Security
Headlines
HeadlinesLatestCVEs

Headline

Threat Roundup for July 15 to July 22

Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between July 15 and July 22. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats. As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found herethat includes the complete list of file hashes, as well as all other IOCs from this post. A visual depiction of the MITRE ATT&CK techniques associated with each threat is also shown. In these images, the brightness of the technique indicates how prevalent it is across all threat files where dynamic analysis was conducted. There are five distinct shades that are used, with the darkest indicating that no files exhibited technique behavior and the brightest indicating that technique behavior was observed from 75 percent or more of the files. The most prevalent threats highlighted in this roundup are:

Threat Name    Type    Description

Win.Virus.Ramnit-9957454-0 Virus Ramnit is a banking trojan that monitors web browser activity on an infected machine and collects login information from financial websites. It could also steal browser cookies and hides from popular antivirus software. Win.Malware.Kovter-9957371-0 Malware Kovter is known for it’s fileless persistence mechanism. This family of malware creates several malicious registry entries which store its malicious code. Kovter is capable of reinfecting a system even if the file system has been cleaned of the infection. Kovter has been used in the past to spread ransomware and click-fraud malware. Win.Ransomware.TeslaCrypt-9957356-0 Ransomware TeslaCrypt is a well-known ransomware family that encrypts a user’s files with strong encryption and demands Bitcoin in exchange for a file decryption service. A flaw in the encryption algorithm was discovered that allowed files to be decrypted without paying the extortion request, and eventually, the malware developers released the master key allowing all encrypted files to be recovered easily. Win.Dropper.Shiz-9957241-0 Dropper Shiz is a remote access trojan that allows an attacker to access an infected machine to harvest sensitive information. It is commonly spread via droppers or by victims visiting a malicious site. Win.Dropper.Zeus-9957126-0 Dropper Zeus is a trojan that steals information such as banking credentials using methods such as key-logging and form-grabbing. Win.Dropper.Tofsee-9957067-0 Dropper Tofsee is multi-purpose malware that features a number of modules used to carry out various activities such as sending spam messages, conducting click fraud, mining cryptocurrency and more. Infected systems become part of the botnet and send large volumes of spam messages to infect additional systems and increase the size of the botnet under the operator’s control. Win.Packed.Nanocore-9957022-0 Packed Nanocore is a .NET remote access trojan. Its source code has been leaked several times, making it widely available. Like other RATs, it allows full control of the system, including recording video and audio, stealing passwords, downloading files and recording keystrokes. Win.Dropper.LokiBot-9957019-0 Dropper Lokibot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature and can steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered via spam emails.

Threat Breakdown

Win.Virus.Ramnit-9957454-0

Indicators of Compromise

IOCs collected from dynamic analysis of 16 samples

        Registry Keys            Occurrences        
                             
    <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER                          
        Value Name: AntiVirusOverride                            16        
             
    <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER                          
        Value Name: AntiVirusDisableNotify                            16        
             
    <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER                          
        Value Name: FirewallDisableNotify                            16        
             
    <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER                          
        Value Name: FirewallOverride                            16        
             
    <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER                          
        Value Name: UpdatesDisableNotify                            16        
             
    <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER                          
        Value Name: UacDisableNotify                            16        
             
    <HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM                          
        Value Name: EnableLUA                            16        
             
    <HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE                          
        Value Name: EnableFirewall                            16        
             
    <HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE                          
        Value Name: DoNotAllowExceptions                            16        
             
    <HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE                          
        Value Name: DisableNotifications                            16        
             
    <HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC                          
        Value Name: Start                            16        
             
    <HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDEFEND                          
        Value Name: Start                            16        
             
    <HKLM>\SYSTEM\CONTROLSET001\SERVICES\MPSSVC                          
        Value Name: Start                            16        
             
    <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION                          
        Value Name: jfghdug_ooetvtgk                            16        
             
    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN                          
        Value Name: JudCsgdy                            16        
             
    <HKLM>\SYSTEM\CONTROLSET001\SERVICES\WUAUSERV                          
        Value Name: Start                            16        
             
    <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN                          
        Value Name: Windows Defender                            16        
             
    <HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON                          
        Value Name: Userinit                            16        
             
    <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON                          
        Value Name: Userinit                            16        
                     
                
            
        Mutexes            Occurrences        
                                 
        {7930D12C-1D38-EB63-89CF-4C8161B79ED4}            16            
                 
        {79345B6A-421F-2958-EA08-07396ADB9E27}            16            
                 
        {7930D12D-1D38-EB63-89CF-4C8161B79ED4}            16            
                 
        {7930CC18-1D38-EB63-89CF-4C8161B79ED4}            16            
                 
        {7930DB19-1D38-EB63-89CF-4C8161B79ED4}            16            
                 
        {<random GUID>}            16            
                     
                         
            
        IP Addresses contacted by malware. Does not indicate maliciousness            Occurrences        
                                 
        195[.]201[.]179[.]207            16            
                 
        142[.]251[.]40[.]142            16            
                 
        46[.]165[.]220[.]145            15            
                 
        72[.]26[.]218[.]70            15            
                 
        208[.]100[.]26[.]245            14            
                 
        35[.]205[.]61[.]67            14            
                     
                          
            
        Domain Names contacted by malware. Does not indicate maliciousness            Occurrences        
                                 
        google[.]com            16            
                 
        bungetragecomedy9238[.]com            16            
                 
        kbivgyaakcntdet[.]com            16            
                 
        oawvuycoy[.]com            16            
                 
        fmsqakcxgr[.]com            15            
                 
        jlaabpmergjoflssyg[.]com            15            
                 
        kbodfwsbgfmoneuoj[.]com            15            
                 
        oeuwldhkrnvxg[.]com            15            
                 
        wstujheiancyv[.]com            15            
                 
        yrkbpnnlxrxrbpett[.]com            15            
                 
        ausprcogpngdpkaf[.]com            14            
                 
        citnngljfbhbqtlqlrn[.]com            14            
                 
        dvwtcefqgfnixlrdb[.]com            14            
                 
        qislvfqqp[.]com            14            
                 
        ypwosgnjytynbqin[.]com            14            
                 
        wdgqvaya[.]com            14            
                 
        gfaronvw[.]com            14            
                     
                          
            
        Files and or directories created            Occurrences        
                                 
        %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\judcsgdy.exe            16            
                 
        %LOCALAPPDATA%\bolpidti            16            
                 
        %LOCALAPPDATA%\bolpidti\judcsgdy.exe            16            
                 
        %TEMP%\squhapjc.exe            16            
                 
        %TEMP%\aacwxnxw.exe            16            
                 
        %ProgramData%\qvqdlyny.log            16            
                 
        %LOCALAPPDATA%\yjghhxdl.log            16            
                 
        %LOCALAPPDATA%\aanqrsjf.log            16            
                 
        \TEMP\naEnI23            6            
                 
        \TEMP\YsbJf23            3            
                 
        \TEMP\tbii193            3            
                 
        \TEMP\sXw0IB2            1            
                 
        \TEMP\DrPmx23            1            
                 
        %LOCALAPPDATA%\bolpidti\pxAA0.tmp            1            
                 
        \TEMP\48at1iwB            1            
                 
        \TEMP\bvr7hgqN            1            

File Hashes

             040aba270ceca1eb00733e6733d2aa1da65f7a2c1f7aeff8f17c5d1070752535              0f95459d96bc1dd999753862126023c5a868d6b4350b6e72b6ca7aa683c3ade1              126aeea38387066d0cb15d2bf6476e7324abf67168defbc9e18352e68ef1174d              1d2f933a0c2c448e55f4106dae274696717ace70131035a4df42b6c5a373bb3e              283d8a891f3e3f478a74a3e5eacb12e4bcc803be1219c9c38cfdfb5890e2279e              2fbbaed010dc46bb6dac16bab57ee04e96965bea8142d37f7b3cb88a1e476e4f              587d34dd12dde3d009c85ba20416f1b354a4ae643777d28bb52ad8f9168cd4b0              5d490643405c093eab1f1a5b864943b0507400f0f3141de7f089c6ccc12fd316              7cacb6c76f80a1f500eacb7e9145fb7da0726343b54c547a4dc560d2f37fb18f              8f8d34773a5bfa95aea47bac3fb05fb11786312b6ef2a9223012b0bd88e167f9              99dafa7b30b55ca6c088739a27f3704862ba99fe051884478c5337ab5d507679              b297360c21d003261c25e314a2f16905086202ddc203765adc263ca5b6436ae0              b5f278f958e930c42e168e091ca7ff369aeab730d6626e6661bd51224ed93506              ba7ca9f0aa3d6ce0c63a81411e97deda8d952d06e9307f0058e0b3d08de72b87              c176340ea7e16d209b904405281425983679182aa7765e7a67646c87aa81c661              f7a787118f46b489f2a45ca7228322bebba7eb10aa00183cbde74773aa3753da              

Coverage

        Product            Protection        
                     
        Secure Endpoint                                                                                                                              
             
        Cloudlock                                                                     N/A                                                          
             
        CWS                                                                                                                              
             
        Email Security                                                                                                                              
             
        Network Security                                                                                                                              
             
        Stealthwatch                                                                     N/A                                                          
             
        Stealthwatch Cloud                                                                     N/A                                                          
             
        Secure Malware Analytics                                                                                                                              
             
        Umbrella                                                                                                                              
             
        WSA                                                                                                                              

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Malware.Kovter-9957371-0

Indicators of Compromise

IOCs collected from dynamic analysis of 25 samples

        Registry Keys            Occurrences        
                             
    <HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\WINDOWSUPDATE                          
        Value Name: DisableOSUpgrade                            25        
             
    <HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\WINDOWSUPDATE\OSUPGRADE                          
        Value Name: ReservationsAllowed                            25        
             
    <HKLM>\SOFTWARE\WOW6432NODE\XVYG                          
        Value Name: xedvpa                            25        
             
    <HKCU>\SOFTWARE\XVYG                          
        Value Name: xedvpa                            25        
             
    <HKCR>\.8CA9D79                             25        
             
    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN                          
        Value Name: vrxzdhbyv                            25        
             
    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN                          
        Value Name: ssishoff                            25        
             
    <HKLM>\SOFTWARE\WOW6432NODE\XVYG                          
        Value Name: tbqjcmuct                            25        
             
    <HKCU>\SOFTWARE\XVYG                          
        Value Name: tbqjcmuct                            25        
             
    <HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\WINDOWSUPDATE                             25        
             
    <HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\WINDOWSUPDATE\OSUPGRADE                             25        
             
    <HKCU>\SOFTWARE\XVYG                             25        
             
    <HKLM>\SOFTWARE\WOW6432NODE\XVYG                             25        
             
    <HKCR>\C3B616                             25        
             
    <HKCR>\C3B616\SHELL                             25        
             
    <HKCR>\C3B616\SHELL\OPEN                             25        
             
    <HKCR>\C3B616\SHELL\OPEN\COMMAND                             25        
             
    <HKCR>\.8CA9D79                             25        
             
    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.103                          
        Value Name: CheckSetting                            25        
             
    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.100                          
        Value Name: CheckSetting                            25        
             
    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.102                          
        Value Name: CheckSetting                            25        
             
    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.104                          
        Value Name: CheckSetting                            25        
             
    <HKLM>\SOFTWARE\WOW6432NODE\XVYG                          
        Value Name: svdjlvs                            25        
             
    <HKCU>\SOFTWARE\XVYG                          
        Value Name: svdjlvs                            25        
             
    <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN                          
        Value Name: fcbburq                            25        
                     
                
            
        Mutexes            Occurrences        
                                 
        EA4EC370D1E573DA            25            
                 
        A83BAA13F950654C            25            
                 
        Global\7A7146875A8CDE1E            25            
                 
        B3E8F6F86CDD9D8B            25            
                     
                         
            
        IP Addresses contacted by malware. Does not indicate maliciousness            Occurrences        
                                 
        95[.]124[.]204[.]21            1            
                 
        4[.]241[.]178[.]108            1            
                 
        13[.]128[.]69[.]186            1            
                 
        109[.]227[.]104[.]183            1            
                 
        221[.]105[.]207[.]89            1            
                 
        137[.]201[.]198[.]88            1            
                 
        39[.]19[.]244[.]52            1            
                 
        155[.]145[.]195[.]61            1            
                 
        33[.]32[.]249[.]162            1            
                 
        83[.]31[.]52[.]148            1            
                 
        129[.]233[.]227[.]218            1            
                 
        62[.]40[.]76[.]178            1            
                 
        69[.]247[.]75[.]163            1            
                 
        119[.]31[.]244[.]99            1            
                 
        18[.]90[.]144[.]73            1            
                 
        199[.]77[.]183[.]213            1            
                 
        130[.]86[.]117[.]171            1            
                 
        68[.]21[.]73[.]93            1            
                 
        39[.]232[.]85[.]81            1            
                 
        66[.]33[.]222[.]234            1            
                 
        222[.]207[.]122[.]202            1            
                 
        110[.]56[.]135[.]234            1            
                 
        6[.]22[.]73[.]16            1            
                 
        50[.]159[.]160[.]25            1            
                 
        217[.]52[.]47[.]12            1            

*See JSON for more IOCs

        Domain Names contacted by malware. Does not indicate maliciousness            Occurrences        
                                 
        apps[.]identrust[.]com            1            
                 
        reflex-demo-use-4[.]hannover-re[.]cloud            1            
                 
        flyttstadning-stockholm[.]nu            1            
                     
                          
            
