Threat Roundup for June 9 to June 16

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between June 9 and June 16. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. A visual depiction of the MITRE ATT&CK techniques associated with each threat is also shown. In these images, the brightness of the technique indicates how prevalent it is across all threat files where dynamic analysis was conducted. There are five distinct shades that are used, with the darkest indicating that no files exhibited technique behavior and the brightest indicating that technique behavior was observed from 75 percent or more of the files.

The most prevalent threats highlighted in this roundup are:

Threat Breakdown

Win.Dropper.Zeus-10004541-0

Indicators of Compromise

• IOCs collected from dynamic analysis of 15 samples

File Hashes

0eae875ca8ee8ea1875cab7a5d0e3c9c7af1a402cb978503c794453b613e614c
23ec2f58279589e488b31acbe11616e9330e797478153693f830b89d22acd7d3
2e1b0cdae24a711bbf07934bcef5d729c984cc4d075d7a88334f2a434d09cd72
37af0d523354241a0e0c39786f158e24c17f394d3211fcc0f7a3422e85823518
5ac479b9b3acc452dfe29c18a06ed5dfca8844ef7dbdf695a215a7b9316d6d95
60fd5cbf3e51f74d45c4821043e303d6c4f6b1e108c3fab7049a7f361bbffd46
61d04496b6765bd8adc5e5d6beaacdec45a943e55d8eb5566331829815aae8de
6d8f1d0bbf470a12b700813c309e7b1c641667be9ee4d07ddc5b9670e147e797
6ff603ff02897c372646410cc8e3b62a2759d333d469ca3c6b0a88c5829a2796
8dd6322a5fca13c5888901c97e995a61cd55d43c695c423bc7cb9fbeea67a14a
903ed73feb1f20767ab7032f389e1595fe91c3cad364d53e8386ee86c14776ff
c64bc76836aa66b5602911eb766d82a70f2d503a3df88907c453dfa783eb4621
ce06e1e2b1b89ad5e98499910d0e4151ccf49fb6c806b1f13e28551c1ca58aef
de6d74aba65daf28da4d18c0ea604a6919ffdd9c59beb07f9aa159b8d74cc8f4
eff388de6e2e104e64d0d28fe61837afd2cf053ddb3ca40d8ad5ed6654570d9c

Coverage

Product	Protection
Secure Endpoint
Cloudlock	N/A
CWS
Email Security
Network Security
Stealthwatch	N/A
Stealthwatch Cloud	N/A
Secure Malware Analytics
Umbrella
WSA

