Friday, August 30, 2019

Threat Roundup for August 23 to August 30

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Aug. 23 and Aug. 30. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. As always, please remember that all IOCs contained in this document are indicators, and one single IOC does not indicated maliciousness.
The most prevalent threats highlighted in this roundup are:
Threat Name Type Description
Win.Worm.Vobfus-7141112-0 Worm Vobfus is a worm that copies itself to external drives and attempts to gain automatic code execution via autorun.inf files. It also modifies the registry so that it will launch when the system is booted. Once installed, it attempts to download follow-on malware from its command and control (C2) servers.
Win.Dropper.VertexNet-7139734-0 Dropper VertexNet is a remote access trojan that provides basic functionality like the ability to download files, monitor keystrokes, and provide a remote shell to the attacker.
Win.Malware.Ursnif-7139346-0 Malware Ursnif is used to steal sensitive information from an infected host and can also act as a malware downloader. It is commonly spread through malicious emails or exploit kits.
Win.Trojan.Remcos-7136041-1 Trojan Remcos is a remote access trojan (RAT) that allows attackers to execute commands on the infected host, log keystrokes, interact with a webcam, and capture screenshots. It is commonly delivered through Microsoft Office documents with macros, sent as attachments on malicious emails.
Win.Dropper.TrickBot-7135730-0 Dropper Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts.
Win.Dropper.Nymaim-7135710-0 Dropper Nymaim is malware that can be used to deliver ransomware and other malicious payloads. It uses a domain generation algorithm to generate potential command and control (C2) domains to connect to additional payloads.
Win.Ransomware.TeslaCrypt-7135496-1 Ransomware TeslaCrypt is a well-known ransomware family that encrypts a user's files with strong encryption and demands Bitcoin in exchange for a file decryption service. A flaw in the encryption algorithm was discovered that allowed files to be decrypted without paying the ransomware, and eventually, the malware developers released the master key allowing all encrypted files to be recovered easily.
Win.Dropper.SpyEye-7134261-0 Dropper SpyEye is an information-stealing malware that attempts to collect usernames, passwords, and credit card numbers as they are entered into the user's web browser.
Win.Dropper.Qakbot-7133972-0 Dropper Qakbot, aka Qbot, has been around since at least 2008. Qbot primarily targets sensitive information like banking credentials but can also steal FTP credentials and spread across a network using SMB.

Threat Breakdown

Win.Worm.Vobfus-7141112-0

Indicators of Compromise

Registry Keys Occurrences
<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\TOOLBAR
Value Name: Locked
10
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED
Value Name: ShowSuperHidden
10
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\WINDOWSUPDATE\AU 10
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\WINDOWSUPDATE\AU
Value Name: NoAutoUpdate
10
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\WINDOWSUPDATE 10
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: jxwiq
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: jeoeri
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: guuagu
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: buazoe
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: weouw
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: puoleey
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: vuudei
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: qjzaet
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: seaumu
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: baeboig
1
Mutexes Occurrences
A 10
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
204[.]11[.]56[.]48 10
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
ns1[.]timedate3[.]com 10
ns1[.]timedate3[.]net 10
ns1[.]timedate1[.]org 10
ns1[.]timedate2[.]org 10
ns1[.]timedate1[.]net 10
ns1[.]timedate2[.]com 10
ns1[.]timedate1[.]com 10
ns1[.]timedate3[.]org 10
Files and or directories created Occurrences
\autorun.inf 10
\System Volume Information.exe 10
\$RECYCLE.BIN.exe 10
\Secret.exe 10
\Passwords.exe 10
\Porn.exe 10
\Sexy.exe 10
E:\autorun.inf 10
E:\$RECYCLE.BIN.exe 10
E:\Passwords.exe 10
E:\Porn.exe 10
E:\Secret.exe 10
E:\Sexy.exe 10
E:\System Volume Information.exe 10
E:\x.mpeg 10
%HOMEPATH%\Passwords.exe 10
%HOMEPATH%\Porn.exe 10
%HOMEPATH%\Secret.exe 10
%HOMEPATH%\Sexy.exe 10
\<random, matching '[a-z]{4,7}'>.exe 10
E:\<random, matching '[a-z]{4,7}'>.exe 10
%HOMEPATH%\<random, matching '[a-z]{5,7}'>.exe 10
%HOMEPATH%\RCX<random, matching '[A-F0-9]{3,4}'>.tmp 7

File Hashes

c2767a62350a0d537b904317441c9634c0061229f88e6fdd2de972424c771355 deca43beac62ac0403adc173e8c8b45b34835165ea8241798233900870485cff e8151e83c5c703087f2f582d7d7666e9e563f19baf9eca55b00b1a8f357cb2fb e89bf0455c034b1c8c2f3813c21a5c563dfe4dcd4b1961131295d4477567b2f6 e8fc6f6c1e1dfcfaac05ea6e45cb1404ae8ef5508357fd2e6e897872761c1a73 eb4d9953b0d832e4e5be31ce624b1757dc503e548f1c85cdc871d11ac90930bd ef5099250b297ee7f0c34dff49d345f179935d1d32cbdce429769471359701a3 f0b6c9062f5601e99f3015db1bdb35e23984fe65c420ebe5e6984644d18312d7 f1ad5be9676c05b1242c6fcfb4dd86062cba1e1fe5aeaf1925387414aff90088 fb6cca89549e3d3d0c80a46080ff27dc2e06ad7081297e3a5e9c2baffe7eac30

Coverage

Product Protection
Amp This has coverage
Cloudlock N/A
Cws This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
Wsa N/A

