Friday, March 6, 2020

Threat Roundup for February 28 to March 6

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Feb. 28 and March 6. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.


For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. As always, please remember that all IOCs contained in this document are indicators, and one single IOC does not indicate maliciousness.
The most prevalent threats highlighted in this roundup are:

Threat Name Type Description
Win.Dropper.Emotet-7600941-0 Dropper Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a wide variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails.
Win.Downloader.Upatre-7601201-0 Downloader Upatre is a malicious downloader often used by exploit kits and phishing campaigns. Upatre downloads and executes malicious executables, such as banking malware.
Win.Malware.Kovter-7601670-0 Malware Kovter is known for its fileless persistence mechanism. This family of malware creates several malicious registry entries which store its malicious code. Kovter is capable of reinfecting a system, even if the file system has been cleaned of the infection. Kovter has been used in the past to spread ransomware and click-fraud malware.
Win.Malware.Trickbot-7603048-1 Malware Trickbot is a banking trojan targeting sensitive information for certain financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB scripts.
Win.Malware.Nymaim-7602109-1 Malware Nymaim is malware that can be used to deliver ransomware and other malicious payloads. It uses a domain generation algorithm to generate potential command and control (C2) domains to connect to additional payloads.
Win.Packed.Bifrost-7603033-1 Packed Bifrost is a backdoor with more than 10 variants. Bifrost uses the typical server, server builder, and client backdoor program configuration to allow a remote attacker, who uses the client, to execute arbitrary code on the compromised machine. Bifrost contains standard RAT features including a file manager, screen capture utility, keylogging, video recording, microphone and camera monitoring, and a process manager. Bifrost uses a mutex that may be named "Bif1234," or "Tr0gBot" as signs that it's been successful.
Win.Packed.Tofsee-7603095-1 Packed Tofsee is multi-purpose malware that features a number of modules used to carry out various activities such as sending spam messages, conducting click fraud, mining cryptocurrency, and more. Infected systems become part of the Tofsee spam botnet and are used to send large volumes of spam messages in an effort to infect additional systems and increase the overall size of the botnet under the operator's control.
Win.Ransomware.Nemty-7603722-1 Ransomware Nemty is ransomware that encrypts files and demands payment in Bitcoin for files to be recovered.
Win.Trojan.Gh0stRAT-7603864-1 Trojan Gh0stRAT is a well-known family of remote access trojans designed to provide an attacker with complete control over an infected system. Capabilities include monitoring keystrokes, collecting video footage from the webcam, and uploading/executing follow-on malware. The source code for Gh0stRAT has been publicly available on the Internet for years, significantly lowering the barrier for actors to modify and reuse the code in new attacks.

Threat Breakdown

Win.Dropper.Emotet-7600941-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 15 samples
Registry Keys Occurrences
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\API-MS-WIN-CORE-DEBUG-L1-1-0
Value Name: ImagePath
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MSUTB
Value Name: Start
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\RASGCW
Value Name: ErrorControl
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\API-MS-WIN-CORE-DEBUG-L1-1-0
Value Name: DisplayName
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MSUTB
Value Name: ErrorControl
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\RASGCW
Value Name: ImagePath
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\API-MS-WIN-CORE-DEBUG-L1-1-0
Value Name: WOW64
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MSUTB
Value Name: ImagePath
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\API-MS-WIN-CORE-DEBUG-L1-1-0
Value Name: ObjectName
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\RASGCW
Value Name: DisplayName
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MSUTB
Value Name: DisplayName
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\RASGCW
Value Name: WOW64
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\API-MS-WIN-CORE-DEBUG-L1-1-0
Value Name: Description
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MSUTB
Value Name: WOW64
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\RASGCW
Value Name: ObjectName
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MSUTB
Value Name: ObjectName
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\RASGCW
Value Name: Description
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MSUTB
Value Name: Description
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\IASDATASTORE 1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\IASDATASTORE
Value Name: Type
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\IASDATASTORE
Value Name: Start
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\IASDATASTORE
Value Name: ErrorControl
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\IASDATASTORE
Value Name: ImagePath
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\IASDATASTORE
Value Name: DisplayName
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\IASDATASTORE
Value Name: WOW64
1
Mutexes Occurrences
Global\I98B68E3C 15
Global\M98B68E3C 15
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
104[.]32[.]141[.]43 7
139[.]47[.]135[.]215 6
181[.]61[.]224[.]26 6
216[.]75[.]37[.]196 2
212[.]174[.]57[.]124 2
89[.]108[.]158[.]234 2
74[.]105[.]51[.]75 1
189[.]201[.]197[.]106 1
Files and or directories created Occurrences
%TEMP%\<random, matching '[a-f0-9]{3,5}'>_appcompat.txt 15
%TEMP%\<random, matching '[A-F0-9]{4,5}'>.dmp 15
%SystemRoot%\SysWOW64\KBDRO 1
%SystemRoot%\SysWOW64\rasser 1
%SystemRoot%\SysWOW64\sppc 1
%SystemRoot%\SysWOW64\rdpencom 1
%SystemRoot%\SysWOW64\ias 1
%SystemRoot%\SysWOW64\msctfui 1
%SystemRoot%\SysWOW64\sppinst 1
%ProgramData%\RPjyQXrZOqjIXJnOwMa.exe 1
%SystemRoot%\SysWOW64\iasdatastore 1
%SystemRoot%\SysWOW64\iprtprio 1
%SystemRoot%\SysWOW64\acppage 1
%SystemRoot%\SysWOW64\rasgcw 1
%SystemRoot%\SysWOW64\api-ms-win-core-debug-l1-1-0 1
%SystemRoot%\SysWOW64\msutb 1
%SystemRoot%\SysWOW64\dsquery 1
%SystemRoot%\SysWOW64\api-ms-win-core-misc-l1-1-0 1
%ProgramData%\PJiawWEgBV.exe 1

File Hashes

0e4056035379093c420b6d84d9bcd77d2789c80d7729eb7e8635e489cfb0b9c0 0eabba5e6d29aadd3551715bab5279a1a2faf19f90a24f0168b8d903acee0d26 1afd9903eb0ba0b06fd05672c52a361551848d94215cf4071a329c3cd2743634 45bb0185b3b111814469ce0ec2d2e03e4c7e469170d42ae9733402c63f804431 486d1ab587964c3783faf01d9fb9b72c0719b512826984f17fb4b42553d2ad29 67baea8bd29156a72ecbf6d75c2abe452cf428aaa0503e3de41c93445f1bc163 6a1b89dc82ca6fe2944fb21d89e2e9cd50e18d7c102cef1986d9aebbb080b852 77110ce382c087ef3b89f354e0ff2362da40500c425e97e34c2e297d8ce83970 8257c2e631751a8a6114d4463debb0dfc2021a2630a7f463a928a4fe6c3bc211 83605486c96943d2a8a30a40b43c38dc588e86a05a667842132d69c5a0d7cac1 94a354a98259a0d92248531bd3c8ee59ebad766bc7c3cff4a4739bd467b1d244 96d43323599a68012b79990a2d2b861f6266a7c48ae3409f6f92aee912cb6fd4 bae886d7885453947e93c457f93b18c50cede1b7e17daebd2c934d32917d8d13 bd2e823604e511efa9b864d6e40d93b8d1f38d600c4ae6302e19078bd4ff0d0f de54dc917bcc60957bf16bc876080e485d5d2939c542057afc5aa5c098c2bc7e

Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA This has coverage

Screenshots of Detection

AMP


ThreatGrid




Win.Downloader.Upatre-7601201-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 15 samples
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
181[.]143[.]164[.]189 1
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
grupodolcearte[.]com 15
Files and or directories created Occurrences
%TEMP%\vitra.exe 15

File Hashes

02e92a155d33c4ca944d13f25efc1cb64e18fe9a2f3343cb26abb1e898f03311 20ca23453249306f1b2f7e36cbca3f7b99daced979bbc6131d6cb6950bfb739f 23d112d78879dde9cd9f38b3de9b6fd41191a8a64d77734886b6e971fc0ca4cc 3595f2059b5d2ac9c110fa15ec32b94da8fe9fb2937327ec5fcd60dcf0c7669a 439a8dc0f85467bc1e34ea057e5f529aeea392a677db8e1fc2cd32a4b5c5011a 79cb02073d36f32ce34cad9618a3bebdf09c38c1c46629e3acd76c03dd0d9ba1 83fff77b45dab7b20920a22207a202cfeebfc4b0e19b1efff8ce1dac7cd2c5c9 b3368d3532c08ed8fd83aef55d0d10d55479c686a7b9659f598772c17abe2919 b4679d7520c1769e1bb4cd0d1a88652a036346c6de7d7d30ee1dd59a8d90251b dfb32e641900be3f65c7af2ba26c7728883ed123e6246808d2068444a1338f8a e42bd741b4596381169df7b9643466422cc0e071fbd4d69d4acfc08df00692da eb4abbc6e8b7980686f07344ef0ecb7cef00188339e65fa16258feab7be0dd02 f81d5c1f44065d3bf471255104b9740930b88347fb55fbd7116a967c1a6d3225 f95e463db1ea767128da0df3fa48817084e2522393a1758e70d80e9d17077927 fc9ab4d96279fc746aa4730ef51d9034fedb0eb3775e4a1aa29505261a5a8332

Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

AMP


ThreatGrid




Win.Malware.Kovter-7601670-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 25 samples
Registry Keys Occurrences
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\WINDOWSUPDATE
Value Name: DisableOSUpgrade
25
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\WINDOWSUPDATE\OSUPGRADE
Value Name: ReservationsAllowed
25
<HKLM>\SOFTWARE\WOW6432NODE\XVYG
Value Name: xedvpa
25
<HKCU>\SOFTWARE\XVYG
Value Name: xedvpa
25
<HKCR>\.8CA9D79 25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: vrxzdhbyv
25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: ssishoff
25
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\WINDOWSUPDATE 25
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\WINDOWSUPDATE\OSUPGRADE 25
<HKCU>\SOFTWARE\XVYG 25
<HKLM>\SOFTWARE\WOW6432NODE\XVYG 25
<HKCR>\C3B616 25
<HKCR>\C3B616\SHELL 25
<HKCR>\C3B616\SHELL\OPEN 25
<HKCR>\C3B616\SHELL\OPEN\COMMAND 25
<HKCR>\.8CA9D79 25
<HKLM>\SOFTWARE\WOW6432NODE\XVYG
Value Name: svdjlvs
25
<HKCU>\SOFTWARE\XVYG
Value Name: svdjlvs
25
<HKLM>\SOFTWARE\WOW6432NODE\XVYG
Value Name: lujyoqmfl
23
<HKCU>\SOFTWARE\XVYG
Value Name: lujyoqmfl
23
<HKLM>\SOFTWARE\WOW6432NODE\6EDCD1ACE8E1BEB04F 1
<HKLM>\SOFTWARE\WOW6432NODE\AYIWU21XG 1
<HKLM>\SOFTWARE\WOW6432NODE\6EDCD1ACE8E1BEB04F
Value Name: 7627520618DA5D099
1
<HKLM>\SOFTWARE\WOW6432NODE\AYIWU21XG
Value Name: 30CCbFnYqq
1
<HKLM>\SOFTWARE\WOW6432NODE\AYIWU21XG
Value Name: 3WBi1nRFP
1
Mutexes Occurrences
EA4EC370D1E573DA 25
A83BAA13F950654C 25
Global\7A7146875A8CDE1E 25
B3E8F6F86CDD9D8B 25
Global\350160F4882D1C98 20
053C7D611BC8DF3A 20
408D8D94EC4F66FC 19
1F7768DE4B445CA4 1
45D0E7B493967BD3 1
Global\BBADD150515CFAC6 1
Global\B8F225B5B0E54634 1
389405CE233FA3A9 1
2F37600C5F8C3F9D 1
B5169E04A784F73A 1
Global\0E043F99F52ADD23 1
28F3C9E454B2BE4D 1
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
195[.]66[.]169[.]214 1
193[.]89[.]27[.]38 1
82[.]26[.]6[.]183 1
110[.]19[.]168[.]112 1
205[.]74[.]243[.]98 1
175[.]129[.]208[.]52 1
75[.]78[.]164[.]64 1
129[.]131[.]39[.]141 1
202[.]80[.]190[.]29 1
2[.]92[.]35[.]198 1
78[.]174[.]172[.]25 1
157[.]249[.]101[.]131 1
50[.]76[.]35[.]183 1
108[.]61[.]180[.]5 1
89[.]115[.]171[.]148 1
33[.]237[.]143[.]29 1
68[.]197[.]76[.]18 1
39[.]92[.]225[.]165 1
50[.]185[.]184[.]107 1
216[.]28[.]85[.]142 1
74[.]50[.]14[.]5 1
102[.]220[.]95[.]104 1
88[.]29[.]104[.]209 1
179[.]52[.]109[.]188 1
217[.]42[.]217[.]105 1
*See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
maxcdn[.]bootstrapcdn[.]com 1
cpanel[.]com 1
certificates[.]godaddy[.]com 1
crt[.]sectigo[.]com 1
qdrtjvht[.]cn 1
Files and or directories created Occurrences
%LOCALAPPDATA%\4dd3cc 25
%LOCALAPPDATA%\4dd3cc\519d0f.bat 25
%LOCALAPPDATA%\4dd3cc\8e9866.8ca9d79 25
%LOCALAPPDATA%\4dd3cc\d95adb.lnk 25
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\91b4e5.lnk 25
%APPDATA%\b08d66 25
%APPDATA%\b08d66\0b3c0b.8ca9d79 25
%APPDATA%\db7a\c227.a7783 20
%HOMEPATH%\Local Settings\Application Data\f4fa\97ea.lnk 20
%HOMEPATH%\Local Settings\Application Data\f4fa\c0ce.bat 20
%HOMEPATH%\Local Settings\Application Data\f4fa\d5a9.a7783 20
%HOMEPATH%\Start Menu\Programs\Startup\d733.lnk 20
\REGISTRY\MACHINE\SOFTWARE\Classes\.bat 2
\REGISTRY\MACHINE\SOFTWARE\Classes\exefile 1
%APPDATA%\904327\acf971.5ad8d0d 1
%HOMEPATH%\Local Settings\Application Data\d23b56\48c11b.lnk 1
%HOMEPATH%\Local Settings\Application Data\d23b56\56341e.bat 1
%HOMEPATH%\Local Settings\Application Data\d23b56\8ed9fe.5ad8d0d 1
%HOMEPATH%\Start Menu\Programs\Startup\8f3c0b.lnk 1
%APPDATA%\ef9fd\dc166.73309a 1
%HOMEPATH%\Local Settings\Application Data\00594\249d2.73309a 1
%HOMEPATH%\Local Settings\Application Data\00594\7957c.bat 1
%HOMEPATH%\Local Settings\Application Data\00594\7b643.lnk 1
%HOMEPATH%\Start Menu\Programs\Startup\61575.lnk 1
%APPDATA%\2b7b\8e52.5c403 1
*See JSON for more IOCs

