M20-72zh1 | Gh0stRAT_34a648b5 | Windows | This strike sends a polymorphic malware sample known as Gh0stRAT. Gh0stRAT is a remote access Trojan that provides control over an infected system. Some of its known functions include logging keystrokes, capturing screenshots and downloading additional malicious payloads. The binary has random bytes appended at the end of the file. | 34a648b57683dd4d48a4123aee6542be | https://attack.mitre.org/techniques/T1009/ | SHA256: f423b11021ce9175c79881f2988516428e9e80659f41105ae037cdedd5e0da8c; SHA1: 9d7b304bd8a65f1f788ab5e8a788e0f5e1748061; PARENTID: M20-gt381; SSDEEP: 1536:MbuXXlyLMFM6NRjebOZewU/R4kY6WpsQEYzQI4wb9DprLElnY+fsrcNgF0f2bb3C:lFyLM/NR+O8wl6usKH9DRJUyMrAny; MD5: 34a648b57683dd4d48a4123aee6542be |
M20-lblq1 | PyXie | Windows | This strike sends a malware sample known as PyXie RAT. PyXie is a Python Remote Access Trojan. It has been seen in the wild since 2018 and is typically observed in conjunction with Cobalt Strike beacons. PyXie has been used to deliver ransomware attacks against the healthcare and education industries. | cf1ad0f6c0f7dfe7b5940008ed27bc28 | https://blogs.blackberry.com/en/2019/12/meet-pyxie-a-nefarious-new-python-rat | SHA256: ea27862bd01ee8882817067f19df1e61edca7364ce649ae4d09e1a1cae14f7cc; SHA1: 6599794ea40f54656c8ac0d7c2efe1362ec8414d; MD5: cf1ad0f6c0f7dfe7b5940008ed27bc28 |
M20-hywt1 | PyXie | Windows | This strike sends a malware sample known as PyXie Lite. PyXie Lite is a variant of its predecessor PyXie, the Python RAT. It can be recognized by its much smaller code base and a few other noticeable changes in functionality, which include a hardened interpreter, a remapped opcode table, data exfiltration through internal servers, and reconnaissance. | ab109ced41f9be476da69b671d4e28ce | https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/2/ | SHA256: b2b3a199291c3651b1d7413c7dba92566a893010a50e770e1802f173f1c2c7a4; SHA1: f6085a9c93fd2ea75c1843a2bfc7b1e85f919d7a; MD5: ab109ced41f9be476da69b671d4e28ce |
M20-wde71 | Vatet | Windows | This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR-encoded shellcode from the local disk or a network share. These loaders are often modified to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or, more recently, the PyXie RAT payload. Vatet Loader is often seen as the first stage in an enterprise-wide ransomware attack. | 9935435529057201dac86957275a43e9 | https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/ | SHA256: 3cd581621d9a16ebe724e9ba7445aa82162307ff6b2a31be572e87dbce2aa8ad; SHA1: 2201ebb6e819f38c080b252f7ae48accd78159be; MD5: 9935435529057201dac86957275a43e9 |
M20-vs2i1 | PyXie | Windows | This strike sends a malware sample known as PyXie RAT. PyXie is a Python Remote Access Trojan. It has been seen in the wild since 2018 and is typically observed in conjunction with Cobalt Strike beacons. PyXie has been used to deliver ransomware attacks against the healthcare and education industries. | 3b8c4e9f27a265c2ba4c39ee94e135a2 | https://blogs.blackberry.com/en/2019/12/meet-pyxie-a-nefarious-new-python-rat | SHA256: 56e96ce15ebd90c197a1638a91e8634dbc5b0b4d8ef28891dcf470ca28d08078; SHA1: fa7f4b931dda6ece05a23d552a96c757127c3e0e; MD5: 3b8c4e9f27a265c2ba4c39ee94e135a2 |
M20-w8jx1 | PyXie | Windows | This strike sends a malware sample known as PyXie RAT. PyXie is a Python Remote Access Trojan. It has been seen in the wild since 2018 and is typically observed in conjunction with Cobalt Strike beacons. PyXie has been used to deliver ransomware attacks against the healthcare and education industries. | 1955375a3ba47f2d293aad78e2478edf | https://blogs.blackberry.com/en/2019/12/meet-pyxie-a-nefarious-new-python-rat | SHA256: 78471db16d7bd484932c8eb72f7001db510f4643b3449d71d637567911ca363b; SHA1: 006513670374228a112e15ed03e24089515d085b; MD5: 1955375a3ba47f2d293aad78e2478edf |
M20-qzdx1 | PyXie | Windows | This strike sends a malware sample known as PyXie Lite. PyXie Lite is a variant of its predecessor PyXie, the Python RAT. It can be recognized by its much smaller code base and a few other noticeable changes in functionality, which include a hardened interpreter, a remapped opcode table, data exfiltration through internal servers, and reconnaissance. | af27bf67e462bf5ef61b15a0e160ea84 | https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/2/ | SHA256: 5736e167e234e06b33e8d8d6bb80e13b1bacca8d7cd3271695220cdec2e4a79e; SHA1: f5849ee6ab9de4be3024775cd2bf809b742f4bf5; MD5: af27bf67e462bf5ef61b15a0e160ea84 |
M20-4dqj1 | Vatet | Windows | This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR-encoded shellcode from the local disk or a network share. These loaders are often modified to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or, more recently, the PyXie RAT payload. Vatet Loader is often seen as the first stage in an enterprise-wide ransomware attack. | dba03b64b963b77fe966238c261aace4 | https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/ | SHA256: d50f28cf5012e1ffde1cd28655e07519dadcf94218b15c701c526ab0f6acb915; SHA1: 009d4a6ab775f4d8ac0a3343adf5e5910a8747ec; MD5: dba03b64b963b77fe966238c261aace4 |
M20-98eh1 | Vatet | Windows | This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR-encoded shellcode from the local disk or a network share. These loaders are often modified to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or, more recently, the PyXie RAT payload. Vatet Loader is often seen as the first stage in an enterprise-wide ransomware attack. | c7e84d5c86f51a349445ad126c42fd89 | https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/ | SHA256: 4d39782ccdb902e8e5348b8b3ce92f0834c713c565cca82be67a0a8eb6468df6; SHA1: 5b13441e82f6964164e05ea3c92145b70d400201; MD5: c7e84d5c86f51a349445ad126c42fd89 |
M20-bkbm1 | PyXie | Windows | This strike sends a malware sample known as PyXie Lite. PyXie Lite is a variant of its predecessor PyXie, the Python RAT. It can be recognized by its much smaller code base and a few other noticeable changes in functionality, which include a hardened interpreter, a remapped opcode table, data exfiltration through internal servers, and reconnaissance. | 86d297b262fb1e9f8c1cee271ceea40e | https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/2/ | SHA256: f80bcc60e79b387f63edfe0f1fc66492af4ff201ad5eb8080b1249ca43f6f30f; SHA1: 62493be40396091164113e76c289df62ffeec90b; MD5: 86d297b262fb1e9f8c1cee271ceea40e |
M20-2fqg1 | Barys_6a191144 | Windows | This strike sends a polymorphic malware sample known as Barys. Barys is a trojan and downloader that delivers malicious files to the victim machine. The binary has random bytes appended at the end of the file. | 6a191144dc2744c0d803461b8b35336b | https://attack.mitre.org/techniques/T1009/ | SHA256: 0fadbc1a6cbbdcf8c6dfef369ca47881d562813e5e4de984d16001eaed83692b; SHA1: 1a13b6c282d8ac31996a79e3cca2e18194d2568c; PARENTID: M20-rmoa1; SSDEEP: 384:/DLPVyLRFT8Mtls0IKJdhpEoa24+odbe419lZK38nmPsywEJdxg15GMIScho9meh:/gbT8MlIcdk+odC41HjmzZJmr0jeyE; MD5: 6a191144dc2744c0d803461b8b35336b |
M20-hsdz1 | Vatet | Windows | This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR-encoded shellcode from the local disk or a network share. These loaders are often modified to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or, more recently, the PyXie RAT payload. Vatet Loader is often seen as the first stage in an enterprise-wide ransomware attack. | 039e75cdd8787394789d11ca6d2c7711 | https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/ | SHA256: a50b58e24eb261157c4f85d02412d80911abe8501b011493c7b393c1905fc234; SHA1: d940407a48bc4e0481b2790e89e58aa020b8887f; MD5: 039e75cdd8787394789d11ca6d2c7711 |
M20-qla01 | PyXie | Windows | This strike sends a malware sample known as PyXie RAT. PyXie is a Python Remote Access Trojan. It has been seen in the wild since 2018 and is typically observed in conjunction with Cobalt Strike beacons. PyXie has been used to deliver ransomware attacks against the healthcare and education industries. | 3d89a7dfd0984f23c4ebd1931d029108 | https://blogs.blackberry.com/en/2019/12/meet-pyxie-a-nefarious-new-python-rat | SHA256: d271569d5557087aecc340bb570179b73265b29bed2e774d9a2403546c7dd5ff; SHA1: 39c6484c0ca69f2e98adad292436fadf80c3c12a; MD5: 3d89a7dfd0984f23c4ebd1931d029108 |
M20-20vf1 | Defray777_210f47c8 | Linux | This strike sends a malware sample known as Defray777. Defray777 is an elusive ransomware family, also known as RansomX and RansomExx, that has been active since 2018. It runs entirely in memory and is typically delivered and executed by a loader such as Cobalt Strike. The malware has been ported to Linux; unlike the Windows variant, however, the Linux variant does not employ anti-analysis measures to hinder reverse engineering. | 210f47c8f47ded8525da927710abc6ad | https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/3/ | SHA256: 78147d3be7dc8cf7f631de59ab7797679aba167f82655bcae2c1b70f1fafc13d; SHA1: 50f191f04aa6cff1d8688a3c5d6cce96739ab6b3; MD5: 210f47c8f47ded8525da927710abc6ad |
M20-yg4v1 | PyXie | Windows | This strike sends a malware sample known as PyXie Lite. PyXie Lite is a variant of its predecessor PyXie, the Python RAT. It can be recognized by its much smaller code base and a few other noticeable changes in functionality, which include a hardened interpreter, a remapped opcode table, data exfiltration through internal servers, and reconnaissance. | d0857462281df296b60a8814d4fa052f | https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/2/ | SHA256: b3c6f365819864340a8a8fe3076fb326c1debfdbbc826384cb2978aea82edc48; SHA1: 658c536d92c7b60e7c31bc4eeb43504c83204df7; MD5: d0857462281df296b60a8814d4fa052f |
M20-mzle1 | PyXie | Windows | This strike sends a malware sample known as PyXie RAT. PyXie is a Python Remote Access Trojan. It has been seen in the wild since 2018 and is typically observed in conjunction with Cobalt Strike beacons. PyXie has been used to deliver ransomware attacks against the healthcare and education industries. | 440c46ace55eb539376c05dc03e98cd4 | https://blogs.blackberry.com/en/2019/12/meet-pyxie-a-nefarious-new-python-rat | SHA256: 0da9e149ba324f20a390140e9d7913b13ababa07f5b65e4d25e3555c1119e768; SHA1: 038e505ed342a39766d034ffee1e87fdfc62930b; MD5: 440c46ace55eb539376c05dc03e98cd4 |
M20-exgu1 | Vatet | Windows | This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR-encoded shellcode from the local disk or a network share. These loaders are often modified to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or, more recently, the PyXie RAT payload. Vatet Loader is often seen as the first stage in an enterprise-wide ransomware attack. | 0ea9b7a283e7d4601fb7dbd63493b342 | https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/ | SHA256: 56934547dcf0d7ecf61868ae2f620f60e94c094dbd5c3b5aaf3d3a904d20a693; SHA1: b655342769408e0bdd46449aa8968c4c362a222a; MD5: 0ea9b7a283e7d4601fb7dbd63493b342 |
M20-a54g1 | Chthonic_35e71926 | Windows | This strike sends a polymorphic malware sample known as Chthonic. Chthonic is a banking trojan that is normally delivered by the attacker via phishing emails. Its purpose is to exfiltrate sensitive credentials from the victim machine, and it has also been seen delivering other malware, such as AZORult, to provide additional functionality. The binary has the timestamp field updated in the PE file header. | 35e7192617a5bfe4e3663f40610a7f11 | https://attack.mitre.org/techniques/T1099/ | SHA256: 01785bc411c5f7c386ac0c155e9334a624750722911cb420bdd6ba9666c4a075; SHA1: e2363a3d1230c852837d19c13cc421ecfdd9f2af; PARENTID: M20-569e1; SSDEEP: 768:Ph1SGw0Nd6EF+MIi3hISRdJlDED1Anx3LScmjElP/Vc6+DxIamqtswYh/YY86AAx:iV0Nd6EF+eljbx3LSqt+GF82jco; MD5: 35e7192617a5bfe4e3663f40610a7f11 |
M20-keqo1 | Vatet | Windows | This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR-encoded shellcode from the local disk or a network share. These loaders are often modified to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or, more recently, the PyXie RAT payload. Vatet Loader is often seen as the first stage in an enterprise-wide ransomware attack. | 6932dfcd3789f88e828d939174183446 | https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/ | SHA256: 5dc7f70a0d20f97c30c25bd927235deec713cde5d1c41916e23dd0c3431ffacd; SHA1: e289f6a347facc397402d63d36f70f58338d8ca8; MD5: 6932dfcd3789f88e828d939174183446 |
M20-jhm51 | Vatet | Windows | This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR-encoded shellcode from the local disk or a network share. These loaders are often modified to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or, more recently, the PyXie RAT payload. Vatet Loader is often seen as the first stage in an enterprise-wide ransomware attack. | 4ef817562dc042e616ae26a2c8773f23 | https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/ | SHA256: a098b5455fd1e9d0dea067405cd891b94cc42a0067cbd21d385f9c1254c21fdd; SHA1: c1b9b376a54b08d5eae491f951b57d6bb04afa5a; MD5: 4ef817562dc042e616ae26a2c8773f23 |
M20-wlk11 | Vatet | Windows | This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR-encoded shellcode from the local disk or a network share. These loaders are often modified to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or, more recently, the PyXie RAT payload. Vatet Loader is often seen as the first stage in an enterprise-wide ransomware attack. | b18ee982de606adc6715e7a52648b63c | https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/ | SHA256: 8eef012c2eecb7f8a776464f52e12f62c466cfc85adf4eef0d2bc270e7a19212; SHA1: f3c97b56b85eb3a0009bf831e89a4cf57d4deb41; MD5: b18ee982de606adc6715e7a52648b63c |
M20-vihm1 | PyXie | Windows | This strike sends a malware sample known as PyXie RAT. PyXie is a Python Remote Access Trojan. It has been seen in the wild since 2018 and is typically observed in conjunction with Cobalt Strike beacons. PyXie has been used to deliver ransomware attacks against the healthcare and education industries. | aa64323c466ac0ae62ec6532bac30936 | https://blogs.blackberry.com/en/2019/12/meet-pyxie-a-nefarious-new-python-rat | SHA256: 92a8b74cafa5eda3851cc494f26db70e5ef0259bc7926133902013e5d73fd285; SHA1: 007f198146686cf0bad9d8c5bb262f8e5c007706; MD5: aa64323c466ac0ae62ec6532bac30936 |
M20-75p01 | PyXie | Windows | This strike sends a malware sample known as PyXie RAT. PyXie is a Python Remote Access Trojan. It has been seen in the wild since 2018 and is typically observed in conjunction with Cobalt Strike beacons. PyXie has been used to deliver ransomware attacks against the healthcare and education industries. | 5d2fd364769d12d26c83922e5e31e48e | https://blogs.blackberry.com/en/2019/12/meet-pyxie-a-nefarious-new-python-rat | SHA256: 563dd5a95f439bc2b4170a74c8be565a1af076e6cbebd1d018b2809a1e8bc908; SHA1: 00263c910dcf67f7eaa37c48914c30b78261652c; MD5: 5d2fd364769d12d26c83922e5e31e48e |
M20-o3n51 | Vatet | Windows | This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR-encoded shellcode from the local disk or a network share. These loaders are often modified to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or, more recently, the PyXie RAT payload. Vatet Loader is often seen as the first stage in an enterprise-wide ransomware attack. | dcba8d6cf6b336ac96db500ad99b0013 | https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/ | SHA256: fcdd72fd2e03badfac13eed5e2d17054bbdcea7c1743179095ce109bf40a7f0f; SHA1: 1bacc1afd4bd2d34279b39e9e2fc6099c49fa29f; MD5: dcba8d6cf6b336ac96db500ad99b0013 |
M20-4n511 | Vatet | Windows | This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR-encoded shellcode from the local disk or a network share. These loaders are often modified to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or, more recently, the PyXie RAT payload. Vatet Loader is often seen as the first stage in an enterprise-wide ransomware attack. | 31dc5267d3daf057baaa37f8d5d59229 | https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/ | SHA256: 608f34a79e5566593b284ef0d24f48ea89bc007e5654ae0969e6d9f92ec87d32; SHA1: 15c3985c14c98de4a7eabba3495b474f753923b7; MD5: 31dc5267d3daf057baaa37f8d5d59229 |
M20-727z1 | Vatet | Windows | This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR-encoded shellcode from the local disk or a network share. These loaders are often modified to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or, more recently, the PyXie RAT payload. Vatet Loader is often seen as the first stage in an enterprise-wide ransomware attack. | 088d29b4a238a650e12f5ce97ec58289 | https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/ | SHA256: e48e88542ec4cd6f1aa794abc846f336822b1104557c0dfe67cff63e5231c367; SHA1: 08a6b196e3a2d140314225ef8c88228aaea09ac5; MD5: 088d29b4a238a650e12f5ce97ec58289 |
M20-qxtk1 | Barys_2f511a1d | Windows | This strike sends a polymorphic malware sample known as Barys. Barys is a trojan and downloader that delivers malicious files to the victim machine. The binary has random strings (lorem ipsum) appended at the end of the file. | 2f511a1df6582dea8340fd62e27c9f3e | https://attack.mitre.org/techniques/T1009/ | SHA256: 41a98f4a8ef76470d573c6daa9db027ee7cd76a957c669d7a30ebcfe01c5e1bd; SHA1: f812646cd54274420324b42801e6bca7dc128a88; PARENTID: M20-mxx31; SSDEEP: 384:UDLPVyLRFT8Mtls0IKJdhpEoa24+odbe419lZK38nmPsywEXZxg15iMISchoyMnL:MgbT8MlIcdk+odC41HjmzZX630nMnIU; MD5: 2f511a1df6582dea8340fd62e27c9f3e |
M20-0xi41 | PyXie | Windows | This strike sends a malware sample known as PyXie RAT. PyXie is a Python Remote Access Trojan. It has been seen in the wild since 2018 and is typically observed in conjunction with Cobalt Strike beacons. PyXie has been used to deliver ransomware attacks against the healthcare and education industries. | f198217bafc00828a2f5bc7f816c8e1d | https://blogs.blackberry.com/en/2019/12/meet-pyxie-a-nefarious-new-python-rat | SHA256: 814357417aa8a57e43d50cb3347c9d287b99955b0b8aee4e53e12b463f7441a0; SHA1: 0342939f6ff3699c7528f4adfdad5a35d1353b88; MD5: f198217bafc00828a2f5bc7f816c8e1d |
M20-129q1 | Vatet | Windows | This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR-encoded shellcode from the local disk or a network share. These loaders are often modified to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or, more recently, the PyXie RAT payload. Vatet Loader is often seen as the first stage in an enterprise-wide ransomware attack. | 05d24dd80b9a39e2148e94c742f8f16b | https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/ | SHA256: 350926c6bb7419330e55e687c9f00520a560c41f6013528cbb9ea42faeeb3201; SHA1: 1ca072554f6aa3a320587bff3ec200e61310654c; MD5: 05d24dd80b9a39e2148e94c742f8f16b |
M20-c38p1 | Vatet | Windows | This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR-encoded shellcode from the local disk or a network share. These loaders are often modified to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or, more recently, the PyXie RAT payload. Vatet Loader is often seen as the first stage in an enterprise-wide ransomware attack. | ddf9e95123d9b585fa9e164236bfd338 | https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/ | SHA256: 8373be56ddab97188a8606eb5f529187bfb819f5cb5a50c56f6a7878c94c7f86; SHA1: f87c2ce9936da536fa7e229adb6d79800a9961fe; MD5: ddf9e95123d9b585fa9e164236bfd338 |
M20-g0121 | PyXie | Windows | This strike sends a malware sample known as PyXie RAT. PyXie is a Python Remote Access Trojan. It has been seen in the wild since 2018 and is typically observed in conjunction with Cobalt Strike beacons. PyXie has been used to deliver ransomware attacks against the healthcare and education industries. | 1856d7d2a60bfc2da5c36781294e5033 | https://blogs.blackberry.com/en/2019/12/meet-pyxie-a-nefarious-new-python-rat | SHA256: c3b3f46a5c850971e1269d09870db755391dcbe575dc7976f90ccb1f3812d5ea; SHA1: e2ac158c425965b639b1ec5949e3c8300c278310; MD5: 1856d7d2a60bfc2da5c36781294e5033 |
M20-lalu1 | Vatet | Windows | This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR-encoded shellcode from the local disk or a network share. These loaders are often modified to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or, more recently, the PyXie RAT payload. Vatet Loader is often seen as the first stage in an enterprise-wide ransomware attack. | eb885e485049ee4516bbdf6d9c5f202d | https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/ | SHA256: e5fede5eb43732c7f098acf7b68b1350c6524962215b476de571819b6e5a71fc; SHA1: 90851164d3452929fd2567de72153d1c018de994; MD5: eb885e485049ee4516bbdf6d9c5f202d |
M20-vrn11 | PyXie | Windows | This strike sends a malware sample known as PyXie RAT. PyXie is a Python Remote Access Trojan. It has been seen in the wild since 2018 and is typically observed in conjunction with Cobalt Strike beacons. PyXie has been used to deliver ransomware attacks against the healthcare and education industries. | 54c11dcb706996a76976211c3685153d | https://blogs.blackberry.com/en/2019/12/meet-pyxie-a-nefarious-new-python-rat | SHA256: c9400b2fff71c401fe752aba967fa8e7009b64114c9c431e9e91ac39e8f79497; SHA1: 74ab88499a9b8d77cd9a8820e2884e617fa9245a; MD5: 54c11dcb706996a76976211c3685153d |
M20-q8081 | PyXie | Windows | This strike sends a malware sample known as PyXie RAT. PyXie is a Python Remote Access Trojan. It has been seen in the wild since 2018 and is typically observed in conjunction with Cobalt Strike beacons. PyXie has been used to deliver ransomware attacks against the healthcare and education industries. | 2aac141539e4bac0320ce3992e632d97 | https://blogs.blackberry.com/en/2019/12/meet-pyxie-a-nefarious-new-python-rat | SHA256: f9290cd938d134a480b41d99ac2c5513a964de001602ed34c6383dfeb577b8f7; SHA1: dc53f9f9f7dac4fa1ba748b2fa7e6819187f2f8e; MD5: 2aac141539e4bac0320ce3992e632d97 |
M20-75a91 | Vatet | Windows | This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR-encoded shellcode from the local disk or a network share. These loaders are often modified to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or, more recently, the PyXie RAT payload. Vatet Loader is often seen as the first stage in an enterprise-wide ransomware attack. | 68cb520d2084020638790187e34638ea | https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/ | SHA256: e1653fe62e8d90153557324ffe4470d9c9262fe3bddad2bf555680b6078cf66a; SHA1: 94c14074d879fd773a1c331210cc4c6e282b9185; MD5: 68cb520d2084020638790187e34638ea |
M20-qwgb1 | PyXie | Windows | This strike sends a malware sample known as PyXie Lite. PyXie Lite is a variant of its predecessor PyXie, the Python RAT. It can be recognized by its much smaller code base and a few other noticeable changes in functionality, which include a hardened interpreter, a remapped opcode table, data exfiltration through internal servers, and reconnaissance. | 127aa359a279cb299b63bb720f35ed1d | https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/2/ | SHA256: 4d0176e2d6e30e31352f420a4dec79d26cb00f1e6c789b31e84cd05eb4d50956; SHA1: b826c09b4e6dd84c5d74ce4af5545f13eba64811; MD5: 127aa359a279cb299b63bb720f35ed1d |
M20-0l931 | PyXie | Windows | This strike sends a malware sample known as PyXie RAT. PyXie is a Python Remote Access Trojan. It has been seen in the wild since 2018 and is typically observed in conjunction with Cobalt Strike beacons. PyXie has been used to deliver ransomware attacks against the healthcare and education industries. | d76837f88a8d62351e2d551be2fe9893 | https://blogs.blackberry.com/en/2019/12/meet-pyxie-a-nefarious-new-python-rat | SHA256: de44656b4a3dde6e0acdc6f59f73114ce6bb6342bec0dcd45da8676d78b0042e; SHA1: 1aad813f52a7627c94e236f15d2ac3b1d090c15a; MD5: d76837f88a8d62351e2d551be2fe9893 |
M20-m1mi1 | Vatet | Windows | This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR-encoded shellcode from the local disk or a network share. These loaders are often modified to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or, more recently, the PyXie RAT payload. Vatet Loader is often seen as the first stage in an enterprise-wide ransomware attack. | e2b15234dee641b74ee7959df2ae2e43 | https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/ | SHA256: 625c22b21277c8a7e1b701da9c1c21b64bfa02baef5d7a530a38f6d70a7a16d0; SHA1: 27fd1c79ce0f8459ed201886512f38af5e466bba; MD5: e2b15234dee641b74ee7959df2ae2e43 |
M20-dozu1 | PyXie | Windows | This strike sends a malware sample known as PyXie Lite. PyXie Lite is a variant of its predecessor PyXie, the Python RAT. It can be recognized by its much smaller code base and a few other noticeable changes in functionality, which include a hardened interpreter, a remapped opcode table, data exfiltration through internal servers, and reconnaissance. | 8357b48174b91644012b7969d2ae9597 | https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/2/ | SHA256: 510cf6e1c55a190490e93d222ea606ed888d222ecedda18bfb2f32bb73f33cab; SHA1: eb17b9cdce04f77428499afbb950f48249492a2a; MD5: 8357b48174b91644012b7969d2ae9597 |
M20-0tvr1 | Vatet | Windows | This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR-encoded shellcode from the local disk or a network share. These loaders are often modified to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or, more recently, the PyXie RAT payload. Vatet Loader is often seen as the first stage in an enterprise-wide ransomware attack. | 164b162f8cd59acf9d3da0bec7ea1c52 | https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/ | SHA256: ccc162d3a3d6136a9c472d7d2d07acbae47f88a9a7d9b2c9b97b331e7ab7605d; SHA1: fdb3289f239a06023842d90c0e5cf6f8f0aa1c99; MD5: 164b162f8cd59acf9d3da0bec7ea1c52 |
M20-rp6s1 | Sunburst_846e27a6 | Windows | This strike sends a malware sample known as Sunburst. Sunburst is a Trojan that has recently been used to attack many high-profile government, technology, telecom, and consulting organizations across North America, Asia, Europe, and the Middle East. It is a digitally signed SolarWinds component of the Orion software framework that contains a backdoor, allowing it to communicate with external servers for command and control. The malware lies dormant for an extended period of time and then executes commands that allow file transfer and execution, system profiling, and disabling of services. | 846e27a652a5e1bfbd0ddd38a16dc865 | https://blog.truesec.com/2020/12/17/the-solarwinds-orion-sunburst-supply-chain-attack/ https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html | SHA256: ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6; SHA1: d130bd75645c2433f88ac03e73395fba172ef676; MD5: 846e27a652a5e1bfbd0ddd38a16dc865 |
M20-a1c21 | Vatet | Windows | This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR-encoded shellcode from the local disk or a network share. These loaders are often modified to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or, more recently, the PyXie RAT payload. Vatet Loader is often seen as the first stage in an enterprise-wide ransomware attack. | 225747a368357a5eafaac5337ee56c9a | https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/ | SHA256: 3a3b7b198769de3e5d81a92aa166f783b611a39a7fcea1b5ec762b54295dbc8d; SHA1: 49a8ab54ac1137b9fa2281a9fdbd1d7b50cf6cee; MD5: 225747a368357a5eafaac5337ee56c9a |
M20-8etv1 | Vatet | Windows | This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR-encoded shellcode from the local disk or a network share. These loaders are often modified to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or, more recently, the PyXie RAT payload. Vatet Loader is often seen as the first stage in an enterprise-wide ransomware attack. | 6f6a04e60af90862b2ced5864b6b23f9 | https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/ | SHA256: 95e5e83b10df32f06080bd6f8428592d81febbf55e72ec5f843dd6188bef25da; SHA1: ab96d796a4b394af911c5282446f61bcd94c1ae1; MD5: 6f6a04e60af90862b2ced5864b6b23f9 |
M20-rmoa1 | Barys_006a7221 | Windows | This strike sends a malware sample known as Barys. Barys is a trojan and downloader that delivers malicious files to the victim machine. | 006a72219afabff2f56695f413ca43db | https://blog.talosintelligence.com/2020/12/threat-roundup-1127-1204.html | SHA256: a98b443dab1373415ceefacf3be09bb209377827785a02e5f7d4a20c3badc01c; SHA1: 5e8f2e325a452ebfeeafeceb7ef6b1a8cbb186ad; MD5: 006a72219afabff2f56695f413ca43db |
M20-4pvo1 | Vatet | Windows | This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR-encoded shellcode from the local disk or a network share. These loaders are often modified to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or, more recently, the PyXie RAT payload. Vatet Loader is often seen as the first stage in an enterprise-wide ransomware attack. | b90fbb7ae572eca2f64d14c0e0dc4a21 | https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/ | SHA256: cb2619b7aab52d612012386d88a0d983c270d9346169b75d2a55010564efc55c; SHA1: 39289138cd3d75cbffe41172772cb40acde3972a; MD5: b90fbb7ae572eca2f64d14c0e0dc4a21 |
M20-bhso1 | Vatet | Windows | This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR-encoded shellcode from the local disk or a network share. These loaders are often modified to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or, more recently, the PyXie RAT payload. Vatet Loader is often seen as the first stage in an enterprise-wide ransomware attack. | 2f6340654f5d07c7a5d19b9d228dabb1 | https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/ | SHA256: 80c9d6cf4e8119dc2d0e263f3f4d5c3bf4221715117505d9d6a02e3671337bf8; SHA1: 40e314bef8a7fb314b8dfb8b641fa2426d198488; MD5: 2f6340654f5d07c7a5d19b9d228dabb1 |
M20-r1rf1 | Barys_3c11a2bd | Windows | This strike sends a polymorphic malware sample known as Barys. Barys is a trojan and downloader that delivers malicious files to the victim machine. The binary has random content appended to one of the existing sections of the PE file. | 3c11a2bd2d5f1c68588dd60b742008f1 | https://arxiv.org/abs/1801.08917 | SHA256: e6ad8931d16e75beccc55f4706194876b6b13aaac6c291d453a981ccb20ff198; SHA1: 50b5f6ed2ab9c18b04ec24a6651ffbb7e162bcc7; PARENTID: M20-mxx31; SSDEEP: 384:UDLPVyLRFT8Mtls0IKJdhpEoa24+odbe419lZK38nmPsywEXZxg15iMISchoyMn:MgbT8MlIcdk+odC41HjmzZX630nMn; MD5: 3c11a2bd2d5f1c68588dd60b742008f1 |
M20-wnyb2 | Vatet | Windows | This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR-encoded shellcode from the local disk or a network share. These loaders are often modified to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or, more recently, the PyXie RAT payload. Vatet Loader is often seen as the first stage in an enterprise-wide ransomware attack. | 1d191d54cdd3adb4621b5c3a13d1ea91 | https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/ | SHA256: 01011bb45dec3b520ea09e5d9d3c9fb4acce74de72261f68ff1011f9ea6ccebb; SHA1: 3e6868e7359df4bddfdbd7575052431360c57dd9; MD5: 1d191d54cdd3adb4621b5c3a13d1ea91 |
M20-039f1 | Barys_d1365296 | Windows |
This strike sends a polymorphic malware sample known as Barys. Barys is a trojan and downloader that will upload malicious files to the victim machine.The binary has a random section name renamed according to the PE format specification. | d1365296a329a50b6d389373aa50fa01 | https://arxiv.org/abs/1801.08917SHA256: e30a372793ba1181082bb313a63f3c88e4075645d6fa30f84666e8feacb858ebSHA1: 17525859a1efb97ad394092c0c561d43386ce9e1PARENTID: M20-mxx31SSDEEP: 384:ODLPVyLRFT8Mtls0IKJdhpEoa24+odbe419lZK38nmPsywEXZxg15iMISchoyMn:WgbT8MlIcdk+odC41HjmzZX630nMnMD5: d1365296a329a50b6d389373aa50fa01 |
M20-19el1 | PyXie | Windows |
This strike sends a malware sample known as PyXie RAT. PyXie is a Python Remote Access Trojan. It has been seen in the wild since 2018, and is typically seen in conjunction with Cobalt Strike beacons. PyXie has been used to deliver ransomware attacks to the healthcare and education industries. | aa03fbbd932b6f57d26c53cf7a01ef1b | https://blogs.blackberry.com/en/2019/12/meet-pyxie-a-nefarious-new-python-ratSHA256: a765df03fffa343aa7a420a0a57d4b5c64366392ab6162c3561ff9f7b0ad5623SHA1: ed495940c14db3067e841b1e1cd29724b4f8989cMD5: aa03fbbd932b6f57d26c53cf7a01ef1b |
M20-7twy1 | Vatet | Windows |
This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR encoded shellcode from the local disk or a network share. These loaders are often modified in order to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or as of lately the PyXie RAT payload. Vatet loader is often seen as the first stage in an Enterprise wide ransomware attack. | 13cc74a4168aab6c63b5e44358f47604 | https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/SHA256: c5ca45581da0bbb3e4d0c6e51d602512fa52833cd16eebed351397a9a0326518SHA1: 74b9f153234306a4e0f5c0cfa7bebb68eb0d3890MD5: 13cc74a4168aab6c63b5e44358f47604 |
M20-p6nd1 | Vatet | Windows |
This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR encoded shellcode from the local disk or a network share. These loaders are often modified in order to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or as of lately the PyXie RAT payload. Vatet loader is often seen as the first stage in an Enterprise wide ransomware attack. | 9d4c4af4b600bb90e92a5c0b86551507 | https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/SHA256: edecfdd2a26b4579ecacf453b9dff073233fb66d53c498632464bca8b3084dc5SHA1: fb49d70aa78dae091a7fdf31d28a83d270e377bdMD5: 9d4c4af4b600bb90e92a5c0b86551507 |
M20-kkm31 | Vatet | Windows |
This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR encoded shellcode from the local disk or a network share. These loaders are often modified in order to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or as of lately the PyXie RAT payload. Vatet loader is often seen as the first stage in an Enterprise wide ransomware attack. | 77e9031a6ba4afeecda915e914a352df | https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/SHA256: 840985b782648d57de302936257ba3d537d21616cb81f9dce000eaf1f76a56c8SHA1: adcdeb818c9dfc9f1c17bf3af5ba9523927ca643MD5: 77e9031a6ba4afeecda915e914a352df |
M20-pmq11 | Vatet | Windows |
This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR encoded shellcode from the local disk or a network share. These loaders are often modified in order to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or as of lately the PyXie RAT payload. Vatet loader is often seen as the first stage in an Enterprise wide ransomware attack. | e0d2c9aac9a8489a2154aff6e0abcb6e | https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/SHA256: 3928bd8f2fd2db4891b320fa85b37c2598706d27283818ad33a0eeac16d59192SHA1: 2e489ff43e12c708430f3ea07024970a4d1ba737MD5: e0d2c9aac9a8489a2154aff6e0abcb6e |
M20-jzoq1 | Vatet | Windows |
This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR encoded shellcode from the local disk or a network share. These loaders are often modified in order to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or as of lately the PyXie RAT payload. Vatet loader is often seen as the first stage in an Enterprise wide ransomware attack. | 988b54d62c2163cdb5398ff6571e3c80 | https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/SHA256: 75728bc96c934c1521ae08e03ec916e20628e000b056c55b6ee04ccc18c602f6SHA1: e741885b90a4d6b4699948b9184cf38bf838b890MD5: 988b54d62c2163cdb5398ff6571e3c80 |
M20-mynx1 | Chthonic_39a1430c | Windows |
This strike sends a polymorphic malware sample known as Chthonic. Chthonic is a banking trojan that is normally delivered via phishing emails. Its purpose is to exfiltrate sensitive credentials from the victim machine, and it has also been seen delivering other malware, such as AZORult, to perform additional functionality. One section of the binary has been renamed to a random name that is still valid under the PE format specification. | 39a1430c7d0bf12a9b42dad4e6b49ac6 |
https://arxiv.org/abs/1801.08917
SHA256: 28dacb33875c738c866f6d41b16074f6ca48dee3aee14e8899f845912d02a50e
SHA1: eae617ce1247de24ce7caed9b13be5a2934f3c7c
PARENTID: M20-569e1
SSDEEP: 768:jh1SGw0Nd6EF+MIi3hISRdJlDED1Anx3LScmjElP/Vc6+DxIamqtswYh/YY86AAx:GV0Nd6EF+eljbx3LSqt+GF82jco
MD5: 39a1430c7d0bf12a9b42dad4e6b49ac6 |
M20-jyxn1 | PyXie | Windows |
This strike sends a malware sample known as PyXie Lite. PyXie Lite is a variant of its predecessor PyXie, the Python RAT. It can be recognized by its much smaller code base and a few other noticeable changes in functionality, which include a hardened interpreter, a remapped opcode table, exfiltration of data through internal servers, and reconnaissance. | a76db545952dcb01bdb966e656c3baca |
https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/2/
SHA256: fe564fb38a99dbb94cc8a66d8955b0b7f8e67bf0a5eb820c4a5d0c3efb96c1e5
SHA1: 5b231d4361da177cfe4c3343a1ba75fb099db547
MD5: a76db545952dcb01bdb966e656c3baca |
M20-qgfs1 | PyXie | Windows |
This strike sends a malware sample known as PyXie Lite. PyXie Lite is a variant of its predecessor PyXie, the Python RAT. It can be recognized by its much smaller code base and a few other noticeable changes in functionality, which include a hardened interpreter, a remapped opcode table, exfiltration of data through internal servers, and reconnaissance. | ed784123007890e3df70b2348779b007 |
https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/2/
SHA256: 61b9b7e1329eb540dd751d1db6c00cc45d91b6f58db75ab0212976d4ec4c848e
SHA1: 9512a8aa4835c0aab0999a9ba17b60b1b976aeae
MD5: ed784123007890e3df70b2348779b007 |
M20-luhr1 | PyXie | Windows |
This strike sends a malware sample known as PyXie RAT. PyXie is a Python remote access Trojan. It has been seen in the wild since 2018 and is typically observed in conjunction with Cobalt Strike beacons. PyXie has been used to deliver ransomware attacks against the healthcare and education industries. | fa8a1311b6488e40de471cc183ce50eb |
https://blogs.blackberry.com/en/2019/12/meet-pyxie-a-nefarious-new-python-rat
SHA256: 1d970f2e7af9962ae6786c35fcd6bc48bb860e2c8ca74d3b81899c0d3a978b2b
SHA1: c7e544de0ca082cb13e68265914dc3bd7d22ed55
MD5: fa8a1311b6488e40de471cc183ce50eb |
M20-910a1 | Vatet | Windows |
This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR-encoded shellcode read from the local disk or a network share. These loaders are often modified to execute the attacker's shellcode, usually Cobalt Strike beacons and/or stagers and, more recently, the PyXie RAT payload. Vatet loader is often seen as the first stage in an enterprise-wide ransomware attack. | 643fbcda0041c2b57a2740bb02e16db0 |
https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/
SHA256: b1f54b88c9b7680877981f6bebde6aea9effbc38a0a8b27a565fb35331094680
SHA1: e90b6b2edb9171d28cac4f437b1fa6a03b39e546
MD5: 643fbcda0041c2b57a2740bb02e16db0 |
M20-aei21 | PyXie | Windows |
This strike sends a malware sample known as PyXie RAT. PyXie is a Python remote access Trojan. It has been seen in the wild since 2018 and is typically observed in conjunction with Cobalt Strike beacons. PyXie has been used to deliver ransomware attacks against the healthcare and education industries. | 9d3e12893fae7eb6c33682b5bbea6d93 |
https://blogs.blackberry.com/en/2019/12/meet-pyxie-a-nefarious-new-python-rat
SHA256: edd1480fe3d83dc4dc59992fc8436bc1f33bc065504dccf4b14670e9e2c57a89
SHA1: 08868d9b1a31b59ab8e3f4ac38f210ac8e080106
MD5: 9d3e12893fae7eb6c33682b5bbea6d93 |
M20-w0u91 | Vatet | Windows |
This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR-encoded shellcode read from the local disk or a network share. These loaders are often modified to execute the attacker's shellcode, usually Cobalt Strike beacons and/or stagers and, more recently, the PyXie RAT payload. Vatet loader is often seen as the first stage in an enterprise-wide ransomware attack. | 1f937cbae354345087860c7d33e0e61d |
https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/
SHA256: d7641089fd5d0474b835a633d6d852028b3481c18b3574023b021bfa1e3c1cc1
SHA1: 52c1795326e7704395450b07332c766fb0d1acc7
MD5: 1f937cbae354345087860c7d33e0e61d |
M20-yp8y1 | Vatet | Windows |
This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR-encoded shellcode read from the local disk or a network share. These loaders are often modified to execute the attacker's shellcode, usually Cobalt Strike beacons and/or stagers and, more recently, the PyXie RAT payload. Vatet loader is often seen as the first stage in an enterprise-wide ransomware attack. | fc2fefb951bfbfdb1e337c9019968c8d |
https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/
SHA256: bec5a3cfd7332241e3a7463d951b8f9a9e771d4f436d7776a426074a82d19a7d
SHA1: 1291b32719aef4f71732010263339e59726aaa90
MD5: fc2fefb951bfbfdb1e337c9019968c8d |
M20-9ybb1 | Vatet | Windows |
This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR-encoded shellcode read from the local disk or a network share. These loaders are often modified to execute the attacker's shellcode, usually Cobalt Strike beacons and/or stagers and, more recently, the PyXie RAT payload. Vatet loader is often seen as the first stage in an enterprise-wide ransomware attack. | 81ba4107943bb4ad2ec351ba2417f987 |
https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/
SHA256: 2b13dae3c35eb3958253dbf945f6609e59978c2aedbd163608f03920d7d3623b
SHA1: 974dc36f9342391724f1e911e6fd92fccce7ef1a
MD5: 81ba4107943bb4ad2ec351ba2417f987 |
M20-xxco1 | PyXie | Windows |
This strike sends a malware sample known as PyXie RAT. PyXie is a Python remote access Trojan. It has been seen in the wild since 2018 and is typically observed in conjunction with Cobalt Strike beacons. PyXie has been used to deliver ransomware attacks against the healthcare and education industries. | a7da167512ae0077122e349e1cf54085 |
https://blogs.blackberry.com/en/2019/12/meet-pyxie-a-nefarious-new-python-rat
SHA256: e0f22863c84ee634b2650b322e6def6e5bb74460952f72556715272c6c18fe8e
SHA1: a0c913a04254c65154013904d99ea90d574ab3a2
MD5: a7da167512ae0077122e349e1cf54085 |
M20-5r9z1 | Vatet | Windows |
This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR-encoded shellcode read from the local disk or a network share. These loaders are often modified to execute the attacker's shellcode, usually Cobalt Strike beacons and/or stagers and, more recently, the PyXie RAT payload. Vatet loader is often seen as the first stage in an enterprise-wide ransomware attack. | e843170e564321228fc88b9291a4265c |
https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/
SHA256: ecf3f4ba8dd16551908488cfbf2afd18a55584dbf81c28623026a29b9fa4a62d
SHA1: 100baeffdf9be3002d4ff15785a28ed75c6c0f7e
MD5: e843170e564321228fc88b9291a4265c |
M20-xmrm1 | Vatet | Windows |
This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR-encoded shellcode read from the local disk or a network share. These loaders are often modified to execute the attacker's shellcode, usually Cobalt Strike beacons and/or stagers and, more recently, the PyXie RAT payload. Vatet loader is often seen as the first stage in an enterprise-wide ransomware attack. | 615292e183cf11759b672148998bfa18 |
https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/
SHA256: ddf83c02effea8ae9ec2c833bf40187bed23ec33c6b828af49632ef98004ea82
SHA1: 3a98e49010e7720abc5d5af43c6c1f665fe3dc0d
MD5: 615292e183cf11759b672148998bfa18 |
M20-oh7j1 | Vatet | Windows |
This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR-encoded shellcode read from the local disk or a network share. These loaders are often modified to execute the attacker's shellcode, usually Cobalt Strike beacons and/or stagers and, more recently, the PyXie RAT payload. Vatet loader is often seen as the first stage in an enterprise-wide ransomware attack. | ca4682a32cdaaf2c0357a2a79e32ee9b |
https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/
SHA256: bd7da341a28a19618b53e649a27740dfeac13444ce0e0d505704b56335cc55bd
SHA1: 2418b3bb9690ff1f3b0ffbe3a7895800ba335903
MD5: ca4682a32cdaaf2c0357a2a79e32ee9b |
M20-nbpl2 | PyXie | Windows |
This strike sends a malware sample known as PyXie RAT. PyXie is a Python remote access Trojan. It has been seen in the wild since 2018 and is typically observed in conjunction with Cobalt Strike beacons. PyXie has been used to deliver ransomware attacks against the healthcare and education industries. | 4eab40382656af8fa25fb23b6e6473a0 |
https://blogs.blackberry.com/en/2019/12/meet-pyxie-a-nefarious-new-python-rat
SHA256: 7330fa1ca4e40cdfea9492134636ef06cd999efb71f510074d185840ac16675d
SHA1: 64f0b82b09081cb1782f9f5dc5011306764cd8a9
MD5: 4eab40382656af8fa25fb23b6e6473a0 |
M20-wfqq1 | PyXie | Windows |
This strike sends a malware sample known as PyXie RAT. PyXie is a Python remote access Trojan. It has been seen in the wild since 2018 and is typically observed in conjunction with Cobalt Strike beacons. PyXie has been used to deliver ransomware attacks against the healthcare and education industries. | 4201d7681dbbde038de0e5d3568363da |
https://blogs.blackberry.com/en/2019/12/meet-pyxie-a-nefarious-new-python-rat
SHA256: 3aa746bb94acee94c86a34cb0b355317de8404c91de3f00b40e8257b80c64741
SHA1: 54a06b7ec2dbf0db1976be14875ba8be0947fe70
MD5: 4201d7681dbbde038de0e5d3568363da |
M20-qmya1 | Gh0stRAT_a5d16fe0 | Windows |
This strike sends a polymorphic malware sample known as Gh0stRAT. Gh0stRAT is a remote access Trojan that provides control over an infected system. Some of its known functions include the ability to record keystrokes, capture screenshots and download additional malicious payloads. The TimeDateStamp field in the PE file header has been modified. | a5d16fe034462a43c0ddb0b62a52121e |
https://attack.mitre.org/techniques/T1099/
SHA256: 004882c756bd37bc9fc49085b9fb6b1496a7deeabbf5849ff2e8a24dc519d7c7
SHA1: ade07b3275a20e1b42186e5563d1b32818b9874c
PARENTID: M20-gt381
SSDEEP: 1536:zbuXXlyLMFM6NRjebOZewU/R4kY6WpsQEYzQI4wb9DprLElnY+fsrcNgF0f2bb3X:WFyLM/NR+O8wl6usKH9DRJUyMrAn
MD5: a5d16fe034462a43c0ddb0b62a52121e |
M20-zw841 | PyXie | Windows |
This strike sends a malware sample known as PyXie RAT. PyXie is a Python remote access Trojan. It has been seen in the wild since 2018 and is typically observed in conjunction with Cobalt Strike beacons. PyXie has been used to deliver ransomware attacks against the healthcare and education industries. | a07761d3be0749c5ba7da3d8222f1d86 |
https://blogs.blackberry.com/en/2019/12/meet-pyxie-a-nefarious-new-python-rat
SHA256: e03680e0af40a6fa1a12bed2f701c6137335d28b3d222579552658e951cbd13c
SHA1: dc3cf5372363cb5a0f5b8124386e548f38da24d4
MD5: a07761d3be0749c5ba7da3d8222f1d86 |
M20-w2oz1 | Vatet | Windows |
This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR-encoded shellcode read from the local disk or a network share. These loaders are often modified to execute the attacker's shellcode, usually Cobalt Strike beacons and/or stagers and, more recently, the PyXie RAT payload. Vatet loader is often seen as the first stage in an enterprise-wide ransomware attack. | 8041965231306e1c2dff3695d6327524 |
https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/
SHA256: 5aec2fa9e954473d9c6b5233512f833e63541965e2d2e4af2419a457676c440d
SHA1: d1df2aa545c341d512668fe82dfd067240d7d459
MD5: 8041965231306e1c2dff3695d6327524 |
M20-pceb1 | Vatet | Windows |
This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR-encoded shellcode read from the local disk or a network share. These loaders are often modified to execute the attacker's shellcode, usually Cobalt Strike beacons and/or stagers and, more recently, the PyXie RAT payload. Vatet loader is often seen as the first stage in an enterprise-wide ransomware attack. | 808c956808d1a47b50f51df08d45f391 |
https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/
SHA256: b7fbbbdf7e8795022a41f4e6a94be1de432ae1911e49625f73555e01a5fdc719
SHA1: 631722e3bb67297c0d0af1e5390a0390a16cd99d
MD5: 808c956808d1a47b50f51df08d45f391 |
M20-gjhy1 | Vatet | Windows |
This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR-encoded shellcode read from the local disk or a network share. These loaders are often modified to execute the attacker's shellcode, usually Cobalt Strike beacons and/or stagers and, more recently, the PyXie RAT payload. Vatet loader is often seen as the first stage in an enterprise-wide ransomware attack. | 4f2c11ee45ce87eeee7789b43cc91ac3 |
https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/
SHA256: 3259dd0efed1d28a149d4e8c4f980a19199d9bead951ee1231e3a26521185f2f
SHA1: 5de46e1ae70c456d867c7807a7dab337d11a03f0
MD5: 4f2c11ee45ce87eeee7789b43cc91ac3 |
M20-y21h2 | Vatet | Windows |
This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR-encoded shellcode read from the local disk or a network share. These loaders are often modified to execute the attacker's shellcode, usually Cobalt Strike beacons and/or stagers and, more recently, the PyXie RAT payload. Vatet loader is often seen as the first stage in an enterprise-wide ransomware attack. | b5d6214c223b3f6bc4a77c47e0e2a864 |
https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/
SHA256: 6f1e8f91773609087a417cb34887f292a0be5c246dab667195854f979a45349a
SHA1: 61f4e7dff34352fd8d065e57abaa60b149ebaae3
MD5: b5d6214c223b3f6bc4a77c47e0e2a864 |
M20-p3ko1 | Gh0stRAT_58db1853 | Windows |
This strike sends a malware sample known as Gh0stRAT. Gh0stRAT is a remote access Trojan that provides control over an infected system. Some of its known functions include the ability to record keystrokes, capture screenshots and download additional malicious payloads. | 58db185381561f59c85b0f5eccb428af |
https://blog.talosintelligence.com/2020/12/threat-roundup-1127-1204.html
SHA256: ad85f99b2d8de491c472aa7526dd02c4e788c2c7fbda519eb2e967c1419d3ec9
SHA1: ae744ee69906bc719a2db679f44ba288b9e9416d
MD5: 58db185381561f59c85b0f5eccb428af |
M20-2wgr1 | PyXie | Windows |
This strike sends a malware sample known as PyXie Lite. PyXie Lite is a variant of its predecessor PyXie, the Python RAT. It can be recognized by its much smaller code base and a few other noticeable changes in functionality, which include a hardened interpreter, a remapped opcode table, exfiltration of data through internal servers, and reconnaissance. | 571425452e7fa287ce283a4a4b479ff1 |
https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/2/
SHA256: 9847cea40cec394c947de06010ad1f3033316903b5c822ba16f9574acb30f0cd
SHA1: 518feab46fd17e85d685fe1b26bb3ff3eb7f499f
MD5: 571425452e7fa287ce283a4a4b479ff1 |
M20-adie1 | Sunburst_56ceb6d0 | Windows |
This strike sends a malware sample known as Sunburst. Sunburst is a Trojan that has recently been used to attack many high-profile government, technology, telecom and consulting organizations across North America, Asia, Europe and the Middle East. It is a digitally signed SolarWinds component of the Orion software framework that contains a backdoor, allowing it to communicate with external servers for command and control. The malware lies dormant for an extended period of time and then executes commands that allow for the transfer and execution of files, profiling of the system, and disabling of services. | 56ceb6d0011d87b6e4d7023d7ef85676 |
https://blog.truesec.com/2020/12/17/the-solarwinds-orion-sunburst-supply-chain-attack/
https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html
SHA256: c15abaf51e78ca56c0376522d699c978217bf041a3bd3c71d09193efa5717c71
SHA1: 75af292f34789a1c782ea36c7127bf6106f595e8
MD5: 56ceb6d0011d87b6e4d7023d7ef85676 |
M20-4h8j1 | PyXie | Windows |
This strike sends a malware sample known as PyXie Lite. PyXie Lite is a variant of its predecessor PyXie, the Python RAT. It can be recognized by its much smaller code base and a few other noticeable changes in functionality, which include a hardened interpreter, a remapped opcode table, exfiltration of data through internal servers, and reconnaissance. | 49819f0eee4399ea309d83fea14acb69 |
https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/2/
SHA256: 6485bec374f255831b7ddbfed9925e988dcd7e893f610842809dd7cd1988cffc
SHA1: 6c0bc83620d82967d75bcfb64196cc89a5a8ac11
MD5: 49819f0eee4399ea309d83fea14acb69 |
M20-08jw1 | PyXie | Windows |
This strike sends a malware sample known as PyXie Lite. PyXie Lite is a variant of its predecessor PyXie, the Python RAT. It can be recognized by its much smaller code base and a few other noticeable changes in functionality, which include a hardened interpreter, a remapped opcode table, exfiltration of data through internal servers, and reconnaissance. | 78038fcb760ec0d4a446e243f496f026 |
https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/2/
SHA256: c7ddbc24a57d1353d73533c47a65e5e3a74e3b666c1fed685fc90de1f089c72b
SHA1: 427c91fe58a5b05e0c1e164e0c1cddff651f96da
MD5: 78038fcb760ec0d4a446e243f496f026 |
M20-k9va1 | Vatet | Windows |
This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR-encoded shellcode read from the local disk or a network share. These loaders are often modified to execute the attacker's shellcode, usually Cobalt Strike beacons and/or stagers and, more recently, the PyXie RAT payload. Vatet loader is often seen as the first stage in an enterprise-wide ransomware attack. | 7031a1138e1892fb09bfbdf518dba07b |
https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/
SHA256: 2ceb5de547ad250140c7eb3c3d73e4331c94cf5a472e2806f93bf0d9df09d886
SHA1: fe14ed259e1125d6bec4d920af804cf0f6acf94b
MD5: 7031a1138e1892fb09bfbdf518dba07b |
M20-46m51 | Barys_c594feb4 | Windows |
This strike sends a polymorphic malware sample known as Barys. Barys is a trojan downloader that places additional malicious files on the victim machine. The binary has random bytes appended at the end of the file. | c594feb41863cd0726eadf0e1c376ee6 |
https://attack.mitre.org/techniques/T1009/
SHA256: b09f5955b5e0e1bdbe2e21af580b6d48baecf8362bbc9ca02010605b28ce4078
SHA1: a74fd87caf08b2e5710340312e19d5ccbdbdb8a1
PARENTID: M20-mxx31
SSDEEP: 384:UDLPVyLRFT8Mtls0IKJdhpEoa24+odbe419lZK38nmPsywEXZxg15iMISchoyMnw:MgbT8MlIcdk+odC41HjmzZX630nMnw
MD5: c594feb41863cd0726eadf0e1c376ee6 |
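The polymorphic strikes in this list (the Barys, Chthonic and Gh0stRAT variants that append random bytes to the file, pad an existing section, rename a section, or rewrite the PE timestamp) are hash-busting mutations of the sample named in their PARENTID field: every file-level MD5, SHA1 and SHA256 changes while the code that runs does not. The following is an added example, not part of this strike list or of any vendor tooling, showing how to recognise each mutation class by comparing a sample against its parent and how to compute a section-content fingerprint that survives them. It parses PE headers with the Python standard library only; the images it builds are constructed stand-ins with a fake certificate blob, not real samples, and the label names (overlay_appended, section_renamed, timestamp_changed, section_grown) are this example's own.

```python
import hashlib
import struct

FILE_ALIGN = 0x200  # file alignment used by the constructed images below

def valid_section_name(name: bytes) -> bool:
    """PE spec: 8 bytes, printable ASCII, NUL padding only after the last character."""
    text = name.rstrip(b"\0")
    return len(name) == 8 and b"\0" not in text and all(0x21 <= b <= 0x7E for b in text)

def parse_pe(data: bytes) -> dict:
    """Parse just enough of a PE image to see the fields these mutations touch."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe_off + 4
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, ..., SizeOfOptionalHeader, ...
    _, nsec, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    # Data directories start at +96 (PE32) or +112 (PE32+); entry 4 is the certificate table.
    cert_off, cert_len = struct.unpack_from("<II", data, opt + (96 if magic == 0x10B else 112) + 32)
    sections, end_of_sections = [], 0
    for i in range(nsec):
        hdr = opt + opt_size + 40 * i
        name = data[hdr:hdr + 8]
        _, _, raw_size, raw_ptr = struct.unpack_from("<IIII", data, hdr + 8)
        sections.append({"name": name, "name_ok": valid_section_name(name),
                         "raw_ptr": raw_ptr, "raw_size": raw_size})
        end_of_sections = max(end_of_sections, raw_ptr + raw_size)
    overlay = max(0, len(data) - end_of_sections)
    # An Authenticode certificate table legitimately sits in the overlay; do not count it.
    if cert_len and cert_off >= end_of_sections and cert_off + cert_len <= len(data):
        overlay -= cert_len
    return {"timestamp": timestamp, "sections": sections, "overlay_size": overlay}

def content_fingerprint(data: bytes) -> str:
    """SHA-256 over section bodies only: overlay, timestamp and section names do not affect it."""
    h = hashlib.sha256()
    for s in parse_pe(data)["sections"]:
        h.update(data[s["raw_ptr"]:s["raw_ptr"] + s["raw_size"]])
    return h.hexdigest()

def classify_mutations(parent: bytes, child: bytes) -> list:
    """Label the structural differences between a sample and its PARENTID sample."""
    p, c = parse_pe(parent), parse_pe(child)
    found = []
    if c["timestamp"] != p["timestamp"]:
        found.append("timestamp_changed")
    if c["overlay_size"] > p["overlay_size"]:
        found.append("overlay_appended")
    for ps, cs in zip(p["sections"], c["sections"]):
        if ps["name"] != cs["name"]:
            found.append("section_renamed" if cs["name_ok"] else "section_renamed_malformed")
        if cs["raw_size"] > ps["raw_size"]:
            found.append("section_grown")
    return found

def build_pe(names, payloads, timestamp, cert_blob=b""):
    """Constructed minimal PE32 image (valid headers plus section bodies, no real code)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                      # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(payloads), timestamp, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                        # PE32 magic
    struct.pack_into("<I", opt, 36, FILE_ALIGN)                  # FileAlignment
    struct.pack_into("<I", opt, 60, FILE_ALIGN)                  # SizeOfHeaders
    struct.pack_into("<I", opt, 92, 16)                          # NumberOfRvaAndSizes
    table, body, raw_ptr = bytearray(), bytearray(), FILE_ALIGN
    for i, (name, payload) in enumerate(zip(names, payloads)):
        raw_size = -(-len(payload) // FILE_ALIGN) * FILE_ALIGN
        table += name.ljust(8, b"\0")[:8]
        table += struct.pack("<IIIIIIHHI", len(payload), 0x1000 * (i + 1), raw_size, raw_ptr,
                             0, 0, 0, 0, 0x60000020)
        body += payload.ljust(raw_size, b"\0")
        raw_ptr += raw_size
    if cert_blob:  # WIN_CERTIFICATE: dwLength, wRevision, wCertificateType, bCertificate
        cert = struct.pack("<IHH", 8 + len(cert_blob), 0x0200, 0x0002) + cert_blob
        struct.pack_into("<II", opt, 96 + 32, raw_ptr, len(cert))  # security directory entry
        body += cert
    return bytes((dos + b"PE\0\0" + coff + opt + table).ljust(FILE_ALIGN, b"\0") + body)

# Constructed parent and mutants mirroring the catalogue's polymorphic variants (fake data).
SEED = bytes(range(256)) * 2
PARENT = build_pe([b".text", b".data"], [SEED, b"cfg=1"], 0x5FC0FFEE, b"fake-signature")
PADDED = PARENT + b"\xAA" * 64                                   # random bytes appended to the file
RENAMED = build_pe([b".text", b".xyz"], [SEED, b"cfg=1"], 0x5FC0FFEE, b"fake-signature")
STAMPED = build_pe([b".text", b".data"], [SEED, b"cfg=1"], 0x11223344, b"fake-signature")
SLACK = PARENT[:0x500] + b"\xBB" * 32 + PARENT[0x520:]            # bytes written into .data slack

def demo() -> dict:
    """Classify each mutant against the parent; the slack-space one is structurally invisible."""
    mutants = {"padded": PADDED, "renamed": RENAMED, "stamped": STAMPED, "slack": SLACK}
    return {k: classify_mutations(PARENT, v) for k, v in mutants.items()}
```

Two points worth keeping in mind when turning this into a real triage check. First, the certificate-table exclusion matters: a genuinely signed binary carries its Authenticode table in the overlay, so a bare "bytes past the last section" test would flag every signed executable. Second, the slack-space mutant (random contents written inside an existing section's padding) leaves headers, section table and file size untouched, so only the section-content fingerprint moves; that is exactly the gap a similarity hash such as the SSDEEP value listed for each variant is meant to cover.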
M20-ybbq1 | Vatet | Windows |
This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR encoded shellcode from the local disk or a network share. These loaders are often modified in order to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or as of lately the PyXie RAT payload. Vatet loader is often seen as the first stage in an Enterprise wide ransomware attack. | e5b622b9864d3a2e31a4edac46c1cb0c | https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/SHA256: e07dd37c92d24ac20b94a183e1f0a22a4eec0f950f441761c065faf0afd2abddSHA1: e01af7b18c432fa352fea4a166e56c60e6895d0aMD5: e5b622b9864d3a2e31a4edac46c1cb0c |
M20-xo5t1 | PyXie | Windows |
This strike sends a malware sample known as PyXie Lite. PyXie Lite is a variant of its predecessor PyXie, the Python RAT. It can be recognized by its much smaller code base and a few other noticeable changes in its functionality, which include a hardened interpreter, remapped opcode table, exfiltration of data through internal servers, and performing reconnaissance. | 38bb2a242823592548a6c6539d69e72a | https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/2/SHA256: c58f5b3f7300a13fd9a0a61757e20399fc5e86544befdafae15e8809a02c2db0SHA1: aaed6ef09b54137cb62bb55ec20f73407739537fMD5: 38bb2a242823592548a6c6539d69e72a |
M20-gt381 | Gh0stRAT_d2a67090 | Windows |
This strike sends a malware sample known as Gh0stRAT. Gh0stRAT is a remote access Trojan that provides control over an infected system. Some of its known functions include the ability to record keystrokes, record screenshots and download additional malicious payloads. | d2a67090e3a8b6d1ca55ff3f3f00c768 | https://blog.talosintelligence.com/2020/12/threat-roundup-1127-1204.htmlSHA256: c10af0e4b2e6dd378d5c69d44cd61657dc96fa8facf5b61f45c9b49071208811SHA1: e8cc4081e07c07c593424ccde149cd8782dd27e6MD5: d2a67090e3a8b6d1ca55ff3f3f00c768 |
M20-f6xg1 | Vatet | Windows |
This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR encoded shellcode from the local disk or a network share. These loaders are often modified in order to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or as of lately the PyXie RAT payload. Vatet loader is often seen as the first stage in an Enterprise wide ransomware attack. | 94b27b9de692308cdb07aa6cc31391f1 | https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/SHA256: 66c2038c6d86333cbc51726bc54d3b8a00162493b2c92ca7f839b50435eaa314SHA1: 500719895a31db2d1a3e81b3c798e39a89f3dee2MD5: 94b27b9de692308cdb07aa6cc31391f1 |
M20-lise1 | Vatet | Windows |
This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR encoded shellcode from the local disk or a network share. These loaders are often modified in order to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or as of lately the PyXie RAT payload. Vatet loader is often seen as the first stage in an Enterprise wide ransomware attack. | 41eff4cd049a8b5debf437b229e7c044 | https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/SHA256: 91c62841844bde653e0357193a881a42c0bc9fcc798a69f451511c6e4c46fd18SHA1: 0491a3d718b76aae5f81bb8dfac49eb0c427f8a2MD5: 41eff4cd049a8b5debf437b229e7c044 |
M20-p32m1 | Vatet | Windows |
This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR encoded shellcode from the local disk or a network share. These loaders are often modified in order to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or as of lately the PyXie RAT payload. Vatet loader is often seen as the first stage in an Enterprise wide ransomware attack. | 4b3064c24cb16361027233138fd539dc | https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/SHA256: 87210d6f1773473d28b51de21ed55ecfb6a9bd34f56d2d37f483ed05a1d7efd8SHA1: 8b1da0482b98f77f86f35e830a4a94b3d884e3a0MD5: 4b3064c24cb16361027233138fd539dc |
M20-569e1 | Chthonic_eda8ab97 | Windows |
This strike sends a malware sample known as Chthonic. Chthonic is a banking trojan that is normally delivered by the attacker via phishing emails. Its purpose to to exfiltrate sensitive credentials from the victim machine, and has also been seen delivering other malware like AZORult to perform additional functionality. | eda8ab9741ff7b166c04d59e4c778a45 | https://blog.talosintelligence.com/2020/12/threat-roundup-1127-1204.htmlSHA256: d999dc87b0d9c537f3182f9ec8b1b2e781f1690f08ab69be141404f9ee9b1ce3SHA1: 6b07119eb7943251d43fbeb07195065189bc0dcdMD5: eda8ab9741ff7b166c04d59e4c778a45 |
M20-m3881 | Defray777_aa1ddf0c | Linux |
This strike sends a malware sample known as Defray777. Defray777 is an elusive family of Ransomware also known as RansomX and RansomExx that has been active since 2018. It runs entirely in memory, and is typically delivered and executed by a loader such as Cobalt Strike. The malware has been ported to Linux, however unlike the Windows variant the Linux variant doesn't employ Anti-Analysis measures to hinder reverse engineering. | aa1ddf0c8312349be614ff43e80a262f | https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/3/SHA256: cb408d45762a628872fa782109e8fcfc3a5bf456074b007de21e9331bb3c5849SHA1: 91ad089f5259845141dfb10145271553aa711a2bMD5: aa1ddf0c8312349be614ff43e80a262f |
M20-c9oj1 | Vatet | Windows |
This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR encoded shellcode from the local disk or a network share. These loaders are often modified in order to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or as of lately the PyXie RAT payload. Vatet loader is often seen as the first stage in an Enterprise wide ransomware attack. | 23dae47577cda08dfc82e65e1217cbee | https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/SHA256: 47d6cc0a05218d0c1078dabf8d0ca7b7b424cdd73eaf3bf6261fa1b42f92fe0bSHA1: 89372b60bcee0329e442e601a81766f88baf89e9MD5: 23dae47577cda08dfc82e65e1217cbee |
M20-p1491 | Vatet | Windows |
This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR encoded shellcode from the local disk or a network share. These loaders are often modified in order to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or as of lately the PyXie RAT payload. Vatet loader is often seen as the first stage in an Enterprise wide ransomware attack. | 23594ad0ba8ec37ad5eaec84aee9cecd | https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/SHA256: 73609f8ebd14c6970d9162ec8d7786f5264e910573dff73881f85b03163bd40eSHA1: 41ec57139e036ccbc7feb2d6485bc4456317cd7eMD5: 23594ad0ba8ec37ad5eaec84aee9cecd |
M20-r3of1 | Sunburst_2c4a910a | Windows |
This strike sends a malware sample known as Sunburst. Sunburst is a malware Trojan that has recently attacked many high profile government, technology, telecom, and consulting companies in numerous locations in North America, Asia, Europe, and the Middle East. It is a SolarWinds digitally-signed component of the Orion software framework that contains a backdoor that allows for it to communicate with external servers to perform Command and Control functionality. The malware lays dormant for an extended period of time and then executes commands, that allow for the transfer and execution of files, profiling the system, and disabling services. | 2c4a910a1299cdae2a4e55988a2f102e | https://blog.truesec.com/2020/12/17/the-solarwinds-orion-sunburst-supply-chain-attack/https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.htmlSHA256: 019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134SHA1: 2f1a5a7411d015d01aaee4535835400191645023MD5: 2c4a910a1299cdae2a4e55988a2f102e |
M20-bu5m1 | Vatet | Windows |
This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR encoded shellcode from the local disk or a network share. These loaders are often modified in order to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or as of lately the PyXie RAT payload. Vatet loader is often seen as the first stage in an Enterprise wide ransomware attack. | 2133b1c7bb6145cdd121eb8c423d35a7 | https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/SHA256: 1309b052618c6301901ec75cf552e7b49f93d66fb47d4de59b82d37d6ac39039SHA1: 15fdcf02b66f83c11f6d256e37ff9a901685e354MD5: 2133b1c7bb6145cdd121eb8c423d35a7 |
M20-p99v1 | Vatet | Windows |
This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR-encoded shellcode from the local disk or a network share. These loaders are often modified to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or, more recently, the PyXie RAT payload. Vatet Loader is often seen as the first stage in an enterprise-wide ransomware attack. | ae07f0b180bc52b39000f50353e4e97d | https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/ SHA256: 88565b4c707230eac34d4528205056264cd70d797b6b4eb7d891821b00187a69 SHA1: 682e5f116a0aea2b097f05c9a6009d6d499b71bc MD5: ae07f0b180bc52b39000f50353e4e97d |
M20-fvau1 | PyXie | Windows |
This strike sends a malware sample known as PyXie Lite. PyXie Lite is a variant of its predecessor PyXie, the Python RAT. It can be recognized by its much smaller code base and a few other noticeable changes in its functionality, which include a hardened interpreter, a remapped opcode table, exfiltration of data through internal servers, and reconnaissance. | 36ae75fd0c0afc7d6503f66880d6acf8 | https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/2/ SHA256: 5e90a331bafd98e41bcf36419c44bd7ff8296ac18cce652e944ae22db15a5366 SHA1: d2aca69c9060161cfa20c4e3aa92d3633f1cf8ba MD5: 36ae75fd0c0afc7d6503f66880d6acf8 |
M20-vrpk1 | Chthonic_7e665259 | Windows |
This strike sends a malware sample known as Chthonic. Chthonic is a banking trojan that is normally delivered by the attacker via phishing emails. Its purpose is to exfiltrate sensitive credentials from the victim machine, and it has also been seen delivering other malware, such as AZORult, to perform additional functionality. | 7e665259f4178cfc254d809d3acfc2b2 | https://blog.talosintelligence.com/2020/12/threat-roundup-1127-1204.html SHA256: d5ed9e42ec45ed31455433272ab28baa6392ffbca83d787b272aae011ef5db13 SHA1: b55ca4aec4a079dc23f8b1842a743d201536bf8c MD5: 7e665259f4178cfc254d809d3acfc2b2 |
M20-ziag1 | Barys_2775ccd0 | Windows |
This strike sends a polymorphic malware sample known as Barys. Barys is a trojan and downloader that will upload malicious files to the victim machine. The binary has a new section added in the PE file format with random contents. | 2775ccd010831c057c8d3c822adf7fc3 | https://arxiv.org/abs/1801.08917 SHA256: c76b574047bf0fd21da5256ba787faea64ad816d2d1af16a23548a101d449be0 SHA1: d551a54045ed0eeb686284f2cd3b9adb28431e2b PARENTID: M20-rmoa1 SSDEEP: 384:DDLPVyLRFT8Mtls0IKJdhpEoa24+odbe419lZK38nmPsywEJdxg15GMIScho9me:jgbT8MlIcdk+odC41HjmzZJmr0je MD5: 2775ccd010831c057c8d3c822adf7fc3 |
M20-runn1 | Vatet | Windows |
This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR-encoded shellcode from the local disk or a network share. These loaders are often modified to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or, more recently, the PyXie RAT payload. Vatet Loader is often seen as the first stage in an enterprise-wide ransomware attack. | aa0bf0045c4faa988815117cebcacdeb | https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/ SHA256: c7f96f8b15c324bd6bf1aa16f6697d6d407f91ad2d7628a14d70f146334d34be SHA1: e744a577e52d594342bb727ef268796553f2c0d3 MD5: aa0bf0045c4faa988815117cebcacdeb |
M20-g4s61 | Vatet | Windows |
This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR-encoded shellcode from the local disk or a network share. These loaders are often modified to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or, more recently, the PyXie RAT payload. Vatet Loader is often seen as the first stage in an enterprise-wide ransomware attack. | 4bee85530d15be0a9e6c8672e355ddc6 | https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/ SHA256: ce0936366976f07ea24e86733888e97e421393829ecfd0fde66bd943d4b992ab SHA1: 69111b86feb35bc38f22f9cd3797144c3a154d2a MD5: 4bee85530d15be0a9e6c8672e355ddc6 |
M20-mxx31 | Barys_f815281e | Windows |
This strike sends a malware sample known as Barys. Barys is a trojan and downloader that will upload malicious files to the victim machine. | f815281ed4b16169e0b474dbac612bbc | https://blog.talosintelligence.com/2020/12/threat-roundup-1127-1204.html SHA256: c88f7682caa26ce756341a27d45f3c6507641249b3b26e2381decf768930e43f SHA1: 69174275cdef661c88060872d16f559726e391aa MD5: f815281ed4b16169e0b474dbac612bbc |
M20-bgsm1 | Chthonic_4ad3b625 | Windows |
This strike sends a malware sample known as Chthonic. Chthonic is a banking trojan that is normally delivered by the attacker via phishing emails. Its purpose is to exfiltrate sensitive credentials from the victim machine, and it has also been seen delivering other malware, such as AZORult, to perform additional functionality. | 4ad3b625ebadf92523edc1b0730dba9a | https://blog.talosintelligence.com/2020/12/threat-roundup-1127-1204.html SHA256: ae2261cf8620e125ea3f5ca178ed304858db9aba288d8db81c066ba3e9b6b470 SHA1: 490e553b0a1697935d32489d30bf4b4c97939cc8 MD5: 4ad3b625ebadf92523edc1b0730dba9a |
M20-ug9n1 | Vatet | Windows |
This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR-encoded shellcode from the local disk or a network share. These loaders are often modified to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or, more recently, the PyXie RAT payload. Vatet Loader is often seen as the first stage in an enterprise-wide ransomware attack. | 4d1b52e30629477a12dcf2bbbc196e88 | https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/ SHA256: d7d28af8af5be22ecca267bdc7e142667f584550cf8a3bbebdb1368725bb6469 SHA1: 2ff4fb871acd8e48b549a3c00df91c014ef1c0f7 MD5: 4d1b52e30629477a12dcf2bbbc196e88 |
M20-neon1 | PyXie | Windows |
This strike sends a malware sample known as PyXie RAT. PyXie is a Python Remote Access Trojan. It has been seen in the wild since 2018, and is typically seen in conjunction with Cobalt Strike beacons. PyXie has been used to deliver ransomware attacks to the healthcare and education industries. | 4d9e184b5e67c83a4a9901ee43232934 | https://blogs.blackberry.com/en/2019/12/meet-pyxie-a-nefarious-new-python-rat SHA256: e2faf6586f8ac70cd98e4ec648f79435bfabaf84d440044aedce0c5c59b662e8 SHA1: 2b2aeeda9282e1b924e228bae316d265d1eeacc9 MD5: 4d9e184b5e67c83a4a9901ee43232934 |
M20-qz1e1 | Defray777_fcd21c6f | Windows |
This strike sends a malware sample known as Defray777. Defray777 is an elusive family of ransomware, also known as RansomX and RansomExx, that has been active since 2018. It runs entirely in memory and is typically delivered and executed by a loader such as Cobalt Strike. The malware has been ported to Linux; however, unlike the Windows variant, the Linux variant does not employ anti-analysis measures to hinder reverse engineering. | fcd21c6fca3b9378961aa1865bee7ecb | https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/3/ SHA256: 4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458 SHA1: 0abaa05da2a05977e0baf68838cff1712f1789e0 MD5: fcd21c6fca3b9378961aa1865bee7ecb |
M20-5upn1 | Sunburst_b91ce2fa | Windows |
This strike sends a malware sample known as Sunburst. Sunburst is a Trojan that has recently been used to attack many high-profile government, technology, telecom, and consulting companies in numerous locations in North America, Asia, Europe, and the Middle East. It is a digitally signed SolarWinds component of the Orion software framework that contains a backdoor allowing it to communicate with external servers for command and control. The malware lies dormant for an extended period of time and then executes commands that allow for the transfer and execution of files, profiling of the system, and disabling of services. | b91ce2fa41029f6955bff20079468448 | https://blog.truesec.com/2020/12/17/the-solarwinds-orion-sunburst-supply-chain-attack/ https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html SHA256: 32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77 SHA1: 76640508b1e7759e548771a5359eaed353bf1eec MD5: b91ce2fa41029f6955bff20079468448 |
M20-c3ej1 | PyXie | Windows |
This strike sends a malware sample known as PyXie Lite. PyXie Lite is a variant of its predecessor PyXie, the Python RAT. It can be recognized by its much smaller code base and a few other noticeable changes in its functionality, which include a hardened interpreter, a remapped opcode table, exfiltration of data through internal servers, and reconnaissance. | 111019f2333c79cd320b3acc474df34c | https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/2/ SHA256: 84428ece8efcb6298435b15d3c4ea281592accf0990cc840ef3a7a0644191061 SHA1: 690e6e0067ca394b0f5177b398fe0e5563963adc MD5: 111019f2333c79cd320b3acc474df34c |
M20-aoa01 | Gh0stRAT_52729f8b | Windows |
This strike sends a malware sample known as Gh0stRAT. Gh0stRAT is a remote access Trojan that provides control over an infected system. Some of its known functions include the ability to record keystrokes, record screenshots and download additional malicious payloads. | 52729f8b7185d792be872d0821a251a0 | https://blog.talosintelligence.com/2020/12/threat-roundup-1127-1204.html SHA256: b2bf5993d399a91c2ef2d3629a201c8f97702b9359c0bef119e3391eaf47acab SHA1: 3f9087791230f65247e353f499d6a156dfc77ae6 MD5: 52729f8b7185d792be872d0821a251a0 |
M20-gl0j1 | PyXie | Windows |
This strike sends a malware sample known as PyXie RAT. PyXie is a Python Remote Access Trojan. It has been seen in the wild since 2018, and is typically seen in conjunction with Cobalt Strike beacons. PyXie has been used to deliver ransomware attacks to the healthcare and education industries. | 1cae93d1e1ab2e6bb1db8b65d374b785 | https://blogs.blackberry.com/en/2019/12/meet-pyxie-a-nefarious-new-python-rat SHA256: ed675db1e7c93526141d40ba969bdc5bbdfd013932aaf1e644c66db66ff008e0 SHA1: 6a0a7e3a21888b87fde3323e0dc4fc085e71a8b7 MD5: 1cae93d1e1ab2e6bb1db8b65d374b785 |
M20-2de21 | Vatet | Windows |
This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR-encoded shellcode from the local disk or a network share. These loaders are often modified to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or, more recently, the PyXie RAT payload. Vatet Loader is often seen as the first stage in an enterprise-wide ransomware attack. | 26e4a7443332461d330e6dc4e9a22f5b | https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/ SHA256: a50a25a312adb9103e52e94018013ebdb6dbfe792a34122cacd53cfa3bbb26ac SHA1: 9f98147977ce4afd45be30b05e6169ed3522a66e MD5: 26e4a7443332461d330e6dc4e9a22f5b |
M20-iilb1 | Vatet | Windows |
This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR-encoded shellcode from the local disk or a network share. These loaders are often modified to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or, more recently, the PyXie RAT payload. Vatet Loader is often seen as the first stage in an enterprise-wide ransomware attack. | fe180737bfb5436a592581de52ed9368 | https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/ SHA256: 0d14a1b5574dc12f6286d37d0a624232fb63079416b98c2e1cb5c61f8c2b66ff SHA1: 4c8e2a76a08060d0bc727cb92962263d356d0e63 MD5: fe180737bfb5436a592581de52ed9368 |
M20-4zuy1 | PyXie | Windows |
This strike sends a malware sample known as PyXie Lite. PyXie Lite is a variant of its predecessor PyXie, the Python RAT. It can be recognized by its much smaller code base and a few other noticeable changes in its functionality, which include a hardened interpreter, a remapped opcode table, exfiltration of data through internal servers, and reconnaissance. | e4940335c81b5bcd4713ad929027077e | https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/2/ SHA256: a7affc0d93e27165ce44c55ae28189e8b55967443f9e464232f230ab4ba175ca SHA1: f0f9bd7a786f3ea78ceada0749d36d802b20298f MD5: e4940335c81b5bcd4713ad929027077e |
M20-bkym1 | Vatet | Windows |
This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR-encoded shellcode from the local disk or a network share. These loaders are often modified to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or, more recently, the PyXie RAT payload. Vatet Loader is often seen as the first stage in an enterprise-wide ransomware attack. | 25e8d46d27e0a1034804aba00ba75d38 | https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/ SHA256: d612144c1f6d4a063530ba5bfae7ef4e4ae134bc55dcf067439471934b841b00 SHA1: c42bb245cddbaaeb80fe1b178600ca353161b9f0 MD5: 25e8d46d27e0a1034804aba00ba75d38 |
M20-mqub1 | Barys_1aeb9636 | Windows |
This strike sends a malware sample known as Barys. Barys is a trojan and downloader that will upload malicious files to the victim machine. | 1aeb9636011a15736fa535f7d3ba7f9d | https://blog.talosintelligence.com/2020/12/threat-roundup-1127-1204.html SHA256: a404215539b7bc308e112222493ba4d59a41adeb5204e59ad14cd7836dd6a545 SHA1: 062caa4e2bda8b359cb6ff2ec160918b37ef1dcb MD5: 1aeb9636011a15736fa535f7d3ba7f9d |
M20-q0yy1 | Sunburst_d5aad0d2 | Windows |
This strike sends a malware sample known as Sunburst. Sunburst is a Trojan that has recently been used to attack many high-profile government, technology, telecom, and consulting companies in numerous locations in North America, Asia, Europe, and the Middle East. It is a digitally signed SolarWinds component of the Orion software framework that contains a backdoor allowing it to communicate with external servers for command and control. The malware lies dormant for an extended period of time and then executes commands that allow for the transfer and execution of files, profiling of the system, and disabling of services. | d5aad0d248c237360cf39c054b654d69 | https://blog.truesec.com/2020/12/17/the-solarwinds-orion-sunburst-supply-chain-attack/ https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html SHA256: abe22cf0d78836c3ea072daeaf4c5eeaf9c29b6feb597741651979fc8fbd2417 SHA1: b485953ed77caefe81bff0d9b349a33c5cea4cde MD5: d5aad0d248c237360cf39c054b654d69 |
M20-fibd1 | PyXie | Windows |
This strike sends a malware sample known as PyXie RAT. PyXie is a Python Remote Access Trojan. It has been seen in the wild since 2018, and is typically seen in conjunction with Cobalt Strike beacons. PyXie has been used to deliver ransomware attacks to the healthcare and education industries. | 837dda0135b0aa7628874b451c66b50f | https://blogs.blackberry.com/en/2019/12/meet-pyxie-a-nefarious-new-python-rat SHA256: 3a47e59c37dce42304b345a16ba6a3d78fc44b21c4d0e3a0332eee21f1d13845 SHA1: 3a196669ea458c4e9e3bc4272c7046c688fd63b3 MD5: 837dda0135b0aa7628874b451c66b50f |
M20-npvg1 | Vatet | Windows |
This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR-encoded shellcode from the local disk or a network share. These loaders are often modified to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or, more recently, the PyXie RAT payload. Vatet Loader is often seen as the first stage in an enterprise-wide ransomware attack. | 6363cba1430bf8a617d789b49e275975 | https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/ SHA256: 7ad92c9d63bd9ed305acbe217c40f9945deb98ed5ecced8b92b93332dc27d3c6 SHA1: 0f0966c832dcb143be60ce1f296f8b177e4f0220 MD5: 6363cba1430bf8a617d789b49e275975 |