Security
Headlines
HeadlinesLatestCVEs

Headline

Threat Roundup for May 6 to May 13

Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between May 6 and May 13. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics,…

[[ This is only the beginning! Please visit the blog for the complete entry ]]

TALOS
#vulnerability#web#mac#windows#google#microsoft#js#java#php#backdoor#samba#sap

Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between May 6 and May 13. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. A visual depiction of the MITRE ATT&CK techniques associated with each threat is also shown. In these images, the brightness of the technique indicates how prevalent it is across all threat files where dynamic analysis was conducted. There are five distinct shades that are used, with the darkest indicating that no files exhibited technique behavior and the brightest indicating that technique behavior was observed from 75 percent or more of the files.

The most prevalent threats highlighted in this roundup are:

Threat Name

Type

Description

Win.Trojan.Qakbot-9949393-1

Trojan

Qakbot, aka Qbot, has been around since at least 2008. Qbot primarily targets sensitive information like banking credentials but can also steal FTP credentials and spread across a network using SMB.

Win.Packed.Upatre-9949356-0

Packed

Upatre is a malicious downloader often used by exploit kits and phishing campaigns. Upatre downloads and executes malicious executables such as banking malware.

Win.Dropper.Cerber-9949361-0

Dropper

Cerber is ransomware that encrypts documents, photos, databases and other important files. Historically, this malware would replace files with encrypted versions and add the file extension “.cerber,” although in more recent campaigns, other file extensions are used.

Win.Trojan.Hupigon-9949365-0

Trojan

Hupigon is a trojan that installs itself as a backdoor on a victim’s machine.

Win.Dropper.LokiBot-9949439-0

Dropper

Lokibot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered via spam emails.

Win.Malware.Barys-9949519-0

Malware

This is a trojan and downloader that allows malicious actors to upload files to a victim’s computer.

Win.Trojan.Ursnif-9949968-0

Trojan

Ursnif steals sensitive information from an infected host and can act as a malware downloader. It is commonly spread through malicious emails or exploit kits.

Win.Malware.Gh0stRAT-9949686-0

Malware

Gh0stRAT is a well-known family of remote access trojans designed to provide an attacker with complete control over an infected system. Capabilities include monitoring keystrokes, collecting video footage from the webcam, and uploading/executing follow-on malware. The source code for Gh0stRAT has been publicly available on the internet for years, significantly lowering the barrier for actors to modify and reuse the code in new attacks.

