Malware Monthly Update July - 2020

Malware Strikes

Each entry lists: Strike ID, Malware, Platform, Info, MD5 (with SHA256/SHA1 and, for polymorphic variants, PARENTID and SSDEEP), External References.
Strike ID: M20-ysaj1
Malware: WellMess_ae7a4652
Platform: Linux
Info: This strike sends a malware sample known as WellMess. WellMess is a lightweight malware written in either Golang or .NET. It has been seen in the wild targeting organizations involved in COVID-19 research and vaccine development. It is designed to execute arbitrary shell commands and to upload and download files. These samples are implants that allow a remote operator to establish encrypted communication with C2 servers to send and retrieve malicious scripts on an infected system.
External References: https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198b
SHA256: fd3969d32398bbe3709e9da5f8326935dde664bbc36753bd41a0b111712c0950
SHA1: a57c896486564d7663a4dce6fbf723a1deb81378
MD5: ae7a46529a0f74fb83beeb1ab2c68c5c
Strike ID: M20-60oe1
Malware: TinyBanker_3b97508b
Platform: Windows
Info: This strike sends a malware sample known as TinyBanker. The malware TinyBanker, also known as Zusy or Tinba, is a trojan that uses a JavaScript-injected form to steal banking information. When executed, it injects itself into Windows processes like "explorer.exe" and "winver.exe".
External References: https://blog.talosintelligence.com/2020/07/threat-roundup-0710-0717.html
SHA256: 1be832d22e4a3c920076ff78eeb08e73d0077b04d29b29c2347c5de170b425d4
SHA1: 0be8014136efed974c83cdad29cf22d023f95538
MD5: 3b97508b20857a70120a3ae571ce8abc
Strike ID: M20-ou7j1
Malware: TinyBanker_02b612be
Platform: Windows
Info: This strike sends a malware sample known as TinyBanker. The malware TinyBanker, also known as Zusy or Tinba, is a trojan that uses a JavaScript-injected form to steal banking information. When executed, it injects itself into Windows processes like "explorer.exe" and "winver.exe".
External References: https://blog.talosintelligence.com/2020/07/threat-roundup-0710-0717.html
SHA256: 02f714d9530681ca2b5de1651c8e71a29c0bef9fc570a2d54eeb24d8ffcf02be
SHA1: ed76f0d9db122bc079de1eb49e704e0d1be77a55
MD5: 02b612be794b972b9aa5a3edf461680e
Strike ID: M20-shxr1
Malware: TinyBanker_1d646810
Platform: Windows
Info: This strike sends a polymorphic malware sample known as TinyBanker. The malware TinyBanker, also known as Zusy or Tinba, is a trojan that uses a JavaScript-injected form to steal banking information. When executed, it injects itself into Windows processes like "explorer.exe" and "winver.exe". The binary has one section renamed with a random name according to the PE format specification.
External References: https://arxiv.org/abs/1801.08917
SHA256: b30c8bee53959b6c17a8838676b5a55716b63acfa5b69ad5d1e3b82cb0c289dc
SHA1: bd8ad94876509125653bad3a5b513c2416c25551
PARENTID: M20-ou7j1
SSDEEP: 768:F/g94T0zUb/PnM3PC8Q8MVUgiCn4Pd3r9PLjpoNPydMUgtL:m4QUbHM3PC8Q1Hn417sNPy+L
MD5: 1d646810d3fbc4b2e3f332481f160798
Strike ID: M20-mt3r1
Malware: NetWire_01281973
Platform: Windows
Info: This strike sends a malware sample known as NetWire. NetWire is a Remote Access Trojan that lets attackers execute commands on the infected host.
External References: https://blog.talosintelligence.com/2020/07/threat-roundup-0703-0710.html
SHA256: 005d4ba8835d3554bebf46c7910bbf3b8823c08abec4270b9096dd22ecf295a4
SHA1: 575db9cf2121110f36fe934e56be71c49332426b
MD5: 012819731462ea2ad6234817a040d7af
Strike ID: M20-9qvu1
Malware: NetWire_53abe793
Platform: Windows
Info: This strike sends a polymorphic malware sample known as NetWire. NetWire is a Remote Access Trojan that lets attackers execute commands on the infected host. The binary has random strings (lorem ipsum) appended at the end of the file.
External References: https://attack.mitre.org/techniques/T1009/
SHA256: 9cae09583a2584c4e58bc67ed8f17b78f6e4b8f0470e1112ad56814fa8a2fa6d
SHA1: 9afbfc8108f3af6e7d68b0c636d2c26e878aca34
PARENTID: M20-mt3r1
SSDEEP: 1536:3UEd6yGrbtK9aao4svmGOKt7dZ+tjFKRgA+JF+:3QT8svpbqFK6AV
MD5: 53abe793f2805e7aabf5b6422a4e7ac5
Strike ID: M20-8ojj1
Malware: WastedLocker_bceb4f44
Platform: Windows
Info: This strike sends a malware sample known as WastedLocker. WastedLocker is a new targeted ransomware created by the organization known as Evil Corp. Recently it has been seen in the wild attacking mostly US-based Fortune 500 companies. Once a system is infected, PsExec runs the WastedLocker binary, which begins to encrypt data on the system and to delete shadow volumes. The encrypted files are marked with a combination of the company's name and the string "wasted". Additionally, files with the appended string "_info" contain the ransom note left behind.
External References: https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/
SHA256: 97a1e14988672f7381d54e70785994ed45c2efe3da37e07be251a627f25078a7
SHA1: b99090009cf758fa7551b197990494768cd58687
MD5: bceb4f44d73f1a784e0af50e233eb1b4
Strike ID: M20-zl9k1
Malware: WellMess_e7caca72
Platform: Windows
Info: This strike sends a polymorphic malware sample known as WellMess. WellMess is a lightweight malware written in either Golang or .NET. It has been seen in the wild targeting organizations involved in COVID-19 research and vaccine development. It is designed to execute arbitrary shell commands and to upload and download files. These samples are implants that allow a remote operator to establish encrypted communication with C2 servers to send and retrieve malicious scripts on an infected system. The binary has random contents appended to one of the existing sections in the PE file format.
External References: https://arxiv.org/abs/1801.08917
SHA256: f572ef4a9e7118f9c34196b769e6d627a106a5663199a2252439d30dd8408db4
SHA1: e32c320359b6c29bcd01333a2f3b8a80eee60776
PARENTID: M20-n8yw1
SSDEEP: 6144:4t4156qfXqT02bFXCYv123kUo4GECAOcL6xDE4U:oc6qkt5vdU6ECe4U
MD5: e7caca722341bff3e4fe32ac6609874b
Strike ID: M20-e4431
Malware: WastedLocker_d7eefcce
Platform: Windows
Info: This strike sends a malware sample known as WastedLocker. WastedLocker is a new targeted ransomware created by the organization known as Evil Corp. Recently it has been seen in the wild attacking mostly US-based Fortune 500 companies. Once a system is infected, PsExec runs the WastedLocker binary, which begins to encrypt data on the system and to delete shadow volumes. The encrypted files are marked with a combination of the company's name and the string "wasted". Additionally, files with the appended string "_info" contain the ransom note left behind.
External References: https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/
SHA256: 9056ec1ee8d1b0124110e9798700e473fb7c31bc0656d9fc83ed0ac241746064
SHA1: e13f75f25f5830008a4830a75c8ccacb22cebe7b
MD5: d7eefcce371e3deec178a2a1c12f2c22
Strike ID: M20-bvxf1
Malware: DarkComet_75a0a9c2
Platform: Windows
Info: This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system.
External References: https://blog.talosintelligence.com/2020/06/threat-roundup-0529-0605.html
SHA256: 1899e0b8e3b986a5de287ba23c6e81b287078d7d17eecf30eb10b8013633f709
SHA1: 24827e97f23017121572c363d515bf3f65bbb7ec
MD5: 75a0a9c29a1af4867e318fa63c79b056
Strike ID: M20-amc21
Malware: Emotet_86e76726
Platform: Windows
Info: This strike sends a polymorphic malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails. The binary has the checksum removed in the PE file format.
External References: https://arxiv.org/abs/1801.08917
SHA256: 337241ed419d172fd9aca0dbce8892307682de1ad2adff179d1f3b0525935e64
SHA1: 83214658e8833682921a50f3bbf594366aaecf90
PARENTID: M20-75mm1
SSDEEP: 6144:JjNX3w7TC9rybQb3AnUpBlvKLB6bVlWi+e6k46qz2g5cvAtyKZD:JRX3wK9rybO3AlLBeTWi+eO6e23AtyK
MD5: 86e76726bffb79bf1ef261c8cea56510
Strike ID: M20-cyes1
Malware: SoreFang_01d322dc
Platform: Linux
Info: This strike sends a malware sample known as SoreFang. This sample is a Trojan implant designed to exploit Sangfor SSL VPN servers. It has been seen targeting organizations involved in COVID-19 research and vaccine development. It replaces the legitimate Sangfor VPN software distributed to VPN clients. The malware gives the attacker remote control over the infected machine.
External References: https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198a
SHA256: 0c5ad1e8fe43583e279201cdb1046aea742bae59685e6da24e963a41df987494
SHA1: 8830e9d90c508adf9053e9803c64375bc9b5161a
MD5: 01d322dcac438d2bb6bce2bae8d613cb
Strike ID: M20-qcbv1
Malware: DarkComet_de957930
Platform: Windows
Info: This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system.
External References: https://blog.talosintelligence.com/2020/06/threat-roundup-0529-0605.html
SHA256: 152d31444542e5096b757127ed11c3aa8aa75869c7bed47c110251d6e4dc73de
SHA1: e4058766d3b0d672b843840cd267dfd1246c0c18
MD5: de95793098522775a222b0b874bcacc9
Strike ID: M20-3il91
Malware: NetWire_4e05cb20
Platform: Windows
Info: This strike sends a malware sample known as NetWire. NetWire is a Remote Access Trojan that lets attackers execute commands on the infected host.
