Malware Monthly Update March - 2020 Release Notes

Malware Monthly Update March - 2020

Malware Strikes

Strike ID	Malware	Platform	Info	MD5	External References
M20-9r501	Nymaim_3613236c	Windows	This strike sends a malware sample known as Nymaim. Nymaim is malware that can be used to deliver ransomware and other malicious payloads. It uses a domain generation algorithm to generate potential command and control domains to connect to additional payloads.	3613236c5516bd3695b6715b415d7bff	https://blog.talosintelligence.com/2020/03/threat-roundup-0306-0313.html SHA256: 7a081e847f783ca398362fb4172a266e8387fef4d860ce25c4bc2986a25ce690 SHA1: 685cf25785aab6989f4e8421cfba87226809972c MD5: 3613236c5516bd3695b6715b415d7bff
M20-qzv01	Vicious	Windows	This strike sends a malware sample known as Vicious Panda Loader DLL. This malware sample is called Vicious Panda. This malicious sample targets the Mongolian Public sector during the Coronavirus scare in 2020. This DLL file serves as the main loader of the malware framework in the infection chain that communicates with the C2 framework to gather additional functionality.	4f0428160556354f0ac8f18b8d843d3b	https://research.checkpoint.com/2020/vicious-panda-the-covid-campaign/ SHA256: 1c98a36229b878bae15985c1ae0ff96e42f36fa06359323f205e18431d780a3b SHA1: cde40c325fcf179242831a145fd918ca7288d9dc MD5: 4f0428160556354f0ac8f18b8d843d3b
M20-cma01	Bifrost_2762e48d	Windows	This strike sends a malware sample known as Bifrost. This sample of malware is known as Bifrost. Bifrost is a backdoor that allows a remote attacker, who uses the client, to execute arbitrary code on the compromised machine. It contains standard Remote Access Trojan capabilities including a screenshots, camera monitoring, and keylogging.	2762e48d7118558a160fe3c6782df63c	https://blog.talosintelligence.com/2020/03/threat-roundup-0228-0306.html SHA256: 97dc870dd36389d74e9f77c725f513654c62b7152a5f18387dfb8e6c300e2415 SHA1: aedc1b9d5c8e01c9795b9577bfda05b8dacd8c2a MD5: 2762e48d7118558a160fe3c6782df63c
M20-q3r01	Nymaim_d13bb913	Windows	This strike sends a malware sample known as Nymaim. Nymaim is malware that can be used to deliver ransomware and other malicious payloads. It uses a domain generation algorithm to generate potential command and control domains to connect to additional payloads.	d13bb913cf315a83fbc465a297cf81d7	https://blog.talosintelligence.com/2020/03/threat-roundup-0306-0313.html SHA256: 813a531f48400ae896114791fdb0dc1f5783da5824311f5ea6bce8593213e393 SHA1: 22d5a8e80b730e2a4474c66910feca1366610c7c MD5: d13bb913cf315a83fbc465a297cf81d7
M20-nlo01	Emotet_a8c3ddba	Windows	This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails.	a8c3ddba4932673ee0c26768a8eb3021	https://blog.talosintelligence.com/2020/03/threat-roundup-0228-0306.html SHA256: 0e4056035379093c420b6d84d9bcd77d2789c80d7729eb7e8635e489cfb0b9c0 SHA1: 5fd8fccf086b810444307b65debd10b07d2d83ea MD5: a8c3ddba4932673ee0c26768a8eb3021
M20-s0g01	Bifrost_8b0bc579	Windows	This strike sends a malware sample known as Bifrost. This sample of malware is known as Bifrost. Bifrost is a backdoor that allows a remote attacker, who uses the client, to execute arbitrary code on the compromised machine. It contains standard Remote Access Trojan capabilities including a screenshots, camera monitoring, and keylogging.	8b0bc579dcdb028197b4489758af4bc5	https://blog.talosintelligence.com/2020/03/threat-roundup-0228-0306.html SHA256: b81853affa6b46779eb7024f5bc388ed406d337a1913f4b15788e6e54e969dc1 SHA1: 4529556a402a29b5641575fc9490310692332120 MD5: 8b0bc579dcdb028197b4489758af4bc5
M20-fg501	Nymaim_35959b06	Windows	This strike sends a malware sample known as Nymaim. Nymaim is malware that can be used to deliver ransomware and other malicious payloads. It uses a domain generation algorithm to generate potential command and control domains to connect to additional payloads.	35959b060a106dc96f82062b090f5439	https://blog.talosintelligence.com/2020/03/threat-roundup-0306-0313.html SHA256: 2cac77ac4a68039f57b6da94ff827ccf592d6b391762a010ba1d798461ad780c SHA1: 2f77c836bd972e32f5ca345c594ed068af3f8524 MD5: 35959b060a106dc96f82062b090f5439
M20-bcz01	Gh0stRAT_4d628f05	Windows	This strike sends a malware sample known as Gh0stRAT. Gh0stRAT is a well-known family of remote access trojans designed to provide an attacker with complete control over an infected system. Capabilities include monitoring keystrokes, collecting video footage from the webcam, and uploading/executing follow-on malware. The source code for Gh0stRAT has been publicly available on the Internet for years, significantly lowering the barrier for actors to modify and reuse the code in new attacks.	4d628f05c99b447eee04f5a382276267	https://blog.talosintelligence.com/2020/03/threat-roundup-0228-0306.html SHA256: da7cd6233482da9114bf51bd6fb42825d4f4a044c4239a6e267d2134eb21282b SHA1: e4573a9d0d7116092e76aca2a58c0bd52f99c9d6 MD5: 4d628f05c99b447eee04f5a382276267
M20-igc01	Nymaim_dceef661	Windows	This strike sends a malware sample known as Nymaim. Nymaim is malware that can be used to deliver ransomware and other malicious payloads. It uses a domain generation algorithm to generate potential command and control domains to connect to additional payloads.	dceef661d6f57274384b9ef5b1d30127	https://blog.talosintelligence.com/2020/03/threat-roundup-0306-0313.html SHA256: 2524bf4a82f9eb9a2acdd291ef82068667566c54155f3669b5fdef61ad0c859e SHA1: 93578e8e8e0e84bc707ec577e3ab1e2d1b0c5de1 MD5: dceef661d6f57274384b9ef5b1d30127
M20-fub01	Nymaim_5f7a458b	Windows	This strike sends a malware sample known as Nymaim. Nymaim is malware that can be used to deliver ransomware and other malicious payloads. It uses a domain generation algorithm to generate potential command and control domains to connect to additional payloads.	5f7a458b412f7076a7cc4081c0af9ea4	https://blog.talosintelligence.com/2020/03/threat-roundup-0306-0313.html SHA256: 109bd3f040c9077b74e75416e4b133098143bc40ebba6456624e8869cf1619cf SHA1: 635941f1ca3fdbe5906496132eb8ed49ddea1730 MD5: 5f7a458b412f7076a7cc4081c0af9ea4
M20-cyq01	Vicious	Windows	This strike sends a malware sample known as Vicious Panda Loader DLL. This malware sample is called Vicious Panda. This malicious sample targets the Mongolian Public sector during the Coronavirus scare in 2020. This DLL file serves as the main loader of the malware framework in the infection chain that communicates with the C2 framework to gather additional functionality.	70ab82bfdc09ef5c5bc07e55c504a496	https://research.checkpoint.com/2020/vicious-panda-the-covid-campaign/ SHA256: 80392bebe21245128e3353eec7f499bdc5550e67501eceebf21985644d146768 SHA1: 5560644578a6bcf1ba79f380ca8bdb2f9a4b40b7 MD5: 70ab82bfdc09ef5c5bc07e55c504a496
M20-5bl01	Ursu_945fe831	Windows	This strike sends a malware sample known as Ursu. This malware sample is known as Ursu. Ursu is a generic Windows malware that has numerous functions. Ursu infects victim machines via email and proceeds to contact C2 servers for additional functionality. It also injects itself into system processes and maintains persistence.	945fe8315a2fe93b1f8556c4b3ea3439	https://blog.talosintelligence.com/2020/03/threat-roundup-0306-0313.html SHA256: 6d5c50c1be5dd9c3b83c39f4a0d7cdd20026cccb5c1c86a067f35f3896cb160d SHA1: 8c24b1f52afbb99afbf2031f37342acf41d916c0 MD5: 945fe8315a2fe93b1f8556c4b3ea3439
M20-gu201	Vicious	Windows	This strike sends a malware sample known as Vicious Panda Loader DLL. This malware sample is called Vicious Panda. This malicious sample targets the Mongolian Public sector during the Coronavirus scare in 2020. This DLL file serves as the main loader of the malware framework in the infection chain that communicates with the C2 framework to gather additional functionality.	c91268989ede3ab737fdcd71cea19d60	https://research.checkpoint.com/2020/vicious-panda-the-covid-campaign/ SHA256: e9621840e1bfaf16eaee37e2d1e9d1f0032158a09e638eaebff6d8626d47c95a SHA1: 5ff9ecc1184c9952a16b9941b311d1a038fcab56 MD5: c91268989ede3ab737fdcd71cea19d60
