Headline
Threat Roundup for March 24 to March 31
Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between March 24 and March 31. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key
Friday, March 31, 2023 13:03
Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between March 24 and March 31. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.
As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.
For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. A visual depiction of the MITRE ATT&CK techniques associated with each threat is also shown. In these images, the brightness of the technique indicates how prevalent it is across all threat files where dynamic analysis was conducted. There are five distinct shades that are used, with the darkest indicating that no files exhibited technique behavior and the brightest indicating that technique behavior was observed from 75 percent or more of the files.
The most prevalent threats highlighted in this roundup are:
Threat Name
Type
Description
Win.Ransomware.TeslaCrypt-9994144-1
Ransomware
TeslaCrypt is a well-known ransomware family that encrypts a user’s files with strong encryption and demands Bitcoin in exchange for a file decryption service. A flaw in the encryption algorithm was discovered that allowed files to be decrypted without paying the ransomware, and eventually, the malware developers released the master key allowing all encrypted files to be recovered easily.
Win.Ransomware.Cerber-9994145-0
Ransomware
Cerber is ransomware that encrypts documents, photos, databases and other important files. Historically, this malware would replace files with encrypted versions and add the file extension “.cerber,” although in more recent campaigns, other file extensions are used.
Win.Dropper.Tofsee-9994178-0
Dropper
Tofsee is multi-purpose malware that features a number of modules used to carry out various activities such as sending spam messages, conducting click fraud, mining cryptocurrency and more. Infected systems become part of the botnet and send large volumes of spam messages to infect additional systems and increase the size of the botnet under the operator’s control.
Win.Dropper.Formbook-9994385-0
Dropper
Formbook is an information stealer that attempts to collect sensitive information from an infected machine by logging keystrokes, stealing saved web browser credentials, and monitoring information copied to the clipboard.
Win.Dropper.Kovter-9994588-1
Dropper
Kovter is known for its fileless persistence mechanism. This family of malware creates several malicious registry entries that store its malicious code. Kovter can reinfect a system, even if the file system has been cleaned of the infection. The malware traditionally spreads ransomware and click-fraud malware.
Win.Dropper.TinyBanker-9994341-1
Dropper
TinyBanker, also known as Zusy or Tinba, is a trojan that uses man-in-the-middle attacks to steal banking information. When executed, it injects itself into legitimate Windows processes such as “explorer.exe” and “winver.exe.” When the user accesses a banking website, it displays a form to trick the user into submitting personal information.
Win.Dropper.Emotet-9994401-0
Dropper
Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a wide variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails.
Win.Dropper.Fareit-9994421-1
Dropper
The Fareit trojan is an information stealer with the functionality to download and install other malware.
Win.Dropper.DarkComet-9994524-1
Dropper
DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system. This malware can download files from a user’s machine and contains mechanisms for persistence and hiding, along with the ability to send back usernames and passwords from the infected system.
Threat Breakdown****Win.Ransomware.TeslaCrypt-9994144-1****Indicators of Compromise
- IOCs collected from dynamic analysis of 17 samples
Registry Keys
Occurrences
<HKCU>\SOFTWARE\XXXSYS
17
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: v23-deadbeef
