Friday, February 28, 2020

Threat Roundup for February 21 to February 28

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Feb. 21 and Feb. 28. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.


For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. As always, please remember that all IOCs contained in this document are indicators, and one single IOC does not indicate maliciousness.
The most prevalent threats highlighted in this roundup are:

Threat Name Type Description
Doc.Malware.Valyria-7595017-0 Malware Valyria is a malicious Microsoft Word document family that is used to distribute other malware, such as Emotet.
Doc.Downloader.Emotet-7593277-0 Downloader Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a wide variety of payloads. It is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails.
Win.Dropper.Bifrost-7593600-0 Dropper Bifrost is a backdoor with more than 10 variants. Bifrost uses the typical server, server builder, and client backdoor program configuration to allow a remote attacker, who uses the client, to execute arbitrary code on the compromised machine. Bifrost contains standard RAT features including a file manager, screen capture utility, keylogging, video recording, microphone and camera monitoring, and a process manager. Bifrost uses a mutex that may be named "Bif1234," or "Tr0gBot" to obtain persistence.
Win.Dropper.XtremeRAT-7594794-0 Dropper XtremeRAT is a remote access trojan active since 2010 that allows the attacker to eavesdrop on users and modify the running system. The source code for XtremeRAT, written in Delphi, was leaked online and has since been used by similar RATs.
Win.Dropper.Upatre-7594799-0 Dropper Upatre is a malicious downloader often used by exploit kits and phishing campaigns. Upatre downloads and executes malicious executables, such as banking malware.
Win.Dropper.NetWire-7597088-0 Dropper NetWire is a remote access trojan (RAT) that allows attackers to execute commands on the infected host, log keystrokes, interact with a webcam, remote desktop, and read data from connected USB devices. NetWire is commonly delivered through Microsoft Office documents with macros, sent as attachments on malicious emails.
Win.Packed.njRAT-7595003-1 Packed njRAT, also known as Bladabindi, is a remote access trojan (RAT) that allows attackers to execute commands on the infected host, log keystrokes and remotely turn on the victim's webcam and microphone. njRAT was developed by the Sparclyheason group. Some of the largest attacks using this malware date back to 2014.
Win.Packed.Zbot-7595026-0 Packed Zbot, also known as Zeus, is a trojan that steals information, such as banking credentials, using methods such as key-logging and form-grabbing.
Win.Virus.Ramnit-7597892-0 Virus Ramnit is a banking trojan that monitors web browser activity on an infected machine and collects login information from financial websites. It also has the ability to steal browser cookies and attempts to hide from popular antivirus software.

Threat Breakdown

Doc.Malware.Valyria-7595017-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 30 samples
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
169[.]254[.]255[.]255 3
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
footarepu[.]top 11
zofelaseo[.]top 10
folueaport[.]top 6
vvorootad[.]top 2
dosehoop[.]top 1
Files and or directories created Occurrences
%HOMEPATH%\AppData\Roaming.eXE 30

File Hashes

014b3b9e320110980c62166a08832fda7b2bd8a6b095ee18ea8bfe4372caa690 02909271cfee6ff35f7c9da9ed2354f589247809f4119b46b237c4ba45f02db5 02ac3145ddddff7fd3e75985cbb8bbe9f094ce01b973d4a12870d009df968be2 04476696529134b2926b26c0427fb471084227fbaf0104d6e480379f9990bb5b 071e792d60441d74fc28cc37ec9237a4174242ee4611fb0aaab3356fb3829331 074afa99c7845566231749b727db862f16924cf84a03a9bad5f8146c13e02947 078848b174d490b613545f8fbc98ad18543c426916451bfc7aee51fdc2b979c1 09f7f3c299beb9be5a5f223b6398b867433dd5171045b37dc8be815421e35119 0a2bdecf39d98dba8eeafad36252d9ae0164032bdc404a8f8da8f27623657fc9 0e2c6cbee4f20e09c92d2c8534dadd1665eb58f8f5a662ea63a9d9556c5a3bf7 1033538e6ac46ade3da7b644f3e1d07b5a89dc40f7f58cf6a501e885813fc0f7 11b707b076bb829d8e86b775e1f005e6bbab3e9dc3efd223a34e46e53ed2f747 13cf6351dee9bf68beeefa1aa8c003f6bc689303dd19e1e4c8e9dc88d39b82e7 148173cc7590e62277ad64cf59fea93a556bd0bd578bee8de3628aadcc93176c 14c490ab9716eac9edbcdf2d9f49f10ac1d431f47ef26f76c37611c5437b91d8 15ca3df33525ce91e6920ed4621c5deaee74a86b9299123e844d0832a885aa8b 18767f3890df85eb67b775c4fc37d39116f5e7c59222d430820d9d270508941e 189abb02afe2a834dfeba5613b2d2f3cefd8143237301be1b8f49d9ed72de130 18f431c306631e11bdbeb7d45668e12ec9e9a1fc2faf0d8202a5e5d78b621bd7 1ac3723f78e87ce505114e1204d40da4af14f6470779dc58f3662dc7a1cec046 1b882e4bf3c0c2b7c7ee7d98ad28a72c94684f0bf70acc34ca3fafcb517bd021 1da8654cfcc0a2c57d35cb8e9ca50034ea26a4e2a7ede9ba02244c4c030a69e7 1f567c2e7f5e0e0143259ce8daf14c07d29f6d6d71f227a62bc4c8861f406d63 202ed2316d5ecbd3670cefcd64c0fd49a577e77d3a61290a78a8450bb7c627e8 20f92cd40972708128a8e3b31441218de329e59c4858eb3419100c8a6a4de7e3
*See JSON for more IOCs

Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection

AMP


ThreatGrid


Umbrella




Doc.Downloader.Emotet-7593277-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 25 samples
Registry Keys Occurrences
<HKCU>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\33E4E80807204C2B6182A3A14B591ACD25B5F0DB 25
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
91[.]199[.]212[.]52 25
88[.]198[.]60[.]25 25
160[.]153[.]137[.]40 25
27[.]254[.]81[.]87 25
45[.]119[.]83[.]237 25
165[.]22[.]221[.]121 25
216[.]218[.]206[.]69 1
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
api[.]w[.]org 25
crt[.]sectigo[.]com 25
secureservercdn[.]net 25
pieceofpassion[.]com 25
raisabook[.]com 25
www[.]marketfxelite[.]com 25
biswalfoodcircle[.]com 25
tananfood[.]com 25
www[.]pieceofpassion[.]net 25
Files and or directories created Occurrences
%HOMEPATH%\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\30D802E0E248FEE17AAF4A62594CC75A 25

File Hashes

0b4c6649ad41af209e5bd5d857f68d5edc560bc48eda4267c50f806e831b7af3 0fda18ca90096cec78e462f95be4cc2d46dc7dfbdcf44f8a022cb754d7607241 10f31d5d1d70661af3e512d03007b2c6f403a4a581bc6a71d66b3c7a1420bf94 18e85a75805b522d05cd674ad0c5eff59cdcccafa94f815b58483c2b89d0fd7e 1a3a144d6425ae749452dc9fba14b9d7e24152164d01cc78f3606df039bca8da 20607ff7ce201c1f167de3b0fd5fbb8c99d3f372c3e23027d365c8003ce7da79 207bfdb50cbada73d08d6f6849a670795f88892f50a81d83712f5c606ac074fd 2a9b6c82e814645cbaf5e3b77245ee17b11c629f82cbe92414fc40df1cc01e7a 2b1d86c9c4196536d630631a0a0c7abc99b74482b8b1260b48d3ed21c57313d6 314a112563a7a9cb9bfd1fe0ff7e54b19b2ab00827c68e237a251c47e77d28c4 3dec594b76a5f10a5ccb22f02be9afab964409e42ad864264f79596470c3b926 4188c8122fd994514c68a441bbeb2ea4981045cdad3b81cb30973ce853b89dbf 483421df4aace161f9d26c50bd0b6638397a90ab367f128beb759250cac85083 4c27e7c8f0d03b93b78a043800c2bf165183825d0ab4b5aec1973d3367e0d0cd 562047aa50f97221552f04df509b3b65f91b86c6cea109d8b2774ff7b61c0a6c 56a7d0293ab5e87d137ec58d312d381b38a9c2b40726c8a18deffb2cf6d8811f 5fa2d1ab59588863601e287aa39f0475749f16ef458f693992a9cc6afc106fbb 624b6b4f70e271f1dfdef7c9dc26a7d18f17feb7c5e5057866c42c0305ef55c6 6294cd75c47243ce037d61b46271f8425b0ba4838f829ac99fa22e40b2573b5e 68d2cef91a68892ff659a172c561b3638d5456dede979e5cfbeb91b7a8a8f8e7 774f03a7a0f1b281015f56c111092f83645e8671bae737391a0aa740bef03ccb 77ca0111c22e9de19cb947a73243aceb08b5b2e75289fd6747b35361f78787c4 7933573f99948a9b1ff3e813f9f7e186aca213638cb47cb0c6e2e5f59c1ef0ce 7b20e376a7a0f2a41411f91aa19a295aebd0acb2edfb0c5b7b7fc027baf01637 7d3e63ec5e6b564f45e9cc027e39669b3ed166abc7e65fe7c864bb892244add4
*See JSON for more IOCs

Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection

AMP


ThreatGrid


Umbrella


Malware




Win.Dropper.Bifrost-7593600-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 10 samples
Registry Keys Occurrences
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: wextract_cleanup0
9
Mutexes Occurrences
Bif1234 9
0ok3s 1
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
lronaldinho[.]no-ip[.]biz 1
zoulou[.]zapto[.]org 1
snouci[.]no-ip[.]biz 1
Files and or directories created Occurrences
%TEMP%\IXP000.TMP 10
%TEMP%\IXP000.TMP\TMP4351$.TMP 10
%ProgramFiles%\bifrost\server.exe 8
%TEMP%\IXP000.TMP\server.exe 7
%TEMP%\IXP000.TMP\serve.exe 2
%ProgramFiles%\h4o\h4o.exe 1

