Threat Round Up for Oct 6 - Oct 13

2017-10-13T12:01:00
ID TALOSBLOG:DDB3A9DC67CBDDA22C9443A009F54CDC
Type talosblog
Reporter noreply@blogger.com (Alexander Chiu)
Modified 2017-10-13T20:55:35

Description

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between October 6 and October 13. As with previous round-ups, this post isn't meant to be an in-depth analysis. Instead, this post summarizes the threats we've observed by highlighting key behavior characteristics, indicators of compromise, and how our customers are automatically protected from these threats.<br /><br />
As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Detection and coverage for the following threats are subject to updates pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.<br /><br />
The most prevalent threats highlighted in this round-up are:<br /><br />
<ul>
<li><b>Doc.Trojan.Emotet-6344335-2</b><br />Trojan<br />These malicious Office documents contain embedded OLE objects and obfuscated macro code, and leverage PowerShell to download payloads. These samples were particularly observed dropping the Emotet banking trojan.<br /></li>
<li><b>Doc.Dropper.Agent-6346631-0</b><br />Office Macro Downloader<br />This is an obfuscated Office macro downloader that attempts to download a malicious payload executable.<br /></li>
<li><b>Doc.Macro.DollarShell-6346616-0</b><br />Office Macro Downloader<br />This is an obfuscated Office macro downloader that attempts to download a malicious payload executable. It uses VBA.Shell$ to begin shell execution, combined with the macro auto-open function.<br /></li>
<li><b>Doc.Macro.Obfuscation-6344051-0</b><br />Office Macro<br />These Office document samples make use of various obfuscation techniques to evade detection. This cluster focuses on unused junk code added to a macro to prevent quick analysis.<br /></li>
<li><b>Doc.Macro.VBSDownloader-6346528-1</b><br />Office Macro Downloader<br />Word documents with base64-encoded macros have been prevalent in the last few days. Recent samples try to evade detection by fragmenting the word "powershell" and inserting characters in between.<br /></li>
<li><b>Win.Downloader.Trickbot-6344490-1</b><br />Downloader<br />Trickbot is a banking trojan targeting sensitive information for select financial institutions. These recent downloaders are spread via spam posing as secure documents, with the sender spoofed as several different banks.<br /></li>
<li><b>Win.Trojan.RevengeRat-6344273-0</b><br />Trojan<br />This Remote Access Tool (RAT) allows the operator to perform any action on the infected system, such as spying on the user, exfiltrating data, or running additional malicious software.<br /></li>
<li><b>Win.Trojan.Tofsee-6345150-0</b><br />Trojan<br />This malware provides an entry point for other bundled malware. We have seen these samples connect to the Zeus botnet, exhibit ransomware behavior, and send spam. The bundled content is wrapped in several layers of encryption.<br /></li>
<li><b>Win.Trojan.Vilsel-4621</b><br />Trojan<br />Vilsel is old but prolific malware written in Visual Basic. It copies itself to several locations on the victim's computer, concatenating random bytes to the end of each of its copies. It gains persistence by copying itself to the victim's Startup folder.<br /></li>
</ul>
<hr />
<h2>Threats</h2>
<h3>Doc.Trojan.Emotet-6344335-2</h3>
<h4>Indicators of Compromise</h4>
<b>Registry Keys</b><br />
<ul>
<li><b>&lt;HKU&gt;.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS</b></li>
<ul><li><b>Value: </b>ProxyServer</li></ul>
<li><b>&lt;HKLM&gt;\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP</b></li>
<ul><li><b>Value: </b>ProxyBypass</li></ul>
<li><b>&lt;HKU&gt;.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS</b></li>
<ul><li><b>Value: </b>ProxyOverride</li></ul>
</ul>
<b>Mutexes</b><br />
<ul>
<li>\BaseNamedObjects\Global\I9B0091C</li>
<li>Global\I98B68E3C</li>
<li>Global\M98B68E3C</li>
<li>\BaseNamedObjects\M3AD7726C</li>
<li>MC1D37BE7</li>
</ul>
<b>IP Addresses</b><br />
<ul><li>N/A</li></ul>
<b>Domain Names</b><br />
<ul>
<li>dmsdjing[.]com</li>
<li>giantsinthesky[.]com</li>
<li>ihugny[.]com</li>
<li>haylophoto[.]com</li>
<li>joshzak[.]com</li>
</ul>
<b>Files and/or directories created</b><br />
<ul>
<li>\Users\Administrator\Documents\20170925\PowerShell_transcript.PC.FsvUAdg8.20170925212636.txt</li>
<li>\Users\Administrator\Documents\20171010\PowerShell_transcript.PC.ywSjiQPH.20171010164255.txt</li>
</ul>
<b>File Hashes</b><br
/>
<h4>Coverage</h4>
<div class="separator" style="clear: both; text-align: center;"><a href="https://3.bp.blogspot.com/-tSS3VoI1eOo/WPEtzFghLhI/AAAAAAAAA2c/sELBUbsbhFAhWd_8GeacC_PrQGegGhZGQCLcB/s400/all.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="297" src="https://3.bp.blogspot.com/-tSS3VoI1eOo/WPEtzFghLhI/AAAAAAAAA2c/sELBUbsbhFAhWd_8GeacC_PrQGegGhZGQCLcB/s400/all.png" width="400" /></a></div>
