Security
Headlines
HeadlinesLatestCVEs

Headline

Threat Roundup for September 23 to September 30

Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between Sept. 23 and Sept. 30. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats. As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found herethat includes the complete list of file hashes, as well as all other IOCs from this post. A visual depiction of the MITRE ATT&CK techniques associated with each threat is also shown. In these images, the brightness of the technique indicates how prevalent it is across all threat files where dynamic analysis was conducted. There are five distinct shades that are used, with the darkest indicating that no files exhibited technique behavior and the brightest indicating that technique behavior was observed from 75 percent or more of the files. The most prevalent threats highlighted in this roundup are:

Threat Name    Type    Description

Win.Virus.Parite-9970689-0 Virus Parite is a polymorphic file infector. It infects executable files on the local machine and on network drives. Win.Malware.Zusy-9970856-0 Malware Zusy, also known as TinyBanker or Tinba, is a trojan that uses man-in-the-middle attacks to steal banking information. When executed, it injects itself into legitimate Windows processes such as “explorer.exe” and “winver.exe.” When the user accesses a banking website, it displays a form to trick the user into submitting personal information. Win.Dropper.Remcos-9970861-0 Dropper Remcos is a remote access trojan (RAT) that allows attackers to execute commands on the infected host, log keystrokes, interact with a webcam and capture screenshots. This malware is commonly delivered through Microsoft Office documents with macros, sent as attachments on malicious emails. Win.Malware.Emotet-9970880-0 Malware Emotet is currently one of the most widely distributed and active malware families. It is a highly modular threat that can deliver a wide variety of payloads. The botnet is commonly delivered via Microsoft Office documents with macros sent as attachments to malicious emails. Win.Dropper.TrickBot-9970890-0 Dropper TrickBot is a banking trojan targeting sensitive information for certain financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution such as VB scripts. Win.Dropper.XtremeRAT-9971238-0 Dropper XtremeRAT is a remote access trojan active since 2010 that allows the attacker to eavesdrop on users and modify the running system. The source code for XtremeRAT, written in Delphi, was leaked online and has since been used by similar RATs. Win.Dropper.Kuluoz-9971090-0 Dropper Kuluoz, sometimes known as “Asprox,” is a modular remote access trojan that downloads and executes follow-on malware, such as fake antivirus software. Kuluoz is often delivered via spam emails pretending to be shipment delivery notifications or flight booking confirmations. Win.Dropper.Shiz-9971537-0 Dropper Shiz is a remote access trojan that allows an attacker to access an infected machine in order to harvest sensitive information. It is commonly spread via droppers or by visiting a malicious site. Win.Packed.Fareit-9971247-1 Packed The Fareit trojan is primarily an information stealer with functionality to download and install other malware.

Threat Breakdown

Win.Virus.Parite-9970689-0

Indicators of Compromise

IOCs collected from dynamic analysis of 29 samples

        Registry Keys            Occurrences        
                             
    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED                          
        Value Name: HideFileExt                            29        
             
    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED                          
        Value Name: Hidden                            29        
             
    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CABINETSTATE                          
        Value Name: fullpath                            29        
             
    <HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E                          
        Value Name: LanguageList                            1        
             
    <HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E                          
        Value Name: @explorer.exe,-7001                            1        
                     
                                     
            
        Files and or directories created            Occurrences        
                                 
        %TEMP%\<random, matching '[a-z]{3}[A-F0-9]{3,4}'>.tmp            29            

File Hashes

             0536b9760519d832e0c5ff072cad054ef2ae43dbe57330d48c609aeb75e6ae43              0fb870a5615c6c24fa559ae795c3366d80a97622fe2efac880330772344a9760              10308179aec9cf03dfe7fcd95aba9f1da191f70406d653157ea3746e63423c93              15e5fc751dbee4b99c094bbfd15d5b4c3655e0a8a34af84cb4773f2bcd265db8              16048c5e4b000118579343bcf188dbb5bcc0d313bd144a08a76423a7ff990c58              1a16bf0852508c3742325cd1b25c6fa9f9580e42017f273ff81d41edea8bd579              23c44b2d663dcb0224e7a2dcbd9a179923baf1c1d95f221f0435eef3fa6c7913              264dfb45197cb3e37d2054313e54c5549dd53f9d6cbc4a7cf9963b8275e59811              3605daf57520cfe6759abc471cb9a55ff4a6b99711ee3718ce6db3438b63a7e0              39139ac00356189a53c9122b4efa10a9e5ca42b25656cc794d4199d5a0e6003a              3a19cc265b1767563c293cfe5dfd8083a1cb72e37625bd243538f210594bd9bf              51f14dad750e0a93bdf69200d726c8f929a6e903dc837fefc5b2efdf7b33493e              530e290a3e9383bc016d666d4829f2ca2c256f5f32e8c84e71346f1d4a65302a              58950830c787ae1768a8d5aab290270b089b04e61d39e6b82a7daf51696fea03              5b0d897a5c748d58c536b19b0d16b3262cc238d65ac41d22f4552d1a2a0ea966              66fe640d820e530e4554251bcb07177a4f2fdea28fc13beb588898a0374fd20d              714ced6bb466961048291a1f89355892490a10bd6e206a256b2e3b97bf1fec55              7dbd9b1e5792f9085af025e526f331e00c878b2adc2e0d8c4a2c5dba4d79a32b              8c8c7b2a40fcdff745e87d060daac5798bda65e8e1568dd46e69d703a5adace3              933768be5d22750f182e69c91630a6f7af6f5db309ba61f83d5547c9a8865273              95463bf7d0d934880a1292e479f56d69596e43062eb18265ef43905702551af0              a1af5ed894006b1690455b12e58c117725a5274e7fc6f8410af119429171372d              a9a2deaa34de9ebc68523c18ad02f8a27aae60818fda1583440df25f336f61c2              aedea0e8e6ee4e36191b3e67dcc71e169ea9c1419b5ad4a062f3f2d37a99f3a3              c000e844ca7377e4f3a8e4bfdf0962897effa1622660e8b48d190e2820ff4429              

*See JSON for more IOCs

Coverage

        Product            Protection        
                     
        Secure Endpoint                                                                                                                              
             
        Cloudlock                                                                     N/A                                                          
             
        CWS                                                                                                                              
             
        Email Security                                                                                                                              
             
        Network Security                                                                     N/A                                                          
             
        Stealthwatch                                                                     N/A                                                          
             
        Stealthwatch Cloud                                                                     N/A                                                          
             
        Secure Malware Analytics                                                                                                                              
             
        Umbrella                                                                     N/A                                                          
             
        WSA                                                                     N/A                                                          

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Malware.Zusy-9970856-0

Indicators of Compromise

IOCs collected from dynamic analysis of 13 samples

        Registry Keys            Occurrences        
                             
    <HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E                          
        Value Name: LanguageList                            8        
             
    <HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E                          
        Value Name: @explorer.exe,-7001                            8        
             
    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\APPLICATIONDESTINATIONS                          
        Value Name: MaxEntries                            1        
                     
                       
            
        IP Addresses contacted by malware. Does not indicate maliciousness            Occurrences        
                                 
        47[.]111[.]103[.]192            13            
                     
                          
            
        Domain Names contacted by malware. Does not indicate maliciousness            Occurrences        
                                 
        os[.]ieycc[.]com            13            
                     
                          
            
        Files and or directories created            Occurrences        
                                 
        \Client.txt            13            
                 
        %TEMP%\Tomato.ini            13            
                 
        %APPDATA%\testing.dat            13            
                 
        \TEMP\1E0F0E0A120B156B155B15E0C0F160E0D160A.exe            1            
                 
        \TEMP\1F0F0D0C120A156D155E15E0A0E160B0C160F.exe            1            
                 
        \TEMP\1F0B0B0A120E156C155E15D0A0F160D0E160D.exe            1            
                 
        \TEMP\1C0B0F0A120C156F155C15E0B0A160F0E160D.exe            1            
                 
        \TEMP\1B0C0D0C120A156E155C15C0E0D160D0B160E.exe            1            
                 
        \TEMP\1B0F0A0D120F156E155C15F0C0E160E0F160A.exe            1            
                 
        \TEMP\1E0F0B0A120F156F155E15D0B0E160B0D160E.exe            1            
                 
        \TEMP\1D0D0C0E120C156D155F15A0A0E160C0C160A.exe            1            
                 
        \TEMP\1E0D0C0D120F156E155C15F0A0E160D0C160F.exe            1            
                 
        \TEMP\1C0B0C0B120D156E155E15A0E0F160B0D160D.exe            1            
                 
        \TEMP\1E0C0F0F120A156A155B15A0F0A160E0D160A.exe            1            
                 
        \TEMP\1E0C0A0A120B156F155D15A0E0F160B0A160A.exe            1            
                 
        \TEMP\1E0B0C0D120C156C155A15D0D0D160B0D160C.exe            1            

File Hashes

             015c6d06fe9aaa4844b5e008796cbb854cf6765c2ca398f596dd2fceeceb6c95              0de5af728d4834e450386979efd9681bd54bfeb65f687cccd621f3a20331c050              43d5fb959a8c848030537e37f0d0638bc57bb83652dba85ee2e868a17f1d10ef              568bc0b8c2e914ca7cb2f62bfd82839c584d14d3d47b96ea34703b9d024c78ec              7539e13bb8b001f08742f38c29b42135a2b414e2ba095cf3bf74f38db78f3e0f              80459aa210f4e16b123a27b47c1191872b79a6c6a8751613ad1b649a0f1f3426              974e745bbf32ea7bf0bcff7bd04e3b13f8f3c9cf8a79d01f34658729c793e333              aa22f56078cf431f2587ea270f428fff6d4eee5b08d542b40b89a9712e14e5b3              acf7e8303fd53c63b778a611773267ecf001225772bee1fccbd2a2370ad6e658              ae24b008cb2dc1855367cd814581f1092d9899a77e982f8fc746409c29afbaaa              b13513bd0c731f688fe25804c6dd74a3126d0494549368c8d692bd85d2024e5f              e35cb24702c24b57edf8f1439a1409b6c8c0f97bc30a90a3c396fdd0f3c38f84              f9501ffa9e293c88c61e0071fdc5b7ce2d00e1c8bc20a564ab906dfb9565e4c7              

Coverage

        Product            Protection        
                     
        Secure Endpoint                                                                                                                              
             
        Cloudlock                                                                     N/A                                                          
             
        CWS                                                                                                                              
             
        Email Security                                                                                                                              
             
        Network Security                                                                     N/A                                                          
             
        Stealthwatch                                                                     N/A                                                          
             
        Stealthwatch Cloud                                                                     N/A                                                          
             
        Secure Malware Analytics                                                                                                                              
             
        Umbrella                                                                     N/A                                                          
             
        WSA                                                                     N/A                                                          

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Dropper.Remcos-9970861-0

Indicators of Compromise

IOCs collected from dynamic analysis of 42 samples

        IP Addresses contacted by malware. Does not indicate maliciousness            Occurrences        
                                 
        172[.]98[.]192[.]37            42            
                     
                          
            
        Domain Names contacted by malware. Does not indicate maliciousness            Occurrences        
                                 
        www[.]djapp[.]info            42            
                     
                          
            