17
<HKCU>\SOFTWARE\XXXSYS
Value Name: ID
17
<HKCU>\Software<random, matching '[A-Z0-9]{14,16}’>
17
<HKCU>\Software<random, matching '[A-Z0-9]{14,16}’>
Value Name: data
17
Mutexes
Occurrences
z_a_skh495ldfsgjl2935345
17
IP Addresses contacted by malware. Does not indicate maliciousness
Occurrences
34[.]102[.]136[.]180
17
172[.]67[.]137[.]137
10
104[.]21[.]30[.]141
10
172[.]67[.]172[.]250
7
104[.]21[.]62[.]165
7
Domain Names contacted by malware. Does not indicate maliciousness
Occurrences
mhomeusa[.]com
17
internationalists[.]org
17
csopedro[.]org
17
fmc[.]org[.]in
17
jecit[.]ac[.]in
17
Files and or directories created
Occurrences
%ProgramFiles%\7-Zip\Lang\ka.txt
17
%ProgramFiles%\7-Zip\Lang\kaa.txt
17
%ProgramFiles%\7-Zip\Lang\kab.txt
17
%ProgramFiles%\7-Zip\Lang\kk.txt
17
%ProgramFiles%\7-Zip\Lang\ko.txt
17
%ProgramFiles%\7-Zip\Lang\ku-ckb.txt
17
%ProgramFiles%\7-Zip\Lang\ku.txt
17
%ProgramFiles%\7-Zip\Lang\ky.txt
17
%ProgramFiles%\7-Zip\Lang\lij.txt
17
%ProgramFiles%\7-Zip\Lang\lt.txt
17
%ProgramFiles%\7-Zip\Lang\lv.txt
17
%ProgramFiles%\7-Zip\Lang\mk.txt
17
%ProgramFiles%\7-Zip\Lang\mn.txt
17
%ProgramFiles%\7-Zip\Lang\mng.txt
17
%ProgramFiles%\7-Zip\Lang\mng2.txt
17
%ProgramFiles%\7-Zip\Lang\mr.txt
17
%ProgramFiles%\7-Zip\Lang\ms.txt
17
%ProgramFiles%\7-Zip\Lang\nb.txt
17
%ProgramFiles%\7-Zip\Lang\ne.txt
17
%ProgramFiles%\7-Zip\Lang\nl.txt
17
%ProgramFiles%\7-Zip\Lang\nn.txt
17
%ProgramFiles%\7-Zip\Lang\pa-in.txt
17
%ProgramFiles%\7-Zip\Lang\pl.txt
17
%ProgramFiles%\7-Zip\Lang\ps.txt
17
%ProgramFiles%\7-Zip\Lang\pt-br.txt
17
*See JSON for more IOCs
File Hashes
0d7d7c5ab235e283acdd6b51b9c999bea4bbfa4ffa58e03ba65a9908d391b20c
1c84a83693148026c1c56d2bf1bbc42fc00b9c7391d86b46e0cbdf1c1b8205c7
1eedbe6ece9bfb7d1f4fb736a3ddd1274360fb932c5ecb1e843bea94c472761e
35b2c9e1152704b48beff52488f94769213c0329117f4dd0a0a8e3781b63bdf4
3e55219fdf3b431fac2055cd3d3fe1df5cf8584688caeedefb42e4840e7e8e82
45e7d31d51548b8e319ed3efe76c0a4a76ebbfe5db77d20cd4278e1ff53b40bf
49cfb2ad073c9c3c54994b4d755e68b6bbf1c28ec226982a141a8645653e6965
575aa40fddba7556541259211b0e65736592e615e60b8b258476e12e61c2950f
69db0ecd9fb224db188edf645dfe37c192d06ff24ecf3d9da6c8fbc81b981a0d
75740399485a04493a4c07432c8753368baec315e42394752428519147b811ab
7a00e458f6cb3da91da97f2109188c3a70147aa6f22b1e884dbb81c9c78103ec
8020bb9feda720adbe902cef6a807e7763d14c605cdcc0974e854d23cedc7d9c
8243c174d73ae24698c901170463ac966c6e1996d45a480f6b1b11d726f54721
a51ddcf639a4b80286119568577bcd1067e1be514c48d25c774da2a34fabc9c7
a5fec2ff19af3099052f37a9b57b28edffcb6ab71778a6e3228cb020cde07972
d911ab5357f13ead71c6cf653ac309ea2f04c4bec995bfbb54dfae3185cbaef7
f401aa6387cf4860afe6a6c7c7d7d539c2d8ecff234a50e8ab6e5513ba620871
Coverage
Product
Protection
Secure Endpoint
Cloudlock
N/A
CWS
Email Security
Network Security
Stealthwatch
N/A
Stealthwatch Cloud
N/A
Secure Malware Analytics
Umbrella
WSA
Screenshots of Detection****Secure Endpoint
Secure Malware Analytics
MITRE ATT&CK
Win.Ransomware.Cerber-9994145-0****Indicators of Compromise
- IOCs collected from dynamic analysis of 270 samples
Registry Keys
Occurrences
<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL
Value Name: NodeSlots
2
<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL
Value Name: MRUListEx
2
<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\1
Value Name: MRUListEx
2
<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\1\0
Value Name: MRUListEx
2
<HKCU>\SOFTWARE\MICROSOFT\DIRECT3D
Value Name: Name
1
Mutexes
Occurrences
shell.{381828AA-8B28-3374-1B67-35680555C5EF}
270
IP Addresses contacted by malware. Does not indicate maliciousness
Occurrences
149[.]202[.]64[.]0/27
270
149[.]202[.]122[.]0/27
270
149[.]202[.]248[.]0/22
270
178[.]128[.]255[.]179
202
172[.]66[.]42[.]238
103
172[.]66[.]41[.]18
99
104[.]20[.]21[.]251
94
104[.]20[.]20[.]251
93
172[.]67[.]2[.]88
83
Domain Names contacted by malware. Does not indicate maliciousness
Occurrences
api[.]blockcypher[.]com
270
bitaps[.]com
202
chain[.]so
202
btc[.]blockr[.]io
202
hjhqmbxyinislkkt[.]1j9r76[.]top
