Today, Talos is publishing a glimpse into the most prevalent threats we've observed between April 26 and May 03. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. As always, please remember that all IOCs contained in this document are indicators, and one single IOC does not indicated maliciousness.

The most prevalent threats highlighted in this roundup are:

  • Win.Malware.Shadowbrokers-6958490-0
    Malware
    Uiwix uses ETERNALBLUE and DOUBLEPULSAR to install ransomware on the infected system. Encrypted file names include "UIWIX" as part of the file extension. Unlike the well-known WannaCry ransomware, Uiwix doesn't "worm itself." It only installs itself on the system.
  • Win.Malware.Fareit-6958493-0
    Malware
    The Fareit trojan is primarily an information stealer that downloads and installs other malware.
  • Win.Malware.Ursnif-6957672-0
    Malware
    Ursnif is used to steal sensitive information from an infected host and can also act as a malware downloader. It is commonly spread through malicious emails or exploit kits.
  • Win.Ransomware.Cerber-6957317-0
    Ransomware
    Cerber is ransomware that encrypts documents, photos, databases and other important files using the file extension ".cerber."
  • Win.Dropper.Nymaim-6956636-0
    Dropper
    Nymaim is malware that can be used to deliver ransomware and other malicious payloads. It uses a domain generation algorithm to generate potential command and control (C2) domains to connect to additional payloads.
  • Win.Dropper.Qakbot-6956539-0
    Dropper
    Qakbot, aka Qbot, has been around for since at least 2008. Qbot primarily targets sensitive information like banking credentials but can also steal FTP credentials and spread across a network using SMB.
  • Win.Malware.Tovkater-6956309-0
    Malware
    This malware is able to download and upload files, inject malicious code and install additional malware.
  • Doc.Downloader.Powload-6956274-0
    Downloader
    Powload is a malicious document that uses PowerShell to download malware. This campaign is currently distributing Emotet malware.
  • Win.Dropper.Kovter-6956146-0
    Dropper
    Kovter is known for its fileless persistence mechanism. This family of malware creates several malicious registry entries which store its malicious code. Kovter is capable of reinfecting a system even if the file system has been cleaned of the infection. Kovter has been used in the past to spread ransomware and click-fraud malware.
  • Win.Trojan.Razy-6956092-0
    Trojan
    Razy is oftentimes a generic detection name for a Windows trojan. This cluster of samples contains encrypted code in the resources section that could be injected to a legitimate process.

THREATS

Win.Malware.Shadowbrokers-6958490-0

INDICATORS OF COMPROMISE

Registry KeysOccurrences
<A>\{32DE27EC-AB30-11E8-A007-00501E3AE7B5}\DEFAULTOBJECTSTORE\OBJECTTABLE\ABC\INDEXES\FileIdIndex-{3f37ba64-ef5c-11e4-bb8d-806e6f6e6963}19
<A>\{32DE27EC-AB30-11E8-A007-00501E3AE7B5}\DEFAULTOBJECTSTORE\OBJECTTABLE\AB7
Value Name: _FileId_		19
<A>\{32DE27EC-AB30-11E8-A007-00501E3AE7B5}\DEFAULTOBJECTSTORE\OBJECTTABLE\AB7\INDEXES\FILEIDINDEX-{3F37BA64-EF5C-11E4-BB8D-806E6F6E6963}
Value Name: 100000000928D		19
<A>\{32DE27EC-AB30-11E8-A007-00501E3AE7B5}\DEFAULTOBJECTSTORE\OBJECTTABLE\AB7
Value Name: AeFileID		19
<A>\{32DE27EC-AB30-11E8-A007-00501E3AE7B5}\DEFAULTOBJECTSTORE\OBJECTTABLE\AB8
Value Name: _FileId_		19
<A>\{32DE27EC-AB30-11E8-A007-00501E3AE7B5}\DEFAULTOBJECTSTORE\OBJECTTABLE\AB8\INDEXES\FILEIDINDEX-{3F37BA64-EF5C-11E4-BB8D-806E6F6E6963}
Value Name: 1000000009511		19
<A>\{32DE27EC-AB30-11E8-A007-00501E3AE7B5}\DEFAULTOBJECTSTORE\OBJECTTABLE\AB8
Value Name: AeFileID		19
<A>\{32DE27EC-AB30-11E8-A007-00501E3AE7B5}\DEFAULTOBJECTSTORE\OBJECTTABLE\AB9
Value Name: _FileId_		19
<A>\{32DE27EC-AB30-11E8-A007-00501E3AE7B5}\DEFAULTOBJECTSTORE\OBJECTTABLE\AB9\INDEXES\FILEIDINDEX-{3F37BA64-EF5C-11E4-BB8D-806E6F6E6963}
Value Name: 1000000009362		19
<A>\{32DE27EC-AB30-11E8-A007-00501E3AE7B5}\DEFAULTOBJECTSTORE\OBJECTTABLE\AB9
Value Name: AeFileID		19
<A>\{32DE27EC-AB30-11E8-A007-00501E3AE7B5}\DEFAULTOBJECTSTORE\OBJECTTABLE\ABA
Value Name: _ObjectId_		19
<A>\{32DE27EC-AB30-11E8-A007-00501E3AE7B5}\DEFAULTOBJECTSTORE\OBJECTTABLE\ABA
Value Name: _FileId_		19
<A>\{32DE27EC-AB30-11E8-A007-00501E3AE7B5}\DEFAULTOBJECTSTORE\OBJECTTABLE\ABA
Value Name: _Usn_		19
<A>\{32DE27EC-AB30-11E8-A007-00501E3AE7B5}\DEFAULTOBJECTSTORE\OBJECTTABLE\ABA
Value Name: _UsnJournalId_		19
<A>\{32DE27EC-AB30-11E8-A007-00501E3AE7B5}\DEFAULTOBJECTSTORE\OBJECTTABLE\ABA\INDEXES\FILEIDINDEX-{3F37BA64-EF5C-11E4-BB8D-806E6F6E6963}
Value Name: 1000000009363		19
<A>\{32DE27EC-AB30-11E8-A007-00501E3AE7B5}\DEFAULTOBJECTSTORE\OBJECTTABLE\ABA
Value Name: AeFileID		19
<A>\{32DE27EC-AB30-11E8-A007-00501E3AE7B5}\DEFAULTOBJECTSTORE\OBJECTTABLE\ABA
Value Name: AeProgramID		19
<A>\{32DE27EC-AB30-11E8-A007-00501E3AE7B5}\DEFAULTOBJECTSTORE\OBJECTTABLE\ABB
Value Name: _ObjectId_		19
<A>\{32DE27EC-AB30-11E8-A007-00501E3AE7B5}\DEFAULTOBJECTSTORE\OBJECTTABLE\ABB
Value Name: _FileId_		19
<A>\{32DE27EC-AB30-11E8-A007-00501E3AE7B5}\DEFAULTOBJECTSTORE\OBJECTTABLE\ABB
Value Name: _Usn_		19
<A>\{32DE27EC-AB30-11E8-A007-00501E3AE7B5}\DEFAULTOBJECTSTORE\OBJECTTABLE\ABB
Value Name: _UsnJournalId_		19
<A>\{32DE27EC-AB30-11E8-A007-00501E3AE7B5}\DEFAULTOBJECTSTORE\OBJECTTABLE\ABB\INDEXES\FILEIDINDEX-{3F37BA64-EF5C-11E4-BB8D-806E6F6E6963}
Value Name: 10000000095D4		19
<A>\{32DE27EC-AB30-11E8-A007-00501E3AE7B5}\DEFAULTOBJECTSTORE\OBJECTTABLE\ABB
Value Name: AeFileID		19
<A>\{32DE27EC-AB30-11E8-A007-00501E3AE7B5}\DEFAULTOBJECTSTORE\OBJECTTABLE\ABB
Value Name: AeProgramID		19
<A>\{32DE27EC-AB30-11E8-A007-00501E3AE7B5}\DEFAULTOBJECTSTORE\OBJECTTABLE\ABC
Value Name: _ObjectId_		19
MutexesOccurrences
Global\2f6e8021-6b52-11e9-a007-00501e3ae7b51
Global\2f7cc861-6b52-11e9-a007-00501e3ae7b51
IP Addresses contacted by malware. Does not indicate maliciousnessOccurrences
69[.]55[.]1[.]14618
69[.]55[.]1[.]10018
69[.]55[.]4[.]19618
69[.]55[.]2[.]20118
69[.]55[.]4[.]15518
69[.]55[.]2[.]13118
69[.]55[.]4[.]17918
69[.]55[.]4[.]17818
69[.]55[.]2[.]13018
69[.]55[.]4[.]21718
69[.]55[.]1[.]3618
69[.]55[.]1[.]3718
69[.]55[.]4[.]17118
69[.]55[.]4[.]17018
69[.]55[.]4[.]17318
69[.]55[.]4[.]17218
69[.]55[.]1[.]3018
69[.]55[.]4[.]17418
69[.]55[.]4[.]17718
69[.]55[.]4[.]17618
69[.]55[.]5[.]7518
69[.]55[.]5[.]7418
69[.]55[.]5[.]7918
69[.]55[.]5[.]7818
69[.]55[.]5[.]8118
See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousnessOccurrences
v4[.]ipv6-test[.]com11
sex[.]kuai-go[.]com4
ilo[.]brenz[.]pl1
teetah[.]com1
thmqyo[.]com1
iadaef[.]com1
yvyqyr[.]com1
yyhhwt[.]com1
yoiupy[.]com1
abvyoh[.]com1
evoyci[.]com1
nzooyn[.]com1
niulzo[.]com1
meadgz[.]com1
yxpwly[.]com1
cberyk[.]com1
xuvvie[.]com1
nfgesv[.]com1
rjodmz[.]com1
ygjuju[.]com1
iauany[.]com1
zopkpn[.]com1
ubnuov[.]com1
kroqzu[.]com1
uxmaie[.]com1
See JSON for more IOCs
Files and or directories createdOccurrences
%SystemRoot%\Fonts\Mysql21
%SystemRoot%\Fonts\Mysql\bat.bat21
%SystemRoot%\Fonts\Mysql\Doublepulsar.dll20
%SystemRoot%\Fonts\Mysql\Doublepulsar2.dll20
%SystemRoot%\Fonts\Mysql\Eter.exe20
%SystemRoot%\Fonts\Mysql\Eter.xml20
%SystemRoot%\Fonts\Mysql\Eternalblue.dll20
%SystemRoot%\Fonts\Mysql\Eternalblue2.dll20
%SystemRoot%\Fonts\Mysql\NansHou.dll20
%SystemRoot%\Fonts\Mysql\cmd.bat20
%SystemRoot%\Fonts\Mysql\cnli-1.dll20
%SystemRoot%\Fonts\Mysql\coli-0.dll20
%SystemRoot%\Fonts\Mysql\crli-0.dll20
%SystemRoot%\Fonts\Mysql\dmgd-4.dll20
%SystemRoot%\Fonts\Mysql\exma-1.dll20
%SystemRoot%\Fonts\Mysql\file.txt20
%SystemRoot%\Fonts\Mysql\libeay32.dll20
%SystemRoot%\Fonts\Mysql\libxml2.dll20
%SystemRoot%\Fonts\Mysql\loab.bat20
%SystemRoot%\Fonts\Mysql\load.bat20
%SystemRoot%\Fonts\Mysql\mance.exe20
%SystemRoot%\Fonts\Mysql\mance.xml20
%SystemRoot%\Fonts\Mysql\nei.bat20
%SystemRoot%\Fonts\Mysql\p.txt20
%SystemRoot%\Fonts\Mysql\poab.bat20
See JSON for more IOCs

