ6K-F70O-C5I0-TMW4O6S25IYG} 1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{2836V5JB-NJ6K-F70O-C5I0-TMW4O6S25IYG}
Value Name: StubPath
1
<HKCU>\SOFTWARE\RLSYBQAHT
Value Name: InstalledServer
1
<HKCU>\SOFTWARE\FAD2BSB
Value Name: InstalledServer
1
<HKCU>\SOFTWARE\8ER4NZ
Value Name: InstalledServer
1
Mutexes Occurrences
XTREMEUPDATE 24
j5AVEEXIT 17
j5AVEPERSIST 13
aL7iUSZ 7
\BaseNamedObjects\Jm2pojEXIT 6
\BaseNamedObjects\Jm2pojPERSIST 6
\BaseNamedObjects\Jm2poj 6
lZT6VgcN 4
lZT6VgcNPERSIST 4
j5AVE 3
fkVRGhZ 3
Local\TASKMGR.879e4d63-6c0e-4544-97f2-1244bd3f6de0 1
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
192[.]169[.]69[.]25 8
186[.]81[.]119[.]42 4
181[.]52[.]107[.]192 4
177[.]252[.]225[.]152 2
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
jb2168948[.]ddns[.]net 4
dnsduck6[.]duckdns[.]org 4
nincasu[.]myvnc[.]com 3
lospatios3[.]duckdns[.]org 3
lospatios1[.]duckdns[.]org 3
lospapa1[.]duckdns[.]org 2
dnsduck4[.]duckdns[.]org 1
duckdns4[.]duckdns[.]org 1
Files and or directories created Occurrences
%APPDATA%\Microsoft\Windows\<random, matching '[a-zA-Z0-9]{5,9}'>.dat 13
\testt 11
%APPDATA%\Microsoft\Windows\<random, matching '[a-zA-Z0-9]{5,9}'>.cfg 11
%APPDATA%\Microsoft\Windows\Jm2poj.cfg 7
%APPDATA%\Microsoft\Windows\Jm2poj.dat 7
%SystemRoot%\SysWOW64\svshr 7
%SystemRoot%\SysWOW64\svshr\svshr.exe 7
%System32%\svshr\svshr.exe 6
\testt\testlr.exe 6
\testt\avas.exe 5
%TEMP%\<random, matching '[a-f0-9]{3,5}'>_appcompat.txt 5
%TEMP%\<random, matching '[A-F0-9]{4,5}'>.dmp 5
%SystemRoot%\SysWOW64\System32 4
%APPDATA%\Microsoft\Windows\lZT6VgcN.cfg 4
%APPDATA%\Microsoft\Windows\lZT6VgcN.dat 4
%TEMP%\x.html 3
%SystemRoot%\SysWOW64\System32\cal.exe 3
%APPDATA%\Microsoft\Windows\Jm2poj.xtr 3
%APPDATA%\svshr\svshr.exe 3
%APPDATA%\System32 2
%SystemRoot%\SysWOW64\ava.exe 2
%System32%\ava.exe 2
%APPDATA%\Microsoft\Windows\aL7iUSZ.cfg 2
%APPDATA%\System32\ava.exe 2
%System32%\System32\cal.exe 2
*See JSON for more IOCs

File Hashes

01cb719e13c2a22504c6dcef5942622f5f5f762687c73dca4adbb9a4c1a6c7af 01f8782ca1f6ff83166b153b7b43bd76334188c1757388a617c5a1b981a1f405 0df323ba31479afc0a6c6094dbeaa7dffc387ffd4c2a58afc5b99dce46c87990 1405c4b2d89b832349beda35d1b654edacb69e0116d70c1fee1688d12d4f8712 1476e26cce5f9af1161cf67fa447254c93021b5ceffdc6b380d43bcf7d77283d 14ff797173560348f4a2b2eaefb414a6bd3996b7c13a6f1322b06e27b803455d 1ca56c4f1c6fef5c0fb76819d9c25f2a13237329f597b7c9eca3e79626de7821 2177ee809fc7903db595959a4aea861a9aaa69395433de035892b0fe2c918088 23eb6e59d6c0538479c9fd562ac8fb773a29328baeb0bf7663701ddfd2cafa1b 25dfafdfb9e85f8595aad8816cefb403973389f75100e3108c586fa246e19305 28d8a0be382ebf9c543dc2e79d54443560867ff24872082b6b656e0520d0df3b 2b9f3b9a808dfa25f319d16d6281e8a5cbfc3db62a90bf9fd4af73ac199fd37a 37b1659a06eb2eb82fd9464d8fa2ec9a903521d293e0347457d8c0a31805f4ba 396482c8d42a719a7a3d56b7bac00c1f0b03b2df89d96d32fee737b7201f024e 41c74ebe37151d30b223a1f72f4dcae08f2378fbc54a4627c63e0087fad84d81 4276934f373be8e263bd63c3a245c77b21dc4fa1cb7eafdd0c53735774e0ffbd 43db2d9365904164107934c1ff49dc79c5fc900351daade6ad1b4730d443d400 47d21907eee2448e640d8916e0a8fc84ea548cd8da23f245d982fb6ba24d648e 4938b9546d92a960fe3a38f37e0496ecfbcf90b8e990a13f4bcdabb5a6761142 4d161989eeb3358db945926b153ed947cf1c143671f59ef8c1260021e372d334 501eda812f73f5810441ec74fa137b848e55218843cdeb85b5f47de7318da68c 57119382746d854de9ab5e16d4d8336d3d4a238514a2399f7b0b661206749e0a 5b79b7fa2685e7652bda432c5fa64fbc324232d5895658773c2eb1138a264053 5de33244c01cba4c53875ea7f556db32b731e1737710d93ca2313785a8ca9677 5eca98ddb51faf9b47302dfd90a12c543d9d0639e4a85ed23c8c3be85a595696
*See JSON for more IOCs

Coverage

Product Protection
Amp This has coverage
Cloudlock N/A
Cws This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella This has coverage
Wsa This has coverage