External References: https://blog.talosintelligence.com/2020/07/threat-roundup-0703-0710.html
SHA256: 83ab262d766c76a413251c5b7f7598eac14e6a273580ef388be2f1856baed52c
SHA1: e36f2685995d242b593de10a7e70905c6ead90f7
MD5: 4e05cb209291091b7263c7d4f5c31103
Strike ID: M20-g2pn1
Malware: TinyBanker_038d0f48
Platform: Windows
Info: This strike sends a malware sample known as TinyBanker. The malware TinyBanker, also known as Zusy or Tinba, is a trojan that uses a JavaScript-injected form to steal banking information. When executed, it injects itself into Windows processes like "explorer.exe" and "winver.exe".
External References: https://blog.talosintelligence.com/2020/07/threat-roundup-0710-0717.html
SHA256: b853ec7bf8d69a2ea7203a8881c2671c8e2a546e7a9a299e6062275e52f10cb2
SHA1: a944cb8530194a7fe293ea6faaddf912d1d2be83
MD5: 038d0f48cf53443817f515263b5f4709
Strike ID: M20-v6ck1
Malware: TinyBanker_02ef97cd
Platform: Windows
Info: This strike sends a malware sample known as TinyBanker. The malware TinyBanker, also known as Zusy or Tinba, is a trojan that uses a JavaScript-injected form to steal banking information. When executed, it injects itself into Windows processes like "explorer.exe" and "winver.exe".
External References: https://blog.talosintelligence.com/2020/07/threat-roundup-0710-0717.html
SHA256: 7b4bc90a5a8ebd89b6dd4b804257ec8c0c3b6bc2565a6c6f1e24f77f4b33fca5
SHA1: f5b7f7401110a5304477042d816812d3c7d883ba
MD5: 02ef97cd7f61f4dec5ea52276eb7d776
Strike ID: M20-6gzv1
Malware: SoreFang_c5d5cb99
Platform: Windows
Info: This strike sends a malware sample known as SoreFang. This sample is a Trojan implant designed to exploit Sangfor SSL VPN servers. It has been seen targeting organizations involved in COVID-19 research and vaccine development. It replaces the legitimate Sangfor VPN software distributed to VPN clients. The malware gives the attacker remote control over the infected machine.
External References: https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198a
SHA256: 65495d173e305625696051944a36a031ea94bb3a4f13034d8be740982bc4ab75
SHA1: a1b5d50fe87f9c69a0e4da447f8d56155ce59e47
MD5: c5d5cb99291fa4b2a68b5ea3ff9d9f9a
Strike ID: M20-bx2o1
Malware: DarkComet_94450dbe
Platform: Windows
Info: This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system.
External References: https://blog.talosintelligence.com/2020/06/threat-roundup-0529-0605.html
SHA256: 3b765b6d85b21b8304c2287d2ede993082455f64d904529dd8eb03482b5cf3b3
SHA1: 8bf0af36f38d01b3a8f4de82c1ce7ed18b2ad5ae
MD5: 94450dbefcfdf11eb85fec5a2e9e79c4
Strike ID: M20-rt3f1
Malware: NetWire_a297dff6
Platform: Windows
Info: This strike sends a polymorphic malware sample known as NetWire. NetWire is a Remote Access Trojan that lets attackers execute commands on the infected host. The binary has random bytes appended at the end of the file.
External References: https://attack.mitre.org/techniques/T1009/
SHA256: e2bcc45e934d72f16d87d299278d1c507b0a7fe4b351df9943b8647bcb6f893d
SHA1: 2db18eaa442052a0eb0d3b2936b391a5342b60e3
PARENTID: M20-mt3r1
SSDEEP: 1536:3UEd6yGrbtK9aao4svmGOKt7dZ+tjFKRgA+JFm:3QT8svpbqFK6Al
MD5: a297dff6004ac5e1ce577f9b0474cb3b
Strike ID: M20-9klw1
Malware: Emotet_91fb4712
Platform: Windows
Info: This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails.
External References: https://blog.talosintelligence.com/2020/07/threat-roundup-0703-0710.html
SHA256: 338b14380a84844b2e8773ba6846e2a8a23fe266b5d079dc3efbb17f9473a250
SHA1: b4aab2d7bcc50737276b1e89a18e19ec356a41c7
MD5: 91fb471283081bd2960ad253d14aa2ab
Strike ID: M20-flcr1
Malware: NetWire_796cbb64
Platform: Windows
Info: This strike sends a malware sample known as NetWire. NetWire is a Remote Access Trojan that lets attackers execute commands on the infected host.
External References: https://blog.talosintelligence.com/2020/07/threat-roundup-0703-0710.html
SHA256: 11f841dcd0ffd44e32bbfaf6ee2e3e4c47efc0ae80ab95a4b4f6f0cd4f9fbb2a
SHA1: 82959fc4042c193ab5afb7c1f15e3d410147bcc3
MD5: 796cbb6400d4f1e1290374a0fcc8c4a0
Strike ID: M20-pk0z1
Malware: WastedLocker_13e623cd
Platform: Windows
Info: This strike sends a malware sample known as WastedLocker. WastedLocker is a new targeted ransomware created by the organization known as Evil Corp. Recently it has been seen in the wild attacking mostly US-based Fortune 500 companies. Once a system is infected, PsExec runs the WastedLocker binary, which begins to encrypt data on the system and to delete shadow volumes. The encrypted files are marked with a combination of the company's name and the string "wasted". Additionally, files with the appended string "_info" contain the ransom note left behind.
External References: https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/
SHA256: aa05e7a187ddec2e11fc1c9eafe61408d085b0ab6cd12caeaf531c9dca129772
SHA1: f25f0b369a355f30f5e11ac11a7f644bcfefd963
MD5: 13e623cdfb75d99ea7e04c6157ca8ae6
Strike ID: M20-ekw01
Malware: DarkComet_d96a9a72
Platform: Windows
Info: This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system.
External References: https://blog.talosintelligence.com/2020/06/threat-roundup-0529-0605.html
SHA256: 63935268c3fd6806fc5de779b5f72358721f7dd537de53f019f3baa1cbdb3451
SHA1: ae8972c472806faa87599cae7fbea22ba0cf9d59
MD5: d96a9a72a8e2b99d4d2674e849631db1
Strike ID: M20-zyb81
Malware: WastedLocker_572fea5f
Platform: Windows
Info: This strike sends a malware sample known as WastedLocker. WastedLocker is a new targeted ransomware created by the organization known as Evil Corp. Recently it has been seen in the wild attacking mostly US-based Fortune 500 companies. Once a system is infected, PsExec runs the WastedLocker binary, which begins to encrypt data on the system and to delete shadow volumes. The encrypted files are marked with a combination of the company's name and the string "wasted". Additionally, files with the appended string "_info" contain the ransom note left behind.
External References: https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/
SHA256: 5cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367
SHA1: 91b2bf44b1f9282c09f07f16631deaa3ad9d956d
MD5: 572fea5f025df78f2d316216fbeee52e
Strike ID: M20-8m231
Malware: WastedLocker_2000de39
Platform: Windows
Info: This strike sends a malware sample known as WastedLocker. WastedLocker is a new targeted ransomware created by the organization known as Evil Corp. Recently it has been seen in the wild attacking mostly US-based Fortune 500 companies. Once a system is infected, PsExec runs the WastedLocker binary, which begins to encrypt data on the system and to delete shadow volumes. The encrypted files are marked with a combination of the company's name and the string "wasted". Additionally, files with the appended string "_info" contain the ransom note left behind.
External References: https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/
SHA256: 7a45a4ae68992e5be784b4a6da7acd98dc28281fe238f22c1f7c1d85a90d144a
SHA1: 70c0d6b0a8485df01ed893a7919009f099591083
MD5: 2000de399f4c0ad50a26780700ed6cac
Strike ID: M20-i6gz1
Malware: Emotet_86ecac07
Platform: Windows
Info: This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails.
External References: https://blog.talosintelligence.com/2020/07/threat-roundup-0703-0710.html
SHA256: 1dafb532cac149ced3cb5f6bcaef801208d8de38c3f6b7a8a69ba2277d90e5fb
SHA1: 65c7fd2314fa8d8f3776f62d1e9409619340732f
MD5: 86ecac07b0e42617b45835cc31ad9af0
Strike ID: M20-l8661
Malware: WastedLocker_0ed2ca53
Platform: Windows
Info: This strike sends a malware sample known as WastedLocker. WastedLocker is a new targeted ransomware created by the organization known as Evil Corp. Recently it has been seen in the wild attacking mostly US-based Fortune 500 companies. Once a system is infected, PsExec runs the WastedLocker binary, which begins to encrypt data on the system and to delete shadow volumes. The encrypted files are marked with a combination of the company's name and the string "wasted". Additionally, files with the appended string "_info" contain the ransom note left behind.
External References: https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/
SHA256: bcdac1a2b67e2b47f8129814dca3bcf7d55404757eb09f1c3103f57da3153ec8
SHA1: 4fed7eae00bfa21938e49f33b7c6794fd7d0750c
MD5: 0ed2ca539a01cdb86c88a9a1604b2005
Strike ID: M20-h6ig1
Malware: Emotet_d89d6736
Platform: Windows
Info: This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails.
External References: https://blog.talosintelligence.com/2020/07/threat-roundup-0703-0710.html
SHA256: dd5048f55ce7d16e2cce8ba707b66ae2c8c7ae64549b98fdcdb0f3ecf2874f17
SHA1: 5a1de3a9350a210999e84c305bfa03f40a2ae6e1
MD5: d89d673631c11ce32a05b1e36bcb6735
Strike ID: M20-e6fw1
Malware: Emotet_d9b152c6
Platform: Windows
Info: This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails.
External References: https://blog.talosintelligence.com/2020/07/threat-roundup-0703-0710.html
SHA256: 1b1c8d35b6dff722f9439985f78da06098d5bad82e7d0b5d1fa41dcc6b3c432b
SHA1: 651726ab4329a51e51babd5a9021f1de823b9c74
MD5: d9b152c6297363628706d37d3b85d8ed
Strike ID: M20-bf2g1
Malware: WellMess_8f1e36bb
Platform: Windows
Info: This strike sends a polymorphic malware sample known as WellMess. WellMess is a lightweight malware written in either Golang or .NET. It has been seen in the wild targeting organizations involved in COVID-19 research and vaccine development. It is designed to execute arbitrary shell commands and to upload and download files. These samples are implants that allow a remote operator to establish encrypted communication with C2 servers to send and retrieve malicious scripts on an infected system. The binary has random strings (lorem ipsum) appended at the end of the file.
