Security
Headlines
HeadlinesLatestCVEs

Headline

Threat Roundup for November 3 to November 10

Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between Nov. 3 and Nov. 10. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key

TALOS
#vulnerability#web#mac#windows#google#microsoft#js#botnet#acer#oauth#auth

Thursday, November 9, 2023 13:11

Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between Nov. 3 and Nov. 10. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. A visual depiction of the MITRE ATT&CK techniques associated with each threat is also shown. In these images, the brightness of the technique indicates how prevalent it is across all threat files where dynamic analysis was conducted. There are five distinct shades that are used, with the darkest indicating that no files exhibited technique behavior and the brightest indicating that technique behavior was observed from 75 percent or more of the files.

The most prevalent threats highlighted in this roundup are:

Threat Name

Type

Description

Win.Dropper.njRAT-10013547-0

Dropper

njRAT, also known as Bladabindi, is a remote access trojan (RAT) that allows attackers to execute commands on the infected host, log keystrokes and remotely turn on the victim’s webcam and microphone. njRAT was developed by the Sparclyheason group. Some of the largest attacks using this malware date back to 2014.

Win.Dropper.Zeus-10013588-0

Dropper

Ponystealer is known to steal credentials from more than 100 different applications and may also install other malware such as a remote access tool (RAT).

Win.Dropper.Tofsee-10013531-0

Dropper

Tofsee is multi-purpose malware that features a number of modules used to carry out various activities such as sending spam messages, conducting click fraud, mining cryptocurrency, and more. Infected systems become part of the Tofsee spam botnet and are used to send large volumes of spam messages to infect additional systems and increase the size of the botnet under the operator’s control.

Win.Dropper.Glupteba-10013467-0

Dropper

Glupteba is a multi-purpose trojan that uses the infected machine to mine cryptocurrency and steal sensitive information like usernames and passwords, spreads over the network using exploits like EternalBlue, and leverages a rootkit component to remain hidden. Glupteba has also been observed using the Bitcoin blockchain to store configuration information.

Win.Downloader.Upatre-10013406-0

Downloader

Upatre is a malicious downloader often used by exploit kits and phishing campaigns. Upatre downloads and executes malicious executables, such as banking malware.

Win.Malware.Diztakun-10013372-0

Malware

Diztakun is a trojan dropped by another malware family or downloaded by a user that will modify system settings. This malware is known for its use of Image File Execution Options (IFEO) to gain persistence and inject itself into other executables.

Doc.Malware.Valyria-10013349-0

Malware

These variants of Valyria are malicious Microsoft Word documents that contain embedded VBA macros used to distribute other malware.

Threat Breakdown****Win.Dropper.njRAT-10013547-0****Indicators of Compromise

  • IOCs collected from dynamic analysis of 12 samples

Registry Keys

Occurrences

\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM
Value Name: EnableLUA

12

\S-1-5-21-2580483871-590521980-3826313501-500
Value Name: di

12

\ENVIRONMENT
Value Name: SEE_MASK_NOZONECHECKS

12

\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM
Value Name: ConsentPromptBehaviorAdmin

12

\SOFTWARE\7657C14284185FBD3FB108B43C7467BA

12

\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: 7657c14284185fbd3fb108b43c7467ba

12

\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: 7657c14284185fbd3fb108b43c7467ba

12

\SOFTWARE\7657C14284185FBD3FB108B43C7467BA
Value Name: [kl]

12

\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL
Value Name: NodeSlots

1

\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL
Value Name: MRUListEx

1

\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\1
Value Name: MRUListEx

1

\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\1\0
Value Name: MRUListEx

1

Mutexes

Occurrences

7657c14284185fbd3fb108b43c7467ba

12

Files and or directories created

Occurrences

%TEMP%\server.exe

12

%TEMP%\

12

%TEMP%\2922\2922.exe

1

%TEMP%\6781\6781.exe

1

%TEMP%\4928\4928.exe

1

%TEMP%\2924\2924.exe

1

%TEMP%\6119\6119.exe

1

%TEMP%\2989\2989.exe

1

%TEMP%\2369\2369.exe

1

%TEMP%\2894\2894.exe

1

%TEMP%\4627\4627.exe

1

%TEMP%\960\960.exe

1

%TEMP%\7015\7015.exe

1

%TEMP%\6329\6329.exe

1

File Hashes

00ac33ba819475ab380691c51b37ef3f0aae4789dea3ee19a941dc2875350a91
0dcd6cf9cca20830f39bf99fc803ce4036f60a8c9599cbf8d690d63b15edd7c4
1047e229661a188dd1b094366c558834435208bb909b2ad14bb221eb1c2c81b7
113f0a0e7072f324ad84c649d08970ee7e68e334061a099f0c1b6d9413951985
1987b7a30ffdcca9651037e997520d4326271232f8ac40e470c5697ae1a74d92
48144f08dfb3de926ad22f24b600bea45c1138fd7d4581b32aa25662439c6d82
4ffc3afac19e6da3d800391745ce2ff9eedc1d8b19de0cf5ab95cd432a55829c
58fe188a03e36361c73216b1fca0c3f471e1b5b582af50d4755f681fad664790
6a81e146ef0ebf60390eefd50f8ba98b1bb003bbb14ed0d358be18a5810db989
7e7e12bca94dedba69a99691400bd54adcedb12ccb39a98c663e553c882d3f52
c9d1a2d3921d5aa33d493069c33a8a852df063f0e4b9313b05fc1c7a1eec4fbe
d5f6dadb21774b0ddcef4a8ee027e6c953701a3a2b3744eed53664da88a4f1f0

