Threat Roundup for Nov. 9 to Nov. 16

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Nov. 09 and Nov. 16. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

You can find an additional JSON file here that includes the IOCs in this post, as well as all hashes associated with the cluster. That list is limited to 25 hashes in this blog post. As always, please remember that all IOCs contained in this document are indicators, and one single IOC does not indicated maliciousness.

The most prevalent threats highlighted in this roundup are:

• Win.Ransomware.Gandcrab-6748603-0
  Ransomware
  Gandcrab is ransomware that encrypts documents, photos, databases and other important files using the file extension ".GDCB", ".CRAB" or ".KRAB." It's spread through traditional spam campaigns, as well as multiple exploit kits, including Rig and Grandsoft.
   
• Win.Virus.Parite-6748128-0
  Virus
  Parite is a polymorphic file infector. It infects executable files on the local machine and on network drives.
   
• Win.Malware.Dijo-6748031-0
  Malware
  Win.Malware.DIJO, also known as Ursnif, is used to steal sensitive information from an infected host and can also act as a malware downloader. It is commonly spread through malicious emails or exploit kits.
   
• Win.Malware.Vobfus-6747720-0
  Malware
  Vobfus is a worm that copies itself to external drives and attempts to gain automatic code execution via autorun.inf files. It also modifies the registry so that it will run when the system is booted. Once installed, it attempts to download follow-on malware from its command and control (C2) servers.
   
• Win.Downloader.Upatre-6746951-0
  Downloader
  Upatre is a malicious downloader often used by exploit kits and phishing campaigns. Upatre downloads and executes malicious executables, such as banking malware.
   
• Win.Malware.Emotet-6745295-0
  Malware
  Emotet is a banking trojan that has remained relevant due to its continual evolution to bypass antivirus products. It is commonly spread via malicious emails.
   

---

Threats

Win.Ransomware.Gandcrab-6748603-0

Indicators of Compromise

Registry Keys

• N/A

Mutexes

• Global\pc_group=WORKGROUP&ransom_id=4a6a799098b68e3c
• \BaseNamedObjects\Global\pc_group=WORKGROUP&ransom_id=ab8e4b3e3c28b0e4
• Global\7bf1bf81-e78a-11e8-a007-00501e3ae7b5

IP Addresses contacted by malware. Does not indicate maliciousness

• 66[.]171[.]248[.]178

Domain Names contacted by malware. Does not indicate maliciousness

• ipv4bot[.]whatismyipaddress[.]com

Files and or directories created

• %AllUsersProfile%\Microsoft\Crypto\RSA\S-1-5-18\6d14e4b1d8ca773bab785d1be032546e_d19ab989-a35f-4710-83df-7b2db7efe7c5
• %AppData%\Microsoft\umitoa.exe
• %AppData%\Microsoft\hhbbvc.exe
• \Win32Pipes.000006c8.00000045
• \Win32Pipes.000006c8.00000047
• \Win32Pipes.000006c8.00000049