<h4>Screenshots of Detection</h4>
<b>AMP</b><br />
<div class="separator" style="clear: both; text-align: center;"><a
href="https://3.bp.blogspot.com/-z1kNZWSVR5c/WeEFrGCoTjI/AAAAAAAABZ4/CDpmB1PTMQ0Dhz8jaOph7aVE_df3e_zHACLcBGAs/s1600/Doc.Trojan.Emotet_6344335_2_amp.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="481" data-original-width="702" height="272" src="https://3.bp.blogspot.com/-z1kNZWSVR5c/WeEFrGCoTjI/AAAAAAAABZ4/CDpmB1PTMQ0Dhz8jaOph7aVE_df3e_zHACLcBGAs/s400/Doc.Trojan.Emotet_6344335_2_amp.png" width="400" /></a></div>
<b>ThreatGrid</b><br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://4.bp.blogspot.com/-bYVHXdZjW3A/WeEFyp0A8RI/AAAAAAAABZ8/qQ9UK_-dafkIvXCX7fKC6V2S2btw46iIQCLcBGAs/s1600/Doc.Trojan.Emotet_6344335_2_threatgrid.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1289" data-original-width="1237" height="400" src="https://4.bp.blogspot.com/-bYVHXdZjW3A/WeEFyp0A8RI/AAAAAAAABZ8/qQ9UK_-dafkIvXCX7fKC6V2S2btw46iIQCLcBGAs/s400/Doc.Trojan.Emotet_6344335_2_threatgrid.png" width="383" /></a></div>
<b>Umbrella</b><br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://2.bp.blogspot.com/-18MvpwZU48U/WeEF5Nzx82I/AAAAAAAABaA/QATNZjrJz3sETQZQ6Jg7g6tnBugiAEeXQCLcBGAs/s1600/Doc.Trojan.Emotet_6344335_2_umbrella.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="414" data-original-width="1112" height="148" src="https://2.bp.blogspot.com/-18MvpwZU48U/WeEF5Nzx82I/AAAAAAAABaA/QATNZjrJz3sETQZQ6Jg7g6tnBugiAEeXQCLcBGAs/s400/Doc.Trojan.Emotet_6344335_2_umbrella.png" width="400" /></a></div>
<hr />
<h3>Doc.Dropper.Agent-6346631-0</h3>
<h4>Indicators of Compromise</h4>
<b>Registry Keys</b><br
/>
<ul><li>N/A</li></ul>
<b>Mutexes</b><br />
<ul>
<li>Local\ZonesLockedCacheCounterMutex</li>
<li>Local\WinSpl64To32Mutex_e39d_0_3000</li>
<li>Local\MSCTF.Asm.MutexDefault1</li>
<li>Local\ZonesCacheCounterMutex</li>
<li>Global\552FFA80-3393-423d-8671-7BA046BB5906</li>
</ul>
<b>IP Addresses</b><br />
<ul><li>N/A</li></ul>
<b>Domain Names</b><br />
<ul><li>N/A</li></ul>
<b>Files and/or directories created</b><br />
<ul>
<li>\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{C5F7053F-0132-4AED-9DD3-3BD5F82E6BF2}.tmp</li>
<li>\TEMP\~$f56d32aea142f2f1bd162f709949a06025a400defd6a8fa564be8fdd02d81d.doc</li>
<li>\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{4312D399-C51E-4E15-8491-42FD34DED614}.tmp</li>
<li>\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRD0000.doc</li>
<li>\TEMP\6ff56d32aea142f2f1bd162f709949a06025a400defd6a8fa564be8fdd02d81d.doc</li>
<li>%AppData%\Microsoft\Office\Recent\6ff56d32aea142f2f1bd162f709949a06025a400defd6a8fa564be8fdd02d81d.LNK</li>
<li>%TEMP%\CVR700.tmp.cvr</li>
</ul>
<b>File Hashes</b><br
/>
<h4>Coverage</h4>
<div class="separator" style="clear: both; text-align: center;"><a href="https://2.bp.blogspot.com/-0lqSlixFz6w/WRNEvDBYhOI/AAAAAAAAA8g/ipzkzUpN9Ioo6QWiDDftf95zMLP66gt9QCLcB/s1600/amp-threatgrid-proxy.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="297" src="https://2.bp.blogspot.com/-0lqSlixFz6w/WRNEvDBYhOI/AAAAAAAAA8g/ipzkzUpN9Ioo6QWiDDftf95zMLP66gt9QCLcB/s1600/amp-threatgrid-proxy.png" width="400" /></a></div>
<h4>Screenshots of Detection</h4>
<b>AMP</b><br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://2.bp.blogspot.com/-yY2MkQmiU-Y/WeEGBgvPPNI/AAAAAAAABaE/yZGrplwz4sQY8xvilNHW5NxUl7CPkHXywCLcBGAs/s1600/Doc_Dropper_Agent_6346631_0_amp.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="481" data-original-width="702" height="272"
src="https://2.bp.blogspot.com/-yY2MkQmiU-Y/WeEGBgvPPNI/AAAAAAAABaE/yZGrplwz4sQY8xvilNHW5NxUl7CPkHXywCLcBGAs/s400/Doc_Dropper_Agent_6346631_0_amp.png" width="400" /></a></div>
<b>ThreatGrid</b><br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://3.bp.blogspot.com/-d7K6VahxuZs/WeEGF2Ln4UI/AAAAAAAABaI/qMgllqsstshl9d8G6hWBrtWpnyKAS1kACLcBGAs/s1600/Doc_Dropper_Agent_6346631_0_threatgrid.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="389" data-original-width="1216" height="127" src="https://3.bp.blogspot.com/-d7K6VahxuZs/WeEGF2Ln4UI/AAAAAAAABaI/_qMgllqsstshl9d8G6hWBrtWpnyKAS1kACLcBGAs/s400/Doc_Dropper_Agent_6346631_0_threatgrid.png" width="400" /></a></div>
<b>Screenshot</b><br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://4.bp.blogspot.com/-nU0U2uVgt58/WeEGKwYXdSI/AAAAAAAABaM/d1cbElBHprA89WFTO_dbrshRkDCS2Uy7gCLcBGAs/s1600/Doc_Dropper_Agent_6346631_0_malware.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1198" data-original-width="1600" height="298" src="https://4.bp.blogspot.com/-nU0U2uVgt58/WeEGKwYXdSI/AAAAAAAABaM/d1cbElBHprA89WFTO_dbrshRkDCS2Uy7gCLcBGAs/s400/Doc_Dropper_Agent_6346631_0_malware.png" width="400" /></a></div>
