Today, Talos is publishing a glimpse into the most prevalent threats we've observed between April 16 and April 23. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. A visual depiction of the MITRE ATT&CK techniques associated with each threat is also shown. In these images, the brightness of the technique indicates how prevalent it is across all threat files where dynamic analysis was conducted. There are five distinct shades that are used, with the darkest indicating that no files exhibited technique behavior and the brightest indicating that technique behavior was observed from 75 percent or more of the files.

The most prevalent threats highlighted in this roundup are:

Threat NameTypeDescription
Win.Trojan.Qjwmonkey-9852715-1 Trojan Qjwmonkey is adware that modifies the system and browser settings to display advertisements to the user.
Win.Trojan.Zegost-9852502-1 Trojan Zegost is a remote access trojan designed to provide an attacker with complete control over an infected system. Capabilities include monitoring keystrokes, collecting video footage from the webcam, and uploading/executing follow-on malware. Zegost appears to be derived from Gh0stRAT, which is a well-known remote access trojan that had its source code leaked, thus significantly lowering the barrier to entry for actors looking to modify and reuse the code in new attacks.
Win.Ransomware.Phorpiex-9852505-1 Ransomware Phorpiex is a trojan and worm that infects machines to deliver follow-on malware. Phorpiex has been known to drop a wide range of payloads, from malware to sending spam emails, to ransomware and cryptocurrency miners.
Win.Packed.Tofsee-9852546-1 Packed Tofsee is multi-purpose malware that features a number of modules used to carry out various activities such as sending spam messages, conducting click fraud, mining cryptocurrency and more. Infected systems become part of the Tofsee spam botnet and are used to send large volumes of spam messages to infect additional systems and increase the overall size of the botnet under the operator's control.
Win.Dropper.HawkEye-9852573-0 Dropper HawkEye is an information stealing malware that specifically targets usernames and passwords stored by web browsers and mail clients on an infected machine. It is commonly spread via email and can also propagate through removable media.
Win.Packed.Trickbot-9852642-0 Packed Trickbot is a banking trojan targeting sensitive information for certain financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB scripts.
Win.Trojan.CoinMiner-9852807-1 Trojan This malware installs and executes cryptocurrency mining software. You can read more about this kind of threat on our blog /blocking-cryptomining.
Win.Dropper.DarkComet-9852811-1 Dropper DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system. Capabilities of this malware include the ability to download files from a user's machine, mechanisms for persistence and hiding, and the ability to send back usernames and passwords from the infected system.
Win.Dropper.NetWire-9852865-1 Dropper NetWire is a remote access trojan (RAT) that allows attackers to execute commands on the infected host, log keystrokes, interact with a webcam, remote desktop and read data from connected USB devices. NetWire is commonly delivered through Microsoft Office documents with macros, sent as attachments on malicious emails.

Threat Breakdown

Win.Trojan.Qjwmonkey-9852715-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 46 samples
MutexesOccurrences
ATL:MemData03EA<original file name>.exe 42
Global\efbe59e1-9edb-11eb-b5f8-00501e3ae7b6 1
Global\f246c9e1-9edb-11eb-b5f8-00501e3ae7b6 1
IP Addresses contacted by malware. Does not indicate maliciousnessOccurrences
47[.]102[.]38[.]15 17
106[.]14[.]178[.]247 12
47[.]103[.]45[.]17 7
207[.]54[.]51[.]147 1
Domain Names contacted by malware. Does not indicate maliciousnessOccurrences
w[.]nanweng[.]cn 36
Files and or directories createdOccurrences
%APPDATA%\GlobalMgr.db 43
%ProgramData%\roundinfo.ini 42

File Hashes

00331f1ef388faeb02bbb86c516216340f34ebc12f710d0fd01212dbdc55e3a6
04e5849bab0d1bd1c47674133109077de6d7f3134c667f3f1fb84aa4db532d32
052ee7bac02807f428cb413b4901755711785b56e49d6a35f3621894edd54f4a
089d93ebbb689f8ab128b58fe9871e54293d4c434f19e0bdf8b0480176ad2e6b
095c9e1d80976ce4cfb89cc7d112302b5127cf5f654667e9afd022d117507fc1
09e01e13c42ee3cee1a7f51cbc3a0ca6165c2f7e335ed55b5e5507d4e0b306e9
0bede372ae2dcaaeeb7299bda58227ea7ccb873abe09eeaf9265de5a0a1b8df8
0ce61130dbc812f9331f2a8938bd3e95cab2546746e0fe7101b4b53f2969860f
0d2e1ed85ffd773b35c3ccaaa6cb92f2ef5234a1697955db44224169ddaebb7e
0ea890d616bf12357d5eb8c37e4c22a1ce2ee7dc75e1138371165243b8819eed
0fa26a2a738a4007f6c3bfdc78ecd58748060222843da5b59d49167b0fd4d468
110e0b21c31a3646cad09cb314caf7201fdbc71e83d3bc881f0ba3319d67aa72
111eb46d97a18360467d274db9eb3790809f7bde76bdbcd3e4d825fd3d3a117b
11f98e9446145e96c470dcc1e8095d8b141f6f5f75a1a4c3c99aad4f3ea83597
14abbb57e56414bc0639be3d3bf41da3450a8978d29c5b8c8a248f4369504915
15bad4a7efa4ffcd92b1a4d971c8cd1aadc257c407d79801610c80a35c13383f
16e5345e9ca10efc290104bb6d452973a1332dfef8c6a28efa813957d66c9fe2
180279b12f7d86224fb196586705a9c2f07708ee3b6e77b419324dbd2f785caf
1a243d757b98f46276ec2869c71cde2a4fbc09875ce69e1aa71fac9d94bf3fa0
1d32bcd34cbf793b95211e34dd35836fbd8e4559378e4a37905e02181305b638
1f9ca41c1daf1625612390570f36c1dc8ae2c9b37a6770cd05596836ee9a39b8
2268b746d62d141c67aaa2f42c4fd18bd856f79601fea9e1f236e002c2f2cbaa
236ed6f228127934c6a994945f4e097bc75bde95fd951522df5e0db77f1f9ee7
28900956aae3e8a5f1f3f40ad290b8931e22442d9be9769e857ba8dd0fe61872
2a4be36f9f60352ac7dff26e9e127aa86731c314679ceeff82df6396aa4d434b

