Quantcast
Channel: Cisco Talos Blog
Viewing all articles
Browse latest Browse all 2041

Threat Roundup for July 5 to July 12

July 12, 2019, 10:34 am
$
0
0
Today, Talos is publishing a glimpse into the most prevalent threats we've observed between July 5 and July 12. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found herethat includes the complete list of file hashes, as well as all other IOCs from this post. As always, please remember that all IOCs contained in this document are indicators, and one single IOC does not indicated maliciousness.
The most prevalent threats highlighted in this roundup are:
Threat NameTypeDescription
Win.Virus.Expiro-7011826-0 Virus Expiro is a known file infector and information-stealer that hinders analysis with anti-debugging and anti-analysis tricks.
Win.Dropper.Nymaim-7011878-0 Dropper Nymaim is malware that can be used to deliver ransomware and other malicious payloads. It uses a domain generation algorithm to generate potential command and control (C2) domains to connect to additional payloads.
Win.Dropper.TrickBot-7011945-0 Dropper Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts.
Win.Malware.njRAT-7011967-1 Malware njRAT, also known as Bladabindi, is a remote access trojan (RAT) that allows attackers to execute commands on the infected host, log keystrokes and remotely turn on the victim's webcam and microphone. njRAT was developed by the Sparclyheason group. Some of the largest attacks using this malware date back to 2014.
Win.Malware.Tofsee-7012060-0 Malware Tofsee is multi-purpose malware that features a number of modules used to carry out various activities, such as sending spam messages, conducting click fraud, mining cryptocurrency, and more. Infected systems become part of the Tofsee spam botnet and are used to send large volumes of spam messages in an effort to infect additional systems and increase the overall size of the botnet under the operator’s control.
Win.Ransomware.Gandcrab-7012204-0 Ransomware GandCrab is ransomware that encrypts documents, photos, databases and other important files typically using the file extension ".GDCB", ".CRAB" or ".KRAB." GandCrab is spread through both traditional spam campaigns, as well as multiple exploit kits, including Rig and GrandSoft.
Win.Packed.Xcnfe-7012508-0 Packed This cluster provides generic detection for the Dridex banking trojan that's downloaded onto a target's machine.
Win.Packed.Kuluoz-7051229-0 Packed Kuluoz, sometimes known as "Asprox," is a modular remote access trojan that is also known to download and execute follow-on malware, such as fake antivirus software. Kuluoz is often delivered via spam emails pretending to be shipment delivery notifications or flight booking confirmations.
Win.Ransomware.Cerber-7052005-0 Ransomware Cerber is ransomware that encrypts documents, photos, databases and other important files using the file extension ".cerber."

Threat Breakdown

Win.Virus.Expiro-7011826-0

Indicators of Compromise

Registry KeysOccurrences
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC
Value Name: Start		27
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDEFEND
Value Name: Start		27
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V2.0.50727_32
Value Name: Type		27
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V2.0.50727_32
Value Name: Start		27
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V2.0.50727_64
Value Name: Type		27
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V2.0.50727_64
Value Name: Start		27
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V4.0.30319_32
Value Name: Type		27
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V4.0.30319_32
Value Name: Start		27
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V4.0.30319_64
Value Name: Type		27
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V4.0.30319_64
Value Name: Start		27
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\COMSYSAPP
Value Name: Type		27
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\COMSYSAPP
Value Name: Start		27
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\IEETWCOLLECTORSERVICE
Value Name: Type		27
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\IEETWCOLLECTORSERVICE
Value Name: Start		27
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MOZILLAMAINTENANCE
Value Name: Type		27
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MOZILLAMAINTENANCE
Value Name: Start		27
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MSISERVER
Value Name: Type		27
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MSISERVER
Value Name: Start		27
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\OSE
Value Name: Type		27
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\OSE
Value Name: Start		27
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\UI0DETECT
Value Name: Type		27
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\UI0DETECT
Value Name: Start		27
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\VDS
Value Name: Type		27
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\VDS
Value Name: Start		27
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\VSS
Value Name: Type		27
MutexesOccurrences
kkq-vx_mtx127
gazavat-svc27
kkq-vx_mtx6427
kkq-vx_mtx6527
kkq-vx_mtx6627
kkq-vx_mtx6727
kkq-vx_mtx6827
kkq-vx_mtx6927
kkq-vx_mtx7027
kkq-vx_mtx7127
kkq-vx_mtx7227
kkq-vx_mtx7327
kkq-vx_mtx7427
kkq-vx_mtx7527
kkq-vx_mtx7627
kkq-vx_mtx7727
kkq-vx_mtx7827
kkq-vx_mtx7927
kkq-vx_mtx8027
kkq-vx_mtx8127
kkq-vx_mtx8227
kkq-vx_mtx8327
kkq-vx_mtx8427
kkq-vx_mtx8527
kkq-vx_mtx8627
*See JSON for more IOCs
Files and or directories createdOccurrences
\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.vir27
\MSOCache\All Users\{91140000-0011-0000-0000-0000000FF1CE}-C\ose.vir27
\MSOCache\All Users\{91140000-0011-0000-0000-0000000FF1CE}-C\setup.vir27
%CommonProgramFiles%\Microsoft Shared\VSTO\10.0\VSTOInstaller.vir27
%CommonProgramFiles%\Microsoft Shared\ink\ConvertInkStore.vir27
%CommonProgramFiles%\Microsoft Shared\ink\InputPersonalization.vir27
%CommonProgramFiles%\Microsoft Shared\ink\ShapeCollector.vir27
%CommonProgramFiles%\Microsoft Shared\ink\TabTip.vir27
%CommonProgramFiles%\Microsoft Shared\ink\mip.vir27
%ProgramFiles%\DVD Maker\DVDMaker.vir27
%ProgramFiles%\Internet Explorer\ieinstal.vir27
%ProgramFiles%\Internet Explorer\ielowutil.vir27
%ProgramFiles%\Internet Explorer\iexplore.vir27
%ProgramFiles%\Java\jre6\bin\java.vir27
%ProgramFiles%\Java\jre6\bin\javaw.vir27
%ProgramFiles%\Java\jre6\bin\javaws.vir27
%ProgramFiles%\Java\jre6\bin\unpack200.vir27
%ProgramFiles%\Java\jre7\bin\jabswitch.vir27
%ProgramFiles%\Java\jre7\bin\java.vir27
%ProgramFiles%\Java\jre7\bin\javacpl.vir27
%ProgramFiles%\Java\jre7\bin\javaw.vir27
%ProgramFiles%\Java\jre7\bin\javaws.vir27
%ProgramFiles%\Java\jre7\bin\jp2launcher.vir27
%ProgramFiles%\Java\jre7\bin\ssvagent.vir27
%ProgramFiles%\Java\jre7\bin\unpack200.vir27
*See JSON for more IOCs

File Hashes

0f11058b9bb9dce7014b474d85d37f38fef0c65ed40d4cba8045d37728cc3127 12b6dcadcf34533c756995f06ca4c874b355e9fe44fda55f8313e2cfb126b419 1a4c6b55be877c65e946d24812000fb8dfccbdfe19be1b8acc67bce8b4893743 2458be6e8b13f29643ab1bbb040b78d1a94e55e50146eade0a705740eebf054a 26dcb212b2eace9a14bc33b421505143fa0a247df2418b575046df6ef80ee6a9 288fb9363990e5cbbad51e4e0436b4ea69a1cf148dbabae124ffd00151b7bc33 32beb33b4e36b69c79c50928e05d24a8f175d25701bb507e1ad03cdf70b63f3f 3550e5495f8922d17929b8a9bac9c23135d1418356b82576c7dd0a4f15aa95f6 3b2f5faad148f5ed6a824553dded90c2de38978845deb2fbdf99816cabfb8854 4624f0bdb4bb2092cfc73dbd30f7ab61403a0d1c60bef5290c6ed9fe60bff849 47b7d95889199a717407c7a6e8278f5ab9a32c499aabe9930da52f9051304ff2 535bb9df4d41d57fc44572ebc1a535ac726546a41a8b2fcf3b904ed037a96db6 552a987dd3722960cba7fd8c4fc1cd36cc5bf2668c9f0ffe5b452eecdc1824e9 5f998984132fabb1879ddca658baa12d891afbbfd0738d2a2063a491be833a0a 6669a807690556293a60830285c9c2c9ad52842a1c7646e99852724b1b049ab0 67dc0704b4393c6dc523756d107279340eaba04a62d49048588ecd4be5a88aac 6c0f5ca1ab0562b3c285c5556f1a68fbe8a2a5fcec892bbd8333c8a6414c46d8 6cf2f544a52878b86e09d4a6938949fffb1b65c2afae49241c99913e3046baa3 7057f866649141c5f09b96dbece2db447ac2ef1a25ea992d16cc1f44afe9622e 710a3ca2a0030b4b064dc29da045ab7ff61a5f1a5cf11b100ab89a9b1d9ffc83 7327a9114c1facf322d5c31744aa1199a15ba9f57825650b3a548495630c1d63 73aa657a49c7c13b1c0727c05ef7d51fe9fd138862c15fdcc0fd64cdb06ece8d 79732b1aeb27cb1ead7ab37e4681c96d5f97d9e72c6a934b779f05fd82c51473 8de151ef4f21b6e74cc96403debbdd50ecb97299cac0fa7dc988dba68e30c44b 8ef41dc44a6c264c6c475b4d24ad44649a15f4bbbb4e237580621865361b995b
*See JSON for more IOCs

