Friday, April 22, 2022

Threat Roundup for April 15 to April 22


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between April 15 and April 22. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, it summarizes the threats we've observed by highlighting key behavioral characteristics and indicators of compromise, and by discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats are subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

For each threat described below, this blog post lists only 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. A visual depiction of the MITRE ATT&CK techniques associated with each threat is also shown. In these images, the brightness of a technique indicates how prevalent it is across all threat files where dynamic analysis was conducted. Five distinct shades are used: the darkest indicates that no files exhibited the technique's behavior, and the brightest indicates that the behavior was observed in 75 percent or more of the files.

The most prevalent threats highlighted in this roundup are:

Threat Name | Type | Description
Win.Packed.Razy-9944943-0 | Packed | Razy is often a generic detection name for a Windows trojan. It collects sensitive information from the infected host and encrypts the data, eventually sending it to a command and control (C2) server. Information collected may include screenshots. The samples establish persistence by creating a registry value that is executed automatically at startup.
Win.Trojan.Zegost-9944345-0 | Trojan | Zegost is a remote access trojan designed to give an attacker complete control over an infected system. Capabilities include monitoring keystrokes, capturing video from the webcam, and uploading and executing follow-on malware. Zegost appears to be derived from Gh0stRAT, a well-known remote access trojan whose source code was leaked, significantly lowering the barrier to entry for actors looking to modify and reuse the code in new attacks.
Win.Dropper.Formbook-9944286-0 | Dropper | Formbook is an information stealer that attempts to collect sensitive information from an infected machine by logging keystrokes, stealing saved web browser credentials, and monitoring information copied to the clipboard.
Win.Ransomware.Cerber-9944814-0 | Ransomware | Cerber is ransomware that encrypts documents, photos, databases and other important files. Historically, this malware replaces files with encrypted versions and adds the file extension ".cerber," although in more recent campaigns other file extensions are used.
Win.Dropper.Upatre-9944336-0 | Dropper | Upatre is a malicious downloader often used by exploit kits and phishing campaigns. Upatre downloads and executes malicious executables, such as banking malware.
Win.Trojan.Fareit-9944778-0 | Trojan | The Fareit trojan is primarily an information stealer with functionality to download and install other malware.
Win.Trojan.Zbot-9944779-0 | Trojan | Zbot, also known as Zeus, is a trojan that steals information, such as banking credentials, using methods such as keylogging and form-grabbing.
Win.Downloader.Banload-9944679-0 | Downloader | Banload is a banking trojan believed to be developed by Brazilian cybercriminals and used primarily to infect machines in Latin America. One notable aspect of Banload is its use of custom kernel drivers to evade detection.
Win.Trojan.Miner-9944721-0 | Trojan | This malware installs and executes cryptocurrency mining software.

Threat Breakdown

Win.Packed.Razy-9944943-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 28 samples
Registry Keys Occurrences
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\.NET CLR DATA\LINKAGE, Value Name: Export 25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\.NET CLR NETWORKING\LINKAGE, Value Name: Export 25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\.NET DATA PROVIDER FOR ORACLE\LINKAGE, Value Name: Export 25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\.NET DATA PROVIDER FOR SQLSERVER\LINKAGE, Value Name: Export 25
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\CRYPTOGRAPHY\AUTOENROLLMENT 25
<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\159 25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN, Value Name: PlexService 25
Mutexes Occurrences
65845562146GZ23 25
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
corporation[.]warzonedns[.]com 25
Files and/or directories created Occurrences
%APPDATA%\PlexService 25
%APPDATA%\PlexService\PlexMedia.bat 25
%APPDATA%\PlexService\PlexMedia.exe 25

File Hashes

068a3ee10b9c9ebd6f0313a641f448b6014cd8e7ec0f22152a10a236ed4c6b45 07aa79f924445e867ab77d769a490040776dfd2eab89e22825a89313179676db 0da129e88db6b27bed612cf8ee035bfa40848be932e41eb45da313700960253d 11c22f9c2fe94f8ff90361bbb9a96fe4c3f4da98b67cbf0724d2f9947b0b04a2 177ef73bc608d6b91b393a7cd6610e4747b669df93b953a96f81673609a4c034 1a82aed6c9c1869ff98da8abbaec637607eb29689ac6098d94b4be1319af7f07 1cb5a0ecb44c5f89bbb17f1562cc17525aca13451c344eba4c2ca9dc088073c5 2361ca96e659eed25263dc63407a802ee5d07c0c3e99ab7a1ad2a14875588213 269f5257b774289201d71efaa27bc67437111ebf7f452b5a8a29cc8bbbb4d219 27558fb9c0137fc15536c4f3cea9d010b7bffb14780d016916be1d5a50c617ab 28c38ebb8c671e1b48a82c01a4b85ef262954609530d39998be47cbd0c9648ea 2b2151e143c123febba7c443f23fc726a0f0da0be5669a5ed85c99695737a304 2d3e189b1e137a2f6cd70fef2fb91ea2dcf92ffa8f4669f8df0cabd5ecbb4d48 359b98632577507b103da0d4ff145e4db7d3a5d2dda2ca37c7d262e5bbd348b9 3ee21210560ea2fd7d2fcf2b2447836b8bc4074b7231fb896852650e76d78eaf 4345df8337a451f9f93fbca70c995a4010445361376013beedce950c0a714f0f 45ea008f432728955aaf2178889bac21866970208bd2c91f325b33c87394e957 4d0c3453d16c5b6889f1f2d60e13c685fd931589040840c9a19ead43496cca2f 4fcc1bdef68f2c8faff38761a5c9ca160c9cebd942b00ac920f605119771774c 4fd51fa019a71b648a167935479589cfc99d4071753d47c03fad0e27438b50cd 52986ada0835e3680df5f8bd84a87f6197d4897f4b941e0f3d67e9d0bd304bd2 529c7a90435d28b1bfaa712ff010c80e953ba94963166b83a5999c36540f93b1 5a58119f1e8bcbba381184c41e00d8d8f333ffec921996ca8641fc2e27335432 5af088d7e60b29f97097f6b9591f8e1f0de6fc009ac050715e5908f1d68e5642 5bbc4e75654fd2172777fdd99ccd355b75f3ca24d53773a37e5147c05793a1f0
*See JSON for more IOCs

