Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Aug. 9 and Aug. 16. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.
As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.
For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. As always, please remember that all IOCs contained in this document are indicators, and one single IOC does not indicated maliciousness. The most prevalent threats highlighted in this roundup are:
Threat Name Type Description Win.Packed.njRAT-7122661-1
Packed
njRAT, also known as Bladabindi, is a remote access trojan (RAT) that allows attackers to execute commands on the infected host, log keystrokes and remotely turn on the victim's webcam and microphone. njRAT was developed by the Sparclyheason group. Some of the largest attacks using this malware date back to 2014.
Win.Malware.HawkEye-7122916-2
Malware
HawkEye is an information stealing malware that specifically targets usernames and passwords stored by web browsers and mail clients on an infected machine. It is commonly spread via email and can also propagate through removable media.
Win.Malware.Cybergate-7114776-1
Malware
Cybergate, also known as Rebhip, is a Remote Access Trojan that allows attackers to fully control the target system. Functionality includes command shell interaction, screenshot capturing, audio/video capturing, keylogging, as well as uploading/downloading files from the target system.
Win.Malware.Nymaim-7112030-1
Malware
Nymaim is malware that can be used to deliver ransomware and other malicious payloads. It uses a domain generation algorithm to generate potential command and control (C2) domains to connect to additional payloads.
Win.Malware.Tofsee-7112026-1
Malware
Tofsee is multi-purpose malware that features a number of modules used to carry out various activities, such as sending spam messages, conducting click fraud, mining cryptocurrency, and more. Infected systems become part of the Tofsee spam botnet and are used to send large volumes of spam messages in an effort to infect additional systems and increase the overall size of the botnet under the operator’s control.
Win.Malware.Trickbot-7112005-1
Malware
Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB scripts.
Win.Malware.Gh0stRAT-7109635-2
Malware
Gh0stRAT is a well-known family of remote access trojans designed to provide an attacker with complete control over an infected system. Capabilities include monitoring keystrokes, collecting video footage from the webcam, and uploading/executing follow-on malware. The source code for Gh0stRAT has been publicly available on the Internet for years, significantly lowering the barrier for actors to modify and reuse the code in new attacks.
Win.Packed.Zeroaccess-7109532-0
Packed
ZeroAccess is a trojan that infects Windows systems, installing a rootkit to hide its presence on the affected machine and serves as a platform for conducting click fraud campaigns.
Win.Trojan.Shiz-7108197-0
Trojan
Shiz is a remote access trojan that allows an attacker to access an infected machine in order to harvest sensitive information. It is commonly spread via droppers or by visiting a malicious site.
Threat Breakdown Win.Packed.njRAT-7122661-1 Indicators of Compromise Registry Keys Occurrences <HKU>\S-1-5-21-2580483871-590521980-3826313501-500
Value Name: di
18
<HKCU>\ENVIRONMENT
Value Name: SEE_MASK_NOZONECHECKS
18
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
Value Name: ParseAutoexec
18
<HKCU>\SOFTWARE\91DFFF70961506A1564FE50B6195DEAD
18
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: 91dfff70961506a1564fe50b6195dead
18
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: 91dfff70961506a1564fe50b6195dead
18
<HKCU>\SOFTWARE\91DFFF70961506A1564FE50B6195DEAD
Value Name: [kl]
18
Mutexes Occurrences 91dfff70961506a1564fe50b6195dead
18
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences 187[.]4[.]28[.]100
15
189[.]10[.]170[.]195
3
Domain Names contacted by malware. Does not indicate maliciousness Occurrences aab58[.]ddns[.]net
18
Files and or directories created Occurrences %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\91dfff70961506a1564fe50b6195dead.exe
18
%TEMP%\iexpress32.exe
18
File Hashes 082411fe51dee3bbd6a97833be2f4dcaed2baac2497719384d583ecf10543032
187d82724fbe8fc09023fe8a5bb734acb8eda95cff5e7f80b2481161224539c0
4577dfba3c8f21b0d617fcf22c23e26cc09e7bdbe9b33da561632f8fb94e3e2b
4aa27fd43e7d7bc052b82dcf0b5354c4df80e53cc5a57a73a6ae54665e96f688
4ff742c0e90c295e97e2db692f30435d987ad34deaeafec1ea0772d958c1bb02
5986cbe8265a3a289e5854c5996adce4e415b966d2967b77056fb5f64a2d37ef
606ffb24b488b0d9fb5646779f2806795f836ad1af7565bf8fcc0147318e17a5
60dbc16e6c6f7b338374f48dfa19fb0946275982b021d25370cad3bbc27e303b
95ba99bc91142b433da3a42eaaeefb1ce2a7abe93f2d8816b931eaccff600192
9b7a41fc9ccb0392a9d609fcb583e3b966ed713732342822898ac6d560d569b1
9ec10adc83de49e13e491384047b11e40f2b7567991a11ab03a9703899ab55f0
b168b7b5acf2cb602aacb9c737a9a6e252461e7a4f2a4c0c1eab2fdbd36fdd7a
