Malware Monthly Update - December 2020

Malware Strikes

Each strike below is listed with its Strike ID, Malware, Platform, Info and External References, followed by the sample's SHA256, SHA1 and MD5 hashes. Polymorphic samples also carry the PARENTID of the strike they were derived from and an SSDEEP fuzzy hash.

Strike ID: M20-72zh1
Malware: Gh0stRAT_34a648b5
Platform: Windows
Info: This strike sends a polymorphic malware sample known as Gh0stRAT. Gh0stRAT is a remote access Trojan that provides control over an infected system. Some of its known functions include the ability to record keystrokes, capture screenshots and download additional malicious payloads. The binary has random bytes appended at the end of the file.
External References: https://attack.mitre.org/techniques/T1009/
SHA256: f423b11021ce9175c79881f2988516428e9e80659f41105ae037cdedd5e0da8c
SHA1: 9d7b304bd8a65f1f788ab5e8a788e0f5e1748061
PARENTID: M20-gt381
SSDEEP: 1536:MbuXXlyLMFM6NRjebOZewU/R4kY6WpsQEYzQI4wb9DprLElnY+fsrcNgF0f2bb3C:lFyLM/NR+O8wl6usKH9DRJUyMrAny
MD5: 34a648b57683dd4d48a4123aee6542be

Strike ID: M20-lblq1
Malware: PyXie
Platform: Windows
Info: This strike sends a malware sample known as PyXie RAT. PyXie is a Python remote access Trojan. It has been seen in the wild since 2018 and is typically seen in conjunction with Cobalt Strike beacons. PyXie has been used to deliver ransomware attacks against the healthcare and education industries.
External References: https://blogs.blackberry.com/en/2019/12/meet-pyxie-a-nefarious-new-python-rat
SHA256: ea27862bd01ee8882817067f19df1e61edca7364ce649ae4d09e1a1cae14f7cc
SHA1: 6599794ea40f54656c8ac0d7c2efe1362ec8414d
MD5: cf1ad0f6c0f7dfe7b5940008ed27bc28

Strike ID: M20-hywt1
Malware: PyXie
Platform: Windows
Info: This strike sends a malware sample known as PyXie Lite. PyXie Lite is a variant of its predecessor PyXie, the Python RAT. It can be recognized by its much smaller code base and a few other noticeable changes in functionality, which include a hardened interpreter, a remapped opcode table, exfiltration of data through internal servers, and reconnaissance.
External References: https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/2/
SHA256: b2b3a199291c3651b1d7413c7dba92566a893010a50e770e1802f173f1c2c7a4
SHA1: f6085a9c93fd2ea75c1843a2bfc7b1e85f919d7a
MD5: ab109ced41f9be476da69b671d4e28ce

Strike ID: M20-wde71
Malware: Vatet
Platform: Windows
Info: This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR-encoded shellcode from the local disk or a network share. These loaders are often modified to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or, more recently, the PyXie RAT payload. Vatet Loader is often seen as the first stage in an enterprise-wide ransomware attack.
External References: https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/
SHA256: 3cd581621d9a16ebe724e9ba7445aa82162307ff6b2a31be572e87dbce2aa8ad
SHA1: 2201ebb6e819f38c080b252f7ae48accd78159be
MD5: 9935435529057201dac86957275a43e9

Strike ID: M20-vs2i1
Malware: PyXie
Platform: Windows
Info: This strike sends a malware sample known as PyXie RAT. PyXie is a Python remote access Trojan. It has been seen in the wild since 2018 and is typically seen in conjunction with Cobalt Strike beacons. PyXie has been used to deliver ransomware attacks against the healthcare and education industries.
External References: https://blogs.blackberry.com/en/2019/12/meet-pyxie-a-nefarious-new-python-rat
SHA256: 56e96ce15ebd90c197a1638a91e8634dbc5b0b4d8ef28891dcf470ca28d08078
SHA1: fa7f4b931dda6ece05a23d552a96c757127c3e0e
MD5: 3b8c4e9f27a265c2ba4c39ee94e135a2

Strike ID: M20-w8jx1
Malware: PyXie
Platform: Windows
Info: This strike sends a malware sample known as PyXie RAT. PyXie is a Python remote access Trojan. It has been seen in the wild since 2018 and is typically seen in conjunction with Cobalt Strike beacons. PyXie has been used to deliver ransomware attacks against the healthcare and education industries.
External References: https://blogs.blackberry.com/en/2019/12/meet-pyxie-a-nefarious-new-python-rat
SHA256: 78471db16d7bd484932c8eb72f7001db510f4643b3449d71d637567911ca363b
SHA1: 006513670374228a112e15ed03e24089515d085b
MD5: 1955375a3ba47f2d293aad78e2478edf

Strike ID: M20-qzdx1
Malware: PyXie
Platform: Windows
Info: This strike sends a malware sample known as PyXie Lite. PyXie Lite is a variant of its predecessor PyXie, the Python RAT. It can be recognized by its much smaller code base and a few other noticeable changes in functionality, which include a hardened interpreter, a remapped opcode table, exfiltration of data through internal servers, and reconnaissance.
External References: https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/2/
SHA256: 5736e167e234e06b33e8d8d6bb80e13b1bacca8d7cd3271695220cdec2e4a79e
SHA1: f5849ee6ab9de4be3024775cd2bf809b742f4bf5
MD5: af27bf67e462bf5ef61b15a0e160ea84

Strike ID: M20-4dqj1
Malware: Vatet
Platform: Windows
Info: This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR-encoded shellcode from the local disk or a network share. These loaders are often modified to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or, more recently, the PyXie RAT payload. Vatet Loader is often seen as the first stage in an enterprise-wide ransomware attack.
External References: https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/
SHA256: d50f28cf5012e1ffde1cd28655e07519dadcf94218b15c701c526ab0f6acb915
SHA1: 009d4a6ab775f4d8ac0a3343adf5e5910a8747ec
MD5: dba03b64b963b77fe966238c261aace4

Strike ID: M20-98eh1
Malware: Vatet
Platform: Windows
Info: This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR-encoded shellcode from the local disk or a network share. These loaders are often modified to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or, more recently, the PyXie RAT payload. Vatet Loader is often seen as the first stage in an enterprise-wide ransomware attack.
External References: https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/
SHA256: 4d39782ccdb902e8e5348b8b3ce92f0834c713c565cca82be67a0a8eb6468df6
SHA1: 5b13441e82f6964164e05ea3c92145b70d400201
MD5: c7e84d5c86f51a349445ad126c42fd89

Strike ID: M20-bkbm1
Malware: PyXie
Platform: Windows
Info: This strike sends a malware sample known as PyXie Lite. PyXie Lite is a variant of its predecessor PyXie, the Python RAT. It can be recognized by its much smaller code base and a few other noticeable changes in functionality, which include a hardened interpreter, a remapped opcode table, exfiltration of data through internal servers, and reconnaissance.
External References: https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/2/
SHA256: f80bcc60e79b387f63edfe0f1fc66492af4ff201ad5eb8080b1249ca43f6f30f
SHA1: 62493be40396091164113e76c289df62ffeec90b
MD5: 86d297b262fb1e9f8c1cee271ceea40e

Strike ID: M20-2fqg1
Malware: Barys_6a191144
Platform: Windows
Info: This strike sends a polymorphic malware sample known as Barys. Barys is a trojan and downloader that delivers malicious files to the victim machine. The binary has random bytes appended at the end of the file.
External References: https://attack.mitre.org/techniques/T1009/
SHA256: 0fadbc1a6cbbdcf8c6dfef369ca47881d562813e5e4de984d16001eaed83692b
SHA1: 1a13b6c282d8ac31996a79e3cca2e18194d2568c
PARENTID: M20-rmoa1
SSDEEP: 384:/DLPVyLRFT8Mtls0IKJdhpEoa24+odbe419lZK38nmPsywEJdxg15GMIScho9meh:/gbT8MlIcdk+odC41HjmzZJmr0jeyE
MD5: 6a191144dc2744c0d803461b8b35336b

Strike ID: M20-hsdz1
Malware: Vatet
Platform: Windows
Info: This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR-encoded shellcode from the local disk or a network share. These loaders are often modified to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or, more recently, the PyXie RAT payload. Vatet Loader is often seen as the first stage in an enterprise-wide ransomware attack.
External References: https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/
SHA256: a50b58e24eb261157c4f85d02412d80911abe8501b011493c7b393c1905fc234
SHA1: d940407a48bc4e0481b2790e89e58aa020b8887f
MD5: 039e75cdd8787394789d11ca6d2c7711

Strike ID: M20-qla01
Malware: PyXie
Platform: Windows
Info: This strike sends a malware sample known as PyXie RAT. PyXie is a Python remote access Trojan. It has been seen in the wild since 2018 and is typically seen in conjunction with Cobalt Strike beacons. PyXie has been used to deliver ransomware attacks against the healthcare and education industries.
External References: https://blogs.blackberry.com/en/2019/12/meet-pyxie-a-nefarious-new-python-rat
SHA256: d271569d5557087aecc340bb570179b73265b29bed2e774d9a2403546c7dd5ff
SHA1: 39c6484c0ca69f2e98adad292436fadf80c3c12a
MD5: 3d89a7dfd0984f23c4ebd1931d029108

Strike ID: M20-20vf1
Malware: Defray777_210f47c8
Platform: Linux
Info: This strike sends a malware sample known as Defray777. Defray777 is an elusive ransomware family, also known as RansomX and RansomExx, that has been active since 2018. It runs entirely in memory and is typically delivered and executed by a loader such as Cobalt Strike. The malware has been ported to Linux; unlike the Windows variant, however, the Linux variant does not employ anti-analysis measures to hinder reverse engineering.
External References: https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/3/
SHA256: 78147d3be7dc8cf7f631de59ab7797679aba167f82655bcae2c1b70f1fafc13d
SHA1: 50f191f04aa6cff1d8688a3c5d6cce96739ab6b3
MD5: 210f47c8f47ded8525da927710abc6ad