Screenshots of Detection

AMP


ThreatGrid


Umbrella




Win.Dropper.VertexNet-7139734-0

Indicators of Compromise

Registry Keys Occurrences
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: win32
14
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Svchost
7
<HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\AUTHROOT\CERTIFICATES\DAC9024F54D8F6DF94935FB1732638CA6AD77C13
Value Name: Blob
4
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: winlogon
4
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: windowsAccApp
4
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: windef
3
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Windows
3
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: winupdate
2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Microsoftnts
2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Google Updater
2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: system
2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: maz
2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: ctfmon
2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Microsoft
2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Windows Update
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: explorer.exe
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: UniKey
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: taskmng
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: WinHostMngr
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: VIRUS
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Adobe
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: CRACKWIN
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: jusched
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: vm
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: WinApISBMhost
1
Mutexes Occurrences
VN_MUTEX16 285
win32 14
rundll23 14
Global\c020f8c1-c573-11e9-a007-00501e3ae7b5 14
explorer.exe 2
VN_MUTEX 2
Me_MUTEX16 2
sadfsadfhmj4353t gfvb 1
VN_MUTEX29 1
VN_Nyarkouf 1
DiZi_MUTEX 1
unh43n805q95 1
634t 1
VN_MUTEXL33T 1
X86 Host Process for Windows 1
fadsfgagdfgaewwfadsfsda 1
VN_inet1 1
net work 1
VN_SAINT 1
6826863HGGUSG2782 1
VN_MUTEX133 1
teshell::netstat -an 1
rundll32.exe 1
WIU23fwfhWEHF2fwjhWJKHef2f 1
VN_B4SMIX 1
*See JSON for more IOCs
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
153[.]92[.]0[.]100 62
104[.]20[.]67[.]46 35
104[.]20[.]68[.]46 27
185[.]185[.]84[.]210 18
199[.]59[.]242[.]151 15
144[.]76[.]162[.]245 7
175[.]126[.]123[.]219 5
104[.]25[.]37[.]108 4
72[.]9[.]150[.]244 4
31[.]170[.]160[.]57 4
35[.]186[.]238[.]101 3
162[.]253[.]155[.]225 3
5[.]57[.]226[.]202 3
91[.]195[.]240[.]210 3
185[.]53[.]179[.]29 2
185[.]53[.]178[.]8 2
104[.]200[.]23[.]95 2
204[.]11[.]56[.]48 2
88[.]99[.]150[.]216 2
23[.]20[.]239[.]12 2
18[.]211[.]9[.]206 2
95[.]211[.]219[.]66 2
69[.]162[.]80[.]55 2
81[.]171[.]22[.]7 2
195[.]20[.]43[.]88 2
*See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
www[.]000webhost[.]com 62
HTTP 39
www[.]yoursite[.]com 18
yoursite[.]com 18
www[.]z3mr4[.]co[.]cc 10
www[.]subdomain[.]com 7
www[.]altervista[.]org 5
www[.]freewebhostingarea[.]com 4
www[.]hugedomains[.]com 4
freewha[.]com 4
err[.]freewebhostingarea[.]com 4
api[.]w[.]org 3
gmpg[.]org 3
iyfsearch[.]com 3
www[.]dailyetalaat[.]com 3
static[.]hugedomains[.]com 2
www[.]mibotnetpol[.]tk 2
apfrtek[.]freehosting3[.]com 2
firemoon[.]myftp[.]org 2
www[.]mrm3n2lok0[.]com 2
www[.]ethy54[.]azok[.]org 2
www[.]sgchack[.]tk 2
www[.]hackedbootnet[.]altervista[.]org 2
www[.]juztest[.]000a[.]biz 2
www[.]cyber-power[.]net16[.]net 2
*See JSON for more IOCs
Files and or directories created Occurrences
\dropped.exe 83
%APPDATA%\<random, matching [A-Fa-z0-9]{5,8}.exe 27
%APPDATA%\dropped.exe 18
\<random, matching '[a-z]{4,7}'>.exe 14
%TEMP%\dropped.exe 11
%TEMP%\<random, matching '[a-z]{4,9}'>.exe 10
%ProgramFiles(x86)%\dropped.exe 9
%ProgramData%\Microsoft\Windows\Start Menu\Programs\Startup\dropped.exe 7
\svchost.exe 6
\TEMP\svchost.exe 2
%APPDATA%\java.exe 2
%ProgramData%\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe 2
%ProgramData%\Microsoft\Windows\Start Menu\Programs\Startup\Update.exe 2
%APPDATA%\winupdate.exe 1
\WinLogonn.exe 1
%SystemRoot%\dva.exe 1
%APPDATA%\WinHostMngr.exe 1
\systemerecoverys.exe 1
%ProgramFiles(x86)%\svhost.exe 1
\systemrecoverys.exe 1
\bot.exe 1
%APPDATA%\windows-proteccion.exe 1
%ProgramData%\Microsoft\Windows\Start Menu\Programs\Startup\jusched.exe 1
\winlogon.exe 1
\sys.exe 1
*See JSON for more IOCs

File Hashes

023196a258c5e9a714f6b406a6cff36bb4c25d0471a1a56b4d3b9f46d150ae1f 036117b3b838ce7a20cc4aa6b798ff8fa3966f308c03517b14d90dcfa46d010f 0402e0947e984f6a2bf56ddecbd6aea51c73098cfc914b3c289577ccd446d493 075192c857c9c4bef7d18368321d31620e7e0539ecd96000a5393acb8813abea 075ff8393ee0c121d200490ff5506456b5c9450c1589208ac82d31f023929294 0acc97a4ffa1fa86dfecfa5f176a027aeeb4c065d155d93aba50760cfef2c6ff 0c3a2e27ef912b5fb6c17b241e86da27e1146ef0a3db01f8276fe9ba45608b8d 0f64335da1a12fa9ad82fd7103c8a1a981496528e892ab7a10ee3d1c05a3442b 15b85c9bc17b14a093640dfbc1fc1e9c926690ad27bd47eb8a5670449957e9c9 1d92e058049850136bf176705613903a52650693d1baa9ec9b01cb565754b47c 1f576661825d0daf76e1fe297f3de6f90ffd50f554a42dd0e86fc5cd623a2012 22ada87e79518993f2e3af9eba82a6da0dbd7bc3e77a8836454147cc3c3dec6e 27e0f993e69d6123d98b801d026538783e6bffa4678ac4b5343a8c4f96741ab0 282c5f61b701dde8aa4599ce99e1786352cc127317300f8e5e594b2eb3ea1351 29e79e990607b2674c17ef582029a79d447209d8d82ba9ecc5cf0018a38b2365 2a6d5846fc4ec275e50f48770ace19635917593f84373a735c6e05cf5142083e 2bb71d1684473592d3c09495e62de2266cd965a2aba39c2bb69184e1f0ed74ef 2ca36f83972e8da2e176dd2895ec3557f7566295111262d84ae89687b191fb36 2cc88246db7c82b8ad27b1ecf3f588f60321723b7eba960ccac648bf8eeb1cdf 2cdac4031b8316e693eb8871c8abdeee03887cc6608c4b7b11b6bc56d4df73df 2d9eba6cbdbd2f498e26eb3a73772681c5f7fce3c314154cdd5355e11da5bd4c 2dea18d05c5c85cbfe9adbf41213cc09696b6540b9204cb95f433275600722db 30a3c3d914a785eac190a4623ef59b3dc438bb92e9124f55e41d51e0385c8b2f 32eb0e0944dc52cfeb26207c283f9e757bdc8b8a8271be388fe3754782b4f696 3343e10482f4d67995994b94a16fa589f2f17a647c0891e67a0d082582db5add
*See JSON for more IOCs