File Hashes

  • 00e8030802e8f6b32c9e9b5167ba6854797af91947d605889b5dba3b2a29b74e
  • 054441dbcac05960e2ba1ae81903f4ed48786be51aeb346f4c2cc1162ba1749f
  • 0fa0b6d80e850f42f7d17681b2ff2147694053aa4680ddfcf632ee89d183a6fc
  • 16488c72a0c92c8a72dc78ee9d52cfc4ebf8a6392d9f91f2c966fc99abe05a03
  • 181ce9db0dea2a3a2e08860620c3015e61995a93729cb07e0b157d0e75c73343
  • 229ab5a9502a4f9efaf6b1ae193d49cd529479e4adf0475caa80f0086dd20c31
  • 23e3a6d9ce11a9ceef4f1a0731368a85587d612063d67fb518156fa88e20a277
  • 5a831048eaeed5fa07ae830ebe1ac176cdffd0764a978c89228f45125a8c07c3
  • 749cdaf3de5490da6a5c1900b415e1a10cba45d19593ca98378781d9488b6bee
  • 77f5a8b8c3d9091b5d3f050b2ac6183a9bfb86e8fd1085e96926c513c69cbffb
  • 811fc3535e7e4e67164d12a3a8a5d839365873b53e20f1ac3b5638cba279d0e9
  • 96799361f9e214dcdb35d14f3b93e35736d4f5e11a25e4672989c9b436ee6cdc
  • a013f2631ac35d43652d5ab7fd30e71187398b5c6ede6081fa6c73fb3f0b469a
  • ac80e17388fbd1f59b80c411d1449ce90a4ce5ada9d6ced63dc9890bfe5249ea
  • c29ae0b2992a0320c5d584a7af6ff8dfc590140d0652aa22b374a8b6946a76f3
  • c74a2a95439224bdef39354f37ccb4ded7ce7ba071aac9d5efe505cdb7a828ac
  • db1b669b7daffcb3b6be5ba635afe5890d85e3f734a74e9a97c864ebb23ffd30
  • dc814196d52db10a9231754a3c33b58af9c995490a16c20328a954d8c1918589
  • e3e7c5bcb49da52952d85f30efbc86830536593e96e6b29f05f22ac14e208ce5
  • e6d879189c9cfe58aa9f83856eb4849caee841eb71557522c14d38bdd8bc8efe
  • fcad77aba9a0290e0f25b0512ceadf102aff36c955a319275b3f44565d53c383

COVERAGE


SCREENSHOTS OF DETECTIONAMP


ThreatGrid


Umbrella


Win.Malware.Fareit-6958493-0

INDICATORS OF COMPROMISE

Registry KeysOccurrences
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: internat.exe		4
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: AGP Manager		3
<HKLM>\Software\Wow6432Node\Microsoft\Tracing\RASAPI322
<HKLM>\Software\Wow6432Node\Microsoft\Tracing\RASMANCS2
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\TRACING\RASAPI32
Value Name: EnableFileTracing		2
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\TRACING\RASAPI32
Value Name: EnableConsoleTracing		2
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\TRACING\RASAPI32
Value Name: FileTracingMask		2
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\TRACING\RASAPI32
Value Name: ConsoleTracingMask		2
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\TRACING\RASAPI32
Value Name: MaxFileSize		2
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\TRACING\RASAPI32
Value Name: FileDirectory		2
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\TRACING\RASMANCS
Value Name: EnableFileTracing		2
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\TRACING\RASMANCS
Value Name: EnableConsoleTracing		2
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\TRACING\RASMANCS
Value Name: FileTracingMask		2
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\TRACING\RASMANCS
Value Name: ConsoleTracingMask		2
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\TRACING\RASMANCS
Value Name: MaxFileSize		2
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\TRACING\RASMANCS
Value Name: FileDirectory		2
<HKCU>\Software\Microsoft\Windows Script Host\Settings2
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\COMPATIBILITYADAPTER\SIGNATURES
Value Name: AGP Manager.job		2
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\COMPATIBILITYADAPTER\SIGNATURES
Value Name: AGP Manager.job.fp		2
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\AGP MANAGER
Value Name: Index		2
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\COMPATIBILITYADAPTER\SIGNATURES
Value Name: AGP Manager Task.job		2
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\COMPATIBILITYADAPTER\SIGNATURES
Value Name: AGP Manager Task.job.fp		2
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\AGP MANAGER TASK
Value Name: Index		2
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\AGP MANAGER
Value Name: Id		2
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\AGP MANAGER TASK
Value Name: Id		2
MutexesOccurrences
A16467FA7-343A2EC6-F2351354-B9A74ACF-1DC8406A2
Remcos_Mutex_Inj1
rdyboost_Perf_Library_Lock_PID_2101
usbhub_Perf_Library_Lock_PID_2101
.NET CLR Data_Perf_Library_Lock_PID_5b81
.NET CLR Networking 4.0.0.0_Perf_Library_Lock_PID_5b81
.NET CLR Networking_Perf_Library_Lock_PID_5b81
.NET Data Provider for Oracle_Perf_Library_Lock_PID_5b81
.NET Data Provider for SqlServer_Perf_Library_Lock_PID_5b81
.NET Memory Cache 4.0_Perf_Library_Lock_PID_5b81
.NETFramework_Perf_Library_Lock_PID_5b81
ASP.NET_1.1.4322_Perf_Library_Lock_PID_5b81
ASP.NET_4.0.30319_Perf_Library_Lock_PID_5b81
ASP.NET_Perf_Library_Lock_PID_5b81
BITS_Perf_Library_Lock_PID_5b81
ESENT_Perf_Library_Lock_PID_5b81
Lsa_Perf_Library_Lock_PID_5b81
MSDTC Bridge 3.0.0.0_Perf_Library_Lock_PID_5b81
MSDTC Bridge 4.0.0.0_Perf_Library_Lock_PID_5b81
MSDTC_Perf_Library_Lock_PID_5b81
Outlook_Perf_Library_Lock_PID_5b81
PerfDisk_Perf_Library_Lock_PID_5b81
PerfNet_Perf_Library_Lock_PID_5b81
PerfOS_Perf_Library_Lock_PID_5b81
PerfProc_Perf_Library_Lock_PID_5b81
See JSON for more IOCs
IP Addresses contacted by malware. Does not indicate maliciousnessOccurrences
47[.]254[.]132[.]2172
5[.]8[.]88[.]2132
91[.]192[.]100[.]41
185[.]165[.]153[.]191
91[.]193[.]75[.]331
194[.]5[.]99[.]41
103[.]200[.]5[.]1861
185[.]165[.]153[.]1351
105[.]112[.]98[.]981
129[.]205[.]112[.]1321
212[.]7[.]192[.]2411
Domain Names contacted by malware. Does not indicate maliciousnessOccurrences
snooper112[.]ddns[.]net1
harryng[.]ddns[.]net1
popen[.]ru1
hfgdhgjkgf[.]ru1
rtyrtygjgf[.]ru1
icabodgroup[.]hopto[.]org1
Files and or directories createdOccurrences
%APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C53
%APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\Logs3
%APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\Logs\Administrator3
%APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\run.dat3
%ProgramFiles(x86)%\AGP Manager3
%ProgramFiles(x86)%\AGP Manager\agpmgr.exe3
%System32%\Tasks\AGP Manager2
%APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\task.dat2
%APPDATA%\Install2
%APPDATA%\Install\Host.exe2
%System32%\Tasks\AGP Manager Task2
%ProgramData%\Microsoft\Vault\AC658CB4-9126-49BD-B877-31EEDAB3F204\Policy.vpol1
%LOCALAPPDATA%\Microsoft\Vault\4BF4C442-9B8A-41A0-B380-DD4A704DDB28\Policy.vpol1
%APPDATA%\remcos1
%APPDATA%\remcos\logs.dat1
%APPDATA%\remcos\remcos.exe1
%System32%\drivers\etc\hosts1
%APPDATA%\Screenshots1
%TEMP%\install.vbs1
\??\scsi#disk&ven_red_hat&prod_virtio#4&2556063a&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}1
%TEMP%\MyttloApp1
%TEMP%\tmpD22A.tmp1
%TEMP%\subos1
%TEMP%\tmpD4E9.tmp1
%TEMP%\subos\subose.exe1
See JSON for more IOCs

File Hashes

  • 0758f55d7c977e33b0c64c6bdf273d1fc639440505d3f015c5d519dc6200017f
  • 17537f41d384c9a3fe385e6ec51feacf23dcab755b26e274bddcb25ad51f3b20
  • 3409a0970239cd2fc61b66db3c6e7c49921b2c828b59530e37dc34504ee46081
  • 446166d1a9e7e1b7e12547510f7de7bc4c281681cce1f9f8576fce9de7b1dc05
  • 5c0016d2122382734395929696e2d737162f797bb4e21ab1cb9af7c9429823bf
  • 63053625336da966b1c41eae9b39dfc6dd6829be50852d657f48cf6351102955
  • 71795cda989e98003d22a59a88951ce0c2b1dd472b5c1bea4f79f03e0f22747c
  • 7634476cf6e1d538bbf9b5dc0b2dad3f55d78a7a0699f0aa3ec1a926867b602d
  • b0ab801164d28470c2e76fa775ace286b9c218eed099373ba6a6b879cb9473f4
  • c433ec83fd1ab4c370c218feda1fde4514573278464cff96c053479d5c6aea95
  • c68c68c512cd5b66fbc56df273f55bc8e9db9e5c3840dc28d905ca676029f86b
  • dfaf92e94e698ded2dfec6fde877118a2ed30d2709ce8c431d35ca3ce9d7f836
  • e6a4c246c552c5152b500443a603304bac2edbeb2925c4da2e3bf457351b66c1
  • f08bf06ef32de3aea50ded12434753f08c336408715fdcc7ab263cf95892bd5b
  • f5f336ac45dec2fa199ce54cc93035967037f7550ad9ddc89f9dfc91918d57c8

