Friday, July 24, 2020

Threat Roundup for July 17 to July 24


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between July 17 and July 24. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. A visual depiction of the MITRE ATT&CK techniques associated with each threat is also shown. In these images, the brightness of the technique indicates how prevalent it is across all threat files where dynamic analysis was conducted. There are five distinct shades that are used, with the darkest indicating that no files exhibited technique behavior and the brightest indicating that technique behavior was observed from 75 percent or more of the files.

The most prevalent threats highlighted in this roundup are:
Threat Name Type Description
Win.Dropper.Formbook-8866958-0 Dropper Formbook is an information stealer that attempts to collect sensitive information from an infected machine by logging keystrokes, stealing saved web browser credentials, and monitoring information copied to the clipboard.
Win.Dropper.Tofsee-8964103-0 Dropper Tofsee is multi-purpose malware that features a number of modules used to carry out various activities such as sending spam messages, conducting click fraud, mining cryptocurrency, and more. Infected systems become part of the Tofsee spam botnet and are used to send large volumes of spam messages in an effort to infect additional systems and increase the overall size of the botnet under the operator's control.
Win.Worm.Socks-8977376-0 Worm Socks is a generic worm that spreads itself via autorun.inf files and downloads follow-on malware to infected systems.
Win.Dropper.HawkEye-8997282-0 Dropper HawkEye is an information-stealing malware that specifically targets usernames and passwords stored by web browsers and mail clients on an infected machine. It is commonly spread via email and can also propagate through removable media.
Win.Dropper.Ramnit-8988791-0 Dropper Ramnit is a banking trojan that monitors web browser activity on an infected machine and collects login information from financial websites. It also has the ability to steal browser cookies and attempts to hide from popular antivirus software.
Win.Malware.Cryptbot-8991879-1 Malware Cryptbot is an information-stealing trojan that attempts to siphon passwords and other credentials on an infected machine. It typically masquerades as legitimate software to trick users into installing it.