Coverage

ProductProtection
AmpThis has coverage
Cloudlock N/A
CwsThis has coverage
Email SecurityThis has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat GridThis has coverage
Umbrella N/A
Wsa N/A

Screenshots of Detection

AMP



ThreatGrid



Win.Dropper.Nymaim-7011878-0

Indicators of Compromise

Registry KeysOccurrences
<HKCU>\Software\Microsoft\GOCFK 23
<HKCU>\SOFTWARE\MICROSOFT\GOCFK
Value Name: mbijg		23
MutexesOccurrences
Local\{369514D7-C789-5986-2D19-AB81D1DD3BA1}23
Local\{D0BDC0D1-57A4-C2CF-6C93-0085B58FFA2A}23
Local\{F04311D2-A565-19AE-AB73-281BA7FE97B5}23
Local\{F6F578C7-92FE-B7B1-40CF-049F3710A368}23
Local\{306BA354-8414-ABA3-77E9-7A7F347C71F4}23
Local\{F58B5142-BC49-9662-B172-EA3D10CAA47A}23
Local\{C170B740-57D9-9B0B-7A4E-7D6ABFCDE15D}23
Local\{B888AC68-15DA-9362-2153-60CCDE3753D5}23
Local\{2DB629D3-9CAA-6933-9C2E-D40B0ACCAC9E}23
Domain Names contacted by malware. Does not indicate maliciousnessOccurrences
xunveu[.]in22
rerbitzfyff[.]in22
uwsmf[.]net22
utgwcrp[.]com22
xyiubkksjo[.]pw22
octvwlg[.]net22
mzutglz[.]com22
bjgouvf[.]net22
ulgug[.]in22
bybxug[.]pw22
ilqmz[.]com22
wnckjojra[.]net22
vncya[.]in22
mzpgaccm[.]in22
cspflbgtpwxg[.]com22
pcarbnracpll[.]in20
hnmkptaybcf[.]pw20
ypgfnvixxaw[.]in20
emuakrgqzg[.]pw20
ucwwhvxji[.]com20
rinzevlc[.]net20
zdlvqrnmf[.]net20
chavpayztnex[.]net20
fwceecdhnnph[.]net20
xlwzoffpooo[.]com20
*See JSON for more IOCs
Files and or directories createdOccurrences
%ProgramData%\ph23
%ProgramData%\ph\fktiipx.ftf23
%TEMP%\gocf.ksv23
%ProgramData%\l4szb23
%LOCALAPPDATA%\15rdg23
%APPDATA%\4fo23
%TEMP%\fro.dfx20
\Documents and Settings\All Users\pxs\pil.ohu20
%TEMP%\bpnb.skg10
%TEMP%\wghpl.bqj1
\Documents and Settings\All Users\akt\aaq.hcr1
%TEMP%\mfw.cac1
\Documents and Settings\All Users\yvn\uwawv.hnd1

File Hashes

21ca501957eb98d23abf16f253027ccf878f8045408dfefe9428df4357d8e4ac 2c7e7c4b50c4eccd7d68eb6aeea2a234a8b6f16cbc82740f85cf950755195aed 2f281ae6cd2f21d87ddd323ea4f1fe37949fd97e9d8fd69019c88754537dbd69 4e242fcebfb964c32ae3d53ac0bb5d85ff940cd58e26733bb677c4fafbd1c7c7 59a7dd286660811bb00e121c3e46c7e591f28e73fffa1d0b2b90eedb8a7824b1 5f4333e507e6d1868060e38423f036facc05cb30b863bef129ecf4db8c45470f 6b21c1f71ee50d296c0ada1d6c8924388b2049556c67966d8a4fcb513ad5afea 829e62346b8b1c58fa10995003137254a9c30f03154875c66b881c9ea6f45e5e 8da1535783ed2194ae6751f2a62964e0969758caa84e24cffaca42dd801e2c11 936179c3eccc864f82de20a7e7620679b78f4439a06b954afea38e81e8dc4597 a1099ca231637ee33617ec9fd3751bc79780a1e4cf5b27a320d8350f83520f86 a3a7b86869d6a01fd9ec3f91b909b40d82e1f970b7d5760c213a6cc7744fc33a a44b775b0768448ba60a004e452d0b3b36fbd92bf68ad97095a7b2fbad4df0c0 ac9f91736bfa4b2659ee9f3b2f4aabb5f6f9bf8ff92ffc9f4b1eb597c97b7580 b0b4f210c37edf202d27069530d03f808cb72c5103adab2c964d7e35fc372ec0 b516d410b359b11a05a0e94f39cfb7671139899bff1e1aa08dcaf8440c8c5f97 b8d03c79b54cca29f77504b224ec785ca19c735d9137a3c0265066711c6a658e c33f524a6bbde609dda5ebe36ab56d4c8963a9099446e8da94ea4e48531aa4d8 c50561443829e85ed8477ebab944e1fb44f36d1cf1148f6b1d2c9e4fe95454b1 c855e4b372f4bc3a66c9da5ffa57e39a95fe024bf11d5008097010adcb3a93a1 cd38e469faf445589dd68e69ee193533d86945355019b37f93f1232c0e337b71 f1553bddcfd8a3b662251154296dbac605b1e45e3cdab36af876fb431f0f6c71 f9548073e75760af718afb6466557ef52f84e0f43591b7b44e1f090b590ed6db

Coverage

ProductProtection
AmpThis has coverage
Cloudlock N/A
CwsThis has coverage
Email SecurityThis has coverage
Network SecurityThis has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat GridThis has coverage
UmbrellaThis has coverage
WsaThis has coverage

Screenshots of Detection

AMP


ThreatGrid


Umbrella



Win.Dropper.TrickBot-7011945-0

Indicators of Compromise

Registry KeysOccurrences
<HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\AUTHROOT\CERTIFICATES\DAC9024F54D8F6DF94935FB1732638CA6AD77C13
Value Name: Blob		10
<HKLM>\SOFTWARE\Policies\Microsoft\Windows Defender 2
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Users\Administrator\AppData\Roaming\services\		2
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Users\Administrator\AppData\Roaming\services\		2
<HKLM>\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions 2
<HKLM>\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths 2
MutexesOccurrences
316D1C7871E0016
\BaseNamedObjects\785161C8872009
IP Addresses contacted by malware. Does not indicate maliciousnessOccurrences
216[.]239[.]34[.]214
37[.]230[.]115[.]1294
78[.]155[.]207[.]1434
193[.]233[.]62[.]1314
195[.]133[.]196[.]2193
200[.]111[.]97[.]2353
186[.]68[.]120[.]163
37[.]230[.]115[.]1713
37[.]230[.]115[.]1333
62[.]69[.]241[.]1033
216[.]239[.]36[.]212
23[.]21[.]121[.]2192
50[.]16[.]229[.]1402
94[.]103[.]80[.]162
216[.]239[.]32[.]211
34[.]233[.]102[.]381
198[.]27[.]74[.]1461
104[.]20[.]17[.]2421
216[.]239[.]38[.]211
54[.]235[.]124[.]1121
52[.]206[.]161[.]1331
104[.]20[.]16[.]2421
94[.]127[.]111[.]141
184[.]73[.]220[.]2061
46[.]30[.]45[.]2081
*See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousnessOccurrences
ipecho[.]net5
elb097307-934924932[.]us-east-1[.]elb[.]amazonaws[.]com5
myexternalip[.]com2
checkip[.]amazonaws[.]com2
api[.]ipify[.]org2
wtfismyip[.]com1
ipinfo[.]io1
icanhazip[.]com1
Files and or directories createdOccurrences
Modules16
client_id16
group_tag16
%System32%\Tasks\services update16
%APPDATA%\localservice\client_id14
%APPDATA%\localservice\group_tag14
%APPDATA%\localservice14
%SystemRoot%\Tasks\services update.job9
%SystemRoot%\TEMP\~DFDA4328936B46A2E2.TMP1
%SystemRoot%\TEMP\~DFBEE2068C496B9A0B.TMP1
%SystemRoot%\TEMP\~DFE4F856122203E5A6.TMP1
%SystemRoot%\TEMP\~DF95BC682C0250D9D0.TMP1
%SystemRoot%\TEMP\~DF664B3409FD7DCCB3.TMP1
%SystemRoot%\TEMP\~DF8B34B44DCAF0FAB3.TMP1
%SystemRoot%\TEMP\~DFDFC8A9E27AB554F4.TMP1
%SystemRoot%\TEMP\~DFE798A25A56E126CC.TMP1
%SystemRoot%\TEMP\~DFCCEBCD519293AB68.TMP1
%SystemRoot%\TEMP\~DF5DE8F500481F14C0.TMP1
%SystemRoot%\TEMP\~DFB36F6F7DB9D671D4.TMP1
%SystemRoot%\TEMP\~DF7A2364BFEF750112.TMP1
%SystemRoot%\TEMP\~DF604668AE25DEDE76.TMP1
%APPDATA%\localservice\82b686b66ad703470800edb64763f2b64e1cffaa6830accbe7ff8178e6b48724.exe1
%SystemRoot%\TEMP\~DF7802BEE615801D53.TMP1
%SystemRoot%\TEMP\~DF50F658542C3B5672.TMP1
%SystemRoot%\TEMP\~DF5E22B8EF8D659CE2.TMP1
*See JSON for more IOCs

