Threat Roundup for August 26 to September 2
Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between Aug. 26 and Sept. 2. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats. As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.
For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. A visual depiction of the MITRE ATT&CK techniques associated with each threat is also shown. In these images, the brightness of the technique indicates how prevalent it is across all threat files where dynamic analysis was conducted. Five distinct shades are used, with the darkest indicating that no files exhibited the technique behavior and the brightest indicating that the technique behavior was observed in 75 percent or more of the files. The most prevalent threats highlighted in this roundup are:
| Threat Name | Type | Description |
|---|---|---|
| Win.Dropper.DarkKomet-9966191-0 | Dropper | DarkKomet is a freeware remote access trojan that was released by an independent software developer. It provides the same functionality you would expect from a remote access tool: keylogging, webcam access, microphone access, remote desktop, URL download, program execution, etc. |
| Win.Packed.AgentTesla-9966126-1 | Packed | AgentTesla is a remote access trojan that records keystrokes and attempts to steal sensitive information from web browsers and other installed applications. |
| Win.Virus.Xpiro-9965977-1 | Virus | Expiro is a known file infector and information stealer that hinders analysis with anti-debugging and anti-analysis tricks. |
| Win.Dropper.Nanocore-9965501-0 | Dropper | Nanocore is a .NET remote access trojan. Its source code has been leaked several times, making it widely available. Like other RATs, it allows full control of the system, including recording video and audio, stealing passwords, downloading files and recording keystrokes. |
| Win.Packed.Bandook-9965180-1 | Packed | Bandook is a remote access trojan (RAT) written in C++ and Delphi. It provides attackers with several abilities common to RATs, such as taking screenshots or uploading, downloading or executing files. Bandook is usually delivered through spear-phishing emails containing malicious attachments. |
| Win.Ransomware.BlackMatter-9965914-0 | Ransomware | BlackCat ransomware, also known as "ALPHV", has quickly gained notoriety for being used in double ransom (encrypted files and stolen file disclosure) attacks against companies. It uses the combination of AES128-CTR and RSA-2048 to encrypt the files on the victim's computer. |
| Win.Dropper.Formbook-9965920-0 | Dropper | Formbook is an information stealer that collects sensitive information from an infected machine by logging keystrokes, stealing saved web browser credentials, and monitoring information copied to the clipboard. |
Threat Breakdown
Win.Dropper.DarkKomet-9966191-0
Indicators of Compromise
IOCs collected from dynamic analysis of 84 samples
Registry Keys Occurrences
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE\AUTHORIZEDAPPLICATIONS\LIST 18
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: LanguageList 12
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE\AUTHORIZEDAPPLICATIONS\LIST
Value Name: C:\Windows\M-50504578520758924620\winmgr.exe 10
<HKCU>\SOFTWARE\DC3_FEXEC 8
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Microsoft Windows Service 5
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Microsoft Windows Service 5
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE\AUTHORIZEDAPPLICATIONS\LIST
Value Name: C:\Windows\M-5050756432604649683503740\winsvc.exe 3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE
Value Name: DoNotAllowExceptions 2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: MicroUpdate 2
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN 2
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @%SystemRoot%\system32\dhcpqec.dll,-100 2
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @%SystemRoot%\system32\dhcpqec.dll,-101 2
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @%SystemRoot%\system32\dhcpqec.dll,-103 2
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @%SystemRoot%\system32\dhcpqec.dll,-102 2
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @%SystemRoot%\system32\napipsec.dll,-1 2
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @%SystemRoot%\system32\napipsec.dll,-2 2
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @%SystemRoot%\system32\napipsec.dll,-4 2
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @%SystemRoot%\system32\napipsec.dll,-3 2
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @%SystemRoot%\system32\tsgqec.dll,-100 2
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @%SystemRoot%\system32\tsgqec.dll,-101 2
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @%SystemRoot%\system32\tsgqec.dll,-102 2
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @%SystemRoot%\system32\tsgqec.dll,-103 2
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @%SystemRoot%\system32\eapqec.dll,-100 2
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @%SystemRoot%\system32\eapqec.dll,-101 2
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @%SystemRoot%\system32\eapqec.dll,-102 2
Mutexes Occurrences
t8 6
DC_MUTEX-<random, matching [A-Z0-9]{7}> 5
t10 4
w3 3
w2 2
DCMIN_MUTEX-WG79R6U 2
uxJLpe1m 1
2562100796 1
lol 1
FvLQ49IlzIyLjj6m 1
e621ca05-Mutex 1
{D9961D0B-0106-5584-AD6D-884HSI64CNI9} 1
{D0001D0B-0106-5584-AD6D-884HSI64CNI9} 1
TLS 1
yourhavebecracked 1
crapponce 1
CCC 1
7QSDIYQXU3 1
DCMIN_MUTEX-W1AEX56 1
2CC 1
4444 1
5555 1
CC02 1
w4 1
e2b9ef1ee9bca34ce51187acb9a0f411 1
*See JSON for more IOCs
IP Addresses contacted by malware (does not indicate maliciousness) Occurrences
58[.]158[.]177[.]102 3
35[.]205[.]61[.]67 1
198[.]49[.]23[.]144/31 1
20[.]72[.]235[.]82 1
20[.]81[.]111[.]85 1
23[.]221[.]227[.]172 1
184[.]105[.]237[.]196 1
188[.]165[.]227[.]65 1
140[.]228[.]29[.]110 1
Domain Names contacted by malware (does not indicate maliciousness) Occurrences
srv50[.]ru 11
trik[.]su 11
trkbox[.]ru 6
srv60[.]su 5
srv70[.]ru 4
wrksrv[.]ru 4
markben390[.]no-ip[.]org 3
avget[.]ru 2
microsoft[.]com 1
bermanstreetllc[.]com 1
biggymoney01[.]no-ip[.]biz 1
biggymoney03[.]no-ip[.]biz 1
biggymoney2[.]no-ip[.]biz 1
businessswitchedmylife[.]biz 1
nobemetalkam[.]com 1
heavensbreedonline[.]com 1
heavensbreedonline[.]biz 1
heavensbreedonline[.]co 1
heavensbreedonline[.]org 1
seadeeponline[.]com 1
eurofreightglobalonline[.]com 1
swrenvgloballtd[.]com 1
mailsecuredssl[.]com 1
ssl32bit[.]com 1
128bitsecured[.]com 1
*See JSON for more IOCs
Files and/or directories created Occurrences
\autorun.inf 11
\windrv.exe 11
E:\autorun.inf 11
E:\windrv.exe 11
%SystemRoot%\M-50504578520758924620 10
%SystemRoot%\M-50504578520758924620\winmgr.exe 10
%APPDATA%\dclogs 8
%SystemRoot%\M-5050756432604649683503740 3
%SystemRoot%\M-5050756432604649683503740\winsvc.exe 3
%HOMEPATH%\Documents\MSDCSC\msdcsc.exe 2
%TEMP%\a 2
%TEMP%\incl2 2
%SystemRoot%\M-50507564324649683503740\winsvc.exe 2
%TEMP%\c 2
%TEMP%\incl1 2
%TEMP%\<random, matching '[a-z]{3}[A-F0-9]{3,4}'>.tmp 2
%HOMEPATH%\Y44VPhclUOy\lib\images\cursors\win32_LinkNoDrop32x32.gif 1
%HOMEPATH%\Y44VPhclUOy\lib\images\cursors\win32_MoveDrop32x32.gif 1
%HOMEPATH%\Y44VPhclUOy\lib\images\cursors\win32_MoveNoDrop32x32.gif 1
%HOMEPATH%\Y44VPhclUOy\lib\jce.jar 1
%HOMEPATH%\Y44VPhclUOy\lib\jfr.jar 1
%HOMEPATH%\Y44VPhclUOy\lib\jfr\default.jfc 1
%HOMEPATH%\Y44VPhclUOy\lib\jfr\profile.jfc 1
%HOMEPATH%\Y44VPhclUOy\lib\jsse.jar 1
%HOMEPATH%\Y44VPhclUOy\lib\jvm.hprof.txt 1
*See JSON for more IOCs
File Hashes
*See JSON for more IOCs
Coverage
Product Protection
Secure Endpoint
Cloudlock N/A
CWS
Email Security
Network Security
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics
Umbrella N/A
WSA N/A
Screenshots of Detection
Secure Endpoint
Secure Malware Analytics
MITRE ATT&CK
Win.Packed.AgentTesla-9966126-1
Indicators of Compromise
IOCs collected from dynamic analysis of 11 samples
Registry Keys Occurrences
<HKCU>\SOFTWARE\VB AND VBA PROGRAM SETTINGS 11
<HKCU>\SOFTWARE\VB AND VBA PROGRAM SETTINGS\OQBAZG7TYHTA203\ATJMVRXU7DWVTQMOVW75
Value Name: wNHJwQzhBIRVra53 11
<HKCU>\SOFTWARE\VB AND VBA PROGRAM SETTINGS\OQBAZG7TYHTA203 11
<HKCU>\SOFTWARE\VB AND VBA PROGRAM SETTINGS\OQBAZG7TYHTA203\ATJMVRXU7DWVTQMOVW75 11
<HKCU>\SOFTWARE\VB AND VBA PROGRAM SETTINGS\YAPCUBB9WTPSKYCICPURQGTTVZSSZFZV9XZMYAD173 11
<HKCU>\SOFTWARE\VB AND VBA PROGRAM SETTINGS\YAPCUBB9WTPSKYCICPURQGTTVZSSZFZV9XZMYAD173\ZMD1ZDDSRHXRHJRA7YJEA5BX8K4IU8VF0XR178 11
<HKCU>\SOFTWARE\VB AND VBA PROGRAM SETTINGS\TNNOKQEOKS91GA2LCMWPH6IIE51 11
<HKCU>\SOFTWARE\VB AND VBA PROGRAM SETTINGS\TNNOKQEOKS91GA2LCMWPH6IIE51\WZHY5EK0J8ED51 11
<HKCU>\SOFTWARE\VB AND VBA PROGRAM SETTINGS\YAPCUBB9WTPSKYCICPURQGTTVZSSZFZV9XZMYAD173\ZMD1ZDDSRHXRHJRA7YJEA5BX8K4IU8VF0XR178
Value Name: m2shbluBdxk2hpHhWEya7LtO7ceN81 11
<HKCU>\SOFTWARE\VB AND VBA PROGRAM SETTINGS\WNHJWQZHBIRVRA224 11
<HKCU>\SOFTWARE\VB AND VBA PROGRAM SETTINGS\TNNOKQEOKS91GA2LCMWPH6IIE51\WZHY5EK0J8ED51
Value Name: OqbazG7tyhTA228 11
<HKCU>\SOFTWARE\VB AND VBA PROGRAM SETTINGS\WNHJWQZHBIRVRA224\B753 11
<HKCU>\SOFTWARE\VB AND VBA PROGRAM SETTINGS\WNHJWQZHBIRVRA224\B753
Value Name: YapCUbb9WtpskyCIcpUrqGtTVZssZFZv9xzmYaD128 11
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: newApp 4
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: newapp 4
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM
Value Name: DisableTaskMgr 2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM 2
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SYSTEMRESTORE
Value Name: DisableSR 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Registry Key Name 1
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: LanguageList 1
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @C:\Windows\system32\DeviceCenter.dll,-2000 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: MyyyyZApp 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: services 1
Mutexes Occurrences
Global\536fbb71-288b-11ed-9660-00151721fd34 1
Global\5c7184b1-288b-11ed-9660-001517bb55ad 1
IP Addresses contacted by malware (does not indicate maliciousness) Occurrences
3[.]93[.]18[.]244 1
3[.]217[.]248[.]28 1
34[.]200[.]207[.]31 1
Domain Names contacted by malware (does not indicate maliciousness) Occurrences
checkip[.]amazonaws[.]com 3
smtp[.]tetenel[.]com 1
mail[.]orncbbq[.]com 1
smtp[.]ssgtoolz[.]net 1
Files and/or directories created Occurrences
%TEMP%\<random, matching '[0-9]{15}'>000_<random GUID>.db 9
%APPDATA%\newapp 4
%APPDATA%\newapp\newapp.exe 4
%APPDATA%\Postbox\profiles.ini 2
%System32%\drivers\etc\hosts 1
%HOMEPATH%\subfolder 1
%HOMEPATH%\subfolder\filename.exe 1
%HOMEPATH%\subfolder\filename.vbs 1
%APPDATA%\services 1
%TEMP%\MyyyyZApp 1
%TEMP%\MyyyyZApp\MyyyyZApp.exe 1
%APPDATA%\jddbt225.sux 1
%APPDATA%\jddbt225.sux.zip 1
%APPDATA%\jddbt225.sux\Firefox 1
%APPDATA%\jddbt225.sux\Firefox\Profiles 1
%APPDATA%\jddbt225.sux\Firefox\Profiles\1lcuq8ab.default 1
%APPDATA%\jddbt225.sux\Firefox\Profiles\1lcuq8ab.default\cookies.sqlite 1
%APPDATA%\hqbkc1l0.fyj 1
%APPDATA%\hqbkc1l0.fyj.zip 1
%APPDATA%\hqbkc1l0.fyj\Firefox 1
%APPDATA%\hqbkc1l0.fyj\Firefox\Profiles 1
%APPDATA%\hqbkc1l0.fyj\Firefox\Profiles\1lcuq8ab.default 1
%APPDATA%\hqbkc1l0.fyj\Firefox\Profiles\1lcuq8ab.default\cookies.sqlite 1
%APPDATA%\services\services.exe 1
%APPDATA%\jntv4ane.ztp 1
*See JSON for more IOCs
File Hashes
Coverage
Product Protection
Secure Endpoint
Cloudlock N/A
CWS
Email Security
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics
Umbrella N/A
WSA N/A
Screenshots of Detection
Secure Endpoint
Secure Malware Analytics
MITRE ATT&CK
Win.Virus.Xpiro-9965977-1
Indicators of Compromise
IOCs collected from dynamic analysis of 45 samples
Registry Keys Occurrences
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC
Value Name: Start 45
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDEFEND
Value Name: Start 45
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V2.0.50727_32
Value Name: Type 45
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V2.0.50727_64
Value Name: Type 45
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V4.0.30319_32
Value Name: Type 45
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V4.0.30319_32
Value Name: Start 45
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MOZILLAMAINTENANCE
Value Name: Type 45
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MOZILLAMAINTENANCE
Value Name: Start 45
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\OSE
Value Name: Type 45
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\OSE
Value Name: Start 45
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER\SVC\S-1-5-21-2580483871-590521980-3826313501-500 45
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER\SVC\S-1-5-21-2580483871-590521980-3826313501-500
Value Name: EnableNotifications 45
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V2.0.50727_32
Value Name: Start 45
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V2.0.50727_64
Value Name: Start 45
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\MSSQLSERVER 45
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\MSSQLSERVER\CLIENT 45
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\MSSQLSERVER\CLIENT\DB-LIB 45
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\MSSQLSERVER\CLIENT\SUPERSOCKETNETLIB 45
<HKLM>\SOFTWARE\MICROSOFT\.NETFRAMEWORK\V2.0.50727\NGENSERVICE\STATE
Value Name: AccumulatedWaitIdleTime 45
<HKLM>\SOFTWARE\MICROSOFT\.NETFRAMEWORK\V2.0.50727\NGENSERVICE\LISTENEDSTATE
Value Name: RootstoreDirty 45
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\.NETFRAMEWORK\V2.0.50727\NGENSERVICE\STATE
Value Name: AccumulatedWaitIdleTime 45
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\.NETFRAMEWORK\V2.0.50727\NGENSERVICE\LISTENEDSTATE
Value Name: RootstoreDirty 45
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\MSSQLSERVER\CLIENT\SUPERSOCKETNETLIB
Value Name: Encrypt 45
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\MSSQLSERVER\CLIENT
Value Name: SharedMemoryOn 45
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V4.0.30319_64
Value Name: Type 44
Mutexes Occurrences
kkq-vx_mtx62 45
kkq-vx_mtx63 45
kkq-vx_mtx64 45
kkq-vx_mtx65 45
kkq-vx_mtx66 45
kkq-vx_mtx67 45
kkq-vx_mtx68 45
kkq-vx_mtx69 45
kkq-vx_mtx70 45
kkq-vx_mtx71 45
kkq-vx_mtx72 45
kkq-vx_mtx73 45
kkq-vx_mtx74 45
kkq-vx_mtx75 45
kkq-vx_mtx76 45
kkq-vx_mtx77 45
kkq-vx_mtx78 45
kkq-vx_mtx79 45
kkq-vx_mtx80 45
kkq-vx_mtx81 45
kkq-vx_mtx82 45
kkq-vx_mtx83 45
kkq-vx_mtx84 45
kkq-vx_mtx85 45
kkq-vx_mtx86 45
*See JSON for more IOCs
Files and/or directories created Occurrences
%CommonProgramFiles%\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE 45
%CommonProgramFiles(x86)%\microsoft shared\Source Engine\OSE.EXE 45
%ProgramFiles(x86)%\Microsoft Office\Office14\GROOVE.EXE 45
%ProgramFiles(x86)%\Mozilla Maintenance Service\maintenanceservice.exe 45
%SystemRoot%\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe 45
%SystemRoot%\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe 45
%SystemRoot%\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe 45
%SystemRoot%\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe 45
%System32%\alg.exe 45
%SystemRoot%\Microsoft.NET\Framework\v2.0.50727\ngen_service.log 45
%SystemRoot%\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log 45
%SystemRoot%\SysWOW64\svchost.exe 45
%SystemRoot%\Microsoft.NET\Framework\v4.0.30319\ngen_service.log 45
%SystemRoot%\SysWOW64\svchost.vir 45
%SystemRoot%\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat 45
%SystemRoot%\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock 45
%SystemRoot%\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat 45
%SystemRoot%\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock 45
%SystemRoot%\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat 45
%CommonProgramFiles(x86)%\microsoft shared\source engine\ose.vir 45
%ProgramFiles(x86)%\microsoft office\office14\groove.vir 45
%ProgramFiles(x86)%\mozilla maintenance service\maintenanceservice.vir 45
%CommonProgramFiles%\microsoft shared\officesoftwareprotectionplatform\osppsvc.vir 45
%SystemRoot%\microsoft.net\framework64\v2.0.50727\mscorsvw.vir 45
%SystemRoot%\microsoft.net\framework64\v4.0.30319\mscorsvw.vir 45
*See JSON for more IOCs
File Hashes
*See JSON for more IOCs
Coverage
Product Protection
Secure Endpoint
Cloudlock N/A
CWS
Email Security
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics
Umbrella N/A
WSA N/A
Screenshots of Detection
Secure Endpoint
Secure Malware Analytics
MITRE ATT&CK
Win.Dropper.Nanocore-9965501-0
Indicators of Compromise
IOCs collected from dynamic analysis of 12 samples
Registry Keys Occurrences
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: Firefox 6
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: Google Chrome 3
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: Rauzvon 2
Mutexes Occurrences
Global\{507a688d-5e7f-4ee3-978d-22cfb8649ae5} 6
IuRNZvTk9FliRK7fos 3
85af4115-b1eb-4cf2-a465-c0c97232a10e 2
IP Addresses contacted by malware (does not indicate maliciousness) Occurrences
208[.]95[.]112[.]1 3
194[.]233[.]95[.]52 1
Domain Names contacted by malware (does not indicate maliciousness) Occurrences
maniac[.]http80[.]info 6
ip-api[.]com 3
zub[.]http80[.]info 3
salak[.]pw 2
methodist[.]sch[.]id 1
Files and/or directories created Occurrences
%TEMP%\subfolder 9
%APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5 6
%APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\Logs 6
%APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\Logs\Administrator 6
%APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\run.dat 6
%TEMP%\subfolder\firefox.exe 6
%TEMP%\subfolder\firefox.vbs 6
%APPDATA%\Logs 3
%APPDATA%\Logs\08-27-2022 3
%TEMP%\subfolder\chromee.exe 3
%TEMP%\subfolder\chromee.vbs 3
%TEMP%\Rezmac 2
%TEMP%\Rezmac\reuzcms.exe 2
%TEMP%\Rezmac\reuzcms.vbs 2
File Hashes
Coverage
Product Protection
Secure Endpoint
Cloudlock N/A
CWS
Email Security
Network Security
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics
Umbrella
WSA
Screenshots of Detection
Secure Endpoint
Secure Malware Analytics
MITRE ATT&CK
Win.Packed.Bandook-9965180-1
Indicators of Compromise
IOCs collected from dynamic analysis of 14 samples
Registry Keys Occurrences
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION
Value Name: SysHelper 14
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: LanguageList 14
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: SysHelper 14
Mutexes Occurrences
{1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 14
Global\<random guid> 12
IP Addresses contacted by malware (does not indicate maliciousness) Occurrences
162[.]0[.]217[.]254 14
149[.]154[.]167[.]99 12
116[.]202[.]178[.]78 11
211[.]53[.]230[.]67 5
116[.]121[.]62[.]237 3
109[.]102[.]255[.]230 2
115[.]88[.]24[.]202 2
210[.]182[.]29[.]70 2
186[.]7[.]80[.]197 2
41[.]41[.]255[.]235 1
110[.]14[.]121[.]125 1
222[.]236[.]49[.]124 1
211[.]40[.]39[.]251 1
211[.]171[.]233[.]126 1
190[.]219[.]54[.]242 1
195[.]158[.]3[.]162 1
58[.]235[.]189[.]192 1
187[.]190[.]48[.]135 1
187[.]195[.]212[.]6 1
189[.]164[.]252[.]207 1
88[.]198[.]122[.]116 1
201[.]22[.]188[.]119 1
Domain Names contacted by malware (does not indicate maliciousness) Occurrences
api[.]2ip[.]ua 14
rgyui[.]top 14
acacaca[.]org 14
t[.]me 12
Files and/or directories created Occurrences
I:\5d2860c89d774.jpg 14
\SystemID 14
\SystemID\PersonalID.txt 14
%LOCALAPPDATA%\bowsakkdestx.txt 14
%System32%\Tasks\Time Trigger Task 14
%LOCALAPPDATA%\3856b5d6-9eb0-496c-b0d1-db92b0f6ed65 14
%ProgramData%\freebl3.dll 12
%ProgramData%\mozglue.dll 12
%ProgramData%\msvcp140.dll 12
%ProgramData%\nss3.dll 12
%ProgramData%\softokn3.dll 12
%ProgramData%\vcruntime140.dll 12
%LOCALAPPDATA%\7c34bb01-5d78-49c4-8bbb-73fdc7aa1262 12
%LOCALAPPDATA%\7c34bb01-5d78-49c4-8bbb-73fdc7aa1262\build2.exe 11
%LOCALAPPDATA%\66848c81-aae5-4fb7-b7d5-caf7cfaf5685\build2.exe 2
%ProgramData%\38004316577355091428719705 2
%ProgramData%\38004316577355091428719705-shm 2
%ProgramData%\38004316577355091428719705-wal 2
%ProgramData%\71584480118905964190690196 1
%LOCALAPPDATA%\3856b5d6-9eb0-496c-b0d1-db92b0f6ed65\e06bf2d61685bb0e8d57d45e278c965ea7a4fda6e9eae6a8ef9dea226f089dcd.exe 1
%ProgramData%\74266566668491997434247038 1
%ProgramData%\08802376146419947648049053 1
%ProgramData%\78905701483251681848013193 1
%ProgramData%\87138039098365190229474947 1
%ProgramData%\11794213916832836750166526 1
*See JSON for more IOCs
File Hashes
Coverage
Product Protection
Secure Endpoint
Cloudlock N/A
CWS
Email Security
Network Security
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics
Umbrella
WSA
Screenshots of Detection
Secure Endpoint
Secure Malware Analytics
MITRE ATT&CK
Win.Ransomware.BlackMatter-9965914-0
Indicators of Compromise
IOCs collected from dynamic analysis of 17 samples
Registry Keys Occurrences
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\VSS
Value Name: DeleteFlag 17
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\VSS
Value Name: Start 17
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER
Value Name: GlobalAssocChangedCounter 16
Mutexes Occurrences
Local\SHResolveLibrary:C:/Users/Administrator/AppData/Roaming/Microsoft/Windows/Libraries/Music.library-ms 2
Global\160e9ee717cce91f13d77a3a825f0c36 2
Global\97dd24c9bf8e7c0cbf96f37f87229698 1
Global\d33eaa6f804fb26ad354969330593cc2 1
Global\87157f060adf9f831ce0dc0cb3f23616 1
Global\894f56e5131f56d3248c4e688de24b70 1
Global\e3bb7e34789420de468428f3c22d9d74 1
Global\21cb1589097551b53e4b6dd91c431ec7 1
Global\1bb52c4380360c6c5ede0e9633f41905 1
Global\286849ac1f88a55fdd83f9a2fd92cc8c 1
Global\911dfc525e2ca360ae05fdde5aa84df4 1
Global\64b3e687a1e5d07fe5e0c7a162866a7b 1
Global\ca37097bb37bda10e9e84e42619ea25e 1
Global\f95807e1444ab674c068082d2b3a4883 1
Global\9a70b72fa75e9f9c3e2497457d332c26 1
Global\ea05f6895900370af4c4072c97ed86a2 1
Global\00348b0aaf40155607fc2b57eb660ea0 1
Files and/or directories created Occurrences
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-1002\desktop.ini 17
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$I08BO8F.xlsx 17
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$I11KHR4.doc 17
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$I5QKHLN.doc 17
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$I62TWBD.ppt 17
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$I6FZORX.doc 17
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IABMX83.pdf 17
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IAJ2Y6R.pdf 17
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IALGTCS.xlsx 17
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IAPSNOM.tsv 17
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IGORSF7.xsn 17
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IGTBBSA.accdb 17
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IH49RPF.ppt 17
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IH71GGR.ppt 17
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IJKODPH.pdf 17
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IJP965K.accdb 17
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IKY5R3M.pdf 17
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IMYCSIT.pdf 17
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$ISLP722.doc 17
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IXLC77A.pdf 17
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IXUL2U1.doc 17
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IYSR1FU.ppt 17
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IZ2GMJW.XLSX 17
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$R08BO8F.xlsx 17
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$R11KHR4.doc 17
*See JSON for more IOCs
File Hashes
Coverage
Product Protection
Secure Endpoint
Cloudlock N/A
CWS
Email Security
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics
Umbrella N/A
WSA N/A
Screenshots of Detection
Secure Endpoint
Secure Malware Analytics
MITRE ATT&CK
Win.Dropper.Formbook-9965920-0
Indicators of Compromise
IOCs collected from dynamic analysis of 25 samples
Mutexes Occurrences
8-3503835SZBFHHZ 1
S-1-5-21-2580483-1244278791147 1
3Q694U0B59Bv9yz0 1
Files and or directories created Occurrences
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\sdhoston.vbs 1
%APPDATA%\sdhoston 1
%APPDATA%\sdhoston\sdhoston.exe 1
%APPDATA%\sdhoston\sdhoston.exe:ZoneIdentifier 1
File Hashes
01bb00216bf6742ac525cb9c6bfefefd250ab0ad14f477c2aad4146b7ea3336e
0f32a114f06e8282588d6e5e47063bcf79348d49744f0acc72b01c296be229a0
103fa3b007fc5e06fccd36f15eddc56071666c220a74ae20d851e635a0aede78
142e773ad2c9e16c377fbf9c61e93eafac2bea3d863c360c8cbd6b2d54082a51
1cfad9e7b4cff0eb8814b80f2281980982f0b2085c6247eac8cc930db08a173b
1e7afe66d3b124abf916c542d5e5fbc1b8922bc928eba5e406bca0b39f0d7019
1fb04ac0a06d4f3598c0ee3533a28b87fe2a0e7af4e13e49e76b9e13a39bc256
215ab3d9e9b4caadde378383717a29b9a52f97ffdd38ef26dd5453b896c72442
24a08963a436434d2ed1a6f82fea0e7b18ad037e6a602ca5dfbe740a11f6fbcf
2c73b7270d050779ac974267fe31ce3ca2d93d8c6a2cc2b1dccef1ef358ffd95
30c8eaf7b304700c5b3a61fa740e3ebb930b03302ad2cc3805fa38d106d302d5
33773be67a946828b9d2c89ba742fbcf71ffd03988291e243ee3744081060cc3
375b00de8de38ec7af0a4b0bef42ed556ce7d5c141c8b72389700ad34d1bd461
3af09a9a2fd53cbafcbb7925f694b8d37f1fd2d40f0f1600288021909b7c4335
3c5895384984695318ac23be4049b059aa60980d614fac5c5a88bf6b0fdb22d5
4b98da8fd57d0c095683b4d3ce85b2120ac8759c184934528105eecd3cb1971b
4ba20254c0e238f1ca4c86b1ebd13536dbd2d7d5bd248ab60e887a22bba9fc26
5a2c975aaa1ed0b722bb5f4098be703728b5419ab1d52616866962bb0fc3c520
5a2eda2ada26ec8e4794d472275294cbd1de7acdad334182798a7a6a1ff4e194
5b24d13171a030fd84cf2638a9072121b1919aa8e02a1170bd247eb3f07fde6a
5f1f6aed00db04bcc2079784d758151589dbcf3eda4394711336cb0a7f7802e4
5ffa9c9d4e5f28a60c40c42b6ccb84eb39be453f556a18cc25ca2d7e3efc80f3
67081c3564081660f61db2b0e4ec525a16bfe0250d8d7496a49bb65aaafffd24
6d00edf9e45e24712b2aa52af50be59081ebf770571a09c6001046dd77ecdc53
6ff434f03d48677e5768cc58c83aa817790fd9506376837e802eaab90a9d5975
*See JSON for more IOCs
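The lists above are easier to hunt with once each entry becomes a matcher. The Formbook persistence artifacts (a .vbs launcher in the Startup folder and sdhoston.exe under %APPDATA%) are written with environment-variable placeholders, and other entries on this page use the "<random, matching 'REGEX'>" notation for names that vary per sample. The block below is an added example, not code from the Talos post. It parses lines in the page's "indicator count" layout into anchored regexes (file paths case-insensitive, mutex names case-sensitive), runs them over endpoint events, and reports only hosts that hit at least two distinct indicators, because a single IOC hit is weak evidence on its own. The expansions for %APPDATA%, %TEMP% and the other placeholders assume a default Windows layout, and the endpoint events, host names and user names are constructed for the example.

```python
"""Convert the roundup's flattened IOC lines into hunting regexes (added example).

Each list entry reads "<indicator> <occurrences>". File paths carry
environment-variable placeholders and some entries use the page's
"<random, matching 'REGEX'>" notation. Each indicator becomes an anchored
regex; hosts are reported only when several distinct indicators hit.
"""
import re
from collections import defaultdict

# Placeholder -> regex for its expanded location (assumes a default Windows layout).
ENV_PATTERNS = {
    "%APPDATA%": r"C:\\Users\\[^\\]+\\AppData\\Roaming",
    "%LOCALAPPDATA%": r"C:\\Users\\[^\\]+\\AppData\\Local",
    "%TEMP%": r"C:\\Users\\[^\\]+\\AppData\\Local\\Temp",
    "%HOMEPATH%": r"C:\\Users\\[^\\]+",
    "%ProgramData%": r"C:\\ProgramData",
    "%SystemRoot%": r"C:\\Windows",
    "%System32%": r"C:\\Windows\\System32",
}
GUID_RE = r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"
TOKEN_RE = re.compile(r"%[A-Za-z0-9()]+%|<random guid>|<random, matching [^>]+>")
RANDOM_RE = re.compile(r"<random, matching ['‘’]?(.+?)['‘’]?>")
LINE_RE = re.compile(r"^(.*\S)\s+(\d+)$")


def parse_ioc_lines(text: str) -> list:
    """Split 'indicator count' lines into (indicator, count) pairs."""
    pairs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("*"):      # skip '*See JSON ...' notes
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable IOC line: {line!r}")
        pairs.append((m.group(1), int(m.group(2))))
    return pairs


def indicator_to_regex(indicator: str, ignore_case: bool = True) -> re.Pattern:
    """Compile one indicator: placeholders become patterns, the rest is literal."""
    parts, pos = [], 0
    for m in TOKEN_RE.finditer(indicator):
        parts.append(re.escape(indicator[pos:m.start()]))
        tok = m.group(0)
        if tok in ENV_PATTERNS:
            parts.append(ENV_PATTERNS[tok])
        elif tok == "<random guid>":
            parts.append(GUID_RE)
        elif (rm := RANDOM_RE.fullmatch(tok)) is not None:
            parts.append(rm.group(1))             # page-supplied regex, used as-is
        else:
            raise ValueError(f"unsupported placeholder: {tok}")
        pos = m.end()
    parts.append(re.escape(indicator[pos:]))
    flags = re.IGNORECASE if ignore_case else 0
    return re.compile("^" + "".join(parts) + "$", flags)


def compile_indicators(kind: str, ioc_text: str) -> list:
    """Compile one IOC category; only file paths are matched case-insensitively."""
    return [(kind, ind, indicator_to_regex(ind, ignore_case=(kind == "file")))
            for ind, _count in parse_ioc_lines(ioc_text)]


def hunt(indicators: list, events: list, min_hits: int = 2) -> dict:
    """Return {host: [indicators hit]} for hosts with at least min_hits distinct hits."""
    hits = defaultdict(set)
    for ev in events:
        for kind, ind, rx in indicators:
            if ev["kind"] == kind and rx.match(ev["value"]):
                hits[ev["host"]].add(ind)
    return {host: sorted(s) for host, s in hits.items() if len(s) >= min_hits}


# Formbook file and mutex indicators from the lists above, pasted in the page layout.
FORMBOOK_FILES = r"""
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\sdhoston.vbs 1
%APPDATA%\sdhoston 1
%APPDATA%\sdhoston\sdhoston.exe 1
*See JSON for more IOCs
"""
FORMBOOK_MUTEXES = """
8-3503835SZBFHHZ 1
3Q694U0B59Bv9yz0 1
"""
# Constructed endpoint telemetry; host names, user names and values are invented.
EVENTS = [
    {"host": "WS-017", "kind": "file",
     "value": r"C:\Users\jdoe\AppData\Roaming\sdhoston\sdhoston.exe"},
    {"host": "WS-017", "kind": "file",
     "value": r"C:\Users\jdoe\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SDHOSTON.VBS"},
    {"host": "WS-017", "kind": "mutex", "value": "3Q694U0B59Bv9yz0"},
    {"host": "WS-042", "kind": "mutex", "value": "8-3503835SZBFHHZ"},   # single hit only
    {"host": "WS-042", "kind": "file", "value": r"C:\Users\asmith\AppData\Roaming\sdhoston.txt"},
]

if __name__ == "__main__":
    indicators = (compile_indicators("file", FORMBOOK_FILES)
                  + compile_indicators("mutex", FORMBOOK_MUTEXES))
    for host, hit in hunt(indicators, EVENTS).items():
        print(host, "->", hit)
```

The min_hits threshold is the practical form of the reminder that one IOC is not a verdict: WS-042 above hits a single mutex string and is not reported, while WS-017 hits the dropped executable, the Startup launcher and the mutex together. Keep the indicator text exactly as published (the JSON file carries the full set) and feed real events from your EDR or Sysmon file-create and mutex telemetry in place of EVENTS.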
Coverage
Product Protection
Secure Endpoint
Cloudlock N/A
CWS
Email Security
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics
Umbrella N/A
WSA N/A
Screenshots of Detection
Secure Endpoint
Secure Malware Analytics
MITRE ATT&CK