Threat Roundup for April 6 - 13

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between April 6 and 13. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and we will discuss how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

The most prevalent threats highlighted in this roundup are:

  • Win.Dropper.Fareit-6500687-1
    Dropper
    A credential and sensitive information harvester. Select information, such as banking credentials or web browser password databases, are queried for on the infected host. Any discovered data is propagated to a comm and control (C2).
     
  • Win.Dropper.Generickdz-6500702-1
    Dropper
    This cluster focuses on malware that creates a Run key for persistence and uses various Win32 API to perform malicious activities.
     
  • Win.Dropper.Generic-6502500-0
    Dropper
    This cluster focuses on malware that creates a Run key for persistence with embedded HTML to get the user to download additional files.
     
  • Win.Dropper.Mikey-6502276-0
    Dropper
    This cluster focuses on malware that creates a service for persistence, and is known for the plugin architecture.
     
  • Win.Dropper.Neutrinopos-6500704-1
    Dropper
    Neutrino has evolved over time. This variant targets point of sale (PoS) terminals. This family is known for using anti-sandbox techniques to hinder automatic analysis.
     
  • Win.Dropper.Shipup-6503419-0
    Dropper
    The typical behavior includes modifying the AutoRun feature for certain devices. It gains persistence by creating a scheduled task to conduct its activities.
     
  • Win.Dropper.Startsurf-6502245-0
    Dropper
    A trojan targeted at collecting personal information, and sometimes labeled as a potentially unwanted application (PUA) in other coverage signatures.
     
  • Win.Dropper.Upatre-6498441-1
    Dropper
    Upatre is a malicious downloader often used by exploit kits and phishing campaigns. Upatre downloads and executes malicious executables, such as banking malware.
     
  • Win.Packed.Tofsee-6504793-0
    Packed
    A multi-purpose malware that can contain a number of modules to carry out various activities, including installing itself as a service to carry out its spam botnet functionality.
     


Threats

Win.Dropper.Fareit-6500687-1


Indicators of Compromise


Registry Keys
  • N/A
Mutexes
  • \BaseNamedObjects\00291FDE1ED259137753E922
IP Addresses
  • 101[.]99[.]75[.]151
Domain Names
  • makewebomb[.]xyz
Files and or directories created
  • N/A
File Hashes
  • b4abd9556f093b7d80bdc755d502917310a807d5ee9d9f9bac19bb0c8d596dbc
  • 1ca88b2c00b625bf596b93abafae873a6aec5bf1afeee1e116dc402cae69f83a
  • 3f2925b26b0f0b0f141346d8a654a74704d9326492537de17518bd6fb11671e8
  • ba0a2f6e001bc9c02ee8c5fbcd6cceaa74ced5ec058dfda71623146f06ff2490
  • f68b0c32da95c0fb06c4cefb992e1a0039afed32f6cfcef083db39a0702a06c7
  • 61ff6f5d48f02c0a5b7a28936f8aa9ebad2344f3552608fae2ce3f14a9bf14d4
  • a7d667e9d67d4b7db00c52572ca1e945b1aba8139dce9c647b8b9bce89ba45e0
  • 6a1a4a21545538c2dd34ba9beec07cbfe17c8ff65a10f1bcdf8598a8f1b58e42
  • 85d0021f75a2d312a27bc1c17702d09520006aff590d439a90d8045d2325a04e
  • 09574981553c2729c9779beee8e6007734f932a155de278eb46d9fc557c39400
  • e981fd64b4c1f1d50cdf3f21d3cd07dfb04dec58c518bee8697a187069997498
  • 7c83266775aceac7e54b9d7db2620245520a52e854a5e61f5c5f2452a60432de
  • 3ed671f4ea7e92ef0e0bf61e7bacc0b7a2a82ccea73a53e7cde66e3497a86520
  • 97702356739358d428d1e7c7ddcc8aa08379562b290edb12348cae2bc0ddbb32
  • 9c6def0cb6963372a10888e6f702d80381559a29db1da32ab149273b3d10ca34
  • df58773cc519e82a8beebeca8035018168cb3cb26aa491aae89c8d68cec835a7
  • 5eb40ac46872c6d26cd7ebdb0938a9375d7cdf28017a5c625d890a7d2ba7852d
  • afcdd2fda5b3c9e78a977df31be307ea7323b746e07e35e4d3c39a3a3f4b4b79
  • a854a9702c14be3508d35873e80577ee9b1296c993ee2a4269c283884775564e
  • 431e6a8252837a5e1c7c98aa9b72c1df4b21e34ae8c7e73882294097f140466e
  • 1d7a1a4181706379a7f80ed926c47cb0ebc7beb953739c9b41cec20093c63914
  • 7b24f0523af239668ee8946c433c53d0c233b0290bbaca405885d39dff86fa1f
  • 444147472ba54f1f58776a84e98152ae28dfbca23602cb440a830fddd4a283cf
  • b33436701b6a54b78141a2812264f4b3ee93ac0a5ae0149e636e7db8c4f38a28
  • e5d34b53cb6e4e111e167cf13b608b87f7ab7d43d7f08f995ae9f2c1139e8f51

