Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Sept. 30 and Oct. 7. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.
As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org , or ClamAV.net .
For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. A visual depiction of the MITRE ATT&CK techniques associated with each threat is also shown. In these images, the brightness of the technique indicates how prevalent it is across all threat files where dynamic analysis was conducted. There are five distinct shades that are used, with the darkest indicating that no files exhibited technique behavior and the brightest indicating that technique behavior was observed from 75 percent or more of the files.
The most prevalent threats highlighted in this roundup are:
Threat Name Type Description Win.Dropper.Formbook-9972419-1 Dropper Formbook is an information stealer that attempts to collect sensitive information from an infected machine by logging keystrokes, stealing saved web browser credentials, and monitoring information copied to the clipboard. Win.Downloader.Banload-9973408-0 Downloader Banload is a banking trojan believed to be developed by Brazilian cybercriminals and is used primarily to infect machines in Latin America. One notable aspect of Banload is it's use of custom kernel-drivers to evade detection. Win.Trojan.Zusy-9972437-0 Trojan Zusy, also known as TinyBanker or Tinba, is a trojan that uses man-in-the-middle attacks to steal banking information. When executed, it injects itself into legitimate Windows processes such as "explorer.exe" and "winver.exe". When the user accesses a banking website, it displays a form to trick the user into submitting personal information. Win.Ransomware.TeslaCrypt-9972505-0 Ransomware TeslaCrypt is a well-known ransomware family that encrypts a user's files with strong encryption and demands Bitcoin in exchange for a file decryption service. A flaw in the encryption algorithm was discovered that allowed files to be decrypted without paying the ransomware, and eventually, the malware developers released the master key allowing all encrypted files to be recovered easily. Win.Ransomware.Cerber-9972520-0 Ransomware Cerber is ransomware that encrypts documents, photos, databases and other important files. Historically, this malware would replace files with encrypted versions and add the file extension ".cerber," although in more recent campaigns, other file extensions are used. Win.Virus.Xpiro-9972647-1 Virus Expiro is a known file infector and information-stealer that hinders analysis with anti-debugging and anti-analysis tricks. Win.Trojan.Zbot-9972724-0 Trojan Zbot, also known as Zeus, is a trojan that steals information, such as banking credentials, using methods such as key-logging and form-grabbing. Win.Dropper.Kuluoz-9972735-0 Dropper Kuluoz, sometimes known as "Asprox," is a modular remote access trojan that is also known to download and execute follow-on malware, such as fake antivirus software. Kuluoz is often delivered via spam emails pretending to be shipment delivery notifications or flight booking confirmations. Win.Trojan.Qakbot-9972834-1 Trojan Qakbot, aka Qbot, has been around since at least 2008. Qbot primarily targets sensitive information like banking credentials but can also steal FTP credentials and spread across a network using SMB.
Threat Breakdown Indicators of Compromise IOCs collected from dynamic analysis of 10 samples Registry Keys Occurrences <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNValue Name: WindowsUpdate 2 <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNValue Name: AGP Manager 1 <HKCU>\SOFTWARE\VB AND VBA PROGRAM SETTINGS1 <HKCU>\SOFTWARE\VB AND VBA PROGRAM SETTINGS\SETTINGS1 <HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7EValue Name: LanguageList 1 <HKCU>\SOFTWARE\VB AND VBA PROGRAM SETTINGS\SETTINGSValue Name: GetCOOKIESreg 1 <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNValue Name: AutoUpdate 1
Mutexes Occurrences 8-3503835SZBFHHZ7 1N6PO-QCTT825WY-2 073A3D-6T418-C-B2 73M9N-T0-UB83K6J1 S-1-5-21-2580483-12444652989721 3MAM487FD866043M1 S-1-5-21-2580483-124431068402011 S-1-5-21-2580483-1244234476521 S-1-5-21-2580483-124439999126741 0Q85PR27T0CZAGEI1 Global\{7c2a2886-3e3d-47a1-aa60-5afb9d57c7cc}1
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences 34[.]102[.]136[.]1806 142[.]251[.]41[.]193 23[.]227[.]38[.]742 198[.]54[.]117[.]210/312 199[.]59[.]243[.]2222 198[.]54[.]117[.]2181 198[.]54[.]117[.]2161 23[.]227[.]38[.]321 149[.]154[.]167[.]2201 185[.]107[.]56[.]591 52[.]20[.]84[.]621 99[.]83[.]154[.]1181 52[.]86[.]6[.]1131 35[.]227[.]197[.]361 35[.]164[.]33[.]01 162[.]241[.]203[.]1611 76[.]76[.]21[.]1231 69[.]163[.]224[.]2311 104[.]247[.]82[.]921 194[.]5[.]98[.]2131 216[.]40[.]34[.]411 185[.]104[.]45[.]631 154[.]218[.]122[.]21 207[.]60[.]202[.]871 45[.]77[.]55[.]1611
*See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousness Occurrences www[.]kice1[.]xyz1 www[.]ltgpd[.]com1 www[.]fbo[.]app1 www[.]texasonmission[.]com1 www[.]omgsweepsship[.]com1 www[.]chadwelchart[.]com1 www[.]fabricsandfashion[.]com1 www[.]565548[.]com1 www[.]digigold[.]info1 www[.]rooterphd[.]com1 www[.]usuariosconsultasnet[.]store1 www[.]xlgzkg[.]com1 www[.]stjohnzone6[.]com1 www[.]co-gpco[.]com1 www[.]idaparry[.]cfd1 www[.]mr5g[.]com1 www[.]mintager[.]com1 www[.]zjpbhsuz[.]top1 www[.]tigermedlagroup[.]com1 www[.]unclonedmarketingschool[.]com1 www[.]manaako[.]com1 www[.]sagaming168[.]info1 www[.]jpearce[.]co[.]uk1 www[.]boxofberries[.]com1 www[.]ukcarbonoffsetting[.]com1
