{"Doc.Downloader.Emotet-6787868-0": {"category": "Downloader", "coverage": {"AMP": true, "CWS": true, "Cloudlock": false, "Email Security": true, "Network Security": true, "Threat Grid": true, "Umbrella": true, "WSA": false}, "description": "Emotet is a banking trojan that has remained relevant due to its continual evolution to bypass antivirus products. It is commonly spread via malicious emails.", "hashes": [], "iocs": {"domain": [{"host": "www[.]litespeedtech[.]com"}, {"host": "artikeltentangwanita[.]com"}, {"host": "akgemc[.]com"}, {"host": "webartikelbaru[.]web[.]id"}, {"host": "lariotgrill[.]com"}, {"host": "newspectiveaddress[.]com"}], "file": [{"path": "%UserProfile%\\Documents\\20181218"}, {"path": "%UserProfile%\\797.exe"}, {"path": "%LocalAppData%\\Temp\\2qopiijd.reb.ps1"}, {"path": "%LocalAppData%\\Temp\\hlz2v4bf.x33.psm1"}, {"path": "%LocalAppData%\\Temp\\CVR4A8E.tmp"}], "ip": [{"ip": "192[.]0[.]1[.]32"}, {"ip": "192[.]254[.]158[.]3"}, {"ip": "116[.]90[.]163[.]134"}, {"ip": "202[.]73[.]26[.]97"}, {"ip": "103[.]253[.]72[.]38"}], "mutex": [], "registry": []}},
"Doc.Malware.Valyria-6788933-0": {"category": "Malware", "coverage": {"AMP": true, "CWS": true, "Cloudlock": false, "Email Security": true, "Network Security": true, "Threat Grid": true, "Umbrella": true, "WSA": true}, "description": "These variants of Valyria are malicious Microsoft Office files that contain embedded VBA macros used to distribute other malware.", "hashes": [], "iocs": {"domain": [{"host": "p3nlhclust404[.]shr[.]prod[.]phx3[.]secureserver[.]net"}, {"host": "customersupport[.]networksolutions[.]com"}, {"host": "zoelowney[.]com"}, {"host": "www[.]Thepark14[.]com"}, {"host": "www[.]networksolutions[.]com"}, {"host": "www[.]triptur[.]com[.]br"}, {"host": "thepark14[.]com"}, {"host": "onenightlife[.]com"}, {"host": "testcarion[.]be"}, {"host": "triptur[.]com[.]br"}], "file": [{"path": "%LocalAppData%\\Temp\\626.exe"}, {"path": "%LocalAppData%\\Temp\\hvlpgv4j.q4f.ps1"}, {"path": "%LocalAppData%\\Temp\\otr1qrrw.hyk.psm1"}, {"path": "%LocalAppData%\\Temp\\CVRF1F5.tmp"}], "ip": [{"ip": "72[.]167[.]191[.]65"}, {"ip": "208[.]91[.]197[.]27"}, {"ip": "177[.]185[.]192[.]131"}, {"ip": "50[.]62[.]26[.]129"}, {"ip": "87[.]233[.]175[.]130"}, {"ip": "132[.]148[.]50[.]1"}], "mutex": [{"name": null}], "registry": []}},
"Win.Ransomware.Gandcrab-6787437-0": {"category": "Ransomware", "coverage": {"AMP": true, "CWS": true, "Cloudlock": false, "Email Security": true, "Network Security": true, "Threat Grid": true, "Umbrella": true, "WSA": true}, "description": "Gandcrab is ransomware that encrypts documents, photos, databases and other important files using the file extension \".GDCB\", \".CRAB\" or \".KRAB\". Gandcrab is spread through both traditional spam