Friday, February 21, 2020

Threat Roundup for February 14 to February 21

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Feb. 14 and Feb. 21. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.


For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. As always, please remember that all IOCs contained in this document are indicators, and one single IOC does not indicate maliciousness.
The most prevalent threats highlighted in this roundup are:

Threat Name Type Description
Win.Dropper.Gandcrab-7586670-0 Dropper Gandcrab is ransomware that encrypts documents, photos, databases and other important files using the file extension ".GDCB," ".CRAB" or ".KRAB". Gandcrab is spread through both traditional spam campaigns, as well as multiple exploit kits, including Rig and Grandsoft.
Win.Packed.Mikey-7586709-0 Packed Mikey is a trojan that installs itself on the system, collects information and communicates with a C2 server, potentially exfiltrating sensitive information. This threat can also receive additional commands and perform other malicious actions on the system, such as installing additional malware upon request.
Win.Malware.Qakbot-7586710-1 Malware Qakbot, aka Qbot, has been around since at least 2008. Qbot primarily targets sensitive information like banking credentials but can also steal FTP credentials and spread across a network using SMB.
Win.Malware.Razy-7588195-0 Malware Razy is oftentimes a generic detection name for a Windows trojan. It collects sensitive information from the infected host and encrypts the data, then sends it to a command and control (C2) server. Information collected might include screenshots. The samples modify auto-execute functionality by setting and creating a value in the registry for persistence.
Win.Packed.Generickdz-7586813-0 Packed This is a BobSoft Delphi application that wraps malware. In the current campaign, the HawkEye spyware is installed. The malware uses process hollowing to hide from detection and achieves persistence across reboots by leveraging an Autostart key in the Windows registry.
Win.Packed.Tofsee-7586819-1 Packed Tofsee is multi-purpose malware that features a number of modules used to carry out various activities such as sending spam messages, conducting click fraud, mining cryptocurrency, and more. Infected systems become part of the Tofsee spam botnet and are used to send large volumes of spam messages in an effort to infect additional systems and increase the overall size of the botnet under the operator's control.
Win.Malware.Nymaim-7586870-1 Malware Nymaim is malware that can be used to deliver ransomware and other malicious payloads. It uses a domain-generation algorithm to generate potential command and control (C2) domains to connect to additional payloads.
Win.Ransomware.Remcos-7586925-1 Ransomware Remcos is a remote access trojan (RAT) that allows attackers to execute commands on the infected host, log keystrokes, interact with a webcam, and capture screenshots. This malware is commonly delivered through Microsoft Office documents with macros, sent as attachments on malicious emails.
Win.Malware.Autoit-7586956-0 Malware This signature covers malware leveraging the well-known AutoIT automation tool, widely used by system administrators. AutoIT exposes a rich scripting language that allows adversaries to write fully functional malicious software. This family will install itself on the system and contact a C2 server to receive additional instructions or download follow-on payloads.

Threat Breakdown

Win.Dropper.Gandcrab-7586670-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 48 samples
Registry Keys Occurrences
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: eegsjfdkqvr
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: ythjobixtnr
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: yeelxnznvki
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: umwdlwwsaaz
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: piveskqvesb
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: ispyjcnalox
1
<HKCU>\SOFTWARE\MICROSOFT\OFAGAS 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Diokydyb
1
<HKCU>\SOFTWARE\MICROSOFT\SYSTEM
Value Name: Panda
1
<HKCU>\SOFTWARE\MICROSOFT\OFAGAS
Value Name: Ydcyuxos
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: pkmkandzsro
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: ejmsgaummxr
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: hujteforzto
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: jcrillrkibx
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: hrsalhxnejd
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: dctzafzqnkl
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: cuzlcuudbwx
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: sxzpjghkvsd
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: wriuvpwacau
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: duivayvsjqx
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: xbxpanidwht
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: uethoblisdu
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: sarblkidckc
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: sujhhdohjjr
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: yfvdvhnadpu
1
Mutexes Occurrences
Global\pc_group=WORKGROUP&ransom_id=4a6a799098b68e3c 46
GLOBAL\{<random GUID>} 1
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
66[.]171[.]248[.]178 46
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
ipv4bot[.]whatismyipaddress[.]com 46
1[.]1[.]168[.]192[.]in-addr[.]arpa 46
dns1[.]soprodns[.]ru 46
nomoreransom[.]bit 46
gandcrab[.]bit 46
nomoreransom[.]coin 46
bon[.]aungercote[.]org 1
ver[.]sceinsheru[.]org 1
Files and or directories created Occurrences
%APPDATA%\Microsoft\Crypto\RSA\S-1-5-21-2580483871-590521980-3826313501-500\a18ca4003deb042bbee7a40f15e1970b_d19ab989-a35f-4710-83df-7b2db7efe7c5 46
%APPDATA%\Microsoft\<random, matching '[a-z]{6}'>.exe 46
%APPDATA%\Enylf\vyku.exe 1
%APPDATA%\Guibc 1
%APPDATA%\Guibc\hyka.irp 1
%APPDATA%\Gyun 1
%APPDATA%\Gyun\vaxac.qae 1
%APPDATA%\Nozuo 1
%APPDATA%\Nozuo\quzui.exe 1

File Hashes

099c47434a97a9bcd0c6bb5f0291bb69d70dd05ab002fa83487d63b997b90f96 09eeafacfe79c4fc87c45dab72ce88aa1e234e668e2535e209beaa4a8181610f 0d293a8759d4bae6aa5d8587108a508f6d40efb449dbc239800efebb7a2bf2d7 10ae8e44b98f0255ba8e6d819d804e8379336500f3e27a14bb5b8ea72a07eb80 134e8947ef2f684d816c6c1da588fba3f9f0c08c24533adc02cbcb93d9e1494a 145bcff3aca6ba04f241e0d5ced04e2781c8a0f225ebf51dcddfb238fdbc63ea 18213dfc3c25be525312f6ff70e4ea8861233bc562d1442a501a0ae7c7bd93f4 187591cccfe3eb0c7bea183e03a735be581f704866b2bf2f82c2f57c759f5fde 1a2e00ce828da6130592178bd3b0bf47f2b3edefafffe7e6371622aae1ceb9af 1a99329960098a5414c2fac1bad96ef143878fb5435bcdc6cef9d288081e8b4b 1d2d031f33ce5adea4a45c700e29e99903d55850481fb17deb479fe47d367a18 1e4294a2b465e27903582116b12d5db2a6999116e27c698b5b98ae52035649b7 1ee6e03bfe259cf4a95c093e85056ae9807fa53f83f465b8878d74a114f148fd 2164d2a4c1a861298c8003118855be9ae68614c5e557638830038658b2e6e47c 22d18aa907e4750c7fce359140c44db444c644e8576c8609ca54c2e85afa0ac7 234bcafc5700b9f59d30bbcd0b7ba4694e49ffe6621ed63a5a6f0464a6aba447 25a297586142486627a765200bfc30658cdb4500949c581a83d1be262c60c4c6 25ae0f8e3b3938131d098ff7832167a5b6629e6cb8972827b7f1175b69e063c9 2651e9bbd4004b56eefa43f4f7ffd982d16d07df2980423cb54b1ee585172ae5 274d2074201aabff30008390fbc34087fc9aead9ec924d18708a0d6670bb6995 276f56271a9b3e3fcce07ccd2e4dab2a4316b90e8e715e2657b572da0109c801 2a7ad044e7f131e71e794cc8dd31ce746f455d9c53e45b88c3696891f4f11b35 2bb8a6eae8695c55070f5f78371609052f73826a2df29a9e2ab82c7c89603369 2cecccc835e1485e21cc45c86571f82f06223e422f59410228c140e77862ef3a 2d239ffa8b5e13e8c19de06e5d5825e24df4c52f31741ab7373b2b74b612ab2f
*See JSON for more IOCs

Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection

AMP


ThreatGrid


Umbrella




Win.Packed.Mikey-7586709-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 16 samples
Registry Keys Occurrences
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DEFAULTICON 4
<HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\AUTHROOT\CERTIFICATES\75E0ABB6138512271C04F85FDDDE38E4B7242EFE
Value Name: Blob
4
<HKCU>\SOFTWARE\NEMTY 4
<HKCU>\SOFTWARE\NEMTY
Value Name: fid
4
<HKCU>\SOFTWARE\NEMTY
Value Name: pbkey
4
<HKCU>\SOFTWARE\NEMTY
Value Name: cfg
4
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\unbhgouj
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\UNBHGOUJ
Value Name: Type
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\UNBHGOUJ
Value Name: Start
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\UNBHGOUJ
Value Name: ErrorControl
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\UNBHGOUJ
Value Name: DisplayName
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\UNBHGOUJ
Value Name: WOW64
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\UNBHGOUJ
Value Name: ObjectName
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\UNBHGOUJ
Value Name: Description
1
<HKU>\.DEFAULT\CONTROL PANEL\BUSES
Value Name: Config3
1
<HKU>\.DEFAULT\CONTROL PANEL\BUSES 1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\UNBHGOUJ 1
<HKU>\.DEFAULT\CONTROL PANEL\BUSES
Value Name: Config1
1
<HKU>\.DEFAULT\CONTROL PANEL\BUSES
Value Name: Config2
1
<HKU>\.DEFAULT\CONTROL PANEL\BUSES
Value Name: Config0
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\UNBHGOUJ
Value Name: ImagePath
1
Mutexes Occurrences
Global\<random guid> 7
Vremya tik-tak... Odinochestvo moi simvol... 4
A16467FA7-343A2EC6-F2351354-B9A74ACF-1DC8406A 3
A238FB802-231ABE6B-F2351354-CF072D6D-090D08F1 1
chv8VoF8462A240TQszdiFeaRyFs610A 1
A238FB802-231ABE6B-F2351354-7FCA0C5B-B9CFE7DF 1
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
172[.]217[.]164[.]179 3
172[.]217[.]7[.]243 2
104[.]26[.]4[.]15 2
46[.]29[.]160[.]26 2
104[.]26[.]5[.]15 2
194[.]116[.]162[.]29 2
91[.]215[.]170[.]234 2
46[.]4[.]52[.]109 1
104[.]47[.]36[.]33 1
43[.]231[.]4[.]7 1
93[.]171[.]200[.]64 1
67[.]195[.]228[.]110/31 1
168[.]95[.]5[.]112/31 1
168[.]95[.]5[.]216/30 1
168[.]95[.]5[.]118/31 1
172[.]217[.]197[.]26/31 1
98[.]136[.]96[.]76/31 1
203[.]15[.]169[.]11 1
67[.]195[.]204[.]73 1
85[.]114[.]134[.]88 1
67[.]195[.]204[.]75 1
67[.]195[.]204[.]80 1
98[.]136[.]96[.]92/31 1
134[.]0[.]12[.]89 1
198[.]35[.]20[.]31 1
*See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
www[.]myexternalip[.]com 4
nemty10[.]hk 4
api[.]db-ip[.]com 4
0300ssm0300[.]xyz 3
ghs[.]googlehosted[.]com 2
smtp[.]secureserver[.]net 1
ipinfo[.]io 1
api[.]pr-cy[.]ru 1
mx-aol[.]mail[.]gm0[.]yahoodns[.]net 1
hotmail-com[.]olc[.]protection[.]outlook[.]com 1
centrum[.]sk 1
post[.]sk 1
msx-smtp-mx1[.]hinet[.]net 1
www[.]google[.]no 1
damstein[.]no 1
clayvard[.]com 1
oppdal-booking[.]no 1
luthgruppen[.]no 1
gjestal[.]no 1
claytonwright[.]co[.]uk 1
hxqk[.]sk 1
lovetts[.]com 1
upkm[.]sanet[.]sk 1
loveumail[.]com 1
vae[.]sk 1
*See JSON for more IOCs
Files and or directories created Occurrences
%TEMP%\CC4F.tmp 7
%TEMP%\<random, matching '[a-f0-9]{3,5}'>_appcompat.txt 6
%TEMP%\<random, matching '[A-F0-9]{4,5}'>.dmp 6
%HOMEPATH% 5
%ProgramData%\Microsoft\Windows Defender\Scans\CleanStore\Resources\01\0119C23D88292A0E4FEC04D5CF8629005A44E37C 4
%ProgramData%\Microsoft\Windows Defender\Scans\CleanStore\Resources\17\17542707A3D9FA13C569450FD978272EF7070A77 4
%ProgramData%\Microsoft\Windows Defender\Scans\CleanStore\Resources\1A\1A141DBFA4083406630DD9A81AD35C416F604800 4
%ProgramData%\Microsoft\Windows Defender\Scans\CleanStore\Resources\47\47267F943F060E36604D56C8895A6EECE063D9A1 4
%ProgramData%\Microsoft\Windows Defender\Scans\CleanStore\Resources\95\954D59EAEADC36CB19A224A5DDDFA1EDCFDC49CE 4
%ProgramData%\Microsoft\Windows Defender\Scans\CleanStore\Resources\A2\A2C4E53F8E58DC61E337D4CFBBDFBF5BA2825852 4
%ProgramData%\Microsoft\Windows Defender\Scans\CleanStore\Resources\A5\A5B16A7D28D2BA79A9CCFC16ED480AD75A757166 4
%ProgramData%\Microsoft\Windows Defender\Scans\CleanStore\Resources\AF\AF210C8748D77C2FF93966299D4CD49A8C722EF6 4
%ProgramData%\Microsoft\Windows Defender\Scans\CleanStore\Resources\B0\B066A9B35AE0BB605431AC8740DEA2A659EED4C4 4
%ProgramData%\Microsoft\Windows Defender\Scans\CleanStore\Resources\D3\D34ED774F9FDCBA938A7807BD8FB1B398C51BC81 4
%ProgramData%\Microsoft\Windows Defender\Scans\History\Results\Quick\{69EB062C-C99C-4979-B7E6-36430B258597} 4
%APPDATA%\Microsoft\Crypto\RSA\S-1-5-21-2580483871-590521980-3826313501-500\518e2bc94bc324e5e6f82437175ae1af_d19ab989-a35f-4710-83df-7b2db7efe7c5 4
%ProgramData%\Microsoft\User Account Pictures\Administrator.dat 4
%ProgramData%\Microsoft\Windows Defender\Scans\CleanStore\LastBld.dat 4
%APPDATA%\NEMTY_GBF756G-DECRYPT.txt 1
%HOMEPATH%\Desktop\NEMTY_GBF756G-DECRYPT.txt 1
%HOMEPATH%\Documents\NEMTY_GBF756G-DECRYPT.txt 1
%HOMEPATH%\Downloads\NEMTY_GBF756G-DECRYPT.txt 1
%HOMEPATH%\Favorites\NEMTY_GBF756G-DECRYPT.txt 1
%HOMEPATH%\Links\NEMTY_GBF756G-DECRYPT.txt 1
%HOMEPATH%\NEMTY_GBF756G-DECRYPT.txt 1
*See JSON for more IOCs