68
Files and or directories created
Occurrences
%TEMP%\d19ab989
270
%TEMP%\d19ab989\4710.tmp
270
%TEMP%\d19ab989\a35f.tmp
270
%LOCALAPPDATA%\Microsoft\Office\Groove1\System\CSMIPC.dat
270
%TEMP%\tmp<random, matching [A-F0-9]{1,4}>.tmp
270
%TEMP%\tmp<random, matching [A-F0-9]{1,4}>.bmp
270
<dir>_READ_THI$FILE<random, matching [A-F0-9]{4,8}>_.hta
270
<dir>_READ_THI$FILE<random, matching [A-F0-9]{4,8}>_.txt
270
<dir>_READ_THI$FILE<random, matching [A-F0-9]{4,8}>_.jpeg
270
File Hashes
00b2a9bc73d10c724220de847c99f8756dcc86a245bd3b4e0f995510656f788f
00c7a7771f1f91494ead2115edc791ca35af078b929f91b408b9f11006cf83b5
0181a14708d21ce9ed344d796561e1359528949b1b09dbdc6ad9bad98988dfad
02444554961bc3b4ba3a6c8e2e85266cac482acdc0d6e2777187ef746ca1aacc
02cb2d24044d09e98c92869e78844f8b1a598410acf7573a5b5ea0f0714fff69
03b3e35f1183d76c14f9d8fbdf17b87b4e0334483e1a51f465fc97de6d607c45
03f719cc549c461a71c1d8f7889792d2f54ef571f8082abd8cdb00613d913d0e
04e8daa018dca72480648ab5a8c9de4491921e3250fa5a1cdf9ddea234dd1d81
05bca297ce941c298c72004a3e9b6567053e740967040e635b3ba3f3fa03d626
0833239e1520b5c9980f4c096f1081164501563df78dfcf3b710f4a203b53286
086166e0e02f55dd55f88dd6c974d3ea173db043f019c406e71e1882170ff1dd
088c4bfac4fec6b1a436613ac926e56d9535eca28f582ecb1bb9e80c8796ebbd
08c7f732210c4937cb948e29e2d222e915fb6d254a7ea6ee5838560dc734728c
0a33fe6dec023f8a23080a63292ae48bd0df5e650f95834f6f9d6481347526c1
0b0976ec5ee4160920f92f3b8a694f9fa4bce913830f528d899b9387ddacf594
0b7f32eaa6873c4802aa6d52fba60bb9d9121b3901d271fc4766d451f34009ad
0c07020e2cba9d84d45e0014618d42d85dd13c274aa80d8cefa961f9748ef875
0da012fc6f89c175ca4693e89c576a43195818f1becefbf281e6d822d0bd1995
0de70bd123d23b51d29279e8b3b6c13028b0a119d5eb4356e35111c7f2a533ea
0f0131f7938c6e69dd178fd43b3ffbd29615054c8841c5e44a022ff4f096c8f1
0f2a33db939580a739ddc4fa7cceaa29720305645b9b830d3f54555e8479caad
114f9dab0eb8023b81dd818503eac74386634900ab2b47b6768254d6424b3b4e
11b048fc725ceece2e24c5854c034abe891346af56e68b8d7ca4fabb6fc183e5
11c097a24e5eb0258824c2a5f7c31583249028dfde0762bc058a93946ae34bb2
11d27031aa8515af44fe76345881d5c3fca5f44429187d592cba786f14a72800
*See JSON for more IOCs
Coverage
Product
Protection
Secure Endpoint
Cloudlock
N/A
CWS
Email Security
Network Security
Stealthwatch
N/A
Stealthwatch Cloud
N/A
Secure Malware Analytics
Umbrella
N/A
WSA
N/A
Screenshots of Detection****Secure Endpoint
Secure Malware Analytics
MITRE ATT&CK
Win.Dropper.Tofsee-9994178-0****Indicators of Compromise
- IOCs collected from dynamic analysis of 84 samples
IP Addresses contacted by malware. Does not indicate maliciousness
Occurrences
193[.]233[.]20[.]31
84
Files and or directories created
Occurrences
%LOCALAPPDATA%\Yandex
84
%LOCALAPPDATA%\Yandex\YaAddon
84
File Hashes
0470c3c5b735b2c1b5b07a833941ef7e9ac9fc8333c12750b88252b7a9d8876b
070338b01517f677407a63d124b8c049726a0e492416353bf50fa6ed7b20a0c7
0e843a71040bf57a24197afd129c26ca5065db2bbc0e3540626199f129b4ccd7
17369e3c91a3461e439832e1912b984c4e0bc1526ce48f6c2a7937565e001793
19208e193ccd5d6a10153d8d3a3f9075846ba42ec42f27a915857edc19f5dbcf
1be4e71e0c832208b940e817cf2489fcc904a2cc8bde5e12f85796039001e5d8
1eb5a9d34f001ece2d934d6759b92e57e3aceca91d93d76b86b423126bf29f8a
32c082e92a74b3ef0c29663cac017adcdb99fa86c92d75b95b67260480d1f261
349108a8623e59e3baee540b25a123a20c338b70a2a910da5900bb77e4619d21
3e1f8463cc20fdbce750170e1031074c1ec3f90482c2f05d55874d8510b039f8
40e48e71e057fa7159cc542572b2f54c25b2e7b43773eae757fd9f58cad303ef
437cfd2d9e2097f1bf9498be0df782dc03617eaf47d6f0daa5addf5bbbce9a9e
478ac6974c3766ee57e79ce003746f6b66b43cfc4c41cacca4ca0c78c9f6cc32
4ace3dd384423c110374abc61995c48618cb445c031ccdf6fd30cff5658968cc
4cb3253cb09d4765129b3379abae653a36da1db27b3dfc864606687523900cb1
4db03abd586331ffe27b89bf781ff665675a8d81259984c5a58e0a39e449b417
4f38c1bfa2a03d4e8b15ee2b3b85abbc667cf26394f8eb99e8217b3b3611ed25
4f6fe789af662e534743301d78f6b99baf0db39a542ea863e04511b99e4e261b
541ee37ecc69c60dca2c48e0e7990e2c7855cd709157896cc92e677d8484217c
543b84ef95aaf61436fc96073079a9ecfad60e55e77fc344f158d8426813dc37
