M20-ysaj1 | WellMess_ae7a4652 | Linux |
This strike sends a malware sample known as WellMess. WellMess is a lightweight malware written in either Golang or .NET. It has been seen in the wild targeting organizations involved in COVID-19 research and vaccine development. It is designed to execute arbitrary shell commands and to upload and download files. These samples are implants that allow a remote operator to establish encrypted communication with C2 servers to send and retrieve malicious scripts on an infected system. | ae7a46529a0f74fb83beeb1ab2c68c5c | https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198b | SHA256: fd3969d32398bbe3709e9da5f8326935dde664bbc36753bd41a0b111712c0950 | SHA1: a57c896486564d7663a4dce6fbf723a1deb81378 | MD5: ae7a46529a0f74fb83beeb1ab2c68c5c |
M20-60oe1 | TinyBanker_3b97508b | Windows |
This strike sends a malware sample known as TinyBanker. The malware TinyBanker, also known as Zusy or Tinba, is a trojan that uses a JavaScript-injected form to steal banking information. When executed, it injects itself into Windows processes like "explorer.exe" and "winver.exe". | 3b97508b20857a70120a3ae571ce8abc | https://blog.talosintelligence.com/2020/07/threat-roundup-0710-0717.html | SHA256: 1be832d22e4a3c920076ff78eeb08e73d0077b04d29b29c2347c5de170b425d4 | SHA1: 0be8014136efed974c83cdad29cf22d023f95538 | MD5: 3b97508b20857a70120a3ae571ce8abc |
M20-ou7j1 | TinyBanker_02b612be | Windows |
This strike sends a malware sample known as TinyBanker. The malware TinyBanker, also known as Zusy or Tinba, is a trojan that uses a JavaScript-injected form to steal banking information. When executed, it injects itself into Windows processes like "explorer.exe" and "winver.exe". | 02b612be794b972b9aa5a3edf461680e | https://blog.talosintelligence.com/2020/07/threat-roundup-0710-0717.html | SHA256: 02f714d9530681ca2b5de1651c8e71a29c0bef9fc570a2d54eeb24d8ffcf02be | SHA1: ed76f0d9db122bc079de1eb49e704e0d1be77a55 | MD5: 02b612be794b972b9aa5a3edf461680e |
M20-shxr1 | TinyBanker_1d646810 | Windows |
This strike sends a polymorphic malware sample known as TinyBanker. The malware TinyBanker, also known as Zusy or Tinba, is a trojan that uses a JavaScript-injected form to steal banking information. When executed, it injects itself into Windows processes like "explorer.exe" and "winver.exe". The binary has a section renamed to a random name that conforms to the PE format specification. | 1d646810d3fbc4b2e3f332481f160798 | https://arxiv.org/abs/1801.08917 | SHA256: b30c8bee53959b6c17a8838676b5a55716b63acfa5b69ad5d1e3b82cb0c289dc | SHA1: bd8ad94876509125653bad3a5b513c2416c25551 | PARENTID: M20-ou7j1 | SSDEEP: 768:F/g94T0zUb/PnM3PC8Q8MVUgiCn4Pd3r9PLjpoNPydMUgtL:m4QUbHM3PC8Q1Hn417sNPy+L | MD5: 1d646810d3fbc4b2e3f332481f160798 |
M20-mt3r1 | NetWire_01281973 | Windows |
This strike sends a malware sample known as NetWire. NetWire is a Remote Access Trojan that lets attackers execute commands on the infected host. | 012819731462ea2ad6234817a040d7af | https://blog.talosintelligence.com/2020/07/threat-roundup-0703-0710.html | SHA256: 005d4ba8835d3554bebf46c7910bbf3b8823c08abec4270b9096dd22ecf295a4 | SHA1: 575db9cf2121110f36fe934e56be71c49332426b | MD5: 012819731462ea2ad6234817a040d7af |
M20-9qvu1 | NetWire_53abe793 | Windows |
This strike sends a polymorphic malware sample known as NetWire. NetWire is a Remote Access Trojan that lets attackers execute commands on the infected host. The binary has random strings (lorem ipsum) appended at the end of the file. | 53abe793f2805e7aabf5b6422a4e7ac5 | https://attack.mitre.org/techniques/T1009/ | SHA256: 9cae09583a2584c4e58bc67ed8f17b78f6e4b8f0470e1112ad56814fa8a2fa6d | SHA1: 9afbfc8108f3af6e7d68b0c636d2c26e878aca34 | PARENTID: M20-mt3r1 | SSDEEP: 1536:3UEd6yGrbtK9aao4svmGOKt7dZ+tjFKRgA+JF+:3QT8svpbqFK6AV | MD5: 53abe793f2805e7aabf5b6422a4e7ac5 |
M20-8ojj1 | WastedLocker_bceb4f44 | Windows |
This strike sends a malware sample known as WastedLocker. WastedLocker is a new targeted ransomware that was created by the organization known as Evil Corp. Recently it has been seen in the wild attacking mostly US-based Fortune 500 companies. Once a system is infected, PsExec runs the WastedLocker binary, which begins encrypting data on the system and deleting shadow volumes. The encrypted files are named using a combination of the company's name and the string "wasted". Additionally, files with the appended string "_info" contain the ransom note left behind. | bceb4f44d73f1a784e0af50e233eb1b4 | https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/ | SHA256: 97a1e14988672f7381d54e70785994ed45c2efe3da37e07be251a627f25078a7 | SHA1: b99090009cf758fa7551b197990494768cd58687 | MD5: bceb4f44d73f1a784e0af50e233eb1b4 |
M20-zl9k1 | WellMess_e7caca72 | Windows |
This strike sends a polymorphic malware sample known as WellMess. WellMess is a lightweight malware written in either Golang or .NET. It has been seen in the wild targeting organizations involved in COVID-19 research and vaccine development. It is designed to execute arbitrary shell commands and to upload and download files. These samples are implants that allow a remote operator to establish encrypted communication with C2 servers to send and retrieve malicious scripts on an infected system. The binary has random content appended to one of the existing sections of the PE file. | e7caca722341bff3e4fe32ac6609874b | https://arxiv.org/abs/1801.08917 | SHA256: f572ef4a9e7118f9c34196b769e6d627a106a5663199a2252439d30dd8408db4 | SHA1: e32c320359b6c29bcd01333a2f3b8a80eee60776 | PARENTID: M20-n8yw1 | SSDEEP: 6144:4t4156qfXqT02bFXCYv123kUo4GECAOcL6xDE4U:oc6qkt5vdU6ECe4U | MD5: e7caca722341bff3e4fe32ac6609874b |
M20-e4431 | WastedLocker_d7eefcce | Windows |
This strike sends a malware sample known as WastedLocker. WastedLocker is a new targeted ransomware that was created by the organization known as Evil Corp. Recently it has been seen in the wild attacking mostly US-based Fortune 500 companies. Once a system is infected, PsExec runs the WastedLocker binary, which begins encrypting data on the system and deleting shadow volumes. The encrypted files are named using a combination of the company's name and the string "wasted". Additionally, files with the appended string "_info" contain the ransom note left behind. | d7eefcce371e3deec178a2a1c12f2c22 | https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/ | SHA256: 9056ec1ee8d1b0124110e9798700e473fb7c31bc0656d9fc83ed0ac241746064 | SHA1: e13f75f25f5830008a4830a75c8ccacb22cebe7b | MD5: d7eefcce371e3deec178a2a1c12f2c22 |
M20-bvxf1 | DarkComet_75a0a9c2 | Windows |
This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system. | 75a0a9c29a1af4867e318fa63c79b056 | https://blog.talosintelligence.com/2020/06/threat-roundup-0529-0605.html | SHA256: 1899e0b8e3b986a5de287ba23c6e81b287078d7d17eecf30eb10b8013633f709 | SHA1: 24827e97f23017121572c363d515bf3f65bbb7ec | MD5: 75a0a9c29a1af4867e318fa63c79b056 |
M20-amc21 | Emotet_86e76726 | Windows |
This strike sends a polymorphic malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails. The binary has its PE checksum removed. | 86e76726bffb79bf1ef261c8cea56510 | https://arxiv.org/abs/1801.08917 | SHA256: 337241ed419d172fd9aca0dbce8892307682de1ad2adff179d1f3b0525935e64 | SHA1: 83214658e8833682921a50f3bbf594366aaecf90 | PARENTID: M20-75mm1 | SSDEEP: 6144:JjNX3w7TC9rybQb3AnUpBlvKLB6bVlWi+e6k46qz2g5cvAtyKZD:JRX3wK9rybO3AlLBeTWi+eO6e23AtyK | MD5: 86e76726bffb79bf1ef261c8cea56510 |
M20-cyes1 | SoreFang_01d322dc | Linux |
This strike sends a malware sample known as SoreFang. This sample is a Trojan implant designed to exploit Sangfor SSL VPN servers. It has been seen targeting organizations involved in COVID-19 research and vaccine development. It replaces the legitimate Sangfor VPN software distributed to VPN clients. The malware gives the attacker remote control over the infected machine. | 01d322dcac438d2bb6bce2bae8d613cb | https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198a | SHA256: 0c5ad1e8fe43583e279201cdb1046aea742bae59685e6da24e963a41df987494 | SHA1: 8830e9d90c508adf9053e9803c64375bc9b5161a | MD5: 01d322dcac438d2bb6bce2bae8d613cb |
M20-qcbv1 | DarkComet_de957930 | Windows |
This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system. | de95793098522775a222b0b874bcacc9 | https://blog.talosintelligence.com/2020/06/threat-roundup-0529-0605.html | SHA256: 152d31444542e5096b757127ed11c3aa8aa75869c7bed47c110251d6e4dc73de | SHA1: e4058766d3b0d672b843840cd267dfd1246c0c18 | MD5: de95793098522775a222b0b874bcacc9 |
M20-3il91 | NetWire_4e05cb20 | Windows |
This strike sends a malware sample known as NetWire. NetWire is a Remote Access Trojan that lets attackers execute commands on the infected host. | 4e05cb209291091b7263c7d4f5c31103 | https://blog.talosintelligence.com/2020/07/threat-roundup-0703-0710.html | SHA256: 83ab262d766c76a413251c5b7f7598eac14e6a273580ef388be2f1856baed52c | SHA1: e36f2685995d242b593de10a7e70905c6ead90f7 | MD5: 4e05cb209291091b7263c7d4f5c31103 |