M20-1tt01	Vicious	Windows	This strike sends a malware sample known as Vicious Panda Loader DLL. This malware sample is called Vicious Panda. This malicious sample targets the Mongolian Public sector during the Coronavirus scare in 2020. This DLL file serves as the main loader of the malware framework in the infection chain that communicates with the C2 framework to gather additional functionality.	8b75bb1d547cf6af3569ff836379145b	https://research.checkpoint.com/2020/vicious-panda-the-covid-campaign/ SHA256: 215c72df44fe8e564d24f4d9930c27409e7f76e2045c67940cdcecdbdbd3b04f SHA1: 207477076d069999533e0150be06a20ba74d5378 MD5: 8b75bb1d547cf6af3569ff836379145b
M20-mye01	Nymaim_5386de05	Windows	This strike sends a malware sample known as Nymaim. Nymaim is malware that can be used to deliver ransomware and other malicious payloads. It uses a domain generation algorithm to generate potential command and control domains to connect to additional payloads.	5386de0551e62797537d2f53fd4a3ada	https://blog.talosintelligence.com/2020/03/threat-roundup-0306-0313.html SHA256: 6283c33ad5cb1fa29ccef34b58b6cf84ed3b5fb5d69940abc7cf88b2d5091937 SHA1: a230bbc239625ae821a6aeb414109b3b3958f327 MD5: 5386de0551e62797537d2f53fd4a3ada
M20-zlm08	Emotet_7cdeba81	Windows	This strike sends a polymorphic malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails.The binary has random contents appended in one of the existing sections in the PE file format.	7cdeba810ae413f1502d0f1a8450de2f	https://arxiv.org/abs/1801.08917 SHA256: e40d6b2bf2f9d73152a8f01090f835c06a4d91a8c625ac0075744a7a73ab5231 SHA1: 0d2fd4c4f9a3fa2eddd6edabacefdd60f20fe4aa MD5: 7cdeba810ae413f1502d0f1a8450de2f PARENTID: M20-nlo01 SSDEEP: 6144:kpRRcuzo+xna3R6RpognmeeQ4tlw/hLDww8A:0RLzo6URXCehtlw/5U
M20-ysa01	Gh0stRAT_ea88894e	Windows	This strike sends a malware sample known as Gh0stRAT. Gh0stRAT is a well-known family of remote access trojans designed to provide an attacker with complete control over an infected system. Capabilities include monitoring keystrokes, collecting video footage from the webcam, and uploading/executing follow-on malware. The source code for Gh0stRAT has been publicly available on the Internet for years, significantly lowering the barrier for actors to modify and reuse the code in new attacks.	ea88894e8fc76e902aed8a49463e06ed	https://blog.talosintelligence.com/2020/03/threat-roundup-0228-0306.html SHA256: d8b1847f025c2d48f775099421979c788816a1ea2c527f3c16f28aad1bc12d81 SHA1: 3f60fb7377665890b7f368bdf9070fadafc5874c MD5: ea88894e8fc76e902aed8a49463e06ed
M20-w3b01	Nymaim_1d312119	Windows	This strike sends a malware sample known as Nymaim. Nymaim is malware that can be used to deliver ransomware and other malicious payloads. It uses a domain generation algorithm to generate potential command and control domains to connect to additional payloads.	1d312119275f676acac889b69e991905	https://blog.talosintelligence.com/2020/03/threat-roundup-0306-0313.html SHA256: 63011ace1ebac398e71d65bb5a0d0c4896a41d64c462f46a8c1380594cdfabfc SHA1: 61c3be8ed0eb8e7ce612a9e0306e88fad989df87 MD5: 1d312119275f676acac889b69e991905
M20-w9301	Ursu_61975ebb	Windows	This strike sends a malware sample known as Ursu. This malware sample is known as Ursu. Ursu is a generic Windows malware that has numerous functions. Ursu infects victim machines via email and proceeds to contact C2 servers for additional functionality. It also injects itself into system processes and maintains persistence.	61975ebb2c40ffdd082794f7fb49deeb	https://blog.talosintelligence.com/2020/03/threat-roundup-0306-0313.html SHA256: 8e8c18e99f0f891984fc158ed482a000b760290f3f4f020a4dfa42a32321a279 SHA1: 1c52fdd18299dec58f85be32f12884fed9837061 MD5: 61975ebb2c40ffdd082794f7fb49deeb
M20-zlm04	Vicous_Panda_f22c632d	Windows	This strike sends a polymorphic malware sample is called Vicious Panda. This malicious sample targets the Mongolian Public sector during the Coronavirus scare in 2020. This DLL file serves as the main loader of the malware framework in the infection chain that communicates with the C2 framework to gather additional functionality. The binary has random strings (lorem ipsum) appended at the end of the file.	f22c632dbc64a28486b9bc57902f506b	https://attack.mitre.org/techniques/T1009/ SHA256: ecf99f23f557d41b50555172fde8c13f362ad68a15fed453c66d3779daa899a4 SHA1: 2ccbadd3bd91cf35218b9e04c8ac063f2a09c514 MD5: f22c632dbc64a28486b9bc57902f506b PARENTID: M20-zoa01 SSDEEP: 3072:xoUwdZI5xUHoDxy4BPuX2CN7aTBiSid5rWlvq18cpX:efZI7Ua3GmC1atiSidOU8cd
M20-tme01	Nymaim_0794557a	Windows	This strike sends a malware sample known as Nymaim. Nymaim is malware that can be used to deliver ransomware and other malicious payloads. It uses a domain generation algorithm to generate potential command and control domains to connect to additional payloads.	0794557abc20195e5d364a1f20b9fc85	https://blog.talosintelligence.com/2020/03/threat-roundup-0306-0313.html SHA256: 3f2e085857d5c5b94e2adcdf7a9d199e4105439fe2f55dfe53ec8428297bedf4 SHA1: 4271b2e8d763c09230f8ebc95695730a540887a4 MD5: 0794557abc20195e5d364a1f20b9fc85
M20-2ll01	Vicious	Windows	This strike sends a malware sample known as Vicious Panda Loader DLL. This malware sample is called Vicious Panda. This malicious sample targets the Mongolian Public sector during the Coronavirus scare in 2020. This DLL file serves as the main loader of the malware framework in the infection chain that communicates with the C2 framework to gather additional functionality.	73b097c610daf7136b9b4ea945c0fa44	https://research.checkpoint.com/2020/vicious-panda-the-covid-campaign/ SHA256: 9e12094c15f59d68ad17e5ed42ebb85e5b41f4258823b7b5c7472bdff21e6cee SHA1: cf5fb4017483cdf1d5eb659ebc9cd7d19588d935 MD5: 73b097c610daf7136b9b4ea945c0fa44
M20-vfr01	Gh0stRAT_16629f7e	Windows	This strike sends a malware sample known as Gh0stRAT. Gh0stRAT is a well-known family of remote access trojans designed to provide an attacker with complete control over an infected system. Capabilities include monitoring keystrokes, collecting video footage from the webcam, and uploading/executing follow-on malware. The source code for Gh0stRAT has been publicly available on the Internet for years, significantly lowering the barrier for actors to modify and reuse the code in new attacks.	16629f7ebd0d1f1d80f819b7e2014fc6	https://blog.talosintelligence.com/2020/03/threat-roundup-0228-0306.html SHA256: 550d6397943cd525439a0d62c79459519d29438f1b1fcfddbbf2eb4a48660e63 SHA1: 271fbb0273cb128a0d7e70d6dcd558f4cffcba33 MD5: 16629f7ebd0d1f1d80f819b7e2014fc6
M20-vtr01	Gh0stRAT_d5f6d068	Windows	This strike sends a malware sample known as Gh0stRAT. Gh0stRAT is a well-known family of remote access trojans designed to provide an attacker with complete control over an infected system. Capabilities include monitoring keystrokes, collecting video footage from the webcam, and uploading/executing follow-on malware. The source code for Gh0stRAT has been publicly available on the Internet for years, significantly lowering the barrier for actors to modify and reuse the code in new attacks.	d5f6d0688f666092ec5edbdb5e8d54e6	https://blog.talosintelligence.com/2020/03/threat-roundup-0228-0306.html SHA256: 8f3642fef8a0f84c1615efd6e3b90e26fcb8907d9a6e4904d2587dacd741932b SHA1: ce8794bd8144ffdf9f43c3dafa1dc74f1190541c MD5: d5f6d0688f666092ec5edbdb5e8d54e6
M20-71201	Nymaim_2a1302db	Windows	This strike sends a malware sample known as Nymaim. Nymaim is malware that can be used to deliver ransomware and other malicious payloads. It uses a domain generation algorithm to generate potential command and control domains to connect to additional payloads.	2a1302dbf84169bb6c0f5ed9a605029d	https://blog.talosintelligence.com/2020/03/threat-roundup-0306-0313.html SHA256: 18c22cdb43d3095d980b31a98c069f5511648b447d65834a1a004be6587e4062 SHA1: 82c8c378defdb5c8d8039977364e7dd0f1106012 MD5: 2a1302dbf84169bb6c0f5ed9a605029d
M20-s6901	Ursu_528d9683	Windows	This strike sends a malware sample known as Ursu. This malware sample is known as Ursu. Ursu is a generic Windows malware that has numerous functions. Ursu infects victim machines via email and proceeds to contact C2 servers for additional functionality. It also injects itself into system processes and maintains persistence.	528d96831046f069001d93e24716b97f	https://blog.talosintelligence.com/2020/03/threat-roundup-0306-0313.html SHA256: 5732fe839b0157b0e1da1c03eea1bab091e04899a3bc7b70a23dcb97467fe0fc SHA1: 146d5f0f15cc932fe7d420c74df57787c273c214 MD5: 528d96831046f069001d93e24716b97f