Threat Breakdown

Win.Dropper.Formbook-8866958-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 26 samples
Registry Keys Occurrences
<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\INTELLIFORMS\STORAGE2 26
<HKLM>\SOFTWARE\WOW6432NODE\MOZILLA\MOZILLA FIREFOX 26
<HKLM>\SOFTWARE\WOW6432NODE\MOZILLA\MOZILLA FIREFOX\20.0.1 (EN-US)\MAIN 26
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS MESSAGING SUBSYSTEM\PROFILES\OUTLOOK\9375CFF0413111D3B88A00104B2A6676 26
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS MESSAGING SUBSYSTEM\PROFILES\OUTLOOK\9375CFF0413111D3B88A00104B2A6676\00000001 26
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS MESSAGING SUBSYSTEM\PROFILES\OUTLOOK\9375CFF0413111D3B88A00104B2A6676\00000002 26
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS MESSAGING SUBSYSTEM\PROFILES\OUTLOOK\9375CFF0413111D3B88A00104B2A6676\00000003 26
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS MESSAGING SUBSYSTEM\PROFILES\OUTLOOK 26
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS MESSAGING SUBSYSTEM\PROFILES\OUTLOOK\0A0D020000000000C000000000000046 26
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS MESSAGING SUBSYSTEM\PROFILES\OUTLOOK\13DBB0C8AA05101A9BB000AA002FC45A 26
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS MESSAGING SUBSYSTEM\PROFILES\OUTLOOK\33FD244257221B4AA4A1D9E6CACF8474 26
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS MESSAGING SUBSYSTEM\PROFILES\OUTLOOK\3517490D76624C419A828607E2A54604 26
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS MESSAGING SUBSYSTEM\PROFILES\OUTLOOK\4C8F4917D8AB2943A2B2D4227B0585BF 26
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS MESSAGING SUBSYSTEM\PROFILES\OUTLOOK\5309EDC19DC6C14CBAD5BA06BDBDABD9 26
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS MESSAGING SUBSYSTEM\PROFILES\OUTLOOK\82FA2A40D311B5469A626349C16CE09B 26
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS MESSAGING SUBSYSTEM\PROFILES\OUTLOOK\8503020000000000C000000000000046 26
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS MESSAGING SUBSYSTEM\PROFILES\OUTLOOK\9207F3E0A3B11019908B08002B2A56C2 26
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS MESSAGING SUBSYSTEM\PROFILES\OUTLOOK\9E71065376EE7F459F30EA2534981B83 26
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS MESSAGING SUBSYSTEM\PROFILES\OUTLOOK\A88F7DCF2E30234E8288283D75A65EFB 26
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS MESSAGING SUBSYSTEM\PROFILES\OUTLOOK\C02EBC5353D9CD11975200AA004AE40E 26
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS MESSAGING SUBSYSTEM\PROFILES\OUTLOOK\D33FC3B19A738142B2FC0C56BD56AD8C 26
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS MESSAGING SUBSYSTEM\PROFILES\OUTLOOK\DDB0922FC50B8D42BE5A821EDE840761 26
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS MESSAGING SUBSYSTEM\PROFILES\OUTLOOK\DF18513432D1694F96E6423201804111 26
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS MESSAGING SUBSYSTEM\PROFILES\OUTLOOK\ECD15244C3E90A4FBD0588A41AB27C55 26
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS MESSAGING SUBSYSTEM\PROFILES\OUTLOOK\F86ED2903A4A11CFB57E524153480001 26
Mutexes Occurrences
8-3503835SZBFHHZ 26
8PL479TAXGU0FHAZ 26
S-1-5-21-2580483-10283421113525 24
S-1-5-21-2580483-15841774155802 5
S-1-5-21-2580483-17201774155802 4
S-1-5-21-2580483-19521774155802 3
S-1-5-21-2580483-17841774155802 2
S-1-5-21-2580483-20401774155802 2
S-1-5-21-2580483-19161774155802 2
S-1-5-21-2580483-6361774155802 2
S-1-5-21-2580483-19321774155802 2
S-1-5-21-2580483-17081774155802 1
S-1-5-21-2580483-12601774155802 1
S-1-5-21-2580483-3281774155802 1
S-1-5-21-2580483-7241774155802 1
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
63[.]250[.]47[.]83 23
34[.]102[.]136[.]180 11
194[.]36[.]166[.]10 10
184[.]168[.]131[.]241 8
199[.]59[.]242[.]153 8
51[.]75[.]108[.]121 8
13[.]52[.]160[.]194 7
185[.]230[.]60[.]96 6
89[.]46[.]105[.]38 5
193[.]46[.]197[.]109 5
151[.]101[.]192[.]119 5
141[.]8[.]225[.]75 4
23[.]20[.]239[.]12 4
66[.]235[.]200[.]3 4
162[.]241[.]244[.]34 4
210[.]224[.]185[.]225 4
23[.]234[.]27[.]100 4
86[.]104[.]44[.]39 4
198[.]54[.]117[.]210/31 3
23[.]231[.]239[.]10 3
104[.]27[.]174[.]249 3
204[.]79[.]197[.]200 2
185[.]230[.]60[.]211 2
198[.]49[.]23[.]144/31 2
209[.]17[.]116[.]160 2
*See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
www[.]glamotd[.]com 23
api[.]w[.]org 12
gmpg[.]org 12
www[.]astonfly[.]info 10
www[.]theclippersofficial[.]com 10
www[.]stoxcrypto[.]com 10
www[.]novaeramotoboysportoalegre[.]com 9
www[.]intera-canada[.]com 9
www[.]fristcreditunion[.]com 8
www[.]mysticadventuresails[.]com 8
browsehappy[.]com 7
www[.]startboostcapital[.]com 7
www[.]methvenonthemove[.]com 7
www[.]joshkaeding[.]com 7
www[.]cloudyans[.]com 7
www[.]gtitdunproductions[.]com 6
www[.]annualtransmission[.]technology 6
www[.]theedgebizconnect[.]com 6
www[.]myweddingbeautiful[.]com 6
www[.]pepper[.]guide 6
www[.]q83pfq[.]biz 6
www[.]azasianow[.]com 6
www[.]xnyppw[.]com 6
www[.]mannionexpertseniorcare[.]com 6
www[.]www750456[.]com 6
*See JSON for more IOCs
Files and or directories created Occurrences
%LOCALAPPDATA%\Microsoft\Windows\WebCache\WebCacheV01.tmp 26
%APPDATA%\8PL479TA 26
%APPDATA%\8PL479TA\8PLlog.ini 26
%APPDATA%\8PL479TA\8PLlogim.jpeg 26
%APPDATA%\8PL479TA\8PLlogrc.ini 26
%APPDATA%\8PL479TA\8PLlogri.ini 26
%APPDATA%\8PL479TA\8PLlogrv.ini 26
%TEMP%\DB1 24
%APPDATA%\8PL479TA\8PLlogrf.ini 24
%APPDATA%\8PL479TA\8PLlogrg.ini 24
%TEMP%\Kwnuxv4rh 2
%TEMP%\Kwnuxv4rh\certmgrg0h.exe 1
%ProgramFiles(x86)%\Mox4\taskhost1b5x.exe 1
%TEMP%\Mox4\taskhost1b5x.exe 1
%ProgramFiles(x86)%\Hylu8\updatebbp.exe 1
%TEMP%\Hylu8\updatebbp.exe 1
%ProgramFiles(x86)%\Byjop\confignnul.exe 1
%TEMP%\Byjop\confignnul.exe 1
%ProgramFiles(x86)%\D_nu0\wincx58f.exe 1
%TEMP%\D_nu0\wincx58f.exe 1
%ProgramFiles(x86)%\Tpjst4zi\configzxqlgb.exe 1
%TEMP%\Tpjst4zi\configzxqlgb.exe 1
%ProgramFiles(x86)%\Kwnuxv4rh\servicesg0h.exe 1
%TEMP%\Kwnuxv4rh\servicesg0h.exe 1
%ProgramFiles(x86)%\Xdbcpkzi\gdijv1hb.exe 1
*See JSON for more IOCs

