Threat Roundup for February 21 to February 28

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Feb. 21 and Feb. 28. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found herethat includes the complete list of file hashes, as well as all other IOCs from this post. As always, please remember that all IOCs contained in this document are indicators, and one single IOC does not indicate maliciousness.
The most prevalent threats highlighted in this roundup are:

Threat Name	Type	Description
Doc.Malware.Valyria-7595017-0	Malware	Valyria is a malicious Microsoft Word document family that is used to distribute other malware, such as Emotet.
Doc.Downloader.Emotet-7593277-0	Downloader	Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a wide variety of payloads. It is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails.
Win.Dropper.Bifrost-7593600-0	Dropper	Bifrost is a backdoor with more than 10 variants. Bifrost uses the typical server, server builder, and client backdoor program configuration to allow a remote attacker, who uses the client, to execute arbitrary code on the compromised machine. Bifrost contains standard RAT features including a file manager, screen capture utility, keylogging, video recording, microphone and camera monitoring, and a process manager. Bifrost uses a mutex that may be named "Bif1234," or "Tr0gBot" to obtain persistence.
Win.Dropper.XtremeRAT-7594794-0	Dropper	XtremeRAT is a remote access trojan active since 2010 that allows the attacker to eavesdrop on users and modify the running system. The source code for XtremeRAT, written in Delphi, was leaked online and has since been used by similar RATs.
Win.Dropper.Upatre-7594799-0	Dropper	Upatre is a malicious downloader often used by exploit kits and phishing campaigns. Upatre downloads and executes malicious executables, such as banking malware.
Win.Dropper.NetWire-7597088-0	Dropper	NetWire is a remote access trojan (RAT) that allows attackers to execute commands on the infected host, log keystrokes, interact with a webcam, remote desktop, and read data from connected USB devices. NetWire is commonly delivered through Microsoft Office documents with macros, sent as attachments on malicious emails.
Win.Packed.njRAT-7595003-1	Packed	njRAT, also known as Bladabindi, is a remote access trojan (RAT) that allows attackers to execute commands on the infected host, log keystrokes and remotely turn on the victim's webcam and microphone. njRAT was developed by the Sparclyheason group. Some of the largest attacks using this malware date back to 2014.
Win.Packed.Zbot-7595026-0	Packed	Zbot, also known as Zeus, is a trojan that steals information, such as banking credentials, using methods such as key-logging and form-grabbing.
Win.Virus.Ramnit-7597892-0	Virus	Ramnit is a banking trojan that monitors web browser activity on an infected machine and collects login information from financial websites. It also has the ability to steal browser cookies and attempts to hide from popular antivirus software.

Threat Breakdown

Doc.Malware.Valyria-7595017-0

Indicators of Compromise

IOCs collected from dynamic analysis of 30 samples

IP Addresses contacted by malware. Does not indicate maliciousness	Occurrences
`169[.]254[.]255[.]255`	3

Domain Names contacted by malware. Does not indicate maliciousness	Occurrences
`footarepu[.]top`	11
`zofelaseo[.]top`	10
`folueaport[.]top`	6
`vvorootad[.]top`	2
`dosehoop[.]top`	1

Files and or directories created	Occurrences
`%HOMEPATH%\AppData\Roaming.eXE`	30

File Hashes

             014b3b9e320110980c62166a08832fda7b2bd8a6b095ee18ea8bfe4372caa690              02909271cfee6ff35f7c9da9ed2354f589247809f4119b46b237c4ba45f02db5              02ac3145ddddff7fd3e75985cbb8bbe9f094ce01b973d4a12870d009df968be2              04476696529134b2926b26c0427fb471084227fbaf0104d6e480379f9990bb5b              071e792d60441d74fc28cc37ec9237a4174242ee4611fb0aaab3356fb3829331              074afa99c7845566231749b727db862f16924cf84a03a9bad5f8146c13e02947              078848b174d490b613545f8fbc98ad18543c426916451bfc7aee51fdc2b979c1              09f7f3c299beb9be5a5f223b6398b867433dd5171045b37dc8be815421e35119              0a2bdecf39d98dba8eeafad36252d9ae0164032bdc404a8f8da8f27623657fc9              0e2c6cbee4f20e09c92d2c8534dadd1665eb58f8f5a662ea63a9d9556c5a3bf7              1033538e6ac46ade3da7b644f3e1d07b5a89dc40f7f58cf6a501e885813fc0f7              11b707b076bb829d8e86b775e1f005e6bbab3e9dc3efd223a34e46e53ed2f747              13cf6351dee9bf68beeefa1aa8c003f6bc689303dd19e1e4c8e9dc88d39b82e7              148173cc7590e62277ad64cf59fea93a556bd0bd578bee8de3628aadcc93176c              14c490ab9716eac9edbcdf2d9f49f10ac1d431f47ef26f76c37611c5437b91d8              15ca3df33525ce91e6920ed4621c5deaee74a86b9299123e844d0832a885aa8b              18767f3890df85eb67b775c4fc37d39116f5e7c59222d430820d9d270508941e              189abb02afe2a834dfeba5613b2d2f3cefd8143237301be1b8f49d9ed72de130              18f431c306631e11bdbeb7d45668e12ec9e9a1fc2faf0d8202a5e5d78b621bd7              1ac3723f78e87ce505114e1204d40da4af14f6470779dc58f3662dc7a1cec046              1b882e4bf3c0c2b7c7ee7d98ad28a72c94684f0bf70acc34ca3fafcb517bd021              1da8654cfcc0a2c57d35cb8e9ca50034ea26a4e2a7ede9ba02244c4c030a69e7              1f567c2e7f5e0e0143259ce8daf14c07d29f6d6d71f227a62bc4c8861f406d63              202ed2316d5ecbd3670cefcd64c0fd49a577e77d3a61290a78a8450bb7c627e8              20f92cd40972708128a8e3b31441218de329e59c4858eb3419100c8a6a4de7e3