Strike ID: M20-yg4v1
Malware: PyXie
Platform: Windows
Info: This strike sends a malware sample known as PyXie Lite. PyXie Lite is a variant of its predecessor PyXie, the Python RAT. It can be recognized by its much smaller code base and a few other noticeable changes in functionality, which include a hardened interpreter, a remapped opcode table, exfiltration of data through internal servers, and reconnaissance.
External References: https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/2/
SHA256: b3c6f365819864340a8a8fe3076fb326c1debfdbbc826384cb2978aea82edc48
SHA1: 658c536d92c7b60e7c31bc4eeb43504c83204df7
MD5: d0857462281df296b60a8814d4fa052f

Strike ID: M20-mzle1
Malware: PyXie
Platform: Windows
Info: This strike sends a malware sample known as PyXie RAT. PyXie is a Python remote access Trojan. It has been seen in the wild since 2018 and is typically seen in conjunction with Cobalt Strike beacons. PyXie has been used to deliver ransomware attacks against the healthcare and education industries.
External References: https://blogs.blackberry.com/en/2019/12/meet-pyxie-a-nefarious-new-python-rat
SHA256: 0da9e149ba324f20a390140e9d7913b13ababa07f5b65e4d25e3555c1119e768
SHA1: 038e505ed342a39766d034ffee1e87fdfc62930b
MD5: 440c46ace55eb539376c05dc03e98cd4

Strike ID: M20-exgu1
Malware: Vatet
Platform: Windows
Info: This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR-encoded shellcode from the local disk or a network share. These loaders are often modified to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or, more recently, the PyXie RAT payload. Vatet Loader is often seen as the first stage in an enterprise-wide ransomware attack.
External References: https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/
SHA256: 56934547dcf0d7ecf61868ae2f620f60e94c094dbd5c3b5aaf3d3a904d20a693
SHA1: b655342769408e0bdd46449aa8968c4c362a222a
MD5: 0ea9b7a283e7d4601fb7dbd63493b342

Strike ID: M20-a54g1
Malware: Chthonic_35e71926
Platform: Windows
Info: This strike sends a polymorphic malware sample known as Chthonic. Chthonic is a banking trojan that is normally delivered by the attacker via phishing emails. Its purpose is to exfiltrate sensitive credentials from the victim machine, and it has also been seen delivering other malware, such as AZORult, to perform additional functionality. The binary has the timestamp field updated in the PE file header.
External References: https://attack.mitre.org/techniques/T1099/
SHA256: 01785bc411c5f7c386ac0c155e9334a624750722911cb420bdd6ba9666c4a075
SHA1: e2363a3d1230c852837d19c13cc421ecfdd9f2af
PARENTID: M20-569e1
SSDEEP: 768:Ph1SGw0Nd6EF+MIi3hISRdJlDED1Anx3LScmjElP/Vc6+DxIamqtswYh/YY86AAx:iV0Nd6EF+eljbx3LSqt+GF82jco
MD5: 35e7192617a5bfe4e3663f40610a7f11

Strike ID: M20-keqo1
Malware: Vatet
Platform: Windows
Info: This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR-encoded shellcode from the local disk or a network share. These loaders are often modified to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or, more recently, the PyXie RAT payload. Vatet Loader is often seen as the first stage in an enterprise-wide ransomware attack.
External References: https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/
SHA256: 5dc7f70a0d20f97c30c25bd927235deec713cde5d1c41916e23dd0c3431ffacd
SHA1: e289f6a347facc397402d63d36f70f58338d8ca8
MD5: 6932dfcd3789f88e828d939174183446

Strike ID: M20-jhm51
Malware: Vatet
Platform: Windows
Info: This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR-encoded shellcode from the local disk or a network share. These loaders are often modified to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or, more recently, the PyXie RAT payload. Vatet Loader is often seen as the first stage in an enterprise-wide ransomware attack.
External References: https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/
SHA256: a098b5455fd1e9d0dea067405cd891b94cc42a0067cbd21d385f9c1254c21fdd
SHA1: c1b9b376a54b08d5eae491f951b57d6bb04afa5a
MD5: 4ef817562dc042e616ae26a2c8773f23

Strike ID: M20-wlk11
Malware: Vatet
Platform: Windows
Info: This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR-encoded shellcode from the local disk or a network share. These loaders are often modified to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or, more recently, the PyXie RAT payload. Vatet Loader is often seen as the first stage in an enterprise-wide ransomware attack.
External References: https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/
SHA256: 8eef012c2eecb7f8a776464f52e12f62c466cfc85adf4eef0d2bc270e7a19212
SHA1: f3c97b56b85eb3a0009bf831e89a4cf57d4deb41
MD5: b18ee982de606adc6715e7a52648b63c

Strike ID: M20-vihm1
Malware: PyXie
Platform: Windows
Info: This strike sends a malware sample known as PyXie RAT. PyXie is a Python remote access Trojan. It has been seen in the wild since 2018 and is typically seen in conjunction with Cobalt Strike beacons. PyXie has been used to deliver ransomware attacks against the healthcare and education industries.
External References: https://blogs.blackberry.com/en/2019/12/meet-pyxie-a-nefarious-new-python-rat
SHA256: 92a8b74cafa5eda3851cc494f26db70e5ef0259bc7926133902013e5d73fd285
SHA1: 007f198146686cf0bad9d8c5bb262f8e5c007706
MD5: aa64323c466ac0ae62ec6532bac30936

Strike ID: M20-75p01
Malware: PyXie
Platform: Windows
Info: This strike sends a malware sample known as PyXie RAT. PyXie is a Python remote access Trojan. It has been seen in the wild since 2018 and is typically seen in conjunction with Cobalt Strike beacons. PyXie has been used to deliver ransomware attacks against the healthcare and education industries.
External References: https://blogs.blackberry.com/en/2019/12/meet-pyxie-a-nefarious-new-python-rat
SHA256: 563dd5a95f439bc2b4170a74c8be565a1af076e6cbebd1d018b2809a1e8bc908
SHA1: 00263c910dcf67f7eaa37c48914c30b78261652c
MD5: 5d2fd364769d12d26c83922e5e31e48e

Strike ID: M20-o3n51
Malware: Vatet
Platform: Windows
Info: This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR-encoded shellcode from the local disk or a network share. These loaders are often modified to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or, more recently, the PyXie RAT payload. Vatet Loader is often seen as the first stage in an enterprise-wide ransomware attack.
External References: https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/
SHA256: fcdd72fd2e03badfac13eed5e2d17054bbdcea7c1743179095ce109bf40a7f0f
SHA1: 1bacc1afd4bd2d34279b39e9e2fc6099c49fa29f
MD5: dcba8d6cf6b336ac96db500ad99b0013

Strike ID: M20-4n511
Malware: Vatet
Platform: Windows
Info: This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR-encoded shellcode from the local disk or a network share. These loaders are often modified to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or, more recently, the PyXie RAT payload. Vatet Loader is often seen as the first stage in an enterprise-wide ransomware attack.
External References: https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/
SHA256: 608f34a79e5566593b284ef0d24f48ea89bc007e5654ae0969e6d9f92ec87d32
SHA1: 15c3985c14c98de4a7eabba3495b474f753923b7
MD5: 31dc5267d3daf057baaa37f8d5d59229

Strike ID: M20-727z1
Malware: Vatet
Platform: Windows
Info: This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR-encoded shellcode from the local disk or a network share. These loaders are often modified to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or, more recently, the PyXie RAT payload. Vatet Loader is often seen as the first stage in an enterprise-wide ransomware attack.
External References: https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/
SHA256: e48e88542ec4cd6f1aa794abc846f336822b1104557c0dfe67cff63e5231c367
SHA1: 08a6b196e3a2d140314225ef8c88228aaea09ac5
MD5: 088d29b4a238a650e12f5ce97ec58289

Strike ID: M20-qxtk1
Malware: Barys_2f511a1d
Platform: Windows
Info: This strike sends a polymorphic malware sample known as Barys. Barys is a trojan and downloader that delivers malicious files to the victim machine. The binary has random strings (lorem ipsum) appended at the end of the file.
External References: https://attack.mitre.org/techniques/T1009/
SHA256: 41a98f4a8ef76470d573c6daa9db027ee7cd76a957c669d7a30ebcfe01c5e1bd
SHA1: f812646cd54274420324b42801e6bca7dc128a88
PARENTID: M20-mxx31
SSDEEP: 384:UDLPVyLRFT8Mtls0IKJdhpEoa24+odbe419lZK38nmPsywEXZxg15iMISchoyMnL:MgbT8MlIcdk+odC41HjmzZX630nMnIU
MD5: 2f511a1df6582dea8340fd62e27c9f3e

Strike ID: M20-0xi41
Malware: PyXie
Platform: Windows
Info: This strike sends a malware sample known as PyXie RAT. PyXie is a Python remote access Trojan. It has been seen in the wild since 2018 and is typically seen in conjunction with Cobalt Strike beacons. PyXie has been used to deliver ransomware attacks against the healthcare and education industries.
External References: https://blogs.blackberry.com/en/2019/12/meet-pyxie-a-nefarious-new-python-rat
SHA256: 814357417aa8a57e43d50cb3347c9d287b99955b0b8aee4e53e12b463f7441a0
SHA1: 0342939f6ff3699c7528f4adfdad5a35d1353b88
MD5: f198217bafc00828a2f5bc7f816c8e1d