*See JSON for more IOCs

Coverage

ProductProtection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

AMP


ThreatGrid


MITRE ATT&CK


Win.Trojan.Zegost-9852502-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 26 samples
Registry KeysOccurrences
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSQQWK WWQCQSEM 12
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSQQWK WWQCQSEM
Value Name: ConnectGroup
11
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSQQWK WWQCQSEM
Value Name: MarkTime
11
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSQQWK WWQCQSEM
Value Name: Type
6
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSQQWK WWQCQSEM
Value Name: Start
6
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSQQWK WWQCQSEM
Value Name: ErrorControl
6
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSQQWK WWQCQSEM
Value Name: ImagePath
6
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSQQWK WWQCQSEM
Value Name: DisplayName
6
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSQQWK WWQCQSEM
Value Name: WOW64
6
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSQQWK WWQCQSEM
Value Name: ObjectName
6
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSQQWK WWQCQSEM
Value Name: FailureActions
6
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSQQWK WWQCQSEM
Value Name: Description
6
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CNNAT
Value Name: Description
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSYVRI TAIHHDGM
Value Name: ImagePath
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSBMJX TMSEVSMX
Value Name: Type
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSYVRI TAIHHDGM
Value Name: DisplayName
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSYVRI TAIHHDGM
Value Name: WOW64
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSBMJX TMSEVSMX
Value Name: Start
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSYVRI TAIHHDGM
Value Name: ObjectName
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSBMJX TMSEVSMX
Value Name: ErrorControl
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSBMJX TMSEVSMX
Value Name: ImagePath
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSYVRI TAIHHDGM
Value Name: FailureActions
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSBMJX TMSEVSMX
Value Name: DisplayName
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSBMJX TMSEVSMX
Value Name: WOW64
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSBMJX TMSEVSMX
Value Name: ObjectName
1
IP Addresses contacted by malware. Does not indicate maliciousnessOccurrences
61[.]142[.]176[.]23 2
219[.]235[.]8[.]33 1
182[.]92[.]234[.]15 1
113[.]11[.]212[.]64 1
115[.]230[.]125[.]112 1
123[.]249[.]39[.]14 1
110[.]210[.]176[.]52 1
60[.]213[.]35[.]28 1
113[.]5[.]116[.]165 1
220[.]165[.]9[.]89 1
119[.]29[.]33[.]122 1
122[.]114[.]38[.]7 1
Domain Names contacted by malware. Does not indicate maliciousnessOccurrences
woaini68[.]f3322[.]net 3
vnet[.]f3322[.]org 2
weiaufu[.]f3322[.]org 1
rouji5200[.]wicp[.]net 1
quan[.]f3322[.]net 1
woaini67[.]f3322[.]net 1
www[.]memejerry[.]top 1
1qdisk[.]vicp[.]cc 1
szzhongzi[.]f3322[.]net 1
ncmlove[.]tk 1
yk[.]1433[.]top 1
a1027663760[.]eicp[.]net 1
Files and or directories createdOccurrences
\<random, matching '[0-9]{4}'>.vbs 17
%ProgramFiles(x86)%\Windows NT\Iyyesms.exe 7
%ProgramFiles%\Windows NT\Iyyesms.exe 7
%ProgramFiles(x86)%\Microsoft <random, matching [A-Z][a-z]{5}> 6
%ProgramFiles(x86)%\Microsoft <random, matching [A-Z][a-z]{5}\[A-Z][a-z]{6}>.exe 6
%ProgramFiles%\Microsoft <random, matching [A-Z][a-z]{5}\[A-Z][a-z]{6}>.exe 5
%CommonProgramFiles(x86)%\kouou.exe 1
%ProgramFiles(x86)%\Windows NT\Aimeuqg.exe 1
%ProgramFiles(x86)%\Windows NT\Emjpvaz.exe 1
%SystemRoot%\cnnet.exe 1
%ProgramFiles(x86)%\Windows NT\Qrmvnzz.exe 1
%CommonProgramFiles%\kouou.exe 1
%ProgramFiles%\Windows NT\Emjpvaz.exe 1
%ProgramFiles%\Windows NT\Aimeuqg.exe 1
%ProgramFiles%\Windows NT\Qrmvnzz.exe 1

File Hashes

028677128fc11eb00531cc334c094c3c88037b9e0ead2914a9c63d3f548c0697
02ba07d0486a0da36a26a342e00ac07d9fcdeb3b540f7b06a0b05b747391da95
03289c763bc30bba3c9ab868ef0583ca482e73c2b9830d4bdb0abbadd460e243
03bc49dc247aed2c2128d56e32f575c590dc19a456562d74b7bf6c0244983835
03c1bf9b5c76af7e3c086fd4db7ef4787d5135dd3d69b182cf67521397b447f7
03df25e7512be5755567e10d2dd4fcf9e3b36acf51742341cb5b121c229d9606
03e4408e30e81a330618a05b5407e1bccfffed77d7f95d1cd6b24ecebb83d975
045766bd481e54f4a071c098a24aa1e4371941b6ec548798d21ec417a4c3fac5
04b679599fdb9a5dc1c8b61ca01d00b48bf8be22fffd6971b7b0c82049296db9
06737dbe64e13d13f5ffdd3bb368716f1c90c1b0223d41a5dcfacc866ed5ad19
07205c134cb739d502e92fb731f1a9be494210a86c0fcb8fe58aefbff746319a
09662f61b945fa07bb45a02d2b1cd1936394cdbfe1cdf4598e54de38cfa5d138
0ef26d5819a7ad589bc2ea2b4b46fa3fc210ebb94ff988c3f02a774ef1a4fc3f
10d1dd1ad3770108968c0bf80c616f39da53bbc14e6f2cb32cb06ca0e8963c01
125a474715d4a5cde0d837745cfb1ff6cbbce8185db4f2b1381d3f520a76d01b
188f4611aa4e4bf3820a55020614a2f42ccb72e2b6dcda59a404d650bb06c7c3
1d211437f30862a0a7c6d684d374af75ef7fa0b679b755512bed9e6c63081a3b
20026f4adf81593b597ecf95a2b89c0540fe5fcb99ac3acf8fd67dac265f1960
24aa3e1767d7f22cbc99a1670a6d9a2174a250777bcd50824a007b5ee46fe8d7
26133924cc676a545675cfbed746db952c12a7256402e9927a080e3914b47f98
31a9b4e67bc843eed4b2a7661f1de1424ab2c970bef88fa4483b6cfb501c3939
353e65f78f685f0b99576382b26db7d3ceae9fb00daa4217feccaa0fbabff3c8
38988528069fa8bf505c74e0c4b1c04156536d79575c038a212866263d11605f
3d7ce9256a7ac305599f5d8a0fb8eabebd9e06fad6f3a9896941c6c63f59845d
43032cd0e36ba31e28566823a7d2a9dbd7ef2a7837ee5ca6ef0ba736e88db5ac

