Today, Talos is publishing a glimpse into the most prevalent threats we've observed between July 19 and July 26. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. As always, please remember that all IOCs contained in this document are indicators, and one single IOC does not indicated maliciousness.
The most prevalent threats highlighted in this roundup are:

Threat NameTypeDescription
Win.Dropper.Kovter-7079842-0 Dropper Kovter is known for its fileless persistence mechanism. This family of malware creates several malicious registry entries which store its malicious code. Kovter is capable of reinfecting a system, even if the file system has been cleaned of the infection. It has been used to spread ransomware and click-fraud malware.
Win.Dropper.Qakbot-7079811-0 Dropper Qakbot, aka Qbot, has been around for since at least 2008. Qbot primarily targets sensitive information like banking credentials but can also steal FTP credentials and spread across a network using SMB.
Win.Malware.Nymaim-7077794-1 Malware Nymaim is malware that can be used to deliver ransomware and other malicious payloads. It uses a domain generation algorithm to generate potential command and control (C2) domains to connect to additional payloads.
Win.Virus.Expiro-7077458-0 Virus Expiro is a known file infector and information-stealer that hinders analysis with anti-debugging and anti-analysis tricks.
Win.Trojan.Lokibot-7077039-1 Trojan Lokibot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered via spam emails.
Win.Dropper.Gh0stRAT-7073937-0 Dropper Gh0stRAT is a well-known family of remote access trojans designed to provide an attacker with complete control over an infected system. Capabilities include monitoring keystrokes, collecting video footage from the webcam, and uploading/executing follow-on malware. The source code for Gh0stRAT has been publicly available on the Internet for years, significantly lowering the barrier for actors to modify and reuse the code in new attacks.
Win.Dropper.TrickBot-7071016-0 Dropper Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB scripts.
Win.Trojan.Tofsee-7067486-0 Trojan Tofsee is multipurpose malware that features a number of modules used to carry out various activities, such as sending spam messages, conducting click fraud, mining cryptocurrency, and more. Infected systems become part of the Tofsee spam botnet and are used to send large volumes of spam messages in an effort to infect additional systems and increase the overall size of the botnet under the operator’s control.
Win.Malware.XtremeRAT-7070642-1 Malware XtremeRAT is a remote access trojan active since 2010 that allows the attacker to eavesdrop on users and modify the running system. The source code for XtremeRAT, written in Delphi, was leaked online and has since been used by similar RATs.

Threat Breakdown

Win.Dropper.Kovter-7079842-0

Indicators of Compromise

Registry KeysOccurrences
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\WINDOWSUPDATE
Value Name: DisableOSUpgrade 		25
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\WINDOWSUPDATE\OSUPGRADE
Value Name: ReservationsAllowed 		25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: ssishoff 		25
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\WindowsUpdate 25
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\WINDOWSUPDATE\OSUpgrade 25
<HKCU>\SOFTWARE\xvyg 25
<HKLM>\SOFTWARE\WOW6432NODE\xvyg 25
<HKCR>\7b507 25
<HKCR>\7B507\shell 25
<HKCR>\7B507\SHELL\open 25
<HKCR>\7B507\SHELL\OPEN\command 25
<HKCR>\.16a05d 25
<HKCR>\.16A05D 25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: vrxzdhbyv 		25
<HKCU>\SOFTWARE\<random, matching '[a-zA-Z0-9]{5,9}'> 22
<HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\AUTHROOT\CERTIFICATES\DAC9024F54D8F6DF94935FB1732638CA6AD77C13
Value Name: Blob 		7
<HKCU>\SOFTWARE\9OVFKL4
Value Name: DC1iXk9 		1
<HKCU>\SOFTWARE\IUV2K1GDZ
Value Name: IxF25a 		1
<HKCU>\SOFTWARE\IUV2K1GDZ
Value Name: xSnk64X 		1
<HKCU>\SOFTWARE\TYG6ZX
Value Name: Y4d5jxtm 		1
<HKCU>\SOFTWARE\TYG6ZX
Value Name: 49rU6evnxC 		1
<HKCU>\SOFTWARE\5WGIB69
Value Name: VR6KTbo 		1
<HKCU>\SOFTWARE\5WGIB69
Value Name: VuVY43ROT 		1
<HKCU>\SOFTWARE\0wn0hDCj1e 1
<HKCU>\SOFTWARE\0WN0HDCJ1E
Value Name: CURAMV 		1
MutexesOccurrences
EA4EC370D1E573DA 25
A83BAA13F950654C 25
Global\7A7146875A8CDE1E 25
B3E8F6F86CDD9D8B 25
\BaseNamedObjects\408D8D94EC4F66FC 24
\BaseNamedObjects\Global\350160F4882D1C98 24
\BaseNamedObjects\053C7D611BC8DF3A 24
IP Addresses contacted by malware. Does not indicate maliciousnessOccurrences
50[.]146[.]204[.]212 1
94[.]30[.]53[.]92 1
75[.]127[.]77[.]20 1
202[.]102[.]245[.]233 1
34[.]209[.]49[.]182 1
92[.]45[.]45[.]116 1
54[.]81[.]147[.]123 1
145[.]176[.]133[.]219 1
146[.]220[.]4[.]69 1
85[.]110[.]127[.]16 1
108[.]101[.]90[.]162 1
217[.]139[.]102[.]35 1
223[.]4[.]245[.]214 1
46[.]26[.]51[.]52 1
2[.]28[.]17[.]56 1
179[.]50[.]78[.]173 1
198[.]59[.]65[.]159 1
173[.]197[.]223[.]51 1
115[.]97[.]126[.]95 1
73[.]83[.]125[.]50 1
91[.]159[.]138[.]54 1
201[.]209[.]158[.]28 1
37[.]128[.]128[.]198 1
20[.]253[.]19[.]194 1
141[.]85[.]236[.]229 1

*See JSON for more IOCs

Domain Names contacted by malware. Does not indicate maliciousnessOccurrences
www[.]cloudflare[.]com 5
www[.]beian[.]gov[.]cn 1
httpd[.]apache[.]org 1
bugs[.]debian[.]org 1
apps[.]digsigtrust[.]com 1
apps[.]identrust[.]com 1
music[.]taihe[.]com 1
www[.]hao123[.]com 1
vh74[.]timeweb[.]ru 1
cloud[.]mobiledatasciences[.]com 1
www[.]flaik[.]com 1
flaik[.]com 1
coolertags[.]com 1
hydra-pilot[.]skillwise[.]net 1
Files and or directories createdOccurrences
%LOCALAPPDATA%\39b03 25
%LOCALAPPDATA%\39b03\6a5cc.16a05d 25
%LOCALAPPDATA%\39b03\7cbdf.bat 25
%HOMEPATH%\Local Settings\Application Data\2501\1ffa.41d68 24
%HOMEPATH%\Local Settings\Application Data\2501\aae7.bat 24

File Hashes

29b60b1870d5c5e5d43c5464f835bcbfa314e5b0ac9cdfb7c224a24b1a378997
3783c9eafb1545bf643fcfac6c8ff7b23b122b6e295fc55d86f20aa6efc10416
3d965e1ccb25b5a245ff78d2f94c428acf9e888308ac4b63b017dbdfa2e3f52b
41cfb4585f9a85975f2c2a97b8b658a4f87b8e124400299d6418622cbd6d1105
441ff5b57de23331617d3de7af3d99d42ec1d64333d681c495ec9138744f659f
4c02bb11cd484d34262107fc5be9293bb3ce30b34d101696da61f19c3dea6c49
58e483d3179ba0713713a15c636d91f7e91a5df9ff657fcabfcc83bdf75c6db8
5b9f29cf93e099afc38387244e0e236aba1657d21ece357d1a17e02b7de92849
5ca6cdcf11c74c3530edd621378e73b976d5ebe43e335bed462bb7391df03781
61d9a9c1fdc2eaac37b3fc96e7eda980ae1f597891a3fc17e3011881602e146b
6e1e0f2754045a60f4a8e60762355470a2d8c1da7f5017f9c48932ea68a03667
6eccddc1173278809cf6954b640dbd56bd85003444d7d8204db677f15e609bcc
70b67aed1ad4bf81c53345ba3adc83bac92421190c47e9e660a245f2f36db338
710d7f0f75f89d3982ddd157eacacb9679c55a849193cbbea54cd28e04fe0fba
7239bfb7bd55e894b780a148a7416d6e8bf5cf30570dfc9a0cfcbae036054447
7bfd1327e87da19a4c68c9039871fa4bbebd0f25e1dfe197a7362f3a2f47bfa5
808d2f09dd84f42bde3d16f2df0de3fd08574a576ba6a73b59c0bcd8eabcbf1c
964bc3e1921c620b04fee83c440a666505bc8e6ca83d861e7bd435e2c3b89e0f
96621d3887a64e2e5b7539c11b6f3392fabfc4d1662330f06aa1ec9d2619e761
b2ae8ded94a877da3fc61c59afcbe77f10c498a0bc1739237736a3106ad63dfb
ba694da7444f518b3e2e01dd2c198ec172313d229ecfee591112de710935ff85
bb43faf1b229d23b6c9ee025b69ccf8b0280107214d8f04fb5194d0de3832345
c7961d7d76cb4794e8a1bf3495373b293633bc1338cba6e9ef2553486e1fecdf
cf4a0f9af6afb96e7b8dad098db397530f4fe7fb69790b87f17713655e4534c4
d19e5ca2f10019456bb4d2508ba78fb172108d08df769a259ee2ff1d0730fcda