M20-c5n01	Emotet_092f16ba	Windows	This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails.	092f16ba5c4a382b518b89367eaa6174	https://blog.talosintelligence.com/2020/03/threat-roundup-0228-0306.html SHA256: 0eabba5e6d29aadd3551715bab5279a1a2faf19f90a24f0168b8d903acee0d26 SHA1: aaef999a71d4ed72e85c7d82874cfa11706a1a1f MD5: 092f16ba5c4a382b518b89367eaa6174
M20-vai01	Emotet_3bcba502	Windows	This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails.	3bcba502867552705f0a82a0a9320912	https://blog.talosintelligence.com/2020/03/threat-roundup-0228-0306.html SHA256: 8257c2e631751a8a6114d4463debb0dfc2021a2630a7f463a928a4fe6c3bc211 SHA1: b34dee0395bb1430b28f5214b61e7a26ab800428 MD5: 3bcba502867552705f0a82a0a9320912
M20-vcj01	Emotet_7b6f5565	Windows	This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails.	7b6f5565ea6982e18a25741a0e58c9bf	https://blog.talosintelligence.com/2020/03/threat-roundup-0228-0306.html SHA256: de54dc917bcc60957bf16bc876080e485d5d2939c542057afc5aa5c098c2bc7e SHA1: 7a76356c1d4c9f34dc2ef8116060f17284b2b65c MD5: 7b6f5565ea6982e18a25741a0e58c9bf
M20-7kl01	Gh0stRAT_a5740955	Windows	This strike sends a malware sample known as Gh0stRAT. Gh0stRAT is a well-known family of remote access trojans designed to provide an attacker with complete control over an infected system. Capabilities include monitoring keystrokes, collecting video footage from the webcam, and uploading/executing follow-on malware. The source code for Gh0stRAT has been publicly available on the Internet for years, significantly lowering the barrier for actors to modify and reuse the code in new attacks.	a574095521980653f09841a1fb659d68	https://blog.talosintelligence.com/2020/03/threat-roundup-0228-0306.html SHA256: b927b88cb9fb216b54b307fbf9d90fe6189af102d6b2b65a6e82ec1ee8cb7d7b SHA1: 2d57bd421c23d6218facb98e17582d0dd9036f6d MD5: a574095521980653f09841a1fb659d68
M20-4am01	Nymaim_ead69941	Windows	This strike sends a malware sample known as Nymaim. Nymaim is malware that can be used to deliver ransomware and other malicious payloads. It uses a domain generation algorithm to generate potential command and control domains to connect to additional payloads.	ead69941904247e387bed803be2a6184	https://blog.talosintelligence.com/2020/03/threat-roundup-0306-0313.html SHA256: 6057c88112b275c6d47589fd10f863987010804dd01be8b2c8b449a7ed08d9da SHA1: 23d445dbce921c6fcb203d28df6a038ad5203301 MD5: ead69941904247e387bed803be2a6184
M20-sp101	Emotet_744d8741	Windows	This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails.	744d87417af40b21ac6d1ab92f52d056	https://blog.talosintelligence.com/2020/03/threat-roundup-0228-0306.html SHA256: 45bb0185b3b111814469ce0ec2d2e03e4c7e469170d42ae9733402c63f804431 SHA1: 258e91d6839eaaa9e49d213c0ccbe74088e19e52 MD5: 744d87417af40b21ac6d1ab92f52d056
M20-tt001	Netwalker	Windows	This strike sends a malware sample known as Netwalker (Mailto). This malware sample is known as Netwalker. Netwalker, also known as Mailto is Ransomware that encrypts Windows files on the compromised enterprise networks with the mailto extension. This sample emulates the Sticky Password software.	d60d91c24570770af42816602ac19c97	https://www.bleepingcomputer.com/news/security/mailto-netwalker-ransomware-targets-enterprise-networks/ SHA256: 416556c9f085ae56e13f32d7c8c99f03efc6974b2897070f46ef5f9736443e8e SHA1: 0d17845f19dc2fc1e38934864424c23d8bcc7644 MD5: d60d91c24570770af42816602ac19c97
M20-w8d01	Nymaim_234c17db	Windows	This strike sends a malware sample known as Nymaim. Nymaim is malware that can be used to deliver ransomware and other malicious payloads. It uses a domain generation algorithm to generate potential command and control domains to connect to additional payloads.	234c17db37ebd0efc5d044018b393a4e	https://blog.talosintelligence.com/2020/03/threat-roundup-0306-0313.html SHA256: 42a971335515a1ed31e629c0faf85b5d2cd51eada6e1c0c4659c0d0322b62a27 SHA1: 5ec7e5f5f2c6b651439a2585e16813ad61e70cec MD5: 234c17db37ebd0efc5d044018b393a4e
M20-zlm011	Bifrost_872fd0f0	Windows	This strike sends a polymorphic malware sample known as Bifrost. Bifrost is a backdoor that allows a remote attacker, who uses the client, to execute arbitrary code on the compromised machine. It contains standard Remote Access Trojan capabilities including a screenshots, camera monitoring, and keylogging. The binary has been packed using upx packer, with the default options.	872fd0f0bde3f0723e37f204dc5081bc	https://attack.mitre.org/techniques/T1045/ SHA256: 46436ed4173c825402ee174579b2e224c0a35c4c09c385cd88485206a3d00d10 SHA1: ab4e5ea0c0316406871de225827502585ad2299c MD5: 872fd0f0bde3f0723e37f204dc5081bc PARENTID: M20-3yg01 SSDEEP: 3072:zHjjIUngDLj2wdux6WZ0tf2L2Tw2sfqxzXUvRvpR0teQK:zDJoj2wX20tf2L2TwRqxzY4e3
M20-c2r01	Nymaim_b69912ee	Windows	This strike sends a malware sample known as Nymaim. Nymaim is malware that can be used to deliver ransomware and other malicious payloads. It uses a domain generation algorithm to generate potential command and control domains to connect to additional payloads.	b69912eef5040c0a580de570c1080751	https://blog.talosintelligence.com/2020/03/threat-roundup-0306-0313.html SHA256: 68a44b6a3401677da55c3a42713bcaab7ef02b2f54bac56c2a8d671157d6e228 SHA1: 8b1b6ee2be95af9faefb6674b10cd14b4e71f5c5 MD5: b69912eef5040c0a580de570c1080751
M20-3wk01	Nymaim_656642ba	Windows	This strike sends a malware sample known as Nymaim. Nymaim is malware that can be used to deliver ransomware and other malicious payloads. It uses a domain generation algorithm to generate potential command and control domains to connect to additional payloads.	656642baa452d4dc6884c75f80cc5ac7	https://blog.talosintelligence.com/2020/03/threat-roundup-0306-0313.html SHA256: 683d2ec46c5bf2a8cb5a18e807283e23eeff66af8e6274fddee6058c170da90a SHA1: da282254ff1f56075bbf780bb16d00009ab0bd04 MD5: 656642baa452d4dc6884c75f80cc5ac7
M20-0g401	Vicious	Windows	This strike sends a malware sample known as Vicious Panda Loader DLL. This malware sample is called Vicious Panda. This malicious sample targets the Mongolian Public sector during the Coronavirus scare in 2020. This DLL file serves as the main loader of the malware framework in the infection chain that communicates with the C2 framework to gather additional functionality.	07328ad6efcf16b532499cbb8daa7633	https://research.checkpoint.com/2020/vicious-panda-the-covid-campaign/ SHA256: 2a42f500d019a64970e1c63d48eefa27727f80fe0a5b13625e0e72a6ec98b968 SHA1: 2f80f51188dc9aea697868864d88925d64c26abc MD5: 07328ad6efcf16b532499cbb8daa7633
M20-gud01	Gh0stRAT_a9a512ee	Windows	This strike sends a malware sample known as Gh0stRAT. Gh0stRAT is a well-known family of remote access trojans designed to provide an attacker with complete control over an infected system. Capabilities include monitoring keystrokes, collecting video footage from the webcam, and uploading/executing follow-on malware. The source code for Gh0stRAT has been publicly available on the Internet for years, significantly lowering the barrier for actors to modify and reuse the code in new attacks.	a9a512eeafc3e19e503636af435aa695	https://blog.talosintelligence.com/2020/03/threat-roundup-0228-0306.html SHA256: 9d2c079618d2b3cbaa4c022048da451ecf0148fbae4cf41f8f19c363e9c23736 SHA1: a15130ba187320c06de97d1440ec822e6e104bd6 MD5: a9a512eeafc3e19e503636af435aa695
M20-es801	Vicious	Windows	This strike sends a malware sample known as Vicious Panda Loader DLL. This malware sample is called Vicious Panda. This malicious sample targets the Mongolian Public sector during the Coronavirus scare in 2020. This DLL file serves as the main loader of the malware framework in the infection chain that communicates with the C2 framework to gather additional functionality.	3009db32ca8895a0f15f724ba12a6711	https://research.checkpoint.com/2020/vicious-panda-the-covid-campaign/ SHA256: e9766b6129d9e1d59b92c4313d704e8cdc1a9b38905021efcac334cdd451e617 SHA1: 92de0a807cfb1a332aa0d886a6981e7dee16d621 MD5: 3009db32ca8895a0f15f724ba12a6711
M20-47501	Nymaim_eca8e6ba	Windows	This strike sends a malware sample known as Nymaim. Nymaim is malware that can be used to deliver ransomware and other malicious payloads. It uses a domain generation algorithm to generate potential command and control domains to connect to additional payloads.	eca8e6ba7edb3a1fcd0ff99514f3529c	https://blog.talosintelligence.com/2020/03/threat-roundup-0306-0313.html SHA256: 88ef4262d2cb80330e3aced7a7bf6409668333f42c41915f2e64f334ea25693c SHA1: de553845955f1b528e0c2d4afc71d902505bf925 MD5: eca8e6ba7edb3a1fcd0ff99514f3529c