c2d48bfb920ccc59958d456262b6313d6c1246790e1ad0270ea775665e411dac
e81f03b9fcfb674248f670d60be4918781bc0c6d6b343f890c2c2fcab15d7ea0
eac06f1399c63d11fb621d348a2a8fb6256262639d239b142092fde76a684eff
f0eb05bd16881de42de9a63d54164a9bc68f6f6ea1dcbf5a14a1325c018a4584
f446642655c929d6b069a874364d6da67a6d07f4a2a5f78a77087fb2f1f243aa
fe84c213aa4643ba68eeca9e6af567aa809a6c0a3d2b0f9f5fa13aba4033a5de
Coverage Product Protection Amp
Cloudlock
N/A
Cws
Email Security
Network Security
Stealthwatch
N/A
Stealthwatch Cloud
N/A
Threat Grid
Umbrella
N/A
Wsa
Screenshots of Detection AMP ThreatGrid Win.Malware.HawkEye-7122916-2 Indicators of Compromise Registry Keys Occurrences <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED
Value Name: Hidden
11
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Windows Update
3
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: Registry Key Name
1
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences 104[.]16[.]155[.]36
7
104[.]16[.]154[.]36
4
93[.]158[.]134[.]38
2
87[.]250[.]250[.]38
1
136[.]143[.]191[.]189
1
Domain Names contacted by malware. Does not indicate maliciousness Occurrences whatismyipaddress[.]com
11
smtp[.]yandex[.]com
3
smtp[.]zoho[.]com
1
Files and or directories created Occurrences %TEMP%\holdermail.txt
11
%APPDATA%\pid.txt
11
%APPDATA%\pidloc.txt
11
%TEMP%\<random, matching '[a-z]{3}[A-F0-9]{3,4}'>.tmp
11
\Sys.exe
9
\autorun.inf
9
E:\autorun.inf
9
E:\Sys.exe
9
%TEMP%\holderwb.txt
8
%TEMP%\SysInfo.txt
8
%APPDATA%\Windows Update.exe
8
%APPDATA%\WindowsUpdate.exe
3
%TEMP%\subfolder
1
%TEMP%\subfolder\filename.exe
1
%TEMP%\subfolder\filename.vbs
1
File Hashes 0360cd478f78ed02dc9cebf82d31721fbc6915b0201900cd922e59ccc32f6038
04e3d5854d00d835e206b0982889a079e3710296d33ed1ebdaf349b4bbcf790a
1c38e7e3f9a7277e60399523a664c73ad1e950de5ab59981f6ce77c908403448
49d6cfdd06d8d9a234f5e59849b47199e52a0355479563c76896edd91ca7c04e
621448e4a383b6bcba18f2b522331c6f79764db97a73d596d92308f36a2b5add
7da2b98047bf4812b37f670b7a75b1b0ccd414802a3c59e564fe0437d23964da
939b12fcce7c902fff5730a6cde141311baf0a322e9334cf1dd13230c68e7794
b23e50aa8217e033f01bfe6c52e651a3d169a202e6949a4d0d7c5a4ad145a857
d187fe363c737c1c3babe56649a39a1dc1d0da4cc7aef65e4782ba0c801e5079
d5a45f2dac9346b72a23fe10c07dc4ce234e7e577fd6c2e471464276651df1f9
e584d0e379aa3fcb0c7f9de3106ae4234d88ceca407a9645a4edcf57b9202cce
Coverage Product Protection Amp
Cloudlock
N/A
Cws
Email Security
Network Security
N/A
Stealthwatch
N/A
Stealthwatch Cloud
N/A
Threat Grid
Umbrella
N/A
Wsa
N/A
Screenshots of Detection AMP ThreatGrid Win.Malware.Cybergate-7114776-1 Indicators of Compromise Registry Keys Occurrences <HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN
13
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN
13
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN
Value Name: MSQM
12
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN
Value Name: MSQM
12
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Realtek Audio
12
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Adobe Starter
12
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{0H0N0B4G-P8H0-63SU-QBB1-QXKN5M1261DQ}
2
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{0H0N0B4G-P8H0-63SU-QBB1-QXKN5M1261DQ}
Value Name: StubPath
2
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{1C7T55HW-D326-IWQK-6087-652774G5V2RN}
2
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{1C7T55HW-D326-IWQK-6087-652774G5V2RN}
Value Name: StubPath
2
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{0KWTNM33-D745-1P14-D1BA-224TD37L2DP8}
1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{86TIP765-B0E5-AB86-L87O-3R28QFSJGN0J}
1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN
Value Name: Policies
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN
Value Name: Policies
1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Audio
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Audio
1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{0KWTNM33-D745-1P14-D1BA-224TD37L2DP8}
Value Name: StubPath
1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{86TIP765-B0E5-AB86-L87O-3R28QFSJGN0J}
Value Name: StubPath
1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{6W6SH85E-GESR-7C8G-187D-4M6664523332}
1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{6W6SH85E-GESR-7C8G-187D-4M6664523332}
Value Name: StubPath
1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{G718OU16-FJJG-TVIB-LQ35-WINSRC80H3GD}
1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{G718OU16-FJJG-TVIB-LQ35-WINSRC80H3GD}
Value Name: StubPath
1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{41LU5C5I-NQ05-2KS6-7E2G-P3AD1GREFY8T}
1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{41LU5C5I-NQ05-2KS6-7E2G-P3AD1GREFY8T}
Value Name: StubPath
1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{216555Q4-64KR-BMG3-55K7-2354V88S0LSE}
1
Mutexes Occurrences _x_X_BLOCKMOUSE_X_x_
13
_x_X_PASSWORDLIST_X_x_
13
_x_X_UPDATE_X_x_
13
Pluguin
12
Pluguin_PERSIST