M20-g2pn1 | TinyBanker_038d0f48 | Windows |
This strike sends a malware sample known as TinyBanker. The malware TinyBanker, also known as Zusy or Tinba, is a trojan that uses a JavaScript-injected form to steal banking information. When executed, it injects itself into Windows processes like "explorer.exe" and "winver.exe". | 038d0f48cf53443817f515263b5f4709 | https://blog.talosintelligence.com/2020/07/threat-roundup-0710-0717.html | SHA256: b853ec7bf8d69a2ea7203a8881c2671c8e2a546e7a9a299e6062275e52f10cb2 | SHA1: a944cb8530194a7fe293ea6faaddf912d1d2be83 | MD5: 038d0f48cf53443817f515263b5f4709 |
M20-v6ck1 | TinyBanker_02ef97cd | Windows |
This strike sends a malware sample known as TinyBanker. The malware TinyBanker, also known as Zusy or Tinba, is a trojan that uses a JavaScript-injected form to steal banking information. When executed, it injects itself into Windows processes like "explorer.exe" and "winver.exe". | 02ef97cd7f61f4dec5ea52276eb7d776 | https://blog.talosintelligence.com/2020/07/threat-roundup-0710-0717.html | SHA256: 7b4bc90a5a8ebd89b6dd4b804257ec8c0c3b6bc2565a6c6f1e24f77f4b33fca5 | SHA1: f5b7f7401110a5304477042d816812d3c7d883ba | MD5: 02ef97cd7f61f4dec5ea52276eb7d776 |
M20-6gzv1 | SoreFang_c5d5cb99 | Windows |
This strike sends a malware sample known as SoreFang. This sample is a Trojan implant designed to exploit Sangfor SSL VPN servers. It has been seen targeting organizations involved in COVID-19 research and vaccine development. It replaces the legitimate Sangfor VPN software distributed to VPN clients. The malware gives the attacker remote control over the infected machine. | c5d5cb99291fa4b2a68b5ea3ff9d9f9a | https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198a | SHA256: 65495d173e305625696051944a36a031ea94bb3a4f13034d8be740982bc4ab75 | SHA1: a1b5d50fe87f9c69a0e4da447f8d56155ce59e47 | MD5: c5d5cb99291fa4b2a68b5ea3ff9d9f9a |
M20-bx2o1 | DarkComet_94450dbe | Windows |
This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system. | 94450dbefcfdf11eb85fec5a2e9e79c4 | https://blog.talosintelligence.com/2020/06/threat-roundup-0529-0605.html | SHA256: 3b765b6d85b21b8304c2287d2ede993082455f64d904529dd8eb03482b5cf3b3 | SHA1: 8bf0af36f38d01b3a8f4de82c1ce7ed18b2ad5ae | MD5: 94450dbefcfdf11eb85fec5a2e9e79c4 |
M20-rt3f1 | NetWire_a297dff6 | Windows |
This strike sends a polymorphic malware sample known as NetWire. NetWire is a Remote Access Trojan that lets attackers execute commands on the infected host. The binary has random bytes appended at the end of the file. | a297dff6004ac5e1ce577f9b0474cb3b | https://attack.mitre.org/techniques/T1009/ | SHA256: e2bcc45e934d72f16d87d299278d1c507b0a7fe4b351df9943b8647bcb6f893d | SHA1: 2db18eaa442052a0eb0d3b2936b391a5342b60e3 | PARENTID: M20-mt3r1 | SSDEEP: 1536:3UEd6yGrbtK9aao4svmGOKt7dZ+tjFKRgA+JFm:3QT8svpbqFK6Al | MD5: a297dff6004ac5e1ce577f9b0474cb3b |
M20-9klw1 | Emotet_91fb4712 | Windows |
This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails. | 91fb471283081bd2960ad253d14aa2ab | https://blog.talosintelligence.com/2020/07/threat-roundup-0703-0710.html | SHA256: 338b14380a84844b2e8773ba6846e2a8a23fe266b5d079dc3efbb17f9473a250 | SHA1: b4aab2d7bcc50737276b1e89a18e19ec356a41c7 | MD5: 91fb471283081bd2960ad253d14aa2ab |
M20-flcr1 | NetWire_796cbb64 | Windows |
This strike sends a malware sample known as NetWire. NetWire is a Remote Access Trojan that lets attackers execute commands on the infected host. | 796cbb6400d4f1e1290374a0fcc8c4a0 | https://blog.talosintelligence.com/2020/07/threat-roundup-0703-0710.html | SHA256: 11f841dcd0ffd44e32bbfaf6ee2e3e4c47efc0ae80ab95a4b4f6f0cd4f9fbb2a | SHA1: 82959fc4042c193ab5afb7c1f15e3d410147bcc3 | MD5: 796cbb6400d4f1e1290374a0fcc8c4a0 |
M20-pk0z1 | WastedLocker_13e623cd | Windows |
This strike sends a malware sample known as WastedLocker. WastedLocker is a new targeted ransomware that was created by the organization known as Evil Corp. Recently it has been seen in the wild attacking mostly US-based Fortune 500 companies. Once a system is infected, PsExec runs the WastedLocker binary, which begins encrypting data on the system and deleting shadow volumes. The encrypted files are named using a combination of the company's name and the string "wasted". Additionally, files with the appended string "_info" contain the ransom note left behind. | 13e623cdfb75d99ea7e04c6157ca8ae6 | https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/ | SHA256: aa05e7a187ddec2e11fc1c9eafe61408d085b0ab6cd12caeaf531c9dca129772 | SHA1: f25f0b369a355f30f5e11ac11a7f644bcfefd963 | MD5: 13e623cdfb75d99ea7e04c6157ca8ae6 |
M20-ekw01 | DarkComet_d96a9a72 | Windows |
This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system. | d96a9a72a8e2b99d4d2674e849631db1 | https://blog.talosintelligence.com/2020/06/threat-roundup-0529-0605.html | SHA256: 63935268c3fd6806fc5de779b5f72358721f7dd537de53f019f3baa1cbdb3451 | SHA1: ae8972c472806faa87599cae7fbea22ba0cf9d59 | MD5: d96a9a72a8e2b99d4d2674e849631db1 |
M20-zyb81 | WastedLocker_572fea5f | Windows |
This strike sends a malware sample known as WastedLocker. WastedLocker is a new targeted ransomware that was created by the organization known as Evil Corp. Recently it has been seen in the wild attacking mostly US-based Fortune 500 companies. Once a system is infected, PsExec runs the WastedLocker binary, which begins encrypting data on the system and deleting shadow volumes. The encrypted files are named using a combination of the company's name and the string "wasted". Additionally, files with the appended string "_info" contain the ransom note left behind. | 572fea5f025df78f2d316216fbeee52e | https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/ | SHA256: 5cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367 | SHA1: 91b2bf44b1f9282c09f07f16631deaa3ad9d956d | MD5: 572fea5f025df78f2d316216fbeee52e |
M20-8m231 | WastedLocker_2000de39 | Windows |
This strike sends a malware sample known as WastedLocker. WastedLocker is a new targeted ransomware that was created by the organization known as Evil Corp. Recently it has been seen in the wild attacking mostly US-based Fortune 500 companies. Once a system is infected, PsExec runs the WastedLocker binary, which begins encrypting data on the system and deleting shadow volumes. The encrypted files are named using a combination of the company's name and the string "wasted". Additionally, files with the appended string "_info" contain the ransom note left behind. | 2000de399f4c0ad50a26780700ed6cac | https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/ | SHA256: 7a45a4ae68992e5be784b4a6da7acd98dc28281fe238f22c1f7c1d85a90d144a | SHA1: 70c0d6b0a8485df01ed893a7919009f099591083 | MD5: 2000de399f4c0ad50a26780700ed6cac |
M20-i6gz1 | Emotet_86ecac07 | Windows |
This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails. | 86ecac07b0e42617b45835cc31ad9af0 | https://blog.talosintelligence.com/2020/07/threat-roundup-0703-0710.html | SHA256: 1dafb532cac149ced3cb5f6bcaef801208d8de38c3f6b7a8a69ba2277d90e5fb | SHA1: 65c7fd2314fa8d8f3776f62d1e9409619340732f | MD5: 86ecac07b0e42617b45835cc31ad9af0 |
M20-l8661 | WastedLocker_0ed2ca53 | Windows |
This strike sends a malware sample known as WastedLocker. WastedLocker is a new targeted ransomware that was created by the organization known as Evil Corp. Recently it has been seen in the wild attacking mostly US-based Fortune 500 companies. Once a system is infected, PsExec runs the WastedLocker binary, which begins encrypting data on the system and deleting shadow volumes. The encrypted files are named using a combination of the company's name and the string "wasted". Additionally, files with the appended string "_info" contain the ransom note left behind. | 0ed2ca539a01cdb86c88a9a1604b2005 | https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/ | SHA256: bcdac1a2b67e2b47f8129814dca3bcf7d55404757eb09f1c3103f57da3153ec8 | SHA1: 4fed7eae00bfa21938e49f33b7c6794fd7d0750c | MD5: 0ed2ca539a01cdb86c88a9a1604b2005 |
M20-h6ig1 | Emotet_d89d6736 | Windows |
This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails. | d89d673631c11ce32a05b1e36bcb6735 | https://blog.talosintelligence.com/2020/07/threat-roundup-0703-0710.html | SHA256: dd5048f55ce7d16e2cce8ba707b66ae2c8c7ae64549b98fdcdb0f3ecf2874f17 | SHA1: 5a1de3a9350a210999e84c305bfa03f40a2ae6e1 | MD5: d89d673631c11ce32a05b1e36bcb6735 |
M20-e6fw1 | Emotet_d9b152c6 | Windows |
This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails. | d9b152c6297363628706d37d3b85d8ed | https://blog.talosintelligence.com/2020/07/threat-roundup-0703-0710.html | SHA256: 1b1c8d35b6dff722f9439985f78da06098d5bad82e7d0b5d1fa41dcc6b3c432b | SHA1: 651726ab4329a51e51babd5a9021f1de823b9c74 | MD5: d9b152c6297363628706d37d3b85d8ed |