Threat Breakdown****Win.Trojan.Qakbot-9949393-1****Indicators of Compromise

  • IOCs collected from dynamic analysis of 20 samples

Registry Keys

Occurrences

<HKCU>\SOFTWARE\MICROSOFT\DFWOFIK

20

<HKCU>\SOFTWARE\MICROSOFT\DFWOFIK

        Value Name: bd63ad6b

20

<HKCU>\SOFTWARE\MICROSOFT\DFWOFIK

        Value Name: bf228d17

20

<HKCU>\SOFTWARE\MICROSOFT\DFWOFIK

        Value Name: f7b512d3

20

<HKU>.DEFAULT\SOFTWARE\MICROSOFT\AIWIGKCO

20

<HKU>.DEFAULT\SOFTWARE\MICROSOFT\AIWIGKCO

        Value Name: ff0b3567

20

<HKU>.DEFAULT\SOFTWARE\MICROSOFT\AIWIGKCO

        Value Name: fd4a151b

20

<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS

        Value Name: C:\ProgramData\Microsoft\Ecrirfryzd

20

<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS

        Value Name: C:\Users\Administrator\AppData\Roaming\Microsoft\Xtuou

20

<HKU>.DEFAULT\SOFTWARE\MICROSOFT\AIWIGKCO

        Value Name: b5dd8adf

20

<HKCU>\SOFTWARE\MICROSOFT\DFWOFIK

        Value Name: 79eea72

20

<HKCU>\SOFTWARE\MICROSOFT\DFWOFIK

        Value Name: 7a96a5f8

20

<HKU>.DEFAULT\SOFTWARE\MICROSOFT\AIWIGKCO

        Value Name: 45f6727e

20

<HKU>.DEFAULT\SOFTWARE\MICROSOFT\AIWIGKCO

        Value Name: 38fe3df4

20

<HKU>.DEFAULT\SOFTWARE\MICROSOFT\AIWIGKCO

        Value Name: ca94e529

20

<HKU>.DEFAULT\SOFTWARE\MICROSOFT\AIWIGKCO

        Value Name: 80425a91

20

<HKCU>\SOFTWARE\MICROSOFT\DFWOFIK

        Value Name: c22ac29d

20

<HKCU>\SOFTWARE\MICROSOFT\DFWOFIK

        Value Name: 5dfca0e

20

<HKCU>\SOFTWARE\MICROSOFT\DFWOFIK

        Value Name: 88fc7d25

20

<HKU>.DEFAULT\SOFTWARE\MICROSOFT\AIWIGKCO

        Value Name: 47b75202

20

Mutexes

Occurrences

Global{06253ADC-953E-436E-8695-87FADA31FDFB}

20

{06253ADC-953E-436E-8695-87FADA31FDFB}

20

{357206BB-1CE6-4313-A3FA-D21258CBCDE6}

20

Global{280C5EDE-5A47-4F1C-97D3-B8CFE4CF258D}

20

{280C5EDE-5A47-4F1C-97D3-B8CFE4CF258D}

20

Domain Names contacted by malware. Does not indicate maliciousness

Occurrences

computer[.]example[.]org

20

wpad[.]example[.]org

20

vmss-prod-seas[.]southeastasia[.]cloudapp[.]azure[.]com

7

vmss-prod-eus[.]eastus[.]cloudapp[.]azure[.]com

7

vmss-prod-weu[.]westeurope[.]cloudapp[.]azure[.]com

6

Files and or directories created

Occurrences

%APPDATA%\Microsoft\Xtuou

20

%ProgramData%\Microsoft\Ecrirfryzd

20

%System32%\Tasks\bbunkyn

1

%System32%\Tasks\hvtbnwcjlh

1

%System32%\Tasks\hntmwfospx

1

%System32%\Tasks\iiyfllwcgr

1

%System32%\Tasks\unfkmadrc

1

%System32%\Tasks\dxbgapbyrx

1

%System32%\Tasks\dlaiqiccus

1

%System32%\Tasks\rwskwjizy

1

%System32%\Tasks\xciomqaxl

1

%System32%\Tasks\bfaozvxhj

1

%System32%\Tasks\sxdadktqjh

1

%System32%\Tasks\qvujuvdhi

1

%System32%\Tasks\uiawgherg

1

%System32%\Tasks\ltrtmoto

1

%System32%\Tasks\zabdiwevod

1

%System32%\Tasks\wcdjtlq

1

%System32%\Tasks\qyxbolgs

1

%System32%\Tasks\bwnxbcwpdh

1

%System32%\Tasks\ccvgfmnfi

1

%System32%\Tasks\jiuofxtmvk

1

File Hashes

    0e1ecd8bb0d6b2aa8ad8d870399f83a1845f4422cb0259174d625fd4969f26bc

    194e95a5fca78bd3d650691ba8fa8e95300b425e217a8966e7d8e8dac4990775

    208e240cee08c65dd169e984db3d74358d18a3561266bfef204c9584fc6d40c9

    23af4f949ae3894208f042a879755ddcd9db4db7f44221baea3250c9616abd4e

    280fefd1ee9a63be73f06e0e2cd3a56b26e9bd5fe20e821ccf3dcb5a9aa8a83e

    2bc1b2b88825a47935687709b72ecf378acee5168a4b06eb21fe62d6de815b9f

    2f2002c559a94ffe0d3d21cf7b694658d5875b657a072e18fffc8da20427d1ca

    53aed422d0d0ccf5be31e57c618514b8164b8ab9150487d09b848ad920d6b2f1

    72683e2315b5c3ddcbcbadb9604fd862899ed915c4212b37fcc764b8331df9a7

    84a30368c5437d228200dc150c80e6d6fb9d707c848afb39f7af04968cc005ee

    84bec89658602090ba8cfe99ac3b344146a01dd37cc192f5e6db7ec644d3d048

    919851b34dc359b5b6297ef6555680d968abe9ce406d2c1f2d049ae6ea1c09a5

    9d87d19b45a63dc1a308d5bbc2cb1683372c6d94ffd6473f2929de91f0a28605

    b490c2128a69f6c354228fcd6c6fbff330820e41170e42d8dbe01395dbc20e0e

    be90989d192bed076c12bcd06836e7c2a1e5345fe89546eb7a2ffb9c5cbb12a0

    c59aee55339a7ab8c535a3724187f19fc46013a21688a4f7e2a8f967af35789e

    d42a4979d508374efb49a6449d96f36f92ff0616a92dd536566732fdf83adfbd

    e81de13b5b59747f58e25862a09be9eca5a50fe0b46228236eff00628de6c96f

    eef8d7592eaa435fb11599283160be28f54eb0112363c8eaa737e1c5fcc86b9b

    fa89f2031112558d9bc7d01fe653168aa1ede6e65d08a1e96c0fdb7ff94e973d

Coverage

Product

Protection

Secure Endpoint

Cloudlock

N/A

CWS

Email Security

Network Security

N/A

Stealthwatch

N/A

Stealthwatch Cloud

N/A

Secure Malware Analytics

Umbrella

N/A

WSA

N/A

Screenshots of Detection****Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Packed.Upatre-9949356-0****Indicators of Compromise

  • IOCs collected from dynamic analysis of 70 samples

IP Addresses contacted by malware. Does not indicate maliciousness

Occurrences

75[.]2[.]18[.]233

59

154[.]80[.]152[.]80

10

Domain Names contacted by malware. Does not indicate maliciousness

Occurrences

intarefc[.]com

69

faithmentoringandmore[.]com

69

wpad[.]example[.]org

54

computer[.]example[.]org

43

vmss-prod-weu[.]westeurope[.]cloudapp[.]azure[.]com

18

vmss-prod-eus[.]eastus[.]cloudapp[.]azure[.]com

17

vmss-prod-seas[.]southeastasia[.]cloudapp[.]azure[.]com

10

www[.]msftncsi[.]com

2

Files and or directories created

Occurrences

%TEMP%\budha.exe

69

\Users\user\AppData\Local\Temp\budha.exe

54

File Hashes

    008e9007abacd17469bdd19b7b7289dc2ef810e5b424234c4b37521ea60cb52f

    00daa4da1496b9e8a5f5c67bfbcf7c195fff91cf848e2e1d6a5b358234db3652

    0136fb9f09ac45f8902efa415bfb9672a954fd77f0aee84894de540ec480ed97

    0227ad35909931237bba8b7728a2052b2238cbe93bf860adc245e928bb4bb4d6

    02e7a9dadf12d5b93386ceb471a2af98898f72b35855f42a91f3799256f8147b

    0312059e5625d61de88e315af848ce990dbf46d7d7ff68e562c0422f4e7e0ac9

    0384483086bf6fe2eedae350d35edb2ccc75249adcdb497061fe92181b7004ae

    041a749478724585174d780031388cd2c2947998d15ca26e7d068cbeab27e67b

    0449ddc41910d65914bc4b6badd94bafc80a3b3d6ea5acd7f6ad22aad596a4ad

    0497eb74d4cf4857e1d9653b61855c6bc1f3441ac29809d9a79fad3629e5a134

    0656bf2db4c1fe35cd82ce987e0b5eb78508e8a979d572b8d66d0654a3165052

    06fce4b6fc0b00b29a0eaf5860a7e00cb45ce92760bd11bb762428813347d047

    0813b7746ce561344167f83024bb353156b3bb3bfa4d557da090bcc1b4126602

    086dd6fc31d9ba2551056117122204b49c455cd78e696d58333d40979f0bed9f

    08b4fc05fd797828f8200414eb01b1bb9228fd428c0b6191670b970b5c9f8746

    099d70bd8992262fb8127115ec9fa75fbc552a2deb0b7a3ea855a00b258b4c20

    0b2d650d8dca8e7ad7571194e58f9c6fd6f013e6cfabc94d93a5b1b280ca32a6

    0b83cfe5493a51c65c59b942b2175371e7157ebc9c0dcb83cdd1b5fd1e0d490b

    0bdf41b5429bba69b53140f518d7c78c84b8babac5433f8160dbce57e3a7aac8

    0d5801e824b099ebdf406d6e07666b035157b560c191357a1b7c8878f6dbf38d

    0dcaa02bbbcafb06a101f81616fb9885918c74b3cc4888b19b982e4bf92990e6

    0ddeab2e94586b8286b06a7813343bfcff0b93a61008aa70f7d588b6332120fd

    13053fb5f25057f4def0b3d9b7940311e1162c4d5ce384d5adf2138359d2e2af

    13b04596f471657b8a5d3494345e029e16be5922237c23b97cd691be030fd30f

    13c39542cc41c8595a8c94ecb93bd55a08dc95196d5569d70fd2253b7bbb805c

*See JSON for more IOCs

Coverage

Product

Protection

Secure Endpoint

Cloudlock

N/A

CWS

Email Security

Network Security

N/A

Stealthwatch

N/A

Stealthwatch Cloud

N/A

Secure Malware Analytics

Umbrella

WSA

Screenshots of Detection****Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Dropper.Cerber-9949361-0****Indicators of Compromise

