Threat Roundup for October 27 to November 3
2023-11-4 05:18:45 Author: blog.talosintelligence.com(查看原文) 阅读量:15 收藏

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Oct. 27 and Nov. 3. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. A visual depiction of the MITRE ATT&CK techniques associated with each threat is also shown. In these images, the brightness of the technique indicates how prevalent it is across all threat files where dynamic analysis was conducted. There are five distinct shades that are used, with the darkest indicating that no files exhibited technique behavior and the brightest indicating that technique behavior was observed from 75 percent or more of the files.

The most prevalent threats highlighted in this roundup are:

Threat NameTypeDescription
Win.Dropper.Tofsee-10012832-0DropperTofsee is multi-purpose malware that features a number of modules used to carry out various activities such as sending spam messages, conducting click fraud, mining cryptocurrency, and more. Infected systems become part of the Tofsee spam botnet and send a large volume of spam messages to infect additional systems and increase the size of the botnet under the operator's control.
Win.Trojan.Miner-10012902-0TrojanThis malware installs and executes cryptocurrency mining software. You can read more about this kind of threat on our blog https://blog.talosintelligence.com/2018/07/blocking-cryptomining.html.
Win.Dropper.Glupteba-10012922-0DropperGlupteba is a multi-purpose trojan that is known to use the infected machine to mine cryptocurrency and steal sensitive information like usernames and passwords, spreads over the network using exploits like EternalBlue, and leverages a rootkit component to remain hidden. Glupteba has also been observed using the Bitcoin blockchain to store configuration information.
Win.Packed.Razy-10012926-0PackedRazy is frequently a generic detection name for a Windows trojan. It collects sensitive information from the infected host and encrypts the data, and sends it to a command and control (C2) server. Information collected may include screenshots. The samples modify auto-execute functionality by setting and creating a value in the registry for persistence.
Win.Dropper.Zeus-10012956-0DropperZeus is a trojan that steals information such as banking credentials using methods such as key-logging and form-grabbing.
Xls.Malware.Valyria-10012971-0MalwareValyria is a malicious Microsoft Word document family that distributes other malware, such as Emotet.

Threat Breakdown

Win.Dropper.Tofsee-10012832-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 25 samples
Registry KeysOccurrences
\.DEFAULT\CONTROL PANEL\BUSES4
\.DEFAULT\CONTROL PANEL\BUSES 
Value Name: Config2
4
\.DEFAULT\CONTROL PANEL\BUSES 
Value Name: Config1
4
\.DEFAULT\CONTROL PANEL\BUSES 
Value Name: Config0
4
\SYSTEM\CONTROLSET001\SERVICES\KUWRNFEA2
\SYSTEM\CONTROLSET001\SERVICES\KUWRNFEA 
Value Name: Type
2
\SYSTEM\CONTROLSET001\SERVICES\KUWRNFEA 
Value Name: Start
2
\SYSTEM\CONTROLSET001\SERVICES\KUWRNFEA 
Value Name: ErrorControl
2
\SYSTEM\CONTROLSET001\SERVICES\KUWRNFEA 
Value Name: DisplayName
2
\SYSTEM\CONTROLSET001\SERVICES\KUWRNFEA 
Value Name: WOW64
2
\SYSTEM\CONTROLSET001\SERVICES\KUWRNFEA 
Value Name: ObjectName
2
\SYSTEM\CONTROLSET001\SERVICES\KUWRNFEA 
Value Name: ImagePath
2
\SYSTEM\CONTROLSET001\SERVICES\SCEZVNMI 
Value Name: ErrorControl
1
\SYSTEM\CONTROLSET001\SERVICES\SCEZVNMI 
Value Name: DisplayName
1
\SYSTEM\CONTROLSET001\SERVICES\SCEZVNMI 
Value Name: WOW64
1
\SYSTEM\CONTROLSET001\SERVICES\SCEZVNMI 
Value Name: ObjectName
1
\SYSTEM\CONTROLSET001\SERVICES\SCEZVNMI 
Value Name: Description
1
\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS 
Value Name: C:\Windows\SysWOW64\scezvnmi
1
\SYSTEM\CONTROLSET001\SERVICES\KUWRNFEA 
Value Name: Description
1
\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS 
Value Name: C:\Windows\SysWOW64\kuwrnfea
1
\SYSTEM\CONTROLSET001\SERVICES\RBDYUMLH1
\SYSTEM\CONTROLSET001\SERVICES\RBDYUMLH 
Value Name: Type
1
\SYSTEM\CONTROLSET001\SERVICES\RBDYUMLH 
Value Name: Start
1
\SYSTEM\CONTROLSET001\SERVICES\RBDYUMLH 
Value Name: ErrorControl
1
\SYSTEM\CONTROLSET001\SERVICES\RBDYUMLH 
Value Name: DisplayName
1
MutexesOccurrences
Global\14
IP Addresses contacted by malware. Does not indicate maliciousnessOccurrences
176[.]113[.]115[.]1365
80[.]66[.]75[.]45
176[.]113[.]115[.]1355
45[.]143[.]201[.]2385
176[.]113[.]115[.]845
62[.]122[.]184[.]925
80[.]66[.]75[.]775
83[.]97[.]73[.]445
84[.]201[.]152[.]2205
31[.]13[.]65[.]1743
31[.]13[.]65[.]523
172[.]217[.]165[.]1323
142[.]250[.]72[.]993
34[.]120[.]241[.]2143
52[.]101[.]8[.]493
142[.]250[.]65[.]1962
93[.]115[.]25[.]492
93[.]115[.]25[.]132
93[.]115[.]25[.]102
93[.]115[.]25[.]732
20[.]236[.]44[.]1622
172[.]217[.]21[.]1642
149[.]154[.]167[.]991
31[.]31[.]196[.]811
172[.]217[.]165[.]1311