M20-bf2g1 | WellMess_8f1e36bb | Windows |
This strike sends a polymorphic malware sample known as WellMess. WellMess is a lightweight malware written in either Golang or .NET. It has been seen in the wild targeting organizations involved in COVID-19 research and vaccine development. It is designed to execute arbitrary shell commands and to upload and download files. These samples are implants that allow a remote operator to establish encrypted communication with C2 servers to send and retrieve malicious scripts on an infected system. The binary has random strings (lorem ipsum) appended at the end of the file. | 8f1e36bb3bc44914eb13465471400063 | https://attack.mitre.org/techniques/T1009/ | SHA256: 67c72f8eaff6c96b4b70be02cf0e571321fabb8bbe50d8f15f5eca8c73895e5f | SHA1: e5f74991182ae58a09892cfe406b93da51a1944a | PARENTID: M20-n8yw1 | SSDEEP: 6144:4t4156qfXqT02bFXCYv123kUo4GECAOcL6xDE4UL:oc6qkt5vdU6ECe4UL | MD5: 8f1e36bb3bc44914eb13465471400063 |
M20-dzyd1 | DarkComet_a5361ce7 | Windows |
This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system. | a5361ce78de87cfd962242da00f11662 | https://blog.talosintelligence.com/2020/06/threat-roundup-0529-0605.html | SHA256: 3ee0145434048bb9dbff5a92a2083b3baae1c539a459668e34316bb75ad318de | SHA1: c1b8bf7f8ab9fa35155497b7757482883e7074aa | MD5: a5361ce78de87cfd962242da00f11662 |
M20-yewi1 | TinyBanker_729a37e0 | Windows |
This strike sends a malware sample known as TinyBanker. The malware TinyBanker, also known as Zusy or Tinba, is a trojan that uses a JavaScript-injected form to steal banking information. When executed, it injects itself into Windows processes like "explorer.exe" and "winver.exe". | 729a37e05315e8179d16169168a667eb | https://blog.talosintelligence.com/2020/07/threat-roundup-0710-0717.html | SHA256: 4015c1917edbb2e1b9db30a3c02f3ae4e8f9ba7015f3c3c0a4274c281e508f7d | SHA1: 8da80e6a453f89e0e2026660b1938aed69330c39 | MD5: 729a37e05315e8179d16169168a667eb |
M20-27lf1 | TinyBanker_31dc4cc0 | Windows |
This strike sends a malware sample known as TinyBanker. The malware TinyBanker, also known as Zusy or Tinba, is a trojan that uses a JavaScript-injected form to steal banking information. When executed, it injects itself into Windows processes like "explorer.exe" and "winver.exe". | 31dc4cc040d13f9b06bae2bd61426372 | https://blog.talosintelligence.com/2020/07/threat-roundup-0710-0717.html | SHA256: 47381ffb76fa60172fe273eba6dbb66ac6ebe05c1e6b6a7af863be2b990482c0 | SHA1: 84a16b9420bcf817a462700f5ef0be2f6947bbc5 | MD5: 31dc4cc040d13f9b06bae2bd61426372 |
M20-po0s1 | NetWire_350b809a | Windows |
This strike sends a malware sample known as NetWire. NetWire is a Remote Access Trojan that lets attackers execute commands on the infected host. | 350b809a45dfe3dca55870d8f994333f | https://blog.talosintelligence.com/2020/07/threat-roundup-0703-0710.html | SHA256: 4be38ea855bd9088282cd6afbb6b2698aa45fc1f507a609a66af4894a8a3eaf3 | SHA1: 5f04765f73bdd55acf606e7acd65469449773845 | MD5: 350b809a45dfe3dca55870d8f994333f |
M20-eyn31 | NetWire_1b524f5d | Windows |
This strike sends a malware sample known as NetWire. NetWire is a Remote Access Trojan that lets attackers execute commands on the infected host. | 1b524f5db5738143efbd54f6a5a56573 | https://blog.talosintelligence.com/2020/07/threat-roundup-0703-0710.html | SHA256: 2e86be5c9c364bd944b4823b9191f217c181bb6c980e1708800be13dac953cd5 | SHA1: 1c096168f6db961ba445dd31004532a0684292eb | MD5: 1b524f5db5738143efbd54f6a5a56573 |
M20-l4nx1 | Emotet_3292ce99 | Windows |
This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails. | 3292ce99235f89437fdf33c0227df4fa | https://blog.talosintelligence.com/2020/07/threat-roundup-0703-0710.html | SHA256: 4b953167cdee60b1fda17ce2293590c05b26db580e93ce93fb0ffee08527ac2a | SHA1: 96dc6429f3432dec156030e0234ccb776b2d93dd | MD5: 3292ce99235f89437fdf33c0227df4fa |
M20-b9xh1 | NetWire_9fd86daf | Windows |
This strike sends a polymorphic malware sample known as NetWire. NetWire is a Remote Access Trojan that lets attackers execute commands on the infected host. The binary has a section renamed to a random name that conforms to the PE format specification. | 9fd86daf25d2498d84395bfc9ad5dcac | https://arxiv.org/abs/1801.08917 | SHA256: 67c92144dc4444d9a3c486fd9e3d0c8df2825dd96d5a74f87461c7987bf354f1 | SHA1: ffc6523cdb858118e0815e3f8846b279f32beb21 | PARENTID: M20-mt3r1 | SSDEEP: 1536:30Ed6yGrbtK9aao4svmGOKt7dZ+tjFKRgA+JF:3wT8svpbqFK6A | MD5: 9fd86daf25d2498d84395bfc9ad5dcac |
M20-blce1 | WastedLocker_ecb00e9a | Windows |
This strike sends a malware sample known as WastedLocker. WastedLocker is a new targeted ransomware that was created by the organization known as Evil Corp. Recently it has been seen in the wild attacking mostly US-based Fortune 500 companies. Once a system is infected, PsExec runs the WastedLocker binary, which begins encrypting data on the system and deleting shadow volumes. The encrypted files are named using a combination of the company's name and the string "wasted". Additionally, files with the appended string "_info" contain the ransom note left behind. | ecb00e9a61f99a7d4c90723294986bbc | https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/ | SHA256: 8897db876553f942b2eb4005f8475a232bafb82a50ca7761a621842e894a3d80 | SHA1: be59c867da75e2a66b8c2519e950254f817cd4ad | MD5: ecb00e9a61f99a7d4c90723294986bbc |
M20-ddcg1 | Emotet_74fb55f5 | Windows |
This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails. | 74fb55f5f7bbf504228af8e136c4b8e7 | https://blog.talosintelligence.com/2020/07/threat-roundup-0703-0710.html | SHA256: e66da3958ee12be370fb6e1e429611f98d575b21b5e555d9f8dee58eb2481def | SHA1: 34228506df007ad3ec1672b01ce6abf7293598b7 | MD5: 74fb55f5f7bbf504228af8e136c4b8e7 |
M20-rils1 | TinyBanker_42d34ef5 | Windows |
This strike sends a malware sample known as TinyBanker. The malware TinyBanker, also known as Zusy or Tinba, is a trojan that uses a JavaScript-injected form to steal banking information. When executed, it injects itself into Windows processes like "explorer.exe" and "winver.exe". | 42d34ef5b4a2e9637fa0b7cdfdbf7d2c | https://blog.talosintelligence.com/2020/07/threat-roundup-0710-0717.html | SHA256: 0ebaddef17527ae1f59121ac7ae05fcb2806fc36fd4ea5e3a8d63999d1ef8245 | SHA1: 2ada07cade8d09a3fdf74f3764542fe052ee523a | MD5: 42d34ef5b4a2e9637fa0b7cdfdbf7d2c |
M20-e29i1 | TinyBanker_ea88c8a1 | Windows |
This strike sends a malware sample known as TinyBanker. The malware TinyBanker, also known as Zusy or Tinba, is a trojan that uses a JavaScript-injected form to steal banking information. When executed, it injects itself into Windows processes like "explorer.exe" and "winver.exe". | ea88c8a14f624a0069719a609bfb93b1 | https://blog.talosintelligence.com/2020/07/threat-roundup-0710-0717.html | SHA256: 9d76af39b9de6fc9f58ca5d7a83798f37790d2193ff88a71cccad19092009a5c | SHA1: 2f4786eef36db3cd34a569759ded38b94144cfcd | MD5: ea88c8a14f624a0069719a609bfb93b1 |
M20-dazc1 | NetWire_86b2dc6b | Windows |
This strike sends a malware sample known as NetWire. NetWire is a Remote Access Trojan that lets attackers execute commands on the infected host. | 86b2dc6b035832b396832ee96498b557 | https://blog.talosintelligence.com/2020/07/threat-roundup-0703-0710.html | SHA256: 9d163b8e00e7574fb1609b2ee8db2b07d3b6aafa233f3add788dda1baf5b3322 | SHA1: 9a3e9da47404aa4817ba301976d0e5211b444ead | MD5: 86b2dc6b035832b396832ee96498b557 |
M20-0rye1 | WastedLocker_edbf07ea | Windows |
This strike sends a malware sample known as WastedLocker. WastedLocker is a new targeted ransomware that was created by the organization known as Evil Corp. Recently it has been seen in the wild attacking mostly US-based Fortune 500 companies. Once a system is infected, PsExec runs the WastedLocker binary, which begins encrypting data on the system and deleting shadow volumes. The encrypted files are named using a combination of the company's name and the string "wasted". Additionally, files with the appended string "_info" contain the ransom note left behind. | edbf07eaca4fff5f2d3f045567a9dc6f | https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/ | SHA256: ed0632acb266a4ec3f51dd803c8025bccd654e53c64eb613e203c590897079b3 | SHA1: 9292fa66c917bfa47e8012d302a69bec48e9b98c | MD5: edbf07eaca4fff5f2d3f045567a9dc6f |
M20-vnec1 | Emotet_3c0c754a | Windows |
This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails. | 3c0c754a38f8f750b53ebf2d81d5b897 | https://blog.talosintelligence.com/2020/07/threat-roundup-0703-0710.html | SHA256: 539f218904629efd90df998b1704cdfc101543b74c6d8afab2204e325d1e8bb0 | SHA1: 7becb502bb543a46ef515e6037208b793a613af3 | MD5: 3c0c754a38f8f750b53ebf2d81d5b897 |