5a1a019c8d099f5ba8a1a00e3ddca09f846db3af7e85f0312ca33df6cca6894a
5bc939edc308a59117f64c60b0897994a81d0d647b467a02558c31af281431f3
601a19783f711defe03791f2b6b628d7488528ebe1d66b20e460d468ca888eeb
691fd63aa95063cdeeb6e0b8c4b8be80713bebadd51fae4d9cb1de8d6509b2aa
726fef5283dd616e36f64ea50a8afc33726265ed60574f796546b3c0d30b4df8
*See JSON for more IOCs
Coverage
Product
Protection
Secure Endpoint
Cloudlock
N/A
CWS
Email Security
Network Security
Stealthwatch
N/A
Stealthwatch Cloud
N/A
Secure Malware Analytics
Umbrella
N/A
WSA
N/A
Screenshots of Detection****Secure Endpoint
Secure Malware Analytics
MITRE ATT&CK
Win.Dropper.Formbook-9994385-0****Indicators of Compromise
- IOCs collected from dynamic analysis of 28 samples
Registry Keys
Occurrences
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\AUDIOCOMPRESSIONMANAGER\DRIVERCACHE\MSACM.IMAADPCM
Value Name: fdwSupport
12
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\AUDIOCOMPRESSIONMANAGER\DRIVERCACHE\MSACM.IMAADPCM
Value Name: cFormatTags
12
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\AUDIOCOMPRESSIONMANAGER\DRIVERCACHE\MSACM.IMAADPCM
Value Name: aFormatTagCache
12
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\AUDIOCOMPRESSIONMANAGER\DRIVERCACHE\MSACM.IMAADPCM
Value Name: cFilterTags
12
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\AUDIOCOMPRESSIONMANAGER\DRIVERCACHE\MSACM.MSG711
Value Name: fdwSupport
12
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\AUDIOCOMPRESSIONMANAGER\DRIVERCACHE\MSACM.MSG711
Value Name: cFormatTags
12
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\AUDIOCOMPRESSIONMANAGER\DRIVERCACHE\MSACM.MSG711
Value Name: aFormatTagCache
12
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\AUDIOCOMPRESSIONMANAGER\DRIVERCACHE\MSACM.MSG711
Value Name: cFilterTags
12
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\AUDIOCOMPRESSIONMANAGER\DRIVERCACHE\MSACM.MSGSM610
Value Name: fdwSupport
12
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\AUDIOCOMPRESSIONMANAGER\DRIVERCACHE\MSACM.MSGSM610
Value Name: cFormatTags
12
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\AUDIOCOMPRESSIONMANAGER\DRIVERCACHE\MSACM.MSGSM610
Value Name: aFormatTagCache
12
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\AUDIOCOMPRESSIONMANAGER\DRIVERCACHE\MSACM.MSGSM610
Value Name: cFilterTags
12
IP Addresses contacted by malware. Does not indicate maliciousness
Occurrences
85[.]214[.]22[.]208
12
Files and or directories created
Occurrences
%LOCALAPPDATA%\SbmsftwVp
23
%LOCALAPPDATA%\SbmsftwVp\taskhost32.exe
9
%LOCALAPPDATA%\SbmsftwVp\system32.exe
8
%LOCALAPPDATA%\SbmsftwVp\Space.o9k
6
%LOCALAPPDATA%\SbmsftwVp\pcons.o9k
6
%LOCALAPPDATA%\SbmsftwVp\prova.o9k
5
%LOCALAPPDATA%\SbmsftwVp\chrome.exe
5
%LOCALAPPDATA%\SbmsftwVp\sc.o9k
2
%LOCALAPPDATA%\SbmsftwVp\chrome32.exe
1
%LOCALAPPDATA%\SbmsftwVp\pcons.au3
1
%LOCALAPPDATA%\SbmsftwVp\Usertemp.txt
1
%LOCALAPPDATA%\SbmsftwVp\Istat Febbraio 2019.zip
1
%LOCALAPPDATA%\SbmsftwVp\Usertemp.jpeg
1
File Hashes
013fa0a93b28f8b58b2ba0009fc127a8928ec7fb8d9985b31caae3c99f41b0ca
0860f64fe287c02077b8345dc0b2b8b62b65f24cf4acd660e34c1f5e0ab20948
10f484b167e53ac7d1ef580b7db909029043e3c84ffe6ff8f9ebe61f3f05a1d0
12fde2a7b8717082f257b389eda1b8a6cd99e300755daacaa4f2cc1f9433a22c
13f3049b1b31a8a8a37cef64f1eb56e0a33dae9e59793a438dc2c693ebc380af
13f668c4dcbf3056829a1429ebe500c77c8c97d8f8a6c2136371cca3fca3f450
1a00c3e800f895618776eef85c292d242931af16504fe0867e032441967f077a
1f6e4f8a970816e178d3cc15b970c1e124d91ff49de09bf37158ea64499484e3
21238f4dc280260c83300a79ef7b8835b5984886ab74f0f112f5bd7e8113cd7c
2b4df32209f34e7adadc69c2ea1e3f810b4f9f5e89705f047dd54aa97020c136
2b6bae898a46d6b10fda70b3ce23e6c4b53c3f1ccd59c2c848b1d6b7ab68dbf5
2c44b9a7fcbec0ef6f5251dd628591dff7dacf4a8a2108c41c4b5d7e134ccec0
3a3dfd35e5746024dbddff2519744cd86188516cccb0632ed8c1483ed1bc8d48
425e6f7557d09a00ac3cb7727dd3da730603080b7630c5313d5014b631e5b74e
438c3344a14bda9737b01d88332759365671c3f32e913347939880bc2c630ba8
