Threat Round Up for Feb 16 - 23

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between February 16 and February 23. As with previous round-ups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavior characteristics, indicators of compromise, and how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of date of publication. Detection and coverage for the following threats is subject to updates pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

The most prevalent threats highlighted in this round up are:

  • Win.Packer.Givelet-6454616-0
    Packer
    Givelet is a packer that compresses and obfuscates a malware payload. It has been used to pack ransomware such as GandCrab.
     
  • Win.Packer.WizzPack-6454612-0
    Packer
    This .NET packer has been seen in use by the Wizzcaster adware, which installs unwanted applications.
     
  • Win.Trojan.Generic-6454586-1
    Dropper
    These samples drop additional malicious files, including cryptominers, on the infected system. They use registry Run keys for persistence and perform host environment checks to evade sandboxes.
     
  • Win.Trojan.Generic-6454615-0
    Worm
    Win.Trojan.Generic-6454615-0 is a trojan that contacts a command-and-control (CnC) server and attempts to steal information from the infected host.
     
  • Win.Trojan.GenInjector-6443827-0
    Trojan
    This family is highly polymorphic. It injects code into another process's address space using process hollowing, gains persistence through the Windows registry, and complicates analysis with several anti-debugging tricks. This particular cluster contacts SMTP servers and sends spam messages.
     
  • Win.Trojan.Regrun-6454954-0
    Trojan
    Win.Trojan.Regrun-6454954-0 is a trojan that installs itself to ensure persistence and modifies several settings on the victim machine to conceal itself (file-extension and hidden-file display settings), hook certain actions (registering itself as the handler for executable file types), tamper with the Windows shell (Winlogon Shell and Userinit values), register itself as the SafeBoot alternate shell, disable the registry editor, and take other actions that prevent the user from repairing the infected system.
     
  • Win.Trojan.Startpage-6455053-0
    Trojan
    This trojan changes the browser's start page. The start page can be a single site or a set of sites that is opened when the browser is first launched.
     
  • Xls.Dropper.Powershell-6454576-0
    Office Macro Dropper
    Excel workbooks that use the Italian message 'FARE CLIC SU "ATTIVA CONTENUTO" NELLA BARRA DEI MESSAGGI' ("click 'Enable Content' in the message bar") alongside an unreadable image to convince users to run the macro. PowerShell is then used to download and run a malicious executable.
     

Threats

Win.Packer.Givelet-6454616-0

Indicators of Compromise

Registry Keys
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
    • Value: qdobxoamsza
Mutexes
  • Global\pc_group=WORKGROUP&ransom_id=4a6a799098b68e3c
IP Addresses
  • 193[.]0[.]179[.]152
  • 151[.]248[.]118[.]75
  • 5[.]154[.]191[.]67
Domain Names
  • gandcrab[.]bit
Files and or directories created
  • %AppData%\Microsoft\motopn.exe
File Hashes
  • 10f2ed852befc9c9c15e5231b2167bbec66e3700c44bcf324312a32e932fa819
  • 1257a5650f02a4cbff43c190452517e17f4aa46284b7063162e4a54d318aff79
  • 14944d9db8baace4d7fb97cdf285009b5e0472bd6aa4d9cb530a1f3893287682
  • 17d14ca09aa5f447fca0d8d5d1ae9dee5731846588d1c15987eb3de5cd57e90d
  • 184ccb64f12601a3797e9c73ce77c89d05b50f2a668f94ec8cfd1c7414906c0e
  • 18635915a4453bd1c68de152c139326023a165c0ae191ef501a6425615aa5d84
  • 18dd0a662f77ca2ec235b3ae761cf7f4e6a3adb3fe32b2c994c080b6b7f10389
  • 19519e38242877d2a689efaddecb8b8699d122051cd4b189de6466a83422f7c3
  • 19cebd1722376f2c62a1922214903052a964ad1d2505fa698376c5f3b4d0594b
  • 19e5e3d8fbf0db27d943090114c88051294bb918f0c9ce2d4894d9c8c290c21b
  • 1ddca770b20bf8748a2a0435cf4f7316167ee4dbc7311fd3fd8e9600c79fc7ec
  • 1e7eebcaf485682da709a94fb1c679555a9090592cfe54564f5eb396c7458044
  • 1eae0edf899f881fd86f0500b58f9b6497d5b94a99ac439307d61c0f24cb1573
  • 2155517a296dd90f86ef3bb09455444c387d9b1384bb435c997105acd88a281f
  • 29ce80f75b8877e22cdcdf3fbecb01d2d1a65161f18311facdbbd090769b5ee6
  • 29ff9ee8e9d85e836de88304ee4251ff373bcec4abc5c45496192952ad08a0a5
  • 32ee0ff7fbec042edbb9420e522eda1a126e1872da2b7a13b0627a03be4d1d59
  • 336e7c9dfef94fecf00c1c0b2a539c7332453e72367efc0b25c5115d90d94180
  • 3570b95ea454efd6735bf4942d69521d608ab7d0c9745cfa636f1107acc6a23c
  • 3732c9fd5ff38c31fda2492dd81584819f12cce5731f7361f536bdf8040c724d

Coverage

Screenshots of Detection

AMP

ThreatGrid

Win.Packer.WizzPack-6454612-0

Indicators of Compromise

Registry Keys
  • N/A
Mutexes
  • RasPbFile
IP Addresses
  • 94[.]23[.]252[.]37
  • 46[.]105[.]121[.]115
  • 94[.]23[.]199[.]17
Domain Names
  • asedownloadgate[.]com
Files and or directories created
  • \Program Files\S941OEL096\uninstaller.exe.config
  • \Program Files\S941OEL096\S941OEL09.exe
  • %SystemDrive%\Program Files\P56VHIGDGI\P56VHIGDG.exe.config
  • %SystemDrive%\Program Files\P56VHIGDGI\P56VHIGDG.exe
  • \Program Files\S941OEL096\uninstaller.exe
  • \Program Files\S941OEL096\S941OEL09.exe.config
  • %SystemDrive%\Program Files\P56VHIGDGI\uninstaller.exe
  • %SystemDrive%\Program Files\P56VHIGDGI\uninstaller.exe.config
File Hashes
  • a7bca25940ec920dbbcc05ef606b1d0a1192d46de612b432a1072d3aa1fa5a07
  • 22a96cc3fcc81a7475fc4c6253fd8e39bda56bd97afc5c98864c1eab9c2f625f
  • c9bd472f6fa6af9f0ba855967c4a061e6e559e48734b4e85c30742a14274a5f8
  • ea4ddb43aa08c17216262c7251fb47d6f8c2c3f2369c6efed6c7914d9f0e16c1
  • 17873809b8b5c0df00a414ed8ac4ccd356d46bb5726d79552c3e5d5f0e63c889
  • e63962df00ffdc4e99d59019b588c0b34a0c56368bedb9736cb684274fac3833
  • 3c7d21d1ae2103a9610f3073c3e805ef76adfc978c13c19585830d2e17d3c912
  • 9eea6555c0fbc9753b5a7f68d367269872538850b326a2eea3ad4c26fe910073
  • 0c0124adc78b717b24505119f4faa70b1ce9fd217d7c5fee574b77eccd13d755
  • 11d808a9eb56223bdb3e1a66a3d55a8ea12f077bb5ee2db66d193cb779a02f62
  • a085a4dac6d01166072c7296ec4e4089e50a45ed0027a691854c62ed0c5be611
  • e05db1be09272fb01803d46ca5b9b55e324776058a87f9695e1b39f8f9bd3e17
  • f8f7422827e5874604c69ab1d2de11d893f7432a6b346b1a6d0feddce700d24d
  • 2815d64f1dcbb9ea459b969da34c7d319440c854fcee7d5b12b138f5540f7a10
  • f6bddc85724ff45d2b64f17685dcce98c7e5f7435d9b268debd523cbebc14260
  • 899a119818fbdd16989380e5e4a62998e2d68865dc5f5dba82c2931e6d20bcbd
  • f2dbc26b7b7dd8f552e954ce4e8b685a9600506a633a90c2735a303aec80e0a0
  • 4727f0952de54fb024c30de9188d2e6e81ee0a675f229159013b6d753e985a6e
  • 8e8bdb56d72a73da3d4367a59ca2235495fc7837aa48dd15201a6a0ff1a8d7ef
  • c59a5a9e3cb8bc3794d17a480e4709b1b96b28a469c2a1ff1d9ab4972f7a043d

Coverage

Screenshots of Detection

AMP

ThreatGrid

Umbrella

Win.Trojan.Generic-6454586-1

Indicators of Compromise

Registry Keys
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    • Value: AudioHD
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    • Value: internat.exe
Mutexes
  • Local\MSCTF.Asm.MutexDefault1
IP Addresses
  • N/A
Domain Names
  • N/A
Files and or directories created
  • %TEMP%\svchost.exe
  • %AppData%\AudioHDriver\AudioHD.exe
  • %AppData%\Microsoft\Windows\Start Menu\Programs\Startup\AudioHD.url
File Hashes
  • 013ede62c35998c847f9248bcede46dce801480743a064d488341f95094c0d4e
  • 166ee27653415896013b0e775c03ffc27db5a7b6daa7a4c78976fdd7bc166416
  • 1f1ec9a132226bc4eac25a6e999cc9b937718cb356c8d41b2bb08266ca1c5a38
  • 2d1cfd1ae428729b32af03264179cb7640d4aa7b1e3c299cb106a77cfe42d216
  • 38cf958875c3eb34a07f15163e7ceb8294ada5eccb765aa37ea69aba4fe79cd8
  • 3b0e9faf07e32d593b54cdfebd725707988bdaa7d81ab2ab396630384127fdc9
  • 3ff03a32f5a944c6655789bbfa124a7d52bb17df771c975685a5dce69c124d04
  • 45b40df9bc6508a11c7fdf06de88a039485dca91d985fb667a91a4af35a08b2a
  • 4ca97c879d841e79a5588f350cea663272bdfab1a1e7761b109c6bc72da523fe
  • 5943eb982b5def7773628c728369398d5722c39f67b978c10782311eb00a50bf
  • 9414096ebca4dd3e948014b7348578e5adfec4729e5a9f15f6b06dfffbd13408
  • a6a9ec0af4abe94b72e557f4b9c9d4d0b59b4296aca3175a1551b84efefed856
  • ab1c0fd38656ae73d1ec96bb5b3ee5e354022feca924653c606ad5dbc3ae0c47
  • fddbec3a6e8fca4f3f388ff5856b8030005339967ffda594035f9353f5c71bd2

Coverage

Screenshots of Detection

AMP

ThreatGrid

Win.Trojan.Generic-6454615-0

Indicators of Compromise

Registry Keys
  • <HKU>\S-1-5-21-2580483871-590521980-3826313501-500_CLASSES\LOCAL SETTINGS\MUICACHE\3A\52C64B7E
    • Value: @%SystemRoot%\system32\eapqec.dll,-102
  • <HKU>\S-1-5-21-2580483871-590521980-3826313501-500_CLASSES\LOCAL SETTINGS\MUICACHE\3A\52C64B7E
    • Value: @%SystemRoot%\system32\eapqec.dll,-103
  • <HKU>\S-1-5-21-2580483871-590521980-3826313501-500_CLASSES\LOCAL SETTINGS\MUICACHE\3A\52C64B7E
    • Value: @%SystemRoot%\system32\eapqec.dll,-100
  • <HKU>\S-1-5-21-2580483871-590521980-3826313501-500_CLASSES\LOCAL SETTINGS\MUICACHE\3A\52C64B7E
    • Value: @%SystemRoot%\system32\eapqec.dll,-101
  • <HKU>\S-1-5-21-2580483871-590521980-3826313501-500_CLASSES\LOCAL SETTINGS\MUICACHE\3A\52C64B7E
    • Value: @%SystemRoot%\system32\dhcpqec.dll,-102
  • <HKU>\S-1-5-21-2580483871-590521980-3826313501-500_CLASSES\LOCAL SETTINGS\MUICACHE\3A\52C64B7E
    • Value: @%SystemRoot%\system32\dhcpqec.dll,-103
  • <HKU>\S-1-5-21-2580483871-590521980-3826313501-500_CLASSES\LOCAL SETTINGS\MUICACHE\3A\52C64B7E
    • Value: @%SystemRoot%\system32\dhcpqec.dll,-100
  • <HKU>\S-1-5-21-2580483871-590521980-3826313501-500_CLASSES\LOCAL SETTINGS\MUICACHE\3A\52C64B7E
    • Value: @%SystemRoot%\system32\dhcpqec.dll,-101
  • <HKLM>\SYSTEM\CONTROLSET001\CONTROL\NETWORK\{4D36E972-E325-11CE-BFC1-08002BE10318}\{9EB90D23-C5F9-4104-85A8-47DD7F6C4070}\CONNECTION
    • Value: PnpInstanceID
  • <HKU>\S-1-5-21-2580483871-590521980-3826313501-500_CLASSES\LOCAL SETTINGS\MUICACHE\3A\52C64B7E
    • Value: @%SystemRoot%\system32\napipsec.dll,-1
  • <HKU>\S-1-5-21-2580483871-590521980-3826313501-500_CLASSES\LOCAL SETTINGS\MUICACHE\3A\52C64B7E
    • Value: @%SystemRoot%\system32\napipsec.dll,-3
  • <HKU>\S-1-5-21-2580483871-590521980-3826313501-500_CLASSES\LOCAL SETTINGS\MUICACHE\3A\52C64B7E
    • Value: @%SystemRoot%\system32\napipsec.dll,-2
  • <HKU>\S-1-5-21-2580483871-590521980-3826313501-500_CLASSES\LOCAL SETTINGS\MUICACHE\3A\52C64B7E
    • Value: @%SystemRoot%\system32\napipsec.dll,-4
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    • Value: internat.exe
  • <HKU>\S-1-5-21-2580483871-590521980-3826313501-500_CLASSES\LOCAL SETTINGS\MUICACHE\3A\52C64B7E
    • Value: @%SystemRoot%\system32\tsgqec.dll,-101
  • <HKU>\S-1-5-21-2580483871-590521980-3826313501-500_CLASSES\LOCAL SETTINGS\MUICACHE\3A\52C64B7E
    • Value: @%SystemRoot%\system32\tsgqec.dll,-102
  • <HKU>\S-1-5-21-2580483871-590521980-3826313501-500_CLASSES\LOCAL SETTINGS\MUICACHE\3A\52C64B7E
    • Value: @%SystemRoot%\system32\tsgqec.dll,-103
  • <HKU>\S-1-5-21-2580483871-590521980-3826313501-500_CLASSES\LOCAL SETTINGS\MUICACHE\3A\52C64B7E
    • Value: @%SystemRoot%\system32\tsgqec.dll,-100
  • <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    • Value: 35f4cf4b9d22a75d4f44d45247335d79
  • <HKCU>\SOFTWARE\35F4CF4B9D22A75D4F44D45247335D79
    • Value: [kl]
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    • Value: 35f4cf4b9d22a75d4f44d45247335d79
  • <HKU>\S-1-5-21-2580483871-590521980-3826313501-500
    • Value: di
  • <HKU>\S-1-5-21-2580483871-590521980-3826313501-500_CLASSES\LOCAL SETTINGS\MUICACHE\3A\52C64B7E
    • Value: LanguageList
  • <HKCU>\ENVIRONMENT
    • Value: SEE_MASK_NOZONECHECKS
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
    • Value: ParseAutoexec
  • <HKU>\Software\Microsoft\Windows\CurrentVersion\Run
  • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\NAPAGENT\LOCALCONFIG\UI
  • <HKLM>\Software\Microsoft\Fusion\GACChangeNotification\Default
  • <HKCU>\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage2
  • <HKU>\Software\35f4cf4b9d22a75d4f44d45247335d79
  • <HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh
  • <HKU>\Environment
  • <HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr
  • <HKU>\Software\Microsoft\Windows\ShellNoRoam\MUICache
  • <HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent
  • <HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier
  • <HKLM>\System\CurrentControlSet\Services\Tcpip\Parameters
  • <HKU>\S-1-5-21-1258710499-2222286471-4214075941-500
  • <HKLM>\System\CurrentControlSet\Services\NapAgent\Shas
  • <HKCU>\Software\35f4cf4b9d22a75d4f44d45247335d79
  • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\NAPAGENT\LOCALCONFIG\Enroll\HcsGroups
  • <HKLM>\SOFTWARE\Microsoft\Tracing\FWCFG
  • <HKLM>\System\CurrentControlSet\Services\NapAgent\Qecs
  • <HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  • <HKLM>\System\CurrentControlSet\Services\NapAgent\LocalConfig
Mutexes
  • 35f4cf4b9d22a75d4f44d45247335d79
  • Global\3a886eb8-fe40-4d0a-b78b-9e0bcb683fb7
  • \BaseNamedObjects\35f4cf4b9d22a75d4f44d45247335d79
  • RasPbFile
IP Addresses
  • 52[.]15[.]72[.]79
  • 52[.]15[.]194[.]28
Domain Names
  • abdullahxd[.]ddns[.]net
  • achreeff[.]ddns[.]net
  • fatehtawba[.]hopto[.]org
  • youdkme6[.]ddns[.]net
  • boubou14789[.]myddns[.]me
  • hixx[.]ddns[.]net
  • hoangvanloi[.]ddns[.]net
  • hackingisis[.]ddns[.]net
  • aymandz[.]hopto[.]org
  • deface666[.]duckdns[.]org
  • ramzy778[.]ddns[.]net
  • adsvcksl0[.]hopto[.]org
  • hostalukkzattack[.]ddns[.]net
  • 4mmujnm11[.]ddns[.]net
  • love-5aled[.]ddns[.]net
  • njrat511[.]hopto[.]org
  • rootbot2[.]ddns[.]net
  • force-ss[.]ddns[.]net
  • aadlallame00[.]ddns[.]net
  • ksa-99[.]ddns[.]net
  • updateservice[.]ddns[.]net
  • forever12qut[.]hopto[.]org
  • wydad2002[.]ddns[.]net
  • feedback007[.]ddns[.]net
  • sniper1994[.]hopto[.]org
  • falcon777[.]ddns[.]net
  • pikhateamspeak[.]duckdns[.]org
  • krkr-7rb[.]ddns[.]net
  • sagadegemios[.]ddns[.]net
  • sniper04[.]ddns[.]net
  • omerbahram00[.]ddns[.]net
  • koshtmna[.]ddns[.]net
  • colorado[.]ddns[.]net
  • minhahostvitimas[.]ddns[.]net
  • zkiller[.]ddns[.]net
  • 1[.]tcp[.]ngrok[.]io
  • hussein1984[.]ddns[.]net
  • sniperusa[.]ddns[.]net
  • sodotest[.]ddns[.]net
  • notfoundd[.]ddns[.]net
  • portaclore[.]ddns[.]net
  • al38lal56er[.]ddns[.]net
  • paubrasil123ei[.]ddns[.]net
  • samuli[.]ddns[.]net
  • droid[.]ddnsking[.]com
  • naoe1noip[.]hopto[.]org
  • njrat98[.]ddns[.]net
  • windowssystem2017[.]hopto[.]org
  • dndon[.]ddns[.]net
  • plon[.]ddns[.]net
  • kskhtk[.]ddns[.]net
  • belegugamaniawr[.]hopto[.]org
  • boubou14789[.]hopto[.]org
  • samirsuheib12[.]ddns[.]net
  • machouche17[.]ddns[.]net
  • menescraftson[.]ddns[.]net
  • tronn[.]ddns[.]net
  • zombi16[.]ddns[.]net
  • hamaditigwan[.]ddns[.]net
  • r4y3n[.]ddns[.]net
Files and or directories created
  • %SystemDrive%\Documents and Settings\Administrator\Start Menu\Programs\Startup\35f4cf4b9d22a75d4f44d45247335d79.exe
  • \TEMP\R8v6FbJV.exe
  • %AppData%\Microsoft\Windows\Start Menu\Programs\Startup\35f4cf4b9d22a75d4f44d45247335d79.exe
  • %AppData%\server.exe
File Hashes
  • e537ffeb2bc202f2a8289e9c96115c5c03280cdbda5a82a81d83b97570ccfcce
  • eada793b386002f297ad511a2ae780cd011b189f1dccbd6ca62d89345095d6e6
  • 49fbf92ef158694f0ed792403f7a066d88831ba71e5f4018f707010f2627210d
  • 4c54271a9c1fc98d0561c6f8ab45be77121bb382453e07d49f2b56d89bd263ab
  • b6712bdb9c15e7e3cbeb71a32cd2103c1286509a85e7db870baed53d71b0dcc2
  • 15fa9fff9515ae191c98aabd7a870699d3683ad9ae0b9fbdb4fb875e35c43183
  • 8def70bf3014498d6c05556fd1b5b72982205423bb5bfa9d25ab4288ecbb506f
  • 658e4b5c23b609d535abc535901b848569dd294f26952fb07a25dc3537116bf8
  • a4b0b9b8b4240370b6c9f030eaac7b852f10da8069b36d3387fd1b96e472d73a
  • 2f2e7e92f633924afa45b5da925e217643ed08e605ced40949f0ca78adb36d6f
  • a1d8135b1ff1c5d8c28016b4ff09bb47606f04f815a4f268c6d82d25398f7bec
  • 46a5a182b94569e4db66ae877064a18a1ca470aa0302d400eaed02545d83c1eb
  • 9bce170ab8da2c93a54bac556b0666f93ab09bfa9965b03bdbc7861ee413448e
  • 90e7a37c2183bd83b02d3a6ac8af8a3afd19e0a1561bf16f2338476802dcfefa
  • e1673a3ed97150082c0e89712386c71f6feb8fd1d7428fe633cfae0d1ca9baba
  • ba1d8858e7863db19f04cf44cfa92906887833a84099f2bc810ed5c6863b46b1
  • 59a56a0d81bac39e5a7a9299ae700b5734b1b038fa800c006463c5592620107d
  • de3357a9ab3d0f03cb4025862a0f0a38f1eb2e0d2909f9537597c4e341cc14be
  • bc9c84da6bac2680ae866d540768af8f744c321d2cedcccd97fb17299d5904c6
  • 2e7b6747e309c3d8fb98ebe25eeeb9f4644162084b304a68ef00a5690be27b46
  • 8d3b285e6b1a0c1f21e9a950ab580800f184b0d6456dd117c74edc37020c31f3
  • b371a4708ba510da541267981d4b05bb6dafbe4b07b387952c582db4ea691e26
  • dde1cc674ef61703752be1d3354f0f766724678aa0fdeb6376e7448a901d7f78
  • ff2269482bf29fef74fdb1d15cfae2417955f1aaa80cd8e3c296d21bec23bf98
  • ce533f8f084a79294aa1254db01fd630dab95ccff22124d9fb4c51fe16a2948a
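The domain list above is dominated by free dynamic-DNS and tunnelling hostnames (ddns[.]net, hopto[.]org, duckdns[.]org, myddns[.]me, ddnsking[.]com, ngrok[.]io), which is typical CnC infrastructure for commodity RATs. The following Python script is an added example, not Talos code: it refangs the published indicators, then runs them over a few constructed DNS-resolver log lines, reporting exact IoC hits and, as weaker leads, any other lookups under the same dynamic-DNS providers. The log format and the sample lines are invented for the example, and only a subset of the indicators above is embedded.

```python
import re

# Defanged indicators copied from the Win.Trojan.Generic-6454615-0 section
# (a subset; extend the lists with the rest of the published IoCs).
DEFANGED_IPS = ["52[.]15[.]72[.]79", "52[.]15[.]194[.]28"]
DEFANGED_DOMAINS = [
    "abdullahxd[.]ddns[.]net", "fatehtawba[.]hopto[.]org",
    "deface666[.]duckdns[.]org", "boubou14789[.]myddns[.]me",
    "droid[.]ddnsking[.]com", "1[.]tcp[.]ngrok[.]io",
    "njrat511[.]hopto[.]org", "updateservice[.]ddns[.]net",
]

# Dynamic-DNS and tunnelling providers that appear in the list. An exact hostname
# hit is an IoC match; any other lookup under these suffixes is only a hunting lead.
DYNDNS_SUFFIXES = (".ddns.net", ".hopto.org", ".duckdns.org",
                   ".myddns.me", ".ddnsking.com", ".ngrok.io")


def refang(indicator):
    """Turn the '[.]' / 'hxxp' defanging used in reports back into a usable value."""
    value = indicator.strip().lower()
    for token in ("[.]", "(.)", "[dot]", "(dot)"):
        value = value.replace(token, ".")
    return re.sub(r"^hxxp", "http", value)


IPS = {refang(i) for i in DEFANGED_IPS}
DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}

# Constructed resolver log in an invented "timestamp client qname -> answer" format.
SAMPLE_DNS_LOG = """\
2018-02-20T10:01:02Z 10.0.0.15 updateservice.ddns.net -> 52.15.72.79
2018-02-20T10:01:09Z 10.0.0.15 www.example.com -> 93.184.216.34
2018-02-20T10:02:41Z 10.0.0.22 somebody-else.hopto.org -> 198.51.100.7
2018-02-20T10:03:13Z 10.0.0.31 1.tcp.ngrok.io -> 52.15.194.28
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)\s+->\s+(?P<answer>\S+)$")


def classify(qname, answer):
    """'ioc-match' on a published hostname or resolved IP, 'dyndns-lead' on the
    provider suffix alone, None otherwise."""
    qname = qname.lower().rstrip(".")
    if qname in DOMAINS or answer in IPS:
        return "ioc-match"
    if qname.endswith(DYNDNS_SUFFIXES):
        return "dyndns-lead"
    return None


def hunt(log_text):
    """Return (ts, client, qname, answer, verdict) for every line worth a look."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        verdict = classify(m["qname"], m["answer"])
        if verdict:
            hits.append((m["ts"], m["client"], m["qname"], m["answer"], verdict))
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_DNS_LOG):
        print(*hit)
```

Two caveats when running this against real logs: the resolved IPs of dynamic-DNS names change often, so the IP list ages far faster than the hostnames, and the suffix-only leads will be noisy wherever staff use home dynamic-DNS services, which is why they are reported separately from exact matches.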

Coverage

Screenshots of Detection

AMP

ThreatGrid

Umbrella

Win.Trojan.GenInjector-6443827-0

Indicators of Compromise

Registry Keys
  • <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\TRACING\REGASM_RASMANCS
    • Value: FileTracingMask
  • <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\TRACING\REGASM_RASAPI32
    • Value: FileTracingMask
  • <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\TRACING\REGASM_RASAPI32
    • Value: MaxFileSize
  • <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\TRACING\REGASM_RASAPI32
    • Value: ConsoleTracingMask
  • <HKLM>\SYSTEM\CONTROLSET001\CONTROL\NETWORK\{4D36E972-E325-11CE-BFC1-08002BE10318}\{9EB90D23-C5F9-4104-85A8-47DD7F6C4070}\CONNECTION
    • Value: PnpInstanceID
  • <HKU>\S-1-5-21-2580483871-590521980-3826313501-500_CLASSES\LOCAL SETTINGS\MUICACHE\3A\52C64B7E
    • Value: LanguageList
  • <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\TRACING\REGASM_RASMANCS
    • Value: MaxFileSize
  • <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\TRACING\REGASM_RASAPI32
    • Value: FileDirectory
  • <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\TRACING\REGASM_RASMANCS
    • Value: FileDirectory
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    • Value: internat.exe
  • <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\TRACING\REGASM_RASAPI32
    • Value: EnableConsoleTracing
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    • Value: FSjrvbtr\s\\0s\\0s\\0s\\0s\\0s\\0s\\0s\\0s\\0s\\0s\\0s\\0s\\0s\\0s\\0s\\0s\\0s\\0s\\0s\\0s\\0s\\0s\\0s\\0s\\0s\\0s\\0s\\0s\\0s\\0s\\0s\\0s\\0s\\0s\\0s\\0s\\0s\\0s\\0s\\0s\\0s\\0s\\0s\\0s\\0s\\0s\\0s\\0s\\0s\\0s\\0
  • <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\TRACING\REGASM_RASMANCS
    • Value: ConsoleTracingMask
  • <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\TRACING\REGASM_RASMANCS
    • Value: EnableFileTracing
  • <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\TRACING\REGASM_RASAPI32
    • Value: EnableFileTracing
  • <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\TRACING\REGASM_RASMANCS
    • Value: EnableConsoleTracing
  • <HKLM>\Software\Wow6432Node\Microsoft\WBEM\CIMOM
  • <HKLM>\Software\Wow6432Node\Microsoft\Tracing\regasm_RASMANCS
  • <HKU>\Software\Microsoft\Windows\CurrentVersion\Run
  • <HKLM>\Software\Microsoft\Fusion\GACChangeNotification\Default
  • <HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  • <HKLM>\SOFTWARE\CLASSES
  • <HKLM>\Software\Wow6432Node\Microsoft\Tracing\regasm_RASAPI32
  • <HKLM>\System\CurrentControlSet\Services\Tcpip\Parameters
  • <HKLM>\SOFTWARE\Microsoft\ESENT\Process\regasm\DEBUG
  • <HKLM>\Software\Wow6432Node\Microsoft\Tracing
Mutexes
  • \BaseNamedObjects\7261cb8c-207c-4c90-b816-c6717f9f50fe
  • 7261cb8c-207c-4c90-b816-c6717f9f50fe
  • RasPbFile
IP Addresses
  • 208[.]91[.]199[.]224
  • 37[.]187[.]116[.]23
  • 208[.]91[.]199[.]223
  • 192[.]168[.]1[.]255
  • 208[.]91[.]199[.]225
  • 66[.]171[.]248[.]178
  • 208[.]91[.]198[.]143
Domain Names
  • glop[.]me
  • us2[.]smtp[.]mailhostbox[.]com
  • smtp[.]tridentsaefoods[.]com
  • bot[.]whatismyipaddress[.]com
Files and or directories created
  • %SystemDrive%\Documents and Settings\Administrator\Local Settings\Temp\tmp3.tmp
  • %SystemDrive%\Documents and Settings\Administrator\Local Settings\Temp\tmp2.tmp
  • %SystemDrive%\Documents and Settings\Administrator\Local Settings\Temp\tmp5.tmp
  • %SystemDrive%\Documents and Settings\Administrator\Local Settings\Temp\8a30b2df-789d-2a28-7167-76c811ca3a9f
  • \TEMP\IMG-PRO-FORMA INVO.2017.1.11.exe
  • %AppData%\FSjrvbtr\AVetZPQw.exe
  • %SystemDrive%\Documents and Settings\Administrator\Local Settings\Temp\tmp4.tmp
  • %SystemDrive%\Documents and Settings\Administrator\Local Settings\Temp\tmp7.tmp
  • %System32%\wbem\Logs\wbemprox.log
  • %TEMP%\a998c159-9477-9c4d-f909-8a857896ecad
  • %SystemDrive%\Documents and Settings\Administrator\Local Settings\Temp\tmp1.tmp
File Hashes
  • 021492b2cc3c242851207e402e9ba284ed32350379deac649f38426130b2c01f
  • 048800615c3449d53e8b3c28489fabb4e8f4d758ace9f585f8f2ea585d3c7fad
  • 18d5300979ddaa3b65ff7579aa3725921b44e945e40ed54e55a0396add9d3323
  • 2cd6fc2a4572f4b1a39371a8df8c664eabe119608908d441257e72eb203737f4
  • 6346200d4e21bcd391e3557b72791f033c51fc72ebfeb359498b63c1c8d832ca
  • 7ad83d75a4223be0dec837d26fa78e4d7a69e4379c01c3ae31f3aa82483fbd2d
  • 90cd726b06dffb129795b132f92d39750492d168206ef22b0ee422a6a55663cb
  • b111124ced4570df72cefd1b5d0d1afc1f1dae7db1319c4e720f52c23b76c0ad
  • b9a43f89e0b974b2f2b2af15e80353b10175ed3e9d4e015d85f96d7d38e65c6c
  • be9f065d0330585bc300e3a56c7ade7da01a48af2d1c7634e20c2896c45a2024
  • d90dc3f22cc7bd92f22bafa9d77b0e373849386eae57606b42239f915357084a
  • e128f7ad54a882d2d269733a956f49e5b1bf2b182781f24f98f058f2d8f48787
  • e4b1ee306ab7080c48b05746da8130fdeede8730214e00778c8231f6d8d6e7c0
  • fb237b7fc75cec8180f4d853c44911dc0dbdb705be39c3e6f1f2a523b79ff9d5
  • 7a7afe3c990a21f1076dd57769d2e199e081ef04f5fb250da5c6d4d109034dc0
  • a9657835057ff11177054c128e834217fd6ba5e55279caab16391f12147c0757

Coverage

Screenshots of Detection

AMP

ThreatGrid

Win.Trojan.Regrun-6454954-0

Indicators of Compromise

Registry Keys
  • <HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\INSTALLER
    • Value: DisableMSI
  • <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    • Value: System Monitoring
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER
    • Value: NoFolderOptions
  • <HKCU>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\SYSTEM
    • Value: DisableCMD
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM
    • Value: DisableRegistryTools
  • <HKCU>\CONTROL PANEL\DESKTOP
    • Value: ScreenSaveTimeOut
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CABINETSTATE
    • Value: FullPathAddress
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    • Value: xk
  • <HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS NT\SYSTEMRESTORE
    • Value: DisableConfig
  • <HKLM>\SYSTEM\CONTROLSET001\CONTROL\SAFEBOOT
    • Value: AlternateShell
  • <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\AEDEBUG
    • Value: Debugger
  • <HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\INSTALLER
    • Value: LimitSystemRestoreCheckpointing
  • <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
    • Value: Userinit
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    • Value: internat.exe
  • <HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM
    • Value: DisableRegistryTools
  • <HKCU>\CONTROL PANEL\DESKTOP
    • Value: SCRNSAVE.EXE
  • <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\AEDEBUG
    • Value: Auto
  • <HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS NT\SYSTEMRESTORE
    • Value: DisableSR
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED
    • Value: HideFileExt
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED
    • Value: ShowSuperHidden
  • <HKCU>\CONTROL PANEL\DESKTOP
    • Value: ScreenSaverIsSecure
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    • Value: MSMSGS
  • <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    • Value: LogonAdministrator
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED
    • Value: Hidden
  • <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
    • Value: Shell
  • <HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER
    • Value: NoFolderOptions
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    • Value: ServiceAdministrator
  • <HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\System\
  • <HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\
  • <HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\
  • <HKLM>\SOFTWARE\CLASSES\lnkfile\shell\open\command
  • <HKCU>\Control Panel\Desktop\
  • <HKLM>\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows NT\SystemRestore
  • <HKLM>\SOFTWARE\CLASSES\batfile\shell\open\command
  • <HKCU>\Software\Policies\Microsoft\Windows\System\
  • <HKLM>\SOFTWARE\CLASSES\piffile\shell\open\command
  • <HKLM>\SYSTEM\CurrentControlSet\Control\SafeBoot\
  • <HKLM>\SOFTWARE\CLASSES\LNKFILE\SHELL\open
  • <HKCU>\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
  • <HKCU>\Software\Microsoft\Windows\CurrentVersion\Explorer\CabinetState
  • <HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\AeDebug
  • <HKLM>\SOFTWARE\CLASSES\lnkfile
  • <HKCU>\Software\Microsoft\Windows\CurrentVersion\Run\
  • <HKCU>\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
  • <HKLM>\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\Installer
  • <HKLM>\SOFTWARE\CLASSES\exefile
  • <HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon
  • <HKLM>\SOFTWARE\CLASSES\exefile\shell\open\command
  • <HKLM>\SOFTWARE\CLASSES\LNKFILE\shell
  • <HKCU>\Software\Microsoft\Windows\CurrentVersion\Policies\System\
  • <HKLM>\SOFTWARE\CLASSES\comfile\shell\open\command
Mutexes
  • N/A
IP Addresses
  • N/A
Domain Names
  • N/A
Files and or directories created
  • %WinDir%\Tasks\SCHEDLGU.TXT
File Hashes
  • d86831a343b89136da7a224b0abfae57a79b1ce5d0ae3447bef628d262fb0f12
  • c137279e9650a0112f3a3460172a41f307e32aba43016c6d85b1d33859079bba
  • 060bf8faec0beb953af3c72b54ea334abc1057f5bc96a65a140810ac55d2e6ce
  • b6a80a6ed3bc851a1685ef19dc3a89424813b93a10b25a0684631a532dea71ca
  • 13cf35842c9ef3f362bb7d3c6c8c50957f5b156e865b45b57e2e420416a3f656
  • e6f2a103d62c0dd55cdbd3776578fd8ff3ea28532404a811c0dcd9ed7df473c0
  • ddc14512ed0a1c00988ef4ea0ea59b832d4e17a25500e7a2f7d5caaa6aae0245
  • 4a66e0bfcdd2addfccd8ba68c50d2b803beb2b8120a6cf4f8fecf4a0b0cf1678
  • 9dda2f8f7543c8074f4c284c00e5310a599b364def138a99d7425ec1b205b7e0
  • b2d99e9bb7d597d69b139b07c3ac03aeb37f959094ab0f50bc2a8269d340b8b6
  • 59695cfe42cc0d5418a4568d946949af5fd9de14bdc160d1a5d12d5916a9b411
  • 2c4d182d15533ea845e2d8741a3012998f339a3a6411735a07e4a5722ed0738c
  • 80fd45667ccd54a83e5a54339fa4f5260929bc59f1a57be49251e3ebdcd5abce
  • f0c6a8ed12cb35d5986a1ad51f035f684f0b2953c8b4738e5243777920d23169
  • 04b54cac517f204d2f4159a819b63825a8be41a0470d9666ea2110607888c857
  • 3c7e07a560d5cd46a054d44663440f7ef38b48157ae16c39e7a8c8859d517d80
  • 6262f5c8735e38bc8ab646dc1edb6f989478c3d50abadd7b9b58a5e63d558dc1
  • 5d5175472fbb0a943818f84a6b2423c410c212390310daca531e6f0f880c336d
  • 57b930abca5b4f3cdd3c7c50b77224ea732dc5d44d2e8443c9199b7701a8307d
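The registry modifications listed above read as a checklist for a lockdown-style trojan: shell replacement (Winlogon Shell and Userinit, SafeBoot AlternateShell), file-type hijacking (exefile, batfile, comfile, piffile and lnkfile shell\open\command), policy values that disable regedit, cmd.exe, Folder Options, System Restore and the Windows Installer, and Run-key autostarts. The Python below is an added triage example, not Talos tooling: it audits a registry snapshot (a dict of value path to data, as exported with reg.exe or pulled from an offline hive) against the clean-install defaults of those values and flags Run entries that launch from user-writable paths. The default data values are Windows defaults; the sample snapshot is constructed to mimic the IoCs, and xk.exe and its path are invented.

```python
import re

# Clean-install defaults for the values this family tampers with (assumption:
# 64-bit Windows 7/10 with no custom shell; adjust for kiosk or embedded images).
EXPECTED = {
    r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell": "explorer.exe",
    r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit":
        r"C:\Windows\system32\userinit.exe,",
    r"HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\AlternateShell": "cmd.exe",
    r"HKLM\SOFTWARE\Classes\exefile\shell\open\command\(Default)": '"%1" %*',
    r"HKLM\SOFTWARE\Classes\batfile\shell\open\command\(Default)": '"%1" %*',
    r"HKLM\SOFTWARE\Classes\comfile\shell\open\command\(Default)": '"%1" %*',
    r"HKLM\SOFTWARE\Classes\piffile\shell\open\command\(Default)": '"%1" %*',
}

# Policy values that lock the user out of repair tools; unset or 0 unless a GPO sets them.
LOCKDOWN_POLICIES = {
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools",
    r"HKCU\Software\Policies\Microsoft\Windows\System\DisableCMD",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions",
    r"HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\DisableSR",
    r"HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\DisableConfig",
    r"HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer\DisableMSI",
}

RUN_KEY_RE = re.compile(r"\\currentversion\\run(?:once)?\\[^\\]+$")
USER_WRITABLE_RE = re.compile(
    r"\\users\\|appdata|\\temp\\|%temp%|%appdata%|%localappdata%|%userprofile%")


def normalize(path):
    """Case-fold and fold the Wow6432Node and ControlSet00N views onto the native
    path, so a 32-bit sample's writes compare against the same defaults."""
    p = path.strip("\\").lower()
    p = p.replace("hkey_local_machine", "hklm").replace("hkey_current_user", "hkcu")
    p = p.replace("\\wow6432node", "")
    return re.sub(r"\\controlset\d{3}\\", r"\\currentcontrolset\\", p)


def audit(snapshot):
    """snapshot: {value path: data} exported from the host. Returns (path, data, reason)."""
    expected = {normalize(k): v for k, v in EXPECTED.items()}
    lockdown = {normalize(k) for k in LOCKDOWN_POLICIES}
    findings = []
    for path, data in snapshot.items():
        key = normalize(path)
        text = str(data).strip()
        if key in expected:
            if text.lower() != expected[key].lower():
                findings.append((path, data, "differs from default %r" % expected[key]))
        elif key in lockdown:
            if text not in ("", "0"):
                findings.append((path, data, "lockdown policy set"))
        elif RUN_KEY_RE.search(key) and USER_WRITABLE_RE.search(text.lower()):
            findings.append((path, data, "autostart from user-writable path"))
    return findings


# Constructed snapshot mimicking the IoCs above; xk.exe and its path are invented.
SAMPLE_SNAPSHOT = {
    r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell":
        r"explorer.exe,C:\Users\victim\AppData\Roaming\xk.exe",
    r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit":
        r"C:\Windows\system32\userinit.exe,",
    r"HKLM\SYSTEM\ControlSet001\Control\SafeBoot\AlternateShell": "xk.exe",
    r"HKLM\SOFTWARE\Classes\exefile\shell\open\command\(Default)":
        r'"C:\Users\victim\AppData\Roaming\xk.exe" "%1" %*',
    r"HKLM\SOFTWARE\Classes\batfile\shell\open\command\(Default)": '"%1" %*',
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools": 1,
    r"HKCU\Software\Policies\Microsoft\Windows\System\DisableCMD": 0,
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\xk":
        r"C:\Users\victim\AppData\Roaming\xk.exe",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth":
        r"C:\Windows\system32\SecurityHealthSystray.exe",
}

if __name__ == "__main__":
    for path, data, reason in audit(SAMPLE_SNAPSHOT):
        print("%-34s %s = %r" % (reason, path, data))
```

The Wow6432Node copy of the Winlogon key is folded in deliberately: the sample in this round-up wrote there, and a tampered copy is worth a look whether or not that view is the one winlogon reads. Restoring the exefile command and the Winlogon values is also the first step of cleanup, since regedit and cmd.exe may refuse to run until the policy values are cleared.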

Coverage

Screenshots of Detection

AMP

ThreatGrid

Win.Trojan.Startpage-6455053-0

Indicators of Compromise

Registry Keys
  • <HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{69910372-D455-48F9-811C-B1191062C1B7}
    • Value: URL
  • <HKU>\Software\Microsoft\Internet Explorer\TabbedBrowsing
  • <HKU>\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}\iexplore
  • <HKU>\S-1-5-21-2580483871-590521980-3826313501-500_CLASSES\LOCAL SETTINGS\MUICACHE\3E\52C64B7E
    • Value: LanguageList
  • <HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{69910372-D455-48F9-811C-B1191062C1B7}
    • Value: SuggestionsURL
  • <HKU>\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\iexplore
  • <HKU>\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\iexplore
  • <HKU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
  • <HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{69910372-D455-48F9-811C-B1191062C1B7}
    • Value: DisplayName
  • <HKU>\Software\Microsoft\Internet Explorer\User Preferences
  • <HKU>\Software\Microsoft\Internet Explorer\Main
  • <HKU>\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
  • <HKU>\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\Links
  • <HKU>\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore
  • <HKU>\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E2E2DD38-D088-4134-82B7-F2BA38496583}\iexplore
  • <HKU>\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
  • <HKU>\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\0
  • <HKLM>\SOFTWARE\Classes\TypeLib\{1EA4DBF0-3C3B-11CF-810C-00AA00389B71}\1.1\0\win32
  • <HKU>\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FB5F1910-F110-11D2-BB9E-00C04F795683}\iexplore
  • <HKU>\Software\Microsoft\Windows\CurrentVersion\Uninstall\{28e56cfb-e30e-4f66-85d8-339885b726b8}
  • <HKU>\Software\Microsoft\Internet Explorer\SearchScopes\{F7067876-A17A-4A11-A92B-185B2E8D39B6}
  • <HKLM>\Software\Wow6432Node\Policies\Microsoft\SystemCertificates\CA
  • <HKLM>\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\Certificates
  • <HKLM>\Software\Wow6432Node\Microsoft\SystemCertificates\trust
  • <HKLM>\Software\Wow6432Node\Microsoft\SystemCertificates\CA
  • <HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\SMARTCARDROOT\CRLs
  • <HKCU>\Software\Microsoft\SystemCertificates\TrustedPeople
  • <HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{69910372-D455-48F9-811C-B1191062C1B7}
  • <HKLM>\Software\Wow6432Node\Microsoft\EnterpriseCertificates\trust
  • <HKCU>\Software\Microsoft\SystemCertificates\Disallowed
  • <HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLs
  • <HKCU>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLs
  • <HKLM>\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLs
  • <HKLM>\SOFTWARE\MICROSOFT\ENTERPRISECERTIFICATES\TRUSTEDPEOPLE\CTLs
Mutexes
  • {5312EE61-79E3-4A24-BFE1-132B85B23C3A}
IP Addresses
  • 1[.]1[.]1[.]1
Domain Names
  • N/A
Files and or directories created
  • N/A
File Hashes

Coverage

Screenshots of Detection

AMP

ThreatGrid

Screenshot

Xls.Dropper.Powershell-6454576-0


Indicators of Compromise


Registry Keys
  • N/A
Mutexes
  • N/A
IP Addresses
  • 192[.]168[.]1[.]114
  • 192[.]168[.]1[.]255
  • 192[.]168[.]1[.]1
Domain Names
  • bitcloud[.]gq
Files and/or directories created
  • %TEMP%\CVRA534.tmp.cvr
File Hashes

Coverage

Screenshots of Detection

AMP

ThreatGrid

Umbrella

Screenshot
