Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Sept. 3 and Sept. 10. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.
As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org , or ClamAV.net .
For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. A visual depiction of the MITRE ATT&CK techniques associated with each threat is also shown. In these images, the brightness of the technique indicates how prevalent it is across all threat files where dynamic analysis was conducted. There are five distinct shades that are used, with the darkest indicating that no files exhibited technique behavior and the brightest indicating that technique behavior was observed from 75 percent or more of the files.
The most prevalent threats highlighted in this roundup are:
Threat Name Type Description Win.Malware.Razy-9891222-0
Malware
Razy is oftentimes a generic detection name for a Windows trojan. It collects sensitive information from the infected host and encrypts the data, eventually sending it to a command and control (C2) server. Information collected might include screenshots. The samples modify auto-execute functions by setting and creating a value in the registry for persistence.
Win.Trojan.DarkComet-9890268-1
Trojan
DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system. Capabilities of this malware include the ability to download files from a user's machine, mechanisms for persistence and hiding, and the ability to send back usernames and passwords from the infected system.
Win.Dropper.Upatre-9891078-1
Dropper
Upatre is a malicious downloader often used by exploit kits and phishing campaigns. Upatre downloads and executes malicious executables, such as banking malware.
Win.Malware.Tofsee-9890511-1
Malware
Tofsee is multi-purpose malware that features a number of modules used to carry out various activities such as sending spam messages, conducting click fraud, mining cryptocurrency, and more. Infected systems become part of the Tofsee spam botnet and are used to send large volumes of spam messages to infect additional systems and increase the size of the botnet under the operator's control.
Win.Dropper.Ramnit-9890464-0
Dropper
Ramnit is a banking trojan that monitors web browser activity on an infected machine and collects login information from financial websites. It also can steal browser cookies and attempts to hide from popular antivirus software.
Win.Packed.Nymaim-9890476-1
Packed
Nymaim is malware that can deliver ransomware and other malicious payloads. It uses a domain generation algorithm to generate potential C2 domains to connect to additional payloads.
Win.Trojan.Chthonic-9890512-1
Trojan
Chthonic is a banking trojan derived from the Zeus family of banking malware. It is typically spread via phishing emails and steals sensitive information from an infected machine. Chthonic has also been observed downloading follow-on malware such as Azorult, another information stealer.
Win.Malware.Zusy-9891219-0
Malware
Zusy, also known as TinyBanker or Tinba, is a trojan that uses man-in-the-middle attacks to steal banking information. When executed, it injects itself into legitimate Windows processes such as "explorer.exe" and "winver.exe." When the user accesses a banking website, it displays a form to trick the user into submitting personal information.
Win.Packed.Dridex-9890608-1
Packed
Dridex is a well-known banking trojan that steals credentials and other sensitive information from an infected machine.
Threat Breakdown Win.Malware.Razy-9891222-0 Indicators of Compromise IOCs collected from dynamic analysis of 14 samples Registry Keys Occurrences <HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\159
3
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences 103[.]88[.]33[.]222
11
58[.]216[.]118[.]228
4
58[.]216[.]118[.]224
4
47[.]91[.]170[.]222
3
Domain Names contacted by malware. Does not indicate maliciousness Occurrences o4qa2f[.]cn
14
test[.]besthotel360[.]com
4
http[.]besthotel360[.]com
4
Files and or directories created Occurrences \TEMP\Config.ini
4
\4AwGEGfGA3h.exe
2
\HgJT01uTL.exe
1
\TEMP\6pp0O2.exe
1
%TEMP%\9RLV6zkZOU3Z8D
1
%TEMP%\9RLV6zkZOU3Z8D\....
1
\TEMP\42PWRiTEYEkT.exe
1
%TEMP%\Wxkm8L3ax
1
%TEMP%\Wxkm8L3ax\....
1
\TEMP\Ekme9xLaS1V.exe
1
%TEMP%\H8iQr
1
%TEMP%\H8iQr\....
1
\TEMP\8gKcGE0KKCU8lE.exe
1
\TEMP\zmxnSBFD0aBbnl.exe
1
%TEMP%\LHgT369hjDu
1
\TEMP\CgKpP1tuLvMVtw.exe
1
%TEMP%\0Hg6HRxSkwm
1
%TEMP%\0Hg6HRxSkwm\....
1
%TEMP%\cn4FJFizFBb
1
%TEMP%\LHgT369hjDu\....
1
%TEMP%\cn4FJFizFBb\....
1
\TEMP\HwJvG0Xp.exe
1
%TEMP%\jXfMX
1
%TEMP%\jXfMX\....
1
\TEMP\3UfJlWyhXZZ.exe
1
*See JSON for more IOCs
File Hashes 012dc012f809d3d94f65e92d05414e07c533c9e33c9d8bf46ce01596e69cccb1
056b88b77183c14ee11ab4713821a182ee7af81e3f2aa1582b42120a0a86d783
35e900550c33c17c135e6533bc65221bb6a4b6a71c43e253c920c53a63899341
4283f0193b064e88faa422058167327c873dad1552433040f96c8813a5e8a9e4
6580caefd51964f714dee00e378bda1f2af75c073dee8142dbf6aacc34481a42
796a51500ea42301926a39aef70abfa445e8d2309dcad857b2f495eb9cf57fa3
acf1353a0601836fb7e1ab71de98d99458c993cb3e0e159c340daf5214935fcd
aef4e47eaa6f3ce6b07419bf10e79c86d5e3817ad35a664f45ba77576a1c6ab9
c3165aa927f5fa0e9c70a99a7a7cce9c8974304372f62c6c9fc380bcc322a6c6
c41983f9d48a4a421e2e97d95f615cc1f7514d2a4f087e7e7d6b824d69b8014f
e9dbf668c99239a1db23b9b169eb1f4b31823b2c2fcf4bfb01828590d57db794
f7a8ccffd1992f80a2de8549f817ce829f6e0a021c32dee2e59887f9fe4df8a7
fab6fee261abbb56112af5b82b36c2b9bccefdd7f996349746517ea1c5d6e3d6
fdc64d0401630ccb10b6d8fa9847988340ef156f2219f31acb436e2cb3f72a6d
Coverage Product Protection AMP
Cloudlock
N/A
CWS
Email Security
Network Security
N/A
Stealthwatch
N/A
Stealthwatch Cloud
N/A
Threat Grid
Umbrella
N/A
WSA
N/A
Screenshots of Detection AMP
ThreatGrid
MITRE ATT&CK Win.Trojan.DarkComet-9890268-1 Indicators of Compromise IOCs collected from dynamic analysis of 17 samples Registry Keys Occurrences <HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\159
16
<HKCU>\SOFTWARE\DC3_FEXEC
10
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