4eeda267847e114344ffdf4dff447e2b03fa58defd3af1d787e9b05c2e12be3e
603641f8a14199a2d850f9eb6c3e987ae10472c1b1f4296a046245184a339909
65e2243e22224c73e8ce43f16a2906fdc7818acf8f12d56f104c9f19ee88c2ec
7137f1f56dbc98cbe68c211ca6743417dd01cb81d7cd772e36b2785d61acce2a
7987e2e41a89e067688c26129a44575063e371aaf91fb27954c10711334bfbcd
801c703b5540fc3d95b54c79951990c6d53f49c0175e4216f0e0019e04c51f66
98732b1197ffce108241b175b8104c36e40e8b191d9f9d6104702e144a079c67
a4499806ed8d92e212733ec8605e1028d94a1b2b82bcc98776d42ad6e27bb9bb
a469a0197cdab036e7d93a9da9ec9113a78b9e58ce024fa15078879a0035244d
a614a8dc837ccb52330bd6cd4f5732dbaff6cc94bb8ff1ca738feff50cfb0fe6
*See JSON for more IOCs
Coverage
Product
Protection
Secure Endpoint
Cloudlock
N/A
CWS
Email Security
Network Security
N/A
Stealthwatch
N/A
Stealthwatch Cloud
N/A
Secure Malware Analytics
Umbrella
N/A
WSA
N/A
Screenshots of Detection****Secure Endpoint
Secure Malware Analytics
MITRE ATT&CK
Win.Dropper.Kovter-9994588-1****Indicators of Compromise
- IOCs collected from dynamic analysis of 20 samples
Registry Keys
Occurrences
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\WINDOWSUPDATE
Value Name: DisableOSUpgrade
20
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\WINDOWSUPDATE\OSUPGRADE
Value Name: ReservationsAllowed
20
<HKLM>\SOFTWARE\WOW6432NODE\3A91C13AB1
Value Name: 96f717b3
20
<HKCU>\SOFTWARE\3A91C13AB1
Value Name: 96f717b3
20
<HKLM>\SOFTWARE\WOW6432NODE\3A91C13AB1
Value Name: 656f27d6
20
<HKCU>\SOFTWARE\3A91C13AB1
Value Name: 656f27d6
20
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN
20
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\WINDOWSUPDATE
20
<HKCU>\SOFTWARE\3A91C13AB1
20
<HKLM>\SOFTWARE\WOW6432NODE\3A91C13AB1
20
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\WINDOWSUPDATE\OSUPGRADE
20
<HKLM>\SOFTWARE\WOW6432NODE\3A91C13AB1
Value Name: 01b2a448
12
<HKCU>\SOFTWARE\3A91C13AB1
Value Name: 01b2a448
12
<HKLM>\SOFTWARE\WOW6432NODE\B1941377BA1C30B46D65
2
<HKLM>\SOFTWARE\WOW6432NODE\BOPM5S
2
<HKLM>\SOFTWARE\WOW6432NODE\B1941377BA1C30B46D65
Value Name: FD99B600636C23EE61F
2
<HKLM>\SOFTWARE\WOW6432NODE\BOPM5S
Value Name: ugLIgu
2
<HKLM>\SOFTWARE\WOW6432NODE\BOPM5S
Value Name: b9yMBZ0
2
<HKCR>\BGWJJ9Q
2
<HKCR>\BGWJJ9Q\SHELL
2
<HKCR>\BGWJJ9Q\SHELL\OPEN
2
<HKCR>\BGWJJ9Q\SHELL\OPEN\COMMAND
2
<HKCR>.KDPZPKZ04
2
<HKCR>\BGWJJ9Q\SHELL\OPEN\COMMAND
2
<HKCR>.KDPZPKZ04
2
Mutexes
Occurrences
EA4EC370D1E573DA
20
A83BAA13F950654C
20
Global\7A7146875A8CDE1E
20
B3E8F6F86CDD9D8B
20
IP Addresses contacted by malware. Does not indicate maliciousness
Occurrences
25[.]184[.]178[.]209
2
65[.]61[.]21[.]126
2
33[.]59[.]53[.]75
2
148[.]95[.]103[.]157
2
208[.]83[.]179[.]177
2
216[.]141[.]67[.]221
2
33[.]9[.]30[.]178
2
214[.]113[.]157[.]33
2
128[.]196[.]44[.]189
2
106[.]167[.]173[.]107
2
124[.]79[.]107[.]172
2
78[.]178[.]65[.]24
2
43[.]210[.]195[.]200
2
29[.]196[.]11[.]208
2
123[.]75[.]123[.]182
2
208[.]102[.]210[.]101
2
193[.]94[.]77[.]253
2
172[.]49[.]78[.]21
2
8[.]47[.]183[.]57
2
108[.]7[.]213[.]243
2
145[.]55[.]254[.]153
2
184[.]181[.]140[.]89
2
34[.]32[.]121[.]51
2
115[.]68[.]254[.]111
2
159[.]177[.]136[.]205
2
*See JSON for more IOCs
Files and or directories created
Occurrences
%LOCALAPPDATA%<random, matching '[a-z0-9]{3,7}’>
20
%LOCALAPPDATA%\wega\Kp45cE.kdpzPkz04
2
%LOCALAPPDATA%\hori\SwPObjKl.Nlb2FsB77
1
%LOCALAPPDATA%\ogehu\Fparl.SKiGlq
1
%LOCALAPPDATA%\vamu\w5nuC6.WGTurLb
1
%LOCALAPPDATA%\ajogy\qGuhM3.GTfDMEKB
1
%LOCALAPPDATA%\uxyda\b5AtmVw.x5QJb
1
%LOCALAPPDATA%\cezihu\xQCDfCA.2MaJY8E2C
1
%LOCALAPPDATA%\vife\cX83.5f908v
1
%LOCALAPPDATA%\oqukot\B6Jj.9dBlAf
1
%LOCALAPPDATA%\ejahu\AXBlFqTI.g8zXYu
1
%LOCALAPPDATA%\ihar\QeVvU.1bLWpC7
1
%LOCALAPPDATA%\venivi\qwYoqIq.Ebz3M
1
%LOCALAPPDATA%\ozul\2ZQDlBeW.fDMBBQqb
1
%LOCALAPPDATA%\jazy\pyBDe3A.bVyh1t
1
%LOCALAPPDATA%\itoxan\9SqRjetq.xI40Zyq24
1
%LOCALAPPDATA%\ilet\9G3Co.vEXWb4JxN
1
%LOCALAPPDATA%\ubil\lTWPpC.foeSI81b
1
%LOCALAPPDATA%\uryfip\083ieXW5.S3s2vE
1
%LOCALAPPDATA%\apejer\xNSKBdUF.Wk2F8ZHc
1
File Hashes
05b59f2d2f563bec3929440f1934a0e38368e2d2a9846a04c4e23097f72a4bb2