COVERAGE


SCREENSHOTS OF DETECTIONAMP


ThreatGrid


Umbrella


Win.Malware.Ursnif-6957672-0

INDICATORS OF COMPROMISE

Registry KeysOccurrences
<HKLM>\SOFTWARE\WOW6432NODE\JAVASOFT\JAVA WEB START\1.6.0_41
Value Name: Home		19
<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\LOWREGISTRY
Value Name: AddToFavoritesInitialSelection		19
<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\LOWREGISTRY
Value Name: AddToFeedsInitialSelection		19
<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN\WINDOWSSEARCH
Value Name: Version		19
<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\RECOVERY\PENDINGRECOVERY
Value Name: AdminActive		19
<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\EUPP\DSP
Value Name: ChangeNotice		19
<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MINIE
Value Name: TabBandWidth		19
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\SETTINGS\{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}
Value Name: NewInstallPromptCount		19
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\SETTINGS\{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}
Value Name: CompatBlockPromptCount		19
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\SETTINGS\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}
Value Name: NewInstallPromptCount		19
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\SETTINGS\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}
Value Name: CompatBlockPromptCount		19
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\SETTINGS\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}
Value Name: NewInstallPromptCount		19
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\SETTINGS\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}
Value Name: CompatBlockPromptCount		19
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\SETTINGS\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
Value Name: NewInstallPromptCount		19
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\SETTINGS\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
Value Name: CompatBlockPromptCount		19
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\SETTINGS\{B4F3A835-0E21-4959-BA22-42B3008E02FF}
Value Name: NewInstallPromptCount		19
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\SETTINGS\{B4F3A835-0E21-4959-BA22-42B3008E02FF}
Value Name: CompatBlockPromptCount		19
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\SETTINGS\{DBC80044-A445-435B-BC74-9C25C1C588A9}
Value Name: NewInstallPromptCount		19
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\SETTINGS\{DBC80044-A445-435B-BC74-9C25C1C588A9}
Value Name: CompatBlockPromptCount		19
<HKU>\Software\Microsoft\Internet Explorer\Recovery\Active19
<HKU>\Software\Microsoft\CTF\TIP\{1188450c-fdab-47ae-80d8-c9633f71be64}\LanguageProfile\0x00000000\{63800dac-e7ca-4df9-9a5c-20765055488d}19
<HKLM>\SOFTWARE\Classes\TypeLib\{1EA4DBF0-3C3B-11CF-810C-00AA00389B71}\1.1\0\win3219
<HKU>\Software\Microsoft\Internet Explorer\Suggested Sites19
<HKU>\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\Links19
<HKU>\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore19
MutexesOccurrences
!PrivacIE!SharedMem!Mutex19
Local\VERMGMTBlockListFileMutex19
Local\!BrowserEmulation!SharedMemory!Mutex19
Local\URLBLOCK_DOWNLOAD_MUTEX19
Local\URLBLOCK_HASHFILESWITCH_MUTEX19
UpdatingNewTabPageData19
{5312EE61-79E3-4A24-BFE1-132B85B23C3A}19
{66D0969A-1E86-44CF-B4EC-3806DDDA3B5D}19
{A7AAF118-DA27-71D5-1CCB-AE35102FC239}18
Local\{57025AD2-CABB-A1F8-8C7B-9E6580DFB269}18
Local\{7FD07DA6-D223-0971-D423-264D4807BAD1}18
Local\{B1443895-5CF6-0B1E-EE75-506F02798413}18
CommunicationManager_Mutex15
SmartScreen_AppRepSettings_Mutex15
SmartScreen_ClientId_Mutex15
Local\URLBLOCK_FILEMAPSWITCH_MUTEX_17606
{33B6645E-F685-DDC4-9817-8A614C3B5E25}6
{9FB8F914-72AD-292E-7443-C66DE8275AF1}4
{EF2CA93C-8275-F9B6-0493-D63D78776AC1}3
{1FE6DE6D-F2FC-A937-F4C3-46ED68A7DA71}3
Local\URLBLOCK_FILEMAPSWITCH_MUTEX_19163
{27CB7058-5ACE-F149-9C4B-2EB590AF42B9}3
\BaseNamedObjects\Local\{FCAA51DD-2B0A-8E99-95F0-8FA2992433F6}3
\BaseNamedObjects\Local\{6AE7CB31-C1EF-2C06-9B3E-8520FF528954}3
\BaseNamedObjects\Local\{72534A3F-299C-7437-43C6-6DE8275AF19C}3
See JSON for more IOCs
IP Addresses contacted by malware. Does not indicate maliciousnessOccurrences
204[.]79[.]197[.]20019
185[.]193[.]141[.]6019
208[.]67[.]222[.]22218
194[.]147[.]35[.]9518
13[.]107[.]21[.]20013
Domain Names contacted by malware. Does not indicate maliciousnessOccurrences
vmelynaa[.]club19
resolver1[.]opendns[.]com18
222[.]222[.]67[.]208[.]in-addr[.]arpa18
myip[.]opendns[.]com18
ciemona[.]top18
zwbaoeladiou[.]xyz16
fqwalfredoesheridan[.]info16
Files and or directories createdOccurrences
%APPDATA%\Microsoft\Protect\S-1-5-21-2580483871-590521980-3826313501-500\Preferred19
%LOCALAPPDATA%Low\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico19
%LOCALAPPDATA%\Microsoft\Windows\WebCache\V0100008.log19
%LOCALAPPDATA%\Microsoft\Windows\WebCache\V0100009.log19
%LOCALAPPDATA%\Microsoft\Windows\WebCache\V010000A.log19
%LOCALAPPDATA%\Microsoft\Windows\WebCache\V010000B.log19
%LOCALAPPDATA%\Microsoft\Windows\WebCache\V010000D.log19
%LOCALAPPDATA%\Microsoft\Windows\WebCache\V010000F.log19
%LOCALAPPDATA%\Microsoft\Windows\History\History.IE5\MSHist012018082820180829\container.dat19
%LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Content.IE5\1NSKV6K6\suggestions[2].en-US19
%LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Content.IE5\7V3XNPL2\favicon[2].ico19
%LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Content.IE5\SSZWDDXW\views[2]19
%LOCALAPPDATA%\Microsoft\Internet Explorer\imagestore\aowwxkh\imagestore.dat19
%LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Content.IE5\SSZWDDXW\favicon[1].ico19
%LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Content.IE5\1NSKV6K6\favicon[2].png19
%LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Content.IE5\6YL4T24G\views[1]19
%LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Content.IE5\7V3XNPL2\favicon[1].ico19
%LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Content.IE5\7V3XNPL219
%LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Content.IE5\SSZWDDXW19
%HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\C5MZMU22\desktop.ini19
%TEMP%\www2.tmp19
%TEMP%\www3.tmp19
%TEMP%\www4.tmp19
%HOMEPATH%\Favorites\Links\Suggested Sites.url19
%HOMEPATH%\Local Settings\Application Data\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\Suggested Sites~.feed-ms19
See JSON for more IOCs

File Hashes

  • 0870f99237954ec3b6c5d2bef78a68484ec211bdd3f98439570d6a316c8a15ee
  • 395a5bb5a15f3d0c277835b62372c985cf718cdd2b1a5a504b5e9433c5dab8a5
  • 44e6613a20fda10678242f331152b6377edc18a3bbece8a7546ef54fe2dbb9d2
  • 4509bfad5dacb2f5ac43483fb991fa5bba25b90a46a1829d5d812be529dff930
  • 5bdab30c2318e1a15917c5a5fa5a970845e473c3df7e3baf134393d9fe7dd1c5
  • 6c29026c61c2bcf1502ffa77b56d2b41504598e6b660cb4f4aadeef547248861
  • 8caac9f128ef6d7cd20ad6395b16fc180456eed45d86b68b49b87b4b57aa0142
  • 8cc7ec0c3662c3e68a0063f9aa37943eb83ac6cd472a76f9f047e0fad21f9875
  • 8df6c10dd50118b2fc7bd380d0423ad0d7a36630f2f6be81fe508eb0b7d409cb
  • b824f4bb9174eda6738710e1fed13a74088e2c23d8c31ce81ecde3cd03260396
  • c3f72c971d83fd3ac32d8bbee2d94fe78bcbde553212f3e4c3d626a8d124ccb6
  • d1d54cc60dfc5957d76c37218d89bf59aaa45c4cc45067af83429280463923e5
  • e450ad1c3dad95a579f43bf2deb9b58acc8c661e0090a162da75dd66ef608e8b
  • e7f7e41a55b11e5aee84f519b267c19c5943ca923b8c05d3aff99a47ab074f58
  • f1fc8274b0155470b6983ba68c70ea5df59196ae8b89366fc4fe922575719536
  • f58c95835e8a08cbef55c00ae86d03399302cdf7d500ab499f312156f275f2f9
  • f5e3128f71497dd5ee29c05296c3815466fd2eacc714ce914771d0ede672639c
  • fb7592a3c2994ba426046328c87f08574c7d367b0c75e206ddfd32cc5d7bfcd0
  • fb76a896e5ead6658b589c20e715fe18ffec03b9f57f895e14a0d43574de71e3