Coverage

Product Protection
Amp This has coverage
Cloudlock N/A
Cws This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
Wsa This has coverage

Screenshots of Detection

AMP


ThreatGrid




Win.Malware.Ursnif-7139346-0

Indicators of Compromise

Registry Keys Occurrences
<HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\AUTHROOT\CERTIFICATES\75E0ABB6138512271C04F85FDDDE38E4B7242EFE
Value Name: Blob
13
<HKCU>\SOFTWARE\MICROSOFT\IAM
Value Name: Server ID
6
<HKCU>\SOFTWARE\APPDATALOW\SOFTWARE\MICROSOFT\D31CC7AF-167C-7D04-B8B7-AA016CDB7EC5
Value Name: apiMPQEC
5
<HKCU>\SOFTWARE\APPDATALOW\SOFTWARE\MICROSOFT\D31CC7AF-167C-7D04-B8B7-AA016CDB7EC5 5
<HKCU>\SOFTWARE\APPDATALOW\SOFTWARE\MICROSOFT\D31CC7AF-167C-7D04-B8B7-AA016CDB7EC5
Value Name: Client32
5
<HKCU>\SOFTWARE\APPDATALOW\SOFTWARE\MICROSOFT\D31CC7AF-167C-7D04-B8B7-AA016CDB7EC5
Value Name: Client64
5
<HKCU>\SOFTWARE\APPDATALOW\SOFTWARE\MICROSOFT\D31CC7AF-167C-7D04-B8B7-AA016CDB7EC5
Value Name: datat3hc
5
<HKCU>\SOFTWARE\APPDATALOW\SOFTWARE\MICROSOFT\D31CC7AF-167C-7D04-B8B7-AA016CDB7EC5
Value Name: Client
5
<HKCU>\SOFTWARE\APPDATALOW\SOFTWARE\MICROSOFT\D31CC7AF-167C-7D04-B8B7-AA016CDB7EC5
Value Name: Dmlogpui
5
<HKCU>\SOFTWARE\APPDATALOW\SOFTWARE\MICROSOFT\D31CC7AF-167C-7D04-B8B7-AA016CDB7EC5
Value Name: {F50EA47E-D053-EF14-82F9-0493D63D7877}
5
<HKCU>\SOFTWARE\APPDATALOW\SOFTWARE\MICROSOFT\D31CC7AF-167C-7D04-B8B7-AA016CDB7EC5
Value Name: {6A4DAFE8-C11D-2C5C-9B3E-8520FF528954}
5
<HKCU>\SOFTWARE\APPDATALOW\SOFTWARE\MICROSOFT 1
<HKCU>\SOFTWARE\APPDATALOW\SOFTWARE\MICROSOFT
Value Name: Client32
1
<HKCU>\SOFTWARE\APPDATALOW\SOFTWARE\MICROSOFT
Value Name: Client64
1
<HKCU>\SOFTWARE\APPDATALOW\SOFTWARE\MICROSOFT
Value Name: datat3hc
1
<HKCU>\SOFTWARE\APPDATALOW\SOFTWARE\MICROSOFT
Value Name: Dmlogpui
1
<HKCU>\SOFTWARE\APPDATALOW\SOFTWARE\MICROSOFT
Value Name: apiMPQEC
1
<HKCU>\SOFTWARE\APPDATALOW\SOFTWARE\MICROSOFT
Value Name: {F50EA47E-D053-EF14-82F9-0493D63D7877}
1
<HKCU>\SOFTWARE\APPDATALOW\SOFTWARE\MICROSOFT
Value Name: {6A4DAFE8-C11D-2C5C-9B3E-8520FF528954}
1
<HKCU>\SOFTWARE\APPDATALOW\SOFTWARE\MICROSOFT
Value Name: Client
1
Mutexes Occurrences
Local\{57025AD2-CABB-A1F8-8C7B-9E6580DFB269} 6
Local\{7FD07DA6-D223-0971-D423-264D4807BAD1} 6
Local\{B1443895-5CF6-0B1E-EE75-506F02798413} 6
{57774070-CAAC-A135-8C7B-9E6580DFB269} 6
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
172[.]217[.]3[.]101 17
13[.]107[.]21[.]200 9
172[.]217[.]10[.]110 9
204[.]79[.]197[.]200 8
172[.]217[.]10[.]78 8
172[.]217[.]10[.]133 8
185[.]251[.]38[.]197 7
208[.]67[.]222[.]222 6
172[.]217[.]12[.]132 1
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
wai177iowjedidiah[.]xyz 17
m18fwairving[.]club 11
lvinnie65a41ay[.]com 11
resolver1[.]opendns[.]com 6
222[.]222[.]67[.]208[.]in-addr[.]arpa 6
myip[.]opendns[.]com 6
Files and or directories created Occurrences
\{4BC230AC-2EB3-B560-90AF-42B9C45396FD} 6
%TEMP%\RES<random, matching '[A-F0-9]{3,4}'>.tmp 6
%TEMP%\<random, matching [A-F0-9]{4}>.bi1 6
%TEMP%\<random, matching '[a-z0-9]{8}'>.dll 6
%TEMP%\<random, matching '[a-z0-9]{8}'>.out 6
%TEMP%\<random, matching '[a-z0-9]{8}'>.0.cs 6
%TEMP%\<random, matching '[a-z0-9]{8}'>.cmdline 6
%TEMP%\CSC9FEC3429276401888B76E8C2AE68BB3.TMP 1
%TEMP%\CSC3409E48E22F1400B95FE520264D3A47.TMP 1
%TEMP%\CSC330E69B495C9470E8A307FDE1DCCAE.TMP 1
%TEMP%\CSC330E69B495C9470E9A311BFDE1DCCAE.TMP 1
%TEMP%\0xobqs0n.tmp 1
%TEMP%\vvfb3gye.err 1
%TEMP%\vvfb3gye.tmp 1
%TEMP%\ntg1z15y.err 1
%TEMP%\ntg1z15y.tmp 1
%TEMP%\phcet32c.err 1
%TEMP%\phcet32c.tmp 1
%TEMP%\CSC330E69B495C9470E8A311AFDE1DCCAE.TMP 1
%TEMP%\0xkjv12k.err 1
%TEMP%\0xkjv12k.tmp 1
%TEMP%\CSC330E69B495C9470EBA3DFFDE1DCCAE.TMP 1
%TEMP%\rzfbq10e.err 1
%TEMP%\rzfbq10e.tmp 1
%TEMP%\bx1opn4f.err 1
*See JSON for more IOCs