<hr />
<h3>Doc.Macro.DollarShell-6346616-0</h3>
<h4>Indicators of Compromise</h4>
<b>Registry Keys</b><br />
<ul><li>N/A</li></ul>
<b>Mutexes</b><br />
<ul><li>N/A</li></ul>
<b>IP Addresses</b><br />
<ul>
<li>185[.]35[.]228[.]6</li>
<li>52[.]179[.]17[.]38</li>
<li>192[.]168[.]1[.]219</li>
<li>167[.]114[.]121[.]80</li>
</ul>
<b>Domain Names</b><br />
<ul><li>halalsecurities[.]com</li></ul>
<b>Files and/or
directories created</b><br />
<ul><li>%WinDir%\SysWOW64\specsystem.exe</li></ul>
<b>File Hashes</b><br />
<h4>Coverage</h4>
<div class="separator" style="clear: both; text-align: center;"><a href="https://3.bp.blogspot.com/-Uaaol5f_kuk/WRNnk9-GYDI/AAAAAAAAA80/c6qsYVz-hcM5CPhFuFQnHk3X4b1J6C6-ACLcB/s1600/amp-tg-proxy-umbrella.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="297" src="https://3.bp.blogspot.com/-Uaaol5f_kuk/WRNnk9-GYDI/AAAAAAAAA80/c6qsYVz-hcM5CPhFuFQnHk3X4b1J6C6-ACLcB/s1600/amp-tg-proxy-umbrella.png" width="400" /></a></div>
<h4>Screenshots of Detection</h4>
<b>AMP</b><br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://3.bp.blogspot.com/-U2hu27OSvZ4/WeEGS_S1OBI/AAAAAAAABaU/k2KFwd52aDA_aLG-KMzNvZ-bCsSDyyAogCLcBGAs/s1600/Doc_Macro_DollarShell_6346616_0_amp.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="481" data-original-width="702" height="272" src="https://3.bp.blogspot.com/-U2hu27OSvZ4/WeEGS_S1OBI/AAAAAAAABaU/k2KFwd52aDA_aLG-KMzNvZ-bCsSDyyAogCLcBGAs/s400/Doc_Macro_DollarShell_6346616_0_amp.png" width="400" /></a></div>
<b>ThreatGrid</b><br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://4.bp.blogspot.com/-vHtu1u37Gao/WeEGXXYIzaI/AAAAAAAABaY/mBJrTW-u3wgM37R9_hkgvscRyUNdTkvSwCLcBGAs/s1600/Doc_Macro_DollarShell_6346616_0_threatgrid.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0"
data-original-height="1600" data-original-width="1131" height="400" src="https://4.bp.blogspot.com/-vHtu1u37Gao/WeEGXXYIzaI/AAAAAAAABaY/mBJrTW-u3wgM37R9_hkgvscRyUNdTkvSwCLcBGAs/s400/Doc_Macro_DollarShell_6346616_0_threatgrid.png" width="282" /></a></div>
<b>Umbrella</b><br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://4.bp.blogspot.com/-eOeqQwIuEdw/WeEGgDSyBPI/AAAAAAAABac/7NhN-IJdW3Ql9sACj2hgQc3FoLpCaQWIQCLcBGAs/s1600/Doc_Macro_DollarShell_6346616_0_umbrella.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="487" data-original-width="1112" height="173" src="https://4.bp.blogspot.com/-eOeqQwIuEdw/WeEGgDSyBPI/AAAAAAAABac/7NhN-IJdW3Ql9sACj2hgQc3FoLpCaQWIQCLcBGAs/s400/Doc_Macro_DollarShell_6346616_0_umbrella.png" width="400" /></a></div>
<b>Screenshot</b><br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://2.bp.blogspot.com/-JNLbAMa9nTg/WeEGnefje9I/AAAAAAAABag/NwobDYeA43saTuAMlHsXfRB6OywBeWrSgCLcBGAs/s1600/Doc_Macro_DollarShell_6346616_0_malware.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="768" data-original-width="1024" height="300" src="https://2.bp.blogspot.com/-JNLbAMa9nTg/WeEGnefje9I/AAAAAAAABag/NwobDYeA43saTuAMlHsXfRB6OywBeWrSgCLcBGAs/s400/Doc_Macro_DollarShell_6346616_0_malware.png" width="400" /></a></div>
<hr />
<h3>Doc.Macro.Obfuscation-6344051-0</h3>
<h4>Indicators of Compromise</h4>
<b>Registry Keys</b><br />
<ul><li>N/A</li></ul>
<b>Mutexes</b><br />
<ul><li>N/A</li></ul>
<b>IP Addresses</b><br />
<ul><li>52[.]179[.]17[.]38</li></ul>
<b>Domain Names</b><br />
<ul><li>N/A</li></ul>
<b>Files and/or directories
created</b><br />
<ul><li>N/A</li></ul>
<b>File Hashes</b><br />
<h4>Coverage</h4>
<div class="separator" style="clear: both; text-align: center;"><a
href="https://2.bp.blogspot.com/-0lqSlixFz6w/WRNEvDBYhOI/AAAAAAAAA8g/ipzkzUpN9Ioo6QWiDDftf95zMLP66gt9QCLcB/s1600/amp-threatgrid-proxy.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="297" src="https://2.bp.blogspot.com/-0lqSlixFz6w/WRNEvDBYhOI/AAAAAAAAA8g/ipzkzUpN9Ioo6QWiDDftf95zMLP66gt9QCLcB/s1600/amp-threatgrid-proxy.png" width="400" /></a></div>
<h4>Screenshots of Detection</h4>
<b>AMP</b><br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://3.bp.blogspot.com/-NQThfzLm9o0/WeEG04GpdKI/AAAAAAAABao/7JQX92HnrzQdxBy9k9rpLLLMVvXvWR0BwCLcBGAs/s1600/Doc_Macro_Obfuscation_6344051_0_amp.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="481" data-original-width="702" height="272" src="https://3.bp.blogspot.com/-NQThfzLm9o0/WeEG04GpdKI/AAAAAAAABao/7JQX92HnrzQdxBy9k9rpLLLMVvXvWR0BwCLcBGAs/s400/Doc_Macro_Obfuscation_6344051_0_amp.png" width="400" /></a></div>
<b>ThreatGrid</b><br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://3.bp.blogspot.com/-3bBa3CQBLuI/WeEHB8icwPI/AAAAAAAABas/v16UKg_8NK01dMyvTJh9wAiYfHXl1O4QgCLcBGAs/s1600/Doc_Macro_Obfuscation_6344051_0_threatgrid.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="555" data-original-width="1237" height="178" src="https://3.bp.blogspot.com/-3bBa3CQBLuI/WeEHB8icwPI/AAAAAAAABas/v16UKg_8NK01dMyvTJh9wAiYfHXl1O4QgCLcBGAs/s400/Doc_Macro_Obfuscation_6344051_0_threatgrid.png" width="400" /></a></div>