Coverage


Screenshots of Detection

AMP






Win.Dropper.Generickdz-6500702-1


Indicators of Compromise


Registry Keys
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
    • Value: kdivknmyqwz
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
    • Value: ProxyServer
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
    • Value: AutoDetect
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
    • Value: ProxyOverride
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
    • Value: ProxyEnable
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
    • Value: AutoConfigURL
Mutexes
  • N/A
IP Addresses
  • 66[.]171[.]248[.]178
Domain Names
  • gandcrab[.]bit
  • dns1[.]soprodns[.]ru
  • nomoreransom[.]bit
  • nomoreransom[.]coin
  • ipv4bot[.]whatismyipaddress[.]com
Files and or directories created
  • %LocalAppData%\Microsoft\Windows\WebCache\WebCacheV01.tmp
  • %LocalAppData%\Microsoft\Windows\Temporary Internet Files\Content.IE5\SSZWDDXW\W7RSB4SE.htm
  • %AppData%\Microsoft\zkwnlf.exe
File Hashes
  • 599d9e37c39ec47a50b512e01449a37ff3c3354ed0b9b4de2ca7e8f2d3a33bfa
  • 4d0f0b7c9a3b8694895275fcc45aa1df3e6f2ad0c58563a40ac80776c705f821
  • 0aeb76bb929ea68275b904412054c3b15a73fd6479ee3daecd5ffd4c407eb721
  • c76394aaf293cbf4bf3b9d7a94c251feac11435204664d700bb4bd87da3c1898
  • 66c2586add3eac9184972cfc7a6172532c16dc0d1e1f874e4cd3fa2276657c2a
  • 02cb3c5568577ed9658fcf68b9f776d720e2f7355090b10875f0f9bb2b8ed161
  • 5f7f8a6fd32cf4d91efe01c2f1b7c4fd5f509b504af134a08c6c688ba9597ea6
  • 3c9c3423951655b97251bf5d3d12fe59fcf96d4274c4887b88744438371fe61b
  • 4e496591b9c2c9722c07746edfc7892b178b8965bb4c452322caab68b2d5f262
  • 2eed2f22d055d605a8387d35610e4e82815eb29b7212de12088202efa54d3c31
  • 0073f6d57c2e4ca1871dc1a5e270160e734b2d79bd9b7b55b82a8ddc53aaac0f
  • c21fdd9a5d244aed75890c59094789c2f46815983084f4bc5966ae28630908a8
  • 98f7b5afa98edbfcb4a6f502d9d29e6bb0912a6bcb7a14abe3a9a60e0487b201
  • c7e92cc3f88c7180e2774f2641c593ebebedee3424314fdd8fa8365f6cd0000a
  • 1937b1e07be1737d79a3a4b1ea9c5ab0a56f1c3ce44d2e34d705a7b69b9346cd
  • 310848da5dd6e75c8df5bc00223582a7b7e6fbef90ca45222948eaba546be3bd
  • 40a0f808c1fd873c364850d95e2f0adb0ca24740945702de5c0552a5afc60612
  • b609c46124d069b2299de3896a5cc2f7540e4effcba462e7f5300573666efd4a
  • d7e95936470c9747f9c803d3839159e86112afbe49d68b578775f1c29141d502
  • 036d8c2a089ea0870fa37060c96928789a8b373ca0795d1c06db443b53dc5882
  • 2b7662b93abcd312eb2c4d66c246af9dc7c43a511fae5dddd11617bf2ced16c3
  • 5795c26debe0c06d1f1968730a84efeed69f0493b23f8411b3ea60781e7a24a7
  • 6856286bb8ac5961f58831e7e4fa6debe7a4a399e5ffa56d37e7ca78f1588871
  • 6db67b808d476e3412034571798447aafbbe320a0884a417a7d7fae604440c6e
  • acaa87b92f1e2ee316033624e4760ca4f9c781e82b72949c46861c7652cf74c2