Value Name: UserInit
6
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM
Value Name: DisableTaskMgr
3
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM
Value Name: EnableLUA
3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC
Value Name: Start
3
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM
Value Name: DisableRegistryTools
3
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM
3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE
Value Name: EnableFirewall
2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE
Value Name: DisableNotifications
2
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: AntiVirusDisableNotify
2
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: UpdatesDisableNotify
2
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\CURRENTVERSION\EXPLORERN
Value Name: NoControlPanel
2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: MicroUpdate
2
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\CURRENTVERSION
2
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\CURRENTVERSION\EXPLORERN
2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: DarkComet RAT
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT SCRIPT HOST\MICROSOFT DXDIAG\WINSETTINGS
Value Name: Bulas
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT SCRIPT HOST\MICROSOFT DXDIAG\WINSETTINGS
Value Name: FW_KILL
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT SCRIPT HOST\MICROSOFT DXDIAG\WINSETTINGS
Value Name: XP_FW_Disable
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT SCRIPT HOST\MICROSOFT DXDIAG\WINSETTINGS
Value Name: XP_SYS_Recovery
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT SCRIPT HOST\MICROSOFT DXDIAG\WINSETTINGS
Value Name: Port
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT SCRIPT HOST\MICROSOFT DXDIAG\WINSETTINGS
Value Name: LanNotifie
1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN
Value Name: DirectX For Microsoft® Windows
1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{5Y99AE78-58TT-11DW-BE53-Y67078979Y}
Value Name: StubPath
1
Mutexes Occurrences DC_MUTEX-<random, matching [A-Z0-9]{7}>
6
DCPERSFWBP
3
_x_X_BLOCKMOUSE_X_x_
2
_x_X_PASSWORDLIST_X_x_
2
_x_X_UPDATE_X_x_
2
DCMIN_MUTEX-6JEE131
1
DCMIN_MUTEX-8V8XHPG
1
DCMIN_MUTEX-FD396R8
1
DCMIN_MUTEX-EDJ525M
1
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences 23[.]36[.]85[.]183
3
23[.]38[.]131[.]139
3
23[.]78[.]173[.]83
3
44[.]238[.]161[.]76
3
52[.]34[.]145[.]111
3
94[.]73[.]36[.]254
2
140[.]82[.]113[.]3
2
23[.]10[.]88[.]237
2
13[.]107[.]213[.]40
2
52[.]24[.]23[.]122
2
104[.]104[.]80[.]110
2
52[.]37[.]141[.]62
2
13[.]107[.]21[.]200
1
104[.]18[.]11[.]39
1
140[.]82[.]113[.]4
1
140[.]82[.]112[.]3
1
13[.]107[.]22[.]200
1
185[.]199[.]110[.]133
1
185[.]199[.]108[.]133
1
185[.]199[.]111[.]133
1
13[.]107[.]246[.]40
1
52[.]26[.]168[.]11
1
52[.]42[.]128[.]29
1
34[.]214[.]179[.]131
1
54[.]186[.]176[.]112
1
*See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousness Occurrences github[.]com
3
docs[.]microsoft[.]com
3
go[.]microsoft[.]com
3
wcpstatic[.]microsoft[.]com
3
www[.]bing[.]com
3
e11290[.]dspg[.]akamaiedge[.]net
3
avatars[.]githubusercontent[.]com
3
js[.]monitor[.]azure[.]com
3
kurbanlikkoyun[.]sytes[.]net
3
e13630[.]dscb[.]akamaiedge[.]net
2
prod-tp[.]sumo[.]mozit[.]cloud
2
support[.]mozilla[.]org
2
cacerts[.]digicert[.]com
1
yunuspalon[.]noip[.]me
1
fedai007[.]no-ip[.]biz
1
mubarhack[.]no-ip[.]biz
1
Files and or directories created Occurrences %APPDATA%\dclogs
10
%LOCALAPPDATA%\Mozilla\Firefox\Profiles\ogpxv0ba.default\safebrowsing-updating\test-harmful-simple.sbstore
3
%LOCALAPPDATA%\Mozilla\Firefox\Profiles\ogpxv0ba.default\safebrowsing-updating\test-harmful-simple.sbstore (copy)
3
%LOCALAPPDATA%\Mozilla\Firefox\Profiles\ogpxv0ba.default\safebrowsing-updating\test-malware-simple-1.sbstore
3
%LOCALAPPDATA%\Mozilla\Firefox\Profiles\ogpxv0ba.default\safebrowsing-updating\test-malware-simple.pset
3
%LOCALAPPDATA%\Mozilla\Firefox\Profiles\ogpxv0ba.default\safebrowsing-updating\test-malware-simple.sbstore
3
%LOCALAPPDATA%\Mozilla\Firefox\Profiles\ogpxv0ba.default\safebrowsing-updating\test-malware-simple.sbstore (copy)
3
%LOCALAPPDATA%\Mozilla\Firefox\Profiles\ogpxv0ba.default\safebrowsing-updating\test-phish-simple-1.sbstore
3
%LOCALAPPDATA%\Mozilla\Firefox\Profiles\ogpxv0ba.default\safebrowsing-updating\test-phish-simple.pset
3
%LOCALAPPDATA%\Mozilla\Firefox\Profiles\ogpxv0ba.default\safebrowsing-updating\test-phish-simple.sbstore
3
%LOCALAPPDATA%\Mozilla\Firefox\Profiles\ogpxv0ba.default\safebrowsing-updating\test-phish-simple.sbstore (copy)
3
%LOCALAPPDATA%\Mozilla\Firefox\Profiles\ogpxv0ba.default\safebrowsing-updating\test-track-simple-1.sbstore
3
%LOCALAPPDATA%\Mozilla\Firefox\Profiles\ogpxv0ba.default\safebrowsing-updating\test-track-simple.pset
3
%LOCALAPPDATA%\Mozilla\Firefox\Profiles\ogpxv0ba.default\safebrowsing-updating\test-track-simple.sbstore
3
%LOCALAPPDATA%\Mozilla\Firefox\Profiles\ogpxv0ba.default\safebrowsing-updating\test-track-simple.sbstore (copy)
3
%LOCALAPPDATA%\Mozilla\Firefox\Profiles\ogpxv0ba.default\safebrowsing-updating\test-trackwhite-simple-1.sbstore
3
%LOCALAPPDATA%\Mozilla\Firefox\Profiles\ogpxv0ba.default\safebrowsing-updating\test-trackwhite-simple.pset
3
%LOCALAPPDATA%\Mozilla\Firefox\Profiles\ogpxv0ba.default\safebrowsing-updating\test-trackwhite-simple.sbstore
3
%LOCALAPPDATA%\Mozilla\Firefox\Profiles\ogpxv0ba.default\safebrowsing-updating\test-trackwhite-simple.sbstore (copy)
3
%LOCALAPPDATA%\Mozilla\Firefox\Profiles\ogpxv0ba.default\safebrowsing-updating\test-unwanted-simple-1.sbstore
3
%LOCALAPPDATA%\Mozilla\Firefox\Profiles\ogpxv0ba.default\safebrowsing-updating\test-unwanted-simple.pset
3
%LOCALAPPDATA%\Mozilla\Firefox\Profiles\ogpxv0ba.default\safebrowsing-updating\test-unwanted-simple.sbstore
3
%LOCALAPPDATA%\Mozilla\Firefox\Profiles\ogpxv0ba.default\safebrowsing-updating\test-unwanted-simple.sbstore (copy)
3
%LOCALAPPDATA%\Mozilla\Firefox\Profiles\ogpxv0ba.default\startupCache\scriptCache-new.bin
3
%LOCALAPPDATA%\Mozilla\Firefox\Profiles\ogpxv0ba.default\startupCache\scriptCache.bin (copy)
