{"Doc.Downloader.Emotet-6878774-0": {"category": "Downloader", "coverage": {"AMP": true, "CWS": true, "Cloudlock": false, "Email Security": true, "Network Security": true, "Threat Grid": true, "Umbrella": true, "WSA": true}, "description": "Doc.Downloader.Emotet-6878774-0 is a well-known malicious downloader that typically spreads through email in the form of Microsoft Word documents, inviting the user to open the attachment, who will immediately get infected.", "hashes": ["066067b7ec8e80d50dec982621fbf4d86455579cab94bd64b02432c428bd73d9", "10ea8d3f3774af7b633330967a59a627987838ac13e50c3e4c6711bb9b75a895", "16fbd149fac4b9752d3d46f33816290ca20c773126a5d1a1cea288be26dcac69", "1e01cbc306d3d9bdd6427a6f6b52254494d83834afb303e2d21002ce1914101f", "40c8e5f3d6bb0657bce0d33e051e51a65339ab1e2a3015212f3702300ca61cf2", "412e5c8db88dab089a382c65355113c6da5b0b73aaba6ed6d29f766b2760da94", "45dd6ac76208435485be2e7bef2a3010cf391957c26f7f5cd13e4fe9ca55f927", "552adc75f4c3823ca4675ab3575731cc4eb8852a5975c96ce3e2bbb91a4af17a", "5b228ced9eec659cd9a80d699de841b5d8795c65171d11645e7657634545ed81", "616be0502a52a886d21aaaa1ffa465f08a0f21438d4c1d1b3f7810ed18a08b1a", "660e3165c571fab20b0c9d84dc8a9a87fc3122398ae270f0c695dc43f9b80b7b", "780b00aa4c06d2fa34f341dfe5fbda0d8d2ba540611df7f64c14877f373c171c", "7a3acb173ade4c4d0ac50dbad5ae6026af38ffe41d70081657ae42bdf6699b78", "7ea7598c83b94cb1b182ca41e2b1c6efef44aab17d96b40679ae3cbe6bb0407e", "7fb8815000d87512f061582dfa593f46a145c5474b9064247db5e6b781e827c6", "87267fdcf9ec4ec89d628719fe827a691741cb84136648460f84addc8c7333a2", "a206c65013710ca24bb5d6ec59b1f20ce28c0150b6bd76305a799114f5025817", "a44c48bfe41a7f38f858648fcafc59d68e09ce8e9255599e295d2a0f4ed0d5e3", "a7b9578f2e9fffdd97f7447ba20f2d28c141c54a0ff632b03ea477366429ceb5", "d125c268e5c9b296eff7ae98765c5c0d265cf5f3c9b0deaa5da25ef88d1bf052", "d524721a950892a07d062f2f91bac09dffcede0d49d9b6a15b671595db5c7674", "e05029e0c119d3dbf3258e13cfa66f33ee40a3eb6794d7f9068438c630d27d9e", "f4e6790b4118be870f4eba69596e576c8fe0c34b168115aa9a53027071f03f26"], "iocs": {"domain": [{"host": "www[.]litespeedtech[.]com"}, {"host": "www[.]hostloco[.]de"}, {"host": "hbmonte[.]com"}, {"host": "www[.]hostloco[.]com"}, {"host": "uka[.]me"}, {"host": "woelf[.]in"}, {"host": "erdemleryapimarket[.]com"}, {"host": "gtechuae[.]com"}, {"host": "beatport[.]com"}, {"host": "qantumthemes[.]xyz"}], "file": [{"path": "%AppData%\\Microsoft\\Word\\STARTUP"}, {"path": "%UserProfile%\\Documents\\20190305"}, {"path": "%LocalAppData%\\Temp\\903.exe"}, {"path": "%LocalAppData%\\Temp\\3miksw05.0qe.psm1"}], "ip": [{"ip": "94[.]73[.]149[.]212"}, {"ip": "68[.]66[.]194[.]12"}, {"ip": "195[.]34[.]83[.]119"}, {"ip": "98[.]129[.]229[.]92"}], "mutex": [], "registry": []}}, "Win.Malware.Autoit-6877140-0": {"category": "Malware", "coverage": {"AMP": true, "CWS": true, "Cloudlock": false, "Email Security": true, "Network Security": true, "Threat Grid": true, "Umbrella": true, "WSA": true}, "description": "Win.Malware.Autoit-6877140-0 is a family leveraging the well-known AutoIT automation tool, widely used by system administrators. It exposes a rich scripting language that allows to write fully functional malicious software. This family will install itself on the system and contact a C2 server to receive additional