File Hashes

0783be77f30524f31ced2fab0a1da860a9bd443263e1611cf26e8073005e578e 1a98e6aaae47877a0eccd691746c91d260937a3f5c110755da606965c1112729 1ca181cb491b5bd981df55f1d7ac4396b6020d38b8620c34e5af7174acf2254b 290f09ae381279ab8c97e14aadca08e62c359a0b1ce3b957578ddd097ac22682 2ba692360c9ebb9790f0a84a76e7b735bed6ffb8c82bfc861721728b5981ebc5 2fe2ed37720da7b06e1582d735743f5222467b06d589870887e62d4b057d09f8 36f600ea6989ee9a6c8821333e44ddd25622ab6a0dc383078c9887dc77c95fee 62714af2a73da1a69d915d05daeba464f65946d957f980862df5aa000fc3c8b2 6b94f9e63d9734dc4667b47c283026772ae0559cec29623296607d611fa6aa01 781aac6cc4e782ce3877c41c20e0715fcc56f76dde8f42e2df41f157b27d131d 7cad4929dc9483277f7c181f4fc7abafba6d67e9cdd65fbffe3bee90c64a2fb2 b7daaa3a091bac248f83bcf00aeec568feb83c490a03575b91909d059c7c2723 c3f2f7bc2b88e59af96157f6cce9b4889b419ca29bdd4075dc09155cd6a4b97e d995b6aeace5dc5fc1dccc3867a15bc65cafff77b2cce3ad4a93b2ff840b1bbb da7254c6feea716f30e709db69d9972633bee2b75a2129933cfe4ec3bea33c92 dc001b6eefd1ea132d5ff7e4c2b8fbd5fb44e5c62b2b5a144a08693b26ece3fb e7ba9ea77e262f55862d8f7432603005fcb1d6c959e312a822c1bcfce48c2aba

Coverage

Product Protection
Amp This has coverage
Cloudlock N/A
Cws This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
Wsa N/A

Screenshots of Detection

AMP


ThreatGrid



Umbrella




Win.Trojan.Remcos-7136041-1

Indicators of Compromise

Registry Keys Occurrences
<HKCU>\SOFTWARE\REMCOS_TBAKKPFJRCZYNTN 19
<HKCU>\SOFTWARE\REMCOS_TBAKKPFJRCZYNTN
Value Name: EXEpath
19
Mutexes Occurrences
Remcos_Mutex_Inj 19
remcos_tbakkpfjrczyntn 19
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
SILKBROWN[.]BIZ 19
Files and or directories created Occurrences
%APPDATA%\hyerr 19
%APPDATA%\hyerr\logs.dat 19
%System32%\Tasks\Modelleres 19
%APPDATA%\Foreshadower5.exe 19

File Hashes

04db2630c447c200d6b66d5545ced5bfd9b713562c9f975d4b1e34a60399efce 06809f29aa449ee0c5eac9a3956c2e53c4f08ea9992d24a201659c00b1cd8a80 1192c287dde92fe1c792b2122730610e1493fe242098fbb3a2da3f0bbcff0626 1ae04864cf13504552ced7ea85ff535adf38477ff9ca04520ce2781d17303de7 2056c5c204c5196f274f6ceab3dfd7a57de789f3327eb3872de116e433571723 2da878702f8bd11ac4d210e8c328fcbd7eb9bf5825111ba4e3a8a364f3f0f0f1 37bbd1a2db56b164a2e02423b47bdcfcf84bbe8cd98d3d6d9a3a2a46d659bf94 48c1f4427696658634d1a1db9d351ca74671b59c68bf4c3fc822c8e5895f8a10 4a4e9ca03ae19a1e6fef6a7d6bed84dcd66b8b07b3b5328cde53a9b5b5b7d8bf 80529b7f15fd80fb3eb2d05a7d91484c27cc8620c2342dd941568e1ab8031aed 827e49a00bd502dba505b35fc404a490236f3a9016ccaa1b11ccd4551360de2b 859c379889a0137e40112063ae04cb3f035dd9292112da8b02e5af2c6aa8b253 8b991afe7eb5b58d3d6c9586251111a6b7536d76eaca894f92941da818503ae4 934fca8c3e096e138cd25db859f513aef629946222f33b5932672a55e526fe76 a4ed0124c0cc59e88b5443376886b0b71532231d977ba849e5f98a233b8707c6 c751e5a7e2e83bcdd10dcdca29cf08138d455856466f6bc35c3913bade7f6a28 cae9aa03dab3cb4fbad8dbc37a8418e8817ce2a4bc28187c9d98240190b292c3 dcfa83b2d25d02429dc00ed823f6492c9ca248e0b03140f31d638660e2b274aa e45b64e33fe69503ad8d584155d74299b1cff13f481464b190a2efd697845fdc

Coverage

Product Protection
Amp This has coverage
Cloudlock N/A
Cws This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
Wsa N/A

