Friday, August 13, 2021

Threat Roundup for August 6 to August 13


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Aug. 6 and Aug. 13. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. A visual depiction of the MITRE ATT&CK techniques associated with each threat is also shown. In these images, the brightness of the technique indicates how prevalent it is across all threat files where dynamic analysis was conducted. There are five distinct shades that are used, with the darkest indicating that no files exhibited technique behavior and the brightest indicating that technique behavior was observed from 75 percent or more of the files.

The most prevalent threats highlighted in this roundup are:

Threat Name Type Description
Win.Malware.Kuluoz-9883945-1 Malware Kuluoz, sometimes known as "Asprox," is a modular remote access trojan that is also known to download and execute follow-on malware, such as fake antivirus software. Kuluoz is often delivered via spam emails pretending to be shipment delivery notifications or flight booking confirmations.
Win.Malware.Razy-9884256-0 Malware Razy is oftentimes a generic detection name for a Windows trojan. It collects sensitive information from the infected host and encrypts the data, and sends it to a command and control (C2) server. Information collected might include screenshots. The samples modify auto-execute functionality by setting and creating a value in the registry for persistence.
Win.Dropper.Remcos-9884820-0 Dropper Remcos is a remote access trojan (RAT) that allows attackers to execute commands on the infected host, log keystrokes, interact with a webcam and capture screenshots. This malware is commonly delivered through Microsoft Office documents with macros, sent as attachments on malicious emails.
Win.Dropper.Ursnif-9884109-0 Dropper Ursnif is used to steal sensitive information from an infected host and can also act as a malware downloader. It is commonly spread through malicious emails or exploit kits.
Win.Malware.Swisyn-9884099-1 Malware Swisyn is a family of trojans that disguises itself as system files and services and is known to drop follow-on malware on an infected system. It is often associated with rootkits that further conceal themselves on an infected machine.
Win.Trojan.Qakbot-9884111-1 Trojan Qakbot, aka Qbot, has been around since at least 2008. Qbot primarily targets sensitive information like banking credentials but can also steal FTP credentials and spread across a network using SMB.
Win.Packed.Tofsee-9884271-1 Packed Tofsee is multi-purpose malware that features several modules to carry out various activities such as sending spam messages, conducting click fraud, mining cryptocurrency, and more. Infected systems become part of the Tofsee spam botnet and send large volumes of spam messages in an effort to infect additional systems and increase the overall size of the botnet under the operator's control.
Win.Malware.DarkComet-9884444-1 Malware DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system. This malware can download files from a user's machine and includes mechanisms for persistence and hiding. It also can steal login credentials and send them back to the attacker.
Win.Trojan.Zusy-9884534-0 Trojan Zusy, also known as TinyBanker or Tinba, is a trojan that uses man-in-the-middle attacks to steal banking information. When executed, it injects itself into legitimate Windows processes such as "explorer.exe" and "winver.exe." When the user accesses a banking website, it displays a form to trick the user into submitting personal information.

Threat Breakdown

Win.Malware.Kuluoz-9883945-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 25 samples
Registry Keys Occurrences
<HKCU>\SOFTWARE\<random, matching '[a-zA-Z0-9]{5,9}'> 25
<HKCU>\SOFTWARE\HWJLCKFO
Value Name: sreqjdsb
2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: pjgalguc
2
<HKCU>\SOFTWARE\MNCBBLBD
Value Name: mfhvxcjo
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: upglavcp
1
<HKCU>\SOFTWARE\ABCDMUBJ
Value Name: cfahttjk
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: fapoafeg
1
<HKCU>\SOFTWARE\GOCTVLLA
Value Name: rojxvcen
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: fmjkjcbd
1
<HKCU>\SOFTWARE\SAXENRKP
Value Name: qorqagng
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: evrejkde
1
<HKCU>\SOFTWARE\LKGWTCID
Value Name: mgdnhqdj
1
<HKCU>\SOFTWARE\AOSLHLNT
Value Name: lqqqjocf
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: wtrnxwqe
1
<HKCU>\SOFTWARE\MDHAECPF
Value Name: gfpgbdqj
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: kfsemksj
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: rgssokgk
1
<HKCU>\SOFTWARE\SSAHGTWO
Value Name: tthmtxnw
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: motxvrff
1
<HKCU>\SOFTWARE\FPPIDNCE
Value Name: blicxbxg
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: pbjmbinp
1
<HKCU>\SOFTWARE\XRUMXUPL
Value Name: abfghctw
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: tssqwqrh
1
<HKCU>\SOFTWARE\COEDQHAB
Value Name: bgrbchmb
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: aeflpaow
1
Mutexes Occurrences
aaAdministrator 25
abAdministrator 25
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
96[.]30[.]22[.]96 21
74[.]221[.]221[.]58 17
85[.]12[.]29[.]254 17
82[.]165[.]155[.]77 16
69[.]64[.]32[.]247 14
110[.]77[.]220[.]66 13
37[.]59[.]24[.]98 12
195[.]28[.]181[.]184 7
Files and or directories created Occurrences
%LOCALAPPDATA%\<random, matching '[a-z]{8}'>.exe 25

File Hashes

05b8b3d0834207d3e718c000e920e704bc65c6b1bfbb638f3843fc4a26b867a2 090b7a368b261b9e48cf67498671d5f17805902d314731ba7e4f7c17441935ca 0f4c5e961866dd46ae096f7c04f1b45b3ded7f1c12b52f5f44dc19d7ea9eac36 11032e23c07326c484dae2c226da1dc142077e747a068ed45f71c3af600a8040 162748ef4bd32b8da036dcc04563128180e76999261c13740e21567d712247fb 19081d5e0638f7a4c119e33f3ea90ffe78c7d422da9eb752470c54f3adad3318 194d2b8b233876aad6f7875d9ae9c7547d4033bfd0e8a769794ed8388734612d 19a6251c963016df9a9f209765c1f27a7d685398f37b9756da94db64a1f1ec69 1d2595bfce45630f50d2169bcbafd4448d0132e082e7bdce3ebf21d73cbbe592 2082193f5a5ca59d57d310e8c38358b6f7a1cfe4e9500b58b4c19305facb8588 2172c2ae86f2eb06c38791b142dcda0580ab21ce67b603f8c4152b3eca9530b8 2541433b0da6d4e4e1a81c644515422d9ad86663a259cd200d2c052ece9d2357 336e53510be09f61ea9d5a9557b24f7b67ade369168380b429825c296c5a7d5f 36d670753f7ae9937a242f64691b19ade2652fe724349388a0d2131841cc075b 371bc0bb9158e8ddda342465877358fccb6823bd4f0a7230c480ea2ba94af56f 3a905333c0597c42b37f45c88f7f2f8cf0eb9a1a3cf64016740941d1c063c270 3d7033398b21750f5c580e1dd37e470922642b2a9cd0bc897135f3aeb9473f55 47a78e5e5f9c70e0b2d41b565532f11c8a573a620eae5d361792129f8e3f4ee5 4a5b19b533cebc75c41804384b7adf798b4e7600ab5a70c95541bb534d489516 5241179ae063ee3fbc5b1512c2924e0482cd29b1d4247378ef818445e6c575ce 583cb7ac9e4fda982f94cf5d752bfd19eec7e5f2bdd042022e86792cb950b6ff 5a805c7180f94ca9e3a73b302a8496edc7580cb2d8a85cef11c8bc612e07b525 5c1727ce8a67bd217a649836f33f38942414ba1a94433f543dd1aec9302c26bd 6b0a054dac1fd58581745144163b9d11dc4b63908d8ccec105aaf89e3d92a538 6d90c7a70892f56555ea6b2a183b97b255d8801dda339c91bd74fca7feb2aa6a
*See JSON for more IOCs

Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

AMP



ThreatGrid



MITRE ATT&CK





Win.Malware.Razy-9884256-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 24 samples
Registry Keys Occurrences
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.106
Value Name: CheckSetting
12
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{852FB1F8-5CC6-4567-9C0E-7C330F8807C2}.CHECK.100
Value Name: CheckSetting
12
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{852FB1F8-5CC6-4567-9C0E-7C330F8807C2}.CHECK.101
Value Name: CheckSetting
12
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{01979C6A-42FA-414C-B8AA-EEE2C8202018}.CHECK.100
Value Name: CheckSetting
11
Mutexes Occurrences
EVERYTHING_MUTEX 24
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
112[.]34[.]111[.]74/31 12
124[.]237[.]176[.]132 6
183[.]232[.]231[.]225 6
220[.]181[.]107[.]148 5
14[.]215[.]177[.]34 5
110[.]242[.]68[.]177 2
110[.]242[.]68[.]178 2
107[.]167[.]110[.]218 1
37[.]228[.]108[.]132 1
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
hi[.]baidu[.]com 19
infoflow[.]baidu[.]com 19
in[.]m[.]wshifen[.]com 12
Files and or directories created Occurrences
%LOCALAPPDATA%\Microsoft\Windows\WER\ERC\statecache.lock 12
\502022434.exe.bak (copy) 1
\502022442.exe.bak (copy) 1
\502022404.exe.bak (copy) 1
\502022444.exe.bak (copy) 1
\502022420.exe.bak (copy) 1
\502022504.exe.bak (copy) 1
\502022478.exe.bak (copy) 1
\502022406.exe.bak (copy) 1
\502022402.exe.bak (copy) 1
\502022416.exe.bak (copy) 1
\502022422.exe.bak (copy) 1
\502022432.exe.bak (copy) 1
\502022430.exe.bak (copy) 1
\502022446.exe.bak (copy) 1
\502022452.exe.bak (copy) 1
\502022454.exe.bak (copy) 1
\502022450.exe.bak (copy) 1
\502022466.exe.bak (copy) 1
\502022464.exe.bak (copy) 1
\502022480.exe.bak (copy) 1
\502022488.exe.bak (copy) 1
\502022502.exe.bak (copy) 1
\502022490.exe.bak (copy) 1
\502022516.exe.bak (copy) 1

File Hashes

081e7a43899df5ed1f8afe0b7fbc94d6396761e79a2d400745542d70da9aec32 092bd938779e1706f6834465dd28d4f05d0e1c716acea0361ee9a4ce31e8142a 13bae156da737072688ec3b3ce46bac88a771179b899c9e4a15bacff9587acc1 16830511fe445b162c2430826ada8597b7153619740c9731f7f83a7ae710f398 16bfe7a7b9b9cce48dc8adf3e669ba24b5a2e7403d8358e69338038fb17e0cce 170de3038c83f40286e6ca843ecfd541f7b509e53d21848673d313c05ea0e233 2c3b6a8eabc7c102007f6802a5272dd3567374bf2e9cc8c7ee6c7e94887ae4be 31d6514aaa66b40ebe0fc8cc5b74c65e4f0a247a85296ee18d8b6a5275828d7d 51338e5df94150d7e8a52fd3ce5a55fc6266a2f6cba41a82e697bf90e472a6c9 6e2659d28fa3c948fd4e7c304e02bc1096a00ab3a7c77eb0940090e66b6dd1fb 794f8bd0277dfdec300f24ba4f90b4d0177d2b42abdb410ba049cddd05304bc6 89b16e5b2474a0090be385dbebe9a0da78b3d17f75f707495746c6cfd1447dd3 913378cfe37c55a093295bb041d503a07938d240d9d01a41008150815e0888da 98af759705a21ec5e42fabddaf3ef92fad766288a581febba50a66ab78ad3fb1 a8c25552deffab5bf8e6fae545e066ba75ebf00386f5c8a5f61086c99de3ce72 ab7578b435d337a6e25d9151249c9ed4f2db198f3f642de5a5824ae110bdc25b b39887a31edefcb349f309369eb0a4fb912d979b034f4f6d24428d47615c6bd1 b8b4840ceb1b9ad015b9e0002e83dbaf404569a3f63be99d8c3181d3c567c8f6 bb0c74a008d9cbe96a886d7ff1d9fc672e7b47088fcff6facac7016f2ea1071c c7d90a65a495dc7c0a37e0aa5fa25d411cba6c66b8c440be271edd30510245ee d1feff69d116e0cdb2c8278af20072277de5957055b709a8b113b621d267eb01 db83299d0a93d6d7fae3723d60a77e48c2222389792f537e62194e2e7418f869 f5b86a7d0dcf91a12e59fef493d1641731371e58c864bdfa8c494b3246bb02ef fff327ae9f9c867bb7c04a2f6514f811386bc594702b3862933e0b16554083b5

Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

AMP



ThreatGrid



MITRE ATT&CK





Win.Dropper.Remcos-9884820-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 25 samples
Registry Keys Occurrences
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: doraskeanbackspacesheathberrie
25
<HKCU>\SOFTWARE\REUYRDSFQWE-4DI7Y3 25
<HKCU>\SOFTWARE\REUYRDSFQWE-4DI7Y3
Value Name: exepath
25
<HKCU>\SOFTWARE\REUYRDSFQWE-4DI7Y3
Value Name: licence
25
Mutexes Occurrences
Remcos_Mutex_Inj 25
Reuyrdsfqwe-4DI7Y3 25
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
185[.]125[.]205[.]91 1
185[.]244[.]30[.]102 1
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
markaug[.]ddns[.]net 25
Files and or directories created Occurrences
%APPDATA%\remcos 25
%APPDATA%\remcos\logs.dat 25
%TEMP%\tematiseringgalopperedepoletse.exe 25