instructions.", "hashes": ["028914f9d3455b44d9186d218874047530a367cb1d20cbc7d9b047a42faf1774", "08c763e2c405884b9e98df0fe8c80bcf3f0849157f0d020aad12fcb2bbdd10c6", "1fcf1fb9d7966fcfe07687dabf59a358231d8807913660126c1fc1e0f733e7c8", "31cd978c76fd90716b57c0a9c64d1e170adc8eef42a974fce554aad542cf803e", "3607f653f4862019697f88de566a47309a6f9ff4aea4455f9d49645c698a64a8", "49a9be560e0323a6bb7c551d9b459d37f06a7712e36017f5a84e68bfd7582300", "5ee731f5f85627056e82ad1c53b7f3e1a407e993e863b6921d974c351af67d40", "6ed44d029afc8c32ce4cad58a917ac4738eeba149f3b9afb56118b8a936a1182", "770d42c268eb3b05de83bb3880748626e07e7d753689f85bcc64e09fc71a8ba7", "79c528ad5b9b65028be90bbc555664dbdb45503b11311f0f81fe462c799fe80c", "7dfd2b5bdacffb4dda87fbd8c98c7ccabbca64899f2eb7e50dac7919af73d4f7", "7e37be325f4e6295d669342e11b3769e4872128379d800fafc6eb55055d403ef", "954623cda203d382113272d4481e849810953e5968b42ea24017d25d1d6fbb0c", "9644aa2b324ce9aedc0640a29a35dcf989785ba38d6ebcc59e666ce17d114866", "9c1c945c3ecd7dd5be0a39e299289e8161acdb77338a96f59c27864ca817fe97", "9f1f4ea064c03bdf669a92c8ff94cc8c26d04630b2e7541c60ee83b7a553b6f4", "a11f7486f33f69f874c5058081a9bdfb633660bae189c2f4cc6c3b175da2051b", "a7aa9d84152089ed6cb256dd9a9d7aae805d4b9638341b102dd154ede29908ab", "ca8a57aa5d7625b78fc6e9aa0e795a6961141713c724b4f24cb12b3843a4e253", "cf3fb472560517500c7c311dbcd838ad690b0aca82778f88a8713c5768390632", "d00dfbf02c16ff7e320702eaa41f8551084a1fcdbf2266da101df7b0ea4d4787", "df7de7d21eb8c02e986a390b2f041b9c2296615ce23248139a7487e50a5a3bc7", "eee4d211bbffe896f0de21854cb5adac6e10c85016986efd260b45c7022d7521", "f79811d575ad411ea5196a8c46e7677571b6b85557fd8cb59e784241b3b9f006", "fa2aedf34c6b24c5cff46aab216c2fa6785f8b8a67eed29ad2fe9a5248a01551"], "iocs": {"domain": [{"host": "kuangdl[.]com"}], "file": [{"path": "\\PC*\\MAILSLOT\\NET\\NETLOGON"}, {"path": "%AllUsersProfile%\\images.exe"}, {"path": "%UserProfile%\\bi\\UevAppMonitor.exe"}, {"path": "%LocalAppData%\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\SSZWDDXW\\upnp[1].exe"}, {"path": "%AppData%\\mjpkgqAFn.exe"}], "ip": [{"ip": "239[.]255[.]255[.]250"}, {"ip": "173[.]254[.]223[.]118"}, {"ip": "5[.]206[.]225[.]104"}], "mutex": [], "registry": [{"key": "<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN", "value_name": "Images"}, {"key": "<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS NT\\CurrentVersion", "value_name": null}]}}, "Win.Malware.Bypassuac-6876875-0": {"category": "Malware", "coverage": {"AMP": true, "CWS": true, "Cloudlock": false, "Email Security": true, "Network Security": true, "Threat Grid": true, "Umbrella": true, "WSA": true}, "description": "Win.Malware.Driverpack-6876568-0 leverages 7zip to install malware on the system in the form of an HTA file (HTML), which leverages javascript to perform malicious actions on the system.", "hashes": ["019df18c50002faa5704c94a01896f745677cdc643adc48ae9257031c539f7a6", "0eff6bd81b1bdc44924a5e662c3902c66b97a2542016574ace670edb135f7bc5", "108cedab59d537fca166fec822b22039a19dcdc700e17d9ef39949ca1d3063e6", "15c72f8cc77837cccede6e5f239bad225cd4abc65630470f779e8141d5e36987", "1e8caa9a82f5170227c8ddfbb8c8dda8a89e1d0ca4a8ce517b7214a30ceb5b75", "30f5055191f1b545cb56fb066b256238eea105343ca08a946e7e0b5644e5eb57", "3c389aec59d31f2801ac82ee5eb1c31f1ece8abbfad2e3010e5cbbbb9d51109c", "3faafbde8739f8900fdf4fec2a3be5d8c802ded73cea96e8e5d502a265ce9ed7", "5a3224c6a47f10ed893e44a22e52cf41713fd284966675d59d8ca38f926313d1", "5c382af6790fd2da04306edd283bce8cf84a7177417a33085e531043d9e381be", "6b42155af6114d7098e4078fcf3e39543c9c9f1fd19d8151812bfb3da9a9fb16", "791a4d46420633e62ad01fae3afe3078ec94c6714a242cee9fd6da688ff54b3d", "79e11a42cbabf436cab208e2bcf8026f8cd3a8cf6a37179b18248db3de5ee5ec", "7ab57ad3e74391934dcc5b47e2953a2061722c86bba878534a43fdc59dc84b3d", "7badc0500d9eed34ed2b1ed51fa5312aed4d64d145f7f019c8fc00f2674163df", "7bf1388b2c1d681687c57b55e60bfe32dae62f2c2f97a90e4c9c7385742f2a70", "7fc66452efaccea5892fb62ab8c98c543d6ee2bd4b8f3d90a315cb569b3fa176", "876ce89d537c1ef53ea7c8664208b93951e5a4069b09ce0a438955d70619bdc5", "916bacb16aebc630b7dada021467e71c4368ad72174e332d4ae00afebdcf66eb", "91b0f5e2ba392fae46a6ee0b19d7f54ae507619e698cab005ae69168af8b1015", "a