
Threat Roundup for September 23 to September 30

Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between Sept. 23 and Sept. 30. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats. As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. A visual depiction of the MITRE ATT&CK techniques associated with each threat is also shown. In these images, the brightness of the technique indicates how prevalent it is across all threat files where dynamic analysis was conducted. There are five distinct shades that are used, with the darkest indicating that no files exhibited technique behavior and the brightest indicating that technique behavior was observed from 75 percent or more of the files. The most prevalent threats highlighted in this roundup are:

Threat Name / Type / Description

Win.Virus.Parite-9970689-0 (Virus)
    Parite is a polymorphic file infector. It infects executable files on the local machine and on network drives.

Win.Malware.Zusy-9970856-0 (Malware)
    Zusy, also known as TinyBanker or Tinba, is a trojan that uses man-in-the-middle attacks to steal banking information. When executed, it injects itself into legitimate Windows processes such as "explorer.exe" and "winver.exe." When the user accesses a banking website, it displays a form to trick the user into submitting personal information.

Win.Dropper.Remcos-9970861-0 (Dropper)
    Remcos is a remote access trojan (RAT) that allows attackers to execute commands on the infected host, log keystrokes, interact with a webcam and capture screenshots. This malware is commonly delivered through Microsoft Office documents with macros, sent as attachments on malicious emails.

Win.Malware.Emotet-9970880-0 (Malware)
    Emotet is currently one of the most widely distributed and active malware families. It is a highly modular threat that can deliver a wide variety of payloads. The botnet is commonly delivered via Microsoft Office documents with macros sent as attachments to malicious emails.

Win.Dropper.TrickBot-9970890-0 (Dropper)
    TrickBot is a banking trojan targeting sensitive information for certain financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution such as VB scripts.

Win.Dropper.XtremeRAT-9971238-0 (Dropper)
    XtremeRAT is a remote access trojan active since 2010 that allows the attacker to eavesdrop on users and modify the running system. The source code for XtremeRAT, written in Delphi, was leaked online and has since been used by similar RATs.

Win.Dropper.Kuluoz-9971090-0 (Dropper)
    Kuluoz, sometimes known as "Asprox," is a modular remote access trojan that downloads and executes follow-on malware, such as fake antivirus software. Kuluoz is often delivered via spam emails pretending to be shipment delivery notifications or flight booking confirmations.

Win.Dropper.Shiz-9971537-0 (Dropper)
    Shiz is a remote access trojan that allows an attacker to access an infected machine in order to harvest sensitive information. It is commonly spread via droppers or by visiting a malicious site.

Win.Packed.Fareit-9971247-1 (Packed)
    The Fareit trojan is primarily an information stealer with functionality to download and install other malware.
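The introduction above makes two points a hunter has to operationalize: the IOCs are printed defanged (the "[.]" notation), and a single IOC hit is a lead, not a verdict. The following is an added example, not code from the Talos post, showing the mechanical part: refanging the listed network IOCs, matching them against log lines so that a longer token such as 147.111.103.192 does not count as a hit for 47.111.103.192, and checking file SHA256 digests against the listed hashes. The IOC and hash values are copied from this roundup; the log lines and file contents are constructed.

```python
"""Match the roundup's defanged network IOCs and SHA256 hashes against local data.

Added example, not part of the Talos post. The IOC values below are copied
from this roundup; the log lines and file contents are constructed.
"""
import hashlib
import re
from typing import Dict, Iterable, List, Set, Tuple

# Network IOCs exactly as the post defangs them (Zusy, Remcos and TrickBot sections).
DEFANGED_IOCS = [
    "47[.]111[.]103[.]192",
    "os[.]ieycc[.]com",
    "172[.]98[.]192[.]37",
    "www[.]djapp[.]info",
    "104[.]18[.]115[.]97",
]

# First two SHA256 values from the Parite file-hash list.
KNOWN_HASHES: Set[str] = {
    "0536b9760519d832e0c5ff072cad054ef2ae43dbe57330d48c609aeb75e6ae43",
    "0fb870a5615c6c24fa559ae795c3366d80a97622fe2efac880330772344a9760",
}


def refang(ioc: str) -> str:
    """Turn the post's '[.]' notation back into a real dotted name or address."""
    return ioc.replace("[.]", ".")


def defang(value: str) -> str:
    """Inverse of refang, so reported hits are safe to paste into tickets or chat."""
    return value.replace(".", "[.]")


def build_matcher(iocs: Iterable[str]) -> "re.Pattern[str]":
    """Compile one alternation over all refanged IOCs.

    The look-arounds reject a hit that is merely a substring of a longer
    token: 147.111.103.192 must not match 47.111.103.192. A subdomain such as
    a.os.ieycc.com is deliberately not matched either; subdomain handling is
    out of scope for this example.
    """
    alternatives = "|".join(re.escape(refang(i)) for i in iocs)
    return re.compile(r"(?<![\w.-])(" + alternatives + r")(?![\w.-])", re.IGNORECASE)


def scan_log_lines(lines: Iterable[str], iocs: Iterable[str] = DEFANGED_IOCS) -> List[Tuple[int, str]]:
    """Return (1-based line number, defanged IOC) for every IOC hit in the lines."""
    pattern = build_matcher(iocs)
    hits: List[Tuple[int, str]] = []
    for lineno, line in enumerate(lines, start=1):
        for match in pattern.finditer(line):
            hits.append((lineno, defang(match.group(1))))
    return hits


def sha256_hex(data: bytes) -> str:
    """Lowercase hex SHA256 of a byte string, the form used in the hash lists."""
    return hashlib.sha256(data).hexdigest()


def hash_hits(blobs: Dict[str, bytes], known: Set[str] = KNOWN_HASHES) -> List[str]:
    """Return the names of blobs whose SHA256 appears in the known-hash set.

    Comparison is on the full lowercase hex digest, so a truncated or
    upper-cased hash copied into a ticket never produces a false positive.
    """
    return sorted(name for name, data in blobs.items() if sha256_hex(data) in known)


# Constructed proxy/DNS/firewall lines; not real telemetry.
SAMPLE_LOG = [
    "2022-09-28T10:01:03Z proxy allow 10.0.0.5 -> http://os.ieycc.com/Client.txt",
    "2022-09-28T10:01:09Z dns query www.djapp.info A 172.98.192.37",
    "2022-09-28T10:02:11Z proxy allow 10.0.0.7 -> https://example.com/",
    "2022-09-28T10:02:40Z fw deny 10.0.0.5 -> 147.111.103.192:443",
]

# Constructed file contents; none of these hash to a value on the page.
SAMPLE_FILES = {"notes.txt": b"meeting notes\n", "tool.exe": b"MZ\x90\x00placeholder"}


if __name__ == "__main__":
    for lineno, ioc in scan_log_lines(SAMPLE_LOG):
        print(f"line {lineno}: {ioc}")
    print("hash hits:", hash_hits(SAMPLE_FILES))
```

Run stand-alone, the scanner reports the three constructed hits on lines 1 and 2 and nothing for line 4, and the hash check returns an empty list. Hits are printed defanged so the output can be pasted into a ticket without creating a live link; a hit on a domain such as os[.]ieycc[.]com still has to be weighed against what the post says about the sample that contacted it before anyone treats the host as compromised.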

Threat Breakdown

Win.Virus.Parite-9970689-0

Indicators of Compromise

IOCs collected from dynamic analysis of 29 samples

Registry Keys                                                              Occurrences
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED
    Value Name: HideFileExt                                                29
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED
    Value Name: Hidden                                                     29
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CABINETSTATE
    Value Name: fullpath                                                   29
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
    Value Name: LanguageList                                               1
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
    Value Name: @explorer.exe,-7001                                        1

Files and or directories created                                           Occurrences
%TEMP%\<random, matching '[a-z]{3}[A-F0-9]{3,4}'>.tmp                      29

File Hashes

             0536b9760519d832e0c5ff072cad054ef2ae43dbe57330d48c609aeb75e6ae43              0fb870a5615c6c24fa559ae795c3366d80a97622fe2efac880330772344a9760              10308179aec9cf03dfe7fcd95aba9f1da191f70406d653157ea3746e63423c93              15e5fc751dbee4b99c094bbfd15d5b4c3655e0a8a34af84cb4773f2bcd265db8              16048c5e4b000118579343bcf188dbb5bcc0d313bd144a08a76423a7ff990c58              1a16bf0852508c3742325cd1b25c6fa9f9580e42017f273ff81d41edea8bd579              23c44b2d663dcb0224e7a2dcbd9a179923baf1c1d95f221f0435eef3fa6c7913              264dfb45197cb3e37d2054313e54c5549dd53f9d6cbc4a7cf9963b8275e59811              3605daf57520cfe6759abc471cb9a55ff4a6b99711ee3718ce6db3438b63a7e0              39139ac00356189a53c9122b4efa10a9e5ca42b25656cc794d4199d5a0e6003a              3a19cc265b1767563c293cfe5dfd8083a1cb72e37625bd243538f210594bd9bf              51f14dad750e0a93bdf69200d726c8f929a6e903dc837fefc5b2efdf7b33493e              530e290a3e9383bc016d666d4829f2ca2c256f5f32e8c84e71346f1d4a65302a              58950830c787ae1768a8d5aab290270b089b04e61d39e6b82a7daf51696fea03              5b0d897a5c748d58c536b19b0d16b3262cc238d65ac41d22f4552d1a2a0ea966              66fe640d820e530e4554251bcb07177a4f2fdea28fc13beb588898a0374fd20d              714ced6bb466961048291a1f89355892490a10bd6e206a256b2e3b97bf1fec55              7dbd9b1e5792f9085af025e526f331e00c878b2adc2e0d8c4a2c5dba4d79a32b              8c8c7b2a40fcdff745e87d060daac5798bda65e8e1568dd46e69d703a5adace3              933768be5d22750f182e69c91630a6f7af6f5db309ba61f83d5547c9a8865273              95463bf7d0d934880a1292e479f56d69596e43062eb18265ef43905702551af0              a1af5ed894006b1690455b12e58c117725a5274e7fc6f8410af119429171372d              a9a2deaa34de9ebc68523c18ad02f8a27aae60818fda1583440df25f336f61c2              aedea0e8e6ee4e36191b3e67dcc71e169ea9c1419b5ad4a062f3f2d37a99f3a3              c000e844ca7377e4f3a8e4bfdf0962897effa1622660e8b48d190e2820ff4429              

*See JSON for more IOCs

Coverage

Product                     Protection
Secure Endpoint
Cloudlock                   N/A
CWS
Email Security
Network Security            N/A
Stealthwatch                N/A
Stealthwatch Cloud          N/A
Secure Malware Analytics
Umbrella                    N/A
WSA                         N/A

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Malware.Zusy-9970856-0

Indicators of Compromise

IOCs collected from dynamic analysis of 13 samples

Registry Keys                                                                        Occurrences
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
    Value Name: LanguageList                                                         8
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
    Value Name: @explorer.exe,-7001                                                  8
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\APPLICATIONDESTINATIONS
    Value Name: MaxEntries                                                           1

IP Addresses contacted by malware. Does not indicate maliciousness                   Occurrences
47[.]111[.]103[.]192                                                                 13

Domain Names contacted by malware. Does not indicate maliciousness                   Occurrences
os[.]ieycc[.]com                                                                     13

Files and or directories created                                                     Occurrences
\Client.txt                                                                          13
%TEMP%\Tomato.ini                                                                    13
%APPDATA%\testing.dat                                                                13
\TEMP\1E0F0E0A120B156B155B15E0C0F160E0D160A.exe                                      1
\TEMP\1F0F0D0C120A156D155E15E0A0E160B0C160F.exe                                      1
\TEMP\1F0B0B0A120E156C155E15D0A0F160D0E160D.exe                                      1
\TEMP\1C0B0F0A120C156F155C15E0B0A160F0E160D.exe                                      1
\TEMP\1B0C0D0C120A156E155C15C0E0D160D0B160E.exe                                      1
\TEMP\1B0F0A0D120F156E155C15F0C0E160E0F160A.exe                                      1
\TEMP\1E0F0B0A120F156F155E15D0B0E160B0D160E.exe                                      1
\TEMP\1D0D0C0E120C156D155F15A0A0E160C0C160A.exe                                      1
\TEMP\1E0D0C0D120F156E155C15F0A0E160D0C160F.exe                                      1
\TEMP\1C0B0C0B120D156E155E15A0E0F160B0D160D.exe                                      1
\TEMP\1E0C0F0F120A156A155B15A0F0A160E0D160A.exe                                      1
\TEMP\1E0C0A0A120B156F155D15A0E0F160B0A160A.exe                                      1
\TEMP\1E0B0C0D120C156C155A15D0D0D160B0D160C.exe                                      1

File Hashes

             015c6d06fe9aaa4844b5e008796cbb854cf6765c2ca398f596dd2fceeceb6c95              0de5af728d4834e450386979efd9681bd54bfeb65f687cccd621f3a20331c050              43d5fb959a8c848030537e37f0d0638bc57bb83652dba85ee2e868a17f1d10ef              568bc0b8c2e914ca7cb2f62bfd82839c584d14d3d47b96ea34703b9d024c78ec              7539e13bb8b001f08742f38c29b42135a2b414e2ba095cf3bf74f38db78f3e0f              80459aa210f4e16b123a27b47c1191872b79a6c6a8751613ad1b649a0f1f3426              974e745bbf32ea7bf0bcff7bd04e3b13f8f3c9cf8a79d01f34658729c793e333              aa22f56078cf431f2587ea270f428fff6d4eee5b08d542b40b89a9712e14e5b3              acf7e8303fd53c63b778a611773267ecf001225772bee1fccbd2a2370ad6e658              ae24b008cb2dc1855367cd814581f1092d9899a77e982f8fc746409c29afbaaa              b13513bd0c731f688fe25804c6dd74a3126d0494549368c8d692bd85d2024e5f              e35cb24702c24b57edf8f1439a1409b6c8c0f97bc30a90a3c396fdd0f3c38f84              f9501ffa9e293c88c61e0071fdc5b7ce2d00e1c8bc20a564ab906dfb9565e4c7              

Coverage

Product                     Protection
Secure Endpoint
Cloudlock                   N/A
CWS
Email Security
Network Security            N/A
Stealthwatch                N/A
Stealthwatch Cloud          N/A
Secure Malware Analytics
Umbrella                    N/A
WSA                         N/A

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Dropper.Remcos-9970861-0

Indicators of Compromise

IOCs collected from dynamic analysis of 42 samples

IP Addresses contacted by malware. Does not indicate maliciousness         Occurrences
172[.]98[.]192[.]37                                                        42

Domain Names contacted by malware. Does not indicate maliciousness         Occurrences
www[.]djapp[.]info                                                         42

Files and or directories created                                           Occurrences
%TEMP%\<random, matching '[a-z]{3}[A-F0-9]{3,4}'>.tmp                      42
%APPDATA%\Microsoft\Windows\Cookies\NFIM9G9G.txt                           10
%TEMP%\FltFD54.exe                                                         1
%TEMP%\FltFAC5.exe                                                         1
%TEMP%\FltFF0C.exe                                                         1
%TEMP%\FltA28D.exe                                                         1
%TEMP%\FltE1AD.exe                                                         1
%TEMP%\FltFAB6.exe                                                         1
%TEMP%\Flt593A.exe                                                         1
%TEMP%\FltF8C2.exe                                                         1
%TEMP%\Flt4F6E.exe                                                         1
%TEMP%\FltFB71.exe                                                         1
%TEMP%\FltA461.exe                                                         1
%TEMP%\FltFD74.exe                                                         1
%TEMP%\Flt23BD.exe                                                         1
%TEMP%\Flt8A88.exe                                                         1
%TEMP%\FltBC04.exe                                                         1
%TEMP%\FltF633.exe                                                         1
%TEMP%\FltB040.exe                                                         1
%TEMP%\Flt6184.exe                                                         1
%TEMP%\Flt540D.exe                                                         1
%TEMP%\Flt5D82.exe                                                         1
%TEMP%\FltBD3A.exe                                                         1
%TEMP%\tnf5FD1.exe                                                         1
%TEMP%\FltC777.exe                                                         1

*See JSON for more IOCs

File Hashes

             00cda027a316d979f614cd747e8eea14fcc1f7a144b5eb5fc385ea3b52ada9ac              04a7c806cd6404d5547bf136331733e970364c0090c705b0002170ca7fa59882              06a0c6a86e47342846759164e0a7da0087e5926d1bdf48b64ad106b6e53951a4              0d103909b0c3e6ac0021b1aa8bbd17b50d1f94ccfb6011a1b70609b6a45668fe              0d503f2d89c74456f441b95033f1f7f1b5f8c9b9ef338c177beb7e22c3844cb8              13d63a2102b3685464c7f32f95fb4ed6287f51db1da590f7141ad36d2ec0fe00              16de9b5489c9bc4900f94a6939e4a5124caee0ce2ac4dcd938850385c35ecd94              16e1726e22af546ae83bf70500135f69e1f3805c2c49752b6098c07f0815307a              1bb3b038b6da9ca30bf12a24ab4e0361ff60c6375bed74492ac37652e2ecd3da              23f59e71fd7d520a50ae1aaea2c026ae2f05a85d6bf1f24301ceac52e713157b              24d621a695ef4fae5b296bc2bb6071cc90b9c56415f70464797e69080b6a7e75              2635c53ba6293fe95e539dfd0f480835ceb7b47c6971a3024ae8443893eca176              2c65cccfb66e0773395cd78f4c742f03cdf3d482357278cf53cd47ea87f62f04              2d82667b13cc3acb398ae87a83674ce3a334867e82d20b4fd809a14d10323084              2e53c50fd916da51599be464f226b09f28d70fe323cb292c115b9723d402ddde              3457b58ade09a9a581003687d9bd904c6200dcc96aafbb24450c371a165c96d8              3832ee4b74d72c5b4e8299cc9e20248145ff74a7364ebfeb2baa9ee60c0a00d8              38ff5081e308b00e57028e3ad749ae4dccf165796a073fafacd6e6cbad31cc21              3e278b7296bcb58b47e8d60ee9a7f44c548a6d790cdf45fcdff6bc526c395a93              3f4fa0de7c9e2b18b0e16b1cbd72dcc279d5ab6b727992a158ed4bced8663f87              40318b04af3f4761f989d5725e61fc41bd034990e3a86478c897466416632c44              4126cae93a6d1471fbf37ef4a73347ed4fa136486fe7229b06721db5d50ed27c              479e0fa51921d000d9ae53beb96c8d88b3e90ba563b7595db6d015fe0c41beea              50532f85c712a7ba7e79ba23130a568fdfcfde7c3bdbcec90edea02aacef7f9b              535e141dc2b44bdafa9fd3ef6c3355413bd7837c5bfc398c608ea49e150b7727              

*See JSON for more IOCs

Coverage

Product                     Protection
Secure Endpoint
Cloudlock                   N/A
CWS
Email Security
Network Security
Stealthwatch                N/A
Stealthwatch Cloud          N/A
Secure Malware Analytics
Umbrella
WSA

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Malware.Emotet-9970880-0

Indicators of Compromise

IOCs collected from dynamic analysis of 25 samples

Registry Keys                                                                                                          Occurrences
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{690D1BD7-EA98-1004-3AC9-E87553700E95}                25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{690D1BD7-EA98-1004-3AC9-E87553700E95}\SHELLFOLDER    25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{10CDDA71-B745-777B-1AF7-51696DB9BB93}                25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{10CDDA71-B745-777B-1AF7-51696DB9BB93}\SHELLFOLDER    25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{8BAB5812-9D02-8F14-74B1-BEDE393F8C1F}                25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{8BAB5812-9D02-8F14-74B1-BEDE393F8C1F}\SHELLFOLDER    25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{10DF83AD-199B-9C18-3FEF-E4ECD6A42F66}                25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{10DF83AD-199B-9C18-3FEF-E4ECD6A42F66}\SHELLFOLDER    25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{1AD90FE5-CE2F-E8B8-CF09-E0B1912E9542}                25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{1AD90FE5-CE2F-E8B8-CF09-E0B1912E9542}\SHELLFOLDER    25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{05ED06D6-F422-71CC-26B3-C9964D56F645}                25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{05ED06D6-F422-71CC-26B3-C9964D56F645}\SHELLFOLDER    25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{98B09642-2764-54AE-3333-D8C6CA536428}                25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{98B09642-2764-54AE-3333-D8C6CA536428}\SHELLFOLDER    25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{63D99860-AA40-CA79-F681-9DECBEF55447}                25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{63D99860-AA40-CA79-F681-9DECBEF55447}\SHELLFOLDER    25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{D4B277A3-C25E-BCDE-A054-D41AAC36394B}                25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{D4B277A3-C25E-BCDE-A054-D41AAC36394B}\SHELLFOLDER    25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{FE9DE6BC-A4CF-8285-E73C-DFE7A08197FE}                25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{FE9DE6BC-A4CF-8285-E73C-DFE7A08197FE}\SHELLFOLDER    25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{B11CF2E2-C0C2-7860-F12E-428101DCB963}                25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{B11CF2E2-C0C2-7860-F12E-428101DCB963}\SHELLFOLDER    25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{7E6AEF51-F5A7-48A0-B175-FE26B30A3B42}                25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{7E6AEF51-F5A7-48A0-B175-FE26B30A3B42}\SHELLFOLDER    25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{39D7DE2A-54FC-2744-D7AC-675623A7BCA2}                25

Mutexes                                                                                                                Occurrences
{24d07012-9955-711c-e323-1079ebcbe1f4}                                                                                 25
{bf18992f-6351-a1bd-1f80-485116c997cd}                                                                                 25
{dbad1190-816b-947c-9b01-53ef739d7edb}                                                                                 25
{ed099f6b-73d9-00a3-4493-daef482dc5ca}                                                                                 20

Files and or directories created                                                                                       Occurrences
%APPDATA%\Microsoft\Crypto\RSA\S-1-5-21-2580483871-590521980-3826313501-500\a18ca4003deb042bbee7a40f15e1970b_d19ab989-a35f-4710-83df-7b2db7efe7c5    25
%System32%\Tasks\Ryddmbivo                                                                                             25
%APPDATA%\<random, matching '[a-z0-9]{3,7}'>                                                                           25
%System32%\8452\eudcedit.exe                                                                                           1
%APPDATA%\F9NSFA\MRT.exe                                                                                               1
%APPDATA%\EoXbu\BdeUISrv.exe                                                                                           1
%System32%\9450\VSSVC.exe                                                                                              1
%System32%\7744\ComputerDefaults.exe                                                                                   1
%APPDATA%\RAQ9\calc.exe                                                                                                1
%System32%\9936\psr.exe                                                                                                1
%APPDATA%\Q7e9\rekeywiz.exe                                                                                            1
%System32%\5094\WindowsAnytimeUpgrade.exe                                                                              1
%APPDATA%\U6yhd\DeviceDisplayObjectProvider.exe                                                                        1
%System32%\5022\msra.exe                                                                                               1
%APPDATA%\EtXM\fvenotify.exe                                                                                           1
%System32%\1402\ddodiag.exe                                                                                            1
%APPDATA%\bsPEU\wbengine.exe                                                                                           1
%System32%\6726\StikyNot.exe                                                                                           1
%APPDATA%\Kal6bb\sethc.exe                                                                                             1
%System32%\6787\ie4uinit.exe                                                                                           1
%APPDATA%\Y74EoZ\Dxpserver.exe                                                                                         1
%System32%\7651\rrinstaller.exe                                                                                        1
%APPDATA%\aF7U\WerFault.exe                                                                                            1
%System32%\6604\DeviceDisplayObjectProvider.exe                                                                        1
%APPDATA%\rmluRRx\MRT.exe                                                                                              1

*See JSON for more IOCs

File Hashes

             0be6c8c9f6626f0cbc875a04f81d65ec51646285f607fc23610ced0698d2d356              0e00806596a0084133b662804d645e485a94d42b50e7634608bfc572bc6f99bc              10d50610dc069e961878c8d2be79f7ba638125c2f0229086f27d2261f7ef7074              209494092b65fdebe368f90fdf69cd878f931fb334c059611ccabe84301887e2              24273a46f41c978ebd1b7014cd43c05d7273e638fa539e21adf9b16fcd6d7fa4              270234993c0381d55e1d5615099a692a0e11139d6d5b353f625ac6197cc5fadd              2ce15b1bfa8a577f79da8bbcf2159bf3661aed963cdbbb59ddbf333da4bb52ea              370de40215ce6a4e8f27e33d7a6edcd9cc4c86dc39aa86246d02308f556ff39e              5239bbf6672c93344f21741c4016ea154db5f6aa3989514244de6c55532f54d4              5341a8e7076ea8dbba28ed69ec1130f361c7e90505afbb191f639d6b8295a3e7              634295ad711f68679e6471766d8ca49454c7276348211b6d99a5539e314e7ddb              64c51179f273e00dcb08ddf0c401a3e7c6b4441421f4a0f907bc32f4aaf54191              65c0c35adfcd488cde26d72ba39dd77052f0d6f54c40d10003d824ce1079a630              670db2f68e0bb350f98d1f0ea9624e45536473bb9f1552270be89d87aba17ed9              77c9d7eb923718013ec2145d35a18f17b326655e226b6f252ca6967b0837b39a              8ded5e3631dcd94576d1770289b38005c95c1456588157fd01ea6191c7bcaf1a              91c351ad5a31c40ccf05069b4dde6d0d8e2ff7e78118ca4d110bfe8fcef7d5b6              96e1d30dda3746847269a2707bf4261deadf3d146d1e9df5bd163743ef6b0902              9cebaa66b09ae6043e137c87fece4f2f55a3ae9cbbbb64414e0202a6d3db8932              9d019b660a52484961f7d540d3fe62da22c2c09be968474a614f9dd94ae8c7e5              a2074b34223a80ea0a46784e03ab9e09f86deb98c470c10b2999692fe19777b3              a81460aa2b31719c28672cc624c8fd83e3cbde9d4fc59fb1c55a0713b22a031b              a8e2070710eb026f8d9aa46032576b1d474171ea11bb6d2cff97cc9e2069a3af              ae65c3182b13c9012b1fc98d483a3c1c7bfd82193d1cd14b1e2a0572458530b1              ae8b637375e736db787d31a4081f2f39ce25908f3276807e43a6eceb4e511377              

*See JSON for more IOCs

Coverage

Product                     Protection
Secure Endpoint
Cloudlock                   N/A
CWS
Email Security
Network Security            N/A
Stealthwatch                N/A
Stealthwatch Cloud          N/A
Secure Malware Analytics
Umbrella                    N/A
WSA                         N/A

Screenshots of Detection: Secure Endpoint and Secure Malware Analytics (screenshots not reproduced in this text)

MITRE ATT&CK: technique heatmap for this threat (image not reproduced in this text)

Win.Dropper.TrickBot-9970890-0

Indicators of Compromise

IOCs collected from dynamic analysis of 10 samples

Registry Keys                                                          Occurrences
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
    Value Name: LanguageList                                           3
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
    Value Name: @explorer.exe,-7001                                    3
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
    Value Name: @C:\Windows\system32\DeviceCenter.dll,-2000            2

Mutexes                                                                Occurrences
Global\VLock                                                           3
Global\683173c1-3af4-11ed-9660-001517635527                            1

IP Addresses contacted by malware. Does not indicate maliciousness     Occurrences
104[.]18[.]115[.]97                                                    2
91[.]83[.]88[.]51                                                      1
92[.]63[.]102[.]64                                                     1
195[.]133[.]144[.]237                                                  1
34[.]160[.]111[.]145                                                   1
195[.]133[.]196[.]130                                                  1

Domain Names contacted by malware. Does not indicate maliciousness     Occurrences
obyavlenie[.]lisx[.]ru                                                 10
icanhazip[.]com                                                        2
ipecho[.]net                                                           1

Files and/or directories created                                       Occurrences
%APPDATA%\winapp\Modules                                               3
%System32%\Tasks\services update                                       3
%APPDATA%\winapp\client_id                                             3
%APPDATA%\winapp\group_tag                                             3
%APPDATA%\winapp                                                       3
%APPDATA%\winapp\24ae736c30cacc5f26f34e07c47ca97c.exe                  1
%APPDATA%\winapp\0g5d59dff6a3d3g20046c0ga554f8f9ef8d3e2c767g46c2592d53d6c604df5g9.exe    1
%APPDATA%\winapp\39g7366fcac6cdd0a64ag077e5ga30354aggg87d682e9cd06940033777cefaf2.exe    1

File Hashes

0a9fd6d744cc4fa8e08eee7c95c58d6cb9cb995a249597bdc8beba4ab5fdd921
0f4c49cee6a2c2f10036b0fa443e8e9de8c2d1b757f36b1491c42c6b503ce4f9
14bf94de8b881459e2f6f49051b1411da60e3526251751048bdde18f99d93f1e
29f7266ebab5bcc0a53af077d4fa20243afff87c681d9bc06930022777bdeae1
42162ca740023f144cf1f5efc8f9680f5db0ac16e0cf9eeb88f57275a5bbd38e
489d8e1c47548164a35abb21dbe155972aa09e6c65c0fd7456baf79d3ffb3539
7820f15d39888555e5d2189015d13491d58e2c345921064777155febcaf9b88e
8c1326a8e1f6c781441f3a5da6fe962337a03b9a3ffd93495e933e051d24f4a0
eac3e3c5636e62a6865ff6e048875506d16ed22ffd8caca23529407eb94a2478
f3395ab28c54a61118784d205926e7122ff7735d92d992c22db9dd63fd3a8e28
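The network indicators above are printed defanged ([.] in place of .), and the table header is explicit that contact alone does not indicate maliciousness. The script below is an added example, not Talos code: it refangs the TrickBot domains and IP addresses from the tables above, scans a few constructed DNS and proxy log lines for them, and carries each indicator's occurrence count through so the analyst can see that obyavlenie[.]lisx[.]ru was contacted by all 10 samples, while icanhazip[.]com and ipecho[.]net are public IP-lookup services that plenty of legitimate software also calls. The low/high split, the log format and the host names are assumptions made for the demo.

```python
"""Refang the TrickBot network IOCs from the tables above and hunt for them
in log lines.  Added example, not Talos code; the log lines are constructed."""
import re
from typing import Iterable

# Indicators exactly as the tables print them (defanged), with the
# occurrence count (how many of the 10 samples contacted each one).
TRICKBOT_NETWORK_IOCS = {
    "obyavlenie[.]lisx[.]ru": 10,
    "icanhazip[.]com": 2,
    "ipecho[.]net": 1,
    "104[.]18[.]115[.]97": 2,
    "91[.]83[.]88[.]51": 1,
    "92[.]63[.]102[.]64": 1,
    "195[.]133[.]144[.]237": 1,
    "34[.]160[.]111[.]145": 1,
    "195[.]133[.]196[.]130": 1,
}

# Public "what is my IP" services.  The samples used them, but so does a lot
# of legitimate software, so a hit here is context, not a detection.
# (Assumption made for this example, not a judgement from the page.)
LOW_SIGNAL = {"icanhazip.com", "ipecho.net"}


def refang(ioc: str) -> str:
    """Undo the usual defanging so the indicator matches real log data."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


def build_matcher(iocs):
    """Compile one regex matching any refanged IOC as a whole token.
    Longest alternatives first so a subdomain never loses to its parent."""
    refanged = {refang(k): v for k, v in iocs.items()}
    alternation = "|".join(
        re.escape(d) for d in sorted(refanged, key=len, reverse=True)
    )
    # No word character or hyphen directly before/after: "1104.18.115.97"
    # or "icanhazip.com-cdn" must not count, "www.icanhazip.com" must.
    pattern = re.compile(r"(?<![\w-])(" + alternation + r")(?![\w-])",
                         re.IGNORECASE)
    return pattern, refanged


def scan(lines: Iterable[str], iocs=TRICKBOT_NETWORK_IOCS):
    """Return (line_no, ioc, occurrences, severity) for every hit."""
    pattern, counts = build_matcher(iocs)
    hits = []
    for n, line in enumerate(lines, 1):
        for m in pattern.finditer(line):
            ioc = m.group(1).lower()
            severity = "low" if ioc in LOW_SIGNAL else "high"
            hits.append((n, ioc, counts[ioc], severity))
    return hits


# Constructed DNS / proxy / connection log lines for the demo.
SAMPLE_LOG = [
    "2022-09-28T10:01:12Z host=WS17 dns query=obyavlenie.lisx.ru type=A",
    "2022-09-28T10:01:13Z host=WS17 proxy GET http://icanhazip.com/ 200",
    "2022-09-28T10:01:40Z host=WS17 conn dst=195.133.144.237:443",
    "2022-09-28T10:02:05Z host=WS09 dns query=updates.example.com type=A",
]

if __name__ == "__main__":
    for line_no, ioc, seen, severity in scan(SAMPLE_LOG):
        print(f"line {line_no}: {ioc} ({seen}/10 samples, {severity} signal)")
```

A hit on the C2-looking domain on the same host and within seconds of a public IP-check call is the pattern worth pivoting on; the IP-check call by itself is not.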

Coverage

Product                     Protection
Secure Endpoint
Cloudlock                   N/A
CWS
Email Security
Network Security
Stealthwatch                N/A
Stealthwatch Cloud          N/A
Secure Malware Analytics
Umbrella                    N/A
WSA                         N/A

(Rows without a value showed a protection-indicator image on the original page; N/A is as published.)

Screenshots of Detection: Secure Endpoint and Secure Malware Analytics (screenshots not reproduced in this text)

MITRE ATT&CK: technique heatmap for this threat (image not reproduced in this text)

Win.Dropper.XtremeRAT-9971238-0

Indicators of Compromise

IOCs collected from dynamic analysis of 25 samples

Registry Keys                                                                                    Occurrences
<HKCU>\SOFTWARE\<random, matching '[a-zA-Z0-9]{5,9}'>                                            16
<HKCU>\SOFTWARE\<random, matching '[a-zA-Z0-9]{5,9}'>
    Value Name: InstalledServer                                                                  16
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    Value Name: HKLM                                                                             15
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    Value Name: HKCU                                                                             15
<HKCU>\SOFTWARE\<random, matching '[a-zA-Z0-9]{5,9}'>
    Value Name: ServerStarted                                                                    6
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{T88RCWLO-A2V2-4LXR-TJ24-W4CWO446W6OJ}    5
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{T88RCWLO-A2V2-4LXR-TJ24-W4CWO446W6OJ}
    Value Name: StubPath                                                                         5
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{424A7MGK-RCMT-8C4V-40EM-XW7BLA8PVRC7}    5
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{424A7MGK-RCMT-8C4V-40EM-XW7BLA8PVRC7}
    Value Name: StubPath                                                                         5
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{5K3TI7P5-LW5S-LR18-4174-DG7KKUL703V7}    3
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{5K3TI7P5-LW5S-LR18-4174-DG7KKUL703V7}
    Value Name: StubPath                                                                         3
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{5460C4DF-B266-909E-CB58-E32B79832EB2}    2
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{5460C4DF-B266-909E-CB58-E32B79832EB2}
    Value Name: StubPath                                                                         2

Mutexes                                                                Occurrences
XTREMEUPDATE                                                           16
<random, matching [a-zA-Z0-9]{5,9}EXIT>                                15
<random, matching [a-zA-Z0-9]{5,9}>PERSIST                             11
<random, matching [a-zA-Z0-9]{5,9}>                                    6
zZgdeZ8P                                                               5
Q6gWX0                                                                 5
Q6gWX0PERSIST                                                          5
Global\<random guid>                                                   4

Domain Names contacted by malware. Does not indicate maliciousness     Occurrences
profesorjedi11[.]myftp[.]biz                                           10
profesorjedi3[.]myftp[.]biz                                            3
clarityz[.]no-ip[.]biz                                                 2
dynamic[.]no-ip[.]biz                                                  2
cooempresas1[.]ddns[.]net                                              1

Files and/or directories created                                       Occurrences
%TEMP%\x.html                                                          15
%SystemRoot%\SysWOW64\System32                                         10
%APPDATA%\Microsoft\Windows\<random, matching '[a-zA-Z0-9]{5,9}'>.dat  6
%APPDATA%\Microsoft\Windows\<random, matching '[a-zA-Z0-9]{5,9}'>.cfg  6
%SystemRoot%\SysWOW64\Sistem32                                         5
%APPDATA%\Microsoft\Windows\zZgdeZ8P.cfg                               5
%SystemRoot%\SysWOW64\System32\crrsc.exe                               5
%APPDATA%\Microsoft\Windows\zZgdeZ8P.dat                               5
%APPDATA%\Microsoft\Windows\Q6gWX0.cfg                                 5
%SystemRoot%\SysWOW64\Sistem32\crrsc.exe                               5
%APPDATA%\Microsoft\Windows\Q6gWX0.dat                                 5
%SystemRoot%\SysWOW64\System32\csrrs.exe                               3
%SystemRoot%\SysWOW64\System32\csrss.exe                               2
%SystemRoot%\SysWOW64\Drivers\System.exe                               1

File Hashes

02bbfb5be9238a07f4bbc310640558187fffe927b6c61aef277f25e556b42976
034fd97c565ab91825e7d810d5e629f00bb25f54ac1ed7f1846e7f1c23d1ecd2
104a08c153d9d099bad368fc405a2888a153bfaa1cf33f99f43fbc1b97d0282f
1a7fa38a87b8d63bdef718b54626476dd952673e010877eb0412041a227ae587
1b70089136743505bd03a024ed1d6faca2a618397aecf14eceafed7e708c42ef
1d281e8cd1c5e451d069a2df9eed854f4bfa28e91881e7e2bfea2be0cfd6e2d0
2a4841ab8656fedadeb5dcc16821ca4789ba29a1df607c72f73fe6de8c55f965
4a5a09ce229c5f06f96114b0c55b1b2a645b75ab6e5f1f3df524efc9e6b549df
4e960f7a51969cc989219642701cb327e7713462eff60866099fb16632e1c636
521f339fe84053ddc608a8f1faf2774ea1f6fa1ee3ad252f642967f27c2ebb2e
52f4aba104b5caadff9baa7eb92e4ff21c176ff183a59f0283555de081e74c9a
53743558915afca3fcf12a83095ed8448502c37ac0ce847268bd34ff2b17eaef
54d8e6f9d64d480ad1381ddcd730d786be7b94b34154fa9ae6a46fc06670732a
58432dc37d6e18bf7f719c42d1a955374dc04c737ec433384fa61ea7c895ce8a
5f0a9ba0fc1146512ec06df04fb3eedcaaf67df5534d2895bdee7d39dbb767d4
6aeceda58114f30d5286bf84e92bfc293d5fb1ed4648c29d9e6ba6e229ad6c0a
73711c78caf84f57df3e54a7e0d47dc5b91c73d521e6e5de2da31694c7a2cd1d
747ae8b9f401e6f92381039c80d98f2fbff9f1c94ab1479c23e9bd67714208b5
7d56d2784dafc2edb6f002e66504b3222f899712167f5d67878e576adf5bfff4
87365c8be5e1df23024d4f06108ca715ca6960fab1db19241af01dc249049b34
95774b16ad3920dee24ad1211ad677003bace3db07e351dcfa92ea8c9fb0de4d
9811dc1790865ba850a085b86faf45d12e6d18de3746fba1f79e7d5bc07b81e6
9fc0af5f00d92876795d06cadc1ec27ce789be7d4396cca1a4d39c10a1a13cee
cf6bf580a1c08b6d4c8e4b73c65a156dd87e6157b358a22f58e6c4e741a62088
d2dd951900f73760709d95358434a8d382363f78cbd78a4476e361225b2fdb90

*See JSON for more IOCs

Coverage

Product                     Protection
Secure Endpoint
Cloudlock                   N/A
CWS
Email Security
Network Security            N/A
Stealthwatch                N/A
Stealthwatch Cloud          N/A
Secure Malware Analytics
Umbrella                    N/A
WSA                         N/A

(Rows without a value showed a protection-indicator image on the original page; N/A is as published.)

Screenshots of Detection: Secure Endpoint and Secure Malware Analytics (screenshots not reproduced in this text)

MITRE ATT&CK: technique heatmap for this threat (image not reproduced in this text)

Win.Dropper.Kuluoz-9971090-0

Indicators of Compromise

IOCs collected from dynamic analysis of 26 samples

Registry Keys                                                          Occurrences
<HKCU>\SOFTWARE\<random, matching '[a-zA-Z0-9]{5,9}'>                  26
<HKCU>\SOFTWARE\HLUAPPSN
    Value Name: simfbhec                                               2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    Value Name: fihacxpj                                               2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    Value Name: rtvamnqd                                               1
<HKCU>\SOFTWARE\UTLRUTMU
    Value Name: jqusubuo                                               1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    Value Name: kilanrco                                               1
<HKCU>\SOFTWARE\AUBBBWXT
    Value Name: ibmqpuls                                               1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    Value Name: opoiitvt                                               1
<HKCU>\SOFTWARE\BWCRDATG
    Value Name: qmiabusl                                               1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    Value Name: mwxoukfx                                               1
<HKCU>\SOFTWARE\BTTXALDX
    Value Name: micawbbp                                               1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    Value Name: jtqieuec                                               1
<HKCU>\SOFTWARE\BBWAIJEJ
    Value Name: lmpebxqp                                               1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    Value Name: emgsvrci                                               1
<HKCU>\SOFTWARE\MNSVSFDT
    Value Name: jkxkagel                                               1
<HKCU>\SOFTWARE\MBJFFRTQ
    Value Name: bgmxnfso                                               1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    Value Name: akpgniqk                                               1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    Value Name: hrcgucbt                                               1
<HKCU>\SOFTWARE\NTKIGTHP
    Value Name: etduinsg                                               1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    Value Name: pjecpkuu                                               1
<HKCU>\SOFTWARE\NHSATHPS
    Value Name: mxopsxdc                                               1
<HKCU>\SOFTWARE\HPEDSDSE
    Value Name: vfkeebww                                               1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    Value Name: icccipkm                                               1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    Value Name: ilxotnrg                                               1
<HKCU>\SOFTWARE\AFTNNBRU
    Value Name: kchufmmw                                               1

Mutexes                                                                Occurrences
aaAdministrator                                                        26
abAdministrator                                                        26

IP Addresses contacted by malware. Does not indicate maliciousness     Occurrences
69[.]64[.]36[.]244                                                     21
16[.]156[.]201[.]237                                                   17
110[.]77[.]220[.]66                                                    15
5[.]249[.]139[.]132                                                    15
85[.]12[.]29[.]251                                                     13
5[.]175[.]166[.]35                                                     13
130[.]60[.]202[.]71                                                    11
198[.]57[.]165[.]46                                                    10

Files and/or directories created                                       Occurrences
%LOCALAPPDATA%\<random, matching '[a-z]{8}'>.exe                       26

File Hashes

01e772c69c3d96d7da41baf1b4630a9b93cda39bd4b5b0234f1de2a818788965
0507e74fa55bfb2a725358b0e5d2a3ad82d95a15b8dda89eda0892276855c6e0
0575881e5f371494a9b928ea409bce3fc15b35f4a6fc47f5b3ccc267e6428d05
13830d13f9538029311649ec0b7d2b70afd36d0d38432550c973123429eb940b
14b22ef72fd4f36063c344d7358e32d9529010b303b09bcc11f562bf2d4981a7
1f226936fa8a2ae6ff457619b2883377cbe741decadc705095d4527a7ae9a4d8
21f96423b4b10c910ef1ae4f584ed1e49944f2166c41aac0d9f53ad042933f89
25c31d64ed3db07f502aee95703ec407b34dff5a3fdc34bf2b3b64250f2ec0e2
3578e19cbb128d0b2b7fb009c8041deed69144c0e20e6c58c18967a2abcc0c1b
422f405e2d70ed3bd58f6e9c4ef7d1a4ed8b912fc8acde5cab9068f34fc55f09
46b398648a6f022657c1a7a6bf0dae147562f354b34fa9b82103d8566b01c771
4cc31dc0d33247799cb383ede808dea70ab9081847e46b2ce95e2c054cd97011
576ed58a06ae914ae06a711af19b30a9f02ece2d435f84b7bea71fedc19dd995
5bad5333dcfea5b33727b34cde45b54d36cbf01d3fb0a1a915de8df1569b4fb1
5e3329e3193099fe8e09922ac85a7ab3e8ae89f0ae4f0f7a93fb30aacc7726e3
5e398a7762fe420158605cfb72bc309197c7c9346fc43a5cc8ccb0a14db25483
66b43dd194bf97f705c361ad1cc82a0f5c1afca7b03d57f99a3011cdefdc536f
6da9fe76f563ff6265b8971b601fb5037a93011fb16294b5ee7564f332d554ed
6ed6b8dececdaf3ee4ce0072d309125c5cef6e3ffef23f48baa3b0d3763462be
7c42e9ea360ccfb28b41c3490b305dcace56fea64e858ac3cde0984f6c9f3d07
816c6679de23475fe46588ce4380091c985ad689210fbf4daea6ca383f423465
8379ba1a2904b162411009fbe1bc4c94efd1ccf72ab38989dffb2077c1a0ec74
86e574bcb8a28b933731a83f9166c23c717a9840dfdecffde9130e9a2d598e08
8e39459d72319dc5e7f184b363ac8d7e3a486fbc6e02f9ad2273d0b0502a188d
8e5f994ccd02d59bc203efd3ff130575c4d9c170599592dd45696b87c4f4b420

*See JSON for more IOCs
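Several entries in the XtremeRAT and Kuluoz tables are not literal strings but templates: <random, matching '[a-zA-Z0-9]{5,9}'>, <random, matching [a-zA-Z0-9]{5,9}EXIT>, <random guid>, %LOCALAPPDATA%\<random, matching '[a-z]{8}'>.exe and so on. Before they can be run against a sandbox report or a Sysmon feed they have to become anchored regular expressions. The code below is an added example, not Talos code: it converts the three placeholder kinds the tables use (regex fragments, <random guid>, hive and environment-variable prefixes) into compiled patterns and matches constructed observations against them. It also checks whether an Active Setup\Installed Components subkey name is a well-formed GUID, because three of the four names in the XtremeRAT table ({T88RCWLO-...}, {424A7MGK-...}, {5K3TI7P5-...}) contain non-hex characters and so are not the GUIDs legitimate Active Setup components are keyed by; that check is the example's own heuristic, not something the page states.

```python
"""Turn the templated IOC notation used in the tables above into regexes and
match observations against them.  Added example, not Talos code; the
observations are constructed."""
import re

# One token regex for the placeholder kinds that appear in the tables.
_TOKEN = re.compile(
    r"<random, matching '?(?P<rx>[^'>]+)'?>"   # <random, matching '[a-z]{8}'>
    r"|(?P<guid><random guid>)"
    r"|<(?P<hive>HKCU|HKLM|HKCR|HKU)>"
    r"|(?P<env>%[A-Za-z0-9]+%)"                  # %APPDATA%, %TEMP%, ...
)
_HIVES = {"HKCU": "HKEY_CURRENT_USER", "HKLM": "HKEY_LOCAL_MACHINE",
          "HKCR": "HKEY_CLASSES_ROOT", "HKU": "HKEY_USERS"}
_GUID_RX = r"\{?[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}?"


def ioc_to_regex(template: str, ignore_case: bool = True) -> re.Pattern:
    """Compile a table entry into an anchored regex.  Literal text is escaped;
    placeholders become the fragment they stand for.  Registry paths and file
    paths are case-insensitive on Windows, mutex names are not."""
    parts, pos = ["^"], 0
    for m in _TOKEN.finditer(template):
        parts.append(re.escape(template[pos:m.start()]))
        if m.group("rx"):
            parts.append("(?:" + m.group("rx") + ")")
        elif m.group("guid"):
            parts.append(_GUID_RX)
        elif m.group("hive"):
            h = m.group("hive")
            parts.append("(?:" + h + "|" + _HIVES[h] + ")")
        else:
            parts.append(r".+?")   # the expanded env var is a prefix we do not know
        pos = m.end()
    parts.append(re.escape(template[pos:]) + "$")
    return re.compile("".join(parts), re.IGNORECASE if ignore_case else 0)


def match_observations(templates, observations, ignore_case=True):
    """Return [(observation, template)] for every observation that matches."""
    compiled = [(t, ioc_to_regex(t, ignore_case)) for t in templates]
    return [(o, t) for o in observations for t, rx in compiled if rx.match(o)]


def is_well_formed_guid(name: str) -> bool:
    """Active Setup / Installed Components subkeys are normally GUIDs (hex
    only).  Names such as {T88RCWLO-A2V2-...} from the table cannot be."""
    return re.fullmatch(_GUID_RX, name) is not None


# Templates copied from the XtremeRAT and Kuluoz tables above.
MUTEX_TEMPLATES = [
    "XTREMEUPDATE",
    "<random, matching [a-zA-Z0-9]{5,9}EXIT>",
    "<random, matching [a-zA-Z0-9]{5,9}>PERSIST",
    "Global\\<random guid>",
    "aaAdministrator",
]
FILE_TEMPLATES = [
    r"%APPDATA%\Microsoft\Windows\<random, matching '[a-zA-Z0-9]{5,9}'>.cfg",
    r"%LOCALAPPDATA%\<random, matching '[a-z]{8}'>.exe",
    r"%TEMP%\x.html",
]
REG_TEMPLATES = [
    r"<HKCU>\SOFTWARE\<random, matching '[a-zA-Z0-9]{5,9}'>",
    r"<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN",
    r"<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN",
]

# Constructed observations, in the shape a sandbox report or Sysmon feed emits.
MUTEXES = ["kx7Qp2EXIT", "Q6gWX0PERSIST",
           "Global\\8d1c4f2e-1a2b-4c3d-9e8f-0a1b2c3d4e5f", "MSCTF.Shared.MUTEX.ABC"]
FILES = [r"C:\Users\bob\AppData\Roaming\Microsoft\Windows\zZgdeZ8P.cfg",
         r"C:\Users\bob\AppData\Local\qwertyui.exe",
         r"C:\Users\bob\AppData\Local\notepad2.exe"]
REG_KEYS = [r"HKEY_CURRENT_USER\Software\zZgdeZ8P",
            r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"]

if __name__ == "__main__":
    for o, t in (match_observations(MUTEX_TEMPLATES, MUTEXES, ignore_case=False)
                 + match_observations(FILE_TEMPLATES, FILES)
                 + match_observations(REG_TEMPLATES, REG_KEYS)):
        print(f"{o}  <-  {t}")
    for g in ["{T88RCWLO-A2V2-4LXR-TJ24-W4CWO446W6OJ}",
              "{5460C4DF-B266-909E-CB58-E32B79832EB2}"]:
        print(g, "well-formed" if is_well_formed_guid(g) else "NOT a GUID")
```

The anchored `^...$` matters: without it `<random, matching '[a-zA-Z0-9]{5,9}'>` degenerates to "any five alphanumerics" and matches almost everything on a host.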

Coverage

Product                     Protection
Secure Endpoint
Cloudlock                   N/A
CWS
Email Security
Network Security            N/A
Stealthwatch                N/A
Stealthwatch Cloud          N/A
Secure Malware Analytics
Umbrella                    N/A
WSA                         N/A

(Rows without a value showed a protection-indicator image on the original page; N/A is as published.)

Screenshots of Detection: Secure Endpoint and Secure Malware Analytics (screenshots not reproduced in this text)

MITRE ATT&CK: technique heatmap for this threat (image not reproduced in this text)

Win.Dropper.Shiz-9971537-0

Indicators of Compromise

IOCs collected from dynamic analysis of 27 samples

Registry Keys                                                          Occurrences
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    Value Name: internat.exe                                           27
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
    Value Name: ProxyEnable                                            27
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP
    Value Name: UNCAsIntranet                                          27
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP
    Value Name: AutoDetect                                             27
<HKLM>\SOFTWARE\MICROSOFT
    Value Name: 67497551a                                              27
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS
    Value Name: load                                                   27
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS
    Value Name: run                                                    27
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    Value Name: userinit                                               27
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
    Value Name: 98b68e3c                                               27
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
    Value Name: userinit                                               27
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
    Value Name: System                                                 27
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS
    Value Name: run                                                    27
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    Value Name: userinit                                               27
<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\159\SHELL
    Value Name: KnownFolderDerivedFolderType                           1

Mutexes                                                                Occurrences
Global\674972E3a                                                       27
Global\MicrosoftSysenterGate7                                          27
internal_wutex_0x<random, matching [0-9a-f]{8}>                        27
internal_wutex_0x000004b4                                              26
internal_wutex_0x0000043c                                              26
internal_wutex_0x000004dc                                              25
internal_wutex_0x000000e0                                              1
internal_wutex_0x0000038c                                              1
internal_wutex_0x00000448                                              1
internal_wutex_0x000006a0                                              1

IP Addresses contacted by malware. Does not indicate maliciousness     Occurrences
204[.]79[.]197[.]200                                                   15
13[.]107[.]21[.]200                                                    12
45[.]33[.]23[.]183                                                     8
173[.]255[.]194[.]134                                                  6
72[.]14[.]178[.]174                                                    6
72[.]14[.]185[.]43                                                     6
45[.]56[.]79[.]23                                                      5
45[.]33[.]2[.]79                                                       5
45[.]33[.]30[.]197                                                     5
45[.]33[.]18[.]44                                                      4
45[.]79[.]19[.]196                                                     3
198[.]58[.]118[.]167                                                   3
85[.]94[.]194[.]169                                                    2
96[.]126[.]123[.]244                                                   1
45[.]33[.]20[.]235                                                     1

Domain Names contacted by malware. Does not indicate maliciousness     Occurrences
kevopoxecun[.]eu                                                       27
rycaropynar[.]eu                                                       27
lyxemoxyquf[.]eu                                                       27
puzoxyvojyc[.]eu                                                       27
fotaqizymig[.]eu                                                       27
cidufitojex[.]eu                                                       27
puvacigakog[.]eu                                                       27
xuboninogyt[.]eu                                                       27
cicezomaxyz[.]eu                                                       27
dixyjohevon[.]eu                                                       27
fokisohurif[.]eu                                                       27
volugomymet[.]eu                                                       27
maganomojer[.]eu                                                       27
jefecajazif[.]eu                                                       27
qedylaqecel[.]eu                                                       27
nojotomipel[.]eu                                                       27
gahoqohofib[.]eu                                                       27
rytifaquwer[.]eu                                                       27
kepujajynib[.]eu                                                       27
lyrosajupid[.]eu                                                       27
tuwaraqidek[.]eu                                                       27
pumebeqalew[.]eu                                                       27
cinycekecid[.]eu                                                       27
divulewybek[.]eu                                                       27
vocijekyqiv[.]eu                                                       27

*See JSON for more IOCs

Files and/or directories created                                       Occurrences
%TEMP%\<random, matching [A-F0-9]{1,4}>.tmp                            27
%TEMP%\F1A0.tmp                                                        1
%TEMP%\8350.tmp                                                        1
%TEMP%\6709.tmp                                                        1
%TEMP%\5ABC.tmp                                                        1
%TEMP%\DF95.tmp                                                        1

File Hashes

03ceb23a35bcd7170f8e2293c15aa444406959d789fda9ff9e412cf7a3a6ad90
0a00f10084231e3abf745b456d522c27a284cd17e5824a91026e6511a0073792
0a9d1eec9b14e840863b4948703b4c1a50b8d1c16d6cd6c0191ed55e82864ea3
0aa380118e812371de65b56f760676f611ddda8a7dd422ed1e62214c2a8303d1
0b38f48ffc49f1b53724384bd894702bcf49f2d68c1b84e4e0eeb931d572d294
0b8cfcf3c71b18b73ec50c68115b5d7538eab4d21168272d547e4b6316ed592a
0d8afb797e2ce9f712f3b5fb22317ec97cd8ea55b85855ffb33f362f45e3b706
10d952070cca8a50175e4193e23e798484f215faa6ac8261b37caebb4ae4c22a
16487b9aabc544819f3e1843e196d8e6b982b15ae95b9b599af310c0f4a0763e
1751820a0b3e9669c512077ef08caa8cc8bd7cba8bb54eb97c574ba6dfa09d2d
1bafc4ef3a634e29c71f52e5b0f3ea6ab3cd55e25ef9623d8d21302a13ac4833
21c50af5ea57cf75b6bcf6e74b8008b335a440d4f4fd8499d2abc287116a0100
2473d34831b6fef2e985c045c3a00880d05aceeeac10edf1f09ff38a1cbc44af
2602a1096a4eec7291145b4570c1a0e814c03fba18d3d76d1b82f6e0dacaecf8
2656072242b6777473e258b7f0fc7777cda688fe95f0050f375ffeb12f000c28
2856afa65f2c7f0a23be68ce6899f24a9d3e12fa4f3b00644562e1ecdc06eed1
28b92d2ad7b6c9865a5eda3ca5435cbcd7b24fd0b48ed61c9c7b87af542b88ed
29bc8c64d83b59592ced9e79fd8e242344fedaa9bff3d385ce5372de7e035b4b
2a812fc2558cfe90756a59a8d79ec8da9e14d7fec59cd9bbc5189a67a86629eb
2e7fe1b9448cb0cca242f4b72fd956f21ad262587b88135045bc07a010cec102
3047c7b03f084dc15ddbca4044a0fb2376af8b3799e4316194de8ef1474e1bf8
321f58c68fead768a8465532821b62ec741482135b0a5460d48838433cde6133
32b2f95694db2d96de89e4f8644cbdf68229903053c066499141b323d4acca1a
34beb6169472ea58264460d2673a70128474e9bdb62fe998e5c22f9a4fa61a8c
350596b9f1a539dddfd73cb4d10c605ec8cc8ed227bd2f33f31fddd6f190e7d8

*See JSON for more IOCs

Coverage

        Product                     Protection
        Secure Endpoint
        Cloudlock                   N/A
        CWS
        Email Security
        Network Security
        Stealthwatch                N/A
        Stealthwatch Cloud          N/A
        Secure Malware Analytics
        Umbrella
        WSA

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Packed.Fareit-9971247-1

Indicators of Compromise

IOCs collected from dynamic analysis of 13 samples

        Registry Keys                                                          Occurrences
        <HKCU>\SOFTWARE\WINRAR                                                 13
        <HKCU>\SOFTWARE\WINRAR
            Value Name: HWID                                                   13

        IP Addresses contacted by malware. Does not indicate maliciousness     Occurrences
        168[.]144[.]38[.]105                                                   13

File Hashes


Coverage

        Product                     Protection
        Secure Endpoint
        Cloudlock                   N/A
        CWS
        Email Security
        Network Security            N/A
        Stealthwatch                N/A
        Stealthwatch Cloud          N/A
        Secure Malware Analytics
        Umbrella                    N/A
        WSA                         N/A

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

TALOS
#vulnerability#web#mac#windows#microsoft#js#git#botnet#ibm

Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between Sept. 23 and Sept. 30. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. A visual depiction of the MITRE ATT&CK techniques associated with each threat is also shown. In these images, the brightness of the technique indicates how prevalent it is across all threat files where dynamic analysis was conducted. There are five distinct shades that are used, with the darkest indicating that no files exhibited technique behavior and the brightest indicating that technique behavior was observed from 75 percent or more of the files.

The most prevalent threats highlighted in this roundup are:

Threat Name

Type

Description

Win.Virus.Parite-9970689-0

Virus

Parite is a polymorphic file infector. It infects executable files on the local machine and on network drives.

Win.Malware.Zusy-9970856-0

Malware

Zusy, also known as TinyBanker or Tinba, is a trojan that uses man-in-the-middle attacks to steal banking information. When executed, it injects itself into legitimate Windows processes such as “explorer.exe” and “winver.exe.” When the user accesses a banking website, it displays a form to trick the user into submitting personal information.

Win.Dropper.Remcos-9970861-0

Dropper

Remcos is a remote access trojan (RAT) that allows attackers to execute commands on the infected host, log keystrokes, interact with a webcam and capture screenshots. This malware is commonly delivered through Microsoft Office documents with macros, sent as attachments on malicious emails.

Win.Malware.Emotet-9970880-0

Malware

Emotet is currently one of the most widely distributed and active malware families. It is a highly modular threat that can deliver a wide variety of payloads. The botnet is commonly delivered via Microsoft Office documents with macros sent as attachments to malicious emails.

Win.Dropper.TrickBot-9970890-0

Dropper

TrickBot is a banking trojan targeting sensitive information for certain financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution such as VB scripts.

Win.Dropper.XtremeRAT-9971238-0

Dropper

XtremeRAT is a remote access trojan active since 2010 that allows the attacker to eavesdrop on users and modify the running system. The source code for XtremeRAT, written in Delphi, was leaked online and has since been used by similar RATs.

Win.Dropper.Kuluoz-9971090-0

Dropper

Kuluoz, sometimes known as “Asprox,” is a modular remote access trojan that downloads and executes follow-on malware, such as fake antivirus software. Kuluoz is often delivered via spam emails pretending to be shipment delivery notifications or flight booking confirmations.

Win.Dropper.Shiz-9971537-0

Dropper

Shiz is a remote access trojan that allows an attacker to access an infected machine in order to harvest sensitive information. It is commonly spread via droppers or by visiting a malicious site.

Win.Packed.Fareit-9971247-1

Packed

The Fareit trojan is primarily an information stealer with functionality to download and install other malware.

Threat Breakdown****Win.Virus.Parite-9970689-0****Indicators of Compromise

  • IOCs collected from dynamic analysis of 29 samples

Registry Keys

Occurrences

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED

        Value Name: HideFileExt

29

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED

        Value Name: Hidden

29

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CABINETSTATE

        Value Name: fullpath

29

<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E

        Value Name: LanguageList

1

<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E

        Value Name: @explorer.exe,-7001

1

Files and or directories created

Occurrences

%TEMP%<random, matching '[a-z]{3}[A-F0-9]{3,4}’>.tmp

29

File Hashes

    0536b9760519d832e0c5ff072cad054ef2ae43dbe57330d48c609aeb75e6ae43

    0fb870a5615c6c24fa559ae795c3366d80a97622fe2efac880330772344a9760

    10308179aec9cf03dfe7fcd95aba9f1da191f70406d653157ea3746e63423c93

    15e5fc751dbee4b99c094bbfd15d5b4c3655e0a8a34af84cb4773f2bcd265db8

    16048c5e4b000118579343bcf188dbb5bcc0d313bd144a08a76423a7ff990c58

    1a16bf0852508c3742325cd1b25c6fa9f9580e42017f273ff81d41edea8bd579

    23c44b2d663dcb0224e7a2dcbd9a179923baf1c1d95f221f0435eef3fa6c7913

    264dfb45197cb3e37d2054313e54c5549dd53f9d6cbc4a7cf9963b8275e59811

    3605daf57520cfe6759abc471cb9a55ff4a6b99711ee3718ce6db3438b63a7e0

    39139ac00356189a53c9122b4efa10a9e5ca42b25656cc794d4199d5a0e6003a

    3a19cc265b1767563c293cfe5dfd8083a1cb72e37625bd243538f210594bd9bf

    51f14dad750e0a93bdf69200d726c8f929a6e903dc837fefc5b2efdf7b33493e

    530e290a3e9383bc016d666d4829f2ca2c256f5f32e8c84e71346f1d4a65302a

    58950830c787ae1768a8d5aab290270b089b04e61d39e6b82a7daf51696fea03

    5b0d897a5c748d58c536b19b0d16b3262cc238d65ac41d22f4552d1a2a0ea966

    66fe640d820e530e4554251bcb07177a4f2fdea28fc13beb588898a0374fd20d

    714ced6bb466961048291a1f89355892490a10bd6e206a256b2e3b97bf1fec55

    7dbd9b1e5792f9085af025e526f331e00c878b2adc2e0d8c4a2c5dba4d79a32b

    8c8c7b2a40fcdff745e87d060daac5798bda65e8e1568dd46e69d703a5adace3

    933768be5d22750f182e69c91630a6f7af6f5db309ba61f83d5547c9a8865273

    95463bf7d0d934880a1292e479f56d69596e43062eb18265ef43905702551af0

    a1af5ed894006b1690455b12e58c117725a5274e7fc6f8410af119429171372d

    a9a2deaa34de9ebc68523c18ad02f8a27aae60818fda1583440df25f336f61c2

    aedea0e8e6ee4e36191b3e67dcc71e169ea9c1419b5ad4a062f3f2d37a99f3a3

    c000e844ca7377e4f3a8e4bfdf0962897effa1622660e8b48d190e2820ff4429

*See JSON for more IOCs

Coverage

Product

Protection

Secure Endpoint

Cloudlock

N/A

CWS

Email Security

Network Security

N/A

Stealthwatch

N/A

Stealthwatch Cloud

N/A

Secure Malware Analytics

Umbrella

N/A

WSA

N/A

Screenshots of Detection****Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Malware.Zusy-9970856-0****Indicators of Compromise

  • IOCs collected from dynamic analysis of 13 samples

Registry Keys

Occurrences

<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E

        Value Name: LanguageList

8

<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E

        Value Name: @explorer.exe,-7001

8

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\APPLICATIONDESTINATIONS

        Value Name: MaxEntries

1

IP Addresses contacted by malware. Does not indicate maliciousness

Occurrences

47[.]111[.]103[.]192

13

Domain Names contacted by malware. Does not indicate maliciousness

Occurrences

os[.]ieycc[.]com

13

Files and or directories created

Occurrences

\Client.txt

13

%TEMP%\Tomato.ini

13

%APPDATA%\testing.dat

13

\TEMP\1E0F0E0A120B156B155B15E0C0F160E0D160A.exe

1

\TEMP\1F0F0D0C120A156D155E15E0A0E160B0C160F.exe

1

\TEMP\1F0B0B0A120E156C155E15D0A0F160D0E160D.exe

1

\TEMP\1C0B0F0A120C156F155C15E0B0A160F0E160D.exe

1

\TEMP\1B0C0D0C120A156E155C15C0E0D160D0B160E.exe

1

\TEMP\1B0F0A0D120F156E155C15F0C0E160E0F160A.exe

1

\TEMP\1E0F0B0A120F156F155E15D0B0E160B0D160E.exe

1

\TEMP\1D0D0C0E120C156D155F15A0A0E160C0C160A.exe

1

\TEMP\1E0D0C0D120F156E155C15F0A0E160D0C160F.exe

1

\TEMP\1C0B0C0B120D156E155E15A0E0F160B0D160D.exe

1

\TEMP\1E0C0F0F120A156A155B15A0F0A160E0D160A.exe

1

\TEMP\1E0C0A0A120B156F155D15A0E0F160B0A160A.exe

1

\TEMP\1E0B0C0D120C156C155A15D0D0D160B0D160C.exe

1

File Hashes

    015c6d06fe9aaa4844b5e008796cbb854cf6765c2ca398f596dd2fceeceb6c95

    0de5af728d4834e450386979efd9681bd54bfeb65f687cccd621f3a20331c050

    43d5fb959a8c848030537e37f0d0638bc57bb83652dba85ee2e868a17f1d10ef

    568bc0b8c2e914ca7cb2f62bfd82839c584d14d3d47b96ea34703b9d024c78ec

    7539e13bb8b001f08742f38c29b42135a2b414e2ba095cf3bf74f38db78f3e0f

    80459aa210f4e16b123a27b47c1191872b79a6c6a8751613ad1b649a0f1f3426

    974e745bbf32ea7bf0bcff7bd04e3b13f8f3c9cf8a79d01f34658729c793e333

    aa22f56078cf431f2587ea270f428fff6d4eee5b08d542b40b89a9712e14e5b3

    acf7e8303fd53c63b778a611773267ecf001225772bee1fccbd2a2370ad6e658

    ae24b008cb2dc1855367cd814581f1092d9899a77e982f8fc746409c29afbaaa

    b13513bd0c731f688fe25804c6dd74a3126d0494549368c8d692bd85d2024e5f

    e35cb24702c24b57edf8f1439a1409b6c8c0f97bc30a90a3c396fdd0f3c38f84

    f9501ffa9e293c88c61e0071fdc5b7ce2d00e1c8bc20a564ab906dfb9565e4c7

Coverage

Product

Protection

Secure Endpoint

Cloudlock

N/A

CWS

Email Security

Network Security

N/A

Stealthwatch

N/A

Stealthwatch Cloud

N/A

Secure Malware Analytics

Umbrella

N/A

WSA

N/A

Screenshots of Detection****Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Dropper.Remcos-9970861-0****Indicators of Compromise

  • IOCs collected from dynamic analysis of 42 samples

IP Addresses contacted by malware. Does not indicate maliciousness

Occurrences

172[.]98[.]192[.]37

42

Domain Names contacted by malware. Does not indicate maliciousness

Occurrences

www[.]djapp[.]info

42

Files and or directories created

Occurrences

%TEMP%<random, matching '[a-z]{3}[A-F0-9]{3,4}’>.tmp

42

%APPDATA%\Microsoft\Windows\Cookies\NFIM9G9G.txt

10

%TEMP%\FltFD54.exe

1

%TEMP%\FltFAC5.exe

1

%TEMP%\FltFF0C.exe

1

%TEMP%\FltA28D.exe

1

%TEMP%\FltE1AD.exe

1

%TEMP%\FltFAB6.exe

1

%TEMP%\Flt593A.exe

1

%TEMP%\FltF8C2.exe

1

%TEMP%\Flt4F6E.exe

1

%TEMP%\FltFB71.exe

1

%TEMP%\FltA461.exe

1

%TEMP%\FltFD74.exe

1

%TEMP%\Flt23BD.exe

1

%TEMP%\Flt8A88.exe

1

%TEMP%\FltBC04.exe

1

%TEMP%\FltF633.exe

1

%TEMP%\FltB040.exe

1

%TEMP%\Flt6184.exe

1

%TEMP%\Flt540D.exe

1

%TEMP%\Flt5D82.exe

1

%TEMP%\FltBD3A.exe

1

%TEMP%\tnf5FD1.exe

1

%TEMP%\FltC777.exe

1

*See JSON for more IOCs

File Hashes

    00cda027a316d979f614cd747e8eea14fcc1f7a144b5eb5fc385ea3b52ada9ac

    04a7c806cd6404d5547bf136331733e970364c0090c705b0002170ca7fa59882

    06a0c6a86e47342846759164e0a7da0087e5926d1bdf48b64ad106b6e53951a4

    0d103909b0c3e6ac0021b1aa8bbd17b50d1f94ccfb6011a1b70609b6a45668fe

    0d503f2d89c74456f441b95033f1f7f1b5f8c9b9ef338c177beb7e22c3844cb8

    13d63a2102b3685464c7f32f95fb4ed6287f51db1da590f7141ad36d2ec0fe00

    16de9b5489c9bc4900f94a6939e4a5124caee0ce2ac4dcd938850385c35ecd94

    16e1726e22af546ae83bf70500135f69e1f3805c2c49752b6098c07f0815307a

    1bb3b038b6da9ca30bf12a24ab4e0361ff60c6375bed74492ac37652e2ecd3da

    23f59e71fd7d520a50ae1aaea2c026ae2f05a85d6bf1f24301ceac52e713157b

    24d621a695ef4fae5b296bc2bb6071cc90b9c56415f70464797e69080b6a7e75

    2635c53ba6293fe95e539dfd0f480835ceb7b47c6971a3024ae8443893eca176

    2c65cccfb66e0773395cd78f4c742f03cdf3d482357278cf53cd47ea87f62f04

    2d82667b13cc3acb398ae87a83674ce3a334867e82d20b4fd809a14d10323084

    2e53c50fd916da51599be464f226b09f28d70fe323cb292c115b9723d402ddde

    3457b58ade09a9a581003687d9bd904c6200dcc96aafbb24450c371a165c96d8

    3832ee4b74d72c5b4e8299cc9e20248145ff74a7364ebfeb2baa9ee60c0a00d8

    38ff5081e308b00e57028e3ad749ae4dccf165796a073fafacd6e6cbad31cc21

    3e278b7296bcb58b47e8d60ee9a7f44c548a6d790cdf45fcdff6bc526c395a93

    3f4fa0de7c9e2b18b0e16b1cbd72dcc279d5ab6b727992a158ed4bced8663f87

    40318b04af3f4761f989d5725e61fc41bd034990e3a86478c897466416632c44

    4126cae93a6d1471fbf37ef4a73347ed4fa136486fe7229b06721db5d50ed27c

    479e0fa51921d000d9ae53beb96c8d88b3e90ba563b7595db6d015fe0c41beea

    50532f85c712a7ba7e79ba23130a568fdfcfde7c3bdbcec90edea02aacef7f9b

    535e141dc2b44bdafa9fd3ef6c3355413bd7837c5bfc398c608ea49e150b7727

*See JSON for more IOCs

Coverage

Product

Protection

Secure Endpoint

Cloudlock

N/A

CWS

Email Security

Network Security

Stealthwatch

N/A

Stealthwatch Cloud

N/A

Secure Malware Analytics

Umbrella

WSA

Screenshots of Detection****Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Malware.Emotet-9970880-0****Indicators of Compromise

  • IOCs collected from dynamic analysis of 25 samples

Registry Keys

Occurrences

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID{690D1BD7-EA98-1004-3AC9-E87553700E95}

25

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID{690D1BD7-EA98-1004-3AC9-E87553700E95}\SHELLFOLDER

25

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID{10CDDA71-B745-777B-1AF7-51696DB9BB93}

25

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID{10CDDA71-B745-777B-1AF7-51696DB9BB93}\SHELLFOLDER

25

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID{8BAB5812-9D02-8F14-74B1-BEDE393F8C1F}

25

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID{8BAB5812-9D02-8F14-74B1-BEDE393F8C1F}\SHELLFOLDER

25

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID{10DF83AD-199B-9C18-3FEF-E4ECD6A42F66}

25

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID{10DF83AD-199B-9C18-3FEF-E4ECD6A42F66}\SHELLFOLDER

25

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID{1AD90FE5-CE2F-E8B8-CF09-E0B1912E9542}

25

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID{1AD90FE5-CE2F-E8B8-CF09-E0B1912E9542}\SHELLFOLDER

25

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID{05ED06D6-F422-71CC-26B3-C9964D56F645}

25

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID{05ED06D6-F422-71CC-26B3-C9964D56F645}\SHELLFOLDER

25

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID{98B09642-2764-54AE-3333-D8C6CA536428}

25

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID{98B09642-2764-54AE-3333-D8C6CA536428}\SHELLFOLDER

25

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID{63D99860-AA40-CA79-F681-9DECBEF55447}

25

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID{63D99860-AA40-CA79-F681-9DECBEF55447}\SHELLFOLDER

25

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID{D4B277A3-C25E-BCDE-A054-D41AAC36394B}

25

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID{D4B277A3-C25E-BCDE-A054-D41AAC36394B}\SHELLFOLDER

25

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID{FE9DE6BC-A4CF-8285-E73C-DFE7A08197FE}

25

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID{FE9DE6BC-A4CF-8285-E73C-DFE7A08197FE}\SHELLFOLDER

25

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID{B11CF2E2-C0C2-7860-F12E-428101DCB963}

25

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID{B11CF2E2-C0C2-7860-F12E-428101DCB963}\SHELLFOLDER

25

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID{7E6AEF51-F5A7-48A0-B175-FE26B30A3B42}

25

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID{7E6AEF51-F5A7-48A0-B175-FE26B30A3B42}\SHELLFOLDER

25

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID{39D7DE2A-54FC-2744-D7AC-675623A7BCA2}

25

Mutexes

Occurrences

{24d07012-9955-711c-e323-1079ebcbe1f4}

25

{bf18992f-6351-a1bd-1f80-485116c997cd}

25

{dbad1190-816b-947c-9b01-53ef739d7edb}

25

{ed099f6b-73d9-00a3-4493-daef482dc5ca}

20

Files and or directories created

Occurrences

%APPDATA%\Microsoft\Crypto\RSA\S-1-5-21-2580483871-590521980-3826313501-500\a18ca4003deb042bbee7a40f15e1970b_d19ab989-a35f-4710-83df-7b2db7efe7c5

25

%System32%\Tasks\Ryddmbivo

25

%APPDATA%<random, matching '[a-z0-9]{3,7}’>

25

%System32%\8452\eudcedit.exe

1

%APPDATA%\F9NSFA\MRT.exe

1

%APPDATA%\EoXbu\BdeUISrv.exe

1

%System32%\9450\VSSVC.exe

1

%System32%\7744\ComputerDefaults.exe

1

%APPDATA%\RAQ9\calc.exe

1

%System32%\9936\psr.exe

1

%APPDATA%\Q7e9\rekeywiz.exe

1

%System32%\5094\WindowsAnytimeUpgrade.exe

1

%APPDATA%\U6yhd\DeviceDisplayObjectProvider.exe

1

%System32%\5022\msra.exe

1

%APPDATA%\EtXM\fvenotify.exe

1

%System32%\1402\ddodiag.exe

1

%APPDATA%\bsPEU\wbengine.exe

1

%System32%\6726\StikyNot.exe

1

%APPDATA%\Kal6bb\sethc.exe

1

%System32%\6787\ie4uinit.exe

1

%APPDATA%\Y74EoZ\Dxpserver.exe

1

%System32%\7651\rrinstaller.exe

1

%APPDATA%\aF7U\WerFault.exe

1

%System32%\6604\DeviceDisplayObjectProvider.exe

1

%APPDATA%\rmluRRx\MRT.exe

1

*See JSON for more IOCs

File Hashes

    0be6c8c9f6626f0cbc875a04f81d65ec51646285f607fc23610ced0698d2d356

    0e00806596a0084133b662804d645e485a94d42b50e7634608bfc572bc6f99bc

    10d50610dc069e961878c8d2be79f7ba638125c2f0229086f27d2261f7ef7074

    209494092b65fdebe368f90fdf69cd878f931fb334c059611ccabe84301887e2

    24273a46f41c978ebd1b7014cd43c05d7273e638fa539e21adf9b16fcd6d7fa4

    270234993c0381d55e1d5615099a692a0e11139d6d5b353f625ac6197cc5fadd

    2ce15b1bfa8a577f79da8bbcf2159bf3661aed963cdbbb59ddbf333da4bb52ea

    370de40215ce6a4e8f27e33d7a6edcd9cc4c86dc39aa86246d02308f556ff39e

    5239bbf6672c93344f21741c4016ea154db5f6aa3989514244de6c55532f54d4

    5341a8e7076ea8dbba28ed69ec1130f361c7e90505afbb191f639d6b8295a3e7

    634295ad711f68679e6471766d8ca49454c7276348211b6d99a5539e314e7ddb

    64c51179f273e00dcb08ddf0c401a3e7c6b4441421f4a0f907bc32f4aaf54191

    65c0c35adfcd488cde26d72ba39dd77052f0d6f54c40d10003d824ce1079a630

    670db2f68e0bb350f98d1f0ea9624e45536473bb9f1552270be89d87aba17ed9

    77c9d7eb923718013ec2145d35a18f17b326655e226b6f252ca6967b0837b39a

    8ded5e3631dcd94576d1770289b38005c95c1456588157fd01ea6191c7bcaf1a

    91c351ad5a31c40ccf05069b4dde6d0d8e2ff7e78118ca4d110bfe8fcef7d5b6

    96e1d30dda3746847269a2707bf4261deadf3d146d1e9df5bd163743ef6b0902

    9cebaa66b09ae6043e137c87fece4f2f55a3ae9cbbbb64414e0202a6d3db8932

    9d019b660a52484961f7d540d3fe62da22c2c09be968474a614f9dd94ae8c7e5

    a2074b34223a80ea0a46784e03ab9e09f86deb98c470c10b2999692fe19777b3

    a81460aa2b31719c28672cc624c8fd83e3cbde9d4fc59fb1c55a0713b22a031b

    a8e2070710eb026f8d9aa46032576b1d474171ea11bb6d2cff97cc9e2069a3af

    ae65c3182b13c9012b1fc98d483a3c1c7bfd82193d1cd14b1e2a0572458530b1

    ae8b637375e736db787d31a4081f2f39ce25908f3276807e43a6eceb4e511377

*See JSON for more IOCs

Coverage

Product

Protection

Secure Endpoint

Cloudlock

N/A

CWS

Email Security

Network Security

N/A

Stealthwatch

N/A

Stealthwatch Cloud

N/A

Secure Malware Analytics

Umbrella

N/A

WSA

N/A

Screenshots of Detection****Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Dropper.TrickBot-9970890-0****Indicators of Compromise

  • IOCs collected from dynamic analysis of 10 samples

Registry Keys

Occurrences

<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E

        Value Name: LanguageList

3

<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E

        Value Name: @explorer.exe,-7001

3

<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E

        Value Name: @C:\Windows\system32\DeviceCenter.dll,-2000

2

Mutexes

Occurrences

Global\VLock

3

Global\683173c1-3af4-11ed-9660-001517635527

1

IP Addresses contacted by malware. Does not indicate maliciousness

Occurrences

104[.]18[.]115[.]97

2

91[.]83[.]88[.]51

1

92[.]63[.]102[.]64

1

195[.]133[.]144[.]237

1

34[.]160[.]111[.]145

1

195[.]133[.]196[.]130

1

Domain Names contacted by malware. Does not indicate maliciousness

Occurrences

obyavlenie[.]lisx[.]ru

10

icanhazip[.]com

2

ipecho[.]net

1

Files and or directories created

Occurrences

%APPDATA%\winapp\Modules

3

%System32%\Tasks\services update

3

%APPDATA%\winapp\client_id

3

%APPDATA%\winapp\group_tag

3

%APPDATA%\winapp

3

%APPDATA%\winapp\24ae736c30cacc5f26f34e07c47ca97c.exe

1

%APPDATA%\winapp\0g5d59dff6a3d3g20046c0ga554f8f9ef8d3e2c767g46c2592d53d6c604df5g9.exe

1

%APPDATA%\winapp\39g7366fcac6cdd0a64ag077e5ga30354aggg87d682e9cd06940033777cefaf2.exe

1

File Hashes

    0a9fd6d744cc4fa8e08eee7c95c58d6cb9cb995a249597bdc8beba4ab5fdd921

    0f4c49cee6a2c2f10036b0fa443e8e9de8c2d1b757f36b1491c42c6b503ce4f9

    14bf94de8b881459e2f6f49051b1411da60e3526251751048bdde18f99d93f1e

    29f7266ebab5bcc0a53af077d4fa20243afff87c681d9bc06930022777bdeae1

    42162ca740023f144cf1f5efc8f9680f5db0ac16e0cf9eeb88f57275a5bbd38e

    489d8e1c47548164a35abb21dbe155972aa09e6c65c0fd7456baf79d3ffb3539

    7820f15d39888555e5d2189015d13491d58e2c345921064777155febcaf9b88e

    8c1326a8e1f6c781441f3a5da6fe962337a03b9a3ffd93495e933e051d24f4a0

    eac3e3c5636e62a6865ff6e048875506d16ed22ffd8caca23529407eb94a2478

    f3395ab28c54a61118784d205926e7122ff7735d92d992c22db9dd63fd3a8e28

Coverage

Product

Protection

Secure Endpoint

Cloudlock

N/A

CWS

Email Security

Network Security

Stealthwatch

N/A

Stealthwatch Cloud

N/A

Secure Malware Analytics

Umbrella

N/A

WSA

N/A

Screenshots of Detection****Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Dropper.XtremeRAT-9971238-0****Indicators of Compromise

  • IOCs collected from dynamic analysis of 25 samples

Registry Keys

Occurrences

<HKCU>\SOFTWARE<random, matching '[a-zA-Z0-9]{5,9}’>

16

<HKCU>\SOFTWARE<random, matching '[a-zA-Z0-9]{5,9}’>

        Value Name: InstalledServer

16

<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN

        Value Name: HKLM

15

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN

        Value Name: HKCU

15

<HKCU>\SOFTWARE<random, matching '[a-zA-Z0-9]{5,9}’>

        Value Name: ServerStarted

6

<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS{T88RCWLO-A2V2-4LXR-TJ24-W4CWO446W6OJ}

5

<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS{T88RCWLO-A2V2-4LXR-TJ24-W4CWO446W6OJ}

        Value Name: StubPath

5

<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS{424A7MGK-RCMT-8C4V-40EM-XW7BLA8PVRC7}

5

<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS{424A7MGK-RCMT-8C4V-40EM-XW7BLA8PVRC7}

        Value Name: StubPath

5

<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS{5K3TI7P5-LW5S-LR18-4174-DG7KKUL703V7}

3

<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS{5K3TI7P5-LW5S-LR18-4174-DG7KKUL703V7}

        Value Name: StubPath

3

<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS{5460C4DF-B266-909E-CB58-E32B79832EB2}

2

<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS{5460C4DF-B266-909E-CB58-E32B79832EB2}

        Value Name: StubPath

2

Mutexes

Occurrences

XTREMEUPDATE

16

<random, matching [a-zA-Z0-9]{5,9}EXIT>

15

<random, matching [a-zA-Z0-9]{5,9}>PERSIST

11

<random, matching [a-zA-Z0-9]{5,9}>

6

zZgdeZ8P

5

Q6gWX0

5

Q6gWX0PERSIST

5

Global<random guid>

4

Domain Names contacted by malware. Does not indicate maliciousness

Occurrences

profesorjedi11[.]myftp[.]biz

10

profesorjedi3[.]myftp[.]biz

3

clarityz[.]no-ip[.]biz

2

dynamic[.]no-ip[.]biz

2

cooempresas1[.]ddns[.]net

1

Files and or directories created

Occurrences

%TEMP%\x.html

15

%SystemRoot%\SysWOW64\System32

10

%APPDATA%\Microsoft\Windows<random, matching '[a-zA-Z0-9]{5,9}’>.dat

6

%APPDATA%\Microsoft\Windows<random, matching '[a-zA-Z0-9]{5,9}’>.cfg

6

%SystemRoot%\SysWOW64\Sistem32

5

%APPDATA%\Microsoft\Windows\zZgdeZ8P.cfg

5

%SystemRoot%\SysWOW64\System32\crrsc.exe

5

%APPDATA%\Microsoft\Windows\zZgdeZ8P.dat

5

%APPDATA%\Microsoft\Windows\Q6gWX0.cfg

5

%SystemRoot%\SysWOW64\Sistem32\crrsc.exe

5

%APPDATA%\Microsoft\Windows\Q6gWX0.dat

5

%SystemRoot%\SysWOW64\System32\csrrs.exe

3

%SystemRoot%\SysWOW64\System32\csrss.exe

2

%SystemRoot%\SysWOW64\Drivers\System.exe

1

File Hashes

    02bbfb5be9238a07f4bbc310640558187fffe927b6c61aef277f25e556b42976

    034fd97c565ab91825e7d810d5e629f00bb25f54ac1ed7f1846e7f1c23d1ecd2

    104a08c153d9d099bad368fc405a2888a153bfaa1cf33f99f43fbc1b97d0282f

    1a7fa38a87b8d63bdef718b54626476dd952673e010877eb0412041a227ae587

    1b70089136743505bd03a024ed1d6faca2a618397aecf14eceafed7e708c42ef

    1d281e8cd1c5e451d069a2df9eed854f4bfa28e91881e7e2bfea2be0cfd6e2d0

    2a4841ab8656fedadeb5dcc16821ca4789ba29a1df607c72f73fe6de8c55f965

    4a5a09ce229c5f06f96114b0c55b1b2a645b75ab6e5f1f3df524efc9e6b549df

    4e960f7a51969cc989219642701cb327e7713462eff60866099fb16632e1c636

    521f339fe84053ddc608a8f1faf2774ea1f6fa1ee3ad252f642967f27c2ebb2e

    52f4aba104b5caadff9baa7eb92e4ff21c176ff183a59f0283555de081e74c9a

    53743558915afca3fcf12a83095ed8448502c37ac0ce847268bd34ff2b17eaef

    54d8e6f9d64d480ad1381ddcd730d786be7b94b34154fa9ae6a46fc06670732a

    58432dc37d6e18bf7f719c42d1a955374dc04c737ec433384fa61ea7c895ce8a

    5f0a9ba0fc1146512ec06df04fb3eedcaaf67df5534d2895bdee7d39dbb767d4

    6aeceda58114f30d5286bf84e92bfc293d5fb1ed4648c29d9e6ba6e229ad6c0a

    73711c78caf84f57df3e54a7e0d47dc5b91c73d521e6e5de2da31694c7a2cd1d

    747ae8b9f401e6f92381039c80d98f2fbff9f1c94ab1479c23e9bd67714208b5

    7d56d2784dafc2edb6f002e66504b3222f899712167f5d67878e576adf5bfff4

    87365c8be5e1df23024d4f06108ca715ca6960fab1db19241af01dc249049b34

    95774b16ad3920dee24ad1211ad677003bace3db07e351dcfa92ea8c9fb0de4d

    9811dc1790865ba850a085b86faf45d12e6d18de3746fba1f79e7d5bc07b81e6

    9fc0af5f00d92876795d06cadc1ec27ce789be7d4396cca1a4d39c10a1a13cee

    cf6bf580a1c08b6d4c8e4b73c65a156dd87e6157b358a22f58e6c4e741a62088

    d2dd951900f73760709d95358434a8d382363f78cbd78a4476e361225b2fdb90

*See JSON for more IOCs

Coverage

Product

Protection

Secure Endpoint

Cloudlock

N/A

CWS

Email Security

Network Security

N/A

Stealthwatch

N/A

Stealthwatch Cloud

N/A

Secure Malware Analytics

Umbrella

N/A

WSA

N/A

Screenshots of Detection****Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Dropper.Kuluoz-9971090-0****Indicators of Compromise

  • IOCs collected from dynamic analysis of 26 samples

Registry Keys

Occurrences  Registry Key (Value Name)
26           <HKCU>\SOFTWARE\<random, matching '[a-zA-Z0-9]{5,9}'>
2            <HKCU>\SOFTWARE\HLUAPPSN  (Value Name: simfbhec)
2            <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN  (Value Name: fihacxpj)
1            <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN  (Value Name: rtvamnqd)
1            <HKCU>\SOFTWARE\UTLRUTMU  (Value Name: jqusubuo)
1            <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN  (Value Name: kilanrco)
1            <HKCU>\SOFTWARE\AUBBBWXT  (Value Name: ibmqpuls)
1            <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN  (Value Name: opoiitvt)
1            <HKCU>\SOFTWARE\BWCRDATG  (Value Name: qmiabusl)
1            <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN  (Value Name: mwxoukfx)
1            <HKCU>\SOFTWARE\BTTXALDX  (Value Name: micawbbp)
1            <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN  (Value Name: jtqieuec)
1            <HKCU>\SOFTWARE\BBWAIJEJ  (Value Name: lmpebxqp)
1            <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN  (Value Name: emgsvrci)
1            <HKCU>\SOFTWARE\MNSVSFDT  (Value Name: jkxkagel)
1            <HKCU>\SOFTWARE\MBJFFRTQ  (Value Name: bgmxnfso)
1            <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN  (Value Name: akpgniqk)
1            <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN  (Value Name: hrcgucbt)
1            <HKCU>\SOFTWARE\NTKIGTHP  (Value Name: etduinsg)
1            <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN  (Value Name: pjecpkuu)
1            <HKCU>\SOFTWARE\NHSATHPS  (Value Name: mxopsxdc)
1            <HKCU>\SOFTWARE\HPEDSDSE  (Value Name: vfkeebww)
1            <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN  (Value Name: icccipkm)
1            <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN  (Value Name: ilxotnrg)
1            <HKCU>\SOFTWARE\AFTNNBRU  (Value Name: kchufmmw)

Mutexes

Occurrences  Mutex
26           aaAdministrator
26           abAdministrator

IP Addresses contacted by malware. Does not indicate maliciousness

Occurrences  IP Address
21           69[.]64[.]36[.]244
17           16[.]156[.]201[.]237
15           110[.]77[.]220[.]66
15           5[.]249[.]139[.]132
13           85[.]12[.]29[.]251
13           5[.]175[.]166[.]35
11           130[.]60[.]202[.]71
10           198[.]57[.]165[.]46

Files and/or directories created

Occurrences  Path
26           %LOCALAPPDATA%\<random, matching '[a-z]{8}'>.exe

File Hashes

    01e772c69c3d96d7da41baf1b4630a9b93cda39bd4b5b0234f1de2a818788965

    0507e74fa55bfb2a725358b0e5d2a3ad82d95a15b8dda89eda0892276855c6e0

    0575881e5f371494a9b928ea409bce3fc15b35f4a6fc47f5b3ccc267e6428d05

    13830d13f9538029311649ec0b7d2b70afd36d0d38432550c973123429eb940b

    14b22ef72fd4f36063c344d7358e32d9529010b303b09bcc11f562bf2d4981a7

    1f226936fa8a2ae6ff457619b2883377cbe741decadc705095d4527a7ae9a4d8

    21f96423b4b10c910ef1ae4f584ed1e49944f2166c41aac0d9f53ad042933f89

    25c31d64ed3db07f502aee95703ec407b34dff5a3fdc34bf2b3b64250f2ec0e2

    3578e19cbb128d0b2b7fb009c8041deed69144c0e20e6c58c18967a2abcc0c1b

    422f405e2d70ed3bd58f6e9c4ef7d1a4ed8b912fc8acde5cab9068f34fc55f09

    46b398648a6f022657c1a7a6bf0dae147562f354b34fa9b82103d8566b01c771

    4cc31dc0d33247799cb383ede808dea70ab9081847e46b2ce95e2c054cd97011

    576ed58a06ae914ae06a711af19b30a9f02ece2d435f84b7bea71fedc19dd995

    5bad5333dcfea5b33727b34cde45b54d36cbf01d3fb0a1a915de8df1569b4fb1

    5e3329e3193099fe8e09922ac85a7ab3e8ae89f0ae4f0f7a93fb30aacc7726e3

    5e398a7762fe420158605cfb72bc309197c7c9346fc43a5cc8ccb0a14db25483

    66b43dd194bf97f705c361ad1cc82a0f5c1afca7b03d57f99a3011cdefdc536f

    6da9fe76f563ff6265b8971b601fb5037a93011fb16294b5ee7564f332d554ed

    6ed6b8dececdaf3ee4ce0072d309125c5cef6e3ffef23f48baa3b0d3763462be

    7c42e9ea360ccfb28b41c3490b305dcace56fea64e858ac3cde0984f6c9f3d07

    816c6679de23475fe46588ce4380091c985ad689210fbf4daea6ca383f423465

    8379ba1a2904b162411009fbe1bc4c94efd1ccf72ab38989dffb2077c1a0ec74

    86e574bcb8a28b933731a83f9166c23c717a9840dfdecffde9130e9a2d598e08

    8e39459d72319dc5e7f184b363ac8d7e3a486fbc6e02f9ad2273d0b0502a188d

    8e5f994ccd02d59bc203efd3ff130575c4d9c170599592dd45696b87c4f4b420

*See JSON for more IOCs

Coverage

Product                   Protection
Secure Endpoint           Yes
Cloudlock                 N/A
CWS                       Yes
Email Security            Yes
Network Security          N/A
Stealthwatch              N/A
Stealthwatch Cloud        N/A
Secure Malware Analytics  Yes
Umbrella                  N/A
WSA                       N/A

Screenshots of Detection

Secure Endpoint: [screenshot]

Secure Malware Analytics: [screenshot]

MITRE ATT&CK: [technique heatmap]

Win.Dropper.Shiz-9971537-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 27 samples

Registry Keys

Occurrences  Registry Key (Value Name)
27           <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN  (Value Name: internat.exe)
27           <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS  (Value Name: ProxyEnable)
27           <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP  (Value Name: UNCAsIntranet)
27           <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP  (Value Name: AutoDetect)
27           <HKLM>\SOFTWARE\MICROSOFT  (Value Name: 67497551a)
27           <HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS  (Value Name: load)
27           <HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS  (Value Name: run)
27           <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN  (Value Name: userinit)
27           <HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON  (Value Name: 98b68e3c)
27           <HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON  (Value Name: userinit)
27           <HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON  (Value Name: System)
1            <HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\159\SHELL  (Value Name: KnownFolderDerivedFolderType)

Mutexes

Occurrences  Mutex
27           Global\674972E3a
27           Global\MicrosoftSysenterGate7
27           internal_wutex_0x<random, matching [0-9a-f]{8}>
26           internal_wutex_0x000004b4
26           internal_wutex_0x0000043c
25           internal_wutex_0x000004dc
1            internal_wutex_0x000000e0
1            internal_wutex_0x0000038c
1            internal_wutex_0x00000448
1            internal_wutex_0x000006a0

IP Addresses contacted by malware. Does not indicate maliciousness

Occurrences  IP Address
15           204[.]79[.]197[.]200
12           13[.]107[.]21[.]200
8            45[.]33[.]23[.]183
6            173[.]255[.]194[.]134
6            72[.]14[.]178[.]174
6            72[.]14[.]185[.]43
5            45[.]56[.]79[.]23
5            45[.]33[.]2[.]79
5            45[.]33[.]30[.]197
4            45[.]33[.]18[.]44
3            45[.]79[.]19[.]196
3            198[.]58[.]118[.]167
2            85[.]94[.]194[.]169
1            96[.]126[.]123[.]244
1            45[.]33[.]20[.]235

Domain Names contacted by malware. Does not indicate maliciousness

Occurrences  Domain
27           kevopoxecun[.]eu
27           rycaropynar[.]eu
27           lyxemoxyquf[.]eu
27           puzoxyvojyc[.]eu
27           fotaqizymig[.]eu
27           cidufitojex[.]eu
27           puvacigakog[.]eu
27           xuboninogyt[.]eu
27           cicezomaxyz[.]eu
27           dixyjohevon[.]eu
27           fokisohurif[.]eu
27           volugomymet[.]eu
27           maganomojer[.]eu
27           jefecajazif[.]eu
27           qedylaqecel[.]eu
27           nojotomipel[.]eu
27           gahoqohofib[.]eu
27           rytifaquwer[.]eu
27           kepujajynib[.]eu
27           lyrosajupid[.]eu
27           tuwaraqidek[.]eu
27           pumebeqalew[.]eu
27           cinycekecid[.]eu
27           divulewybek[.]eu
27           vocijekyqiv[.]eu

*See JSON for more IOCs

Files and/or directories created

Occurrences  Path
27           %TEMP%\<random, matching [A-F0-9]{1,4}>.tmp
1            %TEMP%\F1A0.tmp
1            %TEMP%\8350.tmp
1            %TEMP%\6709.tmp
1            %TEMP%\5ABC.tmp
1            %TEMP%\DF95.tmp
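The wildcard indicators in the Kuluoz and Shiz tables (for example <random, matching '[a-z]{8}'>) are regex fragments, and the roundup's own caveat is that a single IOC hit does not indicate maliciousness. The following Python is an added example, not code from the Talos post: it compiles a handful of the Kuluoz and Shiz registry, file and domain indicators from this notation into anchored regexes, runs them over constructed endpoint and DNS telemetry, and reports only the threats corroborated by more than one distinct indicator. Two patterns are my generalisations rather than listed IOCs: the Run value name ([a-z]{8}, from the eight-letter names in the Kuluoz table) and the domain shape ([a-z]{11}.eu, from the 25 Shiz domains above). The hive aliases and the %TEMP%/%LOCALAPPDATA% expansions are assumptions about how the telemetry source writes paths.

```python
import re

# IOC families written in the notation the tables above use. A registry key
# with a "Value Name" is written as key\value, which is also how Sysmon
# event 13 reports TargetObject. Two patterns are my generalisations, not
# Talos IOCs: the Run value name ([a-z]{8}) and the domain shape ([a-z]{11}.eu).
IOCS = [
    ("Kuluoz", "registry", r"<HKCU>\SOFTWARE\<random, matching '[a-zA-Z0-9]{5,9}'>"),
    ("Kuluoz", "registry", r"<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\<random, matching [a-z]{8}>"),
    ("Kuluoz", "file",     r"%LOCALAPPDATA%\<random, matching '[a-z]{8}'>.exe"),
    ("Shiz",   "registry", r"<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\userinit"),
    ("Shiz",   "registry", r"<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS\load"),
    ("Shiz",   "file",     r"%TEMP%\<random, matching [A-F0-9]{1,4}>.tmp"),
    ("Shiz",   "domain",   r"<random, matching [a-z]{11}>[.]eu"),   # assumed generalisation
]

# Placeholders used by the notation, and what they look like in telemetry.
TOKEN = re.compile(
    r"<random, matching '?(?P<cls>[^'>]+)'?>"   # wildcard carrying a regex class
    r"|<(?P<hive>HKCU|HKLM|HKCR|HKU)>"          # registry hive
    r"|%(?P<env>[A-Z]+)%"                        # environment variable
)
HIVES = {
    # Sysmon writes per-user keys as HKU\<SID>\..., so HKCU gets that alias too.
    "HKCU": r"(?:HKCU|HKEY_CURRENT_USER|HKU\\S-1-5-21-[0-9-]+)",
    "HKLM": r"(?:HKLM|HKEY_LOCAL_MACHINE)",
    "HKCR": r"(?:HKCR|HKEY_CLASSES_ROOT)",
    "HKU":  r"(?:HKU|HKEY_USERS)",
}
ENV = {  # assumed default profile layout; adjust for your fleet
    "LOCALAPPDATA": r"[A-Z]:\\Users\\[^\\]+\\AppData\\Local",
    "TEMP":         r"[A-Z]:\\Users\\[^\\]+\\AppData\\Local\\Temp",
}


def ioc_to_regex(ioc: str) -> "re.Pattern[str]":
    """Compile one wildcard IOC into an anchored, case-insensitive regex.
    Literal text is escaped; each <random, matching X> contributes X verbatim.
    Case-insensitivity lets the tables' upper-cased registry paths match
    mixed-case telemetry, at the cost of [a-z] also accepting upper case."""
    ioc = ioc.replace("[.]", ".")            # re-fang defanged domains
    parts, pos = [], 0
    for m in TOKEN.finditer(ioc):
        parts.append(re.escape(ioc[pos:m.start()]))
        if m.group("cls"):
            parts.append(m.group("cls"))
        elif m.group("hive"):
            parts.append(HIVES[m.group("hive")])
        else:
            parts.append(ENV.get(m.group("env"), r".+?"))   # unknown variable: match anything
        pos = m.end()
    parts.append(re.escape(ioc[pos:]))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


RULES = [(threat, kind, ioc, ioc_to_regex(ioc)) for threat, kind, ioc in IOCS]


def match_events(events):
    """events: iterable of (kind, value) where kind is registry/file/domain.
    Returns every (value, threat, ioc) hit, weak ones included."""
    hits = []
    for kind, value in events:
        for threat, rule_kind, ioc, rx in RULES:
            if rule_kind == kind and rx.match(value):
                hits.append((value, threat, ioc))
    return hits


def corroborated_threats(hits, minimum=2):
    """Threats matched by at least `minimum` distinct IOCs. The roundup's own
    caveat applies: one IOC hit on its own is not evidence of compromise."""
    by_threat = {}
    for _, threat, ioc in hits:
        by_threat.setdefault(threat, set()).add(ioc)
    return sorted(t for t, iocs in by_threat.items() if len(iocs) >= minimum)


# Constructed sample telemetry for this example (not from the roundup). The
# ...\Software\Adobe row is benign and still matches the loose
# [a-zA-Z0-9]{5,9} wildcard, which is why corroboration matters.
SID = r"HKU\S-1-5-21-1004336348-1177238915-682003330-1001"
SAMPLE_EVENTS = [
    ("registry", SID + r"\Software\Hluappsn"),
    ("registry", SID + r"\Software\Microsoft\Windows\CurrentVersion\Run\fihacxpj"),
    ("registry", SID + r"\Software\Adobe"),
    ("registry", r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit"),
    ("file",     r"C:\Users\alice\AppData\Local\qwertyui.exe"),
    ("file",     r"C:\Users\alice\AppData\Local\Temp\F1A0.tmp"),
    ("file",     r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"),
    ("domain",   "kevopoxecun.eu"),
    ("domain",   "example.eu"),
]

if __name__ == "__main__":
    found = match_events(SAMPLE_EVENTS)
    for value, threat, ioc in found:
        print(f"{threat:7} {value}\n        matched {ioc}")
    print("corroborated:", corroborated_threats(found))
```

On the sample data the Adobe key is reported as a Kuluoz hit, and the loose HKCU\SOFTWARE\<5-9 alphanumerics> wildcard would fire on a great many clean hosts; the Run value, the dropped %LOCALAPPDATA% executable and the Winlogon userinit change are what make the match worth acting on. Replace SAMPLE_EVENTS with Sysmon event 11/13 TargetObject and Image fields, or DNS query logs, and paste in further rows from the tables or the accompanying JSON.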

File Hashes

    03ceb23a35bcd7170f8e2293c15aa444406959d789fda9ff9e412cf7a3a6ad90

    0a00f10084231e3abf745b456d522c27a284cd17e5824a91026e6511a0073792

    0a9d1eec9b14e840863b4948703b4c1a50b8d1c16d6cd6c0191ed55e82864ea3

    0aa380118e812371de65b56f760676f611ddda8a7dd422ed1e62214c2a8303d1

    0b38f48ffc49f1b53724384bd894702bcf49f2d68c1b84e4e0eeb931d572d294

    0b8cfcf3c71b18b73ec50c68115b5d7538eab4d21168272d547e4b6316ed592a

    0d8afb797e2ce9f712f3b5fb22317ec97cd8ea55b85855ffb33f362f45e3b706

    10d952070cca8a50175e4193e23e798484f215faa6ac8261b37caebb4ae4c22a

    16487b9aabc544819f3e1843e196d8e6b982b15ae95b9b599af310c0f4a0763e

    1751820a0b3e9669c512077ef08caa8cc8bd7cba8bb54eb97c574ba6dfa09d2d

    1bafc4ef3a634e29c71f52e5b0f3ea6ab3cd55e25ef9623d8d21302a13ac4833

    21c50af5ea57cf75b6bcf6e74b8008b335a440d4f4fd8499d2abc287116a0100

    2473d34831b6fef2e985c045c3a00880d05aceeeac10edf1f09ff38a1cbc44af

    2602a1096a4eec7291145b4570c1a0e814c03fba18d3d76d1b82f6e0dacaecf8

    2656072242b6777473e258b7f0fc7777cda688fe95f0050f375ffeb12f000c28

    2856afa65f2c7f0a23be68ce6899f24a9d3e12fa4f3b00644562e1ecdc06eed1

    28b92d2ad7b6c9865a5eda3ca5435cbcd7b24fd0b48ed61c9c7b87af542b88ed

    29bc8c64d83b59592ced9e79fd8e242344fedaa9bff3d385ce5372de7e035b4b

    2a812fc2558cfe90756a59a8d79ec8da9e14d7fec59cd9bbc5189a67a86629eb

    2e7fe1b9448cb0cca242f4b72fd956f21ad262587b88135045bc07a010cec102

    3047c7b03f084dc15ddbca4044a0fb2376af8b3799e4316194de8ef1474e1bf8

    321f58c68fead768a8465532821b62ec741482135b0a5460d48838433cde6133

    32b2f95694db2d96de89e4f8644cbdf68229903053c066499141b323d4acca1a

    34beb6169472ea58264460d2673a70128474e9bdb62fe998e5c22f9a4fa61a8c

    350596b9f1a539dddfd73cb4d10c605ec8cc8ed227bd2f33f31fddd6f190e7d8

*See JSON for more IOCs

Coverage

Product                   Protection
Secure Endpoint           Yes
Cloudlock                 N/A
CWS                       Yes
Email Security            Yes
Network Security          Yes
Stealthwatch              N/A
Stealthwatch Cloud        N/A
Secure Malware Analytics  Yes
Umbrella                  Yes
WSA                       Yes

Screenshots of Detection

Secure Endpoint: [screenshot]

Secure Malware Analytics: [screenshot]

MITRE ATT&CK: [technique heatmap]

Win.Packed.Fareit-9971247-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 13 samples

Registry Keys

Occurrences  Registry Key (Value Name)
13           <HKCU>\SOFTWARE\WINRAR
13           <HKCU>\SOFTWARE\WINRAR  (Value Name: HWID)

IP Addresses contacted by malware. Does not indicate maliciousness

Occurrences  IP Address
13           168[.]144[.]38[.]105

File Hashes

    1acb437594832fbf922ea62142314c31026f4345dfd31cf843acb52eca1aec92

    1cc621b3d1a8db17783e813726cee6309e7802110a6d93779b7096e723023628

    39b43b15aeb0a1aff4ca35928a2dd25aa6439c2faa24721424a749cd5b376153

    57e6addd9c1c9f9367c48020e1f004a26cd6b361c6145ec97e554fd991ca5925

    6bc8e9d23757833faff22d586d92d2274283e5bbe400bf07fdd2c5a070f39bd2

    84238de8af6828ea6864308ce0ea0f0e798c31c2e105c3b7bf0f238732738d78

    8f1566be038140548e9c1350a9ae28d95c1b70b8f79c0ba3ba094ffec8b530c2

    914e1a2a9ca34ba6b66795165ea9e57d2817f3aa23ed662a565c9ad6c6476459

    a9b1fb4abbebe49a65998d688a02819d8bdc3eeeebad496b94b5f6b27ff4e49b

    b7f64dd2cb3cb310bfbbd54e29b4f9c03e94bd474ab487e403aec3357350307a

    c6c1fcd270017f81a8113545eb42471f98700eb162ccbd4272b54de6435c4971

    f4fd5a689233ea0c7c0d1599f14b68554f5c07f0c12c86981e0eef4be06940be

    fb2a62eecd3f1a04e0633f43d472229ef3994de0a212da08d21c9fea8577016e

Coverage

Product                   Protection
Secure Endpoint           Yes
Cloudlock                 N/A
CWS                       Yes
Email Security            Yes
Network Security          N/A
Stealthwatch              N/A
Stealthwatch Cloud        N/A
Secure Malware Analytics  Yes
Umbrella                  N/A
WSA                       N/A

Screenshots of Detection

Secure Endpoint: [screenshot]

Secure Malware Analytics: [screenshot]

MITRE ATT&CK: [technique heatmap]