File Hashes

• 008e2453c3bba10629ae8f7f32c6377d91bd17326da52295f038d7badd53cf4f
• 00f07cc799aabac7449a324ff47161a6a34ad02ba4b2074ddb382152d383ed14
• 02edf037074ebd2445625737108f7337715a6af17ec161429fa0392894e479bd
• 04196939eee8a21a4480a5e5bcf34f70b20f1dad9c3038bc632a415130ac47e8
• 043f30bd958e54d6947631c10d70ddec772ababd8a3852ceb0e646e87d670a92
• 051f4d57fc51e1491eb9121cb6ecdd036e140103f1afbc73fe9cef9a4fd67a84
• 06cafb061ce341647e48d4113eb71bed76290d30d54ce6d98169fcfe8bbe83c5
• 0799d33c49bceeeeb9c92077d448d5823ab8e71a04b71c6b8afa7f386fb5aa92
• 08d56fc6c0622c2e931f04eb8c68a25fa431ac4833b1cbd7e44847d55f7f26e1
• 09abf839c42200b000d3065d2cda41d858be415a521a5cb2b77b6e62503ae460
• 0a48f61677791bca8d2553662ec6bce8acfdb3249cfcabac2802ba216ac54262
• 0acc350e791e4201a7dd17e389ba8e03264343020432389d3e1b9d08874005af
• 0b3e086550e4baaa05c69777d484b9b20773b01d5c6da124197eff423b798b04
• 0dd771fecae00517f9297e21a42956d2ee113f6f0bc4d3ee277f887721efc19a
• 0f2784bc6fb959eace7e44fd19fd08fbfa39af04b4f793241c3eddd4183dbe71
• 0f50d6433d2a79f30c2417fc434098d029eceedf3acd405901d3951208be2ae7
• 10b5897f820d7ae3fe0194b8969c42c5c5de6cc658baf95699f8a781e18237ff
• 130f32c65f3f2e67bdc228f125bc07c049f40fae04114b0de920e9fd0b00bccf
• 13ab0a6dcd3cfd5136b54d11739169917df37a5681189baf92c4c6b0a2df0bc9
• 13ccda5af78a1dea028d076418db880ab3734c745f068d2c4df5de4d4968b478
• 14094b6a6ba1af401829963ce991e02c0eb9da885eb3837cec88f1559e2007c6
• 166627c9ad4fb0acb0bec8e09e1d4ceedc3110e7cdbaa709322d0dbe41a2f70f
• 17b78d2828794c9612cc87b09b7254c32c810134e5d06742058c55ec55ddb746
• 19b4d752b0be5e81c835bd3b87f3c1124c208ba6adb2150f7b85a1b76222350f
• 1ac89466a2668afd8d06d0f9345d48151dc2978b81985070bb23e30a767bd71c

Coverage

Screenshots of Detection

AMP




ThreatGrid

Win.Virus.Parite-6748128-0

Indicators of Compromise

Registry Keys

• N/A

Mutexes

• Residented

IP Addresses contacted by malware. Does not indicate maliciousness

• N/A

Domain Names contacted by malware. Does not indicate maliciousness

• N/A

Files and or directories created

• %AppData%\Wplugin.dll
• %WinDir%\Wplugin.dll
• %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\yma1.tmp
• %LocalAppData%\Temp\neb2886.tmp

File Hashes

• 00ad96301d29476dba58c071ef5bc4cf5eb265e9181a1d866bcacfe847199f64
• 01edcc04020177e2f31b13d9f6a46db2e058028011151850b0802394ccda8d77
• 05f816442e9d1d18a80233674af70d0ce6e17d10768d8f0e77973566b07aba8e
• 0e70c57c577078b1c9cab7d6bd1215372330548ae0c20ff2b80f0cb86cde2074
• 115995a5dc32df9da2f214cf9f4f81341daf7bc101c1b9346bead99428acb15e
• 145c7866de76f33e571f19a1a40c2e12c900a6a1ad9bac30b46dcdc28be6feec
• 14ac990a0affb831e4dccee45cff19e8a7c28dc5b93f731131ffa1c319e43823
• 15c7b9a2c4688af296b57ac418f01347c8fbbd74ac5fbcae17c90f9bcdfb8e26
• 16ee4360c7d1b78da48d06889177668120dfcaf62745bbc8c88d7864d28ba43d
• 1817a467dba009e325a1c8bbaa5c274ec80856f8936321980fee86a0e33a34cd
• 181dd25663e2628e56410e65b57677f5f3346866ccb737aa2eab8dd7376a11af
• 1c8698e1bd9fa33f8f664a0a12e90db53e91e31414cd307c21575a5d039b0d32
• 1eece81891ab4f4836931f8b1bc630e044d08ed659797dc19afc3bebd3b2b259
• 1fa3b372ec521a5b57a52d8b6a5ec8de67f5d8f80e87835b67b4916d4e5dd415
• 29f37223352f9584de101958ce00b41c3c66d9cfb15cc27d22a67df2c9dcd53e
• 2aea31075160d93b13bb726dc95b2a46505deefa529f8c9edfd9f6ecd8d80a37
• 300655178fabae5c65e48307fef7de67100b7d866b118f1ca0f0919de7e3a490
• 35270fa68190eba46f59bba10c8dce3a03e55d8af7e8a33f9a330e077f63aeff
• 39cb46a92889429d3dfc422381b46d04f9e69af0a088eec656845f184ed0b8f2
• 3b6a4dbf9a923ac935f6f671b38de0ed83da428b74dea48efa180365a507e13f
• 452ce18b59c1ab0cb4925435edf60edcfc5114cdea15056702e69c45af5763a2
• 4e38b473973bce00cf5f60b545327db9c9e8b17225262e88d13299f6abf579f2
• 51a323f3b47edc969017af5b31d364d4f23574471a52511970aaf54a8c34c382
• 51bbe9d3ae4bd23f31fd90ddf0d8af295ca98773653a16c2bb5a950670352888
• 525bc89d56339ce9423aae276228a8b879d7156ecadff7054a397a8d5178f5f0