*See JSON for more IOCs

Coverage

ProductProtection
Amp This has coverage
Cloudlock N/A
Cws This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
Wsa N/A

Screenshots of Detection

AMP

ThreatGrid

Win.Dropper.Qakbot-7079811-0

Indicators of Compromise

Registry KeysOccurrences
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\aqejpwsx 22
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\AQEJPWSX
Value Name: Type 		22
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\AQEJPWSX
Value Name: Start 		22
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\AQEJPWSX
Value Name: ErrorControl 		22
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\AQEJPWSX
Value Name: ImagePath 		22
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\AQEJPWSX
Value Name: DisplayName 		22
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\AQEJPWSX
Value Name: DependOnService 		22
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\AQEJPWSX
Value Name: DependOnGroup 		22
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\AQEJPWSX
Value Name: WOW64 		22
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\AQEJPWSX
Value Name: ObjectName 		22
<HKCU>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\AUTHROOTd7Q`\CRLs 1
<HKCU>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\AUTHROOTd7Q`\CTLs 1
<HKCU>\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\AUTHROOTd7Q`\Certificates 1
<HKCU>\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\AUTHROOTd7Q`\CRLs 1
<HKCU>\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\AUTHROOTd7Q`\CTLs 1
<HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\AUTHROOTd7Q`\Certificates 1
<HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\AUTHROOTd7Q`\CRLs 1
<HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\AUTHROOTd7Q`\CTLs 1
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\AUTHROOTd7Q`\Certificates 1
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\AUTHROOTd7Q`\CRLs 1
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\AUTHROOTd7Q`\CTLs 1
<HKLM>\SOFTWARE\MICROSOFT\ENTERPRISECERTIFICATES\AUTHROOTd7Q`\Certificates 1
<HKLM>\SOFTWARE\MICROSOFT\ENTERPRISECERTIFICATES\AUTHROOTd7Q`\CRLs 1
<HKLM>\SOFTWARE\MICROSOFT\ENTERPRISECERTIFICATES\AUTHROOTd7Q`\CTLs 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: djce 		1
MutexesOccurrences
\BaseNamedObjects\393733234a 24
Global\eqfik 22
llzeou 22
eqfika 22
Global\epieuxzk 22
Global\ulnahjoi 22
Global\utjvfi 22
bzqjzpdrfpamvq 22
\BaseNamedObjects\vjviza 18
\BaseNamedObjects\Global\yfpeuru 2
\BaseNamedObjects\Global\uazov 2
\BaseNamedObjects\Global\orpoamc 2
\BaseNamedObjects\lwwveb 2
\BaseNamedObjects\Global\vyczm 2
\BaseNamedObjects\paoiea 2
\BaseNamedObjects\Global\uxxgniue 2
\BaseNamedObjects\Global\yusia 2
\BaseNamedObjects\Global\paoie 2
\BaseNamedObjects\uvkfavmyiwoktbx 2
\BaseNamedObjects\gpgpzbxkqqqpyc 2
\BaseNamedObjects\Global\ubezkvio 2
\BaseNamedObjects\Global\lqwii 2
\BaseNamedObjects\Global\nanwvx 2
\BaseNamedObjects\Global\ylijdnyu 2
\BaseNamedObjects\Global\ioyyjlyp 2

*See JSON for more IOCs

IP Addresses contacted by malware. Does not indicate maliciousnessOccurrences
208[.]100[.]26[.]251 22
172[.]217[.]12[.]142 22
181[.]224[.]138[.]240 22
69[.]195[.]124[.]60 17
162[.]144[.]12[.]241 16
50[.]87[.]150[.]203 16
52[.]201[.]200[.]28 15
52[.]45[.]143[.]178 10
209[.]126[.]124[.]166 8
207[.]38[.]89[.]115 7
85[.]93[.]88[.]251 4
85[.]93[.]89[.]6 3
69[.]64[.]56[.]244 2
173[.]227[.]247[.]54 1
195[.]22[.]28[.]222 1
173[.]227[.]247[.]50 1
5[.]136[.]131[.]34 1
12[.]167[.]151[.]79 1
12[.]167[.]151[.]87 1
195[.]22[.]28[.]196 1
Domain Names contacted by malware. Does not indicate maliciousnessOccurrences
forumity[.]com 22
www[.]ip-adress[.]com 22
www[.]NameBright[.]com 22
zqpbnjvmfkfzbyko[.]info 22
uofdwoxezbdujgadioqvy[.]net 22
hibqrywwciwhbks[.]net 22
aqksafpuovjyfrzit[.]org 22
wupgkipgaiu[.]biz 22
ymoabqpo[.]com 22
erbqfnvqsahyshygeglwhxhvd[.]org 22
yaznaovutvzwgp[.]net 22
vljfhvniqpl[.]org 22
aulmkpipscpopgwrtzhlnqmjk[.]info 22
nwocsvuw[.]net 22
bmbtgoova[.]com 22
wlakhytkctowfowlzyehtt[.]net 22
pzsbodhuinrzhcjin[.]org 22
vwsbvkpkzgsvyhapfcm[.]org 22
cagkhrabktfwkuroydfwtta[.]org 21
doiknfcneeeydnyofyurzy[.]info 21
nbparking-lb-1977168523[.]us-east-1[.]elb[.]amazonaws[.]com 19
jkijlzrsvic[.]com 19
jueafvkiigmul[.]org 17
mgpepssjlpytbdktejekl[.]net 17
tvntnfczmfiewin[.]info 7

*See JSON for more IOCs

Files and or directories createdOccurrences
%APPDATA%\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sol 22
%APPDATA%\Microsoft\Eqfikq 22
%APPDATA%\Microsoft\Eqfikq\eqfi.dll 22
%APPDATA%\Microsoft\Eqfikq\eqfik.exe 22
%TEMP%\~eqfik.tmp 22
%APPDATA%\Microsoft\Eqfikq\ceqfik32.dll 22
%APPDATA%\Microsoft\Eqfikq\eqfik32.dll 22
%APPDATA%\Microsoft\Yfpeuruf\yfpeur.dll 2
%APPDATA%\Microsoft\Yfpeuruf\yfpeuru.exe 2
%APPDATA%\Microsoft\Uazova\uazo.dll 2
%APPDATA%\Microsoft\Uazova\uazov.exe 2
%APPDATA%\Microsoft\Orpoamcr\orpoam.dll 2
%APPDATA%\Microsoft\Orpoamcr\orpoamc.exe 2
%APPDATA%\Microsoft\Paoiea\cpaoie32.dll 2
%APPDATA%\Microsoft\Paoiea\paoi.dll 2
%APPDATA%\Microsoft\Paoiea\paoie.exe 2
%APPDATA%\Microsoft\Paoiea\paoie32.dll 2
%APPDATA%\Microsoft\Orpoamcr\corpoamc32.dll 2
%APPDATA%\Microsoft\Orpoamcr\orpoamc32.dll 2
%APPDATA%\Microsoft\Ioyyjlypo\cioyyjlyp32.dll 2
%APPDATA%\Microsoft\Ioyyjlypo\ioyyjly.dll 2
%APPDATA%\Microsoft\Ioyyjlypo\ioyyjlyp.exe 2
%APPDATA%\Microsoft\Ioyyjlypo\ioyyjlyp32.dll 2
%APPDATA%\Microsoft\Yfpeuruf\cyfpeuru32.dll 2
%APPDATA%\Microsoft\Yfpeuruf\yfpeuru32.dll 2