3
*See JSON for more IOCs
File Hashes 0c9e25ae663a02c16684fc6117211d541047cf581b41712b336ee5c75be623d2
1d5d6219a7cba722842dc9fda70563ae5a1e98ce8eae0c039950978842ae5239
207ef9516ae65918a1f0b7cefe61b88bd50f573620552b4fc55f3e353652c655
2df2e7bc6ece168068b0bbad79f4341505b4a6476a149b959a3d2fff32284b22
3aa47ba611ca682157f941f6ca6a8162cd52fbfe48af41364d2e833ac2dd1e0c
3fb315bf129311f7d2049e6389e579d2ffba05c8475507e4c9175a254d0cd66d
59a3dbaaef20f2e7e6db5f12815e3a8fdaa514a8ad469affb508a15ff2a6cb1b
63de8e57cde2b28aafe98139387edd337ad9cf2ff6bd6b6dd2f23e0fa8c6d2d7
6b9364e52522220fed5f2c2dce530c5817ed50542a9d00893434fcf4dd1b6f31
915986e9f6ecb814d4c5321fc9f74bfe3436e7d4d79428922e7257ea9d8c2c77
a03c55746fdfca47e1d330fbbde77a0f88de57501af179a1a7fab5b5d9eea74e
a6d87dcde17345d9a5758b0b6abff41c16fd02f2db4c615a8dff1a1bc86b09f1
b9d58b8be3dcb3408db5959914c745f33b2d4799255f280b783c833e0aa8882f
d41d5255fe1387ddaa4dadd14e57254fe4d77385862a8306874facd9ba50178f
f302cacd51bba40b0cc019c29cdbb5dc41ab023b9d90c174788d44397d6689fc
f8fca62ee4ac303df8077749e57297b7752747de8964c01f2daf6033810f3fe5
fec6d6c406eecfa96d84711c07696daa851a1da45177b788e9f379e09d5d6f7b
Coverage Product Protection AMP
Cloudlock
N/A
CWS
Email Security
Network Security
Stealthwatch
N/A
Stealthwatch Cloud
N/A
Threat Grid
Umbrella
N/A
WSA
N/A
Screenshots of Detection AMP
ThreatGrid
MITRE ATT&CK Win.Dropper.Upatre-9891078-1 Indicators of Compromise IOCs collected from dynamic analysis of 16 samples Registry Keys Occurrences <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: wextract_cleanup0
16
<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\159
15
<HKCU>\SOFTWARE\BROWSEROFDEA\BROWSEROFDEA
11
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS DEFENDER\REAL-TIME PROTECTION
Value Name: DisableBehaviorMonitoring
8
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS DEFENDER\REAL-TIME PROTECTION
Value Name: DisableOnAccessProtection
8
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS DEFENDER\REAL-TIME PROTECTION
Value Name: DisableScanOnRealtimeEnable
8
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS DEFENDER\REAL-TIME PROTECTION
Value Name: DisableIOAVProtection
8
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS DEFENDER
8
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS DEFENDER\REAL-TIME PROTECTION
8
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS DEFENDER\REAL-TIME PROTECTION
Value Name: DisableRawWriteNotification
8
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\ACTIVEMOVIE
8
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS DEFENDER\REAL-TIME PROTECTION
Value Name: DisableRealtimeMonitoring
8
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\ACTIVEMOVIE\DEVENUM 64-BIT
8
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\ACTIVEMOVIE\DEVENUM 64-BIT
Value Name: Version
8
<HKLM>\SOFTWARE\CLASSES\CLSID\{1DR57FKR-8LH5-APDI-WL15-D7E36D092O6R}
8
<HKLM>\SOFTWARE\CLASSES\CLSID\{0JM26DTV-2IP2-VVKK-WQ72-M5P76R119V7P}
8
<HKLM>\SOFTWARE\CLASSES\CLSID\{3IM35UGV-5AZ2-MYEB-TR30-E5J75Y142M0Z}
8
<HKLM>\SOFTWARE\CLASSES\CLSID\{5BI26ZPE-2CT2-LOXC-YG96-J1B76T524D3T}
8
<HKLM>\SOFTWARE\CLASSES\CLSID\{5BI26ZPE-2CT2-LOXC-YG96-J1B76T524D3T}
Value Name: 1
8
<HKLM>\SOFTWARE\CLASSES\CLSID\{1DR57FKR-8LH5-APDI-WL15-D7E36D092O6R}
Value Name: 1
8
<HKLM>\SOFTWARE\CLASSES\CLSID\{3IM35UGV-5AZ2-MYEB-TR30-E5J75Y142M0Z}
Value Name: 1
8
<HKLM>\SOFTWARE\CLASSES\CLSID\{0JM26DTV-2IP2-VVKK-WQ72-M5P76R119V7P}
Value Name: 1
8
<HKCU>\SOFTWARE\BROWSEROFDEA
8
<HKCU>\SOFTWARE\BROWSEROFDEA\BROWSEROFDEA
Value Name: path
8
<HKCU>\SOFTWARE\MICROSOFT\A1890984
Value Name: PatchTime
1
Mutexes Occurrences Global\<random guid>
11
eed3bd3a-a1ad-4e99-987b-d7cb3fcfa7f0 - S-1-5-18
8
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences 88[.]99[.]66[.]31
16
185[.]215[.]113[.]15
13
74[.]114[.]154[.]22
11
172[.]67[.]176[.]199
11
37[.]0[.]10[.]236/31
11
162[.]159[.]135[.]233
9
172[.]67[.]222[.]125
9
208[.]95[.]112[.]1
8
162[.]159[.]130[.]233
8
74[.]114[.]154[.]18
8
34[.]117[.]59[.]81
8
34[.]97[.]69[.]225
8
37[.]0[.]8[.]235
8
104[.]21[.]70[.]98
8
31[.]31[.]196[.]102
8
37[.]0[.]11[.]8
8
37[.]0[.]10[.]214
8
194[.]145[.]227[.]159
8
185[.]92[.]73[.]174
8
162[.]159[.]134[.]233
7
172[.]67[.]153[.]179
6
104[.]21[.]5[.]208
6
172[.]67[.]133[.]215
6
104[.]21[.]85[.]232
6
104[.]21[.]17[.]130
5
*See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousness Occurrences s[.]lletlee[.]com
16
live[.]goatgame[.]live
16
iplogger[.]org
14
lenak513[.]tumblr[.]com
14
cdn[.]discordapp[.]com
12
ip-api[.]com
8
ipinfo[.]io
8
google[.]vrthcobj[.]com
8
i[.]spesgrt[.]com
8
wfsdragon[.]ru
8
ifarlab[.]com
8
softusa[.]info
8
aa[.]goatgamea[.]com
8
foxyinternetdownloadmanager[.]com
8
a767[.]dspw65[.]akamai[.]net
6
payments-online[.]xyz
6
drbpbukqxjgjxlbjzpni[.]drbpbukqxjgjxlbjzpni
6
watira[.]xyz
5
marisana[.]xyz
5
bb[.]goatgameb[.]com
5
eurekabike[.]com
5
manager4youdrivers[.]ru
5
2551889d-a2db-4908-a9a2-6b0fab0a7a78[.]s3[.]eu-west-2[.]amazonaws[.]com
5
qwertys[.]info
4
allblockchainsolutions[.]xyz
4
*See JSON for more IOCs
Files and or directories created Occurrences %TEMP%\sqlite.dat
15
%TEMP%\sqlite.dll
15
%LOCALAPPDATA%\Microsoft\CLR_v4.0_32\UsageLogs\<exe name>.log
14
%TEMP%\LzmwAqmV.exe
11
%TEMP%\IXP000.TMP\H
8
%HOMEPATH%\Documents\b6N2Xdh3CYw5lop_S5WM5ERo.dll
8
%TEMP%\Chrome 5.exe
7
%TEMP%\IXP000.TMP\K
6
%TEMP%\IXP000.TMP\Dal.pdf
6
%TEMP%\IXP000.TMP\Dir.pdf
6
%TEMP%\IXP000.TMP\Vai.pdf
6
%TEMP%\IXP000.TMP\Verita.pdf
6
%TEMP%\IXP000.TMP\Volevo.exe.com
6
%TEMP%\IXP000.TMP\Cercare.xlam
6
%TEMP%\IXP000.TMP\Conservava.xlam
6
%TEMP%\IXP000.TMP\Passaggio.xlam
6
%TEMP%\IXP000.TMP\Suoi.xlam
6
%TEMP%\IXP000.TMP\Talune.exe.com
6
%System32%\Tasks\services64
4
%APPDATA%\services64.exe
4
%TEMP%\dcc7975c8a99514da06323f0994cd79b.exe
4
%TEMP%\BearVpn 3.exe
4
%TEMP%\IXP000.TMP\Dai.doc
4
%TEMP%\IXP000.TMP\Del.doc
4
%TEMP%\IXP000.TMP\Sguardo.doc
4
*See JSON for more IOCs
File Hashes 500cdb14740fb8624dc8a392e2f6b6dce4e0ea6e651f3339528186661d004367
59babf45239a61449061a606bd3f578c3caf0d604c1b9db4504e74582c6a4d30
