Threat Roundup for October 4 to October 11
Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between Oct. 4 and Oct. 11. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.
As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.
For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found herethat includes the complete list of file hashes, as well as all other IOCs from this post. As always, please remember that all IOCs contained in this document are indicators, and one single IOC does not indicated maliciousness.
The most prevalent threats highlighted in this roundup are:
| Threat Name | Type | Description |
|---|---|---|
| Win.Dropper.TrickBot-7288419-0 | Dropper | Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB scripts. |
| Win.Dropper.Qakbot-7287972-0 | Dropper | Qakbot, aka Qbot, has been around since at least 2008. Qbot primarily targets sensitive information like banking credentials but can also steal FTP credentials and spread across a network using SMB. |
| Win.Trojan.Emotet-7287811-0 | Trojan | Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a wide variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails. |
| Win.Worm.Vobfus-7198158-0 | Worm | Vobfus is a worm that copies itself to external drives and attempts to gain automatic code execution via autorun.inf files. It also modifies the registry so that it will run when the system is booted. Once installed, it attempts to download follow-on malware from its command and control (C2) servers. |
| Win.Dropper.Upatre-7196259-0 | Dropper | Upatre is a trojan that is often delivered through spam emails with malicious attachments or links. It is known to be a downloader and installer for other malware. |
Threat Breakdown
Win.Dropper.TrickBot-7288419-0
Indicators of Compromise
| Mutexes | Occurrences |
|---|---|
Global\316D1C7871E10 |
64 |
| IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences |
| — | — |
190[.]152[.]4[.]210 |
17 |
37[.]228[.]117[.]146 |
9 |
31[.]184[.]253[.]37 |
9 |
181[.]113[.]20[.]186 |
6 |
185[.]222[.]202[.]222 |
6 |
51[.]68[.]247[.]62 |
5 |
194[.]5[.]250[.]82 |
5 |
51[.]254[.]69[.]244 |
5 |
91[.]132[.]139[.]170 |
5 |
116[.]203[.]16[.]95 |
4 |
189[.]80[.]134[.]122 |
4 |
203[.]23[.]128[.]168 |
4 |
46[.]30[.]41[.]229 |
4 |
37[.]44[.]212[.]216 |
4 |
216[.]239[.]38[.]21 |
3 |
185[.]248[.]87[.]88 |
3 |
138[.]59[.]233[.]5 |
3 |
190[.]154[.]203[.]218 |
3 |
187[.]58[.]56[.]26 |
3 |
177[.]103[.]240[.]149 |
3 |
200[.]21[.]51[.]38 |
3 |
5[.]230[.]22[.]40 |
3 |
200[.]153[.]15[.]178 |
3 |
198[.]27[.]74[.]146 |
2 |
146[.]196[.]122[.]167 |
2 |
*See JSON for more IOCs
| Domain Names contacted by malware. Does not indicate maliciousness | Occurrences |
|---|---|
250[.]5[.]55[.]69[.]zen[.]spamhaus[.]org |
12 |
ip[.]anysrc[.]net |
4 |
api[.]ip[.]sb |
3 |
ipinfo[.]io |
3 |
checkip[.]amazonaws[.]com |
2 |
wtfismyip[.]com |
2 |
api[.]ipify[.]org |
2 |
www[.]myexternalip[.]com |
1 |
ident[.]me |
1 |
| Files and or directories created | Occurrences |
| — | — |
%APPDATA%\netcloud |
64 |
%System32%\Tasks\netcloud free disk |
64 |
%APPDATA%\netcloud\settings.ini |
64 |
%APPDATA%\netcloud\data\systeminfo64 |
4 |
%APPDATA%\netcloud\data\pwgrab64 |
2 |
%APPDATA%\netcloud\data\pwgrab64_configs\dpost |
2 |
File Hashes