File Hashes

33dd43fa4d96ddbfb167ee204c864586150e115579c9cc67964e6dfde5e40661 4a90db4add682ee08ec03e4145b373503b7a6f23ff34c2b771fa78dee8e44bc3 68fe7fca6b557da2dc0492b70c44a7a4510b3a1e0f1d4c3d75662cfdc3fa5659 78fb8c5fd52940a7188f5e4788bd05d4a9d83faa78bb22e23e20cabdf839c963 8374b6d974e93d0b728514bb2f5db7dfb4b32969e15b7362c4c260e68fbdcace 90e4cff29fc9df5cd3bc27bdcc5dcbbed7cc391d45ce38a1826e111aacef0a79 96947aeb886bde239f1ca5e39fb1534afbeef46aa91dac46f448e3a82eee29e6 a4d8e5d6dbb820150af6bb616fd2673167b477cd711afaa5484c630c18f5bdcb b91894048d0a84b1aea9ce9b947f4b32b5b0b8bb690b5e1f0010e5964b7bdf18 f04c620d94e41e30acdbe1c18f6df6fae97fad15d437874d9ced40d8402b9409

Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

AMP


ThreatGrid




Win.Dropper.XtremeRAT-7594794-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 21 samples
Registry Keys Occurrences
<HKCU>\SOFTWARE\<random, matching '[a-zA-Z0-9]{5,9}'>
Value Name: ServerStarted
20
<HKCU>\SOFTWARE\<random, matching '[a-zA-Z0-9]{5,9}'>
Value Name: InstalledServer
20
<HKCU>\SOFTWARE\<random, matching '[a-zA-Z0-9]{5,9}'> 20
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: HKLM
9
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: HKCU
8
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN 5
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN 5
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN
Value Name: Server
3
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN
Value Name: Server
3
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: dll
3
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{5460C4DF-B266-909E-CB58-E32B79832EB2} 2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: vlc
2
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{5460C4DF-B266-909E-CB58-E32B79832EB2}
Value Name: StubPath
2
<HKCU>\SOFTWARE\FAKEMESSAGE
Value Name: FakeMessage
1
<HKCU>\SOFTWARE\((MUTEX))
Value Name: InstalledServer
1
<HKCR>\LOCAL SETTINGS\MUICACHE\\52C64B7E
Value Name: LanguageList
1
<HKCU>\SOFTWARE\((MUTEX)) 1
<HKCU>\SOFTWARE\FAKEMESSAGE 1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{4YYH6UVK-0H14-53J3-2EKB-QFCG58W0Y54X} 1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{4YYH6UVK-0H14-53J3-2EKB-QFCG58W0Y54X}
Value Name: StubPath
1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{4N6D64W4-JGT3-3SRU-VEIG-428Y3Y04H28J} 1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{4N6D64W4-JGT3-3SRU-VEIG-428Y3Y04H28J}
Value Name: StubPath
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: msn
1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{L026V375-M6QD-607A-01BW-NY4DH11HTA1N} 1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{L026V375-M6QD-607A-01BW-NY4DH11HTA1N}
Value Name: StubPath
1
Mutexes Occurrences
XTREMEUPDATE 21
<random, matching [a-zA-Z0-9]{5,9}> 20
<random, matching [a-zA-Z0-9]{5,9}>PERSIST 17
<random, matching [a-zA-Z0-9]{5,9}EXIT> 17
((Mutex)) 1
((Mutex))PERSIST 1
((Mutex))EXIT 1
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
in4ta[.]hopto[.]org 2
xtremerat[.]zapto[.]org 1
chrome[.]myvnc[.]com 1
antilove[.]zapto[.]org 1
lifefornoobs[.]no-ip[.]org 1
trancegend[.]servehttp[.]com 1
paxromana[.]no-ip[.]org 1
Files and or directories created Occurrences
%APPDATA%\Microsoft\Windows\<random, matching '[a-zA-Z0-9]{5,9}'>.cfg 20
%TEMP%\x.html 13
%SystemRoot%\SysWOW64\InstallDir 9
%TEMP%\~PI<random, matching [A-F0-9]{2,4}>.tmp 7
%APPDATA%\Microsoft\Windows\<random, matching '[a-zA-Z0-9]{5,9}'>.dat 7
%APPDATA%\InstallDir 6
%SystemRoot%\SysWOW64\dllcache 4
%APPDATA%\dllcache 4
%SystemRoot%\InstallDir 3
%SystemRoot%\SysWOW64\InstallDir\Server.exe 3
%SystemRoot%\SysWOW64\InstallDir\dll.exe 3
%APPDATA%\InstallDir\dll.exe 3
%SystemRoot%\InstallDir\Server.exe 2
%APPDATA%\Microsoft\Windows\((Mutex)).cfg 1
%APPDATA%\Microsoft\Windows\((Mutex)).dat 1
%SystemRoot%\SysWOW64\windows 1
%SystemRoot%\SysWOW64\dllcache\msn.exe 1
%APPDATA%\InstallDir\xyzl.exe 1
%SystemRoot%\SysWOW64\dllcache\xxsnd.exe 1
%APPDATA%\dllcache\msn.exe 1
%APPDATA%\dllcache\xxsnd.exe 1
%SystemRoot%\SysWOW64\InstallDir\xyzl.exe 1
%SystemRoot%\SysWOW64\rar.exe 1
%TEMP%\510photo1.jpg 1
%TEMP%\510photo1.jpg.exe 1
*See JSON for more IOCs