*See JSON for more IOCs

Domain Names contacted by malware. Does not indicate maliciousnessOccurrences
249[.]5[.]55[.]69[.]in-addr[.]arpa5
www[.]google[.]com5
vanaheim[.]cn5
249[.]5[.]55[.]69[.]bl[.]spamcop[.]net4
249[.]5[.]55[.]69[.]cbl[.]abuseat[.]org4
249[.]5[.]55[.]69[.]dnsbl[.]sorbs[.]net4
249[.]5[.]55[.]69[.]sbl-xbl[.]spamhaus[.]org4
249[.]5[.]55[.]69[.]zen[.]spamhaus[.]org4
microsoft-com[.]mail[.]protection[.]outlook[.]com4
microsoft[.]com4
i[.]instagram[.]com3
www[.]instagram[.]com3
www[.]evernote[.]com3
www[.]google[.]com[.]tw2
www[.]google[.]com[.]co1
www[.]google[.]be1
www[.]google[.]ch1
b[.]i[.]instagram[.]com1
www[.]tiktok[.]com1
smtp[.]office365[.]com1
ca[.]account[.]sony[.]com1
t[.]me1
my[.]account[.]sony[.]com1
www[.]googleapis[.]com1
m[.]freewallet[.]org1

*See JSON for more IOCs

Files and or directories createdOccurrences
%TEMP%\.exe5
%SystemRoot%\SysWOW64\config\systemprofile4
%SystemRoot%\SysWOW64\config\systemprofile:.repos4
%SystemRoot%\SysWOW64\kuwrnfea2
%SystemRoot%\SysWOW64\oyavrjie1
%SystemRoot%\SysWOW64\scezvnmi1
%SystemRoot%\SysWOW64\rbdyumlh1