Coverage

Product

Protection

Secure Endpoint

Cloudlock

N/A

CWS

Email Security

Network Security

N/A

Stealthwatch

N/A

Stealthwatch Cloud

N/A

Secure Malware Analytics

Umbrella

N/A

WSA

N/A

Screenshots of Detection****Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Dropper.Zeus-10013588-0****Indicators of Compromise

  • IOCs collected from dynamic analysis of 30 samples

Registry Keys

Occurrences

\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES{0633EE93-D776-472F-A0FF-E1416B8B2E3A}
Value Name: FaviconPath

7

\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES{0633EE93-D776-472F-A0FF-E1416B8B2E3A}
Value Name: Deleted

7

\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES
Value Name: DefaultScope

7

\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}

7

\Software\Microsoft\

7

\SOFTWARE\MICROSOFT\INTERNET EXPLORER\PRIVACY
Value Name: CleanCookies

4

\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.101
Value Name: CheckSetting

4

\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.103
Value Name: CheckSetting

4

\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.100
Value Name: CheckSetting

4

\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.102
Value Name: CheckSetting

4

\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.104
Value Name: CheckSetting

4

\SOFTWARE\DC3_FEXEC

3

\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Taskmgr

2

\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
Value Name: UserInit

2

\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: {1A01E4EA-2D84-D670-B0DB-AEA399D273CB}

2

\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: LANDrivers

1

\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: help

1

\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: help

1

\SOFTWARE\MICROSOFT\KEWUZA
Value Name: Kuombao

1

\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: {8E249526-629F-428A-AE89-37BA344B74E9}

1

\SOFTWARE\MICROSOFT\PAHUIH
Value Name: Ozzunaso

1

\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: {ACEB48EA-5F14-3060-00C6-58E8C8BD1132}

1

\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
Value Name: Shell

1

\SOFTWARE\MICROSOFT\DACOU
Value Name: Raohfyiqu

1

\SOFTWARE\MICROSOFT\MAQU
Value Name: Izalfe

1

Mutexes

Occurrences

UACMutexxxxx

16

Local{}

7

GLOBAL{}

6

UFR3

3

DC_MUTEX-TKAU2Y6

2

Global\19e8f421-7c3b-11ee-9660-001517aeb5c3

1

Global\1d29d6e1-7c3b-11ee-9660-0015174de944

1

Global\1ba38501-7c3b-11ee-9660-001517b129f4

1

DC_MUTEX-V8SHNMZ

1

Global\31c933c1-7c8b-11ee-9660-0015171a3bbd

1

IP Addresses contacted by malware. Does not indicate maliciousness

Occurrences

192[.]229[.]211[.]108

7

13[.]107[.]21[.]200

5

142[.]250[.]64[.]65

1

31[.]170[.]164[.]170

1

Domain Names contacted by malware. Does not indicate maliciousness

Occurrences

www[.]bing[.]com

7

cacerts[.]digicert[.]com

7

c0p1[.]com

2

salarsokoot[.]no-ip[.]biz

2

www[.]unitedstateforus[.]com

2

tf2m[.]ru

1

pin47[.]blogspot[.]ru

1

ftp[.]ytruhgnhvjukuffkk[.]p[.]ht

1

gbproof[.]org

1

spitfire[.]ufcfan[.]org

1

maldovaars[.]com

1

Files and or directories created

Occurrences

%APPDATA%\

10

%TEMP%\tmp.bat

7

%APPDATA%.exe

7

%SystemRoot%\SysWOW64\Drivers\task.exe

2

%APPDATA%\InstallDir

1

%APPDATA%\InstallDir\help.exe

1

%System32%\windi32.exe

1

%ProgramData%\systemskey.ini

1

%APPDATA%\Utus\uvuw.oxi

1

%TEMP%\cd8e8b5b178c2d9e5acbdeda4854746eb2709cba2fbb2e986ae1dc25f6c0d575.exe

1

%TEMP%\YaCheck.exe

1

%APPDATA%\Weyf\eqsyl.vot

1

%APPDATA%\Ivlov\qinee.asy

1

%TEMP%\5d673897a553689e7b4ca6d3be149211f1027f9c82891af1ce65ea1c9639119b.exe

1

%TEMP%\report_05-11-2023_18-26-11-11B0A35710D760E40567A55CF3411F9E-NLGD.bin

1

%TEMP%\NO_PWDS_report_05-11-2023_18-26-11-11B0A35710D760E40567A55CF3411F9E-NLGD.bin