5ad7bfb790fc652df60360024af60578790930bb78489aabf352eae3fff103fb
5e0dc47ad46d9518cab8c9dc50bcbbdd2fdc80929e106f06cfba8ff9f33c4731
66bd98c6adec4e82f68d240aef5a1fd1031686b9f1528cb45046f2601b01a4ed
71fc5c463e1ff79747d4e4b592ed388473ebbe9e244efcbbbc490847dee9c6a2
7d8461e69a04060320dc818d2bd21f70dffe0e1490a477ef412a682b96c6e65a
8af50ce0ca5b165006440e1dc064a53de49343c40a6aaec015fdbba85a4545e8
8ba4bd3b729779ced975109d4c7c427baf7ab6b011bf9ac1c0ea0419c102bb60
8eba93076a641eb00e13ead65541c11a13e3b38e2179df07e79403990256ed7f
962c871c4fc7f41cecd20d3dfc5bba758b1995afaf8ccd2cde99fc81d2c975cf
a0529bad7cecaa1b85e963a104612e6c04cf144bd706e6ca472acdc929a93a08
a76df46e8dc156833ad68ec8c83f05b15eda29cc2ef1f6b77536d0d8043fb119
b89fdf606986324fa9260f434dc1561d716985d0886fba180b88f3afb9dec729
ba0da6a3639ca5192cc50b70f1b9e5bb86be36a53a8b1cfacf3f5f35d2ab5c0b
f016c626150ee3f1f378c923441e15548bda33100c500065b710044c963c24b8
Coverage Product Protection AMP
Cloudlock
N/A
CWS
Email Security
Network Security
Stealthwatch
N/A
Stealthwatch Cloud
N/A
Threat Grid
Umbrella
WSA
Screenshots of Detection AMP
ThreatGrid
MITRE ATT&CK Win.Malware.Tofsee-9890511-1 Indicators of Compromise IOCs collected from dynamic analysis of 31 samples Registry Keys Occurrences <HKU>\.DEFAULT\CONTROL PANEL\BUSES
31
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
31
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: Type
31
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: Start
31
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: ErrorControl
31
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: DisplayName
31
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: WOW64
31
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: ObjectName
31
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: Description
31
<HKU>\.DEFAULT\CONTROL PANEL\BUSES
Value Name: Config1
31
<HKU>\.DEFAULT\CONTROL PANEL\BUSES
Value Name: Config0
31
<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\159
30
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: ImagePath
27
<HKU>\.DEFAULT\CONTROL PANEL\BUSES
Value Name: Config2
21
<HKU>\.DEFAULT\CONTROL PANEL\BUSES
Value Name: Config3
21
<HKU>\.DEFAULT\CONTROL PANEL\BUSES
Value Name: Config4
20
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\unbhgouj
3
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\kdrxwekz
3
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\rkyedlrg
3
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\vocihpvk
3
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\mftzygmb
3
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\gzntsagv
2
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\exlrqyet
2
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\buionvbq
2
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\slzfemsh
2
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences 43[.]231[.]4[.]7
31
193[.]56[.]146[.]188
31
5[.]61[.]37[.]41
21
95[.]216[.]195[.]92
21
213[.]227[.]140[.]23
21
193[.]56[.]146[.]41
21
193[.]56[.]146[.]42/31
21
192[.]0[.]47[.]59
20
157[.]240[.]229[.]174
17
40[.]93[.]207[.]0/31
16
67[.]195[.]204[.]72/30
14
216[.]146[.]35[.]35
13
104[.]44[.]194[.]232/31
13
208[.]76[.]51[.]51
12
64[.]233[.]184[.]26/31
12
199[.]71[.]0[.]46
11
209[.]85[.]202[.]26/31
11
142[.]250[.]153[.]26/31
11
96[.]114[.]157[.]80
10
208[.]76[.]50[.]50
10
209[.]85[.]201[.]26/31
10
142[.]250[.]80[.]4
10
74[.]208[.]5[.]20
9
40[.]76[.]4[.]15
9
212[.]77[.]101[.]4
9
*See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousness Occurrences 249[.]5[.]55[.]69[.]in-addr[.]arpa
31
microsoft-com[.]mail[.]protection[.]outlook[.]com
31
microsoft[.]com
31
lazystax[.]ru
31
249[.]5[.]55[.]69[.]bl[.]spamcop[.]net
21
249[.]5[.]55[.]69[.]cbl[.]abuseat[.]org
21
249[.]5[.]55[.]69[.]dnsbl[.]sorbs[.]net
21
249[.]5[.]55[.]69[.]sbl-xbl[.]spamhaus[.]org
21
249[.]5[.]55[.]69[.]zen[.]spamhaus[.]org
21
www[.]google[.]com
21
whois[.]arin[.]net
20
whois[.]iana[.]org
20
mta5[.]am0[.]yahoodns[.]net
20
mx1[.]hotmail[.]com
20
mta6[.]am0[.]yahoodns[.]net
19
mx2[.]hotmail[.]com
19
mta7[.]am0[.]yahoodns[.]net
18
www[.]instagram[.]com
17
mx3[.]hotmail[.]com
17
mx4[.]hotmail[.]com
17
trends[.]google[.]com
11
alt2[.]gmail-smtp-in[.]l[.]google[.]com
11
alt4[.]gmail-smtp-in[.]l[.]google[.]com
11
alt3[.]gmail-smtp-in[.]l[.]google[.]com
11
gmail-smtp-in[.]l[.]google[.]com
10
*See JSON for more IOCs
Files and or directories created Occurrences %SystemRoot%\SysWOW64\config\systemprofile
31
%SystemRoot%\SysWOW64\config\systemprofile:.repos
31
%SystemRoot%\SysWOW64\<random, matching '[a-z]{8}'>
31
%TEMP%\<random, matching '[a-z]{8}'>.exe
30
%System32%\<random, matching '[a-z]{7,8}'>\<random, matching '[a-z]{6,8}'>.exe (copy)
28
%System32%\config\systemprofile:.repos
19
%TEMP%\yavbuhr.exe
1
%TEMP%\fhciboy.exe
1
%TEMP%\dfagzmw.exe
1
File Hashes 0980ad37745920fbb5ad0fb8e5553383bc12f22a945efe4c8bccb8c3eedbc8d2
0f6e6f9d9ae54e307124d705bf75ef4ffc983e3ef58be63877ad911ff58d6890
10f718f754ee2cfae23cf774e2c9dc99ddd6bcb8bc8a696eebd5bcca5a96b81e
183dd3a5af4f3d67cc8c812b90e7b32136eef7b09640cb6ac1d4d17297c73b6a
185af4b1155181a6de707fa3c183bff818c71fc706d2fc85d01b542f4a596e7a
3cfff524b4df8025a8adf797e91c874140c476b0bda4dac49f1adde92206e569
3fe61480f815bc679d95952f0e1e8b4ab36a489aabe25c6f057f5df83599f289
429cfefdd30c15864e56173ffc0d002ee1e9b7f4ae8d72af438a1ba3ca56fffa
47c9cc81b1e34bf9e6250217ac8a712683d74677b6fe7af45a5a0087a297df9c
500c95174934f0c3e42d6a6f71567f48566214ce2c579991f3f12b385d25e733
558404f70257893f0efa21d65a5eb6b4314dcdd1f730ea168eeb7895581fda1b
55a04083e4a4f0f0c72f8a6540f337dd68fa3fb3bf271cf949630094fc87cf16
5fff7f937abfb11b547f104d496746918b23bc6d7edc60d05579f38d5b6ace11
6108a5310dfb09c55b1d5dcfd51f84cc67a654cc1b32e0227b728ff8f68bb038
6940d89647dc8ba30f96cca899b17dd27b7a5f24a18f0bb0c9a49e44131e9553
6a1941a1fc965c2a718dbdda6578d70ecf912490d1708205b89969ef262c5185
7224657179522ae773c8c5b0fb8f22b4f5f584083063f37c15aad609d834ba64
744855cfea24112a74641509acce9de09ad17b673c9513dbb18d25f0e3c35f47