Screenshots of Detection

AMP


ThreatGrid

Umbrella




Win.Trojan.Kuluoz-7059308-0

Indicators of Compromise

Registry Keys Occurrences
<HKCU>\SOFTWARE\<random, matching '[a-zA-Z0-9]{5,9}'> 26
<HKCU>\SOFTWARE\TEXIUSFT
Value Name: whvqowqq
1
<HKCU>\SOFTWARE\ELABEBHH
Value Name: gqfipook
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: fpfojnmk
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: xnnbsqss
1
<HKCU>\SOFTWARE\SDJMVCKJ
Value Name: wpjqvldr
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: fnhnolux
1
<HKCU>\SOFTWARE\LXPNLEFK
Value Name: sxlvsesc
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: fghmdeex
1
<HKCU>\SOFTWARE\PBKBURIS
Value Name: rledgmma
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: isgrqtpv
1
<HKCU>\SOFTWARE\OHUNVJNH
Value Name: ruqdejab
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: hriifcac
1
<HKCU>\SOFTWARE\GKXFQLLC
Value Name: fpxjxdkq
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: qupomrkx
1
<HKCU>\SOFTWARE\BCRFGBHG
Value Name: paggnklk
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: afashimn
1
<HKCU>\SOFTWARE\GROUTDUB
Value Name: hrpcdhfq
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: tekspeld
1
<HKCU>\SOFTWARE\DTRDNQPK
Value Name: pusibcmw
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: pllfthmw
1
<HKCU>\SOFTWARE\PXPOFICA
Value Name: rjjggxvg
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: xnvjgxii
1
<HKCU>\SOFTWARE\CMJGOKSF
Value Name: jiseecqp
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: frxcpjwg
1
Mutexes Occurrences
aaAdministrator 26
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
222[.]124[.]166[.]12 20
64[.]76[.]19[.]249 20
194[.]85[.]183[.]2 19
78[.]24[.]223[.]130 19
186[.]115[.]122[.]67 17
93[.]186[.]181[.]62 16
217[.]106[.]238[.]145 16
217[.]115[.]50[.]228 11
Files and or directories created Occurrences
%LOCALAPPDATA%\xutnbrko.exe 1
%LOCALAPPDATA%\xwpbgtmu.exe 1
%LOCALAPPDATA%\igrjkxhb.exe 1
%LOCALAPPDATA%\mnhtpeqi.exe 1
%LOCALAPPDATA%\xagcutko.exe 1
%LOCALAPPDATA%\roqgpith.exe 1
%LOCALAPPDATA%\lfeirrtc.exe 1
%LOCALAPPDATA%\cirbcngq.exe 1
%LOCALAPPDATA%\udiiopqj.exe 1
%LOCALAPPDATA%\ttdmkjtg.exe 1
%LOCALAPPDATA%\ukfgborv.exe 1
%LOCALAPPDATA%\bdjctnfg.exe 1
%LOCALAPPDATA%\imeovntu.exe 1
%LOCALAPPDATA%\upotkcoj.exe 1
%LOCALAPPDATA%\qrdbteqp.exe 1
%LOCALAPPDATA%\fcklmars.exe 1
%LOCALAPPDATA%\rkhnrwhb.exe 1
%LOCALAPPDATA%\gfjaqioa.exe 1
%LOCALAPPDATA%\vlflabdh.exe 1
%LOCALAPPDATA%\aevxokcr.exe 1
%LOCALAPPDATA%\osoepccl.exe 1
%LOCALAPPDATA%\jtxuriff.exe 1
%LOCALAPPDATA%\hswndivc.exe 1
%LOCALAPPDATA%\aolfvkov.exe 1
%LOCALAPPDATA%\xqwpexol.exe 1
*See JSON for more IOCs

File Hashes

005e242acc91ca84a157d421cf04b1e70cf0acbca338186eeebd9d6a307b465d 01611ca8d63e83d78e906b13d4c6ceaeef870f349b79250ef2e368b89b66810f 03247ca7d7581455ee2c774d1f952bfec71850bebe89400d069a7c23c223bd97 03798902309d569891b82c98c1cfbb1bf2188bc8cef81d04d06611b7534bbffe 053aa8081aa87fb4f2c089947e166e4adc8d25d4f83d7e73ad996487e72744ee 0613bdf614ae48b7938ef97264d7fa0cfb8c767cf338f678ca9c6946caf6ea7a 09a90ed0daf0f1b7281ed7ca49ae255e7f3ef190bdaa9df9608374b8521a64bf 09ae7c7da59c93796eee6e15a176fe3495018e33d9a6f98765fd90e06a694cd9 09ce86ce64e7397dc91621b4a109847a3b657ceb24ad2d2653ad0cf84faad95c 09cf7b2388964d4c345111c5f0b65ba99718a2da28af1f78643b5a4f9492297b 0a2e4fe397906f1e96cdb3cc4fb68d8d5059d8f1b16b83d264f472c25ade584b 0abe61b2c3095978f473432fab94740838d0b96c844ae128119b5ac4d6973e98 0b076f0b98e4908caddf3a4f8a4521aa4fc33b16a553c5d0ef6834219e67b21d 0b23a3b32433c7bf0bda37e6265db503fad957a1a9468b806c27dcfb934658c3 0b8f52f9d6e2b8913e94a488a82eb5b1f14db9cd245829881b1fab181b4938d4 0c682e42e070545c14375c540a3fe3a5b192fd77ad5e8e0d2fe4db1c90fe11bc 0d1963667948b4e9e3452e120fd3fccd7cd0c19e1904c362f2503907482e90c7 0d1aa3486bd89c7557d4cf8176f4b5ae371b115a4e8d1a58089be3f4adf5cde9 0d53ba89dce68e1b1c349fc56ad0627990220f4d03a9b78b49ef3aae4cd50182 0dc8265b6586541f00202f0489978b1832a556ae70d0eefd96aafcf52e7b9202 0eae35bca5e7924673dce18e3ba3f4d14ad49c728da58e57490074792cd9f13d 1025549d6d9dff19754ac1df45d1861927f6f942955482fa77c9ed46dde423d3 105837bf20a966cf8b4867de08012ec47dae449b22d64c393ec7117e5f6a6ef6 113a7abff0936a136eb03245d7e7ce75e0a6630ac3ceca87528938c4c2ba6493 13289307bf5fe48823b28b06f5bfee5adfa0f8699cce4e4a3176245d5c7b6e20
*See JSON for more IOCs

Coverage

Product Protection
Amp This has coverage
Cloudlock N/A
Cws This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
Wsa N/A

Screenshots of Detection

AMP


ThreatGrid




Win.Malware.Ursnif-7059281-1

Indicators of Compromise

Registry Keys Occurrences
<HKCU>\Software\AppDataLow\Software\Microsoft\D31CC7AF-167C-7D04-B8B7-AA016CDB7EC5 17
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: appmmgmt
17
<HKCU>\SOFTWARE\APPDATALOW\SOFTWARE\MICROSOFT\D31CC7AF-167C-7D04-B8B7-AA016CDB7EC5
Value Name: Install
17
<HKCU>\SOFTWARE\APPDATALOW\SOFTWARE\MICROSOFT\D31CC7AF-167C-7D04-B8B7-AA016CDB7EC5
Value Name: Client
17
<HKCU>\SOFTWARE\APPDATALOW\SOFTWARE\MICROSOFT\D31CC7AF-167C-7D04-B8B7-AA016CDB7EC5
Value Name: {F50EA47E-D053-EF14-82F9-0493D63D7877}
17
<HKCU>\SOFTWARE\APPDATALOW\SOFTWARE\MICROSOFT\D31CC7AF-167C-7D04-B8B7-AA016CDB7EC5
Value Name: {6A4DAFE8-C11D-2C5C-9B3E-8520FF528954}
17
<HKCU>\SOFTWARE\APPDATALOW\SOFTWARE\MICROSOFT\D31CC7AF-167C-7D04-B8B7-AA016CDB7EC5
Value Name: Temp
5
Mutexes Occurrences
{A7AAF118-DA27-71D5-1CCB-AE35102FC239} 17
Local\{57025AD2-CABB-A1F8-8C7B-9E6580DFB269} 17
Local\{7FD07DA6-D223-0971-D423-264D4807BAD1} 17
Local\{B1443895-5CF6-0B1E-EE75-506F02798413} 17
{BBAE0F6F-DE54-A5B6-C01F-F2A9F4C346ED} 17
\BaseNamedObjects\Local\{FCAA51DD-2B0A-8E99-95F0-8FA2992433F6} 13
\BaseNamedObjects\Local\{6AE7CB31-C1EF-2C06-9B3E-8520FF528954} 13
\BaseNamedObjects\Local\{72534A3F-299C-7437-43C6-6DE8275AF19C} 13
\BaseNamedObjects\Local\{1163A908-3CC1-6BAB-CED5-30CFE2D96473} 3
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
173[.]237[.]190[.]72 3
184[.]105[.]192[.]2 1
87[.]106[.]18[.]141 1
169[.]154[.]128[.]124 1
104[.]20[.]0[.]85 1
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
www[.]iclnet[.]org 3
DEOPLIAZAE[.]AT 3
permittitthesaurus[.]at 2
iclnet[.]org 2
nssdc[.]gsfc[.]nasa[.]gov 1
nssdc[.]sci[.]gsfc[.]nasa[.]gov 1
diuolirt[.]at 1
www[.]ietf[.]org 1
quiomnemauribus[.]at 1
gonna[.]su 1
LIOKGAMEMU[.]AT 1
adesirablebcptheyimpphys[.]pw 1
manystarreleasesys[.]pw 1
greatwiththrtpio[.]pw 1
COINAGESTWW[.]COM 1
unaegvegratiasqui[.]com 1
FONICARRO[.]COM 1
fabelussss[.]com 1
MABLOSSSSCC[.]COM 1
venukex[.]com 1
goglosmmosss[.]com 1
filmemario[.]at 1
Files and or directories created Occurrences
%APPDATA%\Mozilla\Firefox\Profiles\1lcuq8ab.default\prefs.js 17
\{4BC230AC-2EB3-B560-90AF-42B9C45396FD} 17
%APPDATA%\ds32mapi 17
%APPDATA%\ds32mapi\dhcpxva2.exe 17
%TEMP%\<random, matching [A-F0-9]{3,4}> 17
%TEMP%\<random, matching [A-F0-9]{3,4}\[A-F0-9]{2,4}>.bat 17
%APPDATA%\Mozilla\Firefox\Profiles\iv5rtgu3.default\prefs.js 16
\{CE10F1BD-D5E1-3049-CFE2-D96473361DD8} 13
%APPDATA%\kbdidtat\iassdusx.exe 13
%TEMP%\2A54.bin 1
%TEMP%\5766.bin 1
%TEMP%\E707.bin 1
%TEMP%\7E47.bin 1
%TEMP%\AFA3.bin 1
%TEMP%\2889.bin 1
%TEMP%\10D.bin 1
%TEMP%\447.bin 1
%TEMP%\E488.bin 1
%TEMP%\48D5.bin 1
%TEMP%\6A8.bin 1
%TEMP%\9D2C.bin 1
%TEMP%\BEA0.bin 1
%TEMP%\B2CE.bin 1
%TEMP%\C92B.bin 1
%TEMP%\E5EE.bin 1
*See JSON for more IOCs