1

%APPDATA%\Hyraix\viaqf.alh

1

%APPDATA%\Onuvy\talyk.cea

1

%APPDATA%\Ypep\huni.ryo

1

%APPDATA%\Ziyblo\usoxh.ili

1

%SystemRoot%\serwos.exe

1

File Hashes

097f1d24084ad3668f6f92daa4fc05da8540623492c158ea41ee7ec86399bd21
1d5efb1de624668fa8dbc3bde4e29f3a1c57491afa34ed7006c01821fc9324d1
28ec85247bb5cfc649e866fd234cfa219ec1fc580dee22bb14889a7654361eb6
2cb399731194831e8aef70fa92249eae3ac2c53d78df8601e48d824315d0f507
4c91493d94e0dfb3e814f465e0cb050177168a6dbb916572d994f09b3c116c7c
4d565325e1c7e54210f3178909fc05d45984b4bc623d9fe3804497f713604e9c
4f23fa7f21f6b529f2581cee723ac0f4ceaefac922868063e0c4d533ac475ddd
4f3823d6c5cc2500edbfe0909c60667b126e0439e77c8b1d5c4c40d459b96387
527fad1b322cf36c0b367766e560f8bb18181c172d824884d1a2ebf40f6a35bd
55cc7012c73a0f31823c4bd740affc2eb1efdeecdfc7c7a569d5d666d6dc48d5
5d673897a553689e7b4ca6d3be149211f1027f9c82891af1ce65ea1c9639119b
5eba33c82756f682fab6f35ee6d16e3675d5cd611fbf1dc46996fd24fa7f5ea2
79b3c719494efd43623afeadf817746d663819c88f2b6f67e92fb48c5092eba4
7fc8139b2e5cace8c217c164f62097748cf1125fdba8de1b41e1858f540bf6c9
83053718f2278338d9b3c934c5645f94f5625d66a56d28e11424cd2f9e46004f
83a048271aefcc6707c1d994f55d78a85d3d05c734185b93381ed20888043c06
947d964061c1cb1ecf83cd9af68acd729ba992c807c6f2defbe0c595562c690b
956275197ed36332417fe84b947e5d7ac894fb67fa262dc765444c952a13b5bc
a4ab9fb82f2c093ea3466b57609da2503e28c245ea0554a2a228ab41dde68a5c
aa546035f13f04ca14585c866f35b54e38a631064cee8d8012d3a477b2c33d89
b6748ee9af728376aea6171e27fa0281421b9404e6ba150ff99fc726241db140
b9a641ff22644aa474e91b92b6e1c71b91d057b1315d291f2f22b9713dd5608a
bb8bbeb6a2496926919a70a4dd3817a20e8f0137afb3f13f3fc010b8681eed43
c0f4f1ac3a0ceb4d6623f88a54ee15e6e73bcecb02e0c4230d4acd9f00746e80
c2560bc32b415ad78cddee6794738b8484575932ea3237acd61a2d1e4389c412
*See JSON for more IOCs

Coverage

Product

Protection

Secure Endpoint

Cloudlock

N/A

CWS

Email Security

Network Security

Stealthwatch

N/A

Stealthwatch Cloud

N/A

Secure Malware Analytics

Umbrella

N/A

WSA

N/A

Screenshots of Detection****Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Dropper.Tofsee-10013531-0****Indicators of Compromise