  • IOCs collected from dynamic analysis of 24 samples

Registry Keys

Occurrences

<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\159

24

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER

        Value Name: Run

19

<HKCU>\SOFTWARE\MICROSOFT\COMMAND PROCESSOR

        Value Name: AutoRun

19

<HKCU>\PRINTERS\DEFAULTS{21A3D5EE-E123-244A-98A1-8E36C26EFF6D}

19

<HKCU>\PRINTERS\DEFAULTS

19

<HKCU>\PRINTERS\DEFAULTS{21A3D5EE-E123-244A-98A1-8E36C26EFF6D}

        Value Name: Component_01

19

<HKCU>\PRINTERS\DEFAULTS{21A3D5EE-E123-244A-98A1-8E36C26EFF6D}

        Value Name: Component_00

19

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN

        Value Name: {32382BC4-48A5-6DE8-F0EE-B8109DEC3228}

5

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN

        Value Name: xwizard

3

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE

        Value Name: xwizard

3

<HKCU>\PRINTERS\DEFAULTS{21A3D5EE-E123-244A-98A1-8E36C26EFF6D}

        Value Name: Installed

3

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN

        Value Name: DWWIN

1

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE

        Value Name: DWWIN

1

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN

        Value Name: winrs

1

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE

        Value Name: winrs

1

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN

        Value Name: AdapterTroubleshooter

1

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE

        Value Name: AdapterTroubleshooter

1

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN

        Value Name: Utilman

1

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE

        Value Name: Utilman

1

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN

        Value Name: perfmon

1

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE

        Value Name: perfmon

1

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN

        Value Name: TCPSVCS

1

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE

        Value Name: TCPSVCS

1

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN

        Value Name: lodctr

1

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE

        Value Name: lodctr

1

Mutexes

Occurrences

shell.{381828AA-8B28-3374-1B67-35680555C5EF}

19

shell.{2DA495A3-711D-597E-268E-77F8D29EB324}

1

IP Addresses contacted by malware. Does not indicate maliciousness

Occurrences

208[.]95[.]112[.]1

19

127[.]0[.]0[.]1

18

31[.]184[.]234[.]0/23

18

104[.]26[.]15[.]73

8

104[.]26[.]14[.]73

8

172[.]67[.]75[.]176

8

69[.]195[.]146[.]130

1

Domain Names contacted by malware. Does not indicate maliciousness

Occurrences

wpad[.]example[.]org

22

computer[.]example[.]org

21

ip-api[.]com

19

vmss-prod-seas[.]southeastasia[.]cloudapp[.]azure[.]com

10

ipinfo[.]io

8

freegeoip[.]net

8

vmss-prod-eus[.]eastus[.]cloudapp[.]azure[.]com

6

www[.]msftncsi[.]com

5

vmss-prod-weu[.]westeurope[.]cloudapp[.]azure[.]com

4

Files and or directories created

Occurrences

%APPDATA%{6F885251-E36F-0FE6-9629-63208157D7A2}

19

%APPDATA%{6F885251-E36F-0FE6-9629-63208157D7A2}\Component_00

19

%APPDATA%{6F885251-E36F-0FE6-9629-63208157D7A2}\Component_01

19

<dir># DECRYPT MY FILES #.url

19

<dir># DECRYPT MY FILES #.vbs

19

<dir># DECRYPT MY FILES #.txt

19

<dir># DECRYPT MY FILES #.html

19

\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\15\Managed\Word Document Building Blocks\1033\TM01840907[[fn=Equations]].dotx

18

\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\15\Managed\Word Document Building Blocks\1033\TM03998158[[fn=Element]].dotx

18

\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\15\Managed\Word Document Building Blocks\1033\TM03998159[[fn=Insight]].dotx

18

\Users\user\AppData\Roaming\Microsoft\Document Building Blocks\1033\15# DECRYPT MY FILES #.html

18

\Users\user\AppData\Roaming\Microsoft\Document Building Blocks\1033\15# DECRYPT MY FILES #.txt

18

\Users\user\AppData\Roaming\Microsoft\Document Building Blocks\1033\15# DECRYPT MY FILES #.url

18

\Users\user\AppData\Roaming\Microsoft\Document Building Blocks\1033\15# DECRYPT MY FILES #.vbs

18

\Users\user\AppData\Roaming\Microsoft\Publisher Building Blocks# DECRYPT MY FILES #.html

18

\Users\user\AppData\Roaming\Microsoft\Publisher Building Blocks# DECRYPT MY FILES #.txt

18

\Users\user\AppData\Roaming\Microsoft\Publisher Building Blocks# DECRYPT MY FILES #.url

18

\Users\user\AppData\Roaming\Microsoft\Publisher Building Blocks# DECRYPT MY FILES #.vbs

18

\Users\user\AppData\Roaming\Microsoft\Templates# DECRYPT MY FILES #.html

18

\Users\user\AppData\Roaming\Microsoft\Templates# DECRYPT MY FILES #.txt

18

\Users\user\AppData\Roaming\Microsoft\Templates# DECRYPT MY FILES #.url

18

\Users\user\AppData\Roaming\Microsoft\Templates# DECRYPT MY FILES #.vbs

18

\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\15\Managed\Word Document Building Blocks\1033# DECRYPT MY FILES #.html

18

\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\15\Managed\Word Document Building Blocks\1033# DECRYPT MY FILES #.txt

18

\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\15\Managed\Word Document Building Blocks\1033# DECRYPT MY FILES #.url