External References: https://attack.mitre.org/techniques/T1009/
SHA256: 67c72f8eaff6c96b4b70be02cf0e571321fabb8bbe50d8f15f5eca8c73895e5f
SHA1: e5f74991182ae58a09892cfe406b93da51a1944a
PARENTID: M20-n8yw1
SSDEEP: 6144:4t4156qfXqT02bFXCYv123kUo4GECAOcL6xDE4UL:oc6qkt5vdU6ECe4UL
MD5: 8f1e36bb3bc44914eb13465471400063
Strike ID: M20-dzyd1
Malware: DarkComet_a5361ce7
Platform: Windows
Info: This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system.
External References: https://blog.talosintelligence.com/2020/06/threat-roundup-0529-0605.html
SHA256: 3ee0145434048bb9dbff5a92a2083b3baae1c539a459668e34316bb75ad318de
SHA1: c1b8bf7f8ab9fa35155497b7757482883e7074aa
MD5: a5361ce78de87cfd962242da00f11662
Strike ID: M20-yewi1
Malware: TinyBanker_729a37e0
Platform: Windows
Info: This strike sends a malware sample known as TinyBanker. The malware TinyBanker, also known as Zusy or Tinba, is a trojan that uses a JavaScript-injected form to steal banking information. When executed, it injects itself into Windows processes like "explorer.exe" and "winver.exe".
External References: https://blog.talosintelligence.com/2020/07/threat-roundup-0710-0717.html
SHA256: 4015c1917edbb2e1b9db30a3c02f3ae4e8f9ba7015f3c3c0a4274c281e508f7d
SHA1: 8da80e6a453f89e0e2026660b1938aed69330c39
MD5: 729a37e05315e8179d16169168a667eb
Strike ID: M20-27lf1
Malware: TinyBanker_31dc4cc0
Platform: Windows
Info: This strike sends a malware sample known as TinyBanker. The malware TinyBanker, also known as Zusy or Tinba, is a trojan that uses a JavaScript-injected form to steal banking information. When executed, it injects itself into Windows processes like "explorer.exe" and "winver.exe".
External References: https://blog.talosintelligence.com/2020/07/threat-roundup-0710-0717.html
SHA256: 47381ffb76fa60172fe273eba6dbb66ac6ebe05c1e6b6a7af863be2b990482c0
SHA1: 84a16b9420bcf817a462700f5ef0be2f6947bbc5
MD5: 31dc4cc040d13f9b06bae2bd61426372
Strike ID: M20-po0s1
Malware: NetWire_350b809a
Platform: Windows
Info: This strike sends a malware sample known as NetWire. NetWire is a Remote Access Trojan that lets attackers execute commands on the infected host.
External References: https://blog.talosintelligence.com/2020/07/threat-roundup-0703-0710.html
SHA256: 4be38ea855bd9088282cd6afbb6b2698aa45fc1f507a609a66af4894a8a3eaf3
SHA1: 5f04765f73bdd55acf606e7acd65469449773845
MD5: 350b809a45dfe3dca55870d8f994333f
Strike ID: M20-eyn31
Malware: NetWire_1b524f5d
Platform: Windows
Info: This strike sends a malware sample known as NetWire. NetWire is a Remote Access Trojan that lets attackers execute commands on the infected host.
External References: https://blog.talosintelligence.com/2020/07/threat-roundup-0703-0710.html
SHA256: 2e86be5c9c364bd944b4823b9191f217c181bb6c980e1708800be13dac953cd5
SHA1: 1c096168f6db961ba445dd31004532a0684292eb
MD5: 1b524f5db5738143efbd54f6a5a56573
Strike ID: M20-l4nx1
Malware: Emotet_3292ce99
Platform: Windows
Info: This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails.
External References: https://blog.talosintelligence.com/2020/07/threat-roundup-0703-0710.html
SHA256: 4b953167cdee60b1fda17ce2293590c05b26db580e93ce93fb0ffee08527ac2a
SHA1: 96dc6429f3432dec156030e0234ccb776b2d93dd
MD5: 3292ce99235f89437fdf33c0227df4fa
Strike ID: M20-b9xh1
Malware: NetWire_9fd86daf
Platform: Windows
Info: This strike sends a polymorphic malware sample known as NetWire. NetWire is a Remote Access Trojan that lets attackers execute commands on the infected host. The binary has one section renamed with a random name according to the PE format specification.
External References: https://arxiv.org/abs/1801.08917
SHA256: 67c92144dc4444d9a3c486fd9e3d0c8df2825dd96d5a74f87461c7987bf354f1
SHA1: ffc6523cdb858118e0815e3f8846b279f32beb21
PARENTID: M20-mt3r1
SSDEEP: 1536:30Ed6yGrbtK9aao4svmGOKt7dZ+tjFKRgA+JF:3wT8svpbqFK6A
MD5: 9fd86daf25d2498d84395bfc9ad5dcac
Strike ID: M20-blce1
Malware: WastedLocker_ecb00e9a
Platform: Windows
Info: This strike sends a malware sample known as WastedLocker. WastedLocker is a new targeted ransomware created by the organization known as Evil Corp. Recently it has been seen in the wild attacking mostly US-based Fortune 500 companies. Once a system is infected, PsExec runs the WastedLocker binary, which begins to encrypt data on the system and to delete shadow volumes. The encrypted files are marked with a combination of the company's name and the string "wasted". Additionally, files with the appended string "_info" contain the ransom note left behind.
External References: https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/
SHA256: 8897db876553f942b2eb4005f8475a232bafb82a50ca7761a621842e894a3d80
SHA1: be59c867da75e2a66b8c2519e950254f817cd4ad
MD5: ecb00e9a61f99a7d4c90723294986bbc
Strike ID: M20-ddcg1
Malware: Emotet_74fb55f5
Platform: Windows
Info: This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails.
External References: https://blog.talosintelligence.com/2020/07/threat-roundup-0703-0710.html
SHA256: e66da3958ee12be370fb6e1e429611f98d575b21b5e555d9f8dee58eb2481def
SHA1: 34228506df007ad3ec1672b01ce6abf7293598b7
MD5: 74fb55f5f7bbf504228af8e136c4b8e7
Strike ID: M20-rils1
Malware: TinyBanker_42d34ef5
Platform: Windows
Info: This strike sends a malware sample known as TinyBanker. The malware TinyBanker, also known as Zusy or Tinba, is a trojan that uses a JavaScript-injected form to steal banking information. When executed, it injects itself into Windows processes like "explorer.exe" and "winver.exe".
External References: https://blog.talosintelligence.com/2020/07/threat-roundup-0710-0717.html
SHA256: 0ebaddef17527ae1f59121ac7ae05fcb2806fc36fd4ea5e3a8d63999d1ef8245
SHA1: 2ada07cade8d09a3fdf74f3764542fe052ee523a
MD5: 42d34ef5b4a2e9637fa0b7cdfdbf7d2c
Strike ID: M20-e29i1
Malware: TinyBanker_ea88c8a1
Platform: Windows
Info: This strike sends a malware sample known as TinyBanker. The malware TinyBanker, also known as Zusy or Tinba, is a trojan that uses a JavaScript-injected form to steal banking information. When executed, it injects itself into Windows processes like "explorer.exe" and "winver.exe".
External References: https://blog.talosintelligence.com/2020/07/threat-roundup-0710-0717.html
SHA256: 9d76af39b9de6fc9f58ca5d7a83798f37790d2193ff88a71cccad19092009a5c
SHA1: 2f4786eef36db3cd34a569759ded38b94144cfcd
MD5: ea88c8a14f624a0069719a609bfb93b1
Strike ID: M20-dazc1
Malware: NetWire_86b2dc6b
Platform: Windows
Info: This strike sends a malware sample known as NetWire. NetWire is a Remote Access Trojan that lets attackers execute commands on the infected host.
External References: https://blog.talosintelligence.com/2020/07/threat-roundup-0703-0710.html
SHA256: 9d163b8e00e7574fb1609b2ee8db2b07d3b6aafa233f3add788dda1baf5b3322
SHA1: 9a3e9da47404aa4817ba301976d0e5211b444ead
MD5: 86b2dc6b035832b396832ee96498b557
Strike ID: M20-0rye1
Malware: WastedLocker_edbf07ea
Platform: Windows
Info: This strike sends a malware sample known as WastedLocker. WastedLocker is a new targeted ransomware created by the organization known as Evil Corp. Recently it has been seen in the wild attacking mostly US-based Fortune 500 companies. Once a system is infected, PsExec runs the WastedLocker binary, which begins to encrypt data on the system and to delete shadow volumes. The encrypted files are marked with a combination of the company's name and the string "wasted". Additionally, files with the appended string "_info" contain the ransom note left behind.
External References: https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/
SHA256: ed0632acb266a4ec3f51dd803c8025bccd654e53c64eb613e203c590897079b3
SHA1: 9292fa66c917bfa47e8012d302a69bec48e9b98c
MD5: edbf07eaca4fff5f2d3f045567a9dc6f
Strike ID: M20-vnec1
Malware: Emotet_3c0c754a
Platform: Windows
Info: This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails.
External References: https://blog.talosintelligence.com/2020/07/threat-roundup-0703-0710.html
SHA256: 539f218904629efd90df998b1704cdfc101543b74c6d8afab2204e325d1e8bb0
SHA1: 7becb502bb543a46ef515e6037208b793a613af3
MD5: 3c0c754a38f8f750b53ebf2d81d5b897
Strike ID: M20-72n11
Malware: DarkComet_c3c2764d
Platform: Windows
Info: This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system.
External References: https://blog.talosintelligence.com/2020/06/threat-roundup-0529-0605.html
SHA256: 0f6a595d6bfd0dc514dbde0b8be7cdb2aa1dba94a103f1c79205f0bcf9856e7f
SHA1: 6e90e4c6a099f38a6810c37711cca2739cf22772
MD5: c3c2764dbe9ec6f4d9207c84ca5b8201
Strike ID: M20-jxz11
Malware: TinyBanker_4be2f390
Platform: Windows
Info: This strike sends a malware sample known as TinyBanker. The malware TinyBanker, also known as Zusy or Tinba, is a trojan that uses a JavaScript-injected form to steal banking information. When executed, it injects itself into Windows processes like "explorer.exe" and "winver.exe".