01665c3044d0c07559850f4c63b0e83a75d377d47cbb024109af959ab07a84ab 029d508d8b0b8d85d4e9409b4fce7d1e77278e9c287ea413bfc6ef74b04f3f62 02b56e22b5b87c10e1aaa55a64d023c146705bec60a05f663383c58ad2d46ec9 04915554da413b0eec1c972c40dd73f01494e0babbb952511bc471831f09d66a 07037779cf0fd1203023ab1c5d0ca29103ec20b86ef4a1352e0eae887522aaf5 0b0812b19376da99480f2eaa6ef5c50b0ddef28e861d58f72ea2f321d8d5f4a7 11b52fd22db6a8407a7b185bbff4731813f3e5ade255545b0c5aa75e71001d40 139682b035166c0554038c7a3d41d21c1224ca4d8a1f3dc2fdc78b5d162980a3 1452da4d87422fbce37fa81c0357b9093120f39849a39a6b49529d2e88c24601 15e767c8416fff66195618b591a2a2869b42075a81962d760e644504ecbccd7d 1bcc2e0e40cb671020249c818d9580345498198e06e83242ec54c5666c13eeac 1f64de67c63364947a52b85977c30e101cb27151c9d21759db0a7ea2d20d1c76 1fd9de5a0da8baf970b071eec8072dbe8e166c52a520252a7bad4c6cccdb6f5a 2211518528d8df3b3a37b83807f27b3c48e8dc68e427be3d693775dd9281d3dc 2329e7a18e95750266b5865d2cebb2b0ab2db296e99735b1fcf174eabd0364bc 25ed6d3f3dcaa2fb50d9b98b4b18ce5552b8e7f7edb34036dbe223a0e594c61e 28d5358cee665b777f608ab2994f09baeea9f98a53f7631dc18412b58e279e79 2c5e9d6e2caf1b7d0b3d34eefe3f6cba433c5f4d9cb1056788efba86d64070c7 2cb27358ab67c8b99b3ef38653c6e529daf2782415ee4025977853dbecba4135 2fcd6ec5753d814c537cf1d8c0bd40fd71da35fc0daa3464c71061feabccc003 3899c0d52fb831b58971b8cc3676b819623c3cdf394404441e9e3fc5149f2924 39812d745606743e797291736409505e7c8fee6708f1b9cdfd81db696b045f0b 3c0fdeaf8672109d78f05a5409aa4d1a64970e0317d00dce93c2f850ed315444 3ce742d661cf7896361b4419bffe4b457db5996bb437e386ac8725a32ea3775c 3cfd3b1da2d19d3d79479a35570aa2f8c53c5a865307ae39c45dbab34ecd1eb3
*See JSON for more IOCs
Coverage
| Product | Protection |
|---|---|
| Amp |  |
| Cloudlock | N/A |
| Cws | |
| Email Security | |
| Network Security | |
| Stealthwatch | N/A |
| Stealthwatch Cloud | N/A |
| Threat Grid | |
| Umbrella | N/A |
| Wsa | |
Screenshots of Detection
AMP
ThreatGrid
Win.Dropper.Qakbot-7287972-0
Indicators of Compromise
| Mutexes | Occurrences |
|---|---|
<random, matching [a-zA-Z0-9]{5,9}> |
9 |
<random, matching [a-fA-F0-9]{10}> |
6 |
NO_HIDE |
2 |
Global\eqfik |
1 |
Global\epieuxzk |
1 |
Global\ulnahjoi |
1 |
Global\utjvfi |
1 |
Global\siexlcvo |
1 |
Global\3e356201-e784-11e9-a007-00501e3ae7b5 |
1 |
9a1e0bdf466b43e51e62125b6de07886Ð÷# Administra |
1 |
Global\zmzqw |
1 |
Global\hzquyt |
1 |
Global\orprmhqn |
1 |
llvmspnzmgf |
1 |
Global\emiudb |
1 |
siexlcvo/W |
1 |
Global\okqxsvm |
1 |
hnqgbtxnpbgb |
1 |
Global\awfury |
1 |
Global\mesgra |
1 |
Global\esute |
1 |
Global\caypop |
1 |
azvfitrmerda |
1 |
Global\yweieuzg |
1 |
Global\lajpa |
1 |
*See JSON for more IOCs
| IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences |
|---|---|
69[.]241[.]80[.]162 |
8 |
69[.]241[.]74[.]170 |
8 |
69[.]241[.]108[.]58 |
8 |
69[.]241[.]106[.]102 |
8 |
209[.]126[.]124[.]173 |
7 |
66[.]96[.]134[.]31 |
6 |
66[.]7[.]210[.]190 |
6 |
65[.]182[.]187[.]52 |
6 |
181[.]224[.]138[.]240 |
5 |
69[.]64[.]56[.]244 |
5 |
162[.]144[.]12[.]241 |
5 |
208[.]100[.]26[.]234 |
3 |
64[.]34[.]169[.]244 |
3 |
108[.]61[.]103[.]175 |
3 |
193[.]28[.]179[.]105 |
3 |
12[.]167[.]151[.]78/31 |
3 |
216[.]58[.]217[.]142 |
2 |
195[.]22[.]28[.]222 |
2 |
173[.]227[.]247[.]50 |
2 |
12[.]167[.]151[.]89 |
2 |
12[.]167[.]151[.]81 |
2 |
195[.]22[.]28[.]199 |
1 |
173[.]227[.]247[.]49 |
1 |
173[.]227[.]247[.]34 |
1 |
173[.]227[.]247[.]59 |
1 |
*See JSON for more IOCs