*See JSON for more IOCs

File Hashes

0440f27f5ec6a3b96a5ac1a56c3071c2fb671794b558d0c340755fed8dbbcbdf
07a387b7fe3fd93eccb572a851c8d0d7bb8bee2a43a6efb7bea8063df339c5fc
08b3f64d69cb5d5a799fcc1604b95f3dc85f033cceb7f29664bcb2abe184010d
2c20bf3afca2d75888c4d3442387f23f9d85457f4a52e2164ea75854d1eee21a
3de9a7c47558120acd829bc1ae1cd77662e17a078c6af82fbbdd20b8dc656c82
404e3ed4451c7b151e95fe9c8c09f411d57ee04116c7b82b239b9d8baf7999d4
456445f92ca18a7803c0e59199034ebde11f954a82fd787b1ef09bb62c9553cd
4ce1cdf63b0a137680c1c3e1bdf6731c77560ca03f82a8654236cdd01beaa0c5
58df7f7c7e9cee07a09a22ceb8567cabfa55455b959e09410a072b2270a8b09b
5eb66c06f7052ea6498241906973894e9fdb91e87c3a49d46a249584139eacb1
6d355205908b972cfbc28968cff4af3ef82ee4b01ad96ee1a2a278da107eaa52
7148c12097deebd480a77358fe0b6fcde38748926268b0b7b1b5391424240cd9
7a5b774c96e44c8699f629a3302e542445a8ecea2f6dd144daeeea5a633b7ac7
92681cfdfae3ff339edac84854c97ff7addb8527a687fecfa67da455c9bfa928
9a118f361bf191b02014ee42c2b0f1123d532e6e71c00c8ab2184bb49f654250
9e26b2631e0378a16727b2d4a87ea1767ee2906300169a9da57a591e0e87bf6f
c171ecf4a11c6803799df9c478456e614877b3864ab413d96e2af1fb7c250e25
c2a935ba2e9b4a8cc1d72ce148146733e4c0a9cc991a28f6fe705979236d7923
cd2199f303e84e7914bb05549ec0de6854f7f99e1b2324aedbdac57c35f7d327
cf3ebd8f260a8e3edcb37e6abf9a08b691f68a4868ed1e6f86bb225005df6bcb
da4f0ca86ce54cac893b9fc4391060512ad684211a7c6515756fc90b4d523616
e61741ec46c8530acc6b3fb3f90d0c0ce16290b3f2db67a1f6470879d5042d4e
e7908bce85cd610f8e156e9ecee9a39d5d96d684748178f9007d7236f5e7a74b
f1bb3c10b9330a92bd31a38483fe56f9e8ef30d79c1d07517f6632f389968319
f20d6347774835c9fd25d3134b9e0bda0fb66a0ca5728339ac28d67bec80df7c

Coverage

ProductProtection
Amp This has coverage
Cloudlock N/A
Cws This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella This has coverage
Wsa This has coverage

Screenshots of Detection

AMP

ThreatGrid

Umbrella

Win.Malware.Nymaim-7077794-1

Indicators of Compromise

Registry KeysOccurrences
<HKCU>\Software\Microsoft\GOCFK 18
<HKCU>\Software\Microsoft\KPQL 18
<HKCU>\SOFTWARE\MICROSOFT\GOCFK
Value Name: mbijg 		18
<HKCU>\SOFTWARE\MICROSOFT\KPQL
Value Name: efp 		18
MutexesOccurrences
Local\{369514D7-C789-5986-2D19-AB81D1DD3BA1} 18
Local\{D0BDC0D1-57A4-C2CF-6C93-0085B58FFA2A} 18
Local\{D8E7AB94-6F65-71DE-8DA1-FE621BE2E606} 18
Local\{F04311D2-A565-19AE-AB73-281BA7FE97B5} 18
Local\{F6F578C7-92FE-B7B1-40CF-049F3710A368} 18
Local\{9AF4643E-0898-BB80-6A14-0133AB3F8A5C} 18
Local\{AC7E1B07-D66B-D6D7-68B8-F1D274B98185} 18
Domain Names contacted by malware. Does not indicate maliciousnessOccurrences
GOBEZJ[.]IN 18
jqmxfop[.]in 18
ICSCHQDJWQ[.]COM 18
OINCXXQTDBH[.]NET 18
gxeiohsixfc[.]com 18
pmxwbnpc[.]pw 18
fzfpwupqpryc[.]com 18
wglcpwdbg[.]net 18
NFOOJZPDTSL[.]IN 18
OTQFOI[.]IN 18
ticfwfen[.]pw 17
qxeejy[.]pw 17
ahvcnjqki[.]in 17
wyftxsolryia[.]in 17
klwrihhgj[.]pw 17
ldssmbugesb[.]in 17
dobra[.]in 17
yeqmndxtavuf[.]in 17
txvzjzoosogn[.]in 17
euvee[.]com 17
gyxsvdvcilju[.]net 17
djxexguecx[.]com 17
euharm[.]net 17
jgpazdzh[.]com 17
lqtcrom[.]net 17

*See JSON for more IOCs

Files and or directories createdOccurrences
%ProgramData%\ph 18
%ProgramData%\ph\eqdw.dbc 18
%ProgramData%\ph\fktiipx.ftf 18
%TEMP%\gocf.ksv 18
%TEMP%\kpqlnn.iuy 18
%TEMP%\fro.dfx 17
%TEMP%\npsosm.pan 17
\Documents and Settings\All Users\pxs\dvf.evp 17
\Documents and Settings\All Users\pxs\pil.ohu 17

File Hashes

103dd76b28018b8c7060c010c991e512101224e1d606189e54196012af3aeca3
25d88513e5e7ee69cca49695f1a1b2aff798289e3a3f2ad9b8d7ca40c8c7b1e3
378459b44562c821612f32b44ecd5a99cc052feb585f2cf07dd89e0b30e0e46a
47a7aff55e7601a0375f0a247a9d34448494a18b0883cb35df18620f2defee5c
525b8633165d7dcf019047154eb33611b019568b82c38ff32901bd3a47029420
5c3d514d21793bfb4f61ab1f3b6d56471181f49747f1bccc124c07a25f3003a6
5cb52e9cbb50b96a9a6af88de2991148b047da4e87e9b7bb11729fcc483591af
60587d89f106426713d8ed1fc03a44709573aa5bf8bc3dd1df11c764323a4bf0
617963a3ccefd5e0d5a27d7107c60913b303e3ea95a9ccef14bc5fd5e30c005b
797dc8c6d07d24d9b962483d79b007e2dd79f885834abf69d3e98db25267f186
7ca0c09b2560427969859f394e5d23816c6d055385f934fb25e38cbf3382d8d3
86394ba7ec72599cf0bea11b8208f355f11e4c2b97650a71cea1627a02f2a45d
9cf35426ad14545658eea6da023763c5ae509d331d98a000af227072511bcef6
a1503f23fd579b896cad65d9efc508edd42bff231d7ccc89b9d77b586a852468
b716cb702d977f2dae682b60a257675de65041d4573100d7619e1210fe66a428
c0bc0b9c5c86fcaae425af50f3c4a63fee282545b5cb35f8b72227645ababb6b
f0cc095352ba5dde07da8aac3404655a32ca95ad0efc8d4bff73001efc81817e
f1c66096f2af78b2482e81d744e2be043c5ab4e2ac38e432f2106bf8b36e6d7a

Coverage

ProductProtection
Amp This has coverage
Cloudlock N/A
Cws This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
Wsa N/A

Screenshots of Detection

AMP

ThreatGrid

Win.Virus.Expiro-7077458-0

Indicators of Compromise

Registry KeysOccurrences
<HKLM>\SOFTWARE\CLASSES\.vcf 15
<HKLM>\SOFTWARE\CLASSES\.wab 14
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.101
Value Name: CheckSetting 		14
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.103
Value Name: CheckSetting 		14
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.100
Value Name: CheckSetting 		14
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.102
Value Name: CheckSetting 		14
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.104
Value Name: CheckSetting 		14
<HKCU>\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{E8433B72-5842-4d43-8645-BC2C35960837}.check.102 1
MutexesOccurrences
kkq-vx_mtx1 14
kkq-vx_mtx81 14
kkq-vx_mtx82 14
kkq-vx_mtx83 14
kkq-vx_mtx84 14
kkq-vx_mtx85 14
kkq-vx_mtx86 14
kkq-vx_mtx87 14
kkq-vx_mtx88 14
kkq-vx_mtx89 14
kkq-vx_mtx90 14
kkq-vx_mtx91 14
kkq-vx_mtx92 14
kkq-vx_mtx93 14
kkq-vx_mtx94 14
kkq-vx_mtx95 14
kkq-vx_mtx96 14
kkq-vx_mtx97 14
kkq-vx_mtx98 14
kkq-vx_mtx99 14
kkq-vx_mtx31 14
kkq-vx_mtx32 14
kkq-vx_mtx33 14
kkq-vx_mtx34 14
kkq-vx_mtx35 14

*See JSON for more IOCs

Files and or directories createdOccurrences
%System32%\notepad.exe 15
%ProgramFiles%\Outlook Express\msimn.exe 15
%ProgramFiles%\Outlook Express\wab.exe 15
%ProgramFiles%\Windows Media Player\wmplayer.exe 15
\SfcApi 15
%ComSpec% 15
%System32%\magnify.exe 15
%System32%\mobsync.exe 15
%System32%\narrator.exe 15
%System32%\osk.exe 15
%System32%\utilman.exe 15
%System32%\rcimlby.exe 15
%System32%\tourstart.exe 15
%ProgramFiles%\Outlook Express\msimn.ivr 15
%ProgramFiles%\Outlook Express\wab.ivr 15
%ProgramFiles%\Windows Media Player\wmplayer.ivr 15
%System32%\cmd.ivr 15
%System32%\magnify.ivr 15
%System32%\mobsync.ivr 15
%System32%\narrator.ivr 15
%System32%\notepad.ivr 15
%System32%\osk.ivr 15
%System32%\rcimlby.ivr 15
%System32%\tourstart.ivr 15
%System32%\utilman.ivr 15