Strike ID: M20-129q1
Malware: Vatet
Platform: Windows
Info: This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR-encoded shellcode from the local disk or a network share. These loaders are often modified to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or, more recently, the PyXie RAT payload. Vatet Loader is often seen as the first stage in an enterprise-wide ransomware attack.
External References: https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/
SHA256: 350926c6bb7419330e55e687c9f00520a560c41f6013528cbb9ea42faeeb3201
SHA1: 1ca072554f6aa3a320587bff3ec200e61310654c
MD5: 05d24dd80b9a39e2148e94c742f8f16b

Strike ID: M20-c38p1
Malware: Vatet
Platform: Windows
Info: This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR-encoded shellcode from the local disk or a network share. These loaders are often modified to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or, more recently, the PyXie RAT payload. Vatet Loader is often seen as the first stage in an enterprise-wide ransomware attack.
External References: https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/
SHA256: 8373be56ddab97188a8606eb5f529187bfb819f5cb5a50c56f6a7878c94c7f86
SHA1: f87c2ce9936da536fa7e229adb6d79800a9961fe
MD5: ddf9e95123d9b585fa9e164236bfd338

Strike ID: M20-g0121
Malware: PyXie
Platform: Windows
Info: This strike sends a malware sample known as PyXie RAT. PyXie is a Python remote access Trojan. It has been seen in the wild since 2018 and is typically seen in conjunction with Cobalt Strike beacons. PyXie has been used to deliver ransomware attacks against the healthcare and education industries.
External References: https://blogs.blackberry.com/en/2019/12/meet-pyxie-a-nefarious-new-python-rat
SHA256: c3b3f46a5c850971e1269d09870db755391dcbe575dc7976f90ccb1f3812d5ea
SHA1: e2ac158c425965b639b1ec5949e3c8300c278310
MD5: 1856d7d2a60bfc2da5c36781294e5033

Strike ID: M20-lalu1
Malware: Vatet
Platform: Windows
Info: This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR-encoded shellcode from the local disk or a network share. These loaders are often modified to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or, more recently, the PyXie RAT payload. Vatet Loader is often seen as the first stage in an enterprise-wide ransomware attack.
External References: https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/
SHA256: e5fede5eb43732c7f098acf7b68b1350c6524962215b476de571819b6e5a71fc
SHA1: 90851164d3452929fd2567de72153d1c018de994
MD5: eb885e485049ee4516bbdf6d9c5f202d

Strike ID: M20-vrn11
Malware: PyXie
Platform: Windows
Info: This strike sends a malware sample known as PyXie RAT. PyXie is a Python remote access Trojan. It has been seen in the wild since 2018 and is typically seen in conjunction with Cobalt Strike beacons. PyXie has been used to deliver ransomware attacks against the healthcare and education industries.
External References: https://blogs.blackberry.com/en/2019/12/meet-pyxie-a-nefarious-new-python-rat
SHA256: c9400b2fff71c401fe752aba967fa8e7009b64114c9c431e9e91ac39e8f79497
SHA1: 74ab88499a9b8d77cd9a8820e2884e617fa9245a
MD5: 54c11dcb706996a76976211c3685153d

Strike ID: M20-q8081
Malware: PyXie
Platform: Windows
Info: This strike sends a malware sample known as PyXie RAT. PyXie is a Python remote access Trojan. It has been seen in the wild since 2018 and is typically seen in conjunction with Cobalt Strike beacons. PyXie has been used to deliver ransomware attacks against the healthcare and education industries.
External References: https://blogs.blackberry.com/en/2019/12/meet-pyxie-a-nefarious-new-python-rat
SHA256: f9290cd938d134a480b41d99ac2c5513a964de001602ed34c6383dfeb577b8f7
SHA1: dc53f9f9f7dac4fa1ba748b2fa7e6819187f2f8e
MD5: 2aac141539e4bac0320ce3992e632d97

Strike ID: M20-75a91
Malware: Vatet
Platform: Windows
Info: This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR-encoded shellcode from the local disk or a network share. These loaders are often modified to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or, more recently, the PyXie RAT payload. Vatet Loader is often seen as the first stage in an enterprise-wide ransomware attack.
External References: https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/
SHA256: e1653fe62e8d90153557324ffe4470d9c9262fe3bddad2bf555680b6078cf66a
SHA1: 94c14074d879fd773a1c331210cc4c6e282b9185
MD5: 68cb520d2084020638790187e34638ea

Strike ID: M20-qwgb1
Malware: PyXie
Platform: Windows
Info: This strike sends a malware sample known as PyXie Lite. PyXie Lite is a variant of its predecessor PyXie, the Python RAT. It can be recognized by its much smaller code base and a few other noticeable changes in functionality, which include a hardened interpreter, a remapped opcode table, exfiltration of data through internal servers, and reconnaissance.
External References: https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/2/
SHA256: 4d0176e2d6e30e31352f420a4dec79d26cb00f1e6c789b31e84cd05eb4d50956
SHA1: b826c09b4e6dd84c5d74ce4af5545f13eba64811
MD5: 127aa359a279cb299b63bb720f35ed1d

Strike ID: M20-0l931
Malware: PyXie
Platform: Windows
Info: This strike sends a malware sample known as PyXie RAT. PyXie is a Python remote access Trojan. It has been seen in the wild since 2018 and is typically seen in conjunction with Cobalt Strike beacons. PyXie has been used to deliver ransomware attacks against the healthcare and education industries.
External References: https://blogs.blackberry.com/en/2019/12/meet-pyxie-a-nefarious-new-python-rat
SHA256: de44656b4a3dde6e0acdc6f59f73114ce6bb6342bec0dcd45da8676d78b0042e
SHA1: 1aad813f52a7627c94e236f15d2ac3b1d090c15a
MD5: d76837f88a8d62351e2d551be2fe9893

Strike ID: M20-m1mi1
Malware: Vatet
Platform: Windows
Info: This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR-encoded shellcode from the local disk or a network share. These loaders are often modified to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or, more recently, the PyXie RAT payload. Vatet Loader is often seen as the first stage in an enterprise-wide ransomware attack.
External References: https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/
SHA256: 625c22b21277c8a7e1b701da9c1c21b64bfa02baef5d7a530a38f6d70a7a16d0
SHA1: 27fd1c79ce0f8459ed201886512f38af5e466bba
MD5: e2b15234dee641b74ee7959df2ae2e43

Strike ID: M20-dozu1
Malware: PyXie
Platform: Windows
Info: This strike sends a malware sample known as PyXie Lite. PyXie Lite is a variant of its predecessor PyXie, the Python RAT. It can be recognized by its much smaller code base and a few other noticeable changes in functionality, which include a hardened interpreter, a remapped opcode table, exfiltration of data through internal servers, and reconnaissance.
External References: https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/2/
SHA256: 510cf6e1c55a190490e93d222ea606ed888d222ecedda18bfb2f32bb73f33cab
SHA1: eb17b9cdce04f77428499afbb950f48249492a2a
MD5: 8357b48174b91644012b7969d2ae9597

Strike ID: M20-0tvr1
Malware: Vatet
Platform: Windows
Info: This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR-encoded shellcode from the local disk or a network share. These loaders are often modified to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or, more recently, the PyXie RAT payload. Vatet Loader is often seen as the first stage in an enterprise-wide ransomware attack.
External References: https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/
SHA256: ccc162d3a3d6136a9c472d7d2d07acbae47f88a9a7d9b2c9b97b331e7ab7605d
SHA1: fdb3289f239a06023842d90c0e5cf6f8f0aa1c99
MD5: 164b162f8cd59acf9d3da0bec7ea1c52

Strike ID: M20-rp6s1
Malware: Sunburst_846e27a6
Platform: Windows
Info: This strike sends a malware sample known as Sunburst. Sunburst is a Trojan that has recently been used against many high-profile government, technology, telecom and consulting organizations across North America, Asia, Europe and the Middle East. It is a digitally signed SolarWinds component of the Orion software framework that contains a backdoor, allowing it to communicate with external servers for command-and-control. The malware lies dormant for an extended period of time and then executes commands that allow for the transfer and execution of files, profiling of the system, and disabling of services.
External References: https://blog.truesec.com/2020/12/17/the-solarwinds-orion-sunburst-supply-chain-attack/
https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html
SHA256: ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6
SHA1: d130bd75645c2433f88ac03e73395fba172ef676
MD5: 846e27a652a5e1bfbd0ddd38a16dc865

Strike ID: M20-a1c21
Malware: Vatet
Platform: Windows
Info: This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR-encoded shellcode from the local disk or a network share. These loaders are often modified to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or, more recently, the PyXie RAT payload. Vatet Loader is often seen as the first stage in an enterprise-wide ransomware attack.
External References: https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/
SHA256: 3a3b7b198769de3e5d81a92aa166f783b611a39a7fcea1b5ec762b54295dbc8d
SHA1: 49a8ab54ac1137b9fa2281a9fdbd1d7b50cf6cee
MD5: 225747a368357a5eafaac5337ee56c9a

Strike ID: M20-8etv1
Malware: Vatet
Platform: Windows
Info: This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR-encoded shellcode from the local disk or a network share. These loaders are often modified to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or, more recently, the PyXie RAT payload. Vatet Loader is often seen as the first stage in an enterprise-wide ransomware attack.
External References: https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/
SHA256: 95e5e83b10df32f06080bd6f8428592d81febbf55e72ec5f843dd6188bef25da
SHA1: ab96d796a4b394af911c5282446f61bcd94c1ae1
MD5: 6f6a04e60af90862b2ced5864b6b23f9

Strike ID: M20-rmoa1
Malware: Barys_006a7221
Platform: Windows
Info: This strike sends a malware sample known as Barys. Barys is a trojan and downloader that delivers malicious files to the victim machine.
External References: https://blog.talosintelligence.com/2020/12/threat-roundup-1127-1204.html
SHA256: a98b443dab1373415ceefacf3be09bb209377827785a02e5f7d4a20c3badc01c
SHA1: 5e8f2e325a452ebfeeafeceb7ef6b1a8cbb186ad
MD5: 006a72219afabff2f56695f413ca43db