Coverage


Screenshots of Detection

AMP


ThreatGrid


Umbrella





Win.Dropper.Generic-6502500-0


Indicators of Compromise


Registry Keys
  • <HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN
    • Value: NZVHFTBPMBN
Mutexes
  • N/A
IP Addresses
  • 198[.]54[.]117[.]217
  • 68[.]65[.]121[.]51
  • 104[.]200[.]23[.]95
  • 104[.]250[.]149[.]195
Domain Names
  • www[.]atopgixn[.]info
  • www[.]gstringguitarco[.]com
  • www[.]mymugcity[.]com
  • WWW[.]SNHVWA[.]MEN
  • www[.]mankafei[.]net
  • www[.]9999zh[.]com
  • www[.]dltecgeradores[.]com
  • www[.]snhvwa[.]men
  • www[.]zswlu[.]info
  • www[.]bitstubs[.]com
  • www[.]allsystemstoupgrades[.]win
Files and or directories created
  • %AppData%\K27P0CT0\K27logrv.ini
  • %TEMP%\Gsdf0d
  • %TEMP%\nsnD1EF.tmp
  • %TEMP%\zvu
  • %AppData%\K27P0CT0\K27logim.jpeg
  • %ProgramFiles(x86)%\Microsoft\Windows\WebCache\WebCacheV01.tmp
  • %TEMP%\nstD210.tmp\System.dll
  • %AppData%\K27P0CT0\K27logri.ini
  • %TEMP%\Gsdf0d\mshlg4q6x.exe
  • %ProgramFiles(x86)%\Gsdf0d
  • %TEMP%\nsc8B5E.tmp
  • %AppData%\K27P0CT0\K27log.ini
  • %TEMP%\nsi8B7F.tmp\System.dll
  • %ProgramFiles(x86)%\Gsdf0d\mshlg4q6x.exe
  • %AppData%\K27P0CT0\K27logrc.ini
  • %TEMP%\nsi8B7F.tmp
  • %AppData%\K27P0CT0
  • %TEMP%\nstD210.tmp
File Hashes
  • 44f6b3cea3a371a7cd6161739dcc6f9f96a40c8c732b1acd8042a2991a9bbf73
  • d62ee1186d8a8c7d84b2a03e0bee1c13c47d133a55238ba7c367f9539e6c9b17
  • df9f1a4e2cb4247132c7442aedfe873c5e801ab048e0236407066c3acd5ec79b
  • d8f1f59b81a985f538fc0a51c85c688794f94b28a06883ba9dadfb4b0c8bccd6
  • 2ca04f3c65e3fd16b9c879c7db4cc8025279463dbb965e3954e35106fe952e86
  • 3538c0a7785ab6d418112d10cd6844ded5745064840d18d74d9b978dea1fe1a9
  • 09cc6c9e39425a71ccdc26ffd8a67179043b20f646286685eea24e6bb00b12d9
  • 725752c4bda82acf554aad37fe97d08f4367c9a1e5d40b6fe17cdc94adf040fc
  • 3d756dcf4397cb6b0d406b9f70eb18029965fce0110c0290af6ad73468aa2c1f
  • ef4d20220eaecedc0b3069192843bd5eddc196b25a9e083fd16d19ae100374df
  • 70d50a77db7cb028163638a7e58c354e1fbab4757323ad9eccfb51e9b257f83c
  • 35c996576eba666a33e26bc25122196de365465da8ebee70930b9c4ec6be7313
  • 330a8b46f74f5d4af759b18db64dfd9af2ef3e429d597cd4522148fb78633000
  • ac6fbd8f18bb93cfac31af73eb9cf6a1aa925b95d44b42b3659ecfd49209ec76
  • 711155de0073adc2f68fc4088253f92f43a696bbf5d8f892f902724be37668f3
  • c1e6324086192a47c60daee91f9f906c2ceb03cac0c67a8ed3f0a31c37e3a991
  • 5301f9401c7d7ac485d0169085222c64ec2de6f14783cad6150b7c6f0f368c7c
  • 96847279dd3564a5d689bf310483fe351fac55e54a440d15e55f0bb7d35baab6
  • aebb84da20c2c92da398b1e5fcc8adc6bfe893d5a8b56c5cd1beb42b3fa5f069
  • 2a0904b6301b42ed0838633b161c947a781600fc884b0fc499f906a49ea38292
  • 0e1c8a62bd632cd364d16dcf0839531c8dcb443269f4478f301e4adf758977a6
  • f34354749657c44beee0b1d7f5cdc4a31c858eab565fc2592f96c69eb9d501e1
  • 8ecfcfc939e40cc943df83f548286c2f7f519a53e195b3ae595e0bef39baee29
  • 21178d6e06ded3b1a43e98eb781220c37e729ef081bd160f168fc465313ea4ff
  • ef4b97346e1ee359feff43d136f3dd6031993fb47bdfd25520b4fc3279d3649b