*See JSON for more IOCs

File Hashes

0287f750c02c8179cc04627b01f33ba36d3918abcf4878fb671ccdcc73c7ca63
08c5f2ff3ddf2a310c820b160e849813ec817d2fce37d185215404dd069c5566
0aa836462926c36d56ac69dfb924bfbfa534faa15c6a4d886a3a8dcfe814e23f
4a8dd8754167a319f12a7ee150b2a46dc6c1e8613eb923009912ac85ddccd732
4f1776195e9504bfe938841f4d77449302719d55b809d1189aa7774a2bcd1df8
576df1b91051f7a8e44b828669fbf46602e94aaf35faef9d88d71dc675d3d7b4
6898956f391244367a61e555ebc77e9e90dd446212a7521a590f772d7c175a91
6fb10a72e40505b431994eeef6aff6a050fb3eeaed57030a552172103ddf4171
83c8cca17f61612b7b64f502fb65e882579663135654e10956ae2ef26316dccf
9631fc0cb55a3063d6a4ea563b013b72cac38371482775e5e15c377b22eca569
98f91b16eb7721cd9af879b2871b5a3e72683886cd6c06a74783d50b49e4535e
9c6b7a22580451dfaf6893e02093cf6e6ffc68109ea170340ce3c12681e8581a
a3c60be24a879356f3cdffd3549f95b24bd42986ca8b0c196575fbbde42575bc
cc7b2d1f1321776ff48f45bd637299b671dec4a462c1f72128afd83b770ccd32
de0c25d47b8a2690e7db1796a981869c1ac7cd1701285ce92dad6f8459c31612

Coverage

ProductProtection
Amp This has coverage
Cloudlock N/A
Cws This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
Wsa N/A

Screenshots of Detection

AMP

ThreatGrid

Win.Trojan.Lokibot-7077039-1

Indicators of Compromise

Registry KeysOccurrences
<HKCU>\Software\VB and VBA Program Settings\HcMI61124620925\x60E5372900416 25
<HKCU>\SOFTWARE\VB and VBA Program Settings 24
<HKCU>\SOFTWARE\VB AND VBA PROGRAM SETTINGS\HcMI61124620925 24
<HKCU>\SOFTWARE\VB AND VBA PROGRAM SETTINGS\HCMI61124620925\X60E5372900416
Value Name: bnVpl1584056334 		24
<HKCU>\Software\Microsoft\Windows Script Host\Settings 5
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Registry Key Name 		4
<HKLM>\Software\Microsoft\RADAR\HeapLeakDetection\Settings\LeakDiagnosisAttempted 1
<HKLM>\http://chartinductries.com/nwata/fre.php 1
None 1
<HKLM>\http://lapphuongshoe.com/dino/five/fre.php 1
<HKLM>\http://suksez-ab.com/cola/five/fre.php 1
<HKLM>\http://tqe2009.com/bjoe/herold/fre.php 1
<HKLM>\http://www.runtaichem.info/rick/la/fre.php 1
<HKLM>\http://www.willhelmsen.com/orange/rok3/fre.php 1
<HKLM>\http://www.exwelloilfleld.com/fresh/julxxx/fre.php 1
<HKLM>\http://galeadz.info/jp/five/fre.php 1
<HKLM>\https://granjepages.com/wpincludes/star/png/jpeg/wpcontent/fre.php 1
<HKLM>\SOFTWARE\MICROSOFT\RADAR\HEAPLEAKDETECTION\DIAGNOSEDAPPLICATIONS\40413c204bb0867c9e93f83dc86d23cfcd420485519ffe9d27557585677d66d6.exe 1
<HKLM>\SOFTWARE\MICROSOFT\RADAR\HEAPLEAKDETECTION\DIAGNOSEDAPPLICATIONS\40413C204BB0867C9E93F83DC86D23CFCD420485519FFE9D27557585677D66D6.EXE
Value Name: LastDetectionTime 		1
<HKLM>\http://zooptiyoupoiunert.tk/fre.php 1
<HKLM>\http://hszna.com/class/five/fre.php 1
<HKLM>\http://lapphuongshoe.com/deal/five/fre.php 1
<HKLM>\http://www.ferosdwitama.pw/osi/la/fre.php 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: cghjjfygjhkjhgfghjt 		1
<HKLM>\http://versuvius.ru/java1/Panel/fre.php 1
MutexesOccurrences
3749282D282E1E80C56CAE5A 24
IP Addresses contacted by malware. Does not indicate maliciousnessOccurrences
192[.]185[.]129[.]109 2
185[.]144[.]28[.]196 1
37[.]49[.]224[.]146 1
37[.]49[.]225[.]217 1
185[.]80[.]128[.]19 1
194[.]67[.]78[.]62 1
199[.]192[.]26[.]147 1
104[.]31[.]82[.]175 1
192[.]185[.]131[.]58 1
37[.]49[.]224[.]209 1
104[.]18[.]48[.]19 1
Domain Names contacted by malware. Does not indicate maliciousnessOccurrences
www[.]cloudflare[.]com 2
lapphuongshoe[.]com 2
chartinductries[.]com 2
www[.]ferosdwitama[.]pw 2
www[.]exwelloilfleld[.]com 1
www[.]willhelmsen[.]com 1
hszna[.]com 1
SUKSEZ-AB[.]COM 1
VERSUVIUS[.]RU 1
newmarken[.]tk 1
fundrises[.]com 1
pastipasterputgripe[.]tk 1
womarpool[.]com 1
TQE2009[.]COM 1
WWW[.]SCM-HK[.]COM 1
www[.]runtaichem[.]info 1
GALEADZ[.]INFO 1
GRANJEPAGES[.]COM 1
chikasixtus[.]ml 1
melia[.]cam 1
i9contabilidadeadm[.]com[.]br 1
zooptiyoupoiunert[.]tk 1
Files and or directories createdOccurrences
%APPDATA%\D282E1\1E80C5.lck 24
%APPDATA%\D282E1 24
%TEMP%\subfolder\filename.vbs 4
%TEMP%\subfolder 4
%TEMP%\subfolder\filename.exe 4
%TEMP%\cghjjfygjhkjhgfghjt 1
%TEMP%\cghjjfygjhkjhgfghjt\cghjjfygjhkjhgfghjt.exe 1
%TEMP%\cghjjfygjhkjhgfghjt\cghjjfygjhkjhgfghjt.vbs 1

File Hashes

075cf35b3b963211fb7bba6ede59114206ddbf321ec642f0f7b347a11b8b6fef
0967bfac099b4ecf2e76c45ac95e43c638d1e8bd47de72e53ec44e87f11d393c
0a6766bc092647edf1f56c993458a7902425111914ca609da2e02278ca483cfc
0a7a5afe3ca9d7bcb99c4281d58a2c9781701f33000ed3dbf563cc8b8a61bd3e
0c4b3e770540676c8395d4bb955e669332017804f9d4e17a92bdd4d184fed8bc
0cf69c5d348932c346ca90146dda2191f61402719d3408d5515e89057004d263
1214fc13e9595cbd87428a0c8ab76fac9e6717680d17029dda4321e901880e4d
1c3057da6dc19df586271526e765039fe828065dd8d1a307f6f6f6ac39da0b55
2acf4434083ca7b1beb0819dc039949b7cae49bdc89124698190f4a45e11e679
3753908ecd911647acfe191c9d3c7cfbb213103e9da8c070dd05de9c3ec52588
40413c204bb0867c9e93f83dc86d23cfcd420485519ffe9d27557585677d66d6
5132fd6dafe1a5a2f793d7fb2646b1f2b375657e68a37791ce7823c89671b792
5b8534960b823d8503a2efa4cf657338c398d8df712343fd8910e99b6005f7de
5bb27e37d3eb360c40f622224bae2869ddfacdd6c0977cad4121d4058f7010ac
6898b07a8c5340a5ec0d0c5a049ce8a44da2e8ae065abcc377a226bb5e4d8444
6a8ee2c77d39ffd21b04fd334ce5aa339d6ea6d8d7aea2d897037c6b34784f8a
7df27d7eaab754928d250ec4250b29c129dd07c1cad340383b29064f0b9eae93
8bbc7518497873e1da26379f5d1857ce3b3f18133ba492dc5c6295f7549b231b
93ba0b74bdd57936fb44449614aae5605da21f186048701339bafc2b94913395
9835c5bbde2381c1c9de6adb80b66b22ea7ed6618518a9c96deac38b3d57d6de
a12bb223d5b78ced5f9f5898edae53c963a88364d4e5a86ab40ea3254c719bcb
a4a67f78dbcfdd9751f16c66d7c9ac79fbef28fab95aa3788f5772dab9ff1c1f
b28c369a00801f63fe7c9d9bf8fc0a0053a12f843075513cac455f475e743f92
b80a76e0a7ef63564724e5c060136a98659752f57f0664452cea3ff92b5aec5e
b8cf7f4b17617f508e819e91e9bf68711abaca523859c14d8bae1323b3533b54