Strike ID: M20-4pvo1
Malware: Vatet
Platform: Windows
Info: This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR-encoded shellcode from the local disk or a network share. These loaders are often modified to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or, more recently, the PyXie RAT payload. Vatet Loader is often seen as the first stage in an enterprise-wide ransomware attack.
External References: https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/
SHA256: cb2619b7aab52d612012386d88a0d983c270d9346169b75d2a55010564efc55c
SHA1: 39289138cd3d75cbffe41172772cb40acde3972a
MD5: b90fbb7ae572eca2f64d14c0e0dc4a21

Strike ID: M20-bhso1
Malware: Vatet
Platform: Windows
Info: This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR-encoded shellcode from the local disk or a network share. These loaders are often modified to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or, more recently, the PyXie RAT payload. Vatet Loader is often seen as the first stage in an enterprise-wide ransomware attack.
External References: https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/
SHA256: 80c9d6cf4e8119dc2d0e263f3f4d5c3bf4221715117505d9d6a02e3671337bf8
SHA1: 40e314bef8a7fb314b8dfb8b641fa2426d198488
MD5: 2f6340654f5d07c7a5d19b9d228dabb1

Strike ID: M20-r1rf1
Malware: Barys_3c11a2bd
Platform: Windows
Info: This strike sends a polymorphic malware sample known as Barys. Barys is a trojan and downloader that delivers malicious files to the victim machine. The binary has random contents appended to one of the existing sections of the PE file.
External References: https://arxiv.org/abs/1801.08917
SHA256: e6ad8931d16e75beccc55f4706194876b6b13aaac6c291d453a981ccb20ff198
SHA1: 50b5f6ed2ab9c18b04ec24a6651ffbb7e162bcc7
PARENTID: M20-mxx31
SSDEEP: 384:UDLPVyLRFT8Mtls0IKJdhpEoa24+odbe419lZK38nmPsywEXZxg15iMISchoyMn:MgbT8MlIcdk+odC41HjmzZX630nMn
MD5: 3c11a2bd2d5f1c68588dd60b742008f1

Strike ID: M20-wnyb2
Malware: Vatet
Platform: Windows
Info: This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR-encoded shellcode from the local disk or a network share. These loaders are often modified to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or, more recently, the PyXie RAT payload. Vatet Loader is often seen as the first stage in an enterprise-wide ransomware attack.
External References: https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/
SHA256: 01011bb45dec3b520ea09e5d9d3c9fb4acce74de72261f68ff1011f9ea6ccebb
SHA1: 3e6868e7359df4bddfdbd7575052431360c57dd9
MD5: 1d191d54cdd3adb4621b5c3a13d1ea91

Strike ID: M20-039f1
Malware: Barys_d1365296
Platform: Windows
Info: This strike sends a polymorphic malware sample known as Barys. Barys is a trojan and downloader that delivers malicious files to the victim machine. The binary has one section renamed to a random name that conforms to the PE format specification.
External References: https://arxiv.org/abs/1801.08917
SHA256: e30a372793ba1181082bb313a63f3c88e4075645d6fa30f84666e8feacb858eb
SHA1: 17525859a1efb97ad394092c0c561d43386ce9e1
PARENTID: M20-mxx31
SSDEEP: 384:ODLPVyLRFT8Mtls0IKJdhpEoa24+odbe419lZK38nmPsywEXZxg15iMISchoyMn:WgbT8MlIcdk+odC41HjmzZX630nMn
MD5: d1365296a329a50b6d389373aa50fa01

Strike ID: M20-19el1
Malware: PyXie
Platform: Windows
Info: This strike sends a malware sample known as PyXie RAT. PyXie is a Python remote access Trojan. It has been seen in the wild since 2018 and is typically observed in conjunction with Cobalt Strike beacons. PyXie has been used to deliver ransomware attacks against the healthcare and education industries.
External References: https://blogs.blackberry.com/en/2019/12/meet-pyxie-a-nefarious-new-python-rat
SHA256: a765df03fffa343aa7a420a0a57d4b5c64366392ab6162c3561ff9f7b0ad5623
SHA1: ed495940c14db3067e841b1e1cd29724b4f8989c
MD5: aa03fbbd932b6f57d26c53cf7a01ef1b

Strike ID: M20-7twy1
Malware: Vatet
Platform: Windows
Info: This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR-encoded shellcode from the local disk or a network share. These loaders are often modified to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or, more recently, the PyXie RAT payload. Vatet Loader is often seen as the first stage in an enterprise-wide ransomware attack.
External References: https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/
SHA256: c5ca45581da0bbb3e4d0c6e51d602512fa52833cd16eebed351397a9a0326518
SHA1: 74b9f153234306a4e0f5c0cfa7bebb68eb0d3890
MD5: 13cc74a4168aab6c63b5e44358f47604

Strike ID: M20-p6nd1
Malware: Vatet
Platform: Windows
Info: This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR-encoded shellcode from the local disk or a network share. These loaders are often modified to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or, more recently, the PyXie RAT payload. Vatet Loader is often seen as the first stage in an enterprise-wide ransomware attack.
External References: https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/
SHA256: edecfdd2a26b4579ecacf453b9dff073233fb66d53c498632464bca8b3084dc5
SHA1: fb49d70aa78dae091a7fdf31d28a83d270e377bd
MD5: 9d4c4af4b600bb90e92a5c0b86551507

Strike ID: M20-kkm31
Malware: Vatet
Platform: Windows
Info: This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR-encoded shellcode from the local disk or a network share. These loaders are often modified to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or, more recently, the PyXie RAT payload. Vatet Loader is often seen as the first stage in an enterprise-wide ransomware attack.
External References: https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/
SHA256: 840985b782648d57de302936257ba3d537d21616cb81f9dce000eaf1f76a56c8
SHA1: adcdeb818c9dfc9f1c17bf3af5ba9523927ca643
MD5: 77e9031a6ba4afeecda915e914a352df

Strike ID: M20-pmq11
Malware: Vatet
Platform: Windows
Info: This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR-encoded shellcode from the local disk or a network share. These loaders are often modified to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or, more recently, the PyXie RAT payload. Vatet Loader is often seen as the first stage in an enterprise-wide ransomware attack.
External References: https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/
SHA256: 3928bd8f2fd2db4891b320fa85b37c2598706d27283818ad33a0eeac16d59192
SHA1: 2e489ff43e12c708430f3ea07024970a4d1ba737
MD5: e0d2c9aac9a8489a2154aff6e0abcb6e

Strike ID: M20-jzoq1
Malware: Vatet
Platform: Windows
Info: This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR-encoded shellcode from the local disk or a network share. These loaders are often modified to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or, more recently, the PyXie RAT payload. Vatet Loader is often seen as the first stage in an enterprise-wide ransomware attack.
External References: https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/
SHA256: 75728bc96c934c1521ae08e03ec916e20628e000b056c55b6ee04ccc18c602f6
SHA1: e741885b90a4d6b4699948b9184cf38bf838b890
MD5: 988b54d62c2163cdb5398ff6571e3c80

Strike ID: M20-mynx1
Malware: Chthonic_39a1430c
Platform: Windows
Info: This strike sends a polymorphic malware sample known as Chthonic. Chthonic is a banking trojan that is normally delivered by the attacker via phishing emails. Its purpose is to exfiltrate sensitive credentials from the victim machine, and it has also been seen delivering other malware, such as AZORult, to provide additional functionality. The binary has one section renamed with a random name, consistent with the PE format specification.
External References: https://arxiv.org/abs/1801.08917
SHA256: 28dacb33875c738c866f6d41b16074f6ca48dee3aee14e8899f845912d02a50e
SHA1: eae617ce1247de24ce7caed9b13be5a2934f3c7c
PARENTID: M20-569e1
SSDEEP: 768:jh1SGw0Nd6EF+MIi3hISRdJlDED1Anx3LScmjElP/Vc6+DxIamqtswYh/YY86AAx:GV0Nd6EF+eljbx3LSqt+GF82jco
MD5: 39a1430c7d0bf12a9b42dad4e6b49ac6

Strike ID: M20-jyxn1
Malware: PyXie
Platform: Windows
Info: This strike sends a malware sample known as PyXie Lite. PyXie Lite is a variant of its predecessor PyXie, the Python RAT. It can be recognized by its much smaller code base and a few other noticeable changes in functionality, which include a hardened interpreter, a remapped opcode table, exfiltration of data through internal servers, and reconnaissance.
External References: https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/2/
SHA256: fe564fb38a99dbb94cc8a66d8955b0b7f8e67bf0a5eb820c4a5d0c3efb96c1e5
SHA1: 5b231d4361da177cfe4c3343a1ba75fb099db547
MD5: a76db545952dcb01bdb966e656c3baca

Strike ID: M20-qgfs1
Malware: PyXie
Platform: Windows
Info: This strike sends a malware sample known as PyXie Lite. PyXie Lite is a variant of its predecessor PyXie, the Python RAT. It can be recognized by its much smaller code base and a few other noticeable changes in functionality, which include a hardened interpreter, a remapped opcode table, exfiltration of data through internal servers, and reconnaissance.
External References: https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/2/
SHA256: 61b9b7e1329eb540dd751d1db6c00cc45d91b6f58db75ab0212976d4ec4c848e
SHA1: 9512a8aa4835c0aab0999a9ba17b60b1b976aeae
MD5: ed784123007890e3df70b2348779b007