File Hashes

019b344a8e7f3c77456904825315980c4470a207baeaf73e4b27e806d3d29cb3 1bb5bc698bf1c157fd1d59a93b05042191cf10faf717f4a275a65d692b47b6b4 2865baa489d087b61ade44ab6dcc5cde74b460d7c6253e35df27c8ba083b2ade 29c170c9817f4e027bca34e4f18213e2fcd320706c626f9c5831b901b0069092 2d1675a1e1ab54f9fedf904a3b9d81a42c96da4a044a2bda43e226050f71bfcc 2dee218bbc4b07efb543c50b6d55e3e685a4c2e57b6c4d7c059823a1ec43ece7 3d481ecedf7418ce930c8291375b043fbc3a879a01b8719b93296680d86a8162 4bf67a114270f6506f6552ac552d9b9ef5a8f3a5bc8dd16a8a8a932d4706e1ba 4c9ab51001bd342ca1ce44e5ca4427e11006bf4499399789dc9343eaf3576e77 506b98313e47d5437a0e0d690c40f3501314a15b46e3be245a659e3729f70258 5547747470941e6f2b4c76ab2e811f61a0676b2112629bc45750ba5ec96007e0 5b870a8c9b77afc82f629efb7bde9f96e8546e53122011b41336eb5553c6e4ca 6402c25ebcf11608c1b05d27fe6642b47638d3546713766762e50d2d3d83ca09 6a53862c999e92e936492a1bf45823aa4bf0072bcbb4b451f47870ad6c077f76 720609e2de6c8210effaf2870d9cb2d09b11940a6806e79d23187a658379f660 75f47542b9efdd3a8e1ae7e149fd1017db8dddd414d1abe5c877e4d33c2f51f5 7799dafddc4a5e548d953d26ae900690445de42ced9b2cacf272291129980577 7f16e38c960c0db1e5f5fc9324e83bef46f6c55ed8efd0c11d44d56505590615 8252a6deb89935b6d4d28ae5e4d3309ecb13453a8c283314d2e7be1ec4953cb1 85bea08924265155253c171276bd3258037c0deaabc0e6e5f3788bb64125344e 8b8240abba2d007dfecff03fdf9dc46355056aec7f00e8693f07002455c821c5 8b9c2df052ae2d6809ff2d268fd0c7cc58df677aa90d83f527f59cc1781a7c7e 8f0e0af7ba99a4ba8e908562d084d23daa9d31ebd5d48f6990628711cd2b1c90 9ebe5a5b6e7219498b3c869207cc5c6fe989ea7045b8beae473199de36ef935a a657fa50766ac0c785be910723473c307f4bb9c4770f73afc94c096df8d4d353
*See JSON for more IOCs

Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

AMP


ThreatGrid




Win.Malware.Trickbot-7603048-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 18 samples
Mutexes Occurrences
Global\VLock 18
SafeGuard 18
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
216[.]239[.]32[.]21 5
216[.]239[.]34[.]21 4
116[.]203[.]16[.]95 4
195[.]62[.]52[.]96 3
194[.]87[.]92[.]113 3
67[.]21[.]90[.]106 3
216[.]239[.]38[.]21 2
216[.]239[.]36[.]21 2
87[.]121[.]76[.]172 2
69[.]195[.]159[.]158 2
91[.]219[.]28[.]58 2
104[.]20[.]17[.]242 1
191[.]7[.]30[.]30 1
192[.]35[.]177[.]64 1
51[.]254[.]164[.]249 1
84[.]238[.]198[.]166 1
67[.]21[.]90[.]109 1
91[.]219[.]28[.]80 1
193[.]124[.]117[.]189 1
194[.]87[.]144[.]16 1
185[.]86[.]150[.]89 1
34[.]192[.]250[.]175 1
37[.]59[.]183[.]142 1
107[.]181[.]246[.]213 1
54[.]225[.]159[.]35 1
*See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
myexternalip[.]com 4
ip[.]anysrc[.]net 4
ipinfo[.]io 4
elb097307-934924932[.]us-east-1[.]elb[.]amazonaws[.]com 4
api[.]ipify[.]org 4
wtfismyip[.]com 2
ipecho[.]net 2
checkip[.]us-east-1[.]prod[.]check-ip[.]aws[.]a2z[.]com 2
checkip[.]amazonaws[.]com 2
icanhazip[.]com 1
apps[.]digsigtrust[.]com 1
apps[.]identrust[.]com 1
Files and or directories created Occurrences
%APPDATA%\winapp\Modules 18
%System32%\Tasks\services update 18
%APPDATA%\winapp\client_id 18
%APPDATA%\winapp\group_tag 18
%APPDATA%\winapp 18
%APPDATA%\WINAPP\<original file name>.exe 18
%SystemRoot%\Tasks\services update.job 14