File Hashes

008d13100397cf0ce26850e3bcbb5a8c2fc01502d9a2b452439c101aea7d0824 0214625318a30153d364581fb580334f05be63bd5a355cbf86f12be66461716d 11f8a050648d0b8c70d19a99c48aeb9ba0d893d348ee503b96313b4499d96c63 198311c124d55765d5488c44a27d94087c67599f88e7b7afdcce4a1bc936c0c3 36c46dd363ce161955f1fe561791fe7a6f923e8c185b8dd0408211d8001f3515 48994b0e9f9a32783b49759a81e09e818a0faad7b854f349819a0cca9e04ebbb 646d1f9f85c1d2db58748961f9c08147f011434cd79be11cafff4db43a10218a 6c0f7bb7d6d7782d9fbf4b5c9659a8e3502e7ad6ccdb9527311cbd554b716459 71d157b247885a9fac9d5a2de95d62675a2887bd539face9f6d97a749bf368a9 7ee35d3aca75c64bff75826baa082a1d65e5d0a0c4bc5a258d37d22facbaf159 82b686b66ad703470800edb64763f2b64e1cffaa6830accbe7ff8178e6b48724 928e054bade6765803e23936c60ede96cb02603eeecbd98abbef98f88d431c06 98a9522efeef7720f8ba8aad303259eb1e52b35d9b38cc5a44715439d4729b0e a418ba3cb2818dba4487178db3ac2beabdbd73aec9a5ce38d93d7c3eeb998fba ebe4c5cdda2437d323417c8d4e43a4fb973665c89a6a7dcf28c2ad0803612f5d f01e645d797000911da3221face197fd3a6eeb12d2e6acc99b984236530d117b

Coverage

ProductProtection
AmpThis has coverage
Cloudlock N/A
CwsThis has coverage
Email SecurityThis has coverage
Network SecurityThis has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat GridThis has coverage
Umbrella N/A
WsaThis has coverage

Screenshots of Detection

AMP



ThreatGrid



Win.Malware.njRAT-7011967-1

Indicators of Compromise

Registry KeysOccurrences
<HKU>\S-1-5-21-2580483871-590521980-3826313501-500
Value Name: di		26
<HKCU>\ENVIRONMENT
Value Name: SEE_MASK_NOZONECHECKS		26
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
Value Name: ParseAutoexec		26
<HKLM>\System\CurrentControlSet\Services\NapAgent\Shas 24
<HKLM>\System\CurrentControlSet\Services\NapAgent\Qecs 24
<HKLM>\System\CurrentControlSet\Services\NapAgent\LocalConfig 24
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\NAPAGENT\LOCALCONFIG\Enroll\HcsGroups 24
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\NAPAGENT\LOCALCONFIG\UI 24
<HKCU>\Software\3d115699981cee571b7b4f66ac05e68c 7
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: 3d115699981cee571b7b4f66ac05e68c		7
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: 3d115699981cee571b7b4f66ac05e68c		7
<HKCU>\SOFTWARE\3D115699981CEE571B7B4F66AC05E68C
Value Name: [kl]		7
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: d357c7c29de6f023d943a6a5749259b6		1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: d357c7c29de6f023d943a6a5749259b6		1
<HKCU>\SOFTWARE\D357C7C29DE6F023D943A6A5749259B6
Value Name: [kl]		1
<HKCU>\Software\eecedbc08899b6053b2f68175c2ade9d 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: eecedbc08899b6053b2f68175c2ade9d		1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: eecedbc08899b6053b2f68175c2ade9d		1
<HKCU>\SOFTWARE\EECEDBC08899B6053B2F68175C2ADE9D
Value Name: [kl]		1
<HKCU>\Software\cee69a9c58a2f342efc10ce9b61baf18 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: cee69a9c58a2f342efc10ce9b61baf18		1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: cee69a9c58a2f342efc10ce9b61baf18		1
<HKCU>\SOFTWARE\CEE69A9C58A2F342EFC10CE9B61BAF18
Value Name: [kl]		1
<HKCU>\Software\c89d6f2f51b03aeeb600705006913620 1
<HKCU>\SOFTWARE\C89D6F2F51B03AEEB600705006913620
Value Name: [kl]		1
MutexesOccurrences
Unknown26
Global\783b85a0-9df2-11e9-a007-00501e3ae7b526
3d115699981cee571b7b4f66ac05e68c7
767e342b9464203399b874be2f756a331
88f1bb19962eeb60cb416d731fb26aea1
e4147808b03abe9f0c3c590c783b5f671
cd37f8fb04904790aec64ec6b02964331
b2d5379932f9d6eda0b4b4e483e6f7061
d1c945c77014d102f98a39383a30a06f1
54652225b66d96cf87694edf842a80cd1
43ea784f064f564187850c70cfe36c6e1
d357c7c29de6f023d943a6a5749259b61
eecedbc08899b6053b2f68175c2ade9d1
cee69a9c58a2f342efc10ce9b61baf181
c89d6f2f51b03aeeb6007050069136201
b92cfeca418c2dea22378d2a69b20e0d1
2fec419046b765ea0c3b4e01c9db47a71
853654d9e10653518ce2df77e9edb5a01
f6a16052a275bda28850cb9c07e032e61
2c19e5532f94fc5804396a44a7b110751
bd038787fbc588893c8c348e22ae35571
f1d09ec17b6425dd6e0a316aeae5b67e1
IP Addresses contacted by malware. Does not indicate maliciousnessOccurrences
156[.]196[.]135[.]144
67[.]214[.]175[.]693
159[.]89[.]214[.]311
66[.]199[.]229[.]2511
85[.]17[.]30[.]1671
154[.]121[.]37[.]51
62[.]117[.]61[.]1301
Domain Names contacted by malware. Does not indicate maliciousnessOccurrences
magichako[.]publicvm[.]com7
shadowhakar41[.]ddns[.]net2
AAAA5[.]HOPTO[.]ORG1
kounan19[.]myq-see[.]com1
salehboot[.]ddns[.]net1
updated[.]ddns[.]net1
blackstrretboy[.]ddns[.]net1
z12z12[.]hopto[.]org1
bobaramos[.]ddns[.]net1
hackerdzarit[.]ddns[.]net1
hassan1212[.]ddns[.]net1
rezallta[.]ddns[.]net1
serveo[.]net1
android-update[.]servehttp[.]com1
Files and or directories createdOccurrences
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\Mirosoft.js26
%APPDATA%\Microsoft\Windows\Templates\Windows.Exe26
%TEMP%\dw.log24
%TEMP%\73E7.dmp24
%HOMEPATH%\Start Menu\Programs\Startup\Mirosoft.js24
%HOMEPATH%\Templates\Windows.Exe24
%TEMP%\server.exe13
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\3d115699981cee571b7b4f66ac05e68c.exe7
%TEMP%\ddn.exe2
%APPDATA%\explorer.exe1
%APPDATA%\server.exe1
%TEMP%\system32.exe1
%APPDATA%\wininit.exe1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\767e342b9464203399b874be2f756a33.exe1
%TEMP%\syswine.exe1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\cd37f8fb04904790aec64ec6b0296433.exe1
%TEMP%\updated.exe1
%TEMP%\svchos.exe1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\d1c945c77014d102f98a39383a30a06f.exe1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\cee69a9c58a2f342efc10ce9b61baf18.exe1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\b92cfeca418c2dea22378d2a69b20e0d.exe1
%TEMP%\windows updates.exe1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\f6a16052a275bda28850cb9c07e032e6.exe1