| Domain Names contacted by malware. Does not indicate maliciousness | Occurrences |
|---|---|
jacksonville-a[.]speedtest[.]comcast[.]net |
8 |
stc-sjos-01[.]sys[.]comcast[.]net |
8 |
stc-fxbo-01[.]sys[.]comcast[.]net |
8 |
www[.]ip-adress[.]com |
8 |
stc-hstn-03[.]sys[.]comcast[.]net |
8 |
boston[.]speedtest[.]comcast[.]net |
8 |
houston[.]speedtest[.]comcast[.]net |
8 |
sanjose[.]speedtest[.]comcast[.]net |
8 |
jacksonville[.]speedtest[.]comcast[.]net |
8 |
wpaoyqevfvmqquvpfwo[.]com |
3 |
ageanrzekiycakzrswcq[.]com |
3 |
utglavlafksmzfcniumfwwbm[.]biz |
3 |
wyrlmssiybtkxemblgkturpw[.]net |
3 |
qguuivkqppwohlzzvjv[.]org |
3 |
ohfckvgylddiulbtgcrdijtpl[.]org |
3 |
zhkclrrbgufzsgljzohs[.]com |
3 |
evvedpvqyno[.]net |
3 |
cyiynudufvqmswxgtdkgyal[.]org |
3 |
fmncuwynktocekwqmthsr[.]net |
3 |
hrmmnxigwodcsbqhcezedv[.]net |
3 |
ohnzjsjoyxmkfpafaouujked[.]biz |
3 |
rpagfveavil[.]com |
3 |
ocqfamsdr[.]org |
3 |
sso[.]anbtr[.]com |
2 |
tnqnpjthcwhhit[.]biz |
2 |
*See JSON for more IOCs
| Files and or directories created | Occurrences |
|---|---|
%APPDATA%\Microsoft\Siexlcvoi\siexlcv.dll |
1 |
%APPDATA%\Microsoft\Siexlcvoi\siexlcvo.exe |
1 |
%APPDATA%\Microsoft\Eqfikq |
1 |
%APPDATA%\Microsoft\Eqfikq\eqfi.dll |
1 |
%APPDATA%\Microsoft\Eqfikq\eqfik.exe |
1 |
%HOMEPATH%\APPLIC~1\AuthHost_86.exe |
1 |
%APPDATA%\Microsoft\Emiudbm\cemiudb32.dll |
1 |
%APPDATA%\Microsoft\Emiudbm\emiud.dll |
1 |
%APPDATA%\Microsoft\Emiudbm\emiudb.exe |
1 |
%APPDATA%\Microsoft\Emiudbm\emiudb32.dll |
1 |
%APPDATA%\Microsoft\Emiudbm\qaodxae.exe |
1 |
%APPDATA%\Microsoft\Siexlcvoi\csiexlcvo32.dll |
1 |
%APPDATA%\Microsoft\Siexlcvoi\siexlcvo32.dll |
1 |
%APPDATA%\Microsoft\Siexlcvoi\u\siexlcvo.exe |
1 |
%APPDATA%\Microsoft\Caypopa\caypo.dll |
1 |
%APPDATA%\Microsoft\Caypopa\caypop.exe |
1 |
%APPDATA%\Microsoft\Caypopa\caypop32.dll |
1 |
%APPDATA%\Microsoft\Caypopa\ccaypop32.dll |
1 |
%APPDATA%\Microsoft\Nkswhk\cnkswh32.dll |
1 |
%APPDATA%\Microsoft\Nkswhk\nksw.dll |
1 |
%APPDATA%\Microsoft\Nkswhk\nkswh.exe |
1 |
%APPDATA%\Microsoft\Nkswhk\nkswh32.dll |
1 |
%APPDATA%\Microsoft\Teubkce\cteubkc32.dll |
1 |
%APPDATA%\Microsoft\Teubkce\ojpgopoc.exe |
1 |
%APPDATA%\Microsoft\Teubkce\teubk.dll |
1 |
*See JSON for more IOCs
File Hashes
00ff1db58b6f1e59ab2c2bf8e56160505a45d4a81f6fe1eaa929e64fb1721579 064778a5c62de64d9209efd2a1d07d51e5bba27dec7304adb16cb0f477990da7 10498726da41ce76941828ba2645cd142d14345730ed27ef477ef3360776b70e 1550ddeb6bedfa869544e6acff1b99deef5ed36c5d3e53bb8c54a7dfc1ee7979 16e32d59b24b270c97fc9003ce99d52bbd5d2f8f71066a7ae89489b70230b6ea 2a4d5212548373f2036751006f472fd59796cb1f3ea0a5e3b00ff257dda42d90 2a98486961a037fc69ad76a352cdbd94b9e9b20e935ea2223632616af9cf9164 2f8eaa9d09eea245e077d855496d325833f431c565b0caf376694a20786a360d 33e8352baa3fd5c8657f950f6853c852ab5bc7a8738ef0100393e8840170f689 3c671a2c98bad1d21523542d92d3e7e64f10dc11b71ad877a12d3c716f79d6c5 3ed342a425980d09017f40042c3bc38c995f80b25ebc0ce54f57aa247a399972 433da825e9d75917a8e935ce67e352de3300c2276b8e1e4088ad353f1dc563cd 4567101b5264de0d437095f3dad638f1f663eca77eb737f1c8188133786c42a3 49a262416b8af5718487c966f6d328f12b7dd39c4e48c1d12ec99eb6f67b5bf7 5008602076bc658f669bcbdcdcdae8ac0db03df3d67d59cc8a594916c7e0eab7 546fe2283bec932d0e579545928b7c61aa4865891ae2ae270311cb43d37f24fc 5694eba592c8d2dc736d820dfe10f1cb70fc613595349358e67651b04f8d5f9c 5873b0a3726c51faf9e15170f2cc2cf907da40bd6535886c2f4cc5eb4d1b677f 5a779b62299bf87288404f408ffd1ca26ffb365a1a80a3f0be02634dbb6b0acd 61e897720193eb60766425f7952795081b220bd3fcb84693d127ae08cdc7fd77 64a7ea2afabd89b89154b3e9165e4821194657eaa2df6f3c05513ac57f4269a1 67d275ebe2e3e3653d1a9dfc9e68abe38adaca68e30d4335e974fe9393ed1166 7103e2d1e6b0cb025ba011e3b71b959beb9dba33e919d22ce710703b0cecc9d3 7173180702f16103ff9e12dc30a4d35ffe8e59fed07a9b85b1a8051cccc3443c 75294d7224051e0fc6f7a583941ed6be64270f2296f01a2f907c475bcc604296