M20-zlm07	Gh0stRAT_c3c457fd	Windows	This strike sends a malware sample known as Gh0stRAT. Gh0stRAT is a well-known family of remote access trojans designed to provide an attacker with complete control over an infected system. Capabilities include monitoring keystrokes, collecting video footage from the webcam, and uploading/executing follow-on malware. The source code for Gh0stRAT has been publicly available on the Internet for years, significantly lowering the barrier for actors to modify and reuse the code in new attacks. The binary has the timestamp field updated in the PE file header.	c3c457fdc4804cc64f88b626df3f2316	https://attack.mitre.org/techniques/T1099/ SHA256: 59dbbdf7c467e92ecce9ca31fd5a04413f2c133a732198cbb99822a253b02174 SHA1: 2e236a3dd7c6782293b417eb769ecf1e973ad665 MD5: c3c457fdc4804cc64f88b626df3f2316 PARENTID: M20-wau01 SSDEEP: 12288:h+QWC4NI8MoHJKiNucw0JYM4kb5HPrEixXgvmkaHiw9gR:cQWC4NI8M61Fqvmka9gR
M20-zlm10	Emotet_cb43b829	Windows	This strike sends a polymorphic malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails.The binary has random strings (lorem ipsum) appended at the end of the file.	cb43b8295fff2bbd059048bf62d60264	https://attack.mitre.org/techniques/T1009/ SHA256: 7b4e407712223169934f12f59de0508bc5eebcf942026e151420ca5986d8d9b7 SHA1: fc277452218afd43ef07ffe58d8fef9f9fb6d8a8 MD5: cb43b8295fff2bbd059048bf62d60264 PARENTID: M20-c5n01 SSDEEP: 6144:lpRRcuzo+xna3R6RpognmeeQ4tlw/hLDww8AK:tRLzo6URXCehtlw/5Un
M20-tib01	Nymaim_1743c5f7	Windows	This strike sends a malware sample known as Nymaim. Nymaim is malware that can be used to deliver ransomware and other malicious payloads. It uses a domain generation algorithm to generate potential command and control domains to connect to additional payloads.	1743c5f7d796f67b97404e6d2b8e7b86	https://blog.talosintelligence.com/2020/03/threat-roundup-0306-0313.html SHA256: 836f598e59d30233a42d0ec25f4ac237f3d7d12f52646ed400244d4539fbb3c3 SHA1: 1249baed894378166b6d54259b3d706ed51e2246 MD5: 1743c5f7d796f67b97404e6d2b8e7b86
M20-3rd01	Nymaim_5bb48afd	Windows	This strike sends a malware sample known as Nymaim. Nymaim is malware that can be used to deliver ransomware and other malicious payloads. It uses a domain generation algorithm to generate potential command and control domains to connect to additional payloads.	5bb48afd456eb3f2aef4566ab1924b0f	https://blog.talosintelligence.com/2020/03/threat-roundup-0306-0313.html SHA256: 029369003b1fb6b4b0191a54b330673685e059d390b3393d4f58ebccb3fa0a04 SHA1: 9aea755ad644d5528a5fb51e345910643c17804a MD5: 5bb48afd456eb3f2aef4566ab1924b0f
M20-bai01	Gh0stRAT_f7d52055	Windows	This strike sends a malware sample known as Gh0stRAT. Gh0stRAT is a well-known family of remote access trojans designed to provide an attacker with complete control over an infected system. Capabilities include monitoring keystrokes, collecting video footage from the webcam, and uploading/executing follow-on malware. The source code for Gh0stRAT has been publicly available on the Internet for years, significantly lowering the barrier for actors to modify and reuse the code in new attacks.	f7d520556eeba44dfa562c9494a54667	https://blog.talosintelligence.com/2020/03/threat-roundup-0228-0306.html SHA256: e1ce464fd9c93969082c215d2358e6fb3e84e173fdaf36b1b1ddf6918a949109 SHA1: 345feea6eb4f029d6ddf86fbc56b4bef42d48fda MD5: f7d520556eeba44dfa562c9494a54667
M20-1au01	Ursu_6be09dcc	Windows	This strike sends a malware sample known as Ursu. This malware sample is known as Ursu. Ursu is a generic Windows malware that has numerous functions. Ursu infects victim machines via email and proceeds to contact C2 servers for additional functionality. It also injects itself into system processes and maintains persistence.	6be09dccd66345cf0fb522a80e69cf29	https://blog.talosintelligence.com/2020/03/threat-roundup-0306-0313.html SHA256: 5795d3b441fba24cd5eea9d63283363cc301c947fc9c1490e8c342eaaabcfa2f SHA1: 822b8222c450ce97407476c4474f21368ba39b69 MD5: 6be09dccd66345cf0fb522a80e69cf29
M20-jes02	Emotet_58a85e79	Windows	This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails.	58a85e790720044c753166bc090fc5a8	https://blog.talosintelligence.com/2020/03/threat-roundup-0228-0306.html SHA256: bae886d7885453947e93c457f93b18c50cede1b7e17daebd2c934d32917d8d13 SHA1: e18fba578ea57c7b82eec1fb50841b0cf66f83e1 MD5: 58a85e790720044c753166bc090fc5a8
M20-zlm06	Gh0stRAT_efaebde8	Windows	This strike sends a polymorphic malware sample known as Gh0stRAT. Gh0stRAT is a well-known family of remote access trojans designed to provide an attacker with complete control over an infected system. Capabilities include monitoring keystrokes, collecting video footage from the webcam, and uploading/executing follow-on malware. The source code for Gh0stRAT has been publicly available on the Internet for years, significantly lowering the barrier for actors to modify and reuse the code in new attacks. The binary file has one more imports added in the import table.	efaebde8e0150b73c9123a6e5ac11955	https://arxiv.org/abs/1702.05983 SHA256: 6214d2a4a5e6d6a10911643560e67a8aabfb38bf81660deddec39bb7a3aea363 SHA1: bd4d33851873548f7b7df3f61c27a92d3c90a180 MD5: efaebde8e0150b73c9123a6e5ac11955 PARENTID: M20-u9y01 SSDEEP: 12288:u+QWC4NI8MoHJKiNuJ9ZvfB1bDi0BF9vBd:LQWC4NI8M6qB1/i0vD
M20-zlm01	Netwalker_58c42638	Windows	This strike sends a polymorphic malware sample known as Netwalker. Netwalker, also known as Mailto is Ransomware that encrypts Windows files on the compromised enterprise networks with the mailto extension. This sample emulates the Sticky Password software. The binary has random strings (lorem ipsum) appended at the end of the file.	58c42638e97a515f47feccc914746a0b	https://attack.mitre.org/techniques/T1009/ SHA256: d31f7c07dd1f468e3930421f5e393689fe144313e281f37646682197b0fe69f2 SHA1: 4a0f1213c8d096efac7aac0a306a0b21ece03760 MD5: 58c42638e97a515f47feccc914746a0b PARENTID: M20-tt001 SSDEEP: 3072:tuJ99SJdnwT3EPBWEGyc9RdxZEZExFWBhdgQVNCB:tjJq3EJWEA9VyZiFadZVNA
M20-zoa01	Vicious	Windows	This strike sends a malware sample known as Vicious Panda Loader DLL. This malware sample is called Vicious Panda. This malicious sample targets the Mongolian Public sector during the Coronavirus scare in 2020. This DLL file serves as the main loader of the malware framework in the infection chain that communicates with the C2 framework to gather additional functionality.	a4f695d4f912f27a193bdaed6f073128	https://research.checkpoint.com/2020/vicious-panda-the-covid-campaign/ SHA256: 238fa49ed966cb746bffee3e7ca95b4a9db3bb0f897b8fd8ae560f9080749a82 SHA1: 0e0b006e85e905555c90dfc0c00b306bca062e7b MD5: a4f695d4f912f27a193bdaed6f073128
M20-8oo01	Vicious	Windows	This strike sends a malware sample known as Vicious Panda RTF. This malware sample is called Vicious Panda. This sample is a malicious RTF document that targets the Mongolian Public sector during the Coronavirus scare in 2020. These documents exploit Equation Editor vulnerabilities in Microsoft Word and were weaponized with the RoyalRoad tool.	a6cce77325e4465c78c7b7b3610e2787	https://research.checkpoint.com/2020/vicious-panda-the-covid-campaign/ SHA256: d7f15f750cceeb9e28e412f278949f183f98aeb65fe99731b2340c8f1c008465 SHA1: 234a10e432e0939820b2f40bf612eda9229db720 MD5: a6cce77325e4465c78c7b7b3610e2787
M20-zlm03	Netwalker_fec593cc	Windows	This strike sends a polymorphic malware sample known as Netwalker. Netwalker, also known as Mailto is Ransomware that encrypts Windows files on the compromised enterprise networks with the mailto extension. This sample emulates the Sticky Password software.The binary has the timestamp field updated in the PE file header.	fec593ccbe9f68d904dd1153cc03a5eb	https://attack.mitre.org/techniques/T1099/ SHA256: c251a9601c6542333cb3a6ca2604add84ca5e8cc81380986c607927669b75ae7 SHA1: ba112f23e158e3a47dd1df80819de33c6db450d4 MD5: fec593ccbe9f68d904dd1153cc03a5eb PARENTID: M20-tt001 SSDEEP: 3072:BuJ99SJdnwT3EPBWEGyc9RdxZEZExFWBhdgQVNC:BjJq3EJWEA9VyZiFadZVN