        Files and or directories created            Occurrences        
                                 
        %LOCALAPPDATA%\4dd3cc            25            
                 
        %LOCALAPPDATA%\4dd3cc\519d0f.bat            25            
                 
        %LOCALAPPDATA%\4dd3cc\8e9866.8ca9d79            25            
                 
        %LOCALAPPDATA%\4dd3cc\d95adb.lnk            25            
                 
        %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\91b4e5.lnk            25            
                 
        %APPDATA%\b08d66            25            
                 
        %APPDATA%\b08d66\0b3c0b.8ca9d79            25            
                 
        %TEMP%\VB<random, matching [A-F0-9]{3,4}>.tmp            25            

File Hashes

             00ebcb2374583159529a8dcb4d27e851246914eacfd1a3cf12d2cbd73f064294              093389823f1de777d5601b06cd106ff4380e408c1c8b39ac11cbfd93353d6314              0d93c80c3af7d2121af1d853585efd98693a06d376fd13464b3f52ca159c4cf1              0d947efab08d1bfc21b5abd2734ddfdbeeb9cb1d29346670a0128f7a531c6547              0dcc6cf63dc618f450127306942d91f8404e6a2cdb8326412f93ad36a892e9bb              134fea9f96af3845790cd2f8ba6f0a93b208469ae1a592da0135234387ef9410              194acafcf8cb53f889a9d77c8fb2cf511b3c27a989f4ce5e91e55153583fe318              1ee9b6d5909664f7d6d247088033be88d56aa674af63ae751ea625d9768b144b              26ce967cffd3a8650b2475553ecf09333dd04068f840c0d9f5077909766648e7              304c9568e3381dc75ec2f853c19d1de4f47fb40cf55f12d48612631728cb9740              3368e5d1bf347cd4cd6df01e4f60491d747adf1545a4e9006f062adc08eb95a3              35a3111fa824abf5130d52c377999d15450a7018a93ca406d88ccfe3e0913712              4084b83687be14dd8c8a98026c810fb0961abf771c8827b4779872b276055249              43ed7041f9096db31d7dad4f9cff7d6cd00c1ccdce383421638f8847b6bc568e              450f32871f007b32bdd06b40d1804b6e67c5625121eb0b2adbd276c8f48c1434              4625ab6090ec735194bac9aa2ce1cfc7fe9ad3db30cd2a220f4e1d1368878fdf              46c753dd41ac83e7f2a8b1dda5c2d46eddbd1f42a2197843ed6f7dff817f5a8b              477d345de8b818c1d855ab9d64578c1b39915624926108e97b9a9e65b2696bbd              488f1209f28a4be1f9c4fb2798de2bbcef4e1c8949467eee0cc8546abbd663d0              491d36c6a9d19e3e37871e83ac2fa710020093a7105617c9e371b5f1a6099b38              4a11d5d14df0fbb67f813a7425b4a9be69c5a33b0cc930c3f3886374b57eee43              4aabb5ca1a96a55395e53d8dd17e27552319b14264efca554c1fc78bec39a589              4bc7ba250aa345e8c96f8df64e846aeca90f8add2db2f269bdf452843c574398              4f4e505d0f4b1dca299ac0cbd8749adb91994e144e314f11e7677a4dc91a2f30              503d20ae3e5d78acf6a367f1f1c2fc177683e8136a5571e5320c3834070c3e97              

*See JSON for more IOCs

Coverage

        Product            Protection        
                     
        Secure Endpoint                                                                                                                              
             
        Cloudlock                                                                     N/A                                                          
             
        CWS                                                                                                                              
             
        Email Security                                                                                                                              
             
        Network Security                                                                                                                              
             
        Stealthwatch                                                                     N/A                                                          
             
        Stealthwatch Cloud                                                                     N/A                                                          
             
        Secure Malware Analytics                                                                                                                              
             
        Umbrella                                                                     N/A                                                          
             
        WSA                                                                     N/A                                                          

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Ransomware.TeslaCrypt-9957356-0

Indicators of Compromise

IOCs collected from dynamic analysis of 25 samples

        Registry Keys            Occurrences        
                             
    <HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM                          
        Value Name: EnableLinkedConnections                            25        
             
    <HKCU>\SOFTWARE\XXXSYS                             25        
             
    <HKCU>\SOFTWARE\XXXSYS                          
        Value Name: ID                            25        
             
    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{C8E6F269-B90A-4053-A3BE-499AFCEC98C4}.CHECK.0                          
        Value Name: CheckSetting                            25        
             
    <HKCU>\Software\<random, matching '[A-Z0-9]{14,16}'>                             24        
             
    <HKCU>\Software\<random, matching '[A-Z0-9]{14,16}'>                          
        Value Name: data                            24        
             
    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN                          
        Value Name: hdtjbroygvvb                            1        
             
    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN                          
        Value Name: owvhajogulen                            1        
             
    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN                          
        Value Name: pyfepfifrjwi                            1        
             
    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN                          
        Value Name: xbmnkkfnowvh                            1        
             
    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN                          
        Value Name: gulenopvybnq                            1        
             
    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN                          
        Value Name: tbqdqvojagik                            1        
             
    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN                          
        Value Name: hajogulenopv                            1        
             
    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN                          
        Value Name: mgtbqdqvcoqj                            1        
             
    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN                          
        Value Name: ulenopvybnqj                            1        
             
    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN                          
        Value Name: lpyfepfifrjw                            1        
             
    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN                          
        Value Name: epfifrjwiqou                            1        
             
    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN                          
        Value Name: ifrjwiqouteu                            1        
             
    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN                          
        Value Name: teumgtbqdqvo                            1        
             
    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN                          
        Value Name: nrxbmnkkfnow                            1        
             
    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN                          
        Value Name: whmtlmoxvcsc                            1        
             
    <HKCU>\SOFTWARE\159643D83772F                             1        
             
    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN                          
        Value Name: bmnkkfnowvha                            1        
             
    <HKCU>\SOFTWARE\159643D83772F                          
        Value Name: data                            1        
             
    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN                          
        Value Name: vcscusnnmyjx                            1        
                     
                
            
        Mutexes            Occurrences        
                                 
        ityeofm9234-23423            25            
                     
                         
            
        IP Addresses contacted by malware. Does not indicate maliciousness            Occurrences        
                                 
        107[.]6[.]161[.]162            25            
                     
                          
            
        Domain Names contacted by malware. Does not indicate maliciousness            Occurrences        
                                 
        jessforkicks[.]com            25            
                 
        heizhuangym[.]com            25            
                 
        infotlogomas[.]malangkota[.]go[.]id            25            
                 
        csucanuevo[.]csuca[.]org            25            
                 
        snibi[.]se            25            
                 
        danecobain[.]com            25            
                 
        www[.]danecobain[.]com            25            
                     
                          
            
        Files and or directories created            Occurrences        
                                 
        %ProgramFiles%\7-Zip\Lang\ka.txt            25            
                 
        %ProgramFiles%\7-Zip\Lang\kaa.txt            25            
                 
        %ProgramFiles%\7-Zip\Lang\kab.txt            25            
                 
        %ProgramFiles%\7-Zip\Lang\kk.txt            25            
                 
        %ProgramFiles%\7-Zip\Lang\ko.txt            25            
                 
        %ProgramFiles%\7-Zip\Lang\ku-ckb.txt            25            
                 
        %ProgramFiles%\7-Zip\Lang\ku.txt            25            
                 
        %ProgramFiles%\7-Zip\Lang\ky.txt            25            
                 
        %ProgramFiles%\7-Zip\Lang\lij.txt            25            
                 
        %ProgramFiles%\7-Zip\Lang\lt.txt            25            
                 
        %ProgramFiles%\7-Zip\Lang\lv.txt            25            
                 
        %ProgramFiles%\7-Zip\Lang\mk.txt            25            
                 
        %ProgramFiles%\7-Zip\Lang\mn.txt            25            
                 
        %ProgramFiles%\7-Zip\Lang\mng.txt            25            
                 
        %ProgramFiles%\7-Zip\Lang\mng2.txt            25            
                 
        %ProgramFiles%\7-Zip\Lang\mr.txt            25            
                 
        %ProgramFiles%\7-Zip\Lang\ms.txt            25            
                 
        %ProgramFiles%\7-Zip\Lang\nb.txt            25            
                 
        %ProgramFiles%\7-Zip\Lang\ne.txt            25            
                 
        %ProgramFiles%\7-Zip\Lang\nl.txt            25            
                 
        %ProgramFiles%\7-Zip\Lang\nn.txt            25            
                 
        %ProgramFiles%\7-Zip\Lang\pa-in.txt            25            
                 
        %ProgramFiles%\7-Zip\Lang\pl.txt            25            
                 
        %ProgramFiles%\7-Zip\Lang\ps.txt            25            
                 
        %ProgramFiles%\7-Zip\Lang\pt-br.txt            25            

*See JSON for more IOCs

File Hashes

             11bf02df58d00bf7dfc22e46b27db8a2cfcb9c8d03ad38b2e3baafa193bbbd89              1a4a1e76c6d2dc585ce77c9be7163163c0d614d5668a0c83601bb3d6f91376a0              1c2ddbf956ee1e2b40472b70603371ed21817fbf95d5825b2f75bbf6f9728089              1d4114c8ee19f343f3dcf80a542295af29df63d9745ad77cce43562c909551c5              2f1f927c219ccfcffeb997c9433733a04200ae35a2fc0c48fc07cb49062cddc7              3ef3021ce3ffdffcfba2bd590c4186c3a3ecdd3b6ce40d51d2500897fb55ffb0              41ab6446df889a5a24e4e859146c0225d13a2ba8553c83cb93e45017212884b2              4bae8a4e0124724e695c10202a94eec99cf5990507fbc94ec3f08e11de3ce2c2              4dc12416bf7c3be9d573c8fa07847050307bd05cb67480e3c3874696614b73e9              4fa8c1eaa4846a8a06fb2480a746d5526f743cee314f7101db0508577bdd3776              5207a70e0e818741279d7c25c0d9cb6be136a4fc8ca8fe6f48112c4d0572d64f              5aaad74cb36db78ad6da4d499a75c41d2ace8b97ff8f88c5bc7f738ad353d3d7              67e2caf00dd0293080cb5b45d2db11d4f567ce9a3d6fd5c9723358d18da80e71              6a9e6e5c50b3b90376530ee4e9e81cdf5cdc9b7c07cdb71207b3a1799f77ec7a              6ab8f9569a70beb0f96bf4e030381e70bcce7703b308a05542f4ccf1b6002af9              71f0f23220cb0f5d8b31fce30f08bc1687acd675b7c3a8ae7e0538bacb0d3eec              a3a6b4f405f2175af97128c64d9ad68700e05e22d66c43dad966add8436af79f              a760b60722cfa7c719e79b5c97cfe789720c6300a200421c846e13287cdb160a              d8be6b950a872b1b7c752cc83a5440b4cfe62870097df78794f10986fb7fcb63              dd6483183967845c18a3d5cc6154233aa8f3a48acb4e9cccd3606afe7d4d7eef              de5dc2aed0e06894e0bb1292fb68343fadc46b489e6c85e6cca56cf5bad70c09              e1a00e6beb02475b4bdd8d821ccac3e67bbafd182332cbf35a45c6766ad83b87              e8c460f171e964db6fff16eb38684b9ec82134c4fd1a1cdc64ba338941ef1199              f69edf352cdca309c7faa71f87a429daf2b46e4ae6ed85a25ff03aa34b4702c4              fbcec257455e5546a294ec1534f7e11f05d144c73ef583a0e891e14759e133eb              

Coverage

        Product            Protection        
                     
        Secure Endpoint                                                                                                                              
             
        Cloudlock                                                                     N/A                                                          
             
        CWS                                                                                                                              
             
        Email Security                                                                                                                              
             
        Network Security                                                                     N/A                                                          
             
        Stealthwatch                                                                     N/A                                                          
             
        Stealthwatch Cloud                                                                     N/A                                                          
             
        Secure Malware Analytics                                                                                                                              
             
        Umbrella                                                                                                                              
             
        WSA                                                                                                                              

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Dropper.Shiz-9957241-0

Indicators of Compromise

IOCs collected from dynamic analysis of 25 samples

        Registry Keys            Occurrences        
                             
    <HKLM>\SOFTWARE\MICROSOFT                          
        Value Name: 67497551a                            23        
             
    <HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON                          
        Value Name: 98b68e3c                            23        
             
    <HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON                          
        Value Name: userinit                            23        
             
    <HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON                          
        Value Name: System                            23        
             
    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS                          
        Value Name: load                            23        
             
    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS                          
        Value Name: run                            23        
             
    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN                          
        Value Name: userinit                            23        
                     
                
            