*See JSON for more IOCs
Coverage
| Product | Protection |
|---|---|
| Amp | |
| Cloudlock | N/A |
| Cws | |
| Email Security | |
| Network Security | |
| Stealthwatch | N/A |
| Stealthwatch Cloud | N/A |
| Threat Grid | |
| Umbrella | |
| Wsa | |
Screenshots of Detection
AMP
ThreatGrid
Umbrella
Win.Trojan.Emotet-7287811-0
Indicators of Compromise
| Registry Keys | Occurrences |
|---|---|
| `<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MINIMUMPIXEL | |
| Value Name: Type ` | 13 |
| `<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MINIMUMPIXEL | |
| Value Name: Start ` | 13 |
| `<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MINIMUMPIXEL | |
| Value Name: ErrorControl ` | 13 |
| `<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MINIMUMPIXEL | |
| Value Name: ImagePath ` | 13 |
| `<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MINIMUMPIXEL | |
| Value Name: DisplayName ` | 13 |
| `<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MINIMUMPIXEL | |
| Value Name: WOW64 ` | 13 |
| `<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MINIMUMPIXEL | |
| Value Name: ObjectName ` | 13 |
| `<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MINIMUMPIXEL | |
| Value Name: Description ` | 13 |
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MINIMUMPIXEL |
13 |
| Mutexes | Occurrences |
| — | — |
Global\I98B68E3C |
13 |
Global\M98B68E3C |
13 |
Global\M3C28B0E4 |
13 |
Global\I3C28B0E4 |
13 |
| IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences |
| — | — |
80[.]11[.]163[.]139 |
11 |
85[.]54[.]169[.]141 |
10 |
185[.]14[.]187[.]201 |
4 |
45[.]79[.]188[.]67 |
4 |
63[.]142[.]253[.]122 |
4 |
67[.]225[.]229[.]55 |
3 |
193[.]70[.]18[.]144 |
2 |
193[.]252[.]22[.]86 |
2 |
17[.]36[.]205[.]74 |
2 |
212[.]227[.]15[.]142 |
2 |
213[.]180[.]147[.]145 |
2 |
52[.]96[.]40[.]242 |
2 |
62[.]149[.]157[.]55 |
2 |
217[.]116[.]0[.]228 |
2 |
62[.]149[.]128[.]179 |
2 |
173[.]194[.]68[.]108/31 |
2 |
82[.]223[.]190[.]138/31 |
2 |
62[.]28[.]40[.]155 |
1 |
82[.]223[.]191[.]228 |
1 |
84[.]232[.]4[.]63 |
1 |
5[.]56[.]56[.]146 |
1 |
37[.]187[.]56[.]166 |
1 |
134[.]0[.]12[.]48 |
1 |
213[.]0[.]77[.]51 |
1 |
208[.]91[.]198[.]107 |
1 |
*See JSON for more IOCs
| Domain Names contacted by malware. Does not indicate maliciousness | Occurrences |
|---|---|
smtp[.]office365[.]com |
2 |
smtp[.]outlook[.]com |
2 |
smtp[.]1and1[.]es |
2 |
mail[.]comcast[.]net |
2 |
mail[.]1und1[.]de |
2 |
outlook[.]office365[.]com |
2 |
smtp[.]one[.]com |
2 |
smtp[.]orange[.]fr |
2 |
smtp[.]serviciodecorreo[.]es |
2 |
mail[.]gmx[.]net |
2 |
smtp[.]poczta[.]onet[.]pl |
2 |
mail[.]aruba[.]it |
2 |
pop3s[.]aruba[.]it |
2 |
smtp[.]pec[.]aruba[.]it |
2 |
smtp[.]myfbmc[.]com |
1 |
mail[.]amazon[.]com |
1 |
smtp[.]amazon[.]com |
1 |
mail[.]bellnet[.]ca |
1 |
mail[.]hotmail[.]es |
1 |
smtp[.]ogicom[.]pl |
1 |