COVERAGE


SCREENSHOTS OF DETECTIONAMP


ThreatGrid


Win.Ransomware.Cerber-6957317-0

INDICATORS OF COMPROMISE

Registry KeysOccurrences
<HKLM>\System\CurrentControlSet\Services\NapAgent\Shas25
<HKLM>\System\CurrentControlSet\Services\NapAgent\Qecs25
<HKCU>\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage225
<HKLM>\System\CurrentControlSet\Services\NapAgent\LocalConfig25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\NAPAGENT\LOCALCONFIG\Enroll\HcsGroups25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\NAPAGENT\LOCALCONFIG\UI25
<HKLM>\System\CurrentControlSet\Control\Session Manager25
<HKU>\Software\Microsoft\Windows\ShellNoRoam\MUICache25
<HKCU>\CONTROL PANEL\DESKTOP
Value Name: Wallpaper		25
<HKLM>\SYSTEM\CONTROLSET001\CONTROL\SESSION MANAGER
Value Name: PendingFileRenameOperations		25
<HKLM>\SYSTEM\ControlSet001\Control\Session Manager25
<HKLM>\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\189271E573FED295A8C130EAF357A20C4A9F115E9
<HKLM>\System\CurrentControlSet\Control\SecurityProviders\Schannel6
MutexesOccurrences
Global\3a886eb8-fe40-4d0a-b78b-9e0bcb683fb725
shell.{381828AA-8B28-3374-1B67-35680555C5EF}25
\BaseNamedObjects\shell.{718951EE-6DB9-E41A-53AA-8B715AE18B45}2
\BaseNamedObjects\shell.{493BC5E1-8EB5-5EFC-281D-65B759CEECC3}2
\BaseNamedObjects\shell.{B1A92788-E01E-5F0F-2EBD-8C1B64B4440E}1
\BaseNamedObjects\shell.{3B5BBD57-DC86-C667-6198-1ED86151C492}1
\BaseNamedObjects\shell.{3290A7F9-5947-C52F-A9C4-FFC568696593}1
\BaseNamedObjects\shell.{A90EDFAB-A502-430E-BDBC-2A277AABA37D}1
\BaseNamedObjects\shell.{FCDAE584-CD77-B6D4-3AF3-33D1E72CBBA2}1
\BaseNamedObjects\shell.{5ED88314-B21B-6A1E-9E28-1194C46E655A}1
\BaseNamedObjects\shell.{0382099C-AC13-59BE-3A2C-B533D776D30C}1
\BaseNamedObjects\shell.{8A1F6AB1-121B-A240-F2AC-6815C5405429}1
\BaseNamedObjects\shell.{6B956E68-ABAA-AB50-EB9F-299C556E0FC1}1
\BaseNamedObjects\shell.{D593CF55-EF38-7E41-B3D1-189932BF5ACA}1
\BaseNamedObjects\shell.{6E8CD1E8-3AA4-8152-A1AC-9DF81B4CF52F}1
\BaseNamedObjects\shell.{CA80F6A6-97F3-B746-F936-72E156EADCA1}1
\BaseNamedObjects\shell.{77337C05-6A9D-48D8-548B-5BC4EDE52644}1
\BaseNamedObjects\shell.{5F59AF38-9EAC-3B8F-A08E-700EC4307348}1
\BaseNamedObjects\shell.{1DEF893E-C150-B52C-8B2C-18DC50905097}1
\BaseNamedObjects\shell.{114716B6-D98A-FB35-E73B-ABDB1C2ECBE3}1
\BaseNamedObjects\shell.{940BFEC0-D658-3349-9964-7D4820AF7C5D}1
\BaseNamedObjects\shell.{DCA07E8B-8FF0-AAD5-5A30-43E0A4FC3355}1
\BaseNamedObjects\shell.{9F3E7036-D399-5D1C-15F0-27F90C81CEA7}1
\BaseNamedObjects\shell.{4D979936-6ECD-C1FC-8B7E-C65E6397B59E}1
\BaseNamedObjects\shell.{2981A90C-3618-499B-5205-FD704DC8D53D}1
IP Addresses contacted by malware. Does not indicate maliciousnessOccurrences
178[.]33[.]160[.]17625
178[.]33[.]160[.]17525
178[.]33[.]160[.]17825
178[.]33[.]160[.]17725
178[.]33[.]160[.]17925
178[.]33[.]160[.]17025
178[.]33[.]160[.]17225
178[.]33[.]160[.]17125
178[.]33[.]160[.]19625
178[.]33[.]160[.]19525
178[.]33[.]160[.]19825
178[.]33[.]160[.]19725
178[.]33[.]160[.]19925
178[.]33[.]160[.]19025
178[.]33[.]160[.]19225
178[.]33[.]160[.]19125
178[.]33[.]160[.]19425
178[.]33[.]160[.]19325
178[.]33[.]159[.]3125
178[.]33[.]159[.]3025
178[.]33[.]159[.]2925
178[.]33[.]159[.]2825
178[.]33[.]159[.]2725
178[.]33[.]159[.]2625
178[.]33[.]159[.]2525
See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousnessOccurrences
api[.]blockcypher[.]com25
chain[.]so13
bitaps[.]com13
btc[.]blockr[.]io13
hjhqmbxyinislkkt[.]1j9r76[.]top12
www[.]coinbase[.]com9
p27dokhpz2n7nvgr[.]1j9r76[.]top6
hjhqmbxyinislkkt[.]1bxzyr[.]top3
Files and or directories createdOccurrences
%HOMEPATH%\Documents\OneNote Notebooks\Personal\General.one25
%HOMEPATH%\Documents\OneNote Notebooks\Personal\Unfiled Notes.one25
%HOMEPATH%\Documents\Outlook Files\Outlook.pst25
%HOMEPATH%\Documents\RILLReturn.ppt25
%HOMEPATH%\Documents\SerialsOverview.ppt25
%HOMEPATH%\Documents\TSR_Observations_2-14-2007.doc25
%HOMEPATH%\Documents\VISSpring13Schedule.pdf25
%HOMEPATH%\Documents\booklaunch_e.doc25
%HOMEPATH%\Documents\featureb0906.pdf25
%HOMEPATH%\Documents\genealogy.ppt25
%HOMEPATH%\Documents\greenpaper.doc25
%HOMEPATH%\Documents\james_harrison_public_forum_presentation_e.doc25
%HOMEPATH%\Documents\self-guided_SoE_Tour.pdf25
%HOMEPATH%\Documents\sshws_2012rev.pdf25
%HOMEPATH%\Documents\timeentrylimit.xlsx25
%HOMEPATH%\Documents\workshopagenda10may2001_e.doc25
%TEMP%\d19ab98925
%TEMP%\d19ab989\4710.tmp25
%TEMP%\d19ab989\a35f.tmp25
%LOCALAPPDATA%\Microsoft\Office\Groove\System\CSMIPC.dat25
\DAV RPC SERVICE25
\Device\Null25
%APPDATA%\Microsoft\Outlook\Outlook.srs25
%APPDATA%\Microsoft\Outlook\Outlook.xml25
%HOMEPATH%\Local Settings\Application Data\Microsoft\Office\ONetConfig\21d4feba3519c30e149fdf62432f198a.xml25
See JSON for more IOCs

File Hashes

  • 0536d5867571e0ed9998dfe458e7cf42334a9abc67e1cbd9ea3004507f899e3c
  • 17f6fab817ae1a1ac4478c121c3dcfed044924ba4beac8cae734cd14d453596b
  • 212ef6edb374b8aab38ad19fa15e2e2f4674b7d2cbb024f36b9477fc71c71769
  • 276438f97b45ccd5ff93586ae0adfa3c4e4ba92f1adc87fca607eb6d6bd17919
  • 2b7669616638e5976b1c65b492d9e775ab668648d0b2ca5df81bcbe26b7e1123
  • 33dcb7c8ce845f1840cb6508a67595d415227babe474eae0f3a06383eab16e63
  • 3d5bab5798ad6d27131075732d829b90f3f37d5e63bab43b53a071c002678fce
  • 418a712f9e44f3adba6125d9f3d7ad4a52ffef9d8ad5b485e903a984a4cd8c63
  • 420dc43a8c9200df4138d720415304017b861b3cfddfb5de16af50099f3b0e37
  • 436e308c38fb3872fe1a64be90eed2a86d7f9806cd163c83e83fbfd0edf3f8d8
  • 55e8cb67e967b51aacd85258cc4c5a2d8c7c2ad48e44d6f4ecf9c0a721d4fbfe
  • 57de16edb0bd7e590ad1adf4474b18eb968d72781f0d34f33ee51cf6ed71763e
  • 5da318b569c3cbad701f06f4b26905c5ac95048b748481fae2552653acdeb25b
  • 629c1b76328b10077af530bfc5526fcb5592eefd8fb0b618179a8429bf6b6259
  • 64b193a1fcdd2d2ec2444e989ecb9283a5f7679abfc5dc3efa9a248793e0197c
  • 6e7bc2af711eac2a82384b3738229d3b69f60f1522a0c59f781f4d6731b1f198
  • 763b5c07061e6f306399991efd08ac8b9efb74c37ab6280c840a779fb7ca929c
  • 77ee427b01cecdc4adcdee50b679ddab7ae6175a9ec3ec199b81cbfb3684a172
  • 7e93d6b812b9ba8833a2f6727e35714ae301c8ab8ac9988ae540f4a993e41c05
  • 84d4734cd55e627870c58fe07bd29895cc40726ea235de6980c1ebe73c8f838c
  • 9d60618b662ed064573688abf10cb3eb562b46baceb864a4343e8851b2e6686e
  • a2dd530ea97e84d507d13eccef73f736ef1c7c2722b82c84e6d84c61f9406f9b
  • a6943fd03952cc9d1b7a492ca30cc75ecaefdb54e20af0fc0dcbbcc93483d031
  • a9efbbec61b1901e23bd5d29f2e1c34e9d0e7c41dbd216386ec52489239068fe
  • b0ba2997331995d24a85a7d4f586fcaaeb4e6b62de46f068d165ef0d13b172cc
  • See JSON for more IOCs

COVERAGE


SCREENSHOTS OF DETECTIONAMP


ThreatGrid


Umbrella


Malware


Win.Dropper.Nymaim-6956636-0

INDICATORS OF COMPROMISE

Registry KeysOccurrences
<HKCU>\Software\Microsoft\GOCFK19
<HKLM>\Software\Wow6432Node\Microsoft\Tracing\tapi319
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\TRACING\TAPI3
Value Name: EnableFileTracing		19
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\TRACING\TAPI3
Value Name: EnableConsoleTracing		19
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\TRACING\TAPI3
Value Name: FileTracingMask		19
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\TRACING\TAPI3
Value Name: ConsoleTracingMask		19
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\TRACING\TAPI3
Value Name: MaxFileSize		19
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\TRACING\TAPI3
Value Name: FileDirectory		19
<HKCU>\SOFTWARE\MICROSOFT\GOCFK
Value Name: mbijg		19
<HKCU>\Software\Microsoft\FROD18
MutexesOccurrences
Local\{369514D7-C789-5986-2D19-AB81D1DD3BA1}19
Local\{D0BDC0D1-57A4-C2CF-6C93-0085B58FFA2A}19
Local\{F04311D2-A565-19AE-AB73-281BA7FE97B5}19
Local\{F6F578C7-92FE-B7B1-40CF-049F3710A368}19
Local\{306BA354-8414-ABA3-77E9-7A7F347C71F4}19
Local\{F58B5142-BC49-9662-B172-EA3D10CAA47A}19
Local\{C170B740-57D9-9B0B-7A4E-7D6ABFCDE15D}19
Local\{B888AC68-15DA-9362-2153-60CCDE3753D5}19
Local\{2DB629D3-9CAA-6933-9C2E-D40B0ACCAC9E}19
IP Addresses contacted by malware. Does not indicate maliciousnessOccurrences
N/A-
Domain Names contacted by malware. Does not indicate maliciousnessOccurrences
otmqa[.]in18
nuyfyp[.]in18
omctebl[.]pw18
qxqdslcvhs[.]pw18
eyhwvkyswsts[.]in18
lqeyztwnmqw[.]pw18
tgkddewbn[.]in18
bibmbkjvelox[.]net18
mpoghxb[.]net18
zglevl[.]net18
cixhrfbok[.]com18
yqxpvvbvncxr[.]com18
vhmfwvrbln[.]net18
pyioepars[.]com18
iwxbgsvj[.]net18
Files and or directories createdOccurrences
%ProgramData%\ph19
%ProgramData%\ph\fktiipx.ftf19
%TEMP%\gocf.ksv19
%TEMP%\fro.dfx18
\Documents and Settings\All Users\pxs\pil.ohu18
%LOCALAPPDATA%\7z25
%APPDATA%\s2695
%ProgramData%\hm94p643
%LOCALAPPDATA%\28703
%APPDATA%\710i5v83
%ProgramData%\05n33
%ProgramData%\0m23
%ProgramData%\j91z2
%LOCALAPPDATA%\9b82
%APPDATA%\mb312
%ProgramData%\6745h2
%ProgramData%\63h6c2
%LOCALAPPDATA%\546byxl2
%APPDATA%\k5f52
%APPDATA%\1ok411c1
%ProgramData%\84q9q1
%LOCALAPPDATA%\6b0d19t1
%APPDATA%\9980c1
%ProgramData%\2p077d1
%LOCALAPPDATA%\ja68siv1
See JSON for more IOCs