M20-72n11 | DarkComet_c3c2764d | Windows |
This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system. | c3c2764dbe9ec6f4d9207c84ca5b8201 | https://blog.talosintelligence.com/2020/06/threat-roundup-0529-0605.html | SHA256: 0f6a595d6bfd0dc514dbde0b8be7cdb2aa1dba94a103f1c79205f0bcf9856e7f | SHA1: 6e90e4c6a099f38a6810c37711cca2739cf22772 | MD5: c3c2764dbe9ec6f4d9207c84ca5b8201 |
M20-jxz11 | TinyBanker_4be2f390 | Windows |
This strike sends a malware sample known as TinyBanker. The malware TinyBanker, also known as Zusy or Tinba, is a trojan that uses a JavaScript-injected form to steal banking information. When executed, it injects itself into Windows processes like "explorer.exe" and "winver.exe". | 4be2f39094acef6d9791f7604219d4f4 | https://blog.talosintelligence.com/2020/07/threat-roundup-0710-0717.html | SHA256: 36d265d452dd91cfc0640b59f3184112c0e3e20f1c5f1e6409452881458083b5 | SHA1: b08f3a3326bb484322a6fbba16dd28db4c7bf7d7 | MD5: 4be2f39094acef6d9791f7604219d4f4 |
M20-8eet1 | TinyBanker_19edfc7f | Windows |
This strike sends a malware sample known as TinyBanker. The malware TinyBanker, also known as Zusy or Tinba, is a trojan that uses a JavaScript-injected form to steal banking information. When executed, it injects itself into Windows processes like "explorer.exe" and "winver.exe". | 19edfc7f229677c5cd9fd8327a197745 | https://blog.talosintelligence.com/2020/07/threat-roundup-0710-0717.html | SHA256: 9a21d7ef4b6f50a4e4ce47791bf2231a523884cf58e4d94e2089464967fd6e25 | SHA1: 4b48bb99acd79c445f55b4d3eedccdb7cb2bc49a | MD5: 19edfc7f229677c5cd9fd8327a197745 |
M20-p4zi1 | DarkComet_bd4b11b9 | Windows |
This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system. | bd4b11b929ec3f25c1caf63bc889d5fc | https://blog.talosintelligence.com/2020/06/threat-roundup-0529-0605.html | SHA256: 8167bea409789e03d3483aa7497762f2c3f33ed25122fcd8b7e7b45cb9b3e919 | SHA1: f21c9217461452eab05e990e8b2ff20fde524c4a | MD5: bd4b11b929ec3f25c1caf63bc889d5fc |
M20-z9p41 | NetWire_83f66181 | Windows |
This strike sends a malware sample known as NetWire. NetWire is a Remote Access Trojan that lets attackers execute commands on the infected host. | 83f66181010a41f2a47d4c7bd7d6296b | https://blog.talosintelligence.com/2020/07/threat-roundup-0703-0710.html | SHA256: 79dbd028f2768d0874fce30c00b227e6af46080727503918bc09ef965949edc4 | SHA1: 5af13ebbc629d1dc062933a75577272c5016b1f3 | MD5: 83f66181010a41f2a47d4c7bd7d6296b |
M20-1dr31 | NetWire_f74d7e56 | Windows |
This strike sends a malware sample known as NetWire. NetWire is a Remote Access Trojan that lets attackers execute commands on the infected host. | f74d7e560926fdb7802e4b13d0c10e7a | https://blog.talosintelligence.com/2020/07/threat-roundup-0703-0710.html | SHA256: 9648d53a1276cdd0d3d170ba0c13a9c140b13c4ef3d3d4790164ca98f8f71a5d | SHA1: 1fdaba3131e83a0e5b22d0a312dbb8f0c0d35bb2 | MD5: f74d7e560926fdb7802e4b13d0c10e7a |
M20-x2o41 | TinyBanker_2752e633 | Windows |
This strike sends a malware sample known as TinyBanker. The malware TinyBanker, also known as Zusy or Tinba, is a trojan that uses a JavaScript-injected form to steal banking information. When executed, it injects itself into Windows processes like "explorer.exe" and "winver.exe". | 2752e6339bbbbbc032826808cedc5d32 | https://blog.talosintelligence.com/2020/07/threat-roundup-0710-0717.html SHA256: 14398c45f2dc4d5c6d4c16ba9f276888eee4eb396863a355d059b55795d606e3 SHA1: 597850e0f0162bcbd571ab892fc3652d87c1de5c MD5: 2752e6339bbbbbc032826808cedc5d32 |
M20-gan91 | Emotet_cfa658c9 | Windows |
This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails. | cfa658c993fd56dd81a370e286163770 | https://blog.talosintelligence.com/2020/07/threat-roundup-0703-0710.html SHA256: cb8a434442b33d664405f2191c9f57d7e04f97bb3a98116000d82a5967bd2868 SHA1: 897e9c21c02952020f9f3ef56f3154ab4b1afe38 MD5: cfa658c993fd56dd81a370e286163770 |
M20-980h1 | DarkComet_03183a1a | Windows |
This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system. | 03183a1a2b8381ecfdb47ba4cc824191 | https://blog.talosintelligence.com/2020/06/threat-roundup-0529-0605.html SHA256: 08039ef764c01600b0b21b33fb9c45031fecacfbc62ac1400a2604783c513e4d SHA1: 03787807f2e0b449abd3ebaf2d9945d738f2f130 MD5: 03183a1a2b8381ecfdb47ba4cc824191 |
M20-l83m1 | DarkComet_12976937 | Windows |
This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system. | 12976937fbeef378e9b64d237991c45a | https://blog.talosintelligence.com/2020/06/threat-roundup-0529-0605.html SHA256: 6557faee4a706e851f0aa28785e38dc56bfd422c4d8864c754c884163ab8ab3d SHA1: 29d586610d388065debc1f88cd19a8bc393431f4 MD5: 12976937fbeef378e9b64d237991c45a |
M20-ands1 | NetWire_edc2afa3 | Windows |
This strike sends a malware sample known as NetWire. NetWire is a remote access trojan that lets attackers execute commands on the infected host. | edc2afa36a416f93aa4e763e8660f933 | https://blog.talosintelligence.com/2020/07/threat-roundup-0703-0710.html SHA256: 51164673a792e1f214b69b1f21bf714ce289ddf8d898f7499f07aafb7a692e9a SHA1: c362a783af0b84241c16ef22eebf2811f8a57c1a MD5: edc2afa36a416f93aa4e763e8660f933 |
M20-tlrb1 | SoreFang_861879f4 | Linux |
This strike sends a malware sample known as SoreFang. This sample is a trojan implant designed to exploit Sangfor SSL VPN servers. It has been seen targeting organizations involved in COVID-19 research and vaccine development. It replaces the legitimate Sangfor VPN software distributed to VPN clients. The malware gives the attacker remote control over the infected machine. | 861879f402fe3080ab058c0c88536be4 | https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198a SHA256: 14e9b5e214572cb13ff87727d680633f5ee238259043357c94302654c546cad2 SHA1: db4f07ecefd1e290d727379ded4f15a0d4a59f88 MD5: 861879f402fe3080ab058c0c88536be4 |
M20-tk1k1 | Emotet_6aa9aaed | Windows |
This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails. | 6aa9aaed9e0281f98c4d178d9388b9af | https://blog.talosintelligence.com/2020/07/threat-roundup-0703-0710.html SHA256: ab87b202217c59a3d0346f4bdaa549813191ff25df57ad8a616b40647cb4c028 SHA1: 273a09c6320a70961371fba4cce6bf98f72c6ae6 MD5: 6aa9aaed9e0281f98c4d178d9388b9af |
M20-ykkn1 | TinyBanker_494744ed | Windows |
This strike sends a malware sample known as TinyBanker. The malware TinyBanker, also known as Zusy or Tinba, is a trojan that uses a JavaScript-injected form to steal banking information. When executed, it injects itself into Windows processes like "explorer.exe" and "winver.exe". | 494744ed921005e57d1495d1b3f23260 | https://blog.talosintelligence.com/2020/07/threat-roundup-0710-0717.html SHA256: 40c0d24f854db3548f0d9ef8fef3cfc7463fae25e690f426e044042e35f46a48 SHA1: 46fc9fdd01ce7b0cc2a9a7d3fa4f73d9a2c2faad MD5: 494744ed921005e57d1495d1b3f23260 |
M20-z1so1 | NetWire_c5c68c05 | Windows |
This strike sends a malware sample known as NetWire. NetWire is a remote access trojan that lets attackers execute commands on the infected host. | c5c68c052096dd76f2dd85c322d950f1 | https://blog.talosintelligence.com/2020/07/threat-roundup-0703-0710.html SHA256: 1e7b37a04208f94239a05244352ae5bf45793f83bdcb4aaadbfa7ef4c48d805d SHA1: 4c7b85c0dfc53e3cc9cb79add07b4bf95c40fcda MD5: c5c68c052096dd76f2dd85c322d950f1 |
M20-jy701 | NetWire_1d030db3 | Windows |
This strike sends a malware sample known as NetWire. NetWire is a remote access trojan that lets attackers execute commands on the infected host. | 1d030db358ba16c4ea8ba4a928eb583b | https://blog.talosintelligence.com/2020/07/threat-roundup-0703-0710.html SHA256: 255c6efe9551fd5b6381adb440b94af65aee2286465c76c8fdb596c6e7a90b1a SHA1: 321487b8c7827cc87d3a8bfacb912e0fb519d3a1 MD5: 1d030db358ba16c4ea8ba4a928eb583b |
M20-ajbu1 | DarkComet_d65fc205 | Windows |
This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system. | d65fc2053dd33571ebb55a1b49bb03bd | https://blog.talosintelligence.com/2020/06/threat-roundup-0529-0605.html SHA256: 57f94f852f1a625bebfe96a57be5c6cbcb17016f786ebe1991265c442dc42103 SHA1: 5de1d9dc4cd3fb5b3370cd8303a16838c0a97c39 MD5: d65fc2053dd33571ebb55a1b49bb03bd |
M20-8r8e1 | NetWire_9b7a4904 | Windows |
This strike sends a malware sample known as NetWire. NetWire is a remote access trojan that lets attackers execute commands on the infected host. | 9b7a4904810d28f35158bb99cbd5df6b | https://blog.talosintelligence.com/2020/07/threat-roundup-0703-0710.html SHA256: 7e6898b47574bbdb8b7c27bc392eab836bcd810e048fdc6b880537e3c7fb701d SHA1: 864a414d4d11cb57994e9efefbf494ef0b072a1e MD5: 9b7a4904810d28f35158bb99cbd5df6b |
M20-uod41 | NetWire_1a085a8f | Windows |
This strike sends a malware sample known as NetWire. NetWire is a remote access trojan that lets attackers execute commands on the infected host. | 1a085a8f86d2a2ed0e9f81c67f696d2e | https://blog.talosintelligence.com/2020/07/threat-roundup-0703-0710.html SHA256: 62b6d90b250056d556971b7066e827eb03bbe2cb0b70848a98cb21fadc27d500 SHA1: fd065edaaec8a6d57cc225674249e03d6f65f5c5 MD5: 1a085a8f86d2a2ed0e9f81c67f696d2e |