smtp[.]my[.]tnt[.]com |
1 |
mail[.]pec[.]it |
1 |
mail[.]kovalam[.]es |
1 |
smtp[.]myslide[.]cn |
1 |
smtp[.]tepore[.]com |
1 |
*See JSON for more IOCs
| Files and or directories created | Occurrences |
|---|---|
%SystemRoot%\SysWOW64\<random, matching '[a-zA-Z0-9]{4,19}'>.exe |
12 |
\TEMP\yc3qjv_812.exe |
1 |
\TEMP\njrfqcj58z_23190.exe |
1 |
\TEMP\b2_13022603.exe |
1 |
\TEMP\5tnlmwuu_6728847347.exe |
1 |
\TEMP\feqxn9l_08751690.exe |
1 |
\TEMP\u1p1rr_2846411837.exe |
1 |
\TEMP\93cumzh_740237.exe |
1 |
%SystemRoot%\TEMP\DFFB.tmp |
1 |
File Hashes
0d2fcaa55a4fa60ddb207a884d8708616afe216172606cb34428696d94d02b55 1d79c23865675ea988e8da616d87729fc029e3da8655a452ec8603c2645ed29c 1eda8a1b220b335de0e0dcc4b1c370f063d3bb8179e78e1aa5aa07d97182e50e 2f2fde0c36731205d5c8139450b3e65c99c4b101632f9e5b359d241bd39bc854 4f525a377c92170b4e0fdb377d84e7046be3fabf13020542889dabfceb3f3290 6e0ff7d8aabe7604957239a4217e8acd18261216c6fd4447c3e3ea061062bad5 7999aecb854548554573e807e3099b3285ffa31244668bda61a60ca02763de48 c2b0637eaa88c02f22d551ece7de3220d4888a7882676fd7b51c6c577140ce51 ce8949e5a1b41b1b1ff2d6d432aef7af6db3c4308b4e58839b9e6958846cd24e d5128c8528eaf67f71aa26c53db2b9035ee95849f03ab991ae9805bf4c07f496 e142a57f84461cad1faea965d00decb6ed53eb65fc884acd52ffede5454d1a4e e28a38d8fdd96021b0391fc8a2f0e88da19143a6084ab6a64ff93fdb1d2c9ee2 fe84dbdcefa7c810abd780e0ca47c5bdfaa8c27146b810e2d784d1b00a077aa0
Coverage
| Product | Protection |
|---|---|
| Amp | |
| Cloudlock | N/A |
| Cws | |
| Email Security | |
| Network Security | |
| Stealthwatch | N/A |
| Stealthwatch Cloud | N/A |
| Threat Grid | |
| Umbrella | N/A |
| Wsa | |
Screenshots of Detection
AMP
ThreatGrid
Win.Worm.Vobfus-7198158-0
Indicators of Compromise
| Registry Keys | Occurrences |
|---|---|
| `<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED | |
| Value Name: ShowSuperHidden ` | 23 |
| `<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | |
| Value Name: xaawee ` | 1 |
| `<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | |
| Value Name: juemauy ` | 1 |
| `<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | |
| Value Name: zltip ` | 1 |
| `<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | |
| Value Name: wkxid ` | 1 |
| `<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | |
| Value Name: leohuow ` | 1 |
| `<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | |
| Value Name: kuoova ` | 1 |
| `<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | |
| Value Name: vjdoq ` | 1 |
| `<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | |
| Value Name: beyuk ` | 1 |
| `<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | |
| Value Name: baeuqo ` | 1 |
| `<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | |
| Value Name: lieagu ` | 1 |
| `<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | |
| Value Name: juohoah ` | 1 |
| `<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | |
| Value Name: taeele ` | 1 |
| `<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | |
| Value Name: baaqaic ` | 1 |
| `<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | |
| Value Name: wmquoz ` | 1 |
| `<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | |
| Value Name: qeodux ` | 1 |
| `<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | |
| Value Name: ziiluet ` | 1 |
| `<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | |
| Value Name: mrlot ` | 1 |
| `<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | |
| Value Name: coawi ` | 1 |
| `<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | |
| Value Name: ceqav ` | 1 |
| `<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | |
| Value Name: gejay ` | 1 |
| `<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | |
| Value Name: baule ` | 1 |
| `<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | |
| Value Name: xeezua ` | 1 |
| `<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | |
| Value Name: mouzui ` | 1 |
| Mutexes | Occurrences |
| — | — |
A |
23 |
Global\d11cb3c1-e7ca-11e9-a007-00501e3ae7b5 |
1 |
Global\02adca01-e7cb-11e9-a007-00501e3ae7b5 |
1 |
| Domain Names contacted by malware. Does not indicate maliciousness | Occurrences |
| — | — |
ns1[.]videoall[.]net |
23 |
ns1[.]videoall[.]org |
23 |
ns1[.]player1532[.]com |
23 |
| Files and or directories created | Occurrences |
| — | — |
\autorun.inf |
23 |
\$RECYCLE.BIN.lnk |
23 |
\System Volume Information.lnk |
23 |
\Documents.lnk |
23 |
\Music.lnk |
23 |
\New Folder.lnk |
23 |
\Passwords.lnk |
23 |
\Pictures.lnk |
23 |
\Video.lnk |
23 |
\<random, matching '[a-z]{4,7}'>.exe |
23 |
%HOMEPATH%\<random, matching '[a-z]{5,7}'>.exe |
23 |
E:\$RECYCLE.BIN.lnk |
22 |
E:\autorun.inf |
22 |
E:\x.mpeg |
22 |
E:\System Volume Information.lnk |
22 |
E:\Music.lnk |
22 |
E:\Passwords.lnk |
22 |
E:\Pictures.lnk |
22 |
E:\Documents.lnk |
22 |
E:\New Folder.lnk |
22 |
E:\Video.lnk |
22 |
E:\<random, matching '[a-z]{4,7}'>.exe |
22 |
E:\RFJ.ico |
1 |
\RFJ.ico |
1 |
E:\baaqaicx.exe |
1 |
*See JSON for more IOCs
File Hashes
09be96cf7eaf5a8b9e6231dc9f5760df58907a9c8dfb996e406361c3c72e5aa7 0c114b0894e482f57f0909cbd8b8dced3a8d6b20ec50139ccafdc81c1f21d6f2 107add01286993501566a44c448e321e27d3dadef2e2b62162b158cee42f4b80 210c1a435f47d5bca6300a4a323aa416e8edd2855946a9b5dc13f525e2061122 261ba2deae2f40205c12ecaa69ac285e3db2669ace697f4f52006aaca3046137 2642ae8489bf119064a09e9919cf06f92bc5b5882613c673745ffe89b34c2f43 30e340533c70f200d86348c10c78164a165e17a88f62b344e2b76f035386beae 323f9bcc53cdf71e937974d6523174ebb74151af8928d1148d0476c13b3e1622 37d2c4a0c7b4640261d4eae7bfe234eb4029a5686589e96fa78d9da20bf2add8 408680beb42a3d4123ca4136cb02431efdb2efd112d546a378dfea96dd042f5d 423ddc412baf3a6aa9637d6258b7309f08ed1e1bc9c2dddc30cc25732998e42c 46a8888ab48c79a9bdef4cf4ff58f5f58feb8ad6e3926a6ee98f7ea1dc2b383a 4e8f5a3497e7263ad12bdb242fdcbbd9c2d1ff85e862b263ce4b4d138f00002c 5642cb5f8c9d9115143cf67b67b50327dc6ac07c78e87334f52d3a89ef7e855c 575c4e03f446b9ae91769cc7be8b7cc8aa451d607615a69ac0797190240f0bff 5c3a99fa29ab5917f2facf4383dd6284c2fd4c93c0aa9a16cf5a8b605ce3521c 605712812595a21fae8b728974d328ecc2811792cec2f0808653d2ea8ee556c2 610519390720b741a8b2de2686575141bf8839473abdc06ffa9ecfd7efb88a3c 640f88b445819b50d801f63bba996635c07883cf245ddca2f39b592ce07d0a30 777a8c8f5ffa5c992ea0991e99b6be9f6ed560768154f6273f42c2547e6454ab 7f285a63779f27c9793b5fdcdcc9f8e8d48207298cb4c3cd18e27889c2dd052a 8232b50475cf369b325dc6866d6b88c27245faf7e572a3629b5c0ad3a88cbd72 84b677c976458077b79120064fe7aa275ad33d19d7651425f3faf6cd717fc520 8536b9a9da4f0b6930ed148166800147062e93f6c31ad70f61eb7ed174383c80 89f1ede2d77a45043f2ce760265d21a512f5e5b011cde43f76c3b968214530e5
*See JSON for more IOCs
Coverage
| Product | Protection |
