{"Doc.Malware.Emotet-6866090-1": {"category": "Malware", "coverage": {"AMP": true, "CWS": true, "Cloudlock": false, "Email Security": true, "Network Security": true, "Threat Grid": true, "Umbrella": true, "WSA": true}, "description": "Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a wide variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails.", "hashes": ["26bda8a7e04a3b4ba47ff57f776cb65b0ed11870bc5fa65b33353c53ab718566", "363371e71bfd3a0f6e8e0ffe1017918d65d5afe7ce1c6d7ea26f5604b26144ce", "3a162a09d1f8a4ee0248d72a60ff0ddbc2cef8084c3d2aed1cfb73192f628d42", "3d48920206c69924bd3c388e2d7a48845e48ba6a525f06ae466db235deaa6832", "415eda47173d571207d420861a66ea7419cea30d59a901f716354c8167c8373b", "4c70e7e49082dc78f27ac863bfaf671ce823ed43575d608e309cb6e839f093ce", "6055cf5b67690819f88a3a96685386afd8819377dd31454fab559809fc9ef6eb", "949bd24349829221977de531f8a1dc80d401bf5e0a8fc69a1b386261b474ee43", "9fa9d852c7f7a94a022347e7bf2325d41032163fb7ec61d362bfeb94a0ed9ee8", "ba0b908255f68bff48e58cc7d2ac0caa55e369b7a282fce5b9d58ae1df34b681", "bd1f913c5ceaf2042070666fba37fa0a8108f1e82ac19e516a7f74e9d5da5ea8", "cb83759cf47a4b6e44e5afcf6f85f64b475a6f4bbcd0bff82b31b45f048a64c9", "d523914940ef79338eeba96e8befae59574d1552f13ddff5c41500bf43d9192d", "db0478556a516ed5d8508f165251efd10fd3e68c84fda7d720730f6409af61b8", "e881930c362396744a2338740d28ac26377cf19c33b460cdac987fcb1255f804"], "iocs": {"domain": [{"host": "lenkinabasta[.]com"}], "file": [{"path": "%UserProfile%\\880.exe"}, {"path": "%WinDir%\\SysWOW64\\d1Ltzcv.exe"}, {"path": "%LocalAppData%\\Temp\\CVR3F73.tmp"}, {"path": "%LocalAppData%\\Temp\\ysrbsuxx.yb3.ps1"}, {"path": "%LocalAppData%\\Temp\\zh5htpos.q5s.psm1"}], "ip": [{"ip": "212[.]83[.]51[.]248"}, {"ip": "159[.]65[.]186[.]223"}, {"ip": "74[.]59[.]106[.]11"}], "mutex": [], "registry": [{"key": 
"\\SYSTEM\\CONTROLSET001\\SERVICES\\startedturned", "value_name": null}, {"key": "\\SYSTEM\\CONTROLSET001\\SERVICES\\STARTEDTURNED", "value_name": "Start"}, {"key": "\\SYSTEM\\CONTROLSET001\\SERVICES\\STARTEDTURNED", "value_name": "ImagePath"}]}}, "Win.Malware.Bladabindi-6872031-8": {"category": "Malware", "coverage": {"AMP": true, "CWS": true, "Cloudlock": false, "Email Security": true, "Network Security": true, "Threat Grid": true, "Umbrella": false, "WSA": true}, "description": "njRAT, also known as Bladabindi, is a remote access trojan (RAT) that allows attackers to execute commands on the infected host, log keystrokes and remotely turn on the victim's webcam and microphone. njRAT was developed by the Sparclyheason group. Some of the largest attacks using this malware date back to 