As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.
You can find an additional JSON file here that includes the IOCs in this post, as well as all hashes associated with the cluster. That list is limited to 25 hashes in this blog post. As always, please remember that all IOCs contained in this document are indicators, and one single IOC does not indicated maliciousness.
The most prevalent threats highlighted in this roundup are:
- Win.Malware.Zbot-6732674-0
Malware
Zbot, also known as Zeus, is a trojan that steals information, such as banking credentials, using methods such as key-logging and form-grabbing.
- Win.Malware.Sivis-6734391-0
Malware
Sivis is a type of trojan that is usually downloaded from the internet and installed by unsuspecting users. This trojan variant also includes sandbox evasion logic. It has the ability to move numerous files to the Recycle Bin.
- Win.Malware.Explorerhijack-6734396-0
Malware
A hijacker could use this malware to change the user's browser's home page, redirect the user to suspicious websites, and then lead them to advertisements and commercial content that generates pay-per-click revenue for its developers.
- Xls.Malware.Cwsp-6735643-0
Malware
This is an Excel-based downloader that uses PowerShell to retrieve the next stage of the malware executable. Microsoft Office displays a warning to the user before the payload actually gets activated.
- Win.Trojan.Mikey-6735890-0
Trojan
This cluster focuses on malware that creates a specific cluster so the malware can achieve persistence. The samples have anti-analysis tricks to complicate the analysis. This family is known for the plugin architecture and for the intense network activity. This week, Mikey used the AppWizard packaging system. It is based on common Microsoft code, using the Microsoft Foundation Classes (MFC) to start a simple application. Malicious programs use this packer to stage process hollowing and obfuscate the malicious code.
Threats
Win.Malware.Zbot-6732674-0
Indicators of Compromise
Registry Keys
- <HKLM>\software\Wow6432Node\microsoft\windows nt\currentversion\winlogon
- <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
- Value Name: userinit
- N/A
- N/A
- N/A
- %WinDir%\SysWOW64\ntos.exe
- 0105bb0a81ceb78f84de07f7336a6ecdd95721545b3e47c96ae45f94a8fe8506
- 0114885e69a066a72f12eb475c9ae36e0851309ce6902a547dd60915ab785523
- 01be29f0973f96218bf0554f2212ee60fe8563a9fa5e9f1cc04b948a02a5989a
- 0280026374e8bc24bd0987abde9c8ded202bc489e0f718c2fbd87d541f2003e0
- 03262248439bc3ed3af3cc12a50d3595a0230b6a01fd3c6e34838750a01a4b72
- 03480a5dda4243eec0e9826a386729670c50c9cdcfd12109febf16695e7302ce