File Hashes

064c44467f1d528ec2d7da3190f5d0f0760825dd78dbdcd0800b5cf93ddfc35e 14b5b5b795998d35a0d7fdbec17264d677ccbe42ca0f0012ddea0b89c581998c 189815a3c61f115518eefef42514e5ade690d68c3f17cd5f25503114f8c76d39 18f93702d819615f2c6132ff4c9b72fe82d857f8c72ef8c0fa0568cfb87ce382 1f89323eccd76c387a536cbed269f64ae84abe86a25474d73a8d9ea48bc222bc 2ded94da0ecc3e9353762f4c097ab6bb4243ca51765e3075a60d575b4cda27c2 2f4d1036e0074d324b78bd15da52c63602aa467455ba8271520b7ea96b620f0f 4840f56924ba0b45a510341a7b748ec5507aefa1cf451c6c42ac6a5755f7a76f 4ed0da4f544326ee3d2ab53698ad556a7d79f2c71489be7586cb9489462c438b 6bc1a651a94482ad19df56647fb5b6e9b87be392ee8ba96794a778b8b27dfb34 716d6bb0792522da08ad4af7d0ad9500d25456c1138c6afb151a61cdac8c1d5b 8314a980d82e0c0abd2d51c44bbb9fcc0eb0d388e730d97e30b2d4abd8ec35ec 96b451f2217da28c874d357e574911ab5bf1534ef57cad4ee975c14dc1efe17c a0624e016eae6a07df74d75f4ff1a240c7502ce3e104a1df10ce3d8cd317815e ac7714fac188ff0cc932f752add2c001044b4ff3fb4aa73f5c3ef6f2a2ed17cf ace5f789b508a16e2a2a9b81ae6a2f8152546eee393dd7b37677cd4e22b7354b b893c36382ab489f6f23979f547b79a861457f08e0421a49756482a50a8a6d44 c0bc592589a215bb74bd525b44330246094db50cdeb5722d057485a7aff01156 d4fdf6ef3db3e219a672f7e7c18f81b3ded3d0639311cc8cb11df7ce0e128d98 ec04f36832901dfef1738c851a8f5df812c94762cf1ebdaadb2117f00b4e10a4 effa69e2b4b1301360f48fd51e759151a0ef8e656800d3da4a1107a590fc00ff

Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection

AMP


ThreatGrid


Umbrella




Win.Dropper.Upatre-7594799-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 27 samples
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
38[.]65[.]142[.]12 27
104[.]20[.]16[.]242 15
104[.]20[.]17[.]242 12
96[.]46[.]99[.]183 5
96[.]46[.]100[.]49 5
217[.]168[.]210[.]122 4
81[.]90[.]175[.]7 4
176[.]36[.]251[.]208 4
109[.]86[.]226[.]85 4
68[.]55[.]59[.]145 4
37[.]57[.]144[.]177 4
64[.]111[.]36[.]52 3
66[.]215[.]30[.]118 3
72[.]230[.]82[.]80 3
104[.]174[.]123[.]66 3
24[.]220[.]92[.]193 3
84[.]246[.]161[.]47 3
216[.]254[.]231[.]11 3
69[.]163[.]81[.]211 3
77[.]95[.]195[.]68 3
76[.]84[.]81[.]120 2
85[.]135[.]104[.]170 2
24[.]148[.]217[.]188 2
98[.]209[.]75[.]164 2
24[.]33[.]131[.]116 2
*See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
icanhazip[.]com 27
Files and or directories created Occurrences
%TEMP%\murzuja.exe 27