8b752e72fd7e23ad0595b7389e4e56b337221f624c0f73c650e6f959998cdaac
8b9d92bb8df532a60bbdca5a035a7f1a65e319d576f3df73cd3dc187aad2e312
8e1d637127fcc3f8ba513194dd37c315e7df0c5a1d48bbe01be79dc02042657b
965e6260010cd104c80c6b3a3cc4c796799f2a65a6c6e152a159ea1150206877
9cba459a2b09a5415f1718e26c14102aeb3e7f9d617e5849486636a5275ba9bf
b1790cfae625dfa20573f73fb03accf5b899062e2de6b4c0f9c2cc3b133262b3
badafb0fd432b51fa6fe355209eb17cb1168e384565a95f6b6bd9721c9833f57
*See JSON for more IOCs
Coverage Product Protection AMP
Cloudlock
N/A
CWS
Email Security
Network Security
Stealthwatch
N/A
Stealthwatch Cloud
N/A
Threat Grid
Umbrella
WSA
Screenshots of Detection AMP
ThreatGrid
MITRE ATT&CK Win.Dropper.Ramnit-9890464-0 Indicators of Compromise IOCs collected from dynamic analysis of 25 samples Registry Keys Occurrences <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: AntiVirusOverride
25
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: AntiVirusDisableNotify
25
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: FirewallDisableNotify
25
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: FirewallOverride
25
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: UpdatesDisableNotify
25
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: UacDisableNotify
25
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM
Value Name: EnableLUA
25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE
Value Name: EnableFirewall
25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE
Value Name: DoNotAllowExceptions
25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE
Value Name: DisableNotifications
25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC
Value Name: Start
25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDEFEND
Value Name: Start
25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MPSSVC
Value Name: Start
25
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION
Value Name: jfghdug_ooetvtgk
25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: JudCsgdy
25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WUAUSERV
Value Name: Start
25
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Windows Defender
25
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
Value Name: Userinit
25
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
Value Name: Userinit
25
Mutexes Occurrences {7930D12C-1D38-EB63-89CF-4C8161B79ED4}
25
{<random GUID>}
25
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences 72[.]26[.]218[.]70
25
195[.]201[.]179[.]207
25
208[.]100[.]26[.]245
25
46[.]165[.]220[.]155
25
63[.]251[.]235[.]76
25
142[.]250[.]176[.]206
25
Domain Names contacted by malware. Does not indicate maliciousness Occurrences google[.]com
25
gjvoemsjvb[.]com
25
ahpygyxe[.]com
25
msoalrhvphqrnjv[.]com
25
rdslmvlipid[.]com
25
jpcqdmfvn[.]com
25
rrmlyaviljwuoph[.]com
25
maajnyhst[.]com
25
enbbojmjpss[.]com
25
oqmfrxak[.]com
25
tdccjwtetv[.]com
25
tpxobasr[.]com
25
xpdsuvpcvrcrnwbxqfx[.]com
25
fbrlgikmlriqlvel[.]com
25
boeyrhmrd[.]com
25
ugcukkcpplmouoah[.]com
25
gugendolik[.]com
25
Files and or directories created Occurrences %LOCALAPPDATA%\bolpidti
25
%LOCALAPPDATA%\bolpidti\judcsgdy.exe
25
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\judcsgdy.exe
25
%LOCALAPPDATA%\<random, matching '[a-z]{7,8}'>\<random, matching '[a-z]{6,8}'>.exe
25
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\<random, matching '[a-z]{8}'>.exe
25
File Hashes 092bd0e4f22e7454750b913519b5ffa49152c2bcaddb20353d2bf46d28a9d21f
0e8baababb41f036b098cdaf9944e58998c701c7da1b06a0df2df747dbd04598
0faa9c1ad028e454bbc362b13422a6b734bfd2641411b2296d559a8159b862d8
14c16cec3242a1b510579246314914a50f08fe1557387fdd3e5afc53f2035923
21c618a49056a3a4094443ae772576840f7422d434587087e14542036c345564
2768b3390cc361e57d2ae2d753a6f6d7c9a578f663b25e920661935dee194f1f
316c147d72e41a0a178e077c3f1d1976852bc5a39b0ac7d944963663f6307b4b
360ad9536ea046b76b749f39d43c7bf8ee36a3e255b6911c41ffb9198fba990d
3722b3b1b952e1d32be26a3a4338025604b50aef4072083e2bdd523e066d734b
3954c07addca46c6bed8690846af18d199584cf16fca9c5b12b0551d0ef5ba7c
5a11cb1704af873b6b7bdf3e46d778e3dd930fa5440ae64aa3d4c02736dcfd60
6499a0e6cdd081a25f52a7b07b3642e781c4efa3c4c28cf46ee412b95b74a5bb
6ccbafb918d327a7250c0878599226074c8b583e8c41eccfc67443cda46d1c58
6f6c926ea48a8bdad90d3acf3218aa26cedb13f5d12303ec41d211292dcb4bea
754020992a05597524d6da13fe0e2509cf119d85b939f0921b3822b7916b45ab
819f1b73883c0269751c89fc361a2041e78b03e890b9db1aecacedf56db38245
84a0d07766a9e6bf84e453f9d05743c9bb77230a408563cb9772c331d1d19041
97ef9686e34eced47e0697ec687390d9e61c2dfdbb18c3d7b094298f6b597b1d
9b49b7858e1d28f09b654e792ccd3e65dadcea23f1900ce6fa1dbb3da06fe440
ad237fdcdd4afa150e1a517933de1684f335834b6416330d1cec61401cae94fa
d4bdd7eb06cc6b07de8b9f25101f612b81c99d5cd84cc1b4632b13fcc63aae8f
d92e41245d4511610d3698f674fcd236b0fbede55343da87aff3c02ad2c101c1
e64b148bb9ce76e4f7cc34121fcb9b8d8ed86ae00fa54b970257135586e00a54
e659f36426ac76fcb3f80b7165eeacb0364e976e0a5363ad5396f452ba9117fd
e8530e36d974d45eae79a64cb16938c8001397e9429da1573a863f65d75f464a
*See JSON for more IOCs
Coverage Product Protection AMP
Cloudlock
N/A
CWS
Email Security
Network Security
Stealthwatch
N/A
Stealthwatch Cloud
N/A
Threat Grid
Umbrella
WSA
Screenshots of Detection AMP
ThreatGrid
MITRE ATT&CK Win.Packed.Nymaim-9890476-1 Indicators of Compromise IOCs collected from dynamic analysis of 20 samples Registry Keys Occurrences <HKCU>\SOFTWARE\MICROSOFT\GOCFK
20
<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\159
20
<HKCU>\SOFTWARE\MICROSOFT\GOCFK
Value Name: mbijg
20
Mutexes Occurrences Local\{1181F583-B634-69BF-E703-D4756599024F}
20
Local\{180BBEAD-0447-044A-68BD-247EB6D0E352}
20
Local\{18DD7903-1E96-FEAF-92BF-014008A1248C}
20
Local\{92502033-C012-7F46-D6A8-0AC972DF6662}
20
Local\{25754F3F-7A37-56CA-31BB-3C9D33DA226B}
20
Local\{8B75523D-CAF4-D06B-A2AD-13EEF593AC52}
20
Local\{D2CC4CCA-CB77-CF10-8293-17C78DEC853F}
20
Local\{1BA4FBB1-2AF7-D3D2-BAF5-898C7EE06B8A}
20
Local\{69772866-F6F4-97E9-A872-7187EB923167}
20
Domain Names contacted by malware. Does not indicate maliciousness Occurrences microsoft[.]com