2014.", "hashes": ["00c1545a8341307c8fbfbe10315ddd6742ff0a7471e959a25569456e901e3b64", "0c828e0e7c690afcf42c619562baf06eb2054fb2a76528c6e3d6374e6deee1b7", "17dc39add1ec5e7823521ef2b19f5a38525a20fd8af022f3f984b9b2c52fabcd", "23be58294c82887a32eddf964f9aa636092ab0199bbeebbc01027dac24ac741d", "2ee7564a6f0efbeb49e5e18a9bc922c9dee4b6a9825b442eab6c24b1e5c178d8", "36ac1e4bdb49d9a8e344daedded3f7135e5529b9170448ac640ad9887ec7cc3c", "3c49af04461bcf44feff0a1476d4c2aa0e8727589c5bcdd94ff61801dc606cd2", "3e6dc73e416087dff822e7b1155dacd150f8f55e522a0ea2c669ffb070b7349b", "4011bacd5f28a2ea3d6f5cb8aa6f903a11d724de952efb43fec2c4dc6290b1c0", "56f7759b5a937d04cc3b52b4776002621b1cbb4cca2a8c03e9a663dd0685bddc", "5710aca5b05ba6e9936dbbb64f09f634bd0d7aabafa805bc1e898af204bc842e", "5a8894812ad5ffb8786ece426c56316907d57cf690991eaf1f36ba31abcd8f1d", "5ef1459ea87c9092b343f92cae360bdde926b0d160e46fa0202bb2575d4bb16b", "6440a66af66551ca6997993e14acca0c00cf7d608b189e62ce9621cf66db371f", "64dba074080613d0d1950f4edda64830a5aa5c94dc4170de00b90470b925fcdc", "673f48756e3692c5bb50c1e4b73973eace36e1b4e1f23925864d570508efd1ab", "aa491525b45991154405aa5382b354494d69d24130bc61c96f02b2b13598d2e7", 
"b44fa6d7da5bc0dccd76440f17ed79b0accd7229f7f380ebfad498ef4bab71de", "e0bec776e2059e85dbae9ccead0ad5404f7ff1be4e44fec99fc1905ea9d82dd5", "fbe3e1d761cc96909caa72abc3443dd15236adb17091abdac00fde2044554496"], "iocs": {"domain": [{"host": "aaasssddd[.]ddns[.]net"}], "file": [{"path": "%AppData%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\5489098719807719809090807918.exe"}, {"path": "%LocalAppData%\\Temp\\rat.exe"}, {"path": "%AppData%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\76cbed672042da4827cdb3dabad9650b.exe"}, {"path": "%SystemDrive%\\Documents and Settings\\Administrator\\Start Menu\\Programs\\Startup\\5489098719807719809090807918.exe"}], "ip": [{"ip": "75[.]115[.]14[.]18"}], "mutex": [], "registry": [{"key": "\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN", "value_name": "internat.exe"}, {"key": "\\System\\CurrentControlSet\\Services\\NapAgent\\Shas", "value_name": null}, {"key": "\\System\\CurrentControlSet\\Services\\NapAgent\\Qecs", "value_name": null}, {"key": "\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StartPage2", "value_name": null}, {"key": "\\System\\CurrentControlSet\\Services\\NapAgent\\LocalConfig", "value_name": null}, {"key": "\\SYSTEM\\CONTROLSET001\\SERVICES\\NAPAGENT\\LOCALCONFIG\\Enroll\\HcsGroups", "value_name": null}, {"key": "\\SYSTEM\\CONTROLSET001\\SERVICES\\NAPAGENT\\LOCALCONFIG\\UI", "value_name": null}, {"key": "\\Software\\76cbed672042da4827cdb3dabad9650b", "value_name": null}, {"key": "\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN", "value_name": "76cbed672042da4827cdb3dabad9650b"}, {"key": "\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN", "value_name": "76cbed672042da4827cdb3dabad9650b"}]}}, "Win.Malware.Ekstak-6871246-0": {"category": "Malware", "coverage": {"AMP": true, "CWS": true, "Cloudlock": false, "Email Security": true, "Network Security": true, "Threat Grid": true, "Umbrella": false, "WSA": true}, "description": "This malware persists with SYSTEM privileges by 