*See JSON for more IOCs

Coverage

Product	Protection
AMP
Cloudlock	N/A
CWS
Email Security
Network Security
Stealthwatch	N/A
Stealthwatch Cloud	N/A
Threat Grid
Umbrella
WSA

Screenshots of Detection

AMP

ThreatGrid

Umbrella

Doc.Downloader.Emotet-7593277-0

Indicators of Compromise

IOCs collected from dynamic analysis of 25 samples

Registry Keys	Occurrences
`<HKCU>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\33E4E80807204C2B6182A3A14B591ACD25B5F0DB`	25

IP Addresses contacted by malware. Does not indicate maliciousness	Occurrences
`91[.]199[.]212[.]52`	25
`88[.]198[.]60[.]25`	25
`160[.]153[.]137[.]40`	25
`27[.]254[.]81[.]87`	25
`45[.]119[.]83[.]237`	25
`165[.]22[.]221[.]121`	25
`216[.]218[.]206[.]69`	1

Domain Names contacted by malware. Does not indicate maliciousness	Occurrences
`api[.]w[.]org`	25
`crt[.]sectigo[.]com`	25
`secureservercdn[.]net`	25
`pieceofpassion[.]com`	25
`raisabook[.]com`	25
`www[.]marketfxelite[.]com`	25
`biswalfoodcircle[.]com`	25
`tananfood[.]com`	25
`www[.]pieceofpassion[.]net`	25

Files and or directories created	Occurrences
`%HOMEPATH%\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\30D802E0E248FEE17AAF4A62594CC75A`	25

File Hashes

             0b4c6649ad41af209e5bd5d857f68d5edc560bc48eda4267c50f806e831b7af3              0fda18ca90096cec78e462f95be4cc2d46dc7dfbdcf44f8a022cb754d7607241              10f31d5d1d70661af3e512d03007b2c6f403a4a581bc6a71d66b3c7a1420bf94              18e85a75805b522d05cd674ad0c5eff59cdcccafa94f815b58483c2b89d0fd7e              1a3a144d6425ae749452dc9fba14b9d7e24152164d01cc78f3606df039bca8da              20607ff7ce201c1f167de3b0fd5fbb8c99d3f372c3e23027d365c8003ce7da79              207bfdb50cbada73d08d6f6849a670795f88892f50a81d83712f5c606ac074fd              2a9b6c82e814645cbaf5e3b77245ee17b11c629f82cbe92414fc40df1cc01e7a              2b1d86c9c4196536d630631a0a0c7abc99b74482b8b1260b48d3ed21c57313d6              314a112563a7a9cb9bfd1fe0ff7e54b19b2ab00827c68e237a251c47e77d28c4              3dec594b76a5f10a5ccb22f02be9afab964409e42ad864264f79596470c3b926              4188c8122fd994514c68a441bbeb2ea4981045cdad3b81cb30973ce853b89dbf              483421df4aace161f9d26c50bd0b6638397a90ab367f128beb759250cac85083              4c27e7c8f0d03b93b78a043800c2bf165183825d0ab4b5aec1973d3367e0d0cd              562047aa50f97221552f04df509b3b65f91b86c6cea109d8b2774ff7b61c0a6c              56a7d0293ab5e87d137ec58d312d381b38a9c2b40726c8a18deffb2cf6d8811f              5fa2d1ab59588863601e287aa39f0475749f16ef458f693992a9cc6afc106fbb              624b6b4f70e271f1dfdef7c9dc26a7d18f17feb7c5e5057866c42c0305ef55c6              6294cd75c47243ce037d61b46271f8425b0ba4838f829ac99fa22e40b2573b5e              68d2cef91a68892ff659a172c561b3638d5456dede979e5cfbeb91b7a8a8f8e7              774f03a7a0f1b281015f56c111092f83645e8671bae737391a0aa740bef03ccb              77ca0111c22e9de19cb947a73243aceb08b5b2e75289fd6747b35361f78787c4              7933573f99948a9b1ff3e813f9f7e186aca213638cb47cb0c6e2e5f59c1ef0ce              7b20e376a7a0f2a41411f91aa19a295aebd0acb2edfb0c5b7b7fc027baf01637              7d3e63ec5e6b564f45e9cc027e39669b3ed166abc7e65fe7c864bb892244add4

*See JSON for more IOCs

Coverage

Product	Protection
AMP
Cloudlock	N/A
CWS
Email Security
Network Security
Stealthwatch	N/A
Stealthwatch Cloud	N/A
Threat Grid
Umbrella
WSA

Screenshots of Detection

AMP

ThreatGrid

Umbrella

Malware

Win.Dropper.Bifrost-7593600-0

Indicators of Compromise

IOCs collected from dynamic analysis of 10 samples

Registry Keys	Occurrences
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE Value Name: wextract_cleanup0`	9

Mutexes	Occurrences
`Bif1234`	9
`0ok3s`	1

Domain Names contacted by malware. Does not indicate maliciousness	Occurrences
`lronaldinho[.]no-ip[.]biz`	1
`zoulou[.]zapto[.]org`	1
`snouci[.]no-ip[.]biz`	1

Files and or directories created	Occurrences
`%TEMP%\IXP000.TMP`	10
`%TEMP%\IXP000.TMP\TMP4351$.TMP`	10
`%ProgramFiles%\bifrost\server.exe`	8
`%TEMP%\IXP000.TMP\server.exe`	7
`%TEMP%\IXP000.TMP\serve.exe`	2
`%ProgramFiles%\h4o\h4o.exe`	1

