Malware Monthly Update June - 2020

Malware Strikes

Strike ID | Malware | Platform | Info | MD5 | External References
M20-2ej01 | Cybergate_dbb05d12 | Windows | This strike sends a malware sample known as Cybergate. Cybergate, also known as Rebhip, is a Remote Access Trojan that allows attackers to fully control the target system. Functionality includes command shell interaction, screenshot capturing, audio/video capturing, keylogging, and uploading/downloading files from the target system. | dbb05d1214a55a1519b0ca816704452f | https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: 1cc729e873bc0ccc68b2cef59562a5196793c0511b05f952a096ce87c27bb02f
SHA1: 9e9ea3f6ba4ecfa74c18ecd355e83f7e98dfb835
MD5: dbb05d1214a55a1519b0ca816704452f
M20-hdw11 | Fareit_12113af5 | Windows | This strike sends a malware sample known as Fareit. Fareit steals and harvests credentials from the targeted system. This information is then exfiltrated to a C2 server. | 12113af567bb825035e81fd73ff83d0b | https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: 10d0eaec661c9ec08bc6b28810666956ac6a76b054de73c6b8de46dec6147de4
SHA1: 90732a9aac12e720eb2ca1b806398a4e0e94a794
MD5: 12113af567bb825035e81fd73ff83d0b
M20-wfai1 | Dridex_29ace502 | Windows | This strike sends a malware sample known as Dridex. Dridex is an online banking malware that steals personal information through HTML injections. It was first spotted at the end of 2014 and its developers have kept improving it periodically since then. The latest improvement is the addition of the AtomBombing technique (which does not exploit any vulnerabilities but abuses a design flaw in Windows related to system-level atom tables), which makes Dridex harder for antivirus products to detect. | 29ace5025e0662d3c30e4ca96ec38eeb | https://blog.talosintelligence.com/2020/06/threat-roundup-0529-0605.html
SHA256: fe6fad62d3e63eed458d33cfec58e20468d685bc21f69161f5f036bd5eb3c926
SHA1: c84383a51034b045093c049b6d689ec9f37d75c9
MD5: 29ace5025e0662d3c30e4ca96ec38eeb
M20-oh6y1 | Cybergate_b5e64476 | Windows | This strike sends a malware sample known as Cybergate. Cybergate, also known as Rebhip, is a Remote Access Trojan that allows attackers to fully control the target system. Functionality includes command shell interaction, screenshot capturing, audio/video capturing, keylogging, and uploading/downloading files from the target system. | b5e64476b8c7ecfa37c3ec3374934018 | https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: 3851caf965504e6d99ad2d541af43f8f4213c6ddaa460b8e7b812e2fdb299316
SHA1: e23f969c44621b3b29d18eabe323c68c873aaafb
MD5: b5e64476b8c7ecfa37c3ec3374934018
M20-09up1 | Zbot_dd17daf4 | Windows | This strike sends a malware sample known as Zbot. Zbot, also known as Zeus, is a trojan often associated with stealing banking information through keystroke logging and form grabbing techniques. | dd17daf4e28133d0fb052ba229b80342 | https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: 476ce28be8b7576a3b0576e7dd8f90f2aa1cfc59ad90adb5abf14a9d5d866b84
SHA1: 89754b05c5a57b3ac78723a5ae394476beaededd
MD5: dd17daf4e28133d0fb052ba229b80342
M20-foy31 | Dridex_56afa171 | Windows | This strike sends a malware sample known as Dridex. Dridex is an online banking malware that steals personal information through HTML injections. It was first spotted at the end of 2014 and its developers have kept improving it periodically since then. The latest improvement is the addition of the AtomBombing technique (which does not exploit any vulnerabilities but abuses a design flaw in Windows related to system-level atom tables), which makes Dridex harder for antivirus products to detect. | 56afa1715bfa03bdf47e45c9a12b9dda | https://blog.talosintelligence.com/2020/06/threat-roundup-0529-0605.html
SHA256: 15c213fa11b0440a690133df83c63e7f2729eb1b41e7143291f98a4b9d29f7a5
SHA1: 10b13d36e90c92b4ecb80c96fae504d974372fa9
MD5: 56afa1715bfa03bdf47e45c9a12b9dda
M20-zj661 | Zbot_0b8b4771 | Windows | This strike sends a malware sample known as Zbot. Zbot, also known as Zeus, is a trojan often associated with stealing banking information through keystroke logging and form grabbing techniques. | 0b8b477194321fb2547deae4afd052eb | https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: 5e15c7ef36f861bd967c4b7cf7b4476d37be287e3b1e18cc41168810b9e36f3f
SHA1: 93991b30b6587bb3ad740c3713947ba4662e8d25
MD5: 0b8b477194321fb2547deae4afd052eb
M20-dbms1 | Zbot_61bb1504 | Windows | This strike sends a malware sample known as Zbot. Zbot, also known as Zeus, is a trojan often associated with stealing banking information through keystroke logging and form grabbing techniques. | 61bb1504fe867ab02734aaaa7683343f | https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: 2240fb081176a4811088f5818d0b5d6a60a2ffd64a8202fdd46b4e05f694ac2d
SHA1: 8168c5aea69f349881944535695282e22b5b700a
MD5: 61bb1504fe867ab02734aaaa7683343f
M20-n2a51 | Dridex_b78246fa | Windows | This strike sends a malware sample known as Dridex. Dridex is an online banking malware that steals personal information through HTML injections. It was first spotted at the end of 2014 and its developers have kept improving it periodically since then. The latest improvement is the addition of the AtomBombing technique (which does not exploit any vulnerabilities but abuses a design flaw in Windows related to system-level atom tables), which makes Dridex harder for antivirus products to detect. | b78246fa73a6cc9b69cb41a2ca68fe4a | https://blog.talosintelligence.com/2020/06/threat-roundup-0529-0605.html
SHA256: 9366c5124ceb956ef97059b5b649707c0732a85e6912232294d5e3bcb078dd7f
SHA1: d9290d34eed824e23b32418276c2e900063bddd3
MD5: b78246fa73a6cc9b69cb41a2ca68fe4a
M20-7b0c1 | Ramnit_d211c6ba | Windows | This strike sends a malware sample known as Ramnit. Ramnit is a banking trojan that has been around since 2010 and has recently resumed activity. After infection, it scans files for interesting keywords, such as wallet, passwords, or the names of the targeted banks. Ramnit uses malvertising and malware-laden spam for distribution, though it has also employed popular exploit kits, such as Angler. | d211c6bae76231b80b3ad3f80edd9dd3 | https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: 6a793585958d4db348868417923c49a74d6b0e053c8a914669e980a9f06901c6
SHA1: 305ba2cdf7e78be0d63f76c31041825f5df53141
MD5: d211c6bae76231b80b3ad3f80edd9dd3
M20-0yl41 | Cybergate_8ba4005b | Windows | This strike sends a malware sample known as Cybergate. Cybergate, also known as Rebhip, is a Remote Access Trojan that allows attackers to fully control the target system. Functionality includes command shell interaction, screenshot capturing, audio/video capturing, keylogging, and uploading/downloading files from the target system. | 8ba4005b996edcb379796e9d70137847 | https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: 21d5baf434ba1e61c0d24cc2c49d91e7bae8204d4a69a614dd81193ba2901a1d
SHA1: e386e51f52711b6a96c49c260e2fb6f9976bbcdb
MD5: 8ba4005b996edcb379796e9d70137847
M20-tycd1 | Ramnit_cef48a53 | Windows | This strike sends a malware sample known as Ramnit. Ramnit is a banking trojan that has been around since 2010 and has recently resumed activity. After infection, it scans files for interesting keywords, such as wallet, passwords, or the names of the targeted banks. Ramnit uses malvertising and malware-laden spam for distribution, though it has also employed popular exploit kits, such as Angler. | cef48a53f568fb3649dfc109541a5b42 | https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: 151f0e9786d903c3831e7555a64b980ae7fb8514f58d1044017b82276aae0d08
SHA1: 30c9c0c2ddfb774f1069671821d24c953296dc51
MD5: cef48a53f568fb3649dfc109541a5b42
M20-n6pb1 | Cybergate_2c68199d | Windows | This strike sends a polymorphic malware sample known as Cybergate. Cybergate, also known as Rebhip, is a Remote Access Trojan that allows attackers to fully control the target system. Functionality includes command shell interaction, screenshot capturing, audio/video capturing, keylogging, and uploading/downloading files from the target system. The binary has the timestamp field updated in the PE file header. | 2c68199d84a6acaea4a0924e338f70c8 | https://attack.mitre.org/techniques/T1099/
SHA256: a1dd7ddecbe9de6d58fb108b837a88967becbafb152e429197e56f047a9848d1
SHA1: 4f26f1f9fe04f48f41ab74b8d3988646729b3c91
PARENTID: M20-e7ik1
SSDEEP: 12288:haH6uGURWHTrbPq6US47zWfXkkctzkbpfPFNIKDGZfM/B35aI:0HbGMKT/Pq6USazkkkkopPFNI/fI5aI
MD5: 2c68199d84a6acaea4a0924e338f70c8
M20-1mpd1 | Zbot_fa39fd7b | Windows | This strike sends a malware sample known as Zbot. Zbot, also known as Zeus, is a trojan often associated with stealing banking information through keystroke logging and form grabbing techniques. | fa39fd7b7bc3c8b3023c848ee4e6e8f0 | https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: 2760e4f5c5119988b6c83907da6a3cf60e62c2425456ebf1e06893a00c04b91b
SHA1: 0bcdffab5a6fb56b9877607a940319b597a16087
MD5: fa39fd7b7bc3c8b3023c848ee4e6e8f0
M20-cc0t1 | Zbot_63a63e4a | Windows | This strike sends a malware sample known as Zbot. Zbot, also known as Zeus, is a trojan often associated with stealing banking information through keystroke logging and form grabbing techniques. | 63a63e4afbcccea6f3d8a3adcdf012b5 | https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: 356b7cfcc87425f08c9ad492d272b5ac6e0476389193c20ebd37cf95e1215825
SHA1: 19080581f31ce285caa1df2160c16416755958a7
MD5: 63a63e4afbcccea6f3d8a3adcdf012b5
M20-lqct1 | Cybergate_3b77c273 | Windows | This strike sends a malware sample known as Cybergate. Cybergate, also known as Rebhip, is a Remote Access Trojan that allows attackers to fully control the target system. Functionality includes command shell interaction, screenshot capturing, audio/video capturing, keylogging, and uploading/downloading files from the target system. | 3b77c27302c72442400739d02483d874 | https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: 243344e8c4defcf6d918ac46233381c21f2530f162962e8bf8fb384c341035be
SHA1: 0216272dd6f1256f7fa68bef0843e2990f1cd083
MD5: 3b77c27302c72442400739d02483d874
M20-8j1p1 | Fareit_32468fea | Windows | This strike sends a malware sample known as Fareit. Fareit steals and harvests credentials from the targeted system. This information is then exfiltrated to a C2 server. | 32468feac377c04df3a3c8232b2d9a1a | https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: 0264313435657e607a5edca952c8d6c6b49a067d889ea1b47861eca0c2151bc8
SHA1: 0c29d8ab76973553995de9600263bb6196ce16c4
MD5: 32468feac377c04df3a3c8232b2d9a1a
M20-rc2c1 | Fareit_2b3e69fc | Windows | This strike sends a malware sample known as Fareit. Fareit steals and harvests credentials from the targeted system. This information is then exfiltrated to a C2 server. | 2b3e69fccb583599f5c0a11ecb336cb4 | https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: 9d5f6d8d0ed7cf4af9424f57c34d95ba7a59057cc525ac51698d81c85987855a
SHA1: 7a03cbfc9d1014f7cef67c600b6d4fb5e6a1e02c
MD5: 2b3e69fccb583599f5c0a11ecb336cb4
M20-68d21 | Cybergate_a7fcef42 | Windows | This strike sends a malware sample known as Cybergate. Cybergate, also known as Rebhip, is a Remote Access Trojan that allows attackers to fully control the target system. Functionality includes command shell interaction, screenshot capturing, audio/video capturing, keylogging, and uploading/downloading files from the target system. | a7fcef4218781bb5375871367d69a035 | https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: 2fd297ddc4fb433b09adb0894aa7752fc3433a360597e23c5025250cd062e801
SHA1: 6b4524aeea301e29fc9221814069530bde21bbf7
MD5: a7fcef4218781bb5375871367d69a035
M20-ad7l1 | Cybergate_86e26de8 | Windows | This strike sends a malware sample known as Cybergate. Cybergate, also known as Rebhip, is a Remote Access Trojan that allows attackers to fully control the target system. Functionality includes command shell interaction, screenshot capturing, audio/video capturing, keylogging, and uploading/downloading files from the target system. | 86e26de88289bf179bdc51a9df320b6d | https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: 3b2a0d95b9643dcb1dfa555d9e79fbfbc27e98667014bdd79ff5b9e5c2f72c79
SHA1: 0ae0740bc781e5644b440df514e4fd5adafbf0ca
MD5: 86e26de88289bf179bdc51a9df320b6d
M20-4g0r1 | Fareit_3e7c67b6 | Windows | This strike sends a malware sample known as Fareit. Fareit steals and harvests credentials from the targeted system. This information is then exfiltrated to a C2 server. | 3e7c67b6508b90cf7d85110d9a81e1c3 | https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: 648bbe158a7dafc05b3ac0095ca3eec926970d11054f023c1a4c700069e43883
SHA1: a3348285010f66f1e25474833b436312e5b1a5e1
MD5: 3e7c67b6508b90cf7d85110d9a81e1c3
M20-3bm51 | Zbot_b22dbff3 | Windows | This strike sends a malware sample known as Zbot. Zbot, also known as Zeus, is a trojan often associated with stealing banking information through keystroke logging and form grabbing techniques. | b22dbff35d41d361434211f4def02bba | https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: 5c0c7d1e7e52685b82c1d170368db66fbfbe06ab3e05c7a8243d9bad5500a64c
SHA1: b3187b5d331c652924769220d62bda7a85c69d9f
MD5: b22dbff35d41d361434211f4def02bba
M20-nqke1 | Fareit_4a65c9c3 | Windows | This strike sends a malware sample known as Fareit. Fareit steals and harvests credentials from the targeted system. This information is then exfiltrated to a C2 server. | 4a65c9c31cbe443d7fda091cfb29aacf | https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: 8e8933daed91bf2a385c9c49d572d9102ae959a582e3c6ea81219ef424951f58
SHA1: 24c85e09a8d8edd31c4609defe2da7341130bcab
MD5: 4a65c9c31cbe443d7fda091cfb29aacf
M20-aipe1 | Cybergate_accfb8cc | Windows | This strike sends a malware sample known as Cybergate. Cybergate, also known as Rebhip, is a Remote Access Trojan that allows attackers to fully control the target system. Functionality includes command shell interaction, screenshot capturing, audio/video capturing, keylogging, and uploading/downloading files from the target system. | accfb8cc51a3e7447436e9f4d5f6584d | https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: 01b133f5e10b71f33f117a59e78836294341f26318747f5a504aa2bf2af7869c
SHA1: 31480c9ec31d176a4e7e2c3b00dbc02a862b453a
MD5: accfb8cc51a3e7447436e9f4d5f6584d
M20-m58m1 | Zbot_2d0f9799 | Windows | This strike sends a malware sample known as Zbot. Zbot, also known as Zeus, is a trojan often associated with stealing banking information through keystroke logging and form grabbing techniques. | 2d0f9799daa391a41d43691582ff510a | https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: 0649a007c9e7e7abc08fcfa53cfbc0a11c3119792b04d2ff6a47f8f53cdc5514
SHA1: e721b10afe61e65d2d3340741381b7c6789f5ad1
MD5: 2d0f9799daa391a41d43691582ff510a
M20-b6mw1 | Zbot_668a40a5 | Windows | This strike sends a malware sample known as Zbot. Zbot, also known as Zeus, is a trojan often associated with stealing banking information through keystroke logging and form grabbing techniques. | 668a40a5c4156c6b784cd7abce595134 | https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: 0b9297a648aba6ee27b8a96cc95974be328547141e1b5a3e13e544f71bc045e0
SHA1: 94954457060a1a6c9936f16b77113257451e5b17
MD5: 668a40a5c4156c6b784cd7abce595134
M20-wdo31 | Dridex_9659c150 | Windows | This strike sends a malware sample known as Dridex. Dridex is an online banking malware that steals personal information through HTML injections. It was first spotted at the end of 2014 and its developers have kept improving it periodically since then. The latest improvement is the addition of the AtomBombing technique (which does not exploit any vulnerabilities but abuses a design flaw in Windows related to system-level atom tables), which makes Dridex harder for antivirus products to detect. | 9659c150b6e6dbb515fb5a7fe2fd38a5 | https://blog.talosintelligence.com/2020/06/threat-roundup-0529-0605.html
SHA256: 846c29654222d6d540794abb5adff6da8aee5ecbc0f40ec9aec75610ff75f9d2
SHA1: 5f4004a4ea9f3401350efa8483b4a27fc89ed498
MD5: 9659c150b6e6dbb515fb5a7fe2fd38a5
M20-wyrp1 | Fareit_cf67ef85 | Windows | This strike sends a malware sample known as Fareit. Fareit steals and harvests credentials from the targeted system. This information is then exfiltrated to a C2 server. | cf67ef8577d94f3dde6bb03a178d77a2 | https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: 4fe440cf3713df731f2e7eb210eb70575978821b2862dc7161107d8de197824f
SHA1: f7b5ca9bef871300c43fd559533a26000933d408
MD5: cf67ef8577d94f3dde6bb03a178d77a2
M20-kybi1 | Ramnit_5c2f6dd1 | Windows | This strike sends a malware sample known as Ramnit. Ramnit is a banking trojan that has been around since 2010 and has recently resumed activity. After infection, it scans files for interesting keywords, such as wallet, passwords, or the names of the targeted banks. Ramnit uses malvertising and malware-laden spam for distribution, though it has also employed popular exploit kits, such as Angler. | 5c2f6dd17f36c78511975c9bc90bac40 | https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: ab71e50d7620b1a0563f8a088d7bbc7c8bbe110ec067dc872ffabce155ba6060
SHA1: ad437bb752e1eb9039535065e9d70408b49ef0f9
MD5: 5c2f6dd17f36c78511975c9bc90bac40
M20-ea6i1 | Fareit_fed439b3 | Windows | This strike sends a malware sample known as Fareit. Fareit steals and harvests credentials from the targeted system. This information is then exfiltrated to a C2 server. | fed439b3cf045e7d40cb6bb3c2631c2e | https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: d90afab18a64702ce68aae194c7e73833ab8329e8e9f89013b0195b13123b2ec
SHA1: cdbc70b72e3efd0871977d7b3ebc098de4fcb6cd
MD5: fed439b3cf045e7d40cb6bb3c2631c2e
M20-zyb41 | Zbot_096e0eba | Windows | This strike sends a polymorphic malware sample known as Zbot. Zbot, also known as Zeus, is a trojan often associated with stealing banking information through keystroke logging and form grabbing techniques. The binary has random strings (lorem ipsum) appended at the end of the file. | 096e0eba8eb233f6bf5fbee0fb6cb093 | https://attack.mitre.org/techniques/T1009/
SHA256: 7fa7687c7509f526a9f4e96c3ed852ca4462097e5007c6515cf733b5f4eb814d
SHA1: 91c83f81dc16fae89aa424dfca901de2ca38c8a8
PARENTID: M20-qrni1
SSDEEP: 6144:5/IZqkiisqNuNWyD+lLo9lvh1GhI30EfNqyF:IqJXqNuNLDyLo9lvhI40S9F
MD5: 096e0eba8eb233f6bf5fbee0fb6cb093
M20-8buv1 | Cybergate_b450cc20 | Windows | This strike sends a malware sample known as Cybergate. Cybergate, also known as Rebhip, is a Remote Access Trojan that allows attackers to fully control the target system. Functionality includes command shell interaction, screenshot capturing, audio/video capturing, keylogging, and uploading/downloading files from the target system. | b450cc209f0e230ff9549c962dd6163a | https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: 06dd14844f1219660dd4f18b30ff70289ece23be61938842299cbb0bdfe2cba6
SHA1: 72d522c9f2baa9c94ffb28e7a21311927668160e
MD5: b450cc209f0e230ff9549c962dd6163a
M20-jztn1 | Cybergate_0c689268 | Windows | This strike sends a malware sample known as Cybergate. Cybergate, also known as Rebhip, is a Remote Access Trojan that allows attackers to fully control the target system. Functionality includes command shell interaction, screenshot capturing, audio/video capturing, keylogging, and uploading/downloading files from the target system. | 0c6892685ec8b806453a9ceb44335705 | https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: 029d9e96045543dde92fcfc3e0850a1056bfe04f583d9d83c3f187d5db2d30a6
SHA1: c6b162774887cac646050e2ebf21913a92378eaf
MD5: 0c6892685ec8b806453a9ceb44335705
M20-pz4p1 | Ramnit_db4b4a6e | Windows | This strike sends a malware sample known as Ramnit. Ramnit is a banking trojan that has been around since 2010 and has recently resumed activity. After infection, it scans files for interesting keywords, such as wallet, passwords, or the names of the targeted banks. Ramnit uses malvertising and malware-laden spam for distribution, though it has also employed popular exploit kits, such as Angler. | db4b4a6e729d1214ad33688f4167fffc | https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: e1b4dc1a419e73795e791969e0a11770e52adb5ed58414b51ba9e16e46ce906b
SHA1: ca05c6f232f14433bb2a9dc63ef4b49d4cdbb2ec
MD5: db4b4a6e729d1214ad33688f4167fffc
M20-wtwy1 | Ramnit_f8ce6bd4 | Windows | This strike sends a malware sample known as Ramnit. Ramnit is a banking trojan that has been around since 2010 and has recently resumed activity. After infection, it scans files for interesting keywords, such as wallet, passwords, or the names of the targeted banks. Ramnit uses malvertising and malware-laden spam for distribution, though it has also employed popular exploit kits, such as Angler. | f8ce6bd44f51a7d11538d2d7c504ea68 | https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: 7a77148fafd2bb5a47ccb12d800e9d9e190554c5cb774e62dd519d19639723b4
SHA1: bf8bbef654f89d7c2dddcc3bd0ce7c78a450cab6
MD5: f8ce6bd44f51a7d11538d2d7c504ea68
M20-e7ik1 | Cybergate_e30e91e2 | Windows | This strike sends a malware sample known as Cybergate. Cybergate, also known as Rebhip, is a Remote Access Trojan that allows attackers to fully control the target system. Functionality includes command shell interaction, screenshot capturing, audio/video capturing, keylogging, and uploading/downloading files from the target system. | e30e91e26dd5899759a809ffb26a390a | https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: 1e7963141202ea5535603b0239828a6e77613948e8e73b56f48a8d9e958c5744
SHA1: c3975ce610e8fd82efe4e6042749bf05667dda01
MD5: e30e91e26dd5899759a809ffb26a390a
M20-h4io1 | Fareit_5c696072 | Windows | This strike sends a malware sample known as Fareit. Fareit steals and harvests credentials from the targeted system. This information is then exfiltrated to a C2 server. | 5c6960726c52dbd3ef4b88cdc8a5df79 | https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: 1312c2175d4037228e113c1cdb3893484396a4d5c399052543bcd3546908f342
SHA1: 8aa2e11f51e44b81fc9b0946374b83bc4c0cbfb8
MD5: 5c6960726c52dbd3ef4b88cdc8a5df79
M20-6y4i1 | Cybergate_9ad9aa84 | Windows | This strike sends a malware sample known as Cybergate. Cybergate, also known as Rebhip, is a Remote Access Trojan that allows attackers to fully control the target system. Functionality includes command shell interaction, screenshot capturing, audio/video capturing, keylogging, and uploading/downloading files from the target system. | 9ad9aa8439043c07a84c18e7e0724c15 | https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: 4876314e5d223a296b8aa95fb5eb97859da5bcbf78da9e78674b28f4536cd591
SHA1: 333067aeca3842e1ae73b30c2f4799eb2dde68fb
MD5: 9ad9aa8439043c07a84c18e7e0724c15
M20-0nxd1 | Fareit_86a16f76 | Windows | This strike sends a malware sample known as Fareit. Fareit steals and harvests credentials from the targeted system. This information is then exfiltrated to a C2 server. | 86a16f76020ed00029eed02a69156dd5 | https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: 78f418bcdd925f56eabedaae6e092d993a245fde048606a680539cff6bcc54c1
SHA1: f5f32175eaad230c51e2992fc825a4b30be7e118
MD5: 86a16f76020ed00029eed02a69156dd5
M20-canz1 | Ramnit_59c999db | Windows | This strike sends a malware sample known as Ramnit. Ramnit is a banking trojan that has been around since 2010 and has recently resumed activity. After infection, it scans files for interesting keywords, such as wallet, passwords, or the names of the targeted banks. Ramnit uses malvertising and malware-laden spam for distribution, though it has also employed popular exploit kits, such as Angler. | 59c999dba2f22a75f73ce59cb9ce4b25 | https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: cf42f89f988611c1beb42230e001c0eb871322950ca10cd50fb1796cdf95920a
SHA1: a206ccabfa93a0568c6188783adbbb171379ae96
MD5: 59c999dba2f22a75f73ce59cb9ce4b25
M20-1ewp1 | Fareit_5aec2111 | Windows | This strike sends a malware sample known as Fareit. Fareit steals and harvests credentials from the targeted system. This information is then exfiltrated to a C2 server. | 5aec2111cc64271fe58feb1a07ac20f5 | https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: 99b6a34cb8ad06ca530f7bde87b957c97c1526bb70f0540eba8da58a77b7f319
SHA1: 234c976c6aae3915dde5e9396738c875dbaae498
MD5: 5aec2111cc64271fe58feb1a07ac20f5
M20-gl0s1 | Dridex_d27a1214 | Windows | This strike sends a malware sample known as Dridex. Dridex is an online banking malware that steals personal information through HTML injections. It was first spotted at the end of 2014 and its developers have kept improving it periodically since then. The latest improvement is the addition of the AtomBombing technique (which does not exploit any vulnerabilities but abuses a design flaw in Windows related to system-level atom tables), which makes Dridex harder for antivirus products to detect. | d27a12141e0cf90f3db2b32d4f1832b4 | https://blog.talosintelligence.com/2020/06/threat-roundup-0529-0605.html
SHA256: 031f4d2eb9e330adfbe2767c568c49a45f8feada9d466b2f09f5cfa6c321760a
SHA1: 7c34ab0c972128294d751e93d76190fa901bf4da
MD5: d27a12141e0cf90f3db2b32d4f1832b4
M20-pt8o1 | Dridex_b10d2503 | Windows | This strike sends a malware sample known as Dridex. Dridex is an online banking malware that steals personal information through HTML injections. It was first spotted at the end of 2014 and its developers have kept improving it periodically since then. The latest improvement is the addition of the AtomBombing technique (which does not exploit any vulnerabilities but abuses a design flaw in Windows related to system-level atom tables), which makes Dridex harder for antivirus products to detect. | b10d25034bb65fd14e70c3238a44412e | https://blog.talosintelligence.com/2020/06/threat-roundup-0529-0605.html
SHA256: d5f3c9eab2e825b6e670dd529d1bb2212baf54437bd56915ecd6932b1745328a
SHA1: 0b8cfefb16cf5eb0ce8cb6a2ba7572c2e7c73f91
MD5: b10d25034bb65fd14e70c3238a44412e
M20-u5x11 | Zbot_a498a3da | Windows | This strike sends a malware sample known as Zbot. Zbot, also known as Zeus, is a trojan often associated with stealing banking information through keystroke logging and form grabbing techniques. | a498a3dad481b39e4197428e2fb80100 | https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: 0e475d4c0f6ff5e453668f962c6a7d78d218582a46d3d2f7ab36b221face4631
SHA1: 81f3701d0627176edbf308ade9433cfabc1cc47b
MD5: a498a3dad481b39e4197428e2fb80100
M20-7jo71 | Zbot_cf2941da | Windows | This strike sends a malware sample known as Zbot. Zbot, also known as Zeus, is a trojan often associated with stealing banking information through keystroke logging and form grabbing techniques. | cf2941da39524cfcbee3398736ad6e13 | https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: 67187b9ebc578ae12c06cddff756160d741eafd53440efd6756c646e4d9e7594
SHA1: 9870afda75d0e59b720e2e11c46f28fa622f4962
MD5: cf2941da39524cfcbee3398736ad6e13
M20-gxuw1 | Ramnit_f3f4c192 | Windows | This strike sends a malware sample known as Ramnit. Ramnit is a banking trojan that has been around since 2010 and has recently resumed activity. After infection, it scans files for interesting keywords, such as wallet, passwords, or the names of the targeted banks. Ramnit uses malvertising and malware-laden spam for distribution, though it has also employed popular exploit kits, such as Angler. | f3f4c192482a755b8e4592e8577a3d29 | https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: 9e8e5e20c1ac022c559a68d8ed67a7879ad68a917d4f97459bff72840bdba457
SHA1: d6ccf3e395f6a9687aefefe2920ad75df58c5019
MD5: f3f4c192482a755b8e4592e8577a3d29
M20-no5b1 | Cybergate_bd8ea22b | Windows | This strike sends a malware sample known as Cybergate. Cybergate, also known as Rebhip, is a Remote Access Trojan that allows attackers to fully control the target system. Functionality includes command shell interaction, screenshot capturing, audio/video capturing, keylogging, and uploading/downloading files from the target system. | bd8ea22bf277db93ce8113c27b217ab3 | https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: 4dcb2bd6dc558fb9290f40656e630190658787f29455d5c73d459f0dee312c15
SHA1: e2ec17612da8210c4bdd16b01bc09d511908522f
MD5: bd8ea22bf277db93ce8113c27b217ab3
M20-wah41 | Zbot_f34d5023 | Windows | This strike sends a malware sample known as Zbot. Zbot, also known as Zeus, is a trojan often associated with stealing banking information through keystroke logging and form grabbing techniques. | f34d50230ee7e2db4899a6a88d40dc6a | https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: 498438a69aa744934cd33f6219709b3fb1531e3e89e95cef805f494ba8be938b
SHA1: 24775b083870bd350025ae9d20b977e0afeab155
MD5: f34d50230ee7e2db4899a6a88d40dc6a
M20-yztx1 | Fareit_bf975fa9 | Windows | This strike sends a malware sample known as Fareit. Fareit steals and harvests credentials from the targeted system. This information is then exfiltrated to a C2 server. | bf975fa90aa5cfa21b9f13e83138a605 | https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: bdf44a59073f52b5b4bada6afbeccd9410ce8ca0a46441149b66d4b97b305572
SHA1: 0f7abd44fce1da85112d9aaec189496eaa21651c
MD5: bf975fa90aa5cfa21b9f13e83138a605
M20-60d01 | Ramnit_d0f5c342 | Windows | This strike sends a malware sample known as Ramnit. Ramnit is a banking trojan that has been around since 2010 and has recently resumed activity. After infection, it scans files for interesting keywords, such as wallet, passwords, or the names of the targeted banks. Ramnit uses malvertising and malware-laden spam for distribution, though it has also employed popular exploit kits, such as Angler. | d0f5c342434f34b55eabccc6564a378b | https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: 7dec40a48b029de50868b1a85573fd1d566084d0ee4935acfb30887e30d1de06
SHA1: ce6049fb88ae1c6c2fd4a3c490d678360aaf04fd
MD5: d0f5c342434f34b55eabccc6564a378b
M20-x9nv1 | Ramnit_f0f74c6f | Windows | This strike sends a malware sample known as Ramnit. Ramnit is a banking trojan that has been around since 2010 and has recently resumed activity. After infection, it scans files for interesting keywords, such as wallet, passwords, or the names of the targeted banks. Ramnit uses malvertising and malware-laden spam for distribution, though it has also employed popular exploit kits, such as Angler. | f0f74c6f873a9c19994af1c8b9af9775 | https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: 11f697b19a583973236c5deacfc31dd9ff441045d495a68857373b14e95f449e
SHA1: 478037ddbcaf904c6dc77146014cc8cd5c29eebd
MD5: f0f74c6f873a9c19994af1c8b9af9775
M20-28yf1 | Ramnit_d831b191 | Windows | This strike sends a polymorphic malware sample known as Ramnit. Ramnit is a banking trojan that has been around since 2010 and has recently resumed activity. After infection, it scans files for interesting keywords, such as wallet, passwords, or the names of the targeted banks. Ramnit uses malvertising and malware-laden spam for distribution, though it has also employed popular exploit kits, such as Angler. The binary has been packed using the UPX packer with the default options. | d831b1911812a9093cf646871b9e5130 | https://attack.mitre.org/techniques/T1045/
SHA256: 3d96c032b11bef9a4e67536d129f06f7b3063fb005cde1a425280641c1b04602
SHA1: 59ab94ae07b7671eed559e8670efe03ed490edc3
PARENTID: M20-668s1
SSDEEP: 1536:GlfMUc1eJMiSosL8/Zu+2fH/bRFz64KqPikiucOw4ZOryejmqn3BjtQM:GfQj4AhXm4KqPiY44ZgjT3Jz
MD5: d831b1911812a9093cf646871b9e5130
M20-tp6r1 | Fareit_cf2e03ec | Windows | This strike sends a polymorphic malware sample known as Fareit. Fareit steals and harvests credentials from the targeted system. This information is then exfiltrated to a C2 server. The binary has random bytes appended at the end of the file. | cf2e03ec985d204a054788269665cfe0 | https://attack.mitre.org/techniques/T1009/
SHA256: 1058a78aa8a27121459344f6c9fc70a6946af062abad30ba06f9a3a2b3a03a36
SHA1: abcc5eae47bd9bbc19b527d2c10acccf63e875bb
PARENTID: M20-yztx1
SSDEEP: 3072:YyqX75fvyv3gYq7fhvFGErUVAMhqalOR/aukQ:f45fvigYqbhBrUVThqaqau5
MD5: cf2e03ec985d204a054788269665cfe0
M20-x9901 | Fareit_64c39dd5 | Windows | This strike sends a malware sample known as Fareit. Fareit steals and harvests credentials from the targeted system. This information is then exfiltrated to a C2 server. | 64c39dd59e30e965b6650bc5cb517675 | https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: 9b54a9a9fde24c8634c47c950dcb7218d4e1ae1d7c4771f4abd3b92a12e9c686
SHA1: 93a02c721463fc26015d469a4f465b7ece2cb9d1
MD5: 64c39dd59e30e965b6650bc5cb517675
Strike ID: M20-7uax1 | Malware: Dridex_224eac52 | Platform: Windows | Info: This strike sends a malware sample known as Dridex. Dridex is online banking malware that steals personal information through HTML injection. It was first spotted at the end of 2014 and its developers have kept improving it periodically since then. The latest improvement is the addition of the AtomBombing technique (which exploits no vulnerability but abuses a design flaw in Windows system-level atom tables), making Dridex harder for antivirus products to detect. | MD5: 224eac52bf474257192ab18869dd7aab | External References: https://blog.talosintelligence.com/2020/06/threat-roundup-0529-0605.html
SHA256: a098e6f2a14908c4220bcc59c872d331841b3d7beaaea945717439be15778a23
SHA1: 8b32bc110b4e0a113b6a78877a9d5dfd770168cd
MD5: 224eac52bf474257192ab18869dd7aab
Strike ID: M20-pnek1 | Malware: Zbot_f9317eab | Platform: Windows | Info: This strike sends a malware sample known as Zbot. Zbot, also known as Zeus, is a trojan often associated with stealing banking information through keystroke logging and form grabbing. | MD5: f9317eab06ef5c50754003c89b7f311d | External References: https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: 058051ccc05ed076f17535e744f385290eda9c2e0912ed7c460e5b571b3e26dc
SHA1: 269cca202ce7af7875e7fe9802a6a37854a209f9
MD5: f9317eab06ef5c50754003c89b7f311d
Strike ID: M20-3y2b1 | Malware: Ramnit_6d9e71cf | Platform: Windows | Info: This strike sends a malware sample known as Ramnit. Ramnit is a banking trojan that has been active since 2010 and has recently resumed activity. After infection, it scans files for keywords of interest, such as wallet, passwords, or the names of the targeted banks. Ramnit is distributed through malvertising and malware-laden spam, and has also been delivered by popular exploit kits such as Angler. | MD5: 6d9e71cf42d1e2afc45b2f0c3d4cd599 | External References: https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: 75d9881c6670d6e23fc962532a6c4ae2d23f816f59f88d93131d81400dcea15b
SHA1: 9e88ef8ecb97fb2ef7ad74d73c647e15ebb9b5bf
MD5: 6d9e71cf42d1e2afc45b2f0c3d4cd599
Strike ID: M20-ovf71 | Malware: Fareit_cbecde1e | Platform: Windows | Info: This strike sends a malware sample known as Fareit. Fareit steals and harvests credentials from the targeted system and exfiltrates them to a C2 server. | MD5: cbecde1ed1427e330fb19878a13c064c | External References: https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: b02eaf95b97c81f56eaddded473b0c66668ff4f55bb84c929c28af1b502b3b7d
SHA1: f91c19abe19bfd4b1709e0441bb4f7d2288fdbd0
MD5: cbecde1ed1427e330fb19878a13c064c
Strike ID: M20-h66j1 | Malware: Ramnit_3388c00a | Platform: Windows | Info: This strike sends a malware sample known as Ramnit. Ramnit is a banking trojan that has been active since 2010 and has recently resumed activity. After infection, it scans files for keywords of interest, such as wallet, passwords, or the names of the targeted banks. Ramnit is distributed through malvertising and malware-laden spam, and has also been delivered by popular exploit kits such as Angler. | MD5: 3388c00abcea3960d9bd561627508021 | External References: https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: 7fe04f0111eebfeb1d602a42d78c80a48c2d4e9f139a1b432822ce2e549eb2ba
SHA1: 41cba0d3b58bcd8de65e8476311a934301f7c6b2
MD5: 3388c00abcea3960d9bd561627508021
Strike ID: M20-u2u11 | Malware: Cybergate_7c80cf1f | Platform: Windows | Info: This strike sends a malware sample known as Cybergate. Cybergate, also known as Rebhip, is a Remote Access Trojan that gives attackers full control of the target system. Its functionality includes command shell interaction, screenshot capture, audio/video capture, keylogging, and uploading/downloading files to and from the target system. | MD5: 7c80cf1f754e32d3ca703e59cb8c8aa5 | External References: https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: 36806975e01188ab35484d5b3e119fa74fc8feebf99d400ed5fa9ac9fbf250f6
SHA1: 046d75ad03662cd3fe9780f3bf324b17849f3c9d
MD5: 7c80cf1f754e32d3ca703e59cb8c8aa5
Strike ID: M20-wer81 | Malware: Fareit_6ba7111f | Platform: Windows | Info: This strike sends a malware sample known as Fareit. Fareit steals and harvests credentials from the targeted system and exfiltrates them to a C2 server. | MD5: 6ba7111f3090b7449e50a10829b42ce6 | External References: https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: 887cbd08236e1dcdc582789a9fd1122cfe3a2729010a79efd9b48e50d0a290d5
SHA1: 387df9942e31049f1ea9448aa14fcadc11f145b3
MD5: 6ba7111f3090b7449e50a10829b42ce6
Strike ID: M20-ze9b1 | Malware: Cybergate_0285f99b | Platform: Windows | Info: This strike sends a malware sample known as Cybergate. Cybergate, also known as Rebhip, is a Remote Access Trojan that gives attackers full control of the target system. Its functionality includes command shell interaction, screenshot capture, audio/video capture, keylogging, and uploading/downloading files to and from the target system. | MD5: 0285f99b75d249de405ee6c97da381b8 | External References: https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: 497cebdc6a2b1b3a3948f94871de8ef1c2ac64e14a4d35c73e136b1f9ed12405
SHA1: c78a87c7e7ba0c73a8129112ee4332caf8fb5bd5
MD5: 0285f99b75d249de405ee6c97da381b8
Strike ID: M20-jhtf1 | Malware: Dridex_26459aa8 | Platform: Windows | Info: This strike sends a malware sample known as Dridex. Dridex is online banking malware that steals personal information through HTML injection. It was first spotted at the end of 2014 and its developers have kept improving it periodically since then. The latest improvement is the addition of the AtomBombing technique (which exploits no vulnerability but abuses a design flaw in Windows system-level atom tables), making Dridex harder for antivirus products to detect. | MD5: 26459aa8286195619b2345fe66cce7db | External References: https://blog.talosintelligence.com/2020/06/threat-roundup-0529-0605.html
SHA256: 6dde7661cbe3990f93ec05bfbd95f587bc857d576e79144f8c65cf9a36ae6c0c
SHA1: 356c9cb6e9ba8d64c0c9810d1e50b0418e12f6b3
MD5: 26459aa8286195619b2345fe66cce7db
Strike ID: M20-3sz41 | Malware: Dridex_98f3f103 | Platform: Windows | Info: This strike sends a malware sample known as Dridex. Dridex is online banking malware that steals personal information through HTML injection. It was first spotted at the end of 2014 and its developers have kept improving it periodically since then. The latest improvement is the addition of the AtomBombing technique (which exploits no vulnerability but abuses a design flaw in Windows system-level atom tables), making Dridex harder for antivirus products to detect. | MD5: 98f3f1033cf5e4381f0052d5fd9df795 | External References: https://blog.talosintelligence.com/2020/06/threat-roundup-0529-0605.html
SHA256: 5978e277d535ae6803d988ec03a5bb068a9930f4daf85ab966ac92278f59dabc
SHA1: 13082431a67f99bbb9cba24cb1eb46e84943ab37
MD5: 98f3f1033cf5e4381f0052d5fd9df795
Strike ID: M20-p3dp1 | Malware: Cybergate_33c634ed | Platform: Windows | Info: This strike sends a malware sample known as Cybergate. Cybergate, also known as Rebhip, is a Remote Access Trojan that gives attackers full control of the target system. Its functionality includes command shell interaction, screenshot capture, audio/video capture, keylogging, and uploading/downloading files to and from the target system. | MD5: 33c634ed9e170734fef2d6344e25519c | External References: https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: 1fc80523bb4a2290e683303ddad3f413079a320c0f23e055531b6ea543dcfc9c
SHA1: d24e73de61e7e480563b04f87362fa5222612ff5
MD5: 33c634ed9e170734fef2d6344e25519c
Strike ID: M20-noos1 | Malware: Dridex_42af089a | Platform: Windows | Info: This strike sends a malware sample known as Dridex. Dridex is online banking malware that steals personal information through HTML injection. It was first spotted at the end of 2014 and its developers have kept improving it periodically since then. The latest improvement is the addition of the AtomBombing technique (which exploits no vulnerability but abuses a design flaw in Windows system-level atom tables), making Dridex harder for antivirus products to detect. | MD5: 42af089ac1e30ee892aab97a952bbeb4 | External References: https://blog.talosintelligence.com/2020/06/threat-roundup-0529-0605.html
SHA256: 24770b17a0dff8ff2f9f2e593b7268a7626908c4753fa2dcae27535dc58442c3
SHA1: 5d2be766137505a3c545e1d9f51b4a95e717bae4
MD5: 42af089ac1e30ee892aab97a952bbeb4
Strike ID: M20-5i5u1 | Malware: Zbot_8d845fad | Platform: Windows | Info: This strike sends a malware sample known as Zbot. Zbot, also known as Zeus, is a trojan often associated with stealing banking information through keystroke logging and form grabbing. | MD5: 8d845fade3fee728e50265a0c9ef7b2d | External References: https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: 4de13fa0580a6f7f315652cfe448493336db4cbcbcc31fa15caf5016ce11aa72
SHA1: 825ae2fd158e6feec06d7f09a031ce30c9a21e6d
MD5: 8d845fade3fee728e50265a0c9ef7b2d
Strike ID: M20-g0kb1 | Malware: Fareit_8303126e | Platform: Windows | Info: This strike sends a malware sample known as Fareit. Fareit steals and harvests credentials from the targeted system and exfiltrates them to a C2 server. | MD5: 8303126e1baff7096a62462273a43b7c | External References: https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: 1f22e636178472cd432cf834efadd3f231d868030c640d45bc7b319095f280f9
SHA1: c476963e37e0c05a4b31801ca82787dcad7ba8e4
MD5: 8303126e1baff7096a62462273a43b7c
Strike ID: M20-za8o1 | Malware: Zbot_b02da2d3 | Platform: Windows | Info: This strike sends a malware sample known as Zbot. Zbot, also known as Zeus, is a trojan often associated with stealing banking information through keystroke logging and form grabbing. | MD5: b02da2d36283a5588c57da2f0753812a | External References: https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: 29561a21de4d716de129ff67f4504feee5232e932dc7925d8acf2fd6220b7ba6
SHA1: 43fac469a5f19ca8b5c472714d636acfefdb78f0
MD5: b02da2d36283a5588c57da2f0753812a
Strike ID: M20-bgrl1 | Malware: Zbot_108af110 | Platform: Windows | Info: This strike sends a polymorphic malware sample known as Zbot. Zbot, also known as Zeus, is a trojan often associated with stealing banking information through keystroke logging and form grabbing. One section of the binary has been renamed with a random name that conforms to the PE format specification. | MD5: 108af11013d29a29c7f8e374032b5ead | External References: https://arxiv.org/abs/1801.08917
SHA256: 7a3fcddf51d036f5747cd050d6d93465f18558b45fb94908cc3c13f070bde408
SHA1: 73df8df6593ec5d07a0843272de4ac6f83c74f09
PARENTID: M20-qrni1
SSDEEP: 6144:O/IZqkiisqNuNWyD+lLo9lvh1GhI30EfNqy0:RqJXqNuNLDyLo9lvhI40S90
MD5: 108af11013d29a29c7f8e374032b5ead
Strike ID: M20-668s1 | Malware: Ramnit_f0a3e4ec | Platform: Windows | Info: This strike sends a malware sample known as Ramnit. Ramnit is a banking trojan that has been active since 2010 and has recently resumed activity. After infection, it scans files for keywords of interest, such as wallet, passwords, or the names of the targeted banks. Ramnit is distributed through malvertising and malware-laden spam, and has also been delivered by popular exploit kits such as Angler. | MD5: f0a3e4eca113df7d09bbff6c3678ff27 | External References: https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: d1cabff331de0b05c7ca7deae3f63eb272dfdd9e1a343c87c7f197eec40b218d
SHA1: 913f7be2e737da1c2e6afdb239e2cc28808b1058
MD5: f0a3e4eca113df7d09bbff6c3678ff27
Strike ID: M20-xadb1 | Malware: Fareit_e4a83956 | Platform: Windows | Info: This strike sends a malware sample known as Fareit. Fareit steals and harvests credentials from the targeted system and exfiltrates them to a C2 server. | MD5: e4a8395660df09d4e5855fe98d4e10e5 | External References: https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: 073eca66e8a691e4feb067ea9be6be2f860a37a16c0e4e2d82cbe0d9d6bcf626
SHA1: d2e5e9f9ee8b0d8d91304551cc547017769bf64c
MD5: e4a8395660df09d4e5855fe98d4e10e5
Strike ID: M20-ypf51 | Malware: Dridex_bb919215 | Platform: Windows | Info: This strike sends a polymorphic malware sample known as Dridex. Dridex is online banking malware that steals personal information through HTML injection. It was first spotted at the end of 2014 and its developers have kept improving it periodically since then. The latest improvement is the addition of the AtomBombing technique (which exploits no vulnerability but abuses a design flaw in Windows system-level atom tables), making Dridex harder for antivirus products to detect. The binary has random bytes appended at the end of the file. | MD5: bb919215a7a8d6b9dd58fe14ddbd2914 | External References: https://attack.mitre.org/techniques/T1009/
SHA256: 5ccebf9594479c285fe17ed737654992981e74f54cc2105c4cbcc593d9c0692e
SHA1: bcd7696f083166022174882dd917665f5c4f9a29
PARENTID: M20-noos1
SSDEEP: 12288:7vT0ZFbuLSXE3SokMYdwfpM7S4hfs3TJRdQZ:WFCLSXNbMYyRMko
MD5: bb919215a7a8d6b9dd58fe14ddbd2914
Strike ID: M20-oexa1 | Malware: Ramnit_aab389b4 | Platform: Windows | Info: This strike sends a malware sample known as Ramnit. Ramnit is a banking trojan that has been active since 2010 and has recently resumed activity. After infection, it scans files for keywords of interest, such as wallet, passwords, or the names of the targeted banks. Ramnit is distributed through malvertising and malware-laden spam, and has also been delivered by popular exploit kits such as Angler. | MD5: aab389b44733084ec9ab58b7f7f13a04 | External References: https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: 21925ad39855bfa10ffc15fb35dcbfaf652ceb2b72d247b3d04e17a370bb5124
SHA1: 25b317a85530aa31dc4cf8f328bd49758021f883
MD5: aab389b44733084ec9ab58b7f7f13a04
Strike ID: M20-c9sp1 | Malware: Dridex_2794388c | Platform: Windows | Info: This strike sends a malware sample known as Dridex. Dridex is online banking malware that steals personal information through HTML injection. It was first spotted at the end of 2014 and its developers have kept improving it periodically since then. The latest improvement is the addition of the AtomBombing technique (which exploits no vulnerability but abuses a design flaw in Windows system-level atom tables), making Dridex harder for antivirus products to detect. | MD5: 2794388cf801e19b2e67e1e05565962b | External References: https://blog.talosintelligence.com/2020/06/threat-roundup-0529-0605.html
SHA256: 43704d85c99c81841be1ecef92ad63d70050dda717ae6e176b62fa3133c52de2
SHA1: bf0e3772ec9f91b139eed6f71a8d88ecbfdf8006
MD5: 2794388cf801e19b2e67e1e05565962b
Strike ID: M20-sarj1 | Malware: Ramnit_6a9c5dea | Platform: Windows | Info: This strike sends a malware sample known as Ramnit. Ramnit is a banking trojan that has been active since 2010 and has recently resumed activity. After infection, it scans files for keywords of interest, such as wallet, passwords, or the names of the targeted banks. Ramnit is distributed through malvertising and malware-laden spam, and has also been delivered by popular exploit kits such as Angler. | MD5: 6a9c5dea5eed27a993cd13041c567fe2 | External References: https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: b3636289fe8f2f0879c295edc278595c6b881a594c247504fa3f83ff8bbf6592
SHA1: e01dc036b738181582a558c8727838c9db6c4a2d
MD5: 6a9c5dea5eed27a993cd13041c567fe2
Strike ID: M20-9grz1 | Malware: Cybergate_67129895 | Platform: Windows | Info: This strike sends a malware sample known as Cybergate. Cybergate, also known as Rebhip, is a Remote Access Trojan that gives attackers full control of the target system. Its functionality includes command shell interaction, screenshot capture, audio/video capture, keylogging, and uploading/downloading files to and from the target system. | MD5: 671298951b1620412c95092891cf9f1e | External References: https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: 612f9221336c5c7673f1fa6ae3e720d154089cb01a5c15265645bb89cc2b038a
SHA1: 7d8d4de499ef0c13deee151fc97c18777cfb229a
MD5: 671298951b1620412c95092891cf9f1e
Strike ID: M20-od361 | Malware: Ramnit_091e4a66 | Platform: Windows | Info: This strike sends a malware sample known as Ramnit. Ramnit is a banking trojan that has been active since 2010 and has recently resumed activity. After infection, it scans files for keywords of interest, such as wallet, passwords, or the names of the targeted banks. Ramnit is distributed through malvertising and malware-laden spam, and has also been delivered by popular exploit kits such as Angler. | MD5: 091e4a6652bc3b65c5b03c36253a917f | External References: https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: c59dcd9cbd7ed3580a1172d749b6b9559b9cc68cd254741efba5b89ac4943db7
SHA1: 94dc381f6df4cd0861543fc12342fdd8d5f0c260
MD5: 091e4a6652bc3b65c5b03c36253a917f
Strike ID: M20-gci31 | Malware: Zbot_c6a0593a | Platform: Windows | Info: This strike sends a malware sample known as Zbot. Zbot, also known as Zeus, is a trojan often associated with stealing banking information through keystroke logging and form grabbing. | MD5: c6a0593a78d89a28044fc87f0986539a | External References: https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: 07905ece0c4747aad1bf4b7f11693e319140a4e55f1b40308209f4ccf3c16dfb
SHA1: 0dda24d77d4e7055f0065289104cce047f3c4050
MD5: c6a0593a78d89a28044fc87f0986539a
Strike ID: M20-jfox1 | Malware: Cybergate_74c167be | Platform: Windows | Info: This strike sends a malware sample known as Cybergate. Cybergate, also known as Rebhip, is a Remote Access Trojan that gives attackers full control of the target system. Its functionality includes command shell interaction, screenshot capture, audio/video capture, keylogging, and uploading/downloading files to and from the target system. | MD5: 74c167be7228f444eee933d7fca4001c | External References: https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: 5b3adb4375bd0075be28205ca71ddbf4276b83bbca9b66cdb9ee82bed8682891
SHA1: eaf5f5f28b9da7bc8c1523e03a0ddedec3a06f25
MD5: 74c167be7228f444eee933d7fca4001c
Strike ID: M20-ew4h1 | Malware: Dridex_f528adce | Platform: Windows | Info: This strike sends a malware sample known as Dridex. Dridex is online banking malware that steals personal information through HTML injection. It was first spotted at the end of 2014 and its developers have kept improving it periodically since then. The latest improvement is the addition of the AtomBombing technique (which exploits no vulnerability but abuses a design flaw in Windows system-level atom tables), making Dridex harder for antivirus products to detect. | MD5: f528adce9b5cc0d37984d27682080241 | External References: https://blog.talosintelligence.com/2020/06/threat-roundup-0529-0605.html
SHA256: 9f0ab6f0b08a40138b4de3be8cd9c40333c4a5e30f476e632bfd715c20e7e1ba
SHA1: 13fcbae9a26eecd20676d45fba349d6281450e35
MD5: f528adce9b5cc0d37984d27682080241
Strike ID: M20-00pn1 | Malware: Cybergate_192d1422 | Platform: Windows | Info: This strike sends a malware sample known as Cybergate. Cybergate, also known as Rebhip, is a Remote Access Trojan that gives attackers full control of the target system. Its functionality includes command shell interaction, screenshot capture, audio/video capture, keylogging, and uploading/downloading files to and from the target system. | MD5: 192d142254d76a2b78d11c0be27d9998 | External References: https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: 6b53e1a9fb4188b1440725ffa1f282fdf9676942729324a33870461c1cfa1915
SHA1: 4465a0be53715f42007a51a6c46d78c868b9a237
MD5: 192d142254d76a2b78d11c0be27d9998
Strike ID: M20-5i131 | Malware: Fareit_5566bf3c | Platform: Windows | Info: This strike sends a malware sample known as Fareit. Fareit steals and harvests credentials from the targeted system and exfiltrates them to a C2 server. | MD5: 5566bf3c6508e9b23603ba5442a8102e | External References: https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: 2a4dab5fa66737060a150cdab44506efcd2c33651cbe10a383d5a19e41e0ceb2
SHA1: cc11fc9c842ad9458702c66ade9f75c78800c0a1
MD5: 5566bf3c6508e9b23603ba5442a8102e
Strike ID: M20-uxkw1 | Malware: Cybergate_2131e30b | Platform: Windows | Info: This strike sends a polymorphic malware sample known as Cybergate. Cybergate, also known as Rebhip, is a Remote Access Trojan that gives attackers full control of the target system. Its functionality includes command shell interaction, screenshot capture, audio/video capture, keylogging, and uploading/downloading files to and from the target system. Random content has been appended to one of the existing sections of the PE file. | MD5: 2131e30be3c45b6605db9341528f6d20 | External References: https://arxiv.org/abs/1801.08917
SHA256: 3b9660a4e1e9f2e6f9cd991a2550559a21e1598ecb2280d9474d904cd18130b7
SHA1: 6603276352dcec90b2b4cf30fd2a46f8a56bc96c
PARENTID: M20-lqct1
SSDEEP: 12288:KaH6uGURWHTrbPq6US47zWfXkkctzkbpfPFNIKDGZfM/B35aQ:5HbGMKT/Pq6USazkkkkopPFNI/fI5aQ
MD5: 2131e30be3c45b6605db9341528f6d20
Strike ID: M20-aw8m1 | Malware: Zbot_51f30b00 | Platform: Windows | Info: This strike sends a malware sample known as Zbot. Zbot, also known as Zeus, is a trojan often associated with stealing banking information through keystroke logging and form grabbing. | MD5: 51f30b009f64c9f8a6f9dba91ab58676 | External References: https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: 01f24045d18c966d195d0934ac6bc801652a5908a9ef50124c0557f6d03d42c3
SHA1: eadacf5cc009dd7a682e9a0feb55e91a8bdd3d81
MD5: 51f30b009f64c9f8a6f9dba91ab58676
Strike ID: M20-lyjh1 | Malware: Ramnit_e06e8adc | Platform: Windows | Info: This strike sends a malware sample known as Ramnit. Ramnit is a banking trojan that has been active since 2010 and has recently resumed activity. After infection, it scans files for keywords of interest, such as wallet, passwords, or the names of the targeted banks. Ramnit is distributed through malvertising and malware-laden spam, and has also been delivered by popular exploit kits such as Angler. | MD5: e06e8adcd544f9cec8abb63e0ff34544 | External References: https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: 84ec757a84f0b5da11955b24486d1be60e7c6eeb2f5b8b4de656a2e498e9184b
SHA1: 061bd0536a38f253c3a46a640d80ba64ad9a9d57
MD5: e06e8adcd544f9cec8abb63e0ff34544
Strike ID: M20-g3mn1 | Malware: Fareit_142e6397 | Platform: Windows | Info: This strike sends a malware sample known as Fareit. Fareit steals and harvests credentials from the targeted system and exfiltrates them to a C2 server. | MD5: 142e6397c9f16295e4075416f3bb8c93 | External References: https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: 1f1dccb65ab0390f7c11c5d022b19d2a082b7602f09273a7022a9cfaadf703f4
SHA1: d4e789b4a827364b460d3909b74d8b12cec1179d
MD5: 142e6397c9f16295e4075416f3bb8c93
Strike ID: M20-846e1 | Malware: Cybergate_d92780ef | Platform: Windows | Info: This strike sends a malware sample known as Cybergate. Cybergate, also known as Rebhip, is a Remote Access Trojan that gives attackers full control of the target system. Its functionality includes command shell interaction, screenshot capture, audio/video capture, keylogging, and uploading/downloading files to and from the target system. | MD5: d92780efdd7560ff9ab6fc4eaa7b12cd | External References: https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: 1a6c0121d371ad7225ec0fd2c524979e30a57b3eef24676781cf631d704f0ec4
SHA1: e49dacf721f2c3b7db6312eaecdb4586fe799855
MD5: d92780efdd7560ff9ab6fc4eaa7b12cd
Strike ID: M20-e0an1 | Malware: Dridex_0638b38c | Platform: Windows | Info: This strike sends a polymorphic malware sample known as Dridex. Dridex is online banking malware that steals personal information through HTML injection. It was first spotted at the end of 2014 and its developers have kept improving it periodically since then. The latest improvement is the addition of the AtomBombing technique (which exploits no vulnerability but abuses a design flaw in Windows system-level atom tables), making Dridex harder for antivirus products to detect. The binary has random strings (lorem ipsum) appended at the end of the file. | MD5: 0638b38ce1a6c57e05724a06af1d7fbe | External References: https://attack.mitre.org/techniques/T1009/
SHA256: 66cb646f096d32ec982762055397f999b615949529e3ffbbade0f94778764767
SHA1: 2a00153bc737272d72d20643b28e6ebe4defe255
PARENTID: M20-n2a51
SSDEEP: 12288:7vT0kFbuLSXE3SokMYdwfpM7S4hfs3TJRdH:rFCLSXNbMYyRMkx
MD5: 0638b38ce1a6c57e05724a06af1d7fbe
Strike ID: M20-zbur1 | Malware: Ramnit_5beccf1a | Platform: Windows | Info: This strike sends a malware sample known as Ramnit. Ramnit is a banking trojan that has been active since 2010 and has recently resumed activity. After infection, it scans files for keywords of interest, such as wallet, passwords, or the names of the targeted banks. Ramnit is distributed through malvertising and malware-laden spam, and has also been delivered by popular exploit kits such as Angler. | MD5: 5beccf1ad7af841b8a677c0de6a1a6fa | External References: https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: 2e95a39f9ecc3f8c22b7fe785393eccc37326ccb84f984eaca9f06c51120ab1d
SHA1: ab933176b3066273e776c44d59bd46df095a8e4d
MD5: 5beccf1ad7af841b8a677c0de6a1a6fa
Strike ID: M20-jtet1 | Malware: Dridex_a95370f4 | Platform: Windows | Info: This strike sends a malware sample known as Dridex. Dridex is online banking malware that steals personal information through HTML injection. It was first spotted at the end of 2014 and its developers have kept improving it periodically since then. The latest improvement is the addition of the AtomBombing technique (which exploits no vulnerability but abuses a design flaw in Windows system-level atom tables), making Dridex harder for antivirus products to detect. | MD5: a95370f484d8b485e874d860ee6b0e4e | External References: https://blog.talosintelligence.com/2020/06/threat-roundup-0529-0605.html
SHA256: f9db0f7f33191a91a6a4acc1593d696b62c2a6c927c1144937e58793e2249f78
SHA1: 2d01191bc8d7c9d0e9d44acac5d65baa86a9eb9e
MD5: a95370f484d8b485e874d860ee6b0e4e
Strike ID: M20-mnok1 | Malware: Zbot_aa126de1 | Platform: Windows | Info: This strike sends a malware sample known as Zbot. Zbot, also known as Zeus, is a trojan often associated with stealing banking information through keystroke logging and form grabbing. | MD5: aa126de1618733ecf610e28d875b9c29 | External References: https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: 2e8882116694efbb6b57355f7f3e6b79b77cfbae42b5204b3d3172497f7e327d
SHA1: 81ba23af6ab955ccb583f4deadd56ff0cb9c6e49
MD5: aa126de1618733ecf610e28d875b9c29
Strike ID: M20-qrni1 | Malware: Zbot_2be7af03 | Platform: Windows | Info: This strike sends a malware sample known as Zbot. Zbot, also known as Zeus, is a trojan often associated with stealing banking information through keystroke logging and form grabbing. | MD5: 2be7af03eae4214b068bd65ae62f8e70 | External References: https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: 29114a3a6b05e119245d93373f8776a086a9018016238a3300ed93700d7f2f32
SHA1: fa8c2f9fc61a8f6752d0cf5cd4cfc6c443d86648
MD5: 2be7af03eae4214b068bd65ae62f8e70
Strike ID: M20-kxgs1 | Malware: Dridex_ea6c06f1 | Platform: Windows | Info: This strike sends a polymorphic malware sample known as Dridex. Dridex is online banking malware that steals personal information through HTML injection. It was first spotted at the end of 2014 and its developers have kept improving it periodically since then. The latest improvement is the addition of the AtomBombing technique (which exploits no vulnerability but abuses a design flaw in Windows system-level atom tables), making Dridex harder for antivirus products to detect. The checksum field in the binary's PE header has been removed. | MD5: ea6c06f15c61e2bed4d1aa3fee5c5914 | External References: https://arxiv.org/abs/1801.08917
SHA256: d8b27b6d492af215ed496e54d71447fad2d03017d3d81b8a21115e2bac61336e
SHA1: 85a5cbeaab2d0ae5f74fbd64f3d1bb9268c02284
PARENTID: M20-n2a51
SSDEEP: 12288:7vT0kFbuLSXE3SokMYdwfpM7S4hfs3TJRd:rFCLSXNbMYyRMk
MD5: ea6c06f15c61e2bed4d1aa3fee5c5914
Strike ID: M20-zrhw1 | Malware: Fareit_a02acdb9 | Platform: Windows | Info: This strike sends a malware sample known as Fareit. Fareit steals and harvests credentials from the targeted system and exfiltrates them to a C2 server. | MD5: a02acdb96532b76691d5b1aafd9d2164 | External References: https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: 3fd16c2e53560649e0b1c79be0e86403887d50588700e66bac1dabbb2b99b753
SHA1: 7373ebe1342d377ff23f034d40ca9aca56239372
MD5: a02acdb96532b76691d5b1aafd9d2164
Strike ID: M20-64im1 | Malware: Fareit_a87ec883 | Platform: Windows | Info: This strike sends a malware sample known as Fareit. Fareit steals and harvests credentials from the targeted system and exfiltrates them to a C2 server. | MD5: a87ec883548bd0e72239fe2953ffec20 | External References: https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: 8096baab22457c9fc3087dd93e90a0f4db9be9ecebead32f0f33c965e4b153dc
SHA1: 1f84aca57eacfee5667a22b9eacbe982cb5e3a39
MD5: a87ec883548bd0e72239fe2953ffec20
Strike ID: M20-jdau1 | Malware: Ramnit_d9ab842c | Platform: Windows | Info: This strike sends a malware sample known as Ramnit. Ramnit is a banking trojan that has been active since 2010 and has recently resumed activity. After infection, it scans files for keywords of interest, such as wallet, passwords, or the names of the targeted banks. Ramnit is distributed through malvertising and malware-laden spam, and has also been delivered by popular exploit kits such as Angler. | MD5: d9ab842ce16ca8f14fae8f075d8bdb1f | External References: https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: c052401b1d61a37fad733e4e178ac084ae44067c7e88ef834d35a09c70ca39e4
SHA1: ac86b0a61de7ca956a2f744248bd462ffc45c668
MD5: d9ab842ce16ca8f14fae8f075d8bdb1f
Strike ID: M20-nafe1 | Malware: Ramnit_698ce9c2 | Platform: Windows | Info: This strike sends a malware sample known as Ramnit. Ramnit is a banking trojan that has been active since 2010 and has recently resumed activity. After infection, it scans files for keywords of interest, such as wallet, passwords, or the names of the targeted banks. Ramnit is distributed through malvertising and malware-laden spam, and has also been delivered by popular exploit kits such as Angler. | MD5: 698ce9c280a4f25f37d443b056ec3f97 | External References: https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: a8ccbc5df926b0a2afdeab0344b55c93b5469237350634a4f8b170d3cc40e44e
SHA1: 3cf455039f1621c7b0c9f2dbd24555406e37c034
MD5: 698ce9c280a4f25f37d443b056ec3f97
Strike ID: M20-keng1 | Malware: Zbot_cf646bf9 | Platform: Windows | Info: This strike sends a malware sample known as Zbot. Zbot, also known as Zeus, is a trojan often associated with stealing banking information through keystroke logging and form grabbing. | MD5: cf646bf9541e8f6a394a6dbbfb10e3aa | External References: https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: 4ea79444f67c2c5ef753e785887a9181ae17eb984c7f37a3113cad6a2b2e6ccd
SHA1: 0864a1c222eaf8487ac9b2d2ee5237a4c3941ea8
MD5: cf646bf9541e8f6a394a6dbbfb10e3aa
Strike ID: M20-jeyj1 | Malware: Dridex_179b0e16 | Platform: Windows | Info: This strike sends a polymorphic malware sample known as Dridex. Dridex is online banking malware that steals personal information through HTML injection. It was first spotted at the end of 2014 and its developers have kept improving it periodically since then. The latest improvement is the addition of the AtomBombing technique (which exploits no vulnerability but abuses a design flaw in Windows system-level atom tables), making Dridex harder for antivirus products to detect. One additional import has been added to the binary's import table. | MD5: 179b0e16cc2dab63398de7b890da23f9 | External References: https://arxiv.org/abs/1702.05983
SHA256: 7e80399a12479a3f12db97ad30dd2f8c0bd8edb8405061ad38a36496c5df3601
SHA1: e2bd57e065a8522acc8c7381c0dc9b2c5f8619ea
PARENTID: M20-noos1
SSDEEP: 12288:uvT0ZFbuLSXE3SokMYdwfpM7S4hfs3TJRd:5FCLSXNbMYyRMk
MD5: 179b0e16cc2dab63398de7b890da23f9
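The polymorphic entries in this list derive each child from a parent sample by one file-level mutation: UPX packing, random bytes or lorem-ipsum strings appended to the file, a renamed section, content appended to an existing section, a cleared PE checksum, or an added import. Every one of them changes the MD5/SHA1/SHA256 while leaving the section contents (and so the SSDEEP) largely intact, which is the point of publishing them as detection tests. (The T1009 and T1045 links cited on those rows are the pre-2020 ATT&CK IDs; binary padding and software packing now sit under T1027.001 and T1027.002.) As an added example, not code from the page or from the vendor that produced the list, the Python below constructs a minimal PE32 in memory (a test subject, not a real sample), applies simplified versions of three of the mutations, and shows what a static scanner can still see: an overlay past the last section, a section name outside the usual set, and a checksum that is zero or no longer matches the file. UPX and the import-table mutation are not generated here; UPX is only recognised by its section names. The checksum routine follows the imagehlp algorithm; the section lists are heuristics of my own.

```python
"""Static checks for the file-level mutations listed above, on a constructed PE32."""
import hashlib
import os
import struct

FILE_ALIGN = 0x200
KNOWN_SECTIONS = {b".text", b".data", b".rdata", b".idata", b".edata", b".rsrc",
                  b".reloc", b".bss", b".tls", b".pdata", b".CRT"}      # heuristic list
PACKER_SECTIONS = {b"UPX0", b"UPX1", b"UPX2"}                          # heuristic list


def _pe_offset(data: bytes) -> int:
    return struct.unpack_from("<I", data, 0x3C)[0]                      # e_lfanew


def checksum_offset(data: bytes) -> int:
    return _pe_offset(data) + 4 + 20 + 64   # PE sig + COFF header + CheckSum at opt-hdr offset 64


def pe_checksum(data: bytes, skip: int) -> int:
    """imagehlp-style checksum: dword sum with end-around carry folded to 16 bits,
    the CheckSum field itself skipped, plus the file length."""
    padded = data + b"\x00" * (-len(data) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off == skip:
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total = (total + (total >> 16)) & 0xFFFF
    return (total + len(data)) & 0xFFFFFFFF


def set_checksum(data: bytes, value: int) -> bytes:
    off = checksum_offset(data)
    return data[:off] + struct.pack("<I", value) + data[off + 4:]


def sections(data: bytes):
    """Yield (name, PointerToRawData, SizeOfRawData) for every section header."""
    pe = _pe_offset(data)
    count = struct.unpack_from("<H", data, pe + 6)[0]
    base = pe + 4 + 20 + struct.unpack_from("<H", data, pe + 20)[0]    # after optional header
    for i in range(count):
        name, _, _, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, base + 40 * i)
        yield name.rstrip(b"\x00"), raw_ptr, raw_size


def build_pe(code: bytes = b"\x31\xc0\xc3") -> bytes:
    """Constructed single-section PE32 (xor eax,eax; ret) with a valid checksum."""
    raw_size = -(-len(code) // FILE_ALIGN) * FILE_ALIGN
    dos = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)
    opt = struct.pack("<HBBIIIIII", 0x10B, 14, 0, raw_size, 0, 0, 0x1000, 0x1000, 0x2000)
    opt += struct.pack("<IIIHHHHHHIIII", 0x400000, 0x1000, FILE_ALIGN,
                       4, 0, 0, 0, 4, 0, 0, 0x2000, FILE_ALIGN, 0)     # CheckSum set below
    opt += struct.pack("<HHIIIIII", 2, 0, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt += b"\x00" * (16 * 8)                                           # empty data directories
    sect = struct.pack("<8sIIIIIIHHI", b".text", len(code), 0x1000, raw_size, FILE_ALIGN,
                       0, 0, 0, 0, 0x60000020)
    headers = dos + b"PE\x00\x00" + coff + opt + sect
    image = headers.ljust(FILE_ALIGN, b"\x00") + code.ljust(raw_size, b"\x00")
    return set_checksum(image, pe_checksum(image, checksum_offset(image)))


# Simplified versions of three mutations named in the list.
def append_overlay(data: bytes, n: int = 64) -> bytes:
    return data + os.urandom(n)                       # "random bytes appended at the end"


def rename_section(data: bytes, index: int, name: bytes) -> bytes:
    pe = _pe_offset(data)
    off = pe + 4 + 20 + struct.unpack_from("<H", data, pe + 20)[0] + 40 * index
    return data[:off] + name.ljust(8, b"\x00")[:8] + data[off + 8:]


def clear_checksum(data: bytes) -> bytes:
    return set_checksum(data, 0)                      # "checksum removed"


def inspect(data: bytes) -> list:
    """Findings in a fixed order: overlay, section names, checksum state."""
    findings = []
    secs = list(sections(data))
    end_of_sections = max(ptr + size for _, ptr, size in secs)
    if len(data) > end_of_sections:
        findings.append(f"overlay:{len(data) - end_of_sections}")
    for name, _, _ in secs:
        if name in PACKER_SECTIONS:
            findings.append(f"packer-section:{name.decode()}")
        elif name not in KNOWN_SECTIONS:
            findings.append(f"unusual-section:{name.decode(errors='replace')}")
    stored = struct.unpack_from("<I", data, checksum_offset(data))[0]
    if stored == 0:
        findings.append("checksum:absent")
    elif stored != pe_checksum(data, checksum_offset(data)):
        findings.append("checksum:mismatch")
    return findings


def section_hashes(data: bytes) -> dict:
    """SHA-256 of each section's raw bytes; unchanged by the mutations above."""
    return {name: hashlib.sha256(data[ptr:ptr + size]).hexdigest()
            for name, ptr, size in sections(data)}


def file_sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


if __name__ == "__main__":
    parent = build_pe()
    for label, child in [("parent", parent), ("overlay", append_overlay(parent)),
                         ("renamed", rename_section(parent, 0, b".qzxw")),
                         ("no-checksum", clear_checksum(parent))]:
        sect_hash = next(iter(section_hashes(child).values()))
        print(f"{label:12} file={file_sha256(child)[:16]}.. section={sect_hash[:16]}.. {inspect(child)}")
```

Two caveats a practitioner should keep in mind: padding or renaming also invalidates the stored checksum unless the mutation tool recomputes it, so "checksum:mismatch" will usually accompany the other findings; and a zero checksum on its own is weak evidence, since many legitimately built executables never set the field.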
Strike ID: M20-yft61 | Malware: Fareit_1d226204 | Platform: Windows | Info: This strike sends a malware sample known as Fareit. Fareit steals and harvests credentials from the targeted system and exfiltrates them to a C2 server. | MD5: 1d226204037b664cc2130ce6aab28830 | External References: https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: 2cf78102a3bc75a331abf49f6b46fa27546b0a33f4e937e05fed54d53499073c
SHA1: 84d7b1748d4b293d6bbdf9d03d79ed5f1130097d
MD5: 1d226204037b664cc2130ce6aab28830
Strike ID: M20-5imw1 | Malware: Ramnit_8f11eb4c | Platform: Windows | Info: This strike sends a malware sample known as Ramnit. Ramnit is a banking trojan that has been active since 2010 and has recently resumed activity. After infection, it scans files for keywords of interest, such as wallet, passwords, or the names of the targeted banks. Ramnit is distributed through malvertising and malware-laden spam, and has also been delivered by popular exploit kits such as Angler. | MD5: 8f11eb4c5d64f69d1eadabec2d9238d0 | External References: https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: 75350b7659af658758e04bf2d15172e405e8cc2158dfda64bcd6a513aeee9269
SHA1: 26d1a1461ec328888e75c12a01e28a91f9438b40
MD5: 8f11eb4c5d64f69d1eadabec2d9238d0
Strike ID: M20-3zrs1 | Malware: Fareit_ab194d87 | Platform: Windows | Info: This strike sends a malware sample known as Fareit. Fareit steals and harvests credentials from the targeted system and exfiltrates them to a C2 server. | MD5: ab194d8704ff74eb3b6a7e3a72861ab1 | External References: https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: 3a3502534442c75174835e423e8571477269145b153c77b492156a06e9c47f05
SHA1: 404f354b11f5482c50d325b869e79ea19285e527
MD5: ab194d8704ff74eb3b6a7e3a72861ab1
Strike ID: M20-lxtx1 | Malware: Dridex_03970801 | Platform: Windows | Info: This strike sends a malware sample known as Dridex. Dridex is online banking malware that steals personal information through HTML injection. It was first spotted at the end of 2014 and its developers have kept improving it periodically since then. The latest improvement is the addition of the AtomBombing technique (which exploits no vulnerability but abuses a design flaw in Windows system-level atom tables), making Dridex harder for antivirus products to detect. | MD5: 039708012057689e82f5e51fcb1f7ea8 | External References: https://blog.talosintelligence.com/2020/06/threat-roundup-0529-0605.html
SHA256: d63b9fcd6e2a3da9965cd991c2280c0297f0ddf9b38000eda95181e4f02736f7
SHA1: c63a876ffdde033ec6e1b374e8bc8121c6c9b29a
MD5: 039708012057689e82f5e51fcb1f7ea8
Strike ID: M20-gun81 | Malware: Fareit_9e4c920b | Platform: Windows | Info: This strike sends a malware sample known as Fareit. Fareit steals and harvests credentials from the targeted system and exfiltrates them to a C2 server. | MD5: 9e4c920b2480b5383e3ecf70d8f44ca5 | External References: https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: 1f816d531d333287dfd5728657cbb223f891addd28e628fb1cd9bfcfb3216825
SHA1: 72e55ba6323b6757d1db8287cda36e5c593d1eac
MD5: 9e4c920b2480b5383e3ecf70d8f44ca5
Strike ID: M20-nurb1
Malware: Cybergate_6135e514
Platform: Windows
Info: This strike sends a malware sample known as Cybergate. Cybergate, also known as Rebhip, is a Remote Access Trojan that allows attackers to fully control the target system. Functionality includes command shell interaction, screenshot capturing, audio/video capturing, keylogging, as well as uploading/downloading files from the target system.
External References: https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: 11cd8e3e83744af76e4e3906f7f06a549fe7e49a6ec61a14678f25d7d01509be
SHA1: b7b615cfa3cf28726c14ff1f21ad0f1a74dab923
MD5: 6135e51450700ceda22f9b729975d521
Strike ID: M20-bq071
Malware: Fareit_d59b4589
Platform: Windows
Info: This strike sends a malware sample known as Fareit. Fareit steals and harvests credentials from the targeted system. This information is then exfiltrated to a C2 server.
External References: https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: b8dd63abc6d1dee062cf5f5b68e8e91f748e29c354e19b66d119e04849f51083
SHA1: 3d402c2a72268973b9bb5fc399a773a2672fe107
MD5: d59b4589b612901efb782f8043871bb6
Strike ID: M20-pg911
Malware: Cybergate_d2378c47
Platform: Windows
Info: This strike sends a malware sample known as Cybergate. Cybergate, also known as Rebhip, is a Remote Access Trojan that allows attackers to fully control the target system. Functionality includes command shell interaction, screenshot capturing, audio/video capturing, keylogging, as well as uploading/downloading files from the target system.
External References: https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: 6d0ce22174d45918ad313403aaeba8d38bbe59df1af2c09d8abb00d549251458
SHA1: 26e87f6e1ad2fd3142b270332fe3ea8fa2e76b07
MD5: d2378c479458df3f17211d4c272f2d94
Strike ID: M20-ge1m1
Malware: Cybergate_6fcde4d9
Platform: Windows
Info: This strike sends a malware sample known as Cybergate. Cybergate, also known as Rebhip, is a Remote Access Trojan that allows attackers to fully control the target system. Functionality includes command shell interaction, screenshot capturing, audio/video capturing, keylogging, as well as uploading/downloading files from the target system.
External References: https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: 5a18e22eefd2d2492491d9001ea3d258f56cb8735576b021bc1e5bc2e6a0f3da
SHA1: 866bb7f3a21dec50c98eb9129f618ea5eb3e1013
MD5: 6fcde4d947efe58c76af4e816cac33bb
Strike ID: M20-ljgk1
Malware: Zbot_edafffe2
Platform: Windows
Info: This strike sends a malware sample known as Zbot. Zbot, also known as Zeus, is a trojan often associated with stealing banking information through keystroke logging and form grabbing.
External References: https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: 115dd57d8c7887820eba732e628879f34693791da1cc8f4b270ef954e8a56b2b
SHA1: 3164612cd3595b8cdc376fed133d4fd2f51c1989
MD5: edafffe2b082e31de90dd3fb83a220fc
Strike ID: M20-2rt71
Malware: Cybergate_9ffdc603
Platform: Windows
Info: This strike sends a malware sample known as Cybergate. Cybergate, also known as Rebhip, is a Remote Access Trojan that allows attackers to fully control the target system. Functionality includes command shell interaction, screenshot capturing, audio/video capturing, keylogging, as well as uploading/downloading files from the target system.
External References: https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: 64fa90ed57415dc00be6733a81c531f028324e897bc17e8b4de16f8085c4a113
SHA1: 2c279820e064d767a4a46bb3a4b8e705affbc7ed
MD5: 9ffdc6033e95cecd90f932c06a46d77e
Strike ID: M20-mt621
Malware: Ramnit_4df42fba
Platform: Windows
Info: This strike sends a malware sample known as Ramnit. Ramnit is a banking trojan that has been active since 2010 and has recently resumed activity. After infection, it scans files for keywords of interest, such as wallet, passwords, or the names of the targeted banks. Ramnit uses malvertising and malware-laden spam for distribution, though it has also employed popular exploit kits such as Angler.
External References: https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: a9ea99bbe80da5f7c8bd97eadc8630831812480afdf2827d57a6620589f67ce1
SHA1: 83f12d8fade8c6f3a572800188290e7db9305682
MD5: 4df42fba00af749db9a9be1e9d13ba5f
Strike ID: M20-ahea1
Malware: Ramnit_0de235f0
Platform: Windows
Info: This strike sends a malware sample known as Ramnit. Ramnit is a banking trojan that has been active since 2010 and has recently resumed activity. After infection, it scans files for keywords of interest, such as wallet, passwords, or the names of the targeted banks. Ramnit uses malvertising and malware-laden spam for distribution, though it has also employed popular exploit kits such as Angler.
External References: https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: 6c3e1a2ae98ec30890ef5a8640f0130fa0ead136852ed5a9fe452f6ac3c01dba
SHA1: 1a1c46edae72fe36efc05e0507e5d3647c3ea0f2
MD5: 0de235f06a9908d37b440a714bc83e4d
Strike ID: M20-33zo1
Malware: Fareit_dbd0c574
Platform: Windows
Info: This strike sends a polymorphic malware sample known as Fareit. Fareit steals and harvests credentials from the targeted system. This information is then exfiltrated to a C2 server. The binary has the timestamp field updated in the PE file header.
External References: https://attack.mitre.org/techniques/T1099/
SHA256: a3215c5eb44752feceeb3e301a7184c59508554dd34def23da1b4d5d414c7308
SHA1: d884b62adb2dbc736f18041d41b06949a195aa6b
PARENTID: M20-yztx1
SSDEEP: 3072:8yqX75fvyv3gYq7fhvFGErUVAMhqalOR/aukG:L45fvigYqbhBrUVThqaqauj
MD5: dbd0c5748695321c966793651fc92702
Strike ID: M20-gtjj1
Malware: Fareit_a2cbaa32
Platform: Windows
Info: This strike sends a malware sample known as Fareit. Fareit steals and harvests credentials from the targeted system. This information is then exfiltrated to a C2 server.
External References: https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: 6e51b6e88a1962263b754210c4eaf76a422575d1b9c8495fa2885f3ccd164a7c
SHA1: 66793e8c57d6bf787b986ba98cab3787778d9263
MD5: a2cbaa320fce0eaf8618816f522b0988
Strike ID: M20-fugs1
Malware: Ramnit_e15c3c1d
Platform: Windows
Info: This strike sends a malware sample known as Ramnit. Ramnit is a banking trojan that has been active since 2010 and has recently resumed activity. After infection, it scans files for keywords of interest, such as wallet, passwords, or the names of the targeted banks. Ramnit uses malvertising and malware-laden spam for distribution, though it has also employed popular exploit kits such as Angler.
External References: https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: 7952e478a1c6df2378e2174e83c69608401c46526efff974484c719ba44f19dc
SHA1: 2ce19d82c3aba2b9f61e83171c5b17f18d51d653
MD5: e15c3c1db02ac76fb3ef4cc3da611411
Strike ID: M20-luni1
Malware: Cybergate_5103ceac
Platform: Windows
Info: This strike sends a malware sample known as Cybergate. Cybergate, also known as Rebhip, is a Remote Access Trojan that allows attackers to fully control the target system. Functionality includes command shell interaction, screenshot capturing, audio/video capturing, keylogging, as well as uploading/downloading files from the target system.
External References: https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: 06c9eeaf4b22ccc75f29da153dfa87ca1c3759a5bfb3b688813a07c78cf9cf5a
SHA1: a8d88b9b7237ead3751800caa83d4eb95251ec58
MD5: 5103ceacc2fcd2ef558292edc98df7cd
Strike ID: M20-ysrp1
Malware: Ramnit_a5729a0d
Platform: Windows
Info: This strike sends a polymorphic malware sample known as Ramnit. Ramnit is a banking trojan that has been active since 2010 and has recently resumed activity. After infection, it scans files for keywords of interest, such as wallet, passwords, or the names of the targeted banks. Ramnit uses malvertising and malware-laden spam for distribution, though it has also employed popular exploit kits such as Angler. The binary has random bytes appended at the end of the file.
External References: https://attack.mitre.org/techniques/T1009/
SHA256: 4bcc84f50103644d8412f28302b264151588db1be40a2172f919ba32a6a4708f
SHA1: 84e3e2314b5c457b5d9480f4110fce52c4be1c97
PARENTID: M20-3y2b1
SSDEEP: 1536:04OfRSikTjHw8/VhTqi4EqjCrCKfrSL2TtpdhJ/b+RuA6Tj1qNQaeIiYqpb11CT0:Jmi4VCrHXT1bfA6uFqpb1ys+Y
MD5: a5729a0deb510677662e26c3e4cd288d
Strike ID: M20-y2io2
Malware: Zbot_8b1c2ad3
Platform: Windows
Info: This strike sends a malware sample known as Zbot. Zbot, also known as Zeus, is a trojan often associated with stealing banking information through keystroke logging and form grabbing.
External References: https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: 4fbf3416adf96620028b3f92f661d24708aff0c83651868dddbbddae11110b9d
SHA1: c0c6fa972e1a49dec5513c21f0ffca78a93bf528
MD5: 8b1c2ad3137857f1cd122d5ac9db86c9