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Dropper.Kuluoz-10004513-0

Indicators of Compromise

• IOCs collected from dynamic analysis of 43 samples

File Hashes

04be2d1165429f6a1fc8217db32e549eeeb54983aa4c44f26e1147d054d954e1
0672e260b9febfd47b8536c8cd17866dc5cad82fbd9acf6778225c69617f8df4
13f0e1860121210bdcfd59887053156fee80c0e7e61ad1b2109a3ca027060ef5
161dd94d902139168107ee72aa66fc2bb00ecbe72a9ea3a2645a2e5f3edb43bc
1c5e6a11a293501d1bd41d302a7cbde8e8efc67916e4a063a5757f476190c48f
31c10bfe9039675974640b3404fbbdccf660bbef3319ed011766f4e7e2dc6d48
34861226330e4af50b8e03f6e9d8457ff1d1c9a7d3eeb1fc930a9f70a315dd54
360e964ae4aaf043ea27780f20ab266bf55470e3d58fa20550c9f2c520823fbe
42657321367294c31f060614894a0f13b1f38613cf3e013c94a835496e86a537
45bedf4f08cc21eb94088a7ebd942915d8e3f834d0632cfb9264d92228c8a4f1
47ea467e5da54049ec9c40d2173a97fb87dae67546faba7dce0631ad88fa3fa9
47f9eabe7f83bbce4b0d52282ba627f678ecc48604201101f7650ecc72a3b714
6ceeb2ab8b3d41fb927e0ffdcada6da07cac54124cdb8f0c9de15553a4254af5
75ed32ca3cc84d402a91fb13088ac3421917d427efb55bf2442b71f6dfd6a398
7ef5f3c744b456b04c79e14c5923a7cfbc3894f14a473a564d843dce62293b5a
86497472773d474e05b8ecccc82dfd17d7a4ad6c38e6911d03d6956aedadd49a
92f407eb8a0b4562acd7f1c27c86ed365b37c37bbc2fda343efd0fe22ea73bd1
95528ad474a06ae5c23200fac691561cae115466dd07e7f60cb5e9bf667443f5
97fc7992ceecb79f0e43c702fc69a564941b9c909ffd422a7af6a8d1c575ffdd
9f8eaa58bddf52d4ebc3603f00b6b19d76fe5ae486a308ac7d21330486fa0f87
a23c17fe1c893ac18bcc2d524adc6b8be07ee6ed2277701d2b43a1681ba60a29
a3a34b395a54043f247e09b8f6656ed66c74c6d02735e49a87e118749a1daa37
ac097abc44ceac4f6f0b6a33e876a76284a9aad676ce924bda277925b3f12bf5
ae08cd70435a6eacc7097babc6c26ecae3484bf8ca73ac1ae4f8078eef69d017
ae622c4057b66fb39cc1a341f50ceaaa7146fe4c1e06d0d6e316547cff821da4
*See JSON for more IOCs

Coverage

Product	Protection
Secure Endpoint
Cloudlock	N/A
CWS
Email Security
Network Security
Stealthwatch	N/A
Stealthwatch Cloud	N/A
Secure Malware Analytics
Umbrella	N/A
WSA	N/A

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Packed.Redline-10004447-0

Indicators of Compromise

• IOCs collected from dynamic analysis of 21 samples

File Hashes

0468aed948c966d973379f3321ad632bdb47462597eb37293fa63a6df50e786e
0687ed000a8d454afd71dd8d2e434e05c292549453d1180fd870f1dd587ef257
2e2d5d81146d974295d70f7f95da3f5889d6b89d9f6f74a106a67aa18c46c256
33e02bfb76e29daba2408b0b54204bcf31322e43db27b9bf07f500d098b21c2a
3d902c3c1daeee902e45427922d488b20bdb888bab2903e1c3a5bac13e0840f3
4454448516eadaed2c73673e3c679d00701a2d3f507cbe91e7a7ddf83a5229f0
52f0a8605e16fee96555022ae5a2582a8f0a1c9ca9e2edf8370aa5036d580340
5857ead2de1bdd70583dc0bac98fa748e394a8f84eedfef2b181fffc6d0df097
5c4b0c1c06ee33622fb00eca697f4b938b920f06fd14639d19f38356d0e93391
6eb8c09718aab1e22c32014d73bfa92dc1407f09329c46e61623576f74a8b7cf
7083871d557bb3098401cf258925cd1ab00f18f323520bbb782009adad502072
74aa4dfe0587680b1ec5ce307fbfa72e4292717f1a9332ff6b0e468c6ad0ba3a
7c83d296cd1bc895b62a94b332de51759bcdc7d91bbeaf405bd9bc0577646721
7ff6bef8276020721e56160e9a442802174452775c16e794045eb99d2ca503ca
8a51f12210bccebcf84558d3897b8bce2031698e62d83631d9fa1cab68ef0ef8
991ef14f09db06924ccfcdd44b4ea839c6b9560a97a39608501fbf966606f592
a05410fc760c1241b56d09033c1064bdecc8e722e5e65d21bc23120b27f70852
a89ac9215339a2ec16d4d7246f12e4c481af063f727fd1246fe786cca1a2aefa
b41f1d01b3d5ef152d8b444a519a87b361977c4a126aff585ca79c5ef3d4d41c
e59fdf54e139fd6637781a4f59ac8024338e8f4488792d927c1d02999e6e93bb
ea06e33529354e8d2569880a850d7f62307bedb2b91f1f5f7c3a1d48c859bb9c