Strike ID: M20-luhr1
Malware: PyXie
Platform: Windows
Info: This strike sends a malware sample known as PyXie RAT. PyXie is a Python remote access Trojan. It has been seen in the wild since 2018 and is typically observed in conjunction with Cobalt Strike beacons. PyXie has been used to deliver ransomware attacks against the healthcare and education industries.
External References: https://blogs.blackberry.com/en/2019/12/meet-pyxie-a-nefarious-new-python-rat
SHA256: 1d970f2e7af9962ae6786c35fcd6bc48bb860e2c8ca74d3b81899c0d3a978b2b
SHA1: c7e544de0ca082cb13e68265914dc3bd7d22ed55
MD5: fa8a1311b6488e40de471cc183ce50eb

Strike ID: M20-910a1
Malware: Vatet
Platform: Windows
Info: This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR-encoded shellcode from the local disk or a network share. These loaders are often modified to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or, more recently, the PyXie RAT payload. Vatet Loader is often seen as the first stage in an enterprise-wide ransomware attack.
External References: https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/
SHA256: b1f54b88c9b7680877981f6bebde6aea9effbc38a0a8b27a565fb35331094680
SHA1: e90b6b2edb9171d28cac4f437b1fa6a03b39e546
MD5: 643fbcda0041c2b57a2740bb02e16db0

Strike ID: M20-aei21
Malware: PyXie
Platform: Windows
Info: This strike sends a malware sample known as PyXie RAT. PyXie is a Python remote access Trojan. It has been seen in the wild since 2018 and is typically observed in conjunction with Cobalt Strike beacons. PyXie has been used to deliver ransomware attacks against the healthcare and education industries.
External References: https://blogs.blackberry.com/en/2019/12/meet-pyxie-a-nefarious-new-python-rat
SHA256: edd1480fe3d83dc4dc59992fc8436bc1f33bc065504dccf4b14670e9e2c57a89
SHA1: 08868d9b1a31b59ab8e3f4ac38f210ac8e080106
MD5: 9d3e12893fae7eb6c33682b5bbea6d93

Strike ID: M20-w0u91
Malware: Vatet
Platform: Windows
Info: This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR-encoded shellcode from the local disk or a network share. These loaders are often modified to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or, more recently, the PyXie RAT payload. Vatet Loader is often seen as the first stage in an enterprise-wide ransomware attack.
External References: https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/
SHA256: d7641089fd5d0474b835a633d6d852028b3481c18b3574023b021bfa1e3c1cc1
SHA1: 52c1795326e7704395450b07332c766fb0d1acc7
MD5: 1f937cbae354345087860c7d33e0e61d

Strike ID: M20-yp8y1
Malware: Vatet
Platform: Windows
Info: This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR-encoded shellcode from the local disk or a network share. These loaders are often modified to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or, more recently, the PyXie RAT payload. Vatet Loader is often seen as the first stage in an enterprise-wide ransomware attack.
External References: https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/
SHA256: bec5a3cfd7332241e3a7463d951b8f9a9e771d4f436d7776a426074a82d19a7d
SHA1: 1291b32719aef4f71732010263339e59726aaa90
MD5: fc2fefb951bfbfdb1e337c9019968c8d

Strike ID: M20-9ybb1
Malware: Vatet
Platform: Windows
Info: This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR-encoded shellcode from the local disk or a network share. These loaders are often modified to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or, more recently, the PyXie RAT payload. Vatet Loader is often seen as the first stage in an enterprise-wide ransomware attack.
External References: https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/
SHA256: 2b13dae3c35eb3958253dbf945f6609e59978c2aedbd163608f03920d7d3623b
SHA1: 974dc36f9342391724f1e911e6fd92fccce7ef1a
MD5: 81ba4107943bb4ad2ec351ba2417f987

Strike ID: M20-xxco1
Malware: PyXie
Platform: Windows
Info: This strike sends a malware sample known as PyXie RAT. PyXie is a Python remote access Trojan. It has been seen in the wild since 2018 and is typically observed in conjunction with Cobalt Strike beacons. PyXie has been used to deliver ransomware attacks against the healthcare and education industries.
External References: https://blogs.blackberry.com/en/2019/12/meet-pyxie-a-nefarious-new-python-rat
SHA256: e0f22863c84ee634b2650b322e6def6e5bb74460952f72556715272c6c18fe8e
SHA1: a0c913a04254c65154013904d99ea90d574ab3a2
MD5: a7da167512ae0077122e349e1cf54085

Strike ID: M20-5r9z1
Malware: Vatet
Platform: Windows
Info: This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR-encoded shellcode from the local disk or a network share. These loaders are often modified to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or, more recently, the PyXie RAT payload. Vatet Loader is often seen as the first stage in an enterprise-wide ransomware attack.
External References: https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/
SHA256: ecf3f4ba8dd16551908488cfbf2afd18a55584dbf81c28623026a29b9fa4a62d
SHA1: 100baeffdf9be3002d4ff15785a28ed75c6c0f7e
MD5: e843170e564321228fc88b9291a4265c

Strike ID: M20-xmrm1
Malware: Vatet
Platform: Windows
Info: This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR-encoded shellcode from the local disk or a network share. These loaders are often modified to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or, more recently, the PyXie RAT payload. Vatet Loader is often seen as the first stage in an enterprise-wide ransomware attack.
External References: https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/
SHA256: ddf83c02effea8ae9ec2c833bf40187bed23ec33c6b828af49632ef98004ea82
SHA1: 3a98e49010e7720abc5d5af43c6c1f665fe3dc0d
MD5: 615292e183cf11759b672148998bfa18

Strike ID: M20-oh7j1
Malware: Vatet
Platform: Windows
Info: This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR-encoded shellcode from the local disk or a network share. These loaders are often modified to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or, more recently, the PyXie RAT payload. Vatet Loader is often seen as the first stage in an enterprise-wide ransomware attack.
External References: https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/
SHA256: bd7da341a28a19618b53e649a27740dfeac13444ce0e0d505704b56335cc55bd
SHA1: 2418b3bb9690ff1f3b0ffbe3a7895800ba335903
MD5: ca4682a32cdaaf2c0357a2a79e32ee9b

Strike ID: M20-nbpl2
Malware: PyXie
Platform: Windows
Info: This strike sends a malware sample known as PyXie RAT. PyXie is a Python remote access Trojan. It has been seen in the wild since 2018 and is typically observed in conjunction with Cobalt Strike beacons. PyXie has been used to deliver ransomware attacks against the healthcare and education industries.
External References: https://blogs.blackberry.com/en/2019/12/meet-pyxie-a-nefarious-new-python-rat
SHA256: 7330fa1ca4e40cdfea9492134636ef06cd999efb71f510074d185840ac16675d
SHA1: 64f0b82b09081cb1782f9f5dc5011306764cd8a9
MD5: 4eab40382656af8fa25fb23b6e6473a0

Strike ID: M20-wfqq1
Malware: PyXie
Platform: Windows
Info: This strike sends a malware sample known as PyXie RAT. PyXie is a Python remote access Trojan. It has been seen in the wild since 2018 and is typically observed in conjunction with Cobalt Strike beacons. PyXie has been used to deliver ransomware attacks against the healthcare and education industries.
External References: https://blogs.blackberry.com/en/2019/12/meet-pyxie-a-nefarious-new-python-rat
SHA256: 3aa746bb94acee94c86a34cb0b355317de8404c91de3f00b40e8257b80c64741
SHA1: 54a06b7ec2dbf0db1976be14875ba8be0947fe70
MD5: 4201d7681dbbde038de0e5d3568363da

Strike ID: M20-qmya1
Malware: Gh0stRAT_a5d16fe0
Platform: Windows
Info: This strike sends a polymorphic malware sample known as Gh0stRAT. Gh0stRAT is a remote access Trojan that provides control over an infected system. Its known functions include recording keystrokes, capturing screenshots and downloading additional malicious payloads. The binary has the timestamp field updated in the PE file header.
External References: https://attack.mitre.org/techniques/T1099/
SHA256: 004882c756bd37bc9fc49085b9fb6b1496a7deeabbf5849ff2e8a24dc519d7c7
SHA1: ade07b3275a20e1b42186e5563d1b32818b9874c
PARENTID: M20-gt381
SSDEEP: 1536:zbuXXlyLMFM6NRjebOZewU/R4kY6WpsQEYzQI4wb9DprLElnY+fsrcNgF0f2bb3X:WFyLM/NR+O8wl6usKH9DRJUyMrAn
MD5: a5d16fe034462a43c0ddb0b62a52121e

Strike ID: M20-zw841
Malware: PyXie
Platform: Windows
Info: This strike sends a malware sample known as PyXie RAT. PyXie is a Python remote access Trojan. It has been seen in the wild since 2018 and is typically observed in conjunction with Cobalt Strike beacons. PyXie has been used to deliver ransomware attacks against the healthcare and education industries.
External References: https://blogs.blackberry.com/en/2019/12/meet-pyxie-a-nefarious-new-python-rat
SHA256: e03680e0af40a6fa1a12bed2f701c6137335d28b3d222579552658e951cbd13c
SHA1: dc3cf5372363cb5a0f5b8124386e548f38da24d4
MD5: a07761d3be0749c5ba7da3d8222f1d86

Strike ID: M20-w2oz1
Malware: Vatet
Platform: Windows
Info: This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR-encoded shellcode from the local disk or a network share. These loaders are often modified to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or, more recently, the PyXie RAT payload. Vatet Loader is often seen as the first stage in an enterprise-wide ransomware attack.
External References: https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/
SHA256: 5aec2fa9e954473d9c6b5233512f833e63541965e2d2e4af2419a457676c440d
SHA1: d1df2aa545c341d512668fe82dfd067240d7d459
MD5: 8041965231306e1c2dff3695d6327524

Strike ID: M20-pceb1
Malware: Vatet
Platform: Windows
Info: This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR-encoded shellcode from the local disk or a network share. These loaders are often modified to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or, more recently, the PyXie RAT payload. Vatet Loader is often seen as the first stage in an enterprise-wide ransomware attack.
External References: https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/
SHA256: b7fbbbdf7e8795022a41f4e6a94be1de432ae1911e49625f73555e01a5fdc719
SHA1: 631722e3bb67297c0d0af1e5390a0390a16cd99d
MD5: 808c956808d1a47b50f51df08d45f391