Coverage

Screenshots of Detection

AMP




ThreatGrid

Win.Malware.Dijo-6748031-0

Indicators of Compromise

Registry Keys

• N/A

Mutexes

• N/A

IP Addresses contacted by malware. Does not indicate maliciousness

• 95[.]181[.]198[.]115
• 192[.]162[.]244[.]171

Domain Names contacted by malware. Does not indicate maliciousness

• resolver1[.]opendns[.]com
• 222[.]222[.]67[.]208[.]in-addr[.]arpa
• myip[.]opendns[.]com
• www[.]bing[.]com
• hq92lmdlcdnandwuq[.]com
• cyanteread[.]com
• tmencedfur[.]com

Files and or directories created

• %LocalAppData%\Temp\RESB9BE.tmp
• %LocalAppData%\Temp\CSCE580781F303F45AE9F8858B262C2D7E7.TMP
• %LocalAppData%\Temp\9DF6.bin
• %LocalAppData%\Temp\CB8E.bin
• %LocalAppData%\Temp\3F14.bi1
• %LocalAppData%\Temp\RESBCAB.tmp
• %LocalAppData%\Temp\CSC8B3FB8E53BAD4C5CA67A2B1CAEA0ABB3.TMP
• %LocalAppData%\Temp\5mq30dkw.2sp.psm1
• %LocalAppData%\Temp\jrz15mzo.uwv.ps1
• %LocalAppData%\Temp\lajoenvy.0.cs
• %LocalAppData%\Temp\lajoenvy.cmdline
• %LocalAppData%\Temp\lajoenvy.dll
• %LocalAppData%\Temp\lajoenvy.err
• %LocalAppData%\Temp\lajoenvy.out
• %LocalAppData%\Temp\lajoenvy.tmp