installing itself as a new service called \"localNETService.\"", "hashes": ["02aebb6edf1d2ae7df3d9adca31b397c9032b6e0844a2796e0028b17c19cf345", "055f622eae00bf5cbe062b706bbf55ff4b4d9ac0ae4ac91b0552d2b32f4ccb05", "220a6e183611bd6730eeb2cfdd4536eca6829283566e2c0d5c410adc6552a058", "387a3f8e33297a952ab2b93dd4f6c0a97fe797e18ead0c9cf050f0918758d1dc", "3bd06213aae4214b81d1dd83d8d456a593122584708b86980e02f3f2e0472710", "3bd551b75a97dda9d0aa66d9ae24fbee3e0d4dcae0b4a4aa98be994a4ec59d9f", "5d6ce39c286eca1777a5e5bd93bd52e76ce042d0249db6ca32648611d30a5b2d", "6073475e3a8bd7eba6a13f771a51245c929e49e40afe97c0eccf3887df18826d", "63806671769e485496408fd6c1c4e845ef35087c74b02fb104dc06a52b90d636", "6f0702d5a7a8a07c0f27da9850c0953634577bbfef272016d26795c40b1e95c7", "7372e040d1d26c864f261ac7df8c7a509594c3efce26e03c3e14389e55c526bf", "81376a8e386940982bd552e0be5fd0cbfffb9ae39bbb97280e7f6096fc4a7af1", "81cc82b599e1cc44fd7dde9366315886f5a1c40e7cae7f4edbbcb2dd104a69e9", "825b8e7b877bacf8d24afe1e1082eff72e43633b3a411104d624d0b66e3f8dce", "9fbe12ce5275b09a48bd1efdd6208b7ffae37878febf82fd1805db49212578e1", "a24a1a691d04ff091d2b99970d40108726c188224dc4503b1e3a7f9a22df4ebb", "a295919ff4794ccccaf3750a5540476e6868766512d13db1a859bb64b4af59db", "b4ac2fb4da484e90e08e20db2270de2f15d6684e614d239abe2586896076a7f1", "b52449f5249e1937b6130149f59e6771605a0e64635d151ce8e2f5819c99d93c", "b5cb0d3df17907248b6d84a57279b26fa39c123c4a240b1507ae7b8233f2ec0d", "b9b0fea1d1dbc027dd27c1b4d07d5411a35cc60d43ed137d00a958a34292f4bb", "c48fbacb48492d59dac5fd7d2e9d8474e7282ca84d2605b23794e49f15229693", "c7974f414e32a93836f9e3a710251a23c4163a89cb2967bc99010c080034d9e3", "cc4bd522847f7673dcfdc37b7e330b470eacf5e9a47bd0f6d466267f5b152e3e", "d98eb303771aed9508601074db1e05dedeb028d1c09aa7313b0b15eff40f7eb7", "df459910d2065381d7ec1a51e3b1eed39da94aea66cb4e7b7a9333aedb4aa1ed", "f33e2833d7f1ee24ec4044c6617dc8475c0273487d1af23df6da8caccb60e567", "f3a8885c5181e26a6fbb292f6df2083df6d4ac83f5164260cdf6fb5d2fc6202c"], "iocs": {"domain": 
[], "file": [{"path": "%AllUsersProfile%\\localNETService\\localNETService.exe"}, {"path": "%LocalAppData%\\Temp\\tsc131118.dat"}], "ip": [{"ip": "216[.]218[.]206[.]69"}], "mutex": [], "registry": [{"key": "\\SYSTEM\\CONTROLSET001\\SERVICES\\localNETService", "value_name": null}, {"key": "\\SYSTEM\\CONTROLSET001\\SERVICES\\LOCALNETSERVICE", "value_name": "Start"}, {"key": "\\SYSTEM\\CONTROLSET001\\SERVICES\\LOCALNETSERVICE", "value_name": "ImagePath"}, {"key": "\\SOFTWARE\\WOW6432NODE\\LOCALNETSERVICE", "value_name": "Value_42632"}]}}, "Win.Malware.Vbtrojan-6871444-0": {"category": "Malware", "coverage": {"AMP": true, "CWS": true, "Cloudlock": false, "Email