File Hashes

0079acd8e4919c1d944690ed62db665df7ee2033f0788fce8819dbd1dc52b495 00acff5b0b1d66f3518cb494dd25453245dac6bcf7445f572138b216dc60dd5e 061a443b28bcfb65d9bf4535e28e8d069a57b3b02b7313ce724ce7d65ace6cc3 087b88d444146ca59a3c728f0c2a4a531ad7a2dbc3639ed84ee408bf6215d8ac 0964da3037876a30f6d12b9205eea90a49b9bd63d603e052b7949b9abc0a1163 111cc7917516def507f0fc251b26a34e20507848a99405ddd8160bf409026679 12fc0b95918c16ada8f0833f544a07611f30f85211c9a77c73a249ce045b81bc 13c52d814547e6ef4379d980f95bed78b3d40b39a279573b9e049fb5099fff5e 20833a3aa302aa6e67bf9a527e6b61f077b0740405231b1df53a7c6764558b6f 2347db85b21ae8dc4acbf72ff8c60d5793c27bc6e067fd394f2b8e0d16a50587 2499f88be18379c4d00539250b0524632521fb7858baa0eca4bd807a9a05e908 24b01c67de3e123e84dc436772999cdf49f63bfea5367b9508a123d9a2b9bb20 28a49addd94f0a2a849a1b9304fcf408ac231a65f1f21f667f1b962a0b9a7861 2a67adf844b4e0ea5cad4864680231f8724862213d1416155675739686450087 2b2ad88f7c73ed799197300e4c83ec7833fd6623d2c561690f9a1390de312714 2f3520224d08d4ce69596975e6d3e4aad40ebbe2514dc4acf30f97df967efeff 2fefbeb2b24e4114fbf0eb5e6cbadd214c2d6a846aba2c776a1f1643cc26c6e6 32434dcee2ab34dccea41dc4946094c49c85fe698a1337566d200eb83ed2edc2 339d409e062631e1e64bf39fd0d6d61a92a98da179a69463fac1c374b4d328d3 3ab907d9ae4834ad819d9b0c22d15ae37acd43af4deff184d90fed1ab9abee6c 3b60c441272ef1ef1520e8295c583ad4abfb725f4ac21b26c774ea8fd0793cb8 3b90fe50da30f4c4a11687995c861586d9365c8cfab3ea0f9738f1254994cd9c 3c6b988b8af205e01b2c6ce71e02826478a29c091badb34a2f86e0b196fda1ee 40ef4e2cc593c02e1f0c92e495ba7b76386e9e694e70707d681e4e8b0e3d5b01 40f3d8368c69f76e48aa4e23b621b8acd9ca694f1552741aeadff450656e1768
*See JSON for more IOCs

Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA This has coverage

Screenshots of Detection

AMP


ThreatGrid




Win.Dropper.NetWire-7597088-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 34 samples
Registry Keys Occurrences
<HKCU>\SOFTWARE\WINRAR 22
<HKCU>\SOFTWARE\WINRAR
Value Name: HWID
22
<HKLM>\SAM\SAM\DOMAINS\ACCOUNT\USERS\000003E9
Value Name: F
22
<HKLM>\SAM\SAM\DOMAINS\ACCOUNT\USERS\000001F5
Value Name: F
22
<HKLM>\SAM\SAM\DOMAINS\ACCOUNT\USERS\000003EC
Value Name: F
22
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: mkre
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: MSConfig
1
Mutexes Occurrences
- 7
jpbuqnlp 1
Global\54220ec1-56cd-11ea-a007-00501e3ae7b5 1
Global\10d125c1-56cd-11ea-a007-00501e3ae7b5 1
thxETPfM 1
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
194[.]4[.]56[.]252 2
104[.]215[.]148[.]63 1
192[.]169[.]69[.]25 1
104[.]47[.]54[.]36 1
111[.]121[.]193[.]242 1
103[.]60[.]181[.]238 1
185[.]201[.]10[.]1 1
103[.]48[.]6[.]14 1
191[.]252[.]63[.]14 1
68[.]65[.]122[.]86 1
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
james7[.]serveftp[.]com 4
dualserverz[.]info 3
myp0nysite[.]ru 2
uzo123[.]serveftp[.]com 2
api[.]w[.]org 1
gmpg[.]org 1
microsoft-com[.]mail[.]protection[.]outlook[.]com 1
web[.]whatsapp[.]com 1
gypsypy[.]duckdns[.]org 1
bags[.]mn 1
pornhouse[.]mobi 1
opixib[.]bid 1
bishop123[.]ddns[.]net 1
papergang[.]ru 1
tizardns[.]3utilities[.]com 1
eorul[.]com 1
sistemacplus[.]com[.]br 1
www[.]sistemacplus[.]com[.]br 1
frankweb[.]club 1
usbasri[.]co[.]id 1
Files and or directories created Occurrences
%TEMP%\-<random, matching '[0-9]{9}'>.bat 20
\TEMP\.Identifier 7
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\filename.vbs 6
%APPDATA%\GHYTRFDRTTG 4
%APPDATA%\GHYTRFDRTTG\filename.exe 4
%APPDATA%\Install 2
%APPDATA%\Install\.Identifier 2
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\wind0ws.vbs 2
%APPDATA%\zqxhkpjwc 2
%APPDATA%\zqxhkpjwc\wind0ws.scr 2
%APPDATA%\Install\Host.exe 1
%APPDATA%\subfolder 1
%APPDATA%\subfolder\filename.exe 1
%TEMP%\99a0_appcompat.txt 1
%APPDATA%\Install\juyr.exe 1
%APPDATA%\FGBHYTUJIUY 1
%APPDATA%\FGBHYTUJIUY\filename.exe 1
%HOMEPATH%\obgtcgwm.exe 1
%TEMP%\711562.bat 1
%TEMP%\734171.bat 1
%TEMP%\760328.bat 1
%TEMP%\AA1AE.dmp 1