12
Pluguin_SAIR
12
***MUTEX***
1
***MUTEX***_PERSIST
1
***MUTEX***_SAIR
1
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences 187[.]58[.]232[.]18
12
52[.]8[.]126[.]80
1
Domain Names contacted by malware. Does not indicate maliciousness Occurrences rainoide[.]no-ip[.]org
12
www[.]server[.]com
1
Files and or directories created Occurrences %TEMP%\XX--XX--XX.txt
13
%TEMP%\UuU.uUu
13
%TEMP%\XxX.xXx
13
%APPDATA%\logs.dat
13
%SystemRoot%\SysWOW64\Microsoft
13
%SystemRoot%\SysWOW64\Microsoft\svchost.exe
12
%SystemRoot%\SysWOW64\Microsoft\svchost
1
File Hashes 19f9ab1a6f01c5bb060fd865f165d48789f6b6c561960071823b6fcfbddc733b
40fc7ace7357cb61cb7ad47e655d7d33c0952cbea1fae151f969eca85deea68d
6b185c176128cf98a5241c3d10d0486cb3b4c3a8877d7831beed7088b688ee93
889728767005bed83d50f8ac92d4f8685be74f71155537c011dbdfb5da861b26
949809f505011d5b9aacc19fde3bead211004bce92921a460afe8e8f57b92923
ad8f56bddd8a0cae565c243ff0e4422781f78cc3033763d2a9100e32c2ffe98c
b3b914069bb60dab4a0679f912c43f77a3c4bf71804fcbd5085646336dc41908
b3ded4b6a12a5a232816b33546167fa3e90eb78ac2876d1c6b4adaad4b75abc1
c5d0479add616c17dfdef957dc106522ff40bebd08ab070b0941474715a29dfb
c7f2645df614351360457a892f9849df80155330e10449d4448d357c3d717ceb
dc416c86df2bad0adde036bda83db1fbcac13036a2ea7f73453597e7a3d5788c
ee13ecb06987aeef5bef6de64e0e5439b44f07f9f0783d8cdb6ace3fa950a6a1
f2a2dc50a052bc4a25cc8fcdd235d89286fec24beede6f6cb78b7641162bec0e
Coverage Product Protection Amp
Cloudlock
N/A
Cws
Email Security
Network Security
N/A
Stealthwatch
N/A
Stealthwatch Cloud
N/A
Threat Grid
Umbrella
N/A
Wsa
N/A
Screenshots of Detection AMP ThreatGrid Win.Malware.Nymaim-7112030-1 Indicators of Compromise Registry Keys Occurrences <HKCU>\SOFTWARE\MICROSOFT\GOCFK
25
<HKCU>\SOFTWARE\MICROSOFT\GOCFK
Value Name: mbijg
25
Mutexes Occurrences Local\{369514D7-C789-5986-2D19-AB81D1DD3BA1}
25
Local\{D0BDC0D1-57A4-C2CF-6C93-0085B58FFA2A}
25
Local\{F04311D2-A565-19AE-AB73-281BA7FE97B5}
25
Local\{F6F578C7-92FE-B7B1-40CF-049F3710A368}
25
Local\{306BA354-8414-ABA3-77E9-7A7F347C71F4}
25
Local\{F58B5142-BC49-9662-B172-EA3D10CAA47A}
25
Local\{C170B740-57D9-9B0B-7A4E-7D6ABFCDE15D}
25
Local\{B888AC68-15DA-9362-2153-60CCDE3753D5}
25
Local\{2DB629D3-9CAA-6933-9C2E-D40B0ACCAC9E}
25
Domain Names contacted by malware. Does not indicate maliciousness Occurrences grkokxuhgk[.]net
24
utjawtkqtw[.]com
24
glgythylattw[.]in
24
xdqhf[.]com
24
kcrrrqnoan[.]com
24
bweyobzofdy[.]com
24
xukgvscceju[.]in
24
luewnrtwhigf[.]in
24
zwhgvnfdb[.]com
24
bxsfawcpsgwl[.]com
24
hwhskkbdlc[.]in
24
uxwauildd[.]pw
24
cogkyi[.]com
24
tqsxnfi[.]net
24
jvelkgcftqy[.]pw
24
uihmdwnvp[.]com
1
wnucbhflcr[.]in
1
bpgfuc[.]in
1
zrhqhmghjx[.]com
1
sdwnmtsxtjcf[.]pw
1
rfvztqxsfiz[.]net
1
cofuvrdr[.]in
1
kdhlszxotsd[.]in
1
arnkxqhjjs[.]in
1
fanshg[.]in
1
*See JSON for more IOCs
Files and or directories created Occurrences %ProgramData%\ph
25
%ProgramData%\ph\fktiipx.ftf
25
%TEMP%\gocf.ksv
25
%ProgramData%\<random, matching '[a-z0-9]{3,7}'>
25
%APPDATA%\<random, matching '[a-z0-9]{3,7}'>
25
%LOCALAPPDATA%\<random, matching '[a-z0-9]{3,7}'>
25
%TEMP%\fro.dfx
23
\Documents and Settings\All Users\pxs\pil.ohu
23
%TEMP%\bpnb.skg
4
File Hashes 01fbd952fe57f673aea818e12a0aa675c9e29e1ba0f85d28645a926f3df4f7f4
028423fc9b5fb8f3fc0f985e43b703ce05e69a3828f7152dda5d6e6bc3175da7
05263f754c5456ad772dd2448b85e9fefd1c4204f12391d8068bcba7cc388c53
0b51bc5550062212ed1ac0a7099235e2fd0296b93446106b0220fab519fd634e
143c9de178660a194d5e22ba45bd7d1d56d3f286eb16ff9a1206cbbecaf811a1
2dbd752e0cb2b3b1d20fa8e714281b8856fc121b4a2670937f7956f90dfe9ecd
3180f041ff1ccd52f829f222e5d124935a11bc3aa9fc908e3ce93f84e1ec49dc
3f88dae29802bbbd85c175ce34b40b4bf34f884768b6669a91981f374bd1cd1f
441649516eb75a61f2ca4d0570dd2e201c6528b452ce7bc04c5120a5b36ee090
485e521ef0299ede43da514cdf8992bddc95529209889e562d0cab884bf71cdd
54875c46bc6795dd22af5760a5452f3814a5b6827ed996d6a475ec95b9107626
645c58460c7d1b0ef4769d505492eb5a9bba5efadf9f6a456313df72bf706eda
6802f2b005b9e02f395117ce2f753d98d239d9271825871105cca11f86764ada
8519328e272602bc7117a7c9da2c00e40e8d45a97528ed3fa7c86f2fdeb9b679
862346823cef73fdd9a155b84edb2feb180a61390a3817ef97fa272cb01d7994
95556cf5e5a160d2940014413d4948bc4877a127ce142bf27a7295ca212e48ae
991bd9883c36b2fdf326418d6ec660c6a5d57e88f2355a49a5c69b2490c848b3
9d30abaa088f71f0914d083a8c6232e37e1fb13bdb495c6d3b1485b50f764e42
b0eb5e5599605584271a1513740039d6cfc363d7203e8654d9ece9d7df1b06a2
bc11794224c3dba73fefc8be9bea7ddc8782db3e3173467a1726e02588e56019
c3120a24f20ecedf04b17c71bc7f1588d1daa776ea66b1b85f713ffe7136c944
c9017faf332ab5c93fadda86db30d7e6b6a67afd6aa0cf1334b1744e16497b69
d0f6e3867416053747e82117e4cf5b5dd1a0f573316ddf6d1716465726bbb215
e1797282c01e2bcf9e03707136cfc60bfdee5818cb1ec59984befd55de4c6719
eae1547bca1f3c4425f9ea295ee6cebef5a6815ed6348107cb23cccbfd8fb1e0
*See JSON for more IOCs
Coverage Product Protection Amp
Cloudlock
N/A
Cws
Email Security
Network Security
Stealthwatch
N/A
Stealthwatch Cloud
N/A
Threat Grid
Umbrella
Wsa