File Hashes

0097a9426a4c40673425c9d58f0bc7b724ffcf06eb816a527db36bc68053f6b7
023e83acdd81d9497db966891d429c6f5fb7a68c86861bd24fd7cfd834972bd4
07850ea1732b07aae1b520bc4e07f939a29ea8f842993a5849965d71aec14cb1
186dc0bf672c39787daf011bb1cfff55e6edac5b4991879333b08f3b66899a8e
255d98301eead36518f991190fa7c4ef0e8d6f85707b63cbecf3f69c434632bc
2b6d2a194d0b61942c703bf307cf879f26e2dc4ab67cd77d5827e7422b287a18
3460d0cc146f9a4ff500b493d0245ee7d34371849807735c4455af2362c0635a
5385d44b163f9251e1b3bbbd855508eef0d09dc19763047e6cf3ff0515679860
5e5674997dcbbc2906f5c6c30c5c0fb6bda6476b41b46e7efee510fe60510a4e
60b1f70b3143a44208316425fc4870e80f6a2a48004d1e4b2dcdb2ec0c5129fe
62a482b40415d3121d775a39d6832fc50e768eaf9daf8d93fa5cc65c1010d211
6544e6032d5708343d200d1504f7465208e88844cc39e660353713c0628a5706
6be4de87a4b879db5b7ba5250e20db48835eb548d06c7718cd91b9e7cc478268
6d2a158348cbde04534fe5c28bef8d260a3ef8f9f89c31d3e46ca6d41b194970
6fa572403ef1382743b8bf1801ad355840d001f60bb1c79a02482eebfe2071c9
927bbcc9c65a68871fc752b43b1b6f0d6ae5dbd8f2c5c446786a94f9ce42e1f3
af63001bfd4ed850fb3bf50862ef7265a6822ffc20f6b24ed741975918c56f2c
b385a475bc821a1d8c721c974beede2c358d3994b241d2510e7d41d67bff8897
bee6620b5ce8b72203fcd92db24830e7e5a99391d1183069e9c51c0cefc24c2a
c041fd76168566b1100bf0a2b419a2f9de04cfc3d3eaca9c90d5cc02544e3035
d322898276db0795ea8d758763ac4021ddd951555ce862a6acb28d1a98326f59
d4f4e03f23ae159efd3a6e188cb539c8b565985abe74ed5c5dd1e28078a2a1b3
db32ca20b111cad1ec84113ee725caff564bf9f857f17dc765b6f9545296502c
e8a4a40a5d06430ab9bab7a832711560635102e6259033f7035d272c8f62509a
eed76de86b8200456f420b784325e37771199c855ad5a1c89940d0aff1d2849d

Coverage

ProductProtection
Secure EndpointThis has coverage
CloudlockN/A
CWSThis has coverage
Email SecurityThis has coverage
Network SecurityThis has coverage
StealthwatchN/A
Stealthwatch CloudN/A
Secure Malware AnalyticsThis has coverage
UmbrellaThis has coverage
WSAThis has coverage

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK


Win.Trojan.Miner-10012902-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 11 samples
MutexesOccurrences
4pC39Ev2yuzFY8izw76DGDJR11
IP Addresses contacted by malware. Does not indicate maliciousnessOccurrences
185[.]10[.]68[.]1236
95[.]214[.]24[.]353
185[.]10[.]68[.]2202
109[.]71[.]252[.]452
Domain Names contacted by malware. Does not indicate maliciousnessOccurrences
eu[.]minerpool[.]pw11

File Hashes

12450b3415939ac685ea225c32f52a9a0fd9542b3306fa473694e84fbbbc24e7
141f37c65369f12579ba8acc215924565257ff9dcab9aeeed0859e2e5f320ab8
499d911b649fc5631e73201f87d69c24b6284c0fbe07f6355b671d31e47788a0
71d971f6217adec3f291859bda92ef6156b003876a76ae9e2e950bf69ac2142a
800b5db323b0d93f4e61c797f8e2fbed7fad4ca5b82782e504c2554c7c8215ae
80a2e966df110a0da437108694ac44bb3f3abe9e66c0734bae8cb59b81e7ce97
af86df3304ffa56e10dbe2d28991f7b142ecf4b9c900b4a5538cc78817b602c3
d4f77d50218f1954eb6a5211b338a7b03ef6b1fa2d2ff5df8b3399a665a689be
d9e7c1e328418a3a1cbe43013be117e1c2b40a42950629f6e4007135d2def0f0
fb35617e508bf8681f0d2209e157dd3f4b57c5fde8f50f8dcfe1421573740e34
fd535d7fbf8e3c22416c8030d5c625d6eccf1c63dd84c5bd052fbc02f13535e3

Coverage

ProductProtection
Secure EndpointThis has coverage
CloudlockN/A
CWSThis has coverage
Email SecurityThis has coverage
Network SecurityThis has coverage
StealthwatchN/A
Stealthwatch CloudN/A
Secure Malware AnalyticsThis has coverage
UmbrellaN/A
WSAN/A

