{"Txt.Dropper.Sload-6835718-0": {"category": "Dropper", "coverage": {"AMP": true, "CWS": true, "Cloudlock": false, "Email Security": true, "Network Security": true, "Threat Grid": true, "Umbrella": false, "WSA": false}, "description": "The Sload downloader launches PowerShell and gathers information about the infected system. The PowerShell may download the final payload or another downloader.", "hashes": ["247820502a0bb4066958963420bced4ede844f758b580ef553b83d22d2de99e6", "52c5a6d4d5984a25e098c5b48939e2d4fed914323d36cfc1a593fa4f39d88785", "6706cebc801e8f5dcbfea387e5626ecdc918ad9df4b66f81d1705e160b48495d", "6ccf2fd74da92da68edcf710b0e5f0e7c9abc57b4ac108bdf45aedb690836a45", "725c0459b17e799b8ee52e50436aabdda767a6c4affbbff0a70c1cde97708b7b", "b3198591f2f417712cc13c728bb516c890175483a76580e4ec30cd5bac77bd77", "d01e11c3130dd60993d6157dd1105e0248efbb4f9bb47623d423b501780774d6", "d673a40e2e3828f924af66a3cb1651a40e61689d58e5abcb86dabdfe8039da85", "e71b83215799c2e312285afc4b7ee22dbe3c30615b68aefc2d4401ffb6d2ff74", "f1acf589e8d7efdb1916c0e50f664a0511d3e61141ffb32f7fd8fa24f95f7ad8", "ff30f70845268fea1287e2d484a4afcb6f4da3cc365b21136318213be765e58c"], "iocs": {"domain": [], "file": [{"path": "%LocalAppData%\\TempTuH51.exe"}, {"path": "%LocalAppData%\\Temp\\dsise5x0.zjp.ps1"}, {"path": "%LocalAppData%\\Temp\\ovhjx4if.qdc.psm1"}], "ip": [{"ip": "92[.]63[.]197[.]153"}], "mutex": [], "registry": []}}, "Win.Malware.Ircbot-6832631-0": {"category": "Malware", "coverage": {"AMP": true, "CWS": true, "Cloudlock": false, "Email Security": true, "Network Security": true, "Threat Grid": true, "Umbrella": true, "WSA": true}, "description": "Ircbot, also known as Eldorado, is known for injecting into processes, spreading to removable media, and gaining execution via Autorun.inf files.", "hashes": ["0155016685ec96cc0d9e032e57da2b16052f06bd5ea8a5fb448744405d8d1ace", "023d3a287d1bde943a50ed487db4622072f402e49c0e9c08c832927b68d5cf40", 
"0a2780abfe422e7bf4fdd117d4b2610b4e0f439893040615e18989f2238b1a52", "18149c8dc18edef48582007a00d96ed443427305f7d8b416d9e324f0e265bc88", "194e2936fd8619b889830e9dea05e3d2cbba81ed4fcc6466cc60bdecaa468d6f", "1bdbb51379c9a251842b8d82dd09c9feb1ca122c69f35a3ce971233a26cff3bb", "204b9ddd234085b28443bc1962ccc2fc4751529972593619fd1f8416f5f46dd1", "22a200305586a9d023edbe62ce72ce33d5800537c28071ea2b2d1e1173a1e429", "3335e5f96b84ba3ba92acf70f868340875856a5fc4d9fbb20a1fb8783e2a4d5f", "355c1a0b0acab5c0f981338a00195aca24391e030bf2b5dc86d40b0a6be8d9db", "385d96319115bbb45d56433998e760c8e91fa3b18cdad9e13e7ff5aac8cd18fa", "3cdede79cbbb84a194e8cc8b7a4e773fb7ac7422dba189c97e182b60cf5dc3e9", "416c4f95ec6425c7e10dbbf76aad05555581ce2afcd463312196488108a19d49", "458b83abe7158987c36e9adc7b53302a9f2c3a32515187aab2ab8a94547416eb", "47ff491c3eaf993620053967094442d55a7171a7392b20be5887b6df47923bfe", "495f52061c57729619359397a0727a5ac7292b4f4460293f2e73b1b57b21ddf7", "4c7a2291c7d7bec4c0c6f4a88365de272558e3468fe8792530fb437a9505866c", "4da013c828fda6709236939355624832f6cd5a881ce74d0e8ef62cbbb80a14e7", "4e15c0dfd45c1389bd5a242a06b1f6811f3ef12964cbb5d842733543f3c37461", "4f94991e91530687b0edd128f5032b8f5b689a5bcd86e50bb02a6202f2546a06", "5c4f4750c1d7ccbd0f28e4e19a427f70aeef6914e039e07907175ec72f7b55ab", "6b6283f336de2e90aaba477e95806875a750cd4d320ff76032b674b0664048b3", "7ba9e9ce4e5a4e2e96f01e2ae5726ca7449893df71ba9395834486a003f9db20", "7eea4d9381e165b9200410d56b7d3e52dae2261147d259837ab88c5297c6c157", "88955e642b622659964daae8899209553f3f90abe4454e043d7cbe05a48b23ec", "8dcfb454a5990a3e89c133339d7e2d1453d851378dc7f42cee21ec75baf3fd5e", "8f83d67abc5060343419b0a5ceb9090daa49606c809ae55ddbf90e5516f9b8c5", "926de0e6109d7f17987316e92cf0ebdef4213e69051426e09f5e9126ce072956", "936a8e8ab52c3ecb98503e4333f1213711d8354ee33d1cdadbab7e6a1b8007ed", "9895d180be2428a77952115f237d0ba1828333899ddaf70b163b81e4a7bdccc8", "9955022e2cf90920e6f171088ffb4c24fedde5a11e1ff0adef596bb8f6e131c1", 
"a32c241222792c885ef7c9023a82083c2c53e409a3bbb4ed0c2c65d666f2b233", "a94b3a3ba78d26312a2cca548e5b5610414d84e623a5085903b45bf17c9ba249", "abd8775c1fe2c0180effb8193c6523a52ded27930b3aca5d00f7cf0cda362aed", "bc92f51bc0d4cac2680e623dba9be37d31167a4a6681de9e5f56fd06d226b697", "c22cfc14cce5f543611c6e5c70e1cd26fbeb14fba58dbc9c2ba560d0c435ed57", "c7139a423d561c14ad7e0bdafa1792698aae568f60ad12488b09d330727e196a", "c742b1e4d911eb60f111f3ee9eb6eaa18739ebbbf692f4ef27f81aba8a9da396", "d6349471aae052b6975629db6f5185177558e59211c59c1d8aadcd13556ec434", "d7af455048e40c4920bcd0f071e771ab7852d82a8921b7dc1a21187e73998a06", "d92e2ce052b2f6a8afa27893a7a3f4dce0273d3bdca2ed5fa61b30432b8d31d1", "e02cb6126ce129d577f702d5308eb23e2bb3bfea4f7d684ee6adc1cb87d86fda", "ee5a0712b116b80446b4b2b825b1c0f45b240ab1c1c32614441472d55df78bed", "f7f75701f45c47660953b4cc13dc8fab8421e7e92a4812a326bc266df75ed27e", "fca5a38d5cadc48cf3f75d05d652c5bb0ffd7b2e5f8260b04100df1e3144072e", "fdcd319ec7bebd4eb38240f1f291379ec82a969ec8ddc95b9fb7f6eeab37100f", "fef2b3bf8a89db93ee36ac2b105a85b784554c8dc9c0bef1bfe38608a5af7a59", "ffb24bb224ec3d13021ffb1b2a4ab835a0cbee830e2d93dc9e4b76ebce81990f"], "iocs": {"domain": [{"host": "mokoaehaeihgiaheih[.]ru"}], "file": [{"path": "%SystemDrive%\\autorun.inf"}, {"path": "%AppData%\\winmgr.txt"}, {"path": "\\_\\DeviceConfigManager.exe"}, {"path": "%SystemDrive%\\DeviceConfigManager.vbs"}, {"path": "%LocalAppData%\\Temp\\edakubnfgu"}, {"path": "%LocalAppData%\\Temp\\gwhroqkhwu"}, {"path": "%LocalAppData%\\Temp\\rgjqmvnkyr"}, {"path": "%LocalAppData%\\Temp\\phqghumeay"}, {"path": "%WinDir%\\M-505079372036270397590263040\\winmgr.exe"}, {"path": "%LocalAppData%\\Temp\\akfbuwqisx.bat"}, {"path": "%SystemDrive%\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\plyfxhcodr.bat"}], "ip": [{"ip": "192[.]42[.]119[.]41"}], "mutex": [{"name": null}], "registry": [{"key": "\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN", "value_name": "Microsoft Windows Manager"}]}}, "Win.Malware.Mikey-6832636-0": 
{"category": "Malware", "coverage": {"AMP": true, "CWS": true, "Cloudlock": false, "Email Security": true, "Network Security": true, "Threat Grid": true, "Umbrella": true, "WSA": true}, "description": "This cluster covers malware that establishes persistence on the host. The samples use anti-analysis tricks to complicate analysis. The family is known for its plugin architecture and for intense network activity. This week, Win.Malware.Mikey was seen delivering credential- and data-stealing malware such as Vidar and