File Hashes

  • 0a79d985e81449aeabc401545955323e3d9fa0951a6fabe8727370679cee362c
  • 2d7e1dee56892ffe3fa7b85e33ef512e8017ce690a1118ad743736ba03c70c29
  • 2f017b1f3b3d430266be3da2be7b050dad8d2bbdfe457d6d053f2ca312c90691
  • 33c2883874a24e9abbd993f5d06b8596483d33a388b4832f7e8ed3585dab0f80
  • 4268fb8266c18ba7392e2ac655dad69b952bcfce10a71b34a821f0ea32a02954
  • 470dad272252de1d8631e7026ee324fa9238f722707a26f56b6377f2588a7b16
  • 4ff4835419292e13a5d7be1fe2b3b6a000a07f733948e5865b09082e91ef364b
  • 50bc7a1d67f67fbe4faaa7e1968addc631ee65c05dffdac6decfd021306d17c7
  • 5814f51e35d047cfd4e2b4d76bb2b401d70a860747b7ba817fe3bb035dea1b98
  • 68e743d3ab393a17a9120260b6e2c1a1fcea3ba32cebc06aa1970d62198f266d
  • 7e95831b38b1a32402ba5b6251180aca1b1cad457be756612b3ffe1ebf40dce2
  • 8b307748efc603648524dc47202a550bfcaee9a3a23da4f99802aef2e789d6cd
  • 9260c5ea2694dd47cbe563d7d39518d4b4f1249499dcae387e2da9955723286f
  • a92aec525fddbe52002ba700344043cd99b8d1323728b9cc2114e64bf83c7ce3
  • aca7c6cb8d0edcb41b44a0f53460ee8ac3078aca97f03979da0b1d4d5dfb860b
  • b01ecd3e51d9efea860568d3ae336c7d3514f08bca6d3ba9c5cfd3ad069ec3fe
  • d618459cbcf86c6797850757003d53db2f8bcc89364bf7de806f89f1736bf1cd
  • d6a5f0855e7e2c8968e90159b42853361187b41d692626273807361c27bd5a37
  • db421df81c436e54428bcaddcb394568afcd6769e88809a2634ea678643ec811

COVERAGE


SCREENSHOTS OF DETECTIONAMP


ThreatGrid


Umbrella


Win.Dropper.Qakbot-6956539-0

INDICATORS OF COMPROMISE

Registry KeysOccurrences
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: internat.exe		25
<HKCU>\Software\Microsoft\SystemCertificates\UserDS25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\aqejpwsx25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\AQEJPWSX
Value Name: Type		25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\AQEJPWSX
Value Name: Start		25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\AQEJPWSX
Value Name: ErrorControl		25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\AQEJPWSX
Value Name: ImagePath		25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\AQEJPWSX
Value Name: DisplayName		25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\AQEJPWSX
Value Name: DependOnService		25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\AQEJPWSX
Value Name: DependOnGroup		25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\AQEJPWSX
Value Name: WOW64		25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\AQEJPWSX
Value Name: ObjectName		25
<HKLM>\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\7D7F4414CCEF168ADF6BF40753B5BECD783759313
<HKLM>\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\637162CC59A3A1E25956FA5FA8F60D2E1C52EAC63
Note that other Registry Keys are leveraged that may contain unicode characters. See JSON for more IOCs
MutexesOccurrences
Global\eqfik25
llzeou25
eqfika25
Global\epieuxzk25
Global\ulnahjoi25
Global\utjvfi25
bzqjzpdrfpamvq25
\BaseNamedObjects\Global\uvesyw2
\BaseNamedObjects\Global\vqxcpp2
\BaseNamedObjects\hxsgmprzlpnnqw2
\BaseNamedObjects\Global\imyuiwlg2
\BaseNamedObjects\Global\vtqux2
\BaseNamedObjects\imyuiwlga2
\BaseNamedObjects\yspopald2
\BaseNamedObjects\Global\rhjga2
\BaseNamedObjects\afalya2
\BaseNamedObjects\iykps2
\BaseNamedObjects\Global\ilkcmoq2
\BaseNamedObjects\Global\afaly2
\BaseNamedObjects\Global\dgialgoh2
\BaseNamedObjects\Global\yvbnyn2
\BaseNamedObjects\Global\knpog2
\BaseNamedObjects\crcbzy2
\BaseNamedObjects\Global\esroi2
\BaseNamedObjects\knpoga2
See JSON for more IOCs
IP Addresses contacted by malware. Does not indicate maliciousnessOccurrences
172[.]217[.]12[.]17425
69[.]241[.]80[.]16221
209[.]126[.]124[.]17321
69[.]195[.]124[.]6020
162[.]144[.]12[.]24120
50[.]87[.]150[.]20319
181[.]224[.]138[.]24019
35[.]225[.]160[.]24518
172[.]217[.]164[.]14218
45[.]38[.]189[.]10318
68[.]87[.]56[.]13018
85[.]93[.]89[.]610
209[.]126[.]124[.]1666
207[.]38[.]89[.]1155
85[.]93[.]88[.]2515
69[.]241[.]74[.]1703
69[.]241[.]108[.]583
69[.]241[.]106[.]1023
64[.]34[.]169[.]2442
208[.]100[.]26[.]2341
216[.]218[.]206[.]691
216[.]58[.]217[.]1421
173[.]227[.]247[.]491
173[.]227[.]247[.]541
69[.]64[.]56[.]2441
See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousnessOccurrences
jpfdtbmvuygvyyrebxfxy[.]info25
hknkmwfdngcfavzhqd[.]biz25
ywubouysdukndoakclnr[.]org25
uwujtnymeyeqovftsc[.]org21
kaaovcddwmwwlolecr[.]org21
ijdlykvhnvrnauvz[.]com21
www[.]ip-adress[.]com21
stc-hstn-03[.]sys[.]comcast[.]net21
boston[.]speedtest[.]comcast[.]net21
houston[.]speedtest[.]comcast[.]net21
sanjose[.]speedtest[.]comcast[.]net21
jacksonville[.]speedtest[.]comcast[.]net21
lunkduuumhmgpnoxkbcjqcex[.]org19
hsyglhiwqfc[.]org18
forumity[.]com18
zebxhuvsz[.]com18
yxssppysgteyylwwprsyyvgf[.]com18
fcptxaleu[.]net18
olosnxfocnlmuw[.]biz18
cbqjxatxrumjpyvp[.]biz18
sproccszyne[.]org18
uschunmmotkylgsfe[.]biz18
wgysvrmqugtimwhozoyst[.]biz18
tkpxkpgldkuyjduoauvwoiwcg[.]org18
cufgghfrxaujbdb[.]com18
See JSON for more IOCs
Files and or directories createdOccurrences
%APPDATA%\Microsoft\Windows\Cookies\QA752KCC.txt25
%APPDATA%\Microsoft\Windows\Cookies\QP9V2VPK.txt25
%APPDATA%\Microsoft\Windows\Cookies\QTOORX9Q.txt25
%APPDATA%\Microsoft\Windows\Cookies\RPE3LD3D.txt25
%APPDATA%\Microsoft\Windows\Cookies\RYU7B1BB.txt25
%APPDATA%\Microsoft\Windows\Cookies\RZ1EYTQG.txt25
%APPDATA%\Microsoft\Windows\Cookies\SCT1A3Q5.txt25
%APPDATA%\Microsoft\Windows\Cookies\SL2DQ447.txt25
%APPDATA%\Microsoft\Windows\Cookies\SUA0P3GL.txt25
%APPDATA%\Microsoft\Windows\Cookies\T28YM23R.txt25
%APPDATA%\Microsoft\Windows\Cookies\TC61OXS2.txt25
%APPDATA%\Microsoft\Windows\Cookies\TWNEP5LZ.txt25
%APPDATA%\Microsoft\Windows\Cookies\TX9TW6ML.txt25
%APPDATA%\Microsoft\Windows\Cookies\U5T0RELM.txt25
%APPDATA%\Microsoft\Windows\Cookies\UCPG9KND.txt25
%APPDATA%\Microsoft\Windows\Cookies\UD8XCJVS.txt25
%APPDATA%\Microsoft\Windows\Cookies\UGY2NFKJ.txt25
%APPDATA%\Microsoft\Windows\Cookies\UOVVJUXY.txt25
%APPDATA%\Microsoft\Windows\Cookies\UVFN9CGJ.txt25
%APPDATA%\Microsoft\Windows\Cookies\V6G9AWM4.txt25
%APPDATA%\Microsoft\Windows\Cookies\VFVD9E5C.txt25
%APPDATA%\Microsoft\Windows\Cookies\VK4YOOAG.txt25
%APPDATA%\Microsoft\Windows\Cookies\VP01LDK3.txt25
%APPDATA%\Microsoft\Windows\Cookies\VPK8RY5C.txt25
%APPDATA%\Microsoft\Windows\Cookies\VYUA6F7D.txt25
See JSON for more IOCs

File Hashes

  • 04a19e4e2d700292ba4ce5659e97413112bd079dacdbaf8a2387e6f6559dcba3
  • 117466b3e9dabd69d510d9e034eec875d9ca2ad9dbb8c5d123b388ac2a65ebbf
  • 17d23f910311aeb341ee348586bb212d1cddb70152bc4d1bc31ac579693d7741
  • 1b0573fb381b291b12cf7db4bfb6deb78e688c9c3076908e8581199169b8514a
  • 1c0c7d00ccfb9f12299fd7df7ec2ad497cb6c8fa60b903694f2d2bf54af7c30c
  • 278bc2f23ef0a5a79e36f1dca261bbf67f87aef637e76373061654353fc3f716
  • 33ba38fa1bfaab98c6ba48eb2a2fb3155b51118e9ef79642418e0903e2b2e008
  • 51390b6bde9196f7c0319c1253d08233202f6b4110b8c33557a2d2895f868769
  • 548c5b819c109a61e1ff6bc74bd43ad2702ed44e479dd6600da3bb9d5a9ca72e
  • 5b3cd274c3c0349f7d67238994e53e4a842a82e9e15905510a93b4d6643621e7
  • 611f34dcdcce11b0e48779e0fcfd950437614e603673903c8b342bdd2a34ce1a
  • 620e4f53e698c59971f4633cad4c7966f3432aeec0a6315b82a5dae8c13577c9
  • 6f6e53de5fb48c34cce494113f04e1b32d3dd85d8071023b2dff1febb1686c7f
  • 6fd63887adf0e0d4894d3b648e8be0d20474579f60138915b5e3e3a9761f43bc
  • 783a7e50bddf9b5c9547a8fabc7470fabdbe4410df76148dd6c5c81dfb7e6506
  • 7e7e09137fda05e6292d8d9646ab5bc18fd136b06aa77833819ccc46d79c4859
  • 7e9ab6bf4ee2141f4702e0cf4348340293c429416f7676c7946e940321220375
  • 8412cd2e7e60ac2d32bf43f350f8ce806876f54c2ed9b6d0f895179d289a1803
  • 84e0ad1b2d1ca15e2ea16d6d57b81a63af18f664b171ad9d144e710ad2e3cb75
  • 8786a734c5f7fccca5b87c04c5531bff6ec323a29860063c2ba31941706c83a3
  • 914960db7ffbdd3a5a5a98b740f724c0ab9469fcbdd547561622809e5d3c6396
  • 93ac57e8f8e341c84e25dd0c14f014d23f55e24a175b443f4cd399a086e70965
  • 98170c08d421f79a308074befb2c4e799db06e28ce10cea9d435c5868d1e6f36
  • 9d8dfe92711ea955120f4fdbb3b2d0cf37ff79ac74572c867c44da7d404213fa
  • a0903affbe9bd3176863d83a9e57808aa55a3ea8695d09dbbd2d8f3f1d22e812
  • See JSON for more IOCs