File Hashes

03626570f585d84e55af0ce856078e9276419d199f905c54bddcd8b22ed59531 0fcd763cf9aacfe72a46b379a1b58234f969767077f0e58276d0c8496c780fcb 1aa57ab794a26bf3e5ffe959a232d76d0bbceae45b4e4a95cd0020b9544c6d0d 1cc2d9b34a545cd02771bf80cb5023dfbab5218c1e7de07625ac1acf7b2547db 23184d75b8da1d8098ad7781ddfc7b6ef77fdd829adb43983cac9f179ba38750 340e9f8c35eddc59064c602be4236f21168dca61b719c27c0663b79cef103a8b 3af3f307c5b1aaa3a45720cfae69ff81460dce4c9da0dea8c87a47a17faaa4cb 4265eab00295ca620c827e71be4674ee18570027ba01269a36604066b92f1920 4a9d1b415b5882f72096da7178edcb29748bc3307e3ae1419c856746eae66e8d 4d26a04fe07e1059cef86588306026a39acbd96796a2a971bcc1d6bb3be4637e 52f425836ad69e22d7594ef0b3ee22ecffd021a111e30f5dc9fc5425f6e0cac8 53d97906225832b310be044db70b6287ed3a20d23f43a4f4d4e0b6b2c13c08a8 579b412e9a175250a6f4248685924ad260b23ef4757173bea04ef62397027eda 752a6eabbd0eb73ed88633b288cde00fa4d47f66bbd42196d8631d5ff7525e53 82398b467b0d2d2f55111a2595fe665e416f9ee7fd47fc9ddb948a4d2f754bae 82c60953f478ac1f71ce1dbc4902c08058b20391915d32bb13ff8ff7d523b5b6 8761ab62984d012f514ec6ba9db5dabaf547729351c2db0d5bdcc3938a0381eb 9a2f9de8fd437e175e94688d9e84e77e2803d4b2c9d110a44597dead122484ca b7082b2820ff5e857b192f79a6d4fbfe55f66bd309bdcea06d9d8b214a3b4923 b9ba565eafc1c0d837bdf9e83e4be40c4966e8f9d23640b01c1a4a9caeca97a8 ba96661424707f2d430bf9d5e8c915c6925363b163f7ad9855b8f72255615116 c2f508a2d916a56c96985298988ac37e7352b013acfb30e142f13d7f998054f7 c602c39491544712670f4ae93ffaf76beeb2eb86d4d1ac55bbcc25852a3a260b cc4378d3d98efcb04fc4ac8071fa68e1a55b95b23283bf2dabcc74a593633b38 ce4b1e164c11a1cc3044cc0426f24eff4ed6149938cce855c116df7d21e4fef4
*See JSON for more IOCs

Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection

AMP


ThreatGrid


Umbrella




Win.Packed.njRAT-7595003-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 10 samples
Registry Keys Occurrences
<HKCU>\ENVIRONMENT
Value Name: SEE_MASK_NOZONECHECKS
10
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
Value Name: ParseAutoexec
10
<HKCU>\SOFTWARE\9BD3387F7E8ABEB14EFCB3BDF5E7C89B 2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: 9bd3387f7e8abeb14efcb3bdf5e7c89b
2
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: 9bd3387f7e8abeb14efcb3bdf5e7c89b
2
<HKCU>\SOFTWARE\9BD3387F7E8ABEB14EFCB3BDF5E7C89B
Value Name: [kl]
2
<HKCU>\SOFTWARE\BB0E5F604F30988E0B2498356D0A2358 2
<HKCU>\SOFTWARE\BDBC444244C8D079DD87AC27E84A52E2 2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: bb0e5f604f30988e0b2498356d0a2358
2
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: bb0e5f604f30988e0b2498356d0a2358
2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: bdbc444244c8d079dd87ac27e84a52e2
2
<HKCU>\SOFTWARE\BB0E5F604F30988E0B2498356D0A2358
Value Name: [kl]
2
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: bdbc444244c8d079dd87ac27e84a52e2
2
<HKCU>\SOFTWARE\BDBC444244C8D079DD87AC27E84A52E2
Value Name: [kl]
2
<HKCU>\SOFTWARE\38407B401D4C3FE12E0AA019ABFE1C1E 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: 38407b401d4c3fe12e0aa019abfe1c1e
1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: 38407b401d4c3fe12e0aa019abfe1c1e
1
<HKCU>\SOFTWARE\38407B401D4C3FE12E0AA019ABFE1C1E
Value Name: [kl]
1
<HKCU>\SOFTWARE\9F78F6C54CD3644B404DDA00839B7FA6 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: 9f78f6c54cd3644b404dda00839b7fa6
1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: 9f78f6c54cd3644b404dda00839b7fa6
1
<HKCU>\SOFTWARE\9F78F6C54CD3644B404DDA00839B7FA6
Value Name: [kl]
1
<HKCU>\SOFTWARE\E425607C2D9B7766223C902817C469E3 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: e425607c2d9b7766223c902817c469e3
1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: e425607c2d9b7766223c902817c469e3
1
Mutexes Occurrences
<32 random hex characters> 10
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
3[.]19[.]114[.]185 1
3[.]17[.]202[.]129 1
18[.]223[.]41[.]243 1
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
systeamwon[.]ddns[.]net 2
shwii[.]ddns[.]net 2
0[.]tcp[.]ngrok[.]io 1
windowshost[.]sytes[.]net 1
hell3324[.]ddns[.]net 1
hidden4matrix[.]ddns[.]net 1
Files and or directories created Occurrences
%TEMP%\server.exe 3
%TEMP%\svchost.exe 2
%TEMP%\Config.exe 2
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\9bd3387f7e8abeb14efcb3bdf5e7c89b.exe 2
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\bb0e5f604f30988e0b2498356d0a2358.exe 2
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\bdbc444244c8d079dd87ac27e84a52e2.exe 2
%HOMEPATH%\svchost.exe 1
%TEMP%\svchos.exe 1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\38407b401d4c3fe12e0aa019abfe1c1e.exe 1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\9f78f6c54cd3644b404dda00839b7fa6.exe 1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\e425607c2d9b7766223c902817c469e3.exe 1
%HOMEPATH%\facebook.exe 1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\5ebda11b3fd5a5a7f5d1714d88c0f3af.exe 1