<hr />
<h3>Doc.Macro.VBSDownloader-6346528-1</h3>
<h4>Indicators of Compromise</h4>
<b>Registry Keys</b><br
/>
<ul>
<li><b>&lt;HKLM&gt;\SYSTEM\CONTROLSET001\CONTROL\NETWORK{4D36E972-E325-11CE-BFC1-08002BE10318}{9EB90D23-C5F9-4104-85A8-47DD7F6C4070}\CONNECTION</b></li>
<ul><li><b>Value: </b>PnpInstanceID</li></ul>
<li><b>&lt;HKLM&gt;\SYSTEM\CONTROLSET001\ENUM\SW{EEAB7790-C514-11D1-B42B-00805FC1270E}\ASYNCMAC</b></li>
<ul><li><b>Value: </b>CustomPropertyHwIdKey</li></ul>
<li><b>&lt;HKCU&gt;\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP</b></li>
<ul><li><b>Value: </b>AutoDetect</li></ul>
<li><b>&lt;HKLM&gt;\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP</b></li>
<ul><li><b>Value: </b>IntranetName</li></ul>
<li><b>&lt;HKCU&gt;\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP</b></li>
<ul><li><b>Value: </b>IntranetName</li></ul>
<li><b>&lt;HKLM&gt;\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP</b></li>
<ul><li><b>Value: </b>ProxyBypass</li></ul>
<li><b>&lt;HKCU&gt;\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP</b></li>
<ul><li><b>Value: </b>ProxyBypass</li></ul>
<li><b>&lt;HKCU&gt;\SOFTWARE\MICROSOFT\OFFICE\14.0\WORD\RESILIENCY\DOCUMENTRECOVERY\52125234</b></li>
<ul><li><b>Value: </b>52125234</li></ul>
<li><b>&lt;HKCU&gt;\Printers\DevModePerUser</b></li>
<li><b>&lt;HKCU&gt;\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\</b></li>
</ul>
<b>Mutexes</b><br />
<ul>
<li>Local\WinSpl64To32Mutex_44fd9_0_3000</li>
<li>RasPbFile</li>
<li>Local\MSCTF.Asm.MutexDefault1</li>
<li>Global\552FFA80-3393-423d-8671-7BA046BB5906</li>
</ul>
<b>IP Addresses</b><br />
<ul>
<li>74[.]220[.]215[.]115</li>
<li>66[.]147[.]244[.]177</li>
<li>80[.]93[.]29[.]189</li>
<li>74[.]220[.]207[.]77</li>
<li>202[.]191[.]62[.]28</li>
<li>74[.]220[.]215[.]235</li>
</ul>
<b>Domain Names</b><br />
<ul>
<li>damanidigital[.]com</li>
<li>markjgriffin[.]ie</li>
<li>ardentfilms[.]com</li>
<li>matteostocchino[.]com</li>
<li>on-int[.]com</li>
</ul>
<b>Files and/or directories created</b><br />
<ul>
<li>\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet
Files\Content.Word\~WRS{91051D81-AD46-4035-86B1-0308A15C9AA9}.tmp</li>
<li>%TEMP%\CVR4C79.tmp.cvr</li>
<li>\TEMP\~$5cb14fade7c435e10d673170dd975ee9b3f1c15fd932dc5c9d2663b4a7af10.doc</li>
<li>\Users\Administrator\Documents\20171013\PowerShell_transcript.PC._mX5ReZQ.20171013054549.txt</li>
<li>%AppData%\Microsoft\Office\Recent\195cb14fade7c435e10d673170dd975ee9b3f1c15fd932dc5c9d2663b4a7af10.LNK</li>
<li>\TEMP\195cb14fade7c435e10d673170dd975ee9b3f1c15fd932dc5c9d2663b4a7af10.doc</li>
</ul>
<b>File Hashes</b><br />
<h4>Coverage</h4>
<div class="separator" style="clear: both; text-align: center;"><a href="https://3.bp.blogspot.com/-Uaaol5f_kuk/WRNnk9-GYDI/AAAAAAAAA80/c6qsYVz-hcM5CPhFuFQnHk3X4b1J6C6-ACLcB/s1600/amp-tg-proxy-umbrella.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0"
height="297" src="https://3.bp.blogspot.com/-Uaaol5f_kuk/WRNnk9-GYDI/AAAAAAAAA80/c6qsYVz-hcM5CPhFuFQnHk3X4b1J6C6-ACLcB/s1600/amp-tg-proxy-umbrella.png" width="400" /></a></div>
<h4>Screenshots of Detection</h4>
<b>AMP</b><br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-DNCRAMjomx4/WeEIlZ06eLI/AAAAAAAABa4/tTF3NVjWaGkEQY860LuzMr-S-Cjc9p--wCLcBGAs/s1600/Doc_Macro_VBSDownloader_6346528_1_amp.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="481" data-original-width="702" height="272" src="https://1.bp.blogspot.com/-DNCRAMjomx4/WeEIlZ06eLI/AAAAAAAABa4/tTF3NVjWaGkEQY860LuzMr-S-Cjc9p--wCLcBGAs/s400/Doc_Macro_VBSDownloader_6346528_1_amp.png" width="400" /></a></div>
<b>ThreatGrid</b><br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://2.bp.blogspot.com/-Us3jZgN6ryY/WeEIq7QlEMI/AAAAAAAABa8/y7LBai4MatsxrARwclFqYVkt3i3A1YzkQCLcBGAs/s1600/Doc_Macro_VBSDownloader_6346528_1_threatgrid.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1415" data-original-width="1237" height="400" src="https://2.bp.blogspot.com/-Us3jZgN6ryY/WeEIq7QlEMI/AAAAAAAABa8/y7LBai4MatsxrARwclFqYVkt3i3A1YzkQCLcBGAs/s400/Doc_Macro_VBSDownloader_6346528_1_threatgrid.png" width="348" /></a></div>
<b>Umbrella</b><br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-Mkb6gVrsNkk/WeEIun3jhZI/AAAAAAAABbA/Dlb0GhQCRhElI1VNKh2J1b26ykVB4SyTACLcBGAs/s1600/Doc_Macro_VBSDownloader_6346528_1_umbrella.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="342" data-original-width="1112" height="122"
src="https://1.bp.blogspot.com/-Mkb6gVrsNkk/WeEIun3jhZI/AAAAAAAABbA/Dlb0GhQCRhElI1VNKh2J1b26ykVB4SyTACLcBGAs/s400/Doc_Macro_VBSDownloader_6346528_1_umbrella.png" width="400" /></a></div>