        Mutexes            Occurrences        
                                 
        Global\674972E3a            23            
                 
        Global\MicrosoftSysenterGate7            23            
                 
        internal_wutex_0x000000e0            23            
                 
        internal_wutex_0x0000038c            23            
                 
        internal_wutex_0x<random, matching [0-9a-f]{8}>            23            
                 
        internal_wutex_0x00000448            22            
                     
                         
            
        IP Addresses contacted by malware. Does not indicate maliciousness            Occurrences        
                                 
        13[.]107[.]21[.]200            11            
                 
        45[.]33[.]23[.]183            7            
                 
        45[.]79[.]19[.]196            6            
                 
        198[.]58[.]118[.]167            5            
                 
        45[.]33[.]30[.]197            5            
                 
        72[.]14[.]185[.]43            4            
                 
        45[.]56[.]79[.]23            3            
                 
        45[.]33[.]20[.]235            3            
                 
        72[.]14[.]178[.]174            3            
                 
        96[.]126[.]123[.]244            2            
                 
        45[.]33[.]2[.]79            2            
                 
        45[.]33[.]18[.]44            2            
                 
        85[.]94[.]194[.]169            1            
                 
        173[.]255[.]194[.]134            1            
                     
                          
            
        Domain Names contacted by malware. Does not indicate maliciousness            Occurrences        
                                 
        fotaqizymig[.]eu            23            
                 
        cidufitojex[.]eu            23            
                 
        xukuxaxidub[.]eu            23            
                 
        digofasexal[.]eu            23            
                 
        gatuvesisak[.]eu            23            
                 
        lyvywyduroq[.]eu            23            
                 
        qetekugexom[.]eu            23            
                 
        puvacigakog[.]eu            23            
                 
        xuboninogyt[.]eu            23            
                 
        cicezomaxyz[.]eu            23            
                 
        dixyjohevon[.]eu            23            
                 
        fokisohurif[.]eu            23            
                 
        volugomymet[.]eu            23            
                 
        maganomojer[.]eu            23            
                 
        jefecajazif[.]eu            23            
                 
        qedylaqecel[.]eu            23            
                 
        nojotomipel[.]eu            23            
                 
        rytifaquwer[.]eu            23            
                 
        kepujajynib[.]eu            23            
                 
        tuwaraqidek[.]eu            23            
                 
        xuqeqejohiv[.]eu            23            
                 
        pumebeqalew[.]eu            23            
                 
        cinycekecid[.]eu            23            
                 
        divulewybek[.]eu            23            
                 
        nozulufynax[.]eu            23            

*See JSON for more IOCs

        Files and or directories created            Occurrences        
                                 
        %TEMP%\<random, matching [A-F0-9]{1,4}>.tmp            23            

File Hashes

             00180daca1b8b50f272a020eee54d9fa90094881d1d5ac3cfd9b8ef75cf1e6f4              0782fb4469241b17dacdb3040403425c5dfa726afe7608695d798c40ba0468df              096567f0324ce9d8dafbd8b2fa07baa4c024e734cee78966a2e1bda01cc6aab1              0b575be1b7f34effd28837fcbd89afb217202ce9dc99c23bd59d858343a2cebe              0b579d7b50d2036a46977367a6673faf3e7c1861f30138f19cfc64e2240f7ef4              0e4553fcdf4b905c069986826b4190fae4c301a72a31d84f70ebc82a3a4e08d2              10845e4f34b629a880154930d82e6533e4f2988ff7f8d190da77258b04c53a33              1422cdfe1c27c71dc5cac99bc1b94da21730d123c84808fb275a0a9ad4608ea6              1613108f8d6a07cf52c9342e2bc34ef95c142ccd0945e8863876499f373ee276              1a1075298b76367a0f09e1d32a33f3795d7fcedfbf562f8e97a73fd84b044d44              1a776926ba733dd76ac52335f28bca9f834eb424b9c3344e18c53be7bc488e16              1b2b7d611569a0ed98e7c8592b1ab68f89e5f9b9bb46004f40ab8e238da58c68              1b658f725eccb4d5b15339017f834e54e03280757ef214f98ebf7c02584b1259              1cafff0eb6f9b746d49ce3e6b29dc0581145df229089c43f234693a7f3c01911              1d6a5170f8caf1bac36b69953b6df43da07b1b5fbd2c6c135146edfb975d6c0d              1e12db0b8596f9b40eb120f663796ea2067a5af27fdc9c892d4ffdb042a88df7              1f16c27403f51502cd5cb7b15eac5e53c23b8f8d25f647ebc216cf5f2e57940a              206ffd6d82b9934e50b1de5555e5a544353f4dd8c59c7fe4c8c501024fc12438              25c3635d6874809bb1163763187c72f827756d773cca5aaf93d288015275ba50              27f644aed21754919d8236e2ec0c07ac85a65694a4c2eab289cef54905460545              2a01ca9a1bedc3d53bf5514fb3e3c62275aba7d4536c806a227f83b3265458d0              2a7755e96cff2e3186fde0936b3cf86648f242a5d9c0c3ba8903852905a5bfbf              2bb61e2487b38915a8a0a5b46ea26ea16b931a09a0acd9fe93fe58f63608caa5              2be38d866007d818551826d7b4eb1187f0a2e881634caa08d281ad11fed50b8f              2c77f57754219ee31db301679821ce62e0f2ba5326c04cc0685c53b7135c5a24              

*See JSON for more IOCs

Coverage

        Product            Protection        
                     
        Secure Endpoint                                                                                                                              
             
        Cloudlock                                                                     N/A                                                          
             
        CWS                                                                                                                              
             
        Email Security                                                                                                                              
             
        Network Security                                                                                                                              
             
        Stealthwatch                                                                     N/A                                                          
             
        Stealthwatch Cloud                                                                     N/A                                                          
             
        Secure Malware Analytics                                                                                                                              
             
        Umbrella                                                                                                                              
             
        WSA                                                                                                                              

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Dropper.Zeus-9957126-0

Indicators of Compromise

IOCs collected from dynamic analysis of 25 samples

        Registry Keys            Occurrences        
                             
    <HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\PRIVACY                          
        Value Name: CleanCookies                            1        
             
    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.102                          
        Value Name: CheckSetting                            1        
             
    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.104                          
        Value Name: CheckSetting                            1        
             
    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.101                          
        Value Name: CheckSetting                            1        
             
    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.103                          
        Value Name: CheckSetting                            1        
             
    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.100                          
        Value Name: CheckSetting                            1        
             
    <HKCU>\SOFTWARE\MICROSOFT\XODYUZ                             1        
             
    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN                          
        Value Name: Savyomzauc                            1        
             
    <HKCU>\SOFTWARE\MICROSOFT\XODYUZ                          
        Value Name: Seroymo                            1        
                     
                
            
        Mutexes            Occurrences        
                                 
        GLOBAL\{<random GUID>}            1            
                 
        Local\{<random GUID>}            1            
                     
                         
            
        IP Addresses contacted by malware. Does not indicate maliciousness            Occurrences        
                                 
        199[.]2[.]137[.]201            1            
                     
                          
            
        Domain Names contacted by malware. Does not indicate maliciousness            Occurrences        
                                 
        wearesofamousthatwestayontop[.]com            1            
                 
        sunobowttteek2[.]biz            1            
                     
                          
            
        Files and or directories created            Occurrences        
                                 
        %TEMP%\tmp8f23b8f6.bat            1            
                 
        %APPDATA%\Axfo            1            
                 
        %APPDATA%\Axfo\ycner.elz            1            
                 
        %APPDATA%\Ebyhvo            1            
                 
        %APPDATA%\Ebyhvo\feyn.exe            1            
                 
        %APPDATA%\Iqxa            1            
                 
        %APPDATA%\Iqxa\oviku.ibc            1            

File Hashes

             01e483b094b3112e7cec3c76f73158d4b1897dedabef0bc03cdfe2e8fcfa7e9e              0439391736bebd073343fa84a894df1729747504cd228bea68b0657c4912bfcf              04b75511bf54e30bb62c43021b92070444fcaae9a6f461339efb112eb1ee9154              1308d38b43ffa2dca4d4a86d80cc69e14608c4f0f8e91c422ecbaf4886d088b2              182cc0c11d4cd6193428bd463b14df9b00bb2f69c351790142d660ed7d0f446b              1849049071f08094dc3b8fd471a77df1d4a06583e1a118bcdcf9668990ae4bf0              1fe334f9fb9b43a9a4ab48df2cf6612037bb12dd4b614379766567cfa70a788e              2580d43c6b5a0ce5556bce9857ebb208be8f3bc82705b1cd9df990cca3bea01d              2b14c895108d261f1dfa2ee718cda6c9aadf85540469c870d5c5ad8b10357a30              4248058bec9172b47b4b55e51a06f9bf57d9e848f35f0c0b42695ce9d66c0fab              43d0cbec39e4b9b041353774272484ed5074ec6dfd4a6fbd090a8a4ba3408b8b              517770a8a2092e068ad8d3eafb35039542500297426aab7be084eb7688639093              5ee6e167282e0c6917d36029e08cddf2d4d05121c48b4700782534427c72ce0b              623bcd68d0f7827540471935161c4d5094c3a88965f186a1492822ffb3ff1f18              6bbe78119dac51783873c433e28a5d24851b6fe7da23c822ec2ace75fd9c4153              702808b62a234ddbdb1d48c904ea6028d63f2d69782cc1e5ee5fe7c18e732376              79cbbb34180a74893002d4532e8310bc44a0718a3b990e866e1f4ad3ba82765a              807dea0f6d360b8de2df42defa29edf406b3596e78afca618ea984b2b9396272              8245c00bc1c311baba9ca23653af3432e2d8a084309c32dbc04da5adbf17bea8              8703fccdeecb0ce3afa979c06385e7e9d4361272aa2999c5f1eeba9ee9d6c174              99acfdfb1b763979e7507c245cc25849c09fa5bfcbf830b3f6d7638663e8f772              9b0f72b4ba66d99726123b379fed030b9257281b9f493e15b21e5dbc0b1b392e              a546480f68c4789f6630260b515e30ba27d53cdb256d186018c29ab89c279f8b              a70d2c24cc882a37161aed809bb1311edfe9fabfecb3496872884de46bcd30f2              a7dfcc11b3d17fa4f66cfc5bd08872f286705056bf283fca4e3bb3b4310ef407              

*See JSON for more IOCs

Coverage

        Product            Protection        
                     
        Secure Endpoint                                                                                                                              
             
        Cloudlock                                                                     N/A                                                          
             
        CWS                                                                                                                              
             
        Email Security                                                                                                                              
             
        Network Security                                                                                                                              
             
        Stealthwatch                                                                     N/A                                                          
             
        Stealthwatch Cloud                                                                     N/A                                                          
             
        Secure Malware Analytics                                                                                                                              
             
        Umbrella                                                                     N/A                                                          
             
        WSA                                                                     N/A                                                          

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Dropper.Tofsee-9957067-0

Indicators of Compromise

IOCs collected from dynamic analysis of 17 samples

        Registry Keys            Occurrences        
                             
    <HKU>\.DEFAULT\CONTROL PANEL\BUSES                          
        Value Name: Config4                            4        
             
    <HKU>\.DEFAULT\CONTROL PANEL\BUSES                             4        
             
    <HKU>\.DEFAULT\CONTROL PANEL\BUSES                          
        Value Name: Config0                            4        
             
    <HKU>\.DEFAULT\CONTROL PANEL\BUSES                          
        Value Name: Config1                            4        
             
    <HKU>\.DEFAULT\CONTROL PANEL\BUSES                          
        Value Name: Config2                            4        
             
    <HKU>\.DEFAULT\CONTROL PANEL\BUSES                          
        Value Name: Config3                            4        
             
    <HKLM>\SYSTEM\CONTROLSET001\SERVICES\NXZUQIHD                             1        
             
    <HKLM>\SYSTEM\CONTROLSET001\SERVICES\NXZUQIHD                          
        Value Name: Type                            1        
             
    <HKLM>\SYSTEM\CONTROLSET001\SERVICES\NXZUQIHD                          
        Value Name: Start                            1        
             
    <HKLM>\SYSTEM\CONTROLSET001\SERVICES\NXZUQIHD                          
        Value Name: ErrorControl                            1        
             
    <HKLM>\SYSTEM\CONTROLSET001\SERVICES\NXZUQIHD                          
        Value Name: DisplayName                            1        
             
    <HKLM>\SYSTEM\CONTROLSET001\SERVICES\NXZUQIHD                          
        Value Name: WOW64                            1        
             
    <HKLM>\SYSTEM\CONTROLSET001\SERVICES\NXZUQIHD                          
        Value Name: ObjectName                            1        
             
    <HKLM>\SYSTEM\CONTROLSET001\SERVICES\NXZUQIHD                          
        Value Name: Description                            1        
             
    <HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS                          
        Value Name: C:\Windows\SysWOW64\nxzuqihd                            1        
             
    <HKLM>\SYSTEM\CONTROLSET001\SERVICES\EOQLHZYU                             1        
             
    <HKLM>\SYSTEM\CONTROLSET001\SERVICES\EOQLHZYU                          
        Value Name: Type                            1        
             
    <HKLM>\SYSTEM\CONTROLSET001\SERVICES\EOQLHZYU                          
        Value Name: Start                            1        
             
