Today, Talos is publishing a glimpse into the most prevalent threats we've observed between April 30 and May 7. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post summarizes the threats we've observed by highlighting key behavioral characteristics and indicators of compromise, and by discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats are subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. A visual depiction of the MITRE ATT&CK techniques associated with each threat is also shown. In these images, the brightness of the technique indicates how prevalent it is across all threat files where dynamic analysis was conducted. There are five distinct shades that are used, with the darkest indicating that no files exhibited technique behavior and the brightest indicating that technique behavior was observed from 75 percent or more of the files.
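The two reminders above, that an IOC has to be refanged before it can be searched and that one hit on its own is weak evidence, are easy to get wrong in a hurried hunt. The following is an added example, not Talos code and not the accompanying JSON tooling: it takes a handful of indicators copied from the tables in this post, refangs them, runs them over constructed log lines, and reports a host only when several distinct indicators of one family coincide. It also adds one behavioural check for the reversed-IP DNSBL lookups listed in the Tofsee section, which identify a spam bot checking its own reputation rather than any single domain. The log format, host names and scoring threshold are this example's assumptions.

```python
"""
Added example, not Talos code: refang the defanged indicators published in this
roundup and run them over sample log lines, reporting a host only when several
independent indicators of one family line up (the "a single IOC does not
necessarily indicate maliciousness" rule), plus one behavioural check for the
reversed-IP DNSBL lookups seen in the Tofsee section. IOC values are taken from
the tables in this post; the log lines and host names are constructed.
"""
import re
from collections import defaultdict

IOCS = {  # a few indicators per family, copied from the roundup
    "Win.Trojan.Zusy-9857540-0": {
        "domains": ["wg6dsyguhifksyfhsjofhjs[.]org", "sb6vdfysguftsgfuhiksnjdo[.]org"],
        "ips": [], "mutexes": ["dzpovjma"]},
    "Win.Downloader.Upatre-9856675-0": {
        "domains": ["huyontop[.]com"], "ips": ["173[.]231[.]184[.]124"], "mutexes": []},
    "Win.Dropper.Bifrost-9857090-1": {
        "domains": ["getmalware[.]com"], "ips": ["172[.]105[.]155[.]183"], "mutexes": ["Tr0gBot"]},
}
# DNSBL zones the Tofsee samples queried with their own reversed IP prepended.
DNSBL_ZONES = ("bl.spamcop.net", "cbl.abuseat.org", "dnsbl.sorbs.net",
               "sbl-xbl.spamhaus.org", "zen.spamhaus.org")
DNSBL_QUERY = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.("
                         + "|".join(re.escape(z) for z in DNSBL_ZONES) + r")$")
TOKEN = re.compile(r"(\w+)=(\S+)")  # key=value fields in the constructed log format

# Constructed log lines: "<time> <host> <event> key=value ..."
SAMPLE_LOGS = """\
2021-05-03T10:01:02 ws-17 dns query=wg6dsyguhifksyfhsjofhjs.org
2021-05-03T10:01:03 ws-17 dns query=sb6vdfysguftsgfuhiksnjdo.org
2021-05-03T10:01:09 ws-17 mutex name=dzpovjma pid=4120
2021-05-03T10:05:44 ws-02 dns query=www.google.com
2021-05-03T10:06:10 ws-02 conn dst=173.231.184.124:80
2021-05-03T11:12:00 mail-1 dns query=249.5.55.69.zen.spamhaus.org""".splitlines()


def refang(value):
    """Turn the post's 'a[.]b' notation back into a matchable 'a.b'."""
    return value.replace("[.]", ".")


def indicators_in_line(line):
    """Yield (family, kind, defanged_value) for every IOC value present in the line."""
    fields = dict(TOKEN.findall(line))
    values = set(fields.values())
    if "dst" in fields:                      # compare the address without its port
        values.add(fields["dst"].rsplit(":", 1)[0])
    for family, kinds in IOCS.items():
        for kind, raw_values in kinds.items():
            for raw in raw_values:
                if refang(raw) in values:
                    yield family, kind, raw


def dnsbl_self_check(query):
    """Return (looked_up_ip, zone) if query is a reversed-IP DNSBL lookup, else None."""
    m = DNSBL_QUERY.match(query)
    if not m:
        return None
    return ".".join(reversed(m.group(1, 2, 3, 4))), m.group(5)


def score_hosts(lines, min_distinct=2):
    """Collect distinct IOC hits per (host, family); report only hosts that reach
    min_distinct different indicators of the same family. Behavioural hits are
    returned separately because they stand on their own."""
    seen = defaultdict(set)
    behaviours = defaultdict(set)
    for line in lines:
        parts = line.split(maxsplit=2)
        if len(parts) < 3:
            continue
        host = parts[1]
        for family, kind, raw in indicators_in_line(line):
            seen[(host, family)].add((kind, raw))
        hit = dnsbl_self_check(dict(TOKEN.findall(line)).get("query", ""))
        if hit:
            behaviours[host].add(f"DNSBL self-check of {hit[0]} via {hit[1]}")
    report = {}
    for (host, family), hits in seen.items():
        if len(hits) >= min_distinct:
            report.setdefault(host, {})[family] = sorted(hits)
    return report, dict(behaviours)


if __name__ == "__main__":
    matched, behaved = score_hosts(SAMPLE_LOGS)
    for host, families in matched.items():
        for family, hits in families.items():
            print(f"{host}: {family} ({len(hits)} distinct indicators) {hits}")
    for host, notes in behaved.items():
        print(f"{host}: {', '.join(sorted(notes))}")
```

Run as written, ws-17 is reported for Zusy on three distinct indicators (two domains and the mutex), ws-02 is not reported because its single Upatre address hit stays below the threshold, and mail-1 is called out for the DNSBL self-check of 69.55.5.249. Loading the full JSON instead of the inline dict is a matter of replacing IOCS; the refang and scoring logic does not change.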

The most prevalent threats highlighted in this roundup are:

Threat Name | Type | Description
Win.Trojan.Zusy-9857540-0 | Trojan | Zusy, also known as TinyBanker or Tinba, is a trojan that uses man-in-the-middle attacks to steal banking information. When executed, it injects itself into legitimate Windows processes such as "explorer.exe" and "winver.exe." When the user accesses a banking website, it displays a form to trick the user into submitting personal information.
Win.Packed.Xcnfe-9856622-0 | Packed | Xcnfe is a generic name for the Dridex banking trojan that's downloaded onto a target's machine.
Win.Downloader.Upatre-9856675-0 | Downloader | Upatre is a malicious downloader often used by exploit kits and phishing campaigns. Upatre downloads and executes malicious executables such as banking malware.
Win.Packed.Tofsee-9856852-1 | Packed | Tofsee is multi-purpose malware that features several modules to carry out various activities such as sending spam messages, conducting click fraud, mining cryptocurrency and more. Infected systems become part of the Tofsee spam botnet and are used to send large volumes of spam messages to infect additional systems and increase the overall size of the botnet under the operator's control.
Win.Packed.Razy-9857213-0 | Packed | Razy is oftentimes a generic detection name for a Windows trojan. The malware collects sensitive information from the infected host and encrypts the data before sending it to a command and control (C2) server. Information collected might include screenshots. The samples modify auto-execute functionality by setting and creating a value in the registry for persistence.
Win.Dropper.DarkComet-9856982-1 | Dropper | DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system. Capabilities of this malware include the ability to download files from a user's machine, mechanisms for persistence and hiding, and the ability to send back usernames and passwords from the infected system.
Win.Packed.Phorpiex-9857011-1 | Packed | Phorpiex is a trojan and worm that infects machines to deliver follow-on malware. Phorpiex has been known to drop a wide range of payloads, from malware that sends spam emails to ransomware and cryptocurrency miners.
Win.Dropper.Bifrost-9857090-1 | Dropper | Bifrost is a backdoor with more than 10 variants. Bifrost uses the typical server, server builder and client backdoor program configuration, allowing a remote attacker using the client to execute arbitrary code on the compromised machine. Bifrost contains standard RAT features including a file manager, screen capture utility, keylogging, video recording, microphone and camera monitoring, and a process manager. Bifrost uses a mutex that may be named "Bif1234," or "Tr0gBot" to mark its presence on the system.
Win.Trojan.Zegost-9857108-0 | Trojan | Zegost is a remote access trojan designed to provide an attacker with complete control over an infected system. Capabilities include monitoring keystrokes, collecting video footage from the webcam and uploading/executing follow-on malware. Zegost appears to be derived from Gh0stRAT, which is a well-known remote access trojan that had its source code leaked, thus significantly lowering the barrier to entry for actors looking to modify and reuse the code in new attacks.

Threat Breakdown

Win.Trojan.Zusy-9857540-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 31 samples
Registry Keys | Occurrences
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
Value Name: Shell
31
Mutexes | Occurrences
dzpovjma 31
Domain Names contacted by malware (does not indicate maliciousness) | Occurrences
wg6dsyguhifksyfhsjofhjs[.]org 31
sb6vdfysguftsgfuhiksnjdo[.]org 31
Files and/or directories created | Occurrences
%ProgramData%\fxc_wzyx.exe 31
%LOCALAPPDATA%\fxc_wzyx.exe 31
%TEMP%\<random, matching [A-F0-9]{1,4}>.tmp 31

File Hashes

06035f886b09035e71df96fc12870712bfa841261110b01231e124aeae07e8a7
09fc798237110e38513c36c79c529be481cf4832953e7c8d9057a66aef8d6caa
0b29ddc013bd2b8bb3a5b22d1eaa0ee57f3476e3446b312f305172058a2606ca
120acbbc025980662c8c8478fe98bfd8483495cf3a2e51ebefce1f188790e3ff
12455b2c320afe3622c9cb86720ae16fc35f87eb1230f3aaafd68f7683f7831f
243f1cb5084122a4f7b848441f4c81c866aaaea875368d5fa5d833b498228452
2962e46ac5d0d44ce429dbc59f61149fd8280e8216e23ea59186e9a1073d5f86
2bf868d445616ca4bc35705a3b87a7a5709c4dedeea5d4f29e46749ef67e8637
2d8bccf938838fc0b7ec96d1ac62f6f5ce144abd09269035913eccca8ca26b5d
34047d76a38bd7e2fd46c18db183d4ec3d66bd8a06be87542e137458f54df89c
40aeb900a3de01850c84de80ba4fac4057ed221a86b7c4cb6e74ad9759fc0a68
4101d1b29b55f148bcd4f7ab13d3c8c1b385e0668a6e508cb2fe5b295daf9bc5
44882e1a89ced6eb33147ef832f7b1c4264722e3a036f5678a539846de901403
4c5c3fb9e703354acbdd8b24e9ae74ae8b936772eaa647e13f3ce604d4c42702
4e8c829445cbf0e6afc4da43744603575d5c2cef10af756b35dc2ef65772128e
500300eb4bf85695396a2968a085c41ff977d0da8f115eabb5ad1ef93bbf589e
58bde4c589c1954b5f43269c2b9c9bc923b08bc628da5f1dc0e3a7f06a37efff
5a01d0fca9815d4b5e321d531ee0430098660588a050936910fea926a5028a99
5a65780a6b257b0f9be29be97bdb352adbdd84487fb9c61d306318adb4d55785
5c0f01e0a016b35764b831d21a3b29a264844ec97852376e7c0181231797d775
5ffabea11fda2f995ef8d456be5d86fbb368214df0ed9d25d78e7351d7fe4079
6414f4fae31ad23773e9240c4c6b8f9546c221bb8f78ce3d2c6f0ec52dd01d48
66e2278b448958d17d9bb761bd772ae32b91caeaa9ce7e34f0e761d880ca582b
6719b57a0187852cd3e918be1f670d1cd76c18d88c4a5581fdb8be19c7e35da1
73c3b35eddffa33d2e465eddad7e94ad1af1a8addf8d0693a0ed06f2329d3ff6

*See JSON for more IOCs

Coverage

Product | Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

AMP


ThreatGrid


MITRE ATT&CK


Win.Packed.Xcnfe-9856622-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 25 samples
Mutexes | Occurrences
<random, matching [A-Z0-9]{10}> 25
IP Addresses contacted by malware (does not indicate maliciousness) | Occurrences
104[.]23[.]98[.]190 14
104[.]23[.]99[.]190 11
172[.]217[.]197[.]138/31 8
72[.]21[.]81[.]240 4
172[.]217[.]197[.]113 4
205[.]185[.]216[.]42 4
205[.]185[.]216[.]10 4
173[.]194[.]175[.]100/31 4
173[.]194[.]175[.]102 3
173[.]194[.]175[.]138/31 3
172[.]217[.]197[.]100/31 2
172[.]217[.]197[.]102 1
8[.]249[.]225[.]254 1
8[.]249[.]221[.]254 1
Domain Names contacted by malware (does not indicate maliciousness) | Occurrences
pastebin[.]com 25
www3[.]l[.]google[.]com 25
w[.]google[.]com 25
cds[.]d2s7q6s2[.]hwcdn[.]net 8
cs11[.]wpc[.]v0cdn[.]net 4
auto[.]au[.]download[.]windowsupdate[.]com[.]c[.]footprint[.]net 2
www[.]gckdh5jtha[.]com 1
www[.]ki6b8pwcba[.]com 1
www[.]skuunwu53h[.]com 1
www[.]7tfy3f8570[.]com 1
www[.]e2wccp93ck[.]com 1
www[.]af5eo24rvq[.]com 1
www[.]jlpt6qt91n[.]com 1
www[.]dfr5lmyd6n[.]com 1
www[.]jlhjg2piqr[.]com 1
www[.]bsot1he1em[.]com 1
www[.]suswxxlgyg[.]com 1
www[.]vlbuiuiycr[.]com 1
www[.]hvtju38aml[.]com 1
www[.]ktdkvrhjg5[.]com 1
www[.]abuesyyhvw[.]com 1
www[.]u6apvcwrot[.]com 1
www[.]pybhpkdlpo[.]com 1
www[.]3p96ptxpcz[.]com 1
www[.]xm2bw0vfue[.]com 1

*See JSON for more IOCs

Files and/or directories created | Occurrences
<malware cwd>\old_<malware exe name> (copy) 25

File Hashes

0b5cff79c4ea947e82186ef6780bb299d038f2b876c3a5dd92990c423c2f9357
0ea0200fcd8f7c7bf432425c6036eeb75ba6504fca1bfbef8654bf40e0b0f962
0f98927b4c5d572f7b3fb2764c0b9923864d501844e7e2db9fd2b77c1390a3fc
1d1dabc71dd73e27aab81e964e08e98306d5a54888d41eb5ae34eb8c542607ea
2405ac0e517a598b1df82ac9a4d8ed8dd834361630672338c9591a8faaf560b5
257f49a3f183760a191edec78e895d558eed18f8375d19218214051c5a2b2bca
26d6ee53eea4e4c07b94595227b2c37c44b57e96b9f3b93b8961f6b178ab8355
2b2750be19f2ddbcb9ac85d15741cf0f583cadec70e581a3dc6099ae6d2a6dce
2d506b758e08c42438161b639b7ce796385769764e441d8d99c669f00d9b9c23
34bf993d2d533a41779a725a7a6c851a2d52e93c6ff1cd894747594cef1a8a54
38689b757a603ecde144ff67471930f4dc778a03b9632d2ced2b230ea54ef136
39f5a906478f366310971fae2edaced72aa7a33a54f12ee3aba33ac775935395
3a83726474cd0c6a2b5538aea59a450979c2df5a9c114db547ba0d7b24620506
3dc0ab6bc35c37d6950fc1dd578890850fd9c58543fdc4a7f137f72564419966
466c538c98d9f9f4b19f7306875f9ca5f0cd171d2af8477b2fa7c26c23d5948e
4683f136711a6786ed1231320c71a54167483f6106d1155ada43edbe859f7595
474ed2e7904395a5f1b1ca5b5c779a5c5e134664c13ddb8cb00c9eb9e1659c4e
47adcde381cc05aafb7faf88c79d227217ac9e8257bd0454e98758aef6d401f6
4b112ef3f16c273d17f1923c3a7aabf263cae27e8bfcb6fcccde9d753adfc6fe
4ba2696c55736ce561d9e928b620f202aa1b65304885b581aef161f1075a1c1b
524a7bdbd32f62ad3579582b27b0c96ea871fa531376e59a3f32c56e4b17c3f1
528d0afda03c8eab4fda9b9fdf6ce8eea0327ec55ac084a6cc5f701ba23f0d9e
55136a4210988dfd843851f75d9b2a795a9591d032f5d26ae23c2f5bf01cff73
5e3c66c57c201684e4f42848eda36e722e2a28a1b8e7a7dcdbf12fbd91f54513
618663f400e50ad57801a1391a569c7f3bc9297251e886f03db24522a18e7b8c

*See JSON for more IOCs

Coverage

Product | Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

AMP


ThreatGrid


Win.Downloader.Upatre-9856675-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 21 samples
IP Addresses contacted by malware (does not indicate maliciousness) | Occurrences
173[.]231[.]184[.]124 20
Domain Names contacted by malware (does not indicate maliciousness) | Occurrences
huyontop[.]com 20
Files and/or directories created | Occurrences
%TEMP%\fcbnaf.exe 21
%TEMP%\nddkje.exe 20

File Hashes

*See JSON for more IOCs

Coverage

Product | Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection

AMP


ThreatGrid


MITRE ATT&CK


Win.Packed.Tofsee-9856852-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 13 samples
Registry Keys | Occurrences
<HKU>\.DEFAULT\CONTROL PANEL\BUSES 13
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> 13
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: Type
13
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: Start
13
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: ErrorControl
13
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: DisplayName
13
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: WOW64
13
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: ObjectName
13
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: Description
13
<HKU>\.DEFAULT\CONTROL PANEL\BUSES
Value Name: Config2
13
<HKU>\.DEFAULT\CONTROL PANEL\BUSES
Value Name: Config0
13
<HKU>\.DEFAULT\CONTROL PANEL\BUSES
Value Name: Config1
13
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: ImagePath
9
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\yrflksyn
3
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\haoutbhw
2
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\kdrxwekz
2
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\gzntsagv
1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\tmagfnti
1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\zsgmltzo
1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\piwcbjpe
1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\buionvbq
1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\dwkqpxds
1
IP Addresses contacted by malware (does not indicate maliciousness) | Occurrences
157[.]240[.]18[.]174 13
217[.]172[.]179[.]54 13
144[.]76[.]108[.]82 13
51[.]178[.]207[.]67 13
195[.]242[.]110[.]99 13
87[.]251[.]71[.]150 13
43[.]231[.]4[.]7 10
212[.]22[.]87[.]191 10
104[.]47[.]53[.]36 9
216[.]239[.]36[.]126 8
172[.]217[.]12[.]164 7
91[.]203[.]5[.]144 7
172[.]217[.]10[.]35 6
142[.]250[.]64[.]99 6
5[.]8[.]10[.]237 6
13[.]107[.]21[.]200 5
40[.]112[.]72[.]205 5
172[.]217[.]10[.]228 5
37[.]1[.]217[.]172 5
104[.]47[.]54[.]36 4
67[.]195[.]228[.]106 4
188[.]125[.]72[.]74 4
98[.]136[.]96[.]76/31 4
67[.]195[.]204[.]72/31 4
40[.]113[.]200[.]201 3

*See JSON for more IOCs

Domain Names contacted by malware (does not indicate maliciousness) | Occurrences
249[.]5[.]55[.]69[.]bl[.]spamcop[.]net 13
249[.]5[.]55[.]69[.]cbl[.]abuseat[.]org 13
249[.]5[.]55[.]69[.]dnsbl[.]sorbs[.]net 13
249[.]5[.]55[.]69[.]in-addr[.]arpa 13
249[.]5[.]55[.]69[.]sbl-xbl[.]spamhaus[.]org 13
249[.]5[.]55[.]69[.]zen[.]spamhaus[.]org 13
microsoft-com[.]mail[.]protection[.]outlook[.]com 13
microsoft[.]com 13
www[.]google[.]com 13
www[.]instagram[.]com 13
www[.]bing[.]com 9
app[.]snapchat[.]com 8
178[.]79[.]134[.]18[.]in-addr[.]arpa 7
234[.]172[.]168[.]18[.]in-addr[.]arpa 7
www[.]google[.]co[.]uk 6
www[.]google[.]ru 6
smtp[.]gmail[.]com 6
work[.]a-poster[.]info 5
api[.]sendspace[.]com 4
i[.]instagram[.]com 3
ip[.]pr-cy[.]hacklix[.]com 3
market[.]yandex[.]ru 3
iv0001-npxs01001-00[.]auth[.]np[.]ac[.]playstation[.]net 3
native-ps3[.]np[.]ac[.]playstation[.]net 3
www[.]amazon[.]com 2

*See JSON for more IOCs

Files and/or directories created | Occurrences
%SystemRoot%\SysWOW64\config\systemprofile 13
%SystemRoot%\SysWOW64\config\systemprofile:.repos 13
%SystemRoot%\SysWOW64\<random, matching '[a-z]{8}'> 13
%TEMP%\<random, matching '[a-z]{8}'>.exe 13
%System32%\config\systemprofile:.repos 11
%System32%\<random, matching '[a-z]{7,8}'>\<random, matching '[a-z]{6,8}'>.exe (copy) 11

File Hashes

*See JSON for more IOCs

Coverage

Product | Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

AMP


ThreatGrid


MITRE ATT&CK


Win.Packed.Razy-9857213-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 25 samples
Mutexes | Occurrences
<random, matching [A-Z0-9]{10}> 25
IP Addresses contacted by malware (does not indicate maliciousness) | Occurrences
104[.]21[.]73[.]114 11
172[.]217[.]11[.]14 10
104[.]21[.]44[.]20 10
172[.]217[.]197[.]100/31 8
172[.]67[.]144[.]180 7
172[.]217[.]197[.]113 6
172[.]217[.]197[.]138/31 6
172[.]67[.]193[.]243 4
172[.]217[.]197[.]102 3
205[.]185[.]216[.]10 1
8[.]248[.]157[.]254 1
Domain Names contacted by malware (does not indicate maliciousness) | Occurrences
www3[.]l[.]google[.]com 20
w[.]google[.]com 10
zipansion[.]com 10
aporasal[.]net 10
cds[.]d2s7q6s2[.]hwcdn[.]net 1
auto[.]au[.]download[.]windowsupdate[.]com[.]c[.]footprint[.]net 1
www[.]1iuclz3kai[.]com 1
www[.]uzijpydycl[.]com 1
www[.]fexd5f6yac[.]com 1
www[.]vulu4td5xk[.]com 1
www[.]7580xuv89c[.]com 1
www[.]cgot2o3kjw[.]com 1
www[.]wuai8ol1cw[.]com 1
www[.]iyeuwyu5u6[.]com 1
www[.]68od3qrs52[.]com 1
www[.]leqpqulymk[.]com 1
www[.]q2bbsiudk0[.]com 1
www[.]g0icrrqa2q[.]com 1
www[.]rxc7vwmxqi[.]com 1
www[.]jrcfaazo8z[.]com 1
www[.]5v47ohilhw[.]com 1
www[.]1oukbejrcr[.]com 1
www[.]nndja1ttwi[.]com 1
www[.]cvfisaqbeo[.]com 1
Files and/or directories created | Occurrences
<malware cwd>\old_<malware exe name> (copy) 25
%System32%\Tasks\iuqcNinke7c5 10
\TEMP\15a1Apq.xml 1
\TEMP\Ytgr8x.xml 1
\TEMP\kCpvHy.xml 1
\TEMP\wIF3flF.xml 1
\TEMP\YWS7Dd.xml 1
\TEMP\Xy1hJzdy.xml 1
\TEMP\kwoOdY9a.xml 1
\TEMP\qwXRioF8.xml 1
\TEMP\Z1Gwu.xml 1
\TEMP\lhpI4S.xml 1
\0NY9K.xml 1
\ShdyS20.xml 1
\st95JF1HT.xml 1
\TaJgF0.xml 1
\FsPxeeL.xml 1
\F2w4Q.xml 1
\B2LMmE.xml 1
\abDqJqDm1.xml 1
\7DKpJkMW.xml 1
\7NC4rp1.xml 1
\MKeaR0p1G.xml 1
\h41ys.xml 1
\62b4RB.xml 1

*See JSON for more IOCs

File Hashes

*See JSON for more IOCs

Coverage

Product | Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

AMP


ThreatGrid


MITRE ATT&CK


Win.Dropper.DarkComet-9856982-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 26 samples
Registry Keys | Occurrences
<HKCU>\SOFTWARE\DC3_FEXEC 8
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: MicroUpdate
5
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
Value Name: UserInit
5
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM 4
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE
Value Name: EnableFirewall
3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE
Value Name: DisableNotifications
3
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM
Value Name: EnableLUA
3
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN 3
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN 3
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN
Value Name: Policies
3
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN
Value Name: Policies
3
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: HKLM
3
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: HKCU
3
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: AntiVirusDisableNotify
2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC
Value Name: Start
2
<HKCU>\SOFTWARE\MYKO 2
<HKCU>\SOFTWARE\MYKO
Value Name: NewIdentification
2
<HKCU>\SOFTWARE\MYKO
Value Name: FirstExecution
2
<HKLM>\SOFTWARE\CLASSES\TYPELIB\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\0\WIN32 1
<HKLM>\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\INPROCSERVER32 1
<HKLM>\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\TOOLBOXBITMAP32 1
<HKLM>\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\INPROCSERVER32 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: winupd32
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE\AUTHORIZEDAPPLICATIONS\LIST
Value Name: \
1
<HKLM>\SOFTWARE\CLASSES\TYPELIB\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\0\WIN32 1
Mutexes | Occurrences
DC_MUTEX-<random, matching [A-Z0-9]{7}> 9
DCPERSFWBP 5
_x_X_BLOCKMOUSE_X_x_ 3
_x_X_PASSWORDLIST_X_x_ 3
_x_X_UPDATE_X_x_ 3
***MUTEX*** 3
***MUTEX***_SAIR 3
***MUTEX***_PERSIST 2
Local\{D45184B2-D44D-4D99-931B-B84626BC5EF2} 1
eed3bd3a-a1ad-4e99-987b-d7cb3fcfa7f0 1
Global\2aaa97e1-aa2f-11eb-b5f8-00501e3ae7b6 1
QKKV@KMOWNDAAREWYBUXHLXCWOWIDJVL 1
DCMIN_MUTEX-N0C67UE 1
PndrEK5SEP- PnDr 1
IP Addresses contacted by malware (does not indicate maliciousness) | Occurrences
94[.]73[.]22[.]187 1
173[.]194[.]207[.]100 1
173[.]194[.]175[.]94 1
173[.]194[.]207[.]94 1
74[.]125[.]192[.]16 1
172[.]217[.]197[.]132 1
209[.]85[.]201[.]94 1
209[.]85[.]201[.]101 1
209[.]85[.]144[.]104 1
173[.]194[.]207[.]84 1
172[.]217[.]197[.]138/31 1
204[.]95[.]99[.]40 1
31[.]170[.]166[.]110 1
2[.]181[.]21[.]179 1
Domain Names contacted by malware (does not indicate maliciousness) | Occurrences
mykoreis55[.]no-ip[.]org 2
scorpion201[.]no-ip[.]biz 2
smtp[.]googlemail[.]com 1
w2[.]pusku[.]com 1
adobes[.]no-ip[.]org 1
ilkcans[.]no-ip[.]biz 1
suloooman[.]no-ip[.]biz 1
yunuspalon[.]noip[.]me 1
unluckyy[.]no-ip[.]org 1
Files and/or directories created | Occurrences
%APPDATA%\dclogs 5
%TEMP%\XX--XX--XX.txt 3
%TEMP%\UuU.uUu 3
%TEMP%\XxX.xXx 3
%APPDATA%\logs.dat 3
%SystemRoot%\SysWOW64\install 3
%HOMEPATH%\Documents\MSDCSC 2
%HOMEPATH%\Documents\MSDCSC\msdcsc.exe 2
%SystemRoot%\NosBot v.1(64Bit).exe 2
\scanranges.txt 1
%HOMEPATH%\Cookies\MSDCSC\msdcsc.exe 1
%APPDATA%\Microsoft\Windows\Cookies\MSDCSC 1
%APPDATA%\Microsoft\Windows\Cookies\MSDCSC\msdcsc.exe 1
%TEMP%\winlogon.exe 1
%SystemRoot%\SysWOW64\MSWINSCK.OCX 1
%TEMP%\ddid 1
%System32%\drivers\etc\hosts 1
\java.exe 1
%ProgramData%\XFH 1
%SystemRoot%\SysWOW64\install\run32dll.exe 1
%SystemRoot%\NosBot v.1(32Bit).exe 1
%ProgramData%\WKODQB 1
%SystemRoot%\SysWOW64\install\nosbot.exe 1
%ProgramData%\WKODQB\BNQ.00 1
%ProgramData%\WKODQB\BNQ.01 1

*See JSON for more IOCs

File Hashes

*See JSON for more IOCs

Coverage

Product | Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

AMP


ThreatGrid


MITRE ATT&CK


Win.Packed.Phorpiex-9857011-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 25 samples
Registry Keys | Occurrences
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDEFEND
Value Name: Start
24
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Microsoft Windows Manager
24
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Microsoft Windows Manager
24
Mutexes | Occurrences
b11 24
IP Addresses contacted by malware (does not indicate maliciousness) | Occurrences
63[.]251[.]106[.]25 24
Domain Names contacted by malware (does not indicate maliciousness) | Occurrences
mokoaehaeihgiaheih[.]ru 24
gohorghosrsohgsri[.]ru 24
Files and/or directories created | Occurrences
E:\autorun.inf 24
E:\.lnk 24
%APPDATA%\winmgr.txt 24
E:\_ 24
E:\DeviceConfigManager.vbs 24
E:\_\DeviceConfigManager.exe 24
\autorun.inf 24
%ProgramFiles(x86)% 24
%SystemRoot%\M-5050507854867567950797590 24
%SystemRoot%\M-5050507854867567950797590\winmgr.exe 24
\.lnk 24
\DeviceConfigManager.vbs 24
\_ 24
\_\DeviceConfigManager.exe 24
%TEMP%\<random, matching '[a-z]{10}'>.bat 24
%LOCALAPPDATA%\Microsoft\CLR_v2.0_32\UsageLogs\<exe name>.log 9

File Hashes

*See JSON for more IOCs

Coverage

Product | Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

AMP


ThreatGrid


Umbrella


MITRE ATT&CK


Win.Dropper.Bifrost-9857090-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 94 samples
Registry Keys | Occurrences
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: overdrive
94
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\RFC1156AGENT\CURRENTVERSION\PARAMETERS
Value Name: TrapPollTimeMilliSecs
52
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\RFC1156AGENT 52
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\RFC1156AGENT\CURRENTVERSION 52
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\RFC1156AGENT\CURRENTVERSION\PARAMETERS 52
<HKLM>\SAM\SAM\DOMAINS\ACCOUNT\USERS\NAMES\'JMALDIVE' 50
Mutexes | Occurrences
Tr0gBot 94
IP Addresses contacted by malware (does not indicate maliciousness) | Occurrences
172[.]105[.]155[.]183 94
Domain Names contacted by malware (does not indicate maliciousness) | Occurrences
getmalware[.]com 94
Files and/or directories created | Occurrences
%TEMP%\overdrive.exe 94

File Hashes

00a265909c53e5596e75680c1cc4c1825a4af771d0451fc451c3506f0bdb9500
036e70449af2b2884a7158d0e0b3bf8abd2d4d0f1ec903b4edec3b08884e7d92
09670ecfdd640d6b32303386cb6d33c2f575a0b4aeb367352aba0a4ff9dfaca1
1216804c5058cf39100a6689f8e5ab5ad40b6eed4de3385c7b81e0c8e6e849bc
1294e453ed31230709597612fc89ba645d3d1db029dcadb815f580f7a2d3106b
12e86bffaf9f04541aede958100e74dca0c13543a71ef590da3a30e9f5f3cfd9
1afa2dd88b4f6df135ca48a32a75a6638103ad86ed3cd28820d63525fb804415
1d641b47753d48c193c63f31ec1b186ad36f588dee7462d7e23a271708ca0967
20b924b7fbe95f7ea8c37526a118aba66fad0d600d0ccfd78ac30af0b3a6a33e
24e399d6c89cc23c6330e282d8fb0363c3a57c652c59525eec8b2a9c9a414762
26ea70f9b618e93f9275ee1fca5b23e2def4d00ab0a25da3e4fb987a49dc5a26
2c246da9abfb63b278fd22366f448a8dc7566a5d70f74b2e131e3cb934d910a4
2cc7fb9bf23f62784334d53b5158457307c7859cd4f543dcc6a7ef05ef8d83a7
2d1e2a72492c3730dc730361844011bd0058a6bba52738dafc937f53e348d4e6
30005ef3d79215aa36bcb3363e39b91382314fc2511b81c7c4186645114e6dc4
35abc44e6c8c6f6d403bf7f73b51a85116e0d3ebf3dfb2ee6e545cd6b3413ded
3601cfd9b6758641a969d8540d9167158d8ed4108b38e5fcfb0cdb238218bb5a
3b4301076ec65e3ce1faf410befbffe6a5aa29a342d48d8337cfbb055ad749e1
3c513455c090fb3c3b99f99155c54bd015d1d8bf5552aed719cb43d19e20d012
3da40029ff725065372a5daf42803dba1b220aea6612e93b54598db8d699d649
43a78a581c7c199b704a0196d20117bcc0edb7800e005cc07919f7bb0f50e8a8
45859753459ec2d9f292477f36a5f7fbe70bf4a04502bb3f6a35ff7de5ca21fa
4994156ba65b2b706d655ac87af8c015f60d9aa696ee089910d2eed3636c4778
4a347c8850faa0eb0a993dd674c67b7c3a80a2a53566400df0f4df590955cefa
4ce9e4f3e8f3a39b1bcab3a4534db3404e8e5dc5fec28f3a7e44f22513a98593

*See JSON for more IOCs

Coverage

Product | Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection

AMP


ThreatGrid


MITRE ATT&CK


Win.Trojan.Zegost-9857108-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 25 samples
Registry Keys | Occurrences
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM
Value Name: EnableLUA
25
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM
Value Name: ConsentPromptBehaviorAdmin
25
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM
Value Name: PromptOnSecureDesktop
25
<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\156 25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\BEEP
Value Name: BEEP
25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\BEEP
Value Name: ErrorService
25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\BEEP
Value Name: svcname
25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> 25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: Type
25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: Start
25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: ErrorControl
25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: ImagePath
25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: WOW64
25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: ObjectName
25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: Description
25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: ConnectGroup
12
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\EL5DST3F\PARAMETERS 8
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SVCHOST
Value Name: El5dST3F
8
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\EL5DST3F\PARAMETERS
Value Name: ServiceDll
8
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: DisplayName
7
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\BIGBE3HE\PARAMETERS 5
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SVCHOST
Value Name: BIgbe3he
5
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\BIGBE3HE\PARAMETERS
Value Name: ServiceDll
5
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\HP5SEKDI\PARAMETERS 5
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SVCHOST
Value Name: HP5SEkDi
5
Mutexes | Occurrences
Global\KFIStart Menu 25
CK8TDjZpBKIpmTIsETE1u-DgCTVRDKkh 3
86IRDTISDKVTE5cguP/5w5c17ftqETlRDHi= 2
yeY5uO/Sveo17jITE6lSmTIsETE1u-DgCTAP/m== 2
86tODK8TDThZEidsEjETmOgT7jNPDjVs/m== 1
EjATDjVpDTZSmTIsETE1u-DgCTVRDKoh 1
yfANCKtpE6tSDjV1EjITESc2yOhqC6lZD/i= 1
86VNDT8QBKtPE5cgveHRmOcewKNZBKUh 1
y6VSCKEZDjEPEidsEjETmOgT7jNZDKkh 1
86yPE6IND6E1EjITESc2yOhqDjhQ/m== 1
wPUUxOD1u6yODjhQmTIsETE1u-DgCTVRDKoh 1
8eAZE6yPDjIQDScgveHRmOcewKNZDKlR/m== 1
86ZpDjITE6tPDScgveHRmOcewKNQDTyZ/m== 1
yf/eD68sE6lSD68QmTIsETE1u-DgCTVRDKkh 1
y68REjZZEjhTD5dsEjETmOgT7jNSE6lS/m== 1
86ySDThSEjANCJdsEjETmOgT7jNZDKlR/m== 1
86hZETVNEThpDJdsEjETmOgT7jNSEjIZ/m== 1
y6yPETIRE6l17zYUxJc17ftqBKlRDHi= 1
y6yPETZRCKV1EjITESc2yOhqD6ER/m== 1
yfhsE6EODjlpCKh1EjITESc2yOhqBKlR/m== 1
y-7pu-7bveARmTIsETE1u-DgCTVRDKkh 1
86VsC6INETARDJdsEjETmOgT7jNZDKlR/m== 1
Global\7ddbbae1-aab9-11eb-b5f8-00501e3ae7b6 1
IP Addresses contacted by malware (does not indicate maliciousness) | Occurrences
157[.]122[.]62[.]205 5
59[.]42[.]71[.]178 4
14[.]210[.]222[.]241 3
189[.]163[.]17[.]5 2
183[.]236[.]2[.]18 1
188[.]5[.]4[.]96 1
77[.]4[.]7[.]92 1
23[.]89[.]5[.]60 1
219[.]132[.]66[.]14 1
183[.]44[.]163[.]231 1
14[.]210[.]98[.]141 1
59[.]35[.]32[.]87 1
219[.]132[.]74[.]85 1
14[.]113[.]128[.]191 1
64[.]106[.]148[.]71 1
Domain Names contacted by malware (does not indicate maliciousness) | Occurrences
452799839[.]3322[.]org 3
a306310821[.]gnway[.]net 2
qiangqiang32101[.]3322[.]org 2
q503983725[.]3322[.]org 1
a450526783[.]3322[.]org 1
312789691[.]3322[.]org 1
qq444914178[.]3322[.]org 1
a846578461[.]gicp[.]net 1
q814287263[.]3322[.]org 1
a6613452[.]3322[.]org 1
zxcvbnm65777[.]3322[.]org 1
aa81667376[.]gicp[.]net 1
qwe553101557[.]3322[.]org 1
a997321466[.]gicp[.]net 1
a616713144[.]3322[.]org 1
a782842790[.]3322[.]org 1
q6623010[.]gicp[.]net 1
q6629048[.]3322[.]org 1
qw312570947[.]3322[.]org 1
suyoujia0[.]3322[.]org 1
a839342100[.]3322[.]org 1
Files and/or directories created | Occurrences
%ProgramFiles(x86)%\MSN 25
%SystemRoot%\SysWOW64\systemwin.log 25
%TEMP%\wqewqe.dat 25
%TEMP%\161186494.bmp 3
%TEMP%\161189490.bmp 2
%TEMP%\161186479.lz 2
%SystemRoot%\SysWOW64\VhToBr.pic 1
%TEMP%\161185886.bmp 1
%SystemRoot%\SysWOW64\038Aps.pic 1
%SystemRoot%\SysWOW64\Je2ZWV.pic 1
%TEMP%\161186806.jpg 1
%TEMP%\161186916.jpg 1
%TEMP%\161188913.bmp 1
%TEMP%\161188913.lz 1
%TEMP%\161189490.lz 1
%SystemRoot%\SysWOW64\lGBHcB.pic 1
%SystemRoot%\SysWOW64\7PDKlb.pic 1
%TEMP%\161186323.lz 1
%TEMP%\161186338.bmp 1
%SystemRoot%\SysWOW64\rS3buJ.pic 1
%TEMP%\161186697.jpg 1
%TEMP%\161189474.lz 1
%SystemRoot%\SysWOW64\VsoBPm.pic 1
%TEMP%\161184357.lz 1
%TEMP%\161184373.bmp 1

*See JSON for more IOCs

File Hashes
*See JSON for more IOCs

Coverage

Product | Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

AMP


ThreatGrid


MITRE ATT&CK


Exploit Prevention

Cisco AMP for Endpoints protects users from a variety of malware functions with exploit prevention. Exploit prevention helps users defend endpoints from memory attacks commonly used by obfuscated malware and exploits. These exploits use certain features to bypass typical anti-virus software, but were blocked by AMP thanks to its advanced scanning capabilities, even protecting against zero-day vulnerabilities.

Process hollowing detected - (10437)
Process hollowing is a technique used by some programs to avoid static analysis. In typical usage, a process is started and its obfuscated or encrypted contents are unpacked into memory. The parent then manually sets up the first stages of launching a child process, but before launching it, the memory is cleared and filled in with the memory from the parent instead.
Excessively long PowerShell command detected - (4198)
A PowerShell command with a very long command line argument that may indicate an obfuscated script has been detected. PowerShell is an extensible Windows scripting language present on all versions of Windows. Malware authors use PowerShell in an attempt to evade security software or other monitoring that is not tuned to detect PowerShell-based threats.
A Microsoft Office process has started a Windows utility. - (2032)
A process associated with Microsoft Office, such as EXCEL.exe or WINWORD.exe, has started a Windows utility such as powershell.exe or cmd.exe. This is typical behavior of malicious documents executing additional scripts. This behavior is extremely suspicious and is associated with many different malware campaigns and families.
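The two behavioral detections above (an excessively long PowerShell command line, and an Office process spawning a Windows utility) can be expressed as simple rules over process-creation telemetry. The following is an added example, not Talos or AMP code: the tab-separated record format, the 1000-character length threshold, and the sample events are all constructed for illustration.

```python
import ntpath

# Constructed sample process-creation records: parent image, image, command line.
# Tab-separated; this is not a real EDR export format.
SAMPLE_EVENTS = "\n".join([
    "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE\t"
    "C:\\Windows\\System32\\cmd.exe\tcmd.exe /c start",
    "C:\\Windows\\explorer.exe\t"
    "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\t"
    "powershell.exe -NoProfile -EncodedCommand " + "A" * 1500,
    "C:\\Windows\\explorer.exe\tC:\\Windows\\System32\\notepad.exe\tnotepad.exe notes.txt",
    "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE\t"
    "C:\\Windows\\System32\\notepad.exe\tnotepad.exe",
])

# Assumed threshold; the roundup gives no specific number for "excessively long".
LONG_POWERSHELL_THRESHOLD = 1000
OFFICE_IMAGES = {"excel.exe", "winword.exe"}      # parents named on the page
WINDOWS_UTILITIES = {"powershell.exe", "cmd.exe"}  # children named on the page


def image_name(path):
    """Lower-cased file name of a Windows path, independent of the host OS."""
    return ntpath.basename(path).lower()


def parse_events(text):
    """Parse the constructed tab-separated records into dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parent, image, cmdline = line.split("\t", 2)
        events.append({"parent": parent, "image": image, "cmdline": cmdline})
    return events


def check_event(event):
    """Return the list of detection names that fire for one process-creation event."""
    findings = []
    image = image_name(event["image"])
    parent = image_name(event["parent"])
    if image == "powershell.exe" and len(event["cmdline"]) > LONG_POWERSHELL_THRESHOLD:
        findings.append("excessively_long_powershell")
    if parent in OFFICE_IMAGES and image in WINDOWS_UTILITIES:
        findings.append("office_started_windows_utility")
    return findings


def scan(text):
    """Return (record index, findings) for every record that triggers a detection."""
    results = []
    for index, event in enumerate(parse_events(text)):
        findings = check_event(event)
        if findings:
            results.append((index, findings))
    return results
```

Note that the last sample record (EXCEL.EXE starting notepad.exe) does not fire: the rule is scoped to the utilities the detection names, not to any child of an Office process.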
Crystalbit-Apple DLL double hijack detected - (953)
Crystalbit-Apple DLL double hijack was detected. During this attack, the adversary abuses two legitimate vendor applications, such as CrystalBit and Apple, as part of a DLL double hijack attack chain that starts with a fraudulent software bundle and eventually leads to a persistent miner and, in some cases, spyware deployment.
Squiblydoo application whitelist bypass attempt detected. - (668)
An attempt to bypass application whitelisting via the "Squiblydoo" technique has been detected. This typically involves using regsvr32.exe to execute script content hosted on an attacker-controlled server.
Kovter injection detected - (438)
A process was injected into, most likely by an existing Kovter infection. Kovter is a click fraud Trojan that can also act as an information stealer. Kovter is also fileless malware, meaning the malicious DLL is stored inside the Windows registry and injected directly into memory using PowerShell. It can detect and report the usage of monitoring software such as Wireshark and sandboxes to its C2. It spreads through malicious advertising and spam campaigns.
Dealply adware detected - (320)
DealPly is adware that claims to improve your online shopping experience. It is often bundled into other legitimate installers and is difficult to uninstall. It creates pop-up advertisements and injects advertisements into webpages. Adware has also been known to download and install malware.
Gamarue malware detected - (96)
Gamarue is a family of malware that can download files and steal information from an infected system. Worm variants of the Gamarue family may spread by infecting USB drives or portable hard disks that have been plugged into a compromised system.
CVE-2019-0708 detected - (73)
An attempt to exploit CVE-2019-0708 has been detected. The vulnerability, dubbed BlueKeep, is a heap memory corruption which can be triggered by sending a specially crafted Remote Desktop Protocol (RDP) request. Since this vulnerability can be triggered without authentication and allows remote code execution, it can be used by worms to spread automatically without human interaction.
Trickbot malware detected - (64)
Trickbot is a banking Trojan which appeared in late 2016. Due to the similarities between Trickbot and Dyre, it is suspected that some of the individuals responsible for Dyre are now responsible for Trickbot. Trickbot has been rapidly evolving in the months since it appeared. However, Trickbot is still missing some of the capabilities Dyre possessed. Its current modules include DLL injection, system information gathering, and email searching.