1345a0c98f9346ad900072aaeba96b760d26fc4b7e8ed89950fcf41ea8340c65
24c2154b70a3ce56ccf1e42a6ee993a6e76c31ed6b4560bc7ca0247c05ccd6f6
41a82b412860774b20bf9562b453737d83f8eed41a54b87718580b38c53ff426
42029c42a98766c0ced24f34376fc46c64bf91e81f4d4a446eb883d2cec24d63
60941f0456a5def136eb637a846a0d05d6f917729faa2c015347137bc3adfd97
6ceb7ec11282ed100bbd6d155ac6950f312ff35882bf57ce6382a3e28deca1dd
7e98d8fe61e2414e89a6f8d40a7f4b2565367768e726b91cb32410e7386e9786
8492e74830e9524e07ddb11891b7c13bb88f2d0531241c878a39f3e9d509a4ac
84eee3d947706aa43cd9166b753162f807654c16fa4a956198c22f0fd3714196
8ec2235e1542206870f1176428ef361fb1e40a2f27b18a70a8bd97c6811a68b0
b93995d399154fc03b78501998173db0286b89bca3d1f25589a50100208f05ad
b9d086647099a1290d07eae291d976c2ee9783c1129ae529ee08b55184302b7d
bd1d4e24da7f0e753ecdfab3764c5ac0953c7746a67af82845435a8c3ad29c0d
bd2f685746355f614886a16466a57bd2058532b537a1f7293161b4e9f0af9ed7
c96ae9fc37071f091a7756331129930741f2c7e3452390f9f948107f181385e5
da7f437578196e4312b752fdadedc3f5c94654d6dfb3efe6cd9a01241405a8e1
ece7a983dd9e1d0fe4fd1b766f3b130ec35eb885d351ea224b2051bc08c45323
f014cc63389f1ef11379e783e0e36477741aa22bebac5addbea73ce19eaa6d63
fcba15982a854e57b6d4f65404de3ece75e38b8d4b671e67394961ec22fa6d65
Coverage
Product
Protection
Secure Endpoint
Cloudlock
N/A
CWS
Email Security
Network Security
Stealthwatch
N/A
Stealthwatch Cloud
N/A
Secure Malware Analytics
Umbrella
N/A
WSA
N/A
Screenshots of Detection****Secure Endpoint
Secure Malware Analytics
MITRE ATT&CK
Win.Dropper.TinyBanker-9994341-1****Indicators of Compromise
- IOCs collected from dynamic analysis of 15 samples
Registry Keys
Occurrences
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: DA81EF4C
15
Mutexes
Occurrences
DA81EF4C
15
Domain Names contacted by malware. Does not indicate maliciousness
Occurrences
www[.]google[.]com
1
insamertojertoq[.]cc
1
Files and or directories created
Occurrences
%HOMEPATH%\AppData\LocalLow\DA81EF4C
15
%APPDATA%\DA81EF4C
15
%APPDATA%\DA81EF4C\bin.exe
15
File Hashes
01f5c62a2fc27a2b82ce42c823ef956b65571a8f4691cb662fcf3731760e608c
167919de0c9d3bd508e9018bafbb029113740a28b4885c0ffc0b2e2d9119cebd
1d5c53442df1c48bd18dd95753e74dbb226d42642301d078a359af04ece85958
1f70cbd79386ba8b4a13d9057be77762d55e5b9dd9f8874cdab4bc65abab5e4d
309f2be8022f4083f03730628d40032e5c404d5e9bc088cacf5bb2c3d99df9d8
5c74d0399e10b4c6e76e4853c202eed2f2e1855661e64ee3731f2eb4fc3db637
6a9b98c034e17154a69737e655f7dcfc07de0be68f2547e32b29cc36a5fe5f86
6bf18453b330e349516a4ece2841ea72e904dff6facc0f905a2150fcb626b8fd
6c0596e9d5a209a13e3c1a17b01d28273b0ec680df9004fbe27ab2bf2f3fcddd
88bd0c5645eb63caea334084e3031d066d712edc64884f8626886ffce9ad7e27
c461e50c6da421b2db71c6198a5661d25948e1c29911c2827d794799b57faad0
cda620b1141964b52eddc4bff940e5158f986361db94631ed0f0816a76c7f35d
dbc82464eb2e12a89f1bf17b17506bb3fe9e4c514c230f7082ea517af8ab10da
deb0de847b202a1bf0b53c86d921847e82df971c6e5d5cc0c6a06b7f311e5668
e7b73464492ff2674a94d95f6805e57bf2cdb2228aa58e6d05bcd713f2331029
Coverage
Product
Protection
Secure Endpoint
Cloudlock
N/A
CWS
Email Security
Network Security
Stealthwatch
N/A
Stealthwatch Cloud
N/A
Secure Malware Analytics
Umbrella
N/A
WSA
N/A
Screenshots of Detection****Secure Endpoint
Secure Malware Analytics
Umbrella
MITRE ATT&CK
Win.Dropper.Emotet-9994401-0****Indicators of Compromise
- IOCs collected from dynamic analysis of 19 samples
Registry Keys
Occurrences
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SPECSYSTEM
Value Name: Type
18
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SPECSYSTEM
Value Name: Start
18
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SPECSYSTEM
Value Name: ErrorControl
18
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SPECSYSTEM
Value Name: ImagePath
18
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SPECSYSTEM
Value Name: DisplayName
18
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SPECSYSTEM
Value Name: WOW64
18
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SPECSYSTEM
Value Name: ObjectName
18