Security": true, "Network Security": false, "Threat Grid": true, "Umbrella": false, "WSA": false}, "description": "This is a malicious tool used to exploit Visual Basic 5. ", "hashes": ["050f57560e1691e7b09ccd86e92ec1c2c4ac361ba09862697ad908d6dfa93090", "2d2358fa90431448800c75dce6080b7c6132fcb574a3a0ef7eff8d6d90808ec7", "38eb2684819f7ae15b5b66bfabf0a123ff7af22dca1f014d52e8de8f88011cc6", "39ef144fefb739ea1ff1582e9c3da0f42566855c6769f9ed4c2d7f9427edf717", "4113c20eefdb7e002a631e2216e26b80c654f3e77f80908049176ccc7c105db3", "707c28b3f66d708609d8f31b506dade16aad80b157582abbcb90aa1352513160", "78bb2e2c086a0252e83307667178ed3e5d64a73dfcef3b82b05f4c64e4496009", "7b670e0cfa7367552b892ff42a79c2a79f80d91511f6a34f01dc1250ffe2a538", "7da38b9e6dbe8e58d688fe1488505275d54749bf063cf35cba4b151f0bfab0c7", "9ea4fceafec0c30c58c33314c97a17084681cfc0caeeec45eead64d3a94f2ba7", "a82ae00d8c84291c08a8edf86a8ca60bdca351ad94dd06135414636312b64809", "cfdea8ab0d2f4b82bf9d103b053b8a10eb456bd7e7896f29bed3d1f3649d2001", "dae4d4b71a86a15defa8f63fe3ef28e11436069d6869092b3b23fd0f95f465dd", "e3bd392d634b990676115698db9344201480c0cf6fd27bfaa6247f0728d41625", "e698f2b3d4b2d0b9544592ae05270bedfdedbdd01d356cb6bab740791f5b0263", "f0c556af8fab1d03cdd7592d0dfd999233555a0e7622b54c5f2cab6fae2d95da"], "iocs": {"domain": [], "file": [{"path": 
"%LocalAppData%\\Temp\\Ahk2Exe.tmp"}, {"path": "%LocalAppData%\\Temp\\AutoHotkeySC.bin"}, {"path": "%LocalAppData%\\Temp\\dnfahk.tmp"}, {"path": "%LocalAppData%\\Temp\\upx.exe"}, {"path": "%SystemDrive%\\ReadMe.txt"}, {"path": "%SystemDrive%\\SetInterval.bat"}, {"path": "%SystemDrive%\\keyboard.reg"}], "ip": [], "mutex": [], "registry": []}}, "Win.Trojan.Bifrost-6871028-0": {"category": "Trojan", "coverage": {"AMP": true, "CWS": true, "Cloudlock": false, "Email Security": true, "Network Security": true, "Threat Grid": true, "Umbrella": true, "WSA": true}, "description": "Bifrost is a backdoor with more than 10 variants. Bifrost uses the typical server, server builder, and client backdoor program configuration to allow a remote attacker, who uses the client, to execute arbitrary code on the compromised machine. Bifrost contains standard RAT features including a file manager, screen capture utility, keylogging, video recording, microphone and camera monitoring, and a process manager. In order to mark its presence in the system, Bifrost uses a mutex that may be named \"Bif1234,\" or \"Tr0gBot.