18

*See JSON for more IOCs

File Hashes

    127c0944ee4981a982237bf284781004ac12ae379f1c08f5e85a04bcbf6e7769

    253dd693a5e012b86f8988be750eba91a6323e9f0e64573502836a3cf671d9c8

    2fa6df2bacddddc15524cb40c13f797d791948d16293eb8bcfe6a625e0ca946f

    330c7fcf7b4ae9af4d727868aaf54f55b156343817eca9c40d36179244273683

    456318ce3f621dd0ce3211bc163402c9c9b058e0b6c8f996ffc1819442c7f773

    4c87c3612b51781669c78ac9b95b6efba95b7a824867df2fc23229085e125a3b

    4ce94edac8e3c6439f970e37aba4db4b330f5010ad903e3f3e8fa80374b45395

    6e1bd927f6c10186e6ed6fa80fff8660c4f616ae2cc83405c27a5128ae9e1652

    739e2a5ad30fcd975f7b862e5ef11cae15744ccf7e0feda6057f979fe2abe25a

    90efcc21d406dda3ba61a9e21469477773c48a64aebf17d2ec2510f348211485

    918c9deb21f439f587db3ffd7e38ce0ce5af812e8a0938d06903144f1a9ee6f8

    91f33fb79c7cfc7a4b8ed043ba677b4397e681728ed1d450594ac43562c348e2

    ad27ef02fedac6822f49369e09d736fbd156a7f683e9e8db55885621663ccaf2

    b4a093ca575e3ac6596db51631c8695ad993ec31c3674671345fd4454b304ec6

    bf05bad1fc4586f5da3ca5cf0d9523af9d20fb25ad4233336bf86fe8e360dc5b

    d0b73aaa4c84aac9334f72687611aaa13708432ae19d9a2f52e6d395d6b43c16

    deaec42ca4dfecb337bb74c9d556919c131aec4ff829af57ce697b3358c102c4

    df83667361487c078bc202d008124531769055f86a6be69b8826e9ac4807f5d7

    e3ca7f1095dbfcb149e8901b2ea15f660ac834bb94e78a3d3eabfcb0e9bee1c0

    e3ef6acb30b2623a1b2bebd6cd15564ea62bef5837bf0420bb7578561a6705b9

    e8c62cfcf8920197335b0373925b95ff968630925d1289da39c39ed860b803e7

    edb28644ec8e8d4b82a93d7a756f36c0e9ccae4ed518f010099f865b0d05cf7b

    f77406f0fc83887b6a4fb3f21ffe052f09a58cec65ff1a8a7f913b2ae1177d9c

    f916d5fcc4b76b27ee2ac1cd52fcc931c030d0c095e26dd706246e651fb6315d

Coverage

Product

Protection

Secure Endpoint

Cloudlock

N/A

CWS

Email Security

Network Security

Stealthwatch

N/A

Stealthwatch Cloud

N/A

Secure Malware Analytics

Umbrella

N/A

WSA

N/A

Screenshots of Detection****Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Trojan.Hupigon-9949365-0****Indicators of Compromise

