Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Sept. 10 and Sept. 17. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. A visual depiction of the MITRE ATT&CK techniques associated with each threat is also shown. In these images, the brightness of the technique indicates how prevalent it is across all threat files where dynamic analysis was conducted. There are five distinct shades that are used, with the darkest indicating that no files exhibited technique behavior and the brightest indicating that technique behavior was observed from 75 percent or more of the files.

The most prevalent threats highlighted in this roundup are:

Threat Name | Type | Description
Win.Trojan.Autoit-9891607-0 | Trojan | This signature covers malware leveraging the well-known AutoIT automation tool, widely used by system administrators. AutoIT exposes a rich scripting language that allows the adversary to write fully functional malicious software. This family will install itself on the system and contact a C2 server to receive additional instructions or download follow-on payloads.
Win.Malware.Zusy-9892604-0 | Malware | Zusy, also known as TinyBanker or Tinba, is a trojan that uses man-in-the-middle attacks to steal banking information. When executed, it injects itself into legitimate Windows processes such as "explorer.exe" and "winver.exe." When the user accesses a banking website, it displays a form to trick the user into submitting personal information.
Win.Malware.Razy-9891835-0 | Malware | Razy is oftentimes a generic detection name for a Windows trojan. It collects sensitive information — sometimes including screenshots — from the infected host and encrypts the data, eventually sending it to a C2 server. The samples modify auto-execute functionality by setting and creating a value in the registry for persistence.
Win.Packed.NetWire-9891837-1 | Packed | NetWire is a remote access trojan (RAT) that allows attackers to execute commands on the infected host, log keystrokes, interact with a webcam, remote desktop, and read data from connected USB devices. NetWire is commonly delivered through Microsoft Office documents with macros, sent as attachments on malicious emails.
Win.Packed.Lokibot-9891839-0 | Packed | Lokibot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from several popular applications. It is commonly pushed via malicious documents delivered via spam emails.
Win.Packed.Tofsee-9892915-1 | Packed | Tofsee is multi-purpose malware that features a number of modules used to carry out various activities such as sending spam messages, conducting click fraud, mining cryptocurrency, and more. Infected systems become part of the Tofsee spam botnet and are used to send large volumes of spam messages to infect additional systems and increase the size of the botnet under the operator's control.
Win.Dropper.Gh0stRAT-9892254-0 | Dropper | Gh0stRAT is a well-known family of remote access trojans designed to provide an attacker with complete control over an infected system. This trojan can monitor keystrokes, collect video footage from the victim's webcam, and download follow-on malware. The source code for Gh0stRAT has been publicly available on the internet for years, significantly lowering the barrier for actors to modify and reuse the code in new attacks.
Win.Virus.Ramnit-9892317-0 | Virus | Ramnit is a banking trojan that monitors web browser activity on an infected machine and collects login information from financial websites. It also steals browser cookies and attempts to hide from popular antivirus software.
Win.Dropper.Remcos-9892963-1 | Dropper | Remcos is a remote access trojan (RAT) that allows attackers to execute commands on the infected host, log keystrokes, interact with a webcam, and capture screenshots. This malware is commonly delivered through Microsoft Office documents with macros, sent as attachments on malicious emails.

Threat Breakdown

Win.Trojan.Autoit-9891607-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 26 samples
Registry Keys | Occurrences
<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\159 | 25
IP Addresses contacted by malware (does not indicate maliciousness) | Occurrences

*See JSON for more IOCs
Domain Names contacted by malware (does not indicate maliciousness) | Occurrences

*See JSON for more IOCs
Files and/or directories created | Occurrences
\REGISTRY\MACHINE\SOFTWARE\Classes\AllFilesystemObjects | 1
%HOMEPATH%\BrowsersFiles.zip | 1
%PUBLIC%\ogpxv0ba.default\cert9.db | 1
%PUBLIC%\ogpxv0ba.default\key4.db | 1
%LOCALAPPDATA%\Microsoft\CLR_v2.0_32\UsageLogs\InstallUtil.exe.log | 1
%LOCALAPPDATA%\Microsoft\CLR_v2.0_32\UsageLogs\MZ.exe.log | 1
%APPDATA%\Microsoft\Windows\Templates\MZ.exe | 1
%APPDATA%\Microsoft\Windows\Templates\recommended.4NN | 1
%TEMP%\bjlzipytlgnx | 1
%TEMP%\tilerjgocitb | 1
%TEMP%\huwltqpzqlde | 1
%TEMP%\rikowpzuzoox | 1
%TEMP%\mzalvlzqohyj | 1
%TEMP%\mwnihoqotmmh | 1
%TEMP%\zjjzuuaoeqaf | 1

File Hashes

*See JSON for more IOCs

Coverage

Product | Protection
AMP | This has coverage
Cloudlock | N/A
CWS | This has coverage
Email Security | This has coverage
Network Security | N/A
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Threat Grid | This has coverage
Umbrella | N/A
WSA | N/A

Screenshots of Detection

AMP


ThreatGrid


MITRE ATT&CK


Win.Malware.Zusy-9892604-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 36 samples
Registry Keys | Occurrences
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS DEFENDER | 34
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS DEFENDER\REAL-TIME PROTECTION | 34
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS DEFENDER\REAL-TIME PROTECTION, Value Name: DisableBehaviorMonitoring | 33
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS DEFENDER\REAL-TIME PROTECTION, Value Name: DisableOnAccessProtection | 33
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS DEFENDER\REAL-TIME PROTECTION, Value Name: DisableScanOnRealtimeEnable | 33
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS DEFENDER\REAL-TIME PROTECTION, Value Name: DisableIOAVProtection | 33
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS DEFENDER\REAL-TIME PROTECTION, Value Name: DisableRawWriteNotification | 33
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS DEFENDER\REAL-TIME PROTECTION, Value Name: DisableRealtimeMonitoring | 33
<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\159 | 33
<HKCU>\SOFTWARE\FARLABUNINSTALLER | 3
<HKCU>\SOFTWARE\FARLABUNINSTALLER\FARLABUNINSTALLER | 3
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\FARLABUNINSTALLER.EXE_IS1 | 3
<HKCU>\SOFTWARE\FARLABUNINSTALLER\FARLABUNINSTALLER, Value Name: key | 3
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\FARLABUNINSTALLER.EXE_IS1, Value Name: Inno Setup: Setup Version | 3
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\FARLABUNINSTALLER.EXE_IS1, Value Name: Inno Setup: App Path | 3
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\FARLABUNINSTALLER.EXE_IS1, Value Name: InstallLocation | 3
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\FARLABUNINSTALLER.EXE_IS1, Value Name: Inno Setup: Icon Group | 3
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\FARLABUNINSTALLER.EXE_IS1, Value Name: Inno Setup: User | 3
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\FARLABUNINSTALLER.EXE_IS1, Value Name: Inno Setup: Selected Tasks | 3
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\FARLABUNINSTALLER.EXE_IS1, Value Name: Inno Setup: Deselected Tasks | 3
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\FARLABUNINSTALLER.EXE_IS1, Value Name: Inno Setup: Language | 3
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\FARLABUNINSTALLER.EXE_IS1, Value Name: DisplayName | 3
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\FARLABUNINSTALLER.EXE_IS1, Value Name: DisplayIcon | 3
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\FARLABUNINSTALLER.EXE_IS1, Value Name: UninstallString | 3
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\FARLABUNINSTALLER.EXE_IS1, Value Name: QuietUninstallString | 3
Mutexes | Occurrences
NVIDIA OpenGL Driver An application has requested more GPU memory than is available in the system. The application will now be closed. Error code: 6 Would you like to visit http://nvidia.custhelp.com/app/answers/detail/a_id/3553 for help? | 3
Global\SetupLog | 2
Global\WdsSetupLogInit | 2
Global\h48yorbq6rm87zot | 2
Global\ewzy5hgt3x5sof4v | 2
Global\xmrigMUTEX31337 | 2
WininetConnectionMutex | 2
Global\9fc058dc-b674-11ea-93f1-005056939927 | 1
MyIclpAp | 1
Global\a556d5a1-0a9f-11ec-b5f8-00501e3ae7b6 | 1
IP Addresses contacted by malware (does not indicate maliciousness) | Occurrences

*See JSON for more IOCs

Domain Names contacted by malware (does not indicate maliciousness) | Occurrences

*See JSON for more IOCs

Files and/or directories created | Occurrences
%HOMEPATH%\Documents\dh3CYw5lop_S5WM5ERoOPEmF.dll | 21
%LOCALAPPDATA%\Programs | 16
%LOCALAPPDATA%\Programs\Common | 16
%HOMEPATH%\Documents\Ei8DrAmaYu9K8ghN89CsjOW1.dll | 16
%TEMP%\IXP000.TMP\Hai.docm | 8
%TEMP%\IXP000.TMP\Nobile.docm | 8
%TEMP%\IXP000.TMP\Passaggio.docm | 8
%TEMP%\IXP000.TMP\Vederlo.docm | 8
%TEMP%\$inst\2.tmp | 7
%TEMP%\sqlite.dat | 7
%TEMP%\sqlite.dll | 7
%TEMP%\tmp<random, matching [A-F0-9]{1,4}>.tmp | 6
%LOCALAPPDATA%\Microsoft\CLR_v4.0_32\UsageLogs\<exe name>.log | 6
%SystemRoot%\Logs\CBS\CBS.log | 5
%SystemRoot%\rss\csrss.exe | 5
%ProgramFiles%\PowerControl\PowerControl_Svc.exe | 5
%APPDATA%\WinHost\WinHoster.exe | 4
%TEMP%\rOBCqJoQYC.eXe | 4
%ProgramFiles(x86)%\FarLabUninstaller | 3
%ProgramFiles(x86)%\FarLabUninstaller\unins000.dat | 3
%ProgramFiles(x86)%\PowerControl | 3
%ProgramFiles(x86)%\PowerControl\PowerControl_Svc.exe | 3
%HOMEPATH%\Documents\qT3dWYBP7ZsuOrwW4ZcUbjl6.exe | 3
%TEMP%\IXP000.TMP\Col.aif | 3
%TEMP%\IXP000.TMP\Conquista.aif | 3

*See JSON for more IOCs

File Hashes

*See JSON for more IOCs

Coverage

Product | Protection
AMP | This has coverage
Cloudlock | N/A
CWS | This has coverage
Email Security | This has coverage
Network Security | This has coverage
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Threat Grid | This has coverage
Umbrella | This has coverage
WSA | This has coverage

Screenshots of Detection

AMP


ThreatGrid


MITRE ATT&CK


Win.Malware.Razy-9891835-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 12 samples
Registry Keys | Occurrences
<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\159 | 12
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN, Value Name: Windows Logon Application | 12
\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | 2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | 1
IP Addresses contacted by malware (does not indicate maliciousness) | Occurrences
149[.]154[.]167[.]220 | 12
Domain Names contacted by malware (does not indicate maliciousness) | Occurrences
api[.]telegram[.]org | 12
Files and/or directories created | Occurrences
%ProgramData%\winlogin.exe | 12
%TEMP%\<random, matching '[a-z]{3}[A-F0-9]{3,4}'>.tmp | 12
%LOCALAPPDATA%\Microsoft\CLR_v4.0_32\UsageLogs\<exe name>.log | 12

File Hashes

*See JSON for more IOCs

Coverage

Product | Protection
AMP | This has coverage
Cloudlock | N/A
CWS | This has coverage
Email Security | This has coverage
Network Security | This has coverage
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Threat Grid | This has coverage
Umbrella | N/A
WSA | N/A

Screenshots of Detection

AMP


ThreatGrid


MITRE ATT&CK


Win.Packed.NetWire-9891837-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 32 samples
Registry Keys | Occurrences
<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\159 | 32
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN, Value Name: NetWire | 28
<HKCU>\SOFTWARE\NETWIRE | 28
<HKCU>\SOFTWARE\NETWIRE, Value Name: HostId | 28
<HKCU>\SOFTWARE\NETWIRE, Value Name: Install Date | 28
Mutexes | Occurrences
HDPAYslj | 28
Global\dbbc6501-11c1-11ec-b5f8-00501e3ae7b6 | 1
Global\c3cd1341-11c1-11ec-b5f8-00501e3ae7b6 | 1
IP Addresses contacted by malware (does not indicate maliciousness) | Occurrences

*See JSON for more IOCs
Domain Names contacted by malware (does not indicate maliciousness) | Occurrences
automan[.]duckdns[.]org | 28
Files and/or directories created | Occurrences
%APPDATA%\Install | 28
%APPDATA%\Install\Host.exe | 28
\TEMP\test.exe | 28
\test.exe | 23

File Hashes

*See JSON for more IOCs

Coverage

Product | Protection
AMP | This has coverage
Cloudlock | N/A
CWS | This has coverage
Email Security | This has coverage
Network Security | This has coverage
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Threat Grid | This has coverage
Umbrella | N/A
WSA | N/A

Screenshots of Detection

AMP


ThreatGrid


MITRE ATT&CK


Win.Packed.Lokibot-9891839-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 21 samples
Registry Keys | Occurrences
<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\159 | 20
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\C67LIU0ZRS | 1
Mutexes | Occurrences
3749282D282E1E80C56CAE5A | 18
9DAA44F7C7955D46445DC99B | 18
IP Addresses contacted by malware (does not indicate maliciousness) | Occurrences
185[.]94[.]191[.]80 | 18
194[.]5[.]98[.]94 | 1
Files and/or directories created | Occurrences
\test.exe | 19
\TEMP\test.exe | 19
%APPDATA%\D282E1 | 18
%APPDATA%\D282E1\1E80C5.lck | 18
%APPDATA%\Microsoft\Crypto\RSA\S-1-5-21-2580483871-590521980-3826313501-500\a18ca4003deb042bbee7a40f15e1970b_d19ab989-a35f-4710-83df-7b2db7efe7c5 | 18
%APPDATA%\7C7955\5D4644.lck | 18
%APPDATA%\Microsoft\Crypto\RSA\S-1-5-21-1160359183-2529320614-3255788068-500\a18ca4003deb042bbee7a40f15e1970b_24e2b309-1719-4436-b195-573e7cb0f5b1 | 18
%APPDATA%\7C7955\5D4644.exe (copy) | 18
%ProgramFiles%\Microsoft DN1 | 1
%LOCALAPPDATA%\Microsoft Vision | 1

File Hashes

*See JSON for more IOCs

Coverage

Product | Protection
AMP | This has coverage
Cloudlock | N/A
CWS | This has coverage
Email Security | This has coverage
Network Security | N/A
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Threat Grid | This has coverage
Umbrella | N/A
WSA | N/A

Screenshots of Detection

AMP


ThreatGrid


MITRE ATT&CK


Win.Packed.Tofsee-9892915-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 184 samples
Registry Keys | Occurrences
<HKU>\.DEFAULT\CONTROL PANEL\BUSES, Value Name: Config4 | 183
<HKU>\.DEFAULT\CONTROL PANEL\BUSES | 183
<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\159 | 183
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> | 133
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>, Value Name: Type | 133
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>, Value Name: Start | 133
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>, Value Name: ErrorControl | 133
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>, Value Name: DisplayName | 133
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>, Value Name: WOW64 | 133
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>, Value Name: ObjectName | 133
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>, Value Name: Description | 133
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>, Value Name: ImagePath | 26
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\NXZUQIHD, Value Name: Description | 10
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS, Value Name: C:\Windows\SysWOW64\nxzuqihd | 10
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WGIDZRQM | 10
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WGIDZRQM, Value Name: Type | 10
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WGIDZRQM, Value Name: Start | 10
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WGIDZRQM, Value Name: ErrorControl | 10
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WGIDZRQM, Value Name: DisplayName | 10
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WGIDZRQM, Value Name: WOW64 | 10
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WGIDZRQM, Value Name: ObjectName | 10
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WGIDZRQM, Value Name: Description | 10
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS, Value Name: C:\Windows\SysWOW64\wgidzrqm | 10
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\GQSNJBAW | 10
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\GQSNJBAW, Value Name: Type | 10
Mutexes | Occurrences
Dmrc_mtx_409a9db1-a045-4296-8d2c-9d71016c846b | 1
IP Addresses contacted by malware (does not indicate maliciousness) | Occurrences

*See JSON for more IOCs

Domain Names contacted by malware (does not indicate maliciousness) | Occurrences

*See JSON for more IOCs

Files and/or directories created | Occurrences
%SystemRoot%\SysWOW64\config\systemprofile | 183
%SystemRoot%\SysWOW64\config\systemprofile:.repos | 183
%TEMP%\<random, matching '[a-z]{8}'>.exe | 175
%SystemRoot%\SysWOW64\<random, matching '[a-z]{8}'> | 133
%System32%\config\systemprofile:.repos | 38
%System32%\<random, matching '[a-z]{7,8}'>\<random, matching '[a-z]{6,8}'>.exe (copy) | 38
%TEMP%\<random, matching '[a-z]{4,9}'>.exe | 11
%SystemRoot%\SysWOW64\nxzuqihd | 10
%SystemRoot%\SysWOW64\wgidzrqm | 10
%SystemRoot%\SysWOW64\gqsnjbaw | 10
%SystemRoot%\SysWOW64\cmojfxws | 10
%SystemRoot%\SysWOW64\rbdyumlh | 10

File Hashes

*See JSON for more IOCs

Coverage

Product | Protection
AMP | This has coverage
Cloudlock | N/A
CWS | This has coverage
Email Security | This has coverage
Network Security | This has coverage
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Threat Grid | This has coverage
Umbrella | This has coverage
WSA | This has coverage

Screenshots of Detection

AMP


ThreatGrid


MITRE ATT&CK


Win.Dropper.Gh0stRAT-9892254-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 108 samples
Registry Keys | Occurrences
<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\159 | 95
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN, Value Name: HFF | 95
Mutexes | Occurrences
107.183.41.149:3204 | 95
M107.183.41.149:3204 | 95
0x5d65r455f | 21
IP Addresses contacted by malware (does not indicate maliciousness) | Occurrences

*See JSON for more IOCs
Domain Names contacted by malware (does not indicate maliciousness) | Occurrences
blogx[.]sina[.]com[.]cn | 31
blog[.]sina[.]com[.]cn | 31
Files and/or directories created | Occurrences
\1.txt | 108
%ProgramFiles%\<random, matching '[a-z]{5,9}\[a-z]{3,9}'>.exe | 108
%ProgramFiles%\<random, matching '[a-z]{5,9}\[a-z]{3,9}'>.dll | 108
%TEMP%\<random, matching '[a-z]{4,9}'>.exe | 106
%ProgramFiles%\<random, matching '[a-z]{5,8}'> | 86
%TEMP%\<random, matching '[a-z]{8}'>.exe | 15
%ProgramFiles%\fbcbtqsaq | 2
%ProgramFiles%\fbcbtqsaq\11292259 | 2
%ProgramFiles%\jnklqbu\11292259 | 2
%ProgramFiles%\tdtkgfbl\11292259 | 1
%ProgramFiles%\tkdnib\11292259 | 1
%ProgramFiles%\lxzoe\11292259 | 1
%ProgramFiles%\lennn\11292259 | 1
%ProgramFiles%\bppxs\11292259 | 1
%ProgramFiles%\czspx\11292259 | 1
%ProgramFiles%\gjjixyvd\11292259 | 1
%ProgramFiles%\icwhd\11292259 | 1
%ProgramFiles%\smeet\11292259 | 1
%ProgramFiles%\ldvlp\11292259 | 1
%ProgramFiles%\wkboyak\11292259 | 1
%ProgramFiles%\akzeo\11292259 | 1
%ProgramFiles%\grdif\11292259 | 1
%ProgramFiles%\lrwsu\11292259 | 1
%ProgramFiles%\qfikv\11292259 | 1
%ProgramFiles%\sytfcd\11292259 | 1

*See JSON for more IOCs

File Hashes

*See JSON for more IOCs

Coverage

Product | Protection
AMP | This has coverage
Cloudlock | N/A
CWS | This has coverage
Email Security | This has coverage
Network Security | N/A
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Threat Grid | This has coverage
Umbrella | N/A
WSA | N/A

Screenshots of Detection

AMP


ThreatGrid


MITRE ATT&CK


Win.Virus.Ramnit-9892317-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 40 samples
Registry Keys | Occurrences
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER, Value Name: AntiVirusOverride | 40
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER, Value Name: AntiVirusDisableNotify | 40
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER, Value Name: FirewallDisableNotify | 40
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER, Value Name: FirewallOverride | 40
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER, Value Name: UpdatesDisableNotify | 40
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER, Value Name: UacDisableNotify | 40
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM, Value Name: EnableLUA | 40
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE, Value Name: EnableFirewall | 40
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE, Value Name: DoNotAllowExceptions | 40
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE, Value Name: DisableNotifications | 40
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC, Value Name: Start | 40
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDEFEND, Value Name: Start | 40
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MPSSVC, Value Name: Start | 40
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION, Value Name: jfghdug_ooetvtgk | 40
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN, Value Name: JudCsgdy | 40
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WUAUSERV, Value Name: Start | 40
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN, Value Name: Windows Defender | 40
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON, Value Name: Userinit | 40
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON, Value Name: Userinit | 40
<HKLM>\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{CD5BA7FF-9071-40E9-A462-8DC5152B1776} | 14
<HKLM>\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{CD5BA7FF-9071-40E9-A462-8DC5152B1776}\INPROCSERVER32 | 14
<HKLM>\SOFTWARE\CLASSES\WOW6432NODE\MEDIAFOUNDATION\TRANSFORMS\CD5BA7FF-9071-40E9-A462-8DC5152B1776 | 14
<HKLM>\SOFTWARE\CLASSES\WOW6432NODE\MEDIAFOUNDATION\TRANSFORMS\CATEGORIES\D6C02D4B-6833-45B4-971A-05A4B04BAB91\CD5BA7FF-9071-40E9-A462-8DC5152B1776 | 14
<HKLM>\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{CD5BA7FF-9071-40E9-A462-8DC5152B1776}\INPROCSERVER32, Value Name: ThreadingModel | 14
Mutexes | Occurrences
{7930D12C-1D38-EB63-89CF-4C8161B79ED4} | 40
{79345B6A-421F-2958-EA08-07396ADB9E27} | 40
{<random GUID>} | 40
IP Addresses contacted by malware (does not indicate maliciousness) | Occurrences

*See JSON for more IOCs
Domain Names contacted by malware (does not indicate maliciousness) | Occurrences

*See JSON for more IOCs

Files and/or directories created | Occurrences
%LOCALAPPDATA%\bolpidti | 40
%LOCALAPPDATA%\bolpidti\judcsgdy.exe | 40
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\judcsgdy.exe | 40
%LOCALAPPDATA%\<random, matching '[a-z]{7,8}'>\<random, matching '[a-z]{6,8}'>.exe | 40
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\<random, matching '[a-z]{8}'>.exe | 40
\TEMP\Ie9U6w3 | 13
%HOMEPATH%\Desktop\Ie9U6w3 | 13
\TEMP\PHI3HYVpk | 8
%HOMEPATH%\Desktop\PHI3HYVpk | 8
\TEMP\jGmVAyK6m | 5
%HOMEPATH%\Desktop\jGmVAyK6m | 5
\TEMP\MmZTUz3 | 3
\TEMP\1uM6NPV | 3
%HOMEPATH%\Desktop\1uM6NPV | 3
%HOMEPATH%\Desktop\MmZTUz3 | 3
\TEMP\oohiJyR | 2
\TEMP\NpLWRe3 | 2
\TEMP\f1LjRSgx | 2
%HOMEPATH%\Desktop\oohiJyR | 2
%HOMEPATH%\Desktop\NpLWRe3 | 2
%HOMEPATH%\Desktop\f1LjRSgx | 2
\TEMP\0F8uLAb | 1
%HOMEPATH%\Desktop\0F8uLAb | 1
\TEMP\FwYdCh5I | 1
%HOMEPATH%\Desktop\FwYdCh5I | 1

File Hashes

*See JSON for more IOCs

Coverage

Product | Protection
AMP | This has coverage
Cloudlock | N/A
CWS | This has coverage
Email Security | This has coverage
Network Security | This has coverage
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Threat Grid | This has coverage
Umbrella | This has coverage
WSA | This has coverage

Screenshots of Detection

AMP


ThreatGrid


MITRE ATT&CK


Win.Dropper.Remcos-9892963-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 12 samples
Registry Keys | Occurrences
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN, Value Name: WindowsUpdate | 9
<HKCU>\SOFTWARE\REMCOS-MBRADG | 5
<HKCU>\SOFTWARE\REMCOS-MBRADG, Value Name: exepath | 5
<HKCU>\SOFTWARE\REMCOS-MBRADG, Value Name: licence | 5
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN, Value Name: AGP Manager | 3
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN, Value Name: Chrome | 3
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN, Value Name: AutoUpdate | 3
<HKCU>\SOFTWARE\REMCOS-UBUDTK | 3
<HKCU>\SOFTWARE\REMCOS-UBUDTK, Value Name: exepath | 3
<HKCU>\SOFTWARE\REMCOS-UBUDTK, Value Name: licence | 3
Mutexes | Occurrences
Remcos_Mutex_Inj | 8
Remcos-MBRADG | 5
Global\{8080abe9-dca0-4fda-b289-40c56bb7d446} | 3
Remcos-UBUDTK | 3
Global\{65c4cce3-96ed-4d8c-83a6-21005aeabacb} | 1
IP Addresses contacted by malware (does not indicate maliciousness) | Occurrences

*See JSON for more IOCs
Domain Names contacted by malware (does not indicate maliciousness) | Occurrences
mgc001[.]hopto[.]org | 5
strongodss[.]ddns[.]net | 3
mgc0147[.]hopto[.]org | 3
mgc007[.]ddns[.]net | 1
Files and or directories createdOccurrences
%HOMEPATH%\temp 12
%TEMP%\RegSvcs.exe 12
%APPDATA%\remcos 8
%APPDATA%\remcos\logs.dat 8
%APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5 4
%APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\Logs 4
%APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\Logs\Administrator 4
%APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\run.dat 4
%APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\task.dat 4
%System32%\Tasks\AGP Manager 4
%APPDATA%\24E2B309-1719-4436-B195-573E7CB0F5B1\run.dat 4
%APPDATA%\24E2B309-1719-4436-B195-573E7CB0F5B1\task.dat 4
%TEMP%\tmp<random, matching [A-F0-9]{1,4}>.tmp 4
%ProgramFiles(x86)%\AGP Manager\agpmgr.exe 3
%System32%\Tasks\AGP Manager Task 3
%HOMEPATH%\17042966\krulwwjsfx.bdu 1
%HOMEPATH%\17042966\mdcreha.xls 1
%HOMEPATH%\17042966\nucdhin.jpg 1
%HOMEPATH%\17042966\pawgn.txt 1
%HOMEPATH%\17042966\unrxqju.bmp 1
%HOMEPATH%\17042966\vkxcqenmxf.pdf 1
%HOMEPATH%\17042966\vpjdoeg.ppt 1
%HOMEPATH%\17042966\vvxdbrlaxi.xls 1
%HOMEPATH%\17042966\wojmoim.jpg 1
%HOMEPATH%\17042966\xdpwfahwus.exe 1

*See JSON for more IOCs
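The tables above list indicators in the defanged form the roundup uses (`79[.]134[.]225[.]40`, `mgc001[.]hopto[.]org`). To use them in a hunt they have to be refanged and compared against telemetry in a way that respects each indicator type: IPs and domains as exact tokens, registry keys as case-insensitive path prefixes, mutex names case-sensitively. The following is an added example, not Talos code and not part of the published JSON; it takes the network, registry and mutex indicators from this threat's tables, normalises them, and runs them over a handful of constructed log lines (the log format, the client IPs and the benign hostnames are invented for the example). Registry keys are assumed to appear in logs with either the short hive name (`HKCU`) or the long one (`HKEY_CURRENT_USER`).

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Set

# Indicators copied from the tables above, in the defanged form the post uses.
DEFANGED_IPS = [
    "79[.]134[.]225[.]40", "185[.]19[.]85[.]175", "194[.]5[.]98[.]158",
    "176[.]216[.]243[.]66", "176[.]218[.]155[.]61", "194[.]5[.]98[.]113",
    "46[.]2[.]255[.]122",
]
DEFANGED_DOMAINS = [
    "mgc001[.]hopto[.]org", "strongodss[.]ddns[.]net",
    "mgc0147[.]hopto[.]org", "mgc007[.]ddns[.]net",
]
# Registry keys without the post's <HKCU> brackets (assumption: logs write the
# hive as HKCU or HKEY_CURRENT_USER; both forms are normalised below).
REGISTRY_KEYS = [r"HKCU\SOFTWARE\REMCOS-MBRADG", r"HKCU\SOFTWARE\REMCOS-UBUDTK"]
MUTEXES = ["Remcos_Mutex_Inj", "Remcos-MBRADG", "Remcos-UBUDTK"]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(
    r"\b[a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)+\b", re.I)
TOKEN_SPLIT_RE = re.compile(r"[\s\"'=]+")
HIVE_LONG_NAMES = {"hkey_current_user": "hkcu", "hkey_local_machine": "hklm"}


def refang(indicator: str) -> str:
    """Turn the post's defanged notation (1[.]2[.]3[.]4) back into a matchable string."""
    return indicator.replace("[.]", ".")


def build_iocs() -> Dict[str, Set[str]]:
    """Normalise every indicator type into the form scan_line compares against."""
    return {
        "ip": {refang(ip) for ip in DEFANGED_IPS},
        "domain": {refang(d).lower() for d in DEFANGED_DOMAINS},
        "registry": {k.lower() for k in REGISTRY_KEYS},
        "mutex": set(MUTEXES),  # mutex names are case-sensitive, so no lowering
    }


@dataclass(frozen=True)
class Hit:
    line_no: int
    kind: str
    indicator: str


def scan_line(line_no: int, line: str, iocs: Dict[str, Set[str]]) -> List[Hit]:
    """Return every indicator match in one log line, typed by indicator kind."""
    hits: List[Hit] = []
    for ip in IPV4_RE.findall(line):
        if ip in iocs["ip"]:
            hits.append(Hit(line_no, "ip", ip))
    for host in HOST_RE.findall(line):
        if host.lower() in iocs["domain"]:
            hits.append(Hit(line_no, "domain", host.lower()))
    # Registry paths: case-insensitive prefix/substring match after hive normalisation.
    low = line.lower()
    for long_name, short_name in HIVE_LONG_NAMES.items():
        low = low.replace(long_name, short_name)
    for key in sorted(iocs["registry"]):
        if key in low:
            hits.append(Hit(line_no, "registry", key))
    # Mutexes: exact, case-sensitive token match so REMCOS-MBRADG (a key) is not a mutex hit.
    tokens = set(TOKEN_SPLIT_RE.split(line))
    for mutex in sorted(iocs["mutex"]):
        if mutex in tokens:
            hits.append(Hit(line_no, "mutex", mutex))
    return hits


def scan_text(text: str, iocs: Dict[str, Set[str]]) -> List[Hit]:
    """Scan a whole log (one event per line); line numbers are 1-based."""
    hits: List[Hit] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if line.strip():
            hits.extend(scan_line(line_no, line, iocs))
    return hits


# Constructed sample telemetry for the example (not real logs): DNS, proxy,
# registry and sandbox events mixed with benign traffic.
SAMPLE_LOG = r"""
2020-09-15T10:01:02Z dns client=10.0.0.5 query=mgc001.hopto.org type=A
2020-09-15T10:01:03Z proxy client=10.0.0.5 dst=185.19.85.175 action=allow
2020-09-15T10:01:04Z dns client=10.0.0.7 query=update.example.com type=A
2020-09-15T10:01:05Z registry op=SetValue key=HKCU\SOFTWARE\REMCOS-MBRADG\exepath
2020-09-15T10:01:06Z sandbox event=CreateMutex name=Remcos_Mutex_Inj
2020-09-15T10:01:07Z proxy client=10.0.0.9 dst=198.51.100.7 action=allow
""".strip()


if __name__ == "__main__":
    for hit in scan_text(SAMPLE_LOG, build_iocs()):
        print(f"line {hit.line_no}: {hit.kind} indicator {hit.indicator}")
```

As the roundup itself notes, a single hit is a lead, not a verdict: the dynamic-DNS domains and the IPs in these tables may also serve legitimate traffic, so a hit should be correlated with the registry key, mutex and file indicators before anything is declared compromised.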

File Hashes

0cb48daa5602c131301cf81a95027b29cb88ad479c45478f0cecd43159f6ff33
1931300ef0884f941f8bd25969bd06e351445eb9b2858aad4906190532bc9a6e
31f92969c392643e5f0c995d5909625ee7f73caace2159d139858f5d1cc8b3f1
420491b4a9f034d6ab1349e1f4653ad25b95167a153682f0482baf547240ec8e
49ba5c62d711962e856fd4fd3d1a39d349adff92cdc28bb60ec36e398884a953
69a2af535a65c3fe2419df3f6181a33e51797334b14daa6085c62b87c4866198
7cf95c0b9a54fa67fcd82ab0dc3dddbbb3861b9c4111a12e628f0003b02e41d9
7e2b18483fb6a01bc28b3f5b55c784d53fef643dbd5a1173ad1957620e196b22
8b13acacf54b7eff8aa2000392023b506eea5cc193dff68c3cdf444055c534d0
b48f0a69fbd7b2acff7ba78adabd07336879b1043261ecb46c1f29a6621bdf54
bc655bb0186bc666521d9e0bad2e2ff1d3c4deb2edaf7e2fff4dd67ba896169c
e3191360fa158ec342501bdb061a123fe55da0b06077908b59a26ed66b946427

Coverage

Product | Protection
AMP | This has coverage
Cloudlock | N/A
CWS | This has coverage
Email Security | This has coverage
Network Security | This has coverage
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Threat Grid | This has coverage
Umbrella | This has coverage
WSA | This has coverage

Screenshots of Detection

AMP


ThreatGrid


MITRE ATT&CK


Exploit Prevention

Cisco AMP for Endpoints protects users from a variety of malware functions with exploit prevention. Exploit prevention helps users defend endpoints from memory attacks commonly used by obfuscated malware and exploits. These exploits use certain features to bypass typical anti-virus software, but were blocked by AMP thanks to its advanced scanning capabilities, even protecting against zero-day vulnerabilities.

Process hollowing detected - (24727)
Process hollowing is a technique used by some programs to avoid static analysis. In typical usage, a process is started and its obfuscated or encrypted contents are unpacked into memory. The parent then manually sets up the first stages of launching a child process, but before launching it, the memory is cleared and filled in with the memory from the parent instead.
Crystalbit-Apple DLL double hijack detected - (8251)
Crystalbit-Apple DLL double hijack was detected. During this attack, the adversary abuses two legitimate vendor applications, such as CrystalBit and Apple, as part of a DLL double hijack attack chain that starts with a fraudulent software bundle and eventually leads to a persistent miner and in some cases spyware deployment.
Excessively long PowerShell command detected - (7055)
A PowerShell command with a very long command line argument that may indicate an obfuscated script has been detected. PowerShell is an extensible Windows scripting language present on all versions of Windows. Malware authors use PowerShell in an attempt to evade security software or other monitoring that is not tuned to detect PowerShell-based threats.
Reverse tcp payload detected - (4945)
An exploit payload intended to connect back to an attacker-controlled host using TCP has been detected.
A Microsoft Office process has started a Windows utility. - (3980)
A process associated with Microsoft Office, such as EXCEL.exe, OUTLOOK.exe or WINWORD.exe, has started a Windows utility such as powershell.exe or cmd.exe. This is typical behavior of malicious documents executing additional scripts. This behavior is extremely suspicious and is associated with many different malware campaigns and families.
mshta.exe proxy execution detected - (2711)
mshta.exe is a trusted Windows utility used by adversaries to proxy execution of malicious .hta, JavaScript or VBScript files. Since mshta.exe executes outside of Internet Explorer's security context, it can bypass browser security settings. Various malware families use this technique to execute additional stages of infection.
CVE-2020-1472 exploit detected - (2455)
An attempt to exploit CVE-2020-1472, also known as "Zerologon", has been detected. This is a privilege escalation vulnerability in Netlogon.
Expiro Malware detected - (1652)
Expiro malware is unique in that it infiltrates executable files on both 32- and 64-bit Windows systems by appending its viral code to the host. It can be used to install malicious browser extensions, lower browser security settings, and steal account credentials.
Dealply adware detected - (1264)
DealPly is adware, which claims to improve your online shopping experience. It is often bundled into other legitimate installers and is difficult to uninstall. It creates pop-up advertisements and injects advertisements on webpages. Adware has also been known to download and install malware.
Kovter injection detected - (840)
A process was injected into, most likely by an existing Kovter infection. Kovter is a click fraud Trojan that can also act as an information stealer. Kovter is also fileless malware, meaning the malicious DLL is stored inside the Windows registry and injected directly into memory using PowerShell. It can detect and report the usage of monitoring software such as Wireshark and sandboxes to its C2. It spreads through malicious advertising and spam campaigns.
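Three of the exploit-prevention signatures above (the excessively long PowerShell command line, an Office process starting a Windows utility, and mshta.exe proxying script execution) are pure process-creation logic that a SOC can reproduce over its own endpoint telemetry. The block below is an added example, not AMP's detection logic or any Talos code: it expresses each of those three descriptions as a rule over Sysmon-style process-creation events (the field names `ParentImage`, `Image` and `CommandLine` are Sysmon's, but the events themselves are constructed for the example) and evaluates them against a few such events. The Office parent names and the child utilities come from the descriptions above; `mshta.exe` is added to the utility set because the page discusses it in the next signature. The length cut-off of 1000 characters is an assumption, since the page gives no number, and should be tuned against a baseline of legitimate PowerShell use.

```python
import ntpath
from typing import Callable, Dict, List, Tuple

# Parent and child names taken from the detection descriptions above.
OFFICE_PROCESSES = {"excel.exe", "winword.exe", "outlook.exe"}
WINDOWS_UTILITIES = {"powershell.exe", "cmd.exe", "mshta.exe"}
# Assumed cut-off for "excessively long"; tune on your own baseline.
LONG_COMMAND_LINE = 1000
# What mshta.exe is being asked to run: an .hta file or an inline script protocol.
MSHTA_SCRIPT_MARKERS = (".hta", "javascript:", "vbscript:")

Event = Dict[str, str]  # Sysmon-style keys: ParentImage, Image, CommandLine


def image_name(path: str) -> str:
    """Basename of a Windows path, lower-cased for comparison (works on any host OS)."""
    return ntpath.basename(path).lower()


def office_spawned_utility(ev: Event) -> bool:
    """Office parent (Word, Excel, Outlook) starting a scripting/shell utility."""
    return (image_name(ev["ParentImage"]) in OFFICE_PROCESSES
            and image_name(ev["Image"]) in WINDOWS_UTILITIES)


def long_powershell_command(ev: Event) -> bool:
    """PowerShell launched with a command line long enough to suggest an embedded script."""
    return (image_name(ev["Image"]) == "powershell.exe"
            and len(ev.get("CommandLine", "")) > LONG_COMMAND_LINE)


def mshta_proxy_execution(ev: Event) -> bool:
    """mshta.exe used to run an .hta file or inline JavaScript/VBScript."""
    if image_name(ev["Image"]) != "mshta.exe":
        return False
    cmd = ev.get("CommandLine", "").lower()
    return any(marker in cmd for marker in MSHTA_SCRIPT_MARKERS)


RULES: Dict[str, Callable[[Event], bool]] = {
    "office_spawned_utility": office_spawned_utility,
    "long_powershell_command": long_powershell_command,
    "mshta_proxy_execution": mshta_proxy_execution,
}


def evaluate(ev: Event) -> List[str]:
    """Names of every rule that fires for one event, in RULES order."""
    return [name for name, rule in RULES.items() if rule(ev)]


def triage(events: List[Event]) -> List[Tuple[int, List[str]]]:
    """Evaluate a batch of events; returns (index, fired rules) for each."""
    return [(i, evaluate(ev)) for i, ev in enumerate(events)]


# Constructed sample events (not captured telemetry). Paths follow the usual
# Windows layout; the user name and file names are invented.
POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS: List[Event] = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": POWERSHELL,
     "CommandLine": r"powershell.exe -File C:\Users\alice\AppData\Local\Temp\report.ps1"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": POWERSHELL,
     # 1200 filler characters stand in for a long encoded script body.
     "CommandLine": "powershell.exe -EncodedCommand " + "A" * 1200},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r"mshta.exe C:\Users\alice\AppData\Local\Temp\invoice.hta"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\Users\alice\notes.txt"},
    {"ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c echo ok"},
]


if __name__ == "__main__":
    for index, fired in triage(SAMPLE_EVENTS):
        print(f"event {index}: {fired or 'no rule fired'}")
```

The value of rule names as output is that the same event can carry more than one finding (the third sample event trips both the Office-parent and the mshta rule), which is exactly the stacking that raises an alert from "suspicious" to "investigate now".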