File Hashes

0c0937062f20850fe9ce77fdf2a741627659a1a709b6f5cc522fac7a6ef1a1f8 3664410a8cb8f6aa69ac6018a298deb1340a85e01119c4b640b08feb9e9c18dd 5c98056d6d30501c1a751bfb9e9d254623a09c8a1e2bede6a8e11184ab9dfcae 61a41ec04624825e56192a6f3705a75fa3fe3236be7f86c3d78fc1e4937c0925 6e868a45a0f7878e42dcca96ef8de0cd08991bc1221b4a9a1b8b8f66eca6bd84 708ce4f663609d649b14d65addbea85f0646dbeb80ea543930586a7cd6aa8f51 73706c56cb7b1bb4da1a7f9c18c15ea0f1998a333639eaefffe72bfcce840479 82853aa1ff5511a00d25fe56bd6afdeb8e16e68ec674404666499f27396a0b78 865953e9cd42596232373e0f45517a69084ef6b8c00ce747decf1adc86528fd2 9616b03274ee7054894d387afb4a5f7289d9a391d68427c57f08e58ba0351600 9f5938333856986e8562cc3d236c8d9302ad0b4b8747676828e4300f106b1ff5 a1e1b4fa1d76ccbda494840fdf8fbbda3377c1d235248967efed0f55ed02c37e c1ecb3baf2ed60d888c6971c1e8f371018de3ee1b295a39d0b362f54b609600d c4e117c98948a41542e9e4018aba833be08cc0d0cf25de2a7989f6ae5fa434e6 cd029d22e9303a9243838c48a8a11cfe7ac4a17f20099e3a137e9e08e7acca50 cda5d0e4d04eeceb31a29357a92458ddb810383c38d7e6428360d0c1f87880e7 d0605005e6f4d4f042a196339f96f0258a4a9fa84607de20284c0fae6ebd6c84 d470d90b4c34369f1afe77881811256a536ddbb597135937c571158d070f98bf

Coverage

Product Protection
Amp This has coverage
Cloudlock N/A
Cws This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella This has coverage
Wsa This has coverage

Screenshots of Detection

AMP


ThreatGrid


Umbrella




Win.Dropper.Qakbot-7058187-0

Indicators of Compromise

Registry Keys Occurrences
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\avkaxoq 14
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\AVKAXOQ
Value Name: Type
14
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\AVKAXOQ
Value Name: Start
14
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\AVKAXOQ
Value Name: ErrorControl
14
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\AVKAXOQ
Value Name: ImagePath
14
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\AVKAXOQ
Value Name: DisplayName
14
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\AVKAXOQ
Value Name: DependOnService
14
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\AVKAXOQ
Value Name: DependOnGroup
14
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\AVKAXOQ
Value Name: WOW64
14
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\AVKAXOQ
Value Name: ObjectName
14
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\aqejpwsx 11
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\AQEJPWSX
Value Name: Type
11
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\AQEJPWSX
Value Name: Start
11
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\AQEJPWSX
Value Name: ErrorControl
11
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\AQEJPWSX
Value Name: ImagePath
11
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\AQEJPWSX
Value Name: DisplayName
11
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\AQEJPWSX
Value Name: DependOnService
11
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\AQEJPWSX
Value Name: DependOnGroup
11
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\AQEJPWSX
Value Name: WOW64
11
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\AQEJPWSX
Value Name: ObjectName
11
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: ftuwqkx
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: aivx
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: ohva
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: gqfcu
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: qzdknor
1
Mutexes Occurrences
llzeou 25
\BaseNamedObjects\392624144a 24
\BaseNamedObjects\rmnzqea 18
Global\amztgg 14
amztgga 14
Global\eqfik 11
eqfika 11
\BaseNamedObjects\ejovtena 2
\BaseNamedObjects\Global\ejovten 2
\BaseNamedObjects\hlaikmsv 2
\BaseNamedObjects\Global\zclxfv 1
\BaseNamedObjects\puprjd 1
\BaseNamedObjects\iyokaaloa 1
\BaseNamedObjects\owianu 1
\BaseNamedObjects\laipbwa 1
\BaseNamedObjects\Global\laipbw 1
\BaseNamedObjects\sqsaga 1
\BaseNamedObjects\aahrpa 1
\BaseNamedObjects\Global\fzalyczn 1
\BaseNamedObjects\Global\qyexvgu 1
\BaseNamedObjects\Global\vgvol 1
\BaseNamedObjects\Global\ijajr 1
\BaseNamedObjects\Global\wyxnbogx 1
2bf8953778e954ffb2ddba094aa9d65a 1
1267f8266d350bb9097fcae862c40a0a 1
*See JSON for more IOCs
Files and or directories created Occurrences
%APPDATA%\Microsoft\Amztggm 14
%APPDATA%\Microsoft\Amztggm\amztg.dll 14
%APPDATA%\Microsoft\Amztggm\amztgg.exe 14
%TEMP%\~amztgg.tmp 14
%APPDATA%\Microsoft\Eqfikq 11
%APPDATA%\Microsoft\Eqfikq\eqfi.dll 11
%APPDATA%\Microsoft\Eqfikq\eqfik.exe 11
%TEMP%\~eqfik.tmp 11
%APPDATA%\Microsoft\Ejovtenj\ejovte.dll 2
%APPDATA%\Microsoft\Ejovtenj\ejovten.exe 2
%APPDATA%\Microsoft\Fzalycznz\fzalycz.dll 1
%APPDATA%\Microsoft\Fzalycznz\fzalyczn.exe 1
%APPDATA%\Microsoft\Qyexvguy\qyexvg.dll 1
%APPDATA%\Microsoft\Qyexvguy\qyexvgu.exe 1
%APPDATA%\Microsoft\Vgvolg\vgvo.dll 1
%APPDATA%\Microsoft\Vgvolg\vgvol.exe 1
%APPDATA%\Microsoft\Ijajrj\ijaj.dll 1
%APPDATA%\Microsoft\Ijajrj\ijajr.exe 1
%APPDATA%\Microsoft\Wyxnbogxy\wyxnbog.dll 1
%APPDATA%\Microsoft\Wyxnbogxy\wyxnbogx.exe 1
%APPDATA%\Microsoft\Isxyas\isxy.dll 1
%APPDATA%\Microsoft\Isxyas\isxya.exe 1
%APPDATA%\Microsoft\Ustbpests\ustbpes.dll 1
%APPDATA%\Microsoft\Ustbpests\ustbpest.exe 1
%APPDATA%\Microsoft\Xtdxbtyt\xtdxbt.dll 1
*See JSON for more IOCs

