Friday, October 20, 2023 15:10
Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Oct. 13 and Oct. 20. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.
As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org , or ClamAV.net .
For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. A visual depiction of the MITRE ATT&CK techniques associated with each threat is also shown. In these images, the brightness of the technique indicates how prevalent it is across all threat files where dynamic analysis was conducted. There are five distinct shades that are used, with the darkest indicating that no files exhibited technique behavior and the brightest indicating that technique behavior was observed from 75 percent or more of the files.
The most prevalent threats highlighted in this roundup are:
Threat Name Type Description Win.Dropper.Zeus-10011479-0 Dropper Zeus is a trojan that steals information such as banking credentials using methods such as key-logging and form-grabbing. Win.Downloader.Upatre-10011416-0 Downloader Upatre is a malicious downloader often used by exploit kits and phishing campaigns. Upatre downloads and executes malicious executables, such as banking malware. Win.Packed.CoinMiner-10011305-1 Packed This malware installs and executes cryptocurrency-mining software. Win.Dropper.Remcos-10011195-0 Dropper Remcos is a remote access trojan (RAT) that allows attackers to execute commands on the infected host, log keystrokes, interact with a webcam, and capture screenshots. This malware is commonly delivered through Microsoft Office documents with macros, sent as attachments on malicious emails. Win.Malware.Zusy-10010855-0 Malware Zusy, also known as TinyBanker or Tinba, is a trojan that uses man-in-the-middle attacks to steal banking information. When executed, it injects itself into legitimate Windows processes such as "explorer.exe" and "winver.exe." When the user accesses a banking website, it displays a form to trick the user into submitting personal information. Win.Packed.AgentTesla-10010785-1 Packed AgentTesla is a remote access rojan that records keystrokes and attempts to steal sensitive information from web browsers and other installed applications. Win.Trojan.Tofsee-10010766-0 Trojan Tofsee is multi-purpose malware that features a number of modules used to carry out various activities such as sending spam messages, conducting click fraud, mining cryptocurrency, and more. Infected systems become part of the Tofsee spam botnet and are used to send large volumes of spam messages in an effort to infect additional systems and increase the overall size of the botnet under the operator's control. Win.Dropper.Glupteba-10010808-0 Dropper Glupteba is a multi-purpose trojan that is known to use the infected machine to mine cryptocurrency and steals sensitive information like usernames and passwords, spreads over the network using exploits like EternalBlue, and leverages a rootkit component to remain hidden. Glupteba has also been observed using the Bitcoin blockchain to store configuration information. Win.Dropper.Nanocore-10011208-0 Dropper Nanocore is a .NET remote access trojan. Its source code has been leaked several times, making it widely available. Like other RATs, it allows full control of the system, including recording video and audio, stealing passwords, downloading files and recording keystrokes. Win.Dropper.DarkComet-10011490-1 Dropper DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system. Capabilities of this malware include the ability to download files from a user's machine, mechanisms for persistence and hiding, and the ability to send back usernames and passwords from the infected system.
Threat Breakdown Win.Dropper.Zeus-10011479-0 Indicators of Compromise IOCs collected from dynamic analysis of 17 samples Registry Keys Occurrences \SOFTWARE\MICROSOFT\INTERNET EXPLORER\PRIVACY Value Name: CleanCookies
12 \SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.101 Value Name: CheckSetting
12 \SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.103 Value Name: CheckSetting
12 \SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.100 Value Name: CheckSetting
12 \SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.102 Value Name: CheckSetting
12 \SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.104 Value Name: CheckSetting
12 \Software\Microsoft\
12 \SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: {C45BAE81-6FD8-625F-01B4-47867CA2B270}
5 \SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: {2AD245C9-6C14-D117-E84E-F21650C846A7}
2 \SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: {429DEFC0-AD95-8173-F328-FEDF80CD61A8}
2 \SOFTWARE\MICROSOFT\TAVIYR Value Name: Hyqafowo
1 \SOFTWARE\MICROSOFT\DIAQ Value Name: Tufa
1 \SOFTWARE\MICROSOFT\EDVA Value Name: Ruudibnir
1 \SOFTWARE\MICROSOFT\RAAMI Value Name: Oripxe
1 \SOFTWARE\MICROSOFT\HOOSS Value Name: Kuufture
1 \SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: {1B9B0642-9212-04C9-E76A-6689A279823D}
1 \SOFTWARE\MICROSOFT\EGNIB Value Name: Duvuoro
1 \SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: {82AFDD97-56B5-8180-6246-7EACFD9E3E11}
1 \SOFTWARE\MICROSOFT\OTIH Value Name: Umuz
1 \SOFTWARE\MICROSOFT\LUSYQO Value Name: Ecpiogtoi
1 \SOFTWARE\MICROSOFT\UCRUU Value Name: Yxyqnupio
1 \SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: {4DDC5D3F-09DB-40C8-8BE7-793502F0E15B}
1 \SOFTWARE\MICROSOFT\OSYCR Value Name: Okgeta
1 \SOFTWARE\MICROSOFT\WUENMU Value Name: Obyqupdot
1 \SOFTWARE\MICROSOFT\EQKURY Value Name: Itusri
1
Mutexes Occurrences 85485515
17 GLOBAL\{}
12 Local\{}
12 Local\{224FD2A9-13F0-844B-01B4-47867CA2B270}
5
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences 34[.]98[.]99[.]30
5 109[.]203[.]118[.]16
2
Domain Names contacted by malware. Does not indicate maliciousness Occurrences conntact[.]com
5 cursodegnosis[.]net
3 wildlife-galleries[.]co[.]uk
2 www[.]tuguarenas[.]com
1 tuoitredakrlap[.]net
1
Files and or directories created Occurrences %TEMP%\tmp.bat
12 %APPDATA%\
12 %APPDATA%\.exe
12 %APPDATA%\Agumaz\ukuvt.oqd