File Hashes

094850ea73f8f4086e88bf44df5a483f03909202cc78ad718866f8e19b5b9a53 109690a4baee04d9e64e7179bcd31a6c6bde15a347b76edc0494c9d31fa7a367 22f0c9dbef3c30aef61fcb511c2b11b6b61423005049ccc1be3c08c1a47b621c 2bc09aca7b3f3e9722b86fa849c929b35f1761c4d95a85389e947dc0a96edf24 3ce5d01bbfac60553507f8407696ed7b5de2ee135a561e199862f5cf9666015e 41f6e76078b6ddfeea53f073d2b0b26eaec4c6502d5655c6dd777c41ca72bc8b 455eeab54f59d6df61fa615a11288f90aa0b61fd6d77832796967d8c57f78812 6bc49d8fc692613d4d049b8eaa38cf4bcac73fe93df4a62d96da01120367c324 6cb2189eaf43e5b07d4aa80c7d5906ed62107eda77bbfb244282cc9f85f6c3a9 6e6b12209476c178f102c61b07535773ac104ad2db1dcbd45f3941e6eb1886a9 76bee560d3c66c09e99d4d9d06930b3adca4228f9563b7aeb6aa7a63d1c21294 781b85da9284614bf045583a9ac92f8352216b26a279e3c86120238c093ba5f8 a87938f29ac7651fca266438f3a12642c4a64a278223108aa78d64628de04130 a8f52c8eb58f3f5eb7482da1529d1c8381ce899f57ffe20b5c6b3646f6d900fd b24c1787745cbae8149e424f4b6a4cf0e045af75af90beaa69d45715d2b79406 c1f7d696a180ba71289f76348fe7e0fe18ef48eb305cab79962502685652fe36 cf513f09f5cecead22e48c65e335d1d4317c91627efaa8860bdc130b5bb852d2 d68e723e40db42965ad791f5292806d034292dfeecdf2d35db455cb75ae347ed d8215eb8483fa584cf7b6f56d0cb3d565163b44987981ad862dc1d05f6a2acca e29a0c37e1f1d043387d3ef265504bdbcc8d38562ebc4c899d9e55f03637f400 f19cd71951ec11a043f70b4fa0c5e6eb2f1e8048a3d9bbe3b3358b43e3bf60d2 f247a055bbc16e5b3e3c2da4b048de92dee78c3bfce423d26d90a14eb83c67cc f25671d6c836df96b4e3e4b3b54fee0da5eb3194c2547f62f35a4d23d36e326f fd11cebf67ccb2cdadb8c99254a5f32311bda36d8aee7c58822c33fcc1811d78 fd9791589ed383bd040f5afaf818d8f7de23a5e7db99436818dc2823a9e9d0b6
*See JSON for more IOCs

Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

AMP



ThreatGrid



MITRE ATT&CK





Win.Dropper.Ursnif-9884109-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 65 samples
Registry Keys Occurrences
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION
Value Name: SysHelper
3
<HKCU>\SOFTWARE\BUBBLEBROWSERUPDATER\STARTED 3
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: SysHelper
3
<HKU>\.DEFAULT\CONTROL PANEL\BUSES
Value Name: Config3
2
<HKU>\.DEFAULT\CONTROL PANEL\BUSES 2
<HKU>\.DEFAULT\CONTROL PANEL\BUSES
Value Name: Config0
2
<HKU>\.DEFAULT\CONTROL PANEL\BUSES
Value Name: Config1
2
<HKU>\.DEFAULT\CONTROL PANEL\BUSES
Value Name: Config2
2
<HKCR>\LOCAL SETTINGS\MUICACHE\\52C64B7E
Value Name: LanguageList
1
<HKCU>\SOFTWARE\BUBBLEBROWSERUPDATER 1
<HKCU>\SOFTWARE\BUBBLEBROWSERUPDATER\STARTED
Value Name: Started
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\DPAGNQYT 1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\DPAGNQYT
Value Name: Type
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\DPAGNQYT
Value Name: Start
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\DPAGNQYT
Value Name: ErrorControl
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\DPAGNQYT
Value Name: DisplayName
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\DPAGNQYT
Value Name: WOW64
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\DPAGNQYT
Value Name: ObjectName
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\DPAGNQYT
Value Name: Description
1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\dpagnqyt
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\DPAGNQYT
Value Name: ImagePath
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\JVGMTWEZ 1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\JVGMTWEZ
Value Name: Type
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\JVGMTWEZ
Value Name: Start
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\JVGMTWEZ
Value Name: ErrorControl
1
Mutexes Occurrences
Administrator/m-e0m 13
Global\<random guid> 6
{1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 3
uiabfqwfu ' w 3
M5/610HP/STAGE2 3
uiabfqwfuAdministrator 2
G2A/CLP/05/RYS 2
uiabfqwfu '2w 1
uiabfqwfu '(w 1
uiabfqwfu ' v 1
uiabfqwfu 'iw 1
uiabfqwfu '`w 1
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
192[.]35[.]177[.]64 16
195[.]201[.]225[.]248 16
5[.]252[.]179[.]21 16
23[.]3[.]13[.]154 5
23[.]3[.]13[.]88 5
193[.]56[.]146[.]40/30 4
173[.]194[.]207[.]26/31 3
74[.]114[.]154[.]22 3
77[.]123[.]139[.]190 3
104[.]47[.]54[.]36 2
193[.]252[.]22[.]65 2
68[.]87[.]20[.]5 2
212[.]227[.]17[.]5 2
82[.]57[.]200[.]133 2
212[.]227[.]15[.]17 2
61[.]47[.]43[.]194 2
72[.]21[.]81[.]240 2
31[.]13[.]65[.]174 2
88[.]99[.]66[.]31 2
205[.]185[.]216[.]10 2
98[.]136[.]96[.]74 2
104[.]47[.]18[.]97 2
104[.]47[.]17[.]161 2
104[.]47[.]22[.]161 2
8[.]253[.]45[.]214 2
*See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
apps[.]digsigtrust[.]com 12
apps[.]identrust[.]com 12
telete[.]in 4
auto[.]au[.]download[.]windowsupdate[.]com[.]c[.]footprint[.]net 3
api[.]2ip[.]ua 3
astdg[.]top 3
securebiz[.]org 3
prophefliloc[.]tumblr[.]com 3
www[.]google[.]com 2
eur[.]olc[.]protection[.]outlook[.]com 2
mx-aol[.]mail[.]gm0[.]yahoodns[.]net 2
smtp-in[.]orange[.]fr 2
aspmx[.]l[.]google[.]com 2
hotmail-com[.]olc[.]protection[.]outlook[.]com 2
hotmail[.]fr 2
gmail[.]com 2
web[.]de 2
comcast[.]net 2
msn[.]com 2
hotmail[.]com 2
yahoo[.]com 2
aol[.]com 2
gmail-smtp-in[.]l[.]google[.]com 2
mta5[.]am0[.]yahoodns[.]net 2
hotmail[.]es 2
*See JSON for more IOCs
Files and or directories created Occurrences
%HOMEPATH%\AppData\LocalLow\sqlite3.dll 21
%HOMEPATH%\AppData\LocalLow\1xVPfvJcrg 19
%HOMEPATH%\AppData\LocalLow\RYwTiizs2t 19
%HOMEPATH%\AppData\LocalLow\frAQBc8Wsa 19
%HOMEPATH%\AppData\LocalLow\rQF69AzBla 19
%HOMEPATH%\AppData\LocalLow\frAQBc8Ws 17
%HOMEPATH%\AppData\LocalLow\qT1wG2cI7tX5f 14
%HOMEPATH%\AppData\LocalLow\wG3cB0qZ3rM5x\sY9eU8qD7hB3_m.zip 14
%HOMEPATH%\AppData\LocalLow\wG3cB0qZ3rM5x\api-ms-win-core-profile-l1-1-0.dll 11
%HOMEPATH%\AppData\LocalLow\wG3cB0qZ3rM5x\api-ms-win-core-rtlsupport-l1-1-0.dll 11
%HOMEPATH%\AppData\LocalLow\wG3cB0qZ3rM5x\api-ms-win-core-string-l1-1-0.dll 11
%HOMEPATH%\AppData\LocalLow\wG3cB0qZ3rM5x\api-ms-win-core-synch-l1-1-0.dll 11
%HOMEPATH%\AppData\LocalLow\wG3cB0qZ3rM5x\api-ms-win-core-synch-l1-2-0.dll 11
%HOMEPATH%\AppData\LocalLow\wG3cB0qZ3rM5x\api-ms-win-core-sysinfo-l1-1-0.dll 11
%HOMEPATH%\AppData\LocalLow\wG3cB0qZ3rM5x\api-ms-win-core-timezone-l1-1-0.dll 11
%HOMEPATH%\AppData\LocalLow\wG3cB0qZ3rM5x\api-ms-win-core-util-l1-1-0.dll 11
%HOMEPATH%\AppData\LocalLow\wG3cB0qZ3rM5x\api-ms-win-crt-conio-l1-1-0.dll 11
%HOMEPATH%\AppData\LocalLow\wG3cB0qZ3rM5x\api-ms-win-crt-convert-l1-1-0.dll 11
%HOMEPATH%\AppData\LocalLow\wG3cB0qZ3rM5x\api-ms-win-crt-environment-l1-1-0.dll 11
%HOMEPATH%\AppData\LocalLow\wG3cB0qZ3rM5x\api-ms-win-crt-filesystem-l1-1-0.dll 11
%HOMEPATH%\AppData\LocalLow\wG3cB0qZ3rM5x\api-ms-win-crt-heap-l1-1-0.dll 11
%HOMEPATH%\AppData\LocalLow\wG3cB0qZ3rM5x\api-ms-win-crt-locale-l1-1-0.dll 11
%HOMEPATH%\AppData\LocalLow\wG3cB0qZ3rM5x\api-ms-win-crt-math-l1-1-0.dll 11
%HOMEPATH%\AppData\LocalLow\wG3cB0qZ3rM5x\api-ms-win-crt-multibyte-l1-1-0.dll 11
%HOMEPATH%\AppData\LocalLow\wG3cB0qZ3rM5x\api-ms-win-crt-private-l1-1-0.dll 11
*See JSON for more IOCs