M20-h5qb1 | Emotet_62f09a7e | Windows |
This strike sends a polymorphic malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails. The binary has been packed using the UPX packer with the default options. | 62f09a7e9cbfeae4335ebeaa40b1358a | https://attack.mitre.org/techniques/T1045/ SHA256: cf2d015be5779753daceaab47e8745bb9deef81b646aa59313a365bf383ec6cf SHA1: dc28fb3e20309a27641d88acf8e9b0c459f9e363 PARENTID: M20-8ev91 SSDEEP: 3072:J61oDDSj+vIq7SELcPrra8pB87lTAEYE1u3MJSAt1TKjUMK6x08Uj:JZGj+vIq7SEIPfws79AtyKZD MD5: 62f09a7e9cbfeae4335ebeaa40b1358a |
M20-jvax1 | WellMess_967fcf18 | Windows |
This strike sends a malware sample known as WellMess. WellMess is a lightweight malware written in either Golang or .NET. It has been seen in the wild targeting organizations involved in COVID-19 research and vaccine development. It is designed to execute arbitrary shell commands and to upload and download files. These samples are implants that allow a remote operator to establish encrypted communication with C2 servers to send and retrieve malicious scripts on an infected system. | 967fcf185634def5177f74b0f703bdc0 | https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198b SHA256: 58d8e65976b53b77645c248bfa18c3b87a6ecfb02f306fe6ba4944db96a5ede2 SHA1: 152189b62c546d6297a7083778fba62dcec576be MD5: 967fcf185634def5177f74b0f703bdc0 |
M20-4c7z2 | NetWire_234465ef | Windows |
This strike sends a malware sample known as NetWire. NetWire is a remote access trojan that lets attackers execute commands on the infected host. | 234465efb8b8e3341f6d5736cb81cde2 | https://blog.talosintelligence.com/2020/07/threat-roundup-0703-0710.html SHA256: 28181484a3ef4f4f3ab8fc07388aa109b49f2e02bcfe65b819a4341369e5b4fc SHA1: 59bfeacd950b124ee4e30a6d2e5f41351b00f6b0 MD5: 234465efb8b8e3341f6d5736cb81cde2 |
M20-0nw31 | DarkComet_aabfef70 | Windows |
This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system. | aabfef7012a8afef5a38e48a2ecc3e66 | https://blog.talosintelligence.com/2020/06/threat-roundup-0529-0605.html SHA256: 73e47ae090f62b5723ccc7a1b452e8c8b305f22734f7efac6402c9edbd49bc5c SHA1: 0afdc73e16c8f8c3a84af9edc0cb710afc7929f6 MD5: aabfef7012a8afef5a38e48a2ecc3e66 |
M20-y1mn1 | DarkComet_fd6af5f9 | Windows |
This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system. | fd6af5f98b2b68add91fd43c0e9e2aae | https://blog.talosintelligence.com/2020/06/threat-roundup-0529-0605.html SHA256: 50e76d4936b183bf0c03761a38bf0d74e037ce72b59df8a28764b7f446675f51 SHA1: 68a6a226909396bb31d2b88fdc0c1513514b1a2a MD5: fd6af5f98b2b68add91fd43c0e9e2aae |
M20-wl4k1 | WellMess_f18ced87 | Windows |
This strike sends a malware sample known as WellMess. WellMess is a lightweight malware written in either Golang or .NET. It has been seen in the wild targeting organizations involved in COVID-19 research and vaccine development. It is designed to execute arbitrary shell commands and to upload and download files. These samples are implants that allow a remote operator to establish encrypted communication with C2 servers to send and retrieve malicious scripts on an infected system. | f18ced8772e9d1a640b8b4a731dfb6e0 | https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198b SHA256: 953b5fc9977e2d50f3f72c6ce85e89428937117830c0ed67d468e2d93aa7ec9a SHA1: 92f7b470c5a2c95a4df04c2c5cd50780f6dbdda1 MD5: f18ced8772e9d1a640b8b4a731dfb6e0 |
M20-k1gk1 | Emotet_15cbe4fd | Windows |
This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails. | 15cbe4fdac2c40d14c0e5cc325a46c26 | https://blog.talosintelligence.com/2020/07/threat-roundup-0703-0710.html SHA256: 019cb08d08f8512b3a6af74bf8f1f4c99c8a9691af2775183c95e67c10388e74 SHA1: 1e7967ff30f173c2f990a1d3052a8acfc42f9733 MD5: 15cbe4fdac2c40d14c0e5cc325a46c26 |
M20-8ue71 | NetWire_06008156 | Windows |
This strike sends a malware sample known as NetWire. NetWire is a remote access trojan that lets attackers execute commands on the infected host. | 06008156d85ad3dfeea6abdb65eea5c3 | https://blog.talosintelligence.com/2020/07/threat-roundup-0703-0710.html SHA256: 22c07b60b192d882381a9e4e5c1cefff80c7bdcf12efa66d19765625b9ea7d00 SHA1: cfa7fca227843cff5c7d5c12e591cb8669da452d MD5: 06008156d85ad3dfeea6abdb65eea5c3 |
M20-obtk1 | NetWire_ad08c13a | Windows |
This strike sends a malware sample known as NetWire. NetWire is a remote access trojan that lets attackers execute commands on the infected host. | ad08c13afea59519ec36163c9942c44d | https://blog.talosintelligence.com/2020/07/threat-roundup-0703-0710.html SHA256: 483b6c1fc090a248beb40574446a998c3af6a8f3c42df5f0e95a162fd4b9b534 SHA1: 4d0e8803552159d436ed5d4264aa58644a4542f7 MD5: ad08c13afea59519ec36163c9942c44d |
M20-4n931 | TinyBanker_0f1da9b6 | Windows |
This strike sends a malware sample known as TinyBanker. The malware TinyBanker, also known as Zusy or Tinba, is a trojan that uses a JavaScript-injected form to steal banking information. When executed, it injects itself into Windows processes like "explorer.exe" and "winver.exe". | 0f1da9b6fffc07884725e9eec9dbe85c | https://blog.talosintelligence.com/2020/07/threat-roundup-0710-0717.html SHA256: b47214f748eef3fdd27388c1d59b4a308910d442f78cead2dee6895169ae9e76 SHA1: 8f67bb887c3e84f063dcd402614495198f9e538f MD5: 0f1da9b6fffc07884725e9eec9dbe85c |
M20-7osy1 | DarkComet_9faa5a31 | Windows |
This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system. | 9faa5a3166dc6fbc745d085d154ddd93 | https://blog.talosintelligence.com/2020/06/threat-roundup-0529-0605.html SHA256: 5d0671d8aa8a4c3eaeca7d73c197f20fa5e3698f97d9f99abf50b4e43ab1d113 SHA1: 9d424326bd59695cd59295f06a861a01fc5e4839 MD5: 9faa5a3166dc6fbc745d085d154ddd93 |
M20-9xaa1 | TinyBanker_13d1b1f5 | Windows |
This strike sends a malware sample known as TinyBanker. The malware TinyBanker, also known as Zusy or Tinba, is a trojan that uses a JavaScript-injected form to steal banking information. When executed, it injects itself into Windows processes like "explorer.exe" and "winver.exe". | 13d1b1f5afe9d95a5d3a67243b15bbf6 | https://blog.talosintelligence.com/2020/07/threat-roundup-0710-0717.html SHA256: 3c21cb07d0391719918fa40c59ac02b1d0444813bff01aa57ed0173ea17907fe SHA1: fc4680ad54ce3dbb7e382467f3795c97da4470de MD5: 13d1b1f5afe9d95a5d3a67243b15bbf6 |
M20-5ge01 | DarkComet_0d3a2129 | Windows |
This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system. | 0d3a2129a486493974d845cbb5ff41e4 | https://blog.talosintelligence.com/2020/06/threat-roundup-0529-0605.html SHA256: 31535bfd8856f9497076a79fc6bac118901275a4928e9c31bfd42641aa624a98 SHA1: eb72bc690b2be5033faca68820ecc0388c89df26 MD5: 0d3a2129a486493974d845cbb5ff41e4 |
M20-n44n1 | TinyBanker_e20a97a6 | Windows |
This strike sends a malware sample known as TinyBanker. The malware TinyBanker, also known as Zusy or Tinba, is a trojan that uses a JavaScript-injected form to steal banking information. When executed, it injects itself into Windows processes like "explorer.exe" and "winver.exe". | e20a97a65ec439978dba244cb67a9a48 | https://blog.talosintelligence.com/2020/07/threat-roundup-0710-0717.html SHA256: 43b909534495841ca1ca6d5a16b4a8ced3c611ae84114d150731c9606cb1b574 SHA1: f86353352ebd92bb10bfab1fd694e8966502261f MD5: e20a97a65ec439978dba244cb67a9a48 |
M20-9oew1 | NetWire_f17dc7f4 | Windows |
This strike sends a malware sample known as NetWire. NetWire is a remote access trojan that lets attackers execute commands on the infected host. | f17dc7f4fe64200ef073b064ee74a4eb | https://blog.talosintelligence.com/2020/07/threat-roundup-0703-0710.html SHA256: 400dc0e03ffdbe53b008300711d2490e94f7b9eab93ac16ae49b39abd28a48ac SHA1: 574a1e1c54a143915983aa45e525ebad612bbca2 MD5: f17dc7f4fe64200ef073b064ee74a4eb |
M20-2i2a1 | TinyBanker_290ba91b | Windows |
This strike sends a malware sample known as TinyBanker. The malware TinyBanker, also known as Zusy or Tinba, is a trojan that uses a JavaScript-injected form to steal banking information. When executed, it injects itself into Windows processes like "explorer.exe" and "winver.exe". | 290ba91b81e92f59bb9174cce41d97d3 | https://blog.talosintelligence.com/2020/07/threat-roundup-0710-0717.html SHA256: 4d060e479439e757e3472f81a15da6ae38c7cbf9155c7de9817bf30552088b22 SHA1: fa84aa97a4e15d4ad4435ade518538942c227a6d MD5: 290ba91b81e92f59bb9174cce41d97d3 |
M20-ndtq1 | Emotet_07d8ff0a | Windows |
This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails. | 07d8ff0ad28c47ecce6cd3a7b1f86bbd | https://blog.talosintelligence.com/2020/07/threat-roundup-0703-0710.html SHA256: bdb054e3f565c5bf244417609322ccebcab26fdbc74c31516ce66ffd2aed2268 SHA1: beed57f3be93af3b49a3c905299e856e788e4622 MD5: 07d8ff0ad28c47ecce6cd3a7b1f86bbd |
M20-i5ni1 | DarkComet_2b04df87 | Windows |