93958ecd999fb16047e16c18412efa04cbf4bb2bd4fed0cda18dee4e244b8b3", "aa1c060f33a382cb9cbd6a6bec709242255f0923b3b0e644bd2762ed06625f74", "ab06d9f7f47870915f54101acbce0eb3d75995775c661a4d4547deb87d0d2661", "ba9fee32734436ab17269197b2ec2a48ca31f7bedbade06d6e79bd450e30fc81", "be96c668c75e1f119ef9ec9e7ead125f92171186f4d7dab78b96cf68afdea206", "c80d9bfd7a1eda1c502cf75d425462bdc2e703d1542426f0a7bac78944804a7b", "cd6968efce61f114cdaa8bc2c1b4ba757868cb5230ade191222971d1da97df72", "d4f6ccf82fc1eedbdba7c7f831b2e81a7a292f1d7bdb1db2eb4a536ed57eba18", "d728163ff39625716103f557741997c9e657780d3a5344663555a79615b7a449", "f2961d86b5740ce5ae074209772eadcac53c5d0145091a5b1e89d17db66a4f2c"], "iocs": {"domain": [{"host": "www[.]aieov[.]com"}, {"host": "5isohu[.]com"}], "file": [{"path": "%SystemDrive%\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\7ZipSfx.000\\bin\\Tools\\Icon.ico"}, {"path": "%SystemDrive%\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\7ZipSfx.000\\bin\\Tools\\patch.reg"}, {"path": "%SystemDrive%\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\7ZipSfx.000\\bin\\drp.js"}, {"path": "%SystemDrive%\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\7ZipSfx.000\\bin\\prepare.js"}, {"path": "%SystemDrive%\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\7ZipSfx.000\\bin\\run.hta"}], "ip": [{"ip": "104[.]200[.]23[.]95"}], "mutex": [{"name": null}, {"name": null}], "registry": [{"key": "<HKCU>\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings", "value_name": null}, {"key": "<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CurrentVersion", "value_name": null}, {"key": "<HKU>\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders", "value_name": null}]}}, "Win.Malware.Swisyn-6877070-0": {"category": "Malware", "coverage": {"AMP": true, "CWS": true, "Cloudlock": false, "Email Security": true, "Network Security": true, "Threat Grid": true, "Umbrella": true, "WSA": true}, "description": "Win.Virus.Virut-6876761-0 is a loader that installs malicious software on the system, including remote access tool functionality, allowing the controller to perform any malicious action.", "hashes": ["00c57f8196927287304a24ed0fa46bb3a0d4baacf3d038c8624f694f4a5ecd7b", "00f0b9de74ca71e3d907d210f60546daf2da9d244c4646c4f1786e21296e9018", "01b52b7c23101fdf1fbdd9ad88ff09be58d23300369d110f38cc68206c7bc58d", "06bcf9f07be68b12278e4bf3310fe363bf2fef278cdda49241639ededbc6db8d", "0c768e1a537daacfa5bb48d96266e0f915c5890a41bf22bef1953e786cc3288e", "0dc13444c42147f30aa664d5a2abe3cc06ea059f61e82ba96a5a68e2fa9bd7fa", "0de78cdba09c4eaa305b45c34d80bcec684a364ba84b0089d797186748a62c79", "10ece857bff115588a8dd3525fafe6f7e76760007cf5cab15c49cc256ed44cdd", "13b5799113f9c99a83cd22043bbb4c6dc4a853236ce1f7c5ffaace667f6afc88", "141aaea895d753aa8cf3ef7c0b28d8a03c3498094816ad9545a7da6a9cada2a1", "18d86d6520c9a934f50f87c8236621d177f1b2b553147f981cbb04eb49d0632d", "1c1f4ab2eaef44d8e3ff0b9a628b82917bf0e3b4fefb426ab29d1f4a455ab414", "1cdb7a0378f4e5a0765ae7691caacc2a37bd623e16ae07e3b6400829925e21a0", "1edc0bd44c9532ab3a94f7e61803f84108afbf85bf71d6a7885aee11ec128105", "2349dcb9470d7021bc0516adf76029755958a1abb1f08ddda221585e84ac3016", "26dd985057a470b7b2f90e3c9172df1b951f9e799ace94612a98103dcab3c5fe", "26f8ce54e73c28667ba5cba252771c4cf4e65e566eccb2bd715e5b12bcbb1d1e", "282e36c2dd1acf6c898e050e899bc7dbb0c339b16b7725f6ceae2787b43fb4df", "2932125cacb1c6c780b920d0fd77e70c6d15d712d752f0db8d66e78c849e0a59", "304a99a82faf7adf1db513b596a620ccfe1efbd91179571a1d48932c64b731dd", "3066c0a0cf18ffab76c9cf568201859dea7338e92eed466841f78325bfe13904", "31aed7d12c98ef33c1a6dccbc290cf55b0fe3f17c4bd48e88c314a3a65d40dda", "3692dc820821cb35f58a3d52b7365710a03eec44cd97e27e15a8f61847d55683", "377281d2dc1d2ac4fa6d625c2548b