\"", "hashes": ["0040b9166f09670f4c3b16d247f4fbfae7aa5e989407dcf5237f05594c4c150e", "0082f04583eabadaa51f3f4a91c82d363eef5f553973765aacc58462c9b83525", "0ea44f69cdee613bd907dc2e4c97fc942d2f4807f28f69914514d1737709f223", "1eb3fb26576b32630aaf3f1ae2b81140e083639608a5ff4b695ee7805a70a87a", "2225b77359e3ad87306d38a22713167c33846488d0b091fe1a6890b3b6560979", "230afd73943ecb538ed51a50fda07b4ba0e37ee805dab7e263e2623a2dbb4dd9", "27d6fd04978ac887712c25756e03b14152bcc3a0649307c4d0e6fe491b68a41e", "2bbd0c136832d5e091ecae568a017e04ab6f3757e5e1a376c4700a4117e1b94e", "31ff3f68aa25f1200040f390297a044ab8d313ff9b1f377e23d016267d092fca", "4cf558585a8bef563e37238f9459092c627538e2fadb99ac1dbe9f22b63eb346", "4cfa43c370fc0a19826f19f48f60a3abba75ee4811c6df4d0313d0f0c3274f58", "50eba44b2ee65fc0c95539b3197a10ccafca91df34717b0f48f60553f6d694ee", 
"59c8baa550d491782d9b3899c2252fc8d71971b2c399a807f81b1917a4e31c65", "5e62499136f6391316d72edb7924744f2bc289776308c89a4b3a1a0d3ae081c1", "64ddbc85e24f4acf10ca1945110b16e2b7f0d53f68be8ca711b025ae4561dade", "6e5a78dc6bc5435005e4b5134d41d2469d76101e561e84dc23ce8bbf80e937d5", "778d3552da4d5b5d5586962b6f0d092c2f0b5c029ed514c13ad4f39847f771cb", "77b9574204c60ee0eb588ae3afbdf14912634fce0aefca81ffd0822c48f3468d", "82858882f23741cd930cff314994761b135b06d8d04cc8be09fa54567dcb94f8", "837301f97cdc69d729ab753bf6f284a988c0ff6793fe89924e3f360f467d0fba", "872f04d1d11643a224e8535e71139b3074aa4f98c157ade42da7c74dda4208f2", "875b76f081746c6299421dad1963ff5f212b43b0bb6217fe6681465e06a5d2b8", "8d72e7115a4564541d30649d2f3203306cccab27c543d58ba6267b4752c4528f", "914a3fb08cce05e93bfd8b2e41a8202341d8b7857f73b692190477a2bd0a1797", "9917d5deaa1b02d329454f1e08e548f750d3f0b09a0f38d55e6c94f84243ab4d", "aba2ee22ee4861ec4e1f17b63c9d9f3abfc2c39caa7a5e198c9b7cd69f418db2", "b25c0ebc95d4aecb7974d19412e611d2eebb103cc7e1ee67eec9e8b7567fb4b1", "c6c730f210ace4cb8f4217cf439b50a2c5286f1957558f3cb69d9a11b8386e82", "d2877b3f725dfd902d2ddd32318ddf135bba4c6006f6eda62d9e1341df0c9a3a", "db5edebeb039040857ad8b22177ed82a0679ecf6bc5f1700fbfeec041cfc88b4", "dd7873b0904997540a19879c25b12dad4f6e067577538c9ea47668e29dfc9dab", "f0e9a62db2577f32e07bf88feefd64920bd5531eda7a2bed00b694ae544da2b8", "f582d941986990812f40fafba74eec2e86f33fa564dcaa3e85a09ecf2cd1f66b", "fcdb974d14407066705914028f419cc62cc33f44ff7bba1dc304635f76feff70"], "iocs": {"domain": [{"host": "xyinyb[.]com"}, {"host": "rfyeoc[.]com"}, {"host": "owiueu[.]com"}, {"host": "paredx[.]com"}, {"host": "qlotay[.]com"}, {"host": "vlocie[.]com"}, {"host": "wbrthv[.]com"}, {"host": "pozswe[.]com"}, {"host": "kucqey[.]com"}, {"host": "tnsamu[.]com"}, {"host": "pydquj[.]com"}, {"host": "lbeewo[.]com"}, {"host": "pkoitz[.]com"}, {"host": "ufhspo[.]com"}, {"host": "qyevsy[.]com"}, {"host": "qsayev[.]com"}, {"host": "yvmoie[.]com"}, {"host": "lybcri[.]com"}, {"host": 