Screenshots of Detection AMP ThreatGrid Umbrella Win.Malware.Tofsee-7112026-1 Indicators of Compromise Registry Keys Occurrences <HKU>\.DEFAULT\CONTROL PANEL\BUSES
Value Name: Config3
16
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: Type
16
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: Start
16
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: ErrorControl
16
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: DisplayName
16
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: WOW64
16
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: ObjectName
16
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: Description
16
<HKU>\.DEFAULT\CONTROL PANEL\BUSES
16
<HKU>\.DEFAULT\CONTROL PANEL\BUSES
Value Name: Config0
16
<HKU>\.DEFAULT\CONTROL PANEL\BUSES
Value Name: Config1
16
<HKU>\.DEFAULT\CONTROL PANEL\BUSES
Value Name: Config2
16
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
16
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: ImagePath
10
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\ibpvucix
3
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\tmagfnti
2
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\vocihpvk
2
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\fymsrzfu
2
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\qjxdckqf
2
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\haoutbhw
1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\piwcbjpe
1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\slzfemsh
1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\yrflksyn
1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\cvjpowcr
1
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences 239[.]255[.]255[.]250
16
69[.]55[.]5[.]250
16
172[.]217[.]11[.]36
16
46[.]4[.]52[.]109
16
176[.]111[.]49[.]43
16
85[.]25[.]119[.]25
16
144[.]76[.]199[.]2
16
144[.]76[.]199[.]43
16
43[.]231[.]4[.]7
16
192[.]0[.]47[.]59
16
74[.]6[.]137[.]65
16
172[.]217[.]7[.]132
16
98[.]137[.]159[.]27
16
95[.]181[.]178[.]17
16
168[.]95[.]5[.]116
15
74[.]125[.]141[.]27
15
74[.]125[.]193[.]26
15
67[.]195[.]228[.]109
14
212[.]82[.]101[.]46
13
168[.]95[.]5[.]216
13
67[.]195[.]228[.]111
13
67[.]195[.]230[.]36
13
69[.]31[.]136[.]5
12
212[.]227[.]17[.]8
12
213[.]209[.]1[.]129
12
*See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousness Occurrences 250[.]5[.]55[.]69[.]in-addr[.]arpa
16
250[.]5[.]55[.]69[.]zen[.]spamhaus[.]org
16
250[.]5[.]55[.]69[.]cbl[.]abuseat[.]org
16
mta5[.]am0[.]yahoodns[.]net
16
250[.]5[.]55[.]69[.]dnsbl[.]sorbs[.]net
16
whois[.]iana[.]org
16
250[.]5[.]55[.]69[.]bl[.]spamcop[.]net
16
whois[.]arin[.]net
16
250[.]5[.]55[.]69[.]sbl-xbl[.]spamhaus[.]org
16
microsoft-com[.]mail[.]protection[.]outlook[.]com
16
honeypus[.]rusladies[.]cn
16
marina99[.]ruladies[.]cn
16
sexual-pattern3[.]com
16
coolsex-finders5[.]com
16
super-efectindating1[.]com
16
msx-smtp-mx1[.]hinet[.]net
15
hotmail-com[.]olc[.]protection[.]outlook[.]com
14
msx-smtp-mx2[.]hinet[.]net
14
mx-eu[.]mail[.]am0[.]yahoodns[.]net
13
mx-aol[.]mail[.]gm0[.]yahoodns[.]net
13
eur[.]olc[.]protection[.]outlook[.]com
13
web[.]de
12
etb-1[.]mail[.]tiscali[.]it
12
mx-ha02[.]web[.]de
12
msa[.]hinet[.]net
12
*See JSON for more IOCs
Files and or directories created Occurrences %HOMEPATH%
16
%SystemRoot%\SysWOW64\config\systemprofile
16
%SystemRoot%\SysWOW64\config\systemprofile:.repos
16
%TEMP%\<random, matching '[a-z]{8}'>.exe
16
%SystemRoot%\SysWOW64\<random, matching '[a-z]{8}'>
16
%System32%\<random, matching '[a-z]{8}\[a-z]{6,8}'>.exe (copy)
16
%TEMP%\edtpwsx.exe
1
%TEMP%\ondzgch.exe
1
File Hashes 1c331b81428107c325673ea4b19acdff598772d9e1069e09ca92cb88d223c326
1c916b795f49331678816ef6cfba0dbdbddd4b92a421e086ab2fe2ea095d10e9
398c23230679c69942c5d64c7aaf0e9e8ca3434d54559871f3a3a24fbd9ffa3c
4d660a6519c258074627f7d30a4878e15a4e621bd79f21a34f4550c54ef38c4e
5f4bd5a0728432e4731b9d2606bacb05d7c6f10ad926735f3e4d9dee10791f85
7d96ef5dfba65346fa3ffbcd23016f21e0a523e2215e963f21cc8c939c2e35a0
9bf983cc999b2a3bd029e21e445bca85853b58d66247c7221157fab41fbd19d8
9e5897942fac812b74be41b06b5e1cd1ff4e9fd9b71d10aadca3d5f368cda0d1
a8adbab4a72506f7343b7ff78a028fd26ec944a1d4de846ee0bf9651196d7724
a8f74812b66b89f9c0450b2f565d3ba2b417e7e10514618c3306de37749af886
ad34ec4764147faaee82935e142eedfe5569f88ef81195281539075a0f3c91ac
b4f6aa14eb833c83413f72a4e901d0e92c7da45828c5438594693f68c2a3ebfe
b75a2838b93b6ec47b27bd5c9798386775e9a3dfcac5c3562a7ff139eaa14ce3
be8a71e6dfa63485be4a848cf6d0bc1da15b20fb9735e0c0ed08e346840096e0
d62553c4ef53220d32af9e5eb1a0accca3ca6aac7e9f3539119fec0718edd65b
f095b72dc6ba5c3c3f2e410d0f1766a8f6ebbecec1a4914b957f9a7225cc6c00
Coverage Product Protection Amp
Cloudlock
N/A
Cws
Email Security
Network Security
N/A
Stealthwatch
N/A
Stealthwatch Cloud
N/A
Threat Grid
Umbrella
Wsa
Screenshots of Detection AMP ThreatGrid Umbrella Win.Malware.Trickbot-7112005-1 Indicators of Compromise Registry Keys Occurrences <HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\AUTHROOT\CERTIFICATES\DAC9024F54D8F6DF94935FB1732638CA6AD77C13