File Hashes

07ae3ba8b6bb636c3cbc305d25f60d1b8544cbd3932ec60a41979aca444a0c8a 09332d76d630cf20549d849b207a78ac2608d719c7bdfedcf3904d9b07587210 14f0bf6f2bb1706c7c64c42a6dec0d18743ce84455cfa5507671628f09e0056b 29a28ff8074cacda1ee387ea13ea3264fc0819a32ba207002014b69a01e7d20a 2ce9507eca7390d1447568f575a31b3cccc185239956c34df11b8a97d5a41d6f 30ba3ca3f8bfe1be88a41da21b74b442f89ac3b9bc991f1429620cfe43a3d957 3709900a8d262b587769688b9ad51196212647f0c461cfa7c6aa02aad03f4c8e 37cf34ef1a59fa7f2a821d2aea146aa341d56ad8cbe8b60c028218919d9fb65c 3afaa0d40d4d857113aa2211bb268bb71a9f172a66581172c891171f3ec595d1 438a539d7fc684ff23c37d28f6968e16a26361baa95611374e844b527d8348f2 4492ee2ea728db7e9ef4a385f08890082d7754aad197aec3d3ad8a1f1b2e0554 49b6302a30504389f9f9fc0efb48da95aa52053e9c1a1ebcb309dcc0c60c071e 4ff6b9d3c069558001457fef65c1623d05ef503580db96a5b444ccc8dfb58fe8 59c9a7f0f2c8c0abdbe9790fe6d1f4b08dadb7764500fee60fd9782c076cdf40 59e1820154d4a5e6bc42158847a3f82cb25f4e7ac6a89fec036357a5e9ce6342 83e0d7c8af1ab2095ebfd11d195f5b2f1f999d741c0487c97c4f814050d0bb6f 8b9d87a3c7b4a03bf14459e9efdb89b4a73c3ffb006396638163ccd0ac73a72f 8e225d1629cb1c372d096f3d32bb621fadeba5b1c4489b08069ff977130d7bdd 9c36c86b6d998c5c3bded236f5fe94ac15239d8d283afe73acffb35bf45fea39 9cfe4f5840153f5bd81ac360c812854063952cb01fc5f3848fe9d460d84b17d7 9d46831f0a0d012493bde6165661a9af05199aa7451ca4bd89c840546d2c9d0e a0d93958f9ccada56204fafd970d87ff67d40f78014c65cc3ce063979578aaf7 a1739268211e4f63d1f8d89a897272a945f709e9350a4a8a8f788995b5086c54 b1a0998fd2465208767650c597906941f2c95d9acaa69254238f1923ab6290fb bc63a9907ef52f5c765a390b140e94b253b97f83aa3959f45c2ee0dcb823e0bb
*See JSON for more IOCs

Coverage

ProductProtection
AmpThis has coverage
Cloudlock N/A
CwsThis has coverage
Email SecurityThis has coverage
Network SecurityThis has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat GridThis has coverage
Umbrella N/A
WsaThis has coverage

Screenshots of Detection

AMP



ThreatGrid



Win.Malware.Tofsee-7012060-0

Indicators of Compromise

Registry KeysOccurrences
<HKLM>\System\CurrentControlSet\Services\NapAgent\Shas 13
<HKLM>\System\CurrentControlSet\Services\NapAgent\Qecs 13
<HKLM>\System\CurrentControlSet\Services\NapAgent\LocalConfig 13
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\NAPAGENT\LOCALCONFIG\Enroll\HcsGroups 13
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\NAPAGENT\LOCALCONFIG\UI 13
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\athnmuap 13
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\ATHNMUAP
Value Name: Type		13
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\ATHNMUAP
Value Name: Start		13
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\ATHNMUAP
Value Name: ErrorControl		13
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\ATHNMUAP
Value Name: DisplayName		13
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\ATHNMUAP
Value Name: WOW64		13
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\ATHNMUAP
Value Name: ObjectName		13
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\ATHNMUAP
Value Name: Description		13
<HKU>\.DEFAULT\Control Panel\Buses 12
<HKU>\.DEFAULT\CONTROL PANEL\BUSES
Value Name: Config0		12
<HKU>\.DEFAULT\CONTROL PANEL\BUSES
Value Name: Config1		12
<HKU>\.DEFAULT\CONTROL PANEL\BUSES
Value Name: Config4		10
<HKU>\.DEFAULT\CONTROL PANEL\BUSES
Value Name: Config2		10
<HKU>\.DEFAULT\CONTROL PANEL\BUSES
Value Name: Config3		10
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\gzntsagv		2
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\athnmuap		2
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\mftzygmb		2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MFTZYGMB
Value Name: ImagePath		2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\GZNTSAGV
Value Name: ImagePath		2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\ATHNMUAP
Value Name: ImagePath		2
IP Addresses contacted by malware. Does not indicate maliciousnessOccurrences
43[.]231[.]4[.]713
69[.]55[.]5[.]25012
239[.]255[.]255[.]25010
46[.]4[.]52[.]10910
176[.]111[.]49[.]4310
85[.]25[.]119[.]2510
144[.]76[.]199[.]210
144[.]76[.]199[.]4310
98[.]137[.]159[.]2710
192[.]0[.]47[.]5910
209[.]85[.]202[.]2710
168[.]95[.]5[.]11410
104[.]44[.]194[.]2329
104[.]44[.]194[.]2369
94[.]23[.]27[.]389
188[.]125[.]73[.]878
74[.]6[.]137[.]658
65[.]55[.]92[.]1848
65[.]55[.]33[.]1358
65[.]55[.]92[.]1688
65[.]55[.]92[.]1528
65[.]55[.]37[.]728
65[.]54[.]188[.]728
104[.]44[.]194[.]2318
65[.]55[.]37[.]1208
*See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousnessOccurrences
microsoft-com[.]mail[.]protection[.]outlook[.]com13
250[.]5[.]55[.]69[.]in-addr[.]arpa12
250[.]5[.]55[.]69[.]zen[.]spamhaus[.]org10
250[.]5[.]55[.]69[.]cbl[.]abuseat[.]org10
mta7[.]am0[.]yahoodns[.]net10
mta5[.]am0[.]yahoodns[.]net10
mx-eu[.]mail[.]am0[.]yahoodns[.]net10
250[.]5[.]55[.]69[.]dnsbl[.]sorbs[.]net10
whois[.]iana[.]org10
250[.]5[.]55[.]69[.]bl[.]spamcop[.]net10
whois[.]arin[.]net10
250[.]5[.]55[.]69[.]sbl-xbl[.]spamhaus[.]org10
hotmail-com[.]olc[.]protection[.]outlook[.]com10
mta6[.]am0[.]yahoodns[.]net10
honeypus[.]rusladies[.]cn10
marina99[.]ruladies[.]cn10
coolsex-finders4[.]com10
sexual-pattern3[.]com10
msx-smtp-mx1[.]hinet[.]net9
ipinfo[.]io8
yahoo[.]fr6
charter[.]net6
mx0[.]charter[.]net6
smtp[.]secureserver[.]net6
msa[.]hinet[.]net6
*See JSON for more IOCs
Files and or directories createdOccurrences
%SystemRoot%\SysWOW64\athnmuap13
%TEMP%\wmslmukt.exe13
%SystemRoot%\SysWOW64\config\systemprofile:.repos12
%SystemRoot%\SysWOW64\config\systemprofile12
%System32%\antugrwv\nuhhkvni.exe (copy)10
%HOMEPATH%9