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK


Win.Dropper.Glupteba-10012922-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 105 samples
Registry KeysOccurrences
\SOFTWARE\MICROSOFT\A1890984 
Value Name: PatchTime
105
\SOFTWARE\MICROSOFT\A1890984 
Value Name: PGDSE
105
\SYSTEM\CONTROLSET001\SERVICES\VBOXWDDM 
Value Name: ImagePath
105
\SYSTEM\CONTROLSET001\SERVICES\VBOXWDDM 
Value Name: DisplayName
105
\SYSTEM\CONTROLSET001\SERVICES\VBOXWDDM 
Value Name: WOW64
105
\SYSTEM\CONTROLSET001\SERVICES\VBOXWDDM 
Value Name: ObjectName
105
\SYSTEM\CONTROLSET001\SERVICES\VBOXSF 
Value Name: Type
105
\SYSTEM\CONTROLSET001\SERVICES\VBOXSF 
Value Name: Start
105
\SYSTEM\CONTROLSET001\SERVICES\VBOXSF 
Value Name: ErrorControl
105
\SYSTEM\CONTROLSET001\SERVICES\VBOXSF 
Value Name: ImagePath
105
\SYSTEM\CONTROLSET001\SERVICES\VBOXSF 
Value Name: DisplayName
105
\SYSTEM\CONTROLSET001\SERVICES\VBOXSF 
Value Name: WOW64
105
\SYSTEM\CONTROLSET001\SERVICES\VBOXSF 
Value Name: ObjectName
105
\SYSTEM\CONTROLSET001\SERVICES\VBOXMOUSE 
Value Name: Type
105
\SYSTEM\CONTROLSET001\SERVICES\VBOXMOUSE 
Value Name: Start
105
\SYSTEM\CONTROLSET001\SERVICES\VBOXMOUSE 
Value Name: ErrorControl
105
\SYSTEM\CONTROLSET001\SERVICES\VBOXMOUSE 
Value Name: ImagePath
105
\SYSTEM\CONTROLSET001\SERVICES\VBOXMOUSE 
Value Name: DisplayName
105
\SYSTEM\CONTROLSET001\SERVICES\VBOXMOUSE 
Value Name: WOW64
105
\SYSTEM\CONTROLSET001\SERVICES\VBOXMOUSE 
Value Name: ObjectName
105
\SYSTEM\CONTROLSET001\SERVICES\VBOXGUEST 
Value Name: Type
105
\SYSTEM\CONTROLSET001\SERVICES\VBOXGUEST 
Value Name: Start
105
\SYSTEM\CONTROLSET001\SERVICES\VBOXGUEST 
Value Name: ErrorControl
105
\SYSTEM\CONTROLSET001\SERVICES\VBOXGUEST 
Value Name: ImagePath
105
\SYSTEM\CONTROLSET001\SERVICES\VBOXGUEST 
Value Name: DisplayName
105
MutexesOccurrences
Global\SetupLog105
Global\WdsSetupLogInit105
Global\h48yorbq6rm87zot105
WininetConnectionMutex105
Global\qtxp9g8w105
Global\xmrigMUTEX3133715
IP Addresses contacted by malware. Does not indicate maliciousnessOccurrences
204[.]79[.]197[.]219105
20[.]150[.]38[.]22864
172[.]67[.]212[.]18863
20[.]150[.]70[.]3661
20[.]150[.]79[.]6861
104[.]21[.]23[.]18440
185[.]82[.]216[.]10832
185[.]82[.]216[.]10431
185[.]82[.]216[.]11125
162[.]159[.]130[.]23324
162[.]159[.]134[.]23322
162[.]159[.]133[.]23321
162[.]159[.]129[.]23320
162[.]159[.]135[.]23318
81[.]3[.]27[.]4417
142[.]250[.]112[.]12717
142[.]250[.]144[.]12717
185[.]82[.]216[.]9617
172[.]253[.]120[.]12716
142[.]250[.]15[.]12712
74[.]125[.]128[.]12710
3[.]33[.]249[.]2489
15[.]197[.]250[.]1926
Domain Names contacted by malware. Does not indicate maliciousnessOccurrences
msdl[.]microsoft[.]com105
vsblobprodscussu5shard35[.]blob[.]core[.]windows[.]net105
vsblobprodscussu5shard60[.]blob[.]core[.]windows[.]net105
cdn[.]discordapp[.]com105
walkinglate[.]com103
stun[.]stunprotocol[.]org19
stun[.]l[.]google[.]com17
stun2[.]l[.]google[.]com17
stun[.]ipfire[.]org17
stun3[.]l[.]google[.]com16
stun[.]sipgate[.]net15
79102df1-5f9d-4ca9-bdf6-1fa1060285b4[.]uuid[.]datadumpcloud[.]org14
stun1[.]l[.]google[.]com13
stun4[.]l[.]google[.]com10
79102df1-5f9d-4ca9-bdf6-1fa1060285b4[.]uuid[.]databaseupgrade[.]ru10
79102df1-5f9d-4ca9-bdf6-1fa1060285b4[.]uuid[.]dumperstats[.]org8
79102df1-5f9d-4ca9-bdf6-1fa1060285b4[.]uuid[.]theupdatetime[.]org8
79102df1-5f9d-4ca9-bdf6-1fa1060285b4[.]uuid[.]statsexplorer[.]org7
79102df1-5f9d-4ca9-bdf6-1fa1060285b4[.]uuid[.]allstatsin[.]ru7
79102df1-5f9d-4ca9-bdf6-1fa1060285b4[.]uuid[.]alldatadump[.]org7
79102df1-5f9d-4ca9-bdf6-1fa1060285b4[.]uuid[.]dumppage[.]org6
79102df1-5f9d-4ca9-bdf6-1fa1060285b4[.]uuid[.]myfastupdate[.]org6
79102df1-5f9d-4ca9-bdf6-1fa1060285b4[.]uuid[.]filesdumpplace[.]org5
79102df1-5f9d-4ca9-bdf6-1fa1060285b4[.]uuid[.]statstraffic[.]org5
79102df1-5f9d-4ca9-bdf6-1fa1060285b4[.]uuid[.]createupdate[.]org5