Value Name: Blob
3
Mutexes Occurrences Global\VLock
25
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences 116[.]203[.]16[.]95
6
216[.]239[.]34[.]21
5
194[.]87[.]92[.]184
4
188[.]137[.]122[.]83
4
185[.]158[.]115[.]75
4
185[.]158[.]115[.]49
4
216[.]239[.]32[.]21
3
216[.]239[.]38[.]21
3
216[.]239[.]36[.]21
3
185[.]158[.]115[.]87
3
188[.]137[.]122[.]68
3
195[.]133[.]146[.]156
3
94[.]242[.]206[.]204
3
198[.]27[.]74[.]146
2
50[.]16[.]229[.]140
2
194[.]87[.]232[.]146
2
23[.]21[.]121[.]219
1
104[.]20[.]17[.]242
1
54[.]243[.]147[.]226
1
54[.]235[.]124[.]112
1
104[.]20[.]16[.]242
1
23[.]23[.]243[.]154
1
3[.]224[.]145[.]145
1
34[.]196[.]181[.]158
1
23[.]23[.]83[.]153
1
*See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousness Occurrences ipinfo[.]io
6
ip[.]anysrc[.]net
6
api[.]ipify[.]org
5
myexternalip[.]com
3
icanhazip[.]com
2
ipecho[.]net
2
checkip[.]amazonaws[.]com
2
wtfismyip[.]com
2
elb097307-934924932[.]us-east-1[.]elb[.]amazonaws[.]com
2
checkip[.]us-east-1[.]prod[.]check-ip[.]aws[.]a2z[.]com
1
Files and or directories created Occurrences %APPDATA%\winapp\Modules
25
%System32%\Tasks\services update
25
%APPDATA%\winapp\client_id
25
%APPDATA%\winapp\group_tag
25
%APPDATA%\winapp
25
%APPDATA%\WINAPP\<original file name>.exe
25
%SystemRoot%\Tasks\services update.job
23
File Hashes 00c98d727a85576416dba2a3a68010f986ae276935435e6d9eb02d33fb71b3a3
0143365726dffade4573b49e8c816d414c8ca96567a8163cbb714a4b9c18df2d
051eeb1a5f4ef84caff3c5a7abcebb1839569516480df43c929aba282eb8ecb2
0fff84cfd0c674f7d55a39cb6be3bb7fccb3549dbfd9bc8f8b4c8c6307cc5102
112a18bcbc8424b2bdb7ea574f5696288d28a28dda3f0aaa9894a84285c932aa
11513df12b19240af3485b6b0d0c871c305e2644e6503770baf8fb2949542462
19910cf1b0fb40f8143c459e93a6110393b502de81646ed7685c7a0766e4823d
2807fea0af4c94116f0677eb94d798b6f40c3a3cc50ed8d2d2184a061ce30904
292920637d78485e4053b4a056d569f2e17cb8ab531f3372d18402c35fd735bf
30938782dd1ae8ff1a35c17821860745f613a5267e18171e7336d1c6d5f5b6b1
30f321827bea98609847dc047de756f7b86074bb3f5c6e4c7875f25db5dcd627
362d936eebd48241b9e3b6ae0f8650365af42aa307320438ae170862750b2a08
3dd50fe971d7256311dab97ac7afeb0a6ec91de2feccb125eb09ac8a22947005
3e98c771dd86669152fb58cfc0ecd7d264426ebe125ee4d96893efad5af5d236
3ecf64c343752bfbed1a8984cfb207309133df964da0b2e086509e8aed167a66
541729295b97eaa2ec3a566c2095b5e4c03239d9b1235d4a2b6331f3dd986f75
639adafd87d067c1cc5c5d1be870f3800e719637dab20e435f379fc86b268d15
653fc5565b1e8746ddaa507722815fc225ce5c327fa69dbbdaf8924880197035
6809cf34ac7fa454a8d8c25482c7a9acb44be1222bc89f2d478a953d93f63f3d
74547a954562f29ea05230900daab9c043e088fd1a38cb2d077ba4624ef51523
7a7029415edf56936d5eaf003f413a0b778fbc279168cc7cc5e3166a14aaf69a
7be5520d05f7f6afc0dbdf945faa7c93dbc3d3394a6fc8fc30532a6d241f10a1
7bf167e2fd1ad3b45e42fcfce427c702cdb4df6e96602a183fee57d777140a18
854124fe1ae699a3dfd99b89a0b44101e74039ea8f06c781254f4aeca07b7013
8a58ff91b277c4b10565d90fa8e0d847759276fa77983762337dc6bf916aa78e
*See JSON for more IOCs
Coverage Product Protection Amp
Cloudlock
N/A
Cws
Email Security
Network Security
N/A
Stealthwatch
N/A
Stealthwatch Cloud
N/A
Threat Grid
Umbrella
N/A
Wsa
N/A
Screenshots of Detection AMP ThreatGrid Win.Malware.Gh0stRAT-7109635-2 Indicators of Compromise Registry Keys Occurrences <HKLM>\SYSTEM\CONTROLSET001\SERVICES\STUVWX
26
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\STUVWX
Value Name: MarkTime
26
Mutexes Occurrences 193.112.13.217:7788:Stuvwx
26
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences 193[.]112[.]13[.]217
26
File Hashes 0cc11eb852f66920b4a4a35dc34b4e05f3612640b1963bd0ef8088022e2451f7
103960c11c696e1ed51771fec28b70d5cd0c1feb071575e4122827ac7541092b
1156fabd2305bd3ce5b218a59c3f3cfd99671dc8323fda13c156aebf26ee3ed8
11978ef69a330b0d4cc544f48bafbca5125019fe147fcaf2db0bd72fe94c4b4a
164c0c94d252f388ab7825a8bd9abf8cacc45cbf34281edb72951982874591ab
1af0bbdad437c6f711447ccb84444b92df5ba237acc0b33f6eebe0d48fd2f5a2
1ef070ae000ecca44fd13b1c3b642a7a5ef8894becc9a228f2aba33c04f267d5
24436d1687d5a814d3552f9fe6aed8d3778a66888508d1685d7c8c39d4b3b5a5
249cea1515c2c625b5e117a9495cce088f64dfe39dfab2b9d47d9071e2516900
2512e7506467e005bda030357121e832ff0dddc6a670ae4c732bac8345a0e2cf
265c64b98cd0d8515c829654ea931d751e9526b61f45f1d4799c41578f94534c
26f34567a93de01d7e6853e9ae31eb0f1848dee525b0ee605e1c1884accc4982
274d09e6e43dc96ba17a782a30afd525c972f3ad50e73655d8cbfe94ea97b481
2add1b8118caae8e35384758ffabf7fb9cd5eed7e7ae6189572f92993176cf7c
2c771b1e0003485b554e8014b428c9d53ad93d457c04c96b9e514f0f33e2e6ba
2cdd4e59d78f0a3537c1e1c5a7b9fb4c369a20d79a057568a51a2cbebb2f8241
2dae697a1aa350218fb9c4c6ed9d28caa9eff1ad7bfbd0feb32dc523e5c7baf9
3073891867551a6f111eb2f8af3e02729bf97627da4d019fc289433de4cfc35b
30fe5c510a0dc5ad89fcd66491ff24f605a90a2c4a53c67a9969fe15a4a5d0a7
313e7c484e87f221fe3e7af0aab2e17eac7c5a1f1a6c6fcf96140f1a24ba95ba
3176a16b8d3fdcd6162a24ea2979f82d8d1ec4bb98e15c299affd56704bf30d6
32824a80e061fa64a2cc928d3fbde4f742dfb22b4bd9daa13c2e5ab80697c836