*See JSON for more IOCs
Files and or directories created Occurrences %HOMEPATH%\temp10 %TEMP%\RegSvcs.exe2 \5_74\nppwa.xls1 %HOMEPATH%\4_63\thwkrjmb.xml1 %TEMP%\5_102\smvado.ini1 %APPDATA%\7_25\dqlhevp.dat1 \5_74\peaxwfuc.icm1 %HOMEPATH%\4_63\ugmtasr.icm1 %TEMP%\5_102\vblguxk.mp31 %APPDATA%\7_25\egkaa.txt1 \5_74\pxbnv.msc1 %HOMEPATH%\4_63\uldu.xl1 %TEMP%\5_102\vjxwe.fip1 %APPDATA%\7_25\gdlnews.log1 \5_74\qjigr.pif1 %HOMEPATH%\4_63\vgdifjj.msc1 %TEMP%\5_102\wgbmm.icm1 %APPDATA%\7_25\gjdv.txt1 \5_74\qscumbks.cpl1 %HOMEPATH%\4_63\xekqtqbfs.log1 %TEMP%\5_102\wjiawtugb.xls1 \5_74\qxoa.dat1 %APPDATA%\7_25\hlgdgmodk.exe1 %TEMP%\5_102\wwhjv.chi1 \5_74\sovh.xls1
*See JSON for more IOCs
File Hashes 02bdbd4777fc54081f239ce8936bb56d899ec58fe61437875f09227a55a74920 24945c49bbd2d14de4d8bcfe1b382d77a8a25d6432993d8abce14149234c9d83 2587b76912cdfbb81fb4a07c9a2747d0ed8177eb6b5237e7ef945fd912c19f9c 3ab1cc60bd5dca00fc6cad5cf3c0a7cccea610b20027c9db6b45f0b41860fba5 46837b2b83edea93a312915b020a2aad926e18fcee577c8442853ebb8fabea13 52f9dd59ecdb5aed12a20226b0b53454f1f7f8e48eb3c3d3189511007c38863a 75e94edca8e24facdf40d786d44e9c4573e746d7da7445184d0b31ad9314a781 8185505ac7d543abcecc7118a29a4ba28534d12226928854e968e2adb1440c55 87fdf41f3af47dc20348fe21148546a943111c455ffb9a8cd73b1beb77513ce4 b0581f39843e7c4c2c91aac86855d2638f87347e029ea878dac555c9d49a0059
Coverage Product Protection Secure Endpoint Cloudlock N/A CWS Email Security Network Security Stealthwatch N/A Stealthwatch Cloud N/A Secure Malware Analytics Umbrella WSA
Screenshots of Detection Secure Endpoint
Secure Malware Analytics
MITRE ATT&CK
Win.Downloader.Banload-9973408-0 Indicators of Compromise IOCs collected from dynamic analysis of 25 samples Registry Keys Occurrences <HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7EValue Name: LanguageList 16 <HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{0633EE93-D776-472F-A0FF-E1416B8B2E3A}Value Name: FaviconPath 14 <HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{0633EE93-D776-472F-A0FF-E1416B8B2E3A}Value Name: Deleted 14 <HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPESValue Name: DefaultScope 14 <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}14 <HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7EValue Name: @C:\Windows\system32\DeviceCenter.dll,-2000 10
Mutexes Occurrences Global\95764121-4446-11ed-9660-001517ca4fbc1 Global\95659781-4446-11ed-9660-0015171b69301
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences 142[.]251[.]32[.]11013 142[.]251[.]35[.]16413 142[.]251[.]40[.]14213 13[.]107[.]21[.]2007 94[.]23[.]250[.]511
Domain Names contacted by malware. Does not indicate maliciousness Occurrences www[.]bing[.]com14 www[.]google[.]com13 picasaweb[.]google[.]com13 get[.]google[.]com13 goo[.]gl11 realamizades[.]com8 mc8park[.]com[.]br5 www[.]acheiarte[.]com1
Files and or directories created Occurrences %TEMP%\config.log14 %HOMEPATH%\AppData\LocalFiles14 %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\Atalho_.pif14
File Hashes 088010ddb5193de497c632c7843682905ae4877301ce593424aac87acbeff479 14787f442cd48c7b204f9718b22f64fab14dd54ed7bd506ef30c6a3d80cd7896 2be840d1782207d25aaa1572809bb5bed91f149aa8214d542d6854099a8c78e7 349fe84e2af3a05aea74e79976efb1474631c0f46e1a8d961d943a0d185e8a51 4667b78d423c3f8e94a1ff6cb4a31aec7398a824159cefd78ad73582f3b3fdf1 57e9911db668b3def30a7cb073f08d8f454366b6c3637f2fdb437bc3c61d2936 5bd3faee290e5ce04fec62a8f79159398639a1c0ab603239670e409af7fd5e79 62adb1e9354bc8a93379ab3aa6b2410f8b2e00978b19c624eb62d9c912bb1fb8 62f238cf96f906e0d7a118d19a752a78d7d95007c997575d781da5316045ccec 69798312028fe674fcecb0993cffaef2f0f6321f7d96516c63fca400594f08f0 6a0b4688de97b2d334fb43370275003e086088d53a7a4ac9aa5609943e0f98b8 6e6a8f094a4aa2e428d1d8c47afd77d32b23286af2b46a6cb6fc171efd1e7572 6f9fda4380c33497e187d5ce0e99d8f28aa63e662252b1e2f2ca4c0c1c80d2e4 7182d670734aa4eddd53c107c017c576a5e48335f743940fd700b0096d0780ca 7c2e9fbac433fed50ddbca31627cba58c8e86e623b941405b72dd0935992cab8 7e9ce12462a6462e5ea3335c00fe4b61327d4fc1db52faac068a04bc6ac8b60a 80a413bf7a8b77b51874eef7ad3571389bfe6fb7a70a1e5511603fd66180a892 880675bfc7c14d7ecb9c00bbbce7b5ed3dbb59ddb3777686fd12e643ba78d568 8e4ba813aa375aaa3bfe3f96462ced837f12a0f0a58362f3507cfd5fb5c18e32 92a5792f78ab05da79ed8797d359e9b2219274a36615141896df2159d3baccc1 aa6422f84e14d0b9d382f122f8e117860ab789fc5067245ebb39fb883f6d354c b5df2a668ea57041f56d69b2ca2979659a240b7056657e5392c525745e79305a b8b45e2a659226f461c127712272176ed69219af1944ae5e8b65551838a3441f b982e00e6d06b46b8e8ce33503883b3f6a1b1e609ca178245a8777b53a5a6f1e bd8482492f5a716f3f4352a5bc2571c143748a5fc4e66637e776d7a752a75c68*See JSON for more IOCs
Coverage Product Protection Secure Endpoint Cloudlock N/A CWS Email Security Network Security Stealthwatch N/A Stealthwatch Cloud N/A Secure Malware Analytics Umbrella N/A WSA N/A
Screenshots of Detection Secure Endpoint
Secure Malware Analytics
MITRE ATT&CK
Win.Trojan.Zusy-9972437-0 Indicators of Compromise IOCs collected from dynamic analysis of 27 samples Registry Keys Occurrences <HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7EValue Name: LanguageList 27 <HKLM>\SYSTEM\CONTROLSET001\ENUM\SW\\ASYNCMACValue Name: CustomPropertyHwIdKey 1 <HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7EValue Name: @explorer.exe,-7001 1