*See JSON for more IOCs

Files and or directories createdOccurrences
%SystemRoot%\Logs\CBS\CBS.log105
%SystemRoot%\rss105
%SystemRoot%\rss\csrss.exe105
%TEMP%\csrss105
%TEMP%\csrss\dsefix.exe105
%TEMP%\csrss\patch.exe105
%System32%\drivers\Winmon.sys105
%System32%\drivers\WinmonFS.sys105
%System32%\drivers\WinmonProcessMonitor.sys105
%TEMP%\Symbols105
%TEMP%\Symbols\ntkrnlmp.pdb105
%TEMP%\Symbols\ntkrnlmp.pdb\9E22A5947A15489895CE716436B45BE02105
%TEMP%\Symbols\ntkrnlmp.pdb\9E22A5947A15489895CE716436B45BE02\download.error105
%TEMP%\Symbols\pingme.txt105
%TEMP%\Symbols\winload_prod.pdb105
%TEMP%\Symbols\winload_prod.pdb\B7B16B17E078406E806A050C8BEE2E361105
%TEMP%\Symbols\winload_prod.pdb\B7B16B17E078406E806A050C8BEE2E361\download.error105
%TEMP%\dbghelp.dll105
%TEMP%\ntkrnlmp.exe105
%TEMP%\osloader.exe105
%TEMP%\symsrv.dll105
%TEMP%\csrss\DBG0.tmp105
%System32%\Tasks\csrss105
%TEMP%\csrss\injector105
%TEMP%\csrss\injector\NtQuerySystemInformationHook.dll105