1 %APPDATA%\Rimuxy\gaka.aku
1 %APPDATA%\Ukomim\heyf.deg
1 %APPDATA%\Izxi\omly.eqe
1 %APPDATA%\Umudb\odmok.evr
1 %APPDATA%\Avke\egroo.agk
1 %APPDATA%\Zaopy\vemoe.ebk
1 %APPDATA%\Onsuca\goba.lyc
1 %APPDATA%\Toze\avlo.pee
1 %APPDATA%\Ygol\riyxd.apa
1 %APPDATA%\Dywib\ysah.eki
1 %APPDATA%\Nyyryz\muehe.avr
1
File Hashes 0390a213c2f1e2044dc034ef69854250734d366b588e5ed56ccfd43d6e487c61 182e47a72f0bef509026ffe4a99e2a55a3141b6a522418cec02306b8ec54ac22 1cc22b339677ca1f45d2cfde253948875a36f6ead95761d4cc00d4ec2d030896 285acd4d1368f8e0c43133996656d60ed5b121beca9368fb3fb93e6eb380c105 32742ef7917d53a4b04ef1b926163b1c4671151228074cccc3d998b45cb6c92f 3e9402d4c401522c9f272174035ef73a6543b3a7f51e6f7678807e427acd1deb 5f390a6125708cf8e7298e73b9e47ad77120052e0fcddf04be2d640120ee547d 825d1887edc5ab4be8a488dddf3315778879c6c10a970e810ae96669ffd5dec9 84644c5a5b0ac873fbcff8d088f1a86e285a8ece5bbd540108e1d4f275e85544 8f676a2f5fa319d6851f636276440eac7c792e25bc41ea3158111e8670a80ff3 a44304a9afb8b2483bd187c11ee178f95bc157f4675b1fc3690b838dddffa846 cd74c2ab3244618836b4e9dfb6e4c751003b2262325c0d580ea70ebf353f766e cd7727e61b2dbdbd0f9f346dd86f219485268be84348431c63e14fd00e23c0a5 d26420918252c8f6400f20514b4181f0b50876310652f3367b600768a4fa3828 d846e714d440c4ebf5be078ab98c48d28f235cbe315cf990bacecc13fc214d98 f5a105041be2e898ea346c48c4f63c5277aa11f7a07e63e01d0428d209942fe8 fc0915f632bebb398389a039a278af638022bc23d9c725088d0abb4ff4485d7c
Coverage Product Protection Secure Endpoint Cloudlock N/A CWS Email Security Network Security Stealthwatch N/A Stealthwatch Cloud N/A Secure Malware Analytics Umbrella N/A WSA N/A
Screenshots of Detection Secure Endpoint Secure Malware Analytics MITRE ATT&CK Win.Downloader.Upatre-10011416-0 Indicators of Compromise IOCs collected from dynamic analysis of 30 samples Registry Keys Occurrences \SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\STARTPAGE Value Name: StartMenu_Balloon_Time
2
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences 185[.]211[.]22[.]242
29 23[.]205[.]105[.]157
10 23[.]205[.]105[.]169
10 23[.]205[.]105[.]153
6 23[.]205[.]105[.]146
2 23[.]219[.]154[.]136
1
Domain Names contacted by malware. Does not indicate maliciousness Occurrences apps[.]identrust[.]com
29 salahicorp[.]com
29 ren7oaks[.]co[.]uk
29
Files and or directories created Occurrences %TEMP%\budha.exe
30
File Hashes 01d39073e8023b463aeeb09d7d745b79fd4d1d570448c41e1fbe290e4c24220e 03783c7ce13fa114e8f8752218adf7bfa538098a550df3364a7fd69d767f9cfd 0b87dad19fb92148113f48a6b49d0023e1c34003793c1cb67850c5e2d9c58755 0c499d7a858682d75c7ca11ed919e44307a8f9bbd6ea91e6d7d9fcfea3d01ff8 0f7ab72492dfe10804ba22a630148486d137a0f8cb57c3a48a48355d6be69707 123eb4da91b065d629afe30d6fc6e37465ad017abed80fe4d94d15b5324008d6 1f496efb45301d0a4d0a41fd8dbd998e3075bce1631c018aa943c7d3fb083967 23df6b20b96ae652d532416298621da60c32cbf15762cc181d43f26ed980c1a7 2a3c8198840e7b55aec2f79aade39baa01f66921b2c6077b8261944bda68b8c5 2e9a44b5434ff209387fdd456901a679d6577874afd71208fb9c3046fef51883 3a7c36c7c377963e76e1192f58808c6693c92148573559f61607a07a2c24ad6f 4f1ad200a563ec7ca3b1d1151fbaff7ddd695c9c056e3d98c5323e9f02d40b25 54e5900083763b04504d24aeb9b5c134eac3e784eab067e07630903c16a322d9 57eabd449ebd30730b3a2a20958fc8faba9c2ddb7e68dd4e791df98a50eb7e08 599f6ade2b8577d1020597472bb44c42b119a3b935415e7a3b55ff876ff4645d 5c9d1828a67d8af3b2bd5fa9037cc64c995dda3270b60f4326acfac2e9206d8d 68e9468cdf8c33bdf1c02bdb12f056a0336ea20a60891bf4678ee31faf1a76b5 7501fab5ff915e31cab34c5207751f5c422c3b97c53f68aa6ff7776b81a9b6a5 7865a38ee6cc666d6bb6f395d423aea7ded6d6a9e9da8c79c61142a2f739efa6 7c7c0662a8ea3f52cbd2ad44c68fcd9469b5ab1284d2366880477b45e53eb6c7 87f39a0275aecbd0529b84b4815ac2429da6fcbb744a684335ad6ffa650f2eab 9471bedea8d8b57b875ed67abd082fe13d4fc4f795c1cdfb45dbb713505ad23a a0baa12791570d5cd7f6ebd20bd49bb7365693442096b72687fcfd3eea926970 b05014f4ad4b0f6ea82236fec9030dd92c04601d5482b5cae0a3e1ded0460de4 c0bf0423e9d81f5d6e3607a8f072c595c70c5549d02d3aed43d4a3fd514c6a82
*See JSON for more IOCs
Coverage Product Protection Secure Endpoint Cloudlock N/A CWS Email Security Network Security Stealthwatch N/A Stealthwatch Cloud N/A Secure Malware Analytics Umbrella WSA
Screenshots of Detection Secure Endpoint Secure Malware Analytics MITRE ATT&CK Win.Packed.CoinMiner-10011305-1 Indicators of Compromise IOCs collected from dynamic analysis of 17 samples Registry Keys Occurrences \SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\STARTPAGE Value Name: StartMenu_Balloon_Time
1
Mutexes Occurrences atwimjbzqckrcqbp
17 Global\atwimjbzqckrcqbp
17
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences 142[.]202[.]242[.]45
10 142[.]202[.]242[.]43
7
Domain Names contacted by malware. Does not indicate maliciousness Occurrences pool[.]hashvault[.]pro
17
Files and or directories created Occurrences %APPDATA%\Google
17 %APPDATA%\Google\Libs
17 %APPDATA%\Google\Libs\WR64.sys
17 %TEMP%\qdorobglftsq.tmp
17
File Hashes 0418cdb7929843bb178117edceb2da83d7e5b2324102160d89b0501a2f98bbfd 0b2543ca8927a890090c75074661192b96c9ab16470663c54208fa98451e84b0 120fa170b822961e74e598032928a50923cb13eb47e681f10c902c7a9b3037a9 28c0c623b2c1ae88989303038fd8deb1a2f70e5915e309a4bfc49d98b7eec7d8 2effdfaaf496f107e15a40d407b340a3ef1412eaf25c8964fbdf95745f81d6a4 3c10a8c8a245a127c01ff4ff0fa2e5efe4fc593590b91ca6db614520a027c7bc 425786ded081d2aef6df029bfa8081d55a6d1d779227de39e0a183beced35fc6 48b81bf6601875a79bc51a940d1f8c52e1992d02a4c82ae9918ca9caf165e962 4bab91437f57be24381b09d84ff6e0f8559dd9c763d8b91f4b3658d5b8fbccb8 52ed438206b7d7b070a9a1cafb1a58e4bde9ba6ab38771713474274bdc425feb 6ae0bd1945da4b746106d6c2f925c078fc434d7f8ab7d392ba5370f32dc02dc2 70f4b38d9bb380303df03ca055f4af62d784e649fc556c3d9d7c61a365eb3921 74e111ece66a5e72d0d2c6e208d2e4276f1e5e2d2b15dae3d7dfcda4ca629535 82ccec7113295fe5ddc9eebbd5330ce9c4bce472018ef5a62980722644cd5966 c5dc5e4924756efe46e5d66975f56ea421c41a49a0f7b70d8198f6f9d2648e01 e78054bcf5b78d34eb871767647f180336157fac21a774b8a31f7f6dc37c21f4 ee02b883db69d9401fb465800719963a5fdec877690d2cb4864a15c03bda4091
