Strike ID | Malware | Platform | Info | MD5 | External References |
---|---|---|---|---|---|
M17-twn01 | Doc.Dropper.Agent_e06c1e62 | Mixed | This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper. | e06c1e623a45b69730da1d9b40c20a84 | SHA1: 3276a2e939251f1a00dfcb3497b9b83fd2d17c2b; MD5: e06c1e623a45b69730da1d9b40c20a84; SHA256: 3cc669528549cc7394074ac3ffbaa6cf3eed14436a1653d70f54ca2b3d5cdead; http://blog.talosintelligence.com/2017/12/threat-round-up-1201-1208.html |
M17-21l01 | CeeInject_a21f47b6 | Windows | This strike sends a malware sample known as CeeInject. These trojan samples contain the PoSeidon malware, which steals credit card information from Point of Sale systems. | a21f47b69edf6a886a2273a6e7bc9d4e | SHA1: 2f756597391b9d2a138be5599a92d48c567fa6b9; MD5: a21f47b69edf6a886a2273a6e7bc9d4e; SHA256: d065ba2603790329d31e35cd45538b693c77f9870d98c4656e490c1a5034a8fa; http://blog.talosintelligence.com/2017/12/threat-round-up-1201-1208.html |
M17-t4101 | CeeInject_aa9a551a | Windows | This strike sends a malware sample known as CeeInject. These trojan samples contain the PoSeidon malware, which steals credit card information from Point of Sale systems. | aa9a551a968b3a7831b82a34c926374e | SHA1: c5b7b26e7651b0f3229d244314951ede554c2309; MD5: aa9a551a968b3a7831b82a34c926374e; SHA256: 62a22fb0f59578de3679f70a41c2971b384167aebb032dd782f1d23d27015aa3; http://blog.talosintelligence.com/2017/12/threat-round-up-1201-1208.html |
M17-b5501 | Delf_b8845710 | Windows | This strike sends a malware sample known as Delf. This sample is an infostealer. It fakes updating Adobe Acrobat and gains access to the user clipboard, allowing data to be stolen. | b8845710e4d48532a7e4426c93528bbf | SHA1: 7a6c0f696fc1d7bae9cbc6df7d8d6186ce8b7623; MD5: b8845710e4d48532a7e4426c93528bbf; SHA256: c14055b23eb3a90e163962c9c70df3338bca68b67a615531ef40c6e8f8f6eabe; http://blog.talosintelligence.com/2017/12/threat-round-up-1201-1208.html |
M17-r4201 | Delf_d9d5aabc | Windows | This strike sends a malware sample known as Delf. This sample is an infostealer. It fakes updating Adobe Acrobat and gains access to the user clipboard, allowing data to be stolen. | d9d5aabc90d5f8b978a84524e147680b | SHA1: b515808b145e9a1c642c05af1dba45e0804c5ca9; MD5: d9d5aabc90d5f8b978a84524e147680b; SHA256: b17f8e85944768cc88c0a3b7103290c6eab820348103fa7a8a412af945e1d1dc; http://blog.talosintelligence.com/2017/12/threat-round-up-1201-1208.html |
M17-g0o01 | Doc.Macro.Obfuscation_e3133b93 | Mixed | This strike sends a malware sample known as Doc.Macro.Obfuscation. This Emotet code uses VBA macro obfuscation to hide PowerShell commands. The MD5 hash of this Doc.Macro. | e3133b936cb53af89b03b2db9c287bd0 | SHA1: cba47111683347f13cb82ca01eed243e36322082; MD5: e3133b936cb53af89b03b2db9c287bd0; SHA256: 46217dc4ef9fcef981be9a931995008f56b71e3f510721c33ed4b58b577e8fbb; http://blog.talosintelligence.com/2017/12/threat-round-up-1201-1208.html |
M17-do701 | Doc.Dropper.Agent_c575c947 | Mixed | This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper. | c575c94767a7bd4d1164a590650ee560 | SHA1: 017371a3fade367014af9fe2d5250ac51d8f3066; MD5: c575c94767a7bd4d1164a590650ee560; SHA256: 094842414f8029ea69cca6237b7758c2559dd553c98990cb4e8474e6653e0b9f; http://blog.talosintelligence.com/2017/12/threat-round-up-1201-1208.html |
M17-jzx01 | Delf_89d87940 | Windows | This strike sends a malware sample known as Delf. This sample is an infostealer. It fakes updating Adobe Acrobat and gains access to the user clipboard, allowing data to be stolen. | 89d87940e1384c35b910be9604d15258 | SHA1: d3db116df15a9f968b8bdc77f972a2c0512129f0; MD5: 89d87940e1384c35b910be9604d15258; SHA256: 44e27c54ae3dc4c4c228dc10389d2b28d1230a8933d61661271f4eaf65925b1f; http://blog.talosintelligence.com/2017/12/threat-round-up-1201-1208.html |
M17-u9001 | Doc.Dropper.Agent_4574af0c | Mixed | This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper. | 4574af0c85d983b5d495b7eb38e587eb | SHA1: af7c2982661c8e15e757708ea598ed5378f8db16; MD5: 4574af0c85d983b5d495b7eb38e587eb; SHA256: 2e6523b856a9f40bf3cf851407f3003a6564a7fb5d86657781a03bbd30d63966; http://blog.talosintelligence.com/2017/12/threat-round-up-1201-1208.html |
M17-9xm01 | Delf_18db1885 | Windows | This strike sends a malware sample known as Delf. This sample is an infostealer. It fakes updating Adobe Acrobat and gains access to the user clipboard, allowing data to be stolen. | 18db18858d8067c0c3053bfd2e44fcd8 | SHA1: 2ae120eee658214f6cebe28394935dbefb8a6118; MD5: 18db18858d8067c0c3053bfd2e44fcd8; SHA256: 8486ba3a5d2ae2297118de5f39770fb89227752bbe3e59f951cd0ef0bab8c5b5; http://blog.talosintelligence.com/2017/12/threat-round-up-1201-1208.html |
M17-l4a01 | Delf_fad656b7 | Windows | This strike sends a malware sample known as Delf. This sample is an infostealer. It fakes updating Adobe Acrobat and gains access to the user clipboard, allowing data to be stolen. | fad656b709ddaccffb84570e67d0c686 | SHA1: c77523d7ebae57ae158d83f57cd1a00894505a16; MD5: fad656b709ddaccffb84570e67d0c686; SHA256: f6bad3bc203c29350726c32d2aad744479de84bc72e1ffed0ad8392e5dde43d0; http://blog.talosintelligence.com/2017/12/threat-round-up-1201-1208.html |
M17-g2g01 | Doc.Macro.Obfuscation_04aefa19 | Mixed | This strike sends a malware sample known as Doc.Macro.Obfuscation. This Emotet code uses VBA macro obfuscation to hide PowerShell commands. The MD5 hash of this Doc.Macro. | 04aefa199d4a542d6352f928ed744b4a | SHA1: 61cd96f61a3a4b58931dd3841200f2f2d45f6def; MD5: 04aefa199d4a542d6352f928ed744b4a; SHA256: 4519c2f4fc0bc43cace2e70e464c00e7302e003262d7e6f903672becaba9e8ed; http://blog.talosintelligence.com/2017/12/threat-round-up-1201-1208.html |
M17-43801 | Doc.Macro.Obfuscation_c6bf3a7b | Mixed | This strike sends a malware sample known as Doc.Macro.Obfuscation. This Emotet code uses VBA macro obfuscation to hide PowerShell commands. The MD5 hash of this Doc.Macro. | c6bf3a7b5d4ec5203576c47a7f6e5ef0 | SHA1: 96311baa66659e23d2ce8d749f9e68995bca4dbd; MD5: c6bf3a7b5d4ec5203576c47a7f6e5ef0; SHA256: a44450c9b8514dd5647128f55d2704889c87e852e3eaceea80734ae7bf8d9f49; http://blog.talosintelligence.com/2017/12/threat-round-up-1201-1208.html |
M17-avd01 | Doc.Dropper.Agent_1d62d6fa | Mixed | This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper. | 1d62d6fad83ecdeb772e83f78fd69d4a | SHA1: 5e267220daf60ffc7c4411baf2da24f77ce38217; MD5: 1d62d6fad83ecdeb772e83f78fd69d4a; SHA256: 0e9b2c7a5526c8d469c3e2183cd52a38d862773118d2401467c59472aaf17263; http://blog.talosintelligence.com/2017/12/threat-round-up-1201-1208.html |
M17-7yh01 | CeeInject_a584c3c5 | Windows | This strike sends a malware sample known as CeeInject. These trojan samples contain the PoSeidon malware, which steals credit card information from Point of Sale systems. | a584c3c54dba8eee4b0fc362e7e76db2 | SHA1: 6536680a1ce032bac14475ae42d9ceadaae3093c; MD5: a584c3c54dba8eee4b0fc362e7e76db2; SHA256: 36d4800fb0bed77e59468ae9b732eb806d59999ec2832a72e0209473069af5b1; http://blog.talosintelligence.com/2017/12/threat-round-up-1201-1208.html |
M17-jz101 | Doc.Macro.Obfuscation_0e5d2902 | Mixed | This strike sends a malware sample known as Doc.Macro.Obfuscation. This Emotet code uses VBA macro obfuscation to hide PowerShell commands. The MD5 hash of this Doc.Macro. | 0e5d2902bbbb951f1ff03e46209701d0 | SHA1: 8af2947eb8096ee4ceba2dc6c947e95080328716; MD5: 0e5d2902bbbb951f1ff03e46209701d0; SHA256: baf01275b874c04687f84d78451e41231b31bfc0e71995e124830ba63379fedd; http://blog.talosintelligence.com/2017/12/threat-round-up-1201-1208.html |
M17-d2h01 | Doc.Dropper.Agent_4fb21661 | Mixed | This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper. | 4fb216617e7b7dea0da5bf86fed57ba4 | SHA1: 540fa52a3d00e1abc974257888aeb6af46a9fab6; MD5: 4fb216617e7b7dea0da5bf86fed57ba4; SHA256: 3cae4325b4b559431dba511779feadeff19433aed194511e4ea8f4ef676ac6c7; http://blog.talosintelligence.com/2017/12/threat-round-up-1201-1208.html |
M17-09e01 | CeeInject_ae76efc0 | Windows | This strike sends a malware sample known as CeeInject. These trojan samples contain the PoSeidon malware, which steals credit card information from Point of Sale systems. | ae76efc074b73cd22161133e927d2c43 | SHA1: fb1f9e9965aabd6f222f27b3cbc07c9ce42d0774; MD5: ae76efc074b73cd22161133e927d2c43; SHA256: 3507a76940a2e6c930882b5cde32d2f11ba48cc0e6bfd6e4771a973ebe9db5ab; http://blog.talosintelligence.com/2017/12/threat-round-up-1201-1208.html |
M17-v3m01 | Delf_3e933209 | Windows | This strike sends a malware sample known as Delf. This sample is an infostealer. It fakes updating Adobe Acrobat and gains access to the user clipboard, allowing data to be stolen. | 3e933209d6aa9be6fe1d6152fb0248d2 | SHA1: 235c3a7aed45b29cdd978fdfb7b030117cb65592; MD5: 3e933209d6aa9be6fe1d6152fb0248d2; SHA256: 3b221118a4c2716c6c76ddc1b6b01866fcc2643d7c29e38279d6aa2dd27d60a7; http://blog.talosintelligence.com/2017/12/threat-round-up-1201-1208.html |
M17-xgy01 | Doc.Dropper.Agent_421b5937 | Mixed | This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper. | 421b5937b5e764795d9052f378001ebd | SHA1: af750e75e69d868c62b5ab4afb87444950580b15; MD5: 421b5937b5e764795d9052f378001ebd; SHA256: 3ac9e97344506f3e443490eb6b0d5f877e0c8d4462ab9bf9544b5128aafc78bb; http://blog.talosintelligence.com/2017/12/threat-round-up-1201-1208.html |
M17-0kx01 | GenCNs_349830be | Windows | This strike sends a malware sample known as GenCNs. These samples of malware are trojans that contain dropper and adware components. The malware contacts many remote Chinese websites and attempts to download and execute additional files. | 349830bee2fefe24a51a9bc221e7c21c | SHA1: 07eb8ae1747a67a3086f40235ba2d35733f4113b; MD5: 349830bee2fefe24a51a9bc221e7c21c; SHA256: 354c9f630336cce0332558d73ae8000b62f61ca3eb7462e21183546f0da613b8; http://blog.talosintelligence.com/2017/12/threat-round-up-1201-1208.html |
M17-fpv01 | Delf_fd56a259 | Windows | This strike sends a malware sample known as Delf. This sample is an infostealer. It fakes updating Adobe Acrobat and gains access to the user clipboard, allowing data to be stolen. | fd56a2593d4a72e52ad367a24b74be5f | SHA1: ff352d3aaf8d6a6980f47ac359cc81e79bd97dd6; MD5: fd56a2593d4a72e52ad367a24b74be5f; SHA256: 67ed3caf144d2b2dd0e8f0b6ed4de1e0ee4052e152cf32fdc22b9a3f8c935e67; http://blog.talosintelligence.com/2017/12/threat-round-up-1201-1208.html |
M17-kjp01 | Delf_782c6921 | Windows | This strike sends a malware sample known as Delf. This sample is an infostealer. It fakes updating Adobe Acrobat and gains access to the user clipboard, allowing data to be stolen. | 782c69213cd06e9f38d2790bce8468cd | SHA1: 0c11455383ce954cb93a3710f52b4def2270b350; MD5: 782c69213cd06e9f38d2790bce8468cd; SHA256: 7a41c90ba46f40af093491c1f03fa64b36c6a10603c29a9af78540cde8440d60; http://blog.talosintelligence.com/2017/12/threat-round-up-1201-1208.html |
M17-40t01 | Delf_991bfd3e | Windows | This strike sends a malware sample known as Delf. This sample is an infostealer. It fakes updating Adobe Acrobat and gains access to the user clipboard, allowing data to be stolen. | 991bfd3ed82b4ff45b645fa8b26dc5cd | SHA1: 8d3eb9f9dd1b5df31a3e72f9bb274704c2204d7e; MD5: 991bfd3ed82b4ff45b645fa8b26dc5cd; SHA256: c45fabfd7e6f52fa519d8215ac1d569ca385bb4552eae82e63da4befa319f1d9; http://blog.talosintelligence.com/2017/12/threat-round-up-1201-1208.html |
M17-o9s01 | Delf_d3f52372 | Windows | This strike sends a malware sample known as Delf. This sample is an infostealer. It fakes updating Adobe Acrobat and gains access to the user clipboard, allowing data to be stolen. | d3f523726090121c6b3e79d7d9f1275d | SHA1: 03c1af0b6e182bb77aca2da4a231d346abcf0c23; MD5: d3f523726090121c6b3e79d7d9f1275d; SHA256: 4bdae37fe1f8dab61a16f406f08a3bbe1482cd1387351f23b29849e1de64875d; http://blog.talosintelligence.com/2017/12/threat-round-up-1201-1208.html |
M17-4yf01 | Delf_e27abe5e | Windows | This strike sends a malware sample known as Delf. This sample is an infostealer. It fakes updating Adobe Acrobat and gains access to the user clipboard, allowing data to be stolen. | e27abe5e4316761071b481c24f8da33c | SHA1: ad0ea4e76d4da6688df72d3129a6a5f9d1e79872; MD5: e27abe5e4316761071b481c24f8da33c; SHA256: 9b6087e9607aa0149beecd97709d27cf2e3703fded3f7d31dd613a6d3f23ccaf; http://blog.talosintelligence.com/2017/12/threat-round-up-1201-1208.html |
M17-m2w01 | Delf_b8fa4e0f | Windows | This strike sends a malware sample known as Delf. This sample is an infostealer. It fakes updating Adobe Acrobat and gains access to the user clipboard, allowing data to be stolen. | b8fa4e0f817ec962d896aee21e7526ac | SHA1: a13cdf1fdab36970378ab85d177fadc6bd38f8d9; MD5: b8fa4e0f817ec962d896aee21e7526ac; SHA256: 482142f886ed2ee2610e2740695435e0488b5c7d6081daaeffdc93c87b6e2f93; http://blog.talosintelligence.com/2017/12/threat-round-up-1201-1208.html |
M17-rql01 | Delf_8f1ee3c9 | Windows | This strike sends a malware sample known as Delf. This sample is an infostealer. It fakes updating Adobe Acrobat and gains access to the user clipboard, allowing data to be stolen. | 8f1ee3c99c001da889fd425ca8654cfc | SHA1: 058a91440614455f581346cc943f1d53ab4adb50; MD5: 8f1ee3c99c001da889fd425ca8654cfc; SHA256: 3dde0bb92308140701cb61711dc7e7298baff68668d96d2db9390e2b691efeb9; http://blog.talosintelligence.com/2017/12/threat-round-up-1201-1208.html |
M17-zi801 | CeeInject_b156268f | Windows | This strike sends a malware sample known as CeeInject. These trojan samples contain the PoSeidon malware, which steals credit card information from Point of Sale systems. | b156268ffde83b0ee9938bd0d4c03842 | SHA1: 13da902ef4c126fa463b8b668fedda3a285e75be; MD5: b156268ffde83b0ee9938bd0d4c03842; SHA256: 58e226e02f8dded4b24ae60d2524497083c3d0dafb02436df5209fa9e1061085; http://blog.talosintelligence.com/2017/12/threat-round-up-1201-1208.html |
M17-ref01 | Delf_b4abdea5 | Windows | This strike sends a malware sample known as Delf. This sample is an infostealer. It fakes updating Adobe Acrobat and gains access to the user clipboard, allowing data to be stolen. | b4abdea5409282a09c29f0600eef8950 | SHA1: f0062085a02ea2025fafd535df19e74ef0e50c7b; MD5: b4abdea5409282a09c29f0600eef8950; SHA256: 75eecd86ca4cbc10e60a6b5dc85964374fd91b25f0ecf08dcb7cd96d726ec581; http://blog.talosintelligence.com/2017/12/threat-round-up-1201-1208.html |
M17-02j01 | Doc.Dropper.Agent_0f25b221 | Mixed | This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper. | 0f25b2210b58010b4de329c6a01b50ea | SHA1: 7ea2638f582d3e540efee8c0e890a8fa908b9d7a; MD5: 0f25b2210b58010b4de329c6a01b50ea; SHA256: 0b81075cc3ef1121f3eca801d2f821719a7cfa31e5d95081ec3feb195f44d8c6; http://blog.talosintelligence.com/2017/12/threat-round-up-1201-1208.html |
M17-4s901 | Doc.Dropper.Agent_b70b4b06 | Mixed | This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper. | b70b4b067e9e68044b8f86a69de6bbe6 | SHA1: b4348ada0f12083ebc7fe10ceccfc81f0d07b1bb; MD5: b70b4b067e9e68044b8f86a69de6bbe6; SHA256: 0099b9221eb92408f0b8bead5d703b5c7ecb11962f49f5e67f60725427318236; http://blog.talosintelligence.com/2017/12/threat-round-up-1201-1208.html |
M17-fyx01 | Delf_2b23f5b0 | Windows | This strike sends a malware sample known as Delf. This sample is an infostealer. It fakes updating Adobe Acrobat and gains access to the user clipboard, allowing data to be stolen. | 2b23f5b038fb291689d44384df65e9e8 | SHA1: 050e8d256285b7fe52a44631c9a47e1e3ef104cf; MD5: 2b23f5b038fb291689d44384df65e9e8; SHA256: f1db091fff240dd3d49f0d22d4809db237fda042cb7ddf7afc81a0430f5c4b8c; http://blog.talosintelligence.com/2017/12/threat-round-up-1201-1208.html |
M17-a3k01 | Doc.Macro.Obfuscation_068777f3 | Mixed | This strike sends a malware sample known as Doc.Macro.Obfuscation. This Emotet code uses VBA macro obfuscation to hide PowerShell commands. The MD5 hash of this Doc.Macro. | 068777f3f9f62fefd51370d8490f47dd | SHA1: 09009a815366627d431838726bd77968ecea0db6; MD5: 068777f3f9f62fefd51370d8490f47dd; SHA256: 0f236dccbbdb81b7724f71569eff462c6fb40658f1697331617a38074a99c6e8; http://blog.talosintelligence.com/2017/12/threat-round-up-1201-1208.html |
M17-2hv01 | GenCNs_1e200f01 | Windows | This strike sends a malware sample known as GenCNs. These samples of malware are trojans that contain dropper and adware components. The malware contacts many remote Chinese websites and attempts to download and execute additional files. | 1e200f01c7326e1cdd15327d8a52b537 | SHA1: 4fcf4bbcaaba19aaf506058ce89e06c5dda48b5b; MD5: 1e200f01c7326e1cdd15327d8a52b537; SHA256: 093477fa334791163629386b655b01a8284cf9826760b2dd9c3046e370ce026b; http://blog.talosintelligence.com/2017/12/threat-round-up-1201-1208.html |
M17-3eu01 | CeeInject_a50ec9ab | Windows | This strike sends a malware sample known as CeeInject. These trojan samples contain the PoSeidon malware, which steals credit card information from Point of Sale systems. | a50ec9ab44367eae2c1c278c66600944 | SHA1: 636f5221cd21a03545fb15c11e6d38d89b8126e3; MD5: a50ec9ab44367eae2c1c278c66600944; SHA256: 1a7de2ac4b22ca77acef5afe8e8b45dcc5150deb3408c8934221cfbbaee0655e; http://blog.talosintelligence.com/2017/12/threat-round-up-1201-1208.html |
M17-axu01 | Doc.Macro.Obfuscation_c064974a | Mixed | This strike sends a malware sample known as Doc.Macro.Obfuscation. This Emotet code uses VBA macro obfuscation to hide PowerShell commands. The MD5 hash of this Doc.Macro. | c064974ac92d98807829cdbe43420666 | SHA1: 71ce210f1a99aaa92446d24e3a39219a582dc564; MD5: c064974ac92d98807829cdbe43420666; SHA256: 0a6d8c964286f1ec0173cde38caf3d5e36147945baaa83a0200e6f35f82446af; http://blog.talosintelligence.com/2017/12/threat-round-up-1201-1208.html |
M17-hsp01 | Doc.Macro.Obfuscation_4346f550 | Mixed | This strike sends a malware sample known as Doc.Macro.Obfuscation. This Emotet code uses VBA macro obfuscation to hide PowerShell commands. The MD5 hash of this Doc.Macro. | 4346f5504d196b5155f98c8afb40eb09 | SHA1: be94f0f43d05f019a6396d6c778f741a8310ca74; MD5: 4346f5504d196b5155f98c8afb40eb09; SHA256: 5dbf9dc9341bd506eb2cdf5ec294c6c3029535424aa0a42e9b045cbd95c6d3df; http://blog.talosintelligence.com/2017/12/threat-round-up-1201-1208.html |
M17-7zc01 | Doc.Macro.Obfuscation_c2b856bb | Mixed | This strike sends a malware sample known as Doc.Macro.Obfuscation. This Emotet code uses VBA macro obfuscation to hide PowerShell commands. The MD5 hash of this Doc.Macro. | c2b856bb53d17d8175597a30904f7b83 | SHA1: 5d5d2eb7060fe78b7273f24fceff046daa42312c; MD5: c2b856bb53d17d8175597a30904f7b83; SHA256: d3e06e4d623b1bbf7b72ec709541c3b3fe66d09c4616c356cdc93240bd4b4c6a; http://blog.talosintelligence.com/2017/12/threat-round-up-1201-1208.html |
M17-36k01 | CeeInject_b40e4e17 | Windows | This strike sends a malware sample known as CeeInject. These trojan samples contain the PoSeidon malware, which steals credit card information from Point of Sale systems. | b40e4e17c4629638dc656008d312619e | SHA1: 5a1caa82ccf072576de8ad643d5699e81fef2e1e; MD5: b40e4e17c4629638dc656008d312619e; SHA256: fe33dc8941a6cd8ef4f64af295c2066eb0974966dfb355b5dd57e0c277261033; http://blog.talosintelligence.com/2017/12/threat-round-up-1201-1208.html |
M17-47t01 | CeeInject_b0cc4e21 | Windows | This strike sends a malware sample known as CeeInject. These trojan samples contain the PoSeidon malware, which steals credit card information from Point of Sale systems. | b0cc4e2114239943e8e896620596b684 | SHA1: 1b52da03d5b443b34f79033126d82a632c8227f7; MD5: b0cc4e2114239943e8e896620596b684; SHA256: 952e29ae44bb49c78f2b3fcd8c13e22181bc0a610e36723e41b79f8c1147649f; http://blog.talosintelligence.com/2017/12/threat-round-up-1201-1208.html |
M17-pn601 | Delf_c4f402ed | Windows | This strike sends a malware sample known as Delf. This sample is an infostealer. It fakes updating Adobe Acrobat and gains access to the user clipboard, allowing data to be stolen. | c4f402ed89253dc6d3a3c66a0f8107da | SHA1: 179f35392c1f954751f14400f5d6fedf028658e4; MD5: c4f402ed89253dc6d3a3c66a0f8107da; SHA256: d44dff94eaf9ed08c7f4ef47e69e0a9b308ce49c8bc814b94b2c95c92ba53fc3; http://blog.talosintelligence.com/2017/12/threat-round-up-1201-1208.html |
M17-xkg01 | GenCNs_00616fd2 | Windows | This strike sends a malware sample known as GenCNs. These samples of malware are trojans that contain dropper and adware components. The malware contacts many remote Chinese websites and attempts to download and execute additional files. | 00616fd29add2b97de09b7a457be4709 | SHA1: 5a70be2e95529c920a9616b0c16ba5bffd5929b8; MD5: 00616fd29add2b97de09b7a457be4709; SHA256: 3e47b0d23d7e39af6759ca207d3307584862fe4181a6a4a54ea38cd45ce8c542; http://blog.talosintelligence.com/2017/12/threat-round-up-1201-1208.html |
M17-hgf01 | Delf_ac3b43ed | Windows | This strike sends a malware sample known as Delf. This sample is an infostealer. It fakes updating Adobe Acrobat and gains access to the user clipboard, allowing data to be stolen. | ac3b43ed7be4b848aec8d123f10ea7cf | SHA1: 6f9f31b4d847a8f8c803345bb60cb5d99013d45d; MD5: ac3b43ed7be4b848aec8d123f10ea7cf; SHA256: 04c3a321d00b8f54ae242969ede062ae10b8906ba5d7071fd0aa4f3b3b4ef73e; http://blog.talosintelligence.com/2017/12/threat-round-up-1201-1208.html |
M17-i5m01 | Doc.Dropper.Agent_858e801a | Mixed | This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper. | 858e801a0dc4f3cddaec207fe1273e1b | SHA1: 25a803179857c7f6d8bad45105ead4483c822092; MD5: 858e801a0dc4f3cddaec207fe1273e1b; SHA256: 14a415384df11be5271c58e66474cb4326aaeb4af0035afce1d61f75eaf53db3; http://blog.talosintelligence.com/2017/12/threat-round-up-1201-1208.html |
M17-7fo01 | CeeInject_ae933938 | Windows | This strike sends a malware sample known as CeeInject. These trojan samples contain the PoSeidon malware, which steals credit card information from Point of Sale systems. | ae933938d5a3ec9425fc5ef91dba7cc7 | SHA1: c98d42a59c83f9cf4ff1e5be38d12cd08d6d3c77; MD5: ae933938d5a3ec9425fc5ef91dba7cc7; SHA256: b7ad41fbecce918894c0645aedbc60e4ac8daee24405b6a4957c98a728a14b9a; http://blog.talosintelligence.com/2017/12/threat-round-up-1201-1208.html |
M17-ar901 | Delf_aeec7541 | Windows | This strike sends a malware sample known as Delf. This sample is an infostealer. It fakes updating Adobe Acrobat and gains access to the user clipboard, allowing data to be stolen. | aeec754152015cb244aafd000cf0b1f2 | SHA1: 7ba4f851bd04efd427a5437ae7e6f1ef410bdba7; MD5: aeec754152015cb244aafd000cf0b1f2; SHA256: cc1eadad7810c4c94cdeebd63b7e54604253c4651c3a31bdf27dc96c189baa10; http://blog.talosintelligence.com/2017/12/threat-round-up-1201-1208.html |
M17-ena01 | Doc.Dropper.Agent_e0a7aed6 | Mixed | This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper. | e0a7aed6203d6a5481231c75084f1ea2 | SHA1: 1d59eb2140f1680bfc7362ea30a881c064b31750; MD5: e0a7aed6203d6a5481231c75084f1ea2; SHA256: 365d356b6d8d463ee4d6924b37acfecf16624a58d8d2e6a783a9ef289e74ace3; http://blog.talosintelligence.com/2017/12/threat-round-up-1201-1208.html |
M17-mzt01 | Doc.Macro.Obfuscation_e4f24b19 | Mixed | This strike sends a malware sample known as Doc.Macro.Obfuscation. This Emotet code uses VBA macro obfuscation to hide PowerShell commands. The MD5 hash of this Doc.Macro. | e4f24b19e3d3a1c12dbcebacf0b71428 | SHA1: fa02d680cc152fd74ff51cf613290a7d8cf42035; MD5: e4f24b19e3d3a1c12dbcebacf0b71428; SHA256: 93900a04e4d7c629e03f3d510d249f1c8497cf94d818e0ae5913b685e467be6b; http://blog.talosintelligence.com/2017/12/threat-round-up-1201-1208.html |
M17-il001 | Delf_74d3b1c2 | Windows | This strike sends a malware sample known as Delf. This sample is an infostealer. It fakes updating Adobe Acrobat and gains access to the user clipboard, allowing data to be stolen. | 74d3b1c2ea2baa2a623cc9faa5f2a697 | SHA1: 87ba051c8658112191ced987ea835897af075707; MD5: 74d3b1c2ea2baa2a623cc9faa5f2a697; SHA256: b7c8faa19fb394f42733df9c1bc7c5f0a5313ead7b0ec870c0db05f6e3baa910; http://blog.talosintelligence.com/2017/12/threat-round-up-1201-1208.html |
M17-kgd01 | Delf_71a5947f | Windows | This strike sends a malware sample known as Delf. This sample is an infostealer. It fakes updating Adobe Acrobat and gains access to the user clipboard, allowing data to be stolen. | 71a5947fe408ccf2790ad5cd7a333d89 | SHA1: 16adf91243b33bbcba754b690ff2d2ed06c3014a; MD5: 71a5947fe408ccf2790ad5cd7a333d89; SHA256: 248b6182fe5aaa120a6ad009595a93bf9431cbcd3e723ad711aef9b2d4562abf; http://blog.talosintelligence.com/2017/12/threat-round-up-1201-1208.html |
M17-kah01 | Delf_00a0c1e8 | Windows | This strike sends a malware sample known as Delf. This sample is an infostealer. It fakes updating Adobe Acrobat and gains access to the user clipboard, allowing data to be stolen. | 00a0c1e82d42bcc7e433ac1694e04da7 | SHA1: db8941a83a6cc5cad20d49591bb1e794acede3f0; MD5: 00a0c1e82d42bcc7e433ac1694e04da7; SHA256: db1181dbda2b6053b008568b8f2f7b8a98cc3bd30fbea83ac8f69900d657e56f; http://blog.talosintelligence.com/2017/12/threat-round-up-1201-1208.html |
M17-ho701 | CeeInject_a0cda3e6 | Windows | This strike sends a malware sample known as CeeInject. These trojan samples contain the PoSeidon malware, which steals credit card information from Point of Sale systems. | a0cda3e60c2b34a6ffcff9cf81e472d9 | SHA1: 830c3c07076262ae984668869e4fc8f432833451; MD5: a0cda3e60c2b34a6ffcff9cf81e472d9; SHA256: daee59ee955587d378dd6dc11af1a702d554c7926a9f42bac3752732c33e9317; http://blog.talosintelligence.com/2017/12/threat-round-up-1201-1208.html |
Strike ID | Malware | Platform | Info | MD5 | External References |
---|---|---|---|---|---|
M17-a0h01 | Phisherly_141e78d1 | Mixed | This strike sends a malware sample known as Phisherly. Phisherly steals a user's credentials from an infected system. | 141e78d16456a072c9697454fc6d5f58 | SHA1: eff5e2a3ac471a1b5ecdf51a72e003a82c350506; MD5: 141e78d16456a072c9697454fc6d5f58; SHA256: c272a2d96aefdef746f983e7f8720792e8a6dee97a766a651dc55f70f605b23d; https://www.symantec.com/blogs/threat-intelligence/dragonfly-energy-sector-cyber-attacks |
M17-bqz01 | BitCoinMiner_b81901a8 | Windows | This strike sends a malware sample known as BitCoinMiner. This sample is a cryptocurrency miner. If the victim has a CUDA-enabled GPU, the malware is able to execute. | b81901a8a96a333737c01e4848ccf28d | SHA1: c89f96d6f201d52ca41f5b60b2be340eab69e588; MD5: b81901a8a96a333737c01e4848ccf28d; SHA256: 7f783789ba87d344bf6450be97b0466c9b73e8cd1d320c08df8cb3636f09fbff; http://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html |
M17-fto01 | BitCoinMiner_f18d818e | Windows | This strike sends a malware sample known as BitCoinMiner. This sample is a cryptocurrency miner. If the victim has a CUDA-enabled GPU, the malware is able to execute. | f18d818e861b56da53deecd06c9db901 | SHA1: 1d2db370b9c01417251adb550bb6bd0013b1d64d; MD5: f18d818e861b56da53deecd06c9db901; SHA256: 7b4fbaabf1374e4f6c817f0ed5a359f65eabbda7cbd970cb427d57a8a44773d6; http://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html |
M17-58001 | MSILTrojan_33d4bdc3 | Windows | This strike sends a malware sample known as MSILTrojan. MSIL observes the user's actions via screenshots and keyboard logging. It then tries to send outbound emails through services like smtp.live.com. These can be used to exfiltrate wanted data or further spread the malware. | 33d4bdc3b0f88581cf6e6e8508845eba | SHA1: d01284e3b6a40c9aad311af45023902a323472ff; MD5: 33d4bdc3b0f88581cf6e6e8508845eba; SHA256: 365505f8969a04992e5e3d835dbb6987a368439b2c757c24e59dc6daa13d60e6; http://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html |
M17-huj01 | BitCoinMiner_90c80922 | Windows | This strike sends a malware sample known as BitCoinMiner. This sample is a cryptocurrency miner. If the victim has a CUDA-enabled GPU, the malware is able to execute. | 90c809221b14472eeb6f5a5fd3b72011 | SHA1: 051582083980bc2fb18dffbfe5178dca3b99da08; MD5: 90c809221b14472eeb6f5a5fd3b72011; SHA256: ed78e63401ee4290fb334cb0b159b1e94d86de345706f4fc30a4c1df0bd606f7; http://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html |
M17-hmx01 | Win32.MainerLoader_a8d10ea1 | Windows | This strike sends a malware sample known as Win32.MainerLoader. Win32.MainerLoader sends out system information to an attacker's server. It also downloads and executes other files on the infected computer. The MD5 hash of this Win32. | a8d10ea1b0ce99f23f6397b263290b9d | SHA1: 8cc314dbd1021caf074cd12acce06891d006ee4c; MD5: a8d10ea1b0ce99f23f6397b263290b9d; SHA256: 4f51485cbb20d8a807c10150e51d948d5fc41307920fb47fb6d332a7f6386270; https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/troj_gen |
M17-ym801 | CryptoShuffler_50e52dbf | Windows | This strike sends a malware sample known as CryptoShuffler. CryptoShuffler steals currency from a wallet by replacing the user's legitimate address with its own in the device clipboard. | 50e52dbf0e78fcddbc42657ed0661a3e | SHA1: a18c50258d0fd2db67848f43762851a6ec3a3298; MD5: 50e52dbf0e78fcddbc42657ed0661a3e; SHA256: a4e7e5d9d03a420b1fbc51bf8bb6482fbf37247e7c673e01281e42ddd0838343; https://www.bleepingcomputer.com/news/security/cryptoshuffler-stole-150-000-by-replacing-bitcoin-wallet-ids-in-pc-clipboards/ |
M17-m2r01 | BitCoinMiner_a40990fc | Windows | This strike sends a malware sample known as BitCoinMiner. This sample is a cryptocurrency miner. If the victim has a CUDA-enabled GPU, the malware is able to execute. | a40990fce9e03100df3c05872940a22b | SHA1: 67051a38989bddb096a9283301c3a914e860f733; MD5: a40990fce9e03100df3c05872940a22b; SHA256: bc9a756357e8a0d29931d1d9ec1747bb73855cdac99021abe99b444e5332a749; http://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html |
M17-plg01 | CryptoShuffler_7ec256d0 | Windows | This strike sends a malware sample known as CryptoShuffler. CryptoShuffler steals currency from a wallet by replacing the user's legitimate address with its own in the device clipboard. | 7ec256d0470b0755c952db122c6bdd0b | SHA1: a42142a5990ee7d7c6ddba2b5bb9b222ccb8c291; MD5: 7ec256d0470b0755c952db122c6bdd0b; SHA256: 6014e29490c1bce7ed3837681432ebc3755574aa934fd00fd399476a0cab2e62; https://www.bleepingcomputer.com/news/security/cryptoshuffler-stole-150-000-by-replacing-bitcoin-wallet-ids-in-pc-clipboards/ |
M17-rbl01 | MSILTrojan_99262704 | Windows | This strike sends a malware sample known as MSILTrojan. MSIL observes the user's actions via screenshots and keyboard logging. It then tries to send outbound emails through services like smtp.live.com. These can be used to exfiltrate wanted data or further spread the malware. | 99262704560d9a7f91ff4ede923fb89c | SHA1: b02eb59d4e514d505f7bca1934d30809275a8613; MD5: 99262704560d9a7f91ff4ede923fb89c; SHA256: c78b70c786d299ecb97021fa4b989455852084ec3afc45f6e348a8a0489263df; http://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html |
M17-xdl02 | Kovter_b8908bde | Windows | This strike sends a malware sample known as Kovter. These Kovter samples deliver ransomware to their targets. | b8908bde35ba9583ca50269559ce1042 | SHA1: ba2becd45f4f1a61563b457ec86d9a6e16146d2c; MD5: b8908bde35ba9583ca50269559ce1042; SHA256: e0467fca9d07a69a53cb436d7962499bc25be34295dacf5a5d19ae9596ad2d98; http://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html |
M17-9tf01 | BitCoinMiner_bb5419da | Windows | This strike sends a malware sample known as BitCoinMiner. This sample is a cryptocurrency miner. If the victim has a CUDA-enabled GPU, the malware is able to execute. | bb5419da24e3322e89643e8a304b6b11 | SHA1: 6a9d8fb1b31fe5f1f1dd6b5b65f7e3c6af0505f2; MD5: bb5419da24e3322e89643e8a304b6b11; SHA256: 0e92444bdc28dbd0e645cedb0c7f1d81708e2073b7c7567956b7bc665cb6b648; http://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html |
M17-p4q01 | BitCoinMiner_24d6a63c | Windows | This strike sends a malware sample known as BitCoinMiner. This sample is a cryptocurrency miner. If the victim has a CUDA-enabled GPU, the malware is able to execute. | 24d6a63c35fa7d12b2f064416f3e2de3 | SHA1: cabcb6eecf6f44bef039e8b3faa649b1f085cfcb; MD5: 24d6a63c35fa7d12b2f064416f3e2de3; SHA256: 1814256a36032c226ddd8263395ecbe6fad92b4b11e62120ee4d35354cb670fe; http://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html |
M17-1t101 | CryptoShuffler_1a05f512 | Windows | This strike sends a malware sample known as CryptoShuffler. CryptoShuffler steals currency from a wallet by replacing the user's legitimate address with its own in the device clipboard. | 1a05f51212dea00c15b61e9c7b7e647b | SHA1: af0390b6c901cb7baad0b1cd12b1cabde666155e; MD5: 1a05f51212dea00c15b61e9c7b7e647b; SHA256: e8d189f83475c37631514925b5620957ba0528c2ec6fe2b41d70522f943827ee; https://www.bleepingcomputer.com/news/security/cryptoshuffler-stole-150-000-by-replacing-bitcoin-wallet-ids-in-pc-clipboards/ |
M17-crw01 | BitCoinMiner_e63f6558 | Windows | This strike sends a malware sample known as BitCoinMiner. This sample is a cryptocurrency miner. If the victim has a CUDA-enabled GPU, the malware is able to execute. | e63f6558922f168106676055cfdf42a2 | SHA1: d819666f89c8f44af4dce69e4df4fc051406bfc0; MD5: e63f6558922f168106676055cfdf42a2; SHA256: 9dd467e34763c06e251c25d5c679e291030564a0b95b6a23a35bbe5a86889c01; http://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html |
M17-6ka01 | CryptoShuffler_6eb7202b | Windows | This strike sends a malware sample known as CryptoShuffler. CryptoShuffler steals currency from a wallet by replacing the user's legitimate address with its own in the device clipboard. | 6eb7202bb156e6d90d4931054f9e3439 | SHA1: ff3788e5482f0ee4f9e100bfd55302da5d00981b; MD5: 6eb7202bb156e6d90d4931054f9e3439; SHA256: 652d68f69c01a54632b185b1005e2811df65f64e509385e786017f8d29aae77d; https://www.bleepingcomputer.com/news/security/cryptoshuffler-stole-150-000-by-replacing-bitcoin-wallet-ids-in-pc-clipboards/ |
M17-jwi01 | Document | Mixed | This strike sends a malware sample known as Document Macro Obfuscation. These document samples use obfuscated macros to launch Powershell to then execute malicious commands. | 61f796a5f81c329a665db9782c235891 | SHA1: 635c6c57f901b8b5fe5fefed5394b824dc60c96aMD5: 61f796a5f81c329a665db9782c235891SHA256: bac652b6a5cb65db95afdd9628c389f34c0e5609ed60d96f5598e43ebb151b73http://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html |
M17-bnr01 | BitCoinMiner_de1865b7 | Windows | This strike sends a malware sample known as BitCoinMiner. This sample is a Cryptocurrency miner. If the victim has a CUDA-enabled GPU the malware is able to execute. | de1865b7ecdcb7c58a87253e7630fa04 | SHA1: c15d78b2dc7d55ef0c0af8f32c6cc4fb658f4f00MD5: de1865b7ecdcb7c58a87253e7630fa04SHA256: cc9e68134aab06089ec5b7404d5b54c572b56b04e61053d068cc8b4e67625ccehttp://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html |
M17-lho01 | BitCoinMiner_9710aa0f | Mixed | This strike sends a malware sample known as BitCoinMiner. This sample is a Cryptocurrency miner. If the victim has a CUDA-enabled GPU the malware is able to execute. | 9710aa0fc3583c64911e967e57988efa | SHA1: 228736959113b8cc9d7b7fe5b03236d04514c29eMD5: 9710aa0fc3583c64911e967e57988efaSHA256: 70de06f4911513162eb141787027f2cbe463e4382905e80724ad52ca6bae17bbhttp://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html |
M17-aw201 | CryptoShuffler_25bf6a13 | Windows | This strike sends a malware sample known as CryptoShuffler. CryptoShuffler steals currency from a wallet by replacing the users legitimate address with its own in the device clipboard. | 25bf6a132aae35a9d99e23794a41765f | SHA1: 7fa9fff6bc838689c9f360f08f35677f9801c360MD5: 25bf6a132aae35a9d99e23794a41765fSHA256: d4125d1e48fb8b682cc108cc25e05fdc9a55a460d3be98de3f4657857300a8c6https://www.bleepingcomputer.com/news/security/cryptoshuffler-stole-150-000-by-replacing-bitcoin-wallet-ids-in-pc-clipboards/ |
M17-9ow01 | Kovter_34ef4378 | Windows | This strike sends a malware sample known as Kovter. These Kovter samples deliver ransomware to their targets. | 34ef4378ab88eaffd95a8fa0e18a6136 | SHA1: 6b4e3e5fa351678e192936bf855d1a70c242f9e3MD5: 34ef4378ab88eaffd95a8fa0e18a6136SHA256: 468fdeeba11609d222b9554616dcb8b1ab10f565dcb6291bc5360dda3a97ab08http://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html |
M17-hmk01 | BitCoinMiner_4db0c337 | Windows | This strike sends a malware sample known as BitCoinMiner. This sample is a Cryptocurrency miner. If the victim has a CUDA-enabled GPU the malware is able to execute. | 4db0c33744bdc72fdf35ecc5f0297010 | SHA1: 6a3b664eaf9ad476467b04ed3a04f10226df1e54MD5: 4db0c33744bdc72fdf35ecc5f0297010SHA256: 84dd02debbf2b0c5ed7eebf813305543265e34ec98635139787bf8b882e7c7b4http://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html |
M17-o0r01 | BitCoinMiner_bbd30233 | Windows | This strike sends a malware sample known as BitCoinMiner. This sample is a Cryptocurrency miner. If the victim has a CUDA-enabled GPU the malware is able to execute. | bbd30233f78fc3e3161eac893160ed40 | SHA1: 9a924c0561d02f7abb68f14c4255cb27d52b5801MD5: bbd30233f78fc3e3161eac893160ed40SHA256: e9a76ace7562d53aaa889caf517b827427162f8512c01ced0657cb08df4121f2http://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html |
M17-06o02 | BitCoinMiner_f7878b68 | Windows | This strike sends a malware sample known as BitCoinMiner. This sample is a Cryptocurrency miner. If the victim has a CUDA-enabled GPU the malware is able to execute. | f7878b6815e9f48d390b0c77ae1ab871 | SHA1: dad734b20542638b170739a2bcdd81b7296861bfMD5: f7878b6815e9f48d390b0c77ae1ab871SHA256: 0487114a1df2852b2f3ba69aaa49930055e04c81ffc1e68dad6b47bec7ba2faahttp://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html |
M17-y3g01 | BitCoinMiner_f5d00567 | Windows | This strike sends a malware sample known as BitCoinMiner. This sample is a Cryptocurrency miner. If the victim has a CUDA-enabled GPU the malware is able to execute. | f5d005670dd61571af041f2260ecbf55 | SHA1: 3412e1ea4d3856b790d9441c0d3437decea05351MD5: f5d005670dd61571af041f2260ecbf55SHA256: a3d46a4fb9c6fa286c5dec80dd70a43c9ad70770b5d1540dea13e16b15d2ad26http://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html |
M17-20q01 | CryptoShuffler_d9a2cd86 | Windows | This strike sends a malware sample known as CryptoShuffler. CryptoShuffler steals currency from a wallet by replacing the users legitimate address with its own in the device clipboard. | d9a2cd869152f24b1a5294a1c82b7e85 | SHA1: a84f8ddad371c0dc399a4c48eb5aeba99fb8ee93MD5: d9a2cd869152f24b1a5294a1c82b7e85SHA256: b84bed5c2c639dc68a20ba3a3f4aee6b4ee143249e2883399b6450888cb50f2ahttps://www.bleepingcomputer.com/news/security/cryptoshuffler-stole-150-000-by-replacing-bitcoin-wallet-ids-in-pc-clipboards/ |
M17-fe201 | CryptoShuffler_39569ef2 | Windows | This strike sends a malware sample known as CryptoShuffler. CryptoShuffler steals currency from a wallet by replacing the users legitimate address with its own in the device clipboard. | 39569ef2c295d1392c3bc53e70bcf158 | SHA1: ae45c72271f580053edc95991db3a05031c7ea68MD5: 39569ef2c295d1392c3bc53e70bcf158SHA256: 16e24d31e721ddb42841d1e408695f6af4ec74219488fe5ba97f4f5e5567c6e7https://www.bleepingcomputer.com/news/security/cryptoshuffler-stole-150-000-by-replacing-bitcoin-wallet-ids-in-pc-clipboards/ |
M17-gc201 | Karagany_1560f684 | Windows | This strike sends a malware sample known as Karagany. This sample is a trojan that downloads malicious files onto the targeted machine. | 1560f68403c5a41e96b28d3f882de7f1 | SHA1: 95db15c67b48945237af7de61f3dbab92c99edd1; MD5: 1560f68403c5a41e96b28d3f882de7f1; SHA256: 28143c7638f22342bff8edcd0bedd708e265948a5fcca750c302e2dca95ed9f0; https://www.symantec.com/blogs/threat-intelligence/dragonfly-energy-sector-cyber-attacks |
M17-23u01 | Document | Mixed | This strike sends a malware sample known as Document Macro Obfuscation. These document samples use obfuscated macros to launch PowerShell, which then executes malicious commands. | d2673239608588792c223fd130e59260 | SHA1: 053f5a39b3cd6996dd020dbed00d450085fb6d97; MD5: d2673239608588792c223fd130e59260; SHA256: 7372b2b16620b1a35fa83f4bd31af1f78fbb3fe7d3235b06c064c4d617461f69; http://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html |
M17-tvq01 | Document | Mixed | This strike sends a malware sample known as Document Macro Obfuscation. These document samples use obfuscated macros to launch PowerShell, which then executes malicious commands. | 6d7b0cd6f24f2e7757c903fd5b4c9261 | SHA1: 8b2c6cadf1e96606f8868b003cb9a4a0dbae501e; MD5: 6d7b0cd6f24f2e7757c903fd5b4c9261; SHA256: f3fb2e9dcc0544751fb66d9325b5328d59298e7578c877924bc26944cbadb078; http://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html |
M17-qfv01 | Kovter_8cd89461 | Windows | This strike sends a malware sample known as Kovter. These Kovter samples deliver ransomware to their targets. | 8cd894611c813ba38483ca4db05ec8a4 | SHA1: fbfca6bd426236e91146fe9f09c6372cb0d8bef1; MD5: 8cd894611c813ba38483ca4db05ec8a4; SHA256: be11330dfb54a48734679f458381d69059c037bd45deb69f70148f9c2e36fc0d; http://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html |
M17-oli01 | Kovter_2853f41c | Windows | This strike sends a malware sample known as Kovter. These Kovter samples deliver ransomware to their targets. | 2853f41c7ca1acafcd49666ae9c6270a | SHA1: 1c9737989560a5e254cd8e197bfe7680a5d9b516; MD5: 2853f41c7ca1acafcd49666ae9c6270a; SHA256: b0d41c21e5d8396f711e1224f190b3281bb04d3f797ceb9c77558a5f567e3fe4; http://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html |
M17-bk201 | Magniber_8a0244ee | Windows | This strike sends a malware sample known as Magniber. Magniber is a Windows ransomware Trojan. It encrypts files with specific extensions on the infected computer. | 8a0244eedee8a26139bea287a7e419d9 | SHA1: 93619242ed888edfa3871035e0668cffa3643420; MD5: 8a0244eedee8a26139bea287a7e419d9; SHA256: 8968c1b7a7aa95931fcd9b72cdde8416063da27565d5308c818fdaafddfa3b51; https://www.fireeye.com/blog/threat-research/2017/10/magniber-ransomware-infects-only-the-right-people.html |
M17-n8m01 | ANDROIDOS_JSMINER_628d47c8 | Android | This strike sends a malware sample known as ANDROIDOS_JSMINER. ANDROIDOS_JSMINER has malicious cryptocurrency mining capabilities. It uses dynamic JavaScript loading and native code injection to avoid detection. | 628d47c8d487baf8f59ea83c291dc4e7 | SHA1: f85465431466ba2ae40cdb38367d2a8b52c593e8; MD5: 628d47c8d487baf8f59ea83c291dc4e7; SHA256: 440cc9913d623ed42563e90eec352da9438a9fdac331017af2ab9b87a5eee4af; http://blog.trendmicro.com/trendlabs-security-intelligence/coin-miner-mobile-malware-returns-hits-google-play/ |
M17-aqo01 | Kovter_cf86c7b4 | Windows | This strike sends a malware sample known as Kovter. These Kovter samples deliver ransomware to their targets. | cf86c7b48ab5632d19316f17fb35b218 | SHA1: cdb9798f09051d2ba91ad6f4122aabc4cd78b58a; MD5: cf86c7b48ab5632d19316f17fb35b218; SHA256: 6e445be806032f4a73d17d73cb00639f632b23f2731ac0c2267a4bb34237fd32; http://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html |
M17-67m01 | BitCoinMiner_e9a20556 | Windows | This strike sends a malware sample known as BitCoinMiner. This sample is a cryptocurrency miner. If the victim has a CUDA-enabled GPU, the malware is able to execute. | e9a20556ff2a4b5c5b3d9bbfac4d6697 | SHA1: 4999c6864d56c6b6e8b19ef8c61d380a69777fbf; MD5: e9a20556ff2a4b5c5b3d9bbfac4d6697; SHA256: a23bdb4e3973bc0a4e746038df90e5834efbd521a59df4d488f226a956144da5; http://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html |
M17-afk01 | CryptoShuffler_7ae273cd | Windows | This strike sends a malware sample known as CryptoShuffler. CryptoShuffler steals currency from a wallet by replacing the user's legitimate address with its own in the device clipboard. | 7ae273cd2243c4afcc52fda6bf1c2833 | SHA1: 94d09fbe0dbe265546c9b6e54b818ebf369aaaac; MD5: 7ae273cd2243c4afcc52fda6bf1c2833; SHA256: 04e6837fba02b594996b121386b33132e1539aa3d373680b3768ed8c3b7438aa; https://www.bleepingcomputer.com/news/security/cryptoshuffler-stole-150-000-by-replacing-bitcoin-wallet-ids-in-pc-clipboards/ |
M17-0nk01 | MSILTrojan_2e417156 | Windows | This strike sends a malware sample known as MSILTrojan. MSIL observes the user's actions via screenshots and keyboard logging. It will then try to send outbound emails through services like smtp.live.com. These can be used to exfiltrate the desired data or further spread the malware. | 2e41715629ffb2504dbbe476fc5cc7ca | SHA1: 5435766916e00decde56002437d8fcfd1371f121; MD5: 2e41715629ffb2504dbbe476fc5cc7ca; SHA256: 6707d3ed970ced8091d64bbd0bc742e2d4d8f192e1e6c64ee9037451c04bca13; http://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html |
M17-e5501 | Win32.Gibon_5baed560 | Windows | This strike sends a malware sample known as Win32.Gibon. This ransomware is distributed via malspam with an attached malicious document, which contains macros that will download and install the ransomware on the computer. The MD5 hash of this Win32. | 5baed5607749deabddd1722f3c3bfa0f | SHA1: 11cdb444bb7453b65453d584815005e228a1fe5d; MD5: 5baed5607749deabddd1722f3c3bfa0f; SHA256: 30b5c4609eadafc1b4f97b906a4928a47231b525d6d5c9028c873c4421bf6f98; https://www.bleepingcomputer.com/news/security/gibon-ransomware-being-distributued-by-malspam/ |
M17-muq01 | Document | Mixed | This strike sends a malware sample known as Document Macro Obfuscation. These document samples use obfuscated macros to launch PowerShell, which then executes malicious commands. | 5a169af04c6b7b51a32bea36c24a5dcc | SHA1: ea19a62377acdeeac7c910442e4c74205cfdc047; MD5: 5a169af04c6b7b51a32bea36c24a5dcc; SHA256: 7684aa4355b4992a8e168956e54424f03acca1cab32d0c62a4c87e6b5522d991; http://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html |
M17-kdd01 | BitCoinMiner_429cdb56 | Mixed | This strike sends a malware sample known as BitCoinMiner. This sample is a cryptocurrency miner. If the victim has a CUDA-enabled GPU, the malware is able to execute. | 429cdb5672313d8e2dff29fe3e68cd7a | SHA1: 8b5eab59d76eb42a59fee6aeac606154da0a3bce; MD5: 429cdb5672313d8e2dff29fe3e68cd7a; SHA256: 2888cc28bac5a432b2a819e08420e8f7e59f28d56ce8168c5865e6c3cd875776; http://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html |
M17-ws801 | BitCoinMiner_02793535 | Windows | This strike sends a malware sample known as BitCoinMiner. This sample is a cryptocurrency miner. If the victim has a CUDA-enabled GPU, the malware is able to execute. | 027935353d8c8f8bd70efdb55592e8ed | SHA1: 9002922f9a14faf7dbffd4db23ad5a892e52d0ff; MD5: 027935353d8c8f8bd70efdb55592e8ed; SHA256: 3daa009acb66af54564e8dd02da9f2ec1fbebb8c86382c461600cca5ca63ce20; http://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html |
M17-u9f01 | AsiaHitGroup_60a71632 | Android | This strike sends a malware sample known as AsiaHitGroup. This mobile Android malware is disguised as an alarm clock app, a QR scanner app, a compass app, a photo editor app, an Internet speed test app, and a file explorer app on the Google Play store. Once downloaded and launched, the application will attempt to download a malicious APK. However, it appears that the device must be in Asia for these outbound calls and the APK download to succeed. | 60a71632004ee431abb28bf91c3a4982 | SHA1: 18d99b25f0805c38737aeed025ecdf9cb4213eac; MD5: 60a71632004ee431abb28bf91c3a4982; SHA256: 5650d33173ecf1979d7648ee2f3faeb2494de5969373838c6bc16fac68175b55; https://blog.malwarebytes.com/cybercrime/2017/11/new-trojan-malware-discovered-google-play/ |
M17-9qp01 | Kovter_83b2b7d7 | Windows | This strike sends a malware sample known as Kovter. These Kovter samples deliver ransomware to their targets. | 83b2b7d72a697c0b67d7d4680ba5d9b1 | SHA1: 3c234c10bc5d76b31ac2338d074338b59a9652af; MD5: 83b2b7d72a697c0b67d7d4680ba5d9b1; SHA256: c4e37130cc1688d204ef34f8762d9c3182552622bbf61b127b22c0b733a3b700; http://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html |
M17-wxl01 | EMOTET_e3f53eb7 | Mixed | This strike sends a malware sample known as EMOTET. Emotet is a banking Trojan that has targeted users in Europe and the U.S. | e3f53eb751acc7eb18645753a15a1325 | SHA1: b98d80994ef3f6a66ce37fabcb862752673de8d5; MD5: e3f53eb751acc7eb18645753a15a1325; SHA256: 455be9278594633944bfdada541725a55e5ef3b7189ae13be8b311848d473b53; http://blog.trendmicro.com/trendlabs-security-intelligence/new-emotet-hijacks-windows-api-evades-sandbox-analysis/ |
M17-zt901 | Cosmic | Windows | This strike sends a malware sample known as Cosmic Duke. This sample is part of a known family related to the MiniDuke APT. When executed, it exfiltrates credentials stored on disk to a remote server. | 00064289cfe524823d92e59f9502d3c7 | SHA1: 21b8e6a957e13b9eeea09d32462824eaaa3879fc; MD5: 00064289cfe524823d92e59f9502d3c7; SHA256: 496220acf4b44f5564898533636dc3f19304d86ef7d223fbeedfb858e1570fd3; http://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html |
M17-xcx01 | BitCoinMiner_4de76e36 | Windows | This strike sends a malware sample known as BitCoinMiner. This sample is a cryptocurrency miner. If the victim has a CUDA-enabled GPU, the malware is able to execute. | 4de76e36b07903fb9edb4eb99178b9a3 | SHA1: 76b5ef6b17be91a3cfa03ef81b3015e49edaed50; MD5: 4de76e36b07903fb9edb4eb99178b9a3; SHA256: f26e6efc015b0dc9982b88fa02e3f2b2601173aaa300feb558104ef453c94941; http://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html |
M17-b5o01 | CryptoShuffler_80df8640 | Windows | This strike sends a malware sample known as CryptoShuffler. CryptoShuffler steals currency from a wallet by replacing the user's legitimate address with its own in the device clipboard. | 80df8640893e2d7ccd6f66fff6216016 | SHA1: f4553d85c2414e76fcf8fd29cb4ee72f8dc7fefb; MD5: 80df8640893e2d7ccd6f66fff6216016; SHA256: 5a8910d46a33500f8aceb21022401a9f0f813aba816228374960f491b7ecdc0e; https://www.bleepingcomputer.com/news/security/cryptoshuffler-stole-150-000-by-replacing-bitcoin-wallet-ids-in-pc-clipboards/ |
M17-m5e01 | CryptoShuffler_14461d5e | Windows | This strike sends a malware sample known as CryptoShuffler. CryptoShuffler steals currency from a wallet by replacing the user's legitimate address with its own in the device clipboard. | 14461d5ea29b26bb88abf79a36c1e449 | SHA1: 2cc7c759f20b53b9835b34b1ccb4f1023e45934e; MD5: 14461d5ea29b26bb88abf79a36c1e449; SHA256: c22248719c19ca31d60370e9054c7866758d842547c65953e461138e4ce09788; https://www.bleepingcomputer.com/news/security/cryptoshuffler-stole-150-000-by-replacing-bitcoin-wallet-ids-in-pc-clipboards/ |
M17-o6701 | BitCoinMiner_20be1c12 | Windows | This strike sends a malware sample known as BitCoinMiner. This sample is a cryptocurrency miner. If the victim has a CUDA-enabled GPU, the malware is able to execute. | 20be1c1252b41cffd918ceabfcb7fc1c | SHA1: 4691fb23b0db41bd97effffd477173e3e437e705; MD5: 20be1c1252b41cffd918ceabfcb7fc1c; SHA256: 314fa254bd1da034501300e8766d000aa0ab306bbd19f42e243f9d2370473712; http://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html |
M17-ui801 | AsiaHitGroup_178e6737 | Android | This strike sends a malware sample known as AsiaHitGroup. This mobile Android malware is disguised as an alarm clock app, a QR scanner app, a compass app, a photo editor app, an Internet speed test app, and a file explorer app on the Google Play store. Once downloaded and launched, the application will attempt to download a malicious APK. However, it appears that the device must be in Asia for these outbound calls and the APK download to succeed. | 178e6737a779a845b8f2baf143fdea15 | SHA1: 133e77bee8897052be054cbf238d64e858ee92ac; MD5: 178e6737a779a845b8f2baf143fdea15; SHA256: e6d4d7c7ff21dd359d94089c095aec85936120007a2b20931ad0087a05fa9aa5; https://blog.malwarebytes.com/cybercrime/2017/11/new-trojan-malware-discovered-google-play/ |
M17-1nk01 | Cosmic | Windows | This strike sends a malware sample known as Cosmic Duke. This sample is part of a known family related to the MiniDuke APT. When executed, it exfiltrates credentials stored on disk to a remote server. | 0005a28a83a6767035ae2fa2bb9941e3 | SHA1: a1f5ea21b314848fe5f42fecbf9745e5098fbd90; MD5: 0005a28a83a6767035ae2fa2bb9941e3; SHA256: eababe6f24e25622d795bde97ccfc32c51c1d0ee346a3c345f26b8e191d54664; http://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html |
M17-zrz01 | CryptoShuffler_0ad946c3 | Windows | This strike sends a malware sample known as CryptoShuffler. CryptoShuffler steals currency from a wallet by replacing the user's legitimate address with its own in the device clipboard. | 0ad946c351af8b53eac06c9b8526f8e4 | SHA1: 18cc6c59074f782b94ca0c2065b1245073b7b427; MD5: 0ad946c351af8b53eac06c9b8526f8e4; SHA256: 56e564ca187f03ff851522e8df7d19fe4f23b7299ff158f0895a464654b71b33; https://www.bleepingcomputer.com/news/security/cryptoshuffler-stole-150-000-by-replacing-bitcoin-wallet-ids-in-pc-clipboards/ |
M17-khj01 | Document | Mixed | This strike sends a malware sample known as Document Macro Obfuscation. These document samples use obfuscated macros to launch PowerShell, which then executes malicious commands. | 6090a7ec6b5b44a061e21b8583077509 | SHA1: 9d3491bed9edde08ffc658f738efa2599102ebe5; MD5: 6090a7ec6b5b44a061e21b8583077509; SHA256: ecdeeda6b71b88d0367bfb63291afe5ab5e34a5a43244791604c28d43323f59a; http://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html |
M17-rys01 | Kovter_2dc0bc50 | Windows | This strike sends a malware sample known as Kovter. These Kovter samples deliver ransomware to their targets. | 2dc0bc500df708a104cf9522acf28bdf | SHA1: 1bc5af673571c8e1c5204727dd31c7b93934d4d6; MD5: 2dc0bc500df708a104cf9522acf28bdf; SHA256: da973bebb2c14bcd3f493ffc1cc2cd6225f3b49fe77c1189de35f2dcfa72bbf8; http://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html |
M17-kdu01 | Marcher_0fdff6b5 | Android | This strike sends a malware sample known as Marcher. Marcher is an Android banking trojan that has been around since 2013. New strains of this malware have been seen by security experts, and they are being spread through SMS/MMS containing links to popular Android applications. | 0fdff6b5dbe7c749720823b01bf03581 | SHA1: 7272f999fd0ca9517befbd14f8dd020551a3d0c3; MD5: 0fdff6b5dbe7c749720823b01bf03581; SHA256: 22df438b3dd1ba417700abf998e4b24a666623e1ce7dc05b0388c695f78898cd; https://info.phishlabs.com/blog/android.trojan.marcher-conclusion ; https://info.phishlabs.com/blog/technique-change-observed-in-malicious-android-application-marcher-banking-trojan |
M17-xh601 | Cosmic | Windows | This strike sends a malware sample known as Cosmic Duke. This sample is part of a known family related to the MiniDuke APT. When executed, it exfiltrates credentials stored on disk to a remote server. | 00012978bd7350d3348eaee157519f7b | SHA1: 0013b6b96094490b5b71d7428a66a5df9e6a9264; MD5: 00012978bd7350d3348eaee157519f7b; SHA256: 792536894069dc265ae05a25f86a358a10011fa3d32ccf972e5867f862997925; http://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html |
M17-baz01 | CryptoShuffler_1e785429 | Windows | This strike sends a malware sample known as CryptoShuffler. CryptoShuffler steals currency from a wallet by replacing the user's legitimate address with its own in the device clipboard. | 1e785429526cc2621baf8bb05ed17d86 | SHA1: da4247104540eb884f41780e675d8b3e1c116faa; MD5: 1e785429526cc2621baf8bb05ed17d86; SHA256: 00e3bcfd0ef917c73c5a3818daf5bc0271fb3da53817df1215c20bfa5e4e91da; https://www.bleepingcomputer.com/news/security/cryptoshuffler-stole-150-000-by-replacing-bitcoin-wallet-ids-in-pc-clipboards/ |
M17-h9901 | BitCoinMiner_884f4ad2 | Windows | This strike sends a malware sample known as BitCoinMiner. This sample is a cryptocurrency miner. If the victim has a CUDA-enabled GPU, the malware is able to execute. | 884f4ad2a0794df84686a171f2b537ec | SHA1: 2333de451a4c2f939bb4f8f474853589b92e280e; MD5: 884f4ad2a0794df84686a171f2b537ec; SHA256: 3bcd92e4b5d1961e6b85f140d83698c37f0eba71993e41fc62c80a32e1a091c2; http://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html |
M17-tcs01 | MSILTrojan_f5fba636 | Windows | This strike sends a malware sample known as MSILTrojan. MSIL observes the user's actions via screenshots and keyboard logging. It will then try to send outbound emails through services like smtp.live.com. These can be used to exfiltrate the desired data or further spread the malware. | f5fba636088a87a397646070e33b2879 | SHA1: ba7caa2338dcbaa3882226e3fbcb0dc3a6feb740; MD5: f5fba636088a87a397646070e33b2879; SHA256: 47c364ac3d539ac0874e66b3f7cb0c5a87e3c67323156b082575fc926d1ecb13; http://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html |
M17-hjc01 | BitCoinMiner_f316095a | Windows | This strike sends a malware sample known as BitCoinMiner. This sample is a cryptocurrency miner. If the victim has a CUDA-enabled GPU, the malware is able to execute. | f316095aaf3c80fc343826ce1b0fedf2 | SHA1: fc367378558214aa1e23533c48b56e5cd43bf84c; MD5: f316095aaf3c80fc343826ce1b0fedf2; SHA256: 82bbc279515e29a63b38752d3532e6f9e5e36ffb6b4f1dd783c370eb68667b76; http://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html |
M17-se101 | BitCoinMiner_cf67170f | Windows | This strike sends a malware sample known as BitCoinMiner. This sample is a cryptocurrency miner. If the victim has a CUDA-enabled GPU, the malware is able to execute. | cf67170f3aadc037c0244e3139d09ecb | SHA1: b65e6be09d3f9ddc3a3bc623a7f7e10fb0962a9b; MD5: cf67170f3aadc037c0244e3139d09ecb; SHA256: 714069902c8b82e636cda415148847f5867a32706eaf4a3a04fcb0efac7cc03a; http://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html |
M17-qbr01 | MSILTrojan_b4f78eed | Windows | This strike sends a malware sample known as MSILTrojan. MSIL observes the user's actions via screenshots and keyboard logging. It will then try to send outbound emails through services like smtp.live.com. These can be used to exfiltrate the desired data or further spread the malware. | b4f78eed0970b137295f3a2ef8822ade | SHA1: 8224b97eeba1a3a6d366854feb964360033097a0; MD5: b4f78eed0970b137295f3a2ef8822ade; SHA256: db8c2fa78a2751bafd2d1a95f778a725735d42854c901e42976d1599f75deef5; http://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html |
M17-zfb01 | CryptoShuffler_aa46f95f | Windows | This strike sends a malware sample known as CryptoShuffler. CryptoShuffler steals currency from a wallet by replacing the user's legitimate address with its own in the device clipboard. | aa46f95f25c764a96f0fb3c75e1159f8 | SHA1: 77d98d609236c1ea6c8336a4dff59366be4ab1b2; MD5: aa46f95f25c764a96f0fb3c75e1159f8; SHA256: a933d57549ed5250e1038db316baffb21291a8b4738d020d940adf61e0cfed53; https://www.bleepingcomputer.com/news/security/cryptoshuffler-stole-150-000-by-replacing-bitcoin-wallet-ids-in-pc-clipboards/ |
M17-ent01 | Marcher_084390d7 | Android | This strike sends a malware sample known as Marcher. Marcher is an Android banking trojan that has been around since 2013. New strains of this malware have been seen by security experts, and they are being spread through SMS/MMS containing links to popular Android applications. | 084390d758e66732645e8f51007f5ef1 | SHA1: 97b581a81c7c9fe4b03393f0bd2a91588457ab40; MD5: 084390d758e66732645e8f51007f5ef1; SHA256: 663dd58fcd4ed84c097d0b4abf86a24613dd1fe49112d59d6bf3cbfb11acd5b5; https://info.phishlabs.com/blog/android.trojan.marcher-conclusion ; https://info.phishlabs.com/blog/technique-change-observed-in-malicious-android-application-marcher-banking-trojan |
M17-t4n01 | BitCoinMiner_207b4096 | Windows | This strike sends a malware sample known as BitCoinMiner. This sample is a cryptocurrency miner. If the victim has a CUDA-enabled GPU, the malware is able to execute. | 207b4096ea7dec575b14c6459d4df895 | SHA1: be66427c06f87129c818ac61a904c7462167bdd5; MD5: 207b4096ea7dec575b14c6459d4df895; SHA256: de7d4019549e2f018789c902afe9552bd9127328dc439bbe59d8b79a8565569c; http://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html |
M17-uth01 | BitCoinMiner_3f67d5cd | Windows | This strike sends a malware sample known as BitCoinMiner. This sample is a cryptocurrency miner. If the victim has a CUDA-enabled GPU, the malware is able to execute. | 3f67d5cd0cf42aa15aba7295741b5725 | SHA1: 8c87c1e578caa47272ff56401c688e68be82eed6; MD5: 3f67d5cd0cf42aa15aba7295741b5725; SHA256: 293548f39cdaeac4d59fb55efbce7ac214349aa5ae46df0f905a0ab5cc1ae5ee; http://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html |
M17-ita01 | MSILTrojan_88eb478d | Windows | This strike sends a malware sample known as MSILTrojan. MSIL observes the user's actions via screenshots and keyboard logging. It will then try to send outbound emails through services like smtp.live.com. These can be used to exfiltrate the desired data or further spread the malware. | 88eb478d43bc41fdc3179151f1646d8e | SHA1: f7a63f0297c8c946e70e7ef34bb3357e7a7693a2; MD5: 88eb478d43bc41fdc3179151f1646d8e; SHA256: b793ca990b4ebad46758253f8b3065334f923a7c077ce57c3b71308b6bd38422; http://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html |
M17-k9001 | Cosmic | Windows | This strike sends a malware sample known as Cosmic Duke. This sample is part of a known family related to the MiniDuke APT. When executed, it exfiltrates credentials stored on disk to a remote server. | 0003087a16dcd93b55fd9867fece6806 | SHA1: fb56cb3dac0cb3e1e5c328f5b469623f9688c999; MD5: 0003087a16dcd93b55fd9867fece6806; SHA256: 98e5bc8b136f2aafc7b46308f71ceeb675f057f3220a44e90e7498e226d746d3; http://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html |
M17-2pb01 | CryptoShuffler_b7adc869 | Windows | This strike sends a malware sample known as CryptoShuffler. CryptoShuffler steals currency from a wallet by replacing the user's legitimate address with its own in the device clipboard. | b7adc8699cdc02d0ab2d1bb8be1847f4 | SHA1: 445d6cb81fe995e748026f1de9cbbeb3289fe91c; MD5: b7adc8699cdc02d0ab2d1bb8be1847f4; SHA256: 7d1486e42dd9ce388ed1a04c6ae1c9233dfb00b151512141370d322ea2822b6e; https://www.bleepingcomputer.com/news/security/cryptoshuffler-stole-150-000-by-replacing-bitcoin-wallet-ids-in-pc-clipboards/ |
M17-w8e01 | Cosmic | Windows | This strike sends a malware sample known as Cosmic Duke. This sample is part of a known family related to the MiniDuke APT. When executed, it exfiltrates credentials stored on disk to a remote server. | 00056cffa20df8ad95108490d2d1ebbb | SHA1: d7699d0329d7b0e88778d75fdea8631510e12f98; MD5: 00056cffa20df8ad95108490d2d1ebbb; SHA256: 457bd4b9ad2c422f91fc5bcf74c52d392d32ace50f244d1beb624f42eebbaec8; http://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html |
M17-knx01 | Dorshel_b3b5d67f | Windows | This strike sends a malware sample known as Dorshel. Dorshel is a Trojan that opens a backdoor on the infected machine. | b3b5d67f5bbf5a043f5bf5d079dbcb56 | SHA1: c7eae6cd08d0601223b641745f078dffce285066; MD5: b3b5d67f5bbf5a043f5bf5d079dbcb56; SHA256: cee4211af96df184236e816ab0b11d95d1075148299a29719fcd9675b2714426; https://www.symantec.com/blogs/threat-intelligence/dragonfly-energy-sector-cyber-attacks |
M17-qhi01 | Document | Mixed | This strike sends a malware sample known as Document Macro Obfuscation. These document samples use obfuscated macros to launch PowerShell, which then executes malicious commands. | 541c4ae0b75d2f4261ae69cda4722c76 | SHA1: 6c8885233d34af040c69310d2435143643a1dd00; MD5: 541c4ae0b75d2f4261ae69cda4722c76; SHA256: 0b8bcc0c7281c9ad5e2c03b08c881b48015d064906deeccbe7bf944f4ef6d532; http://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html |
M17-v7x01 | AsiaHitGroup_b481ce9d | Android | This strike sends a malware sample known as AsiaHitGroup. This mobile Android malware is disguised as an alarm clock app, a QR scanner app, a compass app, a photo editor app, an Internet speed test app, and a file explorer app on the Google Play store. Once downloaded and launched, the application will attempt to download a malicious APK. However, it appears that the device must be in Asia for these outbound calls and the APK download to succeed. | b481ce9d0b7295cda33b15f9c7809b95 | SHA1: 6e0dc1a6edffa26998b80a42c0773941d0cd36ca; MD5: b481ce9d0b7295cda33b15f9c7809b95; SHA256: 9d07dd6f6266167edeb83e7eeac1d10a4c038f349e18ba2d65a2fff9c8a17099; https://blog.malwarebytes.com/cybercrime/2017/11/new-trojan-malware-discovered-google-play/ |
M17-e8i01 | CryptoShuffler_095536ca | Windows | This strike sends a malware sample known as CryptoShuffler. CryptoShuffler steals currency from a wallet by replacing the user's legitimate address with its own in the device clipboard. | 095536ca531ae11a218789cf297e71ed | SHA1: 6fc487600cf7b89bb29828b46f090635e0b17654; MD5: 095536ca531ae11a218789cf297e71ed; SHA256: e79733fb552d4c91268ec0f1d0bd4de6030123650ed8b4cf4d0bdbf9b48c2963; https://www.bleepingcomputer.com/news/security/cryptoshuffler-stole-150-000-by-replacing-bitcoin-wallet-ids-in-pc-clipboards/ |
M17-ggm01 | Document | Mixed | This strike sends a malware sample known as Document Macro Obfuscation. These document samples use obfuscated macros to launch PowerShell, which then executes malicious commands. | bb0c0d90c304ee48045db45bcb64d039 | SHA1: aaeae71d40a14a4ebf520a08f70726f2f31c7556; MD5: bb0c0d90c304ee48045db45bcb64d039; SHA256: dd8bd175e95c9bdc963f6b7a188f9a0e4184411097123e2bb76111c9550b12dd; http://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html |
M17-tnm01 | BitCoinMiner_8dbb98a8 | Windows | This strike sends a malware sample known as BitCoinMiner. This sample is a cryptocurrency miner. If the victim has a CUDA-enabled GPU, the malware is able to execute. | 8dbb98a873ddd30eddd07fc0450dfb8c | SHA1: b226981f2f524b6b996398b08d919f53768d87ae; MD5: 8dbb98a873ddd30eddd07fc0450dfb8c; SHA256: 63544397a0cfbf53588ad8792a870e6b7ff2fa0cf16dc6a3796a3ea4805776d6; http://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html |
M17-n0f01 | EMOTET_c18a79a8 | Mixed | This strike sends a malware sample known as EMOTET. Emotet is a banking Trojan that has targeted users in Europe and the U.S. | c18a79a8cdb7a8dc8237d9fe4c654902 | SHA1: 14db95d275bad7fe63fbdbacec967309b660240b; MD5: c18a79a8cdb7a8dc8237d9fe4c654902; SHA256: 3f75ee07639bbcebf9b904debae1b40ae1e2f2cbfcef44caeda21a9dae71c982; http://blog.trendmicro.com/trendlabs-security-intelligence/new-emotet-hijacks-windows-api-evades-sandbox-analysis/ |
M17-4bw01 | Document | Mixed | This strike sends a malware sample known as Document Macro Obfuscation. These document samples use obfuscated macros to launch PowerShell, which then executes malicious commands. | 2f7d44061aa3ee95590a68a61281d41c | SHA1: 1290b9a58304df9f86ea502c6d1942d49f2c12c3; MD5: 2f7d44061aa3ee95590a68a61281d41c; SHA256: f1231de08447a85356afedfdad5262e7ebba32bc68d23e73e5385164caf2182b; http://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html |
M17-du501 | Document | Mixed | This strike sends a malware sample known as Document Macro Obfuscation. These document samples use obfuscated macros to launch Powershell to then execute malicious commands. | 2e705bff61f210c1395890d90b54a921 | SHA1: 5409ab136cb2261a71ed3e6af8a1b5900efa46edMD5: 2e705bff61f210c1395890d90b54a921SHA256: 7c056f1a930943cd3afcba96555185cb598210f96c1b098b321a6e7d087599a8http://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html |
M17-43v01 | Kovter_9d0ef4a2 | Windows | This strike sends a malware sample known as Kovter. These Kovter samples deliver ransomware to their targets. | 9d0ef4a2161f47a7ece488906e0ed983 | SHA1: 30f8ed43aa45d75b330a6d9685086a4d90cb68d0MD5: 9d0ef4a2161f47a7ece488906e0ed983SHA256: fa0577e117929e21a3881b615a0a3cb087f5bbda6628b7612f036d0753c1b24bhttp://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html |
M17-8j701 | BitCoinMiner_27d24809 | Windows | This strike sends a malware sample known as BitCoinMiner. This sample is a Cryptocurrency miner. If the victim has a CUDA-enabled GPU the malware is able to execute. | 27d2480941a8bce3205854b38a61f7af | SHA1: 63cb3988223961e2cb5063fcfb8f24c2aefc9db8MD5: 27d2480941a8bce3205854b38a61f7afSHA256: 7a6d865285069c90fcf5b8b3671b6daa7c9e6a9e39a37d4854ab630c6f094178http://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html |
M17-zv402 | EMOTET_d6c81263 | Windows | This strike sends a malware sample known as EMOTET. Emotet is used as a banking Trojan that targeted users in Europe and the U.S. | d6c8126371d37ffe3100755db6aa22ed | SHA1: 294b381e200aa3f343989877c9ef5efdda25ca42MD5: d6c8126371d37ffe3100755db6aa22edSHA256: fbff242aeeff98285e000ef03cfa96e87d6d63c41080d531edcb455646b64eechttp://blog.trendmicro.com/trendlabs-security-intelligence/new-emotet-hijacks-windows-api-evades-sandbox-analysis/ |
M17-lcj01 | BitCoinMiner_39f7e72f | Windows | This strike sends a malware sample known as BitCoinMiner. This sample is a Cryptocurrency miner. If the victim has a CUDA-enabled GPU the malware is able to execute. | 39f7e72f1749e4d76c0e7edd965e984f | SHA1: 3017a7e1f3e4014085f0f347dd463bb3281e3c48MD5: 39f7e72f1749e4d76c0e7edd965e984fSHA256: aecfcd163d2665720b7b63288b6964dcab57960c2c3cd77e7674445c282c3188http://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html |
M17-28v01 | Kovter_8dc86428 | Windows | This strike sends a malware sample known as Kovter. These Kovter samples deliver ransomware to their targets. | 8dc864280742ac9c038522b33c40b6ec | SHA1: cb15e8d0dc0ae34889cb0ffc9d1efcf4f3d43d53MD5: 8dc864280742ac9c038522b33c40b6ecSHA256: 36d5cee0fd6862ae64e0074e12ca1599be7953d7cdfa93ca3993c5f83c9cf1b2http://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html |
M17-ghb01 | BitCoinMiner_fb675e13 | Windows | This strike sends a malware sample known as BitCoinMiner. This sample is a Cryptocurrency miner. If the victim has a CUDA-enabled GPU the malware is able to execute. | fb675e1398e9f6b8b6c43937c6e9e351 | SHA1: 7c0884b56e5c40786f6cb8e4e42083116c36dfd4MD5: fb675e1398e9f6b8b6c43937c6e9e351SHA256: 019538248027b51c92cef1cc2e8cff4577c30508e0aa06a65adfdcc125c6846chttp://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html |
M17-ac801 | Kovter_b24b8f5c | Windows | This strike sends a malware sample known as Kovter. These Kovter samples deliver ransomware to their targets. | b24b8f5cd81ba3968ecee4b95f310ad0 | SHA1: 073b067a68e24e038ced211a7c343d8ca3379c62MD5: b24b8f5cd81ba3968ecee4b95f310ad0SHA256: cc714cbf5aac23f09bcc9eea1b8577d2e1673d9fe1433f5658eecc818a2f8469http://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html |
M17-5fw01 | Win32.BioData_fec0ca20 | Windows | This strike sends a malware sample known as Win32.BioData. This malware exploits a vulnerability in the InPage program. It can download and execute malicious files on the infected system. The MD5 hash of this Win32. | fec0ca2056d679a63ca18cb132223332 | SHA1: 5bf9d07d06be22f999e2f94fd3dbca4dd2ef0be6MD5: fec0ca2056d679a63ca18cb132223332SHA256: 5716509e4cdbf8ffa5fbce02b8881320cb852d98e590215455986a5604a453f7https://researchcenter.paloaltonetworks.com/2017/11/unit42-recent-inpage-exploits-lead-multiple-malware-families/ |
M17-01o01 | AsiaHitGroup_995d5dc8 | Android | This strike sends a malware sample known as AsiaHitGroup. This mobile Android malware is disguised as an alarm clock app, a QR scanner app, a compass app, a photo editor app, an Internet speed test app, and a file explorer app on the Google Play store. Once downloaded and launched, the application will attempt to download a malicious apk. However, it appears as though you must be in Asia to make these outbound calls and download this apk. | 995d5dc873104b5e42b3c0af805359db | SHA1: f2be8f0f3228fa225a33e1c03b2836e4b9bc2ff9MD5: 995d5dc873104b5e42b3c0af805359dbSHA256: 4629536b5c92fa3d7fb55c9dba87b255405c7224fe06d60c281edc13de21e754https://blog.malwarebytes.com/cybercrime/2017/11/new-trojan-malware-discovered-google-play/ |
M17-i8v01 | CryptoShuffler_d45b0a25 | Windows | This strike sends a malware sample known as CryptoShuffler. CryptoShuffler steals currency from a wallet by replacing the users legitimate address with its own in the device clipboard. | d45b0a257f8a0710c7b27980de22616e | SHA1: 565e71a83a99239ee32834ec2fc3620c6b039368MD5: d45b0a257f8a0710c7b27980de22616eSHA256: 5ce1f20b6136523e3ce01361e77062a21279f7b95124c9640e8d5cb53a6c4d3ehttps://www.bleepingcomputer.com/news/security/cryptoshuffler-stole-150-000-by-replacing-bitcoin-wallet-ids-in-pc-clipboards/ |
M17-rv201 | MSILTrojan_9165ccce | Windows | This strike sends a malware sample known as MSILTrojan. MSIL observes the user's actions via screenshots and keyboard logging. It then will try to send outbound emails through services like smtp.live.com. These can be used to exfiltrate wanted data or further spread the malware. | 9165cccee0c1248d2f906b8634a175a5 | SHA1: 026708c4ecb7381392c430702cb08a1d07d7efaeMD5: 9165cccee0c1248d2f906b8634a175a5SHA256: 987cdbc17259f87a9e6b04c1d6c3c971f23c380f7da1a0d93ff79584230e5b7chttp://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html |
M17-qv701 | BitCoinMiner_91725ab4 | Windows | This strike sends a malware sample known as BitCoinMiner. This sample is a Cryptocurrency miner. If the victim has a CUDA-enabled GPU the malware is able to execute. | 91725ab4f5caf0154cc1eb424cee8c53 | SHA1: 386658978699d3f095598ef5aa32b540e230943dMD5: 91725ab4f5caf0154cc1eb424cee8c53SHA256: fdfe3ab063fd7dad96a6492cc1b7f43c169e270868a3541a89e177b8dacaf16bhttp://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html |
M17-0c001 | ANDROIDOS_JSMINER_fc1e0818 | Android | This strike sends a malware sample known as ANDROIDOS_JSMINER. ANDROIDOS_JSMINER has malicious cryptocurrency mining capabilities. It uses dynamic JavaScript loading and native code injection to avoid detection. | fc1e08187de3f4b7cb52bd09ea3c2594 | SHA1: 6241e89839c4a15472c963c4cce57dd31017daf4MD5: fc1e08187de3f4b7cb52bd09ea3c2594SHA256: 22581e7e76a09d404d093ab755888743b4c908518c47af66225e2da991d112f0http://blog.trendmicro.com/trendlabs-security-intelligence/coin-miner-mobile-malware-returns-hits-google-play/ |
M17-da401 | Win32.SunOrcald_8ea868f0 | Windows | This strike sends a malware sample known as Win32.SunOrcald. This variant is used concurrently, with both Reaver and the traditional SunOrcal. It shares much of the same infrastructure. It downloads and executes DLL files on the infected system. It also adds a value to the RunOnce key in the Registry. The MD5 hash of this Win32. | 8ea868f0655560fb7ec299305fbaefbe | SHA1: 9a62eac0757f2a056c7a9e0d8d971b61ef69362eMD5: 8ea868f0655560fb7ec299305fbaefbeSHA256: 67ef25b0708e6c268d2cbd78d03141acfc9cf895b8422da69beb2ca598f2fcc7https://researchcenter.paloaltonetworks.com/2017/11/unit42-sunorcal-adds-github-steganography-repertoire-expands-vietnam-myanmar/ |
M17-d2j01 | BitCoinMiner_ce2250c0 | Windows | This strike sends a malware sample known as BitCoinMiner. This sample is a Cryptocurrency miner. If the victim has a CUDA-enabled GPU the malware is able to execute. | ce2250c00516d99151a4d76f75942311 | SHA1: c4b3c4da5dd88e0dc561acd92afe9255f48d7ddcMD5: ce2250c00516d99151a4d76f75942311SHA256: 459a5346ac350d03b7e5fd5b9882afee243f2d1f838ead99ab06a2cde783c522http://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html |
M17-ons01 | AsiaHitGroup_3cc02e4f | Android | This strike sends a malware sample known as AsiaHitGroup. This mobile Android malware is disguised as an alarm clock app, a QR scanner app, a compass app, a photo editor app, an Internet speed test app, and a file explorer app on the Google Play store. Once downloaded and launched, the application will attempt to download a malicious apk. However, it appears as though you must be in Asia to make these outbound calls and download this apk. | 3cc02e4feceb488b084665e763968108 | SHA1: d18f3c0c318fad791e6d07dcdf255da30adc9be0MD5: 3cc02e4feceb488b084665e763968108SHA256: 858543599b9a6d6d48c9243b9e330fcbe24a464b942e53020fac4535b4d440f3https://blog.malwarebytes.com/cybercrime/2017/11/new-trojan-malware-discovered-google-play/ |
M17-5dj01 | AsiaHitGroup_7ceda121 | Android | This strike sends a malware sample known as AsiaHitGroup. This mobile Android malware is disguised as an alarm clock app, a QR scanner app, a compass app, a photo editor app, an Internet speed test app, and a file explorer app on the Google Play store. Once downloaded and launched, the application will attempt to download a malicious apk. However, it appears as though you must be in Asia to make these outbound calls and download this apk. | 7ceda121f9d452e9a32b8088f50012b8 | SHA1: bcc23e9ab5becc874c9c6ae1d891e25f8fe2a6aeMD5: 7ceda121f9d452e9a32b8088f50012b8SHA256: d43b5384bf21006754322de96ce15b12d7bac75ad40e6ac30fbe45a78c98f85fhttps://blog.malwarebytes.com/cybercrime/2017/11/new-trojan-malware-discovered-google-play/ |
M17-zwa01 | Credrix_a4cf567f | Windows | This strike sends a malware sample known as Credrix. Credrix is a tool that gathers Windows credentials from memory. | a4cf567f27f3b2f8b73ae15e2e487f00 | SHA1: 4f2faef3d65099c19d617df73af5119dd719240cMD5: a4cf567f27f3b2f8b73ae15e2e487f00SHA256: 178348c14324bc0a3e57559a01a6ae6aa0cb4013aabbe324b51f906dcf5d537ehttps://www.symantec.com/security_response/writeup.jsp?docid=2017-071015-4148-99 |
M17-uz501 | Document | Mixed | This strike sends a malware sample known as Document Macro Obfuscation. These document samples use obfuscated macros to launch Powershell to then execute malicious commands. | 520f6ccab58564e448fc5dfade163d47 | SHA1: 81b3ff18f520c546dac6e78a94172f8b2a07299aMD5: 520f6ccab58564e448fc5dfade163d47SHA256: 4d9f3de7aeca86a1ba1a653e04994eb69d31c6afc5802691ee9178bf8d593ed5http://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html |
M17-jxl01 | BitCoinMiner_ac11bc15 | Windows | This strike sends a malware sample known as BitCoinMiner. This sample is a Cryptocurrency miner. If the victim has a CUDA-enabled GPU the malware is able to execute. | ac11bc15e3e6f4caa1c6f090659c397e | SHA1: cf7431f9ac3682d9c980ca2dfcd7885fe75e7220MD5: ac11bc15e3e6f4caa1c6f090659c397eSHA256: 9d6b9fa1861b72f348a4fa8b209eb7f40f4a497bcf98204ba5fd389f7fa82b93http://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html |
M17-06o01 | AsiaHitGroup_7eec1c26 | Android | This strike sends a malware sample known as AsiaHitGroup. This mobile Android malware is disguised as an alarm clock app, a QR scanner app, a compass app, a photo editor app, an Internet speed test app, and a file explorer app on the Google Play store. Once downloaded and launched, the application will attempt to download a malicious apk. However, it appears as though you must be in Asia to make these outbound calls and download this apk. | 7eec1c26e60fede7644187b0082b6ac4 | SHA1: f43039b1fb54f0d292fc8e234d5021e041469687MD5: 7eec1c26e60fede7644187b0082b6ac4SHA256: e45cd99a664c5bb68ea7ab8e8f47f329bd01dc1193106e25962478b5259c0009https://blog.malwarebytes.com/cybercrime/2017/11/new-trojan-malware-discovered-google-play/ |
M17-1gc01 | BitCoinMiner_331e9bff | Windows | This strike sends a malware sample known as BitCoinMiner. This sample is a Cryptocurrency miner. If the victim has a CUDA-enabled GPU the malware is able to execute. | 331e9bff18d6d6394d2039a6ed22d295 | SHA1: 0a506b6b26c6e04d03f5aff533f8da68c3899084MD5: 331e9bff18d6d6394d2039a6ed22d295SHA256: 1a736b816b476800c1adb87169100192e503a1737ebedef5b1f14d695a100011http://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html |
Strike ID | Malware | Platform | Info | MD5 | External References |
---|---|---|---|---|---|
M17-evu01 | CCleaner_384ca346 | Windows | This strike sends a malware sample known as CCleaner. This sample of CCleaner, distributed by Avast, contains a malicious payload that features a domain generation algorithm and hard-coded C2 functionality. The malicious payload may attempt to elevate privileges, or send an HTTP request to a remote controller in order to retrieve a further-stage payload. | 384ca346f00feb0e361c0f081f56ddf3 | SHA1: a21403e47a1eddffefa3dd9dd1bd8fb77be9fe6f; MD5: 384ca346f00feb0e361c0f081f56ddf3; SHA256: 30b1dfd6eae2e473464c7d744a094627e5a70a89b62916457e30e3e773761c48; http://blog.talosintelligence.com/2017/09/threat-round-up-170922-170929.html |
M17-ma601 | Office | Windows | This strike sends a malware sample known as Office DDE Vortex Payload PE. This sample is a payload associated with the Microsoft Office DDE attacks. Specifically, this payload disguises itself as an NVIDIA service and communicates with beer-ranking.pl. The sample retrieves a crypto key and is in fact the Vortex ransomware. | 09d71f068d2bbca9fac090bde74e762b | SHA1: a0d537e6093561e003648a756c9f9138386c4c00; MD5: 09d71f068d2bbca9fac090bde74e762b; SHA256: fe72a6b6da83c779787b2102d0e2cfd45323ceab274924ff617eb623437c2669; http://pedramamini.postach.io/; https://www.peerlyst.com/posts/microsoft-office-dde-vortex-ransomware-targeting-poland-inquest-net; http://contagiodump.blogspot.com/2017/10/dde-command-execution-malware-samples.html |
M17-vy101 | TorrentLocker_1fbf4f38 | Windows | This strike sends a malware sample known as TorrentLocker. This sample of ransomware uses AES encryption to encrypt files on the victim's machine before demanding a Bitcoin ransom. | 1fbf4f38b0d853e9fff54f92a204a064 | SHA1: 337690de61d7a7aa45f94306b522558ce5e83df3; MD5: 1fbf4f38b0d853e9fff54f92a204a064; SHA256: cc07ae7275b177c6882cffce894389383ca2c76af5dc75094453699252c9c831; http://blog.talosintelligence.com/2017/09/threat-round-up-170922-170929.html |
M17-en301 | TrickBot_6e5209d1 | Mixed | This strike sends a malware sample known as TrickBot. TrickBot is a banking trojan that shares similarities with the Dyre banking trojan. It is used by criminals to target customers of Australian banks. | 6e5209d1bc0a6815913b242c27709f30 | SHA1: b47a0d2b81a34e67ba32f473cf1ba9823b37afbe; MD5: 6e5209d1bc0a6815913b242c27709f30; SHA256: e6bd4d23467ee8df96837140695de5689cc7f7b73cffd9a9d40e33444766496a; http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html |
M17-bvc01 | BadRabbit_1d724f95 | Windows | This strike sends a malware sample known as BadRabbit. This sample included with BadRabbit is named infpub.dat. It is executed via run32 and contains a list of credentials that are used in brute-force attempts to get the scheduled tasks to execute the ransomware. | 1d724f95c61f1055f0d02c2154bbccd3 | SHA1: 79116fe99f2b421c52ef64097f0f39b815b20907; MD5: 1d724f95c61f1055f0d02c2154bbccd3; SHA256: 579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648; https://securingtomorrow.mcafee.com/mcafee-labs/badrabbit-ransomware-burrows-russia-ukraine/; http://blog.talosintelligence.com/2017/10/bad-rabbit.html |
M17-xo001 | Tofsee_acad9e88 | Windows | This strike sends a malware sample known as Tofsee. This sample has been tied to other malware such as the Zeus botnet. It contains several layers of encryption, exhibits ransomware behavior, and sends spam. | acad9e88923eb9702c24ff3fa8a068ff | SHA1: 9d51bcc4860db3acf3c994fae9fa7b20290d6efa; MD5: acad9e88923eb9702c24ff3fa8a068ff; SHA256: 6cbb53ee5485e756bd8680944961b6c27d59c1a610c5f93c1788a2dafd1f5706; http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html |
M17-41n01 | Tofsee_732773ce | Windows | This strike sends a malware sample known as Tofsee. This sample has been tied to other malware such as the Zeus botnet. It contains several layers of encryption, exhibits ransomware behavior, and sends spam. | 732773ce4e83a4ad7ce41617a7d4cad6 | SHA1: fb01078080a10537f0e4a479df42252693742480; MD5: 732773ce4e83a4ad7ce41617a7d4cad6; SHA256: 5ecce618b7b65cac1a5930608aa939241f4312a54a3efbfaf8c3bb5e27056b91; http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html |
M17-m8601 | RevengeRat_2031d7a4 | Windows | This strike sends a malware sample known as RevengeRat. This sample is a Remote Access Tool that allows the attacker to perform a variety of covert malicious functions on the target system, including spying on the user and exfiltrating data. | 2031d7a4f5f2aba56b2f7c5186c70fcd | SHA1: 280277d0218f4eb5a2bf46c8e7a0ab5b2f9ac6b5; MD5: 2031d7a4f5f2aba56b2f7c5186c70fcd; SHA256: fdb99a0527be797fc7d7b7f48088c21d034bce6a5c848ede43714d86d3266661; http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html |
M17-zzl01 | Jrat_396adbc1 | Mixed | This strike sends a malware sample known as Jrat. This sample is a document that contains an embedded OLE object that attempts to contact external domains to download additional malicious code. | 396adbc1de0d0748baf3fb6bbe912e4f | SHA1: 14503f8fe1f22d6cb256f3bd16dfe90394f752d6; MD5: 396adbc1de0d0748baf3fb6bbe912e4f; SHA256: bb4793538712834408cd9b3b58c1edf8da81906ffc12e25766fb40ddabe1c383; http://blog.talosintelligence.com/2017/09/threat-round-up-170922-170929.html |
M17-xl301 | Beeldeb_7eba8802 | Windows | This strike sends a malware sample known as Beeldeb. This sample is a trojan that is added to the startup folder for persistence. It is a self-executing AutoIt script, and the malware payload is injected into a dropped executable. | 7eba88026a13a88d2e68bce88fff9d2f | SHA1: 710fe6d8aee660eb4e8652787c85ff8b475e15e2; MD5: 7eba88026a13a88d2e68bce88fff9d2f; SHA256: ca07844200067101a91d23604a7fb425ee8b47a66567a953103a9949f66d74cc; http://blog.talosintelligence.com/2017/09/threat-round-up-170922-170929.html |
M17-q6401 | Jrat_2071f755 | Mixed | This strike sends a malware sample known as Jrat. This sample is a document that contains an embedded OLE object that attempts to contact external domains to download additional malicious code. | 2071f755c30a63b0a73791156f273c02 | SHA1: 8d9f5af4a548abd03550702dbb53a0e0428ca12c; MD5: 2071f755c30a63b0a73791156f273c02; SHA256: fff6555400d65b28590cdde1a1f1a8731f02e8c21c1a9f167d53dc1054cc865a; http://blog.talosintelligence.com/2017/09/threat-round-up-170922-170929.html |
M17-psn01 | Emotet_9646fbee | Mixed | This strike sends a malware sample known as Emotet. This document sample has been identified with the Emotet banking trojan. It contains obfuscated code and uses PowerShell to download payloads. | 9646fbeeb768f431f5440ab2c2259ed4 | SHA1: d95826fd488a873e866ee0793daa602ee90bede5; MD5: 9646fbeeb768f431f5440ab2c2259ed4; SHA256: f7972ab6d27883f9c1a0fb6b0e54466eb6305eaa1bfb6c09da82e1539bbe7fc4; http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html |
M17-qcz01 | Document | Mixed | This strike sends a malware sample known as Document Macro Obfuscation. This sample uses obfuscation to bypass detection and adds junk code to misdirect analysis. | 5bac0670f7baf2ead07145303a9ddcbb | SHA1: 268fbf5dcb1486166925b76af3b73a129104298d; MD5: 5bac0670f7baf2ead07145303a9ddcbb; SHA256: 4abacdd4177a4446dedc00992c7d33538fd0046ba99971c2dcbdff49d51a7664; http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html |
M17-2vg01 | TorrentLocker_03f3e0bc | Windows | This strike sends a malware sample known as TorrentLocker. This sample of ransomware uses AES encryption to encrypt files on the victim's machine before demanding a Bitcoin ransom. | 03f3e0bc4d0e3d9817610eb7761f8041 | SHA1: 0f15149fb8e6a085cbfb2d076f6e859e495da457; MD5: 03f3e0bc4d0e3d9817610eb7761f8041; SHA256: bf795a1676a6dd795fb6915ecfbfdc200687907cae8769c55b9e26328b026f88; http://blog.talosintelligence.com/2017/09/threat-round-up-170922-170929.html |
M17-oik01 | Document | Mixed | This strike sends a malware sample known as Document Macro Obfuscation. This sample uses obfuscation to bypass detection and adds junk code to misdirect analysis. | 7526bd6675aa6ad84f1fa760d17f3cb9 | SHA1: 3bdd523ad094b923f8ceb9f8986d9ae8a1ebbe68; MD5: 7526bd6675aa6ad84f1fa760d17f3cb9; SHA256: 85fe7541480ab4165d31d0d83a020068a3de0f673e50b3aefa4be22f51f47704; http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html |
M17-46t01 | Vilsel_d9bf36e7 | Windows | This strike sends a malware sample known as Vilsel. This sample is an older trojan that copies itself to the victim's startup folder to obtain persistence. It has been observed copying itself to several locations on the target system, with each copy appending random bytes to the end of its name. | d9bf36e74781a10a154144b2da587723 | SHA1: 49ea899396b52dc2ba48ce3237f1dad91d517fbe; MD5: d9bf36e74781a10a154144b2da587723; SHA256: 89782f35fef2dad9aadcad63b07fb6ed39077c9edfdccd0716facac53293f872; http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html |
M17-pje01 | Office | Mixed | This strike sends a malware sample known as Office DDE Powershell Payload. This sample is a PowerShell payload script associated with the Microsoft Office DDE attacks, and it is from citycarpark.my/components/com_admintools/mscorier. | bba246f7ff0519dd89e980233cc3c927 | SHA1: 6c151176212c597cebb1b278be3cd6daf7bc6593; MD5: bba246f7ff0519dd89e980233cc3c927; SHA256: 2330bf6bf6b5efa346792553d3666c7bc290c98799871f5ff4e7d44d2ab3b28c; http://contagiodump.blogspot.com/2017/10/dde-command-execution-malware-samples.html |
M17-58u01 | TrickBot_b3bc6e96 | Mixed | This strike sends a malware sample known as TrickBot. TrickBot is a banking trojan that shares similarities with the Dyre banking trojan. It is used by criminals to target customers of Australian banks. | b3bc6e96c1775d26b4336d42428dc24e | SHA1: 0fc7bd58126e7969b1d3c013a60a2e2a51288f7f; MD5: b3bc6e96c1775d26b4336d42428dc24e; SHA256: a3355d8e3e5f21b84072993032341bf1edee8dd6b28a9aece5cc6ffe0e123621; http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html |
M17-h4701 | TrickBot_c5900370 | Mixed | This strike sends a malware sample known as TrickBot. TrickBot is a banking trojan that shares similarities with the Dyre banking trojan. It is used by criminals to target customers of Australian banks. | c5900370760d126e5a7c2f24a704a191 | SHA1: 0fb6b9079d8721f2b7e6f3db69c50725988aedf0; MD5: c5900370760d126e5a7c2f24a704a191; SHA256: f45334629dc79665d85cd4748e97b876de4330094759dc4c227da19ffbbd2a34; http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html |
M17-qxl01 | Jrat_a2ccf1c3 | Mixed | This strike sends a malware sample known as Jrat. This sample is a document that contains an embedded OLE object that attempts to contact external domains to download additional malicious code. | a2ccf1c3e98c0eed0126061a6f35afba | SHA1: 59c990f519f97056fd13b80cd82b1ff6c49258b7; MD5: a2ccf1c3e98c0eed0126061a6f35afba; SHA256: db4d85d172b31413c1f93162053032a9a2e26b273dfdea8b7506ee8ca982e32f; http://blog.talosintelligence.com/2017/09/threat-round-up-170922-170929.html |
M17-bea01 | Emotet_517d9598 | Mixed | This strike sends a malware sample known as Emotet. This document sample has been identified with the Emotet banking trojan. It contains obfuscated code and uses PowerShell to download payloads. | 517d9598ac8aa0ef0cb7145ffd64805e | SHA1: 82519982e32708e94c54ffce3c652714049a04f6; MD5: 517d9598ac8aa0ef0cb7145ffd64805e; SHA256: 4ce5366c7eef1fff1260d5d7a0aec72c1246621838bf8df07f4a6ab3e5369d96; http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html |
M17-o8e01 | TrickBot_bd427dd1 | Mixed | This strike sends a malware sample known as TrickBot. TrickBot is a banking trojan that shares similarities with the Dyre banking trojan. It is used by criminals to target customers of Australian banks. | bd427dd15a2dc5695fbeab5519595d30 | SHA1: 7a571716fe3fb54e50e79d9e1032354c192ed4a5; MD5: bd427dd15a2dc5695fbeab5519595d30; SHA256: 38748c33121e51307108ca9711c4a5109223d86565f8902268e902f83a202fbd; http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html |
M17-45801 | Document | Mixed | This strike sends a malware sample known as Document Macro Obfuscation. This sample uses obfuscation to bypass detection and adds junk code to misdirect analysis. | 3124f76cabc753b93b212f228bf7d407 | SHA1: 650d41813ab9b22bcd30583ff9481d2336bd91bd; MD5: 3124f76cabc753b93b212f228bf7d407; SHA256: 0b2799af3a38a865c37fe534c3f2f67d085757b09f5e489025037a1ed90f9b98; http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html |
M17-87b01 | CCleaner_ec1b25ed | Windows | This strike sends a malware sample known as CCleaner. This sample of CCleaner, distributed by Avast, contains a malicious payload that features a domain generation algorithm and hard-coded C2 functionality. The malicious payload may attempt to elevate privileges, or send an HTTP request to a remote controller in order to retrieve a further-stage payload. | ec1b25ed79331115f202f8ac6b309107 | SHA1: abcfd38b53e04dd36cd8a75acece03b691417d40; MD5: ec1b25ed79331115f202f8ac6b309107; SHA256: 04622bcbeb45a2bd360fa0adc55a2526eac32e4ce8f522eaeb5bee1f501a7d3d; http://blog.talosintelligence.com/2017/09/threat-round-up-170922-170929.html |
M17-1tk01 | Emotet_c0ef4f02 | Mixed | This strike sends a malware sample known as Emotet. This document sample has been identified with the Emotet banking trojan. It contains obfuscated code and uses PowerShell to download payloads. | c0ef4f029f8947b2d8f66196cd2b041e | SHA1: 6968938c35b0cff739c31899764a295ad2fd2a80; MD5: c0ef4f029f8947b2d8f66196cd2b041e; SHA256: 0c34b872ba2266c2028e27c9fc9bed8fe9c6f04221695e19c5194200a9638d6e; http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html |
M17-pds01 | BadRabbit_b4e6d97d | Windows | This strike sends a malware sample known as BadRabbit. This sample included with the BadRabbit ransomware is a legitimate DiskCryptor driver. DiskCryptor is open-source disk encryption software. | b4e6d97dafd9224ed9a547d52c26ce02 | SHA1: 59cd4907a438b8300a467cee1c6fc31135757039; MD5: b4e6d97dafd9224ed9a547d52c26ce02; SHA256: 682adcb55fe4649f7b22505a54a9dbc454b4090fc2bb84af7db5b0908f3b7806; http://blog.talosintelligence.com/2017/10/bad-rabbit.html |
M17-fun01 | Document | Mixed | This strike sends a malware sample known as Document Macro Obfuscation. This sample uses obfuscation to bypass detection and adds junk code to misdirect analysis. | 85e1c384120de66b721849b88255c5e0 | SHA1: 61e4a7c5241f07cf3bcc24377452b53ca44b499a; MD5: 85e1c384120de66b721849b88255c5e0; SHA256: 81bcde515e51332cd4b92996655fb28448c2b3a83b6a63443ee680ad63acdce1; http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html |
M17-wnv01 | DollarShell_0fc095f4 | Mixed | This strike sends a malware sample known as DollarShell. This sample is an obfuscated Office Macro downloader. It uses both VBA.Shell$ and an auto-open macro. | 0fc095f4868450c4339b700ac49c32a0 | SHA1: 2af8df8ffa31ced85d0ff3f5bbb19b54501dd7b5; MD5: 0fc095f4868450c4339b700ac49c32a0; SHA256: bb1a67049f2f65ce40d68a111becaf0f772754c024013b8d8a869d59472af9eb; http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html |
M17-0bo01 | TrickBot_0acc6a1e | Mixed | This strike sends a malware sample known as TrickBot. TrickBot is a banking trojan that shares similarities with the Dyre banking trojan. It is used by criminals to target customers of Australian banks. | 0acc6a1ec80acd4ee150255b7fe6187d | SHA1: 60eaaa3ad6cfa4d3c46a274afc00e2d2cb2f775e; MD5: 0acc6a1ec80acd4ee150255b7fe6187d; SHA256: 5619eeb7b8702693f78b452a0ca3df99a23b858d2b4d181bcd5588878411284e; http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html |
M17-hlg01 | Emotet_cfb0a91a | Mixed | This strike sends a malware sample known as Emotet. This document sample has been identified with the Emotet banking trojan. It contains obfuscated code and uses PowerShell to download payloads. | cfb0a91a53aae5356c0ac9007a706c4f | SHA1: 9fe298dd844a0a522fbcde12b3917d0e53be84bf; MD5: cfb0a91a53aae5356c0ac9007a706c4f; SHA256: ee69976d53e2f0ee0d502f416ac54cb795059005f82989e095bdc7e5e299acbe; http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html |
M17-tac01 | TorrentLocker_d080c988 | Windows | This strike sends a malware sample known as TorrentLocker. This sample of ransomware uses AES encryption to encrypt files on the victim's machine before demanding a Bitcoin ransom. | d080c988772068811e1955af91185f9b | SHA1: 1da4c4f74568fe19c57ee68307b673405a0b0232; MD5: d080c988772068811e1955af91185f9b; SHA256: ae7a23e9b4c2645c26dce4a83a97953fa5ca008570aa9ac32e0826369593a099; http://blog.talosintelligence.com/2017/09/threat-round-up-170922-170929.html |
M17-ya201 | Emotet_3f4296e6 | Mixed | This strike sends a malware sample known as Emotet. This document sample has been identified with the Emotet banking trojan. It contains obfuscated code and uses PowerShell to download payloads. | 3f4296e6b95436242fe4355c258bbecd | SHA1: 92cf0e6b2d366f33e2618cfe427ed319ea04b077; MD5: 3f4296e6b95436242fe4355c258bbecd; SHA256: 4a5d8769935f5126bca4ccfd5f0c658fb6e7d41a34475d9b7712d51b3884e2f3; http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html |
M17-zqc01 | Emotet_3647353c | Mixed | This strike sends a malware sample known as Emotet. This document sample has been identified with the Emotet banking trojan. It contains obfuscated code and uses PowerShell to download payloads. | 3647353cdbdb77ea002616f4c02fe762 | SHA1: 17803b316214b1ba0889aabc2b33ff473aac454b; MD5: 3647353cdbdb77ea002616f4c02fe762; SHA256: ef38926f1932b370abe835b38c51b806d4282e420ee06b312d9a2a25c446cf44; http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html |
M17-4yi01 | Beeldeb_814c9c27 | Windows | This strike sends a malware sample known as Beeldeb. This sample is a trojan that is added to the startup folder for persistence. It is a self-executing AutoIt script, and the malware payload is injected into a dropped executable. | 814c9c27a6b69f7a81372db1bba90375 | SHA1: 8ad0f9caf2afdb07ffbd392b1ff9419d5d08266a; MD5: 814c9c27a6b69f7a81372db1bba90375; SHA256: 36e92852d67e66cb3c99312f107f83080605c2badf787108f619d6b54e6c85fc; http://blog.talosintelligence.com/2017/09/threat-round-up-170922-170929.html |
M17-nf601 | Vilsel_6a085b16 | Windows | This strike sends a malware sample known as Vilsel. This sample is an older trojan that copies itself to the victim's startup folder to obtain persistence. It has been observed copying itself to several locations on the target system, with each copy appending random bytes to the end of its name. | 6a085b165438169d518740feb6432fce | SHA1: a00b111f3e47986d87cf5c518920d5b948ef632c; MD5: 6a085b165438169d518740feb6432fce; SHA256: eff9dcc0bebee521ebc2cb48a4398c3fe55e878fe127fda6f2ac02208e135325; http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html |
M17-v5k01 | DollarShell_1c29fbfe | Mixed | This strike sends a malware sample known as DollarShell. This sample is an obfuscated Office Macro downloader. It uses both VBA.Shell$ and an auto-open macro. | 1c29fbfe17b495cb4d313fd2d8bf6180 | SHA1: 8920146ae70741dd75ffed38c8a5e3487e655653; MD5: 1c29fbfe17b495cb4d313fd2d8bf6180; SHA256: 26582ff0d7d9578d564bedc4f3add7d0d2326be6959039b7dc2372458390e810; http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html |
M17-qzr01 | MS | Mixed | This strike sends a malware sample known as MS Office VBS Downloader. This sample attempts to evade detection by splitting the word "powershell" and inserting characters in between. | a40958399bcabff1d3d45152c4235b11 | SHA1: c194fc6750a6133d36d9d9f4660e872330c50e9bMD5: a40958399bcabff1d3d45152c4235b11SHA256: e95c8bf136de1cd79bfd3811072e7d02441aa5e8f57ab60e2b1478a4d4ca5678http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html |
M17-kl801 | Jrat_e019728b | Mixed | This strike sends a malware sample known as Jrat. This sample is a document that contains an embedded OLE object that attempts to contact external domains to download additional malicious code. | e019728b34270f1b334be69d26f7c3f3 | SHA1: 54aa2ce08b90ae01338527f761326ddf5266af4eMD5: e019728b34270f1b334be69d26f7c3f3SHA256: d29a6afc4b35eef25811664369471688a0ecd89fc2a5eb676de9c5518c9914f2http://blog.talosintelligence.com/2017/09/threat-round-up-170922-170929.html |
M17-1hx01 | MS | Mixed | This strike sends a malware sample known as MS Office VBS Downloader. This sample attempts to evade detection by splitting the word "powershell" and inserting characters in between. | 676ce727ae0dfb8822852e4fd0c86d39 | SHA1: 7f060a247ba188933dd18b2b41d12919f2f8dcdaMD5: 676ce727ae0dfb8822852e4fd0c86d39SHA256: 9949dccece62023379790e8b563d8a93bae156be13e7698f851a3804b72fa1c3http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html |
M17-6zs01 | Microsoft | Mixed | This strike sends a malware sample known as Microsoft Office DDE. This sample is the original lure associated with the Microsoft Office DDE attacks. The sample's filename is SBNG20171010.docx. | 8be9633d5023699746936a2b073d2d67 | SHA1: 07e2eaf420ea974ac99ea7b17c1b491ca1ada1eaMD5: 8be9633d5023699746936a2b073d2d67SHA256: 4b68b3f98f78b42ac83e356ad61a4d234fe620217b250b5521587be49958d568http://contagiodump.blogspot.com/2017/10/dde-command-execution-malware-samples.html |
M17-nwn01 | Microsoft | Mixed | This strike sends a malware sample known as Microsoft Office DDE. This sample is the original lure associated with the Microsoft Office DDE attacks. The sample's name is Auto_mal.docx. | aee33500f28791f91c278abb3fcdd942 | SHA1: e82fb48a7b4dc02efe0d8779f29017f5e06ab66cMD5: aee33500f28791f91c278abb3fcdd942SHA256: 7777ccbaaafe4e50f800e659b7ca9bfa58ee7eefe6e4f5e47bc3b38f84e52280http://contagiodump.blogspot.com/2017/10/dde-command-execution-malware-samples.html |
M17-yeu01 | Emotet_38b60d63 | Mixed | This strike sends a malware sample known as Emotet. This document sample has been identified in the Emotet banking trojan. It contains obfuscated code, and uses Powershell to download payloads. | 38b60d6365d2b73cc8db79ef5cebd106 | SHA1: 0efee5f307bfe3153a53f7d57fc0a9eb94be091aMD5: 38b60d6365d2b73cc8db79ef5cebd106SHA256: 5b060682f0a97793797856af8c37265825d2c6769d9e69bc14833a98672e004ahttp://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html |
M17-7lk01 | CCleaner_74dca8f8 | Windows | This strike sends a malware sample known as CCleaner. This sample of CCleaner being distributed by Avast contains a malicious payload that features a domain generation algorithm and hard coded C2 functionality. The malicious payload may attempt to elevate privileges, or send an HTTP request to a remote controller in hopes to retrieve another stage payload. | 74dca8f8ad273f6a5b095c14dfd2f4d3 | SHA1: 80746f984b50b9127a15773db42204123c2e0c59MD5: 74dca8f8ad273f6a5b095c14dfd2f4d3SHA256: 53c6ad85a6b0db342ce07910d355dad53765767b4b9142912611ec81bee0f322http://blog.talosintelligence.com/2017/09/threat-round-up-170922-170929.html |
M17-wfe01 | CCleaner_748aa5fc | Windows | This strike sends a malware sample known as CCleaner. This sample of CCleaner being distributed by Avast contains a malicious payload that features a domain generation algorithm and hard coded C2 functionality. The malicious payload may attempt to elevate privileges, or send an HTTP request to a remote controller in hopes to retrieve another stage payload. | 748aa5fcfa2af451c76039faf6a8684d | SHA1: e7cca2da5161a313161a81a38a8b5773310a6801MD5: 748aa5fcfa2af451c76039faf6a8684dSHA256: dc9b5e8aa6ec86db8af0a7aa897ca61db3e5f3d2e0942e319074db1aaccfdc83http://blog.talosintelligence.com/2017/09/threat-round-up-170922-170929.html |
M17-nka01 | TorrentLocker_dddde9f8 | Windows | This strike sends a malware sample known as TorrentLocker. This sample of ransomware uses AES encryption to encrypt files on the victim's machine before demanding a Bitcoin ransom. | dddde9f8a2459e18583434b1421bb509 | SHA1: a927adc32cdc315702a903e4de522a4ca79adb57MD5: dddde9f8a2459e18583434b1421bb509SHA256: 4312486eb32d7edc49d437a598d7e0453e8c9d1222b8b9ba429c73e0598db1a9http://blog.talosintelligence.com/2017/09/threat-round-up-170922-170929.html |
M17-flu01 | TorrentLocker_f661a576 | Windows | This strike sends a malware sample known as TorrentLocker. This sample of ransomware uses AES encryption to encrypt files on the victim's machine before demanding a Bitcoin ransom. | f661a5769a6969eeb262e6c471dd1b35 | SHA1: bf019ba422f96f251adea5a9c79bcf3b6f028e42MD5: f661a5769a6969eeb262e6c471dd1b35SHA256: 5c66755aeeed65c21c8d9774baebd79c962311a57b733cb19d4d2bb6a0eb52c3http://blog.talosintelligence.com/2017/09/threat-round-up-170922-170929.html |
M17-jw501 | Tofsee_a8c123a8 | Windows | This strike sends a malware sample known as Tofsee. This sample has been tied to other malicious malware like the Zeus botnet. It is contains several layers of encryption, and exhibits ransomware behavior as well as sends spam. | a8c123a8e47f93b5631e94fa20d88321 | SHA1: 69ed2a5de0be259c228c06dbdbb20433d10be701MD5: a8c123a8e47f93b5631e94fa20d88321SHA256: 94cab1cdda2cdf19e077add232b00de9b141f981f6def5c7309521613f6423cbhttp://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html |
M17-qa201 | Document | Mixed | This strike sends a malware sample known as Document Macro Obfuscation. This sample uses obfuscation to bypass detection and adds useless code to misdirect analysis. | 0ee3d7d618bf806fe66ca97da1fb78d0 | SHA1: 063fdba12a10422820c623d79cbb328d47d70f87MD5: 0ee3d7d618bf806fe66ca97da1fb78d0SHA256: b2c8a5be4249b5eb4b4a28cffaa3ef247589e0eb5ce0b7a914f8c1704b7f6cb4http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html |
M17-t1901 | CCleaner_b3947a26 | Windows | This strike sends a malware sample known as CCleaner. This sample of CCleaner being distributed by Avast contains a malicious payload that features a domain generation algorithm and hard coded C2 functionality. The malicious payload may attempt to elevate privileges, or send an HTTP request to a remote controller in hopes to retrieve another stage payload. | b3947a26d4d5f98b82f8d8afacf403f0 | SHA1: 0c23449c86895b97ecbdb9fc0ae747b1b3d2a8a5MD5: b3947a26d4d5f98b82f8d8afacf403f0SHA256: 8562c9bb71391ab40d4e6986836795bcf742afdaff9a936374256056415c5e25http://blog.talosintelligence.com/2017/09/threat-round-up-170922-170929.html |
M17-iwr01 | RevengeRat_179e16ae | Windows | This strike sends a malware sample known as RevengeRat. This sample is a Remote Access Tool that allows for the attacker to perform a variety of malicious covert functions on the target system. Some of these capabilities include but are not limited to, spying on the user, and ex-filtrating data. | 179e16ae9eb6e1726d1660c1c6907a18 | SHA1: 35dac8b3c4b0bf366ca78a4f1ec48b25d00d9803MD5: 179e16ae9eb6e1726d1660c1c6907a18SHA256: e60613e2453d6568cb04ad8e09ac64b6652318079be2444156293f092cc9ff52http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html |
M17-z4g01 | Tofsee_040e3b7e | Windows | This strike sends a malware sample known as Tofsee. This sample has been tied to other malicious malware like the Zeus botnet. It is contains several layers of encryption, and exhibits ransomware behavior as well as sends spam. | 040e3b7e2d2eb7420537446324a3bda9 | SHA1: 37c3a3c6ea9e76ea87a83f57516d3b7804f7f91dMD5: 040e3b7e2d2eb7420537446324a3bda9SHA256: d02cd223f8284826a4dd1d51ecb61cc39e2588c534c0e6b848f6fbfd772fc02ahttp://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html |
M17-f4y01 | TrickBot_bed6c109 | Mixed | This strike sends a malware sample known as TrickBot. TrickBot is a banking trojan which shares similarities with Dyre banking trojan. It is used by crooks to target customers of Australian banks. | bed6c109e1ce4ec3e0673c4445b1a043 | SHA1: 3ab49d6e009c2b97a6f23ef97f8642d3f828e900MD5: bed6c109e1ce4ec3e0673c4445b1a043SHA256: 0d92b1656112ed73fe98fd6c714d7959dd8ecc85759b87a6b01747a2ab0f8335http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html |
M17-iip01 | BadRabbit_347ac3b6 | Windows | This strike sends a malware sample known as BadRabbit. This is 1 of 2 samples included with BadRabbit that has similar functionality to Mimikatz. Mimikiatz is a tool known for its ability to retrieve user credentials from computer memory using different techniques. | 347ac3b6b791054de3e5720a7144a977 | SHA1: 413eba3973a15c1a6429d9f170f3e8287f98c21cMD5: 347ac3b6b791054de3e5720a7144a977SHA256: 301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347chttp://blog.talosintelligence.com/2017/10/bad-rabbit.html |
M17-74g01 | TrickBot_5e5727ac | Mixed | This strike sends a malware sample known as TrickBot. TrickBot is a banking trojan which shares similarities with Dyre banking trojan. It is used by crooks to target customers of Australian banks. | 5e5727ac12a2bf5fbef68f550317fd14 | SHA1: 8c37a2f1bfc13ae34861f6c699746a1692a43705MD5: 5e5727ac12a2bf5fbef68f550317fd14SHA256: 3ac1c23c28d19111e254649153b2cf0c03782f7523ce2062200a5ecd1c24f210http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html |
M17-ozb01 | Document | Mixed | This strike sends a malware sample known as Document Macro Obfuscation. This sample uses obfuscation to bypass detection and adds useless code to misdirect analysis. | 5bfe4be6ee3b7e74dce3510659f33568 | SHA1: 9e8f55fd2c9575cac2b177e35d20f7f084f70c30MD5: 5bfe4be6ee3b7e74dce3510659f33568SHA256: 1e85b7f0d09e6a43cd83a66c287c1d34125ab9ee8e2f81d86a6c46ef44e37c20http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html |
M17-ric01 | Document | Mixed | This strike sends a malware sample known as Document Macro Obfuscation. This sample uses obfuscation to bypass detection and adds useless code to misdirect analysis. | 593a477c7099b171fb214fec4288e46b | SHA1: b5840987462a7fb007f074ef3c6179270eb642c6MD5: 593a477c7099b171fb214fec4288e46bSHA256: fd5c9b1ea6c9c76f3282634f8d7b02e0dba6e9813ae0143c7073ecdd925ee2f8http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html |
M17-taw01 | Document | Mixed | This strike sends a malware sample known as Document Macro Obfuscation. This sample uses obfuscation to bypass detection and adds useless code to misdirect analysis. | 5961a6cce9f77280d321f4579735cbcc | SHA1: d83c01e5ea84c93f5e9a03a8e706e02b3853a864MD5: 5961a6cce9f77280d321f4579735cbccSHA256: c1a87f71d9f51cbbc82c03b58b75bdd6feb7d1be1d9d292c4a6a107b78a64efchttp://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html |
M17-iiv01 | Microsoft | Mixed | This strike sends a malware sample known as Microsoft Office DDE. This sample is the original lure associated with the Microsoft Office DDE attacks. The sample's name is InformesFINAL.docx. | 78f07a1860ae99c093cc80d31b8bef14 | SHA1: 5b1bbf4f3f6c21829719543de7b262e0073403c7MD5: 78f07a1860ae99c093cc80d31b8bef14SHA256: 9d67659a41ef45219ac64967b7284dbfc435ee2df1fccf0ba9c7464f03fdc862http://contagiodump.blogspot.com/2017/10/dde-command-execution-malware-samples.html |
M17-zn401 | Microsoft | Mixed | This strike sends a malware sample known as Microsoft Office DDE. This sample is the original lure associated with the Microsoft Office DDE attacks. The sample's name is EDGAR_Rules.docx. | 0bcadcf65bcf8940fff6fc776dd56563 | SHA1: 8d650fccdf3497112708a3f4832240905bc6b0c3MD5: 0bcadcf65bcf8940fff6fc776dd56563SHA256: bf38288956449bb120bae525b6632f0294d25593da8938bbe79849d6defed5cbhttp://contagiodump.blogspot.com/2017/10/dde-command-execution-malware-samples.html |
M17-1c501 | Jrat_926d057d | Mixed | This strike sends a malware sample known as Jrat. This sample is a document that contains an embedded OLE object that attempts to contact external domains to download additional malicious code. | 926d057d2dac94b1bd4203b5cbc1c7c3 | SHA1: c147fe65bda2672248d0afd75805864e7a59e3d4MD5: 926d057d2dac94b1bd4203b5cbc1c7c3SHA256: 522a804aeee581c63049d0a5983a558c2a3225c4b14814cf0acb8912b79260d6http://blog.talosintelligence.com/2017/09/threat-round-up-170922-170929.html |
M17-r8a01 | Emotet_82a6b105 | Mixed | This strike sends a malware sample known as Emotet. This document sample has been identified in the Emotet banking trojan. It contains obfuscated code, and uses Powershell to download payloads. | 82a6b1051f9bff80c5b0ae7e89baa979 | SHA1: ca7f2d187a9ea3603a7bb28d50faa8fb868ef338MD5: 82a6b1051f9bff80c5b0ae7e89baa979SHA256: 4beabf7a352c6dc30a2273392f4daa5793e43412c3eba3724e2ed9e5631c41c2http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html |
M17-c6z01 | Beeldeb_8ee52b53 | Windows | This strike sends a malware sample known as Beeldeb. This sample is a trojan that gets added to the startup folder for persistence. It's a self-executing AutoIT script, and the malware payload is injected into a dropped executable. | 8ee52b537cebe88a7dcf9027e68216e0 | SHA1: 724a32dcdd091b51cff5d47ee20842ed9f2d4a6cMD5: 8ee52b537cebe88a7dcf9027e68216e0SHA256: 07de12cf4c78151a0bdd6d8dcf8b5d0b91f51b606fd8ec0774e54fcb16e3440ahttp://blog.talosintelligence.com/2017/09/threat-round-up-170922-170929.html |
M17-39701 | TrickBot_b41f2f58 | Mixed | This strike sends a malware sample known as TrickBot. TrickBot is a banking trojan which shares similarities with Dyre banking trojan. It is used by crooks to target customers of Australian banks. | b41f2f58ae888fa1fa0b2cb5d6b09c1b | SHA1: 5506e526adae964a95389967d4b16a91f65d5200MD5: b41f2f58ae888fa1fa0b2cb5d6b09c1bSHA256: 5351019f9879a285561e72acae1024e8a86a822f33b7bbb95c795a6bc465ff53http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html |
M17-x5101 | Beeldeb_93242553 | Windows | This strike sends a malware sample known as Beeldeb. This sample is a trojan that gets added to the startup folder for persistence. It's a self-executing AutoIT script, and the malware payload is injected into a dropped executable. | 93242553da82490acca7b7e7ae267f2e | SHA1: e465e0f5f3cbde6c61370dfc0112ec8256215ec3MD5: 93242553da82490acca7b7e7ae267f2eSHA256: eea366f807de6e4a0834e9fcf8dc0847b7ab4707314191448950a22cc0dbfa76http://blog.talosintelligence.com/2017/09/threat-round-up-170922-170929.html |
M17-yzi01 | MS | Mixed | This strike sends a malware sample known as MS Office VBS Downloader. This sample attempts to evade detection by splitting the word "powershell" and inserting characters in between. | 4529961cd564ac79e8e38105bd8ec3c2 | SHA1: 189e7c614ca9419029c691c89db757eb2b4de8c0MD5: 4529961cd564ac79e8e38105bd8ec3c2SHA256: a6026baa4f4062b2bbf66dc3a3707f965e34271cdd3f00cae45f771e4b4b9013http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html |
M17-lnm01 | RevengeRat_ce4a2f2d | Windows | This strike sends a malware sample known as RevengeRat. This sample is a Remote Access Tool that allows for the attacker to perform a variety of malicious covert functions on the target system. Some of these capabilities include but are not limited to, spying on the user, and ex-filtrating data. | ce4a2f2d4b839854048dd9c3ed392fdc | SHA1: 276faf04fa87982665e2e534e87404c7676ef9a1MD5: ce4a2f2d4b839854048dd9c3ed392fdcSHA256: d06ffdfe71bd471b8ba5c2c9fd1191e661c6a9d2332243bc4f93f3838cbff75bhttp://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html |
M17-bpi01 | CCleaner_06e485d3 | Windows | This strike sends a malware sample known as CCleaner. This sample of CCleaner being distributed by Avast contains a malicious payload that features a domain generation algorithm and hard coded C2 functionality. The malicious payload may attempt to elevate privileges, or send an HTTP request to a remote controller in hopes to retrieve another stage payload. | 06e485d323110b76a0da9b3d063a0c9a | SHA1: cfdcd830ba34d2ee02017999a672608e0e82cbf3MD5: 06e485d323110b76a0da9b3d063a0c9aSHA256: 8a8485d2ba00eafaad2dbad5fad741a4c6af7a1eedd3010ad3693d128d94afabhttp://blog.talosintelligence.com/2017/09/threat-round-up-170922-170929.html |
M17-qcp01 | DollarShell_4147656d | Mixed | This strike sends a malware sample known as DollarShell. This sample is an obfuscated Office Macro downloader. It uses both the VBA.Shell$ as well as the auto-open macro. | 4147656d10dd24d2f531dfd9c1409103 | SHA1: 8cf69e901c06a4699754910e931a72ce5e7b7455MD5: 4147656d10dd24d2f531dfd9c1409103SHA256: 5c3fff626f931fff80d79e53fdbf41a591f8dc048df2c7b636aa2d7a388d8e63http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html |
M17-eac01 | BadRabbit_fbbdc39a | Windows | This strike sends a malware sample known as BadRabbit. This sample of BadRabbit is the dropper. It contains the BadRabbit ransomware. It requires user interaction to facilitate the infection and does not utilize and exploit to infect the system in any way. | fbbdc39af1139aebba4da004475e8839 | SHA1: de5c8d858e6e41da715dca1c019df0bfb92d32c0MD5: fbbdc39af1139aebba4da004475e8839SHA256: 630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0dahttp://blog.talosintelligence.com/2017/10/bad-rabbit.html |
M17-lh801 | TorrentLocker_1392ca8c | Windows | This strike sends a malware sample known as TorrentLocker. This sample of ransomware uses AES encryption to encrypt files on the victim's machine before demanding a Bitcoin ransom. | 1392ca8c92d5e729f8f34813f966ef97 | SHA1: 39d0bfbe04fbbc9bd43fd61f9f3f606d59c942feMD5: 1392ca8c92d5e729f8f34813f966ef97SHA256: 58f36594d9502e3e8e135d0a449e5c07a62ae6fcd34a32c5c4d9243cb28d958bhttp://blog.talosintelligence.com/2017/09/threat-round-up-170922-170929.html |
M17-y6n01 | Document | Mixed | This strike sends a malware sample known as Document Macro Obfuscation. This sample uses obfuscation to bypass detection and adds useless code to misdirect analysis. | 34de33d32fed9a72c142b138d667a5d4 | SHA1: 1854457d5d71892c6299e20bf09a62950dacdc8bMD5: 34de33d32fed9a72c142b138d667a5d4SHA256: 6f7b63d2f5be6d7ada5c8146e076af21acd4273d538d46c1dddf6bed222a6d4dhttp://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html |
M17-4kl01 | Emotet_2da06ce1 | Mixed | This strike sends a malware sample known as Emotet. This document sample has been identified in the Emotet banking trojan. It contains obfuscated code, and uses Powershell to download payloads. | 2da06ce1cdcc98cc531cbb71e14fb105 | SHA1: 4aba63873f914ea5317a065cf7f21e5a6bc967b7MD5: 2da06ce1cdcc98cc531cbb71e14fb105SHA256: d91e08ac9c92e97acc03c87aeb20383150f17a26946e74eb450f48ddf612d5dchttp://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html |
M17-nco01 | BadRabbit_37945c44 | Windows | This strike sends a malware sample known as BadRabbit. This is 1 of 2 samples included with BadRabbit that has similar functionality to Mimikatz. Mimikiatz is a tool known for its ability to retrieve user credentials from computer memory using different techniques. | 37945c44a897aa42a66adcab68f560e0 | SHA1: 16605a4a29a101208457c47ebfde788487be788dMD5: 37945c44a897aa42a66adcab68f560e0SHA256: 2f8c54f9fa8e47596a3beff0031f85360e56840c77f71c6a573ace6f46412035http://blog.talosintelligence.com/2017/10/bad-rabbit.html |
M17-lpv01 | Document | Mixed | This strike sends a malware sample known as Document Macro Obfuscation. This sample uses obfuscation to bypass detection and adds useless code to misdirect analysis. | e55a4eab9bc17d81febf152e98ae2eb7 | SHA1: 4fdb7c7e7b24d50ddbccd3feaf863b4411a260c9MD5: e55a4eab9bc17d81febf152e98ae2eb7SHA256: 7cdeb17d6bfa95e937868b7761be87ded361ec49cf6be88286a1c2cb22f3976ahttp://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html |
M17-wwf01 | DollarShell_a4548556 | Mixed | This strike sends a malware sample known as DollarShell. This sample is an obfuscated Office Macro downloader. It uses both the VBA.Shell$ as well as the auto-open macro. | a454855668408ffa0732fe835b7b1508 | SHA1: 1ae8809cf30ca33478043a2464323d91204cc2dbMD5: a454855668408ffa0732fe835b7b1508SHA256: 25948723a1ed54e5d7994639b0002f5074ff60b0bbd61a78c1e59dd80ebb4c54http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html |
M17-kss01 | Microsoft | Mixed | This strike sends a malware sample known as Microsoft Office DDE. This sample is the original lure associated with the Microsoft Office DDE attacks. The sample's name is ~WRD0003.tmp. | d78ae3b9650328524c3150bef2224460 | SHA1: 9cbc4333230c73578e469ed21b9c54674404b1a4MD5: d78ae3b9650328524c3150bef2224460SHA256: 11a6422ab6da62d7aad4f39bed0580db9409f9606e4fa80890a76c7eabfb1c13http://contagiodump.blogspot.com/2017/10/dde-command-execution-malware-samples.html |
M17-vph01 | RevengeRat_5eee3b34 | Windows | This strike sends a malware sample known as RevengeRat. This sample is a Remote Access Tool that allows for the attacker to perform a variety of malicious covert functions on the target system. Some of these capabilities include but are not limited to, spying on the user, and ex-filtrating data. | 5eee3b343a6e5818716e1a9f3425410b | SHA1: 608357a6a6d1304b6dbe1bece5e37bf9c35f02dcMD5: 5eee3b343a6e5818716e1a9f3425410bSHA256: bd3bcfecf479bd347540d6305001b068583696aa81279739ee8b32eb34f2a0dfhttp://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html |
M17-5w601 | TrickBot_53affce6 | Mixed | This strike sends a malware sample known as TrickBot. TrickBot is a banking trojan which shares similarities with Dyre banking trojan. It is used by crooks to target customers of Australian banks. | 53affce6c64deda07f05deda966471e0 | SHA1: 863ec7b034527bcdef66fdb6503b7220e84a2012MD5: 53affce6c64deda07f05deda966471e0SHA256: ae860de508c56045b39679b72b570028f820d9523f7e5d6ddb326c9a757c5c77http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html |
M17-18k01 | TrickBot_a65305be | Mixed | This strike sends a malware sample known as TrickBot. TrickBot is a banking trojan which shares similarities with Dyre banking trojan. It is used by crooks to target customers of Australian banks. | a65305bec3b9b5e5b38245cd735880f0 | SHA1: 6e4a2e0340e72d21ea3f4ebb1cedec1a9661ca26MD5: a65305bec3b9b5e5b38245cd735880f0SHA256: 27bc34902437285c3f4fe0a0e3446314baecb7ee002fcd1060b91543c27b9369http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html |
M17-zrl01 | RevengeRat_a7eabbac | Windows | This strike sends a malware sample known as RevengeRat. This sample is a Remote Access Tool that allows for the attacker to perform a variety of malicious covert functions on the target system. Some of these capabilities include but are not limited to, spying on the user, and ex-filtrating data. | a7eabbac8906f141b1790cbb606c1d4e | SHA1: 4bf46eb61b8fe9da528ab376b6de4e0511006ad8MD5: a7eabbac8906f141b1790cbb606c1d4eSHA256: 6fe71c4b59fba4e0200f2e71e308a791eadc3e6518ab87acb66db4c79df66985http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html |
M17-za801 | CCleaner_52dda1e6 | Windows | This strike sends a malware sample known as CCleaner. This sample of CCleaner being distributed by Avast contains a malicious payload that features a domain generation algorithm and hard coded C2 functionality. The malicious payload may attempt to elevate privileges, or send an HTTP request to a remote controller in hopes to retrieve another stage payload. | 52dda1e6ac12c24f2997cf05e0ea42c9 | SHA1: 82691bf5d8ca1c760e0dbc67c99f89ecd890de08MD5: 52dda1e6ac12c24f2997cf05e0ea42c9SHA256: 128aca58be325174f0220bd7ca6030e4e206b4378796e82da460055733bb6f4fhttp://blog.talosintelligence.com/2017/09/threat-round-up-170922-170929.html |
M17-rqq01 | Beeldeb_252bbf14 | Windows | This strike sends a malware sample known as Beeldeb. This sample is a trojan that gets added to the startup folder for persistence. It's a self-executing AutoIT script, and the malware payload is injected into a dropped executable. | 252bbf14eee52b2e33e265d2fd07d4fe | SHA1: d1d32cf0916a423f754405c66aac6ae90f8ec85fMD5: 252bbf14eee52b2e33e265d2fd07d4feSHA256: c4cf29d4e6a6b905e08534108ab07318d5704d91df50c9d5477b998a19395effhttp://blog.talosintelligence.com/2017/09/threat-round-up-170922-170929.html |
M17-ff001 | Microsoft | Mixed | This strike sends a malware sample known as Microsoft Office DDE. This sample is the original lure associated with the Microsoft Office DDE attacks. The sample's name is DanePrzesylki17016.doc. | 5786dbcbe1959b2978e979bf1c5cb450 | SHA1: 0dd5a58e89036beaa7a63c9f5541bf1402c9c4d4MD5: 5786dbcbe1959b2978e979bf1c5cb450SHA256: bd61559c7dcae0edef672ea922ea5cf15496d18cc8c1cbebee9533295c2d2ea9http://contagiodump.blogspot.com/2017/10/dde-command-execution-malware-samples.html |
M17-2s401 | Document | Mixed | This strike sends a malware sample known as Document Macro Obfuscation. This sample uses obfuscation to bypass detection and adds useless code to misdirect analysis. | c452d8d53f32fba1828f9d5cb56dc56d | SHA1: e7a4cb5f77f88d4f88105bbb2ab1b28769f3c19fMD5: c452d8d53f32fba1828f9d5cb56dc56dSHA256: 6adbd32b36470178e4cbc4bf7c757e4338457cac8c53fc5f8a86b3bcfec2fa6dhttp://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html |
M17-3i401 | Document | Mixed | This strike sends a malware sample known as Document Macro Obfuscation. This sample uses obfuscation to bypass detection and adds useless code to misdirect analysis. | ff321f7b270167136be7f584ce693f42 | SHA1: aeaf65ac3b5f8de831b989d86ef85be2cb011854MD5: ff321f7b270167136be7f584ce693f42SHA256: e0d0d55c04eb477c6becda415eed279895c56e4468df63ae302be7d389c95741http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html |
M17-ico01 | DollarShell_3f4735a1 | Mixed | This strike sends a malware sample known as DollarShell. This sample is an obfuscated Office Macro downloader. It uses both the VBA.Shell$ as well as the auto-open macro. | 3f4735a16a8d46d65e0cf2dfc9536499 | SHA1: c3b76e8ef1973d6ad9d4ec4dcb8e44b22784a519MD5: 3f4735a16a8d46d65e0cf2dfc9536499SHA256: 2c34d5de4bfbca74b4a782a221c44311fba086f876af6020f16c36b8759dcd24http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html |
M17-v3z01 | Vilsel_0bdda5b2 | Windows | This strike sends a malware sample known as Vilsel. This sample is an older trojan that copies itself to the victim's startup folder to obtain persistence. It has been observed copying itself to several locations on the target system, with each copy appending random bytes to the end of its name. | 0bdda5b203548929ce49ca0a47e51730 | SHA1: ab9a3f79859d3bd587317945136c053c8d08ae9dMD5: 0bdda5b203548929ce49ca0a47e51730SHA256: 51b411f1c6b10e8ee9bea405e66fc2f1f8f84d29106f119b2423de59101bbbd8http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html |
M17-58601 | TrickBot_eed13f83 | Mixed | This strike sends a malware sample known as TrickBot. TrickBot is a banking trojan which shares similarities with Dyre banking trojan. It is used by crooks to target customers of Australian banks. | eed13f831889481bd6f8f9875ac6fd9e | SHA1: 1d30abdb2d6f7acbce158293c77f45e07ad0677eMD5: eed13f831889481bd6f8f9875ac6fd9eSHA256: 721c1d648a245bc350d1ace7537db518162f725f2dab14bd4a149d8165144962http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html |
M17-f8b01 | MS | Mixed | This strike sends a malware sample known as MS Office VBS Downloader. This sample attempts to evade detection by splitting the word "powershell" and inserting characters in between. | 579702e392a78e07695353691e1e482e | SHA1: 49d8c84b9a6c560ffd9570030546e370a1ed6ce9MD5: 579702e392a78e07695353691e1e482eSHA256: 4bc6d7e5960831476f33ac3d9f632ebae9c2a22aa975d20fffb0830b94bf3143http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html |
M17-a5h01 | Jrat_2aa5b591 | Mixed | This strike sends a malware sample known as Jrat. This sample is a document that contains an embedded OLE object that attempts to contact external domains to download additional malicious code. | 2aa5b591ce3ef5894729e4c80289bb3b | SHA1: cf4439ea97f0880cf118efca8a7bb41a3adce7a9MD5: 2aa5b591ce3ef5894729e4c80289bb3bSHA256: 1508a8ab14c4639853c9f2e598a142756517bd078f505274b5783ddda8fed0a0http://blog.talosintelligence.com/2017/09/threat-round-up-170922-170929.html |
M17-vbe01 | TorrentLocker_e4997fd3 | Windows | This strike sends a malware sample known as TorrentLocker. This sample of ransomware uses AES encryption to encrypt files on the victim's machine before demanding a Bitcoin ransom. | e4997fd30092248f2e4de8e5f8223e5e | SHA1: a53ff63cc5745a6d6da6b97b55b9c05ec53e4520MD5: e4997fd30092248f2e4de8e5f8223e5eSHA256: 1a78a5c1c4ebb8a0047cbb4a8a27782212603d71cae2aeb033bceab76795a294http://blog.talosintelligence.com/2017/09/threat-round-up-170922-170929.html |
M17-emo01 | Document | Mixed | This strike sends a malware sample known as Document Macro Obfuscation. This sample uses obfuscation to bypass detection and adds useless code to misdirect analysis. | aef86a60e907b7f5e8540643ad7a8c48 | SHA1: 2fddab183182d926349a4fe546c4dbfa54610d86MD5: aef86a60e907b7f5e8540643ad7a8c48SHA256: 7ba4b97d8ef2eb865b6d6e76c77446657eb39269b5d276e77f458fa3fd639e2chttp://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html |
M17-0wi01 | MS | Mixed | This strike sends a malware sample known as MS Office VBS Downloader. This sample attempts to evade detection by splitting the word "powershell" and inserting characters in between. | 37a146d0ee31b358fa92b1726abf028f | SHA1: 8cd3a6594a2b289ecc514305606ee4f651fd1f77MD5: 37a146d0ee31b358fa92b1726abf028fSHA256: 195cb14fade7c435e10d673170dd975ee9b3f1c15fd932dc5c9d2663b4a7af10http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html |
M17-pr501 | Document | Mixed | This strike sends a malware sample known as Document Macro Obfuscation. This sample uses obfuscation to bypass detection and adds useless code to misdirect analysis. | 035e632c7164f593dd9b592d25335721 | SHA1: b980506e2ab625480bff8dd88be3934f97dfe096MD5: 035e632c7164f593dd9b592d25335721SHA256: 25210b1abea142ae5d2fa21e2a2ea836f1eb3a62cc7118f2188bf63904c9523ahttp://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html |
M17-pzc01 | MS | Mixed | This strike sends a malware sample known as MS Office VBS Downloader. This sample attempts to evade detection by splitting the word "powershell" and inserting characters in between. | d9ba9684df6ec50d76eb54aa16a0e0f3 | SHA1: a66a51c776ed96671bfa7a10f5ba3bee304b9c69 MD5: d9ba9684df6ec50d76eb54aa16a0e0f3 SHA256: 4b9703f52464b8025e0146ae4792400f7c077194b0007b3d2ae31eb80642c517 http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html |
M17-4qi01 | TrickBot_fe309ae2 | Mixed | This strike sends a malware sample known as TrickBot. TrickBot is a banking trojan that shares similarities with the Dyre banking trojan. It is used by crooks to target customers of Australian banks. | fe309ae2b5be60ca6e242fa1453d674e | SHA1: 03e65781dc8baa1c554b696c67f802c684b0f335 MD5: fe309ae2b5be60ca6e242fa1453d674e SHA256: 3a4ea7d6ce3bf31398f34e831249aaccc3a6c123eae239bca37ab1dd57749c19 http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html |
M17-l1h01 | MS | Mixed | This strike sends a malware sample known as MS Office VBS Downloader. This sample attempts to evade detection by splitting the word "powershell" and inserting characters in between. | 0137c8f7dbc6b64a1b4c8ab9d16773c2 | SHA1: 7c25b065d753e31c6097b6708b89831a8dce6f7e MD5: 0137c8f7dbc6b64a1b4c8ab9d16773c2 SHA256: db1ba6f50f367209db4733b94e8d22c8703665bf5b90716bfc754b3639d4c76a http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html |
M17-y6z01 | Emotet_3d3b3030 | Mixed | This strike sends a malware sample known as Emotet. This document sample has been associated with the Emotet banking trojan. It contains obfuscated code and uses PowerShell to download payloads. | 3d3b30300206c5df413797e360bb49e0 | SHA1: 8f086f4c54d6c724cd5fc34a5abba45f28d49c7b MD5: 3d3b30300206c5df413797e360bb49e0 SHA256: 73ca04dd07cefa6bc4fc68714e0f2ec98f251833ff48eb8276f8cea09526fa89 http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html |
M17-ae501 | CCleaner_04c940f8 | Windows | This strike sends a malware sample known as CCleaner. This sample of CCleaner, distributed by Avast, contains a malicious payload that features a domain generation algorithm and hard-coded C2 functionality. The malicious payload may attempt to elevate privileges, or send an HTTP request to a remote controller in hopes of retrieving a next-stage payload. | 04c940f8755ecfd89472dec010a27980 | SHA1: 794c6899961dbb0c55c864271e89aaf981d5f5fc MD5: 04c940f8755ecfd89472dec010a27980 SHA256: 2bc2dee73f9f854fe1e0e409e1257369d9c0a1081cf5fb503264aa1bfe8aa06f http://blog.talosintelligence.com/2017/09/threat-round-up-170922-170929.html |
M17-2df01 | Microsoft | Mixed | This strike sends a malware sample known as Microsoft Office DDE. This sample is the original lure associated with the Microsoft Office DDE attacks. The sample's filename is EDGAR_Rules_2017.docx. | 2c0cfdc5b5653cb3e8b0f8eeef55fc32 | SHA1: 3a7956ac437c87fc6ca594c59d4de086ed6c8865 MD5: 2c0cfdc5b5653cb3e8b0f8eeef55fc32 SHA256: 1a1294fce91af3f7e7691f8307d07aebd4636402e4e6a244faac5ac9b36f8428 http://contagiodump.blogspot.com/2017/10/dde-command-execution-malware-samples.html |
M17-i1q01 | Emotet_17550aae | Mixed | This strike sends a malware sample known as Emotet. This document sample has been associated with the Emotet banking trojan. It contains obfuscated code and uses PowerShell to download payloads. | 17550aae49290ff9cf99137f2a8d6d2b | SHA1: ae88296d6394c6d7a248a31e8dffb4eb47bbff8d MD5: 17550aae49290ff9cf99137f2a8d6d2b SHA256: a38563a27a75eab4ddc5d76a99a1e8589775add35fce1e20d0b2bc6b64bf2cfb http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html |
M17-2ng01 | MS | Mixed | This strike sends a malware sample known as MS Office VBS Downloader. This sample attempts to evade detection by splitting the word "powershell" and inserting characters in between. | 9afb2a93e3426f8add62145e93187344 | SHA1: 43377fcac1b50b6cb80680982f66a4b745431dae MD5: 9afb2a93e3426f8add62145e93187344 SHA256: ca38154915f53ec6c2793e94639e2ce9701de8236e41064cba35fe7e6387af70 http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html |
M17-r4z01 | Tofsee_a06a4691 | Windows | This strike sends a malware sample known as Tofsee. This sample has been tied to other malware such as the Zeus botnet. It contains several layers of encryption, exhibits ransomware behavior, and also sends spam. | a06a4691a360c7e5d02d2caddd1a8da2 | SHA1: 44cd1bfade1c63a5ca4fdad6a537d30b6c4d9f07 MD5: a06a4691a360c7e5d02d2caddd1a8da2 SHA256: fa1645ec20a84fd16d9d5eb2960b1caafb168f4456c7a14c8b8e5219bd15b29c http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html |
M17-akj01 | Cossta_73ba6fd6 | Windows | This strike sends a malware sample known as Cossta. This sample is a trojan that downloads more malicious code and commands in order to execute additional functionality. | 73ba6fd61e41c274c3236ffa4ce493d0 | SHA1: 08225137bf178ff7fcf0879f10c114dc31023ae2 MD5: 73ba6fd61e41c274c3236ffa4ce493d0 SHA256: 424e36fd9975a43f25fad06e0282833d1280bcd9e6d5ef8221dc322fd16fbaa0 http://blog.talosintelligence.com/2017/09/threat-round-up-170922-170929.html |
M17-14f01 | RevengeRat_82216a2f | Windows | This strike sends a malware sample known as RevengeRat. This sample is a Remote Access Tool that allows the attacker to perform a variety of covert malicious functions on the target system. These capabilities include, but are not limited to, spying on the user and exfiltrating data. | 82216a2f1e20a67f7ecfe60cd271aa55 | SHA1: 4e3b51f644f9a8453001fd065ccfbe785072a8a8 MD5: 82216a2f1e20a67f7ecfe60cd271aa55 SHA256: 7d0474c514e78deac6f690006546bf92c029836c60d547504ceebdd21bf6130c http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html |
M17-o9l01 | TrickBot_2187fd87 | Mixed | This strike sends a malware sample known as TrickBot. TrickBot is a banking trojan that shares similarities with the Dyre banking trojan. It is used by crooks to target customers of Australian banks. | 2187fd870f1f8f01b21db7eaf21cf4aa | SHA1: ddbebdce1b672dc16dc5e508bb0052cd45cbe6b7 MD5: 2187fd870f1f8f01b21db7eaf21cf4aa SHA256: 8c937c4364f8c5c003f35771dd7983def26a073a9ad5dda9fca302f762dd4c83 http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html |
M17-blt01 | Document | Mixed | This strike sends a malware sample known as Document Macro Obfuscation. This sample uses obfuscation to bypass detection and adds useless code to misdirect analysis. | f174ae37eb7f20af733053975a6d05cc | SHA1: cd7072e306c8710b10761215711e521027a3e162 MD5: f174ae37eb7f20af733053975a6d05cc SHA256: 1da8eda0545dbe5a53d41fb1b9ed71c7129cf14b2395acffd601056b7d6765fd http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html |
M17-k1a01 | Emotet_02e3887d | Mixed | This strike sends a malware sample known as Emotet. This document sample has been associated with the Emotet banking trojan. It contains obfuscated code and uses PowerShell to download payloads. | 02e3887db869113cb223d9ebd9c6117f | SHA1: 6c43c961756dbcffce0e26e09f97de6775b217ed MD5: 02e3887db869113cb223d9ebd9c6117f SHA256: e77ff24ea71560ffcb9b6e63e9920787d858865ba09f5d63a7e44cb86a569a6e http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html |
M17-dlj01 | Document | Mixed | This strike sends a malware sample known as Document Macro Obfuscation. This sample uses obfuscation to bypass detection and adds useless code to misdirect analysis. | 750e0859d26265725906ce6d69f975ea | SHA1: 76de96ea0cbdbebdc38c752c22b8ddda39cf06b1 MD5: 750e0859d26265725906ce6d69f975ea SHA256: 0ff727f106fecde4e4292f0e35092376786cf8a9097da064623ffa912db7e9bf http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html |
M17-lux01 | RevengeRat_b9840247 | Windows | This strike sends a malware sample known as RevengeRat. This sample is a Remote Access Tool that allows the attacker to perform a variety of covert malicious functions on the target system. These capabilities include, but are not limited to, spying on the user and exfiltrating data. | b984024785d559801b952cd08e50e68b | SHA1: b8317c8992240b3cf5324b0ecad8d906cd171c24 MD5: b984024785d559801b952cd08e50e68b SHA256: e422cc0f5bb2d56d1def4063ac21cb8e18f97dfc48287e8b47ba07863704a8af http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html |
M17-tpz01 | Office | Mixed | This strike sends a malware sample known as Office DDE Powershell Payload. This sample is a stage-2 PowerShell script that has been associated with Microsoft Office DDE attacks. | 1ced468b2f59063f0575c8b2409d8efb | SHA1: 185d5476f0e908a9022eabaae48bbf8767079e2d MD5: 1ced468b2f59063f0575c8b2409d8efb SHA256: 8c5209671c9d4f0928f1ae253c40ce7515d220186bb4a97cbaf6c25bd3be53cf http://contagiodump.blogspot.com/2017/10/dde-command-execution-malware-samples.html |
M17-3gc01 | Vilsel_60d248d4 | Windows | This strike sends a malware sample known as Vilsel. This sample is an older trojan that copies itself to the victim's startup folder to obtain persistence. It has been observed copying itself to several locations on the target system, with each copy appending random bytes to the end of its name. | 60d248d41b06518e3a0df48c3b3f495e | SHA1: b2303ba54eec80d0d42d86b56af06204c020886a MD5: 60d248d41b06518e3a0df48c3b3f495e SHA256: c3ff4ab8815d9934a5a2bb5e02de372e20d70ef2ea519bf96bd3188187ab8a63 http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html |
M17-qo701 | TrickBot_3bc3e105 | Mixed | This strike sends a malware sample known as TrickBot. TrickBot is a banking trojan that shares similarities with the Dyre banking trojan. It is used by crooks to target customers of Australian banks. | 3bc3e1051501cd45858d8802a67f10e2 | SHA1: 38432c9b2a8b181bac9c2ced078f5bfbdb2dd048 MD5: 3bc3e1051501cd45858d8802a67f10e2 SHA256: 28df3fd75d3c3748b26931a449229f585f4e4543aa25a0caf37367444bb7a7c2 http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html |
M17-adl01 | CCleaner_4c339080 | Windows | This strike sends a malware sample known as CCleaner. This sample of CCleaner, distributed by Avast, contains a malicious payload that features a domain generation algorithm and hard-coded C2 functionality. The malicious payload may attempt to elevate privileges, or send an HTTP request to a remote controller in hopes of retrieving a next-stage payload. | 4c3390800de3bf59c8187d7f3d056ed6 | SHA1: 4e2ffcf1508af2f6e5ab8bd2c34d6b888acd8554 MD5: 4c3390800de3bf59c8187d7f3d056ed6 SHA256: dbf648e5522c693a87a76657e93f4d44bfd8031c0b7587f8b751c110d3a6e09f http://blog.talosintelligence.com/2017/09/threat-round-up-170922-170929.html |
M17-gg301 | Beeldeb_dd49d79e | Windows | This strike sends a malware sample known as Beeldeb. This sample is a trojan that is added to the startup folder for persistence. It is a self-executing AutoIt script, and the malware payload is injected into a dropped executable. | dd49d79e92a0785fddd2af6badd2d8c6 | SHA1: 7feb92fd77af91d5631d77f39010a1ae71523002 MD5: dd49d79e92a0785fddd2af6badd2d8c6 SHA256: e15dc2879dccd3c62d77169fe77d869455e61e2706006da829013d55b42107ba http://blog.talosintelligence.com/2017/09/threat-round-up-170922-170929.html |
M17-9zr01 | Tofsee_ee5b4403 | Windows | This strike sends a malware sample known as Tofsee. This sample has been tied to other malware such as the Zeus botnet. It contains several layers of encryption, exhibits ransomware behavior, and also sends spam. | ee5b4403f1854620ff45955657310554 | SHA1: 59492294c94d974c4cb6ecaacd26ebcbacc590db MD5: ee5b4403f1854620ff45955657310554 SHA256: b637127d56d4b02c131bfdeaa8a42d95210bdd33285ef5788249ba8f631a0abf http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html |
M17-2eg01 | Microsoft | Mixed | This strike sends a malware sample known as Microsoft Office DDE. This sample is the original lure associated with the Microsoft Office DDE attacks. The sample's name is Giveaway.docx. | 507784c0796ffebaef7c6fc53f321cd6 | SHA1: ea8d91434705af3766fb4d6e7435b43c92546995 MD5: 507784c0796ffebaef7c6fc53f321cd6 SHA256: 313fc5bd8e1109d35200081e62b7aa33197a6700fc390385929e71aabbc4e065 http://contagiodump.blogspot.com/2017/10/dde-command-execution-malware-samples.html |
M17-88n01 | Jrat_bd2fe03a | Mixed | This strike sends a malware sample known as Jrat. This sample is a document that contains an embedded OLE object that attempts to contact external domains to download additional malicious code. | bd2fe03a6ca8049998bba6d8a6e0c8c1 | SHA1: 70bdde14a8fe71f328a91f017adccb4c2696a194 MD5: bd2fe03a6ca8049998bba6d8a6e0c8c1 SHA256: 1570586012e23a7de3a8fd965bdc2d3a96175fd8a77d284827c1ed6d58944a7e http://blog.talosintelligence.com/2017/09/threat-round-up-170922-170929.html |
M17-q6u01 | Tofsee_c8ae48a5 | Windows | This strike sends a malware sample known as Tofsee. This sample has been tied to other malware such as the Zeus botnet. It contains several layers of encryption, exhibits ransomware behavior, and also sends spam. | c8ae48a597b5d3b859a1e59580063a5b | SHA1: d2713d694de53d7f9779e8ede146d2f58b3b1069 MD5: c8ae48a597b5d3b859a1e59580063a5b SHA256: baaf07eff95de3672affcae2e00aca57540b8bfcb1c6010ee359213d8700bd0e http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html |
M17-99x01 | Tofsee_5ddcb7eb | Windows | This strike sends a malware sample known as Tofsee. This sample has been tied to other malware such as the Zeus botnet. It contains several layers of encryption, exhibits ransomware behavior, and also sends spam. | 5ddcb7eb1592c47d3989721fa825de6b | SHA1: 3b633face0ab1f10b76cd5a6bee0d17def57f845 MD5: 5ddcb7eb1592c47d3989721fa825de6b SHA256: 0f4d468818d80d3048879c26546dc5b413956ca2a5ec5261fa54a00d03e0b393 http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html |
M17-o7a01 | Microsoft | Mixed | This strike sends a malware sample known as Microsoft Office DDE. This sample is the original lure associated with the Microsoft Office DDE attacks. The sample's name is Filings_and_Forms.docx. | 47111e9854db533c328ddbe6e962602a | SHA1: e8b6b61b3c882cca895673c23a0168268c6926c7 MD5: 47111e9854db533c328ddbe6e962602a SHA256: 9fa8f8ccc29c59070c7aac94985f518b67880587ff3bbfabf195a3117853984d http://contagiodump.blogspot.com/2017/10/dde-command-execution-malware-samples.html |
M17-91t01 | TrickBot_1d017e8f | Mixed | This strike sends a malware sample known as TrickBot. TrickBot is a banking trojan that shares similarities with the Dyre banking trojan. It is used by crooks to target customers of Australian banks. | 1d017e8f2dcbc1b4746b104ffa92c6fc | SHA1: 02f59e1595b32dd0f29a1f37b4b446a8b5d4d204 MD5: 1d017e8f2dcbc1b4746b104ffa92c6fc SHA256: 99714908dc8d8316bcad7089c8d100755cd25f77c52bce91af0ed3a9a44db1bf http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html |
M17-r3v01 | Emotet_6e6118f6 | Mixed | This strike sends a malware sample known as Emotet. This document sample has been associated with the Emotet banking trojan. It contains obfuscated code and uses PowerShell to download payloads. | 6e6118f6e06d8cff7fdf5ff86417e326 | SHA1: ca90c4c4a0d5869bb82e9c83b91c89a0680dc055 MD5: 6e6118f6e06d8cff7fdf5ff86417e326 SHA256: b160f7e0036a12a9b7b499249950aaeec569484ff0d50122c4d32d72c75aaf49 http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html |
M17-a6z01 | Beeldeb_5ff9e9b0 | Windows | This strike sends a malware sample known as Beeldeb. This sample is a trojan that is added to the startup folder for persistence. It is a self-executing AutoIt script, and the malware payload is injected into a dropped executable. | 5ff9e9b08389b3680a87f8bde3bbde41 | SHA1: 49f18e00751bf463cecd38b56d8962e32716a32b MD5: 5ff9e9b08389b3680a87f8bde3bbde41 SHA256: 2c89cbab497a1a5219b5d66f1ba39473b6ffc15ec4f53a2bb09c070a15a537e8 http://blog.talosintelligence.com/2017/09/threat-round-up-170922-170929.html |
M17-m4k01 | Beeldeb_91c456af | Windows | This strike sends a malware sample known as Beeldeb. This sample is a trojan that is added to the startup folder for persistence. It is a self-executing AutoIt script, and the malware payload is injected into a dropped executable. | 91c456af934c996615971350abe59d9b | SHA1: c7c42ceca41ffefd1c06f742fafbe5ec5a28cc37 MD5: 91c456af934c996615971350abe59d9b SHA256: 1e76a00a1e6e4265ad5ff364d3139a62013a9628d90edd7e6a155e7f0a8193e8 http://blog.talosintelligence.com/2017/09/threat-round-up-170922-170929.html |
M17-xf301 | Document | Mixed | This strike sends a malware sample known as Document Macro Obfuscation. This sample uses obfuscation to bypass detection and adds useless code to misdirect analysis. | 41b3b3891b2ff0f02fc37722814b2e44 | SHA1: a3f656592d267c7228223fb89729ce169b6f949a MD5: 41b3b3891b2ff0f02fc37722814b2e44 SHA256: 9e316bc8edd80e260d8ef24accfd2f1c1561665171d0721f4a36585e9b1cbe99 http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html |
M17-d5u01 | BadRabbit_edb72f4a | Windows | This strike sends a malware sample known as BadRabbit. This sample, included with the BadRabbit ransomware, is a legitimate DiskCryptor driver. DiskCryptor is open-source disk encryption software. | edb72f4a46c39452d1a5414f7d26454a | SHA1: 08f94684e83a27f2414f439975b7f8a6d61fc056 MD5: edb72f4a46c39452d1a5414f7d26454a SHA256: 0b2f863f4119dc88a22cc97c0a136c88a0127cb026751303b045f7322a8972f6 http://blog.talosintelligence.com/2017/10/bad-rabbit.html |
M17-bmh01 | Emotet_2718d8af | Mixed | This strike sends a malware sample known as Emotet. This document sample has been associated with the Emotet banking trojan. It contains obfuscated code and uses PowerShell to download payloads. | 2718d8af5a07402f52c0de6e41abb99a | SHA1: 84dd202e55479bc3a751685e3d6567d4bc811a6f MD5: 2718d8af5a07402f52c0de6e41abb99a SHA256: 24b041585da64a03245c460805f68dbac94b63d19aba6f1bbf7f7d6fa3a26033 http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html |
M17-p1q01 | Vilsel_33a4a3bd | Windows | This strike sends a malware sample known as Vilsel. This sample is an older trojan that copies itself to the victim's startup folder to obtain persistence. It has been observed copying itself to several locations on the target system, with each copy appending random bytes to the end of its name. | 33a4a3bd945302e799b90c250f9de22f | SHA1: dd484940a55ec3240f65185a2bb77acc9190b850 MD5: 33a4a3bd945302e799b90c250f9de22f SHA256: 1b8ba3bde52f7c979d427a03d636c9658b010724b8b93fd98c31a888bcc3123c http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html |
M17-aee01 | Document | Mixed | This strike sends a malware sample known as Document Macro Obfuscation. This sample uses obfuscation to bypass detection and adds useless code to misdirect analysis. | 30be88192aa73ae0120f5e225204b108 | SHA1: 9fba5890634f229b7145f17686f70d48c5e5f897 MD5: 30be88192aa73ae0120f5e225204b108 SHA256: a7b7a582248f4ed47c8816c9436e7a49f2c02a83d18014509d0215e217f19e9e http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html |
M17-nev01 | TrickBot_466187a5 | Mixed | This strike sends a malware sample known as TrickBot. TrickBot is a banking trojan that shares similarities with the Dyre banking trojan. It is used by crooks to target customers of Australian banks. | 466187a5d3cc9e941dc2c7274b1c6709 | SHA1: 94a7e837ff4577f555ee7ab1f6532df7d846d716 MD5: 466187a5d3cc9e941dc2c7274b1c6709 SHA256: 37e7afe3da64064dacbc53b5cac88972662a181aa864e094b4a45ce88318d7f3 http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html |
M17-w3b01 | MS | Windows | This strike sends a malware sample known as MS Office DDE Payload PE. This sample is a dropped payload associated with the Microsoft Office DDE attacks. The filename is Citibk_MT103_Ref71943.exe. | 3a4d0c6957d8727c0612c37f27480f1e | SHA1: 705de08f2a4b939b406f496e7c21afbdb7436215 MD5: 3a4d0c6957d8727c0612c37f27480f1e SHA256: 316f0552684bd09310fc8a004991c9b7ac200fb2a9a0d34e59b8bbd30b6dc8ea http://contagiodump.blogspot.com/2017/10/dde-command-execution-malware-samples.html |
M17-eit01 | MS | Mixed | This strike sends a malware sample known as MS Office VBS Downloader. This sample attempts to evade detection by splitting the word "powershell" and inserting characters in between. | 1a4471c427c7b4d87f3edf0c150e4c89 | SHA1: 3c41291459807bfbe05fe9b7c1c40e6a2ab97cd7 MD5: 1a4471c427c7b4d87f3edf0c150e4c89 SHA256: 2747932c56b816aae80ace812975e868b3227ab651903c1dc01e987231cccc96 http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html |
M17-tx001 | MS | Mixed | This strike sends a malware sample known as MS Office VBS Downloader. This sample attempts to evade detection by splitting the word "powershell" and inserting characters in between. | 1549333bbc2ca45390d73c7876ef7704 | SHA1: 0a456e5f7f7fb43b0d017ec752af986330cceebe MD5: 1549333bbc2ca45390d73c7876ef7704 SHA256: 57794867310c0c673a34eccea666780b09287f8ca42e4c5aadd21abec43d8168 http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html |
M17-7u401 | Beeldeb_83642fc3 | Windows | This strike sends a malware sample known as Beeldeb. This sample is a trojan that is added to the startup folder for persistence. It is a self-executing AutoIt script, and the malware payload is injected into a dropped executable. | 83642fc30d69a624f5b5c3c6dbef590f | SHA1: dca5899ec909dcf5c29212c4a7cf969a51b154d6 MD5: 83642fc30d69a624f5b5c3c6dbef590f SHA256: a864f592f8fd01a57cf8302056a413e4a688f6cfa2beae8c5e136a40384f7b56 http://blog.talosintelligence.com/2017/09/threat-round-up-170922-170929.html |
M17-8fv01 | MS | Windows | This strike sends a malware sample known as MS Office DDE Payload PE. This sample is the final dropped payload in a Microsoft Office DDE attack targeting Freddie Mac employees. | 4f3a6e16950b92bf9bd4efe8bbff9a1e | SHA1: 9f09b4e99e7fd50d53d9df67236a0dfd0a22acc6 MD5: 4f3a6e16950b92bf9bd4efe8bbff9a1e SHA256: 5d3b34c963002bd46848f5fe4e8b5801da045e821143a9f257cb747c29e4046f http://pedramamini.postach.io/ http://blog.inquest.net/blog/2017/10/14/02-microsoft-office-dde-freddie-mac-targeted-lure/ http://contagiodump.blogspot.com/2017/10/dde-command-execution-malware-samples.html |
M17-sex01 | Document | Mixed | This strike sends a malware sample known as Document Macro Obfuscation. This sample uses obfuscation to bypass detection and adds useless code to misdirect analysis. | 3cc8af9aed58a99c5c1884ed17e0daa7 | SHA1: 904c859e56bc6a6f59e1ac7335c9b59502ca86f3 MD5: 3cc8af9aed58a99c5c1884ed17e0daa7 SHA256: 9de97b64e55209d946f21d8e1be015932f0df9df1acc0c282b8aaf6885b5d254 http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html |
M17-ipj01 | Document | Mixed | This strike sends a malware sample known as Document Macro Obfuscation. This sample uses obfuscation to bypass detection and adds useless code to misdirect analysis. | ffc42a752bc20745f0f20a112a416a8e | SHA1: d9a065c5ca4fd19e571af5a12492dcb9a39ef1f3 MD5: ffc42a752bc20745f0f20a112a416a8e SHA256: ee787d5959e57fe1787b36a3bfa3fd4d90e4a0b1705f96f4a90a06d0bdd75cab http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html |
M17-b8601 | MS | Mixed | This strike sends a malware sample known as MS Office VBS Downloader. This sample attempts to evade detection by splitting the word "powershell" and inserting characters in between. | 9e76e0aa0bbc164c35d34641194ab0be | SHA1: 2264c10d35c17626f9ad94c63071be9382182bdc MD5: 9e76e0aa0bbc164c35d34641194ab0be SHA256: 2374d35b524259f14a3cd41eca49417c69fafdab226a4d00788c014b3c2c922c http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html |
M17-nof01 | TrickBot_9e2a44f5 | Mixed | This strike sends a malware sample known as TrickBot. TrickBot is a banking trojan that shares similarities with the Dyre banking trojan. It is used by crooks to target customers of Australian banks. | 9e2a44f56e89d074ff8b4ccc49d8eecf | SHA1: a5dcb49bd204a916cf8fe27e509a41e7d15ba8bd MD5: 9e2a44f56e89d074ff8b4ccc49d8eecf SHA256: b4492030182ee0e7c3257f417fe98d4e52d301230e31491a4563cb41fa6b3343 http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html |
M17-y8l01 | TrickBot_adbf41e8 | Mixed | This strike sends a malware sample known as TrickBot. TrickBot is a banking trojan that shares similarities with the Dyre banking trojan. It is used by crooks to target customers of Australian banks. | adbf41e8d5cc1f2ace5410439bc02784 | SHA1: 3d69c7a7e963d1b63b696ccba8b51b5159b7c8fe MD5: adbf41e8d5cc1f2ace5410439bc02784 SHA256: 6acd175a2971b370ae7413bad180f8f745a4b391b0fa4f3e70ef660f5e3bee75 http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html |
M17-xsw01 | Document | Mixed | This strike sends a malware sample known as Document Macro Obfuscation. This sample uses obfuscation to bypass detection and adds useless code to misdirect analysis. | 5544f6c63933909929da0e907546c42f | SHA1: 7a844dc2045c002a6224597ed7a9d93c738a6527 MD5: 5544f6c63933909929da0e907546c42f SHA256: b49adc35b4a6add49bc0accfc9ce9b6d2f8c093af0c2ee6dd05750aba2c75503 http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html |
M17-hnf01 | Cossta_a72550cc | Windows | This strike sends a malware sample known as Cossta. This sample is a trojan that downloads more malicious code and commands in order to execute additional functionality. | a72550cc54425d5660f2913a6b7f240e | SHA1: 0fc84405183a9f1af5db4c6e911d2f3059e17620 MD5: a72550cc54425d5660f2913a6b7f240e SHA256: 2e3b79c0bc90f46218700afba5d5a55cb00832969a00f254ec113d342d76a992 http://blog.talosintelligence.com/2017/09/threat-round-up-170922-170929.html |
M17-w3t01 | TerrorEK_6ea344d0 | Windows | This strike sends a malware sample known as TerrorEK. Terror EK is an exploit kit that is distributed through malvertising on adult web site traffic. It can fingerprint its target to determine which exploits to deliver. | 6ea344d0db80ab6e5cabdc9dcecd5ad4 | SHA1: b19796bdd0e86b7f754900950465c1b3b054483e MD5: 6ea344d0db80ab6e5cabdc9dcecd5ad4 SHA256: cf51ef5c787407e343c132febde8cba563015165b37e7824078baebe1bf20109 https://threatpost.com/malvertising-campaign-redirects-browsers-to-terror-exploit-kit/128596/ |
M17-qfe01 | BadRabbit_b14d8faf | Windows | This strike sends a malware sample known as BadRabbit. This sample, included with the BadRabbit ransomware, is a legitimate DiskCryptor client. DiskCryptor is open-source disk encryption software. | b14d8faf7f0cbcfad051cefe5f39645f | SHA1: afeee8b4acff87bc469a6f0364a81ae5d60a2add MD5: b14d8faf7f0cbcfad051cefe5f39645f SHA256: 8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93 http://blog.talosintelligence.com/2017/10/bad-rabbit.html |
M17-3dz01 | TrickBot_f1c5db30 | Mixed | This strike sends a malware sample known as TrickBot. TrickBot is a banking trojan that shares similarities with the Dyre banking trojan. It is used by crooks to target customers of Australian banks. | f1c5db30b092fdbc27892ce4ccf67eeb | SHA1: 461306e3b6f95d791e0185b919ee02e40a946d76 MD5: f1c5db30b092fdbc27892ce4ccf67eeb SHA256: 08a5a27b430bdc6d157ebdbf5dd0e7c648d7fc0e9e3e52baf54f5b770f72e919 http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html |
M17-9mh01 | RevengeRat_f8e91818 | Windows | This strike sends a malware sample known as RevengeRat. This sample is a Remote Access Tool that allows the attacker to perform a variety of covert malicious functions on the target system. These capabilities include, but are not limited to, spying on the user and exfiltrating data. | f8e91818df8255195ffa3700a8a91020 | SHA1: 6ca5c2f79c431717033f244f95ee223287f53d73 MD5: f8e91818df8255195ffa3700a8a91020 SHA256: b110def3771963078f3ce54d13d23a6f751ea6dc41e5177e242208791a0a8342 http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html |
M17-llu01 | Jrat_ae95cb1c | Mixed | This strike sends a malware sample known as Jrat. This sample is a document that contains an embedded OLE object that attempts to contact external domains to download additional malicious code. | ae95cb1ce2361ee8a243a165a30671ea | SHA1: d4913dc755088d1e3d129c6b9c9458a62a514c81 MD5: ae95cb1ce2361ee8a243a165a30671ea SHA256: 50c1020efca0698519c89b468fc25926d1bad2eeb421482d9c17b6ab24535217 http://blog.talosintelligence.com/2017/09/threat-round-up-170922-170929.html |
M17-yya01 | Emotet_de42982a | Mixed | This strike sends a malware sample known as Emotet. This document sample has been associated with the Emotet banking trojan. It contains obfuscated code and uses PowerShell to download payloads. | de42982a6a16c1bdf40f2baad8e72511 | SHA1: b1049b482ad0a4745fac3455e11005ec2568a421 MD5: de42982a6a16c1bdf40f2baad8e72511 SHA256: 56aa0e876398efcb1ba2e8465e8bd91109e700147eff81acac5ad2514e2f011a http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html |
M17-5zk01 | TorrentLocker_4111ff07 | Windows | This strike sends a malware sample known as TorrentLocker. This sample of ransomware uses AES encryption to encrypt files on the victim's machine before demanding a Bitcoin ransom. | 4111ff07e1f54723cc323c0a0ed88080 | SHA1: dc9605648dadaa9cc463acd711a1ee9908328f54 MD5: 4111ff07e1f54723cc323c0a0ed88080 SHA256: ba4fe6e91aae42e7a12747422443a361201898a4a5d2454472cf8d42b8d5cc52 http://blog.talosintelligence.com/2017/09/threat-round-up-170922-170929.html |
M17-xag01 | Beeldeb_39c16536 | Windows | This strike sends a malware sample known as Beeldeb. This sample is a trojan that is added to the startup folder for persistence. It is a self-executing AutoIt script, and the malware payload is injected into a dropped executable. | 39c165367e163aad7a384c3f565a9875 | SHA1: 8a90d33befcc9c9c28439bde56215378d8a189b9 MD5: 39c165367e163aad7a384c3f565a9875 SHA256: bb8e4aec824aa052fdda739abb8472caf2bd6c34d1773248ea3072e5c024140a http://blog.talosintelligence.com/2017/09/threat-round-up-170922-170929.html |
M17-ees01 | Tofsee_3b8d76c2 | Windows | This strike sends a malware sample known as Tofsee. This sample has been tied to other malware such as the Zeus botnet. It contains several layers of encryption, exhibits ransomware behavior, and also sends spam. | 3b8d76c2886b2deeec94060f1353e35b | SHA1: 7a3388475aa5a955619dd11d1d09c2b242ebc5f2 MD5: 3b8d76c2886b2deeec94060f1353e35b SHA256: b29d5908edaa7a98e7b7aca5614e0dbbcbaa5e15e93540f037451db52905ebdf http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html |
M17-z7801 | RevengeRat_0ab4672f | Windows | This strike sends a malware sample known as RevengeRat. This sample is a Remote Access Tool that allows the attacker to perform a variety of covert malicious functions on the target system. These capabilities include, but are not limited to, spying on the user and exfiltrating data. | 0ab4672ff9298e2bdd1ad12966fba880 | SHA1: 51fcd86363149c3c164bfa31219b76eef3f97eea MD5: 0ab4672ff9298e2bdd1ad12966fba880 SHA256: 0d576038349acf0892cbb0124b9558bb4b80c070875017c320dd12bdc0c21f9a http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html |
M17-ry101 | Tofsee_66fbf228 | Windows | This strike sends a malware sample known as Tofsee. This sample has been tied to other malware such as the Zeus botnet. It contains several layers of encryption, exhibits ransomware behavior, and also sends spam. | 66fbf2288948d8f39516bfcf772df514 | SHA1: de1c9685c1a12acf3fca5a5f958afc75c379bb05 MD5: 66fbf2288948d8f39516bfcf772df514 SHA256: 9f33ee45c11c52f6c6a38bb004457046f5743d51bde77282b2dc1847e9c6cbe9 http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html |
M17-5ec01 | TrickBot_f8fda0ca | Mixed | This strike sends a malware sample known as TrickBot. TrickBot is a banking trojan that shares similarities with the Dyre banking trojan. It is used by crooks to target customers of Australian banks. | f8fda0ca1102b83e8848f7b678a4d52f | SHA1: 09696e0cfaf65d7be27167586563d23c3851d2e2 MD5: f8fda0ca1102b83e8848f7b678a4d52f SHA256: 793c3af7a30ca9cbb1a9f33b1986b8628af45ec1c2a04c1dd98a5cfa376f55be http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html |
M17-odh01 | TrickBot_15a86455 | Mixed | This strike sends a malware sample known as TrickBot. TrickBot is a banking trojan that shares similarities with the Dyre banking trojan. It is used by crooks to target customers of Australian banks. | 15a86455f789404d6a0f499b2349abf7 | SHA1: 3c425cb3d7cc2dedc522ac1316b39ce401355437 MD5: 15a86455f789404d6a0f499b2349abf7 SHA256: dcfcc1a702447925e8826cf1b15a79db9ceee264c46e0447f62856c52be76c9a http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html |
M17-zku01 | Document | Mixed | This strike sends a malware sample known as Document Macro Obfuscation. This sample uses obfuscation to bypass detection and adds useless code to misdirect analysis. | 3971be2d09be971e83bb783bf15e496b | SHA1: a9c8c15cead43c25929c28ff4d8a0d8499553d9fMD5: 3971be2d09be971e83bb783bf15e496bSHA256: 485ac8f15a1ed8005940365da1dd1031244eb9b18b86cc97a001483d23983e01http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html |
M17-nw901 | Microsoft | Mixed | This strike sends a malware sample known as Microsoft Office DDE. This sample is the original lure associated with the Microsoft Office DDE attacks. The sample's name is ~WRD0000.tmp. | 42027846162fe156e1bb8da39c6b7288 | SHA1: 280a0697c5aa33d79d482df8614b6b044747ee8dMD5: 42027846162fe156e1bb8da39c6b7288SHA256: 8630169ab9b4587382d4b9a6d17fd1033d69416996093b6c1a2ecca6b0c04184http://contagiodump.blogspot.com/2017/10/dde-command-execution-malware-samples.html |
M17-sxi01 | Document | Mixed | This strike sends a malware sample known as Document Macro Obfuscation. This sample uses obfuscation to bypass detection and adds useless code to misdirect analysis. | ec15f34b51e13bd70b558ba54be82597 | SHA1: d88cb8e80bc03c1dbd5b63943741d5ee4ab49efdMD5: ec15f34b51e13bd70b558ba54be82597SHA256: 984730d87bc7df01d890f8719f83712c7eaf7af05de5cb9a49d3132dc6251751http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html |

Strike ID | Malware | Platform | Info | MD5 | External References |
---|---|---|---|---|---|
M17-p5w01 | Symmi_4533f3cf | Windows | This strike sends a malware sample known as Symmi. This sample creates binaries and then gains persistence by creating a scheduled task. It then adds a registry value that can be loaded into the user-mode processes on the system. | 4533f3cf126bea0971299bfcb664fd8f | SHA1: 7f38b9f01390d0e7be186d6d9e3780d4354cbcea; MD5: 4533f3cf126bea0971299bfcb664fd8f; SHA256: e76a23d8d8e16a6e1cd78e28ad875f5ca61221f3d0c44dddf750e5920dc5acc2; http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html |
M17-q1o01 | Doc.Macro.Obfuscation_481bb264 | Mixed | This strike sends a malware sample known as Doc.Macro.Obfuscation. This sample of Office Macro documents employs the same defensive techniques to prevent easy investigation. Much of the code is unused or not malicious, in order to distract from or slow the de-obfuscation process. The MD5 hash of this Doc.Macro. | 481bb264685f1fd953c2e4902e33b9ba | SHA1: 37c9df70788833508a1b5c51720d25300f4a02c0; MD5: 481bb264685f1fd953c2e4902e33b9ba; SHA256: 0dd881a73d020780715e7a4ee943288fe5174ff27ae3ae90405785e8f584c225; http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html |
M17-r1401 | Symmi_b6181cea | Windows | This strike sends a malware sample known as Symmi. This sample creates binaries and then gains persistence by creating a scheduled task. It then adds a registry value that can be loaded into the user-mode processes on the system. | b6181cea5538d1d990f01175005bc1c5 | SHA1: ecf8926e36e844179c85c4fbcf131591204b567f; MD5: b6181cea5538d1d990f01175005bc1c5; SHA256: 17ae6bd9e77a9a783caf5bc398f03ff47691134f9a6c5600a903159057c78b17; http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html |
M17-5i701 | Valyria_558a6786 | Mixed | This strike sends a malware sample known as Valyria. This sample is a downloader that uses obfuscation in VBA to construct a PowerShell download command and execute it via VBA Shell. | 558a6786fadce8649252cf4f3548c0b0 | SHA1: 60956c5bcc5c91205c7024055ebb47ed1cd0c460; MD5: 558a6786fadce8649252cf4f3548c0b0; SHA256: f543e6e17ca16d883f3da521b9c8e0070ab7a1ee6c83eb8bca701bea7af6385f; http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html |
M17-ub901 | AlmanCloud_307a4d25 | Windows | This strike sends a malware sample known as AlmanCloud. This trojan implements many anti-debugging techniques. It is also able to infect USB drives, function as a keylogger, and exfiltrate collected information by contacting remote servers. | 307a4d25ee4bbdfe53aea2a0d400508f | SHA1: fb568c00d9971caf90a87cf8c0f85aded90dd6bb; MD5: 307a4d25ee4bbdfe53aea2a0d400508f; SHA256: 5e0fcf513867bb834af4ebb405a328d66838e528e32e420a89eab7b8619f1830; http://blog.talosintelligence.com/2017/09/threat-round-up-0825-0901.html |
M17-epd01 | Symmi_a7bf3e40 | Windows | This strike sends a malware sample known as Symmi. This sample creates binaries and then gains persistence by creating a scheduled task. It then adds a registry value that can be loaded into the user-mode processes on the system. | a7bf3e40fc8366e973b2794bd021c594 | SHA1: 0df167157518e2b46d1f197c881d915525a67615; MD5: a7bf3e40fc8366e973b2794bd021c594; SHA256: 2a6794ad2014b95abca5512d85f748aaaf08a1d1f9a7be3583987bd1523f5f1b; http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html |
M17-2rx01 | Symmi_0333b1aa | Windows | This strike sends a malware sample known as Symmi. This sample creates binaries and then gains persistence by creating a scheduled task. It then adds a registry value that can be loaded into the user-mode processes on the system. | 0333b1aa179d9685137aa394e99f4524 | SHA1: 6ba0790ed9d8d1d158db8e27f3e5d68fc7b1b4fb; MD5: 0333b1aa179d9685137aa394e99f4524; SHA256: 7156221c0787b78866de2621828fa2ea48ebdba2b06219576337db8bf342c6cf; http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html |
M17-cot01 | TrickBot_c2d71afe | Mixed | This strike sends a malware sample known as TrickBot. TrickBot is a banking trojan that shares similarities with the Dyre banking trojan. It is used by criminals to target customers of Australian banks. | c2d71afecb3afab088f8f72e38643555 | SHA1: 1194c6e068f7d9fe94269a4f32f3799a2ffb0ad2; MD5: c2d71afecb3afab088f8f72e38643555; SHA256: 2419210bdd20b352b357573e72eb82bafa801b078f25517546bd348e2e93a505; http://blog.talosintelligence.com/2017/09/threat-round-up-0825-0901.html |
M17-xdl01 | Cmig_395c0336 | Windows | This strike sends a malware sample known as Cmig. This sample is a packer that has been known to obfuscate banking trojans. | 395c03366c6b4ad8579441cf87050fe7 | SHA1: 8aceacc6a915e27d220d5ff2a0b7b0ae1d277173; MD5: 395c03366c6b4ad8579441cf87050fe7; SHA256: 359c0c9d53f14552ede1a37f73b4554f8fa8004ec0a25a6b6741dfd4f2df5682; http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html |
M17-acy01 | Valyria_2f432869 | Mixed | This strike sends a malware sample known as Valyria. This sample is a downloader that uses obfuscation in VBA to construct a PowerShell download command and execute it via VBA Shell. | 2f432869c66584e0761325a8e43d10c5 | SHA1: e8b9c8fec8d1a3b26c79163ee46a387776853b53; MD5: 2f432869c66584e0761325a8e43d10c5; SHA256: e9d062f1b899f805c95b79165873b6c4e7eb6ec3185347ec0d67e2d30caff67b; http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html |
M17-py101 | Symmi_32583c0b | Windows | This strike sends a malware sample known as Symmi. This sample creates binaries and then gains persistence by creating a scheduled task. It then adds a registry value that can be loaded into the user-mode processes on the system. | 32583c0b33172fdd8291ae201e0f9f4b | SHA1: 6e433f11a9a44100a2c90af7db766600c4c5506a; MD5: 32583c0b33172fdd8291ae201e0f9f4b; SHA256: a94ef67587dde19950297b9b69e90254f16cd5e6653fc596524044377a2e1193; http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html |
M17-wnu01 | Symmi_c45a851a | Windows | This strike sends a malware sample known as Symmi. This sample creates binaries and then gains persistence by creating a scheduled task. It then adds a registry value that can be loaded into the user-mode processes on the system. | c45a851a0948b30997d95c789a7a487a | SHA1: f08536521390087d5a4776c8dc19f75cb99c6934; MD5: c45a851a0948b30997d95c789a7a487a; SHA256: d778483fb3f3afdc4efd06ae0f605a53d7ee4e512459aa3b287cc246cc6097b5; http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html |
M17-a5101 | Ursnif_c04e0926 | Windows | This strike sends a malware sample known as Ursnif. Ursnif, also known as Gozi, is a banking trojan. The malware is mainly spread through spam email carrying an attachment that downloads Ursnif. In the past year, Ursnif has been used in attacks against Japan. | c04e0926efec768033d5458210c80dea | SHA1: 680a208f2459a369fe7f9c9b73a5b9c440464947; MD5: c04e0926efec768033d5458210c80dea; SHA256: 6f2af5771522f2ce3843f57c2a72a2451e0b73a71505cd50abad031267915be3; http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html |
M17-g7f01 | Valyria_e602fa89 | Mixed | This strike sends a malware sample known as Valyria. This sample is a downloader that uses obfuscation in VBA to construct a PowerShell download command and execute it via VBA Shell. | e602fa89e592d87673b1ee21ba781962 | SHA1: 491cc002b8c3cdf49b6b53806539ffe6f93893e1; MD5: e602fa89e592d87673b1ee21ba781962; SHA256: 59400bc70eab4810a1b7a5c8556879315cdc2233b51e812587fe259a3dde69a6; http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html |
M17-8ds01 | Cmig_c08bae3d | Windows | This strike sends a malware sample known as Cmig. This sample is a packer that has been known to obfuscate banking trojans. | c08bae3d02bc5c866b97f4cdaa92a423 | SHA1: ebba2f3676d211e4784d86f26f83b89cda35e8e2; MD5: c08bae3d02bc5c866b97f4cdaa92a423; SHA256: 251984e04c9654cab912e5ab74f510c808a3fd34bc10d81f20eef7350dc51339; http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html |
M17-wyj01 | CC | Windows | This strike sends a malware sample known as CC Cleaner. This sample of CCleaner, distributed by Avast, contains a malicious payload that features a domain generation algorithm and hard-coded C2 functionality. The malicious payload may attempt to elevate privileges, or send an HTTP request to a remote controller in hopes of retrieving a further-stage payload. | 75735db7291a19329190757437bdb847 | SHA1: c705c0b0210ebda6a3301c6ca9c6091b2ee11d5b; MD5: 75735db7291a19329190757437bdb847; SHA256: 1a4a5123d7b2c534cb3e3168f7032cf9ebf38b9a2a97226d0fdb7933cf6030ff; http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html |
M17-i3p01 | Cmig_094735c4 | Windows | This strike sends a malware sample known as Cmig. This sample is a packer that has been known to obfuscate banking trojans. | 094735c41e4f4779c5a1503b2b4c2645 | SHA1: de032fc317e8cbe2827d1ee35516e442c4552428; MD5: 094735c41e4f4779c5a1503b2b4c2645; SHA256: 12b2c3dd430777d50966f542668eb022b2871a3c2ec77003911080fa90c32c5b; http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html |
M17-nl101 | Cmig_b922cf0e | Windows | This strike sends a malware sample known as Cmig. This sample is a packer that has been known to obfuscate banking trojans. | b922cf0ed1f18434326e6ed940fdc1df | SHA1: c139a4fe693eff29239c71ccb5c30d6ae003914f; MD5: b922cf0ed1f18434326e6ed940fdc1df; SHA256: 2fe55bd75831905bd35b0928ecd70f064330311ec0749bda01cff595b9af6b27; http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html |
M17-71x01 | Dinwood_003acd74 | Windows | This strike sends a malware sample known as Dinwood. Dinwood is a polymorphic dropper that copies itself to the root directory and then removes itself. The modified versions drop the payload on a Windows system and then run it via DLL injection. | 003acd74e09cda434d08a9f5ba2ea538 | SHA1: e373f234220294da1f556e02353ff9d6521a3af0; MD5: 003acd74e09cda434d08a9f5ba2ea538; SHA256: 06ebf78a7f2f3cbc7a8961051f3bfe9211b8dc8fd255be6f9df7b96f261a46ad; http://blog.talosintelligence.com/2017/09/threat-round-up-0825-0901.html |
M17-laa01 | Cmig_37e3b74c | Windows | This strike sends a malware sample known as Cmig. This sample is a packer that has been known to obfuscate banking trojans. | 37e3b74c24f4928d098b526738945eee | SHA1: 4f5fc5eb1766ece68e8f4e486093f7a3d34f7771; MD5: 37e3b74c24f4928d098b526738945eee; SHA256: 3d3d7e837aafbd8f42ade61f867114cc28af14c5d4ace788f351df0ad58cadf1; http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html |
M17-xqy01 | Doc.Macro.Obfuscation_abf1049b | Mixed | This strike sends a malware sample known as Doc.Macro.Obfuscation. This sample uses obfuscation in an attempt to make quick code analysis difficult. Much of the code found in this sample is junk code that does not evaluate to a malicious function or purpose. The MD5 hash of this Doc.Macro. | abf1049b698b8bffbfc936ef383a374b | SHA1: 5e03b849d2311d922a8dfaf7e283e06eaff2513a; MD5: abf1049b698b8bffbfc936ef383a374b; SHA256: 6ff2121b359d8a2776c25293aa96b823759b0796e559e70bc6d2e8adaf208fd7; http://blog.talosintelligence.com/2017/09/threat-round-up-0825-0901.html |
M17-3l401 | Doc.Macro.Obfuscation_62bb7e2b | Mixed | This strike sends a malware sample known as Doc.Macro.Obfuscation. This sample of Office Macro documents employs the same defensive techniques to prevent easy investigation. Much of the code is unused or not malicious, in order to distract from or slow the de-obfuscation process. The MD5 hash of this Doc.Macro. | 62bb7e2b0a31bbfa624e95023863dfa2 | SHA1: ba30dceb90f9b65ecb869d00e2debf533000dca8; MD5: 62bb7e2b0a31bbfa624e95023863dfa2; SHA256: 51e75edc5abe46280a4ef590047bb0bf4ab0d409da07711cbd2917b4ce103c59; http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html |
M17-crq01 | Cmig_c69a6d7c | Windows | This strike sends a malware sample known as Cmig. This sample is a packer that has been known to obfuscate banking trojans. | c69a6d7c64c8642ecf7bc06c97f8bd66 | SHA1: e19c844ee754e3a3f4b62f155e4a747138c3d613; MD5: c69a6d7c64c8642ecf7bc06c97f8bd66; SHA256: 3706c1b476c5a7093dbf71f51daa053d817668b854b99ef8ab939f2498fe253f; http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html |
M17-fmi01 | Cmig_112f97d8 | Windows | This strike sends a malware sample known as Cmig. This sample is a packer that has been known to obfuscate banking trojans. | 112f97d822db7cc0782ebdaf58826fc1 | SHA1: 26b7e9e0192d46a8e280c4933bae646591cc1f74; MD5: 112f97d822db7cc0782ebdaf58826fc1; SHA256: 14eeda627d8c65edea9e8c7b3a02f381079f1c28be3f1408a0f6f4f0968da27c; http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html |
M17-xo501 | Cmig_5f54bada | Windows | This strike sends a malware sample known as Cmig. This sample is a packer that has been known to obfuscate banking trojans. | 5f54bada97635cafb076e08f1a9247bd | SHA1: a0834384f03048f77b3f86b29d82f9498ff1c9c5; MD5: 5f54bada97635cafb076e08f1a9247bd; SHA256: 05baa0dc22cf5b14b5a8e70c4a0183c50f366da7916fdee0f1b26835f48e43c1; http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html |
M17-uqf01 | Cmig_ee102894 | Windows | This strike sends a malware sample known as Cmig. This sample is a packer that has been known to obfuscate banking trojans. | ee102894e4fae149d39e2054a7155729 | SHA1: a607a8d6337bf95978e312b0e93e3f4907ac1759; MD5: ee102894e4fae149d39e2054a7155729; SHA256: 28c5bd99d92cf80443f93cb12344cade4e9685a89e936d490b9e04edd6207f1a; http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html |
M17-msb01 | Valyria_8b136d7f | Mixed | This strike sends a malware sample known as Valyria. This sample is a downloader that uses obfuscation in VBA to construct a PowerShell download command and execute it via VBA Shell. | 8b136d7fb8f2306fc0530115a2ad891d | SHA1: 201c1162a5eb5c9ed85f4418dcbdcad71a6862f4; MD5: 8b136d7fb8f2306fc0530115a2ad891d; SHA256: 8263c8ab8cf63264e39de0c237e26c7f08e36427ec47e0699f7ff8726af40db5; http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html |
M17-3f701 | Cmig_80526918 | Windows | This strike sends a malware sample known as Cmig. This sample is a packer that has been known to obfuscate banking trojans. | 805269188a5c032767af7bf00024b25a | SHA1: bf664be50eac27f4b90ed77ff7a705f6552a8408; MD5: 805269188a5c032767af7bf00024b25a; SHA256: 2b9d669d44fb21199c4ad9f51566d641cb1613907c1a8f66c49c3a0766fbd386; http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html |
M17-8si01 | Dinwood_00089c7c | Windows | This strike sends a malware sample known as Dinwood. Dinwood is a polymorphic dropper that copies itself to the root directory and then removes itself. The modified versions drop the payload on a Windows system and then run it via DLL injection. | 00089c7c29ceb806e122292d3756c42f | SHA1: 6eceaa806237afe891d51d4fa60ac653b1b0dba5; MD5: 00089c7c29ceb806e122292d3756c42f; SHA256: 076e08eb3eae357b4ee75f9bc1e9fe8a9ea3b3e3ddafe244e0583e320a0bfd26; http://blog.talosintelligence.com/2017/09/threat-round-up-0825-0901.html |
M17-ytd01 | Symmi_ec22cff1 | Windows | This strike sends a malware sample known as Symmi. This sample creates binaries and then gains persistence by creating a scheduled task. It then adds a registry value that can be loaded into the user-mode processes on the system. | ec22cff1b6aa42743366097b32d6f5f0 | SHA1: 2ae525cbce103e15c5e14d885e83cc5cc4eba0de; MD5: ec22cff1b6aa42743366097b32d6f5f0; SHA256: 2c0f383fcc3b07a893fa0ce0cfbe025d31c6ebfe46979b129bd8090712256c42; http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html |
M17-kzb01 | Symmi_a5cdff79 | Windows | This strike sends a malware sample known as Symmi. This sample creates binaries and then gains persistence by creating a scheduled task. It then adds a registry value that can be loaded into the user-mode processes on the system. | a5cdff796de0034b8c95eb71b00545ec | SHA1: 57433dd0843146de661b9eb9c24ca54c90a8c3fc; MD5: a5cdff796de0034b8c95eb71b00545ec; SHA256: 10e8f34991079b2c40f2e72babdbd3d0fd97703870552061752b341b704153b3; http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html |
M17-ynk01 | KHRAT_404518f4 | Windows | This strike sends a malware sample known as KHRAT. KHRAT is a remote access trojan that registers the target using the infected system's information (username, system language and IP). KHRAT also includes many features found in RATs, such as keylogging, remote access, and screenshot grabbing. | 404518f469a0ca85017136b6b5166ae3 | SHA1: 8fff5fe410927095bd13fa15d84e69df0b0754fe; MD5: 404518f469a0ca85017136b6b5166ae3; SHA256: 53e27fd13f26462a58fa5587ecd244cab4da23aa80cf0ed6eb5ee9f9de2688c1; https://researchcenter.paloaltonetworks.com/2017/08/unit42-updated-khrat-malware-used-in-cambodia-attacks/ |
M17-85z01 | Cmig_48a2a59b | Windows | This strike sends a malware sample known as Cmig. This sample is a packer that has been known to obfuscate banking trojans. | 48a2a59bb81bc15069fbed23fe5efcca | SHA1: 79aa73d369fa48076d8be68aeeb84c795543c724; MD5: 48a2a59bb81bc15069fbed23fe5efcca; SHA256: 1828387d77ccd498e318dc2bdf580a51ef8161dfda186651cb4c6300aea6ecf5; http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html |
M17-g6w01 | Dinwood_004492f8 | Windows | This strike sends a malware sample known as Dinwood. Dinwood is a polymorphic dropper that copies itself to the root directory and then removes itself. The modified versions drop the payload on a Windows system and then run it via DLL injection. | 004492f8f78e65c80cb6b2f64f7b6b11 | SHA1: 3543b278d9e3742ab1fa787e38b6b09c467b7f51; MD5: 004492f8f78e65c80cb6b2f64f7b6b11; SHA256: 07ab8a56baed7f7014781b275e8324e8bb7974360ac05d017c65d40ed05e1869; http://blog.talosintelligence.com/2017/09/threat-round-up-0825-0901.html |
M17-v5101 | Symmi_e36ff9cc | Windows | This strike sends a malware sample known as Symmi. This sample creates binaries and then gains persistence by creating a scheduled task. It then adds a registry value that can be loaded into the user-mode processes on the system. | e36ff9ccc5c93bdac286622763efb74b | SHA1: a06a976e0c33842faadb66b50881066f2431ea00; MD5: e36ff9ccc5c93bdac286622763efb74b; SHA256: 4763992ecb0dc5bbda30d2d00dd99927fb8aa2be759c9058f2dafb691ccf0f0b; http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html |
M17-g2u01 | Cmig_0fede0a4 | Windows | This strike sends a malware sample known as Cmig. This sample is a packer that has been known to obfuscate banking trojans. | 0fede0a4e3ac69d30fdc862175fee7fd | SHA1: 3529763feeddb6bea3ac7ba85e9788dce36bcf68; MD5: 0fede0a4e3ac69d30fdc862175fee7fd; SHA256: 0898ded2110056e9bc720860640282384f08d4064918322cf99c6e79554208f6; http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html |
M17-yqv01 | Dinwood_00415f0e | Windows | This strike sends a malware sample known as Dinwood. Dinwood is a polymorphic dropper that copies itself to the root directory and then removes itself. The modified versions drop the payload on a Windows system and then run it via DLL injection. | 00415f0eeae6c54c5a5242c3264d5bca | SHA1: f5ca077ee489067b4fc5f8bcec8c177142b78f29; MD5: 00415f0eeae6c54c5a5242c3264d5bca; SHA256: 07b5361cde1a670a587bd7d58160c97282415a025b4b9d1efa806a121e577027; http://blog.talosintelligence.com/2017/09/threat-round-up-0825-0901.html |
M17-oed01 | Symmi_d86e6e58 | Windows | This strike sends a malware sample known as Symmi. This sample creates binaries and then gains persistence by creating a scheduled task. It then adds a registry value that can be loaded into the user-mode processes on the system. | d86e6e58e4ffa7ef3bd0d870c54f6bfd | SHA1: 97d1e8df0d79b1e90523900fe02d0d01a91c3d14; MD5: d86e6e58e4ffa7ef3bd0d870c54f6bfd; SHA256: d6d82c71a400735446318832a57f7a2573cfa4073aa31ec6a8b742d43f93e9dd; http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html |
M17-zwj01 | Symmi_c0b45967 | Windows | This strike sends a malware sample known as Symmi. This sample creates binaries and then gains persistence by creating a scheduled task. It then adds a registry value that can be loaded into the user-mode processes on the system. | c0b4596717367eb8577f0cf5af9642fa | SHA1: 1f50d8e3518505b761467ea0674da3430a8adb76; MD5: c0b4596717367eb8577f0cf5af9642fa; SHA256: c7fc560bff6d3fbc3a72355463836eaf9b3d7d18ade95ce72436926568626edc; http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html |
M17-fh701 | Cmig_e3cb47c1 | Windows | This strike sends a malware sample known as Cmig. This sample is a packer that has been known to obfuscate banking trojans. | e3cb47c1910e2390ba15727b60a9fee1 | SHA1: 283d0b36d87c1b19ab1f456f34a6a66fe1869599; MD5: e3cb47c1910e2390ba15727b60a9fee1; SHA256: 3ee7edf180cc44da6f2f79f90cc965dddb0eee97e32d9e340e873c71ce3d57e0; http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html |
M17-c5u01 | Rtf.Exploit.CVE_2017_0199_447823c9 | Mixed | This strike sends a malware sample known as Rtf.Exploit.CVE_2017_0199. This sample is an RTF document that contains an embedded OLE2 object. The OLE2 object contains links to other existing documents. If the linked file is an .hta file, it will be downloaded and then executed. The MD5 hash of this Rtf.Exploit. | 447823c9c915a90b834da8380ec25711 | SHA1: 5f6e438aec4386f4bee4f24b67112b4232e140cc; MD5: 447823c9c915a90b834da8380ec25711; SHA256: 9b366a6ab581517c6d62c5195e606eba6cb764ff813df7c247f34455af7db567; http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html |
M17-m8a01 | Valyria_57b41a86 | Mixed | This strike sends a malware sample known as Valyria. This sample is a downloader that uses obfuscation in VBA to construct a PowerShell download command and execute it via VBA Shell. | 57b41a867d18839dea702dd8b902fa6e | SHA1: c4f00588756c1fe3d445871a9d544a7323bd56ac; MD5: 57b41a867d18839dea702dd8b902fa6e; SHA256: 7eed89f56f776f61421242f428edc4a93bd250e8b98fe44b6f71a67ec8a3fb08; http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html |
M17-ls101 | Symmi_d842d35d | Windows | This strike sends a malware sample known as Symmi. This sample creates binaries and then gains persistence by creating a scheduled task. It then adds a registry value that can be loaded into the user-mode processes on the system. | d842d35de8665b2f7d0c29cee667899c | SHA1: 5da812069fb7b28a3c86154c15f48cf86edce1c5; MD5: d842d35de8665b2f7d0c29cee667899c; SHA256: fc30aafd75f5bcf3d4a73a6336ba1f2fb150a410712e32f5887d2afe8504f717; http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html |
M17-2i501 | Valyria_283be610 | Mixed | This strike sends a malware sample known as Valyria. This sample is a downloader that uses obfuscation in VBA to construct a PowerShell download command and execute it via VBA Shell. | 283be61009f20a86bfcd9690343b23f3 | SHA1: 04d37de141fea4a0cf590942f0438ee9f103f6e6; MD5: 283be61009f20a86bfcd9690343b23f3; SHA256: af2229c42175b9c6591427f82619564c8a8a1fcb1fa3f912502b098563c12643; http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html |
M17-52401 | Win.Trojan.Agent_0099daaa | Windows | This strike sends a malware sample known as Win.Trojan.Agent. This sample is a packed trojan that implements anti-VM defensive checks. It attempts to contact many external domains, including VirusTotal. The MD5 hash of this Win.Trojan. | 0099daaa9f5180e143527683df94d3ea | SHA1: f9eed5ad4c15bbb9861f4fd87ef25ceefef6d421; MD5: 0099daaa9f5180e143527683df94d3ea; SHA256: 55acc591f5c6c0d2313ddd4ba47c25fe3b81bbcb64b4ad77c4668dfcc559748c; http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html |
M17-shq01 | KHRAT_1bdee062 | Mixed | This strike sends a malware sample known as KHRAT. KHRAT is a remote access trojan that registers the target using the infected system's information (username, system language and IP). KHRAT also includes many features found in RATs, such as keylogging, remote access, and screenshot grabbing. | 1bdee0623bb85e64057c80ca5dd69722 | SHA1: 56cae3ae7ded838b6909be92eb17231ca67ea2df; MD5: 1bdee0623bb85e64057c80ca5dd69722; SHA256: c51fab0fc5bfdee1d4e34efcc1eaf4c7898f65176fd31fd8479c916fa0bcc7cc; https://researchcenter.paloaltonetworks.com/2017/08/unit42-updated-khrat-malware-used-in-cambodia-attacks/ |
M17-87n01 | Symmi_d8dfbb2c | Windows | This strike sends a malware sample known as Symmi. This sample creates binaries and then gains persistence by creating a scheduled task. It then adds a registry value that can be loaded into the user-mode processes on the system. | d8dfbb2ce28e59995052ce16d768d3c2 | SHA1: e33e2485ebbd9b34b9e36e15cc9a666f0a49fa23; MD5: d8dfbb2ce28e59995052ce16d768d3c2; SHA256: 983f1a853f5f7f1c7aa2e687761ae736d2a4397884dfd455685bbc5ae1d0b2ef; http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html |
M17-w3901 | Symmi_c05699e0 | Windows | This strike sends a malware sample known as Symmi. This sample creates binaries and then gains persistence by creating a scheduled task. It then adds a registry value that can be loaded into the user-mode processes on the system. | c05699e0fb2a98e1b045fef3003dda3d | SHA1: d79c18351b5cd83a7f1fd4aeb7fc9e5db136ce59; MD5: c05699e0fb2a98e1b045fef3003dda3d; SHA256: 6c51d2e568f033b8a8c6764d54583da5af6fcec7a21d283e536063861c156ff4; http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html |
M17-1u901 | Symmi_bafe3514 | Windows | This strike sends a malware sample known as Symmi. This sample creates binaries and then gains persistence by creating a scheduled task. It then adds a registry value that can be loaded into the user-mode processes on the system. | bafe3514816d56106c209ae5e4687d40 | SHA1: fceb3ce8123228655c3e9f29965056e5cf88f138; MD5: bafe3514816d56106c209ae5e4687d40; SHA256: a6099ef0093736c0757c589890df229b39e4efbb38ebc63d460ea06186e09f69; http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html |
M17-kze01 | Doc.Macro.Obfuscation_65747d8f | Mixed | This strike sends a malware sample known as Doc.Macro.Obfuscation. This sample of Office Macro documents employs the same defensive techniques to prevent easy investigation. Much of the code is unused or not malicious, in order to distract from or slow the de-obfuscation process. The MD5 hash of this Doc.Macro. | 65747d8f5f0ed59db0e70505745fb988 | SHA1: e0f3ece5d671f6d56f4a1ee188c21a5b650031eb; MD5: 65747d8f5f0ed59db0e70505745fb988; SHA256: 4c45540ba41c37f6c4cc0c4385139b63e56e58798c1c3ac94ea9cfca15ab8a98; http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html |
M17-hm601 | Valyria_c7d7bab1 | Mixed | This strike sends a malware sample known as Valyria. This sample is a downloader that uses obfuscation in VBA to construct a PowerShell download command and execute it via VBA Shell. | c7d7bab1b1d627dd32d4b62a72dfbb02 | SHA1: c0a1213cac601819c36d2f15e000e213efaf95ee; MD5: c7d7bab1b1d627dd32d4b62a72dfbb02; SHA256: 02a384b45673cf0c1e7dbe129fa397d92d43add25b22b080b4308def418e7927; http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html |
M17-jwe01 | Doc.Macro.Obfuscation_1eeea25f | Mixed | This strike sends a malware sample known as Doc.Macro.Obfuscation. This sample of Office Macro documents employs the same defensive techniques to prevent easy investigation. Much of the code is unused or not malicious, in order to distract from or slow the de-obfuscation process. The MD5 hash of this Doc.Macro. | 1eeea25fb11b3337fe810f635eb4aa64 | SHA1: 9231ac029e93e1da22db9b0d8949eba8aae60378; MD5: 1eeea25fb11b3337fe810f635eb4aa64; SHA256: 6891e0c2fe9c3b7bf9c02fbd81950c60118df47cf8e7d80ca92853fae72d9178; http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html |
M17-8oo01 | Dinwood_003a976b | Windows | This strike sends a malware sample known as Dinwood. Dinwood is a polymorphic dropper that copies itself to the root directory and then removes itself. The modified versions drop the payload on a Windows system and then run it via DLL injection. | 003a976b169928872492c2ee4e089e2e | SHA1: 3329b14e18f66fd11881ba23b626dfb1d58c7e4f; MD5: 003a976b169928872492c2ee4e089e2e; SHA256: 04d8c0fd0f85b534c8a225be38e7bda9dc7edc248b1f6419fb64a99fde5b4b11; http://blog.talosintelligence.com/2017/09/threat-round-up-0825-0901.html |
M17-ggl01 | Doc.Dropper.Agent_cfe30780 | Mixed | This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that downloads a payload executable. The MD5 hash of this Doc.Dropper. | cfe307803873c0271adb73f63141ab38 | SHA1: 751f91321c835d15d9c644da0cead19035d1c6ab; MD5: cfe307803873c0271adb73f63141ab38; SHA256: aecf2b9c77b76f08c6a240cd5b0782f3abba0a872caea783f5105b3b3f42851a; http://blog.talosintelligence.com/2017/09/threat-round-up-0825-0901.html |
M17-hza01 | Doc.Dropper.Agent_06e5c6e4 | Mixed | This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that downloads a payload executable. The MD5 hash of this Doc.Dropper. | 06e5c6e4ea1d9fcc89dad6fc6e96c306 | SHA1: cdb34592b1b0e4bfa9e239a5b4e82e05f37406df; MD5: 06e5c6e4ea1d9fcc89dad6fc6e96c306; SHA256: d6ece69e9f8035de573411d57ea11e0bb22d243e0d47b620b9cb99793218b121; http://blog.talosintelligence.com/2017/09/threat-round-up-0825-0901.html |
M17-wzu01 | Doc.Macro.Obfuscation_576b8fff | Mixed | This strike sends a malware sample known as Doc.Macro.Obfuscation. This sample of Office Macro documents employs the same defensive techniques to prevent easy investigation. Much of the code is unused or not malicious, in order to distract from or slow the de-obfuscation process. The MD5 hash of this Doc.Macro. | 576b8fff45897ff4997de4f454e95bb8 | SHA1: cfd97986965f90150e655b5c164fefd7a67db9ef; MD5: 576b8fff45897ff4997de4f454e95bb8; SHA256: b980586f7fe22ae71badba8d2b202115f98821b743593ca36e15387fbda4f361; http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html |
M17-6bn01 | Valyria_d2808446 | Mixed | This strike sends a malware sample known as Valyria. This sample is a downloader that uses obfuscation in VBA to construct a PowerShell download command and execute it via VBA Shell. | d2808446ec0f9f213b0a78aa6d1bd88d | SHA1: 14607f94d3f421a917690ce96d895eb3f7fc8165; MD5: d2808446ec0f9f213b0a78aa6d1bd88d; SHA256: 4c16cda58dbd96b74579eafe2a73740c6d98d588bdebee6a3830140d1326aafd; http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html |
M17-wdd01 | Valyria_964666e5 | Mixed | This strike sends a malware sample known as Valyria. This sample is a downloader that uses obfuscation in VBA to construct a PowerShell download command and execute it via VBA Shell. | 964666e54eb5923a1425d090521df401 | SHA1: b560d1d4744e069dc7de058d37974a9b068fc98a; MD5: 964666e54eb5923a1425d090521df401; SHA256: 7291b9989f4ef506f1792dd4bae6d7f8b1d4f7c770295552a05acf38a41c0b26; http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html |
M17-xlw01 | Doc.Macro.Obfuscation_e4bc58de | Mixed | This strike sends a malware sample known as Doc.Macro.Obfuscation. This sample of Office Macro documents employs the same defensive techniques to prevent easy investigation. Much of the code is unused or not malicious, in order to distract from or slow the de-obfuscation process. The MD5 hash of this Doc.Macro. | e4bc58de75d4f80ee90cf233aa99f39c | SHA1: 013e2d8cdee0f81666fb3b962b0887dd3d5e83a0; MD5: e4bc58de75d4f80ee90cf233aa99f39c; SHA256: d0b4b36c3c50c58869ae58f34c9d05c4ae8333e20d29b6c35d85cc85a5d7e38c; http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html |
M17-v9k01 | Dinwood_0040cde3 | Windows | This strike sends a malware sample known as Dinwood. Dinwood is a polymorphic dropper that copies itself to the root directory and then removes itself. The modified versions drop the payload on a Windows system and then run it via DLL injection. | 0040cde3982b41cac39c6230b454a3ed | SHA1: 895b1fdf006bb36216b1d117670e440937269f70; MD5: 0040cde3982b41cac39c6230b454a3ed; SHA256: 01b538e451a390f7cfcdc263355dca070ea1a578d083fa94762912cff36b226b; http://blog.talosintelligence.com/2017/09/threat-round-up-0825-0901.html |
M17-id401 | Doc.Macro.Obfuscation_26ca2f0b | Mixed | This strike sends a malware sample known as Doc.Macro.Obfuscation. This sample uses obfuscation in an attempt to make quick code analysis difficult. Much of the code found in this sample is junk code that does not evaluate to a malicious function or purpose. The MD5 hash of this Doc.Macro. | 26ca2f0b5f96b970aa8e73ea283856b4 | SHA1: 103b85c1597d23e24938e057658fa6100363a978; MD5: 26ca2f0b5f96b970aa8e73ea283856b4; SHA256: 029923c7508a27907e2c88baf9cc2effa2f78e81f4728eae2c185935f2a51fbd; http://blog.talosintelligence.com/2017/09/threat-round-up-0825-0901.html |
M17-cu101 | Symmi_c77921e9 | Windows | This strike sends a malware sample known as Symmi. This sample creates binaries and then gains persistence by creating a scheduled task. It then adds a registry value that can be loaded into the user-mode processes on the system. | c77921e9d76e20f3388888545ebef11f | SHA1: 85ab9b47ab73a138a9df2a862792dc96cbbaa4d1; MD5: c77921e9d76e20f3388888545ebef11f; SHA256: 54ac75db11197dc919f3574eefb88fe8b653de92ee5a6ed99cf00eb1b373d622; http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html |
M17-ice01 | Symmi_d26cbc38 | Windows | This strike sends a malware sample known as Symmi. This sample creates binaries and then gains persistence by creating a scheduled task. It then adds a registry value that can be loaded into the user-mode processes on the system. | d26cbc382a8ce77063a1875819b079d6 | SHA1: 84e292bac73e1cd04057de41b7faf7d8b7bbe68c; MD5: d26cbc382a8ce77063a1875819b079d6; SHA256: 89c9a8a7f47bb27a175632ad48317b93fe8a2b59502c73371df48982168a70db; http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html |
M17-a6g01 | TrickBot_2d6507ea | Mixed | This strike sends a malware sample known as TrickBot. TrickBot is a banking trojan which shares similarities with Dyre banking trojan. It is used by crooks to target customers of Australian banks. | 2d6507eae46601952ee210566b902755 | SHA1: fed75c646669a3468304cb6887d4c8e49c62a09fMD5: 2d6507eae46601952ee210566b902755SHA256: 14ab690a2f5d4fd74f280804a1b59f5c5442c1280e79ee861e68a421cac80ce3http://blog.talosintelligence.com/2017/09/threat-round-up-0825-0901.html |
M17-fky01 | Doc.Macro.Obfuscation_996cfaca | Mixed | This strike sends a malware sample known as Doc.Macro.Obfuscation. This sample of Office Macro documents employ the same defensive techniques to prevent easy investigation. Much of the code is unused or not malicious in order to distract or slow the de-obfuscation process. The MD5 hash of this Doc.Macro. | 996cfaca2a0ceedea80355f8cae186c8 | SHA1: 72114534b7418f66aa68db021c871afc437fd3d5MD5: 996cfaca2a0ceedea80355f8cae186c8SHA256: 179d8ad5e80d814aa8d04633ac9c624b60f2273e50dcd6ae5fd7441522ea714ehttp://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html |
M17-6ir01 | Doc.Dropper.Agent_c5a6a2d9 | Mixed | This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper. | c5a6a2d9d381f6b9313af4171dc76cbe | SHA1: 71884c5c04383624da142a7f87865e7a7c844e79MD5: c5a6a2d9d381f6b9313af4171dc76cbeSHA256: 220128b685d4e96e793756636e32257b8fd22e038890d8f194d1681343bea923http://blog.talosintelligence.com/2017/09/threat-round-up-0825-0901.html |
M17-kol01 | Win.Trojan.Agent_0050d19b | Windows | This strike sends a malware sample known as Win.Trojan.Agent. This sample is a packed trojan that implements anti-VM defensive checks. It attempts to contact many external domains including VirusTotal. The MD5 hash of this Win.Trojan. | 0050d19bd0e7d076fb5d7a0c12f6daeb | SHA1: 5361d96b95a35a230cb58b144b784460cdc90d51MD5: 0050d19bd0e7d076fb5d7a0c12f6daebSHA256: 8b20f9e78855218c693ade8a89b9c74487304df9bfdbcdbe8c65b05bfaa5b71bhttp://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html |
M17-9b401 | AlmanCloud_077a70b6 | Windows | This strike sends a malware sample known as AlmanCloud. This trojan implements many anti-debugging techniques. It is also able to infect USB drives, function as a keylogger, and ex-filtrate collected information by contacting remote servers. | 077a70b6d6c784098d87fa1592173ac0 | SHA1: 529f5229d94d1c4a86f0e03effc64fb6485d5aecMD5: 077a70b6d6c784098d87fa1592173ac0SHA256: 64091a671d00602e4f81f987207ac2b16f5c3e86f98add903bf369b528db2d38http://blog.talosintelligence.com/2017/09/threat-round-up-0825-0901.html |
M17-53o01 | Win.Trojan.Agent_005e3024 | Windows | This strike sends a malware sample known as Win.Trojan.Agent. This sample is a packed trojan that implements anti-VM defensive checks. It attempts to contact many external domains including VirusTotal. The MD5 hash of this Win.Trojan. | 005e30242048a0b9fbbe189b50850039 | SHA1: c7c9feb8eb06f08080f097fa25de1384e86ce011MD5: 005e30242048a0b9fbbe189b50850039SHA256: b001932b6938223033229e9d5bfbb5754680ab786c927396bb540e1a6db1ba7ahttp://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html |
M17-mwd01 | KHRAT_c50ac000 | Windows | This strike sends a malware sample known as KHRAT. KHRAT is a remote access trojan that registers the target using the infected system's information (username, system language and IP). KHRAT also includes many features found in RATs like keylogging, remote access, and screenshot grabbing. | c50ac000a2cf07fc1d7892cd4ab33fe5 | SHA1: 289172d8467432b331aac9d2b76ec2e7ba9eadecMD5: c50ac000a2cf07fc1d7892cd4ab33fe5SHA256: c0baa57cbb66b8a86aac7d4eeab7a0dc1ecfb528d8e92a45bdb987d1cd5cb9b2https://researchcenter.paloaltonetworks.com/2017/08/unit42-updated-khrat-malware-used-in-cambodia-attacks/ |
M17-gyh01 | Symmi_790c7428 | Windows | This strike sends a malware sample known as Symmi. This sample creates binaries and then gains persistence by creating a scheduled task. It then adds a registry value that can be loaded into the user-mode processes on the system. | 790c7428b271a1ef2d37eaf8d961990a | SHA1: 2ad2cb9b04ad87ab8c2a2919a971ceb9e405fe5bMD5: 790c7428b271a1ef2d37eaf8d961990aSHA256: 5917eb033004f3a29a3ac843f9c90844cab3cf0520e78e8739cc8cbfff83ef02http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html |
M17-lyo01 | Valyria_f8072467 | Mixed | This strike sends a malware sample known as Valyria. This sample is a downloader that uses obfuscation in VBA to create a powershell download command and execute it with VBA shell. | f8072467999b75efb18a49ef75d6ef35 | SHA1: 412b4ac24667820944ba7ed0a1925d5e863ef9b4MD5: f8072467999b75efb18a49ef75d6ef35SHA256: 764b5f6e36f12e80dd801db166f6c1357745a1c7a5526c00e1a1eb057624f56chttp://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html |
M17-41a01 | Win.Trojan.Agent_00949032 | Windows | This strike sends a malware sample known as Win.Trojan.Agent. This sample is a packed trojan that implements anti-VM defensive checks. It attempts to contact many external domains including VirusTotal. The MD5 hash of this Win.Trojan. | 00949032460ac6c050a200e46cd0e219 | SHA1: bd17866c89a1285bf44dab8a88dab6280273e274MD5: 00949032460ac6c050a200e46cd0e219SHA256: 0e9eeedbc7e293a83b9ebc3929b033e8c2061bdbacd8f17cd29b12505d2e777bhttp://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html |
M17-fr101 | Dinwood_002c356e | Windows | This strike sends a malware sample known as Dinwood. Dinwood is a polymorphic dropper that copies itself to the root directory, and then removes itself. The modified versions drop the payload on a Windows system and then run it via dll injection. | 002c356ee05f789cad320ce2952e0645 | SHA1: 91de512ade8f2c816d386f9ab884981c685f6827MD5: 002c356ee05f789cad320ce2952e0645SHA256: 07509506034c49b52314ee53984af6556396da7070c9d0069324f555f722db6dhttp://blog.talosintelligence.com/2017/09/threat-round-up-0825-0901.html |
M17-6nt01 | Win.Trojan.Agent_00277552 | Windows | This strike sends a malware sample known as Win.Trojan.Agent. This sample is a packed trojan that implements anti-VM defensive checks. It attempts to contact many external domains including VirusTotal. The MD5 hash of this Win.Trojan. | 002775524c9dc7c02bbcd1edd1b54551 | SHA1: 99315ede38132d55042a997fdef55e193bedcff4MD5: 002775524c9dc7c02bbcd1edd1b54551SHA256: 5554e16e209aec408f7f7ba49caff85e568de76a05ebe41cf74002a7ca35d973http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html |
M17-rgg01 | CC | Windows | This strike sends a malware sample known as CC Cleaner. This sample of CCleaner being distributed by Avast contains a malicious payload that features a domain generation algorithm and hard coded C2 functionality. The malicious payload may attempt to elevate privileges, or send an HTTP request to a remote controller in hopes to retrieve another stage payload. | d488e4b61c233293bec2ee09553d3a2f | SHA1: 7e9cfa3cca5000fe56e4cf5c660f7939487e531aMD5: d488e4b61c233293bec2ee09553d3a2fSHA256: 36b36ee9515e0a60629d2c722b006b33e543dce1c8c2611053e0651a0bfdb2e9http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html |
M17-9cs01 | Ursnif_a542cadf | Windows | This strike sends a malware sample known as Ursnif. Ursnif or Gozi is a banking trojan. The malware is mainly spread through spam email that contains an attachment that downloads Ursnif. In the past year, Ursnif has been used in attacks against Japan. | a542cadf7596c079aaa8af466ad6420d | SHA1: 54a32630e976945efb06847d24353007414e711cMD5: a542cadf7596c079aaa8af466ad6420dSHA256: 46da8289c027a187b14826f3648d61c187398ad170ef60ec3311b5dae3b52d61http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html |
M17-ujc01 | Symmi_c5c51ada | Windows | This strike sends a malware sample known as Symmi. This sample creates binaries and then gains persistence by creating a scheduled task. It then adds a registry value that can be loaded into the user-mode processes on the system. | c5c51adaf9772caa52caefdc53316ea1 | SHA1: 67b8cf72c62bc230bf2e3d1b9ef6ab4c4d0c1b14MD5: c5c51adaf9772caa52caefdc53316ea1SHA256: 90e0adc73ca753d91fe32b1d3761c3f6f6e7216f3b77a87fdbe2a8e7f5e889fchttp://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html |
M17-8rs01 | Doc.Dropper.Agent_dd9a5d67 | Mixed | This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper. | dd9a5d67b7eb01fee1d59ffa4b3ffab9 | SHA1: 55d7c07048b67b3f222e0e25c7ad5636ed043976MD5: dd9a5d67b7eb01fee1d59ffa4b3ffab9SHA256: 946def9e50a762ef29de5b56086d976f26446f0bcb5f2590c0354eae1318e0fbhttp://blog.talosintelligence.com/2017/09/threat-round-up-0825-0901.html |
M17-9mn01 | AlmanCloud_22eadb47 | Windows | This strike sends a malware sample known as AlmanCloud. This trojan implements many anti-debugging techniques. It is also able to infect USB drives, function as a keylogger, and ex-filtrate collected information by contacting remote servers. | 22eadb476b05c6651d0f4d749d3fa12c | SHA1: f64ea56b8d17c4f74014b334f6ccf22479ee007eMD5: 22eadb476b05c6651d0f4d749d3fa12cSHA256: f095ae655db18fb27667ece1c168b97d42b1b164991cda154022d6f8e270cd49http://blog.talosintelligence.com/2017/09/threat-round-up-0825-0901.html |
M17-i2601 | AlmanCloud_01826241 | Windows | This strike sends a malware sample known as AlmanCloud. This trojan implements many anti-debugging techniques. It is also able to infect USB drives, function as a keylogger, and ex-filtrate collected information by contacting remote servers. | 0182624172186eb3dafb5d7ed0498d2d | SHA1: 646852a14508e66dfb233fd2aeeaf24b0b9c219cMD5: 0182624172186eb3dafb5d7ed0498d2dSHA256: 9727223d176381c88f6f5f17a2e7f99981eaba31282a41c1ceb3158bccbe08f4http://blog.talosintelligence.com/2017/09/threat-round-up-0825-0901.html |
M17-9jc01 | CC | Windows | This strike sends a malware sample known as CC Cleaner. This sample of CCleaner being distributed by Avast contains a malicious payload that features a domain generation algorithm and hard coded C2 functionality. The malicious payload may attempt to elevate privileges, or send an HTTP request to a remote controller in hopes to retrieve another stage payload. | ef694b89ad7addb9a16bb6f26f1efaf7 | SHA1: 8983a49172af96178458266f93d65fa193eaaef2MD5: ef694b89ad7addb9a16bb6f26f1efaf7SHA256: 6f7840c77f99049d788155c1351e1560b62b8ad18ad0e9adda8218b9f432f0a9http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html |
M17-w7x01 | Valyria_ecf099eb | Mixed | This strike sends a malware sample known as Valyria. This sample is a downloader that uses obfuscation in VBA to create a powershell download command and execute it with VBA shell. | ecf099eb816d2213cab3275fef9c1f36 | SHA1: c2a1202fffba49db6bd61416426f8ce1210927e7MD5: ecf099eb816d2213cab3275fef9c1f36SHA256: c9210ef989809971703aea1b0d12b83aa85fcc7e0547b877b6645456d4945051http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html |
M17-xyd01 | Symmi_17f82b7e | Windows | This strike sends a malware sample known as Symmi. This sample creates binaries and then gains persistence by creating a scheduled task. It then adds a registry value that can be loaded into the user-mode processes on the system. | 17f82b7e4d2ccf2961723b618718b6b1 | SHA1: bf85eaa67e3d9a245ce8007f48431a680b510acdMD5: 17f82b7e4d2ccf2961723b618718b6b1SHA256: e7eb60dd2d0830ae2d42a913afc5db98392a3d5846ef85ac32ec6fdd08b67faehttp://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html |
M17-yfn01 | Win.Trojan.Agent_00c2bc5d | Windows | This strike sends a malware sample known as Win.Trojan.Agent. This sample is a packed trojan that implements anti-VM defensive checks. It attempts to contact many external domains including VirusTotal. The MD5 hash of this Win.Trojan. | 00c2bc5d80f45c3b8037e836f1b5bd05 | SHA1: f2d4cef0eacb04916145c516b54b21976fb029c4MD5: 00c2bc5d80f45c3b8037e836f1b5bd05SHA256: e26c807c8e5d5ba8b41de497a24da81b8db0325a0a2c64bb04ee7beaae12904bhttp://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html |
M17-r7z01 | Doc.Macro.Obfuscation_31ce45bf | Mixed | This strike sends a malware sample known as Doc.Macro.Obfuscation. This sample of Office Macro documents employ the same defensive techniques to prevent easy investigation. Much of the code is unused or not malicious in order to distract or slow the de-obfuscation process. The MD5 hash of this Doc.Macro. | 31ce45bf6918f47021883ab2504aca92 | SHA1: c5ba18668ba3ed15dff5aca4db3df65e7936f2f2MD5: 31ce45bf6918f47021883ab2504aca92SHA256: e9e03d8cf474e69197beefecdb5db453740cb4349535dffe4476febee8e5fc8bhttp://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html |
M17-2qk01 | Ursnif_abd41cab | Windows | This strike sends a malware sample known as Ursnif. Ursnif or Gozi is a banking trojan. The malware is mainly spread through spam email that contains an attachment that downloads Ursnif. In the past year, Ursnif has been used in attacks against Japan. | abd41cabaa8f3fe7226fba448bc45475 | SHA1: 1849bd805c912020813a716f35c6397ea9badcaaMD5: abd41cabaa8f3fe7226fba448bc45475SHA256: a753a288318dd38709ac1c26374cdc1fdb930b8476788d2868a1cae79cc8f352http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html |
M17-hnt01 | Symmi_f909499e | Windows | This strike sends a malware sample known as Symmi. This sample creates binaries and then gains persistence by creating a scheduled task. It then adds a registry value that can be loaded into the user-mode processes on the system. | f909499e19691eb9ede4181e826a7111 | SHA1: 071120745948d256e4414fde30e48ba6741f5959MD5: f909499e19691eb9ede4181e826a7111SHA256: 848993b12b05369d0873975aded55f837dc0a583c3839c05abe96bc4c3b68408http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html |
M17-z0z01 | Dinwood_000d8fb3 | Windows | This strike sends a malware sample known as Dinwood. Dinwood is a polymorphic dropper that copies itself to the root directory, and then removes itself. The modified versions drop the payload on a Windows system and then run it via dll injection. | 000d8fb3bc12e893c8ad4afbfbdcc882 | SHA1: f95b1b440de794740afa37265cec6b4015c82143MD5: 000d8fb3bc12e893c8ad4afbfbdcc882SHA256: 026a7284b6420e06f20e683054e0ed01a0afa14321fe4094c14bdb63a46ee17fhttp://blog.talosintelligence.com/2017/09/threat-round-up-0825-0901.html |
M17-azg01 | Symmi_c4244e71 | Windows | This strike sends a malware sample known as Symmi. This sample creates binaries and then gains persistence by creating a scheduled task. It then adds a registry value that can be loaded into the user-mode processes on the system. | c4244e71742e40a6017c9445fd52196f | SHA1: df0ca4092c9340c70305ec2c747e025f88b56743MD5: c4244e71742e40a6017c9445fd52196fSHA256: e5a8eba740a5acc1a6b5e11bb64be0be88a8556e48d78c292732048fa2c56003http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html |
M17-wvg01 | Symmi_cf599f0b | Windows | This strike sends a malware sample known as Symmi. This sample creates binaries and then gains persistence by creating a scheduled task. It then adds a registry value that can be loaded into the user-mode processes on the system. | cf599f0bc92301b76e8ba08448dfae4f | SHA1: 61de01da90610855570a8a6bc23e040f87988187MD5: cf599f0bc92301b76e8ba08448dfae4fSHA256: d8a3df456b94acea22b8ebeb4f7f860687dd6ab4ac2b687631b63342f7cbf927http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html |
M17-adj01 | Dinwood_000bf3ec | Windows | This strike sends a malware sample known as Dinwood. Dinwood is a polymorphic dropper that copies itself to the root directory, and then removes itself. The modified versions drop the payload on a Windows system and then run it via dll injection. | 000bf3eca7e8fe285670e4aefbe855fc | SHA1: 6ca9d250b3418f26a6c197ace6552913ea0531f1MD5: 000bf3eca7e8fe285670e4aefbe855fcSHA256: 002eb4fddf6e8f9165e28694da6f368626282bd7e99c11f1eaeb365339c2331ahttp://blog.talosintelligence.com/2017/09/threat-round-up-0825-0901.html |
M17-k7n01 | Cmig_b830f976 | Windows | This strike sends a malware sample known as Cmig. This sample is a packer that has been known to obfuscate malicious banking trojans. | b830f976ffac2770008c63aaf5641b87 | SHA1: 075d2de8b270726c5a64ea8b20dffe69251c0586MD5: b830f976ffac2770008c63aaf5641b87SHA256: 01f78108dacea6db392dfc6700e987754cb15aaab6f8ff85ae9349f4fcef1044http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html |
M17-tzt01 | Valyria_ac6e83a2 | Mixed | This strike sends a malware sample known as Valyria. This sample is a downloader that uses obfuscation in VBA to create a powershell download command and execute it with VBA shell. | ac6e83a24b2fd4de9b814e69fd6870ef | SHA1: 56f1ac2c336a9a0f9d1dc9954d21379255cdfa22MD5: ac6e83a24b2fd4de9b814e69fd6870efSHA256: 68edb052cd861ebe7dad58a9923723c1ed711ec4d965ba13a3cf10d70a90d11fhttp://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html |
M17-lql01 | Doc.Macro.Obfuscation_5299474f | Mixed | This strike sends a malware sample known as Doc.Macro.Obfuscation. This sample of malware uses obfuscation in attempt to make quick code analysis difficult. Much of the code found in this sample is junk code that does not evaluate to a malicious function or purpose. The MD5 hash of this Doc.Macro. | 5299474fafb2174b2801c89fe031b6ee | SHA1: b3397dad810ba72830b64d4119547e840118ecf8MD5: 5299474fafb2174b2801c89fe031b6eeSHA256: 0009657099e7e3f555a68ae39827099905339f5dafe648585175de089a75ba6bhttp://blog.talosintelligence.com/2017/09/threat-round-up-0825-0901.html |
M17-y4901 | Cmig_b66821a4 | Windows | This strike sends a malware sample known as Cmig. This sample is a packer that has been known to obfuscate malicious banking trojans. | b66821a4cb87c0ed62ad555b3c584940 | SHA1: d7f10540662be4519820502b85c5be815bf8441dMD5: b66821a4cb87c0ed62ad555b3c584940SHA256: 09e7612bce428fb51593cfc286d7e9904a1c372771a7ad1870538a4a72046d15http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html |
M17-hcq01 | Symmi_c9bf66c3 | Windows | This strike sends a malware sample known as Symmi. This sample creates binaries and then gains persistence by creating a scheduled task. It then adds a registry value that can be loaded into the user-mode processes on the system. | c9bf66c360c0ae03ddeb0de5b7a14195 | SHA1: 3b57a2cecaad3a9f076a23e9341d51ca2ae5f419MD5: c9bf66c360c0ae03ddeb0de5b7a14195SHA256: 4395a481c0e8afbc60cd6bf4eef233bb2067485581a47e56ff310cb7466ee681http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html |
M17-p9801 | Symmi_b0ccbd7d | Windows | This strike sends a malware sample known as Symmi. This sample creates binaries and then gains persistence by creating a scheduled task. It then adds a registry value that can be loaded into the user-mode processes on the system. | b0ccbd7d8de4c43519a83698d2333619 | SHA1: a7e63a2ecc47b32c1badc3c9db5d931d1a963ecfMD5: b0ccbd7d8de4c43519a83698d2333619SHA256: 5542e1e52c63ceea56446d3c2f1f9c12adc60033d92289bb5d3450a40e02acd5http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html |
M17-3il01 | Doc.Dropper.Agent_ab44534b | Mixed | This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper. | ab44534b2475aaabd212812a65b0ed4c | SHA1: c411b88ef70806cd541faffed736c15a569f8283MD5: ab44534b2475aaabd212812a65b0ed4cSHA256: a4ad5629d490b466e4e62bf9048968ff45466c73849609b64d6617bf32e5cc5fhttp://blog.talosintelligence.com/2017/09/threat-round-up-0825-0901.html |
M17-ix501 | Doc.Dropper.Agent_1e5612c8 | Mixed | This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper. | 1e5612c8d23ad7985db786a559902484 | SHA1: d92280da11d8187bafdfba9b3986faaaee1378ceMD5: 1e5612c8d23ad7985db786a559902484SHA256: 56ef4bb6608968653af98649fddf204933134038b6b27b118ebedcdc5ec5af0ehttp://blog.talosintelligence.com/2017/09/threat-round-up-0825-0901.html |
M17-6kv01 | Doc.Macro.Obfuscation_0c2a84a0 | Mixed | This strike sends a malware sample known as Doc.Macro.Obfuscation. This sample of Office Macro documents employ the same defensive techniques to prevent easy investigation. Much of the code is unused or not malicious in order to distract or slow the de-obfuscation process. The MD5 hash of this Doc.Macro. | 0c2a84a0ecf34bb63e4a4a847816a5d5 | SHA1: 341bbc3fe0c86f0ea43bc61b039306e52d3870abMD5: 0c2a84a0ecf34bb63e4a4a847816a5d5SHA256: 9416f466a01d60b4bccaf8658b0a78bbe84a8de3a1bc1abb77e541e224a6c197http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html |
M17-ufp01 | Doc.Macro.Obfuscation_e24e5f44 | Mixed | This strike sends a malware sample known as Doc.Macro.Obfuscation. This sample of malware uses obfuscation in attempt to make quick code analysis difficult. Much of the code found in this sample is junk code that does not evaluate to a malicious function or purpose. The MD5 hash of this Doc.Macro. | e24e5f4477ee3b4f77e951b0b99b359b | SHA1: de4347bf6488b7db3c250e707d6c88a0d283a8a5MD5: e24e5f4477ee3b4f77e951b0b99b359bSHA256: 9ef470811ceaab0d47bb4b8e0abdf7d783902c208fedda35f8292b60af7f6870http://blog.talosintelligence.com/2017/09/threat-round-up-0825-0901.html |
M17-kro01 | Win.Trojan.Agent_0084b3b7 | Windows | This strike sends a malware sample known as Win.Trojan.Agent. This sample is a packed trojan that implements anti-VM defensive checks. It attempts to contact many external domains including VirusTotal. The MD5 hash of this Win.Trojan. | 0084b3b7ac8f9daccbc9bc6cc4b119ae | SHA1: a0ff2c9d5a5eed9ff045f15febf20660d279e067MD5: 0084b3b7ac8f9daccbc9bc6cc4b119aeSHA256: 768ef3bae40d69715d2cfe3948fe3e9b0adb047525e8fa6d067269e859d0832bhttp://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html |
M17-5yj01 | Valyria_bc958404 | Mixed | This strike sends a malware sample known as Valyria. This sample is a downloader that uses obfuscation in VBA to create a powershell download command and execute it with VBA shell. | bc95840460783481f560e5d18e33e11e | SHA1: 50ad996b1252fb59d7b167e37c2ea1c4b8ea0e8dMD5: bc95840460783481f560e5d18e33e11eSHA256: 568f8b461fe97728ebca0231b5b8b00bc85de9909ab83c7d2fc60d134739819fhttp://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html |
M17-9cx01 | Dinwood_003066e7 | Windows | This strike sends a malware sample known as Dinwood. Dinwood is a polymorphic dropper that copies itself to the root directory, and then removes itself. The modified versions drop the payload on a Windows system and then run it via dll injection. | 003066e75cffbd470f01f06d60f16a71 | SHA1: 28ffad992e26cfc2125a2fbbacc72789bf67e61cMD5: 003066e75cffbd470f01f06d60f16a71SHA256: 050e9daae7c0778e00b17a71d70f34a9ec60c7ac1d309d53ffd23e7a74f81b2ehttp://blog.talosintelligence.com/2017/09/threat-round-up-0825-0901.html |
M17-oow01 | KHRAT_2ef97f48 | Windows | This strike sends a malware sample known as KHRAT. KHRAT is a remote access trojan that registers the target using the infected system's information (username, system language and IP). KHRAT also includes many features found in RATs like keylogging, remote access, and screenshot grabbing. | 2ef97f487c288d71f26d433b7e9196f8 | SHA1: 4203c2934882a070599f6c0a1cefe1afd5721462MD5: 2ef97f487c288d71f26d433b7e9196f8SHA256: de4ab35a2de67832298f5eb99a9b626a69d1beca78aaffb1ce62ff54b45c096ahttps://researchcenter.paloaltonetworks.com/2017/08/unit42-updated-khrat-malware-used-in-cambodia-attacks/ |
Strike ID | Malware | Platform | Info | MD5 | External References |
---|---|---|---|---|---|
M17-rf601 | Cryptocurrency | Windows | This strike sends a malware sample known as Cryptocurrency Coinminer Troja. This sample is part of the cryptocurrency miner malware that uses WMI scripts and the EternalBlue (MS17-010) exploit to compromise a system. This sample downloads the actual coin mining payload. The malware uses the vulnerability to drop a FORSHARE backdoor on the system, and then uses the WMI scripts to connect to the C2 servers to retrieve instructions along with various other components. | c0602223c09e444c537b0445d6563304 | SHA1: c7c374073b9631c2ce0345a9ff79bb353bd507c1; MD5: c0602223c09e444c537b0445d6563304; SHA256: 674f2df2cdadab5be61271550605163a731a2df8f4c79732481cad532f00525d; http://blog.trendmicro.com/trendlabs-security-intelligence/cryptocurrency-miner-uses-wmi-eternalblue-spread-filelessly/ |
M17-q7k01 | Ovidiy_781e41b5 | Windows | This strike sends a malware sample known as Ovidiy. Ovidiy is a modular Windows credential-stealing trojan that targets web browser credentials. The Ovidiy trojan samples have been associated with .NET packers and binaries. | 781e41b558870a28624b892ff028102d | SHA1: 83449bf8ae20e93de938a1c9b42a46e831737c04; MD5: 781e41b558870a28624b892ff028102d; SHA256: 062bd1d88e7b5c08444de559961f68694a445bc69807f57aa4ac581c377bc432; http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html |
M17-ovt01 | Doc.Dropper.Agent_158e958e | Mixed | This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that downloads a payload executable. The MD5 hash of this Doc.Dropper. | 158e958e488b5ba8404c87e34816de66 | SHA1: 597aed9722e33e86431415bb81e8b15929d0354b; MD5: 158e958e488b5ba8404c87e34816de66; SHA256: 3ca148e6d17868544170351c7e0dbef38e58de9435a2f33fe174c83ea9a5a7f5; http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html |
M17-eea01 | Doc.Dropper.Agent_b7ae96ba | Mixed | This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that downloads a payload executable. The MD5 hash of this Doc.Dropper. | b7ae96ba7a0518bb197d404d0ec6352a | SHA1: 77404b76af23551c9fdad5fbc4bfab161517f0b0; MD5: b7ae96ba7a0518bb197d404d0ec6352a; SHA256: 9859e621b4d259798b2813377f9cd1736497f51cb501c6b3ea44ccae57d4e4fa; http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html |
M17-y3401 | Doc.Dropper.Agent_852fe2e7 | Mixed | This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that downloads a payload executable. The MD5 hash of this Doc.Dropper. | 852fe2e75d4131cd0de58ad6d623c0f8 | SHA1: c406fa3b4b71c624ad39505fdd6a1b0254a9f961; MD5: 852fe2e75d4131cd0de58ad6d623c0f8; SHA256: 0419cd8e5884e2918c5f0746d54efe2e2d9f0385523ecdbc395200df4004d87a; http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html |
M17-cum01 | Tinba_a0793f80 | Windows | This strike sends a malware sample known as Tinba. Tinba is a banking trojan that steals information via JavaScript injected into web browsers. | a0793f809380a045902330de7f5ed36e | SHA1: 6f6cf5bd484222ba1cd61855e7b46221e4bf9ae4; MD5: a0793f809380a045902330de7f5ed36e; SHA256: e2776a037dcad9e2c752ac4f07dfae0412312ba9b1b748a48922ed572f83eb9c; http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html |
M17-zxo01 | Doc.Dropper.Agent_e7de7c5b | Mixed | This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that downloads a payload executable. The MD5 hash of this Doc.Dropper. | e7de7c5b0623ee1e9d7bf10a597d6aab | SHA1: 9418fdb83b346e32af734e3f734c884d463ab75b; MD5: e7de7c5b0623ee1e9d7bf10a597d6aab; SHA256: c7cab605153ac4718af23d87c506e46b8f62ee2bc7e7a3e6140210c0aeb83d48; http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html |
M17-p0m01 | Doc.Dropper.Agent_7820df79 | Mixed | This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that downloads a payload executable. The MD5 hash of this Doc.Dropper. | 7820df7937afbc1ef18b3a18abcc7d9c | SHA1: ef81f57b49d5c3a54d6a15c7ae54e7a9e02b28e2; MD5: 7820df7937afbc1ef18b3a18abcc7d9c; SHA256: 190cda0ade0c0348786652b7ee12fde595e12ab561d893224cfdafbd58ec7b75; http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html |
M17-3gm01 | Nitol_2adf8db9 | Windows | This strike sends a malware sample known as Nitol. The Nitol malware performs DDoS attacks. It places itself in a Windows directory and then creates a registry key to maintain persistence on the system. | 2adf8db977ce00b903b2a43cf1f4be66 | SHA1: 26d5b5bc60fd7ce5c5a5c7719fe0ec2be480dbb6; MD5: 2adf8db977ce00b903b2a43cf1f4be66; SHA256: e018f2cb152ab5c9bedef63a760b223eb91e965703a691877550ca390e46ea84; http://blog.talosintelligence.com/2017/08/threat-roundup-0728-0804.html |
M17-vsa01 | Doc.Dropper.Agent_36a2704a | Mixed | This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that downloads a payload executable. The MD5 hash of this Doc.Dropper. | 36a2704a797a519a59c3ee18795323e9 | SHA1: 6c2ae5ce67260fb509749dc9a54df9040ab036fb; MD5: 36a2704a797a519a59c3ee18795323e9; SHA256: 1c364ed502fa3710d9fa3c5a4a2ac6688bea3610acee2a6f958220d8ffca908b; http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html |
M17-29j01 | Doc.Dropper.Agent_3b11cbc5 | Mixed | This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that downloads a payload executable. The MD5 hash of this Doc.Dropper. | 3b11cbc51f04dceee2bcf42e62a312e5 | SHA1: a9a1e738d1d5895e45c61570c8163170c04ff61e; MD5: 3b11cbc51f04dceee2bcf42e62a312e5; SHA256: 4e812653205426b75038ce2796be5b254b61ee02da376462f3ad1ac23d898282; http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html |
M17-wg401 | Doc.Dropper.Agent_ae811c13 | Mixed | This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that downloads a payload executable. The MD5 hash of this Doc.Dropper. | ae811c137b5531cd1c375447160de2a2 | SHA1: 85d46dd184ef2ad4432e57056622d5d7156bee44; MD5: ae811c137b5531cd1c375447160de2a2; SHA256: 9f404502e944f4cd76b902abf67717054732528a9399e23b3d90e2825316818d; http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html |
M17-16a01 | Madangel_c70d2230 | Windows | This strike sends a malware sample known as Madangel. Madangel is a trojan that replicates through network shares and eventually connects to a command and control server to download other malicious executables. | c70d2230d3c03574f1a18cda499fa139 | SHA1: d4f5364e4e9009d1bd305b8b24b1517c0e290bed; MD5: c70d2230d3c03574f1a18cda499fa139; SHA256: 4080076d8016be14b7493a4fd365b03073ae90cba70590b25039ef76b2d36aea; http://blog.talosintelligence.com/2017/08/threat-roundup-0728-0804.html |
M17-sh001 | Doc.Dropper.Agent_eeb40d0c | Mixed | This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that downloads a payload executable. The MD5 hash of this Doc.Dropper. | eeb40d0c6f5e98c31f51fde1f08a50ac | SHA1: be8d00132821f6fcc2d3e7378dde12f9ef93d35d; MD5: eeb40d0c6f5e98c31f51fde1f08a50ac; SHA256: c3e6a58e8a68518ffb43ee9026508b6520016e8d7096bf94ec2d1ed5cd328d76; http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html |
M17-a5701 | Doc.Dropper.Agent_916a67bb | Mixed | This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that downloads a payload executable. The MD5 hash of this Doc.Dropper. | 916a67bb0988d5b2681883a6a0a8d8bb | SHA1: c1ccd6edf3187b883a8f484cd1294c8ed5570549; MD5: 916a67bb0988d5b2681883a6a0a8d8bb; SHA256: a31cbc1ce4abaa2ba7cab9ff97e1f647c3b1264c9cb7db0e20c74d151db2634d; http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html |
M17-k5w01 | Doc.Dropper.Agent_333b1bfc | Mixed | This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that downloads a payload executable. The MD5 hash of this Doc.Dropper. | 333b1bfc685eac9c35aba5786e63d996 | SHA1: 95a2432922cb25bfe6ae608bbac49f0bdefcdf94; MD5: 333b1bfc685eac9c35aba5786e63d996; SHA256: d52318c1f83d086fcb94b8ae7288f2acb85f6e441c66a3f1d09365a1018c80bd; http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html |
M17-g8n01 | Upatre_877e2c25 | Windows | This strike sends a malware sample known as Upatre. Upatre is a downloader used in exploit kits that retrieves a variety of malicious executables for the target to execute. | 877e2c25a545d334aea454f8a3b17530 | SHA1: 7640ea6e303d93dc08c107040cde76e69a4bbfa1MD5: 877e2c25a545d334aea454f8a3b17530SHA256: ec439a41172d7683ee803e336e4b175b8baebc8d4ceed40c6b63b5649d7855ffhttp://blog.talosintelligence.com/2017/08/threat-roundup-0728-0804.html |
M17-rm101 | Doc.Dropper.Agent_98e2266b | Mixed | This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper. | 98e2266bd624e77261d0383fa149a0d3 | SHA1: 4a731838e923d397f25f11bb7d779c6da877f905MD5: 98e2266bd624e77261d0383fa149a0d3SHA256: 712a907f98efa76de2b349c90084fbef6d40d9df32a41df98fc62e19fab5329dhttp://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html |
M17-hwe01 | Doc.Dropper.Agent_2e05637a | Mixed | This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper. | 2e05637abc17d9dda037ed9ee0c4f5c4 | SHA1: edc746ef3e467ef639bac38621b3711db774789aMD5: 2e05637abc17d9dda037ed9ee0c4f5c4SHA256: 09f89667dbbd0f72478f317aed5196f743693190aa3afe1f1cfccc67dad88fb6http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html |
M17-jqq01 | Cryptocurrency | Mixed | This strike sends a malware sample known as Cryptocurrency Coinminer Troja. This sample is a Cryptocurrency miner malware that utilizes WMI scripts and the EternalBlue MS17-010 exploit to compromise a system. The malware uses the vulnerability to drop a FORSHARE backdoor on the system, and then proceeds to use the WMI scripts to connect to the C2 servers to retrieve instructions along with various other components. | 830b8dc142f16aa928ada0e271a58572 | SHA1: 53267b43122ed52aba6ec9faa50397f311a295e8MD5: 830b8dc142f16aa928ada0e271a58572SHA256: 6315657fd523118f51e294e35158f6bd89d032b26fe7749a4de985edc81e5f86http://blog.trendmicro.com/trendlabs-security-intelligence/cryptocurrency-miner-uses-wmi-eternalblue-spread-filelessly/ |
M17-r6w01 | Upatre_3882bc98 | Windows | This strike sends a malware sample known as Upatre. Upatre is a downloader used in exploit kits that retrieves a variety of malicious executables for the target to execute. | 3882bc98466ecdda4864bba0dea11815 | SHA1: e47bc8a49aef6b42912740ad165c6b2a477234d0MD5: 3882bc98466ecdda4864bba0dea11815SHA256: 5f2c8ac317bf4d58610c803c01c95d358cb25600f632644e01d5c31a74fd2554http://blog.talosintelligence.com/2017/08/threat-roundup-0728-0804.html |
M17-ykc01 | Doc.Dropper.Agent_372f877c | Mixed | This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper. | 372f877c900f6fdd3d14c9d451972eea | SHA1: bc8cbb4da5b16d8dbcc36dc38d0e5be8761dace3MD5: 372f877c900f6fdd3d14c9d451972eeaSHA256: 366f1f331e940a462447e2b4abe9196ae7b977d281c2b9fe5e19bb0c2927b705http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html |
M17-lhl01 | Doc.Dropper.Agent_867c1b3d | Mixed | This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper. | 867c1b3d8fbede2e4d888330a624abdd | SHA1: 8f6cc7dfcc105a47df2d8a269dae86410d1b2eaeMD5: 867c1b3d8fbede2e4d888330a624abddSHA256: bf958c7ba44b9dfdcba50eeb6f7b59fe3bd2948f1ab1a7c8ee0f162b7cac3b2chttp://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html |
M17-vwh01 | Upatre_12c5301e | Windows | This strike sends a malware sample known as Upatre. Upatre is a downloader used in exploit kits that retrieves a variety of malicious executables for the target to execute. | 12c5301ef9525dc629dfd839d35b8edf | SHA1: 5f54f8a1b198c5f16db41c9b919e054e4b565c23MD5: 12c5301ef9525dc629dfd839d35b8edfSHA256: 9d4effa16fa83e12179a674966af8a49bb592fa58de53ee2866f5ceda8206733http://blog.talosintelligence.com/2017/08/threat-roundup-0728-0804.html |
M17-yth01 | Doc.Dropper.Agent_ca8d0bce | Mixed | This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper. | ca8d0bce7c253674c7351b4d5180d593 | SHA1: af9a3b26e6ece959cdd4ede2bc9b57369d7f033dMD5: ca8d0bce7c253674c7351b4d5180d593SHA256: bec41e3e8d3093b58170d743ca905af81ed745a4828a42a9d39cd3373252a84dhttp://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html |
M17-pn201 | Doc.Dropper.Agent_09c2547f | Mixed | This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper. | 09c2547faec5def76969da50521e3dda | SHA1: f07cee0b7c61098b95091e47d0b663347c1683a7MD5: 09c2547faec5def76969da50521e3ddaSHA256: 5dd873a5cd07c4ac6edc7bfad7c92e1111cbddab5e72de96291e2990e0ab62e0http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html |
M17-xfw01 | Doc.Dropper.Agent_6f23cef1 | Mixed | This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper. | 6f23cef17d1f1a9f1b2972f1e86aa7e6 | SHA1: b752f94dcf23d8aab927985875c425beb1f1db18MD5: 6f23cef17d1f1a9f1b2972f1e86aa7e6SHA256: cad134945e7f20e99efed18650d4a7c573f8902b32c10ae89639518f94e646d0http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html |
M17-iir01 | Upatre_e27f5105 | Windows | This strike sends a malware sample known as Upatre. Upatre is a downloader used in exploit kits that retrieves a variety of malicious executables for the target to execute. | e27f5105a7a08cbd93412bf625d7ea2e | SHA1: cf7b20862f86fe0d1c6fb7e8e1667f5f3ff240acMD5: e27f5105a7a08cbd93412bf625d7ea2eSHA256: 75309ff6942162fa19e4c7d430456a699cbee26106afeffc71f02325c9ab37c4http://blog.talosintelligence.com/2017/08/threat-roundup-0728-0804.html |
M17-fk501 | Upatre_0155d835 | Windows | This strike sends a malware sample known as Upatre. Upatre is a downloader used in exploit kits that retrieves a variety of malicious executables for the target to execute. | 0155d835f1376b33091549bba14ae9a2 | SHA1: 55df4b36cb8812baef77f451e7e357d5effe2530MD5: 0155d835f1376b33091549bba14ae9a2SHA256: c9975f106e8e0e7ceee70bd285159226e7687076a0e3b84c525a953657f6b1ffhttp://blog.talosintelligence.com/2017/08/threat-roundup-0728-0804.html |
M17-f5601 | Tinba_b3b81927 | Windows | This strike sends a malware sample known as Tinba. Tinba is a banking trojan that steals information via Javascript injected into web browsers. | b3b819273aae385b7c2595406848d286 | SHA1: 582b67bdd458d904a2e4d9b5943492ffe8850c27MD5: b3b819273aae385b7c2595406848d286SHA256: 0ce6189ecd16fbf2f885a8516836c7bb9d0685f6ff2c4a3df80e236ef5d0d803http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html |
M17-upd01 | Expiro_d553e02a | Windows | This strike sends a malware sample known as Expiro. Expiro is a trojan that implements anti-debugging techniques, and this sample needs a correct sandbox environment in order to execute. | d553e02a4a7d3840c8fc361ae5f1be31 | SHA1: b5170b5fa1067ca043cb0eac7cae0a3a99253a78MD5: d553e02a4a7d3840c8fc361ae5f1be31SHA256: 5ffa0097ebcba0e1921c6607a644e2649532ae07b1c7d6533a3cbef52ee51620http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html |
M17-eb701 | Doc.Dropper.Agent_1c90b3ba | Mixed | This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper. | 1c90b3ba01aca0d7b8665046713a8bec | SHA1: f951e821cf06d1c6aa1a5daa4fdaa34a7e8a0f8eMD5: 1c90b3ba01aca0d7b8665046713a8becSHA256: d076c672bdb9bd3b738edb882560482bebde469d02acd1ccda11e9c9cb6feaebhttp://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html |
M17-35q01 | Doc.Dropper.Agent_cd213d4d | Mixed | This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper. | cd213d4d9aceca22a36b16b6557ca3fe | SHA1: 21c66b0e787f728c259accc05a5c6dc699629232MD5: cd213d4d9aceca22a36b16b6557ca3feSHA256: 3d081fe6a220b546af09139fda7deceb5e7f16b52fb47d15ff4e69bab9175734http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html |
M17-tvs01 | Tinba_a710326a | Windows | This strike sends a malware sample known as Tinba. Tinba is a banking trojan that steals information via Javascript injected into web browsers. | a710326a2b1b0a9a8c8f5d8832c57774 | SHA1: 4101db06545b0353212a5652e0150220f8f76274MD5: a710326a2b1b0a9a8c8f5d8832c57774SHA256: 7bbd6d3d6bf6e991e023395e3cb31c18b2a106eef036ad175736a17fb1099b39http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html |
M17-n1401 | Doc.Dropper.Agent_891cf7a1 | Mixed | This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper. | 891cf7a1cb04a6f1e4dabe62240936c7 | SHA1: 9e244e7dbe98eee7a8e3cbf4dec1b1679ef7e15bMD5: 891cf7a1cb04a6f1e4dabe62240936c7SHA256: 94395a2b7bd0a120b55e39b3107f934f9b76faa9e2679dbae1237f69f2c3f1b9http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html |
M17-rtf01 | Nitol_af18639b | Windows | This strike sends a malware sample known as Nitol. The Nitol malware performs DDoS attacks. It is placed into a Windows directory and then creates a registry key to maintain persistence on the system. | af18639bcb54e3b8994f64afebe1df75 | SHA1: de57bed4cc85493ad73cd029b0b78b7bb25f1990MD5: af18639bcb54e3b8994f64afebe1df75SHA256: 2136e6be115617349992b506aced588dced1f5496e97443dfcc31344873f624dhttp://blog.talosintelligence.com/2017/08/threat-roundup-0728-0804.html |
M17-8m701 | Doc.Dropper.Agent_5d458bd7 | Mixed | This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper. | 5d458bd72860af93a84d85b80aef6670 | SHA1: 696bcd52db26baac027288287320c3be85e11d09MD5: 5d458bd72860af93a84d85b80aef6670SHA256: 0e5240bf70e304781511de29a000c308f675d6209735c118cd0054b519eaa096http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html |
M17-o7301 | Tinba_af05ee63 | Windows | This strike sends a malware sample known as Tinba. Tinba is a banking trojan that steals information via Javascript injected into web browsers. | af05ee6361a30887457d465697a5c047 | SHA1: 6f665e285b07b77f887ecef080debd77a9b3a1b8MD5: af05ee6361a30887457d465697a5c047SHA256: 856ed534a7c32ab7799756c33f7ee104718c89add001428a41dc57e8449167c8http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html |
M17-osn01 | Cryptocurrency | Mixed | This strike sends a malware sample known as Cryptocurrency Coinminer Troja. This sample is a Cryptocurrency miner malware that utilizes WMI scripts and the EternalBlue MS17-010 exploit to compromise a system. The malware uses the vulnerability to drop a FORSHARE backdoor on the system, and then proceeds to use the WMI scripts to connect to the C2 servers to retrieve instructions along with various other components. | 98d615c222293ca937ab4b1b4a7c8118 | SHA1: bec02c55c98612ee716bb5956f68e0dd27cf0afcMD5: 98d615c222293ca937ab4b1b4a7c8118SHA256: 8c5bb89596cd732af59693b8da021a872fee9b3696927b61d4387b427834c461http://blog.trendmicro.com/trendlabs-security-intelligence/cryptocurrency-miner-uses-wmi-eternalblue-spread-filelessly/ |
M17-iqw01 | Tinba_ac897bac | Windows | This strike sends a malware sample known as Tinba. Tinba is a banking trojan that steals information via Javascript injected into web browsers. | ac897bac2fc6250d3813fc402acaa13a | SHA1: 5b2a89c30b63f07ff6cedef84a2a603597237b07MD5: ac897bac2fc6250d3813fc402acaa13aSHA256: 7607a0e1be2a8f50959ef42b78edd156aa76741fdc8ee2be9d375610c0b130b2http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html |
M17-zfy01 | Doc.Dropper.Agent_41ce3241 | Mixed | This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper. | 41ce32415f50b38285f84283eb66260a | SHA1: 9c7f6e6fa1a894ce156447326634e0ba4dbab121MD5: 41ce32415f50b38285f84283eb66260aSHA256: bbe5988f2470a296186ca43a76636fceb523b45273a32e83aa14a8cc1f4e3a8ehttp://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html |
M17-igp01 | Doc.Dropper.Agent_e2a9dd67 | Mixed | This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper. | e2a9dd6751a2b8e81e78b0bfffd2881d | SHA1: 9db713fed68aff0bbe895ca04dbf6d2e101ddd15MD5: e2a9dd6751a2b8e81e78b0bfffd2881dSHA256: 45112ef00b7d34a471655f3a7318fd2b69de1ade1889647839ff897c6e6f1c67http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html |
M17-ldh01 | Doc.Dropper.Agent_624320b1 | Mixed | This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper. | 624320b15af74da84a68d477343457ea | SHA1: 26be2fb6d263434fbfb1605915e69bfbc3ae840dMD5: 624320b15af74da84a68d477343457eaSHA256: de0e7aae207f7a7a1f242d849bb61c7f4e98d84f74b228439d296e6a46b2f812http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html |
M17-c7c01 | Doc.Dropper.Agent_3afc0911 | Mixed | This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper. | 3afc0911b32f240a4589a902e204a945 | SHA1: 612a2a5ec1ac66d686b8cfbd35c6ad7a3dfd9a61MD5: 3afc0911b32f240a4589a902e204a945SHA256: 5624e26cace481fa4144f5ccd5bdcc7b5c3d42c035c88250312833041cf55807http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html |
M17-fux01 | Doc.Dropper.Agent_b1c2aabc | Mixed | This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper. | b1c2aabced51d7fa1a7769a3456e8dc7 | SHA1: 733747432c630017dfd149a6569a8adf7a479f4fMD5: b1c2aabced51d7fa1a7769a3456e8dc7SHA256: dcfddf26b9699622bde12c6b64a78e5446172e57c5a29c3ea0267a0df85bc1e3http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html |
M17-j6l01 | Expiro_0132bc93 | Windows | This strike sends a malware sample known as Expiro. Expiro is a trojan that implements anti-debugging techniques, and this sample needs a correct sandbox environment in order to execute. | 0132bc9325db31ad1a4e2a92d1019b71 | SHA1: 275561f1155d95ad3ad283027e0a2a60a6a8a401MD5: 0132bc9325db31ad1a4e2a92d1019b71SHA256: 5fe205ea4f5f975703e242e8079dc471a5363538535d76584e7138ed3fb67546http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html |
M17-u6e01 | Doc.Dropper.Agent_280175d3 | Mixed | This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper. | 280175d3d1f1710fb023454323ee56d2 | SHA1: 2660fc4e77fb7a7c27955bcc79a524afe58738cbMD5: 280175d3d1f1710fb023454323ee56d2SHA256: acdae0dde63863e8be98935254c901439b5fc36fb45f974fd7ce7c298e3ca0cahttp://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html |
M17-f6q01 | Upatre_da1126f9 | Windows | This strike sends a malware sample known as Upatre. Upatre is a downloader used in exploit kits that retrieves a variety of malicious executables for the target to execute. | da1126f91d0989e65c7315278060c72f | SHA1: a4fac9bd9c6a00989663dc8478e29b391ef88ab9MD5: da1126f91d0989e65c7315278060c72fSHA256: 8978bcef1799a5ea3324ce88b9a848e85987958b8ea7dcc0ba511120e6602aa0http://blog.talosintelligence.com/2017/08/threat-roundup-0728-0804.html |
M17-oe001 | Doc.Dropper.Agent_4377385b | Mixed | This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper. | 4377385b36ee38c3c7189a62bb5637fe | SHA1: d50a114b7f843a2a35a16d95d1e723ae4d65621cMD5: 4377385b36ee38c3c7189a62bb5637feSHA256: 3728cecd2be075b09a3a6d8d8c5923fe14cf381e3070266cf05fa51585def305http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html |
M17-94d01 | Doc.Dropper.Agent_2cff6bff | Mixed | This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper. | 2cff6bff7ad585b9e6e0b79fdc40edbd | SHA1: f7fcc6118eac486a388de009887a13fcb0fd0368MD5: 2cff6bff7ad585b9e6e0b79fdc40edbdSHA256: 0db7513e4ec8cea44afdce2d37991f5f9cbde0bb779856c10d9ffa75bed53d0fhttp://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html |
M17-idx01 | Tinba_aaeec015 | Windows | This strike sends a malware sample known as Tinba. Tinba is a banking trojan that steals information via Javascript injected into web browsers. | aaeec015fcf1fccea28f194a9a7ef145 | SHA1: dd39546082787a9197163f4b27aa64aaeaeffb98MD5: aaeec015fcf1fccea28f194a9a7ef145SHA256: 6fd80f8da071c3dc482314cbc994b22f105bce22acdad9e9bd86bae5abed53d9http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html |
M17-0zm01 | Doc.Dropper.Agent_2ab698b7 | Mixed | This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper. | 2ab698b733ab810f49f1986144a666e6 | SHA1: 67be5562a9188d7a180cfdc24d9334219093271fMD5: 2ab698b733ab810f49f1986144a666e6SHA256: 056bce922fab367aabfd43f5e85bb5397755db08afcc8c38d992ffb4fe8f766fhttp://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html |
M17-9wb01 | Doc.Dropper.Agent_a071f7f6 | Mixed | This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper. | a071f7f613da5ae0a5f0f83febae64c2 | SHA1: 2f8bac775f7b16e6ae60c216c2978b2424e8464aMD5: a071f7f613da5ae0a5f0f83febae64c2SHA256: e631b1dd070f71e53dd7b5c36a1921c027257f0c79bc7964551f27d0f4ece78bhttp://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html |
M17-ssu01 | Upatre_9d460f7f | Windows | This strike sends a malware sample known as Upatre. Upatre is a downloader used in exploit kits that retrieves a variety of malicious executables for the target to execute. | 9d460f7f267f86cd01f786bf536ed220 | SHA1: a32d114627189854513c6843825d7bcbc120086cMD5: 9d460f7f267f86cd01f786bf536ed220SHA256: eb0601efd61b34a2fac8468b613913983c2b1968b77aec8848c2dddf4443e952http://blog.talosintelligence.com/2017/08/threat-roundup-0728-0804.html |
M17-9d601 | Doc.Dropper.Agent_9b91d292 | Mixed | This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper. | 9b91d2925dd7e4471101fc61dd5fc46d | SHA1: 7426ef6922c9719d868a18e9ffb7da8dbd1137a7MD5: 9b91d2925dd7e4471101fc61dd5fc46dSHA256: 6ea7a564a6a7ba8f4c97e2eaefbedafab6dd1424d56716f1255b03f8b5879161http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html |
M17-8lv01 | Doc.Dropper.Agent_0f66aece | Mixed | This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper. | 0f66aece479cecc416c1888db9d1cd17 | SHA1: 6e8729fa8aba8165479973f2f9fa799f766bed3eMD5: 0f66aece479cecc416c1888db9d1cd17SHA256: 37e79b45ee53bc266d3602ec2cb79762a3c6360b5c173e89da045491150dbfb1http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html |
M17-kxt01 | Ovidiy_88c61b86 | Windows | This strike sends a malware sample known as Ovidiy. Ovidiy is a modular Windows credentials stealer trojan that targets web browser credentials. The Ovidiy trojan samples have been associated with .NET packers and binaries. | 88c61b86e30c3d185d041278c14e0b39 | SHA1: af22d0f090a4f196b80e99fb4c60011b6c1114cdMD5: 88c61b86e30c3d185d041278c14e0b39SHA256: 8f6939ac776dac54c2433b33386169b4d45cfea9b8eb59fef3b922d994313b71http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html |
M17-yr302 | Doc.Dropper.Agent_88119880 | Mixed | This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper. | 881198803b04ec52cbd3423a2578c244 | SHA1: 7e0b2cdd9684161e4b559022dcf981db2d37918fMD5: 881198803b04ec52cbd3423a2578c244SHA256: 1496ddfb94f11120267fe9d6bf233ba4726754bebf3075340496a144777a6539http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html |
M17-odf01 | Doc.Dropper.Agent_6ef85716 | Mixed | This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper. | 6ef85716cfc24a424c4de5bbab0cb50f | SHA1: 71915e84e4a2122281f8eb13351f9c993aac4c3fMD5: 6ef85716cfc24a424c4de5bbab0cb50fSHA256: ffc6c04d292e6618826bb09c8c63a06af3993e7b6b14171c45c7b44619b4421ahttp://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html |
M17-ly901 | Doc.Dropper.Agent_7a38982e | Mixed | This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper. | 7a38982ee737b7ee829f67d7000a2b00 | SHA1: c8e682ed4bbf3bd8307b8828b97359b2faba27deMD5: 7a38982ee737b7ee829f67d7000a2b00SHA256: 7a703a5e7f30a1621e204669ffefe91f22a1619814c4ef40872cd750cffb9125http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html |
M17-dns01 | Doc.Dropper.Agent_5c4cde05 | Mixed | This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper. | 5c4cde05b083f94e7af8623038cbcbde | SHA1: eb6c29bd72fc3bb628e28551616d8aaf7b06dc02MD5: 5c4cde05b083f94e7af8623038cbcbdeSHA256: 4cf480e7bab22fdd7d64c43d8f18c3c5358c25fbd063bc2d2855885b886718achttp://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html |
M17-wbz01 | Doc.Dropper.Agent_f7be7a1d | Mixed | This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper. | f7be7a1dd9c78b40e3785e5cce5aceb3 | SHA1: da2421ca0771355d5e6f66993864af4aa0e7146cMD5: f7be7a1dd9c78b40e3785e5cce5aceb3SHA256: c685f1c782e6b9250035f922ebc80400f2d6515e5f343a933c6c12920eb89e92http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html |
M17-fi601 | Doc.Dropper.Agent_039b52b4 | Mixed | This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper. | 039b52b4638a8088c47214fdec37bbf7 | SHA1: bb032753e6aefe431ab8cb6855362a02978bc4a3MD5: 039b52b4638a8088c47214fdec37bbf7SHA256: 425e004b3c9034aa17071b137ca1d4ae7a35dde5f588c05295e491b716125e2ahttp://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html |
M17-km501 | Forshare | Windows | This strike sends a malware sample known as Forshare Backdoor. This sample is a backdoor used in coinminer malware. The backdoor installs and executes scripts in WMI System Classes and is detected as JS_COINMINER.QO. | b6b68faa706f7740dafd8941c4c5e35a | SHA1: 806027db01b4997f71aefde8a5dbee5b8d9dbe98MD5: b6b68faa706f7740dafd8941c4c5e35aSHA256: a095f60ff79470c99752b73f8286b78926bc46eb2168b3ecd4783505a204a3b0http://blog.trendmicro.com/trendlabs-security-intelligence/cryptocurrency-miner-uses-wmi-eternalblue-spread-filelessly/ |
M17-v3w01 | Ovidiy_6838bce2 | Windows | This strike sends a malware sample known as Ovidiy. Ovidiy is a modular Windows credentials stealer trojan that targets web browser credentials. The Ovidiy trojan samples have been associated with .NET packers and binaries. | 6838bce2f6c831414df831040fc14287 | SHA1: d03b5ba006986ea5f980468bcec1f245eb92b685MD5: 6838bce2f6c831414df831040fc14287SHA256: c16408967de0ca4d3a1d28530453e1c395a5166b469893f14c47fc6683033cb3http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html |
M17-qf601 | Doc.Dropper.Agent_02522b84 | Mixed | This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper. | 02522b84e5c8757aaea14c65627b3f7f | SHA1: c679d26f98969738489dd65c41cfce78b0e0997fMD5: 02522b84e5c8757aaea14c65627b3f7fSHA256: f2fbac0942b08720073373536520b471229c918474cabb63fd19c3d006caaa1bhttp://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html |
M17-v0q01 | Doc.Dropper.Agent_9d4f149d | Mixed | This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper. | 9d4f149dc213d5cbbc6065c6c39f978c | SHA1: 2d83ec7e08817a1ac6ab1495e9a563da485ab0ddMD5: 9d4f149dc213d5cbbc6065c6c39f978cSHA256: db8ee4755c2b30756abb68e14e30b7c10d283b2f989fc7f3556f92389a2c32b9http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html |
M17-utj01 | Doc.Dropper.Agent_2f7441e9 | Mixed | This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper. | 2f7441e9c30fae211c738c76293c2e25 | SHA1: e3651c3de8f11dc2ddd176da0bb95ead946f59ffMD5: 2f7441e9c30fae211c738c76293c2e25SHA256: 0752a00c66125520f78673e70af10123cb5b78fe4786d368f7beb586d5ce3531http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html |
M17-e7c01 | Doc.Dropper.Agent_e15e6ec9 | Mixed | This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper. | e15e6ec956e484b71ed1d38bb0aaa3bf | SHA1: 4d581ca02833554440ea709085d02f3fa865f255MD5: e15e6ec956e484b71ed1d38bb0aaa3bfSHA256: cccb32f7f0408b32f3ad7f5a75adf1b955ba83a712e59c64f16b07713a6b44b8http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html |
M17-ehz01 | Expiro_77468f8f | Windows | This strike sends a malware sample known as Expiro. Expiro is a trojan that implements anti-debugging techniques, and this sample needs a correct sandbox environment in order to execute. | 77468f8f46838cf5d8f2fa7e2068c1ca | SHA1: abe8c5978c790a1e126bd3d86711f02e5dcd3ef1MD5: 77468f8f46838cf5d8f2fa7e2068c1caSHA256: 60d2422af917cb8aa58c14b8b78d4af112c9c78343da8f7aa3fbcb87be1a4de0http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html |
M17-g8j01 | Upatre_2920dca3 | Windows | This strike sends a malware sample known as Upatre. Upatre is a downloader used in exploit kits that retrieves a variety of malicious executables for the target to execute. | 2920dca3bca5ed300468b86dfeccf88a | SHA1: 77cac1356b4a02789ace4c49b6f9ea88a1a89358; MD5: 2920dca3bca5ed300468b86dfeccf88a; SHA256: c75bc2341ed612c8e5154cb88e7110544e3ff59fed30af28e441c0d31d088da8; http://blog.talosintelligence.com/2017/08/threat-roundup-0728-0804.html |
M17-4q001 | Tinba_adbd1f4e | Windows | This strike sends a malware sample known as Tinba. Tinba is a banking trojan that steals information via JavaScript injected into web browsers. | adbd1f4ea401fa99ff71adb5f4399cd2 | SHA1: fa8b9ad32327028b075778ff762eb31b81b0365a; MD5: adbd1f4ea401fa99ff71adb5f4399cd2; SHA256: 51769c916a89522975cb1babb4c9c7b18f3530286c66f3d735751cbdac02a160; http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html |
M17-uwn01 | Doc.Dropper.Agent_9dce5f03 | Mixed | This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper. | 9dce5f03b45f332a44ac411379cc31a3 | SHA1: d5615e91f1ada91ec77b06ff0ddf1c0cbf34eb7c; MD5: 9dce5f03b45f332a44ac411379cc31a3; SHA256: 31b34ac21405f6450bef3c18249e83a7bc464dea5cd4fb239becfe0a800875a2; http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html |
M17-oei01 | Upatre_6d8b1e33 | Windows | This strike sends a malware sample known as Upatre. Upatre is a downloader used in exploit kits that retrieves a variety of malicious executables for the target to execute. | 6d8b1e334303ddcc93b4a7ec6373bcf5 | SHA1: f259b1ceb58216298a0e5c6be9e455a2f2ea6c06; MD5: 6d8b1e334303ddcc93b4a7ec6373bcf5; SHA256: c707645487cd7d7c8001fa40cfa2475c23705f65048c3831eefb5580e39b3845; http://blog.talosintelligence.com/2017/08/threat-roundup-0728-0804.html |
M17-zoa01 | Doc.Dropper.Agent_e7b2b379 | Mixed | This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper. | e7b2b379f6c18c23cb6e2efce2c2aa10 | SHA1: a2fb8cf5f7fffd76d9f8ae1283d403c9f5a1b9aa; MD5: e7b2b379f6c18c23cb6e2efce2c2aa10; SHA256: 5df3016ba1cfd870d1d72e75ab9ec1d0a08a7e11d9fe7ec6b32fa0ce468206e7; http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html |
M17-rdq01 | Doc.Dropper.Agent_3078afd6 | Mixed | This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper. | 3078afd65e9b691dd070c17fe981b280 | SHA1: fd00dc09d74efb31ab13af8ad87cd3cf052607be; MD5: 3078afd65e9b691dd070c17fe981b280; SHA256: 9b6d3e01584f4d1238a55050c7ffad0e14299e911db8497b81529bd58afa4bc7; http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html |
M17-zik01 | Doc.Dropper.Agent_de30c6ff | Mixed | This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper. | de30c6ff05f944c0a9487451f69b9abb | SHA1: 1788092a01feab6cf35672942974618b59b34df7; MD5: de30c6ff05f944c0a9487451f69b9abb; SHA256: 8c4813043fa78b4aec7ada10556ddbe06eedbc81b115e4ff08371d8ee132d645; http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html |
M17-j9e01 | Ovidiy_727ae120 | Windows | This strike sends a malware sample known as Ovidiy. Ovidiy is a modular Windows credential-stealing trojan that targets web browser credentials. The Ovidiy trojan samples have been associated with .NET packers and binaries. | 727ae120f5afe39bf9736a43bef17be2 | SHA1: e0d4ed2d470808f33b1384d8b9cec6e16142a17c; MD5: 727ae120f5afe39bf9736a43bef17be2; SHA256: 22fc445798cd3481018c66b308af8545821b2f8f7f5a86133f562b362fc17a05; http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html |
M17-ass01 | Doc.Dropper.Agent_dc412d59 | Mixed | This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper. | dc412d59bbf9e8393326141a3be9b4ea | SHA1: 903ef0c1a668a18a39b7c58dd13a40edce16c95a; MD5: dc412d59bbf9e8393326141a3be9b4ea; SHA256: f0b670afe4781d3e8899bf742fbd613636424681f56c4388168acea84ea344af; http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html |
M17-lyh01 | Expiro_b739ddb5 | Windows | This strike sends a malware sample known as Expiro. Expiro is a trojan that implements anti-debugging techniques, and this sample needs a correct sandbox environment in order to execute. | b739ddb5dda521fb061ef4121d909c21 | SHA1: 7b53cf4d52c2a6974124a4ab624c337ab1da38ad; MD5: b739ddb5dda521fb061ef4121d909c21; SHA256: 5fd134b6abe1473fd5a7f96c711a4270fbc364bc6e3b10b5b344e0a1bfb0e4d8; http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html |
M17-7ax01 | Doc.Dropper.Agent_c9841f71 | Mixed | This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper. | c9841f716752e0b751da6737002e2e18 | SHA1: 13aaa0dbe1b9234f4973131c033e8bdc5f9db5d2; MD5: c9841f716752e0b751da6737002e2e18; SHA256: 168c49c8207019008bdf746d0fa4ab33a154277c5fe50fd4900e9d77ec6a2e7d; http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html |
M17-wtp01 | Cryptocurrency | Windows | This strike sends a malware sample known as Cryptocurrency Coinminer Troja. This sample is a cryptocurrency miner that utilizes WMI scripts and the EternalBlue MS17-010 exploit to compromise a system. The malware uses the vulnerability to drop a FORSHARE backdoor on the system, and then uses the WMI scripts to connect to the C2 servers to retrieve instructions along with various other components. | 010a7fa751f4a64c989eacabf58c8fbf | SHA1: 2db34fb90ec273120afa831cde91a5a7158b8fe6; MD5: 010a7fa751f4a64c989eacabf58c8fbf; SHA256: f37a0d5f11078ef296a7c032b787f8fa485d73b0115cbd24d62cdf2c1a810625; http://blog.trendmicro.com/trendlabs-security-intelligence/cryptocurrency-miner-uses-wmi-eternalblue-spread-filelessly/ |
M17-kv501 | Doc.Dropper.Agent_3be1c2f0 | Mixed | This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper. | 3be1c2f0af0c149b05091ff6d3cd1d58 | SHA1: a5f1d3be379d94c2fa53e46ee5a381183ef53054; MD5: 3be1c2f0af0c149b05091ff6d3cd1d58; SHA256: 29a7f99f81dd37bcbd196d635837c01d2aa48045ce4efd999a6d0da92bfbe917; http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html |
M17-8u301 | Doc.Dropper.Agent_05a9858c | Mixed | This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper. | 05a9858cd9b89b725006963d773fa1ae | SHA1: 1fc4aa7f4e315021e6849d5ae72789c9fe1b2d03; MD5: 05a9858cd9b89b725006963d773fa1ae; SHA256: e8290589cab3707f80ada754a31263e239b870dac5bdece15bf2e331cae5acf1; http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html |
M17-i2201 | Upatre_4cf5364a | Windows | This strike sends a malware sample known as Upatre. Upatre is a downloader used in exploit kits that retrieves a variety of malicious executables for the target to execute. | 4cf5364a2637143c96646a554f4f256f | SHA1: d3b2edb7cb97c20cf7bbdef3f071a0afbf471329; MD5: 4cf5364a2637143c96646a554f4f256f; SHA256: 0f6325d3fd6177cee19770b12d97efa8da46cb23a7173e227efc2291e59034d3; http://blog.talosintelligence.com/2017/08/threat-roundup-0728-0804.html |
M17-3nx01 | Doc.Dropper.Agent_3659c8b2 | Mixed | This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper. | 3659c8b26c8bf4b9feefbfc100bd9656 | SHA1: 353a4a6775544748c3101466b7e067276c8a3838; MD5: 3659c8b26c8bf4b9feefbfc100bd9656; SHA256: 4b495c54056aa68e91fd481168a7ddc5d5a6cae713ab359777340f1ba901ae65; http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html |
M17-pew01 | Doc.Dropper.Agent_34f86b2d | Mixed | This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper. | 34f86b2da35c647a5e01aa44057ca5f6 | SHA1: bb4021b575c7611babd35e48556a953759788b57; MD5: 34f86b2da35c647a5e01aa44057ca5f6; SHA256: 947ec2662ab377aca91f9ccb5b2a0e823ab5b814be719494c5cb8f0e7e228252; http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html |
M17-kxk01 | Upatre_1f9c87cb | Windows | This strike sends a malware sample known as Upatre. Upatre is a downloader used in exploit kits that retrieves a variety of malicious executables for the target to execute. | 1f9c87cb98f8df3df00874507f5aa354 | SHA1: 6f05eedf798c03a7a189e8fa88880bde3b9b004f; MD5: 1f9c87cb98f8df3df00874507f5aa354; SHA256: f6ae56489c1063a48079b1cf5c1252a8f1f3af70918c58fed90ce453bd6cec9e; http://blog.talosintelligence.com/2017/08/threat-roundup-0728-0804.html |
M17-87301 | Doc.Dropper.Agent_481a76f0 | Mixed | This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper. | 481a76f09eeef4cd68da96efa5321a60 | SHA1: 6d7f413da9dd32f471e2e533e19c1b11b4b94979; MD5: 481a76f09eeef4cd68da96efa5321a60; SHA256: d08c719c8ea6e5d7546e6449e6aed748ce74359e7c0dbd1f9bd08e2e8b795c68; http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html |
M17-oel01 | Upatre_29fa856d | Windows | This strike sends a malware sample known as Upatre. Upatre is a downloader used in exploit kits that retrieves a variety of malicious executables for the target to execute. | 29fa856d838b45f851414ee9847341e5 | SHA1: 82feb051efb1d474ec2bda7fdd68a83bbb97ec5b; MD5: 29fa856d838b45f851414ee9847341e5; SHA256: 19a4c65bc812eb74df5b41c058f345c5a4fbc838de59e4127e4cf784770a63df; http://blog.talosintelligence.com/2017/08/threat-roundup-0728-0804.html |
M17-kvr01 | Doc.Dropper.Agent_a838f93f | Mixed | This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper. | a838f93f7a6f35ce04bef4aabf5044e0 | SHA1: 0af4904f63eb4c99b74b10ff43a310a21e354de2; MD5: a838f93f7a6f35ce04bef4aabf5044e0; SHA256: 4808a9fc9a33cf5df06d5a56f85b6e2dfdb8fc5fbb4cbd2ede05488dd566f6f5; http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html |
M17-ugo01 | Tinba_a1a4ea05 | Windows | This strike sends a malware sample known as Tinba. Tinba is a banking trojan that steals information via JavaScript injected into web browsers. | a1a4ea059e2d1350cea94e056eeeea41 | SHA1: 35669a1eb529176931c7f670f58dd233822f79bd; MD5: a1a4ea059e2d1350cea94e056eeeea41; SHA256: 968ff771eab9d14d1847f489f425e44532522c7b9fe7407b09d7cc594da0eb84; http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html |
M17-14l01 | Doc.Dropper.Agent_e23f2ebf | Mixed | This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper. | e23f2ebf0d6a32b7d061b04fefd831a3 | SHA1: 2728f3e77cfbb5c07528ba895cd2ab9fb129dda5; MD5: e23f2ebf0d6a32b7d061b04fefd831a3; SHA256: 5edbc08d4e919f7186aa2b8a6e3d49ef38035c2a55b6e226910fcc60fe26a335; http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html |
M17-8l801 | Doc.Dropper.Agent_c17c9d18 | Mixed | This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper. | c17c9d18b0d2c390d317f22078714e38 | SHA1: ab4cb1ce4fd96fdabdb703dfb9a037e236516efb; MD5: c17c9d18b0d2c390d317f22078714e38; SHA256: 36472a674c751c65c15cbaab276c0fba8f3f1709750473b24e5d3c21e468617f; http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html |
M17-ov101 | Ovidiy_cd671a72 | Windows | This strike sends a malware sample known as Ovidiy. Ovidiy is a modular Windows credential-stealing trojan that targets web browser credentials. The Ovidiy trojan samples have been associated with .NET packers and binaries. | cd671a726a8498a8fd70c6c76069fb54 | SHA1: 6b2e2ff345e0001a047d461e8a91ee34b3693617; MD5: cd671a726a8498a8fd70c6c76069fb54; SHA256: 80d450ca5b01a086806855356611405b2c87b3822c0c1c38a118bca57d87c410; http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html |
M17-9b301 | Doc.Dropper.Agent_ab210c06 | Mixed | This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper. | ab210c06ffac47325abc1dacebbd2a43 | SHA1: 8f3c1518b12636a937f0afb28040511dec05858f; MD5: ab210c06ffac47325abc1dacebbd2a43; SHA256: 6dc6070451995a7dae4d5b741e291ce525aec2cf3144d9fdb8484f39079ef9e2; http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html |
M17-kjg01 | Doc.Dropper.Agent_fab13a88 | Mixed | This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper. | fab13a887c0ab39d971099cf40c3398f | SHA1: 77a1e05ab6038f621e5c9af9c52b95c798c836aa; MD5: fab13a887c0ab39d971099cf40c3398f; SHA256: bd7ed9514afabc723da282f32ad1dcfe81796a83555b7b4a6738dd0254c06ccd; http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html |
M17-uq201 | Doc.Dropper.Agent_f0a39d78 | Mixed | This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper. | f0a39d788b53d8c6ee03dc67c4e2d9be | SHA1: 5c3e0a8128099f5174b6209a4d87c8eb057dabb0; MD5: f0a39d788b53d8c6ee03dc67c4e2d9be; SHA256: 0524147db311dedc4631e0749bb79865ac673763bd5ebc576855fcb9431de98b; http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html |
M17-6mc01 | Upatre_637170ca | Windows | This strike sends a malware sample known as Upatre. Upatre is a downloader used in exploit kits that retrieves a variety of malicious executables for the target to execute. | 637170ca0e32ed7e2c283fa2370e5a18 | SHA1: 2ed47485e5e08b58005a9446c7e6ce1284fcdfaf; MD5: 637170ca0e32ed7e2c283fa2370e5a18; SHA256: a67638a9940841bc5222a160b0d28930c5244be769e6091122cfc7aaefa71335; http://blog.talosintelligence.com/2017/08/threat-roundup-0728-0804.html |
M17-g4h01 | Doc.Dropper.Agent_578a44de | Mixed | This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper. | 578a44dec0e58d9545ce53453c205328 | SHA1: 2de64dc8e000141128f8a97eb20f77f4ff6d6965; MD5: 578a44dec0e58d9545ce53453c205328; SHA256: e92710c582f71c4a9cb127774fa4cce0d8abb837a38d50d22d17ef7061646c92; http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html |
M17-8f201 | Doc.Dropper.Agent_e0ebcdd2 | Mixed | This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper. | e0ebcdd2f7274c1d5737c21de737c44f | SHA1: 9738e192b00fb5353ca8bf04e70073d14697a540; MD5: e0ebcdd2f7274c1d5737c21de737c44f; SHA256: 6250f069e1268801cb3afaee2523df1aca628fa791a666f1d05b6cb981913461; http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html |
M17-f0x01 | Doc.Dropper.Agent_5f4cca2c | Mixed | This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper. | 5f4cca2cad48595d3300d9f2fce4d3d8 | SHA1: 2ecb1d4d95b1c642bf70131bd23d9bb7b5fb8323; MD5: 5f4cca2cad48595d3300d9f2fce4d3d8; SHA256: 4111dc9ca29508aa89caf873ac9359ad579270c3b3025ab0ba8098dea9c3c459; http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html |
M17-hys01 | Upatre_90c7f61a | Windows | This strike sends a malware sample known as Upatre. Upatre is a downloader used in exploit kits that retrieves a variety of malicious executables for the target to execute. | 90c7f61a4cb3c7af757d56659290bfff | SHA1: 5e63eb42af94c89e0fdf34d796e1a5cadc34b429; MD5: 90c7f61a4cb3c7af757d56659290bfff; SHA256: 23da35463015938e649624b1e606507fc1c36998a3cdb730f02309055609bd2f; http://blog.talosintelligence.com/2017/08/threat-roundup-0728-0804.html |
M17-1fn01 | Upatre_3f84e89a | Windows | This strike sends a malware sample known as Upatre. Upatre is a downloader used in exploit kits that retrieves a variety of malicious executables for the target to execute. | 3f84e89a99fa5a07c70b234ac1be7952 | SHA1: d91b929536314be2a2df8d806da150c7efe16635; MD5: 3f84e89a99fa5a07c70b234ac1be7952; SHA256: fc0f51ffddad995a4588fbc28d10d0037cc36708e4875a057629bd5a2d975a43; http://blog.talosintelligence.com/2017/08/threat-roundup-0728-0804.html |
M17-lpr01 | Doc.Dropper.Agent_b656b353 | Mixed | This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper. | b656b353955bf30289570727ab032cd8 | SHA1: 03bba9de2bff6f5c917a324962b570d1b6b46a77; MD5: b656b353955bf30289570727ab032cd8; SHA256: 31755c56408a13f44d620971a60342bb0170ad78217c923c518fe4b58b4da365; http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html |
M17-vqb01 | Doc.Dropper.Agent_a6fd9939 | Mixed | This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper. | a6fd99393b519c8acde3d7e2c92edd17 | SHA1: ed996dfc599e65398b6845b6e08390edf9a0e86b; MD5: a6fd99393b519c8acde3d7e2c92edd17; SHA256: b3fffd7e92a3bb920456b149717c353c8779e45a947c0e756889956c6bc48d7a; http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html |
M17-4vm01 | Doc.Dropper.Agent_cd3a6a2d | Mixed | This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper. | cd3a6a2d3915a64ea6f1a1e11b5646a1 | SHA1: cc4ef105245df2b176365cfc401277040fdec5e5; MD5: cd3a6a2d3915a64ea6f1a1e11b5646a1; SHA256: eb99cecc433a5134414024c98c227f52bae7660343a36469ccf0e6a8f5af4a6d; http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html |
M17-gw201 | Doc.Dropper.Agent_95a095a0 | Mixed | This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper. | 95a095a00455bc303387d2df6c44d4f1 | SHA1: d2df019b8fa837aec31bac9a2e3406a3e0b04bd1; MD5: 95a095a00455bc303387d2df6c44d4f1; SHA256: 27772ef48d027d7e23e1f78d8ea86cb1bbcf4240cd59a8dc7ebc82f8a3a8b6dd; http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html |
M17-13g01 | Expiro_694a024a | Windows | This strike sends a malware sample known as Expiro. Expiro is a trojan that implements anti-debugging techniques, and this sample needs a correct sandbox environment in order to execute. | 694a024a80fd829dd08c1159bf9ead57 | SHA1: be6beb1c805d33f3388d510f5e5a6e04c5dd57ae; MD5: 694a024a80fd829dd08c1159bf9ead57; SHA256: 5f5e9e5952765887211883b42e508b4b14c62a1685092978f98c6619229796b5; http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html |
M17-fr301 | Doc.Dropper.Agent_b2dc50ec | Mixed | This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper. | b2dc50ecc318d6ebcba1a518105593a9 | SHA1: eddd2ba7ff3d23b2f5891cbaeea48fdbf0fd0728; MD5: b2dc50ecc318d6ebcba1a518105593a9; SHA256: b05c34ffdc8c82862b408a1f628b21bb08362de4340d768a08c511132ce7d34d; http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html |
M17-6b801 | Doc.Dropper.Agent_c2ad9bdd | Mixed | This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper. | c2ad9bdd89be2719d7fb7d9f77ee9ee7 | SHA1: 6e9fc299719596ed5d0fd2589856567af077518c; MD5: c2ad9bdd89be2719d7fb7d9f77ee9ee7; SHA256: f8913513ec19ea386cb812e5e7249d44a4e4a3092fbfcea23fce692d7ed88970; http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html |
M17-5ex01 | Doc.Dropper.Agent_0e27fc6e | Mixed | This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper. | 0e27fc6e52b599e151a9eb0223b2ce6e | SHA1: 7acd905f7f85259c9045bbb2025cdc224b9ee21d; MD5: 0e27fc6e52b599e151a9eb0223b2ce6e; SHA256: b0610f20ce7be29f5864a02d72bcfa54e215d3159bf381d05fac58d2fa703f0d; http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html |
M17-f6001 | Doc.Dropper.Agent_06d15dd3 | Mixed | This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper. | 06d15dd3999ecc88ed062d6e04073c2a | SHA1: 6e04eb861091a601fb85904cc8db3229d4e2e91d; MD5: 06d15dd3999ecc88ed062d6e04073c2a; SHA256: e342cae3c710674f0e73ea2ed1e72085d790a653e249e1b5e4d8e6696e110041; http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html |
M17-3s801 | Madangel_c76a7118 | Windows | This strike sends a malware sample known as Madangel. Madangel is a trojan that replicates through network shares and eventually connects to a command and control server to download other malicious executables. | c76a7118fd76a9ea44908cb338311600 | SHA1: 7bd6319a1fff7a9b57753b40deb647c78febaeac; MD5: c76a7118fd76a9ea44908cb338311600; SHA256: fbf9d40bc0abe116c19404298d324fcb5a2ddd19d2d97dc31418446be3637a22; http://blog.talosintelligence.com/2017/08/threat-roundup-0728-0804.html |
M17-hey01 | Doc.Dropper.Agent_67969a29 | Mixed | This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper. | 67969a2971e05dd27eb1ee86e8aa2184 | SHA1: 0fb8d22c3d5386967e70a5fda985b95894a756d5; MD5: 67969a2971e05dd27eb1ee86e8aa2184; SHA256: f20256df607a29ef83bd035ee27fc424307712e59298f54803150a88ea5c5ece; http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html |
M17-y9a01 | Madangel_c711312e | Windows | This strike sends a malware sample known as Madangel. Madangel is a trojan that replicates through network shares and eventually connects to a command and control server to download other malicious executables. | c711312e1f07a9b6c37fea8ff62a8132 | SHA1: cb124507f769a63f5e4671c17922a5106bf280d7; MD5: c711312e1f07a9b6c37fea8ff62a8132; SHA256: 7ad3924efe8802153b9dadc5bc055b329ec8c2850b91dc5f5a1bba42533a8758; http://blog.talosintelligence.com/2017/08/threat-roundup-0728-0804.html |
M17-9ay01 | Doc.Dropper.Agent_7025dd3b | Mixed | This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper. | 7025dd3b7cff6adb5083701cf00a25be | SHA1: 53e2c82ced38ad23223a4557555eeb24f0ae72d9; MD5: 7025dd3b7cff6adb5083701cf00a25be; SHA256: 758a4e1ea1fc0c9846d21f643013fd934fd23b187ca1fd32c90334ff48a60372; http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html |
M17-fsf01 | Doc.Dropper.Agent_f3e19146 | Mixed | This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper. | f3e19146696752674c78ddb3b21cb8d2 | SHA1: 49a5f32b3138218bb16ba1e95c166dc1a94ab6b5; MD5: f3e19146696752674c78ddb3b21cb8d2; SHA256: d526ffe1710b4b39866bebceb3660e1386e41df17b13a6055078b0ce7db74fbe; http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html |
M17-qmg01 | Tinba_a40bb152 | Windows | This strike sends a malware sample known as Tinba. Tinba is a banking trojan that steals information via JavaScript injected into web browsers. | a40bb152eaded8ef9c6e1226dddc4c13 | SHA1: b567005e063ce04ffb8c33877916f7bac829a731; MD5: a40bb152eaded8ef9c6e1226dddc4c13; SHA256: 33fd66f4cee5bdd9f30eb2e5bd7a65367e10f55495c1122430685a8ff0d90fcc; http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html |
M17-3kg01 | Madangel_c72f49d9 | Windows | This strike sends a malware sample known as Madangel. Madangel is a trojan that replicates through network shares and eventually connects to a command and control server to download other malicious executables. | c72f49d97ea8e0440c8310747517f1c8 | SHA1: c8948449da2756d6cbd4c5c501b65dd0f573b3ef; MD5: c72f49d97ea8e0440c8310747517f1c8; SHA256: a010da80c2d35d420958b858fc1e5e700fab866799aa786e1feab4fba5ee6dbb; http://blog.talosintelligence.com/2017/08/threat-roundup-0728-0804.html |
M17-bk001 | Upatre_8775e784 | Windows | This strike sends a malware sample known as Upatre. Upatre is a downloader used in exploit kits that retrieves a variety of malicious executables for the target to execute. | 8775e784d51dd71768aa1f231b39815e | SHA1: 47f4fb4e5e0ede7d8f2840ebaf67024c994dcb4a; MD5: 8775e784d51dd71768aa1f231b39815e; SHA256: 6c44efb2baabb7b66849e69567c8b3394919efdb2491a1392ff237090c380f1f; http://blog.talosintelligence.com/2017/08/threat-roundup-0728-0804.html |
M17-hep01 | Avast | Windows | This strike sends a malware sample known as Avast Signed Dropper. This malicious executable is signed by Avast as their SafeZone Browser. The file generates a PowerShell script that modifies Windows firewall rules and adds registry keys for persistence. | 5fd9e7a51f49eae4d722cabd84999ef5 | SHA1: da7d5d84ec06da830330601077f5d01075de2ed5; MD5: 5fd9e7a51f49eae4d722cabd84999ef5; SHA256: 6d28d5453d0c2ca132ba3b3d7f0a121427090c1eb52f7d2a5c3e4e5440411bc7; https://isc.sans.edu/forums/diary/Malicious+script+dropping+an+executable+signed+by+Avast/22748/ |
M17-jz901 | Doc.Dropper.Agent_fd086e90 | Mixed | This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper. | fd086e90e4980be48055912c8d12f00c | SHA1: ba40d953c299f7d708150fe7bb5bbafca26451b2; MD5: fd086e90e4980be48055912c8d12f00c; SHA256: 8c43427b886d65c06a43f823511f0927b85dc5956dc7bd1bd16c59af548db6b8; http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html |
M17-3rx01 | Doc.Dropper.Agent_f094271e | Mixed | This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper. | f094271e6c8a722492774a22b420749e | SHA1: 60929619ddc37dbeac968fa6e93209c9136473be; MD5: f094271e6c8a722492774a22b420749e; SHA256: 454ed2ca7a116ad34864d4e8b232dcb50c063ffbd70f23753262aabb6b34d24e; http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html |
M17-xjf01 | Madangel_c75b1ec2 | Windows | This strike sends a malware sample known as Madangel. Madangel is a trojan that replicates through network shares and eventually connects to a command and control server to download other malicious executables. | c75b1ec23a96fd1e8b997d26ddad20fa | SHA1: 781bdad48d3dd49947d01b4e2f80e59c100b82cb; MD5: c75b1ec23a96fd1e8b997d26ddad20fa; SHA256: 3ad3d18277238e0a6e0a84a6e901395ad647466a0e68275a7426203216b05025; http://blog.talosintelligence.com/2017/08/threat-roundup-0728-0804.html |
M17-sj801 | Doc.Dropper.Agent_86724060 | Mixed | This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper. | 867240603ed0748450be2b1b2d7a87d3 | SHA1: d08e8e29031f1720204cfc47d28755831e2038ca; MD5: 867240603ed0748450be2b1b2d7a87d3; SHA256: 717f927b9c0b01a60eb94254d39ac5eeee24a2c10d0c59266252630202a36323; http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html |
M17-j2c01 | Doc.Dropper.Agent_f12ce0b9 | Mixed | This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper. | f12ce0b9a92aabf66f1c11c22283d3b5 | SHA1: a97e917364186994b78556fd172d8d4e6ec930c0; MD5: f12ce0b9a92aabf66f1c11c22283d3b5; SHA256: 6451b45a4f8bdccdbce6bcd14e5fda1f976c81efed2c4dfd028386cce31250d1; http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html |
M17-mhb01 | Forshare | Windows | This strike sends a malware sample known as Forshare Backdoor. This sample is a backdoor used in coinminer malware. The backdoor installs and executes scripts in WMI System Classes and is detected as JS_COINMINER.QO. | a206d9e633c7d74a735190299b125271 | SHA1: 2b10fc7ebad4eb93d1a907cc6f5211be6cf73d5e; MD5: a206d9e633c7d74a735190299b125271; SHA256: e6fc79a24d40aea81afdc7886a05f008385661a518422b22873d34496c3fb36b; http://blog.trendmicro.com/trendlabs-security-intelligence/cryptocurrency-miner-uses-wmi-eternalblue-spread-filelessly/ |
M17-zqr01 | Doc.Dropper.Agent_59b4e709 | Mixed | This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper. | 59b4e709c6e85a978b8c9d15b05b7b49 | SHA1: 142b05761c150df687c09c2f835869ca81386a47; MD5: 59b4e709c6e85a978b8c9d15b05b7b49; SHA256: 44b6060a5406112556049bd3efef8d876fe335bb4aa0f0a6f7d0210184918c71; http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html |
M17-lkb01 | Doc.Dropper.Agent_0d0541ab | Mixed | This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper. | 0d0541abecae2601c01e070198ab7d6f | SHA1: 2e82936395906e7f3e556f125742c4c13efb3cf4; MD5: 0d0541abecae2601c01e070198ab7d6f; SHA256: 976c6ce6c484aef7d0d801c2f5ee31c984136d91636656a7e5425fbc4e848029; http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html |
M17-2zx01 | Doc.Dropper.Agent_d92e56e0 | Mixed | This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper. | d92e56e06ba9a6af62661ca60b14b94a | SHA1: 9af416ce66dd4c76742c900c9028a7d98e94943f; MD5: d92e56e06ba9a6af62661ca60b14b94a; SHA256: e14472604877ad85c119703225fb6086053bcaa2ebae60d38762bbdd192e2244; http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html |
M17-py001 | Doc.Dropper.Agent_b56f9163 | Mixed | This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper. | b56f91631190e6024dd3136ee0d4f289 | SHA1: 9d37e56d4b470bd46739b20c20d00f83f569dfa6; MD5: b56f91631190e6024dd3136ee0d4f289; SHA256: d26ebbc2bdf6a6b59d805f7f1e9a9b505b6ff6e8b99e254f9c5c36413142d3f8; http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html |
M17-uej01 | Upatre_3978a6db | Windows | This strike sends a malware sample known as Upatre. Upatre is a downloader used in exploit kits that retrieves a variety of malicious executables for the target to execute. | 3978a6db3a1c56ab376ef1356a335a2a | SHA1: 5d39294b88264e2164976255256a577da4712806; MD5: 3978a6db3a1c56ab376ef1356a335a2a; SHA256: 249698d153aec8b19f511529aae5efc852cacbbc4f45020e4b9a3bdea933a6fa; http://blog.talosintelligence.com/2017/08/threat-roundup-0728-0804.html |
M17-n8t01 | Upatre_2303e7f5 | Windows | This strike sends a malware sample known as Upatre. Upatre is a downloader used in exploit kits that retrieves a variety of malicious executables for the target to execute. | 2303e7f512925fa15023e257738fb23d | SHA1: 5dc69b519e8bfba8effae680986a6e5202ae3f67; MD5: 2303e7f512925fa15023e257738fb23d; SHA256: 5f3a9efa98d7acfb0793292b2475eba2d547632c63f3b4ca5d1958731d264506; http://blog.talosintelligence.com/2017/08/threat-roundup-0728-0804.html |
M17-9rd01 | Doc.Dropper.Agent_b68fab03 | Mixed | This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper. | b68fab0356e9b5412aaf20717f7c9a8a | SHA1: a370905b8f30f7040b7720d53add12fb7cf5f44e; MD5: b68fab0356e9b5412aaf20717f7c9a8a; SHA256: 5f1827ab138eb25289a1a76910f5dc9c96aed87dd8aa2db7e3b0d310267a5a67; http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html |
M17-rt001 | Doc.Dropper.Agent_cb354f22 | Mixed | This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper. | cb354f22c0c835ab81a48bee0c639ef5 | SHA1: 4a4537bd0990b5a68f87e973a9da5f5def1c8ed9; MD5: cb354f22c0c835ab81a48bee0c639ef5; SHA256: 2aaf7791ed0a57e48c3d363b46ba5247e78a2290549bfd7f98793e9bee4c3e55; http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html |
M17-2fg01 | Avast | Windows | This strike sends a malware sample known as Avast Signed Dropper. This malicious executable is signed by Avast as their SafeZone Browser. The file generates a PowerShell script that modifies Windows firewall rules and adds registry keys for persistence. | 8129efe8afe6aeaa9793356300b2d8d8 | SHA1: de045c4d74cb3eb6804f8fc1114aa58fc31c7609; MD5: 8129efe8afe6aeaa9793356300b2d8d8; SHA256: 2ee0c761a25310e34c9d3c9d3e810192d8bbd10d4051522e3eefdc1bd71a17bb; https://isc.sans.edu/forums/diary/Malicious+script+dropping+an+executable+signed+by+Avast/22748/ |
M17-mmm01 | Upatre_1ffe648f | Windows | This strike sends a malware sample known as Upatre. Upatre is a downloader used in exploit kits that retrieves a variety of malicious executables for the target to execute. | 1ffe648f92602af0e297abb8e73ecdf0 | SHA1: ca419874bc65acace2aba98293a017958f05ad89; MD5: 1ffe648f92602af0e297abb8e73ecdf0; SHA256: ad54d0d8d9b80aff216cc9097849efc52b2990a6b8f9d6a24f9a22709be35267; http://blog.talosintelligence.com/2017/08/threat-roundup-0728-0804.html |
M17-ili01 | Doc.Dropper.Agent_e972a0ba | Mixed | This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper. | e972a0ba3cc4c131c36d2ed910199076 | SHA1: 2afc5fa213b6c2a5046353c13787e0686346051a; MD5: e972a0ba3cc4c131c36d2ed910199076; SHA256: a4692d62273960b017d80e2b3ee9befe9b186d0609dbf4aedd1dcaf6d3aef671; http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html |
M17-osh01 | Doc.Dropper.Agent_93a6182a | Mixed | This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper. | 93a6182a6d48455bc911294cb461a379 | SHA1: c05ac2ca24373440332b137306a5727f4063edfd; MD5: 93a6182a6d48455bc911294cb461a379; SHA256: b588aa1d5901e2ded7dfc9fe8efbd13304f2bed37086b5c9aa498fdffaed48ba; http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html |
M17-ymt01 | Upatre_11b19e9f | Windows | This strike sends a malware sample known as Upatre. Upatre is a downloader used in exploit kits that retrieves a variety of malicious executables for the target to execute. | 11b19e9f954304116631d772d507ef40 | SHA1: ab5c4f5f4c3b00683e42d1344a33a6b4bf01fd3d; MD5: 11b19e9f954304116631d772d507ef40; SHA256: 570323e1150fe8e0802b03eb7848452c89ea1247512365bdb8621ecac4d15507; http://blog.talosintelligence.com/2017/08/threat-roundup-0728-0804.html |
M17-ea101 | Doc.Dropper.Agent_6926a83c | Mixed | This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper. | 6926a83c4ad890e8e4b5d47273849ba4 | SHA1: f8bbce1362d00d4078036587150ba855f2bcc934; MD5: 6926a83c4ad890e8e4b5d47273849ba4; SHA256: b3dc9a164f1548ca0fd4618dbaae44c6a9ea05f66aafcf67758d9985b1409cb0; http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html |
M17-yqi01 | Doc.Dropper.Agent_287c2bb9 | Mixed | This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper. | 287c2bb9c1ced63562cc45a4560c4e77 | SHA1: 3a78de80158174bcd111de44fedbb5c73dfc0ab1MD5: 287c2bb9c1ced63562cc45a4560c4e77SHA256: b1e4e3be5dd686424763f39f8930e28044a9cda7a48d8962ba6e8978ef532fa0http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html |
M17-dfv01 | Doc.Dropper.Agent_893490aa | Mixed | This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper. | 893490aaed99e679ca5570b7bce8b85d | SHA1: 350c4b7cbad4ad87f9f127734f772346953d5226MD5: 893490aaed99e679ca5570b7bce8b85dSHA256: f6c2aea9dbc12ff2dbf77637560093234465cdae03c40ee4f0afcf8365ebfab7http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html |
M17-ljq01 | Doc.Dropper.Agent_19caf486 | Mixed | This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper. | 19caf486adadf70038b8205f2778ea99 | SHA1: 51d4a1a196a04cca8798da647157910e7042c72aMD5: 19caf486adadf70038b8205f2778ea99SHA256: 9d52dd2437d0408e5971598b44c5dc1e1475004241bb5928d1eaee9a9aea51e1http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html |
M17-rqm01 | Tinba_a1aeef75 | Windows | This strike sends a malware sample known as Tinba. Tinba is a banking trojan that steals information via Javascript injected into web browsers. | a1aeef758711b5db8670ecb655c5d1c0 | SHA1: 5728e5d6246ebca4d6a2f4698a1fa2c179f50c37MD5: a1aeef758711b5db8670ecb655c5d1c0SHA256: 56f91537753491cd32a250428b146d7685362c762c7e8f39703b4cf6cd92c020http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html |

Strike ID | Malware | Platform | Info | MD5 | External References |
---|---|---|---|---|---|
M17-twg01 | CopyCat_d44cda7f | Android | This strike sends a malware sample known as CopyCat. CopyCat is a family of Android mobile malware that infected over 14 million devices while gaining root privileges on over half of them. This malware has many capabilities but its main purpose is to generate and steal ad revenues. | d44cda7feb8e37d7373fbca2199c6820 | SHA1: b68f5bf6e2280f2cda96b7dcacea9f90815731ff; MD5: d44cda7feb8e37d7373fbca2199c6820; SHA256: e5091cf03936db47dea112c4588a8818a483de06c15a8c717eda5886209f2d4b; https://www.checkpoint.com/downloads/resources/copycat-research-report.pdf |
M17-tl001 | CopyCat_065c8960 | Android | This strike sends a malware sample known as CopyCat. | 065c8960a0338eb64845721687478d8b | SHA1: fb1b2a0063004f71f6ca5a5141128d43640a239d; MD5: 065c8960a0338eb64845721687478d8b; SHA256: 1fe8af825d232bf55bd1d535ebdb0ebb88ba39e21914e40d33274b29d32680f7 |
M17-2ef01 | Doc.Downloader.Agent-6333860-0_dc20ea04 | Mixed | This strike sends a malware sample known as Doc.Downloader.Agent-6333860-0. This malware sample is a document downloader that uses Microsoft Excel worksheets with macros to trigger Shell functions. The MD5 hash of this Doc.Downloader. | dc20ea0463f1956f2e4c658984a2a17d | SHA1: 346eebaa4b09dfab368397b958a20262f1211e95; MD5: dc20ea0463f1956f2e4c658984a2a17d; SHA256: 13fd575d1474ae579f55615733f75fa50231447b8653e6eb58678103ee82e99e; http://blog.talosintelligence.com/2017/07/threat-roundup-0714-0721.html#more |
M17-qip01 | CopyCat_9a031f2f | Android | This strike sends a malware sample known as CopyCat. CopyCat is a family of Android mobile malware that infected over 14 million devices while gaining root privileges on over half of them. This malware has many capabilities but its main purpose is to generate and steal ad revenues. | 9a031f2f5022fae13849b566a1b89579 | SHA1: 67cec2e8784219774e8500064113caa535d3a41a; MD5: 9a031f2f5022fae13849b566a1b89579; SHA256: 4cbcb8f8eafb3d475362bdb7eddc4cb255c89926e03813ff0efa7652bb696e97; https://www.checkpoint.com/downloads/resources/copycat-research-report.pdf |
M17-wpp01 | Win.Trojan.DelphiSpamDown-6333_0c4f0ad1 | Windows | This strike sends a malware sample known as Win.Trojan.DelphiSpamDown-6333. This malware sample is a Delphi downloader. It can be found in the wild and is related to a spam campaign. The MD5 hash of this Win.Trojan. | 0c4f0ad10c18a15bf78f5840155540d4 | SHA1: bd6afe5b786c9feca58949e36a63503fdfe07a18; MD5: 0c4f0ad10c18a15bf78f5840155540d4; SHA256: f23220f487d021aed897deee04e7aaada2521d096406517cd3adcacf4754beac; http://blog.talosintelligence.com/2017/07/threat-roundup-0714-0721.html#more |
M17-dfo01 | CopyCat_2172a6e2 | Android | This strike sends a malware sample known as CopyCat. CopyCat is a family of Android mobile malware that infected over 14 million devices while gaining root privileges on over half of them. This malware has many capabilities but its main purpose is to generate and steal ad revenues. | 2172a6e20ee9f121606c4bd47311074b | SHA1: a5fcede7a2d3925478955281e6a3388e387037f7; MD5: 2172a6e20ee9f121606c4bd47311074b; SHA256: 51dc097980b46d053085ff079b153f107d866a27dc19670b79928ec55ab336d7; https://www.checkpoint.com/downloads/resources/copycat-research-report.pdf |
M17-apt01 | .Net | Windows | This strike sends a malware sample known as .Net Dubled Backdoor. This .Net malware is not particularly advanced; however, it comes with many features, including the ability to spy on the target system and record a user's banking activity via the ffmpg application. The MD5 hash of this . | 9c9f9b127becf7667df4ff9726420ccb | SHA1: 5a5ada4e68f7e2964868b6435a6dc5dda0e86999; MD5: 9c9f9b127becf7667df4ff9726420ccb; SHA256: 5981576009cd18282cad4eed8dbc33d8f2e7c7a7222c1de31ac6c1f4b8f3aff2; https://blog.malwarebytes.com/threat-analysis/2017/07/malware-abusing-ffmpeg/ |
M17-h9q01 | Nitol_a2326cd7 | Windows | This strike sends a malware sample known as Nitol. The sample has been identified in the wild being downloaded by DoublePulsar backdoor payloads. | a2326cd780697d756d0fd9cd0323f410 | SHA1: 5fc41e1775bb81e3d11b6a0e93d385bcef3897c7; MD5: a2326cd780697d756d0fd9cd0323f410; SHA256: a28cc443757838e979bf2bb178f5d5c1408c043ba2537fbd194eac7b5ee04d0d |
M17-7qi01 | Win.Virus.Virlock-6332874-0_bbe0914f | Windows | This strike sends a malware sample known as Win.Virus.Virlock-6332874-0. VirLock is a polymorphic ransomware that encrypts the files on the target system and also inserts a modified version of its own code at the beginning of each file. After execution it locks the screen and asks the user to pay a ransom. The MD5 hash of this Win.Virus. | bbe0914f4441e2b65d50e46fa26e9bf0 | SHA1: 2c558318fea7fa6adb326fcd99f5f242bb26d74a; MD5: bbe0914f4441e2b65d50e46fa26e9bf0; SHA256: 94549c01f4ca88d7169141b7a8aaa0a79a28e2770811ef84febd639af70c7a74; http://blog.talosintelligence.com/2017/07/threat-roundup-0714-0721.html#more |
M17-fxv01 | CopyCat_a14e9bfc | Android | This strike sends a malware sample known as CopyCat. CopyCat is a family of Android mobile malware that infected over 14 million devices while gaining root privileges on over half of them. This malware has many capabilities but its main purpose is to generate and steal ad revenues. | a14e9bfc6dfdfa6fca36a7aefe7590d1 | SHA1: e7781b298b4c41d858d0cbbc7c1f41e23362cac8; MD5: a14e9bfc6dfdfa6fca36a7aefe7590d1; SHA256: d77d9242bbf4594277b96ed9af5f2fa721b82c578d0e0c640f42928ec8002257; https://www.checkpoint.com/downloads/resources/copycat-research-report.pdf |
M17-np001 | .Net | Windows | This strike sends a malware sample known as .Net Dubled Backdoor. This .Net malware is not particularly advanced; however, it comes with many features, including the ability to spy on the target system and record a user's banking activity via the ffmpg application. The MD5 hash of this . | 85d35dd33f898a1f03ffb3b2ec111132 | SHA1: 5c68c117772b59705af63ecfcbae3711537ec49e; MD5: 85d35dd33f898a1f03ffb3b2ec111132; SHA256: 52a481fda8d5d674beb46faddfdec6329c1c63f1ef00f439aaa7e8ef947d7512; https://blog.malwarebytes.com/threat-analysis/2017/07/malware-abusing-ffmpeg/ |
M17-2s001 | CopyCat_6797aebf | Android | This strike sends a malware sample known as CopyCat. CopyCat is a family of Android mobile malware that infected over 14 million devices while gaining root privileges on over half of them. This malware has many capabilities but its main purpose is to generate and steal ad revenues. | 6797aebf0ff789fbf37f543acc126a98 | SHA1: 97e7d60c53b409b06acdf5088e9b2b0452084d6b; MD5: 6797aebf0ff789fbf37f543acc126a98; SHA256: ca44d2f261c3404a303f46afd6819ed2c077f724032bd0f550cff9b450270706; https://www.checkpoint.com/downloads/resources/copycat-research-report.pdf |
M17-b7i01 | Doc.Downloader.Agent-6333860-0_6002bbb0 | Mixed | This strike sends a malware sample known as Doc.Downloader.Agent-6333860-0. This malware sample is a document downloader that uses Microsoft Excel worksheets with macros to trigger Shell functions. The MD5 hash of this Doc.Downloader. | 6002bbb0ca96b698af3e64d2ce8295d4 | SHA1: 1208966ff8079169bfbbf260f5268c1c877c6c57; MD5: 6002bbb0ca96b698af3e64d2ce8295d4; SHA256: 0fc8af1a3deb4d2895b9bb202278299369a16950239288577472bc06fbf07e4b; http://blog.talosintelligence.com/2017/07/threat-roundup-0714-0721.html#more |
M17-fj601 | CopyCat_87fb37f2 | Android | This strike sends a malware sample known as CopyCat. CopyCat is a family of Android mobile malware that infected over 14 million devices while gaining root privileges on over half of them. This malware has many capabilities but its main purpose is to generate and steal ad revenues. | 87fb37f226bcb7effe755b9ef9c94d4f | SHA1: 4ceca867c1f769f5e2d4b7f71ac5e21f0c074456; MD5: 87fb37f226bcb7effe755b9ef9c94d4f; SHA256: 5a7a908733b71f71bd8f103d9ad2f8c229282d42a50bea2d080b942541b8c93d; https://www.checkpoint.com/downloads/resources/copycat-research-report.pdf |
M17-jsi01 | .Net | Windows | This strike sends a malware sample known as .Net Dubled Backdoor. This .Net malware is not particularly advanced; however, it comes with many features, including the ability to spy on the target system and record a user's banking activity via the ffmpg application. The MD5 hash of this . | 049af19db6ddd998ac94be3147050217 | SHA1: c291c2a9d32bb5eff1c1bbdae3edf1df48a2cefe; MD5: 049af19db6ddd998ac94be3147050217; SHA256: 91df20cfd25c140da8728f67e004dc42277922aac62b8dce7589ee82f84ca52a; https://blog.malwarebytes.com/threat-analysis/2017/07/malware-abusing-ffmpeg/ |
M17-di701 | Petya/NotPetya_a1d5895f | Windows | This strike sends a malware sample known as Petya/NotPetya. Petya/NotPetya is a ransomware that has been tied to the Petya ransomware due to the way it encrypts files and displays them in the ransom note. However, further analysis has shown that it is very dissimilar from Petya and may be a different family of malware entirely. | a1d5895f85751dfe67d19cccb51b051a | SHA1: 9288fb8e96d419586fc8c595dd95353d48e8a060; MD5: a1d5895f85751dfe67d19cccb51b051a; SHA256: 17dacedb6f0379a65160d73c0ae3aa1f03465ae75cb6ae754c7dcb3017af1fbd; https://www.carbonblack.com/2017/06/27/protect-organization-petya-ransomware-carbon-black/ |
M17-b2101 | Doc.Downloader.Agent-6333860-0_df15ea72 | Mixed | This strike sends a malware sample known as Doc.Downloader.Agent-6333860-0. This malware sample is a document downloader that uses Microsoft Excel worksheets with macros to trigger Shell functions. The MD5 hash of this Doc.Downloader. | df15ea72c114910ef7fb07bccfc16d2e | SHA1: a7cf768944a59e6402daced81bab4f87cd3f726c; MD5: df15ea72c114910ef7fb07bccfc16d2e; SHA256: 1b01632e1a44445124165ed61592527fe649a32ed889ee75fdb73d07bf396812; http://blog.talosintelligence.com/2017/07/threat-roundup-0714-0721.html#more |
M17-t5a01 | Doc.Downloader.Agent-6333860-0_1b044fa9 | Mixed | This strike sends a malware sample known as Doc.Downloader.Agent-6333860-0. This malware sample is a document downloader that uses Microsoft Excel worksheets with macros to trigger Shell functions. The MD5 hash of this Doc.Downloader. | 1b044fa9aed5c94ee4a4ad77800bd8ba | SHA1: 978402697c7f5e6fba8ae34478f982ed2711d09f; MD5: 1b044fa9aed5c94ee4a4ad77800bd8ba; SHA256: 2248f89b848781c0405cc0cead60172ec75e035aca12e8c147818192fde2266d; http://blog.talosintelligence.com/2017/07/threat-roundup-0714-0721.html#more |
M17-lc201 | NukeBot_9e469e1a | Windows | This strike sends a malware sample known as NukeBot. NukeBot is a modular banking trojan that was created to steal the credentials of online banking customers. | 9e469e1adf9aae06bae6017a392b4aa9 | SHA1: 12a7a1d90ab72e83fa8308ca5ae08dac9dc17e00; MD5: 9e469e1adf9aae06bae6017a392b4aa9; SHA256: ba27dced648485cd81f117dbf1eb67ac75cf9c54899f5a7f69906f3044cff737; https://threatpost.com/modified-versions-of-nukebot-in-wild-since-source-code-leak/126920/ |
M17-7ha01 | Win.Trojan.AutoIT-6333854-0_029a44e2 | Windows | This strike sends a malware sample known as Win.Trojan.AutoIT-6333854-0. This AutoIT malware is packed in a RAR archive that executes itself. It includes several features such as anti-debugging, Firefox web browser password stealing and persistence. The MD5 hash of this Win.Trojan. | 029a44e2935d5268cb551ef67f3a2bac | SHA1: 581ba698ace559658486844d745ee4d35fe6989e; MD5: 029a44e2935d5268cb551ef67f3a2bac; SHA256: 62f72450c470bd01096766ac25e8b6ca4edb79683c2ee5b2cc89ec2234983c44; http://blog.talosintelligence.com/2017/07/threat-roundup-0714-0721.html#more |
M17-uoi01 | Doc.Downloader.Agent-6333860-0_e8d7d75d | Mixed | This strike sends a malware sample known as Doc.Downloader.Agent-6333860-0. This malware sample is a document downloader that uses Microsoft Excel worksheets with macros to trigger Shell functions. The MD5 hash of this Doc.Downloader. | e8d7d75d94314d0af1919a6f2bb2edb9 | SHA1: 8c8cb1fa0f687604f2e4e37e28c9dac8c745178f; MD5: e8d7d75d94314d0af1919a6f2bb2edb9; SHA256: 07aa3365d733098e11e91ece1628130217414488d3fce0e2e261bfb29ab6fed9; http://blog.talosintelligence.com/2017/07/threat-roundup-0714-0721.html#more |
M17-tk601 | CopyCat_ee1bcb0d | Android | This strike sends a malware sample known as CopyCat. CopyCat is a family of Android mobile malware that infected over 14 million devices while gaining root privileges on over half of them. This malware has many capabilities but its main purpose is to generate and steal ad revenues. | ee1bcb0d5036b4ba72036f79c538c8b1 | SHA1: 0520045a2acae640cb3b70b5425d2bcc57721e99; MD5: ee1bcb0d5036b4ba72036f79c538c8b1; SHA256: 3e9274183426e5b6986d0534f3331e3761daa800da1e68acdbbd50cdffed5b77; https://www.checkpoint.com/downloads/resources/copycat-research-report.pdf |
M17-17h01 | Doc.Downloader.Agent-6333860-0_bd17aa6b | Mixed | This strike sends a malware sample known as Doc.Downloader.Agent-6333860-0. This malware sample is a document downloader that uses Microsoft Excel worksheets with macros to trigger Shell functions. The MD5 hash of this Doc.Downloader. | bd17aa6b70c0907497aa6242fb1acc37 | SHA1: ab6e993bfa7e53e35d811bd24021eeef99a0f700; MD5: bd17aa6b70c0907497aa6242fb1acc37; SHA256: 01c4f96c8117df219cf9f50723454ace242edcf2d22b09e8e72c5d0c92aad540; http://blog.talosintelligence.com/2017/07/threat-roundup-0714-0721.html#more |
M17-f7s01 | Doc.Downloader.Agent-6333860-0_fe4fb002 | Mixed | This strike sends a malware sample known as Doc.Downloader.Agent-6333860-0. This malware sample is a document downloader that uses Microsoft Excel worksheets with macros to trigger Shell functions. The MD5 hash of this Doc.Downloader. | fe4fb002ec991c7f2a431ac1cb9c2f83 | SHA1: 9b2c14275adf709fa45c53654c88c4df93f581c6; MD5: fe4fb002ec991c7f2a431ac1cb9c2f83; SHA256: 070e56e7170fc63c1c42c3b0b37df5a25f5c7e2e0a5fd454e8e8e63de2b71bdf; http://blog.talosintelligence.com/2017/07/threat-roundup-0714-0721.html#more |
M17-zk401 | Win.Trojan.AutoIT-6333854-0_5d2d24b7 | Windows | This strike sends a malware sample known as Win.Trojan.AutoIT-6333854-0. This AutoIT malware is packed in a RAR archive that executes itself. It includes several features such as anti-debugging, Firefox web browser password stealing and persistence. The MD5 hash of this Win.Trojan. | 5d2d24b74349f16c857536f96f2d3526 | SHA1: 2723f6aea64851703ab7f70d6bcea9bcf150bde7; MD5: 5d2d24b74349f16c857536f96f2d3526; SHA256: ea047fca20938acaeaf82d7753a86bdf9c6ed1bcb6573634d8f515d15b6ddd13; http://blog.talosintelligence.com/2017/07/threat-roundup-0714-0721.html#more |
M17-hzp01 | Win.Trojan.DelphiSpamDown-6333_44b21e02 | Windows | This strike sends a malware sample known as Win.Trojan.DelphiSpamDown-6333. This malware sample is a Delphi downloader. It can be found in the wild and is related to a spam campaign. The MD5 hash of this Win.Trojan. | 44b21e02e76c20916ad6ba762d8e4e0a | SHA1: 689ea54b12ab63ce3347a88f77a91d8b72a0679f; MD5: 44b21e02e76c20916ad6ba762d8e4e0a; SHA256: d603a19fb425aa77308ee7d3527f03e0a455667aed2030b4fc2c46388a230dad; http://blog.talosintelligence.com/2017/07/threat-roundup-0714-0721.html#more |
M17-3wz01 | Doc.Macro.Obfuscation_78b61795 | Mixed | This strike sends a malware sample known as Doc.Macro.Obfuscation. This Office malware sample uses macros to compromise the target system by indirectly accessing data from arrays to perform its functions. The MD5 hash of this Doc.Macro. | 78b61795bf73ccc31fadeb04090c9cd5 | SHA1: 0c77388f55d27b4357303b92851ce1af269f979f; MD5: 78b61795bf73ccc31fadeb04090c9cd5; SHA256: a84e3659977948b8f14cb2bfacef19d997463e779fed8750fa2d44b4342584b4; http://blog.talosintelligence.com/2017/07/threat-roundup-0714-0721.html#more |
M17-g4p01 | TerrorEK_cd580370 | Windows | This strike sends a malware sample known as TerrorEK. Terror EK is an exploit kit that uses malvertising on adult web site traffic for distribution. It can fingerprint its target to determine which exploits to deliver. | cd580370d94103205cc1e1e196205840 | SHA1: b7315fabb56e19cef664cc61a6267c7e317bb9f9; MD5: cd580370d94103205cc1e1e196205840; SHA256: 404108a0066f6df22bfb4abcec849c214eed089c69b115f5300a2ac631863b1a; https://blog.malwarebytes.com/cybercrime/2017/07/terror-ek-actor-experiments-with-url-shortener-fraud/ |
M17-q9301 | LockPoS_3d0f6367 | Windows | This strike sends a malware sample known as LockPoS. LockPoS is a point of sale malware that was first discovered targeting systems in Brazil. The malware utilizes HTTP to perform C2 communications and credit card data exfiltration. | 3d0f6367f1fedfc08734b35200c7abf9 | SHA1: 419311da2ef6b2a9ca27dba3241a0d62a4e25848; MD5: 3d0f6367f1fedfc08734b35200c7abf9; SHA256: 93c11f9b87b2b04f8dadb6a579e2046a69073a244fd4a71a10b1f1fbff36c488; https://www.arbornetworks.com/blog/asert/lockpos-joins-flock/ |
M17-s2301 | CopyCat_99e77c51 | Android | This strike sends a malware sample known as CopyCat. CopyCat is a family of Android mobile malware that infected over 14 million devices while gaining root privileges on over half of them. This malware has many capabilities but its main purpose is to generate and steal ad revenues. | 99e77c51b74ec18adf2e3d63871f087b | SHA1: 9c33df5ea05e73c5e4a5f8dc7ac28baed8705ca2; MD5: 99e77c51b74ec18adf2e3d63871f087b; SHA256: cea1a2984bd529d5451e1108e8f83cfe485350b43b51f754ccbe467ebcc1a429; https://www.checkpoint.com/downloads/resources/copycat-research-report.pdf |
M17-70a01 | LeakerLocker_7ed5e8f3 | Android | This strike sends a malware sample known as LeakerLocker. This Android ransomware sample does not encrypt files; instead it collects personal and private information from the device and threatens to share it if a ransom is not paid. | 7ed5e8f3de77bf3d88896fbc756f4ee4 | SHA1: bda4483bc6b999618a1ff637d380ce253ac79a0e; MD5: 7ed5e8f3de77bf3d88896fbc756f4ee4; SHA256: cb0a777e79bcef4990159e1b6577649e1fca632bfca82cb619eea0e4d7257e7b; https://securingtomorrow.mcafee.com/mcafee-labs/leakerlocker-mobile-ransomware-acts-without-encryption/; http://thehackernews.com/2017/07/leakerlocker-android-ransomware.html |
M17-yn801 | Doc.Macro.Obfuscation_1ec50c62 | Mixed | This strike sends a malware sample known as Doc.Macro.Obfuscation. This Office malware sample uses macros to compromise the target system by indirectly accessing data from arrays to perform its functions. The MD5 hash of this Doc.Macro. | 1ec50c62b67bc6efabde292238cf3dec | SHA1: 065a6e0c9279b76709d27b279002981772e1a347; MD5: 1ec50c62b67bc6efabde292238cf3dec; SHA256: 29015d08a221749ca7cd1b9526ae4c434457199ac3226236f9e57fdb01b21213; http://blog.talosintelligence.com/2017/07/threat-roundup-0714-0721.html#more |
M17-fcj01 | Win.Trojan.AutoIT-6333854-0_5a7bf360 | Windows | This strike sends a malware sample known as Win.Trojan.AutoIT-6333854-0. This AutoIT malware is packed in a RAR archive that executes itself. It includes several features such as anti-debugging, Firefox web browser password stealing and persistence. The MD5 hash of this Win.Trojan. | 5a7bf36062b7715b2fea57d3094306c9 | SHA1: 1813e1a8cc0b39cf2bfc48a2acad053bcebe7925; MD5: 5a7bf36062b7715b2fea57d3094306c9; SHA256: a831d5503c549917d333d45c72532f0407ed306ca5c95478dad11cb34342ca60; http://blog.talosintelligence.com/2017/07/threat-roundup-0714-0721.html#more |
M17-n9k01 | NukeBot_06330241 | Windows | This strike sends a malware sample known as NukeBot. NukeBot is a modular banking trojan that was created to steal the credentials of online banking customers. | 0633024162d9096794324094935c62c0 | SHA1: eebfd8fb539c500e7cc398232fb85fe18cafd379; MD5: 0633024162d9096794324094935c62c0; SHA256: cde50cd8d7b86425f1fea457cba17321bc4f82ff90df8169d4c8091d2c3cb275; https://threatpost.com/modified-versions-of-nukebot-in-wild-since-source-code-leak/126920/ |
M17-g9001 | TrojanDropper_1431649f | Windows | This strike sends a malware sample known as TrojanDropper. The sample has been identified in the wild being downloaded by DoublePulsar backdoor payloads. | 1431649fe7eb8e764a12b13f73d5ef3e | SHA1: 939a7f5a55995940aceefdc41a2e191a9dc390c1; MD5: 1431649fe7eb8e764a12b13f73d5ef3e; SHA256: f4dadbc88510393f6ea05a3e78fc4ced3e44a227168e449fb83e010d52c1d3fd |
M17-y6m01 | CopyCat_d7de0ee8 | Android | This strike sends a malware sample known as CopyCat. CopyCat is a family of Android mobile malware that infected over 14 million devices while gaining root privileges on over half of them. This malware has many capabilities but its main purpose is to generate and steal ad revenues. | d7de0ee80aa16beca37ccbbc30031995 | SHA1: 55793c9680b8f3cbd84e7210d3250a0a4cabe62e; MD5: d7de0ee80aa16beca37ccbbc30031995; SHA256: 1ba7ad1ad23f58e8004ac874a4317e289870e192d2d518c75e0587df1c592719; https://www.checkpoint.com/downloads/resources/copycat-research-report.pdf |
M17-xcg01 | Win.Trojan.AutoIT-6333854-0_ef659b99 | Windows | This strike sends a malware sample known as Win.Trojan.AutoIT-6333854-0. This AutoIT malware is packed in a RAR archive that executes itself. It includes several features such as anti-debugging, Firefox web browser password stealing and persistence. The MD5 hash of this Win.Trojan. | ef659b991298558a0c8abb4bc4052dd6 | SHA1: 9df6f40ed879244a4cf1d19cba8e1af69afae6e0; MD5: ef659b991298558a0c8abb4bc4052dd6; SHA256: f8305d63f8d4ebc4b4c4bea7c3dd75b3d3c3f53aa2f28cc789a2573d55b83613; http://blog.talosintelligence.com/2017/07/threat-roundup-0714-0721.html#more |
M17-9nb01 | NukeBot_a06a16bd | Windows | This strike sends a malware sample known as NukeBot. NukeBot is a modular banking trojan that was created to steal the credentials of online banking customers. | a06a16bd77a0fcb95c2c4321be0d2b26 | SHA1: 296563d57efc1c5dc40bb0f872ea1aa42161cc94; MD5: a06a16bd77a0fcb95c2c4321be0d2b26; SHA256: 99f68d773b32e33136c33029f9276af5a526370be7ceadb013c5eac16ade1d38; https://threatpost.com/modified-versions-of-nukebot-in-wild-since-source-code-leak/126920/ |
M17-lrw01 | sPowerShell_a7200cd7 | Mixed | This strike sends a malware sample known as sPowerShell. This sample is a JavaScript dropper for ransomware and information stealers. | a7200cd7778c40292b17736184dcd2ae | SHA1: 5367459f0405e7bae545b13223a11b7b01f2cef2; MD5: a7200cd7778c40292b17736184dcd2ae; SHA256: cce0da7814b5966ffacfecacec0e87aec83989889b56e4dc37eed7873b51617f; http://blog.talosintelligence.com/2017/07/threat-roundup-0714-0721.html#more |
M17-g9c01 | Cerber_0771f009 | Windows | This strike sends a malware sample known as Cerber. The Cerber family started to emerge during the 1st quarter of 2016 and has been seen being distributed via the Neutrino and Magnitude exploit kits and via spam emails carrying VBScript files. | 0771f00985f1e0ce93740281da8752fe | SHA1: 46c7ac1b3ed05b10cde72c77b10418e18d09e1e0; MD5: 0771f00985f1e0ce93740281da8752fe; SHA256: 56f41afc8f025597659f11f59b191e66bd6c6525313cf3c0356c40490722b7c5; https://blog.malwarebytes.com/threat-analysis/2016/03/cerber-ransomware-new-but-mature/ |
M17-6gk01 | NukeBot_93b14905 | Windows | This strike sends a malware sample known as NukeBot. NukeBot is a modular banking trojan that was created to steal the credentials of online banking customers. | 93b14905d3b8fe67c2d552a85f06dec9 | SHA1: dfd6e7e6ef67339df85136c203be19b7b443a1ff; MD5: 93b14905d3b8fe67c2d552a85f06dec9; SHA256: 94129dc33aef44c4b20fce185e9dc877b6cd7f3785e011caec2979a66254e6a6; https://threatpost.com/modified-versions-of-nukebot-in-wild-since-source-code-leak/126920/ |
M17-cio01 | NukeBot_44230db0 | Windows | This strike sends a malware sample known as NukeBot. NukeBot is a modular banking trojan that was created to steal the credentials of online banking customers. | 44230db078d5f1aeb7ad844590ddc13e | SHA1: 66d8aaf4defa0fcc6c5ec319504ae15df2daf8af; MD5: 44230db078d5f1aeb7ad844590ddc13e; SHA256: 1ad1c47a0cbcdf08e45b8d93864eec32fdff16037acaef40562a8966e46ddd87; https://threatpost.com/modified-versions-of-nukebot-in-wild-since-source-code-leak/126920/ |
M17-ron01 | Doc.Macro.Obfuscation_986d7c12 | Mixed | This strike sends a malware sample known as Doc.Macro.Obfuscation. This Office malware sample uses macros to compromise the target system by indirectly accessing data from arrays to perform its functions. The MD5 hash of this Doc.Macro. | 986d7c1268664329565a12cef882abb7 | SHA1: 29c835641e68c333ccc956a6c2a667b3a4ba98fc; MD5: 986d7c1268664329565a12cef882abb7; SHA256: 41b9c93fed52bffe68d03abbcbe42086a9baf743d56f9262abd5b4c7fcbff951; http://blog.talosintelligence.com/2017/07/threat-roundup-0714-0721.html#more |
M17-m7101 | Win.Virus.Virlock-6332874-0_c3018da7 | Windows | This strike sends a malware sample known as Win.Virus.Virlock-6332874-0. VirLock is a polymorphic ransomware that encrypts the files on the target system and also inserts a modified version of its own code at the beginning of each file. After execution it locks the screen and asks the user to pay a ransom. The MD5 hash of this Win.Virus. | c3018da794cafcfaf3528feaca1bb810 | SHA1: a367586015e9f804f3d04a582b3eb9b5f1bdfad7; MD5: c3018da794cafcfaf3528feaca1bb810; SHA256: d49a98d35bcb6ff16206c6d1e1495d4ddf9f1911f785bccda24c2b1e0bfe3d03; http://blog.talosintelligence.com/2017/07/threat-roundup-0714-0721.html#more |
M17-bjr01 | NukeBot_697a7037 | Windows | This strike sends a malware sample known as NukeBot. NukeBot is a modular banking trojan that was created to steal the credentials of online banking customers. | 697a7037d30d8412df6a796a3297f37e | SHA1: 205f65ee47935edd01ead4ac6bcfb808008b8857; MD5: 697a7037d30d8412df6a796a3297f37e; SHA256: 845cf83b9fd613d20b3d54a211300a7a04fd3fed2861d156f354bd186d975455; https://threatpost.com/modified-versions-of-nukebot-in-wild-since-source-code-leak/126920/ |
M17-jgh01 | CopyCat_0dec8b83 | Android | This strike sends a malware sample known as CopyCat. CopyCat is a family of Android mobile malware that infected over 14 million devices while gaining root privileges on over half of them. This malware has many capabilities but its main purpose is to generate and steal ad revenues. | 0dec8b83592db8fe690d8935d95c42f7 | SHA1: 0107327e7604d673e074c2729117b156c43ebd68; MD5: 0dec8b83592db8fe690d8935d95c42f7; SHA256: b0475da7c2934b24cc5830e0a03dec195f997af0132c8493635240f90d5bc15a; https://www.checkpoint.com/downloads/resources/copycat-research-report.pdf |
M17-ujt01 | TrojanDropper_8e5948ec | Windows | This strike sends a malware sample known as TrojanDropper. The sample has been identified in the wild being downloaded by DoublePulsar backdoor payloads. | 8e5948ec85ca0d6dce18411721e92c0a | SHA1: 40583041b97ef429716a1fc72b78ad0c1da9aa3f; MD5: 8e5948ec85ca0d6dce18411721e92c0a; SHA256: f9a686680a20a8aeaaaa154ae9eb8c8fd018f109350c4bce2ce3bd4b3a33f1d2 |
M17-2rw01 | .Net | Windows | This strike sends a malware sample known as .Net Dubled Backdoor. This .Net malware is not particularly advanced; however, it comes with many features, including the ability to spy on the target system and record a user's banking activity via the ffmpg application. The MD5 hash of this . | e907ebeda7d6fd7f0017a6fb048c4d23 | SHA1: 8b2c012b2355e0c3c56d328ed532d0aa4225713b; MD5: e907ebeda7d6fd7f0017a6fb048c4d23; SHA256: 7d822d00cd31f4e3bc7bad3535a6590e2f838cc575b8128e716db59b37eb6fb5; https://blog.malwarebytes.com/threat-analysis/2017/07/malware-abusing-ffmpeg/ |
M17-f7601 | Doc.Downloader.Agent-6333860-0_c6199a46 | Mixed | This strike sends a malware sample known as Doc.Downloader.Agent-6333860-0. This malware sample is a document downloader that uses Microsoft Excel worksheets with macros to trigger Shell functions. The MD5 hash of this Doc.Downloader. | c6199a46d8326b08bc2114ff64a4af63 | SHA1: 6b9d533a7ce64c3452b9975d722180695be3b51e; MD5: c6199a46d8326b08bc2114ff64a4af63; SHA256: 01ed6302a7ea8d4c54d439b7016b99b6dca275f85d22611811bac8c135309d41; http://blog.talosintelligence.com/2017/07/threat-roundup-0714-0721.html#more |
M17-n2901 | CopyCat_f25e3352 | Android | This strike sends a malware sample known as CopyCat. CopyCat is a family of Android mobile malware that infected over 14 million devices while gaining root privileges on over half of them. This malware has many capabilities but its main purpose is to generate and steal ad revenues. | f25e3352735aa210906527adf1140980 | SHA1: 5f161882b681f801b836f6ce8591cdf9716382f0; MD5: f25e3352735aa210906527adf1140980; SHA256: 2f83e80ad23c0aa5d0962c8846cf199842179d806ebec6d4d5ba10e797576101; https://www.checkpoint.com/downloads/resources/copycat-research-report.pdf |
M17-93401 | CopyCat_d6de304c | Android | This strike sends a malware sample known as CopyCat. CopyCat is a family of Android mobile malware that infected over 14 million devices while gaining root privileges on over half of them. This malware has many capabilities but its main purpose is to generate and steal ad revenues. | d6de304ca960f4e948ef59f144de29aa | SHA1: 4bb0503e1784cbe97e8e7d81d92899bbbe5fa33a; MD5: d6de304ca960f4e948ef59f144de29aa; SHA256: 934d2ce9e35ab01b2362c2dbbb6b08b77de5b16145e4debee41bb6780cf8848f; https://www.checkpoint.com/downloads/resources/copycat-research-report.pdf |
M17-zss01 | CopyCat_f3f44065 | Android | This strike sends a malware sample known as CopyCat. CopyCat is a family of Android mobile malware that infected over 14 million devices while gaining root privileges on over half of them. This malware has many capabilities but its main purpose is to generate and steal ad revenues. | f3f4406564543f7f471b4139b5f7d06b | SHA1: 9e33853d5c0edee9900f3a71b61fb1f4fd286d9b; MD5: f3f4406564543f7f471b4139b5f7d06b; SHA256: 824119e6dc4fe6f236f9f248abffb77723b0da4632047c7f4edc336208b27b54; https://www.checkpoint.com/downloads/resources/copycat-research-report.pdf |
M17-x3601 | Doc.Downloader.Agent-6333860-0_c67e57d2 | Mixed | This strike sends a malware sample known as Doc.Downloader.Agent-6333860-0. This malware sample is a document downloader that uses Microsoft Excel worksheets with macros to trigger Shell functions. The MD5 hash of this Doc.Downloader. | c67e57d24c97e1966177924db6a42636 | SHA1: 7995d0f190cf28dba3d0d7ece974b505d77e9b58; MD5: c67e57d24c97e1966177924db6a42636; SHA256: 0634216b34baf0fdc293002632932312293fc4854701b143c6f4735e8cd98b45; http://blog.talosintelligence.com/2017/07/threat-roundup-0714-0721.html#more |
M17-t0501 | Doc.Macro.Obfuscation_f8ba8dbd | Mixed | This strike sends a malware sample known as Doc.Macro.Obfuscation. This Office malware sample uses macros to compromise the target system by indirectly accessing data from arrays to perform its functions. The MD5 hash of this Doc.Macro. | f8ba8dbdfb0d819dc77b14ce33571fe3 | SHA1: ebb49ca6fca45a004ff203957190e175ecc43bae; MD5: f8ba8dbdfb0d819dc77b14ce33571fe3; SHA256: a4e076bdea2bdc1028d232079b0bcf42a9b4997fb43e78fbda745f6bb047612c; http://blog.talosintelligence.com/2017/07/threat-roundup-0714-0721.html#more |
M17-03301 | Win.Trojan.AutoIT-6333854-0_ee622d9b | Windows | This strike sends a malware sample known as Win.Trojan.AutoIT-6333854-0. This AutoIT malware is packed in a RAR archive that executes itself. It includes several features such as anti-debugging, Firefox web browser password stealing and persistence. The MD5 hash of this Win.Trojan. | ee622d9ba9a819cb7579b24d162e9f1d | SHA1: 13f0ea1243856c65fad230392925a9c8f5328836; MD5: ee622d9ba9a819cb7579b24d162e9f1d; SHA256: bb51a0200e84137fb1c07e39fbd7f0ded1eda78d3c95cfa1e16887f0762ab665; http://blog.talosintelligence.com/2017/07/threat-roundup-0714-0721.html#more |
M17-jfv01 | Win.Virus.Virlock-6332874-0_30906e51 | Windows | This strike sends a malware sample known as Win.Virus.Virlock-6332874-0. VirLock is a polymorphic ransomware that encrypts the files on the target system, and also inserts a modified version of its own code at the beginning of each file. After execution it locks the screen and asks the user to pay a ransom. The MD5 hash of this Win.Virus. | 30906e516b55ed0ee41e5c7575a8add2 | SHA1: d504db93625d2938ea71b7bde04080cd5dfb5f46MD5: 30906e516b55ed0ee41e5c7575a8add2SHA256: 7cd99c34887ea6213f18347720d7b1d257969f821bc78f6ad128f55ff137096chttp://blog.talosintelligence.com/2017/07/threat-roundup-0714-0721.html#more |
M17-c0k01 | PoSeidon_0c7631f7 | Windows | This strike sends a malware sample known as PoSeidon. PoSeidon is a point of sale malware also known as FindPoS. This malware steals credit card information from point of sale devices and siphons it back to the remote attacker. | 0c7631f791c60f79faa1d879056c2e18 | SHA1: 5274255aa6032528360fc222b8aeb911caa35e40MD5: 0c7631f791c60f79faa1d879056c2e18SHA256: 66112976832889918464be71e7fa134dd5e838717607c7470db9750f1e2bad75https://krebsonsecurity.com/2017/07/self-service-food-kiosk-vendor-avanti-hacked/ |
M17-cl901 | NukeBot_031a8139 | Windows | This strike sends a malware sample known as NukeBot. NukeBot is a modular banking trojan that was created to steal the credentials of online banking customers. | 031a8139f1e0f8802ff55bace423284f | SHA1: a5f7867ea057690c4f3a58ea6ecb0c70a65088dfMD5: 031a8139f1e0f8802ff55bace423284fSHA256: 8533d6ff4557a0870ccd0ed6268f7f4589f144ba9367bd4665e7239a99e8dcefhttps://securelist.com/the-nukebot-banking-trojan-from-rough-drafts-to-real-threats/78957/ |
M17-3gj01 | CopyCat_e368fb1d | Android | This strike sends a malware sample known as CopyCat. CopyCat is a family of Android mobile malware that infected over 14 million devices while gaining root privileges on over half of them. This malware has many capabilities but its main purpose is to generate and steal ad revenues. | e368fb1d80bbf24fdfb4ebae7806c885 | SHA1: d44dbd5f953ef6fa338081ba707a35d385e48514MD5: e368fb1d80bbf24fdfb4ebae7806c885SHA256: 23520f0f96669fd4c57f2ce08bb35e2d3be62df2454743d997bc519e66d894b8https://www.checkpoint.com/downloads/resources/copycat-research-report.pdf |
M17-6q501 | LeakerLocker_531882c3 | Android | This strike sends a malware sample known as LeakerLocker. This Android ransomware sample does not encrypt files, but instead collects personal and private information from the device, and threatens to share them if a ransom is not paid. | 531882c30198ae24329563a64e3199cd | SHA1: e0bf48c49bde950e93e8bae186b813048a9d1132MD5: 531882c30198ae24329563a64e3199cdSHA256: 486f80edfb1dea13cde87827b14491e93c189c26830b5350e31b07c787b29387https://securingtomorrow.mcafee.com/mcafee-labs/leakerlocker-mobile-ransomware-acts-without-encryption/http://thehackernews.com/2017/07/leakerlocker-android-ransomware.html |
M17-0sw01 | Doc.Macro.Obfuscation_3603129e | Mixed | This strike sends a malware sample known as Doc.Macro.Obfuscation. This Office malware sample uses macros to compromise the target system by indirectly accessing data from arrays to perform its functions. The MD5 hash of this Doc.Macro. | 3603129e01b2a6cf35257c82b90166c4 | SHA1: 614c261e2208dd353ee80a6b0a3df5ac8bca540aMD5: 3603129e01b2a6cf35257c82b90166c4SHA256: 5702fa93b08399d8f8d7d1ef1eb2902e7f37a9bbaaf5d9aa6b85a2844224662ehttp://blog.talosintelligence.com/2017/07/threat-roundup-0714-0721.html#more |
M17-es901 | Doc.Macro.Obfuscation_af92fbed | Mixed | This strike sends a malware sample known as Doc.Macro.Obfuscation. This Office malware sample uses macros to compromise the target system by indirectly accessing data from arrays to perform its functions. The MD5 hash of this Doc.Macro. | af92fbedc07a81efa7b7515545056ac9 | SHA1: 844379215865225dff948022ae8f4dae7bd07c38MD5: af92fbedc07a81efa7b7515545056ac9SHA256: 5d91e7426fb87e5f2c9a5aa575d8bc0e98b7e1a09947dcb4e4943c5c047933d9http://blog.talosintelligence.com/2017/07/threat-roundup-0714-0721.html#more |
M17-avv01 | Petya/NotPetya_08828daf | Windows | This strike sends a malware sample known as Petya/NotPetya. Petya/NotPetya is a ransomware that has been tied to the Petya ransomware due to the nature of how encrypts files and displays them in the ransom note. However, further analysis has shown that it is very dissimilar from Petya and may be a different family of malware entirely. | 08828daf9a027e97fee2421ac6cbc868 | SHA1: ad1b006e99b9faded1a2dd4ec98cd3818cf245e3MD5: 08828daf9a027e97fee2421ac6cbc868SHA256: 4ee2ae805c31ec4f11f3f6ecf56e9c6e2f59dcd517a5a73210b5e5015f63beeahttps://www.carbonblack.com/2017/06/27/protect-organization-petya-ransomware-carbon-black/ |
M17-9d401 | Win.Virus.Virlock-6332874-0_bce40383 | Windows | This strike sends a malware sample known as Win.Virus.Virlock-6332874-0. VirLock is a polymorphic ransomware that encrypts the files on the target system, and also inserts a modified version of its own code at the beginning of each file. After execution it locks the screen and asks the user to pay a ransom. The MD5 hash of this Win.Virus. | bce40383d98f77cfbe9257730d574ef0 | SHA1: 4f61f3a40507f6765ebe6a69063666cbe4cdca15MD5: bce40383d98f77cfbe9257730d574ef0SHA256: 6cff1fdde90a5708301b2d3c48729ebf3be7bb4a8f0e6992406affe034ad0a0fhttp://blog.talosintelligence.com/2017/07/threat-roundup-0714-0721.html#more |
M17-vz702 | CopyCat_29e2f738 | Android | This strike sends a malware sample known as CopyCat. CopyCat is a family of Android mobile malware that infected over 14 million devices while gaining root privileges on over half of them. This malware has many capabilities but its main purpose is to generate and steal ad revenues. | 29e2f7388788c93f47f832cf9f6b00cb | SHA1: 9ee904a51c848dabc5eb72895809fa1d4f716621MD5: 29e2f7388788c93f47f832cf9f6b00cbSHA256: 25942d57f2188c2a0181d15af7a5628e75376f1d1ce1dcf70930f80a781b418dhttps://www.checkpoint.com/downloads/resources/copycat-research-report.pdf |
M17-etz01 | Win.Virus.Virlock-6332874-0_a2b2f2b7 | Windows | This strike sends a malware sample known as Win.Virus.Virlock-6332874-0. VirLock is a polymorphic ransomware that encrypts the files on the target system, and also inserts a modified version of its own code at the beginning of each file. After execution it locks the screen and asks the user to pay a ransom. The MD5 hash of this Win.Virus. | a2b2f2b74a07b64de247c3f2ceaaa929 | SHA1: a81523d7d5936fae8a99f5299ccc530c8949ef38MD5: a2b2f2b74a07b64de247c3f2ceaaa929SHA256: 81bec8df30db0bd694ecf01d3950fbe91823854ab017c0cb176d32c9ada3f202http://blog.talosintelligence.com/2017/07/threat-roundup-0714-0721.html#more |
M17-qc401 | Win.Trojan.AutoIT-6333854-0_995b5c4e | Windows | This strike sends a malware sample known as Win.Trojan.AutoIT-6333854-0. This AutoIT malware is packed in a RAR archive that executes itself. It includes several features like anti-debugging, Firefox web browser password stealing and persistence. The MD5 hash of this Win.Trojan. | 995b5c4eb698bcf47e69729dee6a797c | SHA1: 20c0604298c2d7f9b12704032b3dafdc9a83372aMD5: 995b5c4eb698bcf47e69729dee6a797cSHA256: 83a482b1771474915838db7251d00cf12ae5171c04966621bba82c5829e57b4ahttp://blog.talosintelligence.com/2017/07/threat-roundup-0714-0721.html#more |
M17-b0701 | CopyCat_fe514fc5 | Android | This strike sends a malware sample known as CopyCat. CopyCat is a family of Android mobile malware that infected over 14 million devices while gaining root privileges on over half of them. This malware has many capabilities but its main purpose is to generate and steal ad revenues. | fe514fc594c4f5248031ae1ab5111ec2 | SHA1: efaa96c0159a242a27e3abf6765ff789184e7d5eMD5: fe514fc594c4f5248031ae1ab5111ec2SHA256: a0cf53bf42cd59016a6ec86747f066db62a7a9461fd903d38fd692e8c23bb5a8https://www.checkpoint.com/downloads/resources/copycat-research-report.pdf |
M17-jgu01 | Win.Virus.Virlock-6332874-0_0717e99b | Windows | This strike sends a malware sample known as Win.Virus.Virlock-6332874-0. VirLock is a polymorphic ransomware that encrypts the files on the target system, and also inserts a modified version of its own code at the beginning of each file. After execution it locks the screen and asks the user to pay a ransom. The MD5 hash of this Win.Virus. | 0717e99b914fb74bafa67fe0c0c49a7d | SHA1: cbdf94cc63ee85dd69c20a1907c6bbb37c2ebaa5MD5: 0717e99b914fb74bafa67fe0c0c49a7dSHA256: faaa74146e151d525e94e536ee2605a76c8a0d1699024979181712a03b249f25http://blog.talosintelligence.com/2017/07/threat-roundup-0714-0721.html#more |
M17-uy701 | CopyCat_6d6fb0e4 | Android | This strike sends a malware sample known as CopyCat. CopyCat is a family of Android mobile malware that infected over 14 million devices while gaining root privileges on over half of them. This malware has many capabilities but its main purpose is to generate and steal ad revenues. | 6d6fb0e4bde18b65453fcd639ba24d6a | SHA1: 97934510fd6e4c7c39789b32acb150613d66d4b5MD5: 6d6fb0e4bde18b65453fcd639ba24d6aSHA256: f3f71bbed9e9db95ada278aacb3d5fd53f481d785048a6fe8dbb2babc601baa3https://www.checkpoint.com/downloads/resources/copycat-research-report.pdf |
M17-v4701 | sPowerShell_d243b08c | Mixed | This strike sends a malware sample known as sPowerShell. This sample is a JavaScript dropper for ransomware and information stealers. | d243b08c672e6b8c0bc065458369fe78 | SHA1: 018189057dcd9fb02449c131ff592010d73b637aMD5: d243b08c672e6b8c0bc065458369fe78SHA256: 7a6d5ae7d7bc2849ea40907912a27e8aa6c83fafd952168f9e2d43f76881300chttp://blog.talosintelligence.com/2017/07/threat-roundup-0714-0721.html#more |
M17-4t401 | Gh0stRat_7365383f | Windows | This strike sends a malware sample known as Gh0stRat. The sample has been identified in-the-wild being downloaded by DoublePulsar backdoor payloads. | 7365383ff0368f8b6ff1d6f0157a14e0 | SHA1: 4dabb411ba0c75fc98e7d0624cf0b170e3c3e2d2MD5: 7365383ff0368f8b6ff1d6f0157a14e0SHA256: 153383b05a484845b3eb39915098fa6c8d68fcb639ade54215cda7fcbdeda14a |
M17-mfm01 | Win.Virus.Virlock-6332874-0_f29adc89 | Windows | This strike sends a malware sample known as Win.Virus.Virlock-6332874-0. VirLock is a polymorphic ransomware that encrypts the files on the target system, and also inserts a modified version of its own code at the beginning of each file. After execution it locks the screen and asks the user to pay a ransom. The MD5 hash of this Win.Virus. | f29adc8991371b8b2c8b1bd19cc39a79 | SHA1: 68c540ed0bec4b91cce3a9d72013fb4a8195dc3cMD5: f29adc8991371b8b2c8b1bd19cc39a79SHA256: 6161ca5b2cd218ae1c277e6fcc509f571cc409ae4b2aba007d0e1ef28057fd7dhttp://blog.talosintelligence.com/2017/07/threat-roundup-0714-0721.html#more |
M17-5v901 | TrojanDropper_8801cbc4 | Windows | This strike sends a malware sample known as TrojanDropper. The sample has been identified in-the-wild being downloaded by DoublePulsar backdoor payloads. | 8801cbc42062184ffa0440a136de2117 | SHA1: afed24723e3ee241a3cea34e009297c8afd87a63MD5: 8801cbc42062184ffa0440a136de2117SHA256: 8f1f7b271182f105f3f55815f4493e5b1ab103b9b555876c0854ec4a2935a8ad |
M17-cgq01 | CopyCat_cc2bf64f | Android | This strike sends a malware sample known as CopyCat. CopyCat is a family of Android mobile malware that infected over 14 million devices while gaining root privileges on over half of them. This malware has many capabilities but its main purpose is to generate and steal ad revenues. | cc2bf64f2fb1330ab2acbfb783a68d1e | SHA1: bfbb33c65fb8d73fb227524786a82dd9c9ed24f2MD5: cc2bf64f2fb1330ab2acbfb783a68d1eSHA256: 0db037e7a2d1357228e9e03cee5d65b22266a017d55b72570e615f07fc22cc2dhttps://www.checkpoint.com/downloads/resources/copycat-research-report.pdf |
M17-5uz01 | TrojanDropper_b1fcf154 | Windows | This strike sends a malware sample known as TrojanDropper. The sample has been identified in-the-wild being downloaded by DoublePulsar backdoor payloads. | b1fcf154622b4274ad3044e8e0f68096 | SHA1: 98e1b55fda3a096d33b73505eb04e49f641d2ed0MD5: b1fcf154622b4274ad3044e8e0f68096SHA256: 188e15739ed2a33954b3166722f816d4bb3532ea7b633532dd2a4671f6ff4eaf |
M17-ewn01 | NukeBot_8ebec289 | Windows | This strike sends a malware sample known as NukeBot. NukeBot is a modular banking trojan that was created to steal the credentials of online banking customers. | 8ebec2892d033da58a8082c0c949c718 | SHA1: e7557d738fdb92798708f8b52131a00c9d8e9ce8MD5: 8ebec2892d033da58a8082c0c949c718SHA256: 6c8320e18721d4024290a33d8b610572180c4747d2ca8a50351d7adb0b83c5edhttps://threatpost.com/modified-versions-of-nukebot-in-wild-since-source-code-leak/126920/ |
M17-5d101 | .Net | Windows | This strike sends a malware sample known as .Net Dubled Backdoor. This .Net malware is not particularly advanced, however, it comes with many features including the ability to spy on the target system and record a user's banking activity via the ffmpg application. The MD5 hash of this . | d628d2a9726b777961f2d1346f988767 | SHA1: 179ccf65842a6b7ea3a63028a3b392c44b79121aMD5: d628d2a9726b777961f2d1346f988767SHA256: dfe4222c135c369797b101929bcb8b7cb303fd446dee7a24fd312395842cd070https://blog.malwarebytes.com/threat-analysis/2017/07/malware-abusing-ffmpeg/ |
M17-i0d01 | Win.Trojan.AutoIT-6333854-0_d2ec5278 | Windows | This strike sends a malware sample known as Win.Trojan.AutoIT-6333854-0. This AutoIT malware is packed in a RAR archive that executes itself. It includes several features like anti-debugging, Firefox web browser password stealing and persistence. The MD5 hash of this Win.Trojan. | d2ec5278d3554576f9187c7ca99a8a77 | SHA1: 393bfe994e8a0a34c2451e06568d549fedd6091cMD5: d2ec5278d3554576f9187c7ca99a8a77SHA256: f81a37d816c639fd977d7781f7fe54cc51e2e34aa3bb8bc877c74ae140025003http://blog.talosintelligence.com/2017/07/threat-roundup-0714-0721.html#more |
M17-m1j01 | NukeBot_faf24fc7 | Windows | This strike sends a malware sample known as NukeBot. NukeBot is a modular banking trojan that was created to steal the credentials of online banking customers. | faf24fc768c43b95c744dde551d1e191 | SHA1: 34a5fa75977333c35e161bd2e55c11fed4b4e4beMD5: faf24fc768c43b95c744dde551d1e191SHA256: d404ae1cc6821e18482fa16a8839c99541a9176b78bc4e45fb9bc4bc6177c818https://threatpost.com/modified-versions-of-nukebot-in-wild-since-source-code-leak/126920/ |
M17-b3g01 | Win.Virus.Virlock-6332874-0_bb0199b0 | Windows | This strike sends a malware sample known as Win.Virus.Virlock-6332874-0. VirLock is a polymorphic ransomware that encrypts the files on the target system, and also inserts a modified version of its own code at the beginning of each file. After execution it locks the screen and asks the user to pay a ransom. The MD5 hash of this Win.Virus. | bb0199b0128def72d75b3f307c9c22d0 | SHA1: b9f8463ebc0a663bc890d071272ed236da33c56fMD5: bb0199b0128def72d75b3f307c9c22d0SHA256: 824eed3471a9f86836ac4bced8a5ce7f57df95048a995dc0219feab771404f28http://blog.talosintelligence.com/2017/07/threat-roundup-0714-0721.html#more |
M17-mco01 | Doc.Macro.Obfuscation_ed54bfd0 | Mixed | This strike sends a malware sample known as Doc.Macro.Obfuscation. This Office malware sample uses macros to compromise the target system by indirectly accessing data from arrays to perform its functions. The MD5 hash of this Doc.Macro. | ed54bfd08d039baf8d61f38e86be76c2 | SHA1: db3cd8192b24dbe4904dfda7465fc77cb536f67bMD5: ed54bfd08d039baf8d61f38e86be76c2SHA256: f04ce92cb9f190f8c06d444ac5431f637b6ea8ba864201a549903e3115968403http://blog.talosintelligence.com/2017/07/threat-roundup-0714-0721.html#more |
M17-8gh01 | CopyCat_4b66e5f8 | Android | This strike sends a malware sample known as CopyCat. CopyCat is a family of Android mobile malware that infected over 14 million devices while gaining root privileges on over half of them. This malware has many capabilities but its main purpose is to generate and steal ad revenues. | 4b66e5f820a40e2ee6ab6bb4b09997d7 | SHA1: c7d1187caa6e0ceaa4b10e277332b1a3d70dca9aMD5: 4b66e5f820a40e2ee6ab6bb4b09997d7SHA256: da58b4519e52660f26c81d6fc2b8c0c6ba11262265597360d4de62023f5e5d90https://www.checkpoint.com/downloads/resources/copycat-research-report.pdf |
M17-vz701 | Win.Trojan.AutoIT-6333854-0_ff59bd24 | Windows | This strike sends a malware sample known as Win.Trojan.AutoIT-6333854-0. This AutoIT malware is packed in a RAR archive that executes itself. It includes several features like anti-debugging, Firefox web browser password stealing and persistence. The MD5 hash of this Win.Trojan. | ff59bd2423cd50288c6bee9cda102eed | SHA1: 16bfc7cf7459008846110fa4f6fdde7862624391MD5: ff59bd2423cd50288c6bee9cda102eedSHA256: 38dfdc80844d6f6b0d1a73843f1a4704d7bb12cf2ca61d98a54d1cdb5722ac66http://blog.talosintelligence.com/2017/07/threat-roundup-0714-0721.html#more |
M17-03j01 | FlokiBot_624f84a9 | Mixed | This strike sends a malware sample known as FlokiBot. FlokiBot is a Zeus based banking trojan variant that uses C2 communication to perform DDoS and credit card scraping functionality. | 624f84a9d8979789c630327a6b08c7c6 | SHA1: f9484baf6f7194248a388d41dfd06543b3dc5d26MD5: 624f84a9d8979789c630327a6b08c7c6SHA256: a970842fc7c221fade06c54551c000c0bc494e9e188deb9c570be7c6f95284fahttps://www.arbornetworks.com/blog/asert/flokibot-flock-bots/ |
M17-wyq01 | FlokiBot_2510953f | Windows | This strike sends a malware sample known as FlokiBot. FlokiBot is a Zeus based banking trojan variant that uses C2 communication to perform DDoS and credit card scraping functionality. | 2510953f05dcd2c758ad29160bbc3911 | SHA1: 9e0094cc8be1bbe494d7dac88a57a3db235f8a04MD5: 2510953f05dcd2c758ad29160bbc3911SHA256: fbf23b449db5ae1122c503756d9ad7f4d1c77ed367f0874ffe8dde5c578dd2c8https://www.arbornetworks.com/blog/asert/flokibot-flock-bots/ |
M17-mgu01 | CopyCat_7282c48b | Android | This strike sends a malware sample known as CopyCat. CopyCat is a family of Android mobile malware that infected over 14 million devices while gaining root privileges on over half of them. This malware has many capabilities but its main purpose is to generate and steal ad revenues. | 7282c48bdad45f3861edd8244061c26e | SHA1: df579f335eb8be8b5403fcf85dd19a638452e573MD5: 7282c48bdad45f3861edd8244061c26eSHA256: 1dcce039352f4dcabc693fdc66121b61849767498fb68bb3b4e4b8f00757a359https://www.checkpoint.com/downloads/resources/copycat-research-report.pdf |
M17-1sq01 | Doc.Macro.Obfuscation_69ffb531 | Mixed | This strike sends a malware sample known as Doc.Macro.Obfuscation. This Office malware sample uses macros to compromise the target system by indirectly accessing data from arrays to perform its functions. The MD5 hash of this Doc.Macro. | 69ffb531e7dc45cabcef030626a397bf | SHA1: 93fdf068ed8f8f22a49d21be92e482b213b633f6MD5: 69ffb531e7dc45cabcef030626a397bfSHA256: 2611831b22f6b0df892e363d429a666b5a4bb9303a97b30c527fb4f43379a462http://blog.talosintelligence.com/2017/07/threat-roundup-0714-0721.html#more |
M17-1iv01 | PoSeidon_767ae03a | Windows | This strike sends a malware sample known as PoSeidon. PoSeidon is a point of sale malware also known as FindPoS. This malware steals credit card information from point of sale devices and siphons it back to the remote attacker. | 767ae03a2f291121616815a9f47456e2 | SHA1: aeddf10827f063228aa20e034ccb9ca19cde3cb0MD5: 767ae03a2f291121616815a9f47456e2SHA256: 8b7252c0e7cc4b2311bda423f08cf62fdb75de591c62babd40693147ef022a7ahttps://krebsonsecurity.com/2017/07/self-service-food-kiosk-vendor-avanti-hacked/ |
M17-ts501 | Petya/NotPetya_7e37ab34 | Windows | This strike sends a malware sample known as Petya/NotPetya. Petya/NotPetya is a ransomware that has been tied to the Petya ransomware due to the nature of how encrypts files and displays them in the ransom note. However, further analysis has shown that it is very dissimilar from Petya and may be a different family of malware entirely. | 7e37ab34ecdcc3e77e24522ddfd4852d | SHA1: 38e2855e11e353cedf9a8a4f2f2747f1c5c07fcfMD5: 7e37ab34ecdcc3e77e24522ddfd4852dSHA256: 02ef73bd2458627ed7b397ec26ee2de2e92c71a0e7588f78734761d8edbdcd9fhttps://www.carbonblack.com/2017/06/27/protect-organization-petya-ransomware-carbon-black/ |
M17-y4f01 | Win.Trojan.AutoIT-6333854-0_63a07f35 | Windows | This strike sends a malware sample known as Win.Trojan.AutoIT-6333854-0. This AutoIT malware is packed in a RAR archive that executes itself. It includes several features like anti-debugging, Firefox web browser password stealing and persistence. The MD5 hash of this Win.Trojan. | 63a07f352a5443a4b4e57cb69a69743f | SHA1: d7c69654d92aea7dfe4b0a134a8d5b8523f1952aMD5: 63a07f352a5443a4b4e57cb69a69743fSHA256: 2cd44a3204106c4fa3e11c310f21a3d0a89795ae90cad00117c779386ea619fdhttp://blog.talosintelligence.com/2017/07/threat-roundup-0714-0721.html#more |
M17-9bj01 | Win.Trojan.AutoIT-6333854-0_09301932 | Windows | This strike sends a malware sample known as Win.Trojan.AutoIT-6333854-0. This AutoIT malware is packed in a RAR archive that executes itself. It includes several features like anti-debugging, Firefox web browser password stealing and persistence. The MD5 hash of this Win.Trojan. | 09301932b011592585bb3560bc3a6ad7 | SHA1: a577f9caf8c481c38a31a6bd82abdf86e09b8357MD5: 09301932b011592585bb3560bc3a6ad7SHA256: 927bd28d825adc6569d1e307bd3709f73350b3ca2b0f98bbbdd2370526ae19b6http://blog.talosintelligence.com/2017/07/threat-roundup-0714-0721.html#more |
M17-cub01 | Doc.Downloader.Agent-6333860-0_87865982 | Mixed | This strike sends a malware sample known as Doc.Downloader.Agent-6333860-0. This malware sample is a document downloader, that uses Microsoft Excel worksheets that include macros to trigger Shell functions. The MD5 hash of this Doc.Downloader. | 878659824c6dcb28edfbc8a8826adf22 | SHA1: 9e02e611f6d968a22580d49e2afb381ec30525b7MD5: 878659824c6dcb28edfbc8a8826adf22SHA256: 204ecc72a94c1d1ef60a08ccb132a5123d2e8dcfc16ef1cacebb20887049ec2dhttp://blog.talosintelligence.com/2017/07/threat-roundup-0714-0721.html#more |
M17-n3r01 | Win.Virus.Virlock-6332874-0_ea39c1c5 | Windows | This strike sends a malware sample known as Win.Virus.Virlock-6332874-0. VirLock is a polymorphic ransomware that encrypts the files on the target system, and also inserts a modified version of its own code at the beginning of each file. After execution it locks the screen and asks the user to pay a ransom. The MD5 hash of this Win.Virus. | ea39c1c57c2446b2b71b8b7896269be8 | SHA1: 71e9f0e92dc95bff7e9b4cb134ce024c2363b6d5MD5: ea39c1c57c2446b2b71b8b7896269be8SHA256: 61012a5ae49bcfc6c31110b0117c9ed3d3f810cb8053857ef3017b403aeb4ad0http://blog.talosintelligence.com/2017/07/threat-roundup-0714-0721.html#more |
M17-zij01 | Doc.Macro.Obfuscation_fe672cd7 | Mixed | This strike sends a malware sample known as Doc.Macro.Obfuscation. This Office malware sample uses macros to compromise the target system by indirectly accessing data from arrays to perform its functions. The MD5 hash of this Doc.Macro. | fe672cd7a871b0a4dd2ca6300dbff515 | SHA1: ba3e2b5c42c12b5ef5ebba32cb13a3fb1ed5bb7cMD5: fe672cd7a871b0a4dd2ca6300dbff515SHA256: 341b86bd427dfca140ef6b3f47c7f269fe3ada974692237cc038f5910326d806http://blog.talosintelligence.com/2017/07/threat-roundup-0714-0721.html#more |
M17-hay01 | Doc.Macro.Obfuscation_36f030f5 | Mixed | This strike sends a malware sample known as Doc.Macro.Obfuscation. This Office malware sample uses macros to compromise the target system by indirectly accessing data from arrays to perform its functions. The MD5 hash of this Doc.Macro. | 36f030f5107843b382537768edd49254 | SHA1: 8ea2a18608f1bdbcfc956955893174d1ae96881fMD5: 36f030f5107843b382537768edd49254SHA256: f11534d903c19da7f9b951419fb31fc8027c27f7ed7e3fdb89a923004a838ca1http://blog.talosintelligence.com/2017/07/threat-roundup-0714-0721.html#more |
M17-nr901 | Win.Virus.Virlock-6332874-0_8b969fdb | Windows | This strike sends a malware sample known as Win.Virus.Virlock-6332874-0. VirLock is a polymorphic ransomware that encrypts the files on the target system, and also inserts a modified version of its own code at the beginning of each file. After execution it locks the screen and asks the user to pay a ransom. The MD5 hash of this Win.Virus. | 8b969fdb7154cf74b74243e82f8ae6fa | SHA1: fdc5dcb2c8f1a8f7ca6d2b68fa4e3c37afb4a3acMD5: 8b969fdb7154cf74b74243e82f8ae6faSHA256: db2415f2259b7ec9aaa6ab004a659753ad51dafccbc8696f0a5e906750304efchttp://blog.talosintelligence.com/2017/07/threat-roundup-0714-0721.html#more |
M17-23201 | Win.Virus.Virlock-6332874-0_f30ea2f3 | Windows | This strike sends a malware sample known as Win.Virus.Virlock-6332874-0. VirLock is a polymorphic ransomware that encrypts the files on the target system, and also inserts a modified version of its own code at the beginning of each file. After execution it locks the screen and asks the user to pay a ransom. The MD5 hash of this Win.Virus. | f30ea2f3952e4dc32f4e193a7b47b7e1 | SHA1: de4ed67b32e3e8b3fd66e06c20066f1669c2e1efMD5: f30ea2f3952e4dc32f4e193a7b47b7e1SHA256: cacc1b16c233ad74c95b051edb5542a2824441314aba3f12e0397b857222c0a9http://blog.talosintelligence.com/2017/07/threat-roundup-0714-0721.html#more |
M17-pdw01 | Doc.Macro.Obfuscation_b0ffc6d0 | Mixed | This strike sends a malware sample known as Doc.Macro.Obfuscation. This Office malware sample uses macros to compromise the target system by indirectly accessing data from arrays to perform its functions. The MD5 hash of this Doc.Macro. | b0ffc6d0cdfd4f510ad3b3b703ffb773 | SHA1: 3be99b2039c69a41113527693394344d57c1ba72MD5: b0ffc6d0cdfd4f510ad3b3b703ffb773SHA256: 0dd337e3bef51dd39867317b47870076c8bda3efede772fc571b48d59ff79bcfhttp://blog.talosintelligence.com/2017/07/threat-roundup-0714-0721.html#more |
M17-88t01 | Doc.Macro.Obfuscation_cefd07f0 | Mixed | This strike sends a malware sample known as Doc.Macro.Obfuscation. This Office malware sample uses macros to compromise the target system by indirectly accessing data from arrays to perform its functions. The MD5 hash of this Doc.Macro. | cefd07f03498b5baf3a2c7ca97872328 | SHA1: e523974da31af97cf08de7780e0a0d9c2d9a46e4MD5: cefd07f03498b5baf3a2c7ca97872328SHA256: 7ac2d7693119e8e07ee9ab0979a219f99763deb2b4134e8a6c18cec7aba1a76ahttp://blog.talosintelligence.com/2017/07/threat-roundup-0714-0721.html#more |
M17-lcu01 | Doc.Macro.Obfuscation_9d65ae5a | Mixed | This strike sends a malware sample known as Doc.Macro.Obfuscation. This Office malware sample uses macros to compromise the target system by indirectly accessing data from arrays to perform its functions. The MD5 hash of this Doc.Macro. | 9d65ae5a5015402e85d8694f684322ca | SHA1: a37ef548edfdf526b7274c0712f7967242aebc9fMD5: 9d65ae5a5015402e85d8694f684322caSHA256: 727d8957c910dd733b4960f22535e61375e417cc521b820ae8a917597af86295http://blog.talosintelligence.com/2017/07/threat-roundup-0714-0721.html#more |
M17-6q801 | Win.Trojan.DelphiSpamDown-6333_e9f45c7a | Windows | This strike sends a malware sample known as Win.Trojan.DelphiSpamDown-6333. This malware sample is a Delphi downloader. It can be found in the wild, and is related to a spam campaign. The MD5 hash of this Win.Trojan. | e9f45c7a87e2535835c30dfeeb98d97b | SHA1: 6c0ca799263fa113fcd8c76ef700a5809f889c59MD5: e9f45c7a87e2535835c30dfeeb98d97bSHA256: 72464898f83126f1a89d76cf76b2867b58655b3b316c2000dd185f2c31a4d786http://blog.talosintelligence.com/2017/07/threat-roundup-0714-0721.html#more |
M17-0jq01 | NukeBot_9831b109 | Windows | This strike sends a malware sample known as NukeBot. NukeBot is a modular banking trojan that was created to steal the credentials of online banking customers. | 9831b1092d9acaeb30351e1db30e8521 | SHA1: 3b25a4553abced0c237198335fd967f92ad86756MD5: 9831b1092d9acaeb30351e1db30e8521SHA256: 916c68203f329eaf00e0dbf5a7571107708ce037935b5f51d7eed41ad581cdfdhttps://threatpost.com/modified-versions-of-nukebot-in-wild-since-source-code-leak/126920/ |
M17-v0l01 | LockPoS_0ad35a56 | Windows | This strike sends a malware sample known as LockPoS. LockPoS is point-of-sale malware that was first discovered targeting systems in Brazil. It uses HTTP both for C2 communication and for exfiltrating the credit card data it collects. | 0ad35a566cfb60959576835ede75983b | SHA1: 2faa933c98cd21515b236d139476a6d09a3d624d; MD5: 0ad35a566cfb60959576835ede75983b; SHA256: 063f14091c811feb0b99de21d52dc55ca2ccb0c387b515e7407ea09a4337ceef; https://www.arbornetworks.com/blog/asert/lockpos-joins-flock/ |
M17-4un01 | .Net | Mixed | This strike sends a malware sample known as .Net Dubled Backdoor. This .Net malware is not particularly advanced, but it comes with many features, including the ability to spy on the target system and to record a user's banking activity with the ffmpeg application. The MD5 hash of this . | 2a07346045558f49cad9da0d249963f1 | SHA1: 08f2c18438296576c650ee2da713319ca9c9ca30; MD5: 2a07346045558f49cad9da0d249963f1; SHA256: b920e5f907caced96cebd946cbf6aad02b10676712c2663f2187a8a9fad5b311; https://blog.malwarebytes.com/threat-analysis/2017/07/malware-abusing-ffmpeg/ |
M17-7rx01 | LeakerLocker_0d780a9f | Android | This strike sends a malware sample known as LeakerLocker. This Android ransomware sample does not encrypt files; instead it collects personal and private information from the device and threatens to share it if a ransom is not paid. | 0d780a9f05bed552d6450ff3bc791c04 | SHA1: afe2d4ec4ae8250f8d3131338b6158e9a3c6f3a2; MD5: 0d780a9f05bed552d6450ff3bc791c04; SHA256: cd903fc02f88e45d01333b17ad077d9062316f289fded74b5c8c1175fdcdb9d8; https://securingtomorrow.mcafee.com/mcafee-labs/leakerlocker-mobile-ransomware-acts-without-encryption/; http://thehackernews.com/2017/07/leakerlocker-android-ransomware.html |
M17-uxx01 | Doc.Macro.Obfuscation_a55c0e19 | Mixed | This strike sends a malware sample known as Doc.Macro.Obfuscation. This Office malware sample uses macros to compromise the target system; the macros obscure what they do by fetching the data they operate on indirectly out of arrays rather than using it inline. The MD5 hash of this Doc.Macro. | a55c0e191e6754909a051d5fbf00bdea | SHA1: 18aed4a0b16f6eb97e337acbf29c96523bdd3bd3; MD5: a55c0e191e6754909a051d5fbf00bdea; SHA256: 4c5f92378c3fe002163abb763ab30de3b167512255af8f90c0ab7ca85e15fe7f; http://blog.talosintelligence.com/2017/07/threat-roundup-0714-0721.html#more |
M17-iix01 | NukeBot_078aa893 | Windows | This strike sends a malware sample known as NukeBot. NukeBot is a modular banking trojan created to steal the credentials of online banking customers. | 078aa893c6963aac76b63018ee4ecbd3 | SHA1: 640702a92e4281515e755649cc4c01db21881394; MD5: 078aa893c6963aac76b63018ee4ecbd3; SHA256: aaf4d39111ba8681cf2b501ec90b612b54a6feae817f37925e99739009f9d37b; https://threatpost.com/modified-versions-of-nukebot-in-wild-since-source-code-leak/126920/ |
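The macro droppers in these tables (Doc.Macro.Obfuscation above, the Valyria documents below, Doc.Dropper.Agent earlier on the page) all carry their VBA source inside vbaProject.bin, where each module stream is stored in the compression scheme defined by MS-OVBA. The Python below is an added triage example written for this page, not code from Talos or from any of the listed samples: it decodes a compressed module stream and flags auto-execution hooks, shell execution, PowerShell and download primitives in the recovered source. It assumes the module stream has already been located inside the OLE container (olefile/oletools do that part); the compressed bytes in SAMPLE_MODULE were hand-constructed to hold a short AutoOpen macro with two back-references and are not taken from any real sample.

```python
import re


def decompress_vba(container: bytes) -> bytes:
    """Decode an MS-OVBA CompressedContainer (the encoding of VBA module
    source streams inside vbaProject.bin) and return the raw source bytes."""
    if not container or container[0] != 0x01:
        raise ValueError("missing CompressedContainer signature byte 0x01")
    out = bytearray()
    pos = 1
    while pos + 2 <= len(container):
        header = int.from_bytes(container[pos:pos + 2], "little")
        chunk_size = (header & 0x0FFF) + 3          # counts the 2 header bytes
        if (header >> 12) & 0x07 != 0b011:
            raise ValueError("bad CompressedChunk signature")
        chunk_end = min(len(container), pos + chunk_size)
        pos += 2
        if not header >> 15:                         # flag 0: 4096 raw bytes follow
            out.extend(container[pos:pos + 4096])
            pos += 4096
            continue
        chunk_start = len(out)
        while pos < chunk_end:
            flags = container[pos]                   # one flag bit per token
            pos += 1
            for bit in range(8):
                if pos >= chunk_end:
                    break
                if not (flags >> bit) & 1:           # literal byte
                    out.append(container[pos])
                    pos += 1
                    continue
                token = int.from_bytes(container[pos:pos + 2], "little")
                pos += 2
                # CopyToken split depends on how much of this chunk is decoded:
                # bit_count = smallest n >= 4 with 2**n >= bytes decoded so far.
                decoded = len(out) - chunk_start
                bit_count = max(4, (decoded - 1).bit_length())
                length = (token & (0xFFFF >> bit_count)) + 3
                offset = (token >> (16 - bit_count)) + 1
                src = len(out) - offset
                if src < chunk_start:
                    raise ValueError("copy token points before chunk start")
                for i in range(src, src + length):   # byte-wise: copies may overlap
                    out.append(out[i])
    return bytes(out)


INDICATORS = {
    "auto-exec": re.compile(rb"\b(?:AutoOpen|Auto_Open|Document_Open|Workbook_Open|AutoExec)\b", re.I),
    "exec": re.compile(rb"\b(?:Shell|WScript\.Shell|CreateObject|CreateProcess)\b", re.I),
    "powershell": re.compile(rb"powershell", re.I),
    "download": re.compile(rb"\b(?:DownloadString|DownloadFile|URLDownloadToFile|XMLHTTP)\b", re.I),
}


def triage_macro(compressed_module: bytes) -> dict:
    """Decompress one module stream and report which indicator classes fire."""
    source = decompress_vba(compressed_module)
    hits = {name: sorted({m.group(0).decode("latin-1") for m in rx.finditer(source)})
            for name, rx in INDICATORS.items()}
    hits = {name: found for name, found in hits.items() if found}
    # Auto-execution plus a way to run or fetch code is the pattern behind the
    # Valyria-style document droppers listed on this page.
    suspicious = "auto-exec" in hits and bool({"powershell", "download", "exec"} & hits.keys())
    return {"source": source, "hits": hits, "verdict": "suspicious" if suspicious else "review"}


# Constructed for this example: one compressed chunk holding the macro
#   Sub AutoOpen()\r\nShell "powershell -w hidden -c " & c\r\nEnd Sub\r\n
# Flag byte 0x00 = eight literals; 0x20 and 0x80 each mark one CopyToken.
SAMPLE_MODULE = bytes([0x01, 0x43, 0xB0]) + (   # signature, header 0xB043 (compressed, 70 bytes)
    b"\x00Sub Auto"
    b"\x00Open()\r\n"
    b'\x00Shell "p'
    b"\x20owers\x01\x58 -"     # token 0x5801: offset 12, length 4 -> "hell"
    b"\x00w hidden"
    b'\x00 -c " & '
    b"\x80c\r\nEnd \x00\xE4"   # token 0xE400: offset 58, length 3 -> "Sub"
    b"\x00\r\n"
)

if __name__ == "__main__":
    result = triage_macro(SAMPLE_MODULE)
    print(result["source"].decode("latin-1"))
    print(result["verdict"], result["hits"])
```

The copy-token decoding is the part that trips up naive string searches on vbaProject.bin: repeated fragments such as "Sub" and "hell" above are stored as back-references, so grepping the raw stream for "powershell" can miss it. Decode first, then match.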
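LockPoS above, like PoSeidon earlier on the page, sends the card data it steals out over HTTP. The Python below is an added detection example, not code from the page's references: it scans HTTP POST bodies for magnetic-stripe track 1 and track 2 layouts and applies the Luhn check so that arbitrary digit strings do not alert. The requests, the host 203.0.113.10 and the gate.php and upload paths are constructed for the example and are not claimed to match LockPoS's real beacon format; the card numbers are the public test PANs 4111111111111111 and 5555555555554444.

```python
import re
from urllib.parse import unquote_plus

# Magnetic-stripe layouts: track 1 "%B<PAN>^<NAME>^<YYMM><service code>...?",
# track 2 ";<PAN>=<YYMM><service code>...?". PANs are 13 to 19 digits.
TRACK1 = re.compile(r"%?B(?P<pan>\d{13,19})\^(?P<name>[^^]{2,26})\^(?P<exp>\d{4})")
TRACK2 = re.compile(r";?(?P<pan>\d{13,19})=(?P<exp>\d{4})\d{3}")


def luhn_ok(pan: str) -> bool:
    """Luhn (mod 10) check digit test: filters out random digit strings."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep BIN and last four so the alert itself does not become card data."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track_data(text: str) -> list:
    hits = []
    for kind, rx in (("track1", TRACK1), ("track2", TRACK2)):
        for m in rx.finditer(text):
            if luhn_ok(m.group("pan")):
                hits.append({"kind": kind, "pan": mask_pan(m.group("pan")), "exp": m.group("exp")})
    return hits


def scan_http_requests(requests: list) -> list:
    """Flag each request whose URL-decoded body carries Luhn-valid track data."""
    alerts = []
    for raw in requests:
        head, _, body = raw.partition("\r\n\r\n")
        lines = head.split("\r\n")
        host = next((l.split(":", 1)[1].strip() for l in lines[1:] if l.lower().startswith("host:")), "")
        tracks = find_track_data(unquote_plus(body))
        if tracks:
            alerts.append({"host": host, "request": lines[0], "tracks": tracks})
    return alerts


# Constructed sample traffic (host, paths and field names are invented for this
# example; the PANs are the public test numbers 4111111111111111 and 5555555555554444).
SAMPLE_REQUESTS = [
    # beacon with no card data: must not alert
    "POST /gate.php HTTP/1.1\r\nHost: 203.0.113.10\r\n\r\nid=WS-07&ver=1",
    # track 2 record, percent-encoded inside a form field
    "POST /gate.php HTTP/1.1\r\nHost: 203.0.113.10\r\n\r\n"
    "id=WS-07&data=%3B4111111111111111%3D25121011234567%3F",
    # track 1 record plus a Luhn-invalid number that must be ignored
    "POST /upload HTTP/1.1\r\nHost: 203.0.113.10\r\n\r\n"
    "%25B5555555555554444%5EDOE%2FJANE%5E2601101%3F&junk=4111111111111112=2512101",
]

if __name__ == "__main__":
    for alert in scan_http_requests(SAMPLE_REQUESTS):
        print(alert)
```

Run over real traffic this should sit behind a decoder for whatever encoding the family applies (LockPoS's reference notes HTTP, not the encoding), and the alert carries only a masked PAN so that the SIEM does not itself become a cardholder-data store.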
Strike ID | Malware | Platform | Info | MD5 | External References |
---|---|---|---|---|---|
M17-s2701 | Valyria_Doc_Macro_3e0c5a01 | Mixed | This strike sends a malware sample known as Valyria_Doc_Macro. Valyria is a Trickler that targets the Windows platform. It arrives on the victim's system as a Microsoft Word document whose Visual Basic for Applications macro launches a PowerShell script to download and execute files. | 3e0c5a01e1c13b6066d561f152b28291 | SHA1: 6323db3ff1bc490a6b8ceb4447c5791543f17732; MD5: 3e0c5a01e1c13b6066d561f152b28291; SHA256: 7fcd49ea71363a666377a734b80c7608842a9acb868e1b35a3820a1eefd68975; http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html |
M17-9hj01 | Fireball_79abd4f5 | Windows | This strike sends a malware sample known as Fireball. Fireball is a browser hijacker, usually installed by being bundled with other software, that changes the browser's default start page and switches the default search engine to the Rafotech search engine. | 79abd4f5c79cd2eb0c0de0b4664652d5 | SHA1: da0ae02638e0f190f159a8a24b6d40ce80d1cdf0; MD5: 79abd4f5c79cd2eb0c0de0b4664652d5; SHA256: 656ceb29cf552689f2e3f1b10bbbd39ca74c0ce76451127aacf1851925e3c2ca; https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/27000/PD27112/en_US/McAfee_Labs_Threat_Advisory-PUP_Adware-Elex.pdf |
M17-q1m01 | Fadok_01d9a9d8 | Windows | This strike sends a malware sample known as Fadok. Fadok is a worm that drops several files and configures them to start automatically when Windows starts. It drops and opens a Word document and connects to the domain wxanalytics.ru. | 01d9a9d87e38c06f7a17382477be414d | SHA1: f38a92520fbbbea0b1894084ca5df9c7ea407eeb; MD5: 01d9a9d87e38c06f7a17382477be414d; SHA256: 0ab690ef09a14798b9deb6cd0c116b8e0ed906b6bac16a05a5ae4bc38cabf467; http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html |
M17-55501 | GenericMalware_377b5d0c | Windows | This strike sends a malware sample known as GenericMalware. The sample was observed in the wild being downloaded by DoublePulsar backdoor payloads. | 377b5d0cb365a8a124126a57ba1103ce | SHA1: 614ab749f50a70faecfbcb54b442fb357f79f745; MD5: 377b5d0cb365a8a124126a57ba1103ce; SHA256: c97f4a5bee60b6c823abe53c28230df34026f49bc6fbdba5f1197caf7db47790 |
M17-wxd01 | Qakbot_4ac8b676 | Windows | This strike sends a malware sample known as Qakbot. Qbot, also known as Qakbot, has been around since at least 2008. It is a sophisticated trojan that primarily targets personal information such as banking credentials. | 4ac8b6761e6504e1e96d2165f6038ced | SHA1: 107705a77990d78f63379bc3e498781a9477c6c8; MD5: 4ac8b6761e6504e1e96d2165f6038ced; SHA256: 4712cf80102b7886a946ab6454fb0978f9d94feacd52c5df18850dbefa0158ec; http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html |
M17-0nv01 | Sivis_1de38c8f | Windows | This strike sends a malware sample known as Sivis. Sivis is a file infector that replaces files on the file system with executables containing copies of itself. | 1de38c8fb92851c60ec6019ac7924558 | SHA1: ba8326ba8e11e955ac99de4720dc629f592d6f14; MD5: 1de38c8fb92851c60ec6019ac7924558; SHA256: 38f441a14f81c370d0ac0934340d3d196bca832668ee6772ac88330614a91b2c; http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html |
M17-0bf01 | Fadok_a115b384 | Windows | This strike sends a malware sample known as Fadok. Fadok is a worm that drops several files and configures them to start automatically when Windows starts. It drops and opens a Word document and connects to the domain wxanalytics.ru. | a115b384fa775472d82cfa8290551bcf | SHA1: 129c85d614eadacef177aed41aebd06033c2e184; MD5: a115b384fa775472d82cfa8290551bcf; SHA256: 03692f096e7fc9ab6bd470f7092ae80cc5dcfbf1dcb2a849dae2a2384e421315; http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html |
M17-xrt01 | Valyria_Doc_Macro_8d45f392 | Mixed | This strike sends a malware sample known as Valyria_Doc_Macro. Valyria is a Trickler that targets the Windows platform. It arrives on the victim's system as a Microsoft Word document whose Visual Basic for Applications macro launches a PowerShell script to download and execute files. | 8d45f39227d5e8fd3bf9b270dc7d46ad | SHA1: e38a4ed2f3beb4722d5dbf1800334c678ec70374; MD5: 8d45f39227d5e8fd3bf9b270dc7d46ad; SHA256: be53a9f3aeca760dfcea58b676db1f687f238e0c6996ec57e36fa6040f43e75e; http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html |
M17-62401 | Valyria_Doc_Macro_12dca91f | Mixed | This strike sends a malware sample known as Valyria_Doc_Macro. Valyria is a Trickler that targets the Windows platform. It arrives on the victim's system as a Microsoft Word document whose Visual Basic for Applications macro launches a PowerShell script to download and execute files. | 12dca91f7b79b4bef4f408f042fcbda8 | SHA1: ec53f9456c433ea9a63c8404cf42836b992f102f; MD5: 12dca91f7b79b4bef4f408f042fcbda8; SHA256: 0cfe5dfa2b53c51076a5ea1aac89e7be91e83a70c6438b037dfd00ccd839ca6f; http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html |
M17-a3r01 | Qakbot_5838ce69 | Windows | This strike sends a malware sample known as Qakbot. Qbot, also known as Qakbot, has been around since at least 2008. It is a sophisticated trojan that primarily targets personal information such as banking credentials. | 5838ce69e86bfd9f93e32746d73a779d | SHA1: 5ea507dca63035e969f4db6bff585896cf4bb096; MD5: 5838ce69e86bfd9f93e32746d73a779d; SHA256: 006b191a135afecf86bd4df2fbf619f8f019ab316d2edb33d053209384c7d4cd; http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html |
M17-d0k01 | Siggen_e3ab4a4a | Windows | This strike sends a malware sample known as Siggen. Siggen is malware with anti-debugging and anti-VM capabilities. The sample drops a file into a temporary directory; the file is deleted once it has been loaded and the second stage executed. | e3ab4a4a2f18c482e4add154f7ad5436 | SHA1: b852fc3e5bfb59978d905c064d0a79e526acb835; MD5: e3ab4a4a2f18c482e4add154f7ad5436; SHA256: 8998b35cd76f170e62275661c0f0256883ec2b8e34b9e5ff9530c9da4d07fb74; http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html |
M17-6qj01 | Gh0stRAT_47029c8d | Mixed | This strike sends a malware sample known as Gh0stRAT. The sample was observed in the wild being downloaded by DoublePulsar backdoor payloads. | 47029c8d9d652d45c15d8c0108f2c9ae | SHA1: 9d11b23989615d9c4c161fc833801c063c141d4a; MD5: 47029c8d9d652d45c15d8c0108f2c9ae; SHA256: b6915dd2a9ffae5c6a969247e4a3e2b739e094ed9f90516b41251185d9d301a5; https://www.ixiacom.com/company/blog/state-eternalblue-exploitation-wild |
M17-s2h01 | Gh0stRAT_26d01a08 | Windows | This strike sends a malware sample known as Gh0stRAT. The sample was observed in the wild being downloaded by DoublePulsar backdoor payloads. | 26d01a08650fd21664748cd7446f3396 | SHA1: 116c2d8eab2d6cfdd0de59b622eefbc526d4b043; MD5: 26d01a08650fd21664748cd7446f3396; SHA256: b60d4093fe1a7aa545d22292bd2daafaa07bdcda335aa5e9f2c56e0c4f8668cf |
M17-49p01 | Valyria_Doc_Macro_5139ef78 | Mixed | This strike sends a malware sample known as Valyria_Doc_Macro. Valyria is a Trickler that targets the Windows platform. It arrives on the victim's system as a Microsoft Word document whose Visual Basic for Applications macro launches a PowerShell script to download and execute files. | 5139ef78258da030fb38081cb48e6343 | SHA1: e5390594ab62a10d62a8377acee4fe28861a52d3; MD5: 5139ef78258da030fb38081cb48e6343; SHA256: 27a035174244dd347ee81cc932fccf414b1c32a0820fe6a55e242ee04e9c0686; http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html |
M17-xy701 | Fireball_bb2dec87 | Windows | This strike sends a malware sample known as Fireball. Fireball is a browser hijacker, usually installed by being bundled with other software, that changes the browser's default start page and switches the default search engine to the Rafotech search engine. | bb2dec875c10abe72b645bd6376c1c0e | SHA1: b30d5b4fe6f11cb683c4daaf78dd337c1b94c8d9; MD5: bb2dec875c10abe72b645bd6376c1c0e; SHA256: 683d13ecc2c2faea61e7095a16f801ac2e00993de838b29042426498dbf92a01; https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/27000/PD27112/en_US/McAfee_Labs_Threat_Advisory-PUP_Adware-Elex.pdf |
M17-ay001 | Valyria_Doc_Macro_05080c76 | Mixed | This strike sends a malware sample known as Valyria_Doc_Macro. Valyria is a Trickler that targets the Windows platform. It arrives on the victim's system as a Microsoft Word document whose Visual Basic for Applications macro launches a PowerShell script to download and execute files. | 05080c76008874c298f4011ea33190d5 | SHA1: f6be84cad04bdec852a669e514d3d99def9b1e19; MD5: 05080c76008874c298f4011ea33190d5; SHA256: d845e07f961afb0341e8d8da25fc08896bccd09ccc5136e74454308c9f95eff6; http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html |
M17-15601 | EternalRocks_0e83b186 | Windows | This strike sends a malware sample known as EternalRocks. EternalRocks is a network worm that spreads using the SMB exploits made public in The Shadow Brokers' dump of NSA tools (ETERNALBLUE, ETERNALCHAMPION, ETERNALROMANCE and ETERNALSYNERGY) together with the related tools DOUBLEPULSAR, ARCHITOUCH and SMBTOUCH. | 0e83b186a4d067299df2db817b724eb7 | SHA1: 1e24f6dfdcfac543d89e6e4ee8f2d9fc4321f264; MD5: 0e83b186a4d067299df2db817b724eb7; SHA256: 48b1024f599c3184a49c0d66c5600385265b9868d0936134185326e2db0ab441; https://github.com/stamparm/EternalRocks; https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/27000/PD27113/en_US/McAfee_Labs_Threat_Advisory-EternalRocks.pdf |
M17-58a01 | Crashoverride_11a67ff9 | Windows | This strike sends a malware sample known as Crashoverride. Crashoverride (also known as Industroyer) is the first malware framework known to have been designed and deployed to attack electric grids. | 11a67ff9ad6006bd44f08bcc125fb61e | SHA1: 8e39eca1e48240c01ee570631ae8f0c9a9637187; MD5: 11a67ff9ad6006bd44f08bcc125fb61e; SHA256: 3e3ab9674142dec46ce389e9e759b6484e847f5c1e1fc682fc638fc837c13571; https://dragos.com/blog/crashoverride/CrashOverride-01.pdf |
M17-8ah01 | Fadok_ee28f9a8 | Windows | This strike sends a malware sample known as Fadok. Fadok is a worm that drops several files and configures them to start automatically when Windows starts. It drops and opens a Word document and connects to the domain wxanalytics.ru. | ee28f9a8753c779b5c26f6271df09f00 | SHA1: 273ff949fda1d3d84259659fc29bedc40a85bc5a; MD5: ee28f9a8753c779b5c26f6271df09f00; SHA256: 06f89aa03b2e1f070b9fdfafd5356d0eaa1ea840f05ab7189d89f1cb1f70ff66; http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html |
M17-3mu01 | Valyria_Doc_Macro_24d4e462 | Mixed | This strike sends a malware sample known as Valyria_Doc_Macro. Valyria is a Trickler that targets the Windows platform. It arrives on the victim's system as a Microsoft Word document whose Visual Basic for Applications macro launches a PowerShell script to download and execute files. | 24d4e462da6609e38a4b92b2674520af | SHA1: d2c6ad43986fef31e212f87b95a35ce2f82f98a6; MD5: 24d4e462da6609e38a4b92b2674520af; SHA256: bb4e1f338f6d5c46d7890aa7eabe929de1467d8760a463c74379d651600638e8; http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html |
M17-5l701 | Siggen_5ebfb9fe | Windows | This strike sends a malware sample known as Siggen. Siggen is malware with anti-debugging and anti-VM capabilities. The sample drops a file into a temporary directory; the file is deleted once it has been loaded and the second stage executed. | 5ebfb9fe30b274780c0f37a22fa88ba3 | SHA1: b92adf5db6e0c047f0706a427fed6dcf65e5c295; MD5: 5ebfb9fe30b274780c0f37a22fa88ba3; SHA256: 76cac7eac498813164dcb94ed0812163bc4d261ef80232ec528aa941e0622479; http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html |
M17-e0d01 | BackdoorTrojan_a1dcc833 | Windows | This strike sends a malware sample known as BackdoorTrojan. The sample was observed in the wild being downloaded by DoublePulsar backdoor payloads. | a1dcc83376ae59d6a156096b79c3c856 | SHA1: 0f876e85fa1b0e0449db420b8cac168d744829c7; MD5: a1dcc83376ae59d6a156096b79c3c856; SHA256: 65433c71ff7901c183d55bf42452e6b77c9554a2573cc983ff8ab31b0c4f29d6 |
M17-aq401 | Valyria_Doc_Macro_3dcc36e7 | Mixed | This strike sends a malware sample known as Valyria_Doc_Macro. Valyria is a Trickler that targets the Windows platform. It arrives on the victim's system as a Microsoft Word document whose Visual Basic for Applications macro launches a PowerShell script to download and execute files. | 3dcc36e7164d4d1d2d2c8cdb93f8db46 | SHA1: b42cb2e11162a6a3876d4235398ba5d68d0f7bf4; MD5: 3dcc36e7164d4d1d2d2c8cdb93f8db46; SHA256: 38e71cd7dba75c6e6dbfa326843d10421d57ab3781c94c1174cfc260c86d4361; http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html |
M17-8uu01 | Qakbot_d0afd8df | Windows | This strike sends a malware sample known as Qakbot. Qbot, also known as Qakbot, has been around since at least 2008. It is a sophisticated trojan that primarily targets personal information such as banking credentials. | d0afd8df9e7c9dad6d2e68d45a4f36c0 | SHA1: 4f1115d7f1da62b572c9dfa08c406a65efc0baf5; MD5: d0afd8df9e7c9dad6d2e68d45a4f36c0; SHA256: 02ad78b356cb9723b18122a2fad033e0487be7e367864d7481371bde0b0b8acf; http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html |
M17-ksv01 | Qakbot_8a3ab5d3 | Windows | This strike sends a malware sample known as Qakbot. Qbot, also known as Qakbot, has been around since at least 2008. It is a sophisticated trojan that primarily targets personal information such as banking credentials. | 8a3ab5d3fa3644ec1829e7825b0a22a3 | SHA1: d3f484c3e7ff9fe0a639728ee78edc19b324560b; MD5: 8a3ab5d3fa3644ec1829e7825b0a22a3; SHA256: d52f95bb330930af7477604547dd33fdf3fe76e20301a67a7d490f6b1ebe5247; http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html |
M17-zma01 | Gh0stRAT_0fe309fe | Windows | This strike sends a malware sample known as Gh0stRAT. The sample was observed in the wild being downloaded by DoublePulsar backdoor payloads. | 0fe309fea26d8747faaa4a5b51f6baf9 | SHA1: 7b8f4552b3aeae03b5f55373f8d538753035b68b; MD5: 0fe309fea26d8747faaa4a5b51f6baf9; SHA256: e0740ca59b46de2c823593aaf6ac5a2deab7b5257b4ebd74ea962c0f4683a90c |
M17-e3g01 | Valyria_Doc_Macro_cd85a6c4 | Mixed | This strike sends a malware sample known as Valyria_Doc_Macro. Valyria is a Trickler that targets the Windows platform. It arrives on the victim's system as a Microsoft Word document whose Visual Basic for Applications macro launches a PowerShell script to download and execute files. | cd85a6c4130a6666261f583e0a66dea0 | SHA1: ec6db43027ba0e034d61348549832458fbce7666; MD5: cd85a6c4130a6666261f583e0a66dea0; SHA256: ff9b033e0f4d48b6f77ae849cf3a94ea411583ea8c232b1da6fd1bc99d5e40d4; http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html |
M17-k0501 | Siggen_3669fd09 | Windows | This strike sends a malware sample known as Siggen. Siggen is malware with anti-debugging and anti-VM capabilities. The sample drops a file into a temporary directory; the file is deleted once it has been loaded and the second stage executed. | 3669fd09ab7a14b79a324b5a729f4bd8 | SHA1: 873a65b0f441d8589e19463f1c807d888d6a1f21; MD5: 3669fd09ab7a14b79a324b5a729f4bd8; SHA256: 74a306f136aa3b098fe99f6e35a1163d808c996e7ca6f8cd03fc69ec0a2573c0; http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html |
M17-hyq01 | Dvmap_20d4b9eb | Android | This strike sends a malware sample known as Dvmap. Dvmap is believed to be the first Android malware to hide a malicious payload and then inject it directly into the device's system files. | 20d4b9eb9377c499917c4d69bf4ccebe | SHA1: 7eaed59d6a166bc3ec8ce19a27eeb3d5e9c5802c; MD5: 20d4b9eb9377c499917c4d69bf4ccebe; SHA256: 183e069c563bd16219c205f7aa1d64fc7cb93c8205adf8de77c50367d56dfc2b |
M17-zvd01 | Dvmap_43680d19 | Android | This strike sends a malware sample known as Dvmap. Dvmap is believed to be the first Android malware to hide a malicious payload and then inject it directly into the device's system files. | 43680d1914f28e14c90436e1d42984e2 | SHA1: 05b0513cb53b0c5ee4ed55ce68cd694e676d4d2b; MD5: 43680d1914f28e14c90436e1d42984e2; SHA256: 92f8bcd9e62047b380c76afe772ab0fe12ced53b9702d08c37e98424dbb590ae |
M17-84i01 | PonyVariant_Dropper_8a55ecad | Windows | This strike sends a malware sample known as PonyVariant_Dropper. This dropper launches malware built from the leaked Pony Loader source code. It tries to evade detection by injecting itself twice and by deleting its own file through a cmd.exe process. | 8a55ecad10a7cf3dad3630ac40e420a1 | SHA1: c808faa7617fda487819622ac435cad5f90e929f; MD5: 8a55ecad10a7cf3dad3630ac40e420a1; SHA256: 47c916890c345a0588e52cc29e6488b5c709217823b0049a46b9a9e5e07a6efb; http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html |
M17-gu601 | Win32/Virut_b4e71b49 | Windows | This strike sends a malware sample known as Win32/Virut. The sample was observed in the wild being downloaded by DoublePulsar backdoor payloads. | b4e71b493e165eb0aa15e8d9b427ac3d | SHA1: 6d94a2b3fbdb70beafa49c4b653c6a8d0e2a99b6; MD5: b4e71b493e165eb0aa15e8d9b427ac3d; SHA256: 86a0383757ea9716facdc3cd71ebeaa4486ae87ff302a1217bbcf29a95a4003a |
M17-ogg01 | Valyria_Doc_Macro_9243540e | Mixed | This strike sends a malware sample known as Valyria_Doc_Macro. Valyria is a Trickler that targets the Windows platform. It arrives on the victim's system as a Microsoft Word document whose Visual Basic for Applications macro launches a PowerShell script to download and execute files. | 9243540e9c72aeacbbbb557045249bdb | SHA1: fa1fff26c23c168b6d4be1d64baa49885d6bb6b6; MD5: 9243540e9c72aeacbbbb557045249bdb; SHA256: 556556a774b187d2068e8d6e4cc2d098fd06fe146e0b4578b68a602d9b9c47f7; http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html |
M17-sme01 | Fireball_46ce735c | Windows | This strike sends a malware sample known as Fireball. Fireball is a browser hijacker, usually installed by being bundled with other software, that changes the browser's default start page and switches the default search engine to the Rafotech search engine. | 46ce735cacb3e63bd6c6b100918b25b0 | SHA1: 99e0d7dd87b3aa21cba43e6a853d2b1c9f726aab; MD5: 46ce735cacb3e63bd6c6b100918b25b0; SHA256: 8a7730de37028da75947da9dd008344c36536c5131b587ce64ba38ae53734944; https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/27000/PD27112/en_US/McAfee_Labs_Threat_Advisory-PUP_Adware-Elex.pdf |
M17-8kr01 | GenericMalware_6b1e19c6 | Windows | This strike sends a malware sample known as GenericMalware. The sample was observed in the wild being downloaded by DoublePulsar backdoor payloads. | 6b1e19c656499a624b9319b9c9ba3f08 | SHA1: afcc00a2f4940cb5db74e5c5b1be951bccc48828; MD5: 6b1e19c656499a624b9319b9c9ba3f08; SHA256: c995fd44ce9ebe245c71e1768eeaa278e59247fc7002f870dd3c744940b8046d |
M17-6qq01 | Valyria_Doc_Macro_76928501 | Mixed | This strike sends a malware sample known as Valyria_Doc_Macro. Valyria is a Trickler that targets the Windows platform. It arrives on the victim's system as a Microsoft Word document whose Visual Basic for Applications macro launches a PowerShell script to download and execute files. | 769285015391f1771e82d16de5325b6e | SHA1: e94f8b79adc5648b2b3bf31184d18eae3b16ed12; MD5: 769285015391f1771e82d16de5325b6e; SHA256: 3ea1c668e2b904c00f60d3bdd735a31261c49b29a39f2523c03271328a69c580; http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html |
M17-ojw01 | Valyria_Doc_Macro_d3adb534 | Mixed | This strike sends a malware sample known as Valyria_Doc_Macro. Valyria is a Trickler that targets the Windows platform. It arrives on the victim's system as a Microsoft Word document whose Visual Basic for Applications macro launches a PowerShell script to download and execute files. | d3adb534e7691d0f1efb12e649c171b5 | SHA1: 5c4530cd11ea1cedd8c5de64642c063b3097acc8; MD5: d3adb534e7691d0f1efb12e649c171b5; SHA256: 56e76f857ba0006ce64a71404b3a5e0166659e069c7d31d488de248e3e8a7af4; http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html |
M17-iw501 | Necurs_a9af7994 | Mixed | This strike sends a malware sample known as Necurs. Necurs is a large botnet that, when active, distributes massive volumes of malicious spam. It tends to pause on weekends; at the time of writing it was running a campaign that used malicious PDFs to download the Jaff ransomware. | a9af7994a9b1e0ba8a117eb64c31c926 | SHA1: d364eb043e01f61822c9d2906a36ad2f902c60d7; MD5: a9af7994a9b1e0ba8a117eb64c31c926; SHA256: 3d9728ec88afe74e3ad5bee49c5c64a771f6d39b5f4b16fab280175b989d79a6; https://www.trustwave.com/Resources/SpiderLabs-Blog/Necurs-Recurs/ |
M17-d2m01 | GenericMalware_59dcde96 | Windows | This strike sends a malware sample known as GenericMalware. The sample was observed in the wild being downloaded by DoublePulsar backdoor payloads. | 59dcde96ce99c4793a6c96d358921930 | SHA1: 79df1dc8bf60b9662ad045fbbf0769d5cea55edc; MD5: 59dcde96ce99c4793a6c96d358921930; SHA256: 260ebf8e4c489f80cc0f744f2d599810320792ac3bd318713f6e0062ddde366d |
M17-28f01 | Valyria_Doc_Macro_f5cf1855 | Mixed | This strike sends a malware sample known as Valyria_Doc_Macro. Valyria is a Trickler that targets the Windows platform. It arrives on the victim's system as a Microsoft Word document whose Visual Basic for Applications macro launches a PowerShell script to download and execute files. | f5cf1855746885e59348062ca0cedc05 | SHA1: 6aea27de5a0e9c48902be8d6b8be55e30bd0be59; MD5: f5cf1855746885e59348062ca0cedc05; SHA256: e618d44cf1e7d121c9e934b1d530ebc4e830d1dd7d8228ac5b53a455def791a9; http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html |
M17-fup01 | Fireball_960045ab | Windows | This strike sends a malware sample known as Fireball. Fireball is a browser hijacker, usually installed by being bundled with other software, that changes the browser's default start page and switches the default search engine to the Rafotech search engine. | 960045abfa2d230ab5d60fc992a08852 | SHA1: 95c7c5a3ff9c9e771c8369d81b6f09640469012a; MD5: 960045abfa2d230ab5d60fc992a08852; SHA256: d6c600ccacd3d37d6558333d6d8fed129d86fd028bb92ae5ea9da49fe6455b49; https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/27000/PD27112/en_US/McAfee_Labs_Threat_Advisory-PUP_Adware-Elex.pdf |
M17-avj01 | Crashoverride_7a7ace48 | Windows | This strike sends a malware sample known as Crashoverride. Crashoverride (also known as Industroyer) is the first malware framework known to have been designed and deployed to attack electric grids. | 7a7ace486dbb046f588331a08e869d58 | SHA1: b92149f046f00bb69de329b8457d32c24726ee00; MD5: 7a7ace486dbb046f588331a08e869d58; SHA256: ad23c7930dae02de1ea3c6836091b5fb3c62a89bf2bcfb83b4b39ede15904910; https://dragos.com/blog/crashoverride/CrashOverride-01.pdf |
M17-zv401 | Keybase_48987f1f | Windows | This strike sends a malware sample known as Keybase. KeyBase is a trojan that can capture screenshots, keystrokes and other system information. | 48987f1f272848cb3b188bbe26a9ce08 | SHA1: be11eabc8bc566b02737580f74314250e4ceb1c1; MD5: 48987f1f272848cb3b188bbe26a9ce08; SHA256: 8b1c64f993778c52906b8170cc6c16a07f4116e23661956a738323aca7b12c3a; http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html |
M17-bic01 | Crashoverride_f67b65b9 | Windows | This strike sends a malware sample known as Crashoverride. Crashoverride (also known as Industroyer) is the first malware framework known to have been designed and deployed to attack electric grids. | f67b65b9346ee75a26f491b70bf6091b | SHA1: f6c21f8189ced6ae150f9ef2e82a3a57843b587d; MD5: f67b65b9346ee75a26f491b70bf6091b; SHA256: 37d54e3d5e8b838f366b9c202f75fa264611a12444e62ae759c31a0d041aa6e4; https://dragos.com/blog/crashoverride/CrashOverride-01.pdf |
M17-mqe01 | Valyria_Doc_Macro_b508df1d | Mixed | This strike sends a malware sample known as Valyria_Doc_Macro. Valyria is a Trickler that targets the Windows platform. It arrives on the victim's system as a Microsoft Word document whose Visual Basic for Applications macro launches a PowerShell script to download and execute files. | b508df1db86363d813b21589a2f48531 | SHA1: af24bd58abb727cef7f6bba08d0926a36204254d; MD5: b508df1db86363d813b21589a2f48531; SHA256: c571b06649be9a8d07ae380a7131dd8deba1bee2aa7067557857fee8cbd2c130; http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html |
M17-oi801 | Valyria_Doc_Macro_bd93081f | Mixed | This strike sends a malware sample known as Valyria_Doc_Macro. Valyria is a Trickler that targets the Windows platform. It arrives on the victim's system as a Microsoft Word document whose Visual Basic for Applications macro launches a PowerShell script to download and execute files. | bd93081f18c481680c05cb452ce59284 | SHA1: c15f37b5722862aa8addc2ceb9b32d3584748de0; MD5: bd93081f18c481680c05cb452ce59284; SHA256: fff62aadd6740b7c1a4b57758f95d5de0cc36e471e6d1ae40ca8141a5845a7eb; http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html |
M17-y8i01 | Valyria_Doc_Macro_d93a9a3b | Mixed | This strike sends a malware sample known as Valyria_Doc_Macro. Valyria is a Trickler that targets the Windows platform. It arrives on the victim's system as a Microsoft Word document whose Visual Basic for Applications macro launches a PowerShell script to download and execute files. | d93a9a3b2a332fd69a3d0d7f1b64b5e7 | SHA1: fc1f0082257f9983c31c7b85c7efbd0ab4de98e6; MD5: d93a9a3b2a332fd69a3d0d7f1b64b5e7; SHA256: 2378d2f333b50cc341e08f574d300ebcf12ee7140cb897620bc9c35f93929854; http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html |
M17-t5x01 | Gh0stRAT_d5536e59 | Windows | This strike sends a malware sample known as Gh0stRAT. The sample was observed in the wild being downloaded by DoublePulsar backdoor payloads. | d5536e59be24fd3ecfe07cdc8a1f8772 | SHA1: 4cfa4834b5278631e99ad3f5a3be9b3129889a34; MD5: d5536e59be24fd3ecfe07cdc8a1f8772; SHA256: 16c6a023ef62a69ae260972cd564e6e168ee656f4e751a6ee071c591b0aeddb1 |
M17-l8901 | Fireball_41e928af | Windows | This strike sends a malware sample known as Fireball. Fireball is a browser hijacker, usually installed by being bundled with other software, that changes the browser's default start page and switches the default search engine to the Rafotech search engine. | 41e928af129c0583d2eb8c13a6caee64 | SHA1: d7c6f623f941ff21d5e172ec599c9525e4bcf953; MD5: 41e928af129c0583d2eb8c13a6caee64; SHA256: 24f1b40015760028743e03f2e0dbd6333f07fa43bcbdb37bb33a1b6626eb0684; https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/27000/PD27112/en_US/McAfee_Labs_Threat_Advisory-PUP_Adware-Elex.pdf |
M17-aux01 | Valyria_Doc_Macro_1eb97d04 | Mixed | This strike sends a malware sample known as Valyria_Doc_Macro. Valyria is a Trickler that targets the Windows platform. It arrives on the victim's system as a Microsoft Word document whose Visual Basic for Applications macro launches a PowerShell script to download and execute files. | 1eb97d04bcb26e07565ffe223a969507 | SHA1: b2b9f29e076dd260c5315011c3696242444d0d99; MD5: 1eb97d04bcb26e07565ffe223a969507; SHA256: 7ec2376443a777c789d853489ba4192ff21923ab95f4810660faad4dd93e0813; http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html |
M17-0nr01 | Crashoverride_a193184e | Windows | This strike sends a malware sample known as Crashoverride. Crashoverride (also known as Industroyer) is the first malware framework known to have been designed and deployed to attack electric grids. | a193184e61e34e2bc36289deaafdec37 | SHA1: 94488f214b165512d2fc0438a581f5c9e3bd4d4c; MD5: a193184e61e34e2bc36289deaafdec37; SHA256: 7907dd95c1d36cf3dc842a1bd804f0db511a0f68f4b3d382c23a3c974a383cad; https://dragos.com/blog/crashoverride/CrashOverride-01.pdf |
M17-8op01 | Sivis_0a5d3828 | Windows | This strike sends a malware sample known as Sivis. Sivis is a file infector that replaces files on the file system with executables containing copies of itself. | 0a5d382821b9239d12f996bf6a623012 | SHA1: 712e446768496651dafd48725b5d7544e0a24ccf; MD5: 0a5d382821b9239d12f996bf6a623012; SHA256: 4e5297e0d0b8c702e6c97fbaeee1f329b2246a046790e0e8adb595f94accf47e; http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html |
M17-qcr01 | Fadok_eea3c727 | Windows | This strike sends a malware sample known as Fadok. Fadok is a worm that drops several files and configures them to start automatically when Windows starts. It drops and opens a Word document and connects to the domain wxanalytics.ru. | eea3c72780e07f805ffa1bb7bb76298a | SHA1: 9686299e7fe5ddcef27e3e051916f5bb339fe39e; MD5: eea3c72780e07f805ffa1bb7bb76298a; SHA256: 148c4618e14a3c30f73dd6f910df6999ea4be2e32818f3747bdae03c175b7c48; http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html |
M17-s9z01 | PonyVariant_Dropper_55babe51 | Windows | This strike sends a malware sample known as PonyVariant_Dropper. This dropper launches malware built from the leaked Pony Loader source code. It tries to evade detection by injecting itself twice and by deleting its own file through a cmd.exe process. | 55babe5130c6b73b47fc48a46d0b0e16 | SHA1: a013f9e3652807743c366612f76c0435e874dbd3; MD5: 55babe5130c6b73b47fc48a46d0b0e16; SHA256: 24558ad4b3a745c24a2dd42c73800ccfcd0c10dc17c67d83f3dcb3a4e479d46c; http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html |
M17-xsv01 | BackdoorTrojan_82180b3d | Windows | This strike sends a malware sample known as BackdoorTrojan. The sample was observed in the wild being downloaded by DoublePulsar backdoor payloads. | 82180b3dc79c71c15d10ce7f52c05db0 | SHA1: 66616825dbc92de5a12f75b188983bff971b2a7d; MD5: 82180b3dc79c71c15d10ce7f52c05db0; SHA256: a1f119908b935199ded134e9ff57ebf205e1d6c27e0c9562979634ddc1c5f9e5 |
M17-2fs01 | Valyria_Doc_Macro_674d849e | Mixed | This strike sends a malware sample known as Valyria_Doc_Macro. Valyria is a Trickler that targets the Windows platform. It arrives on the victim's system as a Microsoft Word document whose Visual Basic for Applications macro launches a PowerShell script to download and execute files. | 674d849e8fe0351d927e1262f13e8e17 | SHA1: f43ec260e655536519f41bdae66afc2ad3ec5a8b; MD5: 674d849e8fe0351d927e1262f13e8e17; SHA256: eaa3cb0af249967c7d9a66185db3cac7e93196da6281014206b6d0bc0fb7f34c; http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html |
M17-yma01 | Ursnif_23fb9126 | Windows | This strike sends a malware sample known as Ursnif. Ursnif, also known as Gozi, is a banking trojan. It is spread mainly through spam email carrying an attachment that downloads Ursnif. In the past year Ursnif has been used in attacks against targets in Japan. | 23fb91262a83aed54abcebbf86e2af96 | SHA1: 3bf342ec0a3aad1f4269c19eecf399be3afd4a94; MD5: 23fb91262a83aed54abcebbf86e2af96; SHA256: cbe692191547918894975784a02015b409923cfcda0ddb82b9331fecaa8e39f6; https://www.trustwave.com/Resources/SpiderLabs-Blog/URSNIF-is-Back-Riding-a-New-Wave-of-Spam/ |
M17-ala01 | Siggen_396a1016 | Windows | This strike sends a malware sample known as Siggen. Siggen is malware with anti-debugging and anti-VM capabilities. The sample drops a file into a temporary directory; the file is deleted once it has been loaded and the second stage executed. | 396a1016606c2539873ec0467440ea0f | SHA1: 2bd4a382556d5ae7bc153cb8a7427250270b2d60; MD5: 396a1016606c2539873ec0467440ea0f; SHA256: 87701e501b48b94e9494bbda3f42a8b2a92a0e19d51d3e6023efae30b86f74a0; http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html |
M17-h8801 | Jaff_35eed9ca | Mixed | This strike sends a malware sample known as Jaff. Jaff is a ransomware variant that was recently observed being distributed in several large-scale email campaigns. These campaigns share several characteristics previously seen in Dridex and Locky campaigns: within a short period, multiple high-volume malicious spam runs were observed, each using a PDF attachment with an embedded Microsoft Word document that functions as the initial downloader for the Jaff ransomware. | 35eed9cafb26975c42b7a621352565d2 | SHA1: 03b17da93cf91f61c9dbb4d25182016cefec0659; MD5: 35eed9cafb26975c42b7a621352565d2; SHA256: ddabbe9cac0a547105ba8ccf223c7bcadebd680e724bca39c9d17a998726f854 |
M17-1s101 | PonyVariant_Dropper_084b72fc | Windows | This strike sends a malware sample known as PonyVariant_Dropper. This dropper launches malware built from the leaked Pony Loader source code. It tries to evade detection by injecting itself twice and by deleting its own file through a cmd.exe process. | 084b72fcf63d2628b157f4c7a9d9c00a | SHA1: e308935ab855d4c4513dc030b035cc703d823ad2; MD5: 084b72fcf63d2628b157f4c7a9d9c00a; SHA256: 4fe60f488f45f914edb650cc2e248d156ad8b257b610ad4848b1c245f38053e3; http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html |
M17-y7301 | Valyria_Doc_Macro_be6dd256 | Mixed | This strike sends a malware sample known as Valyria_Doc_Macro. Valyria is a Trickler that targets the Windows platform. It arrives on the victim's system as a Microsoft Word document whose Visual Basic for Applications macro launches a PowerShell script to download and execute files. | be6dd2561ed2258740306253b58e2b49 | SHA1: e8214a0a00f8261458157a44dfba335caecd85f1; MD5: be6dd2561ed2258740306253b58e2b49; SHA256: a57fe946d0e6d5324080ad9625ed5f4cc2720c53cfa8dfc4185cecc9320c8e45; http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html |
M17-dzm01 | VBS.CobaStriDldr.A_3a1dca21 | Mixed | This strike sends a malware sample known as VBS.CobaStriDldr.A. This malware has reportedly been used in a targeted phishing campaign attributed to the group APT19 against global law and investment firms. It arrives on the infected system through a spear-phishing email carrying a Microsoft Excel file or XLSM document. The MD5 hash of this VBS.CobaStriDldr. | 3a1dca21bfe72368f2dd46eb4d9b48c4 | SHA1: 3ddc3d2f40c64333adfafe508726344d90598c7b; MD5: 3a1dca21bfe72368f2dd46eb4d9b48c4; SHA256: 42ff4fa4a92fba9ec44371431997700195f22753d4ea16c0dda0a5c4116a61af; https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html |
M17-dod01 | Crashoverride_ab17f2b1 | Windows | This strike sends a malware sample known as Crashoverride. Crashoverride (also known as Industroyer) is the first malware framework known to have been designed and deployed to attack electric grids. | ab17f2b17c57b731cb930243589ab0cf | SHA1: 5a5fafbc3fec8d36fd57b075ebf34119ba3bff04; MD5: ab17f2b17c57b731cb930243589ab0cf; SHA256: 018eb62e174efdcdb3af011d34b0bf2284ed1a803718fba6edffe5bc0b446b81; https://dragos.com/blog/crashoverride/CrashOverride-01.pdf |
M17-1t601 | Valyria_Doc_Macro_788a6918 | Mixed | This strike sends a malware sample known as Valyria_Doc_Macro. Valyria is a Trickler that targets the Windows platform. The malware arrives to a victim's system as a Microsoft document file, which uses Visual Basic for Applications to launch a PowerShell script to download and execute files. | 788a69180a4ad792e3798e4e50f61c1f | SHA1: 5e122e37318aa8fd3d8f88ed23d1685fcbcfbe81MD5: 788a69180a4ad792e3798e4e50f61c1fSHA256: 17b965a0cf6b0b316da2c659ec2c7bbe747819d09c1c1401d5a80272f47b813ahttp://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html |
M17-28m01 | GenericMalware_4d621871 | Windows | This strike sends a malware sample known as GenericMalware. The sample has been identified in-the-wild being downloaded by DoublePulsar backdoor payloads. | 4d621871d5de77993f46353cbcb2c571 | SHA1: e097699803af2f9b690f2f4c6d35613a73eaa49eMD5: 4d621871d5de77993f46353cbcb2c571SHA256: 4996a9d19d17e8e436a188164e3c7725595a64edc8c45f611005f7f2832a8e2c |
M17-9p901 | Qakbot_24be8c46 | Windows | This strike sends a malware sample known as Qakbot. Qbot, AKA Qakbot, has been around for since at least 2008. Qakbot is a sophisticated trojan primarily targetting personal information like banking credentials. | 24be8c4601fe3170a01166969f8213c6 | SHA1: 7c03395e543e6f7123437682c81c89936195af14MD5: 24be8c4601fe3170a01166969f8213c6SHA256: 0200b37385ee4b54572e9ff8f9dca6b20ef6a41feefeb9f5eaf14fa35fe82b87http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html |
M17-xmu01 | Qakbot_55ba2a99 | Windows | This strike sends a malware sample known as Qakbot. Qbot, AKA Qakbot, has been around for since at least 2008. Qakbot is a sophisticated trojan primarily targetting personal information like banking credentials. | 55ba2a99ee46c18e2d6f545bfb5ffff6 | SHA1: 5e384fafa16bf6c2103543d0d9bec3448aec7436MD5: 55ba2a99ee46c18e2d6f545bfb5ffff6SHA256: 0452810a21fc1207dc11a2a82127f30354fdc41aef95371b77a00b5592c11bb4http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html |
M17-s7m01 | PonyVariant_Dropper_1dbf9a8e | Windows | This strike sends a malware sample known as PonyVariant_Dropper. This dropper launches some malware based on leaked Pony Loader source code. It tries to avoid detection by injecting twice and deleting itself with cmd.exe process. | 1dbf9a8e3f11514aee40fcaab87a4794 | SHA1: 09647c9edd512adc143e449d58f789b02a527150MD5: 1dbf9a8e3f11514aee40fcaab87a4794SHA256: 50733aaab0b6ca4210df15017f51bb576c84fea2cbeb0912dd40a32056cd3c1bhttp://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html |
M17-hbu01 | Valyria_Doc_Macro_957d8224 | Mixed | This strike sends a malware sample known as Valyria_Doc_Macro. Valyria is a Trickler that targets the Windows platform. The malware arrives to a victim's system as a Microsoft document file, which uses Visual Basic for Applications to launch a PowerShell script to download and execute files. | 957d8224e35c282d15b50b43257beb5d | SHA1: 598aa2cd6b85674801b00ad077cf076b4faeb60bMD5: 957d8224e35c282d15b50b43257beb5dSHA256: e90846bb4883914000462df105e679bc4ad05d3d1b0900363dd18eba1aca5c33http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html |
M17-qtq01 | Valyria_Doc_Macro_d770c4ed | Mixed | This strike sends a malware sample known as Valyria_Doc_Macro. Valyria is a Trickler that targets the Windows platform. The malware arrives to a victim's system as a Microsoft document file, which uses Visual Basic for Applications to launch a PowerShell script to download and execute files. | d770c4edfe83ea4b72336ccaf64422d3 | SHA1: e1e878411f2a6b7400ab963b12726c39d1259b69MD5: d770c4edfe83ea4b72336ccaf64422d3SHA256: 73b30d45b7f7a0893f8d8a1b3b55f10ff9d11e86619dccbb22a60d1f2462d5f6http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html |
M17-yrt01 | Sivis_98f6a14b | Windows | This strike sends a malware sample known as Sivis. Sivis is a file infector that will replace any file in the file system by executable files containing copies of itself. | 98f6a14bc884609eb523b125be4a8ecd | SHA1: 75644ce47dc6f94a88390e9c2a0e2de2fb515c73MD5: 98f6a14bc884609eb523b125be4a8ecdSHA256: 7366a0faef62af909a1ef1da05e2cbd1fc9534cbb26e20e90538e043f4517d5chttp://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html |
M17-qkr01 | Necurs_6686dec2 | Mixed | This strike sends a malware sample known as Necurs. Necurs is a large botnet and when active it distributes massive volumes of malicious spam. It tends to take breaks on weekends and it currently has an ongoing campaign using malicious PDFs to download Jaff ransomware. | 6686dec2e57b635f864ec0597512703e | SHA1: 2001971c7ddaa9b2550d1b870f5e377c56f15f70MD5: 6686dec2e57b635f864ec0597512703eSHA256: 778034b1c61ea7ab25a64bf49b5ae7d8c5dd2ce5f0ef3f8178adeee04f6a1e1fhttps://www.trustwave.com/Resources/SpiderLabs-Blog/Necurs-Recurs/ |
M17-12k01 | Gh0stRAT_ec66f69e | Windows | This strike sends a malware sample known as Gh0stRAT. The sample has been identified in-the-wild being downloaded by DoublePulsar backdoor payloads. | ec66f69e6ee7facceb6cde1fdae46276 | SHA1: 2d1077b5698382c22683f35d37711e7228b55dd6MD5: ec66f69e6ee7facceb6cde1fdae46276SHA256: 986e68ea037df3e00aa78ba996d31da0233a46aeea2eaa77be3ee5e4bc008176 |
M17-i4s01 | Sivis_930c0d6e | Windows | This strike sends a malware sample known as Sivis. Sivis is a file infector that will replace any file in the file system by executable files containing copies of itself. | 930c0d6e81335a76ee13ebca9c78b9df | SHA1: b428f5be0fbe76595e86714bad964858cac7b98eMD5: 930c0d6e81335a76ee13ebca9c78b9dfSHA256: ccbf43a2ab8074ca4a27952f0f3c052435ffe38cfa4644f63b609f96c978c014http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html |
M17-oeu01 | Sivis_6fbaf919 | Windows | This strike sends a malware sample known as Sivis. Sivis is a file infector that will replace any file in the file system by executable files containing copies of itself. | 6fbaf919f8cd2f44f077572418b390fa | SHA1: 99cfe8649d79d93be19bd32ea8ef99d197ce6fa4MD5: 6fbaf919f8cd2f44f077572418b390faSHA256: 0a08a78e10ffd4c2e176e089e092f3692b94da97457abcfc694082c525335fcfhttp://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html |
M17-55001 | Valyria_Doc_Macro_e65bf51b | Mixed | This strike sends a malware sample known as Valyria_Doc_Macro. Valyria is a Trickler that targets the Windows platform. The malware arrives to a victim's system as a Microsoft document file, which uses Visual Basic for Applications to launch a PowerShell script to download and execute files. | e65bf51b842f903e2d8814f7c2973273 | SHA1: eecac6bd49051c53b67b0122161a39468a0cd9b6MD5: e65bf51b842f903e2d8814f7c2973273SHA256: 913b51d636924dc67655ac2bb69449858448f71363eafcd3cb7881da3fe12994http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html |
M17-o6r01 | Valyria_Doc_Macro_50bdf5ca | Mixed | This strike sends a malware sample known as Valyria_Doc_Macro. Valyria is a Trickler that targets the Windows platform. The malware arrives to a victim's system as a Microsoft document file, which uses Visual Basic for Applications to launch a PowerShell script to download and execute files. | 50bdf5ca6bdee15865eb3e21b9a297b3 | SHA1: 589e0635f90ab6fdd9cddc920076502d992cab00MD5: 50bdf5ca6bdee15865eb3e21b9a297b3SHA256: ac1803de8dea5bca07b2eb654f0ce9b013285686014483e6c81ae7235b68e1aahttp://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html |
M17-c5h01 | Qakbot_08bacffc | Windows | This strike sends a malware sample known as Qakbot. Qbot, AKA Qakbot, has been around for since at least 2008. Qakbot is a sophisticated trojan primarily targetting personal information like banking credentials. | 08bacffcc1e4df896670047790373497 | SHA1: 34b74953be0071c8a1d41115b3555664e085b0fcMD5: 08bacffcc1e4df896670047790373497SHA256: 5b7a5a58e4af312cd23e1f28597f2818953dd23abdeedb52adb882958e2766cbhttp://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html |
M17-76n01 | Crashoverride_497de9d3 | Windows | This strike sends a malware sample known as Crashoverride. Crashoverride is the first ever malware framework designed and deployed to attack electric grids. | 497de9d388d23bf8ae7230d80652af69 | SHA1: b335163e6eb854df5e08e85026b2c3518891eda8MD5: 497de9d388d23bf8ae7230d80652af69SHA256: 893e4cca7fe58191d2f6722b383b5e8009d3885b5913dcd2e3577e5a763cdb3fhttps://dragos.com/blog/crashoverride/CrashOverride-01.pdf |
M17-tng01 | Valyria_Doc_Macro_2cff60d4 | Mixed | This strike sends a malware sample known as Valyria_Doc_Macro. Valyria is a Trickler that targets the Windows platform. The malware arrives to a victim's system as a Microsoft document file, which uses Visual Basic for Applications to launch a PowerShell script to download and execute files. | 2cff60d45d124f27874d2ea0fe4195e2 | SHA1: d4ea353cc42ffe2337af79baf50e542bc7cb2e76MD5: 2cff60d45d124f27874d2ea0fe4195e2SHA256: 097de8a240500e67ed2b1b0d8d95a4bcd8f07764c5abdcf7eceb17d15c592611http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html |
M17-8as01 | Fireball_fab40a7b | Windows | This strike sends a malware sample known as Fireball. Fireball is used as a browser-hijacker being frequently installed through bundling modifying the default start page for your browsers as well as changing default search engines to the Rafotech search engine. | fab40a7bde5250a6bc8644f4d6b9c28f | SHA1: 8b6388810047db449d3699333eca9091568a094cMD5: fab40a7bde5250a6bc8644f4d6b9c28fSHA256: 9b4971349ae85aa09c0a69852ed3e626c954954a3927b3d1b6646f139b930022 |
M17-bxd01 | Fireball_94e46b45 | Windows | This strike sends a malware sample known as Fireball. Fireball is used as a browser-hijacker being frequently installed through bundling modifying the default start page for your browsers as well as changing default search engines to the Rafotech search engine. | 94e46b4519ef0610a6a7d91d01584192 | SHA1: 8a8c9c2e6401a5d11883d0459be32e435317dd2eMD5: 94e46b4519ef0610a6a7d91d01584192SHA256: d6b51900305241cc5a7ba26858f3f55e5b7ddcff101e8f5c7060cead328bc7c4https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/27000/PD27112/en_US/McAfee_Labs_Threat_Advisory-PUP_Adware-Elex.pdf |
M17-xfr01 | Fireball_66e4d7c4 | Windows | This strike sends a malware sample known as Fireball. Fireball is used as a browser-hijacker being frequently installed through bundling modifying the default start page for your browsers as well as changing default search engines to the Rafotech search engine. | 66e4d7c44d23abf72069e745e6b617ed | SHA1: 7d9d44a8e33a7dd21d5f240eaa0fbc6e8de2e185MD5: 66e4d7c44d23abf72069e745e6b617edSHA256: 8f2e624dd9e77d0e2e74b01e271faace40f13a4f51fab61a585fbf0779bea627 |
M17-we401 | Qakbot_142aaa6c | Windows | This strike sends a malware sample known as Qakbot. Qbot, AKA Qakbot, has been around for since at least 2008. Qakbot is a sophisticated trojan primarily targetting personal information like banking credentials. | 142aaa6c5fcb885e211039ccb6b0f5d4 | SHA1: 66094ebc324bd90422bb4074ff204b92c594d07cMD5: 142aaa6c5fcb885e211039ccb6b0f5d4SHA256: 007f9ee2441329fe8c8ebf6f597c84eb1e4fea764dd228cfae9bed400c8af53bhttp://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html |
M17-zjq01 | Fadok_cd6a252f | Windows | This strike sends a malware sample known as Fadok. Fadok drops several files. The instances of the malware are auto-started when Windows starts. The worm drops and opens a Word document. It connects to the domain wxanalytics.ru. | cd6a252f9e59da13b3f199419ed3ece8 | SHA1: 2d9d1e148fe5bfed0a4cb90cb055705f5affefeaMD5: cd6a252f9e59da13b3f199419ed3ece8SHA256: 056b0bc81124cf9ad6c094092e1f16f2aa96bf7efebcaeaf3830a8a228464a9bhttp://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html |
M17-p3f01 | Siggen_90d18c3c | Windows | This strike sends a malware sample known as Siggen. Siggen is a malware with anti-debugging and anti-VM capabilities. The sample drops a file in a temporary directory that is deleted once it is loaded and the second stage executed. | 90d18c3c4bf09f1c6d0dba8f4c638f2c | SHA1: 2d3ffffa9286881ae0113aa19c444bb4e0677137MD5: 90d18c3c4bf09f1c6d0dba8f4c638f2cSHA256: 745d8d433cba5315749dc61810d9bf4eb1864fb9737c4a2fc3718eda75917d6fhttp://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html |
M17-qd401 | Valyria_Doc_Macro_fe6304e4 | Mixed | This strike sends a malware sample known as Valyria_Doc_Macro. Valyria is a Trickler that targets the Windows platform. The malware arrives to a victim's system as a Microsoft document file, which uses Visual Basic for Applications to launch a PowerShell script to download and execute files. | fe6304e4297dbeda72cd5afdbae8d7b2 | SHA1: ac0930e02103970658fc20eae0869c7088b8cfe0MD5: fe6304e4297dbeda72cd5afdbae8d7b2SHA256: 2669d31701a90345db7492bc3de46db51af6a9137ce1bafdab2fd3122d2e040ehttp://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html |
M17-u6u01 | Keybase_04311370 | Windows | This strike sends a malware sample known as Keybase. KeyBase is a trojan that can be used to capture screenshots, keystrokes, and other pieces of system information. | 0431137025391490648c9b8334fbf092 | SHA1: 6ddf8c1c6d747553977e51cd685240c1aff7a61bMD5: 0431137025391490648c9b8334fbf092SHA256: 7d22f93bea6e24c11497a826e692216861bb5710e0e6a9842ed9c30463a11b24http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html |
M17-85r01 | Gh0stRAT_88b8f7aa | Windows | This strike sends a malware sample known as Gh0stRAT. The sample has been identified in-the-wild being downloaded by DoublePulsar backdoor payloads. | 88b8f7aadeb8c5d5f0a5b182e0f6fc28 | SHA1: 407f4eda279c43c2e70e0fe2382524a6843a7843MD5: 88b8f7aadeb8c5d5f0a5b182e0f6fc28SHA256: e6bd0d021069df585eb281fd3206ecda655c40e6d4021a8ed0b6a7d4bd13776a |
M17-w4301 | Valyria_Doc_Macro_526ba8e6 | Mixed | This strike sends a malware sample known as Valyria_Doc_Macro. Valyria is a Trickler that targets the Windows platform. The malware arrives to a victim's system as a Microsoft document file, which uses Visual Basic for Applications to launch a PowerShell script to download and execute files. | 526ba8e6f3dd094439202fdafda0f024 | SHA1: f853532ac65154d37dad9328d1ecf1970731dfa7MD5: 526ba8e6f3dd094439202fdafda0f024SHA256: ceb3fd6d517aaff2a122df2f9e8ab368cbf1efc8644344d4f228198e90c56399http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html |
M17-4mu01 | Fireball_2b307e28 | Windows | This strike sends a malware sample known as Fireball. Fireball is used as a browser-hijacker being frequently installed through bundling modifying the default start page for your browsers as well as changing default search engines to the Rafotech search engine. | 2b307e28ce531157611825eb0854c15f | SHA1: f7df2b019b5640c66e40b1cecbb327d1c9192560MD5: 2b307e28ce531157611825eb0854c15fSHA256: 7d68386554e514f38f98f24e8056c11c0a227602ed179d54ed08f2251dc9ea93 |
M17-tj401 | Siggen_61b2d117 | Windows | This strike sends a malware sample known as Siggen. Siggen is a malware with anti-debugging and anti-VM capabilities. The sample drops a file in a temporary directory that is deleted once it is loaded and the second stage executed. | 61b2d117272fde42efef918cecc6031c | SHA1: b83a665772d11018cce2e72f24ca90aa27f3f298MD5: 61b2d117272fde42efef918cecc6031cSHA256: dd249e28e052a2e7747886a0596e7faf7e447fbef7260198509fc6e08c294bbbhttp://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html |
M17-qf801 | Fireball_7b2868fa | Windows | This strike sends a malware sample known as Fireball. Fireball is used as a browser-hijacker being frequently installed through bundling modifying the default start page for your browsers as well as changing default search engines to the Rafotech search engine. | 7b2868faa915a7fc6e2d7cc5a965b1e7 | SHA1: 250a8bd174403e32ad77f7e710e7165e7df40a47MD5: 7b2868faa915a7fc6e2d7cc5a965b1e7SHA256: e4d4f6fbfbbbf3904ca45d296dc565138a17484c54aebbb00ba9d57f80dfe7e5 |
M17-30z01 | VBS.CobaStriDldr.A_bae0b391 | Windows | This strike sends a malware sample known as VBS.CobaStriDldr.A. This malware has been reportedly used in a targeted attack campaign named as APT19. This phishing campaign targets global law and investment firms. The malware arrives on the infected system through a spear phishing email, containing a Microsoft Excel file or XLSM document. The MD5 hash of this VBS.CobaStriDldr. | bae0b39197a1ac9e24bdf9a9483b18ea | SHA1: 7b0d8394b32cb59c59e4ac9471dba676678fd91aMD5: bae0b39197a1ac9e24bdf9a9483b18eaSHA256: e3494fd2cc7e9e02cff76841630892e4baed34a3e1ef2b9ae4e2608f9a4d7be9https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html |
M17-ryl01 | Carbanak_13a5fab5 | Windows | This strike sends a malware sample known as Carbanak. Carbanak is a a Backdoor that targets the Windows platform. It sends out system information to a remote server and could accept commands that may provide an attacker with the ability to download/execute files, steal cookies, inject code. | 13a5fab598763ae4141955f2903d66f9 | SHA1: cf5b30e6ada0d6ee7449d6bde9986a35df6f2986MD5: 13a5fab598763ae4141955f2903d66f9SHA256: 6224efee6665118fe4b5bfbc0c4b1dbe611a43a4b385f61ae33b0a0af230da4ehttps://www.trustwave.com/Resources/SpiderLabs-Blog/New-Carbanak-/-Anunak-Attack-Methodology/ |
M17-i2301 | Valyria_Doc_Macro_0b54f5ac | Mixed | This strike sends a malware sample known as Valyria_Doc_Macro. Valyria is a Trickler that targets the Windows platform. The malware arrives to a victim's system as a Microsoft document file, which uses Visual Basic for Applications to launch a PowerShell script to download and execute files. | 0b54f5ac562cda7def5470b2d4612067 | SHA1: 714f80b2c610ab1899f2e550d8ca68dfcbf30eaeMD5: 0b54f5ac562cda7def5470b2d4612067SHA256: ef6269b66111c365ef251e4128a286e16c972359ca406a02b6f81fa8b55b1cdahttp://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html |
M17-3bk01 | Siggen_e2ad0f4e | Windows | This strike sends a malware sample known as Siggen. Siggen is a malware with anti-debugging and anti-VM capabilities. The sample drops a file in a temporary directory that is deleted once it is loaded and the second stage executed. | e2ad0f4efa073582e3bafbef550c3c81 | SHA1: eaf6a846b4b1a34d091d5a4baf940c1a099dd80aMD5: e2ad0f4efa073582e3bafbef550c3c81SHA256: 4a1b26fd16f985e1da3f1b5619b55f6170584ac51923bd6d6c4c455fc86d44dahttp://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html |
M17-doq01 | Qakbot_74881c46 | Windows | This strike sends a malware sample known as Qakbot. Qbot, AKA Qakbot, has been around for since at least 2008. Qakbot is a sophisticated trojan primarily targetting personal information like banking credentials. | 74881c460b8a9227e3dc74f36f77b226 | SHA1: 3e68003a07b62f848e3051ea1766a04b2d14179eMD5: 74881c460b8a9227e3dc74f36f77b226SHA256: 00141f6303dd960c61a4fdb06e686ccc972c0e0f092adaf823444e4b7e32ae09http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html |
M17-g9x01 | BackdoorTrojan_e93124fe | Windows | This strike sends a malware sample known as BackdoorTrojan. The sample has been identified in-the-wild being downloaded by DoublePulsar backdoor payloads. | e93124fef0a3ac7869f3ae6ee696beec | SHA1: 03d4275dee52ef1b70e558abf9c2fef82a76339dMD5: e93124fef0a3ac7869f3ae6ee696beecSHA256: 926ed977382f409409d912cfb04191d3c375c9dc0b30a487510d3d83ab7cfc01 |
M17-vwg01 | Fireball_69ffdf99 | Windows | This strike sends a malware sample known as Fireball. Fireball is used as a browser-hijacker being frequently installed through bundling modifying the default start page for your browsers as well as changing default search engines to the Rafotech search engine. | 69ffdf99149d19be7dc1c52f33aaa651 | SHA1: b6bbe04238834126043610115c253788f0cb8a39MD5: 69ffdf99149d19be7dc1c52f33aaa651SHA256: e3f69a1fb6fcaf9fd93386b6ba1d86731cd9e5648f7cff5242763188129cd158 |
M17-soi01 | PonyVariant_Dropper_8b998ddd | Windows | This strike sends a malware sample known as PonyVariant_Dropper. This dropper launches some malware based on leaked Pony Loader source code. It tries to avoid detection by injecting twice and deleting itself with cmd.exe process. | 8b998dddd5a658fc1f9f6e3adc9c6f12 | SHA1: 57200ec3b13d5ca0e3e632aa3bd0d7a163265736MD5: 8b998dddd5a658fc1f9f6e3adc9c6f12SHA256: 416d71ce82336aa2dda064e6ba93a555ccf46c7ae2ad1faba379513965d9d485http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html |
M17-4qr01 | Crashoverride_f9005f8e | Windows | This strike sends a malware sample known as Crashoverride. Crashoverride is the first ever malware framework designed and deployed to attack electric grids. | f9005f8e9d9b854491eb2fbbd06a16e0 | SHA1: 79ca89711cdaedb16b0ccccfdcfbd6aa7e57120aMD5: f9005f8e9d9b854491eb2fbbd06a16e0SHA256: 21c1fdd6cfd8ec3ffe3e922f944424b543643dbdab99fa731556f8805b0d5561https://dragos.com/blog/crashoverride/CrashOverride-01.pdf |
M17-j7i01 | Gh0stRAT_233f31c1 | Windows | This strike sends a malware sample known as Gh0stRAT. The sample has been identified in-the-wild being downloaded by DoublePulsar backdoor payloads. | 233f31c12bc5305cb4186469c17b7e4a | SHA1: 03a288cc2cbd2cbe331a54c2afc5dd90761a82a9MD5: 233f31c12bc5305cb4186469c17b7e4aSHA256: 45aedb18335d58aee6bad2888038bfa16e12460f89e7d181495101267be76b07 |
M17-0e801 | Gh0stRAT_49e2f935 | Mixed | This strike sends a malware sample known as Gh0stRAT. The sample has been identified in-the-wild being downloaded by DoublePulsar backdoor payloads. | 49e2f935dd760b81c8979d429b51264e | SHA1: 5376a271f8f5d644ca1fb457b1c98a258d83b586MD5: 49e2f935dd760b81c8979d429b51264eSHA256: e2d31ee0a4b6209fffa3eb52066c23db851777b0cc9b974f3ce3af7b69c62655https://www.ixiacom.com/company/blog/state-eternalblue-exploitation-wild |
M17-tju01 | Qakbot_5ac1917c | Windows | This strike sends a malware sample known as Qakbot. Qbot, AKA Qakbot, has been around for since at least 2008. Qakbot is a sophisticated trojan primarily targetting personal information like banking credentials. | 5ac1917cf9a1a814bf39d01200127b40 | SHA1: 62067adb0fe0b2e4a8357ea005fa7981523fd759MD5: 5ac1917cf9a1a814bf39d01200127b40SHA256: 9a238c95de1ba5bc414aa0fd45297bf79f02b1de03d93a65ad74e91e37eb9ae9http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html |
M17-k4w01 | Siggen_0894a86f | Windows | This strike sends a malware sample known as Siggen. Siggen is a malware with anti-debugging and anti-VM capabilities. The sample drops a file in a temporary directory that is deleted once it is loaded and the second stage executed. | 0894a86f8416bee1a519b438bb23ee83 | SHA1: 3d1610c412404f7c0b87dbccd3f1c05cd09f867fMD5: 0894a86f8416bee1a519b438bb23ee83SHA256: 5527923be2a750415d9565fcfc38550bf292206cee0e415278e8e08d3f3cdbdchttp://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html |
M17-zz201 | Gh0stRAT_5c1a8b3e | Windows | This strike sends a malware sample known as Gh0stRAT. The sample has been identified in-the-wild being downloaded by DoublePulsar backdoor payloads. | 5c1a8b3ecfd936e3cb9128eb5063ece6 | SHA1: f181d60a82fe94e7f4bd892b1cc1e7e08b8e9193MD5: 5c1a8b3ecfd936e3cb9128eb5063ece6SHA256: 90a1737f38c52f92aa0fb49f2104f81481c77044817f04a231dc5dbe95bbb215 |
M17-e3801 | Fireball_8c61a693 | Windows | This strike sends a malware sample known as Fireball. Fireball is used as a browser-hijacker being frequently installed through bundling modifying the default start page for your browsers as well as changing default search engines to the Rafotech search engine. | 8c61a6937963507dc87d8bf00385c0bc | SHA1: 0312325d31072afaac87f3aafff58261b549db5dMD5: 8c61a6937963507dc87d8bf00385c0bcSHA256: 14093ce6d0fe8ab60963771f48937c669103842a0400b8d97f829b33c420f7e3 |
M17-y7x01 | Fireball_b56d1d35 | Windows | This strike sends a malware sample known as Fireball. Fireball is used as a browser-hijacker being frequently installed through bundling modifying the default start page for your browsers as well as changing default search engines to the Rafotech search engine. | b56d1d35d46630335e03af9add84b488 | SHA1: cc725869679e5c8c4b7fcdffe98bcd4d612a909aMD5: b56d1d35d46630335e03af9add84b488SHA256: c7244d139ef9ea431a5b9cc6a2176a6a9908710892c74e215431b99cd5228359 |
M17-2q701 | Fireball_84dcb96b | Windows | This strike sends a malware sample known as Fireball. Fireball is used as a browser-hijacker being frequently installed through bundling modifying the default start page for your browsers as well as changing default search engines to the Rafotech search engine. | 84dcb96bdd84389d4449f13eac750986 | SHA1: 3c812ea95aa6a2234548814b5447c2ac786daa30MD5: 84dcb96bdd84389d4449f13eac750986SHA256: f964a4b95d5c518fd56f06044af39a146d84b801d9472e022de4c929a5b8fdcc |
M17-98p01 | Crashoverride_ff69615e | Windows | This strike sends a malware sample known as Crashoverride. Crashoverride is the first ever malware framework designed and deployed to attack electric grids. | ff69615e3a8d7ddcdc4b7bf94d6c7ffb | SHA1: 2cb8230281b86fa944d3043ae906016c8b5984d9MD5: ff69615e3a8d7ddcdc4b7bf94d6c7ffbSHA256: ecaf150e087ddff0ec6463c92f7f6cca23cc4fd30fe34c10b3cb7c2a6d135c77https://dragos.com/blog/crashoverride/CrashOverride-01.pdf |
M17-wrk01 | Valyria_Doc_Macro_508cefdf | Mixed | This strike sends a malware sample known as Valyria_Doc_Macro. Valyria is a Trickler that targets the Windows platform. The malware arrives to a victim's system as a Microsoft document file, which uses Visual Basic for Applications to launch a PowerShell script to download and execute files. | 508cefdf3010539f2149f5c302026177 | SHA1: 7294eb013e53992a37239051e9c462e5925134d7MD5: 508cefdf3010539f2149f5c302026177SHA256: a3905f5dd2e106d19e260b36d9bdc7946cc8aae0f4343e8d6c7f671d0bdc7921http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html |
M17-ohn01 | Valyria_Doc_Macro_678f87e5 | Mixed | This strike sends a malware sample known as Valyria_Doc_Macro. Valyria is a Trickler that targets the Windows platform. The malware arrives to a victim's system as a Microsoft document file, which uses Visual Basic for Applications to launch a PowerShell script to download and execute files. | 678f87e5ef02699daad6da0da7d2d8be | SHA1: ceab7dcc360a479c8955e1f2e9e14d0e7129cacbMD5: 678f87e5ef02699daad6da0da7d2d8beSHA256: 67e2d24be65f338f944eda6cffdda8013147088a8173e771795b399c3c182771http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html |
M17-p3i01 | Fireball_7adb7f56 | Windows | This strike sends a malware sample known as Fireball. Fireball is used as a browser-hijacker being frequently installed through bundling modifying the default start page for your browsers as well as changing default search engines to the Rafotech search engine. | 7adb7f56e81456f3b421c01ab19b1900 | SHA1: 30a176dde7aff87ee73c967d4f70d1b834a62dd4MD5: 7adb7f56e81456f3b421c01ab19b1900SHA256: fff2818caa9040486a634896f329b8aebaec9121bdf9982841f0646763a1686b |
M17-z1o01 | Fadok_dfa89d72 | Windows | This strike sends a malware sample known as Fadok. Fadok drops several files. The instances of the malware are auto-started when Windows starts. The worm drops and opens a Word document. It connects to the domain wxanalytics.ru. | dfa89d72ef517428ce552bc8afc1a7ae | SHA1: ea2325b643cf653ffa9b20dbe5fd25e6eb562afaMD5: dfa89d72ef517428ce552bc8afc1a7aeSHA256: 0fffda2d0105f10690d1989859deae3d50287474534649605a320f078616d658http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html |
M17-7qg01 | Necurs_4d128c93 | Mixed | This strike sends a malware sample known as Necurs. Necurs is a large botnet and when active it distributes massive volumes of malicious spam. It tends to take breaks on weekends and it currently has an ongoing campaign using malicious PDFs to download Jaff ransomware. | 4d128c93c03605be2460e0e6767603c1 | SHA1: 8e4f36e0710aee26f125acc69b14cac44467238fMD5: 4d128c93c03605be2460e0e6767603c1SHA256: 5da7c8bf86dc71531b2cd34e565385dae7b080cde104e5abe29577ed03787a71https://www.trustwave.com/Resources/SpiderLabs-Blog/Necurs-Recurs/ |
M17-yee01 | Cerber_ae5a348b | Windows | This strike sends a malware sample known as Cerber. The Cerber family started to emerge during the 1st quarter of 2016 and has been seen being distributed via Neutrino or Magnitude exploit kits and spam emails using VBScript files. | ae5a348b9dd0ac3a6a46e70c82fa9c38 | SHA1: f440edc4fe35452d0fbec35a5c352295f3e3bf0cMD5: ae5a348b9dd0ac3a6a46e70c82fa9c38SHA256: 73a7497c8fa283b444242259ae061d5cbb705be04b5f531f1096a2c236bb5204https://www.trustwave.com/Resources/SpiderLabs-Blog/FakeGlobe-and-Cerber-Ransomware--Sneaking-under-the-radar-while-WeCry/ |
M17-mzy01 | Valyria_Doc_Macro_b4fb36c4 | Mixed | This strike sends a malware sample known as Valyria_Doc_Macro. Valyria is a Trickler that targets the Windows platform. The malware arrives to a victim's system as a Microsoft document file, which uses Visual Basic for Applications to launch a PowerShell script to download and execute files. | b4fb36c43f91d10ce9bd284fff4c7925 | SHA1: c3ceae4d0b9b288bac70dbb563ef6b4eba39fb78MD5: b4fb36c43f91d10ce9bd284fff4c7925SHA256: 95fd8ea6a9b5778a75b76804ae8c1da2514239598edd1c324f25eb30a93fd715http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html |
M17-lum01 | Valyria_Doc_Macro_13f8df4a | Mixed | This strike sends a malware sample known as Valyria_Doc_Macro. Valyria is a Trickler that targets the Windows platform. The malware arrives to a victim's system as a Microsoft document file, which uses Visual Basic for Applications to launch a PowerShell script to download and execute files. | 13f8df4aea556dcd6d72f923faa24f3d | SHA1: b31c34f428fda8e02d4b684555b3bb3ebf17a74cMD5: 13f8df4aea556dcd6d72f923faa24f3dSHA256: 6b6221926ec36c928f0d0eef2d254766f30342714c3e791645d97c6c86cec31fhttp://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html |
M17-y0901 | Gh0stRAT_b0424941 | Windows | This strike sends a malware sample known as Gh0stRAT. The sample has been identified in-the-wild being downloaded by DoublePulsar backdoor payloads. | b0424941ef8e58bf9db2fefcd53cb459 | SHA1: be347ce22989919d81bb5b2c1ef392b5282e7113MD5: b0424941ef8e58bf9db2fefcd53cb459SHA256: ed4b40578f0ddbfeb851835048cdadae0c1a9f8c8e67c6b00a9a1534c17b6252 |
M17-kso01 | Siggen_006ae6cd | Windows | This strike sends a malware sample known as Siggen. Siggen is a malware with anti-debugging and anti-VM capabilities. The sample drops a file in a temporary directory that is deleted once it is loaded and the second stage executed. | 006ae6cd35f486808f3125eca11557f0 | SHA1: bd265c7cdac416b95078755e9f340fb1381130c5MD5: 006ae6cd35f486808f3125eca11557f0SHA256: 2dd6b33d9e07c68b79b6674e0972f28ee316548c5e53b28331d88c739d1a5b8fhttp://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html |
M17-66d01 | Valyria_Doc_Macro_1fac3695 | Mixed | This strike sends a malware sample known as Valyria_Doc_Macro. Valyria is a Trickler that targets the Windows platform. The malware arrives on a victim's system as a Microsoft document file, which uses Visual Basic for Applications to launch a PowerShell script to download and execute files. | 1fac3695445d7f62094c5f25c856d91a | SHA1: 586e4bedbe58e0f1b6fc923225f60ff2d46e7f77MD5: 1fac3695445d7f62094c5f25c856d91aSHA256: f6650409983332866425e807dedc231b28a7cd3a468fe9e17be029fda17efe15http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html |
M17-2dk01 | Carbanak_36f36696 | Windows | This strike sends a malware sample known as Carbanak. Carbanak is a Backdoor that targets the Windows platform. It sends system information to a remote server and can accept commands that give an attacker the ability to download and execute files, steal cookies, and inject code. | 36f36696b948b550ad4afe4b0bc53fbd | SHA1: 83d0964f06e5f53d882f759e4933a6511730e07bMD5: 36f36696b948b550ad4afe4b0bc53fbdSHA256: 91ff7b9c4cdcaa61b01f0783dacdbbed3f848fb01013c635bc9d87a85183ebc0https://www.trustwave.com/Resources/SpiderLabs-Blog/New-Carbanak-/-Anunak-Attack-Methodology/ |
M17-41901 | Valyria_Doc_Macro_eb9c35b3 | Mixed | This strike sends a malware sample known as Valyria_Doc_Macro. Valyria is a Trickler that targets the Windows platform. The malware arrives on a victim's system as a Microsoft document file, which uses Visual Basic for Applications to launch a PowerShell script to download and execute files. | eb9c35b3190fcb1e478028b24d2ec585 | SHA1: 7221fbfea71e10535005ea6ab1f13a8110afcda6MD5: eb9c35b3190fcb1e478028b24d2ec585SHA256: d6d05984c0d493eb75861c7d56c2cf649fcc912134e7df2894fc8bb3eec8980fhttp://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html |
M17-fan01 | Valyria_Doc_Macro_4f169840 | Mixed | This strike sends a malware sample known as Valyria_Doc_Macro. Valyria is a Trickler that targets the Windows platform. The malware arrives on a victim's system as a Microsoft document file, which uses Visual Basic for Applications to launch a PowerShell script to download and execute files. | 4f169840bd08c25d9477a4ae9c31caec | SHA1: cc7935cf02d42672c90903034b3abaeee6c3fc0bMD5: 4f169840bd08c25d9477a4ae9c31caecSHA256: 2de9f4f8df35ca71c1738d22bfb6a147670c25dcbe2014cfd0870a53e33f385ahttp://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html |
M17-w9m01 | Valyria_Doc_Macro_2250018f | Mixed | This strike sends a malware sample known as Valyria_Doc_Macro. Valyria is a Trickler that targets the Windows platform. The malware arrives on a victim's system as a Microsoft document file, which uses Visual Basic for Applications to launch a PowerShell script to download and execute files. | 2250018f91f2c6841f163e14874592eb | SHA1: f5543f426cec914da878070d41836e506b298ea5MD5: 2250018f91f2c6841f163e14874592ebSHA256: 3d93b69809ad4d6cb2866583c7fc0144aa0db167fd4940ab17b3252c809bf1d1http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html |
M17-jan01 | Win32/Virut_825e3522 | Windows | This strike sends a malware sample known as Win32/Virut. The sample has been identified in-the-wild being downloaded by DoublePulsar backdoor payloads. | 825e3522037eab1da5bafc09a195ab92 | SHA1: d0a111636b10b02f599278220247f8fb82490c5cMD5: 825e3522037eab1da5bafc09a195ab92SHA256: d76818d5ac2a4ceec907bc6246862d64399f67cc954d66e31897afa414feda27 |
M17-dya01 | Valyria_Doc_Macro_42ea2531 | Mixed | This strike sends a malware sample known as Valyria_Doc_Macro. Valyria is a Trickler that targets the Windows platform. The malware arrives on a victim's system as a Microsoft document file, which uses Visual Basic for Applications to launch a PowerShell script to download and execute files. | 42ea2531137994b6531f656b35bbe845 | SHA1: fb290b19c57e4e0fa70a14de3f8d705fcaa6e7afMD5: 42ea2531137994b6531f656b35bbe845SHA256: 5cc180f858ed3148aad169790640664280c4b908867256f7b1a0718575192c78http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html |
M17-8ib01 | Fireball_5bce955c | Windows | This strike sends a malware sample known as Fireball. Fireball is a browser hijacker, frequently installed through software bundling, that modifies the default start page of your browsers and changes the default search engine to the Rafotech search engine. | 5bce955cf12af3417f055dadc0212920 | SHA1: 720ef2a0fbc262a3acedc05b12cc884a9e3cd2a5MD5: 5bce955cf12af3417f055dadc0212920SHA256: adcf6b8aa633286cd3a2ce7c79befab207802dec0e705ed3c74c043dabfc604c |
M17-ou501 | GenericMalware_93d48870 | Windows | This strike sends a malware sample known as GenericMalware. The sample has been identified in-the-wild being downloaded by DoublePulsar backdoor payloads. | 93d48870d5b55c1611f01261a37f25ed | SHA1: 9a766bd82a4dc8a016ff25292ad50f4573b04dadMD5: 93d48870d5b55c1611f01261a37f25edSHA256: 6dc964d2c112fe3eab072f890e91b1bc9f79b340cf6bbb479c7d3c8ed096938a |
M17-7u301 | Valyria_Doc_Macro_189f1358 | Mixed | This strike sends a malware sample known as Valyria_Doc_Macro. Valyria is a Trickler that targets the Windows platform. The malware arrives on a victim's system as a Microsoft document file, which uses Visual Basic for Applications to launch a PowerShell script to download and execute files. | 189f13580169be011b73ba17a6dc051f | SHA1: 48f334eb52c19d56f3f37bfc4b60460bc453ce61MD5: 189f13580169be011b73ba17a6dc051fSHA256: 900f2319a95ec33f4c42a4ceac088f0ab940aa0cde64c4da186b0322746d3e36http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html |
M17-yzu01 | Valyria_Doc_Macro_be4d6281 | Mixed | This strike sends a malware sample known as Valyria_Doc_Macro. Valyria is a Trickler that targets the Windows platform. The malware arrives on a victim's system as a Microsoft document file, which uses Visual Basic for Applications to launch a PowerShell script to download and execute files. | be4d6281c8ecb2a008ed007fdc8b904f | SHA1: 74a4325d9595f6f603cdbbfe02e8538c4eda2f4cMD5: be4d6281c8ecb2a008ed007fdc8b904fSHA256: b08b5eb8f5ab0a2fa8acebaf86bf48653f38b7efed83d88ba6076f0da4af9acehttp://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html |
M17-ber01 | Valyria_Doc_Macro_bcec1085 | Mixed | This strike sends a malware sample known as Valyria_Doc_Macro. Valyria is a Trickler that targets the Windows platform. The malware arrives on a victim's system as a Microsoft document file, which uses Visual Basic for Applications to launch a PowerShell script to download and execute files. | bcec10859b916d1017a72c5a39f8961c | SHA1: 6cb5d156e33d66361730e49f4d49c2f38f34e156MD5: bcec10859b916d1017a72c5a39f8961cSHA256: 3f3adeed33a1a057f697c49f9d776c27c7fb9afb7cfa62eec2936ac24ae0d19dhttp://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html |
M17-4e001 | Gh0stRAT_1778fc96 | Windows | This strike sends a malware sample known as Gh0stRAT. The sample has been identified in-the-wild being downloaded by DoublePulsar backdoor payloads. | 1778fc969d29bb3e8537d24402ccb44a | SHA1: eb036fb0c50c1d95f5c009f4987bcea384e5f504MD5: 1778fc969d29bb3e8537d24402ccb44aSHA256: dd023467cb90438086802cbe16bd80547e52e81fc21d05d6a92b0d268fa65f8b |
M17-0qd01 | Fadok_1bcc4df9 | Windows | This strike sends a malware sample known as Fadok. Fadok drops several files. The instances of the malware are auto-started when Windows starts. The worm drops and opens a Word document. It connects to the domain wxanalytics.ru. | 1bcc4df972bb5784a2cb05295db25b0a | SHA1: 11a9062c8522e7746f702b52d88bf4081f9f9f35MD5: 1bcc4df972bb5784a2cb05295db25b0aSHA256: 0cac66a5a16efe52e2e878f5e8f6e34749e049c547ecf18f54955141e13e7058http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html |
M17-20w01 | Valyria_Doc_Macro_86fe38f9 | Mixed | This strike sends a malware sample known as Valyria_Doc_Macro. Valyria is a Trickler that targets the Windows platform. The malware arrives on a victim's system as a Microsoft document file, which uses Visual Basic for Applications to launch a PowerShell script to download and execute files. | 86fe38f913c7a296760db0af0a5eb2f6 | SHA1: f194d570c17f05d9d7a5987fe8bc312051785c39MD5: 86fe38f913c7a296760db0af0a5eb2f6SHA256: fbdee3574019ef790ca4609c0414bf63da402c051351552e3a24f4e325e494e2http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html |
M17-cxm01 | Jaff_192b829b | Mixed | This strike sends a malware sample known as Jaff. We recently observed several large scale email campaigns that were attempting to distribute a new variant of ransomware that has been dubbed "Jaff". Interestingly we identified several characteristics that we have previously observed being used during Dridex and Locky campaigns. In a short period of time, we observed multiple campaigns featuring high volumes of malicious spam emails being distributed, each using a PDF attachment with an embedded Microsoft Word document functioning as the initial downloader for the Jaff ransomware. | 192b829bf7f6829549519168c173c931 | SHA1: 551f953db4ba48452a4f7de9f5f7149c98ddf52fMD5: 192b829bf7f6829549519168c173c931SHA256: e0573ec5a6ed61a6f38ab209e3d0d309b0c15af9dacc253240476c6899b5690bhttps://www.trustwave.com/Resources/SpiderLabs-Blog/Necurs-Recurs/ |
M17-sk901 | Valyria_Doc_Macro_4903486e | Mixed | This strike sends a malware sample known as Valyria_Doc_Macro. Valyria is a Trickler that targets the Windows platform. The malware arrives on a victim's system as a Microsoft document file, which uses Visual Basic for Applications to launch a PowerShell script to download and execute files. | 4903486e2676500014cd644ece03300d | SHA1: ed4f1cf48929316eef12652507af82b11f3d7b4dMD5: 4903486e2676500014cd644ece03300dSHA256: 24384267829131c7158c50c109afea6026d327c65a66ef559a6540c2c8863094http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html |
M17-m3h01 | Gh0stRAT_acf5eae7 | Windows | This strike sends a malware sample known as Gh0stRAT. The sample has been identified in-the-wild being downloaded by DoublePulsar backdoor payloads. | acf5eae7273613c791ea665569935cf4 | SHA1: 78cccddcbd9db5db9e1445b9e16140043c3eef73MD5: acf5eae7273613c791ea665569935cf4SHA256: eb1f2d077482e389c3bbe8d93f01d47af63eb68b1cac2586ce43c3f1ecff1555 |
M17-kj501 | Siggen_86778a4e | Windows | This strike sends a malware sample known as Siggen. Siggen is a malware with anti-debugging and anti-VM capabilities. The sample drops a file in a temporary directory that is deleted once it is loaded and the second stage executed. | 86778a4e35d9dd30a1f110ec40c6426c | SHA1: 0f4f07d8de2d580866715c50832909294b915e48MD5: 86778a4e35d9dd30a1f110ec40c6426cSHA256: f20ef69203c8bd06da68071ccf38001fcd411de5c951bb38bb46a15e6d205458http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html |
M17-18201 | Valyria_Doc_Macro_112d36da | Mixed | This strike sends a malware sample known as Valyria_Doc_Macro. Valyria is a Trickler that targets the Windows platform. The malware arrives on a victim's system as a Microsoft document file, which uses Visual Basic for Applications to launch a PowerShell script to download and execute files. | 112d36da54ca80a330239cd0d42b99fb | SHA1: 7a46a0dced16dac0dade93b0584490992e757770MD5: 112d36da54ca80a330239cd0d42b99fbSHA256: 4914a3125bf4d54a07ade2109325a324f813c500a5b6e8a2781b7c1876671455http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html |
M17-99b01 | Win32.Trojan.Nitol_79d54d06 | Windows | This strike sends a malware sample known as Win32.Trojan.Nitol. The sample has been identified in-the-wild being downloaded by DoublePulsar backdoor payloads. The MD5 hash of this Win32.Trojan. | 79d54d066efe6691b606d8977a126258 | SHA1: d1f88097e99cc5b1821686050d1290dea4a0035bMD5: 79d54d066efe6691b606d8977a126258SHA256: f63e678fbf20ac431ff9f4ff6e3456d78aa2497cfb6b15e8adab0e7cf25fee63 |

Strike ID | Malware | Platform | Info | MD5 | External References |
---|---|---|---|---|---|
M17-as601 | Jaff_a88358eb | Windows | This strike sends a malware sample known as Jaff. We recently observed several large scale email campaigns that were attempting to distribute a new variant of ransomware that has been dubbed "Jaff". Interestingly we identified several characteristics that we have previously observed being used during Dridex and Locky campaigns. In a short period of time, we observed multiple campaigns featuring high volumes of malicious spam emails being distributed, each using a PDF attachment with an embedded Microsoft Word document functioning as the initial downloader for the Jaff ransomware. | a88358eb5e1efc92c74b35850ab6f2af | SHA1: 8385a34d752d8e2c4fbbfa45a4cd3698210abd58MD5: a88358eb5e1efc92c74b35850ab6f2afSHA256: 341267f4794a49e566c9697c77e974a99e41445cf41d8387040049ee1b8b2f3bhttp://blog.talosintelligence.com/2017/05/jaff-ransomware.html |
M17-eh301 | EternalRocks_496131b9 | Windows | This strike sends a malware sample known as EternalRocks. EternalRocks is malware that spreads by exploiting vulnerabilities (ETERNALBLUE, ETERNALCHAMPION, ETERNALROMANCE, ETERNALSYNERGY) in the Windows SMB file sharing protocol. | 496131b90f83e8278462d2dd21213646 | SHA1: f1c027679d5009da067b12af258adc8afaade178MD5: 496131b90f83e8278462d2dd21213646SHA256: 94189147ba9749fd0f184fe94b345b7385348361480360a59f12adf477f61c97http://thehackernews.com/2017/05/smb-windows-hacking-tools.html |
M17-yr301 | EternalRocks_b7cf3852 | Windows | This strike sends a malware sample known as EternalRocks. EternalRocks is malware that spreads by exploiting vulnerabilities (ETERNALBLUE, ETERNALCHAMPION, ETERNALROMANCE, ETERNALSYNERGY) in the Windows SMB file sharing protocol. | b7cf3852a0168777f8856e6565d8fe2e | SHA1: 1cbc9d531ba0e5e67a1ada95cff19bf0020f88f8MD5: b7cf3852a0168777f8856e6565d8fe2eSHA256: 9bd32162e0a50f8661fd19e3b26ff65868ab5ea636916bd54c244b0148bd9c1bhttp://thehackernews.com/2017/05/smb-windows-hacking-tools.html |
M17-jm101 | Jaff_ef87cec0 | Windows | This strike sends a malware sample known as Jaff. We recently observed several large scale email campaigns that were attempting to distribute a new variant of ransomware that has been dubbed "Jaff". Interestingly we identified several characteristics that we have previously observed being used during Dridex and Locky campaigns. In a short period of time, we observed multiple campaigns featuring high volumes of malicious spam emails being distributed, each using a PDF attachment with an embedded Microsoft Word document functioning as the initial downloader for the Jaff ransomware. | ef87cec0cd8407f2be2e7c715fa5080b | SHA1: e2b666ac2d90c9f03ea9ee068f29858129c2c97eMD5: ef87cec0cd8407f2be2e7c715fa5080bSHA256: 9f159fc971a397f8bc560f56a34c5de3626cfa4906408228c33730e2fe6c1c43http://blog.talosintelligence.com/2017/05/jaff-ransomware.html |
M17-ltz01 | WannaCry_7f7ccaa1 | Windows | This strike sends a malware sample known as WannaCry. This ransomware can stop you from using your PC or accessing your data. Unlike other ransomware, however, this threat has worm capabilities. It uses exploit code for a patched SMB vulnerability, CVE-2017-0145. This vulnerability was fixed in security bulletin MS17-010, which was released on March 14, 2017. | 7f7ccaa16fb15eb1c7399d422f8363e8 | SHA1: bd44d0ab543bf814d93b719c24e90d8dd7111234MD5: 7f7ccaa16fb15eb1c7399d422f8363e8SHA256: 2584e1521065e45ec3c17767c065429038fc6291c091097ea8b22c8a502c41ddhttps://isc.sans.org/forums/diary/Massive+wave+of+ransomware+ongoing/22412/ |
M17-9zl01 | EternalRocks_198f27f5 | Windows | This strike sends a malware sample known as EternalRocks. EternalRocks is malware that spreads by exploiting vulnerabilities (ETERNALBLUE, ETERNALCHAMPION, ETERNALROMANCE, ETERNALSYNERGY) in the Windows SMB file sharing protocol. | 198f27f5ab972bfd99e89802e40d6ba7 | SHA1: e8b40f35af4d5bb24d73faa5a4babb86191b5310MD5: 198f27f5ab972bfd99e89802e40d6ba7SHA256: a77c61e86bc69fdc909560bb7a0fa1dd61ee6c86afceb9ea17462a97e7114ab0http://thehackernews.com/2017/05/smb-windows-hacking-tools.html |
M17-68201 | WannaCry_d5dcd286 | Windows | This strike sends a malware sample known as WannaCry. This ransomware can stop you from using your PC or accessing your data. Unlike other ransomware, however, this threat has worm capabilities. It uses exploit code for a patched SMB vulnerability, CVE-2017-0145. This vulnerability was fixed in security bulletin MS17-010, which was released on March 14, 2017. | d5dcd28612f4d6ffca0cfeaefd606bcf | SHA1: cf60fa60d2f461dddfdfcebf16368e6b539cd9baMD5: d5dcd28612f4d6ffca0cfeaefd606bcfSHA256: 32f24601153be0885f11d62e0a8a2f0280a2034fc981d8184180c5d3b1b9e8cfhttps://isc.sans.org/forums/diary/Massive+wave+of+ransomware+ongoing/22412/ |
M17-y9401 | EternalRocks_ba629216 | Mixed | This strike sends a malware sample known as exma-1.dll, used by the EternalRocks malware. EternalRocks is malware that spreads by exploiting vulnerabilities (ETERNALBLUE, ETERNALCHAMPION, ETERNALROMANCE, ETERNALSYNERGY) in the Windows SMB file sharing protocol. | ba629216db6cf7c0c720054b0c9a13f3 | SHA1: 37bb800b2bb812d4430e2510f14b5b717099abaaMD5: ba629216db6cf7c0c720054b0c9a13f3SHA256: 15292172a83f2e7f07114693ab92753ed32311dfba7d54fe36cc7229136874d9http://thehackernews.com/2017/05/smb-windows-hacking-tools.htmlhttps://www.metadefender.com/?_escaped_fragment_=/results/file/aceebfc33b88455d9aa096456615447b/regular#!/results/file/aceebfc33b88455d9aa096456615447b/regular |
M17-wlj01 | EternalRocks_c52f20a8 | Windows | This strike sends a malware sample known as EternalRocks. EternalRocks is malware that spreads by exploiting vulnerabilities (ETERNALBLUE, ETERNALCHAMPION, ETERNALROMANCE, ETERNALSYNERGY) in the Windows SMB file sharing protocol. | c52f20a854efb013a0a1248fd84aaa95 | SHA1: 8a2cfe220eebde096c17266f1ba597a1065211abMD5: c52f20a854efb013a0a1248fd84aaa95SHA256: cf8533849ee5e82023ad7adbdbd6543cb6db596c53048b1a0c00b3643a72db30http://thehackernews.com/2017/05/smb-windows-hacking-tools.html |
M17-ckc01 | Jaff_924c8441 | Windows | This strike sends a malware sample known as Jaff. We recently observed several large scale email campaigns that were attempting to distribute a new variant of ransomware that has been dubbed "Jaff". Interestingly we identified several characteristics that we have previously observed being used during Dridex and Locky campaigns. In a short period of time, we observed multiple campaigns featuring high volumes of malicious spam emails being distributed, each using a PDF attachment with an embedded Microsoft Word document functioning as the initial downloader for the Jaff ransomware. | 924c84415b775af12a10366469d3df69 | SHA1: 8ab568db2bc914e3e6af048666eb0bc4ba2e414dMD5: 924c84415b775af12a10366469d3df69SHA256: 0746594fc3e49975d3d94bac8e80c0cdaa96d90ede3b271e6f372f55b20bac2fhttp://blog.talosintelligence.com/2017/05/jaff-ransomware.html |
M17-5r901 | WannaCry_db349b97 | Mixed | This strike sends a malware sample known as WannaCry. A major ransomware attack has affected many organizations across the world, reportedly including Telefonica in Spain, the National Health Service in the UK, and FedEx in the US. The malware responsible for this attack is a ransomware variant known as 'WannaCry'. The malware has the capability to scan heavily over TCP port 445 (Server Message Block/SMB), spreading like a worm, compromising hosts, encrypting the files stored on them, and then demanding a ransom payment in the form of Bitcoin. It is important to note that this is not a threat that simply scans internal ranges to identify where to spread; it is also capable of spreading based on vulnerabilities it finds in other externally facing hosts across the internet. | db349b97c37d22f5ea1d1841e3c89eb4 | SHA1: e889544aff85ffaf8b0d0da705105dee7c97fe26MD5: db349b97c37d22f5ea1d1841e3c89eb4SHA256: 24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022chttp://blog.talosintelligence.com/2017/05/wannacry.html |
M17-w9p01 | BondNet_e685219f | Windows | This strike sends a malware sample known as BondNet. BondNet is a botnet consisting of more than 15000 compromised servers. It is used to mine cryptocurrencies and it can be easily switched to other purposes. It was first spotted in December 2016. | e685219f5704bd854d5ed6668b0e9146 | SHA1: a645b3f5956aba168437ed7368c6584db130b6bbMD5: e685219f5704bd854d5ed6668b0e9146SHA256: c1fee6f3375b891081fa9815c620ad8c1a80e3c62dccc7f24c5afee72cf3ddcdhttps://www.guardicore.com/2017/05/the-bondnet-army/http://thehackernews.com/2017/05/cryptocurrency-mining-botnet.html |
M17-15o01 | WannaCrypt_d724d8cc | Windows | This strike sends a malware sample known as WannaCrypt. This ransomware can stop you from using your PC or accessing your data. Unlike other ransomware, however, this threat has worm capabilities. It uses exploit code for a patched SMB vulnerability, CVE-2017-0145. This vulnerability was fixed in security bulletin MS17-010, which was released on March 14, 2017. | d724d8cc6420f06e8a48752f0da11c66 | SHA1: 3b669778698972c402f7c149fc844d0ddb3a00e8MD5: d724d8cc6420f06e8a48752f0da11c66SHA256: 07c44729e2c570b37db695323249474831f5861d45318bf49ccf5d2f5c8ea1cdhttps://blogs.technet.microsoft.com/mmpc/2017/05/12/wannacrypt-ransomware-worm-targets-out-of-date-systems/ |
M17-yqs01 | EternalRocks_3771b975 | Windows | This strike sends a malware sample known as EternalRocks. EternalRocks is malware that spreads by exploiting vulnerabilities (ETERNALBLUE, ETERNALCHAMPION, ETERNALROMANCE, ETERNALSYNERGY) in the Windows SMB file sharing protocol. | 3771b97552810a0ed107730b718f6fe1 | SHA1: f57f71ae1e52f25ec9f643760551e1b6cfb9c7ffMD5: 3771b97552810a0ed107730b718f6fe1SHA256: 64442cceb7d618e70c62d461cfaafdb8e653b8d98ac4765a6b3d8fd1ea3bce15http://thehackernews.com/2017/05/smb-windows-hacking-tools.html |
M17-dfi01 | WannaCry_4287e15a | Windows | This strike sends a malware sample known as WannaCry. This ransomware can stop you from using your PC or accessing your data. Unlike other ransomware, however, this threat has worm capabilities. It uses exploit code for a patched SMB vulnerability, CVE-2017-0145. This vulnerability was fixed in security bulletin MS17-010, which was released on March 14, 2017. | 4287e15af6191f5cab1c92ff7be8dcc3 | SHA1: cd79b536868efb8b2edd2db4e4100f0bd2f69e28MD5: 4287e15af6191f5cab1c92ff7be8dcc3SHA256: b9318a66fa7f50f2f3ecaca02a96268ad2c63db7554ea3acbde43bf517328d06https://isc.sans.org/forums/diary/Massive+wave+of+ransomware+ongoing/22412/ |
M17-g4v01 | Jaff_ab5f5327 | Windows | This strike sends a malware sample known as Jaff. We recently observed several large scale email campaigns that were attempting to distribute a new variant of ransomware that has been dubbed "Jaff". Interestingly we identified several characteristics that we have previously observed being used during Dridex and Locky campaigns. In a short period of time, we observed multiple campaigns featuring high volumes of malicious spam emails being distributed, each using a PDF attachment with an embedded Microsoft Word document functioning as the initial downloader for the Jaff ransomware. | ab5f53278c24077be9bba7c7af9951e9 | SHA1: d148f8f990efcba6c49d73d33fc438185f61d6f2MD5: ab5f53278c24077be9bba7c7af9951e9SHA256: 03363f9f6938f430a58f3f417829aa3e98875703eb4c2ae12feccc07fff6ba47http://blog.talosintelligence.com/2017/05/jaff-ransomware.html |
M17-doy01 | WannaCry_4fef5e34 | Windows | This strike sends a malware sample known as WannaCry. This ransomware can stop you from using your PC or accessing your data. Unlike other ransomware, however, this threat has worm capabilities. It uses exploit code for a patched SMB vulnerability, CVE-2017-0145. This vulnerability was fixed in security bulletin MS17-010, which was released on March 14, 2017. | 4fef5e34143e646dbf9907c4374276f5 | SHA1: 47a9ad4125b6bd7c55e4e7da251e23f089407b8fMD5: 4fef5e34143e646dbf9907c4374276f5SHA256: 4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79https://blogs.technet.microsoft.com/mmpc/2017/05/12/wannacrypt-ransomware-worm-targets-out-of-date-systems/ |
M17-1kd01 | BondNet_37e2490d | Windows | This strike sends a malware sample known as BondNet. BondNet is a botnet consisting of more than 15000 compromised servers. It is used to mine cryptocurrencies and it can be easily switched to other purposes. It was first spotted in December 2016. | 37e2490d6c9391fe81043eeb7cfa637a | SHA1: 6cdbd359838b7213f2958717b914b1ac4157408cMD5: 37e2490d6c9391fe81043eeb7cfa637aSHA256: 18a2f191db62cc45601981180e6263c46657f537e0842cbc350a47efaa775178https://www.guardicore.com/2017/05/the-bondnet-army/http://thehackernews.com/2017/05/cryptocurrency-mining-botnet.html |
M17-lvk01 | Jaff_3f6c1a27 | Mixed | This strike sends a malware sample known as Jaff. We recently observed several large scale email campaigns that were attempting to distribute a new variant of ransomware that has been dubbed "Jaff". Interestingly we identified several characteristics that we have previously observed being used during Dridex and Locky campaigns. In a short period of time, we observed multiple campaigns featuring high volumes of malicious spam emails being distributed, each using a PDF attachment with an embedded Microsoft Word document functioning as the initial downloader for the Jaff ransomware. | 3f6c1a2735a8595cb1b03260bec9cb1b | SHA1: be968fea50dea7568d19e79b1fe667d36f11ab13MD5: 3f6c1a2735a8595cb1b03260bec9cb1bSHA256: 9e16ad6391fa20ec5f59c8790ade437b495a344979bb5e22df3c6706b4380b0bhttp://blog.talosintelligence.com/2017/05/jaff-ransomware.html |
M17-0k701 | EternalRocks_2d540860 | Windows | This strike sends a malware sample known as EternalRocks. EternalRocks is malware that spreads by exploiting vulnerabilities (ETERNALBLUE, ETERNALCHAMPION, ETERNALROMANCE, ETERNALSYNERGY) in the Windows SMB file sharing protocol. | 2d540860d91cd25cc8d61555523c76ff | SHA1: 822db2fd78b39b49547cce2f7fb92b276c74bcefMD5: 2d540860d91cd25cc8d61555523c76ffSHA256: ad8965e531424cb34120bf0c1b4b98d4ab769bed534d9a36583364e9572332fahttp://thehackernews.com/2017/05/smb-windows-hacking-tools.html |
M17-n4j01 | Gh0stRAT_4dbd1730 | Windows | This strike sends a malware sample known as Gh0stRAT. The sample has been observed being spread by EternalBlue/DoublePulsar in-the-wild. | 4dbd1730fc1d9ee7dafe0cd19f2910f1 | SHA1: a1c6ea9579ab8376ec4173a86b71ba716524aa9aMD5: 4dbd1730fc1d9ee7dafe0cd19f2910f1SHA256: 86b6178314c57c51c67d91ae45ee25fad1fb6d6e37d35bc4307fa5c49bde2910 |
M17-syt01 | WannaCry_509c41ec | Windows | This strike sends a malware sample known as WannaCry. A major ransomware attack has affected many organizations across the world, reportedly including Telefonica in Spain, the National Health Service in the UK, and FedEx in the US. The malware responsible for this attack is a ransomware variant known as 'WannaCry'. The malware has the capability to scan heavily over TCP port 445 (Server Message Block/SMB), spreading like a worm, compromising hosts, encrypting the files stored on them, and then demanding a ransom payment in the form of Bitcoin. It is important to note that this is not a threat that simply scans internal ranges to identify where to spread; it is also capable of spreading based on vulnerabilities it finds in other externally facing hosts across the internet. | 509c41ec97bb81b0567b059aa2f50fe8 | SHA1: 87420a2791d18dad3f18be436045280a4cc16fc4MD5: 509c41ec97bb81b0567b059aa2f50fe8SHA256: 09a46b3e1be080745a6d8d88d6b5bd351b1c7586ae0dc94d0c238ee36421cafahttp://blog.talosintelligence.com/2017/05/wannacry.html |
M17-dyn01 | WannaCrypt_84c82835 | Windows | This strike sends a malware sample known as WannaCrypt. This ransomware can stop you from using your PC or accessing your data. Unlike other ransomware, however, this threat has worm capabilities. It uses exploit code for a patched SMB vulnerability, CVE-2017-0145. This vulnerability was fixed in security bulletin MS17-010, which was released on March 14, 2017. | 84c82835a5d21bbcf75a61706d8ab549 | SHA1: 5ff465afaabcbf0150d1a3ab2c2e74f3a4426467MD5: 84c82835a5d21bbcf75a61706d8ab549SHA256: ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aahttps://blogs.technet.microsoft.com/mmpc/2017/05/12/wannacrypt-ransomware-worm-targets-out-of-date-systems/ |
M17-5tw01 | BondNet_8b11325f | Windows | This strike sends a malware sample known as BondNet. BondNet is a botnet consisting of more than 15000 compromised servers. It is used to mine cryptocurrencies and it can be easily switched to other purposes. It was first spotted in December 2016. | 8b11325f4b729b7072c050035b454759 | SHA1: a5a5cf1910339490ec429b605a324b74a92edb38MD5: 8b11325f4b729b7072c050035b454759SHA256: 785d97c2c215c3c0b76c11610680f04236ef1a5c7fbcf4a86fb5f89996858b78https://www.guardicore.com/2017/05/the-bondnet-army/http://thehackernews.com/2017/05/cryptocurrency-mining-botnet.html |
M17-a3m01 | Adylkuzz_f2e1d236 | Windows | This strike sends a malware sample known as Adylkuzz. Adylkuzz is a Windows malware which installs a cryptocurrency miner on compromised machines. | f2e1d236c5d2c009e1749fc6479a9ede | SHA1: 262c22ffd66c33da641558f3da23f7584881a782MD5: f2e1d236c5d2c009e1749fc6479a9edeSHA256: 8200755cbedd6f15eecd8207eba534709a01957b172d7a051b9cc4769ddbf233https://www.proofpoint.com/us/threat-insight/post/adylkuzz-cryptocurrency-mining-malware-spreading-for-weeks-via-eternalblue-doublepulsar |
M17-2eu01 | WannaCry_8495400f | Windows | This strike sends a malware sample known as WannaCry. This ransomware can stop you from using your PC or accessing your data. Unlike other ransomware, however, this threat has worm capabilities. It uses exploit code for a patched SMB vulnerability, CVE-2017-0145. This vulnerability was fixed in security bulletin MS17-010, which was released on March 14, 2017. | 8495400f199ac77853c53b5a3f278f3e | SHA1: be5d6279874da315e3080b06083757aad9b32c23MD5: 8495400f199ac77853c53b5a3f278f3eSHA256: 2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00dhttps://isc.sans.org/forums/diary/Massive+wave+of+ransomware+ongoing/22412/ |
M17-6q201 | WannaCrypt_a44964a7 | Windows | This strike sends a malware sample known as WannaCrypt. This sample uses the exploit known as EternalBlue. It spreads by using CVE-2017-0145. Once infected, a host encrypts all files and then searches for other hosts to infect via SMB, both on the local network and across the Internet. | a44964a7be94072cdfe085bc43e7dc95 | SHA1: 507409fb6d519580efe81756ca49172f33bcd388MD5: a44964a7be94072cdfe085bc43e7dc95SHA256: f470fbf340e5ad8be24b29712f565eaff0c67564a4872e0cedb05a1876a838d0https://blogs.technet.microsoft.com/mmpc/2017/05/12/wannacrypt-ransomware-worm-targets-out-of-date-systems/ |
M17-bcd01 | Adylkuzz_71b0279f | Windows | This strike sends a malware sample known as Adylkuzz. Adylkuzz is a Windows malware which installs a cryptocurrency miner on compromised machines. | 71b0279ff6b5f1dddac59a0704070e28 | SHA1: ff50f7d7e1d09298ff5a37351a682f83c5df8c87MD5: 71b0279ff6b5f1dddac59a0704070e28SHA256: fab31a2d44e38e733e1002286e5df164509afe18149a8a2f527ec6dc5e71cb00https://www.proofpoint.com/us/threat-insight/post/adylkuzz-cryptocurrency-mining-malware-spreading-for-weeks-via-eternalblue-doublepulsar |
M17-n1f01 | EternalRocks_994bd0b2 | Windows | This strike sends a malware sample known as EternalRocks. EternalRocks is malware that spreads by exploiting vulnerabilities (ETERNALBLUE, ETERNALCHAMPION, ETERNALROMANCE, ETERNALSYNERGY) in the Windows SMB file sharing protocol. | 994bd0b23cce98b86e58218b9032ffab | SHA1: b05f2d07d0af1184066f766bc78d1b680236c1b3MD5: 994bd0b23cce98b86e58218b9032ffabSHA256: e049d8f69ddee0c2d360c27b98fa9e61b7202bb0d3884dd3ca63f8aa288422dchttp://thehackernews.com/2017/05/smb-windows-hacking-tools.html |
M17-1ap01 | WannaCrypt_c65f526f | Windows | This strike sends a malware sample known as WannaCrypt. This ransomware can stop you from using your PC or accessing your data. Unlike other ransomware, however, this threat has worm capabilities. It uses exploit code for a patched SMB vulnerability, CVE-2017-0145. This vulnerability was fixed in security bulletin MS17-010, which was released on March 14, 2017. | c65f526f7a2868f9dcd9150c1ad1a0fc | SHA1: 098e0ad1ff79ece7c514155bb4b9ef643848ff6bMD5: c65f526f7a2868f9dcd9150c1ad1a0fcSHA256: 00c3ddb3a4bccb0577041f0a4fc536a0a9fbc29aadc68e92359ec20373b94edehttps://blogs.technet.microsoft.com/mmpc/2017/05/12/wannacrypt-ransomware-worm-targets-out-of-date-systems/ |
M17-zn801 | DDoSBot_154c03c6 | Windows | This strike sends a malware sample known as DDoSBot. The sample has been observed being spread by EternalBlue/DoublePulsar in-the-wild. | 154c03c6d02d443898cddb6a6001a3d3 | SHA1: ca6af34d30067ee45c7671a4e4e70abbf36f4e85MD5: 154c03c6d02d443898cddb6a6001a3d3SHA256: 3ec21d093edc24aa7ffaff014cfa9ee2d5ea165f1434590bc0d1b0c31845c2a1 |
M17-aar01 | Jaff_f115d1fe | Mixed | This strike sends a malware sample known as Jaff. We recently observed several large scale email campaigns that were attempting to distribute a new variant of ransomware that has been dubbed "Jaff". Interestingly we identified several characteristics that we have previously observed being used during Dridex and Locky campaigns. In a short period of time, we observed multiple campaigns featuring high volumes of malicious spam emails being distributed, each using a PDF attachment with an embedded Microsoft Word document functioning as the initial downloader for the Jaff ransomware. | f115d1fe4f579841c054b03d1ba29c97 | SHA1: 65f36039af8c1f74de0d998965f22988a0fc4ef5MD5: f115d1fe4f579841c054b03d1ba29c97SHA256: 4028f165d9465df0541c431b8ec815e4b0208ac505b9101b8e8e4bfd558ee778http://blog.talosintelligence.com/2017/05/jaff-ransomware.html |
M17-8qf01 | EternalRocks_7f9596b3 | Windows | This strike sends a malware sample known as EternalRocks. EternalRocks is a malware that spreads itself by exploiting vulnerabilities (ETERNALBLUE, ETERNALCHAMPION, ETERNALROMANCE, ETERNALSYNERGY) in Windows SMB file sharing protocol. | 7f9596b332134a60f9f6b85ab616b141 | SHA1: 9f993f080b2708ece0d8d42df2c19dc77aaa80f1MD5: 7f9596b332134a60f9f6b85ab616b141SHA256: e77306d2e3d656fa04856f658885803243aef204760889ca2c09fbe9ba36581dhttp://thehackernews.com/2017/05/smb-windows-hacking-tools.html |
M17-x7v01 | EternalRocks_5f714b56 | Windows | This strike sends a malware sample known as EternalRocks. EternalRocks is a malware that spreads itself by exploiting vulnerabilities (ETERNALBLUE, ETERNALCHAMPION, ETERNALROMANCE, ETERNALSYNERGY) in Windows SMB file sharing protocol. | 5f714b563aafef8574f6825ad9b5a0bf | SHA1: 03f3901595438c7c3878fa6cf1c24ae3d06bd9e0MD5: 5f714b563aafef8574f6825ad9b5a0bfSHA256: 20240431d6eb6816453651b58b37f53950fcc3f0929813806525c5fd97cdc0e1http://thehackernews.com/2017/05/smb-windows-hacking-tools.html |
M17-ui301 | BondNet_e3427d9f | Windows | This strike sends a malware sample known as BondNet. BondNet is a botnet consisting of more than 15000 compromised servers. It is used to mine cryptocurrencies and it can be easily switched to other purposes. It was first spotted in December 2016. | e3427d9f439aebefa3d9c299e2a94af3 | SHA1: ffff4672790378677ec30d3634fc593c10dfd37eMD5: e3427d9f439aebefa3d9c299e2a94af3SHA256: 7374051e75ae97ba687cd153927faccd21fcdcc0b41a42867d38ac62064f6abahttps://www.guardicore.com/2017/05/the-bondnet-army/http://thehackernews.com/2017/05/cryptocurrency-mining-botnet.html |
M17-n0201 | WannaCrypt_f107a717 | Windows | This strike sends a malware sample known as WannaCrypt. This ransomware can stop you from using your PC or accessing your data. Unlike other ransomware, however, this threat has worm capabilities. It uses an exploit code for a patched SMB vulnerability, CVE-2017-0145. This vulnerability was fixed in security bulletin MS17-010, which was released on March 14, 2017. | f107a717f76f4f910ae9cb4dc5290594 | SHA1: 51e4307093f8ca8854359c0ac882ddca427a813cMD5: f107a717f76f4f910ae9cb4dc5290594SHA256: f8812f1deb8001f3b7672b6fc85640ecb123bc2304b563728e6235ccbe782d85https://blogs.technet.microsoft.com/mmpc/2017/05/12/wannacrypt-ransomware-worm-targets-out-of-date-systems/ |
M17-4lg01 | WannaCry_7bf2b57f | Windows | This strike sends a malware sample known as WannaCry. This ransomware can stop you from using your PC or accessing your data. Unlike other ransomware, however, this threat has worm capabilities. It uses an exploit code for a patched SMB vulnerability, CVE-2017-0145. This vulnerability was fixed in security bulletin MS17-010, which was released on March 14, 2017. | 7bf2b57f2a205768755c07f238fb32cc | SHA1: 45356a9dd616ed7161a3b9192e2f318d0ab5ad10MD5: 7bf2b57f2a205768755c07f238fb32ccSHA256: b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25https://blogs.technet.microsoft.com/mmpc/2017/05/12/wannacrypt-ransomware-worm-targets-out-of-date-systems/ |
M17-8ku01 | WannaCrypt_465333f9 | Mixed | This strike sends a malware sample known as WannaCrypt. This ransomware can stop you from using your PC or accessing your data. Unlike other ransomware, however, this threat has worm capabilities. It uses an exploit code for a patched SMB vulnerability, CVE-2017-0145. This vulnerability was fixed in security bulletin MS17-010, which was released on March 14, 2017. | 465333f97e486c74906464105320c5b2 | SHA1: bba61e561a4cfa3ba7929eae2395d99298043ed3MD5: 465333f97e486c74906464105320c5b2SHA256: 3abe4af565974df6727007ea63742289403477a85ce897d71b4612dd26950fdehttps://blogs.technet.microsoft.com/mmpc/2017/05/12/wannacrypt-ransomware-worm-targets-out-of-date-systems/ |
M17-ov601 | EternalRocks_67ef79ee | Windows | This strike sends a malware sample known as EternalRocks. EternalRocks is a malware that spreads itself by exploiting vulnerabilities (ETERNALBLUE, ETERNALCHAMPION, ETERNALROMANCE, ETERNALSYNERGY) in Windows SMB file sharing protocol. | 67ef79ee308b8625d5f20ea3e5379436 | SHA1: 7d0a8cef28518f9be8ad083dcbd719ac4c85d89cMD5: 67ef79ee308b8625d5f20ea3e5379436SHA256: a7c387b4929f51e38706d8b0f8641e032253b07bc2869a450dfa3df5663d7392http://thehackernews.com/2017/05/smb-windows-hacking-tools.html |
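The rows above are hash-based indicators in a fixed layout: an MD5 column, then an "External References" column in which the SHA1, MD5 and SHA256 digests and any reference URLs are run together with no separator. The following is an added example (not code from this strike list or from its publisher) showing how a practitioner would turn such rows into a usable IOC set: pull the three digests and the URLs apart, cross-check the invariants the table itself implies (the MD5 column equals the MD5 in the references column, and the sample name ends in the first eight hex digits of that MD5), then match a file's digests against the set. The two sample rows are copied from the table with the Info column shortened; the function and class names are this example's own, and the bytes fed to `lookup` are a constructed placeholder, not a sample.

```python
import hashlib
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed input: two rows copied from the strike table above, with the Info
# column shortened. Layout is the table's own: six pipe-separated columns, the
# last one fusing "SHA1: ...MD5: ...SHA256: ..." with any reference URLs.
SAMPLE_ROWS = """\
M17-2eu01 | WannaCry_8495400f | Windows | This strike sends a malware sample known as WannaCry. | 8495400f199ac77853c53b5a3f278f3e | SHA1: be5d6279874da315e3080b06083757aad9b32c23MD5: 8495400f199ac77853c53b5a3f278f3eSHA256: 2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00dhttps://isc.sans.org/forums/diary/Massive+wave+of+ransomware+ongoing/22412/ |
M17-zn801 | DDoSBot_154c03c6 | Windows | This strike sends a malware sample known as DDoSBot. | 154c03c6d02d443898cddb6a6001a3d3 | SHA1: ca6af34d30067ee45c7671a4e4e70abbf36f4e85MD5: 154c03c6d02d443898cddb6a6001a3d3SHA256: 3ec21d093edc24aa7ffaff014cfa9ee2d5ea165f1434590bc0d1b0c31845c2a1 |
"""

# The three digests are fixed-width hex, so they can be pulled out of the fused
# column even though nothing separates them from each other or from the URLs.
HASH_RE = re.compile(
    r"SHA1:\s*([0-9a-fA-F]{40})\s*MD5:\s*([0-9a-fA-F]{32})\s*SHA256:\s*([0-9a-fA-F]{64})(.*)",
    re.DOTALL,
)
# Reference URLs are run together with no separator; split at the next scheme.
URL_RE = re.compile(r"https?://.+?(?=https?://|$)")


@dataclass
class Strike:
    strike_id: str
    name: str
    platform: str
    info: str
    md5: str            # from the MD5 column
    md5_in_refs: str    # from the references column, kept for cross-checking
    sha1: str
    sha256: str
    urls: List[str] = field(default_factory=list)


def parse_row(line: str) -> Optional[Strike]:
    """Parse one table row; header, separator and blank lines return None."""
    cols = [c.strip() for c in line.strip().strip("|").split("|")]
    if len(cols) != 6 or cols[0] in ("Strike ID", "---"):
        return None
    strike_id, name, platform, info, md5_col, refs = cols
    m = HASH_RE.search(refs)
    if m is None:
        raise ValueError(f"{strike_id}: no SHA1/MD5/SHA256 triple in references column")
    sha1, md5_ref, sha256, tail = m.groups()
    return Strike(strike_id, name, platform, info, md5_col.lower(), md5_ref.lower(),
                  sha1.lower(), sha256.lower(), URL_RE.findall(tail.strip()))


def parse_table(text: str) -> List[Strike]:
    return [s for s in (parse_row(line) for line in text.splitlines()) if s is not None]


def check_strike(s: Strike) -> List[str]:
    """Consistency checks worth running before loading rows into detection tooling."""
    problems = []
    if s.md5 != s.md5_in_refs:
        problems.append("MD5 column disagrees with MD5 in references column")
    if s.name.rsplit("_", 1)[-1].lower() != s.md5[:8]:
        problems.append("sample name suffix is not the first 8 hex digits of the MD5")
    return problems


def build_index(strikes: List[Strike]) -> Dict[str, Strike]:
    """Map every digest (MD5, SHA1, SHA256) to its strike so any one of them matches."""
    index: Dict[str, Strike] = {}
    for s in strikes:
        for digest in (s.md5, s.sha1, s.sha256):
            index[digest] = s
    return index


def hash_bytes(data: bytes) -> Dict[str, str]:
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}


def lookup(data: bytes, index: Dict[str, Strike]) -> Optional[Strike]:
    """Return the strike whose hashes match a file's bytes, or None if it is not listed."""
    for digest in hash_bytes(data).values():
        if digest in index:
            return index[digest]
    return None


if __name__ == "__main__":
    strikes = parse_table(SAMPLE_ROWS)
    for s in strikes:
        print(s.strike_id, s.sha256, check_strike(s) or "consistent", s.urls)
    # A placeholder blob, not a real sample, so no match is expected.
    print(lookup(b"placeholder bytes, not malware", build_index(strikes)))
```

Two caveats apply when using rows like these operationally. Hash indicators are exact-match only: a repacked or recompiled build of the same family will not hit, so these rows confirm a known sample rather than detect the family. And because the MD5 appears three times per row (the column, the references column and the name suffix), the cross-check catches transcription errors before a mistyped digest ends up in a blocklist.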
Strike ID | Malware | Platform | Info | MD5 | External References |
---|---|---|---|---|---|
M17-4g501 | Locky_385e0361 | Mixed | This strike sends a malware sample known as Locky. Locky is ransomware for Windows that appeared at the beginning of 2016. This family relies on JavaScript attachments to download itself. Like other ransomware, it encrypts local files as well as network shares and renames them to [unique_id][identifier].locky, then demands a ransom to decrypt the files. This sample is a Word document described in a Cisco Talos blog on the Locky campaign seen in April 2017. | 385e0361652c51b07cf73d670536a9a3 | SHA1: e2caed21a8d7a96f3c56a0b33c2e6bf4695101beMD5: 385e0361652c51b07cf73d670536a9a3SHA256: 52db4cca867773fdce9cd8d6d4e9b8ea66c2c0c4067f33fd4aaf6bfa0c5e4d62http://blog.talosintelligence.com/2017/04/locky-returns-necurs.html |
M17-gv901 | LATENTBOT_c10dabb0 | Mixed | This strike sends a malware sample known as LATENTBOT. LATENTBOT is malware that may be used to harvest credentials, encrypt and ransom an infected target, or wipe the infected hard drive. The referenced FireEye report describes its delivery through documents exploiting CVE-2017-0199. | c10dabb05a38edd8a9a0ddda1c9af10e | SHA1: 9aed05edab5d0200eb509ed22c8c30f19652814cMD5: c10dabb05a38edd8a9a0ddda1c9af10eSHA256: f4a0f65e9161a266b557e3850e3d17f08b2843ee560f8a89ecf7059eba104e66https://www.fireeye.com/blog/threat-research/2017/04/cve-2017-0199_useda.htmlhttps://www.fireeye.com/blog/threat-research/2015/12/latentbot_trace_me.html |
M17-2kr01 | Dimnie_555363dd | Windows | This strike sends a malware sample known as Dimnie. Dimnie is data-stealing malware that has targeted developers with GitHub repositories. It includes keylogging and screenshot-capture features. | 555363ddd1dc30b1f1dc2399fc404a5c | SHA1: ba4f86a7f7d4a09c938600f057be58eaa8b9f425MD5: 555363ddd1dc30b1f1dc2399fc404a5cSHA256: f3a1fb80a5c79d3735ddc4328b915a4b034526ae96345c9b2465c16582ab54behttp://researchcenter.paloaltonetworks.com/2017/03/unit42-dimnie-hiding-plain-sight/http://securityaffairs.co/wordpress/57565/malware/dimnie-data-stealer-github.html |
M17-twk01 | Dimnie_72fe42ff | Windows | This strike sends a malware sample known as Dimnie. Dimnie is data-stealing malware that has targeted developers with GitHub repositories. It includes keylogging and screenshot-capture features. | 72fe42ff160524017760de177243518d | SHA1: d52a7fa6d4dab80eacf95513139b9abb69e6dc9fMD5: 72fe42ff160524017760de177243518dSHA256: 3bb134617af6f7b0f0c483b315f7ea45b2ed2c4a91005b453c9ec9e86ef0d70bhttp://researchcenter.paloaltonetworks.com/2017/03/unit42-dimnie-hiding-plain-sight/http://securityaffairs.co/wordpress/57565/malware/dimnie-data-stealer-github.html |
M17-gx401 | Dimnie_7853b5f8 | Windows | This strike sends a malware sample known as Dimnie. Dimnie is data-stealing malware that has targeted developers with GitHub repositories. It includes keylogging and screenshot-capture features. | 7853b5f8407c70dfaa9bb5e8dc983e90 | SHA1: fae17a413c0418bb5439c209ae5764b150bd2efdMD5: 7853b5f8407c70dfaa9bb5e8dc983e90SHA256: 210024ece45a6935da89ab7c5ae3293616679414e96e2157e49f9f607c831bdchttp://researchcenter.paloaltonetworks.com/2017/03/unit42-dimnie-hiding-plain-sight/http://securityaffairs.co/wordpress/57565/malware/dimnie-data-stealer-github.html |
M17-2hq01 | cerber_eb94cadf | Windows | This strike sends a malware sample known as cerber. This ransomware sample was collected on April 6, 2017, while analyzing exploitation of CVE-2017-5638 (Apache Struts). | eb94cadf5b25feda33888b7ac35e04e9 | SHA1: d4c5e130a0ac94120fd68ecd988df12b5a25f0c2MD5: eb94cadf5b25feda33888b7ac35e04e9SHA256: 5952963708e4cf2e13c29ced6451a52284afb3f45a11ba4087c3c438dad2427d |
M17-3vi01 | Dimnie_d03eb7fb | Windows | This strike sends a malware sample known as Dimnie. Dimnie is data-stealing malware that has targeted developers with GitHub repositories. It includes keylogging and screenshot-capture features. | d03eb7fb350abc68de35fa9dc6cd22aa | SHA1: 879dad113a572ebae9022eecc84c5cae0495d800MD5: d03eb7fb350abc68de35fa9dc6cd22aaSHA256: cbb7c2fedc753f62fa1bf47f2e0c6aa487eecfd27d867789764dbde97a8b9449http://researchcenter.paloaltonetworks.com/2017/03/unit42-dimnie-hiding-plain-sight/http://securityaffairs.co/wordpress/57565/malware/dimnie-data-stealer-github.html |
M17-w3d01 | Locky_7fe902d6 | Mixed | This strike sends a malware sample known as Locky. Locky is ransomware for Windows that appeared at the beginning of 2016. This family relies on JavaScript attachments to download itself. Like other ransomware, it encrypts local files as well as network shares and renames them to [unique_id][identifier].locky, then demands a ransom to decrypt the files. This sample is a Word document described in a Cisco Talos blog on the Locky campaign seen in April 2017. | 7fe902d6f42089267ea7ae60d9a4df01 | SHA1: 60584a00bcc2941376600d98d7d30f8c95e7224dMD5: 7fe902d6f42089267ea7ae60d9a4df01SHA256: 10ce87f33381989373c519e2ff539f86c2a0a2a4cab0b791e82d4afece0367e6http://blog.talosintelligence.com/2017/04/locky-returns-necurs.html |
M17-7xo01 | Cerber_1fdcd604 | Windows | This strike sends a malware sample known as Cerber. This sample of Cerber ransomware was discovered while analyzing drive-by exploitation of Apache Struts CVE-2017-5638. | 1fdcd6045c7e69f05fb7b4e497f813cf | SHA1: 5f80cf741d7a8fac10e269d7b085d69558483c64MD5: 1fdcd6045c7e69f05fb7b4e497f813cfSHA256: 89e5cd34fc349ba0791ee42fc68b84c69f8b579bcb2207b2925762e14b36048e |
M17-hik01 | LATENTBOT_025b6fb2 | Mixed | This strike sends a malware sample known as LATENTBOT. LATENTBOT is malware that may be used to harvest credentials, encrypt and ransom an infected target, or wipe the infected hard drive. The referenced FireEye report describes its delivery through documents exploiting CVE-2017-0199. | 025b6fb24dc9dc6c93aeaf6e5baec2aa | SHA1: 88357af86c5984cca1b34150e7be08d5db58be03MD5: 025b6fb24dc9dc6c93aeaf6e5baec2aaSHA256: e9339747b31f576e6d4049696a4f4bd7053bcd29dafb0a7f2e55b8aab1539b67https://www.fireeye.com/blog/threat-research/2017/04/cve-2017-0199_useda.htmlhttps://www.fireeye.com/blog/threat-research/2015/12/latentbot_trace_me.html |
M17-60z01 | Locky_32093440 | Mixed | This strike sends a malware sample known as Locky. Locky is ransomware for Windows that appeared at the beginning of 2016. This family relies on JavaScript attachments to download itself. Like other ransomware, it encrypts local files as well as network shares and renames them to [unique_id][identifier].locky, then demands a ransom to decrypt the files. This sample is a Word document described in a Cisco Talos blog on the Locky campaign seen in April 2017. | 3209344017e6ebf524ad7cba9951dbed | SHA1: bd91035775b260b1f48924bc8c0a2ebd71b71760MD5: 3209344017e6ebf524ad7cba9951dbedSHA256: eb822fb0d99a0b8aefcf70e484b997979a4a4c22325dfd52c4bec492e9937a03http://blog.talosintelligence.com/2017/04/locky-returns-necurs.html |
M17-b4v01 | Dimnie_adc75bc4 | Windows | This strike sends a malware sample known as Dimnie. Dimnie is data-stealing malware that has targeted developers with GitHub repositories. It includes keylogging and screenshot-capture features. | adc75bc411a3b5e7d806606f09925f86 | SHA1: 356d5e07ca3157d6523c9878bc20b99935f6a897MD5: adc75bc411a3b5e7d806606f09925f86SHA256: 4b373c2d50e600fdae5259bbd3e989d002a776c443869b92afeb5d53b73bd1c0http://researchcenter.paloaltonetworks.com/2017/03/unit42-dimnie-hiding-plain-sight/http://securityaffairs.co/wordpress/57565/malware/dimnie-data-stealer-github.html |
M17-byx01 | Locky_5636bb84 | Mixed | This strike sends a malware sample known as Locky. Locky is ransomware for Windows that appeared at the beginning of 2016. This family relies on JavaScript attachments to download itself. Like other ransomware, it encrypts local files as well as network shares and renames them to [unique_id][identifier].locky, then demands a ransom to decrypt the files. This sample is a Word document described in a Cisco Talos blog on the Locky campaign seen in April 2017. | 5636bb8497a75a3fc676c9a0a0964c77 | SHA1: 12893670db1a209af2bd90e8acbee291120927f9MD5: 5636bb8497a75a3fc676c9a0a0964c77SHA256: 026fa1191fcf895ce375ad8f8f2bda47aa8b1cb27e6be490399a1ad47d452b68http://blog.talosintelligence.com/2017/04/locky-returns-necurs.html |
M17-9qt01 | Locky_34a811ae | Mixed | This strike sends a malware sample known as Locky. Locky is ransomware for Windows that appeared at the beginning of 2016. This family relies on JavaScript attachments to download itself. Like other ransomware, it encrypts local files as well as network shares and renames them to [unique_id][identifier].locky, then demands a ransom to decrypt the files. This sample is a Word document described in a Cisco Talos blog on the Locky campaign seen in April 2017. | 34a811ae4390bc9529ec79844e2a7edd | SHA1: f235463d86aac9a2dc0b6a8d9eb985dc4ad5e0bcMD5: 34a811ae4390bc9529ec79844e2a7eddSHA256: 2665260758371f88ca4e49dd577e885fc138651a0e2b3564309b892eea36f7afhttp://blog.talosintelligence.com/2017/04/locky-returns-necurs.html |
M17-zqx01 | Chrysaor_3a69bfbe | Android | This strike sends a malware sample known as Chrysaor. Chrysaor is Android surveillance malware (spyware). | 3a69bfbe5bc83c4df938177e05cd7c7c | SHA1: b6850881561265d89597d0d245b33dba3d7d3f47MD5: 3a69bfbe5bc83c4df938177e05cd7c7cSHA256: 3474625e63d0893fc8f83034e835472d95195254e1e4bdf99153b7c74eb44d86http://securityaffairs.co/wordpress/57702/malware/android-chrysaor-spyware.htmlhttps://android-developers.googleblog.com/2017/04/an-investigation-of-chrysaor-malware-on.html |
M17-pti01 | Cradlecore_53f6f9a0 | Windows | This strike sends a malware sample known as Cradlecore. Cradlecore is Windows ransomware whose source code has been offered for sale. | 53f6f9a0d0867c10841b815a1eea1468 | SHA1: a2a164a4a535c5542accb45d1268ac072b48ff1aMD5: 53f6f9a0d0867c10841b815a1eea1468SHA256: 47d02763457fe39edd3b84f59e145330ffd455547da7cbf67c3f0cb3ddf10542http://securityaffairs.co/wordpress/58089/malware/cradlecore-ransomware-source-code.htmlhttps://blogs.forcepoint.com/security-labs/cradlecore-ransomware-source-code-sale |
M17-h5y01 | Cerber_7daecdce | Windows | This strike sends a malware sample known as Cerber. This sample of Cerber malware was collected by ATI's honeypot network on April 7, 2017. | 7daecdcec1739285f99e86e46f5dbd01 | SHA1: 16c95612c45351caadfeaac333a3625daa40b4dbMD5: 7daecdcec1739285f99e86e46f5dbd01SHA256: 4570fd53f92d28fefb8c8c437ed7cd85f52e643921afd197c332707a45c08326 |
M17-cq401 | Philadelphia_0a380f78 | Windows | This strike sends a malware sample known as Philadelphia. Philadelphia is a variant of the Stampado ransomware. It targets the healthcare industry and is distributed via phishing emails sent to hospitals. | 0a380f789a882f7c4e11a1b4f87bb4fd | SHA1: 448c93e79bf0741798ed99bb3108d1ceb90b6901MD5: 0a380f789a882f7c4e11a1b4f87bb4fdSHA256: 2f5b4ad81d358d57b8076a9b432be0e41ddff729c596b5b8ce5a01039dfaac3chttps://blogs.forcepoint.com/security-labs/shelf-ransomware-used-target-healthcare-sectorhttp://securityaffairs.co/wordpress/57795/malware/philadelphia-ransomware.html |
M17-gp301 | Rokrat_c909ca40 | Windows | This strike sends a malware sample known as Rokrat. Rokrat is a Remote Access Tool (RAT) delivered via a malicious Hangul Word Processor (HWP) document. | c909ca40d1124fc86662a12d72e0fb78 | SHA1: 75d7f88e010e5c7d9a4617157034cff16da0733fMD5: c909ca40d1124fc86662a12d72e0fb78SHA256: 051463a14767c6477b6dacd639f30a8a5b9e126ff31532b58fc29c8364604d00http://securityaffairs.co/wordpress/57709/malware/rokrat-rat-south-koread.htmlhttp://blog.talosintelligence.com/2017/04/introducing-rokrat.html |
Strike ID | Malware | Platform | Info | MD5 | External References |
---|---|---|---|---|---|
M16-ew201 | PowerShellMalware_2abad0ae | Mixed | This strike sends a malware sample known as PowerShellMalware. PowerShellMalware (described by Talos as DNSMessenger) is PowerShell-based malware that communicates with its command-and-control infrastructure through DNS TXT records. | 2abad0ae32dd72bac5da0af1e580a2eb | SHA1: d00225d485c597bea712e7c7baa4fba7d7f281e3MD5: 2abad0ae32dd72bac5da0af1e580a2ebSHA256: 340795d1f2c2bdab1f2382188a7b5c838e0a79d3f059d2db9eb274b0205f6981http://blog.talosintelligence.com/2017/03/dnsmessenger.htmlhttp://securityaffairs.co/wordpress/56856/malware/dns-txt-malware.html |
M16-1pn01 | BugDrop_1a6986fe | Windows | This strike sends a malware sample known as BugDrop. BugDrop is data-stealing malware that downloads additional data-stealing plugins onto the infected machine and uploads all stolen data to Dropbox. | 1a6986fe9e1ba213dd738054118fcfdd | SHA1: 0f42a1ee54b0137f5d22741524e5361880a83973MD5: 1a6986fe9e1ba213dd738054118fcfddSHA256: f778ca5942d3b762367be1fd85cf7add557d26794fad187c4511b3318aff5cfdhttps://cyberx-labs.com/en/blog/operation-bugdrop-cyberx-discovers-large-scale-cyber-reconnaissance-operation/http://thehackernews.com/2017/02/ukraine-russia-hacking_20.html |
M16-g3f01 | Vortex_31329543 | Windows | This strike sends a malware sample known as Vortex. Vortex is ransomware built on AESxWin, a freeware encryption and decryption utility hosted on GitHub. | 31329543947f1ee13ce020c826fb4af5 | SHA1: 10fcf2dee3fa68c7676076623c0be570c67698a6MD5: 31329543947f1ee13ce020c826fb4af5SHA256: fd218e093741316782ec4ec89f520d2962a4f3850cb5b04f9c2c9fde567dc23bhttps://www.bleepingcomputer.com/news/security/the-polski-vortex-flotera-ransomware-connection/ |
M16-gt101 | Disttrack_6a7bff61 | Windows | This strike sends a malware sample known as Disttrack. Disttrack, also known as Shamoon, has been in use since 2012. In November 2016 security researchers detected Disttrack in a new wave of attacks against a Saudi company. Its main purpose is data destruction and system damage through a wiper component; its other components are a dropper and a communications module. | 6a7bff614a1c2fd2901a5bd1d878be59 | SHA1: 88fd8b5b6837f5b0342a4494d6491ef0e2e780c5MD5: 6a7bff614a1c2fd2901a5bd1d878be59SHA256: 7b589d45825c096d42bdf341193d3fd8fd9a0bd612a6ebd7466c26a753304df9https://securelist.com/blog/research/77725/from-shamoon-to-stonedrill/ |
M16-u9r01 | StoneDrill_0ccc9ec8 | Windows | This strike sends a malware sample known as StoneDrill. StoneDrill is disk-wiping malware that has targeted European petroleum companies. It is similar to the Shamoon (Disttrack) wiper. | 0ccc9ec82f1d44c243329014b82d3125 | SHA1: 279ff728023eeaa1715403ec823801bf3493f5caMD5: 0ccc9ec82f1d44c243329014b82d3125SHA256: 62aabce7a5741a9270cddac49cd1d715305c1d0505e620bbeaec6ff9b6fd0260http://usa.kaspersky.com/about-us/press-center/press-releases/2017/From_Shamoon_to_StoneDrill-Advanced_New_Destructive_Malware_Discovered_in_the_Wild_by_Kaspersky_Labhttps://securelist.com/blog/research/77725/from-shamoon-to-stonedrill/http://thehackernews.com/2017/03/stonedrill-data-wiping-malware.html |
M16-74a01 | SwearingTrojan_25c2e013 | Android | This strike sends a malware sample known as SwearingTrojan. SwearingTrojan is mobile banking malware that targets Chinese Android users. It steals personal data and sends it to the attacker via SMS or email, and it spreads through infected apps or through phishing SMS messages impersonating Chinese telecom providers. | 25c2e0139354ac8eb7ddcc7df361ccfb | SHA1: d59e452d1535059cad3dae41fd6497c36ca000ffMD5: 25c2e0139354ac8eb7ddcc7df361ccfbSHA256: 7a7bef9d7bbbabc1bb16d1d8476fd0d48faffde0257f400bd5bd720736f8d207http://blog.checkpoint.com/2017/03/21/swearing-trojan-continues-rage-even-authors-arrest/http://securityaffairs.co/wordpress/57354/malware/rogue-cellphone-towers-spread-malware.html |
M16-1pd01 | RozaLocker_8ea7224f | Windows | This strike sends a malware sample known as RozaLocker. RozaLocker is ransomware that demands 10,000 rubles for decryption and appends the .ENC extension to encrypted files. | 8ea7224f71b5d248e9ec1b9cc56b33d4 | SHA1: aac3914f728626bfc7ea14a31ea20595ed78dcabMD5: 8ea7224f71b5d248e9ec1b9cc56b33d4SHA256: dfbea7de7c3e015eae2b121ff77133608cd5408e565bfe41bfe81ef82fb97426https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-march-17th-2017-revenge-petrwrap-and-captain-kirk/ |
M16-yno01 | Disttrack_aae531a9 | Windows | This strike sends a malware sample known as Disttrack. Disttrack, also known as Shamoon, has been in use since 2012. In November 2016 security researchers detected Disttrack in a new wave of attacks against a Saudi company. Its main purpose is data destruction and system damage through a wiper component; its other components are a dropper and a communications module. | aae531a922d9cca9ddca3d98be09f9df | SHA1: d3fec4559eff85b42d8fd56ed8b403e95e211e07MD5: aae531a922d9cca9ddca3d98be09f9dfSHA256: 25a3497d69604baf4be4d80b6824c06f1b7120144f98eeb0a13d57d6f72eb8e9https://securelist.com/blog/research/77725/from-shamoon-to-stonedrill/ |
M16-3yk01 | ELF_IMEIJ_a16a281c | Linux | This strike sends a malware sample known as ELF_IMEIJ. ELF_IMEIJ is Linux malware that targets AVTech devices by exploiting a CGI vulnerability. | a16a281cbe544af40f8463c7f5186496 | SHA1: 931321a4e6fb126f83bb6a0ff8ad4ffd260b9438MD5: a16a281cbe544af40f8463c7f5186496SHA256: 8040422762138d28aa411d8bb2307a93432416f72b292bf884fb7c7efde9f3f5http://blog.trendmicro.com/trendlabs-security-intelligence/new-linux-malware-exploits-cgi-vulnerability/http://securityaffairs.co/wordpress/57067/malware/elf_imeij.html |
M16-ss301 | xorddos_cdc45763 | Linux | This strike sends a malware sample known as xorddos. This ELF32 binary is detected as XORDDoS. The sample was collected while analyzing attacks leveraging CVE-2017-5638 (Apache Struts) on Ixia honeypots. | cdc457633178e845bb4b306531a4588b | SHA1: f4bb1cbdab37e0107a9c9927f57b091c9a0f09bdMD5: cdc457633178e845bb4b306531a4588bSHA256: 98bd48f1574a891b5ae8dff726671255e10b4b30c2f562f3edc5f6f89f35804dhttps://www.ixiacom.com/company/blog/apache-struts-honeypot-scanning |
M16-g4w01 | BugDrop_38dfded4 | Mixed | This strike sends a malware sample known as BugDrop. BugDrop is data-stealing malware that downloads additional data-stealing plugins onto the infected machine and uploads all stolen data to Dropbox. | 38dfded491a1d8d3792669cb8e41e31c | SHA1: fff1e050f85d7b182e34e3737fc4808882d9f05bMD5: 38dfded491a1d8d3792669cb8e41e31cSHA256: 997841515222dbfa65d1aea79e9e6a89a0142819eaeec3467c31fa169e57076ahttps://cyberx-labs.com/en/blog/operation-bugdrop-cyberx-discovers-large-scale-cyber-reconnaissance-operation/http://thehackernews.com/2017/02/ukraine-russia-hacking_20.html |
M16-xoo01 | Artemis!A70475EF2B22_a70475ef | Windows | This strike sends a malware sample known as Artemis!A70475EF2B22. This sample of Artemis was discovered in drive-by exploitation of CVE-2017-5638 and was intended to be dropped on Windows servers running a vulnerable version of Apache Struts. | a70475ef2b228c3edd2ade65ba3c6382 | SHA1: 9024e4be85ba673995e869241f5977ad55b7dd68MD5: a70475ef2b228c3edd2ade65ba3c6382SHA256: 39178b53f41b34e250957af3198a9744f5d5675e4502884e8a45c860a44d46c7 |
M16-nyo01 | StoneDrill_fb21f3ce | Windows | This strike sends a malware sample known as StoneDrill. StoneDrill is disk-wiping malware that has targeted European petroleum companies. It is similar to the Shamoon (Disttrack) wiper. | fb21f3cea1aa051ba2a45e75d46b98b8 | SHA1: 0a4ffce8f301546100d7b00ba017f5e24d1b2d9bMD5: fb21f3cea1aa051ba2a45e75d46b98b8SHA256: 2bab3716a1f19879ca2e6d98c518debb107e0ed8e1534241f7769193807aac83http://usa.kaspersky.com/about-us/press-center/press-releases/2017/From_Shamoon_to_StoneDrill-Advanced_New_Destructive_Malware_Discovered_in_the_Wild_by_Kaspersky_Labhttps://securelist.com/blog/research/77725/from-shamoon-to-stonedrill/http://thehackernews.com/2017/03/stonedrill-data-wiping-malware.html |
M16-o6p01 | Word_Document_Dropper_a2a01354 | Mixed | This strike sends a malware sample known as Word_Document_Dropper. Word_Document_Dropper is a dropper that spreads malware by executing VBA macro code. It targets both Apple Mac OS X and Microsoft Windows systems. | a2a01354f9184d7fad24f37c93d77f67 | SHA1: 115e69cc9b405d783d7cdd4cc91c1798a2a46270MD5: a2a01354f9184d7fad24f37c93d77f67SHA256: 06a134a63ccae0f5654c15601d818ef44fba578d0fdf325cadfa9b089cf48a74http://blog.fortinet.com/2017/03/22/microsoft-word-file-spreads-malware-targeting-both-apple-mac-os-x-and-microsoft-windowshttp://securityaffairs.co/wordpress/57393/malware/malware-microsoft-apple-os.html |
M16-bl601 | Kirk_78117f7a | Windows | This strike sends a malware sample known as Kirk. Kirk is ransomware written in Python that appends the .kirk extension to encrypted files. | 78117f7acc8b385e9b29fe711436d16d | SHA1: 0d4dfe880f8ec4b394f49f1a2608200dd06ba8a6MD5: 78117f7acc8b385e9b29fe711436d16dSHA256: 39a2201a88f10d81b220c973737f0becedab2e73426ab9923880fb0fb990c5cchttps://www.bleepingcomputer.com/news/security/star-trek-themed-kirk-ransomware-brings-us-monero-and-a-spock-decryptor/http://securityaffairs.co/wordpress/57261/malware/kirk-ransomware-star-trek.html |
M16-63z01 | DiamondFox_08f3ed2e | Windows | This strike sends a malware sample known as DiamondFox. DiamondFox is infostealer malware written in Visual Basic that has been around for several years. | 08f3ed2e71f71c6a700db2249cfeb4ad | SHA1: ee8132046d37baf3f25dec56f928611e56318ec3MD5: 08f3ed2e71f71c6a700db2249cfeb4adSHA256: 858d3c7fb4953a2f2e98993826a4e95ceca25bc358ccbde732f0b85189158697https://blog.malwarebytes.com/threat-analysis/2017/03/diamond-fox-p1/ |
M16-n8601 | MajikPOS_8d37a246 | Windows | This strike sends a malware sample known as MajikPOS. MajikPOS is point-of-sale (PoS) malware targeting businesses in North America. It is designed to steal information and send it to its command-and-control servers. | 8d37a2465daa53e8a507e7892be00dde | SHA1: 470726700027ef51a1e2036932935660bb083582MD5: 8d37a2465daa53e8a507e7892be00ddeSHA256: 283d1780fbd96325b19b7f273343ba8f8a034bd59f92dbf9b35e3a000840a3b4http://blog.trendmicro.com/trendlabs-security-intelligence/majikpos-combines-pos-malware-and-rats/http://securityaffairs.co/wordpress/57176/malware/majikpos-malware.html |
M16-bvf01 | DiamondFox_05ce3284 | Windows | This strike sends a malware sample known as DiamondFox. DiamondFox is infostealer malware written in Visual Basic that has been around for several years. | 05ce32843c7271464b48283fe8f179cc | SHA1: c9e40a931298402a82ddda29579d374a2fc19558MD5: 05ce32843c7271464b48283fe8f179ccSHA256: 81af849b00fdaa2e504a750e028dba24dbd2f9db3f53ff8df851ec5ea46f0c2ahttps://blog.malwarebytes.com/threat-analysis/2017/03/diamond-fox-p1/ |
M16-1kk01 | Lick_43b1a4cf | Windows | This strike sends a malware sample known as Lick. Lick ransomware is a variant of Kirk ransomware. Lick encrypts various files and appends filenames with the extension ". | 43b1a4cf9ded9370d1daf5c3b96c6786 | SHA1: 1fef19eb03c6f06279a7ba558f4ba8056455b203MD5: 43b1a4cf9ded9370d1daf5c3b96c6786SHA256: db01302b012161d8b6e6a2a9be582c3d4100eaf09099c4e009685719a5c09d52https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-march-17th-2017-revenge-petrwrap-and-captain-kirk/ |
M16-84b01 | DiamondFox_6e9373d1 | Windows | This strike sends a malware sample known as DiamondFox. DiamondFox is infostealer malware written in Visual Basic that has been around for several years. | 6e9373d18182d1ac6d027636de666aef | SHA1: 4a011a0e5c4558c36cdbe841711494f55976f856MD5: 6e9373d18182d1ac6d027636de666aefSHA256: 179e71f74bbdbb3a00401c4efb0b08c637c26f38c06c8348e01bd74c4c5d70c2https://blog.malwarebytes.com/threat-analysis/2017/03/diamond-fox-p1/ |
Strike ID | Malware | Platform | Info | MD5 | External References |
---|---|---|---|---|---|
M16-r1k01 | Mirai_91a12a4c | Windows | This strike sends a malware sample known as Mirai. Mirai or Linux/Mirai ELF is a trojan backdoor which is targeting IoT devices. A Mirai Windows variant has recently been spotted. | 91a12a4cf437589ba70b1687f5acad19 | SHA1: 938715263e1e24f3e3d82d72b4e1d2b60ab187b8MD5: 91a12a4cf437589ba70b1687f5acad19SHA256: 2d8cd23e33e56ab396960a0d426c232f6d8905e2ac5833f37c412b699135f6cehttps://www.bleepingcomputer.com/news/security/mirai-gets-a-windows-version-to-boost-distribution-efforts/http://securityaffairs.co/wordpress/56103/malware/windows-mirai-bot.html |
M16-s1t01 | TeamSpy_67c81b63 | Windows | This strike sends a malware sample known as TeamSpy. TeamSpy is a malware that uses TeamViewer to steal private data from victims. A TeamViewer session started by the attackers will be invisible to the victim. This can lead to numerous forms of abuse against the services. | 67c81b63a5ba984396bd4e9ff5befade | SHA1: ecc8b7d5568eba6f75055ee4ffc4e95c0cfc577dMD5: 67c81b63a5ba984396bd4e9ff5befadeSHA256: baef7e6b044bea15fba7970c768d0bba7ef3ccfe559981bc5444a8e56c7c781dhttps://heimdalsecurity.com/blog/security-alert-teamspy-turn-teamviewer-into-spying-tool/http://securityaffairs.co/wordpress/56490/malware/teamspy-malware.html |
M16-8sh01 | KINS_20f7189c | Windows | This strike sends a malware sample known as KINS. KINS is a ZeuS Trojan variant. KINS has a modular structure, basic offer includes a bootkit, a dropper, DLLS and Zeus-compatible web injects. KINS trojan comes with the Anti-Rapport plugin which was featured in SpyEye. | 20f7189c2989305e03e730fcdc8bd9e1 | SHA1: 6aad1224f3ee26de0f0a06de01e834057b1bc440MD5: 20f7189c2989305e03e730fcdc8bd9e1SHA256: 786e347d5de0b2461049964b382ec2d93db62ad2541519c2f1be423fbde3e632http://researchcenter.paloaltonetworks.com/2017/02/unit42-banking-trojans-ursnif-global-distribution-networks-identified/ |
M16-nqp01 | Pushdo_638940ea | Windows | This strike sends a malware sample known as Pushdo. Pushdo is a downloader trojan. When executed, Pushdo reports back to one of several control server IP addresses embedded in it code. The server listens on TCP port 80, and pretends to be an Apache webserver. | 638940eacb4cf341bf586909c9a62419 | SHA1: 2c285799b4911e1361718d38d09e141d583a2acbMD5: 638940eacb4cf341bf586909c9a62419SHA256: f0c85788f33916c6d2f811860d5e1d6bdc44a44ada980aad7a65039757cae6c7http://researchcenter.paloaltonetworks.com/2017/02/unit42-banking-trojans-ursnif-global-distribution-networks-identified/ |
M16-4ll01 | MacMacroMalware_1de4838f | Mixed | This strike sends a malware sample known as MacMacroMalware. MacMacroMalware is the first macro malware targeting Mac computers detected in the wild. It uses malicious macros in Word documents in order to install malware on Mac computers. | 1de4838f13c49d9f959d04b363326ac1 | SHA1: 598ebb19bf9fbc17c0bf85ce4ece91fa061f74a6 MD5: 1de4838f13c49d9f959d04b363326ac1 SHA256: 07adb8253ccc6fee20940de04c1bf4a54a4455525b2ac33f9c95713a8a102f3d http://securityaffairs.co/wordpress/56226/breaking-news/apple-mac-malware.html http://thehackernews.com/2017/02/mac-osx-macro-malware.html https://objective-see.com/blog/blog_0x17.html |
M16-hbg01 | HummingWhale_5ee2367f | Android | This strike sends a malware sample known as HummingWhale. HummingWhale is an Android malware. HummingWhale is a newer variant of the HummingBad malware. It was found hiding in more than 20 applications in the Google Play Store. | 5ee2367fa2c4f8dc79a9d466148b3819 | SHA1: c26ad7e5aa53649d10c83d2e762afca737bb99a3 MD5: 5ee2367fa2c4f8dc79a9d466148b3819 SHA256: 952acb85c7763fbd5c5d6632b29dd4f8339e327bb71b421530c93e88d2f986f8 http://blog.checkpoint.com/2017/01/23/hummingbad-returns/ http://thehackernews.com/2017/01/hummingbad-android-malware.html |
M16-roh01 | HummingWhale_e59c7891 | Android | This strike sends a malware sample known as HummingWhale. HummingWhale is an Android malware. HummingWhale is a newer variant of the HummingBad malware. It was found hiding in more than 20 applications in the Google Play Store. | e59c78910796699ec6ef63643605bf69 | SHA1: 8cf73cad9e229c7827a0d3a0c4ec6ca9fe176988 MD5: e59c78910796699ec6ef63643605bf69 SHA256: c86d7680332b074af05a022f22229bbe0bc45126fdbbb24ea4e96b1fa13dbdd5 http://blog.checkpoint.com/2017/01/23/hummingbad-returns/ http://thehackernews.com/2017/01/hummingbad-android-malware.html |
M16-i8h01 | Tinba_9cd27525 | Windows | This strike sends a malware sample known as Tinba. Tinba is a banking trojan first seen in 2012; it is commonly distributed through malicious spam emails or malvertising. As a banking trojan, its main capability is performing man-in-the-browser attacks. | 9cd27525e69ad4559c907539ea1464ab | SHA1: d6845a4815a869ff73508383e3e2eee8569904ac MD5: 9cd27525e69ad4559c907539ea1464ab SHA256: 3026114a699e5f50a49c2a4ee0844c8a6ac217f8e9185d1735b79a13379e8fd8 http://researchcenter.paloaltonetworks.com/2017/02/unit42-banking-trojans-ursnif-global-distribution-networks-identified/ |
M16-w5101 | Tinba_8ca23d7b | Windows | This strike sends a malware sample known as Tinba. Tinba is a banking trojan first seen in 2012; it is commonly distributed through malicious spam emails or malvertising. As a banking trojan, its main capability is performing man-in-the-browser attacks. | 8ca23d7bdf520c3e7ac538c1ceb7b555 | SHA1: 3b798dc89140abb59bcc92338fbda7ca8a76c6bc MD5: 8ca23d7bdf520c3e7ac538c1ceb7b555 SHA256: a8c8b1fd20d79235fd74f7c3722453412ad5ff589bbd8e3ce300e364e3495c2e http://researchcenter.paloaltonetworks.com/2017/02/unit42-banking-trojans-ursnif-global-distribution-networks-identified/ |
M16-hb801 | Tinba_1fc3ea4a | Windows | This strike sends a malware sample known as Tinba. Tinba is a banking trojan first seen in 2012; it is commonly distributed through malicious spam emails or malvertising. As a banking trojan, its main capability is performing man-in-the-browser attacks. | 1fc3ea4a9bf2b6e546a25dd5601517f0 | SHA1: 6ac08d546363cb0fb60cde9798730b7f815b08c0 MD5: 1fc3ea4a9bf2b6e546a25dd5601517f0 SHA256: 43740f3254084090f5d9dc5e74af184b8021a3e07c4d0e645f227852eccb0020 http://researchcenter.paloaltonetworks.com/2017/02/unit42-banking-trojans-ursnif-global-distribution-networks-identified/ |
M16-usr01 | Shiotob_16efcafb | Windows | This strike sends a malware sample known as Shiotob. Shiotob is a banking Trojan also known as URLZone and Bebloh. It is most often spread via email attachments. It can steal passwords from FTP clients and email, send the URLs of websites that have been visited by the user, and steal data entered in browser forms. | 16efcafb19deb49f5c48df2a7297e4f7 | SHA1: 0fe15ab3bad991ae46d649550aed79bda9e7aafa MD5: 16efcafb19deb49f5c48df2a7297e4f7 SHA256: fed5de3f9dbc37cf404e3a530d3358e6c1fbaf1a7d4833d19184b492a6f0da6b http://researchcenter.paloaltonetworks.com/2017/02/unit42-banking-trojans-ursnif-global-distribution-networks-identified/ |
M16-mmk01 | Pushdo_4f01c4a9 | Windows | This strike sends a malware sample known as Pushdo. Pushdo reports back to one of several control server IP addresses embedded in its code. The server listens on TCP port 80 and pretends to be an Apache web server. | 4f01c4a93ac21fb89869674414ccfed5 | SHA1: d4a58f72a0331e5d8b990ef5fe43a82e68d1af3f MD5: 4f01c4a93ac21fb89869674414ccfed5 SHA256: 676a14cda7ff14af9d944326ec4635facf9eb999208f5a7badbeff76d55321e4 http://researchcenter.paloaltonetworks.com/2017/02/unit42-banking-trojans-ursnif-global-distribution-networks-identified/ |
M16-4bi01 | Ursnif_79f01039 | Windows | This strike sends a malware sample known as Ursnif. Ursnif or Gozi is a banking trojan. The malware is mainly spread through spam email that contains an attachment that downloads Ursnif. In the past year, Ursnif has been used in attacks against Japan. | 79f010394a2504472449d9c2c4ea8f64 | SHA1: 84d6eeb4ad34d7ac0089bcb557930830b6381708 MD5: 79f010394a2504472449d9c2c4ea8f64 SHA256: 1f739f3f90382fb729401085388e2142d12fac724684c5b3dcf367b645781695 http://www.securityweek.com/ursnif-banking-trojan-uses-new-sandbox-evasion-techniques http://securityaffairs.co/wordpress/56473/breaking-news/ursnif-banking-trojan-botnet.html http://researchcenter.paloaltonetworks.com/2017/02/unit42-banking-trojans-ursnif-global-distribution-networks-identified/ |
M16-w1w01 | Marcher_80c797ac | Android | This strike sends a malware sample known as Marcher. Marcher is an Android banking trojan that has been around since 2013. New strains of this malware have been seen by security experts, and they are being spread through SMS/MMS containing links to popular Android applications. | 80c797acf9bdbe225e877520275e15f5 | SHA1: f255de54ffbff87067cfa7bc30d6d87a00aded8f MD5: 80c797acf9bdbe225e877520275e15f5 SHA256: fcd18a2b174a9ef22cd74bb3b727a11b4c072fcef316aefbb989267d21d8bf7d http://securityaffairs.co/wordpress/56258/malware/marcher-android-banking-trojan.html https://www.securify.nl/blog/SFY20170202/marcher___android_banking_trojan_on_the_rise.html |
M16-9r901 | Marcher_9ddeda87 | Android | This strike sends a malware sample known as Marcher. Marcher is an Android banking trojan that has been around since 2013. New strains of this malware have been seen by security experts, and they are being spread through SMS/MMS containing links to popular Android applications. | 9ddeda87e85a17f25ac9ed86190b018e | SHA1: c2569b8206a9bd74b13b36ea7e2ebaac3a7626cb MD5: 9ddeda87e85a17f25ac9ed86190b018e SHA256: b087728f732ebb11c4a0f06e02c6f8748d621b776522e8c1ed3fb59a3af69729 http://securityaffairs.co/wordpress/56258/malware/marcher-android-banking-trojan.html https://www.securify.nl/blog/SFY20170202/marcher___android_banking_trojan_on_the_rise.html |
M16-76j01 | StegBaus_ab818477 | Windows | This strike sends a malware sample known as StegBaus. StegBaus is originally distributed in a .NET-compiled executable that uses Confuser v1.9.0.0 obfuscation. It contains many advanced data hiding techniques and has been seen delivering numerous different commodity malware families. | ab8184779f32477f7b965299e0ed2119 | SHA1: 3f443529ec7994ff5b5c57e489b906f7fae19281 MD5: ab8184779f32477f7b965299e0ed2119 SHA256: 669e80679707bd00bf48994cf9d4fee5b58f6b87534cf7da5aefe71c0bee3d34 http://researchcenter.paloaltonetworks.com/2017/02/unit42-stegbaus-because-sometimes-xor-just-isnt-enough/ |
M16-3e401 | Locky_5384149b | Mixed | This strike sends a malware sample known as Locky. Locky is ransomware for Windows systems that appeared at the beginning of 2016. This particular sample relies on JavaScript attachments to download itself. Like other ransomware, it encrypts local files as well as network shares and renames them to [unique_id][identifier].locky. The victim is requested to pay a ransom to get the files decrypted. | 5384149bb0fc79d8b1c1042764ae34b9 | SHA1: 972ba459d35bf413e28fe37de327dc75d930d108 MD5: 5384149bb0fc79d8b1c1042764ae34b9 SHA256: 0822a63725345e6b8921877367e43ee23696d75f712a9c54d5442dbc0d5f2056 http://blog.talosintel.com/2017/01/locky-struggles.html https://continuum.cisco.com/2017/01/20/talos-locky-takes-a-break-and-returns-with-new-tricks/ http://securityaffairs.co/wordpress/55514/cyber-crime/necurs-botnet-returns.html |
M16-frf01 | FireCrypt_d8e99fca | Windows | This strike sends a malware sample known as FireCrypt. FireCrypt is ransomware that appends the .firecrypt extension to the encrypted files. | d8e99fcae9a469c2081e7ff01675c361 | SHA1: ef7c4358717ec9d04b9adc8e40b1eb928885ebf0 MD5: d8e99fcae9a469c2081e7ff01675c361 SHA256: 757e3242f6a2685ed9957c9e66235af889a7accead5719514719106d0b3c6fb4 https://www.bleepingcomputer.com/news/security/firecrypt-ransomware-comes-with-a-ddos-component/ http://securityaffairs.co/wordpress/55081/malware/firecrypt-ransomware.html |
M16-19901 | KINS_2f9cdc2a | Windows | This strike sends a malware sample known as KINS. KINS is a ZeuS Trojan variant. KINS has a modular structure; the basic offering includes a bootkit, a dropper, DLLs and ZeuS-compatible web injects. The KINS trojan comes with the Anti-Rapport plugin, which was featured in SpyEye. | 2f9cdc2a7ce846fe626e47451f7fd63e | SHA1: b8fcbf49aac665f338f1d3f8dd2120a2d987006e MD5: 2f9cdc2a7ce846fe626e47451f7fd63e SHA256: bd6b9940e87be866fd8cb893769c51a3e4266452f97270a97bc13685b420d308 http://researchcenter.paloaltonetworks.com/2017/02/unit42-banking-trojans-ursnif-global-distribution-networks-identified/ |
M16-3hi01 | Shiotob_863bd784 | Windows | This strike sends a malware sample known as Shiotob. Shiotob is a banking Trojan also known as URLZone and Bebloh. It is most often spread via email attachments. It can steal passwords from FTP clients and email, send the URLs of websites that have been visited by the user, and steal data entered in browser forms. | 863bd784a74ccf76afc69ba099185ba9 | SHA1: 07bb89d6a8c16c6d91147702e3f7b8b4c013c3e1 MD5: 863bd784a74ccf76afc69ba099185ba9 SHA256: e0bdde6336208df8807c299ef8157ec7fd9e777dfd1cc1d49534c19e1a44f811 http://researchcenter.paloaltonetworks.com/2017/02/unit42-banking-trojans-ursnif-global-distribution-networks-identified/ |
M16-wsw01 | StegBaus_9eeb3a21 | Windows | This strike sends a malware sample known as StegBaus. StegBaus is originally distributed in a .NET-compiled executable that uses Confuser v1.9.0.0 obfuscation. It contains many advanced data hiding techniques and has been seen delivering numerous different commodity malware families. | 9eeb3a21ffe751bda6f708072ea8a74b | SHA1: 84b177a20e13f719d22090a40cbf70f747ea4052 MD5: 9eeb3a21ffe751bda6f708072ea8a74b SHA256: 7a457ced31004aeccbbdc169b66a02a55a38bd1934c0ed54d97a69980945f487 http://researchcenter.paloaltonetworks.com/2017/02/unit42-stegbaus-because-sometimes-xor-just-isnt-enough/ |
M16-31t01 | Shiotob_6db1e83f | Windows | This strike sends a malware sample known as Shiotob. Shiotob is a banking Trojan also known as URLZone and Bebloh. It is most often spread via email attachments. It can steal passwords from FTP clients and email, send the URLs of websites that have been visited by the user, and steal data entered in browser forms. | 6db1e83ff48abcf6906a6711b40d5e82 | SHA1: 87c924139c6871d77c4a86f0b323d1b5749f7093 MD5: 6db1e83ff48abcf6906a6711b40d5e82 SHA256: 0733779b99ccced9808136088e08bed6518097fd892c51c150a5d7e99b755562 http://researchcenter.paloaltonetworks.com/2017/02/unit42-banking-trojans-ursnif-global-distribution-networks-identified/ |
M16-p2601 | StegBaus_9f34374a | Windows | This strike sends a malware sample known as StegBaus. StegBaus is originally distributed in a .NET-compiled executable that uses Confuser v1.9.0.0 obfuscation. It contains many advanced data hiding techniques and has been seen delivering numerous different commodity malware families. | 9f34374aecde06cc5b3c8474bcc2b367 | SHA1: 4321b67966538f1fe66e25e3a04df5b123bf5885 MD5: 9f34374aecde06cc5b3c8474bcc2b367 SHA256: b97c36f7d7118ab964ac7e7337dd3de0ab86cb286e724f3787b358aef5f2a5f1 http://researchcenter.paloaltonetworks.com/2017/02/unit42-stegbaus-because-sometimes-xor-just-isnt-enough/ |
M16-x7k01 | HummingWhale_0a533a3f | Android | This strike sends a malware sample known as HummingWhale. HummingWhale is an Android malware. HummingWhale is a newer variant of the HummingBad malware. It was found hiding in more than 20 applications in the Google Play Store. | 0a533a3f76496e57d11a9d6c3ed3258b | SHA1: 8c6ce6029d4646fdadb4fc262c7863a3da809f07 MD5: 0a533a3f76496e57d11a9d6c3ed3258b SHA256: d644444e6a8c7033df94fbc4fb7303441067933dcb085fd47c60903055c33f98 http://blog.checkpoint.com/2017/01/23/hummingbad-returns/ http://thehackernews.com/2017/01/hummingbad-android-malware.html |
M16-klw01 | KINS_27ef0d56 | Windows | This strike sends a malware sample known as KINS. KINS is a ZeuS Trojan variant. KINS has a modular structure; the basic offering includes a bootkit, a dropper, DLLs and ZeuS-compatible web injects. The KINS trojan comes with the Anti-Rapport plugin, which was featured in SpyEye. | 27ef0d565b8a125806fc0811c8eddd48 | SHA1: e023d169ae10e19f24a260ff2e8d0b7b8c1ba2e2 MD5: 27ef0d565b8a125806fc0811c8eddd48 SHA256: ea05b0aff29ff657a578eed301f79a2ae7a469cda10030151426eff85b2390ea http://researchcenter.paloaltonetworks.com/2017/02/unit42-banking-trojans-ursnif-global-distribution-networks-identified/ |
M16-uy101 | HummingWhale_baad5914 | Android | This strike sends a malware sample known as HummingWhale. HummingWhale is an Android malware. | baad591455367c2682c16336ff5769e9 | SHA1: 8b41f9ab61ebead1e2a40282210742e0a3692169 MD5: baad591455367c2682c16336ff5769e9 SHA256: c752d601de41b08d1a94eb719584ce7813984217c7417b27c4b2adaedaf760bc http://blog.checkpoint.com/2017/01/23/hummingbad-returns/ http://thehackernews.com/2017/01/hummingbad-android-malware.html |
M16-ufp01 | Ursnif_f3c82e20 | Windows | This strike sends a malware sample known as Ursnif. Ursnif or Gozi is a banking trojan. The malware is mainly spread through spam email that contains an attachment that downloads Ursnif. In the past year, Ursnif has been used in attacks against Japan. | f3c82e209d94b592b30acd740ea145e1 | SHA1: 449caf7925e874087a7005c7aa8862e434a6972a MD5: f3c82e209d94b592b30acd740ea145e1 SHA256: c7a2bc376d6ddfc678e7c7b3324b021edf19c896a80ab1ec7c2f36bc004ef29e http://www.securityweek.com/ursnif-banking-trojan-uses-new-sandbox-evasion-techniques http://securityaffairs.co/wordpress/56473/breaking-news/ursnif-banking-trojan-botnet.html http://researchcenter.paloaltonetworks.com/2017/02/unit42-banking-trojans-ursnif-global-distribution-networks-identified/ |
M16-vn201 | Shiotob_c46e6aee | Windows | This strike sends a malware sample known as Shiotob. Shiotob is a banking Trojan also known as URLZone and Bebloh. It is most often spread via email attachments. It can steal passwords from FTP clients and email, send the URLs of websites that have been visited by the user, and steal data entered in browser forms. | c46e6aee8bd512fdedbee688e105df16 | SHA1: cd34148a1ce37b13389647674653e981cfacd522 MD5: c46e6aee8bd512fdedbee688e105df16 SHA256: 124e6d6d3da321ad04e7f3aa9ae1b29fea2f382e8903a72ce48091cce47127ce http://researchcenter.paloaltonetworks.com/2017/02/unit42-banking-trojans-ursnif-global-distribution-networks-identified/ |
M16-yos01 | Spora_fbc7d35f | Windows | This strike sends a malware sample known as Spora. Spora is ransomware written in C whose ransom note is written in Russian. Spora does not rename the files after it encrypts them. | fbc7d35f452a291cf4aba1f56fd787e5 | SHA1: 236ca7ced117da12a3873f28c458cc6427702ba4 MD5: fbc7d35f452a291cf4aba1f56fd787e5 SHA256: 3a8067a03ed287888b90cf706b60ae12dc2881fe859fb1d42714ccd7dd7e16ed https://www.bleepingcomputer.com/news/security/spora-ransomware-works-offline-has-the-most-sophisticated-payment-site-as-of-yet/ |
M16-qvo01 | Locky_5c79eab9 | Windows | This strike sends a malware sample known as Locky. Locky is ransomware for Windows systems that appeared at the beginning of 2016. This particular sample relies on JavaScript attachments to download itself. Like other ransomware, it encrypts local files as well as network shares and renames them to [unique_id][identifier].locky. The victim is requested to pay a ransom to get the files decrypted. | 5c79eab9b160e423f32e52fc3477e0ab | SHA1: 13d379790ae8bdde0820e17521bf8217368fde97 MD5: 5c79eab9b160e423f32e52fc3477e0ab SHA256: ec9c06a7cf810b07c342033588d2e7f5741e7acbea5f0c8e7009f6cc7087e1f7 http://blog.talosintel.com/2017/01/locky-struggles.html https://continuum.cisco.com/2017/01/20/talos-locky-takes-a-break-and-returns-with-new-tricks/ http://securityaffairs.co/wordpress/55514/cyber-crime/necurs-botnet-returns.html |
M16-t4g01 | Ursnif_4da11c82 | Windows | This strike sends a malware sample known as Ursnif. Ursnif or Gozi is a banking trojan. The malware is mainly spread through spam email that contains an attachment that downloads Ursnif. In the past year, Ursnif has been used in attacks against Japan. | 4da11c829f8fea1b690f317837af8387 | SHA1: 00c6ce1031f88b5276a5335e68fba663e769dadd MD5: 4da11c829f8fea1b690f317837af8387 SHA256: 3af18232a9175dea624a7947e6edef6a57457bdf6d3ba0ead58856a139db2832 http://www.securityweek.com/ursnif-banking-trojan-uses-new-sandbox-evasion-techniques http://securityaffairs.co/wordpress/56473/breaking-news/ursnif-banking-trojan-botnet.html http://researchcenter.paloaltonetworks.com/2017/02/unit42-banking-trojans-ursnif-global-distribution-networks-identified/ |
M16-67f01 | Zeus_30e8ddf1 | Windows | This strike sends a malware sample known as Zeus. ZeuS exfiltrates stolen data and receives remote commands via encrypted HTTP POST requests to a command-and-control web server. ZeuS encrypts this traffic with RC4, using a key that is embedded in the binary. While the primary function of this malware is to commit financial fraud, its general information-stealing behaviour makes it a threat to all enterprises. | 30e8ddf16279b6dacc6f9d47186b58f3 | SHA1: 5ead66a3ee3f3bab0dc6a87ee6f935028ae23ebb MD5: 30e8ddf16279b6dacc6f9d47186b58f3 SHA256: 4b66d77bd775c7695f7211b95808e14c5cbef8c6d69e3749b21868bad296f22e http://researchcenter.paloaltonetworks.com/2017/02/unit42-banking-trojans-ursnif-global-distribution-networks-identified/ |
M16-wx401 | Pushdo_c7bebfb8 | Windows | This strike sends a malware sample known as Pushdo. Pushdo is a downloader trojan. When executed, Pushdo reports back to one of several control server IP addresses embedded in its code. The server listens on TCP port 80 and pretends to be an Apache web server. | c7bebfb87ebea9eea43eeb681f7ff59b | SHA1: fa1e574e9fd240e27f4f1b7449e4dac555bebe0a MD5: c7bebfb87ebea9eea43eeb681f7ff59b SHA256: 59a512bcd4af8aef4769ce8b4f31c5116c2e9b6bd09e76f4824a073072ea822e http://researchcenter.paloaltonetworks.com/2017/02/unit42-banking-trojans-ursnif-global-distribution-networks-identified/ |
M16-sec01 | Tinba_7b9227f9 | Windows | This strike sends a malware sample known as Tinba. Tinba is a banking trojan first seen in 2012; it is commonly distributed through malicious spam emails or malvertising. As a banking trojan, its main capability is performing man-in-the-browser attacks. | 7b9227f98eea65ad3cab1e755cc825a0 | SHA1: afb49223eafa9a12edc77f490c7270d6ae290da1 MD5: 7b9227f98eea65ad3cab1e755cc825a0 SHA256: 0482ac285c4e941a82de2425c3572ef2b951f90423d85627a282147fb3b95d14 http://researchcenter.paloaltonetworks.com/2017/02/unit42-banking-trojans-ursnif-global-distribution-networks-identified/ |
M16-hn501 | Pushdo_ef9eb44e | Windows | This strike sends a malware sample known as Pushdo. Pushdo is a downloader trojan. When executed, Pushdo reports back to one of several control server IP addresses embedded in its code. The server listens on TCP port 80 and pretends to be an Apache web server. | ef9eb44ef708237cde29d841279e5371 | SHA1: 43ab4c6809505a47c0c63b4d46d455f4fb28528a MD5: ef9eb44ef708237cde29d841279e5371 SHA256: e061a37cef414f8943972bf0fd2a990f7283a07b460aa2c9292c00323432f3b4 http://researchcenter.paloaltonetworks.com/2017/02/unit42-banking-trojans-ursnif-global-distribution-networks-identified/ |
M16-vr301 | StegBaus_ee4165ed | Windows | This strike sends a malware sample known as StegBaus. StegBaus is originally distributed in a .NET-compiled executable that uses Confuser v1.9.0.0 obfuscation. It contains many advanced data hiding techniques and has been seen delivering numerous different commodity malware families. | ee4165edd514e03664e32b1ca162f99a | SHA1: 048ae25b235d203c01f82ea73bbccb7bf73dfd61 MD5: ee4165edd514e03664e32b1ca162f99a SHA256: e1fdd18455a4b256616f450af719721596804987a5fed0f8ef8fb0a96ab3b45e http://researchcenter.paloaltonetworks.com/2017/02/unit42-stegbaus-because-sometimes-xor-just-isnt-enough/ |
M16-vtv01 | KINS_ed09632e | Windows | This strike sends a malware sample known as KINS. KINS is a ZeuS Trojan variant. KINS has a modular structure; the basic offering includes a bootkit, a dropper, DLLs and ZeuS-compatible web injects. The KINS trojan comes with the Anti-Rapport plugin, which was featured in SpyEye. | ed09632e3d549edb8f31eaac5562df7c | SHA1: d78f465ffb433d4f2c9382e22e028709567c7eba MD5: ed09632e3d549edb8f31eaac5562df7c SHA256: 62989ab56f11701b109cddf0eb20e995c833078bb40942a8c931589497c25948 http://researchcenter.paloaltonetworks.com/2017/02/unit42-banking-trojans-ursnif-global-distribution-networks-identified/ |
M16-7ie01 | Ursnif_4d5abd97 | Windows | This strike sends a malware sample known as Ursnif. Ursnif or Gozi is a banking trojan. The malware is mainly spread through spam email that contains an attachment that downloads Ursnif. In the past year, Ursnif has been used in attacks against Japan. | 4d5abd974d213339274581a49e9c2780 | SHA1: 84d211bdd139ac61f760a3d396c7e19680163313 MD5: 4d5abd974d213339274581a49e9c2780 SHA256: 5feeee23ecd310ed552b56c1992d5e7f6dbf4e656224a9f3073b83770768e994 http://www.securityweek.com/ursnif-banking-trojan-uses-new-sandbox-evasion-techniques http://securityaffairs.co/wordpress/56473/breaking-news/ursnif-banking-trojan-botnet.html http://researchcenter.paloaltonetworks.com/2017/02/unit42-banking-trojans-ursnif-global-distribution-networks-identified/ |
M16-r2201 | JobCrypter_5d4076d6 | Windows | This strike sends a malware sample known as JobCrypter. JobCrypter is ransomware that has recently been seen in the wild. It drops TXT files on the victim's computer with information about the ransom payment. | 5d4076d6ca3391330504b9496c5d325c | SHA1: ba1117865e17966bb90be636a256dfe03a0646c6 MD5: 5d4076d6ca3391330504b9496c5d325c SHA256: d3ffc11e941727382d24f252d9627d126aabd9a0fc859436a74c06d31e6f5d2e https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-february-10th-2017-serpent-spora-id-ransomware/ |
M16-xj001 | Spora_570e9cf4 | Windows | This strike sends a malware sample known as Spora. Spora is ransomware written in C whose ransom note is written in Russian. Spora does not rename the files after it encrypts them. | 570e9cf484050e21346bcdcb99824d77 | SHA1: f889cbfd2f25e65fae443c9f70192bd310a04b51 MD5: 570e9cf484050e21346bcdcb99824d77 SHA256: 2637247ad66e6e57a68093528bb137c959cdbb438764318f09326fc8a79bdaaf https://www.bleepingcomputer.com/news/security/spora-ransomware-works-offline-has-the-most-sophisticated-payment-site-as-of-yet/ |
M16-ja801 | Rovnix_af2016cf | Windows | This strike sends a malware sample known as Rovnix. ROVNIX writes malicious rootkit drivers to unpartitioned space on the NTFS drive. This effectively hides the driver, since this unpartitioned space cannot be seen by the operating system or security products. To load the malicious driver, ROVNIX modifies the contents of the IPL (initial program loader) so that the malicious rootkit driver is loaded before the operating system. | af2016cf2b5d04543a94d83447103fc3 | SHA1: 172f38ad7a33e0c393863d0cd75b4a9ce8508fbc MD5: af2016cf2b5d04543a94d83447103fc3 SHA256: fdca8fa4368763899eff263d472850273ac9df672e0867d4aa3546bb439be291 http://researchcenter.paloaltonetworks.com/2017/02/unit42-banking-trojans-ursnif-global-distribution-networks-identified/ |
M16-y1u01 | KINS_9fa264ba | Windows | This strike sends a malware sample known as KINS. KINS is a ZeuS Trojan variant. KINS has a modular structure; the basic offering includes a bootkit, a dropper, DLLs and ZeuS-compatible web injects. The KINS trojan comes with the Anti-Rapport plugin, which was featured in SpyEye. | 9fa264baf6f92a626949352923fb679d | SHA1: e8c636eee1ad5ec3384a0eb61ad4759c76ad11ce MD5: 9fa264baf6f92a626949352923fb679d SHA256: f3bf1e6cfd4a21f6f6907833bfbd9d44a9499eea4e27c0e4415f7e3975fa559f http://researchcenter.paloaltonetworks.com/2017/02/unit42-banking-trojans-ursnif-global-distribution-networks-identified/ |
M16-wym01 | Shiotob_4a8b8eb2 | Windows | This strike sends a malware sample known as Shiotob. Shiotob is a banking Trojan also known as URLZone and Bebloh. It is most often spread via email attachments. It can steal passwords from FTP clients and email, send the URLs of websites that have been visited by the user, and steal data entered in browser forms. | 4a8b8eb2afd717b679ffc800740b3bd2 | SHA1: 26866a6d392db1f8a0c8d25a1746bd268be96d6b MD5: 4a8b8eb2afd717b679ffc800740b3bd2 SHA256: dbe42c50bfa0dd6fe0b236fe5371bc294f43d48bbf1243d4f3b2a98041f0d3ab http://researchcenter.paloaltonetworks.com/2017/02/unit42-banking-trojans-ursnif-global-distribution-networks-identified/ |
M16-4wa01 | Tinba_1fa127ce | Windows | This strike sends a malware sample known as Tinba. Tinba is a banking trojan first seen in 2012; it is commonly distributed through malicious spam emails or malvertising. As a banking trojan, its main capability is performing man-in-the-browser attacks. | 1fa127ced06dac4a7f1b422dd4955327 | SHA1: c2a11ce032de364c6edb0a2716d4542ad0b8ec84 MD5: 1fa127ced06dac4a7f1b422dd4955327 SHA256: 94c12b0de0e28a5c88d9b3242793f1d1cd4ff4a86a4bce991e68f3d2e04c56a6 http://researchcenter.paloaltonetworks.com/2017/02/unit42-banking-trojans-ursnif-global-distribution-networks-identified/ |
M16-ebh01 | PortugueseRansomware_8a3a3256 | Windows | This strike sends a malware sample known as PortugueseRansomware. PortugueseRansomware is new ransomware whose ransom note is written in Portuguese. | 8a3a3256e0a6916812d559f745775a89 | SHA1: 9c1cb81a9e715f0b031db7b289946c5fab87f1c2 MD5: 8a3a3256e0a6916812d559f745775a89 SHA256: cab632fca64fc77a1f55168ad94561a8e98e47a6b27adcb5419e81fee90c959b https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-february-10th-2017-serpent-spora-id-ransomware/ |
M16-h8901 | KINS_39f5ace4 | Windows | This strike sends a malware sample known as KINS. KINS is a ZeuS Trojan variant. KINS has a modular structure; the basic offering includes a bootkit, a dropper, DLLs and ZeuS-compatible web injects. The KINS trojan comes with the Anti-Rapport plugin, which was featured in SpyEye. | 39f5ace4ec18e8b7c6de54e6fc6d86f3 | SHA1: 74f4211bf2b352bbdb308ffd85ad70cb60c50a11 MD5: 39f5ace4ec18e8b7c6de54e6fc6d86f3 SHA256: 0f300996a5d57c43b90bf97f158fed23709284b1fe4bbcabc6b843538f4fe961 http://researchcenter.paloaltonetworks.com/2017/02/unit42-banking-trojans-ursnif-global-distribution-networks-identified/ |
M16-nn401 | Shiotob_69be1e62 | Windows | This strike sends a malware sample known as Shiotob. Shiotob is a banking Trojan also known as URLZone and Bebloh. It is most often spread via email attachments. It can steal passwords from FTP clients and email, send the URLs of websites that have been visited by the user, and steal data entered in browser forms. | 69be1e62b00ba27cc4ae0e3b41720d41 | SHA1: afc6f64765529ba12da69f3ea536fca661ae4610 MD5: 69be1e62b00ba27cc4ae0e3b41720d41 SHA256: 164eab81c9ef0b14b4f93f7f5b60b0111d9eb3de3131c35f2f388837e0309b9e http://researchcenter.paloaltonetworks.com/2017/02/unit42-banking-trojans-ursnif-global-distribution-networks-identified/ |
M16-s8z01 | Tinba_d7669dd5 | Windows | This strike sends a malware sample known as Tinba. Tinba is a banking trojan first seen in 2012; it is commonly distributed through malicious spam emails or malvertising. As a banking trojan, its main capability is performing man-in-the-browser attacks. | d7669dd586396502b25c9ebf37b10db4 | SHA1: 11ed83c66bd226a52915327bebc3cb073d579505 MD5: d7669dd586396502b25c9ebf37b10db4 SHA256: fcee667cb6900ddf55029f1f806995f73cd5be75912f1c94c905a6d177353e1f http://researchcenter.paloaltonetworks.com/2017/02/unit42-banking-trojans-ursnif-global-distribution-networks-identified/ |
M16-hb501 | Pushdo_6f58a94b | Windows | This strike sends a malware sample known as Pushdo. Pushdo reports back to one of several control server IP addresses embedded in its code. The server listens on TCP port 80 and pretends to be an Apache web server. | 6f58a94b52aae9f0fe5c1256a4ce19a8 | SHA1: 1e147caade60277be732659a33878b3ff44d7b6a MD5: 6f58a94b52aae9f0fe5c1256a4ce19a8 SHA256: 242f192b9e985864ba5e3f6b0cb15efc280980e2b097d2ebaabd1d8de7117663 http://researchcenter.paloaltonetworks.com/2017/02/unit42-banking-trojans-ursnif-global-distribution-networks-identified/ |
M16-7iu01 | Cerber_208a394b | Windows | This strike sends a malware sample known as Cerber. Cerber is ransomware that infiltrates systems and encrypts various file types. After encrypting the files, Cerber changes the desktop wallpaper to one that provides instructions on what to do and how much to pay in order to get your files decrypted. | 208a394b211726ac07d668ac28ad7ec1 | SHA1: e89fb7405e242e359b652e5dd1276d4ba20c5aed MD5: 208a394b211726ac07d668ac28ad7ec1 SHA256: 547d791a4d8847926b250648898925ffe5ee41d636adc36aa3c1134cf43322de http://blog.trendmicro.com/trendlabs-security-intelligence/recent-spam-runs-in-germany-show-how-threats-intend-to-stay-in-the-game/ |
M16-xku01 | Sage_b1bfa47e | Windows | This strike sends a malware sample known as Sage. Sage is ransomware considered to be a variant of the CryLocker ransomware. Sage is distributed through the Sundown and RIG exploit kits. | b1bfa47e9776793c4d83f0c6fdad379c | SHA1: 5b1428cce7ef22e6d9da05da79a4e3d9bb872bba MD5: b1bfa47e9776793c4d83f0c6fdad379c SHA256: 362baeb80b854c201c4e7a1cfd3332fd58201e845f6aebe7def05ff0e00bf339 https://isc.sans.edu/diary/Sage%2B2.0%2BRansomware/21959 http://securityaffairs.co/wordpress/55650/malware/sage-2-0-ransomware.html |
M16-icm01 | EyePyramid_14db577a | Windows | This strike sends a malware sample known as EyePyramid. EyePyramid is malware that targets politicians, bankers and law enforcement figures in Italy. It is spread via phishing emails, and after infection it grants access to all resources on the infected machine. | 14db577a9b0bfc62f3a25a9a51765bc5 | SHA1: 6b3e554e28b74343eee12fd801b166f7ac2f8234 MD5: 14db577a9b0bfc62f3a25a9a51765bc5 SHA256: 3b86409c26889be4fef9f3c4718193e1ea4d0e6551ec09eb55831dba761aecaa http://securityaffairs.co/wordpress/55285/cyber-crime/eyepyramid-espionage-campaign.html https://securelist.com/blog/incidents/77098/the-eyepyramid-attacks/ |
M16-p6y01 | Cerber_6f0b1c63 | Mixed | This strike sends a malware sample known as Cerber. Cerber is ransomware that infiltrates systems and encrypts various file types. After encrypting the files, Cerber changes the desktop wallpaper to one that provides instructions on what to do and how much to pay in order to get your files decrypted. | 6f0b1c63aa8e3ab57fe308d6c67c8413 | SHA1: 71fa6f482f001922d75a2fba5eea6a36338aa2a3 MD5: 6f0b1c63aa8e3ab57fe308d6c67c8413 SHA256: 40f70b1e12dcabba4303a98a324d421e69c9ae60746cbf2f026f1d9da2d8cd70 http://blog.trendmicro.com/trendlabs-security-intelligence/recent-spam-runs-in-germany-show-how-threats-intend-to-stay-in-the-game/ |
M16-qb701 | Ploutus_5af1f928 | Windows | This strike sends a malware sample known as Ploutus. Ploutus is ATM malware that was discovered in 2013. Ploutus' main purpose is to empty an ATM without requiring an ATM card. | 5af1f92832378772a7e3b07a0cad4fc5 | SHA1: dadf8493072a479950af004a58fa774f83fc984c MD5: 5af1f92832378772a7e3b07a0cad4fc5 SHA256: aee97881d3e45ba0cae91f471db78aded16bcff1468d9e66edf9d3c0223d238f http://securityaffairs.co/wordpress/55334/cyber-crime/ploutus-d.html https://www.fireeye.com/blog/threat-research/2017/01/new_ploutus_variant.html |
M16-9g701 | BleedGreen_c82617e2 | Windows | This strike sends a malware sample known as BleedGreen. BleedGreen is the FireCrypt malware builder. | c82617e2ea031d93d5c2ea8165656753 | SHA1: 62e495b8e7bf597cb5fac48828f808d46f064930; MD5: c82617e2ea031d93d5c2ea8165656753; SHA256: e77df2ce34949eb11290445a411a47fb927e8871e2580897581981d17730032d; http://securityaffairs.co/wordpress/55081/malware/firecrypt-ransomware.html; https://www.bleepingcomputer.com/news/security/firecrypt-ransomware-comes-with-a-ddos-component/ |
M16-2uz01 | MerryXmas_887b35a8 | Windows | This strike sends a malware sample known as MerryXmas. MerryXmas is ransomware distributed via malicious spam disguised as customer complaints. It adds the .RMCM1 extension to all encrypted files. | 887b35a87fb75e2d889694143e3c9014 | SHA1: c8be4500127bfce10ab38152a8a5003b75613603; MD5: 887b35a87fb75e2d889694143e3c9014; SHA256: 78cc9626bb8d6f9d8ddf8236c197894a86f9d54a294b38c9c0b82744496b3fae; http://www.infosecurity-magazine.com/news/merry-christmas-ransomware-hangs/; https://isc.sans.edu/forums/diary/Merry+XMas+ransomware+from+Sunday+20170108/21905 |
M16-3tc01 | Marlboro_48629562 | Windows | This strike sends a malware sample known as Marlboro. Marlboro is ransomware that appends the ".oops" extension to encrypted files. | 4862956228816276ab2b1baaa019d4f8 | SHA1: 99911950e0d1fd1728d5b80da43a16d90e41ec45; MD5: 4862956228816276ab2b1baaa019d4f8; SHA256: b5c37f3cf90026a815925aa4d53882823221c97127a378f0beb1b8276686caad; https://www.bleepingcomputer.com/news/security/marlboro-ransomware-defeated-in-one-day/ |
M16-kw601 | HummingWhale_4c635fcc | Android | This strike sends a malware sample known as HummingWhale. HummingWhale is Android malware and a newer variant of HummingBad. It hides in more than 20 applications in the Google Play Store. | 4c635fcce49743de86d8f9cc58d2de8b | SHA1: a87e15abc1b15443275e4d12d08d8070b793cec2; MD5: 4c635fcce49743de86d8f9cc58d2de8b; SHA256: 0908a85853e1c472e9fe02b787c5e3bee4f42a448185a6e033797b5a0ee00f54; http://blog.checkpoint.com/2017/01/23/hummingbad-returns/; http://thehackernews.com/2017/01/hummingbad-android-malware.html |
M16-bzi01 | HummingWhale_700b2e0f | Android | This strike sends a malware sample known as HummingWhale. HummingWhale is Android malware and a newer variant of HummingBad. It hides in more than 20 applications in the Google Play Store. | 700b2e0fb8f6fc866599255347ddde76 | SHA1: 5a747c5cd2f36b9731b097321a956001afe7c8eb; MD5: 700b2e0fb8f6fc866599255347ddde76; SHA256: 32d9c801ffccad7d95f3eb256ca23c585329863a19d0316f7bedc556b5d59d8f; http://blog.checkpoint.com/2017/01/23/hummingbad-returns/; http://thehackernews.com/2017/01/hummingbad-android-malware.html |
M16-6e701 | Marlboro_52d66a72 | Mixed | This strike sends a malware sample known as Marlboro. Marlboro is ransomware that appends the ".oops" extension to encrypted files. | 52d66a72a492ef85bff1ea562fedf490 | SHA1: 91902bd2e95502d12cc8c00b8ef289e2b01e84a1; MD5: 52d66a72a492ef85bff1ea562fedf490; SHA256: a2cf2ccc1d4a71ead386156b8c39a4f6240068cf9af485513284bf98662ae9b3; https://www.bleepingcomputer.com/news/security/marlboro-ransomware-defeated-in-one-day/ |
M16-k7m01 | Cerber_7d181574 | Windows | This strike sends a malware sample known as Cerber. Cerber is ransomware that infiltrates systems and encrypts various file types. After encrypting the files, Cerber replaces the desktop wallpaper with one that gives instructions on what to do and how much to pay to get the files decrypted. | 7d181574893ec9cb2795166623f8e531 | SHA1: 79440d8b1e4b8fa222f1be78435f43f86796f6dc; MD5: 7d181574893ec9cb2795166623f8e531; SHA256: a098c20dd46c6afa031bb653cd6d6eede4260a5a6244cf8c1dffcb4d8565b404; http://blog.trendmicro.com/trendlabs-security-intelligence/recent-spam-runs-in-germany-show-how-threats-intend-to-stay-in-the-game/ |
M16-m6n01 | Satan_c50deba5 | Windows | This strike sends a malware sample known as Satan. Satan is Ransomware as a Service (RaaS) that enables any criminal to create their own variant of the Satan ransomware. | c50deba5542672ce85086c6ad747a1e4 | SHA1: 25bb2935f75e15b4117779b93d064367049b5fa9; MD5: c50deba5542672ce85086c6ad747a1e4; SHA256: c04836696d715c544382713eebf468aeff73c15616e1cd8248ca8c4c7e931505; http://securityaffairs.co/wordpress/55487/malware/satan-raas.html; https://www.pcrisk.com/removal-guides/10854-satan-ransomware |
M16-2vc01 | MerryXmas_1a7d5e0f | Mixed | This strike sends a malware sample known as MerryXmas. MerryXmas is ransomware distributed via malicious spam disguised as customer complaints. It adds the .RMCM1 extension to all encrypted files. | 1a7d5e0fe2288a2fd4910c685b9142b3 | SHA1: 63a5e7851c9146554e2e5cef467f7d78c734169a; MD5: 1a7d5e0fe2288a2fd4910c685b9142b3; SHA256: 244b4205acb416700bec459c8b36be379c0b7e3d2a21a57c4a121ba95d229bc4; http://www.infosecurity-magazine.com/news/merry-christmas-ransomware-hangs/; https://isc.sans.edu/forums/diary/Merry+XMas+ransomware+from+Sunday+20170108/21905 |
M16-79x01 | Spora_312445d2 | Windows | This strike sends a malware sample known as Spora. Spora is ransomware written in C whose ransom note is written in Russian. Spora does not rename files after encrypting them. | 312445d2cca1cf82406af567596b9d8c | SHA1: d3c89ccaf190890fc0583ea24396b1a2cd8317c4; MD5: 312445d2cca1cf82406af567596b9d8c; SHA256: dbfd24cd70f02ddea6de0a851c1ef0f45f18b4f70e6f3d0f2e2aec0d1b4a2cbf; http://securityaffairs.co/wordpress/55260/malware/spora-ransomware.html; http://blog.emsisoft.com/2017/01/10/from-darknet-with-love-meet-spora-ransomware/; https://www.bleepingcomputer.com/news/security/spora-ransomware-works-offline-has-the-most-sophisticated-payment-site-as-of-yet/ |
M16-uw401 | Sharik_727cbccb | Windows | This strike sends a malware sample known as Sharik. Sharik is a trojan loader distributed via emails whose sender impersonates a telecommunications company. The emails contain a zip PDF attachment which, when opened, infects the victim's machine with Sharik. | 727cbccb80206ebe6a989fc6386f222e | SHA1: 21bacd8c51fab29c15c1df8f25f7e91697d3bba1; MD5: 727cbccb80206ebe6a989fc6386f222e; SHA256: 906d2ecdbc2b306ce7061b94d3d8cd64a9336fcfbc46f95d1a3bcddfdfbff7bb; http://blog.trendmicro.com/trendlabs-security-intelligence/recent-spam-runs-in-germany-show-how-threats-intend-to-stay-in-the-game/ |
M16-xnu01 | EyePyramid_b39a673a | Windows | This strike sends a malware sample known as EyePyramid. EyePyramid is malware that targets politicians, bankers and law enforcement figures in Italy. It spreads via phishing emails and, once installed, grants access to all resources on the infected machine. | b39a673a5d2ceaa1fb5571769097ca77 | SHA1: b61633975206c58df648df144c78bb3e20051d93; MD5: b39a673a5d2ceaa1fb5571769097ca77; SHA256: d3ad32bcb255e56cd2a768b3cbf6bafda88233288fc6650d0dfa3810be75f74c; http://securityaffairs.co/wordpress/55285/cyber-crime/eyepyramid-espionage-campaign.html; https://securelist.com/blog/incidents/77098/the-eyepyramid-attacks/ |
M16-n7i01 | Marlboro_9c7a41fb | Windows | This strike sends a malware sample known as Marlboro. Marlboro is ransomware that appends the ".oops" extension to encrypted files. | 9c7a41fbe431a41bfdf933436c846858 | SHA1: 15fd4e3c2aeffba55b9469820e9838e0062c72fb; MD5: 9c7a41fbe431a41bfdf933436c846858; SHA256: a95d7606d17b221bca0960d04bffdc5ff1585ca13a2511bbf5347a732a3a025c; https://www.bleepingcomputer.com/news/security/marlboro-ransomware-defeated-in-one-day/ |
M16-dfb01 | KillDisk_5cc42c3d | Windows | This strike sends a malware sample known as KillDisk. KillDisk is data-wiping malware that was used as a component of the BlackEnergy attacks against the Ukrainian power grid. | 5cc42c3d67099d361c1c37750ae5ff04 | SHA1: 2379a29b4c137afb7c0fd80a58020f5e09716437; MD5: 5cc42c3d67099d361c1c37750ae5ff04; SHA256: a6a167e214acd34b4084237ba7f6476d2e999849281aa5b1b3f92138c7d91c7a; http://thehackernews.com/2017/01/linux-ransomware-malware.html; http://www.welivesecurity.com/2017/01/05/killdisk-now-targeting-linux-demands-250k-ransom-cant-decrypt/ |
M16-3hv01 | Locky_afed9062 | Windows | This strike sends a malware sample known as Locky. Locky is ransomware for Windows systems that appeared at the beginning of 2016. This particular sample relies on JavaScript attachments to download itself. Like other ransomware, it encrypts local files as well as network shares and renames them to [unique_id][identifier].locky. The victim is asked to pay a ransom to get the files decrypted. | afed90629bb84de0ce8e7c6d2231e9c3 | SHA1: 4e7fa838280b7ab7f70afd5e73c461639a1f0b5e; MD5: afed90629bb84de0ce8e7c6d2231e9c3; SHA256: 79ffaa5453500f75abe4ad196100a53dfb5ec5297fc714dd10feb26c4fb086db; http://blog.talosintel.com/2017/01/locky-struggles.html; https://continuum.cisco.com/2017/01/20/talos-locky-takes-a-break-and-returns-with-new-tricks/; http://securityaffairs.co/wordpress/55514/cyber-crime/necurs-botnet-returns.html |
M16-eiv01 | EyePyramid_a41c5374 | Windows | This strike sends a malware sample known as EyePyramid. EyePyramid is malware that targets politicians, bankers and law enforcement figures in Italy. It spreads via phishing emails and, once installed, grants access to all resources on the infected machine. | a41c5374a14a2c7cbe093ff6b075e8ac | SHA1: b25222b289cb3a8e7877c46a8840e560d1ab375b; MD5: a41c5374a14a2c7cbe093ff6b075e8ac; SHA256: 137846f698de9b30fe0fb81af20f175f36cf7c6297e3f920996e607cf80f518a; http://securityaffairs.co/wordpress/55285/cyber-crime/eyepyramid-espionage-campaign.html; https://securelist.com/blog/incidents/77098/the-eyepyramid-attacks/ |
M16-y5g01 | Ploutus_c04a7cb9 | Windows | This strike sends a malware sample known as Ploutus. Ploutus is ATM malware discovered in 2013; its main purpose is to empty an ATM without needing an ATM card. | c04a7cb926ccbf829d0a36a91ebf91bd | SHA1: 66adf3ab1913e92be7f34adcd9be1b6eda677d59; MD5: c04a7cb926ccbf829d0a36a91ebf91bd; SHA256: 04db39463012add2eece6dfe6f311ad46b76dae55460eea30dec02d3d3f1c00a; http://securityaffairs.co/wordpress/55334/cyber-crime/ploutus-d.html; https://www.fireeye.com/blog/threat-research/2017/01/new_ploutus_variant.html |