*See JSON for more IOCs

File Hashes

01aaff065260cd63f0c18f9f4fa41ebac93d8bc14b04cd0e121226e23f2ae5c0
0302c1191062a1789016750ddf9e20a521bb7a03b527fe23a0317b9041700fd0
06627ddd2e2d54d12fff1f27eeae643ae68c1b07361de3414428d9da68d30076
06e60787fd2b39cb49b2792587c18d03fd61a0f9d6fb31ec8686b5e5a07a1f94
080171591483337e33c1a6ea0919ab115b2e75133df74f4c8055fa55cbc1abab
0dc63cc86d3e3a2283f35e9ef62d343a3a9c367e4b8de0f150242e12f9fd5f62
0e10919209f191782c13b2b341021ad9a411f0afcf9cf5643241aec45ffcd658
0fd07fbed1c94d7feb81aebaef5fcccfe6b68490284101ae030cad7ece9b7ab3
0ffa3a5cc46231b9435668266760f1595e772bc0af6222a2d172af75e9867e72
11cb90274137aaaafe36b159d8a91e30b875d1faee6918cb5b2344f08eaff2ec
14216c329fa614a9d3feb93686d84099f6d614370a88132307f3f70971f5c4db
2014c9a8601be8be3953c202b8e76db73691ce30f3e94fcfeaa1e68faae132cf
22d05ede3d27433167300d25968e6ce2f41721dc3846f905ecff1c18675deee6
2776378b548a1b72133cbf0c6286f4f570a87f9dba936092b575dee34e79f02f
2ab2a3d5b3f3b9eab7828bb1190580fe87a4ff13eeb77e0da501cf5b75788f67
2e8836d196f49c6edfcc64bf859c96629360e57949024cb3c9cd032a445b17f5
2ea3379e1da37fbb276be2bf32a6aa4bf04f1a87288f00527c5f82430b95c836
2fbf18f71d1dd521fa63587e180383312f9d7ba4f630de4cbb06030d9cb568a7
3357900a688b465106213f79c56284aade72123f9ca4769e8dc552863e50d157
35ca7983a695fd47696ea29a99706d95a353ed8d520d45584b5b7343ff5d819d
38de029329f8f17f34d76f5a796aeb6361f0daf8ac0551e610aa0f163a38f84f
3955ac87189e3cbf038608d45852e19827cc538afb9b783559a76627503355e2
3a62edd73ec6741d07d3d752e81c7773f385502182c8ad5aceaa1d8af19362b8
45a46c4baf9618eae6bb6ded13fcf8c2638108de9deacebb195caca8a30fc8cf
46db78c231f1ad6d3acc1b55b5d43a52b5f730c2b1a8667af09286b68fad34eb

*See JSON for more IOCs

Coverage

ProductProtection
Secure EndpointThis has coverage
CloudlockN/A
CWSThis has coverage
Email SecurityThis has coverage
Network SecurityThis has coverage
StealthwatchN/A
Stealthwatch CloudN/A
Secure Malware AnalyticsThis has coverage
UmbrellaThis has coverage
WSAThis has coverage

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK


Win.Packed.Razy-10012926-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 25 samples
MutexesOccurrences
25
IP Addresses contacted by malware. Does not indicate maliciousnessOccurrences
142[.]250[.]65[.]17425
104[.]20[.]68[.]14312
172[.]67[.]34[.]1707
104[.]20[.]67[.]1436
Domain Names contacted by malware. Does not indicate maliciousnessOccurrences
pastebin[.]com25
w[.]google[.]com25
www[.]odtka3180h[.]com1
www[.]tiowrgijve[.]com1
www[.]bztonapwpl[.]com1
www[.]peygqgx19k[.]com1
www[.]dk7m9xlvx6[.]com1
www[.]mzepqiwos7[.]com1
www[.]ksqijdlyco[.]com1
www[.]6bxzawid0x[.]com1
www[.]szvg1jscbo[.]com1
www[.]5g14dh09da[.]com1
www[.]31dbqaqbv7[.]com1
www[.]2z9is2h9ij[.]com1
www[.]chj5xirdp2[.]com1
www[.]vcgbwtxren[.]com1
www[.]qqoqcncrkk[.]com1
www[.]pdpdhkt5in[.]com1
www[.]mvay5eclml[.]com1
www[.]am1mehlnnu[.]com1
www[.]fspreo58vc[.]com1
www[.]jmgaabxx0e[.]com1
www[.]hii7d4vsoa[.]com1
www[.]zaqkbsqz6a[.]com1
www[.]vm609jjbfh[.]com1

*See JSON for more IOCs

Files and or directories createdOccurrences
%System32%\Tasks\Google_Trk_Updater25