File Hashes

3ef25d1d353980ad2520e32b1b572f6cc89f9663b5fdede26e82a0ada4923c01 65d2420dd699fb1f44f67acd048eea2a25e38bf1d937c76409d3bab468504158 6d616a0f4624ac3bf296775b7d4f4463086874b03250c26f7d9ac70eead17de2 8e9b7527288d425e4ae9eaa8a1aa18b95211f633aa8c445d3ff3bb7d290e9099 a036f4468f651fcbdc9c127d6fd15a54e72e438d928558dc206fb36a154540a9 a3b9c055304610aa65535697bc17b5a4a24868f81d7b832013bb1efb544c416b ba8e06b7a75909f51aa597425432c532a92061fcdfb4652c5ad2566189720257 bd2707d424bc88be4dfcdf7a7c0a6bc53aa9a760634be11222b542f289c18a2d c9dba92e18ca02c2ea1a007ac18ad149d527889496a892159eb3642229865798 f021bdb5547ce84dc5a6dc3b49926db736b275823bfdf792a2643705724d99ee

Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

AMP


ThreatGrid




Win.Packed.Zbot-7595026-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 11 samples
Registry Keys Occurrences
<HKCU>\SOFTWARE\WINRAR 11
<HKCU>\SOFTWARE\WINRAR
Value Name: HWID
11
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
91[.]195[.]240[.]126 11
108[.]166[.]65[.]182 11
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
aloucakbileti[.]com 11

File Hashes

1483f9f04971cf117cde479d601b247b2799922e733e5d35fd751dfb752c170a 1a8719053b69c4a7c9276686eea82638f64c6c15c13ed44c532d4b650256212b 2dbcea2a92e98a3a4d41a2b4e281aaa7247de43ebd3c19d6461f8a6a5d288a29 32f4a6e21c6bb34c6a1cc0dd8cf8f796cae8f2e28f413b8b0b9498ae1679e682 48335f0bfbdbd881848966178e6b993a8a6ae5ea7a68b31b985ff8c77fc259a4 4c666cfa1f81701cd6756694a10e9840472ec0aef101a856b5f45bcaa4bef37c 6f6d0d9bf3a2e132194c83d63f1fe5e6b6112cbb707874beb51d27e55ca16959 904b1715e5ef21a0f8562ca8e785552459931cb7659fca83d5514e73b01e1242 9e12ac912d40f689ba60b1d7297a834c7928e1ecd298d60847eec5b9a6b79017 c71c0978b1eab31318e19dd3ba4147f947dfb88f2acba740c70ff9901bd1c732 e2b2f54504e9f02a8cb68ea87e3f5fcebc32269e907c64a89d1980751d1d0ed8

Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

AMP


ThreatGrid




Win.Virus.Ramnit-7597892-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 15 samples
Mutexes Occurrences
KyUffThOkYwRRtgPP 13
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
204[.]79[.]197[.]200 13
72[.]26[.]218[.]70 13
172[.]217[.]164[.]174 12
13[.]107[.]21[.]200 9
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
fget-career[.]com 13
Files and or directories created Occurrences
%ProgramFiles%\Internet Explorer\dmlconf.dat 13
%ProgramFiles(x86)%\Microsoft\DesktopLayer.exe 13
%ProgramFiles%\Microsoft\DesktopLayer.exe 13
%ProgramFiles(x86)%\Microsoft 13
%SystemRoot%\SysWOW64\rundll32Srv.exe 13
%System32%\rundll32Srv.exe 13
%SystemRoot%\SysWOW64\rundll32SrvSrv.exe 7