20
lijxtd[.]com
20
ihonp[.]in
20
blddoaulh[.]net
20
detyifhful[.]in
20
jssqpehhro[.]in
20
yiukmafs[.]com
20
tatwuej[.]com
20
dpsvetjcnyq[.]com
20
dgyfcmvpb[.]net
20
nkzhzmnbsua[.]in
20
dltvpw[.]net
20
qgklpx[.]net
20
nlqepj[.]com
20
ropdqukadxi[.]pw
20
wspvw[.]pw
20
tohjkk[.]in
20
gvzhoqb[.]net
20
ovqnmgb[.]pw
20
kipftm[.]pw
20
wtuwmixd[.]pw
20
fqghj[.]in
20
bqgafyypom[.]net
20
oililtzk[.]net
20
kbpbwzrpa[.]com
20
*See JSON for more IOCs
Files and or directories created Occurrences %ProgramData%\ph
20
%ProgramData%\ph\fktiipx.ftf
20
%TEMP%\gocf.ksv
20
%ProgramData%\jzk\icolry.ylg
20
%TEMP%\qnvgtx.eww
20
%ProgramData%\<random, matching '[a-z0-9]{3,7}'>
20
%APPDATA%\<random, matching '[a-z0-9]{3,7}'>
20
%LOCALAPPDATA%\<random, matching '[a-z0-9]{3,7}'>
20
File Hashes 0b28c9ee7cceef68a7cfe794b6a0492f13caa06dc5e0f20767e1e9b8702ed909
1e622f14f57f55810f74755a5edbef62f9d2844c6786261cc1d06c5f6ef3a26a
4444e7f0e507d90faee2344481f02aa299878013c06ac076ec36b08002c12af0
55ebb633b43ba911a970729ab4b9a18e776e373e2fc8234e9b16bf9ea271c752
63e8e92d8f40518f8deb26e55af578982d3a16013c42eab4b951c56be28732b9
68ee130fa373d3bec5315bf826491ab8b271cd9e95de09697a755e72c3e9b88b
6a4638b878e10c32c0cae0c9ea82492422378916642af1025822306a5b05b71c
76746b358416dabf17bc5beb3657871fcf0c05287246eaed711e43fc2c1b0ccb
7c86f5749bb8f80384275e69e00df1fda886f5f019c2a70b321415c408bbf233
7da3c215c67c640ff5a3b743c782e71459f40dbe5ad57b6826aa780d29ab04ef
9a2f003a61e84a82136b5d98f89750d9efc242113956adb816d5a9b48517182c
9fc5f272811a6ed0c67422887a77a4daec69c179263c81cd7761d4ab32af413c
a32403e4d4a28ec2e11e33b78c3bcd18441132fba48b94534f2f6ae1f3935c87
c16d63ec027125f8c52f05db701e520aea0a610ee2c734ef5ea3760af3288802
c8e1de32780835c2a6c7cb50d5a453f6ece3c50a60f12ef0716e99fc27e526c0
ccee84ddbdfc8224683beb1a51d07444204b3b62eed45875bb8ae03c4ce6bc04
dac36258f5aa6cd69b45991d4097bc4b6de93b440af20a81801d4de8a7bd9d49
dc07d09739b18c1ae09f02f5ac1bb8198bda19069dd205296ffb05628f51d475
f0b3c4c61287b3df9bf55fb104fc3cc78cd5cb1a861eccf3a64bb1d1e71f362c
f34bec87d82336c1e21fa29af5de04be1747cba7d67ceb14eb622599c640663b
Coverage Product Protection AMP
Cloudlock
N/A
CWS
Email Security
Network Security
Stealthwatch
N/A
Stealthwatch Cloud
N/A
Threat Grid
Umbrella
WSA
Screenshots of Detection AMP
ThreatGrid
MITRE ATT&CK Win.Trojan.Chthonic-9890512-1 Indicators of Compromise IOCs collected from dynamic analysis of 12 samples Registry Keys Occurrences <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED
Value Name: Hidden
12
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM
Value Name: EnableLUA
12
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC
Value Name: Start
12
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDEFEND
Value Name: Start
12
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED
Value Name: ShowSuperHidden
12
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS
Value Name: Start
12
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MPSSVC
Value Name: Start
12
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WUAUSERV
Value Name: Start
12
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: 2827271685
12
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER
Value Name: TaskbarNoNotification
12
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER
Value Name: TaskbarNoNotification
12
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER
Value Name: HideSCAHealth
12
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER
Value Name: HideSCAHealth
12
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN
12
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN
Value Name: 2827271685
12
<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\159
12
Mutexes Occurrences Frz_State
12
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences 52[.]137[.]90[.]34
11
52[.]185[.]71[.]28
3
104[.]215[.]148[.]63
1
Domain Names contacted by malware. Does not indicate maliciousness Occurrences bestjokestories[.]com
12
majimoeleanallin30minutes[.]com
12
ourpatientsprivatestories[.]com
12
mywernevuefinergrbod[.]com
11
redir[.]update[.]microsoft[.]com[.]nsatc[.]net
6
microsoft[.]com
1
Files and or directories created Occurrences %ProgramData%\Media Center Programs
2
%ProgramData%\Macromedia
2
%ProgramData%\Identities
2
%LOCALAPPDATA%\Microsoft\Windows\ActionCenterCache\{82383584-0D02-4094-BFE7-C3AE17F0019A}.png
1
%LOCALAPPDATA%\Microsoft\Windows\ActionCenterCache\{CC66C293-602E-4F7C-8617-CF8B52C4844D}.png
1
%LOCALAPPDATA%\Microsoft\Windows\ActionCenterCache\{91C5E41C-DE13-4C23-B3AE-13DC222A23A4}.png
1
%LOCALAPPDATA%\Microsoft\Windows\ActionCenterCache\{16BC40D1-91CE-4BC2-978E-9A650C591BDF}.png
1
%LOCALAPPDATA%\Microsoft\Windows\ActionCenterCache\{C475FE0D-7788-4A80-B395-1C1C633882FF}.png
1
%LOCALAPPDATA%\Microsoft\Windows\ActionCenterCache\{0D32B394-8407-420A-A8BB-304233EA8A53}.png
1
%LOCALAPPDATA%\Microsoft\Windows\ActionCenterCache\{AB6F9068-2C0C-4BF8-89F5-314901AAB006}.png
1
%LOCALAPPDATA%\Microsoft\Windows\ActionCenterCache\{250ECBC9-E460-49D0-85B4-2FEE1FBCEC0B}.png
1
%LOCALAPPDATA%\Microsoft\Windows\ActionCenterCache\{06C4E9C2-B95F-4921-84AE-A498E38A199F}.png
1
File Hashes 110258afe7180e835a6388f63f44e2be5df5859610eba3306e2968ec8e9625fd
12c2fefe3b7c233f3f08ccd95cb956ebeee5ad5ccad26cef41f036bc8ffe1d63
25d12fa4832dec302a7c4f8ea9242d2236dc50c19ad1fb2d8981df380f5b0a85
2686c83169d3e2c5caacb08d3e4c6a1efae37d36d40ed4d8a5b4382022fea305
3f84ff7a71d5b9f465a4b9a9d440f4f801f5a9eac7de6ae21f09acff9395c609
73e2ec59f6d0faad114ea452e9173cf0e77ebb120feea0c1a535c3d58e770caa
8b618395e700e9115431a420755748089d303ce55bd5d00f0beb2f1052a73c70
acbb1798102314cda754c7ebc6616734493e5ab373fd58bd0d1cc7e4b1fef622
d4afe8e25d9226571ad91c8ce3c2a4c58a793e548d92ebb4a074dc05c185f538
db223583f0f58ed0f9dff5626ed818446984323c54c016eee43f5fb8abf3c2ed
df84b3ea23c8e53476c50b91d199332de986cd4d7569d0a96a9072809f5d339b
f162f87ff7167b24f33b6cf0065ba0864f6fec34a4a027857b2f17cee547df69
Coverage Product Protection AMP
Cloudlock
N/A
CWS
Email Security
Network Security
Stealthwatch
N/A
Stealthwatch Cloud