File Hashes

1267f8266d350bb9097fcae862c40a005a833468862b5471dffe099bb63d3d96 16d4fc9a786ec638dbea15793f1be322cb937c8c0243639c9b87181a8757e26a 2bf8953778e954ffb2ddba094aa9d65f657553953efa87181b786435a2a434c3 2c2d604d16319e7c43187b4c7f03a81a727230f7b3a59d15ab1473bd93f655c2 2c2e535cce4a7206867429548cc3849c32a672a04a969061e2b6647932f38f57 2ea9ec19e8fe9129135794a56eda8aa956ed63e8fdca90fd9e8e9da48d6335a8 318561b92649691da174ff88b4b9c6bb3e0e73fa92c1f34afa3eb8e78c8fbb54 339c33d1fb67c97caee8266b91c4f73bb2758099bbaaa980bc5ce4023f0036a8 355dddb7ece2d03044807c815b2eb6fd53273da4361b21858214c126e677912d 36779fcd942343a9c80d048a441cf1388825067eb917e853233d5f49f6face96 3f039add5eb363f9997b8feafc77302bef74e46891d005986124828c5d4c7a85 3fa149b9c02a8c4e2ab32969e9bffa20ec1407d2e249cdc876cd38419d6d59e1 45a06d73c4c2632eb69741e3a56e272851e3a33eee0b97afdc72487895acc8d9 4be25e716dd86a4df5678df1e807cadfd761542528c1c45d642635b8dca7ea86 4f57ad0f6f879ffb6e98b384615b19904d91c800c83d5fb04084f02337c447db 4f63cf6a6c97274c05bef0e2cfded13f7d28395161048cfb101c3301a6f07489 50ec1176fcfdcb1128a080f52712758deff0d708cfd59b7949324e452226e13a 543b2e27f3ec4f24a37c7991fa74adb31e24016cbfc88c9eb73e0464afa14f75 5471981908946cb6c8ecefc21ce3e84529a9bc9f9f5a6ef78de3be73a103ac3c 55ce23a507a66478a75437b62305f201fe752135afbe3d64a1199a2fca5068ae 5650cd078a14847039122a09558452e17bfbd95458e4ef3b1ae648358970b3de 56860a42b04113bad85c3e930cafe739358cd8ca6cdb6c4adff483e18e90f889 57f5bfcb14fa34cefe24ded4d6837256f276ae48c8f3624c1e4f81c1ebd36cd1 5830272b276500aea2d3947e1663fcab899e44c256e14f1eb3714e55ed743d28 5a9c8a282e0beb577a437d347f912c72f62731503f2afd4fe44f1d31e24ca0cc
*See JSON for more IOCs

Coverage

Product Protection
Amp This has coverage
Cloudlock N/A
Cws This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
Wsa N/A

Screenshots of Detection

AMP


ThreatGrid




Win.Ransomware.Cerber-7057873-0

Indicators of Compromise

Registry Keys Occurrences
<HKLM>\System\CurrentControlSet\Services\NapAgent\Shas 13
<HKLM>\System\CurrentControlSet\Services\NapAgent\Qecs 13
<HKLM>\System\CurrentControlSet\Services\NapAgent\LocalConfig 13
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\NAPAGENT\LOCALCONFIG\Enroll\HcsGroups 13
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\NAPAGENT\LOCALCONFIG\UI 13
<HKCU>\CONTROL PANEL\DESKTOP
Value Name: Wallpaper
13
<HKLM>\System\CurrentControlSet\Control\Session Manager 10
<HKLM>\SYSTEM\CONTROLSET001\CONTROL\SESSION MANAGER
Value Name: PendingFileRenameOperations
10
Mutexes Occurrences
shell.{381828AA-8B28-3374-1B67-35680555C5EF} 13
\BaseNamedObjects\shell.{B0DF901A-D930-98E8-1E89-BD8515DACB07} 8
wddmnotbx 5
\BaseNamedObjects\shell.{4D979936-6ECD-C1FC-8B7E-C65E6397B59E} 1
\BaseNamedObjects\shell.{E0466F25-8676-B972-E20E-2E2004CD23D5} 1
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
149[.]202[.]248[.]254 13
149[.]202[.]249[.]254 13
149[.]202[.]250[.]254 13
149[.]202[.]251[.]254 13
150[.]109[.]231[.]116 13
149[.]202[.]64[.]0 13
149[.]202[.]122[.]0 13
149[.]202[.]248[.]0 13
149[.]202[.]248[.]128 13
149[.]202[.]248[.]192 13
149[.]202[.]248[.]224 13
149[.]202[.]248[.]240 13
149[.]202[.]248[.]248 13
149[.]202[.]248[.]252 13
149[.]202[.]249[.]0 13
149[.]202[.]249[.]128 13
149[.]202[.]249[.]192 13
149[.]202[.]249[.]224 13
149[.]202[.]249[.]240 13
149[.]202[.]249[.]248 13
149[.]202[.]249[.]252 13
149[.]202[.]250[.]0 13
149[.]202[.]250[.]128 13
149[.]202[.]250[.]192 13
149[.]202[.]250[.]224 13
*See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
api[.]blockcypher[.]com 13
p27dokhpz2n7nvgr[.]1j9r76[.]top 10
bitaps[.]com 10
btc[.]blockr[.]io 10
chain[.]so 9
bc-prod-web-lb-430045627[.]us-east-1[.]elb[.]amazonaws[.]com 9
hjhqmbxyinislkkt[.]1j9r76[.]top 3
crl[.]comodoca4[.]com 3
crl[.]usertrust[.]com 3
w3z5q8a6[.]stackpathcdn[.]com 3
crl[.]comodoca[.]com 3
prod[.]globalsign[.]map[.]fastly[.]net 1
crl[.]globalsign[.]net 1
crl2[.]alphassl[.]com 1
Files and or directories created Occurrences
%TEMP%\d19ab989 13
%TEMP%\d19ab989\4710.tmp 13
%TEMP%\d19ab989\a35f.tmp 13
%TEMP%\~PI<random, matching [A-F0-9]{2,4}>.tmp 13
%TEMP%\tmp<random, matching [A-F0-9]{1,4}>.tmp 13
%TEMP%\tmp<random, matching [A-F0-9]{1,4}>.bmp 13
<dir>\_READ_THI$_FILE_<random, matching [A-F0-9]{4,8}>_.hta 13
<dir>\_READ_THI$_FILE_<random, matching [A-F0-9]{4,8}>_.txt 13
<dir>\_READ_THI$_FILE_<random, matching [A-F0-9]{4,8}>_.jpeg 13
%TEMP%\8f793a96\4751.tmp 10
%TEMP%\8f793a96\da80.tmp 10
%TEMP%\tmp1.bmp 10
<dir>\<random, matching [A-Z0-9\-]{10}.[A-F0-9]{4}> (copy) 10