*See JSON for more IOCs

Coverage

ProductProtection
Amp This has coverage
Cloudlock N/A
Cws This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella This has coverage
Wsa This has coverage

Screenshots of Detection

AMP

ThreatGrid

Umbrella

Win.Dropper.Gh0stRAT-7073937-0

Indicators of Compromise

Registry KeysOccurrences
<HKLM>\SYSTEM\CurrentControlSet\Services\System Remote Data 11
<HKLM>\SYSTEM\CurrentControlSet\Services\System Remote Data\Parameters 11
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SYSTEM REMOTE DATA
Value Name: Description 		11
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SVCHOST
Value Name: System Remote Data 		11
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SYSTEM REMOTE DATA
Value Name: Group 		11
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SYSTEM REMOTE DATA
Value Name: InstallTime 		11
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\System Remote Data 11
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SYSTEM REMOTE DATA
Value Name: Type 		11
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SYSTEM REMOTE DATA
Value Name: Start 		11
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SYSTEM REMOTE DATA
Value Name: ErrorControl 		11
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SYSTEM REMOTE DATA
Value Name: ImagePath 		11
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SYSTEM REMOTE DATA
Value Name: DisplayName 		11
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SYSTEM REMOTE DATA
Value Name: WOW64 		11
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SYSTEM REMOTE DATA
Value Name: ObjectName 		11
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SYSTEM REMOTE DATA
Value Name: FailureActions 		11
<HKLM>\SYSTEM\CurrentControlSet\Services\SRDSL 3
<HKLM>\SYSTEM\CurrentControlSet\Services\SRDSL\Parameters 3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SRDSL
Value Name: Description 		3
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SVCHOST
Value Name: SRDSL 		3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SRDSL
Value Name: Group 		3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SRDSL 3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SRDSL
Value Name: Type 		3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SRDSL
Value Name: Start 		3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SRDSL
Value Name: ErrorControl 		3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SRDSL
Value Name: ImagePath 		3
MutexesOccurrences
pzss.f3322.org:10010:System Remote Data 4
eed3bd3a-a1ad-4e99-987b-d7cb3fcfa7f0 - S-1-5-18 1
\BaseNamedObjects\254143.f3322.net:10010:Apple SPPER 1
\BaseNamedObjects\254143.f3322.net:10010:apple.com1 1
\BaseNamedObjects\www.foxdos.cc:10010:System Remote Data 1
\BaseNamedObjects\separa.f3322.org:8002:saufjj1 1
\BaseNamedObjects\192.168.0.100:8001:SRDSL 1
\BaseNamedObjects\53ca.meibu.net:1993:SRDSL 1
\BaseNamedObjects\1321.f3322.org:10010:System Rem2ote Data 1
\BaseNamedObjects\39.109.5.112:8998:SRDSL 1
\BaseNamedObjects\123.129.113.61:10010:System Remote Data 1
\BaseNamedObjects\pzss.f3322.org:10010:System. Remote. Data. 1
\BaseNamedObjects\feng12763.3322.org:888:Poweri 1
\BaseNamedObjects\pass.5sfox.com:10010:System Remote Data 1
\BaseNamedObjects\688300.com:9999:svchost 1
\BaseNamedObjects\219.235.4.247:10010:System Remote Data 1
254143.f3322.net:10010:System. Remote Data. 1
pzss.foxdos.cc:10010:System Remote Data 1
wfs2015.f3322.net:1083:SRDSLr 1
121.41.74.174:8001:System Remote Data 1
jwl520.xicp.net:8000:Mttack wocaonimei Service test 1
27.202.226.109:10010:System Remote Data 1
IP Addresses contacted by malware. Does not indicate maliciousnessOccurrences
111[.]74[.]238[.]109 3
119[.]29[.]53[.]144 2
61[.]147[.]125[.]184 1
117[.]21[.]224[.]222 1
115[.]49[.]170[.]77 1
61[.]155[.]136[.]233 1
61[.]160[.]41[.]103 1
39[.]109[.]5[.]112 1
123[.]129[.]113[.]61 1
107[.]160[.]240[.]196 1
219[.]235[.]4[.]247 1
119[.]124[.]0[.]7 1
121[.]41[.]74[.]174 1
27[.]202[.]226[.]109 1
Domain Names contacted by malware. Does not indicate maliciousnessOccurrences
PZSS[.]F3322[.]ORG 6
254143[.]f3322[.]net 3
cncert-sinkhole[.]net 1
jwl520[.]xicp[.]net 1
www[.]foxdos[.]cc 1
separa[.]f3322[.]org 1
1321[.]f3322[.]org 1
feng12763[.]3322[.]org 1
53ca[.]meibu[.]net 1
PASS[.]5SFOX[.]COM 1
PZSS[.]FOXDOS[.]CC 1
wfs2015[.]f3322[.]net 1
Files and or directories createdOccurrences
%TEMP%\-<random, matching '[0-9]{9,10}'>.dll 19
%SystemRoot%\SysWOW64\System Remote Data.exe 11
%SystemRoot%\SysWOW64\-<random, matching '[0-9]{9,10}'>.dll 5
%SystemRoot%\SysWOW64\SRDSL.exe 3
%ProgramFiles%\Google\28484.dll 2
%SystemRoot%\SysWOW64\System. Remote. Data..exe 2
%SystemRoot%\SysWOW64\en-US\svchost.exe.mui 1
%ProgramFiles%\Google\32640.dll 1
%ProgramFiles%\Google\29703.dll 1
%ProgramFiles%\Google\661453.dll 1
%System32%\660125.dll 1
%ProgramFiles%\Google\638859.dll 1
%ProgramFiles%\Google\693828.dll 1
%ProgramFiles%\StormII\668515.dll 1
%System32%\33625.dll 1
%ProgramData%\DRM\32046.dll 1
%System32%\30421.dll 1
%ProgramData%\DRM\36265.dll 1
%ProgramFiles%\Google\32812.dll 1
%ProgramFiles%\Google\33718.dll 1
%ProgramFiles%\Google\28281.dll 1
%ProgramFiles%\33234.dll 1
%ProgramFiles%\Google\32250.dll 1
%ProgramFiles(x86)%\-1672280194.dll 1
%SystemRoot%\SysWOW64\System Rem2ote Data.exe 1

*See JSON for more IOCs

File Hashes

035e3a8317ddd6aa352df4b3e088bbff2f1e482feb527ca9c159d1896370a8b4
0433376629abc250a4b4200df8a28d6fdf7fc7dff45bdaa5841fe1e98bb21ec9
0747b22ff9bc71d2f8da3d15b900e3553f80351a80126dbe67ed01b6c7ab19e6
0bd96f8c2fcce6fc384113844241dbf4d14b1251d1b56571831dc7d34b5ce147
1124d96932cf836d96b69ccaa1c8511f587a5f9c52bf7498d61382141afbf592
15f09c89df13858abe6905a55d6f5a0de9cfb3c346182b539759d5aacbe0a721
180a88e9a96ac2fa5645585af4c24fd899605a81ce8d989f24b06253e9444214
1d9a87e2ce471d4826f46f71947f1348562a98eef54270d195bb26ce6a0d829e
1e7161c1274747b441d9f4f48bae13a3b342b64c73afb6a96b21d3842932c2f7
23f57ad22964d920fce6873c0b8f554b4ffab4eacf10f9a2bb12a32d2671b13c
27033a0e98907fd2c5cfdb7b5dfaa3c6d35affef323b3e79a04c400aa6659203
281723771bc6562bce0c4661dd595ad3afeeba79e62194669a30f2dc46ab2098
2fb9683a78a4c0c3f15f60bc9028f243244f9fab0e0bb69c865b32f75c67fb0d
39b28e0d4f2a4fb04b634bcd68364bbbaa541be8eb39dcb35253292cde0e457d
3cab4e999db0485a15803cef539571dd66b507a33194c68268b01c7efb989b74
3d3555311f1023b76e5c070aa1146e92c762ba3c4685b2f22ce273b873f729e1
43b4996fa8ecc58c4a04f4ca080d4ea57b25c10612c61ec8052239cfd76feec1
453db1ba955324d4152924f47dfde9c5d2f4162b646eb599773cebdfe7984850
510b27c5b138e1d5b4a7fc274511cc036a9744d0e1747a6b7c1f6dfb9c025d6c
5463a5a7591c51caf1f7a4996b6296977e9a0dfba3e86505199be3f83ccc2995
57bdf55ccf70525364a33e49f08416b19574ac5b79912058fa8eab4ee7f74e7a
5e0e8552bf3c110b409b9798a110b498c1ffd0945ede6c26d2da0fe6769fe36d
615803622ef8cac2aac9fcb25dd0c78ce3f74ac61b2e8d4a245396f4f3cae259
6fa8b278efb2358b37dbddd6d234337e4b90a30557612de0ebc8c1b4419e833e
6fab0bb5f3536763a05af8a9632259152f50f3eb42fa63102215dc729f160a78