- 03746100716d1a66312b69c03ba2166aab6075f24ca826197972bf30a117dadb
- 03c2c34bd542dde2d600697bb658399498be9ff74614ab938adb3f77a4183c4c
- 0462f5a9a36956eb62b958203d66e1ad83268502f7ee6a2676e47d3829db1e03
- 06c57ae21c9f839895f847a5d8895fdc89e878a615565772246c94887caaf6cb
- 075b5ad9b36d79b3b14ad43decabdd7f07fbd3d428e890a14ee2af4969ba49e5
- 08866b56758d4c7b783af2faa3465a9c3dcb2621b19ded098ccb17e25e4f685a
- 08db11f50735c3f4d34d308bc190ae8db0cc6b291090716781ced208b13743fa
- 0a00e118d1917356a4598d2e5f3a96f184726cb37e6be4cfa70ad233fcf5be8a
- 0a0e93af895754435be151f0f09d3fcd542661c9e48314a82bfa4853be9212fe
- 0a4d7fbd10835ba00bd6518598f0c3a4670207e52e4c8c57a5500f0c4059a017
- 0a963367e108b56e58559846236f1896adcca5ec6e324330739e3b45d436e1dd
- 0b675493051c7f99878bca3510c5054bbc071612557acb008e9ae8980c6364ed
- 0b7143f5062cada3d26a97f59b10ddf8e2a73ea70dc97c7cb55a5ceef7e7e5d8
- 0b76777a484d6e0304bfc0b0c06576a51bca2a5cf6a648dfdf67f296301af3d4
- 0bc190d365d58acc24ec202637d87296c69c9f2d2dc4e7120d8f3b61ffc584bc
- 0c4533fd8ae2a9629f474373ce2697059e978e8f5945b4421d092a7052b9c64c
- 0e12afb0ec9aca39a02927e158883994dc6110f83880b5075aebcaed8077ce36
- 0ef146b745e8b57ed0f3b0cd888f650fb8510670731e5c01419e13722178d1d9
- 114f30f079e04714958728d7364b706dd8e88a241bd0771326d10c445d4fc95c
Coverage
Screenshots of Detection
AMP
ThreatGrid
Win.Malware.Sivis-6734391-0
Indicators of Compromise
Registry Keys
- N/A
- N/A
- N/A
- N/A
- \$Recycle.Bin\<USER-SID>\$RZ7KADN.txt
- \$Recycle.Bin\<USER-SID>\$RYGDGS7.lnk
- %AppData%\Mozilla\Firefox\Profiles\iv5rtgu3.default\key3.db
- 2073825ad497c12861800c93527e49e8aa4afafe77d1a7af2922ab707c4b258e
- 2c43a96efe6f36ef0e1e1ca7f4dfe34c83bdd1d99090a056d43955e70bae719f
- 2ff58a8b69dcb0dbb1ef63430a925068d586860c84faa583988b92e2bb87ef25
- 30a9b4c8db8eae33a1e9c35f6441e171cb8059a0f6c34bc8d377e064f3000008
- 32e5b6a36aa94734f0af2cc7d2235bbfeecc915fc0bc0bf46f385f238dc1b69d
- 32fb050134eefd9bba3f5a1d31c9727c0a25760e8b2342385b24b20a253e9512
- 34c5950ff21c25a4acbc1801f881d205ba2cae42333bb04358cf5117eef645b2
- 447e4f61b3e3a5ccf116346d228d1b80328a63e54fc71398e4894d70c22ff51d
- 4d6ac5ccca2bab50f296a4e34a7bed16131f01fdf6864c2bee8efbfea449697b
- 51a9bf24550ec6db0e383fbe1e9089558e1d1bd4e57c5d3678a95233efd59dab
- 581391e344bda3539189aef8252556f916bf27333e755765641a1485844b884f
- 66ada213ce8d9756c1c711d216d45ef8cc84586a1dc46213ce8275d4f8a7d08f
- 7d0ab4517139c8347e39af92cf8dafb9c71e80a8848cea25d7e4598292753fac
- 7f49ac352ec83b003ca00b29acafdf5c08132f0bd060151312157773e06a887d
- 8564af9b09f0ade9b372d76a0d53355587b28cc89afec83b9287cebe6dbce148
- 8cca573e22a563ae4074007c9b5c5abd11316a0235f206242baf4936f3cff4fb
- 91487940c217c106a1f70ea4f850db083396a8fd5c37e81c47d4cd01ef269906