File Hashes

03e1def6aacee690eef87e2258cb343de0ae510702e746c1f6b90713095b0af6 0d75b700002a835f0376b10d018756bed5000dc80c98bc5e2b0dbfcd0146f9f5 1d6d8c3cccaed80d97211a23313ae460889c421dc1de9f10b1d384fc07f14298 1effdcd38cbbcf779f1c6be09278bbd63a94c452117c36fec0bdbada20f57adf 3c86dbbc00e89e9433421ccc352462d2542e5071817af36585d6b038a4b074f2 469581018957d584f282f5fb12fafad8b8db506b3a463b2d963f29cf179fb74d 52fe670efafa52d293eece8e1e5e90dfafe6ec97b245f99d463699ea8f132d49 74ea5319f125c1c37d71fa834e926d88c6d96debac13a27c9aba0c4f90a93a2f 8cd0003bdf015c9ef502f791c36f74ae576f48067acd08df76814069ec16ed90 a1899bb2e5703e96a73f24d9aadab1cf4afce02bfeee67685d98079a545a9d06 de5b8612bc01bf22d724c72462785746a595aae168c6a87378bdacd4d8b53a4c e6478b31ad56410fd00f482bd7ad37fc1d1216aebc38e6a56ae95aa0894567b3 fbe34634b8ad36e8f793b25cfcf7bc7b41352033534fab2d7d437a1abd1b874d

Coverage

Product Protection
Amp This has coverage
Cloudlock N/A
Cws This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
Wsa N/A

Screenshots of Detection

AMP


ThreatGrid


Malware





Win.Malware.Nymaim-7057729-0

Indicators of Compromise

Registry Keys Occurrences
<HKCU>\Software\Microsoft\GOCFK 26
<HKCU>\Software\Microsoft\KPQL 26
<HKCU>\SOFTWARE\MICROSOFT\GOCFK
Value Name: mbijg
26
<HKCU>\SOFTWARE\MICROSOFT\KPQL
Value Name: efp
26
Mutexes Occurrences
Local\{06258131-BA39-27D4-02A0-AD682205B627} 26
Local\{2D6DB911-C222-9814-3135-344B99BBA4BA} 26
Local\{369514D7-C789-5986-2D19-AB81D1DD3BA1} 26
Local\{D0BDC0D1-57A4-C2CF-6C93-0085B58FFA2A} 26
Local\{D8E7AB94-6F65-71DE-8DA1-FE621BE2E606} 26
Local\{F04311D2-A565-19AE-AB73-281BA7FE97B5} 26
Local\{F6F578C7-92FE-B7B1-40CF-049F3710A368} 26
Local\{0CAD88C0-6AF8-0EDF-6CEE-161A49760D3C} 26
Local\{1B1B0EE4-67E0-0B41-FB4A-B5AEFA21FDDE} 26
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
216[.]218[.]206[.]69 1
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
fplraqgdaq[.]com 26
RZCBJ[.]IN 26
UIIMKNPSAFT[.]NET 26
WURECAIGFSE[.]COM 26
kicxjtaec[.]pw 26
jvomazzl[.]pw 26
efonzybmsdtj[.]net 26
wztiqm[.]com 26
ZCBIPTLC[.]COM 26
mytjbj[.]pw 26
RKXAMSQBNND[.]PW 26
SVIWLPNP[.]IN 26
ZTPMQPSID[.]COM 26
jnnovcv[.]com 26
kpskawv[.]pw 26
MXJHZ[.]NET 26
atetgyy[.]com 26
qyaqzy[.]pw 26
dojtzsiroyjb[.]in 26
aydvw[.]pw 26
kdnbfzdvpkqa[.]net 26
LMHFG[.]COM 26
RWAXYME[.]COM 26
KZQCBTRPVQ[.]NET 26
zeqyucrzmoa[.]net 26
*See JSON for more IOCs
Files and or directories created Occurrences
%ProgramData%\ph 26
%ProgramData%\ph\eqdw.dbc 26
%ProgramData%\ph\fktiipx.ftf 26
%TEMP%\gocf.ksv 26
%TEMP%\kpqlnn.iuy 26
%TEMP%\fro.dfx 24
%TEMP%\npsosm.pan 24
\Documents and Settings\All Users\pxs\dvf.evp 24
\Documents and Settings\All Users\pxs\pil.ohu 24

File Hashes

1d6c1c9461d0bf7b37946e3f28407e5d88fa0da78484d9a960a4df9c4b9ffe0f 2902a96c02986c6590846a5143c4199c73cae3d5d2a12f5643743120f4d584fe 3fe8b765762f14e140b4aa8c39bb7444204167117a840bd7d5e65cbd767263c8 5b0c4cb210a1bf466a4e0ea29f255cbc42d0dfd63a97097f5c1c39ed9c55526f 5fc2ac8a8aa7694150a3aa422a6504ebfcfec6c1e8db6a8780d5d5efe9eecd4c 675cb1b87b1b643457f07b95ac17fdcb0930f27176618c9538635040f91af543 6b1c0e31f062cf4dc16943ce7885c01af0b32cae6d3695e2d0604a4e21a152b1 6d632cc9626034bb85cd49a3fcc264a41ea4569ed4fd2cc2c601ad7297f3e7e6 71b3a4f2aeba042780e39c75a2d56a31d8fc4a31c972797026ec2200a2e09e89 81ca5a3ad1f90b10020486ba3ec81052a1a830ababc3ec84317ede19fe26291d 8661bf629126df89b4d3bd297ea922b7139e742799b1787b4fad97796f39eecd 8a62eab5413d1eaa0eb15f7e0d9c011ac4f01484b5e7b7b8b9b6a41fb527b234 a6428373b3b3fa4dcf9c3e34c4b5254df87fa2ee734fd009a629d31b2c40c17f ad6a5e3d349879d994f0069911d3ed83437dc1e247b24259f44380b47ecfb3c0 ae777184b6db778db0236b4aa80725495ec525582091070b67d7522f8c2e928f b11da3e70d8b840c5cff281d684d0e8999faad69a8065a6411b32a18b96d21db b7e7d221985fd7394d9a539ac51b4625966286844437d4bdf70c746abb923383 b8d3993860c392e4b9ef0fb935bd602bdd1864d720b46c784c1002caa73c8482 ca55d250f769157a0b5ff23556ce7526b8231f8ea51585b611372b62478d2531 e0a491b18056bfb63e0d22f6a0246ac0c754b359b72f0cdbbf54896559c10c7e e2cfa862147fa2285629c42ee58c4b517c3315c1b7a9a45e8861d441d96a5553 e4a648a4f077f84951a54b45220296c062a7b02257cd82a2375e696dc40b201d e8e3666284b09d4715a46b5ca817ca0fbcdc9646f12ccd26d30d0cbe7a432363 ea72a76831207545b8c5c4605be8da138c5563ea2771a57917d2000056428136 f76d6532a35cf82c01974148f4ff4adc592f48458a14be84657dc5633b316668
*See JSON for more IOCs

Coverage

Product Protection
Amp This has coverage
Cloudlock N/A
Cws This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
Wsa This has coverage