|---|---|
| Amp | |
| Cloudlock | N/A |
| Cws | |
| Email Security | |
| Network Security | N/A |
| Stealthwatch | N/A |
| Stealthwatch Cloud | N/A |
| Threat Grid | |
| Umbrella | |
| Wsa | |
Screenshots of Detection
AMP
ThreatGrid
Umbrella
Win.Dropper.Upatre-7196259-0
Indicators of Compromise
| Files and or directories created | Occurrences |
|---|---|
%TEMP%\szgfw.exe |
43 |
File Hashes
0209860624b9650a80e8e7ccd913c68bbd5e4be9e503c2a1b554c6b3b94861a1 0755dff6699aebb40a37368f78ed9a7b66d3e24d039af8cdd2ad13b8ef969273 0e2cb655432353bc5f362692d75f76b1deb6d4c339db1eacb671731c5f23a733 1191f1f7a73c262102b8ec25f2aecefc26eef287e55934e608ba510b45bff3db 11aa23a13c9a53dae82684af6adf9835fe027550d5b9bfd21604ab1261c97224 25f1eb50680c50626387a6e2c28a9278172dadbb61113f984a9c0074db4a3514 35588e1d2203194ae0524d551d9a5d45bccbfbd9ef226a25e223c4e626db8e7e 37715e5cfc32e42ccd741a8ca0b17276c76b9d28c2ab4ab4edc4ba712cfe98a4 47b69664dd70b8ed9e0f369640f4dfd27a5a33b8bd3d83d572b667551d6465cd 47cbf5466f14bacd5dae7a217a85673048245844e39d081ce4009aa8bbdf0743 48b14ad94dbfe648d7ef4cbce8debeec6b009d9972cb026f7f4ecfea72ae380d 4c6c1e0eb3b508e3bd525b4ce71a1309d231b218f7172bfb5da57a93a050ab5c 4d30d13f5454bc30c92643657d4113a4008e09cd06491e1f73801a14b5415cf5 50bf198fb00ff18f6b08b9aff48c8b5ffcc85cc0dcda23a0359f413113fd6207 51cd17e592d2ebadfd3f15ca6b542f78b2adb4f26b7eaf8c254e849ee141bcc4 52f3ac52e9e2e9ebaba6da86ea629ad07b2017a44a5be6f66a576853341cc1ca 5cdc406d0cfc60b4a6b5cce5411932f250bcf7c60863e71111f461130c2d942f 607473f50e64388087985abb0bb05caa8688a1a17c25607508bb2a3a8a62fc13 607ac8ad70dc43765ea3954c09b2dbe320f7dbe4fe9fee9b07fab9e855aef37b 6516b8c920ae407765804372470187aa6749d1f598e87b7dbe8bf47291039568 658f7d3524bc9db586321be2fb22b1d832cd6f80328dcdbecdfc2734ff45487a 6812985cee6342855219205500bd1bb53300d552f17b88dbeeab1cdad32e55bf 6be61289884c2bd01ddade32649d23fac7bc0ba4591f3eed911101eb44c5181b 6f8ed68f17904767ecd16b1cb1943caa8f474912bffc930082e64512fa48f96f 75c817a4d49bc40781537143aabad6f0496129120503b7276854e9db15b4a965
*See JSON for more IOCs
Coverage
| Product | Protection |
|---|---|
| Amp | |
| Cloudlock | N/A |
| Cws | |
| Email Security | |
| Network Security | N/A |
| Stealthwatch | N/A |
| Stealthwatch Cloud | N/A |
| Threat Grid | |
| Umbrella | N/A |
| Wsa | N/A |
Screenshots of Detection
AMP
ThreatGrid
Exploit Prevention
Cisco AMP for Endpoints protects users from a variety of malware functions with exploit prevention. Exploit prevention helps users defend endpoints from memory attacks commonly used by obfuscated malware and exploits. These exploits use certain features to bypass typical anti-virus software, but were blocked by AMP thanks to its advanced scanning capabilities, even protecting against zero-day vulnerabilities.
CVE-2019-0708 detected - (17383)
An attempt to exploit CVE-2019-0708 has been detected. The vulnerability, dubbed BlueKeep, is a heap memory corruption which can be triggered by sending a specially crafted Remote Desktop Protocol (RDP request). Since this vulnerability can be triggered without authentication and allows remote code execution, it can be used by worms to spread automatically without human interaction.
Excessively long PowerShell command detected - (3263)