File Hashes

130c448935b7cda787b3b2c25759959feb78b4da0578993910dea9810ac5d65b 144f230d8ff21cebd98c9baceb3f6bf183cddf3faf499ef998265ce229c6c96f 1849aaffd6046b733d684532e2c96e9022df4a024f5d906f112d1dbe3a8cfe3b 3857377eca60c925c02e5225156497b7e048239b492c2bba6e183ffa11a1fca2 67a3626583d536db9f4e8facf0e2054db1aa5cb3fc0ffc2dd994b6e784aaf0fe 8b5bcebde67ea9f0f71b9dbceff20f719334b364efe2555c0a7faa53c2cccab9 993beed87fcc986b4dacb829f412f3cd0d8d3bd055abf62ad4b2808e308d2a90 ade3682626c6aa2269e28672fe60ebbeafc42a60f5e02922d2506d6bbe8f353c ae2cc0636044f30a1c0c662699b23bb371584fe4a53cad4ed63f91c25afa5dbb b1a7847311263f61d845e04d26d4bdb477ebc511e53438ab11408b69f079140c b2b29afc2cf0d1f3d4d0e29cf102c168d09405d7f1aa98426f1b2f6ae79ca1eb d63483697d4daef64ece202d8d000b45c5db118d55865b2c981b49dbc2ec80ea e0def1110bf0854a33f83b38925aee003e3264a35c41df58f39cc6cface46412

Coverage

ProductProtection
AmpThis has coverage
Cloudlock N/A
CwsThis has coverage
Email SecurityThis has coverage
Network SecurityThis has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat GridThis has coverage
UmbrellaThis has coverage
WsaThis has coverage

Screenshots of Detection

AMP


ThreatGrid



Umbrella



Win.Ransomware.Gandcrab-7012204-0

Indicators of Compromise

Registry KeysOccurrences
<HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\AUTHROOT\CERTIFICATES\DAC9024F54D8F6DF94935FB1732638CA6AD77C13
Value Name: Blob		15
<HKCU>\SOFTWARE\keys_data\data 10
<HKCU>\SOFTWARE\keys_data 10
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\TASKBAND
Value Name: FavoritesChanges		9
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\TASKBAND
Value Name: FavoritesVersion		9
<HKCU>\Software\EncryptKeys 9
<HKCU>\SOFTWARE\ENCRYPTKEYS
Value Name: local_enc_private_key_len		9
<HKCU>\SOFTWARE\ENCRYPTKEYS
Value Name: local_public_key_len		9
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\TASKBAND
Value Name: FavoritesResolve		9
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\TASKBAND
Value Name: Favorites		9
<HKLM>\SOFTWARE\Wow6432Node\ex_data\data 5
<HKLM>\SOFTWARE\Wow6432Node\keys_data\data 5
MutexesOccurrences
Global\8B5BAAB9E36E4507C5F5.lock15
BleepingComputer_no_more_ransom9
Global\XlAKFoxSKGOfSGOoSFOOFNOLPE5
Global\syncronize_9WATTOA1
Global\syncronize_9WATTOU1
IP Addresses contacted by malware. Does not indicate maliciousnessOccurrences
213[.]186[.]33[.]515
185[.]135[.]88[.]10513
23[.]236[.]62[.]14713
217[.]70[.]184[.]5013
66[.]96[.]147[.]10313
149[.]56[.]154[.]14113
199[.]188[.]201[.]21813
47[.]75[.]206[.]14813
45[.]118[.]145[.]9613
69[.]163[.]193[.]12713
23[.]100[.]15[.]18013
142[.]93[.]6[.]24913
62[.]210[.]24[.]11613
104[.]31[.]75[.]22710
104[.]27[.]162[.]2419
104[.]28[.]31[.]1608
104[.]24[.]103[.]1537
45[.]33[.]91[.]796
104[.]24[.]102[.]1536
194[.]154[.]192[.]676
186[.]202[.]153[.]956
217[.]160[.]0[.]275
209[.]182[.]208[.]2455
94[.]73[.]148[.]185
213[.]186[.]33[.]35
*See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousnessOccurrences
www[.]cyclevegas[.]com13
img[.]maokeyang[.]cn13
himmerlandgolfogsparesort[.]dk13
www[.]casegranmoun[.]com13
acbt[.]fr5
www[.]billerimpex[.]com5
asl-company[.]ru5
www[.]macartegrise[.]eu5
oceanlinen[.]com5
nesten[.]dk5
perovaphoto[.]ru5
koloritplus[.]ru5
pp-panda74[.]ru5
dna-cp[.]com5
boatshowradio[.]com5
www[.]mimid[.]cz5
tommarmores[.]com[.]br5
cevent[.]net5
poketeg[.]com5
alem[.]be5
h5s[.]vn5
wpakademi[.]com5
www[.]fabbfoundation[.]gm5
6chen[.]cn5
zaeba[.]co[.]uk5
*See JSON for more IOCs
Files and or directories createdOccurrences
%APPDATA%\Microsoft\Templates\LiveContent\Managed\SmartArt Graphics\1033\TM02660319[[fn=Tab List]].glox23
%HOMEPATH%20
%HOMEPATH%\ntuser.ini15
%HOMEPATH%\98b689da98b68e3d7f.lock14
%HOMEPATH%\AppData\98b689da98b68e3d7f.lock14
%APPDATA%\98b689da98b68e3d7f.lock14
%APPDATA%\Media Center Programs\98b689da98b68e3d7f.lock14
%APPDATA%\Microsoft\98b689da98b68e3d7f.lock14
%APPDATA%\Microsoft\Internet Explorer\98b689da98b68e3d7f.lock14
%APPDATA%\Microsoft\Internet Explorer\Quick Launch\98b689da98b68e3d7f.lock14
%HOMEPATH%\Cookies\98b689da98b68e3d7f.lock14
%HOMEPATH%\Desktop\98b689da98b68e3d7f.lock14
%HOMEPATH%\Documents\98b689da98b68e3d7f.lock14
%HOMEPATH%\Documents\My Music\98b689da98b68e3d7f.lock14
%HOMEPATH%\Documents\My Pictures\98b689da98b68e3d7f.lock14
%HOMEPATH%\Documents\My Videos\98b689da98b68e3d7f.lock14
%HOMEPATH%\Downloads\98b689da98b68e3d7f.lock14
%HOMEPATH%\Favorites\98b689da98b68e3d7f.lock14
%HOMEPATH%\Links\98b689da98b68e3d7f.lock14
%HOMEPATH%\Music\98b689da98b68e3d7f.lock14
%HOMEPATH%\My Documents\98b689da98b68e3d7f.lock14
%HOMEPATH%\NetHood\98b689da98b68e3d7f.lock14
%HOMEPATH%\Pictures\98b689da98b68e3d7f.lock14
%HOMEPATH%\PrintHood\98b689da98b68e3d7f.lock14
%HOMEPATH%\Recent\98b689da98b68e3d7f.lock14
*See JSON for more IOCs

File Hashes

0341bda36f866ba3f1577ff22863cc98f3db2eb576f9ddba0efd72226362fc43 0420cacdcaf5e4dea7eacab7a960a18bc6037a88b87c1965636e70a1c3227721 11f5d5328ee2f9cef980dcfbb30621c0310eda7a6d7827c5781b32dd0d15ec22 3cb3e5d46cfbd6e6f7e1cb2398df4ff36d615657e9156bd5381564e283ce58a8 4229d9cbca43732abbe849cf9b41cb92e62702a9716a36040a51ae4ae53b4035 4844c20d9a7b7f968d0dc2a2155abb371b53098f17c14d02eca4c3e318532d59 4ce34bd577092109a075a1889b0a7de35348d6e1c5055e8fed4c78f1deed3ffe 4eb064297e7f7c2353d9a6838527168e38765163f252277049fa55eab0adc8d7 567c39590d4590c201b42384e0188ce2e621613444da676c5a4a5010fd27e4a8 5c9db3e49d5f7633752a11bf74e9d11140ddfab0957bbdabd6c55eadaa9b87f9 68ae6904af508a6fdd6cb66f8db5ddb8fc1d3da7c97241ffe31a818fa0e8ed72 720b56fd906ba499f031c7747f630fec03bec5c0bcd4a48751783550fb089df5 7662ed6be2dda454c3660d65db1a0c4d67af16a563a0c128bcf6d8a498526c7a 87b9a389d2797a074483d4147805e82f225702363afe8d1f95416cdc6dc77678 8c099167fbe1897dc8390979486353371194c2cfcb8095b6542f13670c75cab4 9c0e9a4eadea6cab1ec7faf191e77e77b91e709d8222b5c2a1d30059d026f266 a0c0eab3ce2d8be0e79d2f45b106095912f28f3f55e179cb376d7c71323146f6 a159c38828b48df7f02089b7e69e18e154054c45aa056cb9a6cefe47cd1dda47 b00ff6be8bc64d83f2d33042b9bc17110e03acc140dc3a26aa777767f210bd1e b423e1d48c0278c2844858deff96748e9d28e8fb076990a57de6b85d8beacb03 bb187240ab8850d6b731921ab5d3ae0caeb5015ac5986af51af789ea75a3ef71 c6b096d8100033e510406c7d3f5ae5e16c8d3fb976509dacbc435c0bd0e3a118 c992d5faf5fc1cbafaf5e40e3fcfc0daad218bda2768b3640a97ed5185f91627 d88411b37cb58467d6f6050675757d8ec5cb7dfa1bbb9804f898010d4611eac6 ddee26d282c0eac34452e28c3295638fc9c887ee8f5750913f7de255b929b493
*See JSON for more IOCs