Coverage Product Protection Secure Endpoint Cloudlock N/A CWS Email Security Network Security Stealthwatch N/A Stealthwatch Cloud N/A Secure Malware Analytics Umbrella N/A WSA N/A
Screenshots of Detection Secure Endpoint Secure Malware Analytics MITRE ATT&CK Win.Dropper.Remcos-10011195-0 Indicators of Compromise IOCs collected from dynamic analysis of 28 samples Registry Keys Occurrences \SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: hpsupportdf
6 \SOFTWARE\HPSUPPORTA-3474R7 Value Name: exepath
6 \SOFTWARE\HPSUPPORTA-3474R7 Value Name: licence
6 \SOFTWARE\HPSUPPORTA-3474R7
6 \SOFTWARE\WINRAR
3 \SAM\SAM\DOMAINS\ACCOUNT\USERS\000003E9 Value Name: F
3 \SAM\SAM\DOMAINS\ACCOUNT\USERS\000001F5 Value Name: F
3 \SAM\SAM\DOMAINS\ACCOUNT\USERS\000003EC Value Name: F
3 \SOFTWARE\WINRAR Value Name: HWID
3 \SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: remcos
2 \SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: NetWire
2 \SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN
1 \SOFTWARE\MICROSOFT\INTERNET EXPLORER\INTELLIFORMS\STORAGE2
1 \SOFTWARE\WOW6432NODE\MOZILLA\MOZILLA FIREFOX
1 \SOFTWARE\WOW6432NODE\MOZILLA\MOZILLA FIREFOX\20.0.1 (EN-US)\MAIN
1 \SOFTWARE\WOW6432NODE\MOZILLA\MOZILLA THUNDERBIRD
1 \SOFTWARE\NETWIRE
1 \SOFTWARE\REMCOS_UAGFTAAWDGTKFLY Value Name: EXEpath
1 \SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{4KUJJ476-38ES-RCMH-QGW0-22030L368G76} Value Name: StubPath
1 \SOFTWARE\NETWIRE Value Name: HostId
1 \SOFTWARE\REMCOS_MPGOQKDCERXZZVE Value Name: EXEpath
1 \SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{4KUJJ476-38ES-RCMH-QGW0-22030L368G76}
1 \SOFTWARE\REMCOS_MPGOQKDCERXZZVE
1 \SOFTWARE\REMCOS_UAGFTAAWDGTKFLY
1 \SOFTWARE\NETWIRE Value Name: Install Date
1
Mutexes Occurrences Remcos_Mutex_Inj
8 hpsupporta-3474R7
6 8-3503835SZBFHHZ
1 remcos_uagftaawdgtkfly
1 remcos_mpgoqkdcerxzzve
1 5-7-7D18-X4vYDyz
1 S-1-5-21-2580483-12442889567640
1 S-1-5-21-2580483-15883551588870
1
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences 216[.]218[.]135[.]118
6 192[.]169[.]69[.]25
4 61[.]139[.]126[.]54
1
Domain Names contacted by malware. Does not indicate maliciousness Occurrences teryts1802[.]sytes[.]net
6 onelove03[.]duckdns[.]org
1 fucktoto[.]duckdns[.]org
1 drantvenaco[.]xyz
1 www[.]hydzjg[.]com
1 www[.]verysinr[.]com
1 ebuxxxxx[.]duckdns[.]org
1 tunedd30[.]duckdns[.]org
1 www[.]salesnjinn[.]com
1 www[.]christianroyaltyapparel[.]com
1 www[.]augiticmisknow[.]party
1 www[.]aow85[.]com
1 www[.]horizonenterprisediscovery[.]com
1 onlygoodm[.]com
1
Files and or directories created Occurrences %TEMP%\install.vbs
6 %APPDATA%\hpsupportl
6 %APPDATA%\hpsupportl\logs.dat
6 %APPDATA%\hpsupportk
6 %APPDATA%\hpsupportk\hpsupportw.exe
6 %APPDATA%\remcos
2 %APPDATA%\remcos\logs.dat
2 %APPDATA%\remcos\remcos.exe
2 %APPDATA%\Install
2 %APPDATA%\Install\Host.exe
2 %TEMP%\install.bat
2 %HOMEPATH%\file
1 %HOMEPATH%\file\bin.exe
1 %HOMEPATH%\file\bin.vbs
1 %APPDATA%\5-7-7D18
1 %APPDATA%\5-7-7D18\5-7log.ini
1 %APPDATA%\5-7-7D18\5-7logim.jpeg
1 %APPDATA%\5-7-7D18\5-7logrc.ini
1 %APPDATA%\5-7-7D18\5-7logri.ini
1 %APPDATA%\5-7-7D18\5-7logrv.ini
1 %ProgramFiles(x86)%\Lwbphud
1 %TEMP%\Lwbphud
1 %ProgramFiles(x86)%\Lwbphud\IconCacheojphll2x.exe
1 %TEMP%\Lwbphud\IconCacheojphll2x.exe
1 %TEMP%\1514536984.bat
1
*See JSON for more IOCs
File Hashes 05981c05db85bd1116054ef5e99c5df384ac5c35ff79b76acffd6a99e7aca657 070038fba858d93969038e1c4c7cb70512f248c9d68596c913eba08922da26a6 1dee5ba303986f17484fca28500b8899bbee36d86aa0f34021ec5d82519c9570 21439850d13a4c45e6f75caf0c149dbb15859393ac229ba6c74683777994304d 2a7f24497b90c763c0714c0e1313e5dd899b85963f657bd1302a36fe4c4f55c9 42eaade0de6a185309d3b13a32dc351d93452dbcbdded2ab650143bf8b6cafe4 4ad68afeed6c18b0185e4ec793f825e734935671f4bdbb4ec9c019972ba93064 51ced0fcb9d3fec5cfa3e72de7b930b6d78fc62814abbb7f1162342e8c22cbca 67ec62211a942ea2b60ebb595d909f3961b70356ebf246a8a3b192309258e9e7 680696d80533b37e67db64b6b5503a7b69b7a14d0ef4ce413b38056669620780 6a65bb7a6cde96195d50aa7b55ca5cff73d532eca0db12b626a526039e0d333f 7a7060976e2908d0202c7c318be3226718cc324db2976e5423eb71b3851bad31 81e497b15e18c5da4908b4d6c8fe3c76a47fb4a4135f93efe42da98f48077901 839bdaa5ded4faeb3aff10352dbd93c2b22cdf954314d0a17cb4e3a48c5fef3a 99231a8315c128463e6cfebd53e6c92e9112859adf6bf890839513028c008bbd 9dd2edc4eb2ab7d3a1c238a0b8be7658bd2af062b6f7c03eb578c8a3ad82cdc5 a288e629d848936d273fe256f841902a4f5f328e891954cdcc36ed8f2be066a1 b0f25cb920e6cfacce95d66252e616d042b0260be17def122aa701ab1c005b60 c50094f7f4e916f709f77d744c085077e5e36c5d9f04d3060c070c23b10af856 c7a00b0bc4cff31661baa7f83d0a27c603ac0b6eef28f8f291a055d3590c5470 cae3fd31e5853fb3a9650a85c94d3ee0851e03d53d82c57a49905b97c66a5f74 d58673f907ab243c0a9179fb59047dd6bdce3481fe741516001c7668c8a846e7 dc6b8953fa1be8082acb36898d5ed60fe016afd4b392b1b82f45b1ab0647be49 e0d5d0af7e4b140d9b590e93767d36c44dc3e54fe7fc16ca069a41f8ae7d5321 eb66fd13ec27e7f664138728ee6bf978115d6160a71d033602abe339808d0286
*See JSON for more IOCs
Coverage Product Protection Secure Endpoint Cloudlock N/A CWS Email Security Network Security Stealthwatch N/A Stealthwatch Cloud N/A Secure Malware Analytics Umbrella N/A WSA N/A
Screenshots of Detection Secure Endpoint Secure Malware Analytics MITRE ATT&CK Win.Malware.Zusy-10010855-0 Indicators of Compromise IOCs collected from dynamic analysis of 25 samples IP Addresses contacted by malware. Does not indicate maliciousness Occurrences 128[.]1[.]157[.]224/30
17 128[.]1[.]157[.]228
4 61[.]170[.]77[.]234/31
4 128[.]1[.]157[.]230/31
4 222[.]73[.]33[.]209
2 114[.]80[.]179[.]242
2 61[.]170[.]81[.]250
2 101[.]226[.]26[.]134/31
2 101[.]226[.]26[.]136/31
2 61[.]170[.]77[.]230
1 61[.]170[.]81[.]204
1 101[.]226[.]26[.]140
1 114[.]80[.]179[.]215
1 114[.]80[.]179[.]211
1 61[.]170[.]77[.]229
1 101[.]226[.]26[.]128
1 61[.]170[.]81[.]215
1 61[.]170[.]77[.]236
1 61[.]170[.]81[.]234
1 222[.]73[.]33[.]212
1
Domain Names contacted by malware. Does not indicate maliciousness Occurrences bucket-ynote-online-cdn[.]note[.]youdao[.]com
25 note[.]youdao[.]com
25
Files and or directories created Occurrences \TEMP\code.dll
25 %TEMP%\1063874369\....
1 %TEMP%\1397711845
1 %TEMP%\1397711845\....