External References: https://blog.talosintelligence.com/2020/07/threat-roundup-0710-0717.html
SHA256: 36d265d452dd91cfc0640b59f3184112c0e3e20f1c5f1e6409452881458083b5
SHA1: b08f3a3326bb484322a6fbba16dd28db4c7bf7d7
MD5: 4be2f39094acef6d9791f7604219d4f4
Strike ID: M20-8eet1
Malware: TinyBanker_19edfc7f
Platform: Windows
Info: This strike sends a malware sample known as TinyBanker. The malware TinyBanker, also known as Zusy or Tinba, is a trojan that uses a JavaScript-injected form to steal banking information. When executed, it injects itself into Windows processes like "explorer.exe" and "winver.exe".
External References: https://blog.talosintelligence.com/2020/07/threat-roundup-0710-0717.html
SHA256: 9a21d7ef4b6f50a4e4ce47791bf2231a523884cf58e4d94e2089464967fd6e25
SHA1: 4b48bb99acd79c445f55b4d3eedccdb7cb2bc49a
MD5: 19edfc7f229677c5cd9fd8327a197745
Strike ID: M20-p4zi1
Malware: DarkComet_bd4b11b9
Platform: Windows
Info: This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system.
External References: https://blog.talosintelligence.com/2020/06/threat-roundup-0529-0605.html
SHA256: 8167bea409789e03d3483aa7497762f2c3f33ed25122fcd8b7e7b45cb9b3e919
SHA1: f21c9217461452eab05e990e8b2ff20fde524c4a
MD5: bd4b11b929ec3f25c1caf63bc889d5fc
Strike ID: M20-z9p41
Malware: NetWire_83f66181
Platform: Windows
Info: This strike sends a malware sample known as NetWire. NetWire is a Remote Access Trojan that lets attackers execute commands on the infected host.
External References: https://blog.talosintelligence.com/2020/07/threat-roundup-0703-0710.html
SHA256: 79dbd028f2768d0874fce30c00b227e6af46080727503918bc09ef965949edc4
SHA1: 5af13ebbc629d1dc062933a75577272c5016b1f3
MD5: 83f66181010a41f2a47d4c7bd7d6296b
Strike ID: M20-1dr31
Malware: NetWire_f74d7e56
Platform: Windows
Info: This strike sends a malware sample known as NetWire. NetWire is a Remote Access Trojan that lets attackers execute commands on the infected host.
External References: https://blog.talosintelligence.com/2020/07/threat-roundup-0703-0710.html
SHA256: 9648d53a1276cdd0d3d170ba0c13a9c140b13c4ef3d3d4790164ca98f8f71a5d
SHA1: 1fdaba3131e83a0e5b22d0a312dbb8f0c0d35bb2
MD5: f74d7e560926fdb7802e4b13d0c10e7a
Strike ID: M20-x2o41
Malware: TinyBanker_2752e633
Platform: Windows
Info: This strike sends a malware sample known as TinyBanker. The malware TinyBanker, also known as Zusy or Tinba, is a trojan that uses a JavaScript-injected form to steal banking information. When executed, it injects itself into Windows processes like "explorer.exe" and "winver.exe".
External References: https://blog.talosintelligence.com/2020/07/threat-roundup-0710-0717.html
SHA256: 14398c45f2dc4d5c6d4c16ba9f276888eee4eb396863a355d059b55795d606e3
SHA1: 597850e0f0162bcbd571ab892fc3652d87c1de5c
MD5: 2752e6339bbbbbc032826808cedc5d32
Strike ID: M20-gan91
Malware: Emotet_cfa658c9
Platform: Windows
Info: This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails.
External References: https://blog.talosintelligence.com/2020/07/threat-roundup-0703-0710.html
SHA256: cb8a434442b33d664405f2191c9f57d7e04f97bb3a98116000d82a5967bd2868
SHA1: 897e9c21c02952020f9f3ef56f3154ab4b1afe38
MD5: cfa658c993fd56dd81a370e286163770
Strike ID: M20-980h1
Malware: DarkComet_03183a1a
Platform: Windows
Info: This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system.
External References: https://blog.talosintelligence.com/2020/06/threat-roundup-0529-0605.html
SHA256: 08039ef764c01600b0b21b33fb9c45031fecacfbc62ac1400a2604783c513e4d
SHA1: 03787807f2e0b449abd3ebaf2d9945d738f2f130
MD5: 03183a1a2b8381ecfdb47ba4cc824191
Strike ID: M20-l83m1
Malware: DarkComet_12976937
Platform: Windows
Info: This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system.
External References: https://blog.talosintelligence.com/2020/06/threat-roundup-0529-0605.html
SHA256: 6557faee4a706e851f0aa28785e38dc56bfd422c4d8864c754c884163ab8ab3d
SHA1: 29d586610d388065debc1f88cd19a8bc393431f4
MD5: 12976937fbeef378e9b64d237991c45a
Strike ID: M20-ands1
Malware: NetWire_edc2afa3
Platform: Windows
Info: This strike sends a malware sample known as NetWire. NetWire is a remote access trojan (RAT) that lets attackers execute commands on the infected host.
External References: https://blog.talosintelligence.com/2020/07/threat-roundup-0703-0710.html
SHA256: 51164673a792e1f214b69b1f21bf714ce289ddf8d898f7499f07aafb7a692e9a
SHA1: c362a783af0b84241c16ef22eebf2811f8a57c1a
MD5: edc2afa36a416f93aa4e763e8660f933
Strike ID: M20-tlrb1
Malware: SoreFang_861879f4
Platform: Linux
Info: This strike sends a malware sample known as SoreFang. This sample is a trojan implant designed to exploit Sangfor SSL VPN servers. It has been seen targeting organizations involved in COVID-19 research and vaccine development. It replaces the legitimate Sangfor VPN software distributed to VPN clients. The malware gives the attacker remote control over the infected machine.
External References: https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198a
SHA256: 14e9b5e214572cb13ff87727d680633f5ee238259043357c94302654c546cad2
SHA1: db4f07ecefd1e290d727379ded4f15a0d4a59f88
MD5: 861879f402fe3080ab058c0c88536be4
Strike ID: M20-tk1k1
Malware: Emotet_6aa9aaed
Platform: Windows
Info: This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails.
External References: https://blog.talosintelligence.com/2020/07/threat-roundup-0703-0710.html
SHA256: ab87b202217c59a3d0346f4bdaa549813191ff25df57ad8a616b40647cb4c028
SHA1: 273a09c6320a70961371fba4cce6bf98f72c6ae6
MD5: 6aa9aaed9e0281f98c4d178d9388b9af
Strike ID: M20-ykkn1
Malware: TinyBanker_494744ed
Platform: Windows
Info: This strike sends a malware sample known as TinyBanker. TinyBanker, also known as Zusy or Tinba, is a banking trojan that injects JavaScript into web forms (web injects) to steal banking credentials. When executed, it injects itself into Windows processes such as "explorer.exe" and "winver.exe".
External References: https://blog.talosintelligence.com/2020/07/threat-roundup-0710-0717.html
SHA256: 40c0d24f854db3548f0d9ef8fef3cfc7463fae25e690f426e044042e35f46a48
SHA1: 46fc9fdd01ce7b0cc2a9a7d3fa4f73d9a2c2faad
MD5: 494744ed921005e57d1495d1b3f23260
Strike ID: M20-z1so1
Malware: NetWire_c5c68c05
Platform: Windows
Info: This strike sends a malware sample known as NetWire. NetWire is a remote access trojan (RAT) that lets attackers execute commands on the infected host.
External References: https://blog.talosintelligence.com/2020/07/threat-roundup-0703-0710.html
SHA256: 1e7b37a04208f94239a05244352ae5bf45793f83bdcb4aaadbfa7ef4c48d805d
SHA1: 4c7b85c0dfc53e3cc9cb79add07b4bf95c40fcda
MD5: c5c68c052096dd76f2dd85c322d950f1
Strike ID: M20-jy701
Malware: NetWire_1d030db3
Platform: Windows
Info: This strike sends a malware sample known as NetWire. NetWire is a remote access trojan (RAT) that lets attackers execute commands on the infected host.
External References: https://blog.talosintelligence.com/2020/07/threat-roundup-0703-0710.html
SHA256: 255c6efe9551fd5b6381adb440b94af65aee2286465c76c8fdb596c6e7a90b1a
SHA1: 321487b8c7827cc87d3a8bfacb912e0fb519d3a1
MD5: 1d030db358ba16c4ea8ba4a928eb583b
Strike ID: M20-ajbu1
Malware: DarkComet_d65fc205
Platform: Windows
Info: This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system.
External References: https://blog.talosintelligence.com/2020/06/threat-roundup-0529-0605.html
SHA256: 57f94f852f1a625bebfe96a57be5c6cbcb17016f786ebe1991265c442dc42103
SHA1: 5de1d9dc4cd3fb5b3370cd8303a16838c0a97c39
MD5: d65fc2053dd33571ebb55a1b49bb03bd
Strike ID: M20-8r8e1
Malware: NetWire_9b7a4904
Platform: Windows
Info: This strike sends a malware sample known as NetWire. NetWire is a remote access trojan (RAT) that lets attackers execute commands on the infected host.
External References: https://blog.talosintelligence.com/2020/07/threat-roundup-0703-0710.html
SHA256: 7e6898b47574bbdb8b7c27bc392eab836bcd810e048fdc6b880537e3c7fb701d
SHA1: 864a414d4d11cb57994e9efefbf494ef0b072a1e
MD5: 9b7a4904810d28f35158bb99cbd5df6b
Strike ID: M20-uod41
Malware: NetWire_1a085a8f
Platform: Windows
Info: This strike sends a malware sample known as NetWire. NetWire is a remote access trojan (RAT) that lets attackers execute commands on the infected host.
External References: https://blog.talosintelligence.com/2020/07/threat-roundup-0703-0710.html
SHA256: 62b6d90b250056d556971b7066e827eb03bbe2cb0b70848a98cb21fadc27d500
SHA1: fd065edaaec8a6d57cc225674249e03d6f65f5c5
MD5: 1a085a8f86d2a2ed0e9f81c67f696d2e
Strike ID: M20-h5qb1
Malware: Emotet_62f09a7e
Platform: Windows
Info: This strike sends a polymorphic malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails. The binary has been packed with the UPX packer using its default options.
