Today, as we do every week, Talos is giving you a glimpse into the most prevalent threats we’ve observed this week — covering the dates between Sept. 21 and 28. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, we will summarize the threats we’ve observed by highlighting key behavioral characteristics and indicators of compromise, and discussing how our customers are automatically protected from these threats.
As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.
The most prevalent threats highlighted in this roundup are:
- Doc.Downloader.Powload-6697736-0
Downloader
Powload is a malicious document that uses PowerShell to download malware. This campaign is currently distributing the Emotet banking trojan.
- Doc.Malware.Sagent-6697297-0
Malware
Sagent downloads and executes a binary using PowerShell from a Microsoft Word document.
- Win.Malware.Tspy-6698228-0
Malware
The Tspy trojan is used to steal sensitive information, such as banking credentials, and installs a remote-access backdoor.
- Win.Ransomware.Gandcrab5-6697262-1
Ransomware
Gandcrab V5.0 is the latest version of the ransomware family that encrypts documents, photos, databases and other important files.
- Win.Trojan.Razy-6697101-0
Trojan
Razy is oftentimes a generic detection name for a Windows trojan. Although more recent cases have found that it attributed to ransomware that uses the .razy file extension when writing encrypted files to disk — these samples are the former case. They collect sensitive information from the infected host, format and encrypt the data, and send it to a command and control (C2) server.
- Win.Malware.Ursu-6696608-0
Malware
Ursu is a generic malware that has many functionalities. It contacts and C2 server and performs code injection in the address space of legitimate processes. It is able to achieve persistence, as well, and seeks to collect confidential information. It is spread via email.
- Win.Virus.Sality-6696580-0
Virus
Sality is a file infector that establishes a peer-to-peer botnet. Although it's been prevalent for more than a decade, we continue to see new samples that require marginal attention in order to remain consistent with detection. The end goal is to execute a downloader component capable of executing additional malware after a Sality client compromises perimeter security.
Threats
Doc.Downloader.Powload-6697736-0
Indicators of Compromise
Registry Keys
- N/A
- N/A
- 190[.]147[.]53[.]140
- 81[.]177[.]139[.]193
- stalfond-n[.]ru
- %UserProfile%\692.exe
- %LocalAppData%\Temp\02rp2yuh.rgu.ps1
- %LocalAppData%\Temp\bsiltcdz.yqo.psm1
- 011fd5d669884b2770c80a0427417418e0d1807132924c323ae951d09fca0806
- 0daef21240d620d0560a464273ef4d6ddffb954d555e123d21daa38ecf97ab71
- 3764038477dc8bbe6c588bae1c0c3856b7cf392fe8df04eb98673f5f7fbc0bd6