Strike ID: M20-gjhy1
Malware: Vatet
Platform: Windows
Info: This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR-encoded shellcode from the local disk or a network share. These loaders are often modified to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or, more recently, the PyXie RAT payload. Vatet Loader is often seen as the first stage in an enterprise-wide ransomware attack.
External References: https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/
SHA256: 3259dd0efed1d28a149d4e8c4f980a19199d9bead951ee1231e3a26521185f2f
SHA1: 5de46e1ae70c456d867c7807a7dab337d11a03f0
MD5: 4f2c11ee45ce87eeee7789b43cc91ac3

Strike ID: M20-y21h2
Malware: Vatet
Platform: Windows
Info: This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR-encoded shellcode from the local disk or a network share. These loaders are often modified to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or, more recently, the PyXie RAT payload. Vatet Loader is often seen as the first stage in an enterprise-wide ransomware attack.
External References: https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/
SHA256: 6f1e8f91773609087a417cb34887f292a0be5c246dab667195854f979a45349a
SHA1: 61f4e7dff34352fd8d065e57abaa60b149ebaae3
MD5: b5d6214c223b3f6bc4a77c47e0e2a864

Strike ID: M20-p3ko1
Malware: Gh0stRAT_58db1853
Platform: Windows
Info: This strike sends a malware sample known as Gh0stRAT. Gh0stRAT is a remote access Trojan that provides control over an infected system. Its known functions include recording keystrokes, capturing screenshots and downloading additional malicious payloads.
External References: https://blog.talosintelligence.com/2020/12/threat-roundup-1127-1204.html
SHA256: ad85f99b2d8de491c472aa7526dd02c4e788c2c7fbda519eb2e967c1419d3ec9
SHA1: ae744ee69906bc719a2db679f44ba288b9e9416d
MD5: 58db185381561f59c85b0f5eccb428af

Strike ID: M20-2wgr1
Malware: PyXie
Platform: Windows
Info: This strike sends a malware sample known as PyXie Lite. PyXie Lite is a variant of its predecessor PyXie, the Python RAT. It can be recognized by its much smaller code base and a few other noticeable changes in functionality, which include a hardened interpreter, a remapped opcode table, exfiltration of data through internal servers, and reconnaissance.
External References: https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/2/
SHA256: 9847cea40cec394c947de06010ad1f3033316903b5c822ba16f9574acb30f0cd
SHA1: 518feab46fd17e85d685fe1b26bb3ff3eb7f499f
MD5: 571425452e7fa287ce283a4a4b479ff1

Strike ID: M20-adie1
Malware: Sunburst_56ceb6d0
Platform: Windows
Info: This strike sends a malware sample known as Sunburst. Sunburst is a Trojan that has recently been used against many high-profile government, technology, telecom and consulting organizations in numerous locations across North America, Asia, Europe and the Middle East. It is a digitally signed SolarWinds component of the Orion software framework that contains a backdoor, allowing it to communicate with external servers for command and control. The malware lies dormant for an extended period of time and then executes commands that allow for the transfer and execution of files, profiling of the system, and disabling of services.
External References:
  https://blog.truesec.com/2020/12/17/the-solarwinds-orion-sunburst-supply-chain-attack/
  https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html
SHA256: c15abaf51e78ca56c0376522d699c978217bf041a3bd3c71d09193efa5717c71
SHA1: 75af292f34789a1c782ea36c7127bf6106f595e8
MD5: 56ceb6d0011d87b6e4d7023d7ef85676

Strike ID: M20-4h8j1
Malware: PyXie
Platform: Windows
Info: This strike sends a malware sample known as PyXie Lite. PyXie Lite is a variant of its predecessor PyXie, the Python RAT. It can be recognized by its much smaller code base and a few other noticeable changes in functionality, which include a hardened interpreter, a remapped opcode table, exfiltration of data through internal servers, and reconnaissance.
External References: https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/2/
SHA256: 6485bec374f255831b7ddbfed9925e988dcd7e893f610842809dd7cd1988cffc
SHA1: 6c0bc83620d82967d75bcfb64196cc89a5a8ac11
MD5: 49819f0eee4399ea309d83fea14acb69

Strike ID: M20-08jw1
Malware: PyXie
Platform: Windows
Info: This strike sends a malware sample known as PyXie Lite. PyXie Lite is a variant of its predecessor PyXie, the Python RAT. It can be recognized by its much smaller code base and a few other noticeable changes in functionality, which include a hardened interpreter, a remapped opcode table, exfiltration of data through internal servers, and reconnaissance.
External References: https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/2/
SHA256: c7ddbc24a57d1353d73533c47a65e5e3a74e3b666c1fed685fc90de1f089c72b
SHA1: 427c91fe58a5b05e0c1e164e0c1cddff651f96da
MD5: 78038fcb760ec0d4a446e243f496f026

Strike ID: M20-k9va1
Malware: Vatet
Platform: Windows
Info: This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR-encoded shellcode from the local disk or a network share. These loaders are often modified to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or, more recently, the PyXie RAT payload. Vatet Loader is often seen as the first stage in an enterprise-wide ransomware attack.
External References: https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/
SHA256: 2ceb5de547ad250140c7eb3c3d73e4331c94cf5a472e2806f93bf0d9df09d886
SHA1: fe14ed259e1125d6bec4d920af804cf0f6acf94b
MD5: 7031a1138e1892fb09bfbdf518dba07b

Strike ID: M20-46m51
Malware: Barys_c594feb4
Platform: Windows
Info: This strike sends a polymorphic malware sample known as Barys. Barys is a trojan and downloader that delivers malicious files to the victim machine. The binary has random bytes appended at the end of the file.
External References: https://attack.mitre.org/techniques/T1009/
SHA256: b09f5955b5e0e1bdbe2e21af580b6d48baecf8362bbc9ca02010605b28ce4078
SHA1: a74fd87caf08b2e5710340312e19d5ccbdbdb8a1
PARENTID: M20-mxx31
SSDEEP: 384:UDLPVyLRFT8Mtls0IKJdhpEoa24+odbe419lZK38nmPsywEXZxg15iMISchoyMnw:MgbT8MlIcdk+odC41HjmzZX630nMnw
MD5: c594feb41863cd0726eadf0e1c376ee6

Strike ID: M20-ybbq1
Malware: Vatet
Platform: Windows
Info: This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR-encoded shellcode from the local disk or a network share. These loaders are often modified to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or, more recently, the PyXie RAT payload. Vatet Loader is often seen as the first stage in an enterprise-wide ransomware attack.
External References: https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/
SHA256: e07dd37c92d24ac20b94a183e1f0a22a4eec0f950f441761c065faf0afd2abdd
SHA1: e01af7b18c432fa352fea4a166e56c60e6895d0a
MD5: e5b622b9864d3a2e31a4edac46c1cb0c

Strike ID: M20-xo5t1
Malware: PyXie
Platform: Windows
Info: This strike sends a malware sample known as PyXie Lite. PyXie Lite is a variant of its predecessor PyXie, the Python RAT. It can be recognized by its much smaller code base and a few other noticeable changes in functionality, which include a hardened interpreter, a remapped opcode table, exfiltration of data through internal servers, and reconnaissance.
External References: https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/2/
SHA256: c58f5b3f7300a13fd9a0a61757e20399fc5e86544befdafae15e8809a02c2db0
SHA1: aaed6ef09b54137cb62bb55ec20f73407739537f
MD5: 38bb2a242823592548a6c6539d69e72a

Strike ID: M20-gt381
Malware: Gh0stRAT_d2a67090
Platform: Windows
Info: This strike sends a malware sample known as Gh0stRAT. Gh0stRAT is a remote access Trojan that provides control over an infected system. Its known functions include recording keystrokes, capturing screenshots and downloading additional malicious payloads.
External References: https://blog.talosintelligence.com/2020/12/threat-roundup-1127-1204.html
SHA256: c10af0e4b2e6dd378d5c69d44cd61657dc96fa8facf5b61f45c9b49071208811
SHA1: e8cc4081e07c07c593424ccde149cd8782dd27e6
MD5: d2a67090e3a8b6d1ca55ff3f3f00c768

Strike ID: M20-f6xg1
Malware: Vatet
Platform: Windows
Info: This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR-encoded shellcode from the local disk or a network share. These loaders are often modified to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or, more recently, the PyXie RAT payload. Vatet Loader is often seen as the first stage in an enterprise-wide ransomware attack.
External References: https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/
SHA256: 66c2038c6d86333cbc51726bc54d3b8a00162493b2c92ca7f839b50435eaa314
SHA1: 500719895a31db2d1a3e81b3c798e39a89f3dee2
MD5: 94b27b9de692308cdb07aa6cc31391f1

Strike ID: M20-lise1
Malware: Vatet
Platform: Windows
Info: This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR-encoded shellcode from the local disk or a network share. These loaders are often modified to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or, more recently, the PyXie RAT payload. Vatet Loader is often seen as the first stage in an enterprise-wide ransomware attack.
External References: https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/
SHA256: 91c62841844bde653e0357193a881a42c0bc9fcc798a69f451511c6e4c46fd18
SHA1: 0491a3d718b76aae5f81bb8dfac49eb0c427f8a2
MD5: 41eff4cd049a8b5debf437b229e7c044

Strike ID: M20-p32m1
Malware: Vatet
Platform: Windows
Info: This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR-encoded shellcode from the local disk or a network share. These loaders are often modified to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or, more recently, the PyXie RAT payload. Vatet Loader is often seen as the first stage in an enterprise-wide ransomware attack.
External References: https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/
SHA256: 87210d6f1773473d28b51de21ed55ecfb6a9bd34f56d2d37f483ed05a1d7efd8
SHA1: 8b1da0482b98f77f86f35e830a4a94b3d884e3a0
MD5: 4b3064c24cb16361027233138fd539dc