campaigns, as well as multiple exploit kits, including Rig and Grandsoft.", "hashes": [], "iocs": {"domain": [{"host": "ns1[.]wowservers[.]ru"}, {"host": "carder[.]bit"}, {"host": "ransomware[.]bit"}, {"host": "ns2[.]wowservers[.]ru"}], "file": [{"path": "%AppData%\\Microsoft\\omlrnu.exe"}, {"path": "%AppData%\\Microsoft\\exddyf.exe"}], "ip": [{"ip": "66[.]171[.]248[.]178"}], "mutex": [{"name": null}], "registry": []}},
"Win.Spyware.Ursnif-6788669-0": {"category": "Spyware", "coverage": {"AMP": true, "CWS": true, "Cloudlock": false, "Email Security": true, "Network Security": false, "Threat Grid": true, "Umbrella": false, "WSA": false}, "description": "Ursnif is used to steal sensitive information from an infected host and can also act as a malware downloader. It is commonly spread through malicious emails or exploit kits.", "hashes": [], "iocs": {"domain": [{"host": "pulneselle[.]com"}, {"host": "vivitempen[.]com"}, {"host": "jewayelome[.]com"}], "file": [{"path": "%LocalAppData%\\Temp\\~DF999D0908F9AB8DA6.TMP"}, {"path": "%LocalAppData%\\Temp\\~DFA1DCD5ED0F4B1991.TMP"}, {"path": "%LocalAppData%\\Temp\\~DF6EAE44F7763B7295.TMP"}, {"path": "%LocalAppData%\\Temp\\~DF4B1ABF6D6A9DC6E3.TMP"}, {"path": "%LocalAppData%\\Temp\\~DF88BBAB8557CDD7E3.TMP"}, {"path": "%LocalAppData%\\Temp\\~DFA1AFEB97E8C0B1FD.TMP"}, {"path": "%LocalAppData%\\Temp\\~DFEBFBFB87C6F7EC1B.TMP"}, {"path": "%LocalAppData%\\Temp\\~DFFFF0E8FCA29DD7E1.TMP"}, {"path": "%LocalAppData%\\Temp\\~DF80997BBE116A8874.TMP"}, {"path": "%LocalAppData%\\Temp\\~DF8D4E5C8DCC40C732.TMP"}, {"path": "%LocalAppData%\\Temp\\~DFD177FDDDE87A34E5.TMP"}, {"path": "%LocalAppData%\\Temp\\~DF8E8A9C1983E71879.TMP"}, {"path": "%LocalAppData%\\Temp\\~DFA8F13799CC417142.TMP"}, {"path": "%LocalAppData%\\Temp\\~DF0AB2387849E59D01.TMP"}], "ip": [{"ip": "204[.]79[.]197[.]200"}], "mutex": [{"name": null}, {"name": null}, {"name": null}, {"name": null}, {"name": null}, {"name": null}, {"name": null}, {"name": null}, {"name": null}, {"name": null}, {"name": null}], "registry": []}},
"Win.Trojan.Ircbot-6790011-0": {"category": "Trojan", "coverage": {"AMP": true, "CWS": true, "Cloudlock": false, "Email Security": true, "Network Security": true, "Threat Grid": true, "Umbrella": true, "WSA": true}, "description": "Ircbot, also known as Eldorado, is known for injecting into processes, spreading to removable media, and gaining execution via Autorun.inf files.", "hashes": [], "iocs": {"domain": [{"host": "tux[.]shannen[.]cc"}, {"host": "fghfg[.]translate-google-cache[.]com"}, {"host": "urcdw[.]zavoddebila[.]com"}], "file": [{"path": "\\Autorun.inf"}, {"path": "%LocalAppData%\\Temp\\sesdessetri.exe"}, {"path": "%LocalAppData%\\Temp\\explorer_smece22487.tmp"}, {"path": "\\PC\\PC\\Desktop.ini"}, {"path": "\\PC\\PC\\PCph13.exe"}], "ip": [{"ip": "199[.]2[.]137[.]20"}], "mutex": [{"name": null}], "registry": [{"key": "\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN", "value_name": "internat.exe"}, {"key": "\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN", "value_name": "Driver