File Hashes

0734537582744df9451325031e9e8731642f668eccf59befd64edb7bc8fafe7e 6689bd8590bd31ff3527c49b5b11679264a1b9b10849dcc66cbe6900478eb871 67f0429ee85995d64131c87b6838e69ca53aa9e7b25d3ada30c97dab269ba7cd 7180b1814adf4ede4bdab8b9c61c81af3b170cdbcc12ad847f47690e2e526644 755a16e14820e83967b4b3e21f238fbd0a161032d1f6e837c21a1059678c1e94 84f89b0fd428f6932f1053d6456cddb2545f4de476e55029d410f1808fbf2a30 887e3e74d1c5d39a5bc52544fdb246b2c715068eb699cec7ad7adbe0c41afcba 903ac66acff8f25f7990d205cece0c3be4cf19782b81ef25dba48eb3d8deaf56 91894e74967a409a1237940d4e2c6bbe76399dedf57c771cb558aa12cfa5e3d1 9363dc1d3c9b8a07f523624f55707ce3c0d1723dad1efbbfe3f515008601cb96 b2103964af0368affa8fba5d7f6d240f4da2be650082498cfd7748c345275084 b892a452a962407b340e01b761b37a33e75a5dcfd06df33f24c6f12af68f88a3 c0189f5e94156e85176424967870b93eaadf3c56d6f37c71186aadb774e6339a c5f3bde9423af4d58282c14cf1b38ee6dd71982def8c3f6182ce1b75ecfda479 d94c6866a52bb26ed7b15e72f4ee8d762876a29a2e9efa6875aaf85899d49d0c dc47b07c0dafe93644c39795780bb3f73727fa1b9d18f45e6e5aa6445eebfa0c e2e0f5369df5a08b124098492de660aba4bdfbeb08fbe8af1ed86e165a45782a f04cda7271ff361471a8dc27f9d6de94255df35c15842fa65e030f27077d6ebd

Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

AMP


ThreatGrid




Win.Malware.Nymaim-7602109-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 25 samples
Registry Keys Occurrences
<HKCU>\SOFTWARE\MICROSOFT\GOCFK 25
<HKCU>\SOFTWARE\MICROSOFT\GOCFK
Value Name: mbijg
25
Mutexes Occurrences
Local\{369514D7-C789-5986-2D19-AB81D1DD3BA1} 25
Local\{D0BDC0D1-57A4-C2CF-6C93-0085B58FFA2A} 25
Local\{F04311D2-A565-19AE-AB73-281BA7FE97B5} 25
Local\{F6F578C7-92FE-B7B1-40CF-049F3710A368} 25
Local\{306BA354-8414-ABA3-77E9-7A7F347C71F4} 25
Local\{F58B5142-BC49-9662-B172-EA3D10CAA47A} 25
Local\{C170B740-57D9-9B0B-7A4E-7D6ABFCDE15D} 25
Local\{B888AC68-15DA-9362-2153-60CCDE3753D5} 25
Local\{2DB629D3-9CAA-6933-9C2E-D40B0ACCAC9E} 25
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
msmumcsogb[.]com 20
xoisb[.]com 20
fhcbczook[.]com 20
vkeumq[.]net 20
cuxpehneqok[.]com 20
owirepdi[.]net 20
kmwiwxxhst[.]net 20
scsutgsikbf[.]com 20
hpneu[.]com 20
vsnoaue[.]net 20
nzkmud[.]com 20
zaljqgpthcoh[.]pw 20
sasrqtpipjfa[.]pw 20
aonibtaatpb[.]in 20
klrjxmici[.]pw 20
kvowzwz[.]in 1
wkrpqmneiaq[.]pw 1
stspxcbi[.]pw 1
kunygnck[.]in 1
esqxhtdjfsy[.]net 1
dsnquebpv[.]net 1
kbicwcs[.]com 1
ehigsgoht[.]in 1
meeidu[.]in 1
mofmwfsocpdd[.]com 1
*See JSON for more IOCs
Files and or directories created Occurrences
%ProgramData%\ph 25
%ProgramData%\ph\fktiipx.ftf 25
%TEMP%\gocf.ksv 25
%ProgramData%\<random, matching '[a-z0-9]{3,7}'> 25
%APPDATA%\<random, matching '[a-z0-9]{3,7}'> 25
%LOCALAPPDATA%\<random, matching '[a-z0-9]{3,7}'> 25
%TEMP%\fro.dfx 24
\Documents and Settings\All Users\pxs\pil.ohu 24
%TEMP%\bpnb.skg 3

File Hashes

0350f9f2984dac2a7a6770f5bf5870ad016b95d26feecde54f1dc7f6a7321c29 0b1d7aa06898c58946bad39134dafc13439a5db0e5dc2dc40ee4553dc3d29975 0c01e7d6a858233dd58b8b872e4893742455f50b76abff789ab29e1c483fde68 149b63f40ca4848f1ed92a281b1b4d069b93629062bbc581564c59b8c48b047a 149f0e351809f6cf4ad993a656ff6756dda959a8daee038be2d24fdfc8c8b007 1d813f7e5f17acf6d2181f544c00a9e1a990ed176fb33605f0e017cac91467bd 248e50d7d496167e3846f9093a70d875ad97c8654ae531c00b93c67d52cbb7bd 25c352c873caa5213f0665a9ce58ea7e348d8d203377742c377ede93e8b93cd7 26293d2fa07bbf9ed68c7d241e9b28ca4c644798d8f3fc33ef8616a6f6c74774 2ac299dd30fe2ca31768e34b8c75134dcfbfcff6c3457e6f2ae8385822a496be 2acf8806700ad8c0c6fa22b4fec49b63217c9be39f504feaee7de09e9bf49df8 363144700426ca0fad29bd473528038c1341991a941986eb609b4d5083efbb28 3b9103d8b1ea2bf26c2b8028caf6bdd9e1ad67b0e9db8b3067fd290b38c0c58f 46e04a66e76addea2a565390ee816c56ea118681c360f736ccd220edbbd86864 4c6902db08c7e033540304c254649849f49eebe6d91145d5d45c0fee95e2d80f 4e1bcc088361db93034f59a5b0c96f098def9b8ccd9959157f67e410423b41d7 526358c39c4015b12ae74212615fb4568b056f6b6a79272d71c77cab9f04aae8 68197f9c992f00577f0a25fa16c30f51fb21c4e263108eff26fecc4dc2ad79eb 7208ba495ff3980c1a1bc0221a5734cc27c87ce7c21fb9f4e9047bb46ce95555 819914daa5710e05f7eca95e29810ce75b9debb4d3cc9507c1baa18749d4b96d 83782a979f1f6d2a01c9872135f03ae220a48b405413cd8c149c1d009b4fba5b 86928bb41c2f85970a86fc00d6f8905dec0c90306e49efb5dba681eeca92c038 8c0d83941179966af6df1dc4d0ed5f96930e0df8f071451349ce51497d2d9aa7 8fbc0816bd1df870987de293d24e866ff98ea18fd0f22220556ae974cc4f9f8e 957160926bb20fec0fd05d4f50e41cc263f523616e5c27bb79a4523bdf7b96df
*See JSON for more IOCs

Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection

AMP


ThreatGrid




Win.Packed.Bifrost-7603033-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 25 samples
Mutexes Occurrences
Bif1234 17
0ok3s 11
explore 1
shhhhd 1
run 1
dll 1
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
79[.]210[.]124[.]47 1
50[.]22[.]169[.]26 1
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
hh[.]servecounterstrike[.]com 1
dzalgerdz[.]no-ip[.]org 1
Files and or directories created Occurrences
%ProgramFiles%\Bifrost\server.exe 8
%System32%\Bifrost\server.exe 4
%APPDATA%\addons.dat 3
%SystemRoot%\Bifrost\server.exe 1
%ProgramFiles%\Java\java.exe 1
%ProgramFiles%\ \explorer.exe 1
%System32%\skype\sytem.exe 1
%System32%\drivers\win3r.exe 1
%System32%\system\wimsn.exe 1

File Hashes

03558014784b043450fb11acd7fe1a8a8582f8b663766a8019053c76ef7215c5 08541f2d74b94ca3f90b039d2525340448b71460899b368aa1ee15bfc0d54390 0edb3da0e2cae96a8cffb48f8f5655fd039b01c7d2d79272232202f959d1af6b 13e9c893b0135a03ec67f4dbbb43e59981a35989777eff4477bce63a7fe49727 154e008a36ace894fb97b5e3738cfa0055d0fed2004f67e954c438812d20cc3b 16588e48147f6ef7182fa47399c520c95b559d11e69749027d16f7c6cb127725 26401cc5346770c7023dee159079637155a6292f096bc0fa47cf91b74a927570 29456dcc06e1d342c9d6c6afa5f7a445839853395e5cb624c44f1fd9b5390500 2daced6a63c11b3399b36c23214d73e026cff2907b559c288db2a03e7ca7da57 3159696d5d368ad8d214b668556c8cc8071e7a83331c7812f893af9125de092b 32e9d1f5e0764c7471775247ad0b06680980f9db491b92281de56e93d1594c91 3ee1fa6daec1659e53d238dda830f6c344f65b32ea3c90c9b441a92b5d4b8b78 4d94d1641c75b880e31dbb5948c8727f82858c56480a8ed1832bedebc0cceb1a 54b54ca691dde91cf1f3e1db60eea375ea280d100dc6a5f5ea1c3b39cc4ef7f1 61071881d3e077cbb87783faf73532e7dbca80c3252d1a398d96da0818dacc2a 68fa9c845333388e4f2f44aa79db05c0fc10c91ebcce819f6959feec7a3ccce3 76d71fad336a1082358567a0c5ef949bc4748397ab1258327673c316e1820c84 83f1bd6ff8de246bdf3b8e5a7549f26eed7a5dbcce9156ca12601ff7f7b0db55 8e95da958f0e5beae769d9adf0bd523a4cba0a97abebee99d51642a0c484a193 9620adde046b1ad8291d817e5b06c7eaeda4b5db457e5c5541cfac83806c049d 97dc870dd36389d74e9f77c725f513654c62b7152a5f18387dfb8e6c300e2415 9b8f14dea7b8f6f88606f2451fe8c0e51dd029aa95180e2e08e4f7833405e104 a51c89aa132abce4937e32d57a2d9903e507a89a1c696767164d6a33ce3eb28e b81853affa6b46779eb7024f5bc388ed406d337a1913f4b15788e6e54e969dc1 b8f1c8dcef8270105cae8058740b64dea319f284c20bbcc1a0640b011d6784ea
*See JSON for more IOCs

Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection

AMP


ThreatGrid




Win.Packed.Tofsee-7603095-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 26 samples
Registry Keys Occurrences
<HKU>\.DEFAULT\CONTROL PANEL\BUSES 26
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> 26
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: Type
26
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: Start
26
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: ErrorControl
26
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: DisplayName
26
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: WOW64
26
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: ObjectName
26
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: Description
26
<HKU>\.DEFAULT\CONTROL PANEL\BUSES
Value Name: Config0
26
<HKU>\.DEFAULT\CONTROL PANEL\BUSES
Value Name: Config1
26
<HKU>\.DEFAULT\CONTROL PANEL\BUSES
Value Name: Config3
22
<HKU>\.DEFAULT\CONTROL PANEL\BUSES
Value Name: Config2
22
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: ImagePath
14
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\jcqwvdjy
4
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\haoutbhw
3
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\kdrxwekz
3
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\mftzygmb
3
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\exlrqyet
2
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\buionvbq
2
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\dwkqpxds
2
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\gzntsagv
1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\nguazhnc
1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\zsgmltzo
1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\slzfemsh
1
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
43[.]231[.]4[.]7 26
69[.]55[.]5[.]252 26
85[.]114[.]134[.]88 26
239[.]255[.]255[.]250 22
46[.]4[.]52[.]109 22
192[.]0[.]47[.]59 22
46[.]28[.]66[.]2 22
78[.]31[.]67[.]23 22
188[.]165[.]238[.]150 22
93[.]179[.]69[.]109 22
176[.]9[.]114[.]177 22
12[.]167[.]151[.]116/31 21
172[.]253[.]63[.]94 21
173[.]194[.]204[.]26/31 19
67[.]195[.]204[.]72/30 17
104[.]47[.]54[.]36 16
172[.]217[.]7[.]227 16
157[.]240[.]18[.]174 15
64[.]233[.]186[.]26/31 15
172[.]217[.]197[.]26/31 15
98[.]136[.]96[.]76/31 15
172[.]217[.]7[.]132 15
216[.]239[.]32[.]21 14
216[.]239[.]34[.]21 14
211[.]231[.]108[.]46 14
*See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
microsoft-com[.]mail[.]protection[.]outlook[.]com 26
252[.]5[.]55[.]69[.]in-addr[.]arpa 26
schema[.]org 22
whois[.]iana[.]org 22
whois[.]arin[.]net 22
bestladies[.]cn 22
bestdates[.]cn 22
bestgirlsdates[.]cn 22
252[.]5[.]55[.]69[.]zen[.]spamhaus[.]org 22
252[.]5[.]55[.]69[.]bl[.]spamcop[.]net 22
252[.]5[.]55[.]69[.]sbl-xbl[.]spamhaus[.]org 22
252[.]5[.]55[.]69[.]cbl[.]abuseat[.]org 22
252[.]5[.]55[.]69[.]dnsbl[.]sorbs[.]net 22
hotmail-com[.]olc[.]protection[.]outlook[.]com 21
www[.]google[.]co[.]uk 21
sex-finder4you1[.]com 21
eur[.]olc[.]protection[.]outlook[.]com 19
ipinfo[.]io 18
www[.]google[.]ru 16
auth[.]riotgames[.]com 16
msn-com[.]olc[.]protection[.]outlook[.]com 15
msn[.]com 15
mta6[.]am0[.]yahoodns[.]net 15
hanmail[.]net 14
mx0a-001b2d01[.]pphosted[.]com 14
*See JSON for more IOCs
Files and or directories created Occurrences
%SystemRoot%\SysWOW64\config\systemprofile 26
%SystemRoot%\SysWOW64\config\systemprofile:.repos 26
%TEMP%\<random, matching '[a-z]{8}'>.exe 26
%SystemRoot%\SysWOW64\<random, matching '[a-z]{8}'> 25
%System32%\<random, matching '[a-z]{8}\[a-z]{6,8}'>.exe (copy) 21
%TEMP%\wvlhokp.exe 1
%TEMP%\poeahdi.exe 1