Screenshots of Detection

AMP


ThreatGrid




Win.Dropper.TrickBot-7135730-0

Indicators of Compromise

Registry Keys Occurrences
<HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\AUTHROOT\CERTIFICATES\DAC9024F54D8F6DF94935FB1732638CA6AD77C13
Value Name: Blob
9
Mutexes Occurrences
Global\316D1C7871E10 68
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
89[.]105[.]203[.]184 10
192[.]3[.]146[.]179 9
185[.]174[.]172[.]60 8
198[.]46[.]198[.]12 8
200[.]119[.]45[.]140 7
37[.]228[.]117[.]250 7
178[.]170[.]189[.]117 6
82[.]118[.]21[.]99 6
185[.]172[.]129[.]146 6
107[.]181[.]175[.]122 5
190[.]13[.]190[.]178 5
31[.]184[.]253[.]6 5
107[.]22[.]215[.]20 4
131[.]196[.]184[.]141 4
187[.]58[.]56[.]26 4
198[.]12[.]97[.]212 4
5[.]53[.]124[.]49 4
146[.]185[.]219[.]27 4
198[.]27[.]74[.]146 3
172[.]217[.]3[.]115 3
116[.]203[.]16[.]95 3
185[.]248[.]87[.]88 3
146[.]196[.]122[.]167 3
189[.]80[.]134[.]122 3
191[.]37[.]181[.]152 3
*See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
250[.]5[.]55[.]69[.]zen[.]spamhaus[.]org 15
api[.]ipify[.]org 6
www[.]myexternalip[.]com 4
ipecho[.]net 4
ip[.]anysrc[.]net 3
api[.]ip[.]sb 3
checkip[.]amazonaws[.]com 3
wtfismyip[.]com 3
icanhazip[.]com 2
ident[.]me 1
ipinfo[.]io 1
Files and or directories created Occurrences
%APPDATA%\speedLan 68
%APPDATA%\speedLan\data 68
%APPDATA%\speedLan\settings.ini 68
%System32%\Tasks\Speed lan library 68
. 68

File Hashes

04cc68fc30be714b023932e85456cf0bb960e7c72c0c07b27a0aeb35cf8fb71e 077e31a93f6d19f4d0a4912f1ffaf0f9cc5dca757fc4c305344b0322f9d95170 0bd995744b6007b5d81ca25eac6f2aac3a9f9b0973fb4d8c319d5efebe0beec0 0e035419a2cd340cd563c1ba4d6a5701191ed97514ff43b0ff72dec3a36b0b50 1089c586a612d0eb070bb3b7adaab25ca21a2b74f5f32503ee11a93191699917 114de28dcd95a63d6ce8d39e9c580c0eaa845e24cf2949ed3bf1abe8e1430bb1 11c4553afa84784bb7933a6985cbf5398080024a209ea93dacd3ab325696d94e 17a1a857bff381e82d53dd579f5e71a9e9618a76cc135270783304d74693875e 17a44bda03089760b062816b65c1a31389e0379a2cc0b56d7bfe5406f791799f 183b29273cdede74e44f33e83441715a1ffd299959ffd94b2822d6c57cf7ff97 1b6324a79bae59678f056144dc2ada1be75a9134705faa87be1071576b67d2b7 1c6dd29936b46416bfad1882fe8d274c5cc456506ced1e3099ac2f28ecc83e24 1cfba2808e9e1f061a78141b42924825ca42209c6a3c767b20036f8b9b36fc03 2029cac9beb5ddfd09f89c164d38df940c9c3df930adb8a9b1f72bbd2724cfc2 2237a25cdf59f0dfee59dbcaf2d2bcf4e1b9416345d0d8dcdfa69355d879705b 22e973106e2ed6be4e73b09d527e4da7c1bc5f6a963999dc84d111e1e15e36a3 24362b930aa0b37e09b100d7e85534660ac8c902282cada914c9653680461fb7 26b22ce48b355abd0e368a786b3006d5d7d3c706deed14a3d112eb6cbbd3f2f5 27a17876f662ff5a8e3cfb99fc6c3289ea89c33b3d86aadbc4725e923f59d394 2882bf641cd6e1a2c29345be31cac1ec05364e04a68e702265e3db6fee3abcbd 2c6236b1b928c9c1171ee9fdba7ab69b6aa138bbca47e25135b42a0bf71d4d05 2d35bf5612f6bf43f52a03a9f2ff6d7dc55dc1351989535a9b9303947008fc09 2e742af09eeb39431cc8ea672c688e1facc6c481ae5bde6f41510180c38da3c5 2f68006ccb92f292a9b3a2091ed24ca37a079515e8d1a8d04417ee02bcf72991 30b4637c55f9af07575f0c7e28135e9a3ca843f3ec2166dd240722b6a9899a85
*See JSON for more IOCs

Coverage

Product Protection
Amp This has coverage
Cloudlock N/A
Cws This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
Wsa This has coverage

Screenshots of Detection

AMP


ThreatGrid




Win.Dropper.Nymaim-7135710-0

Indicators of Compromise

Registry Keys Occurrences
<HKCU>\SOFTWARE\MICROSOFT\GOCFK 14
<HKCU>\SOFTWARE\MICROSOFT\GOCFK
Value Name: mbijg
14
Mutexes Occurrences
Local\{369514D7-C789-5986-2D19-AB81D1DD3BA1} 14
Local\{D0BDC0D1-57A4-C2CF-6C93-0085B58FFA2A} 14
Local\{F04311D2-A565-19AE-AB73-281BA7FE97B5} 14
Local\{F6F578C7-92FE-B7B1-40CF-049F3710A368} 14
Local\{306BA354-8414-ABA3-77E9-7A7F347C71F4} 14
Local\{F58B5142-BC49-9662-B172-EA3D10CAA47A} 14
Local\{C170B740-57D9-9B0B-7A4E-7D6ABFCDE15D} 14
Local\{B888AC68-15DA-9362-2153-60CCDE3753D5} 14
Local\{2DB629D3-9CAA-6933-9C2E-D40B0ACCAC9E} 14
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
urbdld[.]com 13
sgkwcf[.]in 13
jzhqh[.]pw 13
uyakvehnglm[.]in 13
elshuxnhc[.]pw 13
kuazdamnx[.]pw 13
ukyffr[.]net 13
cqgupfbw[.]com 13
ylslbgzh[.]com 13
bhbhsllaoxfp[.]in 13
myiuumylf[.]pw 13
ouwtnuaujnj[.]com 13
kpmotg[.]com 13
uyoegvucna[.]pw 13
llenpvbww[.]pw 13
biusulcp[.]com 1
asmouxe[.]com 1
retbiq[.]pw 1
niyzb[.]com 1
msktndng[.]net 1
lmgdj[.]pw 1
kxjoleveza[.]in 1
scydgzjclxb[.]pw 1
rqtppygwhgb[.]net 1
rtsdhccwsyjf[.]pw 1
*See JSON for more IOCs
Files and or directories created Occurrences
%ProgramData%\ph 14
%ProgramData%\ph\fktiipx.ftf 14
%TEMP%\gocf.ksv 14
%ProgramData%\<random, matching '[a-z0-9]{3,7}'> 14
%APPDATA%\<random, matching '[a-z0-9]{3,7}'> 14
%LOCALAPPDATA%\<random, matching '[a-z0-9]{3,7}'> 14