<b>Screenshot</b><br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://4.bp.blogspot.com/-04oRbKUEsHc/WeEI02rvtAI/AAAAAAAABbE/hVHCqNNeuZUfyvEeAGX90Q90CxEj-1wewCLcBGAs/s1600/Doc_Macro_VBSDownloader_6346528_1_malware.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1013" data-original-width="1447" height="280" src="https://4.bp.blogspot.com/-04oRbKUEsHc/WeEI02rvtAI/AAAAAAAABbE/hVHCqNNeuZUfyvEeAGX90Q90CxEj-1wewCLcBGAs/s400/Doc_Macro_VBSDownloader_6346528_1_malware.png" width="400" /></a></div>
<hr />
<h3>Win.Downloader.Trickbot-6344490-1</h3>
<h4>Indicators of Compromise</h4>
<b>Registry Keys</b><br />
<ul><li><b>&lt;HKU&gt;\Software\Microsoft\Windows\ShellNoRoam\MUICache</b></li></ul>
<b>Mutexes</b><br />
<ul>
<li>rdyboost_Perf_Library_Lock_PID_99c</li>
<li>WBEMPROVIDERSTATICMUTEX</li>
<li>316D1C7871E00</li>
<li>\BaseNamedObjects\647C097C25F0128</li>
<li>\BaseNamedObjects\E572F578D5E00</li>
</ul>
<b>IP Addresses</b><br />
<ul>
<li>174[.]129[.]241[.]106</li>
<li>194[.]87[.]103[.]184</li>
<li>52[.]179[.]17[.]38</li>
<li>87[.]106[.]222[.]158</li>
<li>185[.]158[.]152[.]225</li>
<li>162[.]255[.]93[.]51</li>
<li>184[.]73[.]220[.]206</li>
<li>23[.]23[.]170[.]235</li>
</ul>
<b>Domain Names</b><br />
<ul>
<li>diga-consult[.]de</li>
<li>hill-familie[.]de</li>
<li>deversdesign[.]com</li>
<li>essenza[.]co[.]id</li>
</ul>
<b>Files and/or directories created</b><br
/>
<ul>
<li>\Users\Administrator\Documents\20171004\PowerShell_transcript.PC.9v8wz+M+.20171004215407.txt</li>
<li>\Users\Administrator\Documents\20171004\PowerShell_transcript.PC.44+uZp3a.20171004215409.txt</li>
<li>%AppData%\winapp\Yqtgdelssjn.exE</li>
<li>%TEMP%\Gce8.bat</li>
<li>%WinDir%\Tasks\services update.job</li>
<li>%AppData%\winapp\Xqtfcdkssin.exE</li>
<li>%System32%\config\TxR{016888cc-6c6f-11de-8d1d-001e0bcde3ec}.TxR.blf</li>
<li>%TEMP%\Ovvgpiua-_2.exE</li>
<li>%AppData%\winapp\Pvvhpjua-_3.exE</li>
</ul>
<b>File Hashes</b><br />
<h4>Coverage</h4>
<div class="separator" style="clear: both; text-align: center;"><a href="https://4.bp.blogspot.com/-WcjQB5z7azY/WPEvFYVUpfI/AAAAAAAAA2o/9A2DqIoERHYxdyq2wats6A7E36it0gBdACLcB/s400/no-netsec.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="297" src="https://4.bp.blogspot.com/-WcjQB5z7azY/WPEvFYVUpfI/AAAAAAAAA2o/9A2DqIoERHYxdyq2wats6A7E36it0gBdACLcB/s400/no-netsec.png" width="400" /></a></div>
<h4>Screenshots of Detection</h4>
<b>AMP</b><br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-pNQucJ8YpBs/WeEJDvpm4rI/AAAAAAAABbI/R0prDfF3PasZmm2JiXUKtEHWOK3C5QKKwCLcBGAs/s1600/Win_Downloader_Trickbot_6344490_1_amp.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="481" data-original-width="702" height="272" src="https://1.bp.blogspot.com/-pNQucJ8YpBs/WeEJDvpm4rI/AAAAAAAABbI/R0prDfF3PasZmm2JiXUKtEHWOK3C5QKKwCLcBGAs/s400/Win_Downloader_Trickbot_6344490_1_amp.png" width="400" /></a></div>
<b>ThreatGrid</b><br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://2.bp.blogspot.com/-l4i2T1MmOqM/WeEJJSmWOaI/AAAAAAAABbU/HR7g1E23uNQsp8qHkZd3lSWO9pliE7tpQCLcBGAs/s1600/Win_Downloader_Trickbot_6344490_1_tg.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1600" data-original-width="996" height="400" src="https://2.bp.blogspot.com/-l4i2T1MmOqM/WeEJJSmWOaI/AAAAAAAABbU/HR7g1E23uNQsp8qHkZd3lSWO9pliE7tpQCLcBGAs/s400/Win_Downloader_Trickbot_6344490_1_tg.png" width="248" /></a></div>
<b>Umbrella</b><br />
<div class="separator" style="clear: both; text-align: center;"><a
href="https://1.bp.blogspot.com/-wSwci4JsNmk/WeEJOTofrOI/AAAAAAAABbY/Ul054rOB47c6BUPGFVHjWrprYYokz05ngCLcBGAs/s1600/Win_Downloader_Trickbot_6344490_1_umbrella.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="414" data-original-width="1112" height="148" src="https://1.bp.blogspot.com/-wSwci4JsNmk/WeEJOTofrOI/AAAAAAAABbY/Ul054rOB47c6BUPGFVHjWrprYYokz05ngCLcBGAs/s400/Win_Downloader_Trickbot_6344490_1_umbrella.png" width="400" /></a></div><div class="separator" style="clear: both; text-align: center;"><br /></div><br /><b>Screenshot</b><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://3.bp.blogspot.com/-xKci325571A/WeEJSuuob2I/AAAAAAAABbc/N-iUF_gEvq84QC0m5fBNRx4ANZCuJmvGACLcBGAs/s1600/Win_Downloader_Trickbot_6344490_1_malware.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="768" data-original-width="1024" height="300" src="https://3.bp.blogspot.com/-xKci325571A/WeEJSuuob2I/AAAAAAAABbc/N-iUF_gEvq84QC0m5fBNRx4ANZCuJmvGACLcBGAs/s400/Win_Downloader_Trickbot_6344490_1_malware.png" width="400" /></a></div><div class="separator" style="clear: both; text-align: center;"><br /></div><br /><br /><br /><hr /><br /><h3>Win.Trojan.RevengeRat-6344273-0</h3><br /><h4>Indicators of Compromise</h4><br /><b>Registry Keys</b><br /><ul><li><b><HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN</b></li><ul><li><b>Value: </b>WindowsServices</li></ul><li><b><HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN</b></li><ul><li><b>Value: </b>internat.exe</li></ul><li><b><HKU>\Software\Microsoft\Windows\ShellNoRoam\MUICache</b></li><li><b><HKU>\Software\Microsoft\Windows\CurrentVersion\Run</b></li></ul><b>Mutexes</b><br /><ul><li>RV_MUTEX-yHuiGGjjtnxDp</li><li>\BaseNamedObjects\RV_MUTEX-yHuiGGjjtnxDp</li></ul><b>IP Addresses</b><br /><ul><li>86[.]120[.]105[.]76</li></ul><b>Domain Names</b><br /><ul><li>darkcometratttt[.]ddns[.]net</li></ul><b>Files 