        Files and or directories created            Occurrences        
                                 
        %TEMP%\<random, matching '[a-z]{3}[A-F0-9]{3,4}'>.tmp            42            
                 
        %APPDATA%\Microsoft\Windows\Cookies\NFIM9G9G.txt            10            
                 
        %TEMP%\FltFD54.exe            1            
                 
        %TEMP%\FltFAC5.exe            1            
                 
        %TEMP%\FltFF0C.exe            1            
                 
        %TEMP%\FltA28D.exe            1            
                 
        %TEMP%\FltE1AD.exe            1            
                 
        %TEMP%\FltFAB6.exe            1            
                 
        %TEMP%\Flt593A.exe            1            
                 
        %TEMP%\FltF8C2.exe            1            
                 
        %TEMP%\Flt4F6E.exe            1            
                 
        %TEMP%\FltFB71.exe            1            
                 
        %TEMP%\FltA461.exe            1            
                 
        %TEMP%\FltFD74.exe            1            
                 
        %TEMP%\Flt23BD.exe            1            
                 
        %TEMP%\Flt8A88.exe            1            
                 
        %TEMP%\FltBC04.exe            1            
                 
        %TEMP%\FltF633.exe            1            
                 
        %TEMP%\FltB040.exe            1            
                 
        %TEMP%\Flt6184.exe            1            
                 
        %TEMP%\Flt540D.exe            1            
                 
        %TEMP%\Flt5D82.exe            1            
                 
        %TEMP%\FltBD3A.exe            1            
                 
        %TEMP%\tnf5FD1.exe            1            
                 
        %TEMP%\FltC777.exe            1            

*See JSON for more IOCs

File Hashes

             00cda027a316d979f614cd747e8eea14fcc1f7a144b5eb5fc385ea3b52ada9ac              04a7c806cd6404d5547bf136331733e970364c0090c705b0002170ca7fa59882              06a0c6a86e47342846759164e0a7da0087e5926d1bdf48b64ad106b6e53951a4              0d103909b0c3e6ac0021b1aa8bbd17b50d1f94ccfb6011a1b70609b6a45668fe              0d503f2d89c74456f441b95033f1f7f1b5f8c9b9ef338c177beb7e22c3844cb8              13d63a2102b3685464c7f32f95fb4ed6287f51db1da590f7141ad36d2ec0fe00              16de9b5489c9bc4900f94a6939e4a5124caee0ce2ac4dcd938850385c35ecd94              16e1726e22af546ae83bf70500135f69e1f3805c2c49752b6098c07f0815307a              1bb3b038b6da9ca30bf12a24ab4e0361ff60c6375bed74492ac37652e2ecd3da              23f59e71fd7d520a50ae1aaea2c026ae2f05a85d6bf1f24301ceac52e713157b              24d621a695ef4fae5b296bc2bb6071cc90b9c56415f70464797e69080b6a7e75              2635c53ba6293fe95e539dfd0f480835ceb7b47c6971a3024ae8443893eca176              2c65cccfb66e0773395cd78f4c742f03cdf3d482357278cf53cd47ea87f62f04              2d82667b13cc3acb398ae87a83674ce3a334867e82d20b4fd809a14d10323084              2e53c50fd916da51599be464f226b09f28d70fe323cb292c115b9723d402ddde              3457b58ade09a9a581003687d9bd904c6200dcc96aafbb24450c371a165c96d8              3832ee4b74d72c5b4e8299cc9e20248145ff74a7364ebfeb2baa9ee60c0a00d8              38ff5081e308b00e57028e3ad749ae4dccf165796a073fafacd6e6cbad31cc21              3e278b7296bcb58b47e8d60ee9a7f44c548a6d790cdf45fcdff6bc526c395a93              3f4fa0de7c9e2b18b0e16b1cbd72dcc279d5ab6b727992a158ed4bced8663f87              40318b04af3f4761f989d5725e61fc41bd034990e3a86478c897466416632c44              4126cae93a6d1471fbf37ef4a73347ed4fa136486fe7229b06721db5d50ed27c              479e0fa51921d000d9ae53beb96c8d88b3e90ba563b7595db6d015fe0c41beea              50532f85c712a7ba7e79ba23130a568fdfcfde7c3bdbcec90edea02aacef7f9b              535e141dc2b44bdafa9fd3ef6c3355413bd7837c5bfc398c608ea49e150b7727              

*See JSON for more IOCs

Coverage

        Product            Protection        
                     
        Secure Endpoint                                                                                                                              
             
        Cloudlock                                                                     N/A                                                          
             
        CWS                                                                                                                              
             
        Email Security                                                                                                                              
             
        Network Security                                                                                                                              
             
        Stealthwatch                                                                     N/A                                                          
             
        Stealthwatch Cloud                                                                     N/A                                                          
             
        Secure Malware Analytics                                                                                                                              
             
        Umbrella                                                                                                                              
             
        WSA                                                                                                                              

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Malware.Emotet-9970880-0

Indicators of Compromise

IOCs collected from dynamic analysis of 25 samples

        Registry Keys            Occurrences        
                             
    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{690D1BD7-EA98-1004-3AC9-E87553700E95}                             25        
             
    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{690D1BD7-EA98-1004-3AC9-E87553700E95}\SHELLFOLDER                             25        
             
    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{10CDDA71-B745-777B-1AF7-51696DB9BB93}                             25        
             
    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{10CDDA71-B745-777B-1AF7-51696DB9BB93}\SHELLFOLDER                             25        
             
    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{8BAB5812-9D02-8F14-74B1-BEDE393F8C1F}                             25        
             
    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{8BAB5812-9D02-8F14-74B1-BEDE393F8C1F}\SHELLFOLDER                             25        
             
    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{10DF83AD-199B-9C18-3FEF-E4ECD6A42F66}                             25        
             
    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{10DF83AD-199B-9C18-3FEF-E4ECD6A42F66}\SHELLFOLDER                             25        
             
    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{1AD90FE5-CE2F-E8B8-CF09-E0B1912E9542}                             25        
             
    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{1AD90FE5-CE2F-E8B8-CF09-E0B1912E9542}\SHELLFOLDER                             25        
             
    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{05ED06D6-F422-71CC-26B3-C9964D56F645}                             25        
             
    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{05ED06D6-F422-71CC-26B3-C9964D56F645}\SHELLFOLDER                             25        
             
    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{98B09642-2764-54AE-3333-D8C6CA536428}                             25        
             
    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{98B09642-2764-54AE-3333-D8C6CA536428}\SHELLFOLDER                             25        
             
    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{63D99860-AA40-CA79-F681-9DECBEF55447}                             25        
             
    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{63D99860-AA40-CA79-F681-9DECBEF55447}\SHELLFOLDER                             25        
             
    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{D4B277A3-C25E-BCDE-A054-D41AAC36394B}                             25        
             
    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{D4B277A3-C25E-BCDE-A054-D41AAC36394B}\SHELLFOLDER                             25        
             
    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{FE9DE6BC-A4CF-8285-E73C-DFE7A08197FE}                             25        
             
    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{FE9DE6BC-A4CF-8285-E73C-DFE7A08197FE}\SHELLFOLDER                             25        
             
    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{B11CF2E2-C0C2-7860-F12E-428101DCB963}                             25        
             
    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{B11CF2E2-C0C2-7860-F12E-428101DCB963}\SHELLFOLDER                             25        
             
    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{7E6AEF51-F5A7-48A0-B175-FE26B30A3B42}                             25        
             
    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{7E6AEF51-F5A7-48A0-B175-FE26B30A3B42}\SHELLFOLDER                             25        
             
    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{39D7DE2A-54FC-2744-D7AC-675623A7BCA2}                             25        
                     
                
            
        Mutexes            Occurrences        
                                 
        {24d07012-9955-711c-e323-1079ebcbe1f4}            25            
                 
        {bf18992f-6351-a1bd-1f80-485116c997cd}            25            
                 
        {dbad1190-816b-947c-9b01-53ef739d7edb}            25            
                 
        {ed099f6b-73d9-00a3-4493-daef482dc5ca}            20            
                     
                                       
            
        Files and or directories created            Occurrences        
                                 
        %APPDATA%\Microsoft\Crypto\RSA\S-1-5-21-2580483871-590521980-3826313501-500\a18ca4003deb042bbee7a40f15e1970b_d19ab989-a35f-4710-83df-7b2db7efe7c5            25            
                 
        %System32%\Tasks\Ryddmbivo            25            
                 
        %APPDATA%\<random, matching '[a-z0-9]{3,7}'>            25            
                 
        %System32%\8452\eudcedit.exe            1            
                 
        %APPDATA%\F9NSFA\MRT.exe            1            
                 
        %APPDATA%\EoXbu\BdeUISrv.exe            1            
                 
        %System32%\9450\VSSVC.exe            1            
                 
        %System32%\7744\ComputerDefaults.exe            1            
                 
        %APPDATA%\RAQ9\calc.exe            1            
                 
        %System32%\9936\psr.exe            1            
                 
        %APPDATA%\Q7e9\rekeywiz.exe            1            
                 
        %System32%\5094\WindowsAnytimeUpgrade.exe            1            
                 
        %APPDATA%\U6yhd\DeviceDisplayObjectProvider.exe            1            
                 
        %System32%\5022\msra.exe            1            
                 
        %APPDATA%\EtXM\fvenotify.exe            1            
                 
        %System32%\1402\ddodiag.exe            1            
                 
        %APPDATA%\bsPEU\wbengine.exe            1            
                 
        %System32%\6726\StikyNot.exe            1            
                 
        %APPDATA%\Kal6bb\sethc.exe            1            
                 
        %System32%\6787\ie4uinit.exe            1            
                 
        %APPDATA%\Y74EoZ\Dxpserver.exe            1            
                 
        %System32%\7651\rrinstaller.exe            1            
                 
        %APPDATA%\aF7U\WerFault.exe            1            
                 
        %System32%\6604\DeviceDisplayObjectProvider.exe            1            
                 
        %APPDATA%\rmluRRx\MRT.exe            1            

*See JSON for more IOCs

File Hashes

             0be6c8c9f6626f0cbc875a04f81d65ec51646285f607fc23610ced0698d2d356              0e00806596a0084133b662804d645e485a94d42b50e7634608bfc572bc6f99bc              10d50610dc069e961878c8d2be79f7ba638125c2f0229086f27d2261f7ef7074              209494092b65fdebe368f90fdf69cd878f931fb334c059611ccabe84301887e2              24273a46f41c978ebd1b7014cd43c05d7273e638fa539e21adf9b16fcd6d7fa4              270234993c0381d55e1d5615099a692a0e11139d6d5b353f625ac6197cc5fadd              2ce15b1bfa8a577f79da8bbcf2159bf3661aed963cdbbb59ddbf333da4bb52ea              370de40215ce6a4e8f27e33d7a6edcd9cc4c86dc39aa86246d02308f556ff39e              5239bbf6672c93344f21741c4016ea154db5f6aa3989514244de6c55532f54d4              5341a8e7076ea8dbba28ed69ec1130f361c7e90505afbb191f639d6b8295a3e7              634295ad711f68679e6471766d8ca49454c7276348211b6d99a5539e314e7ddb              64c51179f273e00dcb08ddf0c401a3e7c6b4441421f4a0f907bc32f4aaf54191              65c0c35adfcd488cde26d72ba39dd77052f0d6f54c40d10003d824ce1079a630              670db2f68e0bb350f98d1f0ea9624e45536473bb9f1552270be89d87aba17ed9              77c9d7eb923718013ec2145d35a18f17b326655e226b6f252ca6967b0837b39a              8ded5e3631dcd94576d1770289b38005c95c1456588157fd01ea6191c7bcaf1a              91c351ad5a31c40ccf05069b4dde6d0d8e2ff7e78118ca4d110bfe8fcef7d5b6              96e1d30dda3746847269a2707bf4261deadf3d146d1e9df5bd163743ef6b0902              9cebaa66b09ae6043e137c87fece4f2f55a3ae9cbbbb64414e0202a6d3db8932              9d019b660a52484961f7d540d3fe62da22c2c09be968474a614f9dd94ae8c7e5              a2074b34223a80ea0a46784e03ab9e09f86deb98c470c10b2999692fe19777b3              a81460aa2b31719c28672cc624c8fd83e3cbde9d4fc59fb1c55a0713b22a031b              a8e2070710eb026f8d9aa46032576b1d474171ea11bb6d2cff97cc9e2069a3af              ae65c3182b13c9012b1fc98d483a3c1c7bfd82193d1cd14b1e2a0572458530b1              ae8b637375e736db787d31a4081f2f39ce25908f3276807e43a6eceb4e511377              

*See JSON for more IOCs

Coverage

        Product            Protection        
                     
        Secure Endpoint                                                                                                                              
             
        Cloudlock                                                                     N/A                                                          
             
        CWS                                                                                                                              
             
        Email Security                                                                                                                              
             
        Network Security                                                                     N/A                                                          
             
        Stealthwatch                                                                     N/A                                                          
             
        Stealthwatch Cloud                                                                     N/A                                                          
             