File Hashes

0b02eb48cb0b7e88d3c5c6d6b6366dedc8d29f13e8ef252d768ce5f0acf3e6b7 2d2c2363a77afa2a914cf77e684cd279150bef2e5f5c27ba45e2be26b094d6e9 31145485a77c5167d0b01834793203c7f03e4298e532712773700f853bf494d5 4ed113b1e3967eea8beec9ac8b23017a25938dda53822c51c21d30c71a946660 53279dd8f9c45b2e213d4925c5a59cc0297a3446d566cb4eb2825b5042d912a9 7475233e2a3836d3a8b69fc76450cda8770beb5e61da095fb108898ef9bca0fb 7f944fc983d8100caf59f4918239e6d83f0cb2a498ea3f48e8623b3cebcc3250 944006ef7abb2e02f87ddafd0e50f8e3c600d3914462d6216027f5c5dd8db475 9f2a258a72368901ac1f99e7d0eadf62a85a2d33c56d3dca3d1406244dd0713a a30e02134af6767d48793d1ac857d428b11380fa6c2f4898918b1b3ed2012700 a969b88015cf14ae1b50cc903e82b75d754deddbca2a2bb1a39db4c6cf447c12 a9f6d5ad40d5b073be92fc46666ce1f96e30c50494a018d472cfee56ff2b8c65 cbe96c19bc6246b4c85242e87b74481be23ac7bebe61aea6b34ff7deb8f17275 d74cc221d6ab6e29b7049ab7f49a6ac80c9cde20ca7f4db31e128037f1bf9d4d dba02f5167986887ab29070b468c15bbc15d79942d62c8f9bcf95546c461d128 f15065bb9747e1c9a7f2bb41e80efdc2ef0435ac1f5b649d11c7537fa9095eba

Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection

AMP


ThreatGrid


Umbrella




Win.Malware.Qakbot-7586710-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 17 samples
Mutexes Occurrences
ocmwn 17
Files and or directories created Occurrences
\TEMP\7dcd176143285b60a9dda1499593d0e2.exe 1
\TEMP\7119a1ba9e8866f9aca5360c337aa099.exe 1
\TEMP\8d6ac636eb8758ef5c1820e457f6f4c3.exe 1

File Hashes

16e98279914ef3280950a2cba389e0aced7bc38d45db4f4e3b516bab17de41b2 2194ff71108712b66905dc46155aada3b0c5e56986e7db97f50b1dc5055aa41f 279be64e1b80827ebc2187f76914b57d8ce6fc14aa70ee908c8e29c1a6177f8a 2b8c204a35189a6937aa9740820a4ac6caf7ca372656d20d8bfc9f8583f02081 3cb499f2bb1838ad8066bae7254fa012a2b7ba4270ae284774537093898beda2 44b234565a5590957845f1c4e14e7c81ab5be8a9ae0d19a1f4e04ebcf67be907 46ab34a52c0e0f8a6cfb302d38085924f55e7a0d37c5bf8cd6b503ea83a2055e 58225241e8f436355e2cc739127490ad8a88d6d47620c727a26e56c5c1e786e0 5afa22c50fd430fed4f06437dcdb74248bc40917dd6a4f4844137528ae186aaa 8c17ae11559298aa36b6837b9e6a2f4fcee5a083004ea6463aa9384c04d016f3 abe179259e363dad7ab393685c3dd711550a9f8aa7fe5344de8141723352b0de b053b3570129f906cf09d2a63d034f724fd3d561d991fec761133c1cfe568ef6 b8a80038ab33b7a556f3b1e47cadfddc417d7301ee62c0a87610ab635e60360a bf052b65100259f2a13c98a20aad8f8bd8688a07639530aa12159200fb39c504 d6b4f5ce244ce922fbed636528ad6deb7ca306f543400657b5e07dc0ffd6521f db037e58c1bc214b4853bff0aedd8ba22a5ab60e37b127178fb36547b2124051 dc01374a8e4b46e82f3efc130065b8e7a93bdb537ece13e02ac303a881b138ac

Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

AMP


ThreatGrid




Win.Malware.Razy-7588195-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 54 samples
Registry Keys Occurrences
<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\TOOLBAR
Value Name: Locked
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\HOMEGROUP\UISTATUSCACHE
Value Name: OnlyMember
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER
Value Name: CleanShutdown
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\MOUNTPOINTS2\CPC\VOLUME\{509D0DCA-5840-11E6-A51E-806E6F6E6963}
Value Name: Generation
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\MOUNTPOINTS2\CPC\VOLUME\{6DD1DC5F-5840-11E6-B80E-00501E3AE7B5}
Value Name: Data
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\MOUNTPOINTS2\CPC\VOLUME\{6DD1DC5F-5840-11E6-B80E-00501E3AE7B5}
Value Name: Generation
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\MOUNTPOINTS2\CPC\VOLUME\{3F37BA63-EF5C-11E4-BB8D-806E6F6E6963}
Value Name: Data
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\MOUNTPOINTS2\CPC\VOLUME\{3F37BA63-EF5C-11E4-BB8D-806E6F6E6963}
Value Name: Generation
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\MOUNTPOINTS2\CPC\VOLUME\{3F37BA64-EF5C-11E4-BB8D-806E6F6E6963}
Value Name: Data
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\MOUNTPOINTS2\CPC\VOLUME\{3F37BA64-EF5C-11E4-BB8D-806E6F6E6963}
Value Name: Generation
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APPLETS\SYSTRAY
Value Name: Services
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\NLASVC\PARAMETERS\INTERNET\MANUALPROXIES 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CD BURNING\DRIVES\VOLUME{509D0DCA-5840-11E6-A51E-806E6F6E6963}
Value Name: Drive Type
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CD BURNING\DRIVES\VOLUME{509D0DCA-5840-11E6-A51E-806E6F6E6963}
Value Name: IsImapiDataBurnSupported
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CD BURNING\STAGINGINFO\VOLUME{509D0DCA-5840-11E6-A51E-806E6F6E6963}
Value Name: DriveNumber
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CD BURNING\STAGINGINFO\VOLUME{509D0DCA-5840-11E6-A51E-806E6F6E6963}
Value Name: StagingPath
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CD BURNING\STAGINGINFO\VOLUME{509D0DCA-5840-11E6-A51E-806E6F6E6963}
Value Name: Active
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CD BURNING
Value Name: CD Recorder Drive
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CD BURNING\DRIVES\VOLUME{509D0DCA-5840-11E6-A51E-806E6F6E6963}\CURRENT MEDIA
Value Name: FreeBytes
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CD BURNING\DRIVES\VOLUME{509D0DCA-5840-11E6-A51E-806E6F6E6963}\CURRENT MEDIA
Value Name: Blank Disc
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CD BURNING\DRIVES\VOLUME{509D0DCA-5840-11E6-A51E-806E6F6E6963}\CURRENT MEDIA
Value Name: Can Close
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CD BURNING\DRIVES\VOLUME{509D0DCA-5840-11E6-A51E-806E6F6E6963}\CURRENT MEDIA
Value Name: Live FS
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CD BURNING\DRIVES\VOLUME{509D0DCA-5840-11E6-A51E-806E6F6E6963}\CURRENT MEDIA
Value Name: Disc Label
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CD BURNING\DRIVES\VOLUME{509D0DCA-5840-11E6-A51E-806E6F6E6963}\CURRENT MEDIA
Value Name: Set
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\HOMEGROUP\UISTATUSCACHE
Value Name: UIStatus
1
Mutexes Occurrences
B4BBD0F7883AF46401A8F944D11D8E1698B68E3C 40
Global\<random guid> 7
opera_shared_counter64 2
opera_shared_counter 2
<32 random hex characters> 2
{C20CD437-BA6D-4ebb-B190-70B43DE3B0F3} 1
1
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
104[.]129[.]67[.]170 22
104[.]129[.]67[.]168 18
72[.]22[.]185[.]198/31 2
185[.]53[.]179[.]7 1
185[.]222[.]202[.]91 1
62[.]149[.]210[.]9 1
185[.]35[.]137[.]147 1
185[.]61[.]148[.]224 1
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
www[.]msftncsi[.]com 40
ligue1[.]shop 2
klub11n[.]us 2
jong37[.]pw 2
klub046[.]co 2
ijust1fy[.]pw 2
ktfr34ks[.]pw 2
son0fman[.]pw 2
jsbook[.]info 2
js0c892[.]se 2
iyfsearch[.]com 1
ligue1[.]fun 1
www[.]mac-pro[.]it 1
j5cool[.]xyz 1
sm0osh[.]xyz 1
jo1b9[.]co 1
lip616[.]co 1
lip4u5[.]se 1
jsoc8492[.]us 1
jo15y[.]xyz 1
l0vew1n5[.]xyz 1
snd616[.]co 1
dill10n1[.]pw 1
j0011y[.]pw 1
j0nhy[.]pw 1
*See JSON for more IOCs
Files and or directories created Occurrences
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\sessuawh.lnk 40
%APPDATA%\Microsoft\Windows\sessuawh 40
%APPDATA%\Microsoft\Windows\sessuawh\jisgivdt.exe 40
%System32%\Tasks\Opera scheduled Autoupdate 3131961357 4
%System32%\Tasks\Opera scheduled Autoupdate 3115184141 4
%System32%\Tasks\Opera scheduled Autoupdate 2980966669 4
%System32%\Tasks\Opera scheduled Autoupdate 3130913037 3
%System32%\Tasks\Opera scheduled Autoupdate 3130912781 3
%System32%\Tasks\Opera scheduled Autoupdate 3131961405 2
%APPDATA%\Microsoft\Windows\sessuawh\sessuawh 2
%System32%\Tasks\Opera scheduled Autoupdate 3004035085 2
%System32%\Tasks\Opera scheduled Autoupdate 3131109389 2
%System32%\Tasks\Opera scheduled Autoupdate 3131962125 2
%System32%\Tasks\Opera scheduled Autoupdate 3131961349 2
%System32%\Tasks\Opera scheduled Autoupdate 3127767149 2
%System32%\Tasks\Opera scheduled Autoupdate 3007180813 2
%TEMP%\7CE0.dmp 1
%TEMP%\WPDNSE 1
%LOCALAPPDATA%\Microsoft\Windows\WER\ERC\statecache.lock 1
%System32%\Tasks\Opera scheduled Autoupdate 2989355021 1
%System32%\Tasks\Opera scheduled Autoupdate 1044487932 1
%System32%\Tasks\Opera scheduled Autoupdate 3131961552 1
%System32%\Tasks\Opera scheduled Autoupdate 3131963261 1
%System32%\Tasks\Opera scheduled Autoupdate 2980966925 1
%System32%\Tasks\Opera scheduled Autoupdate 2989726024 1
*See JSON for more IOCs

File Hashes

002f27cf7d9185bd0c0ee1c363a221be80e797db81f25e1abb9898de6906c6b6 00de50e39e76fe23df42f435dfe0c0571b41c06a4337f15dc0c70ef28182c332 03759da14ffcd558e1b492286a1f04cce519995b591a848ee4e76b1a00f9bfbd 038a84e68adbb095a8ad39ced3de6407f977113fee99c46c6e87dc7c2c66d739 070ef4de5fe79fe29dfb5d3db253ec2c4b6e20797116b608cbbadb110afc54d1 07ed129012419a5c63e2987883653f7781ccc214f2abe3580b3baac5df397b88 08f442c4d7bcbbfbed9cf39ed382529fdb1368f2cd8e8d88d39a987b566b705a 096add794410c4bc72ef29cebfba05db27ca895f9136eba710cf45ad3492e37d 0c260a56652727b6dd9e280cb741870e61b9c1a8fe54dad0e12b42b2163eb391 0ec389eaa5253a5477aff5a36b5af41a76430cc41a4231dba9dab9587650e36b 11c15bc5878e34eb98b320aa9d7dbe6fb71987603cec86d39c1d7a902e3b5eef 198501a9810da38bb19dc1e0f4dd3a669a86fa57165075485cebf6e7662600e7 1ac2a34d85e02dc74dc1f612d06634d160fd29e359d45b8a50ccc3bbd78c3975 20dd29c3c7271b2d44600e7896dc3e351e8d53b583f9535104fe9cca3077d219 21633fd3deaa6b4a8bb9095f3d396c894a0a8648edbd85919d4589068327c3b0 2c6a0eb320df561009681342b3ccb1dd8a585968ec0932716553389f19d0b620 2fa0184c94b5220ec52d03e99eaa43b00ee78ef956f4c3a5b09bb7dca8270f47 3563013bf168f3021b42950648dd8175e51baeea1f9b6f1a9c8dfe2fb28b0187 383dede6a6d363e97a2d34a002aca69378da4b6769b13976b0344a20272a7d9d 3d51cff2d7fe5c108b765525081c3c0ec62811d6fd8f6d1e8f7ccb23ce1b5160 40c184b47b2d4d52ab39aab7c81b9e80b85948e6321989eed2e071a2346c836e 41e87e94d52d08cd7d82e052a72b598421dbd469d676cfb58640521a15ec0eed 533418f5d648f0a9855adbea0b6001531d8ea6687db27e1ddc0a157174cbc605 560df0484842e569cf4ec7a3c9b6942fbab8a5e5ef1bf8516baa6317841aa4bf 586303e0a91cd70a44b2311a081462b396f0e57cd948edf0fa97a4896eb830a4
*See JSON for more IOCs

Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection

AMP


ThreatGrid


Umbrella




Win.Packed.Generickdz-7586813-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 37 samples
Registry Keys Occurrences
<HKCU>\SOFTWARE\REMCOS-ZUXZLQ 4
<HKCU>\SOFTWARE\REMCOS-ZUXZLQ
Value Name: licence
4
<HKCU>\SOFTWARE\REMCOS-ZUXZLQ
Value Name: exepath
4
<HKCU>\SOFTWARE\REMCOS-V1R5VH 2
<HKCU>\SOFTWARE\REMCOS-V1R5VH
Value Name: exepath
2
<HKCU>\SOFTWARE\REMCOS-V1R5VH
Value Name: licence
2
<HKCU>\SOFTWARE\REMCOS-6PU1BX 1
<HKCU>\SOFTWARE\REMCOS-6PU1BX
Value Name: exepath
1
<HKCU>\SOFTWARE\REMCOS-6PU1BX
Value Name: licence
1
Mutexes Occurrences
QSR_MUTEX_ayVRCIIhAhYn6ZIdtI 17
Remcos_Mutex_Inj 7
Remcos-ZUXZLQ 4
3749282D282E1E80C56CAE5A 2
Global\{b1324b26-be01-4620-bf4b-b68b0ae0f95b} 2
Remcos-V1R5VH 2
57926c4f-8f06-4a2d-a8d5-a3428f4894fd 1
Global\8e50a541-4f19-11ea-a007-00501e3ae7b5 1
Remcos-6PU1BX 1
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
208[.]95[.]112[.]1 17
46[.]105[.]98[.]53 17
79[.]134[.]225[.]123 2
209[.]127[.]19[.]34 1
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
ip-api[.]com 17
variakeburne[.]ddns[.]net 4
randydidier2468[.]ddns[.]net 2
renaj2[.]ddns[.]net 2
worldatdoor[.]in 1
kitchenraja[.]in 1
sixteen147[.]ddns[.]net 1
Files and or directories created Occurrences
%APPDATA%\Logs 17
%APPDATA%\Microsoft\System32.exe 17
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\System32.vbs 17
%APPDATA%\Logs\02-14-2020 17
%APPDATA%\<random, matching '[a-z0-9]{3,7}'> 13
%APPDATA%\remcos\logs.dat 7
%TEMP%\96f91905-b339-4638-bd86-c6a77cf058d3 4
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\appsdatas.exe.vbs 4
%APPDATA%\appsdatas 4
%APPDATA%\appsdatas\appsdatas.exe.exe 4
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\yfgr.exe.vbs 4
%APPDATA%\jnxc\yfgr.exe.exe 4
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\lmwq.exe.vbs 3
%APPDATA%\hcek\lmwq.exe.exe 3
%APPDATA%\D282E1\1E80C5.lck 2
%APPDATA%\Microsoft\Crypto\RSA\S-1-5-21-2580483871-590521980-3826313501-500\a18ca4003deb042bbee7a40f15e1970b_d19ab989-a35f-4710-83df-7b2db7efe7c5 2
%APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5 2
%APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\Logs 2
%APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\Logs\Administrator 2
%APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\run.dat 2
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\daxp.exe.vbs 2
%APPDATA%\gnwk\daxp.exe.exe 2
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\update.vbs 1
%APPDATA%\appdata\update.exe 1
%TEMP%\637172179772244000_d1934800-c529-4e3b-afff-37bcc71b45d4.db 1
*See JSON for more IOCs

File Hashes

08ce5d7fc0de04906c1c24dc0d72d279dbd125b61d4ff3361e5f960d3441e421 0a603c32a8e16c81e314e9030a6e6d45055ae5f93ca819121ba6538660fe3072 0c4b27461dbd294c5a6a3851051ab5ff3ecf6b6aa72b7588ba59a7381632f06e 12a2568481ee9eca1ccb7a522f5853a7b0aa30ed56abfa5d3f1a2168865f390a 13ac030d6a53c594e08ffb80140b43fcad93841e170be5d8043e9f4b1512ea7e 1514b3e4e3c01eae8d55693255f12c5efd68549491c007425b6cac2465ec07b2 16a94d5de704b8166684143480c0c93c522751eba3acc8a79d468d0e7b579a9e 17309647cddb67ae9146b2746461e0152240808f88231c790dfcf923a7b717a2 1fbc7923dbc28f31aed3114f6ae66cd7431b78639b0998af963f606dd430dd41 1fde04dd38b0e62c6e39c9cf83d946052d665ab43be1aad712c665d4f216becf 2766c878553e8b7fae74b133be1880b6a345ade8284d919717d0ca6427e85a38 2ae7fe445fcc08eb3179519a41aea3fb7310e33973af114efd17dfa8653cbc5d 2b70abdaf78867285774c432c365ad6a7ab5777f0eda50d9c202205fcfe576d5 30b44cab6a839ae845647b0d608f645cc44bf01af6d5a9b53aae92e46bc12159 312915777632ef010f7a3bb2c60c274ea7c6d3f195349efac5e1057f6ec8a46a 3328f4ca20a50c85d8ddb77e20b54822bb44c7fc7dfbaab279fcf39389a50355 35ed04364daa9a21e306204ea27f1d7186248a8ab6bbc03ab202fb8d6f998a05 38f23b5da8cba1044efabbf1bbdb29d0fc748206ff5709a9c8c0fc553c21418c 3e50718cfffca7db327d35011301206ce21a7103f6a68bd78859a666e5781f42 4124aa54761859ab9d92cb3d50a64e461c5fe76b70b0839e933117fdb91391f0 48a1f2cf546a630bc763375052b734d4d1bd8d121e440a1718ec2c09d1605f57 4b388553f1b23e229fed441a7ada1afd2a87dfb1e77dc43d86f86b4028c2d46a 553e69e62475f74dcf2762e5499167539ae77df7692f0967cc1f9408d0bd8ae4 557e52d63114622d6adec38238bdf81d944d66389b07ddbe542fb8799b8d0b3e 5d3a4d8448e8af881bb3f82ed0d34735491c076c7c7f1f642431ec2777f4dec9
*See JSON for more IOCs

Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection

AMP


ThreatGrid


Umbrella




Win.Packed.Tofsee-7586819-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 18 samples
Registry Keys Occurrences
<HKU>\.DEFAULT\CONTROL PANEL\BUSES 18
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> 18
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: Type
18
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: Start
18
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: ErrorControl
18
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: DisplayName
18
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: WOW64
18
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: ObjectName
18
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: Description
18
<HKU>\.DEFAULT\CONTROL PANEL\BUSES
Value Name: Config0
18
<HKU>\.DEFAULT\CONTROL PANEL\BUSES
Value Name: Config1
18
<HKU>\.DEFAULT\CONTROL PANEL\BUSES
Value Name: Config3
17
<HKU>\.DEFAULT\CONTROL PANEL\BUSES
Value Name: Config2
17
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: ImagePath
13
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\haoutbhw
3
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\fymsrzfu
3
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\nguazhnc
2
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\unbhgouj
1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\ibpvucix
1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\exlrqyet
1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\wpdjiqwl
1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\tmagfnti
1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\zsgmltzo
1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\slzfemsh
1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\mftzygmb
1
Mutexes Occurrences
sejavpsfushosuk 7
None 4
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
69[.]55[.]5[.]252 18
85[.]114[.]134[.]88 18
239[.]255[.]255[.]250 17
192[.]0[.]47[.]59 17
46[.]28[.]66[.]2 17
78[.]31[.]67[.]23 17
188[.]165[.]238[.]150 17
93[.]179[.]69[.]109 17
176[.]9[.]114[.]177 17
172[.]217[.]197[.]26/31 16
172[.]217[.]7[.]132 16
168[.]95[.]5[.]112/31 15
46[.]4[.]52[.]109 14
43[.]231[.]4[.]7 14
209[.]85[.]202[.]26/31 13
98[.]136[.]96[.]92/31 13
67[.]195[.]204[.]72/30 13
216[.]146[.]35[.]35 12
211[.]231[.]108[.]46/31 12
12[.]167[.]151[.]116/30 12
67[.]195[.]228[.]86/31 12
168[.]95[.]6[.]56/29 12
64[.]233[.]186[.]26/31 11
192[.]0[.]56[.]69 11
96[.]114[.]157[.]80 10
*See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
microsoft-com[.]mail[.]protection[.]outlook[.]com 18
252[.]5[.]55[.]69[.]in-addr[.]arpa 18
schema[.]org 17
whois[.]iana[.]org 17
whois[.]arin[.]net 17
252[.]5[.]55[.]69[.]zen[.]spamhaus[.]org 17
252[.]5[.]55[.]69[.]bl[.]spamcop[.]net 17
252[.]5[.]55[.]69[.]sbl-xbl[.]spamhaus[.]org 17
252[.]5[.]55[.]69[.]cbl[.]abuseat[.]org 17
252[.]5[.]55[.]69[.]dnsbl[.]sorbs[.]net 17
bestladies[.]cn 16
bestdates[.]cn 16
bestgirlsdates[.]cn 16
sex-finder4you1[.]com 16
eur[.]olc[.]protection[.]outlook[.]com 14
aol[.]com 13
mx-aol[.]mail[.]gm0[.]yahoodns[.]net 13
hotmail-com[.]olc[.]protection[.]outlook[.]com 13
smtp[.]secureserver[.]net 12
mx-eu[.]mail[.]am0[.]yahoodns[.]net 11
msa[.]hinet[.]net 11
myibc[.]com 11
ipinfo[.]io 10
hotmail[.]fr 10
mx1[.]comcast[.]net 10
*See JSON for more IOCs
Files and or directories created Occurrences
%SystemRoot%\SysWOW64\config\systemprofile 18
%SystemRoot%\SysWOW64\config\systemprofile:.repos 18
%SystemRoot%\SysWOW64\<random, matching '[a-z]{8}'> 18
%TEMP%\<random, matching '[a-z]{8}'>.exe 18
%HOMEPATH% 14
%System32%\<random, matching '[a-z]{8}\[a-z]{6,8}'>.exe (copy) 14
%TEMP%\kjzvcyd.exe 1

File Hashes

005ac256dddc3a368386cf19e2c8ff4ff897453e13d31c2a002389b1b8f6f0e6 0225cfc00d03fb8135dab6acdbb2165f678c8693927dd4e8180b7ddfa8bdcbae 2ecaa4a4541645f3d329b65981f97403c3a3cc2bf77feeecef4cc5108e5eb649 357ed9b86a1c594596641c650bce143f7d58f42c6c67fd508168389805eb2739 3ce3671481b73bf71782605b8e6429753a3c7a253b6ff8dd0c80af28eb881633 53210cdce3d628a61c5aed9fcad723d30634f6df74a8118183f9bfa8ba0b643e 53b68915686769a14855c37ad232b86f7d982d7c88e74ff641f1046612e04011 57917ee62c89309f3ac65a67ef6b3e983c2b882a9770e43b0095edb348ae9cb4 7e8a5dedb5852ba8f9f3970c0204657611bb7b3e8009c019e7105b7528111403 8f1d942a42022e2ad2c7ea175e742fc83785883df3e32e2f696cccb1785f9b04 9f23b12abc917fd84e47626f4695a2f811352dcf100224623dbb1343c2503bd2 a55ef46691eeebb5afe92223a87d8fa1332dc8406d5933d6dbadfebbea6708cc b833f9b5e15ceb0e9553dba19386e5f9420795251c499aee1f4dde3c19ae5571 bae92bcf28992f8a71f9216af418f3a38ca58435b0be6e9e998ba30680a9aa49 cf5208d9d87f44c5adc6cb07f050fa11693654384840cbf3f8ef6c7bcb299c39 d8cb668abbc88169df7393ef917f8214b53192c1cac6e372f46f048416fffe89 e29f7b44dbc846b438af94610b75f5d091ea15308536dfa337bf8c27bc80acdd e60fa6d29dcbac234244922ed994abff1e02a63ca62bdd7efb1393a1c22052c5

Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection

AMP


ThreatGrid


Umbrella




Win.Malware.Nymaim-7586870-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 25 samples
Registry Keys Occurrences
<HKCU>\SOFTWARE\MICROSOFT\GOCFK 25
<HKCU>\SOFTWARE\MICROSOFT\KPQL 25
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER
Value Name: GlobalAssocChangedCounter
25
<HKCU>\SOFTWARE\MICROSOFT\GOCFK
Value Name: mbijg
25
<HKCU>\SOFTWARE\MICROSOFT\KPQL
Value Name: efp
25
Mutexes Occurrences
Local\{2D6DB911-C222-9814-3135-344B99BBA4BA} 25
Local\{369514D7-C789-5986-2D19-AB81D1DD3BA1} 25
Local\{D0BDC0D1-57A4-C2CF-6C93-0085B58FFA2A} 25
Local\{D8E7AB94-6F65-71DE-8DA1-FE621BE2E606} 25
Local\{F04311D2-A565-19AE-AB73-281BA7FE97B5} 25
Local\{F6F578C7-92FE-B7B1-40CF-049F3710A368} 25
Local\{445DE72D-9B60-6571-D392-6925F65F5FE7} 25
Local\{E41B13B6-7B07-8560-4026-41A66FCE339D} 25
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
46[.]4[.]52[.]109 1
93[.]179[.]69[.]109 1
78[.]31[.]67[.]23 1
176[.]9[.]114[.]177 1
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
neawce[.]in 24
cawugh[.]pw 24
bfjtkee[.]in 24
xnexvlnlm[.]in 24
xirvjdkza[.]pw 24
njzcxk[.]in 24
ozbpuhdibrq[.]in 24
kniqbngezi[.]net 24
pbgtihnv[.]com 24
gxdawu[.]net 24
gxvim[.]com 19
nkkzhqqslod[.]com 19
tiuzomycjp[.]com 19
wzfhxytur[.]net 19
cdnnoeem[.]net 19
qlqywqinnnof[.]net 19
upfqangse[.]net 19
cxtuswfapphv[.]net 19
vgazbwj[.]net 19
apdkokb[.]net 19
xknfwgwvcut[.]net 19
jwieiuggex[.]com 19
rpwecn[.]net 19
wcafbjwj[.]com 19
bjeuewe[.]pw 19
*See JSON for more IOCs
Files and or directories created Occurrences
%ProgramData%\ph 25
%ProgramData%\ph\eqdw.dbc 25
%ProgramData%\ph\fktiipx.ftf 25
%TEMP%\gocf.ksv 25
%TEMP%\kpqlnn.iuy 25
%TEMP%\fro.dfx 19
%TEMP%\npsosm.pan 19
\Documents and Settings\All Users\pxs\dvf.evp 19
\Documents and Settings\All Users\pxs\pil.ohu 19