and or directories created</b><br /><ul><li>%AppData%\Microsoft\Windows\Start Menu\Programs\Startup\WindowsServices.exe</li><li>%SystemDrive%\Documents and Settings\Administrator\Start Menu\Programs\Startup\WindowsServices.exe</li></ul><b>File Hashes</b><br /><ul><li>6fe71c4b59fba4e0200f2e71e308a791eadc3e6518ab87acb66db4c79df66985</li><li>7d0474c514e78deac6f690006546bf92c029836c60d547504ceebdd21bf6130c</li><li>bd3bcfecf479bd347540d6305001b068583696aa81279739ee8b32eb34f2a0df</li><li>e422cc0f5bb2d56d1def4063ac21cb8e18f97dfc48287e8b47ba07863704a8af</li><li>e60613e2453d6568cb04ad8e09ac64b6652318079be2444156293f092cc9ff52</li><li>b110def3771963078f3ce54d13d23a6f751ea6dc41e5177e242208791a0a8342</li><li>fdb99a0527be797fc7d7b7f48088c21d034bce6a5c848ede43714d86d3266661</li><li>0d576038349acf0892cbb0124b9558bb4b80c070875017c320dd12bdc0c21f9a</li><li>d06ffdfe71bd471b8ba5c2c9fd1191e661c6a9d2332243bc4f93f3838cbff75b</li></ul><br /><h4>Coverage</h4><div class="separator" style="clear: both; text-align: center;"><a href="https://4.bp.blogspot.com/-WcjQB5z7azY/WPEvFYVUpfI/AAAAAAAAA2o/9A2DqIoERHYxdyq2wats6A7E36it0gBdACLcB/s400/no-netsec.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="297" src="https://4.bp.blogspot.com/-WcjQB5z7azY/WPEvFYVUpfI/AAAAAAAAA2o/9A2DqIoERHYxdyq2wats6A7E36it0gBdACLcB/s400/no-netsec.png" width="400" /></a></div><br /><h4>Screenshots of Detection</h4><b>AMP</b><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://2.bp.blogspot.com/-Y0sMELzmFTA/WeEJXcvPKMI/AAAAAAAABbg/vew2JekkynAomRFmb3bfCQmJmbXgyIXXQCLcBGAs/s1600/Win_Trojan_RevengeRat_6344273_0_amp.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="481" data-original-width="702" height="272" src="https://2.bp.blogspot.com/-Y0sMELzmFTA/WeEJXcvPKMI/AAAAAAAABbg/vew2JekkynAomRFmb3bfCQmJmbXgyIXXQCLcBGAs/s400/Win_Trojan_RevengeRat_6344273_0_amp.png" width="400" /></a></div><div 
class="separator" style="clear: both; text-align: center;"><br /></div><br /><b>ThreatGrid</b><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://3.bp.blogspot.com/-pCIZPKzVPQ8/WeEJe_WOHNI/AAAAAAAABbk/so93TGtqrRwWgqdVGdY2mQ8LehHy2m9DACLcBGAs/s1600/Win_Trojan_RevengeRat_6344273_0_threatgrid.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="597" data-original-width="1237" height="192" src="https://3.bp.blogspot.com/-pCIZPKzVPQ8/WeEJe_WOHNI/AAAAAAAABbk/so93TGtqrRwWgqdVGdY2mQ8LehHy2m9DACLcBGAs/s400/Win_Trojan_RevengeRat_6344273_0_threatgrid.png" width="400" /></a></div><div class="separator" style="clear: both; text-align: center;"><br /></div><br /><b>Umbrella</b><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://2.bp.blogspot.com/-W4ZnQ3j_H0U/WeEJklWpVUI/AAAAAAAABbo/6Xf_mIHZ-XQIslcZ6Wg6hz8Wn29WiszxQCLcBGAs/s1600/Win_Trojan_RevengeRat_6344273_0_umbrella.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="414" data-original-width="1112" height="148" src="https://2.bp.blogspot.com/-W4ZnQ3j_H0U/WeEJklWpVUI/AAAAAAAABbo/6Xf_mIHZ-XQIslcZ6Wg6hz8Wn29WiszxQCLcBGAs/s400/Win_Trojan_RevengeRat_6344273_0_umbrella.png" width="400" /></a></div><div class="separator" style="clear: both; text-align: center;"><br /></div><br /><br /><br /><br /><hr /><br /><h3>Win.Trojan.Tofsee-6345150-0</h3><br /><h4>Indicators of Compromise</h4><br /><b>Registry Keys</b><br /><ul><li><b><A>{461C21F0-877D-11E7-AB94-00501E3AE7B5}\DEFAULTOBJECTSTORE\OBJECTTABLE\A9C</b></li><ul><li><b>Value: </b>AeFileID</li></ul><li><b><HKLM>\SYSTEM\CONTROLSET001\SERVICES\QPYYZGQI</b></li><ul><li><b>Value: </b>Start</li></ul><li><b><A>{461C21F0-877D-11E7-AB94-00501E3AE7B5}\DEFAULTOBJECTSTORE\OBJECTTABLE\A9D</b></li><ul><li><b>Value: </b>AeProgramID</li></ul><li><b><HKLM>\SYSTEM\CONTROLSET001\SERVICES\QPYYZGQI</b></li><ul><li><b>Value: 
</b>Description</li></ul><li><b><A>{461C21F0-877D-11E7-AB94-00501E3AE7B5}\DEFAULTOBJECTSTORE\OBJECTTABLE\A9D\INDEXES\FILEIDINDEX-{3F37BA64-EF5C-11E4-BB8D-806E6F6E6963}</b></li><ul><li><b>Value: </b>10000000095A9</li></ul><li><b><HKLM>\SYSTEM\CONTROLSET001\SERVICES\QPYYZGQI</b></li><ul><li><b>Value: </b>ObjectName</li></ul><li><b><HKLM>\SYSTEM\CONTROLSET001\SERVICES\QPYYZGQI</b></li><ul><li><b>Value: </b>ErrorControl</li></ul><li><b><HKLM>\SYSTEM\CONTROLSET001\SERVICES\QPYYZGQI</b></li><ul><li><b>Value: </b>DisplayName</li></ul><li><b><HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS</b></li><ul><li><b>Value: </b>C:\Windows\SysWOW64\qpyyzgqi</li></ul><li><b><HKLM>\SYSTEM\CONTROLSET001\SERVICES\QPYYZGQI</b></li><ul><li><b>Value: </b>WOW64</li></ul><li><b><A>{461C21F0-877D-11E7-AB94-00501E3AE7B5}\DEFAULTOBJECTSTORE\OBJECTTABLE\A9C</b></li><ul><li><b>Value: </b>_FileId</li></ul><li><b><HKLM>\SYSTEM\CONTROLSET001\SERVICES\QPYYZGQI</b></li><ul><li><b>Value: </b>ImagePath</li></ul><li><b><A>{461C21F0-877D-11E7-AB94-00501E3AE7B5}\DEFAULTOBJECTSTORE\OBJECTTABLE\A9D\Indexes</b></li></ul><b>Mutexes</b><br /><ul><li>N/A</li></ul><b>IP Addresses</b><br 