Coverage


Screenshots of Detection

AMP


ThreatGrid






Win.Dropper.Mikey-6502276-0


Indicators of Compromise


Registry Keys
  • <HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES\9B4DFF593EC4945503B76D97E83BADF6893F2597
    • Value: Blob
  • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\MAGSV\INSTANCES
    • Value: DefaultInstance
  • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\MAGSV\INSTANCES\MAGSV INSTANCE
    • Value: Altitude
  • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\MAGSV\INSTANCES\MAGSV INSTANCE
    • Value: Flags
  • <HKLM>\SYSTEM\CONTROLSET001\CONTROL\NETWORK
    • Value: atimode
  • <HKLM>\SYSTEM\CONTROLSET001\CONTROL\NETWORK
    • Value: shield_count
  • <HKLM>\SYSTEM\CONTROLSET001\CONTROL\NETWORK
    • Value: set_pt
  • <HKLM>\SYSTEM\CONTROLSET001\CONTROL\NETWORK
    • Value: set_bl
  • <HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES
    • Value: 9B4DFF593EC4945503B76D97E83BADF6893F2597
  • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\TCPIP6\PARAMETERS
    • Value: DisabledComponents
  • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\MAGSV
    • Value: ImagePath
  • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\MAGSV
    • Value: DisplayName
  • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\MAGSV
    • Value: St
  • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\MAGSV
    • Value: Start
  • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\MAGSV
    • Value: ErrorControl
  • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\MAGSV
    • Value: WOW64
  • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\MAGSV
    • Value: Group
  • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\MAGSV
    • Value: Type
  • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\TCPIP\PARAMETERS
    • Value: DisableTaskOffload
  • <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\NETWORK\FILESERVICE
    • Value: igfxmtc_time
  • <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\NETWORK\FILESERVICE
    • Value: Liveup
  • <HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES\9B4DFF593EC4945503B76D97E83BADF6893F2597
  • <HKLM>\Software\Microsoft\WBEM\CIMOM
  • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\MAGSV\Instances
  • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\MAGSV\INSTANCES\magsv Instance
  • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\magsv
Mutexes
  • N/A
IP Addresses
  • 45[.]77[.]68[.]17
  • 45[.]32[.]78[.]78
  • 45[.]63[.]57[.]87
  • 173[.]192[.]16[.]184
  • 174[.]37[.]56[.]249
Domain Names
  • gpt9[.]com
  • optcdn[.]com
  • www[.]userbest[.]com
  • optitm[.]com
Files and or directories created
  • %System32%\drivers\spbiovxl.sys
  • %LocalAppData%\exhpugb\dowmload.tmp
  • %WinDir%\TEMP\UDD7B8B.tmp
  • %System32%\pwkmbru
  • %TEMP%\3ED5.tmp
  • %TEMP%\400F.tmp
  • %WinDir%\TEMP\msidntfs\SSL\cert.db
  • %TEMP%\nsy4211.tmp\ioSpecial.ini
  • %System32%\pwkmbru\dsieovx.exe
  • %WinDir%\TEMP\msidntfs\SSL
  • %WinDir%\TEMP\UDD73AE.tmp
  • %LocalAppData%\igfxmtc\igfxmtc.exe
  • %WinDir%\TEMP\msidntfs\SSL\SecureTrust Network Root CA 2.cer
  • %TEMP%\4119.tmp
  • %TEMP%\nsy4211.tmp\modern-wizard.bmp
  • %WinDir%\TEMP\UDD6BD1.tmp
  • %WinDir%\TEMP\msidntfs
  • %LocalAppData%\exhpugb
  • %TEMP%\3DCC.tmp.exe
  • %WinDir%\TEMP\UDD63F3.tmp
  • %WinDir%\TEMP\UDD8369.tmp
  • %TEMP%\3FFE.tmp
  • %TEMP%\nss41A2.tmp
  • %WinDir%\SysWOW64\pwkmbru
  • %TEMP%\nsy4211.tmp\GetVersion.dll
  • %System32%\pwkmbru\dsieovx.sys
  • %System32%\pwkmbru\dsieovxdrv.sys
  • %TEMP%\3E3A.tmp
  • %WinDir%\TEMP\UDD4441.tmp
  • %LocalAppData%\igfxmtc\dowmload.tmp
  • %LocalAppData%\igfxmtc
  • %TEMP%\nsy4211.tmp
  • %TEMP%\3DCC.tmp
  • %TEMP%\nsy4211.tmp\InstallOptions.dll
File Hashes
  • 4605f6041d93c6390c1ed856336c01a6cf3982bea1987c6de846752ca7006882
  • a10aefc70a3d3512cf54f74e39b3ee5cc5403c003179c57aeea7fb3895ed8ace
  • a0365a881396fa66719255cd617e5ef7e175343f28b7ee7ec347bf87811274c0
  • 05be7b2de818dcb358a4f24d6050ae2b91d728c80a8af279894b5e701b060926
  • a32a315ae45f62d26cdd22281a69932c83f147fc4e820a9cc7bf05bcc4680777
  • 6bd49db136718b3cef01348bc839e206d566a1e1c32e0537be61dfa2ee87de6b
  • a677a593cebda3734ab26828b65fd93b54bbc02199a080a26da61afcff29ae48
  • 84c269a1661a987058f51dea4644ec2703b28170324fbeab6920e40ad1a05a54
  • ad7c7472d980025e3edbab89988fec2d5776b4f72b0757c2b1dac54d1c991c37
  • 877d9c4195c38a9dc55c472f7c72ec3d6ad0d95a544458a2050edf22df3aac5c
  • 0a6cabedfabfbab3fba2057d30b1faab2f1b2d2d47a6227aa3b677af45f92da2
  • 683339b58c7cbc066f84c625efa0248eb89bfcd24de916f5fe600c33867084e7
  • 7bc897c2c55ff708cbccff1461d2406aaef7953686817bd2d6a39ad58af393f9
  • e1e31a797b01f5f4ec694fb03d894e5ab331f41f3bc8c34bb407d390554bfe3a
  • fa8c301685d5ceb6a97b75f3bb665871e3ddf5b47410179dd7a55f4f3cebf4ab
  • 9b4536855237fe80447950bf86d1177489dbc1b231122e4a5d2157ba93c1b504
  • 19a5f6fc34e531409c787b00444671b44a5c11dec0dafab0e0ef699de29eea6d
  • b4e2b99c18bf61acedaff5b1908a212470eb902ddfe8e164e01ffcfbab19834b
  • db5b0bb4d05292e6649fa84f076195d7a0cfb15516ce386f214dc2dd96a5e467
  • 11117fe96292e5d5702f2c82e4b21c3cbc4234f13417b22ad963a9f746978482
  • 33ab8e652c16836caf3b22518485757f417fab73a92e916f0c6aaf27b57f3be4

