Channel: Cisco Talos Blog

Threat Roundup for May 24 to May 31


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between May 24 and May 31. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. As always, please remember that all IOCs contained in this document are indicators, and one single IOC does not indicate maliciousness.
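How a defender might consume the indicators published in a roundup like this one, as an added example written for this page rather than code from Talos: it refangs the published "[.]" and "<HIVE>" forms, matches each IOC category only against the matching kind of telemetry event, and rates a host by how many distinct categories corroborate each other, so a lone DNS hit stays low-confidence as the paragraph above advises. The key=value event format, the host names, and the expansion of %APPDATA%-style placeholders are assumptions made for the example; the indicator values are taken from the Remcos section of this post.

```python
import re
from collections import defaultdict

# Constructed subset of the Remcos indicators listed in this roundup, kept in the
# defanged "[.]" / "<HKCU>" form exactly as published.
IOCS = {
    "domain": ["uaeoffice999[.]warzonedns[.]com", "kobiremcos[.]punkdns[.]top"],
    "ip": ["184[.]75[.]209[.]157"],
    "mutex": ["Remcos_Mutex_Inj", "Remcos-8L6ET9"],
    "file": [r"%LOCALAPPDATA%\Mozilla\StatsReader.exe", r"%APPDATA%\remcos\logs.dat"],
    "registry": [r"<HKCU>\Software\Remcos-8L6ET9"],
}

# Which telemetry event type each IOC category is checked against (assumed schema).
EVENT_TYPE_FOR = {"domain": "dns", "ip": "netconn", "mutex": "mutex",
                  "file": "file", "registry": "registry"}

# Environment placeholders used in the roundup's file paths, mapped to the
# directory suffixes they expand to on a typical Windows profile (assumption).
ENV_PATTERNS = {
    "%APPDATA%": r".*\\AppData\\Roaming",
    "%LOCALAPPDATA%": r".*\\AppData\\Local",
    "%TEMP%": r".*\\AppData\\Local\\Temp",
}


def refang(indicator):
    """Undo the publication-safe '[.]' substitution and the <HIVE> brackets."""
    return indicator.replace("[.]", ".").replace("<", "").replace(">", "")


def ioc_regex(category, indicator):
    """Compile one indicator into a regex that matches it only as a whole token."""
    value = refang(indicator)
    if category == "file":
        # Expand %VAR% placeholders into path patterns; escape everything else.
        parts = re.split(r"(%[A-Z]+%)", value)
        body = "".join(ENV_PATTERNS.get(p) or re.escape(p) for p in parts)
        return re.compile(body + r"$", re.IGNORECASE)
    return re.compile(r"(?<![\w.])" + re.escape(value) + r"(?![\w.])", re.IGNORECASE)


def scan(events, iocs=IOCS):
    """Return {host: {category: set(matched indicators)}} over telemetry lines."""
    compiled = [(cat, ind, ioc_regex(cat, ind))
                for cat, indicators in iocs.items() for ind in indicators]
    hits = defaultdict(lambda: defaultdict(set))
    for line in events:
        host = re.search(r"host=(\S+)", line).group(1)
        event_type = re.search(r"type=(\S+)", line).group(1)
        for cat, ind, rx in compiled:
            if EVENT_TYPE_FOR[cat] == event_type and rx.search(line):
                hits[host][cat].add(ind)
    return hits


def assess(hits):
    """Rate each host by how many distinct IOC categories matched.

    One category (for example a single lookup of a dynamic-DNS name) is reported
    as low confidence, following the caveat that a single IOC does not indicate
    maliciousness; corroborating host artefacts (mutex, file, registry) raise it.
    """
    levels = {}
    for host, categories in hits.items():
        n = len(categories)
        levels[host] = "high" if n >= 3 else ("medium" if n == 2 else "low")
    return levels


# Constructed sample telemetry; host names and the key=value layout are
# assumptions for this example, not any product's real log format.
SAMPLE_EVENTS = [
    "host=WS-17 type=dns query=uaeoffice999.warzonedns.com",
    "host=WS-17 type=mutex name=Remcos_Mutex_Inj pid=4120",
    r"host=WS-17 type=file path=C:\Users\jdoe\AppData\Roaming\remcos\logs.dat",
    r"host=WS-17 type=registry key=HKCU\Software\Remcos-8L6ET9 action=create",
    "host=WS-22 type=dns query=uaeoffice999.warzonedns.com",
    "host=WS-31 type=dns query=cdn.example.org",
]

if __name__ == "__main__":
    results = scan(SAMPLE_EVENTS)
    for host, level in assess(results).items():
        matched = {cat: sorted(inds) for cat, inds in results[host].items()}
        print(f"{host}: {level} confidence, matched {matched}")
```

Run as-is, WS-17 is rated high (four categories agree), WS-22 low (one DNS lookup only), and WS-31 is not reported at all. Restricting each category to its own event type is what keeps a registry path that happens to contain a mutex name from counting as two independent hits.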

The most prevalent threats highlighted in this roundup are:

  • Win.Malware.Remcos-6978637-1
    Malware
    Remcos is a remote access trojan (RAT) that allows attackers to execute commands on the infected host, log keystrokes, interact with a webcam, and capture screenshots. Remcos is commonly delivered through Microsoft Office documents with macros, sent as attachments on malicious emails.
     
  • Win.Dropper.LokiBot-6978650-0
    Dropper
    Lokibot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered via spam emails.
     
  • Win.Dropper.Kovter-6978831-0
    Dropper
Kovter is known for its fileless persistence mechanism. This family of malware creates several malicious registry entries which store its malicious code. Kovter is capable of reinfecting a system even if the file system has been cleaned of the infection. Kovter has been used in the past to spread ransomware and click-fraud malware.
     
  • Doc.Downloader.Emotet-6978977-0
    Downloader
    Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails.
     
  • Txt.Downloader.Nemucod-6979968-0
    Downloader
    Nemucod is a trojan that executes ransomware on a victim's computer.
     
  • Win.Dropper.Qakbot-6984556-0
    Dropper
    Qakbot, aka Qbot, has been around since at least 2008. Qbot primarily targets sensitive information like banking credentials but can also steal FTP credentials and spread across a network using SMB.
     
  • Win.Malware.Kryptik-6983260-1
    Malware
    Kryptik is oftentimes a generic detection name for a Windows trojan. Some of the malicious activities that could be performed by these samples, without the user's knowledge, include collecting system information, downloading/uploading files and dropping additional samples.
     
  • Win.Ransomware.Gandcrab-6984356-1
    Ransomware
GandCrab is ransomware that encrypts documents, photos, databases and other important files, typically using the file extension ".GDCB", ".CRAB" or ".KRAB". GandCrab is spread through both traditional spam campaigns, as well as multiple exploit kits, including Rig and GrandSoft.
     
  • Win.Malware.DarkComet-6983986-1
    Malware
    DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system. Capabilities of this malware include the ability to download files from a user's machine, mechanisms for persistence and hiding, and the ability to send back usernames and passwords from the infected system.
     

Threats

Win.Malware.Remcos-6978637-1


Indicators of Compromise


Registry Keys | Occurrences
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: Mozilla) | 9
<HKCU>\Software\Microsoft\Windows Script Host\Settings | 1
<HKCU>\Software\Remcos-8L6ET9 | 1
<HKCU>\SOFTWARE\REMCOS-8L6ET9 (Value Name: exepath) | 1
<HKCU>\SOFTWARE\REMCOS-8L6ET9 (Value Name: licence) | 1
<HKCU>\Software\Remcos-DMGAK8 | 1
<HKCU>\SOFTWARE\REMCOS-DMGAK8 (Value Name: exepath) | 1
<HKCU>\SOFTWARE\REMCOS-DMGAK8 (Value Name: licence) | 1
<HKCU>\Software\explorer-N7CBD4 | 1
<HKCU>\SOFTWARE\EXPLORER-N7CBD4 (Value Name: EXEpath) | 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: explorer) | 1
<HKCU>\SOFTWARE\EXPLORER-N7CBD4 (Value Name: WD) | 1
<HKCU>\Software\Microsoft\Windows\CurrentVersion\Explorer\34ONMET3ZF | 1
<HKCU>\Software\Remcos-LMBBE5 | 1
<HKCU>\SOFTWARE\REMCOS-LMBBE5 (Value Name: exepath) | 1
<HKCU>\SOFTWARE\REMCOS-LMBBE5 (Value Name: licence) | 1
<HKCU>\Software\Remcos-A2GPXU | 1
<HKCU>\SOFTWARE\REMCOS-A2GPXU (Value Name: exepath) | 1
<HKCU>\SOFTWARE\REMCOS-A2GPXU (Value Name: licence) | 1
<HKCU>\Software\Remcos-4ACKPE | 1
<HKCU>\SOFTWARE\REMCOS-4ACKPE (Value Name: exepath) | 1
<HKCU>\SOFTWARE\REMCOS-4ACKPE (Value Name: licence) | 1
<HKCU>\SOFTWARE\REMCOS-4ACKPE (Value Name: FR) | 1

Mutexes | Occurrences
Remcos_Mutex_Inj | 3
3749282D282E1E80C56CAE5A | 1
A16467FA-7343A2EC-6F235135-4B9A74AC-F1DC8406A | 1
eed3bd3a-a1ad-4e99-987b-d7cb3fcfa7f0 - S-1-5-21-2580483871-590521980-3826313501-500 | 1
\BaseNamedObjects\Mutex_RemWatchdog | 1
\BaseNamedObjects\3BA87BBD1CC40F3583D46680 | 1
Remcos-8L6ET9 | 1
Remcos-DMGAK8 | 1
explorer-N7CBD4 | 1
Remcos-LMBBE5 | 1
Remcos-A2GPXU | 1
Remcos-4ACKPE | 1
\BaseNamedObjects\explorer-N7CBD4 | 1

IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
91[.]193[.]75[.]9 | 2
184[.]75[.]209[.]157 | 1
91[.]193[.]75[.]115 | 1
46[.]105[.]127[.]143 | 1
185[.]244[.]31[.]63 | 1
47[.]254[.]172[.]117 | 1
185[.]247[.]228[.]210 | 1

Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
uaeoffice999[.]warzonedns[.]com | 2
ml[.]warzonedns[.]com | 1
begurtyut[.]info | 1
ableyahweh[.]ddns[.]net | 1
kingmethod111[.]duckdns[.]org | 1
amblessed[.]ddns[.]net | 1
kobiremcos2[.]punkdns[.]top | 1
bio4kobs[.]geekgalaxy[.]com | 1
kobiremcos3[.]punkdns[.]top | 1
kobiremcos[.]punkdns[.]top | 1

Files and or directories created | Occurrences
%LOCALAPPDATA%\TVcard.exe | 9
%LOCALAPPDATA%\Mozilla\StatsReader.exe | 9
%LOCALAPPDATA%\Thex.bmp | 9
%APPDATA%\remcos | 5
%APPDATA%\remcos\logs.dat | 5
E:\TVcard.exe | 5
\TVcard.exe | 5
%HOMEPATH%\Local Settings\Application Data\TVcard.exe | 5
%HOMEPATH%\Local Settings\Application Data\Mozilla\StatsReader.exe | 5
%LOCALAPPDATA%\Mozilla\MiniConvert.exe | 5
%LOCALAPPDATA%\Sys.ocx | 5
%HOMEPATH%\Local Settings\Application Data\Thex.bmp | 5
%ProgramData%\Microsoft\Vault\AC658CB4-9126-49BD-B877-31EEDAB3F204\Policy.vpol | 3
%LOCALAPPDATA%\Microsoft\Vault\4BF4C442-9B8A-41A0-B380-DD4A704DDB28\Policy.vpol | 3
%HOMEPATH%\Local Settings\Application Data\Mozilla\MiniConvert.exe | 3
%HOMEPATH%\Local Settings\Application Data\Sys.ocx | 3
%APPDATA%\D282E1\1E80C5.lck | 1
%APPDATA%\D1CC40\0F3583.hdb | 1
%APPDATA%\D1CC40\0F3583.lck | 1
\??\E:\explorer.exe | 1
\explorer.exe | 1
%ProgramFiles%\Microsoft DN1 | 1
%APPDATA%\D1CC40\0F3583.exe (copy) | 1
%LOCALAPPDATA%\Microsoft Vision | 1
%TEMP%\install.vbs | 1
See JSON for more IOCs
File Hashes
  • 254cc60f64f6db8b54b2033d95f57f6a7f5c8ceea890ccc85f74570eab725b56
  • 5246657574c87126f2bd268b17f5a4bc44e4dd256cf6eff493c2250c7b1c3d3e
  • 5325269f4a381c1c7815863de0dd50b208944993d1f61c38a9f521be609827de
  • 585f0d663b32f025514e3740e5ac8dd007f777ce0c384fe664b3266c4159289d
  • 9484de151f507a81bb04f24b8bccbe4a63bfe0a1df7ea40ba5a076a52599af63
  • a233e5ce1fc0df70599f3fe8de20d512aac0b59d9d99df58894a34bba89ec81f
  • a969c6228f0de0426084c36c27615dbfa864c71a61c7c4f413fd862fc821db95
  • c71a6c05644b6fa09da4dc8c8d808bc7b0eaa3cac989d5f414cbbb79abea9b37
  • c916075ef74d579828ecb7fb1805076ac3929daac5b43b3c9d22c36d2239cbba
  • d8b92e14d57fb295a1102e9e89c2bdee0e332d87a003d3721b76e1e9eeaa7eb5
  • d9b94599e186e1c3a2507f1672a4a1b9492b4eb3c1a3547b3498c54275306765

Coverage


Screenshots of Detection

ThreatGrid



Umbrella



Win.Dropper.LokiBot-6978650-0


Indicators of Compromise


Registry Keys | Occurrences
<HKCU>\Software\WinRAR | 1
<HKLM>\http://45.67.14.182/slk8/b/cat.php | 1
<HKLM>\SAM\SAM\DOMAINS\ACCOUNT\USERS\000003E9 (Value Name: F) | 1
<HKLM>\SAM\SAM\DOMAINS\ACCOUNT\USERS\000001F5 (Value Name: F) | 1
<HKLM>\SAM\SAM\DOMAINS\ACCOUNT\USERS\000003EC (Value Name: F) | 1
<HKCU>\SOFTWARE\WINRAR (Value Name: HWID) | 1

Mutexes | Occurrences
A16467FA-7343A2EC-6F235135-4B9A74AC-F1DC8406A | 6
3749282D282E1E80C56CAE5A | 5
\BaseNamedObjects\3BA87BBD1CC40F3583D46680 | 4
\BaseNamedObjects\A238FB80-2231ABE6-BF235135-4DF622E2-F156829B3 | 1
\BaseNamedObjects\A238FB80-2231ABE6-BF235135-47749B25-DB14F8DE1 | 1

IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
185[.]79[.]156[.]24 | 3
185[.]79[.]156[.]18 | 3
185[.]79[.]156[.]23 | 2
45[.]67[.]14[.]182 | 2

Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
N/A | -

Files and or directories created | Occurrences
%ProgramData%\Microsoft\Vault\AC658CB4-9126-49BD-B877-31EEDAB3F204\Policy.vpol | 6
%LOCALAPPDATA%\Microsoft\Vault\4BF4C442-9B8A-41A0-B380-DD4A704DDB28\Policy.vpol | 6
%APPDATA%\D282E1\1E80C5.lck | 5
%APPDATA%\wfsgsybinp\spflmbuwjdxpyke.exe | 5
%TEMP%\2fda\api-ms-win-core-heap-l1-1-0.dll | 4
%TEMP%\2fda\api-ms-win-core-interlocked-l1-1-0.dll | 4
%TEMP%\2fda\api-ms-win-core-libraryloader-l1-1-0.dll | 4
%TEMP%\2fda\api-ms-win-core-localization-l1-2-0.dll | 4
%TEMP%\2fda\api-ms-win-core-memory-l1-1-0.dll | 4
%TEMP%\2fda\api-ms-win-core-namedpipe-l1-1-0.dll | 4
%TEMP%\2fda\api-ms-win-core-processenvironment-l1-1-0.dll | 4
%TEMP%\2fda\api-ms-win-core-processthreads-l1-1-0.dll | 4
%TEMP%\2fda\api-ms-win-core-processthreads-l1-1-1.dll | 4
%TEMP%\2fda\api-ms-win-core-profile-l1-1-0.dll | 4
%TEMP%\2fda\api-ms-win-core-rtlsupport-l1-1-0.dll | 4
%TEMP%\2fda\api-ms-win-core-string-l1-1-0.dll | 4
%TEMP%\2fda\api-ms-win-core-synch-l1-1-0.dll | 4
%TEMP%\2fda\api-ms-win-core-synch-l1-2-0.dll | 4
%TEMP%\2fda\api-ms-win-core-sysinfo-l1-1-0.dll | 4
%TEMP%\2fda\api-ms-win-core-timezone-l1-1-0.dll | 4
%TEMP%\2fda\api-ms-win-core-util-l1-1-0.dll | 4
%TEMP%\2fda\api-ms-win-crt-conio-l1-1-0.dll | 4
%TEMP%\2fda\api-ms-win-crt-convert-l1-1-0.dll | 4
%TEMP%\2fda\api-ms-win-crt-environment-l1-1-0.dll | 4
%TEMP%\2fda\api-ms-win-crt-filesystem-l1-1-0.dll | 4
See JSON for more IOCs
File Hashes
  • 1efb2130e792e899d3fee5b0582e61b54f9bdafd00ae43e727d618d462a64a42
  • 316522e4f97f2d4f6d568093a043624cbb02d46eb5a7e0f6accfdb188cf1528f
  • 319d22b549bcbabce103c5d1359ac65f8e8ae49bff6287de21f3f9ef3138646d
  • 36ba85a2d278fb599de9dd36adbe289c39264055996b764d8979f45bcf123535
  • 39b14c7b01c68dbd67963156b813ff89c3755b4f12643e6bc92f6ff4b14f40ee
  • 680d1d8de9f13d9763a6bc8b2585840b70b7ca6c0f45470bed65f0ce5ca8f908
  • 737b0f10471e7d73ec2227dba9250c5130f16b083bc34773e112d72ded4f9e8b
  • 7ccb34bd9651f6f27d531128d839d8d0c1853f2b6f29fed69b7e19448bfd3024
  • 8772387a55e177ff01fa20b6941dddde054c594eee8098cdf96a57e2ccb78b7d
  • 8a4d4491deaea94a51586c5098055c335831b37c17f3d8449fba197dfe73a83d
  • 98ece7de8b60e356d6a965c8fecc089b86e67e2c29faa941f7cae0a64537abb9
  • ba11b9b4c9e0084e5ae5d0de45761b6bd6ebbb62d41c93c7a23ceeda8461d4b1
  • bda55e17c599b80c688e93249375fb027754aef373ecf8a05f205f1ff4bbf21d
  • e650008c2c991f8064942ff5609617d07b4589d40a3e9e37c3c4885898f29f54
  • ea123c9b6299186b1319ec6572bd16fb6a28185f2e9ddb9aa1bf3e52f1911b5d
  • efa28604a547613b68480f7e8ac59f8d02931f5b8d4be6971ea96aff253d5d1a

Coverage


Screenshots of Detection

ThreatGrid



Win.Dropper.Kovter-6978831-0


Indicators of Compromise


Registry Keys | Occurrences
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\WINDOWSUPDATE (Value Name: DisableOSUpgrade) | 25
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\WINDOWSUPDATE\OSUPGRADE (Value Name: ReservationsAllowed) | 25
<HKLM>\SOFTWARE\WOW6432NODE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | 25
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\WindowsUpdate | 25
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\WINDOWSUPDATE\OSUpgrade | 25
<HKCU>\SOFTWARE\3a91c13ab1 | 25
<HKLM>\SOFTWARE\WOW6432NODE\3a91c13ab1 | 25
<HKLM>\SOFTWARE\WOW6432NODE\3A91C13AB1 (Value Name: 656f27d6) | 25
<HKCU>\SOFTWARE\3A91C13AB1 (Value Name: 656f27d6) | 25
<HKLM>\SOFTWARE\WOW6432NODE\3A91C13AB1 (Value Name: 96f717b3) | 25
<HKCU>\SOFTWARE\3A91C13AB1 (Value Name: 96f717b3) | 25
<HKLM>\SOFTWARE\WOW6432NODE\3A91C13AB1 (Value Name: ffcfae7b) | 25
<HKCU>\SOFTWARE\3A91C13AB1 (Value Name: ffcfae7b) | 25
<HKLM>\SOFTWARE\WOW6432NODE\3A91C13AB1 (Value Name: 01b2a448) | 20
<HKCU>\SOFTWARE\3A91C13AB1 (Value Name: 01b2a448) | 20
<HKLM>\SOFTWARE\WOW6432NODE\RDAW2P1XI (Value Name: tnzJBB) | 1
<HKLM>\SOFTWARE\WOW6432NODE\XBZ0H3 (Value Name: Emk9DIqKS) | 1
<HKLM>\SOFTWARE\WOW6432NODE\RDAW2P1XI (Value Name: yw6yqsnsb) | 1
<HKLM>\SOFTWARE\WOW6432NODE\765B49A5A77BF31D | 1
<HKLM>\SOFTWARE\WOW6432NODE\byvWyhji | 1
<HKLM>\SOFTWARE\WOW6432NODE\765B49A5A77BF31D (Value Name: D347D67C3DAC5505) | 1
<HKLM>\SOFTWARE\WOW6432NODE\BYVWYHJI (Value Name: aL0JVbstG) | 1
<HKLM>\SOFTWARE\WOW6432NODE\BYVWYHJI (Value Name: ESqO4Lrhe) | 1
<HKLM>\SOFTWARE\WOW6432NODE\062D56AB77939C4FB63 | 1
<HKLM>\SOFTWARE\WOW6432NODE\1ZBB6iJuv | 1

Mutexes | Occurrences
B3E8F6F86CDD9D8B | 25
A83BAA13F950654C | 25
EA4EC370D1E573DA | 25
Global\7A7146875A8CDE1E | 25
\BaseNamedObjects\408D8D94EC4F66FC | 15
\BaseNamedObjects\Global\350160F4882D1C98 | 15
\BaseNamedObjects\053C7D611BC8DF3A | 15

IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
104[.]170[.]60[.]26 | 1
144[.]193[.]156[.]187 | 1
88[.]105[.]164[.]83 | 1
169[.]202[.]2[.]58 | 1
208[.]229[.]136[.]68 | 1
186[.]120[.]237[.]204 | 1
28[.]237[.]185[.]18 | 1
216[.]21[.]9[.]183 | 1
217[.]156[.]137[.]119 | 1
11[.]136[.]96[.]41 | 1
90[.]235[.]33[.]244 | 1
189[.]30[.]93[.]102 | 1
85[.]82[.]241[.]240 | 1
87[.]213[.]1[.]121 | 1
42[.]75[.]114[.]211 | 1
204[.]6[.]62[.]16 | 1
112[.]78[.]74[.]19 | 1
163[.]112[.]153[.]66 | 1
17[.]210[.]26[.]114 | 1
27[.]3[.]105[.]38 | 1
100[.]27[.]228[.]124 | 1
130[.]139[.]163[.]141 | 1
128[.]215[.]237[.]245 | 1
23[.]138[.]20[.]236 | 1
167[.]165[.]229[.]191 | 1
See JSON for more IOCs

Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
www[.]cloudflare[.]com | 1
demo[.]wylynx[.]com | 1
aviators-auth[.]coxhn[.]net | 1

Files and or directories created | Occurrences
\InitShutdown | 18
\winreg | 18
%SystemRoot%\SysWOW64\tzres.dll | 1
File Hashes
  • 0715f9f01ebbe56625dd3e970d7437d97564648e85990c9bdf142b4ecdaca3f1
  • 07285e9593636743a333a3338ab93bf095fa0907451e471084cd609e7c938281
  • 097d7d04e897eca987e28fa7f65a0c3ade12a71de1c758a9a4f5f925c5c602d8
  • 0a297b9d84a638e994b2c7fec6df3b3847404731fb7c71562f1ccc0ae75506ab
  • 0c8b9fa3bbdce9c015b000de00360c16203166088f2e7221af3e790e73095403
  • 11bc7f1f1a3cda33e2f6240ab1e88e468c3a63e5ea3a329946992b737e296136
  • 16e7c3a7b2a49e61db54ac870d796c37f9e671f64647887f1489ad3bd5ff626c
  • 260572ea7138b64d15936143a9a547bab095151cc4d2ee8e2e9b7daf305fb2be
  • 26f53bfdf087e36f3d13e5277b12e38ddb1b4989dd009f3f092d1954da0b8717
  • 28766b46246a485e4c226ff90d93392cf2c706ed3bc60aa0d67fd2772130a985
  • 2c32a26d84981b540b5fac0d466092c9a72c93723c2a36d643e6ff8cb8a8067d
  • 2cfaede6d177df3e4eff37f5f99cb6a3353d76eac59a708f553abf8269dd2aca
  • 30ae1dda31fe6473f13e54e01ad124ad3ea919ceaf196cb9f240ca1dfd79ed4a
  • 3509a633922b3ede20640ffff30ffa13785f3972c4228bce33d631458825fe24
  • 37bc5d2235c55b03d1b3270f88dac6f210400a192d85c85405593424af5c4c60
  • 3a105a570eab21e12a4895a0ccf65b0d4b2bff313567e3e52119b1c14e8ea750
  • 3c3166135909f4e982f313d6f28cbd44057f96a9ace0b1ffc9fd085d577fc4aa
  • 3ea71c0fcc071c4eb5195f17a6b35156a5cc3602b2e1f5a6e90f9cb2ea315a07
  • 3eb27755726ae476869cd8054527c1d0f6f49365c9efda8887013af895146c05
  • 42561fe7ca1b2322cbe4d910d4c6d7d74a7089a33974a0bef7a45f7235267cd6
  • 42ac2333962667d01a4296c64cfd907880c64dfbb9439a3a471f8080024e9d07
  • 53dc0aee9d383c234bf9ffd2a49a25ae2affc2275b8806a72e343744f0a9e2ad
  • 56ac99cd20dce48020e300dd3b46e9813552ad890b5e52e3d1c46247f6bb8cae
  • 5700b5bfde766173f1dce5ccceb7ba015c22cb327f9591e700b8ebacfd158ed5
  • 597f778320e6a1a30ab8905f7abdc796c490bd0a87f09c0a02f7849eb0b80585
  • See JSON for more IOCs

Coverage


Screenshots of Detection

AMP




ThreatGrid



Doc.Downloader.Emotet-6978977-0


Indicators of Compromise


Registry Keys | Occurrences
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\sourcebulk | 38
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SOURCEBULK (Value Name: Type) | 38
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SOURCEBULK (Value Name: Start) | 38
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SOURCEBULK (Value Name: ErrorControl) | 38
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SOURCEBULK (Value Name: ImagePath) | 38
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SOURCEBULK (Value Name: DisplayName) | 38
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SOURCEBULK (Value Name: WOW64) | 38
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SOURCEBULK (Value Name: ObjectName) | 38

Mutexes | Occurrences
Global\I98B68E3C | 38
Global\M98B68E3C | 38

IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
115[.]71[.]233[.]127 | 35
74[.]207[.]227[.]96 | 28
23[.]95[.]95[.]18 | 28
172[.]217[.]6[.]211 | 24
65[.]55[.]72[.]183 | 23
74[.]6[.]136[.]150 | 21
69[.]147[.]92[.]11 | 18
74[.]6[.]141[.]50 | 17
212[.]77[.]101[.]141 | 17
69[.]147[.]92[.]12 | 17
196[.]25[.]211[.]150 | 16
212[.]227[.]17[.]168 | 16
212[.]77[.]101[.]1 | 16
172[.]217[.]12[.]211 | 15
159[.]127[.]187[.]12 | 15
173[.]194[.]207[.]108 | 15
72[.]167[.]238[.]29 | 13
104[.]131[.]11[.]150 | 13
64[.]91[.]228[.]45 | 13
200[.]27[.]156[.]230 | 13
64[.]4[.]244[.]68 | 12
200[.]27[.]156[.]160 | 12
207[.]204[.]50[.]10 | 11
68[.]178[.]213[.]203 | 11
213[.]165[.]67[.]108 | 11
See JSON for more IOCs

Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
blog[.]laviajeria[.]com | 25
smtp[.]aol[.]com | 17
mail[.]wp[.]pl | 17
smtp[.]wp[.]pl | 16
mail[.]aol[.]com | 15
mail[.]paypal[.]com | 15
smtp[.]telkomsa[.]net | 14
pop3[.]telkomsa[.]net | 13
golfingtrail[.]com | 13
smtpout[.]secureserver[.]net | 12
smtp[.]mail[.]ru | 12
mail[.]web[.]de | 12
smtp[.]paypal[.]com | 12
imap[.]secureserver[.]net | 11
smtp[.]orange[.]fr | 11
mail[.]secureserver[.]net | 10
smtp[.]1und1[.]de | 10
smtp[.]outlook[.]com | 9
smtp[.]yahoo[.]co[.]uk | 9
smtp[.]secureserver[.]net | 8
mail[.]rochester[.]rr[.]com | 8
mail[.]ccsu[.]edu | 8
premium68[.]web-hosting[.]com | 8
mail[.]gmx[.]de | 7
mail[.]msn[.]com | 7
See JSON for more IOCs

Files and or directories created | Occurrences
%HOMEPATH%\905.exe | 25
%HOMEPATH%\985.exe | 13
%SystemRoot%\Registration\R000000000005.clb | 1
%SystemRoot%\SysWOW64\sourcebulka.exe | 1
%SystemRoot%\SysWOW64\RaIsI.exe | 1
%SystemRoot%\SysWOW64\b7CLyYeMYOz.exe | 1
%SystemRoot%\SysWOW64\JAfDaABdFwDwQOmU.exe | 1
%SystemRoot%\SysWOW64\XsURGMXS03AY8k5H.exe | 1
%SystemRoot%\SysWOW64\B3G3HJkHw.exe | 1
%SystemRoot%\SysWOW64\OACv5sbfWOqW.exe | 1
%SystemRoot%\SysWOW64\vQPrd2DqNc.exe | 1
%SystemRoot%\SysWOW64\eZctuX442LBnjCR.exe | 1
%SystemRoot%\SysWOW64\G4gruKLDsT8Hqq.exe | 1
%SystemRoot%\SysWOW64\H2TI.exe | 1
%SystemRoot%\SysWOW64\0UiKEdt.exe | 1
%SystemRoot%\SysWOW64\lI7hCDdPp88lp9wc9FI.exe | 1
%SystemRoot%\SysWOW64\jvfRQuzTShGWsLy.exe | 1
%SystemRoot%\SysWOW64\pFZeNxzUSolEMyg5jlf.exe | 1
%TEMP%\CVR99F.tmp | 1
%SystemRoot%\SysWOW64\s5nWep8.exe | 1
%SystemRoot%\SysWOW64\OBG55Zcwc0ZIAIzMsrO.exe | 1
%SystemRoot%\SysWOW64\rrLgU5ygLqi.exe | 1
%SystemRoot%\SysWOW64\Bbnxe2ZT28fYyG.exe | 1
%SystemRoot%\SysWOW64\4CrV663kwXBhNO.exe | 1
%SystemRoot%\SysWOW64\rnrtEbeM2u.exe | 1
See JSON for more IOCs
File Hashes
  • 08891649a39702f90e11f8ff3035fd16c8f2431d16eeb4919382414735a342be
  • 10b5e211a2e7f00f87d2074a183f9870459e588772f2434ae2e597f800f8522a
  • 173f2078c872504912c5878cac192ab6e7aee9da8f2b76505a7c201eec5af2f2
  • 17dbcd96af456b87e928609743c3a232e438e3b7f31be3f82d9912605a17e7e5
  • 1a1c4b3314857aed3c55053968fa6260693577ee18e59f29be78e9add0e52840
  • 1afd12fda74676381f591b7e2dd6dd2510e603308504a73c880ab6990bd49d32
  • 28398ed10fb49cc49f2cf4559ccbd2b5ce7213c0d62694dd637a5ec8d304352b
  • 286d190e59b9fea171a55e2d99f2c4c5a66560c2e919199a67a6a960f5acd079
  • 2875510d0044c059a8f554aa8401cacd69f806a46205632a11c02096ecb6a0e8
  • 29a3ee36c05e27f07958695833e5f49f2579ce005fabd6048d74285b9dfc40e9
  • 40abbe8ec1e3c31efdedfabaeadc4cdcb88e918f7a0ed7dd3092e26fb2dd676e
  • 4e82b20ca98af17b4361fe688bce991cd907e25c139b9da39340fd758a6bd22b
  • 4f65fb3713b36e2c0eb64e8e77a3aa6bd3e4367ffd3184b179da869ff094cacc
  • 510f007b77f469f04508b716ab447ce6b2bdcb592aaf4854d236410e61009ee4
  • 598ec9fc1bede336d31abbeaa17ee90fec033e46ca742d16e17b25efa2bfe8dc
  • 5a217e950f27df7da794e729b22980c2aa1417696ffa1ee861ce9e657fd35bbb
  • 5c0a12520509cc3dced61c92a635e06dc369f5fe537f6dd74cde28a383beaaf8
  • 6850221b3ed9b438b4959fac2fa86ef2731267ecef2c539e128621a145f8f0b1
  • 720d9323f66abad23ddc1a0274f13ada330575fa1566fc87c81faad0983b2a72
  • 74b11951254ac75489460f573845fc5ddc84110b02585520cc175b02162c212e
  • 74bf67c7c1ed3eafd43b099b40d537ea115190c49e4e3e956e42702ea9aa904b
  • 7db9895829ef195f34659278d7f47618703cb2c535183f41dfc51a8263c7b4c5
  • 83b3bc37bf99bc56096c76ecfd19cb34a70d0d9656f926598625417b5c425fc7
  • 8691ab6505118b9ca2818db4e3ece4edcd40cedc4ba3b5a00dfbc7a1c12d58e6
  • 86a50c8e8f5d300f3731ebdce8b98be02696e2ff1d7e979abd873354bfd87006
  • See JSON for more IOCs

Coverage


Screenshots of Detection

AMP



ThreatGrid



Umbrella



Malware



Txt.Downloader.Nemucod-6979968-0


Indicators of Compromise


Registry Keys | Occurrences
<HKLM>\SOFTWARE\WOW6432NODE\System32 | 18
<HKLM>\SOFTWARE\WOW6432NODE\SYSTEM32\Configuration | 18
<HKLM>\SOFTWARE\WOW6432NODE\SYSTEM32\CONFIGURATION (Value Name: xi) | 18
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: Client Server Runtime Subsystem) | 18
<HKLM>\SOFTWARE\WOW6432NODE\SYSTEM32\CONFIGURATION (Value Name: xVersion) | 18
<HKLM>\SOFTWARE\WOW6432NODE\SYSTEM32\CONFIGURATION (Value Name: xmode) | 16
<HKLM>\SOFTWARE\WOW6432NODE\SYSTEM32\CONFIGURATION (Value Name: xpk) | 16
<HKLM>\SOFTWARE\WOW6432NODE\SYSTEM32\CONFIGURATION (Value Name: xstate) | 16
<HKLM>\SOFTWARE\WOW6432NODE\SYSTEM32\CONFIGURATION (Value Name: xcnt) | 16
<HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\AUTHROOT\CERTIFICATES\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 (Value Name: Blob) | 14
<HKLM>\SOFTWARE\WOW6432NODE\SYSTEM32\CONFIGURATION (Value Name: shst) | 14
<HKLM>\SOFTWARE\WOW6432NODE\SYSTEM32\CONFIGURATION (Value Name: sh1) | 14
<HKLM>\SOFTWARE\WOW6432NODE\SYSTEM32\CONFIGURATION (Value Name: xmail) | 9
<HKLM>\SOFTWARE\WOW6432NODE\SYSTEM32\CONFIGURATION (Value Name: shsnt) | 9

Mutexes | Occurrences
N/A | -

IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
194[.]109[.]206[.]212 | 9
95[.]216[.]12[.]141 | 9
104[.]18[.]35[.]131 | 9
104[.]16[.]154[.]36 | 8
104[.]16[.]155[.]36 | 8
86[.]59[.]21[.]38 | 7
104[.]18[.]34[.]131 | 7
208[.]83[.]223[.]34 | 6
154[.]35[.]32[.]5 | 6
171[.]25[.]193[.]9 | 6
128[.]31[.]0[.]39 | 5
193[.]23[.]244[.]244 | 5
76[.]73[.]17[.]194 | 5
62[.]173[.]145[.]104 | 3
85[.]93[.]145[.]251 | 3
131[.]188[.]40[.]189 | 3
138[.]201[.]169[.]12 | 2
78[.]129[.]150[.]54 | 2
82[.]192[.]94[.]125 | 2
134[.]19[.]177[.]109 | 2
109[.]234[.]165[.]77 | 2
173[.]254[.]213[.]13 | 2
94[.]73[.]147[.]165 | 1
148[.]251[.]155[.]108 | 1
212[.]237[.]210[.]8 | 1
See JSON for more IOCs

Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
whatismyipaddress[.]com | 16
opengraphprotocol[.]org | 16
wsrs[.]net | 16
whatsmyip[.]net | 16
aff[.]ironsocket[.]com | 16
cmsgear[.]com | 16
www[.]zagogulina[.]com | 2
api[.]w[.]org | 1
gmpg[.]org | 1
t[.]co | 1
www[.]lagerpartner[.]dk | 1
adasnature[.]rodevdesign[.]com | 1
toolingguru[.]com | 1
specialsedu[.]com | 1
tuttyguru[.]com | 1
hoiquanarsenal[.]000webhostapp[.]com | 1
stakesedu[.]com | 1
techjoomo[.]com | 1
tbuild[.]2tstelecom[.]com | 1
fruityytech[.]com | 1
techyoun[.]com | 1
www[.]adasnature[.]rodevdesign[.]com | 1
trutthedu[.]com | 1
essexweldmex[.]com | 1
ashleyharrison[.]tech | 1
See JSON for more IOCs

Files and or directories created | Occurrences
%ProgramData%\Windows | 18
%TEMP%\6893A5D897 | 18
%TEMP%\6893A5~1\lock | 18
%ProgramData%\Windows\csrss.exe | 18
%TEMP%\6893A5~1\state.tmp | 18
%TEMP%\6893A5~1\unverified-microdesc-consensus.tmp | 18
%TEMP%\6893A5~1\cached-certs.tmp | 17
%TEMP%\6893A5~1\cached-microdesc-consensus.tmp | 17
%TEMP%\6893A5~1\cached-microdescs.new | 17
%TEMP%\6893A5~1\unverified-microdesc-consensus | 17
E:\README10.txt | 16
E:\README2.txt | 16
E:\README5.txt | 16
E:\README6.txt | 16
E:\README7.txt | 16
E:\README8.txt | 16
E:\README9.txt | 16
\README1.txt | 16
\README10.txt | 16
\README2.txt | 16
\README3.txt | 16
\README4.txt | 16
\README5.txt | 16
\README6.txt | 16
\README7.txt | 16
See JSON for more IOCs
File Hashes
  • 01446b1b8130f7e962e12ff9a50d5da8acb394be437f000d77f54e39527b7ab8
  • 0aa15df3fca9a49cf616d6ee3dbc9d29fde8f272466788a217e15c28ec6ef3f5
  • 19c6c4e0d94e88f3460549dca47715ba9f0f0e928f127eb45706c38d9979163b
  • 1e91a7eb97063517cb8798dafe93fb2f20eec7f4100b4175ec26c7f975aa6965
  • 1ed50005b56e0fd4828799e74bc5f78d2cc887934b891c23eb28d5b5cff14139
  • 37134b5f952e7c0108685d16963663687637ec006a86a15feee1afca36e8b765
  • 38be93101842cd74079121d4864d37f971cbad305c993ef2d465bb2bb6706d3d
  • 43d78a497d4fc7a500e33d09bda1b93097727c703b7a0ed698bda3b417efd7c4
  • 467be08133e9e2c683444bb21eef42864df9603cf22cde4ddf777a7d1c242362
  • 47b28eea9dc3aea93a1c361b3e5db6d1cf88021225c43ba364f11959a834049e
  • 54a6d6b359a4119a0009c2fec6f430a06df2aa6a0793b79feafe1a89b0e09010
  • 640f7ee70f167a82e02a174c8f084ecec19b7a5481b6f7e399dfd25ad64f4da5
  • 7b1d29992c3c9be33294af41981d48ba92a773f2d6bab6142d625aa5b7d96a7d
  • 856b8aed7661ec632ccdba1e738e990703a53dd241c99a1627df99ad5bd3a478
  • 869daf9d7e0ba9da47e604ca310022fa7aeb7a3a2ca7c1dc976958b634ab9cc5
  • 94c3139cb64e42264c87afd46f879702b45c33e6711d1777a4ce3faa134faecf
  • 986a7e2a2199640a2b156ad35a9313070bab0f89402bf9f6daff03c76748c76e
  • a3c8f9e92437fc83ad502f12eeb5aa97828b060168e50914aef6504961c82263
  • ab05542f803dfe04d1941ca646a3c9f10d04037475655bb1b9495dc82279fcd3
  • af66d0c9ab90be7dee01a389e351dc52a025be4579a7ef9cb290c4348c499cb6
  • be77578b063aeb67fa49b17d0474229e4573ab79e48d9d68e4250a063884d7c6
  • c22bb64479d12c5322e20c8cf88d7ddd68157d81b9211764a7f46e9096c56594
  • cf86b58dcc90b88df0f81d7e4db87e2c687baae11058924a74e91594ee8a0965
  • d6b029b0280f7c3e1a9be0dff1d9ce58e173b4fca568a80e62c69248398eed53
  • d93ad8604d87827ce1312c1640df2a49ba9f3c592ef9f779ae38eb76a9d95739
  • See JSON for more IOCs

Coverage


Screenshots of Detection

AMP



ThreatGrid



Umbrella



Win.Dropper.Qakbot-6984556-0


Indicators of Compromise


Registry Keys | Occurrences
N/A | -

Mutexes | Occurrences
ocmwn36

IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
N/A | -

Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
N/A | -

Files and or directories created | Occurrences
N/A | -
File Hashes
  • 0416a1f1118ca4e50afdee9c1e76cdca0b19e374d2be21ed1ea6cf96eadc6033
  • 0f70dc9c66a9bc37b7edfa1cb2d3566c53b63d67b8e8fd4c78f0f9ac08fc7a7b
  • 0fbd8df6ea3398aa3c7a139679fe60ab90766a4dd81e3ae6feface7a24061b31
  • 0fc09554d5f6f9059e6c251108caf5921db41ce23e791d418b4587108aae62db
  • 122f88c01202cc59a9cbb11b8eff11e4b1ff98b8a9e7956db2c0161bd633e451
  • 1df18b6c34f6eab5ba1de274793f94f6168016cfe00008db3a38d79031936b81
  • 25194a4d3d7b860d1c2a722eeccd45d7c6bedb3fe2967e83bd28e9b3ea6bb033
  • 2c738330714e592259d090d03400fa3cc4f2ae7f16b2e3616a5b8bc16e29c72e
  • 2de648c80d9122fc3081aabf4d6257e03fecb57d9fe6e1b98b4e79f28516b8a2
  • 2f769a70e02699e161593dc619e354028e3f3b23ea76cb8b493ef68595bc2b67
  • 3b24ecd81735aaa4c459aa8e5378595eb6bc043d607eeb90b56ba89a962f56a8
  • 40a186d85f12a21d4b65650ab513e723d0ebac79256307b6772257d4d9364188
  • 43b8424bdd21dfbfd81cfc4b2f31706f2bfd21c5d5dd99b17be2b78ceb3a98e2
  • 47d0d80d31c6b02e009585b97702fac60a958c5443a07ac62a68ef24b39bfcf4
  • 4a961cc37b6f6c9e650d4aefa99de46a564679783b5ebaf631b10ac0e891191d
  • 4ac3ceb7094c7c2a5edd95bb21a5b87e6f644cb03b0b72bb9f436623ec2b11d1
  • 4af9db7adad64a3ccffb37a051672cbd119524999968837300763d1f0143d218
  • 4b1becbe4702e8e370a3c0ba0d1ae6c3b0794de26b1db1730c609d2675f7edbd
  • 4c36e499054de9b6a674a54d809083b90ffef539a33f76ef49d7a1bfe89ddfd2
  • 56d8a1d419389fc826ca627bd62b90d8c1c78c1de9c906d73cc2f9a90aace0a6
  • 5931e1ea80e1b82dbf84db29d4bcdf01feecc7a0efb3fac05bc187abf29a588c
  • 61e2e922cae2ebed761d7ebc4e43e48821097821213216a17ec7690325c18f6f
  • 62679544133ce6ec6a09ac7b374cb3c51e82ad5486499467ad58b4115850f110
  • 66ef03a7d4628f9c40801b5ffd192376dce602214947e29f32d676f908c41d18
  • 70d91dbb7fb60dfcee3cfa585eed0efcdd25620bdb5ffffd8431e02876ee65dd
  • See JSON for more IOCs

Coverage


Screenshots of Detection

AMP



ThreatGrid



Win.Malware.Kryptik-6983260-1


Indicators of Compromise


Registry Keys | Occurrences
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: drippt) | 25

Mutexes | Occurrences
3G1S91V5ZA5fB56W | 25
8AZB70HDFK0WOZIZ | 25
ATYNKAJP30Z9AQ | 25
JKLSXX1ZA1QRLER | 25
NHO9AZB7HDK0WAZMM | 25
OMXBJSJ3WA1ZIN | 25
PJOQT7WD1SAOM | 25
PSHZ73VLLOAFB | 25
VHO9AZB7HDK0WAZMM | 25
VRK1AlIXBJDA5U3A | 25

IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
N/A | -

Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
N/A | -

Files and or directories created | Occurrences
N/A | -
File Hashes
  • 037a8cc036ef9b395300b6e56deb931f411d1fb498aefa1417fc5905f5a355b7
  • 0e699ed4adcd822951f647d9d34873eb45436d8e08f273c6edc271b3a28a63b3
  • 1693124dbb76c552ea96d94aeb56bcf673b29a4207be877743bc8e5b7404a9c5
  • 1c3eb8b78b435fb261296e5afe7eca9d2f898e75a953edad8eb4b8788875e5b6
  • 1cc0c215b78bc42e9926e822e8b3c05fca8dddfa23e6cbd245087309a9ac114c
  • 233dd554a6e99d66c3c5b03a60c25c5737b1da6a6fa13b3e594da1deb5c47dcd
  • 337b52e708905c51d83d570edd07379322270d6ef25a981a801776b2e60cf82a
  • 37ae2b35640423e3074277bf9c6f6e0f25d47251418b66ce9b37c76154164023
  • 3d2017ed5b3f99c43cc17ea72e95a4209be22d7cd0ed8c6b9d43add50628d6cc
  • 432ce20272510c1a6112aa246b0cb321976a299b054d2b82b94598ed59ee7f44
  • 4ac6c836b35945108c53f863e441e659baaf099279f06e0aa01d41f1739a980d
  • 4f2333d05cdb8293b85e64bbb891eb5a8ad1ab322babf8993b854e37135a8677
  • 513171233ab20f2e5f474ec0e00498a7e800c8c6d31f575ace21677e9a834667
  • 571cfa598f094ad73ff6237ae66c938cb2832bf04196442608107fc3b46a967f
  • 59010e05103e93fcb5bd33a0f13b8780720ac23694a1d12e4a5d59e3e8aa0984
  • 6067621b4ecf4018e42e5ed195a8e179a3e6c259025b6f248e6b8bbd2b205704
  • 6a73e94427c84a3e16e9c2c7ee4404ae93137cd08852fbb33dda67bacebbf0a6
  • 6c2c7bab2520d774d6054b789047916f59f741b561db2710351b96e36b10f000
  • 710436e038f3406ba539b2fdf91478ba44b4ac14e4738ef9dbc25fc0b2fe7105
  • 712119bcb97d93941e5668fe8977fdbf5a06eb435d7b611094a87caf54fffb72
  • 747c08074c51758e03b550d571830cbcdaaf0ce6ad6721d7d07de7f0f3df0b62
  • 8662a730cdb3d3303e5ae5ef9beafd74473487fac7f06542f0154cbbe56284f9
  • 8a5f573dd497c0d1adc337bf71f6a37b9b9cb0ba79607950c7fc92cc45508c16
  • 94bceae74cc733290eaa6830bfc61bfdeeafaf1d609439d5d9bc718b8ffc668a
  • 989eaa8e832dee1ea28452e91c30556ed1b84cb38d1381361770469c599db4ce
  • See JSON for more IOCs

Coverage


Screenshots of Detection

AMP



ThreatGrid



Win.Ransomware.Gandcrab-6984356-1


Indicators of Compromise


Registry Keys | Occurrences
<HKCU>\CONTROL PANEL\DESKTOP
  Value Name: Wallpaper | 3
<HKLM>\SOFTWARE\WOW6432NODE\ex_data | 3
<HKLM>\SOFTWARE\WOW6432NODE\EX_DATA\data | 3
<HKLM>\SOFTWARE\WOW6432NODE\keys_data | 3
<HKLM>\SOFTWARE\WOW6432NODE\KEYS_DATA\data | 3
<HKLM>\SOFTWARE\WOW6432NODE\EX_DATA\DATA
  Value Name: ext | 3
<HKLM>\SOFTWARE\WOW6432NODE\KEYS_DATA\DATA
  Value Name: public | 3
<HKLM>\SOFTWARE\WOW6432NODE\KEYS_DATA\DATA
  Value Name: private | 3
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\Notify | 2
<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | 2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE\AUTHORIZEDAPPLICATIONS\LIST
  Value Name: C:\Windows\system32\rundll32.exe | 2
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\gctilof | 2
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\GCTILOF
  Value Name: Impersonate | 2
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\GCTILOF
  Value Name: Asynchronous | 2
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\GCTILOF
  Value Name: MaxWait | 2
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\GCTILOF
  Value Name: DllName | 2
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\GCTILOF
  Value Name: Startup | 2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
  Value Name: gctilof | 2
Mutexes | Occurrences
A16467FA7-343A2EC6-F2351354-B9A74ACF-1DC8406A | 20
Global\8B5BAAB9E36E4507C5F5.lock | 3
Global\XlAKFoxSKGOfSGOoSFOOFNOLPE | 3
A9MTX7ERFAMKLQ | 2
A9ZLO3DAFRVH1WAE | 2
AhY93G7iia | 2
B81XZCHO7OLPA | 2
BSKLZ1RVAUON | 2
DRBCXMtx | 2
F-DAH77-LLP | 2
FNZIMLL1 | 2
FURLENTG3a | 2
FstCNMutex | 2
GJLAAZGJI156R | 2
I-103-139-900557 | 2
I106865886KMTX | 2
IGBIASAARMOAIZ | 2
IGMJIA3OX | 2
J8OSEXAZLIYSQ8J | 2
LXCV0IMGIXS0RTA1 | 2
MKS8IUMZ13NOZ | 2
NLYOPPSTY | 2
OLZTR-AFHK11 | 2
OPLXSDF19WRQ | 2
PLAX7FASCI8AMNA | 2
See JSON for more IOCs
IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
104[.]31[.]71[.]122 | 10
192[.]42[.]119[.]41 | 4
185[.]62[.]170[.]1 | 3
52[.]17[.]9[.]185 | 3
217[.]26[.]54[.]189 | 3
83[.]166[.]148[.]69 | 3
217[.]26[.]53[.]37 | 3
213[.]186[.]33[.]5 | 3
136[.]243[.]162[.]140 | 3
195[.]201[.]207[.]213 | 3
188[.]165[.]40[.]130 | 3
46[.]32[.]228[.]22 | 3
185[.]58[.]214[.]106 | 3
185[.]51[.]191[.]29 | 3
149[.]126[.]4[.]15 | 3
193[.]200[.]231[.]4 | 3
194[.]51[.]187[.]23 | 3
83[.]166[.]138[.]8 | 3
5[.]144[.]168[.]210 | 3
136[.]243[.]13[.]215 | 3
83[.]138[.]82[.]107 | 3
192[.]185[.]159[.]253 | 3
193[.]246[.]63[.]157 | 3
149[.]126[.]4[.]89 | 3
194[.]51[.]187[.]22 | 3
See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
electrumscoin[.]org | 10
PALKANKA[.]SITE | 6
doa[.]wolexsal[.]at | 5
www[.]cantinesurcoux[.]net | 3
www[.]pizcam[.]com | 3
www[.]hotel-blumental[.]com | 3
www[.]arbezie[.]com | 3
www[.]holzbock[.]biz | 3
www[.]disch[.]mehrmarken[.]net | 3
www[.]alpenlodge[.]com | 3
www[.]hotelolden[.]com | 3
www[.]hotellido-lugano[.]com | 3
www[.]petit-paradis[.]com | 3
www[.]hotelrotonde[.]com | 3
www[.]2mmotorsport[.]biz | 3
www[.]flemings-hotels[.]com | 3
www[.]hardrockhoteldavos[.]com | 3
www[.]bnbdelacolline[.]com | 3
www[.]arbezie-hotel[.]com | 3
www[.]mountainhostel[.]com | 3
www[.]lassalle-haus[.]org | 3
www[.]alimentarium[.]org | 3
www[.]bellevuewiesen[.]com | 3
www[.]kroneregensberg[.]com | 3
www[.]waageglarus[.]com | 3
See JSON for more IOCs
Files and/or directories created | Occurrences
%TEMP%\pidor.bmp | 3
%HOMEPATH%\98b689da98b68e3f316.lock | 3
%HOMEPATH%\AppData\98b689da98b68e3f316.lock | 3
%APPDATA%\Media Center Programs\98b689da98b68e3f316.lock | 3
%APPDATA%\Microsoft\98b689da98b68e3f316.lock | 3
%APPDATA%\Microsoft\Internet Explorer\98b689da98b68e3f316.lock | 3
%APPDATA%\Microsoft\Internet Explorer\Quick Launch\98b689da98b68e3f316.lock | 3
%APPDATA%\98b689da98b68e3f316.lock | 3
%HOMEPATH%\Cookies\98b689da98b68e3f316.lock | 3
%HOMEPATH%\Desktop\98b689da98b68e3f316.lock | 3
%HOMEPATH%\Documents\98b689da98b68e3f316.lock | 3
%HOMEPATH%\Documents\My Music\98b689da98b68e3f316.lock | 3
%HOMEPATH%\Documents\My Pictures\98b689da98b68e3f316.lock | 3
%HOMEPATH%\Documents\My Videos\98b689da98b68e3f316.lock | 3
%HOMEPATH%\Downloads\98b689da98b68e3f316.lock | 3
%HOMEPATH%\Favorites\98b689da98b68e3f316.lock | 3
%HOMEPATH%\Links\98b689da98b68e3f316.lock | 3
%HOMEPATH%\Music\98b689da98b68e3f316.lock | 3
%HOMEPATH%\My Documents\98b689da98b68e3f316.lock | 3
%HOMEPATH%\NetHood\98b689da98b68e3f316.lock | 3
%HOMEPATH%\Pictures\98b689da98b68e3f316.lock | 3
%HOMEPATH%\PrintHood\98b689da98b68e3f316.lock | 3
%HOMEPATH%\Recent\98b689da98b68e3f316.lock | 3
%HOMEPATH%\Saved Games\98b689da98b68e3f316.lock | 3
%HOMEPATH%\SendTo\98b689da98b68e3f316.lock | 3
See JSON for more IOCs
File Hashes
  • 0056173ac7818058a9ef3025473fceff24386f8dd61c23b3ca53f332b7b8b756
  • 010dd10aebe976dbf2473a656f0449c0a91aff6732d82fa605974d5452a1f882
  • 0c3a00f9adfbb35f60aa3a67e02ee7fe5f01464d08825c2a0b181c5553809484
  • 0cd7b76e663ef841a0468a4542f9594a212f682bda4fd13ac596c8dc375a70a1
  • 0dd538728ed3de4c0f112e503825028c6de6a19d176093b4f8ee2aba784e96e4
  • 12a9b70fb4e43716b450c37120a63c2da29e7a3c8657a95a1f318a4853550968
  • 157f96de23735d1c41df83f0a4deba3a4c64d7d0b15d4cce28a9166131e085bc
  • 19d7bab5cc8305e6fa1b248ceda3fb40dfe9d5256b1f8897350ccd2110c235d5
  • 259220ed0a5fadd095aee079bf2fb8fa27f2204f3ebe95b588014bf4654d925d
  • 411d66336a7a62138158211a0c9d47760cf072a86ea27cddfb173a59a4839a6e
  • 4446a42ec66656956467df28df5c1e587d4c4cfd804201ba9912fd5729bb8f64
  • 4b4f963ed8910f44f75ca75a2c21f7a31f600761bd97517246f7aa8f2ab5c4ff
  • 4c9cb943f1efb719c8bb4907d89fa296bb53f010e53fd8f1da09667be0055aaf
  • 50e6406dd568defee6835b152a2af2b82956004a87011d9da202648197dfaafe
  • 510fd9535d75bf55e09028dc6f015798c7050d39f60b9ed86f7ce392d08ccc36
  • 53248110e4f2ffb57520d2bbedc2cd4efe486c2a05243eb60807242bbfcbdd0e
  • 5a70e3f4169bfc369c5d6686eb5f6a3170b39dc4fa5196d39d2d9409075665cf
  • 5c562a47c8bb34f90f70377862dad9f134d6d5ae2d01595ea8225f51f8c7ed99
  • 618d93da49f253e9ece275eaf87c9639489d5f876dec9b1ce6fb14fc22d1c175
  • 66ef34785cdbbccb9cc46e69902d4e4f227134ddd2f8275430e3656480d79caa
  • 729c6ae5d8415d8b49c646807a4b95ddef38626bce3303cf08c4cdcc505196cf
  • 76151d8b9598ed85a90c04ce2b8c19fb93efc435b9982dd37565bdc92a494ad3
  • 7872ffcf0a320ec62c57954bb55158876958adf3c9a41ff470da476a13cbbef7
  • 796b0898478bb8ba453d4d974ab43aacf5c7e85bafa8e86133a284f47ab214d9
  • 8775ce35c810ebe3d2e0f8a9c84b77e38bd5d2d682a4e65a3fc9f9a86df52aa1
  • See JSON for more IOCs

Coverage


Screenshots of Detection

AMP



ThreatGrid



Umbrella



Win.Malware.DarkComet-6983986-1


Indicators of Compromise


Registry Keys | Occurrences
<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | 1
<HKCU>\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | 1
<HKLM>\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{16E11FA4-EASQ-57E4-QPP4-4B4EE7V76IQ4} | 1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
  Value Name: system32 | 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
  Value Name: system32 | 1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{16E11FA4-EASQ-57E4-QPP4-4B4EE7V76IQ4}
  Value Name: StubPath | 1
<HKLM>\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{0D285L58-7O12-HSU1-C880-04J8UU718520} | 1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN
  Value Name: WinUpdate | 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN
  Value Name: WinUpdate | 1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{0D285L58-7O12-HSU1-C880-04J8UU718520}
  Value Name: StubPath | 1
<HKCU>\SOFTWARE\Cofer2 | 1
<HKCU>\SOFTWARE\COFER2
  Value Name: FirstExecution | 1
<HKCU>\SOFTWARE\COFER2
  Value Name: NewIdentification | 1
Mutexes | Occurrences
\BaseNamedObjects\_x_X_UPDATE_X_x_ | 13
\BaseNamedObjects\_x_X_PASSWORDLIST_X_x_ | 13
\BaseNamedObjects\_x_X_BLOCKMOUSE_X_x_ | 13
\BaseNamedObjects\***MUTEX*** | 4
\BaseNamedObjects\***MUTEX***_SAIR | 4
\BaseNamedObjects\***MUTEX***_PERSIST | 4
IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
N/A | -
Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
loucao22[.]no-ip[.]org | 1
Files and/or directories created | Occurrences
%TEMP%\UuU.uUu | 4
%TEMP%\XX--XX--XX.txt | 4
%TEMP%\XxX.xXx | 4
%APPDATA%\logs.dat | 4
%System32%\install\server.exe | 2
%SystemRoot%\SysWOW64\install | 1
%SystemRoot%\install | 1
%SystemRoot%\SysWOW64\install\explore.exe | 1
%System32%\install\explore.exe | 1
%SystemRoot%\install\flashplayer.exe | 1
File Hashes
  • 001dadb87b55db69aaab1edcbf7c38bba929732e83c16d84278c992687d157fc
  • 4ca9b2f8018dd2789f91fca2ad5a2281875bd3a6239a56ec29ff3ce366265d98
  • 5780956f6411277398daf452baa75bdfcad2bd93c4a97af4e07ac0e20fbb9f0c
  • 7ad5f208199b49bd14cbb26a1d8888c07692830d84b9be29920bc1db37c0b1e1
  • 8a006d694bf6d30e2f711fce6e612d2880fba6d95085e41c57d0b76b88392b44
  • 95728734cc57a788f44b2c8a7cf6601b0f4b7b2c05b85aa893a926d1c4c799d7
  • a9a09f58cc3dc6d6d097ee2ffcab7ec256c157d778979f5e80c1212ff68f3eb3
  • d2211069cc40d43f81d9c81274976aff64ff52e5858ed573d26cd5503dd563ee
  • d90b4a4ade207ebf768af252cf8d9b032158122670c50eb6bfafeec74d695f58
  • eb914c411fdc043c690ed0d1361d82d73dca6e764150c0bce4a20d9439df9c8b
  • ef2dae7f7d3a706a766ac41478adb9dd2dd871f88d458ace41e9813670cc99bd
  • f094dbe9dc2bbc7337e2aa1317317f1a7833bad9d966f01ebb582d51ce8d3b23
  • f1a0dda889f3af093b9092b8652fd7847de05015dee0914d36937c2ef641fa46
  • f51b96ebe4242a34754e14d0d2bc0dcd5ccd446f0eeb5fcdb9b7e03686dc40cc

Coverage


Screenshots of Detection

AMP



ThreatGrid



Exprev

Cisco AMP for Endpoints protects users from a variety of malware functions with exploit prevention. Exploit prevention helps users defend endpoints from memory attacks commonly used by obfuscated malware and exploits. These exploits use certain features to bypass typical anti-virus software, but were blocked by AMP thanks to its advanced scanning capabilities, even protecting against zero-day vulnerabilities.
  • Madshi injection detected (3512)
    Madshi is a code injection framework that uses process injection to start a new thread if other methods to start a thread within a process fail. This framework is used by a number of security solutions. It is also possible for malware to use this technique.
  • Kovter injection detected (1779)
    A process was injected into, most likely by an existing Kovter infection. Kovter is a click-fraud Trojan that can also act as an information stealer. Kovter is also file-less malware, meaning the malicious DLL is stored inside the Windows registry and injected directly into memory using PowerShell. It can detect and report the usage of monitoring software such as Wireshark and sandboxes to its C2. It spreads through malicious advertising and spam campaigns.
  • PowerShell file-less infection detected (513)
    A PowerShell command was stored in an environment variable and run. The environment variable is commonly set by a previously run script and is used as a means of evasion. This behavior is a known tactic of the Kovter and Poweliks malware families.
  • Process hollowing detected (478)
    Process hollowing is a technique used by some programs to avoid static analysis. In typical usage, a process is started and its obfuscated or encrypted contents are unpacked into memory. The parent then manually sets up the first stages of launching a child process, but before launching it, the memory is cleared and filled in with the memory from the parent instead.
  • Gamarue malware detected (288)
    Gamarue is a family of malware that can download files and steal information from an infected system. Worm variants of the Gamarue family may spread by infecting USB drives or portable hard disks that have been plugged into a compromised system.
  • Dealply adware detected (285)
    DealPly is adware, which claims to improve your online shopping experience. It is often bundled into other legitimate installers and is difficult to uninstall. It creates pop-up advertisements and injects advertisements on webpages. Adware has also been known to download and install malware.
  • Atom Bombing code injection technique detected (60)
    A process created a suspicious Atom, which is indicative of a known process injection technique called Atom Bombing. Atoms are Windows identifiers that associate a string with a 16-bit integer. These Atoms are accessible across processes when placed in the global Atom table. Malware exploits this by placing shellcode as a global Atom, then accessing it through an Asynchronous Procedure Call (APC). A target process runs the APC function, which loads and runs the shellcode. The malware family Dridex is known to use Atom Bombing, but other threats may leverage it as well.
  • Installcore adware detected (59)
    InstallCore is an installer which bundles legitimate applications with offers for additional third-party applications that may be unwanted. The unwanted applications are often adware that display advertising in the form of pop-ups or by injecting into browsers and adding or altering advertisements on webpages. Adware is known to sometimes download and install malware.
  • Suspicious PowerShell execution detected (55)
    A PowerShell command has attempted to bypass execution policy to run unsigned or untrusted script content. PowerShell is an extensible Windows scripting language present on all versions of Windows. Malware authors use PowerShell in an attempt to evade security software or other monitoring that is not tuned to detect PowerShell-based threats.
  • Excessively long PowerShell command detected (54)
    A PowerShell command with a very long command-line argument that may indicate an obfuscated script has been detected. PowerShell is an extensible Windows scripting language present on all versions of Windows. Malware authors use PowerShell in an attempt to evade security software or other monitoring that is not tuned to detect PowerShell-based threats.
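The three PowerShell-related Exprev detections listed above (execution policy bypass, script content pulled out of an environment variable, and an excessively long command line) can be reproduced as simple command-line heuristics over process-creation telemetry. The following Python block is an added example written for this post; it is not Talos code and it is not how the AMP Exprev engine works. The sample events, the 1000-character length threshold, the PowerShell image names and the specific `$env:` invocation shapes it looks for are all constructed assumptions that would need tuning against a real environment's baseline.

```python
"""Command-line heuristics mirroring the three PowerShell Exprev detections."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample process-creation events (not taken from the Talos post);
# the fields mimic what Sysmon Event ID 1 or an EDR sensor would record.
SAMPLE_EVENTS = [
    {"pid": 4101, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -NoProfile -File C:\Scripts\backup.ps1"},
    {"pid": 4102, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -NoProfile -File C:\Temp\setup.ps1"},
    {"pid": 4103, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -w hidden -c iex $env:sample_var"},
    {"pid": 4104, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -EncodedCommand " + "Q" * 2000},
    {"pid": 4105, "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe readme.txt"},
    {"pid": 4106, "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -ep bypass -c ($env:sample_var | iex)"},
]

# Assumption: these are the host images we treat as PowerShell.
POWERSHELL_IMAGES = ("powershell.exe", "pwsh.exe", "powershell_ise.exe")
# Assumption: command lines longer than this are worth a closer look; tune to your baseline.
LONG_CMDLINE_THRESHOLD = 1000

# -ExecutionPolicy / -ep / -exec followed by Bypass or Unrestricted, case-insensitive.
EXEC_POLICY_BYPASS = re.compile(
    r"-(?:ExecutionPolicy|ep|exec)\s+(?:bypass|unrestricted)\b", re.I)

# Script text read from an environment variable and handed to Invoke-Expression (iex).
# These shapes are assumptions about how the technique shows up on the command line.
ENV_VAR_EXEC = re.compile(
    r"(?:\biex\b|invoke-expression)\s*\(?\s*\$env:\w+"                    # iex $env:NAME
    r"|\$env:\w+\s*\|\s*(?:\biex\b|invoke-expression)"                     # $env:NAME | iex
    r"|get-(?:item|childitem)\s+env:\w+[^|]*\|\s*(?:\biex\b|invoke-expression)",  # (Get-Item env:NAME).Value | iex
    re.I,
)


@dataclass
class Finding:
    pid: int
    rule: str
    detail: str


def is_powershell(image: str) -> bool:
    """True when the process image (full path or bare name) is a PowerShell host."""
    return image.lower().rsplit("\\", 1)[-1] in POWERSHELL_IMAGES


def evaluate_event(event: dict) -> list[Finding]:
    """Apply the three heuristics to one process-creation event."""
    findings: list[Finding] = []
    if not is_powershell(event["image"]):
        return findings
    cmd = event["cmdline"]
    if EXEC_POLICY_BYPASS.search(cmd):
        findings.append(Finding(event["pid"], "suspicious_powershell_execution",
                                "execution policy overridden on the command line"))
    if ENV_VAR_EXEC.search(cmd):
        findings.append(Finding(event["pid"], "powershell_fileless_infection",
                                "script content read from an environment variable and executed"))
    if len(cmd) > LONG_CMDLINE_THRESHOLD:
        findings.append(Finding(event["pid"], "excessively_long_powershell_command",
                                f"command line is {len(cmd)} characters"))
    return findings


def scan(events: list[dict]) -> list[Finding]:
    """Run every event through the heuristics and collect the findings in order."""
    return [f for event in events for f in evaluate_event(event)]


def main() -> None:
    for f in scan(SAMPLE_EVENTS):
        print(f"pid={f.pid} rule={f.rule}: {f.detail}")


if __name__ == "__main__":
    main()
```

Run against the constructed events, the benign script launch (pid 4101) and the non-PowerShell process (pid 4105) produce nothing, while pid 4106 trips two rules at once. In practice the length threshold and the environment-variable patterns are the parts that need local tuning, and a match on any single rule is a lead for triage rather than proof of infection.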