File Hashes

             33dd43fa4d96ddbfb167ee204c864586150e115579c9cc67964e6dfde5e40661              4a90db4add682ee08ec03e4145b373503b7a6f23ff34c2b771fa78dee8e44bc3              68fe7fca6b557da2dc0492b70c44a7a4510b3a1e0f1d4c3d75662cfdc3fa5659              78fb8c5fd52940a7188f5e4788bd05d4a9d83faa78bb22e23e20cabdf839c963              8374b6d974e93d0b728514bb2f5db7dfb4b32969e15b7362c4c260e68fbdcace              90e4cff29fc9df5cd3bc27bdcc5dcbbed7cc391d45ce38a1826e111aacef0a79              96947aeb886bde239f1ca5e39fb1534afbeef46aa91dac46f448e3a82eee29e6              a4d8e5d6dbb820150af6bb616fd2673167b477cd711afaa5484c630c18f5bdcb              b91894048d0a84b1aea9ce9b947f4b32b5b0b8bb690b5e1f0010e5964b7bdf18              f04c620d94e41e30acdbe1c18f6df6fae97fad15d437874d9ced40d8402b9409

Coverage

Product	Protection
AMP
Cloudlock	N/A
CWS
Email Security
Network Security	N/A
Stealthwatch	N/A
Stealthwatch Cloud	N/A
Threat Grid
Umbrella	N/A
WSA	N/A

Screenshots of Detection

AMP

ThreatGrid

Win.Dropper.XtremeRAT-7594794-0

Indicators of Compromise

IOCs collected from dynamic analysis of 21 samples

Registry Keys	Occurrences
`<HKCU>\SOFTWARE\<random, matching '[a-zA-Z0-9]{5,9}'> Value Name: ServerStarted`	20
`<HKCU>\SOFTWARE\<random, matching '[a-zA-Z0-9]{5,9}'> Value Name: InstalledServer`	20
`<HKCU>\SOFTWARE\<random, matching '[a-zA-Z0-9]{5,9}'>`	20
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: HKLM`	9
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: HKCU`	8
`<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN`	5
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN`	5
`<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN Value Name: Server`	3
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN Value Name: Server`	3
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: dll`	3
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{5460C4DF-B266-909E-CB58-E32B79832EB2}`	2
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: vlc`	2
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{5460C4DF-B266-909E-CB58-E32B79832EB2} Value Name: StubPath`	2
`<HKCU>\SOFTWARE\FAKEMESSAGE Value Name: FakeMessage`	1
`<HKCU>\SOFTWARE\((MUTEX)) Value Name: InstalledServer`	1
`<HKCR>\LOCAL SETTINGS\MUICACHE\\52C64B7E Value Name: LanguageList`	1
`<HKCU>\SOFTWARE\((MUTEX))`	1
`<HKCU>\SOFTWARE\FAKEMESSAGE`	1
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{4YYH6UVK-0H14-53J3-2EKB-QFCG58W0Y54X}`	1
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{4YYH6UVK-0H14-53J3-2EKB-QFCG58W0Y54X} Value Name: StubPath`	1
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{4N6D64W4-JGT3-3SRU-VEIG-428Y3Y04H28J}`	1
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{4N6D64W4-JGT3-3SRU-VEIG-428Y3Y04H28J} Value Name: StubPath`	1
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: msn`	1
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{L026V375-M6QD-607A-01BW-NY4DH11HTA1N}`	1
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{L026V375-M6QD-607A-01BW-NY4DH11HTA1N} Value Name: StubPath`	1

Mutexes	Occurrences
`XTREMEUPDATE`	21
`<random, matching [a-zA-Z0-9]{5,9}>`	20
`<random, matching [a-zA-Z0-9]{5,9}>PERSIST`	17
`<random, matching [a-zA-Z0-9]{5,9}EXIT>`	17
`((Mutex))`	1
`((Mutex))PERSIST`	1
`((Mutex))EXIT`	1

Domain Names contacted by malware. Does not indicate maliciousness	Occurrences
`in4ta[.]hopto[.]org`	2
`xtremerat[.]zapto[.]org`	1
`chrome[.]myvnc[.]com`	1
`antilove[.]zapto[.]org`	1
`lifefornoobs[.]no-ip[.]org`	1
`trancegend[.]servehttp[.]com`	1
`paxromana[.]no-ip[.]org`	1

Files and or directories created	Occurrences
`%APPDATA%\Microsoft\Windows\<random, matching '[a-zA-Z0-9]{5,9}'>.cfg`	20
`%TEMP%\x.html`	13
`%SystemRoot%\SysWOW64\InstallDir`	9
`%TEMP%\~PI<random, matching [A-F0-9]{2,4}>.tmp`	7
`%APPDATA%\Microsoft\Windows\<random, matching '[a-zA-Z0-9]{5,9}'>.dat`	7
`%APPDATA%\InstallDir`	6
`%SystemRoot%\SysWOW64\dllcache`	4
`%APPDATA%\dllcache`	4
`%SystemRoot%\InstallDir`	3
`%SystemRoot%\SysWOW64\InstallDir\Server.exe`	3
`%SystemRoot%\SysWOW64\InstallDir\dll.exe`	3
`%APPDATA%\InstallDir\dll.exe`	3
`%SystemRoot%\InstallDir\Server.exe`	2
`%APPDATA%\Microsoft\Windows\((Mutex)).cfg`	1
`%APPDATA%\Microsoft\Windows\((Mutex)).dat`	1
`%SystemRoot%\SysWOW64\windows`	1
`%SystemRoot%\SysWOW64\dllcache\msn.exe`	1
`%APPDATA%\InstallDir\xyzl.exe`	1
`%SystemRoot%\SysWOW64\dllcache\xxsnd.exe`	1
`%APPDATA%\dllcache\msn.exe`	1
`%APPDATA%\dllcache\xxsnd.exe`	1
`%SystemRoot%\SysWOW64\InstallDir\xyzl.exe`	1
`%SystemRoot%\SysWOW64\rar.exe`	1
`%TEMP%\510photo1.jpg`	1
`%TEMP%\510photo1.jpg.exe`	1