Coverage


Screenshots of Detection

AMP


ThreatGrid






Win.Dropper.Neutrinopos-6500704-1


Indicators of Compromise


Registry Keys
  • <HKU>\Software\Microsoft\Windows\CurrentVersion\Run
  • <HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh
  • <HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr
  • <HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent
  • <HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\host2lc
  • <HKLM>\SOFTWARE\Microsoft\Tracing\FWCFG
  • <HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier
Mutexes
  • \BaseNamedObjects\DRBCXMtx
IP Addresses
  • 216[.]58[.]217[.]174
  • 62[.]75[.]222[.]235
  • 216[.]58[.]206[.]78
  • 84[.]16[.]241[.]77
  • 66[.]199[.]229[.]251
Domain Names
  • google[.]com
  • u[.]drawfixmydesign[.]com
  • r[.]drawfixmydesign[.]com
Files and or directories created
  • N/A
File Hashes
  • 2593e0c6d66d36c7d8b3061f3c242875113310a2939f89aea73eda1397e44e31
  • e9a7b16189e27dff9ff67e31d09fa05e7f32658dfa56bb51feff8ca0cfb4eb85
  • 1a1144444adb05aee9ef8adfb3c892a97d32b870d1ee300975a5f3597f2ed638
  • ff5d541f260063a88b04a892cacfb3bcb13b8dd83c5f29ed5000737dbd6662c4
  • b1d0bfdd95f168cea0df0e138ee627cb7feb0a26ac7a736baa031547bb6fb08d
  • 9af34cdb7f0b01c044fdeb64f0b733d78e8b9be854c4beeee679f8ee083530b1
  • 24281907f8904bf6b9af4116f52ae2ba8b4b97ce586cd3b2b2777a8f3c76c8cc
  • 61cb5cbccb6d1c329cb1a641c3a74fd4a4521dee0d2d03e810f3f12303e0f1f1
  • 3431065d2208123137714d2d432427d33cff576d202e1fc7ea2990b21847cce1
  • ba975d346f8f543f348e1e42f03bf50167045740b321ae6dc8a8497e608e8766
  • 2df889657dd28f91ea10c08d5a72cf890bf142a6fb4928520ecdefcf708cc2b5
  • 174286f1a0bd66552237da989be39ef821b11fc6acccef5eabc00448991d1876
  • 4632c1023c0baaa1e227defd4923098c4f3c49317964ff1cb088b40b9df7a605
  • 530607f9b54be981e420a7bca1d33d0fa180e6c42877beddeb23836cc440f062
  • e9bcf85599744033e320f5031ecc8157e0498a42d699cb175d7242c95b9f4358
  • 86746d7dfa923b5b1e0e5a0d27f19eb40979dcf342f2fba01ccbb09175b9363c
  • 973c024f2af38334bfe80a5c1fc2f96b2215397124ff08110e3c96aa986e7440

Coverage


Screenshots of Detection

AMP






Win.Dropper.Shipup-6503419-0


Indicators of Compromise


Registry Keys
  • <HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\HANDSHAKE\{E5EC135A-79D5-4595-A051-FFFB0E1F7FB4}
    • Value: data
  • <HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\COMPATIBILITYADAPTER\SIGNATURES
    • Value: aybbmte.job.fp
  • <HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\COMPATIBILITYADAPTER\SIGNATURES
    • Value: aybbmte.job
  • <HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\AYBBMTE
    • Value: Index
  • <HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\AYBBMTE
    • Value: Id
  • <HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{DAC4F53E-3658-4522-B6D9-1FB306F3D9D1}
    • Value: DynamicInfo
  • <HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{DAC4F53E-3658-4522-B6D9-1FB306F3D9D1}
    • Value: Path
  • <HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{DAC4F53E-3658-4522-B6D9-1FB306F3D9D1}
    • Value: Hash
  • <HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{DAC4F53E-3658-4522-B6D9-1FB306F3D9D1}
    • Value: Triggers
  • <HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\HANDSHAKE\{E5EC135A-79D5-4595-A051-FFFB0E1F7FB4}
Mutexes
  • N/A
IP Addresses
  • N/A
Domain Names
  • N/A
Files and or directories created
  • %ProgramFiles%\Mozilla\thfirxd.exe
  • %System32%\Tasks\aybbmte
File Hashes
  • 082f1ce18a378ec6eb67565fb7bd89cd29db886b44fe4312a863382af9e13df7
  • 0e1d3984bd6c33ba0fc108329e3906bd074d70ed44a4c7fa6d8f857531bbc437
  • 380545cfde4acaf2c29969d175db1cecd28c5691693e097e52da5c0e886a8301
  • 13da7abee3f2ea4275c1434900db5ba9f620fde8743eb0ff2388b32897685e0b
  • 9dc0c514ea1aaa91c1255857cb261bd6c94f8565ffef4420b75c5d5320717b09
  • 30103085dd67ac6e9bdf14255fc5c8b697d68b810e732b4ae29798b62e5ad677
  • 663ecdfa115605418b2826e4de7e289b0cd12849b719c7a171ee7524bf22fe99
  • cc203d955e3e33479423f7b2aea1f13c2ba5895da16159a779407e03e747d116
  • 3784e5b40ff8687265efe5dacfd5b6c9d744fe294f425703ddafbf687192eb8e
  • 0a52739b2a45b1002b78230df60dd42d2ffa0897197953639dd627bcc0454134
  • 1824bb4ea96c6107c6660b104d60073be3a9f5c3bdbbc2c801771fc34a03e01c
  • a1175ff8f5544f4ec078e4d55db4b6aff7a7844e9df2057d3fe906cfa77d25f0
  • 61dede4113d1eda504f7360ae535cd88ede9425722db4a43577185d0312acd5a
  • ac755dfabf99ea6fc8c334dcef526d1dce3680200deeaac5e80077a27042af9c
  • 786c1b55e5e73fd3c2231d7e6fa0565aacb4fb239807f42c2f0cb83f57186271
  • 4e27ccfd0c90aab501d16d45b1e9d13bde3e2d6c2ba6d230b7973dcc8567e556
  • c7dcf76652af54cf4cbbfdfc4fa5cc8d4a8e1807d478eceee32270260dbfecf7
  • 228ffe97f34e097a0cb3b3288ee56a063da65d890b1f888d59d59f0ad2b3bb71
  • 39c05a8b0d635eb221023154423dd3e26c93d16bb5a16a2512c68bde62996023
  • 6bd38baca4b923c26628e9dcf9ee64d8bcc5c4ba9cb9f2298e32f8db7816de08
  • cb2155b65879f66eb449b60a90c632c701fbea7ac8d4011e3b24b238c3302de0
  • 8fdabcedb02b4ae9364e53f38738710a1f6e9851077c29dbda34cf934229b47d
  • fdb559a29e0374fa7ce71d8661400fcc2d2db7d3486822a5cf1e0eba5c5634c8
  • 4a6043017f598162263d52315c79bfcb5fbef86f19d51beb718fe8093dc1af16
  • 2f9ca1b196aa915e3c87dabe20f353a4a69ee5998f8559ef8073194918dc7ea9