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SPECSYSTEM
Value Name: Description
18
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SPECSYSTEM
18
Mutexes
Occurrences
Global\I98B68E3C
18
Global\M98B68E3C
18
MC8D2645C
18
<random, matching [a-zA-Z0-9]{5,9}>
18
IP Addresses contacted by malware. Does not indicate maliciousness
Occurrences
82[.]211[.]30[.]202
12
119[.]59[.]124[.]163
12
37[.]97[.]135[.]82
12
69[.]45[.]19[.]251
12
217[.]13[.]106[.]16
12
37[.]187[.]57[.]57
12
193[.]169[.]54[.]12
6
80[.]82[.]115[.]164
6
71[.]244[.]60[.]231
6
84[.]200[.]208[.]98
6
File Hashes
01593a61dbce3e76fc877e41431e50d3b4be87624d90a9775506d4bd71d2760a
0b27f786515e584d7d9be20bdb257cf7d530c04a50d1d6794e740b5f73a57acb
0ff608f42d1dd85c3f37da7036029364df52deb8f299ef80693fa8410f270880
14364e6d3b68bd897229beb3cfc403a97619159cd53eb743112e3e1aef41d91c
34812e948f6ce6f5fda8bb18b075e1ebe7edd54db906b51eb27e2578d837201b
3a7f15244ba98d41b5ff3e8923257a32c8c6e67708a156eda7e5cbb3ab44d34c
47f6b6f2a25fd83e38ddd870f534da9c54a5ffda8904b46f4bdc10429fc3fd8e
4d94ae394d3807f3825d4c98e146bcbc17dd60adfdf1518911b4c400b46d7758
5325f15a05b95eaefa9855f12413efeb3ecc339a41d3147676ec520db4d08fed
722786cb4c08c942596925e8da8a18cd829067c6714b951fa128311812c24b6a
7b0167a29632a92652aabe3b8eafbf98cb15e0dab643bfbc0256a77be7694258
7ef2a1f72aa702765b9c71b1a1de8db472650c02ae15eb70270b80f3c02f0db5
85fbacca424b9c58cf9ab6feeb3497d15529e6560b33a66f7f4c0458c80d5227
9349ce2527350b9c71a2b55ede69016bd463be73c019130fcb2790903f5abd0d
967733f0c45d0e19b53236d014f40543715e58d9e9958efd0a07723aeaa5c572
ac7a4050cd2c52ac442ef79b94b2af04ca1c9c7ceff05133c62fdd109907bc2d
e1132e32300dd6d0c780cf91906e641d04dce598ee5d3ef7c6d4a70713d07132
fc10181166fcf7253033da27bf25c1df2ea717704403331537768f231066c150
ffab3385e090744bb39a48f3cf1518363d17a91e24eb8c437ec96fc4dcd39487
Coverage
Product
Protection
Secure Endpoint
Cloudlock
N/A
CWS
Email Security
Network Security
Stealthwatch
N/A
Stealthwatch Cloud
N/A
Secure Malware Analytics
Umbrella
N/A
WSA
N/A
Screenshots of Detection****Secure Endpoint
Secure Malware Analytics
MITRE ATT&CK
Win.Dropper.Fareit-9994421-1****Indicators of Compromise
- IOCs collected from dynamic analysis of 22 samples
Registry Keys
Occurrences
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SCHEDULE
Value Name: NextAtJobId
22
<HKCU>\SOFTWARE\WINRAR
22
<HKCU>\SOFTWARE\WINRAR
Value Name: HWID
22
<HKLM>\SAM\SAM\DOMAINS\ACCOUNT\USERS\000003E9
Value Name: F
22
<HKLM>\SAM\SAM\DOMAINS\ACCOUNT\USERS\000001F5
Value Name: F
22
<HKLM>\SAM\SAM\DOMAINS\ACCOUNT\USERS\000003EC
Value Name: F
22
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\SIGNATURES
Value Name: At1.job
1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\SIGNATURES
Value Name: At1.job.fp
1
Domain Names contacted by malware. Does not indicate maliciousness
Occurrences
splwiu[.]info
22
slepoz[.]info
22
Files and or directories created
Occurrences
%System32%\Tasks\At1
22
%SystemRoot%\Tasks\At1.job
22
%System32%\drivers\etc\hosts.sam
22
%System32%\drivers\etc\tmp.tmp
22
%TEMP%\1272824692aq
2
%TEMP%\1272825253aq
2
%TEMP%\1272824536aq
1
%TEMP%\1272824926aq
1
%TEMP%\1272822757aq
1
%TEMP%\1272824661aq
1
%TEMP%\1272823491aq
1
%TEMP%\1272824083aq
1
%TEMP%\1272822445aq
1
%TEMP%\1272822461aq
1
%TEMP%\1272822289aq
1
%TEMP%\1272822945aq
1
%TEMP%\1272832414aq
1
%TEMP%\1272825768aq
1
%TEMP%\1272822804aq
1
%TEMP%\1272824395aq
1
%TEMP%\1272822835aq
1
%TEMP%\1272825955aq
1
%TEMP%\1272826392aq
1
%TEMP%\1272826891aq
1
File Hashes
06d493c3c386cc9b4a79bf6210c1524f2a68096262666213e7941fc09fba692d
10dcb4196b851ee45e194f39d321a873c6d5c17b146e129ff8c231506e7e1357
16b8f159ccc693e8602b31eb7e04f47d2db91ca37848df223388915478e8990b
174ae749aa2e208acad6c027d3977d0c22d6b17045ba72ee8f707695d5cdbe85
1b97e18edea5050fc61daf4c599ba25529c0a96382468d2463cb2bb1f74f404b
200435f84a6648abb8a55ff866373bbf3a190e76e2e60ff66e77360bb303c2ec
3005bc9ea3ee984eca3179e6e87f1e6af59128889c5aa11d91b36b0ff62c00d2
4306980b56c70ee90d09e346efa9c4014ab4802ecc30c2c2f300cc410484a070
4508a96887fbfdf1d89bbf15bf1574da9a4d96abc51676848023f6ae4b5e090f