        Secure Malware Analytics                                                                                                                              
             
        Umbrella                                                                     N/A                                                          
             
        WSA                                                                     N/A                                                          

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Dropper.TrickBot-9970890-0

Indicators of Compromise

IOCs collected from dynamic analysis of 10 samples

        Registry Keys            Occurrences        
                             
    <HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E                          
        Value Name: LanguageList                            3        
             
    <HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E                          
        Value Name: @explorer.exe,-7001                            3        
             
    <HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E                          
        Value Name: @C:\Windows\system32\DeviceCenter.dll,-2000                            2        
                     
                
            
        Mutexes            Occurrences        
                                 
        Global\VLock            3            
                 
        Global\683173c1-3af4-11ed-9660-001517635527            1            
                     
                         
            
        IP Addresses contacted by malware. Does not indicate maliciousness            Occurrences        
                                 
        104[.]18[.]115[.]97            2            
                 
        91[.]83[.]88[.]51            1            
                 
        92[.]63[.]102[.]64            1            
                 
        195[.]133[.]144[.]237            1            
                 
        34[.]160[.]111[.]145            1            
                 
        195[.]133[.]196[.]130            1            
                     
                          
            
        Domain Names contacted by malware. Does not indicate maliciousness            Occurrences        
                                 
        obyavlenie[.]lisx[.]ru            10            
                 
        icanhazip[.]com            2            
                 
        ipecho[.]net            1            
                     
                          
            
        Files and or directories created            Occurrences        
                                 
        %APPDATA%\winapp\Modules            3            
                 
        %System32%\Tasks\services update            3            
                 
        %APPDATA%\winapp\client_id            3            
                 
        %APPDATA%\winapp\group_tag            3            
                 
        %APPDATA%\winapp            3            
                 
        %APPDATA%\winapp\24ae736c30cacc5f26f34e07c47ca97c.exe            1            
                 
        %APPDATA%\winapp\0g5d59dff6a3d3g20046c0ga554f8f9ef8d3e2c767g46c2592d53d6c604df5g9.exe            1            
                 
        %APPDATA%\winapp\39g7366fcac6cdd0a64ag077e5ga30354aggg87d682e9cd06940033777cefaf2.exe            1            

File Hashes

             0a9fd6d744cc4fa8e08eee7c95c58d6cb9cb995a249597bdc8beba4ab5fdd921              0f4c49cee6a2c2f10036b0fa443e8e9de8c2d1b757f36b1491c42c6b503ce4f9              14bf94de8b881459e2f6f49051b1411da60e3526251751048bdde18f99d93f1e              29f7266ebab5bcc0a53af077d4fa20243afff87c681d9bc06930022777bdeae1              42162ca740023f144cf1f5efc8f9680f5db0ac16e0cf9eeb88f57275a5bbd38e              489d8e1c47548164a35abb21dbe155972aa09e6c65c0fd7456baf79d3ffb3539              7820f15d39888555e5d2189015d13491d58e2c345921064777155febcaf9b88e              8c1326a8e1f6c781441f3a5da6fe962337a03b9a3ffd93495e933e051d24f4a0              eac3e3c5636e62a6865ff6e048875506d16ed22ffd8caca23529407eb94a2478              f3395ab28c54a61118784d205926e7122ff7735d92d992c22db9dd63fd3a8e28              

Coverage

        Product            Protection        
                     
        Secure Endpoint                                                                                                                              
             
        Cloudlock                                                                     N/A                                                          
             
        CWS                                                                                                                              
             
        Email Security                                                                                                                              
             
        Network Security                                                                                                                              
             
        Stealthwatch                                                                     N/A                                                          
             
        Stealthwatch Cloud                                                                     N/A                                                          
             
        Secure Malware Analytics                                                                                                                              
             
        Umbrella                                                                     N/A                                                          
             
        WSA                                                                     N/A                                                          

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Dropper.XtremeRAT-9971238-0

Indicators of Compromise

IOCs collected from dynamic analysis of 25 samples

        Registry Keys            Occurrences        
                             
    <HKCU>\SOFTWARE\<random, matching '[a-zA-Z0-9]{5,9}'>                             16        
             
    <HKCU>\SOFTWARE\<random, matching '[a-zA-Z0-9]{5,9}'>                          
        Value Name: InstalledServer                            16        
             
    <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN                          
        Value Name: HKLM                            15        
             
    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN                          
        Value Name: HKCU                            15        
             
    <HKCU>\SOFTWARE\<random, matching '[a-zA-Z0-9]{5,9}'>                          
        Value Name: ServerStarted                            6        
             
    <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{T88RCWLO-A2V2-4LXR-TJ24-W4CWO446W6OJ}                             5        
             
    <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{T88RCWLO-A2V2-4LXR-TJ24-W4CWO446W6OJ}                          
        Value Name: StubPath                            5        
             
    <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{424A7MGK-RCMT-8C4V-40EM-XW7BLA8PVRC7}                             5        
             
    <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{424A7MGK-RCMT-8C4V-40EM-XW7BLA8PVRC7}                          
        Value Name: StubPath                            5        
             
    <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{5K3TI7P5-LW5S-LR18-4174-DG7KKUL703V7}                             3        
             
    <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{5K3TI7P5-LW5S-LR18-4174-DG7KKUL703V7}                          
        Value Name: StubPath                            3        
             
    <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{5460C4DF-B266-909E-CB58-E32B79832EB2}                             2        
             
    <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{5460C4DF-B266-909E-CB58-E32B79832EB2}                          
        Value Name: StubPath                            2        
                     
                
            
        Mutexes            Occurrences        
                                 
        XTREMEUPDATE            16            
                 
        <random, matching [a-zA-Z0-9]{5,9}EXIT>            15            
                 
        <random, matching [a-zA-Z0-9]{5,9}>PERSIST            11            
                 
        <random, matching [a-zA-Z0-9]{5,9}>            6            
                 
        zZgdeZ8P            5            
                 
        Q6gWX0            5            
                 
        Q6gWX0PERSIST            5            
                 
        Global\<random guid>            4            
                     
                                
            
        Domain Names contacted by malware. Does not indicate maliciousness            Occurrences        
                                 
        profesorjedi11[.]myftp[.]biz            10            
                 
        profesorjedi3[.]myftp[.]biz            3            
                 
        clarityz[.]no-ip[.]biz            2            
                 
        dynamic[.]no-ip[.]biz            2            
                 
        cooempresas1[.]ddns[.]net            1            
                     
                          
            
        Files and or directories created            Occurrences        
                                 
        %TEMP%\x.html            15            
                 
        %SystemRoot%\SysWOW64\System32            10            
                 
        %APPDATA%\Microsoft\Windows\<random, matching '[a-zA-Z0-9]{5,9}'>.dat            6            
                 
        %APPDATA%\Microsoft\Windows\<random, matching '[a-zA-Z0-9]{5,9}'>.cfg            6            
                 
        %SystemRoot%\SysWOW64\Sistem32            5            
                 
        %APPDATA%\Microsoft\Windows\zZgdeZ8P.cfg            5            
                 
        %SystemRoot%\SysWOW64\System32\crrsc.exe            5            
                 
        %APPDATA%\Microsoft\Windows\zZgdeZ8P.dat            5            
                 
        %APPDATA%\Microsoft\Windows\Q6gWX0.cfg            5            
                 
        %SystemRoot%\SysWOW64\Sistem32\crrsc.exe            5            
                 
        %APPDATA%\Microsoft\Windows\Q6gWX0.dat            5            
                 
        %SystemRoot%\SysWOW64\System32\csrrs.exe            3            
                 
        %SystemRoot%\SysWOW64\System32\csrss.exe            2            
                 
        %SystemRoot%\SysWOW64\Drivers\System.exe            1            

File Hashes

             02bbfb5be9238a07f4bbc310640558187fffe927b6c61aef277f25e556b42976              034fd97c565ab91825e7d810d5e629f00bb25f54ac1ed7f1846e7f1c23d1ecd2              104a08c153d9d099bad368fc405a2888a153bfaa1cf33f99f43fbc1b97d0282f              1a7fa38a87b8d63bdef718b54626476dd952673e010877eb0412041a227ae587              1b70089136743505bd03a024ed1d6faca2a618397aecf14eceafed7e708c42ef              1d281e8cd1c5e451d069a2df9eed854f4bfa28e91881e7e2bfea2be0cfd6e2d0              2a4841ab8656fedadeb5dcc16821ca4789ba29a1df607c72f73fe6de8c55f965              4a5a09ce229c5f06f96114b0c55b1b2a645b75ab6e5f1f3df524efc9e6b549df              4e960f7a51969cc989219642701cb327e7713462eff60866099fb16632e1c636              521f339fe84053ddc608a8f1faf2774ea1f6fa1ee3ad252f642967f27c2ebb2e              52f4aba104b5caadff9baa7eb92e4ff21c176ff183a59f0283555de081e74c9a              53743558915afca3fcf12a83095ed8448502c37ac0ce847268bd34ff2b17eaef              54d8e6f9d64d480ad1381ddcd730d786be7b94b34154fa9ae6a46fc06670732a              58432dc37d6e18bf7f719c42d1a955374dc04c737ec433384fa61ea7c895ce8a              5f0a9ba0fc1146512ec06df04fb3eedcaaf67df5534d2895bdee7d39dbb767d4              6aeceda58114f30d5286bf84e92bfc293d5fb1ed4648c29d9e6ba6e229ad6c0a              73711c78caf84f57df3e54a7e0d47dc5b91c73d521e6e5de2da31694c7a2cd1d              747ae8b9f401e6f92381039c80d98f2fbff9f1c94ab1479c23e9bd67714208b5              7d56d2784dafc2edb6f002e66504b3222f899712167f5d67878e576adf5bfff4              87365c8be5e1df23024d4f06108ca715ca6960fab1db19241af01dc249049b34              95774b16ad3920dee24ad1211ad677003bace3db07e351dcfa92ea8c9fb0de4d              9811dc1790865ba850a085b86faf45d12e6d18de3746fba1f79e7d5bc07b81e6              9fc0af5f00d92876795d06cadc1ec27ce789be7d4396cca1a4d39c10a1a13cee              cf6bf580a1c08b6d4c8e4b73c65a156dd87e6157b358a22f58e6c4e741a62088              d2dd951900f73760709d95358434a8d382363f78cbd78a4476e361225b2fdb90              

*See JSON for more IOCs

Coverage

        Product            Protection        
                     
        Secure Endpoint                                                                                                                              
             
        Cloudlock                                                                     N/A                                                          
             
        CWS                                                                                                                              
             
        Email Security                                                                                                                              
             
        Network Security                                                                     N/A                                                          
             
        Stealthwatch                                                                     N/A                                                          
             
        Stealthwatch Cloud                                                                     N/A                                                          
             
        Secure Malware Analytics                                                                                                                              
             
        Umbrella                                                                     N/A                                                          
             
        WSA                                                                     N/A                                                          

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Dropper.Kuluoz-9971090-0

Indicators of Compromise

IOCs collected from dynamic analysis of 26 samples

        Registry Keys            Occurrences        
                             
    <HKCU>\SOFTWARE\<random, matching '[a-zA-Z0-9]{5,9}'>                             26        
             
    <HKCU>\SOFTWARE\HLUAPPSN                          
        Value Name: simfbhec                            2        
             
    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN                          
        Value Name: fihacxpj                            2        
             
    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN                          
        Value Name: rtvamnqd                            1        
             
    <HKCU>\SOFTWARE\UTLRUTMU                          
        Value Name: jqusubuo                            1        
             
    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN                          
        Value Name: kilanrco                            1        
             
    <HKCU>\SOFTWARE\AUBBBWXT                          
        Value Name: ibmqpuls                            1        
             
    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN                          
        Value Name: opoiitvt                            1        
             
    <HKCU>\SOFTWARE\BWCRDATG                          
        Value Name: qmiabusl                            1        
             
    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN                          
        Value Name: mwxoukfx                            1        
             
    <HKCU>\SOFTWARE\BTTXALDX                          
        Value Name: micawbbp                            1        
             
    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN                          
        Value Name: jtqieuec                            1        
             