N/A
Threat Grid
Umbrella
WSA
Screenshots of Detection AMP
ThreatGrid
MITRE ATT&CK Win.Malware.Zusy-9891219-0 Indicators of Compromise IOCs collected from dynamic analysis of 34 samples Registry Keys Occurrences <HKCU>\SOFTWARE\GOUWOBRO
33
<HKCU>\SOFTWARE\GOUWOBRO
Value Name: pathfile
29
<HKCU>\SOFTWARE\GOUWOBRO
Value Name: version
29
<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\159
25
<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAO SETTINGS
Value Name: SuppressPerfBarUntil
9
Mutexes Occurrences simdownmutex
30
{9FDA14C7-38AB-4555-B8FB-B90F02EE367D}
29
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences 42[.]62[.]20[.]137
29
36[.]249[.]67[.]210
27
52[.]34[.]145[.]111
10
13[.]107[.]21[.]200
9
34[.]214[.]179[.]131
7
52[.]24[.]23[.]122
6
143[.]204[.]178[.]103
6
143[.]204[.]178[.]71
6
44[.]238[.]161[.]76
5
143[.]204[.]178[.]47
5
52[.]37[.]141[.]62
4
143[.]204[.]178[.]53
4
44[.]240[.]138[.]42
3
54[.]186[.]176[.]112
3
221[.]234[.]42[.]141
3
183[.]61[.]119[.]204/31
3
52[.]26[.]168[.]11
2
52[.]42[.]128[.]29
2
111[.]6[.]191[.]72
2
118[.]191[.]0[.]66
2
111[.]6[.]191[.]71
1
58[.]254[.]145[.]7
1
119[.]134[.]255[.]253
1
119[.]147[.]184[.]98
1
118[.]191[.]0[.]88
1
*See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousness Occurrences www[.]bing[.]com
30
game[.]kugou[.]com
30
downmini[.]kugou[.]com
30
app[.]box[.]kugou[.]com
29
gamelog[.]kugou[.]com
29
log[.]kugou[.]com
29
boxapi[.]kugou[.]com
29
prod-tp[.]sumo[.]mozit[.]cloud
21
support[.]mozilla[.]org
21
yd01[.]topgslb[.]com
5
kgnop1[.]kugou[.]com
4
srv205[.]kugou[.]com
3
yxcname[.]kugou[.]com
3
srv204[.]kugou[.]com
3
Files and or directories created Occurrences %APPDATA%\GouWo\1006\SkinRes\Default\menu_selected.png
33
%APPDATA%\GouWo\1006\SkinRes\Default\menu_shotcut.png
33
%APPDATA%\GouWo\1006\SkinRes\Default\menu_strategy.png
33
%APPDATA%\GouWo\1006\SkinRes\Default\menu_update.png
33
%APPDATA%\GouWo\1006\SkinRes\Default\more_history_bnt.png
33
%APPDATA%\GouWo\1006\SkinRes\Default\my_account_node_header.png
33
%APPDATA%\GouWo\1006\SkinRes\Default\nodownload.png
33
%APPDATA%\GouWo\1006\SkinRes\Default\nogame.png
33
%APPDATA%\GouWo\1006\SkinRes\Default\notice0.png
33
%APPDATA%\GouWo\1006\SkinRes\Default\notice1.png
33
%APPDATA%\GouWo\1006\SkinRes\Default\notice2.png
33
%APPDATA%\GouWo\1006\SkinRes\Default\notice3.png
33
%APPDATA%\GouWo\1006\SkinRes\Default\notice4.png
33
%APPDATA%\GouWo\1006\SkinRes\Default\notice5.png
33
%APPDATA%\GouWo\1006\SkinRes\Default\pageprev.png
33
%APPDATA%\GouWo\1006\SkinRes\Default\pnlControl.png
33
%APPDATA%\GouWo\1006\SkinRes\Default\pnlTip.png
33
%APPDATA%\GouWo\1006\SkinRes\Default\pnlTipClose.png
33
%APPDATA%\GouWo\1006\SkinRes\Default\pnlWebTip.png
33
%APPDATA%\GouWo\1006\SkinRes\Default\pnlWebTip1.png
33
%APPDATA%\GouWo\1006\SkinRes\Default\progress_back.png
33
%APPDATA%\GouWo\1006\SkinRes\Default\progress_fore.png
33
%APPDATA%\GouWo\1006\SkinRes\Default\progressback.png
33
%APPDATA%\GouWo\1006\SkinRes\Default\progressface.png
33
%APPDATA%\GouWo\1006\SkinRes\Default\recommend_node_header.png
33
*See JSON for more IOCs
File Hashes 02696b8efaa1035c1da88759823053652ce3afd5829344d40f4fbe047734d644
03368c670054a3d6c6024026fb25f51b663595be400cb76a0d4106e98fcb315f
04467a75798224cfc97b8996c8f45915abe99df1036b2177e04bef88896c5304
06da3b722c82734f23b6aa841cdccca172d6a8021e531c17eaefe1e90acc880c
09584403e7f768f21b9d80edb1733eee3566904362d84472d18bfe7a6715e708
0a2c472d6a46fd9f2a95fa047e02cf44aad3c7d70bd4dcefc0a19d7e5adb2ea2
0b744476f11a11f77f5e47d7d0be38ff1ac247ef7b576c1520ad643a1473e0cd
0c3a8bd279d62107cbe80dbd657696f5d480f354fb56e4da03abb7d139c142a8
0d0a8557c95f2f667a472bf730df057eb55c3bebc7c8dea6918d7a3a61585ae7
0d255901b55d915e2383d64c1c3dda826fbd6cd1785ab01cfe3cd715eeb61918
0fb06a1d66f806ca688fd90f7de852090e0ae043527877218d9fc288009e872b
1356ad251060b8f21c244eb9ed0ae015c4bb03c68ea7081bce4dec2885c76e86
1415b477930b657aa7a5c5f1fb607c99176913317c8ba524085f4c6babd65ec9
167758a3d63d93259c24c70f212a27c9d12e1eaff81be707ce0ee2fa068c19d3
16e6c5330937b8993425b88af13726cd2b76ccbc71bb7c77666d5b51cb6d6fc8
1771065d9ea35c99ffc4c2e8b29781d944c08f04cda10499ee4ae1fcf39236be
177fdb78ab7e2ed148930ca09fac810c47fdcc0fcab6a4142c420db8cb47307a
179fe950986b6cc0efff83719447c0fc815de62a82ca8aa8f97542f4af29606a
19b4dff48bb65ce90ad35d42273668dd8febecd31444a05d77cc895db7d90812
19cbc0ec09b9a747839f0a6bdbceb2536e85ead517fee5df72d2cdfb59c69346
1a398ce071c6c1dc3c9003a40a2b700653745cbf99d742b6144d03c115b19c97
1b1b0866930da3fa7819aef96f9e6e6c6780eccc26885f86112f7a9aa5a45553
1d0d76720569afde7b9484c5189b7a8d99429acb71b33d78f9138e29e3747086
1daaf7acf6fb4665e550ecfb2f0ccb60dc9c60cb66eb911425ea06039e88797e
1fa386621efe9507130c74e139567cbd8bca1483fc54815195f8a57989195667
*See JSON for more IOCs
Coverage Product Protection AMP
Cloudlock
N/A
CWS
Email Security
Network Security
Stealthwatch
N/A
Stealthwatch Cloud
N/A
Threat Grid
Umbrella
N/A
WSA
N/A
Screenshots of Detection AMP
ThreatGrid
MITRE ATT&CK Win.Packed.Dridex-9890608-1 Indicators of Compromise IOCs collected from dynamic analysis of 17 samples Registry Keys Occurrences <HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: trkcore
17
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM
Value Name: DisableTaskMgr
17
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{C8E6F269-B90A-4053-A3BE-499AFCEC98C4}.CHECK.0
Value Name: CheckSetting
17
Mutexes Occurrences <random, matching [A-Z0-9]{10}>
17
\Sessions\2\BaseNamedObjects\Global\CLR_PerfMon_WrapMutex
1
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences 142[.]250[.]80[.]14
17
104[.]23[.]98[.]190
9
104[.]23[.]99[.]190
8
23[.]199[.]71[.]136
6
172[.]217[.]222[.]100/31
6
23[.]199[.]71[.]185
3
172[.]217[.]222[.]138/31
3
172[.]217[.]222[.]102
2
172[.]217[.]222[.]113
1
Domain Names contacted by malware. Does not indicate maliciousness Occurrences pastebin[.]com
17
w[.]google[.]com
17
www3[.]l[.]google[.]com
12
a767[.]dspw65[.]akamai[.]net
9
www[.]9aybubknaf[.]com
1
www[.]fvleci5tia[.]com
1
www[.]ssdvvin5tr[.]com
1
www[.]dja4kpyrbf[.]com
1
www[.]hqsngxbvca[.]com