M20-z6r01	Emotet_811d8361	Windows	This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails.	811d83616f8d9e9afb1360bcbdd85e65	https://blog.talosintelligence.com/2020/03/threat-roundup-0228-0306.html SHA256: 94a354a98259a0d92248531bd3c8ee59ebad766bc7c3cff4a4739bd467b1d244 SHA1: fc3579a782cc6c2300dcb31d218d26a88e00acbc MD5: 811d83616f8d9e9afb1360bcbdd85e65
M20-3a101	Ursu_443b0852	Windows	This strike sends a malware sample known as Ursu. This malware sample is known as Ursu. Ursu is a generic Windows malware that has numerous functions. Ursu infects victim machines via email and proceeds to contact C2 servers for additional functionality. It also injects itself into system processes and maintains persistence.	443b0852d90cb0cc574c30ea71b91880	https://blog.talosintelligence.com/2020/03/threat-roundup-0306-0313.html SHA256: 728475baa6296537c166911468e3b22068e016a9e51171b1d9ab3e5426c60f41 SHA1: 24e4ed0a0d1000994a2232da615842c8db006fa0 MD5: 443b0852d90cb0cc574c30ea71b91880
M20-jw301	Vicious	Windows	This strike sends a malware sample known as Vicious Panda Loader DLL. This malware sample is called Vicious Panda.This malicious sample targets the Mongolian Public sector during the Coronavirus scare in 2020. This DLL file serves as the main loader of the malware framework in the infection chain that communicates with the C2 framework to gather additional functionality.	76acda3c0dc603df216bde4778460134	https://research.checkpoint.com/2020/vicious-panda-the-covid-campaign/ SHA256: 679a8519587909f655bacea438168cbb4c03434aede9913d9a3a637c55a0eae7 SHA1: 9ef97f90dcdfe123ccb7d9b45e6fa9eceb2446f0 MD5: 76acda3c0dc603df216bde4778460134
M20-d0x01	Bifrost_3c1400fa	Windows	This strike sends a malware sample known as Bifrost. This sample of malware is known as Bifrost. Bifrost is a backdoor that allows a remote attacker, who uses the client, to execute arbitrary code on the compromised machine. It contains standard Remote Access Trojan capabilities including a screenshots, camera monitoring, and keylogging.	3c1400faf23a2401933b42c760ea4496	https://blog.talosintelligence.com/2020/03/threat-roundup-0228-0306.html SHA256: 8e95da958f0e5beae769d9adf0bd523a4cba0a97abebee99d51642a0c484a193 SHA1: 753bffeb817ea0b29f9f9676ef00c9e296395050 MD5: 3c1400faf23a2401933b42c760ea4496
M20-elq01	Nymaim_2fb0ed70	Windows	This strike sends a malware sample known as Nymaim. Nymaim is malware that can be used to deliver ransomware and other malicious payloads. It uses a domain generation algorithm to generate potential command and control domains to connect to additional payloads.	2fb0ed70ccf5d30b3745863df248f3c4	https://blog.talosintelligence.com/2020/03/threat-roundup-0306-0313.html SHA256: 0a99f500898952fcc6ac124ec1bdbe697ef2c9de93bd829f6d0ba8ce438236ff SHA1: e755b63731ce72c83c9254a1c9496734b615bdfa MD5: 2fb0ed70ccf5d30b3745863df248f3c4
M20-p1y01	Emotet_702921ea	Windows	This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails.	702921ea6f0539a786b68fa1e387c18d	https://blog.talosintelligence.com/2020/03/threat-roundup-0228-0306.html SHA256: 486d1ab587964c3783faf01d9fb9b72c0719b512826984f17fb4b42553d2ad29 SHA1: 4b1bd854bb4e5de9acd0130e428b205310af60f9 MD5: 702921ea6f0539a786b68fa1e387c18d
M20-85h01	Ursu_8375ca8f	Windows	This strike sends a malware sample known as Ursu. This malware sample is known as Ursu. Ursu is a generic Windows malware that has numerous functions. Ursu infects victim machines via email and proceeds to contact C2 servers for additional functionality. It also injects itself into system processes and maintains persistence.	8375ca8f7f32a5ca94cea0afb36e9400	https://blog.talosintelligence.com/2020/03/threat-roundup-0306-0313.html SHA256: c57c12e9658458a407392b510316bc134946a2af1a6bc8720f1a8f785a8e15c5 SHA1: 8ee9b4724c61c626655a05a714bffae6c28a670f MD5: 8375ca8f7f32a5ca94cea0afb36e9400
M20-2pc01	Gh0stRAT_92f79a3b	Windows	This strike sends a malware sample known as Gh0stRAT. Gh0stRAT is a well-known family of remote access trojans designed to provide an attacker with complete control over an infected system. Capabilities include monitoring keystrokes, collecting video footage from the webcam, and uploading/executing follow-on malware. The source code for Gh0stRAT has been publicly available on the Internet for years, significantly lowering the barrier for actors to modify and reuse the code in new attacks.	92f79a3be71f63824e94a72005c63e7b	https://blog.talosintelligence.com/2020/03/threat-roundup-0228-0306.html SHA256: ac1807117ea4b5221dad637a8891e567849473d15cdfe49856d38877e1463019 SHA1: ea9167c69a0a1567312e770415d75ceb26a15292 MD5: 92f79a3be71f63824e94a72005c63e7b
M20-zlm05	Vicous_Panda_6bd76a08	Windows	This strike sends a polymorphic malware sample is called Vicious Panda. This malicious sample targets the Mongolian Public sector during the Coronavirus scare in 2020. This DLL file serves as the main loader of the malware framework in the infection chain that communicates with the C2 framework to gather additional functionality. The binary has random bytes appended at the end of the file.	6bd76a08f1405524c2298a24fd5d809b	https://attack.mitre.org/techniques/T1009/ SHA256: e1900699b2231b46b7541dc75ce2e4f380900081de97ec94c34621146c3e18fe SHA1: f96977a00a1567de033df292197f28138b503f83 MD5: 6bd76a08f1405524c2298a24fd5d809b PARENTID: M20-zoa01 SSDEEP: 3072:xoUwdZI5xUHoDxy4BPuX2CN7aTBiSid5rWlvq18cpoS:efZI7Ua3GmC1atiSidOU8cWS
M20-0in01	Emotet_4ba1e1c5	Windows	This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails.	4ba1e1c53e7f72b9a7cd776e20a9ac43	https://blog.talosintelligence.com/2020/03/threat-roundup-0228-0306.html SHA256: 67baea8bd29156a72ecbf6d75c2abe452cf428aaa0503e3de41c93445f1bc163 SHA1: 4737d033acfcaa1c2e62ea41843bf27fee540851 MD5: 4ba1e1c53e7f72b9a7cd776e20a9ac43
M20-32l01	Nymaim_0de2ac48	Windows	This strike sends a malware sample known as Nymaim. Nymaim is malware that can be used to deliver ransomware and other malicious payloads. It uses a domain generation algorithm to generate potential command and control domains to connect to additional payloads.	0de2ac483c4f8f039a56affe4f162b71	https://blog.talosintelligence.com/2020/03/threat-roundup-0306-0313.html SHA256: 0f85f19794584741038a9a8d51761315dce953aa2383ef92c4493f1fb02c7a1d SHA1: ad8d96797fad6c3c979d960477d3eccc4df5ece9 MD5: 0de2ac483c4f8f039a56affe4f162b71
M20-e8a01	Vicious	Windows	This strike sends a malware sample known as Vicious Panda RTF. This malware sample is called Vicious Panda. This sample is a malicious RTF document that targets the Mongolian Public sector during the Coronavirus scare in 2020. These documents exploit Equation Editor vulnerabilities in Microsoft Word and were weaponized with the RoyalRoad tool.	23dad71a3a55208d944c822c627d1a56	https://research.checkpoint.com/2020/vicious-panda-the-covid-campaign/ SHA256: 5187c9a84f5e69ba4b08538c3f5e7432e7b45ac84dec456ea07325ff5e94319a SHA1: ae042ec91ac661fdc0230bdddaafdc386fb442a3 MD5: 23dad71a3a55208d944c822c627d1a56
M20-tb201	Gh0stRAT_2aa52099	Windows	This strike sends a malware sample known as Gh0stRAT. Gh0stRAT is a well-known family of remote access trojans designed to provide an attacker with complete control over an infected system. Capabilities include monitoring keystrokes, collecting video footage from the webcam, and uploading/executing follow-on malware. The source code for Gh0stRAT has been publicly available on the Internet for years, significantly lowering the barrier for actors to modify and reuse the code in new attacks.	2aa5209909fe46a67653434b9a3aae25	https://blog.talosintelligence.com/2020/03/threat-roundup-0228-0306.html SHA256: b49b9e9f1457c63665a8e58d4f09a4811b0fa7733f650d163b87d686f4326203 SHA1: 4131ccfe887c4d771053f5261e1ca73970b9533d MD5: 2aa5209909fe46a67653434b9a3aae25
M20-b3601	Bifrost_d2ae2a01	Windows	This strike sends a malware sample known as Bifrost. This sample of malware is known as Bifrost. Bifrost is a backdoor that allows a remote attacker, who uses the client, to execute arbitrary code on the compromised machine. It contains standard Remote Access Trojan capabilities including a screenshots, camera monitoring, and keylogging.	d2ae2a016f08193fb2074f436c5c114a	https://blog.talosintelligence.com/2020/03/threat-roundup-0228-0306.html SHA256: 9b8f14dea7b8f6f88606f2451fe8c0e51dd029aa95180e2e08e4f7833405e104 SHA1: e0fe19c34054743e73e92a83fd0213cbb55a4c6b MD5: d2ae2a016f08193fb2074f436c5c114a