    <HKCU>\SOFTWARE\BBWAIJEJ                          
        Value Name: lmpebxqp                            1        
             
    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN                          
        Value Name: emgsvrci                            1        
             
    <HKCU>\SOFTWARE\MNSVSFDT                          
        Value Name: jkxkagel                            1        
             
    <HKCU>\SOFTWARE\MBJFFRTQ                          
        Value Name: bgmxnfso                            1        
             
    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN                          
        Value Name: akpgniqk                            1        
             
    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN                          
        Value Name: hrcgucbt                            1        
             
    <HKCU>\SOFTWARE\NTKIGTHP                          
        Value Name: etduinsg                            1        
             
    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN                          
        Value Name: pjecpkuu                            1        
             
    <HKCU>\SOFTWARE\NHSATHPS                          
        Value Name: mxopsxdc                            1        
             
    <HKCU>\SOFTWARE\HPEDSDSE                          
        Value Name: vfkeebww                            1        
             
    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN                          
        Value Name: icccipkm                            1        
             
    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN                          
        Value Name: ilxotnrg                            1        
             
    <HKCU>\SOFTWARE\AFTNNBRU                          
        Value Name: kchufmmw                            1        
                     
                
            
        Mutexes            Occurrences        
                                 
        aaAdministrator            26            
                 
        abAdministrator            26            
                     
                         
            
        IP Addresses contacted by malware. Does not indicate maliciousness            Occurrences        
                                 
        69[.]64[.]36[.]244            21            
                 
        16[.]156[.]201[.]237            17            
                 
        110[.]77[.]220[.]66            15            
                 
        5[.]249[.]139[.]132            15            
                 
        85[.]12[.]29[.]251            13            
                 
        5[.]175[.]166[.]35            13            
                 
        130[.]60[.]202[.]71            11            
                 
        198[.]57[.]165[.]46            10            
                     
                                 
            
        Files and or directories created            Occurrences        
                                 
        %LOCALAPPDATA%\<random, matching '[a-z]{8}'>.exe            26            

File Hashes

             01e772c69c3d96d7da41baf1b4630a9b93cda39bd4b5b0234f1de2a818788965              0507e74fa55bfb2a725358b0e5d2a3ad82d95a15b8dda89eda0892276855c6e0              0575881e5f371494a9b928ea409bce3fc15b35f4a6fc47f5b3ccc267e6428d05              13830d13f9538029311649ec0b7d2b70afd36d0d38432550c973123429eb940b              14b22ef72fd4f36063c344d7358e32d9529010b303b09bcc11f562bf2d4981a7              1f226936fa8a2ae6ff457619b2883377cbe741decadc705095d4527a7ae9a4d8              21f96423b4b10c910ef1ae4f584ed1e49944f2166c41aac0d9f53ad042933f89              25c31d64ed3db07f502aee95703ec407b34dff5a3fdc34bf2b3b64250f2ec0e2              3578e19cbb128d0b2b7fb009c8041deed69144c0e20e6c58c18967a2abcc0c1b              422f405e2d70ed3bd58f6e9c4ef7d1a4ed8b912fc8acde5cab9068f34fc55f09              46b398648a6f022657c1a7a6bf0dae147562f354b34fa9b82103d8566b01c771              4cc31dc0d33247799cb383ede808dea70ab9081847e46b2ce95e2c054cd97011              576ed58a06ae914ae06a711af19b30a9f02ece2d435f84b7bea71fedc19dd995              5bad5333dcfea5b33727b34cde45b54d36cbf01d3fb0a1a915de8df1569b4fb1              5e3329e3193099fe8e09922ac85a7ab3e8ae89f0ae4f0f7a93fb30aacc7726e3              5e398a7762fe420158605cfb72bc309197c7c9346fc43a5cc8ccb0a14db25483              66b43dd194bf97f705c361ad1cc82a0f5c1afca7b03d57f99a3011cdefdc536f              6da9fe76f563ff6265b8971b601fb5037a93011fb16294b5ee7564f332d554ed              6ed6b8dececdaf3ee4ce0072d309125c5cef6e3ffef23f48baa3b0d3763462be              7c42e9ea360ccfb28b41c3490b305dcace56fea64e858ac3cde0984f6c9f3d07              816c6679de23475fe46588ce4380091c985ad689210fbf4daea6ca383f423465              8379ba1a2904b162411009fbe1bc4c94efd1ccf72ab38989dffb2077c1a0ec74              86e574bcb8a28b933731a83f9166c23c717a9840dfdecffde9130e9a2d598e08              8e39459d72319dc5e7f184b363ac8d7e3a486fbc6e02f9ad2273d0b0502a188d              8e5f994ccd02d59bc203efd3ff130575c4d9c170599592dd45696b87c4f4b420              

*See JSON for more IOCs

Coverage

        Product            Protection        
                     
        Secure Endpoint                                                                                                                              
             
        Cloudlock                                                                     N/A                                                          
             
        CWS                                                                                                                              
             
        Email Security                                                                                                                              
             
        Network Security                                                                     N/A                                                          
             
        Stealthwatch                                                                     N/A                                                          
             
        Stealthwatch Cloud                                                                     N/A                                                          
             
        Secure Malware Analytics                                                                                                                              
             
        Umbrella                                                                     N/A                                                          
             
        WSA                                                                     N/A                                                          

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Dropper.Shiz-9971537-0

Indicators of Compromise

IOCs collected from dynamic analysis of 27 samples

        Registry Keys            Occurrences        
                             
    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN                          
        Value Name: internat.exe                            27        
             
    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS                          
        Value Name: ProxyEnable                            27        
             
    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP                          
        Value Name: UNCAsIntranet                            27        
             
    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP                          
        Value Name: AutoDetect                            27        
             
    <HKLM>\SOFTWARE\MICROSOFT                          
        Value Name: 67497551a                            27        
             
    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS                          
        Value Name: load                            27        
             
    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS                          
        Value Name: run                            27        
             
    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN                          
        Value Name: userinit                            27        
             
    <HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON                          
        Value Name: 98b68e3c                            27        
             
    <HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON                          
        Value Name: userinit                            27        
             
    <HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON                          
        Value Name: System                            27        
             
    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS                          
        Value Name: run                            27        
             
    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN                          
        Value Name: userinit                            27        
             
    <HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\159\SHELL                          
        Value Name: KnownFolderDerivedFolderType                            1        
                     
                
            
        Mutexes            Occurrences        
                                 
        Global\674972E3a            27            
                 
        Global\MicrosoftSysenterGate7            27            
                 
        internal_wutex_0x<random, matching [0-9a-f]{8}>            27            
                 
        internal_wutex_0x000004b4            26            
                 
        internal_wutex_0x0000043c            26            
                 
        internal_wutex_0x000004dc            25            
                 
        internal_wutex_0x000000e0            1            
                 
        internal_wutex_0x0000038c            1            
                 
        internal_wutex_0x00000448            1            
                 
        internal_wutex_0x000006a0            1            
                     
                         
            
        IP Addresses contacted by malware. Does not indicate maliciousness            Occurrences        
                                 
        204[.]79[.]197[.]200            15            
                 
        13[.]107[.]21[.]200            12            
                 
        45[.]33[.]23[.]183            8            
                 
        173[.]255[.]194[.]134            6            
                 
        72[.]14[.]178[.]174            6            
                 
        72[.]14[.]185[.]43            6            
                 
        45[.]56[.]79[.]23            5            
                 
        45[.]33[.]2[.]79            5            
                 
        45[.]33[.]30[.]197            5            
                 
        45[.]33[.]18[.]44            4            
                 
        45[.]79[.]19[.]196            3            
                 
        198[.]58[.]118[.]167            3            
                 
        85[.]94[.]194[.]169            2            
                 
        96[.]126[.]123[.]244            1            
                 
        45[.]33[.]20[.]235            1            
                     
                          
            
        Domain Names contacted by malware. Does not indicate maliciousness            Occurrences        
                                 
        kevopoxecun[.]eu            27            
                 
        rycaropynar[.]eu            27            
                 
        lyxemoxyquf[.]eu            27            
                 
        puzoxyvojyc[.]eu            27            
                 
        fotaqizymig[.]eu            27            
                 
        cidufitojex[.]eu            27            
                 
        puvacigakog[.]eu            27            
                 
        xuboninogyt[.]eu            27            
                 
        cicezomaxyz[.]eu            27            
                 
        dixyjohevon[.]eu            27            
                 
        fokisohurif[.]eu            27            
                 
        volugomymet[.]eu            27            
                 
        maganomojer[.]eu            27            
                 
        jefecajazif[.]eu            27            
                 
        qedylaqecel[.]eu            27            
                 
        nojotomipel[.]eu            27            
                 
        gahoqohofib[.]eu            27            
                 
        rytifaquwer[.]eu            27            
                 
        kepujajynib[.]eu            27            
                 
        lyrosajupid[.]eu            27            
                 
        tuwaraqidek[.]eu            27            
                 
        pumebeqalew[.]eu            27            
                 
        cinycekecid[.]eu            27            
                 
        divulewybek[.]eu            27            
                 
        vocijekyqiv[.]eu            27            

*See JSON for more IOCs

        Files and or directories created            Occurrences        
                                 
        %TEMP%\<random, matching [A-F0-9]{1,4}>.tmp            27            
                 
        %TEMP%\F1A0.tmp            1            
                 
        %TEMP%\8350.tmp            1            
                 
        %TEMP%\6709.tmp            1            
                 
        %TEMP%\5ABC.tmp            1            
                 
        %TEMP%\DF95.tmp            1            

File Hashes

             03ceb23a35bcd7170f8e2293c15aa444406959d789fda9ff9e412cf7a3a6ad90              0a00f10084231e3abf745b456d522c27a284cd17e5824a91026e6511a0073792              0a9d1eec9b14e840863b4948703b4c1a50b8d1c16d6cd6c0191ed55e82864ea3              0aa380118e812371de65b56f760676f611ddda8a7dd422ed1e62214c2a8303d1              0b38f48ffc49f1b53724384bd894702bcf49f2d68c1b84e4e0eeb931d572d294              0b8cfcf3c71b18b73ec50c68115b5d7538eab4d21168272d547e4b6316ed592a              0d8afb797e2ce9f712f3b5fb22317ec97cd8ea55b85855ffb33f362f45e3b706              10d952070cca8a50175e4193e23e798484f215faa6ac8261b37caebb4ae4c22a              16487b9aabc544819f3e1843e196d8e6b982b15ae95b9b599af310c0f4a0763e              1751820a0b3e9669c512077ef08caa8cc8bd7cba8bb54eb97c574ba6dfa09d2d              1bafc4ef3a634e29c71f52e5b0f3ea6ab3cd55e25ef9623d8d21302a13ac4833              21c50af5ea57cf75b6bcf6e74b8008b335a440d4f4fd8499d2abc287116a0100              2473d34831b6fef2e985c045c3a00880d05aceeeac10edf1f09ff38a1cbc44af              2602a1096a4eec7291145b4570c1a0e814c03fba18d3d76d1b82f6e0dacaecf8              2656072242b6777473e258b7f0fc7777cda688fe95f0050f375ffeb12f000c28              2856afa65f2c7f0a23be68ce6899f24a9d3e12fa4f3b00644562e1ecdc06eed1              28b92d2ad7b6c9865a5eda3ca5435cbcd7b24fd0b48ed61c9c7b87af542b88ed              29bc8c64d83b59592ced9e79fd8e242344fedaa9bff3d385ce5372de7e035b4b              2a812fc2558cfe90756a59a8d79ec8da9e14d7fec59cd9bbc5189a67a86629eb              2e7fe1b9448cb0cca242f4b72fd956f21ad262587b88135045bc07a010cec102              3047c7b03f084dc15ddbca4044a0fb2376af8b3799e4316194de8ef1474e1bf8              321f58c68fead768a8465532821b62ec741482135b0a5460d48838433cde6133              32b2f95694db2d96de89e4f8644cbdf68229903053c066499141b323d4acca1a              34beb6169472ea58264460d2673a70128474e9bdb62fe998e5c22f9a4fa61a8c              350596b9f1a539dddfd73cb4d10c605ec8cc8ed227bd2f33f31fddd6f190e7d8              