Mutexes Occurrences Local\10MU_ACB10_S-1-5-5-0-6786327 Local\10MU_ACBPIDS_S-1-5-5-0-6786327 Local\WinSpl64To32Mutex_10960_0_300027
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences 20[.]109[.]209[.]10816 20[.]72[.]235[.]8211
Domain Names contacted by malware. Does not indicate maliciousness Occurrences windowsupdate[.]microsoft[.]com27
Files and or directories created Occurrences %TEMP%\236b0f4b7893907bb0dc93af0c2a505ca3af3d5f9f6bb9128c97d7f3cbcfa9c1.rtf1 %TEMP%\temp_cab_-1226192130.cab1 %TEMP%\~$6b0f4b7893907bb0dc93af0c2a505ca3af3d5f9f6bb9128c97d7f3cbcfa9c1.rtf1 %TEMP%\2e8f00a6543ebed2e4a822d39a86e228f704656fbc75d687ad2d98b5ffd7e9be.rtf1 %TEMP%\temp_cab_-1226182504.cab1 %TEMP%\msoCD0.tmp1 %TEMP%\~$8f00a6543ebed2e4a822d39a86e228f704656fbc75d687ad2d98b5ffd7e9be.rtf1 %TEMP%\2f3c90bf18457463a03e1f14decc069f09aa7be83d865aaee07dcfb573fbded5.rtf1 %TEMP%\2d5ff462b24139471954cecb53b8c32d786cca7f0dbe8b659ca54e1d4dacaf6e.rtf1 %TEMP%\temp_cab_-1226182036.cab1 %TEMP%\~$3c90bf18457463a03e1f14decc069f09aa7be83d865aaee07dcfb573fbded5.rtf1 %TEMP%\temp_cab_-1226190663.cab1 %TEMP%\~$5ff462b24139471954cecb53b8c32d786cca7f0dbe8b659ca54e1d4dacaf6e.rtf1 %TEMP%\48f8c92e3b3d82bdc011476b5aa012a46a849a2229714bae4166b00d9b09d122.rtf1 %TEMP%\temp_cab_-1226173144.cab1 %TEMP%\2f96ceac3a3043d57e6df78df5cd36b3ee2f79d0a983e454adc0baa22c7880ce.rtf1 %TEMP%\~$f8c92e3b3d82bdc011476b5aa012a46a849a2229714bae4166b00d9b09d122.rtf1 %TEMP%\temp_cab_-1226182801.cab1 %TEMP%\msoC82.tmp1 %TEMP%\~$96ceac3a3043d57e6df78df5cd36b3ee2f79d0a983e454adc0baa22c7880ce.rtf1 %TEMP%\50891ef026bd10528bc51972ac5bee469bf5a28322f39dbb5b68098d7ba45971.rtf1 %TEMP%\temp_cab_-1226173675.cab1 %TEMP%\~$891ef026bd10528bc51972ac5bee469bf5a28322f39dbb5b68098d7ba45971.rtf1 %TEMP%\6bc6ecc0f25d2472fc1600c031de35c61603c07b530f5a10d3a3a5ceac700afd.rtf1 %TEMP%\temp_cab_-1226164907.cab1
*See JSON for more IOCs
File Hashes 01c0c7f67c0b7f80af1dac23face65820c076b8cf819a0834cba2c9c4821cbd8 02d85c839f268ddc7775fa3b97a5edffbc4a56cd38f998ca3a855893325e3b22 08b7644d1f878d4d4f037d6bc0935181c70e30517ec10a0e2ef9a6664ad5937b 098fce3888092c3ea6a14d64f5ae321335e6413317afb21106718b978a131363 09d0f73b9518e447dad0bdaf75c18a984a69717ceaeab7e18eff40de34895340 0bcf8c547d9bf981b43fc911839fa20fd03a002664aa2612a83f77a21c2bc704 0d1179862c1eff540972af18d1ab513837fca591311661983c2c60c625a67e6d 107823ce4680d6dc30869e5fb5a8d915baf080e2a2fe5ec8de709f7a1b14b9b0 15f841285ed01805c593d6b73c617f29264fb3ccab3b59ee379db58c73f21eff 236b0f4b7893907bb0dc93af0c2a505ca3af3d5f9f6bb9128c97d7f3cbcfa9c1 2d5ff462b24139471954cecb53b8c32d786cca7f0dbe8b659ca54e1d4dacaf6e 2e8f00a6543ebed2e4a822d39a86e228f704656fbc75d687ad2d98b5ffd7e9be 2f3c90bf18457463a03e1f14decc069f09aa7be83d865aaee07dcfb573fbded5 2f96ceac3a3043d57e6df78df5cd36b3ee2f79d0a983e454adc0baa22c7880ce 48f8c92e3b3d82bdc011476b5aa012a46a849a2229714bae4166b00d9b09d122 50891ef026bd10528bc51972ac5bee469bf5a28322f39dbb5b68098d7ba45971 669c85491087f3050135330eb1ea7d4b53d27f75b04fa26be651944c2d099a79 6bc6ecc0f25d2472fc1600c031de35c61603c07b530f5a10d3a3a5ceac700afd 72854daf36aa3568be5178ea984cd1acb1de9fe939ebdc1379d3e9b5e0df9ba4 762d000685a08620f23bb3b1eac6d5e5566839e3345700f8feff505d1b5c8ab5 84485d05542acc47b7d17197894af35114cf02886d468b40111620c6d0f9c6a1 851564492f26a349fd730ff1ef8213b0e7526a44f00c2ed305908c045af955fd 8a68686ef06978754ce55ae2b0de128b6f2818b8d2c2b538293a40f2c6e636ed 8a6f8710dbff2d1fe7f0b039d4d3312fba21cc52df0283c607958018ed400a87 92614b51012dadfa944974085e64789e15f38200bb0837663d143736ec248196*See JSON for more IOCs
Coverage Product Protection Secure Endpoint Cloudlock N/A CWS Email Security Network Security N/A Stealthwatch N/A Stealthwatch Cloud N/A Secure Malware Analytics Umbrella N/A WSA N/A
Screenshots of Detection Secure Endpoint
Secure Malware Analytics
MITRE ATT&CK
Win.Ransomware.TeslaCrypt-9972505-0 Indicators of Compromise IOCs collected from dynamic analysis of 19 samples Registry Keys Occurrences <HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEMValue Name: EnableLinkedConnections 19 <HKCU>\SOFTWARE\XXXSYS19 <HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7EValue Name: LanguageList 19 <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{C8E6F269-B90A-4053-A3BE-499AFCEC98C4}.CHECK.0Value Name: CheckSetting 19 <HKCU>\SOFTWARE\XXXSYSValue Name: ID 19 <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCEValue Name: 1qwqwqe-r213 19 <HKCU>\Software\<random, matching '[A-Z0-9]{14,16}'>19 <HKCU>\Software\<random, matching '[A-Z0-9]{14,16}'>Value Name: data 19
Mutexes Occurrences __sys_23423823329519
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences 217[.]116[.]196[.]23919 27[.]254[.]33[.]4419 23[.]221[.]227[.]16913 104[.]21[.]63[.]7411 172[.]67[.]170[.]688 185[.]230[.]63[.]1717 23[.]221[.]227[.]1657 185[.]230[.]63[.]1866 185[.]230[.]63[.]1076
Domain Names contacted by malware. Does not indicate maliciousness Occurrences chonburicoop[.]net19 ladiesdehaan[.]be19 actionpourisrael[.]com19 hnb[.]net19 firecheerleaders[.]fr19 passlift[.]com19 apps[.]identrust[.]com19