  • IOCs collected from dynamic analysis of 17 samples

Registry Keys

Occurrences

\SYSTEM\CONTROLSET001\SERVICES\

14

\SYSTEM\CONTROLSET001\SERVICES\
Value Name: Type

14

\SYSTEM\CONTROLSET001\SERVICES\
Value Name: Start

14

\SYSTEM\CONTROLSET001\SERVICES\
Value Name: ErrorControl

14

\SYSTEM\CONTROLSET001\SERVICES\
Value Name: DisplayName

14

\SYSTEM\CONTROLSET001\SERVICES\
Value Name: WOW64

14

\SYSTEM\CONTROLSET001\SERVICES\
Value Name: ObjectName

14

.DEFAULT\CONTROL PANEL\BUSES

13

.DEFAULT\CONTROL PANEL\BUSES
Value Name: Config2

13

\SYSTEM\CONTROLSET001\SERVICES\
Value Name: Description

13

.DEFAULT\CONTROL PANEL\BUSES
Value Name: Config0

13

.DEFAULT\CONTROL PANEL\BUSES
Value Name: Config1

13

\SYSTEM\CONTROLSET001\SERVICES\
Value Name: ImagePath

13

\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\blniewvr

2

\SOFTWARE\MICROSOFT\ASSISTANCE\CLIENT\1.0\SETTINGS
Value Name: IsConnected

1

\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\isupldcy

1

\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\oyavrjie

1

\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\vfhcyqpl

1

\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\mwytphgc

1

\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\eoqlhzyu

1

\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\gqsnjbaw

1

\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\zjlgcutp

1

\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\dnpkgyxt

1

\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\lvxsogfb

1

\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\akmhdvuq

1

IP Addresses contacted by malware. Does not indicate maliciousness

Occurrences

176[.]113[.]115[.]136

14

80[.]66[.]75[.]4

14

176[.]113[.]115[.]135

14

45[.]143[.]201[.]238

14

176[.]113[.]115[.]84

14

62[.]122[.]184[.]92

14

80[.]66[.]75[.]77

14

83[.]97[.]73[.]44

14

31[.]13[.]65[.]174

13

31[.]13[.]65[.]52

13

172[.]217[.]165[.]132

10

93[.]115[.]25[.]49

10

34[.]120[.]241[.]214

10

93[.]115[.]25[.]10

9

93[.]115[.]25[.]73

9

93[.]115[.]25[.]13

8

93[.]115[.]25[.]110

8

158[.]160[.]73[.]47

8

149[.]154[.]167[.]99

6

172[.]217[.]21[.]164

6

23[.]0[.]18[.]123

6

84[.]201[.]152[.]220

6

104[.]47[.]53[.]36

4

20[.]70[.]246[.]20

4

87[.]240[.]129[.]135

3

*See JSON for more IOCs

Domain Names contacted by malware. Does not indicate maliciousness

Occurrences

249[.]5[.]55[.]69[.]in-addr[.]arpa

14

www[.]google[.]com

14

vanaheim[.]cn

14

249[.]5[.]55[.]69[.]bl[.]spamcop[.]net

13

249[.]5[.]55[.]69[.]cbl[.]abuseat[.]org

13

249[.]5[.]55[.]69[.]dnsbl[.]sorbs[.]net

13

249[.]5[.]55[.]69[.]sbl-xbl[.]spamhaus[.]org

13

249[.]5[.]55[.]69[.]zen[.]spamhaus[.]org

13

i[.]instagram[.]com

13

microsoft-com[.]mail[.]protection[.]outlook[.]com

13

microsoft[.]com

13

www[.]instagram[.]com

13

www[.]evernote[.]com

10

steamcommunity[.]com

7

www[.]tiktok[.]com

6

t[.]me

6

api[.]steampowered[.]com

6

www[.]youtube[.]com

4

oauth[.]vk[.]com

4

identity[.]bitwarden[.]com

4

www[.]ebay[.]co[.]uk

3

api[.]vk[.]com

3

ustawienia[.]poczta[.]onet[.]pl

3

work[.]a-poster[.]info

2

api[.]twitter[.]com

2

*See JSON for more IOCs

Files and or directories created

Occurrences

%SystemRoot%\SysWOW64\

14

%SystemRoot%\SysWOW64\config\systemprofile

13

%SystemRoot%\SysWOW64\config\systemprofile:.repos

13

%TEMP%.exe

12

%ProgramData%\Microsoft\Assistance\Client\1.0\en-US\Help_MValidator.Lck

1

%TEMP%\qzfqodv.exe

1

%TEMP%\foufdsk.exe

1

File Hashes

03408910e1c86cc056f6135cb25bfdce0a3530c3dedd2d96dc6a40602f837c25
1599d9770df3e105a97d69cc47a49732db055e9e7a2dc5e7c777b8b33d3a7e35
1c1062e65701fdea8fa0eca0884f974b8c9e6cfe70391dfc33fcbf5594b1ebf8
201287642e01dd6fcc785929ac1dd66a9b9961f95128267d220993af7f3d4c88
2955d095548626a3a61cf4358d7d6de5f3233d14592f94e0616a74b3169dab96
2c4bb17a2e6d629b65c33e0c0c59ecf4dd36e5b8d51cb3c46ce9310f7c81138c
3d0d45b889aa467906cb79f015ea61d6b80f19b4d454affabe12bfe4bed95961
42ba3cb49ff67fd0526e68328c20c1387f8c671ccb5f0a2eb832c50d9c950770
518e73ce19f80568856c6fdc5256a36bce0e0a3d90c10fad0785a49126ac3773
70b11bca91cb73e563a87fd4a09fa1c8618c650cfb19d1ac7933c39b35cd8a0c
80015dfd0fb4f0867daa13132c1ac922cc94c850853b874bae77e42c5248a7ee
98c2ff26ab1bc639c2f1600d6127245b719dbfe619c784a9458b826d5aeeda4b
cc0cdaa2852647954c8cabd65e9643ce8ad5efd7b375aa8ebae117b6239aada1
d6ac332db3811db38ec9a3901df479e6e76a12f7cc2485d52ad6d3395f65006f
f73955aea9b55ae0a5088f688ab408a394c2a6cfb88d4a8ae55370ff4356fd16
f909a687d10996b76a0b847d7fbd686231b4f60c3c134e1bdb4144555fd67a13
ffb9de19ee6cc9a60877abaac8fb9aa14922438b47603084a2470330644de239

Coverage

Product

Protection

Secure Endpoint

Cloudlock

N/A

CWS

Email Security

Network Security

Stealthwatch

N/A

Stealthwatch Cloud

N/A

Secure Malware Analytics

Umbrella

WSA

Screenshots of Detection****Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Dropper.Glupteba-10013467-0****Indicators of Compromise