Screenshots of Detection

AMP


ThreatGrid




Win.Trojan.Gh0stRAT-7059563-0

Indicators of Compromise

Registry Keys Occurrences
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\DirectX jrq 12
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\DIRECTX JRQ
Value Name: Type
12
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\DIRECTX JRQ
Value Name: Start
12
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\DIRECTX JRQ
Value Name: DisplayName
12
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\DIRECTX JRQ
Value Name: WOW64
12
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\DIRECTX JRQ
Value Name: ObjectName
12
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\DIRECTX JRQ
Value Name: Description
12
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\DIRECTX JRQ
Value Name: FailureActions
12
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\DIRECTX JRQ
Value Name: ErrorControl
12
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\DIRECTX JRQ
Value Name: ImagePath
12
<HKLM>\System\CurrentControlSet\Control\Session Manager 7
<HKLM>\SYSTEM\CONTROLSET001\CONTROL\SESSION MANAGER
Value Name: PendingFileRenameOperations
7
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\DirfctX jrq 1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\DIRFCTX JRQ
Value Name: Type
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\DIRFCTX JRQ
Value Name: Start
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\DIRFCTX JRQ
Value Name: ErrorControl
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\DIRFCTX JRQ
Value Name: ImagePath
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\DIRFCTX JRQ
Value Name: DisplayName
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\DIRFCTX JRQ
Value Name: WOW64
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\DIRFCTX JRQ
Value Name: ObjectName
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\DIRFCTX JRQ
Value Name: Description
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\DIRFCTX JRQ
Value Name: FailureActions
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\DorhctX jrq 1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\DORHCTX JRQ
Value Name: Type
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\DORHCTX JRQ
Value Name: Start
1
Mutexes Occurrences
C:\TEMP\eb220715b4a7132b3d7f1dd0deddc5221ccb11b450945f158c9a4f251b6477e8.exe 27
DirectX jrq 12
\BaseNamedObjects\yaoyao.f3322.net 7
\BaseNamedObjects\79575465.f3322.net 3
123.254.107.86 3
C:\Windows\bwhvas.exe 3
C:\Windows\toflso.exe 3
C:\Windows\xstdwq.exe 3
\BaseNamedObjects\119.188.248.144 2
C:\Windows\iqmuuc.exe 2
103.214.171.133 1
\BaseNamedObjects\BirectX jrq 1
\BaseNamedObjects\27.50.162.226 1
\BaseNamedObjects\192.144.129.121 1
222.186.26.105 1
205.209.171.148 1
103.243.25.106 1
DirfctX jrq 1
DorhctX jrq 1
mf123.f3322.net 1
cx820329965.f3322.net 1
mingyemo.3322.org 1
labixiaoxin.e2.luyouxia.net 1
chhacke.win 1
guxiaosen.f3322.net 1
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
103[.]110[.]81[.]37 7
123[.]254[.]107[.]86 3
119[.]188[.]248[.]144 2
222[.]186[.]26[.]105 1
205[.]209[.]171[.]148 1
222[.]186[.]170[.]37 1
103[.]214[.]171[.]133 1
27[.]50[.]162[.]226 1
103[.]214[.]171[.]249 1
192[.]144[.]129[.]121 1
103[.]243[.]25[.]106 1
118[.]184[.]31[.]22 1
60[.]17[.]95[.]145 1
13[.]115[.]40[.]251 1
142[.]252[.]249[.]202 1
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
yaoyao[.]f3322[.]net 7
79575465[.]f3322[.]net 3
e2[.]luyouxia[.]net 1
mf123[.]f3322[.]net 1
cx820329965[.]f3322[.]net 1
labixiaoxin[.]e2[.]luyouxia[.]net 1
mingyemo[.]3322[.]org 1
CHHACKE[.]WIN 1
guxiaosen[.]f3322[.]net 1
Files and or directories created Occurrences
\??\agmkis2 7
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\217b1c5aa83d1557640799121b2c9f8c.exe 4
%SystemRoot%\kkwgks.exe 3
%HOMEPATH%\Start Menu\Programs\Startup\217b1c5aa83d1557640799121b2c9f8c.exe 3
%SystemRoot%\bwhvas.exe 3
%SystemRoot%\xstdwq.exe 3
%SystemRoot%\toflso.exe 3
%SystemRoot%\dqrhqi.exe 2
%SystemRoot%\yygeym.exe 2
%SystemRoot%\uusmuk.exe 2
%HOMEPATH%\Start Menu\Programs\Startup\04b13d6b1971341eceaa553415eca2f9.exe 2
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\04b13d6b1971341eceaa553415eca2f9.exe 2
%SystemRoot%\iqmuuc.exe 2
%SystemRoot%\fsldsw.exe 1
%SystemRoot%\zmdpmg.exe 1
%SystemRoot%\vipxie.exe 1
%HOMEPATH%\Start Menu\Programs\Startup\ab149447eb5ccd14cef581946ce7bd25.exe 1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\ab149447eb5ccd14cef581946ce7bd25.exe 1

File Hashes

0384f33c0f60902aafa0c1f5f57f8394547c461dbc7c744ef68fd598bda161d4 07d20f7641f228512c53d506093fb98c506af2c4e84017b2f044fc76b18f65db 0a2b304f7c348990afd2fa67a8642fc3f863b29e732971390f1fada404a9c053 1cae49580e2f3f1c73b7601d52a537809ae6d5a318cf398616ac60a30ea40344 29ee3d91d4381e50b6c483fbc04eaf85d54bca66aea37223e7931a3bf0dffe69 2b6061826e9e21aeb486a348e550e24adff26be135ca5fa4d13ce5c4fe0390e2 2b7e3cf249f3c8064bc77c58938c35017bc9aef0302f6e78a584ef0577531005 3405ea7e2605210cc8a78a39d223651244d3082669a918d7119cdb65af90dd13 360a930d3d09b02054d0191ea1dc96b8935041b71e743e09d7f203816755f94c 39bb8cdf51b3645ad2aad562f40a84f790868b538cb84cae23b01b52083b8b40 3bc00789944f89e7d467ebff20834d1773d8c3a934c07721785a2fdf8493de2f 4c680d6e11a3bd661986dd726a8bcecdac6b0ebc48c485edec364a3642be491c 57965bfc0368d3e1a47dfd62c374395474954e44b2982650dff3f23bc676b170 581dfd21e9055843023a64c8ce8c906e17d599be1ccd950b6993c1225ee9a97d 6408d34399f7d144d4ca5b76cf52880bbfdc0cbfb352b8b22d3ac8f76d432521 686e132fd317833979b14aedf48cfdf47abeb001893599e5e57c689e128f8a37 69f0c08363af6292948172aa1756f24d9735247dd4461e5ba2d3393abe498fbd 6c6a1f46d44efa21587cb19b2d2f4f4885383e75cd0a33fe4898d64de92dfced 6ce717339f2f6fa1f9260beb2f7abb6fc9de26f05967eae1a88da97e46470a83 735b79770ad3c141b6a24b27253eaa1645608a604a6bfd50b745c9225d385f8c 7c51982cc3a0bd0fdda770cc298ddcfcb2690e51570474e73b06f14d07aba8cd 98eef02902f0aa7b6d952fe724e52dc2aa71845384ffbabecb9e6ad071975090 9e6a97e05afba9b5e7eb940cb7d91e2fe795aeca5cfe7a4c03c47507ba31dc3f a31e162ed1ca8feaeb2d2790f44a42574ac2e7ab7e6f1ee151eae89cb769b3ae b188fd0f6b4f6ca29f464a90ab331b21a1e06bd8fae3e0b9ad4e5f84ea82330a
*See JSON for more IOCs

Coverage

Product Protection
Amp This has coverage
Cloudlock N/A
Cws This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
Wsa N/A