Coverage

Product Protection
Secure Endpoint This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Trojan.Zegost-9944345-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 69 samples
Registry Keys Occurrences
<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\159 40
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\FASTUSERSWITCHINGCOMPATIBILITY, Value Name: Start 39
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\FASTUSERSWITCHINGCOMPATIBILITY, Value Name: ImagePath 39
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\FASTUSERSWITCHINGCOMPATIBILITY, Value Name: WOW64 39
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\FASTUSERSWITCHINGCOMPATIBILITY, Value Name: ObjectName 39
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\FASTUSERSWITCHINGCOMPATIBILITY, Value Name: Type 39
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\FASTUSERSWITCHINGCOMPATIBILITY, Value Name: Description 39
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\ACTIVEMOVIE\DEVENUM, Value Name: Version 39
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\FASTUSERSWITCHINGCOMPATIBILITY\PARAMETERS, Value Name: Module 39
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\COMFASTUSERSWITCHINGCOMPATIBILITY70, Value Name: Description 39
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\FASTUSERSWITCHINGCOMPATIBILITY, Value Name: dElEtEflAG 39
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\FASTUSERSWITCHINGCOMPATIBILITY, Value Name: ErrorControl 39
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\FASTUSERSWITCHINGCOMPATIBILITY, Value Name: FailureActions 39
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\FASTUSERSWITCHINGCOMPATIBILITY\PARAMETERS 39
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\FASTUSERSWITCHINGCOMPATIBILITY 39
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\ACTIVEMOVIE 39
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\ACTIVEMOVIE\DEVENUM 39
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\COMFASTUSERSWITCHINGCOMPATIBILITY70 39
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\FASTUSERSWITCHINGCOMPATIBILITY, Value Name: DisplayName 39
<HKLM>\SOFTWARE\WOW6432NODE\DFBQWKFXSB, Value Name: servicemaiN 1
<HKLM>\SOFTWARE\WOW6432NODE\DFBQWKFXSB, Value Name: serviceDlL 1
<HKLM>\SOFTWARE\WOW6432NODE\DFBQWKFXSB, Value Name: module 1
<HKLM>\SOFTWARE\WOW6432NODE\EIHPHWCOYY 1
<HKLM>\SOFTWARE\WOW6432NODE\EIHPHWCOYY, Value Name: servicemaiN 1
<HKLM>\SOFTWARE\WOW6432NODE\EIHPHWCOYY, Value Name: serviceDlL 1
Mutexes Occurrences
eed3bd3a-a1ad-4e99-987b-d7cb3fcfa7f0 - S-1-5-18 39
Global\b-1759044459_2012j 39
Global\1708c5a1-bc93-11ec-b5f8-00501e3ae7b6 1
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
149[.]28[.]39[.]151 39
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
wpad[.]example[.]org 65
conf[.]f[.]qh-lb[.]com 64
computer[.]example[.]org 62
conf[.]f[.]360[.]cn 39
gbwd[.]hmjxjn[.]com 39
vmss-prod-seas[.]southeastasia[.]cloudapp[.]azure[.]com 17
vmss-prod-eus[.]eastus[.]cloudapp[.]azure[.]com 15
vmss-prod-weu[.]westeurope[.]cloudapp[.]azure[.]com 13
www[.]msftncsi[.]com 2
Files and/or directories created Occurrences
%ProgramFiles(x86)%\StormII 39
%ProgramFiles(x86)%\StormII\%SESSIONNAME% 39
\<random, matching [a-z]{7,15}> 16
%SystemRoot%\SysWOW64\yynodukngm 13
\fhytubgidr 9
\filycpdkcx 8
%SystemRoot%\SysWOW64\yqyvuripsr 8
%SystemRoot%\SysWOW64\yhbilxnlsh 7
\ecxbwdgcos 6
\fohnepjmxs 6
\fekkxwhilf 5
%SystemRoot%\SysWOW64\bjlmdboddh 4
%SystemRoot%\SysWOW64\aovbtseiyb 3
%SystemRoot%\SysWOW64\yppbtbpjgd 2
%SystemRoot%\SysWOW64\apxlyqidlt 2
%SystemRoot%\SysWOW64\awjtcvggmw 2
\Users\user\glejtcydml 2
\Users\user\glejtcydml:Zone.Identifier 2
\Users\user\jorcsjcinh 2
\Users\user\jorcsjcinh:Zone.Identifier 2
\Users\user\kgdivufblf 2
\Users\user\kgdivufblf:Zone.Identifier 2
%SystemRoot%\SysWOW64\rwrnswjdvg 2
%TEMP%\whjsbbernj.dat 1
%TEMP%\njqxjkqphs.dat 1
*See JSON for more IOCs

