Threat Roundup for June 16 to June 23

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between June 16 and June 23. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. A visual depiction of the MITRE ATT&CK techniques associated with each threat is also shown. In these images, the brightness of the technique indicates how prevalent it is across all threat files where dynamic analysis was conducted. There are five distinct shades that are used, with the darkest indicating that no files exhibited technique behavior and the brightest indicating that technique behavior was observed from 75 percent or more of the files.

The most prevalent threats highlighted in this roundup are:

Threat Name	Type	Description
Win.Downloader.Zbot-10004448-0	Downloader	Zbot, also known as Zeus, is a trojan that steals information, such as banking credentials, using methods such as key-logging and form-grabbing.
Win.Dropper.Kuluoz-10004513-0	Dropper	Kuluoz, sometimes known as "Asprox," is a modular remote access trojan that is also known to download and execute follow-on malware, such as fake antivirus software. Kuluoz is often delivered via spam emails pretending to be shipment delivery notifications or flight booking confirmations.
Doc.Downloader.Valyria-10004543-0	Downloader	Valyria is a malicious Microsoft Word document family that distributes other malware such as Emotet.
Win.Dropper.Tofsee-10004548-0	Dropper	Tofsee is multi-purpose malware that features a number of modules used to carry out various activities such as sending spam messages, conducting click fraud, mining cryptocurrency, and more. Infected systems become part of the Tofsee spam botnet and send large volumes of spam messages to infect additional systems and increase the size of the botnet under the operator's control.
Win.Malware.Bublik-10004580-0	Malware	Bublik is a downloader that targets Windows hosts. Although it's primarily used as malware to distribute various banking trojans, it's also capable of extracting and exfiltrating sensitive information from the host.
Win.Trojan.RevengeRAT-10004611-1	Trojan	The RevengeRAT remote access tool allows the operator to perform a wide range of actions on the infected system, including eavesdropping on the user, exfiltrating data, and running additional malicious software.
Win.Dropper.XtremeRAT-10004704-1	Dropper	XtremeRAT is a remote access trojan active since 2010 that allows the attacker to eavesdrop on users and modify the running system. The source code for XtremeRAT, written in Delphi, was leaked online and has since been used by similar RATs.
Win.Packed.Upatre-10004837-0	Packed	Upatre is a malicious downloader often used by exploit kits and phishing campaigns. Upatre downloads and executes malicious executables, such as banking malware.

Threat Breakdown

Win.Downloader.Zbot-10004448-0

Indicators of Compromise

IOCs collected from dynamic analysis of 29 samples

Domain Names contacted by malware. Does not indicate maliciousness	Occurrences
`pro-viewer[.]com`	29
`agrimarsystem[.]pe`	29

Files and or directories created	Occurrences
`%TEMP%\realupdater.exe`	29

File Hashes

053a330f699d8c4699b1c6bc7ec2f2a2bd6b9257c4a0eee8d514b2ad4b55e88c
096401e776c273e5c580f401cbaab5d2b74a1541299d8d0add5d99d68866958c
0a0e51d77206354a7a525c0ca44835e7657ec25378f814ae0ecab0dee94a9800
0a43fe36f8e691f067eb8b2fc41a186c53808c6e606d31c66360a2778497f738
0c555bbddffcc35759b381e0508cf0666fc1b0f9e5aba0d6f5f125c42acb903b
0fecc3ec5645e4b7d93650d5ddfcbe87705828aefdcc3125ad3fb11361780703
15156356f6965001ad4f3cc867352f5c9b4c5bed56b16a9562e2f6d5ddd1f01b
15cd28a2bf63f2d5398e6ff68bb2c18a5ccab0deb03dc875d6113520a2f82b4d
1d292629b26d830c600d93d71e944daca4d84f57a065f3a24f30e2faf5d56809
227c80b9ffc7b3aedb0331fa2c558e5691758a11c1409b3e229998ee10477481
239cb1e55ddbb69bb3d00572d58384aadbcf2a6fa609b69fe761220bb5ae7894
248625ec043b72d80c240b9513123a05fe9066756e76c846a7ff3413e7823416
27700ad54347a4cb183652fb686c4ea73ac6651b3a6af40c694fdd0a632922b9
28959a0fac78cefae567abc5fe3cd33183c26ba73cf349befe43ac832848022a
3a3283e24b8693a60341593cf3d57e5e279305a9607d30ca8b948fd9f866eca8
518253b8c0fad2934c8d06195a63030b99b7bfe2962fe42248b9e5572e435e59
53d4b89860e7b7cc296cd5917d46a9720b8b0baacb7b31db7d571e61c591a181
5936c22f97b9933088de3d142707736a64744e81c372183f8fee986328d919d5
5d75c21c11022d4fdfc7fd6591b59111982aa567bc69e3fccf6298da1055b515
5de5879da208a90f46d08c6bb416a5a2f78c804ea20464dbabc34eb0390aa4f5
6103228f4365322d5ceae300620cc66fbf84eb9dfdbc6a0022c268dc83aa65a6
63ab006084041b1b6bf6f260f412c34fc56664a3a2ab0faf6a454233530b2e5d
762d6eb6820eefbf2e46e2174a9ada9841d3ed55a09ac3d62fd97a14077304df
79b060e8975e684bda3cf79b45ccf9389b5679cbef2cb63656b94ee2ff34f5e1
89ba7325f5bcd26a21c89daa30726013bb6d59812ec104b81a7229024f91510d
*See JSON for more IOCs