External References: https://attack.mitre.org/techniques/T1045/
SHA256: cf2d015be5779753daceaab47e8745bb9deef81b646aa59313a365bf383ec6cf
SHA1: dc28fb3e20309a27641d88acf8e9b0c459f9e363
PARENTID: M20-8ev91
SSDEEP: 3072:J61oDDSj+vIq7SELcPrra8pB87lTAEYE1u3MJSAt1TKjUMK6x08Uj:JZGj+vIq7SEIPfws79AtyKZD
MD5: 62f09a7e9cbfeae4335ebeaa40b1358a
Strike ID: M20-jvax1
Malware: WellMess_967fcf18
Platform: Windows
Info: This strike sends a malware sample known as WellMess. WellMess is a lightweight malware family with variants written in Golang and .NET. It has been seen in the wild targeting organizations involved in COVID-19 research and vaccine development. It is designed to execute arbitrary shell commands and to upload and download files. These samples are implants that let a remote operator establish encrypted communication with C2 servers to send and retrieve malicious scripts on an infected system.
External References: https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198b
SHA256: 58d8e65976b53b77645c248bfa18c3b87a6ecfb02f306fe6ba4944db96a5ede2
SHA1: 152189b62c546d6297a7083778fba62dcec576be
MD5: 967fcf185634def5177f74b0f703bdc0
Strike ID: M20-4c7z2
Malware: NetWire_234465ef
Platform: Windows
Info: This strike sends a malware sample known as NetWire. NetWire is a remote access trojan (RAT) that lets attackers execute commands on the infected host.
External References: https://blog.talosintelligence.com/2020/07/threat-roundup-0703-0710.html
SHA256: 28181484a3ef4f4f3ab8fc07388aa109b49f2e02bcfe65b819a4341369e5b4fc
SHA1: 59bfeacd950b124ee4e30a6d2e5f41351b00f6b0
MD5: 234465efb8b8e3341f6d5736cb81cde2
Strike ID: M20-0nw31
Malware: DarkComet_aabfef70
Platform: Windows
Info: This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system.
External References: https://blog.talosintelligence.com/2020/06/threat-roundup-0529-0605.html
SHA256: 73e47ae090f62b5723ccc7a1b452e8c8b305f22734f7efac6402c9edbd49bc5c
SHA1: 0afdc73e16c8f8c3a84af9edc0cb710afc7929f6
MD5: aabfef7012a8afef5a38e48a2ecc3e66
Strike ID: M20-y1mn1
Malware: DarkComet_fd6af5f9
Platform: Windows
Info: This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system.
External References: https://blog.talosintelligence.com/2020/06/threat-roundup-0529-0605.html
SHA256: 50e76d4936b183bf0c03761a38bf0d74e037ce72b59df8a28764b7f446675f51
SHA1: 68a6a226909396bb31d2b88fdc0c1513514b1a2a
MD5: fd6af5f98b2b68add91fd43c0e9e2aae
Strike ID: M20-wl4k1
Malware: WellMess_f18ced87
Platform: Windows
Info: This strike sends a malware sample known as WellMess. WellMess is a lightweight malware family with variants written in Golang and .NET. It has been seen in the wild targeting organizations involved in COVID-19 research and vaccine development. It is designed to execute arbitrary shell commands and to upload and download files. These samples are implants that let a remote operator establish encrypted communication with C2 servers to send and retrieve malicious scripts on an infected system.
External References: https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198b
SHA256: 953b5fc9977e2d50f3f72c6ce85e89428937117830c0ed67d468e2d93aa7ec9a
SHA1: 92f7b470c5a2c95a4df04c2c5cd50780f6dbdda1
MD5: f18ced8772e9d1a640b8b4a731dfb6e0
Strike ID: M20-k1gk1
Malware: Emotet_15cbe4fd
Platform: Windows
Info: This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails.
External References: https://blog.talosintelligence.com/2020/07/threat-roundup-0703-0710.html
SHA256: 019cb08d08f8512b3a6af74bf8f1f4c99c8a9691af2775183c95e67c10388e74
SHA1: 1e7967ff30f173c2f990a1d3052a8acfc42f9733
MD5: 15cbe4fdac2c40d14c0e5cc325a46c26
Strike ID: M20-8ue71
Malware: NetWire_06008156
Platform: Windows
Info: This strike sends a malware sample known as NetWire. NetWire is a remote access trojan (RAT) that lets attackers execute commands on the infected host.
External References: https://blog.talosintelligence.com/2020/07/threat-roundup-0703-0710.html
SHA256: 22c07b60b192d882381a9e4e5c1cefff80c7bdcf12efa66d19765625b9ea7d00
SHA1: cfa7fca227843cff5c7d5c12e591cb8669da452d
MD5: 06008156d85ad3dfeea6abdb65eea5c3
Strike ID: M20-obtk1
Malware: NetWire_ad08c13a
Platform: Windows
Info: This strike sends a malware sample known as NetWire. NetWire is a remote access trojan (RAT) that lets attackers execute commands on the infected host.
External References: https://blog.talosintelligence.com/2020/07/threat-roundup-0703-0710.html
SHA256: 483b6c1fc090a248beb40574446a998c3af6a8f3c42df5f0e95a162fd4b9b534
SHA1: 4d0e8803552159d436ed5d4264aa58644a4542f7
MD5: ad08c13afea59519ec36163c9942c44d
Strike ID: M20-4n931
Malware: TinyBanker_0f1da9b6
Platform: Windows
Info: This strike sends a malware sample known as TinyBanker. TinyBanker, also known as Zusy or Tinba, is a banking trojan that injects JavaScript into web forms (web injects) to steal banking credentials. When executed, it injects itself into Windows processes such as "explorer.exe" and "winver.exe".
External References: https://blog.talosintelligence.com/2020/07/threat-roundup-0710-0717.html
SHA256: b47214f748eef3fdd27388c1d59b4a308910d442f78cead2dee6895169ae9e76
SHA1: 8f67bb887c3e84f063dcd402614495198f9e538f
MD5: 0f1da9b6fffc07884725e9eec9dbe85c
Strike ID: M20-7osy1
Malware: DarkComet_9faa5a31
Platform: Windows
Info: This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system.
External References: https://blog.talosintelligence.com/2020/06/threat-roundup-0529-0605.html
SHA256: 5d0671d8aa8a4c3eaeca7d73c197f20fa5e3698f97d9f99abf50b4e43ab1d113
SHA1: 9d424326bd59695cd59295f06a861a01fc5e4839
MD5: 9faa5a3166dc6fbc745d085d154ddd93
Strike ID: M20-9xaa1
Malware: TinyBanker_13d1b1f5
Platform: Windows
Info: This strike sends a malware sample known as TinyBanker. TinyBanker, also known as Zusy or Tinba, is a banking trojan that injects JavaScript into web forms (web injects) to steal banking credentials. When executed, it injects itself into Windows processes such as "explorer.exe" and "winver.exe".
External References: https://blog.talosintelligence.com/2020/07/threat-roundup-0710-0717.html
SHA256: 3c21cb07d0391719918fa40c59ac02b1d0444813bff01aa57ed0173ea17907fe
SHA1: fc4680ad54ce3dbb7e382467f3795c97da4470de
MD5: 13d1b1f5afe9d95a5d3a67243b15bbf6
Strike ID: M20-5ge01
Malware: DarkComet_0d3a2129
Platform: Windows
Info: This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system.
External References: https://blog.talosintelligence.com/2020/06/threat-roundup-0529-0605.html
SHA256: 31535bfd8856f9497076a79fc6bac118901275a4928e9c31bfd42641aa624a98
SHA1: eb72bc690b2be5033faca68820ecc0388c89df26
MD5: 0d3a2129a486493974d845cbb5ff41e4
Strike ID: M20-n44n1
Malware: TinyBanker_e20a97a6
Platform: Windows
Info: This strike sends a malware sample known as TinyBanker. TinyBanker, also known as Zusy or Tinba, is a banking trojan that injects JavaScript into web forms (web injects) to steal banking credentials. When executed, it injects itself into Windows processes such as "explorer.exe" and "winver.exe".
External References: https://blog.talosintelligence.com/2020/07/threat-roundup-0710-0717.html
SHA256: 43b909534495841ca1ca6d5a16b4a8ced3c611ae84114d150731c9606cb1b574
SHA1: f86353352ebd92bb10bfab1fd694e8966502261f
MD5: e20a97a65ec439978dba244cb67a9a48
Strike ID: M20-9oew1
Malware: NetWire_f17dc7f4
Platform: Windows
Info: This strike sends a malware sample known as NetWire. NetWire is a remote access trojan (RAT) that lets attackers execute commands on the infected host.
External References: https://blog.talosintelligence.com/2020/07/threat-roundup-0703-0710.html
SHA256: 400dc0e03ffdbe53b008300711d2490e94f7b9eab93ac16ae49b39abd28a48ac
SHA1: 574a1e1c54a143915983aa45e525ebad612bbca2
MD5: f17dc7f4fe64200ef073b064ee74a4eb
Strike ID: M20-2i2a1
Malware: TinyBanker_290ba91b
Platform: Windows
Info: This strike sends a malware sample known as TinyBanker. TinyBanker, also known as Zusy or Tinba, is a banking trojan that injects JavaScript into web forms (web injects) to steal banking credentials. When executed, it injects itself into Windows processes such as "explorer.exe" and "winver.exe".
External References: https://blog.talosintelligence.com/2020/07/threat-roundup-0710-0717.html
SHA256: 4d060e479439e757e3472f81a15da6ae38c7cbf9155c7de9817bf30552088b22
SHA1: fa84aa97a4e15d4ad4435ade518538942c227a6d
MD5: 290ba91b81e92f59bb9174cce41d97d3
Strike ID: M20-ndtq1
Malware: Emotet_07d8ff0a
Platform: Windows
Info: This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails.
External References: https://blog.talosintelligence.com/2020/07/threat-roundup-0703-0710.html
SHA256: bdb054e3f565c5bf244417609322ccebcab26fdbc74c31516ce66ffd2aed2268
SHA1: beed57f3be93af3b49a3c905299e856e788e4622
MD5: 07d8ff0ad28c47ecce6cd3a7b1f86bbd
Strike ID: M20-i5ni1
Malware: DarkComet_2b04df87
Platform: Windows
Info: This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system.