  • IOCs collected from dynamic analysis of 12 samples

Registry Keys

Occurrences

\SOFTWARE\MICROSOFT\A1890984
Value Name: PatchTime

12

\SOFTWARE\MICROSOFT\A1890984
Value Name: PGDSE

12

\SYSTEM\CONTROLSET001\SERVICES\VBOXWDDM
Value Name: DisplayName

12

\SYSTEM\CONTROLSET001\SERVICES\VBOXWDDM
Value Name: WOW64

12

\SYSTEM\CONTROLSET001\SERVICES\VBOXWDDM
Value Name: ObjectName

12

\SYSTEM\CONTROLSET001\SERVICES\VBOXSF
Value Name: Type

12

\SYSTEM\CONTROLSET001\SERVICES\VBOXSF
Value Name: Start

12

\SYSTEM\CONTROLSET001\SERVICES\VBOXSF
Value Name: ErrorControl

12

\SYSTEM\CONTROLSET001\SERVICES\VBOXSF
Value Name: ImagePath

12

\SYSTEM\CONTROLSET001\SERVICES\VBOXSF
Value Name: DisplayName

12

\SYSTEM\CONTROLSET001\SERVICES\VBOXSF
Value Name: WOW64

12

\SYSTEM\CONTROLSET001\SERVICES\VBOXSF
Value Name: ObjectName

12

\SYSTEM\CONTROLSET001\SERVICES\VBOXMOUSE
Value Name: Type

12

\SYSTEM\CONTROLSET001\SERVICES\VBOXMOUSE
Value Name: Start

12

\SYSTEM\CONTROLSET001\SERVICES\VBOXMOUSE
Value Name: ErrorControl

12

\SYSTEM\CONTROLSET001\SERVICES\VBOXMOUSE
Value Name: ImagePath

12

\SYSTEM\CONTROLSET001\SERVICES\VBOXMOUSE
Value Name: DisplayName

12

\SYSTEM\CONTROLSET001\SERVICES\VBOXMOUSE
Value Name: WOW64

12

\SYSTEM\CONTROLSET001\SERVICES\VBOXMOUSE
Value Name: ObjectName

12

\SYSTEM\CONTROLSET001\SERVICES\VBOXGUEST
Value Name: Type

12

\SYSTEM\CONTROLSET001\SERVICES\VBOXGUEST
Value Name: Start

12

\SYSTEM\CONTROLSET001\SERVICES\VBOXGUEST
Value Name: ErrorControl

12

\SYSTEM\CONTROLSET001\SERVICES\VBOXGUEST
Value Name: ImagePath

12

\SYSTEM\CONTROLSET001\SERVICES\VBOXGUEST
Value Name: DisplayName

12

\SYSTEM\CONTROLSET001\SERVICES\VBOXGUEST
Value Name: WOW64

12

Mutexes

Occurrences

Global\SetupLog

12

Global\WdsSetupLogInit

12

Global\h48yorbq6rm87zot

12

WininetConnectionMutex

12

Global\qtxp9g8w

12

Global\xmrigMUTEX31337

6

IP Addresses contacted by malware. Does not indicate maliciousness

Occurrences

204[.]79[.]197[.]219

12

20[.]150[.]79[.]68

9

104[.]21[.]23[.]184

8

20[.]150[.]38[.]228

6

142[.]250[.]15[.]127

5

20[.]150[.]70[.]36

5

162[.]159[.]134[.]233

4

172[.]67[.]212[.]188

4

185[.]82[.]216[.]104

4

162[.]159[.]130[.]233

3

3[.]33[.]249[.]248

3

185[.]82[.]216[.]108

3

185[.]82[.]216[.]111

3

162[.]159[.]133[.]233

2

162[.]159[.]129[.]233

2

74[.]125[.]128[.]127

2

172[.]253[.]120[.]127

2

185[.]82[.]216[.]96

2

162[.]159[.]135[.]233

1

81[.]3[.]27[.]44

1

142[.]250[.]112[.]127

1

142[.]250[.]144[.]127

1

Domain Names contacted by malware. Does not indicate maliciousness

Occurrences

msdl[.]microsoft[.]com

12

vsblobprodscussu5shard35[.]blob[.]core[.]windows[.]net

12

vsblobprodscussu5shard60[.]blob[.]core[.]windows[.]net

12

cdn[.]discordapp[.]com

12

walkinglate[.]com

12

stun1[.]l[.]google[.]com

5

stun[.]sipgate[.]net

3

79102df1-5f9d-4ca9-bdf6-1fa1060285b4[.]uuid[.]createupdate[.]org

3

stun4[.]l[.]google[.]com

2

stun3[.]l[.]google[.]com

2

79102df1-5f9d-4ca9-bdf6-1fa1060285b4[.]uuid[.]alldatadump[.]org

2

79102df1-5f9d-4ca9-bdf6-1fa1060285b4[.]uuid[.]localstats[.]org

2

server10[.]alldatadump[.]org

2

stun[.]l[.]google[.]com

1

stun[.]stunprotocol[.]org

1

stun2[.]l[.]google[.]com

1

stun[.]ipfire[.]org

1

79102df1-5f9d-4ca9-bdf6-1fa1060285b4[.]uuid[.]filesdumpplace[.]org

1

79102df1-5f9d-4ca9-bdf6-1fa1060285b4[.]uuid[.]allstatsin[.]ru

1

server3[.]statscreate[.]org

1

79102df1-5f9d-4ca9-bdf6-1fa1060285b4[.]uuid[.]statscreate[.]org

1

79102df1-5f9d-4ca9-bdf6-1fa1060285b4[.]uuid[.]theupdatetime[.]org

1

79102df1-5f9d-4ca9-bdf6-1fa1060285b4[.]uuid[.]myfastupdate[.]org

1

server3[.]createupdate[.]org

1

server1[.]myfastupdate[.]org

1

*See JSON for more IOCs

Files and or directories created

Occurrences

%SystemRoot%\Logs\CBS\CBS.log

12

%SystemRoot%\rss

12

%SystemRoot%\rss\csrss.exe

12

%TEMP%\csrss

12

%TEMP%\csrss\dsefix.exe

12

%TEMP%\csrss\patch.exe

12

%System32%\drivers\Winmon.sys

12