Control Manager v8.1"}, {"key": "\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN", "value_name": "Driver Control Manager v8.1"}]}},
"Win.Trojan.Zegost-6787448-0": {"category": "Trojan", "coverage": {"AMP": true, "CWS": true, "Cloudlock": false, "Email Security": true, "Network Security": false, "Threat Grid": true, "Umbrella": false, "WSA": false}, "description": "Zegost, also known as Zusy, uses man-in-the-middle attacks to steal banking information. When executed, it injects itself into legitimate Windows processes such as \"explorer.exe\" and \"winver.exe\". When the user accesses a banking website, it displays a form to trick the user into submitting personal information.", "hashes": [], "iocs": {"domain": [{"host": "haidishijie[.]3322[.]org"}], "file": [{"path": "%WinDir%\\(null)0.exe"}, {"path": "%WinDir%\\BJ.exe"}], "ip": [{"ip": "183[.]236[.]2[.]18"}], "mutex": [{"name": null}], "registry": [{"key": "\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN", "value_name": "Kris"}]}},
"Win.Worm.Lolbot-6787741-0": {"category": "Worm", "coverage": {"AMP": true, "CWS": true, "Cloudlock": false, "Email Security": true, "Network Security": false, "Threat Grid": true, "Umbrella": false, "WSA": false}, "description": "Lolbot, also known as Ganelp, is a family of worms that spread through removable drives. It can download or upload other files onto the targeted system.", "hashes": [
"e5c1a0383bf25a37eb8c2533ffd427fac1149a9b5487270c30b3f9ede89fe60d", "e861bce39a14f89ae1570241a8df083f39881cd09b51f4ae1d0579b411a39884", "e91234d39ab1549abefe1c6d390a9386e5f4a0c22624dd5807b84a47eada7937", "e93a36eb996cb950eb38188ac8ad299554e787302d4f70b942dfa60bf6a2b456", "ed0a8f36eb7a6cdd9217acca8dcff17ee60fa1cba159ed70252425c0e2dc1713", "f0d96cfd28e06c7dd49d630b33e31ba011ad5365574d708e8676a941da007bf0", "f25cb7ab1760114af0649eaccc29c0d95d1ee8cfcad605102d726814f9fa6103", "f2bdb0775ef90e7a22f92c40c838eedde31073ad5b4fa252f4f4cb5c0a402ff2", "f3d42f242d6a029de400e870fe5b7ba25589c6828753f143984ba36238723327", "f5e51d8dafc29276021876cd6c617f739ef8e1136ed0135167b9845b52aa7d2f", "f60a6509bece9485a8399bcd628ebfdd324c851931850afbf90cce0bc19cf820", "f6a73ed57c8e2ece754e36d12176bc96fde1272733a22e80acfb1d48951b2bb1", "f772037e543a1038197b4e6d72e5e8577834d6c80cb36d445a78be979b6d2908", "f920f8b09f9cf80c9eeeebd986eb8bd9c0ce2c9f7c3b41a0863ca61488bda134", "fcfc331aa99559448d21c36f3ddd2a665ee3a439576cdcc2f5eaa4bedb166490", "fdb6cba0c37b33f545ae52fa5e5b235e90f79219ebff24427014ef1cc40023f0", "fe20374bfec546db5aa07d72c5326ac1975c6e2014883cbdfc12464313c56bcc", "fe740bebe8ff3bbc3696e296e94eb69a80acdb05fc420b6a36c16c4dc5655e0d", "fee850e8c2b8fdd39828c44340fc84652adf4f5d6677ab8f9fdd6b11f1d80ac9", "ffd6b10a919b2b04197b1faece7ccd35dfb8f25b12a670d3dc00855650341951"], "iocs": {"domain": [{"host": "griptoloji[.]host-ed[.]net"}, {"host": "ftp[.]tripod[.]com"}, {"host": "elegan_786444[.]el[.]funpic[.]org"}], "file": [{"path": "%ProgramFiles% (x86)\\98b68e3c"}, {"path": "%ProgramFiles% (x86)\\98b68e3c\\98b68e3c"}, {"path": "%ProgramFiles% (x86)\\98b68e3c\\jusched.exe"}, {"path": "\\??\\E:\\98b68e3c"}, {"path": "\\??\\E:\\98b68e3c .exe"}], "ip": [{"ip": "209[.]202[.]252[.]54"}], "mutex": [{"name": null}], "registry": []}}, "Win.Worm.Vobfus-6789235-0": {"category": "Worm", "coverage": {"AMP": true, "CWS": true, "Cloudlock": false, "Email Security": true, "Network Security": false, "Threat Grid": 
true, "Umbrella": false, "WSA": false}, "description": "Vobfus is a worm that copies itself to external drives and attempts to gain automatic code execution via autorun.inf files. It also modifies the registry so that it will run when the system is booted. Once installed, it attempts to download follow-on malware from its command and control (C2) servers.", "hashes": ["04723f64b7cde305f7cf8c5fea171fe09d6e94f23b87b12cb0b4e89b0b3e298f", "05db72e6249c677335bbed6e8413f4a57c5310245afa3355e94888c57c9debcf", "0c92e3f0b38584e2c7d8e937c9fee8f562747c0c86e74019606b53b0f8a25c26", "16b162c1e201897d1d54bb9523b8c41f508c05c410dae0628d693b4c59fd61ae", "1838959fe9b61d1f16a08aa40a283c56fc01bb8ae9e0f6ea27f0cf114d118bd7", "2090b52fa02d4cd7ebe82e93c67ae6b55e3fef596d58716a90e6d8e05ec0944b", "2442112ae087f44ae747c9c8e15e1c141a7001a832082661e3af2dfe86b91451", "254ab5f9730afb7cd2017cbf5b9c508a44119d037b57d88402f2a742842f0f1e", "29a0452c17164d6ff4fc7ba11190e434a57a3ba8c22f8e6d899100d28546df8a", "3438ee2ddd4449b78948fc9d7e1d1a1e38161a41f553b84e418530f08d87b992", "39bdf24760ec27af4ca5665bea804a6725699869079d9b6d49970eb91ea6caac", "39d142e05b2b0d9134f40914882fca7e0338ee27a20078ccdb85723a7008c9db", "4000775f2fbd716962f02690511177ec24c478f55dd61d18e1fa94ea40fa1edd", "403fbf3398139435fae206a2e88f18d193a99dd922b20b6c85cb80c0dfeef764", "415a60213b4845ba9fdd4a728b1f1844e289255859f87bc3f311b2597e2d598c", "440aa3626b3ffb435f21d3edbf5e99d62d241218b3b815f9720a1802193a9f15", "455eb97f5dcb8f5ca982485eae7aa5d52bb5cf3afb6c414bc1918df5c4c8e4a6", "5028bdd7fe45528aa67e362d9a70428b67abadef59a11c09c8a807c15d6d9055", "525917b1fc5bf9d1270bc55d2187cd96aff2d6fffb9a861ca56c09c855c2d24e", "529762923615c5077fd0509b7541c6af1c9c2520198fe60607cea67cb1ed2858", "5ff4e54e3f25564203ff8238b95fd2ccb0c32c8be3a9b13ee620530c9fc3b7e3", "727256f788aced2ee7d03573231e8a1d7d4e45abc4b29b27e98da3679e2cdc77", "73467deb291c727dce198453fa25c0e20717cdada8cc02a8b6092bed55405315", 