File Hashes

00481d790b375a8c427b2bb79aa345667e7250f0c76624c3c1e5c522c46a1832 027ba300ceb2dcd1369abd1493c66bde8800c26cd15ff062c7ccf99c10865b69 0fb7ffc5ccc6a4250153508f8af38b9f70aa06516164c441aa2ef81cf1289cd5 16e0219a1ff89822cfabbc9f584b3168882bbed09296f3f871a95e1e2d0be48a 18c16c49723dc928fa82844f0789dbe0a09e71f867995782b297134a02665d1b 19e1b9fc4fe08a5115b6b6853ec704d673683100038cca2d1450135e101bc3b8 1b13eb517fe256fb3ae78eedebd763ca6b9d84cb5bca832f4b5ecc4267ab24e8 21b4634e17ab1de4e533f9b1a82c0dfdf53cf1ecf9eb17979dedd0cd78ceadba 23df7ab5c611d90d853895fac5fd83714315d5f3bb754c3cbbc104d0185c59d6 2583fac05346c76f46b50fef5e888be81dc68b70c5ce02f65f75bcef273c3145 280d700d6c96eb71c5a87678e750b121ccaffa063d176659824f23506a61b8da 2dc66fa82db06bed4725c376f1fddbf331f27caca8352993df3896bfd60d4df5 2e28e78b9a67c92fd6768b1f4f3ea7dca94f421f66fefad627c5c079047da060 30ad84861978e3d472833f2ab1862f9628c7cd59bb46a5a5f5a0ddc95a4aabd5 33f6dd4c2ff2d0efd1d9ffb404283a2b0be8d461482fe055bb63d4f012e97019 36a577dbd7557a52b6d422adf5fa98ed2f44379be60aebaa7a0dc970b249ef96 3adb37bbe880d92ab48f92849ecc877a336e734b3e6a2345824f856c1052911e 3cb3070e943ac93e5d0ee53ceac1c849462e8d35f0450a890381c27e78c71546 3dd2da6cd1450e56523609dac0353da3ab911e190abb689b8306a0a717272d22 419b5579c28b4c1b5efe0db559a646de49610f64a3ecac1edbb701b7ed7886e7 41ccd5d6f3e1bba6090a0d17708c2e5e85c570279192c4efb64d3e7161942814 455f506ca5312c201aa7084ad772da9128295c52b77d17f160263b5a36901cfd 577b702838edeb698bc8cf4f0ee5f7cc00e7053ea736b075b9542fc0a0e8fe95 57961f963b59dac4e66b07a2de7ba1bbbcac4b43202359690a5095cb8dfdb4a1 592b3336a16c2c028b275aefd6306e46f626d029504ced82ac5e8bac97b69f28
*See JSON for more IOCs

Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection

AMP



ThreatGrid



MITRE ATT&CK





Win.Malware.Swisyn-9884099-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 15 samples
Registry Keys Occurrences
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Windows Host Service
7
Mutexes Occurrences
Global\AlreadyExist 4
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
116[.]202[.]155[.]223 7
188[.]127[.]69[.]60 6
51[.]254[.]45[.]43 6
185[.]21[.]217[.]33 6
178[.]63[.]40[.]189 6
89[.]163[.]128[.]28/31 6
185[.]76[.]191[.]72/30 6
185[.]76[.]191[.]80/31 6
148[.]251[.]190[.]229 5
85[.]208[.]144[.]164 5
51[.]91[.]73[.]194 5
5[.]39[.]72[.]2 5
82[.]149[.]227[.]236 5
85[.]25[.]185[.]17 5
185[.]76[.]191[.]84/30 5
194[.]180[.]154[.]74/31 5
136[.]243[.]82[.]188 4
188[.]114[.]140[.]233 4
193[.]108[.]117[.]41 4
89[.]163[.]128[.]26 4
185[.]76[.]191[.]83 4
194[.]109[.]193[.]142 4
176[.]9[.]53[.]202 4
95[.]214[.]54[.]163 4
141[.]20[.]103[.]33 4
*See JSON for more IOCs
Files and or directories created Occurrences
%System16%\xxx1.bak 12
%TEMP%\MpCmdRun.log 11
%System16%\spoolsvx.tar 11
%System16%\spoolsvx.tarx 11
%System16%\svchost.exe 11
%APPDATA%\tor 10
%APPDATA%\tor\lock 10
%APPDATA%\tor\state.tmp 10
%APPDATA%\tor\cached-certs.tmp 10
%APPDATA%\tor\cached-microdesc-consensus.tmp 10
%APPDATA%\tor\cached-microdescs.new 10
%APPDATA%\tor\unverified-microdesc-consensus.tmp 10
%System16%\spoolsv.exe 10
%APPDATA%\tor\keys 10
%System32%\Tasks\Timer 4
%APPDATA%\tor\cached-microdescs.tmp 1
%TEMP%\~tl579A.tmp 1

File Hashes

140323aad2d37f98b09bbf8d710a9180f55faa70b102cb25327ee9d44e30ab37 3643663d8d2ef58aaf10daa91ceb24b9edb962f7af268d62afdfd93726b3b311 473935a02827eef38192ecc62c38e270eb275961cad98c1ce9f71a796921783b 661f8ca34eaabf8eb763d1281067c8becb4f2d132ab157d1b347bbe6ef639797 808a9950ca78ae40a50fa75cc9e9d6a64dda7b0aaba7aa934b3f6008fd8704a2 8e6b1ae9a9f62d32b08320bbf3eb3484148ad7ccc08515502ab709772cde3fa2 add0181dda3145b94a95dc3a4adb0791366ca254f5049941e76c94c4734ea8e3 bb831e54e41d0090904658059ae6650ad85fc87e0011169b9d676797c6ec63b0 c8c5d7de785141f15e7d628602a4a3875916b3964f5e1b0cf3dd8d013eb0da13 ca92deed4df8b54c6401b7fe950989cdf53d270b8db7ba9e023a005af9b03250 de8a32ab1d07b5eb72c5ba26abeeca7df793819e2fa50f36efcd2954cdae9e49 eec287dc0bbee89b56a8d71066a3feaf4a317d00778687e456da25b5eeba65fe f15d02556958ae9b2c4461e3bdf6b3780560f207522d1771ce41406e5023ce6f f530f928dcccf13e81219a77469c3d1a76195dd1d28f63a9d203de92b2af3e1d fc58cf5fc046cf3e0106aed3b992fd35d448502ec5763bcf62c53fa4d01256a2

Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA This has coverage

Screenshots of Detection

AMP



ThreatGrid



MITRE ATT&CK





Win.Trojan.Qakbot-9884111-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 26 samples
Registry Keys Occurrences
<HKCU>\SOFTWARE\MICROSOFT\DFWOFIK 26
<HKCU>\SOFTWARE\MICROSOFT\DFWOFIK
Value Name: bd63ad6b
26
<HKCU>\SOFTWARE\MICROSOFT\DFWOFIK
Value Name: bf228d17
26
<HKCU>\SOFTWARE\MICROSOFT\DFWOFIK
Value Name: f7b512d3
26
<HKCU>\SOFTWARE\MICROSOFT\DFWOFIK
Value Name: 79eea72
26
<HKCU>\SOFTWARE\MICROSOFT\DFWOFIK
Value Name: 7a96a5f8
26
<HKCU>\SOFTWARE\MICROSOFT\DFWOFIK
Value Name: c22ac29d
26
<HKCU>\SOFTWARE\MICROSOFT\DFWOFIK
Value Name: 5dfca0e
26
<HKCU>\SOFTWARE\MICROSOFT\DFWOFIK
Value Name: 88fc7d25
26
Mutexes Occurrences
Global\{06253ADC-953E-436E-8695-87FADA31FDFB} 26
{06253ADC-953E-436E-8695-87FADA31FDFB} 26
{357206BB-1CE6-4313-A3FA-D21258CBCDE6} 26
Files and or directories created Occurrences
%APPDATA%\Microsoft\Xtuou 26
\TEMP\0b8e8b7608c03f1f047801abab14a130.dll 1
%System32%\Tasks\vfbsjvof 1
%System32%\Tasks\vqrmpyvmz 1
%System32%\Tasks\pqrthcncn 1
%System32%\Tasks\pltdajuhsx 1
%System32%\Tasks\ovcdbwz 1
%System32%\Tasks\ushbcrbwi 1
%System32%\Tasks\gataches 1
%System32%\Tasks\fojvtbktup 1
%System32%\Tasks\odgyjgj 1
%System32%\Tasks\wcakzvs 1
%System32%\Tasks\gzkkenjux 1
%System32%\Tasks\flvwmmid 1
%System32%\Tasks\uituljxzb 1
%System32%\Tasks\bdojxnzpa 1
%System32%\Tasks\zzskziq 1
%System32%\Tasks\uqlwhusvex 1
%System32%\Tasks\hlerchh 1
%System32%\Tasks\tsjlmcxbu 1
%System32%\Tasks\vcsqiosz 1
%System32%\Tasks\myigvkekew 1
%System32%\Tasks\uzvlfhu 1
%System32%\Tasks\xrxiswwbp 1
%System32%\Tasks\usvrvdwfng 1
*See JSON for more IOCs