File Hashes

• 0024d14e96fc79b1f7fd052945424e685843a48b1124f2b19b3a0b00570fb716
• 004a4d3772f1253ed309ce48cdefb8358c7500b91b7fc1a548dd32af03f8178d
• 00f9d43bdeb5c30acc9e5594c0ff1bd29b52efdcaa63bb8eba745342c165f856
• 0169eb0d2386671d1929cf74456a32da1758d8c177b4dadbb5c1998768eee892
• 016ef438660d7acbe94a229f0680b154bb963bc9dbc56eed7450dab36d486c01
• 01aa3a5ab9590ff079a13d66f67d40b441ab171d2a6ead0df5453b2d3b55888d
• 01e4c31f4836784dc4d297c4ba6e8f680216693735339022e11669960b929dcc
• 020c8eff9905e60c6bba7ff500dd0097b0b3017cfa33712a74ff23062c539520
• 0326d68f08fc899cd8bb7f1a9c1d7df50bc5b979e0f7d2532904a419ab1b7160
• 033370dfd1d35bc66ed5abf0e6f6ff214c9e1e25196fef04679f18875b0b683c
• 0383644a89640bbccf401520a918b54920f038e04ec0b0ae0d5aa53c45c08705
• 03d315458bfc34d01d2e058b6aa772c7fcd294f3dbcd821f71249675da00d94e
• 03df086184a6b1b146858ea3cef951dc9c3bf6148a26740a74e2384f5cc4a256
• 03e17ccdc6dfa104759f6d08c38a1ee96fd9cb161600fb5446b61132e4d9bd3d
• 04abd09ae808338d64a59fedb49dd5af79599cb9e990c2eab869d1afb25285a1
• 04ef397e7e52f4c71553f5eb2d4bc1971d2eda8a54eafa5a23aae4700264688d
• 05a5bbabbab5444214ce70c1190f41ccef8ef3dee786d1821d26a396d8a49eb5
• 07b911ca945371e153a661cc0d3dc04a41e75075b184eeba26a82c6a945a82e2
• 0879b668fbfac129d1c21076fc5826d46323398a3bcd327e4012be584778a446
• 095114cf4e2a81c44821a1ad9d4ea632e8cf17cf35a5cabc65813a29bcc41157
• 0a088fe8df26a9a2cd4330224134e1ea0d249300cbce0eaf11fc6f70b75f21f1
• 0ad6e9f9cd8e64c8ec265d258407f627fb1a872d13bd9cb577ad5e100633f492
• 0b438e78bb3fe8bffc8f5f1453f318efe177c97d9e4f0ba7e26969a60671a67e
• 0b4d5c0751ead190373484f7b4d8f0d7e5de5ade613b888712b92947fc173a6a
• 0d1b953aa006b38c0140f3a2bacda47a28262d54d5676aeeaf432235e356a5bd

Coverage

Screenshots of Detection

AMP




ThreatGrid




Umbrella

Win.Malware.Vobfus-6747720-0

Indicators of Compromise

Registry Keys

• <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
  • Value Name: muehe

Mutexes

• \BaseNamedObjects\A
• A

IP Addresses contacted by malware. Does not indicate maliciousness

• N/A

Domain Names contacted by malware. Does not indicate maliciousness

• ns1[.]chopsuwey[.]org
• ns1[.]chopsuwey[.]biz
• ns1[.]chopsuwey[.]info
• ns1[.]chopsuwey[.]com
• ns1[.]chopsuwey[.]net

Files and or directories created

• \??\E:\autorun.inf
• \autorun.inf
• \??\E:\System Volume Information.exe
• \System Volume Information.exe
• \$RECYCLE.BIN.exe
• \??\E:\$RECYCLE.BIN.exe
• \Secret.exe
• \??\E:\Passwords.exe
• \??\E:\Porn.exe
• \??\E:\Secret.exe
• \??\E:\Sexy.exe
• \??\E:\x.mpeg
• \Passwords.exe
• \Porn.exe
• \Sexy.exe
• %SystemDrive%\Documents and Settings\Administrator\sauuyi.exe
• %UserProfile%\muehe.exe
• \??\E:\RCXFF.tmp
• \??\E:\muehe.exe
• \RCXFBD0.tmp
• \RCXFF.tmp
• \muehe.exe