Coverage

ProductProtection
AmpThis has coverage
Cloudlock N/A
CwsThis has coverage
Email SecurityThis has coverage
Network SecurityThis has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat GridThis has coverage
UmbrellaThis has coverage
WsaThis has coverage

Screenshots of Detection

AMP


ThreatGrid



Umbrella

Win.Packed.Xcnfe-7012508-0

Indicators of Compromise

Registry KeysOccurrences
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: trkcore		25
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM
Value Name: DisableTaskMgr		25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{C8E6F269-B90A-4053-A3BE-499AFCEC98C4}.CHECK.0
Value Name: CheckSetting		25
MutexesOccurrences
47DjnezoRe2
IXK1mBzkeB2
RkTC1Yz5Uz2
TmvHGtjMMV2
gTBa3BMJg62
mssh1fu7QG2
pyG6EAoW3D2
rPy4lSuqRA2
ii60Bmwus71
vKukwxgBam1
CUDKUvauMV1
KCeMGJgXYT1
SFxcCQUOXu1
SUC2X0PwVg1
X3ENRc03mQ1
YWuTH3ehY01
nVz9jsXjUw1
oFYy6Mcbck1
0CNHUsuQfc1
2rTNQbESAE1
PbFIJDskBy1
R5aLQD5OQO1
rrQXp0Shel1
9ykplVD3nO1
sKcAQgjpGg1
*See JSON for more IOCs
IP Addresses contacted by malware. Does not indicate maliciousnessOccurrences
172[.]217[.]12[.]14225
104[.]20[.]209[.]2113
104[.]20[.]208[.]2112
Domain Names contacted by malware. Does not indicate maliciousnessOccurrences
pastebin[.]com25
www[.]fvtbhlnxj0[.]com2
www[.]fynzp0oht8[.]com2
www[.]in4lprxgui[.]com2
www[.]ct1wlbyjzx[.]com2
www[.]uttn4zziks[.]com2
www[.]lrv8bvrmhq[.]com2
www[.]rm1cbe2kvb[.]com2
www[.]tcp1twzitf[.]com2
www[.]gzw0bfzxhb[.]com1
www[.]glixbn9lnj[.]com1
www[.]coxymk80cd[.]com1
www[.]exgk5nzv7m[.]com1
www[.]c62yc6xsm1[.]com1
www[.]hludxizrvf[.]com1
www[.]huga7gshpk[.]com1
www[.]rjhw2tvcvh[.]com1
www[.]5twtwy19pp[.]com1
www[.]fwn4l9u2gb[.]com1
www[.]xpqvri1vhh[.]com1
www[.]seqamoa4jp[.]com1
www[.]b7qxyidhg5[.]com1
www[.]porsukgrlq[.]com1
www[.]lqdu4kraxu[.]com1
www[.]t0uetiplqk[.]com1
*See JSON for more IOCs

File Hashes

071530d5d5e7021d1138953c314be94b1808f172e46e2e6e2b28d97ffbf2c0b1 178f3b0fc03659a616e12f423e870ab1aab778b44bd82cbc06e2c485f04bf8c3 1d987ccce04b8ba41261670691d44983a11ec2518098b312be88cb71beffa897 381a0476632ef5d0ebccd2ab242efc6a83a2e4834f2cb1fa3fa67f8fb4c09972 39c3b3c78175e68a946f81d3f5e5b2e4e45d2575387e0ab49324832fe1f47452 45103c6e8ccfda4b3f15ce4b2f3ecfdd44e1d335206f75b9a43665d35f0da2ee 486e2ea46a4e4d0e0392cb35c2e81ec465a0f89908f67a029c67c31a6178c20b 4c148b99dedd40de86d9fa90aeffae2615d465cef96547e32e2f76719f85cb26 6becb03594eaa1591c61343ba50e39df29ae01499aae44edf98a403970b0c8ac 73508f028e327bb43f8881d00a1067b5566e62b83ea5f98167a4a1947c24805a 7b89b754f7a6874a3273eedae6002a97d6ad2fab6be330207454f1ab403d38cc 8110313cc103989b2cf33894381e8715214e9003cde31d6fdf1bc8c5b49a4e89 82f1226d731f6f3c27911079d760b544b88da1e8eb5f61f4071d1d50aff37702 9915365d2bea4cd179b535b6591443ed07206dcdeb76f07dcfb9a0858e53be5b a1e834564e9e46ee8ee26b853b4341de9909840cb82357e5ceca6cceb5346733 a5922d0eb96861fa4d6354ea66b4cb3adca32c2767de523becd1f27c7fc3cd22 b17f763211175ee8f0cbe6aec43037fb299122dcd57367b7723dd27522934365 b7c692bea525a7f6fbde41f5f85212ca38495b23795efe801246ce061ae0d6d6 bf920f2cde720bd50bab18f19b4a55ec397461dcb184e46b51884294030311a9 c80454dfd900f67cb0e22b653c5dd0b3b45cb5ac2bdf8c47c45e3ba82fb36e79 c92b1407e77bcfeb097fbe7e03c22d5adad5e437522c2bcecaa3005973817d45 dd07a463b6a9f7405660ce8ae71307e044ec17a17d9dd06cbd456cf716d51a11 f745b8cf0c6e0c86f647613e3ee3557f471bf5f4ab5b7b37565881d6d1b83838 faee0cb6a7535b30312dfb855a1c59a24dc533564ff1aa5405f351a4748b6464 fdca740263e4d6dd9d71bacb869b3792010c9e427216e54c72edfc9acfe584d7

Coverage

ProductProtection
AmpThis has coverage
Cloudlock N/A
CwsThis has coverage
Email SecurityThis has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat GridThis has coverage
Umbrella N/A
Wsa N/A

Screenshots of Detection

AMP



ThreatGrid



Win.Packed.Kuluoz-7051229-0

Indicators of Compromise

MutexesOccurrences
2GVWNQJz126
IP Addresses contacted by malware. Does not indicate maliciousnessOccurrences
178[.]63[.]193[.]6017
74[.]208[.]246[.]25016
37[.]26[.]108[.]4114
133[.]242[.]134[.]7614
62[.]75[.]143[.]21113
78[.]47[.]145[.]7213
77[.]72[.]26[.]978
Files and or directories createdOccurrences
%LOCALAPPDATA%\hcxlrall.exe2
%LOCALAPPDATA%\nxeeoucb.exe2
%HOMEPATH%\Local Settings\Application Data\rbgruqii.exe2
%HOMEPATH%\Local Settings\Application Data\leqahubc.exe1
%HOMEPATH%\Local Settings\Application Data\kwoisujq.exe1
%HOMEPATH%\Local Settings\Application Data\qoqjntog.exe1
%HOMEPATH%\Local Settings\Application Data\pegwmgts.exe1
%HOMEPATH%\Local Settings\Application Data\oubnlaau.exe1
%LOCALAPPDATA%\bufneahr.exe1
%LOCALAPPDATA%\ixhcodud.exe1
%LOCALAPPDATA%\esnbtcpu.exe1
%LOCALAPPDATA%\qphrcdrs.exe1
%LOCALAPPDATA%\gamnsluq.exe1
%LOCALAPPDATA%\qakojkqh.exe1
%LOCALAPPDATA%\tachgniq.exe1
%LOCALAPPDATA%\wcsmjqql.exe1
%LOCALAPPDATA%\akkqeuve.exe1
%LOCALAPPDATA%\huhqpcvi.exe1
%LOCALAPPDATA%\bxqfccqi.exe1
%LOCALAPPDATA%\jbsxvqlw.exe1
%LOCALAPPDATA%\gjqfijgu.exe1
%LOCALAPPDATA%\qxvxkxtb.exe1
%LOCALAPPDATA%\nsahkntd.exe1
%LOCALAPPDATA%\ptlqijon.exe1
%LOCALAPPDATA%\saxrgecs.exe1
*See JSON for more IOCs