*See JSON for more IOCs

Coverage

ProductProtection
Amp This has coverage
Cloudlock N/A
Cws This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella This has coverage
Wsa This has coverage

Screenshots of Detection

AMP

ThreatGrid

Umbrella

Win.Dropper.TrickBot-7071016-0

Indicators of Compromise

Registry KeysOccurrences
<HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\AUTHROOT\CERTIFICATES\DAC9024F54D8F6DF94935FB1732638CA6AD77C13
Value Name: Blob 		23
MutexesOccurrences
\BaseNamedObjects\Global\TrickBot 20
IP Addresses contacted by malware. Does not indicate maliciousnessOccurrences
207[.]35[.]75[.]110 22
192[.]189[.]25[.]143 20
36[.]37[.]176[.]6 20
216[.]239[.]38[.]21 11
216[.]239[.]32[.]21 6
216[.]239[.]34[.]21 6
216[.]239[.]36[.]21 4
54[.]243[.]198[.]12 4
54[.]204[.]36[.]156 2
107[.]22[.]215[.]20 2
78[.]47[.]139[.]102 2
54[.]243[.]147[.]226 2
54[.]235[.]124[.]112 2
50[.]16[.]229[.]140 2
23[.]23[.]243[.]154 2
50[.]19[.]247[.]198 1
23[.]21[.]121[.]219 1
Domain Names contacted by malware. Does not indicate maliciousnessOccurrences
myexternalip[.]com 2
Files and or directories createdOccurrences
Modules 23
client_id 23
group_tag 23
%System32%\Tasks\Bot 23
%System32%\config\systemprofile\AppData\Roaming\client_id 23
%System32%\config\systemprofile\AppData\Roaming\group_tag 23
%APPDATA%\client_id 20
%APPDATA%\group_tag 20
%SystemRoot%\Tasks\Bot.job 20

File Hashes

027285368ca802e7fce3dd6de901dd68f86d05f464addaa81b4bb1961fcf9be2
0955213e2d07b8ed5ccd0ba0977d55da06d481e323959d8bbee0dcd0e83b85e4
0a0425f7cfe29f069045214fb1600e60a88e0d89e309818acbe66a347e6401dc
2886837dc5baed1a22dd46782f63c9d6c5db2c929dc8a88657c4059e599e2673
2f2053e002951fac67da2f6052900cb244632bfe4a8153cf56798ce0656ab6ee
402978f2746c3411677f4b05c4fb68b80baf44e8d4d92bfd343fe583e161365f
4c38cb3fe5c84ef22b7b604a8f28bf3bc9454af0645a8c847ed4699d3a428293
50084b6e587eb489aa823567c684e40b009eb8a2927a251ccf8fe47a8dfbc812
5394a7638b734bb070132904ffa31cb689cc8a1af55088836c054c546bf37338
561efa6f7e1e13645be8f30e4aba5316bfc18efaa0dd78f666b252a484d4dc08
5bac218180dcd885641b550f6c98919ba40208e0a5427b0f58177f7e047f2819
5d89a114fbb50329669e9497936860c4f7503eeac9d3906b5ba5623e720c85ab
5f003b9b1d68cc22e895bfabd0aea197a5a36ec6f1f3fbd1842265111890e6d5
64dcdd701c313c860d65127ebac397eb4137850aeb387dd3492e2553bb07fd88
691be5f3dfac97406df0d1582c90c60446fafcc9d342ca512bcfda5e6ecb8696
774851bc757d11226036b52eb8a2e994602d3ec32aacaf7d98230e7c7c3fa856
7edb72dffccef26433320595bdead4743f015901cc45d42d3786b7bfa27e2267
84a81ab2dd2bbfbcd86b236bf19ac7056e065616e650e040cfffabc3de7ab4cb
86b865d8a3fa6cce2558d2af3a1c93ddcacf58111820e16c923cf2bc542532d9
8c6d865e07dbe05f27ddfe2e785f8b7383f71f694e6d2a63630a18c7f95ab702
93b05e686c6e133e09fe98a144c4434982ff63556a4dc1ffe06fe3fa49a2c6a3
9ed083fc3988a56256f149bb0fb1113088a4302402b505b6365edcdc628e872a
a162bb9219a09b302b90bc6f908e117e3fb2c722560336d378fd76a8f22f78f8
acabdcfa9a083fe2dc5be7680c2fc0454b930d6607248fe9536f0fc6fa808300
b019141f31cce8683375cbec4cd75b66e5b3e4eded495d4d757d048978c855c4

*See JSON for more IOCs

Coverage

ProductProtection
Amp This has coverage
Cloudlock N/A
Cws This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
Wsa This has coverage

Screenshots of Detection

AMP

ThreatGrid

Win.Trojan.Tofsee-7067486-0

Indicators of Compromise

Registry KeysOccurrences
<HKLM>\System\CurrentControlSet\Services\NapAgent\Shas 25
<HKLM>\System\CurrentControlSet\Services\NapAgent\Qecs 25
<HKLM>\System\CurrentControlSet\Services\NapAgent\LocalConfig 25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\NAPAGENT\LOCALCONFIG\Enroll\HcsGroups 25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\NAPAGENT\LOCALCONFIG\UI 25
<HKU>\.DEFAULT\Control Panel\Buses 25
<HKU>\.DEFAULT\CONTROL PANEL\BUSES
Value Name: Config3 		25
<HKU>\.DEFAULT\CONTROL PANEL\BUSES
Value Name: Config0 		25
<HKU>\.DEFAULT\CONTROL PANEL\BUSES
Value Name: Config1 		25
<HKU>\.DEFAULT\CONTROL PANEL\BUSES
Value Name: Config2 		25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> 25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: Type 		25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: Start 		25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: ErrorControl 		25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: DisplayName 		25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: WOW64 		25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: ObjectName 		25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: Description 		25
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\fymsrzfu 		4
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\FYMSRZFU
Value Name: ImagePath 		4
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\athnmuap 		3
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\buionvbq 		3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\BUIONVBQ
Value Name: ImagePath 		3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\ATHNMUAP
Value Name: ImagePath 		3
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\nguazhnc 		2
IP Addresses contacted by malware. Does not indicate maliciousnessOccurrences
239[.]255[.]255[.]250 25
69[.]55[.]5[.]250 25
46[.]4[.]52[.]109 25
176[.]111[.]49[.]43 25
85[.]25[.]119[.]25 25
144[.]76[.]199[.]2 25
144[.]76[.]199[.]43 25
43[.]231[.]4[.]7 25
192[.]0[.]47[.]59 25
172[.]217[.]10[.]36 25
144[.]76[.]108[.]92 25
172[.]217[.]15[.]100 24
213[.]205[.]33[.]63 24
64[.]233[.]186[.]27 24
209[.]85[.]202[.]27 23
213[.]205[.]33[.]61 22
213[.]205[.]33[.]64 21
211[.]231[.]108[.]46 21
69[.]31[.]136[.]5 20
74[.]125[.]192[.]27 20
96[.]114[.]157[.]80 19
212[.]227[.]15[.]40 19
216[.]146[.]35[.]35 18
104[.]47[.]53[.]36 18
125[.]209[.]238[.]100 18

*See JSON for more IOCs

Domain Names contacted by malware. Does not indicate maliciousnessOccurrences
250[.]5[.]55[.]69[.]in-addr[.]arpa 25
250[.]5[.]55[.]69[.]zen[.]spamhaus[.]org 25
250[.]5[.]55[.]69[.]cbl[.]abuseat[.]org 25
250[.]5[.]55[.]69[.]dnsbl[.]sorbs[.]net 25
whois[.]iana[.]org 25
250[.]5[.]55[.]69[.]bl[.]spamcop[.]net 25
whois[.]arin[.]net 25
250[.]5[.]55[.]69[.]sbl-xbl[.]spamhaus[.]org 25
microsoft-com[.]mail[.]protection[.]outlook[.]com 25
honeypus[.]rusladies[.]cn 25
marina99[.]ruladies[.]cn 25
sexual-pattern3[.]com 25
coolsex-finders5[.]com 25
hotmail[.]com''stat=0x0brsnds=4resp='s10s78i3' 24
etb-1[.]mail[.]tiscali[.]it 23
eur[.]olc[.]protection[.]outlook[.]com 22
tiscalinet[.]it 22
tiscali[.]it 22
smtp[.]secureserver[.]net 21
mx-eu[.]mail[.]am0[.]yahoodns[.]net 21
ipinfo[.]io 20
mta5[.]am0[.]yahoodns[.]net 20
yahoo[.]com''stat=0x0brsnds=4resp='s10s78a7' 20
mx1[.]comcast[.]net 19
comcast[.]net 19