File Hashes

0054ae6df8395634c36f1a99f4b4df3edd3ca28e515b90a3a3eb30e0808bc640 006fe42eaaadf87e7ce537f1c2b2a9930a2cfa8cf5ec44a87c221b3f7ab1f9c1 0232e76cabc4c09b8191691e41ffd0cc2b9f1a88c762128cd179998148a5d111 05279b3deda1fd52dff2cda7700bcf0856584a25ed6f43eb9171ad60b943c081 0875682d36433cb0e7ac2d6fa0e6938189937260e150680b0b97c5c55efe73ac 0890de225e6d85aad88e5f99da81acb5a11148586eb39d02bf0a9fb9daf0525b 0b4fef0e6e222e43c42fed0bbdd300e997f7811a952dc1ff8a01f01500634412 0dbc8d645507f63e94d6d66646bd33c27a5e3b1409941453b6dc85b3fffe6cf8 12e14f7b0a204406116cc09ceea2c1b4d8f08feca9e2d6e7dd12c10916681121 1417719dfd0bc1acfbb76e86b3113759165e66e8e22062f27b173cdb8a7679fa 1426700dc20043556efa4c1c8c269117e1a1d09c7ca991f7bff0f63ba0db91a5 164c4890fff93d7cb73b341c111d911022500ee9da52450f97b2f68f8106fd2c 1997d4dda81bf4b308fbade5e162f5854c384c5e9cf0f7681e0c77ab9a60a772 1e0a9bca0a83e65ecd1a2b5752adf0795abec4109b6b61434d53ba42b393b40c 1e1769e2f970bc0b1c1d5d46ec4922c6de04e86ca5741a5007378ad18574d583 223f7e305d45ea14fb64b89ef9c16389325070c95eae48a30d31b421f3535df6 27bb321ef817b127f2f49c38d65811432dae5d940e32b9fc2d54234cbc63071e 28c25b55f98a02762851825a7c1748f70ed5426fd80431c7bd5dcc6d340b849b 34e436d8a2f7af8dfc8e5e90ba44536983849aa398058de2be70ca8c87d54133 370a67967f9728399e59a6bf28697bef6272e3ecbf1800ec0f0dab7df9961caa 37aa3e2ae08143083f21cbfaf8477d8b2def9bec4e219732387d91c102bb5e0d 3a400bef1869adb2525b641f1f7425fd882a26df1b1533ce56c66729461ab311 3fec44d6ea7f776d9446b54e3acd858af66713177fe216cde91441069c85d9ed 4161ceee9fcc738a00cbddfaba624b29484aab3376a14a9c3539d321e26a14cb 41bdc0e1616182febe37864cff2f7fd011615b33796e5443ef7fad0f497eb924
*See JSON for more IOCs

Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection

AMP


ThreatGrid



Umbrella




Win.Ransomware.Nemty-7603722-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 15 samples
Registry Keys Occurrences
<HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\AUTHROOT\CERTIFICATES\75E0ABB6138512271C04F85FDDDE38E4B7242EFE
Value Name: Blob
6
<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\INTELLIFORMS\STORAGE2 3
<HKLM>\SOFTWARE\WOW6432NODE\MOZILLA\MOZILLA FIREFOX 3
<HKLM>\SOFTWARE\WOW6432NODE\MOZILLA\MOZILLA FIREFOX\20.0.1 (EN-US)\MAIN 3
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS MESSAGING SUBSYSTEM\PROFILES\OUTLOOK\9375CFF0413111D3B88A00104B2A6676 3
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS MESSAGING SUBSYSTEM\PROFILES\OUTLOOK\9375CFF0413111D3B88A00104B2A6676\00000001 3
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS MESSAGING SUBSYSTEM\PROFILES\OUTLOOK\9375CFF0413111D3B88A00104B2A6676\00000002 3
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS MESSAGING SUBSYSTEM\PROFILES\OUTLOOK\9375CFF0413111D3B88A00104B2A6676\00000003 3
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS MESSAGING SUBSYSTEM\PROFILES\OUTLOOK 3
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS MESSAGING SUBSYSTEM\PROFILES\OUTLOOK\0A0D020000000000C000000000000046 3
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS MESSAGING SUBSYSTEM\PROFILES\OUTLOOK\13DBB0C8AA05101A9BB000AA002FC45A 3
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS MESSAGING SUBSYSTEM\PROFILES\OUTLOOK\33FD244257221B4AA4A1D9E6CACF8474 3
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS MESSAGING SUBSYSTEM\PROFILES\OUTLOOK\3517490D76624C419A828607E2A54604 3
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS MESSAGING SUBSYSTEM\PROFILES\OUTLOOK\4C8F4917D8AB2943A2B2D4227B0585BF 3
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS MESSAGING SUBSYSTEM\PROFILES\OUTLOOK\5309EDC19DC6C14CBAD5BA06BDBDABD9 3
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS MESSAGING SUBSYSTEM\PROFILES\OUTLOOK\82FA2A40D311B5469A626349C16CE09B 3
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS MESSAGING SUBSYSTEM\PROFILES\OUTLOOK\8503020000000000C000000000000046 3
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS MESSAGING SUBSYSTEM\PROFILES\OUTLOOK\9207F3E0A3B11019908B08002B2A56C2 3
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS MESSAGING SUBSYSTEM\PROFILES\OUTLOOK\9E71065376EE7F459F30EA2534981B83 3
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS MESSAGING SUBSYSTEM\PROFILES\OUTLOOK\A88F7DCF2E30234E8288283D75A65EFB 3
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS MESSAGING SUBSYSTEM\PROFILES\OUTLOOK\C02EBC5353D9CD11975200AA004AE40E 3
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS MESSAGING SUBSYSTEM\PROFILES\OUTLOOK\D33FC3B19A738142B2FC0C56BD56AD8C 3
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS MESSAGING SUBSYSTEM\PROFILES\OUTLOOK\DDB0922FC50B8D42BE5A821EDE840761 3
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS MESSAGING SUBSYSTEM\PROFILES\OUTLOOK\DF18513432D1694F96E6423201804111 3
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS MESSAGING SUBSYSTEM\PROFILES\OUTLOOK\ECD15244C3E90A4FBD0588A41AB27C55 3
Mutexes Occurrences
8-3503835SZBFHHZ 3
Global\<<BID>>98B68E3C00000000 1
Global\<<BID>>98B68E3C00000001 1
K41BS5D2301JFDHG 1
S-1-5-21-2580483-10603899367670 1
6Q9114S7BUVv1I9Z 1
L157BD647S7vKCZY 1
S-1-5-21-2580483-10602865790989 1
S-1-5-21-2580483-888606054490 1
S-1-5-21-2580483-10602417393080 1
da mne pohui chto tebe tam bol'no... dlya menya veshica i ne bolee... 1
S-1-5-21-2580483-14842513634586 1
S-1-5-21-2580483-1924291306070 1
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
172[.]217[.]7[.]238 5
23[.]20[.]239[.]12 3
172[.]217[.]9[.]193 3
172[.]217[.]7[.]206 3
13[.]107[.]42[.]12/31 3
172[.]217[.]7[.]174 3
170[.]250[.]53[.]240 2
205[.]144[.]171[.]155 1
192[.]0[.]78[.]25 1
184[.]168[.]221[.]66 1
50[.]63[.]202[.]39 1
185[.]230[.]60[.]211 1
146[.]66[.]113[.]187 1
138[.]201[.]168[.]29 1
81[.]19[.]186[.]167 1
3[.]234[.]181[.]234 1
40[.]90[.]22[.]187 1
40[.]90[.]22[.]188 1
23[.]21[.]50[.]37 1
63[.]250[.]41[.]107 1
172[.]217[.]7[.]193 1
104[.]26[.]5[.]15 1
162[.]213[.]253[.]192 1
31[.]220[.]121[.]73 1
103[.]72[.]146[.]121 1
*See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
www[.]hugedomains[.]com 3
securepasswel[.]ru 3
api[.]ipify[.]org 1
data-vocabulary[.]org 1
balancer[.]wixdns[.]net 1
www[.]namebright[.]com 1
miowweb[.]gr 1
api[.]db-ip[.]com 1
doc-0o-28-docs[.]googleusercontent[.]com 1
www[.]somebodydial911[.]com 1
www[.]prefre[.]com 1
www[.]slacktracks[.]info 1
www[.]befitbehealthybeyou[.]com 1
doc-0o-2k-docs[.]googleusercontent[.]com 1
www[.]showshow[.]club 1
www[.]eleumedia[.]com 1
www[.]spiritindosolo[.]com 1
www[.]worstig[.]com 1
www[.]baiyuetongxun[.]com 1
www[.]illuminatiam666[.]world 1
www[.]jackiesj[.]com 1
www[.]vierhimmelsrichtungen[.]com 1
www[.]zlateprase[.]com 1
www[.]wide-saddle[.]com 1
www[.]barayehfarda[.]com 1
*See JSON for more IOCs
Files and or directories created Occurrences
\$Recycle.Bin\<user SID>\$<random, matching '[A-Z0-9]{7}'>.txt 1
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\desktop.ini.id[98B68E3C-2275].[checkcheck07@qq.com].Adame 1
%HOMEPATH%\subfolder1\filename1.exe 1
%HOMEPATH%\subfolder1\filename1.vbs 1
%HOMEPATH%\Subla\Mot1.exe 1
%HOMEPATH%\Subla\Mot1.vbs 1
%HOMEPATH%\ecstas\Toxino7.exe 1
%HOMEPATH%\ecstas\Toxino7.vbs 1
%APPDATA%\NEMTY_U1XTAJZ-DECRYPT.txt 1
%HOMEPATH%\Desktop\NEMTY_U1XTAJZ-DECRYPT.txt 1
%HOMEPATH%\Documents\NEMTY_U1XTAJZ-DECRYPT.txt 1
%HOMEPATH%\Downloads\NEMTY_U1XTAJZ-DECRYPT.txt 1
%HOMEPATH%\Favorites\NEMTY_U1XTAJZ-DECRYPT.txt 1
%HOMEPATH%\Favorites\Windows Live\NEMTY_U1XTAJZ-DECRYPT.txt 1
%HOMEPATH%\Links\NEMTY_U1XTAJZ-DECRYPT.txt 1
%HOMEPATH%\Local Settings\NEMTY_U1XTAJZ-DECRYPT.txt 1
%HOMEPATH%\NEMTY_U1XTAJZ-DECRYPT.txt 1
%HOMEPATH%\NetHood\NEMTY_U1XTAJZ-DECRYPT.txt 1
%HOMEPATH%\PrintHood\NEMTY_U1XTAJZ-DECRYPT.txt 1
%HOMEPATH%\Recent\NEMTY_U1XTAJZ-DECRYPT.txt 1
%HOMEPATH%\Saved Games\NEMTY_U1XTAJZ-DECRYPT.txt 1
%HOMEPATH%\Searches\NEMTY_U1XTAJZ-DECRYPT.txt 1
%HOMEPATH%\SendTo\NEMTY_U1XTAJZ-DECRYPT.txt 1
%HOMEPATH%\Start Menu\NEMTY_U1XTAJZ-DECRYPT.txt 1
%HOMEPATH%\Templates\NEMTY_U1XTAJZ-DECRYPT.txt 1
*See JSON for more IOCs

File Hashes

1d65adf3d53d2e6a7967de17f625d0556f0821958816637c60f76940e4c28520 211c8a29f76ac8521b51ba578764c2c22a18472c4bcc5e19f7e321951243b97c 21264886ed27cea1812b312ff85d2262b72e8af026dc290da8214e1e8960972b 232573e18d3f45b5b9a9abb50e09eb67ffe2e049d63dd602f411d46b02f18f2e 2c2635859e5436830913c41981130ca02b9ff1f91f6149702af84243f42ac225 31dccda43edcd3002ceb8f7cbc68bd749309ba953e592a48da0cf45b8d482d0b 4036eef611df5fafcff1ea69bd37bffb2b0b091b6421100c671aa40b7d807f8a 9ea864bf39f23d4115db192bdddda486c9ac67bd74ac0320900cdb75d048d674 a6421d2ffa3af855b46ccf0c2d9ba0c763ef16f8c80c41a7dc74412e4787217d af8f4b4b4cefaf594499c086483b94a43efc151cfe102f04bdb2451beeda269f b51d82b498581119a661400c90e9dc0b6cb15ba011f0fe55aa2e0bc4b6f64f30 bcaf8b9b2ad9a86c500055a3d4879ab37ecf475dd459a1781e586dbba4f1209c bd4a8ff85771eb162655f05317ec893041abf532b4b1a7313c9d86e0f4ad6bb5 f730d7caf3e44c1429cb7bbabeb2d801c4f49f100c834b26eb4fab8d72528a98 fdbc0107fa0fa6923e0caa39bdbb2e04c72134879ac845ecc6992301d2fc5784

Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection

AMP


ThreatGrid


Umbrella




Win.Trojan.Gh0stRAT-7603864-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 20 samples
Registry Keys Occurrences
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: SelfRunDemo
17
Mutexes Occurrences
127.0.0.1 2
101.200.58.177 2
117.78.50.197 2
112.74.75.143 2
210.222.25.223 1
192.168.99.25 1
118.125.192.112 1
60.190.216.225 1
w1464642840.f3322.org 1
www.cq52.top 1
xiaoxinzadan.gicp.net 1
113.214.1.34 1
69.165.69.98 1
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
103[.]45[.]105[.]244 3
101[.]200[.]58[.]177 2
117[.]78[.]50[.]197 2
112[.]74[.]75[.]143 2
210[.]222[.]25[.]223 1
117[.]168[.]99[.]164 1
118[.]125[.]192[.]112 1
60[.]190[.]216[.]225 1
113[.]214[.]1[.]34 1
69[.]165[.]69[.]98 1
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
ip[.]aa2[.]cn 3
whois[.]aa2[.]cn 2
www[.]1182[.]org 2
site[.]aa2[.]cn 2
beian[.]aa2[.]cn 2
fl[.]aa2[.]cn 2
www[.]aa2[.]cn 2
pr[.]aa2[.]cn 2
link[.]aa2[.]cn 2
www[.]jqgcw[.]com 2

File Hashes

2737d0c8ab41b5bf6abf457fb940b7a4f8f90c7688600a4df87fbdb654623779 550d6397943cd525439a0d62c79459519d29438f1b1fcfddbbf2eb4a48660e63 60d7cae08475fb78cab77e09df43468cc0f6d2f01f847fc7582f56731672b0e8 699d3462c7c71c5bf0ad9c2dfc15faceb7d4858d2d0c341c9e18c27398718a40 8f3642fef8a0f84c1615efd6e3b90e26fcb8907d9a6e4904d2587dacd741932b 9d2c079618d2b3cbaa4c022048da451ecf0148fbae4cf41f8f19c363e9c23736 a9722843aa8d6b1b5a5e5400556c57b9cc31bf5a216bb5b458ce9241e818469d ac0ad4dc0abc6563b1ed7dc14703d2b77dfc606cffe875776c1167a95d6faba8 ac1807117ea4b5221dad637a8891e567849473d15cdfe49856d38877e1463019 b3ca2156cb96fb2d609bcf2b31080884d9a5621a3e1973c5338be746aec8317e b49b9e9f1457c63665a8e58d4f09a4811b0fa7733f650d163b87d686f4326203 b927b88cb9fb216b54b307fbf9d90fe6189af102d6b2b65a6e82ec1ee8cb7d7b c353e7a5e14c1aecae9d044da58c51daa0446118bbda54bc58777e9f39cdbfee cc2f2e01b07ea319cf4d5953bcf96c2c58ec218a4d0090b968291977d2e5b5f3 d43226aa4cba93b5bee9797da90d9a703c209cc8188693f93a603fdb60340063 d8b1847f025c2d48f775099421979c788816a1ea2c527f3c16f28aad1bc12d81 da7cd6233482da9114bf51bd6fb42825d4f4a044c4239a6e267d2134eb21282b e1ce464fd9c93969082c215d2358e6fb3e84e173fdaf36b1b1ddf6918a949109 e333a3c187ceea41f37e91b83dd79b5b6de3d96dfaa4dd76b9f5c9689683206b fede423fee4e77f708b95fb3e6efc2262e333fc295b1576f7f5b3163b053b565

Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

AMP


ThreatGrid




Exploit Prevention

Cisco AMP for Endpoints protects users from a variety of malware functions with exploit prevention. Exploit prevention helps users defend endpoints from memory attacks commonly used by obfuscated malware and exploits. These exploits use certain features to bypass typical anti-virus software, but were blocked by AMP thanks to its advanced scanning capabilities, even protecting against zero-day vulnerabilities.
CVE-2019-0708 detected - (3886)
An attempt to exploit CVE-2019-0708 has been detected. The vulnerability, dubbed BlueKeep, is a heap memory corruption which can be triggered by sending a specially crafted Remote Desktop Protocol (RDP) request. Since this vulnerability can be triggered without authentication and allows remote code execution, it can be used by worms to spread automatically without human interaction.
Process hollowing detected - (189)
Process hollowing is a technique used by some programs to avoid static analysis. In typical usage, a process is started and its obfuscated or encrypted contents are unpacked into memory. The parent then manually sets up the first stages of launching a child process, but before launching it, the memory is cleared and filled in with the memory from the parent instead.
Gamarue malware detected - (120)
Gamarue is a family of malware that can download files and steal information from an infected system. Worm variants of the Gamarue family may spread by infecting USB drives or portable hard disks that have been plugged into a compromised system.
Excessively long PowerShell command detected - (117)
A PowerShell command with a very long command line argument that may indicate an obfuscated script has been detected. PowerShell is an extensible Windows scripting language present on all versions of Windows. Malware authors use PowerShell in an attempt to evade security software or other monitoring that is not tuned to detect PowerShell based threats.
Installcore adware detected - (95)
Install core is an installer which bundles legitimate applications with offers for additional third-party applications that may be unwanted. The unwanted applications are often adware that display advertising in the form of popups or by injecting into browsers and adding or altering advertisements on webpages. Adware is known to sometimes download and install malware.
Kovter injection detected - (73)
A process was injected into, most likely by an existing Kovter infection. Kovter is a click fraud Trojan that can also act as an information stealer. Kovter is also file-less malware meaning the malicious DLL is stored inside Windows registry and injected directly into memory using PowerShell. It can detect and report the usage of monitoring software such as wireshark and sandboxes to its C2. It spreads through malicious advertising and spam campaigns.
Dealply adware detected - (59)
DealPly is adware, which claims to improve your online shopping experience. It is often bundled into other legitimate installers and is difficult to uninstall. It creates pop-up advertisements and injects advertisements on webpages. Adware has also been known to download and install malware.
Fusion adware detected - (13)
Fusion (or FusionPlayer) is an adware family that displays unwanted advertising in the form of popups or by injecting into browsers and altering advertisements on webpages. Adware is known to sometimes download and install malware.
Corebot malware detected - (12)
Corebot is a Trojan with many capabilities found in other prominent families. It features a plugin system to enable it to load a variety of features from the C&C server at any time. Known plugins include RAT capabilities such as taking desktop screenshots, as well as being able to intercept and modify browser communications and steal data, especially data related to banking.
A Microsoft Office process has started a windows utility. - (10)
A process associated with Microsoft Office, such as EXCEL.exe or WINWORD.exe, has started a Windows utility such as powershell.exe or cmd.exe. This is typical behavior of malicious documents executing additional scripts. This behavior is extremely suspicious and is associated with many malware different malware campaigns and families.

No comments:

Post a Comment