Coverage

Product	Protection
Secure Endpoint
Cloudlock	N/A
CWS
Email Security
Network Security	N/A
Stealthwatch	N/A
Stealthwatch Cloud	N/A
Secure Malware Analytics
Umbrella	N/A
WSA	N/A

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Dropper.Kuluoz-10004513-0

Indicators of Compromise

IOCs collected from dynamic analysis of 43 samples

Registry Keys	Occurrences
`<HKCU>\SOFTWARE\<random, matching '[a-zA-Z0-9]{5,9}'>`	43
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: ewdtednn`	1
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: kfgsdpdv`	1
`<HKCU>\SOFTWARE\XLWVBVLN Value Name: xtxmwque`	1
`<HKCU>\SOFTWARE\ERIUEKCR Value Name: dwpjqlpa`	1
`<HKCU>\SOFTWARE\FKGDWLFC Value Name: btcgqtxv`	1
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: pwjcpvtg`	1
`<HKCU>\SOFTWARE\TRDDWSJW Value Name: hkwogctf`	1
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: lwrnfwdh`	1
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: btomjvqp`	1
`<HKCU>\SOFTWARE\BUGITDDP Value Name: txxsdgjg`	1
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: doviudox`	1
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: tuqsrtec`	1
`<HKCU>\SOFTWARE\EOBOTIUK Value Name: ulgvwopi`	1
`<HKCU>\SOFTWARE\PILXJFXK Value Name: ktkriwfo`	1
`<HKCU>\SOFTWARE\IDCCIMKF Value Name: tmumianw`	1
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: lwkqralw`	1
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: vuemrbob`	1
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: rssaalxp`	1
`<HKCU>\SOFTWARE\EFOKESHU Value Name: xulsnjws`	1
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: fllgmrwq`	1
`<HKCU>\SOFTWARE\GIEJFQCE Value Name: iuqwifxx`	1
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: toqdahjd`	1
`<HKCU>\SOFTWARE\ELNQDQUF Value Name: uhvnsbhc`	1
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: vtjkaseh`	1

Mutexes	Occurrences
`2GVWNQJz1`	43

IP Addresses contacted by malware. Does not indicate maliciousness	Occurrences
`78[.]157[.]209[.]228`	28
`85[.]25[.]108[.]164`	27
`94[.]23[.]84[.]94`	26
`94[.]32[.]66[.]56`	25
`177[.]87[.]64[.]25`	22
`109[.]169[.]46[.]59`	20
`176[.]31[.]110[.]165`	18
`91[.]121[.]98[.]60`	16

Files and or directories created	Occurrences
`%LOCALAPPDATA%\<random, matching '[a-z]{8}'>.exe`	43

File Hashes

04be2d1165429f6a1fc8217db32e549eeeb54983aa4c44f26e1147d054d954e1
0672e260b9febfd47b8536c8cd17866dc5cad82fbd9acf6778225c69617f8df4
13f0e1860121210bdcfd59887053156fee80c0e7e61ad1b2109a3ca027060ef5
161dd94d902139168107ee72aa66fc2bb00ecbe72a9ea3a2645a2e5f3edb43bc
1c5e6a11a293501d1bd41d302a7cbde8e8efc67916e4a063a5757f476190c48f
31c10bfe9039675974640b3404fbbdccf660bbef3319ed011766f4e7e2dc6d48
34861226330e4af50b8e03f6e9d8457ff1d1c9a7d3eeb1fc930a9f70a315dd54
360e964ae4aaf043ea27780f20ab266bf55470e3d58fa20550c9f2c520823fbe
42657321367294c31f060614894a0f13b1f38613cf3e013c94a835496e86a537
45bedf4f08cc21eb94088a7ebd942915d8e3f834d0632cfb9264d92228c8a4f1
47ea467e5da54049ec9c40d2173a97fb87dae67546faba7dce0631ad88fa3fa9
47f9eabe7f83bbce4b0d52282ba627f678ecc48604201101f7650ecc72a3b714
6ceeb2ab8b3d41fb927e0ffdcada6da07cac54124cdb8f0c9de15553a4254af5
75ed32ca3cc84d402a91fb13088ac3421917d427efb55bf2442b71f6dfd6a398
7ef5f3c744b456b04c79e14c5923a7cfbc3894f14a473a564d843dce62293b5a
86497472773d474e05b8ecccc82dfd17d7a4ad6c38e6911d03d6956aedadd49a
92f407eb8a0b4562acd7f1c27c86ed365b37c37bbc2fda343efd0fe22ea73bd1
95528ad474a06ae5c23200fac691561cae115466dd07e7f60cb5e9bf667443f5
97fc7992ceecb79f0e43c702fc69a564941b9c909ffd422a7af6a8d1c575ffdd
9f8eaa58bddf52d4ebc3603f00b6b19d76fe5ae486a308ac7d21330486fa0f87
a23c17fe1c893ac18bcc2d524adc6b8be07ee6ed2277701d2b43a1681ba60a29
a3a34b395a54043f247e09b8f6656ed66c74c6d02735e49a87e118749a1daa37
ac097abc44ceac4f6f0b6a33e876a76284a9aad676ce924bda277925b3f12bf5
ae08cd70435a6eacc7097babc6c26ecae3484bf8ca73ac1ae4f8078eef69d017
ae622c4057b66fb39cc1a341f50ceaaa7146fe4c1e06d0d6e316547cff821da4
*See JSON for more IOCs