*See JSON for more IOCs

Files and or directories createdOccurrences
%SystemRoot%\SysWOW64\config\systemprofile:.repos 25
%SystemRoot%\SysWOW64\config\systemprofile 25
%SystemRoot%\SysWOW64\<random, matching '[a-z]{8}'> 25
%TEMP%\<random, matching '[a-z]{8}'>.exe 25
%HOMEPATH% 24
%System32%\<random, matching '[a-z]{8}\[a-z]{6,8}'>.exe (copy) 24
%TEMP%\rqgcjfk.exe 1
%TEMP%\wvlhokp.exe 1
%TEMP%\utjfmin.exe 1

File Hashes

06442a39540917cfa3370f3427023cfb2592c31de5c5f9370f012e734731f4ac
14f6caa0a689e466b2dbfce5e9945e5d3950cdbad1bd92fecd882004aa4b012e
185a939b94aa56b0aa736d2e31911c666302e52716ad6305f66e2e38aa0f7885
1c3e1fff7351f002df5cc7ef00c41dea632bc4e00689002c9ddf176fc6d4c906
302e3489f9f3f342adb3d94d42ecd241b6fddf6f3ec181398f228ed206ec74ca
30ecc33b922369a5b52669ab3567c065a15e4e6eb4098e7d81dffe33d16a0f8f
3333e26a6437b72d1d3a5512d430dc11c7c099af0367c0c9e7914a5c56a0efa1
36c758a5c3eb289ab2937a5921187c2f4ba75c5531d4f6fc9e1db585b920e6b6
3b89d6c2c0f064f0856c853dec187bbefcbca5cdc281f5cd46ee92df7386dd74
3c971b975da95610f8907002e5f221ea3db3ab0accb35c6aa8a481d1ca2f8762
3d993e6a7801a6935ff137004041a3eb50c97296159777207e72033e858f8054
4197745f05150f4395779b7107ec9088fd36e276dbab2819e7f2a5feec55679e
42545b6f5866b07980ed750b68f71f3d2c27f5bc3ddf3a568c86ba4cca0b0906
4292cd3eb1fb432cdcfc389baed6296cd840e356fa5c56527a57f3615416a738
4e8c43751f3364735c739ab34c28db0e13554d8ef7d21e64a1357b9bcb01e388
524ad24ee4bcb940533e9c994ca043332108f4837fa0537735e6866fb714687b
56c31cf0ffe2d5bb9cee137d912742c286d19b7834991a4861db9c95ad7c0142
5d14a447be266c4c9e81b30b3e965635f942bf2bfe7645b81790836678b3941b
60b37f2cbcabca3ffa70adf368298d11f687094e34a6fb35695a756666dfb9ad
662fa2498447a789ddc76a2c52a8e5ec2d53288b1b8bef61847344907393b12a
66f58cdc04793f275d5658c2cb134d48a8415dba37f1f09b8849a79c689bb459
6a61dbf1df22534f74bc604755ab6f28d3413d3c8fe8b5f59e48f041315a5e68
6b17990069791ada47ce0ef4bd1658929147ed93009eec390733654146655f6c
6eb838b70b81c3e65f0f7fa304697e81cfc75294a42683f056323b786e66e90c
703f6a71baf18e2ebdb9d512ff9ef76736ea2202ae92dcb9e50173aec9bba09c

*See JSON for more IOCs

Coverage

ProductProtection
Amp This has coverage
Cloudlock N/A
Cws This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella This has coverage
Wsa This has coverage

Screenshots of Detection

AMP

ThreatGrid

Umbrella

Win.Malware.XtremeRAT-7070642-1

Indicators of Compromise

Registry KeysOccurrences
<HKCU>\SOFTWARE\XtremeRAT 5
<HKCU>\SOFTWARE\XTREMERAT
Value Name: Mutex 		5
<HKLM>\Software\Wow6432Node\Microsoft\DownloadManager 3
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: HKLM 		3
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: HKCU 		3
<HKCU>\SOFTWARE\P@-zxRM2 2
<HKLM>\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{W8E4P17Q-7F6G-I050-W34W-7RI0JXOG67T2} 2
<HKCU>\SOFTWARE\P@-ZXRM2
Value Name: ServerStarted 		2
<HKCU>\SOFTWARE\P@-ZXRM2
Value Name: InstalledServer 		2
<HKCU>\SOFTWARE\XTREMERAT
Value Name: TDados 		2
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{W8E4P17Q-7F6G-I050-W34W-7RI0JXOG67T2}
Value Name: StubPath 		2
<HKCU>\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run 1
<HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\AUTHROOT\CERTIFICATES\75E0ABB6138512271C04F85FDDDE38E4B7242EFE
Value Name: Blob 		1
<HKCU>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon 1
<HKLM>\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows 1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE\AUTHORIZEDAPPLICATIONS\LIST
Value Name: C:\Users\Administrator\AppData\Roaming\Microsoft\upnps.exe 		1
<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1BBB9B0D-C1D4-6CDA-BC8D-D19CCBC6ACD3} 1
<HKCU>\SOFTWARE\Microsoft\Active Setup\Installed Components\{1BBB9B0D-C1D4-6CDA-BC8D-D19CCBC6ACD3} 1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN
Value Name: Taskhost 		1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Taskhost 		1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Taskhost 		1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{1BBB9B0D-C1D4-6CDA-BC8D-D19CCBC6ACD3}
Value Name: StubPath 		1
<HKCU>\SOFTWARE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{1BBB9B0D-C1D4-6CDA-BC8D-D19CCBC6ACD3}
Value Name: StubPath 		1
<HKCU>\SOFTWARE\VB AND VBA PROGRAM SETTINGS\SRVID\ID
Value Name: XEJJI3T7BL 		1
<HKCU>\SOFTWARE\VB AND VBA PROGRAM SETTINGS\INSTALL\DATE
Value Name: XEJJI3T7BL 		1
MutexesOccurrences
Global\5fc48401-ace7-11e9-a007-00501e3ae7b5 6
UFR3 5
XTREMEUPDATE 4
Administrator1 2
Administrator4 2
Administrator5 2
--((Mutex))-- 2
--((Mutex))--PERSIST 2
\BaseNamedObjects\--((Mutex))--EXIT 2
STUBXTREMEINJECTED 2
P@-zxRM2 2
P@-zxRM2PERSIST 2
P@-zxRM2EXIT 2
CWSPROT20S 1
Local\https://docs.microsoft.com/ 1
\BaseNamedObjects\CWSPROT20S 1
XEJJI3T7BL 1
9e47MGT34YL 1
9e47MGT34YLPERSIST 1
CoFsQ3su@ 1
yrRJ1 1
yrRJ1EXIT 1
yrRJ1PERSIST 1
\BaseNamedObjects\9e47MGT34YLEXIT 1
\BaseNamedObjects\_kuku_joker_v4.00 1
IP Addresses contacted by malware. Does not indicate maliciousnessOccurrences
217[.]69[.]139[.]160 3
23[.]62[.]7[.]138 2
208[.]185[.]118[.]89 2
13[.]107[.]21[.]200 1
204[.]79[.]197[.]200 1
172[.]217[.]9[.]238 1
94[.]100[.]180[.]160 1
208[.]100[.]26[.]251 1
206[.]189[.]61[.]126 1
192[.]30[.]253[.]113 1
151[.]101[.]0[.]133 1
72[.]22[.]185[.]201 1
193[.]166[.]255[.]171 1
152[.]199[.]4[.]33 1
65[.]55[.]44[.]109 1
20[.]36[.]253[.]92 1
151[.]101[.]64[.]133 1
151[.]101[.]192[.]133 1
85[.]17[.]31[.]122 1
178[.]162[.]203[.]211 1
5[.]79[.]71[.]205 1
85[.]17[.]31[.]82 1
96[.]17[.]236[.]131 1
104[.]107[.]7[.]25 1
23[.]32[.]81[.]118 1