*See JSON for more IOCs

Coverage

ProductProtection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

AMP


ThreatGrid


MITRE ATT&CK


Win.Ransomware.Phorpiex-9852505-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 16 samples
Registry KeysOccurrences
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: AntiVirusOverride
16
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: AntiVirusDisableNotify
16
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: FirewallDisableNotify
16
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: FirewallOverride
16
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: UpdatesDisableNotify
16
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SYSTEMRESTORE
Value Name: DisableSR
16
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: UpdatesOverride
16
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: AutoUpdateDisableNotify
16
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Microsoft Windows Services
16
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Microsoft Windows Services
16
MutexesOccurrences
450044859330 16
IP Addresses contacted by malware. Does not indicate maliciousnessOccurrences
92[.]63[.]197[.]153 16
Domain Names contacted by malware. Does not indicate maliciousnessOccurrences
hgouhfuosuoosrh[.]ru 12
ageouhoeufhhghu[.]ru 7
auehaofehofhuhf[.]ru 3
Files and or directories createdOccurrences
\_\DeviceManager.exe 16
\.lnk 16
E:\.lnk 16
E:\_ 16
E:\_\DeviceManager.exe 16
%ProgramData%\Microsoft\Windows\Start Menu\Programs\Startup\winupdrvcfg.exe 16
%APPDATA%\Microsoft\Windows\Start Menu\Programs\StartUp\winupsvccfg.exe 16
%SystemRoot%\8507857406807850\winsvcs.exe 16
%SystemRoot%\8507857406807850 11

File Hashes

00c7da3fbd24d0c721325e6851ebece130d717c423a1d54586367f6f1f0b5868
1a9530fb0945113c20c5dada84b4bb41b7fed55d50bcaaf5563241ed2d6683d7
2c127a7e9a9b61d349a5475133f3b29e4ab605d83fdac9d64d4310071aa370aa
2ea176605386bab0a775e3dc774a480a8f68faf04654fd712f264a26c2d3f5e7
46524db5cb4be7cd7a7efacfb4f85e747fe0e678b670295dd1972c74601a718e
49128ded5a18746339f94e2d06d6fd78b9bbc835a9cbebaeafe2493222595e08
562aca63384b16e9708cfc8e19efe3b727f3a49da364ffbe5bfea9223a59b28e
6174731efdc45bc3e7ff64068a96264401a2d3553884d4cc6be89776248cf23f
7d4245d9601d1ab292768a099acb6603d35a3b218b5c52b4f6493dd2c3ae26c7
81539e713f3d2a5b3f052c23ed07ea59cbbdcd8115e01f5e9f676272e7dd3459
a10337c0265b88ec22f94c2eb3229d85faaf9b927fe79aa70a6ae609c2989533
a1d0619684cd6fa82640700c6205effbe3f7d5382b44b16c8b5ffff39244ad0d
adfb4cfcf99b3ea5c3053c5b742cd5b347310335237d86b09846916c4c137563
d79af3752d2bae848b6314b619ea9a31bdef3e14cd5c954ca8d24d490b362321
d80301145e10af6d4b872c6be3fb7db8aeb567db85e363fc7d2e4876f922ff90
dd0e3c43f0e028174719b49f20a1ee0f275c65b5e7018a11c79569d06085221f

Coverage

ProductProtection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA This has coverage

Screenshots of Detection

AMP


ThreatGrid


MITRE ATT&CK


Win.Packed.Tofsee-9852546-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 43 samples
Registry KeysOccurrences
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: Start
43
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: Type
37
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: ErrorControl
37
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: DisplayName
37
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: WOW64
37
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: ObjectName
37
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: Description
37
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> 37
<HKU>\.DEFAULT\CONTROL PANEL\BUSES 34
<HKU>\.DEFAULT\CONTROL PANEL\BUSES
Value Name: Config2
34
<HKU>\.DEFAULT\CONTROL PANEL\BUSES
Value Name: Config0
34
<HKU>\.DEFAULT\CONTROL PANEL\BUSES
Value Name: Config1
34
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: ImagePath
26
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: AntiVirusOverride
6
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: AntiVirusDisableNotify
6
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: FirewallDisableNotify
6
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: FirewallOverride
6
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: UpdatesDisableNotify
6
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: UacDisableNotify
6
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM
Value Name: EnableLUA
6
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE
Value Name: EnableFirewall
6
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE
Value Name: DoNotAllowExceptions
6
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE
Value Name: DisableNotifications
6
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC
Value Name: Start
6
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDEFEND
Value Name: Start
6
MutexesOccurrences
{<random GUID>} 6
IP Addresses contacted by malware. Does not indicate maliciousnessOccurrences
43[.]231[.]4[.]6/31 34
217[.]172[.]179[.]54 34
5[.]9[.]72[.]48 34
130[.]0[.]232[.]208 34
144[.]76[.]108[.]82 34
185[.]253[.]217[.]20 34
45[.]90[.]34[.]87 34
185[.]254[.]190[.]218 34
31[.]13[.]65[.]174 33
37[.]1[.]217[.]172 19
176[.]9[.]119[.]47 16
52[.]180[.]174[.]216 16
157[.]240[.]2[.]174 15
172[.]217[.]197[.]103 15
172[.]217[.]12[.]164 14
172[.]217[.]197[.]147 14
172[.]217[.]11[.]36 13
172[.]217[.]197[.]99 12
87[.]250[.]250[.]22 11
172[.]217[.]197[.]106 11
13[.]107[.]21[.]200 10
172[.]217[.]6[.]195 10
31[.]13[.]65[.]52 10
23[.]5[.]227[.]69 9
40[.]112[.]72[.]205 8