5d99f2836d587c3da0810a6d7a6a3f91f10", "38d7368e001a9e7f5fb08b02bf014577ce4705b0b3498ad564192c05dcbf9684", "3d460d24c2f985375ff5d7ebc4db167ca0e29af00b4b8a915df41038cdc4120a", "3d6a4575ac0157b7303bc7b4855760231d18a47f66a5d836ef5f3f704aa2c2df", "3d9aede5828c25b768b2357c62c1864db9bbe2f67b3f8f5d0025d4aee67828de", "3e67bd6079c762b304f494657d41efd6a34f83717642b82a31adad6dc07349d0", "4240bf03c14fe2a4755da37896bc5e79881d4661e50abdb17f21c67dd81f2653", "4810ecb2b18a94bc57914a6b58e2c8b4a7f7eefb4d1b8ff5080e08107d9979a9", "4911fb8ce798c687fd3d42cf9161e2e1e3dd13df0f76b0bea81cb2def3593ebd", "492c9a4c7f4b16a1c61820fbedd676ec7f81f15006e8a0fd245ac16dd5250cda", "495b5e00215d1f8d118658632a0bb095f0511b5f5530ae088de0f99e12d62ad6", "4a2f62101bd28d1f56c5cf104e237fd24a2a6aad877f36cfbc65ee177b933291", "4b89aca68989f3f5b377e9d677fa7a4d492a783538a15a4269a48f5512a3fc9a", "4cd3ce32bcb2535e5157aed76adbbf5d0b84dd4138e020dfa818afea43793cbf", "4d5348e040096644f3b4eba308ab0fd986273411846cb6b2ed1edcf728953c90", "4e56c6eb44e1592118c576c0ee5b262060748f3dbaa086cb5b68f076a898e26b", "511e6159952d35300685540f4a42ae403acffcb4c0c7aa06c1d3bcf59d41b1a4", "51a182762ff6ada6db8be48fbbbbecb5733e94f322f93a1e728758adb93b9483", "52c02e329aab2a3ec3b3a3149a3f5a85acbfafc95fe6809c996d299889c70ece", "5312c324d2d5e17c86f167b18316b5115e0f059d27dddf3035db5a7c9fc3126b", "55e9cc1c7c871b85bb3a2fcf95a862d37328e5376c4cef8c9a1ba2772264fdba", "56699eab702600d711d8970b84143405bcb59cbacc2e0c66a591fe61a85d014b", "59be55f75bd35a8d033de5083a6c07aa97a9b3b015056247d1e4cfa623e8a472", "5a361043cc0f493674a0c2be26bc6ffc2b09140088f41dabf2668438b4e0b4fc", "5c415938cdb6819da869c49a3583d045b14e008a17e1aa157065c0e61f7f07c3", "5c6e339962fb7195a96e351dbedc2be54f1418aeed4d7ff7d42838e2ef4036f5", "60c084cfec65719a91cf7e96ae881b1fb49d0e976efb88eaa3db7f755056a94a", "63b2f917ad9c3e19d9a9035c0cba009d2ed652c8d8107f8486662ee0437d94fb", "63f19c540e82f1c16b507120d2d43a799e21742cbf83d53b1a695ff2ce868dfa", "65a877f77127391e089d26828622a79a21d4824cdfd0e05069788eb1912b7ec2", "6775814615f009cf1e5f1b541a5023477854e6c052b2f3a323ac4048227ff518", "6c78eaf25f2779f4e26e169f82ecbb943d75ac2e167afd581f4fb7139d52f28d", "6eff9df3fb9f1bcf99981ef892f76710273c354874944e168c93e2e2ee7828d4", "6f82e34a7d1006e7a0b554717c2c69fb46d838962f1731e6ec9a8eaf231943d3", "73d9daac6d513a6230dec860f0738b60d8599605bad937b2489b0aecac8e7d10", "73fb3e5cc4706afa2a64897079954c812ee08bc94f102be1bcdca5b71de788ec", "76db14685d9ab3aa480c859ea58790001a4d25d981df3d3bae7acce343c8005d", "7b681b8f679d9840cc8127d311e7277bd1d911c2f469d3805113b24a5d3161e4", "7ba3fef0436746b2157ac79a8dca001cd537d967eaf43a0e5c35d671ec09bf3d", "7ca4f76502c7f48972cce6133830d6305a5145e37066bdf05c26adeb8a02e365", "7d3ca45723723b892c56a906f5ee07ea45d25e4672dbee5f273bbef9e6fcfe29", "7e1d92d07380ba79a3bdecb3c1811f3b3b7e32b618902a5084190ec1fae4cac8", "7f9c92156a2feb3135db213da3189fdb7f5ee64ff12203badfb7c809b9fc64ee", "81a4f4102e6b87f8d2ad22a43080fad61e20849ea9c87c55b715cc187ca0fbe0", "81eeaa2af33a21ae99d1751d068677c96106a0bf0359031c12d7f5ca5da4c44c", "84be713c1dc841986aa2592eaf8d6494c9da3856391a9e18d32b956b0c8e592a", "84dfb734f683275a56317f11d9bcbad7b4d10d2d083b66f9cb310cf282ddc9cd", "897c19253d9a51c06c7a4ef3bdfd4ae3b821ef7ed6155697df5c041a6e558b49", "8a829e9fc2fb4e656a1b5acabb0a6ce8bd5b1c25ba942d466ae7c8301318c2dd", "8e0048794e5b77128fe65dc689132f0f69a0f1a4c74b0ebb8dfc1f42bb45b3f3", "8ec75dd22a86b4e589cfd8d16d5928f86f42e17968a2d91755e3849ac67689e7", "918067ad355185546dcebbf6f35c1df762ad6f8dddf513d41c2e7d1fa5578bf0", "956626f600a626a042c01c936bd85557e5e8fefe6afd578f58d5b8c7d55f68b6", "988fcaa9ffbbb1373834113f121a85392c5a610161d046f35a08a436aa7ef72c", "9a08716dcedf326138c5403bc174e506f5aa0794c95902aefa6f464270c5af86", "9c7ce9b354015a6181234ada8e16a