*See JSON for more IOCs

Coverage

        Product            Protection        
                     
        Secure Endpoint                                                                                                                              
             
        Cloudlock                                                                     N/A                                                          
             
        CWS                                                                                                                              
             
        Email Security                                                                                                                              
             
        Network Security                                                                                                                              
             
        Stealthwatch                                                                     N/A                                                          
             
        Stealthwatch Cloud                                                                     N/A                                                          
             
        Secure Malware Analytics                                                                                                                              
             
        Umbrella                                                                                                                              
             
        WSA                                                                                                                              

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Packed.Fareit-9971247-1

Indicators of Compromise

IOCs collected from dynamic analysis of 13 samples

        Registry Keys            Occurrences        
                             
    <HKCU>\SOFTWARE\WINRAR                             13        
             
    <HKCU>\SOFTWARE\WINRAR                          
        Value Name: HWID                            13        
                     
                       
            
        IP Addresses contacted by malware. Does not indicate maliciousness            Occurrences        
                                 
        168[.]144[.]38[.]105            13            

File Hashes

             1acb437594832fbf922ea62142314c31026f4345dfd31cf843acb52eca1aec92              1cc621b3d1a8db17783e813726cee6309e7802110a6d93779b7096e723023628              39b43b15aeb0a1aff4ca35928a2dd25aa6439c2faa24721424a749cd5b376153              57e6addd9c1c9f9367c48020e1f004a26cd6b361c6145ec97e554fd991ca5925              6bc8e9d23757833faff22d586d92d2274283e5bbe400bf07fdd2c5a070f39bd2              84238de8af6828ea6864308ce0ea0f0e798c31c2e105c3b7bf0f238732738d78              8f1566be038140548e9c1350a9ae28d95c1b70b8f79c0ba3ba094ffec8b530c2              914e1a2a9ca34ba6b66795165ea9e57d2817f3aa23ed662a565c9ad6c6476459              a9b1fb4abbebe49a65998d688a02819d8bdc3eeeebad496b94b5f6b27ff4e49b              b7f64dd2cb3cb310bfbbd54e29b4f9c03e94bd474ab487e403aec3357350307a              c6c1fcd270017f81a8113545eb42471f98700eb162ccbd4272b54de6435c4971              f4fd5a689233ea0c7c0d1599f14b68554f5c07f0c12c86981e0eef4be06940be              fb2a62eecd3f1a04e0633f43d472229ef3994de0a212da08d21c9fea8577016e              

Coverage

        Product            Protection        
                     
        Secure Endpoint                                                                                                                              
             
        Cloudlock                                                                     N/A                                                          
             
        CWS                                                                                                                              
             
        Email Security                                                                                                                              
             
        Network Security                                                                     N/A                                                          
             
        Stealthwatch                                                                     N/A                                                          
             
        Stealthwatch Cloud                                                                     N/A                                                          
             
        Secure Malware Analytics                                                                                                                              
             
        Umbrella                                                                     N/A                                                          
             
        WSA                                                                     N/A                                                          

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

TALOS
#vulnerability#web#mac#windows#microsoft#js#git#botnet#ibm

Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between Sept. 23 and Sept. 30. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. A visual depiction of the MITRE ATT&CK techniques associated with each threat is also shown. In these images, the brightness of the technique indicates how prevalent it is across all threat files where dynamic analysis was conducted. There are five distinct shades that are used, with the darkest indicating that no files exhibited technique behavior and the brightest indicating that technique behavior was observed from 75 percent or more of the files.

The most prevalent threats highlighted in this roundup are:

Threat Name

Type

Description

Win.Virus.Parite-9970689-0

Virus

Parite is a polymorphic file infector. It infects executable files on the local machine and on network drives.

Win.Malware.Zusy-9970856-0

Malware

Zusy, also known as TinyBanker or Tinba, is a trojan that uses man-in-the-middle attacks to steal banking information. When executed, it injects itself into legitimate Windows processes such as “explorer.exe” and “winver.exe.” When the user accesses a banking website, it displays a form to trick the user into submitting personal information.

Win.Dropper.Remcos-9970861-0

Dropper

Remcos is a remote access trojan (RAT) that allows attackers to execute commands on the infected host, log keystrokes, interact with a webcam and capture screenshots. This malware is commonly delivered through Microsoft Office documents with macros, sent as attachments on malicious emails.

Win.Malware.Emotet-9970880-0

Malware

Emotet is currently one of the most widely distributed and active malware families. It is a highly modular threat that can deliver a wide variety of payloads. The botnet is commonly delivered via Microsoft Office documents with macros sent as attachments to malicious emails.

Win.Dropper.TrickBot-9970890-0

Dropper

TrickBot is a banking trojan targeting sensitive information for certain financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution such as VB scripts.

Win.Dropper.XtremeRAT-9971238-0

Dropper

XtremeRAT is a remote access trojan active since 2010 that allows the attacker to eavesdrop on users and modify the running system. The source code for XtremeRAT, written in Delphi, was leaked online and has since been used by similar RATs.

Win.Dropper.Kuluoz-9971090-0

Dropper

Kuluoz, sometimes known as “Asprox,” is a modular remote access trojan that downloads and executes follow-on malware, such as fake antivirus software. Kuluoz is often delivered via spam emails pretending to be shipment delivery notifications or flight booking confirmations.

Win.Dropper.Shiz-9971537-0

Dropper

Shiz is a remote access trojan that allows an attacker to access an infected machine in order to harvest sensitive information. It is commonly spread via droppers or by visiting a malicious site.

Win.Packed.Fareit-9971247-1

Packed

The Fareit trojan is primarily an information stealer with functionality to download and install other malware.

Threat Breakdown****Win.Virus.Parite-9970689-0****Indicators of Compromise

  • IOCs collected from dynamic analysis of 29 samples

Registry Keys

Occurrences

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED

        Value Name: HideFileExt

29

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED

        Value Name: Hidden

29

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CABINETSTATE

        Value Name: fullpath

29

<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E

        Value Name: LanguageList

1

<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E

        Value Name: @explorer.exe,-7001

1

Files and or directories created

Occurrences

%TEMP%<random, matching '[a-z]{3}[A-F0-9]{3,4}’>.tmp

29

File Hashes

    0536b9760519d832e0c5ff072cad054ef2ae43dbe57330d48c609aeb75e6ae43

    0fb870a5615c6c24fa559ae795c3366d80a97622fe2efac880330772344a9760

    10308179aec9cf03dfe7fcd95aba9f1da191f70406d653157ea3746e63423c93

    15e5fc751dbee4b99c094bbfd15d5b4c3655e0a8a34af84cb4773f2bcd265db8

    16048c5e4b000118579343bcf188dbb5bcc0d313bd144a08a76423a7ff990c58

    1a16bf0852508c3742325cd1b25c6fa9f9580e42017f273ff81d41edea8bd579

    23c44b2d663dcb0224e7a2dcbd9a179923baf1c1d95f221f0435eef3fa6c7913

    264dfb45197cb3e37d2054313e54c5549dd53f9d6cbc4a7cf9963b8275e59811

    3605daf57520cfe6759abc471cb9a55ff4a6b99711ee3718ce6db3438b63a7e0

    39139ac00356189a53c9122b4efa10a9e5ca42b25656cc794d4199d5a0e6003a

    3a19cc265b1767563c293cfe5dfd8083a1cb72e37625bd243538f210594bd9bf

    51f14dad750e0a93bdf69200d726c8f929a6e903dc837fefc5b2efdf7b33493e

    530e290a3e9383bc016d666d4829f2ca2c256f5f32e8c84e71346f1d4a65302a

    58950830c787ae1768a8d5aab290270b089b04e61d39e6b82a7daf51696fea03

    5b0d897a5c748d58c536b19b0d16b3262cc238d65ac41d22f4552d1a2a0ea966

    66fe640d820e530e4554251bcb07177a4f2fdea28fc13beb588898a0374fd20d

    714ced6bb466961048291a1f89355892490a10bd6e206a256b2e3b97bf1fec55

    7dbd9b1e5792f9085af025e526f331e00c878b2adc2e0d8c4a2c5dba4d79a32b

    8c8c7b2a40fcdff745e87d060daac5798bda65e8e1568dd46e69d703a5adace3

    933768be5d22750f182e69c91630a6f7af6f5db309ba61f83d5547c9a8865273

    95463bf7d0d934880a1292e479f56d69596e43062eb18265ef43905702551af0

    a1af5ed894006b1690455b12e58c117725a5274e7fc6f8410af119429171372d

    a9a2deaa34de9ebc68523c18ad02f8a27aae60818fda1583440df25f336f61c2

    aedea0e8e6ee4e36191b3e67dcc71e169ea9c1419b5ad4a062f3f2d37a99f3a3

    c000e844ca7377e4f3a8e4bfdf0962897effa1622660e8b48d190e2820ff4429

*See JSON for more IOCs

Coverage

Product

Protection

Secure Endpoint

Cloudlock

N/A

CWS

Email Security

Network Security

N/A

Stealthwatch

N/A

Stealthwatch Cloud

N/A

Secure Malware Analytics

Umbrella

N/A

WSA

N/A

Screenshots of Detection****Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Malware.Zusy-9970856-0****Indicators of Compromise

  • IOCs collected from dynamic analysis of 13 samples

Registry Keys

Occurrences

<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E

        Value Name: LanguageList

8

<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E

        Value Name: @explorer.exe,-7001

8

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\APPLICATIONDESTINATIONS

        Value Name: MaxEntries

1

IP Addresses contacted by malware. Does not indicate maliciousness

Occurrences

47[.]111[.]103[.]192

13

Domain Names contacted by malware. Does not indicate maliciousness

Occurrences

os[.]ieycc[.]com

13

Files and or directories created

Occurrences

\Client.txt

13

%TEMP%\Tomato.ini

13

%APPDATA%\testing.dat

13

\TEMP\1E0F0E0A120B156B155B15E0C0F160E0D160A.exe

1

\TEMP\1F0F0D0C120A156D155E15E0A0E160B0C160F.exe

1

\TEMP\1F0B0B0A120E156C155E15D0A0F160D0E160D.exe

1

\TEMP\1C0B0F0A120C156F155C15E0B0A160F0E160D.exe

1

\TEMP\1B0C0D0C120A156E155C15C0E0D160D0B160E.exe

1

\TEMP\1B0F0A0D120F156E155C15F0C0E160E0F160A.exe

1

\TEMP\1E0F0B0A120F156F155E15D0B0E160B0D160E.exe

1

\TEMP\1D0D0C0E120C156D155F15A0A0E160C0C160A.exe

1

\TEMP\1E0D0C0D120F156E155C15F0A0E160D0C160F.exe

1

\TEMP\1C0B0C0B120D156E155E15A0E0F160B0D160D.exe

1

\TEMP\1E0C0F0F120A156A155B15A0F0A160E0D160A.exe

1

\TEMP\1E0C0A0A120B156F155D15A0E0F160B0A160A.exe

1

\TEMP\1E0B0C0D120C156C155A15D0D0D160B0D160C.exe

1

File Hashes

    015c6d06fe9aaa4844b5e008796cbb854cf6765c2ca398f596dd2fceeceb6c95

    0de5af728d4834e450386979efd9681bd54bfeb65f687cccd621f3a20331c050

    43d5fb959a8c848030537e37f0d0638bc57bb83652dba85ee2e868a17f1d10ef

    568bc0b8c2e914ca7cb2f62bfd82839c584d14d3d47b96ea34703b9d024c78ec

    7539e13bb8b001f08742f38c29b42135a2b414e2ba095cf3bf74f38db78f3e0f

    80459aa210f4e16b123a27b47c1191872b79a6c6a8751613ad1b649a0f1f3426

    974e745bbf32ea7bf0bcff7bd04e3b13f8f3c9cf8a79d01f34658729c793e333

    aa22f56078cf431f2587ea270f428fff6d4eee5b08d542b40b89a9712e14e5b3

    acf7e8303fd53c63b778a611773267ecf001225772bee1fccbd2a2370ad6e658

    ae24b008cb2dc1855367cd814581f1092d9899a77e982f8fc746409c29afbaaa

    b13513bd0c731f688fe25804c6dd74a3126d0494549368c8d692bd85d2024e5f

    e35cb24702c24b57edf8f1439a1409b6c8c0f97bc30a90a3c396fdd0f3c38f84

    f9501ffa9e293c88c61e0071fdc5b7ce2d00e1c8bc20a564ab906dfb9565e4c7

Coverage

Product

Protection

Secure Endpoint

Cloudlock

N/A

CWS

Email Security

Network Security

N/A

Stealthwatch

N/A

Stealthwatch Cloud

N/A

Secure Malware Analytics

Umbrella

N/A

WSA

N/A

Screenshots of Detection****Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Dropper.Remcos-9970861-0****Indicators of Compromise