Files and or directories created Occurrences %ProgramFiles%\7-Zip\Lang\mng.txt19 %ProgramFiles%\7-Zip\Lang\mng2.txt19 %ProgramFiles%\7-Zip\Lang\mr.txt19 %ProgramFiles%\7-Zip\Lang\ms.txt19 %ProgramFiles%\7-Zip\Lang\nb.txt19 %ProgramFiles%\7-Zip\Lang\ne.txt19 %ProgramFiles%\7-Zip\Lang\nl.txt19 %ProgramFiles%\7-Zip\Lang\nn.txt19 %ProgramFiles%\7-Zip\Lang\pa-in.txt19 %ProgramFiles%\7-Zip\Lang\pl.txt19 %ProgramFiles%\7-Zip\Lang\ps.txt19 %ProgramFiles%\7-Zip\Lang\pt-br.txt19 %ProgramFiles%\7-Zip\Lang\pt.txt19 %ProgramFiles%\7-Zip\Lang\ro.txt19 %ProgramFiles%\7-Zip\Lang\ru.txt19 %ProgramFiles%\7-Zip\Lang\sa.txt19 %ProgramFiles%\7-Zip\Lang\si.txt19 %ProgramFiles%\7-Zip\Lang\sk.txt19 %ProgramFiles%\7-Zip\Lang\sl.txt19 %ProgramFiles%\7-Zip\Lang\sq.txt19 %ProgramFiles%\7-Zip\Lang\sr-spc.txt19 %ProgramFiles%\7-Zip\Lang\sr-spl.txt19 %ProgramFiles%\7-Zip\Lang\sv.txt19 %ProgramFiles%\7-Zip\Lang\ta.txt19 %ProgramFiles%\7-Zip\Lang\th.txt19
*See JSON for more IOCs
File Hashes 0aac8016a240da6caba10d61a644b27b75975d3560407d6ea097308aeb470b9e 13b9d082901d9d0608e87c114af8763094c10142d7394fd57e94e88101780c10 23d40e0777ec7d49883818310a265051ebb6ae97603fdc59ba3e5c6b843fe0bd 365d84800d9e8a683770478b21f8ff95af5a5e6c49491a4d29f9770c97c6749b 44dc523fce3124abb61430329ec664094d9365bfe5fdf657ca7aeff27674e863 48dd2915d3404e6149f2b0b1c68223131f860e103fa98f076cc0603da2b68cd1 4de6675c089aad8a52993b1a21afd06dc7086f4ea948755c09a7a8471e4fddbd 65bfdfabf0a6f8937118db94cbcab36e9a0abc5de986c4d8d7c9876f55110b4b 660031fa2a2fbf6a4cf24a019da764d0069dd4830c56e647bc59aa0073eb6044 79fd01f7b47fdfee48983565b9481b91d30bca7cbac9039b0422cd7b82c21e67 7ebfbcad908fa1ee22db680772f716ef9a5b42ce59e293c81185754be26206be 86ea4df17ba0a68276d5a13534d0b70482e5b97f0da3013dc757c79018de1077 893d875bd015aea541453e93f3a2756b31560c3d372a4191b06fb2f7613903ff 8982563b88cc88b1a28764c5ffb847681b347e7c3f9d811ee917dd97a823afe7 89992094e7c6200e72f0b5be234c82c4dfdfd9679795d2f9ece85af65282ce2e bb35d6fea828d528dbaac0ab1b269e7124bf42ea61f7125f622c7cc0578e2927 bc3bf0b19db80fd01c7d44609424a6b396558a017be7dab8b27880ba2157fec6 cde1f8429bd3a171435825f58d5957a5cc0ab164ec30ca701999afd5c71faf16 fd4ab3f109b5f3c0dffa7842490044218a49e99dd1940c5adb0ec042fefe0d07
Coverage Product Protection Secure Endpoint Cloudlock N/A CWS Email Security Network Security Stealthwatch N/A Stealthwatch Cloud N/A Secure Malware Analytics Umbrella WSA
Screenshots of Detection Secure Endpoint
Secure Malware Analytics
MITRE ATT&CK
Win.Ransomware.Cerber-9972520-0 Indicators of Compromise IOCs collected from dynamic analysis of 26 samples Registry Keys Occurrences <HKCU>\PRINTERS\DEFAULTS\{21A3D5EE-E123-244A-98A1-8E36C26EFF6D}26 <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORERValue Name: Run 26 <HKCU>\SOFTWARE\MICROSOFT\COMMAND PROCESSORValue Name: AutoRun 26 <HKCU>\PRINTERS\DEFAULTS26 <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNValue Name: expand 2 <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCEValue Name: expand 2 <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNValue Name: RMActivate_ssp 1 <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCEValue Name: RMActivate_ssp 1 <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNValue Name: rasdial 1 <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCEValue Name: rasdial 1 <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNValue Name: systeminfo 1 <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCEValue Name: systeminfo 1 <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNValue Name: ntoskrnl 1 <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCEValue Name: ntoskrnl 1 <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNValue Name: waitfor 1 <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCEValue Name: waitfor 1 <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNValue Name: TapiUnattend 1 <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCEValue Name: TapiUnattend 1 <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNValue Name: ipconfig 1 <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCEValue Name: ipconfig 1 <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNValue Name: cipher 1 <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCEValue Name: cipher 1 <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNValue Name: msdt 1 <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCEValue Name: msdt 1 <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNValue Name: wuapp 1
Mutexes Occurrences shell.{381828AA-8B28-3374-1B67-35680555C5EF}26
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences 208[.]95[.]112[.]126 31[.]184[.]234[.]0/2326
Domain Names contacted by malware. Does not indicate maliciousness Occurrences ip-api[.]com26
Files and or directories created Occurrences %APPDATA%\{6F885251-E36F-0FE6-9629-63208157D7A2}26 %APPDATA%\Microsoft\Windows\Start Menu\Programs\StartUp\expand.lnk2 %APPDATA%\{6F885251-E36F-0FE6-9629-63208157D7A2}\expand.exe2 %System32%\Tasks\expand2 %APPDATA%\{6F885251-E36F-0FE6-9629-63208157D7A2}\cipher.exe1 %APPDATA%\Microsoft\Windows\Start Menu\Programs\StartUp\RMActivate_ssp.lnk1 %APPDATA%\{6F885251-E36F-0FE6-9629-63208157D7A2}\RMActivate_ssp.exe1 %System32%\Tasks\RMActivate_ssp1 %APPDATA%\Microsoft\Windows\Start Menu\Programs\StartUp\rasdial.lnk1 %APPDATA%\{6F885251-E36F-0FE6-9629-63208157D7A2}\rasdial.exe1 %System32%\Tasks\waitfor1 %APPDATA%\Microsoft\Windows\Start Menu\Programs\StartUp\waitfor.lnk1 %APPDATA%\{6F885251-E36F-0FE6-9629-63208157D7A2}\waitfor.exe1 %APPDATA%\Microsoft\Windows\Start Menu\Programs\StartUp\systeminfo.lnk1 %APPDATA%\{6F885251-E36F-0FE6-9629-63208157D7A2}\systeminfo.exe1 %APPDATA%\Microsoft\Windows\Start Menu\Programs\StartUp\msdt.lnk1 %APPDATA%\{6F885251-E36F-0FE6-9629-63208157D7A2}\msdt.exe1 %System32%\Tasks\osk1 %System32%\Tasks\cipher1 %System32%\Tasks\upnpcont1 %APPDATA%\Microsoft\Windows\Start Menu\Programs\StartUp\upnpcont.lnk1 %APPDATA%\{6F885251-E36F-0FE6-9629-63208157D7A2}\upnpcont.exe1 %APPDATA%\Microsoft\Windows\Start Menu\Programs\StartUp\PkgMgr.lnk1 %APPDATA%\{6F885251-E36F-0FE6-9629-63208157D7A2}\PkgMgr.exe1 %System32%\Tasks\PkgMgr1