This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system. | 2b04df87d237933c7e71774904fc6e0c | https://blog.talosintelligence.com/2020/06/threat-roundup-0529-0605.html SHA256: 1be1d57117ab25b16d4d17176062dc0cb469e25dcf2ec8c751c2104365697ae6 SHA1: bd7199a08b3aebe0a080965a517fb6599ff500d2 MD5: 2b04df87d237933c7e71774904fc6e0c |
M20-vy0h1 | TinyBanker_3bb35a94 | Windows |
This strike sends a malware sample known as TinyBanker. The malware TinyBanker, also known as Zusy or Tinba, is a trojan that uses a JavaScript-injected form to steal banking information. When executed, it injects itself into Windows processes like "explorer.exe" and "winver.exe". | 3bb35a94356e2fc3083256ad8ef0ff0f | https://blog.talosintelligence.com/2020/07/threat-roundup-0710-0717.html SHA256: 200a2c5eaa6ce90cc3f825ec4f4f3d8de444282dbd558a9dd0698a9520db2a58 SHA1: 65abe6f5a75658e03e43529c65092e8da386d813 MD5: 3bb35a94356e2fc3083256ad8ef0ff0f |
M20-kz851 | WastedLocker_2cc4534b | Windows |
This strike sends a malware sample known as WastedLocker. WastedLocker is a new targeted ransomware that was created by the organization known as Evil Corp. Recently it has been seen in the wild attacking mostly US-based Fortune 500 companies. Once infected, PsExec runs the WastedLocker binary, which begins to encrypt data on the system as well as deleting shadow volumes. The encrypted files include a combination of the company's name and the string "wasted". Additionally, files with the appended string "_info" contain the ransom note left behind. | 2cc4534b0dd0e1c8d5b89644274a10c1 | https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/ SHA256: 905ea119ad8d3e54cd228c458a1b5681abc1f35df782977a23812ec4efa0288a SHA1: 735ee2c15c0b7172f65d39f0fd33b9186ee69653 MD5: 2cc4534b0dd0e1c8d5b89644274a10c1 |
M20-tiib1 | TinyBanker_28f303b6 | Windows |
This strike sends a malware sample known as TinyBanker. The malware TinyBanker, also known as Zusy or Tinba, is a trojan that uses a JavaScript-injected form to steal banking information. When executed, it injects itself into Windows processes like "explorer.exe" and "winver.exe". | 28f303b61050866816ddde0597134e83 | https://blog.talosintelligence.com/2020/07/threat-roundup-0710-0717.html SHA256: 40789d2be55ca929fe9e9ebdf084b84a42ec88d166744d06bbda41e24bb98e39 SHA1: 90ef73f984ae4cf09e19f0a69138d75544e5d9fe MD5: 28f303b61050866816ddde0597134e83 |
M20-i6tl1 | Emotet_daca8565 | Windows |
This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails. | daca8565d4e8c131ad95e2ed744f7e46 | https://blog.talosintelligence.com/2020/07/threat-roundup-0703-0710.html SHA256: 887226f61b841051a606edd1ced5ad1c1919e71fae4583afea1d995fd027ad08 SHA1: d1fdd23ec6d48d9718c23104c02725dc45473193 MD5: daca8565d4e8c131ad95e2ed744f7e46 |
M20-0yd11 | TinyBanker_958dd51e | Windows |
This strike sends a malware sample known as TinyBanker. The malware TinyBanker, also known as Zusy or Tinba, is a trojan that uses a JavaScript-injected form to steal banking information. When executed, it injects itself into Windows processes like "explorer.exe" and "winver.exe". | 958dd51e24b8d9f1df8470f971ef5726 | https://blog.talosintelligence.com/2020/07/threat-roundup-0710-0717.html SHA256: 645dafa65eec41b157e7dd205b07df97148105950dea2d0722f02f53f449e2a0 SHA1: c4e3d6b2ee15d4cbffc5c8266df9304ad1dc4a8d MD5: 958dd51e24b8d9f1df8470f971ef5726 |
M20-k6al1 | NetWire_bbb734f7 | Windows |
This strike sends a malware sample known as NetWire. NetWire is a remote access trojan that lets attackers execute commands on the infected host. | bbb734f7ac43646319d4148e58a2dcf4 | https://blog.talosintelligence.com/2020/07/threat-roundup-0703-0710.html SHA256: 045ed6c11f72b1a11803a205abcd7ea82b2ad478a8a795984c322f540d159a79 SHA1: 2490ce8e8266b559e3b0b0c54dd35f3b33e8ae2b MD5: bbb734f7ac43646319d4148e58a2dcf4 |
M20-ww611 | NetWire_5479b76d | Windows |
This strike sends a malware sample known as NetWire. NetWire is a remote access trojan that lets attackers execute commands on the infected host. | 5479b76dc7294f003d4e793c80f22311 | https://blog.talosintelligence.com/2020/07/threat-roundup-0703-0710.html SHA256: 492c1e4ae807107b8792e9e4a0c619f92dbb9f0a1fd457ac79fa0e07292354b0 SHA1: ce4fe8c69974ac451aa03cb2e3d95a8530334258 MD5: 5479b76dc7294f003d4e793c80f22311 |
M20-kvrs1 | NetWire_c92888b3 | Windows |
This strike sends a malware sample known as NetWire. NetWire is a remote access trojan that lets attackers execute commands on the infected host. | c92888b389f779e39804aef0244ff8e4 | https://blog.talosintelligence.com/2020/07/threat-roundup-0703-0710.html SHA256: 387109054b3a59071d6ca8af6656eaa223fa4d1825efbcc4213bd192c5d6e29e SHA1: 62961686c78694a227c04b867dd343fe5bea25ca MD5: c92888b389f779e39804aef0244ff8e4 |
M20-ifta1 | DarkComet_07b77b6d | Windows |
This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system. | 07b77b6d48e99b5c94040411f2f42d06 | https://blog.talosintelligence.com/2020/06/threat-roundup-0529-0605.html SHA256: 70ba4783c12ca57a129c5f3ab9d85ee34f5dc753952d15b49f5c54c6f067909e SHA1: 319d8c6e96c8df82943367186359bbdd364cf2ee MD5: 07b77b6d48e99b5c94040411f2f42d06 |
M20-ksew1 | NetWire_68cd8d68 | Windows |
This strike sends a malware sample known as NetWire. NetWire is a remote access trojan that lets attackers execute commands on the infected host. | 68cd8d68115f9d46805a4aaccee773fd | https://blog.talosintelligence.com/2020/07/threat-roundup-0703-0710.html SHA256: 229d7221c71a16c1b2d8bd1f74dded37d27dec2dcc713150d7657837c6c67be0 SHA1: ddfead21af149214c0eaa128e56b0bf7aae279b7 MD5: 68cd8d68115f9d46805a4aaccee773fd |
M20-n8yw1 | WellMess_a32e1202 | Windows |
This strike sends a malware sample known as WellMess. WellMess is a lightweight malware written in either Golang or .NET. It has been seen in the wild targeting organizations involved in COVID-19 research and vaccine development. It is designed to execute arbitrary shell commands and to upload and download files. These samples are implants that allow a remote operator to establish encrypted communication with C2 servers to send and retrieve malicious scripts on an infected system. | a32e1202257a2945bf0f878c58490af8 | https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198b SHA256: a4b790ddffb3d2e6691dcacae08fb0bfa1ae56b6c73d70688b097ffa831af064 SHA1: 416df2d22338f412571cdaedb40ab33eb38977af MD5: a32e1202257a2945bf0f878c58490af8 |
M20-lmfw1 | NetWire_41f2edd9 | Windows |
This strike sends a malware sample known as NetWire. NetWire is a remote access trojan that lets attackers execute commands on the infected host. | 41f2edd93e423aa2c29c97de03e63fed | https://blog.talosintelligence.com/2020/07/threat-roundup-0703-0710.html SHA256: 523e3d1fda9eb37098ae774b20f87e5552c5f38228dcf311298caf4bc5c2d086 SHA1: 70925ffb54be19c5e82d4abceba592f5a3f91be6 MD5: 41f2edd93e423aa2c29c97de03e63fed |
M20-96d71 | DarkComet_e0034c04 | Windows |
This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system. | e0034c046f1581fb729c4ddd2a91cd5e | https://blog.talosintelligence.com/2020/06/threat-roundup-0529-0605.html SHA256: 5e59a550cc3f18a66b663286b2ad08a5612fdd34e8e1667f5229c05e3053d48d SHA1: 64058e220af6fb681b9a47519de2cf3b7ef5fd68 MD5: e0034c046f1581fb729c4ddd2a91cd5e |
M20-6u8y1 | DarkComet_a98f3960 | Windows |
This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system. | a98f3960268e9543cc989dade3f4242b | https://blog.talosintelligence.com/2020/06/threat-roundup-0529-0605.html SHA256: 833d572bc5d010513b2db0ddf8585146717626ca0b1ed31afcf2c060a85532fc SHA1: bbace94ff7787114a74cd015637dd75fa4960e1d MD5: a98f3960268e9543cc989dade3f4242b |
M20-thb61 | WellMail_8777a979 | Linux |
This strike sends a malware sample known as WellMail. This sample of malware has been seen in the wild targeting organizations involved in COVID-19 research and vaccine development. It provides encrypted channels for the attacker to communicate with C2 servers, and the ability to dynamically run scripts on the infected machines. | 8777a9796565effa01b03cf1cea9d24d | https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198c SHA256: 83014ab5b3f63b0253cdab6d715f5988ac9014570fa4ab2b267c7cf9ba237d18 SHA1: 53098b025a3f469ebc3e522f7b0999011cafb943 MD5: 8777a9796565effa01b03cf1cea9d24d |
M20-8ev91 | Emotet_12a8067a | Windows |
This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails. | 12a8067a952be3e9264d69b401b3628e | https://blog.talosintelligence.com/2020/07/threat-roundup-0703-0710.html SHA256: 1d225e3a3c3f52cadbf07a4ed069b4467c4618310d2f41678584f3704f95d19c SHA1: f442314dc8a12391233a24a6625cff6f046b9ef5 MD5: 12a8067a952be3e9264d69b401b3628e |
M20-fo301 | TinyBanker_38edfc34 | Windows |
