Today, Talos is publishing a glimpse into the most prevalent threats we've observed between March 26 and April 2. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. A visual depiction of the MITRE ATT&CK techniques associated with each threat is also shown. In these images, the brightness of the technique indicates how prevalent it is across all threat files where dynamic analysis was conducted. There are five distinct shades that are used, with the darkest indicating that no files exhibited technique behavior and the brightest indicating that technique behavior was observed from 75 percent or more of the files.

The most prevalent threats highlighted in this roundup are:

Threat Name / Type / Description
Win.Trojan.DarkComet-9847204-1 Trojan DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system. Capabilities of this malware include the ability to download files from a user's machine, mechanisms for persistence and hiding, and the ability to send back usernames and passwords from the infected system.
Win.Dropper.TrickBot-9847207-0 Dropper Trickbot is a banking trojan targeting sensitive information for certain financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB scripts.
Win.Malware.Dofoil-9847246-1 Malware Dofoil, aka SmokeLoader, is primarily used to download and execute additional malware. Read more about this threat on our blog /smoking-guns-smoke-loader-learned-new.
Win.Packed.njRAT-9847262-1 Packed njRAT, also known as Bladabindi, is a remote access trojan (RAT) that allows attackers to execute commands on the infected host, log keystrokes and remotely turn on the victim's webcam and microphone. njRAT was developed by the Sparclyheason group. Some of the largest attacks using this malware date back to 2014.
Win.Packed.Razy-9847307-0 Packed Razy is oftentimes a generic detection name for a Windows trojan. It collects sensitive information from the infected host, encrypts the data, and sends it to a command and control (C2) server. Information collected might include screenshots. The samples modify auto-execute functionality by setting and creating a value in the registry for persistence.
Win.Dropper.TinyBanker-9847321-1 Dropper TinyBanker, also known as Zusy or Tinba, is a trojan that uses man-in-the-middle attacks to steal banking information. When executed, it injects itself into legitimate Windows processes such as "explorer.exe" and "winver.exe." When the user accesses a banking website, it displays a form to trick the user into submitting personal information.
Win.Keylogger.Gh0stRAT-9847918-1 Keylogger Gh0stRAT is a well-known family of remote access trojans designed to provide an attacker with complete control over an infected system. Capabilities include monitoring keystrokes, collecting video footage from the webcam, and uploading/executing follow-on malware. The source code for Gh0stRAT has been publicly available on the internet for years, significantly lowering the barrier for actors to modify and reuse the code in new attacks.
Win.Trojan.Gamarue-9847820-0 Trojan Gamarue, also known as Andromeda, is a botnet used to spread malware, steal information and perform activities such as click fraud.
Win.Ransomware.Phorpiex-9847468-1 Ransomware Phorpiex is a trojan and worm that infects machines to deliver follow-on malware. Phorpiex has been known to drop a wide range of payloads, from malware that sends spam emails to ransomware and cryptocurrency miners.

Threat Breakdown

Win.Trojan.DarkComet-9847204-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 13 samples
Registry Keys / Occurrences
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN 10
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN 10
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN
Value Name: Policies
9
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN
Value Name: Policies
9
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: HKLM
5
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: HKCU
5
<HKCU>\SOFTWARE\REMOTE
Value Name: NewIdentification
4
<HKCU>\SOFTWARE\REMOTE 4
<HKCU>\SOFTWARE\REMOTE
Value Name: FirstExecution
4
<HKCU>\SOFTWARE\NEW 3
<HKCU>\SOFTWARE\NEW
Value Name: NewIdentification
3
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{7FDJV855-7Q2T-E002-GT1M-4IN3GE2CKW31} 3
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Win32
3
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Win32
3
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{7FDJV855-7Q2T-E002-GT1M-4IN3GE2CKW31}
Value Name: StubPath
3
<HKCU>\SOFTWARE\NEW
Value Name: FirstExecution
3
<HKCU>\SOFTWARE\REMOTE
Value Name: NewGroup
2
<HKCU>\SOFTWARE\LAMMER
Value Name: NewIdentification
1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Avgnt
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Avirnt
1
<HKCU>\SOFTWARE\LAMMER 1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{LD46Q15Y-AQX4-T2KY-240B-1IQG2817R886} 1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN
Value Name: SYSTEM
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN
Value Name: SYSTEM
1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{LD46Q15Y-AQX4-T2KY-240B-1IQG2817R886}
Value Name: StubPath
1
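The registry tables in this roundup print each row either as a key followed by its count, or as a key, a "Value Name:" line and a count spread over three lines. The following Python, an added example rather than Talos code, parses that layout and ranks the well-known autostart locations by how many samples touched them; the sample rows are copied from the table above, and the list of autostart patterns is my assumption, not a classification the roundup makes.

```python
"""Parse the flattened 'Registry Keys / Occurrences' entries in this roundup.

Added example, not Talos code. A table entry is either one line
("<HIVE>\\KEY 10", key only) or three lines ("<HIVE>\\KEY", "Value Name: X",
"9"). The autostart patterns below are an assumption based on well-known
Windows persistence locations, not a classification the roundup provides.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed input: five entries copied from the DarkComet table above.
SAMPLE = r"""
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN 10
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN
Value Name: Policies
9
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: HKLM
5
<HKCU>\SOFTWARE\REMOTE
Value Name: NewIdentification
4
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{7FDJV855-7Q2T-E002-GT1M-4IN3GE2CKW31}
Value Name: StubPath
3
"""


@dataclass(frozen=True)
class RegEntry:
    hive: str                  # HKLM, HKCU or HKU
    path: str                  # key path below the hive, as printed (upper case)
    value_name: Optional[str]  # None when the row names only the key
    count: int                 # samples in which the key or value was touched


# Assumption: well-known autostart locations, matched on the key path.
AUTOSTART_PATTERNS = (
    r"\\CURRENTVERSION\\RUN$",                  # HKLM/HKCU Run keys
    r"\\POLICIES\\EXPLORER\\RUN$",              # policy Run key
    r"\\ACTIVE SETUP\\INSTALLED COMPONENTS\\",  # StubPath executes at logon
    r"\\WINLOGON$",                             # Userinit / Shell values
    r"\\SERVICES\\[^\\]+$",                     # a service registration key
)

_ONE_LINE = re.compile(r"^<(HK[A-Z]+)>\\(.+?)\s+(\d+)$")  # key and count
_KEY_ONLY = re.compile(r"^<(HK[A-Z]+)>\\(.+)$")           # key, count follows
_VALUE = re.compile(r"^Value Name:\s*(.*)$")


def parse_entries(text: str) -> List[RegEntry]:
    """Turn the roundup's one-line and three-line rows into RegEntry records."""
    lines = [ln.rstrip() for ln in text.splitlines() if ln.strip()]
    entries: List[RegEntry] = []
    i = 0
    while i < len(lines):
        m = _ONE_LINE.match(lines[i])
        if m:  # "<HIVE>\KEY <count>": the row names only the key
            entries.append(RegEntry(m.group(1), m.group(2), None, int(m.group(3))))
            i += 1
            continue
        m = _KEY_ONLY.match(lines[i])
        if m and i + 2 < len(lines):
            v = _VALUE.match(lines[i + 1])
            if v and lines[i + 2].isdigit():
                entries.append(
                    RegEntry(m.group(1), m.group(2), v.group(1), int(lines[i + 2])))
                i += 3
                continue
        raise ValueError(f"unrecognised table row {i}: {lines[i]!r}")
    return entries


def is_autostart(entry: RegEntry) -> bool:
    """True when the key path is one of the assumed autostart locations."""
    return any(re.search(p, entry.path) for p in AUTOSTART_PATTERNS)


def rank_autostart(entries: List[RegEntry]) -> List[RegEntry]:
    """Autostart entries only, most prevalent across samples first."""
    hits = [e for e in entries if is_autostart(e)]
    return sorted(hits, key=lambda e: e.count, reverse=True)


if __name__ == "__main__":
    for e in rank_autostart(parse_entries(SAMPLE)):
        value = e.value_name or "(key)"
        print(f"{e.count:3d}  {e.hive}\\{e.path}  {value}")
```

The same parser works on the other registry tables in this post, since they share the layout; only the autostart pattern list needs extending for locations it does not cover.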
Mutexes / Occurrences
<random, matching '[A-Z0-9]{14}'> 4
Windll 3
Windll_PERSIST 3
Windll_SAIR 3
_x_X_UPDATE_X_x_ 2
_x_X_PASSWORDLIST_X_x_ 2
_x_X_BLOCKMOUSE_X_x_ 2
Pluguin 1
Pluguin_PERSIST 1
Pluguin_SAIR 1
0I4T4H50CU050U_PERSIST 1
0I4T4H50CU050U_SAIR 1
MCH1FE6J9ISQ 1
MCH1FE6J9ISQ_PERSIST 1
***MSNMSGR*** 1
5O334LO225PP80_PERSIST 1
MCH1FE6J9ISQ_SAIR 1
Global\cb7e1ce1-8d61-11eb-b5f8-00501e3ae7b6 1
5O334LO225PP80_SAIR 1
***MSNMSGR***_PERSIST 1
***MSNMSGR***_SAIR 1
8262WV77OVXX8L_PERSIST 1
8262WV77OVXX8L_SAIR 1
D46RNO5U3807C8_SAIR 1
PRUEBA 1

*See JSON for more IOCs

Domain Names contacted by malware (does not indicate maliciousness) / Occurrences
Files and/or directories created / Occurrences
%TEMP%\XX--XX--XX.txt 8
%TEMP%\UuU.uUu 8
%TEMP%\XxX.xXx 8
%APPDATA%\logs.dat 4
%TEMP%\Administrator7 3
%TEMP%\Administrator8 3
%TEMP%\Administrator2.txt 3
%APPDATA%\Administratorlog.dat 3
%APPDATA%\cglogs.dat 3
%SystemRoot%\SysWOW64\Windll 3
%SystemRoot%\SysWOW64\Windll\win32.exe 3
%SystemRoot%\SysWOW64\install 1
%SystemRoot%\SysWOW64\Microsoft 1
%SystemRoot%\SysWOW64\Microsoft\Pluguin.exe 1
%SystemRoot%\SysWOW64\win32 1
%SystemRoot%\SysWOW64\win32\svchost.exe 1
%System32%\Debug\svchost.exe 1
%SystemRoot%\SysWOW64\Debug 1
%SystemRoot%\SysWOW64\Debug\svchost.exe 1
%SystemRoot%\services32 1
%SystemRoot%\services32\services32.exe 1
\window 1
\window\wine 1
\window\wine\win 1
\window\wine\win\winr.exe 1

*See JSON for more IOCs

File Hashes

*See JSON for more IOCs

Coverage

Product / Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

AMP


ThreatGrid


MITRE ATT&CK


Win.Dropper.TrickBot-9847207-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 25 samples
Mutexes / Occurrences
IP Addresses contacted by malware (does not indicate maliciousness) / Occurrences

*See JSON for more IOCs

Domain Names contacted by malware (does not indicate maliciousness) / Occurrences
Files and/or directories created / Occurrences
%System32%\Tasks\services update 25
%APPDATA%\localservice 25
%APPDATA%\localservice\Modules 25
%APPDATA%\localservice\client_id 25
%APPDATA%\localservice\group_tag 22
%APPDATA%\LOCALSERVICE\<original file name>.exe 20
%SystemRoot%\Tasks\services update.job 1
%APPDATA%\localservice\69927566695775e25e6597a76aab4e80.exe 1
%APPDATA%\localservice\40egg0b67e557750g6fec26begc49e760cb7e3f6708fg787f7756f765e06gabe.exe 1
%APPDATA%\localservice\66256bb8e60cb006gb2a725g5369278b76e889c736ebe443c7a439gb4bb693f2.exe 1
%APPDATA%\localservice\32b566543c78bc4g3e8a6b34cfe6fcefb0geacg364gf77232e9ac606eeea672b.exe 1
%APPDATA%\localservice\5gc0ffga984ab557g2ea5gg3agb66f66ae67a48c684acc03c9feb53gg05cca8f.exe 1
%APPDATA%\localservice\535g26g290fe798a3gg97eg92072a4g77ac463662ff5e5f8g05095f536657570.exe 1
%APPDATA%\localservice\6gfb9577ca99700f6gb5be677ef68994bab5664a8gc00e822ce07aae2fb07e98.exe 1
%APPDATA%\localservice\6ffg7a0992a4286660gg8c32c9fb84469g8782b73ab9e5f245a47756350ebb08.exe 1
%APPDATA%\localservice\5ff2e2b4309f0gc6f95494474c06a9cc64ca8b36c69ag927g5ga05f2728c64ag.exe 1
%APPDATA%\localservice\747b0g500c6a952739927227693295abg9af376ff02967027be9559faef53g2b.exe 1
%APPDATA%\localservice\2c3a6a2c0eb8c3bc954b70a60g7g03570a068b5b2739g03ff08e68g6g39b75b5.exe 1
%APPDATA%\localservice\7607cee08g6cg8ec54b6a7565766b6g5870a065ca297624a30056gf6266b63f4.exe 1
%APPDATA%\localservice\6932fbg885g89f47e5g4622c288cca4666460e6f59368ce66e0b9f6e274gca67.exe 1
%APPDATA%\localservice\36a40005e8eg953606e9fb4a777279c6ge32656gb67g07028c293a4ea6c07460.exe 1
%APPDATA%\localservice\457a7c6686ab96b329afg323c39g68697gg9266cc8278g6ga7g83gg2e02gf2e7.exe 1
%APPDATA%\localservice\9927683fe6a87b033g00599gg663a44ggc4b3b98c5a2e44a27964c3efb3676c4.exe 1
%APPDATA%\localservice\6456f6f2g7e79e045c4baab89bgc27e70fcc3ee42495a28c96a2e84550588b56.exe 1
%APPDATA%\localservice\54f5524c9e65ea3b645b45b06948a02cafeb9c650ff439cb93gfgb2a373c454f.exe 1

*See JSON for more IOCs

File Hashes

*See JSON for more IOCs

Coverage

Product / Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

AMP


ThreatGrid


MITRE ATT&CK


Win.Malware.Dofoil-9847246-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 27 samples
Registry Keys / Occurrences
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN 7
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: AntiVirusOverride
2
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: AntiVirusDisableNotify
2
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: FirewallDisableNotify
2
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: FirewallOverride
2
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: UpdatesDisableNotify
2
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: UacDisableNotify
2
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM
Value Name: EnableLUA
2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE
Value Name: EnableFirewall
2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE
Value Name: DoNotAllowExceptions
2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE
Value Name: DisableNotifications
2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC
Value Name: Start
2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDEFEND
Value Name: Start
2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MPSSVC
Value Name: Start
2
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION
Value Name: jfghdug_ooetvtgk
2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: JudCsgdy
2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WUAUSERV
Value Name: Start
2
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Windows Defender
2
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
Value Name: Userinit
2
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
Value Name: Userinit
2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\VSS\DIAG\VSSAPIPUBLISHER 2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN
Value Name: JavaSoft
2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN
Value Name: 7-Zip
2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: aclutxml
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN
Value Name: Netscape
1
Mutexes / Occurrences
60F16AAB662B6A5DA3F649835F6E212598B68E3C 3
{<random GUID>} 3
debug.{8067AF37-05F3-E0A7-F91D-CF35012EB051} 2
Global\4aEa7aGa9a4aBa6a4a4aBa1a5a8a4a1a 2
Local\4aEa7aGa9a4aBa6a4a4aBa1a5a8a4a1a 2
C65766FAC4B048764AB4FEC9D2E9943298B68E3C 2
Local\{31F7CC8D-DC06-8BF4-6EF5-D0EF82F90493} 1
Local\{73A713E4-3646-1D08-D857-CAA18C7B9E65} 1
Local\{C955B29C-9464-E306-E60D-08C77A91BCEB} 1
7ED19AE33D6C4F72529381524A61696A98B68E3C 1
debug.{994CFC98-EC90-5E7A-0E6B-E5444891989A} 1
C7F5D2822F4E277E3408A3E915E258C798B68E3C 1
E9F556ABF8EE368F293497B01578C6293C28B0E4 1
D7F0DA6E745395ED940F0EB002FFDD1F679EC44C 1
HoUobXlvRj 1
BEWARESCARAB 1
2D2E2E40964A3122EFBFA0735D8D9BF478E1E799 1
D8BCD5559615D650A1000E8C772E2D3B7A56BB98 1
6CFD2E57A0A05C3F41EC03BD0568A2134CA094EF 1
D5813A91A9B68FEF8D5E33262A29AD51682CF26F 1
debug.{F77D8339-25DD-C7D1-B0C6-0211B4241E0D} 1
IP Addresses contacted by malware (does not indicate maliciousness) / Occurrences

*See JSON for more IOCs

Domain Names contacted by malware (does not indicate maliciousness) / Occurrences

*See JSON for more IOCs

Files and/or directories created / Occurrences
%LOCALAPPDATA%\ReasonUsers 6
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\ReasonUsers.lnk 6
%TEMP%\<random, matching [A-F0-9]{1,4}>.tmp 6
%HOMEPATH%\Start Menu\Programs\Startup\DisabledDfs.lnk 3
%APPDATA%\Microsoft\gawbgrrs 3
%APPDATA%\Microsoft\gawbgrrs\jisgivdt.exe 3
%TEMP%\d19ab989\4710.tmp 2
%TEMP%\d19ab989\a35f.tmp 2
%LOCALAPPDATA%\bolpidti\judcsgdy.exe 2
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\judcsgdy.exe 2
%APPDATA%\Microsoft\tgfhggwr\jisgivdt.exe 2
%APPDATA%\93547108\svchost.exe 2
<dir>\<random, matching [A-Z0-9\-]{10}.[A-F0-9]{4}> (copy) 2
<dir>\_R_E_A_D___T_H_I_S___<random, matching '[A-F0-9]{4,8}'>_.txt 2
<dir>\_R_E_A_D___T_H_I_S___<random, matching '[A-F0-9]{4,8}'>_.hta 2
. 1
%HOMEPATH%\Documents\OneNote Notebooks\Personal\loptr-f391.htm 1
%System32%\Tasks\igodmn 1
%HOMEPATH%\Documents\Outlook Files\loptr-71ae.htm 1
%System32%\Tasks\jlfnl 1
%HOMEPATH%\Documents\loptr-76f7.htm 1
%System32%\Tasks\nwsbf 1
%System32%\Tasks\obctyyfh 1
%System32%\Tasks\uxoojl 1
%System32%\Tasks\velc 1

*See JSON for more IOCs

File Hashes

*See JSON for more IOCs

Coverage

Product / Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection

AMP


ThreatGrid


MITRE ATT&CK


Win.Packed.njRAT-9847262-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 28 samples
Registry Keys / Occurrences
<HKU>\S-1-5-21-2580483871-590521980-3826313501-500
Value Name: di
21
<HKCU>\ENVIRONMENT
Value Name: SEE_MASK_NOZONECHECKS
9
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
Value Name: ParseAutoexec
9
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: eeecfead02ec78798e6b8f77a883a101
4
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: eeecfead02ec78798e6b8f77a883a101
4
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED
Value Name: Hidden
1
<HKCU>\SOFTWARE\E6D5321A4E20C1E52E73A55A2A6A14FE 1
<HKCU>\SOFTWARE\E6D5321A4E20C1E52E73A55A2A6A14FE
Value Name: [kl]
1
<HKCU>\SOFTWARE\76A9C92DAE5DA9885E9898C8D0AB647F 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: 76a9c92dae5da9885e9898c8d0ab647f
1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: 76a9c92dae5da9885e9898c8d0ab647f
1
<HKCU>\SOFTWARE\76A9C92DAE5DA9885E9898C8D0AB647F
Value Name: [kl]
1
<HKCU>\SOFTWARE\C752C786DC4237CFE02437AA2B91FC4B 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: c752c786dc4237cfe02437aa2b91fc4b
1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: c752c786dc4237cfe02437aa2b91fc4b
1
<HKCU>\SOFTWARE\C752C786DC4237CFE02437AA2B91FC4B
Value Name: [kl]
1
<HKCU>\SOFTWARE\B41918A4E835EC75BC9FE285CF3A54CA 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: b41918a4e835ec75bc9fe285cf3a54ca
1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: b41918a4e835ec75bc9fe285cf3a54ca
1
<HKCU>\SOFTWARE\B41918A4E835EC75BC9FE285CF3A54CA
Value Name: [kl]
1
<HKCU>\SOFTWARE\0AE7EC0F354DC76C911F0FAF0C58CE68 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: 0ae7ec0f354dc76c911f0faf0c58ce68
1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: 0ae7ec0f354dc76c911f0faf0c58ce68
1
<HKCU>\SOFTWARE\0AE7EC0F354DC76C911F0FAF0C58CE68
Value Name: [kl]
1
<HKCU>\SOFTWARE\TASKCENTER 1
Mutexes / Occurrences
<32 random hex characters> 15
faadc23089745177fe502d2a8d525b1e 5
eeecfead02ec78798e6b8f77a883a101 4
RV_MUTEX-euSAtYBxGgZHxu 1
Taskcenter 1
IP Addresses contacted by malware (does not indicate maliciousness) / Occurrences
Domain Names contacted by malware (does not indicate maliciousness) / Occurrences
Files and/or directories created / Occurrences
%LOCALAPPDATA%\Microsoft\CLR_v2.0_32\UsageLogs\<exe name>.log 10
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\Name.js 9
%TEMP%\<random, matching '[a-z]{4,9}'>.exe 8
%TEMP%\chrome.exe 5
%TEMP%\explorar.exe 5
%HOMEPATH%\Start Menu\Programs\Startup\Name.js 4
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\eeecfead02ec78798e6b8f77a883a101.exe 4
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\free.js 3
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\chrome.js 2
%HOMEPATH%\Start Menu\Programs\Startup\80e517af7a8a560c6a6ba08f37912242.exe 2
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\explorar.js 2
%APPDATA%\app 1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe 1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\check.js 1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\taskpronk.js 1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\76a9c92dae5da9885e9898c8d0ab647f.exe 1
%TEMP%\Putty.jpg 1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\4f4d6229e404afd7815409fbe7b105adWindows Update.exe 1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\nsfconsole.exe 1
%APPDATA%\nsfconsole.exe 1
%System32%\Tasks\Microsoft Runtime Services 1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\drivershash.js 1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\sound.js 1

File Hashes

*See JSON for more IOCs

Coverage

Product / Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA This has coverage

Screenshots of Detection

AMP


ThreatGrid


Umbrella


MITRE ATT&CK


Win.Packed.Razy-9847307-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 24 samples
Mutexes / Occurrences
uiabfqwfuAdministrator 9
uiabfqwfu 8
serhershesrhsfesrf 3
uiabfqwfu ' w 2
{48D87B02-03F7-4188-8BE8-7733FF2CBCA6} 1
Global\f1f33141-8db5-11eb-b5f8-00501e3ae7b6 1
Global\0de34ac1-8db6-11eb-b5f8-00501e3ae7b6 1
IP Addresses contacted by malware (does not indicate maliciousness) / Occurrences
Domain Names contacted by malware (does not indicate maliciousness) / Occurrences
Files and/or directories created / Occurrences
%HOMEPATH%\AppData\LocalLow\machineinfo.txt 8
%HOMEPATH%\AppData\LocalLow\sqlite3.dll 8
%HOMEPATH%\AppData\LocalLow\cR1dL5pE5dG6mD5k\api-ms-win-core-localization-l1-2-0.dll 8
%HOMEPATH%\AppData\LocalLow\cR1dL5pE5dG6mD5k\api-ms-win-core-memory-l1-1-0.dll 8
%HOMEPATH%\AppData\LocalLow\cR1dL5pE5dG6mD5k\api-ms-win-core-namedpipe-l1-1-0.dll 8
%HOMEPATH%\AppData\LocalLow\cR1dL5pE5dG6mD5k\api-ms-win-core-processenvironment-l1-1-0.dll 8
%HOMEPATH%\AppData\LocalLow\cR1dL5pE5dG6mD5k\api-ms-win-core-processthreads-l1-1-0.dll 8
%HOMEPATH%\AppData\LocalLow\cR1dL5pE5dG6mD5k\api-ms-win-core-processthreads-l1-1-1.dll 8
%HOMEPATH%\AppData\LocalLow\cR1dL5pE5dG6mD5k\api-ms-win-core-profile-l1-1-0.dll 8
%HOMEPATH%\AppData\LocalLow\cR1dL5pE5dG6mD5k\api-ms-win-core-rtlsupport-l1-1-0.dll 8
%HOMEPATH%\AppData\LocalLow\cR1dL5pE5dG6mD5k\api-ms-win-core-string-l1-1-0.dll 8
%HOMEPATH%\AppData\LocalLow\cR1dL5pE5dG6mD5k\api-ms-win-core-synch-l1-1-0.dll 8
%HOMEPATH%\AppData\LocalLow\cR1dL5pE5dG6mD5k\api-ms-win-core-synch-l1-2-0.dll 8
%HOMEPATH%\AppData\LocalLow\cR1dL5pE5dG6mD5k\api-ms-win-core-sysinfo-l1-1-0.dll 8
%HOMEPATH%\AppData\LocalLow\cR1dL5pE5dG6mD5k\api-ms-win-core-timezone-l1-1-0.dll 8
%HOMEPATH%\AppData\LocalLow\cR1dL5pE5dG6mD5k\api-ms-win-core-util-l1-1-0.dll 8
%HOMEPATH%\AppData\LocalLow\cR1dL5pE5dG6mD5k\api-ms-win-crt-conio-l1-1-0.dll 8
%HOMEPATH%\AppData\LocalLow\cR1dL5pE5dG6mD5k\api-ms-win-crt-convert-l1-1-0.dll 8
%HOMEPATH%\AppData\LocalLow\cR1dL5pE5dG6mD5k\api-ms-win-crt-environment-l1-1-0.dll 8
%HOMEPATH%\AppData\LocalLow\cR1dL5pE5dG6mD5k\api-ms-win-crt-filesystem-l1-1-0.dll 8
%HOMEPATH%\AppData\LocalLow\cR1dL5pE5dG6mD5k\api-ms-win-crt-heap-l1-1-0.dll 8
%HOMEPATH%\AppData\LocalLow\cR1dL5pE5dG6mD5k\api-ms-win-crt-locale-l1-1-0.dll 8
%HOMEPATH%\AppData\LocalLow\cR1dL5pE5dG6mD5k\api-ms-win-crt-math-l1-1-0.dll 8
%HOMEPATH%\AppData\LocalLow\cR1dL5pE5dG6mD5k\api-ms-win-crt-multibyte-l1-1-0.dll 8
%HOMEPATH%\AppData\LocalLow\cR1dL5pE5dG6mD5k\api-ms-win-crt-private-l1-1-0.dll 8

*See JSON for more IOCs

File Hashes

*See JSON for more IOCs

Coverage

Product / Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection

AMP


ThreatGrid


MITRE ATT&CK


Win.Dropper.TinyBanker-9847321-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 26 samples
Registry Keys / Occurrences
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: DA81EF4C
23
Mutexes / Occurrences
DA81EF4C 24
<random, matching [a-zA-Z0-9]{5,9}> 24
IP Addresses contacted by malware (does not indicate maliciousness) / Occurrences
216[.]218[.]185[.]162 20
185[.]53[.]179[.]6 1
Domain Names contacted by malware (does not indicate maliciousness) / Occurrences
Files and/or directories created / Occurrences
%HOMEPATH%\AppData\LocalLow\DA81EF4C 24
%APPDATA%\DA81EF4C 24
%APPDATA%\DA81EF4C\bin.exe 23
%APPDATA%\7E1FD194\bin.exe 1
%APPDATA%\19ECB1B8\bin.exe 1
%APPDATA%\2030532E\bin.exe 1
%APPDATA%\30FB4BA9\bin.exe 1
%APPDATA%\7F820852\bin.exe 1
%APPDATA%\78C94770\bin.exe 1
%APPDATA%\710AEE43\bin.exe 1
%APPDATA%\7B36CE0A\bin.exe 1
%APPDATA%\16E8D7A2\bin.exe 1
%APPDATA%\74BBFE13\bin.exe 1
%APPDATA%\660D574D\bin.exe 1
%APPDATA%\48244519\bin.exe 1
%APPDATA%\0EB7E380\bin.exe 1
%APPDATA%\78324223\bin.exe 1
%APPDATA%\5F8C34F4\bin.exe 1
%APPDATA%\70F42938\bin.exe 1
%APPDATA%\62CAD048\bin.exe 1
%APPDATA%\18472F0F\bin.exe 1
%APPDATA%\3F1DB60A\bin.exe 1
%APPDATA%\59BDE9E0\bin.exe 1
%APPDATA%\2302FAB0\bin.exe 1
%APPDATA%\47D512A9\bin.exe 1

*See JSON for more IOCs

File Hashes

*See JSON for more IOCs

Coverage

Product / Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection

AMP


ThreatGrid


Umbrella


MITRE ATT&CK


Win.Keylogger.Gh0stRAT-9847918-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 16 samples
Registry Keys / Occurrences
<HKLM>\SYSTEM\SELECT
Value Name: MarkTime
16
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SAINBOX 3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SAINBOX
Value Name: Type
3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SAINBOX
Value Name: Start
3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SAINBOX
Value Name: ErrorControl
3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SAINBOX
Value Name: ImagePath
3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SAINBOX
Value Name: DisplayName
3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SAINBOX
Value Name: WOW64
3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SAINBOX
Value Name: ObjectName
3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SAINBOX
Value Name: Description
3
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\ACTIVEMOVIE\DEVENUM
Value Name: Version
2
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\ACTIVEMOVIE 2
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\ACTIVEMOVIE\DEVENUM 2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\DTLDTL DUMDU 1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\DTLDTL DUMDU
Value Name: Type
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\DTLDTL DUMDU
Value Name: Start
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\DTLDTL DUMDU
Value Name: ErrorControl
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\DTLDTL DUMDU
Value Name: ImagePath
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\DTLDTL DUMDU
Value Name: DisplayName
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\DTLDTL DUMDU
Value Name: WOW64
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\DTLDTL DUMDU
Value Name: ObjectName
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\DTLDTL DUMDU
Value Name: Description
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MICROSOFT WINDOWS 1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MICROSOFT WINDOWS
Value Name: Type
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MICROSOFT WINDOWS
Value Name: Start
1
Mutexes  Occurrences
Global\C:\Windows\SysWOW64\sainbox.exe -auto 4
Global\C:\Windows\SysWOW64\sainbox.exe -acsi 4
eed3bd3a-a1ad-4e99-987b-d7cb3fcfa7f0 - S-1-5-18 2
127.0.0.1:2020 2
www.lolsb.cn:65531 2
43.226.152.12:2020 2
Global\C:\Windows\SysWOW64\Dtldt.exe -acsi 1
Global\C:\Windows\SysWOW64\Dtldt.exe -auto 1
192.168.1.101:8080 1
ferfererv.e2.luyouxia.net:8888 1
43.226.159.201:2020 1
cn-xz-bgp.sakurafrp.com:60240 1
116.255.206.225:2020 1
36ho560717.wicp.vip:41506 1
ferfererv.e2.luyouxia.net:20287 1
Global\C:\Windows\SysWOW64\Jklde.exe -auto 1
Global\C:\Windows\SysWOW64\Jklde.exe -acsi 1
Global\C:\Windows\SysWOW64\Tlmde.exe -auto 1
47.93.245.163:2020 1
Global\C:\Windows\SysWOW64\Tlmde.exe -acsi 1
212.64.72.130:8080 1
182.150.0.31:58726 1
IP Addresses contacted by malware. Does not indicate maliciousness  Occurrences
*See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousness  Occurrences
e2[.]luyouxia[.]net 2
www[.]lolsb[.]cn 2
ferfererv[.]e2[.]luyouxia[.]net 2
cn-xz-bgp[.]sakurafrp[.]com 1
36ho560717[.]wicp[.]vip 1
Files and/or directories created  Occurrences
%SystemRoot%\SysWOW64\sainbox.exe 4
%System32%\sainbox.exe 4
%SystemRoot%\SysWOW64\Dtldt.exe 1
%System32%\Dtldt.exe 1
%System32%\Jklde.exe 1
%SystemRoot%\SysWOW64\Jklde.exe 1
%SystemRoot%\SysWOW64\Tlmde.exe 1
%System32%\Tlmde.exe 1

File Hashes

Coverage

Product  Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

AMP


ThreatGrid


MITRE ATT&CK


Win.Trojan.Gamarue-9847820-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 39 samples
Registry Keys  Occurrences
<HKCU>\Software\Microsoft\<random, matching '[A-Z][a-z]{3,11}'> 5
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED
Value Name: ShowSuperHidden
4
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: uryccnar.exe
2
<HKCU>\SOFTWARE\5C20D44A107E 2
<HKCU>\SOFTWARE\{47C5851A-4B01-4228-9EE3-D8E6DE7F68D4}\1989
Value Name: oieo
1
Mutexes  Occurrences
qazwsxedc 20
Frz_State 5
Sandboxie_SingleInstanceMutex_Control 5
MicrosoftVirtualPC7UserServiceMakeSureWe'reTheOnlyOneMutex 5
82000000A0707177885CE4AF3E64D3E4 5
B00000008C99FA19E77C22F8B3E2BB39 5
8800000029BFA3BC1AF0D57C4E5F719F 5
54000000BDB5166AAA98F51EFEC1159C 5
<32 random hex characters> 5
UVhVXmJpX2Ax 3
MSCTF.Return.MUTEX.674971C3 2
{<random GUID>} 2
Local\{41435A30-AC43-1BEB-BE05-A07FD209D423} 1
Global\TrickBot 1
fuiptvsjjthh 1
MSCTF.Return.MUTEX.ACAB67A0 1
MSCTF.Return.MUTEX.8AD1505E 1
Global\408c54e1-8f59-11eb-b5f8-00501e3ae7b6 1
Global\38e95422 1
Global\370a6ec1-8f59-11eb-b5f8-00501e3ae7b6 1
Global\3b858701-8f59-11eb-b5f8-00501e3ae7b6 1
Global\2a4fb461-8f59-11eb-b5f8-00501e3ae7b6 1
Global\83357b18 1
IP Addresses contacted by malware. Does not indicate maliciousness  Occurrences

*See JSON for more IOCs

Domain Names contacted by malware. Does not indicate maliciousness  Occurrences

*See JSON for more IOCs

Files and/or directories created  Occurrences
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs 10
%HOMEPATH%\Start Menu\Programs\Startup\x.vbs 3
%APPDATA%\UVhVXmJpX2Ax 3
\VAULT.KEY 2
\VAULT.hta 2
%APPDATA%\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\cookies.exe 2
%System32%\Microsoft\Protect\S-1-5-18\0635df79-66df-4402-9cf2-4d6327c2706a 2
%HOMEPATH%\Documents\Sheets\budget.xls.vault (copy) 2
%HOMEPATH%\Documents\Sheets\budget.xlsb.vault (copy) 2
%HOMEPATH%\Documents\Sheets\budget.xlsm.vault (copy) 2
%APPDATA%\CONFIRMATION.KEY 2
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\VAULT.hta 2
%APPDATA%\Microsoft\Windows\Templates\CONFIRMATION.KEY 2
%APPDATA%\Microsoft\Windows\Templates\VAULT.KEY 2
%APPDATA%\Microsoft\Windows\Templates\VAULT.hta 2
%APPDATA%\VAULT.KEY 2
%APPDATA%\VAULT.hta 2
%APPDATA%\userdata.ini 2
%HOMEPATH%\Desktop\VAULT.KEY 2
%HOMEPATH%\Desktop\VAULT.hta 2
%ProgramData%\Winlogon\winlogon.lnk 2
%APPDATA%\UVhVXmJpX2Ax\UrycCnar.exe 2
%ProgramData%\Winlogon 2
%ProgramData%\Winlogon\532fdb451f71 2
%System32%\Tasks\Windows Update 11bcc632 2

*See JSON for more IOCs

File Hashes


*See JSON for more IOCs

Coverage

Product  Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection

AMP


ThreatGrid


Malware


MITRE ATT&CK


Win.Ransomware.Phorpiex-9847468-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 15 samples
Registry Keys  Occurrences
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: AntiVirusOverride
15
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: AntiVirusDisableNotify
15
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: FirewallDisableNotify
15
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: FirewallOverride
15
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: UpdatesDisableNotify
15
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SYSTEMRESTORE
Value Name: DisableSR
15
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: UpdatesOverride
15
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: AutoUpdateDisableNotify
15
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Microsoft Windows Services
15
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Microsoft Windows Services
15
Mutexes  Occurrences
495950303959 15
IP Addresses contacted by malware. Does not indicate maliciousness  Occurrences
Domain Names contacted by malware. Does not indicate maliciousness  Occurrences
uaeihefiuaefhuhr[.]ru 13
uaeihefiuaefhuha[.]ru 6
uaeihefiuaefhuhe[.]ru 1
uaeihefiuaefhuhg[.]ru 1
uaeihefiuaefhuht[.]ru 1
uaeihefiuaefhuhv[.]ru 1
Files and/or directories created  Occurrences
\_\DeviceManager.exe 15
\.lnk 15
E:\.lnk 15
E:\_ 15
E:\_\DeviceManager.exe 15
%ProgramData%\Microsoft\Windows\Start Menu\Programs\Startup\winupdrvcfg.exe 15
%APPDATA%\Microsoft\Windows\Start Menu\Programs\StartUp\winupsvccfg.exe 15
%SystemRoot%\60808654730570\winsvcs.exe 15
%SystemRoot%\60808654730570 12
%TEMP%\2600516434.exe 1
%TEMP%\1557018472.exe 1
%TEMP%\3570711340.exe 1

File Hashes


Coverage

Product  Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA This has coverage

Screenshots of Detection

AMP


ThreatGrid


MITRE ATT&CK


Exploit Prevention

Cisco AMP for Endpoints protects users from a variety of malware functions with exploit prevention. Exploit prevention helps users defend endpoints from memory attacks commonly used by obfuscated malware and exploits. These exploits use certain features to bypass typical anti-virus software, but were blocked by AMP thanks to its advanced scanning capabilities, even protecting against zero-day vulnerabilities.

Process hollowing detected - (10169)
Process hollowing is a technique used by some programs to avoid static analysis. In typical usage, a process is started and its obfuscated or encrypted contents are unpacked into memory. The parent then manually sets up the first stages of launching a child process, but before launching it, the memory is cleared and filled in with the memory from the parent instead.
Excessively long PowerShell command detected - (5116)
A PowerShell command with a very long command line argument that may indicate an obfuscated script has been detected. PowerShell is an extensible Windows scripting language present on all versions of Windows. Malware authors use PowerShell in an attempt to evade security software or other monitoring that is not tuned to detect PowerShell-based threats.
Reverse tcp payload detected - (2018)
An exploit payload intended to connect back to an attacker-controlled host using TCP has been detected.
Crystalbit-Apple DLL double hijack detected - (1019)
A Crystalbit-Apple DLL double hijack was detected. In this attack, the adversary abuses two legitimate vendor applications, such as CrystalBit and Apple, as part of a DLL double-hijack attack chain that starts with a fraudulent software bundle and eventually leads to a persistent miner and, in some cases, spyware deployment.
A Microsoft Office process has started a windows utility. - (692)
A process associated with Microsoft Office, such as EXCEL.exe or WINWORD.exe, has started a Windows utility such as powershell.exe or cmd.exe. This is typical behavior of malicious documents executing additional scripts. This behavior is extremely suspicious and is associated with many different malware campaigns and families.
Kovter injection detected - (611)
A process was injected into, most likely by an existing Kovter infection. Kovter is a click-fraud Trojan that can also act as an information stealer. Kovter is also fileless malware, meaning the malicious DLL is stored inside the Windows registry and injected directly into memory using PowerShell. It can detect and report the usage of monitoring software such as Wireshark and sandboxes to its C2. It spreads through malicious advertising and spam campaigns.
Squiblydoo application whitelist bypass attempt detected. - (599)
An attempt to bypass application whitelisting via the "Squiblydoo" technique has been detected. This typically involves using regsvr32.exe to execute script content hosted on an attacker-controlled server.
Dealply adware detected - (235)
DealPly is adware that claims to improve your online shopping experience. It is often bundled into other legitimate installers and is difficult to uninstall. It creates pop-up advertisements and injects advertisements into webpages. Adware has also been known to download and install malware.
Trickbot malware detected - (213)
Trickbot is a banking Trojan that appeared in late 2016. Due to the similarities between Trickbot and Dyre, it is suspected that some of the individuals responsible for Dyre are now responsible for Trickbot. Trickbot has been rapidly evolving since it appeared. However, it is still missing some of the capabilities Dyre possessed. Its current modules include DLL injection, system information gathering, and email searching.
CVE-2019-0708 detected - (95)
An attempt to exploit CVE-2019-0708 has been detected. The vulnerability, dubbed BlueKeep, is a heap memory corruption which can be triggered by sending a specially crafted Remote Desktop Protocol (RDP) request. Since this vulnerability can be triggered without authentication and allows remote code execution, it can be used by worms to spread automatically without human interaction.
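As an added example that is not part of the roundup or of AMP's own logic, the following Python applies three of the exploit-prevention heuristics described above (an Office process starting a Windows utility, an excessively long PowerShell command line, and a Squiblydoo-style regsvr32 launch referencing remote script content) to constructed process-creation events. The event fields, the length threshold and the sample events are assumptions made for this example.

```python
"""Triage heuristics for three of the exploit-prevention events described above.
The event shape, threshold and sample events are constructed for this example."""
from dataclasses import dataclass

OFFICE_PARENTS = {"excel.exe", "winword.exe"}      # Office images named on the page
WINDOWS_UTILITIES = {"powershell.exe", "cmd.exe"}  # utilities named on the page
# Assumed threshold for "excessively long"; baseline it against your own telemetry.
LONG_POWERSHELL_THRESHOLD = 1000


@dataclass(frozen=True)
class ProcessEvent:
    parent_image: str  # full path of the parent process image
    image: str         # full path of the newly created process image
    command_line: str  # command line of the new process


def _basename(path: str) -> str:
    # Windows paths: os.path.basename would not split on backslashes on POSIX.
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(event: ProcessEvent) -> list[str]:
    """Return the names of every heuristic the event matches (empty if none)."""
    hits = []
    parent, image = _basename(event.parent_image), _basename(event.image)
    cmd = event.command_line.lower()
    if parent in OFFICE_PARENTS and image in WINDOWS_UTILITIES:
        hits.append("office_spawned_windows_utility")
    if image == "powershell.exe" and len(event.command_line) > LONG_POWERSHELL_THRESHOLD:
        hits.append("excessively_long_powershell_command")
    if image == "regsvr32.exe" and ("http://" in cmd or "https://" in cmd):
        hits.append("squiblydoo_regsvr32_remote_script")
    return hits


def triage(events: list[ProcessEvent]) -> list[tuple[str, list[str]]]:
    """Pair each flagged event's image name with the heuristics it matched."""
    return [(_basename(e.image), classify(e)) for e in events if classify(e)]


# Constructed sample events; the paths and command lines are illustrative only.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r"C:\Windows\System32\cmd.exe", "cmd.exe /c echo hello"),
    ProcessEvent(r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -NoProfile -Command " + "x" * 1200),
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\regsvr32.exe",
                 "regsvr32.exe /s https://example.invalid/script"),
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe",
                 "notepad.exe report.txt"),
]

if __name__ == "__main__":
    for image, hits in triage(SAMPLE_EVENTS):
        print(f"{image}: {', '.join(hits)}")
```

The second sample event matches two heuristics at once, which is the usual shape of a malicious-document chain: the Office parent and the oversized PowerShell command line are flagged independently.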