1
www[.]2x1lpgjayd[.]com
1
www[.]ezfqw1giap[.]com
1
www[.]88dygbelxb[.]com
1
www[.]4kpoamuohk[.]com
1
www[.]ddnrfuuerw[.]com
1
www[.]k3vuurtwiq[.]com
1
www[.]s1e2one72h[.]com
1
www[.]6h1mt9f2ns[.]com
1
www[.]gzwxrvosj0[.]com
1
www[.]wcyizquper[.]com
1
www[.]hrrt1gijwl[.]com
1
www[.]xhdvglkwid[.]com
1
www[.]ltavctul3b[.]com
1
www[.]i0e2oggaso[.]com
1
www[.]zxyqvizjlf[.]com
1
www[.]zrt1lebbzc[.]com
1
*See JSON for more IOCs
Files and or directories created Occurrences <malware cwd>\old_<malware exe name> (copy)
17
%ProgramData%\Microsoft\Windows\SystemData\S-1-5-18\ReadOnly\LockScreen_Z\LockScreen___1024_0768_notdimmed.jpg (copy)
2
%ProgramData%\Microsoft\Windows\SystemData\S-1-5-18\ReadOnly\LockScreen_Z\~ockScreen___1024_0768_notdimmed.tmp
2
\Temp\HncDownload\Update.log
1
%LOCALAPPDATA%\Microsoft\CLR_v2.0_32\UsageLogs\HncCheck.exe.log
1
%LOCALAPPDATA%\Microsoft\Windows\Explorer\ExplorerStartupLog_RunOnce.etl
1
\TEMP\95c00a7306313741c4de9c883797d585.exe
1
File Hashes 186d8eeb0ae8047c35d5dde82a9e2bc33cb97ec771d5e94540388307f4d83258
19e1638796d7a2173433e7df7db70afc96a2d17c4738928306100bd603bae32c
1b354805302e0d77cf26f3b69b8862a15dbce75a318bc15e9043eadad54a9293
1d193e9208205888d3404e1fb8114c4b7eb246f7ec3b23de127d8e4c68b0a48d
1e8ccb4026b6e6a8d1c1765168aa6953ee9e291a1a3ff2120ebdf5d872639bb5
43d8898b810f199ec3b7c484f60fa61fdc4453265ab551be0262ed00db2670d8
8555ec04dc35cddb1b0f7eb791938e45f769ccf76b5b6022d5b82b79c70c3ed7
8a16dc6d63056979065cd777eec0040d1950d9f89ca2c64a770632c86bec7263
8c5fb6692bbf49f8a376d0282ebff61191970b54cf05e0e39eb7b8728f849f66
9e57af134a983b320271ab1bc1d48a69e0c5d922023d12808fe2de46cc02dc97
a93d88e9a0f4573646a93259122fabd3f70ff4e4bd2b6b79df31350024de1816
adef2b626d72b73cd3fc58c31a84993aa8c6c04f413fb415298ee4f12f82ae8d
b418b4fa27da10c6eb4381349603489aa675564e5c524eba9ab6afd894b938fe
c7e1ffe849e3083694169e82911226e03e6bf18afc335e15132e375635109985
cd58949a5baf0fedee691e8a7f1505578e8a296e222ad7535363159250ab4aa5
eea524de07338ef45488cda7d97f2fa43e056a4e257e85e88a38bf3cb775ecb3
f349393fc6916fd4533a7e698fb80f1f52af885c589b8a3826e260b507d03a68
Coverage Product Protection AMP
Cloudlock
N/A
CWS
Email Security
Network Security
Stealthwatch
N/A
Stealthwatch Cloud
N/A
Threat Grid
Umbrella
N/A
WSA
N/A
Screenshots of Detection AMP
ThreatGrid
MITRE ATT&CK Exploit Prevention Cisco AMP for Endpoints protects users from a variety of malware functions with exploit prevention. Exploit prevention helps users defend endpoints from memory attacks commonly used by obfuscated malware and exploits. These exploits use certain features to bypass typical anti-virus software, but were blocked by AMP thanks to its advanced scanning capabilities, even protecting against zero-day vulnerabilities.
Process hollowing detected - (18784)
Process hollowing is a technique used by some programs to avoid static analysis. In typical usage, a process is started and its obfuscated or encrypted contents are unpacked into memory. The parent then manually sets up the first stages of launching a child process, but before launching it, the memory is cleared and filled in with the memory from the parent instead.
Crystalbit-Apple DLL double hijack detected - (7016)
Crystalbit-Apple DLL double hijack was detected. During this attack, the adversary abuses two legitimate vendor applications, such as CrystalBit and Apple, as part of a dll double hijack attack chain that starts with a fraudulent software bundle and eventually leads to a persistent miner and in some cases spyware deployment.
Excessively long PowerShell command detected - (6528)
A PowerShell command with a very long command line argument that may indicate an obfuscated script has been detected. PowerShell is an extensible Windows scripting language present on all versions of Windows. Malware authors use PowerShell in an attempt to evade security software or other monitoring that is not tuned to detect PowerShell based threats.
A Microsoft Office process has started a windows utility. - (5693)
A process associated with Microsoft Office, such as EXCEL.exe, OUTLOOK.exe or WINWORD.exe, has started a Windows utility such as powershell.exe or cmd.exe. This is typical behavior of malicious documents executing additional scripts. This behavior is extremely suspicious and is associated with many malware different malware campaigns and families.
Reverse tcp payload detected - (4998)
An exploit payload intended to connect back to an attacker controlled host using tcp has been detected.
Expiro Malware detected - (2935)
Expiro malware is unique in that it infiltrates executable files on both 32- and 64-bit Windows systems by appending its viral code to the host. It can be used to install malicious browser extensions, lower browser security settings, and steal account credentials.
CVE-2020-1472 exploit detected - (2322)
An attempt to exploit CVE-2020-1472 has been detected. Also known as "Zerologon". This is a privelege escalation vulnerability in Netlogon.
Dealply adware detected - (1733)
DealPly is adware, which claims to improve your online shopping experience. It is often bundled into other legitimate installers and is difficult to uninstall. It creates pop-up advertisements and injects advertisements on webpages. Adware has also been known to download and install malware.
Squiblydoo application control bypass attempt detected. - (899)
An attempt to bypass application control via the "Squiblydoo" technique has been detected. This typically involves using regsvr32.exe to execute script content hosted on an attacker controlled server.
Kovter injection detected - (810)
A process was injected into, most likely by an existing Kovter infection. Kovter is a click fraud Trojan that can also act as an information stealer. Kovter is also file-less malware meaning the malicious DLL is stored inside Windows registry and injected directly into memory using PowerShell. It can detect and report the usage of monitoring software such as wireshark and sandboxes to its C2. It spreads through malicious advertising and spam campaigns.