  • IOCs collected from dynamic analysis of 24 samples

Registry Keys

Occurrences

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\GRAYPIGEONSERVER

8

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\GRAYPIGEONSERVER

        Value Name: Type

8

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\GRAYPIGEONSERVER

        Value Name: Start

8

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\GRAYPIGEONSERVER

        Value Name: ErrorControl

8

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\GRAYPIGEONSERVER

        Value Name: DisplayName

8

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\GRAYPIGEONSERVER

        Value Name: WOW64

8

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\GRAYPIGEONSERVER

        Value Name: ObjectName

8

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\GRAYPIGEONSERVER

        Value Name: ImagePath

8

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\GRAYPIGEONSERVER

        Value Name: Description

8

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\NERWORKPROVIDER

2

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\NERWORKPROVIDER

        Value Name: Type

2

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\NERWORKPROVIDER

        Value Name: Start

2

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\NERWORKPROVIDER

        Value Name: ErrorControl

2

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\NERWORKPROVIDER

        Value Name: ImagePath

2

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\NERWORKPROVIDER

        Value Name: DisplayName

2

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\NERWORKPROVIDER

        Value Name: WOW64

2

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\NERWORKPROVIDER

        Value Name: ObjectName

2

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\NERWORKPROVIDER

        Value Name: Description

2

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\YPIGEON_ERVE

2

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\YPIGEON_ERVE

        Value Name: Type

2

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\YPIGEON_ERVE

        Value Name: Start

2

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\YPIGEON_ERVE

        Value Name: ErrorControl

2

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\YPIGEON_ERVE

        Value Name: ImagePath

2

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\YPIGEON_ERVE

        Value Name: DisplayName

2

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\YPIGEON_ERVE

        Value Name: WOW64

2

Mutexes

Occurrences

GRAYPIGEONVIP_MUTEX

9

VIP20060122MWTEX

2

GQJ0929_MUTEX

2

GSJ0929_MUTEX

2

H_G_Z_1.22_MUTEX

2

KQJ0929_MUTEX

1

IRAYpigeONVIP_MUTEX

1

J0929_MUTEX

1

klsdjfhqweiubvsa

1

Global\ce0436c1-cd16-11ec-b5f8-00501e3ae7b6

1

IP Addresses contacted by malware. Does not indicate maliciousness

Occurrences

118[.]184[.]184[.]8

6

183[.]236[.]2[.]18

1

52[.]182[.]143[.]212

1

185[.]255[.]121[.]5

1

Domain Names contacted by malware. Does not indicate maliciousness

Occurrences

wpad[.]example[.]org

22

computer[.]example[.]org

20

vip[.]huigezi[.]com

13

vmss-prod-seas[.]southeastasia[.]cloudapp[.]azure[.]com

10

vmss-prod-eus[.]eastus[.]cloudapp[.]azure[.]com

7

ns1[.]3322[.]net

6

vmss-prod-weu[.]westeurope[.]cloudapp[.]azure[.]com

3

65004[.]huigezi[.]org

3

60049[.]huigezi[.]org

2

diy[.]qyun[.]net

2

clientconfig[.]passport[.]net

1

onedsblobprdcus15[.]centralus[.]cloudapp[.]azure[.]com

1

35176[.]huigezi[.]org

1

ljj78423[.]yeah[.]net

1

goofar[.]com

1

95570[.]huigezi[.]org

1

66034[.]huigezi[.]org

1

home[.]goofar[.]com

1

h2k3[.]3322[.]org

1

22217[.]huigezi[.]org

1

13732[.]huigezi[.]org

1

myth995[.]yeah[.]net

1

25551[.]huigezi[.]org

1

71261[.]huigezi[.]org

1

46355[.]huigezi[.]org

1

*See JSON for more IOCs

Files and or directories created

Occurrences

%SystemRoot%\G_Server1.2.exe

4

%SystemRoot%\G_Server1.2.exe:Zone.Identifier

4

%SystemRoot%\Nevwoek.exe

2

%SystemRoot%\erve.exe

2

%SystemRoot%\erve.exe:Zone.Identifier

2

%SystemRoot%\Nevwoek.exe:Zone.Identifier

2

%CommonProgramFiles%\svchost.exe

1

%SystemRoot%\system32.exe

1

%SystemRoot%\setup.exe

1

%CommonProgramFiles(x86)%\svchost.exe

1

%SystemRoot%\Microsoft WebServer.exe

1

%SystemRoot%\SysWOW64\shellext

1

%SystemRoot%\SysWOW64\shellext\services.exe

1

%SystemRoot%\W_Server.exe

1

%SystemRoot%\serivces.exe

1

%SystemRoot%\se.exe

1

%SystemRoot%\Servers.exe

1

%SystemRoot%\G_Server.exe

1

%SystemRoot%\MgSmPtmg.exe

1

%SystemRoot%\windons.exe

1

%SystemRoot%\setup.exe:Zone.Identifier

1

%SystemRoot%\system32.exe:Zone.Identifier

1

%System32%\shellext\services.exe

1

%System32%\shellext\services.exe:Zone.Identifier

1

%SystemRoot%\W_Server.exe:Zone.Identifier

1

*See JSON for more IOCs

File Hashes

    07d5c5e817a04a24afe129e3f05c42ca0ed9c4fba0f8c8ed464ef49aba1b2319

    114a95b36d5eb06500920fab99ae2827515af308635d2b61b62563badf1414c4

    13e4ffd70d314bd55ff275c34c8c0e17b68d0ade75a5a36d304e30a18e3695c5

    168fa17b19acbe49071979316b3d71b64eb1a28bf340cca9b5537fe6e7f872f7

    1850ed9626ce5dcae67338227f1596364cf5497bd43706b20f9867bf44bf734e

    1afa8bf0e717c709e3793ad09bd1a5c84eb55d492c6c3b79e91eb9e9626ff1e4

    1efc883750179e5b3bde866fc14b92a89231be24ae854a7a038781b0b927879e

    30371f13135df527a7454ec9e77df9692b96e40fd53d84ec34d3e4f5a5f572f1

    371852ac7b74eb35be9852a914a103b8033138adea0850c7f101b2945da538b5

    51972f701179f2a3d00afe06fa2cf44c70c9cc2e52b4825e443b51c631ca5c28

    55e93fe87b94d76f69d454de62dfed8dc7c0d97e2f3369aa346a27ba5f071534

    568c2616afc3c02bc1ecdd56e794e7518241337abb250e23d7d058c94e1c3a4d

    651b5e5f4f933fe94ae0d5438ed7af2f051db6c718150ab1538e41f4effc9f09

    66b1d91bade1537ceb60419cfa294cdf8c00f1a7479e0b87838aa8ea4ce645d2

    6ab58b19fa30990b48550fb6bdb26c8b4dbab5e03c15764f23c2d86aba65dac9

    780f97f11b68ba98658bbf5fc5716af7a303c76a02348fef98792b1065b96c46

    7834e2a91eea26e48e98a6b04d28f4f1432f808bb6c7d41e6a2a896f45c2bb46

    7edf7c40ae4faca38743888c32ea5f0ca9ba738de120ec6c21f08b46a2561e1a

    b83679856384e21172278479a81d0ccefb0b849f2643b65cf2f823b9c25dee7c

    cb4fcfdc6c787b264971a83772af1ecb872d45a07e8e28933a563366804f16b0

    cb94d6ac6f0200280bacb3a5436d2b768a8b5bb3f18a275853e9b6a4d577a794

    dc3b95c3c45f8aa3c95d58686b90492637cfc2dffbd0a553e6b0afefd0716c75

    e5c2cf38779a1bc5bc9837f32547153083a3fc890cab311ded8109bc72d8b3f5

    f75acca5bc2009ef78b856541bfac9e60d30298e742d781f07843a2330209415

Coverage

Product

Protection

Secure Endpoint

Cloudlock

N/A

CWS

Email Security

Network Security

Stealthwatch

N/A

Stealthwatch Cloud

N/A

Secure Malware Analytics

Umbrella

N/A

WSA

N/A

Screenshots of Detection****Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Dropper.LokiBot-9949439-0****Indicators of Compromise

  • IOCs collected from dynamic analysis of 25 samples

Registry Keys

Occurrences

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN

        Value Name: WebMonitor-8c8b

2

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN

        Value Name: Office Manager

1

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN

        Value Name: Microsoft Word

1

<HKCU>\SOFTWARE\WINRAR

1

<HKCU>\SOFTWARE\KHEMLYSFDOU

1

<HKCU>\SOFTWARE\KHEMLYSFDOU

        Value Name: EXEpath

1

<HKCU>\SOFTWARE\UOKWVPDWFRAZMZA

1

<HKCU>\SOFTWARE\UOKWVPDWFRAZMZA

        Value Name: EXEpath

1

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN

        Value Name: Windows Logon

1

<HKCU>\SOFTWARE\DIMSOMHOSTS

1

<HKCU>\SOFTWARE\DIMSOMHOSTS

        Value Name: EXEpath

1

<HKLM>\SAM\SAM\DOMAINS\ACCOUNT\USERS\000003E9

        Value Name: F

1

<HKLM>\SAM\SAM\DOMAINS\ACCOUNT\USERS\000001F5

        Value Name: F

1

<HKLM>\SAM\SAM\DOMAINS\ACCOUNT\USERS\000003EC

        Value Name: F

1

<HKCU>\SOFTWARE\WINRAR

        Value Name: HWID

1

Mutexes

Occurrences

3749282D282E1E80C56CAE5A

6

QSR_MUTEX_TUu2OxJvqHDQ2EbXPq

5

3BA87BBD1CC40F3583D46680

4

Remcos_Mutex_Inj

3

67ab8950-dc02-4a30-86c0-9a25a6f4b9ca

2

OXnpIgq5T09XE6k9UDSulFt669J2Q1qh2.00

2

khemlysfdou

1

dimsomhosts

1

uokwvpdwfrazmza

1

e6b19085-8d32-4797-ac8c-64b83fb9b463

1

IP Addresses contacted by malware. Does not indicate maliciousness

Occurrences

208[.]95[.]112[.]1

5

80[.]209[.]240[.]47

5

91[.]235[.]116[.]227

3

114[.]114[.]114[.]114

2

1[.]2[.]4[.]8

2

131[.]153[.]37[.]4

2

185[.]243[.]215[.]214

2

127[.]0[.]0[.]1

2

192[.]169[.]69[.]25

1

91[.]184[.]0[.]100

1

217[.]12[.]210[.]23

1

91[.]235[.]116[.]232

1

198[.]54[.]117[.]218

1

104[.]26[.]8[.]44

1

162[.]210[.]199[.]87

1

104[.]21[.]74[.]43

1

198[.]54[.]116[.]183

1

15[.]197[.]142[.]173

1

3[.]130[.]204[.]160

1

104[.]21[.]24[.]209

1

18[.]118[.]182[.]0

1

67[.]195[.]197[.]24

1

34[.]77[.]10[.]20

1

162[.]241[.]253[.]57

1

96[.]45[.]83[.]56

1

*See JSON for more IOCs

Domain Names contacted by malware. Does not indicate maliciousness

Occurrences

wpad[.]example[.]org

19

ip-api[.]com

5

vmss-prod-weu[.]westeurope[.]cloudapp[.]azure[.]com

5

bosser[.]duckdns[.]org

5

computer[.]example[.]org

4

www[.]franklinegroup[.]ru

3

franklinegroup[.]ru

3

0

2

sdns[.]se

2

foobosmy[.]example[.]org

2

foobosmy

2

sararamirezdaily[.]com

2

378fad9658154c287c09623c4b8570ba[.]se

2

phprat[.]wm01[.]to

2

qbz[.]ddns[.]net

1

pxv[.]ddns[.]net

1

kzi[.]ddns[.]net

1

www[.]britanniapharmaceutical[.]net

1

schoolaredu[.]com

1

www[.]choductdy[.]com

1

www[.]sumarank[.]com

1

www[.]vinfastmienbac[.]com

1

www[.]sweetcity39[.]com

1

www[.]productionvideo[.]agency

1

www[.]asyh120[.]com

1

*See JSON for more IOCs

Files and or directories created

Occurrences

%APPDATA%<random, matching '[a-z0-9]{3,7}’>

18

%APPDATA%\D282E1\1E80C5.lck

6

%APPDATA%\Microsoft\Crypto\RSA\S-1-5-21-2580483871-590521980-3826313501-500\a18ca4003deb042bbee7a40f15e1970b_d19ab989-a35f-4710-83df-7b2db7efe7c5