*See JSON for more IOCs

File Hashes

             064c44467f1d528ec2d7da3190f5d0f0760825dd78dbdcd0800b5cf93ddfc35e              14b5b5b795998d35a0d7fdbec17264d677ccbe42ca0f0012ddea0b89c581998c              189815a3c61f115518eefef42514e5ade690d68c3f17cd5f25503114f8c76d39              18f93702d819615f2c6132ff4c9b72fe82d857f8c72ef8c0fa0568cfb87ce382              1f89323eccd76c387a536cbed269f64ae84abe86a25474d73a8d9ea48bc222bc              2ded94da0ecc3e9353762f4c097ab6bb4243ca51765e3075a60d575b4cda27c2              2f4d1036e0074d324b78bd15da52c63602aa467455ba8271520b7ea96b620f0f              4840f56924ba0b45a510341a7b748ec5507aefa1cf451c6c42ac6a5755f7a76f              4ed0da4f544326ee3d2ab53698ad556a7d79f2c71489be7586cb9489462c438b              6bc1a651a94482ad19df56647fb5b6e9b87be392ee8ba96794a778b8b27dfb34              716d6bb0792522da08ad4af7d0ad9500d25456c1138c6afb151a61cdac8c1d5b              8314a980d82e0c0abd2d51c44bbb9fcc0eb0d388e730d97e30b2d4abd8ec35ec              96b451f2217da28c874d357e574911ab5bf1534ef57cad4ee975c14dc1efe17c              a0624e016eae6a07df74d75f4ff1a240c7502ce3e104a1df10ce3d8cd317815e              ac7714fac188ff0cc932f752add2c001044b4ff3fb4aa73f5c3ef6f2a2ed17cf              ace5f789b508a16e2a2a9b81ae6a2f8152546eee393dd7b37677cd4e22b7354b              b893c36382ab489f6f23979f547b79a861457f08e0421a49756482a50a8a6d44              c0bc592589a215bb74bd525b44330246094db50cdeb5722d057485a7aff01156              d4fdf6ef3db3e219a672f7e7c18f81b3ded3d0639311cc8cb11df7ce0e128d98              ec04f36832901dfef1738c851a8f5df812c94762cf1ebdaadb2117f00b4e10a4              effa69e2b4b1301360f48fd51e759151a0ef8e656800d3da4a1107a590fc00ff

Coverage

Product	Protection
AMP
Cloudlock	N/A
CWS
Email Security
Network Security
Stealthwatch	N/A
Stealthwatch Cloud	N/A
Threat Grid
Umbrella
WSA

Screenshots of Detection

AMP

ThreatGrid

Umbrella

Win.Dropper.Upatre-7594799-0

Indicators of Compromise

IOCs collected from dynamic analysis of 27 samples

IP Addresses contacted by malware. Does not indicate maliciousness	Occurrences
`38[.]65[.]142[.]12`	27
`104[.]20[.]16[.]242`	15
`104[.]20[.]17[.]242`	12
`96[.]46[.]99[.]183`	5
`96[.]46[.]100[.]49`	5
`217[.]168[.]210[.]122`	4
`81[.]90[.]175[.]7`	4
`176[.]36[.]251[.]208`	4
`109[.]86[.]226[.]85`	4
`68[.]55[.]59[.]145`	4
`37[.]57[.]144[.]177`	4
`64[.]111[.]36[.]52`	3
`66[.]215[.]30[.]118`	3
`72[.]230[.]82[.]80`	3
`104[.]174[.]123[.]66`	3
`24[.]220[.]92[.]193`	3
`84[.]246[.]161[.]47`	3
`216[.]254[.]231[.]11`	3
`69[.]163[.]81[.]211`	3
`77[.]95[.]195[.]68`	3
`76[.]84[.]81[.]120`	2
`85[.]135[.]104[.]170`	2
`24[.]148[.]217[.]188`	2
`98[.]209[.]75[.]164`	2
`24[.]33[.]131[.]116`	2

*See JSON for more IOCs

Domain Names contacted by malware. Does not indicate maliciousness	Occurrences
`icanhazip[.]com`	27

Files and or directories created	Occurrences
`%TEMP%\murzuja.exe`	27

File Hashes

             0079acd8e4919c1d944690ed62db665df7ee2033f0788fce8819dbd1dc52b495              00acff5b0b1d66f3518cb494dd25453245dac6bcf7445f572138b216dc60dd5e              061a443b28bcfb65d9bf4535e28e8d069a57b3b02b7313ce724ce7d65ace6cc3              087b88d444146ca59a3c728f0c2a4a531ad7a2dbc3639ed84ee408bf6215d8ac              0964da3037876a30f6d12b9205eea90a49b9bd63d603e052b7949b9abc0a1163              111cc7917516def507f0fc251b26a34e20507848a99405ddd8160bf409026679              12fc0b95918c16ada8f0833f544a07611f30f85211c9a77c73a249ce045b81bc              13c52d814547e6ef4379d980f95bed78b3d40b39a279573b9e049fb5099fff5e              20833a3aa302aa6e67bf9a527e6b61f077b0740405231b1df53a7c6764558b6f              2347db85b21ae8dc4acbf72ff8c60d5793c27bc6e067fd394f2b8e0d16a50587              2499f88be18379c4d00539250b0524632521fb7858baa0eca4bd807a9a05e908              24b01c67de3e123e84dc436772999cdf49f63bfea5367b9508a123d9a2b9bb20              28a49addd94f0a2a849a1b9304fcf408ac231a65f1f21f667f1b962a0b9a7861              2a67adf844b4e0ea5cad4864680231f8724862213d1416155675739686450087              2b2ad88f7c73ed799197300e4c83ec7833fd6623d2c561690f9a1390de312714              2f3520224d08d4ce69596975e6d3e4aad40ebbe2514dc4acf30f97df967efeff              2fefbeb2b24e4114fbf0eb5e6cbadd214c2d6a846aba2c776a1f1643cc26c6e6              32434dcee2ab34dccea41dc4946094c49c85fe698a1337566d200eb83ed2edc2              339d409e062631e1e64bf39fd0d6d61a92a98da179a69463fac1c374b4d328d3              3ab907d9ae4834ad819d9b0c22d15ae37acd43af4deff184d90fed1ab9abee6c              3b60c441272ef1ef1520e8295c583ad4abfb725f4ac21b26c774ea8fd0793cb8              3b90fe50da30f4c4a11687995c861586d9365c8cfab3ea0f9738f1254994cd9c              3c6b988b8af205e01b2c6ce71e02826478a29c091badb34a2f86e0b196fda1ee              40ef4e2cc593c02e1f0c92e495ba7b76386e9e694e70707d681e4e8b0e3d5b01              40f3d8368c69f76e48aa4e23b621b8acd9ca694f1552741aeadff450656e1768