File Hashes

01a779215e4d35a10112cb8511546d44e0ed09c0c07c45d27e0c0f3a5e3ce7f1 02efc66bb4e3c2e14c7df7644325d215be41d8139eed12dd3404658ca9fd592d 03850eeb28ebd672968037eee12058034ac4707dc769e29bea413ee35be15113 03a5bdd18cd5d305d392d0d5bf787324346a20cc81b683d43a7152228777be78 04cd27985d8905443484714589cb011d64cdaa1c467f244caa6f733711ab1621 05926960be90a69d40fdfc8bb5f5e233f6c2e43e6028e12686661d49a9a07e10 06b1d0824f83abed6afcdab337e8156e5e12a476dfa1e76d677eafbe9175465d 06c1bf196994fe4bea82eee9061f5508e2f411ac0dbad4d49ac7db385d18437f 0a8d8b590dc5cb8a0cc884d0cef4f106ca17878c4993e21aebe8df248a6e8650 0b007efb88401921742899a5c84ff4f95f053ebca9a46c2aa5b9be35b673a25b 0cc9dfe2b1f34b1405342acd769b1a1ccc10c4d16444fafb64c9a554bc99bf51 0ed7be8f938f1b9ed8f3861bfc8a24ea8103722f763e7157bd07e0e7b5f41c19 10065fde00c728c2f86ce3c493f7e11e07c5d2bd01d78bc50bcc27451aad6e16 10ad4201ab0a8b4e589a82eb39a1a8e73a21fa4b6949eae413d441814996a955 10d35b4f9dd7a30670571fefa5c2c2fef60dd054298088a1500b895283f4cf15 12178037648d75f2b2f2b67688f6cc51e77b65d7aceaa19d6466f3c4131adc36 13a79e861c07a43f98cd35778f8f7fa47e1b64d563f5016e80f42c509a0732f1 1a268b0e9a12ed6c09f147d10f0bcedf62b8b14c82655531ca735a5d49c208e2 1accbd29e0fb5138f228f62a9c10f55e9874d892f31aa641439729cde677f64c 1be6a64b5e232705b749c748781fa81a77c0cdeffe07f9a3c2312f5978711020 1bfd059ea01d76f84215eacc82353acabe378ce6193cb7dfca12db4149902a93 1c32f32213127fbfca688437c0b01d47933810ad6566ef01d90352fbf3888b1a 1c768561ec97f8dc6b16704f7020916af8134976b9264e254b36a3d7a6e180b9 1d15bdca32984afc083a36b7a9dc177ca73b28fd2edfe91a52b8118698e7880e 1d95e4141a47e8eb1b8516fd1701e38832124f16011a696d503a23ad185f24db
*See JSON for more IOCs