Lokibot.", "hashes": ["04fc9b401a35a597d116a04ddf44b12d33089c695bb0dcfe4a23fd8f2b2f0fea", "153263c5ac6d33b6794f356351a2f87427962d872c1a80454d9ff954f361b63d", "1de3670adb0c402e6d617ccb069f9cefab146c05e52d4f9f3373848a0f8e0b51", "38edc6ba8a59e8313451f8a97e8be294f0712712e5df835ffda5d77cd30a9a23", "39ccb7bf5a25f6c14b2bf4eedc6e79a41c7a35fd7904345e4350b0e3a030de98", "3e7dd0a781a6f30f86d456356aead93f92c8e35b465fc8f376d74d889b83ac08", "585c2b64c11a2923a948ac4b3b8d91fe2b4b513fab1d24356dc25b78ee1b936f", "62ea6bd48c060eac41280d0cbf875548bebeddfc1bf433d147be9cf81a2481cd", "6cf5c02df365b6a056fb8aaa18777837ee2773bbf8ad02b898e915b1c0265eb7", "7dc2571db00def41d9ceb57d79203a692e2b1d498b1af7e82c98af7aea157778", "7e0dc31d89ab9984bcd87bacd436a88cafe4ed4c7a26f9c817e161970e01f97f", "a64e51d88767f4a13ce80fd8dc5c7de19a3759a8a908ffbfd5dedaa862adcadf", "bcd2bb9f0102fb0e8c32db81da0febb6c8da21ad34654cca9820be5b02fa069f", "cbbcb3663fa758abe7028118fdfd5d18eecef043ac7f08f8b70874773ebf7004", "feb81e6fc80e9338b19cde6f6ce58293c0db387ce50e5e457668b0ce580958ef"], "iocs": {"domain": [{"host": "www[.]britanniapharmaceutical[.]net"}], "file": [{"path": "%AppData%\\D282E1\\1E80C5.lck"}, {"path": "%AppData%\\D282E1"}, {"path": "%AppData%\\D1CC40\\0F3583.hdb"}, {"path": "%AppData%\\D1CC40\\0F3583.lck"}], "ip": [{"ip": "199[.]79[.]62[.]18"}], "mutex": [{"name": null}], "registry": []}}, "Win.Malware.Nymaim-6832988-0": {"category": "Malware", "coverage": {"AMP": true, "CWS": true, "Cloudlock": 
false, "Email Security": true, "Network Security": true, "Threat Grid": true, "Umbrella": true, "WSA": true}, "description": "Nymaim is malware that can be used to deliver ransomware and other malicious payloads. It uses a domain generation algorithm (DGA) to generate candidate command and control (C2) domains, from which it retrieves additional payloads.", "hashes": ["026587694b3c6c2b805ce3349f7de0188ae5eb64aec3fa4fb1d7941ed909bdf3", "02751abec497c2eabd985f8302af076e8389a07634fd1b50af4fd2007eeea2e6", "03f11327cc260cac961607d223b918c2a13eb1d2b9b38e01249ba5c0b3ba1ea6", "04f5aac7cc404319b34002b6052dfd884fdff7ebffd70488352be923bbaf5b5b", "052775d28aa2f225fdff6dca5ab26b94889fd1c36a1b87501f2c977f1264635a", "059c431655ba6c80881dbad93efcdb720bfe6a5580ae956074474cfd41b5c5cd", "08f9579ab7a73b489d74ce5889790d01a9875dbbeebfad1d8c32de163942bbb6", "09556303b704dd636a500f354fb8acf90ecbdb48a4588e98957efdfed3e07c92", "0a336eca0241a00a7236416172c4dc3d3c6e7e6c048f03e5252b583453fcc14f", "13257148820b602f9ea243c3ef0f0af3049396848702ce7c431a19bb3b92d078", "15887d922b368ae79c0a9cbfb151851151b5f7ac85e4c17cf33711daab12b7ed", "169ccd6fec92c295224a17c2454f5e8a10aca73d5b91b3347b79f97eac6cbd0f", "17d9a7c863966c8f8d06a3e874b50cdfb8d9f04617243a2c82b8a1917c2d1401", "1a3477bf67688bc79e975c197aad329ef8131b002cea06f29f41edc432915944", "1b570e1b58ed4f5f28370807f365fdab8da5ee11744dc0b0753a9ce643447776", "1d5b6e6cf7d911cacae10c2a4a3cec81988c55bebed8eff63b590fe65f987a44", "1f92f057a6c8e3e8ebe57a791be9fd0337cd4e18dbfaa6d70923428dead10f87", "21a0b26ff905b34dc3e648bc5a895d77198138048c97a44aa011a92bc1682d3c", "22c4afb82854338010a5d0359431b72226fc6f61219036c09a1b8226a2de233f", "23d9099b8596bb36fe8fd4f5e3e129a80d56f28bef0a169a3161c3cd1f917d73", "2744ffd5c3c6e9d1402c518cc7be298f385c94ef4cf586239190439a8ef1273e", "282805957430611b783bc1383c793bca96d2c9b9a01ad1cd959d6870d64f7510", "28839dea14fa732585347278b5e14bc0a5d741d645af8f3726efa52e747f37e6", "28dd921beecc08c8a4151646d7fabc16c494eb96deff2271a88da7e55db60cf3", 