9c16eecff110154a1e05aea63d84476ec10", "9dff5524e8282a74c7cf71137c92c3dc9cd8e7b5530fec89dd4c46c1a2a95c05", "9fb5e6600a6730b7f18e2f80485550501ecf3b3f834d60293b2b5a97d9f54fe6", "a2cf337ec7fa909856e2ab9a0f6ba4823d3d068d56b29264efe68fc8574d10f4", "a3358c3f4da29e9d2e104ee84f4a34079fb1b56748ed8a03cb949adbc4cec9cd", "a44fabf3dc4b1e167146835381488d18397f520f8c2925e0fd9a0b9af303cdb3", "a468c15c42e966c81b274979a57e88d03ad8f76a783c9995c21b5db4e3fa105b", "a55352b7e4f2bb1ffc169ce12e7994c8accba3c549aa95f09adecb235a903bf9", "a7b0659163a35db71fa4a32ce8f303a364ea38620bfc844f7306753ceb7ab7b0", "a9836b8b6350f9a7cf08c7cfb45df97b25273f5c52abf77a3616476ce27f2fef", "a9ae8c5a9c0f36d97cbb230cb7801023dd7f9a128e2ad057bf2a34a6a7954294", "ab39341fcf32125c6535dcfe0a44ee37906c72b130ab110f28a7f9573f4825e2", "afb4e8a3b21e08896c3573af85e8b39c3f485be9f2f19bfcbe14398d333f051a", "b03a6ac22a9f8a7f18c461e9105ff21e1f4e12b14e087dbc3e8b21e7bbc77896", "b05bbde60875fa48703fb3d2f216c4abd3a294c5ba15c8c975abf22027084e1c", "b11eaa8007be97eeeedd16829d586fa4976547a216238d320258448eb0155629", "b1de4c211d9216d1bae9a08a4b35359fde899f2de7bae894b024d3a14189175e", "b4a7cb8d0f95e64e455cb4def76e75eb9e01e95d95fef27d662fab57cd28764a", "b4fd8cbab19d7bd91ca1bf8ebaa6a3d78dd523740eb165c9ddb9085923982d7f", "b87bb7ce0f76f65ac78f1666637b83371d3d20015dc2297cec48736ab28ba05f", "b8f7b263323f21abfff3d02c6c1da2b02ced5a80a0004fb40a46bfe23c909e8d", "b99d62979c2cec64b12adbd5904cb5a98aec6760360e6cf241c642dc0aeb785d", "bab393a781393c4fa1b43fd5d6c362b63c76cbc9aca3e62e70de2978ed154dd9", "be13bdeb3d666dcfdbf7a7b61a599e687b22f45f8a3fcb5fa4a01df28bcc139f", "bf1e70fcf585ec1c867e14e8965430762026569f6245a340ea24dc903c8ef370", "bf76719f56193a2926c8bf88ba889739c63d987ae65b45004895b230c05ff4d3", "c123997db087d491a861661973076a3352853942d85c131ea3b6a4330ce53e3c", "c1256912c5f10c160fc3383a35e3c492f0044173c27866cde2a1608b212b0af1", "c3647234929063f4f7d8e8c2f293e9517ef063fb6b4709708026b7ecdb7ddf38", "c47de3fcd0fdad88aa736ede18022bbf05ac40da1a7d6d32fb4d30ab147c88e1", "c4fbb5054f651f34532e03081057b0e14a4c84599678dc8ccd36370a3e935bb7", "c580bad08a46ca954aeeda75dfd97504fba0913359943594349255a5715a3f06", "c72c0a5949c7814c76d26329a1e7dcf159b03c29373f81e808b3566387a862e7", "c92b33f17a599d61a142d8e317bd2dd52ccc5c91aa374a75d44595d9305b5298", "ca71bd8793ffff7106176e50ea78f7390e6a1fec2678bea1941fc3d9ab893d30", "caac46a67024d7cca15bdeb87f5c6533d89e495665e3d8a43f8b82690b42989e", "cad3960d2ca40a76ab16458ccee106bfc859a5d4b98d1fb97eb60328cf4184f5", "cce9accfb516f2bbc643cd4b982ad779ec4b9a4bf5637bb740b7e0fb7b2036c4", "cd8d2060bed268c6bf00b327f328ae692a3a698595fe1586fa15d9e9223218c8", "ce484d7cb212a679c400dc206e96fcb968b46bca5731ede4d051f2566409c2c9", "cf3761012be9d349d1d2fb6725e213e36a1da94fa1276e4c8621d605fe72023e", "d09338316bb8d31a87cb4aa2cc8af246f9610b314bee939f92c28bcc6ca7fadf", "d173334067d7c4398d9cfe038de7496d5bcafebcfc0b3acec036ea88cf00b1a9", "d1a398ddc40671ca44ceec1975a52472593595c8a194a0a4148b9d16814ced1c", "d42b78b47707c72eeb95c322699c4d054b25103ef22f8f3e98db5655103ec10c", "d47a726bfb73d6c9ce7dfe1d9d0372f1bdd2a7a7878d8b08d85d2a96641afa07", "d49d300f116ceda33908802436e18ac304531bd2069b690ba33165000f096f7c", "d7b2c8633d40d191d753cfe23d6105cf368232dd5ac77aab60edc601fc8bce48", "ddfccd505707c5b4421bde250a30cb40b987896637f38bd7d6d751c9454c450a", "de78c74dc5d7e2c00073f36fba5898dd602266c0967299c296e0b0e21352857d", "e01fddb4dd55a7bebe12b633a28d4c175898df9fd76ac135427b18a58ce4fb72", "e5b500222978b1c873bd98d84862856da33845c186c3b047ae1b7cef23919266", "e6af52c2b6cee2096b1bdddb6f49716c117c99d762bbe1181839b4f8ed000e48", "e759f7b86e1ecd0a154eba4618b28658067a0ef59f52a5f4c6eaf8f7ad6c9712", "e8cf066b71dc0ed8ee6749471f57e10efe16aa665d6d9d09d0d719df4d619124", "ea07b840483a49f107541fdaecd81