Coverage

Product Protection
Secure Endpoint This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Dropper.Formbook-9944286-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 17 samples
Registry Keys Occurrences
<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\159 15
<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\INTELLIFORMS\STORAGE2 1
<HKLM>\SOFTWARE\WOW6432NODE\MOZILLA\MOZILLA FIREFOX 1
<HKLM>\SOFTWARE\WOW6432NODE\MOZILLA\MOZILLA FIREFOX\20.0.1 (EN-US)\MAIN 1
<HKLM>\SOFTWARE\WOW6432NODE\MOZILLA\MOZILLA THUNDERBIRD 1
<HKCU>\SOFTWARE\IUYHG-CNQUL6 1
<HKCU>\SOFTWARE\IUYHG-CNQUL6, Value Name: licence 1
<HKCU>\SOFTWARE\IUYHG-CNQUL6, Value Name: exepath 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN, Value Name: Iwywbzy 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN, Value Name: Jsdpjwg 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN, Value Name: Pahykku 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN, Value Name: Cjiqhgy 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN, Value Name: Wzjjgma 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN, Value Name: Weypqbt 1
<HKCU>\SOFTWARE\2022-10TNV5 1
<HKCU>\SOFTWARE\2022-10TNV5, Value Name: exepath 1
<HKCU>\SOFTWARE\2022-10TNV5, Value Name: licence 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN, Value Name: Zezpbsi 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN, Value Name: Xadwsvm 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN, Value Name: Jpgsqas 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN, Value Name: Gkngpli 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN, Value Name: Hogsygo 1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN, Value Name: HTNTCTG0DHU 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN, Value Name: Gsvozuj 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN, Value Name: Cnjhrkv 1
Mutexes Occurrences
8-3503835SZBFHHZ 1
Remcos_Mutex_Inj 1
O094-12BWX2JKxyZ 1
3L8B461U70EZ33HE 1
-5ORC052W9B28YHZ 1
J10M58T8AHVYX-ED 1
935809RVSYB2Hy4z 1
O4220SB6GX4E0K0K 1
iuyhg-CNQUL6 1
16L80R97WADJxxY4 1
JL8QNOB8WV4WJx8Y 1
S-1-5-21-2580483-9081590734655 1
9M2P0PD01AVUFDyZ 1
2022-10TNV5 1
68636P16AXAVHY9J 1
0N11726CWTU6H25B 1
0P9O879VFA8vVx9K 1
112A172-TSDG0BHZ 1
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
34[.]102[.]136[.]180 5
23[.]227[.]38[.]74 5
13[.]107[.]42[.]13 4
13[.]107[.]43[.]13 3
198[.]54[.]117[.]218 2
198[.]54[.]117[.]210 2
198[.]54[.]117[.]216/31 2
37[.]123[.]118[.]150 2
15[.]197[.]142[.]173 2
142[.]251[.]41[.]19 2
52[.]228[.]36[.]228 2
13[.]104[.]158[.]180 2
112[.]213[.]124[.]70 1
172[.]67[.]215[.]246 1
216[.]218[.]206[.]40 1
104[.]164[.]133[.]180 1
74[.]208[.]236[.]150 1
52[.]20[.]218[.]92 1
104[.]21[.]32[.]128 1
13[.]104[.]158[.]177 1
103[.]147[.]185[.]100 1
44[.]194[.]24[.]167 1
142[.]251[.]40[.]211 1
38[.]63[.]50[.]68 1
217[.]21[.]190[.]139 1
*See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
onedrive[.]live[.]com 9
www[.]hbsckj[.]net 1
www[.]awp[.]email 1
www[.]amelntl[.]net 1
www[.]fabio[.]tools 1
www[.]hdlypx[.]com 1
www[.]lshdkj[.]com 1
www[.]theeastendvoice[.]com 1
www[.]cgbbqllc[.]com 1
www[.]supraforward[.]com 1
www[.]dynwa[.]com 1
www[.]stronyinternetower[.]com 1
www[.]carfik[.]com 1
www[.]5151vip25[.]com 1
www[.]aestheticpls[.]com 1
www[.]bucariito[.]com 1
www[.]jakubkokoszka[.]net 1
www[.]positiontrader[.]club 1
www[.]fujistrek[.]quest 1
www[.]amazonbrickandmortarretail[.]net 1
www[.]ideastax[.]com 1
www[.]nbsze0[.]com 1
www[.]beylikduzuhatunlar[.]com 1
www[.]sauqenta[.]com 1
www[.]cherrythechickenandfriends[.]com 1
*See JSON for more IOCs
Files and/or directories created Occurrences
%ProgramFiles%\Microsoft DN1 7
%PUBLIC%\Libraries\Cdex.bat 7
%PUBLIC%\Libraries\Null 7
%APPDATA%\juhg\uhyg.dat 1
%PUBLIC%\Libraries\Iwywbzy.exe 1
%PUBLIC%\Libraries\yzbwywI.url 1
%PUBLIC%\Libraries\Jsdpjwg.exe 1
%PUBLIC%\Libraries\JsdpjwgO.bat 1
%PUBLIC%\Libraries\Jsdpjwgt.bat 1
%PUBLIC%\Libraries\gwjpdsJ.url 1
%PUBLIC%\Libraries\Pahykku.exe 1
%PUBLIC%\Libraries\PahykkuO.bat 1
%PUBLIC%\Libraries\Pahykkut.bat 1
%PUBLIC%\Libraries\ukkyhaP.url 1
%PUBLIC%\Libraries\Cjiqhgy.exe 1
%PUBLIC%\Libraries\yghqijC.url 1
%PUBLIC%\Libraries\Wzjjgma.exe 1
%PUBLIC%\Libraries\WzjjgmaO.bat 1
%PUBLIC%\Libraries\Wzjjgmat.bat 1
%PUBLIC%\Libraries\amgjjzW.url 1
%PUBLIC%\Libraries\Weypqbt.exe 1
%PUBLIC%\Libraries\WeypqbtO.bat 1
%PUBLIC%\Libraries\Weypqbtt.bat 1
%PUBLIC%\Libraries\tbqpyeW.url 1
%PUBLIC%\Libraries\Zezpbsi.exe 1
*See JSON for more IOCs