"29cb7da2ab5e7431bb7227c7bffbc1bb35e47d3dd48d5f90de680d64ad3d17ac", "2b1ba6edce4220b9c9ba7521121c26d32758e027a2a3b12e24e0dc280902799b", "2b55302598f535dc77324aed5d9a56f6831765c5d1d3909376fdbd39dbf2a5bb", "2d03bd805b74ac8e0cb46abba4878899f6005c8faa477d21b75508e78577f7f0", "2f7e827163d627269ca2b4c0c6e6367c3a0a911b0a4fdd56a1c97162d191e849", "2f9579c32f34db474eb0c29813afd0f5015eb5912fbc24aec0956d164c6b572a", "350f3c729b054b72d076e4bd81ae4b9848cc3130d457a7d4dc7845ec8b0a9169", "3774e7403d80b5163b7e4fe607bc2fa57ca5d073f1bd417f995561b5f1b98e9e", "39d050c477c21a460550657ebba049363176326a76320f1836fa69727ab4fe6e", "3a8233ae3987465b94e9b31ea465de498889a10e7c0251f097bb81487238cb58", "3bf5615cbc6e06e572ad55ae9a1376882350a99fad7661560a16dff5eb573c56", "3e2e09de4ec21b97c3f27bc4af9bb8316738bf23edf645f8d92118c072958936", "3f9b4c5cd9b8cce7b722213e2902870600e9a9736a7add51a7c60fa94b9baebc", "3fe062ea58fb25a693f25b407802253f4a808198eba08cf6bcc60334c1e4e5bf", "40f8ae3056ad489640c4681e4889f303b7314dd46fd4df827fe67b6d81f084b1", "44cf6582f59b58220ca960216d82418682465e6cdd87a6ee546f3a9a819de5ec", "4823a47661a235a753af966c4b34f55bbad5692e6021e8178c7b213e25a1de5b", "4b71900ae3c15ed291df18f25f60bdb452711ae697c67f2108253ccac47a6a8f", "4b7dc9e42722dc0d9dc6b14992d2f35efca9c5630111a177a64687690aebecfb", "57127518f52bdf1590eaab5d88b8276392f9a79825e4e18cda79a5d5d87bfe8c", "57dee40928d7d4ed9a09405338120a79597435763a2687c0ffdaf8ab4ecbb24a", "595942d830778db30b19ea62306549c2a47d69028281f03ce5ee04cb3358d896", "5a1fad60839a546ac8233480cd96757967de5caec1bad18a604438ccb1b72a12", "5b74b0794b307872c13050fb9c68e8d75658161e889ac4035de7361f06fb3169", "5bf54f219a43e2beece55d8e010c508d0afea6c52a76ce8400b82b6516353929", "5c1aa5391e51c0a2402e5ff54d487538a59fb1bba67a4d5a672f3d2e4441517e", "5c8e495a47e76d306edf247b944fb3c9dee8793d2152af5016ac1456d9b2e634", "5da9b894d7e172d1a0d93c93980b8c8d02152ea89fbbb59df5b748d42215badb", "5f36caa41c926006654576ebcbf02f49e8d77770fcbe0a5d644e7f2ea494b417", 
"63e43a9e1619b7b4c596b8f19e20ed6af7dce04e6e23c33f09f3f1bf19ae3d46", "670a1fc30ed6563736d0084a2edfd76f36386dfa7839a4165b917f6e91f1bc9b", "68cda1f704cddd91c48fb9858af1d9f4a36ca4b56cf593996a3fbfbd8514b445", "6b8790cb49040e34132cd41bde180466785d17568d071cf2640005232c5cbe8a", "6be40256714afa90ca3d41721876b0f5b11e1555312ef69d87e87149e3f66c61", "6c1dda9047adce136d0f96a8c8f5c7542a5f83e970997961be9bd4d151293c81", "73a3140f50add23968d9928195bd984a7cdc5d6c28f31ed4cc23e7cb4604224f", "75b788f52c8285f4a29a1be5ee30222d4ec39452d921a1ea56fb69909994a12f", "78e54b7ff447bdcad1aeebe56210248e102b4646e4d6c972f9cf1da0a7eaead5", "78f599e048d0103cf1c6487dfee91e1c0ae2021307f187789ac02c9817021c48", "798a50abe43cc96ab149d2b9eff4c2f99a97fd8c0b4d248098adff48704692b0", "79a19ed5714c3a558edbd82c3474910c0226cd5673873724c48ec8756f5c812d", "7c14788b48a1c5f39da6f04b359484c1a16d0951e00c30a27860dc435a85e4a7", "7d4fd960780b86c988cf561f44e9cb63bb203d53ff73492b0347566e4d649632", "80a35d41c49a3296ceebaa3134187cfeaff84b48cb29e8afbd61934e63ead3e8", "826f5b788ad922df91d705aa9e22961d7024a3588ea64f81ffa9bb6fb89ba7a1", "8320a57a30767d62c7393b760a0217f0b67dc97c6d9d921337b44833dbf80184", "84479fc8dfd4acc020ba7b12d