6

\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.log

5

\Users\user\AppData\Roaming\Logs\05-06-2022

5

\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rpeecmnyjxmaamy.eu.url

5

\Users\user\AppData\Roaming\hkwxchtvsa\rpeecmnyjxmaamy.exe

5

%APPDATA%\Logs\05-06-2022

5

%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\rpeecmnyjxmaamy.eu.url

5

%APPDATA%\hkwxchtvsa

5

%APPDATA%\hkwxchtvsa\rpeecmnyjxmaamy.exe

5

%APPDATA%\D1CC40\0F3583.hdb

4

%APPDATA%\D1CC40\0F3583.lck

4

%APPDATA%\Microsoft\Crypto\RSA\S-1-5-21-1258710499-2222286471-4214075941-500\a18ca4003deb042bbee7a40f15e1970b_8f793a96-da80-4751-83f9-b23d8b735fb1

4

%APPDATA%\D1CC40\0F3583.exe (copy)

4

%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\taskmgr.eu.url

4

%APPDATA%\windows\taskmgr.exe

4

\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\taskmgr.eu.url

4

\Users\user\AppData\Roaming\windows\taskmgr.exe

4

%TEMP%\install.bat

3

%APPDATA%\Imminent

2

%APPDATA%\Imminent\Logs

2

%SystemRoot%\assembly\Desktop.ini

2

\Users\user\AppData\Local\Temp\DB1

2

\Users\user\AppData\Roaming\7C7955\5D4644.lck

2

*See JSON for more IOCs

File Hashes

    1d7686bf0c4f51528d014a03515453ee7c319e644b103c358642a59c145ade47

    220e3ca77a6f3d13c9bf0f8b4dafff2972e5228b007aa62a28243d3d397177e4

    4c6fa78a344f5159a1716a88ccc7a60bb5c4968afc5546246e706233c466ba67

    619660f86b0a3c1235ff2ee32a7e0630d73b525d51cc55c46579fff056f56e2d

    66f15d02e1f4757719f48e0df25b23be59e28e75dc60d14c3e72849d7dd8bbcb

    68d1045538ff855af1e8f66b2cdb90366ff2d9b5af575f69fb3595d572f3aa97

    6e7acb19c316bacd560b5efc5a125ab3967cfeed4cecda43ed25390a94e1606f

    7f414bfd987dac4f682629fee5918f2b9de11758e6ec76b8a7671a9b4ab2873c

    80d8c85722c2bf596c6108bb925b339587e2745807edb4662a7262f5c032d65f

    acd3ea42be1e0468298581b9c980deb91bf158ebb63914131ba17a5c8574a2fa

    adc2cf718b9db8041d383770e67d18a71d3549a5cb6c51855b954b744b7a245f

    bbd056c56160a6da8a80cc61e434cbdb27c4c58e297cbd60e07d34726cf0ff3f

    bd8f1c3bae94984db5490181562ac60895c17f5d2782e2e9066d23f20a2fa5f5

    c69d37c34fb68ff713c76d84b4027475ed8ff7ecc0f0f6aa9760f5e873f5c21c

    c82b031981d9be3ec0b0516a4e77de3fd56dcca14dc4b916e7f6cf38265a3638

    cb1b5480b48011cea19ba3d49bb9359b7f25c4ebd462148fa9cba67e8f456984

    d507fba6ac7b28bb4d44b1fb2b98a5e5dcb3afa225e0284694e36bf34b6df200

    e27106c5805b34a508bb3ba49ceaae312b31513cb59daf08316a52bc3bab369e

    e3be29e3103854227c5b0567b25c45c5ba906a7b3663c0ef6b15f2970657f0ce

    ee88c52a644e1393da73ec2a4d4a0ce36eb38be0bbfa67b4e1c8d15ebe501dea

    f283e4265be559d1a93e48e26d6d235053121fed3a4d0d6b5c0a1e80e28169a1

    f38a8efbfb8f978bcec0955ac8f730fb102e2247f82fd0d73ed9ee43e9daf9cd

    f4b1526a1a78005bbd916ffb29c54c8eb03866ab27daedaac4ab58fc0c8fff73

    f7a9e13b7c7c1816b6097ddfde5a53b662c7bd58e9d7bd633a7a33c0733f4f1d

    ffefad3067653eae8ac4edab1cb37531841a7d850be89fae38f1f72a4e25ac68

Coverage

Product

Protection

Secure Endpoint

Cloudlock

N/A

CWS

Email Security

Network Security

Stealthwatch

N/A

Stealthwatch Cloud

N/A

Secure Malware Analytics

Umbrella

WSA

Screenshots of Detection****Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Malware.Barys-9949519-0****Indicators of Compromise

  • IOCs collected from dynamic analysis of 30 samples

Registry Keys

Occurrences

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\HIDEDESKTOPICONS\NEWSTARTPANEL

        Value Name: {871C5380-42A0-1069-A2EA-08002B30309D}

30

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\HIDEDESKTOPICONS\CLASSICSTARTMENU

30

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\HIDEDESKTOPICONS\CLASSICSTARTMENU