*See JSON for more IOCs
File Hashes 0356531648ab4411f5f350096c303c8f1a83028cd44a2cf54afbf0c7d524fdbb 0763d45d5c507f58d94f48e83df180b50506ccb4a37d3c6a295c72b132b2a6ca 105e1dc7b5427fc6ec03d85babf6b06076ae77584af978b9780a3c38079b14b8 1122b26a4019ec83fab65658fe3111e68b1e8b0be5c430355d3da8071ca10e2a 127facd115346c4f5363ffcbf9c84005ac78a276af5a79503d3784c4d356ca76 138cfda30c320d579922f0ba8a27559bc7e255848f46a49172fcad5666c17844 13ec4157c4a3de32cf913e1a6cb3eedb3cd4944ef982aafce36b727858ac632b 197df7641497a63ca533ce42bf60da19436ebb5d37e2d48f0a8729078ce8133f 200f2572a4f6ac43dd4e174d4051662d5b334d7eecac7726faeb4ea226e4c8ea 23458406bd7f16dae66c0db26a919e55692fecb1f8efd505844c13be41457aaa 2fecb09e01ffcd3365d89da9ed7da1860cf4a2ab383ca384577aa4fa4a872801 305df060b375af6922e7bb38cfef8290787ef1bcc43740bdb8dd40d91e6ab33c 39bfbdfdc34559ad7893ff5a666ea4ca591c1e54288752a8958f62922a76dc88 4a17cd2abc60459e8f4e70047fd986aebb2f178e05eb1e0869cd56f752f5e0f6 4d9ffc147efb29f2ed7e8f8e0c106fb49a124c366ac8bc9279c9052145387ffc 513c35c43300038ca4065013ff5fc8b1ae809c353ae5a3c896f33493d8357ac4 5c814970df47b6be03b265aa8912e7b9d88044b5b5cfa8042c03cf4df268ebe3 5f1612638feae15e1ed1957845e94573a556d4dc3fa890980e3d8f5f5b45f205 5f8cd7a2bd99a8214c7a25a6784d082abf440f17b916df09f73270903f465543 63a50198f7d03b021e2d7f06ed51fb4e847fadd3529c54658d40d10676576f74 652d84eb8fccf048292a2e3aabf3c04535648af5e691d915cedf24478738da43 6e080f3afc5d9b4c55b46723c471b638655425df7f569b5283902e077e6ae362 799f19155411d98e3c69c4d005678c0efae337e5212f16d475e26650e61a242f 7b9374fd33a31b2f39d536bc394b26ab045369cd3b903c6a98de2237751663ad 7de9fe531c7a049139b75f97f311ef487faacbd2a848ea767232e0c444c0d79f*See JSON for more IOCs
Coverage Product Protection Secure Endpoint Cloudlock N/A CWS Email Security Network Security Stealthwatch N/A Stealthwatch Cloud N/A Secure Malware Analytics Umbrella N/A WSA N/A
Screenshots of Detection Secure Endpoint
Secure Malware Analytics
MITRE ATT&CK
Win.Virus.Xpiro-9972647-1 Indicators of Compromise IOCs collected from dynamic analysis of 25 samples Registry Keys Occurrences <HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVCValue Name: Start 25 <HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDEFENDValue Name: Start 25 <HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V2.0.50727_32Value Name: Type 25 <HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V4.0.30319_32Value Name: Type 25 <HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V4.0.30319_32Value Name: Start 25 <HKLM>\SYSTEM\CONTROLSET001\SERVICES\COMSYSAPPValue Name: Type 25 <HKLM>\SYSTEM\CONTROLSET001\SERVICES\COMSYSAPPValue Name: Start 25 <HKLM>\SYSTEM\CONTROLSET001\SERVICES\MOZILLAMAINTENANCEValue Name: Type 25 <HKLM>\SYSTEM\CONTROLSET001\SERVICES\MOZILLAMAINTENANCEValue Name: Start 25 <HKLM>\SYSTEM\CONTROLSET001\SERVICES\MSISERVERValue Name: Type 25 <HKLM>\SYSTEM\CONTROLSET001\SERVICES\MSISERVERValue Name: Start 25 <HKLM>\SYSTEM\CONTROLSET001\SERVICES\OSEValue Name: Type 25 <HKLM>\SYSTEM\CONTROLSET001\SERVICES\OSEValue Name: Start 25 <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER\SVC\S-1-5-21-2580483871-590521980-3826313501-50025 <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER\SVC\S-1-5-21-2580483871-590521980-3826313501-500Value Name: EnableNotifications 25 <HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V2.0.50727_32Value Name: Start 25 <HKLM>\SYSTEM\CONTROLSET001\SERVICES\AELOOKUPSVCValue Name: Type 25 <HKLM>\SYSTEM\CONTROLSET001\SERVICES\AELOOKUPSVCValue Name: Start 25 <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\.NETFRAMEWORK\V2.0.50727\NGENSERVICE\STATEValue Name: AccumulatedWaitIdleTime 25 <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\.NETFRAMEWORK\V2.0.50727\NGENSERVICE\LISTENEDSTATEValue Name: RootstoreDirty 25
Mutexes Occurrences kkq-vx_mtx6725 kkq-vx_mtx6825 kkq-vx_mtx6925 kkq-vx_mtx7025 kkq-vx_mtx7125 kkq-vx_mtx7225 kkq-vx_mtx7325 kkq-vx_mtx7425 kkq-vx_mtx7525 kkq-vx_mtx7625 kkq-vx_mtx7725 kkq-vx_mtx7825 kkq-vx_mtx7925 kkq-vx_mtx8025 kkq-vx_mtx8125 kkq-vx_mtx8225 kkq-vx_mtx8325 kkq-vx_mtx8425 kkq-vx_mtx8525 kkq-vx_mtx8625 kkq-vx_mtx8725 kkq-vx_mtx8825 kkq-vx_mtx8925 kkq-vx_mtx9025 kkq-vx_mtx9125
*See JSON for more IOCs
Files and or directories created Occurrences %CommonProgramFiles(x86)%\microsoft shared\Source Engine\OSE.EXE25 %ProgramFiles(x86)%\Microsoft Office\Office14\GROOVE.EXE25 %ProgramFiles(x86)%\Mozilla Maintenance Service\maintenanceservice.exe25 %SystemRoot%\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe25 %SystemRoot%\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe25 %SystemRoot%\Microsoft.NET\Framework\v2.0.50727\ngen_service.log25 %SystemRoot%\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{33EC2C09-9668-4DE7-BCC0-EFC69D7355D7}.crmlog25 %SystemRoot%\SysWOW64\dllhost.exe25 %SystemRoot%\SysWOW64\msiexec.exe25 %SystemRoot%\SysWOW64\svchost.exe25 %SystemRoot%\Microsoft.NET\Framework\v4.0.30319\ngen_service.log25 %SystemRoot%\SysWOW64\dllhost.vir25 %SystemRoot%\SysWOW64\msiexec.vir25 %SystemRoot%\SysWOW64\svchost.vir25 %SystemRoot%\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat25 %SystemRoot%\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock25 %SystemRoot%\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat25 %CommonProgramFiles(x86)%\microsoft shared\source engine\ose.vir25 %ProgramFiles(x86)%\microsoft office\office14\groove.vir25 %ProgramFiles(x86)%\mozilla maintenance service\maintenanceservice.vir25 %SystemRoot%\microsoft.net\framework\v2.0.50727\mscorsvw.vir25 %SystemRoot%\microsoft.net\framework\v4.0.30319\mscorsvw.vir25 %ProgramData%\Mozilla\logs\maintenanceservice.log25 %SystemRoot%\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat25 %SystemRoot%\Microsoft.NET\ngenservice_pri1_lock.dat25