File Hashes

0740e382a0c41661aefbd38aa819fa21bc2c14a2cffc6209b361d07dae5cee3d 11a49d25cf098a273e94cfd206a62cec5ce647e946d2e696db28bddbb05b42ce 13362eb5bba08696533b5e3196ca0700ace9291e8f5a969c3c1b83d4d0e4667c 1e35356036799e52aa7c40c2cf4aa8975eadd9fb71446ea2626b1b2a5b31efcd 26b24f28b0173c020071085d65b260207d5856a8a93c1c1acce7d5cca5e8835f 4365d53513b910bfea66669db212ec18f2ba9ab2cf461d140fe42a61b8f0e7e2 47bbde8a83ef8df67fc61f9bf6df87802e31fa8d3a15cc8efe9e3ad1ebcc6fa6 70eb3857b235b6374a891d8d2136506b52e660ed1339921b913af29a0be6e9dc 713114d1dcb9d12994f1cfcb7cc765283cff3f2242ee57cdf15e849e15213a0b 7d60a35b972f1d9341f85029bb2d31244a0075a291507fcf5337f73002fa7e2d a3a2d9a377922a592c46004c66ae748433c1874396168c575a26f744f05b6bf7 bc40f738486b53814c364435be4e8ef8ec4ac584e47360aac29d0d73f12c0037 bd09b7f6ad0ca7e7c74eee9ecab5fd3de92f24529c708370710161847d0861be cb3764453fec3d5302500cc885406c7d905cb3bf50197a84ad9be459d45dde88 dd1e3e11bf3a43ebd5f3c8b877baf458481dd917edca070a98f8b3bfe0d6589c e5a2e93403f1a6df948697530112dd27440a6b0abce3c9b63eaf64dd6dad17bc f43ec67b5158f58273a216cbc49003c55b8f0e6316a3390823348924e38507be

Coverage

Product Protection
Secure Endpoint This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Ransomware.Cerber-9944814-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 31 samples
Registry Keys Occurrences
<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\159 22
Mutexes Occurrences
shell.{381828AA-8B28-3374-1B67-35680555C5EF} 21
Global\<random guid> 5
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
178[.]128[.]255[.]179 21
149[.]202[.]122[.]0/27 21
149[.]202[.]64[.]0/27 20
149[.]202[.]248[.]0/22 20
104[.]20[.]20[.]251 9
104[.]20[.]21[.]251 7
172[.]67[.]2[.]88 5
20[.]189[.]173[.]21 2
172[.]66[.]41[.]18 1
20[.]189[.]173[.]22 1
104[.]208[.]16[.]94 1
209[.]126[.]118[.]124 1
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
wpad[.]example[.]org 27
computer[.]example[.]org 26
api[.]blockcypher[.]com 21
bitaps[.]com 21
btc[.]blockr[.]io 21
vmss-prod-eus[.]eastus[.]cloudapp[.]azure[.]com 9
vmss-prod-seas[.]southeastasia[.]cloudapp[.]azure[.]com 7
vmss-prod-weu[.]westeurope[.]cloudapp[.]azure[.]com 7
clientconfig[.]passport[.]net 4
onedsblobprdwus16[.]westus[.]cloudapp[.]azure[.]com 2
chain[.]so 1
onedsblobprdwus17[.]westus[.]cloudapp[.]azure[.]com 1
onedsblobprdcus16[.]centralus[.]cloudapp[.]azure[.]com 1
acvqxi[.]com 1
aotcye[.]com 1
Files and/or directories created Occurrences
<dir>\_READ_THIS_FILE_<random, matching [A-F0-9]{4,8}>_.hta 24
<dir>\_READ_THIS_FILE_<random, matching [A-F0-9]{4,8}>_.txt 24
<dir>\_READ_THIS_FILE_<random, matching [A-F0-9]{4,8}>_.jpeg 24
%TEMP%\d19ab989 21
%TEMP%\d19ab989\4710.tmp 21
%TEMP%\d19ab989\a35f.tmp 21
%LOCALAPPDATA%\Microsoft\Office\Groove1\System\CSMIPC.dat 21
%TEMP%\tmp<random, matching [A-F0-9]{1,4}>.tmp 21
%TEMP%\tmp<random, matching [A-F0-9]{1,4}>.bmp 21
\Users\user\AppData\Local\Microsoft\Office\15.0\OfficeFileCache\CentralTable.accdb 20
\Users\user\Documents\Documents\resume.docx 20
\Users\user\Documents\Documents\resume.pdf 20
\Users\user\Documents\Documents\resume.rtf 20
\Users\user\Documents\Documents\resume.x.odt 20
\Users\user\Documents\Presentations\Presentation 1.ppt 20
\Users\user\Documents\Presentations\Presentation 1.pptx 20
\Users\user\Documents\Sheets\budget.5.xls 20
\Users\user\Documents\Sheets\budget.xls 20
\Users\user\AppData\Local\Temp\24e2b309\1719.tmp 20
\Users\user\AppData\Local\Temp\24e2b309\4436.tmp 20
\Users\user\Documents\Documents\resume.docm 20
\Users\user\Documents\Documents\resume.dot 20
\Users\user\Documents\Documents\resume.dotm 20
\Users\user\Documents\Documents\resume.dotx 20
\Users\user\Documents\Documents\resume.x.xml 20
*See JSON for more IOCs