Coverage

Product	Protection
Secure Endpoint
Cloudlock	N/A
CWS
Email Security
Network Security	N/A
Stealthwatch	N/A
Stealthwatch Cloud	N/A
Secure Malware Analytics
Umbrella	N/A
WSA	N/A

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Packed.Nanocore-10004398-0

Indicators of Compromise

• IOCs collected from dynamic analysis of 18 samples

*See JSON for more IOCs

File Hashes

097d71f426327cb3ffb6f83f5751a9a81dd7e8ad0a854f66882f7de1c572a34b
16ef953132f6f51c904ccd3e04c933c20110c1dcbab443059df7218392291d5f
3e7d7ffec0914a65f010b8a994fe91efa814e2e2a99ba5e6d349aa0b6aa4a19c
3f5edf6f921e14f2640763e7178c2646a2131df0f8f447ae59100f3110939d9d
5bed2e9d405ecb76915833a5b3e5c81afbfdc4b0bb742c4524e740dd25582eb7
6fa4a794d4d0968b2aa5aa59739952e3d45f44d8a9cc73c75c138fcb789914fa
7f368076cc5c5cee446a8491832c17332673709bc739f6e3e3deeddfaf2f5326
7f9b57c29724dc1ff00b7760dcce1e38bf94335a2e44393882b276205f7ed218
81d6168162bbf9e13bde19c24fd797075a7ddde876c233f971c9114f1b0334fb
8b6d1769bdcbfe25f0fb3e1cd47b99e71d8dbecd010c0e1456529f43d4a0a8c4
9e3dd1cab3bb5c9980d75079dd5525cf724e0e496bf6fd7db27bf8124506b883
b0664bf756d2e493d222fc3e52f2ae50e9a1b29582ad345979e76695442ff984
ba9882d95e3ae22ec4ed90535f81b6396a259a5e1ea940cec487b4b1d6ff9e41
c5c46c7bdb0a6a9db80a1b2393a2d2dcb2cc497f678779c3aac38b2b0db3f80c
caf3bf03258eea3f9dc186324f276796170edb45560f68226ef651190a18f5b7
d26c2932bf50586ecc8c7f9df6d07116f7bea135ab4ebd51ce0dccf0d48b640e
d547ab6d0b28d86c32e3d981adc3c5476797c58a6a684a45c3ee0a74847fb571
f17c5f11699824e0256b4b0b8ac64a97bf0ba7545e9149cf5f3b0e7f10cc4828

Coverage

Product	Protection
Secure Endpoint
Cloudlock	N/A
CWS
Email Security
Network Security
Stealthwatch	N/A
Stealthwatch Cloud	N/A
Secure Malware Analytics
Umbrella
WSA

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Dropper.Ap0calypseRAT-10004380-0

Indicators of Compromise

• IOCs collected from dynamic analysis of 16 samples

File Hashes

0215d4876a89e1e97d9d16fcb8d4293b70874e880da2a790324f4ba1c89fa677
0c280a807d5204b88c7b97a0e340dcb7ff02dbfd6624cc604810c827b19bf6ef
0fafb3b24927a122e09d985b46892183525e8d2761a9664bd6c315077b8426e3
22935e7dd6dcac90dcb7bd7c8673d698cf0d9ce1ba17e9521972e6cab3108ba1
4094a534c91356eb309950a2af41a71fa0946d0cd7805317add9301dff1a7c66
4dc3b2af98444125472257b2f71757780e397aedb40d3bc2bef6e802f51c8fdb
6c859987613e72c57035cfd1366c9459e3a9aab7c91ccdf1f62f72147b3403e1
794e30e6c7ee69b90c7c11604894960b12d6e91c9beae00b6eb8afec385a13f3
8575e16b50af09d45f8c41e53b6536e09eb9afbc8b64f28d53099e13a7e0a185
b2d844009088d53d786216d0e2fa7cae6f78e1c5bc0bbd13dde45793d768c285
ccb3df8c3b9282df23439b28521c55a02d6dbb26c5335649f5665a2c008fd316
ce16cc3411128c2468e8aa4243e06966f13a1bc2d2e1e095cee27385e90793e8
cfa8b22f7a6fa856dbd0dc0b7e65f3158aaffa6f5250d56c3359a492ca1ab5b1
d71388aa0d24fe340538c4e5afb0a31fc9d0d6e2e1d5a00f593b01c08080d636
df7a53b1caffc0b468a6d50e0e0e2702493ef0b6eb301f8056df68ecf77d0998
eaab6cf6107294be0dcfa7e7b613f958292b44fcd81ab8cf0689ef8046691bbf