This strike sends a malware sample known as TinyBanker. The malware TinyBanker, also known as Zusy or Tinba, is a trojan that uses a JavaScript-injected form to steal banking information. When executed, it injects itself into Windows processes like "explorer.exe" and "winver.exe". | 38edfc343314d3f858e2e02cd2144461 | https://blog.talosintelligence.com/2020/07/threat-roundup-0710-0717.html SHA256: 292daa2b85d6423471ab688bf3dcaa91661f9e930ecdf88d9ae8cefdfe8e76fb SHA1: 37e26707457e8d82fd385c9a5a0348fbd2bd7721 MD5: 38edfc343314d3f858e2e02cd2144461 |
M20-tkow1 | Emotet_ae09fcee | Windows |
This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails. | ae09fceed70fd9b510641b63be5a6502 | https://blog.talosintelligence.com/2020/07/threat-roundup-0703-0710.html SHA256: d8e201ed2ca53622f1ca4cd4b794879ab2b6dc6d52e5e4e12540da1c3d588e0c SHA1: 9a73530f8671914be4b317080e0b7b559ac267e8 MD5: ae09fceed70fd9b510641b63be5a6502 |
M20-xhwd1 | NetWire_c3925b82 | Windows |
This strike sends a malware sample known as NetWire. NetWire is a remote access trojan that lets attackers execute commands on the infected host. | c3925b82df0463c9329a0557f457540d | https://blog.talosintelligence.com/2020/07/threat-roundup-0703-0710.html SHA256: 542d5b4e9100882a16a6ce60c6ff8532b1f0a22a7bdcda84c35cd7a1b49df664 SHA1: 6b89b78ce1d4b4dfb49386425ba2dc9ccb9e5211 MD5: c3925b82df0463c9329a0557f457540d |
M20-qqc01 | WellMess_7b9a439c | Windows |
This strike sends a polymorphic malware sample known as WellMess. WellMess is a lightweight malware written in either Golang or .NET. It has been seen in the wild targeting organizations involved in COVID-19 research and vaccine development. It is designed to execute arbitrary shell commands and to upload and download files. These samples are implants that allow a remote operator to establish encrypted communication with C2 servers to send and retrieve malicious scripts on an infected system. The binary has a random section name, renamed according to the PE format specification. | 7b9a439ca58e3f76cbd60dcc60f77446 | https://arxiv.org/abs/1801.08917 SHA256: 8ec45abe4179a22a739bcd48325ac1dd148c2d8c8a501c73dc8b7d2c28cb1b77 SHA1: ab974869f02a8f3e400e24955c7375bcf154a7b2 PARENTID: M20-n8yw1 SSDEEP: 6144:Yt4156qfXqT02bFXCYv123kUo4GECAOcL6xDE4U:Ic6qkt5vdU6ECe4U MD5: 7b9a439ca58e3f76cbd60dcc60f77446 |
M20-efew1 | TinyBanker_f77992eb | Windows |
This strike sends a polymorphic malware sample known as TinyBanker. The malware TinyBanker, also known as Zusy or Tinba, is a trojan that uses a JavaScript-injected form to steal banking information. When executed, it injects itself into Windows processes like "explorer.exe" and "winver.exe". The binary has a random section name, renamed according to the PE format specification. | f77992eb5a494bdcd8dcda9bf5652937 | https://arxiv.org/abs/1801.08917 SHA256: b30fb527393d891d28ccd413e119ea309a13749c38e5b661a21c519323febd29 SHA1: 0f177e999846f3fbfaa1591c139977d78ad31816 PARENTID: M20-cbuc1 SSDEEP: 768:r/g94T0zUb/PnM3PC8Q8MVUgiCn4Pd3r9PLjpoNPydMUgtL:44QUbHM3PC8Q1Hn417sNPy+L MD5: f77992eb5a494bdcd8dcda9bf5652937 |
M20-hks71 | Emotet_7fba0b9a | Windows |
This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails. | 7fba0b9afbf7a224224b3ce6be675f0d | https://blog.talosintelligence.com/2020/07/threat-roundup-0703-0710.html SHA256: 633bed3b02759cc36b1e72c124d298607e68697a75f61f221b5b59decde14ecb SHA1: 6bb10b0e1a416ad0b66bd90ad6f3e472a10922d0 MD5: 7fba0b9afbf7a224224b3ce6be675f0d |
M20-vws91 | TinyBanker_0ed39328 | Windows |
This strike sends a malware sample known as TinyBanker. The malware TinyBanker, also known as Zusy or Tinba, is a trojan that uses a JavaScript-injected form to steal banking information. When executed, it injects itself into Windows processes like "explorer.exe" and "winver.exe". | 0ed39328beae48e12b4dc877064b30d1 | https://blog.talosintelligence.com/2020/07/threat-roundup-0710-0717.html SHA256: 8cf7d553e27a5c642812bb040f97bc92746d64b9909bddbb38916d36fbeb8c0f SHA1: 89048b155b57f9824f6e20fad4e6b2a09d851441 MD5: 0ed39328beae48e12b4dc877064b30d1 |
M20-ifi31 | DarkComet_8e003595 | Windows |
This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system. | 8e003595d3f489e4776c97c8aabfa7b9 | https://blog.talosintelligence.com/2020/06/threat-roundup-0529-0605.html SHA256: 0e473f4bdc3a37ef888a4f44616e0c09c38b8d7fcdb617736aa8f294dd99e920 SHA1: 94afe765dcabc9b2d0b5edef418d6f7caa8cc3ec MD5: 8e003595d3f489e4776c97c8aabfa7b9 |
M20-yzp81 | WastedLocker_6b20ef8f | Windows |
This strike sends a malware sample known as WastedLocker. WastedLocker is a new targeted ransomware that was created by the organization known as Evil Corp. Recently it has been seen in the wild attacking mostly US-based Fortune 500 companies. Once infected, PsExec runs the WastedLocker binary, which begins to encrypt data on the system as well as deleting shadow volumes. The encrypted files include a combination of the company's name and the string "wasted". Additionally, files with the appended string "_info" contain the ransom note left behind. | 6b20ef8fb494cc6e455220356de298d0 | https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/ SHA256: 887aac61771af200f7e58bf0d02cb96d9befa11deda4e448f0a700ccb186ce9d SHA1: 763d356d30e81d1cd15f6bc6a31f96181edb0b8f MD5: 6b20ef8fb494cc6e455220356de298d0 |
M20-c9tb1 | WastedLocker_f67ea8e4 | Windows |
This strike sends a malware sample known as WastedLocker. WastedLocker is a new targeted ransomware that was created by the organization known as Evil Corp. Recently it has been seen in the wild attacking mostly US-based Fortune 500 companies. Once a system is infected, PsExec runs the WastedLocker binary, which begins to encrypt data on the system and delete shadow volumes. The encrypted files' names include a combination of the company's name and the string "wasted". Additionally, files with the appended string "_info" contain the ransom note left behind. | f67ea8e471e827e4b7b65b65647d1d46 | https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/; SHA256: e3bf41de3a7edf556d43b6196652aa036e48a602bb3f7c98af9dae992222a8eb; SHA1: e62d3a4fe0da1b1b8e9bcff3148becd6d02bcb07; MD5: f67ea8e471e827e4b7b65b65647d1d46 |
M20-7cqt1 | Emotet_2ed2b0d2 | Windows |
This strike sends a polymorphic malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails. The binary has the timestamp field updated in the PE file header. | 2ed2b0d2f3f9662f99381c5bd18118f0 | https://attack.mitre.org/techniques/T1099/; SHA256: 16e03f284d8a56db4fa112d46edd50537e35125c91086d68362ab8892e4f5a62; SHA1: bdcb584762443fee90ce2582a03750cd9408f5fd; PARENTID: M20-75mm1; SSDEEP: 6144:QjNX3w7TC9rybQb3AnUpBlvKLB6bVlWi+e6k46qz2gFcvAtyKZDG:QRX3wK9rybO3AlLBeTWi+eO6e2zAtyKI; MD5: 2ed2b0d2f3f9662f99381c5bd18118f0 |
M20-75mm1 | Emotet_88e9eabc | Windows |
This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails. | 88e9eabc35088da3b3b31d5134dc1b49 | https://blog.talosintelligence.com/2020/07/threat-roundup-0703-0710.html; SHA256: 0622420430e3559c1a5175e77584feebbeac977922c0a5b72d52d996e8ba6707; SHA1: 03cfa8f152e83166b76db5ebafcd8211d92fe31c; MD5: 88e9eabc35088da3b3b31d5134dc1b49 |
M20-k6mq1 | Emotet_b612a63c | Windows |
This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails. | b612a63c45a0bbd1370572e19382bb18 | https://blog.talosintelligence.com/2020/07/threat-roundup-0703-0710.html; SHA256: c4339507d79d74a6260ee7769b98c58d3b5289a470bee7c5a87f96c78efc3851; SHA1: 089c8fa399a89bc7668c956f1dca854131ea2617; MD5: b612a63c45a0bbd1370572e19382bb18 |
M20-ekjm1 | TinyBanker_2b2ac146 | Windows |
This strike sends a malware sample known as TinyBanker. The malware TinyBanker, also known as Zusy or Tinba, is a trojan that uses a JavaScript-injected form to steal banking information. When executed, it injects itself into Windows processes like "explorer.exe" and "winver.exe". | 2b2ac1463040f9809c34d776e7fb5e6a | https://blog.talosintelligence.com/2020/07/threat-roundup-0710-0717.html; SHA256: b43794417fec9191f8700df446b20875bb753c9380c70e0c7c6869502fa16282; SHA1: 98e69cb347d4966573ee9b3295251f51ca3c8e37; MD5: 2b2ac1463040f9809c34d776e7fb5e6a |
M20-2wjp1 | WastedLocker_3208a14c | Windows |
This strike sends a malware sample known as WastedLocker. WastedLocker is a new targeted ransomware that was created by the organization known as Evil Corp. Recently it has been seen in the wild attacking mostly US-based Fortune 500 companies. Once a system is infected, PsExec runs the WastedLocker binary, which begins to encrypt data on the system and delete shadow volumes. The encrypted files' names include a combination of the company's name and the string "wasted". Additionally, files with the appended string "_info" contain the ransom note left behind. | 3208a14c9bad334e331febe00f1e9734 | https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/; SHA256: 85f391ecd480711401f6da2f371156f995dd5cff7580f37791e79e62b91fd9eb; SHA1: 809fbd450e1a484a5af4ec05c345b2a7072723e7; MD5: 3208a14c9bad334e331febe00f1e9734 |
M20-evht1 | TinyBanker_0c0b91df | Windows |