1 %TEMP%\1397711751
1 %TEMP%\1397711751\....
1 %TEMP%\1397709317
1 %TEMP%\1397709317\....
1 %TEMP%\1397708319
1 %TEMP%\1397708319\....
1 %TEMP%\1397712250
1 %TEMP%\1397712250\....
1 %TEMP%\1397709348
1 %TEMP%\1397709348\....
1 %TEMP%\1397711860
1 %TEMP%\1397711860\....
1 %TEMP%\1397712671
1 %TEMP%\1397712671\....
1 %TEMP%\1397713139
1 %TEMP%\1397713139\....
1 %TEMP%\1397713841
1 %TEMP%\1397713841\....
1 %TEMP%\1397710409
1 %TEMP%\1397710409\....
1 %TEMP%\1397712999
1
*See JSON for more IOCs
File Hashes 01cc53c302446a2e15a7b7a7a74916f046b4fd33065ef243fbffacd95766d459 03b6b1a6c120c70724a11b2d5b4831157829d07e61a372f066398d9be23ef55c 17e951cbe7d604bb2c3621c77237264c19f90a68d7c9c8024effda9c317e855e 1e6e6c9475dfd79ed14ca92d7ee9dbe0b0b431bc5217e80a1d193415b4ccaa3a 20d7a56937b58e204db62e45611b8a9146e95108b31fc0f5d92cbcc8ea387232 263ec38f95ec125a0f8b48b3a16159130084146fdc9431abc4d7d6142d1467b3 2a491cde6070f6dd980d2e328d54e77cc35370e288e186c1f7c8f9f9209892b0 2b8a116b1809ed75ff2da6932d139166d2c12c0e8ea3e012fc297b0c70f44ab9 3ce95ed5e0819efbbd6442968b24c645942b2337f5ccbea435535d5d8e45a8c6 448580bb338636b13ebd5598cd2f24696e2564dda300eab9a85031cbfe162ff9 498d707a42657c0b7ccfdc2def9d63f4d19c145461ed8964bcd0f1c26b3228eb 4ff2d0d278379eba9906ca0df0eb5a640985da45cd1ea7a4f8af1161f735b426 5496e6ac7968a49bac965aca651582ce874e594592206cad548f5ef353160f1e 63dcc1077304b8ff6d9a555d58cf3a4f9e0218a0246cf899897024815e951dba 6d3ea1979f85f2ac65808b445cc49b3b5e04110a162e4c315169a1c59c2c0b61 70cf7868355f4eacb0c97c210b7d976570764a43b02b79f9b1f659dd868350a6 70f6911ebc64c4fb1a25b9061a1eab4bc57b5fc0089c890f26df35f8da4cad02 850fcf9865a30e415515aa4efdc73d59dc1c59ab3df5621dcf36f6ad7c2f48bc 891ced20003dfe6f9c105e727ecb87ab73cceb642d91c59451630d40441ad58c 8f9fa23402495fdc9c068b2b2d3c6446f4ac94eb8bfc0d411e4f2f9dd8ff82f5 95453ff31dc805f76874fcae507414318ac0240d226967590f18e83e8655012a bc4b18edbf2b6312980b9d11c28beb597dd92312d41c87962f0c7ee90959e66c c1113ed3080862ec70c245b72c1d2914e996dbf8fa847cb7208ffd412f8793a3 c580ccfd7d6e8e5afed318f8aab2ea2798bf8886dfb247beb82d6242d29347e6 c7a1bc66652638a4b2b00f4c6d4d9718380462ca8bfd94242ce085fe4410723e
*See JSON for more IOCs
Coverage Product Protection Secure Endpoint Cloudlock N/A CWS Email Security Network Security N/A Stealthwatch N/A Stealthwatch Cloud N/A Secure Malware Analytics Umbrella N/A WSA N/A
Screenshots of Detection Secure Endpoint Secure Malware Analytics MITRE ATT&CK Win.Packed.AgentTesla-10010785-1 Indicators of Compromise IOCs collected from dynamic analysis of 16 samples Registry Keys Occurrences \SOFTWARE\MICROSOFT\MULTIMEDIA\DRAWDIB
9 \SOFTWARE\MICROSOFT\MULTIMEDIA\DRAWDIB Value Name: 1152x864x32(BGR 0)
9 \SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: AGP Manager
1 \SOFTWARE\WOW6432NODE\MICROSOFT\TRACING\_RASAPI32 Value Name: EnableFileTracing
1 \SOFTWARE\WOW6432NODE\MICROSOFT\TRACING\_RASAPI32 Value Name: EnableConsoleTracing
1 \SOFTWARE\WOW6432NODE\MICROSOFT\TRACING\_RASAPI32 Value Name: FileTracingMask
1 \SOFTWARE\WOW6432NODE\MICROSOFT\TRACING\_RASAPI32 Value Name: ConsoleTracingMask
1 \SOFTWARE\WOW6432NODE\MICROSOFT\TRACING\_RASAPI32 Value Name: MaxFileSize
1 \SOFTWARE\WOW6432NODE\MICROSOFT\TRACING\_RASAPI32 Value Name: FileDirectory
1 \SOFTWARE\WOW6432NODE\MICROSOFT\TRACING\_RASMANCS Value Name: EnableFileTracing
1 \SOFTWARE\WOW6432NODE\MICROSOFT\TRACING\_RASMANCS Value Name: EnableConsoleTracing
1 \SOFTWARE\WOW6432NODE\MICROSOFT\TRACING\_RASMANCS Value Name: FileTracingMask
1 \SOFTWARE\WOW6432NODE\MICROSOFT\TRACING\_RASMANCS Value Name: ConsoleTracingMask
1 \SOFTWARE\WOW6432NODE\MICROSOFT\TRACING\_RASMANCS Value Name: MaxFileSize
1 \SOFTWARE\WOW6432NODE\MICROSOFT\TRACING\_RASMANCS Value Name: FileDirectory
1 \SOFTWARE\WOW6432NODE\MICROSOFT\TRACING\_RASAPI32
1 \SOFTWARE\WOW6432NODE\MICROSOFT\TRACING\_RASMANCS
1 \SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: MyOtApp
1
Mutexes Occurrences HMYAYDAVR5GSQKT8N5DJ
1 Global\{691d653b-e3fd-4576-a193-64407d29eeee}
1
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences 193[.]122[.]130[.]0
4 132[.]226[.]8[.]169
4 193[.]122[.]6[.]168
3 172[.]67[.]69[.]96
3 162[.]213[.]251[.]134
2 149[.]154[.]167[.]220
1 185[.]199[.]111[.]133
1 45[.]67[.]228[.]51
1 158[.]101[.]44[.]242
1 104[.]26[.]10[.]89
1 104[.]26[.]11[.]89
1 172[.]67[.]150[.]79
1 89[.]47[.]1[.]10
1
Domain Names contacted by malware. Does not indicate maliciousness Occurrences checkip[.]dyndns[.]org
9 dispatchweekly[.]com
5 kenesrakishev[.]net
2 rakishev[.]net
2 raw[.]githubusercontent[.]com
1 api[.]telegram[.]org
1
Files and or directories created Occurrences %APPDATA%\ScreenShot
9 %APPDATA%\ScreenShot\screen.jpeg
9 %ProgramFiles(x86)%\AGP Manager
1 %ProgramFiles(x86)%\AGP Manager\agpmgr.exe
1 %APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5
1 %APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\Logs
1 %APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\Logs\Administrator
1 %APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\run.dat
1 %APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\task.dat
1 %System32%\Tasks\AGP Manager
1 %System32%\Tasks\AGP Manager Task
1 \TEMP\DotNetZip.dll
1 %TEMP%\tmp791.tmp
1 %APPDATA%\Adobe\R.exe
1 %TEMP%\V8.exe
1 %APPDATA%\Adobe\2.exe
1 %APPDATA%\Adobe\.exe
1 %APPDATA%\audddd
1 %ProgramData%\Application Data\GL.exe
1 %ProgramData%\Start Menu\9H6RQHZI64J.exe
1 %ProgramData%\Microsoft\Windows\Start Menu\9H6RQHZI64J.exe
1 %ProgramData%\GL.exe