Coverage

Product	Protection
Secure Endpoint
Cloudlock	N/A
CWS
Email Security
Network Security
Stealthwatch	N/A
Stealthwatch Cloud	N/A
Secure Malware Analytics
Umbrella	N/A
WSA	N/A

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Doc.Downloader.Valyria-10004543-0

Indicators of Compromise

IOCs collected from dynamic analysis of 16 samples

Registry Keys	Occurrences
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\OFFICE\14.0\WORD\TEXT CONVERTERS\IMPORT\RECOVER Value Name: Name`	16
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\OFFICE\14.0\WORD\TEXT CONVERTERS\IMPORT\RECOVER Value Name: Path`	16
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\OFFICE\14.0\WORD\TEXT CONVERTERS\IMPORT\RECOVER Value Name: Extensions`	16
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\OFFICE\14.0\WORD\TEXT CONVERTERS\IMPORT\WRDPRFCTDOS Value Name: Name`	16
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\OFFICE\14.0\WORD\TEXT CONVERTERS\IMPORT\WRDPRFCTDOS Value Name: Path`	16
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\OFFICE\14.0\WORD\TEXT CONVERTERS\IMPORT\WRDPRFCTDOS Value Name: Extensions`	16
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\OFFICE\14.0\WORD\TEXT CONVERTERS\IMPORT\WORDPERFECT6X Value Name: Name`	16
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\OFFICE\14.0\WORD\TEXT CONVERTERS\IMPORT\WORDPERFECT6X Value Name: Path`	16
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\OFFICE\14.0\WORD\TEXT CONVERTERS\IMPORT\WORDPERFECT6X Value Name: Extensions`	16

Mutexes	Occurrences
`Local\10MU_ACB10_S-1-5-5-0-67863`	16
`Local\10MU_ACBPIDS_S-1-5-5-0-67863`	16
`Local\WinSpl64To32Mutex_10960_0_3000`	15

Files and or directories created	Occurrences
`%LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRD0000.doc`	16
`%TEMP%\<random, matching '[a-z]{3}[A-F0-9]{3,4}'>.tmp`	16

File Hashes

03467831309586db00451ece187de1b4294ccfe4df9c3a44b554632b5bf42be7
168707fcadc59088773a10141ea7a5d4d586e345e6637c6f831df0423f330f61
2651e81960ba8b4d9f71beff3402bfe03e4bc5a328b9ccf58a49fa10e7029720
2f2ced0420e68ca325fc6a4c03bec2945b0164ed7cc4e1f3fbf4ff1e8baa92af
3324bb313bdf400aa777d05e8f7d0368c708c45857661fb75d5d89a7fb8ccfdb
4fa10efe326beacbacd2fd9751b69fa54a3086454e627c6be454bfb4760e09cd
688d6753c1d46a3f0938b3eb151b48ce50b191477ee048af86944a84fcef9e70
7681a084c13f352046dd0d519198210ecf0ac7d5f821e629b39eb7aa8ba0d342
7efbb2480cd82231f9d9c81e40745ecb2aa0c7228ad6383a8b929215bed753ff
8cf066b7f08cc018e28fff8b6de40d86382967ea5c63df2fb2dc3e8e0ee46727
a0ee2881f4992d7f256b824fb535cd19524d487edc590951cc7c47164aee1db0
a2419f02381d9e7301ae637aa4e5c905f7e1d81d92fbf893e8ef68754bf08305
b3eb9b1a7c972460fa7c9fe3aa911cc505c5b4b9804d6c71678da99c178b6d18
b78259b174c68679a885425d64d9d8c46c163358b658553533f35f08e696b937
c07dc139b1d0a717071bccb552bb394afc3012f960cc182d7a934144492d6520
e7feb77a1b6b712a0c22e855974f564cde98aaa927ea989aa8747bbb5833f321

Coverage

Product	Protection
Secure Endpoint
Cloudlock	N/A
CWS
Email Security
Network Security	N/A
Stealthwatch	N/A
Stealthwatch Cloud	N/A
Secure Malware Analytics
Umbrella	N/A
WSA	N/A

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Dropper.Tofsee-10004548-0

Indicators of Compromise

IOCs collected from dynamic analysis of 16 samples

Registry Keys	Occurrences
`<HKU>\.DEFAULT\CONTROL PANEL\BUSES`	15
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>`	15
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> Value Name: Type`	15
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> Value Name: Start`	15
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> Value Name: ErrorControl`	15
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> Value Name: DisplayName`	15
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> Value Name: WOW64`	15
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> Value Name: ObjectName`	15
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> Value Name: Description`	15
`<HKU>\.DEFAULT\CONTROL PANEL\BUSES Value Name: Config0`	15
`<HKU>\.DEFAULT\CONTROL PANEL\BUSES Value Name: Config1`	15
`<HKU>\.DEFAULT\CONTROL PANEL\BUSES Value Name: Config2`	11
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> Value Name: ImagePath`	11
`<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS Value Name: C:\Windows\SysWOW64\scezvnmi`	3
`<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS Value Name: C:\Windows\SysWOW64\kuwrnfea`	2
`<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS Value Name: C:\Windows\SysWOW64\tdfawonj`	2
`<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS Value Name: C:\Windows\SysWOW64\qacxtlkg`	2
`<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS Value Name: C:\Windows\SysWOW64\isupldcy`	1
`<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS Value Name: C:\Windows\SysWOW64\wgidzrqm`	1
`<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS Value Name: C:\Windows\SysWOW64\pzbwskjf`	1
`<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS Value Name: C:\Windows\SysWOW64\cmojfxws`	1
`<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS Value Name: C:\Windows\SysWOW64\dnpkgyxt`	1
`<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS Value Name: C:\Windows\SysWOW64\lvxsogfb`	1

IP Addresses contacted by malware. Does not indicate maliciousness	Occurrences
`91[.]203[.]192[.]78`	15
`80[.]66[.]75[.]254`	14
`31[.]13[.]65[.]52`	11
`176[.]113[.]115[.]136`	11
`80[.]66[.]75[.]4`	11
`176[.]113[.]115[.]239`	11
`176[.]113[.]115[.]135`	11
`45[.]143[.]201[.]238`	11
`176[.]113[.]115[.]84`	11
`31[.]13[.]65[.]174`	10
`142[.]250[.]176[.]196`	10
`157[.]240[.]205[.]63`	8
`5[.]61[.]236[.]235`	8
`34[.]117[.]59[.]81`	6
`20[.]84[.]181[.]62`	5
`77[.]75[.]78[.]104`	5
`104[.]47[.]53[.]36`	4
`20[.]112[.]52[.]29`	4
`104[.]18[.]12[.]33`	4
`104[.]18[.]13[.]33`	4
`93[.]115[.]25[.]10`	4
`212[.]227[.]17[.]186`	3
`104[.]47[.]54[.]36`	3
`104[.]16[.]120[.]50`	3
`142[.]251[.]40[.]131`	3

*See JSON for more IOCs

Domain Names contacted by malware. Does not indicate maliciousness	Occurrences
`microsoft-com[.]mail[.]protection[.]outlook[.]com`	15
`microsoft[.]com`	15
`vanaheim[.]cn`	15
`249[.]5[.]55[.]69[.]bl[.]spamcop[.]net`	11
`249[.]5[.]55[.]69[.]cbl[.]abuseat[.]org`	11
`249[.]5[.]55[.]69[.]dnsbl[.]sorbs[.]net`	11
`249[.]5[.]55[.]69[.]in-addr[.]arpa`	11
`249[.]5[.]55[.]69[.]sbl-xbl[.]spamhaus[.]org`	11
`249[.]5[.]55[.]69[.]zen[.]spamhaus[.]org`	11
`i[.]instagram[.]com`	11
`www[.]google[.]com`	11
`www[.]instagram[.]com`	10
`api[.]youla[.]io`	8
`identity[.]bitwarden[.]com`	7
`login[.]szn[.]cz`	5
`78[.]192[.]203[.]91[.]in-addr[.]arpa`	4
`api[.]debank[.]com`	4
`www[.]google[.]de`	3
`api[.]twitter[.]com`	3
`imap[.]gmx[.]net`	3
`in-jsproxy[.]globh[.]com`	3
`www[.]bing[.]com`	2
`www[.]yahoo[.]com`	2
`twitter[.]com`	2
`www[.]google[.]co[.]nz`	2

*See JSON for more IOCs

Files and or directories created	Occurrences
`%SystemRoot%\SysWOW64\config\systemprofile`	15
`%SystemRoot%\SysWOW64\config\systemprofile:.repos`	15
`%SystemRoot%\SysWOW64\<random, matching '[a-z]{8}'>`	15
`%TEMP%\<random, matching '[a-z]{8}'>.exe`	13
`%TEMP%\yhnywld.exe`	1
`%TEMP%\jsyjhwo.exe`	1

File Hashes

044c17fc7e490ab96ab3dccf6175835de270084d56655f52ec151d4401620d0d
06e591c1937a87cf3cb761600917baec71b79e735d4f709b61de0e498d3e341d
07d4da3a27188a788540f90c842de1d2bb6afb225c1a7d131a54e40bf511fd50
0cb53f5d3a4a05fb3194456f40cbe544d5756a472a8309baa3e057ec05a67bf2
19b0a306ef0d0410815f39e2276bd5ae2ca123229b7c542fd3b72d457dffcd44
395f1e0d90a33b3ae5a53e6c3681dc78ee92049f47fb0730e7125b0d8c864e3a
3a94a34b9a894ae78e3b3ecd80696c38d4365586ec04fb3b11792d3bd50b32e1
4a69cb97a79e0847fb09982fe2f1a882c8747bd31e35d7d5cdadd4c10abce623
4bcb95f3d5f545d546036460b6738428a9ed2b29b0ef47a9dcef958e8481ef81
55d72870eb0c4f64fa1c586856e93a470718497a5145e4c73407e55656968b5a
9ed0459acce7f212e4a05c8dab6924927c070985ac2290501744868fbebb0a05
d92be544ba54da794f253b8341715b09c2fa1b79e90492ab30ab3fad0108457d
e69ab82896844467cb51d5f4e374eda1c27424062830dcbb7bd040e6bfb4e13b
ea1e4c113df6a534213ddd95745d5d39b9064cd80dbe9f8c0f5164e14cf83d55
f99c02ea4c0ffa3c2d792df9a040fe3deabafb56cae22d0995116f962037c587
fc98619ec7847e749b3865dec97103f7a6f2eccbd0af1b5f9172e39ef183d139

Coverage

Product	Protection
Secure Endpoint
Cloudlock	N/A
CWS
Email Security
Network Security
Stealthwatch	N/A
Stealthwatch Cloud	N/A
Secure Malware Analytics
Umbrella
WSA

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Malware.Bublik-10004580-0

Indicators of Compromise

IOCs collected from dynamic analysis of 118 samples

IP Addresses contacted by malware. Does not indicate maliciousness	Occurrences
`69[.]10[.]32[.]149`	118
`66[.]23[.]234[.]229`	118

Domain Names contacted by malware. Does not indicate maliciousness	Occurrences
`double-six[.]com`	118
`cocoon-beach[.]com`	118

Files and or directories created	Occurrences
`%TEMP%\gike.exe`	118

File Hashes

008272d4b93a5cefd6943952d63388198b67a34e06a93dca0e9698c0639f4f02
017c9042d7cfab02d6444805d617bfda04a590d8ee0131f0dcbb73d9f422264e
01d019832f6f09a0eab7ffcb294466825148ef642519b37f225cea25fd8ccd82
05878e434aefab9098e57e734d21ba96eb2731dc2022e7619ff42e6c283ac1c5
07f8041820745c7de03ab380cdbc33fad9da6c9e87243ce4d6af1664ab2e5cae
08de6b552e704a0bb100dcd244c0950ffb90d7d021d042f3bad4b66eab1c633b
09e30d34ef79c10fd0f431ba287a8e89ea08c7919501a42e95ddf0b02b7a54dd
0d970e4dca39e6ac5d389f25ba528eac251bff7df4c15aa85e96d3c680dea37a
1078763c2070758f2d7af2a32cfeac195b1b19af9d7f83433451469a6456d69a
116eb648e4098b4994e20822ae2dea5f9a05bf280774e96e7f17537eeea128c1
127769bcc6688cc1c682313689d4c0ce7915a8295797a90f4586fb379694c3fe
12d38c601be82a710b29744fa9856add702bba2c1cfc9d8f36726df449fa90ea
146acf9b7a358237258cebeaa0870b7500c470d65855832a79ad1858de485ba4
15c9b7a21edfd29a057d881d7f4a98405dd530122b29c7d5ab15042b9f25536c
163a3b460ddcdb4561169c9466d48ded8d4535e34e4d51fee2713f6f2006f472
173272cf5e8e9349b8d4ff45e6f9378fbfcd437bfaa10fc5c7b7d8adabdd998d
17e0b0e3be6ebbf026d4b7ff6da60925516f6b29e2b5f5bfd33f49544659d031
1895e011ecb8c5efa5610c55e27a8f32dd6d4e2e24aad0f7375c6b22b13a3673
18b0fe90a4749d21a70e7775e456f3b258638de1b10dc7c8dfad2c87bb4b4150
193de0289b48eec0d8da266d3f1ff3e5a265fa72cff2db27b45a96f58f8f3c60
195c1acc646ec1f37bba891e6b6448734361ce77b79e99cb7f3d6a54e5265da1
1961cf9e8b78d5a638cf76bdaa2144a559056acbb97c7658cd3e3338016ff1f8
1ae225224fdb2f8a7ecd7420c3b5f85600b87445e6ac9810978e8f21fcb8de3d
1b16fc65b34fb4cb5de9a4660bc53f3c4f27ef2d69d88f82e150eca94495471a
1b21be6f06de9138a7131f2c037d1cf3aafb0cbc7e05f9e7111649593cb3f736
*See JSON for more IOCs

Coverage

Product	Protection
Secure Endpoint
Cloudlock	N/A
CWS
Email Security
Network Security
Stealthwatch	N/A
Stealthwatch Cloud	N/A
Secure Malware Analytics
Umbrella	N/A
WSA	N/A

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Trojan.RevengeRAT-10004611-1

Indicators of Compromise

IOCs collected from dynamic analysis of 25 samples

Mutexes	Occurrences
`RV_MUTEX-PiGGjjtnxDpn`	25
`cacls`	25

IP Addresses contacted by malware. Does not indicate maliciousness	Occurrences
`186[.]85[.]86[.]137`	25

Domain Names contacted by malware. Does not indicate maliciousness	Occurrences
`marzorevenger[.]duckdns[.]org`	25

Files and or directories created	Occurrences
`%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\AudioHandlers.url`	25
`%APPDATA%\at`	25
`%APPDATA%\at\AudioHandlers.vbs`	25
`%APPDATA%\at\MicrosoftEdgeCP.exe`	25

File Hashes

0117e5f0ed99601ec0c14007fe47f9595c1c8eeb1e02ddec403051d930fd75e9
015bb3bb231fcc3c3d713891ab7f6e38aaf58df3b071c013a0a7b6c45eed7368
01ad4793cc16f1a08ea244cbfa95f140591d34069a2195816afe15648a7c505d
0309ad59c21006514055ef9354e2dae635c26d3c2d990559615526a9fe72ff54
032ec8facc409ce44eb692039a972d305213033060b16c0b74a4e8c4612b15d3
042d6522cbe511cb76ba9e2541765697c444e149461fc5f16d0f836fc837d934
049b5956595ccc11469be36bb2486c84491ff6caf63480a9f5e41dcda29d2e6a
05fc5d966f35135922a80ea79a61bdfdbde06ac33a8f02f8fc8928831208b03c
062a17b83b98fb2fe0263a1a24c4ebd04545a7503fbeba00bac6abe24905b790
07827334bbbbd7bb30a4a0b18eedfad4cedb9a95165e74203ddc57af84036007
08e942f92597380308bdf60888cf976732fe581d73b06bcce1414acf72ff23e9
096c931004be830b3447cbd1e311c5b5040d06aa37e5b15e2a03a67f87e5c5d2
0ae3a8fe5d4d198339a6e0ac66db05aac82c3fabca4c94e5073b5fcc9adc33d6
0e0866a83d3f643b698ddd1110014afd436509d6e43282f8a95b9b29c876f4fd
0e41b57c5d12757477f5a55a6ef4249382cb00b9647d16b4088020c77d9d4bf0
107375aeb10e843e51c1f58395d0d116f866564b225d41acd0ba673ffaa521f3
123fb6d0a6007cfc3bfc66afbd4bf783c3c2a178a61052363a9bc4a1a6dbbe9e
1248073a0c941d199fb86632cd612d42f7ea6c7000c66162eac5e254298b6c0b
127bd3b50ba83a61fa6d2e578ae65a7bf35582f9e3c91aaa26e346feb8d4a8fd
12bfae2e5e4d8a4e8966677ff4235a56fca5fbfeb5abd71b8d4b469358db7558
133b506e59475c536601b8121c75b5060c3de8a12f7d94e5980903af85fc6f6a
1425ef0c15d0d2d9a791c5cbf94ced34972ba6f6f44490a4cb5a82bcfd2f8ded
1533454353df127eb59613f0adbcdf7f2f5278b97cf59bcf815e0bd675edc5a0
1615738e28738e78deed28921851783adc75a45e5f7258be1802e98d8f889f5a
16659f71c91f7a0bf4dfb354dc3222d128159d8862febd0810564c606d4d4b26
*See JSON for more IOCs

Coverage

Product	Protection
Secure Endpoint
Cloudlock	N/A
CWS
Email Security
Network Security
Stealthwatch	N/A
Stealthwatch Cloud	N/A
Secure Malware Analytics
Umbrella	N/A
WSA	N/A

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Dropper.XtremeRAT-10004704-1