External References: https://blog.talosintelligence.com/2020/06/threat-roundup-0529-0605.html
SHA256: 1be1d57117ab25b16d4d17176062dc0cb469e25dcf2ec8c751c2104365697ae6
SHA1: bd7199a08b3aebe0a080965a517fb6599ff500d2
MD5: 2b04df87d237933c7e71774904fc6e0c
Strike ID: M20-vy0h1
Malware: TinyBanker_3bb35a94
Platform: Windows
Info: This strike sends a malware sample known as TinyBanker. TinyBanker, also known as Zusy or Tinba, is a banking trojan that injects JavaScript into web forms (web injects) to steal banking credentials. When executed, it injects itself into Windows processes such as "explorer.exe" and "winver.exe".
External References: https://blog.talosintelligence.com/2020/07/threat-roundup-0710-0717.html
SHA256: 200a2c5eaa6ce90cc3f825ec4f4f3d8de444282dbd558a9dd0698a9520db2a58
SHA1: 65abe6f5a75658e03e43529c65092e8da386d813
MD5: 3bb35a94356e2fc3083256ad8ef0ff0f
Strike ID: M20-kz851
Malware: WastedLocker_2cc4534b
Platform: Windows
Info: This strike sends a malware sample known as WastedLocker. WastedLocker is a targeted ransomware family created by the group known as Evil Corp. It has recently been seen in the wild attacking mostly US-based Fortune 500 companies. After the network is compromised, the operators launch the WastedLocker binary with PsExec; it then encrypts data on the system and deletes volume shadow copies. Encrypted files receive an extension that combines an abbreviation of the victim company's name with the string "wasted", and a companion file with "_info" appended to that name holds the ransom note.
External References: https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/
SHA256: 905ea119ad8d3e54cd228c458a1b5681abc1f35df782977a23812ec4efa0288a
SHA1: 735ee2c15c0b7172f65d39f0fd33b9186ee69653
MD5: 2cc4534b0dd0e1c8d5b89644274a10c1
Strike ID: M20-tiib1
Malware: TinyBanker_28f303b6
Platform: Windows
Info: This strike sends a malware sample known as TinyBanker. TinyBanker, also known as Zusy or Tinba, is a banking trojan that injects JavaScript into web forms (web injects) to steal banking credentials. When executed, it injects itself into Windows processes such as "explorer.exe" and "winver.exe".
External References: https://blog.talosintelligence.com/2020/07/threat-roundup-0710-0717.html
SHA256: 40789d2be55ca929fe9e9ebdf084b84a42ec88d166744d06bbda41e24bb98e39
SHA1: 90ef73f984ae4cf09e19f0a69138d75544e5d9fe
MD5: 28f303b61050866816ddde0597134e83
Strike ID: M20-i6tl1
Malware: Emotet_daca8565
Platform: Windows
Info: This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails.
External References: https://blog.talosintelligence.com/2020/07/threat-roundup-0703-0710.html
SHA256: 887226f61b841051a606edd1ced5ad1c1919e71fae4583afea1d995fd027ad08
SHA1: d1fdd23ec6d48d9718c23104c02725dc45473193
MD5: daca8565d4e8c131ad95e2ed744f7e46
Strike ID: M20-0yd11
Malware: TinyBanker_958dd51e
Platform: Windows
Info: This strike sends a malware sample known as TinyBanker. TinyBanker, also known as Zusy or Tinba, is a banking trojan that injects JavaScript into web forms (web injects) to steal banking credentials. When executed, it injects itself into Windows processes such as "explorer.exe" and "winver.exe".
External References: https://blog.talosintelligence.com/2020/07/threat-roundup-0710-0717.html
SHA256: 645dafa65eec41b157e7dd205b07df97148105950dea2d0722f02f53f449e2a0
SHA1: c4e3d6b2ee15d4cbffc5c8266df9304ad1dc4a8d
MD5: 958dd51e24b8d9f1df8470f971ef5726
Strike ID: M20-k6al1
Malware: NetWire_bbb734f7
Platform: Windows
Info: This strike sends a malware sample known as NetWire. NetWire is a remote access trojan (RAT) that lets attackers execute commands on the infected host.
External References: https://blog.talosintelligence.com/2020/07/threat-roundup-0703-0710.html
SHA256: 045ed6c11f72b1a11803a205abcd7ea82b2ad478a8a795984c322f540d159a79
SHA1: 2490ce8e8266b559e3b0b0c54dd35f3b33e8ae2b
MD5: bbb734f7ac43646319d4148e58a2dcf4
Strike ID: M20-ww611
Malware: NetWire_5479b76d
Platform: Windows
Info: This strike sends a malware sample known as NetWire. NetWire is a remote access trojan (RAT) that lets attackers execute commands on the infected host.
External References: https://blog.talosintelligence.com/2020/07/threat-roundup-0703-0710.html
SHA256: 492c1e4ae807107b8792e9e4a0c619f92dbb9f0a1fd457ac79fa0e07292354b0
SHA1: ce4fe8c69974ac451aa03cb2e3d95a8530334258
MD5: 5479b76dc7294f003d4e793c80f22311
Strike ID: M20-kvrs1
Malware: NetWire_c92888b3
Platform: Windows
Info: This strike sends a malware sample known as NetWire. NetWire is a remote access trojan (RAT) that lets attackers execute commands on the infected host.
External References: https://blog.talosintelligence.com/2020/07/threat-roundup-0703-0710.html
SHA256: 387109054b3a59071d6ca8af6656eaa223fa4d1825efbcc4213bd192c5d6e29e
SHA1: 62961686c78694a227c04b867dd343fe5bea25ca
MD5: c92888b389f779e39804aef0244ff8e4
Strike ID: M20-ifta1
Malware: DarkComet_07b77b6d
Platform: Windows
Info: This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system.
External References: https://blog.talosintelligence.com/2020/06/threat-roundup-0529-0605.html
SHA256: 70ba4783c12ca57a129c5f3ab9d85ee34f5dc753952d15b49f5c54c6f067909e
SHA1: 319d8c6e96c8df82943367186359bbdd364cf2ee
MD5: 07b77b6d48e99b5c94040411f2f42d06
Strike ID: M20-ksew1
Malware: NetWire_68cd8d68
Platform: Windows
Info: This strike sends a malware sample known as NetWire. NetWire is a remote access trojan (RAT) that lets attackers execute commands on the infected host.
External References: https://blog.talosintelligence.com/2020/07/threat-roundup-0703-0710.html
SHA256: 229d7221c71a16c1b2d8bd1f74dded37d27dec2dcc713150d7657837c6c67be0
SHA1: ddfead21af149214c0eaa128e56b0bf7aae279b7
MD5: 68cd8d68115f9d46805a4aaccee773fd
Strike ID: M20-n8yw1
Malware: WellMess_a32e1202
Platform: Windows
Info: This strike sends a malware sample known as WellMess. WellMess is a lightweight malware family with variants written in Golang and .NET. It has been seen in the wild targeting organizations involved in COVID-19 research and vaccine development. It is designed to execute arbitrary shell commands and to upload and download files. These samples are implants that let a remote operator establish encrypted communication with C2 servers to send and retrieve malicious scripts on an infected system.
External References: https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198b
SHA256: a4b790ddffb3d2e6691dcacae08fb0bfa1ae56b6c73d70688b097ffa831af064
SHA1: 416df2d22338f412571cdaedb40ab33eb38977af
MD5: a32e1202257a2945bf0f878c58490af8
Strike ID: M20-lmfw1
Malware: NetWire_41f2edd9
Platform: Windows
Info: This strike sends a malware sample known as NetWire. NetWire is a remote access trojan (RAT) that lets attackers execute commands on the infected host.
External References: https://blog.talosintelligence.com/2020/07/threat-roundup-0703-0710.html
SHA256: 523e3d1fda9eb37098ae774b20f87e5552c5f38228dcf311298caf4bc5c2d086
SHA1: 70925ffb54be19c5e82d4abceba592f5a3f91be6
MD5: 41f2edd93e423aa2c29c97de03e63fed
Strike ID: M20-96d71
Malware: DarkComet_e0034c04
Platform: Windows
Info: This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system.
External References: https://blog.talosintelligence.com/2020/06/threat-roundup-0529-0605.html
SHA256: 5e59a550cc3f18a66b663286b2ad08a5612fdd34e8e1667f5229c05e3053d48d
SHA1: 64058e220af6fb681b9a47519de2cf3b7ef5fd68
MD5: e0034c046f1581fb729c4ddd2a91cd5e
Strike ID: M20-6u8y1
Malware: DarkComet_a98f3960
Platform: Windows
Info: This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system.
External References: https://blog.talosintelligence.com/2020/06/threat-roundup-0529-0605.html
SHA256: 833d572bc5d010513b2db0ddf8585146717626ca0b1ed31afcf2c060a85532fc
SHA1: bbace94ff7787114a74cd015637dd75fa4960e1d
MD5: a98f3960268e9543cc989dade3f4242b
Strike ID: M20-thb61
Malware: WellMail_8777a979
Platform: Linux
Info: This strike sends a malware sample known as WellMail. WellMail has been seen in the wild targeting organizations involved in COVID-19 research and vaccine development. It provides encrypted channels for the attacker to communicate with C2 servers and the ability to dynamically run scripts on the infected machines.
External References: https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198c
SHA256: 83014ab5b3f63b0253cdab6d715f5988ac9014570fa4ab2b267c7cf9ba237d18
SHA1: 53098b025a3f469ebc3e522f7b0999011cafb943
MD5: 8777a9796565effa01b03cf1cea9d24d
Strike ID: M20-8ev91
Malware: Emotet_12a8067a
Platform: Windows
Info: This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails.
External References: https://blog.talosintelligence.com/2020/07/threat-roundup-0703-0710.html
SHA256: 1d225e3a3c3f52cadbf07a4ed069b4467c4618310d2f41678584f3704f95d19c
SHA1: f442314dc8a12391233a24a6625cff6f046b9ef5
MD5: 12a8067a952be3e9264d69b401b3628e
Strike ID: M20-fo301
Malware: TinyBanker_38edfc34
Platform: Windows
Info: This strike sends a malware sample known as TinyBanker. TinyBanker, also known as Zusy or Tinba, is a banking trojan that injects JavaScript into web forms (web injects) to steal banking credentials. When executed, it injects itself into Windows processes such as "explorer.exe" and "winver.exe".