167501f79180770218e1412de4bf050707bd02a", "891f0ca5c357e1fe92cb726bdf9797604d4e6c620f6a72463dba219e91ab5346", "89abc9042eccfb110255f1545773f67cebf3fbc578d284b787467709706b81e8", "8a84bdd8a170ee666df18588bcfc84bbd5268a81ae09aa6c60d8dcd9a478c787", "8bbb8fe395f8c1008b13096d20d90d6d9ae8b2ac88920e6de0b5f6d5fe9d761f", "8d7223be2eb9ba22ccc8e8748b790daca9ae9f1b933853688056b92df7e397b8", "8dc304c66815689043867a853c5097bc96d65322099520732fde1d565a42f8d6", "913480eb50c9f3b079325e20faad67ce11d064895e92d5c39caf5486d7e11a73", "9362dc2be8a80a994d6199b0a4e3af514bb40cd528362a90a27b484ff3a94fac", "93c7e88b845936652a2f9402425decf79692fd0ff6f92c4ef9f7b17c0473455c", "94a5479aaf341942a35bad9f0d85caf4674fd663d7dd474ac3d15692ba75ffea", "9586cc19e39718f5efa862922b6f1c62a792a42a8721a28f8adfa4610658f224", 
"978c750315e9f05cd8ece4fb164a23551a70f902e64b23efc0e50826271221ea", "9a9f2b1270d2d5d864d8f0274cd4956d0eea9a62213fdc5b68bfd26d4d14e954", "9ae0ca7593468a2a536ce81548dbe575a0a2a33925c21f561e73a361b14a1033", "9be174d352df2828e962c1be79ea08a565d242461992a1aca64c6818565a72ba", "9d8fef91439749cb3393be148936bfbbba5e9217daabb29a00b35056aadbfa1e", "9e4acbe6fa9397990b49fa0a2f72714fffac26628e14fffea319b80ab5dc7bcd", "9eba68ac5c7f1303057082faf1e5438bdc5c570f1f7f03e6ce7ab56ef3caad1a", "9f02483552d5ccbe9df533f5706d5a59684ce2820af2353c730373c3dffeefbf", "a0216486431c219b8834a987937935248be4a0784b2d704a493cff345bcb79af", "a071396cb2f78bb453d20c71d748aa178ce5f366bf444de87a91503bd10a38ed", "a2501c339a1332fac9fdd4ec62d2c0e4f896305e38c0f5fd8d5af5c58af4a29d", "a2f61d1df33387add2a93aa7b10ac2607658e8c636eb6246e080764854445362", "a3b5dc81463e6571289873bd7d0760774aea8c554ca37a01709c6537ad0b74a5", "a45621a7c4c892dc2694d557e2af47d7e152406aa22bafce8c73177e1e6f562e", "a5b6166888265e511a48da8c137f15f999636c2f5dd7fb0c261dbdcdc0bca9de", "a7e9421272d74e57e81cd5e8ef67c3b6f0259d8fc45877774548e5bde0c2aa4d", "a8478379967f5327dbb6e71abde92f786e1d04f7f38967981d41c578e40f59f6", "a97e79f068bd5a46f92d009ec1210a089f34772d77378c9e4c02793c05ec0c1c", "aa6a4156f9724057b06daba33801612e6887c4a64cd9ee80152fff9709aad32a", "accfe842b7f051e32fa7d77d93918cadce931cbf61cf60c61b0f939abfc89916", "ade016f5119f9fde62a135e77d78db27202d192b007c21357e025a27e08b5ff4", "adf71f746efeb98a50f5257a803d2e5e5792c4648f91e29ff996eec5b47e453f", "af4138d0feb080aa6bdf5f1c38528b62cef288e4d30dfafaff57a54542b2e22c", "b0185aa01f50a7483d1fbbdf76e6e82934b4f1f9360cba61c8136439ccce038d", "b545ccb6f7477070649bf8254a8a6b7bc9c652940bb9d103a303047649ddcdbb", "b632db9cbfbe128797fe89ae1726e753c0c1500aa9aa27d39f92ce19d7ed89f1", "b6fd8bd3cbc60acf7669e7eb2578f9ad1e6477aafa9e02247b8397e31d59efb7", "b8f8bdf0731d4b441f839849e57d46e7d4b3e78f7f56f430cc81ef4695587463", "ba13f7cd92fe68d696d6798d706a772b18b34896a0307cbfb70a6177f21c41ac", 
"bae1876cd62de09c89bec8fe5a2116588a01bb85dd407ac1c61fa4f89f7e7dae", "baf5a2066b530554e27c91f5f0479e213880b27c44576b39f7bb37c550bbc8dd", "bb19393e04e7d8d1cec0713b07411d9acaf0fd0dcac44b414fd0b2942368d277", "bb8d1ddb7d5e16734266cff274bd195b2f06d9f09db3743fde08fc6713363031", "bbb521c8d78bd3114a48b83bef2eee8e148878cc3bda29d56ec1b7acea55d482", "bea30403f35ad45fdfaee4056ce696cac1fd265c9ec8a38902e5ca063f101b12", "bfd9473b71eada04ac3eaa62d4c7d8c871ef0d5e7c799ac6e3a362d63d049f1c", "c27b8b84df97707bf29bc5be64d936