*See JSON for more IOCs

Domain Names contacted by malware. Does not indicate maliciousnessOccurrences
249[.]5[.]55[.]69[.]bl[.]spamcop[.]net 34
249[.]5[.]55[.]69[.]cbl[.]abuseat[.]org 34
249[.]5[.]55[.]69[.]dnsbl[.]sorbs[.]net 34
249[.]5[.]55[.]69[.]in-addr[.]arpa 34
249[.]5[.]55[.]69[.]sbl-xbl[.]spamhaus[.]org 34
249[.]5[.]55[.]69[.]zen[.]spamhaus[.]org 34
microsoft-com[.]mail[.]protection[.]outlook[.]com 34
microsoft[.]com 34
www[.]google[.]com 34
www[.]instagram[.]com 33
work[.]a-poster[.]info 19
www[.]bing[.]com 18
msr[.]pool-pay[.]com 16
z-p42-instagram[.]c10r[.]facebook[.]com 15
market[.]yandex[.]ru 11
yabs[.]yandex[.]ru 11
i[.]instagram[.]com 10
iv0001-npxs01001-00[.]auth[.]np[.]ac[.]playstation[.]net 9
ip[.]pr-cy[.]hacklix[.]com 8
119[.]151[.]167[.]12[.]in-addr[.]arpa 7
www[.]google[.]co[.]id 7
www[.]google[.]ca 6
google[.]com 6
native-ps3[.]np[.]ac[.]playstation[.]net 5
mds[.]np[.]ac[.]playstation[.]net 5

*See JSON for more IOCs

Files and or directories createdOccurrences
%SystemRoot%\SysWOW64\<random, matching '[a-z]{8}'> 37
%TEMP%\<random, matching '[a-z]{8}'>.exe 37
%SystemRoot%\SysWOW64\config\systemprofile 34
%SystemRoot%\SysWOW64\config\systemprofile:.repos 34
%System32%\<random, matching '[a-z]{8}\[a-z]{6,8}'>.exe (copy) 32
%System32%\config\systemprofile:.repos 30
%LOCALAPPDATA%\bolpidti 6
%LOCALAPPDATA%\bolpidti\judcsgdy.exe 6
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\judcsgdy.exe 6
%LOCALAPPDATA%\<random, matching '[a-z]{7,8}'>\<random, matching '[a-z]{6,8}'>.exe 4
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\<random, matching '[a-z]{8}'>.exe 4
%TEMP%\nkvhbcg.exe 1
%TEMP%\baqmtpu.exe 1
%TEMP%\urcoijn.exe 1
%TEMP%\mlbxeaf.exe 1

File Hashes

00ca5ef971e4cf182b08ae1ada010398133e5b915af7bbda40192a3a817403c7
03be408997e91fa250c447c25e0aead57f303b572c78fc175385c6feb03f96d0
0482b5bc337ca5aa1a3a624bfc08efe473346d5f1ba0e17c45f6bafe3d6d0581
0799dcc90c7153219577a5ac0bc91ebd3dbffc71eda7bef6a75968e8be45ad4d
09054a887c18f1e0dd2a1e24cdd134b8d43c0fb7b7337c226a3c3f4ed51438f8
093b6c0dcab0f0331b3b04211c9fe29b54967adca54db9a725de5f979f72f813
0a8affdbae221cfa266f7540a29bc870918f78449ae8381ef7f321ddcc108fb6
222233369706797949c578b97cd43540e27418625f7df5afcecbb382f07c7ae6
243271264d383a285096a7c6753342b0fb90ba4265abc3946475ba2d2e1482d4
291ce104da1a72f7f3f68639652206e4fb4fdf52d3a10e9a38b1309762e51920
45b4b53bf3009c173e6b687386302cef043fc03e0c5c142108ba6e3af19abc9b
45f56697234710e95efd21cacb28dbb6a4f404957d2b9d3ea355c379cd5f064f
4b794cd5ce1b343ca18a7e581017bf830ce71a6d34385d1734b0f456adf866c5
4eb5f07c7e381fd33762d53f887e216632c5f942950af76a33d95fbca64bb657
51dc694344a2b34ff3bc35cfc6277b315ed833f0d20aef0ce6671746d3fbfbbd
641c7406b6147572365d926a01e9560d15b641816d73819e9f95d6e339f9cbcd
74a1afbb3e3b5c283cec35c53d150ec8cfd3460976ec188fb28ac3efece292b2
7eacd84fe08ec4f129f75af6e633124a235a3a5f8a572f446a14ae8d5188707f
81460e03509b3fa094f572d85bef0ada877225c4da820cd3d76741115bee72f9
82ea49824851c7af5a02c02810a383a06a95eed951617ee16d9f887135b2ab53
84ff4f09654aadea13a13bf73e70ac7ebea37d887b09269e41f37bce24750d70
8a84ecc144e51f1b562b0143786db7c934206db7a6c3b6199b035e5040902412
8e239f23b97524edea3b14b85fa0f5deba8071ed2421ebb3c4ce2bc9964966b8
90272397725765a99a032384f9b48e87c2fa4a871dbe77c1b73756f157576959
91680d6f4720aa9a77785ece67fd7ba7aaa9e96b7cc06ffa9e735c45cef4623a

*See JSON for more IOCs

Coverage

ProductProtection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection

AMP


ThreatGrid


MITRE ATT&CK


Win.Dropper.HawkEye-9852573-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 43 samples
Registry KeysOccurrences
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED
Value Name: Hidden
21
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Windows Update
13
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Registry Key Name
2
MutexesOccurrences
3749282D282E1E80C56CAE5A 18
Global\<random guid> 9
Paint 1
IP Addresses contacted by malware. Does not indicate maliciousnessOccurrences
104[.]16[.]155[.]36 12
104[.]16[.]154[.]36 9
31[.]209[.]137[.]12 2
208[.]91[.]199[.]225 1
208[.]91[.]198[.]143 1
23[.]94[.]43[.]90 1
107[.]180[.]54[.]175 1
72[.]29[.]90[.]201 1
78[.]47[.]96[.]212 1
Domain Names contacted by malware. Does not indicate maliciousnessOccurrences
whatismyipaddress[.]com 21
www[.]traucotravel[.]com 3
us2[.]smtp[.]mailhostbox[.]com 2
smtp[.]vivaldi[.]net 2
ymams[.]cf 2
smtp[.]believelogs[.]com 1
paadasala[.]com[.]au 1
smtp[.]decemberdonreach[.]com 1
ymams[.]gq 1
global-dahuatech[.]com 1
loki[.]podcastim[.]net 1
www[.]jennyh1[.]tk 1
smtp[.]bestlogs77[.]com 1
smtp[.]millionslogs[.]com 1
outka[.]tk 1
bergenpremieredentistry[.]us 1
obonwa[.]ml 1
smtp[.]byrnecut-au[.]com 1
paylesssignandprinters[.]ca 1
www[.]tsq-hk[.]com 1
last[.]matrixtomaven[.]com 1
smtp[.]stronghand1[.]com 1
smtp[.]indogal-co[.]site 1
smtp[.]felecln[.]com 1
mail[.]inducenter[.]com[.]bo 1