401776a9ce338f6f23abb09881050f9c80e", "eaa6cfbd7829b0c7b6dba3bc72284c8f26b1ffffd1c2e444101b0566a28d779d", "ecd54ed6ed19802ffbc580e4ce2b3336226e71592856a47a4a298940a6d6cd47", "eeb2c17ad5bc151910e58e734bde33f293aad3e06d0e7bebd82938f1dad37ead", "efb23c0c1f066b39687f8b24524aab39b51221e9e3081fad76f2f541faa98929", "f1b076cc1af96bc0539d81c0637b875174ac2022d888e2d7108f44493a3a788b", "f21537a9991ff59fe0c8b905e636fcaf378b140217e0218a3d94a5dd3fe732c7", "f3249b142ffc771e9456ab020d13d1f0c41188937ec7c6e6d69d4fc51bb8f309", "f4fdd181aa0052e4e912df6bdf365b4e2e14e214102270569915d8705ea0c235", "f6909ed0cbc2539179154c5aaf3f4fb707cf479409dd403d8b960448b4c6c0d0", "f7559e021a5e927309654cfa5dc938f85da19a433e5d86a4ed7c2fefededa0f8", "f80c837387e47e61d9d2380168c0ae6c46b7ad189cfb3fbd016dbaa4916cd2ad", "f811786226c2ee32d0216be11a6ceab1902b2123f19b5ef627de33540a89a874", "faa1f45b05fd26a3b4584ec966f5de7493d6d15d8ad8f35795512e870ad16c12", "fb4308e7c2d72ab024a2d3be5bf060b92351b184966aa745124e227e58b04e9e", "fc41b6b2971ce4c49bfea95dd3687f31dc394c47f8c4afb91bf81f1a9c9b79bd", "fd43ce0619e1b17dd57ffde1f8073e2fd595fe94dce79c2a0f4c7eb92cf2b43c", "feb2ccdb5eee08a55fd267ac6ae2bd6195285ede97951de925d5d1a4ae445f25", "ff976d16d8774fd644b73f7f03b342684a3880a68b7edef4a6144c85140b4099", "fffa453c4112cba4d04940320664319d327bb2137942a91597a213b1ee0e1e0d"], "iocs": {"domain": [{"host": "sys[.]zief[.]pl"}], "file": [{"path": "%System32%\\drivers\\etc\\hosts"}, {"path": "%System32%\\wbem\\Performance\\WmiApRpl_new.h"}, {"path": "%System32%\\wbem\\Performance\\WmiApRpl_new.ini"}], "ip": [{"ip": "148[.]81[.]111[.]121"}], "mutex": [{"name": null}], "registry": [{"key": "<HKU>\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders", "value_name": null}]}}, "Win.Malware.Tinba-6877885-0": {"category": "Malware", "coverage": {"AMP": true, "CWS": true, "Cloudlock": false, "Email Security": true, "Network Security": true, "Threat Grid": true, "Umbrella": true, "WSA": true}, "description": "Win.Malware.Tinba-6877885-0 is a well-known trojan capable of stealing banking credentials, as well as potentially installing additional malware or performing other malicious actions.", "hashes": ["01ae6c57ac2debd611960648013ee28a351ec631a5ecc3008520247765ab654b", "0cd46a0b5f2fccdbaad0c726c1688b676dbe4b56f9ab2e8a8e3a01cf31778361", "146500e14954b8d588b76786670c7f54d4cc2e9d807c8c6f4810e18a046b5c64", "2c427fd2e95371120ab9157ca3f66a5f0c9e4c3ab222407910af6aaaaa9e3813", "414bcee562deab35cd6b486c6334abd5b13cde91629aa2bb227c2c7b7e1ff9ff", "46bb9a573b6cf3988ce6378870ce0575a130a1b0f79ae9ec94a36f1bb9787c97", "478cab0d41118f0e46f98a2c10a9cee60c8c2f9d367e974b56ef43603d25d6f3", "549bb79723bdb89dd5832968c0222c5447ccc58cc49918aeb4bd971ef35039d8", "5a2e5cf96ba1ffa184b2dcf8dda95fccc0565138ada245612cee2e93cc9eb69b", "686f37fd5a86bf87495805f409fe6203fffa9f25e297d97d7cfeeffe3e19ce83", "6e4d29d509894f88e805d1b090d275b6a6af49b13acaad2ede39ef322658d579", "6f423075e86048454f921fd80d8f64981952019a4007b7ed8e4cc03dac38eca6", "713ae90314c0f774b5a00656db375c4b014fc9c0d5a4175bf0cd36b41a8074e7", "72ee4bbdec92a89949f62a75a80f78074445b4f598a8c5db32b092d7f17df18d", "7ee2a424f18cd91df14339bdc5852066002e4d4ec18f4f2bd9366db258c52210", "8ede393ec05a909c6397d6cfb5834e00280175be6a60f0b21b2b8473212f5c86", "9b011301e0aebcc888b54e460bcec2d8f2e43bc79f9b6b989dbd066850b73491", "9b49555e77ad97f9b3f65d4b33c829fcb228fbeeba6f2d1abd0651370bc57cdf", "9cd799126e6d3575b46226967767c5b58bf634039babfeb1c5f461396d050760", "9e89025c4e1aeeefbf4bcf3df807c3847024448e407dd5c65c0913ffc836f637", "9f20a17a7b530c7158d7e2f06d7b7a2dc2ea9b52fb450e4393cb0a4baf841df6", "a01c0e9146b18dfa6bc652807de1b0f32f3c8f4121b1ee940982bff45128e316", "a30245cf232f2c34ac29d074c6ebe4067f0319b95cd77a53c9558d0aedd31330", "a40700059a7