File Hashes

• 010054eb95e98fdfea1f1164b12a5dcf475f0ffcc16dc18c276553d4bce3e39c
• 01cdf16c052bd4d6e8f50d0447f0570b6e42727cbb3dcebed6e20766a0599854
• 02785ab8fe2473f20ea32dad5908f6b8831d603c26db26e67e8b3d1daefd4544
• 0293926921291e6700eddb633fe22ac136735ace9170e6c502be52039d3e7488
• 02f72dfcc27501cd1a44b3a0eed9e41831f745fc26d6b7d1526c151c94d58333
• 0572a5a7f2888736e647fccbd2d4ed051bb038b82d3d53fb899dcde836922fc2
• 0581546a844cf13d0f0c494c9cda7eb7a71a5dbea4abbd8ddb917fe00665965b
• 06383e4b2c2a596732f85ce8028c5b1c0a60c82e75bbb75358bcd8498b6b4b03
• 080d08b5202a6da7052a3256c1863db41121881d75188ad96b9af9ab5932a97e
• 08293e6522e8888ce18400e0c3d6e6ac1319e80bd99ffd24b8e7845fca091cf5
• 08c0cc2e37a1fbc8f84c932a7cb2bc9a3d3f78a4ce086c1286cb3d335619f9ff
• 0b2752012a9e104641af14d60987db12a41d39401ac46584b6e9125ed5d0c198
• 0bcd28d3d84c7518df94abbb5a8153a345121d1d126fc9dc4624259de02a41ab
• 0c45087137456380ec673b12d06310d8d753be92a3009bcec94ec4ebc2140bb7
• 0ceecae1d802f19881b04e6f97af98b5039f2b8ccd538c293d66de93d8d77964
• 0d9a84172a0f96b340eb3f6bd45ca30dbe6c20180f9dae75cb135d0d8b6ffa38
• 0db0feea81c1b211fbae852151734fca8fb423102cb953dafb3c188f40491482
• 0ea8e078ab8b42d97148b488fb1ad7d21972c37fdac7befc7d462ee7be3acb84
• 0feb943bda713bb872c82a94bceb10acd11a1ec0cd2997236dc17da24b646288
• 121a6b3a8000948f073e3660ecafb19bf5d204a9d468112575afd15c39222eb1
• 12fc93e4e1c01ce7e3670138d50aa26e5c3d77f3c42da0dc3bd7bbae57359dc4
• 133fea888e19e34c7703b38194ec08360ce8d697d7aec79da979a35072adce02
• 145fe07226fb8eb92f609f16f7044ae5a529433730d285ca7c33b9cff6b86b71
• 1551de875bb37b13c332d5b67ed64026c477f21bbcc6ad3d50ba8b3b8702ee5f
• 18ee7ed2c61ee532f9a42d02c3c53b017496071608324361117514bdd3fdcade

Coverage

Screenshots of Detection

AMP





ThreatGrid



Umbrella

Win.Downloader.Upatre-6746951-0

Indicators of Compromise

Registry Keys

• N/A

Mutexes

• N/A

IP Addresses contacted by malware. Does not indicate maliciousness

• 195[.]38[.]137[.]100

Domain Names contacted by malware. Does not indicate maliciousness

• drippingstrawberry[.]com

Files and or directories created

• %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ffengh.exe
• %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\hfsrfgs.exe
• %LocalAppData%\Temp\ffengh.exe
• hfsrfgs.exe

File Hashes

• 1b806d44ead6688b22e623a1d50ad910af73b6ebe274901cccff8aabd526e3dd
• 1df5a1477102ad9d32a976eea0af04b7c63a660fefc39a8c2c524e8cfa9634e3
• 2e09c458bc34495f4390b2783d17369a2f809860eb95b95ff914c6610fd42ab0
• 56db7b1dd0bcbeca631eee556146fb599fc363466f51ec01eae28ecd4289e838
• 61e96310f388db546db48b6b8d81958264647add9f7cc880067cd6f875b5b4f9
• 64c1bb68e91d30812c0ea2690a4bb15d2788b43ec6c54aa9672de758ee7e5042
• 71dfc74d26d696f74b65c03c93a9118b9c62e5adfb6c93a5e15d00dcb50d585f
• 7a305e442718a07f2ddcc7ae9a8983c49be3247c123b06dabcf7d48d3a4bdcde
• 7da8dd2d31ad4ed61c87b5f44e1d70bcb938d9c5ff9abbc94c8e76cf0b10f379
• 87071c84cff348e086cb28fcfeec54daf58d728c5fb3aaa26ff4aca42fab4b4f
• 99230cc2ba171d71a9c5bade432d53bbf1ea78be629f62b90bb73fd71a26e8a4
• af44d4fff8ce394f9ecb9b3f9d95b8fb440a7b8f1892574f41355072ec2f0999
• bcdfdc97d2a6f3769902d3bf55b180b4dd9efc74af345cf23a795dbdc9456b51
• c224d27d7adf2fece2e92d4ed2f62e244e8e5bcaa98c89ade06d40b0112e6bd1
• d7afe736ed75987b854236b451a4cb6f0642b4e9cc92f3a9a96e2b8535070d05
• d9d107fed85d142d6a5cb4d40a48b3ddf5c61f97bc502a297f816ac902fa13a6
• e4eddc3910aca83db9bef4bc4f11006c0ae09a1552a6266adac79dc922ffe90a
• e6c03bfb271c97063320d079b7ed156b8eae18c75ccf5c25d5ae5cc01df62139
• f41388706c803a31645f416804995ad881d8ee0e0de0f0c355fb87fc415de211
• fb75875cdf989e58a80330aa43543b9ab3765fde077174729e2011555cd295d9