File Hashes

02c6a36e44b292f5b1d22dbb1b4d5a579439d224623ee1b4c0c1caceb2f16f6a 0af669cce769dc7c2b0cff2d574d8ed1ba73f836f4bd5013b048cc09dc4426a6 3458612721f225aeee4b474976070ba1f41b17ab08bde13faa0904a76ebabcff 37d9ce68dc0d2c0ae951587257545f3a8f17af009f44ee7789e3aa91826c4b74 3b986b7fd2eab8063df599dfaa7375831364ffc18b49f7edb32d40414fcea26f 47f4a1e92985bdff3ff06ae9d48ebca9298f92ca28607066178220c5e5dec7ca 6206f6ebaec0109c9dc3e9b0d7ec1ed15e7f0642ccf31757c55494b03f63f1ac 63d19c22386e7659362133968e1f571f11f083b2e78e2dcdd1cf5da98f828224 677bd793beda8cbf84df1785df5896b85eccbb36808bd7fe39b2c573fc6f15f1 7048d8c578dd490328cafce671eec2f324495a58d6b6b4449cd62244bc0c5387 72f18931d8dbd1a2559280d553afd5569f36422895eb771ef748047c0e7e57a3 7d721d0e9e209a8ecb18d3baaf0511570d68db70fe4912d72034acbad09685a1 848fcfd0b1646b3edb4a5e6d0041859296046de57691e2aa7dea1e1acbc01623 8e6fa0449256bf9d7f179425a8120312753f5b95a442c85d161ca375932302fa 965b5af826c43ef4b559bd2a2fca8ca32734a4c667d94e90f31289b45ff80c86 a31839107f0e0ec930ea18fee9dff3672870d736dbbaf6e3ea2c2d0c7b2e5906 a5d0889335c679c1ae374e960004f536923849616bda3c36fd2813c849b179ea a8b8bd4876cff6c3645da4b4835860d6253311b5156cb3baaf54ad3ee3e2a14a aa547346a6163b93f2ec8bc3f74fce240adf33134f80677a2e15b6606d9d4adc b7347d9888c585bc8a05d52d0204fea1ae51cfbe6c76a623c5cc3ed137de276b c624adbede90ccb4a61ac7125bef7921e5601c3da9770fb5656f0a5d1029e092 d0639e813ab71b125289f92094803b8becf3cc6ce06060e83e74eb58592eba4a d09c177ad11b37ede495e462a9adc78398e3740039a3e920e894aa84383df01a d9e034e955db9826506e393ee6c5f80e0f452eb4b5b97f3170934fb7898e5a74 e1a112a64249095ac3093952883f046746633321c169299f452026fb7c239681
*See JSON for more IOCs

Coverage

Product Protection
Secure Endpoint This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics This has coverage
Umbrella N/A
WSA This has coverage

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Dropper.Upatre-9944336-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 36 samples
Registry Keys Occurrences
<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\159 36
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
207[.]148[.]248[.]143 36
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
aatextiles[.]com 36
Files and/or directories created Occurrences
%TEMP%\budha.exe 36

File Hashes

04262ed39b2626755887b938fb5c44f4a2a9288de0c65c465879088a367be5b7 047ff0f102294a029e74efeb7d1dd98053ca149383c77a046b74d264bf15af20 05da23bdbe2177164a50d67116c1b7db07e7ac6845e099e7a6541c4daf8b6e15 06ff0f00379a01129abc56b99b8f987f0c69a9d452c0e60320270a9c9f27d86d 0c82c1967cb5ac458d40e77bab1289b0c5d2c245296adea44ac27b5e1ed9059e 0e96385f9ac256a2c0b1038341f2eeffd598177ad29593ab4217e7dc095e605d 1030688471696927c2bd5db64b144dd9616cf7f568e2c8c5ffa69a3ae75132c1 10cfd9d0c24622a03752f70f257af98d66e7f4b7d155b6ffe2b8089bea6b7f2e 183d65da16b08049bccc46aecc85740b6de9abbf7a2bafca4c4764495cd1f01a 19583d45cc828a423fa50b0a154f07867999bd590356d8e0b5b3fda4aba34ff5 1b286997145c64250498594329291ed3c3a7e8cfd96db445bff4665d63176aaf 1be5f03f9fdcdbf8d76501a533a253a704ac35e70874f0d7b0eb32629f79d6d4 1ef5aba4583f69d1805f1e87f06a618ab66248131cd175e1bfa44e6ff1384786 1f94b3e5761ed84b6b570dfb60c25792336e234eefb9de9d26947e104ed63bc0 2049a23fadf2a6b9a41149a869aec85f72876c57447bf10f150915147f442d2b 21fda16fd82258fa62df6cdaec300fc5049971dc7d1a1fb3b87ad643509088df 26c19de8832bddc868f90c79c0e158ab21b7e9ea24127ca02c4d47e5601076fd 2849b3b3354caf3edd15c5e9601a58e27415a3f68f97f2e1bc064eec73b138da 2890cb7a1776dfc48bc97483ee3c1995b3ec78c1aad85d56d4bd17c7a6c93414 2896670d04bbb1b544318d6d1eea870b89d86fd285a64b4646d747fabe485d8e 2a0c29f8f89cb1e2e564b3f24b445ceba0c1dcb2bfff49c73c3a4b2095a92fd9 2ba5aaca3a299d3908913f7cca086298aaf13bf804c2dd57d7d6129347e5748a 34b2be6f923b8bce54cef690a32fd9cd0e308d0b4facb257a685b9a178df2f16 34fd7f61a3b540af93e847635b120e785296c642d79c96c72817f0fc66b56da2 35a9c3addb60ddae771f4505d2db8768f660c89d122d3464097d9eef33ed0fd5
*See JSON for more IOCs