File Hashes

0218e9c2cf3ca8f6201331e44bfa7d8a5448b1b5b08d8b14d85aebb65671e1a2 0454d49281ad2a9f99228f543428338353da11fbf78e36b7f5b31479c121bf6b 056dc90528fe0b52da0e2810dfecc00a33ecb3fb055d4b1887b06ab042dbae1e 09136689c46634da3d89dc3609bc2db9582cf70992b9ef92ef6c7dfb3416bee2 0a58ad96a90964d56735bf61afa86fa7c6a2a3e15092b66154c6418465bb3a00 0cbed52d77571cb00e68ca65ed017272b69c2b90b548f5a3354dec2fd4da677c 1725392d15f6eeee49ba8222c595faeb59a5434b9136b137dc03a9b61e084087 17f077b3721d13d89bfe4d84b297620ff8590b9949e0b3a90e754cd147808695 201591910712d7b75f17831436b9c2c7a5bc95e6009d7a744de0fd2fe34a1dc6 20b70cb79a5bef35145254e2c456da2d2d90f7e2de2f72d413ce0fbf844af66f 2696cc5afb7daf7e9acfa6b48e9c925961c8b3675d4dba20fcd840879695f8dd 287f5e0b40f6341f7f9b09a97d2efbb00b9c389053b76976ccade63027f02425 2b0b69fcba2279c7c731adc17ce5e395739a4d957afe75b4dffe79a911d06834 3343d61a8a5e8f19686995852ac47dec453da1a61f0544a2b6cc75b404ac40c1 37c3c75c995da210c09a6b6e258af839386c4a8661d16395ef179065326ebbd7 39c08d0ebe20734e86539503b615716ef692aa37ba6a490e0265d1560dbae71c 3cfc8edcb512891aeb4241df6a800981d83c329883eaeeb265f5b555be7c85a4 43983a108eee5452032f21f6895cb9d930af372f4fbbf51e217a58f68412c9c4 44033bd26650bac58f19414b2f937a3d0aebd819a145738d4d9e77a087d1b2e2 446952c8181f0736647c99e3d4160fafcf272c885a62b19e4028a41183227292 473e6d64b9b5d33250f89781d2d7d0b7a763563e6703907953ae226e078b2a49 589b303963958d48a6d5aa9a506955ed04242994f1f7e36b8819463200970b21 5b186038f17adbde16e02e1e29513354112ecdc9b3a8be5fe2978696ce9541ec 5d95754de0c3bda4841e7122b0b24bd5d949adc647735582d4e6af72274950d7 6123859235132aed86f0520e20d623e8d5d0438e082db32caf310d1b77aa9ec3
*See JSON for more IOCs

Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection

AMP


ThreatGrid


Umbrella




Win.Ransomware.Remcos-7586925-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 12 samples
Registry Keys Occurrences
<HKCU>\SOFTWARE\OSRS18HD-UKGZDR 12
<HKCU>\SOFTWARE\OSRS18HD-UKGZDR
Value Name: EXEpath
12
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS
Value Name: Path
1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS
Value Name: Hash
1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS
Value Name: Triggers
1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS
Value Name: DynamicInfo
1
Mutexes Occurrences
Remcos_Mutex_Inj 12
OSRS18hd-UKGZDR 12
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
secure[.]jagexlaucher[.]top 12
Files and or directories created Occurrences
%SystemRoot%\win.ini 12
%APPDATA%\ErrorLogs 12
%APPDATA%\ErrorLogs\logs.dat 12
%System32%\Tasks\SearchUI 12
%APPDATA%\SearchUI.exe 12
%SystemRoot%\Tasks\SearchUI.job 9

File Hashes

08606543b261293be2c91acebdd4100b77471a2cb2f29b8f558f2d12dd01c954 2d5275f0deb740be06001aa53d8719db88d08426f2e5f1b44bc4626fcc9b0258 46835bd196f40e56dfeb8fbdbf1e328358e545649ce10aa580575874ffeba5b1 778608ebdb66b22322989f6889668d11a5c243f540d094f834743651f847f6d3 b1edb734e012c5b941e7e7190b23c472937b5332b9af826e5eb07a807c7f0e80 c0a687a74845e57c671768eac45588576a194f36165279f19edb22d45a595904 cd9d9e7f425fbc41e1c6e12e7e9ffd0d9800aa703e690802a260f5f29837967a dc789666026dacfc446d3559c0aebeab538608668fac6645ba73591d9a4ced58 dda31fb5d2659b268d9f12541f26042e626d6162c442362b362f0eb80011c741 e6d0a9641a275e95ed0835cc1c65f861f03e6643b99ef24bb1b1e6711fe6b31e ec8cc8dd06095a94275b3e3f7564dfddbcb20ce78b84da301768b0e8484482a5 f21bb31466c5f318f41c021fc459caf0e413f580ade991087bc499bb5fa2ffa7

Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

AMP


ThreatGrid




Win.Malware.Autoit-7586956-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 25 samples
Registry Keys Occurrences
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\WPAD\{E54C0DDD-6FAB-4796-8BBE-EE37AF7CD25A} 25
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
Value Name: ProxyEnable
25
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
Value Name: ProxyServer
25
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
Value Name: ProxyOverride
25
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
Value Name: AutoConfigURL
25
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
Value Name: AutoDetect
25
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\CONNECTIONS
Value Name: SavedLegacySettings
25
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\WPAD\{E54C0DDD-6FAB-4796-8BBE-EE37AF7CD25A}
Value Name: WpadDecisionReason
25
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\WPAD\{E54C0DDD-6FAB-4796-8BBE-EE37AF7CD25A}
Value Name: WpadDecision
25
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\WPAD\{E54C0DDD-6FAB-4796-8BBE-EE37AF7CD25A}
Value Name: WpadNetworkName
25
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\WPAD\{E54C0DDD-6FAB-4796-8BBE-EE37AF7CD25A}
Value Name: WpadDetectedUrl
25
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\5.0\CACHE\CONTENT
Value Name: CachePrefix
25
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\5.0\CACHE\COOKIES
Value Name: CachePrefix
25
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\5.0\CACHE\HISTORY
Value Name: CachePrefix
25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SCHEDULE
Value Name: NextAtJobId
25
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP
Value Name: ProxyBypass
25
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP
Value Name: IntranetName
25
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP
Value Name: UNCAsIntranet
25
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP
Value Name: AutoDetect
25
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\WPAD 25
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\WPAD\C8-B0-99-0A-48-DD 1
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\WPAD\{E54C0DDD-6FAB-4796-8BBE-EE37AF7CD25A}\C8-B0-99-0A-48-DD 1
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\WPAD\C8-B0-99-0A-48-DD
Value Name: WpadDecisionReason
1
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\WPAD\C8-B0-99-0A-48-DD
Value Name: WpadDecisionTime
1
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\WPAD\C8-B0-99-0A-48-DD
Value Name: WpadDecision
1
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
199[.]59[.]242[.]153 25
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
infikuje[.]freevnn[.]com 25
11776[.]bodis[.]com 20
Files and or directories created Occurrences
\atsvc 25
%System32%\winevt\Logs\Microsoft-Windows-Known Folders API Service.evtx 25
%System32%\Tasks\At1 25
%SystemRoot%\Tasks\At1.job 25
%SystemRoot%\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat 25
%SystemRoot%.exe 25
\Documents and Settings.exe 25
\MSOCache.exe 25
\PerfLogs.exe 25
%ProgramFiles(x86)%.exe 25
%ProgramFiles%.exe 25
%ProgramData%.exe 25
\Recovery.exe 25
\TEMP.exe 25
\Users.exe 25
%SystemRoot%\svhost.exe 25
\$Recycle.Bin.exe 25
%SystemRoot%\Driver.db 25
e:\System Volume Information.exe 25
e:\$RECYCLE.BIN.exe 25
\starup.exe 25
\System Volume Information.exe 25
%SystemRoot%\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\list[1].htm 25
%SystemRoot%\list.txt 25
%HOMEPATH%\Local Settings\History\History.IE5\desktop.ini 20
*See JSON for more IOCs