Coverage

Product	Protection
Secure Endpoint
Cloudlock	N/A
CWS
Email Security
Network Security	N/A
Stealthwatch	N/A
Stealthwatch Cloud	N/A
Secure Malware Analytics
Umbrella	N/A
WSA	N/A

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Packed.Upatre-10004369-0

Indicators of Compromise

• IOCs collected from dynamic analysis of 25 samples

File Hashes

0bd56e6e6f59c56b7c107cb5c4818d2fba44f5b6d90fbab7cc908277f3ab8fa3
15dac903808c9f19a7961f37efe828dac86499fe17b387aa6d0eff603b4e84c0
178d1a55d207bf045f46c06e1472c858be7fddf5b7e211d8177b4a8055bbfd7e
1d79a2799a768478a6ac9111d95de3007db84ae45db838111c639fe120a1b469
2084fb1579880cdac8757c9675305e7ec288696dfff8e6d54bc867297506b7dc
452e6481a7e3b68b60cf9070f226a226e2f25265fc912c7786a5e9980b2379d6
493483be6b18a1eb48c8f4d68540d89ebba2e61f510710ce37baa33acaa1d732
4df79454fea97f276930f3f1beca2428e6023667f1aeb8888a06b80507d34413
5345e4664c128601cd83db03478f1b56b0d243d220523ae06a8367249647b2c4
5a3a2c4fbd72c6899493fa8b62bffcd11577d0bf08efdca665928b375b6544df
6a233b869b6e42631810e63dfbcdc92b9dd2562c7b543c930c1ef03519038914
710a55ca42b9ef9157a180f121705b186ca703dcb486cdb409b4c4ed76ae4e41
7ac9aadae064910cc8dda80676b46a91129fc531c3b4ffa0c76a9d90add55cee
7ed5e9c3153bb9b3ba7ef009dd366ade67cdfd03c662dbd9214e7bbf5dcfe361
88f7031f98b73d4b64d77cca04ca9da65ab66b4cf4fb0b4aec24f60f74ae2afb
a0142cd7f3a3e9f9818dec2eed7b8e77adc7839345218fdd1aa36b98b0a10c48
b00a23aedf65dbf47724b491d79548b716473d0869bf3da8831e73d96a6cf583
b4d850d517edee9687b77db88e95fae97fd3a933afcdd34573a4a53b8fd6c532
bc79376797465a0d5372091b3aeb61a60a0156e3eef782c73643c8a054e287ae
bee9c3f33fd8395e24302b80270f34eb826449f16a3a24bb587e5280fe070bc3
c56848ba6e48aa286190532b3db0cbea18fa288dea3c172f7cde56e05a5d5b45
d605dfc24d5e87f32eb1183e3d98cf1fe7c9f803da3df91c5007c2ccb2c4831a
d76eeea034cbbc2963a8662ae9f8358d1bd8131d411d1fccae5b858baf354f1e
dbf2e22dc003baf9dc18eb9e9fb2fd4e30e1938e125b4daddc0a7060030fb2f1
f1796960b14a1acc6e311f2a4d8396c8cd3314cf633e5c0e45ecc853276aec93
*See JSON for more IOCs