COVERAGE


SCREENSHOTS OF DETECTIONAMP


ThreatGrid


Umbrella


Win.Malware.Tovkater-6956309-0

INDICATORS OF COMPROMISE

Registry KeysOccurrences
<HKLM>\System\CurrentControlSet\Control\Session Manager25
<HKLM>\SYSTEM\CONTROLSET001\CONTROL\SESSION MANAGER
Value Name: PendingFileRenameOperations		25
<HKLM>\SYSTEM\ControlSet001\Control\Session Manager25
MutexesOccurrences
N/A-
IP Addresses contacted by malware. Does not indicate maliciousnessOccurrences
N/A-
Domain Names contacted by malware. Does not indicate maliciousnessOccurrences
caribz[.]club10
fruitnext[.]top9
mirraclez[.]club5
liquidmiracle[.]top4
SMILESAWAY[.]TOP3
duckandbear[.]top2
skycrimes[.]top2
fowlerfootball[.]top2
gratify[.]triobol[.]ru1
shipboard[.]dicier[.]ru1
giroboard[.]top1
skeleton[.]walforder[.]ru1
shadeunit[.]club1
strangerthingz[.]club1
Files and or directories createdOccurrences
imasrr13.exe22
%TEMP%\nsw2.tmp\nsJSON.dll3
%TEMP%\nso74D7.tmp\INetC.dll1
%TEMP%\nso74D7.tmp\nsJSON.dll1
%TEMP%\nso74D7.tmp\xantacla.exe1
%TEMP%\nsuC6AE.tmp\INetC.dll1
%TEMP%\nsuC6AE.tmp\nsJSON.dll1
%TEMP%\nsuC6AE.tmp\santacla.exe1
%TEMP%\nsj9A32.tmp\INetC.dll1
%TEMP%\nsj9A32.tmp\nsJSON.dll1
%TEMP%\nse1441.tmp\INetC.dll1
%TEMP%\nsj9A32.tmp\xantacla.exe1
%TEMP%\nse1441.tmp\nsJSON.dll1
%TEMP%\nse1441.tmp\santacla.exe1
%TEMP%\nsa3ED.tmp\INetC.dll1
%TEMP%\nsa3ED.tmp\nsJSON.dll1
%TEMP%\nsa3ED.tmp\xantacla.exe1
%TEMP%\nseEB6D.tmp\INetC.dll1
%TEMP%\nseEB6D.tmp\nsJSON.dll1
%TEMP%\nseEB6D.tmp\xantacla.exe1
%TEMP%\nskC2A9.tmp\INetC.dll1
%TEMP%\nskC2A9.tmp\nsJSON.dll1
%TEMP%\nskC2A9.tmp\santacla.exe1
%TEMP%\nsp547C.tmp\INetC.dll1
%TEMP%\nsp547C.tmp\nsJSON.dll1
See JSON for more IOCs

File Hashes

  • 0b1c46b5535b4fc30fd8d813255220d3715d0bd7623e094e684af13a1c12f579
  • 0d806734aacf391b1c304155e8f186d7c354c46d08b5f2cb70c2a6029dba2e0e
  • 1187cf65c782ea451e0a46f8e5ea18f8133cc209d58db1c08793bb086b96df4f
  • 21a9fb85cec099bdc2bf419b9bc07dbe6f9b1dc40b8e2853c119093706d1a3a8
  • 2e23eb71950087f2212e0e591fa462b1706571fe55c87454de7003de4a982d95
  • 30d525e4acb5cbd5dd5fe9508cb0cf053c4b0480ab53168e9a06e58c2e9b323b
  • 35dae148e6507526256336e36eb9858dcf17c73f86c332582cd53af43c887f0a
  • 368e24183133ba0c4a7fb06b255458754e6662d6be0df18f44b7304b7f1438d7
  • 3dc644f5a69d86aeab33c6879bb508b59049d17a74cca73f15b160578ee0a358
  • 42f86e50ca2180192d30c556d001cf8720d17094850164e811872f1c864f10cb
  • 43150f037e396e69ff8e1e1d1da7e33614f100fba6b6133a99174a8bcc56d8c5
  • 46e6b3d8c0cff0c9dca7ee7fae9b15c7b23865f546533ee00be0d594f6d03a40
  • 4b0232b305a8504700570c6e177d0c1815924031908f2f2d5fe61510174804c5
  • 52e70ec3517105cdabea6b3448d4568fbca560683e7e90070d0209ea1a002de7
  • 5b1a72a9d50e9e41662848965957cf3b537a923f12a02d022d7e40bc76d6a59d
  • 5f16228ceca9d4d628bcddf5da07ddd8140b19c3458ba287b5e0a9a4533929c9
  • 626f2dbe08fcf4192f709111ca3f2ce5975cb9ac7bac7b007158b8e74070c403
  • 62bae87f17d56c22f89ec9c41c2e3bf76139df7a4a4c710e088ec9483918cf9b
  • 63d3a47aa0f89009ecc37199d269c8c3184d32e0632c3f1c1857dafd2aee7ae4
  • 67b73d01d619d30bc56d0f772207df38b68a433b1050137bb93a54e746c1c34f
  • 67ffbd39d1ebbceb4936645c822a10b6b71dc289acd026b1b4259f01c2168e8f
  • 6c2eae55f0ff4cb79a53f932a481812c7b8c5d61ff0aadf47c4211d676cc97b4
  • 6d0f17cdc45a3867ec8c89ae3cf9ef2264b4889fc135417857e04d8109ec62ec
  • 7b4c241497ba6cef5a8abc35d4c795e7c8b0b3d4a292a843d14d4389ddef57b7
  • 7dbb52a1de75d201b0565062452e81a210cc597ac4626aa95bf478562aa082cd
  • See JSON for more IOCs

COVERAGE


SCREENSHOTS OF DETECTIONAMP


ThreatGrid


Umbrella


Doc.Downloader.Powload-6956274-0

INDICATORS OF COMPROMISE

Registry KeysOccurrences
<HKCR>\INTERFACE\{8BD21D42-EC42-11CE-9E0D-00AA006002F3}29
<HKCR>\INTERFACE\{8BD21D52-EC42-11CE-9E0D-00AA006002F3}29
<HKCR>\INTERFACE\{8BD21D62-EC42-11CE-9E0D-00AA006002F3}29
<HKCR>\INTERFACE\{7B020EC2-AF6C-11CE-9F46-00AA00574A4F}29
<HKCR>\INTERFACE\{7B020EC7-AF6C-11CE-9F46-00AA00574A4F}29
<HKCR>\INTERFACE\{79176FB2-B7F2-11CE-97EF-00AA006D2776}29
<HKCR>\INTERFACE\{4C5992A5-6926-101B-9992-00000B65C6F9}29
<HKCR>\INTERFACE\{796ED650-5FE9-11CF-8D68-00AA00BDCE1D}29
<HKCR>\INTERFACE\{47FF8FE0-6198-11CF-8CE8-00AA006CB389}29
<HKCR>\INTERFACE\{47FF8FE1-6198-11CF-8CE8-00AA006CB389}29
<HKCR>\INTERFACE\{47FF8FE2-6198-11CF-8CE8-00AA006CB389}29
<HKCR>\INTERFACE\{47FF8FE3-6198-11CF-8CE8-00AA006CB389}29
<HKCR>\INTERFACE\{47FF8FE4-6198-11CF-8CE8-00AA006CB389}29
<HKCR>\INTERFACE\{47FF8FE5-6198-11CF-8CE8-00AA006CB389}29
<HKCR>\INTERFACE\{47FF8FE6-6198-11CF-8CE8-00AA006CB389}29
<HKCR>\INTERFACE\{47FF8FE8-6198-11CF-8CE8-00AA006CB389}29
<HKCR>\INTERFACE\{47FF8FE9-6198-11CF-8CE8-00AA006CB389}29
<HKCR>\INTERFACE\{5CEF5613-713D-11CE-80C9-00AA00611080}29
<HKCR>\INTERFACE\{92E11A03-7358-11CE-80CB-00AA00611080}29
<HKCR>\INTERFACE\{04598FC9-866C-11CF-AB7C-00AA00C08FCF}29
<HKCR>\INTERFACE\{7B020EC8-AF6C-11CE-9F46-00AA00574A4F}29
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\sourcebulk29
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SOURCEBULK
Value Name: Type		29
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SOURCEBULK
Value Name: Start		29
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SOURCEBULK
Value Name: ErrorControl		29
MutexesOccurrences
Global\I98B68E3C29
Global\M98B68E3C29
IP Addresses contacted by malware. Does not indicate maliciousnessOccurrences
159[.]0[.]130[.]14929
191[.]92[.]69[.]11529
69[.]25[.]11[.]2829
88[.]198[.]20[.]5729
212[.]129[.]63[.]13224
198[.]58[.]114[.]9118
74[.]208[.]5[.]1516
209[.]85[.]144[.]10910
77[.]111[.]149[.]559
74[.]6[.]141[.]508
173[.]201[.]192[.]2298
74[.]208[.]5[.]27
209[.]85[.]144[.]1087
17[.]36[.]205[.]747
182[.]50[.]145[.]36
67[.]195[.]228[.]956
196[.]35[.]198[.]1346
54[.]88[.]144[.]2116
149[.]255[.]56[.]2426
184[.]106[.]54[.]105
64[.]26[.]60[.]2295
173[.]203[.]187[.]145
205[.]178[.]146[.]2355
212[.]227[.]15[.]1675
212[.]227[.]15[.]1835
See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousnessOccurrences
ises[.]com[.]pl29
ingenla[.]com29
hicast[.]tn24
smtp[.]mail[.]com16
secure[.]emailsrvr[.]com14
smtpout[.]secureserver[.]net14
smtp[.]office365[.]com13
smtp-mail[.]outlook[.]com10
smtp[.]1und1[.]de10
smtp[.]aol[.]com8
smtp[.]emailsrvr[.]com7
smtpout[.]asia[.]secureserver[.]net6
smtp[.]1and1[.]com6
smtp[.]rediffmailpro[.]com6
smtp[.]comcast[.]net6
smtp[.]263[.]net6
spam[.]pantos[.]com6
mail[.]longi-silicon[.]com5
smtp[.]prodigy[.]net[.]mx5
mail[.]huaqin[.]com5
betmngr[.]com5
smtp[.]yandex[.]com4
smtp[.]zoho[.]com4
smtp3[.]netcore[.]co[.]in4
smtp[.]mweb[.]co[.]za4
See JSON for more IOCs
Files and or directories createdOccurrences
%SystemRoot%\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat29
%HOMEPATH%\423.exe29
%SystemRoot%\SysWOW64\version.dll1
%SystemRoot%\Globalization\Sorting\sortdefault.nls1
\REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.81
%TEMP%\CVR90.tmp1
%SystemRoot%\SysWOW64\sourcebulka.exe1
%SystemRoot%\SysWOW64\3HqWfmuWUBgMP.exe1
%SystemRoot%\Temp\76D.tmp1
%SystemRoot%\SysWOW64\jq9Mk4Che.exe1