File Hashes

03cb6dc235578dd1562851d4d06555af1cf9382353ba3f54306a27e37a5305a1 03fe14caddbd6902e265a566efcbeacda1a413065a98b66b4e74fa59cea083e4 06d5ca9ab245e57ad65d2afa9633a2b7e11eca16555f5c5bf9f7a92d8f78e87d 07f0e31106f56a2af7eb4e283625b4b3408f0eeb74c09b1ade3840daa4d1b8bb 0b77fdf610d7444d1fe1a7f5098d45152936fc48ca601b929281c587bb5133b8 0d2aad6da1068580e457b85c1df14497b1f66870c73d9c7b60d387a8ecc587ba 0ea2f761e10efb2a635185671de8ca90837745f5da186d84e6a3c564bd020903 1502723beda5c3fc95c3532d89ee16bdd3ad5ead9f323ee48be4d653474110bc 16ad7701d366ef3dab53c0979741279b684f2f94fb52398a788071438921b31d 172b6ada107441489b8abc961f2548486487a15d5e3375417b9c6981e5d676e9 209b3eeabd048f7cb2c634bf1e7414262ded407ae41b25d00db5db86008aa84f 20d724fc562fa14b107c292020f6d03cb3c958d90a79ce3476e3f877f46ea0e8 23c3b45782c70bccb1ca807e59486247c5b9074228e14ce9b3994003b354919f 240e331b52966de8e05cea16155fb5cbf97ccc934af991f7d794107302665b4c 2c4541a8d520b195f8dda3f731584e6391f714e2c4b01f4f97523728511dfb5c 2edf0dabcb16bde79ecddafaaa52644de1229db74ba8e1abf6fe868e8e1c4447 3136bf60107ecc6bcf659edd6e60cf01b3228fc7098a4bf2acf7d5a250ac3f29 3337b985888559a139cd62e925156264e64b8a1a8943bbb08ccb7a8c2684b570 3383b0672661207be263722ba4cd2341bb90f680819359cb07c26c6b7dfcaa9b 35150a082f7fc90418facbde01f262cee672ae4dfd34b0aae06da95ec064b580 357be50930bd829907a4068b1017b945263a56bc12cc9728977d3c866c9a68a6 3a1e5884cf079fdca3cb5b8385c53f780dd4c17a3165ccb4148f9916c3740614 3b06eecb334b5f57bde24eeb0a7c4147fc01713c8c3e8f0a660a4e8a9a5df3e1 3c4e2eb21f26dee76e957a5c46b0492a43bf4dd53651615b2a84940011257929 40934bae7c322b0d6ae26a5a90dc17ad28f5d964a9c2032de0243043781c586d
*See JSON for more IOCs

Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

AMP



ThreatGrid



MITRE ATT&CK





Win.Packed.Tofsee-9884271-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 119 samples
Registry Keys Occurrences
<HKU>\.DEFAULT\CONTROL PANEL\BUSES 119
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> 119
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: Type
119
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: Start
119
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: ErrorControl
119
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: DisplayName
119
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: WOW64
119
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: ObjectName
119
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: Description
119
<HKU>\.DEFAULT\CONTROL PANEL\BUSES
Value Name: Config0
119
<HKU>\.DEFAULT\CONTROL PANEL\BUSES
Value Name: Config1
119
<HKU>\.DEFAULT\CONTROL PANEL\BUSES
Value Name: Config2
102
<HKU>\.DEFAULT\CONTROL PANEL\BUSES
Value Name: Config3
98
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: ImagePath
26
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\haoutbhw
7
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\zsgmltzo
7
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\lesyxfla
7
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\slzfemsh
7
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\unbhgouj
6
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\nguazhnc
6
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\athnmuap
6
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\tmagfnti
6
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\mftzygmb
6
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\jcqwvdjy
5
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\vocihpvk
5
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
43[.]231[.]4[.]7 119
192[.]162[.]246[.]7 87
5[.]61[.]37[.]41 87
95[.]216[.]195[.]92 87
142[.]250[.]65[.]164 63
104[.]47[.]53[.]36 62
173[.]194[.]68[.]26/31 62
104[.]47[.]54[.]36 57
193[.]56[.]146[.]40/30 49
208[.]76[.]51[.]51 42
208[.]76[.]50[.]50 41
192[.]0[.]47[.]59 39
216[.]146[.]35[.]35 38
31[.]13[.]65[.]174 38
208[.]71[.]35[.]137 35
199[.]5[.]157[.]131 34
144[.]160[.]235[.]143 30
104[.]215[.]148[.]63 27
23[.]90[.]4[.]6 27
195[.]46[.]39[.]39 26
40[.]112[.]72[.]205 24
96[.]114[.]157[.]80 23
67[.]195[.]204[.]72/30 23
64[.]136[.]44[.]37 21
40[.]76[.]4[.]15 21
*See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
249[.]5[.]55[.]69[.]in-addr[.]arpa 119
microsoft-com[.]mail[.]protection[.]outlook[.]com 119
microsoft[.]com 119
lazystax[.]ru 119
249[.]5[.]55[.]69[.]dnsbl[.]sorbs[.]net 102
249[.]5[.]55[.]69[.]bl[.]spamcop[.]net 101
249[.]5[.]55[.]69[.]zen[.]spamhaus[.]org 97
249[.]5[.]55[.]69[.]sbl-xbl[.]spamhaus[.]org 94
249[.]5[.]55[.]69[.]cbl[.]abuseat[.]org 92
www[.]google[.]com 81
gmail[.]com 71
gmail-smtp-in[.]l[.]google[.]com 67
mta5[.]am0[.]yahoodns[.]net 58
yahoo[.]com 57
hotmail-com[.]olc[.]protection[.]outlook[.]com 50
hotmail[.]com 50
mx-aol[.]mail[.]gm0[.]yahoodns[.]net 42
whois[.]iana[.]org 40
whois[.]arin[.]net 39
www[.]instagram[.]com 38
aol[.]com 34
al-ip4-mx-vip1[.]prodigy[.]net 31
eur[.]olc[.]protection[.]outlook[.]com 29
msn[.]com 25
msn-com[.]olc[.]protection[.]outlook[.]com 25
*See JSON for more IOCs
Files and or directories created Occurrences
%SystemRoot%\SysWOW64\config\systemprofile 119
%SystemRoot%\SysWOW64\config\systemprofile:.repos 119
%SystemRoot%\SysWOW64\<random, matching '[a-z]{8}'> 118
%TEMP%\<random, matching '[a-z]{8}'>.exe 114
%System32%\config\systemprofile:.repos 30
%System32%\<random, matching '[a-z]{7,8}'>\<random, matching '[a-z]{6,8}'>.exe (copy) 30
%TEMP%\<random, matching '[a-z]{4,9}'>.exe 9