Coverage


Screenshots of Detection

AMP


ThreatGrid






Win.Dropper.Startsurf-6502245-0


Indicators of Compromise


Registry Keys
  • N/A
Mutexes
  • N/A
IP Addresses
  • 52[.]85[.]88[.]217
Domain Names
  • bush[.]basinafterthought[.]bid
Files and or directories created
  • N/A
File Hashes
  • 9ad10ae09760aa994fdf2d6132a60276badb77b0ab773ee5d07d5b5e7a259207
  • 2c31ec1ded95ec22f07a3bc29c03badd9158d8ddc19e1cdb98ccdab3482f2421
  • 433403d0f920938654f1592148f99110a5dd35fed88260c44a022983e12bdaa1
  • a02c5f7013b02bbc66380276f4250ea42173971c60e8836bb676243b648dd3a0
  • f0bfcb581935377def575a18a89290427d335c95da6781b11d1ad91711cb4a81
  • 41bf7b4e4d7a87395cc8867e026ed9d586830420a70325a672d07ea9c1a351e0
  • e616d1e7e2b6e1d4f1ac2fea3e2041b842d27f5de05ff941b5661997cfe8a856
  • 4300dc69146725fe7476b6ee4a81ecbed78604e4575e299f52f6b6f3c65eaaa1
  • bc782f40d16fd6574c1e84edd0728470f426a31d2ff94e4bbb87a19cf3992048
  • 04ead5ee82c762a26e1dc0e6a8b21c54669c771cca0291b5d41282d2e73a7fc0
  • 739f27ac00dc449895f589ff28e86d78ea17ca298ffc0b40021136d7c77ed679
  • cc4c722e0d6e2bbff6119e1895f6dfbbb2ed75b3d786e4de507b48792a2660a2
  • 28589697e00deb562a29f3cb335167b2880f3ef3065e418f57f1b626d9ea8c94
  • b622971e681f9e2fa5f84bfcb9e7144b6198d3fb554de8d4488117ca1e3f51c8
  • 0fee9d67ef1967d2bee1f67b1dc5ae24dff5d6dba17b9247e33b87f5bf6e6856
  • 6c8ca3ba14ee685739ea32a3ddc613d4544c69194a97c55365c570c053609938
  • f1dbfaf0378434cd1758feaabe050171df1c234ddc6215df494c6592a9e92547
  • e586da2bd9fd73223281176033b97e6e4e137249f9aff8430004099b31508e12
  • 1d70d1eb3210984b8d2c3c62ca6ade7b018f44688d009cbde3c2c214224a3ffb
  • 404746279f7d963489d1d7d2d9be4bd1b1dd82e81e21f6ebf09091ee7b059988
  • 4696ddd4a7ed96a86a09413f14657c7e01053213f6f1f6008a3a3bbe4fe45229
  • 66af9dc27feb2b69729b82e4076dd699cc504c3c8dce943d2023c7bdeca00f2a
  • 4694e19504a1bbc0335c213bad487727ab75faab3bf29d92cb7e3d14a2d3a8d0
  • 0863bf4a5476b5de02a15c3bdec1604c7d8ab7c8ca1c0546edf2f16a756e0d8f
  • 39974f2161bc0151692ae2f380d38b626f2b47904f92ce5706e29b2fe05122d3