File Hashes

  • 1e0b73c5ec4b9516709c10ec708fc295df021451f958a89144d79d99604b3664
  • 325701284bf17203d71a9c5b4d46e4f7b651164ab92c643fe64a3e3bc2844dad
  • 3537f5cfc0ad20b8061b67f82dc43a7ac1856391bece8158023fcc3d6699f75a
  • 35965e3b9cff6a78e1331ed07f5e327a91301b5b023b20fb0c107bc3574b3a08
  • 3889458cad2eccfcd7f8ec5c842dd30edec24f36a37abde0e9359dd7117524e7
  • 3eb7c725b886abf672613a63d1c17c479f1144f1262a6c3cd66a44fe74581383
  • 407f21c8583dbf70a0069162b9f7c0ec142b63e05d4d94ec8e4c85345bf759d9
  • 51ee3cc17fa697ec7de8a60ea5ad2af4195de73c95401b1b17e7b9c346ed9c1a
  • 5a33cba1e854fb298486fe6ba6ebb071e045cb698aec109561178b2a66567662
  • 5eefdd75abcd812db0c1fe74f071dcb2c50ac7c9b73144900b9918fe8930af2b
  • 601804d1434691765b258649f0a9c8924bb1b28b5ff0dc2bafb3039b2c78f6a3
  • 65344e20c9e346e62bec15f369fcdbb619d64b362483feb36a6d60e3007c22db
  • 6f5795d34e8fa33548042554f0b05b6e79e9a68783f28a196476261a0de0e068
  • 72966d743059492c8caf5689758cdf98275e087cf5bf9d0e7914db1e4472fc05
  • 751ccbeabee910ea022ebc97fde11d5e1c3bba9f83b6d2df09a927924eb1e60e
  • 77ccc470c377e4a22e0091d0abd3f91cec17b6e06c0e17d8f87dbbbd735bfe0b
  • 7bfa867554a7f1a6a891712cfdaaf519bd44bdf53e0047930890495c9655ab7e
  • 8391f3706e60079dbdbeee083f8bda85915cc763bd683bb00270f694a031c66a
  • 9e40d6af4d13a6d65e179c109b4676c691fbf0b2de6deb0d84625e654989fa0d
  • 9fe28f27c0db9df3580f65069affb7f47171d910f69035ffdeeac5a545ab4ec9
  • a1be08364eef857af56f506b206e780c803c212b76dbac8dc17e7983d08f65ff
  • a50d314e9c13d667641b11c73695980d1fd4cc0020cd7f760bdbd88bf95b1c3c
  • a95ddd15ef6f38762fbc16ca31539aabbf15c3c10d0c103cb4c204c88bfbbadf
  • ac957b3a3b4e8d75ead5dabd4b70e28e27a697a719322071d66cfb796d3b28f6
  • b1709a55b71ba9559aa839eb5304e2fc2388ae6275771b6cbbf8f49ac3e355fa
  • See JSON for more IOCs

COVERAGE


SCREENSHOTS OF DETECTIONAMP


ThreatGrid


Umbrella


Malware


Win.Dropper.Kovter-6956146-0

INDICATORS OF COMPROMISE

Registry KeysOccurrences
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: internat.exe		25
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\WINDOWSUPDATE
Value Name: DisableOSUpgrade		25
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\WINDOWSUPDATE\OSUPGRADE
Value Name: ReservationsAllowed		25
<HKLM>\SOFTWARE\WOW6432NODE\XVYG
Value Name: xedvpa		25
<HKCU>\SOFTWARE\XVYG
Value Name: xedvpa		25
<HKCR>\.8CA9D7925
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: vrxzdhbyv		25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: ssishoff		25
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\WindowsUpdate25
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\WINDOWSUPDATE\OSUpgrade25
<HKCU>\SOFTWARE\xvyg25
<HKLM>\SOFTWARE\WOW6432NODE\xvyg25
<HKCR>\c3b61625
<HKCR>\C3B616\shell25
<HKCR>\C3B616\SHELL\open25
<HKCR>\C3B616\SHELL\OPEN\command25
<HKCR>\.8ca9d7925
<HKU>\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION25
<HKLM>\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.101
Value Name: CheckSetting		25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.103
Value Name: CheckSetting		25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.100
Value Name: CheckSetting		25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.102
Value Name: CheckSetting		25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.104
Value Name: CheckSetting		25
<HKCU>\SOFTWARE\XVYG
Value Name: tnzok		25
MutexesOccurrences
EA4EC370D1E573DA25
A83BAA13F950654C25
Global\7A7146875A8CDE1E25
B3E8F6F86CDD9D8B25
\BaseNamedObjects\408D8D94EC4F66FC24
\BaseNamedObjects\Global\350160F4882D1C9824
\BaseNamedObjects\053C7D611BC8DF3A24
\BaseNamedObjects\Global\9F84EBC0DC30D3FA1
\BaseNamedObjects\CF2F399CCFD463691
\BaseNamedObjects\8450CD062CD6D8BB1
IP Addresses contacted by malware. Does not indicate maliciousnessOccurrences
107[.]160[.]89[.]932
123[.]94[.]5[.]731
6[.]179[.]232[.]2091
132[.]130[.]129[.]2021
87[.]221[.]222[.]1761
222[.]187[.]133[.]2381
126[.]207[.]27[.]581
191[.]12[.]150[.]1891
92[.]253[.]215[.]1241
53[.]136[.]182[.]721
188[.]232[.]142[.]2361
75[.]134[.]228[.]1371
15[.]17[.]189[.]2141
218[.]10[.]226[.]1841
160[.]60[.]207[.]381
107[.]98[.]132[.]1131
134[.]68[.]158[.]41
56[.]177[.]25[.]241
52[.]196[.]162[.]1381
133[.]251[.]164[.]1061
108[.]118[.]74[.]1421
33[.]198[.]16[.]91
18[.]75[.]88[.]1341
58[.]184[.]135[.]771
77[.]189[.]216[.]1941
See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousnessOccurrences
www[.]cloudflare[.]com1
bleez[.]com[.]br1
lojadeunatelha[.]com[.]br1
revenda[.]lojadeunatelha[.]com[.]br1
easyfax[.]nrtnortheast[.]com1
www[.]username[.]n[.]nu1
www[.]n[.]nu1
staticjw[.]com1
www[.]acquia[.]com1
network[.]acquia[.]com1
Files and or directories createdOccurrences
%LOCALAPPDATA%\4dd3cc\519d0f.bat25
%LOCALAPPDATA%\4dd3cc\8e9866.8ca9d7925
%LOCALAPPDATA%\4dd3cc\d95adb.lnk25
%APPDATA%\b08d66\0b3c0b.8ca9d7925
%APPDATA%\Microsoft\Protect\S-1-5-21-2580483871-590521980-3826313501-500\Preferred25
%LOCALAPPDATA%\4dd3cc25
%APPDATA%\b08d6625
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\91b4e5.lnk25
%APPDATA%\db7a\c227.a778324
%HOMEPATH%\Local Settings\Application Data\f4fa\97ea.lnk24
%HOMEPATH%\Local Settings\Application Data\f4fa\c0ce.bat24
%HOMEPATH%\Local Settings\Application Data\f4fa\d5a9.a778324
%HOMEPATH%\Start Menu\Programs\Startup\d733.lnk24
%HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\C5MZMU22\desktop.ini3
%APPDATA%\Microsoft\Windows\Cookies\S2KTL2FI.txt2
%APPDATA%\Microsoft\Protect\S-1-5-21-2580483871-590521980-3826313501-500\83549e0e-3d04-434f-8fd8-6118f60c376b2
%APPDATA%\Microsoft\Protect\S-1-5-21-2580483871-590521980-3826313501-500\83549e0e-3d04-434f-8fd0-5619f60c376b2
%APPDATA%\Microsoft\Protect\S-1-5-21-2580483871-590521980-3826313501-500\83549e0e-3d04-434f-8fdf-6619f60c376b2
%LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Content.IE5\SSZWDDXW\1E8X74FH.htm2
%APPDATA%\Microsoft\Protect\S-1-5-21-2580483871-590521980-3826313501-500\83549e0e-3d04-434f-8fdf-5e19f60c376b2
%APPDATA%\Microsoft\Windows\Cookies\0TSDIW0B.txt1
%APPDATA%\Microsoft\Windows\Cookies\UGH0HZQB.txt1
%APPDATA%\Microsoft\Windows\Cookies\ZLTD4G06.txt1
%APPDATA%\Microsoft\Protect\S-1-5-21-2580483871-590521980-3826313501-500\83549e0e-3d04-434f-8fd2-6219f60c376b1
%APPDATA%\Microsoft\Protect\S-1-5-21-2580483871-590521980-3826313501-500\83549e0e-3d04-434f-8fdd-6619f60c376b1
See JSON for more IOCs

File Hashes

  • 0699fc68be026ed52555783f4ca395dcd68dd93898e9ee1756e0ffe9493c300a
  • 06a3a8ebf6965042378a003857434f775a014293830a3d02d468b02b02f13329
  • 0826313d6cdb1c85d39edf77f5faeaff0241f09a8bc6ad8ea4453cab46628dd6
  • 2adfbe4ebd34d062e774d20d300e80ec31cdf4d59b018be2a45e644341c55f97
  • 2e7aa46acaacad3f7e1675d3090ae7669efcffb91beb976cdf93d69782fe5453
  • 2fbdb93de7475386719d620bd685b955ec05cca0f458579daa9932023351040b
  • 31d170788a623341e4d6636e1dec87b9812a1967441415bcb8097d3b4a4bdfee
  • 3337a63c7f42977759f9a961af5c7265abfe0489d68c48f90d066b40d84c0ddd
  • 3754208c5f620f262726467daac435fbcc3a262dde1620c876b72459750fc90d
  • 39b74f9fad057cc9603e2a7a716236c9671dc08abdf7e64c37ef2d2b53acf691
  • 4297d27c8909c9c40b311827f40bf195ffbb6c1ee8bef5f9203465cb10cab9bc
  • 477c74758b4c59334fcdb2051089efbe191d2cda4252aecea59b13bb93bfb101
  • 4802c24fcb2d97233d22b26077714ca09fe47f6602586da0f96965af41adecb6
  • 4be5d24a7846b4ef102b47c0488140194b49c145353259fc581fa0da4068d84a
  • 4e3b31344f80b1693ee28cedb5109a9a4e522c8ef225f6087e480954fa76b3d6
  • 5061a14b94f0794e79e4cc57a49a38c422cf30171df07282a5de10fbac455b01
  • 50939d9ddcc87d1d2e8a3c81a7683b42beeb86471fd2e4da903f062086203d5e
  • 58f3ac23dd98672c20e01c5963b11fba8b077031c7ac41f156a37d2306b812aa
  • 66d2f5f39b4fbb1cab2a4c23d696add166f6dec3ae4dcba20a1c2f89b35d4b08
  • 7199c5b3a081ae13f6b6fc457196f62ecaf3240b39b728f1255f9d3ccc86f853
  • 812e4481d2e23732e41d4e58cd19eccbd53fceba8273ea9bbd1bcaf3da13766f
  • 822bf74cf43fdfd74ef7edd6a4c52dc2ca32dd8a866afbdbd4ae933cd531dd6e
  • 8580001fd28261a74f92594fe42a01012e202e3322a35004857b6881fa73ee9a
  • 8e9f427bca537dfa11df3360b71788dc2dd70cfad927d852094f1c07e8cf2c64
  • 94ff1192ecf870614b1f98103ade1ba1ad46153ddeb8a0c3a07a76ab4461e377
  • See JSON for more IOCs