    <HKLM>\SYSTEM\CONTROLSET001\SERVICES\EOQLHZYU                          
        Value Name: ErrorControl                            1        
             
    <HKLM>\SYSTEM\CONTROLSET001\SERVICES\EOQLHZYU                          
        Value Name: DisplayName                            1        
             
    <HKLM>\SYSTEM\CONTROLSET001\SERVICES\EOQLHZYU                          
        Value Name: WOW64                            1        
             
    <HKLM>\SYSTEM\CONTROLSET001\SERVICES\EOQLHZYU                          
        Value Name: ObjectName                            1        
             
    <HKLM>\SYSTEM\CONTROLSET001\SERVICES\EOQLHZYU                          
        Value Name: Description                            1        
             
    <HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS                          
        Value Name: C:\Windows\SysWOW64\eoqlhzyu                            1        
             
    <HKLM>\SYSTEM\CONTROLSET001\SERVICES\TDFAWONJ                             1        
                     
                
            
        Mutexes            Occurrences        
                                 
        Global\07ada3c1-08f4-11ed-b5f8-00501e3ae7b6            1            
                 
        Global\067cf3c1-08f4-11ed-b5f8-00501e3ae7b6            1            
                 
        Global\08e8d341-08f4-11ed-b5f8-00501e3ae7b6            1            
                     
                         
            
        IP Addresses contacted by malware. Does not indicate maliciousness            Occurrences        
                                 
        212[.]77[.]101[.]4            4            
                 
        142[.]250[.]72[.]100            4            
                 
        31[.]41[.]244[.]82            4            
                 
        31[.]41[.]244[.]85            4            
                 
        80[.]66[.]75[.]254            4            
                 
        80[.]66[.]75[.]4            4            
                 
        31[.]41[.]244[.]128            4            
                 
        31[.]41[.]244[.]126/31            4            
                 
        185[.]165[.]123[.]13            4            
                 
        208[.]71[.]35[.]137            3            
                 
        208[.]76[.]51[.]51            3            
                 
        216[.]146[.]35[.]35            3            
                 
        199[.]5[.]157[.]131            3            
                 
        208[.]76[.]50[.]50            3            
                 
        195[.]46[.]39[.]39            3            
                 
        23[.]90[.]4[.]6            3            
                 
        194[.]25[.]134[.]8            3            
                 
        144[.]160[.]235[.]143            3            
                 
        193[.]222[.]135[.]150            3            
                 
        209[.]244[.]0[.]3            3            
                 
        119[.]205[.]212[.]219            3            
                 
        67[.]231[.]152[.]94            3            
                 
        31[.]13[.]65[.]174            3            
                 
        117[.]53[.]116[.]15            3            
                 
        172[.]253[.]115[.]26/31            3            

*See JSON for more IOCs

        Domain Names contacted by malware. Does not indicate maliciousness            Occurrences        
                                 
        249[.]5[.]55[.]69[.]bl[.]spamcop[.]net            4            
                 
        249[.]5[.]55[.]69[.]cbl[.]abuseat[.]org            4            
                 
        249[.]5[.]55[.]69[.]dnsbl[.]sorbs[.]net            4            
                 
        249[.]5[.]55[.]69[.]in-addr[.]arpa            4            
                 
        249[.]5[.]55[.]69[.]sbl-xbl[.]spamhaus[.]org            4            
                 
        249[.]5[.]55[.]69[.]zen[.]spamhaus[.]org            4            
                 
        microsoft-com[.]mail[.]protection[.]outlook[.]com            4            
                 
        microsoft[.]com            4            
                 
        www[.]google[.]com            4            
                 
        whois[.]arin[.]net            4            
                 
        whois[.]iana[.]org            4            
                 
        aspmx[.]l[.]google[.]com            4            
                 
        wp[.]pl            4            
                 
        ameritrade[.]com            4            
                 
        mxa-000cb501[.]gslb[.]pphosted[.]com            4            
                 
        mx[.]wp[.]pl            4            
                 
        svartalfheim[.]top            4            
                 
        www[.]instagram[.]com            3            
                 
        mta5[.]am0[.]yahoodns[.]net            3            
                 
        hanmail[.]net            3            
                 
        freenet[.]de            3            
                 
        korea[.]com            3            
                 
        t-online[.]de            3            
                 
        o2[.]pl            3            
                 
        nate[.]com            3            

*See JSON for more IOCs

        Files and or directories created            Occurrences        
                                 
        %SystemRoot%\SysWOW64\config\systemprofile            4            
                 
        %SystemRoot%\SysWOW64\config\systemprofile:.repos            4            
                 
        %SystemRoot%\SysWOW64\nxzuqihd            1            
                 
        %SystemRoot%\SysWOW64\eoqlhzyu            1            
                 
        %SystemRoot%\SysWOW64\tdfawonj            1            
                 
        %SystemRoot%\SysWOW64\hrtokcbx            1            
                 
        %TEMP%\oacsevkh.exe            1            
                 
        %TEMP%\htrzurov.exe            1            
                 
        %TEMP%\rzwntxyj.exe            1            
                 
        %TEMP%\mcilsztg.exe            1            

File Hashes

             1b64011f2f80b0ded096cbdb81c2bdac9786dc8a4ea7425b15547bdca34e043f              34c17bb102b2ed718471668da1ddc7daf397175979582942bf89d8e272cfa141              59bdcd1599938f1c5c2845d1fef198a0d97b03744432fc6705c9c67f13eedab4              64d6709c3cfbf8765e9434abfe6fc8bad67d87a3e4fe0622e68aa1d15aac8d6b              6857bce2c5f73e1d1bc4b14cb7b281beb33fed8cb580a43f236460c2af0e65e2              6eb7dd7f943a22822b0aaef6301d32b54eb43e432070c41b7d3c6a3d041ec8b3              6f3ef01ce9f2896b54c06fe4cd5e5769dda3a958868557a20469feb21c7e1273              79699aa58081b925c0b75140f0110f3ebf9a47e9bc8ba1699d53d7b14cb49591              7e2975f6cb11bb324bd49ec6fd4b77478e3488bf99fe623851a29f06e9b1fb37              89974e5d8be578da3cc6c0a33398659aabb160cdb03f7158066969f430dab796              9449f5dd9a6728664a3be973ccb91adbf64ffe980ff96de05a0419eb0a77bbd7              b77c2b3942f50e8fef2440481de894d506418f7a7c35fb29d40cfa8ce795ebf4              cbbc899843ca8f5908c27645960a33952fbecbf3d5cefc5054ab1dd023bb8582              d0596ec9d08cdd81f86e07d5ab70b518c6ca23a9ed4f557d041d3307b3ca7020              d518bbcb40208cfd7cbb6965e1647fabd5f65f2f1c1520e1217996957a1ada8d              e6411e18f8a1096f9b5d7528a24f6acdf1f97d120dd0dae4d76703c8eb5e4040              efced050e17235d050db86e0d763a07cfff375771d586736bbd17520725f1ebf              

Coverage

        Product            Protection        
                     
        Secure Endpoint                                                                                                                              
             
        Cloudlock                                                                     N/A                                                          
             
        CWS                                                                                                                              
             
        Email Security                                                                                                                              
             
        Network Security                                                                                                                              
             
        Stealthwatch                                                                     N/A                                                          
             
        Stealthwatch Cloud                                                                     N/A                                                          
             
        Secure Malware Analytics                                                                                                                              
             
        Umbrella                                                                     N/A                                                          
             
        WSA                                                                                                                              

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Packed.Nanocore-9957022-0

Indicators of Compromise

IOCs collected from dynamic analysis of 10 samples

        Registry Keys            Occurrences        
                             
    <HKCU>\SOFTWARE\WINRAR SFX                          
        Value Name: C%%Users%ADMINI~1%AppData%Local%Temp                            9        
             
    <HKCU>\SOFTWARE\WINRAR SFX                             9        
             
    <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN                          
        Value Name: AGP Manager                            4        
             
    <HKCU>\SOFTWARE\7E3975E4EF230D7D9195                             2        
             
    <HKCU>\SOFTWARE\7E3975E4EF230D7D9195                          
        Value Name: 7E3975E4EF230D7D9195                            2        
                     
                
            
        Mutexes            Occurrences        
                                 
        Global\{8c60c66e-3013-47af-8bbe-7df02dd28d12}            4            
                 
        Global\Protect7d723a8e.dll            2            
                 
        \x6f21\x705\x43\x8f323\x746a3\xb096e\x27\x99491\xfa05\xe581\x7c\x22\x199\x3b2f\x1a33\x92ec\x7e\x4b\x55\x5b8c1\xa5894\x10e\x21a1\x4f\xfeaaf\x36a\x466\x78a\x1670\x1e3\x9f\x4a3\xe19a\x3c2\x253bd\x79\x7e\x6ce\x3a\x768\x1ae2\x36\x1bd43\x2ec0a\x58e\x75\x1994\x3bd\x25\x74c\xd0e0e\xfff90\x99de\x66a\x4c\x343\x5a554\x6a\x157\x3a\x39\x231\xb1cb0\x415\xe25f\x799\xd31\x57\x61e\x78678\x62\x1db\xc42cb\x314fd\x7e8\x748\x1bf1\xd40d\x3c9\xff4a\x34\x1ce54\x24\x3a33\xd89ea\x1a44d\xa08a7\x415\x62\x10e\x381\xd5\xbb640\x53c3\xea65\x34c\x74\x3d5e4\x4f\xf1948\x42050\xcb0fc\x46\x41e\x742d\xa328\x256\x3a\xfffd\xccc7\x14b54\x5a\x5c7\xa9ef7\x5ab\x7b\x10b246\x32123\x86f8\x77\x662\x41c3\x6bf9\x4a9\x367\x76\x328\x66e\xdfbe8\x424ec\x4239\x45\x87d0e\x8b461\x63\x6c9\xa8344\x65\xba571\x2d5a5\xc4236\x5d\x438f\xd2\x31\x6bb\x45\xb5d8d\x6d69f\x14ee6            2            
                 
        Global\11971d21-08aa-11ed-b5f8-00501e3ae7b6            1            
                 
        Global\15c3b7a1-08aa-11ed-b5f8-00501e3ae7b6            1            
                 
        Global\1bb73741-08aa-11ed-b5f8-00501e3ae7b6            1            
                     
                         
            
        IP Addresses contacted by malware. Does not indicate maliciousness            Occurrences        
                                 
        74[.]139[.]80[.]187            6            
                 
        145[.]14[.]144[.]94            1            
                 
        145[.]14[.]144[.]171            1            
                 
        145[.]14[.]145[.]198            1            
                     
                          
            
        Domain Names contacted by malware. Does not indicate maliciousness            Occurrences        
                                 
        wirelock[.]000webhostapp[.]com            3            
                     
                          
            
        Files and or directories created            Occurrences        
                                 
        %TEMP%\RarSFX1            10            
                 
        %TEMP%\RarSFX0            10            
                 
        %TEMP%\RarSFX2            5            
                 
        %ProgramFiles(x86)%\AGP Manager            4            
                 
        %ProgramFiles(x86)%\AGP Manager\agpmgr.exe            4            
                 
        %APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5            4            
                 
        %APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\Logs            4            
                 
        %APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\Logs\Administrator            4            
                 
        %APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\run.dat            4            
                 
        %TEMP%\RarSFX3            3            
                 
        %TEMP%\RarSFX1\BouncyCastle.Crypto.dll            3            
                 
        %TEMP%\RarSFX1\Google.Protobuf.dll            3            
                 
        %TEMP%\RarSFX1\JLibrary.dll            3            
                 
        %TEMP%\RarSFX1\MySql.Data.dll            3            
                 
        %TEMP%\RarSFX1\Newtonsoft.Json.dll            3            
                 
        %TEMP%\RarSFX1\Renci.SshNet.dll            3            
                 
        %TEMP%\RarSFX1\Ubiety.Dns.Core.dll            3            
                 
        %TEMP%\RarSFX0\Release.exe            3            
                 
        %TEMP%\RarSFX1\VACBypass.exe            3            
                 
        %TEMP%\RarSFX0\VACBypass.sfx.exe            3            
                 
        %TEMP%\RarSFX1\ProcessInjector.dll            2            
                 
        %TEMP%\RarSFX1\Venge.exe            2            
                 
        %TEMP%\Protect7d723a8e.dll            2            
                 
        %APPDATA%\MSConfig.exe            2            
                 
        %System32%\Tasks\'MSConfig'            2            

*See JSON for more IOCs

File Hashes

             057168fa7b59c38e34fddae10931b74390d7b16488c6ad927bdd1f463041667c              18f9814993009f5ef87b0e0703644273e51658f5882344b562501c0039931a4d              2425730fc69eb3d59994dfbec8080540a2df37d62d76668aa7f6253631ec697c              66598101b17560cb540cf640137d5dac28c5845f00aceca4262a56461219ccdc              afdd30c190cf43d78f3cdee38bdc2786dfbbaf2d3c2be8f6d9a7c539f097f4fc              c08c4a75c4a5e26e98643b054d0dd19b7c2b729531402d97ac75a17aeef7d17d              c1c5d36e2794e08c6b400476b1a51f4c1c9b27ffee593dac838730ba27cc363b              d675794864f828743967e774b888663ee3dbff471c159fbadb3a699c7085e658              df9cb829ee95a1722dd61bfcb10145e1b11881fe1a86b296936a8aaa3011fcff              e6f42069d0c8ef236da20b41e61c25cc593ac7265057c996b35b67d73b7154e8              