333afdc84193d7b7b0d4d1c1e94fcd38426660db5f0fe8fb6dff57d0436a72eb
34e270be03c14465005a11e6eeca6c6c6437f24d9d0a120387cdc759519ad751
352d10cb6917a8bd67bd4054b5307ee38caa2ca63be034edda31371954fccb70
*See JSON for more IOCs
Coverage Product Protection Amp
Cloudlock
N/A
Cws
Email Security
Network Security
N/A
Stealthwatch
N/A
Stealthwatch Cloud
N/A
Threat Grid
Umbrella
N/A
Wsa
N/A
Screenshots of Detection AMP ThreatGrid Win.Packed.Zeroaccess-7109532-0 Indicators of Compromise Registry Keys Occurrences <HKLM>\SYSTEM\CONTROLSET001\SERVICES\MPSSVC
Value Name: DeleteFlag
19
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC
Value Name: DeleteFlag
19
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\BROWSER
Value Name: Start
19
<HKCR>\CLSID\{FBEB8A05-BEEE-4442-804E-409D6C4515E9}\INPROCSERVER32
Value Name: ThreadingModel
19
<HKCR>\CLSID\{FBEB8A05-BEEE-4442-804E-409D6C4515E9}\INPROCSERVER32
19
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Windows Defender
19
<HKLM>\SOFTWARE\CLASSES\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\INPROCSERVER32
19
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDEFEND
Value Name: Type
19
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDEFEND
Value Name: ErrorControl
19
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS
Value Name: Type
19
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS
Value Name: ErrorControl
19
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\IPHLPSVC
Value Name: Type
19
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\IPHLPSVC
Value Name: ErrorControl
19
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\IPHLPSVC
Value Name: DeleteFlag
19
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC
Value Name: Type
19
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC
Value Name: ErrorControl
19
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MPSSVC
Value Name: Type
19
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MPSSVC
Value Name: ErrorControl
19
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINSOCK2\PARAMETERS\PROTOCOL_CATALOG9\CATALOG_ENTRIES\000000000010
Value Name: PackedCatalogItem
19
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINSOCK2\PARAMETERS\PROTOCOL_CATALOG9\CATALOG_ENTRIES\000000000009
Value Name: PackedCatalogItem
19
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINSOCK2\PARAMETERS\PROTOCOL_CATALOG9\CATALOG_ENTRIES\000000000008
Value Name: PackedCatalogItem
19
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINSOCK2\PARAMETERS\PROTOCOL_CATALOG9\CATALOG_ENTRIES\000000000007
Value Name: PackedCatalogItem
19
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINSOCK2\PARAMETERS\PROTOCOL_CATALOG9\CATALOG_ENTRIES\000000000006
Value Name: PackedCatalogItem
19
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINSOCK2\PARAMETERS\PROTOCOL_CATALOG9\CATALOG_ENTRIES\000000000005
Value Name: PackedCatalogItem
19
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINSOCK2\PARAMETERS\PROTOCOL_CATALOG9\CATALOG_ENTRIES\000000000004
Value Name: PackedCatalogItem
19
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences 222[.]254[.]253[.]254
19
83[.]133[.]123[.]20
15
88[.]254[.]253[.]254
15
92[.]254[.]253[.]254
15
117[.]254[.]253[.]254
15
115[.]254[.]253[.]254
15
87[.]254[.]253[.]254
15
134[.]254[.]253[.]254
14
119[.]254[.]253[.]254
14
184[.]254[.]253[.]254
12
180[.]254[.]253[.]254
12
182[.]254[.]253[.]254
12
190[.]254[.]253[.]254
12
206[.]254[.]253[.]254
12
166[.]254[.]253[.]254
12
197[.]254[.]253[.]254
12
135[.]254[.]253[.]254
11
178[.]148[.]144[.]15
9
74[.]194[.]69[.]92
9
68[.]173[.]181[.]191
9
188[.]67[.]123[.]100
9
78[.]221[.]193[.]65
8
198[.]96[.]34[.]46
8
68[.]64[.]113[.]104
8
24[.]35[.]22[.]12
8
*See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousness Occurrences j[.]maxmind[.]com
15
uikvdwhrextuxymklwbrodjzhj[.]com
1
xikzzyxnfkaepapadgned[.]com
1
Files and or directories created Occurrences \systemroot\assembly\GAC_32\Desktop.ini
19
\systemroot\assembly\GAC_64\Desktop.ini
19
%System32%\LogFiles\Scm\e22a8667-f75b-4ba9-ba46-067ed4429de8
19
%SystemRoot%\assembly\GAC_32\Desktop.ini
19
%SystemRoot%\assembly\GAC_64\Desktop.ini
19
\$Recycle.Bin\S-1-5-18
19
\$Recycle.Bin\S-1-5-18\$0f210b532df043a6b654d5b43088f74f
19
\$Recycle.Bin\S-1-5-18\$0f210b532df043a6b654d5b43088f74f\@
19
\$Recycle.Bin\S-1-5-18\$0f210b532df043a6b654d5b43088f74f\L
19
\$Recycle.Bin\S-1-5-18\$0f210b532df043a6b654d5b43088f74f\U
19
\$Recycle.Bin\S-1-5-18\$0f210b532df043a6b654d5b43088f74f\n
19
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$0f210b532df043a6b654d5b43088f74f
19
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$0f210b532df043a6b654d5b43088f74f\@
19
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$0f210b532df043a6b654d5b43088f74f\L
19
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$0f210b532df043a6b654d5b43088f74f\U
19
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$0f210b532df043a6b654d5b43088f74f\n
19