COVERAGE


SCREENSHOTS OF DETECTIONAMP


ThreatGrid


Win.Trojan.Razy-6956092-0

INDICATORS OF COMPROMISE

Registry KeysOccurrences
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: internat.exe		25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\avkaxoq19
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\AVKAXOQ
Value Name: Type		19
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\AVKAXOQ
Value Name: Start		19
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\AVKAXOQ
Value Name: ErrorControl		19
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\AVKAXOQ
Value Name: ImagePath		19
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\AVKAXOQ
Value Name: DisplayName		19
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\AVKAXOQ
Value Name: DependOnService		19
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\AVKAXOQ
Value Name: DependOnGroup		19
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\AVKAXOQ
Value Name: WOW64		19
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\AVKAXOQ
Value Name: ObjectName		19
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\aqejpwsx6
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\AQEJPWSX
Value Name: Type		6
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\AQEJPWSX
Value Name: Start		6
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\AQEJPWSX
Value Name: ErrorControl		6
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\AQEJPWSX
Value Name: ImagePath		6
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\AQEJPWSX
Value Name: DisplayName		6
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\AQEJPWSX
Value Name: DependOnService		6
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\AQEJPWSX
Value Name: DependOnGroup		6
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\AQEJPWSX
Value Name: WOW64		6
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\AQEJPWSX
Value Name: ObjectName		6
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: mrldn		1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: ovsuw		1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: twgqm		1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: eqlshtrx		1
MutexesOccurrences
llzeou25
Global\amztgg19
amztgga19
Global\eqfik6
eqfika6
\BaseNamedObjects\eucofa1
003c194a95c7849375590c48f1c5bc5fÐ÷XAdministra1
02b5f67a3eba31421dc595a7efed8e0a1
0e390dd0547334471c08c3b8b4e7ec3aÐ÷IAdministra1
087ddce345ea3ed2fed8d02dd466026cÐ÷QAdministra1
14a95d66f90495fcc278258097ed704aÐ÷ Administra1
10435b4efc8049d260d4b36673f7d656Ð÷.Administra1
1dd13f0648a70754c883c6262c3633c1Ð÷CAdministra1
3afec20c013fca0abef646a7a6f0f5cdÐ÷dAdministra1
385f6390936d000f4d9db3e30b117aca1
3dede5abeacdabc758f70beef2984aca1
3f61be1a4bcb773c48a6dc7ed4898387Ð÷:Administra1
401b399a3aa67d42306ce7291299b7f2Ð÷6Administra1
897b0a510174cbc4757982703e42a0ca1
76097734f64ce5ae9b008273431fa4c8Ð÷9Administra1
8ae8d944960e54c7a833875f71bdae62Ð÷2Administra1
88cb1af973183aa93bf10d74440333b6Ð÷/Administra1
\BaseNamedObjects\380065180a1
\BaseNamedObjects\getnia1
\BaseNamedObjects\xabzsenoa1
See JSON for more IOCs
IP Addresses contacted by malware. Does not indicate maliciousnessOccurrences
N/A-
Domain Names contacted by malware. Does not indicate maliciousnessOccurrences
N/A-
Files and or directories createdOccurrences
%APPDATA%\Microsoft\Amztggm19
%APPDATA%\Microsoft\Amztggm\amztg.dll19
%APPDATA%\Microsoft\Amztggm\amztgg.exe19
%TEMP%\~amztgg.tmp19
%APPDATA%\Microsoft\Eqfikq6
%APPDATA%\Microsoft\Eqfikq\eqfi.dll6
%APPDATA%\Microsoft\Eqfikq\eqfik.exe6
%TEMP%\~eqfik.tmp6
%APPDATA%\Microsoft\Ilgqyl\ilgqy.exe1
%APPDATA%\Microsoft\Duazxlbu\duazxl.dll1
%APPDATA%\Microsoft\Duazxlbu\duazxlb.exe1
%APPDATA%\Microsoft\Jeofze\jeof.dll1
%APPDATA%\Microsoft\Jeofze\jeofz.exe1
%APPDATA%\Microsoft\Ssfsns\ssfs.dll1
%APPDATA%\Microsoft\Ssfsns\ssfsn.exe1
%APPDATA%\Microsoft\Dcpptfmac\dcpptfm.dll1
%APPDATA%\Microsoft\Dcpptfmac\dcpptfma.exe1
%APPDATA%\Microsoft\Taozsa\taoz.dll1
%APPDATA%\Microsoft\Taozsa\taozs.exe1
%APPDATA%\Microsoft\Eucofu\euco.dll1
%APPDATA%\Microsoft\Eucofu\eucof.exe1
%APPDATA%\Microsoft\Getnie\getn.dll1
%APPDATA%\Microsoft\Getnie\getni.exe1
%APPDATA%\Microsoft\Xabzsenoa\xabzsen.dll1
%APPDATA%\Microsoft\Xabzsenoa\xabzseno.exe1
See JSON for more IOCs

File Hashes

  • 003c194a95c7849375590c48f1c5bc5fa23099976e09c997f29b22b367c1d3d2
  • 005055ca28d6866f033aff3753a1ef7c4064b5e094eaa663953407a9b19c6a71
  • 02b5f67a3eba31421dc595a7efed8e04834e9f0121c8bcd0186e99dba9781171
  • 087ddce345ea3ed2fed8d02dd466026c0fc0fa5aa7749b392683311fd97a80e2
  • 0e390dd0547334471c08c3b8b4e7ec3ad1d8fe4facabdb5df674af76c8e149d0
  • 10435b4efc8049d260d4b36673f7d656b9fa7163d00840acd0860175e2a79f47
  • 14a95d66f90495fcc278258097ed704aca265dd6bbb966903abe00dd7225cd11
  • 1dd13f0648a70754c883c6262c3633c19aeffa4e3558f0f16da78fc796a76cf1
  • 385f6390936d000f4d9db3e30b117ac382f70f4b7d1f3f4af06808e26683bf3d
  • 3afec20c013fca0abef646a7a6f0f5cdd3826541587cfd93c25033a35e588cb2
  • 3dede5abeacdabc758f70beef2984ac184bbec3112be97e891bb64abb2981373
  • 3f61be1a4bcb773c48a6dc7ed489838796a6b512bc14a517a667fb28a2a8e3ee
  • 401b399a3aa67d42306ce7291299b7f25a24345a980a7bd719c96a6834b9bf48
  • 52c90c5917cb1c6955f68c5b03e448b976ec3f1c258eb6039c5da399b2fd41db
  • 581d9e271871b1948191755bc99e2e9ec5346408f39613aec5c3b1e52d0449bd
  • 649e6217744762016fadb2f7f36a654c607ad160d136714946aa6e0478dc7a87
  • 673e3e8e62b09e39c161091ee70f046c038ba6f24f2a1da135af23bcc1701c20
  • 69c3c4ee664fc814ef070ae902ebaa305eda6ffd23a10e5b97afe49c1300ebff
  • 69d9d27ab1c802cd322c1b7795bda4de65cc7447982076f1e2d6873a8423d57f
  • 6aad36b27c188e73090f3b79352750489a1dce20f5396e63b2af3e998eba0f0a
  • 6e01014528a359c81851b2197a4656e13d87b15424dc961cc6d770e4d4c747ee
  • 76097734f64ce5ae9b008273431fa4c81e32b05a9b8586c39b80e68ee70d0a8a
  • 88cb1af973183aa93bf10d74440333b622206be6d0bd77322c6f8689f2cf24ec
  • 897b0a510174cbc4757982703e42a0c14c4bdba0e6bf77db5a6f94a3c2651f3a
  • 8ae8d944960e54c7a833875f71bdae6243e7fa380ae3fd8176b07cb7d7819508
  • See JSON for more IOCs

COVERAGE


SCREENSHOTS OF DETECTIONAMP


ThreatGrid


EXPREVCisco AMP for Endpoints protects users from a variety of malware functions with exploit prevention. Exploit prevention helps users defend endpoints from memory attacks commonly used by obfuscated malware and exploits. These exploits use certain features to bypass typical anti-virus software, but were blocked by AMP thanks to its advanced scanning capabilities, even protecting against zero-day vulnerabilities.

  • Kovter injection detected (4469)
    A process was injected into, most likely by an existing Kovter infection. Kovter is a click fraud Trojan that can also act as an information stealer. Kovter is also file-less malware meaning the malicious DLL is stored inside Windows registry and injected directly into memory using PowerShell. It can detect and report the usage of monitoring software such as wireshark and sandboxes to its C2. It spreads through malicious advertising and spam campaigns.
  • Madshi injection detected (3542)
    Madshi is a code injection framework that uses process injection to start a new thread if other methods to start a thread within a process fail. This framework is used by a number of security solutions. It is also possible for malware to use this technique.
  • PowerShell file-less infection detected (2488)
    A PowerShell command was stored in an environment variable and run. The environment variable is commonly set by a previously run script and is used as a means of evasion. This behavior is a known tactic of the Kovter and Poweliks malware families.
  • Process hollowing detected (541)
    Process hollowing is a technique used by some programs to avoid static analysis. In typical usage, a process is started and its obfuscated or encrypted contents are unpacked into memory. The parent then manually sets up the first stages of launching a child process, but before launching it, the memory is cleared and filled in with the memory from the parent instead.
  • Gamarue malware detected (240)
    Gamarue is a family of malware that can download files and steal information from an infected system. Worm variants of the Gamarue family may spread by infecting USB drives or portable hard disks that have been plugged into a compromised system.
  • Dealply adware detected (221)
    DealPly is adware, which claims to improve your online shopping experience. It is often bundled into other legitimate installers and is difficult to uninstall. It creates pop-up advertisements and injects advertisements on webpages. Adware has also been known to download and install malware.
  • Suspicious PowerShell execution detected (156)
    A PowerShell command has attempted to bypass execution policy to run unsigned or untrusted script content. PowerShell is an extensible Windows scripting language present on all versions of Windows. Malware authors use PowerShell in an attempt to evade security software or other monitoring that is not tuned to detect PowerShell based threats.
  • Installcore adware detected (65)
    Install core is an installer which bundles legitimate applications with offers for additional third-party applications that may be unwanted. The unwanted applications are often adware that display advertising in the form of popups or by injecting into browsers and adding or altering advertisements on webpages. Adware is known to sometimes download and install malware.
  • Atom Bombing code injection technique detected (65)
    A process created a suspicious Atom, which is indicative of a known process injection technique called Atom Bombing. Atoms are Windows identifiers that associate a string with a 16-bit integer. These Atoms are accessible across processes when placed in the global Atom table. Malware exploits this by placing shell code as a global Atom, then accessing it through an Asynchronous Process Call (APC). A target process runs the APC function, which loads and runs the shellcode. The malware family Dridex is known to use Atom Bombing, but other threats may leverage it as well.
  • Excessively long PowerShell command detected (57)
    A PowerShell command with a very long command line argument that may indicate an obfuscated script has been detected. PowerShell is an extensible Windows scripting language present on all versions of Windows. Malware authors use PowerShell in an attempt to evade security software or other monitoring that is not tuned to detect PowerShell based threats.