Coverage

        Product            Protection        
                     
        Secure Endpoint                                                                                                                              
             
        Cloudlock                                                                     N/A                                                          
             
        CWS                                                                                                                              
             
        Email Security                                                                                                                              
             
        Network Security                                                                                                                              
             
        Stealthwatch                                                                     N/A                                                          
             
        Stealthwatch Cloud                                                                     N/A                                                          
             
        Secure Malware Analytics                                                                                                                              
             
        Umbrella                                                                     N/A                                                          
             
        WSA                                                                     N/A                                                          

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Dropper.LokiBot-9957019-0

Indicators of Compromise

IOCs collected from dynamic analysis of 16 samples

        Mutexes            Occurrences        
                                 
        3749282D282E1E80C56CAE5A            7            
                 
        uoXVcKrtOqoPVAWBhQA            1            
                     
                         
            
        IP Addresses contacted by malware. Does not indicate maliciousness            Occurrences        
                                 
        198[.]187[.]30[.]47            4            
                 
        193[.]122[.]130[.]0            2            
                 
        132[.]226[.]247[.]73            2            
                 
        158[.]101[.]44[.]242            2            
                 
        37[.]0[.]11[.]227            1            
                 
        45[.]133[.]1[.]20            1            
                 
        47[.]88[.]22[.]122            1            
                     
                          
            
        Domain Names contacted by malware. Does not indicate maliciousness            Occurrences        
                                 
        checkip[.]dyndns[.]org            6            
                 
        sempersim[.]su            1            
                     
                          
            
        Files and or directories created            Occurrences        
                                 
        %APPDATA%\D282E1            7            
                 
        %APPDATA%\D282E1\1E80C5.lck            7            
                 
        %APPDATA%\Microsoft\Crypto\RSA\S-1-5-21-2580483871-590521980-3826313501-500\a18ca4003deb042bbee7a40f15e1970b_d19ab989-a35f-4710-83df-7b2db7efe7c5            7            
                 
        %System32%\Tasks\Updates            1            
                 
        %TEMP%\tmp4B83.tmp            1            
                 
        %APPDATA%\VQJJRC.exe            1            
                 
        %System32%\Tasks\Updates\VQJJRC            1            

File Hashes

             22265bacbef33a949cd224cf527e8338b03f8d8a5e04acbbd3632e28af7e785a              2c93ec8bdcb28ec4793fb55a4ce8159287745c11d5cf36ca085c74c3925ff2e2              3e93bbc3ac47bb2cd468a1e58e9369a54215dfaaece767e99e40057ed7dd4c50              669363383d4189a6716b953aaf4663655dc22e960e002f100c3ef5012275db79              67fb6d554fb4128454a0fbaa1dd0becda062d72be7dfbb37a4b5dc1b7b5629ce              6bacc8bd474bde817e968bcedfe508492a100eb73749894ba4b61b2f6d0dec0d              6da89945dd9f904c718c4ae1de7aae9d311ac71317865718aca051854ff4913d              87878b131d80c5ad134ee68932fe4defbf5067a0a871f0cadba3e163f5e3cefd              99606bfc40c8743b6bc1a3059cf491b9105d1bbc5d3bd3de647781bce6d9636a              998474158374c53d0b802f00e92e9ef00d398321b90dab0464d50df65225a5e5              bf4a9315215e16a2239e01125082218867ffc5900e44de517d4c2b786ff1fa8a              c29b9d1075e86788bab4a9e75334f36de07c1feb22500759db93d9379c875171              c86ba22021597e8876b4432a5ffb954f495e7f2a0a926af5f630e1f3e3e8acf5              d94a1e9281426e715a46338e94e6b16c614a9ff271da27b3a52c3ddc2985d914              df0fdfa13f4682ea0ca69bd3aeac4894184cd8aa1be913ca5954bb4394af1b2e              df77c795653ea7686d5525118bc05d748a3393793a99960946dfa3bc5e188e02              

Coverage

        Product            Protection        
                     
        Secure Endpoint                                                                                                                              
             
        Cloudlock                                                                     N/A                                                          
             
        CWS                                                                                                                              
             
        Email Security                                                                                                                              
             
        Network Security                                                                                                                              
             
        Stealthwatch                                                                     N/A                                                          
             
        Stealthwatch Cloud                                                                     N/A                                                          
             
        Secure Malware Analytics                                                                                                                              
             
        Umbrella                                                                                                                              
             
        WSA                                                                                                                              

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

TALOS
#sql#vulnerability#web#mac#windows#google#microsoft#js#botnet#ssh

Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between July 15 and July 22. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. A visual depiction of the MITRE ATT&CK techniques associated with each threat is also shown. In these images, the brightness of the technique indicates how prevalent it is across all threat files where dynamic analysis was conducted. There are five distinct shades that are used, with the darkest indicating that no files exhibited technique behavior and the brightest indicating that technique behavior was observed from 75 percent or more of the files.

The most prevalent threats highlighted in this roundup are:

Threat Name

Type

Description

Win.Virus.Ramnit-9957454-0

Virus

Ramnit is a banking trojan that monitors web browser activity on an infected machine and collects login information from financial websites. It could also steal browser cookies and hides from popular antivirus software.

Win.Malware.Kovter-9957371-0

Malware

Kovter is known for it’s fileless persistence mechanism. This family of malware creates several malicious registry entries which store its malicious code. Kovter is capable of reinfecting a system even if the file system has been cleaned of the infection. Kovter has been used in the past to spread ransomware and click-fraud malware.

Win.Ransomware.TeslaCrypt-9957356-0

Ransomware

TeslaCrypt is a well-known ransomware family that encrypts a user’s files with strong encryption and demands Bitcoin in exchange for a file decryption service. A flaw in the encryption algorithm was discovered that allowed files to be decrypted without paying the extortion request, and eventually, the malware developers released the master key allowing all encrypted files to be recovered easily.

Win.Dropper.Shiz-9957241-0

Dropper

Shiz is a remote access trojan that allows an attacker to access an infected machine to harvest sensitive information. It is commonly spread via droppers or by victims visiting a malicious site.

Win.Dropper.Zeus-9957126-0

Dropper

Zeus is a trojan that steals information such as banking credentials using methods such as key-logging and form-grabbing.

Win.Dropper.Tofsee-9957067-0

Dropper

Tofsee is multi-purpose malware that features a number of modules used to carry out various activities such as sending spam messages, conducting click fraud, mining cryptocurrency and more. Infected systems become part of the botnet and send large volumes of spam messages to infect additional systems and increase the size of the botnet under the operator’s control.

Win.Packed.Nanocore-9957022-0

Packed

Nanocore is a .NET remote access trojan. Its source code has been leaked several times, making it widely available. Like other RATs, it allows full control of the system, including recording video and audio, stealing passwords, downloading files and recording keystrokes.

Win.Dropper.LokiBot-9957019-0

Dropper

Lokibot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature and can steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered via spam emails.

Threat Breakdown****Win.Virus.Ramnit-9957454-0****Indicators of Compromise

  • IOCs collected from dynamic analysis of 16 samples

Registry Keys

Occurrences

<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER

        Value Name: AntiVirusOverride

16

<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER

        Value Name: AntiVirusDisableNotify

16

<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER

        Value Name: FirewallDisableNotify

16

<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER

        Value Name: FirewallOverride

16

<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER

        Value Name: UpdatesDisableNotify

16

<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER

        Value Name: UacDisableNotify

16

<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM

        Value Name: EnableLUA

16

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE

        Value Name: EnableFirewall

16

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE

        Value Name: DoNotAllowExceptions

16

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE

        Value Name: DisableNotifications

16

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC

        Value Name: Start

16

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDEFEND

        Value Name: Start

16

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MPSSVC

        Value Name: Start

16

<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION

        Value Name: jfghdug_ooetvtgk

16

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN

        Value Name: JudCsgdy

16

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WUAUSERV

        Value Name: Start

16

<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN

        Value Name: Windows Defender

16

<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON

        Value Name: Userinit

16

<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON

        Value Name: Userinit

16

Mutexes

Occurrences

{7930D12C-1D38-EB63-89CF-4C8161B79ED4}

16

{79345B6A-421F-2958-EA08-07396ADB9E27}

16

{7930D12D-1D38-EB63-89CF-4C8161B79ED4}

16

{7930CC18-1D38-EB63-89CF-4C8161B79ED4}

16

{7930DB19-1D38-EB63-89CF-4C8161B79ED4}

16

{<random GUID>}

16

IP Addresses contacted by malware. Does not indicate maliciousness

Occurrences

195[.]201[.]179[.]207

16

142[.]251[.]40[.]142

16

46[.]165[.]220[.]145

15

72[.]26[.]218[.]70

15

208[.]100[.]26[.]245

14

35[.]205[.]61[.]67

14

Domain Names contacted by malware. Does not indicate maliciousness

Occurrences

google[.]com

16

bungetragecomedy9238[.]com

16

kbivgyaakcntdet[.]com

16

oawvuycoy[.]com

16

fmsqakcxgr[.]com

15

jlaabpmergjoflssyg[.]com

15

kbodfwsbgfmoneuoj[.]com

15

oeuwldhkrnvxg[.]com

15

wstujheiancyv[.]com

15

yrkbpnnlxrxrbpett[.]com

15

ausprcogpngdpkaf[.]com

14

citnngljfbhbqtlqlrn[.]com

14

dvwtcefqgfnixlrdb[.]com

14

qislvfqqp[.]com

14

ypwosgnjytynbqin[.]com

14

wdgqvaya[.]com

14

gfaronvw[.]com

14

Files and or directories created

Occurrences

%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\judcsgdy.exe

16

%LOCALAPPDATA%\bolpidti

16

%LOCALAPPDATA%\bolpidti\judcsgdy.exe

16

%TEMP%\squhapjc.exe

16

%TEMP%\aacwxnxw.exe

16

%ProgramData%\qvqdlyny.log

16

%LOCALAPPDATA%\yjghhxdl.log

16

%LOCALAPPDATA%\aanqrsjf.log

16

\TEMP\naEnI23

6

\TEMP\YsbJf23

3

\TEMP\tbii193

3

\TEMP\sXw0IB2

1

\TEMP\DrPmx23

1

%LOCALAPPDATA%\bolpidti\pxAA0.tmp

1

\TEMP\48at1iwB

1

\TEMP\bvr7hgqN

1

File Hashes

    040aba270ceca1eb00733e6733d2aa1da65f7a2c1f7aeff8f17c5d1070752535

    0f95459d96bc1dd999753862126023c5a868d6b4350b6e72b6ca7aa683c3ade1

    126aeea38387066d0cb15d2bf6476e7324abf67168defbc9e18352e68ef1174d

    1d2f933a0c2c448e55f4106dae274696717ace70131035a4df42b6c5a373bb3e

    283d8a891f3e3f478a74a3e5eacb12e4bcc803be1219c9c38cfdfb5890e2279e

    2fbbaed010dc46bb6dac16bab57ee04e96965bea8142d37f7b3cb88a1e476e4f

    587d34dd12dde3d009c85ba20416f1b354a4ae643777d28bb52ad8f9168cd4b0

    5d490643405c093eab1f1a5b864943b0507400f0f3141de7f089c6ccc12fd316

    7cacb6c76f80a1f500eacb7e9145fb7da0726343b54c547a4dc560d2f37fb18f

    8f8d34773a5bfa95aea47bac3fb05fb11786312b6ef2a9223012b0bd88e167f9

    99dafa7b30b55ca6c088739a27f3704862ba99fe051884478c5337ab5d507679

    b297360c21d003261c25e314a2f16905086202ddc203765adc263ca5b6436ae0

    b5f278f958e930c42e168e091ca7ff369aeab730d6626e6661bd51224ed93506

    ba7ca9f0aa3d6ce0c63a81411e97deda8d952d06e9307f0058e0b3d08de72b87

    c176340ea7e16d209b904405281425983679182aa7765e7a67646c87aa81c661

    f7a787118f46b489f2a45ca7228322bebba7eb10aa00183cbde74773aa3753da

Coverage

Product

Protection

Secure Endpoint

Cloudlock

N/A

CWS

Email Security

Network Security

Stealthwatch

N/A

Stealthwatch Cloud

N/A

Secure Malware Analytics

Umbrella

WSA

Screenshots of Detection****Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Malware.Kovter-9957371-0****Indicators of Compromise