File Hashes

04ecaf9dad1ca60c52143ec089fb5463c87e4645725a3853d84402fd3961073f
055070c4b69d9f29afb1f2f2b9e8fef553e2bdbe00780e55868c2eaa86a38888
085c0394f9e0fc84e7a4d7fda154609b0937e3c1e6c45b5c28d9b87c864b0f14
140e5d82269f889e555e5afe7634267525701473a846f6a14a93700dd38400a0
1e1c983f95ffb3e52a752d75bfcf33c027e8a54e9fe137b0827488a836601b9b
1f56fab3060ef82a3f985aab0bc7c67cbc0acfb4dd9e739da9e165988e373bef
28389dfb6cc2796e0b4cda8f4d6ef995f4208c45a98f01105c4b77385d8c1e0a
2c3c84c22dd3c9fde845d65bc9ce773b2f9690a5db8269bce668f79ad22cd2a5
2d52321e1208ab69cb9bfa6a5ffacc3da909a2470dd800fc46ba297a9bde0458
326c378004afeb6f14c0f21f27fd9658dfc12b6909ff8b9c7799eed7566364c3
33c49af615add6fe1bff0e78dbbcba84dc5bcf89b9e9eebfcc7b190377762722
368ac014cff7aa9910f10d0433b62b1bcbae5388086d03977530dbc4df6a3b04
383065a0187857d72a7639d8b4e95b2cd6365619114a8c3459a55d0b50d62866
40271962ca2e2da37fb23049e93176712419b9131af4d34cc350608255fd0dde
40294b0e660c584e8197a67ad70f9a67ec7f13d87674d1f9e32869569417194b
4747972fe86d52522303e6c7e2a1856c74ffe3563cae1a28227039717c2d1b87
4a9dfc7e232dce8ea490c3e7c678b042dd0f167abec94b5a0e8450463ad5c76d
53e37ee719388b7de47555e26bbbab69f78d1d11470d97550dc0e8522b24a6fe
59a914deaa2212b4942536e42845fc68b1e4ec3ec8bda822f3a469b4dd10fbb3
61ea3bd7ccf04ac6fca7d947a45f56cadcf623b03eca680a340fce3d7d30c1b6
672f7e8ca1821f981cc65c22347d006a070d8f5d2c0c4550583a2ac9d658f8bb
6898124ce021f02d18b6c64d05e65e9d963f80ffb34a2f3e9aa7a77d50b7e02d
6e149ff6370b7c37d6a609924999e277a31c02bf9bc1f034208eb9f42adc7cea
6f2fa8b75298205dbf516b69c8a829338699481d7ff6c45c502e3f47d12a8ba6
707c49bceb3e464a26ba301eea252dddf1edcbbede13b8f554f805eb4ca588ec

*See JSON for more IOCs

Coverage

ProductProtection
Secure EndpointThis has coverage
CloudlockN/A
CWSThis has coverage
Email SecurityThis has coverage
Network SecurityThis has coverage
StealthwatchN/A
Stealthwatch CloudN/A
Secure Malware AnalyticsThis has coverage
UmbrellaN/A
WSAN/A

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK


Win.Dropper.Zeus-10012956-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 13 samples
Registry KeysOccurrences
\SOFTWARE\LOCAL APPWIZARD-GENERATED APPLICATIONS13
\SOFTWARE\LOCAL APPWIZARD-GENERATED APPLICATIONS\IMAGEVIEWER13
\SOFTWARE\LOCAL APPWIZARD-GENERATED APPLICATIONS\IMAGEVIEWER\RECENT FILE LIST13
\SOFTWARE\LOCAL APPWIZARD-GENERATED APPLICATIONS\IMAGEVIEWER\SETTINGS13
\SOFTWARE\MICROSOFT\INTERNET EXPLORER\PRIVACY 
Value Name: CleanCookies
1
\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.100 
Value Name: CheckSetting
1
\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.102 
Value Name: CheckSetting
1
\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.104 
Value Name: CheckSetting
1
\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.101 
Value Name: CheckSetting
1
\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.103 
Value Name: CheckSetting
1
\SOFTWARE\MICROSOFT\XAUGYT1
\SOFTWARE\MICROSOFT\XAUGYT 
Value Name: Xiycweva
1
\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN 
Value Name: {579CCBAF-A961-2396-8190-F1E6D0D72F00}
1
MutexesOccurrences
Local\{B188B787-D549-C582-8190-F1E6D0D72F00}1
Local\{9A2ED2B6-B078-EE24-8190-F1E6D0D72F00}1
Local\{B188B784-D54A-C582-8190-F1E6D0D72F00}1
GLOBAL\{}1
IP Addresses contacted by malware. Does not indicate maliciousnessOccurrences
23[.]219[.]154[.]1361
185[.]215[.]4[.]561
Domain Names contacted by malware. Does not indicate maliciousnessOccurrences
apps[.]identrust[.]com1
angryflo[.]ru1
Files and or directories createdOccurrences
%TEMP%\tmpb0d3b90f.bat1
%APPDATA%\Hevot1
%APPDATA%\Hevot\otgi.exe1
%APPDATA%\Ogpal1
%APPDATA%\Ogpal\ymvuu.tei1