M20-cik01	Ursu_ea559afd	Windows	This strike sends a malware sample known as Ursu. This malware sample is known as Ursu. Ursu is a generic Windows malware that has numerous functions. Ursu infects victim machines via email and proceeds to contact C2 servers for additional functionality. It also injects itself into system processes and maintains persistence.	ea559afd4fa9acff7316c4d4a5bef4c5	https://blog.talosintelligence.com/2020/03/threat-roundup-0306-0313.html SHA256: 0540a6fd5a8d8b711724dd99e9dbd29896684503ae458094ac77caa0a3191841 SHA1: 8eb333b28532b0dff506652283bfc69e1661cb26 MD5: ea559afd4fa9acff7316c4d4a5bef4c5
M20-5ov01	Ursu_0b40a95b	Windows	This strike sends a malware sample known as Ursu. This malware sample is known as Ursu. Ursu is a generic Windows malware that has numerous functions. Ursu infects victim machines via email and proceeds to contact C2 servers for additional functionality. It also injects itself into system processes and maintains persistence.	0b40a95bf44c5447be2ee27badc2c665	https://blog.talosintelligence.com/2020/03/threat-roundup-0306-0313.html SHA256: 982bcdf19c39c6125771d12a007e9a723d3ea651f0cde4ee03777bd177e5792c SHA1: 44ce19326f1d8ae43728e83a4fde3964754a840f MD5: 0b40a95bf44c5447be2ee27badc2c665
M20-7dz01	Bifrost_4ba0db1b	Windows	This strike sends a malware sample known as Bifrost. This sample of malware is known as Bifrost. Bifrost is a backdoor that allows a remote attacker, who uses the client, to execute arbitrary code on the compromised machine. It contains standard Remote Access Trojan capabilities including a screenshots, camera monitoring, and keylogging.	4ba0db1bda5682f55701839e3185c622	https://blog.talosintelligence.com/2020/03/threat-roundup-0228-0306.html SHA256: a51c89aa132abce4937e32d57a2d9903e507a89a1c696767164d6a33ce3eb28e SHA1: d212c300cca8e047588de4825b7fe1289f0904fc MD5: 4ba0db1bda5682f55701839e3185c622
M20-7t901	Emotet_82edb0d5	Windows	This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails.	82edb0d5564d5ff232f94e77f86d0288	https://blog.talosintelligence.com/2020/03/threat-roundup-0228-0306.html SHA256: 6a1b89dc82ca6fe2944fb21d89e2e9cd50e18d7c102cef1986d9aebbb080b852 SHA1: 7078242ccaa1c82031bb27528d341dfa2ee0bb04 MD5: 82edb0d5564d5ff232f94e77f86d0288
M20-62901	Bifrost_c78cf5d0	Windows	This strike sends a malware sample known as Bifrost. This sample of malware is known as Bifrost. Bifrost is a backdoor that allows a remote attacker, who uses the client, to execute arbitrary code on the compromised machine. It contains standard Remote Access Trojan capabilities including a screenshots, camera monitoring, and keylogging.	c78cf5d06be12c87cff123eb4b822169	https://blog.talosintelligence.com/2020/03/threat-roundup-0228-0306.html SHA256: 68fa9c845333388e4f2f44aa79db05c0fc10c91ebcce819f6959feec7a3ccce3 SHA1: e9413fe5b2f33944e528029eb83d58422527b7a0 MD5: c78cf5d06be12c87cff123eb4b822169
M20-z9401	Bifrost_b96778a4	Windows	This strike sends a malware sample known as Bifrost. This sample of malware is known as Bifrost. Bifrost is a backdoor that allows a remote attacker, who uses the client, to execute arbitrary code on the compromised machine. It contains standard Remote Access Trojan capabilities including a screenshots, camera monitoring, and keylogging.	b96778a40be8d0fc61fce919f1031c5e	https://blog.talosintelligence.com/2020/03/threat-roundup-0228-0306.html SHA256: 9620adde046b1ad8291d817e5b06c7eaeda4b5db457e5c5541cfac83806c049d SHA1: 3da109884d8536e23e5d88799cda28803f6848eb MD5: b96778a40be8d0fc61fce919f1031c5e
M20-otn01	Emotet_703d90dc	Windows	This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails.	703d90dce7d53e0552d75845866194d3	https://blog.talosintelligence.com/2020/03/threat-roundup-0228-0306.html SHA256: 83605486c96943d2a8a30a40b43c38dc588e86a05a667842132d69c5a0d7cac1 SHA1: 3ba92de8452f4aa29e703cd2f2e4afabb8dfd3a8 MD5: 703d90dce7d53e0552d75845866194d3
M20-pmm01	Nymaim_93727065	Windows	This strike sends a malware sample known as Nymaim. Nymaim is malware that can be used to deliver ransomware and other malicious payloads. It uses a domain generation algorithm to generate potential command and control domains to connect to additional payloads.	93727065a00376b700671c8220332fd5	https://blog.talosintelligence.com/2020/03/threat-roundup-0306-0313.html SHA256: 69848c2d721dc6e96085bd8d2e7f0a9e9b34c5d00a9dbd71e5823272c55da027 SHA1: 52f4a581bd4a414f3694d2bfb344c5391d5b4150 MD5: 93727065a00376b700671c8220332fd5
M20-f1302	Nymaim_8a373095	Windows	This strike sends a malware sample known as Nymaim. Nymaim is malware that can be used to deliver ransomware and other malicious payloads. It uses a domain generation algorithm to generate potential command and control domains to connect to additional payloads.	8a3730954963028960fdf6ccec4e1042	https://blog.talosintelligence.com/2020/03/threat-roundup-0306-0313.html SHA256: 1dc86f9ff40d164a384ee34879dbe58ee1717f51e7316bac351cae3b60cbf509 SHA1: 96704b4fd10319d20d79cd55f4f4e563d45556ea MD5: 8a3730954963028960fdf6ccec4e1042
M20-4ih02	Vicious	Windows	This strike sends a malware sample known as Vicious Panda RTF. This malware sample is called Vicious Panda. This sample is a malicious RTF document that targets the Mongolian Public sector during the Coronavirus scare in 2020. These documents exploit Equation Editor vulnerabilities in Microsoft Word and were weaponized with the RoyalRoad tool.	0d28743f8cbae195a81e437720866965	https://research.checkpoint.com/2020/vicious-panda-the-covid-campaign/ SHA256: c51658ed15a09e9d8759c9fbf24665d6f0101a19a2a147e06d58571d05266d0a SHA1: dba2fa756263549948fac6935911c3e0d4d1fa1f MD5: 0d28743f8cbae195a81e437720866965
M20-mxq01	Gh0stRAT_4ee2394e	Windows	This strike sends a malware sample known as Gh0stRAT. Gh0stRAT is a well-known family of remote access trojans designed to provide an attacker with complete control over an infected system. Capabilities include monitoring keystrokes, collecting video footage from the webcam, and uploading/executing follow-on malware. The source code for Gh0stRAT has been publicly available on the Internet for years, significantly lowering the barrier for actors to modify and reuse the code in new attacks.	4ee2394ee048e55120e4ef742efa6f0a	https://blog.talosintelligence.com/2020/03/threat-roundup-0228-0306.html SHA256: ac0ad4dc0abc6563b1ed7dc14703d2b77dfc606cffe875776c1167a95d6faba8 SHA1: 28500d03b05aae5309a77643509da81c8b5b06f7 MD5: 4ee2394ee048e55120e4ef742efa6f0a
M20-2t301	Bifrost_de448e7b	Windows	This strike sends a malware sample known as Bifrost. This sample of malware is known as Bifrost. Bifrost is a backdoor that allows a remote attacker, who uses the client, to execute arbitrary code on the compromised machine. It contains standard Remote Access Trojan capabilities including a screenshots, camera monitoring, and keylogging.	de448e7b9120aa0c019615830fbc5b25	https://blog.talosintelligence.com/2020/03/threat-roundup-0228-0306.html SHA256: 61071881d3e077cbb87783faf73532e7dbca80c3252d1a398d96da0818dacc2a SHA1: a27ae5312bc497dfc36e870c73ede8ab49170d0f MD5: de448e7b9120aa0c019615830fbc5b25
M20-ezn01	Emotet_0af5ef5c	Windows	This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails.	0af5ef5caa8863951da486c051407d44	https://blog.talosintelligence.com/2020/03/threat-roundup-0228-0306.html SHA256: 1afd9903eb0ba0b06fd05672c52a361551848d94215cf4071a329c3cd2743634 SHA1: 15dc79d66e2edfad9bb1b93eeabdd2d54d0fcd26 MD5: 0af5ef5caa8863951da486c051407d44
M20-u9y01	Gh0stRAT_be698a37	Windows	This strike sends a malware sample known as Gh0stRAT. Gh0stRAT is a well-known family of remote access trojans designed to provide an attacker with complete control over an infected system. Capabilities include monitoring keystrokes, collecting video footage from the webcam, and uploading/executing follow-on malware. The source code for Gh0stRAT has been publicly available on the Internet for years, significantly lowering the barrier for actors to modify and reuse the code in new attacks.	be698a37a1507ac001134bd14c2acc75	https://blog.talosintelligence.com/2020/03/threat-roundup-0228-0306.html SHA256: 2737d0c8ab41b5bf6abf457fb940b7a4f8f90c7688600a4df87fbdb654623779 SHA1: 562a918a103f7b9695399267913359a545f74d83 MD5: be698a37a1507ac001134bd14c2acc75