*See JSON for more IOCs
File Hashes 080a1db230eaaf408fea0e76fc32baf288bb5cc29a690be8e6a0eb2d98d72069 092facc597b03b52d67baf47cf3a0a2ac61bc18b2d300ff23a8ddcc51dae7381 09cb753436065b7734c3f13a80e837575e5953433a0cd3e03d8736e802d47e6e 0c992aadb78c91d777d2f82a47e8bf4fc3df5944efbc96cf13f40220af4dff16 1d3750731ee032528891a55113cff2ae5834c423679a84c835c5dfe527ada46f 1e7cd7bef018b3b416e6b9ebf80616df50430ff8fa0f8013a38bb50c1484ad07 2307d4c01fd3409dd09cb4d4410e6b9e732933e607dca0ec788eaeb653498b7e 2fa967b0c8c3d63bbbfc9ffcf62f07491fcc945bba13d818c089da6562002521 30fc613150e07680acebaef73e7d2e90323ff2fc25cef83bada71e5cd2e488a5 36d14b93e74bec6e9e65a0adce04d283b0ba652d1cea34531327f982e26026fa 40099123e2553642318e963fb644aa998871069a99fec399fff56812ecfb9f3a 4e253d34579924dd8f6dfc0db889fbd11e8bbedc9e97dcfed3a2c66d8bc539f5 573e44560ec03a480499c33e208f07694fbf9014624e8458a11acf3c91d4ac86 5e4dd297b77b22d5af4f1e0a2d6491faee63321ce78e8fbeabd99e60f5875071 74cb267ae42cb4d05b5824b8b15b143ce966db6b9826dcc5d059b63f3a4472ee 7cbdf8cba9c0a6ba7e088ab1f169392b57a691132d73392a1649eab0afe42a9f 99f58513264d50d442f6f05074f7cff9703caa1eb3f9fc087e48bd1bd236759f 9d4fb7c69ed2e30ad402fc536caae122ace345d95ff306c026b3262558f7c5a6 bfc69100e2055bfb88171d88616fa70afb0b6170d944bdf068953c7cd9d04368 da7c97b9fa3fcd2823d28477aa13372cd2a1e8645f20d12e85afbba5baa5adbd efce6cd3e73a416d0cc920ca76f148499f78080ffbbc166bf535f37854a57fe7 f76e338c200b85d9761f81835729cede7d6255f2da04e87bb651943be7cdf97c fb33d2b921ba402f9557709f3991f37e64084e6e56968a2e3d111c758b270202 fc9d5c1729a6f5c1ea3ffbb242c344ea475f029dbfb98d966885a89a0cd965ab fe485abd2c82271a87c0bdb10db4efff2f64debdc31b4d1abf52e3bfbaef4cff*See JSON for more IOCs
Coverage Product Protection Secure Endpoint Cloudlock N/A CWS Email Security Network Security N/A Stealthwatch N/A Stealthwatch Cloud N/A Secure Malware Analytics Umbrella N/A WSA N/A
Screenshots of Detection Secure Endpoint
Secure Malware Analytics
MITRE ATT&CK
Win.Trojan.Zbot-9972724-0 Indicators of Compromise IOCs collected from dynamic analysis of 28 samples Registry Keys Occurrences <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNValue Name: FAFEB955 24 <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNValue Name: {32382BC4-48A5-6DE8-F0EE-B8109DEC3228} 1 <HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\PHISHINGFILTERValue Name: EnabledV8 1 <HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\PHISHINGFILTERValue Name: EnabledV9 1 <HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\1591 <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNValue Name: MsDtc 1 <HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNValue Name: yremyhov 1
Mutexes Occurrences qazwsxedc28 FAFEB95524 Global\ukacizefetatoxonoxajozeliriwoca1 Global\yjabekozydyhygulyhexeso1
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences 201[.]175[.]17[.]351 173[.]230[.]130[.]2521 188[.]165[.]235[.]131
Domain Names contacted by malware. Does not indicate maliciousness Occurrences scrafort[.]ru1 pokamelix[.]net1
Files and or directories created Occurrences %HOMEPATH%\AppData\LocalLow\FAFEB95524 %APPDATA%\FAFEB95524 %APPDATA%\FAFEB955\bin.exe24 %APPDATA%\s928_043.bat1 %APPDATA%\MsDtc1 %ProgramData%\ubabehuzohahirol1 %ProgramData%\ubabehuzohahirol\010000001 %ProgramData%\ubabehuzohahirol\000000001 %ProgramData%\ubabehuzohahirol\020000001 %SystemRoot%\yrimonoj.exe1
File Hashes 0390003f4f7ba18e64912fe1337a696cc6f1872716e5b61e0da335a403ded7c5 0423c8c664cb4342a836416a387ef7c5f0cfb027b5a5f4f9d6826e6e43c69142 0a82bb4da5e5e843c17889aa698caf818a34f8ed3c58bb5525f2eb7fd79f83af 0a9ad9e5a4502f5afaa5c103a72181f8db387c03ff238fa884e09092ca1aec10 1000afbdd91acf747e303a770740980dc1bbeaaed0f132237fe1b5c45ee7e4f4 11d5962aed7e8ae84506dace35f101b591002c16bdf296c134a35809f7824ab9 14002cc935cf0d9c0b97ce8dac13ea405bc227d3595285f2ff7c5911eca59665 18f1d6253f5a88894645692a0cf212573be11bc0831c53f0349f30114863439a 1917791b75d7ec9c5254e199ac1335fd764a69cd16a3022332f667769afb11ec 1a189efb3c9b8c7db21f14864d858cdccbe2a0c36e0bd5948f55a799133bf02f 1be9a459e5469612fef17f3fa51ed68c9c1f663ce8bbdd2d47052185f60e1aba 1e2ef6d2489dcef6f4314ce1f91692c52ce64cc18cfff8df04eab8f8eab512b9 1f7025b0f9f0cf1795744cad7a8757fac3ee1fea9de51ae367f199ddf153c778 1f9db435ecfb896e390f90a8163a33014103f90193670709c3c74b984830fcad 214471bd376458cdccae3f64db91bfa101e5e132aa37fda9f78680d82f1a9a61 23484d080f3a9dbbbf945afac92564cc0ef6c472891d4ec73ca9f5d9f33af754 27f08c6ea7a3ce291d3db43b2905192d015854b37eb5292dafebca4673900917 28c8ad043a20c5ccecabc7a9bd6a3c42ef354c37469f050469bb8a8686ad5637 2d3ddfe686cb054acb5ae562cbe8dcc69d93cacc47dee09dbe074a02d67cee7d 2df729a212bbd48be67d830a3ba5b4f6560e499fd1be303910b81fe608bf1846 2f34e105b042e555059d04d448a68a0504b038649f326a884b15b6a11bab9207 33171e47458e55fd3231b38d9ec33973bbb290611abfe956105831315bed943c 33736967493c8526aa2e5e544c4353ea769ece401020e2b18eb13a6026d5be59 38b417c20d96d86e55ba3785d7671fadb081b7df7b68e53f621dac966bc7f337 3b7e84c3c45c35df400f20c6b6d9be4c1ad198e330ce224b7b02066b91332996*See JSON for more IOCs
