Today, Talos is publishing a glimpse into the most prevalent threats we've observed between July 24 and July 31. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, it summarizes the threats we've observed by highlighting key behavioral characteristics and indicators of compromise, and by discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. A visual depiction of the MITRE ATT&CK techniques associated with each threat is also shown. In these images, the brightness of the technique indicates how prevalent it is across all threat files where dynamic analysis was conducted. There are five distinct shades that are used, with the darkest indicating that no files exhibited technique behavior and the brightest indicating that technique behavior was observed from 75 percent or more of the files.

The most prevalent threats highlighted in this roundup are:

| Threat Name | Type | Description |
|---|---|---|
| Win.Ransomware.Cerber-9142650-0 | Ransomware | Cerber is ransomware that encrypts documents, photos, databases and other important files. Historically, this malware would replace files with encrypted versions and add the file extension ".cerber," although in more recent campaigns, other file extensions are used. |
| Win.Dropper.Gh0stRAT-9111297-0 | Dropper | Gh0stRAT is a well-known family of remote access trojans designed to provide an attacker with complete control over an infected system. Capabilities include monitoring keystrokes, collecting video footage from the webcam, and uploading/executing follow-on malware. The source code for Gh0stRAT has been publicly available on the Internet for years, significantly lowering the barrier for actors to modify and reuse the code in new attacks. |
| Win.Dropper.Tofsee-9108085-0 | Dropper | Tofsee is multi-purpose malware that features a number of modules used to carry out various activities such as sending spam messages, conducting click fraud, mining cryptocurrency, and more. Infected systems become part of the Tofsee spam botnet and are used to send large volumes of spam messages in an effort to infect additional systems and increase the overall size of the botnet under the operator's control. |
| Win.Malware.AgentTesla-9093590-1 | Malware | AgentTesla is a Remote Access Trojan that records keystrokes and attempts to steal sensitive information from web browsers and other installed applications. |
| Win.Virus.Xpiro-9093573-1 | Virus | Expiro is a known file infector and information-stealer that hinders analysis with anti-debugging and anti-analysis tricks. |
| Win.Dropper.DarkComet-9152539-1 | Dropper | DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system. Capabilities of this malware include the ability to download files from a user's machine, mechanisms for persistence and hiding, and the ability to send back usernames and passwords from the infected system. |
| Win.Ransomware.TeslaCrypt-9105565-0 | Ransomware | TeslaCrypt is a well-known ransomware family that encrypts a user's files with strong encryption and demands Bitcoin in exchange for a file decryption service. A flaw in the encryption algorithm was discovered that allowed files to be decrypted without paying the ransom, and eventually, the malware developers released the master key allowing all encrypted files to be recovered easily. |
| Win.Downloader.Kuluoz-9106992-0 | Downloader | Kuluoz, sometimes known as "Asprox," is a modular remote access trojan that is also known to download and execute follow-on malware, such as fake antivirus software. Kuluoz is often delivered via spam emails pretending to be shipment delivery notifications or flight booking confirmations. |

Threat Breakdown

Win.Ransomware.Cerber-9142650-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 19 samples
Mutexes | Occurrences
shell.{381828AA-8B28-3374-1B67-35680555C5EF} 19
shell.{<random GUID>} 10
Local\HKEY_LOCAL_MACHINE_SOFTWARE_Microsoft_Speech_AudioOutput_TokenEnums_MMAudioOut_{0.0.0.00000000}.{7bfc7233-d738-4ab8-aafa-ce95fe369e4a}_Mutex 6
Local\Mutex-0SpWaitObj-HKEY_LOCAL_MACHINE-SOFTWARE-Microsoft-Speech-AudioOutput-TokenEnums-MMAudioOut-{0.0.0.00000000}.{7bfc7233-d738-4ab8-aafa-ce95fe369e4a} 6
Local\Mutex-1SpWaitObj-HKEY_LOCAL_MACHINE-SOFTWARE-Microsoft-Speech-AudioOutput-TokenEnums-MMAudioOut-{0.0.0.00000000}.{7bfc7233-d738-4ab8-aafa-ce95fe369e4a} 6
Local\Mutex-2SpWaitObj-HKEY_LOCAL_MACHINE-SOFTWARE-Microsoft-Speech-AudioOutput-TokenEnums-MMAudioOut-{0.0.0.00000000}.{7bfc7233-d738-4ab8-aafa-ce95fe369e4a} 6
IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
Files and/or directories created | Occurrences
%TEMP%\d19ab989\4710.tmp 19
%TEMP%\d19ab989\a35f.tmp 19
%LOCALAPPDATA%\Microsoft\Windows\WebCache\WebCacheV01.tmp 19
%HOMEPATH%\Documents\10_147_20121129071628.RTF 19
%HOMEPATH%\Documents\127SYLLABUSFA07.PDF 19
%HOMEPATH%\Documents\13ACX.PDF 19
%HOMEPATH%\Documents\143.PDF 19
%HOMEPATH%\Documents\15_DIPLOMSKI2006.RTF 19
%HOMEPATH%\Documents\167_VAN_OORD_V_THE_PORT_OF_.PDF 19
%HOMEPATH%\Documents\1_ANKITAMISHRA_ESSAY.DOC 19
%HOMEPATH%\Documents\2329444014.DOC 19
%HOMEPATH%\Documents\2590OTHERSUPPORT.DOC 19
%HOMEPATH%\Documents\2Q37_DELETIONS_FTNW.PDF 19
%HOMEPATH%\Documents\46_DSENV.DOC 19
%HOMEPATH%\Documents\5PROTE_SL45_S.DOC 19
%HOMEPATH%\Documents\AT_DOM_E.DOC 19
%HOMEPATH%\Documents\B813B53525710DA882C4D06A52.XLSX 19
%HOMEPATH%\Documents\CONTRACTAPPENDIXB.DOC 19
%HOMEPATH%\Documents\DC546113F9030F161A90B734F3.XLSX 19
%HOMEPATH%\Documents\ERSD200502_E.DOC 19
%HOMEPATH%\Documents\F490F81ED03E44A1E7B5C86E19.XLSX 19
%HOMEPATH%\Documents\GOOGLE_CORPORATION_KHOTSO_.DOCX 19
%HOMEPATH%\Documents\HUNJA2B3_E.DOC 19
%HOMEPATH%\Documents\IATA_OMC_TOURISM.DOC 19
%TEMP%\~PI<random, matching [A-F0-9]{2,4}>.tmp 19

*See JSON for more IOCs

File Hashes


Coverage

| Product | Protection |
|---|---|
| AMP | This has coverage |
| Cloudlock | N/A |
| CWS | This has coverage |
| Email Security | This has coverage |
| Network Security | N/A |
| Stealthwatch | N/A |
| Stealthwatch Cloud | N/A |
| Threat Grid | This has coverage |
| Umbrella | N/A |
| WSA | N/A |

[Figures: Screenshots of Detection (AMP, ThreatGrid, Umbrella); Malware; MITRE ATT&CK]


Win.Dropper.Gh0stRAT-9111297-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 15 samples
| Registry Keys | Value Name | Occurrences |
|---|---|---|
| <HKLM>\SYSTEM\CONTROLSET001\SERVICES\WEWIEWIIERIN | Description | 15 |
| <HKLM>\SYSTEM\CONTROLSET001\SERVICES\WEWIEWIIERIN | | 15 |
| <HKLM>\SYSTEM\CONTROLSET001\SERVICES\WEWIEWIIERIN | Type | 15 |
| <HKLM>\SYSTEM\CONTROLSET001\SERVICES\WEWIEWIIERIN | Start | 15 |
| <HKLM>\SYSTEM\CONTROLSET001\SERVICES\WEWIEWIIERIN | ErrorControl | 15 |
| <HKLM>\SYSTEM\CONTROLSET001\SERVICES\WEWIEWIIERIN | ImagePath | 15 |
| <HKLM>\SYSTEM\CONTROLSET001\SERVICES\WEWIEWIIERIN | DisplayName | 15 |
| <HKLM>\SYSTEM\CONTROLSET001\SERVICES\WEWIEWIIERIN | WOW64 | 15 |
| <HKLM>\SYSTEM\CONTROLSET001\SERVICES\WEWIEWIIERIN | ObjectName | 15 |
Mutexes | Occurrences
wewiewiierin 15
Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
1919[.]ali114[.]net 15
cc[.]ip-163[.]com 15
Files and/or directories created | Occurrences
%SystemRoot%\SysWOW64\<random, matching '[a-zA-Z0-9]{4,19}'>.exe 10
%SystemRoot%\SysWOW64\kqwkig.exe 5
%System32%\aaaaaa.exe 2
%System32%\nannaa.exe 1
%System32%\dqrhqi.exe 1
%System32%\uusmuk.exe 1
%System32%\eeosec.exe 1
%System32%\zmhpmg.exe 1
%System32%\hufzuk.exe 1
%System32%\zmdpmg.exe 1
%System32%\ccuwco.exe 1
%System32%\jwzvwy.exe 1
%System32%\wwmiwy.exe 1
%System32%\mmqcmg.exe 1
%System32%\ggiogq.exe 1

File Hashes


Coverage

| Product | Protection |
|---|---|
| AMP | This has coverage |
| Cloudlock | N/A |
| CWS | This has coverage |
| Email Security | This has coverage |
| Network Security | N/A |
| Stealthwatch | N/A |
| Stealthwatch Cloud | N/A |
| Threat Grid | This has coverage |
| Umbrella | This has coverage |
| WSA | This has coverage |

[Figures: Screenshots of Detection (AMP, ThreatGrid); MITRE ATT&CK]


Win.Dropper.Tofsee-9108085-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 58 samples
| Registry Keys | Value Name | Occurrences |
|---|---|---|
| <HKU>\.DEFAULT\CONTROL PANEL\BUSES | | 58 |
| <HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> | | 58 |
| <HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> | Type | 58 |
| <HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> | Start | 58 |
| <HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> | ErrorControl | 58 |
| <HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> | DisplayName | 58 |
| <HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> | WOW64 | 58 |
| <HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> | ObjectName | 58 |
| <HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> | Description | 58 |
| <HKU>\.DEFAULT\CONTROL PANEL\BUSES | Config2 | 58 |
| <HKU>\.DEFAULT\CONTROL PANEL\BUSES | Config0 | 58 |
| <HKU>\.DEFAULT\CONTROL PANEL\BUSES | Config1 | 58 |
| <HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> | ImagePath | 23 |
| <HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS | C:\Windows\SysWOW64\kdrxwekz | 7 |
| <HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS | C:\Windows\SysWOW64\unbhgouj | 5 |
| <HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS | C:\Windows\SysWOW64\gzntsagv | 5 |
| <HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS | C:\Windows\SysWOW64\buionvbq | 4 |
| <HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS | C:\Windows\SysWOW64\dwkqpxds | 4 |
| <HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS | C:\Windows\SysWOW64\tmagfnti | 3 |
| <HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS | C:\Windows\SysWOW64\slzfemsh | 3 |
| <HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS | C:\Windows\SysWOW64\rkyedlrg | 3 |
| <HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS | C:\Windows\SysWOW64\qjxdckqf | 3 |
| <HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS | C:\Windows\SysWOW64\ibpvucix | 2 |
| <HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS | C:\Windows\SysWOW64\haoutbhw | 2 |
| <HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS | C:\Windows\SysWOW64\exlrqyet | 2 |
IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences

*See JSON for more IOCs

Domain Names contacted by malware. Does not indicate maliciousness | Occurrences

*See JSON for more IOCs

Files and/or directories created | Occurrences
%SystemRoot%\SysWOW64\config\systemprofile 58
%SystemRoot%\SysWOW64\config\systemprofile:.repos 58
%SystemRoot%\SysWOW64\<random, matching '[a-z]{8}'> 57
%TEMP%\<random, matching '[a-z]{8}'>.exe 55
\Device\ConDrv 25
%System32%\config\systemprofile:.repos 25
%System32%\<random, matching '[a-z]{8}\[a-z]{6,8}'>.exe (copy) 20
%TEMP%\ikflerb.exe 2
%TEMP%\jlgmfsc.exe 1
%TEMP%\oqlrkxh.exe 1
%System32%\iuamwac\ducakfma.exe (copy) 1
%System32%\fzlpafp\eqpdoyga.exe (copy) 1
%System32%\emnkxii\aixbomvv.exe (copy) 1
%TEMP%\cezfylv.exe 1
%System32%\mqxtgzi\cezfylv.exe (copy) 1
%System32%\esuuycp\usbclhws.exe (copy) 1

File Hashes


*See JSON for more IOCs

Coverage

| Product | Protection |
|---|---|
| AMP | This has coverage |
| Cloudlock | N/A |
| CWS | This has coverage |
| Email Security | This has coverage |
| Network Security | This has coverage |
| Stealthwatch | N/A |
| Stealthwatch Cloud | N/A |
| Threat Grid | This has coverage |
| Umbrella | This has coverage |
| WSA | This has coverage |

[Figures: Screenshots of Detection (AMP, ThreatGrid); MITRE ATT&CK]


Win.Malware.AgentTesla-9093590-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 30 samples
| Registry Keys | Value Name | Occurrences |
|---|---|---|
| <HKLM>\SYSTEM\CONTROLSET001\CONTROL\SESSION MANAGER | | 7 |
| <HKLM>\SYSTEM\CONTROLSET001\CONTROL\SESSION MANAGER | PendingFileRenameOperations | 7 |
| <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | MyApp | 5 |
| <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED | Hidden | 1 |
| <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | remcos | 1 |
| <HKCU>\SOFTWARE\REMCOS_ZSKVAVXXKBETKGQ | EXEpath | 1 |
| <HKCU>\SOFTWARE\REMCOS_ZSKVAVXXKBETKGQ | | 1 |
Mutexes | Occurrences
3749282D282E1E80C56CAE5A 9
Remcos_Mutex_Inj 1
A16467FA-7343A2EC-6F235135-4B9A74AC-F1DC8406A 1
A16467FA7-343A2EC6-F2351354-B9A74ACF-1DC8406A 1
4f444b86-60f0-4ef5-ac81-fd992cbc807c 1
remcos_zskvavxxkbetkgq 1
Global\8dc26c01-ceab-11ea-887e-00501e3ae7b6 1
66b3f2e7-3ec9-4459-8212-0ed3ccdde8a3 1
IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
Files and/or directories created | Occurrences
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\dth54.vbs 12
%APPDATA%\dth54 12
%APPDATA%\dth54\smgu.exe 12
%APPDATA%\dth54\smgu.exe:ZoneIdentifier 12
%TEMP%\<random, matching '[0-9]{15}'>000_<random GUID>.db 7
%APPDATA%\D282E1 6
%APPDATA%\D282E1\1E80C5.lck 6
%APPDATA%\MyApp 5
%APPDATA%\MyApp\MyApp.exe 5
%APPDATA%\remcos\logs.dat 1
%APPDATA%\remcos\remcos.exe 1
%APPDATA%\pid.txt 1
%APPDATA%\pidloc.txt 1
%TEMP%\install.bat 1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\I.exe 1
%TEMP%\FB_EA70.tmp.exe 1
%TEMP%\FB_F318.tmp.exe 1
%TEMP%\dbd1972e-0d99-c59b-cceb-15f2f6d04224 1
%TEMP%\tmpBFF7.tmp 1
%APPDATA%\bobialfj\bobhg.exe 1
%TEMP%\FB_1B9D.tmp.exe 1
%TEMP%\FB_1DB1.tmp.exe 1
%TEMP%\FB_7B97.tmp.exe 1
%TEMP%\FB_7E27.tmp.exe 1
%APPDATA%\slimialfj\slilhg.exe 1

*See JSON for more IOCs

File Hashes


*See JSON for more IOCs

Coverage

| Product | Protection |
|---|---|
| AMP | This has coverage |
| Cloudlock | N/A |
| CWS | This has coverage |
| Email Security | This has coverage |
| Network Security | N/A |
| Stealthwatch | N/A |
| Stealthwatch Cloud | N/A |
| Threat Grid | This has coverage |
| Umbrella | This has coverage |
| WSA | This has coverage |

[Figures: Screenshots of Detection (AMP, ThreatGrid); MITRE ATT&CK]


Win.Virus.Xpiro-9093573-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 13 samples
| Registry Keys | Value Name | Occurrences |
|---|---|---|
| <HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V2.0.50727_32 | Type | 13 |
| <HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V2.0.50727_32 | Start | 13 |
| <HKLM>\SOFTWARE\MICROSOFT\SECURITY CENTER\SVC\S-1-5-21-2580483871-590521980-3826313501-500 | | 13 |
| <HKLM>\SOFTWARE\MICROSOFT\SECURITY CENTER\SVC\S-1-5-21-2580483871-590521980-3826313501-500 | EnableNotifications | 13 |
| <HKLM>\SOFTWARE\MICROSOFT\.NETFRAMEWORK\V2.0.50727\NGENSERVICE\STATE | AccumulatedWaitIdleTime | 13 |
| <HKLM>\SOFTWARE\MICROSOFT\.NETFRAMEWORK\V2.0.50727\NGENSERVICE\LISTENEDSTATE | RootstoreDirty | 13 |
| <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.101 | CheckSetting | 13 |
| <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.103 | CheckSetting | 13 |
| <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.100 | CheckSetting | 13 |
| <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.102 | CheckSetting | 13 |
| <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.104 | CheckSetting | 13 |
Mutexes | Occurrences
kkq-vx_mtx67 13
kkq-vx_mtx68 13
kkq-vx_mtx69 13
kkq-vx_mtx70 13
kkq-vx_mtx71 13
kkq-vx_mtx72 13
kkq-vx_mtx73 13
kkq-vx_mtx74 13
kkq-vx_mtx75 13
kkq-vx_mtx76 13
kkq-vx_mtx77 13
kkq-vx_mtx78 13
kkq-vx_mtx79 13
kkq-vx_mtx80 13
kkq-vx_mtx81 13
kkq-vx_mtx82 13
kkq-vx_mtx83 13
kkq-vx_mtx84 13
kkq-vx_mtx85 13
kkq-vx_mtx86 13
kkq-vx_mtx87 13
kkq-vx_mtx88 13
kkq-vx_mtx89 13
kkq-vx_mtx90 13
kkq-vx_mtx91 13

*See JSON for more IOCs

Files and/or directories created | Occurrences
%System32%\msiexec.exe 13
%System32%\snmptrap.exe 13
%System32%\sppsvc.exe 13
%System32%\vds.exe 13
%System32%\wbem\WmiApSrv.exe 13
%System32%\wbengine.exe 13
%SystemRoot%\ehome\ehsched.exe 13
%CommonProgramFiles%\Microsoft Shared\OFFICE14\MSOXMLED.vir 13
%CommonProgramFiles%\Microsoft Shared\VSTO\10.0\VSTOInstaller.vir 13
%CommonProgramFiles%\Microsoft Shared\ink\ConvertInkStore.vir 13
%CommonProgramFiles%\Microsoft Shared\ink\InputPersonalization.vir 13
%CommonProgramFiles%\Microsoft Shared\ink\ShapeCollector.vir 13
%CommonProgramFiles%\Microsoft Shared\ink\TabTip.vir 13
%CommonProgramFiles%\Microsoft Shared\ink\mip.vir 13
%ProgramFiles%\Internet Explorer\iexplore.vir 13
%APPDATA%\Mozilla\Firefox\Profiles\1lcuq8ab.default\extensions\{ec9032c7-c20a-464f-7b0e-13a3a9e97385}\chrome.manifest 13
%APPDATA%\Mozilla\Firefox\Profiles\1lcuq8ab.default\extensions\{ec9032c7-c20a-464f-7b0e-13a3a9e97385}\chrome\content.jar 13
%APPDATA%\Mozilla\Firefox\Profiles\1lcuq8ab.default\extensions\{ec9032c7-c20a-464f-7b0e-13a3a9e97385}\components\red.js 13
%APPDATA%\Mozilla\Firefox\Profiles\1lcuq8ab.default\extensions\{ec9032c7-c20a-464f-7b0e-13a3a9e97385}\install.rdf 13
%CommonProgramFiles(x86)%\microsoft shared\source engine\ose.vir 13
%ProgramFiles(x86)%\microsoft office\office14\groove.vir 13
%ProgramFiles(x86)%\mozilla maintenance service\maintenanceservice.vir 13
%CommonProgramFiles%\microsoft shared\officesoftwareprotectionplatform\osppsvc.vir 13
%SystemRoot%\ehome\ehsched.vir 13
%SystemRoot%\microsoft.net\framework64\v2.0.50727\mscorsvw.vir 13

*See JSON for more IOCs

File Hashes


Coverage

| Product | Protection |
|---|---|
| AMP | This has coverage |
| Cloudlock | N/A |
| CWS | This has coverage |
| Email Security | This has coverage |
| Network Security | N/A |
| Stealthwatch | N/A |
| Stealthwatch Cloud | N/A |
| Threat Grid | This has coverage |
| Umbrella | N/A |
| WSA | N/A |

[Figures: Screenshots of Detection (AMP, ThreatGrid); MITRE ATT&CK]


Win.Dropper.DarkComet-9152539-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 11 samples
| Registry Keys | Value Name | Occurrences |
|---|---|---|
| <HKCU>\SOFTWARE\DC3_FEXEC | | 11 |
| <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | MicroUpdate | 10 |
| <HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON | UserInit | 10 |
| <HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE | EnableFirewall | 1 |
| <HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE | DisableNotifications | 1 |
| <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM | EnableLUA | 1 |
| <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM | | 1 |
Mutexes | Occurrences
DC_MUTEX-<random, matching [A-Z0-9]{7}> 11
IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
193[.]0[.]200[.]186 1
Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
Files and/or directories created | Occurrences
%APPDATA%\dclogs 11
%ProgramData%\Microsoft\Windows\Start Menu\MSDCSC 10
%ProgramData%\Microsoft\Windows\Start Menu\MSDCSC\msdcsc.exe 10

File Hashes


Coverage

| Product | Protection |
|---|---|
| AMP | This has coverage |
| Cloudlock | N/A |
| CWS | This has coverage |
| Email Security | This has coverage |
| Network Security | N/A |
| Stealthwatch | N/A |
| Stealthwatch Cloud | N/A |
| Threat Grid | This has coverage |
| Umbrella | N/A |
| WSA | N/A |

[Figures: Screenshots of Detection (AMP, ThreatGrid); MITRE ATT&CK]


Win.Ransomware.TeslaCrypt-9105565-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 15 samples
| Registry Keys | Value Name | Occurrences |
|---|---|---|
| <HKLM>\BCD00000000\OBJECTS\{926583E4-EF64-11E4-BEED-D6738078AD98}\ELEMENTS\16000009 | Element | 15 |
| <HKLM>\BCD00000000\OBJECTS\{926583E4-EF64-11E4-BEED-D6738078AD98}\ELEMENTS\250000E0 | Element | 15 |
| <HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM | EnableLinkedConnections | 15 |
| <HKLM>\BCD00000000\OBJECTS\{926583E4-EF64-11E4-BEED-D6738078AD98}\ELEMENTS\16000041 | | 15 |
| <HKLM>\BCD00000000\OBJECTS\{926583E4-EF64-11E4-BEED-D6738078AD98}\ELEMENTS\16000041 | Element | 15 |
| <HKLM>\BCD00000000\OBJECTS\{926583E4-EF64-11E4-BEED-D6738078AD98}\ELEMENTS\16000020 | | 15 |
| <HKLM>\BCD00000000\OBJECTS\{926583E4-EF64-11E4-BEED-D6738078AD98}\ELEMENTS\16000020 | Element | 15 |
| <HKLM>\BCD00000000\OBJECTS\{926583E4-EF64-11E4-BEED-D6738078AD98}\ELEMENTS\16000040 | | 15 |
| <HKLM>\BCD00000000\OBJECTS\{926583E4-EF64-11E4-BEED-D6738078AD98}\ELEMENTS\16000040 | Element | 15 |
| <HKLM>\BCD00000000\OBJECTS\{926583E4-EF64-11E4-BEED-D6738078AD98}\ELEMENTS\250000E0 | | 15 |
| <HKCU>\SOFTWARE\XXXSYS | | 15 |
| <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{C8E6F269-B90A-4053-A3BE-499AFCEC98C4}.CHECK.0 | CheckSetting | 15 |
| <HKCU>\SOFTWARE\XXXSYS | ID | 15 |
| <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE | 1qwqwqe-r213 | 15 |
| <HKCU>\Software\<random, matching '[A-Z0-9]{14,16}'> | | 15 |
| <HKCU>\Software\<random, matching '[A-Z0-9]{14,16}'> | data | 15 |
Mutexes | Occurrences
__sys_234238233295 15
IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
23[.]236[.]62[.]147 15
222[.]165[.]133[.]242 15
27[.]254[.]87[.]155 15
217[.]116[.]196[.]239 15
Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
Files and/or directories created

*See JSON for more IOCs

File Hashes


Coverage

Product               Protection
AMP                   This has coverage
Cloudlock             N/A
CWS                   This has coverage
Email Security        This has coverage
Network Security      This has coverage
Stealthwatch          N/A
Stealthwatch Cloud    N/A
Threat Grid           This has coverage
Umbrella              This has coverage
WSA                   This has coverage


Win.Downloader.Kuluoz-9106992-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 23 samples
Registry Keys    Occurrences
<HKCU>\SOFTWARE\<random, matching '[a-zA-Z0-9]{5,9}'> 23
Mutexes    Occurrences
aaAdministrator 23
abAdministrator 23
IP Addresses contacted by malware. Does not indicate maliciousness
Files and/or directories created    Occurrences
%LOCALAPPDATA%\<random, matching '[a-z]{8}'>.exe 23

File Hashes


Coverage

Product               Protection
AMP                   This has coverage
Cloudlock             N/A
CWS                   This has coverage
Email Security        This has coverage
Network Security      This has coverage
Stealthwatch          N/A
Stealthwatch Cloud    N/A
Threat Grid           This has coverage
Umbrella              N/A
WSA                   N/A


Exploit Prevention

Cisco AMP for Endpoints protects users from a variety of malware functions with exploit prevention. Exploit prevention helps users defend endpoints from memory attacks commonly used by obfuscated malware and exploits. These exploits use certain features to bypass typical anti-virus software, but were blocked by AMP thanks to its advanced scanning capabilities, even protecting against zero-day vulnerabilities.

Dealply adware detected - (10958)
DealPly is adware that claims to improve your online shopping experience. It is often bundled into other legitimate installers and is difficult to uninstall. It creates pop-up advertisements and injects advertisements on webpages. Adware has also been known to download and install malware.
CVE-2019-0708 detected - (2298)
An attempt to exploit CVE-2019-0708 has been detected. The vulnerability, dubbed BlueKeep, is a heap memory corruption which can be triggered by sending a specially crafted Remote Desktop Protocol (RDP) request. Since this vulnerability can be triggered without authentication and allows remote code execution, it can be used by worms to spread automatically without human interaction.
Excessively long PowerShell command detected - (1522)
A PowerShell command with a very long command line argument that may indicate an obfuscated script has been detected. PowerShell is an extensible Windows scripting language present on all versions of Windows. Malware authors use PowerShell in an attempt to evade security software or other monitoring that is not tuned to detect PowerShell-based threats.
Process hollowing detected - (1226)
Process hollowing is a technique used by some programs to avoid static analysis. In typical usage, a process is started and its obfuscated or encrypted contents are unpacked into memory. The parent then manually sets up the first stages of launching a child process, but before launching it, the memory is cleared and filled in with the memory from the parent instead.
Squiblydoo application whitelist bypass attempt detected. - (734)
An attempt to bypass application whitelisting via the "Squiblydoo" technique has been detected. This typically involves using regsvr32.exe to execute script content hosted on an attacker controlled server.
Crystalbit-Apple DLL double hijack detected - (500)
Crystalbit-Apple DLL double hijack was detected. During this attack, the adversary abuses two legitimate vendor applications, such as CrystalBit and Apple, as part of a DLL double hijack attack chain that starts with a fraudulent software bundle and eventually leads to a persistent miner and in some cases spyware deployment.
Installcore adware detected - (284)
InstallCore is an installer that bundles legitimate applications with offers for additional third-party applications that may be unwanted. The unwanted applications are often adware that displays advertising in the form of popups or by injecting into browsers and adding or altering advertisements on webpages. Adware is known to sometimes download and install malware.
Kovter injection detected - (124)
A process was injected into, most likely by an existing Kovter infection. Kovter is a click fraud Trojan that can also act as an information stealer. Kovter is also file-less malware, meaning the malicious DLL is stored inside the Windows registry and injected directly into memory using PowerShell. It can detect and report the usage of monitoring software such as Wireshark and sandboxes to its C2. It spreads through malicious advertising and spam campaigns.
Gamarue malware detected - (73)
Gamarue is a family of malware that can download files and steal information from an infected system. Worm variants of the Gamarue family may spread by infecting USB drives or portable hard disks that have been plugged into a compromised system.
IcedID malware detected - (29)
IcedID is a banking Trojan. It uses both web browser injection and browser redirection to steal banking and/or other financial credentials and data. The features and sophistication of IcedID demonstrate the malware author's knowledge and technical skill for this kind of fraud, and suggest the authors have previous experience creating banking Trojans. IcedID has been observed being installed by Emotet or Ursnif. Systems infected with IcedID should also be scanned for additional malware infections.
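
The "Excessively long PowerShell command detected" entry above can be approximated in log triage as follows. This is an added example, not Talos or AMP code: it flags PowerShell process-creation events whose command line exceeds a length threshold and decodes any -EncodedCommand argument for analyst review. The 1000-character threshold, the event field names and the sample events are assumptions.

```python
import base64
import re

# Assumed cut-off: the page gives no number for "excessively long".
MAX_CMDLINE_LEN = 1000
PS_IMAGES = {"powershell.exe", "pwsh.exe"}
# A flag starting with "e" followed by a base64-looking argument.
FLAG = re.compile(r"(?:^|\s)[-/](e[a-z]*)\s+([A-Za-z0-9+/]{16,}={0,2})", re.I)


def image_name(path):
    """Lower-cased file name from a Windows or POSIX style path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline):
    """Return the script behind -EncodedCommand (or -e/-ec/-enc...), else None."""
    for m in FLAG.finditer(cmdline):
        flag = m.group(1).lower()
        # PowerShell accepts -ec and any prefix of -EncodedCommand.
        if flag == "ec" or "encodedcommand".startswith(flag):
            try:
                raw = base64.b64decode(m.group(2), validate=True)
                return raw.decode("utf-16-le")  # PowerShell expects UTF-16LE
            except ValueError:  # malformed base64 or invalid UTF-16
                return None
    return None


def triage(event):
    """Findings for one process-creation event: dict with 'image' and 'cmdline'."""
    if image_name(event["image"]) not in PS_IMAGES:
        return []
    findings = []
    if len(event["cmdline"]) > MAX_CMDLINE_LEN:
        findings.append("long_cmdline")
    if decode_encoded_command(event["cmdline"]) is not None:
        findings.append("encoded_command")
    return findings


# Constructed sample events (harmless script text), not data from the page.
SCRIPT = "Write-Output 'constructed sample'; " * 40
B64 = base64.b64encode(SCRIPT.encode("utf-16-le")).decode("ascii")
EVENTS = [
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoProfile -File C:\\Scripts\\backup.ps1"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoP -W Hidden -enc " + B64},
    {"image": r"C:\Tools\build\cl.exe", "cmdline": "cl.exe " + "/Iinclude " * 200},
]
RESULTS = [triage(e) for e in EVENTS]
```

Length alone also matches legitimate management scripts, so the decoded script text is what an analyst reviews before escalating.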