/><ul><li>185[.]12[.]95[.]147</li><li>207[.]46[.]8[.]167</li><li>64[.]12[.]88[.]132</li><li>200[.]138[.]219[.]72</li><li>199[.]212[.]0[.]46</li><li>185[.]7[.]123[.]158</li><li>65[.]55[.]92[.]184</li><li>23[.]103[.]156[.]42</li><li>66[.]196[.]118[.]37</li><li>185[.]195[.]27[.]81</li><li>65[.]55[.]92[.]152</li><li>74[.]125[.]133[.]27</li><li>98[.]138[.]112[.]38</li><li>23[.]103[.]156[.]74</li><li>64[.]12[.]91[.]196</li><li>98[.]136[.]216[.]26</li><li>103[.]248[.]137[.]133</li><li>64[.]12[.]88[.]164</li><li>65[.]55[.]33[.]135</li><li>89[.]233[.]43[.]71</li><li>110[.]77[.]183[.]122</li><li>172[.]217[.]13[.]67</li><li>65[.]55[.]33[.]119</li><li>152[.]163[.]0[.]67</li><li>195[.]154[.]242[.]211</li><li>192[.]0[.]47[.]59</li><li>191[.]239[.]213[.]197</li><li>5[.]133[.]235[.]100</li><li>65[.]55[.]37[.]120</li><li>104[.]44[.]194[.]231</li><li>65[.]55[.]37[.]72</li><li>65[.]54[.]188[.]94</li><li>209[.]244[.]0[.]3</li><li>66[.]196[.]118[.]240</li></ul><b>Domain Names</b><br /><ul><li>mailin-01[.]mx[.]aol[.]com</li><li>mailin-04[.]mx[.]aol[.]com</li><li>mailin-02[.]mx[.]aol[.]com</li><li>mx4[.]hotmail[.]com</li><li>mta5[.]am0[.]yahoodns[.]net</li><li>mta6[.]am0[.]yahoodns[.]net</li><li>www[.]google[.]co[.]uk</li><li>mx3[.]hotmail[.]com</li><li>whois[.]arin[.]net</li><li>mx1[.]hotmail[.]com</li><li>comcast[.]net</li><li>mx2[.]hotmail[.]com</li><li>250[.]5[.]55[.]69[.]in-addr[.]arpa</li><li>alt4[.]gmail-smtp-in[.]l[.]google[.]com</li><li>mta7[.]am0[.]yahoodns[.]net</li><li>250[.]5[.]55[.]69[.]zen[.]spamhaus[.]org</li><li>mx1[.]comcast[.]net</li><li>mx1[.]charter[.]net</li><li>250[.]5[.]55[.]69[.]bl[.]spamcop[.]net</li><li>alt3[.]gmail-smtp-in[.]l[.]google[.]com</li><li>www[.]google[.]com</li><li>microsoft-com[.]mail[.]protection[.]outlook[.]com</li><li>microsoft[.]com</li><li>250[.]5[.]55[.]69[.]sbl-xbl[.]spamhaus[.]org</li><li>mailin-03[.]mx[.]aol[.]com</li><li>charter[.]net</li><li>whois[.]iana[.]org</li><li>250[.]5[.]55[.]69[.]dnsbl[.]sorbs[.]net</li><li>gaby-gorny[.]de</li><li
>gaby-gerstner[.]com</li></ul><b>Files and or directories created</b><br /><ul><li>%WinDir%\SysWOW64\config\systemprofile\Local Settings:init</li><li>%WinDir%\AppCompat\Programs\RecentFileCache.bcf</li><li>%System32%\bbscpfka\pdqccygi.exe (copy)</li><li>%WinDir%\Temp\rohwayag.exe</li><li>%WinDir%\SysWOW64\config\systemprofile\Local Settings</li><li>%WinDir%\SysWOW64\qpyyzgqi\eoopfgxb.exe</li></ul><b>File Hashes</b><br /><ul><li>baaf07eff95de3672affcae2e00aca57540b8bfcb1c6010ee359213d8700bd0e</li><li>6cbb53ee5485e756bd8680944961b6c27d59c1a610c5f93c1788a2dafd1f5706</li><li>0f4d468818d80d3048879c26546dc5b413956ca2a5ec5261fa54a00d03e0b393</li><li>d02cd223f8284826a4dd1d51ecb61cc39e2588c534c0e6b848f6fbfd772fc02a</li><li>b637127d56d4b02c131bfdeaa8a42d95210bdd33285ef5788249ba8f631a0abf</li><li>9f33ee45c11c52f6c6a38bb004457046f5743d51bde77282b2dc1847e9c6cbe9</li><li>94cab1cdda2cdf19e077add232b00de9b141f981f6def5c7309521613f6423cb</li><li>fa1645ec20a84fd16d9d5eb2960b1caafb168f4456c7a14c8b8e5219bd15b29c</li><li>b29d5908edaa7a98e7b7aca5614e0dbbcbaa5e15e93540f037451db52905ebdf</li><li>5ecce618b7b65cac1a5930608aa939241f4312a54a3efbfaf8c3bb5e27056b91</li></ul><br /><h4>Coverage</h4><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-8-ewx032dEo/WShN7e2cmKI/AAAAAAAABAg/1zHeN8V4h-sP6aW4ev8jafnU6MW4QEE0wCLcB/s1600/no-email-security.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="297" src="https://1.bp.blogspot.com/-8-ewx032dEo/WShN7e2cmKI/AAAAAAAABAg/1zHeN8V4h-sP6aW4ev8jafnU6MW4QEE0wCLcB/s1600/no-email-security.png" width="400" /></a></div><br /><h4>Screenshots of Detection</h4><b>AMP</b><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://3.bp.blogspot.com/-OLUeOXBaN7Y/WeEJwtnSwiI/AAAAAAAABbw/wuiIzGOy2DInhhJavVi1hdqvsn1MTQZmgCLcBGAs/s1600/Win_Trojan_Tofsee_6345150_0_amp.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" 