Coverage

Product	Protection
Secure Endpoint
Cloudlock	N/A
CWS
Email Security
Network Security
Stealthwatch	N/A
Stealthwatch Cloud	N/A
Secure Malware Analytics
Umbrella	N/A
WSA	N/A

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Doc.Malware.Valyria-10004248-0

Indicators of Compromise

• IOCs collected from dynamic analysis of 16 samples

File Hashes

107479966d4b35898bdeb753a278f768f528f1c80c7f47b04e6edd03299213da
1ba2125381e7bdead242b125c8738cd3f4f76461f49fbac4053ca16e485e4d98
305ac4ccfa8247c18ee6d7438b0b827cd3438d577bd21d72c60c85b1b1f238a2
3ed436702d2164ba3793c060aba4c59deb25a302937fbfe867b59f2f0500e9a7
4995552476481e01376eb5cc12e37ae790901269426391a8858aa16e098188ed
5d2587aa6f25a10fbd3b8fc785a45dba26e5af6e903be60c463260d9a23425e7
6ff9a9af5fa5dfb6ef845bbf477c51f7f7f353a8a16db6934c30de79ce9e7816
730bef2d9ab49edf6b7dd202eb53b9baf1d880e028c77a41bfc08624a28638a2
78d2d231cd0148c921922c39f55567ef427a70be683d191b7bebebe4a33e6d1f
7c9a7b2c38bd8cb013dbd0afa4dc04ed18192b446adce9b90f91e5a9fa63416b
a16d9ce88f407d4b6206b8e2247cc34c1c06024ccae288cddffd538bccc0e4cd
a451ede4494e70fc141fb41bab361e09a38999d2bc5d0892998b4776cea917e1
c3544f8a454aa3e1607c27daf1e066f6a46b6ab825732b1cd5b91f03613dc299
e18c7e50298f4d2376d4717b47c40d5cc1dc0420e067b689b2f2e89780de2212
e46ed5ef523d86713e96e26c59bfcb74e3827088d99789f03cac8a994648d181
ffaea1038257ef5cbdc371fecd200670002bf68e278130c3dba13476d61d2f02

Coverage

Product	Protection
Secure Endpoint
Cloudlock	N/A
CWS
Email Security
Network Security	N/A
Stealthwatch	N/A
Stealthwatch Cloud	N/A
Secure Malware Analytics
Umbrella	N/A
WSA	N/A

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Ransomware.Cerber-10004233-0

Indicators of Compromise

• IOCs collected from dynamic analysis of 23 samples

*See JSON for more IOCs

File Hashes

014df8e6a9101e4bb3264ac22b8d9cc7e52d347345ed4c0b1cd14d74f274c8fd
44928f1ae73a27aa1efb8090ae480e0170efe804e20e326b670864e163db1427
45176a6084162f91e5bb0c7ecad4df0cf74c3d0b2cd4068d1e6cd955daef3734
45790f44b1fdb4bb6b6abad4c546c2cb123fc1ad6e24b2a628d1e8f1935fcade
45b258b3964c4a1a669a1b78abfd9c65482008517a1a8cf2b701372793e01b4a
6dd5b22b53d2b2188190fa41ecf428fbff415e647f84b6c2f99dc9173380bd2a
6e70ebf060d8eaa7082daaa93cf93e7e65fe2cf28ae1cd32de9e4b5581c24a86
75c07c449e5feaf70c3281fa229fea8899f4dce2679113590ab4bafdaee2eb81
7a7b239613d44d0b690cee93022de0a4171fc2040e6eafd6002fbd4a77f1685b
833f575a4adeab246ed7d030c7a6d04c6d9111fda1718e02e9806d429d6dc181
9f51c07df0b2abfa2fa3a57039d887563694b41e85eb117e6089480ea37345b4
a197f793517d4d1434ec520b1222022f78631bebf6ae1b97455969c0b073ff17
a80053812cc6891019818d073908f9e1c4c9a6b0c7463c57df063efe1ac0c834
aa7ca754bdd16d64f5f056b1168776d53ea277533ff9ea11ef9b39a59dcbca18
b0edafda97209ec938343ecdbc4f37e8ae504ca25a7ed7b3b9864351527c5d76
b4d519e8832cd8099d0d25b85356aa3f920d80324d21268b8bbaedff2338b14c
c119aa10c3c7c13b42139247e4f1677b769bbc5f349a12fad8367ca6ef8ca5d0
c9e36700005e5626e60c259b805c30693d1350f3bdfa20465ebbdb6af1b4d724
cbd226056cb33b29094eed23dcf9311952da3675350d934a0014c50b2e2e27c5
daf9fd8e34e9dfb0458ee5f1797316c67b7066a3a99393f8db3a96e86fd61dc4
dec9b3063fbce95033b844f69145d05c9911986195c80a9e1d69128d411b2653
dfccf92c7ab071fc8a664e4faaecc299dc3a0f10c4ff345d64c7364906d77533
e4bb6b5730b4d8689880f8e27996e16f9295087dcb8e612cf80c9be1c5b81c68