  • IOCs collected from dynamic analysis of 25 samples

Registry Keys

Occurrences

<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\WINDOWSUPDATE

        Value Name: DisableOSUpgrade

25

<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\WINDOWSUPDATE\OSUPGRADE

        Value Name: ReservationsAllowed

25

<HKLM>\SOFTWARE\WOW6432NODE\XVYG

        Value Name: xedvpa

25

<HKCU>\SOFTWARE\XVYG

        Value Name: xedvpa

25

<HKCR>.8CA9D79

25

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN

        Value Name: vrxzdhbyv

25

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN

        Value Name: ssishoff

25

<HKLM>\SOFTWARE\WOW6432NODE\XVYG

        Value Name: tbqjcmuct

25

<HKCU>\SOFTWARE\XVYG

        Value Name: tbqjcmuct

25

<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\WINDOWSUPDATE

25

<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\WINDOWSUPDATE\OSUPGRADE

25

<HKCU>\SOFTWARE\XVYG

25

<HKLM>\SOFTWARE\WOW6432NODE\XVYG

25

<HKCR>\C3B616

25

<HKCR>\C3B616\SHELL

25

<HKCR>\C3B616\SHELL\OPEN

25

<HKCR>\C3B616\SHELL\OPEN\COMMAND

25

<HKCR>.8CA9D79

25

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.103

        Value Name: CheckSetting

25

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.100

        Value Name: CheckSetting

25

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.102

        Value Name: CheckSetting

25

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.104

        Value Name: CheckSetting

25

<HKLM>\SOFTWARE\WOW6432NODE\XVYG

        Value Name: svdjlvs

25

<HKCU>\SOFTWARE\XVYG

        Value Name: svdjlvs

25

<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN

        Value Name: fcbburq

25

Mutexes

Occurrences

EA4EC370D1E573DA

25

A83BAA13F950654C

25

Global\7A7146875A8CDE1E

25

B3E8F6F86CDD9D8B

25

IP Addresses contacted by malware. Does not indicate maliciousness

Occurrences

95[.]124[.]204[.]21

1

4[.]241[.]178[.]108

1

13[.]128[.]69[.]186

1

109[.]227[.]104[.]183

1

221[.]105[.]207[.]89

1

137[.]201[.]198[.]88

1

39[.]19[.]244[.]52

1

155[.]145[.]195[.]61

1

33[.]32[.]249[.]162

1

83[.]31[.]52[.]148

1

129[.]233[.]227[.]218

1

62[.]40[.]76[.]178

1

69[.]247[.]75[.]163

1

119[.]31[.]244[.]99

1

18[.]90[.]144[.]73

1

199[.]77[.]183[.]213

1

130[.]86[.]117[.]171

1

68[.]21[.]73[.]93

1

39[.]232[.]85[.]81

1

66[.]33[.]222[.]234

1

222[.]207[.]122[.]202

1

110[.]56[.]135[.]234

1

6[.]22[.]73[.]16

1

50[.]159[.]160[.]25

1

217[.]52[.]47[.]12

1

*See JSON for more IOCs

Domain Names contacted by malware. Does not indicate maliciousness

Occurrences

apps[.]identrust[.]com

1

reflex-demo-use-4[.]hannover-re[.]cloud

1

flyttstadning-stockholm[.]nu

1

Files and or directories created

Occurrences

%LOCALAPPDATA%\4dd3cc

25

%LOCALAPPDATA%\4dd3cc\519d0f.bat

25

%LOCALAPPDATA%\4dd3cc\8e9866.8ca9d79

25

%LOCALAPPDATA%\4dd3cc\d95adb.lnk

25

%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\91b4e5.lnk

25

%APPDATA%\b08d66

25

%APPDATA%\b08d66\0b3c0b.8ca9d79

25

%TEMP%\VB<random, matching [A-F0-9]{3,4}>.tmp

25

File Hashes

    00ebcb2374583159529a8dcb4d27e851246914eacfd1a3cf12d2cbd73f064294

    093389823f1de777d5601b06cd106ff4380e408c1c8b39ac11cbfd93353d6314

    0d93c80c3af7d2121af1d853585efd98693a06d376fd13464b3f52ca159c4cf1

    0d947efab08d1bfc21b5abd2734ddfdbeeb9cb1d29346670a0128f7a531c6547

    0dcc6cf63dc618f450127306942d91f8404e6a2cdb8326412f93ad36a892e9bb

    134fea9f96af3845790cd2f8ba6f0a93b208469ae1a592da0135234387ef9410

    194acafcf8cb53f889a9d77c8fb2cf511b3c27a989f4ce5e91e55153583fe318

    1ee9b6d5909664f7d6d247088033be88d56aa674af63ae751ea625d9768b144b

    26ce967cffd3a8650b2475553ecf09333dd04068f840c0d9f5077909766648e7

    304c9568e3381dc75ec2f853c19d1de4f47fb40cf55f12d48612631728cb9740

    3368e5d1bf347cd4cd6df01e4f60491d747adf1545a4e9006f062adc08eb95a3

    35a3111fa824abf5130d52c377999d15450a7018a93ca406d88ccfe3e0913712

    4084b83687be14dd8c8a98026c810fb0961abf771c8827b4779872b276055249

    43ed7041f9096db31d7dad4f9cff7d6cd00c1ccdce383421638f8847b6bc568e

    450f32871f007b32bdd06b40d1804b6e67c5625121eb0b2adbd276c8f48c1434

    4625ab6090ec735194bac9aa2ce1cfc7fe9ad3db30cd2a220f4e1d1368878fdf

    46c753dd41ac83e7f2a8b1dda5c2d46eddbd1f42a2197843ed6f7dff817f5a8b

    477d345de8b818c1d855ab9d64578c1b39915624926108e97b9a9e65b2696bbd

    488f1209f28a4be1f9c4fb2798de2bbcef4e1c8949467eee0cc8546abbd663d0

    491d36c6a9d19e3e37871e83ac2fa710020093a7105617c9e371b5f1a6099b38

    4a11d5d14df0fbb67f813a7425b4a9be69c5a33b0cc930c3f3886374b57eee43

    4aabb5ca1a96a55395e53d8dd17e27552319b14264efca554c1fc78bec39a589

    4bc7ba250aa345e8c96f8df64e846aeca90f8add2db2f269bdf452843c574398

    4f4e505d0f4b1dca299ac0cbd8749adb91994e144e314f11e7677a4dc91a2f30

    503d20ae3e5d78acf6a367f1f1c2fc177683e8136a5571e5320c3834070c3e97

*See JSON for more IOCs

Coverage

Product

Protection

Secure Endpoint

Cloudlock

N/A

CWS

Email Security

Network Security

Stealthwatch

N/A

Stealthwatch Cloud

N/A

Secure Malware Analytics

Umbrella

N/A

WSA

N/A

Screenshots of Detection****Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Ransomware.TeslaCrypt-9957356-0****Indicators of Compromise

  • IOCs collected from dynamic analysis of 25 samples

Registry Keys

Occurrences

<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM

        Value Name: EnableLinkedConnections

25

<HKCU>\SOFTWARE\XXXSYS

25

<HKCU>\SOFTWARE\XXXSYS

        Value Name: ID

25

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS{C8E6F269-B90A-4053-A3BE-499AFCEC98C4}.CHECK.0

        Value Name: CheckSetting

25

<HKCU>\Software<random, matching '[A-Z0-9]{14,16}’>

24

<HKCU>\Software<random, matching '[A-Z0-9]{14,16}’>

        Value Name: data

24

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN

        Value Name: hdtjbroygvvb

1

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN

        Value Name: owvhajogulen

1

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN

        Value Name: pyfepfifrjwi

1

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN

        Value Name: xbmnkkfnowvh

1

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN

        Value Name: gulenopvybnq

1

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN

        Value Name: tbqdqvojagik

1

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN

        Value Name: hajogulenopv

1

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN

        Value Name: mgtbqdqvcoqj

1

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN

        Value Name: ulenopvybnqj

1

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN

        Value Name: lpyfepfifrjw

1

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN

        Value Name: epfifrjwiqou

1

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN

        Value Name: ifrjwiqouteu

1

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN

        Value Name: teumgtbqdqvo

1

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN

        Value Name: nrxbmnkkfnow

1

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN

        Value Name: whmtlmoxvcsc

1

<HKCU>\SOFTWARE\159643D83772F

1

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN

        Value Name: bmnkkfnowvha

1

<HKCU>\SOFTWARE\159643D83772F

        Value Name: data

1

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN

        Value Name: vcscusnnmyjx

1

Mutexes

Occurrences

ityeofm9234-23423

25

IP Addresses contacted by malware. Does not indicate maliciousness

Occurrences

107[.]6[.]161[.]162

25

Domain Names contacted by malware. Does not indicate maliciousness

Occurrences

jessforkicks[.]com

25

heizhuangym[.]com

25

infotlogomas[.]malangkota[.]go[.]id

25

csucanuevo[.]csuca[.]org

25

snibi[.]se

25

danecobain[.]com

25

www[.]danecobain[.]com

25

Files and or directories created

Occurrences

%ProgramFiles%\7-Zip\Lang\ka.txt

25

%ProgramFiles%\7-Zip\Lang\kaa.txt

25

%ProgramFiles%\7-Zip\Lang\kab.txt

25

%ProgramFiles%\7-Zip\Lang\kk.txt

25

%ProgramFiles%\7-Zip\Lang\ko.txt

25

%ProgramFiles%\7-Zip\Lang\ku-ckb.txt

25

%ProgramFiles%\7-Zip\Lang\ku.txt

25

%ProgramFiles%\7-Zip\Lang\ky.txt

25

%ProgramFiles%\7-Zip\Lang\lij.txt

25

%ProgramFiles%\7-Zip\Lang\lt.txt

25

%ProgramFiles%\7-Zip\Lang\lv.txt

25

%ProgramFiles%\7-Zip\Lang\mk.txt

25

%ProgramFiles%\7-Zip\Lang\mn.txt

25

%ProgramFiles%\7-Zip\Lang\mng.txt

25

%ProgramFiles%\7-Zip\Lang\mng2.txt

25

%ProgramFiles%\7-Zip\Lang\mr.txt

25

%ProgramFiles%\7-Zip\Lang\ms.txt

25

%ProgramFiles%\7-Zip\Lang\nb.txt

25

%ProgramFiles%\7-Zip\Lang\ne.txt

25

%ProgramFiles%\7-Zip\Lang\nl.txt

25

%ProgramFiles%\7-Zip\Lang\nn.txt

25

%ProgramFiles%\7-Zip\Lang\pa-in.txt

25

%ProgramFiles%\7-Zip\Lang\pl.txt

25

%ProgramFiles%\7-Zip\Lang\ps.txt

25

%ProgramFiles%\7-Zip\Lang\pt-br.txt

25

*See JSON for more IOCs

File Hashes

    11bf02df58d00bf7dfc22e46b27db8a2cfcb9c8d03ad38b2e3baafa193bbbd89

    1a4a1e76c6d2dc585ce77c9be7163163c0d614d5668a0c83601bb3d6f91376a0

    1c2ddbf956ee1e2b40472b70603371ed21817fbf95d5825b2f75bbf6f9728089

    1d4114c8ee19f343f3dcf80a542295af29df63d9745ad77cce43562c909551c5

    2f1f927c219ccfcffeb997c9433733a04200ae35a2fc0c48fc07cb49062cddc7

    3ef3021ce3ffdffcfba2bd590c4186c3a3ecdd3b6ce40d51d2500897fb55ffb0

    41ab6446df889a5a24e4e859146c0225d13a2ba8553c83cb93e45017212884b2

    4bae8a4e0124724e695c10202a94eec99cf5990507fbc94ec3f08e11de3ce2c2

    4dc12416bf7c3be9d573c8fa07847050307bd05cb67480e3c3874696614b73e9

    4fa8c1eaa4846a8a06fb2480a746d5526f743cee314f7101db0508577bdd3776

    5207a70e0e818741279d7c25c0d9cb6be136a4fc8ca8fe6f48112c4d0572d64f

    5aaad74cb36db78ad6da4d499a75c41d2ace8b97ff8f88c5bc7f738ad353d3d7

    67e2caf00dd0293080cb5b45d2db11d4f567ce9a3d6fd5c9723358d18da80e71

    6a9e6e5c50b3b90376530ee4e9e81cdf5cdc9b7c07cdb71207b3a1799f77ec7a

    6ab8f9569a70beb0f96bf4e030381e70bcce7703b308a05542f4ccf1b6002af9

    71f0f23220cb0f5d8b31fce30f08bc1687acd675b7c3a8ae7e0538bacb0d3eec

    a3a6b4f405f2175af97128c64d9ad68700e05e22d66c43dad966add8436af79f

    a760b60722cfa7c719e79b5c97cfe789720c6300a200421c846e13287cdb160a

    d8be6b950a872b1b7c752cc83a5440b4cfe62870097df78794f10986fb7fcb63

    dd6483183967845c18a3d5cc6154233aa8f3a48acb4e9cccd3606afe7d4d7eef

    de5dc2aed0e06894e0bb1292fb68343fadc46b489e6c85e6cca56cf5bad70c09

    e1a00e6beb02475b4bdd8d821ccac3e67bbafd182332cbf35a45c6766ad83b87

    e8c460f171e964db6fff16eb38684b9ec82134c4fd1a1cdc64ba338941ef1199

    f69edf352cdca309c7faa71f87a429daf2b46e4ae6ed85a25ff03aa34b4702c4

    fbcec257455e5546a294ec1534f7e11f05d144c73ef583a0e891e14759e133eb

Coverage

Product

Protection

Secure Endpoint

Cloudlock

N/A

CWS

Email Security

Network Security

N/A

Stealthwatch

N/A

Stealthwatch Cloud

N/A

Secure Malware Analytics

Umbrella

WSA

Screenshots of Detection****Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Dropper.Shiz-9957241-0****Indicators of Compromise