Coverage


Screenshots of Detection

AMP


ThreatGrid






Win.Dropper.Upatre-6498441-1


Indicators of Compromise


Registry Keys
  • N/A
Mutexes
  • N/A
IP Addresses
  • 72[.]230[.]82[.]80
  • 216[.]146[.]43[.]71
  • 173[.]248[.]31[.]6
  • 93[.]185[.]4[.]90
  • 173[.]243[.]255[.]79
Domain Names
  • checkip[.]dyndns[.]org
Files and or directories created
  • %LocalAppData%\Microsoft\Windows\Temporary Internet Files\Content.IE5\SSZWDDXW\W7RSB4SE.htm
  • %TEMP%\serizay.exe
File Hashes
  • 91122476660eff79e0de0f30752e1cf9b37985013cb2fd6ad51c6ea6f20dbdf5
  • fccaca287d58a30c33cc6a52e49fc16c9c5f08143624b82c8ea1df216ec42db0
  • 6b93b7b97c1d5f3ad00378c8ff279c2f2ef8ba4ca16fdde45fe0557c37e8630a
  • e9574e34b580958e83aa060868edf408751f89f2844da98f2a8c4df24a175efd
  • 2b0dbfbc6f7018646a9ec428424986969a8bcf3ca1c4e1b23d7aab3e7e7dda5f
  • d4be54137269f8b720abd45b5f900e513c8e9c6144169900c673a07b3181006a
  • 45919cf6c7ca6e97bcbf5f3bcf670db27c29d81aaa50b3563c50ec4e80ec6f4c
  • 388a22678ed13c5fc9a26d8d89a37805143b38d782677b49d9abbfa1dcd47105
  • d9b137bba139689b08b01f59dfc61b161f522c8618cd74321a7ae4531e093ebb
  • 702c79933e6afba258861251597fc1eb6fada3273a1a3038f4332f09eac44237
  • ccbf0df625484ab8244a47737514ff698fa00fe2ed8da99e779134c4f96c2a3f
  • 5c80cd096858030abfb8ec87a0aceb8b9d791dfdc67259e668ec2cabab3abef4
  • 6b6eb4cc4aa8e3d71a97a8657ffcd27d2bd12466faf3b1f7fcbcd274a4b9561c
  • 06c65a259d7c96000fcec97a7d8c5b6c4d0c8b8e52ed1d45c934a50d0369b3eb
  • f43312efa07fe063b6fd50de8f1bc3e7ccfe27b4d80d9082e8faaced210f6be0
  • 84f1fd4c31d0c21517ffe56eea666d6c7954aec47e958c33238b91f6bc9ef0e0
  • 07cb19e9013ac45d8e99618944ebd9d1a81499239d20800f8aaf5789b6fbb47e
  • e122d91eb62a33c8b4ef56b2299caf2f58fd4e48694c97e06c92f858497cf860
  • ea284de1551e367f736ce661b7342fc3a98297cfa8358972120375702dd14ccf
  • e4b38a225a2703c06bcf4d26acc22753a86b74fa461720bda700c1fa2c1b3db6
  • daeded4fb715741d4045fa7ff6e7d81920c3e7ce892c1c29676a51ee70d63712
  • bc417721acee0afa960d71a7c59acfb6d233384625620bd0856734521b028005
  • 79a50327843a8ccf58147971d1c86945f9a40cd0d4ee35084b8af26c9f5ab210
  • 53e260744b0f3d02c6d629cd466483b79c147d882e6749639631c4c7eeb46808
  • 2e5bff8f11e5ed171ac94f1a5656014fbffd46b66493c90aaf47b640568faa1e

Coverage


Screenshots of Detection

AMP


ThreatGrid






Win.Packed.Tofsee-6504793-0


Indicators of Compromise


Registry Keys
  • <HKLM>\SYSTEM\ControlSet001\Services\xkqrdots
  • <HKU>\Control Panel\Buses
Mutexes
  • N/A
IP Addresses
  • 85[.]25[.]185[.]229
  • 43[.]231[.]4[.]7
  • 12[.]167[.]151[.]116
Domain Names
  • 116[.]151[.]167[.]12[.]in-addr[.]arpa
Files and or directories created
  • N/A
File Hashes
  • c6eeffc5eb2ee7203e7abef9e60c5edffd5471aa02760e1b2ef0cce5c5a73aa3
  • cd159019d822551dd72c81fc954042275f65deaee88469c05682e7575a27e8e8
  • f0bd29ac4f11195c79f8b1812cbf93fcb2b8e67bd219c287e9e93c8136c44a32
  • 40b0cde3e58f802d799ce9b3baa86d3b03582b8d52af828fcf33a7b71fa704de
  • 842fd3e6342f2eab3bb49c69a6d963e3c7022221bdb074b4437310f8170b2c6f
  • e5633dfe5df0eadc14ee162af1c1f47c6350f514f6867cdeea8efeaf2cdd4f90
  • ea088b52681001876b19f1b4c22823d347b734e167cb634208a204d95f6c01f5
  • 268b1d9cc88537d6ba2301845262a82bc6df00b07a74fa7ead0242e5cf0dc9ae
  • 9b389a4e17438eeba6cba94c6359317175b36e38329ae8ccfef2e7bc5d3b5a61
  • e411592afee8c0a1d6baab011017672dea44c307ed4ea223999eb0152cd95db6
  • 8ab34d8df0858423dd1f4f70f407ca929cf9300839c783ef40f64024e477b4f0
  • c8aeb4cf24afcabea69ac048a658fe031b033534a9cc77e249c03b1d0464a75c
  • 10de8c9c16f71496e3c55f0d50640741449ea8f0e7b84dfabc80e13232dcee74
  • d2f102299b545cf1efc42b2e7d2de46dc6edf49b4da4ec4ee475539b21c7bad7
  • 5a9b3c474315a6cc941b44e2e1563266497d7c3a8fc88653b12d3b6fa9283439
  • f5c742ff51664195be30bba05c56c909b07cf7a475c570a704435e99ec925c92
  • 8d6c39242bb75f30437e3a3712cd54e5f4a1ccba7deef3ced7607c3894391297
  • 5e7847c2c9edb9a8cd764e28cdb8f575fa157846ed1b0e4ccf0612f915a794a1
  • 17595c6caf5362a043f81d32dc30dae30f27354fa9783de374301cbf42be2ff3
  • 35dcd9cd70c1047b835736be487536a3f3d6f2c2d40752f40ab278149972c481
  • 6812a316ac2f2fa0affd0977f61a97f7463f3dd77e18b217e8b97e2414d4ea18
  • 81233480a520d005f90f203e99bc325fca56eff338e6761a11295315ac9010d1
  • 8014614d9085f4ada71d6c403e8042ffdd715974ad826a19ec2fb8a4f713ca9f
  • 1f26c8b1dada5dc707651958630211824886556eb23f77f04d7a4818f8c8e756
  • 018ba4d9446e31d228b829f0f90f2f4519b87359d5d5750177152e0b986d8aad