Strike ID: M20-569e1
Malware: Chthonic_eda8ab97
Platform: Windows
Info: This strike sends a malware sample known as Chthonic. Chthonic is a banking trojan that is normally delivered by the attacker via phishing emails. Its purpose is to exfiltrate sensitive credentials from the victim machine, and it has also been seen delivering other malware, such as AZORult, to provide additional functionality.
External References: https://blog.talosintelligence.com/2020/12/threat-roundup-1127-1204.html
SHA256: d999dc87b0d9c537f3182f9ec8b1b2e781f1690f08ab69be141404f9ee9b1ce3
SHA1: 6b07119eb7943251d43fbeb07195065189bc0dcd
MD5: eda8ab9741ff7b166c04d59e4c778a45

Strike ID: M20-m3881
Malware: Defray777_aa1ddf0c
Platform: Linux
Info: This strike sends a malware sample known as Defray777. Defray777 is an elusive ransomware family, also known as RansomX and RansomExx, that has been active since 2018. It runs entirely in memory and is typically delivered and executed by a loader such as Cobalt Strike. The malware has been ported to Linux; unlike the Windows variant, however, the Linux variant does not employ anti-analysis measures to hinder reverse engineering.
External References: https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/3/
SHA256: cb408d45762a628872fa782109e8fcfc3a5bf456074b007de21e9331bb3c5849
SHA1: 91ad089f5259845141dfb10145271553aa711a2b
MD5: aa1ddf0c8312349be614ff43e80a262f

Strike ID: M20-c9oj1
Malware: Vatet
Platform: Windows
Info: This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR-encoded shellcode from the local disk or a network share. These loaders are often modified to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or, more recently, the PyXie RAT payload. Vatet Loader is often seen as the first stage in an enterprise-wide ransomware attack.
External References: https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/
SHA256: 47d6cc0a05218d0c1078dabf8d0ca7b7b424cdd73eaf3bf6261fa1b42f92fe0b
SHA1: 89372b60bcee0329e442e601a81766f88baf89e9
MD5: 23dae47577cda08dfc82e65e1217cbee

Strike ID: M20-p1491
Malware: Vatet
Platform: Windows
Info: This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR-encoded shellcode from the local disk or a network share. These loaders are often modified to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or, more recently, the PyXie RAT payload. Vatet Loader is often seen as the first stage in an enterprise-wide ransomware attack.
External References: https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/
SHA256: 73609f8ebd14c6970d9162ec8d7786f5264e910573dff73881f85b03163bd40e
SHA1: 41ec57139e036ccbc7feb2d6485bc4456317cd7e
MD5: 23594ad0ba8ec37ad5eaec84aee9cecd

Strike ID: M20-r3of1
Malware: Sunburst_2c4a910a
Platform: Windows
Info: This strike sends a malware sample known as Sunburst. Sunburst is a Trojan that has recently been used against many high-profile government, technology, telecom and consulting organizations in numerous locations across North America, Asia, Europe and the Middle East. It is a digitally signed SolarWinds component of the Orion software framework that contains a backdoor, allowing it to communicate with external servers for command and control. The malware lies dormant for an extended period of time and then executes commands that allow for the transfer and execution of files, profiling of the system, and disabling of services.
External References:
  https://blog.truesec.com/2020/12/17/the-solarwinds-orion-sunburst-supply-chain-attack/
  https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html
SHA256: 019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134
SHA1: 2f1a5a7411d015d01aaee4535835400191645023
MD5: 2c4a910a1299cdae2a4e55988a2f102e

Strike ID: M20-bu5m1
Malware: Vatet
Platform: Windows
Info: This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR-encoded shellcode from the local disk or a network share. These loaders are often modified to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or, more recently, the PyXie RAT payload. Vatet Loader is often seen as the first stage in an enterprise-wide ransomware attack.
External References: https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/
SHA256: 1309b052618c6301901ec75cf552e7b49f93d66fb47d4de59b82d37d6ac39039
SHA1: 15fdcf02b66f83c11f6d256e37ff9a901685e354
MD5: 2133b1c7bb6145cdd121eb8c423d35a7

Strike ID: M20-p99v1
Malware: Vatet
Platform: Windows
Info: This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR-encoded shellcode from the local disk or a network share. These loaders are often modified to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or, more recently, the PyXie RAT payload. Vatet Loader is often seen as the first stage in an enterprise-wide ransomware attack.
External References: https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/
SHA256: 88565b4c707230eac34d4528205056264cd70d797b6b4eb7d891821b00187a69
SHA1: 682e5f116a0aea2b097f05c9a6009d6d499b71bc
MD5: ae07f0b180bc52b39000f50353e4e97d