"786dc8d10957479457598d99e5b97e352f67eb50a6bc35ef30b46fe5ab07aa68", "7c97f4abe4d12e263f4447d225f92312434bf715e6191f3dc84d956390b98d4c", "7cb90ff1946295d6067a3f12ba5183cc80bba7978d4144dcf2a7f6302cfb6b33", "85072af8b07dfd60ede49b0ceee8496cd5598ae355acce536a81cb2d480ff7d3", "8990939fe242682168dc175c5ad8fcf40140f73a20ddf3e259777b9f9b8bcdff", "92cf22616953c23a4dbfaffd6b19b9c3b6de1f2ad61d65bee5da7596cadccc60", "9697ecaabc12ab5d924e6c310b3e369b57690f6dccfc3a515f6d81893a55abd0", "9b30e2cd7593e86bc3c4aeb5e6abb0163cdfd2c0faf360828f10e033761878b1", "9fd78b81a7d9dbddd00a05444daba9f85f88fd52093eb27f556bdd3fe53c32d2", "a1f1f04413f258049e7db78fc31c63cea840328c7d814978912f5cbe0f1731cf", "a7238455475c985285a8a26bbdf16adc444206d42492b539695e28b47094d3d1", "a7595d1e49fedf3fe0c83f68f0ea7e26ff0bda70c5d85ea5ee93545201150162", "a81b77bbf4acee2babd11733e2157991dbd8428d5ad93c8dec12c6d325a8bcb0", "ab51cd3984c249cd71b8da036e59aca63da24e57694d587f3065979dd4f78bb7", "b2679e64efc189dde2b711e1437f30d797717081e24302052759f0e40ac90da0", "b406ac404a6fbac704a9d18a4d42a1686e538f9f3e5eafd1b9b92e296f3ec9ab", "b4ade621ac73a937925be0b5dfcd360c9bbaa0266785abc5935ebc459bc6d59b", "b5701d1588ee5754950b7bcb96b16a9f7560328ac8427ef9e3e1be6169eee98f", "b6a8cdd51d4efcffd43beb165e021c70d3fff8f102e8df3894ae84494da80cae", "beab3be1d77bc7f28c25f593f1f32b369a73f4a36398ff6538d60e8cd0433446", "c5366cfc98523d9bc5534b7b382b68b95f90c68c7b305b64bdc5dfddae96bc02", "c8b575bc5ef031da946b254fb0b10b30f6b66e6c1f39c04ba802f5568467fe88", "c996295e33019104ee92795ca366a9e12249d3941fffe78ddc1baca07c4986cf", "d099cf2563241e40127f9baaf057c1a2c58839c0d0d9b117d5a42cdf2b0cf25d", "d32e8c0e413b3a1137609021057e0a484dea799e7c56994d9f569d1066a09bca", "d484715173df8dd24abc2366dae58d4b6c1da1809ff68e5036a1295abf9c4942", "d7886f783605e982670a245275b10a62f6015aa1cfba53977547f722d4ec5d0e", "dbb7abdf35a77326fcc78d223a2ee7408b3bc512f051e8d5edb991c124015e96", "dd9bdcb6b756d8d31bf4a952af4c18ba980924a25ed3d476f34191ea66522d2d", 
"de1e422a97c4c3b36d869239e6895f12087e395784f8e1fb26454ae7b03ee383", "e12230eb4c8dada94c65c97863bc4ed8e592fd35a1abfb2e55b82244952fcd5c", "e6495c024885f757d7a135fa2461e046756d756b68159e9fccadd225d05feaa8", "eb67f0dcfbff7cbd44f80387d0ae505587e8a9c0e33498ff0042625ccd87f702", "fc61c3cc050874275b4cdd9f92c2a2452845527160d77d33482153f645ae64b7", "fca93a01edbda6fc1ec94e842add1d989531133b78750d033de30dde95c14091", "fe9e3602c133b06bc8f80549bda049e7c594c942bf21ae545e13805d940b9a7c"], "iocs": {"domain": [{"host": "ns1[.]dateback1[.]org"}, {"host": "ns1[.]dateback1[.]net"}, {"host": "ns1[.]dateback5[.]net"}, {"host": "ns1[.]dateback4[.]com"}, {"host": "ns1[.]dateback3[.]org"}, {"host": "ns1[.]dateback1[.]su"}, {"host": "ns1[.]dateback1[.]com"}, {"host": "ns1[.]dateback2[.]org"}, {"host": "ns1[.]dateback3[.]net"}, {"host": "ns1[.]dateback2[.]com"}, {"host": "ns1[.]dateback2[.]net"}, {"host": "ns1[.]dateback3[.]com"}, {"host": "ns1[.]dateback5[.]org"}, {"host": "ns1[.]dateback5[.]com"}], "file": [{"path": "\\??