*See JSON for more IOCs

Coverage

Product	Protection
AMP
Cloudlock	N/A
CWS
Email Security
Network Security
Stealthwatch	N/A
Stealthwatch Cloud	N/A
Threat Grid
Umbrella	N/A
WSA

Screenshots of Detection

AMP

ThreatGrid

Win.Dropper.NetWire-7597088-0

Indicators of Compromise

IOCs collected from dynamic analysis of 34 samples

Registry Keys	Occurrences
`<HKCU>\SOFTWARE\WINRAR`	22
`<HKCU>\SOFTWARE\WINRAR Value Name: HWID`	22
`<HKLM>\SAM\SAM\DOMAINS\ACCOUNT\USERS\000003E9 Value Name: F`	22
`<HKLM>\SAM\SAM\DOMAINS\ACCOUNT\USERS\000001F5 Value Name: F`	22
`<HKLM>\SAM\SAM\DOMAINS\ACCOUNT\USERS\000003EC Value Name: F`	22
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: mkre`	1
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: MSConfig`	1

Mutexes	Occurrences
`-`	7
`jpbuqnlp`	1
`Global\54220ec1-56cd-11ea-a007-00501e3ae7b5`	1
`Global\10d125c1-56cd-11ea-a007-00501e3ae7b5`	1
`thxETPfM`	1

IP Addresses contacted by malware. Does not indicate maliciousness	Occurrences
`194[.]4[.]56[.]252`	2
`104[.]215[.]148[.]63`	1
`192[.]169[.]69[.]25`	1
`104[.]47[.]54[.]36`	1
`111[.]121[.]193[.]242`	1
`103[.]60[.]181[.]238`	1
`185[.]201[.]10[.]1`	1
`103[.]48[.]6[.]14`	1
`191[.]252[.]63[.]14`	1
`68[.]65[.]122[.]86`	1

Domain Names contacted by malware. Does not indicate maliciousness	Occurrences
`james7[.]serveftp[.]com`	4
`dualserverz[.]info`	3
`myp0nysite[.]ru`	2
`uzo123[.]serveftp[.]com`	2
`api[.]w[.]org`	1
`gmpg[.]org`	1
`microsoft-com[.]mail[.]protection[.]outlook[.]com`	1
`web[.]whatsapp[.]com`	1
`gypsypy[.]duckdns[.]org`	1
`bags[.]mn`	1
`pornhouse[.]mobi`	1
`opixib[.]bid`	1
`bishop123[.]ddns[.]net`	1
`papergang[.]ru`	1
`tizardns[.]3utilities[.]com`	1
`eorul[.]com`	1
`sistemacplus[.]com[.]br`	1
`www[.]sistemacplus[.]com[.]br`	1
`frankweb[.]club`	1
`usbasri[.]co[.]id`	1

Files and or directories created	Occurrences
`%TEMP%\-<random, matching '[0-9]{9}'>.bat`	20
`\TEMP\.Identifier`	7
`%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\filename.vbs`	6
`%APPDATA%\GHYTRFDRTTG`	4
`%APPDATA%\GHYTRFDRTTG\filename.exe`	4
`%APPDATA%\Install`	2
`%APPDATA%\Install\.Identifier`	2
`%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\wind0ws.vbs`	2
`%APPDATA%\zqxhkpjwc`	2
`%APPDATA%\zqxhkpjwc\wind0ws.scr`	2
`%APPDATA%\Install\Host.exe`	1
`%APPDATA%\subfolder`	1
`%APPDATA%\subfolder\filename.exe`	1
`%TEMP%\99a0_appcompat.txt`	1
`%APPDATA%\Install\juyr.exe`	1
`%APPDATA%\FGBHYTUJIUY`	1
`%APPDATA%\FGBHYTUJIUY\filename.exe`	1
`%HOMEPATH%\obgtcgwm.exe`	1
`%TEMP%\711562.bat`	1
`%TEMP%\734171.bat`	1
`%TEMP%\760328.bat`	1
`%TEMP%\AA1AE.dmp`	1