- 9813d3fa86989ca43ecc0db5684e642823abebca58161d8676276349bb5c53ea
- b3be19db0aa19fc9588cb90d0ee5c39ae124e797b82ba1eeb02ba0b82c9a55f8
- beb78637a890b73e150cc67b1c51108dc89e7b3e491ed22cc81695eda729e10f
- c405942083f1d75a6de07f9270e94594cfd99b59c774f22bd2c214715822a851
- c5405c94a49bd14155027aea5722bf253eeedd1a3d0d1d73a2580adb70a6def7
- cc542bacf782757a362d3b6cfc54efe64f8abb860f7c997cf008cc0ae9ffcee6
- d2f9541628e3178b1e6cead482d9983e1509edd3155244b42ac49f0a6919d690
- d7ecfd142025e761006a446d1bd68a9f337eaf1f927fbc01fbbe336df39befae
Coverage
Screenshots of Detection
AMP
ThreatGrid
Win.Malware.Explorerhijack-6734396-0
Indicators of Compromise
Registry Keys
- <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\SESSIONINFO\1\LogonSoundHasBeenPlayed
- N/A
- 103[.]235[.]47[.]123
- N/A
- %SystemDrive%\347749632.exe
- 0387a6fcadc71d0fd723b94049d312eb81752994f06d6e11a222c20c81d610a8
- 39ad7614f81cf505be13fb726d9a68585ebcfb4ba3c156e7974e23a71c8254f1
- 41569db09055ec3bbd900f943c3049b6362be1fc08e73bf9403c6e0a684b5aed
- 7f25aa88bb56ce9888d3959344307b5c7423f53ef1409f84534dd82f2520eb92
- 856c90d502181b0297d792c67ab0d5e3d78fac4879e853beab00e10707e1c5dd
- 99e9c70014473728f7cfac4704c4961cb9cf1e6cb015bb1da6bb095fea13ecaa
- a4143241cfa447db8fa7d4ec5ef79a6bd0a78b853d8f461f209e1224ea09f34f
- e957fa484e5b1b1c84a0f4d3e3561686fe6d289f703ec2ff1f4d9fec886e1344
- f57061d301bce0ecb0b1caf8b0e0de238ecccd4f038f4e9a397ab1cdde57e9a2
- fd047bf2512554e75ffe684d07d0cb5ee798409fb504e2db7a13b90cfc7070e0
Coverage
Screenshots of Detection
AMP
ThreatGrid
Xls.Malware.Cwsp-6735643-0
Indicators of Compromise
Registry Keys
- N/A
- N/A
- 212[.]58[.]244[.]48
- 208[.]91[.]197[.]13
- lalecitinadesoja[.]com
- downloads[.]bbc[.]co[.]uk
- %LocalAppData%\Temp\1ii4ushk.rdy.ps1
- %LocalAppData%\Temp\i3iu3ax4.unx.psm1
- %AppData%\23C.exe
- 05997180a42ca9c01720b1ee3e759bd1a408c0064bbdac0c72f56c9783102a1f
- 07a8a906e93699e23b1b7fe6a190edf709d499efdb806a334d63d21e87d47fea
- 0d4e2eeb6402ecbfed9d9f70a4386ba988d96baa4570944ad7d25fda4e1360b5
- 1007b22475717247803c61a571c881bf50d93199f21559bfaa2b0651e3e88b99
- 11cd2e32f5b99a2988d75e7c6b7b372645385fa0b2f266084cf79a674fa87d54
- 12cb9af05b67398d8e32296f872fcf38485cb5bfb248882a039c901f917744c7
- 199abec0369aa5b56ccf3e40104dec650c0c621a4bf9fe892cde4c649951d96c
- 2436eb88be5cb4536470f00aa4e0b2204c938a7ccc1ab1512c51371c056083bb
- 2b99f6c10d40f9437e4f81c102829e5dd177b7ba83f04d0b09ca13fd35d4f37a
- 2e1d18fa4a0c1b7f1a840f0cbe366bed742fd882ba5ba7c32177fe4384d3feeb
- 2fcb4649130e60c9ee30bc0109dd276dfc20b58873098466740c95bae14e8b16
- 2fda76c3f4db61bd48ffefbe06625cbf33c84c9a99bfb5e4b078efab041786be