Coverage Product Protection Secure Endpoint Cloudlock N/A CWS Email Security Network Security N/A Stealthwatch N/A Stealthwatch Cloud N/A Secure Malware Analytics Umbrella N/A WSA N/A
Screenshots of Detection Secure Endpoint
Secure Malware Analytics
MITRE ATT&CK
Win.Dropper.Kuluoz-9972735-0 Indicators of Compromise IOCs collected from dynamic analysis of 25 samples Registry Keys Occurrences <HKCU>\SOFTWARE\<random, matching '[a-zA-Z0-9]{5,9}'>25 <HKCU>\SOFTWARE\GSJVNITLValue Name: vhpprofa 2 <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNValue Name: jintssul 2 <HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7EValue Name: @explorer.exe,-7001 1 <HKCU>\SOFTWARE\IBQNGRRJValue Name: lrihkesw 1 <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNValue Name: jsjvfjml 1 <HKCU>\SOFTWARE\ISEXODUXValue Name: klxdvqlb 1 <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNValue Name: irvnwbmg 1 <HKCU>\SOFTWARE\KIPTHOSTValue Name: tkcofvhr 1 <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNValue Name: esnklnfh 1 <HKCU>\SOFTWARE\HGLMDQGGValue Name: hvpqeoep 1 <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNValue Name: cljiohww 1 <HKCU>\SOFTWARE\PIXXVEDRValue Name: fvtnlluj 1 <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNValue Name: qbvkabll 1 <HKCU>\SOFTWARE\OGIWSKLJValue Name: kwbfngcr 1 <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNValue Name: ajjptuhl 1 <HKCU>\SOFTWARE\EBWFKRUQValue Name: ocvuwatc 1 <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNValue Name: utxbmdsc 1 <HKCU>\SOFTWARE\LMJTIFNQValue Name: vbxnvqar 1 <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNValue Name: wcwwwfok 1 <HKCU>\SOFTWARE\WAPRAFPNValue Name: ccgddubh 1 <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNValue Name: cfiaevsd 1 <HKCU>\SOFTWARE\CDEOQJNVValue Name: hfjwqkiv 1 <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNValue Name: bkrdfcrr 1 <HKCU>\SOFTWARE\VCOKJEHVValue Name: nwedcqwe 1
Mutexes Occurrences aaAdministrator25 abAdministrator25
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences 82[.]165[.]155[.]7719 69[.]64[.]32[.]24719 96[.]30[.]22[.]9617 85[.]12[.]29[.]25415 74[.]221[.]221[.]5812 110[.]77[.]220[.]6612 95[.]131[.]70[.]16811 195[.]28[.]181[.]1849
Files and or directories created Occurrences %LOCALAPPDATA%\<random, matching '[a-z]{8}'>.exe25
File Hashes 06587673163e3102cffdf7e9d54eefbf8b57e3ec4e118d31c4a647e500783007 0d4819020d9bf81fef8590eb7bcb24874c8d525e782e84d8568a835684c8b0d2 17a9142fbcf022a56e72b62050ad20abbc083a07180b7ee61dc506d9c4073c09 1dd4e2ac41eb1f9c40e33c19c6dbd18216bb88a43835ed1157faa9913459c793 3d5e9d863a64702b596416c0ecfa9541668e8d4c29f9c17c0c16cb2971c31aea 3f7e294c82e7b197f46a415f47cf185a16ed6e341e37011636a8fa92373922c4 47acefdcb7658ab8ccd31ea9fb971bbc1312341a6148c53b7b23da0d5e362b39 5020fc995eca392204546421a6d7108a67e05e3b1d5542aa76240126d94fa8c1 5284522fa9edfbe776f1bba4e31a7e27319ef29ce5a8878ebb79c40d66e7e21b 6131584ef645e47e997a3ba334e9eaf76f52eb47e164d345b62bd6175a776cf5 6b1aabdf6652cc85fe060d76482ac6e5c13b92a624bd925506872b29977364f3 6fc550f88166e80b91e8b1546e06629d5e8d5697b009cee05581ce1765e51638 7fbdc0cbb6086ada84ed5ea5b439847aa882e540914fce381abea115c137fc10 939699e4649833eb081dce8a60e00f37581e4db6961d320adba950b0ee1dd05c a20bb344fd87f2c0ee3747d1886973df1c738d5f5e062df4e51296767eb72a33 a53a1993f4e589299bfdfeb4fcdd2447b1836462332459b35d97a975508f4b6c b123a1f1c0e425e1b77dad3441e130bfc6a2bbdd9e01b560dab27e58820a5c29 b25a6edd96f4737b1e82a62387b43d8fdb65c167367c0c9ee4ef7ae8c7a6ff3f b3581d3b3893d7de52c0ca9f8c7fd95e8e421d792f5969c69562ca144cd9bbef cc9941784371880ed99ee0904c901266fad3074f34d302233f0741cfe6657eb6 e04b52d40866c70df0634266dc8e650712c30f39d69d44a2c38ff65e4948c8bd e2e8b6db48528177a29181418fba40d1c836ede4617159f55a0e96f9fe0ec984 ed62393540e6672d74dab74381427a334a1d64b7a0425d6a91fb6ea6141221e7 efe642fd78561c05dfc2b3d63235d91a3c8b56345249632eefebcc4a5feab3db f7ac29e25c12c504e255e45e507391d9a0cdbbcbc338c5dc0fd596afbc35deee
Coverage Product Protection Secure Endpoint Cloudlock N/A CWS Email Security Network Security N/A Stealthwatch N/A Stealthwatch Cloud N/A Secure Malware Analytics Umbrella N/A WSA N/A
Screenshots of Detection Secure Endpoint
Secure Malware Analytics
MITRE ATT&CK
Win.Trojan.Qakbot-9972834-1 Indicators of Compromise IOCs collected from dynamic analysis of 28 samples Registry Keys Occurrences <HKCU>\SOFTWARE\MICROSOFT\DFWOFIK27 <HKCU>\SOFTWARE\MICROSOFT\DFWOFIKValue Name: bd63ad6b 27 <HKCU>\SOFTWARE\MICROSOFT\DFWOFIKValue Name: bf228d17 27 <HKCU>\SOFTWARE\MICROSOFT\DFWOFIKValue Name: 79eea72 27 <HKCU>\SOFTWARE\MICROSOFT\DFWOFIKValue Name: 7a96a5f8 27 <HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\32\SHELL\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}Value Name: Sort 1 <HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\32\SHELL\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}Value Name: ColInfo 1 <HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\32\SHELL\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}Value Name: GroupCollapseState 1 <HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\32\SHELL\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}Value Name: GroupView 1 <HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\32\SHELL\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}Value