\\E:\\autorun.inf"}, {"path": "\\autorun.inf"}, {"path": "\\??\\E:\\System Volume Information.exe"}, {"path": "\\System Volume Information.exe"}, {"path": "\\$RECYCLE.BIN.exe"}, {"path": "\\??\\E:\\$RECYCLE.BIN.exe"}, {"path": "\\Secret.exe"}, {"path": "\\??\\E:\\Passwords.exe"}, {"path": "\\??\\E:\\Porn.exe"}, {"path": "\\??\\E:\\Secret.exe"}, {"path": "\\??\\E:\\Sexy.exe"}, {"path": "\\??\\E:\\x.mpeg"}, {"path": "\\Passwords.exe"}, {"path": "\\Porn.exe"}, {"path": "\\Sexy.exe"}, {"path": "%UserProfile%\\Passwords.exe"}, {"path": "%UserProfile%\\Porn.exe"}, {"path": "%UserProfile%\\Secret.exe"}, {"path": "%UserProfile%\\Sexy.exe"}, {"path": "%UserProfile%\\c"}, {"path": "%UserProfile%\\c\\Passwords.exe"}, {"path": "%UserProfile%\\c\\Porn.exe"}, {"path": "%UserProfile%\\c\\Secret.exe"}, {"path": "%UserProfile%\\c\\Sexy.exe"}, {"path": "%UserProfile%\\c\\autorun.inf"}, {"path": "%UserProfile%\\Secret.exe"}, {"path": "%UserProfile%\\Sexy.exe"}, {"path": 
"%UserProfile%\\fuuhef.exe"}, {"path": "%UserProfile%\\RCX469B.tmp"}, {"path": "%UserProfile%\\RCX46EA.tmp"}, {"path": "%UserProfile%\\RCX4739.tmp"}, {"path": "%UserProfile%\\RCX4788.tmp"}, {"path": "%UserProfile%\\RCX47D7.tmp"}, {"path": "%UserProfile%\\RCX4826.tmp"}, {"path": "%UserProfile%\\c\\RCX5753.tmp"}, {"path": "%UserProfile%\\c\\RCX5793.tmp"}, {"path": "%UserProfile%\\c\\RCX57D2.tmp"}, {"path": "%UserProfile%\\c\\RCX5821.tmp"}, {"path": "%UserProfile%\\c\\RCX5870.tmp"}, {"path": "%UserProfile%\\c\\RCX58B0.tmp"}, {"path": "\\??\\E:\\fuuhef.exe"}, {"path": "\\fuuhef.exe"}], "ip": [], "mutex": [{"name": null}], "registry": [{"key": "\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN", "value_name": "internat.exe"}, {"key": "\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\EXPLORER\\ADVANCED", "value_name": "ShowSuperHidden"}, {"key": "\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN", "value_name": "fuuhef"}, {"key": "\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN", "value_name": "fuuhef"}]}}, "info": {"origin": "Cisco Talos Intelligence Group", "publication_date": "2018-12-21T14:44:12+00:00", "version": "1.0", "warning": "As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net."}, "signatures": ["Win.Trojan.Ircbot-6790011-0", "Doc.Malware.Valyria-6788933-0", "Doc.Downloader.Emotet-6787868-0", "Win.Worm.Vobfus-6789235-0", "Win.Spyware.Ursnif-6788669-0", "Win.Worm.Lolbot-6787741-0", "Win.Trojan.Zegost-6787448-0", "Win.Ransomware.Gandcrab-6787437-0"]}