043527428f1ede970b8018dbc3cfb6fe7e", "c6f74b5ca0825d52bb9a6b9990c50129e80b434e14cecda5047796d6713ef57e", "c728012548f59377004a8a3ca20b86a8dc909abd7252311847d2ca3e83a8885a", "c7adec12a6cc8fa30c10e2914d2c2ad2504d75168f988b427dd70d4f0569bcc4", "c7fd31b9d5979696d36b95be69233658c4c3d7e1b55011c738bcc46c893f9a7c", "c82a43981b38fea1dfd0b306b06dae4daa8d3bf4bf60df0ab83c30ffb0a254b8", "c9b488a0ac5520b8f08b0dca9007f99baa5d6730995eeececf2c5156678976ee", "c9be8661ea209e60e64a72669fdee88cc699a937172b9a244e5ab388892de6b6", "ca2cf91b7ba94e7b71b8f1bfd6e33b2e9711dd4693d3db3cc4df11967743395a", "cbc8d26bb7d2428c22832ca9e16e4b2c63179ebdf78bd0fe5545f0341da495f3", "cdeca2ef346d1559e5a899574f361c7bfca72051d92f8e65419f3fbd3fbc5ed7", "cdf42fba0e10db5aaa22b53b28ec94137baa91147863b8b2a74af12b5d2e8b18", "d10fc162571b1bc1751369be81c5f0eda2f41d0fbab7dc2aadbc3ec9e4569896", "d1ba7c23c4d4533568dee96409c238fee009cd86599f62121bac24a9d22d6b9e", "d2ad3995c645e46cb1211414665a79036a4d890d5e091f02e136443619251818", "d3edb2b9f347c437c72076b7ba26067e49fd4bc3079286e7d2acb25684ab3a0c", "d442024c364c5444cb305577b4ac6eb45fa9f84dcfe2a9c41564170fd72de1ce", "d48d6057371abeba7269da753b378206e5fb15b0ab78dbe0792d8e4a292155c5", "d843aae7ee8a93f96b32321aa764a8b0ef392d4cca439b1de9adef1faafbb76f", "d91f5b56f65a4289e6a2e0d69214e0de1467ac29d376bc0d2d0d38d2e9f550ad", "ddf2b9d4a23bdf22ca0c0616f90ca9d6a5a21838bfaf96951701d0397ea57c95", "df165d6615cfc8a22873274e1223dccbdf1ca25ac1fc705961e5f3ec2941b203", 
"df648a6be9c2fa30cb97dd1feb12d2c83eb8aeed9db864b117de545f3082bd20", "e049e2700e78d136010056b76d8b9fae62456f664a521c0a7575206060bc95d1", "e418d454c6ba4d678fd3cc2fbbebb3ea175f82d81f9347ec8c5ce34966abf5d1", "e63d72c157cd6e9ee04c960a3c61cb542a5a3e8d3c004aa797f1e4ef60358ec6", "e6c8974ecf16a1b74e92f47fde4c9097fc61d1518da734d77f37b1bbd21d7e32", "e99d09a2eb29bc176d1a74e0131566fe8defac688446aae3fbffacf240a8fd7a", "ebbb8dd6b2a1b67fd6453976c0fffa4364e0aef63b3cdf7b305143a6b743579a", "ecd0f8cb760098aa63112fc6578f127da2b83902c4853e1d747133117ad3f98b", "f0732a0b0ea0d7b47ef878efe4e23e92405e9043dbcf570a1ada22d7cb5160c5", "f2c80a8a1e52595e793d537263c96d2d6dadb0a4e5c9e04f31709dae39a46e0c", "f3a07796c59d996b4cc7441128554f4cb635b57b0f009a441f0efcf8c828edb1", "f6d8193037d1bf904b4381813cecf3ce7cf279c11a8c7c4551f85599db71afc9", "f755cac0dcefcb0233947fd936fe93116dc6340c909f877e2ded88d41786c99e", "f7c35f666e3f1d43ea8783b7106419f84eff4e0d8142e8e9e005e6b393f4af7f", "f911ccbccaccc30ab3949192b670a7fcb543af7d5becc22e79dc3f9fd1ed536f", "f9af556fa1227264e6e3ae658a06deb7303680bd8a51020f5a1465fc69345a22", "fa89ee78f5954a39a75c077929ee19a16c60329723510af3efbc97f0056c405a", "fadf90461ba5924084d2b4dd6fe9065ae66db94693721a5b44f766d2fb95ee1c", "fc52b5d6d51b2a0659da2cc431825b0a1b1c9bb8120b9e4d39b31a9b06666dab", "fce3f22402c6e97e0c6bbbc3f273748299b8b072e0df229fadf9fe2e62b53a56", "fd390d6c74f651e204227af360ee4bf0db18d2411bc4be6c0fc01b6e07497820", "fd9adc598860af51cf61d6e5dc8cac389ddf17bcbf4878102f10a97c0657cbbb"], "iocs": {"domain": [{"host": "xxvtlrbo[.]com"}, {"host": "zmupmfnkbmcp[.]pw"}, {"host": "plmypyiga[.]net"}, {"host": "fkpblrwoj[.]net"}, {"host": "akzce[.]in"}, {"host": "hxthmoalhozv[.]pw"}, {"host": "vmafqojqbxo[.]in"}, {"host": "uhizks[.]com"}], "file": [{"path": "%SystemDrive%\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\fro.dfx"}, {"path": "%SystemDrive%\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\npsosm.pan"}, {"path": "%SystemDrive%\\Documents and Settings\\All Users\\pxs\\dvf.evp"}, {"path": 