File Hashes

00722db9477ac36de1c2862fc9f35cafc7a01347110d29102dce98cdf72155bc 012ab737e3a2128c76e48db7bef2768bdd57778e4af397ec133c6079c42411c5 012c77f8b7c99a1d27823d452e130abc5cac6f000adf05d56c7f2ae47a9d72bf 0146c339fb7ec7f1284c123da8e8a4d4faf8c52301949b1da482696a054c87d1 01afc54230a064be47e8948f41b699a33ed1fef92eada1fbab8cde2ab0655d03 02494b4c16f22b6d4f92ce1eef08a661cea52f673c7eb0289579290d46717898 03c783b4a26b0d890a71bdf0a643bdb96de4818898177a4716333b435ca1cd28 04a85f4471adefcba2b10c0e32a2fe12ff81b804205730f3cc21f3db4bc49b7c 04b02fc83ba2785e3216acccb81490bb1db3807bc2a2a255a193313ed90717fd 04f45879c4e79a6bea82e39aea468d8e1f8e55f13c8dbde1e4855141b19b26e6 0522ba3cf1a33345ee6bffade7ff3f73d8d3d018994f08e1a9d36df93efa9299 06370b03ef47ca5e5547d750f49034fbeb3782c201e36921c2577f074123ccb8 069df491cffe2a3fe59b8e85dce0e6520b61c2a8d9fd164277ee0f9a254354d0 06bc29e3a3c0cdc268fca231cb64458228d9d11b5f72cb6416321c986832aaf8 07067626f964e49a6efde18624deed513c1a53f5ac096e2bc422fdf23d70dedf 0763b04d0acac49c55a7fec6f47169e7567ccd9c0ed9264ddadd848bb08b7b65 08f908d9480fc99e75ba466f9fa113495db64e6decf5d26ced63a24a9c240caa 091fabce8131379f261ab41ade48b8b5ffb939f66e0219cc5083c85346d99661 0a579fd78803ea10efd73e5e1a36986f5a4f1caba4fecb0774d918ba578818de 0ae4096d1264141e9714700691f6fcad18b1ccac36f73d9e580a652b6b9e2743 0b7adc1b0cfd8e7b0b24f98a7ff788ef6ce9f361f09b286bee4d99ec5bd2c0ac 0c042729532173d9c64ab369c0710861299ed553b201c218a1453c52d967032c 0e0e274ce9e54e585f9ac7d096f3092f152f090fb5f5273d6086270f2b8da40d 0eacc634900f97e7c7b7e421db1f38c40e869dc86e79c0f490b71572510e6085 0ef4c5d715006cba42eb775a72e285c59c7ccf64082dcc85e3ed2843b1fc1be7
*See JSON for more IOCs

Coverage

ProductProtection
AmpThis has coverage
Cloudlock N/A
CwsThis has coverage
Email SecurityThis has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat GridThis has coverage
Umbrella N/A
Wsa N/A

Screenshots of Detection

AMP



ThreatGrid



Win.Ransomware.Cerber-7052005-0

Indicators of Compromise

Registry KeysOccurrences
<HKCU>\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer 18
<HKCU>\Printers\Defaults\{21A3D5EE-E123-244A-98A1-8E36C26EFF6D} 18
<HKCU>\PRINTERS\Defaults 18
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER
Value Name: Run		18
<HKCU>\SOFTWARE\MICROSOFT\COMMAND PROCESSOR
Value Name: AutoRun		18
<HKCU>\CONTROL PANEL\DESKTOP
Value Name: SCRNSAVE.EXE		18
<HKCU>\PRINTERS\DEFAULTS\{21A3D5EE-E123-244A-98A1-8E36C26EFF6D}
Value Name: Installed		12
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER
Value Name: CleanShutdown		7
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\MOUNTPOINTS2\CPC\VOLUME\{509D0DCA-5840-11E6-A51E-806E6F6E6963}
Value Name: Generation		7
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\MOUNTPOINTS2\CPC\VOLUME\{6DD1DC5F-5840-11E6-B80E-00501E3AE7B5}
Value Name: Data		7
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\MOUNTPOINTS2\CPC\VOLUME\{6DD1DC5F-5840-11E6-B80E-00501E3AE7B5}
Value Name: Generation		7
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\MOUNTPOINTS2\CPC\VOLUME\{3F37BA63-EF5C-11E4-BB8D-806E6F6E6963}
Value Name: Data		7
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\MOUNTPOINTS2\CPC\VOLUME\{3F37BA63-EF5C-11E4-BB8D-806E6F6E6963}
Value Name: Generation		7
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\MOUNTPOINTS2\CPC\VOLUME\{3F37BA64-EF5C-11E4-BB8D-806E6F6E6963}
Value Name: Data		7
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\MOUNTPOINTS2\CPC\VOLUME\{3F37BA64-EF5C-11E4-BB8D-806E6F6E6963}
Value Name: Generation		7
<HKLM>\SYSTEM\CONTROLSET001\ENUM\PCIIDE\IDECHANNEL\4&A27250A&0&2
Value Name: CustomPropertyHwIdKey		7
<HKLM>\SYSTEM\CONTROLSET001\ENUM\USB\VID_46F4&PID_0001\1-0000:00:1D.7-2
Value Name: CustomPropertyHwIdKey		7
<HKLM>\SYSTEM\CONTROLSET001\ENUM\PCI\VEN_1AF4&DEV_1001&SUBSYS_00021AF4&REV_00\3&2411E6FE&2&18
Value Name: CustomPropertyHwIdKey		7
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: winrs		2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: rasautou		1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: rasautou		1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: getmac		1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: getmac		1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Utilman		1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: Utilman		1
MutexesOccurrences
shell.{381828AA-8B28-3374-1B67-35680555C5EF}18
\BaseNamedObjects\shell.{573F0F01-C284-E3E4-B166-E3C39544ED56}17
cversions.1.m12
GeneratingSchemaGlobalMapping12
cversions.2.m12
Local\ExplorerIsShellMutex8
1
IP Addresses contacted by malware. Does not indicate maliciousnessOccurrences
31[.]184[.]235[.]22418
31[.]184[.]234[.]12818
31[.]184[.]234[.]018
31[.]184[.]235[.]25218
31[.]184[.]235[.]25418
31[.]184[.]235[.]24818
31[.]184[.]235[.]12818
31[.]184[.]234[.]22418
31[.]184[.]234[.]19218
31[.]184[.]235[.]19218
31[.]184[.]234[.]25218
31[.]184[.]234[.]25418
31[.]184[.]234[.]24818
31[.]184[.]235[.]018
31[.]184[.]235[.]24018
31[.]184[.]234[.]24018
216[.]239[.]32[.]218
216[.]239[.]34[.]217
216[.]239[.]38[.]217
216[.]239[.]36[.]217
104[.]26[.]15[.]736
147[.]135[.]15[.]1865
104[.]26[.]14[.]735
185[.]100[.]85[.]1501
54[.]84[.]252[.]1391
Domain Names contacted by malware. Does not indicate maliciousnessOccurrences
ipinfo[.]io18
en[.]wikipedia[.]org8
www[.]collectionscanada[.]ca8
alpha3[.]suffolk[.]lib[.]ny[.]us8
www[.]archives[.]gov8
www[.]vitalrec[.]com8
www[.]cdc[.]gov8
freegeoip[.]net6
ip-api[.]com5
52uo5k3t73ypjije[.]hlu8yz[.]top2
52uo5k3t73ypjije[.]xmfru5[.]top2
onion[.]to1
cerberhhyed5frqa[.]onion[.]to1
52uo5k3t73ypjije[.]zclw5i[.]top1
52uo5k3t73ypjije[.]ujtwhg[.]top1
52uo5k3t73ypjije[.]ka0te8[.]top1
52uo5k3t73ypjije[.]j92msu[.]top1
52uo5k3t73ypjije[.]nameuser[.]site1
52uo5k3t73ypjije[.]b7mciu[.]top1
52uo5k3t73ypjije[.]marksgain[.]kim1
52uo5k3t73ypjije[.]moonsides[.]faith1
52uo5k3t73ypjije[.]bigfooters[.]loan1
52uo5k3t73ypjije[.]poplenjohs[.]review1
Files and or directories createdOccurrences
%APPDATA%\Adobe\Acrobat\9.0\# DECRYPT MY FILES #.html17
%APPDATA%\Adobe\Acrobat\9.0\# DECRYPT MY FILES #.txt17
%APPDATA%\Adobe\Acrobat\9.0\# DECRYPT MY FILES #.url17
%APPDATA%\Adobe\Acrobat\9.0\# DECRYPT MY FILES #.vbs17
%APPDATA%\Adobe\Acrobat\9.0\JavaScripts\# DECRYPT MY FILES #.url17
%APPDATA%\Microsoft\Office\Recent\# DECRYPT MY FILES #.html17
%APPDATA%\Microsoft\Office\Recent\# DECRYPT MY FILES #.txt17
%APPDATA%\Microsoft\Office\Recent\# DECRYPT MY FILES #.url17
%APPDATA%\Microsoft\Office\Recent\# DECRYPT MY FILES #.vbs17
\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.html17
\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.txt17
\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.url17
\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.vbs17
\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.html17
\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.txt17
\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.url17
\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.vbs17
\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.html17
\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.txt17
\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.url17
\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.vbs17
\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.html17
\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.txt17
\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.vbs17
\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.html17
*See JSON for more IOCs