  • IOCs collected from dynamic analysis of 42 samples

IP Addresses contacted by malware. Does not indicate maliciousness

Occurrences

172[.]98[.]192[.]37

42

Domain Names contacted by malware. Does not indicate maliciousness

Occurrences

www[.]djapp[.]info

42

Files and or directories created

Occurrences

%TEMP%<random, matching '[a-z]{3}[A-F0-9]{3,4}’>.tmp

42

%APPDATA%\Microsoft\Windows\Cookies\NFIM9G9G.txt

10

%TEMP%\FltFD54.exe

1

%TEMP%\FltFAC5.exe

1

%TEMP%\FltFF0C.exe

1

%TEMP%\FltA28D.exe

1

%TEMP%\FltE1AD.exe

1

%TEMP%\FltFAB6.exe

1

%TEMP%\Flt593A.exe

1

%TEMP%\FltF8C2.exe

1

%TEMP%\Flt4F6E.exe

1

%TEMP%\FltFB71.exe

1

%TEMP%\FltA461.exe

1

%TEMP%\FltFD74.exe

1

%TEMP%\Flt23BD.exe

1

%TEMP%\Flt8A88.exe

1

%TEMP%\FltBC04.exe

1

%TEMP%\FltF633.exe

1

%TEMP%\FltB040.exe

1

%TEMP%\Flt6184.exe

1

%TEMP%\Flt540D.exe

1

%TEMP%\Flt5D82.exe

1

%TEMP%\FltBD3A.exe

1

%TEMP%\tnf5FD1.exe

1

%TEMP%\FltC777.exe

1

*See JSON for more IOCs

File Hashes

    00cda027a316d979f614cd747e8eea14fcc1f7a144b5eb5fc385ea3b52ada9ac

    04a7c806cd6404d5547bf136331733e970364c0090c705b0002170ca7fa59882

    06a0c6a86e47342846759164e0a7da0087e5926d1bdf48b64ad106b6e53951a4

    0d103909b0c3e6ac0021b1aa8bbd17b50d1f94ccfb6011a1b70609b6a45668fe

    0d503f2d89c74456f441b95033f1f7f1b5f8c9b9ef338c177beb7e22c3844cb8

    13d63a2102b3685464c7f32f95fb4ed6287f51db1da590f7141ad36d2ec0fe00

    16de9b5489c9bc4900f94a6939e4a5124caee0ce2ac4dcd938850385c35ecd94

    16e1726e22af546ae83bf70500135f69e1f3805c2c49752b6098c07f0815307a

    1bb3b038b6da9ca30bf12a24ab4e0361ff60c6375bed74492ac37652e2ecd3da

    23f59e71fd7d520a50ae1aaea2c026ae2f05a85d6bf1f24301ceac52e713157b

    24d621a695ef4fae5b296bc2bb6071cc90b9c56415f70464797e69080b6a7e75

    2635c53ba6293fe95e539dfd0f480835ceb7b47c6971a3024ae8443893eca176

    2c65cccfb66e0773395cd78f4c742f03cdf3d482357278cf53cd47ea87f62f04

    2d82667b13cc3acb398ae87a83674ce3a334867e82d20b4fd809a14d10323084

    2e53c50fd916da51599be464f226b09f28d70fe323cb292c115b9723d402ddde

    3457b58ade09a9a581003687d9bd904c6200dcc96aafbb24450c371a165c96d8

    3832ee4b74d72c5b4e8299cc9e20248145ff74a7364ebfeb2baa9ee60c0a00d8

    38ff5081e308b00e57028e3ad749ae4dccf165796a073fafacd6e6cbad31cc21

    3e278b7296bcb58b47e8d60ee9a7f44c548a6d790cdf45fcdff6bc526c395a93

    3f4fa0de7c9e2b18b0e16b1cbd72dcc279d5ab6b727992a158ed4bced8663f87

    40318b04af3f4761f989d5725e61fc41bd034990e3a86478c897466416632c44

    4126cae93a6d1471fbf37ef4a73347ed4fa136486fe7229b06721db5d50ed27c

    479e0fa51921d000d9ae53beb96c8d88b3e90ba563b7595db6d015fe0c41beea

    50532f85c712a7ba7e79ba23130a568fdfcfde7c3bdbcec90edea02aacef7f9b

    535e141dc2b44bdafa9fd3ef6c3355413bd7837c5bfc398c608ea49e150b7727

*See JSON for more IOCs

Coverage

Product

Protection

Secure Endpoint

Cloudlock

N/A

CWS

Email Security

Network Security

Stealthwatch

N/A

Stealthwatch Cloud

N/A

Secure Malware Analytics

Umbrella

WSA

Screenshots of Detection****Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Malware.Emotet-9970880-0****Indicators of Compromise

  • IOCs collected from dynamic analysis of 25 samples

Registry Keys

Occurrences

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID{690D1BD7-EA98-1004-3AC9-E87553700E95}

25

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID{690D1BD7-EA98-1004-3AC9-E87553700E95}\SHELLFOLDER

25

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID{10CDDA71-B745-777B-1AF7-51696DB9BB93}

25

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID{10CDDA71-B745-777B-1AF7-51696DB9BB93}\SHELLFOLDER

25

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID{8BAB5812-9D02-8F14-74B1-BEDE393F8C1F}

25

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID{8BAB5812-9D02-8F14-74B1-BEDE393F8C1F}\SHELLFOLDER

25

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID{10DF83AD-199B-9C18-3FEF-E4ECD6A42F66}

25

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID{10DF83AD-199B-9C18-3FEF-E4ECD6A42F66}\SHELLFOLDER

25

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID{1AD90FE5-CE2F-E8B8-CF09-E0B1912E9542}

25

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID{1AD90FE5-CE2F-E8B8-CF09-E0B1912E9542}\SHELLFOLDER

25

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID{05ED06D6-F422-71CC-26B3-C9964D56F645}

25

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID{05ED06D6-F422-71CC-26B3-C9964D56F645}\SHELLFOLDER

25

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID{98B09642-2764-54AE-3333-D8C6CA536428}

25

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID{98B09642-2764-54AE-3333-D8C6CA536428}\SHELLFOLDER

25

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID{63D99860-AA40-CA79-F681-9DECBEF55447}

25

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID{63D99860-AA40-CA79-F681-9DECBEF55447}\SHELLFOLDER

25

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID{D4B277A3-C25E-BCDE-A054-D41AAC36394B}

25

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID{D4B277A3-C25E-BCDE-A054-D41AAC36394B}\SHELLFOLDER

25

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID{FE9DE6BC-A4CF-8285-E73C-DFE7A08197FE}

25

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID{FE9DE6BC-A4CF-8285-E73C-DFE7A08197FE}\SHELLFOLDER

25

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID{B11CF2E2-C0C2-7860-F12E-428101DCB963}

25

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID{B11CF2E2-C0C2-7860-F12E-428101DCB963}\SHELLFOLDER

25

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID{7E6AEF51-F5A7-48A0-B175-FE26B30A3B42}

25

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID{7E6AEF51-F5A7-48A0-B175-FE26B30A3B42}\SHELLFOLDER

25

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID{39D7DE2A-54FC-2744-D7AC-675623A7BCA2}

25

Mutexes

Occurrences

{24d07012-9955-711c-e323-1079ebcbe1f4}

25

{bf18992f-6351-a1bd-1f80-485116c997cd}

25

{dbad1190-816b-947c-9b01-53ef739d7edb}

25

{ed099f6b-73d9-00a3-4493-daef482dc5ca}

20

Files and or directories created

Occurrences

%APPDATA%\Microsoft\Crypto\RSA\S-1-5-21-2580483871-590521980-3826313501-500\a18ca4003deb042bbee7a40f15e1970b_d19ab989-a35f-4710-83df-7b2db7efe7c5

25

%System32%\Tasks\Ryddmbivo

25

%APPDATA%<random, matching '[a-z0-9]{3,7}’>

25

%System32%\8452\eudcedit.exe

1

%APPDATA%\F9NSFA\MRT.exe

1

%APPDATA%\EoXbu\BdeUISrv.exe

1

%System32%\9450\VSSVC.exe

1

%System32%\7744\ComputerDefaults.exe

1

%APPDATA%\RAQ9\calc.exe

1

%System32%\9936\psr.exe

1

%APPDATA%\Q7e9\rekeywiz.exe

1

%System32%\5094\WindowsAnytimeUpgrade.exe

1

%APPDATA%\U6yhd\DeviceDisplayObjectProvider.exe

1

%System32%\5022\msra.exe

1

%APPDATA%\EtXM\fvenotify.exe

1

%System32%\1402\ddodiag.exe

1

%APPDATA%\bsPEU\wbengine.exe

1

%System32%\6726\StikyNot.exe

1

%APPDATA%\Kal6bb\sethc.exe

1

%System32%\6787\ie4uinit.exe

1

%APPDATA%\Y74EoZ\Dxpserver.exe

1

%System32%\7651\rrinstaller.exe

1

%APPDATA%\aF7U\WerFault.exe

1

%System32%\6604\DeviceDisplayObjectProvider.exe

1

%APPDATA%\rmluRRx\MRT.exe

1

*See JSON for more IOCs

File Hashes

    0be6c8c9f6626f0cbc875a04f81d65ec51646285f607fc23610ced0698d2d356

    0e00806596a0084133b662804d645e485a94d42b50e7634608bfc572bc6f99bc

    10d50610dc069e961878c8d2be79f7ba638125c2f0229086f27d2261f7ef7074

    209494092b65fdebe368f90fdf69cd878f931fb334c059611ccabe84301887e2

    24273a46f41c978ebd1b7014cd43c05d7273e638fa539e21adf9b16fcd6d7fa4

    270234993c0381d55e1d5615099a692a0e11139d6d5b353f625ac6197cc5fadd

    2ce15b1bfa8a577f79da8bbcf2159bf3661aed963cdbbb59ddbf333da4bb52ea

    370de40215ce6a4e8f27e33d7a6edcd9cc4c86dc39aa86246d02308f556ff39e

    5239bbf6672c93344f21741c4016ea154db5f6aa3989514244de6c55532f54d4

    5341a8e7076ea8dbba28ed69ec1130f361c7e90505afbb191f639d6b8295a3e7

    634295ad711f68679e6471766d8ca49454c7276348211b6d99a5539e314e7ddb

    64c51179f273e00dcb08ddf0c401a3e7c6b4441421f4a0f907bc32f4aaf54191

    65c0c35adfcd488cde26d72ba39dd77052f0d6f54c40d10003d824ce1079a630

    670db2f68e0bb350f98d1f0ea9624e45536473bb9f1552270be89d87aba17ed9

    77c9d7eb923718013ec2145d35a18f17b326655e226b6f252ca6967b0837b39a

    8ded5e3631dcd94576d1770289b38005c95c1456588157fd01ea6191c7bcaf1a

    91c351ad5a31c40ccf05069b4dde6d0d8e2ff7e78118ca4d110bfe8fcef7d5b6

    96e1d30dda3746847269a2707bf4261deadf3d146d1e9df5bd163743ef6b0902

    9cebaa66b09ae6043e137c87fece4f2f55a3ae9cbbbb64414e0202a6d3db8932

    9d019b660a52484961f7d540d3fe62da22c2c09be968474a614f9dd94ae8c7e5

    a2074b34223a80ea0a46784e03ab9e09f86deb98c470c10b2999692fe19777b3

    a81460aa2b31719c28672cc624c8fd83e3cbde9d4fc59fb1c55a0713b22a031b

    a8e2070710eb026f8d9aa46032576b1d474171ea11bb6d2cff97cc9e2069a3af

    ae65c3182b13c9012b1fc98d483a3c1c7bfd82193d1cd14b1e2a0572458530b1

    ae8b637375e736db787d31a4081f2f39ce25908f3276807e43a6eceb4e511377

*See JSON for more IOCs

Coverage

Product

Protection

Secure Endpoint

Cloudlock

N/A

CWS

Email Security

Network Security

N/A

Stealthwatch

N/A

Stealthwatch Cloud

N/A

Secure Malware Analytics

Umbrella

N/A

WSA

N/A

Screenshots of Detection****Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Dropper.TrickBot-9970890-0****Indicators of Compromise