- 6298261a5ccb038673a2ebb1a10bc242440c23b6b99c70a480ad91f2b7fc2d9f
- 6dd09f3c6a26e8b2225a86b8e941d6283dad33603dc5ec6a0c4ed80162da5d3c
- 7030b39dcbf2498dd38e9980769bf8a52e517d6330917c22b1a0a55aa7199fd1
- 8eb4e3317dfad2c94e3c1f3c1267635aaf1c0202738948b80bf012398942377f
- 9541ab72a2fe2bef02fa0c1d288357719c445c1eb82fcb5d2ee3c59b47238c5b
- a77778354f829c8674431fa6a2a1a36f6989537e25ac8823117cfbfb5a14564f
- b5aeb7cd38f02215471aac4960d29342d9e75c1a188a79d5c635f1e4943e0451
- c13a146928c2d0b87c44283aa7c06483039b149c6e93618dbffdc4e1c1695dd6
- e7bd379dd6bd70b10ed492642db1f9a26cf44c0928b101208421e9e6863c98a7
- f349dcd66a084e8b9b503b274d9128d22931497b78675b8e8ab424977db22275
Coverage
Screenshots of Detection
AMP
ThreatGrid
Doc.Malware.Sagent-6697297-0
Indicators of Compromise
Registry Keys
- N/A
- N/A
- 172[.]106[.]32[.]205
- 192[.]48[.]88[.]236
- 192[.]48[.]88[.]5
- owieoqkxkals[.]com
- iwoqiwuqoeuowei[.]com
- %AppData%\39281.exe
- %LocalAppData%\Temp\vp33msdr.cx4.psm1
- %LocalAppData%\Temp\w5lg3lem.ise.ps1
- %LocalAppData%\Temp\tfkiykcl.c4i.psm1
- %LocalAppData%\Temp\xjkqhrqd.vw5.ps1
- %AppData%\32089115502559.exe.exe
- 00c949029e29b4f0222846e9a40f4160ab2f4920dd5f8fe77ce617543f7ce6b2
- 010d7399d9cda5b1d4f351d81d6bd4a1ec7ea87b17f869f93ca6372b5350360f
- 01b4fa260b4d29a687bb7bb428b58c898d1882b05de199f17390d83c1936918a
- 04c4c5b10bb23c21ad187eb45b94c064960be5c94a097bfe46be804f33c4355a
- 04e9882cea77d5613a36d6e2f8e22d32188242e8ba76adaf04ddc4258c519145
- 0883677c6d3c749d06834f8c39567cfb0a2df4f1ec92aebc7935c9dfc0b1dcb8
- 09b8d49329d695fa757f6019177ce64a0c3714ac0f5c24fd8133360b8a9e4f54
- 13d5fb27fb148f038c8373b16a35bed7e87c282c5920480406d71310356c9721
- 16380e6168e31a0098a70f629c0d5a1ade9f3230b322ec4a358fd85cf6bffd56
- 16555b75a521b0903484f0d3f4f6359b7509601f75172bc7be7d8bf950d03729
- 1b355a43396766838fb28181a989d9537b088ecc259218cfc72cdd3e2f6c6307
- 1c45152a5b9bd58507201b553f9e37fd70dc2d801ad979150b55ed99fc5a9fbd
- 1cc91a7cbfabb4f9ffad1cee71e634d3d484d8b60d7a3f89961a1a6354b8e5ab
- 25b408184567aa32716d67b542bfd51bc66f665d5d0a5bdb34946eefe1dddfa3
- 315fbd4598e7c9cdfed8b1035edd49d7c8b84a02687ff7722b94febfdc2a62a1
- 3213877a8ca57ae183aa3ba925bede665cd51ff9394944cbaff7f7910b83561d
- 3218afccd21656fefb2cebaedff13cd95b22cee4163f51a3189280cc7b342f45
- 391797762b247bdcf2d00431c18655b3ed5c56e3dca484e3da6ac3d7d5a17426
- 3b2c998477788cbe3e2a8b562ca9bcaaf99bf34173946eb35d982b0791818c4d
- 3b540e0d41baa0cae3ed5c2cde1fdf3973332ae22d5a37c90b804cc8acdb7d2f
- 410176eebc6ad926d379a05a0797ffe79d2b1eb2277e2a0178215eb7b759b32e
- 419396e33483bc3c538d2cb26837871abacedc886d72d46298054ff243ccc429
- 42f968acaea98c5b06aa3a35a2e70d9b170ea9e9c1c043a41be536b26f30ee62
- 4643c3cdfc6c2e479b2fdfa3662932d627c335e6fed94dfbc601f775880a9e88