File Hashes

209658cf26f8038c101648b334666a1cbd99ba42a080a43876e8029213fd405b 274afa596526d108c10f535087a70a4fa67b6f1fd104d21e3c8674af03f7adfe 39c03cb39ccac093652c84050ce94ee6369a61bc8a1ca6a29da77e29085b2911 5a7a2465a741812bb9f5f6d203600e190db972f3e04dba331af035ccb27c61fb 70ee34b58fdfb524314767a6054328bd22fe04b57d6ac91e4509ec4ca11255ea 7fe89fee44b718691ba4af29f533b375ad78bdee6660a89071f80f8b12c58295 84237ea2516de3f238fbcc495a5c50b3c2ef72001b0afc14d0939a984d1dbf22 934861f1991b586ea681132cf93cc5a3d0892158ffa310ac55691c996e6bec19 9bf0aa931cd9e7faf11a6b17ead1493b98dae3155d948eb648d2b797e301a2cc ad93c9f4410bb99238320518457308695053b36d9034ba6a3720a9294b6b4c4f b52f586b1d185c332aa2c8ec7e196747b817344e508896bb24996c607cbd4581 b8148a65912385e4ce63f6ea7bb78b30479dddbc84d2bd6cbe9fa1a3425c27a3 d41538fe9d4c4edb975df9af8850749b9db89cd470139b0a58ff8d68e5b6240f eaf534a49e96dcbd62b64e4ca52c2aa087f554eec76d40760393841f4440f451 ec3b5abf71ccbe9986bf6033ab48cb2f616519825047dbdf7668f7fea8bcebeb eefe9124619775ab69b2cd620988245f928a8bb9c988298b9340f82cdf0187a7 f65d7ea6666e7aa4d3bac195a0493c4b736c995d36118915a1d10567a2b31b3f f8c55ef8913ff76ec97e8d226fdbe88c82a2ccaab4662fd6859585f3db946d6d

Coverage

ProductProtection
AmpThis has coverage
Cloudlock N/A
CwsThis has coverage
Email SecurityThis has coverage
Network SecurityThis has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat GridThis has coverage
UmbrellaThis has coverage
WsaThis has coverage

Screenshots of Detection

AMP



ThreatGrid


Umbrella



Exploit Prevention

Cisco AMP for Endpoints protects users from a variety of malware functions with exploit prevention. Exploit prevention helps users defend endpoints from memory attacks commonly used by obfuscated malware and exploits. These exploits use certain features to bypass typical anti-virus software, but were blocked by AMP thanks to its advanced scanning capabilities, even protecting against zero-day vulnerabilities.
Madshi injection detected - (1969)
Madshi is a code injection framework that uses process injection to start a new thread if other methods to start a thread within a process fail. This framework is used by a number of security solutions. It is also possible for malware to use this technique.
Kovter injection detected - (1195)
A process was injected into, most likely by an existing Kovter infection. Kovter is a click fraud Trojan that can also act as an information stealer. Kovter is also file-less malware meaning the malicious DLL is stored inside Windows registry and injected directly into memory using PowerShell. It can detect and report the usage of monitoring software such as wireshark and sandboxes to its C2. It spreads through malicious advertising and spam campaigns.
Process hollowing detected - (792)
Process hollowing is a technique used by some programs to avoid static analysis. In typical usage, a process is started and its obfuscated or encrypted contents are unpacked into memory. The parent then manually sets up the first stages of launching a child process, but before launching it, the memory is cleared and filled in with the memory from the parent instead.
Trickbot malware detected - (714)
Trickbot is a banking Trojan which appeared in late 2016. Due to the similarities between Trickbot and Dyre, it is suspected some of the individuals responsible for Dyre are now responsible for Trickbot. Trickbot has been rapidly evolving over the months since it has appeared. However, Trickbot is still missing some of the capabilities Dyre possessed. Its current modules include DLL injection, system information gathering, and email searching.
Dealply adware detected - (468)
DealPly is adware, which claims to improve your online shopping experience. It is often bundled into other legitimate installers and is difficult to uninstall. It creates pop-up advertisements and injects advertisements on webpages. Adware has also been known to download and install malware.
Gamarue malware detected - (125)
Gamarue is a family of malware that can download files and steal information from an infected system. Worm variants of the Gamarue family may spread by infecting USB drives or portable hard disks that have been plugged into a compromised system.
Atom Bombing code injection technique detected - (61)
A process created a suspicious Atom, which is indicative of a known process injection technique called Atom Bombing. Atoms are Windows identifiers that associate a string with a 16-bit integer. These Atoms are accessible across processes when placed in the global Atom table. Malware exploits this by placing shell code as a global Atom, then accessing it through an Asynchronous Process Call (APC). A target process runs the APC function, which loads and runs the shellcode. The malware family Dridex is known to use Atom Bombing, but other threats may leverage it as well.
PowerShell file-less infection detected - (42)
A PowerShell command was stored in an environment variable and run. The environment variable is commonly set by a previously run script and is used as a means of evasion. This behavior is a known tactic of the Kovter and Poweliks malware families.
Installcore adware detected - (38)
Install core is an installer which bundles legitimate applications with offers for additional third-party applications that may be unwanted. The unwanted applications are often adware that display advertising in the form of popups or by injecting into browsers and adding or altering advertisements on webpages. Adware is known to sometimes download and install malware.
Excessively long PowerShell command detected - (37)
A PowerShell command with a very long command line argument that may indicate an obfuscated script has been detected. PowerShell is an extensible Windows scripting language present on all versions of Windows. Malware authors use PowerShell in an attempt to evade security software or other monitoring that is not tuned to detect PowerShell based threats.
Search
Viewing all articles
Browse latest Browse all 2041

Trending Articles

Scuffham Amps - S-GEAR 2.6.0 VST, AAX, STANDALONE x86 x64 (R2R NO iLok2, +NO...

November 19, 2017, 7:24 am

Practice Sheet of Right form of verbs for HSC Students

September 22, 2019, 11:40 pm

VHSE First (1st) Allotment 2025 - vhscap.kerala.gov.in

May 24, 2025, 11:58 pm

UNIVERSE LEAGUE – UNIVERSE LEAGUE – WAR (We Are Ready) – EP [iTunes Plus M4A]

January 26, 2025, 11:12 am

City Hunter Teledrama – Episode 18 – 07th May 2016

May 6, 2016, 2:05 pm

Comment on Proposed Criteria for Identifying Predatory Conferences by Luke...

July 4, 2016, 3:53 am

Bureau of Internal Revenue: Regional Offices (Directory)

January 9, 2014, 11:06 pm

Kendrick Lamar – Not Like Us (2024) [24Bit-88.2kHz] [PMEDIA] ⭐️

May 14, 2024, 7:14 pm

Inception 2010 Hindi Dual Audio 650MB BRRip 720p ESubs HEVC

December 27, 2016, 4:23 pm

East Hull MD admits sexual assaults after another victim comes forward

January 14, 2013, 12:20 am

Download: FK ft Shenky – Nakuyewa ”Prod by: Shenky”

February 16, 2017, 4:24 pm

R. v. Sargeant, 2023 ONSC 6406 (CanLII)

November 13, 2023, 9:00 pm

Rajasthan Board 10th Result 2016 Roll No wise & Name Wise

August 20, 2016, 5:13 pm

Who’s been sentenced at Northampton Magistrates’ Court

March 30, 2019, 10:00 pm

मतलबी दोस्त स्टेट्स | Matlabi Dost Status in Hindi – Selfish Friends Status

February 13, 2020, 3:12 am

Family cries out as traditional ruler allegedly abducts brother, extorts N2.5m

September 15, 2024, 1:15 am

Long-Running Conflict In Springfield (MA) Gangland Sphere Has Manzi Family &...

December 26, 2017, 3:59 pm

Wondershare Filmora X v10.1.20.16 x64

February 8, 2021, 5:34 am

Man arrested after fracas in flat

January 16, 2017, 10:10 pm

Man charged in ongoing Sexual Assault Investigation Derek Nyilas, 46, Faces...

May 27, 2019, 8:00 am
Search
<script src="https://jsc.adskeeper.com/r/s/rssing.com.1596347.js" async> </script>