  • IOCs collected from dynamic analysis of 25 samples

Registry Keys

Occurrences

<HKLM>\SOFTWARE\MICROSOFT

        Value Name: 67497551a

23

<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON

        Value Name: 98b68e3c

23

<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON

        Value Name: userinit

23

<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON

        Value Name: System

23

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS

        Value Name: load

23

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS

        Value Name: run

23

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN

        Value Name: userinit

23

Mutexes

Occurrences

Global\674972E3a

23

Global\MicrosoftSysenterGate7

23

internal_wutex_0x000000e0

23

internal_wutex_0x0000038c

23

internal_wutex_0x<random, matching [0-9a-f]{8}>

23

internal_wutex_0x00000448

22

IP Addresses contacted by malware. Does not indicate maliciousness

Occurrences

13[.]107[.]21[.]200

11

45[.]33[.]23[.]183

7

45[.]79[.]19[.]196

6

198[.]58[.]118[.]167

5

45[.]33[.]30[.]197

5

72[.]14[.]185[.]43

4

45[.]56[.]79[.]23

3

45[.]33[.]20[.]235

3

72[.]14[.]178[.]174

3

96[.]126[.]123[.]244

2

45[.]33[.]2[.]79

2

45[.]33[.]18[.]44

2

85[.]94[.]194[.]169

1

173[.]255[.]194[.]134

1

Domain Names contacted by malware. Does not indicate maliciousness

Occurrences

fotaqizymig[.]eu

23

cidufitojex[.]eu

23

xukuxaxidub[.]eu

23

digofasexal[.]eu

23

gatuvesisak[.]eu

23

lyvywyduroq[.]eu

23

qetekugexom[.]eu

23

puvacigakog[.]eu

23

xuboninogyt[.]eu

23

cicezomaxyz[.]eu

23

dixyjohevon[.]eu

23

fokisohurif[.]eu

23

volugomymet[.]eu

23

maganomojer[.]eu

23

jefecajazif[.]eu

23

qedylaqecel[.]eu

23

nojotomipel[.]eu

23

rytifaquwer[.]eu

23

kepujajynib[.]eu

23

tuwaraqidek[.]eu

23

xuqeqejohiv[.]eu

23

pumebeqalew[.]eu

23

cinycekecid[.]eu

23

divulewybek[.]eu

23

nozulufynax[.]eu

23

*See JSON for more IOCs

Files and or directories created

Occurrences

%TEMP%<random, matching [A-F0-9]{1,4}>.tmp

23

File Hashes

    00180daca1b8b50f272a020eee54d9fa90094881d1d5ac3cfd9b8ef75cf1e6f4

    0782fb4469241b17dacdb3040403425c5dfa726afe7608695d798c40ba0468df

    096567f0324ce9d8dafbd8b2fa07baa4c024e734cee78966a2e1bda01cc6aab1

    0b575be1b7f34effd28837fcbd89afb217202ce9dc99c23bd59d858343a2cebe

    0b579d7b50d2036a46977367a6673faf3e7c1861f30138f19cfc64e2240f7ef4

    0e4553fcdf4b905c069986826b4190fae4c301a72a31d84f70ebc82a3a4e08d2

    10845e4f34b629a880154930d82e6533e4f2988ff7f8d190da77258b04c53a33

    1422cdfe1c27c71dc5cac99bc1b94da21730d123c84808fb275a0a9ad4608ea6

    1613108f8d6a07cf52c9342e2bc34ef95c142ccd0945e8863876499f373ee276

    1a1075298b76367a0f09e1d32a33f3795d7fcedfbf562f8e97a73fd84b044d44

    1a776926ba733dd76ac52335f28bca9f834eb424b9c3344e18c53be7bc488e16

    1b2b7d611569a0ed98e7c8592b1ab68f89e5f9b9bb46004f40ab8e238da58c68

    1b658f725eccb4d5b15339017f834e54e03280757ef214f98ebf7c02584b1259

    1cafff0eb6f9b746d49ce3e6b29dc0581145df229089c43f234693a7f3c01911

    1d6a5170f8caf1bac36b69953b6df43da07b1b5fbd2c6c135146edfb975d6c0d

    1e12db0b8596f9b40eb120f663796ea2067a5af27fdc9c892d4ffdb042a88df7

    1f16c27403f51502cd5cb7b15eac5e53c23b8f8d25f647ebc216cf5f2e57940a

    206ffd6d82b9934e50b1de5555e5a544353f4dd8c59c7fe4c8c501024fc12438

    25c3635d6874809bb1163763187c72f827756d773cca5aaf93d288015275ba50

    27f644aed21754919d8236e2ec0c07ac85a65694a4c2eab289cef54905460545

    2a01ca9a1bedc3d53bf5514fb3e3c62275aba7d4536c806a227f83b3265458d0

    2a7755e96cff2e3186fde0936b3cf86648f242a5d9c0c3ba8903852905a5bfbf

    2bb61e2487b38915a8a0a5b46ea26ea16b931a09a0acd9fe93fe58f63608caa5

    2be38d866007d818551826d7b4eb1187f0a2e881634caa08d281ad11fed50b8f

    2c77f57754219ee31db301679821ce62e0f2ba5326c04cc0685c53b7135c5a24

*See JSON for more IOCs

Coverage

Product

Protection

Secure Endpoint

Cloudlock

N/A

CWS

Email Security

Network Security

Stealthwatch

N/A

Stealthwatch Cloud

N/A

Secure Malware Analytics

Umbrella

WSA

Screenshots of Detection****Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Dropper.Zeus-9957126-0****Indicators of Compromise

  • IOCs collected from dynamic analysis of 25 samples

Registry Keys

Occurrences

<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\PRIVACY

        Value Name: CleanCookies

1

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.102

        Value Name: CheckSetting

1

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.104

        Value Name: CheckSetting

1

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.101

        Value Name: CheckSetting

1

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.103

        Value Name: CheckSetting

1

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.100

        Value Name: CheckSetting

1

<HKCU>\SOFTWARE\MICROSOFT\XODYUZ

1

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN

        Value Name: Savyomzauc

1

<HKCU>\SOFTWARE\MICROSOFT\XODYUZ

        Value Name: Seroymo

1

Mutexes

Occurrences

GLOBAL{<random GUID>}

1

Local{<random GUID>}

1

IP Addresses contacted by malware. Does not indicate maliciousness

Occurrences

199[.]2[.]137[.]201

1

Domain Names contacted by malware. Does not indicate maliciousness

Occurrences

wearesofamousthatwestayontop[.]com

1

sunobowttteek2[.]biz

1

Files and or directories created

Occurrences

%TEMP%\tmp8f23b8f6.bat

1

%APPDATA%\Axfo

1

%APPDATA%\Axfo\ycner.elz

1

%APPDATA%\Ebyhvo

1

%APPDATA%\Ebyhvo\feyn.exe

1

%APPDATA%\Iqxa

1

%APPDATA%\Iqxa\oviku.ibc

1

File Hashes

    01e483b094b3112e7cec3c76f73158d4b1897dedabef0bc03cdfe2e8fcfa7e9e

    0439391736bebd073343fa84a894df1729747504cd228bea68b0657c4912bfcf

    04b75511bf54e30bb62c43021b92070444fcaae9a6f461339efb112eb1ee9154

    1308d38b43ffa2dca4d4a86d80cc69e14608c4f0f8e91c422ecbaf4886d088b2

    182cc0c11d4cd6193428bd463b14df9b00bb2f69c351790142d660ed7d0f446b

    1849049071f08094dc3b8fd471a77df1d4a06583e1a118bcdcf9668990ae4bf0

    1fe334f9fb9b43a9a4ab48df2cf6612037bb12dd4b614379766567cfa70a788e

    2580d43c6b5a0ce5556bce9857ebb208be8f3bc82705b1cd9df990cca3bea01d

    2b14c895108d261f1dfa2ee718cda6c9aadf85540469c870d5c5ad8b10357a30

    4248058bec9172b47b4b55e51a06f9bf57d9e848f35f0c0b42695ce9d66c0fab

    43d0cbec39e4b9b041353774272484ed5074ec6dfd4a6fbd090a8a4ba3408b8b

    517770a8a2092e068ad8d3eafb35039542500297426aab7be084eb7688639093

    5ee6e167282e0c6917d36029e08cddf2d4d05121c48b4700782534427c72ce0b

    623bcd68d0f7827540471935161c4d5094c3a88965f186a1492822ffb3ff1f18

    6bbe78119dac51783873c433e28a5d24851b6fe7da23c822ec2ace75fd9c4153

    702808b62a234ddbdb1d48c904ea6028d63f2d69782cc1e5ee5fe7c18e732376

    79cbbb34180a74893002d4532e8310bc44a0718a3b990e866e1f4ad3ba82765a

    807dea0f6d360b8de2df42defa29edf406b3596e78afca618ea984b2b9396272

    8245c00bc1c311baba9ca23653af3432e2d8a084309c32dbc04da5adbf17bea8

    8703fccdeecb0ce3afa979c06385e7e9d4361272aa2999c5f1eeba9ee9d6c174

    99acfdfb1b763979e7507c245cc25849c09fa5bfcbf830b3f6d7638663e8f772

    9b0f72b4ba66d99726123b379fed030b9257281b9f493e15b21e5dbc0b1b392e

    a546480f68c4789f6630260b515e30ba27d53cdb256d186018c29ab89c279f8b

    a70d2c24cc882a37161aed809bb1311edfe9fabfecb3496872884de46bcd30f2

    a7dfcc11b3d17fa4f66cfc5bd08872f286705056bf283fca4e3bb3b4310ef407

*See JSON for more IOCs

Coverage

Product

Protection

Secure Endpoint

Cloudlock

N/A

CWS

Email Security

Network Security

Stealthwatch

N/A

Stealthwatch Cloud

N/A

Secure Malware Analytics

Umbrella

N/A

WSA

N/A

Screenshots of Detection****Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Dropper.Tofsee-9957067-0****Indicators of Compromise