- 48fb581864c03d49fc1a51f58e73bdbfb4ddb2b9d7f5ccbe2c08af1b6bc38bb4
Coverage
Screenshots of Detection
AMP
ThreatGrid
Umbrella
Win.Malware.Tspy-6698228-0
Indicators of Compromise
Registry Keys
- <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
- Value Name: internat.exe
- <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
- Value Name: MyOtApp
- N/A
- 216[.]146[.]38[.]70
- checkip[.]dyndns[.]org
- %AppData%\MyOtApp
- %AppData%\MyOtApp\MyOtApp.exe
- 08d6bf7a2e121cb3f42c5da6dd8675c494eda1bff1846609690f4c938fbe261c
- 13b777c7fae7df5e6d97ee5a0c1c15c863bcfe7de4aa03a48379a27b3bd7b755
- 2602400c743bcf09a1f2c4a9f313f54c4c27e46c29cefb211c7a15c4aa769ad0
- 2ec84185946db48799de6a71dfe036c25d9bf7cbef8e7f37c125da467d7c1262
- 2f7e7ed4974db01250d17e09caf9c3725aba7318acb835cfec1238c6df242d0d
- 35174fabe3bcb8510cd6492238f67e632b8d4be1f80b221275772d7ecadb6435
- 39733dd17e8ba00a486f8dea9c39ca5aaee050f4f3cef792b792a547d3b1c8bb
- 47ff0e1ac6d99e1d3809267d6d6db6dd39ce3c42f1315a701cef340bc99f6559
- 4e45d72f9846ecd10586241de4e47248d7bfe2fa9577bad4b1265db406574d83
- 62e94bc8400153e5927a52f14c997782acf705eac748d176cda197767751fd4a
- 6ccf99e260f9a2b3115fa228c1ef909b612d05f1922aa148ef21646757a08bf0
- 6d9a7acb5f5d21ba333a56bdb1d3db19b61833ddcb6f28706ec6f4f48904d1f1
- 6f94d32cf71a60105bc0d7ababa784930805a435f58f8acc5147394373cdd961
- 991c3f32a3be04f65767befb063f4250b0dc7f7a68dd08375ef2792a78578b61
- a60b6009eae0d1106c9206467fd2ab1f4085c3af042326f2866c0b83124c4426
- af5bf956991e77162cb826f1c82f72eb608bfca26b9a7359bb05a9eb24558ad0
- b59f4e2a60f33c618b232dfaab4c40f1d617fd3f281c70707d72787cf1c150e4
- b784c5b241865ac9677926b37e52fad5b866e8a0fe55c55de100f2b4133e7228
- e3935ad630e9d4c7aafd5b4aee9f8a052d1279d2587742d92dc935370a02ff2d
- e7ac6050674af628fd893f0b11c70af20ba529b9406bcd96efc9c32f6b172767
- e9069351d7bf92c3279930bd25a4c4d88db541da2211faea7acd3a84e613fb0e
- fa28d5c8403cf180d4e15acd33feecda62f25ae7c4fad3ae145e07003c6d0f0f
- fe80093fff73e7031c2350baac2bb24131687afcba327762350eb1d37d55b9d5
Coverage
Screenshots of Detection
ThreatGrid
Win.Ransomware.Gandcrab5-6697262-1
Indicators of Compromise
Registry Keys
- <HKCU>\SOFTWARE\KEYS_DATA\DATA
- Value Name: public
- <HKCU>\SOFTWARE\KEYS_DATA\DATA
- Value Name: private
- Global\8B5BAAB9E36E4507C5F5.lock
- Global\XlAKFoxSKGOfSGOoSFOOFNOLPE
- 93[.]125[.]99[.]121
- 94[.]231[.]109[.]239
- 87[.]236[.]16[.]31
- 89[.]252[.]187[.]72
- 87[.]236[.]16[.]29
- 94[.]73[.]148[.]18
- 87[.]236[.]19[.]135
- 92[.]53[.]96[.]201
- 95[.]213[.]173[.]173
- 87[.]236[.]16[.]208
- zaeba[.]co[.]uk
- ZAEBA[.]CO[.]UK
- www[.]wash-wear[.]com
- yourmine[.]ru
- www[.]poketeg[.]com
- %UserProfile%\Desktop\ASZNJ-DECRYPT.html
- \PerfLogs\ASZNJ-DECRYPT.html
- \Recovery\ASZNJ-DECRYPT.html
- \TEMP\ASZNJ-DECRYPT.html