This strike sends a malware sample known as TinyBanker. The malware TinyBanker, also known as Zusy or Tinba, is a trojan that uses a JavaScript-injected form to steal banking information. When executed, it injects itself into Windows processes like "explorer.exe" and "winver.exe". | 0c0b91df5d347924d0efa649e9f7ca63 | https://blog.talosintelligence.com/2020/07/threat-roundup-0710-0717.html; SHA256: 15b502a449d911c76cce06cd378d291e8039619a06ace593abbdd2cebe3add27; SHA1: 23070b82c6a5fb619a3e8f38f96f4fda366ef24b; MD5: 0c0b91df5d347924d0efa649e9f7ca63 |
M20-cbuc1 | TinyBanker_13c2cce6 | Windows |
This strike sends a malware sample known as TinyBanker. The malware TinyBanker, also known as Zusy or Tinba, is a trojan that uses a JavaScript-injected form to steal banking information. When executed, it injects itself into Windows processes like "explorer.exe" and "winver.exe". | 13c2cce63f1e8ae54c4b2f15770e69f3 | https://blog.talosintelligence.com/2020/07/threat-roundup-0710-0717.html; SHA256: 141731282c5378b959ee12a97d564b58bacae43a50ffbca289a5df8ba8d0771d; SHA1: 89a90ff4f2fb186cff3d691998cd9ba461ffb05b; MD5: 13c2cce63f1e8ae54c4b2f15770e69f3 |
M20-zeeo1 | TinyBanker_40ad77d0 | Windows |
This strike sends a polymorphic malware sample known as TinyBanker. The malware TinyBanker, also known as Zusy or Tinba, is a trojan that uses a JavaScript-injected form to steal banking information. When executed, it injects itself into Windows processes like "explorer.exe" and "winver.exe". The binary has random strings (lorem ipsum) appended at the end of the file. | 40ad77d0de2dae24d1c942ba7f5e7c2e | https://attack.mitre.org/techniques/T1009/; SHA256: 4fe168b7028b1ad9985943474862f09b093915de233836d49e5a661c010af344; SHA1: a8577e727471ef1d6e239dd3c7ebc39af79f3bb6; PARENTID: M20-cbuc1; SSDEEP: 768:D/g94T0zUb/PnM3PC8Q8MVUgiCn4Pd3r9PLjpoNPydMUgtNU:w4QUbHM3PC8Q1Hn417sNPy+a; MD5: 40ad77d0de2dae24d1c942ba7f5e7c2e |
M20-6vdo1 | WellMess_a2f5614f | Windows |
This strike sends a polymorphic malware sample known as WellMess. WellMess is a lightweight malware written in either Golang or .NET. It has been seen in the wild targeting organizations involved in COVID-19 research and vaccine development. It is designed to execute arbitrary shell commands and to upload and download files. These samples are implants that allow a remote operator to establish encrypted communication with C2 servers to send and retrieve malicious scripts on an infected system. The binary has random bytes appended at the end of the file. | a2f5614fa377753a02eed40056aa2459 | https://attack.mitre.org/techniques/T1009/; SHA256: b67d856656e58e34b41086f4b0be823dd56b75af60485cc563c01b95711286be; SHA1: 143ca415e9321b8b89e162fa9f06cfd6de33ce2d; PARENTID: M20-n8yw1; SSDEEP: 6144:4t4156qfXqT02bFXCYv123kUo4GECAOcL6xDE4Ufa:oc6qkt5vdU6ECe4Ufa; MD5: a2f5614fa377753a02eed40056aa2459 |
M20-j2ia1 | NetWire_bf8079de | Windows |
This strike sends a malware sample known as NetWire. NetWire is a Remote Access Trojan that lets attackers execute commands on the infected host. | bf8079de4a89e0a0ebd154d99d05b91e | https://blog.talosintelligence.com/2020/07/threat-roundup-0703-0710.html; SHA256: 26fe99cf61903d3dd464b96e87bc8640dd1d1ba9df2c795e2f27db6dfb74522d; SHA1: da92d8768be7a4a977802495f67f96b8ee591218; MD5: bf8079de4a89e0a0ebd154d99d05b91e |
M20-0uff1 | DarkComet_848fc1fa | Windows |
This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system. | 848fc1fa772f49d8f4563f38b3f4f002 | https://blog.talosintelligence.com/2020/06/threat-roundup-0529-0605.html; SHA256: 18bc76cc05f305549fbee7757c01f897110effac971738af751815589036d5dc; SHA1: 200be1cad6d7234ce468d6743ff27c79f490ec92; MD5: 848fc1fa772f49d8f4563f38b3f4f002 |
M20-rhxa1 | Emotet_932a3448 | Windows |
This strike sends a polymorphic malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails. The binary has random contents appended in one of the existing sections in the PE file format. | 932a344809bbabf777916b63e4e4e9ca | https://arxiv.org/abs/1801.08917; SHA256: 8add6324ff072fa544e73a8a300c9d8c20b251b8af6d449f2d9e3a1c11509311; SHA1: 6a98e51d8fb40ffcf73c815d9d537294a373e1b0; PARENTID: M20-8ev91; SSDEEP: 6144:+jNX3w7TC9rybQb3AnUpBlvKLB6bVlWi+e6k46qz2g5cvAtyKZD:+RX3wK9rybO3AlLBeTWi+eO6e23AtyK; MD5: 932a344809bbabf777916b63e4e4e9ca |
M20-ekzf1 | WellMess_4d38ac33 | Linux |
This strike sends a malware sample known as WellMess. WellMess is a lightweight malware written in either Golang or .NET. It has been seen in the wild targeting organizations involved in COVID-19 research and vaccine development. It is designed to execute arbitrary shell commands and to upload and download files. These samples are implants that allow a remote operator to establish encrypted communication with C2 servers to send and retrieve malicious scripts on an infected system. | 4d38ac3319b167f6c8acb16b70297111 | https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198b; SHA256: 7c39841ba409bce4c2c35437ecf043f22910984325c70b9530edf15d826147ee; SHA1: 01a71390892fad77987aa09a630b04ff72e37d5d; MD5: 4d38ac3319b167f6c8acb16b70297111 |
M20-i73r1 | Emotet_8b14c2ff | Windows |
This strike sends a polymorphic malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails. The binary file has one more import added in the import table. | 8b14c2ffbe2dd64f0a1937148e73c836 | https://arxiv.org/abs/1702.05983; SHA256: 76accf214074a7c84309e275fa7d7fa18a22bdf6ddbcc86885e197a6bb647ff3; SHA1: f7b990444fb49812622fb675116e3a7b267a319c; PARENTID: M20-75mm1; SSDEEP: 6144:njNX3w7TC9rybQb3AnUpBlvKLB6bVlWi+e6k46qL205cvAtyKZDZ:nRX3wK9rybO3AlLBeTWi+eO6K2rAtyK; MD5: 8b14c2ffbe2dd64f0a1937148e73c836 |
M20-7x081 | NetWire_c4166c5f | Windows |
This strike sends a malware sample known as NetWire. NetWire is a Remote Access Trojan that lets attackers execute commands on the infected host. | c4166c5f4bd570cd999f41474b664e4b | https://blog.talosintelligence.com/2020/07/threat-roundup-0703-0710.html; SHA256: 44fd21ec687bfbecc1002f1a5e640f0d782b9aa9beff7e4822704fe1a09907b5; SHA1: 79090473cfdb6953da7fa188f4382e9a85ae5070; MD5: c4166c5f4bd570cd999f41474b664e4b |
M20-jv5u1 | TinyBanker_a862c24d | Windows |
This strike sends a polymorphic malware sample known as TinyBanker. The malware TinyBanker, also known as Zusy or Tinba, is a trojan that uses a JavaScript-injected form to steal banking information. When executed, it injects itself into Windows processes like "explorer.exe" and "winver.exe". The binary has random bytes appended at the end of the file. | a862c24d8824f88826ed42e5654a6088 | https://attack.mitre.org/techniques/T1009/; SHA256: 2c94212a010e8fc70c1c52fa64eded136f09964713a82ef9cf73802f5e1314d4; SHA1: 70c7e8f13e4442332029f87a422e2445e16f7234; PARENTID: M20-ou7j1; SSDEEP: 768:V/g94T0zUb/PnM3PC8Q8MVUgiCn4Pd3r9PLjpoNPydMUgtf:24QUbHM3PC8Q1Hn417sNPy+f; MD5: a862c24d8824f88826ed42e5654a6088 |
M20-o7xc1 | Emotet_f1a41902 | Windows |
This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails. | f1a419027bbe163301f856c793e8dc48 | https://blog.talosintelligence.com/2020/07/threat-roundup-0703-0710.html; SHA256: f21aaec6dab4428d5462f0a917908556054093fa9b94f386c94abc572c9d9e0e; SHA1: 1468f82412c45be51b51619d9788b2a55bfe4e4f; MD5: f1a419027bbe163301f856c793e8dc48 |
M20-vvs51 | WellMess_3a9cdd8a | Linux |
This strike sends a malware sample known as WellMess. WellMess is a lightweight malware written in either Golang or .NET. It has been seen in the wild targeting organizations involved in COVID-19 research and vaccine development. It is designed to execute arbitrary shell commands and to upload and download files. These samples are implants that allow a remote operator to establish encrypted communication with C2 servers to send and retrieve malicious scripts on an infected system. | 3a9cdd8a5cbc3ab10ad64c4bb641b41f | https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198b; SHA256: 5ca4a9f6553fea64ad2c724bf71d0fac2b372f9e7ce2200814c98aac647172fb; SHA1: e45f89c923d0361ce8f9c64a63031860a76b2d10; MD5: 3a9cdd8a5cbc3ab10ad64c4bb641b41f |
M20-3lhg1 | WellMess_2f9f4f2a | Linux |
This strike sends a malware sample known as WellMess. WellMess is a lightweight malware written in either Golang or .NET. It has been seen in the wild targeting organizations involved in COVID-19 research and vaccine development. It is designed to execute arbitrary shell commands and to upload and download files. These samples are implants that allow a remote operator to establish encrypted communication with C2 servers to send and retrieve malicious scripts on an infected system. | 2f9f4f2a9d438cdc944f79bdf44a18f8 | https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198b; SHA256: e329607379a01483fc914a47c0062d5a3a8d8d65f777fbad2c5a841a90a0af09; SHA1: 709878e13633e44b45ad1ab569ad34e3dc1efd3b; MD5: 2f9f4f2a9d438cdc944f79bdf44a18f8 |