File Hashes

1b5e3aab3032393e53222dbb2de14b102d616408d77de1daed4d5b7d634e7575
2efda7bc99f5455ab1f7cad7c6c8c88ae583bd92c5c2e87d772c277512ae7064
2f4546dc1541beca18c78ad1ad29c20d93210c58f9dc7da99b8888a9f14eb595
40e4d8465573efb2b61a40a682f8751b8e4db3d7e74570c78bffa7f9e5b73aad
461a5b41b026f0759b0e6b963d8dd467298e797b8e8de8781fc796358126f03b
51d60e12abf0411eec2e6c78e783a4af3b4647f9bb5b3933e88ed3734dcfde70
8aa109b95ef2d8853d76a2862205ac29172930b0d91c67e533000c1e957faea9
90960f53fb566b7b65bf41a2539c6bb29741b43ec911f9e013a4b5b1bfe6e9ba
adb128c07472a36d4ed0825be283e3f545cfd2f78deafe967838428260e4346f
c5f03b5f709bff468213c6cc3e8d09d4d1641658d1dcff53c5ae387d01ac0d6e
deb72a96204ead9c91980aae08e9627163a08505b60553c954736ef280f8caf1
e96cb67f3a2ac1326abac2795d3f25093bab298ae6e48a516bcd6b3e98926e9a
ec8290b61e9e22ab205b5ce32c1a71d13e0878506fb08eebbe4e43a545edc45a

Coverage

ProductProtection
Secure EndpointThis has coverage
CloudlockN/A
CWSThis has coverage
Email SecurityThis has coverage
Network SecurityThis has coverage
StealthwatchN/A
Stealthwatch CloudN/A
Secure Malware AnalyticsThis has coverage
UmbrellaN/A
WSAN/A

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK


Xls.Malware.Valyria-10012971-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 10 samples
MutexesOccurrences
Local\10MU_ACB10_S-1-5-5-0-6786310
Local\10MU_ACBPIDS_S-1-5-5-0-6786310
IP Addresses contacted by malware. Does not indicate maliciousnessOccurrences
162[.]241[.]120[.]1803
70[.]32[.]23[.]942
Domain Names contacted by malware. Does not indicate maliciousnessOccurrences
creditcollectionglobal[.]co4
greenpayindia[.]com3
treasuringchristonline[.]com2
kadsec[.]com1
Files and or directories createdOccurrences
%APPDATA%\notepad.js4
%APPDATA%\brisk.vbs3
%APPDATA%\notepads.js2
%APPDATA%\credit.vbs1

File Hashes

3a37360930f0d13d19523597d36813f500afc518ab89c9076c6cc2386bedd44a
41c1c3519222e382bcfd79535285dfe92ab6050781d13c9168d06810e8a590ba
48d3346619e8344ee5eaf2b6cf6f7853289eb76cca52ed9fce336e6028ad16c0
4cfb33b79b0692db144e9ed4b9eebfc976406dbc1f00d4f6d20656a11c6f4a77
aa647446d5399c4b5e8612525528148673c7e953baba53b0a02e790781fc0f6a
ad521f3bbfeb4feae8cb4be431787d2e580087e6dbd9ac9a0773b832d6d4d7c5
e18773082c76655f9222fd26198eab9011af2bebea85fb4c7d525e37e3e84024
f8d06c20dc2af83af29551f384bbde4e5380911d8db0f9e56ca549bb5995d413
fb42713cea74ad7a0d4579b86d6c213b25b1f8594019787da3f2152e436fd8fd
fff32afde4621a3765374dd749723768b95a75f638914bdac0570ab1c40d4676

Coverage

ProductProtection
Secure EndpointThis has coverage
CloudlockN/A
CWSThis has coverage
Email SecurityThis has coverage
Network SecurityN/A
StealthwatchN/A
Stealthwatch CloudN/A
Secure Malware AnalyticsThis has coverage
UmbrellaN/A
WSAN/A

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK



文章来源: https://blog.talosintelligence.com/threat-roundup-1027-1103/
如有侵权请联系:admin#unsafe.sh