*See JSON for more IOCs

Files and or directories createdOccurrences
%APPDATA%\pid.txt 21
%APPDATA%\pidloc.txt 21
%APPDATA%\D282E1 18
%APPDATA%\D282E1\1E80C5.lck 18
%APPDATA%\Microsoft\Crypto\RSA\S-1-5-21-2580483871-590521980-3826313501-500\a18ca4003deb042bbee7a40f15e1970b_d19ab989-a35f-4710-83df-7b2db7efe7c5 18
%TEMP%\holdermail.txt 13
%TEMP%\holderwb.txt 13
%APPDATA%\WindowsUpdate.exe 13
%TEMP%\subfolder\filename.exe 2
%TEMP%\subfolder\filename.vbs 2
%ProgramFiles%\Java\jre6\bin\javaws.exe 1
%ProgramFiles%\Java\jre6\bin\jbroker.exe 1
%ProgramFiles%\Java\jre6\bin\jp2launcher.exe 1
%ProgramFiles%\Java\jre6\bin\ssvagent.exe 1
%CommonProgramFiles%\Microsoft Shared\OFFICE14\vMSOXMLED.ico 1
%CommonProgramFiles%\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE 1
%ProgramFiles%\Java\jre6\bin\java-rmi.exe 1
%ProgramFiles%\Java\jre6\bin\java.exe 1
%ProgramFiles%\Java\jre6\bin\keytool.exe 1
%ProgramFiles%\Java\jre6\bin\kinit.exe 1
%ProgramFiles%\Java\jre6\bin\klist.exe 1
%ProgramFiles%\Java\jre6\bin\ktab.exe 1
%ProgramFiles%\Java\jre6\bin\orbd.exe 1
%ProgramFiles%\Java\jre6\bin\pack200.exe 1
%ProgramFiles%\Java\jre6\bin\policytool.exe 1

*See JSON for more IOCs

File Hashes

01a0769f9a3e938756a0472f5c666dca5c54a222d9702ac92313a83944cdf627
0204b4d729d15577e1473ce32b1cd78f97472a85ec3d07de0d343769cf42e620
02412efeb7a947e92f0c75086325a3e04ce84a96c3cfe410bc4e0c4bdec45fb8
1ac74bba789aeaa909c20d764d62fcf9430e1c4cc2fed9856dff7245a322f595
1ae37a520083e73b10b82c04d69f4ffd9a9a8427e37cd458e8065a2bed5f5aa8
2620e5ee10b89659a7a4e119d23bb558d68212644b57cc22e295619b08c2eb37
2895648f184b7aecbedb47c5243c9986ccaf3f8cdf4b8dfe4efadafcda77fb14
299df8df187b618c1fd7883d8aa17929f9cd3e729d6dc587bbb72da94dc15071
45cc93a498d8c0e6dc6cfd38c10da1374f6c6643ed84982ad8f6971a438ec3b3
49dbb7c526aa95d3c96a05e9c4579b9e80f90af6147bb688e7cd9cd64490541d
52eed5b1a0ac850f08951b75d4c052c564371e6eb470a42e94106c9d43fa3a2a
54a0b377ec47b243096d0c850626d8255b60c14124a3eb7991798a76f59d23a2
5a9fd839f306577891b1075a32c8d4ed6a3517c5835e55a03938f1386943cb65
66e9a18dc333952f5d867438d017dc8bc2ceee5c9f0051fd1aa8fc8029835714
6a6de1c0379f7b13eb71b32fb8b8c2467464acceab41876c781864eec220ca40
86a2bec2bdbfd6dcc3f275980c0215f8ac9debc2ce71214f5b21df74c635f2e0
900539ee3f6f9cb4dedba9a0a3e0ec6d6a6eb95dc0204dd0c8ac0fc33499047e
900715875519ea55020de7424fec00aed6ac8fd3e58ddbe076b5ee491612b8ef
9049923e5baed4fb39eb2da9ff7d7435d0f530c0323b9a480bc3f086811c34ce
91389fa8a6234cd884fe96c5f8e5f6d0a13baf357acc1cf44bfb757d6e78fd71
973536f2773e641b3fc6415b388161121c0041e45f3553689b5639490103a217
9bc82f2fedae5b6fe8e31d083814cde8ba5d2376645becd619d5fed28b1879b4
a452f5be74bfee9d017d29d67138e410ddc1f9cd29cd8374c6e28859ed049f9f
a56b96f68c21d60ed1aa9a56fa479442601e99b5a26d372c1d2aacd283f785bb
a68d57ddbabd6c4d329f365bea87058a7328f4b9c9cff958a69e684a612839f4

*See JSON for more IOCs

Coverage

ProductProtection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection

AMP


ThreatGrid


MITRE ATT&CK


Win.Packed.Trickbot-9852642-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 24 samples
MutexesOccurrences
GLOBAL\{<random GUID>} 24
IP Addresses contacted by malware. Does not indicate maliciousnessOccurrences
78[.]108[.]216[.]47 8
185[.]90[.]61[.]9 8
85[.]204[.]116[.]100 7
185[.]14[.]31[.]104 7
107[.]175[.]72[.]141 7
134[.]119[.]191[.]21 7
95[.]171[.]16[.]42 7
192[.]35[.]177[.]64 6
185[.]99[.]2[.]65 6
181[.]112[.]157[.]42 5
192[.]3[.]247[.]123 5
85[.]204[.]116[.]216 5
51[.]81[.]112[.]144 5
134[.]119[.]191[.]11 5
5[.]1[.]81[.]68 4
91[.]235[.]129[.]20 4
194[.]5[.]250[.]121 4
205[.]185[.]216[.]10 3
181[.]129[.]104[.]139 3
185[.]99[.]2[.]66 3
45[.]6[.]16[.]68 3
103[.]12[.]161[.]194 3
200[.]107[.]35[.]154 3
72[.]21[.]81[.]240 2
23[.]3[.]13[.]154 2