        Value Name: {871C5380-42A0-1069-A2EA-08002B30309D}

30

<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER

        Value Name: GlobalAssocChangedCounter

30

Mutexes

Occurrences

Q-$-EEE

30

Domain Names contacted by malware. Does not indicate maliciousness

Occurrences

wpad[.]example[.]org

30

computer[.]example[.]org

25

vmss-prod-weu[.]westeurope[.]cloudapp[.]azure[.]com

13

vmss-prod-eus[.]eastus[.]cloudapp[.]azure[.]com

7

vmss-prod-seas[.]southeastasia[.]cloudapp[.]azure[.]com

5

Files and or directories created

Occurrences

%CommonProgramFiles(x86)%\Microsoft Shared\WSF.dat

30

\xpx.bat

30

%CommonProgramFiles%\microsoft shared\WSF.dat

30

%CommonProgramFiles%\microsoft shared\WSF.dat:Zone.Identifier

30

\dayjbg.lnk

1

\ufhexg.url

1

\bwbggw.url

1

\mklwts.lnk

1

\bnkoum.url

1

\moluuh.lnk

1

\aovrgq.lnk

1

\jawywn.url

1

\bqbcfp.lnk

1

\yursdb.url

1

\algkcg.url

1

\gbblfn.lnk

1

\qxmhlh.lnk

1

\xsftjc.url

1

\fnjrdc.lnk

1

\qgabfu.url

1

\hlefpb.url

1

\myfabg.lnk

1

\bykwvy.url

1

\qkmmpw.lnk

1

\ewblii.lnk

1

*See JSON for more IOCs

File Hashes

    0813062f846161ed50fdd541140e686da20cfd91cd4d72bc2132ba80b0e73e22

    0958347a07cf14b3f28386eed1927a2d266ff0d13654bdc1fe1560beb30a3d96

    0b98e3bb6a35694af91bf306d618181048f86fe704a73969462a41587c3b7876

    17ea197b18ead5f24875c49d4570843d8c98c423a2179cb396b098c792b73dfc

    19d1c45f27913695000cf1a6a95b21f3db084c9a57f2435e7417c36304a098cd

    1a3fb2785a1b4e2fbcf762f4eb00400d829937a4b9695a44d9100af4c6b436dc

    21d52cdd871785ccb716b636eb0d21f7a3abdf6129fcfce33f1ed779443f863e

    3df2f26126935556a9f484683b4ba5f9c1dadf672e8e8192e74b80100b31e142

    4ff4025593526b24717b7ef06c2c17498ee20c28616aa4bd65500b684963dec4

    511c17b08fbe6e20f7db8997771196ae3b374398b708dfbd32736882edda5e3e

    5b3afb7f0a404cfe5a874dfb1b8280497e2120cbe97ebc82c5bbce3045de79aa

    6058f03073d79e51868c9171bcd669c8f94c891ad3218fc6d2d251f5bc2cc46f

    71586be8c3b7d3f5d6941ecffba6945d14f706a4d257d73bf27709550837fbd8

    71f5421ef04ae05d883a1dddc3be55a3a3b4b8bc3273daaf4274c464494704eb

    76a9f5dedfadb3eb31ba87c8675fecf589901abacabbe0b668b53b5da075a4e4

    7a7dd3dc7c8406fd9ff080a5d257d39a380cfed75f637bf379c4299a01341781

    7b06a02e12e4d29139ef9b7e0214f9e0da663ff63768aa381badefdd44f27f24

    835c71fbf9a931bff52d01449913d43f019eac255264b1f4e74434cc7f84d4b6

    876cd4901754ed356fa8f205b4dfa6e915edc5cfee8659b5d2e993c22a27ae9a

    8f319fcc9958b6cd4a029f7bfe33d0d36f7678803105e0383730b3fa729c65ae

    923649d9126f92da2b0d8f9b522766068207724950a61f40bea6c677e6abda73

    9f762428f1e64805ef0e622c492bb610a811f5bd85c0d859052efc10ce63819a

    a09bbfbead2195ca3619967ae4b5ce99eaa02b916b40bb18ef98420fe6391473

    bb820fbdf6453f1e896b50a577dec3b7bc00254a036bec399e0e0238240a6d2e

    c80982d896c4bd21a4b3bd0be472f45ce2b32590ef21678dbe8f257d99efd15e

*See JSON for more IOCs

Coverage

Product

Protection

Secure Endpoint

Cloudlock

N/A

CWS

Email Security

Network Security

N/A

Stealthwatch

N/A

Stealthwatch Cloud

N/A

Secure Malware Analytics

Umbrella

N/A

WSA

N/A

Screenshots of Detection****Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Trojan.Ursnif-9949968-0****Indicators of Compromise

  • IOCs collected from dynamic analysis of 26 samples

Registry Keys

Occurrences

<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES

        Value Name: DefaultScope

19

<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES{0633EE93-D776-472F-A0FF-E1416B8B2E3A}

        Value Name: FaviconPath

18

<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES{0633EE93-D776-472F-A0FF-E1416B8B2E3A}

        Value Name: Deleted

18

<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\159

11

<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES

        Value Name: FaviconPath

1

<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES

        Value Name: Deleted

1

<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER

        Value Name: TabBandWidth

1

Mutexes

Occurrences

Global<random guid>

5

IP Addresses contacted by malware. Does not indicate maliciousness

Occurrences

142[.]250[.]72[.]110

20

87[.]106[.]18[.]141

18

142[.]250[.]80[.]100

17

13[.]107[.]21[.]200

8

20[.]189[.]173[.]20/31

3

172[.]217[.]9[.]196

1

13[.]107[.]22[.]200

1

131[.]253[.]33[.]200

1

142[.]250[.]31[.]99

1

20[.]189[.]173[.]22

1

52[.]168[.]117[.]173

1

142[.]251[.]40[.]132

1

Domain Names contacted by malware. Does not indicate maliciousness

Occurrences

computer[.]example[.]org

25

wpad[.]example[.]org

25

www[.]bing[.]com

20

www[.]google[.]com

20

google[.]com

20

d33ounorbertoui[.]top

19

hclement28[.]com

19

wngtdpablo[.]com

19

vmss-prod-seas[.]southeastasia[.]cloudapp[.]azure[.]com

11

vmss-prod-weu[.]westeurope[.]cloudapp[.]azure[.]com

10

vmss-prod-eus[.]eastus[.]cloudapp[.]azure[.]com

5

clientconfig[.]passport[.]net

5

onedsblobprdwus15[.]westus[.]cloudapp[.]azure[.]com

2

onedsblobprdwus17[.]westus[.]cloudapp[.]azure[.]com

1

onedsblobprdwus16[.]westus[.]cloudapp[.]azure[.]com

1

onedsblobprdeus16[.]eastus[.]cloudapp[.]azure[.]com

1

windowsupdatebg[.]s[.]llnwi[.]net

1

Files and or directories created

Occurrences

\Users\user\AppData\Local\Temp\JavaDeployReg.log

20

\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-17529550060\msapplication.xml

20

\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-18270793970\msapplication.xml

20

\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-21706820\msapplication.xml

20

\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-4759708130\msapplication.xml

20

\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-6757900\msapplication.xml

20

\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-8760897390\msapplication.xml

20

\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20259167780\msapplication.xml

20

\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20332743330\msapplication.xml

20

\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin8215062560\msapplication.xml

20

\Users\user\AppData\Local\Microsoft\Windows\INetCache\SQM\iesqmdata7.sqm

20

\Users\user\AppData\Local\Microsoft\Windows\INetCache\SQM\iesqmdata8.sqm

20

\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FNF9BE4O\errorPageStrings[1]

19

\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OSZC6DKG\httpErrorPagesScripts[1]

19

\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\XN0IX3V7\NewErrorPageTemplate[1]

19

\Users\user\AppData\Local\Microsoft\Windows\INetCache\SQM\iesqmdata9.sqm

19

\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OSZC6DKG\googlelogo_color_150x54dp[1].png

19

\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FNF9BE4O\robot[1].png

19

\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FNF9BE4O\httpErrorPagesScripts[1]

18

\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PCALSGUV\NewErrorPageTemplate[1]

18

\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\XN0IX3V7\errorPageStrings[1]

18

\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PCALSGUV\dnserror[1]

18

\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PCALSGUV\dnserror[2]

18

\Users\user\AppData\Local\Microsoft\Windows\INetCache\SQM\iesqmdata0.sqm

16

\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active{E28F2047-D00B-11EC-93F9-00007D696965}.dat

