Friday, August 16, 2019

Threat Roundup for August 9 to August 16

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Aug. 9 and Aug. 16. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, it summarizes the threats we've observed by highlighting key behavioral characteristics and indicators of compromise, and by discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

For each threat described below, this blog post lists only 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. As always, please remember that all IOCs contained in this document are indicators, and one single IOC does not indicate maliciousness.
The most prevalent threats highlighted in this roundup are:

| Threat Name | Type | Description |
|---|---|---|
| Win.Packed.njRAT-7122661-1 | Packed | njRAT, also known as Bladabindi, is a remote access trojan (RAT) that allows attackers to execute commands on the infected host, log keystrokes and remotely turn on the victim's webcam and microphone. njRAT was developed by the Sparclyheason group. Some of the largest attacks using this malware date back to 2014. |
| Win.Malware.HawkEye-7122916-2 | Malware | HawkEye is an information stealing malware that specifically targets usernames and passwords stored by web browsers and mail clients on an infected machine. It is commonly spread via email and can also propagate through removable media. |
| Win.Malware.Cybergate-7114776-1 | Malware | Cybergate, also known as Rebhip, is a Remote Access Trojan that allows attackers to fully control the target system. Functionality includes command shell interaction, screenshot capturing, audio/video capturing, keylogging, as well as uploading/downloading files from the target system. |
| Win.Malware.Nymaim-7112030-1 | Malware | Nymaim is malware that can be used to deliver ransomware and other malicious payloads. It uses a domain generation algorithm to generate potential command and control (C2) domains to connect to additional payloads. |
| Win.Malware.Tofsee-7112026-1 | Malware | Tofsee is multi-purpose malware that features a number of modules used to carry out various activities, such as sending spam messages, conducting click fraud, mining cryptocurrency, and more. Infected systems become part of the Tofsee spam botnet and are used to send large volumes of spam messages in an effort to infect additional systems and increase the overall size of the botnet under the operator’s control. |
| Win.Malware.Trickbot-7112005-1 | Malware | Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB scripts. |
| Win.Malware.Gh0stRAT-7109635-2 | Malware | Gh0stRAT is a well-known family of remote access trojans designed to provide an attacker with complete control over an infected system. Capabilities include monitoring keystrokes, collecting video footage from the webcam, and uploading/executing follow-on malware. The source code for Gh0stRAT has been publicly available on the Internet for years, significantly lowering the barrier for actors to modify and reuse the code in new attacks. |
| Win.Packed.Zeroaccess-7109532-0 | Packed | ZeroAccess is a trojan that infects Windows systems, installing a rootkit to hide its presence on the affected machine and serves as a platform for conducting click fraud campaigns. |
| Win.Trojan.Shiz-7108197-0 | Trojan | Shiz is a remote access trojan that allows an attacker to access an infected machine in order to harvest sensitive information. It is commonly spread via droppers or by visiting a malicious site. |

Threat Breakdown

Win.Packed.njRAT-7122661-1

Indicators of Compromise

Registry Keys Occurrences
<HKU>\S-1-5-21-2580483871-590521980-3826313501-500
Value Name: di
18
<HKCU>\ENVIRONMENT
Value Name: SEE_MASK_NOZONECHECKS
18
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
Value Name: ParseAutoexec
18
<HKCU>\SOFTWARE\91DFFF70961506A1564FE50B6195DEAD 18
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: 91dfff70961506a1564fe50b6195dead
18
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: 91dfff70961506a1564fe50b6195dead
18
<HKCU>\SOFTWARE\91DFFF70961506A1564FE50B6195DEAD
Value Name: [kl]
18
Mutexes Occurrences
91dfff70961506a1564fe50b6195dead 18
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
187[.]4[.]28[.]100 15
189[.]10[.]170[.]195 3
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
aab58[.]ddns[.]net 18
Files and/or directories created Occurrences
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\91dfff70961506a1564fe50b6195dead.exe 18
%TEMP%\iexpress32.exe 18

File Hashes


Coverage

| Product | Protection |
|---|---|
| AMP | This has coverage |
| Cloudlock | N/A |
| CWS | This has coverage |
| Email Security | This has coverage |
| Network Security | This has coverage |
| Stealthwatch | N/A |
| Stealthwatch Cloud | N/A |
| Threat Grid | This has coverage |
| Umbrella | N/A |
| WSA | This has coverage |

Screenshots of Detection (images not reproduced): AMP, ThreatGrid


Win.Malware.HawkEye-7122916-2

Indicators of Compromise

Registry Keys Occurrences
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED
Value Name: Hidden
11
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Windows Update
3
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: Registry Key Name
1
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
104[.]16[.]155[.]36 7
104[.]16[.]154[.]36 4
93[.]158[.]134[.]38 2
87[.]250[.]250[.]38 1
136[.]143[.]191[.]189 1
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
whatismyipaddress[.]com 11
smtp[.]yandex[.]com 3
smtp[.]zoho[.]com 1
Files and/or directories created Occurrences
%TEMP%\holdermail.txt 11
%APPDATA%\pid.txt 11
%APPDATA%\pidloc.txt 11
%TEMP%\<random, matching '[a-z]{3}[A-F0-9]{3,4}'>.tmp 11
\Sys.exe 9
\autorun.inf 9
E:\autorun.inf 9
E:\Sys.exe 9
%TEMP%\holderwb.txt 8
%TEMP%\SysInfo.txt 8
%APPDATA%\Windows Update.exe 8
%APPDATA%\WindowsUpdate.exe 3
%TEMP%\subfolder 1
%TEMP%\subfolder\filename.exe 1
%TEMP%\subfolder\filename.vbs 1

File Hashes


Coverage

| Product | Protection |
|---|---|
| AMP | This has coverage |
| Cloudlock | N/A |
| CWS | This has coverage |
| Email Security | This has coverage |
| Network Security | N/A |
| Stealthwatch | N/A |
| Stealthwatch Cloud | N/A |
| Threat Grid | This has coverage |
| Umbrella | N/A |
| WSA | N/A |

Screenshots of Detection (images not reproduced): AMP, ThreatGrid


Win.Malware.Cybergate-7114776-1

Indicators of Compromise

Registry Keys Occurrences
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN 13
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN 13
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN
Value Name: MSQM
12
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN
Value Name: MSQM
12
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Realtek Audio
12
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Adobe Starter
12
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{0H0N0B4G-P8H0-63SU-QBB1-QXKN5M1261DQ} 2
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{0H0N0B4G-P8H0-63SU-QBB1-QXKN5M1261DQ}
Value Name: StubPath
2
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{1C7T55HW-D326-IWQK-6087-652774G5V2RN} 2
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{1C7T55HW-D326-IWQK-6087-652774G5V2RN}
Value Name: StubPath
2
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{0KWTNM33-D745-1P14-D1BA-224TD37L2DP8} 1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{86TIP765-B0E5-AB86-L87O-3R28QFSJGN0J} 1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN
Value Name: Policies
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN
Value Name: Policies
1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Audio
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Audio
1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{0KWTNM33-D745-1P14-D1BA-224TD37L2DP8}
Value Name: StubPath
1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{86TIP765-B0E5-AB86-L87O-3R28QFSJGN0J}
Value Name: StubPath
1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{6W6SH85E-GESR-7C8G-187D-4M6664523332} 1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{6W6SH85E-GESR-7C8G-187D-4M6664523332}
Value Name: StubPath
1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{G718OU16-FJJG-TVIB-LQ35-WINSRC80H3GD} 1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{G718OU16-FJJG-TVIB-LQ35-WINSRC80H3GD}
Value Name: StubPath
1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{41LU5C5I-NQ05-2KS6-7E2G-P3AD1GREFY8T} 1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{41LU5C5I-NQ05-2KS6-7E2G-P3AD1GREFY8T}
Value Name: StubPath
1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{216555Q4-64KR-BMG3-55K7-2354V88S0LSE} 1
Mutexes Occurrences
_x_X_BLOCKMOUSE_X_x_ 13
_x_X_PASSWORDLIST_X_x_ 13
_x_X_UPDATE_X_x_ 13
Pluguin 12
Pluguin_PERSIST 12
Pluguin_SAIR 12
***MUTEX*** 1
***MUTEX***_PERSIST 1
***MUTEX***_SAIR 1
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
187[.]58[.]232[.]18 12
52[.]8[.]126[.]80 1
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
rainoide[.]no-ip[.]org 12
www[.]server[.]com 1
Files and/or directories created Occurrences
%TEMP%\XX--XX--XX.txt 13
%TEMP%\UuU.uUu 13
%TEMP%\XxX.xXx 13
%APPDATA%\logs.dat 13
%SystemRoot%\SysWOW64\Microsoft 13
%SystemRoot%\SysWOW64\Microsoft\svchost.exe 12
%SystemRoot%\SysWOW64\Microsoft\svchost 1

File Hashes


Coverage

| Product | Protection |
|---|---|
| AMP | This has coverage |
| Cloudlock | N/A |
| CWS | This has coverage |
| Email Security | This has coverage |
| Network Security | N/A |
| Stealthwatch | N/A |
| Stealthwatch Cloud | N/A |
| Threat Grid | This has coverage |
| Umbrella | N/A |
| WSA | N/A |

Screenshots of Detection (images not reproduced): AMP, ThreatGrid


Win.Malware.Nymaim-7112030-1

Indicators of Compromise

Registry Keys Occurrences
<HKCU>\SOFTWARE\MICROSOFT\GOCFK 25
<HKCU>\SOFTWARE\MICROSOFT\GOCFK
Value Name: mbijg
25
Mutexes Occurrences
Local\{369514D7-C789-5986-2D19-AB81D1DD3BA1} 25
Local\{D0BDC0D1-57A4-C2CF-6C93-0085B58FFA2A} 25
Local\{F04311D2-A565-19AE-AB73-281BA7FE97B5} 25
Local\{F6F578C7-92FE-B7B1-40CF-049F3710A368} 25
Local\{306BA354-8414-ABA3-77E9-7A7F347C71F4} 25
Local\{F58B5142-BC49-9662-B172-EA3D10CAA47A} 25
Local\{C170B740-57D9-9B0B-7A4E-7D6ABFCDE15D} 25
Local\{B888AC68-15DA-9362-2153-60CCDE3753D5} 25
Local\{2DB629D3-9CAA-6933-9C2E-D40B0ACCAC9E} 25
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
*See JSON for more IOCs
Files and/or directories created Occurrences
%ProgramData%\ph 25
%ProgramData%\ph\fktiipx.ftf 25
%TEMP%\gocf.ksv 25
%ProgramData%\<random, matching '[a-z0-9]{3,7}'> 25
%APPDATA%\<random, matching '[a-z0-9]{3,7}'> 25
%LOCALAPPDATA%\<random, matching '[a-z0-9]{3,7}'> 25
%TEMP%\fro.dfx 23
\Documents and Settings\All Users\pxs\pil.ohu 23
%TEMP%\bpnb.skg 4

File Hashes

*See JSON for more IOCs

Coverage

| Product | Protection |
|---|---|
| AMP | This has coverage |
| Cloudlock | N/A |
| CWS | This has coverage |
| Email Security | This has coverage |
| Network Security | This has coverage |
| Stealthwatch | N/A |
| Stealthwatch Cloud | N/A |
| Threat Grid | This has coverage |
| Umbrella | This has coverage |
| WSA | This has coverage |

Screenshots of Detection (images not reproduced): AMP, ThreatGrid, Umbrella


Win.Malware.Tofsee-7112026-1

Indicators of Compromise

Registry Keys Occurrences
<HKU>\.DEFAULT\CONTROL PANEL\BUSES
Value Name: Config3
16
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: Type
16
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: Start
16
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: ErrorControl
16
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: DisplayName
16
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: WOW64
16
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: ObjectName
16
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: Description
16
<HKU>\.DEFAULT\CONTROL PANEL\BUSES 16
<HKU>\.DEFAULT\CONTROL PANEL\BUSES
Value Name: Config0
16
<HKU>\.DEFAULT\CONTROL PANEL\BUSES
Value Name: Config1
16
<HKU>\.DEFAULT\CONTROL PANEL\BUSES
Value Name: Config2
16
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> 16
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: ImagePath
10
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\ibpvucix
3
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\tmagfnti
2
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\vocihpvk
2
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\fymsrzfu
2
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\qjxdckqf
2
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\haoutbhw
1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\piwcbjpe
1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\slzfemsh
1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\yrflksyn
1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\cvjpowcr
1
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
*See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
*See JSON for more IOCs
Files and/or directories created Occurrences
%HOMEPATH% 16
%SystemRoot%\SysWOW64\config\systemprofile 16
%SystemRoot%\SysWOW64\config\systemprofile:.repos 16
%TEMP%\<random, matching '[a-z]{8}'>.exe 16
%SystemRoot%\SysWOW64\<random, matching '[a-z]{8}'> 16
%System32%\<random, matching '[a-z]{8}\[a-z]{6,8}'>.exe (copy) 16
%TEMP%\edtpwsx.exe 1
%TEMP%\ondzgch.exe 1

File Hashes


Coverage

| Product | Protection |
|---|---|
| AMP | This has coverage |
| Cloudlock | N/A |
| CWS | This has coverage |
| Email Security | This has coverage |
| Network Security | N/A |
| Stealthwatch | N/A |
| Stealthwatch Cloud | N/A |
| Threat Grid | This has coverage |
| Umbrella | This has coverage |
| WSA | This has coverage |

Screenshots of Detection (images not reproduced): AMP, ThreatGrid, Umbrella


Win.Malware.Trickbot-7112005-1

Indicators of Compromise

Registry Keys Occurrences
<HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\AUTHROOT\CERTIFICATES\DAC9024F54D8F6DF94935FB1732638CA6AD77C13
Value Name: Blob
3
Mutexes Occurrences
Global\VLock 25
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
*See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
ipinfo[.]io 6
ip[.]anysrc[.]net 6
api[.]ipify[.]org 5
myexternalip[.]com 3
icanhazip[.]com 2
ipecho[.]net 2
checkip[.]amazonaws[.]com 2
wtfismyip[.]com 2
elb097307-934924932[.]us-east-1[.]elb[.]amazonaws[.]com 2
checkip[.]us-east-1[.]prod[.]check-ip[.]aws[.]a2z[.]com 1
Files and/or directories created Occurrences
%APPDATA%\winapp\Modules 25
%System32%\Tasks\services update 25
%APPDATA%\winapp\client_id 25
%APPDATA%\winapp\group_tag 25
%APPDATA%\winapp 25
%APPDATA%\WINAPP\<original file name>.exe 25
%SystemRoot%\Tasks\services update.job 23

File Hashes

*See JSON for more IOCs

Coverage

| Product | Protection |
|---|---|
| AMP | This has coverage |
| Cloudlock | N/A |
| CWS | This has coverage |
| Email Security | This has coverage |
| Network Security | N/A |
| Stealthwatch | N/A |
| Stealthwatch Cloud | N/A |
| Threat Grid | This has coverage |
| Umbrella | N/A |
| WSA | N/A |

Screenshots of Detection (images not reproduced): AMP, ThreatGrid


Win.Malware.Gh0stRAT-7109635-2

Indicators of Compromise

Registry Keys Occurrences
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\STUVWX 26
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\STUVWX
Value Name: MarkTime
26
Mutexes Occurrences
193.112.13.217:7788:Stuvwx 26
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
193[.]112[.]13[.]217 26

File Hashes

*See JSON for more IOCs

Coverage

| Product | Protection |
|---|---|
| AMP | This has coverage |
| Cloudlock | N/A |
| CWS | This has coverage |
| Email Security | This has coverage |
| Network Security | N/A |
| Stealthwatch | N/A |
| Stealthwatch Cloud | N/A |
| Threat Grid | This has coverage |
| Umbrella | N/A |
| WSA | N/A |

Screenshots of Detection (images not reproduced): AMP, ThreatGrid


Win.Packed.Zeroaccess-7109532-0

Indicators of Compromise

Registry Keys Occurrences
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MPSSVC
Value Name: DeleteFlag
19
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC
Value Name: DeleteFlag
19
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\BROWSER
Value Name: Start
19
<HKCR>\CLSID\{FBEB8A05-BEEE-4442-804E-409D6C4515E9}\INPROCSERVER32
Value Name: ThreadingModel
19
<HKCR>\CLSID\{FBEB8A05-BEEE-4442-804E-409D6C4515E9}\INPROCSERVER32 19
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Windows Defender
19
<HKLM>\SOFTWARE\CLASSES\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\INPROCSERVER32 19
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDEFEND
Value Name: Type
19
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDEFEND
Value Name: ErrorControl
19
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS
Value Name: Type
19
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS
Value Name: ErrorControl
19
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\IPHLPSVC
Value Name: Type
19
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\IPHLPSVC
Value Name: ErrorControl
19
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\IPHLPSVC
Value Name: DeleteFlag
19
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC
Value Name: Type
19
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC
Value Name: ErrorControl
19
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MPSSVC
Value Name: Type
19
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MPSSVC
Value Name: ErrorControl
19
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINSOCK2\PARAMETERS\PROTOCOL_CATALOG9\CATALOG_ENTRIES\000000000010
Value Name: PackedCatalogItem
19
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINSOCK2\PARAMETERS\PROTOCOL_CATALOG9\CATALOG_ENTRIES\000000000009
Value Name: PackedCatalogItem
19
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINSOCK2\PARAMETERS\PROTOCOL_CATALOG9\CATALOG_ENTRIES\000000000008
Value Name: PackedCatalogItem
19
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINSOCK2\PARAMETERS\PROTOCOL_CATALOG9\CATALOG_ENTRIES\000000000007
Value Name: PackedCatalogItem
19
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINSOCK2\PARAMETERS\PROTOCOL_CATALOG9\CATALOG_ENTRIES\000000000006
Value Name: PackedCatalogItem
19
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINSOCK2\PARAMETERS\PROTOCOL_CATALOG9\CATALOG_ENTRIES\000000000005
Value Name: PackedCatalogItem
19
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINSOCK2\PARAMETERS\PROTOCOL_CATALOG9\CATALOG_ENTRIES\000000000004
Value Name: PackedCatalogItem
19
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
*See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
j[.]maxmind[.]com 15
uikvdwhrextuxymklwbrodjzhj[.]com 1
xikzzyxnfkaepapadgned[.]com 1
Files and/or directories created Occurrences
\systemroot\assembly\GAC_32\Desktop.ini 19
\systemroot\assembly\GAC_64\Desktop.ini 19
%System32%\LogFiles\Scm\e22a8667-f75b-4ba9-ba46-067ed4429de8 19
%SystemRoot%\assembly\GAC_32\Desktop.ini 19
%SystemRoot%\assembly\GAC_64\Desktop.ini 19
\$Recycle.Bin\S-1-5-18 19
\$Recycle.Bin\S-1-5-18\$0f210b532df043a6b654d5b43088f74f 19
\$Recycle.Bin\S-1-5-18\$0f210b532df043a6b654d5b43088f74f\@ 19
\$Recycle.Bin\S-1-5-18\$0f210b532df043a6b654d5b43088f74f\L 19
\$Recycle.Bin\S-1-5-18\$0f210b532df043a6b654d5b43088f74f\U 19
\$Recycle.Bin\S-1-5-18\$0f210b532df043a6b654d5b43088f74f\n 19
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$0f210b532df043a6b654d5b43088f74f 19
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$0f210b532df043a6b654d5b43088f74f\@ 19
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$0f210b532df043a6b654d5b43088f74f\L 19
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$0f210b532df043a6b654d5b43088f74f\U 19
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$0f210b532df043a6b654d5b43088f74f\n 19
\RECYCLER\S-1-5-18\$ad714f5b8798518b3ccb73fd900fd2ba\@ 17
\RECYCLER\S-1-5-18\$ad714f5b8798518b3ccb73fd900fd2ba\n 17
\RECYCLER\S-1-5-21-1258710499-2222286471-4214075941-500\$ad714f5b8798518b3ccb73fd900fd2ba\@ 17
\RECYCLER\S-1-5-21-1258710499-2222286471-4214075941-500\$ad714f5b8798518b3ccb73fd900fd2ba\n 17
%SystemRoot%\assembly\GAC\Desktop.ini 17
4.@ (copy) 1
8.@ (copy) 1
80000000.@ (copy) 1
80000032.@ (copy) 1
*See JSON for more IOCs

File Hashes

64f81a35325dd38c136a632f0e23d167407a0c4963a70761d4ab5707775f0d23 67ebc3153ede004c1af8b82ecd6f4713573f4c29b4a84c0500d761f483ad9172 688db1253d2dcdaf11bb2e8f03790dea9b10625b14b20531f4ea108801066f62 78951871e9a63fa3907da13165bab1119addd1ce8a3b376afae47b532e5d3653 7d8a67472d130e64d41205a7c1e5263b4fe6a4c6dc2b413618fd9e38ce47f536 8eea2b29e69058398957d5972b62b47947d090c2610bcd45ee593fa92bf25004 91fff0045ed0ac9433217ee7dd1f5ede0554588995892e026044d8d9f9371e1a 9a254fc4e4ca669bab5ad0a830ab43a9ebee6b835fdf794f76a8575d2ca8d548 9db192e4eced11fc3f84d6d8f6302e0230798993bc2b9efca6170428fba13906 a1335dcc4001df7691151413c8c1280dcda1a28a5bd21e82673de4d7560116b7 a2f377e3ff205bc71b5c2a88957578d2a6fb9d390d7ba19fa5117fb0f17736b3 c11c70ca57c92e7224b2c011bb8559d5214ff644fec730a52e02eee172a8a043 c443515f2c11f9cce0be0bd88532bd2b0885d2836bb0b5abb4c2e9198bb2121b d17a1fb8e452ae4fce1f2763a32b209b6663c600dcf253fd1e943e481ca90e63 dcfd777c230140e79392ba5adf4f6aa9ae249d68eb18cf2ba3b74eca47a2b3c2 df6e0399978745daad9974c24eecc3859740bc2e2ece4a7ec970cefcdd5a5bbe eb5d5d7b8119f0819a9f00bd20e3c200e9e938a7705bcad0afc86f254d62a78c efbf80ac6287c82b3231e87957271cadf5c5130eeea7b2e456ffa8b002cbde62 f12f6a6b3358a8dee157fa6bc7170d94cbf2e6f890c86791af20c1a841c01c17 f77e3f0bf61edecfc8f50904e19b9746ba78be95520288d824b61777b04649c6

Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection: AMP, ThreatGrid

Win.Trojan.Shiz-7108197-0

Indicators of Compromise

Registry Keys Occurrences
<HKLM>\SOFTWARE\MICROSOFT
Value Name: 67497551a
18
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
Value Name: 98b68e3c
18
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
Value Name: userinit
18
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
Value Name: System
18
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS
Value Name: load
18
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS
Value Name: run
18
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: userinit
18
Mutexes Occurrences
Global\674972E3a 18
Global\MicrosoftSysenterGate7 18
internal_wutex_0x00000120 18
internal_wutex_0x00000424 18
internal_wutex_0x00000474 18
internal_wutex_0x000004a0 18
\BaseNamedObjects\Global\C3D74C3Ba 17
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
23[.]253[.]126[.]58 18
208[.]100[.]26[.]251 18
104[.]239[.]157[.]210 18
45[.]77[.]226[.]209 18
198[.]187[.]30[.]249 14
35[.]231[.]151[.]7 12
13[.]107[.]21[.]200 10
35[.]229[.]93[.]46 9
204[.]79[.]197[.]200 8
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
MAMASUFEXIX[.]EU 18
FODAVIBUSIM[.]EU 18
LYKONURYMEX[.]EU 18
qetoqolusex[.]eu 18
PUPUCUVYMUP[.]EU 18
vocupotusyz[.]eu 18
gaherobusit[.]eu 18
MAGOFETEQUB[.]EU 18
RYCUCUGISIX[.]EU 18
KEJYWAJAZOK[.]EU 18
puvewevodek[.]eu 18
gahyfesyqad[.]eu 18
MAVEJYKIDIJ[.]EU 18
lyvevonifun[.]eu 18
rydopapifel[.]eu 18
kemimojitir[.]eu 18
CIQUKECYWIV[.]EU 18
FOXOFEWUTEQ[.]EU 18
tucyzogojat[.]eu 18
JEJYKAXYMOB[.]EU 18
QEKUSAGIGYZ[.]EU 18
tuwypagupeb[.]eu 18
FOBATESOHEK[.]EU 18
NOVOMYFEXIJ[.]EU 18
dixyjohevon[.]eu 18
*See JSON for more IOCs
Files and or directories created Occurrences
%TEMP%\<random, matching [A-F0-9]{1,4}>.tmp 18
%SystemRoot%\AppPatch\ffiqrh.exe 1
%SystemRoot%\AppPatch\jshtht.exe 1
%SystemRoot%\AppPatch\akumbd.exe 1
%SystemRoot%\AppPatch\rkhhmxr.exe 1
%SystemRoot%\AppPatch\pvsvlhr.exe 1
%SystemRoot%\AppPatch\hcbpdh.exe 1
%SystemRoot%\AppPatch\suupehv.exe 1
%SystemRoot%\AppPatch\atvoia.exe 1
%SystemRoot%\AppPatch\xyovdf.exe 1
%SystemRoot%\AppPatch\qoatnug.exe 1
%SystemRoot%\AppPatch\stfvdxf.exe 1
%SystemRoot%\AppPatch\crsadq.exe 1
%SystemRoot%\AppPatch\iqxtlwt.exe 1
%SystemRoot%\AppPatch\vgabmas.exe 1
%SystemRoot%\AppPatch\cxglomg.exe 1
%SystemRoot%\AppPatch\mrfdmsf.exe 1
%SystemRoot%\AppPatch\eodhsml.exe 1
%SystemRoot%\AppPatch\bjihnwq.exe 1
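The registry IOCs above are all logon-time autorun locations: Winlogon\Userinit and Winlogon\System are read at every interactive logon, HKCU\...\Windows NT\CurrentVersion\Windows\load and \run are the old win.ini autoruns that Windows still honours, and the HKCU\Run value is named userinit to blend in with the real one. The following added check (example code, not Talos tooling) scores a registry snapshot against exactly those locations. It assumes the snapshot has already been read into a dictionary of key path to {value name: data} (for instance from a parsed reg.exe export; that parsing is not shown). The two sample snapshots are constructed to mirror the IOC list: the dropper name ffiqrh.exe comes from the files list above, while the value data is invented for illustration.

```python
import re
from typing import Dict, List

# Key paths from the IOC list, in their usual display form.
HKLM_MS = r"HKLM\SOFTWARE\Microsoft"
WINLOGON = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
HKCU_WINDOWS = r"HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
HKCU_RUN = r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# On a clean system Winlogon\Userinit names only the system userinit.exe.
DEFAULT_USERINIT = {r"c:\windows\system32\userinit.exe",
                    r"%systemroot%\system32\userinit.exe"}
# The IOC value names 67497551a and 98b68e3c are hex-only strings; legitimate
# values under these keys have word-like names.
HEX_NAME = re.compile(r"^[0-9a-f]{6,}$", re.IGNORECASE)

Snapshot = Dict[str, Dict[str, str]]  # key path -> {value name: data}


def check_shiz_persistence(snapshot: Snapshot) -> List[str]:
    """Return one finding per suspicious autorun entry; empty means clean."""
    findings: List[str] = []
    winlogon = snapshot.get(WINLOGON, {})

    # Userinit is a comma-separated list; anything beyond the default runs at logon.
    for entry in winlogon.get("Userinit", "").split(","):
        entry = entry.strip().strip('"').lower()
        if entry and entry not in DEFAULT_USERINIT:
            findings.append(f"Winlogon\\Userinit runs extra program: {entry}")

    # Winlogon\System is empty on a clean system; the sample populates it.
    if winlogon.get("System", "").strip():
        findings.append(f"Winlogon\\System is set: {winlogon['System']}")

    # Hex-only value names directly under HKLM\SOFTWARE\Microsoft or Winlogon.
    for key in (HKLM_MS, WINLOGON):
        for name in snapshot.get(key, {}):
            if HEX_NAME.match(name):
                findings.append(f"{key}: hex-only value name {name}")

    # win.ini-era autoruns that are normally absent.
    legacy = snapshot.get(HKCU_WINDOWS, {})
    for name in ("load", "run"):
        if legacy.get(name, "").strip():
            findings.append(f"HKCU Windows\\{name} autorun: {legacy[name]}")

    # A Run value named like the real userinit, or one pointing into AppPatch.
    for name, data in snapshot.get(HKCU_RUN, {}).items():
        if name.lower() == "userinit" or "\\apppatch\\" in data.lower():
            findings.append(f"HKCU Run\\{name}: {data}")
    return findings


# Constructed snapshots (not captured from a real host).
CLEAN: Snapshot = {
    WINLOGON: {"Shell": "explorer.exe",
               "Userinit": r"C:\Windows\system32\userinit.exe,"},
}
INFECTED: Snapshot = {
    HKLM_MS: {"67497551a": "placeholder"},
    WINLOGON: {
        "Shell": "explorer.exe",
        "Userinit": r"C:\Windows\system32\userinit.exe,C:\Windows\AppPatch\ffiqrh.exe,",
        "System": r"C:\Windows\AppPatch\ffiqrh.exe",
        "98b68e3c": "placeholder",
    },
    HKCU_WINDOWS: {"load": r"C:\Windows\AppPatch\ffiqrh.exe",
                   "run": r"C:\Windows\AppPatch\ffiqrh.exe"},
    HKCU_RUN: {"userinit": r"C:\Windows\AppPatch\ffiqrh.exe"},
}

if __name__ == "__main__":
    for finding in check_shiz_persistence(INFECTED):
        print(finding)
```

The Userinit check is the one worth keeping even outside this campaign: the value is a list, so an attacker appends rather than replaces, and the logon still works normally, which is why a plain "does Userinit equal the default" comparison is the right shape of test.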

File Hashes

15e38b549194635dbbce0ddc2fa97744992498292843924d0ef12fb1804a285c 90fb3fc2fa229953c808954a8eec46b36f1edc0f41ab088c82ea755ffa3c43c2 9ca9c80c7aef1de747e8fb0fbe2fdabe0242862341eac562799b96f94830bd7a a798d57162ee4fac07d2e23a16f9d0557d39f6c615a33add2a8f570177ae250e b45da6a6c26ccecac46deeceed64bea1dc7753ebbd6fb93ad33048e0f8587f95 ba8e2507b98e11681912eb982779c5791bfd084f1683d0ec211f187c04444b4b bf6c06b4720c871f38fe90fc4c2dd2a17fd3879b37668facd78f433309123094 c0b1f1dcd503c8e254cbc80478848db14d2ab731df0a3d3cd185d5df43727d54 cab99b6945c6ee017c2297f13f5962ff2be066c3c9f4b812f1183334ab133de0 cefb5097f6431abfd8ecaa842f8fd18e7c37b585c90ed7dab5cc58c985f327ce d736eb2fa68eb8da82c3823e90bee6fb374f00d59b5ce26df9a8f8f6e807bf39 e4c8b631c928eec873f54c2811315e48962a8f5e067e3f820e22fbfbb04755eb e7df207595977cf6802d5d039c76a91ace32521f290d115c06325bb8a72ce18e ea0ea261f2a0211dc179b23bf18609749df13f024db3384cf1f7f54d09a3e21d ea9b003f2dd1f2293add17f6607370a130d3efff27d55c5068c7ac8abcbfb76b eeb8342fd7c3ee5b7bb9b714899dc0b2b97597562022015b9d1d2464e7cd55d3 fce2a9dee62b71966aca7874ff8f37066a0323c73e5e524162b36b114a92894f fdbae139d64ee88eacf6ade8b366666432bc944430ab7dd0cf1af7156cb7d316

Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection: AMP, ThreatGrid, Umbrella

Exploit Prevention

Cisco AMP for Endpoints protects users from a variety of malware functions with exploit prevention. Exploit prevention helps defend endpoints against the in-memory attacks commonly used by obfuscated malware and exploits. These techniques are designed to bypass traditional file-scanning anti-virus software; AMP blocks them by monitoring process memory and behaviour rather than file contents, which also gives protection against exploitation of vulnerabilities for which no patch or signature yet exists.
CVE-2019-0708 detected - (1553)
An attempt to exploit CVE-2019-0708 has been detected. The vulnerability, dubbed BlueKeep, is a heap memory corruption (a use-after-free in the RDP kernel driver termdd.sys) that can be triggered by sending a specially crafted Remote Desktop Protocol (RDP) request. Because it is reachable before authentication and allows remote code execution, it can be used by worms to spread automatically with no human interaction. Microsoft released patches in May 2019, including for the out-of-support Windows XP and Server 2003; hosts that still expose RDP (TCP 3389) should be patched. Enabling Network Level Authentication requires clients to authenticate before the vulnerable code path is reached, so it is a partial mitigation only.
Kovter injection detected - (1465)
A process was injected into, most likely by an existing Kovter infection. Kovter is a click-fraud Trojan that can also act as an information stealer. Kovter is also file-less: its malicious payload is stored in the Windows registry rather than on disk and is decoded and injected directly into memory using PowerShell. It can detect and report the presence of monitoring software such as Wireshark and sandboxes to its C2. It spreads through malicious advertising and spam campaigns.
Process hollowing detected - (1288)
Process hollowing is a technique used by malware to run its payload under the name of a legitimate process and to keep the unpacked payload off disk, where static analysis would see it. In typical usage, the parent process unpacks its obfuscated or encrypted payload into its own memory, then launches a legitimate child process (often a copy of a system binary) in a suspended state. Before the child's first thread is resumed, the parent unmaps the child's original image, writes the unpacked payload in its place, points the thread's context at the payload's entry point and resumes the thread, so the payload runs inside a process that looks legitimate to tools that go by image name.
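Seen from endpoint telemetry, that sequence has a distinctive shape: CreateProcess with CREATE_SUSPENDED, optionally NtUnmapViewOfSection on the child, WriteProcessMemory into it, SetThreadContext on its primary thread, then ResumeThread. The following added example (not Cisco AMP code, whose implementation this page does not describe) runs that sequence check over a constructed API trace. The ApiCall record format, in which thread handles are resolved to their owning process, is an assumption made for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

CREATE_SUSPENDED = 0x00000004  # dwCreationFlags bit passed to CreateProcess*


@dataclass
class ApiCall:
    """One entry of a constructed per-process API trace (assumed format)."""
    pid: int          # process making the call
    api: str          # API name as logged
    target_pid: int   # process the handle argument refers to (thread handles
                      # are resolved to their owning process); 0 if none
    flags: int = 0    # dwCreationFlags for CreateProcess*, otherwise 0


def detect_hollowing(trace: List[ApiCall]) -> List[Dict[str, object]]:
    """Flag (parent, child) pairs whose startup matches the hollowing sequence:
    create suspended -> [unmap image] -> write payload -> set thread context -> resume.
    The unmap step is optional; its presence raises confidence."""
    tracked: Dict[Tuple[int, int], Dict[str, bool]] = {}
    findings: List[Dict[str, object]] = []
    for call in trace:
        key = (call.pid, call.target_pid)
        if call.api.startswith("CreateProcess"):
            # Only a suspended child can be hollowed before it runs.
            if call.flags & CREATE_SUSPENDED:
                tracked[key] = {"unmapped": False, "written": False, "context_set": False}
            continue
        state = tracked.get(key)
        if state is None:
            continue
        if call.api in ("NtUnmapViewOfSection", "ZwUnmapViewOfSection"):
            state["unmapped"] = True
        elif call.api == "WriteProcessMemory":
            state["written"] = True
        elif call.api in ("SetThreadContext", "NtSetContextThread") and state["written"]:
            # Redirecting the thread only counts after something was written.
            state["context_set"] = True
        elif call.api in ("ResumeThread", "NtResumeThread"):
            if state["written"] and state["context_set"]:
                findings.append({"parent": call.pid, "child": call.target_pid,
                                 "confidence": "high" if state["unmapped"] else "medium"})
            del tracked[key]  # child is running now; nothing more to decide
    return findings


# Constructed trace (not captured from a real host).
SAMPLE_TRACE = [
    # Debugger-style start: suspended create, then resume with no tampering.
    ApiCall(100, "CreateProcessW", 200, CREATE_SUSPENDED),
    ApiCall(100, "ResumeThread", 200),
    # Classic hollowing of a freshly created child.
    ApiCall(300, "CreateProcessW", 400, CREATE_SUSPENDED),
    ApiCall(300, "NtUnmapViewOfSection", 400),
    ApiCall(300, "VirtualAllocEx", 400),
    ApiCall(300, "WriteProcessMemory", 400),
    ApiCall(300, "WriteProcessMemory", 400),
    ApiCall(300, "SetThreadContext", 400),
    ApiCall(300, "ResumeThread", 400),
    # Variant that overwrites in place without unmapping the original image.
    ApiCall(500, "CreateProcessA", 600, CREATE_SUSPENDED),
    ApiCall(500, "WriteProcessMemory", 600),
    ApiCall(500, "SetThreadContext", 600),
    ApiCall(500, "ResumeThread", 600),
]

if __name__ == "__main__":
    for finding in detect_hollowing(SAMPLE_TRACE):
        print(finding)
```

A suspended create on its own is not a signal; debuggers, some installers and security products all do it. The discriminator is a write into the child followed by SetThreadContext before the first resume, which is why the check keys on that pair and only uses the unmap as a confidence boost. Variants that map a new section into the child or patch the original entry point instead of changing the thread context need additional rules.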
Madshi injection detected - (1157)
Madshi (madCodeHook) is a code-injection framework used by a number of security products; it falls back to process injection to start a new thread when other methods of starting a thread inside the target process fail. Malware can use the same technique, so this detection should be checked against the legitimate software installed on the host before it is treated as an infection.
Trickbot malware detected - (742)
Trickbot is a banking Trojan that first appeared in late 2016. Because of the similarities between Trickbot and Dyre, some of the individuals responsible for Dyre are suspected of being behind Trickbot. Trickbot has evolved rapidly since it appeared, although it still lacks some of the capabilities Dyre had. Its current modules include DLL injection, system information gathering and email searching.
Dealply adware detected - (417)
DealPly is adware that claims to improve the user's online shopping experience. It is often bundled into otherwise legitimate installers and is difficult to uninstall. It creates pop-up advertisements and injects advertisements into web pages. Adware of this kind has also been known to download and install malware.
Gamarue malware detected - (151)
Gamarue is a family of malware that can download files and steal information from an infected system. Worm variants of the Gamarue family may spread by infecting USB drives or portable hard disks that have been plugged into a compromised system.
Installcore adware detected - (75)
InstallCore is an installer that bundles legitimate applications with offers for additional third-party applications that may be unwanted. The unwanted applications are often adware that displays advertising as pop-ups or by injecting into browsers and adding or altering advertisements on web pages. Adware of this kind is known to sometimes download and install malware.
Excessively long PowerShell command detected - (72)
A PowerShell command with a very long command-line argument, which may indicate an obfuscated script, has been detected. PowerShell is an extensible Windows scripting language present on all modern versions of Windows. Malware authors use PowerShell in an attempt to evade security software or other monitoring that is not tuned to detect PowerShell-based threats.
PowerShell file-less infection detected - (67)
A PowerShell command was stored in an environment variable and then executed. The environment variable is typically set by a previously run script, and reading the command from it rather than from a script file on disk is a means of evasion. This behaviour is a known tactic of the Kovter and Poweliks malware families.
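Both PowerShell detections above can be approximated from process-creation events alone: a command line over a length threshold, and a script body that is pulled out of an environment variable ($env:NAME, %NAME% or [Environment]::GetEnvironmentVariable) and handed to Invoke-Expression. The second check is repeated on the decoded body of any -EncodedCommand argument, because the body is otherwise invisible in the raw command line. The following added example (not AMP's own logic) applies both heuristics to constructed events; the 1000-character threshold and the variable name qwe123 are assumptions chosen for illustration, and the encoded sample is built inside the block.

```python
import base64
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed threshold: tune it against a baseline of legitimate PowerShell use.
LONG_CMDLINE = 1000

# Ways a script can fetch its body from an environment variable.
ENV_READ = [
    re.compile(r"\$env:\w+", re.IGNORECASE),
    re.compile(r"\[Environment\]::GetEnvironmentVariable", re.IGNORECASE),
    re.compile(r"%\w+%"),
]
INVOKE = re.compile(r"\b(?:iex|invoke-expression)\b", re.IGNORECASE)
# powershell.exe accepts -e, -ec, -en, -enc ... -EncodedCommand as the same switch.
ENCODED = re.compile(r"(?:^|\s)-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


@dataclass
class ProcessEvent:
    """Minimal process-creation record (assumed format)."""
    image: str
    command_line: str


def decode_encoded_command(command_line: str) -> Optional[str]:
    """Plaintext of an -EncodedCommand argument (base64 of UTF-16LE), or None."""
    m = ENCODED.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le", errors="replace")
    except (ValueError, UnicodeDecodeError):
        return None


def analyse_powershell(ev: ProcessEvent) -> Dict[str, object]:
    """Return the reasons this event looks like the two detections above."""
    image = ev.image.lower()
    if "powershell" not in image and "pwsh" not in image:
        return {"suspicious": False, "reasons": [], "decoded": None}
    decoded = decode_encoded_command(ev.command_line)
    # Inspect the raw command line and, when present, the decoded script body.
    texts = [ev.command_line] + ([decoded] if decoded else [])
    reads_env = any(p.search(t) for p in ENV_READ for t in texts)
    invokes = any(INVOKE.search(t) for t in texts)
    reasons: List[str] = []
    if len(ev.command_line) > LONG_CMDLINE:
        reasons.append("excessively long command line")
    if reads_env and invokes:
        reasons.append("executes script body taken from an environment variable")
    # An encoded command on its own is common in legitimate management tooling,
    # so it is reported for context rather than counted as a reason.
    return {"suspicious": bool(reasons), "reasons": reasons, "decoded": decoded}


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed events (not captured from a real host).
ENCODED_BODY = "iex ([Environment]::GetEnvironmentVariable('qwe123','Process'))"
SAMPLE_EVENTS = [
    ProcessEvent(PS, r"powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"),
    ProcessEvent(PS, 'powershell.exe -w hidden -nop -c "iex $env:qwe123"'),
    ProcessEvent(PS, "powershell.exe -NoP -EncodedCommand "
                     + base64.b64encode(ENCODED_BODY.encode("utf-16-le")).decode()),
    ProcessEvent(PS, 'powershell.exe -c "' + "$a='x';" * 300 + '"'),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(analyse_powershell(ev)["reasons"])
```

The length rule is deliberately crude; what makes it usable is the baseline. Measure the longest PowerShell command lines your management tooling legitimately produces before setting LONG_CMDLINE, and treat the environment-variable rule, which has far fewer benign hits, as the higher-fidelity of the two.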