*See JSON for more IOCs

Domain Names contacted by malware. Does not indicate maliciousnessOccurrences
apps[.]digsigtrust[.]com 6
apps[.]identrust[.]com 6
cds[.]d2s7q6s2[.]hwcdn[.]net 3
cs11[.]wpc[.]v0cdn[.]net 2
auto[.]au[.]download[.]windowsupdate[.]com[.]c[.]footprint[.]net 1
Files and or directories createdOccurrences
%ProgramData%\Microsoft\Windows\Start Menu\Programs\PowerTools 18
%ProgramData%\Microsoft\Windows\Start Menu\Programs\PowerTools\<original file name>.exe 10

File Hashes

05d857096e8966827e4273c107e876ea9a1d49fdeb1aabbb450d00b09de391f3
0b3846d2c32aa9b114aa4803e2db4114b48fdfc91eb53d25f7e4dc013c656261
0c99ceb4a54818a17eeba68002ec4abe4033940405a0fc8b53952fd3f5b02fc6
1e0ba69e3021f466641265badb25a11c21587dca6cbfc4c4038a81a0ecf30f01
2ab56507fc33a3c8f5a97b5aac78075a741d226df03b15931e4491ae72b9238b
2b107a7f4cbe5750d6fda60c0e795d132972d60b5c48bf4e24a1d53e608ef80e
30b4a73269b434fa208abd76aadae11945bb4a0b5f6e7a9856772373cd7d5c5a
3c2325b373cc5fbf2646fc4b1053fc396bae87570e598d123c53acb3ea9b8785
420d43cc7b14bec337de312395562c102ec97177036006a2522b34dc9f5a7394
4834669d106aa8e9367989061735338457a77d2f79cafdcab3c1b3faa08a6e72
4fb1d7ededcbf51f425cb88d4a83e0bdac690c2603aa80d193155a750806b2b7
53447a479b1b332d6c51e2fb45266ff965a47269189ef796071e7498c85cc7d4
65777713d8ad4d8d84c4817881c6ef8bf5fe743bb5f5423cfa63add399624a2b
668f9d18c65d410534dd17e472f63950fa17cd7fa546e8d580a928b610011ff0
73faa3696e5f0b64a45e859a73121e2e688d957532148ea1be18e1496af3461a
9ef2ef65537234b75717d4a009feae4b8934ec31904410a85bc326f94ba7bddd
a7ed3a3dbf78448c82b4a67526c3c375c2d68dd0e254b9179a2e8befa85c43b1
a80924daeaeda8c48136c79ba114ede1862316cd9f595524edf233c15eb5bf60
a9596f5c3616acea8aab657fd685fc40ef578ea913cf32be88203615a9a4d684
bcaa6505aedef85da244b14fa85468b037e7e5723edb4e7f6c86b32465f46764
d1228e1e241a5b5b2f2fa989bb91c12f98b44021f0feee02e18aae23e71049e4
db2142d47227bed3d78a5b7fb68d7a564c08f9a8e5c5cdb4ec7ab71aca71c874
e543dc225ba2e9368c3a2beb08f965240715f98e3fff301b8b6569fe3d300db6
f8ae6d4221d337ca32de902424054dd5b7a3e170d2f50e3ec50757c1ce13f240

Coverage

ProductProtection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA This has coverage

Screenshots of Detection

AMP


ThreatGrid


MITRE ATT&CK


Win.Trojan.CoinMiner-9852807-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 25 samples
IP Addresses contacted by malware. Does not indicate maliciousnessOccurrences
168[.]119[.]11[.]231 5
Domain Names contacted by malware. Does not indicate maliciousnessOccurrences
haven[.]herominers[.]com 5
Files and or directories createdOccurrences
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\startpa.bat 24
%ProgramFiles%\Experience 24
%ProgramFiles%\Experience\copy.bat 24
%ProgramFiles%\Experience\nvrtc-builtins64_102.dll 24
%ProgramFiles%\Experience\nvrtc64_102_0.dll 24
%ProgramFiles%\Experience\sonis.vbs 24
%ProgramFiles%\Experience\startpa.bat 24
%ProgramFiles%\Experience\nvcuda.dll 19
%ProgramFiles%\Experience\ravina.bat 19
%ProgramFiles%\Experience\WinRing0x64.sys 5
%ProgramFiles%\Experience\config.json 5
%ProgramFiles%\Experience\mam.cmd 5
%ProgramFiles%\Experience\mnv.cmd 5
%ProgramFiles%\Experience\xmrig-cuda.dll 5
%ProgramFiles%\Experience\mooexder.exe 1
%ProgramFiles%\Experience\mooseoxs.exe 1
%ProgramFiles%\Experience\chappi.exe 1
%ProgramFiles%\Experience\vocna.exe 1
%ProgramFiles%\Experience\enjiofix.exe 1
%ProgramFiles%\Experience\domontodi.exe 1
%ProgramFiles%\Experience\solanacolin.exe 1
%ProgramFiles%\Experience\kostinamil.exe 1
%ProgramFiles%\Experience\athip.exe 1
%ProgramFiles%\Experience\sensrhapne.exe 1
%ProgramFiles%\Experience\luexust.exe 1