1 %APPDATA%\Identities\OIX.exe
1 %LOCALAPPDATA%\7a5d2bcb028d0c29c6ab36d358820c4b
1 %TEMP%\tmp6D17.tmp
1
*See JSON for more IOCs
File Hashes 00515fe91a6b40d5c5ae851cb18d31c675ff38901edd352b3e6379087d5f2b26 0dc49cff6bbb27af37cb8e199f8f4122fcedf647955660d980c9944e3b58d7fc 0e2e87be4f630eca53dc753711ccffd41f771e2fd9ce446a7491674329209844 1c95a9e24ef743ee2bd1ce1e8362ecfe500ec095812bd1a43db9e93370006e51 36d939859128fd7a891258579fafa9b522ca637202b292f05acc8ee47dfd20a0 3e49fe819025e4a6e061584f1a596f535d8c7dae935a079121ef19e0c11b3e60 488c73c88c1aeeede951446e63b9f0fced2a913f1610fc0e71ae0ab1aa826b82 5498127f11928bb91062949e7f2d2a140164036490563db5fcfb85c29e4d3e1f 610f1d2a16f1511223b1a969ef53a772ccb2ead1fea79cf3d67eb3faf06de540 62904bd3def9671a1352f9cbc0d36e1981663bbd954c2f42e1e88460517d8784 6b28372c408fbc0dc427b6f62aef80fd79df3d1db0c55da22468a4af442f2881 74e11cf2be6cd94f573a8121013c74cc93558aa8cde83780c4854d3ec3bdf1c6 7ce409445bd96bdda132a6c97169dfd2dcf69c1e59a526b1a6882ed154e33185 a1220eb6311115d3a4a6cbf77665fb444a54f9d715ee0e5c9651459222118c95 a7d7f71dd797380ee843dd5ccd9d73b898b9d8eaf25dfa8dc7be66e2c36f83a8 f704722d897598af8c22bbca70c9edc3d6a69ca00568bf4150881be567ba52da
Coverage Product Protection Secure Endpoint Cloudlock N/A CWS Email Security Network Security Stealthwatch N/A Stealthwatch Cloud N/A Secure Malware Analytics Umbrella WSA
Screenshots of Detection Secure Endpoint Secure Malware Analytics MITRE ATT&CK Win.Trojan.Tofsee-10010766-0 Indicators of Compromise IOCs collected from dynamic analysis of 17 samples Registry Keys Occurrences \SYSTEM\CONTROLSET001\SERVICES\
14 \SYSTEM\CONTROLSET001\SERVICES\ Value Name: Type
14 \SYSTEM\CONTROLSET001\SERVICES\ Value Name: Start
14 \SYSTEM\CONTROLSET001\SERVICES\ Value Name: ErrorControl
14 \SYSTEM\CONTROLSET001\SERVICES\ Value Name: DisplayName
14 \SYSTEM\CONTROLSET001\SERVICES\ Value Name: WOW64
14 \SYSTEM\CONTROLSET001\SERVICES\ Value Name: ObjectName
14 \SYSTEM\CONTROLSET001\SERVICES\ Value Name: ImagePath
14 \SYSTEM\CONTROLSET001\SERVICES\ Value Name: Description
12 \.DEFAULT\CONTROL PANEL\BUSES
11 \.DEFAULT\CONTROL PANEL\BUSES Value Name: Config2
11 \.DEFAULT\CONTROL PANEL\BUSES Value Name: Config0
11 \.DEFAULT\CONTROL PANEL\BUSES Value Name: Config1
11 \SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS Value Name: C:\Windows\SysWOW64\isupldcy
1 \SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS Value Name: C:\Windows\SysWOW64\vfhcyqpl
1 \SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS Value Name: C:\Windows\SysWOW64\mwytphgc
1 \SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS Value Name: C:\Windows\SysWOW64\fprmiazv
1 \SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS Value Name: C:\Windows\SysWOW64\jtvqmedz
1 \SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS Value Name: C:\Windows\SysWOW64\gqsnjbaw
1 \SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS Value Name: C:\Windows\SysWOW64\tdfawonj
1 \SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS Value Name: C:\Windows\SysWOW64\xhjeasrn
1 \SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS Value Name: C:\Windows\SysWOW64\blniewvr
1 \SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS Value Name: C:\Windows\SysWOW64\lvxsogfb
1 \SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS Value Name: C:\Windows\SysWOW64\uegbxpok
1
Mutexes Occurrences SlimeLoveAllTheTime
1 Global\439f74e1-67b1-11ee-9660-001517b0163a
1 Global\1352bd61-6914-11ee-9660-0015174ac6a1
1 Global\15b95d21-6914-11ee-9660-0015175f9dd6
1
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences 176[.]113[.]115[.]136
14 80[.]66[.]75[.]4
14 176[.]113[.]115[.]135
14 45[.]143[.]201[.]238
14 62[.]122[.]184[.]92
14 176[.]113[.]115[.]84/31
14 62[.]122[.]184[.]58
14 193[.]106[.]174[.]220
14 142[.]250[.]80[.]68
10 31[.]13[.]65[.]52
8 149[.]154[.]167[.]99
7 142[.]250[.]65[.]227
7 93[.]115[.]25[.]49
7 93[.]115[.]25[.]73
7 31[.]13[.]65[.]174
5 142[.]250[.]80[.]67
5 93[.]115[.]25[.]13
5 93[.]115[.]25[.]10
5 20[.]231[.]239[.]246
5 93[.]115[.]25[.]110
4 23[.]200[.]98[.]58
4 104[.]75[.]113[.]100
4 34[.]120[.]241[.]214
4 34[.]117[.]59[.]81
3 142[.]250[.]74[.]68
3
*See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousness Occurrences 249[.]5[.]55[.]69[.]in-addr[.]arpa
14 www[.]google[.]com
14 vanaheim[.]cn
14 249[.]5[.]55[.]69[.]bl[.]spamcop[.]net
11 249[.]5[.]55[.]69[.]cbl[.]abuseat[.]org
11 249[.]5[.]55[.]69[.]dnsbl[.]sorbs[.]net
11 249[.]5[.]55[.]69[.]sbl-xbl[.]spamhaus[.]org
11 249[.]5[.]55[.]69[.]zen[.]spamhaus[.]org
11 microsoft-com[.]mail[.]protection[.]outlook[.]com
11 microsoft[.]com
11 i[.]instagram[.]com
8 www[.]google[.]es
7 t[.]me
7 steamcommunity[.]com
7 api[.]steampowered[.]com
7 www[.]instagram[.]com
5 api[.]vk[.]com
5 www[.]amazon[.]co[.]uk
4 www[.]evernote[.]com
4 ok[.]ru
4 www[.]google[.]fr
3 www[.]tiktok[.]com
3 imap[.]rambler[.]ru
3 www[.]yahoo[.]com
2 www[.]google[.]com[.]au
2
*See JSON for more IOCs
Files and or directories created Occurrences %SystemRoot%\SysWOW64\
14 %TEMP%\.exe
13 %SystemRoot%\SysWOW64\config\systemprofile
11 %SystemRoot%\SysWOW64\config\systemprofile:.repos
11 %HOMEPATH%\AppData\LocalLow\sqlite3.dll
1 %HOMEPATH%\AppData\LocalLow\freebl3.dll
1 %HOMEPATH%\AppData\LocalLow\mozglue.dll
1 %HOMEPATH%\AppData\LocalLow\msvcp140.dll
1 %HOMEPATH%\AppData\LocalLow\nss3.dll
1 %HOMEPATH%\AppData\LocalLow\softokn3.dll
1 %HOMEPATH%\AppData\LocalLow\vcruntime140.dll
1 %TEMP%\lualjyq.exe
1 %HOMEPATH%\AppData\LocalLow\1T95Ye0aeftg