File Hashes

00648a04fc723925ac103f26a8f6420c32da9038fc1d58ca5c037eb29461622d 02b89b06dc6e456051ed4c4670eb9d2041d6c2f949e7fd527fbf749f96b43e31 033d40969959043acd3d53c9f8b0a5321fa11533a8c33b0a341133a8b60c0b07 0a17d899767ba1bc99f2d56c5ea049ff68f6a1d2a5debc56b744e273c3b17969 0a9c165848b887d60f905e503ab8c9918a3300b999b206dc4e91429efc2d4256 0bde394b4387f6853393a0e4742aa0fede0652a40d82452594b878bc6dbf8d42 0cebe431390ffb41b3fe7fc921a477257c3516b97ac48fab74f04495dcb19b32 100ec7a6ad31a6adc5ffb4c02e18e53de634677bea7ddd81ba97bed869820b56 10db944ebab48eba12c8db04fb511b6eea8ae6ae5f690ae9fd12c5ad736a9803 12828f1d4f7c0712053dfcb206f44f2d64eba8e9d9c5454c39b24553b6dd1721 12cdb5982898810f2b0f25b2d9b5489387927dc5cd9bed38b9205b5a2b2157e1 130367bf969101c487af25574c5f5da158bf059b7d1f4cef0f867327c73b2dd8 1a6001b1156d05b284fb239ff785c02a4c6a33d61041ce9631d3533820eaf503 1d13a6b142fd6c24248a44ba35526b3dc058520792b17cb6f96d3e6070ff9256 1f3399e6d37a98bffb03a8e40fec12163db23a5088240229c0b9816e6c79d494 221a30be1c2fa46fdc50337a98298714ae0ee7ca9d725c100889d463e4801c30 238894cb4732295a561d95c570025ce3edb907a8b989cd4ae64550b82c7ce406 2396e2c32b73d201fb2b6397412c4fd0d40d0486119966989241749649c7fd37 24cb939d5a4d8de7c0326d5e23f4ad3a7a6c2e3a738ce6ffea27c11ee54ec839 27cc83e29093d7878a16cedd20226ee8ea452c0f47f303a35bfe19a2edb411c6 28862859e0ffbbe3d103fdd2d0c83cb9c9b7d40ea5c3f0b7e0e38944ca86bcff 29ce47d65aa2049d4b786255ff8b9b1a9a8d9c664026b737a1c2ecd3fb6e519f 2ac72960a87d6deca00ed4b9d8f32b0113fe4ef5cde73c218a60be5ddd972769 2b01d8af177debea8016eaf6fa9fc875fd3cee6fbcc1dd3d354e438bdef901e0 2b2efc73fcbc97e66c7c200e6b3bc3e85a5412ac8b4f0a085a5f1062ca73c4fe
*See JSON for more IOCs

Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection

AMP



ThreatGrid



MITRE ATT&CK





Win.Malware.DarkComet-9884444-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 27 samples
Registry Keys Occurrences
<HKCU>\SOFTWARE\NOUVEAUX 26
<HKCU>\SOFTWARE\NOUVEAUX
Value Name: FirstExecution
26
<HKCU>\SOFTWARE\NOUVEAUX
Value Name: NewIdentification
26
<HKCU>\SOFTWARE\NOUVEAUX
Value Name: NewGroup
26
Mutexes Occurrences
Administrator5 24
1PFS7II63848P3 24
1PFS7II63848P3_RESTART 24
1PFS7II63848P3_SAIR 24
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
154[.]16[.]220[.]209 24
67[.]214[.]175[.]69 2
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
www[.]wallou[.]publicvm[.]com 26
mediafire[.]chickenkiller[.]com 26
wallou[.]publicvm[.]com 15
Files and or directories created Occurrences
%TEMP%\Administrator2.txt 26
%TEMP%\Administrator7 26
%TEMP%\Administrator8 26
\TEMP\Dsl32.txt 26
%ProgramData%\2.exe 26
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\2.com.url 26
\Dsl32.txt 24

File Hashes

001276dd30093a56534c93cf39335eb23943ab0b532c9ab4bfac250485355b8e 0063112e85dfaf4331c73ad5a73856cfa5a29911ef8d80c12250a874f60c48ba 03da512c836f7f3aa610c89f6530227f50972d9f35825b7ebbbf35a4b99de7a8 06cc9a66099e3a7b1cfb87a005501ec3410a280521e02fe39674bf31d4bc4c17 0a4acb875e2052335654082e77210a8a30001d2847532ae2a58066efafb37c5e 0c14c868d645b8c01c873f5cda5f03f66bf9c2d7207aada6a34af94f3b779ced 0d08e3c0b2f6668387b90dc0d21ebd8fec5de6393580cff145cdff8a32c10ea6 0db3f1fdb14ab26067db2b64446a31933ff0ec0570d0f5a171d0e8fb933a1401 0f08b7adecebbe1149b7be0966fa6b69aa5d5e3f03fa96ad35ddb07199084b22 1845ebdef56daeb7edebc6677864436a036d3b043b7e1923b75c65594d4345a9 20cb8fe07f5e3ce18eb9aabafc93974be79f9f1935650ab1820a8ebc6ca3f296 254b0754656291f75de40e1c34f633f5df5a02b1330374fcdc2af795b30df731 291e7983cab8a8ca27a375dc7450efd992091ffa4df9dc62373c835d14aee431 302085c4d19e84b33f64b7f177dcb5bdf31a919917e27c54691e599b65ec550f 36ebb70c3fa7f455f8cec1e9c92daa907503d98c8e62c0f001b5441d7043e197 42c2c565e5844ee30f45e046984956949aa7b4268fa79fa3bca325079a0199b5 445d9223cdc386994df6089ab69340c195b06125cf30b9424d44c0eb24b0d502 4bff08590e863279e04681f752fac6770a3863b7000e8a49c0e9c9e1fd3c1863 4efae949b98bf76d42f3613a7864e3d70ada3d1b2824149b3a40a07a3654160d 5174169e7a1ef4ba358189dafac7eb4c514e4c12ecdc9525e2fe6cb5b35265ad 52488393180ab2539a941636a5143eedc8845240a5beeeb740d6416e934d73e6 5492366ceb99bb0f4e8322eae89e9674974aa0b66435678d9fd5f9550603567d 5730e6c5c52c0cc8847c9dc85f5a093c5a4322d598fd519ace19af87bb2faa75 5e4c76e6c275cfd91c107a7471cdfbbe97c206d9749c76a173bcc0944b5b9c16 615453b9561c9c612ae38166917e9a34f67d5012ce0ed946a0eff07dbb9a7ae1
*See JSON for more IOCs

Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

AMP



ThreatGrid



MITRE ATT&CK





Win.Trojan.Zusy-9884534-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 25 samples
Mutexes Occurrences
GLOBAL\{<random GUID>} 25
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
207[.]231[.]106[.]130 8
45[.]239[.]234[.]2 8
41[.]57[.]156[.]203 8
118[.]173[.]233[.]64 8
186[.]225[.]119[.]170 7
185[.]17[.]105[.]236 7
34[.]117[.]59[.]81 6
177[.]10[.]90[.]29 6
185[.]189[.]55[.]207 6
91[.]237[.]161[.]87 6
119[.]202[.]8[.]249 6
38[.]110[.]100[.]64 6
181[.]114[.]215[.]239 6
176[.]58[.]123[.]25 5
192[.]35[.]177[.]64 5
14[.]232[.]161[.]45 5
23[.]3[.]13[.]154 4
23[.]3[.]13[.]88 4
143[.]0[.]208[.]20 4
222[.]124[.]16[.]74 4
196[.]216[.]220[.]211 4
8[.]248[.]153[.]254 3
8[.]249[.]223[.]254 3
45[.]239[.]233[.]131 3
43[.]252[.]159[.]63 3
*See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
9[.]116[.]131[.]216[.]zen[.]spamhaus[.]org 13
28[.]116[.]131[.]216[.]zen[.]spamhaus[.]org 12
auto[.]au[.]download[.]windowsupdate[.]com[.]c[.]footprint[.]net 9
wtfismyip[.]com 8
apps[.]digsigtrust[.]com 5
apps[.]identrust[.]com 5
ident[.]me 5
icanhazip[.]com 3
ipinfo[.]io 2
elb097307-934924932[.]us-east-1[.]elb[.]amazonaws[.]com 2
api[.]ipify[.]org 2
myexternalip[.]com 2
ipecho[.]net 2
ip[.]anysrc[.]net 1

File Hashes

030b5440c89d6890d1e2a12f2643ee1b83c87bf87a4f5583d3d264f3333849c6 099f71d091ef7977d4ed532b5989a0bd7e2dba2756df82cd30e3a271debdebe0 188902aff209c46ed8f3018de451590fa58f306cef66bb804316165fa349bedb 23674a3831ab7a7427f3a4cd3031d4e3c361f3f8a97a9a42ad723cc0d71a409c 2b15df3199f11e25f73e30f3c921c854a421747864a7e62852658d179393d529 3ae06e543ecfd267006a95fe8a8e2410e326fc877aa6bbe38b3d53ca16d4de80 4bb81a635c264ddde15e87b3f6182ae707e02f5e1c3f68d8cd10b3813f7ad9c6 4d060bd1b295b2952625b471e8324d764ede5e53c827d4b3a3ae6baba27b7b5f 517b93d074ef4f108aa84c588377242547b3a43f869f06f2dfbb457222499dd1 54e2ef113d9b8084424e1133314d59d07a81ae2b26264d33a979f8150ce5991e 69529025c15f3625e6aa5367dda783a701249c3c196b23af9dfbb76a58a5f368 6aae645789f16aa25555dabca7887b4f595716575e76ff485d835240bb6edec1 6b4513dfebf14e5e5d53f0743c7ea2c7e617a8486c09fb148b6d86284104df59 827bdbf8fc8545b5e73b916333d0490a7851f7973631dea267ca2aa3e0b5c04b 85b9f85a584228a35f8fae58101c4046fa2c0ac072667b5b017d46750d8cda06 8a4138f00ed07780021aeee5daefeaadc365966407c1318e3078a292a91a7abb 916b73efef24bad9024c50696acf3279a707ad08983e408e292d22937b5f45a3 9b6500e9e5bf5b125ea43fb40caf3c66354834204902bb68959ae503b8d2446f 9d82f169fcbb774495a2f6cbd104aa8594fde661f11b2cebba2cb299f1542c1e a32fcd7935b6a2e707a2ac3ac4db0a0b12a9884074f3a947b3783d3ec57499ec acba8a921cc9e2a12b87e24b45f6e7136ce7cc9dd1d9d171d1561f993d9f00e5 acfdeaa4b7c76d2461cd3b85c4813e1e278d1766f5005381d8d07fd9735294fb afa2c90e8c2f8d69e12bda8cfd52ec8117b04ffcc1bf33097950555bfc244347 bcf5c64e8919fd0d51a990512acf1b562bda8c929dc5e475559b39c1d14d96d7 c8b5d08fc00f2febfa862df9a1e6b1b908dba619558615013e860598aff50228
*See JSON for more IOCs

Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA This has coverage

Screenshots of Detection

AMP



ThreatGrid



MITRE ATT&CK





Exploit Prevention

Cisco AMP for Endpoints protects users from a variety of malware functions with exploit prevention. Exploit prevention helps users defend endpoints from memory attacks commonly used by obfuscated malware and exploits. These exploits use certain features to bypass typical anti-virus software, but were blocked by AMP thanks to its advanced scanning capabilities, even protecting against zero-day vulnerabilities.

Process hollowing detected - (18318)
Process hollowing is a technique used by some programs to avoid static analysis. In typical usage, a process is started and its obfuscated or encrypted contents are unpacked into memory. The parent then manually sets up the first stages of launching a child process, but before launching it, the memory is cleared and filled in with the memory from the parent instead.
A Microsoft Office process has started a windows utility. - (12318)
A process associated with Microsoft Office, such as EXCEL.exe, OUTLOOK.exe or WINWORD.exe, has started a Windows utility such as powershell.exe or cmd.exe. This is typical behavior of malicious documents executing additional scripts. This behavior is extremely suspicious and is associated with many malware different malware campaigns and families.
Excessively long PowerShell command detected - (4305)
A PowerShell command with a very long command line argument that may indicate an obfuscated script has been detected. PowerShell is an extensible Windows scripting language present on all versions of Windows. Malware authors use PowerShell in an attempt to evade security software or other monitoring that is not tuned to detect PowerShell based threats.
Reverse tcp payload detected - (2982)
An exploit payload intended to connect back to an attacker controlled host using tcp has been detected.
Dealply adware detected - (1294)
DealPly is adware, which claims to improve your online shopping experience. It is often bundled into other legitimate installers and is difficult to uninstall. It creates pop-up advertisements and injects advertisements on webpages. Adware has also been known to download and install malware.
CVE-2020-1472 exploit detected - (1153)
An attempt to exploit CVE-2020-1472 has been detected. Also known as "Zerologon". This is a privelege escalation vulnerability in Netlogon.
Crystalbit-Apple DLL double hijack detected - (1149)
Crystalbit-Apple DLL double hijack was detected. During this attack, the adversary abuses two legitimate vendor applications, such as CrystalBit and Apple, as part of a dll double hijack attack chain that starts with a fraudulent software bundle and eventually leads to a persistent miner and in some cases spyware deployment.
Malware dropper detected - (934)
A malware dropper has been detected. A dropper will download or unpack addtional malware during it's execution. A variety of techniques can be employed for the payload to gain persistence and escalate privelege if neccessary.
Maze ransomware detected - (830)
Maze ransomware has been detected injecting into rundll32.exe or regsvr32.exe. Maze can encrypt files on the victim and demand a ransom. It can also exfiltrate data back to the attacker prior to encryption.
Cobalt Strike activity detected - (580)
Cobalt Strike is a tool used by both penetration testers and malicious actors. It has been observed being used to deliver Ryuk ransomware and other payloads.

No comments:

Post a Comment

Note: Only a member of this blog may post a comment.