Coverage

Screenshots of Detection

AMP




ThreatGrid



Umbrella

Win.Malware.Emotet-6745295-0

Indicators of Compromise

Registry Keys

• <HKLM>\SYSTEM\CONTROLSET001\SERVICES\GENRALNLA
  • Value Name: ObjectName

Mutexes

• Global\I98B68E3C
• Global\M98B68E3C
• PEM19C
• PEM52C
• PEM748
• PEM43C
• PEM20C

IP Addresses contacted by malware. Does not indicate maliciousness

• 187[.]162[.]64[.]157
• 98[.]144[.]2[.]113
• 200[.]71[.]62[.]76
• 82[.]211[.]30[.]202
• 165[.]255[.]91[.]69
• 154[.]0[.]171[.]246
• 110[.]142[.]247[.]110
• 119[.]59[.]124[.]163
• 108[.]51[.]20[.]17
• 197[.]249[.]165[.]27
• 96[.]242[.]234[.]105
• 217[.]91[.]43[.]150
• 66[.]220[.]110[.]56
• 72[.]67[.]198[.]45
• 183[.]88[.]1[.]238

Domain Names contacted by malware. Does not indicate maliciousness

• N/A

Files and or directories created

• N/A

File Hashes

• 0edecb893280c8258b5ee20f17afdbdcd09efdec198ba3f0b9dae3bb3a74c497
• 11fb93e3b137ff6978fd79fdd634f44f257ee28f9bc5c2965108cb5c49a0d949
• 313f19bdb8c46b96ac18bca55f53f5c0eb03d2fcececaab47b9339d8f014f7c7
• 40651a1759d2ae614541d3f6e8bb6298ab72a242673c44e541dc28e30ca8929f
• 5df55f78a21cd8457c9432afc8da45c182fad6107e3b6e4f5cf86272b68012b1
• 70921b45506097595f7d11123c1b5c92aa032332c8a503058b27f32ec85d8df2
• 73689ce1d669a63bdc781fab63f052fdc22021f7d08d37ed7573d2da7230568e
• 83b316b9a9f76efcab1e741c8eeb7a0c7a50072c3fde5acd49cb0d28afbe7a23
• 9edeb5b8ba0b6fd036650f80edf1cdd3c35974fcb8ef5a272b658d3ec1a38035
• b53fb3cf4ed1d4e62dd0cc9d8e1d482dc1a55dedc3804a097f1b213080bb64c5
• dab7877de92a3793873fec30c4b2e4a758bd5c3c6a67c8da20bfce7c255031be
• ea8479d471d38105312f8264f2d93c7dd317d1bfda94f345f74313efffe8fb54
• eba4704ea3e2a37a2bef98101758cbd2264bf6dcfe36eb930fe36fa32d75838a
• f2a2d0eda6e21c4273d07aafe190918d96c21db335de4c4872e1eca136920c6b
• fba4b9baf4b72790f1ff9ad58160efd7bd4a1927191668da75468255083e48b9
• fc5935b12a8d07abcafc613a04d3c6773e088f31b88f78acc7f8ee2d2fc2d529

Coverage

Screenshots of Detection

AMP




ThreatGrid