1 %HOMEPATH%\AppData\LocalLow\1T95Ye0aeftg-shm
1 %HOMEPATH%\AppData\LocalLow\1T95Ye0aeftg-wal
1 %HOMEPATH%\AppData\LocalLow\7th8d2Q2U980
1 %HOMEPATH%\AppData\LocalLow\EZi3W6aEj1e5
1
File Hashes 0c018ba0c0b75323b87ec3f55c6ed7302549b56e1ebd5b7c70c8a33fc6c5a65e 42b2cb14dd123186b342a9b6e7f4602e8a3e6be4464aa224f50623307b027edc 5526ee913fc27725e10272fcc696ab0c7178db48dced8a9928358fb8e11b49ac 57d3bf38fe4fed3bc50773533d46358be48c5e81384e380ae488b91f67e8873f 61dba3ac0001f7af924d4a228306e0cd3749445ba368a77b22ba9f30f98f0379 6f1b7a7f4cdf4cd4263bcfa854cbf6eceb044439ffb183487458361d473db258 88d59c2c9d8b4ff76d08e057d226530f5cee5abd564267656f1a1a5a6002521a ad160e7bddf415b5b3ecf4c951f5d0a7e53bf3434f7b8c50713ba110f49002f2 b25f931f36baf4661f2bef5bab7eaf46f159757dd6f874d98ba96f8edacccd3b c1f292d936e613e673ff96354e9f0a1e984a02996e6d92ac18291f6f310c739a c3020144db0b8288140b7f88d5909851b1aacaa3df70f8f3f2c81cae76fd7e85 cc961cfe772710958620932d215481c71a931d50d5bd520a947796a1646d9405 da2a7c7a129426bcfab067d91f27467ebcde5996db5fe6e69c8418aff9e0345d dc548cbbab081ed14e4805259afe55185717aa611eea409b480105f8addfa118 f49986695c72d2307fb1ae3cc76fe29798a6e843bc0d0240af3c83c60da1f7cc fa569fdde5a4dcc5ca5636c8cd1294d57ab7096dddfc698be744fbeb0a70b7ca fc7ca972d18acc6d5ed9c6efa7004c66902fb8d19c00d2d1fc2bed4dcad30a1a
Coverage Product Protection Secure Endpoint Cloudlock N/A CWS Email Security Network Security Stealthwatch N/A Stealthwatch Cloud N/A Secure Malware Analytics Umbrella WSA
Screenshots of Detection Secure Endpoint Secure Malware Analytics MITRE ATT&CK Win.Dropper.Glupteba-10010808-0 Indicators of Compromise IOCs collected from dynamic analysis of 13 samples Registry Keys Occurrences \SOFTWARE\MICROSOFT\A1890984 Value Name: PatchTime
12 \SOFTWARE\MICROSOFT\A1890984 Value Name: PGDSE
12 \SYSTEM\CONTROLSET001\SERVICES\VBOXWDDM Value Name: DisplayName
12 \SYSTEM\CONTROLSET001\SERVICES\VBOXWDDM Value Name: WOW64
12 \SYSTEM\CONTROLSET001\SERVICES\VBOXWDDM Value Name: ObjectName
12 \SYSTEM\CONTROLSET001\SERVICES\VBOXSF Value Name: Type
12 \SYSTEM\CONTROLSET001\SERVICES\VBOXSF Value Name: Start
12 \SYSTEM\CONTROLSET001\SERVICES\VBOXSF Value Name: ErrorControl
12 \SYSTEM\CONTROLSET001\SERVICES\VBOXSF Value Name: ImagePath
12 \SYSTEM\CONTROLSET001\SERVICES\VBOXSF Value Name: DisplayName
12 \SYSTEM\CONTROLSET001\SERVICES\VBOXSF Value Name: WOW64
12 \SYSTEM\CONTROLSET001\SERVICES\VBOXSF Value Name: ObjectName
12 \SYSTEM\CONTROLSET001\SERVICES\VBOXMOUSE Value Name: Type
12 \SYSTEM\CONTROLSET001\SERVICES\VBOXMOUSE Value Name: Start
12 \SYSTEM\CONTROLSET001\SERVICES\VBOXMOUSE Value Name: ErrorControl
12 \SYSTEM\CONTROLSET001\SERVICES\VBOXMOUSE Value Name: ImagePath
12 \SYSTEM\CONTROLSET001\SERVICES\VBOXMOUSE Value Name: DisplayName
12 \SYSTEM\CONTROLSET001\SERVICES\VBOXMOUSE Value Name: WOW64
12 \SYSTEM\CONTROLSET001\SERVICES\VBOXMOUSE Value Name: ObjectName
12 \SYSTEM\CONTROLSET001\SERVICES\VBOXGUEST Value Name: Type
12 \SYSTEM\CONTROLSET001\SERVICES\VBOXGUEST Value Name: Start
12 \SYSTEM\CONTROLSET001\SERVICES\VBOXGUEST Value Name: ErrorControl
12 \SYSTEM\CONTROLSET001\SERVICES\VBOXGUEST Value Name: ImagePath
12 \SYSTEM\CONTROLSET001\SERVICES\VBOXGUEST Value Name: DisplayName
12 \SYSTEM\CONTROLSET001\SERVICES\VBOXGUEST Value Name: WOW64
12
Mutexes Occurrences Global\SetupLog
12 Global\WdsSetupLogInit
12 Global\h48yorbq6rm87zot
12 WininetConnectionMutex
12 Global\qtxp9g8w
12 Global\xmrigMUTEX31337
2 Global\923de961-62ac-11ee-9660-001517289b0f
1
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences 204[.]79[.]197[.]219
12 172[.]67[.]212[.]188
10 20[.]150[.]38[.]228
9 185[.]82[.]216[.]48/31
8 20[.]150[.]79[.]68
6 162[.]159[.]135[.]233
4 172[.]253[.]120[.]127
4 162[.]159[.]129[.]233
3 74[.]125[.]128[.]127
3 185[.]82[.]216[.]50
3 162[.]159[.]130[.]233
2 162[.]159[.]134[.]233
2 20[.]150[.]70[.]36
2 142[.]250[.]144[.]127
2 104[.]21[.]23[.]184
2 162[.]159[.]133[.]233
1 142[.]250[.]15[.]127
1 142[.]250[.]112[.]127
1 3[.]33[.]249[.]248
1 185[.]82[.]216[.]65
1 173[.]214[.]169[.]17
1 178[.]236[.]247[.]232
1
Domain Names contacted by malware. Does not indicate maliciousness Occurrences msdl[.]microsoft[.]com
12 vsblobprodscussu5shard35[.]blob[.]core[.]windows[.]net
12 vsblobprodscussu5shard60[.]blob[.]core[.]windows[.]net
12 cdn[.]discordapp[.]com
12 walkinglate[.]com
12 stun3[.]l[.]google[.]com
4 stun[.]stunprotocol[.]org
3 stun4[.]l[.]google[.]com
3 79102df1-5f9d-4ca9-bdf6-1fa1060285b4[.]uuid[.]mypushtimes[.]net
3 stun2[.]l[.]google[.]com
2 server9[.]mypushtimes[.]net
2 79102df1-5f9d-4ca9-bdf6-1fa1060285b4[.]uuid[.]haoshuruzhiyou[.]co[.]in
2 79102df1-5f9d-4ca9-bdf6-1fa1060285b4[.]uuid[.]cdntokiog[.]studio
2 stun[.]sipgate[.]net
1 stun[.]l[.]google[.]com
1 stun1[.]l[.]google[.]com
1 server1[.]zaoshanghao[.]su
1 server13[.]cdntokiog[.]studio
1 79102df1-5f9d-4ca9-bdf6-1fa1060285b4[.]uuid[.]zaoshang[.]ru
1 79102df1-5f9d-4ca9-bdf6-1fa1060285b4[.]uuid[.]zaoshanghao[.]su
1 server6[.]safarimexican[.]net
1 server6[.]haoshuruzhiyou[.]co[.]in
1 79102df1-5f9d-4ca9-bdf6-1fa1060285b4[.]uuid[.]safarimexican[.]net
1 server16[.]zaoshang[.]ru
1 server1[.]haoshuruzhiyou[.]co[.]in
1
*See JSON for more IOCs
Files and or directories created Occurrences %SystemRoot%\Logs\CBS\CBS.log
12 %SystemRoot%\rss
12 %SystemRoot%\rss\csrss.exe
12 %TEMP%\csrss
12 %TEMP%\csrss\dsefix.exe
12 %TEMP%\csrss\patch.exe
12 %System32%\drivers\Winmon.sys
12 %System32%\drivers\WinmonFS.sys
12 %System32%\drivers\WinmonProcessMonitor.sys