%System32%\drivers\WinmonFS.sys

12

%System32%\drivers\WinmonProcessMonitor.sys

12

%SystemRoot%\windefender.exe

12

%TEMP%\Symbols

12

%TEMP%\Symbols\ntkrnlmp.pdb

12

%TEMP%\Symbols\ntkrnlmp.pdb\9E22A5947A15489895CE716436B45BE02

12

%TEMP%\Symbols\ntkrnlmp.pdb\9E22A5947A15489895CE716436B45BE02\download.error

12

%TEMP%\Symbols\pingme.txt

12

%TEMP%\Symbols\winload_prod.pdb

12

%TEMP%\Symbols\winload_prod.pdb\B7B16B17E078406E806A050C8BEE2E361

12

%TEMP%\Symbols\winload_prod.pdb\B7B16B17E078406E806A050C8BEE2E361\download.error

12

%TEMP%\dbghelp.dll

12

%TEMP%\ntkrnlmp.exe

12

%TEMP%\osloader.exe

12

%TEMP%\symsrv.dll

12

%TEMP%\csrss\DBG0.tmp

12

%System32%\Tasks\csrss

12

%TEMP%\csrss\injector

12

*See JSON for more IOCs

File Hashes

053421a64d181eacb1e3c1bb16e87107462a32c11c91c7f77059adf82198dd4a
18e21947b1c4b6a364e6844183a2e1146a7aff868f7659de8ff4e2094c138aae
1ff3ea05dc55c0f1bcf63d5ed247c30db85ead74eb543e7fa42d612f5a877a58
2b6fe7559d8372ace429d8e8e96ff196d0af56593a31b33d8b6967f3e92de824
2c3498ae141cab2a551e48070676e127882cd72d56ac29b742a968042aa380ca
39322869eed23d913a8e2ab6fbd902e9bc1d1a2a5d2c537b9ecabe10172723c6
5bc8c1bfbf0506a24f4561666117a459f91404b859b61112a0a709404f2cb3d9
aa7c8cd6668998b0a41960ae3a65c30fec966c81c9ec49a3e8f6b85e1faeda34
ccfe83f9d4edf14bc10432f13b7d536893f967d9aba631c4a58c2333d78eb202
cfb46da0a07f529ccf93fa018e57a878ea1a8192587757d4e4d1789225787310
d29b1f159ddc23aa0ce5bd9603bce5707516d026da67cba7997a15ad06dd291a
eef3627e8e0145aa519300d639898f7478ae1f0151eb1b5b788c834ffc6f786b

Coverage

Product

Protection

Secure Endpoint

Cloudlock

N/A

CWS

Email Security

Network Security

Stealthwatch

N/A

Stealthwatch Cloud

N/A

Secure Malware Analytics

Umbrella

WSA

Screenshots of Detection****Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Downloader.Upatre-10013406-0****Indicators of Compromise

  • IOCs collected from dynamic analysis of 67 samples

IP Addresses contacted by malware. Does not indicate maliciousness

Occurrences

104[.]18[.]114[.]97

36

104[.]18[.]115[.]97

30

95[.]143[.]141[.]50

1

68[.]55[.]59[.]145

1

37[.]57[.]144[.]177

1

Domain Names contacted by malware. Does not indicate maliciousness

Occurrences

icanhazip[.]com

66

Files and or directories created

Occurrences

%TEMP%\murzuja.exe

66

File Hashes

02627c827c7ed7cb06e0b8b8579f09d41309a34dedc21f6cbfda0c4ad111e633
02909ed4e0457bf8342cc7f6b5a40da25879b344b1193fa2902a946f35b87edf
036c65acf57caf215ad7f2b61b514588aaf57b834116c9414ccf4be0153d8dd0
04042ea6ec8b598fcb8ead8f8002f64568ead807aecb5801f44cc28a4ce034ff
0a6ffe8c5e7617aa0e44f415937d84008660f31af54d00322791dda2dba6a9be
0a9d65e29aff36bfd2c98bf5c0a8ccf246da39e11c3fc5b1a67c693c735a9f8a
0dbcd3c2f5e21d195f9061c8a8efdba3aa33ebe74dcff73cf5ecdca637b730f7
0e6bdb6f60252434dd2b0136025d7c1f3ef12f078a2223f8a249635cd56adeb3
0eb45a5851243f1f75a3c81ac14f13427dc57d9acf04557f0ef422cb105c4c96
1063a4d37d9f88b22d74bd04c0c6f7935ba89a6d2dbed6cc74b32c4fb8416647
11ab4795253d6c47f03139b8fbd20662798c4826b0499050497083452337918a
19ef0532a84339ab7cefb178631ea3715b27f9cfdf403428f584b5c609f9a21c
1b462cc5e7c02e976468b4385af3aa0fc331b92c5d26866b4d0828b6917778d7
1e69a3611389c0a022da61343c970fc223112e19770fce3eea6f5d6a7688da7a
206c7347eb7b833f93fbd9443946f58f5b186d12199d597b36ae3da0d59fd8d1
2171271cb6b501695f5d4ed386b756929e133b7d7ae4effb81d6297937dfd54e
22c28311a81fc7c7edf453514b2dacfa5740b770a1cb04ec2dcd5c3b142564b0
22df8ec37631f3914b9c533c50ba28ba603c04674300fedf032822830c110e16
248de47e1f95e84826ddd16ba9d75976ac08b2f964925317b9029c3e4f88a9f0
29355acdbb6325357a7e102ef75271e9a4b76584480dbe2684dbb67776beffb6
2a4a2c50d96b49fa61b1cccf3500db4a8e5a9b078bcf1a95a5f932c242fb1198
2a92e428519d5243b702cfbbd3d15470d68cf70b51b46234fb48a6f9c311b367
2aeba5724cde048b812473a94bfe63e6c781e498cf00c7b1c6202c6f3d717de7
2bf2d78f43dddf5b894a588e9a60cead65485dd4fe1934132e56f85bb72df707
2c5fe5a61d53230430f719ed030a92a52b14d62822db8386db1deb8bb9dff3cc
*See JSON for more IOCs