File Hashes

176b9a90fd733e2a9e1740f169c326d1e9283aca061fb347077dda1f7f57d9ec 34d156c616d6afffc050fae92c5b9adff44272b171b60e70cb335784a2ad13b8 3525253f41b121d2355eb87270c8549d2ee43c39aaebbef5b3b59a282dd2d057 3d828f510bacb5c21461913f8d3675a39a0aa4b0528796ae464340a6b6cb3971 3fac755cdd70a60589efb24db320dfa9996f454298c30718cf82686de76d6a52 643a1a549572481e2135c12ce90059e027e39eb5196ad4e297547574c04987f9 6e89caaaa958c55fccff5adfc9a2c48af0050133ea388aea0d611a39be24d021 80b91b5430c4200ddd41340d7ab5e72083ef5e2da2bbb62d21f93dab73b09374 a3af4e90dc0a7cbb477be2d196dba7a0b4540a145075d1740deb9bd2a384be53 af1ee4f6576c31441a2274c256d4607b756e97cca20782f4a48e2f1dbe73d00d b5065239929ba72b4ba764c7bd80e9a81a59cd37977a6a7a9044ccd08f443254 bcc3ddeb859276e8b8d83e53eca72f22bb15131ff2be63b1847403f91c1c9ad5 be71f31ad183c4c4987d9fbcb7618888f13c8c0472b7dccc451c7a576f50af02 c0eef4571e9bf2e8a07986d4191a3bdec59e3b5781f067f774d178e5ffe3ceb8 e77bacc45b82228bf607ff0d32fbff385fa74ee4e5dd77962cee5a6ff9832cd9

Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA This has coverage

Screenshots of Detection

AMP


ThreatGrid




Exploit Prevention

Cisco AMP for Endpoints protects users from a variety of malware functions with exploit prevention. Exploit prevention helps users defend endpoints from memory attacks commonly used by obfuscated malware and exploits. These exploits use certain features to bypass typical anti-virus software, but were blocked by AMP thanks to its advanced scanning capabilities, even protecting against zero-day vulnerabilities.
CVE-2019-0708 detected - (3979)
An attempt to exploit CVE-2019-0708 has been detected. The vulnerability, dubbed BlueKeep, is a heap memory corruption which can be triggered by sending a specially crafted Remote Desktop Protocol (RDP) request. Since this vulnerability can be triggered without authentication and allows remote code execution, it can be used by worms to spread automatically without human interaction.
Excessively long PowerShell command detected - (402)
A PowerShell command with a very long command line argument that may indicate an obfuscated script has been detected. PowerShell is an extensible Windows scripting language present on all versions of Windows. Malware authors use PowerShell in an attempt to evade security software or other monitoring that is not tuned to detect PowerShell based threats.
Process hollowing detected - (340)
Process hollowing is a technique used by some programs to avoid static analysis. In typical usage, a process is started and its obfuscated or encrypted contents are unpacked into memory. The parent then manually sets up the first stages of launching a child process, but before launching it, the memory is cleared and filled in with the memory from the parent instead.
Kovter injection detected - (109)
A process was injected into, most likely by an existing Kovter infection. Kovter is a click fraud Trojan that can also act as an information stealer. Kovter is also file-less malware meaning the malicious DLL is stored inside Windows registry and injected directly into memory using PowerShell. It can detect and report the usage of monitoring software such as wireshark and sandboxes to its C2. It spreads through malicious advertising and spam campaigns.
Installcore adware detected - (89)
Install core is an installer which bundles legitimate applications with offers for additional third-party applications that may be unwanted. The unwanted applications are often adware that display advertising in the form of popups or by injecting into browsers and adding or altering advertisements on webpages. Adware is known to sometimes download and install malware.
Gamarue malware detected - (82)
Gamarue is a family of malware that can download files and steal information from an infected system. Worm variants of the Gamarue family may spread by infecting USB drives or portable hard disks that have been plugged into a compromised system.
Dealply adware detected - (59)
DealPly is adware, which claims to improve your online shopping experience. It is often bundled into other legitimate installers and is difficult to uninstall. It creates pop-up advertisements and injects advertisements on webpages. Adware has also been known to download and install malware.
Corebot malware detected - (14)
Corebot is a Trojan with many capabilities found in other prominent families. It features a plugin system to enable it to load a variety of features from the C&C server at any time. Known plugins include RAT capabilities such as taking desktop screenshots, as well as being able to intercept and modify browser communications and steal data, especially data related to banking.
Reverse tcp payload detected - (10)
An exploit payload intended to connect back to an attacker controlled host using tcp has been detected.
Trickbot malware detected - (9)
Trickbot is a banking Trojan which appeared in late 2016. Due to the similarities between Trickbot and Dyre, it is suspected some of the individuals responsible for Dyre are now responsible for Trickbot. Trickbot has been rapidly evolving over the months since it has appeared. However, Trickbot is still missing some of the capabilities Dyre possessed. Its current modules include DLL injection, system information gathering, and email searching.

No comments:

Post a Comment