File Hashes

00a0094d11c7ce21216f479dbc3b37df812f46eecb7a8baa10dceeff8b7fc864 0d1259096242c800bb9b2b5dd036582036685e83b6d9347b7ed9df522be20805 0e6172900041e5025a6001500f9aa12998b8dd75641f6f7950a21c8e0fb516b3 1361c2b2d05259699ae35fbadb6f6e3083b2c375fd2f6f64caff31651b2321ba 15bd77b74ca028f72d350e87f18062d63eb6fee6aec65775f5e24862cef225d1 2ad3d8e923074c817424cbaaa4472ea3b8e47b4fd675b78a9d4b0b352fbf35b6 39458342b048fc5370f6067fdbd643389e4224ce975b823666ca1e85da787312 3c05af41a392ad8969df9d9e20d2a9f01efc8e46ac605872cdee2ef708b7be60 3c63a1e1d5b46b6bd9dfb2c51bb08b6adccf0d15b84251c3e4ddbc05c7e6be9d 3fad736a2fc7451753a963916f4e4905b24b513254e53f63e6c036f080cb10b1 402b4871f364293d14b55f5cfe75aa0e4d76c38d480d83877c2be96724678686 4281e69f6ac697ad7387167118c6d9a8a6fc347df56fe19d11535c61a3040f9c 5e1c2460cd6027332f8db798a30501aa899379f67136189f6fec75cbb376925f 638bb5dc4d10ed89a33b8fa09d058a0b9e28dfac6795b91b73dc0d1abd93dfde 72e72e8daaf16cf30e2526304f288e1cbb43c3ec8be3b8614bd7775e72762a24 7342ca1d5c98e486168bd2dab2f638770015a36e79c7268072c1ea15bd1ac64d 855deaea6afba9dc1e12a95a5f7f6e59a678369332d269c4d65d457c18b77ee2 943f26c1fdebfaf93bbf41209c930911a2560338858602ed5947fe507b5514e2 aec0796263f2a23f0f6d2350ef57cd3ffc633f46be9f4bb20e17b749e701370b b65cdfbd27bdf43688145b400a28fe90cd85682a6860907f5c727c763d8e6ebe cff693dfc81698f2f5f2fa9c14fd0ce225a417e72dbdaf8a9c5c81701d81a75d d4277a4c78adcc0813346bf30d61e9b8f27c0b8448db0f38cb024d79d74afbf6 d63470edb6e570d779a965d33fcb6bbf5115912e8942752f5d4bc3156933f93c db93564a03edf3774d2d9f33df9a2dc76e3d8b235e631907fc8f425e2d055b0b f5a3917eda90a6b22edd559c5db6112cfb7039f300071145fe4cbe8dbd1f8e36
*See JSON for more IOCs

Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection

AMP


ThreatGrid


MITRE ATT&CK




Win.Dropper.Tofsee-8964103-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 35 samples
Registry Keys Occurrences
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> 25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: Type
25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: Start
25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: ErrorControl
25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: DisplayName
25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: WOW64
25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: ImagePath
22
<HKU>\.DEFAULT\CONTROL PANEL\BUSES 20
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: ObjectName
20
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: Description
20
<HKU>\.DEFAULT\CONTROL PANEL\BUSES
Value Name: Config2
20
<HKCU>\SOFTWARE\MICROSOFT\A1890984
Value Name: PatchTime
5
<HKCU>\SOFTWARE\MICROSOFT\A1890984
Value Name: PGDSE
5
<HKCU>\SOFTWARE\MICROSOFT\A1890984
Value Name: GPU
5
<HKCU>\SOFTWARE\MICROSOFT\A1890984
Value Name: Servers
5
<HKCU>\SOFTWARE\MICROSOFT\A1890984
Value Name: CDN
5
Mutexes Occurrences
(null)\69884752-95BE-4032-8AF1-B300F0E2CB97-Mutex 7
Global\SetupLog 5
Global\WdsSetupLogInit 5
Global\h48yorbq6rm87zot 5
Global\Mp6c3Ygukx29GbDk 5
Global\ewzy5hgt3x5sof4v 5
Global\xmrigMUTEX31337 5
WininetConnectionMutex 5
1dc907539dc8fc57e6b3cbf1a276ccce 5
Global\1dc907539dc8fc57e6b3cbf1a276ccce 5
25ba6ebb3e470993540ebc62e98a51e2 5
Global\25ba6ebb3e470993540ebc62e98a51e2 5
<random, matching [a-zA-Z0-9]{5,9}> 5
\Sessions\1\BaseNamedObjects\Global\h48yorbq6rm87zot 4
FstCNMutex 3
GJLAAZGJI156R 3
I-103-139-900557 3
J8OSEXAZLIYSQ8J 3
LXCV0IMGIXS0RTA1 3
MKS8IUMZ13NOZ 3
OLZTR-AFHK11 3
OPLXSDF19WRQ 3
PLAX7FASCI8AMNA 3
RGT70AXCNUUD3 3
TEKL1AFHJ3 3
*See JSON for more IOCs
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
239[.]255[.]255[.]250 20
43[.]231[.]4[.]7 20
69[.]55[.]5[.]252 20
85[.]114[.]134[.]88 20
217[.]172[.]179[.]54 20
5[.]9[.]72[.]48 20
130[.]0[.]232[.]208 20
144[.]76[.]108[.]82 20
185[.]253[.]217[.]20 20
45[.]90[.]34[.]87 20
157[.]240[.]18[.]174 16
104[.]47[.]54[.]36 13
83[.]151[.]238[.]37 13
209[.]85[.]201[.]104/31 12
12[.]167[.]151[.]119 11
99[.]181[.]79[.]1 9
209[.]85[.]201[.]99 9
34[.]205[.]21[.]41 9
172[.]253[.]122[.]104/31 9
209[.]85[.]201[.]147 8
209[.]85[.]201[.]103 8
104[.]47[.]53[.]36 7
209[.]85[.]201[.]106 7
216[.]239[.]32[.]21 6
66[.]171[.]248[.]178 6
*See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
microsoft-com[.]mail[.]protection[.]outlook[.]com 20
252[.]5[.]55[.]69[.]zen[.]spamhaus[.]org 20
252[.]5[.]55[.]69[.]in-addr[.]arpa 20
252[.]5[.]55[.]69[.]bl[.]spamcop[.]net 20
252[.]5[.]55[.]69[.]sbl-xbl[.]spamhaus[.]org 20
252[.]5[.]55[.]69[.]cbl[.]abuseat[.]org 20
252[.]5[.]55[.]69[.]dnsbl[.]sorbs[.]net 20
schema[.]org 12
119[.]151[.]167[.]12[.]in-addr[.]arpa 11
ip05[.]gntl[.]co[.]uk 11
tube[.]pool[.]gntl[.]co[.]uk 11
video-weaver[.]hel01[.]hls[.]ttvnw[.]net 9
auth[.]api[.]np[.]ac[.]playstation[.]net 8
lh3[.]googleusercontent[.]com 6
vsblobprodscussu5shard60[.]blob[.]core[.]windows[.]net 5
vsblobprodscussu5shard35[.]blob[.]core[.]windows[.]net 5
www[.]sendspace[.]com 5
api[.]sendspace[.]com 5
gfixprice[.]space 5
ordinarygame[.]site 5
s2[.]ipinfo[.]pw 5
iv0001-npxs01001-00[.]auth[.]np[.]ac[.]playstation[.]net 4
www[.]google[.]com[.]au 4
e6355[.]b[.]akamaiedge[.]net 4
ip[.]pr-cy[.]hacklix[.]com 4
*See JSON for more IOCs
Files and or directories created Occurrences
\Device\ConDrv 22
%SystemRoot%\SysWOW64\config\systemprofile 20
%SystemRoot%\SysWOW64\config\systemprofile:.repos 20
%SystemRoot%\SysWOW64\<random, matching '[a-z]{8}'> 20
%System32%\config\systemprofile:.repos 20
%TEMP%\<random, matching '[a-z]{8}'>.exe 20
%System32%\<random, matching '[a-z]{8}\[a-z]{6,8}'>.exe (copy) 18
%LOCALAPPDATA%\Microsoft\Windows\WebCache\WebCacheV01.tmp 7
%SystemRoot%\Logs\CBS\CBS.log 5
%SystemRoot%\rss 5
%SystemRoot%\rss\csrss.exe 5
%TEMP%\csrss 5
%TEMP%\csrss\dsefix.exe 5
%TEMP%\csrss\patch.exe 5
%System32%\drivers\Winmon.sys 5
%System32%\drivers\WinmonFS.sys 5
%System32%\drivers\WinmonProcessMonitor.sys 5
%SystemRoot%\windefender.exe 5
%TEMP%\Symbols 5
%TEMP%\Symbols\ntkrnlmp.pdb 5
%TEMP%\Symbols\ntkrnlmp.pdb\9E22A5947A15489895CE716436B45BE02 5
%TEMP%\Symbols\ntkrnlmp.pdb\9E22A5947A15489895CE716436B45BE02\download.error 5
%TEMP%\Symbols\pingme.txt 5
%TEMP%\Symbols\winload_prod.pdb 5
%TEMP%\Symbols\winload_prod.pdb\B7B16B17E078406E806A050C8BEE2E361 5
*See JSON for more IOCs

File Hashes

048fa8555de0792fc219580672e896ea3945de1f90f09910a3166e307825edc0 08d57e06535cd452f061aff0eefd2dc8ea88ce60630fca365efbc95a5eee8007 08ecec4c732190e56000173c05210bfa300053916246d3a3f11ad10965260b14 0cdec5533004f71f78b19346292438aae43ba146e3152982a8b21783d466f74e 11416b9fce27d1d0a11ba8ceb4fa0132861c2a050fccff4b3a64b0278c016576 3f8a044ff54c10f96ac46ba48203fe4aa6e9a6b4ee2b81ec5fd8611c215efb48 4141cfb28e05e048e10924157ba8daf94c858dc2d5207d04a6792a961a78c80b 4acb44a8ba011dc5aed1ab037506c51cb943fb722bd682dce35020ac03b9f07d 4e2a6d003590bbdbde4f912aa9bf0f0450e3e68a241d1f29c7259b003580eaf6 4efc60638df5e3c46aa8de0bfa3d9677898c4bf705a9c0eec36183a271662876 59f0d8b3450d9caa89f1b3954587c5a1986375f867dd16709a2309293e30f09a 6a5624f3bac8dea8ba1e75d7a0b3cfffe08ff68fce1ca335e435492c654b9f87 7a91c94a0161eb50cad7446f42e96d4f3c6c43ad2ed9bec4af3817184dd2c106 83db79b4a01382653496ed19fe36f0d8dcdbb4b0c58b22a751806c161f8bfe9f 8f3e31759ed8a358d0706dbb59cbc3f984e14b122cf2d284572e535c885115e7 96f5ecab2a4f688eb3062a507f771dd9a548cdb06b804c1f0d94587cf3a3dafb 978b002cb763f1c52cbc776f2f12a630fedf86682edebfebeeec20f00ceea781 9dbe3b532d0d4b1ae06ee92a8ae4d0e344f0c088502508a270769d2ebdbe8a2d aa8b89d47a629c5939047f0b3bb0c220e7d5bcdfa5f76b2ee5a62d586257c3ca b03458e88ffc5f4cbd998284d2eabcbb815b47c309c7aefef1fe45695f387dbb be2c8e761c1f27e139e9abeae0a8fc3fbeda1e5598b354f2390f182a7f08ea45 ced17b2923a4007955d26395bb1a53d0dafe27900f72e94489c492ac22d7d173 cfc1d5b68437f46c72dc2dbf9aa12322307e066dbc3bc74d49750fe75c830eab d0eea3587e65ee8925d44b5add80fcca787608e1902a6250139c3145e21b103a d49281327943efe38097e5ba85a483d15478488cf13ffabc8c6ffab30b66b00a
*See JSON for more IOCs

Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection

AMP


ThreatGrid


MITRE ATT&CK




Win.Worm.Socks-8977376-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 218 samples
Registry Keys Occurrences
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: ntuser
218
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SCHEDULE
Value Name: ImagePath
218
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: ntuser
218
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: autoload
218
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: autoload
218
Mutexes Occurrences
z111xc 218
z3sd 218
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
23[.]20[.]239[.]12 218
204[.]79[.]197[.]200 2
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
fewfwe[.]com 218
www[.]hugedomains[.]com 203
Files and or directories created Occurrences
%SystemRoot%\SysWOW64\drivers\spools.exe 218
%LOCALAPPDATA%\Microsoft\Windows\WebCache\WebCacheV01.tmp 218
%HOMEPATH%\Local Settings\Application Data\cftmon.exe 218
%HOMEPATH%\ftpdll.dll 218
%SystemRoot%\SysWOW64\ftpdll.dll 218
%LOCALAPPDATA%\cftmon.exe 218
%SystemRoot%\SERVIC~2\Local Settings\AppData\Local\Temp\MpCmdRun.log 21

File Hashes

001957ffcab5266760b3557afa7a077d8b166354deb1c0a44bcb264a51a7fd5a 00ad3bc9ef01f7062fdd56c88455cc424e0d628a60af7c828818210f75e87ab8 03d3565ffb95c782d784799dc25fabaa40305656bd4ac8eaec8e9755b53e3db9 03d70bae1fed6adc499a2039b0c2a54f319f1418b22dcf0eb83e3899e84eb272 04c5d2c156f483aaeb8b7f139a820fe44a865561d2e72e349a6db382935b11af 057d3d93f01f47d7dfb6929d228b326dde57cd93f792eb2a3f8f05a79095fa27 06fafb59c893ec6f4e54605d4a0ab8d18b650ba9bd673c01b0185234247756e6 08855770401430c9cd45ddcfffed68d3a6d3998f6f1e9ba72a6383f76a4e1c0b 09061b24f2719f33ee7070dc2558ba0660b9296b1f62bcfe3896743d73ba6798 098bb8c5041ca9a7b3d2d7847ad6f04ab4d7a487a33993eea919fa7158552bf6 0aae1649239311b00fff8b50d3a93f31ded9a3e003d22d94c6644239d6b65854 0e30ad29a435dd37ae615a090f7517f1a41c01af8c52e8573a7c62256b19d5eb 0ec334ca11c86430dc8926cf88370624f2056fa33d4d7875a02d8b20951a4ecd 0f5d29b145207fa49116f998b7f38feda1adebeebb9b9d3176179ff5b591440e 10a173525f1891752207500e31969d70b9b3aba4fac5ae9a9b4bb0186081cad9 10f8ffc5b80c5b1054240fe2141133616d9886a7476348618ccfbaf36bde6384 11672fcb6691791d1e01b6ee3c2898dc1278b8cc5f000f45b9dd4b51400c432a 11b78d58598364f15f7002940c580bf4fb14cbbcd38184be12ce934e4c062f9d 12fdd75830bda17cbbc7897b592e315df8844d5b1036d5d7a940f87951c1e5c9 132cbbb6f60b13ae62af80331061c2e9015e27e0bcbf38e76ebe77bbc9bd989f 133088aebb720a8334fcd037f29c55b40dbcd3c7e9fe16ed4e15aa1900837fc0 14b6f8d982557eb3e9a371b78f61795a3309fd6704116d84aae331dc2f2b442c 14e36b503e2f1709d488d52870fedacfb8658748e44def4a594127ac6ead0bf3 160a1061f5044d3345a9bb7dd7b52a904a212e8c54d0fd1d3a052f85632bed26 16f9d844fad95b50705ff36039e4d3c1458302acdd815ff90af90e95d9eea2b1
*See JSON for more IOCs

Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

AMP


ThreatGrid


MITRE ATT&CK




Win.Dropper.HawkEye-8997282-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 10 samples
Registry Keys Occurrences
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED
Value Name: Hidden
7
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: Registry Key Name
3
<HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\AUTHROOT\CERTIFICATES\75E0ABB6138512271C04F85FDDDE38E4B7242EFE
Value Name: Blob
2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Windows Update
1
Mutexes Occurrences
Local\https://docs.microsoft.com/ 2
Global\bbccd540-cb7c-11ea-887e-00501e3ae7b6 1
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
104[.]16[.]154[.]36 5
77[.]88[.]21[.]158 5
204[.]79[.]197[.]200 3
13[.]107[.]21[.]200 2
104[.]16[.]155[.]36 2
151[.]101[.]0[.]133 2
151[.]101[.]130[.]217 2
152[.]199[.]4[.]33 2
65[.]55[.]44[.]109 2
20[.]36[.]253[.]92 2
151[.]101[.]192[.]133 2
23[.]5[.]230[.]228 2
172[.]217[.]2[.]110 2
23[.]217[.]148[.]78 2
94[.]100[.]180[.]160 1
140[.]82[.]113[.]4 1
34[.]232[.]187[.]93 1
34[.]226[.]71[.]106 1
140[.]82[.]112[.]4 1
172[.]253[.]63[.]155 1
172[.]253[.]63[.]157 1
136[.]143[.]182[.]56 1
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
whatismyipaddress[.]com 7
smtp[.]yandex[.]com 5
prooemiac 3
schema[.]org 2
www[.]google-analytics[.]com 2
stats[.]g[.]doubleclick[.]net 2
github[.]com 2
avatars1[.]githubusercontent[.]com 2
az725175[.]vo[.]msecnd[.]net 2
aka[.]ms 2
avatars3[.]githubusercontent[.]com 2
developercommunity[.]visualstudio[.]com 2
cdn[.]speedcurve[.]com 2
w[.]usabilla[.]com 2
smtp[.]zoho[.]com 1
smtp[.]mail[.]ru 1
naszut4 1
spouter7 1
tonle 1
inseparable 1
overdignify 1
rafiq8 1
jovenes3 1
Files and or directories created Occurrences
%APPDATA%\pid.txt 7
%APPDATA%\pidloc.txt 7
%TEMP%\holdermail.txt 7
%TEMP%\holderwb.txt 7
\Sys.exe 5
\autorun.inf 5
E:\autorun.inf 5
%TEMP%\SysInfo.txt 5
%APPDATA%\Windows Update.exe 5
E:\Sys.exe 5
%TEMP%\subfolder 3
%TEMP%\subfolder\filename.exe 3
%TEMP%\subfolder\filename.vbs 3
%LOCALAPPDATA%\Microsoft\Windows\WebCache\WebCacheV01.tmp 3
%APPDATA%\WindowsUpdate.exe 1

File Hashes

0d4e850f6a4dfa6dc74f8770d6293c37a2a1df3bcf8bbac8ed5eebd7041cdf2e 4496ce4c4eb7baa7ba7cac5a30d632db25143d89462ee4a885fbaf3752caec8d 5983ce394d98d07d267d563496f4d444eaeb17e5fd9d2dd517b92145598d27ec 5c2d0070ab7f93ddee20bbb6f38e60d994bcc3e256658c31a6ce8a033767a81e 7d8dafc1e315b3adf788763ad0792e1c6e3cc0925f80b5bde41509858470b432 88f75d07e5f0b4f18651380e891d02b4980de66351c97a7bd766a9e6065452d8 93b1a9aa9be7e72eaed6ba8de581f9e73020fe70f021912e2e3ec956bd5171d9 94a3fbed738a7683435d72e0082c6c56a8472fb289ecda7e93055d69fb7f0117 dcab4d6f0691ce5b507470e879ffb9abfbe4039a52ebe0f4d5293e901c53e458 f264c1d4f641bb0063a6760ac36dcf6df08f01398bdf013e70ce14bfeea0322e

Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

AMP


ThreatGrid


MITRE ATT&CK




Win.Dropper.Ramnit-8988791-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 23 samples
Registry Keys Occurrences
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: AntiVirusOverride
8
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: AntiVirusDisableNotify
8
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: FirewallDisableNotify
8
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: FirewallOverride
8
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: UpdatesDisableNotify
8
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: UacDisableNotify
8
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM
Value Name: EnableLUA
8
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE
Value Name: EnableFirewall
8
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE
Value Name: DoNotAllowExceptions
8
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE
Value Name: DisableNotifications
8
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC
Value Name: Start
8
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDEFEND
Value Name: Start
8
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MPSSVC
Value Name: Start
8
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION
Value Name: jfghdug_ooetvtgk
8
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: JudCsgdy
8
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WUAUSERV
Value Name: Start
8
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Windows Defender
8
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
Value Name: Userinit
8
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
Value Name: Userinit
8
<HKU>\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\66\52C64B7E
Value Name: LanguageList
4
<HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\AUTHROOT\CERTIFICATES\75E0ABB6138512271C04F85FDDDE38E4B7242EFE
Value Name: Blob
3
<HKCU>\Software\Microsoft\<random, matching '[A-Z][a-z]{3,11}'> 3
<HKCU>\SOFTWARE\MICROSOFT\IAM
Value Name: Server ID
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: aclutxml
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: parent.exe
1
Mutexes Occurrences
\x7774\x616f\x766b\x6b62\x6866\x626b 23
{7930D12C-1D38-EB63-89CF-4C8161B79ED4} 8
Frz_State 3
Sandboxie_SingleInstanceMutex_Control 3
df7689e6-c49f-4a86-82e8-6809a406872a 3
<32 random hex characters> 3
Local\{31F7CC8D-DC06-8BF4-6EF5-D0EF82F90493} 1
Local\{73A713E4-3646-1D08-D857-CAA18C7B9E65} 1
Local\{C955B29C-9464-E306-E60D-08C77A91BCEB} 1
{FECD2115-459D-E06D-BF12-491463668D88} 1
{3686B563-1D48-D82A-57CA-A18C7B9E6580} 1
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
172[.]217[.]7[.]174 10
208[.]100[.]26[.]245 8
35[.]225[.]160[.]245 7
72[.]26[.]218[.]70 7
217[.]20[.]116[.]137 6
195[.]201[.]179[.]192 6
37[.]220[.]31[.]41 3
195[.]201[.]179[.]207 2
208[.]67[.]222[.]222 1
217[.]20[.]116[.]138 1
217[.]20[.]116[.]140 1
172[.]217[.]7[.]142 1
80[.]211[.]164[.]74 1
176[.]53[.]118[.]122 1
3[.]18[.]65[.]24 1
139[.]59[.]85[.]151 1
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
lpkdvolbaca[.]com 6
uaseqxra[.]com 6
pdfueilv[.]com 6
fxejmhvyijoyxjcmly[.]com 6
jqibggawcw[.]com 6
wpaaihqbubcnmmrs[.]com 6
jxrlpxdwnpc[.]com 6
wsajnxcqredi[.]com 6
fajsnjrkxqdnuecblmg[.]com 6
dqbbdvdqayfhvvv[.]com 6
bvvimdtiuuceto[.]com 6
wsmkwcyfetd[.]com 6
mheaamwwb[.]com 6
ovfdnnqivoh[.]com 6
limyhsqxryqauxxcfkc[.]com 6
iyquaulnfx[.]com 6
urenesqsfqnugs[.]com 6
qkhrrpcreyq[.]com 6
eyarffmarxwm[.]com 6
djgtardir[.]com 6
lwbgroaagnnrevjm[.]com 6
umgrhdfoijvjn[.]com 6
mekgwuqaxakwwi[.]com 6
bqetqsrvrn[.]com 6
nuveqyhlk[.]com 6
*See JSON for more IOCs
Files and or directories created Occurrences
%LOCALAPPDATA%\bolpidti 8
%LOCALAPPDATA%\bolpidti\judcsgdy.exe 8
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\judcsgdy.exe 8
%APPDATA%\93547108 8
%APPDATA%\93547108\csrss.exe 8
%APPDATA%\93547108\csrss.exe:Zone.Identifier 8
%LOCALAPPDATA%\c0598c70215326fb56d5a33092df3c688d2c1a8b 3
%LOCALAPPDATA%\c0598c70215326fb56d5a33092df3c688d2c1a8b\container.dat 3
%LOCALAPPDATA%\c0598c70215326fb56d5a33092df3c688d2c1a8b\container.dat.tmp 3
%LOCALAPPDATA%\c0598c70215326fb56d5a33092df3c688d2c1a8b\fcb72db2-3076-4d18-be42-468add95d18d 3
%LOCALAPPDATA%\Microsoft\Windows\WebCache\WebCacheV01.tmp 2
%APPDATA%\Mozilla\Firefox\Profiles\1lcuq8ab.default\prefs.js 1
\{5D9E0C27-180C-9720-0AE1-CCBBDEA5C01F} 1
%TEMP%\per 1
%APPDATA%\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\webappsstore.exe 1
%APPDATA%\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\parent.exe 1
%APPDATA%\Microsoft\Cicprov 1
%APPDATA%\Microsoft\Cicprov\api-draw.exe 1
%APPDATA%\96804751\csrss.exe 1
%APPDATA%\96804751\csrss.exe:Zone.Identifier 1
%TEMP%\upd9b628443.bat 1
%APPDATA%\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\Internet Explorer.exe 1
%APPDATA%\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\Music.dui 1
%APPDATA%\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\content-prefs.utq 1
%APPDATA%\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\desktop.tyi 1
*See JSON for more IOCs