*See JSON for more IOCs

File Hashes

028b3c5d9f7a9e785914dab08377907cfc56e0b4b4271baf34d1a980a3c2bc17
08913005bee15ea583dcd62988d554dbc86dfd9b9b76ec53880a5bb5a7224ded
0c6043d0dc064c29fb230daf59bdccb1443f07112abaf5c218fd12e5783bf22d
26c08df3af17827d325af9580fd5c37e16427e80202fcadc5e05defe08309fd5
30348ad8e6af6b904eebdf40adaeb87b1a4cea2d107b43373ae19e70fccc9fe7
513aad5d33fe3b952fe5adbf9e6f7509479d90aa5451391185cf9becdb5f56a7
55ad5b1d65a121d8869d7e2352fb18360f6b8585c1852136e0c893eefa51f10a
599a817b8575591f1448ca1d48d9115d00a05a815f3e7e864a87a1f08835c252
645143eb61fc37a854380f60861bbc19cf986939e2f01c1687e546038b7d4fb0
66febb812f25663d3da3441ea154e319213018aec664de7b390dd8ed6d33682a
69d67a7ad81a6d02ed6e84488551b0ab30d796bef30bbea700457e07c18f0889
8394892f456156f9857deca977a674e39d08fd83ee0643c62975440d26ddd214
8c09611d07053a8667eb89b06ef99e25b291062adc2b306bc8caa5b34f4a3a47
9c68be580be5d7ae4c8334f0e593e8f3d3130e9604490c13355be354a1a6091c
9de71ad136749dd06f2bef17c23462e2e3a49451af3cb8e4f49a83d594c2e801
a40e965b116f06d78ffba3d1073e89086d1c381c317178c6cfc8580ad4c6a398
a40fb0c9673fc6cf5186585c7a58161dc1fa8a5b1689811222b583e128c307c2
afa6d95299a29b90e951e194a3c16693d620b5f303e028499b4ba1404c6be9eb
b521b7641eed1422be35b9f2d364151c23c79f4abb4e3efc76e3171d5a62fdf1
bb29cb657a3e4dfacb1dd56986095b3b59e4504e9ae93eed7a78681e791bf443
c0dbbe42e63c048197001ac85aee5a525c0b377aa3b578ce765a9d519dc37bc7
c495a972998cad5213838622160221a5c4284469e2d1c42c49dc01c8cc47b5a6
c6bf79e85eeed17d0b7fd86ed9c9da1fcc4b0394b8da8e66b63cc6552a95f079
ca1e33ea54f3e4f61be36bc17da5ddc33d0802f89a69314364e9d31ba967b367
d81f502c16f39fa73c2311dd4347fc0be5b9775446ac9063bae9ea73fc20c073

*See JSON for more IOCs

Coverage

ProductProtection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA This has coverage

Screenshots of Detection

AMP


ThreatGrid


MITRE ATT&CK


Win.Dropper.DarkComet-9852811-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 43 samples
Registry KeysOccurrences
<HKCU>\SOFTWARE\DC3_FEXEC 43
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Java
43
MutexesOccurrences
DC_MUTEX-DFB3YS8 43
IP Addresses contacted by malware. Does not indicate maliciousnessOccurrences
204[.]95[.]99[.]66 2
Domain Names contacted by malware. Does not indicate maliciousnessOccurrences
pablito89[.]no-ip[.]biz 43
Files and or directories createdOccurrences
%APPDATA%\dclogs 43
%APPDATA%\Java 43
%APPDATA%\Java\csrss.exe 43
%TEMP%\<random, matching '[A-Z]{5}'>.txt 43
%TEMP%\<random, matching '[A-Z]{5}'>.bat 43

File Hashes

06d2273e5a659afc733a29383f13c643cb3f14a44a48676252589d3a76c6c1f6
12d79408ef45c990f8543e640e93e169d747564286c95a8063d9f18a825bc576
1a02e8bccb27c5c32e6774d8ab66f6d372f664cf93c5610fdca1d51028655918
22f30943ef148154186f3992357510b07a6b74c02c7bf2693fe24c19641a3f8d
25500f662a5142728cd5d087412205508befa66a967e1d64aa59d04bb58ab4ac
2b62a9329935f8390be9ba951bdacf55d45d1cb1081e74fb6da7b46e6873137a
2f8066f2f96ce3bb23e5f3682bf2dd6b0cd77ac9ea0bdc57cfb12ac3d9e6c909
321710d188f5b0fae7b2715c2678aedb1de9b1a6f040d60c1cdc9353e9a74a8f
3242dbb41d64adea4c066fc32fa47020fbd4decb80f9cffa2ec253d46e419ed9
39bd78b3f7d755c6a017e6f48103e097fb409fac0683c4bf9ed8fa8183437a49
3d2297f0f02bf47c614ab32e1d66de5b75eeeec90f516fb62a73074e4ece49fa
4257b4f150e86bcf10ee3fcefe5eb97242edcdc5056a790ed6b4d33147631034
4a33722b0f7e797521f929fdd2b05c1640893b93c38cfa21c0609836dc66da89
4babab621ff40f8dbf71bd3d294d441118c374ae86a2495a6287d7436f91d753
4f3a9d243bc3b56f3060e8e2ce21399c91d20a88da4ddffb5988108193f1faa9
50002b3aea729ee704a7a34ed00026f02cf90cd981d56324129d6f2ee1549848
520e691aab3209283477c4a1f2ed6ca7eea32a4d455c0107181c3c9bc9ce16c9
5cea019cb331a2ee859e10252cbaea062061d515f07939ae161fdb1531470e10
60637dda4956308b25e81c9ed5d2f99c0d245c84dd20805efa63785567569eea
698d64049d58df70686ea7fe271d4af603e90639e462afcd0565e2a11eb302e5
6d35f8bee76f0d63c57e4a21c942869ad6fbbfd4a9b6a61a5839617ca5d50ce7
6da5848be10590b5249499320a7e1c53b9a5178371cff2ced1c5acb964c49968
70f83e6f3c4d40a0d4dd367dde590d901239f89635bfac416ace28324a349be3
76d189a3deab5dfe695a52cf34fa7651052d631a4c120bc1efb3b1f44f829d9e
7ff7efedc234f54d1788829cfec0f06851774d768b5557cd467c1f0e2422880c