*See JSON for more IOCs

Domain Names contacted by malware. Does not indicate maliciousnessOccurrences
smtp[.]mail[.]ru 4
whatismyip[.]akamai[.]com 3
5noseqwa[.]no-ip[.]info 2
a1524[.]g[.]akamai[.]net 2
mariokart[.]no-ip[.]biz 2
chan4chan[.]no-ip[.]biz 2
schema[.]org 1
www[.]google-analytics[.]com 1
stats[.]g[.]doubleclick[.]net 1
github[.]com 1
e13678[.]dspb[.]akamaiedge[.]net 1
ajax[.]aspnetcdn[.]com 1
img-prod-cms-rt-microsoft-com[.]akamaized[.]net 1
avatars0[.]githubusercontent[.]com 1
avatars1[.]githubusercontent[.]com 1
az725175[.]vo[.]msecnd[.]net 1
aka[.]ms 1
avatars3[.]githubusercontent[.]com 1
developercommunity[.]visualstudio[.]com 1
static[.]docs[.]com 1
6noseqwa[.]no-ip[.]info 1
avatars2[.]githubusercontent[.]com 1
entony[.]no-ip[.]org 1
absoluthack[.]no-ip[.]org 1
MRPIKO[.]WBH[.]HU 1

*See JSON for more IOCs

Files and or directories createdOccurrences
%TEMP%\x.html 3
%SystemRoot%\SysWOW64\hackersi.dll 3
%System32%\hackersi.dll 3
%TEMP%\~PI<random, matching [A-F0-9]{2,4}>.tmp 3
%SystemRoot%\SysWOW64\InstallDir 2
%SystemRoot%\InstallDir\Server.exe 2
%TEMP%\ïðåñåðâû.jpg 2
%APPDATA%\Microsoft\Windows\P@-zxRM2.cfg 2
%SystemRoot%\SysWOW64\InstallDir\Svchos.exe 2
%APPDATA%\Microsoft\Windows\P@-zxRM2.dat 2
%TEMP%\ .jpg 2
%System32%\InstallDir\Svchos.exe 2
%HOMEPATH%\Documents\MSDCSC\msdcsc.exe 1
%APPDATA%\Microsoft\lorinsk 1
%APPDATA%\Microsoft\upnps.exe 1
%TEMP%\report_22-07-2019_20-15-23-4F87A9367435FE0BD80DBD46B859D933-ABCC.bin 1
%TEMP%\NO_PWDS_report_22-07-2019_20-15-23-4F87A9367435FE0BD80DBD46B859D933-ABCC.bin 1
%TEMP%\report_22-07-2019_20-15-23-4F87A9367435FE0BD80DBD46B859D933-FDGM.bin 1
%TEMP%\NO_PWDS_report_22-07-2019_20-15-23-4F87A9367435FE0BD80DBD46B859D933-FDGM.bin 1
%TEMP%\fcwxfBuH5r.ini 1
%TEMP%\7h2nNSO06Q.ini 1
%APPDATA%\Microsoft\Windows\CoFsQ3su@.cfg 1
%SystemRoot%\25440efbff3a567fe49111131c0266fab38.jpg 1
%SystemRoot%\25440efbff3a567fe49111131c0266fab38.jpg.exe 1
%APPDATA%\Microsoft\Windows\CoFsQ3su@.dat 1

*See JSON for more IOCs

File Hashes

0606cb23c9f53b8733da8f468f07cc3946268e0b61e5365c4e0c68f62738f9a4
06c472a7fa697a598789f11f504b52440475645ef0cc2724632824b813834f51
10e6a8b2e0099fbf14b0321f76f0967f3d9887bda985fe44848121ddef549940
19101b1bb2a3e755719b76bb3da51a5a68edc049f7c319a34c77e971a5962d49
19e466e5bc75837312b910189374fc16d5b70b3dc6acb2ed0bbc706ea9067633
21a1d982819a068c7e90a3af6e9b87a0b16218888433b8bcb8376eaefb047406
235a23a1ca798d25cecab5a643c1d21eb2a583ff0ab4e21ebd8cf723c64d2a02
23f58dfb6c889c626e130c10eedf2edf4b752cc9447c76b6b9e0febe7f7b678c
257af09cb154acf881269aaf64cc73010ee8d56382dd4c93897e1990627ccfbd
29d41e65ef7d0b66dfc0c714f4395da21929b6a2af8105022f5a562cc7f6b774
2b47901571451ff5474dc296ef22d4d256921acb97574dbc071f10748bf7cb60
481f4de864a9837cbdc2e122bfe34899463f56ae5b15ba07c0959cda3f161afb
48455f9cd96de211b57b244fdea79023d46b047f5ea0f8e61742a34c877c7eea
4f7385b3060fcaefa29ac3f916ff39baadbea77c98cc22a1f6ae2a670a937545
5517c9483d3dfcbc9eaceb72644a2ef4c9f13d3eea113c883c195866da561347
584cbda453a9a037b5b641c8fdc3fe70765427a50633014e4dea2344049bcda4
67436d748f0c7752295bec9f3f1e4aed9412c2795bfbebbc153b3c16e67301c8
6a12cfdc5b1a52f608e83154a2afa020ce5f895fb07f60bef1eb26981ec8e16a
6aa650a6322d68336b844608cd0acaee3d39921003d620d27365c8637c2eb6b6
770ca6daee2d99bb27ac27b291fb1fcf88949ca86e0744c5b77d41bd5e44ada4
7f5c1dde2982c0294a195e362a1a94c5567feeba0e450ac25899d0bbed4c44d8
8290d1138fce94bec6379ba5989bec612b8ee728cbe869eda0b4dc79dfc01373
82f9d4b98c5388ad9436b377bb35c49f72fdafae13dadc6311115de2db5d93d7
896e26d91c4a5eaa3ac2eea1d6140ff7a3f62de61f9d28ad46d98e4a08d88541
9689cd800c21fa168fc34f7e183fd30b2b354fcaae0e5ef2411785ebbab911e5

*See JSON for more IOCs

Coverage

ProductProtection
Amp This has coverage
Cloudlock N/A
Cws This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella This has coverage
Wsa This has coverage

Screenshots of Detection

AMP

ThreatGrid

Umbrella

Exploit Prevention Cisco AMP for Endpoints protects users from a variety of malware functions with exploit prevention. Exploit prevention helps users defend endpoints from memory attacks commonly used by obfuscated malware and exploits. These exploits use certain features to bypass typical anti-virus software, but were blocked by AMP thanks to its advanced scanning capabilities, even protecting against zero-day vulnerabilities.

Excessively long PowerShell command detected - (1614)
A PowerShell command with a very long command line argument that may indicate an obfuscated script has been detected. PowerShell is an extensible Windows scripting language present on all versions of Windows. Malware authors use PowerShell in an attempt to evade security software or other monitoring that is not tuned to detect PowerShell based threats.
Madshi injection detected - (1552)
Madshi is a code injection framework that uses process injection to start a new thread if other methods to start a thread within a process fail. This framework is used by a number of security solutions. It is also possible for malware to use this technique.
Kovter injection detected - (1374)
A process was injected into, most likely by an existing Kovter infection. Kovter is a click fraud Trojan that can also act as an information stealer. Kovter is also file-less malware meaning the malicious DLL is stored inside Windows registry and injected directly into memory using PowerShell. It can detect and report the usage of monitoring software such as wireshark and sandboxes to its C2. It spreads through malicious advertising and spam campaigns.
Trickbot malware detected - (666)
Trickbot is a banking Trojan which appeared in late 2016. Due to the similarities between Trickbot and Dyre, it is suspected some of the individuals responsible for Dyre are now responsible for Trickbot. Trickbot has been rapidly evolving over the months since it has appeared. However, Trickbot is still missing some of the capabilities Dyre possessed. Its current modules include DLL injection, system information gathering, and email searching.
Process hollowing detected - (381)
Process hollowing is a technique used by some programs to avoid static analysis. In typical usage, a process is started and its obfuscated or encrypted contents are unpacked into memory. The parent then manually sets up the first stages of launching a child process, but before launching it, the memory is cleared and filled in with the memory from the parent instead.
Gamarue malware detected - (183)
Gamarue is a family of malware that can download files and steal information from an infected system. Worm variants of the Gamarue family may spread by infecting USB drives or portable hard disks that have been plugged into a compromised system.
Dealply adware detected - (130)
DealPly is adware, which claims to improve your online shopping experience. It is often bundled into other legitimate installers and is difficult to uninstall. It creates pop-up advertisements and injects advertisements on webpages. Adware has also been known to download and install malware.
Installcore adware detected - (49)
Install core is an installer which bundles legitimate applications with offers for additional third-party applications that may be unwanted. The unwanted applications are often adware that display advertising in the form of popups or by injecting into browsers and adding or altering advertisements on webpages. Adware is known to sometimes download and install malware.
WinExec payload detected - (42)
An exploit payload intended to execute commands on an attacker controlled host using WinExec has been detected.
PowerShell file-less infection detected - (25)
A PowerShell command was stored in an environment variable and run. The environment variable is commonly set by a previously run script and is used as a means of evasion. This behavior is a known tactic of the Kovter and Poweliks malware families.