File Hashes

2d4101e26a68ba841691664f2b102e003559458ea5df5010967a820c615bd218 300096cf851508538a09694a71597be71f9a1e7cbacb664053f7b9ec6ef56254 31912de803b6d94833ad5aac693904288d718d98a4db162369b88d28ce486814 324c4463deac99896a6d8634a7c0f1ca2b32de4638cad6a4d6c245d9f7f93567 56afe6eb98d99c184e1a83b105f1425a40f132a47221c2d8f389649879408636 5dab30eb9eb87f97f01eb64c06faaa361a39fc56403ebd36005f208c5e4cfe66 782c73cafa54de836efc2613e006ab4f39f91f65616b773d9ae46275957ec2f5 7c5709b104905ecb64a8a1dfd87a7d3f380405b5ee790074290f5d3348e2aae6 8d371e0fd91fe1b9b0bebdd6f3712ef6246c52dc6f37c4eaf53269fefa57d06b a6fac72b01757f7ba3c8d2789f40fc966e32c10260b14341640a3e8565da3544 b2eb0926631be37902d8f28965d64d5519057cbc46de07f7ea209d7a9ecbb9a4 b4e5f95ef5b0ea44950ec94584228e7243ef4a1b2a4baf93fe4bba1f853f2141 d6b1935b8be102d5fbd67b5551090775e1d41dc1baa5c7dbf0a128ca2ec35c39 f359759b3960ddf91cd3a70636731411f615db1b1dd27d343d698b9680560a49

Coverage

Product Protection
Amp This has coverage
Cloudlock N/A
Cws This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella This has coverage
Wsa This has coverage

Screenshots of Detection

AMP


ThreatGrid



Umbrella




Win.Ransomware.TeslaCrypt-7135496-1

Indicators of Compromise

Registry Keys Occurrences
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM
Value Name: EnableLinkedConnections
12
<HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\AUTHROOT\CERTIFICATES\DAC9024F54D8F6DF94935FB1732638CA6AD77C13
Value Name: Blob
12
<HKCU>\SOFTWARE\ZSYS 12
<HKCU>\SOFTWARE\ZSYS
Value Name: ID
12
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Acrndtd
12
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{C8E6F269-B90A-4053-A3BE-499AFCEC98C4}.CHECK.0
Value Name: CheckSetting
12
<HKCU>\Software\<random, matching '[A-Z0-9]{14,16}'> 12
<HKCU>\Software\<random, matching '[A-Z0-9]{14,16}'>
Value Name: data
12
Mutexes Occurrences
2134-1234-1324-2134-1324-2134 12
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
198[.]185[.]159[.]144 12
184[.]168[.]131[.]241 12
213[.]185[.]87[.]28 12
43[.]229[.]84[.]116 12
35[.]195[.]98[.]220 12
192[.]237[.]132[.]248 11
204[.]79[.]197[.]200 9
13[.]107[.]21[.]200 8
216[.]239[.]36[.]21 4
216[.]239[.]34[.]21 3
216[.]239[.]38[.]21 3
216[.]239[.]32[.]21 1
78[.]47[.]139[.]102 1
213[.]185[.]88[.]133 1
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
myexternalip[.]com 12
en[.]wikipedia[.]org 12
www[.]torproject[.]org 12
ogp[.]me 12
opengraphprotocol[.]org 12
static1[.]squarespace[.]com 12
vr6g2curb2kcidou[.]expay34[.]com 12
tsbfdsv[.]extr6mchf[.]com 12
www[.]garrityasphalt[.]com 12
gjesdalbrass[.]no 12
garrityasphalt[.]com 12
TESTADISENO[.]COM 12
o7zeip6us33igmgw[.]onion[.]to 12
diskeeper-asia[.]com 12
kochstudiomaashof[.]de 12
grassitup[.]com 12
vrd463xcepsd12cd[.]crsoftware745[.]com 12
grassitupbluegrass[.]com 11
www[.]grassitupbluegrass[.]com 11
Files and or directories created Occurrences
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$I5QX7W9.txt 12
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$I77RW1L.txt 12
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$I7J37KF.txt 12
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$I9NSD58.txt 12
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IANXEE8.txt 12
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IC5NB1M.txt 12
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$ID60W3E.txt 12
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IIUTK07.txt 12
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IJE160U.txt 12
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IKAVPAE.txt 12
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IL2NS3P.txt 12
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$INKC8CM.txt 12
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IP8M1EE.txt 12
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IPDP9E0.txt 12
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$ISIYA4I.txt 12
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IV54ALI.txt 12
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IWK2JPN.txt 12
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IWYYKMD.txt 12
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IXC3P46.txt 12
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IZ7KADN.txt 12
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$R0Y9SM6.txt 12
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$R0ZU5JT.txt 12
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$R478AKJ.txt 12
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$R4FI238.txt 12
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$R4FKVBH.txt 12
*See JSON for more IOCs