data-original-height="481" data-original-width="702" height="272" src="https://3.bp.blogspot.com/-OLUeOXBaN7Y/WeEJwtnSwiI/AAAAAAAABbw/wuiIzGOy2DInhhJavVi1hdqvsn1MTQZmgCLcBGAs/s400/Win_Trojan_Tofsee_6345150_0_amp.png" width="400" /></a></div><div class="separator" style="clear: both; text-align: center;"><br /></div><br /><b>ThreatGrid</b><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://3.bp.blogspot.com/-tpPnMDbHrEs/WeEJ0_9xjBI/AAAAAAAABb0/Rff5qwDg3EEuG5GyYWVkW6nbkHbBodS9QCLcBGAs/s1600/Win_Trojan_Tofsee_6345150_0_threatgrid.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1143" data-original-width="1237" height="368" src="https://3.bp.blogspot.com/-tpPnMDbHrEs/WeEJ0_9xjBI/AAAAAAAABb0/Rff5qwDg3EEuG5GyYWVkW6nbkHbBodS9QCLcBGAs/s400/Win_Trojan_Tofsee_6345150_0_threatgrid.png" width="400" /></a></div><div class="separator" style="clear: both; text-align: center;"><br /></div><br /><b>Umbrella</b><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-AHcvSKH8sj8/WeEJ5C0L5II/AAAAAAAABb4/gyKfi8q_kccMBdOyRy4BXplh3W0ghGzsACLcBGAs/s1600/Win_Trojan_Tofsee_6345150_0_umbrella.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="342" data-original-width="1112" height="122" src="https://1.bp.blogspot.com/-AHcvSKH8sj8/WeEJ5C0L5II/AAAAAAAABb4/gyKfi8q_kccMBdOyRy4BXplh3W0ghGzsACLcBGAs/s400/Win_Trojan_Tofsee_6345150_0_umbrella.png" width="400" /></a></div><div class="separator" style="clear: both; text-align: center;"><br /></div><br /><br /><br /><br /><hr /><br /><h3>Win.Trojan.Vilsel-4621</h3><br /><h4>Indicators of Compromise</h4><br /><b>Registry Keys</b><br /><ul><li>N/A</li></ul><b>Mutexes</b><br /><ul><li>\BaseNamedObjects\Pro3</li></ul><b>IP Addresses</b><br /><ul><li>N/A</li></ul><b>Domain Names</b><br /><ul><li>N/A</li></ul><b>Files and or directories created</b><br 
/><ul><li>%SystemDrive%\temp.zip (copy)</li><li>%SystemDrive%\Documents and Settings\Administrator\Start Menu\Programs\Google Chrome\backup.exe</li><li>%SystemDrive%\c2d124b8466cec6b3e47c4\amd64\backup.exe</li><li>%SystemDrive%\Documents and Settings\All Users\Documents\My Music\Sample Playlists\00A751EC\backup.exe</li><li>%SystemDrive%\Documents and Settings\All Users\Start Menu\Programs\Microsoft Office\backup.exe</li><li>%SystemDrive%\Documents and Settings\Administrator\My Documents\backup.exe</li><li>%SystemDrive%\Documents and Settings\All Users\Favorites\backup.exe</li><li>%SystemDrive%\Documents and Settings\All Users\Start Menu\Programs\Accessories\System Tools\update.exe</li><li>%SystemDrive%\Documents and Settings\Administrator\Favorites\backup.exe</li><li>%SystemDrive%\H1a02792</li><li>%SystemDrive%\Documents and Settings\All Users\Start Menu\Programs\backup.exe</li><li>%SystemDrive%\Documents and Settings\Administrator\Start Menu\Programs\Startup\data.exe</li><li>%SystemDrive%\279862715.dat</li></ul><b>File Hashes</b><br /><ul><li>eff9dcc0bebee521ebc2cb48a4398c3fe55e878fe127fda6f2ac02208e135325</li><li>c3ff4ab8815d9934a5a2bb5e02de372e20d70ef2ea519bf96bd3188187ab8a63</li><li>c0a5e770e251be820ac40cf249d5e30eb74be677bc2be054ffd07ceae23cbc33</li><li>89782f35fef2dad9aadcad63b07fb6ed39077c9edfdccd0716facac53293f872</li><li>51b411f1c6b10e8ee9bea405e66fc2f1f8f84d29106f119b2423de59101bbbd8</li><li>4d0bbd53f71ad27a77602fa1b2c3e9a1f92976052ce575f73b4a78d5f9f9ef1a</li><li>2cdaa2c24356b829da8b7aa4aac7e93f3727d9f7378f60e408fae2c2838237db</li><li>267d1e4423079ce2998b30ff031b854fd72f20754f693e958ed2aa537407b726</li><li>1b8ba3bde52f7c979d427a03d636c9658b010724b8b93fd98c31a888bcc3123c</li><li>18804047e5c39b2da8fdd601a63f8d066e2fc45cabe970859e09ffc7a9bd4823</li></ul><br /><h4>Coverage</h4><div class="separator" style="clear: both; text-align: center;"><a 
href="https://4.bp.blogspot.com/-lMcm16MfzdA/WRTPVW_BAII/AAAAAAAAA9I/TUwW9Ai4QFAh5FURDnAbZJXWJ_Pc0etyACLcB/s1600/amp-esa-proxy-tg.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="297" src="https://4.bp.blogspot.com/-lMcm16MfzdA/WRTPVW_BAII/AAAAAAAAA9I/TUwW9Ai4QFAh5FURDnAbZJXWJ_Pc0etyACLcB/s1600/amp-esa-proxy-tg.png" width="400" /></a></div><br /><h4>Screenshots of Detection</h4><b>AMP</b><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://3.bp.blogspot.com/-Gr3NNx2WlsI/WeEJ_T_iFII/AAAAAAAABb8/eCW5IszPdTw2IU02zYwfk40ouV_UUsiZQCLcBGAs/s1600/Win_Trojan_Vilsel_4621_amp.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="481" data-original-width="702" height="272" src="https://3.bp.blogspot.com/-Gr3NNx2WlsI/WeEJ_T_iFII/AAAAAAAABb8/eCW5IszPdTw2IU02zYwfk40ouV_UUsiZQCLcBGAs/s400/Win_Trojan_Vilsel_4621_amp.png" width="400" /></a></div><div class="separator" style="clear: both; text-align: center;"><br /></div><br /><b>ThreatGrid</b><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://2.bp.blogspot.com/-_QQlH5HozbU/WeEKGo96S-I/AAAAAAAABcA/oV8zflGF8YQsTRsoxQRO0x3oZHIMk3omwCLcBGAs/s1600/Win_Trojan_Vilsel_4621_threatgrid.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="461" data-original-width="1200" height="152" src="https://2.bp.blogspot.com/-_QQlH5HozbU/WeEKGo96S-I/AAAAAAAABcA/oV8zflGF8YQsTRsoxQRO0x3oZHIMk3omwCLcBGAs/s400/Win_Trojan_Vilsel_4621_threatgrid.png" width="400" /></a></div><div class="separator" style="clear: both; text-align: center;"><br /></div><br />