Name: GroupByKey:FMTID 1 <HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\32\SHELL\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}Value Name: GroupByKey:PID 1 <HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\32\SHELL\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}Value Name: GroupByDirection 1 <HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\73\SHELL\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}Value Name: Rev 1 <HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\73\SHELL\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}Value Name: Vid 1 <HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\73\SHELL\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}Value Name: Mode 1 <HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\73\SHELL\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}Value Name: LogicalViewMode 1 <HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\73\SHELL\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}Value Name: FFlags 1 <HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\73\SHELL\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}Value Name: IconSize 1 <HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\73\SHELL\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}Value Name: Sort 1 <HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\73\SHELL\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}Value Name: ColInfo 1 <HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\73\SHELL\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}Value Name: GroupCollapseState 1 <HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\73\SHELL\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}Value Name: GroupView 1 <HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\73\SHELL\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}Value Name: GroupByKey:FMTID 1 <HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\73\SHELL\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}Value Name: GroupByKey:PID 1 <HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\73\SHELL\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}Value Name: GroupByDirection 1
Mutexes Occurrences Global\{06253ADC-953E-436E-8695-87FADA31FDFB}27 {06253ADC-953E-436E-8695-87FADA31FDFB}27 {357206BB-1CE6-4313-A3FA-D21258CBCDE6}27 Global\C::Users:Administrator:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!076981 Global\{7B79CCF3-2543-4418-9AE3-13A412B9485A}1 {4D75F9BA-3625-4505-A691-ED1227F4B50E}1 {7B79CCF3-2543-4418-9AE3-13A412B9485A}1
Files and or directories created Occurrences %APPDATA%\Microsoft\Xtuou27 %ProgramFiles%\7-Zip\Lang\mng2.txt1 %ProgramFiles%\7-Zip\Lang\mr.txt1 %ProgramFiles%\7-Zip\Lang\ms.txt1 %ProgramFiles%\7-Zip\Lang\nb.txt1 %ProgramFiles%\7-Zip\Lang\ne.txt1 %ProgramFiles%\7-Zip\Lang\nl.txt1 %ProgramFiles%\7-Zip\Lang\nn.txt1 %ProgramFiles%\7-Zip\Lang\pa-in.txt1 %ProgramFiles%\7-Zip\Lang\pl.txt1 %ProgramFiles%\7-Zip\Lang\ps.txt1 %ProgramFiles%\7-Zip\Lang\pt-br.txt1 %ProgramFiles%\7-Zip\Lang\pt.txt1 %ProgramFiles%\7-Zip\Lang\ro.txt1 %ProgramFiles%\7-Zip\Lang\ru.txt1 %ProgramFiles%\7-Zip\Lang\sa.txt1 %ProgramFiles%\7-Zip\Lang\si.txt1 %ProgramFiles%\7-Zip\Lang\sk.txt1 %ProgramFiles%\7-Zip\Lang\sl.txt1 %ProgramFiles%\7-Zip\Lang\sq.txt1 %ProgramFiles%\7-Zip\Lang\sr-spc.txt1 %ProgramFiles%\7-Zip\Lang\sr-spl.txt1 %ProgramFiles%\7-Zip\Lang\sv.txt1 %ProgramFiles%\7-Zip\Lang\ta.txt1 %ProgramFiles%\7-Zip\Lang\th.txt1
*See JSON for more IOCs
File Hashes 0026645145cebe394c4fb8f5bebdf4d3199bff9053ce92c334bcb8b5f66a5832 01e37dcd8e487e821f4267d990296dc3e73fd67a3af4e5be3c11db442acab16a 0c35fa0501b7b4c766ed9de8ba3b23773c2e02c6df5c488e768ac71057816bcf 0ea87d7270f57c9469a357541c0ba167f031438b80381e8e99e4bed9cacb19f3 11b161e294f2be47ebae7d9419868135a0410023eae236076562a3331030dc3c 1521bf5d38a02cae5e2020c1c11216b438793bc4de2498d3564a7f33f334827e 1831e80b0f1fff4282c01d5b8a8e08dc7a05ecdcebb278efbb509706ad369967 18cf23a68ba15d06373314737d6ec8b59199c8ef9af0dccde7150716532baaac 1b5e1690492b71173a2a078ff8a75d66c4a8b11e9617ad360af0452997e14ac9 1c7a2cf4823a32c5b8b9f32fd3a754023497a299c502dce042ded24a0d7fc764 1ff6ab173a9fe5a38a73680b289a4d6fd676ff5d5926ca331d8454bf3fe8afa9 25bdc9afcddff2556eaa821e25e2291381c4f2155fc9122d2e4113ee7a6a2748 2a1dd679211581bfdcdfbe9e0ae692d432a1079443c21d3219a0d72b06aa0046 2f693b3ecf07154d148563aa0525d0521e46f46529ef44bd1d947b3d636f929f 339ee32915a3ced968e781a66caa65dcf0cb614e4cc7990db3a10021d97c5906 36f1ef38bf37a0cb55c1bb8ceab684485f0e306c98b52cb068fb587fc5a2fcf4 38a3d39aa9d88941b7267c2a360872eb201c1d1a8421f5426610b5d6c5152538 3e5174c91dacc54cc6082d45b7253194743e307c7d775574e0100b0860ddbe16 41196d7bdc074db56deca5a0fef682d2cb167628de8907ad0dbd6e7321ff5389 43e05dac1b91b212c4f0da1279e2f8d966b52b04f7e428a6d2b1da3565470914 466484398eb25d42b0e0b095f10590a566610447eb212d1dc7f7bd342e89fe5a 499d168c92421b16b5e91609207cf4c7cc92db93a1d33c63866db77ed0bdac7f 4bbb72953a3ba582f0be37eea5d616f4b63bb0b569eb9589e67cf4152e026f51 4ff872d196dbb0d23c4bc96311372f9b0cd9f8b9ea00fa4b5041fa9ea49a1442 5699d1e398d0d8ffd7d118e67862ef8a048d7057bae8507fc07dca8149cdeab0*See JSON for more IOCs
Coverage Product Protection Secure Endpoint Cloudlock N/A CWS Email Security Network Security N/A Stealthwatch N/A Stealthwatch Cloud N/A Secure Malware Analytics Umbrella N/A WSA N/A
Screenshots of Detection Secure Endpoint
Secure Malware Analytics
MITRE ATT&CK