Coverage

Product Protection
Secure Endpoint This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Trojan.Fareit-9944778-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 48 samples
Registry Keys Occurrences
<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\159 48
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SCHEDULE, Value Name: NextAtJobId 42
<HKCU>\SOFTWARE\WINRAR 42
<HKCU>\SOFTWARE\WINRAR, Value Name: HWID 42
<HKLM>\SAM\SAM\DOMAINS\ACCOUNT\USERS\000003E9, Value Name: F 42
<HKLM>\SAM\SAM\DOMAINS\ACCOUNT\USERS\000001F5, Value Name: F 42
<HKLM>\SAM\SAM\DOMAINS\ACCOUNT\USERS\000003EC, Value Name: F 42
<HKCU>\SOFTWARE\Z 37
<HKCU>\SOFTWARE\Z\RECENT FILE LIST 37
<HKCU>\SOFTWARE\Z\SETTINGS 37
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON, Value Name: shell 1
Mutexes Occurrences
Global\<random guid> 48
85485515 44
UACMutexxxxx 42
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
20[.]189[.]173[.]22 2
52[.]182[.]143[.]212 1
20[.]42[.]73[.]29 1
104[.]208[.]16[.]94 1
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
wpad[.]example[.]org 46
computer[.]example[.]org 43
vkwoucy[.]pw 31
sdideme[.]pw 31
vmss-prod-eus[.]eastus[.]cloudapp[.]azure[.]com 19
vmss-prod-seas[.]southeastasia[.]cloudapp[.]azure[.]com 14
xirukitu[.]pw 11
ckimajuy[.]pw 11
rosatip[.]pw 11
vmss-prod-weu[.]westeurope[.]cloudapp[.]azure[.]com 10
clientconfig[.]passport[.]net 5
windowsupdatebg[.]s[.]llnwi[.]net 3
onedsblobprdwus17[.]westus[.]cloudapp[.]azure[.]com 2
onedsblobprdcus15[.]centralus[.]cloudapp[.]azure[.]com 1
onedsblobprdeus15[.]eastus[.]cloudapp[.]azure[.]com 1
onedsblobprdcus16[.]centralus[.]cloudapp[.]azure[.]com 1
zzoygsulaeli[.]com 1
qcmldfo[.]com 1
micnetwork100[.]com 1
xuuvbrhkevi[.]com 1
vbtlnzluxcyioi[.]com 1
oygsulaeliaa[.]com 1
tor-connect-secure[.]com 1
fieoarrzfvi[.]com 1
network-dnsspace[.]com 1
*See JSON for more IOCs
Files and/or directories created Occurrences
%System32%\drivers\etc\hosts 42
%System32%\Tasks\At1 42
%SystemRoot%\Tasks\At1.job 42
%System32%\drivers\etc\hosts.sam 42
%SystemRoot%\SelfNotepad.exe 42
%TEMP%\371893187 2
%TEMP%\371894981 2
%TEMP%\371895340 2
%APPDATA%\skype.dat 1
%TEMP%\rhmrszrphk.pre 1
%TEMP%\371895090 1
%TEMP%\371892298 1
%TEMP%\371895746 1
%TEMP%\371892906 1
%TEMP%\371894669 1
%TEMP%\371894030 1
%TEMP%\371893998 1
%TEMP%\371894108 1
%TEMP%\371893499 1
%TEMP%\371893562 1
%TEMP%\371892844 1
%TEMP%\371896058 1
%TEMP%\371894451 1
%TEMP%\371895730 1
%TEMP%\371896167 1
*See JSON for more IOCs

File Hashes

020068017f1f40595fc03344e59414b7fc606a6f92ab63b088ac0995eee272b4 0275e077882d97349eeafa966d9d8b24c3b8b821c1d1ba5a94e1a603b9342086 05cb3c02a56b9e88601290a0451fef44d817517cf49e6145f3d5319fe7d07ac2 0a79838e89cc670429ff1aa7db9e20e3f838ff59901129896b292c4c70b12875 1060f9796eeb053c3b7a67edf88ff7b33ce83d92410a58a8aab7f5dbfdc72936 12e605dfd33e68e663a4db6629675a699c661461c3e48aff6d271e257f177d22 13d0eff9f710d256af961d391fcc94f007c029bcf71ad0b0a354aa6908a6c50e 16b1639f5ac41b0f9e8f846bf7930e041ba0a61f95f16cb9a809d791b87d08c6 1aa883b64cf541198a9d13b6846777131cf8938f4997230a0043b82cee0d0585 2ba23e4c7db7aa0de83d5cde1e8aadaa05f105353a02a68eb7ff87e6f0c6265d 31b7439894f33eeafdfa44fa1225d78b9d54f70c8da343605f3c20d6a842efa0 35dd39dfd253e7b40de2ac652547f1158712c71b98ef26d66d24ee6cc9fcc11b 376a2b3de0d6c40f7c48e135add3345070089d5a2921ab78e148a5dbf96b788b 38924cd6ac1cf2e20dd38ec5b84aab8deb1642929899879255feee54b4efcabd 45a3801408c3520f58fba1aa2bd8636448b75022b96b0af1377b930f77807cfd 485cdf46a93e5b37b4aadbf5d8a2589afd9fd6d6398d6ffcf936f71b4fefaba4 493cd1f281f660cfaca59d44f5b542086a9d02b9167e6e4f9d6d339786c1c5ca 4b156532190c11573cc086fbecbccde9e9c16e76053093cab9dc204d060a0f72 5452a932699000c728b8e9c7a0359244ae9edb5bcda26cc242abe86838444058 54fa762e6c6ea2b739b680aae27f232b28c8ac2d98b92aee1ee5c3025a2c7f57 557df8e22c7ca92520bfcef789da472d0fd19da277c7d200b38ce9095d712ad3 57b68e7c4c19ce2db5b5f59ad801b7b2193f1f7dd3f480267c67e8376ec13014 57c8224acd53a9ae45fd6de271552038a13ef8d53eba47416a65505f104b2eca 601a8aed6b10d7f57c3604fdbfb1eabfdc27476dff030a1d20210007155a32d1 62a467a87f61a97f61db6c7ede969fd37c1dcb042456e2c077d77bb92b85277e
*See JSON for more IOCs