M20-cbm01	Gh0stRAT_deefc13d	Windows	This strike sends a malware sample known as Gh0stRAT. Gh0stRAT is a well-known family of remote access trojans designed to provide an attacker with complete control over an infected system. Capabilities include monitoring keystrokes, collecting video footage from the webcam, and uploading/executing follow-on malware. The source code for Gh0stRAT has been publicly available on the Internet for years, significantly lowering the barrier for actors to modify and reuse the code in new attacks.	deefc13df22619da8eac771e6ca9b654	https://blog.talosintelligence.com/2020/03/threat-roundup-0228-0306.html SHA256: cc2f2e01b07ea319cf4d5953bcf96c2c58ec218a4d0090b968291977d2e5b5f3 SHA1: ccd67f8e257c8b40aeab4e651a5cb49382d93119 MD5: deefc13df22619da8eac771e6ca9b654
M20-wau01	Gh0stRAT_068918e4	Windows	This strike sends a malware sample known as Gh0stRAT. Gh0stRAT is a well-known family of remote access trojans designed to provide an attacker with complete control over an infected system. Capabilities include monitoring keystrokes, collecting video footage from the webcam, and uploading/executing follow-on malware. The source code for Gh0stRAT has been publicly available on the Internet for years, significantly lowering the barrier for actors to modify and reuse the code in new attacks.	068918e49533f2a6a2701cde644ad733	https://blog.talosintelligence.com/2020/03/threat-roundup-0228-0306.html SHA256: 60d7cae08475fb78cab77e09df43468cc0f6d2f01f847fc7582f56731672b0e8 SHA1: 9385421d82f4ba395778d53a4a43f985aa3e5821 MD5: 068918e49533f2a6a2701cde644ad733
M20-k4m01	Nymaim_0136a659	Windows	This strike sends a malware sample known as Nymaim. Nymaim is malware that can be used to deliver ransomware and other malicious payloads. It uses a domain generation algorithm to generate potential command and control domains to connect to additional payloads.	0136a6598c9c9fb036f059d125f9b72f	https://blog.talosintelligence.com/2020/03/threat-roundup-0306-0313.html SHA256: 4e7045fa64fc0de40a22f9bddbbe7f4f2b9ce531f17b009378c7b8eb26bd1a2f SHA1: d5626d76557a6c5b6dbb7cd1b5a73a3c557c3ea2 MD5: 0136a6598c9c9fb036f059d125f9b72f
M20-zgy01	Emotet_8b8279f1	Windows	This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails.	8b8279f1479cbf0088bc5b3744d544e4	https://blog.talosintelligence.com/2020/03/threat-roundup-0228-0306.html SHA256: bd2e823604e511efa9b864d6e40d93b8d1f38d600c4ae6302e19078bd4ff0d0f SHA1: c84d62e0a9a8131dad13d5138587b1d4ac540bce MD5: 8b8279f1479cbf0088bc5b3744d544e4
M20-bcl01	Ursu_226077c5	Windows	This strike sends a malware sample known as Ursu. This malware sample is known as Ursu. Ursu is a generic Windows malware that has numerous functions. Ursu infects victim machines via email and proceeds to contact C2 servers for additional functionality. It also injects itself into system processes and maintains persistence.	226077c51edb282c0e931a2b2fc93e23	https://blog.talosintelligence.com/2020/03/threat-roundup-0306-0313.html SHA256: 2a0cb867ebb8e219fd317f3602812b7e3d2b73aa10b52f434266379861709d09 SHA1: f134c6ef2a41913ffad53848c5f1d4fee89f986d MD5: 226077c51edb282c0e931a2b2fc93e23
M20-vjq01	Bifrost_5f8f6e54	Windows	This strike sends a malware sample known as Bifrost. This sample of malware is known as Bifrost. Bifrost is a backdoor that allows a remote attacker, who uses the client, to execute arbitrary code on the compromised machine. It contains standard Remote Access Trojan capabilities including a screenshots, camera monitoring, and keylogging.	5f8f6e546d9d99d0a8b2a6806dd4ab36	https://blog.talosintelligence.com/2020/03/threat-roundup-0228-0306.html SHA256: 76d71fad336a1082358567a0c5ef949bc4748397ab1258327673c316e1820c84 SHA1: 10632bcaf432a420ba52c55d49f1a08e6e20d542 MD5: 5f8f6e546d9d99d0a8b2a6806dd4ab36
M20-lx101	Gh0stRAT_912679e6	Windows	This strike sends a malware sample known as Gh0stRAT. Gh0stRAT is a well-known family of remote access trojans designed to provide an attacker with complete control over an infected system. Capabilities include monitoring keystrokes, collecting video footage from the webcam, and uploading/executing follow-on malware. The source code for Gh0stRAT has been publicly available on the Internet for years, significantly lowering the barrier for actors to modify and reuse the code in new attacks.	912679e6392160670e8a4735fb9aa963	https://blog.talosintelligence.com/2020/03/threat-roundup-0228-0306.html SHA256: fede423fee4e77f708b95fb3e6efc2262e333fc295b1576f7f5b3163b053b565 SHA1: 89c4dc009f53a9860a0fb0fb255b66359a31320f MD5: 912679e6392160670e8a4735fb9aa963
M20-3yg01	Bifrost_40d5eb51	Windows	This strike sends a malware sample known as Bifrost. This sample of malware is known as Bifrost. Bifrost is a backdoor that allows a remote attacker, who uses the client, to execute arbitrary code on the compromised machine. It contains standard Remote Access Trojan capabilities including a screenshots, camera monitoring, and keylogging.	40d5eb51034891b9a55de0eb297789db	https://blog.talosintelligence.com/2020/03/threat-roundup-0228-0306.html SHA256: 4d94d1641c75b880e31dbb5948c8727f82858c56480a8ed1832bedebc0cceb1a SHA1: c4db8e6f64a78f42042d3597b3bdb73c390505c6 MD5: 40d5eb51034891b9a55de0eb297789db
M20-cg701	Nymaim_0d3cbed5	Windows	This strike sends a malware sample known as Nymaim. Nymaim is malware that can be used to deliver ransomware and other malicious payloads. It uses a domain generation algorithm to generate potential command and control domains to connect to additional payloads.	0d3cbed59772b9c36ce0ea8968a0e9a5	https://blog.talosintelligence.com/2020/03/threat-roundup-0306-0313.html SHA256: 4da003af544afeb34668f0a1343632a7953a6219ff2ad62b8d391e1b4bb305db SHA1: 3107c824808dc30b7d0118340a6e2cccec5b2795 MD5: 0d3cbed59772b9c36ce0ea8968a0e9a5
M20-6v601	Vicious	Windows	This strike sends a malware sample known as Vicious Panda Loader DLL. This malware sample is called Vicious Panda. This malicious sample targets the Mongolian Public sector during the Coronavirus scare in 2020. This DLL file serves as the main loader of the malware framework in the infection chain that communicates with the C2 framework to gather additional functionality.	9de7863f2fab2296dda74d1bf838e620	https://research.checkpoint.com/2020/vicious-panda-the-covid-campaign/ SHA256: 3c756d761e89a0ea1216e2b7e57250ac76a80d5fe4f072e3b4b372e609ece74e SHA1: 2e50c075343ab20228a8c0c094722bbff71c4a2a MD5: 9de7863f2fab2296dda74d1bf838e620
M20-76u01	Vicious	Windows	This strike sends a malware sample known as Vicious Panda Loader DLL. This malware sample is called Vicious Panda. This malicious sample targets the Mongolian Public sector during the Coronavirus scare in 2020. This DLL file serves as the main loader of the malware framework in the infection chain that communicates with the C2 framework to gather additional functionality.	4a13d87f18af155998308590e3a488e6	https://research.checkpoint.com/2020/vicious-panda-the-covid-campaign/ SHA256: c322d10ef3aa532d4625f1c2589eae0f723208db37a7c7e81e4f07e36c3a537e SHA1: 9eda00aae384b2f9509fa48945ae820903912a90 MD5: 4a13d87f18af155998308590e3a488e6
M20-e9x01	Bifrost_f050335e	Windows	This strike sends a malware sample known as Bifrost. This sample of malware is known as Bifrost. Bifrost is a backdoor that allows a remote attacker, who uses the client, to execute arbitrary code on the compromised machine. It contains standard Remote Access Trojan capabilities including a screenshots, camera monitoring, and keylogging.	f050335e496f2ac41ee588055926c947	https://blog.talosintelligence.com/2020/03/threat-roundup-0228-0306.html SHA256: 54b54ca691dde91cf1f3e1db60eea375ea280d100dc6a5f5ea1c3b39cc4ef7f1 SHA1: 974bf9b0361ad7f8b13716538b6469ed5e305cfc MD5: f050335e496f2ac41ee588055926c947
M20-nx201	Gh0stRAT_2526c279	Windows	This strike sends a malware sample known as Gh0stRAT. Gh0stRAT is a well-known family of remote access trojans designed to provide an attacker with complete control over an infected system. Capabilities include monitoring keystrokes, collecting video footage from the webcam, and uploading/executing follow-on malware. The source code for Gh0stRAT has been publicly available on the Internet for years, significantly lowering the barrier for actors to modify and reuse the code in new attacks.	2526c279cd5b94a84e59b805202b4dde	https://blog.talosintelligence.com/2020/03/threat-roundup-0228-0306.html SHA256: a9722843aa8d6b1b5a5e5400556c57b9cc31bf5a216bb5b458ce9241e818469d SHA1: 6565fe50a0d7c2ebdfce413b3ddde1249188ff80 MD5: 2526c279cd5b94a84e59b805202b4dde