- 0f929521a468c4998256c074b5f5b3db085e0e8a200672a7ec18c8d626f41e88
- 241c85b8452824030096aa18d04ee84e464a44fa116ff0212d47c5f17f4fc259
- 3f46a274979208f967357bc2fe776b38cef0f39578299070f029cf492f394cde
- 644f43f1a6c55695a1616265cc8bd701c0f1447ac334ab61bec61de64bfb6622
- 68c0f0aab240c1cea01c5c7c3ec9f2cb9ae65136127e1b889542ad176b259172
- 6f559120f36b4699ed3f3668bac0b699efb1f8623bf511256f82bfd5b0c9ee9c
- 77dd53de29eac87ade3ff7a7fca47d3a8906feebd70876b23b220a6a61806765
- 85822d86e64e4d677b83662b44140c7e70ff80ed7e255b39de579bb18e54e858
- 8b8e36cca05ccdf78d60ea71be4d75f4b077dd729237420a78ac6c5442bd3263
- 8cc12fff598c2e32e04cc72198a5c39c2b1cebe1e343ff15ed5b069056f040b9
- 919c39d2c2494b9f275496d3b77c99c439b0a87e4ec200165fcdbc6fcade3a12
- aec69b1f8630db4fd1ca605319cf1b6186c33640f06c4fb6e97a8ebb69652caa
Coverage
Screenshots of Detection
AMP
ThreatGrid
Umbrella
Win.Trojan.Razy-6697101-0
Indicators of Compromise
Registry Keys
- N/A
- 3749282D282E1E80C56CAE5A
- 91[.]234[.]99[.]41
- mazeedkyabar[.]com
- %AppData%\D282E1\1E80C5.lck
- \PC*\MAILSLOT\NET\NETLOGON
- 0ce54c69a1bccd215380f3b4de8691264dd44e70688ed0ac6d0bf81f1e9eeb40
- 10f32f95f44868f70681a2333ad6a6c9a5abb65733b7534a2b223e09a7138d99
- 14df5201043d4c810c732ed7acf517c41d5e3591a689bbb0d27c2b4fcb426afd
- 4ba2236755c18e45f720170deca60c17bcdae837a921b210e5e9e5493be3dc22
- 78372b53ba801d6de3d9a8a0cccf8b52d2b37853bb562092c296064f9284f7f5
- a5d264aac354f4f95b0338e81ed51d655fe98983134e10666f58a78b2f766c62
- aa81268a74a3521e5a52c697e161bee84137fd96d2f7b13a0f2d0e541fe418fb
- b4b56cb72d176a8bfb23b7254d7702a4ec6efc8ed6663256699805b53df116e5
- c55b8a161364c3326dfa6c70274f1290c839add21a43e86b4b5d13728fb034ea
- dc71f3c1600d0ff268db18a77d7a11d23ee48e4167ec65589656369922217fec
- dd10835ba1d74e1d5700b2ab547f57cee0203033f0b6db35afeeb71f5b3ffa50
Coverage
Screenshots of Detection
AMP
ThreatGrid
Umbrella
Win.Malware.Ursu-6696608-0
Indicators of Compromise
Registry Keys
- <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
- Value Name: internat.exe
- <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
- Value Name: Windows Update
- N/A
- N/A
- smtp[.]zoho[.]com
- whatismyipaddress[.]com
- %AppData%\WindowsUpdate.exe
- %LocalAppData%\Temp\holderwb.txt
- %AppData%\pid.txt
- %AppData%\pidloc.txt
- %LocalAppData%\Temp\holdermail.txt
- 0296041fc0f243e34ca6c827c2085d9061301eb703769e2eac17c7962994d701
- 123adc0c7eebe5d9ad13f2d7097f5b6be248cd33e0c52158bdf5ce6b934b8c4f
- 12d7e1038baa1825cfe9ae38cc70ad4ce72952ff00460c7e633fb690c27d91ca
- 3eb7a917c937f7068b4cb71585f828fa24a619dce7ee6dd907a84fe26e78bbcb
- 50158998d1c51e90b6380f7d4b5eef27572cc3d1ea864cedf91f20f5aaf6ea2c
- 581f3d139547523a5ab8a16c6403bb1319a19d81bb908098bf89f7c38d80bb79
- 8bde6d65663cac076b7cec03fc444e3c19ae8c9a7d2849094a2103d1e9187e98