File Hashes

             03626570f585d84e55af0ce856078e9276419d199f905c54bddcd8b22ed59531              0fcd763cf9aacfe72a46b379a1b58234f969767077f0e58276d0c8496c780fcb              1aa57ab794a26bf3e5ffe959a232d76d0bbceae45b4e4a95cd0020b9544c6d0d              1cc2d9b34a545cd02771bf80cb5023dfbab5218c1e7de07625ac1acf7b2547db              23184d75b8da1d8098ad7781ddfc7b6ef77fdd829adb43983cac9f179ba38750              340e9f8c35eddc59064c602be4236f21168dca61b719c27c0663b79cef103a8b              3af3f307c5b1aaa3a45720cfae69ff81460dce4c9da0dea8c87a47a17faaa4cb              4265eab00295ca620c827e71be4674ee18570027ba01269a36604066b92f1920              4a9d1b415b5882f72096da7178edcb29748bc3307e3ae1419c856746eae66e8d              4d26a04fe07e1059cef86588306026a39acbd96796a2a971bcc1d6bb3be4637e              52f425836ad69e22d7594ef0b3ee22ecffd021a111e30f5dc9fc5425f6e0cac8              53d97906225832b310be044db70b6287ed3a20d23f43a4f4d4e0b6b2c13c08a8              579b412e9a175250a6f4248685924ad260b23ef4757173bea04ef62397027eda              752a6eabbd0eb73ed88633b288cde00fa4d47f66bbd42196d8631d5ff7525e53              82398b467b0d2d2f55111a2595fe665e416f9ee7fd47fc9ddb948a4d2f754bae              82c60953f478ac1f71ce1dbc4902c08058b20391915d32bb13ff8ff7d523b5b6              8761ab62984d012f514ec6ba9db5dabaf547729351c2db0d5bdcc3938a0381eb              9a2f9de8fd437e175e94688d9e84e77e2803d4b2c9d110a44597dead122484ca              b7082b2820ff5e857b192f79a6d4fbfe55f66bd309bdcea06d9d8b214a3b4923              b9ba565eafc1c0d837bdf9e83e4be40c4966e8f9d23640b01c1a4a9caeca97a8              ba96661424707f2d430bf9d5e8c915c6925363b163f7ad9855b8f72255615116              c2f508a2d916a56c96985298988ac37e7352b013acfb30e142f13d7f998054f7              c602c39491544712670f4ae93ffaf76beeb2eb86d4d1ac55bbcc25852a3a260b              cc4378d3d98efcb04fc4ac8071fa68e1a55b95b23283bf2dabcc74a593633b38              ce4b1e164c11a1cc3044cc0426f24eff4ed6149938cce855c116df7d21e4fef4

*See JSON for more IOCs

Coverage

Product	Protection
AMP
Cloudlock	N/A
CWS
Email Security
Network Security
Stealthwatch	N/A
Stealthwatch Cloud	N/A
Threat Grid
Umbrella
WSA

Screenshots of Detection

AMP

ThreatGrid

Umbrella

Win.Packed.njRAT-7595003-1

Indicators of Compromise

IOCs collected from dynamic analysis of 10 samples

Registry Keys	Occurrences
`<HKCU>\ENVIRONMENT Value Name: SEE_MASK_NOZONECHECKS`	10
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON Value Name: ParseAutoexec`	10
`<HKCU>\SOFTWARE\9BD3387F7E8ABEB14EFCB3BDF5E7C89B`	2
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: 9bd3387f7e8abeb14efcb3bdf5e7c89b`	2
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: 9bd3387f7e8abeb14efcb3bdf5e7c89b`	2
`<HKCU>\SOFTWARE\9BD3387F7E8ABEB14EFCB3BDF5E7C89B Value Name: [kl]`	2
`<HKCU>\SOFTWARE\BB0E5F604F30988E0B2498356D0A2358`	2
`<HKCU>\SOFTWARE\BDBC444244C8D079DD87AC27E84A52E2`	2
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: bb0e5f604f30988e0b2498356d0a2358`	2
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: bb0e5f604f30988e0b2498356d0a2358`	2
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: bdbc444244c8d079dd87ac27e84a52e2`	2
`<HKCU>\SOFTWARE\BB0E5F604F30988E0B2498356D0A2358 Value Name: [kl]`	2
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: bdbc444244c8d079dd87ac27e84a52e2`	2
`<HKCU>\SOFTWARE\BDBC444244C8D079DD87AC27E84A52E2 Value Name: [kl]`	2
`<HKCU>\SOFTWARE\38407B401D4C3FE12E0AA019ABFE1C1E`	1
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: 38407b401d4c3fe12e0aa019abfe1c1e`	1
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: 38407b401d4c3fe12e0aa019abfe1c1e`	1
`<HKCU>\SOFTWARE\38407B401D4C3FE12E0AA019ABFE1C1E Value Name: [kl]`	1
`<HKCU>\SOFTWARE\9F78F6C54CD3644B404DDA00839B7FA6`	1
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: 9f78f6c54cd3644b404dda00839b7fa6`	1
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: 9f78f6c54cd3644b404dda00839b7fa6`	1
`<HKCU>\SOFTWARE\9F78F6C54CD3644B404DDA00839B7FA6 Value Name: [kl]`	1
`<HKCU>\SOFTWARE\E425607C2D9B7766223C902817C469E3`	1
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: e425607c2d9b7766223c902817c469e3`	1
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: e425607c2d9b7766223c902817c469e3`	1

Mutexes	Occurrences
`<32 random hex characters>`	10

IP Addresses contacted by malware. Does not indicate maliciousness	Occurrences
`3[.]19[.]114[.]185`	1
`3[.]17[.]202[.]129`	1
`18[.]223[.]41[.]243`	1

Domain Names contacted by malware. Does not indicate maliciousness	Occurrences
`systeamwon[.]ddns[.]net`	2
`shwii[.]ddns[.]net`	2
`0[.]tcp[.]ngrok[.]io`	1
`windowshost[.]sytes[.]net`	1
`hell3324[.]ddns[.]net`	1
`hidden4matrix[.]ddns[.]net`	1

Files and or directories created	Occurrences
`%TEMP%\server.exe`	3
`%TEMP%\svchost.exe`	2
`%TEMP%\Config.exe`	2
`%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\9bd3387f7e8abeb14efcb3bdf5e7c89b.exe`	2
`%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\bb0e5f604f30988e0b2498356d0a2358.exe`	2
`%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\bdbc444244c8d079dd87ac27e84a52e2.exe`	2
`%HOMEPATH%\svchost.exe`	1
`%TEMP%\svchos.exe`	1
`%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\38407b401d4c3fe12e0aa019abfe1c1e.exe`	1
`%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\9f78f6c54cd3644b404dda00839b7fa6.exe`	1
`%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\e425607c2d9b7766223c902817c469e3.exe`	1
`%HOMEPATH%\facebook.exe`	1
`%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\5ebda11b3fd5a5a7f5d1714d88c0f3af.exe`	1

File Hashes

             3ef25d1d353980ad2520e32b1b572f6cc89f9663b5fdede26e82a0ada4923c01              65d2420dd699fb1f44f67acd048eea2a25e38bf1d937c76409d3bab468504158              6d616a0f4624ac3bf296775b7d4f4463086874b03250c26f7d9ac70eead17de2              8e9b7527288d425e4ae9eaa8a1aa18b95211f633aa8c445d3ff3bb7d290e9099              a036f4468f651fcbdc9c127d6fd15a54e72e438d928558dc206fb36a154540a9              a3b9c055304610aa65535697bc17b5a4a24868f81d7b832013bb1efb544c416b              ba8e06b7a75909f51aa597425432c532a92061fcdfb4652c5ad2566189720257              bd2707d424bc88be4dfcdf7a7c0a6bc53aa9a760634be11222b542f289c18a2d              c9dba92e18ca02c2ea1a007ac18ad149d527889496a892159eb3642229865798              f021bdb5547ce84dc5a6dc3b49926db736b275823bfdf792a2643705724d99ee

Coverage

Product	Protection
AMP
Cloudlock	N/A
CWS
Email Security
Network Security	N/A
Stealthwatch	N/A
Stealthwatch Cloud	N/A
Threat Grid
Umbrella	N/A
WSA	N/A

Screenshots of Detection

AMP

ThreatGrid

Win.Packed.Zbot-7595026-0

Indicators of Compromise

IOCs collected from dynamic analysis of 11 samples

Registry Keys	Occurrences
`<HKCU>\SOFTWARE\WINRAR`	11
`<HKCU>\SOFTWARE\WINRAR Value Name: HWID`	11

IP Addresses contacted by malware. Does not indicate maliciousness	Occurrences
`91[.]195[.]240[.]126`	11
`108[.]166[.]65[.]182`	11

Domain Names contacted by malware. Does not indicate maliciousness	Occurrences
`aloucakbileti[.]com`	11

File Hashes

             1483f9f04971cf117cde479d601b247b2799922e733e5d35fd751dfb752c170a              1a8719053b69c4a7c9276686eea82638f64c6c15c13ed44c532d4b650256212b              2dbcea2a92e98a3a4d41a2b4e281aaa7247de43ebd3c19d6461f8a6a5d288a29              32f4a6e21c6bb34c6a1cc0dd8cf8f796cae8f2e28f413b8b0b9498ae1679e682              48335f0bfbdbd881848966178e6b993a8a6ae5ea7a68b31b985ff8c77fc259a4              4c666cfa1f81701cd6756694a10e9840472ec0aef101a856b5f45bcaa4bef37c              6f6d0d9bf3a2e132194c83d63f1fe5e6b6112cbb707874beb51d27e55ca16959              904b1715e5ef21a0f8562ca8e785552459931cb7659fca83d5514e73b01e1242              9e12ac912d40f689ba60b1d7297a834c7928e1ecd298d60847eec5b9a6b79017              c71c0978b1eab31318e19dd3ba4147f947dfb88f2acba740c70ff9901bd1c732              e2b2f54504e9f02a8cb68ea87e3f5fcebc32269e907c64a89d1980751d1d0ed8

Coverage

Product	Protection
AMP
Cloudlock	N/A
CWS
Email Security
Network Security	N/A
Stealthwatch	N/A
Stealthwatch Cloud	N/A
Threat Grid
Umbrella	N/A
WSA	N/A

Screenshots of Detection

AMP

ThreatGrid

Win.Virus.Ramnit-7597892-0

Indicators of Compromise

IOCs collected from dynamic analysis of 15 samples

Mutexes	Occurrences
`KyUffThOkYwRRtgPP`	13

IP Addresses contacted by malware. Does not indicate maliciousness	Occurrences
`204[.]79[.]197[.]200`	13
`72[.]26[.]218[.]70`	13
`172[.]217[.]164[.]174`	12
`13[.]107[.]21[.]200`	9

Domain Names contacted by malware. Does not indicate maliciousness	Occurrences
`fget-career[.]com`	13

Files and or directories created	Occurrences
`%ProgramFiles%\Internet Explorer\dmlconf.dat`	13
`%ProgramFiles(x86)%\Microsoft\DesktopLayer.exe`	13
`%ProgramFiles%\Microsoft\DesktopLayer.exe`	13
`%ProgramFiles(x86)%\Microsoft`	13
`%SystemRoot%\SysWOW64\rundll32Srv.exe`	13
`%System32%\rundll32Srv.exe`	13
`%SystemRoot%\SysWOW64\rundll32SrvSrv.exe`	7

File Hashes

             176b9a90fd733e2a9e1740f169c326d1e9283aca061fb347077dda1f7f57d9ec              34d156c616d6afffc050fae92c5b9adff44272b171b60e70cb335784a2ad13b8              3525253f41b121d2355eb87270c8549d2ee43c39aaebbef5b3b59a282dd2d057              3d828f510bacb5c21461913f8d3675a39a0aa4b0528796ae464340a6b6cb3971              3fac755cdd70a60589efb24db320dfa9996f454298c30718cf82686de76d6a52              643a1a549572481e2135c12ce90059e027e39eb5196ad4e297547574c04987f9              6e89caaaa958c55fccff5adfc9a2c48af0050133ea388aea0d611a39be24d021              80b91b5430c4200ddd41340d7ab5e72083ef5e2da2bbb62d21f93dab73b09374              a3af4e90dc0a7cbb477be2d196dba7a0b4540a145075d1740deb9bd2a384be53              af1ee4f6576c31441a2274c256d4607b756e97cca20782f4a48e2f1dbe73d00d              b5065239929ba72b4ba764c7bd80e9a81a59cd37977a6a7a9044ccd08f443254              bcc3ddeb859276e8b8d83e53eca72f22bb15131ff2be63b1847403f91c1c9ad5              be71f31ad183c4c4987d9fbcb7618888f13c8c0472b7dccc451c7a576f50af02              c0eef4571e9bf2e8a07986d4191a3bdec59e3b5781f067f774d178e5ffe3ceb8              e77bacc45b82228bf607ff0d32fbff385fa74ee4e5dd77962cee5a6ff9832cd9