"%SystemDrive%\\Documents and Settings\\All Users\\pxs\\pil.ohu"}, {"path": "%AllUsersProfile%\\ph"}, {"path": "%AllUsersProfile%\\ph\\eqdw.dbc"}, {"path": "%AllUsersProfile%\\ph\\fktiipx.ftf"}, {"path": "%LocalAppData%\\Temp\\gocf.ksv"}, {"path": "%LocalAppData%\\Temp\\kpqlnn.iuy"}], "ip": [], "mutex": [], "registry": [{"key": "\\SOFTWARE\\MICROSOFT\\GOCFK", "value_name": "mbijg"}, {"key": "\\SOFTWARE\\MICROSOFT\\KPQL", "value_name": "efp"}]}}, "Win.Malware.Razy-6836342-0": {"category": "Malware", "coverage": {"AMP": true, "CWS": true, "Cloudlock": false, "Email Security": true, "Network Security": true, "Threat Grid": true, "Umbrella": false, "WSA": true}, "description": "Razy is oftentimes a generic detection name for a Windows trojan. Samples in this cluster collect sensitive information from the infected host, format and encrypt the data, and send it to a C2 server.", "hashes": ["0478a5fe6b6f8426e7d4c974c793324e96f5c98ae2639e733bbf1a899109eab0", "11001e99cc3c630319a3e656affd9a4f99d6e415d9d11e5a19b38badbe2a6276", "19aa677502df6111edbea75aaa7da4c355b7ade7e2412b94df0f0153f3579a8e", "1dfd97941a2a7984c01fe705de5b2a509474717b2a59cd28e3565e827a9b27b6", "201699b6305f41121b0b38ac5514b2a18d6b44ac40361334343da2e949a368e7", "23ab227adc1b5ef3b49500b90b5414363436667ab2e1268206b098078ab74e35", "28d291b0699504ab6e5d551a00d16e90a9b5688af42a32c5dd1ad9229f3e5ea0", "5212cd679a3a0571a0a497d5953e1fd2e9eb0b0d64a09dc9d0ad928029065a03", "538774bed3fb08b2efb0f88b21092db3ddbc5563e503db019442029904c45533", "5d1179480e28c69afef5a78a1e1038de01c74482c0bec4030233f88ae5a9b6bd", "70fab993b38acc0f6a5d0a890a7ad432e977c32fa6068e004850b9094b632415", "8a11ba0d79dbbcfd9449c84132d3f4cb26abbac4d9856917e96687c32748d4de", "ad3b893cf85eb2719e9c99dbc9a39c3aa6a56e6ecc1827f5b7023465708fcdc8", "ae404720b381527be8150809b914c5da1038bc475d39ca647be7deca06440439", "d5693ccd1dde37f10582f5df251b8a239ecc85ef29d78a9528c82779d85a7d62", "e230deaf74421919f1277a6ebf52a7e77e124edab01366da5ff63e328a88f09b", 
"fc96e1acc7e4bdf7786d64c3d997f47d233812641e431b829dc554743978d863"], "iocs": {"domain": [{"host": "irokko[.]ddns[.]net"}], "file": [{"path": "%AppData%\\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\\run.dat"}, {"path": "%ProgramFiles% (x86)\\AGP Manager\\agpmgr.exe"}, {"path": "%ProgramFiles%\\SCSI Host\\scsihost.exe"}, {"path": "%LocalAppData%\\Temp\\Feodor3.exe"}, {"path": "%TEMP%\\Feodor3.exe"}], "ip": [{"ip": "185[.]244[.]30[.]121"}], "mutex": [], "registry": [{"key": "\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN", "value_name": "AGP Manager"}, {"key": "\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN", "value_name": "Fremmanende"}]}}, "Win.Ransomware.Generickdz-6832954-0": {"category": "Ransomware", "coverage": {"AMP": true, "CWS": true, "Cloudlock": false, "Email Security": true, "Network Security": true, "Threat Grid": true, "Umbrella": true, "WSA": true}, "description": "Win.Ransomware.Generickdz is often a generic detection name for a Windows trojan. This particular signature detects malware in the Ursnif family. 