- 991bf6843f78bd0c67380fe07d78d5c97405a49a1a7ed42b13f9456a80ae8f28
- 99c7733e5328fe2d77526e1f3a09400425078ae4035883aaa965f6e5752a2668
- 9dd5cfe5160e7d757d631b832643f83b66caf5c7c44f21391add4ce8692510b6
- aab0dc518c4eae880bf148805b23493d73d7164f0970655d4159e1ca7bac009d
- b209df425de16a8fade136f2e3de9cd8c5ba6729cd47144ced562fae0273a753
- cbabc1094d0f2f1a45477ee3cfc91425384d10a546e4a54f9aa260d47c704d0d
- cc84984c43abe66d1bf1d93ecabaae132cc61e40998751e1c34b9d485565b05c
- e7627baacd38980106dbbdef4f3525c8af7452554373c56eb484d1414f84b74f
Coverage
Screenshots of Detection
AMP
ThreatGrid
Win.Virus.Sality-6696580-0
Indicators of Compromise
Registry Keys
- <HKCU>\SOFTWARE\AASPPAPMMXKVS\-993627007
- Value Name: 1768776769
- <HKCU>\SOFTWARE\AASPPAPMMXKVS
- Value Name: A1_0
- DBWinMutex
- csrss.exeM_284_
- csrss.exeM_328_
- dwm.exeM_288_
- explorer.exeM_1060_
- lsass.exeM_428_
- lsm.exeM_436_
- services.exeM_412_
- smss.exeM_204_
- spoolsv.exeM_1044_
- svchost.exeM_840_
- taskhost.exeM_1140_
- uxJLpe1m
- wininit.exeM_320_
- winlogon.exeM_356_
- wudfhost.exeM_1644_
- 3c419d67f98c8fd495eff616bb94d3e5de8c22d34b94124e1f3f0cfec8f3566M_1932_
- dllhost.exeM_1376_
- wmiprvse.exeM_1456_
- 195[.]22[.]26[.]248
- 206[.]189[.]61[.]126
- 64[.]29[.]151[.]221
- 63[.]249[.]150[.]76
- 23[.]253[.]126[.]58
- 195[.]38[.]137[.]100
- www[.]akpartisariveliler[.]com
- tn69abi[.]com
- abb[.]ind[.]in
- www[.]3pindia[.]in
- 1s2qvh91x[.]site[.]aplus[.]net
- gim8[.]pl
- acemoglusucuklari[.]com[.]tr
- a-bring[.]com
- aci[.]gratix[.]com[.]br
- aclassalerts[.]com
- \??\E:\autorun.inf
- %SystemDrive%\autorun.inf
- %LocalAppData%\Temp\fdqr.exe
- %LocalAppData%\Temp\winarxu.exe
- %LocalAppData%\Temp\winopfmni.exe
- %LocalAppData%\Temp\winpwho.exe
- %LocalAppData%\Temp\winyunh.exe
- %SystemDrive%\xwouo.pif
- \??\E:\vrbf.pif
- \vrbf.pif
- \xwouo.pif
- 0bcbac5dff686bb605adadb225fa540aab73bb3fb3251ba4226eb071cac6f0f1
- 0cdb71323cdf0ab4ec462f74b3830b87ae8d8212f6bfdb427ec12c06cc524220
- 14cbde97cb6d3df9841c8251884b664f689514d2ea8fa813fc95b323dd7ef8dd
- 3c419d67f98c8fd495eff616bb94d3e5de8c22d34b94124e1f3f0cfec8f3566d
- 3dac8250c89686244d433a9739bd59e719af950b60659d93e34b8b17cd72d0c4
- 7c544889d588ae668f13ff9e05eabc9ea048fa026b3a5af4882de10da8f8640c
- 7dc3fc8b4a572c0980b9de6ffc716fa422f627f48f8fcbc1720604e226346dff
- 919668829270d79de177615abf848bc09be41afd1877ef6682f8f0bbd3096880
- b57206a74a8dbce03e991a5855c8c16aac2bffea69da9ebbc64c39932d886ec5
- bd12db3c5dcc16b35cbb3cd42bbf9719ac8e69da6449c32659fc2a066d42265e
- c85d9321a025a39c5b6facb12dd663b9623a4f43a73e2be409e9e3d04f132d4c
- ea5e7e60a45331e504dcb30b29f6d9c7d438fb343aa2ae897047369b6863d712
- f6efc4a323520ba88ccb8f678f3c9167010c6c575afcd8225393bc0f664fc96b
Coverage
Screenshots of Detection
AMP
ThreatGrid
Umbrella
