Malware Update 2017

Malware Strikes December - 2017

Strike ID: M17-twn01
Malware: Doc.Dropper.Agent_e06c1e62
Platform: Mixed
Info: This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office macro downloader that downloads a payload executable. The MD5 hash of this Doc.Dropper.
MD5: e06c1e623a45b69730da1d9b40c20a84
SHA1: 3276a2e939251f1a00dfcb3497b9b83fd2d17c2b
SHA256: 3cc669528549cc7394074ac3ffbaa6cf3eed14436a1653d70f54ca2b3d5cdead
External References: http://blog.talosintelligence.com/2017/12/threat-round-up-1201-1208.html

Strike ID: M17-21l01
Malware: CeeInject_a21f47b6
Platform: Windows
Info: This strike sends a malware sample known as CeeInject. These trojan samples contain the PoSeidon malware, which steals credit card information from Point of Sale systems.
MD5: a21f47b69edf6a886a2273a6e7bc9d4e
SHA1: 2f756597391b9d2a138be5599a92d48c567fa6b9
SHA256: d065ba2603790329d31e35cd45538b693c77f9870d98c4656e490c1a5034a8fa
External References: http://blog.talosintelligence.com/2017/12/threat-round-up-1201-1208.html

Strike ID: M17-t4101
Malware: CeeInject_aa9a551a
Platform: Windows
Info: This strike sends a malware sample known as CeeInject. These trojan samples contain the PoSeidon malware, which steals credit card information from Point of Sale systems.
MD5: aa9a551a968b3a7831b82a34c926374e
SHA1: c5b7b26e7651b0f3229d244314951ede554c2309
SHA256: 62a22fb0f59578de3679f70a41c2971b384167aebb032dd782f1d23d27015aa3
External References: http://blog.talosintelligence.com/2017/12/threat-round-up-1201-1208.html

Strike ID: M17-b5501
Malware: Delf_b8845710
Platform: Windows
Info: This strike sends a malware sample known as Delf. This sample is an infostealer. It fakes an Adobe Acrobat update and gains access to the user's clipboard, allowing data to be stolen.
MD5: b8845710e4d48532a7e4426c93528bbf
SHA1: 7a6c0f696fc1d7bae9cbc6df7d8d6186ce8b7623
SHA256: c14055b23eb3a90e163962c9c70df3338bca68b67a615531ef40c6e8f8f6eabe
External References: http://blog.talosintelligence.com/2017/12/threat-round-up-1201-1208.html

Strike ID: M17-r4201
Malware: Delf_d9d5aabc
Platform: Windows
Info: This strike sends a malware sample known as Delf. This sample is an infostealer. It fakes an Adobe Acrobat update and gains access to the user's clipboard, allowing data to be stolen.
MD5: d9d5aabc90d5f8b978a84524e147680b
SHA1: b515808b145e9a1c642c05af1dba45e0804c5ca9
SHA256: b17f8e85944768cc88c0a3b7103290c6eab820348103fa7a8a412af945e1d1dc
External References: http://blog.talosintelligence.com/2017/12/threat-round-up-1201-1208.html

Strike ID: M17-g0o01
Malware: Doc.Macro.Obfuscation_e3133b93
Platform: Mixed
Info: This strike sends a malware sample known as Doc.Macro.Obfuscation. This Emotet code uses VBA macro obfuscation to hide PowerShell commands. The MD5 hash of this Doc.Macro.
MD5: e3133b936cb53af89b03b2db9c287bd0
SHA1: cba47111683347f13cb82ca01eed243e36322082
SHA256: 46217dc4ef9fcef981be9a931995008f56b71e3f510721c33ed4b58b577e8fbb
External References: http://blog.talosintelligence.com/2017/12/threat-round-up-1201-1208.html

Strike ID: M17-do701
Malware: Doc.Dropper.Agent_c575c947
Platform: Mixed
Info: This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office macro downloader that downloads a payload executable. The MD5 hash of this Doc.Dropper.
MD5: c575c94767a7bd4d1164a590650ee560
SHA1: 017371a3fade367014af9fe2d5250ac51d8f3066
SHA256: 094842414f8029ea69cca6237b7758c2559dd553c98990cb4e8474e6653e0b9f
External References: http://blog.talosintelligence.com/2017/12/threat-round-up-1201-1208.html

Strike ID: M17-jzx01
Malware: Delf_89d87940
Platform: Windows
Info: This strike sends a malware sample known as Delf. This sample is an infostealer. It fakes an Adobe Acrobat update and gains access to the user's clipboard, allowing data to be stolen.
MD5: 89d87940e1384c35b910be9604d15258
SHA1: d3db116df15a9f968b8bdc77f972a2c0512129f0
SHA256: 44e27c54ae3dc4c4c228dc10389d2b28d1230a8933d61661271f4eaf65925b1f
External References: http://blog.talosintelligence.com/2017/12/threat-round-up-1201-1208.html

Strike ID: M17-u9001
Malware: Doc.Dropper.Agent_4574af0c
Platform: Mixed
Info: This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office macro downloader that downloads a payload executable. The MD5 hash of this Doc.Dropper.
MD5: 4574af0c85d983b5d495b7eb38e587eb
SHA1: af7c2982661c8e15e757708ea598ed5378f8db16
SHA256: 2e6523b856a9f40bf3cf851407f3003a6564a7fb5d86657781a03bbd30d63966
External References: http://blog.talosintelligence.com/2017/12/threat-round-up-1201-1208.html

Strike ID: M17-9xm01
Malware: Delf_18db1885
Platform: Windows
Info: This strike sends a malware sample known as Delf. This sample is an infostealer. It fakes an Adobe Acrobat update and gains access to the user's clipboard, allowing data to be stolen.
MD5: 18db18858d8067c0c3053bfd2e44fcd8
SHA1: 2ae120eee658214f6cebe28394935dbefb8a6118
SHA256: 8486ba3a5d2ae2297118de5f39770fb89227752bbe3e59f951cd0ef0bab8c5b5
External References: http://blog.talosintelligence.com/2017/12/threat-round-up-1201-1208.html

Strike ID: M17-l4a01
Malware: Delf_fad656b7
Platform: Windows
Info: This strike sends a malware sample known as Delf. This sample is an infostealer. It fakes an Adobe Acrobat update and gains access to the user's clipboard, allowing data to be stolen.
MD5: fad656b709ddaccffb84570e67d0c686
SHA1: c77523d7ebae57ae158d83f57cd1a00894505a16
SHA256: f6bad3bc203c29350726c32d2aad744479de84bc72e1ffed0ad8392e5dde43d0
External References: http://blog.talosintelligence.com/2017/12/threat-round-up-1201-1208.html

Strike ID: M17-g2g01
Malware: Doc.Macro.Obfuscation_04aefa19
Platform: Mixed
Info: This strike sends a malware sample known as Doc.Macro.Obfuscation. This Emotet code uses VBA macro obfuscation to hide PowerShell commands. The MD5 hash of this Doc.Macro.
MD5: 04aefa199d4a542d6352f928ed744b4a
SHA1: 61cd96f61a3a4b58931dd3841200f2f2d45f6def
SHA256: 4519c2f4fc0bc43cace2e70e464c00e7302e003262d7e6f903672becaba9e8ed
External References: http://blog.talosintelligence.com/2017/12/threat-round-up-1201-1208.html

Strike ID: M17-43801
Malware: Doc.Macro.Obfuscation_c6bf3a7b
Platform: Mixed
Info: This strike sends a malware sample known as Doc.Macro.Obfuscation. This Emotet code uses VBA macro obfuscation to hide PowerShell commands. The MD5 hash of this Doc.Macro.
MD5: c6bf3a7b5d4ec5203576c47a7f6e5ef0
SHA1: 96311baa66659e23d2ce8d749f9e68995bca4dbd
SHA256: a44450c9b8514dd5647128f55d2704889c87e852e3eaceea80734ae7bf8d9f49
External References: http://blog.talosintelligence.com/2017/12/threat-round-up-1201-1208.html

Strike ID: M17-avd01
Malware: Doc.Dropper.Agent_1d62d6fa
Platform: Mixed
Info: This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office macro downloader that downloads a payload executable. The MD5 hash of this Doc.Dropper.
MD5: 1d62d6fad83ecdeb772e83f78fd69d4a
SHA1: 5e267220daf60ffc7c4411baf2da24f77ce38217
SHA256: 0e9b2c7a5526c8d469c3e2183cd52a38d862773118d2401467c59472aaf17263
External References: http://blog.talosintelligence.com/2017/12/threat-round-up-1201-1208.html

Strike ID: M17-7yh01
Malware: CeeInject_a584c3c5
Platform: Windows
Info: This strike sends a malware sample known as CeeInject. These trojan samples contain the PoSeidon malware, which steals credit card information from Point of Sale systems.
MD5: a584c3c54dba8eee4b0fc362e7e76db2
SHA1: 6536680a1ce032bac14475ae42d9ceadaae3093c
SHA256: 36d4800fb0bed77e59468ae9b732eb806d59999ec2832a72e0209473069af5b1
External References: http://blog.talosintelligence.com/2017/12/threat-round-up-1201-1208.html

Strike ID: M17-jz101
Malware: Doc.Macro.Obfuscation_0e5d2902
Platform: Mixed
Info: This strike sends a malware sample known as Doc.Macro.Obfuscation. This Emotet code uses VBA macro obfuscation to hide PowerShell commands. The MD5 hash of this Doc.Macro.
MD5: 0e5d2902bbbb951f1ff03e46209701d0
SHA1: 8af2947eb8096ee4ceba2dc6c947e95080328716
SHA256: baf01275b874c04687f84d78451e41231b31bfc0e71995e124830ba63379fedd
External References: http://blog.talosintelligence.com/2017/12/threat-round-up-1201-1208.html

Strike ID: M17-d2h01
Malware: Doc.Dropper.Agent_4fb21661
Platform: Mixed
Info: This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office macro downloader that downloads a payload executable. The MD5 hash of this Doc.Dropper.
MD5: 4fb216617e7b7dea0da5bf86fed57ba4
SHA1: 540fa52a3d00e1abc974257888aeb6af46a9fab6
SHA256: 3cae4325b4b559431dba511779feadeff19433aed194511e4ea8f4ef676ac6c7
External References: http://blog.talosintelligence.com/2017/12/threat-round-up-1201-1208.html

Strike ID: M17-09e01
Malware: CeeInject_ae76efc0
Platform: Windows
Info: This strike sends a malware sample known as CeeInject. These trojan samples contain the PoSeidon malware, which steals credit card information from Point of Sale systems.
MD5: ae76efc074b73cd22161133e927d2c43
SHA1: fb1f9e9965aabd6f222f27b3cbc07c9ce42d0774
SHA256: 3507a76940a2e6c930882b5cde32d2f11ba48cc0e6bfd6e4771a973ebe9db5ab
External References: http://blog.talosintelligence.com/2017/12/threat-round-up-1201-1208.html

Strike ID: M17-v3m01
Malware: Delf_3e933209
Platform: Windows
Info: This strike sends a malware sample known as Delf. This sample is an infostealer. It fakes an Adobe Acrobat update and gains access to the user's clipboard, allowing data to be stolen.
MD5: 3e933209d6aa9be6fe1d6152fb0248d2
SHA1: 235c3a7aed45b29cdd978fdfb7b030117cb65592
SHA256: 3b221118a4c2716c6c76ddc1b6b01866fcc2643d7c29e38279d6aa2dd27d60a7
External References: http://blog.talosintelligence.com/2017/12/threat-round-up-1201-1208.html

Strike ID: M17-xgy01
Malware: Doc.Dropper.Agent_421b5937
Platform: Mixed
Info: This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office macro downloader that downloads a payload executable. The MD5 hash of this Doc.Dropper.
MD5: 421b5937b5e764795d9052f378001ebd
SHA1: af750e75e69d868c62b5ab4afb87444950580b15
SHA256: 3ac9e97344506f3e443490eb6b0d5f877e0c8d4462ab9bf9544b5128aafc78bb
External References: http://blog.talosintelligence.com/2017/12/threat-round-up-1201-1208.html

Strike ID: M17-0kx01
Malware: GenCNs_349830be
Platform: Windows
Info: This strike sends a malware sample known as GenCNs. These samples are trojans that contain dropper and adware components. The malware contacts many remote Chinese websites and attempts to download and execute additional files.
MD5: 349830bee2fefe24a51a9bc221e7c21c
SHA1: 07eb8ae1747a67a3086f40235ba2d35733f4113b
SHA256: 354c9f630336cce0332558d73ae8000b62f61ca3eb7462e21183546f0da613b8
External References: http://blog.talosintelligence.com/2017/12/threat-round-up-1201-1208.html

Strike ID: M17-fpv01
Malware: Delf_fd56a259
Platform: Windows
Info: This strike sends a malware sample known as Delf. This sample is an infostealer. It fakes an Adobe Acrobat update and gains access to the user's clipboard, allowing data to be stolen.
MD5: fd56a2593d4a72e52ad367a24b74be5f
SHA1: ff352d3aaf8d6a6980f47ac359cc81e79bd97dd6
SHA256: 67ed3caf144d2b2dd0e8f0b6ed4de1e0ee4052e152cf32fdc22b9a3f8c935e67
External References: http://blog.talosintelligence.com/2017/12/threat-round-up-1201-1208.html

Strike ID: M17-kjp01
Malware: Delf_782c6921
Platform: Windows
Info: This strike sends a malware sample known as Delf. This sample is an infostealer. It fakes an Adobe Acrobat update and gains access to the user's clipboard, allowing data to be stolen.
MD5: 782c69213cd06e9f38d2790bce8468cd
SHA1: 0c11455383ce954cb93a3710f52b4def2270b350
SHA256: 7a41c90ba46f40af093491c1f03fa64b36c6a10603c29a9af78540cde8440d60
External References: http://blog.talosintelligence.com/2017/12/threat-round-up-1201-1208.html

Strike ID: M17-40t01
Malware: Delf_991bfd3e
Platform: Windows
Info: This strike sends a malware sample known as Delf. This sample is an infostealer. It fakes an Adobe Acrobat update and gains access to the user's clipboard, allowing data to be stolen.
MD5: 991bfd3ed82b4ff45b645fa8b26dc5cd
SHA1: 8d3eb9f9dd1b5df31a3e72f9bb274704c2204d7e
SHA256: c45fabfd7e6f52fa519d8215ac1d569ca385bb4552eae82e63da4befa319f1d9
External References: http://blog.talosintelligence.com/2017/12/threat-round-up-1201-1208.html

Strike ID: M17-o9s01
Malware: Delf_d3f52372
Platform: Windows
Info: This strike sends a malware sample known as Delf. This sample is an infostealer. It fakes an Adobe Acrobat update and gains access to the user's clipboard, allowing data to be stolen.
MD5: d3f523726090121c6b3e79d7d9f1275d
SHA1: 03c1af0b6e182bb77aca2da4a231d346abcf0c23
SHA256: 4bdae37fe1f8dab61a16f406f08a3bbe1482cd1387351f23b29849e1de64875d
External References: http://blog.talosintelligence.com/2017/12/threat-round-up-1201-1208.html

Strike ID: M17-4yf01
Malware: Delf_e27abe5e
Platform: Windows
Info: This strike sends a malware sample known as Delf. This sample is an infostealer. It fakes an Adobe Acrobat update and gains access to the user's clipboard, allowing data to be stolen.
MD5: e27abe5e4316761071b481c24f8da33c
SHA1: ad0ea4e76d4da6688df72d3129a6a5f9d1e79872
SHA256: 9b6087e9607aa0149beecd97709d27cf2e3703fded3f7d31dd613a6d3f23ccaf
External References: http://blog.talosintelligence.com/2017/12/threat-round-up-1201-1208.html

Strike ID: M17-m2w01
Malware: Delf_b8fa4e0f
Platform: Windows
Info: This strike sends a malware sample known as Delf. This sample is an infostealer. It fakes an Adobe Acrobat update and gains access to the user's clipboard, allowing data to be stolen.
MD5: b8fa4e0f817ec962d896aee21e7526ac
SHA1: a13cdf1fdab36970378ab85d177fadc6bd38f8d9
SHA256: 482142f886ed2ee2610e2740695435e0488b5c7d6081daaeffdc93c87b6e2f93
External References: http://blog.talosintelligence.com/2017/12/threat-round-up-1201-1208.html

Strike ID: M17-rql01
Malware: Delf_8f1ee3c9
Platform: Windows
Info: This strike sends a malware sample known as Delf. This sample is an infostealer. It fakes an Adobe Acrobat update and gains access to the user's clipboard, allowing data to be stolen.
MD5: 8f1ee3c99c001da889fd425ca8654cfc
SHA1: 058a91440614455f581346cc943f1d53ab4adb50
SHA256: 3dde0bb92308140701cb61711dc7e7298baff68668d96d2db9390e2b691efeb9
External References: http://blog.talosintelligence.com/2017/12/threat-round-up-1201-1208.html

Strike ID: M17-zi801
Malware: CeeInject_b156268f
Platform: Windows
Info: This strike sends a malware sample known as CeeInject. These trojan samples contain the PoSeidon malware, which steals credit card information from Point of Sale systems.
MD5: b156268ffde83b0ee9938bd0d4c03842
SHA1: 13da902ef4c126fa463b8b668fedda3a285e75be
SHA256: 58e226e02f8dded4b24ae60d2524497083c3d0dafb02436df5209fa9e1061085
External References: http://blog.talosintelligence.com/2017/12/threat-round-up-1201-1208.html

Strike ID: M17-ref01
Malware: Delf_b4abdea5
Platform: Windows
Info: This strike sends a malware sample known as Delf. This sample is an infostealer. It fakes an Adobe Acrobat update and gains access to the user's clipboard, allowing data to be stolen.
MD5: b4abdea5409282a09c29f0600eef8950
SHA1: f0062085a02ea2025fafd535df19e74ef0e50c7b
SHA256: 75eecd86ca4cbc10e60a6b5dc85964374fd91b25f0ecf08dcb7cd96d726ec581
External References: http://blog.talosintelligence.com/2017/12/threat-round-up-1201-1208.html

Strike ID: M17-02j01
Malware: Doc.Dropper.Agent_0f25b221
Platform: Mixed
Info: This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office macro downloader that downloads a payload executable. The MD5 hash of this Doc.Dropper.
MD5: 0f25b2210b58010b4de329c6a01b50ea
SHA1: 7ea2638f582d3e540efee8c0e890a8fa908b9d7a
SHA256: 0b81075cc3ef1121f3eca801d2f821719a7cfa31e5d95081ec3feb195f44d8c6
External References: http://blog.talosintelligence.com/2017/12/threat-round-up-1201-1208.html

Strike ID: M17-4s901
Malware: Doc.Dropper.Agent_b70b4b06
Platform: Mixed
Info: This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office macro downloader that downloads a payload executable. The MD5 hash of this Doc.Dropper.
MD5: b70b4b067e9e68044b8f86a69de6bbe6
SHA1: b4348ada0f12083ebc7fe10ceccfc81f0d07b1bb
SHA256: 0099b9221eb92408f0b8bead5d703b5c7ecb11962f49f5e67f60725427318236
External References: http://blog.talosintelligence.com/2017/12/threat-round-up-1201-1208.html

Strike ID: M17-fyx01
Malware: Delf_2b23f5b0
Platform: Windows
Info: This strike sends a malware sample known as Delf. This sample is an infostealer. It fakes an Adobe Acrobat update and gains access to the user's clipboard, allowing data to be stolen.
MD5: 2b23f5b038fb291689d44384df65e9e8
SHA1: 050e8d256285b7fe52a44631c9a47e1e3ef104cf
SHA256: f1db091fff240dd3d49f0d22d4809db237fda042cb7ddf7afc81a0430f5c4b8c
External References: http://blog.talosintelligence.com/2017/12/threat-round-up-1201-1208.html

Strike ID: M17-a3k01
Malware: Doc.Macro.Obfuscation_068777f3
Platform: Mixed
Info: This strike sends a malware sample known as Doc.Macro.Obfuscation. This Emotet code uses VBA macro obfuscation to hide PowerShell commands. The MD5 hash of this Doc.Macro.
MD5: 068777f3f9f62fefd51370d8490f47dd
SHA1: 09009a815366627d431838726bd77968ecea0db6
SHA256: 0f236dccbbdb81b7724f71569eff462c6fb40658f1697331617a38074a99c6e8
External References: http://blog.talosintelligence.com/2017/12/threat-round-up-1201-1208.html

Strike ID: M17-2hv01
Malware: GenCNs_1e200f01
Platform: Windows
Info: This strike sends a malware sample known as GenCNs. These samples are trojans that contain dropper and adware components. The malware contacts many remote Chinese websites and attempts to download and execute additional files.
MD5: 1e200f01c7326e1cdd15327d8a52b537
SHA1: 4fcf4bbcaaba19aaf506058ce89e06c5dda48b5b
SHA256: 093477fa334791163629386b655b01a8284cf9826760b2dd9c3046e370ce026b
External References: http://blog.talosintelligence.com/2017/12/threat-round-up-1201-1208.html

Strike ID: M17-3eu01
Malware: CeeInject_a50ec9ab
Platform: Windows
Info: This strike sends a malware sample known as CeeInject. These trojan samples contain the PoSeidon malware, which steals credit card information from Point of Sale systems.
MD5: a50ec9ab44367eae2c1c278c66600944
SHA1: 636f5221cd21a03545fb15c11e6d38d89b8126e3
SHA256: 1a7de2ac4b22ca77acef5afe8e8b45dcc5150deb3408c8934221cfbbaee0655e
External References: http://blog.talosintelligence.com/2017/12/threat-round-up-1201-1208.html

Strike ID: M17-axu01
Malware: Doc.Macro.Obfuscation_c064974a
Platform: Mixed
Info: This strike sends a malware sample known as Doc.Macro.Obfuscation. This Emotet code uses VBA macro obfuscation to hide PowerShell commands. The MD5 hash of this Doc.Macro.
MD5: c064974ac92d98807829cdbe43420666
SHA1: 71ce210f1a99aaa92446d24e3a39219a582dc564
SHA256: 0a6d8c964286f1ec0173cde38caf3d5e36147945baaa83a0200e6f35f82446af
External References: http://blog.talosintelligence.com/2017/12/threat-round-up-1201-1208.html

Strike ID: M17-hsp01
Malware: Doc.Macro.Obfuscation_4346f550
Platform: Mixed
Info: This strike sends a malware sample known as Doc.Macro.Obfuscation. This Emotet code uses VBA macro obfuscation to hide PowerShell commands. The MD5 hash of this Doc.Macro.
MD5: 4346f5504d196b5155f98c8afb40eb09
SHA1: be94f0f43d05f019a6396d6c778f741a8310ca74
SHA256: 5dbf9dc9341bd506eb2cdf5ec294c6c3029535424aa0a42e9b045cbd95c6d3df
External References: http://blog.talosintelligence.com/2017/12/threat-round-up-1201-1208.html

Strike ID: M17-7zc01
Malware: Doc.Macro.Obfuscation_c2b856bb
Platform: Mixed
Info: This strike sends a malware sample known as Doc.Macro.Obfuscation. This Emotet code uses VBA macro obfuscation to hide PowerShell commands. The MD5 hash of this Doc.Macro.
MD5: c2b856bb53d17d8175597a30904f7b83
SHA1: 5d5d2eb7060fe78b7273f24fceff046daa42312c
SHA256: d3e06e4d623b1bbf7b72ec709541c3b3fe66d09c4616c356cdc93240bd4b4c6a
External References: http://blog.talosintelligence.com/2017/12/threat-round-up-1201-1208.html

Strike ID: M17-36k01
Malware: CeeInject_b40e4e17
Platform: Windows
Info: This strike sends a malware sample known as CeeInject. These trojan samples contain the PoSeidon malware, which steals credit card information from Point of Sale systems.
MD5: b40e4e17c4629638dc656008d312619e
SHA1: 5a1caa82ccf072576de8ad643d5699e81fef2e1e
SHA256: fe33dc8941a6cd8ef4f64af295c2066eb0974966dfb355b5dd57e0c277261033
External References: http://blog.talosintelligence.com/2017/12/threat-round-up-1201-1208.html

Strike ID: M17-47t01
Malware: CeeInject_b0cc4e21
Platform: Windows
Info: This strike sends a malware sample known as CeeInject. These trojan samples contain the PoSeidon malware, which steals credit card information from Point of Sale systems.
MD5: b0cc4e2114239943e8e896620596b684
SHA1: 1b52da03d5b443b34f79033126d82a632c8227f7
SHA256: 952e29ae44bb49c78f2b3fcd8c13e22181bc0a610e36723e41b79f8c1147649f
External References: http://blog.talosintelligence.com/2017/12/threat-round-up-1201-1208.html

Strike ID: M17-pn601
Malware: Delf_c4f402ed
Platform: Windows
Info: This strike sends a malware sample known as Delf. This sample is an infostealer. It fakes an Adobe Acrobat update and gains access to the user's clipboard, allowing data to be stolen.
MD5: c4f402ed89253dc6d3a3c66a0f8107da
SHA1: 179f35392c1f954751f14400f5d6fedf028658e4
SHA256: d44dff94eaf9ed08c7f4ef47e69e0a9b308ce49c8bc814b94b2c95c92ba53fc3
External References: http://blog.talosintelligence.com/2017/12/threat-round-up-1201-1208.html

Strike ID: M17-xkg01
Malware: GenCNs_00616fd2
Platform: Windows
Info: This strike sends a malware sample known as GenCNs. These samples are trojans that contain dropper and adware components. The malware contacts many remote Chinese websites and attempts to download and execute additional files.
MD5: 00616fd29add2b97de09b7a457be4709
SHA1: 5a70be2e95529c920a9616b0c16ba5bffd5929b8
SHA256: 3e47b0d23d7e39af6759ca207d3307584862fe4181a6a4a54ea38cd45ce8c542
External References: http://blog.talosintelligence.com/2017/12/threat-round-up-1201-1208.html

Strike ID: M17-hgf01
Malware: Delf_ac3b43ed
Platform: Windows
Info: This strike sends a malware sample known as Delf. This sample is an infostealer. It fakes an Adobe Acrobat update and gains access to the user's clipboard, allowing data to be stolen.
MD5: ac3b43ed7be4b848aec8d123f10ea7cf
SHA1: 6f9f31b4d847a8f8c803345bb60cb5d99013d45d
SHA256: 04c3a321d00b8f54ae242969ede062ae10b8906ba5d7071fd0aa4f3b3b4ef73e
External References: http://blog.talosintelligence.com/2017/12/threat-round-up-1201-1208.html

Strike ID: M17-i5m01
Malware: Doc.Dropper.Agent_858e801a
Platform: Mixed
Info: This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office macro downloader that downloads a payload executable. The MD5 hash of this Doc.Dropper.
MD5: 858e801a0dc4f3cddaec207fe1273e1b
SHA1: 25a803179857c7f6d8bad45105ead4483c822092
SHA256: 14a415384df11be5271c58e66474cb4326aaeb4af0035afce1d61f75eaf53db3
External References: http://blog.talosintelligence.com/2017/12/threat-round-up-1201-1208.html

Strike ID: M17-7fo01
Malware: CeeInject_ae933938
Platform: Windows
Info: This strike sends a malware sample known as CeeInject. These trojan samples contain the PoSeidon malware, which steals credit card information from Point of Sale systems.
MD5: ae933938d5a3ec9425fc5ef91dba7cc7
SHA1: c98d42a59c83f9cf4ff1e5be38d12cd08d6d3c77
SHA256: b7ad41fbecce918894c0645aedbc60e4ac8daee24405b6a4957c98a728a14b9a
External References: http://blog.talosintelligence.com/2017/12/threat-round-up-1201-1208.html

Strike ID: M17-ar901
Malware: Delf_aeec7541
Platform: Windows
Info: This strike sends a malware sample known as Delf. This sample is an infostealer. It fakes an Adobe Acrobat update and gains access to the user's clipboard, allowing data to be stolen.
MD5: aeec754152015cb244aafd000cf0b1f2
SHA1: 7ba4f851bd04efd427a5437ae7e6f1ef410bdba7
SHA256: cc1eadad7810c4c94cdeebd63b7e54604253c4651c3a31bdf27dc96c189baa10
External References: http://blog.talosintelligence.com/2017/12/threat-round-up-1201-1208.html

Strike ID: M17-ena01
Malware: Doc.Dropper.Agent_e0a7aed6
Platform: Mixed
Info: This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office macro downloader that downloads a payload executable. The MD5 hash of this Doc.Dropper.
MD5: e0a7aed6203d6a5481231c75084f1ea2
SHA1: 1d59eb2140f1680bfc7362ea30a881c064b31750
SHA256: 365d356b6d8d463ee4d6924b37acfecf16624a58d8d2e6a783a9ef289e74ace3
External References: http://blog.talosintelligence.com/2017/12/threat-round-up-1201-1208.html

Strike ID: M17-mzt01
Malware: Doc.Macro.Obfuscation_e4f24b19
Platform: Mixed
Info: This strike sends a malware sample known as Doc.Macro.Obfuscation. This Emotet code uses VBA macro obfuscation to hide PowerShell commands. The MD5 hash of this Doc.Macro.
MD5: e4f24b19e3d3a1c12dbcebacf0b71428
SHA1: fa02d680cc152fd74ff51cf613290a7d8cf42035
SHA256: 93900a04e4d7c629e03f3d510d249f1c8497cf94d818e0ae5913b685e467be6b
External References: http://blog.talosintelligence.com/2017/12/threat-round-up-1201-1208.html

Strike ID: M17-il001
Malware: Delf_74d3b1c2
Platform: Windows
Info: This strike sends a malware sample known as Delf. This sample is an infostealer. It fakes an Adobe Acrobat update and gains access to the user's clipboard, allowing data to be stolen.
MD5: 74d3b1c2ea2baa2a623cc9faa5f2a697
SHA1: 87ba051c8658112191ced987ea835897af075707
SHA256: b7c8faa19fb394f42733df9c1bc7c5f0a5313ead7b0ec870c0db05f6e3baa910
External References: http://blog.talosintelligence.com/2017/12/threat-round-up-1201-1208.html

Strike ID: M17-kgd01
Malware: Delf_71a5947f
Platform: Windows
Info: This strike sends a malware sample known as Delf. This sample is an infostealer. It fakes an Adobe Acrobat update and gains access to the user's clipboard, allowing data to be stolen.
MD5: 71a5947fe408ccf2790ad5cd7a333d89
SHA1: 16adf91243b33bbcba754b690ff2d2ed06c3014a
SHA256: 248b6182fe5aaa120a6ad009595a93bf9431cbcd3e723ad711aef9b2d4562abf
External References: http://blog.talosintelligence.com/2017/12/threat-round-up-1201-1208.html

Strike ID: M17-kah01
Malware: Delf_00a0c1e8
Platform: Windows
Info: This strike sends a malware sample known as Delf. This sample is an infostealer. It fakes an Adobe Acrobat update and gains access to the user's clipboard, allowing data to be stolen.
MD5: 00a0c1e82d42bcc7e433ac1694e04da7
SHA1: db8941a83a6cc5cad20d49591bb1e794acede3f0
SHA256: db1181dbda2b6053b008568b8f2f7b8a98cc3bd30fbea83ac8f69900d657e56f
External References: http://blog.talosintelligence.com/2017/12/threat-round-up-1201-1208.html

Strike ID: M17-ho701
Malware: CeeInject_a0cda3e6
Platform: Windows
Info: This strike sends a malware sample known as CeeInject. These trojan samples contain the PoSeidon malware, which steals credit card information from Point of Sale systems.
MD5: a0cda3e60c2b34a6ffcff9cf81e472d9
SHA1: 830c3c07076262ae984668869e4fc8f432833451
SHA256: daee59ee955587d378dd6dc11af1a702d554c7926a9f42bac3752732c33e9317
External References: http://blog.talosintelligence.com/2017/12/threat-round-up-1201-1208.html

Malware Strikes November - 2017

Back to top
Strike ID Malware Platform Info MD5 External References
M17-a0h01Phisherly_141e78d1Mixed This strike sends a malware sample known as Phisherly. Phisherly steals a user's credentials from an infected system.141e78d16456a072c9697454fc6d5f58SHA1: eff5e2a3ac471a1b5ecdf51a72e003a82c350506
MD5: 141e78d16456a072c9697454fc6d5f58
SHA256: c272a2d96aefdef746f983e7f8720792e8a6dee97a766a651dc55f70f605b23d
https://www.symantec.com/blogs/threat-intelligence/dragonfly-energy-sector-cyber-attacks
M17-bqz01BitCoinMiner_b81901a8Windows This strike sends a malware sample known as BitCoinMiner. This sample is a Cryptocurrency miner. If the victim has a CUDA-enabled GPU the malware is able to execute.b81901a8a96a333737c01e4848ccf28dSHA1: c89f96d6f201d52ca41f5b60b2be340eab69e588
MD5: b81901a8a96a333737c01e4848ccf28d
SHA256: 7f783789ba87d344bf6450be97b0466c9b73e8cd1d320c08df8cb3636f09fbff
http://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html
M17-fto01BitCoinMiner_f18d818eWindows This strike sends a malware sample known as BitCoinMiner. This sample is a Cryptocurrency miner. If the victim has a CUDA-enabled GPU the malware is able to execute.f18d818e861b56da53deecd06c9db901SHA1: 1d2db370b9c01417251adb550bb6bd0013b1d64d
MD5: f18d818e861b56da53deecd06c9db901
SHA256: 7b4fbaabf1374e4f6c817f0ed5a359f65eabbda7cbd970cb427d57a8a44773d6
http://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html
M17-58001MSILTrojan_33d4bdc3Windows This strike sends a malware sample known as MSILTrojan. MSIL observes the user's actions via screenshots and keyboard logging. It then will try to send outbound emails through services like smtp.live.com. These can be used to exfiltrate wanted data or further spread the malware.33d4bdc3b0f88581cf6e6e8508845ebaSHA1: d01284e3b6a40c9aad311af45023902a323472ff
MD5: 33d4bdc3b0f88581cf6e6e8508845eba
SHA256: 365505f8969a04992e5e3d835dbb6987a368439b2c757c24e59dc6daa13d60e6
http://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html
M17-huj01BitCoinMiner_90c80922Windows This strike sends a malware sample known as BitCoinMiner. This sample is a Cryptocurrency miner. If the victim has a CUDA-enabled GPU the malware is able to execute.90c809221b14472eeb6f5a5fd3b72011SHA1: 051582083980bc2fb18dffbfe5178dca3b99da08
MD5: 90c809221b14472eeb6f5a5fd3b72011
SHA256: ed78e63401ee4290fb334cb0b159b1e94d86de345706f4fc30a4c1df0bd606f7
http://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html
M17-hmx01Win32.MainerLoader_a8d10ea1Windows This strike sends a malware sample known as Win32.MainerLoader. Win32.MainerLoader sends out system information to an attacker's server. It also download and execute other files on the infected computer. The MD5 hash of this Win32.a8d10ea1b0ce99f23f6397b263290b9dSHA1: 8cc314dbd1021caf074cd12acce06891d006ee4c
MD5: a8d10ea1b0ce99f23f6397b263290b9d
SHA256: 4f51485cbb20d8a807c10150e51d948d5fc41307920fb47fb6d332a7f6386270
https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/troj_gen
M17-ym801CryptoShuffler_50e52dbfWindows This strike sends a malware sample known as CryptoShuffler. CryptoShuffler steals currency from a wallet by replacing the users legitimate address with its own in the device clipboard.50e52dbf0e78fcddbc42657ed0661a3eSHA1: a18c50258d0fd2db67848f43762851a6ec3a3298
MD5: 50e52dbf0e78fcddbc42657ed0661a3e
SHA256: a4e7e5d9d03a420b1fbc51bf8bb6482fbf37247e7c673e01281e42ddd0838343
https://www.bleepingcomputer.com/news/security/cryptoshuffler-stole-150-000-by-replacing-bitcoin-wallet-ids-in-pc-clipboards/
M17-m2r01BitCoinMiner_a40990fcWindows This strike sends a malware sample known as BitCoinMiner. This sample is a Cryptocurrency miner. If the victim has a CUDA-enabled GPU the malware is able to execute.a40990fce9e03100df3c05872940a22bSHA1: 67051a38989bddb096a9283301c3a914e860f733
MD5: a40990fce9e03100df3c05872940a22b
SHA256: bc9a756357e8a0d29931d1d9ec1747bb73855cdac99021abe99b444e5332a749
http://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html
M17-plg01CryptoShuffler_7ec256d0Windows This strike sends a malware sample known as CryptoShuffler. CryptoShuffler steals currency from a wallet by replacing the users legitimate address with its own in the device clipboard.7ec256d0470b0755c952db122c6bdd0bSHA1: a42142a5990ee7d7c6ddba2b5bb9b222ccb8c291
MD5: 7ec256d0470b0755c952db122c6bdd0b
SHA256: 6014e29490c1bce7ed3837681432ebc3755574aa934fd00fd399476a0cab2e62
https://www.bleepingcomputer.com/news/security/cryptoshuffler-stole-150-000-by-replacing-bitcoin-wallet-ids-in-pc-clipboards/
M17-rbl01MSILTrojan_99262704Windows This strike sends a malware sample known as MSILTrojan. MSIL observes the user's actions via screenshots and keyboard logging. It then will try to send outbound emails through services like smtp.live.com. These can be used to exfiltrate wanted data or further spread the malware.99262704560d9a7f91ff4ede923fb89cSHA1: b02eb59d4e514d505f7bca1934d30809275a8613
MD5: 99262704560d9a7f91ff4ede923fb89c
SHA256: c78b70c786d299ecb97021fa4b989455852084ec3afc45f6e348a8a0489263df
http://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html
M17-xdl02Kovter_b8908bdeWindows This strike sends a malware sample known as Kovter. These Kovter samples deliver ransomware to their targets.b8908bde35ba9583ca50269559ce1042SHA1: ba2becd45f4f1a61563b457ec86d9a6e16146d2c
MD5: b8908bde35ba9583ca50269559ce1042
SHA256: e0467fca9d07a69a53cb436d7962499bc25be34295dacf5a5d19ae9596ad2d98
http://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html
M17-9tf01BitCoinMiner_bb5419daWindows This strike sends a malware sample known as BitCoinMiner. This sample is a Cryptocurrency miner. If the victim has a CUDA-enabled GPU the malware is able to execute.bb5419da24e3322e89643e8a304b6b11SHA1: 6a9d8fb1b31fe5f1f1dd6b5b65f7e3c6af0505f2
MD5: bb5419da24e3322e89643e8a304b6b11
SHA256: 0e92444bdc28dbd0e645cedb0c7f1d81708e2073b7c7567956b7bc665cb6b648
http://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html
Strike ID: M17-p4q01
Malware: BitCoinMiner_24d6a63c
Platform: Windows
Info: This strike sends a malware sample known as BitCoinMiner. This sample is a cryptocurrency miner; it is able to execute if the victim has a CUDA-enabled GPU.
MD5: 24d6a63c35fa7d12b2f064416f3e2de3
SHA1: cabcb6eecf6f44bef039e8b3faa649b1f085cfcb
SHA256: 1814256a36032c226ddd8263395ecbe6fad92b4b11e62120ee4d35354cb670fe
External References: http://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html

Strike ID: M17-1t101
Malware: CryptoShuffler_1a05f512
Platform: Windows
Info: This strike sends a malware sample known as CryptoShuffler. CryptoShuffler steals currency from a wallet by replacing the user's legitimate address with its own in the device clipboard.
MD5: 1a05f51212dea00c15b61e9c7b7e647b
SHA1: af0390b6c901cb7baad0b1cd12b1cabde666155e
SHA256: e8d189f83475c37631514925b5620957ba0528c2ec6fe2b41d70522f943827ee
External References: https://www.bleepingcomputer.com/news/security/cryptoshuffler-stole-150-000-by-replacing-bitcoin-wallet-ids-in-pc-clipboards/

Strike ID: M17-crw01
Malware: BitCoinMiner_e63f6558
Platform: Windows
Info: This strike sends a malware sample known as BitCoinMiner. This sample is a cryptocurrency miner; it is able to execute if the victim has a CUDA-enabled GPU.
MD5: e63f6558922f168106676055cfdf42a2
SHA1: d819666f89c8f44af4dce69e4df4fc051406bfc0
SHA256: 9dd467e34763c06e251c25d5c679e291030564a0b95b6a23a35bbe5a86889c01
External References: http://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html

Strike ID: M17-6ka01
Malware: CryptoShuffler_6eb7202b
Platform: Windows
Info: This strike sends a malware sample known as CryptoShuffler. CryptoShuffler steals currency from a wallet by replacing the user's legitimate address with its own in the device clipboard.
MD5: 6eb7202bb156e6d90d4931054f9e3439
SHA1: ff3788e5482f0ee4f9e100bfd55302da5d00981b
SHA256: 652d68f69c01a54632b185b1005e2811df65f64e509385e786017f8d29aae77d
External References: https://www.bleepingcomputer.com/news/security/cryptoshuffler-stole-150-000-by-replacing-bitcoin-wallet-ids-in-pc-clipboards/

Strike ID: M17-jwi01
Malware: Document
Platform: Mixed
Info: This strike sends a malware sample known as Document Macro Obfuscation. These document samples use obfuscated macros to launch PowerShell, which then executes malicious commands.
MD5: 61f796a5f81c329a665db9782c235891
SHA1: 635c6c57f901b8b5fe5fefed5394b824dc60c96a
SHA256: bac652b6a5cb65db95afdd9628c389f34c0e5609ed60d96f5598e43ebb151b73
External References: http://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html

Strike ID: M17-bnr01
Malware: BitCoinMiner_de1865b7
Platform: Windows
Info: This strike sends a malware sample known as BitCoinMiner. This sample is a cryptocurrency miner; it is able to execute if the victim has a CUDA-enabled GPU.
MD5: de1865b7ecdcb7c58a87253e7630fa04
SHA1: c15d78b2dc7d55ef0c0af8f32c6cc4fb658f4f00
SHA256: cc9e68134aab06089ec5b7404d5b54c572b56b04e61053d068cc8b4e67625cce
External References: http://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html

Strike ID: M17-lho01
Malware: BitCoinMiner_9710aa0f
Platform: Mixed
Info: This strike sends a malware sample known as BitCoinMiner. This sample is a cryptocurrency miner; it is able to execute if the victim has a CUDA-enabled GPU.
MD5: 9710aa0fc3583c64911e967e57988efa
SHA1: 228736959113b8cc9d7b7fe5b03236d04514c29e
SHA256: 70de06f4911513162eb141787027f2cbe463e4382905e80724ad52ca6bae17bb
External References: http://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html

Strike ID: M17-aw201
Malware: CryptoShuffler_25bf6a13
Platform: Windows
Info: This strike sends a malware sample known as CryptoShuffler. CryptoShuffler steals currency from a wallet by replacing the user's legitimate address with its own in the device clipboard.
MD5: 25bf6a132aae35a9d99e23794a41765f
SHA1: 7fa9fff6bc838689c9f360f08f35677f9801c360
SHA256: d4125d1e48fb8b682cc108cc25e05fdc9a55a460d3be98de3f4657857300a8c6
External References: https://www.bleepingcomputer.com/news/security/cryptoshuffler-stole-150-000-by-replacing-bitcoin-wallet-ids-in-pc-clipboards/

Strike ID: M17-9ow01
Malware: Kovter_34ef4378
Platform: Windows
Info: This strike sends a malware sample known as Kovter. These Kovter samples deliver ransomware to their targets.
MD5: 34ef4378ab88eaffd95a8fa0e18a6136
SHA1: 6b4e3e5fa351678e192936bf855d1a70c242f9e3
SHA256: 468fdeeba11609d222b9554616dcb8b1ab10f565dcb6291bc5360dda3a97ab08
External References: http://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html

Strike ID: M17-hmk01
Malware: BitCoinMiner_4db0c337
Platform: Windows
Info: This strike sends a malware sample known as BitCoinMiner. This sample is a cryptocurrency miner; it is able to execute if the victim has a CUDA-enabled GPU.
MD5: 4db0c33744bdc72fdf35ecc5f0297010
SHA1: 6a3b664eaf9ad476467b04ed3a04f10226df1e54
SHA256: 84dd02debbf2b0c5ed7eebf813305543265e34ec98635139787bf8b882e7c7b4
External References: http://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html

Strike ID: M17-o0r01
Malware: BitCoinMiner_bbd30233
Platform: Windows
Info: This strike sends a malware sample known as BitCoinMiner. This sample is a cryptocurrency miner; it is able to execute if the victim has a CUDA-enabled GPU.
MD5: bbd30233f78fc3e3161eac893160ed40
SHA1: 9a924c0561d02f7abb68f14c4255cb27d52b5801
SHA256: e9a76ace7562d53aaa889caf517b827427162f8512c01ced0657cb08df4121f2
External References: http://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html

Strike ID: M17-06o02
Malware: BitCoinMiner_f7878b68
Platform: Windows
Info: This strike sends a malware sample known as BitCoinMiner. This sample is a cryptocurrency miner; it is able to execute if the victim has a CUDA-enabled GPU.
MD5: f7878b6815e9f48d390b0c77ae1ab871
SHA1: dad734b20542638b170739a2bcdd81b7296861bf
SHA256: 0487114a1df2852b2f3ba69aaa49930055e04c81ffc1e68dad6b47bec7ba2faa
External References: http://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html

Strike ID: M17-y3g01
Malware: BitCoinMiner_f5d00567
Platform: Windows
Info: This strike sends a malware sample known as BitCoinMiner. This sample is a cryptocurrency miner; it is able to execute if the victim has a CUDA-enabled GPU.
MD5: f5d005670dd61571af041f2260ecbf55
SHA1: 3412e1ea4d3856b790d9441c0d3437decea05351
SHA256: a3d46a4fb9c6fa286c5dec80dd70a43c9ad70770b5d1540dea13e16b15d2ad26
External References: http://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html

Strike ID: M17-20q01
Malware: CryptoShuffler_d9a2cd86
Platform: Windows
Info: This strike sends a malware sample known as CryptoShuffler. CryptoShuffler steals currency from a wallet by replacing the user's legitimate address with its own in the device clipboard.
MD5: d9a2cd869152f24b1a5294a1c82b7e85
SHA1: a84f8ddad371c0dc399a4c48eb5aeba99fb8ee93
SHA256: b84bed5c2c639dc68a20ba3a3f4aee6b4ee143249e2883399b6450888cb50f2a
External References: https://www.bleepingcomputer.com/news/security/cryptoshuffler-stole-150-000-by-replacing-bitcoin-wallet-ids-in-pc-clipboards/

Strike ID: M17-fe201
Malware: CryptoShuffler_39569ef2
Platform: Windows
Info: This strike sends a malware sample known as CryptoShuffler. CryptoShuffler steals currency from a wallet by replacing the user's legitimate address with its own in the device clipboard.
MD5: 39569ef2c295d1392c3bc53e70bcf158
SHA1: ae45c72271f580053edc95991db3a05031c7ea68
SHA256: 16e24d31e721ddb42841d1e408695f6af4ec74219488fe5ba97f4f5e5567c6e7
External References: https://www.bleepingcomputer.com/news/security/cryptoshuffler-stole-150-000-by-replacing-bitcoin-wallet-ids-in-pc-clipboards/

Strike ID: M17-gc201
Malware: Karagany_1560f684
Platform: Windows
Info: This strike sends a malware sample known as Karagany. This sample is a trojan that downloads malicious files onto the targeted machine.
MD5: 1560f68403c5a41e96b28d3f882de7f1
SHA1: 95db15c67b48945237af7de61f3dbab92c99edd1
SHA256: 28143c7638f22342bff8edcd0bedd708e265948a5fcca750c302e2dca95ed9f0
External References: https://www.symantec.com/blogs/threat-intelligence/dragonfly-energy-sector-cyber-attacks

Strike ID: M17-23u01
Malware: Document
Platform: Mixed
Info: This strike sends a malware sample known as Document Macro Obfuscation. These document samples use obfuscated macros to launch PowerShell, which then executes malicious commands.
MD5: d2673239608588792c223fd130e59260
SHA1: 053f5a39b3cd6996dd020dbed00d450085fb6d97
SHA256: 7372b2b16620b1a35fa83f4bd31af1f78fbb3fe7d3235b06c064c4d617461f69
External References: http://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html

Strike ID: M17-tvq01
Malware: Document
Platform: Mixed
Info: This strike sends a malware sample known as Document Macro Obfuscation. These document samples use obfuscated macros to launch PowerShell, which then executes malicious commands.
MD5: 6d7b0cd6f24f2e7757c903fd5b4c9261
SHA1: 8b2c6cadf1e96606f8868b003cb9a4a0dbae501e
SHA256: f3fb2e9dcc0544751fb66d9325b5328d59298e7578c877924bc26944cbadb078
External References: http://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html

Strike ID: M17-qfv01
Malware: Kovter_8cd89461
Platform: Windows
Info: This strike sends a malware sample known as Kovter. These Kovter samples deliver ransomware to their targets.
MD5: 8cd894611c813ba38483ca4db05ec8a4
SHA1: fbfca6bd426236e91146fe9f09c6372cb0d8bef1
SHA256: be11330dfb54a48734679f458381d69059c037bd45deb69f70148f9c2e36fc0d
External References: http://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html

Strike ID: M17-oli01
Malware: Kovter_2853f41c
Platform: Windows
Info: This strike sends a malware sample known as Kovter. These Kovter samples deliver ransomware to their targets.
MD5: 2853f41c7ca1acafcd49666ae9c6270a
SHA1: 1c9737989560a5e254cd8e197bfe7680a5d9b516
SHA256: b0d41c21e5d8396f711e1224f190b3281bb04d3f797ceb9c77558a5f567e3fe4
External References: http://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html

Strike ID: M17-bk201
Malware: Magniber_8a0244ee
Platform: Windows
Info: This strike sends a malware sample known as Magniber. Magniber is a Windows ransomware Trojan. It encrypts files with specific extensions on the infected computer.
MD5: 8a0244eedee8a26139bea287a7e419d9
SHA1: 93619242ed888edfa3871035e0668cffa3643420
SHA256: 8968c1b7a7aa95931fcd9b72cdde8416063da27565d5308c818fdaafddfa3b51
External References: https://www.fireeye.com/blog/threat-research/2017/10/magniber-ransomware-infects-only-the-right-people.html

Strike ID: M17-n8m01
Malware: ANDROIDOS_JSMINER_628d47c8
Platform: Android
Info: This strike sends a malware sample known as ANDROIDOS_JSMINER. ANDROIDOS_JSMINER has malicious cryptocurrency mining capabilities. It uses dynamic JavaScript loading and native code injection to avoid detection.
MD5: 628d47c8d487baf8f59ea83c291dc4e7
SHA1: f85465431466ba2ae40cdb38367d2a8b52c593e8
SHA256: 440cc9913d623ed42563e90eec352da9438a9fdac331017af2ab9b87a5eee4af
External References: http://blog.trendmicro.com/trendlabs-security-intelligence/coin-miner-mobile-malware-returns-hits-google-play/

Strike ID: M17-aqo01
Malware: Kovter_cf86c7b4
Platform: Windows
Info: This strike sends a malware sample known as Kovter. These Kovter samples deliver ransomware to their targets.
MD5: cf86c7b48ab5632d19316f17fb35b218
SHA1: cdb9798f09051d2ba91ad6f4122aabc4cd78b58a
SHA256: 6e445be806032f4a73d17d73cb00639f632b23f2731ac0c2267a4bb34237fd32
External References: http://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html

Strike ID: M17-67m01
Malware: BitCoinMiner_e9a20556
Platform: Windows
Info: This strike sends a malware sample known as BitCoinMiner. This sample is a cryptocurrency miner; it is able to execute if the victim has a CUDA-enabled GPU.
MD5: e9a20556ff2a4b5c5b3d9bbfac4d6697
SHA1: 4999c6864d56c6b6e8b19ef8c61d380a69777fbf
SHA256: a23bdb4e3973bc0a4e746038df90e5834efbd521a59df4d488f226a956144da5
External References: http://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html

Strike ID: M17-afk01
Malware: CryptoShuffler_7ae273cd
Platform: Windows
Info: This strike sends a malware sample known as CryptoShuffler. CryptoShuffler steals currency from a wallet by replacing the user's legitimate address with its own in the device clipboard.
MD5: 7ae273cd2243c4afcc52fda6bf1c2833
SHA1: 94d09fbe0dbe265546c9b6e54b818ebf369aaaac
SHA256: 04e6837fba02b594996b121386b33132e1539aa3d373680b3768ed8c3b7438aa
External References: https://www.bleepingcomputer.com/news/security/cryptoshuffler-stole-150-000-by-replacing-bitcoin-wallet-ids-in-pc-clipboards/

Strike ID: M17-0nk01
Malware: MSILTrojan_2e417156
Platform: Windows
Info: This strike sends a malware sample known as MSILTrojan. MSIL observes the user's actions via screenshots and keyboard logging. It will then try to send outbound emails through services such as smtp.live.com, which can be used to exfiltrate the collected data or further spread the malware.
MD5: 2e41715629ffb2504dbbe476fc5cc7ca
SHA1: 5435766916e00decde56002437d8fcfd1371f121
SHA256: 6707d3ed970ced8091d64bbd0bc742e2d4d8f192e1e6c64ee9037451c04bca13
External References: http://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html

Strike ID: M17-e5501
Malware: Win32.Gibon_5baed560
Platform: Windows
Info: This strike sends a malware sample known as Win32.Gibon. This ransomware is distributed via malspam with an attached malicious document, which contains macros that will download and install the ransomware on a computer. The MD5 hash of this Win32.
MD5: 5baed5607749deabddd1722f3c3bfa0f
SHA1: 11cdb444bb7453b65453d584815005e228a1fe5d
SHA256: 30b5c4609eadafc1b4f97b906a4928a47231b525d6d5c9028c873c4421bf6f98
External References: https://www.bleepingcomputer.com/news/security/gibon-ransomware-being-distributued-by-malspam/

Strike ID: M17-muq01
Malware: Document
Platform: Mixed
Info: This strike sends a malware sample known as Document Macro Obfuscation. These document samples use obfuscated macros to launch PowerShell, which then executes malicious commands.
MD5: 5a169af04c6b7b51a32bea36c24a5dcc
SHA1: ea19a62377acdeeac7c910442e4c74205cfdc047
SHA256: 7684aa4355b4992a8e168956e54424f03acca1cab32d0c62a4c87e6b5522d991
External References: http://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html

Strike ID: M17-kdd01
Malware: BitCoinMiner_429cdb56
Platform: Mixed
Info: This strike sends a malware sample known as BitCoinMiner. This sample is a cryptocurrency miner; it is able to execute if the victim has a CUDA-enabled GPU.
MD5: 429cdb5672313d8e2dff29fe3e68cd7a
SHA1: 8b5eab59d76eb42a59fee6aeac606154da0a3bce
SHA256: 2888cc28bac5a432b2a819e08420e8f7e59f28d56ce8168c5865e6c3cd875776
External References: http://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html

Strike ID: M17-ws801
Malware: BitCoinMiner_02793535
Platform: Windows
Info: This strike sends a malware sample known as BitCoinMiner. This sample is a cryptocurrency miner; it is able to execute if the victim has a CUDA-enabled GPU.
MD5: 027935353d8c8f8bd70efdb55592e8ed
SHA1: 9002922f9a14faf7dbffd4db23ad5a892e52d0ff
SHA256: 3daa009acb66af54564e8dd02da9f2ec1fbebb8c86382c461600cca5ca63ce20
External References: http://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html

Strike ID: M17-u9f01
Malware: AsiaHitGroup_60a71632
Platform: Android
Info: This strike sends a malware sample known as AsiaHitGroup. This mobile Android malware is disguised as an alarm clock app, a QR scanner app, a compass app, a photo editor app, an Internet speed test app, and a file explorer app on the Google Play store. Once downloaded and launched, the application will attempt to download a malicious APK. However, it appears that the device must be located in Asia for these outbound calls and the APK download to succeed.
MD5: 60a71632004ee431abb28bf91c3a4982
SHA1: 18d99b25f0805c38737aeed025ecdf9cb4213eac
SHA256: 5650d33173ecf1979d7648ee2f3faeb2494de5969373838c6bc16fac68175b55
External References: https://blog.malwarebytes.com/cybercrime/2017/11/new-trojan-malware-discovered-google-play/

Strike ID: M17-9qp01
Malware: Kovter_83b2b7d7
Platform: Windows
Info: This strike sends a malware sample known as Kovter. These Kovter samples deliver ransomware to their targets.
MD5: 83b2b7d72a697c0b67d7d4680ba5d9b1
SHA1: 3c234c10bc5d76b31ac2338d074338b59a9652af
SHA256: c4e37130cc1688d204ef34f8762d9c3182552622bbf61b127b22c0b733a3b700
External References: http://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html

Strike ID: M17-wxl01
Malware: EMOTET_e3f53eb7
Platform: Mixed
Info: This strike sends a malware sample known as EMOTET. Emotet is a banking Trojan that has targeted users in Europe and the U.S.
MD5: e3f53eb751acc7eb18645753a15a1325
SHA1: b98d80994ef3f6a66ce37fabcb862752673de8d5
SHA256: 455be9278594633944bfdada541725a55e5ef3b7189ae13be8b311848d473b53
External References: http://blog.trendmicro.com/trendlabs-security-intelligence/new-emotet-hijacks-windows-api-evades-sandbox-analysis/

Strike ID: M17-zt901
Malware: Cosmic
Platform: Windows
Info: This strike sends a malware sample known as Cosmic Duke. This sample is part of a known family related to the MiniDuke APT. When executed, it exfiltrates credentials stored on disk to a remote server.
MD5: 00064289cfe524823d92e59f9502d3c7
SHA1: 21b8e6a957e13b9eeea09d32462824eaaa3879fc
SHA256: 496220acf4b44f5564898533636dc3f19304d86ef7d223fbeedfb858e1570fd3
External References: http://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html

Strike ID: M17-xcx01
Malware: BitCoinMiner_4de76e36
Platform: Windows
Info: This strike sends a malware sample known as BitCoinMiner. This sample is a cryptocurrency miner; it is able to execute if the victim has a CUDA-enabled GPU.
MD5: 4de76e36b07903fb9edb4eb99178b9a3
SHA1: 76b5ef6b17be91a3cfa03ef81b3015e49edaed50
SHA256: f26e6efc015b0dc9982b88fa02e3f2b2601173aaa300feb558104ef453c94941
External References: http://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html

Strike ID: M17-b5o01
Malware: CryptoShuffler_80df8640
Platform: Windows
Info: This strike sends a malware sample known as CryptoShuffler. CryptoShuffler steals currency from a wallet by replacing the user's legitimate address with its own in the device clipboard.
MD5: 80df8640893e2d7ccd6f66fff6216016
SHA1: f4553d85c2414e76fcf8fd29cb4ee72f8dc7fefb
SHA256: 5a8910d46a33500f8aceb21022401a9f0f813aba816228374960f491b7ecdc0e
External References: https://www.bleepingcomputer.com/news/security/cryptoshuffler-stole-150-000-by-replacing-bitcoin-wallet-ids-in-pc-clipboards/

Strike ID: M17-m5e01
Malware: CryptoShuffler_14461d5e
Platform: Windows
Info: This strike sends a malware sample known as CryptoShuffler. CryptoShuffler steals currency from a wallet by replacing the user's legitimate address with its own in the device clipboard.
MD5: 14461d5ea29b26bb88abf79a36c1e449
SHA1: 2cc7c759f20b53b9835b34b1ccb4f1023e45934e
SHA256: c22248719c19ca31d60370e9054c7866758d842547c65953e461138e4ce09788
External References: https://www.bleepingcomputer.com/news/security/cryptoshuffler-stole-150-000-by-replacing-bitcoin-wallet-ids-in-pc-clipboards/

Strike ID: M17-o6701
Malware: BitCoinMiner_20be1c12
Platform: Windows
Info: This strike sends a malware sample known as BitCoinMiner. This sample is a cryptocurrency miner; it is able to execute if the victim has a CUDA-enabled GPU.
MD5: 20be1c1252b41cffd918ceabfcb7fc1c
SHA1: 4691fb23b0db41bd97effffd477173e3e437e705
SHA256: 314fa254bd1da034501300e8766d000aa0ab306bbd19f42e243f9d2370473712
External References: http://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html

Strike ID: M17-ui801
Malware: AsiaHitGroup_178e6737
Platform: Android
Info: This strike sends a malware sample known as AsiaHitGroup. This mobile Android malware is disguised as an alarm clock app, a QR scanner app, a compass app, a photo editor app, an Internet speed test app, and a file explorer app on the Google Play store. Once downloaded and launched, the application will attempt to download a malicious APK. However, it appears that the device must be located in Asia for these outbound calls and the APK download to succeed.
MD5: 178e6737a779a845b8f2baf143fdea15
SHA1: 133e77bee8897052be054cbf238d64e858ee92ac
SHA256: e6d4d7c7ff21dd359d94089c095aec85936120007a2b20931ad0087a05fa9aa5
External References: https://blog.malwarebytes.com/cybercrime/2017/11/new-trojan-malware-discovered-google-play/

Strike ID: M17-1nk01
Malware: Cosmic
Platform: Windows
Info: This strike sends a malware sample known as Cosmic Duke. This sample is part of a known family related to the MiniDuke APT. When executed, it exfiltrates credentials stored on disk to a remote server.
MD5: 0005a28a83a6767035ae2fa2bb9941e3
SHA1: a1f5ea21b314848fe5f42fecbf9745e5098fbd90
SHA256: eababe6f24e25622d795bde97ccfc32c51c1d0ee346a3c345f26b8e191d54664
External References: http://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html

Strike ID: M17-zrz01
Malware: CryptoShuffler_0ad946c3
Platform: Windows
Info: This strike sends a malware sample known as CryptoShuffler. CryptoShuffler steals currency from a wallet by replacing the user's legitimate address with its own in the device clipboard.
MD5: 0ad946c351af8b53eac06c9b8526f8e4
SHA1: 18cc6c59074f782b94ca0c2065b1245073b7b427
SHA256: 56e564ca187f03ff851522e8df7d19fe4f23b7299ff158f0895a464654b71b33
External References: https://www.bleepingcomputer.com/news/security/cryptoshuffler-stole-150-000-by-replacing-bitcoin-wallet-ids-in-pc-clipboards/

Strike ID: M17-khj01
Malware: Document
Platform: Mixed
Info: This strike sends a malware sample known as Document Macro Obfuscation. These document samples use obfuscated macros to launch PowerShell, which then executes malicious commands.
MD5: 6090a7ec6b5b44a061e21b8583077509
SHA1: 9d3491bed9edde08ffc658f738efa2599102ebe5
SHA256: ecdeeda6b71b88d0367bfb63291afe5ab5e34a5a43244791604c28d43323f59a
External References: http://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html

Strike ID: M17-rys01
Malware: Kovter_2dc0bc50
Platform: Windows
Info: This strike sends a malware sample known as Kovter. These Kovter samples deliver ransomware to their targets.
MD5: 2dc0bc500df708a104cf9522acf28bdf
SHA1: 1bc5af673571c8e1c5204727dd31c7b93934d4d6
SHA256: da973bebb2c14bcd3f493ffc1cc2cd6225f3b49fe77c1189de35f2dcfa72bbf8
External References: http://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html

Strike ID: M17-kdu01
Malware: Marcher_0fdff6b5
Platform: Android
Info: This strike sends a malware sample known as Marcher. Marcher is an Android banking trojan that has been around since 2013. Security experts have observed new strains of this malware being spread through SMS/MMS messages containing links to popular Android applications.
MD5: 0fdff6b5dbe7c749720823b01bf03581
SHA1: 7272f999fd0ca9517befbd14f8dd020551a3d0c3
SHA256: 22df438b3dd1ba417700abf998e4b24a666623e1ce7dc05b0388c695f78898cd
External References: https://info.phishlabs.com/blog/android.trojan.marcher-conclusion
https://info.phishlabs.com/blog/technique-change-observed-in-malicious-android-application-marcher-banking-trojan

Strike ID: M17-xh601
Malware: Cosmic
Platform: Windows
Info: This strike sends a malware sample known as Cosmic Duke. This sample is part of a known family related to the MiniDuke APT. When executed, it exfiltrates credentials stored on disk to a remote server.
MD5: 00012978bd7350d3348eaee157519f7b
SHA1: 0013b6b96094490b5b71d7428a66a5df9e6a9264
SHA256: 792536894069dc265ae05a25f86a358a10011fa3d32ccf972e5867f862997925
External References: http://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html

Strike ID: M17-baz01
Malware: CryptoShuffler_1e785429
Platform: Windows
Info: This strike sends a malware sample known as CryptoShuffler. CryptoShuffler steals currency from a wallet by replacing the user's legitimate address with its own in the device clipboard.
MD5: 1e785429526cc2621baf8bb05ed17d86
SHA1: da4247104540eb884f41780e675d8b3e1c116faa
SHA256: 00e3bcfd0ef917c73c5a3818daf5bc0271fb3da53817df1215c20bfa5e4e91da
External References: https://www.bleepingcomputer.com/news/security/cryptoshuffler-stole-150-000-by-replacing-bitcoin-wallet-ids-in-pc-clipboards/

Strike ID: M17-h9901
Malware: BitCoinMiner_884f4ad2
Platform: Windows
Info: This strike sends a malware sample known as BitCoinMiner. This sample is a cryptocurrency miner; it is able to execute if the victim has a CUDA-enabled GPU.
MD5: 884f4ad2a0794df84686a171f2b537ec
SHA1: 2333de451a4c2f939bb4f8f474853589b92e280e
SHA256: 3bcd92e4b5d1961e6b85f140d83698c37f0eba71993e41fc62c80a32e1a091c2
External References: http://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html

Strike ID: M17-tcs01
Malware: MSILTrojan_f5fba636
Platform: Windows
Info: This strike sends a malware sample known as MSILTrojan. MSIL observes the user's actions via screenshots and keyboard logging. It will then try to send outbound emails through services such as smtp.live.com, which can be used to exfiltrate the collected data or further spread the malware.
MD5: f5fba636088a87a397646070e33b2879
SHA1: ba7caa2338dcbaa3882226e3fbcb0dc3a6feb740
SHA256: 47c364ac3d539ac0874e66b3f7cb0c5a87e3c67323156b082575fc926d1ecb13
External References: http://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html

Strike ID: M17-hjc01
Malware: BitCoinMiner_f316095a
Platform: Windows
Info: This strike sends a malware sample known as BitCoinMiner. This sample is a cryptocurrency miner; it is able to execute if the victim has a CUDA-enabled GPU.
MD5: f316095aaf3c80fc343826ce1b0fedf2
SHA1: fc367378558214aa1e23533c48b56e5cd43bf84c
SHA256: 82bbc279515e29a63b38752d3532e6f9e5e36ffb6b4f1dd783c370eb68667b76
External References: http://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html

Strike ID: M17-se101
Malware: BitCoinMiner_cf67170f
Platform: Windows
Info: This strike sends a malware sample known as BitCoinMiner. This sample is a cryptocurrency miner; it is able to execute if the victim has a CUDA-enabled GPU.
MD5: cf67170f3aadc037c0244e3139d09ecb
SHA1: b65e6be09d3f9ddc3a3bc623a7f7e10fb0962a9b
SHA256: 714069902c8b82e636cda415148847f5867a32706eaf4a3a04fcb0efac7cc03a
External References: http://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html

Strike ID: M17-qbr01
Malware: MSILTrojan_b4f78eed
Platform: Windows
Info: This strike sends a malware sample known as MSILTrojan. MSIL observes the user's actions via screenshots and keyboard logging. It will then try to send outbound emails through services such as smtp.live.com, which can be used to exfiltrate the collected data or further spread the malware.
MD5: b4f78eed0970b137295f3a2ef8822ade
SHA1: 8224b97eeba1a3a6d366854feb964360033097a0
SHA256: db8c2fa78a2751bafd2d1a95f778a725735d42854c901e42976d1599f75deef5
External References: http://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html

Strike ID: M17-zfb01
Malware: CryptoShuffler_aa46f95f
Platform: Windows
Info: This strike sends a malware sample known as CryptoShuffler. CryptoShuffler steals currency from a wallet by replacing the user's legitimate address with its own in the device clipboard.
MD5: aa46f95f25c764a96f0fb3c75e1159f8
SHA1: 77d98d609236c1ea6c8336a4dff59366be4ab1b2
SHA256: a933d57549ed5250e1038db316baffb21291a8b4738d020d940adf61e0cfed53
External References: https://www.bleepingcomputer.com/news/security/cryptoshuffler-stole-150-000-by-replacing-bitcoin-wallet-ids-in-pc-clipboards/

Strike ID: M17-ent01
Malware: Marcher_084390d7
Platform: Android
Info: This strike sends a malware sample known as Marcher. Marcher is an Android banking trojan that has been around since 2013. Security experts have observed new strains of this malware being spread through SMS/MMS messages containing links to popular Android applications.
MD5: 084390d758e66732645e8f51007f5ef1
SHA1: 97b581a81c7c9fe4b03393f0bd2a91588457ab40
SHA256: 663dd58fcd4ed84c097d0b4abf86a24613dd1fe49112d59d6bf3cbfb11acd5b5
External References: https://info.phishlabs.com/blog/android.trojan.marcher-conclusion
https://info.phishlabs.com/blog/technique-change-observed-in-malicious-android-application-marcher-banking-trojan

Strike ID: M17-t4n01
Malware: BitCoinMiner_207b4096
Platform: Windows
Info: This strike sends a malware sample known as BitCoinMiner. This sample is a cryptocurrency miner; it is able to execute if the victim has a CUDA-enabled GPU.
MD5: 207b4096ea7dec575b14c6459d4df895
SHA1: be66427c06f87129c818ac61a904c7462167bdd5
SHA256: de7d4019549e2f018789c902afe9552bd9127328dc439bbe59d8b79a8565569c
External References: http://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html

Strike ID: M17-uth01
Malware: BitCoinMiner_3f67d5cd
Platform: Windows
Info: This strike sends a malware sample known as BitCoinMiner. This sample is a cryptocurrency miner; it is able to execute if the victim has a CUDA-enabled GPU.
MD5: 3f67d5cd0cf42aa15aba7295741b5725
SHA1: 8c87c1e578caa47272ff56401c688e68be82eed6
SHA256: 293548f39cdaeac4d59fb55efbce7ac214349aa5ae46df0f905a0ab5cc1ae5ee
External References: http://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html

Strike ID: M17-ita01
Malware: MSILTrojan_88eb478d
Platform: Windows
Info: This strike sends a malware sample known as MSILTrojan. MSIL observes the user's actions via screenshots and keyboard logging. It will then try to send outbound emails through services such as smtp.live.com, which can be used to exfiltrate the collected data or further spread the malware.
MD5: 88eb478d43bc41fdc3179151f1646d8e
SHA1: f7a63f0297c8c946e70e7ef34bb3357e7a7693a2
SHA256: b793ca990b4ebad46758253f8b3065334f923a7c077ce57c3b71308b6bd38422
External References: http://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html

Strike ID: M17-k9001
Malware: Cosmic
Platform: Windows
Info: This strike sends a malware sample known as Cosmic Duke. This sample is part of a known family related to the MiniDuke APT. When executed, it exfiltrates credentials stored on disk to a remote server.
MD5: 0003087a16dcd93b55fd9867fece6806
SHA1: fb56cb3dac0cb3e1e5c328f5b469623f9688c999
SHA256: 98e5bc8b136f2aafc7b46308f71ceeb675f057f3220a44e90e7498e226d746d3
External References: http://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html

Strike ID: M17-2pb01
Malware: CryptoShuffler_b7adc869
Platform: Windows
Info: This strike sends a malware sample known as CryptoShuffler. CryptoShuffler steals currency from a wallet by replacing the user's legitimate address with its own in the device clipboard.
MD5: b7adc8699cdc02d0ab2d1bb8be1847f4
SHA1: 445d6cb81fe995e748026f1de9cbbeb3289fe91c
SHA256: 7d1486e42dd9ce388ed1a04c6ae1c9233dfb00b151512141370d322ea2822b6e
External References: https://www.bleepingcomputer.com/news/security/cryptoshuffler-stole-150-000-by-replacing-bitcoin-wallet-ids-in-pc-clipboards/

Strike ID: M17-w8e01
Malware: Cosmic
Platform: Windows
Info: This strike sends a malware sample known as Cosmic Duke. This sample is part of a known family related to the MiniDuke APT. When executed, it exfiltrates credentials stored on disk to a remote server.
MD5: 00056cffa20df8ad95108490d2d1ebbb
SHA1: d7699d0329d7b0e88778d75fdea8631510e12f98
SHA256: 457bd4b9ad2c422f91fc5bcf74c52d392d32ace50f244d1beb624f42eebbaec8
External References: http://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html

Strike ID: M17-knx01
Malware: Dorshel_b3b5d67f
Platform: Windows
Info: This strike sends a malware sample known as Dorshel. Dorshel is a Trojan that opens a backdoor on the infected machine.
MD5: b3b5d67f5bbf5a043f5bf5d079dbcb56
SHA1: c7eae6cd08d0601223b641745f078dffce285066
SHA256: cee4211af96df184236e816ab0b11d95d1075148299a29719fcd9675b2714426
External References: https://www.symantec.com/blogs/threat-intelligence/dragonfly-energy-sector-cyber-attacks

Strike ID: M17-qhi01
Malware: Document
Platform: Mixed
Info: This strike sends a malware sample known as Document Macro Obfuscation. These document samples use obfuscated macros to launch PowerShell, which then executes malicious commands.
MD5: 541c4ae0b75d2f4261ae69cda4722c76
SHA1: 6c8885233d34af040c69310d2435143643a1dd00
SHA256: 0b8bcc0c7281c9ad5e2c03b08c881b48015d064906deeccbe7bf944f4ef6d532
External References: http://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html

Strike ID: M17-v7x01
Malware: AsiaHitGroup_b481ce9d
Platform: Android
Info: This strike sends a malware sample known as AsiaHitGroup. This mobile Android malware is disguised as an alarm clock app, a QR scanner app, a compass app, a photo editor app, an Internet speed test app, and a file explorer app on the Google Play store. Once downloaded and launched, the application will attempt to download a malicious APK. However, it appears that the device must be located in Asia for these outbound calls and the APK download to succeed.
MD5: b481ce9d0b7295cda33b15f9c7809b95
SHA1: 6e0dc1a6edffa26998b80a42c0773941d0cd36ca
SHA256: 9d07dd6f6266167edeb83e7eeac1d10a4c038f349e18ba2d65a2fff9c8a17099
External References: https://blog.malwarebytes.com/cybercrime/2017/11/new-trojan-malware-discovered-google-play/

Strike ID: M17-e8i01
Malware: CryptoShuffler_095536ca
Platform: Windows
Info: This strike sends a malware sample known as CryptoShuffler. CryptoShuffler steals currency from a wallet by replacing the user's legitimate address with its own in the device clipboard.
MD5: 095536ca531ae11a218789cf297e71ed
SHA1: 6fc487600cf7b89bb29828b46f090635e0b17654
SHA256: e79733fb552d4c91268ec0f1d0bd4de6030123650ed8b4cf4d0bdbf9b48c2963
External References: https://www.bleepingcomputer.com/news/security/cryptoshuffler-stole-150-000-by-replacing-bitcoin-wallet-ids-in-pc-clipboards/

Strike ID: M17-ggm01
Malware: Document
Platform: Mixed
Info: This strike sends a malware sample known as Document Macro Obfuscation. These document samples use obfuscated macros to launch PowerShell, which then executes malicious commands.
MD5: bb0c0d90c304ee48045db45bcb64d039
SHA1: aaeae71d40a14a4ebf520a08f70726f2f31c7556
SHA256: dd8bd175e95c9bdc963f6b7a188f9a0e4184411097123e2bb76111c9550b12dd
External References: http://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html

M17-tnm01 | BitCoinMiner_8dbb98a8 | Windows
Info: This strike sends a malware sample known as BitCoinMiner. This sample is a cryptocurrency miner. If the victim has a CUDA-enabled GPU, the malware is able to execute.
SHA1: b226981f2f524b6b996398b08d919f53768d87ae
MD5: 8dbb98a873ddd30eddd07fc0450dfb8c
SHA256: 63544397a0cfbf53588ad8792a870e6b7ff2fa0cf16dc6a3796a3ea4805776d6
http://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html
M17-n0f01 | EMOTET_c18a79a8 | Mixed
Info: This strike sends a malware sample known as EMOTET. Emotet is a banking Trojan that has targeted users in Europe and the U.S.
SHA1: 14db95d275bad7fe63fbdbacec967309b660240b
MD5: c18a79a8cdb7a8dc8237d9fe4c654902
SHA256: 3f75ee07639bbcebf9b904debae1b40ae1e2f2cbfcef44caeda21a9dae71c982
http://blog.trendmicro.com/trendlabs-security-intelligence/new-emotet-hijacks-windows-api-evades-sandbox-analysis/
M17-4bw01 | Document Macro Obfuscation | Mixed
Info: This strike sends a malware sample known as Document Macro Obfuscation. These document samples use obfuscated macros to launch PowerShell and then execute malicious commands.
SHA1: 1290b9a58304df9f86ea502c6d1942d49f2c12c3
MD5: 2f7d44061aa3ee95590a68a61281d41c
SHA256: f1231de08447a85356afedfdad5262e7ebba32bc68d23e73e5385164caf2182b
http://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html
M17-du501 | Document Macro Obfuscation | Mixed
Info: This strike sends a malware sample known as Document Macro Obfuscation. These document samples use obfuscated macros to launch PowerShell and then execute malicious commands.
SHA1: 5409ab136cb2261a71ed3e6af8a1b5900efa46ed
MD5: 2e705bff61f210c1395890d90b54a921
SHA256: 7c056f1a930943cd3afcba96555185cb598210f96c1b098b321a6e7d087599a8
http://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html
M17-43v01 | Kovter_9d0ef4a2 | Windows
Info: This strike sends a malware sample known as Kovter. These Kovter samples deliver ransomware to their targets.
SHA1: 30f8ed43aa45d75b330a6d9685086a4d90cb68d0
MD5: 9d0ef4a2161f47a7ece488906e0ed983
SHA256: fa0577e117929e21a3881b615a0a3cb087f5bbda6628b7612f036d0753c1b24b
http://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html
M17-8j701 | BitCoinMiner_27d24809 | Windows
Info: This strike sends a malware sample known as BitCoinMiner. This sample is a cryptocurrency miner. If the victim has a CUDA-enabled GPU, the malware is able to execute.
SHA1: 63cb3988223961e2cb5063fcfb8f24c2aefc9db8
MD5: 27d2480941a8bce3205854b38a61f7af
SHA256: 7a6d865285069c90fcf5b8b3671b6daa7c9e6a9e39a37d4854ab630c6f094178
http://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html
M17-zv402 | EMOTET_d6c81263 | Windows
Info: This strike sends a malware sample known as EMOTET. Emotet is a banking Trojan that has targeted users in Europe and the U.S.
SHA1: 294b381e200aa3f343989877c9ef5efdda25ca42
MD5: d6c8126371d37ffe3100755db6aa22ed
SHA256: fbff242aeeff98285e000ef03cfa96e87d6d63c41080d531edcb455646b64eec
http://blog.trendmicro.com/trendlabs-security-intelligence/new-emotet-hijacks-windows-api-evades-sandbox-analysis/
M17-lcj01 | BitCoinMiner_39f7e72f | Windows
Info: This strike sends a malware sample known as BitCoinMiner. This sample is a cryptocurrency miner. If the victim has a CUDA-enabled GPU, the malware is able to execute.
SHA1: 3017a7e1f3e4014085f0f347dd463bb3281e3c48
MD5: 39f7e72f1749e4d76c0e7edd965e984f
SHA256: aecfcd163d2665720b7b63288b6964dcab57960c2c3cd77e7674445c282c3188
http://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html
M17-28v01 | Kovter_8dc86428 | Windows
Info: This strike sends a malware sample known as Kovter. These Kovter samples deliver ransomware to their targets.
SHA1: cb15e8d0dc0ae34889cb0ffc9d1efcf4f3d43d53
MD5: 8dc864280742ac9c038522b33c40b6ec
SHA256: 36d5cee0fd6862ae64e0074e12ca1599be7953d7cdfa93ca3993c5f83c9cf1b2
http://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html
M17-ghb01 | BitCoinMiner_fb675e13 | Windows
Info: This strike sends a malware sample known as BitCoinMiner. This sample is a cryptocurrency miner. If the victim has a CUDA-enabled GPU, the malware is able to execute.
SHA1: 7c0884b56e5c40786f6cb8e4e42083116c36dfd4
MD5: fb675e1398e9f6b8b6c43937c6e9e351
SHA256: 019538248027b51c92cef1cc2e8cff4577c30508e0aa06a65adfdcc125c6846c
http://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html
M17-ac801 | Kovter_b24b8f5c | Windows
Info: This strike sends a malware sample known as Kovter. These Kovter samples deliver ransomware to their targets.
SHA1: 073b067a68e24e038ced211a7c343d8ca3379c62
MD5: b24b8f5cd81ba3968ecee4b95f310ad0
SHA256: cc714cbf5aac23f09bcc9eea1b8577d2e1673d9fe1433f5658eecc818a2f8469
http://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html
M17-5fw01 | Win32.BioData_fec0ca20 | Windows
Info: This strike sends a malware sample known as Win32.BioData. This malware exploits a vulnerability in the InPage program. It can download and execute malicious files on the infected system. The MD5 hash of this Win32.BioData sample is fec0ca2056d679a63ca18cb132223332.
SHA1: 5bf9d07d06be22f999e2f94fd3dbca4dd2ef0be6
MD5: fec0ca2056d679a63ca18cb132223332
SHA256: 5716509e4cdbf8ffa5fbce02b8881320cb852d98e590215455986a5604a453f7
https://researchcenter.paloaltonetworks.com/2017/11/unit42-recent-inpage-exploits-lead-multiple-malware-families/
M17-01o01 | AsiaHitGroup_995d5dc8 | Android
Info: This strike sends a malware sample known as AsiaHitGroup. This mobile Android malware is disguised as an alarm clock app, a QR scanner app, a compass app, a photo editor app, an Internet speed test app, and a file explorer app on the Google Play store. Once downloaded and launched, the application will attempt to download a malicious APK. However, it appears as though you must be in Asia to make these outbound calls and download this APK.
SHA1: f2be8f0f3228fa225a33e1c03b2836e4b9bc2ff9
MD5: 995d5dc873104b5e42b3c0af805359db
SHA256: 4629536b5c92fa3d7fb55c9dba87b255405c7224fe06d60c281edc13de21e754
https://blog.malwarebytes.com/cybercrime/2017/11/new-trojan-malware-discovered-google-play/
M17-i8v01 | CryptoShuffler_d45b0a25 | Windows
Info: This strike sends a malware sample known as CryptoShuffler. CryptoShuffler steals currency from a wallet by replacing the user's legitimate address with its own in the device clipboard.
SHA1: 565e71a83a99239ee32834ec2fc3620c6b039368
MD5: d45b0a257f8a0710c7b27980de22616e
SHA256: 5ce1f20b6136523e3ce01361e77062a21279f7b95124c9640e8d5cb53a6c4d3e
https://www.bleepingcomputer.com/news/security/cryptoshuffler-stole-150-000-by-replacing-bitcoin-wallet-ids-in-pc-clipboards/
M17-rv201 | MSILTrojan_9165ccce | Windows
Info: This strike sends a malware sample known as MSILTrojan. MSIL observes the user's actions via screenshots and keyboard logging. It then tries to send outbound emails through services such as smtp.live.com, which can be used to exfiltrate the collected data or further spread the malware.
SHA1: 026708c4ecb7381392c430702cb08a1d07d7efae
MD5: 9165cccee0c1248d2f906b8634a175a5
SHA256: 987cdbc17259f87a9e6b04c1d6c3c971f23c380f7da1a0d93ff79584230e5b7c
http://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html
M17-qv701 | BitCoinMiner_91725ab4 | Windows
Info: This strike sends a malware sample known as BitCoinMiner. This sample is a cryptocurrency miner. If the victim has a CUDA-enabled GPU, the malware is able to execute.
SHA1: 386658978699d3f095598ef5aa32b540e230943d
MD5: 91725ab4f5caf0154cc1eb424cee8c53
SHA256: fdfe3ab063fd7dad96a6492cc1b7f43c169e270868a3541a89e177b8dacaf16b
http://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html
M17-0c001 | ANDROIDOS_JSMINER_fc1e0818 | Android
Info: This strike sends a malware sample known as ANDROIDOS_JSMINER. ANDROIDOS_JSMINER has malicious cryptocurrency mining capabilities. It uses dynamic JavaScript loading and native code injection to avoid detection.
SHA1: 6241e89839c4a15472c963c4cce57dd31017daf4
MD5: fc1e08187de3f4b7cb52bd09ea3c2594
SHA256: 22581e7e76a09d404d093ab755888743b4c908518c47af66225e2da991d112f0
http://blog.trendmicro.com/trendlabs-security-intelligence/coin-miner-mobile-malware-returns-hits-google-play/
M17-da401 | Win32.SunOrcald_8ea868f0 | Windows
Info: This strike sends a malware sample known as Win32.SunOrcald. This variant is used concurrently with both Reaver and the traditional SunOrcal and shares much of the same infrastructure. It downloads and executes DLL files on the infected system. It also adds a value to the RunOnce key in the Registry. The MD5 hash of this Win32.SunOrcald sample is 8ea868f0655560fb7ec299305fbaefbe.
SHA1: 9a62eac0757f2a056c7a9e0d8d971b61ef69362e
MD5: 8ea868f0655560fb7ec299305fbaefbe
SHA256: 67ef25b0708e6c268d2cbd78d03141acfc9cf895b8422da69beb2ca598f2fcc7
https://researchcenter.paloaltonetworks.com/2017/11/unit42-sunorcal-adds-github-steganography-repertoire-expands-vietnam-myanmar/
M17-d2j01 | BitCoinMiner_ce2250c0 | Windows
Info: This strike sends a malware sample known as BitCoinMiner. This sample is a cryptocurrency miner. If the victim has a CUDA-enabled GPU, the malware is able to execute.
SHA1: c4b3c4da5dd88e0dc561acd92afe9255f48d7ddc
MD5: ce2250c00516d99151a4d76f75942311
SHA256: 459a5346ac350d03b7e5fd5b9882afee243f2d1f838ead99ab06a2cde783c522
http://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html
M17-ons01 | AsiaHitGroup_3cc02e4f | Android
Info: This strike sends a malware sample known as AsiaHitGroup. This mobile Android malware is disguised as an alarm clock app, a QR scanner app, a compass app, a photo editor app, an Internet speed test app, and a file explorer app on the Google Play store. Once downloaded and launched, the application will attempt to download a malicious APK. However, it appears as though you must be in Asia to make these outbound calls and download this APK.
SHA1: d18f3c0c318fad791e6d07dcdf255da30adc9be0
MD5: 3cc02e4feceb488b084665e763968108
SHA256: 858543599b9a6d6d48c9243b9e330fcbe24a464b942e53020fac4535b4d440f3
https://blog.malwarebytes.com/cybercrime/2017/11/new-trojan-malware-discovered-google-play/
M17-5dj01 | AsiaHitGroup_7ceda121 | Android
Info: This strike sends a malware sample known as AsiaHitGroup. This mobile Android malware is disguised as an alarm clock app, a QR scanner app, a compass app, a photo editor app, an Internet speed test app, and a file explorer app on the Google Play store. Once downloaded and launched, the application will attempt to download a malicious APK. However, it appears as though you must be in Asia to make these outbound calls and download this APK.
SHA1: bcc23e9ab5becc874c9c6ae1d891e25f8fe2a6ae
MD5: 7ceda121f9d452e9a32b8088f50012b8
SHA256: d43b5384bf21006754322de96ce15b12d7bac75ad40e6ac30fbe45a78c98f85f
https://blog.malwarebytes.com/cybercrime/2017/11/new-trojan-malware-discovered-google-play/
M17-zwa01 | Credrix_a4cf567f | Windows
Info: This strike sends a malware sample known as Credrix. Credrix is a tool that gathers Windows credentials from memory.
SHA1: 4f2faef3d65099c19d617df73af5119dd719240c
MD5: a4cf567f27f3b2f8b73ae15e2e487f00
SHA256: 178348c14324bc0a3e57559a01a6ae6aa0cb4013aabbe324b51f906dcf5d537e
https://www.symantec.com/security_response/writeup.jsp?docid=2017-071015-4148-99
M17-uz501 | Document Macro Obfuscation | Mixed
Info: This strike sends a malware sample known as Document Macro Obfuscation. These document samples use obfuscated macros to launch PowerShell and then execute malicious commands.
SHA1: 81b3ff18f520c546dac6e78a94172f8b2a07299a
MD5: 520f6ccab58564e448fc5dfade163d47
SHA256: 4d9f3de7aeca86a1ba1a653e04994eb69d31c6afc5802691ee9178bf8d593ed5
http://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html
M17-jxl01 | BitCoinMiner_ac11bc15 | Windows
Info: This strike sends a malware sample known as BitCoinMiner. This sample is a cryptocurrency miner. If the victim has a CUDA-enabled GPU, the malware is able to execute.
SHA1: cf7431f9ac3682d9c980ca2dfcd7885fe75e7220
MD5: ac11bc15e3e6f4caa1c6f090659c397e
SHA256: 9d6b9fa1861b72f348a4fa8b209eb7f40f4a497bcf98204ba5fd389f7fa82b93
http://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html
M17-06o01 | AsiaHitGroup_7eec1c26 | Android
Info: This strike sends a malware sample known as AsiaHitGroup. This mobile Android malware is disguised as an alarm clock app, a QR scanner app, a compass app, a photo editor app, an Internet speed test app, and a file explorer app on the Google Play store. Once downloaded and launched, the application will attempt to download a malicious APK. However, it appears as though you must be in Asia to make these outbound calls and download this APK.
SHA1: f43039b1fb54f0d292fc8e234d5021e041469687
MD5: 7eec1c26e60fede7644187b0082b6ac4
SHA256: e45cd99a664c5bb68ea7ab8e8f47f329bd01dc1193106e25962478b5259c0009
https://blog.malwarebytes.com/cybercrime/2017/11/new-trojan-malware-discovered-google-play/
M17-1gc01 | BitCoinMiner_331e9bff | Windows
Info: This strike sends a malware sample known as BitCoinMiner. This sample is a cryptocurrency miner. If the victim has a CUDA-enabled GPU, the malware is able to execute.
SHA1: 0a506b6b26c6e04d03f5aff533f8da68c3899084
MD5: 331e9bff18d6d6394d2039a6ed22d295
SHA256: 1a736b816b476800c1adb87169100192e503a1737ebedef5b1f14d695a100011
http://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html

Malware Strikes October - 2017

Strike ID Malware Platform Info MD5 External References
M17-evu01 | CCleaner_384ca346 | Windows
Info: This strike sends a malware sample known as CCleaner. This sample of CCleaner, as distributed by Avast, contains a malicious payload that features a domain generation algorithm and hard-coded C2 functionality. The malicious payload may attempt to elevate privileges, or send an HTTP request to a remote controller in the hope of retrieving a further-stage payload.
SHA1: a21403e47a1eddffefa3dd9dd1bd8fb77be9fe6f
MD5: 384ca346f00feb0e361c0f081f56ddf3
SHA256: 30b1dfd6eae2e473464c7d744a094627e5a70a89b62916457e30e3e773761c48
http://blog.talosintelligence.com/2017/09/threat-round-up-170922-170929.html
M17-ma601 | Office DDE Vortex Payload PE | Windows
Info: This strike sends a malware sample known as Office DDE Vortex Payload PE. This sample is a payload associated with the Microsoft Office DDE attacks. Specifically, this payload disguises itself as an NVIDIA service and communicates with beer-ranking.pl. The sample retrieves a crypto key and is in fact the Vortex ransomware.
SHA1: a0d537e6093561e003648a756c9f9138386c4c00
MD5: 09d71f068d2bbca9fac090bde74e762b
SHA256: fe72a6b6da83c779787b2102d0e2cfd45323ceab274924ff617eb623437c2669
http://pedramamini.postach.io/
https://www.peerlyst.com/posts/microsoft-office-dde-vortex-ransomware-targeting-poland-inquest-net
http://contagiodump.blogspot.com/2017/10/dde-command-execution-malware-samples.html
M17-vy101 | TorrentLocker_1fbf4f38 | Windows
Info: This strike sends a malware sample known as TorrentLocker. This sample of ransomware uses AES encryption to encrypt files on the victim's machine before demanding a Bitcoin ransom.
SHA1: 337690de61d7a7aa45f94306b522558ce5e83df3
MD5: 1fbf4f38b0d853e9fff54f92a204a064
SHA256: cc07ae7275b177c6882cffce894389383ca2c76af5dc75094453699252c9c831
http://blog.talosintelligence.com/2017/09/threat-round-up-170922-170929.html
M17-en301 | TrickBot_6e5209d1 | Mixed
Info: This strike sends a malware sample known as TrickBot. TrickBot is a banking trojan which shares similarities with the Dyre banking trojan. It is used by crooks to target customers of Australian banks.
SHA1: b47a0d2b81a34e67ba32f473cf1ba9823b37afbe
MD5: 6e5209d1bc0a6815913b242c27709f30
SHA256: e6bd4d23467ee8df96837140695de5689cc7f7b73cffd9a9d40e33444766496a
http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-bvc01 | BadRabbit_1d724f95 | Windows
Info: This strike sends a malware sample known as BadRabbit. This sample included with BadRabbit is named infpub.dat. It is executed via run32 and contains a list of credentials that are used in brute-force attempts to get the scheduled tasks to execute the ransomware.
SHA1: 79116fe99f2b421c52ef64097f0f39b815b20907
MD5: 1d724f95c61f1055f0d02c2154bbccd3
SHA256: 579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648
https://securingtomorrow.mcafee.com/mcafee-labs/badrabbit-ransomware-burrows-russia-ukraine/
http://blog.talosintelligence.com/2017/10/bad-rabbit.html
M17-xo001 | Tofsee_acad9e88 | Windows
Info: This strike sends a malware sample known as Tofsee. This sample has been tied to other malware such as the Zeus botnet. It contains several layers of encryption, exhibits ransomware behavior, and sends spam.
SHA1: 9d51bcc4860db3acf3c994fae9fa7b20290d6efa
MD5: acad9e88923eb9702c24ff3fa8a068ff
SHA256: 6cbb53ee5485e756bd8680944961b6c27d59c1a610c5f93c1788a2dafd1f5706
http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-41n01 | Tofsee_732773ce | Windows
Info: This strike sends a malware sample known as Tofsee. This sample has been tied to other malware such as the Zeus botnet. It contains several layers of encryption, exhibits ransomware behavior, and sends spam.
SHA1: fb01078080a10537f0e4a479df42252693742480
MD5: 732773ce4e83a4ad7ce41617a7d4cad6
SHA256: 5ecce618b7b65cac1a5930608aa939241f4312a54a3efbfaf8c3bb5e27056b91
http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-m8601 | RevengeRat_2031d7a4 | Windows
Info: This strike sends a malware sample known as RevengeRat. This sample is a Remote Access Tool that allows the attacker to perform a variety of malicious covert functions on the target system. These capabilities include, but are not limited to, spying on the user and exfiltrating data.
SHA1: 280277d0218f4eb5a2bf46c8e7a0ab5b2f9ac6b5
MD5: 2031d7a4f5f2aba56b2f7c5186c70fcd
SHA256: fdb99a0527be797fc7d7b7f48088c21d034bce6a5c848ede43714d86d3266661
http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-zzl01 | Jrat_396adbc1 | Mixed
Info: This strike sends a malware sample known as Jrat. This sample is a document that contains an embedded OLE object that attempts to contact external domains to download additional malicious code.
SHA1: 14503f8fe1f22d6cb256f3bd16dfe90394f752d6
MD5: 396adbc1de0d0748baf3fb6bbe912e4f
SHA256: bb4793538712834408cd9b3b58c1edf8da81906ffc12e25766fb40ddabe1c383
http://blog.talosintelligence.com/2017/09/threat-round-up-170922-170929.html
M17-xl301 | Beeldeb_7eba8802 | Windows
Info: This strike sends a malware sample known as Beeldeb. This sample is a trojan that gets added to the startup folder for persistence. It is a self-executing AutoIT script, and the malware payload is injected into a dropped executable.
SHA1: 710fe6d8aee660eb4e8652787c85ff8b475e15e2
MD5: 7eba88026a13a88d2e68bce88fff9d2f
SHA256: ca07844200067101a91d23604a7fb425ee8b47a66567a953103a9949f66d74cc
http://blog.talosintelligence.com/2017/09/threat-round-up-170922-170929.html
M17-q6401 | Jrat_2071f755 | Mixed
Info: This strike sends a malware sample known as Jrat. This sample is a document that contains an embedded OLE object that attempts to contact external domains to download additional malicious code.
SHA1: 8d9f5af4a548abd03550702dbb53a0e0428ca12c
MD5: 2071f755c30a63b0a73791156f273c02
SHA256: fff6555400d65b28590cdde1a1f1a8731f02e8c21c1a9f167d53dc1054cc865a
http://blog.talosintelligence.com/2017/09/threat-round-up-170922-170929.html
M17-psn01 | Emotet_9646fbee | Mixed
Info: This strike sends a malware sample known as Emotet. This document sample is associated with the Emotet banking trojan. It contains obfuscated code and uses PowerShell to download payloads.
SHA1: d95826fd488a873e866ee0793daa602ee90bede5
MD5: 9646fbeeb768f431f5440ab2c2259ed4
SHA256: f7972ab6d27883f9c1a0fb6b0e54466eb6305eaa1bfb6c09da82e1539bbe7fc4
http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-qcz01 | Document Macro Obfuscation | Mixed
Info: This strike sends a malware sample known as Document Macro Obfuscation. This sample uses obfuscation to bypass detection and adds useless code to misdirect analysis.
SHA1: 268fbf5dcb1486166925b76af3b73a129104298d
MD5: 5bac0670f7baf2ead07145303a9ddcbb
SHA256: 4abacdd4177a4446dedc00992c7d33538fd0046ba99971c2dcbdff49d51a7664
http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-2vg01 | TorrentLocker_03f3e0bc | Windows
Info: This strike sends a malware sample known as TorrentLocker. This sample of ransomware uses AES encryption to encrypt files on the victim's machine before demanding a Bitcoin ransom.
SHA1: 0f15149fb8e6a085cbfb2d076f6e859e495da457
MD5: 03f3e0bc4d0e3d9817610eb7761f8041
SHA256: bf795a1676a6dd795fb6915ecfbfdc200687907cae8769c55b9e26328b026f88
http://blog.talosintelligence.com/2017/09/threat-round-up-170922-170929.html
M17-oik01 | Document Macro Obfuscation | Mixed
Info: This strike sends a malware sample known as Document Macro Obfuscation. This sample uses obfuscation to bypass detection and adds useless code to misdirect analysis.
SHA1: 3bdd523ad094b923f8ceb9f8986d9ae8a1ebbe68
MD5: 7526bd6675aa6ad84f1fa760d17f3cb9
SHA256: 85fe7541480ab4165d31d0d83a020068a3de0f673e50b3aefa4be22f51f47704
http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-46t01 | Vilsel_d9bf36e7 | Windows
Info: This strike sends a malware sample known as Vilsel. This sample is an older trojan that copies itself to the victim's startup folder to obtain persistence. It has been observed copying itself to several locations on the target system, with each copy appending random bytes to the end of its name.
SHA1: 49ea899396b52dc2ba48ce3237f1dad91d517fbe
MD5: d9bf36e74781a10a154144b2da587723
SHA256: 89782f35fef2dad9aadcad63b07fb6ed39077c9edfdccd0716facac53293f872
http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-pje01 | Office DDE Powershell Payload | Mixed
Info: This strike sends a malware sample known as Office DDE Powershell Payload. This sample is a PowerShell payload script associated with the Microsoft Office DDE attacks, and it is from citycarpark.my/components/com_admintools/mscorier.
SHA1: 6c151176212c597cebb1b278be3cd6daf7bc6593
MD5: bba246f7ff0519dd89e980233cc3c927
SHA256: 2330bf6bf6b5efa346792553d3666c7bc290c98799871f5ff4e7d44d2ab3b28c
http://contagiodump.blogspot.com/2017/10/dde-command-execution-malware-samples.html
M17-58u01 | TrickBot_b3bc6e96 | Mixed
Info: This strike sends a malware sample known as TrickBot. TrickBot is a banking trojan which shares similarities with the Dyre banking trojan. It is used by crooks to target customers of Australian banks.
SHA1: 0fc7bd58126e7969b1d3c013a60a2e2a51288f7f
MD5: b3bc6e96c1775d26b4336d42428dc24e
SHA256: a3355d8e3e5f21b84072993032341bf1edee8dd6b28a9aece5cc6ffe0e123621
http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-h4701 | TrickBot_c5900370 | Mixed
Info: This strike sends a malware sample known as TrickBot. TrickBot is a banking trojan which shares similarities with the Dyre banking trojan. It is used by crooks to target customers of Australian banks.
SHA1: 0fb6b9079d8721f2b7e6f3db69c50725988aedf0
MD5: c5900370760d126e5a7c2f24a704a191
SHA256: f45334629dc79665d85cd4748e97b876de4330094759dc4c227da19ffbbd2a34
http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-qxl01 | Jrat_a2ccf1c3 | Mixed
Info: This strike sends a malware sample known as Jrat. This sample is a document that contains an embedded OLE object that attempts to contact external domains to download additional malicious code.
SHA1: 59c990f519f97056fd13b80cd82b1ff6c49258b7
MD5: a2ccf1c3e98c0eed0126061a6f35afba
SHA256: db4d85d172b31413c1f93162053032a9a2e26b273dfdea8b7506ee8ca982e32f
http://blog.talosintelligence.com/2017/09/threat-round-up-170922-170929.html
M17-bea01 | Emotet_517d9598 | Mixed
Info: This strike sends a malware sample known as Emotet. This document sample is associated with the Emotet banking trojan. It contains obfuscated code and uses PowerShell to download payloads.
SHA1: 82519982e32708e94c54ffce3c652714049a04f6
MD5: 517d9598ac8aa0ef0cb7145ffd64805e
SHA256: 4ce5366c7eef1fff1260d5d7a0aec72c1246621838bf8df07f4a6ab3e5369d96
http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-o8e01 | TrickBot_bd427dd1 | Mixed
Info: This strike sends a malware sample known as TrickBot. TrickBot is a banking trojan which shares similarities with the Dyre banking trojan. It is used by crooks to target customers of Australian banks.
SHA1: 7a571716fe3fb54e50e79d9e1032354c192ed4a5
MD5: bd427dd15a2dc5695fbeab5519595d30
SHA256: 38748c33121e51307108ca9711c4a5109223d86565f8902268e902f83a202fbd
http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-45801 | Document Macro Obfuscation | Mixed
Info: This strike sends a malware sample known as Document Macro Obfuscation. This sample uses obfuscation to bypass detection and adds useless code to misdirect analysis.
SHA1: 650d41813ab9b22bcd30583ff9481d2336bd91bd
MD5: 3124f76cabc753b93b212f228bf7d407
SHA256: 0b2799af3a38a865c37fe534c3f2f67d085757b09f5e489025037a1ed90f9b98
http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-87b01 | CCleaner_ec1b25ed | Windows
Info: This strike sends a malware sample known as CCleaner. This sample of CCleaner, as distributed by Avast, contains a malicious payload that features a domain generation algorithm and hard-coded C2 functionality. The malicious payload may attempt to elevate privileges, or send an HTTP request to a remote controller in the hope of retrieving a further-stage payload.
SHA1: abcfd38b53e04dd36cd8a75acece03b691417d40
MD5: ec1b25ed79331115f202f8ac6b309107
SHA256: 04622bcbeb45a2bd360fa0adc55a2526eac32e4ce8f522eaeb5bee1f501a7d3d
http://blog.talosintelligence.com/2017/09/threat-round-up-170922-170929.html
M17-1tk01 | Emotet_c0ef4f02 | Mixed
Info: This strike sends a malware sample known as Emotet. This document sample is associated with the Emotet banking trojan. It contains obfuscated code and uses PowerShell to download payloads.
SHA1: 6968938c35b0cff739c31899764a295ad2fd2a80
MD5: c0ef4f029f8947b2d8f66196cd2b041e
SHA256: 0c34b872ba2266c2028e27c9fc9bed8fe9c6f04221695e19c5194200a9638d6e
http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-pds01 | BadRabbit_b4e6d97d | Windows
Info: This strike sends a malware sample known as BadRabbit. This sample included with the BadRabbit ransomware is a legitimate DiskCryptor driver. DiskCryptor is an open source disk encryption software.
SHA1: 59cd4907a438b8300a467cee1c6fc31135757039
MD5: b4e6d97dafd9224ed9a547d52c26ce02
SHA256: 682adcb55fe4649f7b22505a54a9dbc454b4090fc2bb84af7db5b0908f3b7806
http://blog.talosintelligence.com/2017/10/bad-rabbit.html
M17-fun01 | Document Macro Obfuscation | Mixed
Info: This strike sends a malware sample known as Document Macro Obfuscation. This sample uses obfuscation to bypass detection and adds useless code to misdirect analysis.
SHA1: 61e4a7c5241f07cf3bcc24377452b53ca44b499a
MD5: 85e1c384120de66b721849b88255c5e0
SHA256: 81bcde515e51332cd4b92996655fb28448c2b3a83b6a63443ee680ad63acdce1
http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-wnv01 | DollarShell_0fc095f4 | Mixed
Info: This strike sends a malware sample known as DollarShell. This sample is an obfuscated Office Macro downloader. It uses both VBA.Shell$ and an auto-open macro.
SHA1: 2af8df8ffa31ced85d0ff3f5bbb19b54501dd7b5
MD5: 0fc095f4868450c4339b700ac49c32a0
SHA256: bb1a67049f2f65ce40d68a111becaf0f772754c024013b8d8a869d59472af9eb
http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-0bo01 | TrickBot_0acc6a1e | Mixed
Info: This strike sends a malware sample known as TrickBot. TrickBot is a banking trojan which shares similarities with the Dyre banking trojan. It is used by crooks to target customers of Australian banks.
SHA1: 60eaaa3ad6cfa4d3c46a274afc00e2d2cb2f775e
MD5: 0acc6a1ec80acd4ee150255b7fe6187d
SHA256: 5619eeb7b8702693f78b452a0ca3df99a23b858d2b4d181bcd5588878411284e
http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-hlg01 | Emotet_cfb0a91a | Mixed
Info: This strike sends a malware sample known as Emotet. This document sample is associated with the Emotet banking trojan. It contains obfuscated code and uses PowerShell to download payloads.
SHA1: 9fe298dd844a0a522fbcde12b3917d0e53be84bf
MD5: cfb0a91a53aae5356c0ac9007a706c4f
SHA256: ee69976d53e2f0ee0d502f416ac54cb795059005f82989e095bdc7e5e299acbe
http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-tac01 | TorrentLocker_d080c988 | Windows
Info: This strike sends a malware sample known as TorrentLocker. This sample of ransomware uses AES encryption to encrypt files on the victim's machine before demanding a Bitcoin ransom.
SHA1: 1da4c4f74568fe19c57ee68307b673405a0b0232
MD5: d080c988772068811e1955af91185f9b
SHA256: ae7a23e9b4c2645c26dce4a83a97953fa5ca008570aa9ac32e0826369593a099
http://blog.talosintelligence.com/2017/09/threat-round-up-170922-170929.html
M17-ya201 | Emotet_3f4296e6 | Mixed
Info: This strike sends a malware sample known as Emotet. This document sample is associated with the Emotet banking trojan. It contains obfuscated code and uses PowerShell to download payloads.
SHA1: 92cf0e6b2d366f33e2618cfe427ed319ea04b077
MD5: 3f4296e6b95436242fe4355c258bbecd
SHA256: 4a5d8769935f5126bca4ccfd5f0c658fb6e7d41a34475d9b7712d51b3884e2f3
http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-zqc01 | Emotet_3647353c | Mixed
Info: This strike sends a malware sample known as Emotet. This document sample is associated with the Emotet banking trojan. It contains obfuscated code and uses PowerShell to download payloads.
SHA1: 17803b316214b1ba0889aabc2b33ff473aac454b
MD5: 3647353cdbdb77ea002616f4c02fe762
SHA256: ef38926f1932b370abe835b38c51b806d4282e420ee06b312d9a2a25c446cf44
http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-4yi01 | Beeldeb_814c9c27 | Windows
Info: This strike sends a malware sample known as Beeldeb. This sample is a trojan that gets added to the startup folder for persistence. It is a self-executing AutoIT script, and the malware payload is injected into a dropped executable.
SHA1: 8ad0f9caf2afdb07ffbd392b1ff9419d5d08266a
MD5: 814c9c27a6b69f7a81372db1bba90375
SHA256: 36e92852d67e66cb3c99312f107f83080605c2badf787108f619d6b54e6c85fc
http://blog.talosintelligence.com/2017/09/threat-round-up-170922-170929.html
M17-nf601 | Vilsel_6a085b16 | Windows
Info: This strike sends a malware sample known as Vilsel. This sample is an older trojan that copies itself to the victim's startup folder to obtain persistence. It has been observed copying itself to several locations on the target system, with each copy appending random bytes to the end of its name.
SHA1: a00b111f3e47986d87cf5c518920d5b948ef632c
MD5: 6a085b165438169d518740feb6432fce
SHA256: eff9dcc0bebee521ebc2cb48a4398c3fe55e878fe127fda6f2ac02208e135325
http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-v5k01 | DollarShell_1c29fbfe | Mixed
Info: This strike sends a malware sample known as DollarShell. This sample is an obfuscated Office Macro downloader. It uses both VBA.Shell$ and an auto-open macro.
SHA1: 8920146ae70741dd75ffed38c8a5e3487e655653
MD5: 1c29fbfe17b495cb4d313fd2d8bf6180
SHA256: 26582ff0d7d9578d564bedc4f3add7d0d2326be6959039b7dc2372458390e810
http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-qzr01 | MS Office VBS Downloader | Mixed | This strike sends a malware sample known as MS Office VBS Downloader. This sample attempts to evade detection by splitting the word "powershell" and inserting characters in between. | MD5: a40958399bcabff1d3d45152c4235b11 | SHA1: c194fc6750a6133d36d9d9f4660e872330c50e9b
MD5: a40958399bcabff1d3d45152c4235b11
SHA256: e95c8bf136de1cd79bfd3811072e7d02441aa5e8f57ab60e2b1478a4d4ca5678
http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-kl801 | Jrat_e019728b | Mixed | This strike sends a malware sample known as Jrat. This sample is a document that contains an embedded OLE object that attempts to contact external domains to download additional malicious code. | MD5: e019728b34270f1b334be69d26f7c3f3 | SHA1: 54aa2ce08b90ae01338527f761326ddf5266af4e
MD5: e019728b34270f1b334be69d26f7c3f3
SHA256: d29a6afc4b35eef25811664369471688a0ecd89fc2a5eb676de9c5518c9914f2
http://blog.talosintelligence.com/2017/09/threat-round-up-170922-170929.html
M17-1hx01 | MS Office VBS Downloader | Mixed | This strike sends a malware sample known as MS Office VBS Downloader. This sample attempts to evade detection by splitting the word "powershell" and inserting characters in between. | MD5: 676ce727ae0dfb8822852e4fd0c86d39 | SHA1: 7f060a247ba188933dd18b2b41d12919f2f8dcda
MD5: 676ce727ae0dfb8822852e4fd0c86d39
SHA256: 9949dccece62023379790e8b563d8a93bae156be13e7698f851a3804b72fa1c3
http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-6zs01 | Microsoft Office DDE | Mixed | This strike sends a malware sample known as Microsoft Office DDE. This sample is the original lure associated with the Microsoft Office DDE attacks. The sample's filename is SBNG20171010.docx. | MD5: 8be9633d5023699746936a2b073d2d67 | SHA1: 07e2eaf420ea974ac99ea7b17c1b491ca1ada1ea
MD5: 8be9633d5023699746936a2b073d2d67
SHA256: 4b68b3f98f78b42ac83e356ad61a4d234fe620217b250b5521587be49958d568
http://contagiodump.blogspot.com/2017/10/dde-command-execution-malware-samples.html
M17-nwn01 | Microsoft Office DDE | Mixed | This strike sends a malware sample known as Microsoft Office DDE. This sample is the original lure associated with the Microsoft Office DDE attacks. The sample's filename is Auto_mal.docx. | MD5: aee33500f28791f91c278abb3fcdd942 | SHA1: e82fb48a7b4dc02efe0d8779f29017f5e06ab66c
MD5: aee33500f28791f91c278abb3fcdd942
SHA256: 7777ccbaaafe4e50f800e659b7ca9bfa58ee7eefe6e4f5e47bc3b38f84e52280
http://contagiodump.blogspot.com/2017/10/dde-command-execution-malware-samples.html
M17-yeu01 | Emotet_38b60d63 | Mixed | This strike sends a malware sample known as Emotet. This document sample has been identified as part of the Emotet banking trojan. It contains obfuscated code and uses PowerShell to download payloads. | MD5: 38b60d6365d2b73cc8db79ef5cebd106 | SHA1: 0efee5f307bfe3153a53f7d57fc0a9eb94be091a
MD5: 38b60d6365d2b73cc8db79ef5cebd106
SHA256: 5b060682f0a97793797856af8c37265825d2c6769d9e69bc14833a98672e004a
http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-7lk01 | CCleaner_74dca8f8 | Windows | This strike sends a malware sample known as CCleaner. This sample of CCleaner, distributed by Avast, contains a malicious payload that features a domain generation algorithm and hard-coded C2 functionality. The malicious payload may attempt to elevate privileges or send an HTTP request to a remote controller in order to retrieve a further-stage payload. | MD5: 74dca8f8ad273f6a5b095c14dfd2f4d3 | SHA1: 80746f984b50b9127a15773db42204123c2e0c59
MD5: 74dca8f8ad273f6a5b095c14dfd2f4d3
SHA256: 53c6ad85a6b0db342ce07910d355dad53765767b4b9142912611ec81bee0f322
http://blog.talosintelligence.com/2017/09/threat-round-up-170922-170929.html
M17-wfe01 | CCleaner_748aa5fc | Windows | This strike sends a malware sample known as CCleaner. This sample of CCleaner, distributed by Avast, contains a malicious payload that features a domain generation algorithm and hard-coded C2 functionality. The malicious payload may attempt to elevate privileges or send an HTTP request to a remote controller in order to retrieve a further-stage payload. | MD5: 748aa5fcfa2af451c76039faf6a8684d | SHA1: e7cca2da5161a313161a81a38a8b5773310a6801
MD5: 748aa5fcfa2af451c76039faf6a8684d
SHA256: dc9b5e8aa6ec86db8af0a7aa897ca61db3e5f3d2e0942e319074db1aaccfdc83
http://blog.talosintelligence.com/2017/09/threat-round-up-170922-170929.html
M17-nka01 | TorrentLocker_dddde9f8 | Windows | This strike sends a malware sample known as TorrentLocker. This sample of ransomware uses AES encryption to encrypt files on the victim's machine before demanding a Bitcoin ransom. | MD5: dddde9f8a2459e18583434b1421bb509 | SHA1: a927adc32cdc315702a903e4de522a4ca79adb57
MD5: dddde9f8a2459e18583434b1421bb509
SHA256: 4312486eb32d7edc49d437a598d7e0453e8c9d1222b8b9ba429c73e0598db1a9
http://blog.talosintelligence.com/2017/09/threat-round-up-170922-170929.html
M17-flu01 | TorrentLocker_f661a576 | Windows | This strike sends a malware sample known as TorrentLocker. This sample of ransomware uses AES encryption to encrypt files on the victim's machine before demanding a Bitcoin ransom. | MD5: f661a5769a6969eeb262e6c471dd1b35 | SHA1: bf019ba422f96f251adea5a9c79bcf3b6f028e42
MD5: f661a5769a6969eeb262e6c471dd1b35
SHA256: 5c66755aeeed65c21c8d9774baebd79c962311a57b733cb19d4d2bb6a0eb52c3
http://blog.talosintelligence.com/2017/09/threat-round-up-170922-170929.html
M17-jw501 | Tofsee_a8c123a8 | Windows | This strike sends a malware sample known as Tofsee. This sample has been tied to other malware such as the Zeus botnet. It contains several layers of encryption, exhibits ransomware behavior, and sends spam. | MD5: a8c123a8e47f93b5631e94fa20d88321 | SHA1: 69ed2a5de0be259c228c06dbdbb20433d10be701
MD5: a8c123a8e47f93b5631e94fa20d88321
SHA256: 94cab1cdda2cdf19e077add232b00de9b141f981f6def5c7309521613f6423cb
http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-qa201 | Document Macro Obfuscation | Mixed | This strike sends a malware sample known as Document Macro Obfuscation. This sample uses obfuscation to bypass detection and adds useless code to misdirect analysis. | MD5: 0ee3d7d618bf806fe66ca97da1fb78d0 | SHA1: 063fdba12a10422820c623d79cbb328d47d70f87
MD5: 0ee3d7d618bf806fe66ca97da1fb78d0
SHA256: b2c8a5be4249b5eb4b4a28cffaa3ef247589e0eb5ce0b7a914f8c1704b7f6cb4
http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-t1901 | CCleaner_b3947a26 | Windows | This strike sends a malware sample known as CCleaner. This sample of CCleaner, distributed by Avast, contains a malicious payload that features a domain generation algorithm and hard-coded C2 functionality. The malicious payload may attempt to elevate privileges or send an HTTP request to a remote controller in order to retrieve a further-stage payload. | MD5: b3947a26d4d5f98b82f8d8afacf403f0 | SHA1: 0c23449c86895b97ecbdb9fc0ae747b1b3d2a8a5
MD5: b3947a26d4d5f98b82f8d8afacf403f0
SHA256: 8562c9bb71391ab40d4e6986836795bcf742afdaff9a936374256056415c5e25
http://blog.talosintelligence.com/2017/09/threat-round-up-170922-170929.html
M17-iwr01 | RevengeRat_179e16ae | Windows | This strike sends a malware sample known as RevengeRat. This sample is a Remote Access Tool that allows the attacker to perform a variety of covert malicious functions on the target system. These capabilities include, but are not limited to, spying on the user and exfiltrating data. | MD5: 179e16ae9eb6e1726d1660c1c6907a18 | SHA1: 35dac8b3c4b0bf366ca78a4f1ec48b25d00d9803
MD5: 179e16ae9eb6e1726d1660c1c6907a18
SHA256: e60613e2453d6568cb04ad8e09ac64b6652318079be2444156293f092cc9ff52
http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-z4g01 | Tofsee_040e3b7e | Windows | This strike sends a malware sample known as Tofsee. This sample has been tied to other malware such as the Zeus botnet. It contains several layers of encryption, exhibits ransomware behavior, and sends spam. | MD5: 040e3b7e2d2eb7420537446324a3bda9 | SHA1: 37c3a3c6ea9e76ea87a83f57516d3b7804f7f91d
MD5: 040e3b7e2d2eb7420537446324a3bda9
SHA256: d02cd223f8284826a4dd1d51ecb61cc39e2588c534c0e6b848f6fbfd772fc02a
http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-f4y01 | TrickBot_bed6c109 | Mixed | This strike sends a malware sample known as TrickBot. TrickBot is a banking trojan that shares similarities with the Dyre banking trojan. It has been used by criminals to target customers of Australian banks. | MD5: bed6c109e1ce4ec3e0673c4445b1a043 | SHA1: 3ab49d6e009c2b97a6f23ef97f8642d3f828e900
MD5: bed6c109e1ce4ec3e0673c4445b1a043
SHA256: 0d92b1656112ed73fe98fd6c714d7959dd8ecc85759b87a6b01747a2ab0f8335
http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-iip01 | BadRabbit_347ac3b6 | Windows | This strike sends a malware sample known as BadRabbit. This is one of two samples included with BadRabbit that have functionality similar to Mimikatz. Mimikatz is a tool known for its ability to retrieve user credentials from computer memory using different techniques. | MD5: 347ac3b6b791054de3e5720a7144a977 | SHA1: 413eba3973a15c1a6429d9f170f3e8287f98c21c
MD5: 347ac3b6b791054de3e5720a7144a977
SHA256: 301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c
http://blog.talosintelligence.com/2017/10/bad-rabbit.html
M17-74g01 | TrickBot_5e5727ac | Mixed | This strike sends a malware sample known as TrickBot. TrickBot is a banking trojan that shares similarities with the Dyre banking trojan. It has been used by criminals to target customers of Australian banks. | MD5: 5e5727ac12a2bf5fbef68f550317fd14 | SHA1: 8c37a2f1bfc13ae34861f6c699746a1692a43705
MD5: 5e5727ac12a2bf5fbef68f550317fd14
SHA256: 3ac1c23c28d19111e254649153b2cf0c03782f7523ce2062200a5ecd1c24f210
http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-ozb01 | Document Macro Obfuscation | Mixed | This strike sends a malware sample known as Document Macro Obfuscation. This sample uses obfuscation to bypass detection and adds useless code to misdirect analysis. | MD5: 5bfe4be6ee3b7e74dce3510659f33568 | SHA1: 9e8f55fd2c9575cac2b177e35d20f7f084f70c30
MD5: 5bfe4be6ee3b7e74dce3510659f33568
SHA256: 1e85b7f0d09e6a43cd83a66c287c1d34125ab9ee8e2f81d86a6c46ef44e37c20
http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-ric01 | Document Macro Obfuscation | Mixed | This strike sends a malware sample known as Document Macro Obfuscation. This sample uses obfuscation to bypass detection and adds useless code to misdirect analysis. | MD5: 593a477c7099b171fb214fec4288e46b | SHA1: b5840987462a7fb007f074ef3c6179270eb642c6
MD5: 593a477c7099b171fb214fec4288e46b
SHA256: fd5c9b1ea6c9c76f3282634f8d7b02e0dba6e9813ae0143c7073ecdd925ee2f8
http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-taw01 | Document Macro Obfuscation | Mixed | This strike sends a malware sample known as Document Macro Obfuscation. This sample uses obfuscation to bypass detection and adds useless code to misdirect analysis. | MD5: 5961a6cce9f77280d321f4579735cbcc | SHA1: d83c01e5ea84c93f5e9a03a8e706e02b3853a864
MD5: 5961a6cce9f77280d321f4579735cbcc
SHA256: c1a87f71d9f51cbbc82c03b58b75bdd6feb7d1be1d9d292c4a6a107b78a64efc
http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-iiv01 | Microsoft Office DDE | Mixed | This strike sends a malware sample known as Microsoft Office DDE. This sample is the original lure associated with the Microsoft Office DDE attacks. The sample's filename is InformesFINAL.docx. | MD5: 78f07a1860ae99c093cc80d31b8bef14 | SHA1: 5b1bbf4f3f6c21829719543de7b262e0073403c7
MD5: 78f07a1860ae99c093cc80d31b8bef14
SHA256: 9d67659a41ef45219ac64967b7284dbfc435ee2df1fccf0ba9c7464f03fdc862
http://contagiodump.blogspot.com/2017/10/dde-command-execution-malware-samples.html
M17-zn401 | Microsoft Office DDE | Mixed | This strike sends a malware sample known as Microsoft Office DDE. This sample is the original lure associated with the Microsoft Office DDE attacks. The sample's filename is EDGAR_Rules.docx. | MD5: 0bcadcf65bcf8940fff6fc776dd56563 | SHA1: 8d650fccdf3497112708a3f4832240905bc6b0c3
MD5: 0bcadcf65bcf8940fff6fc776dd56563
SHA256: bf38288956449bb120bae525b6632f0294d25593da8938bbe79849d6defed5cb
http://contagiodump.blogspot.com/2017/10/dde-command-execution-malware-samples.html
M17-1c501 | Jrat_926d057d | Mixed | This strike sends a malware sample known as Jrat. This sample is a document that contains an embedded OLE object that attempts to contact external domains to download additional malicious code. | MD5: 926d057d2dac94b1bd4203b5cbc1c7c3 | SHA1: c147fe65bda2672248d0afd75805864e7a59e3d4
MD5: 926d057d2dac94b1bd4203b5cbc1c7c3
SHA256: 522a804aeee581c63049d0a5983a558c2a3225c4b14814cf0acb8912b79260d6
http://blog.talosintelligence.com/2017/09/threat-round-up-170922-170929.html
M17-r8a01 | Emotet_82a6b105 | Mixed | This strike sends a malware sample known as Emotet. This document sample has been identified as part of the Emotet banking trojan. It contains obfuscated code and uses PowerShell to download payloads. | MD5: 82a6b1051f9bff80c5b0ae7e89baa979 | SHA1: ca7f2d187a9ea3603a7bb28d50faa8fb868ef338
MD5: 82a6b1051f9bff80c5b0ae7e89baa979
SHA256: 4beabf7a352c6dc30a2273392f4daa5793e43412c3eba3724e2ed9e5631c41c2
http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-c6z01 | Beeldeb_8ee52b53 | Windows | This strike sends a malware sample known as Beeldeb. This sample is a trojan that adds itself to the startup folder for persistence. It is a self-executing AutoIt script, and the malware payload is injected into a dropped executable. | MD5: 8ee52b537cebe88a7dcf9027e68216e0 | SHA1: 724a32dcdd091b51cff5d47ee20842ed9f2d4a6c
MD5: 8ee52b537cebe88a7dcf9027e68216e0
SHA256: 07de12cf4c78151a0bdd6d8dcf8b5d0b91f51b606fd8ec0774e54fcb16e3440a
http://blog.talosintelligence.com/2017/09/threat-round-up-170922-170929.html
M17-39701 | TrickBot_b41f2f58 | Mixed | This strike sends a malware sample known as TrickBot. TrickBot is a banking trojan that shares similarities with the Dyre banking trojan. It has been used by criminals to target customers of Australian banks. | MD5: b41f2f58ae888fa1fa0b2cb5d6b09c1b | SHA1: 5506e526adae964a95389967d4b16a91f65d5200
MD5: b41f2f58ae888fa1fa0b2cb5d6b09c1b
SHA256: 5351019f9879a285561e72acae1024e8a86a822f33b7bbb95c795a6bc465ff53
http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-x5101 | Beeldeb_93242553 | Windows | This strike sends a malware sample known as Beeldeb. This sample is a trojan that adds itself to the startup folder for persistence. It is a self-executing AutoIt script, and the malware payload is injected into a dropped executable. | MD5: 93242553da82490acca7b7e7ae267f2e | SHA1: e465e0f5f3cbde6c61370dfc0112ec8256215ec3
MD5: 93242553da82490acca7b7e7ae267f2e
SHA256: eea366f807de6e4a0834e9fcf8dc0847b7ab4707314191448950a22cc0dbfa76
http://blog.talosintelligence.com/2017/09/threat-round-up-170922-170929.html
M17-yzi01 | MS Office VBS Downloader | Mixed | This strike sends a malware sample known as MS Office VBS Downloader. This sample attempts to evade detection by splitting the word "powershell" and inserting characters in between. | MD5: 4529961cd564ac79e8e38105bd8ec3c2 | SHA1: 189e7c614ca9419029c691c89db757eb2b4de8c0
MD5: 4529961cd564ac79e8e38105bd8ec3c2
SHA256: a6026baa4f4062b2bbf66dc3a3707f965e34271cdd3f00cae45f771e4b4b9013
http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-lnm01 | RevengeRat_ce4a2f2d | Windows | This strike sends a malware sample known as RevengeRat. This sample is a Remote Access Tool that allows the attacker to perform a variety of covert malicious functions on the target system. These capabilities include, but are not limited to, spying on the user and exfiltrating data. | MD5: ce4a2f2d4b839854048dd9c3ed392fdc | SHA1: 276faf04fa87982665e2e534e87404c7676ef9a1
MD5: ce4a2f2d4b839854048dd9c3ed392fdc
SHA256: d06ffdfe71bd471b8ba5c2c9fd1191e661c6a9d2332243bc4f93f3838cbff75b
http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-bpi01 | CCleaner_06e485d3 | Windows | This strike sends a malware sample known as CCleaner. This sample of CCleaner, distributed by Avast, contains a malicious payload that features a domain generation algorithm and hard-coded C2 functionality. The malicious payload may attempt to elevate privileges or send an HTTP request to a remote controller in order to retrieve a further-stage payload. | MD5: 06e485d323110b76a0da9b3d063a0c9a | SHA1: cfdcd830ba34d2ee02017999a672608e0e82cbf3
MD5: 06e485d323110b76a0da9b3d063a0c9a
SHA256: 8a8485d2ba00eafaad2dbad5fad741a4c6af7a1eedd3010ad3693d128d94afab
http://blog.talosintelligence.com/2017/09/threat-round-up-170922-170929.html
M17-qcp01 | DollarShell_4147656d | Mixed | This strike sends a malware sample known as DollarShell. This sample is an obfuscated Office Macro downloader. It uses both the VBA Shell$ function and an auto-open macro. | MD5: 4147656d10dd24d2f531dfd9c1409103 | SHA1: 8cf69e901c06a4699754910e931a72ce5e7b7455
MD5: 4147656d10dd24d2f531dfd9c1409103
SHA256: 5c3fff626f931fff80d79e53fdbf41a591f8dc048df2c7b636aa2d7a388d8e63
http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-eac01 | BadRabbit_fbbdc39a | Windows | This strike sends a malware sample known as BadRabbit. This sample is the BadRabbit dropper, which contains the BadRabbit ransomware. It requires user interaction to facilitate the infection and does not use an exploit to infect the system in any way. | MD5: fbbdc39af1139aebba4da004475e8839 | SHA1: de5c8d858e6e41da715dca1c019df0bfb92d32c0
MD5: fbbdc39af1139aebba4da004475e8839
SHA256: 630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da
http://blog.talosintelligence.com/2017/10/bad-rabbit.html
M17-lh801 | TorrentLocker_1392ca8c | Windows | This strike sends a malware sample known as TorrentLocker. This sample of ransomware uses AES encryption to encrypt files on the victim's machine before demanding a Bitcoin ransom. | MD5: 1392ca8c92d5e729f8f34813f966ef97 | SHA1: 39d0bfbe04fbbc9bd43fd61f9f3f606d59c942fe
MD5: 1392ca8c92d5e729f8f34813f966ef97
SHA256: 58f36594d9502e3e8e135d0a449e5c07a62ae6fcd34a32c5c4d9243cb28d958b
http://blog.talosintelligence.com/2017/09/threat-round-up-170922-170929.html
M17-y6n01 | Document Macro Obfuscation | Mixed | This strike sends a malware sample known as Document Macro Obfuscation. This sample uses obfuscation to bypass detection and adds useless code to misdirect analysis. | MD5: 34de33d32fed9a72c142b138d667a5d4 | SHA1: 1854457d5d71892c6299e20bf09a62950dacdc8b
MD5: 34de33d32fed9a72c142b138d667a5d4
SHA256: 6f7b63d2f5be6d7ada5c8146e076af21acd4273d538d46c1dddf6bed222a6d4d
http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-4kl01 | Emotet_2da06ce1 | Mixed | This strike sends a malware sample known as Emotet. This document sample has been identified as part of the Emotet banking trojan. It contains obfuscated code and uses PowerShell to download payloads. | MD5: 2da06ce1cdcc98cc531cbb71e14fb105 | SHA1: 4aba63873f914ea5317a065cf7f21e5a6bc967b7
MD5: 2da06ce1cdcc98cc531cbb71e14fb105
SHA256: d91e08ac9c92e97acc03c87aeb20383150f17a26946e74eb450f48ddf612d5dc
http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-nco01 | BadRabbit_37945c44 | Windows | This strike sends a malware sample known as BadRabbit. This is one of two samples included with BadRabbit that have functionality similar to Mimikatz. Mimikatz is a tool known for its ability to retrieve user credentials from computer memory using different techniques. | MD5: 37945c44a897aa42a66adcab68f560e0 | SHA1: 16605a4a29a101208457c47ebfde788487be788d
MD5: 37945c44a897aa42a66adcab68f560e0
SHA256: 2f8c54f9fa8e47596a3beff0031f85360e56840c77f71c6a573ace6f46412035
http://blog.talosintelligence.com/2017/10/bad-rabbit.html
M17-lpv01 | Document Macro Obfuscation | Mixed | This strike sends a malware sample known as Document Macro Obfuscation. This sample uses obfuscation to bypass detection and adds useless code to misdirect analysis. | MD5: e55a4eab9bc17d81febf152e98ae2eb7 | SHA1: 4fdb7c7e7b24d50ddbccd3feaf863b4411a260c9
MD5: e55a4eab9bc17d81febf152e98ae2eb7
SHA256: 7cdeb17d6bfa95e937868b7761be87ded361ec49cf6be88286a1c2cb22f3976a
http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-wwf01 | DollarShell_a4548556 | Mixed | This strike sends a malware sample known as DollarShell. This sample is an obfuscated Office Macro downloader. It uses both the VBA Shell$ function and an auto-open macro. | MD5: a454855668408ffa0732fe835b7b1508 | SHA1: 1ae8809cf30ca33478043a2464323d91204cc2db
MD5: a454855668408ffa0732fe835b7b1508
SHA256: 25948723a1ed54e5d7994639b0002f5074ff60b0bbd61a78c1e59dd80ebb4c54
http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-kss01 | Microsoft Office DDE | Mixed | This strike sends a malware sample known as Microsoft Office DDE. This sample is the original lure associated with the Microsoft Office DDE attacks. The sample's filename is ~WRD0003.tmp. | MD5: d78ae3b9650328524c3150bef2224460 | SHA1: 9cbc4333230c73578e469ed21b9c54674404b1a4
MD5: d78ae3b9650328524c3150bef2224460
SHA256: 11a6422ab6da62d7aad4f39bed0580db9409f9606e4fa80890a76c7eabfb1c13
http://contagiodump.blogspot.com/2017/10/dde-command-execution-malware-samples.html
M17-vph01 | RevengeRat_5eee3b34 | Windows | This strike sends a malware sample known as RevengeRat. This sample is a Remote Access Tool that allows the attacker to perform a variety of covert malicious functions on the target system. These capabilities include, but are not limited to, spying on the user and exfiltrating data. | MD5: 5eee3b343a6e5818716e1a9f3425410b | SHA1: 608357a6a6d1304b6dbe1bece5e37bf9c35f02dc
MD5: 5eee3b343a6e5818716e1a9f3425410b
SHA256: bd3bcfecf479bd347540d6305001b068583696aa81279739ee8b32eb34f2a0df
http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-5w601 | TrickBot_53affce6 | Mixed | This strike sends a malware sample known as TrickBot. TrickBot is a banking trojan that shares similarities with the Dyre banking trojan. It has been used by criminals to target customers of Australian banks. | MD5: 53affce6c64deda07f05deda966471e0 | SHA1: 863ec7b034527bcdef66fdb6503b7220e84a2012
MD5: 53affce6c64deda07f05deda966471e0
SHA256: ae860de508c56045b39679b72b570028f820d9523f7e5d6ddb326c9a757c5c77
http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-18k01 | TrickBot_a65305be | Mixed | This strike sends a malware sample known as TrickBot. TrickBot is a banking trojan that shares similarities with the Dyre banking trojan. It has been used by criminals to target customers of Australian banks. | MD5: a65305bec3b9b5e5b38245cd735880f0 | SHA1: 6e4a2e0340e72d21ea3f4ebb1cedec1a9661ca26
MD5: a65305bec3b9b5e5b38245cd735880f0
SHA256: 27bc34902437285c3f4fe0a0e3446314baecb7ee002fcd1060b91543c27b9369
http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-zrl01 | RevengeRat_a7eabbac | Windows | This strike sends a malware sample known as RevengeRat. This sample is a Remote Access Tool that allows the attacker to perform a variety of covert malicious functions on the target system. These capabilities include, but are not limited to, spying on the user and exfiltrating data. | MD5: a7eabbac8906f141b1790cbb606c1d4e | SHA1: 4bf46eb61b8fe9da528ab376b6de4e0511006ad8
MD5: a7eabbac8906f141b1790cbb606c1d4e
SHA256: 6fe71c4b59fba4e0200f2e71e308a791eadc3e6518ab87acb66db4c79df66985
http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-za801 | CCleaner_52dda1e6 | Windows | This strike sends a malware sample known as CCleaner. This sample of CCleaner, distributed by Avast, contains a malicious payload that features a domain generation algorithm and hard-coded C2 functionality. The malicious payload may attempt to elevate privileges or send an HTTP request to a remote controller in order to retrieve a further-stage payload. | MD5: 52dda1e6ac12c24f2997cf05e0ea42c9 | SHA1: 82691bf5d8ca1c760e0dbc67c99f89ecd890de08
MD5: 52dda1e6ac12c24f2997cf05e0ea42c9
SHA256: 128aca58be325174f0220bd7ca6030e4e206b4378796e82da460055733bb6f4f
http://blog.talosintelligence.com/2017/09/threat-round-up-170922-170929.html
M17-rqq01 | Beeldeb_252bbf14 | Windows | This strike sends a malware sample known as Beeldeb. This sample is a trojan that adds itself to the startup folder for persistence. It is a self-executing AutoIt script, and the malware payload is injected into a dropped executable. | MD5: 252bbf14eee52b2e33e265d2fd07d4fe | SHA1: d1d32cf0916a423f754405c66aac6ae90f8ec85f
MD5: 252bbf14eee52b2e33e265d2fd07d4fe
SHA256: c4cf29d4e6a6b905e08534108ab07318d5704d91df50c9d5477b998a19395eff
http://blog.talosintelligence.com/2017/09/threat-round-up-170922-170929.html
M17-ff001 | Microsoft Office DDE | Mixed | This strike sends a malware sample known as Microsoft Office DDE. This sample is the original lure associated with the Microsoft Office DDE attacks. The sample's filename is DanePrzesylki17016.doc. | MD5: 5786dbcbe1959b2978e979bf1c5cb450 | SHA1: 0dd5a58e89036beaa7a63c9f5541bf1402c9c4d4
MD5: 5786dbcbe1959b2978e979bf1c5cb450
SHA256: bd61559c7dcae0edef672ea922ea5cf15496d18cc8c1cbebee9533295c2d2ea9
http://contagiodump.blogspot.com/2017/10/dde-command-execution-malware-samples.html
M17-2s401 | Document Macro Obfuscation | Mixed | This strike sends a malware sample known as Document Macro Obfuscation. This sample uses obfuscation to bypass detection and adds useless code to misdirect analysis. | MD5: c452d8d53f32fba1828f9d5cb56dc56d | SHA1: e7a4cb5f77f88d4f88105bbb2ab1b28769f3c19f
MD5: c452d8d53f32fba1828f9d5cb56dc56d
SHA256: 6adbd32b36470178e4cbc4bf7c757e4338457cac8c53fc5f8a86b3bcfec2fa6d
http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-3i401 | Document Macro Obfuscation | Mixed | This strike sends a malware sample known as Document Macro Obfuscation. This sample uses obfuscation to bypass detection and adds useless code to misdirect analysis. | MD5: ff321f7b270167136be7f584ce693f42 | SHA1: aeaf65ac3b5f8de831b989d86ef85be2cb011854
MD5: ff321f7b270167136be7f584ce693f42
SHA256: e0d0d55c04eb477c6becda415eed279895c56e4468df63ae302be7d389c95741
http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-ico01 | DollarShell_3f4735a1 | Mixed | This strike sends a malware sample known as DollarShell. This sample is an obfuscated Office Macro downloader. It uses both the VBA Shell$ function and an auto-open macro. | MD5: 3f4735a16a8d46d65e0cf2dfc9536499 | SHA1: c3b76e8ef1973d6ad9d4ec4dcb8e44b22784a519
MD5: 3f4735a16a8d46d65e0cf2dfc9536499
SHA256: 2c34d5de4bfbca74b4a782a221c44311fba086f876af6020f16c36b8759dcd24
http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-v3z01 | Vilsel_0bdda5b2 | Windows | This strike sends a malware sample known as Vilsel. This sample is an older trojan that copies itself to the victim's startup folder to obtain persistence. It has been observed copying itself to several locations on the target system, with each copy appending random bytes to the end of its name. | MD5: 0bdda5b203548929ce49ca0a47e51730 | SHA1: ab9a3f79859d3bd587317945136c053c8d08ae9d
MD5: 0bdda5b203548929ce49ca0a47e51730
SHA256: 51b411f1c6b10e8ee9bea405e66fc2f1f8f84d29106f119b2423de59101bbbd8
http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-58601 | TrickBot_eed13f83 | Mixed | This strike sends a malware sample known as TrickBot. TrickBot is a banking trojan that shares similarities with the Dyre banking trojan. It has been used by criminals to target customers of Australian banks. | MD5: eed13f831889481bd6f8f9875ac6fd9e | SHA1: 1d30abdb2d6f7acbce158293c77f45e07ad0677e
MD5: eed13f831889481bd6f8f9875ac6fd9e
SHA256: 721c1d648a245bc350d1ace7537db518162f725f2dab14bd4a149d8165144962
http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-f8b01 | MS Office VBS Downloader | Mixed | This strike sends a malware sample known as MS Office VBS Downloader. This sample attempts to evade detection by splitting the word "powershell" and inserting characters in between. | MD5: 579702e392a78e07695353691e1e482e | SHA1: 49d8c84b9a6c560ffd9570030546e370a1ed6ce9
MD5: 579702e392a78e07695353691e1e482e
SHA256: 4bc6d7e5960831476f33ac3d9f632ebae9c2a22aa975d20fffb0830b94bf3143
http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-a5h01 | Jrat_2aa5b591 | Mixed | This strike sends a malware sample known as Jrat. This sample is a document that contains an embedded OLE object that attempts to contact external domains to download additional malicious code. | MD5: 2aa5b591ce3ef5894729e4c80289bb3b | SHA1: cf4439ea97f0880cf118efca8a7bb41a3adce7a9
MD5: 2aa5b591ce3ef5894729e4c80289bb3b
SHA256: 1508a8ab14c4639853c9f2e598a142756517bd078f505274b5783ddda8fed0a0
http://blog.talosintelligence.com/2017/09/threat-round-up-170922-170929.html
M17-vbe01 | TorrentLocker_e4997fd3 | Windows | This strike sends a malware sample known as TorrentLocker. This sample of ransomware uses AES encryption to encrypt files on the victim's machine before demanding a Bitcoin ransom. | MD5: e4997fd30092248f2e4de8e5f8223e5e | SHA1: a53ff63cc5745a6d6da6b97b55b9c05ec53e4520
MD5: e4997fd30092248f2e4de8e5f8223e5e
SHA256: 1a78a5c1c4ebb8a0047cbb4a8a27782212603d71cae2aeb033bceab76795a294
http://blog.talosintelligence.com/2017/09/threat-round-up-170922-170929.html
M17-emo01 | Document Macro Obfuscation | Mixed | This strike sends a malware sample known as Document Macro Obfuscation. This sample uses obfuscation to bypass detection and adds useless code to misdirect analysis. | MD5: aef86a60e907b7f5e8540643ad7a8c48 | SHA1: 2fddab183182d926349a4fe546c4dbfa54610d86
MD5: aef86a60e907b7f5e8540643ad7a8c48
SHA256: 7ba4b97d8ef2eb865b6d6e76c77446657eb39269b5d276e77f458fa3fd639e2c
http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-0wi01 | MS Office VBS Downloader | Mixed | This strike sends a malware sample known as MS Office VBS Downloader. This sample attempts to evade detection by splitting the word "powershell" and inserting characters in between. | MD5: 37a146d0ee31b358fa92b1726abf028f | SHA1: 8cd3a6594a2b289ecc514305606ee4f651fd1f77
MD5: 37a146d0ee31b358fa92b1726abf028f
SHA256: 195cb14fade7c435e10d673170dd975ee9b3f1c15fd932dc5c9d2663b4a7af10
http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-pr501 | Document Macro Obfuscation | Mixed | This strike sends a malware sample known as Document Macro Obfuscation. This sample uses obfuscation to bypass detection and adds useless code to misdirect analysis. | MD5: 035e632c7164f593dd9b592d25335721 | SHA1: b980506e2ab625480bff8dd88be3934f97dfe096
MD5: 035e632c7164f593dd9b592d25335721
SHA256: 25210b1abea142ae5d2fa21e2a2ea836f1eb3a62cc7118f2188bf63904c9523a
http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-pzc01 | MS Office VBS Downloader | Mixed | This strike sends a malware sample known as MS Office VBS Downloader. This sample attempts to evade detection by splitting the word "powershell" and inserting characters in between. | MD5: d9ba9684df6ec50d76eb54aa16a0e0f3 | SHA1: a66a51c776ed96671bfa7a10f5ba3bee304b9c69
MD5: d9ba9684df6ec50d76eb54aa16a0e0f3
SHA256: 4b9703f52464b8025e0146ae4792400f7c077194b0007b3d2ae31eb80642c517
http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-4qi01 | TrickBot_fe309ae2 | Mixed | This strike sends a malware sample known as TrickBot. TrickBot is a banking trojan that shares similarities with the Dyre banking trojan. It has been used by criminals to target customers of Australian banks. | MD5: fe309ae2b5be60ca6e242fa1453d674e | SHA1: 03e65781dc8baa1c554b696c67f802c684b0f335
MD5: fe309ae2b5be60ca6e242fa1453d674e
SHA256: 3a4ea7d6ce3bf31398f34e831249aaccc3a6c123eae239bca37ab1dd57749c19
http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-l1h01 | MS Office VBS Downloader | Mixed | This strike sends a malware sample known as MS Office VBS Downloader. This sample attempts to evade detection by splitting the word "powershell" and inserting characters in between. | MD5: 0137c8f7dbc6b64a1b4c8ab9d16773c2 | SHA1: 7c25b065d753e31c6097b6708b89831a8dce6f7e
MD5: 0137c8f7dbc6b64a1b4c8ab9d16773c2
SHA256: db1ba6f50f367209db4733b94e8d22c8703665bf5b90716bfc754b3639d4c76a
http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-y6z01 | Emotet_3d3b3030 | Mixed | This strike sends a malware sample known as Emotet. This document sample has been identified as part of the Emotet banking trojan. It contains obfuscated code and uses PowerShell to download payloads. | MD5: 3d3b30300206c5df413797e360bb49e0 | SHA1: 8f086f4c54d6c724cd5fc34a5abba45f28d49c7b
MD5: 3d3b30300206c5df413797e360bb49e0
SHA256: 73ca04dd07cefa6bc4fc68714e0f2ec98f251833ff48eb8276f8cea09526fa89
http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-ae501 | CCleaner_04c940f8 | Windows | This strike sends a malware sample known as CCleaner. This sample of CCleaner, distributed by Avast, contains a malicious payload that features a domain generation algorithm and hard-coded C2 functionality. The malicious payload may attempt to elevate privileges or send an HTTP request to a remote controller in order to retrieve a further-stage payload. | MD5: 04c940f8755ecfd89472dec010a27980 | SHA1: 794c6899961dbb0c55c864271e89aaf981d5f5fc
MD5: 04c940f8755ecfd89472dec010a27980
SHA256: 2bc2dee73f9f854fe1e0e409e1257369d9c0a1081cf5fb503264aa1bfe8aa06f
http://blog.talosintelligence.com/2017/09/threat-round-up-170922-170929.html
M17-2df01 | Microsoft | Mixed | This strike sends a malware sample known as Microsoft Office DDE. This sample is the original lure associated with the Microsoft Office DDE attacks. The sample's filename is EDGAR_Rules_2017.docx.
SHA1: 3a7956ac437c87fc6ca594c59d4de086ed6c8865
MD5: 2c0cfdc5b5653cb3e8b0f8eeef55fc32
SHA256: 1a1294fce91af3f7e7691f8307d07aebd4636402e4e6a244faac5ac9b36f8428
http://contagiodump.blogspot.com/2017/10/dde-command-execution-malware-samples.html
M17-i1q01 | Emotet_17550aae | Mixed | This strike sends a malware sample known as Emotet. This document sample has been associated with the Emotet banking trojan. It contains obfuscated code and uses PowerShell to download payloads.
SHA1: ae88296d6394c6d7a248a31e8dffb4eb47bbff8d
MD5: 17550aae49290ff9cf99137f2a8d6d2b
SHA256: a38563a27a75eab4ddc5d76a99a1e8589775add35fce1e20d0b2bc6b64bf2cfb
http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-2ng01 | MS | Mixed | This strike sends a malware sample known as MS Office VBS Downloader. This sample attempts to evade detection by splitting the word "powershell" and inserting characters in between.
SHA1: 43377fcac1b50b6cb80680982f66a4b745431dae
MD5: 9afb2a93e3426f8add62145e93187344
SHA256: ca38154915f53ec6c2793e94639e2ce9701de8236e41064cba35fe7e6387af70
http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-r4z01 | Tofsee_a06a4691 | Windows | This strike sends a malware sample known as Tofsee. This sample has been tied to other malware such as the Zeus botnet. It contains several layers of encryption, exhibits ransomware behavior, and also sends spam.
SHA1: 44cd1bfade1c63a5ca4fdad6a537d30b6c4d9f07
MD5: a06a4691a360c7e5d02d2caddd1a8da2
SHA256: fa1645ec20a84fd16d9d5eb2960b1caafb168f4456c7a14c8b8e5219bd15b29c
http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-akj01 | Cossta_73ba6fd6 | Windows | This strike sends a malware sample known as Cossta. This sample is a trojan that downloads more malicious code and commands in order to execute additional functionality.
SHA1: 08225137bf178ff7fcf0879f10c114dc31023ae2
MD5: 73ba6fd61e41c274c3236ffa4ce493d0
SHA256: 424e36fd9975a43f25fad06e0282833d1280bcd9e6d5ef8221dc322fd16fbaa0
http://blog.talosintelligence.com/2017/09/threat-round-up-170922-170929.html
M17-14f01 | RevengeRat_82216a2f | Windows | This strike sends a malware sample known as RevengeRat. This sample is a Remote Access Tool that allows the attacker to perform a variety of covert malicious functions on the target system. These capabilities include, but are not limited to, spying on the user and exfiltrating data.
SHA1: 4e3b51f644f9a8453001fd065ccfbe785072a8a8
MD5: 82216a2f1e20a67f7ecfe60cd271aa55
SHA256: 7d0474c514e78deac6f690006546bf92c029836c60d547504ceebdd21bf6130c
http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-o9l01 | TrickBot_2187fd87 | Mixed | This strike sends a malware sample known as TrickBot. TrickBot is a banking trojan which shares similarities with the Dyre banking trojan. It is used by crooks to target customers of Australian banks.
SHA1: ddbebdce1b672dc16dc5e508bb0052cd45cbe6b7
MD5: 2187fd870f1f8f01b21db7eaf21cf4aa
SHA256: 8c937c4364f8c5c003f35771dd7983def26a073a9ad5dda9fca302f762dd4c83
http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-blt01 | Document | Mixed | This strike sends a malware sample known as Document Macro Obfuscation. This sample uses obfuscation to bypass detection and adds useless code to misdirect analysis.
SHA1: cd7072e306c8710b10761215711e521027a3e162
MD5: f174ae37eb7f20af733053975a6d05cc
SHA256: 1da8eda0545dbe5a53d41fb1b9ed71c7129cf14b2395acffd601056b7d6765fd
http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-k1a01 | Emotet_02e3887d | Mixed | This strike sends a malware sample known as Emotet. This document sample has been associated with the Emotet banking trojan. It contains obfuscated code and uses PowerShell to download payloads.
SHA1: 6c43c961756dbcffce0e26e09f97de6775b217ed
MD5: 02e3887db869113cb223d9ebd9c6117f
SHA256: e77ff24ea71560ffcb9b6e63e9920787d858865ba09f5d63a7e44cb86a569a6e
http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-dlj01 | Document | Mixed | This strike sends a malware sample known as Document Macro Obfuscation. This sample uses obfuscation to bypass detection and adds useless code to misdirect analysis.
SHA1: 76de96ea0cbdbebdc38c752c22b8ddda39cf06b1
MD5: 750e0859d26265725906ce6d69f975ea
SHA256: 0ff727f106fecde4e4292f0e35092376786cf8a9097da064623ffa912db7e9bf
http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-lux01 | RevengeRat_b9840247 | Windows | This strike sends a malware sample known as RevengeRat. This sample is a Remote Access Tool that allows the attacker to perform a variety of covert malicious functions on the target system. These capabilities include, but are not limited to, spying on the user and exfiltrating data.
SHA1: b8317c8992240b3cf5324b0ecad8d906cd171c24
MD5: b984024785d559801b952cd08e50e68b
SHA256: e422cc0f5bb2d56d1def4063ac21cb8e18f97dfc48287e8b47ba07863704a8af
http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-tpz01 | Office | Mixed | This strike sends a malware sample known as Office DDE Powershell Payload. This sample is a stage 2 PowerShell script that has been associated with Microsoft Office DDE attacks.
SHA1: 185d5476f0e908a9022eabaae48bbf8767079e2d
MD5: 1ced468b2f59063f0575c8b2409d8efb
SHA256: 8c5209671c9d4f0928f1ae253c40ce7515d220186bb4a97cbaf6c25bd3be53cf
http://contagiodump.blogspot.com/2017/10/dde-command-execution-malware-samples.html
M17-3gc01 | Vilsel_60d248d4 | Windows | This strike sends a malware sample known as Vilsel. This sample is an older trojan that copies itself to the victim's startup folder to obtain persistence. It has been observed copying itself to several locations on the target system, with each copy appending random bytes to the end of its name.
SHA1: b2303ba54eec80d0d42d86b56af06204c020886a
MD5: 60d248d41b06518e3a0df48c3b3f495e
SHA256: c3ff4ab8815d9934a5a2bb5e02de372e20d70ef2ea519bf96bd3188187ab8a63
http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-qo701 | TrickBot_3bc3e105 | Mixed | This strike sends a malware sample known as TrickBot. TrickBot is a banking trojan which shares similarities with the Dyre banking trojan. It is used by crooks to target customers of Australian banks.
SHA1: 38432c9b2a8b181bac9c2ced078f5bfbdb2dd048
MD5: 3bc3e1051501cd45858d8802a67f10e2
SHA256: 28df3fd75d3c3748b26931a449229f585f4e4543aa25a0caf37367444bb7a7c2
http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-adl01 | CCleaner_4c339080 | Windows | This strike sends a malware sample known as CCleaner. This sample of CCleaner, as distributed by Avast, contains a malicious payload that features a domain generation algorithm and hard-coded C2 functionality. The malicious payload may attempt to elevate privileges, or send an HTTP request to a remote controller in an attempt to retrieve a further-stage payload.
SHA1: 4e2ffcf1508af2f6e5ab8bd2c34d6b888acd8554
MD5: 4c3390800de3bf59c8187d7f3d056ed6
SHA256: dbf648e5522c693a87a76657e93f4d44bfd8031c0b7587f8b751c110d3a6e09f
http://blog.talosintelligence.com/2017/09/threat-round-up-170922-170929.html
M17-gg301 | Beeldeb_dd49d79e | Windows | This strike sends a malware sample known as Beeldeb. This sample is a trojan that is added to the startup folder for persistence. It is a self-executing AutoIt script, and the malware payload is injected into a dropped executable.
SHA1: 7feb92fd77af91d5631d77f39010a1ae71523002
MD5: dd49d79e92a0785fddd2af6badd2d8c6
SHA256: e15dc2879dccd3c62d77169fe77d869455e61e2706006da829013d55b42107ba
http://blog.talosintelligence.com/2017/09/threat-round-up-170922-170929.html
M17-9zr01 | Tofsee_ee5b4403 | Windows | This strike sends a malware sample known as Tofsee. This sample has been tied to other malware such as the Zeus botnet. It contains several layers of encryption, exhibits ransomware behavior, and also sends spam.
SHA1: 59492294c94d974c4cb6ecaacd26ebcbacc590db
MD5: ee5b4403f1854620ff45955657310554
SHA256: b637127d56d4b02c131bfdeaa8a42d95210bdd33285ef5788249ba8f631a0abf
http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-2eg01 | Microsoft | Mixed | This strike sends a malware sample known as Microsoft Office DDE. This sample is the original lure associated with the Microsoft Office DDE attacks. The sample's filename is Giveaway.docx.
SHA1: ea8d91434705af3766fb4d6e7435b43c92546995
MD5: 507784c0796ffebaef7c6fc53f321cd6
SHA256: 313fc5bd8e1109d35200081e62b7aa33197a6700fc390385929e71aabbc4e065
http://contagiodump.blogspot.com/2017/10/dde-command-execution-malware-samples.html
M17-88n01 | Jrat_bd2fe03a | Mixed | This strike sends a malware sample known as Jrat. This sample is a document that contains an embedded OLE object that attempts to contact external domains to download additional malicious code.
SHA1: 70bdde14a8fe71f328a91f017adccb4c2696a194
MD5: bd2fe03a6ca8049998bba6d8a6e0c8c1
SHA256: 1570586012e23a7de3a8fd965bdc2d3a96175fd8a77d284827c1ed6d58944a7e
http://blog.talosintelligence.com/2017/09/threat-round-up-170922-170929.html
M17-q6u01 | Tofsee_c8ae48a5 | Windows | This strike sends a malware sample known as Tofsee. This sample has been tied to other malware such as the Zeus botnet. It contains several layers of encryption, exhibits ransomware behavior, and also sends spam.
SHA1: d2713d694de53d7f9779e8ede146d2f58b3b1069
MD5: c8ae48a597b5d3b859a1e59580063a5b
SHA256: baaf07eff95de3672affcae2e00aca57540b8bfcb1c6010ee359213d8700bd0e
http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-99x01 | Tofsee_5ddcb7eb | Windows | This strike sends a malware sample known as Tofsee. This sample has been tied to other malware such as the Zeus botnet. It contains several layers of encryption, exhibits ransomware behavior, and also sends spam.
SHA1: 3b633face0ab1f10b76cd5a6bee0d17def57f845
MD5: 5ddcb7eb1592c47d3989721fa825de6b
SHA256: 0f4d468818d80d3048879c26546dc5b413956ca2a5ec5261fa54a00d03e0b393
http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-o7a01 | Microsoft | Mixed | This strike sends a malware sample known as Microsoft Office DDE. This sample is the original lure associated with the Microsoft Office DDE attacks. The sample's filename is Filings_and_Forms.docx.
SHA1: e8b6b61b3c882cca895673c23a0168268c6926c7
MD5: 47111e9854db533c328ddbe6e962602a
SHA256: 9fa8f8ccc29c59070c7aac94985f518b67880587ff3bbfabf195a3117853984d
http://contagiodump.blogspot.com/2017/10/dde-command-execution-malware-samples.html
M17-91t01 | TrickBot_1d017e8f | Mixed | This strike sends a malware sample known as TrickBot. TrickBot is a banking trojan which shares similarities with the Dyre banking trojan. It is used by crooks to target customers of Australian banks.
SHA1: 02f59e1595b32dd0f29a1f37b4b446a8b5d4d204
MD5: 1d017e8f2dcbc1b4746b104ffa92c6fc
SHA256: 99714908dc8d8316bcad7089c8d100755cd25f77c52bce91af0ed3a9a44db1bf
http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-r3v01 | Emotet_6e6118f6 | Mixed | This strike sends a malware sample known as Emotet. This document sample has been associated with the Emotet banking trojan. It contains obfuscated code and uses PowerShell to download payloads.
SHA1: ca90c4c4a0d5869bb82e9c83b91c89a0680dc055
MD5: 6e6118f6e06d8cff7fdf5ff86417e326
SHA256: b160f7e0036a12a9b7b499249950aaeec569484ff0d50122c4d32d72c75aaf49
http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-a6z01 | Beeldeb_5ff9e9b0 | Windows | This strike sends a malware sample known as Beeldeb. This sample is a trojan that is added to the startup folder for persistence. It is a self-executing AutoIt script, and the malware payload is injected into a dropped executable.
SHA1: 49f18e00751bf463cecd38b56d8962e32716a32b
MD5: 5ff9e9b08389b3680a87f8bde3bbde41
SHA256: 2c89cbab497a1a5219b5d66f1ba39473b6ffc15ec4f53a2bb09c070a15a537e8
http://blog.talosintelligence.com/2017/09/threat-round-up-170922-170929.html
M17-m4k01 | Beeldeb_91c456af | Windows | This strike sends a malware sample known as Beeldeb. This sample is a trojan that is added to the startup folder for persistence. It is a self-executing AutoIt script, and the malware payload is injected into a dropped executable.
SHA1: c7c42ceca41ffefd1c06f742fafbe5ec5a28cc37
MD5: 91c456af934c996615971350abe59d9b
SHA256: 1e76a00a1e6e4265ad5ff364d3139a62013a9628d90edd7e6a155e7f0a8193e8
http://blog.talosintelligence.com/2017/09/threat-round-up-170922-170929.html
M17-xf301 | Document | Mixed | This strike sends a malware sample known as Document Macro Obfuscation. This sample uses obfuscation to bypass detection and adds useless code to misdirect analysis.
SHA1: a3f656592d267c7228223fb89729ce169b6f949a
MD5: 41b3b3891b2ff0f02fc37722814b2e44
SHA256: 9e316bc8edd80e260d8ef24accfd2f1c1561665171d0721f4a36585e9b1cbe99
http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-d5u01 | BadRabbit_edb72f4a | Windows | This strike sends a malware sample known as BadRabbit. This sample, included with the BadRabbit ransomware, is a legitimate DiskCryptor driver. DiskCryptor is open-source disk encryption software.
SHA1: 08f94684e83a27f2414f439975b7f8a6d61fc056
MD5: edb72f4a46c39452d1a5414f7d26454a
SHA256: 0b2f863f4119dc88a22cc97c0a136c88a0127cb026751303b045f7322a8972f6
http://blog.talosintelligence.com/2017/10/bad-rabbit.html
M17-bmh01 | Emotet_2718d8af | Mixed | This strike sends a malware sample known as Emotet. This document sample has been associated with the Emotet banking trojan. It contains obfuscated code and uses PowerShell to download payloads.
SHA1: 84dd202e55479bc3a751685e3d6567d4bc811a6f
MD5: 2718d8af5a07402f52c0de6e41abb99a
SHA256: 24b041585da64a03245c460805f68dbac94b63d19aba6f1bbf7f7d6fa3a26033
http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-p1q01 | Vilsel_33a4a3bd | Windows | This strike sends a malware sample known as Vilsel. This sample is an older trojan that copies itself to the victim's startup folder to obtain persistence. It has been observed copying itself to several locations on the target system, with each copy appending random bytes to the end of its name.
SHA1: dd484940a55ec3240f65185a2bb77acc9190b850
MD5: 33a4a3bd945302e799b90c250f9de22f
SHA256: 1b8ba3bde52f7c979d427a03d636c9658b010724b8b93fd98c31a888bcc3123c
http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-aee01 | Document | Mixed | This strike sends a malware sample known as Document Macro Obfuscation. This sample uses obfuscation to bypass detection and adds useless code to misdirect analysis.
SHA1: 9fba5890634f229b7145f17686f70d48c5e5f897
MD5: 30be88192aa73ae0120f5e225204b108
SHA256: a7b7a582248f4ed47c8816c9436e7a49f2c02a83d18014509d0215e217f19e9e
http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-nev01 | TrickBot_466187a5 | Mixed | This strike sends a malware sample known as TrickBot. TrickBot is a banking trojan which shares similarities with the Dyre banking trojan. It is used by crooks to target customers of Australian banks.
SHA1: 94a7e837ff4577f555ee7ab1f6532df7d846d716
MD5: 466187a5d3cc9e941dc2c7274b1c6709
SHA256: 37e7afe3da64064dacbc53b5cac88972662a181aa864e094b4a45ce88318d7f3
http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-w3b01 | MS | Windows | This strike sends a malware sample known as MS Office DDE Payload PE. This sample is a dropped payload associated with the Microsoft Office DDE attacks. The filename is Citibk_MT103_Ref71943.exe.
SHA1: 705de08f2a4b939b406f496e7c21afbdb7436215
MD5: 3a4d0c6957d8727c0612c37f27480f1e
SHA256: 316f0552684bd09310fc8a004991c9b7ac200fb2a9a0d34e59b8bbd30b6dc8ea
http://contagiodump.blogspot.com/2017/10/dde-command-execution-malware-samples.html
M17-eit01 | MS | Mixed | This strike sends a malware sample known as MS Office VBS Downloader. This sample attempts to evade detection by splitting the word "powershell" and inserting characters in between.
SHA1: 3c41291459807bfbe05fe9b7c1c40e6a2ab97cd7
MD5: 1a4471c427c7b4d87f3edf0c150e4c89
SHA256: 2747932c56b816aae80ace812975e868b3227ab651903c1dc01e987231cccc96
http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-tx001 | MS | Mixed | This strike sends a malware sample known as MS Office VBS Downloader. This sample attempts to evade detection by splitting the word "powershell" and inserting characters in between.
SHA1: 0a456e5f7f7fb43b0d017ec752af986330cceebe
MD5: 1549333bbc2ca45390d73c7876ef7704
SHA256: 57794867310c0c673a34eccea666780b09287f8ca42e4c5aadd21abec43d8168
http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-7u401 | Beeldeb_83642fc3 | Windows | This strike sends a malware sample known as Beeldeb. This sample is a trojan that is added to the startup folder for persistence. It is a self-executing AutoIt script, and the malware payload is injected into a dropped executable.
SHA1: dca5899ec909dcf5c29212c4a7cf969a51b154d6
MD5: 83642fc30d69a624f5b5c3c6dbef590f
SHA256: a864f592f8fd01a57cf8302056a413e4a688f6cfa2beae8c5e136a40384f7b56
http://blog.talosintelligence.com/2017/09/threat-round-up-170922-170929.html
M17-8fv01 | MS | Windows | This strike sends a malware sample known as MS Office DDE Payload PE. This sample is the final dropped payload in a Microsoft Office DDE attack targeting Freddie Mac employees.
SHA1: 9f09b4e99e7fd50d53d9df67236a0dfd0a22acc6
MD5: 4f3a6e16950b92bf9bd4efe8bbff9a1e
SHA256: 5d3b34c963002bd46848f5fe4e8b5801da045e821143a9f257cb747c29e4046f
http://pedramamini.postach.io/
http://blog.inquest.net/blog/2017/10/14/02-microsoft-office-dde-freddie-mac-targeted-lure/
http://contagiodump.blogspot.com/2017/10/dde-command-execution-malware-samples.html
M17-sex01 | Document | Mixed | This strike sends a malware sample known as Document Macro Obfuscation. This sample uses obfuscation to bypass detection and adds useless code to misdirect analysis.
SHA1: 904c859e56bc6a6f59e1ac7335c9b59502ca86f3
MD5: 3cc8af9aed58a99c5c1884ed17e0daa7
SHA256: 9de97b64e55209d946f21d8e1be015932f0df9df1acc0c282b8aaf6885b5d254
http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-ipj01 | Document | Mixed | This strike sends a malware sample known as Document Macro Obfuscation. This sample uses obfuscation to bypass detection and adds useless code to misdirect analysis.
SHA1: d9a065c5ca4fd19e571af5a12492dcb9a39ef1f3
MD5: ffc42a752bc20745f0f20a112a416a8e
SHA256: ee787d5959e57fe1787b36a3bfa3fd4d90e4a0b1705f96f4a90a06d0bdd75cab
http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-b8601 | MS | Mixed | This strike sends a malware sample known as MS Office VBS Downloader. This sample attempts to evade detection by splitting the word "powershell" and inserting characters in between.
SHA1: 2264c10d35c17626f9ad94c63071be9382182bdc
MD5: 9e76e0aa0bbc164c35d34641194ab0be
SHA256: 2374d35b524259f14a3cd41eca49417c69fafdab226a4d00788c014b3c2c922c
http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-nof01 | TrickBot_9e2a44f5 | Mixed | This strike sends a malware sample known as TrickBot. TrickBot is a banking trojan which shares similarities with the Dyre banking trojan. It is used by crooks to target customers of Australian banks.
SHA1: a5dcb49bd204a916cf8fe27e509a41e7d15ba8bd
MD5: 9e2a44f56e89d074ff8b4ccc49d8eecf
SHA256: b4492030182ee0e7c3257f417fe98d4e52d301230e31491a4563cb41fa6b3343
http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-y8l01 | TrickBot_adbf41e8 | Mixed | This strike sends a malware sample known as TrickBot. TrickBot is a banking trojan which shares similarities with the Dyre banking trojan. It is used by crooks to target customers of Australian banks.
SHA1: 3d69c7a7e963d1b63b696ccba8b51b5159b7c8fe
MD5: adbf41e8d5cc1f2ace5410439bc02784
SHA256: 6acd175a2971b370ae7413bad180f8f745a4b391b0fa4f3e70ef660f5e3bee75
http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-xsw01 | Document | Mixed | This strike sends a malware sample known as Document Macro Obfuscation. This sample uses obfuscation to bypass detection and adds useless code to misdirect analysis.
SHA1: 7a844dc2045c002a6224597ed7a9d93c738a6527
MD5: 5544f6c63933909929da0e907546c42f
SHA256: b49adc35b4a6add49bc0accfc9ce9b6d2f8c093af0c2ee6dd05750aba2c75503
http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-hnf01 | Cossta_a72550cc | Windows | This strike sends a malware sample known as Cossta. This sample is a trojan that downloads more malicious code and commands in order to execute additional functionality.
SHA1: 0fc84405183a9f1af5db4c6e911d2f3059e17620
MD5: a72550cc54425d5660f2913a6b7f240e
SHA256: 2e3b79c0bc90f46218700afba5d5a55cb00832969a00f254ec113d342d76a992
http://blog.talosintelligence.com/2017/09/threat-round-up-170922-170929.html
M17-w3t01 | TerrorEK_6ea344d0 | Windows | This strike sends a malware sample known as TerrorEK. Terror EK is an exploit kit that is distributed via malvertising on adult web site traffic. It can fingerprint its target to determine which exploits to deliver.
SHA1: b19796bdd0e86b7f754900950465c1b3b054483e
MD5: 6ea344d0db80ab6e5cabdc9dcecd5ad4
SHA256: cf51ef5c787407e343c132febde8cba563015165b37e7824078baebe1bf20109
https://threatpost.com/malvertising-campaign-redirects-browsers-to-terror-exploit-kit/128596/
M17-qfe01 | BadRabbit_b14d8faf | Windows | This strike sends a malware sample known as BadRabbit. This sample, included with the BadRabbit ransomware, is a legitimate DiskCryptor client. DiskCryptor is open-source disk encryption software.
SHA1: afeee8b4acff87bc469a6f0364a81ae5d60a2add
MD5: b14d8faf7f0cbcfad051cefe5f39645f
SHA256: 8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93
http://blog.talosintelligence.com/2017/10/bad-rabbit.html
M17-3dz01 | TrickBot_f1c5db30 | Mixed | This strike sends a malware sample known as TrickBot. TrickBot is a banking trojan which shares similarities with the Dyre banking trojan. It is used by crooks to target customers of Australian banks.
SHA1: 461306e3b6f95d791e0185b919ee02e40a946d76
MD5: f1c5db30b092fdbc27892ce4ccf67eeb
SHA256: 08a5a27b430bdc6d157ebdbf5dd0e7c648d7fc0e9e3e52baf54f5b770f72e919
http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-9mh01 | RevengeRat_f8e91818 | Windows | This strike sends a malware sample known as RevengeRat. This sample is a Remote Access Tool that allows the attacker to perform a variety of covert malicious functions on the target system. These capabilities include, but are not limited to, spying on the user and exfiltrating data.
SHA1: 6ca5c2f79c431717033f244f95ee223287f53d73
MD5: f8e91818df8255195ffa3700a8a91020
SHA256: b110def3771963078f3ce54d13d23a6f751ea6dc41e5177e242208791a0a8342
http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-llu01 | Jrat_ae95cb1c | Mixed | This strike sends a malware sample known as Jrat. This sample is a document that contains an embedded OLE object that attempts to contact external domains to download additional malicious code.
SHA1: d4913dc755088d1e3d129c6b9c9458a62a514c81
MD5: ae95cb1ce2361ee8a243a165a30671ea
SHA256: 50c1020efca0698519c89b468fc25926d1bad2eeb421482d9c17b6ab24535217
http://blog.talosintelligence.com/2017/09/threat-round-up-170922-170929.html
M17-yya01 | Emotet_de42982a | Mixed | This strike sends a malware sample known as Emotet. This document sample has been associated with the Emotet banking trojan. It contains obfuscated code and uses PowerShell to download payloads.
SHA1: b1049b482ad0a4745fac3455e11005ec2568a421
MD5: de42982a6a16c1bdf40f2baad8e72511
SHA256: 56aa0e876398efcb1ba2e8465e8bd91109e700147eff81acac5ad2514e2f011a
http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-5zk01 | TorrentLocker_4111ff07 | Windows | This strike sends a malware sample known as TorrentLocker. This sample of ransomware uses AES encryption to encrypt files on the victim's machine before demanding a Bitcoin ransom.
SHA1: dc9605648dadaa9cc463acd711a1ee9908328f54
MD5: 4111ff07e1f54723cc323c0a0ed88080
SHA256: ba4fe6e91aae42e7a12747422443a361201898a4a5d2454472cf8d42b8d5cc52
http://blog.talosintelligence.com/2017/09/threat-round-up-170922-170929.html
M17-xag01 | Beeldeb_39c16536 | Windows | This strike sends a malware sample known as Beeldeb. This sample is a trojan that is added to the startup folder for persistence. It is a self-executing AutoIt script, and the malware payload is injected into a dropped executable.
SHA1: 8a90d33befcc9c9c28439bde56215378d8a189b9
MD5: 39c165367e163aad7a384c3f565a9875
SHA256: bb8e4aec824aa052fdda739abb8472caf2bd6c34d1773248ea3072e5c024140a
http://blog.talosintelligence.com/2017/09/threat-round-up-170922-170929.html
M17-ees01 | Tofsee_3b8d76c2 | Windows | This strike sends a malware sample known as Tofsee. This sample has been tied to other malware such as the Zeus botnet. It contains several layers of encryption, exhibits ransomware behavior, and also sends spam.
SHA1: 7a3388475aa5a955619dd11d1d09c2b242ebc5f2
MD5: 3b8d76c2886b2deeec94060f1353e35b
SHA256: b29d5908edaa7a98e7b7aca5614e0dbbcbaa5e15e93540f037451db52905ebdf
http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-z7801 | RevengeRat_0ab4672f | Windows | This strike sends a malware sample known as RevengeRat. This sample is a Remote Access Tool that allows the attacker to perform a variety of covert malicious functions on the target system. These capabilities include, but are not limited to, spying on the user and exfiltrating data.
SHA1: 51fcd86363149c3c164bfa31219b76eef3f97eea
MD5: 0ab4672ff9298e2bdd1ad12966fba880
SHA256: 0d576038349acf0892cbb0124b9558bb4b80c070875017c320dd12bdc0c21f9a
http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-ry101 | Tofsee_66fbf228 | Windows | This strike sends a malware sample known as Tofsee. This sample has been tied to other malware such as the Zeus botnet. It contains several layers of encryption, exhibits ransomware behavior, and also sends spam.
SHA1: de1c9685c1a12acf3fca5a5f958afc75c379bb05
MD5: 66fbf2288948d8f39516bfcf772df514
SHA256: 9f33ee45c11c52f6c6a38bb004457046f5743d51bde77282b2dc1847e9c6cbe9
http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-5ec01 | TrickBot_f8fda0ca | Mixed | This strike sends a malware sample known as TrickBot. TrickBot is a banking trojan which shares similarities with the Dyre banking trojan. It is used by crooks to target customers of Australian banks.
SHA1: 09696e0cfaf65d7be27167586563d23c3851d2e2
MD5: f8fda0ca1102b83e8848f7b678a4d52f
SHA256: 793c3af7a30ca9cbb1a9f33b1986b8628af45ec1c2a04c1dd98a5cfa376f55be
http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-odh01 | TrickBot_15a86455 | Mixed | This strike sends a malware sample known as TrickBot. TrickBot is a banking trojan which shares similarities with the Dyre banking trojan. It is used by crooks to target customers of Australian banks.
SHA1: 3c425cb3d7cc2dedc522ac1316b39ce401355437
MD5: 15a86455f789404d6a0f499b2349abf7
SHA256: dcfcc1a702447925e8826cf1b15a79db9ceee264c46e0447f62856c52be76c9a
http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-zku01 | Document | Mixed | This strike sends a malware sample known as Document Macro Obfuscation. This sample uses obfuscation to bypass detection and adds useless code to misdirect analysis.
SHA1: a9c8c15cead43c25929c28ff4d8a0d8499553d9f
MD5: 3971be2d09be971e83bb783bf15e496b
SHA256: 485ac8f15a1ed8005940365da1dd1031244eb9b18b86cc97a001483d23983e01
http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-nw901 | Microsoft | Mixed | This strike sends a malware sample known as Microsoft Office DDE. This sample is the original lure associated with the Microsoft Office DDE attacks. The sample's filename is ~WRD0000.tmp.
SHA1: 280a0697c5aa33d79d482df8614b6b044747ee8d
MD5: 42027846162fe156e1bb8da39c6b7288
SHA256: 8630169ab9b4587382d4b9a6d17fd1033d69416996093b6c1a2ecca6b0c04184
http://contagiodump.blogspot.com/2017/10/dde-command-execution-malware-samples.html
M17-sxi01 | Document | Mixed | This strike sends a malware sample known as Document Macro Obfuscation. This sample uses obfuscation to bypass detection and adds useless code to misdirect analysis.
SHA1: d88cb8e80bc03c1dbd5b63943741d5ee4ab49efd
MD5: ec15f34b51e13bd70b558ba54be82597
SHA256: 984730d87bc7df01d890f8719f83712c7eaf7af05de5cb9a49d3132dc6251751
http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html

Malware Strikes September - 2017

Strike ID | Malware | Platform | Info | MD5 | External References
M17-p5w01 | Symmi_4533f3cf | Windows | This strike sends a malware sample known as Symmi. This sample creates binaries and then gains persistence by creating a scheduled task. It then adds a registry value that can be loaded into the user-mode processes on the system.
SHA1: 7f38b9f01390d0e7be186d6d9e3780d4354cbcea
MD5: 4533f3cf126bea0971299bfcb664fd8f
SHA256: e76a23d8d8e16a6e1cd78e28ad875f5ca61221f3d0c44dddf750e5920dc5acc2
http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html
M17-q1o01 | Doc.Macro.Obfuscation_481bb264 | Mixed | This strike sends a malware sample known as Doc.Macro.Obfuscation. This sample of Office Macro documents employs the same defensive techniques to prevent easy investigation. Much of the code is unused or not malicious, in order to distract or slow the de-obfuscation process. The MD5 hash of this Doc.Macro.
SHA1: 37c9df70788833508a1b5c51720d25300f4a02c0
MD5: 481bb264685f1fd953c2e4902e33b9ba
SHA256: 0dd881a73d020780715e7a4ee943288fe5174ff27ae3ae90405785e8f584c225
http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html
M17-r1401 | Symmi_b6181cea | Windows | This strike sends a malware sample known as Symmi. This sample creates binaries and then gains persistence by creating a scheduled task. It then adds a registry value that can be loaded into the user-mode processes on the system.
SHA1: ecf8926e36e844179c85c4fbcf131591204b567f
MD5: b6181cea5538d1d990f01175005bc1c5
SHA256: 17ae6bd9e77a9a783caf5bc398f03ff47691134f9a6c5600a903159057c78b17
http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html
Strike ID: M17-5i701
Malware: Valyria_558a6786
Platform: Mixed
Info: This strike sends a malware sample known as Valyria. This sample is a downloader that uses obfuscation in VBA to build a PowerShell download command and executes it via the VBA Shell function.
SHA1: 60956c5bcc5c91205c7024055ebb47ed1cd0c460
MD5: 558a6786fadce8649252cf4f3548c0b0
SHA256: f543e6e17ca16d883f3da521b9c8e0070ab7a1ee6c83eb8bca701bea7af6385f
http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html
Strike ID: M17-ub901
Malware: AlmanCloud_307a4d25
Platform: Windows
Info: This strike sends a malware sample known as AlmanCloud. This trojan implements many anti-debugging techniques. It is also able to infect USB drives, function as a keylogger, and exfiltrate collected information by contacting remote servers.
SHA1: fb568c00d9971caf90a87cf8c0f85aded90dd6bb
MD5: 307a4d25ee4bbdfe53aea2a0d400508f
SHA256: 5e0fcf513867bb834af4ebb405a328d66838e528e32e420a89eab7b8619f1830
http://blog.talosintelligence.com/2017/09/threat-round-up-0825-0901.html
Strike ID: M17-epd01
Malware: Symmi_a7bf3e40
Platform: Windows
Info: This strike sends a malware sample known as Symmi. This sample creates binaries and then gains persistence by creating a scheduled task. It then adds a registry value that can be loaded into the user-mode processes on the system.
SHA1: 0df167157518e2b46d1f197c881d915525a67615
MD5: a7bf3e40fc8366e973b2794bd021c594
SHA256: 2a6794ad2014b95abca5512d85f748aaaf08a1d1f9a7be3583987bd1523f5f1b
http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html
Strike ID: M17-2rx01
Malware: Symmi_0333b1aa
Platform: Windows
Info: This strike sends a malware sample known as Symmi. This sample creates binaries and then gains persistence by creating a scheduled task. It then adds a registry value that can be loaded into the user-mode processes on the system.
SHA1: 6ba0790ed9d8d1d158db8e27f3e5d68fc7b1b4fb
MD5: 0333b1aa179d9685137aa394e99f4524
SHA256: 7156221c0787b78866de2621828fa2ea48ebdba2b06219576337db8bf342c6cf
http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html
Strike ID: M17-cot01
Malware: TrickBot_c2d71afe
Platform: Mixed
Info: This strike sends a malware sample known as TrickBot. TrickBot is a banking trojan that shares similarities with the Dyre banking trojan. It is used by criminals to target customers of Australian banks.
SHA1: 1194c6e068f7d9fe94269a4f32f3799a2ffb0ad2
MD5: c2d71afecb3afab088f8f72e38643555
SHA256: 2419210bdd20b352b357573e72eb82bafa801b078f25517546bd348e2e93a505
http://blog.talosintelligence.com/2017/09/threat-round-up-0825-0901.html
Strike ID: M17-xdl01
Malware: Cmig_395c0336
Platform: Windows
Info: This strike sends a malware sample known as Cmig. This sample is a packer that has been known to obfuscate malicious banking trojans.
SHA1: 8aceacc6a915e27d220d5ff2a0b7b0ae1d277173
MD5: 395c03366c6b4ad8579441cf87050fe7
SHA256: 359c0c9d53f14552ede1a37f73b4554f8fa8004ec0a25a6b6741dfd4f2df5682
http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html
Strike ID: M17-acy01
Malware: Valyria_2f432869
Platform: Mixed
Info: This strike sends a malware sample known as Valyria. This sample is a downloader that uses obfuscation in VBA to build a PowerShell download command and executes it via the VBA Shell function.
SHA1: e8b9c8fec8d1a3b26c79163ee46a387776853b53
MD5: 2f432869c66584e0761325a8e43d10c5
SHA256: e9d062f1b899f805c95b79165873b6c4e7eb6ec3185347ec0d67e2d30caff67b
http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html
Strike ID: M17-py101
Malware: Symmi_32583c0b
Platform: Windows
Info: This strike sends a malware sample known as Symmi. This sample creates binaries and then gains persistence by creating a scheduled task. It then adds a registry value that can be loaded into the user-mode processes on the system.
SHA1: 6e433f11a9a44100a2c90af7db766600c4c5506a
MD5: 32583c0b33172fdd8291ae201e0f9f4b
SHA256: a94ef67587dde19950297b9b69e90254f16cd5e6653fc596524044377a2e1193
http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html
Strike ID: M17-wnu01
Malware: Symmi_c45a851a
Platform: Windows
Info: This strike sends a malware sample known as Symmi. This sample creates binaries and then gains persistence by creating a scheduled task. It then adds a registry value that can be loaded into the user-mode processes on the system.
SHA1: f08536521390087d5a4776c8dc19f75cb99c6934
MD5: c45a851a0948b30997d95c789a7a487a
SHA256: d778483fb3f3afdc4efd06ae0f605a53d7ee4e512459aa3b287cc246cc6097b5
http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html
Strike ID: M17-a5101
Malware: Ursnif_c04e0926
Platform: Windows
Info: This strike sends a malware sample known as Ursnif. Ursnif, also known as Gozi, is a banking trojan. It is mainly spread through spam email carrying an attachment that downloads Ursnif. In the past year, Ursnif has been used in attacks against targets in Japan.
SHA1: 680a208f2459a369fe7f9c9b73a5b9c440464947
MD5: c04e0926efec768033d5458210c80dea
SHA256: 6f2af5771522f2ce3843f57c2a72a2451e0b73a71505cd50abad031267915be3
http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html
Strike ID: M17-g7f01
Malware: Valyria_e602fa89
Platform: Mixed
Info: This strike sends a malware sample known as Valyria. This sample is a downloader that uses obfuscation in VBA to build a PowerShell download command and executes it via the VBA Shell function.
SHA1: 491cc002b8c3cdf49b6b53806539ffe6f93893e1
MD5: e602fa89e592d87673b1ee21ba781962
SHA256: 59400bc70eab4810a1b7a5c8556879315cdc2233b51e812587fe259a3dde69a6
http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html
Strike ID: M17-8ds01
Malware: Cmig_c08bae3d
Platform: Windows
Info: This strike sends a malware sample known as Cmig. This sample is a packer that has been known to obfuscate malicious banking trojans.
SHA1: ebba2f3676d211e4784d86f26f83b89cda35e8e2
MD5: c08bae3d02bc5c866b97f4cdaa92a423
SHA256: 251984e04c9654cab912e5ab74f510c808a3fd34bc10d81f20eef7350dc51339
http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html
Strike ID: M17-wyj01
Malware: CC
Platform: Windows
Info: This strike sends a malware sample known as CC Cleaner. This sample of CCleaner, as distributed by Avast, contains a malicious payload that features a domain generation algorithm and hard-coded C2 functionality. The malicious payload may attempt to elevate privileges or send an HTTP request to a remote controller in hopes of retrieving a next-stage payload.
SHA1: c705c0b0210ebda6a3301c6ca9c6091b2ee11d5b
MD5: 75735db7291a19329190757437bdb847
SHA256: 1a4a5123d7b2c534cb3e3168f7032cf9ebf38b9a2a97226d0fdb7933cf6030ff
http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html
Strike ID: M17-i3p01
Malware: Cmig_094735c4
Platform: Windows
Info: This strike sends a malware sample known as Cmig. This sample is a packer that has been known to obfuscate malicious banking trojans.
SHA1: de032fc317e8cbe2827d1ee35516e442c4552428
MD5: 094735c41e4f4779c5a1503b2b4c2645
SHA256: 12b2c3dd430777d50966f542668eb022b2871a3c2ec77003911080fa90c32c5b
http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html
Strike ID: M17-nl101
Malware: Cmig_b922cf0e
Platform: Windows
Info: This strike sends a malware sample known as Cmig. This sample is a packer that has been known to obfuscate malicious banking trojans.
SHA1: c139a4fe693eff29239c71ccb5c30d6ae003914f
MD5: b922cf0ed1f18434326e6ed940fdc1df
SHA256: 2fe55bd75831905bd35b0928ecd70f064330311ec0749bda01cff595b9af6b27
http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html
Strike ID: M17-71x01
Malware: Dinwood_003acd74
Platform: Windows
Info: This strike sends a malware sample known as Dinwood. Dinwood is a polymorphic dropper that copies itself to the root directory and then removes itself. The modified versions drop the payload on a Windows system and then run it via DLL injection.
SHA1: e373f234220294da1f556e02353ff9d6521a3af0
MD5: 003acd74e09cda434d08a9f5ba2ea538
SHA256: 06ebf78a7f2f3cbc7a8961051f3bfe9211b8dc8fd255be6f9df7b96f261a46ad
http://blog.talosintelligence.com/2017/09/threat-round-up-0825-0901.html
Strike ID: M17-laa01
Malware: Cmig_37e3b74c
Platform: Windows
Info: This strike sends a malware sample known as Cmig. This sample is a packer that has been known to obfuscate malicious banking trojans.
SHA1: 4f5fc5eb1766ece68e8f4e486093f7a3d34f7771
MD5: 37e3b74c24f4928d098b526738945eee
SHA256: 3d3d7e837aafbd8f42ade61f867114cc28af14c5d4ace788f351df0ad58cadf1
http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html
Strike ID: M17-xqy01
Malware: Doc.Macro.Obfuscation_abf1049b
Platform: Mixed
Info: This strike sends a malware sample known as Doc.Macro.Obfuscation. This sample uses obfuscation in an attempt to make quick code analysis difficult. Much of the code found in this sample is junk code that does not evaluate to a malicious function or purpose. The MD5 hash of this Doc.Macro.
SHA1: 5e03b849d2311d922a8dfaf7e283e06eaff2513a
MD5: abf1049b698b8bffbfc936ef383a374b
SHA256: 6ff2121b359d8a2776c25293aa96b823759b0796e559e70bc6d2e8adaf208fd7
http://blog.talosintelligence.com/2017/09/threat-round-up-0825-0901.html
Strike ID: M17-3l401
Malware: Doc.Macro.Obfuscation_62bb7e2b
Platform: Mixed
Info: This strike sends a malware sample known as Doc.Macro.Obfuscation. This sample of Office macro documents employs the same defensive techniques to prevent easy investigation. Much of the code is unused or not malicious, in order to distract or slow the de-obfuscation process. The MD5 hash of this Doc.Macro.
SHA1: ba30dceb90f9b65ecb869d00e2debf533000dca8
MD5: 62bb7e2b0a31bbfa624e95023863dfa2
SHA256: 51e75edc5abe46280a4ef590047bb0bf4ab0d409da07711cbd2917b4ce103c59
http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html
Strike ID: M17-crq01
Malware: Cmig_c69a6d7c
Platform: Windows
Info: This strike sends a malware sample known as Cmig. This sample is a packer that has been known to obfuscate malicious banking trojans.
SHA1: e19c844ee754e3a3f4b62f155e4a747138c3d613
MD5: c69a6d7c64c8642ecf7bc06c97f8bd66
SHA256: 3706c1b476c5a7093dbf71f51daa053d817668b854b99ef8ab939f2498fe253f
http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html
Strike ID: M17-fmi01
Malware: Cmig_112f97d8
Platform: Windows
Info: This strike sends a malware sample known as Cmig. This sample is a packer that has been known to obfuscate malicious banking trojans.
SHA1: 26b7e9e0192d46a8e280c4933bae646591cc1f74
MD5: 112f97d822db7cc0782ebdaf58826fc1
SHA256: 14eeda627d8c65edea9e8c7b3a02f381079f1c28be3f1408a0f6f4f0968da27c
http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html
Strike ID: M17-xo501
Malware: Cmig_5f54bada
Platform: Windows
Info: This strike sends a malware sample known as Cmig. This sample is a packer that has been known to obfuscate malicious banking trojans.
SHA1: a0834384f03048f77b3f86b29d82f9498ff1c9c5
MD5: 5f54bada97635cafb076e08f1a9247bd
SHA256: 05baa0dc22cf5b14b5a8e70c4a0183c50f366da7916fdee0f1b26835f48e43c1
http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html
Strike ID: M17-uqf01
Malware: Cmig_ee102894
Platform: Windows
Info: This strike sends a malware sample known as Cmig. This sample is a packer that has been known to obfuscate malicious banking trojans.
SHA1: a607a8d6337bf95978e312b0e93e3f4907ac1759
MD5: ee102894e4fae149d39e2054a7155729
SHA256: 28c5bd99d92cf80443f93cb12344cade4e9685a89e936d490b9e04edd6207f1a
http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html
Strike ID: M17-msb01
Malware: Valyria_8b136d7f
Platform: Mixed
Info: This strike sends a malware sample known as Valyria. This sample is a downloader that uses obfuscation in VBA to build a PowerShell download command and executes it via the VBA Shell function.
SHA1: 201c1162a5eb5c9ed85f4418dcbdcad71a6862f4
MD5: 8b136d7fb8f2306fc0530115a2ad891d
SHA256: 8263c8ab8cf63264e39de0c237e26c7f08e36427ec47e0699f7ff8726af40db5
http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html
Strike ID: M17-3f701
Malware: Cmig_80526918
Platform: Windows
Info: This strike sends a malware sample known as Cmig. This sample is a packer that has been known to obfuscate malicious banking trojans.
SHA1: bf664be50eac27f4b90ed77ff7a705f6552a8408
MD5: 805269188a5c032767af7bf00024b25a
SHA256: 2b9d669d44fb21199c4ad9f51566d641cb1613907c1a8f66c49c3a0766fbd386
http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html
Strike ID: M17-8si01
Malware: Dinwood_00089c7c
Platform: Windows
Info: This strike sends a malware sample known as Dinwood. Dinwood is a polymorphic dropper that copies itself to the root directory and then removes itself. The modified versions drop the payload on a Windows system and then run it via DLL injection.
SHA1: 6eceaa806237afe891d51d4fa60ac653b1b0dba5
MD5: 00089c7c29ceb806e122292d3756c42f
SHA256: 076e08eb3eae357b4ee75f9bc1e9fe8a9ea3b3e3ddafe244e0583e320a0bfd26
http://blog.talosintelligence.com/2017/09/threat-round-up-0825-0901.html
Strike ID: M17-ytd01
Malware: Symmi_ec22cff1
Platform: Windows
Info: This strike sends a malware sample known as Symmi. This sample creates binaries and then gains persistence by creating a scheduled task. It then adds a registry value that can be loaded into the user-mode processes on the system.
SHA1: 2ae525cbce103e15c5e14d885e83cc5cc4eba0de
MD5: ec22cff1b6aa42743366097b32d6f5f0
SHA256: 2c0f383fcc3b07a893fa0ce0cfbe025d31c6ebfe46979b129bd8090712256c42
http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html
Strike ID: M17-kzb01
Malware: Symmi_a5cdff79
Platform: Windows
Info: This strike sends a malware sample known as Symmi. This sample creates binaries and then gains persistence by creating a scheduled task. It then adds a registry value that can be loaded into the user-mode processes on the system.
SHA1: 57433dd0843146de661b9eb9c24ca54c90a8c3fc
MD5: a5cdff796de0034b8c95eb71b00545ec
SHA256: 10e8f34991079b2c40f2e72babdbd3d0fd97703870552061752b341b704153b3
http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html
Strike ID: M17-ynk01
Malware: KHRAT_404518f4
Platform: Windows
Info: This strike sends a malware sample known as KHRAT. KHRAT is a remote access trojan that registers the target using the infected system's information (username, system language and IP address). KHRAT also includes many features commonly found in RATs, such as keylogging, remote access, and screenshot grabbing.
SHA1: 8fff5fe410927095bd13fa15d84e69df0b0754fe
MD5: 404518f469a0ca85017136b6b5166ae3
SHA256: 53e27fd13f26462a58fa5587ecd244cab4da23aa80cf0ed6eb5ee9f9de2688c1
https://researchcenter.paloaltonetworks.com/2017/08/unit42-updated-khrat-malware-used-in-cambodia-attacks/
Strike ID: M17-85z01
Malware: Cmig_48a2a59b
Platform: Windows
Info: This strike sends a malware sample known as Cmig. This sample is a packer that has been known to obfuscate malicious banking trojans.
SHA1: 79aa73d369fa48076d8be68aeeb84c795543c724
MD5: 48a2a59bb81bc15069fbed23fe5efcca
SHA256: 1828387d77ccd498e318dc2bdf580a51ef8161dfda186651cb4c6300aea6ecf5
http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html
Strike ID: M17-g6w01
Malware: Dinwood_004492f8
Platform: Windows
Info: This strike sends a malware sample known as Dinwood. Dinwood is a polymorphic dropper that copies itself to the root directory and then removes itself. The modified versions drop the payload on a Windows system and then run it via DLL injection.
SHA1: 3543b278d9e3742ab1fa787e38b6b09c467b7f51
MD5: 004492f8f78e65c80cb6b2f64f7b6b11
SHA256: 07ab8a56baed7f7014781b275e8324e8bb7974360ac05d017c65d40ed05e1869
http://blog.talosintelligence.com/2017/09/threat-round-up-0825-0901.html
Strike ID: M17-v5101
Malware: Symmi_e36ff9cc
Platform: Windows
Info: This strike sends a malware sample known as Symmi. This sample creates binaries and then gains persistence by creating a scheduled task. It then adds a registry value that can be loaded into the user-mode processes on the system.
SHA1: a06a976e0c33842faadb66b50881066f2431ea00
MD5: e36ff9ccc5c93bdac286622763efb74b
SHA256: 4763992ecb0dc5bbda30d2d00dd99927fb8aa2be759c9058f2dafb691ccf0f0b
http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html
Strike ID: M17-g2u01
Malware: Cmig_0fede0a4
Platform: Windows
Info: This strike sends a malware sample known as Cmig. This sample is a packer that has been known to obfuscate malicious banking trojans.
SHA1: 3529763feeddb6bea3ac7ba85e9788dce36bcf68
MD5: 0fede0a4e3ac69d30fdc862175fee7fd
SHA256: 0898ded2110056e9bc720860640282384f08d4064918322cf99c6e79554208f6
http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html
Strike ID: M17-yqv01
Malware: Dinwood_00415f0e
Platform: Windows
Info: This strike sends a malware sample known as Dinwood. Dinwood is a polymorphic dropper that copies itself to the root directory and then removes itself. The modified versions drop the payload on a Windows system and then run it via DLL injection.
SHA1: f5ca077ee489067b4fc5f8bcec8c177142b78f29
MD5: 00415f0eeae6c54c5a5242c3264d5bca
SHA256: 07b5361cde1a670a587bd7d58160c97282415a025b4b9d1efa806a121e577027
http://blog.talosintelligence.com/2017/09/threat-round-up-0825-0901.html
Strike ID: M17-oed01
Malware: Symmi_d86e6e58
Platform: Windows
Info: This strike sends a malware sample known as Symmi. This sample creates binaries and then gains persistence by creating a scheduled task. It then adds a registry value that can be loaded into the user-mode processes on the system.
SHA1: 97d1e8df0d79b1e90523900fe02d0d01a91c3d14
MD5: d86e6e58e4ffa7ef3bd0d870c54f6bfd
SHA256: d6d82c71a400735446318832a57f7a2573cfa4073aa31ec6a8b742d43f93e9dd
http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html
Strike ID: M17-zwj01
Malware: Symmi_c0b45967
Platform: Windows
Info: This strike sends a malware sample known as Symmi. This sample creates binaries and then gains persistence by creating a scheduled task. It then adds a registry value that can be loaded into the user-mode processes on the system.
SHA1: 1f50d8e3518505b761467ea0674da3430a8adb76
MD5: c0b4596717367eb8577f0cf5af9642fa
SHA256: c7fc560bff6d3fbc3a72355463836eaf9b3d7d18ade95ce72436926568626edc
http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html
Strike ID: M17-fh701
Malware: Cmig_e3cb47c1
Platform: Windows
Info: This strike sends a malware sample known as Cmig. This sample is a packer that has been known to obfuscate malicious banking trojans.
SHA1: 283d0b36d87c1b19ab1f456f34a6a66fe1869599
MD5: e3cb47c1910e2390ba15727b60a9fee1
SHA256: 3ee7edf180cc44da6f2f79f90cc965dddb0eee97e32d9e340e873c71ce3d57e0
http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html
Strike ID: M17-c5u01
Malware: Rtf.Exploit.CVE_2017_0199_447823c9
Platform: Mixed
Info: This strike sends a malware sample known as Rtf.Exploit.CVE_2017_0199. This sample is an RTF document that contains an embedded OLE2 object. The OLE2 object contains links to other existing documents. If the linked file is an .hta file, it will be downloaded and then executed. The MD5 hash of this Rtf.Exploit.
SHA1: 5f6e438aec4386f4bee4f24b67112b4232e140cc
MD5: 447823c9c915a90b834da8380ec25711
SHA256: 9b366a6ab581517c6d62c5195e606eba6cb764ff813df7c247f34455af7db567
http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html
Strike ID: M17-m8a01
Malware: Valyria_57b41a86
Platform: Mixed
Info: This strike sends a malware sample known as Valyria. This sample is a downloader that uses obfuscation in VBA to build a PowerShell download command and executes it via the VBA Shell function.
SHA1: c4f00588756c1fe3d445871a9d544a7323bd56ac
MD5: 57b41a867d18839dea702dd8b902fa6e
SHA256: 7eed89f56f776f61421242f428edc4a93bd250e8b98fe44b6f71a67ec8a3fb08
http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html
Strike ID: M17-ls101
Malware: Symmi_d842d35d
Platform: Windows
Info: This strike sends a malware sample known as Symmi. This sample creates binaries and then gains persistence by creating a scheduled task. It then adds a registry value that can be loaded into the user-mode processes on the system.
SHA1: 5da812069fb7b28a3c86154c15f48cf86edce1c5
MD5: d842d35de8665b2f7d0c29cee667899c
SHA256: fc30aafd75f5bcf3d4a73a6336ba1f2fb150a410712e32f5887d2afe8504f717
http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html
Strike ID: M17-2i501
Malware: Valyria_283be610
Platform: Mixed
Info: This strike sends a malware sample known as Valyria. This sample is a downloader that uses obfuscation in VBA to build a PowerShell download command and executes it via the VBA Shell function.
SHA1: 04d37de141fea4a0cf590942f0438ee9f103f6e6
MD5: 283be61009f20a86bfcd9690343b23f3
SHA256: af2229c42175b9c6591427f82619564c8a8a1fcb1fa3f912502b098563c12643
http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html
Strike ID: M17-52401
Malware: Win.Trojan.Agent_0099daaa
Platform: Windows
Info: This strike sends a malware sample known as Win.Trojan.Agent. This sample is a packed trojan that implements anti-VM defensive checks. It attempts to contact many external domains, including VirusTotal. The MD5 hash of this Win.Trojan.
SHA1: f9eed5ad4c15bbb9861f4fd87ef25ceefef6d421
MD5: 0099daaa9f5180e143527683df94d3ea
SHA256: 55acc591f5c6c0d2313ddd4ba47c25fe3b81bbcb64b4ad77c4668dfcc559748c
http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html
Strike ID: M17-shq01
Malware: KHRAT_1bdee062
Platform: Mixed
Info: This strike sends a malware sample known as KHRAT. KHRAT is a remote access trojan that registers the target using the infected system's information (username, system language and IP address). KHRAT also includes many features commonly found in RATs, such as keylogging, remote access, and screenshot grabbing.
SHA1: 56cae3ae7ded838b6909be92eb17231ca67ea2df
MD5: 1bdee0623bb85e64057c80ca5dd69722
SHA256: c51fab0fc5bfdee1d4e34efcc1eaf4c7898f65176fd31fd8479c916fa0bcc7cc
https://researchcenter.paloaltonetworks.com/2017/08/unit42-updated-khrat-malware-used-in-cambodia-attacks/
Strike ID: M17-87n01
Malware: Symmi_d8dfbb2c
Platform: Windows
Info: This strike sends a malware sample known as Symmi. This sample creates binaries and then gains persistence by creating a scheduled task. It then adds a registry value that can be loaded into the user-mode processes on the system.
SHA1: e33e2485ebbd9b34b9e36e15cc9a666f0a49fa23
MD5: d8dfbb2ce28e59995052ce16d768d3c2
SHA256: 983f1a853f5f7f1c7aa2e687761ae736d2a4397884dfd455685bbc5ae1d0b2ef
http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html
Strike ID: M17-w3901
Malware: Symmi_c05699e0
Platform: Windows
Info: This strike sends a malware sample known as Symmi. This sample creates binaries and then gains persistence by creating a scheduled task. It then adds a registry value that can be loaded into the user-mode processes on the system.
SHA1: d79c18351b5cd83a7f1fd4aeb7fc9e5db136ce59
MD5: c05699e0fb2a98e1b045fef3003dda3d
SHA256: 6c51d2e568f033b8a8c6764d54583da5af6fcec7a21d283e536063861c156ff4
http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html
Strike ID: M17-1u901
Malware: Symmi_bafe3514
Platform: Windows
Info: This strike sends a malware sample known as Symmi. This sample creates binaries and then gains persistence by creating a scheduled task. It then adds a registry value that can be loaded into the user-mode processes on the system.
SHA1: fceb3ce8123228655c3e9f29965056e5cf88f138
MD5: bafe3514816d56106c209ae5e4687d40
SHA256: a6099ef0093736c0757c589890df229b39e4efbb38ebc63d460ea06186e09f69
http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html
Strike ID: M17-kze01
Malware: Doc.Macro.Obfuscation_65747d8f
Platform: Mixed
Info: This strike sends a malware sample known as Doc.Macro.Obfuscation. This sample of Office macro documents employs the same defensive techniques to prevent easy investigation. Much of the code is unused or not malicious, in order to distract or slow the de-obfuscation process. The MD5 hash of this Doc.Macro.
SHA1: e0f3ece5d671f6d56f4a1ee188c21a5b650031eb
MD5: 65747d8f5f0ed59db0e70505745fb988
SHA256: 4c45540ba41c37f6c4cc0c4385139b63e56e58798c1c3ac94ea9cfca15ab8a98
http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html
Strike ID: M17-hm601
Malware: Valyria_c7d7bab1
Platform: Mixed
Info: This strike sends a malware sample known as Valyria. This sample is a downloader that uses obfuscation in VBA to build a PowerShell download command and executes it via the VBA Shell function.
SHA1: c0a1213cac601819c36d2f15e000e213efaf95ee
MD5: c7d7bab1b1d627dd32d4b62a72dfbb02
SHA256: 02a384b45673cf0c1e7dbe129fa397d92d43add25b22b080b4308def418e7927
http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html
Strike ID: M17-jwe01
Malware: Doc.Macro.Obfuscation_1eeea25f
Platform: Mixed
Info: This strike sends a malware sample known as Doc.Macro.Obfuscation. This sample of Office macro documents employs the same defensive techniques to prevent easy investigation. Much of the code is unused or not malicious, in order to distract or slow the de-obfuscation process. The MD5 hash of this Doc.Macro.
SHA1: 9231ac029e93e1da22db9b0d8949eba8aae60378
MD5: 1eeea25fb11b3337fe810f635eb4aa64
SHA256: 6891e0c2fe9c3b7bf9c02fbd81950c60118df47cf8e7d80ca92853fae72d9178
http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html
Strike ID: M17-8oo01
Malware: Dinwood_003a976b
Platform: Windows
Info: This strike sends a malware sample known as Dinwood. Dinwood is a polymorphic dropper that copies itself to the root directory and then removes itself. The modified versions drop the payload on a Windows system and then run it via DLL injection.
SHA1: 3329b14e18f66fd11881ba23b626dfb1d58c7e4f
MD5: 003a976b169928872492c2ee4e089e2e
SHA256: 04d8c0fd0f85b534c8a225be38e7bda9dc7edc248b1f6419fb64a99fde5b4b11
http://blog.talosintelligence.com/2017/09/threat-round-up-0825-0901.html
Strike ID: M17-ggl01
Malware: Doc.Dropper.Agent_cfe30780
Platform: Mixed
Info: This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office macro downloader that downloads a payload executable. The MD5 hash of this Doc.Dropper.
SHA1: 751f91321c835d15d9c644da0cead19035d1c6ab
MD5: cfe307803873c0271adb73f63141ab38
SHA256: aecf2b9c77b76f08c6a240cd5b0782f3abba0a872caea783f5105b3b3f42851a
http://blog.talosintelligence.com/2017/09/threat-round-up-0825-0901.html
Strike ID: M17-hza01
Malware: Doc.Dropper.Agent_06e5c6e4
Platform: Mixed
Info: This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office macro downloader that downloads a payload executable. The MD5 hash of this Doc.Dropper.
SHA1: cdb34592b1b0e4bfa9e239a5b4e82e05f37406df
MD5: 06e5c6e4ea1d9fcc89dad6fc6e96c306
SHA256: d6ece69e9f8035de573411d57ea11e0bb22d243e0d47b620b9cb99793218b121
http://blog.talosintelligence.com/2017/09/threat-round-up-0825-0901.html
Strike ID: M17-wzu01
Malware: Doc.Macro.Obfuscation_576b8fff
Platform: Mixed
Info: This strike sends a malware sample known as Doc.Macro.Obfuscation. This sample of Office macro documents employs the same defensive techniques to prevent easy investigation. Much of the code is unused or not malicious, in order to distract or slow the de-obfuscation process. The MD5 hash of this Doc.Macro.
SHA1: cfd97986965f90150e655b5c164fefd7a67db9ef
MD5: 576b8fff45897ff4997de4f454e95bb8
SHA256: b980586f7fe22ae71badba8d2b202115f98821b743593ca36e15387fbda4f361
http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html
Strike ID: M17-6bn01
Malware: Valyria_d2808446
Platform: Mixed
Info: This strike sends a malware sample known as Valyria. This sample is a downloader that uses obfuscation in VBA to build a PowerShell download command and executes it via the VBA Shell function.
SHA1: 14607f94d3f421a917690ce96d895eb3f7fc8165
MD5: d2808446ec0f9f213b0a78aa6d1bd88d
SHA256: 4c16cda58dbd96b74579eafe2a73740c6d98d588bdebee6a3830140d1326aafd
http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html
Strike ID: M17-wdd01
Malware: Valyria_964666e5
Platform: Mixed
Info: This strike sends a malware sample known as Valyria. This sample is a downloader that uses obfuscation in VBA to build a PowerShell download command and executes it via the VBA Shell function.
SHA1: b560d1d4744e069dc7de058d37974a9b068fc98a
MD5: 964666e54eb5923a1425d090521df401
SHA256: 7291b9989f4ef506f1792dd4bae6d7f8b1d4f7c770295552a05acf38a41c0b26
http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html
Strike ID: M17-xlw01
Malware: Doc.Macro.Obfuscation_e4bc58de
Platform: Mixed
Info: This strike sends a malware sample known as Doc.Macro.Obfuscation. This sample of Office macro documents employs the same defensive techniques to prevent easy investigation. Much of the code is unused or not malicious, in order to distract or slow the de-obfuscation process. The MD5 hash of this Doc.Macro.
SHA1: 013e2d8cdee0f81666fb3b962b0887dd3d5e83a0
MD5: e4bc58de75d4f80ee90cf233aa99f39c
SHA256: d0b4b36c3c50c58869ae58f34c9d05c4ae8333e20d29b6c35d85cc85a5d7e38c
http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html
Strike ID: M17-v9k01
Malware: Dinwood_0040cde3
Platform: Windows
Info: This strike sends a malware sample known as Dinwood. Dinwood is a polymorphic dropper that copies itself to the root directory and then removes itself. The modified versions drop the payload on a Windows system and then run it via DLL injection.
SHA1: 895b1fdf006bb36216b1d117670e440937269f70
MD5: 0040cde3982b41cac39c6230b454a3ed
SHA256: 01b538e451a390f7cfcdc263355dca070ea1a578d083fa94762912cff36b226b
http://blog.talosintelligence.com/2017/09/threat-round-up-0825-0901.html
Strike ID: M17-id401
Malware: Doc.Macro.Obfuscation_26ca2f0b
Platform: Mixed
Info: This strike sends a malware sample known as Doc.Macro.Obfuscation. This sample uses obfuscation in an attempt to make quick code analysis difficult. Much of the code found in this sample is junk code that does not evaluate to a malicious function or purpose. The MD5 hash of this Doc.Macro.
SHA1: 103b85c1597d23e24938e057658fa6100363a978
MD5: 26ca2f0b5f96b970aa8e73ea283856b4
SHA256: 029923c7508a27907e2c88baf9cc2effa2f78e81f4728eae2c185935f2a51fbd
http://blog.talosintelligence.com/2017/09/threat-round-up-0825-0901.html
Strike ID: M17-cu101
Malware: Symmi_c77921e9
Platform: Windows
Info: This strike sends a malware sample known as Symmi. This sample creates binaries and then gains persistence by creating a scheduled task. It then adds a registry value that can be loaded into the user-mode processes on the system.
SHA1: 85ab9b47ab73a138a9df2a862792dc96cbbaa4d1
MD5: c77921e9d76e20f3388888545ebef11f
SHA256: 54ac75db11197dc919f3574eefb88fe8b653de92ee5a6ed99cf00eb1b373d622
http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html
Strike ID: M17-ice01
Malware: Symmi_d26cbc38
Platform: Windows
Info: This strike sends a malware sample known as Symmi. This sample creates binaries and then gains persistence by creating a scheduled task. It then adds a registry value that can be loaded into the user-mode processes on the system.
SHA1: 84e292bac73e1cd04057de41b7faf7d8b7bbe68c
MD5: d26cbc382a8ce77063a1875819b079d6
SHA256: 89c9a8a7f47bb27a175632ad48317b93fe8a2b59502c73371df48982168a70db
http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html
Strike ID: M17-a6g01
Malware: TrickBot_2d6507ea
Platform: Mixed
Info: This strike sends a malware sample known as TrickBot. TrickBot is a banking trojan that shares similarities with the Dyre banking trojan. It is used by criminals to target customers of Australian banks.
SHA1: fed75c646669a3468304cb6887d4c8e49c62a09f
MD5: 2d6507eae46601952ee210566b902755
SHA256: 14ab690a2f5d4fd74f280804a1b59f5c5442c1280e79ee861e68a421cac80ce3
http://blog.talosintelligence.com/2017/09/threat-round-up-0825-0901.html
Strike ID: M17-fky01
Malware: Doc.Macro.Obfuscation_996cfaca
Platform: Mixed
Info: This strike sends a malware sample known as Doc.Macro.Obfuscation. This sample of Office macro documents employs the same defensive techniques to prevent easy investigation. Much of the code is unused or not malicious, in order to distract or slow the de-obfuscation process. The MD5 hash of this Doc.Macro.
SHA1: 72114534b7418f66aa68db021c871afc437fd3d5
MD5: 996cfaca2a0ceedea80355f8cae186c8
SHA256: 179d8ad5e80d814aa8d04633ac9c624b60f2273e50dcd6ae5fd7441522ea714e
http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html
Strike ID: M17-6ir01
Malware: Doc.Dropper.Agent_c5a6a2d9
Platform: Mixed
Info: This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office macro downloader that downloads a payload executable. The MD5 hash of this Doc.Dropper.
SHA1: 71884c5c04383624da142a7f87865e7a7c844e79
MD5: c5a6a2d9d381f6b9313af4171dc76cbe
SHA256: 220128b685d4e96e793756636e32257b8fd22e038890d8f194d1681343bea923
http://blog.talosintelligence.com/2017/09/threat-round-up-0825-0901.html
M17-kol01 | Win.Trojan.Agent_0050d19b | Windows
Info: This strike sends a malware sample known as Win.Trojan.Agent. This sample is a packed trojan that implements anti-VM defensive checks. It attempts to contact many external domains including VirusTotal. The MD5 hash of this Win.Trojan.
SHA1: 5361d96b95a35a230cb58b144b784460cdc90d51
MD5: 0050d19bd0e7d076fb5d7a0c12f6daeb
SHA256: 8b20f9e78855218c693ade8a89b9c74487304df9bfdbcdbe8c65b05bfaa5b71b
http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html
M17-9b401 | AlmanCloud_077a70b6 | Windows
Info: This strike sends a malware sample known as AlmanCloud. This trojan implements many anti-debugging techniques. It is also able to infect USB drives, function as a keylogger, and exfiltrate collected information by contacting remote servers.
SHA1: 529f5229d94d1c4a86f0e03effc64fb6485d5aec
MD5: 077a70b6d6c784098d87fa1592173ac0
SHA256: 64091a671d00602e4f81f987207ac2b16f5c3e86f98add903bf369b528db2d38
http://blog.talosintelligence.com/2017/09/threat-round-up-0825-0901.html
M17-53o01 | Win.Trojan.Agent_005e3024 | Windows
Info: This strike sends a malware sample known as Win.Trojan.Agent. This sample is a packed trojan that implements anti-VM defensive checks. It attempts to contact many external domains including VirusTotal. The MD5 hash of this Win.Trojan.
SHA1: c7c9feb8eb06f08080f097fa25de1384e86ce011
MD5: 005e30242048a0b9fbbe189b50850039
SHA256: b001932b6938223033229e9d5bfbb5754680ab786c927396bb540e1a6db1ba7a
http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html
M17-mwd01 | KHRAT_c50ac000 | Windows
Info: This strike sends a malware sample known as KHRAT. KHRAT is a remote access trojan that registers the target using the infected system's information (username, system language and IP). KHRAT also includes many features found in RATs like keylogging, remote access, and screenshot grabbing.
SHA1: 289172d8467432b331aac9d2b76ec2e7ba9eadec
MD5: c50ac000a2cf07fc1d7892cd4ab33fe5
SHA256: c0baa57cbb66b8a86aac7d4eeab7a0dc1ecfb528d8e92a45bdb987d1cd5cb9b2
https://researchcenter.paloaltonetworks.com/2017/08/unit42-updated-khrat-malware-used-in-cambodia-attacks/
M17-gyh01 | Symmi_790c7428 | Windows
Info: This strike sends a malware sample known as Symmi. This sample creates binaries and then gains persistence by creating a scheduled task. It then adds a registry value that can be loaded into the user-mode processes on the system.
SHA1: 2ad2cb9b04ad87ab8c2a2919a971ceb9e405fe5b
MD5: 790c7428b271a1ef2d37eaf8d961990a
SHA256: 5917eb033004f3a29a3ac843f9c90844cab3cf0520e78e8739cc8cbfff83ef02
http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html
M17-lyo01 | Valyria_f8072467 | Mixed
Info: This strike sends a malware sample known as Valyria. This sample is a downloader that uses obfuscation in VBA to create a PowerShell download command and execute it with VBA Shell.
SHA1: 412b4ac24667820944ba7ed0a1925d5e863ef9b4
MD5: f8072467999b75efb18a49ef75d6ef35
SHA256: 764b5f6e36f12e80dd801db166f6c1357745a1c7a5526c00e1a1eb057624f56c
http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html
M17-41a01 | Win.Trojan.Agent_00949032 | Windows
Info: This strike sends a malware sample known as Win.Trojan.Agent. This sample is a packed trojan that implements anti-VM defensive checks. It attempts to contact many external domains including VirusTotal. The MD5 hash of this Win.Trojan.
SHA1: bd17866c89a1285bf44dab8a88dab6280273e274
MD5: 00949032460ac6c050a200e46cd0e219
SHA256: 0e9eeedbc7e293a83b9ebc3929b033e8c2061bdbacd8f17cd29b12505d2e777b
http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html
M17-fr101 | Dinwood_002c356e | Windows
Info: This strike sends a malware sample known as Dinwood. Dinwood is a polymorphic dropper that copies itself to the root directory, and then removes itself. The modified versions drop the payload on a Windows system and then run it via DLL injection.
SHA1: 91de512ade8f2c816d386f9ab884981c685f6827
MD5: 002c356ee05f789cad320ce2952e0645
SHA256: 07509506034c49b52314ee53984af6556396da7070c9d0069324f555f722db6d
http://blog.talosintelligence.com/2017/09/threat-round-up-0825-0901.html
M17-6nt01 | Win.Trojan.Agent_00277552 | Windows
Info: This strike sends a malware sample known as Win.Trojan.Agent. This sample is a packed trojan that implements anti-VM defensive checks. It attempts to contact many external domains including VirusTotal. The MD5 hash of this Win.Trojan.
SHA1: 99315ede38132d55042a997fdef55e193bedcff4
MD5: 002775524c9dc7c02bbcd1edd1b54551
SHA256: 5554e16e209aec408f7f7ba49caff85e568de76a05ebe41cf74002a7ca35d973
http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html
M17-rgg01 | CC | Windows
Info: This strike sends a malware sample known as CC Cleaner. This sample of CCleaner being distributed by Avast contains a malicious payload that features a domain generation algorithm and hard-coded C2 functionality. The malicious payload may attempt to elevate privileges, or send an HTTP request to a remote controller in the hope of retrieving another stage payload.
SHA1: 7e9cfa3cca5000fe56e4cf5c660f7939487e531a
MD5: d488e4b61c233293bec2ee09553d3a2f
SHA256: 36b36ee9515e0a60629d2c722b006b33e543dce1c8c2611053e0651a0bfdb2e9
http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html
M17-9cs01 | Ursnif_a542cadf | Windows
Info: This strike sends a malware sample known as Ursnif. Ursnif or Gozi is a banking trojan. The malware is mainly spread through spam email that contains an attachment that downloads Ursnif. In the past year, Ursnif has been used in attacks against Japan.
SHA1: 54a32630e976945efb06847d24353007414e711c
MD5: a542cadf7596c079aaa8af466ad6420d
SHA256: 46da8289c027a187b14826f3648d61c187398ad170ef60ec3311b5dae3b52d61
http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html
M17-ujc01 | Symmi_c5c51ada | Windows
Info: This strike sends a malware sample known as Symmi. This sample creates binaries and then gains persistence by creating a scheduled task. It then adds a registry value that can be loaded into the user-mode processes on the system.
SHA1: 67b8cf72c62bc230bf2e3d1b9ef6ab4c4d0c1b14
MD5: c5c51adaf9772caa52caefdc53316ea1
SHA256: 90e0adc73ca753d91fe32b1d3761c3f6f6e7216f3b77a87fdbe2a8e7f5e889fc
http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html
M17-8rs01 | Doc.Dropper.Agent_dd9a5d67 | Mixed
Info: This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.
SHA1: 55d7c07048b67b3f222e0e25c7ad5636ed043976
MD5: dd9a5d67b7eb01fee1d59ffa4b3ffab9
SHA256: 946def9e50a762ef29de5b56086d976f26446f0bcb5f2590c0354eae1318e0fb
http://blog.talosintelligence.com/2017/09/threat-round-up-0825-0901.html
M17-9mn01 | AlmanCloud_22eadb47 | Windows
Info: This strike sends a malware sample known as AlmanCloud. This trojan implements many anti-debugging techniques. It is also able to infect USB drives, function as a keylogger, and exfiltrate collected information by contacting remote servers.
SHA1: f64ea56b8d17c4f74014b334f6ccf22479ee007e
MD5: 22eadb476b05c6651d0f4d749d3fa12c
SHA256: f095ae655db18fb27667ece1c168b97d42b1b164991cda154022d6f8e270cd49
http://blog.talosintelligence.com/2017/09/threat-round-up-0825-0901.html
M17-i2601 | AlmanCloud_01826241 | Windows
Info: This strike sends a malware sample known as AlmanCloud. This trojan implements many anti-debugging techniques. It is also able to infect USB drives, function as a keylogger, and exfiltrate collected information by contacting remote servers.
SHA1: 646852a14508e66dfb233fd2aeeaf24b0b9c219c
MD5: 0182624172186eb3dafb5d7ed0498d2d
SHA256: 9727223d176381c88f6f5f17a2e7f99981eaba31282a41c1ceb3158bccbe08f4
http://blog.talosintelligence.com/2017/09/threat-round-up-0825-0901.html
M17-9jc01 | CC | Windows
Info: This strike sends a malware sample known as CC Cleaner. This sample of CCleaner being distributed by Avast contains a malicious payload that features a domain generation algorithm and hard-coded C2 functionality. The malicious payload may attempt to elevate privileges, or send an HTTP request to a remote controller in the hope of retrieving another stage payload.
SHA1: 8983a49172af96178458266f93d65fa193eaaef2
MD5: ef694b89ad7addb9a16bb6f26f1efaf7
SHA256: 6f7840c77f99049d788155c1351e1560b62b8ad18ad0e9adda8218b9f432f0a9
http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html
M17-w7x01 | Valyria_ecf099eb | Mixed
Info: This strike sends a malware sample known as Valyria. This sample is a downloader that uses obfuscation in VBA to create a PowerShell download command and execute it with VBA Shell.
SHA1: c2a1202fffba49db6bd61416426f8ce1210927e7
MD5: ecf099eb816d2213cab3275fef9c1f36
SHA256: c9210ef989809971703aea1b0d12b83aa85fcc7e0547b877b6645456d4945051
http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html
M17-xyd01 | Symmi_17f82b7e | Windows
Info: This strike sends a malware sample known as Symmi. This sample creates binaries and then gains persistence by creating a scheduled task. It then adds a registry value that can be loaded into the user-mode processes on the system.
SHA1: bf85eaa67e3d9a245ce8007f48431a680b510acd
MD5: 17f82b7e4d2ccf2961723b618718b6b1
SHA256: e7eb60dd2d0830ae2d42a913afc5db98392a3d5846ef85ac32ec6fdd08b67fae
http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html
M17-yfn01 | Win.Trojan.Agent_00c2bc5d | Windows
Info: This strike sends a malware sample known as Win.Trojan.Agent. This sample is a packed trojan that implements anti-VM defensive checks. It attempts to contact many external domains including VirusTotal. The MD5 hash of this Win.Trojan.
SHA1: f2d4cef0eacb04916145c516b54b21976fb029c4
MD5: 00c2bc5d80f45c3b8037e836f1b5bd05
SHA256: e26c807c8e5d5ba8b41de497a24da81b8db0325a0a2c64bb04ee7beaae12904b
http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html
M17-r7z01 | Doc.Macro.Obfuscation_31ce45bf | Mixed
Info: This strike sends a malware sample known as Doc.Macro.Obfuscation. This sample of Office Macro documents employs the same defensive techniques to prevent easy investigation. Much of the code is unused or not malicious in order to distract or slow the de-obfuscation process. The MD5 hash of this Doc.Macro.
SHA1: c5ba18668ba3ed15dff5aca4db3df65e7936f2f2
MD5: 31ce45bf6918f47021883ab2504aca92
SHA256: e9e03d8cf474e69197beefecdb5db453740cb4349535dffe4476febee8e5fc8b
http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html
M17-2qk01 | Ursnif_abd41cab | Windows
Info: This strike sends a malware sample known as Ursnif. Ursnif or Gozi is a banking trojan. The malware is mainly spread through spam email that contains an attachment that downloads Ursnif. In the past year, Ursnif has been used in attacks against Japan.
SHA1: 1849bd805c912020813a716f35c6397ea9badcaa
MD5: abd41cabaa8f3fe7226fba448bc45475
SHA256: a753a288318dd38709ac1c26374cdc1fdb930b8476788d2868a1cae79cc8f352
http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html
M17-hnt01 | Symmi_f909499e | Windows
Info: This strike sends a malware sample known as Symmi. This sample creates binaries and then gains persistence by creating a scheduled task. It then adds a registry value that can be loaded into the user-mode processes on the system.
SHA1: 071120745948d256e4414fde30e48ba6741f5959
MD5: f909499e19691eb9ede4181e826a7111
SHA256: 848993b12b05369d0873975aded55f837dc0a583c3839c05abe96bc4c3b68408
http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html
M17-z0z01 | Dinwood_000d8fb3 | Windows
Info: This strike sends a malware sample known as Dinwood. Dinwood is a polymorphic dropper that copies itself to the root directory, and then removes itself. The modified versions drop the payload on a Windows system and then run it via DLL injection.
SHA1: f95b1b440de794740afa37265cec6b4015c82143
MD5: 000d8fb3bc12e893c8ad4afbfbdcc882
SHA256: 026a7284b6420e06f20e683054e0ed01a0afa14321fe4094c14bdb63a46ee17f
http://blog.talosintelligence.com/2017/09/threat-round-up-0825-0901.html
M17-azg01 | Symmi_c4244e71 | Windows
Info: This strike sends a malware sample known as Symmi. This sample creates binaries and then gains persistence by creating a scheduled task. It then adds a registry value that can be loaded into the user-mode processes on the system.
SHA1: df0ca4092c9340c70305ec2c747e025f88b56743
MD5: c4244e71742e40a6017c9445fd52196f
SHA256: e5a8eba740a5acc1a6b5e11bb64be0be88a8556e48d78c292732048fa2c56003
http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html
M17-wvg01 | Symmi_cf599f0b | Windows
Info: This strike sends a malware sample known as Symmi. This sample creates binaries and then gains persistence by creating a scheduled task. It then adds a registry value that can be loaded into the user-mode processes on the system.
SHA1: 61de01da90610855570a8a6bc23e040f87988187
MD5: cf599f0bc92301b76e8ba08448dfae4f
SHA256: d8a3df456b94acea22b8ebeb4f7f860687dd6ab4ac2b687631b63342f7cbf927
http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html
M17-adj01 | Dinwood_000bf3ec | Windows
Info: This strike sends a malware sample known as Dinwood. Dinwood is a polymorphic dropper that copies itself to the root directory, and then removes itself. The modified versions drop the payload on a Windows system and then run it via DLL injection.
SHA1: 6ca9d250b3418f26a6c197ace6552913ea0531f1
MD5: 000bf3eca7e8fe285670e4aefbe855fc
SHA256: 002eb4fddf6e8f9165e28694da6f368626282bd7e99c11f1eaeb365339c2331a
http://blog.talosintelligence.com/2017/09/threat-round-up-0825-0901.html
M17-k7n01 | Cmig_b830f976 | Windows
Info: This strike sends a malware sample known as Cmig. This sample is a packer that has been known to obfuscate malicious banking trojans.
SHA1: 075d2de8b270726c5a64ea8b20dffe69251c0586
MD5: b830f976ffac2770008c63aaf5641b87
SHA256: 01f78108dacea6db392dfc6700e987754cb15aaab6f8ff85ae9349f4fcef1044
http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html
M17-tzt01 | Valyria_ac6e83a2 | Mixed
Info: This strike sends a malware sample known as Valyria. This sample is a downloader that uses obfuscation in VBA to create a PowerShell download command and execute it with VBA Shell.
SHA1: 56f1ac2c336a9a0f9d1dc9954d21379255cdfa22
MD5: ac6e83a24b2fd4de9b814e69fd6870ef
SHA256: 68edb052cd861ebe7dad58a9923723c1ed711ec4d965ba13a3cf10d70a90d11f
http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html
M17-lql01 | Doc.Macro.Obfuscation_5299474f | Mixed
Info: This strike sends a malware sample known as Doc.Macro.Obfuscation. This sample of malware uses obfuscation in an attempt to make quick code analysis difficult. Much of the code found in this sample is junk code that does not evaluate to a malicious function or purpose. The MD5 hash of this Doc.Macro.
SHA1: b3397dad810ba72830b64d4119547e840118ecf8
MD5: 5299474fafb2174b2801c89fe031b6ee
SHA256: 0009657099e7e3f555a68ae39827099905339f5dafe648585175de089a75ba6b
http://blog.talosintelligence.com/2017/09/threat-round-up-0825-0901.html
M17-y4901 | Cmig_b66821a4 | Windows
Info: This strike sends a malware sample known as Cmig. This sample is a packer that has been known to obfuscate malicious banking trojans.
SHA1: d7f10540662be4519820502b85c5be815bf8441d
MD5: b66821a4cb87c0ed62ad555b3c584940
SHA256: 09e7612bce428fb51593cfc286d7e9904a1c372771a7ad1870538a4a72046d15
http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html
M17-hcq01 | Symmi_c9bf66c3 | Windows
Info: This strike sends a malware sample known as Symmi. This sample creates binaries and then gains persistence by creating a scheduled task. It then adds a registry value that can be loaded into the user-mode processes on the system.
SHA1: 3b57a2cecaad3a9f076a23e9341d51ca2ae5f419
MD5: c9bf66c360c0ae03ddeb0de5b7a14195
SHA256: 4395a481c0e8afbc60cd6bf4eef233bb2067485581a47e56ff310cb7466ee681
http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html
M17-p9801 | Symmi_b0ccbd7d | Windows
Info: This strike sends a malware sample known as Symmi. This sample creates binaries and then gains persistence by creating a scheduled task. It then adds a registry value that can be loaded into the user-mode processes on the system.
SHA1: a7e63a2ecc47b32c1badc3c9db5d931d1a963ecf
MD5: b0ccbd7d8de4c43519a83698d2333619
SHA256: 5542e1e52c63ceea56446d3c2f1f9c12adc60033d92289bb5d3450a40e02acd5
http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html
M17-3il01 | Doc.Dropper.Agent_ab44534b | Mixed
Info: This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.
SHA1: c411b88ef70806cd541faffed736c15a569f8283
MD5: ab44534b2475aaabd212812a65b0ed4c
SHA256: a4ad5629d490b466e4e62bf9048968ff45466c73849609b64d6617bf32e5cc5f
http://blog.talosintelligence.com/2017/09/threat-round-up-0825-0901.html
M17-ix501 | Doc.Dropper.Agent_1e5612c8 | Mixed
Info: This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.
SHA1: d92280da11d8187bafdfba9b3986faaaee1378ce
MD5: 1e5612c8d23ad7985db786a559902484
SHA256: 56ef4bb6608968653af98649fddf204933134038b6b27b118ebedcdc5ec5af0e
http://blog.talosintelligence.com/2017/09/threat-round-up-0825-0901.html
M17-6kv01 | Doc.Macro.Obfuscation_0c2a84a0 | Mixed
Info: This strike sends a malware sample known as Doc.Macro.Obfuscation. This sample of Office Macro documents employs the same defensive techniques to prevent easy investigation. Much of the code is unused or not malicious in order to distract or slow the de-obfuscation process. The MD5 hash of this Doc.Macro.
SHA1: 341bbc3fe0c86f0ea43bc61b039306e52d3870ab
MD5: 0c2a84a0ecf34bb63e4a4a847816a5d5
SHA256: 9416f466a01d60b4bccaf8658b0a78bbe84a8de3a1bc1abb77e541e224a6c197
http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html
M17-ufp01 | Doc.Macro.Obfuscation_e24e5f44 | Mixed
Info: This strike sends a malware sample known as Doc.Macro.Obfuscation. This sample of malware uses obfuscation in an attempt to make quick code analysis difficult. Much of the code found in this sample is junk code that does not evaluate to a malicious function or purpose. The MD5 hash of this Doc.Macro.
SHA1: de4347bf6488b7db3c250e707d6c88a0d283a8a5
MD5: e24e5f4477ee3b4f77e951b0b99b359b
SHA256: 9ef470811ceaab0d47bb4b8e0abdf7d783902c208fedda35f8292b60af7f6870
http://blog.talosintelligence.com/2017/09/threat-round-up-0825-0901.html
M17-kro01 | Win.Trojan.Agent_0084b3b7 | Windows
Info: This strike sends a malware sample known as Win.Trojan.Agent. This sample is a packed trojan that implements anti-VM defensive checks. It attempts to contact many external domains including VirusTotal. The MD5 hash of this Win.Trojan.
SHA1: a0ff2c9d5a5eed9ff045f15febf20660d279e067
MD5: 0084b3b7ac8f9daccbc9bc6cc4b119ae
SHA256: 768ef3bae40d69715d2cfe3948fe3e9b0adb047525e8fa6d067269e859d0832b
http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html
M17-5yj01 | Valyria_bc958404 | Mixed
Info: This strike sends a malware sample known as Valyria. This sample is a downloader that uses obfuscation in VBA to create a PowerShell download command and execute it with VBA Shell.
SHA1: 50ad996b1252fb59d7b167e37c2ea1c4b8ea0e8d
MD5: bc95840460783481f560e5d18e33e11e
SHA256: 568f8b461fe97728ebca0231b5b8b00bc85de9909ab83c7d2fc60d134739819f
http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html
M17-9cx01 | Dinwood_003066e7 | Windows
Info: This strike sends a malware sample known as Dinwood. Dinwood is a polymorphic dropper that copies itself to the root directory, and then removes itself. The modified versions drop the payload on a Windows system and then run it via DLL injection.
SHA1: 28ffad992e26cfc2125a2fbbacc72789bf67e61c
MD5: 003066e75cffbd470f01f06d60f16a71
SHA256: 050e9daae7c0778e00b17a71d70f34a9ec60c7ac1d309d53ffd23e7a74f81b2e
http://blog.talosintelligence.com/2017/09/threat-round-up-0825-0901.html
M17-oow01 | KHRAT_2ef97f48 | Windows
Info: This strike sends a malware sample known as KHRAT. KHRAT is a remote access trojan that registers the target using the infected system's information (username, system language and IP). KHRAT also includes many features found in RATs like keylogging, remote access, and screenshot grabbing.
SHA1: 4203c2934882a070599f6c0a1cefe1afd5721462
MD5: 2ef97f487c288d71f26d433b7e9196f8
SHA256: de4ab35a2de67832298f5eb99a9b626a69d1beca78aaffb1ce62ff54b45c096a
https://researchcenter.paloaltonetworks.com/2017/08/unit42-updated-khrat-malware-used-in-cambodia-attacks/

Malware Strikes August - 2017

Strike ID | Malware | Platform (each row is followed by its Info, SHA1, MD5, SHA256 and External Reference lines)
M17-rf601 | Cryptocurrency | Windows
Info: This strike sends a malware sample known as Cryptocurrency Coinminer Troja. This sample is part of the Cryptocurrency miner malware that utilizes WMI scripts and the EternalBlue MS17-010 exploit to compromise a system. This sample downloads the actual coin mining payload. The malware uses the vulnerability to drop a FORSHARE backdoor on the system, and then proceeds to use the WMI scripts to connect to the C2 servers to retrieve instructions along with various other components.
SHA1: c7c374073b9631c2ce0345a9ff79bb353bd507c1
MD5: c0602223c09e444c537b0445d6563304
SHA256: 674f2df2cdadab5be61271550605163a731a2df8f4c79732481cad532f00525d
http://blog.trendmicro.com/trendlabs-security-intelligence/cryptocurrency-miner-uses-wmi-eternalblue-spread-filelessly/
M17-q7k01 | Ovidiy_781e41b5 | Windows
Info: This strike sends a malware sample known as Ovidiy. Ovidiy is a modular Windows credentials stealer trojan that targets web browser credentials. The Ovidiy trojan samples have been associated with .NET packers and binaries.
SHA1: 83449bf8ae20e93de938a1c9b42a46e831737c04
MD5: 781e41b558870a28624b892ff028102d
SHA256: 062bd1d88e7b5c08444de559961f68694a445bc69807f57aa4ac581c377bc432
http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html
M17-ovt01 | Doc.Dropper.Agent_158e958e | Mixed
Info: This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.
SHA1: 597aed9722e33e86431415bb81e8b15929d0354b
MD5: 158e958e488b5ba8404c87e34816de66
SHA256: 3ca148e6d17868544170351c7e0dbef38e58de9435a2f33fe174c83ea9a5a7f5
http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html
M17-eea01 | Doc.Dropper.Agent_b7ae96ba | Mixed
Info: This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.
SHA1: 77404b76af23551c9fdad5fbc4bfab161517f0b0
MD5: b7ae96ba7a0518bb197d404d0ec6352a
SHA256: 9859e621b4d259798b2813377f9cd1736497f51cb501c6b3ea44ccae57d4e4fa
http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html
M17-y3401 | Doc.Dropper.Agent_852fe2e7 | Mixed
Info: This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.
SHA1: c406fa3b4b71c624ad39505fdd6a1b0254a9f961
MD5: 852fe2e75d4131cd0de58ad6d623c0f8
SHA256: 0419cd8e5884e2918c5f0746d54efe2e2d9f0385523ecdbc395200df4004d87a
http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html
M17-cum01 | Tinba_a0793f80 | Windows
Info: This strike sends a malware sample known as Tinba. Tinba is a banking trojan that steals information via JavaScript injected into web browsers.
SHA1: 6f6cf5bd484222ba1cd61855e7b46221e4bf9ae4
MD5: a0793f809380a045902330de7f5ed36e
SHA256: e2776a037dcad9e2c752ac4f07dfae0412312ba9b1b748a48922ed572f83eb9c
http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html
M17-zxo01 | Doc.Dropper.Agent_e7de7c5b | Mixed
Info: This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.
SHA1: 9418fdb83b346e32af734e3f734c884d463ab75b
MD5: e7de7c5b0623ee1e9d7bf10a597d6aab
SHA256: c7cab605153ac4718af23d87c506e46b8f62ee2bc7e7a3e6140210c0aeb83d48
http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html
M17-p0m01 | Doc.Dropper.Agent_7820df79 | Mixed
Info: This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.
SHA1: ef81f57b49d5c3a54d6a15c7ae54e7a9e02b28e2
MD5: 7820df7937afbc1ef18b3a18abcc7d9c
SHA256: 190cda0ade0c0348786652b7ee12fde595e12ab561d893224cfdafbd58ec7b75
http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html
M17-3gm01 | Nitol_2adf8db9 | Windows
Info: This strike sends a malware sample known as Nitol. The Nitol malware performs DDoS attacks. It is placed into a Windows directory and then creates a registry key to maintain persistence on the system.
SHA1: 26d5b5bc60fd7ce5c5a5c7719fe0ec2be480dbb6
MD5: 2adf8db977ce00b903b2a43cf1f4be66
SHA256: e018f2cb152ab5c9bedef63a760b223eb91e965703a691877550ca390e46ea84
http://blog.talosintelligence.com/2017/08/threat-roundup-0728-0804.html
M17-vsa01 | Doc.Dropper.Agent_36a2704a | Mixed
Info: This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.
SHA1: 6c2ae5ce67260fb509749dc9a54df9040ab036fb
MD5: 36a2704a797a519a59c3ee18795323e9
SHA256: 1c364ed502fa3710d9fa3c5a4a2ac6688bea3610acee2a6f958220d8ffca908b
http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html
M17-29j01 | Doc.Dropper.Agent_3b11cbc5 | Mixed
Info: This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.
SHA1: a9a1e738d1d5895e45c61570c8163170c04ff61e
MD5: 3b11cbc51f04dceee2bcf42e62a312e5
SHA256: 4e812653205426b75038ce2796be5b254b61ee02da376462f3ad1ac23d898282
http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html
M17-wg401 | Doc.Dropper.Agent_ae811c13 | Mixed
Info: This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.
SHA1: 85d46dd184ef2ad4432e57056622d5d7156bee44
MD5: ae811c137b5531cd1c375447160de2a2
SHA256: 9f404502e944f4cd76b902abf67717054732528a9399e23b3d90e2825316818d
http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html
M17-16a01 | Madangel_c70d2230 | Windows
Info: This strike sends a malware sample known as Madangel. Madangel is a trojan that replicates through network shares and eventually connects to a command and control server to download other malicious executables.
SHA1: d4f5364e4e9009d1bd305b8b24b1517c0e290bed
MD5: c70d2230d3c03574f1a18cda499fa139
SHA256: 4080076d8016be14b7493a4fd365b03073ae90cba70590b25039ef76b2d36aea
http://blog.talosintelligence.com/2017/08/threat-roundup-0728-0804.html
M17-sh001 | Doc.Dropper.Agent_eeb40d0c | Mixed
Info: This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.
SHA1: be8d00132821f6fcc2d3e7378dde12f9ef93d35d
MD5: eeb40d0c6f5e98c31f51fde1f08a50ac
SHA256: c3e6a58e8a68518ffb43ee9026508b6520016e8d7096bf94ec2d1ed5cd328d76
http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html
M17-a5701 | Doc.Dropper.Agent_916a67bb | Mixed
Info: This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.
SHA1: c1ccd6edf3187b883a8f484cd1294c8ed5570549
MD5: 916a67bb0988d5b2681883a6a0a8d8bb
SHA256: a31cbc1ce4abaa2ba7cab9ff97e1f647c3b1264c9cb7db0e20c74d151db2634d
http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html
M17-k5w01 | Doc.Dropper.Agent_333b1bfc | Mixed
Info: This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.
SHA1: 95a2432922cb25bfe6ae608bbac49f0bdefcdf94
MD5: 333b1bfc685eac9c35aba5786e63d996
SHA256: d52318c1f83d086fcb94b8ae7288f2acb85f6e441c66a3f1d09365a1018c80bd
http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html
M17-g8n01 | Upatre_877e2c25 | Windows
Info: This strike sends a malware sample known as Upatre. Upatre is a downloader used in exploit kits that retrieves a variety of malicious executables for the target to execute.
SHA1: 7640ea6e303d93dc08c107040cde76e69a4bbfa1
MD5: 877e2c25a545d334aea454f8a3b17530
SHA256: ec439a41172d7683ee803e336e4b175b8baebc8d4ceed40c6b63b5649d7855ff
http://blog.talosintelligence.com/2017/08/threat-roundup-0728-0804.html
M17-rm101 | Doc.Dropper.Agent_98e2266b | Mixed
Info: This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.
SHA1: 4a731838e923d397f25f11bb7d779c6da877f905
MD5: 98e2266bd624e77261d0383fa149a0d3
SHA256: 712a907f98efa76de2b349c90084fbef6d40d9df32a41df98fc62e19fab5329d
http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html
M17-hwe01 | Doc.Dropper.Agent_2e05637a | Mixed
Info: This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.
SHA1: edc746ef3e467ef639bac38621b3711db774789a
MD5: 2e05637abc17d9dda037ed9ee0c4f5c4
SHA256: 09f89667dbbd0f72478f317aed5196f743693190aa3afe1f1cfccc67dad88fb6
http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html
M17-jqq01 | Cryptocurrency | Mixed
Info: This strike sends a malware sample known as Cryptocurrency Coinminer Troja. This sample is a Cryptocurrency miner malware that utilizes WMI scripts and the EternalBlue MS17-010 exploit to compromise a system. The malware uses the vulnerability to drop a FORSHARE backdoor on the system, and then proceeds to use the WMI scripts to connect to the C2 servers to retrieve instructions along with various other components.
SHA1: 53267b43122ed52aba6ec9faa50397f311a295e8
MD5: 830b8dc142f16aa928ada0e271a58572
SHA256: 6315657fd523118f51e294e35158f6bd89d032b26fe7749a4de985edc81e5f86
http://blog.trendmicro.com/trendlabs-security-intelligence/cryptocurrency-miner-uses-wmi-eternalblue-spread-filelessly/
Strike ID: M17-r6w01
Malware: Upatre_3882bc98
Platform: Windows
Info: This strike sends a malware sample known as Upatre. Upatre is a downloader used in exploit kits that retrieves a variety of malicious executables for the target to execute.
MD5: 3882bc98466ecdda4864bba0dea11815
SHA1: e47bc8a49aef6b42912740ad165c6b2a477234d0
SHA256: 5f2c8ac317bf4d58610c803c01c95d358cb25600f632644e01d5c31a74fd2554
External References: http://blog.talosintelligence.com/2017/08/threat-roundup-0728-0804.html

Strike ID: M17-ykc01
Malware: Doc.Dropper.Agent_372f877c
Platform: Mixed
Info: This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.
MD5: 372f877c900f6fdd3d14c9d451972eea
SHA1: bc8cbb4da5b16d8dbcc36dc38d0e5be8761dace3
SHA256: 366f1f331e940a462447e2b4abe9196ae7b977d281c2b9fe5e19bb0c2927b705
External References: http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html

Strike ID: M17-lhl01
Malware: Doc.Dropper.Agent_867c1b3d
Platform: Mixed
Info: This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.
MD5: 867c1b3d8fbede2e4d888330a624abdd
SHA1: 8f6cc7dfcc105a47df2d8a269dae86410d1b2eae
SHA256: bf958c7ba44b9dfdcba50eeb6f7b59fe3bd2948f1ab1a7c8ee0f162b7cac3b2c
External References: http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html

Strike ID: M17-vwh01
Malware: Upatre_12c5301e
Platform: Windows
Info: This strike sends a malware sample known as Upatre. Upatre is a downloader used in exploit kits that retrieves a variety of malicious executables for the target to execute.
MD5: 12c5301ef9525dc629dfd839d35b8edf
SHA1: 5f54f8a1b198c5f16db41c9b919e054e4b565c23
SHA256: 9d4effa16fa83e12179a674966af8a49bb592fa58de53ee2866f5ceda8206733
External References: http://blog.talosintelligence.com/2017/08/threat-roundup-0728-0804.html

Strike ID: M17-yth01
Malware: Doc.Dropper.Agent_ca8d0bce
Platform: Mixed
Info: This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.
MD5: ca8d0bce7c253674c7351b4d5180d593
SHA1: af9a3b26e6ece959cdd4ede2bc9b57369d7f033d
SHA256: bec41e3e8d3093b58170d743ca905af81ed745a4828a42a9d39cd3373252a84d
External References: http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html

Strike ID: M17-pn201
Malware: Doc.Dropper.Agent_09c2547f
Platform: Mixed
Info: This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.
MD5: 09c2547faec5def76969da50521e3dda
SHA1: f07cee0b7c61098b95091e47d0b663347c1683a7
SHA256: 5dd873a5cd07c4ac6edc7bfad7c92e1111cbddab5e72de96291e2990e0ab62e0
External References: http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html

Strike ID: M17-xfw01
Malware: Doc.Dropper.Agent_6f23cef1
Platform: Mixed
Info: This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.
MD5: 6f23cef17d1f1a9f1b2972f1e86aa7e6
SHA1: b752f94dcf23d8aab927985875c425beb1f1db18
SHA256: cad134945e7f20e99efed18650d4a7c573f8902b32c10ae89639518f94e646d0
External References: http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html

Strike ID: M17-iir01
Malware: Upatre_e27f5105
Platform: Windows
Info: This strike sends a malware sample known as Upatre. Upatre is a downloader used in exploit kits that retrieves a variety of malicious executables for the target to execute.
MD5: e27f5105a7a08cbd93412bf625d7ea2e
SHA1: cf7b20862f86fe0d1c6fb7e8e1667f5f3ff240ac
SHA256: 75309ff6942162fa19e4c7d430456a699cbee26106afeffc71f02325c9ab37c4
External References: http://blog.talosintelligence.com/2017/08/threat-roundup-0728-0804.html

Strike ID: M17-fk501
Malware: Upatre_0155d835
Platform: Windows
Info: This strike sends a malware sample known as Upatre. Upatre is a downloader used in exploit kits that retrieves a variety of malicious executables for the target to execute.
MD5: 0155d835f1376b33091549bba14ae9a2
SHA1: 55df4b36cb8812baef77f451e7e357d5effe2530
SHA256: c9975f106e8e0e7ceee70bd285159226e7687076a0e3b84c525a953657f6b1ff
External References: http://blog.talosintelligence.com/2017/08/threat-roundup-0728-0804.html

Strike ID: M17-f5601
Malware: Tinba_b3b81927
Platform: Windows
Info: This strike sends a malware sample known as Tinba. Tinba is a banking trojan that steals information via JavaScript injected into web browsers.
MD5: b3b819273aae385b7c2595406848d286
SHA1: 582b67bdd458d904a2e4d9b5943492ffe8850c27
SHA256: 0ce6189ecd16fbf2f885a8516836c7bb9d0685f6ff2c4a3df80e236ef5d0d803
External References: http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html

Strike ID: M17-upd01
Malware: Expiro_d553e02a
Platform: Windows
Info: This strike sends a malware sample known as Expiro. Expiro is a trojan that implements anti-debugging techniques, and this sample needs a correct sandbox environment in order to execute.
MD5: d553e02a4a7d3840c8fc361ae5f1be31
SHA1: b5170b5fa1067ca043cb0eac7cae0a3a99253a78
SHA256: 5ffa0097ebcba0e1921c6607a644e2649532ae07b1c7d6533a3cbef52ee51620
External References: http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html

Strike ID: M17-eb701
Malware: Doc.Dropper.Agent_1c90b3ba
Platform: Mixed
Info: This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.
MD5: 1c90b3ba01aca0d7b8665046713a8bec
SHA1: f951e821cf06d1c6aa1a5daa4fdaa34a7e8a0f8e
SHA256: d076c672bdb9bd3b738edb882560482bebde469d02acd1ccda11e9c9cb6feaeb
External References: http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html

Strike ID: M17-35q01
Malware: Doc.Dropper.Agent_cd213d4d
Platform: Mixed
Info: This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.
MD5: cd213d4d9aceca22a36b16b6557ca3fe
SHA1: 21c66b0e787f728c259accc05a5c6dc699629232
SHA256: 3d081fe6a220b546af09139fda7deceb5e7f16b52fb47d15ff4e69bab9175734
External References: http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html

Strike ID: M17-tvs01
Malware: Tinba_a710326a
Platform: Windows
Info: This strike sends a malware sample known as Tinba. Tinba is a banking trojan that steals information via JavaScript injected into web browsers.
MD5: a710326a2b1b0a9a8c8f5d8832c57774
SHA1: 4101db06545b0353212a5652e0150220f8f76274
SHA256: 7bbd6d3d6bf6e991e023395e3cb31c18b2a106eef036ad175736a17fb1099b39
External References: http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html

Strike ID: M17-n1401
Malware: Doc.Dropper.Agent_891cf7a1
Platform: Mixed
Info: This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.
MD5: 891cf7a1cb04a6f1e4dabe62240936c7
SHA1: 9e244e7dbe98eee7a8e3cbf4dec1b1679ef7e15b
SHA256: 94395a2b7bd0a120b55e39b3107f934f9b76faa9e2679dbae1237f69f2c3f1b9
External References: http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html

Strike ID: M17-rtf01
Malware: Nitol_af18639b
Platform: Windows
Info: This strike sends a malware sample known as Nitol. The Nitol malware performs DDoS attacks. It is placed into a Windows directory and then creates a registry key to maintain persistence on the system.
MD5: af18639bcb54e3b8994f64afebe1df75
SHA1: de57bed4cc85493ad73cd029b0b78b7bb25f1990
SHA256: 2136e6be115617349992b506aced588dced1f5496e97443dfcc31344873f624d
External References: http://blog.talosintelligence.com/2017/08/threat-roundup-0728-0804.html

Strike ID: M17-8m701
Malware: Doc.Dropper.Agent_5d458bd7
Platform: Mixed
Info: This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.
MD5: 5d458bd72860af93a84d85b80aef6670
SHA1: 696bcd52db26baac027288287320c3be85e11d09
SHA256: 0e5240bf70e304781511de29a000c308f675d6209735c118cd0054b519eaa096
External References: http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html

Strike ID: M17-o7301
Malware: Tinba_af05ee63
Platform: Windows
Info: This strike sends a malware sample known as Tinba. Tinba is a banking trojan that steals information via JavaScript injected into web browsers.
MD5: af05ee6361a30887457d465697a5c047
SHA1: 6f665e285b07b77f887ecef080debd77a9b3a1b8
SHA256: 856ed534a7c32ab7799756c33f7ee104718c89add001428a41dc57e8449167c8
External References: http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html

Strike ID: M17-osn01
Malware: Cryptocurrency
Platform: Mixed
Info: This strike sends a malware sample known as Cryptocurrency Coinminer Trojan. This sample is a cryptocurrency-mining trojan that uses WMI scripts and the EternalBlue (MS17-010) exploit to compromise a system. It uses the vulnerability to drop a FORSHARE backdoor on the system, then uses the WMI scripts to connect to its C2 servers and retrieve instructions along with various other components.
MD5: 98d615c222293ca937ab4b1b4a7c8118
SHA1: bec02c55c98612ee716bb5956f68e0dd27cf0afc
SHA256: 8c5bb89596cd732af59693b8da021a872fee9b3696927b61d4387b427834c461
External References: http://blog.trendmicro.com/trendlabs-security-intelligence/cryptocurrency-miner-uses-wmi-eternalblue-spread-filelessly/

Strike ID: M17-iqw01
Malware: Tinba_ac897bac
Platform: Windows
Info: This strike sends a malware sample known as Tinba. Tinba is a banking trojan that steals information via JavaScript injected into web browsers.
MD5: ac897bac2fc6250d3813fc402acaa13a
SHA1: 5b2a89c30b63f07ff6cedef84a2a603597237b07
SHA256: 7607a0e1be2a8f50959ef42b78edd156aa76741fdc8ee2be9d375610c0b130b2
External References: http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html

Strike ID: M17-zfy01
Malware: Doc.Dropper.Agent_41ce3241
Platform: Mixed
Info: This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.
MD5: 41ce32415f50b38285f84283eb66260a
SHA1: 9c7f6e6fa1a894ce156447326634e0ba4dbab121
SHA256: bbe5988f2470a296186ca43a76636fceb523b45273a32e83aa14a8cc1f4e3a8e
External References: http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html

Strike ID: M17-igp01
Malware: Doc.Dropper.Agent_e2a9dd67
Platform: Mixed
Info: This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.
MD5: e2a9dd6751a2b8e81e78b0bfffd2881d
SHA1: 9db713fed68aff0bbe895ca04dbf6d2e101ddd15
SHA256: 45112ef00b7d34a471655f3a7318fd2b69de1ade1889647839ff897c6e6f1c67
External References: http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html

Strike ID: M17-ldh01
Malware: Doc.Dropper.Agent_624320b1
Platform: Mixed
Info: This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.
MD5: 624320b15af74da84a68d477343457ea
SHA1: 26be2fb6d263434fbfb1605915e69bfbc3ae840d
SHA256: de0e7aae207f7a7a1f242d849bb61c7f4e98d84f74b228439d296e6a46b2f812
External References: http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html

Strike ID: M17-c7c01
Malware: Doc.Dropper.Agent_3afc0911
Platform: Mixed
Info: This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.
MD5: 3afc0911b32f240a4589a902e204a945
SHA1: 612a2a5ec1ac66d686b8cfbd35c6ad7a3dfd9a61
SHA256: 5624e26cace481fa4144f5ccd5bdcc7b5c3d42c035c88250312833041cf55807
External References: http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html

Strike ID: M17-fux01
Malware: Doc.Dropper.Agent_b1c2aabc
Platform: Mixed
Info: This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.
MD5: b1c2aabced51d7fa1a7769a3456e8dc7
SHA1: 733747432c630017dfd149a6569a8adf7a479f4f
SHA256: dcfddf26b9699622bde12c6b64a78e5446172e57c5a29c3ea0267a0df85bc1e3
External References: http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html

Strike ID: M17-j6l01
Malware: Expiro_0132bc93
Platform: Windows
Info: This strike sends a malware sample known as Expiro. Expiro is a trojan that implements anti-debugging techniques, and this sample needs a correct sandbox environment in order to execute.
MD5: 0132bc9325db31ad1a4e2a92d1019b71
SHA1: 275561f1155d95ad3ad283027e0a2a60a6a8a401
SHA256: 5fe205ea4f5f975703e242e8079dc471a5363538535d76584e7138ed3fb67546
External References: http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html

Strike ID: M17-u6e01
Malware: Doc.Dropper.Agent_280175d3
Platform: Mixed
Info: This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.
MD5: 280175d3d1f1710fb023454323ee56d2
SHA1: 2660fc4e77fb7a7c27955bcc79a524afe58738cb
SHA256: acdae0dde63863e8be98935254c901439b5fc36fb45f974fd7ce7c298e3ca0ca
External References: http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html

Strike ID: M17-f6q01
Malware: Upatre_da1126f9
Platform: Windows
Info: This strike sends a malware sample known as Upatre. Upatre is a downloader used in exploit kits that retrieves a variety of malicious executables for the target to execute.
MD5: da1126f91d0989e65c7315278060c72f
SHA1: a4fac9bd9c6a00989663dc8478e29b391ef88ab9
SHA256: 8978bcef1799a5ea3324ce88b9a848e85987958b8ea7dcc0ba511120e6602aa0
External References: http://blog.talosintelligence.com/2017/08/threat-roundup-0728-0804.html

Strike ID: M17-oe001
Malware: Doc.Dropper.Agent_4377385b
Platform: Mixed
Info: This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.
MD5: 4377385b36ee38c3c7189a62bb5637fe
SHA1: d50a114b7f843a2a35a16d95d1e723ae4d65621c
SHA256: 3728cecd2be075b09a3a6d8d8c5923fe14cf381e3070266cf05fa51585def305
External References: http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html

Strike ID: M17-94d01
Malware: Doc.Dropper.Agent_2cff6bff
Platform: Mixed
Info: This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.
MD5: 2cff6bff7ad585b9e6e0b79fdc40edbd
SHA1: f7fcc6118eac486a388de009887a13fcb0fd0368
SHA256: 0db7513e4ec8cea44afdce2d37991f5f9cbde0bb779856c10d9ffa75bed53d0f
External References: http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html

Strike ID: M17-idx01
Malware: Tinba_aaeec015
Platform: Windows
Info: This strike sends a malware sample known as Tinba. Tinba is a banking trojan that steals information via JavaScript injected into web browsers.
MD5: aaeec015fcf1fccea28f194a9a7ef145
SHA1: dd39546082787a9197163f4b27aa64aaeaeffb98
SHA256: 6fd80f8da071c3dc482314cbc994b22f105bce22acdad9e9bd86bae5abed53d9
External References: http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html

Strike ID: M17-0zm01
Malware: Doc.Dropper.Agent_2ab698b7
Platform: Mixed
Info: This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.
MD5: 2ab698b733ab810f49f1986144a666e6
SHA1: 67be5562a9188d7a180cfdc24d9334219093271f
SHA256: 056bce922fab367aabfd43f5e85bb5397755db08afcc8c38d992ffb4fe8f766f
External References: http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html

Strike ID: M17-9wb01
Malware: Doc.Dropper.Agent_a071f7f6
Platform: Mixed
Info: This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.
MD5: a071f7f613da5ae0a5f0f83febae64c2
SHA1: 2f8bac775f7b16e6ae60c216c2978b2424e8464a
SHA256: e631b1dd070f71e53dd7b5c36a1921c027257f0c79bc7964551f27d0f4ece78b
External References: http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html

Strike ID: M17-ssu01
Malware: Upatre_9d460f7f
Platform: Windows
Info: This strike sends a malware sample known as Upatre. Upatre is a downloader used in exploit kits that retrieves a variety of malicious executables for the target to execute.
MD5: 9d460f7f267f86cd01f786bf536ed220
SHA1: a32d114627189854513c6843825d7bcbc120086c
SHA256: eb0601efd61b34a2fac8468b613913983c2b1968b77aec8848c2dddf4443e952
External References: http://blog.talosintelligence.com/2017/08/threat-roundup-0728-0804.html

Strike ID: M17-9d601
Malware: Doc.Dropper.Agent_9b91d292
Platform: Mixed
Info: This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.
MD5: 9b91d2925dd7e4471101fc61dd5fc46d
SHA1: 7426ef6922c9719d868a18e9ffb7da8dbd1137a7
SHA256: 6ea7a564a6a7ba8f4c97e2eaefbedafab6dd1424d56716f1255b03f8b5879161
External References: http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html

Strike ID: M17-8lv01
Malware: Doc.Dropper.Agent_0f66aece
Platform: Mixed
Info: This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.
MD5: 0f66aece479cecc416c1888db9d1cd17
SHA1: 6e8729fa8aba8165479973f2f9fa799f766bed3e
SHA256: 37e79b45ee53bc266d3602ec2cb79762a3c6360b5c173e89da045491150dbfb1
External References: http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html

Strike ID: M17-kxt01
Malware: Ovidiy_88c61b86
Platform: Windows
Info: This strike sends a malware sample known as Ovidiy. Ovidiy is a modular Windows credentials stealer trojan that targets web browser credentials. The Ovidiy trojan samples have been associated with .NET packers and binaries.
MD5: 88c61b86e30c3d185d041278c14e0b39
SHA1: af22d0f090a4f196b80e99fb4c60011b6c1114cd
SHA256: 8f6939ac776dac54c2433b33386169b4d45cfea9b8eb59fef3b922d994313b71
External References: http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html

Strike ID: M17-yr302
Malware: Doc.Dropper.Agent_88119880
Platform: Mixed
Info: This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.
MD5: 881198803b04ec52cbd3423a2578c244
SHA1: 7e0b2cdd9684161e4b559022dcf981db2d37918f
SHA256: 1496ddfb94f11120267fe9d6bf233ba4726754bebf3075340496a144777a6539
External References: http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html

Strike ID: M17-odf01
Malware: Doc.Dropper.Agent_6ef85716
Platform: Mixed
Info: This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.
MD5: 6ef85716cfc24a424c4de5bbab0cb50f
SHA1: 71915e84e4a2122281f8eb13351f9c993aac4c3f
SHA256: ffc6c04d292e6618826bb09c8c63a06af3993e7b6b14171c45c7b44619b4421a
External References: http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html

Strike ID: M17-ly901
Malware: Doc.Dropper.Agent_7a38982e
Platform: Mixed
Info: This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.
MD5: 7a38982ee737b7ee829f67d7000a2b00
SHA1: c8e682ed4bbf3bd8307b8828b97359b2faba27de
SHA256: 7a703a5e7f30a1621e204669ffefe91f22a1619814c4ef40872cd750cffb9125
External References: http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html

Strike ID: M17-dns01
Malware: Doc.Dropper.Agent_5c4cde05
Platform: Mixed
Info: This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.
MD5: 5c4cde05b083f94e7af8623038cbcbde
SHA1: eb6c29bd72fc3bb628e28551616d8aaf7b06dc02
SHA256: 4cf480e7bab22fdd7d64c43d8f18c3c5358c25fbd063bc2d2855885b886718ac
External References: http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html

Strike ID: M17-wbz01
Malware: Doc.Dropper.Agent_f7be7a1d
Platform: Mixed
Info: This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.
MD5: f7be7a1dd9c78b40e3785e5cce5aceb3
SHA1: da2421ca0771355d5e6f66993864af4aa0e7146c
SHA256: c685f1c782e6b9250035f922ebc80400f2d6515e5f343a933c6c12920eb89e92
External References: http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html

Strike ID: M17-fi601
Malware: Doc.Dropper.Agent_039b52b4
Platform: Mixed
Info: This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.
MD5: 039b52b4638a8088c47214fdec37bbf7
SHA1: bb032753e6aefe431ab8cb6855362a02978bc4a3
SHA256: 425e004b3c9034aa17071b137ca1d4ae7a35dde5f588c05295e491b716125e2a
External References: http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html

Strike ID: M17-km501
Malware: Forshare
Platform: Windows
Info: This strike sends a malware sample known as Forshare Backdoor. This sample is a backdoor used in coinminer malware. The backdoor installs and executes scripts in WMI System Classes and is detected as JS_COINMINER.QO.
MD5: b6b68faa706f7740dafd8941c4c5e35a
SHA1: 806027db01b4997f71aefde8a5dbee5b8d9dbe98
SHA256: a095f60ff79470c99752b73f8286b78926bc46eb2168b3ecd4783505a204a3b0
External References: http://blog.trendmicro.com/trendlabs-security-intelligence/cryptocurrency-miner-uses-wmi-eternalblue-spread-filelessly/

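The Forshare row above says the backdoor installs and executes scripts in WMI system classes, and the coinminer rows say the WMI scripts are what reach the C2 servers. The practical check on a Windows host is to enumerate permanent WMI event subscriptions in the root\subscription namespace (the __EventFilter, __EventConsumer and __FilterToConsumerBinding classes) and triage every consumer that runs script or command lines. The Python below is an added example, not code from the strike list or from the referenced Trend Micro write-up; it applies that triage to subscription records. The records, names, script text, keyword list and review threshold are all constructed for illustration, except the SCM Event Log binding, which is the default one Windows ships with.

```python
"""Triage permanent WMI event subscriptions for script-hosting consumers.

Added example, not the strike list's or the referenced research's code.
The records below are constructed to mimic the join of __EventFilter,
__EventConsumer and __FilterToConsumerBinding from the root\\subscription
namespace; on a live host they would come from, for example,
  Get-WmiObject -Namespace root\\subscription -Class __FilterToConsumerBinding
The keyword list, timer pattern and threshold are this example's assumptions.
"""
import re
from typing import Dict, List

# Consumer classes that execute whatever content the subscription carries.
SCRIPT_CONSUMERS = {"ActiveScriptEventConsumer", "CommandLineEventConsumer"}

# Substrings that rarely appear in a legitimate consumer payload (assumed list).
PAYLOAD_KEYWORDS = [
    "powershell", "-enc", "frombase64string", "wscript.shell", "cmd.exe",
    "mshta", "regsvr32", "http://", "https://", "certutil",
]

# Timer-style trigger: fire every N seconds off a clock or performance-counter
# class, which is how a fileless implant re-runs itself after reboot.
TIMER_QUERY_RE = re.compile(
    r"__InstanceModificationEvent\s+WITHIN\s+\d+.*?"
    r"(Win32_LocalTime|Win32_PerfFormattedData\w*|Win32_PerfRawData\w*)",
    re.IGNORECASE | re.DOTALL,
)

# Constructed sample records. The first mirrors the SCM Event Log binding that
# ships with Windows; the other two are invented to exercise the heuristics.
SUBSCRIPTIONS = [
    {
        "filter_name": "SCM Event Log Filter",
        "query": "select * from MSFT_SCMEventLogEvent",
        "consumer_class": "NTEventLogEventConsumer",
        "consumer_name": "SCM Event Log Consumer",
        "payload": "",
    },
    {
        "filter_name": "SystemUpdateFilter",
        "query": "SELECT * FROM __InstanceModificationEvent WITHIN 3600 "
                 "WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'",
        "consumer_class": "ActiveScriptEventConsumer",
        "consumer_name": "SystemUpdateConsumer",
        # Constructed JScript body; the -enc argument is "IEX" in UTF-16LE base64.
        "payload": "var s=new ActiveXObject('WScript.Shell');"
                   "s.Run('powershell -nop -w hidden -enc SQBFAFgA',0);",
    },
    {
        "filter_name": "BackupFilter",
        "query": "SELECT * FROM Win32_VolumeChangeEvent WHERE EventType = 2",
        "consumer_class": "CommandLineEventConsumer",
        "consumer_name": "BackupConsumer",
        "payload": "C:\\Tools\\backup.exe --sync",
    },
]


def score_subscription(sub: Dict[str, str]) -> List[str]:
    """Return the reasons a subscription deserves review (empty list = benign)."""
    reasons: List[str] = []
    if sub["consumer_class"] in SCRIPT_CONSUMERS:
        reasons.append(f"consumer class {sub['consumer_class']} runs arbitrary code")
    payload = sub.get("payload", "").lower()
    hits = [kw for kw in PAYLOAD_KEYWORDS if kw in payload]
    if hits:
        reasons.append("payload contains " + ", ".join(hits))
    if TIMER_QUERY_RE.search(sub.get("query", "")):
        reasons.append("filter is a periodic timer trigger")
    return reasons


def triage(subs: List[Dict[str, str]], threshold: int = 2) -> Dict[str, List[str]]:
    """Map consumer name to reasons for every subscription with >= threshold reasons.

    A lone CommandLineEventConsumer is common in admin tooling, so the default
    threshold of two keeps it out of the alert list while still reporting it
    when a lower threshold is requested.
    """
    return {
        sub["consumer_name"]: reasons
        for sub in subs
        if len(reasons := score_subscription(sub)) >= threshold
    }


if __name__ == "__main__":
    for name, reasons in triage(SUBSCRIPTIONS).items():
        print(name)
        for r in reasons:
            print("  -", r)
```

On a real host, export the three classes with Get-WmiObject (or Get-CimInstance) and join them on the binding's Filter and Consumer references before feeding the records in; remove a malicious binding and its filter and consumer together, or the implant is recreated at the next trigger.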
Strike ID: M17-v3w01
Malware: Ovidiy_6838bce2
Platform: Windows
Info: This strike sends a malware sample known as Ovidiy. Ovidiy is a modular Windows credentials stealer trojan that targets web browser credentials. The Ovidiy trojan samples have been associated with .NET packers and binaries.
MD5: 6838bce2f6c831414df831040fc14287
SHA1: d03b5ba006986ea5f980468bcec1f245eb92b685
SHA256: c16408967de0ca4d3a1d28530453e1c395a5166b469893f14c47fc6683033cb3
External References: http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html

Strike ID: M17-qf601
Malware: Doc.Dropper.Agent_02522b84
Platform: Mixed
Info: This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.
MD5: 02522b84e5c8757aaea14c65627b3f7f
SHA1: c679d26f98969738489dd65c41cfce78b0e0997f
SHA256: f2fbac0942b08720073373536520b471229c918474cabb63fd19c3d006caaa1b
External References: http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html

Strike ID: M17-v0q01
Malware: Doc.Dropper.Agent_9d4f149d
Platform: Mixed
Info: This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.
MD5: 9d4f149dc213d5cbbc6065c6c39f978c
SHA1: 2d83ec7e08817a1ac6ab1495e9a563da485ab0dd
SHA256: db8ee4755c2b30756abb68e14e30b7c10d283b2f989fc7f3556f92389a2c32b9
External References: http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html

Strike ID: M17-utj01
Malware: Doc.Dropper.Agent_2f7441e9
Platform: Mixed
Info: This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.
MD5: 2f7441e9c30fae211c738c76293c2e25
SHA1: e3651c3de8f11dc2ddd176da0bb95ead946f59ff
SHA256: 0752a00c66125520f78673e70af10123cb5b78fe4786d368f7beb586d5ce3531
External References: http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html

Strike ID: M17-e7c01
Malware: Doc.Dropper.Agent_e15e6ec9
Platform: Mixed
Info: This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.
MD5: e15e6ec956e484b71ed1d38bb0aaa3bf
SHA1: 4d581ca02833554440ea709085d02f3fa865f255
SHA256: cccb32f7f0408b32f3ad7f5a75adf1b955ba83a712e59c64f16b07713a6b44b8
External References: http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html

Strike ID: M17-ehz01
Malware: Expiro_77468f8f
Platform: Windows
Info: This strike sends a malware sample known as Expiro. Expiro is a trojan that implements anti-debugging techniques, and this sample needs a correct sandbox environment in order to execute.
MD5: 77468f8f46838cf5d8f2fa7e2068c1ca
SHA1: abe8c5978c790a1e126bd3d86711f02e5dcd3ef1
SHA256: 60d2422af917cb8aa58c14b8b78d4af112c9c78343da8f7aa3fbcb87be1a4de0
External References: http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html

Strike ID: M17-g8j01
Malware: Upatre_2920dca3
Platform: Windows
Info: This strike sends a malware sample known as Upatre. Upatre is a downloader used in exploit kits that retrieves a variety of malicious executables for the target to execute.
MD5: 2920dca3bca5ed300468b86dfeccf88a
SHA1: 77cac1356b4a02789ace4c49b6f9ea88a1a89358
SHA256: c75bc2341ed612c8e5154cb88e7110544e3ff59fed30af28e441c0d31d088da8
External References: http://blog.talosintelligence.com/2017/08/threat-roundup-0728-0804.html

Strike ID: M17-4q001
Malware: Tinba_adbd1f4e
Platform: Windows
Info: This strike sends a malware sample known as Tinba. Tinba is a banking trojan that steals information via JavaScript injected into web browsers.
MD5: adbd1f4ea401fa99ff71adb5f4399cd2
SHA1: fa8b9ad32327028b075778ff762eb31b81b0365a
SHA256: 51769c916a89522975cb1babb4c9c7b18f3530286c66f3d735751cbdac02a160
External References: http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html

Strike ID: M17-uwn01
Malware: Doc.Dropper.Agent_9dce5f03
Platform: Mixed
Info: This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.
MD5: 9dce5f03b45f332a44ac411379cc31a3
SHA1: d5615e91f1ada91ec77b06ff0ddf1c0cbf34eb7c
SHA256: 31b34ac21405f6450bef3c18249e83a7bc464dea5cd4fb239becfe0a800875a2
External References: http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html

Strike ID: M17-oei01
Malware: Upatre_6d8b1e33
Platform: Windows
Info: This strike sends a malware sample known as Upatre. Upatre is a downloader used in exploit kits that retrieves a variety of malicious executables for the target to execute.
MD5: 6d8b1e334303ddcc93b4a7ec6373bcf5
SHA1: f259b1ceb58216298a0e5c6be9e455a2f2ea6c06
SHA256: c707645487cd7d7c8001fa40cfa2475c23705f65048c3831eefb5580e39b3845
External References: http://blog.talosintelligence.com/2017/08/threat-roundup-0728-0804.html

Strike ID: M17-zoa01
Malware: Doc.Dropper.Agent_e7b2b379
Platform: Mixed
Info: This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.
MD5: e7b2b379f6c18c23cb6e2efce2c2aa10
SHA1: a2fb8cf5f7fffd76d9f8ae1283d403c9f5a1b9aa
SHA256: 5df3016ba1cfd870d1d72e75ab9ec1d0a08a7e11d9fe7ec6b32fa0ce468206e7
External References: http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html

Strike ID: M17-rdq01
Malware: Doc.Dropper.Agent_3078afd6
Platform: Mixed
Info: This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.
MD5: 3078afd65e9b691dd070c17fe981b280
SHA1: fd00dc09d74efb31ab13af8ad87cd3cf052607be
SHA256: 9b6d3e01584f4d1238a55050c7ffad0e14299e911db8497b81529bd58afa4bc7
External References: http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html

Strike ID: M17-zik01
Malware: Doc.Dropper.Agent_de30c6ff
Platform: Mixed
Info: This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.
MD5: de30c6ff05f944c0a9487451f69b9abb
SHA1: 1788092a01feab6cf35672942974618b59b34df7
SHA256: 8c4813043fa78b4aec7ada10556ddbe06eedbc81b115e4ff08371d8ee132d645
External References: http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html

Strike ID: M17-j9e01
Malware: Ovidiy_727ae120
Platform: Windows
Info: This strike sends a malware sample known as Ovidiy. Ovidiy is a modular Windows credentials stealer trojan that targets web browser credentials. The Ovidiy trojan samples have been associated with .NET packers and binaries.
MD5: 727ae120f5afe39bf9736a43bef17be2
SHA1: e0d4ed2d470808f33b1384d8b9cec6e16142a17c
SHA256: 22fc445798cd3481018c66b308af8545821b2f8f7f5a86133f562b362fc17a05
External References: http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html

Strike ID: M17-ass01
Malware: Doc.Dropper.Agent_dc412d59
Platform: Mixed
Info: This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.
MD5: dc412d59bbf9e8393326141a3be9b4ea
SHA1: 903ef0c1a668a18a39b7c58dd13a40edce16c95a
SHA256: f0b670afe4781d3e8899bf742fbd613636424681f56c4388168acea84ea344af
External References: http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html

Strike ID: M17-lyh01
Malware: Expiro_b739ddb5
Platform: Windows
Info: This strike sends a malware sample known as Expiro. Expiro is a trojan that implements anti-debugging techniques, and this sample needs a correct sandbox environment in order to execute.
MD5: b739ddb5dda521fb061ef4121d909c21
SHA1: 7b53cf4d52c2a6974124a4ab624c337ab1da38ad
SHA256: 5fd134b6abe1473fd5a7f96c711a4270fbc364bc6e3b10b5b344e0a1bfb0e4d8
External References: http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html

Strike ID: M17-7ax01
Malware: Doc.Dropper.Agent_c9841f71
Platform: Mixed
Info: This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.
MD5: c9841f716752e0b751da6737002e2e18
SHA1: 13aaa0dbe1b9234f4973131c033e8bdc5f9db5d2
SHA256: 168c49c8207019008bdf746d0fa4ab33a154277c5fe50fd4900e9d77ec6a2e7d
External References: http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html

Strike ID: M17-wtp01
Malware: Cryptocurrency
Platform: Windows
Info: This strike sends a malware sample known as Cryptocurrency Coinminer Trojan. This sample is a cryptocurrency-mining trojan that uses WMI scripts and the EternalBlue (MS17-010) exploit to compromise a system. It uses the vulnerability to drop a FORSHARE backdoor on the system, then uses the WMI scripts to connect to its C2 servers and retrieve instructions along with various other components.
MD5: 010a7fa751f4a64c989eacabf58c8fbf
SHA1: 2db34fb90ec273120afa831cde91a5a7158b8fe6
SHA256: f37a0d5f11078ef296a7c032b787f8fa485d73b0115cbd24d62cdf2c1a810625
External References: http://blog.trendmicro.com/trendlabs-security-intelligence/cryptocurrency-miner-uses-wmi-eternalblue-spread-filelessly/

Strike ID: M17-kv501
Malware: Doc.Dropper.Agent_3be1c2f0
Platform: Mixed
Info: This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.
MD5: 3be1c2f0af0c149b05091ff6d3cd1d58
SHA1: a5f1d3be379d94c2fa53e46ee5a381183ef53054
SHA256: 29a7f99f81dd37bcbd196d635837c01d2aa48045ce4efd999a6d0da92bfbe917
External References: http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html

Strike ID: M17-8u301
Malware: Doc.Dropper.Agent_05a9858c
Platform: Mixed
Info: This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.
MD5: 05a9858cd9b89b725006963d773fa1ae
SHA1: 1fc4aa7f4e315021e6849d5ae72789c9fe1b2d03
SHA256: e8290589cab3707f80ada754a31263e239b870dac5bdece15bf2e331cae5acf1
External References: http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html

Strike ID: M17-i2201 | Malware: Upatre_4cf5364a | Platform: Windows
Info: This strike sends a malware sample known as Upatre. Upatre is a downloader used in exploit kits that retrieves a variety of malicious executables for the target to execute.
MD5: 4cf5364a2637143c96646a554f4f256f
SHA1: d3b2edb7cb97c20cf7bbdef3f071a0afbf471329
SHA256: 0f6325d3fd6177cee19770b12d97efa8da46cb23a7173e227efc2291e59034d3
External References: http://blog.talosintelligence.com/2017/08/threat-roundup-0728-0804.html
Strike ID: M17-3nx01 | Malware: Doc.Dropper.Agent_3659c8b2 | Platform: Mixed
Info: This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.
MD5: 3659c8b26c8bf4b9feefbfc100bd9656
SHA1: 353a4a6775544748c3101466b7e067276c8a3838
SHA256: 4b495c54056aa68e91fd481168a7ddc5d5a6cae713ab359777340f1ba901ae65
External References: http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html
Strike ID: M17-pew01 | Malware: Doc.Dropper.Agent_34f86b2d | Platform: Mixed
Info: This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.
MD5: 34f86b2da35c647a5e01aa44057ca5f6
SHA1: bb4021b575c7611babd35e48556a953759788b57
SHA256: 947ec2662ab377aca91f9ccb5b2a0e823ab5b814be719494c5cb8f0e7e228252
External References: http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html
Strike ID: M17-kxk01 | Malware: Upatre_1f9c87cb | Platform: Windows
Info: This strike sends a malware sample known as Upatre. Upatre is a downloader used in exploit kits that retrieves a variety of malicious executables for the target to execute.
MD5: 1f9c87cb98f8df3df00874507f5aa354
SHA1: 6f05eedf798c03a7a189e8fa88880bde3b9b004f
SHA256: f6ae56489c1063a48079b1cf5c1252a8f1f3af70918c58fed90ce453bd6cec9e
External References: http://blog.talosintelligence.com/2017/08/threat-roundup-0728-0804.html
Strike ID: M17-87301 | Malware: Doc.Dropper.Agent_481a76f0 | Platform: Mixed
Info: This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.
MD5: 481a76f09eeef4cd68da96efa5321a60
SHA1: 6d7f413da9dd32f471e2e533e19c1b11b4b94979
SHA256: d08c719c8ea6e5d7546e6449e6aed748ce74359e7c0dbd1f9bd08e2e8b795c68
External References: http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html
Strike ID: M17-oel01 | Malware: Upatre_29fa856d | Platform: Windows
Info: This strike sends a malware sample known as Upatre. Upatre is a downloader used in exploit kits that retrieves a variety of malicious executables for the target to execute.
MD5: 29fa856d838b45f851414ee9847341e5
SHA1: 82feb051efb1d474ec2bda7fdd68a83bbb97ec5b
SHA256: 19a4c65bc812eb74df5b41c058f345c5a4fbc838de59e4127e4cf784770a63df
External References: http://blog.talosintelligence.com/2017/08/threat-roundup-0728-0804.html
Strike ID: M17-kvr01 | Malware: Doc.Dropper.Agent_a838f93f | Platform: Mixed
Info: This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.
MD5: a838f93f7a6f35ce04bef4aabf5044e0
SHA1: 0af4904f63eb4c99b74b10ff43a310a21e354de2
SHA256: 4808a9fc9a33cf5df06d5a56f85b6e2dfdb8fc5fbb4cbd2ede05488dd566f6f5
External References: http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html
Strike ID: M17-ugo01 | Malware: Tinba_a1a4ea05 | Platform: Windows
Info: This strike sends a malware sample known as Tinba. Tinba is a banking trojan that steals information via JavaScript injected into web browsers.
MD5: a1a4ea059e2d1350cea94e056eeeea41
SHA1: 35669a1eb529176931c7f670f58dd233822f79bd
SHA256: 968ff771eab9d14d1847f489f425e44532522c7b9fe7407b09d7cc594da0eb84
External References: http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html
Strike ID: M17-14l01 | Malware: Doc.Dropper.Agent_e23f2ebf | Platform: Mixed
Info: This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.
MD5: e23f2ebf0d6a32b7d061b04fefd831a3
SHA1: 2728f3e77cfbb5c07528ba895cd2ab9fb129dda5
SHA256: 5edbc08d4e919f7186aa2b8a6e3d49ef38035c2a55b6e226910fcc60fe26a335
External References: http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html
Strike ID: M17-8l801 | Malware: Doc.Dropper.Agent_c17c9d18 | Platform: Mixed
Info: This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.
MD5: c17c9d18b0d2c390d317f22078714e38
SHA1: ab4cb1ce4fd96fdabdb703dfb9a037e236516efb
SHA256: 36472a674c751c65c15cbaab276c0fba8f3f1709750473b24e5d3c21e468617f
External References: http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html
Strike ID: M17-ov101 | Malware: Ovidiy_cd671a72 | Platform: Windows
Info: This strike sends a malware sample known as Ovidiy. Ovidiy is a modular Windows credential-stealing trojan that targets web browser credentials. Ovidiy samples have been associated with .NET packers and binaries.
MD5: cd671a726a8498a8fd70c6c76069fb54
SHA1: 6b2e2ff345e0001a047d461e8a91ee34b3693617
SHA256: 80d450ca5b01a086806855356611405b2c87b3822c0c1c38a118bca57d87c410
External References: http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html
Strike ID: M17-9b301 | Malware: Doc.Dropper.Agent_ab210c06 | Platform: Mixed
Info: This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.
MD5: ab210c06ffac47325abc1dacebbd2a43
SHA1: 8f3c1518b12636a937f0afb28040511dec05858f
SHA256: 6dc6070451995a7dae4d5b741e291ce525aec2cf3144d9fdb8484f39079ef9e2
External References: http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html
Strike ID: M17-kjg01 | Malware: Doc.Dropper.Agent_fab13a88 | Platform: Mixed
Info: This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.
MD5: fab13a887c0ab39d971099cf40c3398f
SHA1: 77a1e05ab6038f621e5c9af9c52b95c798c836aa
SHA256: bd7ed9514afabc723da282f32ad1dcfe81796a83555b7b4a6738dd0254c06ccd
External References: http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html
Strike ID: M17-uq201 | Malware: Doc.Dropper.Agent_f0a39d78 | Platform: Mixed
Info: This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.
MD5: f0a39d788b53d8c6ee03dc67c4e2d9be
SHA1: 5c3e0a8128099f5174b6209a4d87c8eb057dabb0
SHA256: 0524147db311dedc4631e0749bb79865ac673763bd5ebc576855fcb9431de98b
External References: http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html
Strike ID: M17-6mc01 | Malware: Upatre_637170ca | Platform: Windows
Info: This strike sends a malware sample known as Upatre. Upatre is a downloader used in exploit kits that retrieves a variety of malicious executables for the target to execute.
MD5: 637170ca0e32ed7e2c283fa2370e5a18
SHA1: 2ed47485e5e08b58005a9446c7e6ce1284fcdfaf
SHA256: a67638a9940841bc5222a160b0d28930c5244be769e6091122cfc7aaefa71335
External References: http://blog.talosintelligence.com/2017/08/threat-roundup-0728-0804.html
Strike ID: M17-g4h01 | Malware: Doc.Dropper.Agent_578a44de | Platform: Mixed
Info: This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.
MD5: 578a44dec0e58d9545ce53453c205328
SHA1: 2de64dc8e000141128f8a97eb20f77f4ff6d6965
SHA256: e92710c582f71c4a9cb127774fa4cce0d8abb837a38d50d22d17ef7061646c92
External References: http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html
Strike ID: M17-8f201 | Malware: Doc.Dropper.Agent_e0ebcdd2 | Platform: Mixed
Info: This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.
MD5: e0ebcdd2f7274c1d5737c21de737c44f
SHA1: 9738e192b00fb5353ca8bf04e70073d14697a540
SHA256: 6250f069e1268801cb3afaee2523df1aca628fa791a666f1d05b6cb981913461
External References: http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html
Strike ID: M17-f0x01 | Malware: Doc.Dropper.Agent_5f4cca2c | Platform: Mixed
Info: This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.
MD5: 5f4cca2cad48595d3300d9f2fce4d3d8
SHA1: 2ecb1d4d95b1c642bf70131bd23d9bb7b5fb8323
SHA256: 4111dc9ca29508aa89caf873ac9359ad579270c3b3025ab0ba8098dea9c3c459
External References: http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html
Strike ID: M17-hys01 | Malware: Upatre_90c7f61a | Platform: Windows
Info: This strike sends a malware sample known as Upatre. Upatre is a downloader used in exploit kits that retrieves a variety of malicious executables for the target to execute.
MD5: 90c7f61a4cb3c7af757d56659290bfff
SHA1: 5e63eb42af94c89e0fdf34d796e1a5cadc34b429
SHA256: 23da35463015938e649624b1e606507fc1c36998a3cdb730f02309055609bd2f
External References: http://blog.talosintelligence.com/2017/08/threat-roundup-0728-0804.html
Strike ID: M17-1fn01 | Malware: Upatre_3f84e89a | Platform: Windows
Info: This strike sends a malware sample known as Upatre. Upatre is a downloader used in exploit kits that retrieves a variety of malicious executables for the target to execute.
MD5: 3f84e89a99fa5a07c70b234ac1be7952
SHA1: d91b929536314be2a2df8d806da150c7efe16635
SHA256: fc0f51ffddad995a4588fbc28d10d0037cc36708e4875a057629bd5a2d975a43
External References: http://blog.talosintelligence.com/2017/08/threat-roundup-0728-0804.html
Strike ID: M17-lpr01 | Malware: Doc.Dropper.Agent_b656b353 | Platform: Mixed
Info: This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.
MD5: b656b353955bf30289570727ab032cd8
SHA1: 03bba9de2bff6f5c917a324962b570d1b6b46a77
SHA256: 31755c56408a13f44d620971a60342bb0170ad78217c923c518fe4b58b4da365
External References: http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html
Strike ID: M17-vqb01 | Malware: Doc.Dropper.Agent_a6fd9939 | Platform: Mixed
Info: This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.
MD5: a6fd99393b519c8acde3d7e2c92edd17
SHA1: ed996dfc599e65398b6845b6e08390edf9a0e86b
SHA256: b3fffd7e92a3bb920456b149717c353c8779e45a947c0e756889956c6bc48d7a
External References: http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html
Strike ID: M17-4vm01 | Malware: Doc.Dropper.Agent_cd3a6a2d | Platform: Mixed
Info: This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.
MD5: cd3a6a2d3915a64ea6f1a1e11b5646a1
SHA1: cc4ef105245df2b176365cfc401277040fdec5e5
SHA256: eb99cecc433a5134414024c98c227f52bae7660343a36469ccf0e6a8f5af4a6d
External References: http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html
Strike ID: M17-gw201 | Malware: Doc.Dropper.Agent_95a095a0 | Platform: Mixed
Info: This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.
MD5: 95a095a00455bc303387d2df6c44d4f1
SHA1: d2df019b8fa837aec31bac9a2e3406a3e0b04bd1
SHA256: 27772ef48d027d7e23e1f78d8ea86cb1bbcf4240cd59a8dc7ebc82f8a3a8b6dd
External References: http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html
Strike ID: M17-13g01 | Malware: Expiro_694a024a | Platform: Windows
Info: This strike sends a malware sample known as Expiro. Expiro is a trojan that implements anti-debugging techniques, and this sample needs a correct sandbox environment in order to execute.
MD5: 694a024a80fd829dd08c1159bf9ead57
SHA1: be6beb1c805d33f3388d510f5e5a6e04c5dd57ae
SHA256: 5f5e9e5952765887211883b42e508b4b14c62a1685092978f98c6619229796b5
External References: http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html
Strike ID: M17-fr301 | Malware: Doc.Dropper.Agent_b2dc50ec | Platform: Mixed
Info: This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.
MD5: b2dc50ecc318d6ebcba1a518105593a9
SHA1: eddd2ba7ff3d23b2f5891cbaeea48fdbf0fd0728
SHA256: b05c34ffdc8c82862b408a1f628b21bb08362de4340d768a08c511132ce7d34d
External References: http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html
Strike ID: M17-6b801 | Malware: Doc.Dropper.Agent_c2ad9bdd | Platform: Mixed
Info: This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.
MD5: c2ad9bdd89be2719d7fb7d9f77ee9ee7
SHA1: 6e9fc299719596ed5d0fd2589856567af077518c
SHA256: f8913513ec19ea386cb812e5e7249d44a4e4a3092fbfcea23fce692d7ed88970
External References: http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html
Strike ID: M17-5ex01 | Malware: Doc.Dropper.Agent_0e27fc6e | Platform: Mixed
Info: This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.
MD5: 0e27fc6e52b599e151a9eb0223b2ce6e
SHA1: 7acd905f7f85259c9045bbb2025cdc224b9ee21d
SHA256: b0610f20ce7be29f5864a02d72bcfa54e215d3159bf381d05fac58d2fa703f0d
External References: http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html
Strike ID: M17-f6001 | Malware: Doc.Dropper.Agent_06d15dd3 | Platform: Mixed
Info: This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.
MD5: 06d15dd3999ecc88ed062d6e04073c2a
SHA1: 6e04eb861091a601fb85904cc8db3229d4e2e91d
SHA256: e342cae3c710674f0e73ea2ed1e72085d790a653e249e1b5e4d8e6696e110041
External References: http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html
Strike ID: M17-3s801 | Malware: Madangel_c76a7118 | Platform: Windows
Info: This strike sends a malware sample known as Madangel. Madangel is a trojan that replicates through network shares and eventually connects to a command and control server to download other malicious executables.
MD5: c76a7118fd76a9ea44908cb338311600
SHA1: 7bd6319a1fff7a9b57753b40deb647c78febaeac
SHA256: fbf9d40bc0abe116c19404298d324fcb5a2ddd19d2d97dc31418446be3637a22
External References: http://blog.talosintelligence.com/2017/08/threat-roundup-0728-0804.html
Strike ID: M17-hey01 | Malware: Doc.Dropper.Agent_67969a29 | Platform: Mixed
Info: This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.
MD5: 67969a2971e05dd27eb1ee86e8aa2184
SHA1: 0fb8d22c3d5386967e70a5fda985b95894a756d5
SHA256: f20256df607a29ef83bd035ee27fc424307712e59298f54803150a88ea5c5ece
External References: http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html
Strike ID: M17-y9a01 | Malware: Madangel_c711312e | Platform: Windows
Info: This strike sends a malware sample known as Madangel. Madangel is a trojan that replicates through network shares and eventually connects to a command and control server to download other malicious executables.
MD5: c711312e1f07a9b6c37fea8ff62a8132
SHA1: cb124507f769a63f5e4671c17922a5106bf280d7
SHA256: 7ad3924efe8802153b9dadc5bc055b329ec8c2850b91dc5f5a1bba42533a8758
External References: http://blog.talosintelligence.com/2017/08/threat-roundup-0728-0804.html
Strike ID: M17-9ay01 | Malware: Doc.Dropper.Agent_7025dd3b | Platform: Mixed
Info: This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.
MD5: 7025dd3b7cff6adb5083701cf00a25be
SHA1: 53e2c82ced38ad23223a4557555eeb24f0ae72d9
SHA256: 758a4e1ea1fc0c9846d21f643013fd934fd23b187ca1fd32c90334ff48a60372
External References: http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html
Strike ID: M17-fsf01 | Malware: Doc.Dropper.Agent_f3e19146 | Platform: Mixed
Info: This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.
MD5: f3e19146696752674c78ddb3b21cb8d2
SHA1: 49a5f32b3138218bb16ba1e95c166dc1a94ab6b5
SHA256: d526ffe1710b4b39866bebceb3660e1386e41df17b13a6055078b0ce7db74fbe
External References: http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html
Strike ID: M17-qmg01 | Malware: Tinba_a40bb152 | Platform: Windows
Info: This strike sends a malware sample known as Tinba. Tinba is a banking trojan that steals information via JavaScript injected into web browsers.
MD5: a40bb152eaded8ef9c6e1226dddc4c13
SHA1: b567005e063ce04ffb8c33877916f7bac829a731
SHA256: 33fd66f4cee5bdd9f30eb2e5bd7a65367e10f55495c1122430685a8ff0d90fcc
External References: http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html
Strike ID: M17-3kg01 | Malware: Madangel_c72f49d9 | Platform: Windows
Info: This strike sends a malware sample known as Madangel. Madangel is a trojan that replicates through network shares and eventually connects to a command and control server to download other malicious executables.
MD5: c72f49d97ea8e0440c8310747517f1c8
SHA1: c8948449da2756d6cbd4c5c501b65dd0f573b3ef
SHA256: a010da80c2d35d420958b858fc1e5e700fab866799aa786e1feab4fba5ee6dbb
External References: http://blog.talosintelligence.com/2017/08/threat-roundup-0728-0804.html
Strike ID: M17-bk001 | Malware: Upatre_8775e784 | Platform: Windows
Info: This strike sends a malware sample known as Upatre. Upatre is a downloader used in exploit kits that retrieves a variety of malicious executables for the target to execute.
MD5: 8775e784d51dd71768aa1f231b39815e
SHA1: 47f4fb4e5e0ede7d8f2840ebaf67024c994dcb4a
SHA256: 6c44efb2baabb7b66849e69567c8b3394919efdb2491a1392ff237090c380f1f
External References: http://blog.talosintelligence.com/2017/08/threat-roundup-0728-0804.html
Strike ID: M17-hep01 | Malware: Avast | Platform: Windows
Info: This strike sends a malware sample known as Avast Signed Dropper. This malicious executable is signed by Avast as their SafeZone Browser. The file generates a PowerShell script that modifies Windows firewall rules and adds registry keys for persistence.
MD5: 5fd9e7a51f49eae4d722cabd84999ef5
SHA1: da7d5d84ec06da830330601077f5d01075de2ed5
SHA256: 6d28d5453d0c2ca132ba3b3d7f0a121427090c1eb52f7d2a5c3e4e5440411bc7
External References: https://isc.sans.edu/forums/diary/Malicious+script+dropping+an+executable+signed+by+Avast/22748/
Strike ID: M17-jz901 | Malware: Doc.Dropper.Agent_fd086e90 | Platform: Mixed
Info: This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.
MD5: fd086e90e4980be48055912c8d12f00c
SHA1: ba40d953c299f7d708150fe7bb5bbafca26451b2
SHA256: 8c43427b886d65c06a43f823511f0927b85dc5956dc7bd1bd16c59af548db6b8
External References: http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html
Strike ID: M17-3rx01 | Malware: Doc.Dropper.Agent_f094271e | Platform: Mixed
Info: This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.
MD5: f094271e6c8a722492774a22b420749e
SHA1: 60929619ddc37dbeac968fa6e93209c9136473be
SHA256: 454ed2ca7a116ad34864d4e8b232dcb50c063ffbd70f23753262aabb6b34d24e
External References: http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html
Strike ID: M17-xjf01 | Malware: Madangel_c75b1ec2 | Platform: Windows
Info: This strike sends a malware sample known as Madangel. Madangel is a trojan that replicates through network shares and eventually connects to a command and control server to download other malicious executables.
MD5: c75b1ec23a96fd1e8b997d26ddad20fa
SHA1: 781bdad48d3dd49947d01b4e2f80e59c100b82cb
SHA256: 3ad3d18277238e0a6e0a84a6e901395ad647466a0e68275a7426203216b05025
External References: http://blog.talosintelligence.com/2017/08/threat-roundup-0728-0804.html
Strike ID: M17-sj801 | Malware: Doc.Dropper.Agent_86724060 | Platform: Mixed
Info: This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.
MD5: 867240603ed0748450be2b1b2d7a87d3
SHA1: d08e8e29031f1720204cfc47d28755831e2038ca
SHA256: 717f927b9c0b01a60eb94254d39ac5eeee24a2c10d0c59266252630202a36323
External References: http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html
Strike ID: M17-j2c01 | Malware: Doc.Dropper.Agent_f12ce0b9 | Platform: Mixed
Info: This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.
MD5: f12ce0b9a92aabf66f1c11c22283d3b5
SHA1: a97e917364186994b78556fd172d8d4e6ec930c0
SHA256: 6451b45a4f8bdccdbce6bcd14e5fda1f976c81efed2c4dfd028386cce31250d1
External References: http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html
Strike ID: M17-mhb01 | Malware: Forshare | Platform: Windows
Info: This strike sends a malware sample known as Forshare Backdoor. This sample is a backdoor used by coinminer malware. It installs and executes scripts in WMI System Classes and is detected as JS_COINMINER.QO.
MD5: a206d9e633c7d74a735190299b125271
SHA1: 2b10fc7ebad4eb93d1a907cc6f5211be6cf73d5e
SHA256: e6fc79a24d40aea81afdc7886a05f008385661a518422b22873d34496c3fb36b
External References: http://blog.trendmicro.com/trendlabs-security-intelligence/cryptocurrency-miner-uses-wmi-eternalblue-spread-filelessly/
Strike ID: M17-zqr01 | Malware: Doc.Dropper.Agent_59b4e709 | Platform: Mixed
Info: This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.
MD5: 59b4e709c6e85a978b8c9d15b05b7b49
SHA1: 142b05761c150df687c09c2f835869ca81386a47
SHA256: 44b6060a5406112556049bd3efef8d876fe335bb4aa0f0a6f7d0210184918c71
External References: http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html
Strike ID: M17-lkb01 | Malware: Doc.Dropper.Agent_0d0541ab | Platform: Mixed
Info: This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.
MD5: 0d0541abecae2601c01e070198ab7d6f
SHA1: 2e82936395906e7f3e556f125742c4c13efb3cf4
SHA256: 976c6ce6c484aef7d0d801c2f5ee31c984136d91636656a7e5425fbc4e848029
External References: http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html
Strike ID: M17-2zx01 | Malware: Doc.Dropper.Agent_d92e56e0 | Platform: Mixed
Info: This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.
MD5: d92e56e06ba9a6af62661ca60b14b94a
SHA1: 9af416ce66dd4c76742c900c9028a7d98e94943f
SHA256: e14472604877ad85c119703225fb6086053bcaa2ebae60d38762bbdd192e2244
External References: http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html
Strike ID: M17-py001 | Malware: Doc.Dropper.Agent_b56f9163 | Platform: Mixed
Info: This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.
MD5: b56f91631190e6024dd3136ee0d4f289
SHA1: 9d37e56d4b470bd46739b20c20d00f83f569dfa6
SHA256: d26ebbc2bdf6a6b59d805f7f1e9a9b505b6ff6e8b99e254f9c5c36413142d3f8
External References: http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html
Strike ID: M17-uej01 | Malware: Upatre_3978a6db | Platform: Windows
Info: This strike sends a malware sample known as Upatre. Upatre is a downloader used in exploit kits that retrieves a variety of malicious executables for the target to execute.
MD5: 3978a6db3a1c56ab376ef1356a335a2a
SHA1: 5d39294b88264e2164976255256a577da4712806
SHA256: 249698d153aec8b19f511529aae5efc852cacbbc4f45020e4b9a3bdea933a6fa
External References: http://blog.talosintelligence.com/2017/08/threat-roundup-0728-0804.html
Strike ID: M17-n8t01 | Malware: Upatre_2303e7f5 | Platform: Windows
Info: This strike sends a malware sample known as Upatre. Upatre is a downloader used in exploit kits that retrieves a variety of malicious executables for the target to execute.
MD5: 2303e7f512925fa15023e257738fb23d
SHA1: 5dc69b519e8bfba8effae680986a6e5202ae3f67
SHA256: 5f3a9efa98d7acfb0793292b2475eba2d547632c63f3b4ca5d1958731d264506
External References: http://blog.talosintelligence.com/2017/08/threat-roundup-0728-0804.html
Strike ID: M17-9rd01 | Malware: Doc.Dropper.Agent_b68fab03 | Platform: Mixed
Info: This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.
MD5: b68fab0356e9b5412aaf20717f7c9a8a
SHA1: a370905b8f30f7040b7720d53add12fb7cf5f44e
SHA256: 5f1827ab138eb25289a1a76910f5dc9c96aed87dd8aa2db7e3b0d310267a5a67
External References: http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html
Strike ID: M17-rt001 | Malware: Doc.Dropper.Agent_cb354f22 | Platform: Mixed
Info: This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.
MD5: cb354f22c0c835ab81a48bee0c639ef5
SHA1: 4a4537bd0990b5a68f87e973a9da5f5def1c8ed9
SHA256: 2aaf7791ed0a57e48c3d363b46ba5247e78a2290549bfd7f98793e9bee4c3e55
External References: http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html
Strike ID: M17-2fg01 | Malware: Avast | Platform: Windows
Info: This strike sends a malware sample known as Avast Signed Dropper. This malicious executable is signed by Avast as their SafeZone Browser. The file generates a PowerShell script that modifies Windows firewall rules and adds registry keys for persistence.
MD5: 8129efe8afe6aeaa9793356300b2d8d8
SHA1: de045c4d74cb3eb6804f8fc1114aa58fc31c7609
SHA256: 2ee0c761a25310e34c9d3c9d3e810192d8bbd10d4051522e3eefdc1bd71a17bb
External References: https://isc.sans.edu/forums/diary/Malicious+script+dropping+an+executable+signed+by+Avast/22748/
Strike ID: M17-mmm01 | Malware: Upatre_1ffe648f | Platform: Windows
Info: This strike sends a malware sample known as Upatre. Upatre is a downloader used in exploit kits that retrieves a variety of malicious executables for the target to execute.
MD5: 1ffe648f92602af0e297abb8e73ecdf0
SHA1: ca419874bc65acace2aba98293a017958f05ad89
SHA256: ad54d0d8d9b80aff216cc9097849efc52b2990a6b8f9d6a24f9a22709be35267
External References: http://blog.talosintelligence.com/2017/08/threat-roundup-0728-0804.html
Strike ID: M17-ili01 | Malware: Doc.Dropper.Agent_e972a0ba | Platform: Mixed
Info: This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.
MD5: e972a0ba3cc4c131c36d2ed910199076
SHA1: 2afc5fa213b6c2a5046353c13787e0686346051a
SHA256: a4692d62273960b017d80e2b3ee9befe9b186d0609dbf4aedd1dcaf6d3aef671
External References: http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html
Strike ID: M17-osh01 | Malware: Doc.Dropper.Agent_93a6182a | Platform: Mixed
Info: This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.
MD5: 93a6182a6d48455bc911294cb461a379
SHA1: c05ac2ca24373440332b137306a5727f4063edfd
SHA256: b588aa1d5901e2ded7dfc9fe8efbd13304f2bed37086b5c9aa498fdffaed48ba
External References: http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html
Strike ID: M17-ymt01 | Malware: Upatre_11b19e9f | Platform: Windows
Info: This strike sends a malware sample known as Upatre. Upatre is a downloader used in exploit kits that retrieves a variety of malicious executables for the target to execute.
MD5: 11b19e9f954304116631d772d507ef40
SHA1: ab5c4f5f4c3b00683e42d1344a33a6b4bf01fd3d
SHA256: 570323e1150fe8e0802b03eb7848452c89ea1247512365bdb8621ecac4d15507
External References: http://blog.talosintelligence.com/2017/08/threat-roundup-0728-0804.html
Strike ID: M17-ea101 | Malware: Doc.Dropper.Agent_6926a83c | Platform: Mixed
Info: This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.
MD5: 6926a83c4ad890e8e4b5d47273849ba4
SHA1: f8bbce1362d00d4078036587150ba855f2bcc934
SHA256: b3dc9a164f1548ca0fd4618dbaae44c6a9ea05f66aafcf67758d9985b1409cb0
External References: http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html
Strike ID: M17-yqi01 | Malware: Doc.Dropper.Agent_287c2bb9 | Platform: Mixed
Info: This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.
MD5: 287c2bb9c1ced63562cc45a4560c4e77
SHA1: 3a78de80158174bcd111de44fedbb5c73dfc0ab1
SHA256: b1e4e3be5dd686424763f39f8930e28044a9cda7a48d8962ba6e8978ef532fa0
External References: http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html
Strike ID: M17-dfv01 | Malware: Doc.Dropper.Agent_893490aa | Platform: Mixed
Info: This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.
MD5: 893490aaed99e679ca5570b7bce8b85d
SHA1: 350c4b7cbad4ad87f9f127734f772346953d5226
SHA256: f6c2aea9dbc12ff2dbf77637560093234465cdae03c40ee4f0afcf8365ebfab7
External References: http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html
Strike ID: M17-ljq01 | Malware: Doc.Dropper.Agent_19caf486 | Platform: Mixed
Info: This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.
MD5: 19caf486adadf70038b8205f2778ea99
SHA1: 51d4a1a196a04cca8798da647157910e7042c72a
SHA256: 9d52dd2437d0408e5971598b44c5dc1e1475004241bb5928d1eaee9a9aea51e1
External References: http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html
Strike ID: M17-rqm01 | Malware: Tinba_a1aeef75 | Platform: Windows
Info: This strike sends a malware sample known as Tinba. Tinba is a banking trojan that steals information via JavaScript injected into web browsers.
MD5: a1aeef758711b5db8670ecb655c5d1c0
SHA1: 5728e5d6246ebca4d6a2f4698a1fa2c179f50c37
SHA256: 56f91537753491cd32a250428b146d7685362c762c7e8f39703b4cf6cd92c020
External References: http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html
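The strike rows above are only useful as indicators if they can be turned into clean, cross-checked hashes and matched against files. The following Python is an added example, not tooling from the strike list or from the referenced Talos, Trend Micro or ISC write-ups. It parses rows in the run-together single-line form in which these tables are commonly scraped (strike ID, malware name and platform fused; the description ending in the MD5 fused to "SHA1:"; then "MD5:", "SHA256:" and an optional URL line), rejects rows whose fused MD5 disagrees with the "MD5:" line or whose digests are not well-formed hex, and looks up the MD5/SHA1/SHA256 of file bytes against the parsed set. The three sample rows are copied from this page; the regex's platform alternatives (Windows, Mixed, Android) are taken from this page's rows and are an assumption for other lists; the bytes hashed in the usage block are constructed test input.

```python
"""Parse flattened malware-strike rows into IOC records and match file digests against them."""
import hashlib
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Three rows copied from this page (August and July 2017 lists) in scraped,
# run-together form; the last one has no reference URL on the page either.
SAMPLE_ROWS = """\
M17-7ax01Doc.Dropper.Agent_c9841f71Mixed This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.c9841f716752e0b751da6737002e2e18SHA1: 13aaa0dbe1b9234f4973131c033e8bdc5f9db5d2
MD5: c9841f716752e0b751da6737002e2e18
SHA256: 168c49c8207019008bdf746d0fa4ab33a154277c5fe50fd4900e9d77ec6a2e7d
http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html
M17-i2201Upatre_4cf5364aWindows This strike sends a malware sample known as Upatre. Upatre is a downloader used in exploit kits that retrieves a variety of malicious executables for the target to execute.4cf5364a2637143c96646a554f4f256fSHA1: d3b2edb7cb97c20cf7bbdef3f071a0afbf471329
MD5: 4cf5364a2637143c96646a554f4f256f
SHA256: 0f6325d3fd6177cee19770b12d97efa8da46cb23a7173e227efc2291e59034d3
http://blog.talosintelligence.com/2017/08/threat-roundup-0728-0804.html
M17-tl001CopyCat_065c8960Android This strike sends a malware sample known as CopyCat.065c8960a0338eb64845721687478d8bSHA1: fb1b2a0063004f71f6ca5a5141128d43640a239d
MD5: 065c8960a0338eb64845721687478d8b
SHA256: 1fe8af825d232bf55bd1d535ebdb0ebb88ba39e21914e40d33274b29d32680f7
"""

# First line of a scraped row: strike ID, malware name and platform run together,
# then the description, then the MD5 run straight into "SHA1:". The platform
# alternatives are the ones this page uses (assumption for other lists).
ROW_HEAD = re.compile(
    r"^(?P<strike_id>M\d{2}-[0-9a-z]{5})"
    r"(?P<malware>.+?)"
    r"(?P<platform>Windows|Mixed|Android)\s+"
    r"(?P<info>.*?)"
    r"(?P<md5>[0-9a-fA-F]{32})SHA1:\s*(?P<sha1>[0-9a-fA-F]{40})\s*$"
)
HEX_LEN = {"md5": 32, "sha1": 40, "sha256": 64}


@dataclass
class StrikeRecord:
    strike_id: str
    malware: str
    platform: str
    info: str
    md5: str
    sha1: str
    sha256: Optional[str]
    reference: Optional[str]


def _finish(row: dict) -> StrikeRecord:
    """Cross-check the MD5 fused into the head line against the 'MD5:' line and
    reject digests of the wrong length or with non-hex characters."""
    md5_line = row.pop("md5_line")
    if md5_line is not None and md5_line != row["md5"]:
        raise ValueError(f"{row['strike_id']}: MD5 in head line differs from MD5: line")
    for name, length in HEX_LEN.items():
        value = row.get(name)
        if value is not None and (
            len(value) != length or any(c not in "0123456789abcdef" for c in value)
        ):
            raise ValueError(f"{row['strike_id']}: malformed {name} {value!r}")
    return StrikeRecord(**row)


def parse_strike_rows(text: str) -> List[StrikeRecord]:
    """Split scraped strike-list text into records; lines before the first row
    (section headings, column headers) are ignored."""
    records: List[StrikeRecord] = []
    current: Optional[dict] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        head = ROW_HEAD.match(line)
        if head:
            if current is not None:
                records.append(_finish(current))
            current = head.groupdict()
            current["info"] = current["info"].strip()
            current["md5"] = current["md5"].lower()
            current["sha1"] = current["sha1"].lower()
            current.update(md5_line=None, sha256=None, reference=None)
        elif current is None:
            continue
        elif line.startswith("MD5:"):
            current["md5_line"] = line.split(":", 1)[1].strip().lower()
        elif line.startswith("SHA256:"):
            current["sha256"] = line.split(":", 1)[1].strip().lower()
        elif line.startswith(("http://", "https://")):
            current["reference"] = line
    if current is not None:
        records.append(_finish(current))
    return records


def build_hash_index(records: List[StrikeRecord]) -> Dict[str, StrikeRecord]:
    """Map every known digest, whatever the algorithm, to its record."""
    index: Dict[str, StrikeRecord] = {}
    for rec in records:
        for digest in (rec.md5, rec.sha1, rec.sha256):
            if digest:
                index[digest] = rec
    return index


def digests_of(data: bytes) -> Dict[str, str]:
    """MD5, SHA1 and SHA256 of a file's bytes as lowercase hex."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def lookup(index: Dict[str, StrikeRecord], digests: Dict[str, str]) -> Optional[StrikeRecord]:
    """Return the record matching any supplied digest (case-insensitive), or None."""
    for digest in digests.values():
        rec = index.get(digest.lower())
        if rec is not None:
            return rec
    return None


if __name__ == "__main__":
    recs = parse_strike_rows(SAMPLE_ROWS)
    idx = build_hash_index(recs)
    for rec in recs:
        print(rec.strike_id, rec.malware, rec.platform, rec.sha256)
    # Constructed bytes, not a sample: no strike should match them.
    print(lookup(idx, digests_of(b"harmless test bytes")))
```

A SHA256 match is the indicator worth acting on; MD5 and SHA1 are kept because older feeds and vendor write-ups still publish them, but collisions are cheap for both, so a lone MD5 hit should be confirmed against the SHA256 from the reference before being treated as a detection.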

Malware Strikes July - 2017

Strike ID Malware Platform Info MD5 External References
Strike ID: M17-twg01 | Malware: CopyCat_d44cda7f | Platform: Android
Info: This strike sends a malware sample known as CopyCat. CopyCat is a family of Android mobile malware that infected over 14 million devices while gaining root privileges on over half of them. This malware has many capabilities but its main purpose is to generate and steal ad revenues.
MD5: d44cda7feb8e37d7373fbca2199c6820
SHA1: b68f5bf6e2280f2cda96b7dcacea9f90815731ff
SHA256: e5091cf03936db47dea112c4588a8818a483de06c15a8c717eda5886209f2d4b
External References: https://www.checkpoint.com/downloads/resources/copycat-research-report.pdf
Strike ID: M17-tl001 | Malware: CopyCat_065c8960 | Platform: Android
Info: This strike sends a malware sample known as CopyCat.
MD5: 065c8960a0338eb64845721687478d8b
SHA1: fb1b2a0063004f71f6ca5a5141128d43640a239d
SHA256: 1fe8af825d232bf55bd1d535ebdb0ebb88ba39e21914e40d33274b29d32680f7
Strike ID: M17-2ef01 | Malware: Doc.Downloader.Agent-6333860-0_dc20ea04 | Platform: Mixed
Info: This strike sends a malware sample known as Doc.Downloader.Agent-6333860-0. This sample is a document downloader that uses Microsoft Excel worksheets containing macros to trigger Shell functions. The MD5 hash of this Doc.Downloader.
MD5: dc20ea0463f1956f2e4c658984a2a17d
SHA1: 346eebaa4b09dfab368397b958a20262f1211e95
SHA256: 13fd575d1474ae579f55615733f75fa50231447b8653e6eb58678103ee82e99e
External References: http://blog.talosintelligence.com/2017/07/threat-roundup-0714-0721.html#more

Strike ID: M17-qip01
Malware: CopyCat_9a031f2f
Platform: Android
Info: This strike sends a malware sample known as CopyCat. CopyCat is a family of Android mobile malware that infected over 14 million devices while gaining root privileges on over half of them. This malware has many capabilities but its main purpose is to generate and steal ad revenues.
MD5: 9a031f2f5022fae13849b566a1b89579
SHA1: 67cec2e8784219774e8500064113caa535d3a41a
SHA256: 4cbcb8f8eafb3d475362bdb7eddc4cb255c89926e03813ff0efa7652bb696e97
External References: https://www.checkpoint.com/downloads/resources/copycat-research-report.pdf

Strike ID: M17-wpp01
Malware: Win.Trojan.DelphiSpamDown-6333_0c4f0ad1
Platform: Windows
Info: This strike sends a malware sample known as Win.Trojan.DelphiSpamDown-6333. This malware sample is a Delphi downloader. It can be found in the wild and is related to a spam campaign. The MD5 hash of this Win.Trojan.
MD5: 0c4f0ad10c18a15bf78f5840155540d4
SHA1: bd6afe5b786c9feca58949e36a63503fdfe07a18
SHA256: f23220f487d021aed897deee04e7aaada2521d096406517cd3adcacf4754beac
External References: http://blog.talosintelligence.com/2017/07/threat-roundup-0714-0721.html#more

Strike ID: M17-dfo01
Malware: CopyCat_2172a6e2
Platform: Android
Info: This strike sends a malware sample known as CopyCat. CopyCat is a family of Android mobile malware that infected over 14 million devices while gaining root privileges on over half of them. This malware has many capabilities but its main purpose is to generate and steal ad revenues.
MD5: 2172a6e20ee9f121606c4bd47311074b
SHA1: a5fcede7a2d3925478955281e6a3388e387037f7
SHA256: 51dc097980b46d053085ff079b153f107d866a27dc19670b79928ec55ab336d7
External References: https://www.checkpoint.com/downloads/resources/copycat-research-report.pdf

Strike ID: M17-apt01
Malware: .Net
Platform: Windows
Info: This strike sends a malware sample known as .Net Dubled Backdoor. This .Net malware is not particularly advanced; however, it comes with many features, including the ability to spy on the target system and record a user's banking activity via the ffmpeg application. The MD5 hash of this .
MD5: 9c9f9b127becf7667df4ff9726420ccb
SHA1: 5a5ada4e68f7e2964868b6435a6dc5dda0e86999
SHA256: 5981576009cd18282cad4eed8dbc33d8f2e7c7a7222c1de31ac6c1f4b8f3aff2
External References: https://blog.malwarebytes.com/threat-analysis/2017/07/malware-abusing-ffmpeg/

Strike ID: M17-h9q01
Malware: Nitol_a2326cd7
Platform: Windows
Info: This strike sends a malware sample known as Nitol. The sample has been identified in the wild being downloaded by DoublePulsar backdoor payloads.
MD5: a2326cd780697d756d0fd9cd0323f410
SHA1: 5fc41e1775bb81e3d11b6a0e93d385bcef3897c7
SHA256: a28cc443757838e979bf2bb178f5d5c1408c043ba2537fbd194eac7b5ee04d0d

Strike ID: M17-7qi01
Malware: Win.Virus.Virlock-6332874-0_bbe0914f
Platform: Windows
Info: This strike sends a malware sample known as Win.Virus.Virlock-6332874-0. VirLock is a polymorphic ransomware that encrypts the files on the target system, and also inserts a modified version of its own code at the beginning of each file. After execution it locks the screen and asks the user to pay a ransom. The MD5 hash of this Win.Virus.
MD5: bbe0914f4441e2b65d50e46fa26e9bf0
SHA1: 2c558318fea7fa6adb326fcd99f5f242bb26d74a
SHA256: 94549c01f4ca88d7169141b7a8aaa0a79a28e2770811ef84febd639af70c7a74
External References: http://blog.talosintelligence.com/2017/07/threat-roundup-0714-0721.html#more

Strike ID: M17-fxv01
Malware: CopyCat_a14e9bfc
Platform: Android
Info: This strike sends a malware sample known as CopyCat. CopyCat is a family of Android mobile malware that infected over 14 million devices while gaining root privileges on over half of them. This malware has many capabilities but its main purpose is to generate and steal ad revenues.
MD5: a14e9bfc6dfdfa6fca36a7aefe7590d1
SHA1: e7781b298b4c41d858d0cbbc7c1f41e23362cac8
SHA256: d77d9242bbf4594277b96ed9af5f2fa721b82c578d0e0c640f42928ec8002257
External References: https://www.checkpoint.com/downloads/resources/copycat-research-report.pdf

Strike ID: M17-np001
Malware: .Net
Platform: Windows
Info: This strike sends a malware sample known as .Net Dubled Backdoor. This .Net malware is not particularly advanced; however, it comes with many features, including the ability to spy on the target system and record a user's banking activity via the ffmpeg application. The MD5 hash of this .
MD5: 85d35dd33f898a1f03ffb3b2ec111132
SHA1: 5c68c117772b59705af63ecfcbae3711537ec49e
SHA256: 52a481fda8d5d674beb46faddfdec6329c1c63f1ef00f439aaa7e8ef947d7512
External References: https://blog.malwarebytes.com/threat-analysis/2017/07/malware-abusing-ffmpeg/

Strike ID: M17-2s001
Malware: CopyCat_6797aebf
Platform: Android
Info: This strike sends a malware sample known as CopyCat. CopyCat is a family of Android mobile malware that infected over 14 million devices while gaining root privileges on over half of them. This malware has many capabilities but its main purpose is to generate and steal ad revenues.
MD5: 6797aebf0ff789fbf37f543acc126a98
SHA1: 97e7d60c53b409b06acdf5088e9b2b0452084d6b
SHA256: ca44d2f261c3404a303f46afd6819ed2c077f724032bd0f550cff9b450270706
External References: https://www.checkpoint.com/downloads/resources/copycat-research-report.pdf

Strike ID: M17-b7i01
Malware: Doc.Downloader.Agent-6333860-0_6002bbb0
Platform: Mixed
Info: This strike sends a malware sample known as Doc.Downloader.Agent-6333860-0. This malware sample is a document downloader that uses Microsoft Excel worksheets containing macros to trigger Shell functions. The MD5 hash of this Doc.Downloader.
MD5: 6002bbb0ca96b698af3e64d2ce8295d4
SHA1: 1208966ff8079169bfbbf260f5268c1c877c6c57
SHA256: 0fc8af1a3deb4d2895b9bb202278299369a16950239288577472bc06fbf07e4b
External References: http://blog.talosintelligence.com/2017/07/threat-roundup-0714-0721.html#more

Strike ID: M17-fj601
Malware: CopyCat_87fb37f2
Platform: Android
Info: This strike sends a malware sample known as CopyCat. CopyCat is a family of Android mobile malware that infected over 14 million devices while gaining root privileges on over half of them. This malware has many capabilities but its main purpose is to generate and steal ad revenues.
MD5: 87fb37f226bcb7effe755b9ef9c94d4f
SHA1: 4ceca867c1f769f5e2d4b7f71ac5e21f0c074456
SHA256: 5a7a908733b71f71bd8f103d9ad2f8c229282d42a50bea2d080b942541b8c93d
External References: https://www.checkpoint.com/downloads/resources/copycat-research-report.pdf

Strike ID: M17-jsi01
Malware: .Net
Platform: Windows
Info: This strike sends a malware sample known as .Net Dubled Backdoor. This .Net malware is not particularly advanced; however, it comes with many features, including the ability to spy on the target system and record a user's banking activity via the ffmpeg application. The MD5 hash of this .
MD5: 049af19db6ddd998ac94be3147050217
SHA1: c291c2a9d32bb5eff1c1bbdae3edf1df48a2cefe
SHA256: 91df20cfd25c140da8728f67e004dc42277922aac62b8dce7589ee82f84ca52a
External References: https://blog.malwarebytes.com/threat-analysis/2017/07/malware-abusing-ffmpeg/

Strike ID: M17-di701
Malware: Petya/NotPetya_a1d5895f
Platform: Windows
Info: This strike sends a malware sample known as Petya/NotPetya. Petya/NotPetya is ransomware that has been tied to the Petya ransomware because of the way it encrypts files and displays the ransom note. However, further analysis has shown that it is very dissimilar from Petya and may be a different family of malware entirely.
MD5: a1d5895f85751dfe67d19cccb51b051a
SHA1: 9288fb8e96d419586fc8c595dd95353d48e8a060
SHA256: 17dacedb6f0379a65160d73c0ae3aa1f03465ae75cb6ae754c7dcb3017af1fbd
External References: https://www.carbonblack.com/2017/06/27/protect-organization-petya-ransomware-carbon-black/

Strike ID: M17-b2101
Malware: Doc.Downloader.Agent-6333860-0_df15ea72
Platform: Mixed
Info: This strike sends a malware sample known as Doc.Downloader.Agent-6333860-0. This malware sample is a document downloader that uses Microsoft Excel worksheets containing macros to trigger Shell functions. The MD5 hash of this Doc.Downloader.
MD5: df15ea72c114910ef7fb07bccfc16d2e
SHA1: a7cf768944a59e6402daced81bab4f87cd3f726c
SHA256: 1b01632e1a44445124165ed61592527fe649a32ed889ee75fdb73d07bf396812
External References: http://blog.talosintelligence.com/2017/07/threat-roundup-0714-0721.html#more

Strike ID: M17-t5a01
Malware: Doc.Downloader.Agent-6333860-0_1b044fa9
Platform: Mixed
Info: This strike sends a malware sample known as Doc.Downloader.Agent-6333860-0. This malware sample is a document downloader that uses Microsoft Excel worksheets containing macros to trigger Shell functions. The MD5 hash of this Doc.Downloader.
MD5: 1b044fa9aed5c94ee4a4ad77800bd8ba
SHA1: 978402697c7f5e6fba8ae34478f982ed2711d09f
SHA256: 2248f89b848781c0405cc0cead60172ec75e035aca12e8c147818192fde2266d
External References: http://blog.talosintelligence.com/2017/07/threat-roundup-0714-0721.html#more

Strike ID: M17-lc201
Malware: NukeBot_9e469e1a
Platform: Windows
Info: This strike sends a malware sample known as NukeBot. NukeBot is a modular banking trojan that was created to steal the credentials of online banking customers.
MD5: 9e469e1adf9aae06bae6017a392b4aa9
SHA1: 12a7a1d90ab72e83fa8308ca5ae08dac9dc17e00
SHA256: ba27dced648485cd81f117dbf1eb67ac75cf9c54899f5a7f69906f3044cff737
External References: https://threatpost.com/modified-versions-of-nukebot-in-wild-since-source-code-leak/126920/

Strike ID: M17-7ha01
Malware: Win.Trojan.AutoIT-6333854-0_029a44e2
Platform: Windows
Info: This strike sends a malware sample known as Win.Trojan.AutoIT-6333854-0. This AutoIT malware is packed in a RAR archive that executes itself. It includes several features such as anti-debugging, Firefox web browser password stealing and persistence. The MD5 hash of this Win.Trojan.
MD5: 029a44e2935d5268cb551ef67f3a2bac
SHA1: 581ba698ace559658486844d745ee4d35fe6989e
SHA256: 62f72450c470bd01096766ac25e8b6ca4edb79683c2ee5b2cc89ec2234983c44
External References: http://blog.talosintelligence.com/2017/07/threat-roundup-0714-0721.html#more

Strike ID: M17-uoi01
Malware: Doc.Downloader.Agent-6333860-0_e8d7d75d
Platform: Mixed
Info: This strike sends a malware sample known as Doc.Downloader.Agent-6333860-0. This malware sample is a document downloader that uses Microsoft Excel worksheets containing macros to trigger Shell functions. The MD5 hash of this Doc.Downloader.
MD5: e8d7d75d94314d0af1919a6f2bb2edb9
SHA1: 8c8cb1fa0f687604f2e4e37e28c9dac8c745178f
SHA256: 07aa3365d733098e11e91ece1628130217414488d3fce0e2e261bfb29ab6fed9
External References: http://blog.talosintelligence.com/2017/07/threat-roundup-0714-0721.html#more

Strike ID: M17-tk601
Malware: CopyCat_ee1bcb0d
Platform: Android
Info: This strike sends a malware sample known as CopyCat. CopyCat is a family of Android mobile malware that infected over 14 million devices while gaining root privileges on over half of them. This malware has many capabilities but its main purpose is to generate and steal ad revenues.
MD5: ee1bcb0d5036b4ba72036f79c538c8b1
SHA1: 0520045a2acae640cb3b70b5425d2bcc57721e99
SHA256: 3e9274183426e5b6986d0534f3331e3761daa800da1e68acdbbd50cdffed5b77
External References: https://www.checkpoint.com/downloads/resources/copycat-research-report.pdf

Strike ID: M17-17h01
Malware: Doc.Downloader.Agent-6333860-0_bd17aa6b
Platform: Mixed
Info: This strike sends a malware sample known as Doc.Downloader.Agent-6333860-0. This malware sample is a document downloader that uses Microsoft Excel worksheets containing macros to trigger Shell functions. The MD5 hash of this Doc.Downloader.
MD5: bd17aa6b70c0907497aa6242fb1acc37
SHA1: ab6e993bfa7e53e35d811bd24021eeef99a0f700
SHA256: 01c4f96c8117df219cf9f50723454ace242edcf2d22b09e8e72c5d0c92aad540
External References: http://blog.talosintelligence.com/2017/07/threat-roundup-0714-0721.html#more

Strike ID: M17-f7s01
Malware: Doc.Downloader.Agent-6333860-0_fe4fb002
Platform: Mixed
Info: This strike sends a malware sample known as Doc.Downloader.Agent-6333860-0. This malware sample is a document downloader that uses Microsoft Excel worksheets containing macros to trigger Shell functions. The MD5 hash of this Doc.Downloader.
MD5: fe4fb002ec991c7f2a431ac1cb9c2f83
SHA1: 9b2c14275adf709fa45c53654c88c4df93f581c6
SHA256: 070e56e7170fc63c1c42c3b0b37df5a25f5c7e2e0a5fd454e8e8e63de2b71bdf
External References: http://blog.talosintelligence.com/2017/07/threat-roundup-0714-0721.html#more

Strike ID: M17-zk401
Malware: Win.Trojan.AutoIT-6333854-0_5d2d24b7
Platform: Windows
Info: This strike sends a malware sample known as Win.Trojan.AutoIT-6333854-0. This AutoIT malware is packed in a RAR archive that executes itself. It includes several features such as anti-debugging, Firefox web browser password stealing and persistence. The MD5 hash of this Win.Trojan.
MD5: 5d2d24b74349f16c857536f96f2d3526
SHA1: 2723f6aea64851703ab7f70d6bcea9bcf150bde7
SHA256: ea047fca20938acaeaf82d7753a86bdf9c6ed1bcb6573634d8f515d15b6ddd13
External References: http://blog.talosintelligence.com/2017/07/threat-roundup-0714-0721.html#more

Strike ID: M17-hzp01
Malware: Win.Trojan.DelphiSpamDown-6333_44b21e02
Platform: Windows
Info: This strike sends a malware sample known as Win.Trojan.DelphiSpamDown-6333. This malware sample is a Delphi downloader. It can be found in the wild and is related to a spam campaign. The MD5 hash of this Win.Trojan.
MD5: 44b21e02e76c20916ad6ba762d8e4e0a
SHA1: 689ea54b12ab63ce3347a88f77a91d8b72a0679f
SHA256: d603a19fb425aa77308ee7d3527f03e0a455667aed2030b4fc2c46388a230dad
External References: http://blog.talosintelligence.com/2017/07/threat-roundup-0714-0721.html#more

Strike ID: M17-3wz01
Malware: Doc.Macro.Obfuscation_78b61795
Platform: Mixed
Info: This strike sends a malware sample known as Doc.Macro.Obfuscation. This Office malware sample uses macros to compromise the target system by indirectly accessing data from arrays to perform its functions. The MD5 hash of this Doc.Macro.
MD5: 78b61795bf73ccc31fadeb04090c9cd5
SHA1: 0c77388f55d27b4357303b92851ce1af269f979f
SHA256: a84e3659977948b8f14cb2bfacef19d997463e779fed8750fa2d44b4342584b4
External References: http://blog.talosintelligence.com/2017/07/threat-roundup-0714-0721.html#more

Strike ID: M17-g4p01
Malware: TerrorEK_cd580370
Platform: Windows
Info: This strike sends a malware sample known as TerrorEK. Terror EK is an exploit kit that is distributed through malvertising on adult web site traffic. It can fingerprint its target to determine which exploits to deliver.
MD5: cd580370d94103205cc1e1e196205840
SHA1: b7315fabb56e19cef664cc61a6267c7e317bb9f9
SHA256: 404108a0066f6df22bfb4abcec849c214eed089c69b115f5300a2ac631863b1a
External References: https://blog.malwarebytes.com/cybercrime/2017/07/terror-ek-actor-experiments-with-url-shortener-fraud/

Strike ID: M17-q9301
Malware: LockPoS_3d0f6367
Platform: Windows
Info: This strike sends a malware sample known as LockPoS. LockPoS is a point of sale malware that was first discovered targeting systems in Brazil. The malware utilizes HTTP to perform C2 communications and credit card data exfiltration.
MD5: 3d0f6367f1fedfc08734b35200c7abf9
SHA1: 419311da2ef6b2a9ca27dba3241a0d62a4e25848
SHA256: 93c11f9b87b2b04f8dadb6a579e2046a69073a244fd4a71a10b1f1fbff36c488
External References: https://www.arbornetworks.com/blog/asert/lockpos-joins-flock/

Strike ID: M17-s2301
Malware: CopyCat_99e77c51
Platform: Android
Info: This strike sends a malware sample known as CopyCat. CopyCat is a family of Android mobile malware that infected over 14 million devices while gaining root privileges on over half of them. This malware has many capabilities but its main purpose is to generate and steal ad revenues.
MD5: 99e77c51b74ec18adf2e3d63871f087b
SHA1: 9c33df5ea05e73c5e4a5f8dc7ac28baed8705ca2
SHA256: cea1a2984bd529d5451e1108e8f83cfe485350b43b51f754ccbe467ebcc1a429
External References: https://www.checkpoint.com/downloads/resources/copycat-research-report.pdf

Strike ID: M17-70a01
Malware: LeakerLocker_7ed5e8f3
Platform: Android
Info: This strike sends a malware sample known as LeakerLocker. This Android ransomware sample does not encrypt files; instead it collects personal and private information from the device and threatens to share it if a ransom is not paid.
MD5: 7ed5e8f3de77bf3d88896fbc756f4ee4
SHA1: bda4483bc6b999618a1ff637d380ce253ac79a0e
SHA256: cb0a777e79bcef4990159e1b6577649e1fca632bfca82cb619eea0e4d7257e7b
External References: https://securingtomorrow.mcafee.com/mcafee-labs/leakerlocker-mobile-ransomware-acts-without-encryption/
External References: http://thehackernews.com/2017/07/leakerlocker-android-ransomware.html

Strike ID: M17-yn801
Malware: Doc.Macro.Obfuscation_1ec50c62
Platform: Mixed
Info: This strike sends a malware sample known as Doc.Macro.Obfuscation. This Office malware sample uses macros to compromise the target system by indirectly accessing data from arrays to perform its functions. The MD5 hash of this Doc.Macro.
MD5: 1ec50c62b67bc6efabde292238cf3dec
SHA1: 065a6e0c9279b76709d27b279002981772e1a347
SHA256: 29015d08a221749ca7cd1b9526ae4c434457199ac3226236f9e57fdb01b21213
External References: http://blog.talosintelligence.com/2017/07/threat-roundup-0714-0721.html#more

Strike ID: M17-fcj01
Malware: Win.Trojan.AutoIT-6333854-0_5a7bf360
Platform: Windows
Info: This strike sends a malware sample known as Win.Trojan.AutoIT-6333854-0. This AutoIT malware is packed in a RAR archive that executes itself. It includes several features such as anti-debugging, Firefox web browser password stealing and persistence. The MD5 hash of this Win.Trojan.
MD5: 5a7bf36062b7715b2fea57d3094306c9
SHA1: 1813e1a8cc0b39cf2bfc48a2acad053bcebe7925
SHA256: a831d5503c549917d333d45c72532f0407ed306ca5c95478dad11cb34342ca60
External References: http://blog.talosintelligence.com/2017/07/threat-roundup-0714-0721.html#more

Strike ID: M17-n9k01
Malware: NukeBot_06330241
Platform: Windows
Info: This strike sends a malware sample known as NukeBot. NukeBot is a modular banking trojan that was created to steal the credentials of online banking customers.
MD5: 0633024162d9096794324094935c62c0
SHA1: eebfd8fb539c500e7cc398232fb85fe18cafd379
SHA256: cde50cd8d7b86425f1fea457cba17321bc4f82ff90df8169d4c8091d2c3cb275
External References: https://threatpost.com/modified-versions-of-nukebot-in-wild-since-source-code-leak/126920/

Strike ID: M17-g9001
Malware: TrojanDropper_1431649f
Platform: Windows
Info: This strike sends a malware sample known as TrojanDropper. The sample has been identified in the wild being downloaded by DoublePulsar backdoor payloads.
MD5: 1431649fe7eb8e764a12b13f73d5ef3e
SHA1: 939a7f5a55995940aceefdc41a2e191a9dc390c1
SHA256: f4dadbc88510393f6ea05a3e78fc4ced3e44a227168e449fb83e010d52c1d3fd

Strike ID: M17-y6m01
Malware: CopyCat_d7de0ee8
Platform: Android
Info: This strike sends a malware sample known as CopyCat. CopyCat is a family of Android mobile malware that infected over 14 million devices while gaining root privileges on over half of them. This malware has many capabilities but its main purpose is to generate and steal ad revenues.
MD5: d7de0ee80aa16beca37ccbbc30031995
SHA1: 55793c9680b8f3cbd84e7210d3250a0a4cabe62e
SHA256: 1ba7ad1ad23f58e8004ac874a4317e289870e192d2d518c75e0587df1c592719
External References: https://www.checkpoint.com/downloads/resources/copycat-research-report.pdf

Strike ID: M17-xcg01
Malware: Win.Trojan.AutoIT-6333854-0_ef659b99
Platform: Windows
Info: This strike sends a malware sample known as Win.Trojan.AutoIT-6333854-0. This AutoIT malware is packed in a RAR archive that executes itself. It includes several features such as anti-debugging, Firefox web browser password stealing and persistence. The MD5 hash of this Win.Trojan.
MD5: ef659b991298558a0c8abb4bc4052dd6
SHA1: 9df6f40ed879244a4cf1d19cba8e1af69afae6e0
SHA256: f8305d63f8d4ebc4b4c4bea7c3dd75b3d3c3f53aa2f28cc789a2573d55b83613
External References: http://blog.talosintelligence.com/2017/07/threat-roundup-0714-0721.html#more

Strike ID: M17-9nb01
Malware: NukeBot_a06a16bd
Platform: Windows
Info: This strike sends a malware sample known as NukeBot. NukeBot is a modular banking trojan that was created to steal the credentials of online banking customers.
MD5: a06a16bd77a0fcb95c2c4321be0d2b26
SHA1: 296563d57efc1c5dc40bb0f872ea1aa42161cc94
SHA256: 99f68d773b32e33136c33029f9276af5a526370be7ceadb013c5eac16ade1d38
External References: https://threatpost.com/modified-versions-of-nukebot-in-wild-since-source-code-leak/126920/

Strike ID: M17-lrw01
Malware: sPowerShell_a7200cd7
Platform: Mixed
Info: This strike sends a malware sample known as sPowerShell. This sample is a JavaScript dropper for ransomware and information stealers.
MD5: a7200cd7778c40292b17736184dcd2ae
SHA1: 5367459f0405e7bae545b13223a11b7b01f2cef2
SHA256: cce0da7814b5966ffacfecacec0e87aec83989889b56e4dc37eed7873b51617f
External References: http://blog.talosintelligence.com/2017/07/threat-roundup-0714-0721.html#more

Strike ID: M17-g9c01
Malware: Cerber_0771f009
Platform: Windows
Info: This strike sends a malware sample known as Cerber. The Cerber family started to emerge during the first quarter of 2016 and has been seen distributed via the Neutrino or Magnitude exploit kits and via spam emails using VBScript files.
MD5: 0771f00985f1e0ce93740281da8752fe
SHA1: 46c7ac1b3ed05b10cde72c77b10418e18d09e1e0
SHA256: 56f41afc8f025597659f11f59b191e66bd6c6525313cf3c0356c40490722b7c5
External References: https://blog.malwarebytes.com/threat-analysis/2016/03/cerber-ransomware-new-but-mature/

Strike ID: M17-6gk01
Malware: NukeBot_93b14905
Platform: Windows
Info: This strike sends a malware sample known as NukeBot. NukeBot is a modular banking trojan that was created to steal the credentials of online banking customers.
MD5: 93b14905d3b8fe67c2d552a85f06dec9
SHA1: dfd6e7e6ef67339df85136c203be19b7b443a1ff
SHA256: 94129dc33aef44c4b20fce185e9dc877b6cd7f3785e011caec2979a66254e6a6
External References: https://threatpost.com/modified-versions-of-nukebot-in-wild-since-source-code-leak/126920/

Strike ID: M17-cio01
Malware: NukeBot_44230db0
Platform: Windows
Info: This strike sends a malware sample known as NukeBot. NukeBot is a modular banking trojan that was created to steal the credentials of online banking customers.
MD5: 44230db078d5f1aeb7ad844590ddc13e
SHA1: 66d8aaf4defa0fcc6c5ec319504ae15df2daf8af
SHA256: 1ad1c47a0cbcdf08e45b8d93864eec32fdff16037acaef40562a8966e46ddd87
External References: https://threatpost.com/modified-versions-of-nukebot-in-wild-since-source-code-leak/126920/

Strike ID: M17-ron01
Malware: Doc.Macro.Obfuscation_986d7c12
Platform: Mixed
Info: This strike sends a malware sample known as Doc.Macro.Obfuscation. This Office malware sample uses macros to compromise the target system by indirectly accessing data from arrays to perform its functions. The MD5 hash of this Doc.Macro.
MD5: 986d7c1268664329565a12cef882abb7
SHA1: 29c835641e68c333ccc956a6c2a667b3a4ba98fc
SHA256: 41b9c93fed52bffe68d03abbcbe42086a9baf743d56f9262abd5b4c7fcbff951
External References: http://blog.talosintelligence.com/2017/07/threat-roundup-0714-0721.html#more

Strike ID: M17-m7101
Malware: Win.Virus.Virlock-6332874-0_c3018da7
Platform: Windows
Info: This strike sends a malware sample known as Win.Virus.Virlock-6332874-0. VirLock is a polymorphic ransomware that encrypts the files on the target system, and also inserts a modified version of its own code at the beginning of each file. After execution it locks the screen and asks the user to pay a ransom. The MD5 hash of this Win.Virus.
MD5: c3018da794cafcfaf3528feaca1bb810
SHA1: a367586015e9f804f3d04a582b3eb9b5f1bdfad7
SHA256: d49a98d35bcb6ff16206c6d1e1495d4ddf9f1911f785bccda24c2b1e0bfe3d03
External References: http://blog.talosintelligence.com/2017/07/threat-roundup-0714-0721.html#more

Strike ID: M17-bjr01
Malware: NukeBot_697a7037
Platform: Windows
Info: This strike sends a malware sample known as NukeBot. NukeBot is a modular banking trojan that was created to steal the credentials of online banking customers.
MD5: 697a7037d30d8412df6a796a3297f37e
SHA1: 205f65ee47935edd01ead4ac6bcfb808008b8857
SHA256: 845cf83b9fd613d20b3d54a211300a7a04fd3fed2861d156f354bd186d975455
External References: https://threatpost.com/modified-versions-of-nukebot-in-wild-since-source-code-leak/126920/

Strike ID: M17-jgh01
Malware: CopyCat_0dec8b83
Platform: Android
Info: This strike sends a malware sample known as CopyCat. CopyCat is a family of Android mobile malware that infected over 14 million devices while gaining root privileges on over half of them. This malware has many capabilities but its main purpose is to generate and steal ad revenues.
MD5: 0dec8b83592db8fe690d8935d95c42f7
SHA1: 0107327e7604d673e074c2729117b156c43ebd68
SHA256: b0475da7c2934b24cc5830e0a03dec195f997af0132c8493635240f90d5bc15a
External References: https://www.checkpoint.com/downloads/resources/copycat-research-report.pdf

Strike ID: M17-ujt01
Malware: TrojanDropper_8e5948ec
Platform: Windows
Info: This strike sends a malware sample known as TrojanDropper. The sample has been identified in the wild being downloaded by DoublePulsar backdoor payloads.
MD5: 8e5948ec85ca0d6dce18411721e92c0a
SHA1: 40583041b97ef429716a1fc72b78ad0c1da9aa3f
SHA256: f9a686680a20a8aeaaaa154ae9eb8c8fd018f109350c4bce2ce3bd4b3a33f1d2

Strike ID: M17-2rw01
Malware: .Net
Platform: Windows
Info: This strike sends a malware sample known as .Net Dubled Backdoor. This .Net malware is not particularly advanced; however, it comes with many features, including the ability to spy on the target system and record a user's banking activity via the ffmpeg application. The MD5 hash of this .
MD5: e907ebeda7d6fd7f0017a6fb048c4d23
SHA1: 8b2c012b2355e0c3c56d328ed532d0aa4225713b
SHA256: 7d822d00cd31f4e3bc7bad3535a6590e2f838cc575b8128e716db59b37eb6fb5
External References: https://blog.malwarebytes.com/threat-analysis/2017/07/malware-abusing-ffmpeg/

Strike ID: M17-f7601
Malware: Doc.Downloader.Agent-6333860-0_c6199a46
Platform: Mixed
Info: This strike sends a malware sample known as Doc.Downloader.Agent-6333860-0. This malware sample is a document downloader that uses Microsoft Excel worksheets containing macros to trigger Shell functions. The MD5 hash of this Doc.Downloader.
MD5: c6199a46d8326b08bc2114ff64a4af63
SHA1: 6b9d533a7ce64c3452b9975d722180695be3b51e
SHA256: 01ed6302a7ea8d4c54d439b7016b99b6dca275f85d22611811bac8c135309d41
External References: http://blog.talosintelligence.com/2017/07/threat-roundup-0714-0721.html#more

Strike ID: M17-n2901
Malware: CopyCat_f25e3352
Platform: Android
Info: This strike sends a malware sample known as CopyCat. CopyCat is a family of Android mobile malware that infected over 14 million devices while gaining root privileges on over half of them. This malware has many capabilities but its main purpose is to generate and steal ad revenues.
MD5: f25e3352735aa210906527adf1140980
SHA1: 5f161882b681f801b836f6ce8591cdf9716382f0
SHA256: 2f83e80ad23c0aa5d0962c8846cf199842179d806ebec6d4d5ba10e797576101
External References: https://www.checkpoint.com/downloads/resources/copycat-research-report.pdf

Strike ID: M17-93401
Malware: CopyCat_d6de304c
Platform: Android
Info: This strike sends a malware sample known as CopyCat. CopyCat is a family of Android mobile malware that infected over 14 million devices while gaining root privileges on over half of them. This malware has many capabilities but its main purpose is to generate and steal ad revenues.
MD5: d6de304ca960f4e948ef59f144de29aa
SHA1: 4bb0503e1784cbe97e8e7d81d92899bbbe5fa33a
SHA256: 934d2ce9e35ab01b2362c2dbbb6b08b77de5b16145e4debee41bb6780cf8848f
External References: https://www.checkpoint.com/downloads/resources/copycat-research-report.pdf

Strike ID: M17-zss01
Malware: CopyCat_f3f44065
Platform: Android
Info: This strike sends a malware sample known as CopyCat. CopyCat is a family of Android mobile malware that infected over 14 million devices while gaining root privileges on over half of them. This malware has many capabilities but its main purpose is to generate and steal ad revenues.
MD5: f3f4406564543f7f471b4139b5f7d06b
SHA1: 9e33853d5c0edee9900f3a71b61fb1f4fd286d9b
SHA256: 824119e6dc4fe6f236f9f248abffb77723b0da4632047c7f4edc336208b27b54
External References: https://www.checkpoint.com/downloads/resources/copycat-research-report.pdf

Strike ID: M17-x3601
Malware: Doc.Downloader.Agent-6333860-0_c67e57d2
Platform: Mixed
Info: This strike sends a malware sample known as Doc.Downloader.Agent-6333860-0. This malware sample is a document downloader that uses Microsoft Excel worksheets containing macros to trigger Shell functions. The MD5 hash of this Doc.Downloader.
MD5: c67e57d24c97e1966177924db6a42636
SHA1: 7995d0f190cf28dba3d0d7ece974b505d77e9b58
SHA256: 0634216b34baf0fdc293002632932312293fc4854701b143c6f4735e8cd98b45
External References: http://blog.talosintelligence.com/2017/07/threat-roundup-0714-0721.html#more

Strike ID: M17-t0501
Malware: Doc.Macro.Obfuscation_f8ba8dbd
Platform: Mixed
Info: This strike sends a malware sample known as Doc.Macro.Obfuscation. This Office malware sample uses macros to compromise the target system by indirectly accessing data from arrays to perform its functions. The MD5 hash of this Doc.Macro.
MD5: f8ba8dbdfb0d819dc77b14ce33571fe3
SHA1: ebb49ca6fca45a004ff203957190e175ecc43bae
SHA256: a4e076bdea2bdc1028d232079b0bcf42a9b4997fb43e78fbda745f6bb047612c
External References: http://blog.talosintelligence.com/2017/07/threat-roundup-0714-0721.html#more

Strike ID: M17-03301
Malware: Win.Trojan.AutoIT-6333854-0_ee622d9b
Platform: Windows
Info: This strike sends a malware sample known as Win.Trojan.AutoIT-6333854-0. This AutoIT malware is packed in a RAR archive that executes itself. It includes several features such as anti-debugging, Firefox web browser password stealing and persistence. The MD5 hash of this Win.Trojan.
MD5: ee622d9ba9a819cb7579b24d162e9f1d
SHA1: 13f0ea1243856c65fad230392925a9c8f5328836
SHA256: bb51a0200e84137fb1c07e39fbd7f0ded1eda78d3c95cfa1e16887f0762ab665
External References: http://blog.talosintelligence.com/2017/07/threat-roundup-0714-0721.html#more

Strike ID: M17-jfv01
Malware: Win.Virus.Virlock-6332874-0_30906e51
Platform: Windows
Info: This strike sends a malware sample known as Win.Virus.Virlock-6332874-0. VirLock is a polymorphic ransomware that encrypts the files on the target system, and also inserts a modified version of its own code at the beginning of each file. After execution it locks the screen and asks the user to pay a ransom. The MD5 hash of this Win.Virus.
MD5: 30906e516b55ed0ee41e5c7575a8add2
SHA1: d504db93625d2938ea71b7bde04080cd5dfb5f46
SHA256: 7cd99c34887ea6213f18347720d7b1d257969f821bc78f6ad128f55ff137096c
External References: http://blog.talosintelligence.com/2017/07/threat-roundup-0714-0721.html#more

Strike ID: M17-c0k01
Malware: PoSeidon_0c7631f7
Platform: Windows
Info: This strike sends a malware sample known as PoSeidon. PoSeidon is a point of sale malware also known as FindPoS. This malware steals credit card information from point of sale devices and siphons it back to the remote attacker.
MD5: 0c7631f791c60f79faa1d879056c2e18
SHA1: 5274255aa6032528360fc222b8aeb911caa35e40
SHA256: 66112976832889918464be71e7fa134dd5e838717607c7470db9750f1e2bad75
External References: https://krebsonsecurity.com/2017/07/self-service-food-kiosk-vendor-avanti-hacked/

Strike ID: M17-cl901
Malware: NukeBot_031a8139
Platform: Windows
Info: This strike sends a malware sample known as NukeBot. NukeBot is a modular banking trojan that was created to steal the credentials of online banking customers.
MD5: 031a8139f1e0f8802ff55bace423284f
SHA1: a5f7867ea057690c4f3a58ea6ecb0c70a65088df
SHA256: 8533d6ff4557a0870ccd0ed6268f7f4589f144ba9367bd4665e7239a99e8dcef
External References: https://securelist.com/the-nukebot-banking-trojan-from-rough-drafts-to-real-threats/78957/

Strike ID: M17-3gj01
Malware: CopyCat_e368fb1d
Platform: Android
Info: This strike sends a malware sample known as CopyCat. CopyCat is a family of Android mobile malware that infected over 14 million devices while gaining root privileges on over half of them. This malware has many capabilities but its main purpose is to generate and steal ad revenues.
MD5: e368fb1d80bbf24fdfb4ebae7806c885
SHA1: d44dbd5f953ef6fa338081ba707a35d385e48514
SHA256: 23520f0f96669fd4c57f2ce08bb35e2d3be62df2454743d997bc519e66d894b8
External References: https://www.checkpoint.com/downloads/resources/copycat-research-report.pdf

Strike ID: M17-6q501
Malware: LeakerLocker_531882c3
Platform: Android
Info: This strike sends a malware sample known as LeakerLocker. This Android ransomware sample does not encrypt files; instead it collects personal and private information from the device and threatens to share it if a ransom is not paid.
MD5: 531882c30198ae24329563a64e3199cd
SHA1: e0bf48c49bde950e93e8bae186b813048a9d1132
SHA256: 486f80edfb1dea13cde87827b14491e93c189c26830b5350e31b07c787b29387
External References: https://securingtomorrow.mcafee.com/mcafee-labs/leakerlocker-mobile-ransomware-acts-without-encryption/
External References: http://thehackernews.com/2017/07/leakerlocker-android-ransomware.html

Strike ID: M17-0sw01
Malware: Doc.Macro.Obfuscation_3603129e
Platform: Mixed
Info: This strike sends a malware sample known as Doc.Macro.Obfuscation. This Office malware sample uses macros to compromise the target system by indirectly accessing data from arrays to perform its functions. The MD5 hash of this Doc.Macro.
MD5: 3603129e01b2a6cf35257c82b90166c4
SHA1: 614c261e2208dd353ee80a6b0a3df5ac8bca540a
SHA256: 5702fa93b08399d8f8d7d1ef1eb2902e7f37a9bbaaf5d9aa6b85a2844224662e
External References: http://blog.talosintelligence.com/2017/07/threat-roundup-0714-0721.html#more
M17-es901 | Doc.Macro.Obfuscation_af92fbed | Mixed
Info: This strike sends a malware sample known as Doc.Macro.Obfuscation. This Office document carries obfuscated VBA macros that compromise the target system; the strings and values the macro needs are fetched indirectly from arrays rather than appearing as literals, which hinders static inspection.
MD5: af92fbedc07a81efa7b7515545056ac9
SHA1: 844379215865225dff948022ae8f4dae7bd07c38
SHA256: 5d91e7426fb87e5f2c9a5aa575d8bc0e98b7e1a09947dcb4e4943c5c047933d9
http://blog.talosintelligence.com/2017/07/threat-roundup-0714-0721.html#more
M17-avv01 | Petya/NotPetya_08828daf | Windows
Info: This strike sends a malware sample known as Petya/NotPetya. Petya/NotPetya is ransomware that was initially tied to Petya because of how it encrypts files and the appearance of its ransom note. Further analysis has shown that it differs substantially from Petya and may be a separate malware family altogether.
MD5: 08828daf9a027e97fee2421ac6cbc868
SHA1: ad1b006e99b9faded1a2dd4ec98cd3818cf245e3
SHA256: 4ee2ae805c31ec4f11f3f6ecf56e9c6e2f59dcd517a5a73210b5e5015f63beea
https://www.carbonblack.com/2017/06/27/protect-organization-petya-ransomware-carbon-black/
M17-9d401 | Win.Virus.Virlock-6332874-0_bce40383 | Windows
Info: This strike sends a malware sample known as Win.Virus.Virlock-6332874-0. VirLock is polymorphic ransomware that encrypts the files on the target system and prepends a modified copy of its own code to each file. After execution it locks the screen and demands that the user pay a ransom.
MD5: bce40383d98f77cfbe9257730d574ef0
SHA1: 4f61f3a40507f6765ebe6a69063666cbe4cdca15
SHA256: 6cff1fdde90a5708301b2d3c48729ebf3be7bb4a8f0e6992406affe034ad0a0f
http://blog.talosintelligence.com/2017/07/threat-roundup-0714-0721.html#more
M17-vz702 | CopyCat_29e2f738 | Android
Info: This strike sends a malware sample known as CopyCat. CopyCat is a family of Android malware that has infected over 14 million devices and gained root privileges on more than half of them. It has many capabilities, but its main purpose is ad fraud: generating and stealing ad revenue.
MD5: 29e2f7388788c93f47f832cf9f6b00cb
SHA1: 9ee904a51c848dabc5eb72895809fa1d4f716621
SHA256: 25942d57f2188c2a0181d15af7a5628e75376f1d1ce1dcf70930f80a781b418d
https://www.checkpoint.com/downloads/resources/copycat-research-report.pdf
M17-etz01 | Win.Virus.Virlock-6332874-0_a2b2f2b7 | Windows
Info: This strike sends a malware sample known as Win.Virus.Virlock-6332874-0. VirLock is polymorphic ransomware that encrypts the files on the target system and prepends a modified copy of its own code to each file. After execution it locks the screen and demands that the user pay a ransom.
MD5: a2b2f2b74a07b64de247c3f2ceaaa929
SHA1: a81523d7d5936fae8a99f5299ccc530c8949ef38
SHA256: 81bec8df30db0bd694ecf01d3950fbe91823854ab017c0cb176d32c9ada3f202
http://blog.talosintelligence.com/2017/07/threat-roundup-0714-0721.html#more
M17-qc401 | Win.Trojan.AutoIT-6333854-0_995b5c4e | Windows
Info: This strike sends a malware sample known as Win.Trojan.AutoIT-6333854-0. This AutoIt malware is delivered as a self-extracting RAR archive. It includes anti-debugging, Firefox browser password theft and persistence.
MD5: 995b5c4eb698bcf47e69729dee6a797c
SHA1: 20c0604298c2d7f9b12704032b3dafdc9a83372a
SHA256: 83a482b1771474915838db7251d00cf12ae5171c04966621bba82c5829e57b4a
http://blog.talosintelligence.com/2017/07/threat-roundup-0714-0721.html#more
M17-b0701 | CopyCat_fe514fc5 | Android
Info: This strike sends a malware sample known as CopyCat. CopyCat is a family of Android malware that has infected over 14 million devices and gained root privileges on more than half of them. It has many capabilities, but its main purpose is ad fraud: generating and stealing ad revenue.
MD5: fe514fc594c4f5248031ae1ab5111ec2
SHA1: efaa96c0159a242a27e3abf6765ff789184e7d5e
SHA256: a0cf53bf42cd59016a6ec86747f066db62a7a9461fd903d38fd692e8c23bb5a8
https://www.checkpoint.com/downloads/resources/copycat-research-report.pdf
M17-jgu01 | Win.Virus.Virlock-6332874-0_0717e99b | Windows
Info: This strike sends a malware sample known as Win.Virus.Virlock-6332874-0. VirLock is polymorphic ransomware that encrypts the files on the target system and prepends a modified copy of its own code to each file. After execution it locks the screen and demands that the user pay a ransom.
MD5: 0717e99b914fb74bafa67fe0c0c49a7d
SHA1: cbdf94cc63ee85dd69c20a1907c6bbb37c2ebaa5
SHA256: faaa74146e151d525e94e536ee2605a76c8a0d1699024979181712a03b249f25
http://blog.talosintelligence.com/2017/07/threat-roundup-0714-0721.html#more
M17-uy701 | CopyCat_6d6fb0e4 | Android
Info: This strike sends a malware sample known as CopyCat. CopyCat is a family of Android malware that has infected over 14 million devices and gained root privileges on more than half of them. It has many capabilities, but its main purpose is ad fraud: generating and stealing ad revenue.
MD5: 6d6fb0e4bde18b65453fcd639ba24d6a
SHA1: 97934510fd6e4c7c39789b32acb150613d66d4b5
SHA256: f3f71bbed9e9db95ada278aacb3d5fd53f481d785048a6fe8dbb2babc601baa3
https://www.checkpoint.com/downloads/resources/copycat-research-report.pdf
M17-v4701 | sPowerShell_d243b08c | Mixed
Info: This strike sends a malware sample known as sPowerShell. This sample is a JavaScript dropper for ransomware and information stealers.
MD5: d243b08c672e6b8c0bc065458369fe78
SHA1: 018189057dcd9fb02449c131ff592010d73b637a
SHA256: 7a6d5ae7d7bc2849ea40907912a27e8aa6c83fafd952168f9e2d43f76881300c
http://blog.talosintelligence.com/2017/07/threat-roundup-0714-0721.html#more
M17-4t401 | Gh0stRat_7365383f | Windows
Info: This strike sends a malware sample known as Gh0stRat. The sample has been observed in the wild being downloaded by DoublePulsar backdoor payloads.
MD5: 7365383ff0368f8b6ff1d6f0157a14e0
SHA1: 4dabb411ba0c75fc98e7d0624cf0b170e3c3e2d2
SHA256: 153383b05a484845b3eb39915098fa6c8d68fcb639ade54215cda7fcbdeda14a
M17-mfm01 | Win.Virus.Virlock-6332874-0_f29adc89 | Windows
Info: This strike sends a malware sample known as Win.Virus.Virlock-6332874-0. VirLock is polymorphic ransomware that encrypts the files on the target system and prepends a modified copy of its own code to each file. After execution it locks the screen and demands that the user pay a ransom.
MD5: f29adc8991371b8b2c8b1bd19cc39a79
SHA1: 68c540ed0bec4b91cce3a9d72013fb4a8195dc3c
SHA256: 6161ca5b2cd218ae1c277e6fcc509f571cc409ae4b2aba007d0e1ef28057fd7d
http://blog.talosintelligence.com/2017/07/threat-roundup-0714-0721.html#more
M17-5v901 | TrojanDropper_8801cbc4 | Windows
Info: This strike sends a malware sample known as TrojanDropper. The sample has been observed in the wild being downloaded by DoublePulsar backdoor payloads.
MD5: 8801cbc42062184ffa0440a136de2117
SHA1: afed24723e3ee241a3cea34e009297c8afd87a63
SHA256: 8f1f7b271182f105f3f55815f4493e5b1ab103b9b555876c0854ec4a2935a8ad
M17-cgq01 | CopyCat_cc2bf64f | Android
Info: This strike sends a malware sample known as CopyCat. CopyCat is a family of Android malware that has infected over 14 million devices and gained root privileges on more than half of them. It has many capabilities, but its main purpose is ad fraud: generating and stealing ad revenue.
MD5: cc2bf64f2fb1330ab2acbfb783a68d1e
SHA1: bfbb33c65fb8d73fb227524786a82dd9c9ed24f2
SHA256: 0db037e7a2d1357228e9e03cee5d65b22266a017d55b72570e615f07fc22cc2d
https://www.checkpoint.com/downloads/resources/copycat-research-report.pdf
M17-5uz01 | TrojanDropper_b1fcf154 | Windows
Info: This strike sends a malware sample known as TrojanDropper. The sample has been observed in the wild being downloaded by DoublePulsar backdoor payloads.
MD5: b1fcf154622b4274ad3044e8e0f68096
SHA1: 98e1b55fda3a096d33b73505eb04e49f641d2ed0
SHA256: 188e15739ed2a33954b3166722f816d4bb3532ea7b633532dd2a4671f6ff4eaf
M17-ewn01 | NukeBot_8ebec289 | Windows
Info: This strike sends a malware sample known as NukeBot. NukeBot is a modular banking trojan built to steal the credentials of online banking customers.
MD5: 8ebec2892d033da58a8082c0c949c718
SHA1: e7557d738fdb92798708f8b52131a00c9d8e9ce8
SHA256: 6c8320e18721d4024290a33d8b610572180c4747d2ca8a50351d7adb0b83c5ed
https://threatpost.com/modified-versions-of-nukebot-in-wild-since-source-code-leak/126920/
M17-5d101 | .Net | Windows
Info: This strike sends a malware sample known as .Net Dubled Backdoor. This .Net malware is not particularly advanced, but it comes with many features, including spying on the target system and recording a user's banking activity with the ffmpeg application.
MD5: d628d2a9726b777961f2d1346f988767
SHA1: 179ccf65842a6b7ea3a63028a3b392c44b79121a
SHA256: dfe4222c135c369797b101929bcb8b7cb303fd446dee7a24fd312395842cd070
https://blog.malwarebytes.com/threat-analysis/2017/07/malware-abusing-ffmpeg/
M17-i0d01 | Win.Trojan.AutoIT-6333854-0_d2ec5278 | Windows
Info: This strike sends a malware sample known as Win.Trojan.AutoIT-6333854-0. This AutoIt malware is delivered as a self-extracting RAR archive. It includes anti-debugging, Firefox browser password theft and persistence.
MD5: d2ec5278d3554576f9187c7ca99a8a77
SHA1: 393bfe994e8a0a34c2451e06568d549fedd6091c
SHA256: f81a37d816c639fd977d7781f7fe54cc51e2e34aa3bb8bc877c74ae140025003
http://blog.talosintelligence.com/2017/07/threat-roundup-0714-0721.html#more
M17-m1j01 | NukeBot_faf24fc7 | Windows
Info: This strike sends a malware sample known as NukeBot. NukeBot is a modular banking trojan built to steal the credentials of online banking customers.
MD5: faf24fc768c43b95c744dde551d1e191
SHA1: 34a5fa75977333c35e161bd2e55c11fed4b4e4be
SHA256: d404ae1cc6821e18482fa16a8839c99541a9176b78bc4e45fb9bc4bc6177c818
https://threatpost.com/modified-versions-of-nukebot-in-wild-since-source-code-leak/126920/
M17-b3g01 | Win.Virus.Virlock-6332874-0_bb0199b0 | Windows
Info: This strike sends a malware sample known as Win.Virus.Virlock-6332874-0. VirLock is polymorphic ransomware that encrypts the files on the target system and prepends a modified copy of its own code to each file. After execution it locks the screen and demands that the user pay a ransom.
MD5: bb0199b0128def72d75b3f307c9c22d0
SHA1: b9f8463ebc0a663bc890d071272ed236da33c56f
SHA256: 824eed3471a9f86836ac4bced8a5ce7f57df95048a995dc0219feab771404f28
http://blog.talosintelligence.com/2017/07/threat-roundup-0714-0721.html#more
M17-mco01 | Doc.Macro.Obfuscation_ed54bfd0 | Mixed
Info: This strike sends a malware sample known as Doc.Macro.Obfuscation. This Office document carries obfuscated VBA macros that compromise the target system; the strings and values the macro needs are fetched indirectly from arrays rather than appearing as literals, which hinders static inspection.
MD5: ed54bfd08d039baf8d61f38e86be76c2
SHA1: db3cd8192b24dbe4904dfda7465fc77cb536f67b
SHA256: f04ce92cb9f190f8c06d444ac5431f637b6ea8ba864201a549903e3115968403
http://blog.talosintelligence.com/2017/07/threat-roundup-0714-0721.html#more
M17-8gh01 | CopyCat_4b66e5f8 | Android
Info: This strike sends a malware sample known as CopyCat. CopyCat is a family of Android malware that has infected over 14 million devices and gained root privileges on more than half of them. It has many capabilities, but its main purpose is ad fraud: generating and stealing ad revenue.
MD5: 4b66e5f820a40e2ee6ab6bb4b09997d7
SHA1: c7d1187caa6e0ceaa4b10e277332b1a3d70dca9a
SHA256: da58b4519e52660f26c81d6fc2b8c0c6ba11262265597360d4de62023f5e5d90
https://www.checkpoint.com/downloads/resources/copycat-research-report.pdf
M17-vz701 | Win.Trojan.AutoIT-6333854-0_ff59bd24 | Windows
Info: This strike sends a malware sample known as Win.Trojan.AutoIT-6333854-0. This AutoIt malware is delivered as a self-extracting RAR archive. It includes anti-debugging, Firefox browser password theft and persistence.
MD5: ff59bd2423cd50288c6bee9cda102eed
SHA1: 16bfc7cf7459008846110fa4f6fdde7862624391
SHA256: 38dfdc80844d6f6b0d1a73843f1a4704d7bb12cf2ca61d98a54d1cdb5722ac66
http://blog.talosintelligence.com/2017/07/threat-roundup-0714-0721.html#more
M17-03j01 | FlokiBot_624f84a9 | Mixed
Info: This strike sends a malware sample known as FlokiBot. FlokiBot is a Zeus-based banking trojan variant that, under C2 control, performs DDoS attacks and credit card scraping.
MD5: 624f84a9d8979789c630327a6b08c7c6
SHA1: f9484baf6f7194248a388d41dfd06543b3dc5d26
SHA256: a970842fc7c221fade06c54551c000c0bc494e9e188deb9c570be7c6f95284fa
https://www.arbornetworks.com/blog/asert/flokibot-flock-bots/
M17-wyq01 | FlokiBot_2510953f | Windows
Info: This strike sends a malware sample known as FlokiBot. FlokiBot is a Zeus-based banking trojan variant that, under C2 control, performs DDoS attacks and credit card scraping.
MD5: 2510953f05dcd2c758ad29160bbc3911
SHA1: 9e0094cc8be1bbe494d7dac88a57a3db235f8a04
SHA256: fbf23b449db5ae1122c503756d9ad7f4d1c77ed367f0874ffe8dde5c578dd2c8
https://www.arbornetworks.com/blog/asert/flokibot-flock-bots/
M17-mgu01 | CopyCat_7282c48b | Android
Info: This strike sends a malware sample known as CopyCat. CopyCat is a family of Android malware that has infected over 14 million devices and gained root privileges on more than half of them. It has many capabilities, but its main purpose is ad fraud: generating and stealing ad revenue.
MD5: 7282c48bdad45f3861edd8244061c26e
SHA1: df579f335eb8be8b5403fcf85dd19a638452e573
SHA256: 1dcce039352f4dcabc693fdc66121b61849767498fb68bb3b4e4b8f00757a359
https://www.checkpoint.com/downloads/resources/copycat-research-report.pdf
M17-1sq01 | Doc.Macro.Obfuscation_69ffb531 | Mixed
Info: This strike sends a malware sample known as Doc.Macro.Obfuscation. This Office document carries obfuscated VBA macros that compromise the target system; the strings and values the macro needs are fetched indirectly from arrays rather than appearing as literals, which hinders static inspection.
MD5: 69ffb531e7dc45cabcef030626a397bf
SHA1: 93fdf068ed8f8f22a49d21be92e482b213b633f6
SHA256: 2611831b22f6b0df892e363d429a666b5a4bb9303a97b30c527fb4f43379a462
http://blog.talosintelligence.com/2017/07/threat-roundup-0714-0721.html#more
M17-1iv01 | PoSeidon_767ae03a | Windows
Info: This strike sends a malware sample known as PoSeidon. PoSeidon, also known as FindPoS, is point-of-sale malware that steals credit card data from point-of-sale devices and sends it back to the remote attacker.
MD5: 767ae03a2f291121616815a9f47456e2
SHA1: aeddf10827f063228aa20e034ccb9ca19cde3cb0
SHA256: 8b7252c0e7cc4b2311bda423f08cf62fdb75de591c62babd40693147ef022a7a
https://krebsonsecurity.com/2017/07/self-service-food-kiosk-vendor-avanti-hacked/
M17-ts501 | Petya/NotPetya_7e37ab34 | Windows
Info: This strike sends a malware sample known as Petya/NotPetya. Petya/NotPetya is ransomware that was initially tied to Petya because of how it encrypts files and the appearance of its ransom note. Further analysis has shown that it differs substantially from Petya and may be a separate malware family altogether.
MD5: 7e37ab34ecdcc3e77e24522ddfd4852d
SHA1: 38e2855e11e353cedf9a8a4f2f2747f1c5c07fcf
SHA256: 02ef73bd2458627ed7b397ec26ee2de2e92c71a0e7588f78734761d8edbdcd9f
https://www.carbonblack.com/2017/06/27/protect-organization-petya-ransomware-carbon-black/
M17-y4f01 | Win.Trojan.AutoIT-6333854-0_63a07f35 | Windows
Info: This strike sends a malware sample known as Win.Trojan.AutoIT-6333854-0. This AutoIt malware is delivered as a self-extracting RAR archive. It includes anti-debugging, Firefox browser password theft and persistence.
MD5: 63a07f352a5443a4b4e57cb69a69743f
SHA1: d7c69654d92aea7dfe4b0a134a8d5b8523f1952a
SHA256: 2cd44a3204106c4fa3e11c310f21a3d0a89795ae90cad00117c779386ea619fd
http://blog.talosintelligence.com/2017/07/threat-roundup-0714-0721.html#more
M17-9bj01 | Win.Trojan.AutoIT-6333854-0_09301932 | Windows
Info: This strike sends a malware sample known as Win.Trojan.AutoIT-6333854-0. This AutoIt malware is delivered as a self-extracting RAR archive. It includes anti-debugging, Firefox browser password theft and persistence.
MD5: 09301932b011592585bb3560bc3a6ad7
SHA1: a577f9caf8c481c38a31a6bd82abdf86e09b8357
SHA256: 927bd28d825adc6569d1e307bd3709f73350b3ca2b0f98bbbdd2370526ae19b6
http://blog.talosintelligence.com/2017/07/threat-roundup-0714-0721.html#more
M17-cub01 | Doc.Downloader.Agent-6333860-0_87865982 | Mixed
Info: This strike sends a malware sample known as Doc.Downloader.Agent-6333860-0. This sample is a document downloader: a Microsoft Excel workbook whose macros invoke Shell functions to fetch and run the payload.
MD5: 878659824c6dcb28edfbc8a8826adf22
SHA1: 9e02e611f6d968a22580d49e2afb381ec30525b7
SHA256: 204ecc72a94c1d1ef60a08ccb132a5123d2e8dcfc16ef1cacebb20887049ec2d
http://blog.talosintelligence.com/2017/07/threat-roundup-0714-0721.html#more
M17-n3r01 | Win.Virus.Virlock-6332874-0_ea39c1c5 | Windows
Info: This strike sends a malware sample known as Win.Virus.Virlock-6332874-0. VirLock is polymorphic ransomware that encrypts the files on the target system and prepends a modified copy of its own code to each file. After execution it locks the screen and demands that the user pay a ransom.
MD5: ea39c1c57c2446b2b71b8b7896269be8
SHA1: 71e9f0e92dc95bff7e9b4cb134ce024c2363b6d5
SHA256: 61012a5ae49bcfc6c31110b0117c9ed3d3f810cb8053857ef3017b403aeb4ad0
http://blog.talosintelligence.com/2017/07/threat-roundup-0714-0721.html#more
M17-zij01 | Doc.Macro.Obfuscation_fe672cd7 | Mixed
Info: This strike sends a malware sample known as Doc.Macro.Obfuscation. This Office document carries obfuscated VBA macros that compromise the target system; the strings and values the macro needs are fetched indirectly from arrays rather than appearing as literals, which hinders static inspection.
MD5: fe672cd7a871b0a4dd2ca6300dbff515
SHA1: ba3e2b5c42c12b5ef5ebba32cb13a3fb1ed5bb7c
SHA256: 341b86bd427dfca140ef6b3f47c7f269fe3ada974692237cc038f5910326d806
http://blog.talosintelligence.com/2017/07/threat-roundup-0714-0721.html#more
M17-hay01 | Doc.Macro.Obfuscation_36f030f5 | Mixed
Info: This strike sends a malware sample known as Doc.Macro.Obfuscation. This Office document carries obfuscated VBA macros that compromise the target system; the strings and values the macro needs are fetched indirectly from arrays rather than appearing as literals, which hinders static inspection.
MD5: 36f030f5107843b382537768edd49254
SHA1: 8ea2a18608f1bdbcfc956955893174d1ae96881f
SHA256: f11534d903c19da7f9b951419fb31fc8027c27f7ed7e3fdb89a923004a838ca1
http://blog.talosintelligence.com/2017/07/threat-roundup-0714-0721.html#more
M17-nr901 | Win.Virus.Virlock-6332874-0_8b969fdb | Windows
Info: This strike sends a malware sample known as Win.Virus.Virlock-6332874-0. VirLock is polymorphic ransomware that encrypts the files on the target system and prepends a modified copy of its own code to each file. After execution it locks the screen and demands that the user pay a ransom.
MD5: 8b969fdb7154cf74b74243e82f8ae6fa
SHA1: fdc5dcb2c8f1a8f7ca6d2b68fa4e3c37afb4a3ac
SHA256: db2415f2259b7ec9aaa6ab004a659753ad51dafccbc8696f0a5e906750304efc
http://blog.talosintelligence.com/2017/07/threat-roundup-0714-0721.html#more
M17-23201 | Win.Virus.Virlock-6332874-0_f30ea2f3 | Windows
Info: This strike sends a malware sample known as Win.Virus.Virlock-6332874-0. VirLock is polymorphic ransomware that encrypts the files on the target system and prepends a modified copy of its own code to each file. After execution it locks the screen and demands that the user pay a ransom.
MD5: f30ea2f3952e4dc32f4e193a7b47b7e1
SHA1: de4ed67b32e3e8b3fd66e06c20066f1669c2e1ef
SHA256: cacc1b16c233ad74c95b051edb5542a2824441314aba3f12e0397b857222c0a9
http://blog.talosintelligence.com/2017/07/threat-roundup-0714-0721.html#more
M17-pdw01 | Doc.Macro.Obfuscation_b0ffc6d0 | Mixed
Info: This strike sends a malware sample known as Doc.Macro.Obfuscation. This Office document carries obfuscated VBA macros that compromise the target system; the strings and values the macro needs are fetched indirectly from arrays rather than appearing as literals, which hinders static inspection.
MD5: b0ffc6d0cdfd4f510ad3b3b703ffb773
SHA1: 3be99b2039c69a41113527693394344d57c1ba72
SHA256: 0dd337e3bef51dd39867317b47870076c8bda3efede772fc571b48d59ff79bcf
http://blog.talosintelligence.com/2017/07/threat-roundup-0714-0721.html#more
M17-88t01 | Doc.Macro.Obfuscation_cefd07f0 | Mixed
Info: This strike sends a malware sample known as Doc.Macro.Obfuscation. This Office document carries obfuscated VBA macros that compromise the target system; the strings and values the macro needs are fetched indirectly from arrays rather than appearing as literals, which hinders static inspection.
MD5: cefd07f03498b5baf3a2c7ca97872328
SHA1: e523974da31af97cf08de7780e0a0d9c2d9a46e4
SHA256: 7ac2d7693119e8e07ee9ab0979a219f99763deb2b4134e8a6c18cec7aba1a76a
http://blog.talosintelligence.com/2017/07/threat-roundup-0714-0721.html#more
M17-lcu01 | Doc.Macro.Obfuscation_9d65ae5a | Mixed
Info: This strike sends a malware sample known as Doc.Macro.Obfuscation. This Office document carries obfuscated VBA macros that compromise the target system; the strings and values the macro needs are fetched indirectly from arrays rather than appearing as literals, which hinders static inspection.
MD5: 9d65ae5a5015402e85d8694f684322ca
SHA1: a37ef548edfdf526b7274c0712f7967242aebc9f
SHA256: 727d8957c910dd733b4960f22535e61375e417cc521b820ae8a917597af86295
http://blog.talosintelligence.com/2017/07/threat-roundup-0714-0721.html#more
M17-6q801 | Win.Trojan.DelphiSpamDown-6333_e9f45c7a | Windows
Info: This strike sends a malware sample known as Win.Trojan.DelphiSpamDown-6333. This sample is a Delphi downloader observed in the wild as part of a spam campaign.
MD5: e9f45c7a87e2535835c30dfeeb98d97b
SHA1: 6c0ca799263fa113fcd8c76ef700a5809f889c59
SHA256: 72464898f83126f1a89d76cf76b2867b58655b3b316c2000dd185f2c31a4d786
http://blog.talosintelligence.com/2017/07/threat-roundup-0714-0721.html#more
M17-0jq01 | NukeBot_9831b109 | Windows
Info: This strike sends a malware sample known as NukeBot. NukeBot is a modular banking trojan built to steal the credentials of online banking customers.
MD5: 9831b1092d9acaeb30351e1db30e8521
SHA1: 3b25a4553abced0c237198335fd967f92ad86756
SHA256: 916c68203f329eaf00e0dbf5a7571107708ce037935b5f51d7eed41ad581cdfd
https://threatpost.com/modified-versions-of-nukebot-in-wild-since-source-code-leak/126920/
M17-v0l01 | LockPoS_0ad35a56 | Windows
Info: This strike sends a malware sample known as LockPoS. LockPoS is point-of-sale malware first discovered targeting systems in Brazil. It uses HTTP for C2 communication and for exfiltrating credit card data.
MD5: 0ad35a566cfb60959576835ede75983b
SHA1: 2faa933c98cd21515b236d139476a6d09a3d624d
SHA256: 063f14091c811feb0b99de21d52dc55ca2ccb0c387b515e7407ea09a4337ceef
https://www.arbornetworks.com/blog/asert/lockpos-joins-flock/
M17-4un01 | .Net | Mixed
Info: This strike sends a malware sample known as .Net Dubled Backdoor. This .Net malware is not particularly advanced, but it comes with many features, including spying on the target system and recording a user's banking activity with the ffmpeg application.
MD5: 2a07346045558f49cad9da0d249963f1
SHA1: 08f2c18438296576c650ee2da713319ca9c9ca30
SHA256: b920e5f907caced96cebd946cbf6aad02b10676712c2663f2187a8a9fad5b311
https://blog.malwarebytes.com/threat-analysis/2017/07/malware-abusing-ffmpeg/
M17-7rx01 | LeakerLocker_0d780a9f | Android
Info: This strike sends a malware sample known as LeakerLocker. This Android ransomware does not encrypt files; instead it collects personal and private information from the device and threatens to share it unless a ransom is paid.
MD5: 0d780a9f05bed552d6450ff3bc791c04
SHA1: afe2d4ec4ae8250f8d3131338b6158e9a3c6f3a2
SHA256: cd903fc02f88e45d01333b17ad077d9062316f289fded74b5c8c1175fdcdb9d8
https://securingtomorrow.mcafee.com/mcafee-labs/leakerlocker-mobile-ransomware-acts-without-encryption/
http://thehackernews.com/2017/07/leakerlocker-android-ransomware.html
M17-uxx01 | Doc.Macro.Obfuscation_a55c0e19 | Mixed
Info: This strike sends a malware sample known as Doc.Macro.Obfuscation. This Office document carries obfuscated VBA macros that compromise the target system; the strings and values the macro needs are fetched indirectly from arrays rather than appearing as literals, which hinders static inspection.
MD5: a55c0e191e6754909a051d5fbf00bdea
SHA1: 18aed4a0b16f6eb97e337acbf29c96523bdd3bd3
SHA256: 4c5f92378c3fe002163abb763ab30de3b167512255af8f90c0ab7ca85e15fe7f
http://blog.talosintelligence.com/2017/07/threat-roundup-0714-0721.html#more
M17-iix01 | NukeBot_078aa893 | Windows
Info: This strike sends a malware sample known as NukeBot. NukeBot is a modular banking trojan built to steal the credentials of online banking customers.
MD5: 078aa893c6963aac76b63018ee4ecbd3
SHA1: 640702a92e4281515e755649cc4c01db21881394
SHA256: aaf4d39111ba8681cf2b501ec90b612b54a6feae817f37925e99739009f9d37b
https://threatpost.com/modified-versions-of-nukebot-in-wild-since-source-code-leak/126920/
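The strike rows above are a flattened table, and the first thing a practitioner does with a catalogue like this is turn it into a hash list that can be searched. The following is an added example, not part of this page or of the product it documents: a parser for the row layout visible on this page, with two consistency checks (the `_xxxxxxxx` suffix of the Malware column must equal the first eight hex characters of the MD5, and the MD5 column must agree with the hash fused into the Info cell), plus a lookup that hashes arbitrary bytes against the resulting IOC set. The row regex, the `Strike` record and the function names are this example's own; the three sample rows are copied from the July table above (the .Net row is included because its Malware column has no hash suffix).

```python
import hashlib
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Three rows copied from the July table above, in the flattened form the page presents them.
SAMPLE_ROWS = """\
M17-cl901NukeBot_031a8139Windows This strike sends a malware sample known as NukeBot. NukeBot is a modular banking trojan that was created to steal the credentials of online banking customers.031a8139f1e0f8802ff55bace423284fSHA1: a5f7867ea057690c4f3a58ea6ecb0c70a65088df
MD5: 031a8139f1e0f8802ff55bace423284f
SHA256: 8533d6ff4557a0870ccd0ed6268f7f4589f144ba9367bd4665e7239a99e8dcef
https://securelist.com/the-nukebot-banking-trojan-from-rough-drafts-to-real-threats/78957/
M17-4t401Gh0stRat_7365383fWindows This strike sends a malware sample known as Gh0stRat. The sample has been identified in-the-wild being downloaded by DoublePulsar backdoor payloads.7365383ff0368f8b6ff1d6f0157a14e0SHA1: 4dabb411ba0c75fc98e7d0624cf0b170e3c3e2d2
MD5: 7365383ff0368f8b6ff1d6f0157a14e0
SHA256: 153383b05a484845b3eb39915098fa6c8d68fcb639ade54215cda7fcbdeda14a
M17-5d101.NetWindows This strike sends a malware sample known as .Net Dubled Backdoor. This .Net malware is not particularly advanced, however, it comes with many features including the ability to spy on the target system and record a user's banking activity via the ffmpg application. The MD5 hash of this .d628d2a9726b777961f2d1346f988767SHA1: 179ccf65842a6b7ea3a63028a3b392c44b79121a
MD5: d628d2a9726b777961f2d1346f988767
SHA256: dfe4222c135c369797b101929bcb8b7cb303fd446dee7a24fd312395842cd070
https://blog.malwarebytes.com/threat-analysis/2017/07/malware-abusing-ffmpeg/
"""

PLATFORMS = ("Windows", "Android", "Mixed")  # the Platform values used on this page

# Header line layout: "<strike id><malware>[_<md5 prefix>]<platform> <info><md5>SHA1: <sha1>"
ROW_RE = re.compile(
    r"^(?P<strike_id>M\d{2}-[0-9a-z]{5})"
    r"(?P<malware>.+?)(?:_(?P<suffix>[0-9a-f]{8}))?"
    r"(?P<platform>" + "|".join(PLATFORMS) + r") "
    r"(?P<info>.*?)(?P<md5>[0-9a-f]{32})SHA1: (?P<sha1>[0-9a-f]{40})$"
)


@dataclass
class Strike:
    strike_id: str
    malware: str
    platform: str
    info: str
    md5: str
    sha1: str
    sha256: Optional[str] = None
    references: List[str] = field(default_factory=list)


def parse_strikes(text: str) -> Tuple[List[Strike], List[str]]:
    """Parse flattened strike rows; return the records and a list of consistency warnings."""
    strikes: List[Strike] = []
    warnings: List[str] = []
    current: Optional[Strike] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ROW_RE.match(line)
        if m:
            current = Strike(m["strike_id"], m["malware"], m["platform"],
                             m["info"].strip(), m["md5"].lower(), m["sha1"].lower())
            strikes.append(current)
            # The "_xxxxxxxx" suffix of the Malware column is the first 8 hex chars of the MD5.
            if m["suffix"] and m["suffix"] != current.md5[:8]:
                warnings.append(f"{current.strike_id}: name suffix {m['suffix']} != md5 prefix {current.md5[:8]}")
            continue
        if current is None:
            warnings.append(f"line before any strike header: {line[:40]!r}")
            continue
        if line.startswith("MD5: "):
            value = line[5:].strip().lower()
            if value != current.md5:  # the MD5 column must agree with the hash fused into the header
                warnings.append(f"{current.strike_id}: MD5 column {value} != header md5 {current.md5}")
        elif line.startswith("SHA256: "):
            value = line[8:].strip().lower()
            if re.fullmatch(r"[0-9a-f]{64}", value):
                current.sha256 = value
            else:
                warnings.append(f"{current.strike_id}: malformed SHA256 {value!r}")
        elif line.startswith(("http://", "https://")):
            current.references.append(line)
        else:
            warnings.append(f"{current.strike_id}: unrecognised line {line[:40]!r}")
    return strikes, warnings


def index_by_hash(strikes: List[Strike]) -> Dict[str, str]:
    """Map every MD5/SHA1/SHA256 in the catalogue to its strike ID for O(1) lookup."""
    index: Dict[str, str] = {}
    for s in strikes:
        for digest in (s.md5, s.sha1, s.sha256):
            if digest:
                index[digest] = s.strike_id
    return index


def hash_bytes(data: bytes) -> Dict[str, str]:
    """All three digests the catalogue lists, so a match on any one of them is enough."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def match_bytes(data: bytes, index: Dict[str, str]) -> Optional[str]:
    """Return the strike ID whose sample has these bytes, or None if the file is not catalogued."""
    for digest in hash_bytes(data).values():
        if digest in index:
            return index[digest]
    return None


if __name__ == "__main__":
    records, problems = parse_strikes(SAMPLE_ROWS)
    for r in records:
        print(r.strike_id, r.malware, r.platform, r.md5, r.sha256, len(r.references))
    print("warnings:", problems or "none")
    print("match for b'hello':", match_bytes(b"hello", index_by_hash(records)))
```

Run against the full page text this yields one record per strike. Any warning points at a row whose name suffix, header hash and MD5 column do not agree, which is exactly the kind of row to double-check against its external reference before the hash goes into a blocklist.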

Malware Strikes June - 2017

Strike ID | Malware | Platform
(each strike is followed by its Info, MD5, SHA1, SHA256 and External References)
M17-s2701 | Valyria_Doc_Macro_3e0c5a01 | Mixed
Info: This strike sends a malware sample known as Valyria_Doc_Macro. Valyria is a Trickler that targets the Windows platform. It arrives on the victim's system as a Microsoft Word document whose Visual Basic for Applications macro launches a PowerShell script to download and execute further files.
MD5: 3e0c5a01e1c13b6066d561f152b28291
SHA1: 6323db3ff1bc490a6b8ceb4447c5791543f17732
SHA256: 7fcd49ea71363a666377a734b80c7608842a9acb868e1b35a3820a1eefd68975
http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html
M17-9hj01 | Fireball_79abd4f5 | Windows
Info: This strike sends a malware sample known as Fireball. Fireball is a browser hijacker, usually installed through software bundling, that changes the browser's default start page and switches the default search engine to the Rafotech search engine.
MD5: 79abd4f5c79cd2eb0c0de0b4664652d5
SHA1: da0ae02638e0f190f159a8a24b6d40ce80d1cdf0
SHA256: 656ceb29cf552689f2e3f1b10bbbd39ca74c0ce76451127aacf1851925e3c2ca
https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/27000/PD27112/en_US/McAfee_Labs_Threat_Advisory-PUP_Adware-Elex.pdf
M17-q1m01 | Fadok_01d9a9d8 | Windows
Info: This strike sends a malware sample known as Fadok. Fadok drops several files, and the dropped copies are configured to start automatically with Windows. The worm also drops and opens a Word document, and it connects to the domain wxanalytics.ru.
MD5: 01d9a9d87e38c06f7a17382477be414d
SHA1: f38a92520fbbbea0b1894084ca5df9c7ea407eeb
SHA256: 0ab690ef09a14798b9deb6cd0c116b8e0ed906b6bac16a05a5ae4bc38cabf467
http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html
M17-55501 | GenericMalware_377b5d0c | Windows
Info: This strike sends a malware sample known as GenericMalware. The sample has been observed in the wild being downloaded by DoublePulsar backdoor payloads.
MD5: 377b5d0cb365a8a124126a57ba1103ce
SHA1: 614ab749f50a70faecfbcb54b442fb357f79f745
SHA256: c97f4a5bee60b6c823abe53c28230df34026f49bc6fbdba5f1197caf7db47790
M17-wxd01 | Qakbot_4ac8b676 | Windows
Info: This strike sends a malware sample known as Qakbot. Qbot, also known as Qakbot, has been active since at least 2008. It is a sophisticated trojan that primarily targets personal information such as banking credentials.
MD5: 4ac8b6761e6504e1e96d2165f6038ced
SHA1: 107705a77990d78f63379bc3e498781a9477c6c8
SHA256: 4712cf80102b7886a946ab6454fb0978f9d94feacd52c5df18850dbefa0158ec
http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html
M17-0nv01 | Sivis_1de38c8f | Windows
Info: This strike sends a malware sample known as Sivis. Sivis is a file infector that replaces files on the file system with executable copies of itself.
MD5: 1de38c8fb92851c60ec6019ac7924558
SHA1: ba8326ba8e11e955ac99de4720dc629f592d6f14
SHA256: 38f441a14f81c370d0ac0934340d3d196bca832668ee6772ac88330614a91b2c
http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html
M17-0bf01 | Fadok_a115b384 | Windows
Info: This strike sends a malware sample known as Fadok. Fadok drops several files, and the dropped copies are configured to start automatically with Windows. The worm also drops and opens a Word document, and it connects to the domain wxanalytics.ru.
MD5: a115b384fa775472d82cfa8290551bcf
SHA1: 129c85d614eadacef177aed41aebd06033c2e184
SHA256: 03692f096e7fc9ab6bd470f7092ae80cc5dcfbf1dcb2a849dae2a2384e421315
http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html
M17-xrt01 | Valyria_Doc_Macro_8d45f392 | Mixed
Info: This strike sends a malware sample known as Valyria_Doc_Macro. Valyria is a Trickler that targets the Windows platform. It arrives on the victim's system as a Microsoft Word document whose Visual Basic for Applications macro launches a PowerShell script to download and execute further files.
MD5: 8d45f39227d5e8fd3bf9b270dc7d46ad
SHA1: e38a4ed2f3beb4722d5dbf1800334c678ec70374
SHA256: be53a9f3aeca760dfcea58b676db1f687f238e0c6996ec57e36fa6040f43e75e
http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html
M17-62401 | Valyria_Doc_Macro_12dca91f | Mixed
Info: This strike sends a malware sample known as Valyria_Doc_Macro. Valyria is a Trickler that targets the Windows platform. It arrives on the victim's system as a Microsoft Word document whose Visual Basic for Applications macro launches a PowerShell script to download and execute further files.
MD5: 12dca91f7b79b4bef4f408f042fcbda8
SHA1: ec53f9456c433ea9a63c8404cf42836b992f102f
SHA256: 0cfe5dfa2b53c51076a5ea1aac89e7be91e83a70c6438b037dfd00ccd839ca6f
http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html
M17-a3r01 | Qakbot_5838ce69 | Windows
Info: This strike sends a malware sample known as Qakbot. Qbot, also known as Qakbot, has been active since at least 2008. It is a sophisticated trojan that primarily targets personal information such as banking credentials.
MD5: 5838ce69e86bfd9f93e32746d73a779d
SHA1: 5ea507dca63035e969f4db6bff585896cf4bb096
SHA256: 006b191a135afecf86bd4df2fbf619f8f019ab316d2edb33d053209384c7d4cd
http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html
M17-d0k01 | Siggen_e3ab4a4a | Windows
Info: This strike sends a malware sample known as Siggen. Siggen is malware with anti-debugging and anti-VM capabilities. The sample drops a file into a temporary directory; the file is deleted once it has been loaded and the second stage executed.
MD5: e3ab4a4a2f18c482e4add154f7ad5436
SHA1: b852fc3e5bfb59978d905c064d0a79e526acb835
SHA256: 8998b35cd76f170e62275661c0f0256883ec2b8e34b9e5ff9530c9da4d07fb74
http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html
Strike ID: M17-6qj01 | Malware: Gh0stRAT_47029c8d | Platform: Mixed
Info: This strike sends a malware sample known as Gh0stRAT. The sample has been identified in the wild being downloaded by DoublePulsar backdoor payloads.
SHA1: 9d11b23989615d9c4c161fc833801c063c141d4a
MD5: 47029c8d9d652d45c15d8c0108f2c9ae
SHA256: b6915dd2a9ffae5c6a969247e4a3e2b739e094ed9f90516b41251185d9d301a5
https://www.ixiacom.com/company/blog/state-eternalblue-exploitation-wild
Strike ID: M17-s2h01 | Malware: Gh0stRAT_26d01a08 | Platform: Windows
Info: This strike sends a malware sample known as Gh0stRAT. The sample has been identified in the wild being downloaded by DoublePulsar backdoor payloads.
SHA1: 116c2d8eab2d6cfdd0de59b622eefbc526d4b043
MD5: 26d01a08650fd21664748cd7446f3396
SHA256: b60d4093fe1a7aa545d22292bd2daafaa07bdcda335aa5e9f2c56e0c4f8668cf
Strike ID: M17-49p01 | Malware: Valyria_Doc_Macro_5139ef78 | Platform: Mixed
Info: This strike sends a malware sample known as Valyria_Doc_Macro. Valyria is a Trickler that targets the Windows platform. The malware arrives on a victim's system as a Microsoft document file, which uses Visual Basic for Applications to launch a PowerShell script to download and execute files.
SHA1: e5390594ab62a10d62a8377acee4fe28861a52d3
MD5: 5139ef78258da030fb38081cb48e6343
SHA256: 27a035174244dd347ee81cc932fccf414b1c32a0820fe6a55e242ee04e9c0686
http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html
Strike ID: M17-xy701 | Malware: Fireball_bb2dec87 | Platform: Windows
Info: This strike sends a malware sample known as Fireball. Fireball is a browser hijacker, frequently installed through software bundling, that modifies the default start page of your browsers and changes the default search engine to the Rafotech search engine.
SHA1: b30d5b4fe6f11cb683c4daaf78dd337c1b94c8d9
MD5: bb2dec875c10abe72b645bd6376c1c0e
SHA256: 683d13ecc2c2faea61e7095a16f801ac2e00993de838b29042426498dbf92a01
https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/27000/PD27112/en_US/McAfee_Labs_Threat_Advisory-PUP_Adware-Elex.pdf
Strike ID: M17-ay001 | Malware: Valyria_Doc_Macro_05080c76 | Platform: Mixed
Info: This strike sends a malware sample known as Valyria_Doc_Macro. Valyria is a Trickler that targets the Windows platform. The malware arrives on a victim's system as a Microsoft document file, which uses Visual Basic for Applications to launch a PowerShell script to download and execute files.
SHA1: f6be84cad04bdec852a669e514d3d99def9b1e19
MD5: 05080c76008874c298f4011ea33190d5
SHA256: d845e07f961afb0341e8d8da25fc08896bccd09ccc5136e74454308c9f95eff6
http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html
Strike ID: M17-15601 | Malware: EternalRocks_0e83b186 | Platform: Windows
Info: This strike sends a malware sample known as EternalRocks. EternalRocks is a network worm that spreads using the public SMB exploits from The Shadow Brokers NSA dump (ETERNALBLUE, ETERNALCHAMPION, ETERNALROMANCE, and ETERNALSYNERGY) along with the related programs DOUBLEPULSAR, ARCHITOUCH, and SMBTOUCH.
SHA1: 1e24f6dfdcfac543d89e6e4ee8f2d9fc4321f264
MD5: 0e83b186a4d067299df2db817b724eb7
SHA256: 48b1024f599c3184a49c0d66c5600385265b9868d0936134185326e2db0ab441
https://github.com/stamparm/EternalRocks
https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/27000/PD27113/en_US/McAfee_Labs_Threat_Advisory-EternalRocks.pdf
Strike ID: M17-58a01 | Malware: Crashoverride_11a67ff9 | Platform: Windows
Info: This strike sends a malware sample known as Crashoverride. Crashoverride is the first ever malware framework designed and deployed to attack electric grids.
SHA1: 8e39eca1e48240c01ee570631ae8f0c9a9637187
MD5: 11a67ff9ad6006bd44f08bcc125fb61e
SHA256: 3e3ab9674142dec46ce389e9e759b6484e847f5c1e1fc682fc638fc837c13571
https://dragos.com/blog/crashoverride/CrashOverride-01.pdf
Strike ID: M17-8ah01 | Malware: Fadok_ee28f9a8 | Platform: Windows
Info: This strike sends a malware sample known as Fadok. Fadok drops several files. The instances of the malware are auto-started when Windows starts. The worm drops and opens a Word document. It connects to the domain wxanalytics.ru.
SHA1: 273ff949fda1d3d84259659fc29bedc40a85bc5a
MD5: ee28f9a8753c779b5c26f6271df09f00
SHA256: 06f89aa03b2e1f070b9fdfafd5356d0eaa1ea840f05ab7189d89f1cb1f70ff66
http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html
Strike ID: M17-3mu01 | Malware: Valyria_Doc_Macro_24d4e462 | Platform: Mixed
Info: This strike sends a malware sample known as Valyria_Doc_Macro. Valyria is a Trickler that targets the Windows platform. The malware arrives on a victim's system as a Microsoft document file, which uses Visual Basic for Applications to launch a PowerShell script to download and execute files.
SHA1: d2c6ad43986fef31e212f87b95a35ce2f82f98a6
MD5: 24d4e462da6609e38a4b92b2674520af
SHA256: bb4e1f338f6d5c46d7890aa7eabe929de1467d8760a463c74379d651600638e8
http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html
Strike ID: M17-5l701 | Malware: Siggen_5ebfb9fe | Platform: Windows
Info: This strike sends a malware sample known as Siggen. Siggen is malware with anti-debugging and anti-VM capabilities. The sample drops a file in a temporary directory that is deleted once it is loaded and the second stage executed.
SHA1: b92adf5db6e0c047f0706a427fed6dcf65e5c295
MD5: 5ebfb9fe30b274780c0f37a22fa88ba3
SHA256: 76cac7eac498813164dcb94ed0812163bc4d261ef80232ec528aa941e0622479
http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html
Strike ID: M17-e0d01 | Malware: BackdoorTrojan_a1dcc833 | Platform: Windows
Info: This strike sends a malware sample known as BackdoorTrojan. The sample has been identified in the wild being downloaded by DoublePulsar backdoor payloads.
SHA1: 0f876e85fa1b0e0449db420b8cac168d744829c7
MD5: a1dcc83376ae59d6a156096b79c3c856
SHA256: 65433c71ff7901c183d55bf42452e6b77c9554a2573cc983ff8ab31b0c4f29d6
Strike ID: M17-aq401 | Malware: Valyria_Doc_Macro_3dcc36e7 | Platform: Mixed
Info: This strike sends a malware sample known as Valyria_Doc_Macro. Valyria is a Trickler that targets the Windows platform. The malware arrives on a victim's system as a Microsoft document file, which uses Visual Basic for Applications to launch a PowerShell script to download and execute files.
SHA1: b42cb2e11162a6a3876d4235398ba5d68d0f7bf4
MD5: 3dcc36e7164d4d1d2d2c8cdb93f8db46
SHA256: 38e71cd7dba75c6e6dbfa326843d10421d57ab3781c94c1174cfc260c86d4361
http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html
Strike ID: M17-8uu01 | Malware: Qakbot_d0afd8df | Platform: Windows
Info: This strike sends a malware sample known as Qakbot. Qbot, AKA Qakbot, has been around since at least 2008. Qakbot is a sophisticated trojan primarily targeting personal information like banking credentials.
SHA1: 4f1115d7f1da62b572c9dfa08c406a65efc0baf5
MD5: d0afd8df9e7c9dad6d2e68d45a4f36c0
SHA256: 02ad78b356cb9723b18122a2fad033e0487be7e367864d7481371bde0b0b8acf
http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html
Strike ID: M17-ksv01 | Malware: Qakbot_8a3ab5d3 | Platform: Windows
Info: This strike sends a malware sample known as Qakbot. Qbot, AKA Qakbot, has been around since at least 2008. Qakbot is a sophisticated trojan primarily targeting personal information like banking credentials.
SHA1: d3f484c3e7ff9fe0a639728ee78edc19b324560b
MD5: 8a3ab5d3fa3644ec1829e7825b0a22a3
SHA256: d52f95bb330930af7477604547dd33fdf3fe76e20301a67a7d490f6b1ebe5247
http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html
Strike ID: M17-zma01 | Malware: Gh0stRAT_0fe309fe | Platform: Windows
Info: This strike sends a malware sample known as Gh0stRAT. The sample has been identified in the wild being downloaded by DoublePulsar backdoor payloads.
SHA1: 7b8f4552b3aeae03b5f55373f8d538753035b68b
MD5: 0fe309fea26d8747faaa4a5b51f6baf9
SHA256: e0740ca59b46de2c823593aaf6ac5a2deab7b5257b4ebd74ea962c0f4683a90c
Strike ID: M17-e3g01 | Malware: Valyria_Doc_Macro_cd85a6c4 | Platform: Mixed
Info: This strike sends a malware sample known as Valyria_Doc_Macro. Valyria is a Trickler that targets the Windows platform. The malware arrives on a victim's system as a Microsoft document file, which uses Visual Basic for Applications to launch a PowerShell script to download and execute files.
SHA1: ec6db43027ba0e034d61348549832458fbce7666
MD5: cd85a6c4130a6666261f583e0a66dea0
SHA256: ff9b033e0f4d48b6f77ae849cf3a94ea411583ea8c232b1da6fd1bc99d5e40d4
http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html
Strike ID: M17-k0501 | Malware: Siggen_3669fd09 | Platform: Windows
Info: This strike sends a malware sample known as Siggen. Siggen is malware with anti-debugging and anti-VM capabilities. The sample drops a file in a temporary directory that is deleted once it is loaded and the second stage executed.
SHA1: 873a65b0f441d8589e19463f1c807d888d6a1f21
MD5: 3669fd09ab7a14b79a324b5a729f4bd8
SHA256: 74a306f136aa3b098fe99f6e35a1163d808c996e7ca6f8cd03fc69ec0a2573c0
http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html
Strike ID: M17-hyq01 | Malware: Dvmap_20d4b9eb | Platform: Android
Info: This strike sends a malware sample known as Dvmap. Dvmap is believed to be the very first Android malware to hide a malicious payload and then unleash it by injecting it directly into a device's system files.
SHA1: 7eaed59d6a166bc3ec8ce19a27eeb3d5e9c5802c
MD5: 20d4b9eb9377c499917c4d69bf4ccebe
SHA256: 183e069c563bd16219c205f7aa1d64fc7cb93c8205adf8de77c50367d56dfc2b
Strike ID: M17-zvd01 | Malware: Dvmap_43680d19 | Platform: Android
Info: This strike sends a malware sample known as Dvmap. Dvmap is believed to be the very first Android malware to hide a malicious payload and then unleash it by injecting it directly into a device's system files.
SHA1: 05b0513cb53b0c5ee4ed55ce68cd694e676d4d2b
MD5: 43680d1914f28e14c90436e1d42984e2
SHA256: 92f8bcd9e62047b380c76afe772ab0fe12ced53b9702d08c37e98424dbb590ae
Strike ID: M17-84i01 | Malware: PonyVariant_Dropper_8a55ecad | Platform: Windows
Info: This strike sends a malware sample known as PonyVariant_Dropper. This dropper launches malware based on leaked Pony Loader source code. It tries to avoid detection by injecting twice and deleting itself via a cmd.exe process.
SHA1: c808faa7617fda487819622ac435cad5f90e929f
MD5: 8a55ecad10a7cf3dad3630ac40e420a1
SHA256: 47c916890c345a0588e52cc29e6488b5c709217823b0049a46b9a9e5e07a6efb
http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html
Strike ID: M17-gu601 | Malware: Win32/Virut_b4e71b49 | Platform: Windows
Info: This strike sends a malware sample known as Win32/Virut. The sample has been identified in the wild being downloaded by DoublePulsar backdoor payloads.
SHA1: 6d94a2b3fbdb70beafa49c4b653c6a8d0e2a99b6
MD5: b4e71b493e165eb0aa15e8d9b427ac3d
SHA256: 86a0383757ea9716facdc3cd71ebeaa4486ae87ff302a1217bbcf29a95a4003a
Strike ID: M17-ogg01 | Malware: Valyria_Doc_Macro_9243540e | Platform: Mixed
Info: This strike sends a malware sample known as Valyria_Doc_Macro. Valyria is a Trickler that targets the Windows platform. The malware arrives on a victim's system as a Microsoft document file, which uses Visual Basic for Applications to launch a PowerShell script to download and execute files.
SHA1: fa1fff26c23c168b6d4be1d64baa49885d6bb6b6
MD5: 9243540e9c72aeacbbbb557045249bdb
SHA256: 556556a774b187d2068e8d6e4cc2d098fd06fe146e0b4578b68a602d9b9c47f7
http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html
Strike ID: M17-sme01 | Malware: Fireball_46ce735c | Platform: Windows
Info: This strike sends a malware sample known as Fireball. Fireball is a browser hijacker, frequently installed through software bundling, that modifies the default start page of your browsers and changes the default search engine to the Rafotech search engine.
SHA1: 99e0d7dd87b3aa21cba43e6a853d2b1c9f726aab
MD5: 46ce735cacb3e63bd6c6b100918b25b0
SHA256: 8a7730de37028da75947da9dd008344c36536c5131b587ce64ba38ae53734944
https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/27000/PD27112/en_US/McAfee_Labs_Threat_Advisory-PUP_Adware-Elex.pdf
Strike ID: M17-8kr01 | Malware: GenericMalware_6b1e19c6 | Platform: Windows
Info: This strike sends a malware sample known as GenericMalware. The sample has been identified in the wild being downloaded by DoublePulsar backdoor payloads.
SHA1: afcc00a2f4940cb5db74e5c5b1be951bccc48828
MD5: 6b1e19c656499a624b9319b9c9ba3f08
SHA256: c995fd44ce9ebe245c71e1768eeaa278e59247fc7002f870dd3c744940b8046d
Strike ID: M17-6qq01 | Malware: Valyria_Doc_Macro_76928501 | Platform: Mixed
Info: This strike sends a malware sample known as Valyria_Doc_Macro. Valyria is a Trickler that targets the Windows platform. The malware arrives on a victim's system as a Microsoft document file, which uses Visual Basic for Applications to launch a PowerShell script to download and execute files.
SHA1: e94f8b79adc5648b2b3bf31184d18eae3b16ed12
MD5: 769285015391f1771e82d16de5325b6e
SHA256: 3ea1c668e2b904c00f60d3bdd735a31261c49b29a39f2523c03271328a69c580
http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html
Strike ID: M17-ojw01 | Malware: Valyria_Doc_Macro_d3adb534 | Platform: Mixed
Info: This strike sends a malware sample known as Valyria_Doc_Macro. Valyria is a Trickler that targets the Windows platform. The malware arrives on a victim's system as a Microsoft document file, which uses Visual Basic for Applications to launch a PowerShell script to download and execute files.
SHA1: 5c4530cd11ea1cedd8c5de64642c063b3097acc8
MD5: d3adb534e7691d0f1efb12e649c171b5
SHA256: 56e76f857ba0006ce64a71404b3a5e0166659e069c7d31d488de248e3e8a7af4
http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html
Strike ID: M17-iw501 | Malware: Necurs_a9af7994 | Platform: Mixed
Info: This strike sends a malware sample known as Necurs. Necurs is a large botnet that, when active, distributes massive volumes of malicious spam. It tends to take breaks on weekends, and it currently has an ongoing campaign using malicious PDFs to download Jaff ransomware.
SHA1: d364eb043e01f61822c9d2906a36ad2f902c60d7
MD5: a9af7994a9b1e0ba8a117eb64c31c926
SHA256: 3d9728ec88afe74e3ad5bee49c5c64a771f6d39b5f4b16fab280175b989d79a6
https://www.trustwave.com/Resources/SpiderLabs-Blog/Necurs-Recurs/
Strike ID: M17-d2m01 | Malware: GenericMalware_59dcde96 | Platform: Windows
Info: This strike sends a malware sample known as GenericMalware. The sample has been identified in the wild being downloaded by DoublePulsar backdoor payloads.
SHA1: 79df1dc8bf60b9662ad045fbbf0769d5cea55edc
MD5: 59dcde96ce99c4793a6c96d358921930
SHA256: 260ebf8e4c489f80cc0f744f2d599810320792ac3bd318713f6e0062ddde366d
Strike ID: M17-28f01 | Malware: Valyria_Doc_Macro_f5cf1855 | Platform: Mixed
Info: This strike sends a malware sample known as Valyria_Doc_Macro. Valyria is a Trickler that targets the Windows platform. The malware arrives on a victim's system as a Microsoft document file, which uses Visual Basic for Applications to launch a PowerShell script to download and execute files.
SHA1: 6aea27de5a0e9c48902be8d6b8be55e30bd0be59
MD5: f5cf1855746885e59348062ca0cedc05
SHA256: e618d44cf1e7d121c9e934b1d530ebc4e830d1dd7d8228ac5b53a455def791a9
http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html
Strike ID: M17-fup01 | Malware: Fireball_960045ab | Platform: Windows
Info: This strike sends a malware sample known as Fireball. Fireball is a browser hijacker, frequently installed through software bundling, that modifies the default start page of your browsers and changes the default search engine to the Rafotech search engine.
SHA1: 95c7c5a3ff9c9e771c8369d81b6f09640469012a
MD5: 960045abfa2d230ab5d60fc992a08852
SHA256: d6c600ccacd3d37d6558333d6d8fed129d86fd028bb92ae5ea9da49fe6455b49
https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/27000/PD27112/en_US/McAfee_Labs_Threat_Advisory-PUP_Adware-Elex.pdf
Strike ID: M17-avj01 | Malware: Crashoverride_7a7ace48 | Platform: Windows
Info: This strike sends a malware sample known as Crashoverride. Crashoverride is the first ever malware framework designed and deployed to attack electric grids.
SHA1: b92149f046f00bb69de329b8457d32c24726ee00
MD5: 7a7ace486dbb046f588331a08e869d58
SHA256: ad23c7930dae02de1ea3c6836091b5fb3c62a89bf2bcfb83b4b39ede15904910
https://dragos.com/blog/crashoverride/CrashOverride-01.pdf
Strike ID: M17-zv401 | Malware: Keybase_48987f1f | Platform: Windows
Info: This strike sends a malware sample known as Keybase. KeyBase is a trojan that can be used to capture screenshots, keystrokes, and other pieces of system information.
SHA1: be11eabc8bc566b02737580f74314250e4ceb1c1
MD5: 48987f1f272848cb3b188bbe26a9ce08
SHA256: 8b1c64f993778c52906b8170cc6c16a07f4116e23661956a738323aca7b12c3a
http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html
Strike ID: M17-bic01 | Malware: Crashoverride_f67b65b9 | Platform: Windows
Info: This strike sends a malware sample known as Crashoverride. Crashoverride is the first ever malware framework designed and deployed to attack electric grids.
SHA1: f6c21f8189ced6ae150f9ef2e82a3a57843b587d
MD5: f67b65b9346ee75a26f491b70bf6091b
SHA256: 37d54e3d5e8b838f366b9c202f75fa264611a12444e62ae759c31a0d041aa6e4
https://dragos.com/blog/crashoverride/CrashOverride-01.pdf
Strike ID: M17-mqe01 | Malware: Valyria_Doc_Macro_b508df1d | Platform: Mixed
Info: This strike sends a malware sample known as Valyria_Doc_Macro. Valyria is a Trickler that targets the Windows platform. The malware arrives on a victim's system as a Microsoft document file, which uses Visual Basic for Applications to launch a PowerShell script to download and execute files.
SHA1: af24bd58abb727cef7f6bba08d0926a36204254d
MD5: b508df1db86363d813b21589a2f48531
SHA256: c571b06649be9a8d07ae380a7131dd8deba1bee2aa7067557857fee8cbd2c130
http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html
Strike ID: M17-oi801 | Malware: Valyria_Doc_Macro_bd93081f | Platform: Mixed
Info: This strike sends a malware sample known as Valyria_Doc_Macro. Valyria is a Trickler that targets the Windows platform. The malware arrives on a victim's system as a Microsoft document file, which uses Visual Basic for Applications to launch a PowerShell script to download and execute files.
SHA1: c15f37b5722862aa8addc2ceb9b32d3584748de0
MD5: bd93081f18c481680c05cb452ce59284
SHA256: fff62aadd6740b7c1a4b57758f95d5de0cc36e471e6d1ae40ca8141a5845a7eb
http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html
Strike ID: M17-y8i01 | Malware: Valyria_Doc_Macro_d93a9a3b | Platform: Mixed
Info: This strike sends a malware sample known as Valyria_Doc_Macro. Valyria is a Trickler that targets the Windows platform. The malware arrives on a victim's system as a Microsoft document file, which uses Visual Basic for Applications to launch a PowerShell script to download and execute files.
SHA1: fc1f0082257f9983c31c7b85c7efbd0ab4de98e6
MD5: d93a9a3b2a332fd69a3d0d7f1b64b5e7
SHA256: 2378d2f333b50cc341e08f574d300ebcf12ee7140cb897620bc9c35f93929854
http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html
Strike ID: M17-t5x01 | Malware: Gh0stRAT_d5536e59 | Platform: Windows
Info: This strike sends a malware sample known as Gh0stRAT. The sample has been identified in the wild being downloaded by DoublePulsar backdoor payloads.
SHA1: 4cfa4834b5278631e99ad3f5a3be9b3129889a34
MD5: d5536e59be24fd3ecfe07cdc8a1f8772
SHA256: 16c6a023ef62a69ae260972cd564e6e168ee656f4e751a6ee071c591b0aeddb1
Strike ID: M17-l8901 | Malware: Fireball_41e928af | Platform: Windows
Info: This strike sends a malware sample known as Fireball. Fireball is a browser hijacker, frequently installed through software bundling, that modifies the default start page of your browsers and changes the default search engine to the Rafotech search engine.
SHA1: d7c6f623f941ff21d5e172ec599c9525e4bcf953
MD5: 41e928af129c0583d2eb8c13a6caee64
SHA256: 24f1b40015760028743e03f2e0dbd6333f07fa43bcbdb37bb33a1b6626eb0684
https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/27000/PD27112/en_US/McAfee_Labs_Threat_Advisory-PUP_Adware-Elex.pdf
Strike ID: M17-aux01 | Malware: Valyria_Doc_Macro_1eb97d04 | Platform: Mixed
Info: This strike sends a malware sample known as Valyria_Doc_Macro. Valyria is a Trickler that targets the Windows platform. The malware arrives on a victim's system as a Microsoft document file, which uses Visual Basic for Applications to launch a PowerShell script to download and execute files.
SHA1: b2b9f29e076dd260c5315011c3696242444d0d99
MD5: 1eb97d04bcb26e07565ffe223a969507
SHA256: 7ec2376443a777c789d853489ba4192ff21923ab95f4810660faad4dd93e0813
http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html
Strike ID: M17-0nr01 | Malware: Crashoverride_a193184e | Platform: Windows
Info: This strike sends a malware sample known as Crashoverride. Crashoverride is the first ever malware framework designed and deployed to attack electric grids.
SHA1: 94488f214b165512d2fc0438a581f5c9e3bd4d4c
MD5: a193184e61e34e2bc36289deaafdec37
SHA256: 7907dd95c1d36cf3dc842a1bd804f0db511a0f68f4b3d382c23a3c974a383cad
https://dragos.com/blog/crashoverride/CrashOverride-01.pdf
Strike ID: M17-8op01 | Malware: Sivis_0a5d3828 | Platform: Windows
Info: This strike sends a malware sample known as Sivis. Sivis is a file infector that replaces any file in the file system with executable files containing copies of itself.
SHA1: 712e446768496651dafd48725b5d7544e0a24ccf
MD5: 0a5d382821b9239d12f996bf6a623012
SHA256: 4e5297e0d0b8c702e6c97fbaeee1f329b2246a046790e0e8adb595f94accf47e
http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html
Strike ID: M17-qcr01 | Malware: Fadok_eea3c727 | Platform: Windows
Info: This strike sends a malware sample known as Fadok. Fadok drops several files. The instances of the malware are auto-started when Windows starts. The worm drops and opens a Word document. It connects to the domain wxanalytics.ru.
SHA1: 9686299e7fe5ddcef27e3e051916f5bb339fe39e
MD5: eea3c72780e07f805ffa1bb7bb76298a
SHA256: 148c4618e14a3c30f73dd6f910df6999ea4be2e32818f3747bdae03c175b7c48
http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html
Strike ID: M17-s9z01 | Malware: PonyVariant_Dropper_55babe51 | Platform: Windows
Info: This strike sends a malware sample known as PonyVariant_Dropper. This dropper launches malware based on leaked Pony Loader source code. It tries to avoid detection by injecting twice and deleting itself via a cmd.exe process.
SHA1: a013f9e3652807743c366612f76c0435e874dbd3
MD5: 55babe5130c6b73b47fc48a46d0b0e16
SHA256: 24558ad4b3a745c24a2dd42c73800ccfcd0c10dc17c67d83f3dcb3a4e479d46c
http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html
Strike ID: M17-xsv01 | Malware: BackdoorTrojan_82180b3d | Platform: Windows
Info: This strike sends a malware sample known as BackdoorTrojan. The sample has been identified in the wild being downloaded by DoublePulsar backdoor payloads.
SHA1: 66616825dbc92de5a12f75b188983bff971b2a7d
MD5: 82180b3dc79c71c15d10ce7f52c05db0
SHA256: a1f119908b935199ded134e9ff57ebf205e1d6c27e0c9562979634ddc1c5f9e5
Strike ID: M17-2fs01 | Malware: Valyria_Doc_Macro_674d849e | Platform: Mixed
Info: This strike sends a malware sample known as Valyria_Doc_Macro. Valyria is a Trickler that targets the Windows platform. The malware arrives on a victim's system as a Microsoft document file, which uses Visual Basic for Applications to launch a PowerShell script to download and execute files.
SHA1: f43ec260e655536519f41bdae66afc2ad3ec5a8b
MD5: 674d849e8fe0351d927e1262f13e8e17
SHA256: eaa3cb0af249967c7d9a66185db3cac7e93196da6281014206b6d0bc0fb7f34c
http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html
Strike ID: M17-yma01 | Malware: Ursnif_23fb9126 | Platform: Windows
Info: This strike sends a malware sample known as Ursnif. Ursnif or Gozi is a banking trojan. The malware is mainly spread through spam email that contains an attachment that downloads Ursnif. In the past year, Ursnif has been used in attacks against Japan.
SHA1: 3bf342ec0a3aad1f4269c19eecf399be3afd4a94
MD5: 23fb91262a83aed54abcebbf86e2af96
SHA256: cbe692191547918894975784a02015b409923cfcda0ddb82b9331fecaa8e39f6
https://www.trustwave.com/Resources/SpiderLabs-Blog/URSNIF-is-Back-Riding-a-New-Wave-of-Spam/
Strike ID: M17-ala01 | Malware: Siggen_396a1016 | Platform: Windows
Info: This strike sends a malware sample known as Siggen. Siggen is malware with anti-debugging and anti-VM capabilities. The sample drops a file in a temporary directory that is deleted once it is loaded and the second stage executed.
SHA1: 2bd4a382556d5ae7bc153cb8a7427250270b2d60
MD5: 396a1016606c2539873ec0467440ea0f
SHA256: 87701e501b48b94e9494bbda3f42a8b2a92a0e19d51d3e6023efae30b86f74a0
http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html
Strike ID: M17-h8801 | Malware: Jaff_35eed9ca | Platform: Mixed
Info: This strike sends a malware sample known as Jaff. We recently observed several large scale email campaigns that were attempting to distribute a new variant of ransomware that has been dubbed "Jaff". Interestingly, we identified several characteristics that we have previously observed being used during Dridex and Locky campaigns. In a short period of time, we observed multiple campaigns featuring high volumes of malicious spam emails being distributed, each using a PDF attachment with an embedded Microsoft Word document functioning as the initial downloader for the Jaff ransomware.
SHA1: 03b17da93cf91f61c9dbb4d25182016cefec0659
MD5: 35eed9cafb26975c42b7a621352565d2
SHA256: ddabbe9cac0a547105ba8ccf223c7bcadebd680e724bca39c9d17a998726f854
Strike ID: M17-1s101 | Malware: PonyVariant_Dropper_084b72fc | Platform: Windows
Info: This strike sends a malware sample known as PonyVariant_Dropper. This dropper launches malware based on leaked Pony Loader source code. It tries to avoid detection by injecting twice and deleting itself via a cmd.exe process.
SHA1: e308935ab855d4c4513dc030b035cc703d823ad2
MD5: 084b72fcf63d2628b157f4c7a9d9c00a
SHA256: 4fe60f488f45f914edb650cc2e248d156ad8b257b610ad4848b1c245f38053e3
http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html
Strike ID: M17-y7301 | Malware: Valyria_Doc_Macro_be6dd256 | Platform: Mixed
Info: This strike sends a malware sample known as Valyria_Doc_Macro. Valyria is a Trickler that targets the Windows platform. The malware arrives on a victim's system as a Microsoft document file, which uses Visual Basic for Applications to launch a PowerShell script to download and execute files.
SHA1: e8214a0a00f8261458157a44dfba335caecd85f1
MD5: be6dd2561ed2258740306253b58e2b49
SHA256: a57fe946d0e6d5324080ad9625ed5f4cc2720c53cfa8dfc4185cecc9320c8e45
http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html
Strike ID: M17-dzm01 | Malware: VBS.CobaStriDldr.A_3a1dca21 | Platform: Mixed
Info: This strike sends a malware sample known as VBS.CobaStriDldr.A. This malware has reportedly been used in a targeted attack campaign named APT19. This phishing campaign targets global law and investment firms. The malware arrives on the infected system through a spear-phishing email containing a Microsoft Excel file or XLSM document. The MD5 hash of this VBS.CobaStriDldr.
SHA1: 3ddc3d2f40c64333adfafe508726344d90598c7b
MD5: 3a1dca21bfe72368f2dd46eb4d9b48c4
SHA256: 42ff4fa4a92fba9ec44371431997700195f22753d4ea16c0dda0a5c4116a61af
https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html
Strike ID: M17-dod01 | Malware: Crashoverride_ab17f2b1 | Platform: Windows
Info: This strike sends a malware sample known as Crashoverride. Crashoverride is the first ever malware framework designed and deployed to attack electric grids.
SHA1: 5a5fafbc3fec8d36fd57b075ebf34119ba3bff04
MD5: ab17f2b17c57b731cb930243589ab0cf
SHA256: 018eb62e174efdcdb3af011d34b0bf2284ed1a803718fba6edffe5bc0b446b81
https://dragos.com/blog/crashoverride/CrashOverride-01.pdf
Strike ID: M17-1t601 | Malware: Valyria_Doc_Macro_788a6918 | Platform: Mixed
Info: This strike sends a malware sample known as Valyria_Doc_Macro. Valyria is a Trickler that targets the Windows platform. The malware arrives on a victim's system as a Microsoft document file, which uses Visual Basic for Applications to launch a PowerShell script to download and execute files.
SHA1: 5e122e37318aa8fd3d8f88ed23d1685fcbcfbe81
MD5: 788a69180a4ad792e3798e4e50f61c1f
SHA256: 17b965a0cf6b0b316da2c659ec2c7bbe747819d09c1c1401d5a80272f47b813a
http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html
Strike ID: M17-28m01 | Malware: GenericMalware_4d621871 | Platform: Windows
Info: This strike sends a malware sample known as GenericMalware. The sample has been identified in the wild being downloaded by DoublePulsar backdoor payloads.
SHA1: e097699803af2f9b690f2f4c6d35613a73eaa49e
MD5: 4d621871d5de77993f46353cbcb2c571
SHA256: 4996a9d19d17e8e436a188164e3c7725595a64edc8c45f611005f7f2832a8e2c
Strike ID: M17-9p901 | Malware: Qakbot_24be8c46 | Platform: Windows
Info: This strike sends a malware sample known as Qakbot. Qbot, AKA Qakbot, has been around since at least 2008. Qakbot is a sophisticated trojan primarily targeting personal information like banking credentials.
SHA1: 7c03395e543e6f7123437682c81c89936195af14
MD5: 24be8c4601fe3170a01166969f8213c6
SHA256: 0200b37385ee4b54572e9ff8f9dca6b20ef6a41feefeb9f5eaf14fa35fe82b87
http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html
Strike ID: M17-xmu01 | Malware: Qakbot_55ba2a99 | Platform: Windows
Info: This strike sends a malware sample known as Qakbot. Qbot, AKA Qakbot, has been around since at least 2008. Qakbot is a sophisticated trojan primarily targeting personal information like banking credentials.
SHA1: 5e384fafa16bf6c2103543d0d9bec3448aec7436
MD5: 55ba2a99ee46c18e2d6f545bfb5ffff6
SHA256: 0452810a21fc1207dc11a2a82127f30354fdc41aef95371b77a00b5592c11bb4
http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html
Strike ID: M17-s7m01 | Malware: PonyVariant_Dropper_1dbf9a8e | Platform: Windows
Info: This strike sends a malware sample known as PonyVariant_Dropper. This dropper launches malware based on leaked Pony Loader source code. It tries to avoid detection by injecting twice and deleting itself via a cmd.exe process.
SHA1: 09647c9edd512adc143e449d58f789b02a527150
MD5: 1dbf9a8e3f11514aee40fcaab87a4794
SHA256: 50733aaab0b6ca4210df15017f51bb576c84fea2cbeb0912dd40a32056cd3c1b
http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html
Strike ID: M17-hbu01 | Malware: Valyria_Doc_Macro_957d8224 | Platform: Mixed
Info: This strike sends a malware sample known as Valyria_Doc_Macro. Valyria is a Trickler that targets the Windows platform. The malware arrives on a victim's system as a Microsoft document file, which uses Visual Basic for Applications to launch a PowerShell script to download and execute files.
SHA1: 598aa2cd6b85674801b00ad077cf076b4faeb60b
MD5: 957d8224e35c282d15b50b43257beb5d
SHA256: e90846bb4883914000462df105e679bc4ad05d3d1b0900363dd18eba1aca5c33
http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html
Strike ID: M17-qtq01 | Malware: Valyria_Doc_Macro_d770c4ed | Platform: Mixed
Info: This strike sends a malware sample known as Valyria_Doc_Macro. Valyria is a Trickler that targets the Windows platform. The malware arrives on a victim's system as a Microsoft document file, which uses Visual Basic for Applications to launch a PowerShell script to download and execute files.
SHA1: e1e878411f2a6b7400ab963b12726c39d1259b69
MD5: d770c4edfe83ea4b72336ccaf64422d3
SHA256: 73b30d45b7f7a0893f8d8a1b3b55f10ff9d11e86619dccbb22a60d1f2462d5f6
http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html
Strike ID: M17-yrt01 | Malware: Sivis_98f6a14b | Platform: Windows
Info: This strike sends a malware sample known as Sivis. Sivis is a file infector that replaces any file in the file system with executable files containing copies of itself.
SHA1: 75644ce47dc6f94a88390e9c2a0e2de2fb515c73
MD5: 98f6a14bc884609eb523b125be4a8ecd
SHA256: 7366a0faef62af909a1ef1da05e2cbd1fc9534cbb26e20e90538e043f4517d5c
http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html
Strike ID: M17-qkr01 | Malware: Necurs_6686dec2 | Platform: Mixed
Info: This strike sends a malware sample known as Necurs. Necurs is a large botnet that, when active, distributes massive volumes of malicious spam. It tends to take breaks on weekends, and it currently has an ongoing campaign using malicious PDFs to download Jaff ransomware.
SHA1: 2001971c7ddaa9b2550d1b870f5e377c56f15f70
MD5: 6686dec2e57b635f864ec0597512703e
SHA256: 778034b1c61ea7ab25a64bf49b5ae7d8c5dd2ce5f0ef3f8178adeee04f6a1e1f
https://www.trustwave.com/Resources/SpiderLabs-Blog/Necurs-Recurs/
Strike ID: M17-12k01
Malware: Gh0stRAT_ec66f69e
Platform: Windows
Info: This strike sends a malware sample known as Gh0stRAT. The sample has been identified in the wild being downloaded by DoublePulsar backdoor payloads.
SHA1: 2d1077b5698382c22683f35d37711e7228b55dd6
MD5: ec66f69e6ee7facceb6cde1fdae46276
SHA256: 986e68ea037df3e00aa78ba996d31da0233a46aeea2eaa77be3ee5e4bc008176
Strike ID: M17-i4s01
Malware: Sivis_930c0d6e
Platform: Windows
Info: This strike sends a malware sample known as Sivis. Sivis is a file infector that replaces files on the file system with executable files containing copies of itself.
SHA1: b428f5be0fbe76595e86714bad964858cac7b98e
MD5: 930c0d6e81335a76ee13ebca9c78b9df
SHA256: ccbf43a2ab8074ca4a27952f0f3c052435ffe38cfa4644f63b609f96c978c014
http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html
Strike ID: M17-oeu01
Malware: Sivis_6fbaf919
Platform: Windows
Info: This strike sends a malware sample known as Sivis. Sivis is a file infector that replaces files on the file system with executable files containing copies of itself.
SHA1: 99cfe8649d79d93be19bd32ea8ef99d197ce6fa4
MD5: 6fbaf919f8cd2f44f077572418b390fa
SHA256: 0a08a78e10ffd4c2e176e089e092f3692b94da97457abcfc694082c525335fcf
http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html
Strike ID: M17-55001
Malware: Valyria_Doc_Macro_e65bf51b
Platform: Mixed
Info: This strike sends a malware sample known as Valyria_Doc_Macro. Valyria is a Trickler that targets the Windows platform. The malware arrives on a victim's system as a Microsoft Office document that uses Visual Basic for Applications to launch a PowerShell script, which downloads and executes files.
SHA1: eecac6bd49051c53b67b0122161a39468a0cd9b6
MD5: e65bf51b842f903e2d8814f7c2973273
SHA256: 913b51d636924dc67655ac2bb69449858448f71363eafcd3cb7881da3fe12994
http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html
Strike ID: M17-o6r01
Malware: Valyria_Doc_Macro_50bdf5ca
Platform: Mixed
Info: This strike sends a malware sample known as Valyria_Doc_Macro. Valyria is a Trickler that targets the Windows platform. The malware arrives on a victim's system as a Microsoft Office document that uses Visual Basic for Applications to launch a PowerShell script, which downloads and executes files.
SHA1: 589e0635f90ab6fdd9cddc920076502d992cab00
MD5: 50bdf5ca6bdee15865eb3e21b9a297b3
SHA256: ac1803de8dea5bca07b2eb654f0ce9b013285686014483e6c81ae7235b68e1aa
http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html
Strike ID: M17-c5h01
Malware: Qakbot_08bacffc
Platform: Windows
Info: This strike sends a malware sample known as Qakbot. Qbot, also known as Qakbot, has been around since at least 2008. Qakbot is a sophisticated trojan that primarily targets personal information such as banking credentials.
SHA1: 34b74953be0071c8a1d41115b3555664e085b0fc
MD5: 08bacffcc1e4df896670047790373497
SHA256: 5b7a5a58e4af312cd23e1f28597f2818953dd23abdeedb52adb882958e2766cb
http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html
Strike ID: M17-76n01
Malware: Crashoverride_497de9d3
Platform: Windows
Info: This strike sends a malware sample known as Crashoverride. Crashoverride is the first ever malware framework designed and deployed to attack electric grids.
SHA1: b335163e6eb854df5e08e85026b2c3518891eda8
MD5: 497de9d388d23bf8ae7230d80652af69
SHA256: 893e4cca7fe58191d2f6722b383b5e8009d3885b5913dcd2e3577e5a763cdb3f
https://dragos.com/blog/crashoverride/CrashOverride-01.pdf
Strike ID: M17-tng01
Malware: Valyria_Doc_Macro_2cff60d4
Platform: Mixed
Info: This strike sends a malware sample known as Valyria_Doc_Macro. Valyria is a Trickler that targets the Windows platform. The malware arrives on a victim's system as a Microsoft Office document that uses Visual Basic for Applications to launch a PowerShell script, which downloads and executes files.
SHA1: d4ea353cc42ffe2337af79baf50e542bc7cb2e76
MD5: 2cff60d45d124f27874d2ea0fe4195e2
SHA256: 097de8a240500e67ed2b1b0d8d95a4bcd8f07764c5abdcf7eceb17d15c592611
http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html
Strike ID: M17-8as01
Malware: Fireball_fab40a7b
Platform: Windows
Info: This strike sends a malware sample known as Fireball. Fireball is a browser hijacker that is frequently installed through software bundling. It modifies the default start page of the user's browsers and changes the default search engine to the Rafotech search engine.
SHA1: 8b6388810047db449d3699333eca9091568a094c
MD5: fab40a7bde5250a6bc8644f4d6b9c28f
SHA256: 9b4971349ae85aa09c0a69852ed3e626c954954a3927b3d1b6646f139b930022
Strike ID: M17-bxd01
Malware: Fireball_94e46b45
Platform: Windows
Info: This strike sends a malware sample known as Fireball. Fireball is a browser hijacker that is frequently installed through software bundling. It modifies the default start page of the user's browsers and changes the default search engine to the Rafotech search engine.
SHA1: 8a8c9c2e6401a5d11883d0459be32e435317dd2e
MD5: 94e46b4519ef0610a6a7d91d01584192
SHA256: d6b51900305241cc5a7ba26858f3f55e5b7ddcff101e8f5c7060cead328bc7c4
https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/27000/PD27112/en_US/McAfee_Labs_Threat_Advisory-PUP_Adware-Elex.pdf
Strike ID: M17-xfr01
Malware: Fireball_66e4d7c4
Platform: Windows
Info: This strike sends a malware sample known as Fireball. Fireball is a browser hijacker that is frequently installed through software bundling. It modifies the default start page of the user's browsers and changes the default search engine to the Rafotech search engine.
SHA1: 7d9d44a8e33a7dd21d5f240eaa0fbc6e8de2e185
MD5: 66e4d7c44d23abf72069e745e6b617ed
SHA256: 8f2e624dd9e77d0e2e74b01e271faace40f13a4f51fab61a585fbf0779bea627
Strike ID: M17-we401
Malware: Qakbot_142aaa6c
Platform: Windows
Info: This strike sends a malware sample known as Qakbot. Qbot, also known as Qakbot, has been around since at least 2008. Qakbot is a sophisticated trojan that primarily targets personal information such as banking credentials.
SHA1: 66094ebc324bd90422bb4074ff204b92c594d07c
MD5: 142aaa6c5fcb885e211039ccb6b0f5d4
SHA256: 007f9ee2441329fe8c8ebf6f597c84eb1e4fea764dd228cfae9bed400c8af53b
http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html
Strike ID: M17-zjq01
Malware: Fadok_cd6a252f
Platform: Windows
Info: This strike sends a malware sample known as Fadok. Fadok drops several files. Instances of the malware are started automatically when Windows starts. The worm drops and opens a Word document. It connects to the domain wxanalytics.ru.
SHA1: 2d9d1e148fe5bfed0a4cb90cb055705f5affefea
MD5: cd6a252f9e59da13b3f199419ed3ece8
SHA256: 056b0bc81124cf9ad6c094092e1f16f2aa96bf7efebcaeaf3830a8a228464a9b
http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html
Strike ID: M17-p3f01
Malware: Siggen_90d18c3c
Platform: Windows
Info: This strike sends a malware sample known as Siggen. Siggen is malware with anti-debugging and anti-VM capabilities. The sample drops a file in a temporary directory; the file is deleted once it has been loaded and the second stage executed.
SHA1: 2d3ffffa9286881ae0113aa19c444bb4e0677137
MD5: 90d18c3c4bf09f1c6d0dba8f4c638f2c
SHA256: 745d8d433cba5315749dc61810d9bf4eb1864fb9737c4a2fc3718eda75917d6f
http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html
Strike ID: M17-qd401
Malware: Valyria_Doc_Macro_fe6304e4
Platform: Mixed
Info: This strike sends a malware sample known as Valyria_Doc_Macro. Valyria is a Trickler that targets the Windows platform. The malware arrives on a victim's system as a Microsoft Office document that uses Visual Basic for Applications to launch a PowerShell script, which downloads and executes files.
SHA1: ac0930e02103970658fc20eae0869c7088b8cfe0
MD5: fe6304e4297dbeda72cd5afdbae8d7b2
SHA256: 2669d31701a90345db7492bc3de46db51af6a9137ce1bafdab2fd3122d2e040e
http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html
Strike ID: M17-u6u01
Malware: Keybase_04311370
Platform: Windows
Info: This strike sends a malware sample known as Keybase. KeyBase is a trojan that can be used to capture screenshots, keystrokes, and other pieces of system information.
SHA1: 6ddf8c1c6d747553977e51cd685240c1aff7a61b
MD5: 0431137025391490648c9b8334fbf092
SHA256: 7d22f93bea6e24c11497a826e692216861bb5710e0e6a9842ed9c30463a11b24
http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html
Strike ID: M17-85r01
Malware: Gh0stRAT_88b8f7aa
Platform: Windows
Info: This strike sends a malware sample known as Gh0stRAT. The sample has been identified in the wild being downloaded by DoublePulsar backdoor payloads.
SHA1: 407f4eda279c43c2e70e0fe2382524a6843a7843
MD5: 88b8f7aadeb8c5d5f0a5b182e0f6fc28
SHA256: e6bd0d021069df585eb281fd3206ecda655c40e6d4021a8ed0b6a7d4bd13776a
Strike ID: M17-w4301
Malware: Valyria_Doc_Macro_526ba8e6
Platform: Mixed
Info: This strike sends a malware sample known as Valyria_Doc_Macro. Valyria is a Trickler that targets the Windows platform. The malware arrives on a victim's system as a Microsoft Office document that uses Visual Basic for Applications to launch a PowerShell script, which downloads and executes files.
SHA1: f853532ac65154d37dad9328d1ecf1970731dfa7
MD5: 526ba8e6f3dd094439202fdafda0f024
SHA256: ceb3fd6d517aaff2a122df2f9e8ab368cbf1efc8644344d4f228198e90c56399
http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html
Strike ID: M17-4mu01
Malware: Fireball_2b307e28
Platform: Windows
Info: This strike sends a malware sample known as Fireball. Fireball is a browser hijacker that is frequently installed through software bundling. It modifies the default start page of the user's browsers and changes the default search engine to the Rafotech search engine.
SHA1: f7df2b019b5640c66e40b1cecbb327d1c9192560
MD5: 2b307e28ce531157611825eb0854c15f
SHA256: 7d68386554e514f38f98f24e8056c11c0a227602ed179d54ed08f2251dc9ea93
Strike ID: M17-tj401
Malware: Siggen_61b2d117
Platform: Windows
Info: This strike sends a malware sample known as Siggen. Siggen is malware with anti-debugging and anti-VM capabilities. The sample drops a file in a temporary directory; the file is deleted once it has been loaded and the second stage executed.
SHA1: b83a665772d11018cce2e72f24ca90aa27f3f298
MD5: 61b2d117272fde42efef918cecc6031c
SHA256: dd249e28e052a2e7747886a0596e7faf7e447fbef7260198509fc6e08c294bbb
http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html
Strike ID: M17-qf801
Malware: Fireball_7b2868fa
Platform: Windows
Info: This strike sends a malware sample known as Fireball. Fireball is a browser hijacker that is frequently installed through software bundling. It modifies the default start page of the user's browsers and changes the default search engine to the Rafotech search engine.
SHA1: 250a8bd174403e32ad77f7e710e7165e7df40a47
MD5: 7b2868faa915a7fc6e2d7cc5a965b1e7
SHA256: e4d4f6fbfbbbf3904ca45d296dc565138a17484c54aebbb00ba9d57f80dfe7e5
Strike ID: M17-30z01
Malware: VBS.CobaStriDldr.A_bae0b391
Platform: Windows
Info: This strike sends a malware sample known as VBS.CobaStriDldr.A. This malware has reportedly been used in a targeted attack campaign named APT19. The phishing campaign targets global law and investment firms. The malware arrives on the infected system through a spear phishing email containing a Microsoft Excel file or XLSM document. The MD5 hash of this VBS.CobaStriDldr.
SHA1: 7b0d8394b32cb59c59e4ac9471dba676678fd91a
MD5: bae0b39197a1ac9e24bdf9a9483b18ea
SHA256: e3494fd2cc7e9e02cff76841630892e4baed34a3e1ef2b9ae4e2608f9a4d7be9
https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html
Strike ID: M17-ryl01
Malware: Carbanak_13a5fab5
Platform: Windows
Info: This strike sends a malware sample known as Carbanak. Carbanak is a backdoor that targets the Windows platform. It sends system information to a remote server and accepts commands that can give an attacker the ability to download and execute files, steal cookies, and inject code.
SHA1: cf5b30e6ada0d6ee7449d6bde9986a35df6f2986
MD5: 13a5fab598763ae4141955f2903d66f9
SHA256: 6224efee6665118fe4b5bfbc0c4b1dbe611a43a4b385f61ae33b0a0af230da4e
https://www.trustwave.com/Resources/SpiderLabs-Blog/New-Carbanak-/-Anunak-Attack-Methodology/
Strike ID: M17-i2301
Malware: Valyria_Doc_Macro_0b54f5ac
Platform: Mixed
Info: This strike sends a malware sample known as Valyria_Doc_Macro. Valyria is a Trickler that targets the Windows platform. The malware arrives on a victim's system as a Microsoft Office document that uses Visual Basic for Applications to launch a PowerShell script, which downloads and executes files.
SHA1: 714f80b2c610ab1899f2e550d8ca68dfcbf30eae
MD5: 0b54f5ac562cda7def5470b2d4612067
SHA256: ef6269b66111c365ef251e4128a286e16c972359ca406a02b6f81fa8b55b1cda
http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html
Strike ID: M17-3bk01
Malware: Siggen_e2ad0f4e
Platform: Windows
Info: This strike sends a malware sample known as Siggen. Siggen is malware with anti-debugging and anti-VM capabilities. The sample drops a file in a temporary directory; the file is deleted once it has been loaded and the second stage executed.
SHA1: eaf6a846b4b1a34d091d5a4baf940c1a099dd80a
MD5: e2ad0f4efa073582e3bafbef550c3c81
SHA256: 4a1b26fd16f985e1da3f1b5619b55f6170584ac51923bd6d6c4c455fc86d44da
http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html
Strike ID: M17-doq01
Malware: Qakbot_74881c46
Platform: Windows
Info: This strike sends a malware sample known as Qakbot. Qbot, also known as Qakbot, has been around since at least 2008. Qakbot is a sophisticated trojan that primarily targets personal information such as banking credentials.
SHA1: 3e68003a07b62f848e3051ea1766a04b2d14179e
MD5: 74881c460b8a9227e3dc74f36f77b226
SHA256: 00141f6303dd960c61a4fdb06e686ccc972c0e0f092adaf823444e4b7e32ae09
http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html
Strike ID: M17-g9x01
Malware: BackdoorTrojan_e93124fe
Platform: Windows
Info: This strike sends a malware sample known as BackdoorTrojan. The sample has been identified in the wild being downloaded by DoublePulsar backdoor payloads.
SHA1: 03d4275dee52ef1b70e558abf9c2fef82a76339d
MD5: e93124fef0a3ac7869f3ae6ee696beec
SHA256: 926ed977382f409409d912cfb04191d3c375c9dc0b30a487510d3d83ab7cfc01
Strike ID: M17-vwg01
Malware: Fireball_69ffdf99
Platform: Windows
Info: This strike sends a malware sample known as Fireball. Fireball is a browser hijacker that is frequently installed through software bundling. It modifies the default start page of the user's browsers and changes the default search engine to the Rafotech search engine.
SHA1: b6bbe04238834126043610115c253788f0cb8a39
MD5: 69ffdf99149d19be7dc1c52f33aaa651
SHA256: e3f69a1fb6fcaf9fd93386b6ba1d86731cd9e5648f7cff5242763188129cd158
Strike ID: M17-soi01
Malware: PonyVariant_Dropper_8b998ddd
Platform: Windows
Info: This strike sends a malware sample known as PonyVariant_Dropper. This dropper launches malware based on leaked Pony Loader source code. It tries to avoid detection by injecting twice and deleting itself via a cmd.exe process.
SHA1: 57200ec3b13d5ca0e3e632aa3bd0d7a163265736
MD5: 8b998dddd5a658fc1f9f6e3adc9c6f12
SHA256: 416d71ce82336aa2dda064e6ba93a555ccf46c7ae2ad1faba379513965d9d485
http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html
Strike ID: M17-4qr01
Malware: Crashoverride_f9005f8e
Platform: Windows
Info: This strike sends a malware sample known as Crashoverride. Crashoverride is the first ever malware framework designed and deployed to attack electric grids.
SHA1: 79ca89711cdaedb16b0ccccfdcfbd6aa7e57120a
MD5: f9005f8e9d9b854491eb2fbbd06a16e0
SHA256: 21c1fdd6cfd8ec3ffe3e922f944424b543643dbdab99fa731556f8805b0d5561
https://dragos.com/blog/crashoverride/CrashOverride-01.pdf
Strike ID: M17-j7i01
Malware: Gh0stRAT_233f31c1
Platform: Windows
Info: This strike sends a malware sample known as Gh0stRAT. The sample has been identified in the wild being downloaded by DoublePulsar backdoor payloads.
SHA1: 03a288cc2cbd2cbe331a54c2afc5dd90761a82a9
MD5: 233f31c12bc5305cb4186469c17b7e4a
SHA256: 45aedb18335d58aee6bad2888038bfa16e12460f89e7d181495101267be76b07
Strike ID: M17-0e801
Malware: Gh0stRAT_49e2f935
Platform: Mixed
Info: This strike sends a malware sample known as Gh0stRAT. The sample has been identified in the wild being downloaded by DoublePulsar backdoor payloads.
SHA1: 5376a271f8f5d644ca1fb457b1c98a258d83b586
MD5: 49e2f935dd760b81c8979d429b51264e
SHA256: e2d31ee0a4b6209fffa3eb52066c23db851777b0cc9b974f3ce3af7b69c62655
https://www.ixiacom.com/company/blog/state-eternalblue-exploitation-wild
Strike ID: M17-tju01
Malware: Qakbot_5ac1917c
Platform: Windows
Info: This strike sends a malware sample known as Qakbot. Qbot, also known as Qakbot, has been around since at least 2008. Qakbot is a sophisticated trojan that primarily targets personal information such as banking credentials.
SHA1: 62067adb0fe0b2e4a8357ea005fa7981523fd759
MD5: 5ac1917cf9a1a814bf39d01200127b40
SHA256: 9a238c95de1ba5bc414aa0fd45297bf79f02b1de03d93a65ad74e91e37eb9ae9
http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html
Strike ID: M17-k4w01
Malware: Siggen_0894a86f
Platform: Windows
Info: This strike sends a malware sample known as Siggen. Siggen is malware with anti-debugging and anti-VM capabilities. The sample drops a file in a temporary directory; the file is deleted once it has been loaded and the second stage executed.
SHA1: 3d1610c412404f7c0b87dbccd3f1c05cd09f867f
MD5: 0894a86f8416bee1a519b438bb23ee83
SHA256: 5527923be2a750415d9565fcfc38550bf292206cee0e415278e8e08d3f3cdbdc
http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html
Strike ID: M17-zz201
Malware: Gh0stRAT_5c1a8b3e
Platform: Windows
Info: This strike sends a malware sample known as Gh0stRAT. The sample has been identified in the wild being downloaded by DoublePulsar backdoor payloads.
SHA1: f181d60a82fe94e7f4bd892b1cc1e7e08b8e9193
MD5: 5c1a8b3ecfd936e3cb9128eb5063ece6
SHA256: 90a1737f38c52f92aa0fb49f2104f81481c77044817f04a231dc5dbe95bbb215
Strike ID: M17-e3801
Malware: Fireball_8c61a693
Platform: Windows
Info: This strike sends a malware sample known as Fireball. Fireball is a browser hijacker that is frequently installed through software bundling. It modifies the default start page of the user's browsers and changes the default search engine to the Rafotech search engine.
SHA1: 0312325d31072afaac87f3aafff58261b549db5d
MD5: 8c61a6937963507dc87d8bf00385c0bc
SHA256: 14093ce6d0fe8ab60963771f48937c669103842a0400b8d97f829b33c420f7e3
Strike ID: M17-y7x01
Malware: Fireball_b56d1d35
Platform: Windows
Info: This strike sends a malware sample known as Fireball. Fireball is a browser hijacker that is frequently installed through software bundling. It modifies the default start page of the user's browsers and changes the default search engine to the Rafotech search engine.
SHA1: cc725869679e5c8c4b7fcdffe98bcd4d612a909a
MD5: b56d1d35d46630335e03af9add84b488
SHA256: c7244d139ef9ea431a5b9cc6a2176a6a9908710892c74e215431b99cd5228359
Strike ID: M17-2q701
Malware: Fireball_84dcb96b
Platform: Windows
Info: This strike sends a malware sample known as Fireball. Fireball is a browser hijacker that is frequently installed through software bundling. It modifies the default start page of the user's browsers and changes the default search engine to the Rafotech search engine.
SHA1: 3c812ea95aa6a2234548814b5447c2ac786daa30
MD5: 84dcb96bdd84389d4449f13eac750986
SHA256: f964a4b95d5c518fd56f06044af39a146d84b801d9472e022de4c929a5b8fdcc
Strike ID: M17-98p01
Malware: Crashoverride_ff69615e
Platform: Windows
Info: This strike sends a malware sample known as Crashoverride. Crashoverride is the first ever malware framework designed and deployed to attack electric grids.
SHA1: 2cb8230281b86fa944d3043ae906016c8b5984d9
MD5: ff69615e3a8d7ddcdc4b7bf94d6c7ffb
SHA256: ecaf150e087ddff0ec6463c92f7f6cca23cc4fd30fe34c10b3cb7c2a6d135c77
https://dragos.com/blog/crashoverride/CrashOverride-01.pdf
Strike ID: M17-wrk01
Malware: Valyria_Doc_Macro_508cefdf
Platform: Mixed
Info: This strike sends a malware sample known as Valyria_Doc_Macro. Valyria is a Trickler that targets the Windows platform. The malware arrives on a victim's system as a Microsoft Office document that uses Visual Basic for Applications to launch a PowerShell script, which downloads and executes files.
SHA1: 7294eb013e53992a37239051e9c462e5925134d7
MD5: 508cefdf3010539f2149f5c302026177
SHA256: a3905f5dd2e106d19e260b36d9bdc7946cc8aae0f4343e8d6c7f671d0bdc7921
http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html
Strike ID: M17-ohn01
Malware: Valyria_Doc_Macro_678f87e5
Platform: Mixed
Info: This strike sends a malware sample known as Valyria_Doc_Macro. Valyria is a Trickler that targets the Windows platform. The malware arrives on a victim's system as a Microsoft Office document that uses Visual Basic for Applications to launch a PowerShell script, which downloads and executes files.
SHA1: ceab7dcc360a479c8955e1f2e9e14d0e7129cacb
MD5: 678f87e5ef02699daad6da0da7d2d8be
SHA256: 67e2d24be65f338f944eda6cffdda8013147088a8173e771795b399c3c182771
http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html
Strike ID: M17-p3i01
Malware: Fireball_7adb7f56
Platform: Windows
Info: This strike sends a malware sample known as Fireball. Fireball is a browser hijacker that is frequently installed through software bundling. It modifies the default start page of the user's browsers and changes the default search engine to the Rafotech search engine.
SHA1: 30a176dde7aff87ee73c967d4f70d1b834a62dd4
MD5: 7adb7f56e81456f3b421c01ab19b1900
SHA256: fff2818caa9040486a634896f329b8aebaec9121bdf9982841f0646763a1686b
Strike ID: M17-z1o01
Malware: Fadok_dfa89d72
Platform: Windows
Info: This strike sends a malware sample known as Fadok. Fadok drops several files. Instances of the malware are started automatically when Windows starts. The worm drops and opens a Word document. It connects to the domain wxanalytics.ru.
SHA1: ea2325b643cf653ffa9b20dbe5fd25e6eb562afa
MD5: dfa89d72ef517428ce552bc8afc1a7ae
SHA256: 0fffda2d0105f10690d1989859deae3d50287474534649605a320f078616d658
http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html
Strike ID: M17-7qg01
Malware: Necurs_4d128c93
Platform: Mixed
Info: This strike sends a malware sample known as Necurs. Necurs is a large botnet that, when active, distributes massive volumes of malicious spam. It tends to take breaks on weekends, and it currently has an ongoing campaign using malicious PDFs to download Jaff ransomware.
SHA1: 8e4f36e0710aee26f125acc69b14cac44467238f
MD5: 4d128c93c03605be2460e0e6767603c1
SHA256: 5da7c8bf86dc71531b2cd34e565385dae7b080cde104e5abe29577ed03787a71
https://www.trustwave.com/Resources/SpiderLabs-Blog/Necurs-Recurs/
Strike ID: M17-yee01
Malware: Cerber_ae5a348b
Platform: Windows
Info: This strike sends a malware sample known as Cerber. The Cerber family started to emerge during the first quarter of 2016 and has been seen being distributed via the Neutrino or Magnitude exploit kits and via spam emails using VBScript files.
SHA1: f440edc4fe35452d0fbec35a5c352295f3e3bf0c
MD5: ae5a348b9dd0ac3a6a46e70c82fa9c38
SHA256: 73a7497c8fa283b444242259ae061d5cbb705be04b5f531f1096a2c236bb5204
https://www.trustwave.com/Resources/SpiderLabs-Blog/FakeGlobe-and-Cerber-Ransomware--Sneaking-under-the-radar-while-WeCry/
Strike ID: M17-mzy01
Malware: Valyria_Doc_Macro_b4fb36c4
Platform: Mixed
Info: This strike sends a malware sample known as Valyria_Doc_Macro. Valyria is a Trickler that targets the Windows platform. The malware arrives on a victim's system as a Microsoft Office document that uses Visual Basic for Applications to launch a PowerShell script, which downloads and executes files.
SHA1: c3ceae4d0b9b288bac70dbb563ef6b4eba39fb78
MD5: b4fb36c43f91d10ce9bd284fff4c7925
SHA256: 95fd8ea6a9b5778a75b76804ae8c1da2514239598edd1c324f25eb30a93fd715
http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html
Strike ID: M17-lum01
Malware: Valyria_Doc_Macro_13f8df4a
Platform: Mixed
Info: This strike sends a malware sample known as Valyria_Doc_Macro. Valyria is a Trickler that targets the Windows platform. The malware arrives on a victim's system as a Microsoft Office document that uses Visual Basic for Applications to launch a PowerShell script, which downloads and executes files.
SHA1: b31c34f428fda8e02d4b684555b3bb3ebf17a74c
MD5: 13f8df4aea556dcd6d72f923faa24f3d
SHA256: 6b6221926ec36c928f0d0eef2d254766f30342714c3e791645d97c6c86cec31f
http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html
Strike ID: M17-y0901
Malware: Gh0stRAT_b0424941
Platform: Windows
Info: This strike sends a malware sample known as Gh0stRAT. The sample has been identified in the wild being downloaded by DoublePulsar backdoor payloads.
SHA1: be347ce22989919d81bb5b2c1ef392b5282e7113
MD5: b0424941ef8e58bf9db2fefcd53cb459
SHA256: ed4b40578f0ddbfeb851835048cdadae0c1a9f8c8e67c6b00a9a1534c17b6252
Strike ID: M17-kso01
Malware: Siggen_006ae6cd
Platform: Windows
Info: This strike sends a malware sample known as Siggen. Siggen is malware with anti-debugging and anti-VM capabilities. The sample drops a file in a temporary directory; the file is deleted once it has been loaded and the second stage executed.
SHA1: bd265c7cdac416b95078755e9f340fb1381130c5
MD5: 006ae6cd35f486808f3125eca11557f0
SHA256: 2dd6b33d9e07c68b79b6674e0972f28ee316548c5e53b28331d88c739d1a5b8f
http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html
Strike ID: M17-66d01
Malware: Valyria_Doc_Macro_1fac3695
Platform: Mixed
Info: This strike sends a malware sample known as Valyria_Doc_Macro. Valyria is a Trickler that targets the Windows platform. The malware arrives on a victim's system as a Microsoft Office document that uses Visual Basic for Applications to launch a PowerShell script, which downloads and executes files.
SHA1: 586e4bedbe58e0f1b6fc923225f60ff2d46e7f77
MD5: 1fac3695445d7f62094c5f25c856d91a
SHA256: f6650409983332866425e807dedc231b28a7cd3a468fe9e17be029fda17efe15
http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html
Strike ID: M17-2dk01
Malware: Carbanak_36f36696
Platform: Windows
Info: This strike sends a malware sample known as Carbanak. Carbanak is a backdoor that targets the Windows platform. It sends system information to a remote server and accepts commands that can give an attacker the ability to download and execute files, steal cookies, and inject code.
SHA1: 83d0964f06e5f53d882f759e4933a6511730e07b
MD5: 36f36696b948b550ad4afe4b0bc53fbd
SHA256: 91ff7b9c4cdcaa61b01f0783dacdbbed3f848fb01013c635bc9d87a85183ebc0
https://www.trustwave.com/Resources/SpiderLabs-Blog/New-Carbanak-/-Anunak-Attack-Methodology/
Strike ID: M17-41901
Malware: Valyria_Doc_Macro_eb9c35b3
Platform: Mixed
Info: This strike sends a malware sample known as Valyria_Doc_Macro. Valyria is a Trickler that targets the Windows platform. The malware arrives on a victim's system as a Microsoft Office document that uses Visual Basic for Applications to launch a PowerShell script, which downloads and executes files.
SHA1: 7221fbfea71e10535005ea6ab1f13a8110afcda6
MD5: eb9c35b3190fcb1e478028b24d2ec585
SHA256: d6d05984c0d493eb75861c7d56c2cf649fcc912134e7df2894fc8bb3eec8980f
http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html
Strike ID: M17-fan01
Malware: Valyria_Doc_Macro_4f169840
Platform: Mixed
Info: This strike sends a malware sample known as Valyria_Doc_Macro. Valyria is a Trickler that targets the Windows platform. The malware arrives on a victim's system as a Microsoft Office document that uses Visual Basic for Applications to launch a PowerShell script, which downloads and executes files.
SHA1: cc7935cf02d42672c90903034b3abaeee6c3fc0b
MD5: 4f169840bd08c25d9477a4ae9c31caec
SHA256: 2de9f4f8df35ca71c1738d22bfb6a147670c25dcbe2014cfd0870a53e33f385a
http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html
Strike ID: M17-w9m01
Malware: Valyria_Doc_Macro_2250018f
Platform: Mixed
Info: This strike sends a malware sample known as Valyria_Doc_Macro. Valyria is a Trickler that targets the Windows platform. The malware arrives on a victim's system as a Microsoft Office document that uses Visual Basic for Applications to launch a PowerShell script, which downloads and executes files.
SHA1: f5543f426cec914da878070d41836e506b298ea5
MD5: 2250018f91f2c6841f163e14874592eb
SHA256: 3d93b69809ad4d6cb2866583c7fc0144aa0db167fd4940ab17b3252c809bf1d1
http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html
Strike ID: M17-jan01
Malware: Win32/Virut_825e3522
Platform: Windows
Info: This strike sends a malware sample known as Win32/Virut. The sample has been identified in the wild being downloaded by DoublePulsar backdoor payloads.
SHA1: d0a111636b10b02f599278220247f8fb82490c5c
MD5: 825e3522037eab1da5bafc09a195ab92
SHA256: d76818d5ac2a4ceec907bc6246862d64399f67cc954d66e31897afa414feda27
Strike ID: M17-dya01
Malware: Valyria_Doc_Macro_42ea2531
Platform: Mixed
Info: This strike sends a malware sample known as Valyria_Doc_Macro. Valyria is a Trickler that targets the Windows platform. The malware arrives on a victim's system as a Microsoft Office document that uses Visual Basic for Applications to launch a PowerShell script, which downloads and executes files.
SHA1: fb290b19c57e4e0fa70a14de3f8d705fcaa6e7af
MD5: 42ea2531137994b6531f656b35bbe845
SHA256: 5cc180f858ed3148aad169790640664280c4b908867256f7b1a0718575192c78
http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html
Strike ID: M17-8ib01
Malware: Fireball_5bce955c
Platform: Windows
Info: This strike sends a malware sample known as Fireball. Fireball is a browser hijacker that is frequently installed through software bundling. It modifies the default start page of the user's browsers and changes the default search engine to the Rafotech search engine.
SHA1: 720ef2a0fbc262a3acedc05b12cc884a9e3cd2a5
MD5: 5bce955cf12af3417f055dadc0212920
SHA256: adcf6b8aa633286cd3a2ce7c79befab207802dec0e705ed3c74c043dabfc604c
Strike ID: M17-ou501
Malware: GenericMalware_93d48870
Platform: Windows
Info: This strike sends a malware sample known as GenericMalware. The sample has been identified in the wild being downloaded by DoublePulsar backdoor payloads.
SHA1: 9a766bd82a4dc8a016ff25292ad50f4573b04dad
MD5: 93d48870d5b55c1611f01261a37f25ed
SHA256: 6dc964d2c112fe3eab072f890e91b1bc9f79b340cf6bbb479c7d3c8ed096938a
Strike ID: M17-7u301
Malware: Valyria_Doc_Macro_189f1358
Platform: Mixed
Info: This strike sends a malware sample known as Valyria_Doc_Macro. Valyria is a Trickler that targets the Windows platform. The malware arrives on a victim's system as a Microsoft Office document that uses Visual Basic for Applications to launch a PowerShell script, which downloads and executes files.
SHA1: 48f334eb52c19d56f3f37bfc4b60460bc453ce61
MD5: 189f13580169be011b73ba17a6dc051f
SHA256: 900f2319a95ec33f4c42a4ceac088f0ab940aa0cde64c4da186b0322746d3e36
http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html
Strike ID: M17-yzu01
Malware: Valyria_Doc_Macro_be4d6281
Platform: Mixed
Info: This strike sends a malware sample known as Valyria_Doc_Macro. Valyria is a Trickler that targets the Windows platform. The malware arrives on a victim's system as a Microsoft Office document that uses Visual Basic for Applications to launch a PowerShell script, which downloads and executes files.
SHA1: 74a4325d9595f6f603cdbbfe02e8538c4eda2f4c
MD5: be4d6281c8ecb2a008ed007fdc8b904f
SHA256: b08b5eb8f5ab0a2fa8acebaf86bf48653f38b7efed83d88ba6076f0da4af9ace
http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html
Strike ID: M17-ber01
Malware: Valyria_Doc_Macro_bcec1085
Platform: Mixed
Info: This strike sends a malware sample known as Valyria_Doc_Macro. Valyria is a Trickler that targets the Windows platform. The malware arrives on a victim's system as a Microsoft Office document that uses Visual Basic for Applications to launch a PowerShell script, which downloads and executes files.
SHA1: 6cb5d156e33d66361730e49f4d49c2f38f34e156
MD5: bcec10859b916d1017a72c5a39f8961c
SHA256: 3f3adeed33a1a057f697c49f9d776c27c7fb9afb7cfa62eec2936ac24ae0d19d
http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html
Strike ID: M17-4e001
Malware: Gh0stRAT_1778fc96
Platform: Windows
Info: This strike sends a malware sample known as Gh0stRAT. The sample has been identified in the wild being downloaded by DoublePulsar backdoor payloads.
SHA1: eb036fb0c50c1d95f5c009f4987bcea384e5f504
MD5: 1778fc969d29bb3e8537d24402ccb44a
SHA256: dd023467cb90438086802cbe16bd80547e52e81fc21d05d6a92b0d268fa65f8b
M17-0qd01 | Fadok_1bcc4df9 | Windows
This strike sends a malware sample known as Fadok. Fadok is a worm that drops several files and registers them to start automatically when Windows boots. It also drops and opens a Word document, and it connects to the domain wxanalytics.ru.
SHA1: 11a9062c8522e7746f702b52d88bf4081f9f9f35
MD5: 1bcc4df972bb5784a2cb05295db25b0a
SHA256: 0cac66a5a16efe52e2e878f5e8f6e34749e049c547ecf18f54955141e13e7058
http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html

M17-20w01 | Valyria_Doc_Macro_86fe38f9 | Mixed
This strike sends a malware sample known as Valyria_Doc_Macro. Valyria is a Trickler (a downloader that fetches additional components) targeting the Windows platform. The malware arrives on the victim's system as a Microsoft Office document whose Visual Basic for Applications macro launches a PowerShell script to download and execute files.
SHA1: f194d570c17f05d9d7a5987fe8bc312051785c39
MD5: 86fe38f913c7a296760db0af0a5eb2f6
SHA256: fbdee3574019ef790ca4609c0414bf63da402c051351552e3a24f4e325e494e2
http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html

M17-cxm01 | Jaff_192b829b | Mixed
This strike sends a malware sample known as Jaff. Researchers observed several large-scale email campaigns distributing a new ransomware variant dubbed "Jaff", which shares several characteristics previously seen in Dridex and Locky campaigns. Within a short period, multiple campaigns delivered high volumes of malicious spam, each carrying a PDF attachment with an embedded Microsoft Word document that acts as the initial downloader for the Jaff ransomware.
SHA1: 551f953db4ba48452a4f7de9f5f7149c98ddf52f
MD5: 192b829bf7f6829549519168c173c931
SHA256: e0573ec5a6ed61a6f38ab209e3d0d309b0c15af9dacc253240476c6899b5690b
https://www.trustwave.com/Resources/SpiderLabs-Blog/Necurs-Recurs/

M17-sk901 | Valyria_Doc_Macro_4903486e | Mixed
This strike sends a malware sample known as Valyria_Doc_Macro. Valyria is a Trickler (a downloader that fetches additional components) targeting the Windows platform. The malware arrives on the victim's system as a Microsoft Office document whose Visual Basic for Applications macro launches a PowerShell script to download and execute files.
SHA1: ed4f1cf48929316eef12652507af82b11f3d7b4d
MD5: 4903486e2676500014cd644ece03300d
SHA256: 24384267829131c7158c50c109afea6026d327c65a66ef559a6540c2c8863094
http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html

M17-m3h01 | Gh0stRAT_acf5eae7 | Windows
This strike sends a malware sample known as Gh0stRAT. The sample was identified in the wild being downloaded by DoublePulsar backdoor payloads.
SHA1: 78cccddcbd9db5db9e1445b9e16140043c3eef73
MD5: acf5eae7273613c791ea665569935cf4
SHA256: eb1f2d077482e389c3bbe8d93f01d47af63eb68b1cac2586ce43c3f1ecff1555

M17-kj501 | Siggen_86778a4e | Windows
This strike sends a malware sample known as Siggen. Siggen is malware with anti-debugging and anti-VM capabilities. The sample drops a file in a temporary directory, which is deleted once it has been loaded and the second stage has executed.
SHA1: 0f4f07d8de2d580866715c50832909294b915e48
MD5: 86778a4e35d9dd30a1f110ec40c6426c
SHA256: f20ef69203c8bd06da68071ccf38001fcd411de5c951bb38bb46a15e6d205458
http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html

M17-18201 | Valyria_Doc_Macro_112d36da | Mixed
This strike sends a malware sample known as Valyria_Doc_Macro. Valyria is a Trickler (a downloader that fetches additional components) targeting the Windows platform. The malware arrives on the victim's system as a Microsoft Office document whose Visual Basic for Applications macro launches a PowerShell script to download and execute files.
SHA1: 7a46a0dced16dac0dade93b0584490992e757770
MD5: 112d36da54ca80a330239cd0d42b99fb
SHA256: 4914a3125bf4d54a07ade2109325a324f813c500a5b6e8a2781b7c1876671455
http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html

M17-99b01 | Win32.Trojan.Nitol_79d54d06 | Windows
This strike sends a malware sample known as Win32.Trojan.Nitol. The sample was identified in the wild being downloaded by DoublePulsar backdoor payloads. The MD5 hash of this Win32.Trojan.Nitol sample is listed below.
SHA1: d1f88097e99cc5b1821686050d1290dea4a0035b
MD5: 79d54d066efe6691b606d8977a126258
SHA256: f63e678fbf20ac431ff9f4ff6e3456d78aa2497cfb6b15e8adab0e7cf25fee63
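As exported from the catalogue's HTML table, each strike row lands on one line with the strike ID, family name (which carries the first eight hex digits of the MD5), platform, description, MD5 and SHA1 run together, followed by separate MD5:, SHA256: and reference-URL lines. The Python below is an added example, not code from this page or from the strike catalogue: it parses that exported layout into records, runs the consistency checks a consumer of the feed should apply (name suffix matches the MD5, the inline MD5 matches the MD5: line, a SHA256 and a reference are present), and builds a digest index for matching files against the table. SAMPLE copies two rows from the June 2017 table above in their exported form; the field and function names are this example's own.

```python
"""Parse flattened strike-table rows into IOC records and sanity-check them.

Added example; not code from the original page or from the strike
catalogue.  A row as exported from the HTML table has the strike ID,
family name (suffixed with the first eight hex digits of the MD5),
platform, description, MD5 and SHA1 run together on one line, followed by
separate "MD5:", "SHA256:" and reference-URL lines.  SAMPLE copies two
rows from the June 2017 table; field and function names are this
example's own.
"""
import hashlib
import re
from dataclasses import dataclass, field

ROW_HEAD = re.compile(
    r"^(?P<strike>M\d{2}-[0-9a-z]{5})"                    # strike ID, e.g. M17-99b01
    r"(?P<name>[A-Za-z0-9._-]+_[0-9a-f]{8})"              # family_<md5 prefix>
    r"(?P<platform>Windows|Mixed|Linux|Android|macOS)"
    r"\s+(?P<info>.*?)"                                   # free-text description
    r"(?P<md5>[0-9a-f]{32})SHA1: (?P<sha1>[0-9a-f]{40})$"
)
MD5_LINE = re.compile(r"^MD5: ([0-9a-f]{32})$")
SHA256_LINE = re.compile(r"^SHA256: ([0-9a-f]{64})$")
URL_LINE = re.compile(r"^https?://\S+$")

SAMPLE = """Strike ID Malware Platform Info MD5 External References
M17-0qd01Fadok_1bcc4df9Windows This strike sends a malware sample known as Fadok. Fadok drops several files. The instances of the malware are auto-started when Windows starts. The worm drops and opens a Word document. It connects to the domain wxanalytics.ru.1bcc4df972bb5784a2cb05295db25b0aSHA1: 11a9062c8522e7746f702b52d88bf4081f9f9f35
MD5: 1bcc4df972bb5784a2cb05295db25b0a
SHA256: 0cac66a5a16efe52e2e878f5e8f6e34749e049c547ecf18f54955141e13e7058
http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html
M17-99b01Win32.Trojan.Nitol_79d54d06Windows This strike sends a malware sample known as Win32.Trojan.Nitol. The sample has been identified in-the-wild being downloaded by DoublePulsar backdoor payloads. The MD5 hash of this Win32.Trojan.79d54d066efe6691b606d8977a126258SHA1: d1f88097e99cc5b1821686050d1290dea4a0035b
MD5: 79d54d066efe6691b606d8977a126258
SHA256: f63e678fbf20ac431ff9f4ff6e3456d78aa2497cfb6b15e8adab0e7cf25fee63
"""


@dataclass
class Strike:
    strike_id: str
    name: str
    platform: str
    info: str
    md5: str
    sha1: str
    sha256: str = ""
    md5_line: str = ""                       # value of the separate "MD5:" line
    references: list = field(default_factory=list)

    def problems(self):
        """Checks a consumer of this feed should run before trusting a row."""
        out = []
        if not self.name.endswith("_" + self.md5[:8]):
            out.append("name suffix does not match MD5 prefix")
        if self.md5_line and self.md5_line != self.md5:
            out.append("inline MD5 differs from MD5: line")
        if not self.sha256:
            out.append("missing SHA256")
        if not self.references:
            out.append("no external reference")
        return out


def parse_strikes(text):
    strikes, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        head = ROW_HEAD.match(line)
        if head:
            cur = Strike(head["strike"], head["name"], head["platform"],
                         head["info"].strip(), head["md5"], head["sha1"])
            strikes.append(cur)
            continue
        if cur is None:
            continue                         # table header, blank lines, nav text
        md5, sha256 = MD5_LINE.match(line), SHA256_LINE.match(line)
        if md5:
            cur.md5_line = md5.group(1)
        elif sha256:
            cur.sha256 = sha256.group(1)
        elif URL_LINE.match(line):
            cur.references.append(line)
    return strikes


def hash_index(strikes):
    """Map every known digest (any of the three algorithms) to its strike ID."""
    index = {}
    for s in strikes:
        for digest in (s.md5, s.sha1, s.sha256):
            if digest:
                index[digest] = s.strike_id
    return index


def match_bytes(data, index):
    """Return the strike ID whose hashes cover `data`, or None."""
    for algo in ("md5", "sha1", "sha256"):
        hit = index.get(hashlib.new(algo, data).hexdigest())
        if hit:
            return hit
    return None


if __name__ == "__main__":
    rows = parse_strikes(SAMPLE)
    for s in rows:
        print(s.strike_id, s.name, s.platform, s.problems() or "ok")
    print(match_bytes(b"constructed, not a real sample", hash_index(rows)))
```

The description is matched non-greedily and the MD5/SHA1 pair is anchored to the end of the line, so a description that itself ends in a truncated sentence (as the Nitol row does) still parses cleanly. Rows such as the Gh0stRAT entries, which carry no external reference, are reported by problems() rather than silently accepted.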

Malware Strikes May - 2017

Strike ID Malware Platform Info MD5 External References
M17-as601 | Jaff_a88358eb | Windows
This strike sends a malware sample known as Jaff. Researchers observed several large-scale email campaigns distributing a new ransomware variant dubbed "Jaff", which shares several characteristics previously seen in Dridex and Locky campaigns. Within a short period, multiple campaigns delivered high volumes of malicious spam, each carrying a PDF attachment with an embedded Microsoft Word document that acts as the initial downloader for the Jaff ransomware.
SHA1: 8385a34d752d8e2c4fbbfa45a4cd3698210abd58
MD5: a88358eb5e1efc92c74b35850ab6f2af
SHA256: 341267f4794a49e566c9697c77e974a99e41445cf41d8387040049ee1b8b2f3b
http://blog.talosintelligence.com/2017/05/jaff-ransomware.html

M17-eh301 | EternalRocks_496131b9 | Windows
This strike sends a malware sample known as EternalRocks. EternalRocks is a worm that spreads by attacking the Windows SMB file-sharing service with the leaked ETERNALBLUE, ETERNALCHAMPION, ETERNALROMANCE and ETERNALSYNERGY exploits.
SHA1: f1c027679d5009da067b12af258adc8afaade178
MD5: 496131b90f83e8278462d2dd21213646
SHA256: 94189147ba9749fd0f184fe94b345b7385348361480360a59f12adf477f61c97
http://thehackernews.com/2017/05/smb-windows-hacking-tools.html

M17-yr301 | EternalRocks_b7cf3852 | Windows
This strike sends a malware sample known as EternalRocks. EternalRocks is a worm that spreads by attacking the Windows SMB file-sharing service with the leaked ETERNALBLUE, ETERNALCHAMPION, ETERNALROMANCE and ETERNALSYNERGY exploits.
SHA1: 1cbc9d531ba0e5e67a1ada95cff19bf0020f88f8
MD5: b7cf3852a0168777f8856e6565d8fe2e
SHA256: 9bd32162e0a50f8661fd19e3b26ff65868ab5ea636916bd54c244b0148bd9c1b
http://thehackernews.com/2017/05/smb-windows-hacking-tools.html

M17-jm101 | Jaff_ef87cec0 | Windows
This strike sends a malware sample known as Jaff. Researchers observed several large-scale email campaigns distributing a new ransomware variant dubbed "Jaff", which shares several characteristics previously seen in Dridex and Locky campaigns. Within a short period, multiple campaigns delivered high volumes of malicious spam, each carrying a PDF attachment with an embedded Microsoft Word document that acts as the initial downloader for the Jaff ransomware.
SHA1: e2b666ac2d90c9f03ea9ee068f29858129c2c97e
MD5: ef87cec0cd8407f2be2e7c715fa5080b
SHA256: 9f159fc971a397f8bc560f56a34c5de3626cfa4906408228c33730e2fe6c1c43
http://blog.talosintelligence.com/2017/05/jaff-ransomware.html

M17-ltz01 | WannaCry_7f7ccaa1 | Windows
This strike sends a malware sample known as WannaCry. This ransomware can stop you from using your PC or accessing your data. Unlike other ransomware, this threat has worm capabilities: it uses exploit code for a patched SMB vulnerability, CVE-2017-0145, which was fixed in security bulletin MS17-010, released on March 14, 2017.
SHA1: bd44d0ab543bf814d93b719c24e90d8dd7111234
MD5: 7f7ccaa16fb15eb1c7399d422f8363e8
SHA256: 2584e1521065e45ec3c17767c065429038fc6291c091097ea8b22c8a502c41dd
https://isc.sans.org/forums/diary/Massive+wave+of+ransomware+ongoing/22412/

M17-9zl01 | EternalRocks_198f27f5 | Windows
This strike sends a malware sample known as EternalRocks. EternalRocks is a worm that spreads by attacking the Windows SMB file-sharing service with the leaked ETERNALBLUE, ETERNALCHAMPION, ETERNALROMANCE and ETERNALSYNERGY exploits.
SHA1: e8b40f35af4d5bb24d73faa5a4babb86191b5310
MD5: 198f27f5ab972bfd99e89802e40d6ba7
SHA256: a77c61e86bc69fdc909560bb7a0fa1dd61ee6c86afceb9ea17462a97e7114ab0
http://thehackernews.com/2017/05/smb-windows-hacking-tools.html

M17-68201 | WannaCry_d5dcd286 | Windows
This strike sends a malware sample known as WannaCry. This ransomware can stop you from using your PC or accessing your data. Unlike other ransomware, this threat has worm capabilities: it uses exploit code for a patched SMB vulnerability, CVE-2017-0145, which was fixed in security bulletin MS17-010, released on March 14, 2017.
SHA1: cf60fa60d2f461dddfdfcebf16368e6b539cd9ba
MD5: d5dcd28612f4d6ffca0cfeaefd606bcf
SHA256: 32f24601153be0885f11d62e0a8a2f0280a2034fc981d8184180c5d3b1b9e8cf
https://isc.sans.org/forums/diary/Massive+wave+of+ransomware+ongoing/22412/

M17-y9401 | EternalRocks_ba629216 | Mixed
This strike sends the exma-1.dll component used by the EternalRocks malware. EternalRocks is a worm that spreads by attacking the Windows SMB file-sharing service with the leaked ETERNALBLUE, ETERNALCHAMPION, ETERNALROMANCE and ETERNALSYNERGY exploits.
SHA1: 37bb800b2bb812d4430e2510f14b5b717099abaa
MD5: ba629216db6cf7c0c720054b0c9a13f3
SHA256: 15292172a83f2e7f07114693ab92753ed32311dfba7d54fe36cc7229136874d9
http://thehackernews.com/2017/05/smb-windows-hacking-tools.html
https://www.metadefender.com/?_escaped_fragment_=/results/file/aceebfc33b88455d9aa096456615447b/regular#!/results/file/aceebfc33b88455d9aa096456615447b/regular

M17-wlj01 | EternalRocks_c52f20a8 | Windows
This strike sends a malware sample known as EternalRocks. EternalRocks is a worm that spreads by attacking the Windows SMB file-sharing service with the leaked ETERNALBLUE, ETERNALCHAMPION, ETERNALROMANCE and ETERNALSYNERGY exploits.
SHA1: 8a2cfe220eebde096c17266f1ba597a1065211ab
MD5: c52f20a854efb013a0a1248fd84aaa95
SHA256: cf8533849ee5e82023ad7adbdbd6543cb6db596c53048b1a0c00b3643a72db30
http://thehackernews.com/2017/05/smb-windows-hacking-tools.html

M17-ckc01 | Jaff_924c8441 | Windows
This strike sends a malware sample known as Jaff. Researchers observed several large-scale email campaigns distributing a new ransomware variant dubbed "Jaff", which shares several characteristics previously seen in Dridex and Locky campaigns. Within a short period, multiple campaigns delivered high volumes of malicious spam, each carrying a PDF attachment with an embedded Microsoft Word document that acts as the initial downloader for the Jaff ransomware.
SHA1: 8ab568db2bc914e3e6af048666eb0bc4ba2e414d
MD5: 924c84415b775af12a10366469d3df69
SHA256: 0746594fc3e49975d3d94bac8e80c0cdaa96d90ede3b271e6f372f55b20bac2f
http://blog.talosintelligence.com/2017/05/jaff-ransomware.html

M17-5r901 | WannaCry_db349b97 | Mixed
This strike sends a malware sample known as WannaCry. A major ransomware attack affected many organizations across the world, reportedly including Telefonica in Spain, the National Health Service in the UK, and FedEx in the US. The malware responsible is a ransomware variant known as 'WannaCry'. It scans heavily over TCP port 445 (Server Message Block/SMB) and spreads like a worm: compromising hosts, encrypting the files stored on them, then demanding a ransom payment in Bitcoin. Note that it does not simply scan internal ranges to find hosts to spread to; it is also capable of spreading to vulnerable externally facing hosts across the Internet.
SHA1: e889544aff85ffaf8b0d0da705105dee7c97fe26
MD5: db349b97c37d22f5ea1d1841e3c89eb4
SHA256: 24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c
http://blog.talosintelligence.com/2017/05/wannacry.html

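The scanning behaviour described for WannaCry, and the SMB exploit-driven spread of EternalRocks in the rows above, is visible in network telemetry as one host opening connections to many distinct peers on TCP/445 within a short time. The Python below is an added example, not from this page or from any vendor, that flags such fan-out from flow records and reports how many of the targets lie outside RFC 1918 space, since the description notes the worm also reaches Internet-facing hosts. The record format, window, threshold and sample records are constructed assumptions; adapt the parser to your firewall export or Zeek conn.log.

```python
"""Flag hosts that fan out over TCP/445 the way WannaCry and EternalRocks do.

Added example, not from the original page or from any vendor's tooling.
Input lines are constructed flow records of the form
    <epoch seconds> <src_ip> <dst_ip> <dst_port> <proto>
The window, threshold, RFC 1918 test and field order are this example's
own assumptions.
"""
import ipaddress
from collections import defaultdict, deque

WINDOW_SECONDS = 60    # how far back to look per source host
FANOUT_THRESHOLD = 20  # distinct TCP/445 targets inside the window that raise an alert

PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)


def detect_smb_fanout(lines, window=WINDOW_SECONDS, threshold=FANOUT_THRESHOLD):
    """Return {src_ip: alert} for sources whose distinct-target count on
    TCP/445 reaches `threshold` within `window` seconds.  The alert is the
    snapshot at first crossing: when it happened, how many targets, and
    how many of them were outside RFC 1918 space (Internet-facing spread)."""
    recent = defaultdict(deque)            # src -> deque[(ts, dst)] inside window
    alerts = {}
    for line in lines:
        fields = line.split()
        if len(fields) != 5:
            continue                       # tolerate malformed records
        ts, src, dst, dport, proto = fields
        if proto != "tcp" or dport != "445":
            continue
        ts = float(ts)
        q = recent[src]
        q.append((ts, dst))
        while q and ts - q[0][0] > window:
            q.popleft()                    # expire records older than the window
        targets = {d for _, d in q}
        if len(targets) >= threshold and src not in alerts:
            alerts[src] = {
                "at": ts,
                "targets": len(targets),
                "external": sum(1 for d in targets if not is_internal(d)),
            }
    return alerts


def constructed_log():
    """Synthetic records: one workstation using three file servers normally,
    one infected host sweeping its /24 plus a few Internet addresses."""
    lines = []
    for i in range(30):                                # benign: 3 servers, repeated
        lines.append(f"{1000 + 2 * i} 10.0.0.5 10.0.0.{10 + i % 3} 445 tcp")
    for i in range(1, 26):                             # worm-like sweep, one host/s
        lines.append(f"{1000 + i} 10.0.0.77 10.0.0.{i} 445 tcp")
    for i, ext in enumerate(("203.0.113.7", "198.51.100.23", "192.0.2.41")):
        lines.append(f"{1003.5 + i} 10.0.0.77 {ext} 445 tcp")   # Internet targets
    lines.append("1010 10.0.0.77 10.0.0.99 53 udp")              # ignored: not SMB
    return sorted(lines, key=lambda rec: float(rec.split()[0]))


if __name__ == "__main__":
    for src, alert in detect_smb_fanout(constructed_log()).items():
        print(f"ALERT {src}: {alert['targets']} SMB targets in {WINDOW_SECONDS}s "
              f"at t={alert['at']}, {alert['external']} outside RFC 1918 space")
```

The workstation talking to its three file servers never trips the detector; the sweeping host crosses twenty distinct targets seventeen seconds into its scan with three Internet addresses already among them. Distinct targets, not connection count, is the signal: a backup server or vulnerability scanner will also exceed it, so whitelist those sources explicitly rather than raising the threshold.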
M17-w9p01 | BondNet_e685219f | Windows
This strike sends a malware sample known as BondNet. BondNet is a botnet of more than 15,000 compromised servers. It is used to mine cryptocurrency and can easily be switched to other purposes. It was first spotted in December 2016.
SHA1: a645b3f5956aba168437ed7368c6584db130b6bb
MD5: e685219f5704bd854d5ed6668b0e9146
SHA256: c1fee6f3375b891081fa9815c620ad8c1a80e3c62dccc7f24c5afee72cf3ddcd
https://www.guardicore.com/2017/05/the-bondnet-army/
http://thehackernews.com/2017/05/cryptocurrency-mining-botnet.html

M17-15o01 | WannaCrypt_d724d8cc | Windows
This strike sends a malware sample known as WannaCrypt. This ransomware can stop you from using your PC or accessing your data. Unlike other ransomware, this threat has worm capabilities: it uses exploit code for a patched SMB vulnerability, CVE-2017-0145, which was fixed in security bulletin MS17-010, released on March 14, 2017.
SHA1: 3b669778698972c402f7c149fc844d0ddb3a00e8
MD5: d724d8cc6420f06e8a48752f0da11c66
SHA256: 07c44729e2c570b37db695323249474831f5861d45318bf49ccf5d2f5c8ea1cd
https://blogs.technet.microsoft.com/mmpc/2017/05/12/wannacrypt-ransomware-worm-targets-out-of-date-systems/

M17-yqs01 | EternalRocks_3771b975 | Windows
This strike sends a malware sample known as EternalRocks. EternalRocks is a worm that spreads by attacking the Windows SMB file-sharing service with the leaked ETERNALBLUE, ETERNALCHAMPION, ETERNALROMANCE and ETERNALSYNERGY exploits.
SHA1: f57f71ae1e52f25ec9f643760551e1b6cfb9c7ff
MD5: 3771b97552810a0ed107730b718f6fe1
SHA256: 64442cceb7d618e70c62d461cfaafdb8e653b8d98ac4765a6b3d8fd1ea3bce15
http://thehackernews.com/2017/05/smb-windows-hacking-tools.html

M17-dfi01 | WannaCry_4287e15a | Windows
This strike sends a malware sample known as WannaCry. This ransomware can stop you from using your PC or accessing your data. Unlike other ransomware, this threat has worm capabilities: it uses exploit code for a patched SMB vulnerability, CVE-2017-0145, which was fixed in security bulletin MS17-010, released on March 14, 2017.
SHA1: cd79b536868efb8b2edd2db4e4100f0bd2f69e28
MD5: 4287e15af6191f5cab1c92ff7be8dcc3
SHA256: b9318a66fa7f50f2f3ecaca02a96268ad2c63db7554ea3acbde43bf517328d06
https://isc.sans.org/forums/diary/Massive+wave+of+ransomware+ongoing/22412/

M17-g4v01 | Jaff_ab5f5327 | Windows
This strike sends a malware sample known as Jaff. Researchers observed several large-scale email campaigns distributing a new ransomware variant dubbed "Jaff", which shares several characteristics previously seen in Dridex and Locky campaigns. Within a short period, multiple campaigns delivered high volumes of malicious spam, each carrying a PDF attachment with an embedded Microsoft Word document that acts as the initial downloader for the Jaff ransomware.
SHA1: d148f8f990efcba6c49d73d33fc438185f61d6f2
MD5: ab5f53278c24077be9bba7c7af9951e9
SHA256: 03363f9f6938f430a58f3f417829aa3e98875703eb4c2ae12feccc07fff6ba47
http://blog.talosintelligence.com/2017/05/jaff-ransomware.html

M17-doy01 | WannaCry_4fef5e34 | Windows
This strike sends a malware sample known as WannaCry. This ransomware can stop you from using your PC or accessing your data. Unlike other ransomware, this threat has worm capabilities: it uses exploit code for a patched SMB vulnerability, CVE-2017-0145, which was fixed in security bulletin MS17-010, released on March 14, 2017.
SHA1: 47a9ad4125b6bd7c55e4e7da251e23f089407b8f
MD5: 4fef5e34143e646dbf9907c4374276f5
SHA256: 4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79
https://blogs.technet.microsoft.com/mmpc/2017/05/12/wannacrypt-ransomware-worm-targets-out-of-date-systems/

M17-1kd01 | BondNet_37e2490d | Windows
This strike sends a malware sample known as BondNet. BondNet is a botnet of more than 15,000 compromised servers. It is used to mine cryptocurrency and can easily be switched to other purposes. It was first spotted in December 2016.
SHA1: 6cdbd359838b7213f2958717b914b1ac4157408c
MD5: 37e2490d6c9391fe81043eeb7cfa637a
SHA256: 18a2f191db62cc45601981180e6263c46657f537e0842cbc350a47efaa775178
https://www.guardicore.com/2017/05/the-bondnet-army/
http://thehackernews.com/2017/05/cryptocurrency-mining-botnet.html

M17-lvk01 | Jaff_3f6c1a27 | Mixed
This strike sends a malware sample known as Jaff. Researchers observed several large-scale email campaigns distributing a new ransomware variant dubbed "Jaff", which shares several characteristics previously seen in Dridex and Locky campaigns. Within a short period, multiple campaigns delivered high volumes of malicious spam, each carrying a PDF attachment with an embedded Microsoft Word document that acts as the initial downloader for the Jaff ransomware.
SHA1: be968fea50dea7568d19e79b1fe667d36f11ab13
MD5: 3f6c1a2735a8595cb1b03260bec9cb1b
SHA256: 9e16ad6391fa20ec5f59c8790ade437b495a344979bb5e22df3c6706b4380b0b
http://blog.talosintelligence.com/2017/05/jaff-ransomware.html

M17-0k701 | EternalRocks_2d540860 | Windows
This strike sends a malware sample known as EternalRocks. EternalRocks is a worm that spreads by attacking the Windows SMB file-sharing service with the leaked ETERNALBLUE, ETERNALCHAMPION, ETERNALROMANCE and ETERNALSYNERGY exploits.
SHA1: 822db2fd78b39b49547cce2f7fb92b276c74bcef
MD5: 2d540860d91cd25cc8d61555523c76ff
SHA256: ad8965e531424cb34120bf0c1b4b98d4ab769bed534d9a36583364e9572332fa
http://thehackernews.com/2017/05/smb-windows-hacking-tools.html

M17-n4j01 | Gh0stRAT_4dbd1730 | Windows
This strike sends a malware sample known as Gh0stRAT. The sample has been observed being spread by EternalBlue/DoublePulsar in the wild.
SHA1: a1c6ea9579ab8376ec4173a86b71ba716524aa9a
MD5: 4dbd1730fc1d9ee7dafe0cd19f2910f1
SHA256: 86b6178314c57c51c67d91ae45ee25fad1fb6d6e37d35bc4307fa5c49bde2910

M17-syt01 | WannaCry_509c41ec | Windows
This strike sends a malware sample known as WannaCry. A major ransomware attack affected many organizations across the world, reportedly including Telefonica in Spain, the National Health Service in the UK, and FedEx in the US. The malware responsible is a ransomware variant known as 'WannaCry'. It scans heavily over TCP port 445 (Server Message Block/SMB) and spreads like a worm: compromising hosts, encrypting the files stored on them, then demanding a ransom payment in Bitcoin. Note that it does not simply scan internal ranges to find hosts to spread to; it is also capable of spreading to vulnerable externally facing hosts across the Internet.
SHA1: 87420a2791d18dad3f18be436045280a4cc16fc4
MD5: 509c41ec97bb81b0567b059aa2f50fe8
SHA256: 09a46b3e1be080745a6d8d88d6b5bd351b1c7586ae0dc94d0c238ee36421cafa
http://blog.talosintelligence.com/2017/05/wannacry.html

M17-dyn01 | WannaCrypt_84c82835 | Windows
This strike sends a malware sample known as WannaCrypt. This ransomware can stop you from using your PC or accessing your data. Unlike other ransomware, this threat has worm capabilities: it uses exploit code for a patched SMB vulnerability, CVE-2017-0145, which was fixed in security bulletin MS17-010, released on March 14, 2017.
SHA1: 5ff465afaabcbf0150d1a3ab2c2e74f3a4426467
MD5: 84c82835a5d21bbcf75a61706d8ab549
SHA256: ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa
https://blogs.technet.microsoft.com/mmpc/2017/05/12/wannacrypt-ransomware-worm-targets-out-of-date-systems/

M17-5tw01 | BondNet_8b11325f | Windows
This strike sends a malware sample known as BondNet. BondNet is a botnet of more than 15,000 compromised servers. It is used to mine cryptocurrency and can easily be switched to other purposes. It was first spotted in December 2016.
SHA1: a5a5cf1910339490ec429b605a324b74a92edb38
MD5: 8b11325f4b729b7072c050035b454759
SHA256: 785d97c2c215c3c0b76c11610680f04236ef1a5c7fbcf4a86fb5f89996858b78
https://www.guardicore.com/2017/05/the-bondnet-army/
http://thehackernews.com/2017/05/cryptocurrency-mining-botnet.html

M17-a3m01 | Adylkuzz_f2e1d236 | Windows
This strike sends a malware sample known as Adylkuzz. Adylkuzz is Windows malware that installs a cryptocurrency miner on compromised machines.
SHA1: 262c22ffd66c33da641558f3da23f7584881a782
MD5: f2e1d236c5d2c009e1749fc6479a9ede
SHA256: 8200755cbedd6f15eecd8207eba534709a01957b172d7a051b9cc4769ddbf233
https://www.proofpoint.com/us/threat-insight/post/adylkuzz-cryptocurrency-mining-malware-spreading-for-weeks-via-eternalblue-doublepulsar

M17-2eu01 | WannaCry_8495400f | Windows
This strike sends a malware sample known as WannaCry. This ransomware can stop you from using your PC or accessing your data. Unlike other ransomware, this threat has worm capabilities: it uses exploit code for a patched SMB vulnerability, CVE-2017-0145, which was fixed in security bulletin MS17-010, released on March 14, 2017.
SHA1: be5d6279874da315e3080b06083757aad9b32c23
MD5: 8495400f199ac77853c53b5a3f278f3e
SHA256: 2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d
https://isc.sans.org/forums/diary/Massive+wave+of+ransomware+ongoing/22412/

M17-6q201 | WannaCrypt_a44964a7 | Windows
This strike sends a malware sample known as WannaCrypt. This sample uses the exploit known as EternalBlue and spreads via CVE-2017-0145. Once infected, a host encrypts all of its files and then searches for other hosts to infect over SMB, both on the local network and across the Internet.
SHA1: 507409fb6d519580efe81756ca49172f33bcd388
MD5: a44964a7be94072cdfe085bc43e7dc95
SHA256: f470fbf340e5ad8be24b29712f565eaff0c67564a4872e0cedb05a1876a838d0
https://blogs.technet.microsoft.com/mmpc/2017/05/12/wannacrypt-ransomware-worm-targets-out-of-date-systems/

M17-bcd01 | Adylkuzz_71b0279f | Windows
This strike sends a malware sample known as Adylkuzz. Adylkuzz is Windows malware that installs a cryptocurrency miner on compromised machines.
SHA1: ff50f7d7e1d09298ff5a37351a682f83c5df8c87
MD5: 71b0279ff6b5f1dddac59a0704070e28
SHA256: fab31a2d44e38e733e1002286e5df164509afe18149a8a2f527ec6dc5e71cb00
https://www.proofpoint.com/us/threat-insight/post/adylkuzz-cryptocurrency-mining-malware-spreading-for-weeks-via-eternalblue-doublepulsar

M17-n1f01 | EternalRocks_994bd0b2 | Windows
This strike sends a malware sample known as EternalRocks. EternalRocks is a worm that spreads by attacking the Windows SMB file-sharing service with the leaked ETERNALBLUE, ETERNALCHAMPION, ETERNALROMANCE and ETERNALSYNERGY exploits.
SHA1: b05f2d07d0af1184066f766bc78d1b680236c1b3
MD5: 994bd0b23cce98b86e58218b9032ffab
SHA256: e049d8f69ddee0c2d360c27b98fa9e61b7202bb0d3884dd3ca63f8aa288422dc
http://thehackernews.com/2017/05/smb-windows-hacking-tools.html

M17-1ap01 | WannaCrypt_c65f526f | Windows
This strike sends a malware sample known as WannaCrypt. This ransomware can stop you from using your PC or accessing your data. Unlike other ransomware, this threat has worm capabilities: it uses exploit code for a patched SMB vulnerability, CVE-2017-0145, which was fixed in security bulletin MS17-010, released on March 14, 2017.
SHA1: 098e0ad1ff79ece7c514155bb4b9ef643848ff6b
MD5: c65f526f7a2868f9dcd9150c1ad1a0fc
SHA256: 00c3ddb3a4bccb0577041f0a4fc536a0a9fbc29aadc68e92359ec20373b94ede
https://blogs.technet.microsoft.com/mmpc/2017/05/12/wannacrypt-ransomware-worm-targets-out-of-date-systems/

M17-zn801 | DDoSBot_154c03c6 | Windows
This strike sends a malware sample known as DDoSBot. The sample has been observed being spread by EternalBlue/DoublePulsar in the wild.
SHA1: ca6af34d30067ee45c7671a4e4e70abbf36f4e85
MD5: 154c03c6d02d443898cddb6a6001a3d3
SHA256: 3ec21d093edc24aa7ffaff014cfa9ee2d5ea165f1434590bc0d1b0c31845c2a1

M17-aar01 | Jaff_f115d1fe | Mixed
This strike sends a malware sample known as Jaff. Researchers observed several large-scale email campaigns distributing a new ransomware variant dubbed "Jaff", which shares several characteristics previously seen in Dridex and Locky campaigns. Within a short period, multiple campaigns delivered high volumes of malicious spam, each carrying a PDF attachment with an embedded Microsoft Word document that acts as the initial downloader for the Jaff ransomware.
SHA1: 65f36039af8c1f74de0d998965f22988a0fc4ef5
MD5: f115d1fe4f579841c054b03d1ba29c97
SHA256: 4028f165d9465df0541c431b8ec815e4b0208ac505b9101b8e8e4bfd558ee778
http://blog.talosintelligence.com/2017/05/jaff-ransomware.html

M17-8qf01 | EternalRocks_7f9596b3 | Windows
This strike sends a malware sample known as EternalRocks. EternalRocks is a worm that spreads by attacking the Windows SMB file-sharing service with the leaked ETERNALBLUE, ETERNALCHAMPION, ETERNALROMANCE and ETERNALSYNERGY exploits.
SHA1: 9f993f080b2708ece0d8d42df2c19dc77aaa80f1
MD5: 7f9596b332134a60f9f6b85ab616b141
SHA256: e77306d2e3d656fa04856f658885803243aef204760889ca2c09fbe9ba36581d
http://thehackernews.com/2017/05/smb-windows-hacking-tools.html

M17-x7v01 | EternalRocks_5f714b56 | Windows
This strike sends a malware sample known as EternalRocks. EternalRocks is a worm that spreads by attacking the Windows SMB file-sharing service with the leaked ETERNALBLUE, ETERNALCHAMPION, ETERNALROMANCE and ETERNALSYNERGY exploits.
SHA1: 03f3901595438c7c3878fa6cf1c24ae3d06bd9e0
MD5: 5f714b563aafef8574f6825ad9b5a0bf
SHA256: 20240431d6eb6816453651b58b37f53950fcc3f0929813806525c5fd97cdc0e1
http://thehackernews.com/2017/05/smb-windows-hacking-tools.html

M17-ui301 | BondNet_e3427d9f | Windows
This strike sends a malware sample known as BondNet. BondNet is a botnet of more than 15,000 compromised servers. It is used to mine cryptocurrency and can easily be switched to other purposes. It was first spotted in December 2016.
SHA1: ffff4672790378677ec30d3634fc593c10dfd37e
MD5: e3427d9f439aebefa3d9c299e2a94af3
SHA256: 7374051e75ae97ba687cd153927faccd21fcdcc0b41a42867d38ac62064f6aba
https://www.guardicore.com/2017/05/the-bondnet-army/
http://thehackernews.com/2017/05/cryptocurrency-mining-botnet.html

M17-n0201 | WannaCrypt_f107a717 | Windows
This strike sends a malware sample known as WannaCrypt. This ransomware can stop you from using your PC or accessing your data. Unlike other ransomware, this threat has worm capabilities: it uses exploit code for a patched SMB vulnerability, CVE-2017-0145, which was fixed in security bulletin MS17-010, released on March 14, 2017.
SHA1: 51e4307093f8ca8854359c0ac882ddca427a813c
MD5: f107a717f76f4f910ae9cb4dc5290594
SHA256: f8812f1deb8001f3b7672b6fc85640ecb123bc2304b563728e6235ccbe782d85
https://blogs.technet.microsoft.com/mmpc/2017/05/12/wannacrypt-ransomware-worm-targets-out-of-date-systems/

M17-4lg01 | WannaCry_7bf2b57f | Windows
This strike sends a malware sample known as WannaCry. This ransomware can stop you from using your PC or accessing your data. Unlike other ransomware, this threat has worm capabilities: it uses exploit code for a patched SMB vulnerability, CVE-2017-0145, which was fixed in security bulletin MS17-010, released on March 14, 2017.
SHA1: 45356a9dd616ed7161a3b9192e2f318d0ab5ad10
MD5: 7bf2b57f2a205768755c07f238fb32cc
SHA256: b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25
https://blogs.technet.microsoft.com/mmpc/2017/05/12/wannacrypt-ransomware-worm-targets-out-of-date-systems/

M17-8ku01 | WannaCrypt_465333f9 | Mixed
This strike sends a malware sample known as WannaCrypt. This ransomware can stop you from using your PC or accessing your data. Unlike other ransomware, this threat has worm capabilities: it uses exploit code for a patched SMB vulnerability, CVE-2017-0145, which was fixed in security bulletin MS17-010, released on March 14, 2017.
SHA1: bba61e561a4cfa3ba7929eae2395d99298043ed3
MD5: 465333f97e486c74906464105320c5b2
SHA256: 3abe4af565974df6727007ea63742289403477a85ce897d71b4612dd26950fde
https://blogs.technet.microsoft.com/mmpc/2017/05/12/wannacrypt-ransomware-worm-targets-out-of-date-systems/

M17-ov601 | EternalRocks_67ef79ee | Windows
This strike sends a malware sample known as EternalRocks. EternalRocks is a worm that spreads by attacking the Windows SMB file-sharing service with the leaked ETERNALBLUE, ETERNALCHAMPION, ETERNALROMANCE and ETERNALSYNERGY exploits.
SHA1: 7d0a8cef28518f9be8ad083dcbd719ac4c85d89c
MD5: 67ef79ee308b8625d5f20ea3e5379436
SHA256: a7c387b4929f51e38706d8b0f8641e032253b07bc2869a450dfa3df5663d7392
http://thehackernews.com/2017/05/smb-windows-hacking-tools.html

Malware Strikes April - 2017

Strike ID Malware Platform Info MD5 External References
M17-4g501 | Locky_385e0361 | Mixed
This strike sends a malware sample known as Locky. Locky is ransomware for Windows systems that appeared at the beginning of 2016. This particular campaign relies on JavaScript attachments to download the malware. Like other ransomware, it encrypts local files as well as network shares and renames them to [unique_id][identifier].locky; the victim is asked to pay a ransom to get the files decrypted. This sample is a Word document described in a Cisco Talos blog post about new Locky activity seen in April 2017.
SHA1: e2caed21a8d7a96f3c56a0b33c2e6bf4695101be
MD5: 385e0361652c51b07cf73d670536a9a3
SHA256: 52db4cca867773fdce9cd8d6d4e9b8ea66c2c0c4067f33fd4aaf6bfa0c5e4d62
http://blog.talosintelligence.com/2017/04/locky-returns-necurs.html

M17-gv901 | LATENTBOT_c10dabb0 | Mixed
This strike sends a malware sample known as LATENTBOT. LATENTBOT is malware that may be used to harvest credentials, encrypt and ransom an infected target, or wipe the infected hard drive.
SHA1: 9aed05edab5d0200eb509ed22c8c30f19652814c
MD5: c10dabb05a38edd8a9a0ddda1c9af10e
SHA256: f4a0f65e9161a266b557e3850e3d17f08b2843ee560f8a89ecf7059eba104e66
https://www.fireeye.com/blog/threat-research/2017/04/cve-2017-0199_useda.html
https://www.fireeye.com/blog/threat-research/2015/12/latentbot_trace_me.html

M17-2kr01 | Dimnie_555363dd | Windows
This strike sends a malware sample known as Dimnie. Dimnie is data-stealing malware that targets developers with GitHub repositories. It includes keylogging and screenshot capture.
SHA1: ba4f86a7f7d4a09c938600f057be58eaa8b9f425
MD5: 555363ddd1dc30b1f1dc2399fc404a5c
SHA256: f3a1fb80a5c79d3735ddc4328b915a4b034526ae96345c9b2465c16582ab54be
http://researchcenter.paloaltonetworks.com/2017/03/unit42-dimnie-hiding-plain-sight/
http://securityaffairs.co/wordpress/57565/malware/dimnie-data-stealer-github.html

M17-twk01 | Dimnie_72fe42ff | Windows
This strike sends a malware sample known as Dimnie. Dimnie is data-stealing malware that targets developers with GitHub repositories. Dimnie includes keylogging and screenshot capture features.
SHA1: d52a7fa6d4dab80eacf95513139b9abb69e6dc9f
MD5: 72fe42ff160524017760de177243518d
SHA256: 3bb134617af6f7b0f0c483b315f7ea45b2ed2c4a91005b453c9ec9e86ef0d70b
http://researchcenter.paloaltonetworks.com/2017/03/unit42-dimnie-hiding-plain-sight/
http://securityaffairs.co/wordpress/57565/malware/dimnie-data-stealer-github.html
M17-gx401 | Dimnie_7853b5f8 | Windows
This strike sends a malware sample known as Dimnie. Dimnie is data-stealing malware that targets developers with GitHub repositories. Dimnie includes keylogging and screenshot capture features.
SHA1: fae17a413c0418bb5439c209ae5764b150bd2efd
MD5: 7853b5f8407c70dfaa9bb5e8dc983e90
SHA256: 210024ece45a6935da89ab7c5ae3293616679414e96e2157e49f9f607c831bdc
http://researchcenter.paloaltonetworks.com/2017/03/unit42-dimnie-hiding-plain-sight/
http://securityaffairs.co/wordpress/57565/malware/dimnie-data-stealer-github.html
M17-2hq01 | cerber_eb94cadf | Windows
This strike sends a malware sample known as cerber. This ransomware sample was collected while analyzing exploits for CVE-2017-5638 on April 6, 2017.
SHA1: d4c5e130a0ac94120fd68ecd988df12b5a25f0c2
MD5: eb94cadf5b25feda33888b7ac35e04e9
SHA256: 5952963708e4cf2e13c29ced6451a52284afb3f45a11ba4087c3c438dad2427d
M17-3vi01 | Dimnie_d03eb7fb | Windows
This strike sends a malware sample known as Dimnie. Dimnie is data-stealing malware that targets developers with GitHub repositories. Dimnie includes keylogging and screenshot capture features.
SHA1: 879dad113a572ebae9022eecc84c5cae0495d800
MD5: d03eb7fb350abc68de35fa9dc6cd22aa
SHA256: cbb7c2fedc753f62fa1bf47f2e0c6aa487eecfd27d867789764dbde97a8b9449
http://researchcenter.paloaltonetworks.com/2017/03/unit42-dimnie-hiding-plain-sight/
http://securityaffairs.co/wordpress/57565/malware/dimnie-data-stealer-github.html
M17-w3d01 | Locky_7fe902d6 | Mixed
This strike sends a malware sample known as Locky. Locky is ransomware for Windows systems that appeared at the beginning of 2016. This particular variant relies on JavaScript attachments to download itself. Like other ransomware, it encrypts local files as well as network shares and renames them to [unique_id][identifier].locky. The victim is asked to pay a ransom to get the files decrypted. This sample is a Word document described in a Cisco Talos blog post about new Locky malware seen in April 2017.
SHA1: 60584a00bcc2941376600d98d7d30f8c95e7224d
MD5: 7fe902d6f42089267ea7ae60d9a4df01
SHA256: 10ce87f33381989373c519e2ff539f86c2a0a2a4cab0b791e82d4afece0367e6
http://blog.talosintelligence.com/2017/04/locky-returns-necurs.html
M17-7xo01 | Cerber_1fdcd604 | Windows
This strike sends a malware sample known as Cerber. This sample of Cerber ransomware was discovered while analyzing drive-by exploits abusing Apache Struts CVE-2017-5638.
SHA1: 5f80cf741d7a8fac10e269d7b085d69558483c64
MD5: 1fdcd6045c7e69f05fb7b4e497f813cf
SHA256: 89e5cd34fc349ba0791ee42fc68b84c69f8b579bcb2207b2925762e14b36048e
M17-hik01 | LATENTBOT_025b6fb2 | Mixed
This strike sends a malware sample known as LATENTBOT. LATENTBOT is malware that may be used to harvest credentials, encrypt and ransom an infected target, or wipe the infected hard drive.
SHA1: 88357af86c5984cca1b34150e7be08d5db58be03
MD5: 025b6fb24dc9dc6c93aeaf6e5baec2aa
SHA256: e9339747b31f576e6d4049696a4f4bd7053bcd29dafb0a7f2e55b8aab1539b67
https://www.fireeye.com/blog/threat-research/2017/04/cve-2017-0199_useda.html
https://www.fireeye.com/blog/threat-research/2015/12/latentbot_trace_me.html
M17-60z01 | Locky_32093440 | Mixed
This strike sends a malware sample known as Locky. Locky is ransomware for Windows systems that appeared at the beginning of 2016. This particular variant relies on JavaScript attachments to download itself. Like other ransomware, it encrypts local files as well as network shares and renames them to [unique_id][identifier].locky. The victim is asked to pay a ransom to get the files decrypted. This sample is a Word document described in a Cisco Talos blog post about new Locky malware seen in April 2017.
SHA1: bd91035775b260b1f48924bc8c0a2ebd71b71760
MD5: 3209344017e6ebf524ad7cba9951dbed
SHA256: eb822fb0d99a0b8aefcf70e484b997979a4a4c22325dfd52c4bec492e9937a03
http://blog.talosintelligence.com/2017/04/locky-returns-necurs.html
M17-b4v01 | Dimnie_adc75bc4 | Windows
This strike sends a malware sample known as Dimnie. Dimnie is data-stealing malware that targets developers with GitHub repositories. Dimnie includes keylogging and screenshot capture features.
SHA1: 356d5e07ca3157d6523c9878bc20b99935f6a897
MD5: adc75bc411a3b5e7d806606f09925f86
SHA256: 4b373c2d50e600fdae5259bbd3e989d002a776c443869b92afeb5d53b73bd1c0
http://researchcenter.paloaltonetworks.com/2017/03/unit42-dimnie-hiding-plain-sight/
http://securityaffairs.co/wordpress/57565/malware/dimnie-data-stealer-github.html
M17-byx01 | Locky_5636bb84 | Mixed
This strike sends a malware sample known as Locky. Locky is ransomware for Windows systems that appeared at the beginning of 2016. This particular variant relies on JavaScript attachments to download itself. Like other ransomware, it encrypts local files as well as network shares and renames them to [unique_id][identifier].locky. The victim is asked to pay a ransom to get the files decrypted. This sample is a Word document described in a Cisco Talos blog post about new Locky malware seen in April 2017.
SHA1: 12893670db1a209af2bd90e8acbee291120927f9
MD5: 5636bb8497a75a3fc676c9a0a0964c77
SHA256: 026fa1191fcf895ce375ad8f8f2bda47aa8b1cb27e6be490399a1ad47d452b68
http://blog.talosintelligence.com/2017/04/locky-returns-necurs.html
M17-9qt01 | Locky_34a811ae | Mixed
This strike sends a malware sample known as Locky. Locky is ransomware for Windows systems that appeared at the beginning of 2016. This particular variant relies on JavaScript attachments to download itself. Like other ransomware, it encrypts local files as well as network shares and renames them to [unique_id][identifier].locky. The victim is asked to pay a ransom to get the files decrypted. This sample is a Word document described in a Cisco Talos blog post about new Locky malware seen in April 2017.
SHA1: f235463d86aac9a2dc0b6a8d9eb985dc4ad5e0bc
MD5: 34a811ae4390bc9529ec79844e2a7edd
SHA256: 2665260758371f88ca4e49dd577e885fc138651a0e2b3564309b892eea36f7af
http://blog.talosintelligence.com/2017/04/locky-returns-necurs.html
M17-zqx01 | Chrysaor_3a69bfbe | Android
This strike sends a malware sample known as Chrysaor. Chrysaor is Android surveillance malware.
SHA1: b6850881561265d89597d0d245b33dba3d7d3f47
MD5: 3a69bfbe5bc83c4df938177e05cd7c7c
SHA256: 3474625e63d0893fc8f83034e835472d95195254e1e4bdf99153b7c74eb44d86
http://securityaffairs.co/wordpress/57702/malware/android-chrysaor-spyware.html
https://android-developers.googleblog.com/2017/04/an-investigation-of-chrysaor-malware-on.html
M17-pti01 | Cradlecore_53f6f9a0 | Windows
This strike sends a malware sample known as Cradlecore. Cradlecore is Windows ransomware.
SHA1: a2a164a4a535c5542accb45d1268ac072b48ff1a
MD5: 53f6f9a0d0867c10841b815a1eea1468
SHA256: 47d02763457fe39edd3b84f59e145330ffd455547da7cbf67c3f0cb3ddf10542
http://securityaffairs.co/wordpress/58089/malware/cradlecore-ransomware-source-code.html
https://blogs.forcepoint.com/security-labs/cradlecore-ransomware-source-code-sale
M17-h5y01 | Cerber_7daecdce | Windows
This strike sends a malware sample known as Cerber. This sample of Cerber malware was collected by ATI's honeypot network on 4/7/2017.
SHA1: 16c95612c45351caadfeaac333a3625daa40b4db
MD5: 7daecdcec1739285f99e86e46f5dbd01
SHA256: 4570fd53f92d28fefb8c8c437ed7cd85f52e643921afd197c332707a45c08326
M17-cq401 | Philadelphia_0a380f78 | Windows
This strike sends a malware sample known as Philadelphia. Philadelphia is a variant of the Stampado ransomware. Philadelphia targets the healthcare industry and is distributed via phishing emails sent to hospitals.
SHA1: 448c93e79bf0741798ed99bb3108d1ceb90b6901
MD5: 0a380f789a882f7c4e11a1b4f87bb4fd
SHA256: 2f5b4ad81d358d57b8076a9b432be0e41ddff729c596b5b8ce5a01039dfaac3c
https://blogs.forcepoint.com/security-labs/shelf-ransomware-used-target-healthcare-sector
http://securityaffairs.co/wordpress/57795/malware/philadelphia-ransomware.html
M17-gp301 | Rokrat_c909ca40 | Windows
This strike sends a malware sample known as Rokrat. Rokrat is a Remote Access Tool (RAT) delivered via a malicious Hangul Word Processor (HWP) document.
SHA1: 75d7f88e010e5c7d9a4617157034cff16da0733f
MD5: c909ca40d1124fc86662a12d72e0fb78
SHA256: 051463a14767c6477b6dacd639f30a8a5b9e126ff31532b58fc29c8364604d00
http://securityaffairs.co/wordpress/57709/malware/rokrat-rat-south-koread.html
http://blog.talosintelligence.com/2017/04/introducing-rokrat.html

Malware Strikes March - 2017

Strike ID | Malware | Platform | Info | MD5 | External References
M16-ew201 | PowerShellMalware_2abad0ae | Mixed
This strike sends a malware sample known as PowerShellMalware. PowerShellMalware is malware based on PowerShell scripts that communicates with its command and control server through DNS messages.
SHA1: d00225d485c597bea712e7c7baa4fba7d7f281e3
MD5: 2abad0ae32dd72bac5da0af1e580a2eb
SHA256: 340795d1f2c2bdab1f2382188a7b5c838e0a79d3f059d2db9eb274b0205f6981
http://blog.talosintelligence.com/2017/03/dnsmessenger.html
http://securityaffairs.co/wordpress/56856/malware/dns-txt-malware.html
M16-1pn01 | BugDrop_1a6986fe | Windows
This strike sends a malware sample known as BugDrop. BugDrop is data-stealing malware that downloads additional data-stealing plugins onto the infected machine. BugDrop uploads all the stolen data to Dropbox.
SHA1: 0f42a1ee54b0137f5d22741524e5361880a83973
MD5: 1a6986fe9e1ba213dd738054118fcfdd
SHA256: f778ca5942d3b762367be1fd85cf7add557d26794fad187c4511b3318aff5cfd
https://cyberx-labs.com/en/blog/operation-bugdrop-cyberx-discovers-large-scale-cyber-reconnaissance-operation/
http://thehackernews.com/2017/02/ukraine-russia-hacking_20.html
M16-g3f01 | Vortex_31329543 | Windows
This strike sends a malware sample known as Vortex. Vortex is ransomware based on a freeware encryption and decryption utility hosted on GitHub (AESxWin).
SHA1: 10fcf2dee3fa68c7676076623c0be570c67698a6
MD5: 31329543947f1ee13ce020c826fb4af5
SHA256: fd218e093741316782ec4ec89f520d2962a4f3850cb5b04f9c2c9fde567dc23b
https://www.bleepingcomputer.com/news/security/the-polski-vortex-flotera-ransomware-connection/
M16-gt101 | Disttrack_6a7bff61 | Windows
This strike sends a malware sample known as Disttrack. Disttrack, or Shamoon, is malware that has been around since 2012. In November 2016 security experts detected Disttrack in a new wave of attacks against a Saudi company. Disttrack's main focus is data destruction and system damage through a wiper component. Its other components are a dropper and a communications component.
SHA1: 88fd8b5b6837f5b0342a4494d6491ef0e2e780c5
MD5: 6a7bff614a1c2fd2901a5bd1d878be59
SHA256: 7b589d45825c096d42bdf341193d3fd8fd9a0bd612a6ebd7466c26a753304df9
https://securelist.com/blog/research/77725/from-shamoon-to-stonedrill/
M16-u9r01 | StoneDrill_0ccc9ec8 | Windows
This strike sends a malware sample known as StoneDrill. StoneDrill is disk-wiping malware targeting European petroleum companies. It is similar to another disk-wiping malware called Shamoon (Disttrack).
SHA1: 279ff728023eeaa1715403ec823801bf3493f5ca
MD5: 0ccc9ec82f1d44c243329014b82d3125
SHA256: 62aabce7a5741a9270cddac49cd1d715305c1d0505e620bbeaec6ff9b6fd0260
http://usa.kaspersky.com/about-us/press-center/press-releases/2017/From_Shamoon_to_StoneDrill-Advanced_New_Destructive_Malware_Discovered_in_the_Wild_by_Kaspersky_Lab
https://securelist.com/blog/research/77725/from-shamoon-to-stonedrill/
http://thehackernews.com/2017/03/stonedrill-data-wiping-malware.html
M16-74a01 | SwearingTrojan_25c2e013 | Android
This strike sends a malware sample known as SwearingTrojan. SwearingTrojan is mobile banking malware that targets Chinese Android users. It steals personal data and sends it to the attacker via SMS or email. SwearingTrojan spreads through infected apps or through phishing SMS messages impersonating Chinese telecom service providers.
SHA1: d59e452d1535059cad3dae41fd6497c36ca000ff
MD5: 25c2e0139354ac8eb7ddcc7df361ccfb
SHA256: 7a7bef9d7bbbabc1bb16d1d8476fd0d48faffde0257f400bd5bd720736f8d207
http://blog.checkpoint.com/2017/03/21/swearing-trojan-continues-rage-even-authors-arrest/
http://securityaffairs.co/wordpress/57354/malware/rogue-cellphone-towers-spread-malware.html
M16-1pd01 | RozaLocker_8ea7224f | Windows
This strike sends a malware sample known as RozaLocker. RozaLocker is ransomware that demands 10000 Rubles for decryption. It appends the .ENC extension to encrypted files.
SHA1: aac3914f728626bfc7ea14a31ea20595ed78dcab
MD5: 8ea7224f71b5d248e9ec1b9cc56b33d4
SHA256: dfbea7de7c3e015eae2b121ff77133608cd5408e565bfe41bfe81ef82fb97426
https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-march-17th-2017-revenge-petrwrap-and-captain-kirk/
M16-yno01 | Disttrack_aae531a9 | Windows
This strike sends a malware sample known as Disttrack. Disttrack, or Shamoon, is malware that has been around since 2012. In November 2016 security experts detected Disttrack in a new wave of attacks against a Saudi company. Disttrack's main focus is data destruction and system damage through a wiper component. Its other components are a dropper and a communications component.
SHA1: d3fec4559eff85b42d8fd56ed8b403e95e211e07
MD5: aae531a922d9cca9ddca3d98be09f9df
SHA256: 25a3497d69604baf4be4d80b6824c06f1b7120144f98eeb0a13d57d6f72eb8e9
https://securelist.com/blog/research/77725/from-shamoon-to-stonedrill/
M16-3yk01 | ELF_IMEIJ_a16a281c | Linux
This strike sends a malware sample known as ELF_IMEIJ. ELF_IMEIJ is Linux malware targeting products from the company AVTech.
SHA1: 931321a4e6fb126f83bb6a0ff8ad4ffd260b9438
MD5: a16a281cbe544af40f8463c7f5186496
SHA256: 8040422762138d28aa411d8bb2307a93432416f72b292bf884fb7c7efde9f3f5
http://blog.trendmicro.com/trendlabs-security-intelligence/new-linux-malware-exploits-cgi-vulnerability/
http://securityaffairs.co/wordpress/57067/malware/elf_imeij.html
M16-ss301 | xorddos_cdc45763 | Linux
This strike sends a malware sample known as xorddos. This ELF32 binary is detected as XORDDoS. This sample was collected while analyzing attacks leveraging CVE-2017-5638 on Ixia honeypots.
SHA1: f4bb1cbdab37e0107a9c9927f57b091c9a0f09bd
MD5: cdc457633178e845bb4b306531a4588b
SHA256: 98bd48f1574a891b5ae8dff726671255e10b4b30c2f562f3edc5f6f89f35804d
https://www.ixiacom.com/company/blog/apache-struts-honeypot-scanning
M16-g4w01 | BugDrop_38dfded4 | Mixed
This strike sends a malware sample known as BugDrop. BugDrop is data-stealing malware that downloads additional data-stealing plugins onto the infected machine. BugDrop uploads all the stolen data to Dropbox.
SHA1: fff1e050f85d7b182e34e3737fc4808882d9f05b
MD5: 38dfded491a1d8d3792669cb8e41e31c
SHA256: 997841515222dbfa65d1aea79e9e6a89a0142819eaeec3467c31fa169e57076a
https://cyberx-labs.com/en/blog/operation-bugdrop-cyberx-discovers-large-scale-cyber-reconnaissance-operation/
http://thehackernews.com/2017/02/ukraine-russia-hacking_20.html
M16-xoo01 | Artemis!A70475EF2B22_a70475ef | Windows
This strike sends a malware sample known as Artemis!A70475EF2B22. This sample of Artemis was discovered in a drive-by exploit and download of CVE-2017-5638. It was intended to be dropped on Windows-based servers running a vulnerable version of Apache Struts.
SHA1: 9024e4be85ba673995e869241f5977ad55b7dd68
MD5: a70475ef2b228c3edd2ade65ba3c6382
SHA256: 39178b53f41b34e250957af3198a9744f5d5675e4502884e8a45c860a44d46c7
M16-nyo01 | StoneDrill_fb21f3ce | Windows
This strike sends a malware sample known as StoneDrill. StoneDrill is disk-wiping malware targeting European petroleum companies. It is similar to another disk-wiping malware called Shamoon (Disttrack).
SHA1: 0a4ffce8f301546100d7b00ba017f5e24d1b2d9b
MD5: fb21f3cea1aa051ba2a45e75d46b98b8
SHA256: 2bab3716a1f19879ca2e6d98c518debb107e0ed8e1534241f7769193807aac83
http://usa.kaspersky.com/about-us/press-center/press-releases/2017/From_Shamoon_to_StoneDrill-Advanced_New_Destructive_Malware_Discovered_in_the_Wild_by_Kaspersky_Lab
https://securelist.com/blog/research/77725/from-shamoon-to-stonedrill/
http://thehackernews.com/2017/03/stonedrill-data-wiping-malware.html
M16-o6p01 | Word_Document_Dropper_a2a01354 | Mixed
This strike sends a malware sample known as Word_Document_Dropper. Word_Document_Dropper is dropper malware that spreads malware by executing VBA code. It targets both Apple Mac OS X and Microsoft Windows systems.
SHA1: 115e69cc9b405d783d7cdd4cc91c1798a2a46270
MD5: a2a01354f9184d7fad24f37c93d77f67
SHA256: 06a134a63ccae0f5654c15601d818ef44fba578d0fdf325cadfa9b089cf48a74
http://blog.fortinet.com/2017/03/22/microsoft-word-file-spreads-malware-targeting-both-apple-mac-os-x-and-microsoft-windows
http://securityaffairs.co/wordpress/57393/malware/malware-microsoft-apple-os.html
M16-bl601 | Kirk_78117f7a | Windows
This strike sends a malware sample known as Kirk. Kirk is ransomware written in Python that appends the .kirk extension to encrypted files.
SHA1: 0d4dfe880f8ec4b394f49f1a2608200dd06ba8a6
MD5: 78117f7acc8b385e9b29fe711436d16d
SHA256: 39a2201a88f10d81b220c973737f0becedab2e73426ab9923880fb0fb990c5cc
https://www.bleepingcomputer.com/news/security/star-trek-themed-kirk-ransomware-brings-us-monero-and-a-spock-decryptor/
http://securityaffairs.co/wordpress/57261/malware/kirk-ransomware-star-trek.html
M16-63z01 | DiamondFox_08f3ed2e | Windows
This strike sends a malware sample known as DiamondFox. DiamondFox is infostealer malware written in Visual Basic that has been around for several years.
SHA1: ee8132046d37baf3f25dec56f928611e56318ec3
MD5: 08f3ed2e71f71c6a700db2249cfeb4ad
SHA256: 858d3c7fb4953a2f2e98993826a4e95ceca25bc358ccbde732f0b85189158697
https://blog.malwarebytes.com/threat-analysis/2017/03/diamond-fox-p1/
M16-n8601 | MajikPOS_8d37a246 | Windows
This strike sends a malware sample known as MajikPOS. MajikPOS is PoS malware targeting businesses in North America and Canada. MajikPOS is designed to steal information and send it to its command and control servers.
SHA1: 470726700027ef51a1e2036932935660bb083582
MD5: 8d37a2465daa53e8a507e7892be00dde
SHA256: 283d1780fbd96325b19b7f273343ba8f8a034bd59f92dbf9b35e3a000840a3b4
http://blog.trendmicro.com/trendlabs-security-intelligence/majikpos-combines-pos-malware-and-rats/
http://securityaffairs.co/wordpress/57176/malware/majikpos-malware.html
M16-bvf01 | DiamondFox_05ce3284 | Windows
This strike sends a malware sample known as DiamondFox. DiamondFox is infostealer malware written in Visual Basic that has been around for several years.
SHA1: c9e40a931298402a82ddda29579d374a2fc19558
MD5: 05ce32843c7271464b48283fe8f179cc
SHA256: 81af849b00fdaa2e504a750e028dba24dbd2f9db3f53ff8df851ec5ea46f0c2a
https://blog.malwarebytes.com/threat-analysis/2017/03/diamond-fox-p1/
M16-1kk01 | Lick_43b1a4cf | Windows
This strike sends a malware sample known as Lick. Lick ransomware is a variant of Kirk ransomware. Lick encrypts various files and appends filenames with the extension ".
SHA1: 1fef19eb03c6f06279a7ba558f4ba8056455b203
MD5: 43b1a4cf9ded9370d1daf5c3b96c6786
SHA256: db01302b012161d8b6e6a2a9be582c3d4100eaf09099c4e009685719a5c09d52
https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-march-17th-2017-revenge-petrwrap-and-captain-kirk/
M16-84b01 | DiamondFox_6e9373d1 | Windows
This strike sends a malware sample known as DiamondFox. DiamondFox is infostealer malware written in Visual Basic that has been around for several years.
SHA1: 4a011a0e5c4558c36cdbe841711494f55976f856
MD5: 6e9373d18182d1ac6d027636de666aef
SHA256: 179e71f74bbdbb3a00401c4efb0b08c637c26f38c06c8348e01bd74c4c5d70c2
https://blog.malwarebytes.com/threat-analysis/2017/03/diamond-fox-p1/

Malware Strikes February - 2017

Strike ID | Malware | Platform | Info | MD5 | External References
M16-r1k01 | Mirai_91a12a4c | Windows
This strike sends a malware sample known as Mirai. Mirai, or Linux/Mirai ELF, is a trojan backdoor targeting IoT devices. A Windows variant of Mirai has recently been spotted.
SHA1: 938715263e1e24f3e3d82d72b4e1d2b60ab187b8
MD5: 91a12a4cf437589ba70b1687f5acad19
SHA256: 2d8cd23e33e56ab396960a0d426c232f6d8905e2ac5833f37c412b699135f6ce
https://www.bleepingcomputer.com/news/security/mirai-gets-a-windows-version-to-boost-distribution-efforts/
http://securityaffairs.co/wordpress/56103/malware/windows-mirai-bot.html
M16-s1t01 | TeamSpy_67c81b63 | Windows
This strike sends a malware sample known as TeamSpy. TeamSpy is malware that uses TeamViewer to steal private data from victims. A TeamViewer session started by the attackers is invisible to the victim. This can lead to numerous forms of abuse of the service.
SHA1: ecc8b7d5568eba6f75055ee4ffc4e95c0cfc577d
MD5: 67c81b63a5ba984396bd4e9ff5befade
SHA256: baef7e6b044bea15fba7970c768d0bba7ef3ccfe559981bc5444a8e56c7c781d
https://heimdalsecurity.com/blog/security-alert-teamspy-turn-teamviewer-into-spying-tool/
http://securityaffairs.co/wordpress/56490/malware/teamspy-malware.html
M16-8sh01 | KINS_20f7189c | Windows
This strike sends a malware sample known as KINS. KINS is a ZeuS trojan variant. KINS has a modular structure; the basic offering includes a bootkit, a dropper, DLLs and ZeuS-compatible web injects. The KINS trojan comes with the Anti-Rapport plugin that was featured in SpyEye.
SHA1: 6aad1224f3ee26de0f0a06de01e834057b1bc440
MD5: 20f7189c2989305e03e730fcdc8bd9e1
SHA256: 786e347d5de0b2461049964b382ec2d93db62ad2541519c2f1be423fbde3e632
http://researchcenter.paloaltonetworks.com/2017/02/unit42-banking-trojans-ursnif-global-distribution-networks-identified/
M16-nqp01 | Pushdo_638940ea | Windows
This strike sends a malware sample known as Pushdo. Pushdo is a downloader trojan. When executed, Pushdo reports back to one of several control server IP addresses embedded in its code. The server listens on TCP port 80 and pretends to be an Apache web server.
SHA1: 2c285799b4911e1361718d38d09e141d583a2acb
MD5: 638940eacb4cf341bf586909c9a62419
SHA256: f0c85788f33916c6d2f811860d5e1d6bdc44a44ada980aad7a65039757cae6c7
http://researchcenter.paloaltonetworks.com/2017/02/unit42-banking-trojans-ursnif-global-distribution-networks-identified/
M16-4ll01 | MacMacroMalware_1de4838f | Mixed
This strike sends a malware sample known as MacMacroMalware. MacMacroMalware is the first Mac macro malware detected in the wild. It uses malicious macros in Word documents in order to install malware on Mac computers.
SHA1: 598ebb19bf9fbc17c0bf85ce4ece91fa061f74a6
MD5: 1de4838f13c49d9f959d04b363326ac1
SHA256: 07adb8253ccc6fee20940de04c1bf4a54a4455525b2ac33f9c95713a8a102f3d
http://securityaffairs.co/wordpress/56226/breaking-news/apple-mac-malware.html
http://thehackernews.com/2017/02/mac-osx-macro-malware.html
https://objective-see.com/blog/blog_0x17.html
M16-hbg01 | HummingWhale_5ee2367f | Android
This strike sends a malware sample known as HummingWhale. HummingWhale is Android malware. HummingWhale is a newer variant of the HummingBad malware. It is hiding in more than 20 applications in the Google Play Store.
SHA1: c26ad7e5aa53649d10c83d2e762afca737bb99a3
MD5: 5ee2367fa2c4f8dc79a9d466148b3819
SHA256: 952acb85c7763fbd5c5d6632b29dd4f8339e327bb71b421530c93e88d2f986f8
http://blog.checkpoint.com/2017/01/23/hummingbad-returns/
http://thehackernews.com/2017/01/hummingbad-android-malware.html
M16-roh01 | HummingWhale_e59c7891 | Android
This strike sends a malware sample known as HummingWhale. HummingWhale is Android malware. HummingWhale is a newer variant of the HummingBad malware. It is hiding in more than 20 applications in the Google Play Store.
SHA1: 8cf73cad9e229c7827a0d3a0c4ec6ca9fe176988
MD5: e59c78910796699ec6ef63643605bf69
SHA256: c86d7680332b074af05a022f22229bbe0bc45126fdbbb24ea4e96b1fa13dbdd5
http://blog.checkpoint.com/2017/01/23/hummingbad-returns/
http://thehackernews.com/2017/01/hummingbad-android-malware.html
M16-i8h01 | Tinba_9cd27525 | Windows
This strike sends a malware sample known as Tinba. Tinba is a banking trojan that was first seen in 2012; it is commonly distributed through malware spam emails or malvertising. As a banking trojan, its main capability is performing man-in-the-browser attacks.
SHA1: d6845a4815a869ff73508383e3e2eee8569904ac
MD5: 9cd27525e69ad4559c907539ea1464ab
SHA256: 3026114a699e5f50a49c2a4ee0844c8a6ac217f8e9185d1735b79a13379e8fd8
http://researchcenter.paloaltonetworks.com/2017/02/unit42-banking-trojans-ursnif-global-distribution-networks-identified/
M16-w5101 | Tinba_8ca23d7b | Windows
This strike sends a malware sample known as Tinba. Tinba is a banking trojan that was first seen in 2012; it is commonly distributed through malware spam emails or malvertising. As a banking trojan, its main capability is performing man-in-the-browser attacks.
SHA1: 3b798dc89140abb59bcc92338fbda7ca8a76c6bc
MD5: 8ca23d7bdf520c3e7ac538c1ceb7b555
SHA256: a8c8b1fd20d79235fd74f7c3722453412ad5ff589bbd8e3ce300e364e3495c2e
http://researchcenter.paloaltonetworks.com/2017/02/unit42-banking-trojans-ursnif-global-distribution-networks-identified/
M16-hb801 | Tinba_1fc3ea4a | Windows
This strike sends a malware sample known as Tinba. Tinba is a banking trojan that was first seen in 2012; it is commonly distributed through malware spam emails or malvertising. As a banking trojan, its main capability is performing man-in-the-browser attacks.
SHA1: 6ac08d546363cb0fb60cde9798730b7f815b08c0
MD5: 1fc3ea4a9bf2b6e546a25dd5601517f0
SHA256: 43740f3254084090f5d9dc5e74af184b8021a3e07c4d0e645f227852eccb0020
http://researchcenter.paloaltonetworks.com/2017/02/unit42-banking-trojans-ursnif-global-distribution-networks-identified/
M16-usr01 | Shiotob_16efcafb | Windows
This strike sends a malware sample known as Shiotob. Shiotob is a banking trojan also known as URLZone and Bebloh. It is most often spread in email attachments. It can steal passwords from FTP clients and email, send the URLs of websites visited by the user, and steal data entered in browser forms.
SHA1: 0fe15ab3bad991ae46d649550aed79bda9e7aafa
MD5: 16efcafb19deb49f5c48df2a7297e4f7
SHA256: fed5de3f9dbc37cf404e3a530d3358e6c1fbaf1a7d4833d19184b492a6f0da6b
http://researchcenter.paloaltonetworks.com/2017/02/unit42-banking-trojans-ursnif-global-distribution-networks-identified/
M16-mmk01 | Pushdo_4f01c4a9 | Windows
This strike sends a malware sample known as Pushdo. Pushdo reports back to one of several control server IP addresses embedded in its code. The server listens on TCP port 80 and pretends to be an Apache web server.
SHA1: d4a58f72a0331e5d8b990ef5fe43a82e68d1af3f
MD5: 4f01c4a93ac21fb89869674414ccfed5
SHA256: 676a14cda7ff14af9d944326ec4635facf9eb999208f5a7badbeff76d55321e4
http://researchcenter.paloaltonetworks.com/2017/02/unit42-banking-trojans-ursnif-global-distribution-networks-identified/
M16-4bi01 | Ursnif_79f01039 | Windows
This strike sends a malware sample known as Ursnif. Ursnif, or Gozi, is a banking trojan. The malware is mainly spread through spam email containing an attachment that downloads Ursnif. In the past year, Ursnif has been used in attacks against Japan.
SHA1: 84d6eeb4ad34d7ac0089bcb557930830b6381708
MD5: 79f010394a2504472449d9c2c4ea8f64
SHA256: 1f739f3f90382fb729401085388e2142d12fac724684c5b3dcf367b645781695
http://www.securityweek.com/ursnif-banking-trojan-uses-new-sandbox-evasion-techniques
http://securityaffairs.co/wordpress/56473/breaking-news/ursnif-banking-trojan-botnet.html
http://researchcenter.paloaltonetworks.com/2017/02/unit42-banking-trojans-ursnif-global-distribution-networks-identified/
M16-w1w01 | Marcher_80c797ac | Android
This strike sends a malware sample known as Marcher. Marcher is an Android banking trojan that has been around since 2013. New strains of this malware have been seen by security experts, and they are being spread through SMS/MMS containing links to popular Android applications.
SHA1: f255de54ffbff87067cfa7bc30d6d87a00aded8f
MD5: 80c797acf9bdbe225e877520275e15f5
SHA256: fcd18a2b174a9ef22cd74bb3b727a11b4c072fcef316aefbb989267d21d8bf7d
http://securityaffairs.co/wordpress/56258/malware/marcher-android-banking-trojan.html
https://www.securify.nl/blog/SFY20170202/marcher___android_banking_trojan_on_the_rise.html
M16-9r901 | Marcher_9ddeda87 | Android
This strike sends a malware sample known as Marcher. Marcher is an Android banking trojan that has been around since 2013. New strains of this malware have been seen by security experts, and they are being spread through SMS/MMS containing links to popular Android applications.
SHA1: c2569b8206a9bd74b13b36ea7e2ebaac3a7626cb
MD5: 9ddeda87e85a17f25ac9ed86190b018e
SHA256: b087728f732ebb11c4a0f06e02c6f8748d621b776522e8c1ed3fb59a3af69729
http://securityaffairs.co/wordpress/56258/malware/marcher-android-banking-trojan.html
https://www.securify.nl/blog/SFY20170202/marcher___android_banking_trojan_on_the_rise.html
M16-76j01 | StegBaus_ab818477 | Windows
This strike sends a malware sample known as StegBaus. StegBaus is originally distributed as a .NET-compiled executable that uses Confuser v1.9.0.0 obfuscation. It contains many advanced data-hiding techniques and has been seen delivering numerous different commodity malware families.
SHA1: 3f443529ec7994ff5b5c57e489b906f7fae19281
MD5: ab8184779f32477f7b965299e0ed2119
SHA256: 669e80679707bd00bf48994cf9d4fee5b58f6b87534cf7da5aefe71c0bee3d34
http://researchcenter.paloaltonetworks.com/2017/02/unit42-stegbaus-because-sometimes-xor-just-isnt-enough/
M16-3e401 | Locky_5384149b | Mixed
This strike sends a malware sample known as Locky. Locky is ransomware for Windows systems that appeared at the beginning of 2016. This particular variant relies on JavaScript attachments to download itself. Like other ransomware, it encrypts local files as well as network shares and renames them to [unique_id][identifier].locky. The victim is asked to pay a ransom to get the files decrypted.
SHA1: 972ba459d35bf413e28fe37de327dc75d930d108
MD5: 5384149bb0fc79d8b1c1042764ae34b9
SHA256: 0822a63725345e6b8921877367e43ee23696d75f712a9c54d5442dbc0d5f2056
http://blog.talosintel.com/2017/01/locky-struggles.html
https://continuum.cisco.com/2017/01/20/talos-locky-takes-a-break-and-returns-with-new-tricks/
http://securityaffairs.co/wordpress/55514/cyber-crime/necurs-botnet-returns.html

Strike ID: M16-frf01
Malware: FireCrypt_d8e99fca
Platform: Windows
Info: This strike sends a malware sample known as FireCrypt. FireCrypt is a ransomware that appends .firecrypt to the encrypted files.
SHA1: ef7c4358717ec9d04b9adc8e40b1eb928885ebf0
MD5: d8e99fcae9a469c2081e7ff01675c361
SHA256: 757e3242f6a2685ed9957c9e66235af889a7accead5719514719106d0b3c6fb4
https://www.bleepingcomputer.com/news/security/firecrypt-ransomware-comes-with-a-ddos-component/
http://securityaffairs.co/wordpress/55081/malware/firecrypt-ransomware.html

Strike ID: M16-19901
Malware: KINS_2f9cdc2a
Platform: Windows
Info: This strike sends a malware sample known as KINS. KINS is a ZeuS Trojan variant. KINS has a modular structure; the basic offering includes a bootkit, a dropper, DLLs and ZeuS-compatible web injects. The KINS trojan comes with the Anti-Rapport plugin, which was featured in SpyEye.
SHA1: b8fcbf49aac665f338f1d3f8dd2120a2d987006e
MD5: 2f9cdc2a7ce846fe626e47451f7fd63e
SHA256: bd6b9940e87be866fd8cb893769c51a3e4266452f97270a97bc13685b420d308
http://researchcenter.paloaltonetworks.com/2017/02/unit42-banking-trojans-ursnif-global-distribution-networks-identified/

Strike ID: M16-3hi01
Malware: Shiotob_863bd784
Platform: Windows
Info: This strike sends a malware sample known as Shiotob. Shiotob is a banking Trojan also known as URLZone and Bebloh. It is most often spread via email attachments. It can steal passwords from FTP clients and email, send the URLs of websites that have been visited by the user, as well as steal data entered in browser forms.
SHA1: 07bb89d6a8c16c6d91147702e3f7b8b4c013c3e1
MD5: 863bd784a74ccf76afc69ba099185ba9
SHA256: e0bdde6336208df8807c299ef8157ec7fd9e777dfd1cc1d49534c19e1a44f811
http://researchcenter.paloaltonetworks.com/2017/02/unit42-banking-trojans-ursnif-global-distribution-networks-identified/

Strike ID: M16-wsw01
Malware: StegBaus_9eeb3a21
Platform: Windows
Info: This strike sends a malware sample known as StegBaus. StegBaus is originally distributed in a .NET-compiled executable that uses Confuser v1.9.0.0 obfuscation. It contains many advanced data hiding techniques and has been seen delivering numerous different commodity malware families.
SHA1: 84b177a20e13f719d22090a40cbf70f747ea4052
MD5: 9eeb3a21ffe751bda6f708072ea8a74b
SHA256: 7a457ced31004aeccbbdc169b66a02a55a38bd1934c0ed54d97a69980945f487
http://researchcenter.paloaltonetworks.com/2017/02/unit42-stegbaus-because-sometimes-xor-just-isnt-enough/

Strike ID: M16-31t01
Malware: Shiotob_6db1e83f
Platform: Windows
Info: This strike sends a malware sample known as Shiotob. Shiotob is a banking Trojan also known as URLZone and Bebloh. It is most often spread via email attachments. It can steal passwords from FTP clients and email, send the URLs of websites that have been visited by the user, as well as steal data entered in browser forms.
SHA1: 87c924139c6871d77c4a86f0b323d1b5749f7093
MD5: 6db1e83ff48abcf6906a6711b40d5e82
SHA256: 0733779b99ccced9808136088e08bed6518097fd892c51c150a5d7e99b755562
http://researchcenter.paloaltonetworks.com/2017/02/unit42-banking-trojans-ursnif-global-distribution-networks-identified/

Strike ID: M16-p2601
Malware: StegBaus_9f34374a
Platform: Windows
Info: This strike sends a malware sample known as StegBaus. StegBaus is originally distributed in a .NET-compiled executable that uses Confuser v1.9.0.0 obfuscation. It contains many advanced data hiding techniques and has been seen delivering numerous different commodity malware families.
SHA1: 4321b67966538f1fe66e25e3a04df5b123bf5885
MD5: 9f34374aecde06cc5b3c8474bcc2b367
SHA256: b97c36f7d7118ab964ac7e7337dd3de0ab86cb286e724f3787b358aef5f2a5f1
http://researchcenter.paloaltonetworks.com/2017/02/unit42-stegbaus-because-sometimes-xor-just-isnt-enough/

Strike ID: M16-x7k01
Malware: HummingWhale_0a533a3f
Platform: Android
Info: This strike sends a malware sample known as HummingWhale. HummingWhale is an Android malware. HummingWhale is a newer variant of the HummingBad malware. It was found hiding in more than 20 applications on the Google Play Store.
SHA1: 8c6ce6029d4646fdadb4fc262c7863a3da809f07
MD5: 0a533a3f76496e57d11a9d6c3ed3258b
SHA256: d644444e6a8c7033df94fbc4fb7303441067933dcb085fd47c60903055c33f98
http://blog.checkpoint.com/2017/01/23/hummingbad-returns/
http://thehackernews.com/2017/01/hummingbad-android-malware.html

Strike ID: M16-klw01
Malware: KINS_27ef0d56
Platform: Windows
Info: This strike sends a malware sample known as KINS. KINS is a ZeuS Trojan variant. KINS has a modular structure; the basic offering includes a bootkit, a dropper, DLLs and ZeuS-compatible web injects. The KINS trojan comes with the Anti-Rapport plugin, which was featured in SpyEye.
SHA1: e023d169ae10e19f24a260ff2e8d0b7b8c1ba2e2
MD5: 27ef0d565b8a125806fc0811c8eddd48
SHA256: ea05b0aff29ff657a578eed301f79a2ae7a469cda10030151426eff85b2390ea
http://researchcenter.paloaltonetworks.com/2017/02/unit42-banking-trojans-ursnif-global-distribution-networks-identified/

Strike ID: M16-uy101
Malware: HummingWhale_baad5914
Platform: Android
Info: This strike sends a malware sample known as HummingWhale. HummingWhale is an Android malware.
SHA1: 8b41f9ab61ebead1e2a40282210742e0a3692169
MD5: baad591455367c2682c16336ff5769e9
SHA256: c752d601de41b08d1a94eb719584ce7813984217c7417b27c4b2adaedaf760bc
http://blog.checkpoint.com/2017/01/23/hummingbad-returns/
http://thehackernews.com/2017/01/hummingbad-android-malware.html

Strike ID: M16-ufp01
Malware: Ursnif_f3c82e20
Platform: Windows
Info: This strike sends a malware sample known as Ursnif. Ursnif or Gozi is a banking trojan. The malware is mainly spread through spam email that contains an attachment that downloads Ursnif. In the past year, Ursnif has been used in attacks against Japan.
SHA1: 449caf7925e874087a7005c7aa8862e434a6972a
MD5: f3c82e209d94b592b30acd740ea145e1
SHA256: c7a2bc376d6ddfc678e7c7b3324b021edf19c896a80ab1ec7c2f36bc004ef29e
http://www.securityweek.com/ursnif-banking-trojan-uses-new-sandbox-evasion-techniques
http://securityaffairs.co/wordpress/56473/breaking-news/ursnif-banking-trojan-botnet.html
http://researchcenter.paloaltonetworks.com/2017/02/unit42-banking-trojans-ursnif-global-distribution-networks-identified/

Strike ID: M16-vn201
Malware: Shiotob_c46e6aee
Platform: Windows
Info: This strike sends a malware sample known as Shiotob. Shiotob is a banking Trojan also known as URLZone and Bebloh. It is most often spread via email attachments. It can steal passwords from FTP clients and email, send the URLs of websites that have been visited by the user, as well as steal data entered in browser forms.
SHA1: cd34148a1ce37b13389647674653e981cfacd522
MD5: c46e6aee8bd512fdedbee688e105df16
SHA256: 124e6d6d3da321ad04e7f3aa9ae1b29fea2f382e8903a72ce48091cce47127ce
http://researchcenter.paloaltonetworks.com/2017/02/unit42-banking-trojans-ursnif-global-distribution-networks-identified/

Strike ID: M16-yos01
Malware: Spora_fbc7d35f
Platform: Windows
Info: This strike sends a malware sample known as Spora. Spora is a ransomware written in C that has a ransom note written in Russian. Spora does not rename the files after it encrypts them.
SHA1: 236ca7ced117da12a3873f28c458cc6427702ba4
MD5: fbc7d35f452a291cf4aba1f56fd787e5
SHA256: 3a8067a03ed287888b90cf706b60ae12dc2881fe859fb1d42714ccd7dd7e16ed
https://www.bleepingcomputer.com/news/security/spora-ransomware-works-offline-has-the-most-sophisticated-payment-site-as-of-yet/

Strike ID: M16-qvo01
Malware: Locky_5c79eab9
Platform: Windows
Info: This strike sends a malware sample known as Locky. Locky is a ransomware for Windows systems which appeared at the beginning of 2016. The malicious code for this particular malware relies on JavaScript attachments to download itself. Like other ransomware, it encrypts local files as well as network shares and renames them to [unique_id][identifier].locky. The victim is requested to pay a ransom to get the files decrypted.
SHA1: 13d379790ae8bdde0820e17521bf8217368fde97
MD5: 5c79eab9b160e423f32e52fc3477e0ab
SHA256: ec9c06a7cf810b07c342033588d2e7f5741e7acbea5f0c8e7009f6cc7087e1f7
http://blog.talosintel.com/2017/01/locky-struggles.html
https://continuum.cisco.com/2017/01/20/talos-locky-takes-a-break-and-returns-with-new-tricks/
http://securityaffairs.co/wordpress/55514/cyber-crime/necurs-botnet-returns.html

Strike ID: M16-t4g01
Malware: Ursnif_4da11c82
Platform: Windows
Info: This strike sends a malware sample known as Ursnif. Ursnif or Gozi is a banking trojan. The malware is mainly spread through spam email that contains an attachment that downloads Ursnif. In the past year, Ursnif has been used in attacks against Japan.
SHA1: 00c6ce1031f88b5276a5335e68fba663e769dadd
MD5: 4da11c829f8fea1b690f317837af8387
SHA256: 3af18232a9175dea624a7947e6edef6a57457bdf6d3ba0ead58856a139db2832
http://www.securityweek.com/ursnif-banking-trojan-uses-new-sandbox-evasion-techniques
http://securityaffairs.co/wordpress/56473/breaking-news/ursnif-banking-trojan-botnet.html
http://researchcenter.paloaltonetworks.com/2017/02/unit42-banking-trojans-ursnif-global-distribution-networks-identified/

Strike ID: M16-67f01
Malware: Zeus_30e8ddf1
Platform: Windows
Info: This strike sends a malware sample known as Zeus. ZeuS performs stolen data exfiltration and remote commands via encrypted HTTP POST requests to a Command and Control web server. The encryption ZeuS uses is RC4, with a key that is embedded in the binary. While the primary function of this malware is to commit financial fraud, its general information stealing behaviors make it a threat to all enterprises.
SHA1: 5ead66a3ee3f3bab0dc6a87ee6f935028ae23ebb
MD5: 30e8ddf16279b6dacc6f9d47186b58f3
SHA256: 4b66d77bd775c7695f7211b95808e14c5cbef8c6d69e3749b21868bad296f22e
http://researchcenter.paloaltonetworks.com/2017/02/unit42-banking-trojans-ursnif-global-distribution-networks-identified/

Strike ID: M16-wx401
Malware: Pushdo_c7bebfb8
Platform: Windows
Info: This strike sends a malware sample known as Pushdo. Pushdo is a downloader trojan. When executed, Pushdo reports back to one of several control server IP addresses embedded in its code. The server listens on TCP port 80 and pretends to be an Apache webserver.
SHA1: fa1e574e9fd240e27f4f1b7449e4dac555bebe0a
MD5: c7bebfb87ebea9eea43eeb681f7ff59b
SHA256: 59a512bcd4af8aef4769ce8b4f31c5116c2e9b6bd09e76f4824a073072ea822e
http://researchcenter.paloaltonetworks.com/2017/02/unit42-banking-trojans-ursnif-global-distribution-networks-identified/

Strike ID: M16-sec01
Malware: Tinba_7b9227f9
Platform: Windows
Info: This strike sends a malware sample known as Tinba. Tinba is a banking trojan that was first seen in 2012; it is commonly distributed through malicious spam emails or malvertising. As a banking trojan, its main capability is performing man-in-the-browser attacks.
SHA1: afb49223eafa9a12edc77f490c7270d6ae290da1
MD5: 7b9227f98eea65ad3cab1e755cc825a0
SHA256: 0482ac285c4e941a82de2425c3572ef2b951f90423d85627a282147fb3b95d14
http://researchcenter.paloaltonetworks.com/2017/02/unit42-banking-trojans-ursnif-global-distribution-networks-identified/

Strike ID: M16-hn501
Malware: Pushdo_ef9eb44e
Platform: Windows
Info: This strike sends a malware sample known as Pushdo. Pushdo is a downloader trojan. When executed, Pushdo reports back to one of several control server IP addresses embedded in its code. The server listens on TCP port 80 and pretends to be an Apache webserver.
SHA1: 43ab4c6809505a47c0c63b4d46d455f4fb28528a
MD5: ef9eb44ef708237cde29d841279e5371
SHA256: e061a37cef414f8943972bf0fd2a990f7283a07b460aa2c9292c00323432f3b4
http://researchcenter.paloaltonetworks.com/2017/02/unit42-banking-trojans-ursnif-global-distribution-networks-identified/

Strike ID: M16-vr301
Malware: StegBaus_ee4165ed
Platform: Windows
Info: This strike sends a malware sample known as StegBaus. StegBaus is originally distributed in a .NET-compiled executable that uses Confuser v1.9.0.0 obfuscation. It contains many advanced data hiding techniques and has been seen delivering numerous different commodity malware families.
SHA1: 048ae25b235d203c01f82ea73bbccb7bf73dfd61
MD5: ee4165edd514e03664e32b1ca162f99a
SHA256: e1fdd18455a4b256616f450af719721596804987a5fed0f8ef8fb0a96ab3b45e
http://researchcenter.paloaltonetworks.com/2017/02/unit42-stegbaus-because-sometimes-xor-just-isnt-enough/

Strike ID: M16-vtv01
Malware: KINS_ed09632e
Platform: Windows
Info: This strike sends a malware sample known as KINS. KINS is a ZeuS Trojan variant. KINS has a modular structure; the basic offering includes a bootkit, a dropper, DLLs and ZeuS-compatible web injects. The KINS trojan comes with the Anti-Rapport plugin, which was featured in SpyEye.
SHA1: d78f465ffb433d4f2c9382e22e028709567c7eba
MD5: ed09632e3d549edb8f31eaac5562df7c
SHA256: 62989ab56f11701b109cddf0eb20e995c833078bb40942a8c931589497c25948
http://researchcenter.paloaltonetworks.com/2017/02/unit42-banking-trojans-ursnif-global-distribution-networks-identified/

Strike ID: M16-7ie01
Malware: Ursnif_4d5abd97
Platform: Windows
Info: This strike sends a malware sample known as Ursnif. Ursnif or Gozi is a banking trojan. The malware is mainly spread through spam email that contains an attachment that downloads Ursnif. In the past year, Ursnif has been used in attacks against Japan.
SHA1: 84d211bdd139ac61f760a3d396c7e19680163313
MD5: 4d5abd974d213339274581a49e9c2780
SHA256: 5feeee23ecd310ed552b56c1992d5e7f6dbf4e656224a9f3073b83770768e994
http://www.securityweek.com/ursnif-banking-trojan-uses-new-sandbox-evasion-techniques
http://securityaffairs.co/wordpress/56473/breaking-news/ursnif-banking-trojan-botnet.html
http://researchcenter.paloaltonetworks.com/2017/02/unit42-banking-trojans-ursnif-global-distribution-networks-identified/

Strike ID: M16-r2201
Malware: JobCrypter_5d4076d6
Platform: Windows
Info: This strike sends a malware sample known as JobCrypter. JobCrypter is a ransomware that has recently been seen in the wild. The JobCrypter Ransomware drops TXT files on the victim's computer with information about the ransom payment.
SHA1: ba1117865e17966bb90be636a256dfe03a0646c6
MD5: 5d4076d6ca3391330504b9496c5d325c
SHA256: d3ffc11e941727382d24f252d9627d126aabd9a0fc859436a74c06d31e6f5d2e
https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-february-10th-2017-serpent-spora-id-ransomware/

Strike ID: M16-xj001
Malware: Spora_570e9cf4
Platform: Windows
Info: This strike sends a malware sample known as Spora. Spora is a ransomware written in C that has a ransom note written in Russian. Spora does not rename the files after it encrypts them.
SHA1: f889cbfd2f25e65fae443c9f70192bd310a04b51
MD5: 570e9cf484050e21346bcdcb99824d77
SHA256: 2637247ad66e6e57a68093528bb137c959cdbb438764318f09326fc8a79bdaaf
https://www.bleepingcomputer.com/news/security/spora-ransomware-works-offline-has-the-most-sophisticated-payment-site-as-of-yet/

Strike ID: M16-ja801
Malware: Rovnix_af2016cf
Platform: Windows
Info: This strike sends a malware sample known as Rovnix. ROVNIX writes malicious rootkit drivers to an unpartitioned space of the NTFS drive. This effectively hides the driver since this unpartitioned space cannot be seen by the operating system and security products. To load the malicious driver, ROVNIX modifies the contents of the IPL. This code is modified so that the malicious rootkit driver is loaded before the operating system.
SHA1: 172f38ad7a33e0c393863d0cd75b4a9ce8508fbc
MD5: af2016cf2b5d04543a94d83447103fc3
SHA256: fdca8fa4368763899eff263d472850273ac9df672e0867d4aa3546bb439be291
http://researchcenter.paloaltonetworks.com/2017/02/unit42-banking-trojans-ursnif-global-distribution-networks-identified/

Strike ID: M16-y1u01
Malware: KINS_9fa264ba
Platform: Windows
Info: This strike sends a malware sample known as KINS. KINS is a ZeuS Trojan variant. KINS has a modular structure; the basic offering includes a bootkit, a dropper, DLLs and ZeuS-compatible web injects. The KINS trojan comes with the Anti-Rapport plugin, which was featured in SpyEye.
SHA1: e8c636eee1ad5ec3384a0eb61ad4759c76ad11ce
MD5: 9fa264baf6f92a626949352923fb679d
SHA256: f3bf1e6cfd4a21f6f6907833bfbd9d44a9499eea4e27c0e4415f7e3975fa559f
http://researchcenter.paloaltonetworks.com/2017/02/unit42-banking-trojans-ursnif-global-distribution-networks-identified/

Strike ID: M16-wym01
Malware: Shiotob_4a8b8eb2
Platform: Windows
Info: This strike sends a malware sample known as Shiotob. Shiotob is a banking Trojan also known as URLZone and Bebloh. It is most often spread via email attachments. It can steal passwords from FTP clients and email, send the URLs of websites that have been visited by the user, as well as steal data entered in browser forms.
SHA1: 26866a6d392db1f8a0c8d25a1746bd268be96d6b
MD5: 4a8b8eb2afd717b679ffc800740b3bd2
SHA256: dbe42c50bfa0dd6fe0b236fe5371bc294f43d48bbf1243d4f3b2a98041f0d3ab
http://researchcenter.paloaltonetworks.com/2017/02/unit42-banking-trojans-ursnif-global-distribution-networks-identified/

Strike ID: M16-4wa01
Malware: Tinba_1fa127ce
Platform: Windows
Info: This strike sends a malware sample known as Tinba. Tinba is a banking trojan that was first seen in 2012; it is commonly distributed through malicious spam emails or malvertising. As a banking trojan, its main capability is performing man-in-the-browser attacks.
SHA1: c2a11ce032de364c6edb0a2716d4542ad0b8ec84
MD5: 1fa127ced06dac4a7f1b422dd4955327
SHA256: 94c12b0de0e28a5c88d9b3242793f1d1cd4ff4a86a4bce991e68f3d2e04c56a6
http://researchcenter.paloaltonetworks.com/2017/02/unit42-banking-trojans-ursnif-global-distribution-networks-identified/

Strike ID: M16-ebh01
Malware: PortugueseRansomware_8a3a3256
Platform: Windows
Info: This strike sends a malware sample known as PortugueseRansomware. PortugueseRansomware is a new ransomware that has its ransom note written in Portuguese.
SHA1: 9c1cb81a9e715f0b031db7b289946c5fab87f1c2
MD5: 8a3a3256e0a6916812d559f745775a89
SHA256: cab632fca64fc77a1f55168ad94561a8e98e47a6b27adcb5419e81fee90c959b
https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-february-10th-2017-serpent-spora-id-ransomware/

Strike ID: M16-h8901
Malware: KINS_39f5ace4
Platform: Windows
Info: This strike sends a malware sample known as KINS. KINS is a ZeuS Trojan variant. KINS has a modular structure; the basic offering includes a bootkit, a dropper, DLLs and ZeuS-compatible web injects. The KINS trojan comes with the Anti-Rapport plugin, which was featured in SpyEye.
SHA1: 74f4211bf2b352bbdb308ffd85ad70cb60c50a11
MD5: 39f5ace4ec18e8b7c6de54e6fc6d86f3
SHA256: 0f300996a5d57c43b90bf97f158fed23709284b1fe4bbcabc6b843538f4fe961
http://researchcenter.paloaltonetworks.com/2017/02/unit42-banking-trojans-ursnif-global-distribution-networks-identified/

Strike ID: M16-nn401
Malware: Shiotob_69be1e62
Platform: Windows
Info: This strike sends a malware sample known as Shiotob. Shiotob is a banking Trojan also known as URLZone and Bebloh. It is most often spread via email attachments. It can steal passwords from FTP clients and email, send the URLs of websites that have been visited by the user, as well as steal data entered in browser forms.
SHA1: afc6f64765529ba12da69f3ea536fca661ae4610
MD5: 69be1e62b00ba27cc4ae0e3b41720d41
SHA256: 164eab81c9ef0b14b4f93f7f5b60b0111d9eb3de3131c35f2f388837e0309b9e
http://researchcenter.paloaltonetworks.com/2017/02/unit42-banking-trojans-ursnif-global-distribution-networks-identified/

Strike ID: M16-s8z01
Malware: Tinba_d7669dd5
Platform: Windows
Info: This strike sends a malware sample known as Tinba. Tinba is a banking trojan that was first seen in 2012; it is commonly distributed through malicious spam emails or malvertising. As a banking trojan, its main capability is performing man-in-the-browser attacks.
SHA1: 11ed83c66bd226a52915327bebc3cb073d579505
MD5: d7669dd586396502b25c9ebf37b10db4
SHA256: fcee667cb6900ddf55029f1f806995f73cd5be75912f1c94c905a6d177353e1f
http://researchcenter.paloaltonetworks.com/2017/02/unit42-banking-trojans-ursnif-global-distribution-networks-identified/

Strike ID: M16-hb501
Malware: Pushdo_6f58a94b
Platform: Windows
Info: This strike sends a malware sample known as Pushdo. Pushdo reports back to one of several control server IP addresses embedded in its code. The server listens on TCP port 80 and pretends to be an Apache webserver.
SHA1: 1e147caade60277be732659a33878b3ff44d7b6a
MD5: 6f58a94b52aae9f0fe5c1256a4ce19a8
SHA256: 242f192b9e985864ba5e3f6b0cb15efc280980e2b097d2ebaabd1d8de7117663
http://researchcenter.paloaltonetworks.com/2017/02/unit42-banking-trojans-ursnif-global-distribution-networks-identified/

Strike ID: M16-7iu01
Malware: Cerber_208a394b
Platform: Windows
Info: This strike sends a malware sample known as Cerber. Cerber is a ransomware-type malware that infiltrates systems and encrypts various file types. After encrypting files, Cerber ransomware changes the desktop wallpaper with one that provides instructions of what to do and how much to pay in order to get your files decrypted.
SHA1: e89fb7405e242e359b652e5dd1276d4ba20c5aed
MD5: 208a394b211726ac07d668ac28ad7ec1
SHA256: 547d791a4d8847926b250648898925ffe5ee41d636adc36aa3c1134cf43322de
http://blog.trendmicro.com/trendlabs-security-intelligence/recent-spam-runs-in-germany-show-how-threats-intend-to-stay-in-the-game/

Malware Strikes January - 2017

Strike ID Malware Platform Info MD5 External References

Strike ID: M16-xku01
Malware: Sage_b1bfa47e
Platform: Windows
Info: This strike sends a malware sample known as Sage. Sage is a ransomware. It is considered to be a variant of CryLocker ransomware. Sage is distributed through Sundown and RIG exploit kits.
SHA1: 5b1428cce7ef22e6d9da05da79a4e3d9bb872bba
MD5: b1bfa47e9776793c4d83f0c6fdad379c
SHA256: 362baeb80b854c201c4e7a1cfd3332fd58201e845f6aebe7def05ff0e00bf339
https://isc.sans.edu/diary/Sage%2B2.0%2BRansomware/21959
http://securityaffairs.co/wordpress/55650/malware/sage-2-0-ransomware.html

Strike ID: M16-icm01
Malware: EyePyramid_14db577a
Platform: Windows
Info: This strike sends a malware sample known as EyePyramid. EyePyramid is a malware that targets politicians, bankers and law enforcement personalities in Italy. It is spread via phishing emails and after infection it grants access to all resources on the infected machine.
SHA1: 6b3e554e28b74343eee12fd801b166f7ac2f8234
MD5: 14db577a9b0bfc62f3a25a9a51765bc5
SHA256: 3b86409c26889be4fef9f3c4718193e1ea4d0e6551ec09eb55831dba761aecaa
http://securityaffairs.co/wordpress/55285/cyber-crime/eyepyramid-espionage-campaign.html
https://securelist.com/blog/incidents/77098/the-eyepyramid-attacks/

Strike ID: M16-p6y01
Malware: Cerber_6f0b1c63
Platform: Mixed
Info: This strike sends a malware sample known as Cerber. Cerber is a ransomware-type malware that infiltrates systems and encrypts various file types. After encrypting the files, Cerber changes the desktop wallpaper with one that provides instructions of what to do and how much to pay in order to get your files decrypted.
SHA1: 71fa6f482f001922d75a2fba5eea6a36338aa2a3
MD5: 6f0b1c63aa8e3ab57fe308d6c67c8413
SHA256: 40f70b1e12dcabba4303a98a324d421e69c9ae60746cbf2f026f1d9da2d8cd70
http://blog.trendmicro.com/trendlabs-security-intelligence/recent-spam-runs-in-germany-show-how-threats-intend-to-stay-in-the-game/

Strike ID: M16-qb701
Malware: Ploutus_5af1f928
Platform: Windows
Info: This strike sends a malware sample known as Ploutus. Ploutus is an ATM malware that was discovered in 2013. Ploutus' main purpose is to empty an ATM without the requirement of an ATM card.
SHA1: dadf8493072a479950af004a58fa774f83fc984c
MD5: 5af1f92832378772a7e3b07a0cad4fc5
SHA256: aee97881d3e45ba0cae91f471db78aded16bcff1468d9e66edf9d3c0223d238f
http://securityaffairs.co/wordpress/55334/cyber-crime/ploutus-d.html
https://www.fireeye.com/blog/threat-research/2017/01/new_ploutus_variant.html

Strike ID: M16-9g701
Malware: BleedGreen_c82617e2
Platform: Windows
Info: This strike sends a malware sample known as BleedGreen. BleedGreen is the FireCrypt malware builder.
SHA1: 62e495b8e7bf597cb5fac48828f808d46f064930
MD5: c82617e2ea031d93d5c2ea8165656753
SHA256: e77df2ce34949eb11290445a411a47fb927e8871e2580897581981d17730032d
http://securityaffairs.co/wordpress/55081/malware/firecrypt-ransomware.html
https://www.bleepingcomputer.com/news/security/firecrypt-ransomware-comes-with-a-ddos-component/

Strike ID: M16-2uz01
Malware: MerryXmas_887b35a8
Platform: Windows
Info: This strike sends a malware sample known as MerryXmas. MerryXmas is a ransomware distributed via malicious spam disguised as customer complaints. This ransomware adds the .RMCM1 extension to all encrypted files.
SHA1: c8be4500127bfce10ab38152a8a5003b75613603
MD5: 887b35a87fb75e2d889694143e3c9014
SHA256: 78cc9626bb8d6f9d8ddf8236c197894a86f9d54a294b38c9c0b82744496b3fae
http://www.infosecurity-magazine.com/news/merry-christmas-ransomware-hangs/
https://isc.sans.edu/forums/diary/Merry+XMas+ransomware+from+Sunday+20170108/21905

Strike ID: M16-3tc01
Malware: Marlboro_48629562
Platform: Windows
Info: This strike sends a malware sample known as Marlboro. Marlboro is a ransomware that appends the ".oops" extension to the encrypted files.
SHA1: 99911950e0d1fd1728d5b80da43a16d90e41ec45
MD5: 4862956228816276ab2b1baaa019d4f8
SHA256: b5c37f3cf90026a815925aa4d53882823221c97127a378f0beb1b8276686caad
https://www.bleepingcomputer.com/news/security/marlboro-ransomware-defeated-in-one-day/

Strike ID: M16-kw601
Malware: HummingWhale_4c635fcc
Platform: Android
Info: This strike sends a malware sample known as HummingWhale. HummingWhale is an Android malware. HummingWhale is a newer variant of the HummingBad malware. It was found hiding in more than 20 applications on the Google Play Store.
SHA1: a87e15abc1b15443275e4d12d08d8070b793cec2
MD5: 4c635fcce49743de86d8f9cc58d2de8b
SHA256: 0908a85853e1c472e9fe02b787c5e3bee4f42a448185a6e033797b5a0ee00f54
http://blog.checkpoint.com/2017/01/23/hummingbad-returns/
http://thehackernews.com/2017/01/hummingbad-android-malware.html

Strike ID: M16-bzi01
Malware: HummingWhale_700b2e0f
Platform: Android
Info: This strike sends a malware sample known as HummingWhale. HummingWhale is an Android malware. HummingWhale is a newer variant of the HummingBad malware. It was found hiding in more than 20 applications on the Google Play Store.
SHA1: 5a747c5cd2f36b9731b097321a956001afe7c8eb
MD5: 700b2e0fb8f6fc866599255347ddde76
SHA256: 32d9c801ffccad7d95f3eb256ca23c585329863a19d0316f7bedc556b5d59d8f
http://blog.checkpoint.com/2017/01/23/hummingbad-returns/
http://thehackernews.com/2017/01/hummingbad-android-malware.html

Strike ID: M16-6e701
Malware: Marlboro_52d66a72
Platform: Mixed
Info: This strike sends a malware sample known as Marlboro. Marlboro is a ransomware that appends the ".oops" extension to the encrypted files.
SHA1: 91902bd2e95502d12cc8c00b8ef289e2b01e84a1
MD5: 52d66a72a492ef85bff1ea562fedf490
SHA256: a2cf2ccc1d4a71ead386156b8c39a4f6240068cf9af485513284bf98662ae9b3
https://www.bleepingcomputer.com/news/security/marlboro-ransomware-defeated-in-one-day/

Strike ID: M16-k7m01
Malware: Cerber_7d181574
Platform: Windows
Info: This strike sends a malware sample known as Cerber. Cerber is a ransomware-type malware that infiltrates systems and encrypts various file types. After encrypting the files, Cerber changes the desktop wallpaper with one that provides instructions of what to do and how much to pay in order to get your files decrypted.
SHA1: 79440d8b1e4b8fa222f1be78435f43f86796f6dc
MD5: 7d181574893ec9cb2795166623f8e531
SHA256: a098c20dd46c6afa031bb653cd6d6eede4260a5a6244cf8c1dffcb4d8565b404
http://blog.trendmicro.com/trendlabs-security-intelligence/recent-spam-runs-in-germany-show-how-threats-intend-to-stay-in-the-game/

Strike ID: M16-m6n01
Malware: Satan_c50deba5
Platform: Windows
Info: This strike sends a malware sample known as Satan. Satan is a Ransomware as a Service (RaaS) which enables any criminal to create their own variant of Satan ransomware.
SHA1: 25bb2935f75e15b4117779b93d064367049b5fa9
MD5: c50deba5542672ce85086c6ad747a1e4
SHA256: c04836696d715c544382713eebf468aeff73c15616e1cd8248ca8c4c7e931505
http://securityaffairs.co/wordpress/55487/malware/satan-raas.html
https://www.pcrisk.com/removal-guides/10854-satan-ransomware

Strike ID: M16-2vc01
Malware: MerryXmas_1a7d5e0f
Platform: Mixed
Info: This strike sends a malware sample known as MerryXmas. MerryXmas is a ransomware distributed via malicious spam disguised as customer complaints. This ransomware adds the .RMCM1 extension to all encrypted files.
SHA1: 63a5e7851c9146554e2e5cef467f7d78c734169a
MD5: 1a7d5e0fe2288a2fd4910c685b9142b3
SHA256: 244b4205acb416700bec459c8b36be379c0b7e3d2a21a57c4a121ba95d229bc4
http://www.infosecurity-magazine.com/news/merry-christmas-ransomware-hangs/
https://isc.sans.edu/forums/diary/Merry+XMas+ransomware+from+Sunday+20170108/21905

Strike ID: M16-79x01
Malware: Spora_312445d2
Platform: Windows
Info: This strike sends a malware sample known as Spora. Spora is a ransomware written in C that has a ransom note written in Russian. Spora does not rename the files after it encrypts them.
SHA1: d3c89ccaf190890fc0583ea24396b1a2cd8317c4
MD5: 312445d2cca1cf82406af567596b9d8c
SHA256: dbfd24cd70f02ddea6de0a851c1ef0f45f18b4f70e6f3d0f2e2aec0d1b4a2cbf
http://securityaffairs.co/wordpress/55260/malware/spora-ransomware.html
http://blog.emsisoft.com/2017/01/10/from-darknet-with-love-meet-spora-ransomware/
https://www.bleepingcomputer.com/news/security/spora-ransomware-works-offline-has-the-most-sophisticated-payment-site-as-of-yet/

Strike ID: M16-uw401
Malware: Sharik_727cbccb
Platform: Windows
Info: This strike sends a malware sample known as Sharik. Sharik is a trojan loader. It is distributed via emails with the sender impersonating a telecommunications company. The emails contain a zipped PDF attachment which, when opened, infects the victim's machine with Sharik.
SHA1: 21bacd8c51fab29c15c1df8f25f7e91697d3bba1
MD5: 727cbccb80206ebe6a989fc6386f222e
SHA256: 906d2ecdbc2b306ce7061b94d3d8cd64a9336fcfbc46f95d1a3bcddfdfbff7bb
http://blog.trendmicro.com/trendlabs-security-intelligence/recent-spam-runs-in-germany-show-how-threats-intend-to-stay-in-the-game/

Strike ID: M16-xnu01
Malware: EyePyramid_b39a673a
Platform: Windows
Info: This strike sends a malware sample known as EyePyramid. EyePyramid is a malware that targets politicians, bankers and law enforcement personalities in Italy. It is spread via phishing emails and after infection it grants access to all resources on the infected machine.
SHA1: b61633975206c58df648df144c78bb3e20051d93
MD5: b39a673a5d2ceaa1fb5571769097ca77
SHA256: d3ad32bcb255e56cd2a768b3cbf6bafda88233288fc6650d0dfa3810be75f74c
http://securityaffairs.co/wordpress/55285/cyber-crime/eyepyramid-espionage-campaign.html
https://securelist.com/blog/incidents/77098/the-eyepyramid-attacks/

Strike ID: M16-n7i01
Malware: Marlboro_9c7a41fb
Platform: Windows
Info: This strike sends a malware sample known as Marlboro. Marlboro is a ransomware that appends the ".oops" extension to the encrypted files.
SHA1: 15fd4e3c2aeffba55b9469820e9838e0062c72fb
MD5: 9c7a41fbe431a41bfdf933436c846858
SHA256: a95d7606d17b221bca0960d04bffdc5ff1585ca13a2511bbf5347a732a3a025c
https://www.bleepingcomputer.com/news/security/marlboro-ransomware-defeated-in-one-day/

Strike ID: M16-dfb01
Malware: KillDisk_5cc42c3d
Platform: Windows
Info: This strike sends a malware sample known as KillDisk. KillDisk is a data wiping malware that was used as a component in the BlackEnergy attacks against the Ukrainian power grid.
SHA1: 2379a29b4c137afb7c0fd80a58020f5e09716437
MD5: 5cc42c3d67099d361c1c37750ae5ff04
SHA256: a6a167e214acd34b4084237ba7f6476d2e999849281aa5b1b3f92138c7d91c7a
http://thehackernews.com/2017/01/linux-ransomware-malware.html
http://www.welivesecurity.com/2017/01/05/killdisk-now-targeting-linux-demands-250k-ransom-cant-decrypt/

Strike ID: M16-3hv01
Malware: Locky_afed9062
Platform: Windows
Info: This strike sends a malware sample known as Locky. Locky is a ransomware for Windows systems which appeared at the beginning of 2016. The malicious code for this particular malware relies on JavaScript attachments to download itself. Like other ransomware, it encrypts local files as well as network shares and renames them to [unique_id][identifier].locky. The victim is requested to pay a ransom to get the files decrypted.
SHA1: 4e7fa838280b7ab7f70afd5e73c461639a1f0b5e
MD5: afed90629bb84de0ce8e7c6d2231e9c3
SHA256: 79ffaa5453500f75abe4ad196100a53dfb5ec5297fc714dd10feb26c4fb086db
http://blog.talosintel.com/2017/01/locky-struggles.html
https://continuum.cisco.com/2017/01/20/talos-locky-takes-a-break-and-returns-with-new-tricks/
http://securityaffairs.co/wordpress/55514/cyber-crime/necurs-botnet-returns.html

Strike ID: M16-eiv01
Malware: EyePyramid_a41c5374
Platform: Windows
Info: This strike sends a malware sample known as EyePyramid. EyePyramid is a malware that targets politicians, bankers and law enforcement personalities in Italy. It is spread via phishing emails and after infection it grants access to all resources on the infected machine.
SHA1: b25222b289cb3a8e7877c46a8840e560d1ab375b
MD5: a41c5374a14a2c7cbe093ff6b075e8ac
SHA256: 137846f698de9b30fe0fb81af20f175f36cf7c6297e3f920996e607cf80f518a
http://securityaffairs.co/wordpress/55285/cyber-crime/eyepyramid-espionage-campaign.html
https://securelist.com/blog/incidents/77098/the-eyepyramid-attacks/

Strike ID: M16-y5g01
Malware: Ploutus_c04a7cb9
Platform: Windows
Info: This strike sends a malware sample known as Ploutus. Ploutus is an ATM malware that was discovered in 2013. Ploutus' main purpose is to empty an ATM without the requirement of an ATM card.
SHA1: 66adf3ab1913e92be7f34adcd9be1b6eda677d59
MD5: c04a7cb926ccbf829d0a36a91ebf91bd
SHA256: 04db39463012add2eece6dfe6f311ad46b76dae55460eea30dec02d3d3f1c00a
http://securityaffairs.co/wordpress/55334/cyber-crime/ploutus-d.html
https://www.fireeye.com/blog/threat-research/2017/01/new_ploutus_variant.html