File Hashes

0cfd5fcfbe7dcb0ca5d046e97815d68b7afec7562255c591efaf6e6ddff04dc3 176e3815db0582a528559fcd4ac5d556d8b44354470ef7000246a7dd70e02042 188fb9f78f7b0ec6ef4ddac9d5c3e246563a9d5e4689b49c5b4be343be805be6 1e401c8be910e4f07af2e40c1c20b25be23e896e3aef6c887bc505b4ffee805a 25290bd54de5289d9ea3cbcbf59fefa0a7efa1743196043989029d3b1a3aa23f 2c52210a40af62a33415f9d5fc31cf4ed0c9d60d87dc97fa53db86c028b4a486 2db7594e73018d54e9dca34869eed6fa7e523fd519e2cdc74a32a91d31c6a945 30226cf05067f4906bec842742691778bfe2f277a3ee3ebf82ebc5a2d313806c 32f9cec632967d84f191d9bb514409dcff9f4d8e59097e98fa72e74cbfd32ce9 3909a29ead2eb2248f107c1352e5259d244b3eda0c971b136fab7e671f63a7e2 3b2f4a185951364a131c6ece1b282f7442045063f0d00562bd1c462ddc45e8e5 433b74fd6206dcc64cdc96141263cf1fc5720f087e15ddb581b2084ba0604c1c 4544acce7aad2dc7f8ffc93815eaea59f714552a21863a70132a742e4938a852 478d53130c7b549c54401d4d1c8501a310e99a350846e0515ef8d416822d4ada 4872d9c8e75aa6ad18a1272b17c617811eff6c411f181cc450a52be747fc4d20 48d8d3219b405e7a7ac7e53dac401be58e50cc582d4d5a2c96eb3edab10a8920 4e0b6052c58992f28138a28c281c4bca93f3f90c6c14ef3b88ff697c821e3f34 520f5cfd75870100df9da88875a9d6aef2dae064901acf35695c7ea0d8f36410 56641ea2594a21e5aa25475b295b5130e49c94c78ec42d45b1aed9cf929ea300 65e7b497cebcd23ceb769656cc011a3cadfdd618657a0d66e14a63f94a113fcd 6b1821395bbba2f70b42f963dd63772d4dc97b9dcfeb13ea592ead01587c36d2 6f416a86789e81f95138751a71006189bf6e1215d8ea2063c370862738a996a3 75c38fa29ebe45c102663815d76491a566e34e404dd99088fb4257744539ed6e 78f0240b6e9c1a74546845b3d0ddfc84aecc388f8ff7d794cf80e33ae0de4c31 7f2e6da85f7ebb3dd066315504735c8dbcc4cdbc9c24d7d944cdeeb09df1c869
*See JSON for more IOCs

Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

AMP


ThreatGrid




Exploit Prevention

Cisco AMP for Endpoints protects users from a variety of malware functions with exploit prevention. Exploit prevention helps users defend endpoints from memory attacks commonly used by obfuscated malware and exploits. These exploits use certain features to bypass typical anti-virus software, but were blocked by AMP thanks to its advanced scanning capabilities, even protecting against zero-day vulnerabilities.
CVE-2019-0708 detected - (3408)
An attempt to exploit CVE-2019-0708 has been detected. The vulnerability, dubbed BlueKeep, is a heap memory corruption which can be triggered by sending a specially crafted Remote Desktop Protocol (RDP) request. Since this vulnerability can be triggered without authentication and allows remote code execution, it can be used by worms to spread automatically without human interaction.
Excessively long PowerShell command detected - (414)
A PowerShell command with a very long command line argument that may indicate an obfuscated script has been detected. PowerShell is an extensible Windows scripting language present on all versions of Windows. Malware authors use PowerShell in an attempt to evade security software or other monitoring that is not tuned to detect PowerShell based threats.
Process hollowing detected - (210)
Process hollowing is a technique used by some programs to avoid static analysis. In typical usage, a process is started and its obfuscated or encrypted contents are unpacked into memory. The parent then manually sets up the first stages of launching a child process, but before launching it, the memory is cleared and filled in with the memory from the parent instead.
Kovter injection detected - (143)
A process was injected into, most likely by an existing Kovter infection. Kovter is a click fraud Trojan that can also act as an information stealer. Kovter is also file-less malware meaning the malicious DLL is stored inside Windows registry and injected directly into memory using PowerShell. It can detect and report the usage of monitoring software such as wireshark and sandboxes to its C2. It spreads through malicious advertising and spam campaigns.
Gamarue malware detected - (114)
Gamarue is a family of malware that can download files and steal information from an infected system. Worm variants of the Gamarue family may spread by infecting USB drives or portable hard disks that have been plugged into a compromised system.
Installcore adware detected - (97)
Install core is an installer which bundles legitimate applications with offers for additional third-party applications that may be unwanted. The unwanted applications are often adware that display advertising in the form of popups or by injecting into browsers and adding or altering advertisements on webpages. Adware is known to sometimes download and install malware.
Dealply adware detected - (90)
DealPly is adware, which claims to improve your online shopping experience. It is often bundled into other legitimate installers and is difficult to uninstall. It creates pop-up advertisements and injects advertisements on webpages. Adware has also been known to download and install malware.
Atom Bombing code injection technique detected - (21)
A process created a suspicious Atom, which is indicative of a known process injection technique called Atom Bombing. Atoms are Windows identifiers that associate a string with a 16-bit integer. These Atoms are accessible across processes when placed in the global Atom table. Malware exploits this by placing shell code as a global Atom, then accessing it through an Asynchronous Process Call (APC). A target process runs the APC function, which loads and runs the shellcode. The malware family Dridex is known to use Atom Bombing, but other threats may leverage it as well.
Corebot malware detected - (12)
Corebot is a Trojan with many capabilities found in other prominent families. It features a plugin system to enable it to load a variety of features from the C&C server at any time. Known plugins include RAT capabilities such as taking desktop screenshots, as well as being able to intercept and modify browser communications and steal data, especially data related to banking.
IcedID malware detected - (9)
IcedID is a banking Trojan. It uses both web browser injection and browser redirection to steal banking and/or other financial credentials and data. The features and sophistication of IcedID demonstrate the malware author's knowledge and technical skill for this kind of fraud, and suggest the authors have previous experience creating banking Trojans. IcedID has been observed being installed by Emotet or Ursnif. Systems infected with IcedID should also be scanned for additional malware infections.

No comments:

Post a Comment