External References: https://blog.talosintelligence.com/2020/07/threat-roundup-0710-0717.html
SHA256: 292daa2b85d6423471ab688bf3dcaa91661f9e930ecdf88d9ae8cefdfe8e76fb
SHA1: 37e26707457e8d82fd385c9a5a0348fbd2bd7721
MD5: 38edfc343314d3f858e2e02cd2144461
Strike ID: M20-tkow1
Malware: Emotet_ae09fcee
Platform: Windows
Info: This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails.
External References: https://blog.talosintelligence.com/2020/07/threat-roundup-0703-0710.html
SHA256: d8e201ed2ca53622f1ca4cd4b794879ab2b6dc6d52e5e4e12540da1c3d588e0c
SHA1: 9a73530f8671914be4b317080e0b7b559ac267e8
MD5: ae09fceed70fd9b510641b63be5a6502
Strike ID: M20-xhwd1
Malware: NetWire_c3925b82
Platform: Windows
Info: This strike sends a malware sample known as NetWire. NetWire is a remote access trojan (RAT) that lets attackers execute commands on the infected host.
External References: https://blog.talosintelligence.com/2020/07/threat-roundup-0703-0710.html
SHA256: 542d5b4e9100882a16a6ce60c6ff8532b1f0a22a7bdcda84c35cd7a1b49df664
SHA1: 6b89b78ce1d4b4dfb49386425ba2dc9ccb9e5211
MD5: c3925b82df0463c9329a0557f457540d
Strike ID: M20-qqc01
Malware: WellMess_7b9a439c
Platform: Windows
Info: This strike sends a polymorphic malware sample known as WellMess. WellMess is a lightweight malware family with variants written in Golang and .NET. It has been seen in the wild targeting organizations involved in COVID-19 research and vaccine development. It is designed to execute arbitrary shell commands and to upload and download files. These samples are implants that let a remote operator establish encrypted communication with C2 servers to send and retrieve malicious scripts on an infected system. One of the binary's PE sections has been renamed to a random name that still conforms to the PE format specification.
External References: https://arxiv.org/abs/1801.08917
SHA256: 8ec45abe4179a22a739bcd48325ac1dd148c2d8c8a501c73dc8b7d2c28cb1b77
SHA1: ab974869f02a8f3e400e24955c7375bcf154a7b2
PARENTID: M20-n8yw1
SSDEEP: 6144:Yt4156qfXqT02bFXCYv123kUo4GECAOcL6xDE4U:Ic6qkt5vdU6ECe4U
MD5: 7b9a439ca58e3f76cbd60dcc60f77446
Strike ID: M20-efew1
Malware: TinyBanker_f77992eb
Platform: Windows
Info: This strike sends a polymorphic malware sample known as TinyBanker. TinyBanker, also known as Zusy or Tinba, is a banking trojan that injects JavaScript into web forms (web injects) to steal banking credentials. When executed, it injects itself into Windows processes such as "explorer.exe" and "winver.exe". One of the binary's PE sections has been renamed to a random name that still conforms to the PE format specification.
External References: https://arxiv.org/abs/1801.08917
SHA256: b30fb527393d891d28ccd413e119ea309a13749c38e5b661a21c519323febd29
SHA1: 0f177e999846f3fbfaa1591c139977d78ad31816
PARENTID: M20-cbuc1
SSDEEP: 768:r/g94T0zUb/PnM3PC8Q8MVUgiCn4Pd3r9PLjpoNPydMUgtL:44QUbHM3PC8Q1Hn417sNPy+L
MD5: f77992eb5a494bdcd8dcda9bf5652937
Strike ID: M20-hks71
Malware: Emotet_7fba0b9a
Platform: Windows
Info: This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails.
External References: https://blog.talosintelligence.com/2020/07/threat-roundup-0703-0710.html
SHA256: 633bed3b02759cc36b1e72c124d298607e68697a75f61f221b5b59decde14ecb
SHA1: 6bb10b0e1a416ad0b66bd90ad6f3e472a10922d0
MD5: 7fba0b9afbf7a224224b3ce6be675f0d
Strike ID: M20-vws91
Malware: TinyBanker_0ed39328
Platform: Windows
Info: This strike sends a malware sample known as TinyBanker. TinyBanker, also known as Zusy or Tinba, is a banking trojan that injects JavaScript into web forms (web injects) to steal banking credentials. When executed, it injects itself into Windows processes such as "explorer.exe" and "winver.exe".
External References: https://blog.talosintelligence.com/2020/07/threat-roundup-0710-0717.html
SHA256: 8cf7d553e27a5c642812bb040f97bc92746d64b9909bddbb38916d36fbeb8c0f
SHA1: 89048b155b57f9824f6e20fad4e6b2a09d851441
MD5: 0ed39328beae48e12b4dc877064b30d1
Strike ID: M20-ifi31
Malware: DarkComet_8e003595
Platform: Windows
Info: This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system.
External References: https://blog.talosintelligence.com/2020/06/threat-roundup-0529-0605.html
SHA256: 0e473f4bdc3a37ef888a4f44616e0c09c38b8d7fcdb617736aa8f294dd99e920
SHA1: 94afe765dcabc9b2d0b5edef418d6f7caa8cc3ec
MD5: 8e003595d3f489e4776c97c8aabfa7b9
Strike ID: M20-yzp81
Malware: WastedLocker_6b20ef8f
Platform: Windows
Info: This strike sends a malware sample known as WastedLocker. WastedLocker is a targeted ransomware family created by the group known as Evil Corp. It has recently been seen in the wild attacking mostly US-based Fortune 500 companies. After the network is compromised, the operators launch the WastedLocker binary with PsExec; it then encrypts data on the system and deletes volume shadow copies. Encrypted files receive an extension that combines an abbreviation of the victim company's name with the string "wasted", and a companion file with "_info" appended to that name holds the ransom note.
External References: https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/
SHA256: 887aac61771af200f7e58bf0d02cb96d9befa11deda4e448f0a700ccb186ce9d
SHA1: 763d356d30e81d1cd15f6bc6a31f96181edb0b8f
MD5: 6b20ef8fb494cc6e455220356de298d0
Strike ID: M20-c9tb1
Malware: WastedLocker_f67ea8e4
Platform: Windows
Info: This strike sends a malware sample known as WastedLocker. WastedLocker is a targeted ransomware family created by the group known as Evil Corp. It has recently been seen in the wild attacking mostly US-based Fortune 500 companies. After the network is compromised, the operators launch the WastedLocker binary with PsExec; it then encrypts data on the system and deletes volume shadow copies. Encrypted files receive an extension that combines an abbreviation of the victim company's name with the string "wasted", and a companion file with "_info" appended to that name holds the ransom note.
External References: https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/
SHA256: e3bf41de3a7edf556d43b6196652aa036e48a602bb3f7c98af9dae992222a8eb
SHA1: e62d3a4fe0da1b1b8e9bcff3148becd6d02bcb07
MD5: f67ea8e471e827e4b7b65b65647d1d46
Strike ID: M20-7cqt1
Malware: Emotet_2ed2b0d2
Platform: Windows
Info: This strike sends a polymorphic malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails. The TimeDateStamp field in the PE file header has been modified.
External References: https://attack.mitre.org/techniques/T1099/
SHA256: 16e03f284d8a56db4fa112d46edd50537e35125c91086d68362ab8892e4f5a62
SHA1: bdcb584762443fee90ce2582a03750cd9408f5fd
PARENTID: M20-75mm1
SSDEEP: 6144:QjNX3w7TC9rybQb3AnUpBlvKLB6bVlWi+e6k46qz2gFcvAtyKZDG:QRX3wK9rybO3AlLBeTWi+eO6e2zAtyKI
MD5: 2ed2b0d2f3f9662f99381c5bd18118f0
Strike ID: M20-75mm1
Malware: Emotet_88e9eabc
Platform: Windows
Info: This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments to malicious emails.
External References: https://blog.talosintelligence.com/2020/07/threat-roundup-0703-0710.html
SHA256: 0622420430e3559c1a5175e77584feebbeac977922c0a5b72d52d996e8ba6707
SHA1: 03cfa8f152e83166b76db5ebafcd8211d92fe31c
MD5: 88e9eabc35088da3b3b31d5134dc1b49
Strike ID: M20-k6mq1
Malware: Emotet_b612a63c
Platform: Windows
Info: This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments to malicious emails.
External References: https://blog.talosintelligence.com/2020/07/threat-roundup-0703-0710.html
SHA256: c4339507d79d74a6260ee7769b98c58d3b5289a470bee7c5a87f96c78efc3851
SHA1: 089c8fa399a89bc7668c956f1dca854131ea2617
MD5: b612a63c45a0bbd1370572e19382bb18
Strike ID: M20-ekjm1
Malware: TinyBanker_2b2ac146
Platform: Windows
Info: This strike sends a malware sample known as TinyBanker. TinyBanker, also known as Zusy or Tinba, is a trojan that uses a JavaScript-injected form to steal banking information. When executed, it injects itself into Windows processes such as "explorer.exe" and "winver.exe".
External References: https://blog.talosintelligence.com/2020/07/threat-roundup-0710-0717.html
SHA256: b43794417fec9191f8700df446b20875bb753c9380c70e0c7c6869502fa16282
SHA1: 98e69cb347d4966573ee9b3295251f51ca3c8e37
MD5: 2b2ac1463040f9809c34d776e7fb5e6a
Strike ID: M20-2wjp1
Malware: WastedLocker_3208a14c
Platform: Windows
Info: This strike sends a malware sample known as WastedLocker. WastedLocker is a new targeted ransomware created by the organization known as Evil Corp. Recently it has been seen in the wild attacking mostly US-based Fortune 500 companies. Once a system is infected, PsExec runs the WastedLocker binary, which begins to encrypt data on the system and to delete shadow volumes. The encrypted files are named with a combination of the company's name and the string "wasted". Additionally, files with the appended string "_info" contain the ransom note left behind.