  • IOCs collected from dynamic analysis of 10 samples

Registry Keys

Occurrences

<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E

        Value Name: LanguageList

3

<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E

        Value Name: @explorer.exe,-7001

3

<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E

        Value Name: @C:\Windows\system32\DeviceCenter.dll,-2000

2

Mutexes

Occurrences

Global\VLock

3

Global\683173c1-3af4-11ed-9660-001517635527

1

IP Addresses contacted by malware. Does not indicate maliciousness

Occurrences

104[.]18[.]115[.]97

2

91[.]83[.]88[.]51

1

92[.]63[.]102[.]64

1

195[.]133[.]144[.]237

1

34[.]160[.]111[.]145

1

195[.]133[.]196[.]130

1

Domain Names contacted by malware. Does not indicate maliciousness

Occurrences

obyavlenie[.]lisx[.]ru

10

icanhazip[.]com

2

ipecho[.]net

1

Files and or directories created

Occurrences

%APPDATA%\winapp\Modules

3

%System32%\Tasks\services update

3

%APPDATA%\winapp\client_id

3

%APPDATA%\winapp\group_tag

3

%APPDATA%\winapp

3

%APPDATA%\winapp\24ae736c30cacc5f26f34e07c47ca97c.exe

1

%APPDATA%\winapp\0g5d59dff6a3d3g20046c0ga554f8f9ef8d3e2c767g46c2592d53d6c604df5g9.exe

1

%APPDATA%\winapp\39g7366fcac6cdd0a64ag077e5ga30354aggg87d682e9cd06940033777cefaf2.exe

1

File Hashes

    0a9fd6d744cc4fa8e08eee7c95c58d6cb9cb995a249597bdc8beba4ab5fdd921

    0f4c49cee6a2c2f10036b0fa443e8e9de8c2d1b757f36b1491c42c6b503ce4f9

    14bf94de8b881459e2f6f49051b1411da60e3526251751048bdde18f99d93f1e

    29f7266ebab5bcc0a53af077d4fa20243afff87c681d9bc06930022777bdeae1

    42162ca740023f144cf1f5efc8f9680f5db0ac16e0cf9eeb88f57275a5bbd38e

    489d8e1c47548164a35abb21dbe155972aa09e6c65c0fd7456baf79d3ffb3539

    7820f15d39888555e5d2189015d13491d58e2c345921064777155febcaf9b88e

    8c1326a8e1f6c781441f3a5da6fe962337a03b9a3ffd93495e933e051d24f4a0

    eac3e3c5636e62a6865ff6e048875506d16ed22ffd8caca23529407eb94a2478

    f3395ab28c54a61118784d205926e7122ff7735d92d992c22db9dd63fd3a8e28

Coverage

Product

Protection

Secure Endpoint

Cloudlock

N/A

CWS

Email Security

Network Security

Stealthwatch

N/A

Stealthwatch Cloud

N/A

Secure Malware Analytics

Umbrella

N/A

WSA

N/A

Screenshots of Detection****Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Dropper.XtremeRAT-9971238-0****Indicators of Compromise

  • IOCs collected from dynamic analysis of 25 samples

Registry Keys

Occurrences

<HKCU>\SOFTWARE<random, matching '[a-zA-Z0-9]{5,9}’>

16

<HKCU>\SOFTWARE<random, matching '[a-zA-Z0-9]{5,9}’>

        Value Name: InstalledServer

16

<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN

        Value Name: HKLM

15

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN

        Value Name: HKCU

15

<HKCU>\SOFTWARE<random, matching '[a-zA-Z0-9]{5,9}’>

        Value Name: ServerStarted

6

<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS{T88RCWLO-A2V2-4LXR-TJ24-W4CWO446W6OJ}

5

<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS{T88RCWLO-A2V2-4LXR-TJ24-W4CWO446W6OJ}

        Value Name: StubPath

5

<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS{424A7MGK-RCMT-8C4V-40EM-XW7BLA8PVRC7}

5

<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS{424A7MGK-RCMT-8C4V-40EM-XW7BLA8PVRC7}

        Value Name: StubPath

5

<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS{5K3TI7P5-LW5S-LR18-4174-DG7KKUL703V7}

3

<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS{5K3TI7P5-LW5S-LR18-4174-DG7KKUL703V7}

        Value Name: StubPath

3

<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS{5460C4DF-B266-909E-CB58-E32B79832EB2}

2

<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS{5460C4DF-B266-909E-CB58-E32B79832EB2}

        Value Name: StubPath

2

Mutexes

Occurrences

XTREMEUPDATE

16

<random, matching [a-zA-Z0-9]{5,9}EXIT>

15

<random, matching [a-zA-Z0-9]{5,9}>PERSIST

11

<random, matching [a-zA-Z0-9]{5,9}>

6

zZgdeZ8P

5

Q6gWX0

5

Q6gWX0PERSIST

5

Global<random guid>

4

Domain Names contacted by malware. Does not indicate maliciousness

Occurrences

profesorjedi11[.]myftp[.]biz

10

profesorjedi3[.]myftp[.]biz

3

clarityz[.]no-ip[.]biz

2

dynamic[.]no-ip[.]biz

2

cooempresas1[.]ddns[.]net

1

Files and or directories created

Occurrences

%TEMP%\x.html

15

%SystemRoot%\SysWOW64\System32

10

%APPDATA%\Microsoft\Windows<random, matching '[a-zA-Z0-9]{5,9}’>.dat

6

%APPDATA%\Microsoft\Windows<random, matching '[a-zA-Z0-9]{5,9}’>.cfg

6

%SystemRoot%\SysWOW64\Sistem32

5

%APPDATA%\Microsoft\Windows\zZgdeZ8P.cfg

5

%SystemRoot%\SysWOW64\System32\crrsc.exe

5

%APPDATA%\Microsoft\Windows\zZgdeZ8P.dat

5

%APPDATA%\Microsoft\Windows\Q6gWX0.cfg

5

%SystemRoot%\SysWOW64\Sistem32\crrsc.exe

5

%APPDATA%\Microsoft\Windows\Q6gWX0.dat

5

%SystemRoot%\SysWOW64\System32\csrrs.exe

3

%SystemRoot%\SysWOW64\System32\csrss.exe

2

%SystemRoot%\SysWOW64\Drivers\System.exe

1

File Hashes

    02bbfb5be9238a07f4bbc310640558187fffe927b6c61aef277f25e556b42976

    034fd97c565ab91825e7d810d5e629f00bb25f54ac1ed7f1846e7f1c23d1ecd2

    104a08c153d9d099bad368fc405a2888a153bfaa1cf33f99f43fbc1b97d0282f

    1a7fa38a87b8d63bdef718b54626476dd952673e010877eb0412041a227ae587

    1b70089136743505bd03a024ed1d6faca2a618397aecf14eceafed7e708c42ef

    1d281e8cd1c5e451d069a2df9eed854f4bfa28e91881e7e2bfea2be0cfd6e2d0

    2a4841ab8656fedadeb5dcc16821ca4789ba29a1df607c72f73fe6de8c55f965

    4a5a09ce229c5f06f96114b0c55b1b2a645b75ab6e5f1f3df524efc9e6b549df

    4e960f7a51969cc989219642701cb327e7713462eff60866099fb16632e1c636

    521f339fe84053ddc608a8f1faf2774ea1f6fa1ee3ad252f642967f27c2ebb2e

    52f4aba104b5caadff9baa7eb92e4ff21c176ff183a59f0283555de081e74c9a

    53743558915afca3fcf12a83095ed8448502c37ac0ce847268bd34ff2b17eaef

    54d8e6f9d64d480ad1381ddcd730d786be7b94b34154fa9ae6a46fc06670732a

    58432dc37d6e18bf7f719c42d1a955374dc04c737ec433384fa61ea7c895ce8a

    5f0a9ba0fc1146512ec06df04fb3eedcaaf67df5534d2895bdee7d39dbb767d4

    6aeceda58114f30d5286bf84e92bfc293d5fb1ed4648c29d9e6ba6e229ad6c0a

    73711c78caf84f57df3e54a7e0d47dc5b91c73d521e6e5de2da31694c7a2cd1d

    747ae8b9f401e6f92381039c80d98f2fbff9f1c94ab1479c23e9bd67714208b5

    7d56d2784dafc2edb6f002e66504b3222f899712167f5d67878e576adf5bfff4

    87365c8be5e1df23024d4f06108ca715ca6960fab1db19241af01dc249049b34

    95774b16ad3920dee24ad1211ad677003bace3db07e351dcfa92ea8c9fb0de4d

    9811dc1790865ba850a085b86faf45d12e6d18de3746fba1f79e7d5bc07b81e6

    9fc0af5f00d92876795d06cadc1ec27ce789be7d4396cca1a4d39c10a1a13cee

    cf6bf580a1c08b6d4c8e4b73c65a156dd87e6157b358a22f58e6c4e741a62088

    d2dd951900f73760709d95358434a8d382363f78cbd78a4476e361225b2fdb90

*See JSON for more IOCs

Coverage

Product

Protection

Secure Endpoint

Cloudlock

N/A

CWS

Email Security

Network Security

N/A

Stealthwatch

N/A

Stealthwatch Cloud

N/A

Secure Malware Analytics

Umbrella

N/A

WSA

N/A

Screenshots of Detection****Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Dropper.Kuluoz-9971090-0****Indicators of Compromise