12 %SystemRoot%\windefender.exe
12 %TEMP%\Symbols
12 %TEMP%\Symbols\ntkrnlmp.pdb
12 %TEMP%\Symbols\ntkrnlmp.pdb\9E22A5947A15489895CE716436B45BE02
12 %TEMP%\Symbols\ntkrnlmp.pdb\9E22A5947A15489895CE716436B45BE02\download.error
12 %TEMP%\Symbols\pingme.txt
12 %TEMP%\Symbols\winload_prod.pdb
12 %TEMP%\Symbols\winload_prod.pdb\B7B16B17E078406E806A050C8BEE2E361
12 %TEMP%\Symbols\winload_prod.pdb\B7B16B17E078406E806A050C8BEE2E361\download.error
12 %TEMP%\dbghelp.dll
12 %TEMP%\ntkrnlmp.exe
12 %TEMP%\osloader.exe
12 %TEMP%\symsrv.dll
12 %TEMP%\csrss\DBG0.tmp
12 %System32%\Tasks\csrss
12 %TEMP%\csrss\injector
12
*See JSON for more IOCs
File Hashes 086371131dd2487c7dbb05bc1e67afb2d18e85df7f54facecf8b04490fd269b2 08b281c516048087ec8fab4cfae4b5546e02eefdafbc95dabb55c942c4c16395 2754883908b96204bbb60cfa0822701549ee115eb6028555a90c0cdbe0495c7f 2ffed7363cf4bc5a5ff7d27646fea7ac1ae0dd7e1332ea604a8da1f99d57e0f9 4feb8163d161750583d541adf29b61e3e493aa8ee474e927f0ce5d9c3c0b49a6 69275d573d4a65c61094b3791d93f60ce492f15d98fcffaaa081b81fcf9bd2ed 84b3e26f8885900c196d3cd32c2a2b3be75351e8e3b5aea38c166dd0fa2abf47 902b0087fb710e4f361248356292ecca1309f980bf00cd9d97d4d2eb5c3bbcca a6cc331a1f7b6f2e81a5edf4ff093e2c4664553e0b899592164320d71d0d2e94 b819b7e697eae7d6d679790d8708d4d71e0b2e2f4dd3bc8aeca8b5522bafc8b4 bd853acffcff627107f4a5222043b3b56867d41a51e7d5e069b9fe91f892feed d48dd78cfb8ac01a3f0015489a1e87e5d8d732d15d3fcc241c684e1e610be75b dfb6425a4926b59bdb800173fa75f296a8066057587e1ddf712ec9a670cce2e5
Coverage Product Protection Secure Endpoint Cloudlock N/A CWS Email Security Network Security Stealthwatch N/A Stealthwatch Cloud N/A Secure Malware Analytics Umbrella WSA
Screenshots of Detection Secure Endpoint Secure Malware Analytics MITRE ATT&CK Win.Dropper.Nanocore-10011208-0 Indicators of Compromise IOCs collected from dynamic analysis of 25 samples Registry Keys Occurrences \SOFTWARE\WINRAR
6 \SAM\SAM\DOMAINS\ACCOUNT\USERS\000003E9 Value Name: F
6 \SAM\SAM\DOMAINS\ACCOUNT\USERS\000001F5 Value Name: F
6 \SAM\SAM\DOMAINS\ACCOUNT\USERS\000003EC Value Name: F
6 \SOFTWARE\WINRAR Value Name: HWID
6 \SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: hpsupportdf
4 \SOFTWARE\HPSUPPORTA-0NMJO7 Value Name: exepath
4 \SOFTWARE\HPSUPPORTA-0NMJO7 Value Name: licence
4 \SOFTWARE\HPSUPPORTA-0NMJO7
4 \SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: AGP Manager
3 \SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: NetWire
1 \SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: hpsupport
1 \SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON Value Name: Userinit
1 \SOFTWARE\NETWIRE
1 \SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN Value Name: 5J-XUFWH2T
1 \SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: chrome
1 \SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{R7881T2L-5Q6O-A6AF-YTOP-UR6LGAD671YS} Value Name: StubPath
1 \SOFTWARE\NETWIRE Value Name: HostId
1 \SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: Registry Key Name
1 \SOFTWARE\REMCOS_XOQLVKOBZX
1 \SOFTWARE\REMCOS_XOQLVKOBZX Value Name: EXEpath
1 \SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{R7881T2L-5Q6O-A6AF-YTOP-UR6LGAD671YS}
1 \SOFTWARE\NETWIRE Value Name: Install Date
1 \SOFTWARE\HPSUPPORT-14R0XW
1 \SOFTWARE\HPSUPPORT-14R0XW Value Name: exepath
1
Mutexes Occurrences Remcos_Mutex_Inj
6 hpsupporta-0NMJO7
4 8-3503835SZBFHHZ
1 7433cdb324b04dd5e3c3db213381216c7c539baa
1 J14-9347TBE693E5
1 remcos_xoqlvkobzx
1 hpsupport-14R0XW
1
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences 203[.]170[.]80[.]250
1 213[.]186[.]33[.]5
1 192[.]169[.]69[.]25
1 91[.]195[.]240[.]126
1 5[.]79[.]68[.]107
1 65[.]99[.]252[.]216
1 204[.]152[.]219[.]98
1 79[.]134[.]225[.]17
1 39[.]96[.]26[.]145
1 198[.]187[.]30[.]187
1 199[.]80[.]53[.]28
1 194[.]5[.]98[.]83
1 194[.]5[.]98[.]81
1 37[.]49[.]224[.]172
1 34[.]237[.]212[.]127
1 44[.]219[.]130[.]155
1
Domain Names contacted by malware. Does not indicate maliciousness Occurrences manafuuh[.]ddns[.]net
4 checkip[.]amazonaws[.]com
2 www[.]gedhang[.]win
1 www[.]regular123[.]com
1 www[.]centronasser[.]com
1 www[.]sondcn[.]com
1 www[.]techotakus[.]com
1 www[.]oligo-le-nuton[.]com
1 www[.]hobonichidouga[.]com
1 www[.]spasence[.]online
1 www[.]lovendwild[.]com
1 www[.]urgamesim[.]com
1 www[.]1tzae[.]top
1 www[.]coincoin9[.]com
1 onlygoodm[.]com
1 rezkathryn289[.]ddns[.]net
1 ben1234[.]duckdns[.]org
1 cepastr[.]ddns[.]net
1 oluebebchi[.]duckdns[.]org
1 locash[.]hopto[.]org
1
Files and or directories created Occurrences %TEMP%\install.vbs
5 %APPDATA%\hpsupportl
4 %APPDATA%\hpsupportl\logs.dat
4 %APPDATA%\hpsupportk
4 %APPDATA%\hpsupportk\hpsupportw.exe
4 %ProgramFiles(x86)%\AGP Manager
3 %ProgramFiles(x86)%\AGP Manager\agpmgr.exe
3 %APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5
3 %APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\Logs
3 %APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\Logs\Administrator
3 %APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\run.dat
3 %HOMEPATH%\subfolder\filename.exe
1 %HOMEPATH%\subfolder\filename.vbs
1 %APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\task.dat
1 %System32%\Tasks\AGP Manager
1 %System32%\Tasks\AGP Manager Task
1 %APPDATA%\Install\Host.exe
1 %TEMP%\install.bat
1 %APPDATA%\chrome
1 %APPDATA%\chrome\chrome.exe
1 %ProgramData%\7433cdb324b04dd5e3c3db213381216c7c539baa
1 %APPDATA%\hpsupport
1 %APPDATA%\hpsupport\hpsupport.exe
1 %APPDATA%\hpsupport\logs.dat