1

*See JSON for more IOCs

File Hashes

    0b4e0d5af6940002dfec2c399eac4654f862165511a8e48a2064de0fc41cac33

    18281b8ef8f6aef4d89b2650f0ab99b7eda5c1bea501ee84011d2bd3759c594c

    18d28f28e826832ca89b47b8308c3a4e68694e3e5237fb1e209ab99af7e9fce8

    1abf885f446ab7a409a8794e24da04e528e13452753c1fd77afd02e30e7e987a

    2162f6fefaa85327fbe8ec3efaf6046824408bcac5adca48c8f007aa8d05962c

    3369fd5079ed8c89a5e873589432cf54fa694d7be4b49dc9b332699523998f6b

    3549fe94e98382fe823a6dbaae3cb3885c4839ae95b50cf3237bf3f631d50341

    385ae2eb42a6613002e43925d511367c202946d3d4b3420786b5e2da2bc66cfd

    385b2d198ca54e3af73eba0ffb2cbd43ab6c17e053751e7800d0199cbcea19b5

    3c59ab329f6f12dcf9137433c14aadd294d1784ef103f4fab4e98d045811817a

    4579025a293d21298407f23d6c83526113fa350b537e52ded55494d91cada6cf

    47d3a75e436f5c961a2853843241ad8369b5cff45a8c12a5658696c5b7d6c447

    5430447e21a21c895167f3d7b03625d72f0729143a3d9775d149198bb74f95bf

    573e34d1551fa8c782d9308b00d58682e0a4231304f5210c67c9669032048aaa

    579df9e5c79f35d24e76cd0af59d30fc1a5f0c09c6da5fe3b27846949e095a6c

    5af001e9a0c4ecf9befd5df025f691fb4636cec049cb643942145f0eb217e3ae

    60e982ff5c602f7bc50d2046d73d39c25cec7d1513fbd0526907094de356516f

    61ff8d15aed76be54d4d8551cff40d29ee73c50c3e02f680f8d5b81effc94ebb

    65312b555f55fe0e82e6b37dcf060084b19743125f42099d8fd8753fb99bea35

    6b50d809fa314c3771fe435bc1e3f06bb43deed5b42da64ddc1f272e5016d7bc

    7246ed187c270036a7e1adf41930892fa1fef30cd94513bd6c5d5464e649973a

    7c45a3d7104841bf1653b1af4380bcf23c059ea29009009519fd5a3f510a85d2

    7cef052fc952b9d470fd3ac2822bde8f1c0dedef1dfa2e07f690a6abde232418

    8631236776f98489f8601cc12cfa7b5eea05a97fbb80ef3c6be50ce98ee91a90

    8c0506d57259b66369035093f3b97845d3a7ea11c89042a92f57d9474126b079

*See JSON for more IOCs

Coverage

Product

Protection

Secure Endpoint

Cloudlock

N/A

CWS

Email Security

Network Security

Stealthwatch

N/A

Stealthwatch Cloud

N/A

Secure Malware Analytics

Umbrella

WSA

Screenshots of Detection****Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Malware.Gh0stRAT-9949686-0****Indicators of Compromise

  • IOCs collected from dynamic analysis of 15 samples

Registry Keys

Occurrences

<HKCU>\SOFTWARE\MICROSOFT\MULTIMEDIA\DRAWDIB

15

<HKCU>\SOFTWARE\MICROSOFT\MULTIMEDIA\DRAWDIB

        Value Name:  1152x864x32(BGR 0)

15

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDOWS

        Value Name: Type

14

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDOWS

        Value Name: Start

14

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDOWS

        Value Name: ErrorControl

14

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDOWS

        Value Name: WOW64

14

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDOWS

        Value Name: ObjectName

14

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDOWS

14

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDOWS

        Value Name: Group

14

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDOWS

        Value Name: ImagePath

14

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDOWS

        Value Name: DisplayName

14

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDOWS

        Value Name: FailureActions

14

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDOWS

        Value Name: InstallTime

14

Mutexes

Occurrences

ini_read_write

15

1.15.252.63:3339:windows

14

IP Addresses contacted by malware. Does not indicate maliciousness

Occurrences

1[.]15[.]252[.]63

14

Domain Names contacted by malware. Does not indicate maliciousness

Occurrences

computer[.]example[.]org

15

wpad[.]example[.]org

15

vmss-prod-seas[.]southeastasia[.]cloudapp[.]azure[.]com

7

vmss-prod-eus[.]eastus[.]cloudapp[.]azure[.]com

5

vmss-prod-weu[.]westeurope[.]cloudapp[.]azure[.]com

3

Files and or directories created

Occurrences

%ProgramFiles(x86)%\NetMeeting

14

%ProgramFiles(x86)%\Windows NT\csrss.exe

14

%ProgramFiles%\Windows NT\csrss.exe

14

%ProgramFiles(x86)%\NetMeeting\csrss.exe

14

File Hashes

    01e3172ff84571f7b1cbb4b28fe59eed1cabf1be8f5d4dc77fef5f11899befcb

    1d24852e58f6c3443e7633c897d15a1f22df53a38ac1e936e7e4b538bd80598f

    46edc30cf3cb53b76cb985fe5d5d086f42b2790636d15d955a1adbb656be8076

    6fcfc7785b990bdb6d976a2ba87b6799c1930980b07dc76a6f203f71d41090f1

    780f2faf0f4c0a519238962a30973f51826389b657ad798859935a48847dfdba

    8693b8bb5c55b5c3739c767339489ad9554e77b9c4cfd9ae5680d657e74c6dde

    88d2a856d6b0d7d1b51474c331e26a88e7514979b8878b43c5d379d410186b18

    b1ec0600a9183325664e91b51faf8672a4e1bfe131015e7ff87fae5a7048b2b5

    b466bd88c9931cee3e51a5376addf8f5e2967787778427158db38698bd821084

    c6aee16f27dd1d3658eb1bd82f6f41727d68e576f7306313c7e1fd061f15c49a

    d2cb6f30f58ce03b435e10ba2db2deb501eb426af12e8d35ed7bdd9b29d188f9

    e11ecc06c1b8c1bea06b6d5eb2e60b558ad0adf996f4b04a99ea65dccd1b623d

    e4a14a9533507ea16eeec69b1144fcb672df7b53c5614039340b41c24ca16a58

    e4a2ee5955535358fe53483bf2db58829d353babebd447d4ded4eabc834c51cb

    e7a84c29f347a728c06fed91740b8ce72a53beaa51e16f57c8d8fd874b8a2564

Coverage

Product

Protection

Secure Endpoint

Cloudlock

N/A

CWS

Email Security

Network Security

N/A

Stealthwatch

N/A

Stealthwatch Cloud

N/A

Secure Malware Analytics

Umbrella

N/A

WSA

N/A

Screenshots of Detection****Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

TALOS: Latest News

New PXA Stealer targets government and education sectors for sensitive information