Coverage

Product	Protection
Secure Endpoint
Cloudlock	N/A
CWS
Email Security
Network Security	N/A
Stealthwatch	N/A
Stealthwatch Cloud	N/A
Secure Malware Analytics
Umbrella	N/A
WSA	N/A

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Virus.Ramnit-10004200-0

Indicators of Compromise

• IOCs collected from dynamic analysis of 21 samples

*See JSON for more IOCs

File Hashes

182842a0a84e56435b8f7a625137a0d1bc0ab44be0df60bfe44d8b560842c939
24d69cf7dd629250d0cdebbae146525ec9db913b596c9c21ad22a7c54d39c9a3
3f9cdadb6bdffa0259111aef35af5b1cd49900a024181bdfaca49e00162edb8b
438259174450f0a034eb3356e5cd9fde06468fd71369fcf350d78ebc99e0a9ce
4adc301787ef8f4c954e69d7ef629657366e17f6a891c33c1eee3a83a7f64e9c
593487ca56545968d3b79d6d945f0747938b5d7c2fe3884e2e1d9bc0138f3af2
6d2133f6563cff051a57d19c50875a799b2490b686a7f1d11d2c13b342243509
755f131bf7d3438c2d49127dbce152bbb66b0954602775fa58d13a1584a43551
8202953b0fe4d73156bae712ab5cc481d5bc9134745dcd5b8b5c50e18a5500f3
83cc953df29bdf1a059cce0966a6f31defebc4c5709d149f38fbd3e04c7a0e85
91e436eb7463ff9ef416858a0e46b73fd4a8e738b504b7f8ebb27283eef65d47
a0bc4dc1f8cc7615a66d62afef67d2eee6af39c0ba59396bc5472c726474ae49
a24fc35cad24e3ed2357528adf84cc03b77205de39ed4e6922b676282150597f
a291dfed9100241eb471c331f70ac8b5c6c323d79e1252055bd7aa4e31c62be7
b29e1261cf467039caf09f2b63254c88a9cbca4fccbad91a5009572cda59e83b
c7c64e6d0e88a2663a8557f35d7aeeb15ee4ad281af6adfe1a26ca11b435ba9c
d66f497dcf49c54ca5ebeb7d6f19dc65e959ddaf288bb477884f5394c035bea1
ea892a3dc73f8dab3a84b24f88b843600e8357fd56d85f9fc90fb858ec2c4fa7
eb803216f92e5bf2cea2320d9e9490eda37655f6d51971a6ea83f99bf62c875b
fceccca0f030731609c20119d192627e92b55963e82ccbae5aab42cabf139e41
febb2993cbbb1593e630bd7d814115518fb038d81497e9945cb3c5da3de2d9ee

Coverage

Product	Protection
Secure Endpoint
Cloudlock	N/A
CWS
Email Security
Network Security
Stealthwatch	N/A
Stealthwatch Cloud	N/A
Secure Malware Analytics
Umbrella	N/A
WSA	N/A

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK