Today, Talos is publishing a glimpse into the most prevalent threats we've observed between June 17 and June 24. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. A visual depiction of the MITRE ATT&CK techniques associated with each threat is also shown. In these images, the brightness of the technique indicates how prevalent it is across all threat files where dynamic analysis was conducted. There are five distinct shades that are used, with the darkest indicating that no files exhibited technique behavior and the brightest indicating that technique behavior was observed from 75 percent or more of the files.

The most prevalent threats highlighted in this roundup are:

Threat Name | Type | Description
Win.Ransomware.Cerber-9952230-0 | Ransomware | Cerber is ransomware that encrypts documents, photos, databases and other important files. Historically, this malware would replace files with encrypted versions and add the file extension ".cerber," although in more recent campaigns other file extensions are used.
Win.Packed.Shiz-9953408-0 | Packed | Shiz is a remote access trojan that allows an attacker to access an infected machine in order to harvest sensitive information. It is commonly spread via droppers or by visiting a malicious site.
Win.Packed.Ursnif-9952366-0 | Packed | Ursnif is used to steal sensitive information from an infected host and can also act as a malware downloader. It is commonly spread through malicious emails or exploit kits.
Win.Packed.Upatre-9952760-0 | Packed | Upatre is a malicious downloader often used by exploit kits and phishing campaigns. Upatre downloads and executes malicious executables, such as banking malware.
Win.Malware.Gamarue-9952453-0 | Malware | Gamarue, also known as Andromeda, is a botnet used to spread malware, steal information and perform activities such as click fraud.
Win.Packed.Razy-9953445-0 | Packed | Razy is oftentimes a generic detection name for a Windows trojan. It collects sensitive information from the infected host, encrypts the data and sends it to a command and control (C2) server. Information collected might include screenshots. The samples modify auto-execute functionality by setting and creating a value in the registry for persistence.
Win.Dropper.TinyBanker-9952565-1 | Dropper | TinyBanker, also known as Zusy or Tinba, is a trojan that uses man-in-the-middle attacks to steal banking information. When executed, it injects itself into legitimate Windows processes such as "explorer.exe" and "winver.exe". When the user accesses a banking website, it displays a form to trick the user into submitting personal information.
Win.Dropper.Kuluoz-9952603-0 | Dropper | Kuluoz, sometimes known as "Asprox," is a modular remote access trojan that is also known to download and execute follow-on malware, such as fake antivirus software. Kuluoz is often delivered via spam emails pretending to be shipment delivery notifications or flight booking confirmations.
Win.Dropper.TrickBot-9952626-0 | Dropper | TrickBot is a banking trojan targeting sensitive information for certain financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB scripts.

Threat Breakdown

Win.Ransomware.Cerber-9952230-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 20 samples
Registry Keys | Occurrences
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER (Value Name: Run) | 20
<HKCU>\SOFTWARE\MICROSOFT\COMMAND PROCESSOR (Value Name: AutoRun) | 20
<HKCU>\PRINTERS\DEFAULTS\{21A3D5EE-E123-244A-98A1-8E36C26EFF6D} | 20
<HKCU>\PRINTERS\DEFAULTS | 20
<HKCU>\PRINTERS\DEFAULTS\{21A3D5EE-E123-244A-98A1-8E36C26EFF6D} (Value Name: Component_01) | 20
<HKCU>\PRINTERS\DEFAULTS\{21A3D5EE-E123-244A-98A1-8E36C26EFF6D} (Value Name: Component_00) | 20
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: netbtugc) | 2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE (Value Name: netbtugc) | 2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: javaw) | 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE (Value Name: javaw) | 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: help) | 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE (Value Name: help) | 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: EhStorAuthn) | 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE (Value Name: EhStorAuthn) | 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: rdrleakdiag) | 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE (Value Name: rdrleakdiag) | 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: w32tm) | 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE (Value Name: w32tm) | 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: ntkrnlpa) | 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE (Value Name: ntkrnlpa) | 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: dialer) | 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE (Value Name: dialer) | 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: lodctr) | 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE (Value Name: lodctr) | 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: wuapp) | 1
Mutexes | Occurrences
shell.{381828AA-8B28-3374-1B67-35680555C5EF} | 20
IP Addresses contacted by malware (does not indicate maliciousness) | Occurrences

*See JSON for more IOCs

Files and/or directories created | Occurrences
%APPDATA%\{6F885251-E36F-0FE6-9629-63208157D7A2} | 20
%APPDATA%\Microsoft\Windows\Start Menu\Programs\StartUp\netbtugc.lnk | 2
%APPDATA%\{6F885251-E36F-0FE6-9629-63208157D7A2}\netbtugc.exe | 2
%System32%\Tasks\netbtugc | 2
%APPDATA%\{6F885251-E36F-0FE6-9629-63208157D7A2}\en-US\netbtugc.exe.mui | 2
%APPDATA%\{6F885251-E36F-0FE6-9629-63208157D7A2}\en\netbtugc.exe.mui | 2
%System32%\Tasks\help | 1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\StartUp\sdchange.lnk | 1
%APPDATA%\{6F885251-E36F-0FE6-9629-63208157D7A2}\sdchange.exe | 1
%System32%\Tasks\sdchange | 1
%System32%\Tasks\dialer | 1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\StartUp\dialer.lnk | 1
%APPDATA%\{6F885251-E36F-0FE6-9629-63208157D7A2}\dialer.exe | 1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\StartUp\wuapp.lnk | 1
%APPDATA%\{6F885251-E36F-0FE6-9629-63208157D7A2}\wuapp.exe | 1
%System32%\Tasks\bootcfg | 1
%System32%\Tasks\ntkrnlpa | 1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\StartUp\ntkrnlpa.lnk | 1
%APPDATA%\{6F885251-E36F-0FE6-9629-63208157D7A2}\ntkrnlpa.exe | 1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\StartUp\EhStorAuthn.lnk | 1
%APPDATA%\{6F885251-E36F-0FE6-9629-63208157D7A2}\EhStorAuthn.exe | 1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\StartUp\unlodctr.lnk | 1
%APPDATA%\{6F885251-E36F-0FE6-9629-63208157D7A2}\unlodctr.exe | 1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\StartUp\icacls.lnk | 1
%APPDATA%\{6F885251-E36F-0FE6-9629-63208157D7A2}\icacls.exe | 1

*See JSON for more IOCs

File Hashes

Coverage

Product | Protection
Secure Endpoint | This has coverage
Cloudlock | N/A
CWS | This has coverage
Email Security | This has coverage
Network Security | This has coverage
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Secure Malware Analytics | This has coverage
Umbrella | N/A
WSA | N/A

Screenshots of Detection

Secure Endpoint


Secure Malware Analytics


MITRE ATT&CK


Win.Packed.Shiz-9953408-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 112 samples
Registry Keys | Occurrences
<HKLM>\SOFTWARE\MICROSOFT (Value Name: 67497551a) | 94
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON (Value Name: 98b68e3c) | 94
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON (Value Name: userinit) | 94
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON (Value Name: System) | 94
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS (Value Name: load) | 94
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS (Value Name: run) | 94
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: userinit) | 94
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\STARTPAGE (Value Name: StartMenu_Balloon_Time) | 2
Mutexes | Occurrences
Global\674972E3a | 94
Global\MicrosoftSysenterGate7 | 94
internal_wutex_0x000000e0 | 94
internal_wutex_0x0000038c | 94
internal_wutex_0x00000448 | 91
internal_wutex_0x000007d0 | 21
internal_wutex_0x000006a0 | 19
internal_wutex_0x<random, matching [0-9a-f]{8}> | 16
internal_wutex_0x00000640 | 15
internal_wutex_0x0000072c | 12
internal_wutex_0x00000310 | 11
IP Addresses contacted by malware (does not indicate maliciousness) | Occurrences
Domain Names contacted by malware (does not indicate maliciousness) | Occurrences

*See JSON for more IOCs

Files and/or directories created | Occurrences
%TEMP%\<random, matching [A-F0-9]{1,4}>.tmp | 94

File Hashes
*See JSON for more IOCs

Coverage

Product | Protection
Secure Endpoint | This has coverage
Cloudlock | N/A
CWS | This has coverage
Email Security | This has coverage
Network Security | This has coverage
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Secure Malware Analytics | This has coverage
Umbrella | This has coverage
WSA | This has coverage

Screenshots of Detection

Secure Endpoint


Secure Malware Analytics


MITRE ATT&CK


Win.Packed.Ursnif-9952366-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 26 samples
Registry Keys | Occurrences
<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{0633EE93-D776-472F-A0FF-E1416B8B2E3A} (Value Name: FaviconPath) | 26
<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{0633EE93-D776-472F-A0FF-E1416B8B2E3A} (Value Name: Deleted) | 26
<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES (Value Name: DefaultScope) | 26
IP Addresses contacted by malware (does not indicate maliciousness) | Occurrences
Domain Names contacted by malware (does not indicate maliciousness) | Occurrences
www[.]bing[.]com | 26
www[.]google[.]com | 26
gmail[.]com | 26
greatestcups[.]com | 2

File Hashes
*See JSON for more IOCs

Coverage

Product | Protection
Secure Endpoint | This has coverage
Cloudlock | N/A
CWS | This has coverage
Email Security | This has coverage
Network Security | This has coverage
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Secure Malware Analytics | This has coverage
Umbrella | N/A
WSA | N/A

Screenshots of Detection

Secure Endpoint


Secure Malware Analytics


MITRE ATT&CK


Win.Packed.Upatre-9952760-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 36 samples
IP Addresses contacted by malware (does not indicate maliciousness) | Occurrences
52[.]56[.]229[.]15 | 36
162[.]144[.]254[.]155 | 36
162[.]241[.]6[.]138 | 36
23[.]46[.]150[.]72 | 21
23[.]46[.]150[.]48 | 14
23[.]1[.]236[.]16 | 1
Domain Names contacted by malware (does not indicate maliciousness) | Occurrences
apps[.]identrust[.]com | 36
nimbacreations[.]com | 36
www[.]nimbacreations[.]comvideo | 36
eganchurchsupply[.]com | 36
laurencechurchsupplies[.]com | 36
Files and/or directories created | Occurrences
%TEMP%\viewpdf_update.exe | 36

File Hashes
*See JSON for more IOCs

Coverage

Product | Protection
Secure Endpoint | This has coverage
Cloudlock | N/A
CWS | This has coverage
Email Security | This has coverage
Network Security | This has coverage
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Secure Malware Analytics | This has coverage
Umbrella | N/A
WSA | N/A

Screenshots of Detection

Secure Endpoint


Secure Malware Analytics


MITRE ATT&CK


Win.Malware.Gamarue-9952453-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 30 samples
Registry Keys | Occurrences
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: AhnUpadate) | 30
Mutexes | Occurrences
345rdxcvgt567yhjm | 30
IP Addresses contacted by malware (does not indicate maliciousness) | Occurrences
175[.]126[.]111[.]143 | 30
211[.]43[.]203[.]28 | 30
Domain Names contacted by malware (does not indicate maliciousness) | Occurrences
www[.]hellobetta[.]com | 30
www[.]aega[.]co[.]kr | 30
Files and/or directories created | Occurrences
%ProgramData%\AhnLab\AhnSvc.exe | 30
%ProgramData%\AhnLab | 30

File Hashes

*See JSON for more IOCs

Coverage

Product | Protection
Secure Endpoint | This has coverage
Cloudlock | N/A
CWS | This has coverage
Email Security | This has coverage
Network Security | This has coverage
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Secure Malware Analytics | This has coverage
Umbrella | N/A
WSA | N/A

Screenshots of Detection

Secure Endpoint


Secure Malware Analytics


MITRE ATT&CK


Win.Packed.Razy-9953445-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 16 samples
Mutexes | Occurrences
<random, matching [A-Z0-9]{10}> | 16
IP Addresses contacted by malware (does not indicate maliciousness) | Occurrences
142[.]250[.]72[.]110 | 9
172[.]67[.]34[.]170 | 8
104[.]20[.]68[.]143 | 6
142[.]250[.]176[.]206 | 6
104[.]20[.]67[.]143 | 2
142[.]250[.]80[.]110 | 1
Domain Names contacted by malware (does not indicate maliciousness) | Occurrences
pastebin[.]com | 16
w[.]google[.]com | 16
Files and/or directories created | Occurrences
%System32%\Tasks\Google_Trk_Updater | 16

File Hashes

Coverage

Product | Protection
Secure Endpoint | This has coverage
Cloudlock | N/A
CWS | This has coverage
Email Security | This has coverage
Network Security | This has coverage
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Secure Malware Analytics | This has coverage
Umbrella | N/A
WSA | N/A

Screenshots of Detection

Secure Endpoint


Secure Malware Analytics


MITRE ATT&CK


Win.Dropper.TinyBanker-9952565-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 25 samples
Registry Keys | Occurrences
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: EEFEB657) | 25
Mutexes | Occurrences
EEFEB657 | 25
Files and/or directories created | Occurrences
%HOMEPATH%\AppData\LocalLow\EEFEB657 | 25
%APPDATA%\EEFEB657 | 25
%APPDATA%\EEFEB657\bin.exe | 25

File Hashes

*See JSON for more IOCs

Coverage

Product | Protection
Secure Endpoint | This has coverage
Cloudlock | N/A
CWS | This has coverage
Email Security | This has coverage
Network Security | N/A
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Secure Malware Analytics | This has coverage
Umbrella | N/A
WSA | N/A

Screenshots of Detection

Secure Endpoint


Secure Malware Analytics


MITRE ATT&CK


Win.Dropper.Kuluoz-9952603-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 27 samples
Registry Keys | Occurrences
<HKCU>\SOFTWARE\<random, matching '[a-zA-Z0-9]{5,9}'> | 27
<HKCU>\SOFTWARE\AQRVIBWV (Value Name: avajnbgg) | 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: ihnluxxw) | 1
<HKCU>\SOFTWARE\HQIHBRGD (Value Name: capvgwgc) | 1
<HKCU>\SOFTWARE\TENSKJJJ (Value Name: efgtdthk) | 1
<HKCU>\SOFTWARE\IGGULPUX (Value Name: knhspcfj) | 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: xntuedmm) | 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: gxfbptiw) | 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: vwctkmkr) | 1
<HKCU>\SOFTWARE\CLTPMXNU (Value Name: arenjpah) | 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: dchjdqqf) | 1
<HKCU>\SOFTWARE\KLATBKGR (Value Name: uavtpojk) | 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: pvujnklh) | 1
<HKCU>\SOFTWARE\TQDECVLO (Value Name: bnhlsgoc) | 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: uhsmcver) | 1
<HKCU>\SOFTWARE\NJQSNVQJ (Value Name: efgnkasb) | 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: bdmwgwso) | 1
<HKCU>\SOFTWARE\OVRQHJHQ (Value Name: kxlohbjj) | 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: suronehb) | 1
<HKCU>\SOFTWARE\HCCLNEXF (Value Name: lbcrmohg) | 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: viqtnwtw) | 1
<HKCU>\SOFTWARE\MGUMQTHW (Value Name: bvqqkvuo) | 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: jvfsfovv) | 1
<HKCU>\SOFTWARE\XWRSHPSW (Value Name: nijmlqgo) | 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: qglqiqfn) | 1
Mutexes | Occurrences
aaAdministrator | 27
IP Addresses contacted by malware (does not indicate maliciousness) | Occurrences
37[.]35[.]107[.]208 | 21
195[.]154[.]225[.]137 | 18
222[.]236[.]47[.]53 | 16
37[.]59[.]212[.]214 | 16
198[.]74[.]56[.]121 | 16
202[.]75[.]53[.]48 | 15
91[.]121[.]13[.]78 | 14
Files and/or directories created | Occurrences
%LOCALAPPDATA%\<random, matching '[a-z]{8}'>.exe | 27

File Hashes
*See JSON for more IOCs

Coverage

Product | Protection
Secure Endpoint | This has coverage
Cloudlock | N/A
CWS | This has coverage
Email Security | This has coverage
Network Security | N/A
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Secure Malware Analytics | This has coverage
Umbrella | N/A
WSA | N/A

Screenshots of Detection

Secure Endpoint


Secure Malware Analytics


MITRE ATT&CK


Win.Dropper.TrickBot-9952626-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 26 samples
Mutexes | Occurrences
316D1C7871E00 | 26
IP Addresses contacted by malware (does not indicate maliciousness) | Occurrences

*See JSON for more IOCs

Domain Names contacted by malware (does not indicate maliciousness) | Occurrences
checkip[.]amazonaws[.]com | 7
wtfismyip[.]com | 6
icanhazip[.]com | 5
ip[.]anysrc[.]net | 3
myexternalip[.]com | 3
api[.]ipify[.]org | 1
ipecho[.]net | 1
Files and/or directories created | Occurrences
%APPDATA%\winapp\Modules | 26
%System32%\Tasks\services update | 26
%APPDATA%\winapp\client_id | 26
%APPDATA%\winapp\group_tag | 26
%APPDATA%\winapp | 26

*See JSON for more IOCs

File Hashes
*See JSON for more IOCs

Coverage

Product | Protection
Secure Endpoint | This has coverage
Cloudlock | N/A
CWS | This has coverage
Email Security | This has coverage
Network Security | This has coverage
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Secure Malware Analytics | This has coverage
Umbrella | N/A
WSA | N/A

Screenshots of Detection

Secure Endpoint


Secure Malware Analytics


MITRE ATT&CK