Coverage

Product Protection
Secure Endpoint This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Trojan.Zbot-9944779-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 25 samples
Registry Keys Occurrences
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\DIRECT3D, Value Name: LA 25
<HKCU>\SOFTWARE\LOCAL APPWIZARD-GENERATED APPLICATIONS 25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SCHEDULE, Value Name: NextAtJobId 25
<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\159 25
<HKCU>\SOFTWARE\LOCAL APPWIZARD-GENERATED APPLICATIONS\S0 25
<HKCU>\SOFTWARE\LOCAL APPWIZARD-GENERATED APPLICATIONS\S0\RECENT FILE LIST 25
<HKCU>\SOFTWARE\LOCAL APPWIZARD-GENERATED APPLICATIONS\S0\SETTINGS 25
Mutexes Occurrences
85485515 25
Global\hfdjfodfjd 25
Global\dasjfoisajfodsjf 25
Global\e2jor3j 25
Global\fjoidsfjodfj 25
Global\fdsjofidjfoidjfad 25
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
94[.]228[.]209[.]132 25
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
*See JSON for more IOCs
Files and/or directories created Occurrences
%System32%\Tasks\At25 25
%System32%\Tasks\At26 25
%System32%\Tasks\At27 25
%System32%\Tasks\At28 25
%System32%\Tasks\At29 25
%System32%\Tasks\At30 25
%System32%\Tasks\At31 25
%System32%\Tasks\At32 25
%System32%\Tasks\At33 25
%System32%\Tasks\At34 25
%System32%\Tasks\At35 25
%System32%\Tasks\At36 25
%System32%\Tasks\At37 25
%System32%\Tasks\At38 25
%System32%\Tasks\At39 25
%System32%\Tasks\At40 25
%System32%\Tasks\At41 25
%System32%\Tasks\At42 25
%System32%\Tasks\At43 25
%System32%\Tasks\At44 25
%System32%\Tasks\At45 25
%System32%\Tasks\At46 25
%System32%\Tasks\At47 25
%System32%\Tasks\At48 25
%SystemRoot%\Tasks\At25.job 25
*See JSON for more IOCs

File Hashes

*See JSON for more IOCs

Coverage

Product Protection
Secure Endpoint This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

Secure Endpoint: [detection screenshot]

Secure Malware Analytics: [detection screenshot]

MITRE ATT&CK: [technique heat map image]

Win.Downloader.Banload-9944679-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 25 samples
Registry Keys Occurrences
<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\159 25
<HKCU>\FRMPRINCIPAL 25
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE (Value Name: avgtrail) 25
Mutexes Occurrences
Global\<random guid> 25
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
5[.]57[.]226[.]202 13
107[.]152[.]27[.]193 6
208[.]75[.]230[.]46 4
174[.]120[.]59[.]187 2
174[.]120[.]59[.]189 2
107[.]152[.]27[.]201 1
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
Files and/or directories created Occurrences
%SystemRoot%\SysWOW64\service 25
%SystemRoot%\SysWOW64\service\dhuidjkqwld 25
%SystemRoot%\SysWOW64\service\dsanuix.dll 13
*See JSON for more IOCs

File Hashes

*See JSON for more IOCs

Coverage

Product Protection
Secure Endpoint This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

Secure Endpoint: [detection screenshot]

Secure Malware Analytics: [detection screenshot]

MITRE ATT&CK: [technique heat map image]

Win.Trojan.Miner-9944721-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 25 samples
Registry Keys Occurrences
<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\159 25
Mutexes Occurrences
4pC39Ev2yuzFY8izw76DGDJR 25
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
185[.]10[.]68[.]220 13
185[.]10[.]68[.]123 12
91[.]211[.]89[.]29 6
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
eu[.]minerpool[.]pw 25

File Hashes

*See JSON for more IOCs

Coverage

Product Protection
Secure Endpoint This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection

Secure Endpoint: [detection screenshot]

Secure Malware Analytics: [detection screenshot]

MITRE ATT&CK: [technique heat map image]