File Hashes

0d65ea3ded78d4d778f95fb7b578e0484156ce0664f96c9e670fc39ba32d9499 10dd7d41572281016bd1e00fbd9a620bed11449c7dcf80f9dfe421d7a2b495bb 1d13db5d78dd1f92c89884bf62b01ce30bb66e61d5306b6a9e6d0c3fe8d449af 3d658a771cc4855faaadc1dc5e5bc22a832cc9dde7596bab6b3910e4d076d71c 5d3aae382c5e76531b67eb1216454da32380ed0b209d1d16f565481f2bd9f198 6056a5026ac23e431a4a966b0f1e76ea0563a0bddd4926c4ffb1a0301f57fa3e 67da257dd448e50c61118e2d18e72c5af4538cf0f34a455a551e66307d65bed1 6e98ef200aa863074266c6e0b793bb76cfa7e89226c48e2c85d299653ce6f6ab 9de6d3506741e86a78eab659f6320784feda15e442f909266567f033ed88d6a6 b59e53aa73396d311b5525080950567eaff847266a615f74a43592ef1b968444 bf77ab55ee1faad26faa871fd962f26aa49636ff8db5a8fb3fde52d3e4fcf7c3 e1e70ceb74927640f6c487d7ac6b6071a7d858e2b86001bdfc1fcaf5b826e866

Coverage

Product Protection
Amp This has coverage
Cloudlock N/A
Cws This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella This has coverage
Wsa This has coverage

Screenshots of Detection

AMP


ThreatGrid



Umbrella


Malware




Win.Dropper.SpyEye-7134261-0

Indicators of Compromise

Mutexes Occurrences
__CLEANSWEEP__ 178
Global\5594cda1-c547-11e9-a007-00501e3ae7b5 9
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
23[.]218[.]40[.]161 22
199[.]59[.]242[.]151 4
213[.]155[.]29[.]144 3
216[.]218[.]206[.]69 1
78[.]153[.]149[.]28 1
185[.]27[.]134[.]92 1
216[.]135[.]83[.]84 1
31[.]170[.]160[.]57 1
64[.]15[.]147[.]205 1
66[.]90[.]97[.]7 1
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
e13678[.]dspb[.]akamaiedge[.]net 8
www[.]yourbotnet2[.]cn 6
www[.]microsoft-spynet[.]com 2
carder[.]bit 1
11776[.]BODIS[.]com 1
www[.]teto[.]ly 1
scorpions69[.]cwahi[.]net 1
mybotnett[.]hostingsiteforfree[.]com 1
egysn1[.]no-ip[.]biz 1
poker365site[.]com 1
www[.]yourbotnet[.]cn 1
www[.]kokainpawer[.]com 1
www[.]reskuesecurities[.]host[.]org 1
www[.]secureantibot[.]net 1
www[.]moawia2[.]eb2a[.]com 1
www[.]microsoft-windows-security[.]com 1
Files and or directories created Occurrences
\cleansweep.exe 178
\cleansweep.exe\cleansweep.exe 177
\cleansweep.exe\config.bin 175

File Hashes

15f730329a5f5931052f028770629fd0fc90661c0bdd5a98c24c5c5b79f81774 21a0f59cd2dd48186a2a5f45b96a7b9f2152bd22e361f50547ba76d8cb82b6eb 29e261b1bc20231df371c5718d9619c2445cb31260609e6a4787395b1382d883 37bbbe62a193a2b85dea704e2375850bd620e7b2e68235df0a5aa78aa2ba6688 38a0e91b74713a524f49d1ddce5dd1c3a22c34fb053bedde39659792c4acd0fc 38ae428938b7dc6a09f33bf3f3a55c7eec15a0cae695d9ac3e435a1ad887cdbc 3c3fa850ef2811432a6a37733e6fdb590ec6527291d0abcf0f74287df5214c76 3d03bd0db3532078bdba4b794da355c189222850535820a3f2570b4f1343e155 3e4393b3980a0dff3e6b364ea1ae1dabab7e079f90bf002efa280901ee7e0894 40b836c7f127ac0b67343746ad46e2058dd56f6b198629667e2c4dff19b06770 43d25cdcd985d5dceedfcd655ce06b9fb58df5e6a680764be91149249140d836 467e29745a7ec5f30c3df7f2cd74b78df6f075ee9b0c709ddec34382f6f9f116 46a112798b137e1977df820e5ba4d9f8908ff802e64f9d978f43354cd175712f 48945ce8f30583fb2796d0b8496a6a374bd2b57fab8965f758ba314a2c29ea5c 4a6125eb20553669ffb92f8b04baa3ed685ea8e34181814e82a1d26b128e0376 4d34b2fbc133331656ebf6583657a2a545387eef68829909649a8a161943531d 4dd1b6513ac756dcddd584a1734f2bf44af0741c5604c570bed28a9eced9acf6 4f4545bb03e227873fff3be2e471e012ff85440a11f9284a86c38611ac57f0ab 4f6e94a61f766e0b8d95009da98bfc0f525ce02932129d12a2da22cdac0edcb8 4fba37bd388eb78145f81f8c8679d4c147792ada6017b6665517974e291013a4 503309f6f90a6cac1f90153c89d08efa7856105eabaa64d56a3158880e057d88 52a69ad3586a2efe01f23d585c351c13da945453194bacb4bdaab6949b9d5fb0 5412da86b9e5483547f10d2e36da09f17d6c9e0956b8167987a72b4c7827b105 542f2945f5b6de001dac02ba0db3a7ca0987ea3f13a2a83b1b2cd9ddc40b0e7d 557818fb74b32f1e642f4ad228e657a73a11844afb5250a827a953a0e690dcc7
*See JSON for more IOCs

Coverage

Product Protection
Amp This has coverage
Cloudlock N/A
Cws This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella This has coverage
Wsa This has coverage

Screenshots of Detection

AMP


ThreatGrid


Umbrella




Win.Dropper.Qakbot-7133972-0

Indicators of Compromise

Registry Keys Occurrences
<HKLM>\SOFTWARE\MICROSOFT\MICROSOFT ANTIMALWARE\SPYNET
Value Name: SpyNetReporting
25
<HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\AUTHROOT\CERTIFICATES\DAC9024F54D8F6DF94935FB1732638CA6AD77C13
Value Name: Blob
25
<HKLM>\SOFTWARE\MICROSOFT\MICROSOFT ANTIMALWARE 25
<HKLM>\SOFTWARE\MICROSOFT\MICROSOFT ANTIMALWARE\SPYNET 25
Mutexes Occurrences
Global\eqfik 25
Global\ufwao 25
llzeou 25
5362a8e863415e3c7ed2392c736a 25
5362a8e863415e3c7ed2392c736/C 25
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
198[.]49[.]66[.]130 25
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
www[.]allens-treasure-house[.]com 25