  • IOCs collected from dynamic analysis of 17 samples

Registry Keys

Occurrences

<HKU>.DEFAULT\CONTROL PANEL\BUSES

        Value Name: Config4

4

<HKU>.DEFAULT\CONTROL PANEL\BUSES

4

<HKU>.DEFAULT\CONTROL PANEL\BUSES

        Value Name: Config0

4

<HKU>.DEFAULT\CONTROL PANEL\BUSES

        Value Name: Config1

4

<HKU>.DEFAULT\CONTROL PANEL\BUSES

        Value Name: Config2

4

<HKU>.DEFAULT\CONTROL PANEL\BUSES

        Value Name: Config3

4

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\NXZUQIHD

1

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\NXZUQIHD

        Value Name: Type

1

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\NXZUQIHD

        Value Name: Start

1

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\NXZUQIHD

        Value Name: ErrorControl

1

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\NXZUQIHD

        Value Name: DisplayName

1

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\NXZUQIHD

        Value Name: WOW64

1

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\NXZUQIHD

        Value Name: ObjectName

1

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\NXZUQIHD

        Value Name: Description

1

<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS

        Value Name: C:\Windows\SysWOW64\nxzuqihd

1

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\EOQLHZYU

1

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\EOQLHZYU

        Value Name: Type

1

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\EOQLHZYU

        Value Name: Start

1

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\EOQLHZYU

        Value Name: ErrorControl

1

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\EOQLHZYU

        Value Name: DisplayName

1

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\EOQLHZYU

        Value Name: WOW64

1

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\EOQLHZYU

        Value Name: ObjectName

1

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\EOQLHZYU

        Value Name: Description

1

<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS

        Value Name: C:\Windows\SysWOW64\eoqlhzyu

1

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\TDFAWONJ

1

Mutexes

Occurrences

Global\07ada3c1-08f4-11ed-b5f8-00501e3ae7b6

1

Global\067cf3c1-08f4-11ed-b5f8-00501e3ae7b6

1

Global\08e8d341-08f4-11ed-b5f8-00501e3ae7b6

1

IP Addresses contacted by malware. Does not indicate maliciousness

Occurrences

212[.]77[.]101[.]4

4

142[.]250[.]72[.]100

4

31[.]41[.]244[.]82

4

31[.]41[.]244[.]85

4

80[.]66[.]75[.]254

4

80[.]66[.]75[.]4

4

31[.]41[.]244[.]128

4

31[.]41[.]244[.]126/31

4

185[.]165[.]123[.]13

4

208[.]71[.]35[.]137

3

208[.]76[.]51[.]51

3

216[.]146[.]35[.]35

3

199[.]5[.]157[.]131

3

208[.]76[.]50[.]50

3

195[.]46[.]39[.]39

3

23[.]90[.]4[.]6

3

194[.]25[.]134[.]8

3

144[.]160[.]235[.]143

3

193[.]222[.]135[.]150

3

209[.]244[.]0[.]3

3

119[.]205[.]212[.]219

3

67[.]231[.]152[.]94

3

31[.]13[.]65[.]174

3

117[.]53[.]116[.]15

3

172[.]253[.]115[.]26/31

3

*See JSON for more IOCs

Domain Names contacted by malware. Does not indicate maliciousness

Occurrences

249[.]5[.]55[.]69[.]bl[.]spamcop[.]net

4

249[.]5[.]55[.]69[.]cbl[.]abuseat[.]org

4

249[.]5[.]55[.]69[.]dnsbl[.]sorbs[.]net

4

249[.]5[.]55[.]69[.]in-addr[.]arpa

4

249[.]5[.]55[.]69[.]sbl-xbl[.]spamhaus[.]org

4

249[.]5[.]55[.]69[.]zen[.]spamhaus[.]org

4

microsoft-com[.]mail[.]protection[.]outlook[.]com

4

microsoft[.]com

4

www[.]google[.]com

4

whois[.]arin[.]net

4

whois[.]iana[.]org

4

aspmx[.]l[.]google[.]com

4

wp[.]pl

4

ameritrade[.]com

4

mxa-000cb501[.]gslb[.]pphosted[.]com

4

mx[.]wp[.]pl

4

svartalfheim[.]top

4

www[.]instagram[.]com

3

mta5[.]am0[.]yahoodns[.]net

3

hanmail[.]net

3

freenet[.]de

3

korea[.]com

3

t-online[.]de

3

o2[.]pl

3

nate[.]com

3

*See JSON for more IOCs

Files and or directories created

Occurrences

%SystemRoot%\SysWOW64\config\systemprofile

4

%SystemRoot%\SysWOW64\config\systemprofile:.repos

4

%SystemRoot%\SysWOW64\nxzuqihd

1

%SystemRoot%\SysWOW64\eoqlhzyu

1

%SystemRoot%\SysWOW64\tdfawonj

1

%SystemRoot%\SysWOW64\hrtokcbx

1

%TEMP%\oacsevkh.exe

1

%TEMP%\htrzurov.exe

1

%TEMP%\rzwntxyj.exe

1

%TEMP%\mcilsztg.exe

1

File Hashes

    1b64011f2f80b0ded096cbdb81c2bdac9786dc8a4ea7425b15547bdca34e043f

    34c17bb102b2ed718471668da1ddc7daf397175979582942bf89d8e272cfa141

    59bdcd1599938f1c5c2845d1fef198a0d97b03744432fc6705c9c67f13eedab4

    64d6709c3cfbf8765e9434abfe6fc8bad67d87a3e4fe0622e68aa1d15aac8d6b

    6857bce2c5f73e1d1bc4b14cb7b281beb33fed8cb580a43f236460c2af0e65e2

    6eb7dd7f943a22822b0aaef6301d32b54eb43e432070c41b7d3c6a3d041ec8b3

    6f3ef01ce9f2896b54c06fe4cd5e5769dda3a958868557a20469feb21c7e1273

    79699aa58081b925c0b75140f0110f3ebf9a47e9bc8ba1699d53d7b14cb49591

    7e2975f6cb11bb324bd49ec6fd4b77478e3488bf99fe623851a29f06e9b1fb37

    89974e5d8be578da3cc6c0a33398659aabb160cdb03f7158066969f430dab796

    9449f5dd9a6728664a3be973ccb91adbf64ffe980ff96de05a0419eb0a77bbd7

    b77c2b3942f50e8fef2440481de894d506418f7a7c35fb29d40cfa8ce795ebf4

    cbbc899843ca8f5908c27645960a33952fbecbf3d5cefc5054ab1dd023bb8582

    d0596ec9d08cdd81f86e07d5ab70b518c6ca23a9ed4f557d041d3307b3ca7020

    d518bbcb40208cfd7cbb6965e1647fabd5f65f2f1c1520e1217996957a1ada8d

    e6411e18f8a1096f9b5d7528a24f6acdf1f97d120dd0dae4d76703c8eb5e4040

    efced050e17235d050db86e0d763a07cfff375771d586736bbd17520725f1ebf

Coverage

Product

Protection

Secure Endpoint

Cloudlock

N/A

CWS

Email Security

Network Security

Stealthwatch

N/A

Stealthwatch Cloud

N/A

Secure Malware Analytics

Umbrella

N/A

WSA

Screenshots of Detection****Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Packed.Nanocore-9957022-0****Indicators of Compromise

  • IOCs collected from dynamic analysis of 10 samples

Registry Keys

Occurrences

<HKCU>\SOFTWARE\WINRAR SFX

        Value Name: C%%Users%ADMINI~1%AppData%Local%Temp

9

<HKCU>\SOFTWARE\WINRAR SFX

9

<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN

        Value Name: AGP Manager

4

<HKCU>\SOFTWARE\7E3975E4EF230D7D9195

2

<HKCU>\SOFTWARE\7E3975E4EF230D7D9195

        Value Name: 7E3975E4EF230D7D9195

2

Mutexes

Occurrences

Global{8c60c66e-3013-47af-8bbe-7df02dd28d12}

4

Global\Protect7d723a8e.dll

2

\x6f21\x705\x43\x8f323\x746a3\xb096e\x27\x99491\xfa05\xe581\x7c\x22\x199\x3b2f\x1a33\x92ec\x7e\x4b\x55\x5b8c1\xa5894\x10e\x21a1\x4f\xfeaaf\x36a\x466\x78a\x1670\x1e3\x9f\x4a3\xe19a\x3c2\x253bd\x79\x7e\x6ce\x3a\x768\x1ae2\x36\x1bd43\x2ec0a\x58e\x75\x1994\x3bd\x25\x74c\xd0e0e\xfff90\x99de\x66a\x4c\x343\x5a554\x6a\x157\x3a\x39\x231\xb1cb0\x415\xe25f\x799\xd31\x57\x61e\x78678\x62\x1db\xc42cb\x314fd\x7e8\x748\x1bf1\xd40d\x3c9\xff4a\x34\x1ce54\x24\x3a33\xd89ea\x1a44d\xa08a7\x415\x62\x10e\x381\xd5\xbb640\x53c3\xea65\x34c\x74\x3d5e4\x4f\xf1948\x42050\xcb0fc\x46\x41e\x742d\xa328\x256\x3a\xfffd\xccc7\x14b54\x5a\x5c7\xa9ef7\x5ab\x7b\x10b246\x32123\x86f8\x77\x662\x41c3\x6bf9\x4a9\x367\x76\x328\x66e\xdfbe8\x424ec\x4239\x45\x87d0e\x8b461\x63\x6c9\xa8344\x65\xba571\x2d5a5\xc4236\x5d\x438f\xd2\x31\x6bb\x45\xb5d8d\x6d69f\x14ee6

2

Global\11971d21-08aa-11ed-b5f8-00501e3ae7b6

1

Global\15c3b7a1-08aa-11ed-b5f8-00501e3ae7b6

1

Global\1bb73741-08aa-11ed-b5f8-00501e3ae7b6

1

IP Addresses contacted by malware. Does not indicate maliciousness

Occurrences

74[.]139[.]80[.]187

6

145[.]14[.]144[.]94

1

145[.]14[.]144[.]171

1

145[.]14[.]145[.]198

1

Domain Names contacted by malware. Does not indicate maliciousness

Occurrences

wirelock[.]000webhostapp[.]com

3

Files and or directories created

Occurrences

%TEMP%\RarSFX1

10

%TEMP%\RarSFX0

10

%TEMP%\RarSFX2

5

%ProgramFiles(x86)%\AGP Manager

4

%ProgramFiles(x86)%\AGP Manager\agpmgr.exe

4

%APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5

4

%APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\Logs

4

%APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\Logs\Administrator

4

%APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\run.dat

4

%TEMP%\RarSFX3

3

%TEMP%\RarSFX1\BouncyCastle.Crypto.dll

3

%TEMP%\RarSFX1\Google.Protobuf.dll

3

%TEMP%\RarSFX1\JLibrary.dll

3

%TEMP%\RarSFX1\MySql.Data.dll

3

%TEMP%\RarSFX1\Newtonsoft.Json.dll

3

%TEMP%\RarSFX1\Renci.SshNet.dll

3

%TEMP%\RarSFX1\Ubiety.Dns.Core.dll

3

%TEMP%\RarSFX0\Release.exe

3

%TEMP%\RarSFX1\VACBypass.exe

3

%TEMP%\RarSFX0\VACBypass.sfx.exe

3

%TEMP%\RarSFX1\ProcessInjector.dll

2

%TEMP%\RarSFX1\Venge.exe

2

%TEMP%\Protect7d723a8e.dll

2

%APPDATA%\MSConfig.exe

2

%System32%\Tasks’MSConfig’

2

*See JSON for more IOCs

File Hashes

    057168fa7b59c38e34fddae10931b74390d7b16488c6ad927bdd1f463041667c

    18f9814993009f5ef87b0e0703644273e51658f5882344b562501c0039931a4d

    2425730fc69eb3d59994dfbec8080540a2df37d62d76668aa7f6253631ec697c

    66598101b17560cb540cf640137d5dac28c5845f00aceca4262a56461219ccdc

    afdd30c190cf43d78f3cdee38bdc2786dfbbaf2d3c2be8f6d9a7c539f097f4fc

    c08c4a75c4a5e26e98643b054d0dd19b7c2b729531402d97ac75a17aeef7d17d

    c1c5d36e2794e08c6b400476b1a51f4c1c9b27ffee593dac838730ba27cc363b

    d675794864f828743967e774b888663ee3dbff471c159fbadb3a699c7085e658

    df9cb829ee95a1722dd61bfcb10145e1b11881fe1a86b296936a8aaa3011fcff

    e6f42069d0c8ef236da20b41e61c25cc593ac7265057c996b35b67d73b7154e8

Coverage

Product

Protection

Secure Endpoint

Cloudlock

N/A

CWS

Email Security

Network Security

Stealthwatch

N/A

Stealthwatch Cloud

N/A

Secure Malware Analytics

Umbrella

N/A

WSA

N/A

Screenshots of Detection****Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Dropper.LokiBot-9957019-0****Indicators of Compromise

  • IOCs collected from dynamic analysis of 16 samples

Mutexes

Occurrences

3749282D282E1E80C56CAE5A

7

uoXVcKrtOqoPVAWBhQA

1

IP Addresses contacted by malware. Does not indicate maliciousness

Occurrences

198[.]187[.]30[.]47

4

193[.]122[.]130[.]0

2

132[.]226[.]247[.]73

2

158[.]101[.]44[.]242

2

37[.]0[.]11[.]227

1

45[.]133[.]1[.]20

1

47[.]88[.]22[.]122

1

Domain Names contacted by malware. Does not indicate maliciousness

Occurrences

checkip[.]dyndns[.]org

6

sempersim[.]su

1

Files and or directories created

Occurrences

%APPDATA%\D282E1

7

%APPDATA%\D282E1\1E80C5.lck

7

%APPDATA%\Microsoft\Crypto\RSA\S-1-5-21-2580483871-590521980-3826313501-500\a18ca4003deb042bbee7a40f15e1970b_d19ab989-a35f-4710-83df-7b2db7efe7c5

7

%System32%\Tasks\Updates

1

%TEMP%\tmp4B83.tmp

1

%APPDATA%\VQJJRC.exe

1

%System32%\Tasks\Updates\VQJJRC

1

File Hashes

    22265bacbef33a949cd224cf527e8338b03f8d8a5e04acbbd3632e28af7e785a

    2c93ec8bdcb28ec4793fb55a4ce8159287745c11d5cf36ca085c74c3925ff2e2

    3e93bbc3ac47bb2cd468a1e58e9369a54215dfaaece767e99e40057ed7dd4c50

    669363383d4189a6716b953aaf4663655dc22e960e002f100c3ef5012275db79

    67fb6d554fb4128454a0fbaa1dd0becda062d72be7dfbb37a4b5dc1b7b5629ce

    6bacc8bd474bde817e968bcedfe508492a100eb73749894ba4b61b2f6d0dec0d

    6da89945dd9f904c718c4ae1de7aae9d311ac71317865718aca051854ff4913d

    87878b131d80c5ad134ee68932fe4defbf5067a0a871f0cadba3e163f5e3cefd

    99606bfc40c8743b6bc1a3059cf491b9105d1bbc5d3bd3de647781bce6d9636a

    998474158374c53d0b802f00e92e9ef00d398321b90dab0464d50df65225a5e5

    bf4a9315215e16a2239e01125082218867ffc5900e44de517d4c2b786ff1fa8a

    c29b9d1075e86788bab4a9e75334f36de07c1feb22500759db93d9379c875171

    c86ba22021597e8876b4432a5ffb954f495e7f2a0a926af5f630e1f3e3e8acf5

    d94a1e9281426e715a46338e94e6b16c614a9ff271da27b3a52c3ddc2985d914

    df0fdfa13f4682ea0ca69bd3aeac4894184cd8aa1be913ca5954bb4394af1b2e

    df77c795653ea7686d5525118bc05d748a3393793a99960946dfa3bc5e188e02

Coverage

Product

Protection

Secure Endpoint

Cloudlock

N/A

CWS

Email Security

Network Security

Stealthwatch

N/A

Stealthwatch Cloud

N/A

Secure Malware Analytics

Umbrella

WSA

Screenshots of Detection****Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

TALOS: Latest News

New PXA Stealer targets government and education sectors for sensitive information