M20-qwp01	Bifrost_111d32c0	Windows	This strike sends a malware sample known as Bifrost. This sample of malware is known as Bifrost. Bifrost is a backdoor that allows a remote attacker, who uses the client, to execute arbitrary code on the compromised machine. It contains standard Remote Access Trojan capabilities including a screenshots, camera monitoring, and keylogging.	111d32c0cf412cf8813c86e1a9cb23d6	https://blog.talosintelligence.com/2020/03/threat-roundup-0228-0306.html SHA256: 3ee1fa6daec1659e53d238dda830f6c344f65b32ea3c90c9b441a92b5d4b8b78 SHA1: 10b47b7bdd4f06f904301c6347c37e1779e7e97a MD5: 111d32c0cf412cf8813c86e1a9cb23d6
M20-69601	Nymaim_e0144664	Windows	This strike sends a malware sample known as Nymaim. Nymaim is malware that can be used to deliver ransomware and other malicious payloads. It uses a domain generation algorithm to generate potential command and control domains to connect to additional payloads.	e0144664089ddb02d4dbea84c5f76db9	https://blog.talosintelligence.com/2020/03/threat-roundup-0306-0313.html SHA256: 7560cadc3a05dc897e5d6e512a35325cad6142458cbab6bb4d2b5ba0387bbd4f SHA1: 9c74873ee5cf1e5ce14cc121911355ca14239dce MD5: e0144664089ddb02d4dbea84c5f76db9
M20-jbd01	Nymaim_0871c919	Windows	This strike sends a malware sample known as Nymaim. Nymaim is malware that can be used to deliver ransomware and other malicious payloads. It uses a domain generation algorithm to generate potential command and control domains to connect to additional payloads.	0871c919a63df7fc1bb1778de0821116	https://blog.talosintelligence.com/2020/03/threat-roundup-0306-0313.html SHA256: 043ae03261bd31cf86ca5c6c1910e4436d4b9f82e1bcecb8039d326ca271393b SHA1: d04bb3fd80aa4586fed743e70ea2389b7a691607 MD5: 0871c919a63df7fc1bb1778de0821116
M20-u4z01	Ursu_fa8f1bd1	Windows	This strike sends a malware sample known as Ursu. This malware sample is known as Ursu. Ursu is a generic Windows malware that has numerous functions. Ursu infects victim machines via email and proceeds to contact C2 servers for additional functionality. It also injects itself into system processes and maintains persistence.	fa8f1bd185cac293a7fdccedc93474d0	https://blog.talosintelligence.com/2020/03/threat-roundup-0306-0313.html SHA256: 6f9126661fc692a55b8a1511d90646b550f0dd4d083c06cb1d8759516ce0e80f SHA1: cb058fcdd0a104fa326de49fef97fbe8e6d185ff MD5: fa8f1bd185cac293a7fdccedc93474d0
M20-mf102	Ursu_5fea01fd	Windows	This strike sends a malware sample known as Ursu. This malware sample is known as Ursu. Ursu is a generic Windows malware that has numerous functions. Ursu infects victim machines via email and proceeds to contact C2 servers for additional functionality. It also injects itself into system processes and maintains persistence.	5fea01fd8854981a4987d3cd41b10abe	https://blog.talosintelligence.com/2020/03/threat-roundup-0306-0313.html SHA256: 373f0152bfa9d4489b824883dbb7d33d9d3df334400f7c235afe83e0268db0d6 SHA1: fc460f35d05df0d04813bd371fa99a5420e6c08d MD5: 5fea01fd8854981a4987d3cd41b10abe
M20-uu401	Emotet_a79d06f4	Windows	This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails.	a79d06f447ed7cbe693dbc05ff07d50d	https://blog.talosintelligence.com/2020/03/threat-roundup-0228-0306.html SHA256: 96d43323599a68012b79990a2d2b861f6266a7c48ae3409f6f92aee912cb6fd4 SHA1: 8782dc3b30bb02c3248018898f6a1b389ffe7df5 MD5: a79d06f447ed7cbe693dbc05ff07d50d
M20-zlm02	Netwalker_0fdfcd7b	Windows	This strike sends a polymorphic malware sample known as Netwalker. Netwalker, also known as Mailto is Ransomware that encrypts Windows files on the compromised enterprise networks with the mailto extension. This sample emulates the Sticky Password software.The binary has a new section added in the PE file format with random contents.	0fdfcd7b16477533c26cdd6bf4f2933e	https://arxiv.org/abs/1801.08917 SHA256: 5868cac872e7bfdaa8d22e14350f3117b383b63835796c8ffad56db639fed982 SHA1: f6e53e8fc94caf96a82543aee26712840f7d9a2a MD5: 0fdfcd7b16477533c26cdd6bf4f2933e PARENTID: M20-tt001 SSDEEP: 3072:1uJ99SJdnwT3EPBWEGyc9RdxZEZExFWBhdgQVNC:1jJq3EJWEA9VyZiFadZVN
M20-42j01	Emotet_549f1a5b	Windows	This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails.	549f1a5b06a18e67e2e7ecde49cb8dc3	https://blog.talosintelligence.com/2020/03/threat-roundup-0228-0306.html SHA256: 77110ce382c087ef3b89f354e0ff2362da40500c425e97e34c2e297d8ce83970 SHA1: 7f9e1aba26b6c84b70f6573ae5c67dfb6f1537ff MD5: 549f1a5b06a18e67e2e7ecde49cb8dc3
M20-fku01	Ursu_9114084a	Windows	This strike sends a malware sample known as Ursu. This malware sample is known as Ursu. Ursu is a generic Windows malware that has numerous functions. Ursu infects victim machines via email and proceeds to contact C2 servers for additional functionality. It also injects itself into system processes and maintains persistence.	9114084a85d94d9dbee710a2a955db5a	https://blog.talosintelligence.com/2020/03/threat-roundup-0306-0313.html SHA256: 1c54ab51ea01e775972504739fe8d1a6af74c3c342027a0f731f66cf3d63e01d SHA1: ee348df7cd93e18d007e477027a1060ad9c4bce7 MD5: 9114084a85d94d9dbee710a2a955db5a
M20-ttf01	Ursu_160d56ab	Windows	This strike sends a malware sample known as Ursu. This malware sample is known as Ursu. Ursu is a generic Windows malware that has numerous functions. Ursu infects victim machines via email and proceeds to contact C2 servers for additional functionality. It also injects itself into system processes and maintains persistence.	160d56ab1870bad747bf091562dbf79f	https://blog.talosintelligence.com/2020/03/threat-roundup-0306-0313.html SHA256: 95e153e75af1f9fcf7d255863b5ce7aa77536e5a4d4b007f594c2ea47a39e7a1 SHA1: fcaa02fb736fac6bb6edacc545cabfc98e56689b MD5: 160d56ab1870bad747bf091562dbf79f
M20-xcb01	Bifrost_c6e3ce13	Windows	This strike sends a malware sample known as Bifrost. This sample of malware is known as Bifrost. Bifrost is a backdoor that allows a remote attacker, who uses the client, to execute arbitrary code on the compromised machine. It contains standard Remote Access Trojan capabilities including a screenshots, camera monitoring, and keylogging.	c6e3ce135c02408352fd180dde836294	https://blog.talosintelligence.com/2020/03/threat-roundup-0228-0306.html SHA256: 83f1bd6ff8de246bdf3b8e5a7549f26eed7a5dbcce9156ca12601ff7f7b0db55 SHA1: 3a06681229675f58bf8c03d838c9e8ea4385d46d MD5: c6e3ce135c02408352fd180dde836294
M20-1ux01	Vicious	Windows	This strike sends a malware sample known as Vicious Panda RTF. This malware sample is called Vicious Panda. This sample is a malicious RTF document that targets the Mongolian Public sector during the Coronavirus scare in 2020. These documents exploit Equation Editor vulnerabilities in Microsoft Word and were weaponized with the RoyalRoad tool.	7c986cfdf3fa28f560f2c63801424e1a	https://research.checkpoint.com/2020/vicious-panda-the-covid-campaign/ SHA256: ddb24e0a38ba9194fe299e351e54facb2cca9e6011db2f5242210284df91f900 SHA1: d7f69f7bd7fc96d842fcac054e8768fd1ecaa88a MD5: 7c986cfdf3fa28f560f2c63801424e1a
M20-zlm09	Emotet_279ed417	Windows	This strike sends a polymorphic malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails.The binary has a new section added in the PE file format with random contents.	279ed417cd84fa10068d5f77e2a30215	https://arxiv.org/abs/1801.08917 SHA256: a0285bb9eba14159b31c119cde7e629dedf34f2e0fd4c62d67a8dddcbadc81be SHA1: de3f36ea16471d9b48bf10fffdc0f670540ce19c MD5: 279ed417cd84fa10068d5f77e2a30215 PARENTID: M20-c5n01 SSDEEP: 6144:upRRcuzo+xna3R6RpognmeeQ4tlw/hLDww8A:+RLzo6URXCehtlw/5U
M20-ekt01	Vicious	Windows	This strike sends a malware sample known as Vicious Panda Loader DLL. This malware sample is called Vicious Panda. This malicious sample targets the Mongolian Public sector during the Coronavirus scare in 2020. This DLL file serves as the main loader of the malware framework in the infection chain that communicates with the C2 framework to gather additional functionality.	d744b176835cd0093ee54a687eb80f3a	https://research.checkpoint.com/2020/vicious-panda-the-covid-campaign/ SHA256: 69724a9bd8033bd16647bc9aea41d5fe9fb7f7a83c5d6fbfb439d21b7b9f53f6 SHA1: b942e1d1a0b5f0e66da3aa9bbd0fb46b8e16d71d MD5: d744b176835cd0093ee54a687eb80f3a