704c4ec059c4052f8dc46cdfd50a5a13ce2f5ea9cf6122903117b", "b3383f54841bbd099b35e19fc22037769e003f5545f9d31085b9a2c425953826", "b639f9f602f3c5fe7db7b0735149570f29051fec18eb834c29e8968854dc7308", "bc19b83c9bed43b8299876f767549186c7ed83b4cd25b1b7f2174dc8c086f076", "c52ea58a30b67e9e937b30b8b427146668524f23437c84496a17d1b75cecf7f1", "c807e40ae03c914160ae129b369ed91324351cca61c28aaaa21e1e837f2e2c9a", "cb44f07f63d4737c1f4652a1d5a7b9dbdcf5a2bb55017f5d1f8fad76a8a449b3", "d753e1f36bcc12fa43bf322d18d458ce13341d4dc9e7f30cdc865fa907746c30", "d9af0321f3902a5d274a71ec1b99c51f704cddbad4229c3e66fe774367d620cf", "e2c216ada9ec8447d38f28730f4be18bc9f0ddf1e4186ac6cd24e295d36cdc54", "e711394013c0e7f7fcb0095355de65f585bed11e32805251bf4e94e9e6a94202", "e94b3ea7c9bfd50bffea0bcf43dd73ee866465cf803e7c84fdb351db882edcd9", "efa7d6577232e2ec4bb75f93a38e30c4e9c6d23ff3d52fe8f91bfb8e2eee9906"], "iocs": {"domain": [{"host": "recdataoneveter[.]cc"}, {"host": "diiqngijkpop[.]com"}, {"host": "diiqngijkpop[.]net"}], "file": [{"path": "%AppData%\\5E60878D\\bin.exe"}, {"path": "%LocalAppData%\\Temp\\~DF795A5FD183ECC172.TMP"}], "ip": [{"ip": "216[.]218[.]185[.]162"}], "mutex": [{"name": null}, {"name": null}], "registry": [{"key": "<HKU>\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "value_name": null}]}}, "Win.Malware.Upatre-6877602-0": {"category": "Malware", "coverage": {"AMP": true, "CWS": true, "Cloudlock": false, "Email Security": true, "Network Security": true, "Threat Grid": true, "Umbrella": true, "WSA": true}, "description": "Win.Malware.Upatre-6877602-0 is a trojan that will install itself, contact a command and control (C2) server, and perform different malicious actions on the system on demand.\n", "hashes": ["021000945e0be13e5e4ecafcfa342de1741366722dcbd84ad11f47a869dd6dfd", "0958c14edec6c39c88019adb183f5c5064608560df9438a515d0bd0d6c30a299", "16c6fcdae71399a369fae48bb94b1ed3b68ff9737fe6c468e7a97828e49a1a23", "1b8686ab24cb569147932c35e34164bc4508fbea9816d4556751ac7bb69c4bff", "277bd23dbfd1d8090e2a1b97a525fdc56f025b61d966b5aaeb0a89600247c235", "4285e32d83e87188118ab9115456da9f93d32031b33b55426a53caf16f0840ef", "4a04408dab011db8870969101f41dd86872ba19cb57c057a63ac484bc0a776df", "4d9747e7b9a304e8b2c9d4c1e990c09c66f8bcfa580049c51c11d3cf28de8b00", "588a9be32c6a3f61da7ab5f60842398195d947017721c716b060a1345f90027a", "63597f36f154c84eba0d9624fbc5f9e94fb000a9d8e059af91b9d41c4cae72be", "78676aa1462a399d525b253d52c67938a0de90ac34f8f546d830cb3845456002", "8c8b93bb898a882b87259ca4158cdc7f80964162c2a249ce41c4b6e81a59eb69", "a96ac64b63ab1767a5fbafe793a4bbd326484746c4c9421d836a623ec5326c29", "aa74e0be469a8657b0c661e7fc10ab0351cad37fa0bd7f87834fdfc1ad6b26cc", "ad98380ca200a45daf7fe6cda9f1b62eda504ff4ba9262e406c9721e94c52b19", "c1df74ac76ce78cf49ea51879bf5e86db2435b727ddfcc2cdad94a974fe147a0", "db5e3d86143940f4509231fa1c588c8bc92525e227e687ac4c22fe31a1b0e132", "e8f96e00f7534193d696dbb47cbc6d3be9a1d255104d948c30de16bbdf71c37e"], "iocs": {"domain": [{"host": "cardiffpower[.]com"}], "file": [{"path": "%LocalAppData%\\Temp\\kgfdfjdk.exe"}, {"path": "%SystemDrive%\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\kgfdfjdk.exe"}, {"path": "%SystemDrive%\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\lrtsdnn.exe"}], "ip": [{"ip": "83[.]136[.]254[.]57"}], "mutex": [], "registry": [{"key": "<HKCU>\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections", "value_name": null}, {"key": "<HKCU>\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings", "value_name": null}]}}, "Win.Worm.Vobfus-6877836-0": {"category": "Worm", "coverage": {"AMP": true, "CWS": true, "Cloudlock": false, "Email Security": true, "Network Security": true, "Threat Grid": true, "Umbrella": true, "WSA": true}, "description": "Win.Worm.Vobfus-6877836-0 