A PowerShell command with a very long command line argument that may indicate an obfuscated script has been detected. PowerShell is an extensible Windows scripting language present on all versions of Windows. Malware authors use PowerShell in an attempt to evade security software or other monitoring that is not tuned to detect PowerShell based threats.
Madshi injection detected - (2949)
Madshi is a code injection framework that uses process injection to start a new thread if other methods to start a thread within a process fail. This framework is used by a number of security solutions. It is also possible for malware to use this technique.
Kovter injection detected - (1750)
A process was injected into, most likely by an existing Kovter infection. Kovter is a click fraud Trojan that can also act as an information stealer. Kovter is also file-less malware meaning the malicious DLL is stored inside Windows registry and injected directly into memory using PowerShell. It can detect and report the usage of monitoring software such as wireshark and sandboxes to its C2. It spreads through malicious advertising and spam campaigns.
Atom Bombing code injection technique detected - (577)
A process created a suspicious Atom, which is indicative of a known process injection technique called Atom Bombing. Atoms are Windows identifiers that associate a string with a 16-bit integer. These Atoms are accessible across processes when placed in the global Atom table. Malware exploits this by placing shell code as a global Atom, then accessing it through an Asynchronous Process Call (APC). A target process runs the APC function, which loads and runs the shellcode. The malware family Dridex is known to use Atom Bombing, but other threats may leverage it as well.
Process hollowing detected - (512)
Process hollowing is a technique used by some programs to avoid static analysis. In typical usage, a process is started and its obfuscated or encrypted contents are unpacked into memory. The parent then manually sets up the first stages of launching a child process, but before launching it, the memory is cleared and filled in with the memory from the parent instead.
Gamarue malware detected - (158)
Gamarue is a family of malware that can download files and steal information from an infected system. Worm variants of the Gamarue family may spread by infecting USB drives or portable hard disks that have been plugged into a compromised system.
Dealply adware detected - (149)
DealPly is adware, which claims to improve your online shopping experience. It is often bundled into other legitimate installers and is difficult to uninstall. It creates pop-up advertisements and injects advertisements on webpages. Adware has also been known to download and install malware.
Installcore adware detected - (79)
Install core is an installer which bundles legitimate applications with offers for additional third-party applications that may be unwanted. The unwanted applications are often adware that display advertising in the form of popups or by injecting into browsers and adding or altering advertisements on webpages. Adware is known to sometimes download and install malware.
Aggah malware dropper detected - (61)
Aggah dropper technique has been detected. The Aggah campaign has been observed dropping Azorult, LokiBot and other malware families. Aggah employs phishing and process hollowing to infect victim machines.
Related