Ursnif is used to steal sensitive information from an infected host and can also act as a malware downloader.", "hashes": ["00da836f3848a2df7d8b9d6eb4c02bd5a03cc618aac562c2d6dd3b000d6aba75", "011c084738878e7bc038ed2f56cd820e072f54f1994fa0efb1d03805f3ec575d", "015dd851a0aee35e6e46c47ee65d8e814dff7988c8a999db760d0c5cf2f184de", "01beb8642155e53e609f923f8488b02d2761e5579a4b5bf5f988fd4aa50c1a56", "0b84d79be2f1135333aa13494a2df0d661e6aa8b500dfc23e436e0a99c8cd957", "12afbc7f9292813c600ed57da2a9705626c01f9ed4ca5bf5703b92045e9f3204", "21536e8026154ef4ab6d872aab046c413fb5da2909fac4d88d8a38bdc7d037d2", "36b3e5325ec7bc85a8bafc3ffb07854a1bb838fa729841e9e03c0e1901d4a813", "3daa666719e5430dba3f6a47e9a4a56899a06fe10502956d9ed2a51e40d24d86", "467ab756dc72eb56d4024f8c67afbb344178edff2c421750763b031ed9ab564d", "4cc1114ed779f88b626e6b07a51069a218885af13583398e013851ebd3892fcf", "4f0eaf1066c3760577d973b8b431ba44598364db1839e30657f72678f5d06e74", "52804b826910bed6b531fb32523de464206ce8114d3401e96e96d630508452db", "5405a79fb980bb79fc2a827439a941de486f4fbf4d380e8f488aef4111599572", "569043f311f56553c92984b02c03cb7108c8a2eac5b193e66fce65973245dcf1", "56bfb16f5287bf176196a0302dc14658fc3519a4c3cd666d2289be11d72830a3", "56fd6905f84e32018f96409810d62e21c7e423f905aa09b17b7f3aa2e228b42c", "5dacf2bf6b83d7cfb4bb90abf0c16ba2c05f04904eb7a3ecfb04ee2ada5d6154", "5fc956f1e8bb17ffb59b78a23795442e91fb843b9de86f34c849988e0f5c9a74", "66f7bede6d972cdd883a74643bf4e7e2e29e35680f74ba7736863276dd95d5dd", "6938484ee56153097948d56f62d2a7f9251295b3c52b171d3f8366564c1ff985", "6edbcdf33c2a6fb29360fc61fbbddf384fb974de8d4d1dc827b113fd1b6383aa", "6f9ffb03fcc68a30c4bd3326e39d598c8b4fbf4e2c7569e1aab032f48900415a", "70cf8a8f77b550ee351934ca3fd506b1c00522cb268a19a9a0fc2e2d266665a2", "7325117939e856c87d9cb980a90be1f876765b992eb743c3813d93efcc422923", "7e33c95e704926b62db51bfc68ca82ce5cace59728d9bda8e03e841a9bde84cb", "80c32a1f6b866814d486b5153775f06354854bffd6380c6bc8b1e00d7082a955", 
"849a7e743b99ca24eabc8f269a8af2ba65a704dd65b76b6abcedf9d89a9a1e68", "85eef79bdf21b33ee2cb4f6b5bf956a2e7fe79c5bf8b4797b3d889ff74f6ebed", "87f4709b357a0017bdc34baf1684bc50e7beda06d18abb1e1d18130d5f8e018c", "8a86e8c9185d360fd92256d33d81d1df995d15d334832404dd3de0f6f34e44fb", "9103ddb1bb3b8b39c465ac54b34fa918f4771f5fa8417bccd42651f9dedb91d7", "98cc82961f48fbb11c293996acad10f645b2ec987b0d73c22b734e1cd18beb4b", "98eb0373f06fd122443aa6a818d75358da4e78cdf7f9404f2e2ce7b500f55983", "9ca43ed215539437e34d3451f1f6bd450553b1a43a4eb04e70c70985ef1a4152", "a31066fc58670d7a92df87cc2dfadc51cf8bdf1a013b62c0548bfd16941d2b94", "af556fae644888732fba705efbc30c2628b89b6c05247213e34b2c94cfc49d14", "b50246cbe719e9a48e6bb3b8746016c930a5278c577d03a30e68c1fc71dfce71", "ca6c04eb27bb9142e20c8947782402d95f4cfdb5d449c77ad35f668427d21121", "cdb8c56ffcc5f94ae0a340cbfffd5e75a568bbcde2fd293a714b6a289caea0dd", "d2ebe4abad7590dbff8b0d8bebc723a67e2ccbaba7c8ccad20505ad55210ddcc", "d404ab46fca9c9aad8abe7cd25a0a9499a7f6bdfd5f79c8074c2c1f7efc68eae", "d6f070d16941625645d16453474569da68dd7bc3552cb47f6c8f3af73eb97844", "da55cbde6e582a4e4daf671bf586bc7ed29c2b797d06b9f15dc06ccaf7ecb9e2", "da5e4094685ff29b45571ed16d6495c5531e697e2a53eb567afc0795f32d7775", "e293f8192e6971fe3c7456aa913bf9c01ade99a321941bcfbb03d830577db14b", "e8813c81fb20620940399e916324991b71dcab24eb8e58ac783ebafbaadddbb6", "eec483d910c6d004fb21113b41569e1ac3fe222099119b8cae12cc2d4fa9eebd", "f058f37437a3d8c9178d302d39ae2ec080f3938bc562d759cb75441174192d33", "fcd2cfd04c12772f5ce96e639d1e24047f5a932e8aa88c22521c39735e1e5306"], "iocs": {"domain": [{"host": "groupcreatedt[.]at"}], "file": [{"path": "%AppData%\\Microsoft\\Dmlogpui"}, {"path": "%AppData%\\Microsoft\\Dmlogpui\\datat3hc.exe"}, {"path": "%LocalAppData%\\Temp\\F74\\7BA.bat"}], "ip": [{"ip": "87[.]106[.]18[.]141"}, {"ip": "72[.]52[.]91[.]14"}], "mutex": [], "registry": [{"key": "\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN", "value_name": "api-PQEC"}]}}, "info": {"origin": "Cisco Talos 
Intelligence Group", "publication_date": "2019-02-01T14:00:35+00:00", "version": "1.0", "warning": "As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.", "signatures": ["Win.Malware.Ircbot-6832631-0", "Win.Malware.Mikey-6832636-0", "Win.Ransomware.Generickdz-6832954-0", "Win.Malware.Nymaim-6832988-0", "Win.Malware.Razy-6836342-0", "Txt.Dropper.Sload-6835718-0"]}