Coverage

Product

Protection

Secure Endpoint

Cloudlock

N/A

CWS

Email Security

Network Security

Stealthwatch

N/A

Stealthwatch Cloud

N/A

Secure Malware Analytics

Umbrella

N/A

WSA

N/A

Screenshots of Detection****Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Malware.Diztakun-10013372-0****Indicators of Compromise

  • IOCs collected from dynamic analysis of 25 samples

Registry Keys

Occurrences

\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM
Value Name: DisableTaskMgr

25

\SYSTEM\CONTROLSET001\SERVICES\SR
Value Name: Start

25

\SYSTEM\CONTROLSET001\SERVICES\WUAUSERV
Value Name: Start

25

\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\INSTALLER
Value Name: DisableMSI

25

\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN

25

\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY

25

\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\INSTALLER

25

\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNSERVICES

25

\SOFTWARE\POLICIES\MICROSOFT\WINDOWSFIREWALL

25

\SYSTEM\CONTROLSET001\SERVICES\SR

25

\SYSTEM\CONTROLSET001\SERVICES\ALERTER

25

\SYSTEM\CONTROLSET001\SERVICES\ALERTER
Value Name: Start

25

\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
Value Name: DisableCAD

25

\SOFTWARE\CLASSES\WINRAR

25

\SOFTWARE\CLASSES\WINRAR\SHELL

25

\SOFTWARE\CLASSES\WINRAR\SHELL\OPEN

25

\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
Value Name: SFCDisable

25

\SOFTWARE\POLICIES\INTERNET EXPLORER

25

\SOFTWARE\POLICIES\INTERNET EXPLORER\CONTROLPANEL

25

\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\WINDOWSUPDATE

25

\SOFTWARE\CLASSES\FILTER

25

\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNET EXPLORER\DESKTOP

25

\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNET EXPLORER\DESKTOP\COMPONENTS

25

\SOFTWARE\WOW6432NODE\MICROSOFT\CTF\LANGBARADDIN

25

\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\SHAREDTASKSCHEDULER

25

Mutexes

Occurrences

Global\C::Users:Administrator:AppData:Local:Microsoft:Windows:Explorer:thumbcache_idx.db!010a0

25

Global\C::Users:Administrator:AppData:Local:Microsoft:Windows:Explorer:thumbcache_idx.db!011ba4

25

Global\C::Users:Administrator:AppData:Local:Microsoft:Windows:Explorer:thumbcache_idx.db!012c2c

25

Global\C::Users:Administrator:AppData:Local:Microsoft:Windows:Explorer:thumbcache_idx.db!014d3c

25

Files and or directories created

Occurrences

%SystemRoot%\system.ini

25

\TEMP\autorun.inf

25

\config.sys

25

%SystemRoot%\winstart.bat

25

\autoexec.bat

25

\TEMP\winlogon.exe

25

\TEMP\AGENT.exe

25

\TEMP\SLEEP_TEST.sys

25

\TEMP\SPOOKY.sys

25

\TEMP\VAGRANT.exe

25

\TEMP\VIRUS.txt

25

\TEMP\wininit.ini

25

%SystemRoot%\dosstart.bat

25

%System16%\autoexec.nt

25

%System16%\config.nt

25

File Hashes

0021a7ecd30ec9e7d784c42ae64271b6048666c0a24505f7b35ef6398c6e67de
009086e24a5a00bddd3eba55592afdacdb8af0348aa92689317b53da6e75fe31
04697012f791c6f216166eb1f51ff28acdbfdc1d48bba4519e5f87fcec3ccc81
057c03cf6a446c6e6cc69410735bc5566aca6b67e6a0e6a047e599733f158aec
0655d055f9828c562a1b8c595da7cdffd364e6cc8f8cb4fb2dace02def3a72a2
06c6175c09dc4990aa5a585910133b1654d5ad9e830e055f0485eedcd9ccbf03
06d5e06ed0350ba3aceed5c8c4dc51a823a96356de2c643c3f82e0168b3c45e3
0942b6c9cae0fde214be04c00f82df9ba16b8807c15e9d77794c1eeaee529ee6
09b3aea967bd842df4122c7fe680177c8f61c1db2d7fab4b718226f3f49e0a88
0bb8cc324149c2667dd7ad9a3b0485ecfe28fc2d987351d3291eb6674d158f06
0c6665ef8f2b001e2b59c003d1b16620f914ef1b2942eb75042246c2a03a2acc
111969b54597e9302f881219a619bc5575860c6c7145cd7420c5d5ed3e7678f1
111a4c38d54f738ec137dbdb05fbca0b836297c1f1bdbe0d14af8c184c1e8285
1236be8ea5e03b19cdd1e426d363f3048ca0a0a2ca95bdb85354463ca2bb12ef
126bcb577c45b6a6d50686d695c7cf499ca56f3565b97a50b75fcfa1cd5436ef
13a8758f0372e94b3150a99d0f9eaba106888969602e97f111d8d9754bba5898
14519a8eea3064280ee285be6d20a9b115235a87911d4acd810a104136d941be
155ee1b57f1b81a893d8b4dc1e4d82bfc41aba7efa230efde3d4d799dd8bab96
165b625e83b0384f62ddce37be56c40f8f9edb963f6db4ce2ecc64eb76e48393
16bd1b3ae60631d1c6a5930370439c450a9dc7caf0bf830639211d639975ec26
16c0c7b6e6442a4c0474ca5d191264a720a21ea403c666bd7250730e6cc743ad
16f83afc6db86047f9e4052d1dbed7bbb863ef9b97b6952992da9dc1b5d3c37c
17154f668675360454fa5d307bdfa6460f2ac7c774934d823011290882f2d783
17853c83a9406c9ac07a189d3b968187f6c784f454da643ff816052e056e44f4
18140ff47b13e4a95522916681d8c47382fd7590730a2d03254119d09042d170
*See JSON for more IOCs