"ypauhr[.]com"}, {"host": "qdhoas[.]com"}], "file": [{"path": "%System32%\\drivers\\etc\\hosts"}, {"path": "%ProgramFiles%\\Bifrost\\server.exe"}], "ip": [{"ip": "148[.]81[.]111[.]121"}, {"ip": "204[.]95[.]99[.]100"}], "mutex": [{"name": null}], "registry": [{"key": "\\SOFTWARE\\Bifrost", "value_name": null}, {"key": "\\Software\\Bifrost", "value_name": null}]}}, "Win.Trojan.Zbot-6871232-0": {"category": "Trojan", "coverage": {"AMP": true, "CWS": true, "Cloudlock": false, "Email Security": true, "Network Security": true, "Threat Grid": true, "Umbrella": true, "WSA": true}, "description": "Zbot, also known as Zeus, is trojan that steals information such as banking credentials using a variety of methods, including key-logging and form-grabbing.", "hashes": ["21a58e23e14143301c847d9f6151d024a8f38db8922e2797b2548a9b1e6b9b47", "2531e7bbc454b8b643c5f21fbd7ed88c71aed73dc3a4fcf20815092eefeefbe7", "2c8c8e0b5b378425b6a5d2ccff3e2274230734ffe419970a49c87c26d8d41047", "399dad77516c27f0b2f5a36605a5fa25aff0e6a0ec66feae6854838336ee8b0d", "3f32cdf15d079fe250d8b42a5abd58d1ff3012599f8478b074dd096bb25b537f", "48d0fd82b8625c9c789284fc23cd0ee9cb9bb3ef96728c61de4a25ce7d6fc21c", "5827e6c1a8a5ca100482c127b7c0402788ca4d870057eed2af089bc9d858bfb2", "5c46b61ca41c03433e5ab3f156116e312cda1b50079189af82f1df8721e3a73b", "739b9fec48a683f39fd924a24eaa0dcde0207cac1bcad4463223ff731f007ad3", "9f3129449f2ece4a84ddef0b071d9721945db8fa93bb06ac6bdb3b7f0388c35c", "abc68f3b8db8e6a50c56605c2f7fb153717a7c7f96a905b527059182fbdb8688", "bde83f62cdf8f9565146e44b2796c35368f81b9a38fed73670879cff44bc2956"], "iocs": {"domain": [{"host": "macrshops[.]eu"}], "file": [{"path": "%LocalAppData%\\Temp\\tmpa9735385.bat"}, {"path": "%AppData%\\Icda"}, {"path": "%AppData%\\Icda\\ehday.exe"}, {"path": "%AppData%\\Vyarqe\\erezu.loe"}, {"path": "%SystemDrive%\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\tmp2ad79550.bat"}, {"path": "%AppData%\\Kyba\\ryisl.ubo"}, {"path": "%AppData%\\Leve\\yhqy.exe"}], "ip": [{"ip": 
"23[.]253[.]126[.]58"}, {"ip": "104[.]239[.]157[.]210"}, {"ip": "104[.]239[.]157[.]210"}], "mutex": [], "registry": [{"key": "\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN", "value_name": "internat.exe"}, {"key": "\\Software\\Microsoft\\Internet Explorer\\PhishingFilter", "value_name": null}, {"key": "\\SOFTWARE\\MICROSOFT\\Qaygra", "value_name": null}, {"key": "\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "value_name": null}, {"key": "\\Software\\Microsoft\\Nabu", "value_name": null}]}}, "info": {"origin": "Cisco Talos Intelligence Group", "publication_date": "2019-03-01T15:20:19+00:00", "version": "1.0", "warning": "As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net."}, "signatures": ["Win.Malware.Bladabindi-6872031-8", "Win.Malware.Vbtrojan-6871444-0", "Win.Malware.Ekstak-6871246-0", "Win.Trojan.Zbot-6871232-0", "Win.Trojan.Bifrost-6871028-0", "Doc.Malware.Emotet-6866090-1"]}