Screenshots of Detection

AMP


ThreatGrid




Win.Malware.Ramnit-7057249-1

Indicators of Compromise

Registry Keys Occurrences
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: AntiVirusOverride
11
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: AntiVirusDisableNotify
11
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: FirewallDisableNotify
11
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: FirewallOverride
11
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: UpdatesDisableNotify
11
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: UacDisableNotify
11
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM
Value Name: EnableLUA
11
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE
Value Name: EnableFirewall
11
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE
Value Name: DoNotAllowExceptions
11
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE
Value Name: DisableNotifications
11
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC
Value Name: Start
11
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDEFEND
Value Name: Start
11
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MPSSVC
Value Name: Start
11
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION
Value Name: jfghdug_ooetvtgk
11
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: JudCsgdy
11
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WUAUSERV
Value Name: Start
11
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Windows Defender
11
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
Value Name: Userinit
11
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
Value Name: Userinit
11
Mutexes Occurrences
{7930D12C-1D38-EB63-89CF-4C8161B79ED4} 11
\BaseNamedObjects\{137A1518-4964-635A-544B-7A4CB2C11D0D} 4
\BaseNamedObjects\{137A1956-4964-635A-544B-7A4CB5651D0D} 2
\BaseNamedObjects\Local\{41435A30-AC43-1BEB-BE05-A07FD209D423} 1
\BaseNamedObjects\{137A1956-4964-635A-544B-7A4CB5111D0D} 1
\BaseNamedObjects\{137A1956-4964-635A-544B-7A4CB7411D0D} 1
\BaseNamedObjects\{137A1956-4964-635A-544B-7A4CB8B91D0D} 1
\BaseNamedObjects\{137A1956-4964-635A-544B-7A4CB8091D0D} 1
\BaseNamedObjects\{137A1956-4964-635A-544B-7A4CB7851D0D} 1
\BaseNamedObjects\Ad48qw4d6wq84d56as 1
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
208[.]100[.]26[.]251 11
172[.]217[.]12[.]142 11
35[.]225[.]160[.]245 11
87[.]106[.]190[.]153 11
23[.]96[.]57[.]36 11
46[.]165[.]254[.]206 11
172[.]217[.]7[.]206 1
92[.]53[.]66[.]117 1
151[.]248[.]113[.]113 1
37[.]48[.]125[.]120 1
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
haqcdkwtukdegysigtv[.]com 11
ykvhpxixrqgid[.]com 11
saqjrigpkuins[.]com 11
fbhtsymefdwstuivosx[.]com 11
ntqchcmoegeif[.]com 11
ATFPJOULJN[.]COM 11
echrepdvcd[.]com 11
ffdjiuvufw[.]com 11
uacwwgvrdgqscbwb[.]com 11
wgpvglbadxo[.]com 11
qmbmbyqkltqfbbtxxc[.]com 11
gwlqggasgcluo[.]com 11
esxfrepgcyyvoim[.]com 11
bwnkdjlesbf[.]com 11
bphnopydih[.]com 11
jhapjgvatltxunklfwk[.]com 11
mbtseiltigrijncw[.]com 11
wwteytsfaiyrrg[.]com 11
qdvmstrtkslghpmunuk[.]com 11
tswgqcseq[.]com 11
HIVLCJCVUX[.]COM 11
ybhiodxwwmoymuv[.]com 11
htiobrofuirwkgn[.]com 11
VQRSXSLNBQT[.]COM 11
rghwarmlxmqivfmcs[.]com 11
*See JSON for more IOCs
Files and or directories created Occurrences
\Boot\BCD 11
\Boot\BCD.LOG 11
%LOCALAPPDATA%\Microsoft\Windows\UsrClass.dat 11
%LOCALAPPDATA%\Microsoft\Windows\UsrClass.dat.LOG1 11
%HOMEPATH%\NTUSER.DAT 11
%HOMEPATH%\ntuser.dat.LOG1 11
%LOCALAPPDATA%\bolpidti 11
%LOCALAPPDATA%\bolpidti\judcsgdy.exe 11
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\judcsgdy.exe 11
\Device\HarddiskVolume3 11
%SystemRoot%\bootstat.dat 11
%TEMP%\<random, matching '[a-z]{8}'>.exe 10
%HOMEPATH%\Local Settings\Application Data\hmqphkgx\pseqpmjy.exe 4
%HOMEPATH%\Local Settings\Application Data\jpnfmrvn.log 4
%HOMEPATH%\Start Menu\Programs\Startup\pseqpmjy.exe 4
%ProgramData%\wtvakgao.log 4
%System32%\CatRoot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb 1
%HOMEPATH%\Local Settings\Application Data\kgrsioak.log 1
%HOMEPATH%\Local Settings\Application Data\lghigvda.log 1
\eqwjnvsh 1
%TEMP%\~TM3.tmp 1
%HOMEPATH%\Local Settings\Application Data\ftefvsfn.log 1
%TEMP%\156015309940850413887.tempcbss 1
%TEMP%\1561093680624440949607.tempcbss 1
%HOMEPATH%\Local Settings\Application Data\apitem.exe 1

File Hashes

016d3ea1ff9056ab4d38ec27eff5f55c2937cf77ac9a18839ca2e2878ef5cab7 1b92ccc876e8f40ff500fad881f11f4594a173bb4d59c988a555a98a26ddec8a 284609ef1c4407db14ec09d6b3f429674e830d5e0c7543539e162faeb15e54d1 3e581c90b78ab15fd3febf27e4639c4ed4d83465d4c08b459bc33cad65f21b8e 75b983a6d29488b650d525a9bc666b3b1c1f4e98004d7934780d9d72a9578d86 aacdce0bcbb6cc0f3a3e171ec8bf595dbad35ad082014a1164b5e274d0d533a4 cb8dd63f3c6c3cbf7f2739ac6ef609e72a0518e8014f9d00cebff46cb2adf6c4 cf01652a747a1cbbaeab4833382dcfb4456bd80124008b1411c48fd0c5183462 d8a5782545ce9beee041085eb918d056776a3e66f2e503aa91c4cd179857d691 daf0e97b3c710a33158aee240070979c3708b6fb6a62651859b20176b14f887f f57cb898b2d3995ff95d1d075ca8a46bcc6008d83870afdf9a4034b3b6133aee

Coverage

Product Protection
Amp This has coverage
Cloudlock N/A
Cws This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella This has coverage
Wsa This has coverage

Screenshots of Detection

AMP


ThreatGrid


Umbrella




Win.Trojan.Tofsee-7055545-0

Indicators of Compromise

Registry Keys Occurrences
<HKLM>\System\CurrentControlSet\Services\NapAgent\Shas 24
<HKLM>\System\CurrentControlSet\Services\NapAgent\Qecs 24
<HKLM>\System\CurrentControlSet\Services\NapAgent\LocalConfig 24
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\NAPAGENT\LOCALCONFIG\Enroll\HcsGroups 24
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\NAPAGENT\LOCALCONFIG\UI 24
<HKU>\.DEFAULT\Control Panel\Buses 24
<HKU>\.DEFAULT\CONTROL PANEL\BUSES
Value Name: Config4
24
<HKU>\.DEFAULT\CONTROL PANEL\BUSES
Value Name: Config0
24
<HKU>\.DEFAULT\CONTROL PANEL\BUSES
Value Name: Config1
24
<HKU>\.DEFAULT\CONTROL PANEL\BUSES
Value Name: Config2
24
<HKU>\.DEFAULT\CONTROL PANEL\BUSES
Value Name: Config3
24
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> 24
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: Type
24
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: Start
24
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: ErrorControl
24
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: DisplayName
24
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: WOW64
24
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: ObjectName
24
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: Description
24
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\kdrxwekz
2
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\wpdjiqwl
2
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\yrflksyn
2
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\vocihpvk
2
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\xqekjrxm
2
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\qjxdckqf
2
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
239[.]255[.]255[.]250 24
69[.]55[.]5[.]250 24
46[.]4[.]52[.]109 24
176[.]111[.]49[.]43 24
85[.]25[.]119[.]25 24
144[.]76[.]199[.]2 24
144[.]76[.]199[.]43 24
43[.]231[.]4[.]7 24
192[.]0[.]47[.]59 24
172[.]217[.]10[.]36 24
144[.]76[.]108[.]92 24
74[.]125[.]192[.]27 24
67[.]195[.]228[.]110 20
74[.]6[.]137[.]64 20
98[.]137[.]159[.]26 20
208[.]76[.]51[.]51 18
216[.]146[.]35[.]35 18
151[.]101[.]250[.]167 18
104[.]44[.]194[.]232 18
209[.]85[.]202[.]27 18
213[.]205[.]33[.]62 18
208[.]76[.]50[.]50 17
74[.]125[.]71[.]26 17
104[.]44[.]194[.]236 17
108[.]177[.]126[.]27 16
*See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
250[.]5[.]55[.]69[.]in-addr[.]arpa 24
250[.]5[.]55[.]69[.]zen[.]spamhaus[.]org 24
250[.]5[.]55[.]69[.]cbl[.]abuseat[.]org 24
mta5[.]am0[.]yahoodns[.]net 24
250[.]5[.]55[.]69[.]dnsbl[.]sorbs[.]net 24
whois[.]iana[.]org 24
250[.]5[.]55[.]69[.]bl[.]spamcop[.]net 24
whois[.]arin[.]net 24
250[.]5[.]55[.]69[.]sbl-xbl[.]spamhaus[.]org 24
hotmail-com[.]olc[.]protection[.]outlook[.]com 24
mta6[.]am0[.]yahoodns[.]net 24
microsoft-com[.]mail[.]protection[.]outlook[.]com 24
honeypus[.]rusladies[.]cn 24
marina99[.]ruladies[.]cn 24
coolsex-finders4[.]com 24
sexual-pattern3[.]com 24
mta7[.]am0[.]yahoodns[.]net 22
ipinfo[.]io 21
etb-1[.]mail[.]tiscali[.]it 20
gql[.]twitch[.]tv 20
mx-eu[.]mail[.]am0[.]yahoodns[.]net 19
tiscalinet[.]it 18
mx-apac[.]mail[.]gm0[.]yahoodns[.]net 14
video-weaver[.]lhr03[.]hls[.]ttvnw[.]net 14
api[.]pr-cy[.]ru 13
*See JSON for more IOCs
Files and or directories created Occurrences
%SystemRoot%\SysWOW64\config\systemprofile:.repos 24
%SystemRoot%\SysWOW64\config\systemprofile 24
%SystemRoot%\SysWOW64\<random, matching '[a-z]{8}'> 24
%TEMP%\<random, matching '[a-z]{8}'>.exe 23
%System32%\<random, matching '[a-z]{8}\[a-z]{6,8}'>.exe (copy) 11
%TEMP%\kjzvcyd.exe 1
%TEMP%\srhdkgl.exe 1
%TEMP%\gfvryuz.exe 1
%SystemRoot%\TEMP\wincookie.repos 1