\RECYCLER\S-1-5-18\$ad714f5b8798518b3ccb73fd900fd2ba\@
17
\RECYCLER\S-1-5-18\$ad714f5b8798518b3ccb73fd900fd2ba\n
17
\RECYCLER\S-1-5-21-1258710499-2222286471-4214075941-500\$ad714f5b8798518b3ccb73fd900fd2ba\@
17
\RECYCLER\S-1-5-21-1258710499-2222286471-4214075941-500\$ad714f5b8798518b3ccb73fd900fd2ba\n
17
%SystemRoot%\assembly\GAC\Desktop.ini
17
4.@ (copy)
1
8.@ (copy)
1
80000000.@ (copy)
1
80000032.@ (copy)
1
*See JSON for more IOCs
File Hashes 64f81a35325dd38c136a632f0e23d167407a0c4963a70761d4ab5707775f0d23
67ebc3153ede004c1af8b82ecd6f4713573f4c29b4a84c0500d761f483ad9172
688db1253d2dcdaf11bb2e8f03790dea9b10625b14b20531f4ea108801066f62
78951871e9a63fa3907da13165bab1119addd1ce8a3b376afae47b532e5d3653
7d8a67472d130e64d41205a7c1e5263b4fe6a4c6dc2b413618fd9e38ce47f536
8eea2b29e69058398957d5972b62b47947d090c2610bcd45ee593fa92bf25004
91fff0045ed0ac9433217ee7dd1f5ede0554588995892e026044d8d9f9371e1a
9a254fc4e4ca669bab5ad0a830ab43a9ebee6b835fdf794f76a8575d2ca8d548
9db192e4eced11fc3f84d6d8f6302e0230798993bc2b9efca6170428fba13906
a1335dcc4001df7691151413c8c1280dcda1a28a5bd21e82673de4d7560116b7
a2f377e3ff205bc71b5c2a88957578d2a6fb9d390d7ba19fa5117fb0f17736b3
c11c70ca57c92e7224b2c011bb8559d5214ff644fec730a52e02eee172a8a043
c443515f2c11f9cce0be0bd88532bd2b0885d2836bb0b5abb4c2e9198bb2121b
d17a1fb8e452ae4fce1f2763a32b209b6663c600dcf253fd1e943e481ca90e63
dcfd777c230140e79392ba5adf4f6aa9ae249d68eb18cf2ba3b74eca47a2b3c2
df6e0399978745daad9974c24eecc3859740bc2e2ece4a7ec970cefcdd5a5bbe
eb5d5d7b8119f0819a9f00bd20e3c200e9e938a7705bcad0afc86f254d62a78c
efbf80ac6287c82b3231e87957271cadf5c5130eeea7b2e456ffa8b002cbde62
f12f6a6b3358a8dee157fa6bc7170d94cbf2e6f890c86791af20c1a841c01c17
f77e3f0bf61edecfc8f50904e19b9746ba78be95520288d824b61777b04649c6
Coverage Product Protection Amp
Cloudlock
N/A
Cws
Email Security
Network Security
N/A
Stealthwatch
N/A
Stealthwatch Cloud
N/A
Threat Grid
Umbrella
N/A
Wsa
N/A
Screenshots of Detection AMP ThreatGrid Win.Trojan.Shiz-7108197-0 Indicators of Compromise Registry Keys Occurrences <HKLM>\SOFTWARE\MICROSOFT
Value Name: 67497551a
18
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
Value Name: 98b68e3c
18
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
Value Name: userinit
18
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
Value Name: System
18
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS
Value Name: load
18
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS
Value Name: run
18
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: userinit
18
Mutexes Occurrences Global\674972E3a
18
Global\MicrosoftSysenterGate7
18
internal_wutex_0x00000120
18
internal_wutex_0x00000424
18
internal_wutex_0x00000474
18
internal_wutex_0x000004a0
18
\BaseNamedObjects\Global\C3D74C3Ba
17
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences 23[.]253[.]126[.]58
18
208[.]100[.]26[.]251
18
104[.]239[.]157[.]210
18
45[.]77[.]226[.]209
18
198[.]187[.]30[.]249
14
35[.]231[.]151[.]7
12
13[.]107[.]21[.]200
10
35[.]229[.]93[.]46
9
204[.]79[.]197[.]200
8
Domain Names contacted by malware. Does not indicate maliciousness Occurrences MAMASUFEXIX[.]EU
18
FODAVIBUSIM[.]EU
18
LYKONURYMEX[.]EU
18
qetoqolusex[.]eu
18
PUPUCUVYMUP[.]EU
18
vocupotusyz[.]eu
18
gaherobusit[.]eu
18
MAGOFETEQUB[.]EU
18
RYCUCUGISIX[.]EU
18
KEJYWAJAZOK[.]EU
18
puvewevodek[.]eu
18
gahyfesyqad[.]eu
18
MAVEJYKIDIJ[.]EU
18
lyvevonifun[.]eu
18
rydopapifel[.]eu
18
kemimojitir[.]eu
18
CIQUKECYWIV[.]EU
18
FOXOFEWUTEQ[.]EU
18
tucyzogojat[.]eu
18
JEJYKAXYMOB[.]EU
18
QEKUSAGIGYZ[.]EU
18
tuwypagupeb[.]eu
18
FOBATESOHEK[.]EU
18
NOVOMYFEXIJ[.]EU
18
dixyjohevon[.]eu
18
*See JSON for more IOCs
Files and or directories created Occurrences %TEMP%\<random, matching [A-F0-9]{1,4}>.tmp
18
%SystemRoot%\AppPatch\ffiqrh.exe
1
%SystemRoot%\AppPatch\jshtht.exe
1
%SystemRoot%\AppPatch\akumbd.exe
1
%SystemRoot%\AppPatch\rkhhmxr.exe
1
%SystemRoot%\AppPatch\pvsvlhr.exe
1
%SystemRoot%\AppPatch\hcbpdh.exe
1
%SystemRoot%\AppPatch\suupehv.exe
1
%SystemRoot%\AppPatch\atvoia.exe
1
%SystemRoot%\AppPatch\xyovdf.exe
1
%SystemRoot%\AppPatch\qoatnug.exe
1
%SystemRoot%\AppPatch\stfvdxf.exe
1
%SystemRoot%\AppPatch\crsadq.exe
1
%SystemRoot%\AppPatch\iqxtlwt.exe
1
%SystemRoot%\AppPatch\vgabmas.exe
1
%SystemRoot%\AppPatch\cxglomg.exe
1
%SystemRoot%\AppPatch\mrfdmsf.exe
1
%SystemRoot%\AppPatch\eodhsml.exe
1
%SystemRoot%\AppPatch\bjihnwq.exe
1
File Hashes 15e38b549194635dbbce0ddc2fa97744992498292843924d0ef12fb1804a285c
90fb3fc2fa229953c808954a8eec46b36f1edc0f41ab088c82ea755ffa3c43c2
9ca9c80c7aef1de747e8fb0fbe2fdabe0242862341eac562799b96f94830bd7a
a798d57162ee4fac07d2e23a16f9d0557d39f6c615a33add2a8f570177ae250e
b45da6a6c26ccecac46deeceed64bea1dc7753ebbd6fb93ad33048e0f8587f95
ba8e2507b98e11681912eb982779c5791bfd084f1683d0ec211f187c04444b4b
bf6c06b4720c871f38fe90fc4c2dd2a17fd3879b37668facd78f433309123094
c0b1f1dcd503c8e254cbc80478848db14d2ab731df0a3d3cd185d5df43727d54
cab99b6945c6ee017c2297f13f5962ff2be066c3c9f4b812f1183334ab133de0
cefb5097f6431abfd8ecaa842f8fd18e7c37b585c90ed7dab5cc58c985f327ce