Strike ID: M20-fvau1
Malware: PyXie
Platform: Windows
Info: This strike sends a malware sample known as PyXie Lite. PyXie Lite is a variant of its predecessor PyXie, the Python RAT. It can be recognized by its much smaller code base and a few other noticeable changes in functionality, which include a hardened interpreter, a remapped opcode table, exfiltration of data through internal servers, and reconnaissance.
External References: https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/2/
SHA256: 5e90a331bafd98e41bcf36419c44bd7ff8296ac18cce652e944ae22db15a5366
SHA1: d2aca69c9060161cfa20c4e3aa92d3633f1cf8ba
MD5: 36ae75fd0c0afc7d6503f66880d6acf8
Strike ID: M20-vrpk1
Malware: Chthonic_7e665259
Platform: Windows
Info: This strike sends a malware sample known as Chthonic. Chthonic is a banking trojan that is normally delivered by the attacker via phishing emails. Its purpose is to exfiltrate sensitive credentials from the victim machine, and it has also been seen delivering other malware like AZORult to perform additional functionality.
External References: https://blog.talosintelligence.com/2020/12/threat-roundup-1127-1204.html
SHA256: d5ed9e42ec45ed31455433272ab28baa6392ffbca83d787b272aae011ef5db13
SHA1: b55ca4aec4a079dc23f8b1842a743d201536bf8c
MD5: 7e665259f4178cfc254d809d3acfc2b2
Strike ID: M20-ziag1
Malware: Barys_2775ccd0
Platform: Windows
Info: This strike sends a polymorphic malware sample known as Barys. Barys is a trojan and downloader that will upload malicious files to the victim machine. The binary has a new section added in the PE file format with random contents.
External References: https://arxiv.org/abs/1801.08917
SHA256: c76b574047bf0fd21da5256ba787faea64ad816d2d1af16a23548a101d449be0
SHA1: d551a54045ed0eeb686284f2cd3b9adb28431e2b
PARENTID: M20-rmoa1
SSDEEP: 384:DDLPVyLRFT8Mtls0IKJdhpEoa24+odbe419lZK38nmPsywEJdxg15GMIScho9me:jgbT8MlIcdk+odC41HjmzZJmr0je
MD5: 2775ccd010831c057c8d3c822adf7fc3
Strike ID: M20-runn1
Malware: Vatet
Platform: Windows
Info: This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR-encoded shellcode from the local disk or a network share. These loaders are often modified in order to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or, as of late, the PyXie RAT payload. Vatet Loader is often seen as the first stage in an enterprise-wide ransomware attack.
External References: https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/
SHA256: c7f96f8b15c324bd6bf1aa16f6697d6d407f91ad2d7628a14d70f146334d34be
SHA1: e744a577e52d594342bb727ef268796553f2c0d3
MD5: aa0bf0045c4faa988815117cebcacdeb
Strike ID: M20-g4s61
Malware: Vatet
Platform: Windows
Info: This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR-encoded shellcode from the local disk or a network share. These loaders are often modified in order to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or, as of late, the PyXie RAT payload. Vatet Loader is often seen as the first stage in an enterprise-wide ransomware attack.
External References: https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/
SHA256: ce0936366976f07ea24e86733888e97e421393829ecfd0fde66bd943d4b992ab
SHA1: 69111b86feb35bc38f22f9cd3797144c3a154d2a
MD5: 4bee85530d15be0a9e6c8672e355ddc6
Strike ID: M20-mxx31
Malware: Barys_f815281e
Platform: Windows
Info: This strike sends a malware sample known as Barys. Barys is a trojan and downloader that will upload malicious files to the victim machine.
External References: https://blog.talosintelligence.com/2020/12/threat-roundup-1127-1204.html
SHA256: c88f7682caa26ce756341a27d45f3c6507641249b3b26e2381decf768930e43f
SHA1: 69174275cdef661c88060872d16f559726e391aa
MD5: f815281ed4b16169e0b474dbac612bbc
Strike ID: M20-bgsm1
Malware: Chthonic_4ad3b625
Platform: Windows
Info: This strike sends a malware sample known as Chthonic. Chthonic is a banking trojan that is normally delivered by the attacker via phishing emails. Its purpose is to exfiltrate sensitive credentials from the victim machine, and it has also been seen delivering other malware like AZORult to perform additional functionality.
External References: https://blog.talosintelligence.com/2020/12/threat-roundup-1127-1204.html
SHA256: ae2261cf8620e125ea3f5ca178ed304858db9aba288d8db81c066ba3e9b6b470
SHA1: 490e553b0a1697935d32489d30bf4b4c97939cc8
MD5: 4ad3b625ebadf92523edc1b0730dba9a
Strike ID: M20-ug9n1
Malware: Vatet
Platform: Windows
Info: This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR-encoded shellcode from the local disk or a network share. These loaders are often modified in order to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or, as of late, the PyXie RAT payload. Vatet Loader is often seen as the first stage in an enterprise-wide ransomware attack.
External References: https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/
SHA256: d7d28af8af5be22ecca267bdc7e142667f584550cf8a3bbebdb1368725bb6469
SHA1: 2ff4fb871acd8e48b549a3c00df91c014ef1c0f7
MD5: 4d1b52e30629477a12dcf2bbbc196e88
Strike ID: M20-neon1
Malware: PyXie
Platform: Windows
Info: This strike sends a malware sample known as PyXie RAT. PyXie is a Python Remote Access Trojan. It has been seen in the wild since 2018, and is typically seen in conjunction with Cobalt Strike beacons. PyXie has been used to deliver ransomware attacks to the healthcare and education industries.
External References: https://blogs.blackberry.com/en/2019/12/meet-pyxie-a-nefarious-new-python-rat
SHA256: e2faf6586f8ac70cd98e4ec648f79435bfabaf84d440044aedce0c5c59b662e8
SHA1: 2b2aeeda9282e1b924e228bae316d265d1eeacc9
MD5: 4d9e184b5e67c83a4a9901ee43232934
Strike ID: M20-qz1e1
Malware: Defray777_fcd21c6f
Platform: Windows
Info: This strike sends a malware sample known as Defray777. Defray777 is an elusive family of ransomware, also known as RansomX and RansomExx, that has been active since 2018. It runs entirely in memory and is typically delivered and executed by a loader such as Cobalt Strike. The malware has been ported to Linux; however, unlike the Windows variant, the Linux variant doesn't employ anti-analysis measures to hinder reverse engineering.
External References: https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/3/
SHA256: 4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458
SHA1: 0abaa05da2a05977e0baf68838cff1712f1789e0
MD5: fcd21c6fca3b9378961aa1865bee7ecb
Strike ID: M20-5upn1
Malware: Sunburst_b91ce2fa
Platform: Windows
Info: This strike sends a malware sample known as Sunburst. Sunburst is a malware Trojan that has recently attacked many high-profile government, technology, telecom, and consulting companies in numerous locations in North America, Asia, Europe, and the Middle East. It is a SolarWinds digitally signed component of the Orion software framework that contains a backdoor that allows it to communicate with external servers to perform Command and Control functionality. The malware lies dormant for an extended period of time and then executes commands that allow for the transfer and execution of files, profiling the system, and disabling services.
External References: https://blog.truesec.com/2020/12/17/the-solarwinds-orion-sunburst-supply-chain-attack/
https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html
SHA256: 32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77
SHA1: 76640508b1e7759e548771a5359eaed353bf1eec
MD5: b91ce2fa41029f6955bff20079468448
Strike ID: M20-c3ej1
Malware: PyXie
Platform: Windows
Info: This strike sends a malware sample known as PyXie Lite. PyXie Lite is a variant of its predecessor PyXie, the Python RAT. It can be recognized by its much smaller code base and a few other noticeable changes in its functionality, which include a hardened interpreter, remapped opcode table, exfiltration of data through internal servers, and performing reconnaissance.
External References: https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/2/
SHA256: 84428ece8efcb6298435b15d3c4ea281592accf0990cc840ef3a7a0644191061
SHA1: 690e6e0067ca394b0f5177b398fe0e5563963adc
MD5: 111019f2333c79cd320b3acc474df34c
Strike ID: M20-aoa01
Malware: Gh0stRAT_52729f8b
Platform: Windows
Info: This strike sends a malware sample known as Gh0stRAT. Gh0stRAT is a remote access Trojan that provides control over an infected system. Some of its known functions include the ability to record keystrokes, record screenshots and download additional malicious payloads.
External References: https://blog.talosintelligence.com/2020/12/threat-roundup-1127-1204.html
SHA256: b2bf5993d399a91c2ef2d3629a201c8f97702b9359c0bef119e3391eaf47acab
SHA1: 3f9087791230f65247e353f499d6a156dfc77ae6
MD5: 52729f8b7185d792be872d0821a251a0
Strike ID: M20-gl0j1
Malware: PyXie
Platform: Windows
Info: This strike sends a malware sample known as PyXie RAT. PyXie is a Python Remote Access Trojan. It has been seen in the wild since 2018, and is typically seen in conjunction with Cobalt Strike beacons. PyXie has been used to deliver ransomware attacks to the healthcare and education industries.
External References: https://blogs.blackberry.com/en/2019/12/meet-pyxie-a-nefarious-new-python-rat
SHA256: ed675db1e7c93526141d40ba969bdc5bbdfd013932aaf1e644c66db66ff008e0
SHA1: 6a0a7e3a21888b87fde3323e0dc4fc085e71a8b7
MD5: 1cae93d1e1ab2e6bb1db8b65d374b785
Strike ID: M20-2de21
Malware: Vatet
Platform: Windows
Info: This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR-encoded shellcode from the local disk or a network share. These loaders are often modified in order to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or, as of late, the PyXie RAT payload. Vatet Loader is often seen as the first stage in an enterprise-wide ransomware attack.
External References: https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/
SHA256: a50a25a312adb9103e52e94018013ebdb6dbfe792a34122cacd53cfa3bbb26ac
SHA1: 9f98147977ce4afd45be30b05e6169ed3522a66e
MD5: 26e4a7443332461d330e6dc4e9a22f5b
Strike ID: M20-iilb1
Malware: Vatet
Platform: Windows
Info: This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR-encoded shellcode from the local disk or a network share. These loaders are often modified in order to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or, as of late, the PyXie RAT payload. Vatet Loader is often seen as the first stage in an enterprise-wide ransomware attack.
External References: https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/
SHA256: 0d14a1b5574dc12f6286d37d0a624232fb63079416b98c2e1cb5c61f8c2b66ff
SHA1: 4c8e2a76a08060d0bc727cb92962263d356d0e63
MD5: fe180737bfb5436a592581de52ed9368
Strike ID: M20-4zuy1
Malware: PyXie
Platform: Windows
Info: This strike sends a malware sample known as PyXie Lite. PyXie Lite is a variant of its predecessor PyXie, the Python RAT. It can be recognized by its much smaller code base and a few other noticeable changes in its functionality, which include a hardened interpreter, remapped opcode table, exfiltration of data through internal servers, and performing reconnaissance.
External References: https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/2/
SHA256: a7affc0d93e27165ce44c55ae28189e8b55967443f9e464232f230ab4ba175ca
SHA1: f0f9bd7a786f3ea78ceada0749d36d802b20298f
MD5: e4940335c81b5bcd4713ad929027077e
Strike ID: M20-bkym1
Malware: Vatet
Platform: Windows
Info: This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR-encoded shellcode from the local disk or a network share. These loaders are often modified in order to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or, as of late, the PyXie RAT payload. Vatet Loader is often seen as the first stage in an enterprise-wide ransomware attack.
External References: https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/
SHA256: d612144c1f6d4a063530ba5bfae7ef4e4ae134bc55dcf067439471934b841b00
SHA1: c42bb245cddbaaeb80fe1b178600ca353161b9f0
MD5: 25e8d46d27e0a1034804aba00ba75d38
Strike ID: M20-mqub1
Malware: Barys_1aeb9636
Platform: Windows
Info: This strike sends a malware sample known as Barys. Barys is a trojan and downloader that will upload malicious files to the victim machine.
External References: https://blog.talosintelligence.com/2020/12/threat-roundup-1127-1204.html
SHA256: a404215539b7bc308e112222493ba4d59a41adeb5204e59ad14cd7836dd6a545
SHA1: 062caa4e2bda8b359cb6ff2ec160918b37ef1dcb
MD5: 1aeb9636011a15736fa535f7d3ba7f9d
Strike ID: M20-q0yy1
Malware: Sunburst_d5aad0d2
Platform: Windows
Info: This strike sends a malware sample known as Sunburst. Sunburst is a malware Trojan that has recently attacked many high-profile government, technology, telecom, and consulting companies in numerous locations in North America, Asia, Europe, and the Middle East. It is a SolarWinds digitally signed component of the Orion software framework that contains a backdoor that allows it to communicate with external servers to perform Command and Control functionality. The malware lies dormant for an extended period of time and then executes commands that allow for the transfer and execution of files, profiling the system, and disabling services.
External References: https://blog.truesec.com/2020/12/17/the-solarwinds-orion-sunburst-supply-chain-attack/
https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html
SHA256: abe22cf0d78836c3ea072daeaf4c5eeaf9c29b6feb597741651979fc8fbd2417
SHA1: b485953ed77caefe81bff0d9b349a33c5cea4cde
MD5: d5aad0d248c237360cf39c054b654d69
Strike ID: M20-fibd1
Malware: PyXie
Platform: Windows
Info: This strike sends a malware sample known as PyXie RAT. PyXie is a Python Remote Access Trojan. It has been seen in the wild since 2018, and is typically seen in conjunction with Cobalt Strike beacons. PyXie has been used to deliver ransomware attacks to the healthcare and education industries.
External References: https://blogs.blackberry.com/en/2019/12/meet-pyxie-a-nefarious-new-python-rat
SHA256: 3a47e59c37dce42304b345a16ba6a3d78fc44b21c4d0e3a0332eee21f1d13845
SHA1: 3a196669ea458c4e9e3bc4272c7046c688fd63b3
MD5: 837dda0135b0aa7628874b451c66b50f
Strike ID: M20-npvg1
Malware: Vatet
Platform: Windows
Info: This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR-encoded shellcode from the local disk or a network share. These loaders are often modified in order to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or, as of late, the PyXie RAT payload. Vatet Loader is often seen as the first stage in an enterprise-wide ransomware attack.
External References: https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/
SHA256: 7ad92c9d63bd9ed305acbe217c40f9945deb98ed5ecced8b92b93332dc27d3c6
SHA1: 0f0966c832dcb143be60ce1f296f8b177e4f0220
MD5: 6363cba1430bf8a617d789b49e275975