Coverage

Product	Protection
AMP
Cloudlock	N/A
CWS
Email Security
Network Security
Stealthwatch	N/A
Stealthwatch Cloud	N/A
Threat Grid
Umbrella	N/A
WSA

Screenshots of Detection

AMP

ThreatGrid

Exploit Prevention

Cisco AMP for Endpoints protects users from a variety of malware functions with exploit prevention. Exploit prevention helps users defend endpoints from memory attacks commonly used by obfuscated malware and exploits. These exploits use certain features to bypass typical anti-virus software, but were blocked by AMP thanks to its advanced scanning capabilities, even protecting against zero-day vulnerabilities.

CVE-2019-0708 detected - (3979)

An attempt to exploit CVE-2019-0708 has been detected. The vulnerability, dubbed BlueKeep, is a heap memory corruption which can be triggered by sending a specially crafted Remote Desktop Protocol (RDP) request. Since this vulnerability can be triggered without authentication and allows remote code execution, it can be used by worms to spread automatically without human interaction.

Excessively long PowerShell command detected - (402)

A PowerShell command with a very long command line argument that may indicate an obfuscated script has been detected. PowerShell is an extensible Windows scripting language present on all versions of Windows. Malware authors use PowerShell in an attempt to evade security software or other monitoring that is not tuned to detect PowerShell based threats.

Process hollowing detected - (340)

Process hollowing is a technique used by some programs to avoid static analysis. In typical usage, a process is started and its obfuscated or encrypted contents are unpacked into memory. The parent then manually sets up the first stages of launching a child process, but before launching it, the memory is cleared and filled in with the memory from the parent instead.

Kovter injection detected - (109)

A process was injected into, most likely by an existing Kovter infection. Kovter is a click fraud Trojan that can also act as an information stealer. Kovter is also file-less malware meaning the malicious DLL is stored inside Windows registry and injected directly into memory using PowerShell. It can detect and report the usage of monitoring software such as wireshark and sandboxes to its C2. It spreads through malicious advertising and spam campaigns.

Installcore adware detected - (89)

Install core is an installer which bundles legitimate applications with offers for additional third-party applications that may be unwanted. The unwanted applications are often adware that display advertising in the form of popups or by injecting into browsers and adding or altering advertisements on webpages. Adware is known to sometimes download and install malware.

Gamarue malware detected - (82)

Gamarue is a family of malware that can download files and steal information from an infected system. Worm variants of the Gamarue family may spread by infecting USB drives or portable hard disks that have been plugged into a compromised system.

Dealply adware detected - (59)

DealPly is adware, which claims to improve your online shopping experience. It is often bundled into other legitimate installers and is difficult to uninstall. It creates pop-up advertisements and injects advertisements on webpages. Adware has also been known to download and install malware.

Corebot malware detected - (14)

Corebot is a Trojan with many capabilities found in other prominent families. It features a plugin system to enable it to load a variety of features from the C&C server at any time. Known plugins include RAT capabilities such as taking desktop screenshots, as well as being able to intercept and modify browser communications and steal data, especially data related to banking.

Reverse tcp payload detected - (10)

An exploit payload intended to connect back to an attacker controlled host using tcp has been detected.

Trickbot malware detected - (9)

Trickbot is a banking Trojan which appeared in late 2016. Due to the similarities between Trickbot and Dyre, it is suspected some of the individuals responsible for Dyre are now responsible for Trickbot. Trickbot has been rapidly evolving over the months since it has appeared. However, Trickbot is still missing some of the capabilities Dyre possessed. Its current modules include DLL injection, system information gathering, and email searching.

Threat Breakdown

Doc.Malware.Valyria-7595017-0

Indicators of Compromise

File Hashes

Coverage

Screenshots of Detection

AMP

ThreatGrid

Umbrella

Doc.Downloader.Emotet-7593277-0

Indicators of Compromise

File Hashes

Coverage

Screenshots of Detection

AMP

ThreatGrid

Umbrella

Malware

Win.Dropper.Bifrost-7593600-0

Indicators of Compromise

File Hashes

Coverage

Screenshots of Detection

AMP

ThreatGrid

Win.Dropper.XtremeRAT-7594794-0

Indicators of Compromise

File Hashes

Coverage

Screenshots of Detection

AMP

ThreatGrid

Umbrella

Win.Dropper.Upatre-7594799-0

Indicators of Compromise

File Hashes

Coverage

Screenshots of Detection

AMP

ThreatGrid

Win.Dropper.NetWire-7597088-0

Indicators of Compromise

File Hashes

Coverage

Screenshots of Detection

AMP

ThreatGrid

Umbrella

Win.Packed.njRAT-7595003-1

Indicators of Compromise

File Hashes

Coverage

Screenshots of Detection

AMP

ThreatGrid

Win.Packed.Zbot-7595026-0

Indicators of Compromise

File Hashes

Coverage

Screenshots of Detection

AMP

ThreatGrid

Win.Virus.Ramnit-7597892-0

Indicators of Compromise

File Hashes

Coverage

Screenshots of Detection

AMP

ThreatGrid

Exploit Prevention

Trending Articles