Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Feb. 28 and March 6. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, it summarizes the threats we've observed by highlighting key behavioral characteristics and indicators of compromise, and by discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.


For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. As always, please remember that all IOCs contained in this document are indicators, and one single IOC does not indicate maliciousness.

The most prevalent threats highlighted in this roundup are:

Threat Name | Type | Description
Win.Dropper.Emotet-7600941-0 | Dropper | Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a wide variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails.
Win.Downloader.Upatre-7601201-0 | Downloader | Upatre is a malicious downloader often used by exploit kits and phishing campaigns. Upatre downloads and executes malicious executables, such as banking malware.
Win.Malware.Kovter-7601670-0 | Malware | Kovter is known for its fileless persistence mechanism. This family of malware creates several malicious registry entries which store its malicious code. Kovter is capable of reinfecting a system, even if the file system has been cleaned of the infection. Kovter has been used in the past to spread ransomware and click-fraud malware.
Win.Malware.Trickbot-7603048-1 | Malware | Trickbot is a banking trojan targeting sensitive information for certain financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB scripts.
Win.Malware.Nymaim-7602109-1 | Malware | Nymaim is malware that can be used to deliver ransomware and other malicious payloads. It uses a domain generation algorithm to generate potential command and control (C2) domains to connect to additional payloads.
Win.Packed.Bifrost-7603033-1 | Packed | Bifrost is a backdoor with more than 10 variants. Bifrost uses the typical server, server builder, and client backdoor program configuration to allow a remote attacker, who uses the client, to execute arbitrary code on the compromised machine. Bifrost contains standard RAT features including a file manager, screen capture utility, keylogging, video recording, microphone and camera monitoring, and a process manager. Bifrost uses a mutex that may be named "Bif1234," or "Tr0gBot" as signs that it's been successful.
Win.Packed.Tofsee-7603095-1 | Packed | Tofsee is multi-purpose malware that features a number of modules used to carry out various activities such as sending spam messages, conducting click fraud, mining cryptocurrency, and more. Infected systems become part of the Tofsee spam botnet and are used to send large volumes of spam messages in an effort to infect additional systems and increase the overall size of the botnet under the operator's control.
Win.Ransomware.Nemty-7603722-1 | Ransomware | Nemty is ransomware that encrypts files and demands payment in Bitcoin for files to be recovered.
Win.Trojan.Gh0stRAT-7603864-1 | Trojan | Gh0stRAT is a well-known family of remote access trojans designed to provide an attacker with complete control over an infected system. Capabilities include monitoring keystrokes, collecting video footage from the webcam, and uploading/executing follow-on malware. The source code for Gh0stRAT has been publicly available on the Internet for years, significantly lowering the barrier for actors to modify and reuse the code in new attacks.

Threat Breakdown

Win.Dropper.Emotet-7600941-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 15 samples
Registry Keys | Occurrences
Mutexes | Occurrences
Global\I98B68E3C | 15
Global\M98B68E3C | 15
IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
Files and/or directories created | Occurrences

File Hashes


Coverage

Product | Protection
AMP | This has coverage
Cloudlock | N/A
CWS | This has coverage
Email Security | This has coverage
Network Security | This has coverage
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Threat Grid | This has coverage
Umbrella | N/A
WSA | This has coverage


Win.Downloader.Upatre-7601201-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 15 samples
IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
181[.]143[.]164[.]189 | 1
Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
grupodolcearte[.]com | 15
Files and/or directories created | Occurrences
%TEMP%\vitra.exe | 15

File Hashes


Coverage

Product | Protection
AMP | This has coverage
Cloudlock | N/A
CWS | This has coverage
Email Security | This has coverage
Network Security | N/A
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Threat Grid | This has coverage
Umbrella | N/A
WSA | N/A



Win.Malware.Kovter-7601670-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 25 samples
Registry Keys | Occurrences
Mutexes | Occurrences
IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences

*See JSON for more IOCs

Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
maxcdn[.]bootstrapcdn[.]com | 1
cpanel[.]com | 1
certificates[.]godaddy[.]com | 1
crt[.]sectigo[.]com | 1
qdrtjvht[.]cn | 1
Files and/or directories created | Occurrences

*See JSON for more IOCs

File Hashes


*See JSON for more IOCs

Coverage

Product | Protection
AMP | This has coverage
Cloudlock | N/A
CWS | This has coverage
Email Security | This has coverage
Network Security | N/A
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Threat Grid | This has coverage
Umbrella | N/A
WSA | N/A



Win.Malware.Trickbot-7603048-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 18 samples
Mutexes | Occurrences
Global\VLock | 18
SafeGuard | 18
IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences

*See JSON for more IOCs

Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
Files and/or directories created | Occurrences
%APPDATA%\winapp\Modules | 18
%System32%\Tasks\services update | 18
%APPDATA%\winapp\client_id | 18
%APPDATA%\winapp\group_tag | 18
%APPDATA%\winapp | 18
%APPDATA%\WINAPP\<original file name>.exe | 18
%SystemRoot%\Tasks\services update.job | 14

File Hashes


Coverage

Product | Protection
AMP | This has coverage
Cloudlock | N/A
CWS | This has coverage
Email Security | This has coverage
Network Security | N/A
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Threat Grid | This has coverage
Umbrella | N/A
WSA | N/A



Win.Malware.Nymaim-7602109-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 25 samples
Registry Keys | Occurrences
<HKCU>\SOFTWARE\MICROSOFT\GOCFK | 25
<HKCU>\SOFTWARE\MICROSOFT\GOCFK, Value Name: mbijg | 25
Mutexes | Occurrences
Domain Names contacted by malware. Does not indicate maliciousness | Occurrences

*See JSON for more IOCs

Files and/or directories created | Occurrences

File Hashes


*See JSON for more IOCs

Coverage

Product | Protection
AMP | This has coverage
Cloudlock | N/A
CWS | This has coverage
Email Security | This has coverage
Network Security | This has coverage
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Threat Grid | This has coverage
Umbrella | This has coverage
WSA | This has coverage



Win.Packed.Bifrost-7603033-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 25 samples
Mutexes | Occurrences
Bif1234 | 17
0ok3s | 11
explore | 1
shhhhd | 1
run | 1
dll | 1
IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
79[.]210[.]124[.]47 | 1
50[.]22[.]169[.]26 | 1
Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
hh[.]servecounterstrike[.]com | 1
dzalgerdz[.]no-ip[.]org | 1
Files and/or directories created | Occurrences

File Hashes


*See JSON for more IOCs

Coverage

Product | Protection
AMP | This has coverage
Cloudlock | N/A
CWS | This has coverage
Email Security | This has coverage
Network Security | This has coverage
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Threat Grid | This has coverage
Umbrella | This has coverage
WSA | This has coverage



Win.Packed.Tofsee-7603095-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 26 samples
Registry Keys | Occurrences
IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences

*See JSON for more IOCs

Domain Names contacted by malware. Does not indicate maliciousness | Occurrences

*See JSON for more IOCs

Files and/or directories created | Occurrences
%SystemRoot%\SysWOW64\config\systemprofile | 26
%SystemRoot%\SysWOW64\config\systemprofile:.repos | 26
%TEMP%\<random, matching '[a-z]{8}'>.exe | 26
%SystemRoot%\SysWOW64\<random, matching '[a-z]{8}'> | 25
%System32%\<random, matching '[a-z]{8}\[a-z]{6,8}'>.exe (copy) | 21
%TEMP%\wvlhokp.exe | 1
%TEMP%\poeahdi.exe | 1

File Hashes


*See JSON for more IOCs

Coverage

Product | Protection
AMP | This has coverage
Cloudlock | N/A
CWS | This has coverage
Email Security | This has coverage
Network Security | This has coverage
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Threat Grid | This has coverage
Umbrella | This has coverage
WSA | This has coverage



Win.Ransomware.Nemty-7603722-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 15 samples
Registry Keys | Occurrences
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS MESSAGING SUBSYSTEM\PROFILES\OUTLOOK\9E71065376EE7F459F30EA2534981B83 3
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS MESSAGING SUBSYSTEM\PROFILES\OUTLOOK\A88F7DCF2E30234E8288283D75A65EFB 3
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS MESSAGING SUBSYSTEM\PROFILES\OUTLOOK\C02EBC5353D9CD11975200AA004AE40E 3
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS MESSAGING SUBSYSTEM\PROFILES\OUTLOOK\D33FC3B19A738142B2FC0C56BD56AD8C 3
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS MESSAGING SUBSYSTEM\PROFILES\OUTLOOK\DDB0922FC50B8D42BE5A821EDE840761 3
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS MESSAGING SUBSYSTEM\PROFILES\OUTLOOK\DF18513432D1694F96E6423201804111 3
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS MESSAGING SUBSYSTEM\PROFILES\OUTLOOK\ECD15244C3E90A4FBD0588A41AB27C55 3
Mutexes | Occurrences
8-3503835SZBFHHZ 3
Global\<<BID>>98B68E3C00000000 1
Global\<<BID>>98B68E3C00000001 1
K41BS5D2301JFDHG 1
S-1-5-21-2580483-10603899367670 1
6Q9114S7BUVv1I9Z 1
L157BD647S7vKCZY 1
S-1-5-21-2580483-10602865790989 1
S-1-5-21-2580483-888606054490 1
S-1-5-21-2580483-10602417393080 1
da mne pohui chto tebe tam bol'no... dlya menya veshica i ne bolee... 1
S-1-5-21-2580483-14842513634586 1
S-1-5-21-2580483-1924291306070 1
IP Addresses contacted by malware. Does not indicate maliciousness

*See JSON for more IOCs

Domain Names contacted by malware. Does not indicate maliciousness

*See JSON for more IOCs

Files and/or directories created | Occurrences
\$Recycle.Bin\<user SID>\$<random, matching '[A-Z0-9]{7}'>.txt 1
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\desktop.ini.id[98B68E3C-2275].[checkcheck07@qq.com].Adame 1
%HOMEPATH%\subfolder1\filename1.exe 1
%HOMEPATH%\subfolder1\filename1.vbs 1
%HOMEPATH%\Subla\Mot1.exe 1
%HOMEPATH%\Subla\Mot1.vbs 1
%HOMEPATH%\ecstas\Toxino7.exe 1
%HOMEPATH%\ecstas\Toxino7.vbs 1
%APPDATA%\NEMTY_U1XTAJZ-DECRYPT.txt 1
%HOMEPATH%\Desktop\NEMTY_U1XTAJZ-DECRYPT.txt 1
%HOMEPATH%\Documents\NEMTY_U1XTAJZ-DECRYPT.txt 1
%HOMEPATH%\Downloads\NEMTY_U1XTAJZ-DECRYPT.txt 1
%HOMEPATH%\Favorites\NEMTY_U1XTAJZ-DECRYPT.txt 1
%HOMEPATH%\Favorites\Windows Live\NEMTY_U1XTAJZ-DECRYPT.txt 1
%HOMEPATH%\Links\NEMTY_U1XTAJZ-DECRYPT.txt 1
%HOMEPATH%\Local Settings\NEMTY_U1XTAJZ-DECRYPT.txt 1
%HOMEPATH%\NEMTY_U1XTAJZ-DECRYPT.txt 1
%HOMEPATH%\NetHood\NEMTY_U1XTAJZ-DECRYPT.txt 1
%HOMEPATH%\PrintHood\NEMTY_U1XTAJZ-DECRYPT.txt 1
%HOMEPATH%\Recent\NEMTY_U1XTAJZ-DECRYPT.txt 1
%HOMEPATH%\Saved Games\NEMTY_U1XTAJZ-DECRYPT.txt 1
%HOMEPATH%\Searches\NEMTY_U1XTAJZ-DECRYPT.txt 1
%HOMEPATH%\SendTo\NEMTY_U1XTAJZ-DECRYPT.txt 1
%HOMEPATH%\Start Menu\NEMTY_U1XTAJZ-DECRYPT.txt 1
%HOMEPATH%\Templates\NEMTY_U1XTAJZ-DECRYPT.txt 1

*See JSON for more IOCs

File Hashes


Coverage

Product | Protection
AMP | This has coverage
Cloudlock | N/A
CWS | This has coverage
Email Security | This has coverage
Network Security | This has coverage
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Threat Grid | This has coverage
Umbrella | This has coverage
WSA | This has coverage


Win.Trojan.Gh0stRAT-7603864-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 20 samples
Registry Keys | Occurrences
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: SelfRunDemo) 17
Mutexes | Occurrences
127.0.0.1 2
101.200.58.177 2
117.78.50.197 2
112.74.75.143 2
210.222.25.223 1
192.168.99.25 1
118.125.192.112 1
60.190.216.225 1
w1464642840.f3322.org 1
www.cq52.top 1
xiaoxinzadan.gicp.net 1
113.214.1.34 1
69.165.69.98 1
IP Addresses contacted by malware. Does not indicate maliciousness
Domain Names contacted by malware. Does not indicate maliciousness

File Hashes


Coverage

Product | Protection
AMP | This has coverage
Cloudlock | N/A
CWS | This has coverage
Email Security | This has coverage
Network Security | N/A
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Threat Grid | This has coverage
Umbrella | N/A
WSA | N/A


Exploit Prevention

Cisco AMP for Endpoints protects users from a variety of malware functions with exploit prevention. Exploit prevention helps users defend endpoints from memory attacks commonly used by obfuscated malware and exploits. These exploits use certain features to bypass typical anti-virus software, but were blocked by AMP thanks to its advanced scanning capabilities, even protecting against zero-day vulnerabilities.

CVE-2019-0708 detected - (3886)
An attempt to exploit CVE-2019-0708 has been detected. The vulnerability, dubbed BlueKeep, is a heap memory corruption which can be triggered by sending a specially crafted Remote Desktop Protocol (RDP) request. Since this vulnerability can be triggered without authentication and allows remote code execution, it can be used by worms to spread automatically without human interaction.
Process hollowing detected - (189)
Process hollowing is a technique used by some programs to avoid static analysis. In typical usage, a process is started and its obfuscated or encrypted contents are unpacked into memory. The parent then manually sets up the first stages of launching a child process, but before launching it, the memory is cleared and filled in with the memory from the parent instead.
Gamarue malware detected - (120)
Gamarue is a family of malware that can download files and steal information from an infected system. Worm variants of the Gamarue family may spread by infecting USB drives or portable hard disks that have been plugged into a compromised system.
Excessively long PowerShell command detected - (117)
A PowerShell command with a very long command line argument, which may indicate an obfuscated script, has been detected. PowerShell is an extensible Windows scripting language present on all versions of Windows. Malware authors use PowerShell in an attempt to evade security software or other monitoring that is not tuned to detect PowerShell-based threats.
Installcore adware detected - (95)
InstallCore is an installer which bundles legitimate applications with offers for additional third-party applications that may be unwanted. The unwanted applications are often adware that displays advertising in the form of popups or by injecting into browsers and adding or altering advertisements on webpages. Adware is known to sometimes download and install malware.
Kovter injection detected - (73)
A process was injected into, most likely by an existing Kovter infection. Kovter is a click-fraud Trojan that can also act as an information stealer. Kovter is also fileless malware, meaning the malicious DLL is stored inside the Windows registry and injected directly into memory using PowerShell. It can detect the use of monitoring software such as Wireshark, as well as sandboxes, and report it to its C2. It spreads through malicious advertising and spam campaigns.
Dealply adware detected - (59)
DealPly is adware, which claims to improve your online shopping experience. It is often bundled into other legitimate installers and is difficult to uninstall. It creates pop-up advertisements and injects advertisements on webpages. Adware has also been known to download and install malware.
Fusion adware detected - (13)
Fusion (or FusionPlayer) is an adware family that displays unwanted advertising in the form of popups or by injecting into browsers and altering advertisements on webpages. Adware is known to sometimes download and install malware.
Corebot malware detected - (12)
Corebot is a Trojan with many capabilities found in other prominent families. It features a plugin system to enable it to load a variety of features from the C&C server at any time. Known plugins include RAT capabilities such as taking desktop screenshots, as well as being able to intercept and modify browser communications and steal data, especially data related to banking.
A Microsoft Office process has started a Windows utility. - (10)
A process associated with Microsoft Office, such as EXCEL.exe or WINWORD.exe, has started a Windows utility such as powershell.exe or cmd.exe. This is typical behavior of malicious documents executing additional scripts. This behavior is extremely suspicious and is associated with many different malware campaigns and families.
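
The Office-parent and long-PowerShell detections described above can be expressed as checks over process-creation telemetry. The following is an added example, not Talos or AMP code; the event field names, the length threshold and the sample events are assumptions constructed for illustration.

```python
import ntpath

# Process names are the examples given in the text; the field names, the
# threshold and the events are constructed assumptions, not AMP internals.
OFFICE_PARENTS = {"excel.exe", "winword.exe"}
WINDOWS_UTILITIES = {"powershell.exe", "cmd.exe"}
MAX_PS_CMDLINE = 1000  # hypothetical cut-off for "excessively long"

def image_name(path):
    """Lower-cased file name of a Windows image path, surrounding quotes removed."""
    return ntpath.basename(path.strip().strip('"')).lower()

def evaluate(event):
    """Return the names of the rules a single process-creation event triggers."""
    parent = image_name(event.get("parent_image", ""))
    child = image_name(event.get("image", ""))
    hits = []
    if parent in OFFICE_PARENTS and child in WINDOWS_UTILITIES:
        hits.append("office_started_windows_utility")
    if child == "powershell.exe" and len(event.get("command_line", "")) > MAX_PS_CMDLINE:
        hits.append("excessively_long_powershell_command")
    return hits

def triage(events):
    """Return (event id, rule names) for every event that triggers a rule."""
    results = [(e["id"], evaluate(e)) for e in events]
    return [(eid, hits) for eid, hits in results if hits]

OFFICE = r"C:\Program Files\Microsoft Office\Office16"
SYS32 = r"C:\Windows\System32"
PS = SYS32 + r"\WindowsPowerShell\v1.0\powershell.exe"
LONG_ARG = "A" * 4000  # stand-in for a long encoded argument

# Constructed sample events (not taken from the post).
SAMPLE_EVENTS = [
    {"id": 1, "parent_image": OFFICE + r"\WINWORD.EXE",
     "image": SYS32 + r"\cmd.exe", "command_line": "cmd.exe /c dir"},
    {"id": 2, "parent_image": r"C:\Windows\explorer.exe",
     "image": PS, "command_line": "powershell.exe -EncodedCommand " + LONG_ARG},
    {"id": 3, "parent_image": '"' + OFFICE + r'\EXCEL.EXE"',
     "image": PS, "command_line": "powershell.exe -EncodedCommand " + LONG_ARG},
    {"id": 4, "parent_image": OFFICE + r"\WINWORD.EXE",
     "image": SYS32 + r"\splwow64.exe", "command_line": "splwow64.exe 8192"},
    {"id": 5, "parent_image": r"C:\Windows\explorer.exe",
     "image": PS, "command_line": "powershell.exe Get-Date"},
]
```

Event 4 is included because Office legitimately starts helper processes; matching on the child image name rather than on any child of an Office process keeps those out of the results.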