File Hashes

09d52dcd746678ab7cfdf98920c69af368d0024dd387fea4cb4cf23af7c8100c 0fc1f1bbe848a9b6fdeb45135b262dcc2bface23a484f1f004c68dfc1048ef12 13579cd0a09fc3f35b0e086a3e4da7044005f820eb91a5a8172b37a997d9baf8 17d1ab8faf6c77c2155c414ff152afcb54dfdb274898fe6875db1b0b5b439977 1bd9b51dd8926e70c8749e415c9c87192c23240e6bd78fa1ff141e320ef2ad13 1fe482aac4ef067817e8b65ad3411cb94af8cad2a3758e284ccd42d25370723c 20e192f48253abdeba665e38681d5fc6977cf114007b45967ca7a0cdd0cccd96 21a01de82da765f27f34dc14dfda9660cfc3fed24423d98705d2d1550ea36ba1 2976602ffae5758d0eb0e7ccd0fa8eb7595a4ced9ead3a8b830410a2058b99e1 2ec0ff7389d034e2bd400e451edca5a3deda018a87dfccc9118f6f116759034b 3c4680da012f0b51a506dc7a0fbe3ae296d7ad96366dc8219167e6ac3887fc77 42be15098d49494e1cc88f97d6d4ed5547839b38db878e798764481d484853df 4dc140ee0226f7b07fe8fd810ba2486415bc3b13018b55238ca8865a76943618 5362a8e863415e3c7ed2392c736fd118775b470e37ea19257fc4c41941b6f342 546bbc6277e9a0057e38f166b2c9b066e27581e160b5c98043566225e2c2d836 63b6c543e28bae70de1b6fe67906831327d06dd65ccb8d8ca52e92636b3931bd 68d76d7697facbe74d18a20181f1e3eb5c17d43ed0bc69fdaab91401b027d8f2 69c47be5330ec6b8946feb79d31d5590d70cca9cc1e49fc120695db169992f63 737eed504a364c8f666c35348e42031f8177e7c8c11bb34f2c2110ba2a55c419 766b64050ada4916906acfb8c97caf163c68f9d38af60243b9a4384609ec0712 786b478fdc0cb9e9b3d09c788f3e13fe04c13db3c21bf750b23d3d421c06ad87 8a01813be148547015b7980bc0974c6da07e57044ed5029655ec624af4f23e59 8ea9c35eec1fb14c8866526e32d4dff022c8ef435afab922989468cd674007e8 92572a77f909ea7edb20fb235012065923928c3ce3a29d9cbdf672a55537121a 9ada91d7ff3140a80f4b344fc6067a105577443792941ab6675f7d4d862c265a
*See JSON for more IOCs

Coverage

Product Protection
Amp This has coverage
Cloudlock N/A
Cws This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
Wsa N/A

Screenshots of Detection

AMP


ThreatGrid




Exploit Prevention

Cisco AMP for Endpoints protects users from a variety of malware functions with exploit prevention. Exploit prevention helps users defend endpoints from memory attacks commonly used by obfuscated malware and exploits. These exploits use certain features to bypass typical anti-virus software, but were blocked by AMP thanks to its advanced scanning capabilities, even protecting against zero-day vulnerabilities.
Madshi injection detected - (3693)
Madshi is a code injection framework that uses process injection to start a new thread if other methods to start a thread within a process fail. This framework is used by a number of security solutions. It is also possible for malware to use this technique.
CVE-2019-0708 detected - (3432)
An attempt to exploit CVE-2019-0708 has been detected. The vulnerability, dubbed BlueKeep, is a heap memory corruption which can be triggered by sending a specially crafted Remote Desktop Protocol (RDP request). Since this vulnerability can be triggered without authentication and allows remote code execution, it can be used by worms to spread automatically without human interaction.
Process hollowing detected - (1556)
Process hollowing is a technique used by some programs to avoid static analysis. In typical usage, a process is started and its obfuscated or encrypted contents are unpacked into memory. The parent then manually sets up the first stages of launching a child process, but before launching it, the memory is cleared and filled in with the memory from the parent instead.
Kovter injection detected - (1367)
A process was injected into, most likely by an existing Kovter infection. Kovter is a click fraud Trojan that can also act as an information stealer. Kovter is also file-less malware meaning the malicious DLL is stored inside Windows registry and injected directly into memory using PowerShell. It can detect and report the usage of monitoring software such as wireshark and sandboxes to its C2. It spreads through malicious advertising and spam campaigns.
Dealply adware detected - (210)
DealPly is adware, which claims to improve your online shopping experience. It is often bundled into other legitimate installers and is difficult to uninstall. It creates pop-up advertisements and injects advertisements on webpages. Adware has also been known to download and install malware.
Gamarue malware detected - (203)
Gamarue is a family of malware that can download files and steal information from an infected system. Worm variants of the Gamarue family may spread by infecting USB drives or portable hard disks that have been plugged into a compromised system.
Trickbot malware detected - (133)
Trickbot is a banking Trojan which appeared in late 2016. Due to the similarities between Trickbot and Dyre, it is suspected some of the individuals responsible for Dyre are now responsible for Trickbot. Trickbot has been rapidly evolving over the months since it has appeared. However, Trickbot is still missing some of the capabilities Dyre possessed. Its current modules include DLL injection, system information gathering, and email searching.
Installcore adware detected - (105)
Install core is an installer which bundles legitimate applications with offers for additional third-party applications that may be unwanted. The unwanted applications are often adware that display advertising in the form of popups or by injecting into browsers and adding or altering advertisements on webpages. Adware is known to sometimes download and install malware.
PowerShell file-less infection detected - (56)
A PowerShell command was stored in an environment variable and run. The environment variable is commonly set by a previously run script and is used as a means of evasion. This behavior is a known tactic of the Kovter and Poweliks malware families.
Excessively long PowerShell command detected - (37)
A PowerShell command with a very long command line argument that may indicate an obfuscated script has been detected. PowerShell is an extensible Windows scripting language present on all versions of Windows. Malware authors use PowerShell in an attempt to evade security software or other monitoring that is not tuned to detect PowerShell based threats.

No comments:

Post a Comment