Indicators of Compromise

IOCs collected from dynamic analysis of 11 samples

Registry Keys	Occurrences
`<HKCU>\SOFTWARE\XTREMERAT`	10
`<HKCU>\SOFTWARE\XTREMERAT Value Name: Mutex`	10
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: HKLM`	6
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: HKCU`	6
`<HKCU>\SOFTWARE\6JHGESKCRETMKY0GNF`	3
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{4J2HF5HQ-7067-T665-0KA3-I527GLTEG0RC}`	3
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{4J2HF5HQ-7067-T665-0KA3-I527GLTEG0RC} Value Name: StubPath`	3
`<HKCU>\SOFTWARE\6JHGESKCRETMKY0GNF Value Name: ServerStarted`	3
`<HKCU>\SOFTWARE\--((MUTEX))--`	2
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{UDSJO3L5-XD46-H5T2-PNM2-886W401Q2WFR}`	2
`<HKCU>\SOFTWARE\ZMZE16K9PQ`	2
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{5TT7UVKI-8JUS-13K8-RDC6-4BUSL8303LK2}`	2
`<HKCU>\SOFTWARE\ZMZE16K9PQ Value Name: ServerStarted`	2
`<HKCU>\SOFTWARE\ZMZE16K9PQ Value Name: ServerName`	2
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{5TT7UVKI-8JUS-13K8-RDC6-4BUSL8303LK2} Value Name: StubPath`	2
`<HKCU>\SOFTWARE\--((MUTEX))-- Value Name: ServerStarted`	2
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: flood`	2
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: update`	2
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{UDSJO3L5-XD46-H5T2-PNM2-886W401Q2WFR} Value Name: StubPath`	2
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: floods`	2
`<HKCU>\SOFTWARE\DHA1Y0SUCZS`	1
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{BWTHDBX6-O60P-1046-3686-46E7X3KCQBDG}`	1
`<HKCU>\SOFTWARE\DHA1Y0SUCZS Value Name: ServerStarted`	1
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{BWTHDBX6-O60P-1046-3686-46E7X3KCQBDG} Value Name: StubPath`	1

Mutexes	Occurrences
`--((Mutex))--`	4
`6JhgEskcretMKY0gNf`	3
`--((Mutex))--PERSIST`	2
`ZmzE16K9PQ`	2
`ZmzE16K9PQPERSIST`	2
`ZmzE16K9PQEXIT`	2
`dHa1Y0sucZs`	1
`Global\a0262f01-0e7a-11ee-9660-001517a883dc`	1

Domain Names contacted by malware. Does not indicate maliciousness	Occurrences
`hack4ps[.]no-ip[.]info`	3
`xkiller[.]no-ip[.]info`	3
`jooh2010[.]no-ip[.]biz`	2
`deadsand[.]no-ip[.]biz`	2
`xn8n8[.]sytes[.]net`	1

Files and or directories created	Occurrences
`%SystemRoot%\InstallDir`	5
`%SystemRoot%\InstallDir\Server.exe`	5
`%APPDATA%\Microsoft\Windows\6JhgEskcretMKY0gNf.dat`	3
`%TEMP%\x.html`	2
`%APPDATA%\Microsoft\Windows\--((Mutex))--.dat`	2
`%TEMP%\InstallDir`	2
`%TEMP%\InstallDir\wintimer.exe`	2
`%APPDATA%\Microsoft\Windows\ZmzE16K9PQ.dat`	2
`%SystemRoot%\SysWOW64\drivers\system32.exe`	1
`%APPDATA%\Microsoft\Windows\dHa1Y0sucZs.dat`	1

File Hashes

373af591f388320bc53b81a7b272480cf9f64e63879bcdc726fd68350eb2a679
3876228e644d8117295f156ae0e3bc71ea821806301e48f3d81d0fe3835af68e
3c8dccb3be508a396735bbc358cd002a8d9b064429d1d5ceee153ded6f67132b
4daebecc3d8de610264cfece61b81fbb6534259a0d886bee388b4bfa9321035e
682ff093d570a76206a45da68991ccfddb4a080cbdaac25372462527ed273707
7c366012bb68cd70ca388426bd9de1bb61385d6842357bc6e76d868b1e930f39
868f2651415676ed612a62774f40f2ef3cbd2b3eec34ab279ddcefb5a335e680
9d7bee885e6c6182d7615e375cc5c27a2f926f5d38b8c50dc46f359fb15f57e4
b856a0ffda82e57693282206de21373d1628ec70326b84ff8f0930cc2f4a51be
bcc11d1f898b2747579fe559497a83872a62c4ea2dd264b5149b86e41306ab0f
f40eb3e9eb7c09a4bf83dded46a98fb11e134dd38662c4e61151067f18a5bc1c

Coverage

Product	Protection
Secure Endpoint
Cloudlock	N/A
CWS
Email Security
Network Security	N/A
Stealthwatch	N/A
Stealthwatch Cloud	N/A
Secure Malware Analytics
Umbrella
WSA