1 %ProgramFiles(x86)%\Lqdfp\systrayzt48dxy8.exe
1
*See JSON for more IOCs
File Hashes 00c935c3cf87816fd66654a66a5e3ec1a40674eabaf05b65082190e1a1bd55e4 0c403455d1949c9b643d9299300fd6816c8527549cf1566e44a9f653dde909f5 2f79337e254db1abc0df8e59f15b97e3f6325c8118f9563ef514d569e90dee34 639d23e7cfb18c85c237fda935e3a69cc105a31cb2d58fd25cb222b16e0ebc2b 6edf59ab00fc8a5c0baaf2600c3deeb2c8c52fa6454541b86213521629f2225c 8304a713ec50838d56a6bc1a489c87e8b1ccccdb090098ad4efed69e8012f1a4 92a2fb494f7dd6cd2908567b3f9d81664c0ce27532936651f85b8302dab6ea6c 96670d316eec735cbb7dda69e578659260f220e3651f89d0d413c3f6044b5510 a52143ab756a37bcd7de8b5869061a195d9f404dba80e5b6ee14b6d7548c1ad8 aaa9888059a78dc3eff1c8939f125052ce50914b2c5149b667cfb33f2d60793b ada0ca0f3efdc72e6bb70e00df6ae03411044bc50e9c2973ec3eafa73c27fe2a b56f043f756603fd39d94dc38fcd472c38014c93797eaee14851eaf9815e2801 c12defeb704dbb21f54896cd1f7e0ec6ee3ed1dd4bd3ebf777b95d291f9b05ed cb17955c8f1a7c7649b5a53d855898a2834f95a4bc052a249d637de20ccac17e cccbc7d541a6e9b352d2e6f52f8083b024561f71fd0b7195bfab03c9103e827b cf66700f2113d532cc65fd93d92a1aaadf58df032cb04341a99b9fd96c1cc8b9 d418893a78767ea5afe08f34328232b893046f2190b6822a4a55a23cd807a88d d5c4b482c7282d1a767b7d165c47261d14959a4acd6f2bd07ccd0548d3589310 da29289e269a7c5d79dbad8e5976c912beec40d77166cbc386506769c064b548 de6f39611192f151bd3417c60c880356a8840d7f235a01d2f0b83206b5ccfd25 f03e9ebe28c6f2ad739335ef71ec842f43b5034e94f8a1c3892491800f3145e3 f5f1f247d16a00e76173edc03ecf60636ff7a9c6c898f0e048e30f02ecfc113b f7a5e4ba58c46562fa48143e2e05ae3eecc46501ae288b900e61621b56b20fee fb12b01fcf79d933460bb7db24db9c4adc0e02f2efc879c495fa16bba3a562bb fb755b396eeac9da53149162551ba0a052851026f15a12b2b5240a9bc6716377
Coverage Product Protection Secure Endpoint Cloudlock N/A CWS Email Security Network Security Stealthwatch N/A Stealthwatch Cloud N/A Secure Malware Analytics Umbrella N/A WSA
Screenshots of Detection Secure Endpoint Secure Malware Analytics MITRE ATT&CK Win.Dropper.DarkComet-10011490-1 Indicators of Compromise IOCs collected from dynamic analysis of 27 samples Registry Keys Occurrences \SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN
27 \SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN
27 \SOFTWARE\LOCAL APPWIZARD-GENERATED APPLICATIONS
27 \SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{1ONY8XDG-DX6S-CQ0K-8R1G-272WTPXC6H5P}
27 \SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN Value Name: Policies
27 \SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN Value Name: Policies
27 \SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: HKLM
27 \SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: HKCM
27 \SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{1ONY8XDG-DX6S-CQ0K-8R1G-272WTPXC6H5P} Value Name: StubPath
27 \SOFTWARE\NOTEPAD
27 \SOFTWARE\NOTEPAD Value Name: NewIdentification
27 \SOFTWARE\NOTEPAD Value Name: FirstExecution
27 \SOFTWARE\MICROSOFT Value Name: PIDprocess
27
Mutexes Occurrences _x_X_BLOCKMOUSE_X_x_
27 _x_X_PASSWORDLIST_X_x_
27 _x_X_UPDATE_X_x_
27 _y_X_PASSWORDLIST_X_y_
27 JoKeR_MaSK_SEMUTEX
27 lass
27 lass_PERSIST
27 lass_SAIR
27 GREAME_RAT-_-MUTEX
27
Domain Names contacted by malware. Does not indicate maliciousness Occurrences tigersa[.]no-ip[.]biz
27
Files and or directories created Occurrences %APPDATA%\logs.dat
27 %TEMP%\X-GRY-X.txt
27 %ProgramFiles(x86)%\windows
27 %TEMP%\GRY-XX-X
27 %TEMP%\uU-GRY-Xx
27 %ProgramFiles(x86)%\windows\lass.exe
27
File Hashes 01b01c090edaec7b0cfd0b6354c66e696130f484edbe71b730d63f8d941f71a1 1a368187dbc3d13c67f69f122f2420cd4a87bfd3d87a3efd2105d28de04eb817 1d1309c1d4851b6a9c86fc17097325bfce70964548d5a9bfe700dd4c64dfbeba 2c76ce0aebb7e93a981dd47e712c1461ed3f5aac5ab5c440668d00522f9418b0 2cd4442ad9276beaa4059620cc716572c23a52668eb1dc8374f01d5f54c52bc3 2d73a63f0a5c565e55661a1aef0344a26431046417c9cc15c16b8695e1f97547 3e69bd53a6343bb72380184dd0c8b410c42d8ae73ba06b209293c3213cff7a56 471c39751ac6b560567fffea6af72fec4c169d5dbb9b4ee5c6f000d084d4f2a2 65af16839bf587ccc768a72388974eff49af308602588cfcbb11062311cba04d 7f05a9d3b9ca35d54b542f550eb34307279922bd95b3041dd93ff52f736d522d 8e618ff246cbacd3a40cb407d1930e764f924809a73fe72136a4d6f975388afc 96ce4dc0acc185fce6ebf43194ee47d58e18eacb05a71eca3f389823574a38f0 a487474d0476a93ca474b9874a1b3729adcbe25c2da368277b1a2cba64ccf0a0 a7efeacdcf8508e36b4b917141fe37bd427995955c93617ec40d002742a9c93f acbfbe381bba59151af2ac2309451d3a4850407724f58eba69eb67b98ded2004 b0810d35107bc6b30cbaaa2e0dfd42f70a5e16302128a653af4ab4f7128f4bf8 b6f4e980ceea8c55e78ce9d9768bfe901790f13d9e0aa1b03fabf26f3873ae54 c65a2f53920f6403b649570b8b98a120a9e9db472f4a89e0d027ed345acc486c c8799d7d6f8b161b4e1b3ad06d66584da7e24ab2ef741eae73f4ad0545626559 c988702baf4bae86fb2da35b5c1ab466764fffa8fc4acb6c6a5e2ff3fc56fbee ced5fffd715ac29276b0e655fc8d1b353ae3988a0fa134343a4eccd70eb94812 d7743498bb6c17664b8afa43212d90653bc8a74804543af34667255bd7a3aba8 d9c50f22e3c9d5dd9edb80b0857c00b6f8262053afa6643365b9918571944e80 dfb79015230e4b5d5e7a32b0dbfc5193e6e65865b6b798525451027782dadc3e eacb36be8ba58d3138acded71542fb68579ba0144c15699b412196252d75da53
*See JSON for more IOCs
Coverage Product Protection Secure Endpoint Cloudlock N/A CWS Email Security Network Security N/A Stealthwatch N/A Stealthwatch Cloud N/A Secure Malware Analytics Umbrella N/A WSA N/A
Screenshots of Detection Secure Endpoint Secure Malware Analytics MITRE ATT&CK
文章来源: https://blog.talosintelligence.com/threat-roundup-1013-1020/ 如有侵权请联系:admin#unsafe.sh