External References: https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/
SHA256: 85f391ecd480711401f6da2f371156f995dd5cff7580f37791e79e62b91fd9eb
SHA1: 809fbd450e1a484a5af4ec05c345b2a7072723e7
MD5: 3208a14c9bad334e331febe00f1e9734
Strike ID: M20-evht1
Malware: TinyBanker_0c0b91df
Platform: Windows
Info: This strike sends a malware sample known as TinyBanker. TinyBanker, also known as Zusy or Tinba, is a trojan that uses a JavaScript-injected form to steal banking information. When executed, it injects itself into Windows processes such as "explorer.exe" and "winver.exe".
External References: https://blog.talosintelligence.com/2020/07/threat-roundup-0710-0717.html
SHA256: 15b502a449d911c76cce06cd378d291e8039619a06ace593abbdd2cebe3add27
SHA1: 23070b82c6a5fb619a3e8f38f96f4fda366ef24b
MD5: 0c0b91df5d347924d0efa649e9f7ca63
Strike ID: M20-cbuc1
Malware: TinyBanker_13c2cce6
Platform: Windows
Info: This strike sends a malware sample known as TinyBanker. TinyBanker, also known as Zusy or Tinba, is a trojan that uses a JavaScript-injected form to steal banking information. When executed, it injects itself into Windows processes such as "explorer.exe" and "winver.exe".
External References: https://blog.talosintelligence.com/2020/07/threat-roundup-0710-0717.html
SHA256: 141731282c5378b959ee12a97d564b58bacae43a50ffbca289a5df8ba8d0771d
SHA1: 89a90ff4f2fb186cff3d691998cd9ba461ffb05b
MD5: 13c2cce63f1e8ae54c4b2f15770e69f3
Strike ID: M20-zeeo1
Malware: TinyBanker_40ad77d0
Platform: Windows
Info: This strike sends a polymorphic malware sample known as TinyBanker. TinyBanker, also known as Zusy or Tinba, is a trojan that uses a JavaScript-injected form to steal banking information. When executed, it injects itself into Windows processes such as "explorer.exe" and "winver.exe". The binary has random strings (lorem ipsum) appended at the end of the file.
External References: https://attack.mitre.org/techniques/T1009/
SHA256: 4fe168b7028b1ad9985943474862f09b093915de233836d49e5a661c010af344
SHA1: a8577e727471ef1d6e239dd3c7ebc39af79f3bb6
PARENTID: M20-cbuc1
SSDEEP: 768:D/g94T0zUb/PnM3PC8Q8MVUgiCn4Pd3r9PLjpoNPydMUgtNU:w4QUbHM3PC8Q1Hn417sNPy+a
MD5: 40ad77d0de2dae24d1c942ba7f5e7c2e
Strike ID: M20-6vdo1
Malware: WellMess_a2f5614f
Platform: Windows
Info: This strike sends a polymorphic malware sample known as WellMess. WellMess is a lightweight malware written in either Golang or .NET. It has been seen in the wild targeting organizations involved in COVID-19 research and vaccine development. It is designed to execute arbitrary shell commands and to upload and download files. These samples are implants that allow a remote operator to establish encrypted communication with C2 servers to send and retrieve malicious scripts on an infected system. The binary has random bytes appended at the end of the file.
External References: https://attack.mitre.org/techniques/T1009/
SHA256: b67d856656e58e34b41086f4b0be823dd56b75af60485cc563c01b95711286be
SHA1: 143ca415e9321b8b89e162fa9f06cfd6de33ce2d
PARENTID: M20-n8yw1
SSDEEP: 6144:4t4156qfXqT02bFXCYv123kUo4GECAOcL6xDE4Ufa:oc6qkt5vdU6ECe4Ufa
MD5: a2f5614fa377753a02eed40056aa2459
Strike ID: M20-j2ia1
Malware: NetWire_bf8079de
Platform: Windows
Info: This strike sends a malware sample known as NetWire. NetWire is a Remote Access Trojan that lets attackers execute commands on the infected host.
External References: https://blog.talosintelligence.com/2020/07/threat-roundup-0703-0710.html
SHA256: 26fe99cf61903d3dd464b96e87bc8640dd1d1ba9df2c795e2f27db6dfb74522d
SHA1: da92d8768be7a4a977802495f67f96b8ee591218
MD5: bf8079de4a89e0a0ebd154d99d05b91e
Strike ID: M20-0uff1
Malware: DarkComet_848fc1fa
Platform: Windows
Info: This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system.
External References: https://blog.talosintelligence.com/2020/06/threat-roundup-0529-0605.html
SHA256: 18bc76cc05f305549fbee7757c01f897110effac971738af751815589036d5dc
SHA1: 200be1cad6d7234ce468d6743ff27c79f490ec92
MD5: 848fc1fa772f49d8f4563f38b3f4f002
Strike ID: M20-rhxa1
Malware: Emotet_932a3448
Platform: Windows
Info: This strike sends a polymorphic malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments to malicious emails. The binary has random contents appended to one of the existing sections in the PE file.
External References: https://arxiv.org/abs/1801.08917
SHA256: 8add6324ff072fa544e73a8a300c9d8c20b251b8af6d449f2d9e3a1c11509311
SHA1: 6a98e51d8fb40ffcf73c815d9d537294a373e1b0
PARENTID: M20-8ev91
SSDEEP: 6144:+jNX3w7TC9rybQb3AnUpBlvKLB6bVlWi+e6k46qz2g5cvAtyKZD:+RX3wK9rybO3AlLBeTWi+eO6e23AtyK
MD5: 932a344809bbabf777916b63e4e4e9ca
Strike ID: M20-ekzf1
Malware: WellMess_4d38ac33
Platform: Linux
Info: This strike sends a malware sample known as WellMess. WellMess is a lightweight malware written in either Golang or .NET. It has been seen in the wild targeting organizations involved in COVID-19 research and vaccine development. It is designed to execute arbitrary shell commands and to upload and download files. These samples are implants that allow a remote operator to establish encrypted communication with C2 servers to send and retrieve malicious scripts on an infected system.
External References: https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198b
SHA256: 7c39841ba409bce4c2c35437ecf043f22910984325c70b9530edf15d826147ee
SHA1: 01a71390892fad77987aa09a630b04ff72e37d5d
MD5: 4d38ac3319b167f6c8acb16b70297111
Strike ID: M20-i73r1
Malware: Emotet_8b14c2ff
Platform: Windows
Info: This strike sends a polymorphic malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments to malicious emails. The binary has one more import added to its import table.
External References: https://arxiv.org/abs/1702.05983
SHA256: 76accf214074a7c84309e275fa7d7fa18a22bdf6ddbcc86885e197a6bb647ff3
SHA1: f7b990444fb49812622fb675116e3a7b267a319c
PARENTID: M20-75mm1
SSDEEP: 6144:njNX3w7TC9rybQb3AnUpBlvKLB6bVlWi+e6k46qL205cvAtyKZDZ:nRX3wK9rybO3AlLBeTWi+eO6K2rAtyK
MD5: 8b14c2ffbe2dd64f0a1937148e73c836
Strike ID: M20-7x081
Malware: NetWire_c4166c5f
Platform: Windows
Info: This strike sends a malware sample known as NetWire. NetWire is a Remote Access Trojan that lets attackers execute commands on the infected host.
External References: https://blog.talosintelligence.com/2020/07/threat-roundup-0703-0710.html
SHA256: 44fd21ec687bfbecc1002f1a5e640f0d782b9aa9beff7e4822704fe1a09907b5
SHA1: 79090473cfdb6953da7fa188f4382e9a85ae5070
MD5: c4166c5f4bd570cd999f41474b664e4b
Strike ID: M20-jv5u1
Malware: TinyBanker_a862c24d
Platform: Windows
Info: This strike sends a polymorphic malware sample known as TinyBanker. TinyBanker, also known as Zusy or Tinba, is a trojan that uses a JavaScript-injected form to steal banking information. When executed, it injects itself into Windows processes such as "explorer.exe" and "winver.exe". The binary has random bytes appended at the end of the file.
External References: https://attack.mitre.org/techniques/T1009/
SHA256: 2c94212a010e8fc70c1c52fa64eded136f09964713a82ef9cf73802f5e1314d4
SHA1: 70c7e8f13e4442332029f87a422e2445e16f7234
PARENTID: M20-ou7j1
SSDEEP: 768:V/g94T0zUb/PnM3PC8Q8MVUgiCn4Pd3r9PLjpoNPydMUgtf:24QUbHM3PC8Q1Hn417sNPy+f
MD5: a862c24d8824f88826ed42e5654a6088
Strike ID: M20-o7xc1
Malware: Emotet_f1a41902
Platform: Windows
Info: This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments to malicious emails.
External References: https://blog.talosintelligence.com/2020/07/threat-roundup-0703-0710.html
SHA256: f21aaec6dab4428d5462f0a917908556054093fa9b94f386c94abc572c9d9e0e
SHA1: 1468f82412c45be51b51619d9788b2a55bfe4e4f
MD5: f1a419027bbe163301f856c793e8dc48
Strike ID: M20-vvs51
Malware: WellMess_3a9cdd8a
Platform: Linux
Info: This strike sends a malware sample known as WellMess. WellMess is a lightweight malware written in either Golang or .NET. It has been seen in the wild targeting organizations involved in COVID-19 research and vaccine development. It is designed to execute arbitrary shell commands and to upload and download files. These samples are implants that allow a remote operator to establish encrypted communication with C2 servers to send and retrieve malicious scripts on an infected system.
External References: https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198b
SHA256: 5ca4a9f6553fea64ad2c724bf71d0fac2b372f9e7ce2200814c98aac647172fb
SHA1: e45f89c923d0361ce8f9c64a63031860a76b2d10
MD5: 3a9cdd8a5cbc3ab10ad64c4bb641b41f
Strike ID: M20-3lhg1
Malware: WellMess_2f9f4f2a
Platform: Linux
Info: This strike sends a malware sample known as WellMess. WellMess is a lightweight malware written in either Golang or .NET. It has been seen in the wild targeting organizations involved in COVID-19 research and vaccine development. It is designed to execute arbitrary shell commands and to upload and download files. These samples are implants that allow a remote operator to establish encrypted communication with C2 servers to send and retrieve malicious scripts on an infected system.
External References: https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198b
SHA256: e329607379a01483fc914a47c0062d5a3a8d8d65f777fbad2c5a841a90a0af09
SHA1: 709878e13633e44b45ad1ab569ad34e3dc1efd3b
MD5: 2f9f4f2a9d438cdc944f79bdf44a18f8