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Packed.Upatre-10004837-0

Indicators of Compromise

IOCs collected from dynamic analysis of 26 samples

IP Addresses contacted by malware. Does not indicate maliciousness	Occurrences
`77[.]68[.]74[.]189`	26
`23[.]221[.]227[.]174`	14
`23[.]221[.]227[.]176`	11
`23[.]193[.]194[.]138`	1

Domain Names contacted by malware. Does not indicate maliciousness	Occurrences
`apps[.]identrust[.]com`	26
`benefitanswers[.]co[.]uk`	26
`turnaliinsaat[.]com`	26

Files and or directories created	Occurrences
`%TEMP%\updtool.exe`	26

File Hashes

009bd2bdbfa4169b22ffd51316b4d6d971e9133928899af2208c72408eb095ac
024f0326c797d429a4dcecc5f1662a9cbb969bc5b0129c78c4c90dcbdd4069bc
04c3de6445aefd13b88212d29589db04d7f6412bfee3e80d66513d259555d2fe
0584d6cbafdec4ddaaba676ee9930af23dcdbb5e181d2203d936bfe78533022d
0688967894c414690f2b7de3dcf6c63036c5ce61e8bb4c6db3f3e691cfdefc34
079f9fdb7e1ae7c9547460b35cee345b3659e206752462a7f51a0fe31ef758c8
07ad32619621f1ce3c9329e64cb51c24b23971fc9caffd27891e7cacb781381c
0b6f1f1b68e8352e642d12009ce48934e763ca1ee263ebf822670835937cb6e4
0b727beadc2a3f3afcd9d682932a9c6f392ba2a8c635de8290aaa671344e6e13
0c39e82c2b7da1d44e2686b0721616cbb04a26dcda7c896249426b1349546f72
0c6905dfc5d219d7405783ceba466330985ff038ce77c1448622b6ead9a8fedd
0cd2f46a6d76025030ba0516e6ef5d935dee87aa1128fb9029810481604007ea
0dcf26c0fdad8837add51b5268b5f3cf02ec9e3d8936f166bb164f2610f92ce8
10dc3db45b5ad14d8bb58ebfe38d87f316a82f625145a6940ed6d2cffc3d3413
10dd94a660c56eef86d3c4cb9ff8b1311e22e758a1d0b79c70fa23d3dec6fc44
11ea59d574a39a7b2c60867451384e7cc9d33ae88c645bf641e861463d587e8e
1201d6a2e6658cc9d6bbd03b22d4a8197a6aa7f3b550782c1c59b8015b26e190
125266dc5e9a92d17d4469fed2cd60d0c76e3c90a469aed67a24308fa0b9f3e5
125fd5f9590f0212ce2a55458ae5100d9296443b6b7cebbf17c577becb2c4150
150c6538ad632823036986338622382a62fe871cb2e99aa45a6e94b64f4c485f
1b66181c20015201e6216f8151dd6d83f3becf83f47d4a16ab894e497804ed8e
1c2e0a6d68ae602e91db7269d692b746d38724cc46511716253d35c4a77b9918
1db13bbbe5da803bad25cef3241af377e04b66bee57653c1804903587663ff67
1e343f2293fa3247342f1b831cabd98115fd0f282e2c5693736359c70cf44706
1ea6fc867b76d2f596f5e139fb3288e07525075bc116605c399995aef7d3d843
*See JSON for more IOCs

Coverage

Product	Protection
Secure Endpoint
Cloudlock	N/A
CWS
Email Security
Network Security	N/A
Stealthwatch	N/A
Stealthwatch Cloud	N/A
Secure Malware Analytics
Umbrella	N/A
WSA	N/A

Threat Roundup for June 16 to June 23

Threat Breakdown

Win.Downloader.Zbot-10004448-0

Indicators of Compromise

File Hashes

Coverage

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Dropper.Kuluoz-10004513-0

Indicators of Compromise

File Hashes

Coverage

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Doc.Downloader.Valyria-10004543-0

Indicators of Compromise

File Hashes

Coverage

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Dropper.Tofsee-10004548-0

Indicators of Compromise

File Hashes

Coverage

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Malware.Bublik-10004580-0

Indicators of Compromise

File Hashes

Coverage

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Trojan.RevengeRAT-10004611-1

Indicators of Compromise

File Hashes

Coverage

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Dropper.XtremeRAT-10004704-1

Indicators of Compromise

File Hashes

Coverage

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Packed.Upatre-10004837-0

Indicators of Compromise

File Hashes

Coverage

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Share this post

Related Content

Threat Roundup for November 3 to November 10

Threat Roundup for October 27 to November 3

Threat Roundup for October 13 to October 20

Intelligence Center

Vulnerability Research

Incident Response

Security Resources

Media

Support

Company