  • IOCs collected from dynamic analysis of 26 samples

Registry Keys

Occurrences

<HKCU>\SOFTWARE<random, matching '[a-zA-Z0-9]{5,9}’>

26

<HKCU>\SOFTWARE\HLUAPPSN

        Value Name: simfbhec

2

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN

        Value Name: fihacxpj

2

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN

        Value Name: rtvamnqd

1

<HKCU>\SOFTWARE\UTLRUTMU

        Value Name: jqusubuo

1

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN

        Value Name: kilanrco

1

<HKCU>\SOFTWARE\AUBBBWXT

        Value Name: ibmqpuls

1

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN

        Value Name: opoiitvt

1

<HKCU>\SOFTWARE\BWCRDATG

        Value Name: qmiabusl

1

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN

        Value Name: mwxoukfx

1

<HKCU>\SOFTWARE\BTTXALDX

        Value Name: micawbbp

1

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN

        Value Name: jtqieuec

1

<HKCU>\SOFTWARE\BBWAIJEJ

        Value Name: lmpebxqp

1

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN

        Value Name: emgsvrci

1

<HKCU>\SOFTWARE\MNSVSFDT

        Value Name: jkxkagel

1

<HKCU>\SOFTWARE\MBJFFRTQ

        Value Name: bgmxnfso

1

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN

        Value Name: akpgniqk

1

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN

        Value Name: hrcgucbt

1

<HKCU>\SOFTWARE\NTKIGTHP

        Value Name: etduinsg

1

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN

        Value Name: pjecpkuu

1

<HKCU>\SOFTWARE\NHSATHPS

        Value Name: mxopsxdc

1

<HKCU>\SOFTWARE\HPEDSDSE

        Value Name: vfkeebww

1

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN

        Value Name: icccipkm

1

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN

        Value Name: ilxotnrg

1

<HKCU>\SOFTWARE\AFTNNBRU

        Value Name: kchufmmw

1

Mutexes

Occurrences

aaAdministrator

26

abAdministrator

26

IP Addresses contacted by malware. Does not indicate maliciousness

Occurrences

69[.]64[.]36[.]244

21

16[.]156[.]201[.]237

17

110[.]77[.]220[.]66

15

5[.]249[.]139[.]132

15

85[.]12[.]29[.]251

13

5[.]175[.]166[.]35

13

130[.]60[.]202[.]71

11

198[.]57[.]165[.]46

10

Files and or directories created

Occurrences

%LOCALAPPDATA%<random, matching '[a-z]{8}’>.exe

26

File Hashes

    01e772c69c3d96d7da41baf1b4630a9b93cda39bd4b5b0234f1de2a818788965

    0507e74fa55bfb2a725358b0e5d2a3ad82d95a15b8dda89eda0892276855c6e0

    0575881e5f371494a9b928ea409bce3fc15b35f4a6fc47f5b3ccc267e6428d05

    13830d13f9538029311649ec0b7d2b70afd36d0d38432550c973123429eb940b

    14b22ef72fd4f36063c344d7358e32d9529010b303b09bcc11f562bf2d4981a7

    1f226936fa8a2ae6ff457619b2883377cbe741decadc705095d4527a7ae9a4d8

    21f96423b4b10c910ef1ae4f584ed1e49944f2166c41aac0d9f53ad042933f89

    25c31d64ed3db07f502aee95703ec407b34dff5a3fdc34bf2b3b64250f2ec0e2

    3578e19cbb128d0b2b7fb009c8041deed69144c0e20e6c58c18967a2abcc0c1b

    422f405e2d70ed3bd58f6e9c4ef7d1a4ed8b912fc8acde5cab9068f34fc55f09

    46b398648a6f022657c1a7a6bf0dae147562f354b34fa9b82103d8566b01c771

    4cc31dc0d33247799cb383ede808dea70ab9081847e46b2ce95e2c054cd97011

    576ed58a06ae914ae06a711af19b30a9f02ece2d435f84b7bea71fedc19dd995

    5bad5333dcfea5b33727b34cde45b54d36cbf01d3fb0a1a915de8df1569b4fb1

    5e3329e3193099fe8e09922ac85a7ab3e8ae89f0ae4f0f7a93fb30aacc7726e3

    5e398a7762fe420158605cfb72bc309197c7c9346fc43a5cc8ccb0a14db25483

    66b43dd194bf97f705c361ad1cc82a0f5c1afca7b03d57f99a3011cdefdc536f

    6da9fe76f563ff6265b8971b601fb5037a93011fb16294b5ee7564f332d554ed

    6ed6b8dececdaf3ee4ce0072d309125c5cef6e3ffef23f48baa3b0d3763462be

    7c42e9ea360ccfb28b41c3490b305dcace56fea64e858ac3cde0984f6c9f3d07

    816c6679de23475fe46588ce4380091c985ad689210fbf4daea6ca383f423465

    8379ba1a2904b162411009fbe1bc4c94efd1ccf72ab38989dffb2077c1a0ec74

    86e574bcb8a28b933731a83f9166c23c717a9840dfdecffde9130e9a2d598e08

    8e39459d72319dc5e7f184b363ac8d7e3a486fbc6e02f9ad2273d0b0502a188d

    8e5f994ccd02d59bc203efd3ff130575c4d9c170599592dd45696b87c4f4b420

*See JSON for more IOCs

Coverage

Product

Protection

Secure Endpoint

Cloudlock

N/A

CWS

Email Security

Network Security

N/A

Stealthwatch

N/A

Stealthwatch Cloud

N/A

Secure Malware Analytics

Umbrella

N/A

WSA

N/A

Screenshots of Detection****Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Dropper.Shiz-9971537-0****Indicators of Compromise

  • IOCs collected from dynamic analysis of 27 samples

Registry Keys

Occurrences

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN

        Value Name: internat.exe

27

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS

        Value Name: ProxyEnable

27

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP

        Value Name: UNCAsIntranet

27

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP

        Value Name: AutoDetect

27

<HKLM>\SOFTWARE\MICROSOFT

        Value Name: 67497551a

27

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS

        Value Name: load

27

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS

        Value Name: run

27

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN

        Value Name: userinit

27

<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON

        Value Name: 98b68e3c

27

<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON

        Value Name: userinit

27

<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON

        Value Name: System

27

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS

        Value Name: run

27

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN

        Value Name: userinit

27

<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\159\SHELL

        Value Name: KnownFolderDerivedFolderType

1

Mutexes

Occurrences

Global\674972E3a

27

Global\MicrosoftSysenterGate7

27

internal_wutex_0x<random, matching [0-9a-f]{8}>

27

internal_wutex_0x000004b4

26

internal_wutex_0x0000043c

26

internal_wutex_0x000004dc

25

internal_wutex_0x000000e0

1

internal_wutex_0x0000038c

1

internal_wutex_0x00000448

1

internal_wutex_0x000006a0

1

IP Addresses contacted by malware. Does not indicate maliciousness

Occurrences

204[.]79[.]197[.]200

15

13[.]107[.]21[.]200

12

45[.]33[.]23[.]183

8

173[.]255[.]194[.]134

6

72[.]14[.]178[.]174

6

72[.]14[.]185[.]43

6

45[.]56[.]79[.]23

5

45[.]33[.]2[.]79

5

45[.]33[.]30[.]197

5

45[.]33[.]18[.]44

4

45[.]79[.]19[.]196

3

198[.]58[.]118[.]167

3

85[.]94[.]194[.]169

2

96[.]126[.]123[.]244

1

45[.]33[.]20[.]235

1

Domain Names contacted by malware. Does not indicate maliciousness

Occurrences

kevopoxecun[.]eu

27

rycaropynar[.]eu

27

lyxemoxyquf[.]eu

27

puzoxyvojyc[.]eu

27

fotaqizymig[.]eu

27

cidufitojex[.]eu

27

puvacigakog[.]eu

27

xuboninogyt[.]eu

27

cicezomaxyz[.]eu

27

dixyjohevon[.]eu

27

fokisohurif[.]eu

27

volugomymet[.]eu

27

maganomojer[.]eu

27

jefecajazif[.]eu

27

qedylaqecel[.]eu

27

nojotomipel[.]eu

27

gahoqohofib[.]eu

27

rytifaquwer[.]eu

27

kepujajynib[.]eu

27

lyrosajupid[.]eu

27

tuwaraqidek[.]eu

27

pumebeqalew[.]eu

27

cinycekecid[.]eu

27

divulewybek[.]eu

27

vocijekyqiv[.]eu

27

*See JSON for more IOCs

Files and or directories created

Occurrences

%TEMP%<random, matching [A-F0-9]{1,4}>.tmp

27

%TEMP%\F1A0.tmp

1

%TEMP%\8350.tmp

1

%TEMP%\6709.tmp

1

%TEMP%\5ABC.tmp

1

%TEMP%\DF95.tmp

1

File Hashes

    03ceb23a35bcd7170f8e2293c15aa444406959d789fda9ff9e412cf7a3a6ad90

    0a00f10084231e3abf745b456d522c27a284cd17e5824a91026e6511a0073792

    0a9d1eec9b14e840863b4948703b4c1a50b8d1c16d6cd6c0191ed55e82864ea3

    0aa380118e812371de65b56f760676f611ddda8a7dd422ed1e62214c2a8303d1

    0b38f48ffc49f1b53724384bd894702bcf49f2d68c1b84e4e0eeb931d572d294

    0b8cfcf3c71b18b73ec50c68115b5d7538eab4d21168272d547e4b6316ed592a

    0d8afb797e2ce9f712f3b5fb22317ec97cd8ea55b85855ffb33f362f45e3b706

    10d952070cca8a50175e4193e23e798484f215faa6ac8261b37caebb4ae4c22a

    16487b9aabc544819f3e1843e196d8e6b982b15ae95b9b599af310c0f4a0763e

    1751820a0b3e9669c512077ef08caa8cc8bd7cba8bb54eb97c574ba6dfa09d2d

    1bafc4ef3a634e29c71f52e5b0f3ea6ab3cd55e25ef9623d8d21302a13ac4833

    21c50af5ea57cf75b6bcf6e74b8008b335a440d4f4fd8499d2abc287116a0100

    2473d34831b6fef2e985c045c3a00880d05aceeeac10edf1f09ff38a1cbc44af

    2602a1096a4eec7291145b4570c1a0e814c03fba18d3d76d1b82f6e0dacaecf8

    2656072242b6777473e258b7f0fc7777cda688fe95f0050f375ffeb12f000c28

    2856afa65f2c7f0a23be68ce6899f24a9d3e12fa4f3b00644562e1ecdc06eed1

    28b92d2ad7b6c9865a5eda3ca5435cbcd7b24fd0b48ed61c9c7b87af542b88ed

    29bc8c64d83b59592ced9e79fd8e242344fedaa9bff3d385ce5372de7e035b4b

    2a812fc2558cfe90756a59a8d79ec8da9e14d7fec59cd9bbc5189a67a86629eb

    2e7fe1b9448cb0cca242f4b72fd956f21ad262587b88135045bc07a010cec102

    3047c7b03f084dc15ddbca4044a0fb2376af8b3799e4316194de8ef1474e1bf8

    321f58c68fead768a8465532821b62ec741482135b0a5460d48838433cde6133

    32b2f95694db2d96de89e4f8644cbdf68229903053c066499141b323d4acca1a

    34beb6169472ea58264460d2673a70128474e9bdb62fe998e5c22f9a4fa61a8c

    350596b9f1a539dddfd73cb4d10c605ec8cc8ed227bd2f33f31fddd6f190e7d8

*See JSON for more IOCs

Coverage

Product

Protection

Secure Endpoint

Cloudlock

N/A

CWS

Email Security

Network Security

Stealthwatch

N/A

Stealthwatch Cloud

N/A

Secure Malware Analytics

Umbrella

WSA

Screenshots of Detection****Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Packed.Fareit-9971247-1****Indicators of Compromise

  • IOCs collected from dynamic analysis of 13 samples

Registry Keys

Occurrences

<HKCU>\SOFTWARE\WINRAR

13

<HKCU>\SOFTWARE\WINRAR

        Value Name: HWID

13

IP Addresses contacted by malware. Does not indicate maliciousness

Occurrences

168[.]144[.]38[.]105

13

File Hashes

    1acb437594832fbf922ea62142314c31026f4345dfd31cf843acb52eca1aec92

    1cc621b3d1a8db17783e813726cee6309e7802110a6d93779b7096e723023628

    39b43b15aeb0a1aff4ca35928a2dd25aa6439c2faa24721424a749cd5b376153

    57e6addd9c1c9f9367c48020e1f004a26cd6b361c6145ec97e554fd991ca5925

    6bc8e9d23757833faff22d586d92d2274283e5bbe400bf07fdd2c5a070f39bd2

    84238de8af6828ea6864308ce0ea0f0e798c31c2e105c3b7bf0f238732738d78

    8f1566be038140548e9c1350a9ae28d95c1b70b8f79c0ba3ba094ffec8b530c2

    914e1a2a9ca34ba6b66795165ea9e57d2817f3aa23ed662a565c9ad6c6476459

    a9b1fb4abbebe49a65998d688a02819d8bdc3eeeebad496b94b5f6b27ff4e49b

    b7f64dd2cb3cb310bfbbd54e29b4f9c03e94bd474ab487e403aec3357350307a

    c6c1fcd270017f81a8113545eb42471f98700eb162ccbd4272b54de6435c4971

    f4fd5a689233ea0c7c0d1599f14b68554f5c07f0c12c86981e0eef4be06940be

    fb2a62eecd3f1a04e0633f43d472229ef3994de0a212da08d21c9fea8577016e

Coverage

Product

Protection

Secure Endpoint

Cloudlock

N/A

CWS

Email Security

Network Security

N/A

Stealthwatch

N/A

Stealthwatch Cloud

N/A

Secure Malware Analytics

Umbrella

N/A

WSA

N/A

Screenshots of Detection****Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

TALOS: Latest News

New PXA Stealer targets government and education sectors for sensitive information