Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Feb. 12 and Feb. 19. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. A visual depiction of the MITRE ATT&CK techniques associated with each threat is also shown. In these images, the brightness of the technique indicates how prevalent it is across all threat files where dynamic analysis was conducted. There are five distinct shades that are used, with the darkest indicating that no files exhibited technique behavior and the brightest indicating that technique behavior was observed from 75 percent or more of the files.
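
The IOC lists below are defanged (`181[.]140[.]173[.]186`), use `%APPDATA%`-style placeholders for paths, and, as the note above says, a single hit is weak evidence. The following script is an added example of how to consume such a list against host telemetry; it is not Talos' tooling and not the accompanying JSON's real schema. The JSON excerpt is constructed in the shape the script expects (field names are assumptions), its IOC values are copied from the TrickBot section, and the telemetry events are constructed. The verdict logic requires hits from at least two independent IOC categories on the same host before calling it "high":

```python
"""Refang roundup-style IOCs and weigh how many distinct IOC types hit per host.

Added example for this roundup; it is not Talos' tooling. ROUNDUP_JSON is a
constructed excerpt (field names are assumptions, not the real file's schema)
whose values come from the TrickBot section; EVENTS are constructed telemetry.
"""
import json
import re
from collections import defaultdict

ROUNDUP_JSON = r'''
{
  "Win.Malware.TrickBot-9831264-1": {
    "mutexes": ["Global\\316D1C7871E10"],
    "ips": ["181[.]140[.]173[.]186", "51[.]89[.]115[.]116"],
    "domains": ["myexternalip[.]com", "eastconsults[.]com"],
    "files": ["%APPDATA%\\windirect\\settings.ini", "%System32%\\Tasks\\Windows Direct core tools"]
  }
}
'''

# Map telemetry event kinds onto the roundup's IOC categories.
KIND_TO_CATEGORY = {"dns": "domains", "netconn": "ips", "mutex": "mutexes", "file": "files"}

# Constructed telemetry (not real data): ws01 shows the full TrickBot footprint,
# ws02 only the what-is-my-IP lookup, ws03 only one outbound connection.
EVENTS = [
    {"host": "ws01", "kind": "dns", "value": "myexternalip.com"},
    {"host": "ws01", "kind": "mutex", "value": "Global\\316D1C7871E10"},
    {"host": "ws01", "kind": "file", "value": r"C:\Users\bob\AppData\Roaming\windirect\settings.ini"},
    {"host": "ws01", "kind": "netconn", "value": "181.140.173.186"},
    {"host": "ws02", "kind": "dns", "value": "myexternalip.com"},
    {"host": "ws03", "kind": "netconn", "value": "51.89.115.116"},
    {"host": "ws03", "kind": "process", "value": "notepad.exe"},  # kind with no IOC category
]


def refang(ioc):
    """Undo the [.] and hxxp defanging used in the roundup so values compare with live telemetry."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


def path_pattern(path):
    """Turn a roundup path with %VAR% placeholders into an anchored, case-insensitive regex.

    Telemetry carries concrete paths (C:\\Users\\...\\AppData\\Roaming\\...), so every
    placeholder becomes a non-greedy wildcard and each literal piece is escaped.
    """
    pieces = []
    for part in re.split(r"(%[A-Za-z0-9()]+%)", path):
        is_placeholder = part.startswith("%") and part.endswith("%")
        pieces.append(r".+?" if is_placeholder else re.escape(part))
    return re.compile("".join(pieces) + r"$", re.IGNORECASE)


def load_iocs(raw_json):
    """Return {family: {category: [comparable IOC, ...]}}; file paths become compiled regexes."""
    iocs = {}
    for family, categories in json.loads(raw_json).items():
        iocs[family] = {}
        for category, values in categories.items():
            if category == "files":
                iocs[family][category] = [path_pattern(v) for v in values]
            else:
                iocs[family][category] = [refang(v).lower() for v in values]
    return iocs


def match_events(iocs, events):
    """Return {host: {family: {category: {matched value, ...}}}} for every IOC hit."""
    hits = defaultdict(lambda: defaultdict(lambda: defaultdict(set)))
    for ev in events:
        category = KIND_TO_CATEGORY.get(ev["kind"])
        if category is None:
            continue
        value = ev["value"]
        for family, categories in iocs.items():
            for ioc in categories.get(category, []):
                matched = ioc.search(value) if category == "files" else value.lower() == ioc
                if matched:
                    hits[ev["host"]][family][category].add(value)
    return hits


def triage(iocs, events):
    """Per host and family: ('high', n) when n >= 2 distinct IOC categories agree, else ('review', n).

    A lone domain hit such as myexternalip.com (a public what-is-my-IP service that
    plenty of benign software also queries) stays at 'review'; a mutex plus a dropped
    file plus a contacted address on one host is the corroboration the roundup asks for.
    """
    verdicts = {}
    for host, families in match_events(iocs, events).items():
        verdicts[host] = {}
        for family, categories in families.items():
            n = len(categories)
            verdicts[host][family] = ("high" if n >= 2 else "review", n)
    return verdicts


if __name__ == "__main__":
    for host, families in sorted(triage(load_iocs(ROUNDUP_JSON), EVENTS).items()):
        for family, (level, n) in families.items():
            print(f"{host}: {family} -> {level} ({n} IOC categories)")
```

Run as-is it reports ws01 as "high" with four agreeing categories and ws02/ws03 as "review" with one each; swap `ROUNDUP_JSON` and `EVENTS` for the real JSON (after mapping its field names) and your own DNS, network, mutex and file telemetry.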

The most prevalent threats highlighted in this roundup are:

Threat Name | Type | Description
Win.Malware.TrickBot-9831264-1 | Malware | Trickbot is a banking trojan targeting sensitive information for certain financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB scripts.
Win.Malware.Gamarue-9831273-0 | Malware | Gamarue, also known as Andromeda, is a botnet used to spread malware, steal information and perform activities such as click fraud.
Win.Packed.Dridex-9831573-1 | Packed | Dridex is a well-known banking trojan that steals credentials and other sensitive information from an infected machine.
Win.Packed.RedLine-9831330-0 | Packed | RedLine Stealer is an information stealer written in .NET and sold on hacking forums.
Win.Virus.Xpiro-9831331-1 | Virus | Expiro is a known file infector and information-stealer that hinders analysis with anti-debugging and anti-analysis tricks.
Win.Packed.Zbot-9831585-0 | Packed | Zbot, also known as Zeus, is a trojan that steals information, such as banking credentials, using methods such as key-logging and form-grabbing.
Win.Trojan.Coinminer-9831347-0 | Trojan | This malware installs and executes cryptocurrency mining software. You can read more about this kind of threat on our blog at /blocking-cryptomining.
Win.Malware.Zusy-9831590-0 | Malware | Zusy, also known as TinyBanker or Tinba, is a trojan that uses man-in-the-middle attacks to steal banking information. When executed, it injects itself into legitimate Windows processes such as "explorer.exe" and "winver.exe". When the user accesses a banking website, it displays a form to trick the user into submitting personal information.
Win.Trojan.Gh0stRAT-9831483-1 | Trojan | Gh0stRAT is a well-known family of remote access trojans designed to provide an attacker with complete control over an infected system. Capabilities include monitoring keystrokes, collecting video footage from the webcam, and uploading/executing follow-on malware. The source code for Gh0stRAT has been publicly available on the internet for years, significantly lowering the barrier for actors to modify and reuse the code in new attacks.

Threat Breakdown

Win.Malware.TrickBot-9831264-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 18 samples
Mutexes | Occurrences
Global\316D1C7871E10 11
Global\d88aa701-6c46-11eb-b5f8-00501e3ae7b6 2
Global\d885e441-6c46-11eb-b5f8-00501e3ae7b6 1
Global\d86e1681-6c46-11eb-b5f8-00501e3ae7b6 1
Global\d7c99921-6c46-11eb-b5f8-00501e3ae7b6 1
Global\2CD43D88F6210 1
Global\078E20DA836932832 1
Global\FFC9BDAEF6B932960 1
Global\3059262098810 1
Global\02B9498C2631128 1
Global\443511D847610 1
IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
181[.]140[.]173[.]186 7
51[.]89[.]115[.]116 6
85[.]204[.]116[.]237 5
190[.]214[.]13[.]2 4
164[.]68[.]120[.]56 4
146[.]185[.]219[.]165 4
93[.]189[.]42[.]146 3
216[.]239[.]38[.]21 2
82[.]146[.]62[.]52 2
5[.]2[.]75[.]167 2
185[.]252[.]144[.]174 2
194[.]5[.]250[.]155 2
185[.]99[.]2[.]160 2
216[.]239[.]32[.]21 1
66[.]70[.]178[.]185 1
198[.]8[.]91[.]10 1
5[.]182[.]210[.]246 1
143[.]95[.]80[.]233 1
217[.]107[.]34[.]151 1
5[.]2[.]75[.]93 1
81[.]177[.]165[.]145 1
195[.]123[.]216[.]223 1
181[.]113[.]28[.]146 1
5[.]182[.]210[.]226 1
5[.]182[.]210[.]230 1

*See JSON for more IOCs

Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
myexternalip[.]com 2
eastconsults[.]com 1
oscqa[.]com 1
www[.]eastconsults[.]com 1
Files and/or directories created | Occurrences
%APPDATA%\windirect 11
%APPDATA%\windirect\settings.ini 11
%APPDATA%\windirect\data 11
%System32%\Tasks\Windows Direct core tools 11
%ProgramData%\ .exe 6
%APPDATA%\windirect\ .exe 6
%TEMP%\<random, matching '[a-f0-9]{3,5}'>_appcompat.txt 5
%TEMP%\<random, matching '[A-F0-9]{4,5}'>.dmp 5
%TEMP%\ AU9D9.exe 1
%TEMP%\b5PA44B.exe 1
%TEMP%\b5PA44B.tmp 1
%TEMP%\b5PF8C2.exe 1

File Hashes

Coverage

Product | Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection

AMP


ThreatGrid


MITRE ATT&CK


Win.Malware.Gamarue-9831273-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 24 samples
Registry Keys | Occurrences
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Client.exe
1
Mutexes | Occurrences
3749282D282E1E80C56CAE5A 21
9DAA44F7C7955D46445DC99B 21
Global\a9266381-6c57-11eb-b5f8-00501e3ae7b6 1
Global\a9ee1881-6c57-11eb-b5f8-00501e3ae7b6 1
IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
103[.]153[.]182[.]50 9
185[.]208[.]180[.]121 4
51[.]195[.]53[.]221 2
45[.]128[.]207[.]237 2
45[.]8[.]124[.]25 2
91[.]107[.]126[.]138 2
172[.]217[.]197[.]139 1
209[.]85[.]201[.]94 1
172[.]217[.]197[.]136 1
172[.]217[.]164[.]238 1
45[.]128[.]204[.]36 1
Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
atlasqrp[.]com 9
becharnise[.]ir 4
azmtool[.]us 2
newcesarnex[.]com 2
klimsourcinq[.]com 2
cpanel[.]com 1
Files and/or directories created | Occurrences
%TEMP%\ns<random, matching '[a-z][A-F0-9]{1,4}'>.tmp 24
%TEMP%\ns<random, matching '[a-z][A-F0-9]{4}'>.tmp\System.dll 24
%TEMP%\yrcvb.dll 23
%APPDATA%\D282E1 21
%APPDATA%\D282E1\1E80C5.lck 21
%APPDATA%\7C7955\5D4644.lck 21
%APPDATA%\7C7955\5D4644.exe (copy) 10
%TEMP%\50x50.jpg 8
%TEMP%\README.md 8
%TEMP%\download.png 8
%TEMP%\hmilyqt.y 1
%TEMP%\kdzuq.ta 1
%TEMP%\aqmwckjmrn.nu 1
%TEMP%\liwss.xth 1
%TEMP%\myqkt.lqe 1
%TEMP%\hudevtl.jg 1
%TEMP%\lunzuig.jbl 1
%TEMP%\daxet.aj 1
%TEMP%\oqwlvuu.bow 1
%TEMP%\npaiwbql.lr 1
%TEMP%\pppxeh.lu 1
%TEMP%\jngyo.p 1
%TEMP%\enjwfflcig.e 1
%TEMP%\nfyavszd.iqa 1
%TEMP%\qvdzm.nsz 1

*See JSON for more IOCs

File Hashes

Coverage

Product | Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection

AMP


ThreatGrid


MITRE ATT&CK


Win.Packed.Dridex-9831573-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 20 samples
Registry Keys | Occurrences
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: trkcore
20
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM
Value Name: DisableTaskMgr
20
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{C8E6F269-B90A-4053-A3BE-499AFCEC98C4}.CHECK.0
Value Name: CheckSetting
20
Mutexes | Occurrences
<random, matching [A-Z0-9]{10}> 20
IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
172[.]217[.]11[.]46 19
104[.]23[.]99[.]190 12
104[.]23[.]98[.]190 7
173[.]194[.]175[.]138/31 7
173[.]194[.]175[.]102 6
23[.]3[.]13[.]154 5
173[.]194[.]175[.]100/31 4
72[.]21[.]81[.]240 3
173[.]194[.]175[.]113 3
23[.]3[.]13[.]88 3
172[.]217[.]11[.]14 1
205[.]185[.]216[.]42 1
Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
pastebin[.]com 20
w[.]google[.]com 20
www3[.]l[.]google[.]com 20
ctldl[.]windowsupdate[.]com 12
a767[.]dscg3[.]akamai[.]net 8
cs11[.]wpc[.]v0cdn[.]net 3
www[.]nifrdvobhd[.]com 1
www[.]iywhpbgr3g[.]com 1
www[.]gv9wsvkwyy[.]com 1
www[.]alttykgp11[.]com 1
www[.]a2mmxwlxvz[.]com 1
www[.]5gfm7hi7qd[.]com 1
www[.]buwejlpp0d[.]com 1
www[.]suetin4khr[.]com 1
www[.]ek6pnnamyz[.]com 1
www[.]hywh1moi2j[.]com 1
www[.]mbvakzylhn[.]com 1
www[.]vvubjb0gdm[.]com 1
www[.]hy9omntzcm[.]com 1
www[.]8oneeswa1v[.]com 1
www[.]tayjwmhzgx[.]com 1
www[.]q4szrjzmhc[.]com 1
www[.]u7ols5b564[.]com 1
www[.]vich2cbkdj[.]com 1
www[.]vphejtfpjx[.]com 1

*See JSON for more IOCs

Files and/or directories created | Occurrences
<malware cwd>\old_<malware exe name> (copy) 20
%ProgramData%\Microsoft\Windows\SystemData\S-1-5-18\ReadOnly\LockScreen_Z\LockScreen___1024_0768_notdimmed.jpg (copy) 2
%ProgramData%\Microsoft\Windows\SystemData\S-1-5-18\ReadOnly\LockScreen_Z\~ockScreen___1024_0768_notdimmed.tmp 2

File Hashes

Coverage

Product | Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

AMP


ThreatGrid


MITRE ATT&CK


Win.Packed.RedLine-9831330-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 18 samples
IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
192[.]0[.]47[.]59 11
104[.]26[.]13[.]31 6
199[.]71[.]0[.]46 5
172[.]67[.]75[.]172 5
199[.]212[.]0[.]46 4
104[.]26[.]12[.]31 3
94[.]140[.]115[.]81 3
199[.]5[.]26[.]46 2
86[.]105[.]252[.]119 2
94[.]140[.]114[.]79 1
45[.]128[.]150[.]68 1
194[.]33[.]45[.]208 1
45[.]84[.]0[.]200 1
194[.]127[.]178[.]169 1
138[.]124[.]183[.]216 1
45[.]33[.]89[.]196 1
37[.]46[.]150[.]90 1
45[.]67[.]231[.]50 1
86[.]107[.]197[.]242 1
178[.]20[.]40[.]83 1
46[.]105[.]124[.]55 1
185[.]117[.]73[.]183 1
Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
api[.]ip[.]sb 11
whois[.]arin[.]net 11
whois[.]iana[.]org 11
ianawhois[.]vip[.]icann[.]org 8
api[.]ip[.]sb[.]cdn[.]cloudflare[.]net 8
jelonaki[.]xyz 3
ronamei[.]club 1
kapesteis[.]xyz 1
bilirtylo[.]xyz 1
Files and/or directories created | Occurrences
%TEMP%\tmp<random, matching [A-F0-9]{1,4}>.tmp 2

File Hashes

181deb00fe0cef63aa1110722c263e33e010bef99b2239f7f3e010e4ef896ee8
1f6a851e6ec58527597fa34f45bf3fb57fb792dc510dd2924223fe06767ac5db
5ed7321d0e4d7e0dbec935824a15bd6706d26e1798c8d86ac820e7632fa12af5
69fca12354a4e0577c699dfbf58b665f5358693660ce2cf8144b75ea08249d50
6c8e9ea9c67e2807cdf62f2b682bbb59038d00435c55e18a69de6ad3331e5455
81d268ae82f4444e0635482a5cdeb183b03a9f514815d1b37e3db42845d26391
8bc9c34c4795259ec849342ef090ff6afe98386cf8f3e178090462ea2e9222a3
8c0e0c1eb5b238d795ee9403e342c9b174bb3d1adefbaeec4897002bd02b5c5d
8c89c9a094a0f0d39f2b58ba29bad8a5d2373a98cf7adf0ae8d535853005dee9
8d41ef2fb5dc6d40326edbc5c030442c9b405adb1dec5340a43c5a63fda16ee2
99e8f71c4b1defd1fdad56f2b9e70578633cb2cd1901698bbadf97c1538c7384
9cef12bd078776ed63eeac73915174764c331244fc79609a0b8d8a7589c09c83
9f53624e3d08ef50e14c5761553d0f90d1203f69ba5674c35b309e285980c811
be92ed06586b1d63cd82f3ae730ca8c99abd2a2de403b5f14094fd01ce47a1c2
c2a7cf7be6e395d3212033cde522a314c8ab117dc279ff19b15066d14e2f7829
d1db7d5b29bdde7c9e1e7899d1867eba946e961c95e0d9867dbbdfc63d7b81da
f043c533c3d2a09cbff857a3351a7c7f3938342494d73cb5c582b1a999c11260
f89e6f2527aa365968333a01f97ba93b6d21e55375e6be255841fed0ecf67054

Coverage

Product | Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection

AMP


ThreatGrid


MITRE ATT&CK


Win.Virus.Xpiro-9831331-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 26 samples
Registry Keys | Occurrences
<HKLM>\SOFTWARE\CLASSES\SOUNDREC\PROTOCOL\STDEXECUTE\SERVER 26
<HKLM>\SOFTWARE\CLASSES\SOUNDREC\PROTOCOL\STDFILEEDITING\SERVER 26
<HKLM>\SOFTWARE\CLASSES\SOUNDREC\PROTOCOL 26
<HKLM>\SOFTWARE\CLASSES\SOUNDREC\PROTOCOL\STDEXECUTE 26
<HKLM>\SOFTWARE\CLASSES\SOUNDREC\PROTOCOL\STDEXECUTE\SERVER 26
<HKLM>\SOFTWARE\CLASSES\SOUNDREC\PROTOCOL\STDFILEEDITING 26
<HKLM>\SOFTWARE\CLASSES\SOUNDREC\PROTOCOL\STDFILEEDITING\SERVER 26
Mutexes | Occurrences
kkq-vx_mtx63 26
kkq-vx_mtx64 26
kkq-vx_mtx65 26
kkq-vx_mtx66 26
kkq-vx_mtx67 26
kkq-vx_mtx68 26
kkq-vx_mtx69 26
kkq-vx_mtx70 26
kkq-vx_mtx71 26
kkq-vx_mtx72 26
kkq-vx_mtx73 26
kkq-vx_mtx74 26
kkq-vx_mtx75 26
kkq-vx_mtx76 26
kkq-vx_mtx77 26
kkq-vx_mtx78 26
kkq-vx_mtx79 26
kkq-vx_mtx80 26
kkq-vx_mtx81 26
kkq-vx_mtx82 26
kkq-vx_mtx83 26
kkq-vx_mtx84 26
kkq-vx_mtx85 26
kkq-vx_mtx86 26
kkq-vx_mtx87 26

*See JSON for more IOCs

Files and/or directories created | Occurrences
%CommonProgramFiles(x86)%\microsoft shared\Source Engine\OSE.EXE 26
%ProgramFiles(x86)%\Microsoft Office\Office14\GROOVE.EXE 26
%ProgramFiles(x86)%\Mozilla Maintenance Service\maintenanceservice.exe 26
%SystemRoot%\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe 26
%SystemRoot%\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe 26
%SystemRoot%\SysWOW64\dllhost.exe 26
%SystemRoot%\SysWOW64\msiexec.exe 26
%SystemRoot%\SysWOW64\svchost.exe 26
%ProgramFiles%\Internet Explorer\iexplore.exe 26
%APPDATA%\Mozilla\Firefox\Profiles\<profile ID>.default\extensions.sqlite.new 26
\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\ncjookla.tmp 26
\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\pijiegfa.tmp 26
\MSOCache\All Users\{91140000-0011-0000-0000-0000000FF1CE}-C\afaqkaok.tmp 26
\MSOCache\All Users\{91140000-0011-0000-0000-0000000FF1CE}-C\amhadgcp.tmp 26
%ProgramFiles%\Windows Media Player\wmpnetwk.exe 26
%System32%\FXSSVC.exe 26
%System32%\UI0Detect.exe 26
%System32%\ieetwcollector.exe 26
%System32%\msdtc.exe 26
%System32%\msiexec.exe 26
%System32%\snmptrap.exe 26
%System32%\wbengine.exe 26
%APPDATA%\Mozilla\Firefox\Profiles\<profile ID>.default\extensions\{5b6f0873-b92d-cd41-be38-201b60017637}\chrome.manifest 26
%APPDATA%\Mozilla\Firefox\Profiles\<profile ID>.default\extensions\{5b6f0873-b92d-cd41-be38-201b60017637}\chrome\content.jar 26
%APPDATA%\Mozilla\Firefox\Profiles\<profile ID>.default\extensions\{5b6f0873-b92d-cd41-be38-201b60017637}\components\rooka.js 26

*See JSON for more IOCs

File Hashes

00ed7b067da4cd36d1a16fe2080c49da137783da6f238476f6f44b4ea6e54c26
01beadb0bb93aef9b607707c60daaa37d3d8216ab2fe3ba8a9708631d62530b8
042053d63245bf5d490650290dfc1829f0c9db8bce84dc3937a9e5b938fc159d
05b86eeff64bfe8195093a96644f36678fd10097a447f1ef40e19535d5cf8b1f
08ba9c3d0ef3d2013b17c5d44307541904a89deefac079c91f8e1cb420765c9c
0b3d264167717d6d77640e61ccec3769016d6eebb644f400ce7b2e3825c51860
0d15707febee11db830ff11cb77281206406e1badded11774b67832e13d97659
10e360fdf96f9e3cad105e1390b5505093f51fafde790b2cd4555ddd29752f2b
14209ffd9ec31e18565cb9c075eb4f0a134449c5dbc72c36b4bdff3e5366da93
18e46929b95266e2424e801f840c2106271f3204d49223f4eb6f919c36a9d2e2
198cb4877d9f2de35fa7ea8d420e78f93080df3782cf0a2afe199dbc1f43f289
1e29ca4150e7c9b737f01d3999f0200216687adfca45623bfc4335eb018a5495
1e80e90cefc5a4f72848d621e04c1ef7047e6390d658706d8ab00e31be0e614f
1f5509aa35700ee4a79285a4df39de8fc83f7b715a2bc4d612e23ed95b1e6c8a
236ec1d43899bd962f2426db70f67d4a12af659d88febcc5c4154ef68554276a
23f251b932767402189ca60b44b1c8d34aef8aa1d0590e2af7f93fecb047f585
252573caa7e7a333679f6dfb97ae0afbad0db7125ddeb2c1c44a9d73b4a27e56
265ccc248b75cc2dcbf19b078672dd08e9e1670373ff45b8d8027e3cd53b4790
2677d9e396125edbcf22045f43b2e74a6994ad409c590c6a878d09e69ca94330
27d1a2e1067de23f95866007a72a81fd1f1909984a844d2888f07f6ee59f68fb
2dc6f193a7c24b82ab2b0f7c82e5d66246789c67aae27e4ad194595bf82847a4
2e414e9fc209d6f19eb28c390c45ef113c018b895c4b69852e7105df27f5bf7f
2f1d38626740802d837b03bde0148ee0de79705c9480482bddd3f24fc406fa2d
2f357318c8ac8f9c4332eb9845f67a9f7710f21ee955588ff6a4e899f21343ac
2f5afeff1dbae3219c061704da87caa52626d326027b983cbd2ecb9b38ac1b19

*See JSON for more IOCs

Coverage

Product | Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

AMP


ThreatGrid


MITRE ATT&CK


Win.Packed.Zbot-9831585-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 20 samples
Registry Keys | Occurrences
<HKLM>\SYSTEM\CONTROLSET001\CONTROL\SESSION MANAGER 4
<HKLM>\SYSTEM\CONTROLSET001\CONTROL\SESSION MANAGER
Value Name: PendingFileRenameOperations
4
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SCHEDULE
Value Name: NextAtJobId
3
<HKCU>\SOFTWARE\WINRAR 3
<HKLM>\SAM\SAM\DOMAINS\ACCOUNT\USERS\000003E9
Value Name: F
3
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Update
3
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Update
3
<HKLM>\SAM\SAM\DOMAINS\ACCOUNT\USERS\000001F5
Value Name: F
3
<HKLM>\SAM\SAM\DOMAINS\ACCOUNT\USERS\000003EC
Value Name: F
3
<HKCU>\SOFTWARE\WINRAR
Value Name: HWID
3
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.101
Value Name: CheckSetting
2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.103
Value Name: CheckSetting
2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.100
Value Name: CheckSetting
2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.102
Value Name: CheckSetting
2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.104
Value Name: CheckSetting
2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: GoogleChrome
2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS MAIL\MAIL
Value Name: Safe Attachments
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS MAIL\MAIL
Value Name: Secure Safe Attachments
1
<HKCU>\SOFTWARE\MICROSOFT\IAM
Value Name: Default News Account
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS MAIL\MAIL
Value Name: Welcome Message
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS MAIL\JUNK MAIL\SAFE SENDERS LIST
Value Name: Version
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS MAIL\JUNK MAIL\BLOCK SENDERS LIST
Value Name: Version
1
<HKCU>\SOFTWARE\MICROSOFT\IDENTITYCRL\DYNAMIC SALT
Value Name: Size
1
<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\PHISHINGFILTER
Value Name: EnabledV8
1
<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\PHISHINGFILTER
Value Name: ShownServiceDownBalloon
1
Mutexes | Occurrences
Global\Instance0: ESENT Performance Data Schema Version 85 1
Local\Identity CRL v1 File Access 1
Local\OutlookExpress_InstanceMutex_101897 1
Local\microsoft_thor_folder_notifyinfo_mutex 1
zXeRY3a_PtW|00000000 1
Global\GSA28593KFE7A535493E02180280 1
bktrue 1
Global\svchost 1
Global\svchosu 1
kp_svc_mt 1
Global\GSA28593KFE72F0C7972535D8623 1
Local\XMQ562D9521 1
Local\XMR562D9521 1
Local\XMS562D9521 1
Local\XMR9A1177EC 1
Local\XMS9A1177EC 1
Local\XMQ9A1177EC 1
Local\XMI0000056C 1
Local\XMM0000056C 1
Local\XMM00000868 1
Local\XMI00000868 1
Local\XMM00000D5C 1
Local\XMI00000D5C 1
Global\GSA28593KFE72F0C7972A780218C 1
Local\MSCTF.Asm.Mutex{2CA63007-19D4-46d1-A14A-CD1AAAFF9D6B}1 1

*See JSON for more IOCs

IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
209[.]85[.]229[.]104 3
85[.]25[.]136[.]14 3
205[.]185[.]216[.]10 1
23[.]193[.]42[.]12 1
23[.]56[.]9[.]181 1
123[.]49[.]61[.]59 1
59[.]90[.]221[.]6 1
81[.]255[.]83[.]189 1
203[.]217[.]147[.]52 1
188[.]40[.]0[.]138 1
211[.]191[.]168[.]98 1
41[.]168[.]5[.]140 1
207[.]182[.]144[.]115 1
200[.]169[.]13[.]84 1
83[.]238[.]208[.]55 1
219[.]255[.]134[.]110 1
61[.]7[.]235[.]35 1
210[.]56[.]23[.]100 1
58[.]68[.]2[.]214 1
91[.]220[.]35[.]226 1
104[.]26[.]6[.]125 1
104[.]26[.]7[.]125 1
172[.]67[.]70[.]48 1
Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
www[.]ip-address[.]org 3
hlebska[.]info 3
verodex[.]info 3
go[.]microsoft[.]com 1
www[.]microsoft[.]com 1
cds[.]d2s7q6s2[.]hwcdn[.]net 1
ctldl[.]windowsupdate[.]com 1
e13678[.]dscb[.]akamaiedge[.]net 1
lajogrodushope[.]pl 1
vitamingraphic[.]pl 1
google-adsense-n1[.]com 1
vizit-tracker-n192[.]com 1
dailytip4u[.]net 1
discountgoods2012[.]com 1
Files and/or directories created | Occurrences
%System32%\drivers\etc\hosts 3
%System32%\Tasks\At1 3
%SystemRoot%\Tasks\At1.job 3
%System32%\drivers\etc\test 3
%System32%\drivers\etc\hosts.sam 3
%LOCALAPPDATA%\Microsoft\Windows Mail\tmp.edb 1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\vTSVI3PG3Ts.exe 1
\svchost\3D1A3642457.exe 1
\svchost\95DA209CDDD9E7E 1
%APPDATA%\KB00220796.exe 1
%TEMP%\ppcrlui_624_2 1
%TEMP%\tmp2C6.tmp.gif 1
%TEMP%\tmp6332.tmp.jpg 1
%TEMP%\tmp642.tmp.gif 1
%TEMP%\tmp65DF.tmp.jpg 1
%TEMP%\tmp6AAE.tmp.jpg 1
%TEMP%\tmp6ED2.tmp.gif 1
%TEMP%\tmp718C.tmp.jpg 1
%TEMP%\tmpDD19.tmp.gif 1
%TEMP%\tmpFDAC.tmp.gif 1
%LOCALAPPDATA%\Microsoft\Windows Mail\Local Folders\Inbox\6E59117C-00000001.eml 1
%TEMP%\5wO501C.exe 1
%APPDATA%\Ebreyn\nuiq.ohy 1
%TEMP%\tmp6e308747.bat 1
%APPDATA%\Ygit\pivil.exe 1

*See JSON for more IOCs

File Hashes

Coverage

Product | Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

AMP


ThreatGrid


MITRE ATT&CK
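
The Zbot samples above rewrite %System32%\drivers\etc\hosts (and leave hosts.sam and a "test" file beside it), which is how this family redirects or blocks named sites without touching DNS. The script below is an added example of auditing a hosts file for that pattern; it is not from the roundup. The hosts content and the watch list are constructed, and `watch_domains` is an assumed parameter for the sites you care about (your banks, your AV and update vendors):

```python
"""Audit a Windows hosts file for the kind of tampering the Zbot samples above perform.

Added example, not from the roundup. SAMPLE_HOSTS and the watch list are constructed;
'watch_domains' is an assumed parameter naming the sites you want to see pinned nowhere.
"""
import ipaddress

# Constructed sample; the line numbers matter for the report below.
SAMPLE_HOSTS = """# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.tracker.test             # blocklist-style sinkhole, fine
203.0.113.9     www.example-bank.test online.example-bank.test
127.0.0.1       update.example-av.test       # update server pinned to loopback
"""


def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every mapping; comments and blank lines are skipped.

    One line may carry several names for the same address, so each name is yielded
    separately with the line it came from.
    """
    for line_no, raw in enumerate(text.splitlines(), 1):
        body = raw.split("#", 1)[0].strip()
        if not body:
            continue
        ip, *names = body.split()
        for name in names:
            yield line_no, ip, name.lower()


def suspicious_entries(text, watch_domains=()):
    """Return (line_no, hostname, ip, reason) for entries worth a look.

    Two things matter: a name mapped anywhere other than loopback/unspecified (a
    redirect, the banking-trojan pattern), and any entry at all for a watched domain
    (pinning an AV or bank site to 127.0.0.1 is a block rather than a redirect, but
    it is just as hostile).
    """
    watch = {d.lower() for d in watch_domains}
    findings = []
    for line_no, ip, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((line_no, name, ip, "unparseable address"))
            continue
        if name in watch:
            findings.append((line_no, name, ip, "watched domain pinned in hosts"))
        elif not (addr.is_loopback or addr.is_unspecified):
            findings.append((line_no, name, ip, "name redirected outside loopback"))
    return findings


if __name__ == "__main__":
    watched = ("www.example-bank.test", "update.example-av.test")
    for finding in suspicious_entries(SAMPLE_HOSTS, watched):
        print("line %d: %s -> %s (%s)" % finding)
```

On a real fleet, internal names pinned to private addresses by IT will also show up under "name redirected outside loopback"; baseline those once and diff against the baseline rather than suppressing the rule, since a fresh non-loopback entry for a banking or vendor hostname is exactly the signal this family produces.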


Win.Trojan.Coinminer-9831347-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 12 samples
Registry Keys | Occurrences
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\BAOFENG THUNDER
Value Name: ConnectGroup
6
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\BAOFENG THUNDER
Value Name: Type
6
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\BAOFENG THUNDER
Value Name: Start
6
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\BAOFENG THUNDER
Value Name: ErrorControl
6
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\BAOFENG THUNDER
Value Name: ImagePath
6
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\BAOFENG THUNDER
Value Name: DisplayName
6
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\BAOFENG THUNDER
Value Name: WOW64
6
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\BAOFENG THUNDER
Value Name: ObjectName
6
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\BAOFENG THUNDER
Value Name: Description
6
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\BAOFENG THUNDER 6
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\PSOTENG THUNDER
Value Name: ConnectGroup
6
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\PSOTENG THUNDER
Value Name: Type
6
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\PSOTENG THUNDER
Value Name: Start
6
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\PSOTENG THUNDER
Value Name: ErrorControl
6
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\PSOTENG THUNDER
Value Name: ImagePath
6
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\PSOTENG THUNDER
Value Name: DisplayName
6
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\PSOTENG THUNDER
Value Name: WOW64
6
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\PSOTENG THUNDER
Value Name: ObjectName
6
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\PSOTENG THUNDER
Value Name: Description
6
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\PSOTENG THUNDER 6
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\BAOFENG THUNDER
Value Name: DeleteFiles
6
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\PSOTENG THUNDER
Value Name: DeleteFiles
6
IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
163[.]172[.]226[.]137 12
Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
xmr[.]crypto-pool[.]fr 9
Files and/or directories created | Occurrences
%ProgramFiles(x86)%\Baofeng\sllyuncher.exe 6
%ProgramFiles(x86)%\Baofeng 6
%ProgramFiles(x86)%\Thunder 6
%ProgramFiles(x86)%\Thunder\RingMet.exe 6
%ProgramFiles(x86)%\FlexNet\sllyuncher.exe 6
%ProgramFiles(x86)%\Conexant 6
%ProgramFiles(x86)%\Conexant\Pcee4.exe 6
%ProgramFiles(x86)%\FlexNet 6
%ProgramFiles%\Conexant\Pcee4.exe 6
%ProgramFiles%\Thunder\RingMet.exe 6
%ProgramFiles%\FlexNet\sllyuncher.exe 5
%ProgramFiles%\Baofeng\sllyuncher.exe 5

File Hashes

Coverage

Product | Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

AMP


ThreatGrid


MITRE ATT&CK


Win.Malware.Zusy-9831590-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 23 samples
Mutexes | Occurrences
{ac5b642b-c225-7367-a847-11bdf3a5e67c} 23
{24d07012-9955-711c-e323-1079ebcbe1f4} 23
Files and/or directories created | Occurrences
\REGISTRY\MACHINE\SOFTWARE\Classes\AllFilesystemObjects 4
%APPDATA%\Microsoft\Windows\STARTM~1\Programs\Startup\Vagjkx.lnk 2
%APPDATA%\Microsoft\Windows\STARTM~1\Programs\Startup\Obowlzc.lnk 2
%APPDATA%\Microsoft\Windows\STARTM~1\Programs\Startup\Opguqigvd.lnk 2
%APPDATA%\Adobe\Acrobat\11.0\Security\TYFLYKZaX\UI0Detect.exe 1
%APPDATA%\Adobe\Acrobat\11.0\Security\TYFLYKZaX\WTSAPI32.dll 1
%APPDATA%\Microsoft\Templates\LiveContent\15\User\Document Themes\1033\tfkQSnB3f\NETPLWIZ.dll 1
%APPDATA%\Microsoft\Templates\LiveContent\15\User\Document Themes\1033\tfkQSnB3f\Netplwiz.exe 1
%LOCALAPPDATA%\6kv\AtBroker.exe 1
%LOCALAPPDATA%\6kv\UxTheme.dll 1
%LOCALAPPDATA%\BSvk33aUi\SYSDM.CPL 1
%LOCALAPPDATA%\BSvk33aUi\SystemPropertiesDataExecutionPrevention.exe 1
%LOCALAPPDATA%\e8ek7vBNN\wer.dll 1
%LOCALAPPDATA%\e8ek7vBNN\wermgr.exe 1
%LOCALAPPDATA%\yRzzD9A\dccw.exe 1
%LOCALAPPDATA%\yRzzD9A\dxva2.dll 1
%APPDATA%\Adobe\Acrobat\9.0\kAkW\dccw.exe 1
%APPDATA%\Adobe\Acrobat\9.0\kAkW\dxva2.dll 1
%APPDATA%\Microsoft\Templates\LiveContent\15\User\t86X5f\AtBroker.exe 1
%APPDATA%\Microsoft\Templates\LiveContent\15\User\t86X5f\UxTheme.dll 1
%APPDATA%\Microsoft\Templates\LiveContent\15\b41\SYSDM.CPL 1
%APPDATA%\Microsoft\Templates\LiveContent\15\b41\SystemPropertiesDataExecutionPrevention.exe 1
%LOCALAPPDATA%\65ADlV0mW\DUI70.dll 1
%LOCALAPPDATA%\65ADlV0mW\UpgradeResultsUI.exe 1
%LOCALAPPDATA%\E2yA1Zc\RdpSa.exe 1

*See JSON for more IOCs

File Hashes

075f64fbeb94bb40a6f267b9cb7d26980407434bd43bcdd0c5cbe8a6bf078fb4
27bf983b02321159e81858177d46db4a117a6a84d492cd217f6f342eb3216d1c
27de97a0d4ad7a5adae5e5b1983079f301bb0bec76f4ed7c8092df0e56cceadb
347038c94600cb1ac371faa50d90d6f650a80d7626318c9458ca395395a5a37e
3537d8853971b0640dbaef00c1a4e25be3e17030645a13616b18640c26b59b3d
41069d11a87a85790e8ccff930aa3ae9d7ced29b99825ba8d7e2726f66cfe2cb
4934c7a5441db3be71be860faf08553372d3d340a19111ea8de08e4e44be1d66
4d56359077591a57e8fe7e0e1ac0b8468c251bc23953e5ed4bc261184bc149ed
539e31628e45974b0465196f469d6326102e1a7046729ca685ca91ca481aefd9
574193861b68e3013a4a39aae418d3a3fb7602457f30e5b4a92ca2290d61f58e
58c90a06149b972f026f5269159383975f20c626f0b2d1c2f1fb48ef16d91815
6a6d7e403ea2ca9a5d2b15970a45e5201271f820fe44bfc08564282b93c4c1d6
714f895093dbd0b5fc6eef1fbf805f6adab82e5a26abbb42fc6a2797fa138047
878aeadd2c05b02eb2237d6e71566e07531dbf8acc03bc44a5b64ad32680c586
8ef8bbf64fa96281aa6af918baa4758338d4433f17a547397426832482c665c6
a4490742ab32325194fe021d29df0477bdff1c9ec81255f4af3f0a4c0e222733
a4a218954f8478525b7de65b92805bf29bc7dc33d2e24a246d4509d4df6ecaa6
bffc6a91428c4d3ee1d3a31dc6d39dfc4dc95845bf91479d3c35f3c0be31b717
db9705934e371598a759283c5b942d39a43bc67a43d80792134f36e1429feed0
df84a3d471d0e3a6aad534921206f34ad02a220d7cdc6b7b7f17bb04d1582856
f468e7af983336aa89f747ab90d04a2169439e76b8bd82903013953d14f1e2e3
f6e73830aa6bd7632e0f3fb6fb3ea93ce01b122267db87f65354b41b9994fe1a
fbdd66bf4b4f90908f164798aa0196b2ce2c06b6864ea516da975d841fc007b3

Coverage

Product | Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

AMP


ThreatGrid


MITRE ATT&CK


Win.Trojan.Gh0stRAT-9831483-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 23 samples
Registry Keys | Occurrences
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: SelfRunDemo
20
Mutexes | Occurrences
gyxin1314.xicp.net 4
aka.f3322.net 2
121.41.79.140 2
114.215.106.244 2
ljwser.xicp.net 1
125.85.222.189 1
219.128.49.13 1
58.221.47.47 1
14.211.117.20 1
219.235.4.247 1
58.221.47.41 1
36.43.74.215 1
nt520.f3322.org 1
113.140.183.36 1
39.109.1.246 1
god_xinghe.f3322.org 1
14.211.117.20 1
IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
45[.]119[.]125[.]223 9
47[.]111[.]82[.]157 4
114[.]215[.]106[.]244 2
121[.]41[.]79[.]140 2
119[.]123[.]66[.]128 2
219[.]235[.]4[.]247 1
39[.]109[.]1[.]246 1
61[.]174[.]40[.]202 1
125[.]85[.]222[.]189 1
219[.]128[.]49[.]13 1
58[.]221[.]47[.]47 1
58[.]221[.]47[.]41 1
36[.]43[.]74[.]215 1
222[.]79[.]32[.]219 1
113[.]140[.]183[.]36 1
36[.]46[.]114[.]54 1
Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
www[.]w3[.]org 9
beian[.]aa2[.]cn 9
fl[.]aa2[.]cn 9
ip[.]aa2[.]cn 9
link[.]aa2[.]cn 9
pr[.]aa2[.]cn 9
site[.]aa2[.]cn 9
whois[.]aa2[.]cn 9
www[.]1182[.]org 9
www[.]aa2[.]cn 9
www[.]jqgcw[.]com 9
14[.]211[.]117[.]20 1

File Hashes

Coverage

Product | Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

AMP


ThreatGrid


MITRE ATT&CK


Exploit Prevention

Cisco AMP for Endpoints protects users from a variety of malware functions with exploit prevention. Exploit prevention helps users defend endpoints from memory attacks commonly used by obfuscated malware and exploits. These exploits use certain features to bypass typical anti-virus software, but were blocked by AMP thanks to its advanced scanning capabilities, even protecting against zero-day vulnerabilities.

Process hollowing detected - (6424)
Process hollowing is a technique used by some programs to avoid static analysis. In typical usage, a process is started and its obfuscated or encrypted contents are unpacked into memory. The parent then creates a legitimate child process in a suspended state, unmaps the child's original image from memory and writes the unpacked payload from the parent in its place before resuming the child, so the malicious code runs under the name and path of the hollowed executable.
Crystalbit-Apple DLL double hijack detected - (4990)
Crystalbit-Apple DLL double hijack was detected. During this attack, the adversary abuses two legitimate vendor applications, such as CrystalBit and Apple, as part of a DLL double-hijack attack chain that starts with a fraudulent software bundle and eventually leads to a persistent miner and, in some cases, spyware deployment.
A Microsoft Office process has started a windows utility. - (1776)
A process associated with Microsoft Office, such as EXCEL.exe or WINWORD.exe, has started a Windows utility such as powershell.exe or cmd.exe. This is typical behavior of malicious documents executing additional scripts. This behavior is extremely suspicious and is associated with many different malware campaigns and families.
Excessively long PowerShell command detected - (1169)
A PowerShell command with a very long command-line argument that may indicate an obfuscated script has been detected. PowerShell is an extensible Windows scripting language present by default on all supported versions of Windows. Malware authors use PowerShell in an attempt to evade security software or other monitoring that is not tuned to detect PowerShell-based threats.
Kovter injection detected - (726)
A process was injected into, most likely by an existing Kovter infection. Kovter is a click-fraud trojan that can also act as an information stealer. Kovter is also fileless malware, meaning the malicious DLL is stored inside the Windows registry and injected directly into memory using PowerShell. It can detect and report the usage of monitoring software such as Wireshark and sandboxes to its C2. It spreads through malicious advertising and spam campaigns.
Squiblydoo application whitelist bypass attempt detected. - (709)
An attempt to bypass application whitelisting via the "Squiblydoo" technique has been detected. This typically involves using regsvr32.exe, a signed Microsoft binary, to load scrobj.dll and execute scriptlet content hosted on an attacker-controlled server, so no unsigned executable ever touches disk.
Gamarue malware detected - (113)
Gamarue is a family of malware that can download files and steal information from an infected system. Worm variants of the Gamarue family may spread by infecting USB drives or portable hard disks that have been plugged into a compromised system.
Dealply adware detected - (109)
DealPly is adware, which claims to improve your online shopping experience. It is often bundled into other legitimate installers and is difficult to uninstall. It creates pop-up advertisements and injects advertisements on webpages. Adware has also been known to download and install malware.
CVE-2019-0708 detected - (82)
An attempt to exploit CVE-2019-0708 has been detected. The vulnerability, dubbed BlueKeep, is a use-after-free (heap memory corruption) in the Windows RDP kernel driver that can be triggered by sending a specially crafted Remote Desktop Protocol (RDP) request. Since this vulnerability can be triggered without authentication and allows remote code execution, it can be used by worms to spread automatically without human interaction.
Maze ransomware detected - (52)
Maze ransomware has been detected injecting into rundll32.exe or regsvr32.exe. Maze can encrypt files on the victim and demand a ransom. It can also exfiltrate data back to the attacker prior to encryption.