- 4c7833eda85621233fcf983d797da0a473e4d17bc8a6b5572eb475e1132f9604
- 4cf4a24b619e53b5155e2aa5eebcbd4a935b03bc2a99f703e955d26bfdc89834
- 522dea36276bb7616dabda4f46e9bd93fb5fac7dc8c035e2677febac8a9ac268
- 53bfd8dcca2dd1a702c80a92e52b6149c3b6d9dd69cfc616c6ece3931920aa0b
- 56ee72c3cac7e50c20945307e9f58360e097782ee10a5577323f1cee22caeb3d
- 5b8a7e111e05c20e9499e8a06ea17582b95ae8c8a780406b6969a40886b614b7
- 5dfef0b6f4f1b612edf80c8ab5cffc7556677bb07c53934963b550b60cf84474
- 6534a9d590748b2301a3f804b75fe02ffee39acf82d2dbb93800a3f8923c9934
- 6b83c696d85d8f467ee9ff306ef266c6b64c8cb4e0aad99f4b5627f6e2dd3c33
- 6c891decc602dc22ae6084be690674afdb405c5b7072a0e8b46d77ba8e331237
- 6da86b5ba028ddfd9646da6467cdaca4d698b72b165045561bcf7a65449dba85
- 7546344c7c370e86f9975710269a9c965104d6084fe4b51d8713c37cd277c2da
- 75a14beabec965f401a21c1809b7fe9563ced7366c863e78dd5c744516aea83d
Coverage
Screenshots of Detection
AMP
ThreatGrid
Umbrella
Malware
Win.Trojan.Mikey-6735890-0
Indicators of Compromise
Registry Keys
- N/A
- qazwsxedc
- 52[.]1[.]22[.]171
- www[.]easycounter[.]com
- %WinDir%\cer61A0.tmp
- %TEMP%\adminpak.msi
- %SystemDrive%\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C5MZMU22\adminpak[1].exe
- %WinDir%\cluster\clcfgsrv.inf
- %WinDir%\cluster\cluadmin.exe
- 04a44c6f9ee4b5f944038452d2669a9915e493f3d4aedd8603af6bcbf9fb157d
- 075ef3a40de2c10d52140c02fc604654e60eb1231659122640d93884a8f639d8
- 1ed41ccdce4f7c67dbeb57873ed69a0b53bd8c509a66f391fb4838cd26d32f88
- 4e8da970321ee8e38f2fe918ce8755ce504d0c54ad579c7a2d388ed65aceca3f
- 63562fa34ca55cbbc1f007ed6a199b625f277f02487d18c6a9a8e24354af6ea3
- 72b02849c7cde8ba42dfe04edf18b0ede900c66187a9e38f5d16eaf84ddfbfbe
- 764947d95583d3a134fc96d6ce06ce4175261d3b9b48d224238367054e187d93
- 77515fa3f7bea9043e954ac8cb13917edd930d0e5d87f2cbc9fa4d44bd281161
- 7ea545f0dd17684011d7bbdde7c004faccacd8edb6d011c4e023f2780279ae1f
- 92e4863e96df84117c1288ceb692823a6d86c0b3a09f29a5cbc4af6a83a03415
- 9d267ed7cc3efe21afd96a3717cf920376048528e7094c54defb915afbe96a80
- a36d16238efb3b5f2ba5e9c23dd1db26a6b08fce8fa1d824e3006bc05f12a75f
- b63310bff942d0fe4f131fbb777737b110ab630876e784ac843e0c4dcdebde44
- bdc574d0160c6566738b039122d702a47aa10080b096cc3ca2729a2a5ca5f6f6
- cf7236e1d8783d00cd54d9d821a1067a2c08cd7cb67b0c091f5826784403f67a
- d7096f8904ebef796193afca1737f99e65c07ac7cf3c999aa46b5e60428ca006
- dba090f098676f7f4d5bd9e71a5b24cb1dfc71edb6b8a0dc06082a60730a81d0
- ed2893a0c58fbfaf73acdd4d7a7c9d8626e8609573739e8f0bf11c88d4b07303
- f9de2da81894bbde4f6baf5909c3f3f6a5d5fc61a8df97836fb8db14fbdb6006
- ff453440448d5f950a573ab246092a3c80e33c7c9189d97d15539bf09c48211d
Coverage
Screenshots of Detection
AMP
ThreatGrid