is a trojan that will install itself on the system and try to propagate to external USB drives by creating executables and writing the autorun.inf file in different files. It tries to disguise itself using file names such as \"System Volume Information.exe\" and changes system configuration to disable windows updates. Finally, it will contact the command and control server to receive further instructions, potentially running any malicious action on the infected system.", "hashes": ["0c3b6645c222448d1d6e09e199acbef4ed86fc44aee1149a23682649291fc733", "1149f036bb4033a1ed49972386361ef9b1dc4770ccb44ff3efa7d6545158c95d", "31cd4091fa843cd5dcc43cfe0b4e80bb2cccfc8eb9f334a39fd4b5978ed4a2ab", "4476dc51703ba4efe1e32a3266c466d49386b6f23867b69af54d4a63b764014f", "4eca92bc9a9ce1cef10bae0fdcca30498fb9ff86bf09cdb5638f1d85bf1dadbe", "503cb71631d48a40f8bd2ed362db39e36f85ba5c177b47799ab109f4eba4df1c", "6418f8ed71ea55d61d786e2daafb90337cadb863ded94b9ea111dd4a2a266383", "6850dc31b6bfad3304202f0f4977e65a1bc09521330303f91ed88d106ed4f997", "6b663361002a078d7ac3a69c88b7689bc0f315554441325bc78c396f9203c61b", "7f630ee19177a544609bd9ef58cb153a62748a690dcd9baccacc077788e02c84", "82cbf00571f283546bf2e7ef61130e48e498f398365c3f65d3493059d04e2c54", "97ec12418e29486fbf47c5bcf47bac5ac15b63efda15a5bc1347bcfbd4b8f749", "9ca8807f8c3fa377bd07af42b692004210e12a5f51f7a4f0eef9848621c392e2", "b438d083fd2471c746be18ac1289d840a5b37d6257f3d2dd3c2615e79b3a80d0", "b71786e23ba7f5518878c16d77f2d889488ac2991d5bd4228d6910d98f3c0649", "b8e7137d112282b3baa97b7a8a86872e1f4f46270366c357539e7cd3169837c5", "c20a8a941e457b56f6d360f3c7354d1a7e050793fbf5c39f98401f21ef633e7e", "d5846dca5386b4452d70975fcdd6f41da6a0202c032ef39b8b275e519815b494", "e853753abcbf8312e1326416c1faa79f0b0f98612f7c8f2e8a76795203f5817d", "e96368504131c26f0cae6b7a68ce5c8747b1807d4cf755460cc79d77b4ff6156", "ee4cdc3f5b2a9b6be5a818b932f1c62fbcdd1d0fdadf13a4ae24004095850464"], "iocs": {"domain": [{"host": "ns1[.]chopsuwey[.]org"}, {"host": "ns1[.]chopsuwey[.]biz"}, {"host": "ns1[.]chopsuwey[.]info"}, {"host": "ns1[.]chopsuwey[.]com"}, {"host": "ns1[.]chopsuwey[.]net"}, {"host": "ns1[.]chopsuwey[.]net[.]example[.]org"}, {"host": "ns1[.]chopsuwey[.]com[.]example[.]org"}], "file": [{"path": "\\autorun.inf"}, {"path": "\\System Volume Information.exe"}, {"path": "\\Secret.exe"}, {"path": "\\??\\E:\\x.mpeg"}, {"path": "\\Passwords.exe"}, {"path": "\\Porn.exe"}, {"path": "\\Sexy.exe"}, {"path": "\\??\\E:\\teiasid.exe"}, {"path": "\\teiasid.exe"}], "ip": [], "mutex": [{"name": null}], "registry": [{"key": "<HKLM>\\SOFTWARE\\POLICIES\\MICROSOFT\\WINDOWS\\WindowsUpdate", "value_name": null}, {"key": "<HKU>\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced", "value_name": null}, {"key": "<HKU>\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "value_name": null}]}}, "info": {"origin": "Cisco Talos Intelligence Group", "publication_date": "2019-03-08T15:58:41+00:00", "version": "1.0", "warning": "As a reminder, the information provided for the following threatsin this post is non-exhaustive and current as of the date ofpublication. Additionally, please keep in mind that IOC searchingis only one part of threat hunting. Spotting a single IOC does notnecessarily indicate maliciousness. Detection and coverage for thefollowing threats is subject to updates, pending additional threator vulnerability analysis. For the most current information, pleaserefer to your Firepower Management Center, Snort.org, or ClamAV.net."}, "signatures": ["Win.Malware.Bypassuac-6876875-0", "Win.Malware.Swisyn-6877070-0", "Win.Malware.Autoit-6877140-0", "Win.Malware.Upatre-6877602-0", "Win.Worm.Vobfus-6877836-0", "Win.Malware.Tinba-6877885-0", "Doc.Downloader.Emotet-6878774-0"]}