*See JSON for more IOCs

Coverage

ProductProtection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

AMP


ThreatGrid


MITRE ATT&CK


Win.Dropper.NetWire-9852865-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 12 samples
MutexesOccurrences
igSqRIrw 6
YbEJloQP 2
qGhFgqok 2
IP Addresses contacted by malware. Does not indicate maliciousnessOccurrences
174[.]127[.]99[.]153 1
181[.]214[.]55[.]26 1
Domain Names contacted by malware. Does not indicate maliciousnessOccurrences
ewnetco2[.]tecktalk[.]org 8
netkash[.]tecktalk[.]org 2
Files and or directories createdOccurrences
%TEMP%\RarSFX0 12
%TEMP%\RarSFX0\.Identifier 10
%APPDATA%\Install 8
%APPDATA%\Install\Host.exe 8
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\Host.lnk 8
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\Paonmsiyy.lnk 2
%APPDATA%\Vrmkwhrrxoeo 2
%APPDATA%\Vrmkwhrrxoeo\Paonmsiyy.exe 2
%TEMP%\RarSFX0\Paonmsiyy.exe 2
%TEMP%\RarSFX0\Isvxamvenagx.xml 1
%TEMP%\RarSFX0\Nrmkwhrrx.exe 1
%APPDATA%\Zbulmig\Isvxamvenagx.xml 1
%APPDATA%\Zbulmig\Nrmkwhrrx.exe 1
%TEMP%\RarSFX0\Inmsiyyksslp.exe 1
%TEMP%\RarSFX0\Oenagxehdojkiicchm.xml 1
%APPDATA%\Wrxoeoao\Inmsiyyksslp.exe 1
%APPDATA%\Wrxoeoao\Oenagxehdojkiicchm.xml 1
%TEMP%\RarSFX0\Evxamvenagxehd.xml 1
%TEMP%\RarSFX0\Oiyyksslpjuy.exe 1
%APPDATA%\Zrrxoeoaonms\Evxamvenagxehd.xml 1
%APPDATA%\Zrrxoeoaonms\Oiyyksslpjuy.exe 1
%TEMP%\RarSFX0\Hamvenagxeh.xml 1
%TEMP%\RarSFX0\Xoaonms.exe 1
%APPDATA%\Zgrmkwhrrxoe\Hamvenagxeh.xml 1
%APPDATA%\Zgrmkwhrrxoe\Xoaonms.exe 1

*See JSON for more IOCs

File Hashes

0b469098eb822d843edab13c9a7a29ea50339b5e82ed27442cef30996eacd85c
0fca725683c5d572a8f21000b33ec148d84c9c9a00b983ce0a84ba0718571208
112cf4ffed8390bd69398dfc8070ef32fd301abb894de4b01299a6cf083575a8
14c3715a178765759a652bfa73550723d207a7e96baf3a34d5a511be8a1445da
1af4c300cfbd145f76fd2129fdd766e246c6f391785d4b21c706ff7ea97e5cee
485389b3d6cba1a66c20b373247c5e09872eb00450581d26f8e47ff5ff8f739f
6d2d281f931169f430123598f00e3f103d5a60f227d364bb7bcdf55762efac2b
77d0f97f1e3c0fa0e4d5ae51c2f4f472cb391df4db33b77be1823b0d247e84ef
a71f95541eb2fb9ca713cb7c83e8ae22324d08e35a2ac768ec559f5125af2a63
b0902c20a6d77d7b1c3ebe71ff4ca9d82971a7ad94ed9ef99f6957cf35db7089
ff8607cbb4774fe24d1c501179cb7e9044ea746e44d3ed0427eeba09d7c90814
ffc4a6ff0c7361f2fd5df8647de4c9e9a2e9eeb191937baf9796559e28c2d9e5

Coverage

ProductProtection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

AMP


ThreatGrid


MITRE ATT&CK


Exploit Prevention

Cisco AMP for Endpoints protects users from a variety of malware functions with exploit prevention. Exploit prevention helps users defend endpoints from memory attacks commonly used by obfuscated malware and exploits. These exploits use certain features to bypass typical anti-virus software, but were blocked by AMP thanks to its advanced scanning capabilities, even protecting against zero-day vulnerabilities.

Process hollowing detected - (10974)
Process hollowing is a technique used by some programs to avoid static analysis. In typical usage, a process is started and its obfuscated or encrypted contents are unpacked into memory. The parent then manually sets up the first stages of launching a child process, but before launching it, the memory is cleared and filled in with the memory from the parent instead.
Trickbot malware detected - (6263)
Trickbot is a banking Trojan which appeared in late 2016. Due to the similarities between Trickbot and Dyre, it is suspected some of the individuals responsible for Dyre are now responsible for Trickbot. Trickbot has been rapidly evolving over the months since it has appeared. However, Trickbot is still missing some of the capabilities Dyre possessed. Its current modules include DLL injection, system information gathering, and email searching.
Excessively long PowerShell command detected - (2221)
A PowerShell command with a very long command line argument that may indicate an obfuscated script has been detected. PowerShell is an extensible Windows scripting language present on all versions of Windows. Malware authors use PowerShell in an attempt to evade security software or other monitoring that is not tuned to detect PowerShell based threats.
A Microsoft Office process has started a windows utility. - (1971)
A process associated with Microsoft Office, such as EXCEL.exe or WINWORD.exe, has started a Windows utility such as powershell.exe or cmd.exe. This is typical behavior of malicious documents executing additional scripts. This behavior is extremely suspicious and is associated with many malware different malware campaigns and families.
Crystalbit-Apple DLL double hijack detected - (1456)
Crystalbit-Apple DLL double hijack was detected. During this attack, the adversary abuses two legitimate vendor applications, such as CrystalBit and Apple, as part of a dll double hijack attack chain that starts with a fraudulent software bundle and eventually leads to a persistent miner and in some cases spyware deployment.
Squiblydoo application whitelist bypass attempt detected. - (632)
An attempt to bypass application whitelisting via the "Squiblydoo" technique has been detected. This typically involves using regsvr32.exe to execute script content hosted on an attacker controlled server.
Kovter injection detected - (490)
A process was injected into, most likely by an existing Kovter infection. Kovter is a click fraud Trojan that can also act as an information stealer. Kovter is also file-less malware meaning the malicious DLL is stored inside Windows registry and injected directly into memory using PowerShell. It can detect and report the usage of monitoring software such as wireshark and sandboxes to its C2. It spreads through malicious advertising and spam campaigns.
Dealply adware detected - (426)
DealPly is adware, which claims to improve your online shopping experience. It is often bundled into other legitimate installers and is difficult to uninstall. It creates pop-up advertisements and injects advertisements on webpages. Adware has also been known to download and install malware.
Reverse http payload detected - (123)
An exploit payload intended to connect back to an attacker controlled host using http has been detected.
Gamarue malware detected - (116)
Gamarue is a family of malware that can download files and steal information from an infected system. Worm variants of the Gamarue family may spread by infecting USB drives or portable hard disks that have been plugged into a compromised system.