d736eb2fa68eb8da82c3823e90bee6fb374f00d59b5ce26df9a8f8f6e807bf39
e4c8b631c928eec873f54c2811315e48962a8f5e067e3f820e22fbfbb04755eb
e7df207595977cf6802d5d039c76a91ace32521f290d115c06325bb8a72ce18e
ea0ea261f2a0211dc179b23bf18609749df13f024db3384cf1f7f54d09a3e21d
ea9b003f2dd1f2293add17f6607370a130d3efff27d55c5068c7ac8abcbfb76b
eeb8342fd7c3ee5b7bb9b714899dc0b2b97597562022015b9d1d2464e7cd55d3
fce2a9dee62b71966aca7874ff8f37066a0323c73e5e524162b36b114a92894f
fdbae139d64ee88eacf6ade8b366666432bc944430ab7dd0cf1af7156cb7d316
Coverage Product Protection Amp
Cloudlock
N/A
Cws
Email Security
Network Security
Stealthwatch
N/A
Stealthwatch Cloud
N/A
Threat Grid
Umbrella
Wsa
Screenshots of Detection AMP ThreatGrid Umbrella Exploit Prevention Cisco AMP for Endpoints protects users from a variety of malware functions with exploit prevention. Exploit prevention helps users defend endpoints from memory attacks commonly used by obfuscated malware and exploits. These exploits use certain features to bypass typical anti-virus software, but were blocked by AMP thanks to its advanced scanning capabilities, even protecting against zero-day vulnerabilities. CVE-2019-0708 detected - (1553)
An attempt to exploit CVE-2019-0708 has been detected. The vulnerability, dubbed BlueKeep, is a heap memory corruption which can be triggered by sending a specially crafted Remote Desktop Protocol (RDP request). Since this vulnerability can be triggered without authentication and allows remote code execution, it can be used by worms to spread automatically without human interaction.
Kovter injection detected - (1465)
A process was injected into, most likely by an existing Kovter infection. Kovter is a click fraud Trojan that can also act as an information stealer. Kovter is also file-less malware meaning the malicious DLL is stored inside Windows registry and injected directly into memory using PowerShell. It can detect and report the usage of monitoring software such as wireshark and sandboxes to its C2. It spreads through malicious advertising and spam campaigns.
Process hollowing detected - (1288)
Process hollowing is a technique used by some programs to avoid static analysis. In typical usage, a process is started and its obfuscated or encrypted contents are unpacked into memory. The parent then manually sets up the first stages of launching a child process, but before launching it, the memory is cleared and filled in with the memory from the parent instead.
Madshi injection detected - (1157)
Madshi is a code injection framework that uses process injection to start a new thread if other methods to start a thread within a process fail. This framework is used by a number of security solutions. It is also possible for malware to use this technique.
Trickbot malware detected - (742)
Trickbot is a banking Trojan which appeared in late 2016. Due to the similarities between Trickbot and Dyre, it is suspected some of the individuals responsible for Dyre are now responsible for Trickbot. Trickbot has been rapidly evolving over the months since it has appeared. However, Trickbot is still missing some of the capabilities Dyre possessed. Its current modules include DLL injection, system information gathering, and email searching.
Dealply adware detected - (417)
DealPly is adware, which claims to improve your online shopping experience. It is often bundled into other legitimate installers and is difficult to uninstall. It creates pop-up advertisements and injects advertisements on webpages. Adware has also been known to download and install malware.
Gamarue malware detected - (151)
Gamarue is a family of malware that can download files and steal information from an infected system. Worm variants of the Gamarue family may spread by infecting USB drives or portable hard disks that have been plugged into a compromised system.
Installcore adware detected - (75)
Install core is an installer which bundles legitimate applications with offers for additional third-party applications that may be unwanted. The unwanted applications are often adware that display advertising in the form of popups or by injecting into browsers and adding or altering advertisements on webpages. Adware is known to sometimes download and install malware.
Excessively long PowerShell command detected - (72)
A PowerShell command with a very long command line argument that may indicate an obfuscated script has been detected. PowerShell is an extensible Windows scripting language present on all versions of Windows. Malware authors use PowerShell in an attempt to evade security software or other monitoring that is not tuned to detect PowerShell based threats.
PowerShell file-less infection detected - (67)
A PowerShell command was stored in an environment variable and run. The environment variable is commonly set by a previously run script and is used as a means of evasion. This behavior is a known tactic of the Kovter and Poweliks malware families.