47c486a892f16b4244ada411669b9d785da83d71e2cf7bbc3e1192683cb59e68
4c96c23ece92a8ab414394a0a04402972145bce768012bb006d4622d9e46cc76
4ecf1bcae86f6a571312f5e0f2fb2387e66312c06976920daa74e9247f7fa6b1
5d611d8d139e50505c9ff71c08b3fa06824da478c5331db70e568c358b7c6036
62905eb2afc58013d38a4700d67b8607e6fdf30c68de86a50173bbfd9a870c5b
987a723c2d4c604367b28950eb7c70852c47346637123aa3f84a5d120912b583
b942e291b9b446c7940bbe8e31a8bda034337c49839ecaeb4bb03715ea8abc4e
b96194cf2dd05d226496c04a6a1307d703c3017c1a733655d4e14916668b5ddd
d736fc9cc5c87b1ce6f9addf8cdf6c19a2ccbe7a4b733efa9f06bfa237d8527a
d96cb7c1c8330b6ebaceb4025799156250450bdc1175b3a6916278ddde7186fa
e72269954fc113b52ac7be95229ad26322635621ecdf5431e3ee4bb1a6daf95f
ec5350e05ebe06c6246144e6456ae40294a5f738ee0006b4291919103b6a360c
f7e6866e63a3ffb4e3da8979a74f8c7013cad913275998ddab388353d6b8e6ed
Coverage
Product
Protection
Secure Endpoint
Cloudlock
N/A
CWS
Email Security
Network Security
Stealthwatch
N/A
Stealthwatch Cloud
N/A
Secure Malware Analytics
Umbrella
N/A
WSA
N/A
Screenshots of Detection****Secure Endpoint
Secure Malware Analytics
MITRE ATT&CK
Win.Dropper.DarkComet-9994524-1****Indicators of Compromise
- IOCs collected from dynamic analysis of 13 samples
Registry Keys
Occurrences
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN
Value Name: Policies
13
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN
Value Name: Policies
13
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: HKLM
13
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: HKCU
13
<HKCU>\SOFTWARE\REMOTE
Value Name: NewIdentification
13
<HKCU>\SOFTWARE\REMOTE
Value Name: NewGroup
13
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN
13
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN
13
<HKCU>\SOFTWARE\REMOTE
13
<HKCU>\SOFTWARE\REMOTE
Value Name: FirstExecution
13
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS{4KB410KP-K47X-F1OS-P28S-4EM4PML0P85S}
12
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS{4KB410KP-K47X-F1OS-P28S-4EM4PML0P85S}
Value Name: StubPath
12
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS{QUESH2FS-EW8G-217P-W5KA-61WH6D6G0SHH}
1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS{QUESH2FS-EW8G-217P-W5KA-61WH6D6G0SHH}
Value Name: StubPath
1
Mutexes
Occurrences
Administrator5
13
DGUH4X41T1IOR4
12
DGUH4X41T1IOR4Administrator15
12
DGUH4X41T1IOR4_RESTART
12
DGUH4X41T1IOR4_SAIR
12
0T13YCQ10SV7R0
1
0T13YCQ10SV7R0Administrator15
1
0T13YCQ10SV7R0_RESTART
1
0T13YCQ10SV7R0_SAIR
1
Domain Names contacted by malware. Does not indicate maliciousness
Occurrences
dfuso[.]zapto[.]org
12
koort[.]zapto[.]org
1
Files and or directories created
Occurrences
%TEMP%\Administrator7
13
%TEMP%\Administrator8
13
%APPDATA%\Administratorv1.18.0 - Trial versionlog.dat
13
%TEMP%\Administrator2.txt
13
%SystemRoot%\SysWOW64\install
13
%SystemRoot%\SysWOW64\install\server.exe
13
File Hashes
1737a47c7c99e14900e7c0c50634d6c2d501b3791d3378023dd7c98cdd4a2092
1dc73c05eba96649d459e39f33678f6ef6b80068f1497fbdac3c0851f367d6b2
23fcef1c2aa3aaa06fba04edd246f3d540ba33dfcb48190c2ce68eed3b10488c
28db39898aa31ff39a363061f3a1185d3d9048ae43279f4db24806fb9091342d
32141021a611a0e52a74f81e2757b91369c5b90f23b63c3446afd0413492d855
5e27228a51e84b26e0075049b3fe4da31805894ddbe3b5fa11a5782f804dc34e
7ac698b31b4350f8b330fb85af049cd5d0ec35dc0272445c3eab61a67f0ae18e
8c33791c2fad6489ac0d30ab28682b07c1603e5cce0e0fcafca6513149a852dc
b523f3a0bbdb732742d9c34538b40a23613c46a425568f4e0d92ce35a3da7ea7
d531098fe1e0c6e1c6e0aac2248d8e316462dfc52bbf1e551833d4721fd3176b
ea9d1028dadc79eadf9eadf728d6c999fa429c05bffebbdfce34d4cf6c0b68f3
f863ec84969fbf861b13999d5d1a271864edf9f54d43412ecd79c1220ea6433e
fabc2eee42dc5af4e7aa7c97e7f97bbb2b8d81b47c4272ced6d35653f956ea81
Coverage
Product
Protection
Secure Endpoint
Cloudlock
N/A
CWS
Email Security
Network Security
N/A
Stealthwatch
N/A
Stealthwatch Cloud
N/A
Secure Malware Analytics
Umbrella
N/A
WSA
N/A
Screenshots of Detection****Secure Endpoint
Secure Malware Analytics
MITRE ATT&CK