Coverage

Product

Protection

Secure Endpoint

Cloudlock

N/A

CWS

Email Security

Network Security

N/A

Stealthwatch

N/A

Stealthwatch Cloud

N/A

Secure Malware Analytics

Umbrella

N/A

WSA

N/A

Screenshots of Detection****Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Doc.Malware.Valyria-10013349-0****Indicators of Compromise

  • IOCs collected from dynamic analysis of 13 samples

Registry Keys

Occurrences

\SOFTWARE\WOW6432NODE\MICROSOFT\OFFICE\14.0\WORD\TEXT CONVERTERS\IMPORT\RECOVER
Value Name: Name

13

\SOFTWARE\WOW6432NODE\MICROSOFT\OFFICE\14.0\WORD\TEXT CONVERTERS\IMPORT\RECOVER
Value Name: Path

13

\SOFTWARE\WOW6432NODE\MICROSOFT\OFFICE\14.0\WORD\TEXT CONVERTERS\IMPORT\RECOVER
Value Name: Extensions

13

\SOFTWARE\WOW6432NODE\MICROSOFT\OFFICE\14.0\WORD\TEXT CONVERTERS\IMPORT\WRDPRFCTDOS
Value Name: Name

13

\SOFTWARE\WOW6432NODE\MICROSOFT\OFFICE\14.0\WORD\TEXT CONVERTERS\IMPORT\WRDPRFCTDOS
Value Name: Path

13

\SOFTWARE\WOW6432NODE\MICROSOFT\OFFICE\14.0\WORD\TEXT CONVERTERS\IMPORT\WRDPRFCTDOS
Value Name: Extensions

13

\SOFTWARE\WOW6432NODE\MICROSOFT\OFFICE\14.0\WORD\TEXT CONVERTERS\IMPORT\WORDPERFECT6X
Value Name: Name

13

\SOFTWARE\WOW6432NODE\MICROSOFT\OFFICE\14.0\WORD\TEXT CONVERTERS\IMPORT\WORDPERFECT6X
Value Name: Path

13

\SOFTWARE\WOW6432NODE\MICROSOFT\OFFICE\14.0\WORD\TEXT CONVERTERS\IMPORT\WORDPERFECT6X
Value Name: Extensions

13

Mutexes

Occurrences

Local\10MU_ACB10_S-1-5-5-0-67863

13

Local\10MU_ACBPIDS_S-1-5-5-0-67863

13

Local\WinSpl64To32Mutex_10960_0_3000

13

Files and or directories created

Occurrences

%LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Content.Word~WRD0000.doc

13

%TEMP%.tmp

13

%TEMP%\tst69.tmp

1

%TEMP%\tstF7.tmp

1

File Hashes

000b51af496336d202cf40f4b0afa91ab678962705825d49d53454915b0fd651
1bbf337f74ddfc46c865bc1d0fab402ce75f7687a1081d791f89e3b97633038f
20cb7b1e4c59f6c9308d8a079fbf898b44222ec909ded047696261a849eeb033
28716226e1413862e88614d499c19a2d3b7ac8d3b2e0321a688ddf19af549056
4b4f60d8f108aca734d102581e253f16abed5e506b8cb51801f9b36b5ab0d8c4
776fbfaef493c436c8f7ea4f025e587734f48f67c7d5ad660275f4e40fcc6b47
79ae3f16462f7e32ad2e8a45f79f166a2321c78c16564af8ee36f32cf616ce4e
97f82ae47b756502c4db71811843856efce5c449e0bba48178b9c27d1f98f987
b83f2a183484e660d3b5b4399c7069f62a7b9b22b4461bf2961633c03cd3f944
c89c5bcd3a3a85c6b80005f47998b8cffbf08565c63f5805f3fb187c0b4c2c0b
d21913c6b3fd6e35c7c8346f336cd9b373babbbdbfcdc61e48a9f3360218542f
d665edff65709c124fc043bb61747a3a17e85bf6ed0ba666eca66dd02f5dec40
d74f29c45c88422bd8ec3d11b660677adb0eb8dfafb6dfc1d685ddf2cfe5fa54

Coverage

Product

Protection

Secure Endpoint

Cloudlock

N/A

CWS

Email Security

Network Security

N/A

Stealthwatch

N/A

Stealthwatch Cloud

N/A

Secure Malware Analytics

Umbrella

N/A

WSA

N/A

Screenshots of Detection****Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

TALOS: Latest News

Bidirectional communication via polyrhythms and shuffles: Without Jon the beat must go on