File Hashes

06056e94b799f81695fb2f9175dd970027d5492faf40caaf943d0cd5b294099f 067b3cd1b068a83ace195fade2f015cb8b6d223c5e873fe12b4807ce523722b2 12b9cc6d62fdbfacff577022bef01922c62cc99a04b20fa700bb9f1ae279a8d8 1afe893aae8c764a9eaab06dc805d16d2ce185279b4e18467dda0fee37ef48a4 1e6a2f8c6f4dc130539c09057f103be2f93f12af85977d1d2f8c4d5640ce146e 25f0452d608d18b671d8f9d3d7b94bddd94d8265f35a95068bfe7d54053e7edb 34262cf747d821b6edce8286980b367c290663c3105da779d8af4f7381e609c6 3b40a6b6962aeff1c0ffe2562c57de86d0c55c5545e70a87c65be0cb9f71bef1 3c829ebb8347e074f1fee7a6398f586b2523cf728bdb7ab3e1d5f147a5d591be 3cd579592b9e6f86bd9276d48fb8ff553f567e7ceb792489de17406fdf6108ba 59739397835d75a78e69590fcb916ffc563f3943fcba62961e555a25152580d1 6960a764f20ce7baa46508a8b231c25047fc9ff79cfe9a7e3d803f1751fc194a 7543be2459a25cd65bbc5f1c5ce93146ab2830094c58cbf12e9a07099f8a8fe6 9090cfe08fa1cfd3b5af5343fdc3cb37eb33bc7a1a6a1303acab400c7e0de70e 90d2f7545fc3bb66d424a0f7132539aed354b4680aaaf693467245e53b439439 a0ef6e383e9dba6ad1e07f58e836c987acef9d538563e96ba2d5e6453d9dcf48 baf95ce5370f18a51f23d473df8c3ec161c00249fd76480074e11e3eaf7785ab d16f881c9cb7dd6da4cd7646a13baaed31553a6f4ed5408e1bb850c7b34211e0 d6fb602c065740a922e1d4a7c67a50acbcfcf3cc58f4464e78fe26a2dbf52889 dacc9a5c1db7ed213bbd0c509d99d4ec2a83a5def1733849485ee7448c9074a6 ea26a14263f52e2c90410fc6d4aea9a2816659282443d5d99ebab1667f2049a9 f08af083ed36b451ddb9b5c44fed95d2107c690bb8c186afb5361240b48321b7 fb1529c46b1c0f29dbbdff4b7bc488a59f7ea20a1eb1a4e56109882aa3bb868d

Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection

AMP


ThreatGrid


MITRE ATT&CK




Win.Malware.Cryptbot-8991879-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 10 samples
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
208[.]95[.]112[.]1 10
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
lerm04[.]info 10
ip-api[.]com 7
Files and or directories created Occurrences
%LOCALAPPDATA%\Google\Chrome\User Data\Default\CookiesCopy 10
%LOCALAPPDATA%\Google\Chrome\User Data\Default\LoginDataCopy 10
%LOCALAPPDATA%\Google\Chrome\User Data\Default\WebDataCopy 10
%LOCALAPPDATA%\Microsoft\Windows\INetCache\IE\FNF9BE4O\line[1].txt 10
%ProgramData%\AxzkSfMRh4p4\US___2020_07_21___15_44___QE6bVOKN75eQhqTKLUoL.zip 1
%ProgramData%\AxzkSfMRh4p4\moz_cookies.db 1
%ProgramData%\pD6a2hXB7LDzBC\1723651.txt 1
%ProgramData%\pD6a2hXB7LDzBC\43561237N.txt 1
%ProgramData%\pD6a2hXB7LDzBC\Files\CC_List.txt 1
%ProgramData%\pD6a2hXB7LDzBC\Files\Cookies\MozillaFirefox_F7OZJjY.txt 1
%ProgramData%\pD6a2hXB7LDzBC\Files\Cookies_List.txt 1
%ProgramData%\pD6a2hXB7LDzBC\Files\Forms_List.txt 1
%ProgramData%\pD6a2hXB7LDzBC\Files\Information.txt 1
%ProgramData%\pD6a2hXB7LDzBC\Files\Passwords_List.txt 1
%ProgramData%\pD6a2hXB7LDzBC\Files\Screensh0t.jpg 1
%ProgramData%\pD6a2hXB7LDzBC\US___2020_07_21___15_41___oDXCZ3dBBRYRTKcq.zip 1
%ProgramData%\pD6a2hXB7LDzBC\moz_cookies.db 1
%ProgramData%\HP5iYyWrQmAdqOVk\1723651.txt 1
%ProgramData%\HP5iYyWrQmAdqOVk\43561237N.txt 1
%ProgramData%\HP5iYyWrQmAdqOVk\Files\CC_List.txt 1
%ProgramData%\HP5iYyWrQmAdqOVk\Files\Cookies\MozillaFirefox_komHeBY.txt 1
%ProgramData%\HP5iYyWrQmAdqOVk\Files\Cookies_List.txt 1
%ProgramData%\HP5iYyWrQmAdqOVk\Files\Forms_List.txt 1
%ProgramData%\HP5iYyWrQmAdqOVk\Files\Information.txt 1
%ProgramData%\HP5iYyWrQmAdqOVk\Files\Passwords_List.txt 1
*See JSON for more IOCs

File Hashes

00e1e236c747887543cccf20962ccd8de0cb5e4b3b9cfa52ea3610650efced31 1d480c6b93e963f1b69407fdcffbd9206702ee7b19acfdd3e8c80d8f1068ee1d 1ff359e37943658f48286551bf66c91a7e653358cbe285ece15a160367057913 9480baf6745ca47a0ca78aa4b795c70b6418d3470386e0a96aa9de1c7787a665 c693cba8320a572aea33c79b7554de9d5161bcf27edb12602081bc26cc9f3fb5 ce4476127d28aa62a4a5b378019ce51f5961f3043c2830cbabccf8f6201fe541 e562347adba7f3f67c52c15417730d9d8f9cc547d1dda4ef9a1efff173b609ff e6c60ddf7694cc97cf37db1ddac4bbff54411ac51123e956f19c8fbe383a222e eb650e5eae54aac2752e88be105b7bb29727c791dd03b7be6e64bc527225f49a ed9de62bedaf93108c81b00b54969a13024f509462a9c97f0e99cb73fe66c902

Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection

AMP


ThreatGrid


MITRE ATT&CK




No comments:

Post a Comment

Note: Only a member of this blog may post a comment.