File Hashes

4556789446c3037570f9cf1bd4f4a46eee5319570336f461c851db39c2a8ee8b 5c350fc02478ae9c7292d07fa0af0b58f0368069b24bac66d6f81b3808f51cd3 680b245f8ef2c3ba1b08061f4a3f4f483a5a5d2776f085c80743277c78419c81 6af8f0b9791de8f0738125daf6022e4a4df4e2cdb0fc1231f00967a6916aef65 70035e894d3b4a4e98749a7b4a4a6d636fc8e44bd58dda2c0c448a0478fe5fb0 72f32f1f019e887e7fc316ba85011700e0565d6206419536f13e566592e74aed 75e8d2772d064e11049533ccdcf55825c397e127abf1ab8fa03ada6bf684d1f9 79fc121497c503d895234748331ae37c476271ec1e0f50b13ed4e5cb460acad3 80f8082743934e0d25177029fce2c8f2639c72ed4459fb6bfd8dbf9705435736 a2b4b995d47f2f327cf39906194be6e0833a07dc15671f0e6f1f8c3d8dc782a0 a5b4d5d1b73f027ce5f820e52b62006c8316beb83197f66f9fa83f278da5780f a6e0de9ca55434e7e07243d803725a2322ae88a873b83ef2a0ef7f79b14edee3 a9332649c0cc1430fb1239389aae9f411cfa9adc8bbe142fcf666d50319a65b5 ad45af1453bf848a7a5285e725452e61e404d775c2860c7d5db371091d775b14 b91d9b081f503891405d4fc9c0d914e279604d441775a7f08371224ce52dce88 babd568f2356db743a96b8b8712a106606d3043144420fa916f81ff89290668d c4ef64d809a2445747813c07bbd7922292dfbcf9514baf97cf9d12c7b4c4d657 c6ab94774b2b6f02cea022202ded9d059022e4e237645ecd706f10c2f1451256 c742920b0a4ee7162aa7d50193861bdcd55307004775671da6a5897204283d45 cd936bd7f6c8e0e637e7e9714e10b9243215a757bf2a70b4e40a8d2e6da07d28 d71df2e3d86d382b33adc99f205e42645dc18aace875c544da465673ca24bd3e ddca8e327b0ef2a799feecc239d9a63437fe4a98144fa1ca6d7ea594809b731a e8509f883df6e56efc9d8ea4db91966e24a41be99df5499e5f2cb10750738ea2 f1694805ede6bb4e09b654079d2a6063c8216565ef730d49c8319f7c561978d5 f350785d4cdf862dfac6a4afb80cce91f9ec6289664a985156295d904c14e26d
*See JSON for more IOCs

Coverage

Product Protection
Amp This has coverage
Cloudlock N/A
Cws This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella This has coverage
Wsa This has coverage

Screenshots of Detection

AMP


ThreatGrid


Umbrella




Exploit Prevention

Cisco AMP for Endpoints protects users from a variety of malware functions with exploit prevention. Exploit prevention helps users defend endpoints from memory attacks commonly used by obfuscated malware and exploits. These exploits use certain features to bypass typical anti-virus software, but were blocked by AMP thanks to its advanced scanning capabilities, even protecting against zero-day vulnerabilities.
Madshi injection detected - (1684)
Madshi is a code injection framework that uses process injection to start a new thread if other methods to start a thread within a process fail. This framework is used by a number of security solutions. It is also possible for malware to use this technique.
Kovter injection detected - (1283)
A process was injected into, most likely by an existing Kovter infection. Kovter is a click fraud Trojan that can also act as an information stealer. Kovter is also file-less malware meaning the malicious DLL is stored inside Windows registry and injected directly into memory using PowerShell. It can detect and report the usage of monitoring software such as wireshark and sandboxes to its C2. It spreads through malicious advertising and spam campaigns.
Process hollowing detected - (619)
Process hollowing is a technique used by some programs to avoid static analysis. In typical usage, a process is started and its obfuscated or encrypted contents are unpacked into memory. The parent then manually sets up the first stages of launching a child process, but before launching it, the memory is cleared and filled in with the memory from the parent instead.
Excessively long PowerShell command detected - (585)
A PowerShell command with a very long command line argument that may indicate an obfuscated script has been detected. PowerShell is an extensible Windows scripting language present on all versions of Windows. Malware authors use PowerShell in an attempt to evade security software or other monitoring that is not tuned to detect PowerShell based threats.
Trickbot malware detected - (217)
Trickbot is a banking Trojan which appeared in late 2016. Due to the similarities between Trickbot and Dyre, it is suspected some of the individuals responsible for Dyre are now responsible for Trickbot. Trickbot has been rapidly evolving over the months since it has appeared. However, Trickbot is still missing some of the capabilities Dyre possessed. Its current modules include DLL injection, system information gathering, and email searching.
Gamarue malware detected - (189)
Gamarue is a family of malware that can download files and steal information from an infected system. Worm variants of the Gamarue family may spread by infecting USB drives or portable hard disks that have been plugged into a compromised system.
PowerShell file-less infection detected - (72)
A PowerShell command was stored in an environment variable and run. The environment variable is commonly set by a previously run script and is used as a means of evasion. This behavior is a known tactic of the Kovter and Poweliks malware families.
Installcore adware detected - (58)
Install core is an installer which bundles legitimate applications with offers for additional third-party applications that may be unwanted. The unwanted applications are often adware that display advertising in the form of popups or by injecting into browsers and adding or altering advertisements on webpages. Adware is known to sometimes download and install malware.
Dealply adware detected - (52)
DealPly is adware, which claims to improve your online shopping experience. It is often bundled into other legitimate installers and is difficult to uninstall. It creates pop-up advertisements and injects advertisements on webpages. Adware has also been known to download and install malware.
Possible fileless malware download - (47)
A site commonly used by fileless malware to download additional data has been detected. Several different families of malware have been observed using these sites to download additional stages to inject into other processes.

No comments:

Post a Comment