Coverage


Screenshots of Detection

AMP


Tags: ,,,,
Share: Email, ReBlog, Twitter, Facebook, Pinterest, Google+
Newer Post: Newer Post
Older Post: Older Post
Date:
Edit this post

Discussion

Powered by Manual Template
Name

.NET 0-day 0day ACDSee Adobe advisory adwind AMP Android Antenna House antivirus apple APT arbitrary code execution Attribution Automation Bahamut BASS beers with talos bitcoin Bitvote Black Hat botnet Brazil BRKSEC-2010 CASC chrome cisco Cisco Live Cisco Security Clam AV ClamAV Cobalt group code injection command injection conferences Coverage cryptocurrency cryptomining CSV CTA CVE-2016-8610 CVE-2017-0199 cve-2017-11882 CVE-2017-5638 CVE-2018-3857 CVE-2018-3858 CVE-2018-3859 CVE-2018-3860 CVE-2018-3870 CVE-2018-3871 CVE-2018-8506 cybercrime dark cloud DDE Decryptor Def Con detection dispute DOC DoS Excel Exploit exploit kits RTF fast flux Flash formbook Foscam Foxit Fuzzing gandcrab google GoScanSSH gozi gplayed GravityRAT Group123 Hangul healthcare HWP Hyland IcedID ICS IDA Pro IMAP incident response India inesap infostealer intel iOS IoT iot malware iPhone IR isfb jRAT JScript kernel mode KevDroid Korea Linux macros MalDoc Malware Malware Analysis Malware Research MDM meltdown meraki Microsoft Microsoft Patch Tuesday Middle East miners mining mobile device management monero Moxa ms tuesday natus NavRAT new router malware NordVPN North Korea nvidia Office office router attack Olympic Destoryer Olympic Destroyer Olympics opsec password stealer patch tuesday PDF phishing PhotoLine PLC podcast pony Powershell privilege escalation ProntoVPN PTEX PubNub PubNubRAT py2exe Pyeongchang pyrebox python Qatar ransomware RAT remcos remote access tool remote code execution research research spotlight reven ReversingLabs Rocke Rockwell Automation ROKRAT rootkit rtf ruby ryptoShuffler samsam samsung Scriptlets security updates sennoma signatures SimpleDirect Media Layer smartthings Smoke Loader Snort Snort Rules Sony South Korea spam spectre spyeye stealer steam struts support Talos TALOS-2017-0507 talosintelligence.com telegrab telegram Tetrane Thanatos ThanatosDecryptor threat intelligence Threat Research Threat Research Summit Threat Round-up Threat Roundup ThreatGrid threats TIFF trickbot trojan TTRS Umbrella ursnif VBScript VMI vpn filter attack VPNFiler VPNFilter VPNFilter malware vuln dev vulndev vulnerabilities Vulnerability vulnerability analysis Vulnerability Report Vulnerability Research vulnerability spotlight vulnerabillity vulnerable routers Whitepaper Windows WindowsCodecs.dll wipers xamarin XSS
false
ltr
item
materialize material: Threat Roundup for April 6 - 13
Threat Roundup for April 6 - 13
https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg6yEe7KqFivz8auCMCuiIibDEMmHWlYT0G_kwNq5U6BoBbJ3w16X0A_DnQwtM3CPWT7JFxf_2Njel98vg3p-pTuEecYPhuXPZL2McN9ixQMCJZo0_5HwsTmUMLBAr7BgSR0ouEmgvY0-E/s1600/amp-proxy.png
https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg6yEe7KqFivz8auCMCuiIibDEMmHWlYT0G_kwNq5U6BoBbJ3w16X0A_DnQwtM3CPWT7JFxf_2Njel98vg3p-pTuEecYPhuXPZL2McN9ixQMCJZo0_5HwsTmUMLBAr7BgSR0ouEmgvY0-E/s72-c/amp-proxy.png
materialize material
https://materialize-material.blogspot.com/2018/04/threat-roundup-for-april-6-13.html
https://materialize-material.blogspot.com/
http://materialize-material.blogspot.com/
http://materialize-material.blogspot.com/2018/04/threat-roundup-for-april-6-13.html
true
1816414542238562206
UTF-8
Not found any posts Not found any related posts VIEW ALL Readmore Reply Cancel reply Delete By Home PAGES POSTS View All RECOMMENDED FOR YOU Tag ARCHIVE SEARCH ALL POSTS Not found any post match with your request Back Home Contents See also related Sunday Monday Tuesday Wednesday Thursday Friday Saturday Sun Mon Tue Wed Thu Fri Sat January February March April May June July August September October November December Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec just now 1 minute ago $$1$$ minutes ago 1 hour ago $$1$$ hours ago Yesterday $$1$$ days ago $$1$$ weeks ago more than 5 weeks ago Followers Follow THIS CONTENT IS PREMIUM Please share to unlock Copy All Code Select All Code All codes were copied to your clipboard Can not copy the codes / texts, please press [CTRL]+[C] (or CMD+C with Mac) to copy