M20-ybm01 | Cerber_58fcc751 | Windows |
This strike sends a malware sample known as Cerber. Cerber is ransomware that encrypts documents, photos, databases and other important files using the file extension ".cerber. | 58fcc751acce8ded997a7d2348e8a29b | https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.htmlSHA256: 0de40a567ebe34116450658eef3d6a81bf8fa350aa3b6a808f236a603202aa13SHA1: 0dc33a22227214fb816d0c6fb4d5b1c8efdaf0f7MD5: 58fcc751acce8ded997a7d2348e8a29b |
M20-wea01 | Chthonic_f2e342f0 | Windows |
This strike sends a malware sample known as Chthonic. Chthonic is a banking trojan that is normally delivered by the attacker via phishing emails. Its purpose is to exfiltrate sensitive credentials from the victim machine, and has also been seen delivering other malware like AZORult to perform additional functionality. | f2e342f039eca55972cfa02b3564091f | https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.htmlSHA256: 7c9f6e39190124804994315278d5451dc80f0c59994778d7c1ee22d2f6903021SHA1: 8f89731df7d712435765e3cb4a44b93eba0d93d5MD5: f2e342f039eca55972cfa02b3564091f |
M20-mrh01 | Cerber_bcf1716e | Windows |
This strike sends a malware sample known as Cerber. Cerber is ransomware that encrypts documents, photos, databases and other important files using the file extension ".cerber. | bcf1716e2a2e75529bbf4de69b1159c2 | https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.htmlSHA256: 15c5d4adfd697ea53278ad1cdc1128cbc96b808071fe06b8f5fdcbe847cd5fe5SHA1: e506a27a5af061b47918810cd1e081cbe31a7187MD5: bcf1716e2a2e75529bbf4de69b1159c2 |
M20-mge01 | GenericKidz_433e70f1 | Windows |
This strike sends a malware sample known as GenericKidz. GenericKidz is a Delphi application that installs the Hawkeye spyware. It utilizes the Windows Autostart registry key to achieve persistence upon a system reboot. | 433e70f1e417b54f3991c5480ba49629 | https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.htmlSHA256: 0c9ca5ead3a092e8c36983821e2059b6107906467e3d74095780da026e53e1d5SHA1: c873cf6a7b717166cb2b8ea17b909ccdb783d00bMD5: 433e70f1e417b54f3991c5480ba49629 |
M20-7z801 | Ragnar | Windows |
This strike sends a polymorphic malware sample known as Ragnar Locker. Ragnar Locker is a ransomware that encrypts infected systems and demands a bitcoin ransom in order to decrypt the data. It infects these systems through unsecured RDP connections, and then uses MSP tools to push Powershell scripts to all available endpoints. Next these scripts will download a payload from Pastebin, that executes the ransomware.The binary has random bytes appended at the end of the file. | 1e9104a4d587cd8483cda90b234a3780 | https://attack.mitre.org/techniques/T1009/SHA256: 5245f57c0cb21998d52b980fb326fd3ce73699772d85f7da0492d61fe7daced5SHA1: 5528f8b16ae06f546e28a5f99d0a796481fd6f55PARENTID: M20-kcc01SSDEEP: 768:BpBsvKMNyoq65co7Bjd/3oqab0k3R2pXlj+BnkP7Z:BpPM4o4qFoqaXC+6NMD5: 1e9104a4d587cd8483cda90b234a3780 |
M20-oud01 | Cerber_a6775e17 | Windows |
This strike sends a malware sample known as Cerber. Cerber is ransomware that encrypts documents, photos, databases and other important files using the file extension ".cerber. | a6775e1725ee8b2ef02576bff56f2098 | https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.htmlSHA256: 07265644f5a634d235c9c33eef1deaca73689d5d8123bfb22b31a662cc9e2643SHA1: 2aa77bc40bbafb4c0815d7e98b4aaf8e2c259f9cMD5: a6775e1725ee8b2ef02576bff56f2098 |
M20-76o01 | Chthonic_4491185a | Windows |
This strike sends a malware sample known as Chthonic. Chthonic is a banking trojan that is normally delivered by the attacker via phishing emails. Its purpose is to exfiltrate sensitive credentials from the victim machine, and has also been seen delivering other malware like AZORult to perform additional functionality. | 4491185a608e1b581122f1f2ff31f80b | https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.htmlSHA256: 3c86595e1e7c456c182e0093475c5fce6656b44899ef23dff1badfa87a161468SHA1: 4ca6b3c39c097b89e4e95dff5f21e0e039eea13dMD5: 4491185a608e1b581122f1f2ff31f80b |
M20-gd301 | Ragnar | Windows |
This strike sends a malware sample known as Ragnar Locker. This malware is known as Ragnar Locker. Ragnar Locker is a ransomware that encrypts infected systems and demands a bitcoin ransom in order to decrypt the data. It infects these systems through unsecured RDP connections, and then uses MSP tools to push Powershell scripts to all available endpoints. Next these scripts will download a payload from Pastebin, that executes the ransomware. | f7c48ee1f3ee1b18d255ad98703a5896 | https://www.deepinstinct.com/2020/04/27/ragnar-locker-ransomware-unlocked-by-deep-instinct/SHA256: c2bd70495630ed8279de0713a010e5e55f3da29323b59ef71401b12942ba52f6SHA1: 7c3a082237504d3bf36e47b986e02e014a2b8abcMD5: f7c48ee1f3ee1b18d255ad98703a5896 |
M20-6kb01 | Maze_064058cf | Windows |
This strike sends a malware sample known as Maze. Maze malware also known as ChaCha ransomware is known for not only encrypting files on the targeted system but for releasing stolen victim information to the public if the ransom is not paid. The ransomware has been delivered via several methods including exploits kits, remote desktop connections and phishing emails. This malware also utilizes many anti reversing and analysis features that make examining it much more difficult. | 064058cf092063a5b69ed8fd2a1a04fe | https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ransomware-maze/SHA256: 24da3ccf131b8236d3c4a8cc29482709531232ef9c9cba38266b908439dea063SHA1: 92b44e52f13bcb097f412a6a61bdc46ac19584c6MD5: 064058cf092063a5b69ed8fd2a1a04fe |
M20-q5e01 | GenericKidz_47d43093 | Windows |
This strike sends a malware sample known as GenericKidz. GenericKidz is a Delphi application that installs the Hawkeye spyware. It utilizes the Windows Autostart registry key to achieve persistence upon a system reboot. | 47d430933b20724e741367fbc471ef4c | https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.htmlSHA256: 23af63321f9d1c310c14cc894f301d4c7dcb33fd06d4de84f2b3c8422fb83c06SHA1: 41537f088cdbd42e0b3d5e8c6613f1ca60c66336MD5: 47d430933b20724e741367fbc471ef4c |
M20-4m201 | Chthonic_f8b7320b | Windows |
This strike sends a polymorphic malware sample known as Chthonic. Chthonic is a banking trojan that is normally delivered by the attacker via phishing emails. Its purpose is to exfiltrate sensitive credentials from the victim machine, and has also been seen delivering other malware like AZORult to perform additional functionality.The binary has been packed using upx packer, with the default options. | f8b7320bd389415d399e4ea8a30af167 | https://attack.mitre.org/techniques/T1045/SHA256: 5cb82d40e5b47c2396319700877f43a9f2fee3b6e68330cf4e12a786d96e526aSHA1: 73875a6320d05d26b1dd4caf7c16b932821c898aPARENTID: M20-wea01SSDEEP: 3072:rhRPp1xigEkAJiUM9x5SAlYSzYrJTbCbK2jO8POnAWENw:rhJxisATM9x09iYrJTbCm2qE/WENwMD5: f8b7320bd389415d399e4ea8a30af167 |
M20-4jj01 | GenericKidz_4cc4db0e | Windows |
This strike sends a malware sample known as GenericKidz. GenericKidz is a Delphi application that installs the Hawkeye spyware. It utilizes the Windows Autostart registry key to achieve persistence upon a system reboot. | 4cc4db0ea7cbf30b9401edbda75fcd55 | https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.htmlSHA256: 1e0654a998adda2207a909a02f5f89e039ebbf107b16d77a6148f3caf23f07cdSHA1: 33c1d65f89dab800c20deb41cdb931daa6b1f7e3MD5: 4cc4db0ea7cbf30b9401edbda75fcd55 |
M20-f3k01 | Chthonic_aab84bb8 | Windows |
This strike sends a malware sample known as Chthonic. Chthonic is a banking trojan that is normally delivered by the attacker via phishing emails. Its purpose is to exfiltrate sensitive credentials from the victim machine, and has also been seen delivering other malware like AZORult to perform additional functionality. | aab84bb852fafd609314abe64403d04c | https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.htmlSHA256: 73dbdd15d5aeba77d61b723e1f8eafc2b161679c61ca1aeb3de9e397faafcb6dSHA1: 2b28cd85d19b7b7cc63bfa999a14b3001434d64fMD5: aab84bb852fafd609314abe64403d04c |
M20-rr801 | Maze_80043a5b | Mixed |
This strike sends a malware sample known as Maze. Maze malware also known as ChaCha ransomware is known for not only encrypting files on the targeted system but for releasing stolen victim information to the public if the ransom is not paid. The ransomware has been delivered via several methods including exploits kits, remote desktop connections and phishing emails. This malware also utilizes many anti reversing and analysis features that make examining it much more difficult. | 80043a5b285da88fb63d469243655751 | https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ransomware-maze/SHA256: 44991186a56b0d86581f2b9cc915e3af426a322d5c4f43a984e6ea38b81b7bedSHA1: 434e02e197cf7352ef01a8e44f1a64e0a49cd66eMD5: 80043a5b285da88fb63d469243655751 |
M20-yhz01 | Maze_f04d404d | Windows |
This strike sends a malware sample known as Maze. Maze malware also known as ChaCha ransomware is known for not only encrypting files on the targeted system but for releasing stolen victim information to the public if the ransom is not paid. The ransomware has been delivered via several methods including exploits kits, remote desktop connections and phishing emails. This malware also utilizes many anti reversing and analysis features that make examining it much more difficult. | f04d404d84be66e64a584d425844b926 | https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ransomware-maze/SHA256: 5603a16cbf81d183d3ff4ffea5477af1a4be01321865f0978c0e128051ec0a82SHA1: 34584e01a7208b6aa150cccd5d855ec37fd129eaMD5: f04d404d84be66e64a584d425844b926 |
M20-yry01 | Maze_ad30987a | Mixed |
This strike sends a malware sample known as Maze. Maze malware also known as ChaCha ransomware is known for not only encrypting files on the targeted system but for releasing stolen victim information to the public if the ransom is not paid. The ransomware has been delivered via several methods including exploits kits, remote desktop connections and phishing emails. This malware also utilizes many anti reversing and analysis features that make examining it much more difficult. | ad30987a53b1b0264d806805ce1a2561 | https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ransomware-maze/SHA256: 9f2139cc7c3fad7f133c26015ed3310981de26d7f1481355806f430f9c97e639SHA1: e7da9cac8fc6a30c2879ddb1ab97422e59979591MD5: ad30987a53b1b0264d806805ce1a2561 |
M20-1uc01 | Maze_d2dda72f | Windows |
This strike sends a malware sample known as Maze. Maze malware also known as ChaCha ransomware is known for not only encrypting files on the targeted system but for releasing stolen victim information to the public if the ransom is not paid. The ransomware has been delivered via several methods including exploits kits, remote desktop connections and phishing emails. This malware also utilizes many anti reversing and analysis features that make examining it much more difficult. | d2dda72ff2fbbb89bd871c5fc21ee96a | https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ransomware-maze/SHA256: ecd04ebbb3df053ce4efa2b73912fd4d086d1720f9b410235ee9c1e529ea52a2SHA1: 7c928fdd5954ba9da5788453ce43a0ff440bf281MD5: d2dda72ff2fbbb89bd871c5fc21ee96a |
M20-4qg01 | GenericKidz_4110f169 | Windows |
This strike sends a malware sample known as GenericKidz. GenericKidz is a Delphi application that installs the Hawkeye spyware. It utilizes the Windows Autostart registry key to achieve persistence upon a system reboot. | 4110f169b8e3525a0dec5faa7086d171 | https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.htmlSHA256: c07aa81c90d9e55f10cbc16f268b12cd1f2c2e4e65942221169398238b70ccb7SHA1: ad287121e708355b1e37b0b3f5fa6b81fc31a1a3MD5: 4110f169b8e3525a0dec5faa7086d171 |
M20-fds01 | Maze_ef95c48e | Windows |
This strike sends a malware sample known as Maze. Maze malware also known as ChaCha ransomware is known for not only encrypting files on the targeted system but for releasing stolen victim information to the public if the ransom is not paid. The ransomware has been delivered via several methods including exploits kits, remote desktop connections and phishing emails. This malware also utilizes many anti reversing and analysis features that make examining it much more difficult. | ef95c48e750c1a3b1af8f5446fa04f54 | https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ransomware-maze/SHA256: 22ccc6a9a8834e08f190486524fb86b177f332b5835f4bd75f31b4b667271bb0SHA1: 8ea5950ffefa2b7193a40682513e80a28d743175MD5: ef95c48e750c1a3b1af8f5446fa04f54 |
M20-25501 | Chthonic_8a4e14ed | Windows |
This strike sends a malware sample known as Chthonic. Chthonic is a banking trojan that is normally delivered by the attacker via phishing emails. Its purpose is to exfiltrate sensitive credentials from the victim machine, and has also been seen delivering other malware like AZORult to perform additional functionality. | 8a4e14ed621b815a3233071ed247918a | https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.htmlSHA256: 58962d2b0dbb2d469a15ce8fb8695014c733c750d0a61ada0595189d64c769c0SHA1: 89ca538592113e753b6108cd791dc31a7efa7df7MD5: 8a4e14ed621b815a3233071ed247918a |
M20-hfw01 | Ragnar | Windows |
This strike sends a malware sample known as Ragnar Locker. This malware is known as Ragnar Locker. Ragnar Locker is a ransomware that encrypts infected systems and demands a bitcoin ransom in order to decrypt the data. It infects these systems through unsecured RDP connections, and then uses MSP tools to push Powershell scripts to all available endpoints. Next these scripts will download a payload from Pastebin, that executes the ransomware. | 77e84f1baf2b6d0dba6ad7169dab07ad | https://www.deepinstinct.com/2020/04/27/ragnar-locker-ransomware-unlocked-by-deep-instinct/SHA256: 1472f5f559f90988f886d515f6d6c52e5d30283141ee2f13f92f7e1f7e6b8e9eSHA1: 5938b9900e0c1978802319dc1cbababd70abf597MD5: 77e84f1baf2b6d0dba6ad7169dab07ad |
M20-nbe01 | Chthonic_01c6db88 | Windows |
This strike sends a malware sample known as Chthonic. Chthonic is a banking trojan that is normally delivered by the attacker via phishing emails. Its purpose is to exfiltrate sensitive credentials from the victim machine, and has also been seen delivering other malware like AZORult to perform additional functionality. | 01c6db88b0aa86533073836d1bd8cf04 | https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.htmlSHA256: 4d2c216c4ba2cec5e28324fbffc77479db4321862ef98fc2f6edbfa11c91b4beSHA1: 6be70b68b7af98d0d955e629d0bff83b153b0505MD5: 01c6db88b0aa86533073836d1bd8cf04 |
M20-o5001 | Cerber_9379c0cd | Windows |
This strike sends a malware sample known as Cerber. Cerber is ransomware that encrypts documents, photos, databases and other important files using the file extension ".cerber. | 9379c0cd8e0b04c9326e9276be77e280 | https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.htmlSHA256: 1abc5f123d1e92a151c9ffecd863cfaeaec589a4cb21c28b7667f9e6e62e2b21SHA1: a068cfb5165e5a8b81e7a674a82ed6226c9adc8eMD5: 9379c0cd8e0b04c9326e9276be77e280 |
M20-17d01 | Chthonic_1d4738a3 | Windows |
This strike sends a malware sample known as Chthonic. Chthonic is a banking trojan that is normally delivered by the attacker via phishing emails. Its purpose is to exfiltrate sensitive credentials from the victim machine, and has also been seen delivering other malware like AZORult to perform additional functionality. | 1d4738a31855c758963b3e4d8e192c2d | https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.htmlSHA256: 3780f9d56d95218a3a1e526c05aaf127d22d14093ee06bcf7fc9e3b78f87253eSHA1: f4006455e06ab52e3b5dd328726c9a6d3cef0d86MD5: 1d4738a31855c758963b3e4d8e192c2d |
M20-wvh01 | GenericKidz_962468eb | Windows |
This strike sends a malware sample known as GenericKidz. GenericKidz is a Delphi application that installs the Hawkeye spyware. It utilizes the Windows Autostart registry key to achieve persistence upon a system reboot. | 962468eb7478581b08ac99444ab951ea | https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.htmlSHA256: 4044a3631fdbc686898028995532444f662d0a78be5a530d226239782445b4d8SHA1: b4370cef329747da2d266002c84491abf8364d1fMD5: 962468eb7478581b08ac99444ab951ea |
M20-jj001 | Maze_02c0ba2a | Windows |
This strike sends a malware sample known as Maze. Maze malware also known as ChaCha ransomware is known for not only encrypting files on the targeted system but for releasing stolen victim information to the public if the ransom is not paid. The ransomware has been delivered via several methods including exploits kits, remote desktop connections and phishing emails. This malware also utilizes many anti reversing and analysis features that make examining it much more difficult. | 02c0ba2a97617497e7089bb900ffdc0c | https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ransomware-maze/SHA256: 04d006f5c8498cc5a987a5c9379a0a117342d654d639fbf19fb8e050e85abb7dSHA1: bb684e83eb3740cde6afa61cb926ce2bf4d0be7aMD5: 02c0ba2a97617497e7089bb900ffdc0c |
M20-umd01 | Maze_53d5bdc6 | Mixed |
This strike sends a malware sample known as Maze. Maze malware also known as ChaCha ransomware is known for not only encrypting files on the targeted system but for releasing stolen victim information to the public if the ransom is not paid. The ransomware has been delivered via several methods including exploits kits, remote desktop connections and phishing emails. This malware also utilizes many anti reversing and analysis features that make examining it much more difficult. | 53d5bdc6bd7904b44078cf80e239d42b | https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ransomware-maze/SHA256: cfd8e3a47036c4eeeb318117c0c23e126aea95d1774dae37d5b6c3de02bdfc2aSHA1: 761910e01ca991434775bcbe40b56c2aa1fff029MD5: 53d5bdc6bd7904b44078cf80e239d42b |
M20-rug01 | Chthonic_fb6acc3d | Windows |
This strike sends a malware sample known as Chthonic. Chthonic is a banking trojan that is normally delivered by the attacker via phishing emails. Its purpose is to exfiltrate sensitive credentials from the victim machine, and has also been seen delivering other malware like AZORult to perform additional functionality. | fb6acc3da250c5db470492f2790dc221 | https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.htmlSHA256: 311ce91b0bacedf64d500efe57c919eef18865107d73420bc59967d121077cc8SHA1: d514cfd7b0ff5221d12091a0810e78e4be245ba4MD5: fb6acc3da250c5db470492f2790dc221 |
M20-1os01 | Cerber_1295a615 | Windows |
This strike sends a malware sample known as Cerber. Cerber is ransomware that encrypts documents, photos, databases and other important files using the file extension ".cerber. | 1295a61551be8bb3fabd9403889eaac9 | https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.htmlSHA256: 064579ef28c82acb6935b75fe3a2408b354a0d4d9004d3beb444045fb8ba1b9dSHA1: efd2175c782b5de133be6f7cb7245c60acd76016MD5: 1295a61551be8bb3fabd9403889eaac9 |
M20-3re01 | GenericKidz_988cd895 | Windows |
This strike sends a malware sample known as GenericKidz. GenericKidz is a Delphi application that installs the Hawkeye spyware. It utilizes the Windows Autostart registry key to achieve persistence upon a system reboot. | 988cd895960f21183c83c298c4bb007c | https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.htmlSHA256: 47bf9eeb164237e0fc322125052d65783fa809bd804c8a9dbd6b4db210b24f92SHA1: 4d468ea149bbe886b2602f2234e091cd2813665eMD5: 988cd895960f21183c83c298c4bb007c |
M20-vc901 | Maze_ee26e337 | Mixed |
This strike sends a malware sample known as Maze. Maze malware also known as ChaCha ransomware is known for not only encrypting files on the targeted system but for releasing stolen victim information to the public if the ransom is not paid. The ransomware has been delivered via several methods including exploits kits, remote desktop connections and phishing emails. This malware also utilizes many anti reversing and analysis features that make examining it much more difficult. | ee26e33725b14850b1776a67bd8f2d0a | https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ransomware-maze/SHA256: d617fd4b2d0824e1a7eb9693c6ec6e71447d501d24653a8e99face12136491a8SHA1: 7e4b1fd3a82448e9dd3422487aa8d2488f95bf26MD5: ee26e33725b14850b1776a67bd8f2d0a |
M20-m4t01 | Cerber_177b8bca | Windows |
This strike sends a polymorphic malware sample known as Cerber. Cerber is ransomware that encrypts documents, photos, databases and other important files using the file extension ".cerber".The binary file has one more imports added in the import table. | 177b8bcaa38f1fc024b2b02203ce3278 | https://arxiv.org/abs/1702.05983SHA256: 9b8c28c7bd3d3c643a9f56d7f9e8cd6b277cb42f75471ebabd12136a92d70be2SHA1: e9a21d3a8a0e65c380f2d9540f31af00e5139339PARENTID: M20-qcm01SSDEEP: 6144:aPvsAaRn+h+/qM5gEZGmJ4swsCTUrHvHP/jvHbfbUsRtwI5Mg8QC1N1e:uGRn+4d57ZGy4D32wcMgileMD5: 177b8bcaa38f1fc024b2b02203ce3278 |
M20-yqt01 | Cerber_af672b3d | Windows |
This strike sends a malware sample known as Cerber. Cerber is ransomware that encrypts documents, photos, databases and other important files using the file extension ".cerber. | af672b3d1f4c6f019e0e17d227087607 | https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.htmlSHA256: 11018a64eeae53e33d66193676705e49ab658d04f5e2f8471ab896fbda96b1d5SHA1: d0052224dd0a116507a60887ace1a55ae708df84MD5: af672b3d1f4c6f019e0e17d227087607 |
M20-0vw01 | Maze_d6e2396d | Windows |
This strike sends a polymorphic malware sample known as Maze. Maze malware also known as ChaCha ransomware is known for not only encrypting files on the targeted system but for releasing stolen victim information to the public if the ransom is not paid. The ransomware has been delivered via several methods including exploits kits, remote desktop connections and phishing emails. This malware also utilizes many anti reversing and analysis features that make examining it much more difficult.The binary has a random section name renamed according to the PE format specification. | d6e2396df72ada10e2bbf0f48cb70462 | https://arxiv.org/abs/1801.08917SHA256: 18f03c65bf58549e8e230b8ef8595287fe51db0e5e411adfeaf261f87574543eSHA1: 27b1fa00a1a1edce9d2aa976aff216466042c930PARENTID: M20-igj01SSDEEP: 6144:kx0s5c9jrLrLrLZMEQ9V6wZqEZw0eNsd198V50DErNNg/ydlb4fQ6wFMvMK:EMAwmlDYNg6dNoQl+vDMD5: d6e2396df72ada10e2bbf0f48cb70462 |
M20-h0j01 | Chthonic_35bc4e7e | Windows |
This strike sends a malware sample known as Chthonic. Chthonic is a banking trojan that is normally delivered by the attacker via phishing emails. Its purpose is to exfiltrate sensitive credentials from the victim machine, and has also been seen delivering other malware like AZORult to perform additional functionality. | 35bc4e7e59b96ba08e6fde8a805868a0 | https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.htmlSHA256: 356e8479fb35f301fe0f578726fe072ecec12d2d1074d20bafd9b107a0f2fa62SHA1: 1444678488bd4463b196ada2e729a89986302120MD5: 35bc4e7e59b96ba08e6fde8a805868a0 |
M20-vf301 | GenericKidz_f27a8207 | Windows |
This strike sends a malware sample known as GenericKidz. GenericKidz is a Delphi application that installs the Hawkeye spyware. It utilizes the Windows Autostart registry key to achieve persistence upon a system reboot. | f27a8207eab1b5be953da9cde9e504ee | https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.htmlSHA256: 68fb0d69411cceecd15f52ab04953034ef20310d46df3fcb3afa01ef9815dfdaSHA1: b687bef3d7452273ad42918629b24da1ffc89ad9MD5: f27a8207eab1b5be953da9cde9e504ee |
M20-acp01 | Cerber_1c0de3d5 | Windows |
This strike sends a malware sample known as Cerber. Cerber is ransomware that encrypts documents, photos, databases and other important files using the file extension ".cerber. | 1c0de3d521d3fd02949cdb53d3b5334a | https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.htmlSHA256: 0e446d8cb2f076a30441b95278c77badff0a2814ed16ca59e5767795aff0729eSHA1: 0f0d261d3c3470bbb2eca065a9685a9b62ef7110MD5: 1c0de3d521d3fd02949cdb53d3b5334a |
M20-t7b01 | Maze_1ffecd46 | Mixed |
This strike sends a malware sample known as Maze. Maze malware also known as ChaCha ransomware is known for not only encrypting files on the targeted system but for releasing stolen victim information to the public if the ransom is not paid. The ransomware has been delivered via several methods including exploits kits, remote desktop connections and phishing emails. This malware also utilizes many anti reversing and analysis features that make examining it much more difficult. | 1ffecd461b3d4b65e44faff8537f68d6 | https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ransomware-maze/SHA256: 5f1e512d9ab9b915b1fc925f546ed559cbfa49df53229e2f954a1416cf6f5ee4SHA1: 8e6df1166afaae4aa5335aaee6a63f98a4613024MD5: 1ffecd461b3d4b65e44faff8537f68d6 |
M20-tqc01 | Ragnar | Windows |
This strike sends a polymorphic malware sample known as Ragnar Locker. Ragnar Locker is a ransomware that encrypts infected systems and demands a bitcoin ransom in order to decrypt the data. It infects these systems through unsecured RDP connections, and then uses MSP tools to push Powershell scripts to all available endpoints. Next these scripts will download a payload from Pastebin, that executes the ransomware.The binary has the debug flag removed in the PE file format. | 453b78931f1856b9295117ef3b9db30e | https://arxiv.org/abs/1801.08917SHA256: dc1c31a0e2ff3b048a875e2c1373e9836baa96250db547c7270a4bf4f599a5d6SHA1: 85278411ede936ce43602f8a36abb10d97aea6f9PARENTID: M20-kcc01SSDEEP: 768:KpBsvKMNyoq65co7Bjd/3oqab0k3R2pXlj+Bnk:KpPM4o4qFoqaXC+6MD5: 453b78931f1856b9295117ef3b9db30e |
M20-sb501 | Chthonic_06683c12 | Windows |
This strike sends a malware sample known as Chthonic. Chthonic is a banking trojan that is normally delivered by the attacker via phishing emails. Its purpose is to exfiltrate sensitive credentials from the victim machine, and has also been seen delivering other malware like AZORult to perform additional functionality. | 06683c12ede3b376d05d461be84a48ad | https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.htmlSHA256: 49f30782a139a159f630022bffa0cd2aef80149efa80436791807270954dda51SHA1: 4bd1845860073e6aeb791e1d617b68690c140d04MD5: 06683c12ede3b376d05d461be84a48ad |
M20-8r101 | GenericKidz_f12dd048 | Windows |
This strike sends a malware sample known as GenericKidz. GenericKidz is a Delphi application that installs the Hawkeye spyware. It utilizes the Windows Autostart registry key to achieve persistence upon a system reboot. | f12dd048ef5d97a4fdc97c983a8d1478 | https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.htmlSHA256: 4004df1bf42ff674d7cb4a526e3af694302d6d8bdaceeee88dc8b4135fc7594cSHA1: 6deb902ed6d6da53f983d71bcb32c4e670ab45b7MD5: f12dd048ef5d97a4fdc97c983a8d1478 |
M20-b4z01 | GenericKidz_bd742339 | Windows |
This strike sends a malware sample known as GenericKidz. GenericKidz is a Delphi application that installs the Hawkeye spyware. It utilizes the Windows Autostart registry key to achieve persistence upon a system reboot. | bd742339bb527c17f0a07c19ec36cea3 | https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.htmlSHA256: 78ab5f5da002769f5104e87bf633930d4218f9c764699427a01384d15e7ed43fSHA1: ebc728c74a1f63ebd370a8693d069afdc3c234e7MD5: bd742339bb527c17f0a07c19ec36cea3 |
M20-9az01 | Chthonic_c7844c3f | Windows |
This strike sends a polymorphic malware sample known as Chthonic. Chthonic is a banking trojan that is normally delivered by the attacker via phishing emails. Its purpose is to exfiltrate sensitive credentials from the victim machine, and has also been seen delivering other malware like AZORult to perform additional functionality.The binary has a random section name renamed according to the PE format specification. | c7844c3f89c00041a31a6704ef8a4ef5 | https://arxiv.org/abs/1801.08917SHA256: 1a178c2abeb207f1c9b4ae5bb52e3a4d2b8d5c3953622c7721c6d7a7e7c8d30dSHA1: aaf1bd5308ba0592e2c7bb2aef4fd8987749935cPARENTID: M20-9l601SSDEEP: 3072:DAUvnyA6tx3W7c4iFyLN1oGpVOfZaIHmmC8J26HuJzCc0:Nvn0xz4bB1trYmmCI2U2mjMD5: c7844c3f89c00041a31a6704ef8a4ef5 |
M20-4ik01 | Chthonic_2306b513 | Windows |
This strike sends a malware sample known as Chthonic. Chthonic is a banking trojan that is normally delivered by the attacker via phishing emails. Its purpose is to exfiltrate sensitive credentials from the victim machine, and has also been seen delivering other malware like AZORult to perform additional functionality. | 2306b513b6283cf5c017dbf7240a7c19 | https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.htmlSHA256: 3fa1d611262596bc923fc1e6ac7f44b5ad1c3d574270e588041f379c1b38b679SHA1: bfd9403ec23512e453bad0ed0ceac99fcc1b75d9MD5: 2306b513b6283cf5c017dbf7240a7c19 |
M20-o8301 | Maze_be537a66 | Windows |
This strike sends a malware sample known as Maze. Maze malware also known as ChaCha ransomware is known for not only encrypting files on the targeted system but for releasing stolen victim information to the public if the ransom is not paid. The ransomware has been delivered via several methods including exploits kits, remote desktop connections and phishing emails. This malware also utilizes many anti reversing and analysis features that make examining it much more difficult. | be537a66d01c67076c8491b05866c894 | https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ransomware-maze/SHA256: 877c439da147bab8e2c32f03814e3973c22cbcd112d35bc2735b803ac9113da1SHA1: 8614c5aa7abe3b91ffbc5637dd53bdff886aa1c1MD5: be537a66d01c67076c8491b05866c894 |
M20-yle01 | Cerber_3feda6e4 | Windows |
This strike sends a malware sample known as Cerber. Cerber is ransomware that encrypts documents, photos, databases and other important files using the file extension ".cerber. | 3feda6e4ba4db978fe9b8533df206722 | https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.htmlSHA256: 1177ecb326246585b0b1a3f3664969325eb3017d6ae93e8340fd04497391f41dSHA1: c5c7ed08900d9973f258097b0594c2da8f45d707MD5: 3feda6e4ba4db978fe9b8533df206722 |
M20-af201 | Cerber_b6ddcba9 | Windows |
This strike sends a malware sample known as Cerber. Cerber is ransomware that encrypts documents, photos, databases and other important files using the file extension ".cerber. | b6ddcba95312ff109ba53049dd3df5af | https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.htmlSHA256: 15bcfa2a7f4a8446b9044b31ac577e75ceca42d8d47b7441f86e97610df7fb30SHA1: c177741641cf582b05b9470d62830af1f2943e01MD5: b6ddcba95312ff109ba53049dd3df5af |
M20-7vn01 | Chthonic_c663f470 | Windows |
This strike sends a polymorphic malware sample known as Chthonic. Chthonic is a banking trojan that is normally delivered by the attacker via phishing emails. Its purpose is to exfiltrate sensitive credentials from the victim machine, and has also been seen delivering other malware like AZORult to perform additional functionality.The binary has random bytes appended at the end of the file. | c663f470475adcec85d53ae121a28bef | https://attack.mitre.org/techniques/T1009/SHA256: c26f64f5b77ff1aebb388055e18376e36b5795444dd3efc524b95d96a0d11b2eSHA1: 4f4e40f9283332d7c497c449157c86f5bf09d494PARENTID: M20-9l601SSDEEP: 3072:5AUvnyA6tx3W7c4iFyLN1oGpVOfZaIHmmC8J26HuJzCc9F:rvn0xz4bB1trYmmCI2U2mEFMD5: c663f470475adcec85d53ae121a28bef |
M20-g3c01 | Ragnar | Windows |
This strike sends a malware sample known as Ragnar Locker. This malware is known as Ragnar Locker. Ragnar Locker is a ransomware that encrypts infected systems and demands a bitcoin ransom in order to decrypt the data. It infects these systems through unsecured RDP connections, and then uses MSP tools to push Powershell scripts to all available endpoints. Next these scripts will download a payload from Pastebin, that executes the ransomware. | 9b2a874de86f10ff992a30febdb6f9e8 | https://www.deepinstinct.com/2020/04/27/ragnar-locker-ransomware-unlocked-by-deep-instinct/SHA256: a8ee0fafbd7b84417c0fb31709b2d9c25b2b8a16381b36756ca94609e2a6fcf6SHA1: 01fff32c5e016bfd3692072ef0ef5b943f2da110MD5: 9b2a874de86f10ff992a30febdb6f9e8 |
M20-rh201 | Chthonic_ed8b7d43 | Windows |
This strike sends a malware sample known as Chthonic. Chthonic is a banking trojan that is normally delivered by the attacker via phishing emails. Its purpose is to exfiltrate sensitive credentials from the victim machine, and has also been seen delivering other malware like AZORult to perform additional functionality. | ed8b7d43f752748610116d9c2ec2ad17 | https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.htmlSHA256: 706c37e3dbf83e01206b37a4c3fc1f39611cd05b7f8df8ebe2456efd8a6970acSHA1: 872b6e77f28602bd4af0b22f9ebe2d02b3429480MD5: ed8b7d43f752748610116d9c2ec2ad17 |
M20-igj01 | Maze_57e3d794 | Windows |
This strike sends a malware sample known as Maze. Maze, also known as ChaCha ransomware, is known not only for encrypting files on the targeted system but for publishing stolen victim data if the ransom is not paid. The ransomware has been delivered via several methods, including exploit kits, remote desktop connections and phishing emails. It also uses many anti-reversing and anti-analysis features that make examining it much more difficult. | 57e3d794b333f6ba4d2a968a54c7f7d8 | https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ransomware-maze/ SHA256: 78fb8d34cf3e034fbbaefd8f7587bd364a000a1e12c4a6fa45e192d56b93a25a SHA1: e850e2963deaea7e6d43c1390f4d69b20ed62a67 MD5: 57e3d794b333f6ba4d2a968a54c7f7d8 |
M20-kcc01 | Ragnar | Windows |
This strike sends a malware sample known as Ragnar Locker. Ragnar Locker is ransomware that encrypts infected systems and demands a bitcoin ransom to decrypt the data. It gains access through unsecured RDP connections, then uses MSP tools to push PowerShell scripts to all reachable endpoints; these scripts download a payload from Pastebin that executes the ransomware. | 3ca359f5085bb96a7950d4735b089ffe | https://www.deepinstinct.com/2020/04/27/ragnar-locker-ransomware-unlocked-by-deep-instinct/ SHA256: 7af61ce420051640c50b0e73e718dd8c55dddfcb58917a3bead9d3ece2f3e929 SHA1: 60747604d54a18c4e4dc1a2c209e77a793e64dde MD5: 3ca359f5085bb96a7950d4735b089ffe |
M20-g7601 | Cerber_d9456755 | Windows |
This strike sends a malware sample known as Cerber. Cerber is ransomware that encrypts documents, photos, databases and other important files, appending the ".cerber" extension to them. | d9456755be7622b653eeb66cbe992c30 | https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.html SHA256: 1263a68800e384bee88a29156b3240a4f5bd7c207d7bb3994ee42d9f8e3104b0 SHA1: 4ed16dcd3ff7d91cf073fcb091137a9ba3d26dec MD5: d9456755be7622b653eeb66cbe992c30 |
M20-r4901 | Chthonic_5dc71fc5 | Windows |
This strike sends a malware sample known as Chthonic. Chthonic is a banking trojan that is normally delivered via phishing emails. Its purpose is to exfiltrate sensitive credentials from the victim machine, and it has also been seen delivering other malware such as AZORult to add functionality. | 5dc71fc5408d7749d25459cacc54c4d6 | https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.html SHA256: 6e6d5dbe3d497750383b5b50ceb17a8cdb67eeb2c923af97219ef25f0d3f8274 SHA1: 04ce1a31b804ca5e100f2ddc6340c706a55df726 MD5: 5dc71fc5408d7749d25459cacc54c4d6 |
M20-f5p01 | Maze_1d746808 | Windows |
This strike sends a polymorphic malware sample known as Maze. Maze, also known as ChaCha ransomware, is known not only for encrypting files on the targeted system but for publishing stolen victim data if the ransom is not paid. The ransomware has been delivered via several methods, including exploit kits, remote desktop connections and phishing emails. It also uses many anti-reversing and anti-analysis features that make examining it much more difficult. The binary has random strings (lorem ipsum text) appended at the end of the file. | 1d74680891b4955ff98287f689d23016 | https://attack.mitre.org/techniques/T1009/ SHA256: fda037a68cb707b4609ae9d9f609ac73a3a2a53f279840983d1131eb04b5da9f SHA1: 7a297b8a73f34d9600e0942b9e79ea03825d43bc PARENTID: M20-igj01 SSDEEP: 6144:Sx0s5c9jrLrLrLZMEQ9V6wZqEZw0eNsd198V50DErNNg/ydlb4fQ6wFMvMD:mMAwmlDYNg6dNoQl+vC MD5: 1d74680891b4955ff98287f689d23016 |
M20-zlj01 | Cerber_97c2f3bb | Windows |
This strike sends a polymorphic malware sample known as Cerber. Cerber is ransomware that encrypts documents, photos, databases and other important files, appending the ".cerber" extension to them. The binary has been packed with the UPX packer using its default options. | 97c2f3bb7328316b257cc6f319b32bd9 | https://attack.mitre.org/techniques/T1045/ SHA256: 89c08b1ee24e19d5697f09bd3c1f6b8d146ab2b43b6d1949f367fb2a91f60b24 SHA1: 637c8a7737c59f7e2cfb3dc2ea48f4cfb7a3961e PARENTID: M20-qcm01 SSDEEP: 6144:QtHxDeGTNkEm3tLP09Kt1Y1yBnFi1Jg7q5EPQf2ZZBZvHZuV:QtR1R0tLF7B8g7q549ZZHvHZuV MD5: 97c2f3bb7328316b257cc6f319b32bd9 |
M20-7a801 | Cerber_3507a8e8 | Windows |
This strike sends a malware sample known as Cerber. Cerber is ransomware that encrypts documents, photos, databases and other important files, appending the ".cerber" extension to them. | 3507a8e8633d46b72971e691189a62d1 | https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.html SHA256: 03f07c9b09741428f840403a193a1dd7f0216371e3f8d159ccabdf7a4629bb9e SHA1: a987fab8c3dea79c4e37c24658a5a84297803ba9 MD5: 3507a8e8633d46b72971e691189a62d1 |
M20-z7h01 | Chthonic_029263b3 | Windows |
This strike sends a malware sample known as Chthonic. Chthonic is a banking trojan that is normally delivered via phishing emails. Its purpose is to exfiltrate sensitive credentials from the victim machine, and it has also been seen delivering other malware such as AZORult to add functionality. | 029263b342d655892fee9634dc699c50 | https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.html SHA256: 4bd6b56bad8e51cf3187d822dfdd6919382d338999df524dbb99c32495c20d7b SHA1: 3d48854abd5494e72fb77eac64b63d4a31b9ab0d MD5: 029263b342d655892fee9634dc699c50 |
M20-bg501 | Maze_35a4ba50 | Windows |
This strike sends a polymorphic malware sample known as Maze. Maze, also known as ChaCha ransomware, is known not only for encrypting files on the targeted system but for publishing stolen victim data if the ransom is not paid. The ransomware has been delivered via several methods, including exploit kits, remote desktop connections and phishing emails. It also uses many anti-reversing and anti-analysis features that make examining it much more difficult. The binary has random bytes appended at the end of the file. | 35a4ba50a7d6aac61fc36980a6153df2 | https://attack.mitre.org/techniques/T1009/ SHA256: 33d489bbcc6f10df8c67eae9712d07c45ae7ca3d6405aa5814fa6edd7ae58181 SHA1: e51368fbd2c00cb84b84ef65aad179848d9bd564 PARENTID: M20-igj01 SSDEEP: 6144:Sx0s5c9jrLrLrLZMEQ9V6wZqEZw0eNsd198V50DErNNg/ydlb4fQ6wFMvMO:mMAwmlDYNg6dNoQl+vP MD5: 35a4ba50a7d6aac61fc36980a6153df2 |
M20-m1n01 | Maze_4cdd275b | Windows |
This strike sends a malware sample known as Maze. Maze, also known as ChaCha ransomware, is known not only for encrypting files on the targeted system but for publishing stolen victim data if the ransom is not paid. The ransomware has been delivered via several methods, including exploit kits, remote desktop connections and phishing emails. It also uses many anti-reversing and anti-analysis features that make examining it much more difficult. | 4cdd275bc7d6bf28c5691c1ee1b37eac | https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ransomware-maze/ SHA256: 0b9c99276ed36110afc58b3fb59ada135146180189c25d99618ca5897537ee21 SHA1: b908dfc77cd01a03f1be1270e7ae570bef6b89f3 MD5: 4cdd275bc7d6bf28c5691c1ee1b37eac |
M20-zb301 | Chthonic_66f43845 | Windows |
This strike sends a malware sample known as Chthonic. Chthonic is a banking trojan that is normally delivered via phishing emails. Its purpose is to exfiltrate sensitive credentials from the victim machine, and it has also been seen delivering other malware such as AZORult to add functionality. | 66f43845fdd3fa7414b5d772806e7e26 | https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.html SHA256: 2e434122795ce60847385431e28d8e96e0a63ced780a48d9acdbad149c262074 SHA1: 1d88592c20f7b850e61461ac9c64a728e41c14d5 MD5: 66f43845fdd3fa7414b5d772806e7e26 |
M20-6xe01 | Maze_b9078b6d | Windows |
This strike sends a polymorphic malware sample known as Maze. Maze, also known as ChaCha ransomware, is known not only for encrypting files on the targeted system but for publishing stolen victim data if the ransom is not paid. The ransomware has been delivered via several methods, including exploit kits, remote desktop connections and phishing emails. It also uses many anti-reversing and anti-analysis features that make examining it much more difficult. The binary has random content appended to one of the existing sections of the PE file. | b9078b6db33deb83201c8d2cbb3ced4e | https://arxiv.org/abs/1801.08917 SHA256: 8e2e8b266bf451bce36445ef9fe0284f2d171518b61ed4dc2e025799c7949e6e SHA1: f4767c509c5c6b5b0ba97931f810bbf8a4d3e02b PARENTID: M20-igj01 SSDEEP: 6144:Sx0s5c9jrLrLrLZMEQ9V6wZqEZw0eNsd198V50DErjNg/ydlb4fQ6wFMvMK:mMAwmlD2Ng6dNoQl+vD MD5: b9078b6db33deb83201c8d2cbb3ced4e |
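The polymorphic variants in this table are derived from a parent sample in three ways: random bytes or strings appended past the end of the file (the entries referencing T1009), UPX packing with default options (T1045), and random content appended inside an existing PE section (the entries referencing arXiv:1801.08917). The first never touches the PE headers, so the padding lands in the overlay, the region after the last section's raw data; removing the overlay recovers a file that hashes identically to the parent, which is why the SSDEEP values of parent and child stay close while MD5/SHA1/SHA256 change completely. The in-section variant instead grows a section's SizeOfRawData and leaves no overlay, so an overlay check alone misses it. The Python below is an added example, not code from the strike pack or from the referenced sources: it assembles a constructed, non-executable PE32 stand-in (no real sample is needed to run it), derives both kinds of padded child from it, and reports the overlay growth, the per-section raw-size deltas and whether the child equals its parent once the overlay is stripped. The UPX check is a section-name heuristic only and is defeated by a renamed packer.

```python
import hashlib
import os
import struct

# Minimal PE32 layout constants; only the fields the checks below read are meaningful.
FILE_ALIGN = 0x200
PE_OFFSET = 0x40
OPT_HDR_SIZE = 224                      # size of a PE32 optional header
SECTION_HDR = "<8sIIIIIIHHI"            # IMAGE_SECTION_HEADER, 40 bytes


def _align(n, a):
    return (n + a - 1) // a * a


def build_pe(sections):
    """Assemble a constructed, non-executable PE32 image from [(name, payload)] pairs.
    It stands in for a real sample so the checks can run offline."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, PE_OFFSET)             # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, OPT_HDR_SIZE, 0x0102)
    opt = struct.pack("<H", 0x10B) + bytes(OPT_HDR_SIZE - 2)  # PE32 magic, rest zeroed
    raw_ptr = _align(PE_OFFSET + 4 + len(coff) + OPT_HDR_SIZE + 40 * len(sections), FILE_ALIGN)
    va, hdrs, bodies = 0x1000, b"", b""
    for name, payload in sections:
        raw_size = _align(len(payload), FILE_ALIGN)
        hdrs += struct.pack(SECTION_HDR, name.ljust(8, b"\0")[:8], len(payload), va,
                            raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
        bodies += payload + bytes(raw_size - len(payload))
        raw_ptr += raw_size
        va += _align(max(len(payload), 1), 0x1000)
    image = bytes(dos) + b"PE\0\0" + coff + opt + hdrs
    return image + bytes(_align(len(image), FILE_ALIGN) - len(image)) + bodies


def parse_sections(data):
    """Read the section table: name, PointerToRawData, SizeOfRawData."""
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    table = pe_off + 4 + 20 + opt_size
    out = []
    for i in range(nsec):
        f = struct.unpack_from(SECTION_HDR, data, table + 40 * i)
        out.append({"name": f[0].rstrip(b"\0").decode("ascii", "replace"),
                    "raw_ptr": f[4], "raw_size": f[3]})
    return out


def overlay(data):
    """Bytes past the end of the last section's raw data: where end-of-file padding lands."""
    end = max((s["raw_ptr"] + s["raw_size"] for s in parse_sections(data)), default=0)
    return data[end:]


def strip_overlay(data):
    return data[:len(data) - len(overlay(data))]


def looks_upx_packed(data):
    """Cheap heuristic for the UPX variants: default UPX keeps its UPX0/UPX1 section names."""
    return any(s["name"].startswith("UPX") for s in parse_sections(data))


def compare_to_parent(parent, child):
    """How a polymorphic child differs from its parent: overlay growth, per-section raw-size
    changes, and whether the two are byte-identical once the overlay is removed."""
    deltas = {c["name"]: c["raw_size"] - p["raw_size"]
              for p, c in zip(parse_sections(parent), parse_sections(child))
              if p["name"] == c["name"] and p["raw_size"] != c["raw_size"]}
    same = hashlib.sha256(strip_overlay(parent)).digest() == hashlib.sha256(strip_overlay(child)).digest()
    return {"overlay_bytes": len(overlay(child)) - len(overlay(parent)),
            "section_deltas": deltas, "same_after_strip": same}


# Constructed stand-ins for a parent sample and its two polymorphic children.
PARENT = build_pe([(b".text", b"\x55\x8b\xec\xc3" * 75), (b".data", b"constructed sample data")])
PADDED = PARENT + os.urandom(4096)                 # random bytes appended at end of file
SECTION_PADDED = build_pe([(b".text", b"\x55\x8b\xec\xc3" * 75),
                           (b".data", b"constructed sample data" + os.urandom(2048))])

if __name__ == "__main__":
    for label, child in (("end-of-file padding", PADDED), ("in-section padding", SECTION_PADDED)):
        print(label, compare_to_parent(PARENT, child))
    print("upx heuristic on parent:", looks_upx_packed(PARENT))
```

Against a real parent/child pair from this table the same calls apply to the file bytes read from disk; a child that reports `same_after_strip` True is the T1009 case and can be matched to its parent by cryptographic hash after stripping, whereas the in-section and UPX cases need fuzzy hashing (SSDEEP) or unpacking before any hash comparison is meaningful.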
M20-3o801 | Chthonic_d39d63cd | Windows |
This strike sends a malware sample known as Chthonic. Chthonic is a banking trojan that is normally delivered via phishing emails. Its purpose is to exfiltrate sensitive credentials from the victim machine, and it has also been seen delivering other malware such as AZORult to add functionality. | d39d63cdd5965a342f6465585fcf3bd4 | https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.html SHA256: 4b255914b1ee12886e4dee4745799d21fcefcf2c95466d2ee5c4af056a280809 SHA1: 8782804d58d23f1c1c15783f29b1f6bb94ba78c8 MD5: d39d63cdd5965a342f6465585fcf3bd4 |
M20-7xg01 | Chthonic_79a423d4 | Windows |
This strike sends a malware sample known as Chthonic. Chthonic is a banking trojan that is normally delivered via phishing emails. Its purpose is to exfiltrate sensitive credentials from the victim machine, and it has also been seen delivering other malware such as AZORult to add functionality. | 79a423d4b36a9f38cafd7402d3bf6708 | https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.html SHA256: 6f22d50967bd631b8cf5fa77b96267817ae25c4f1de75998ce5a6046c74aee01 SHA1: 9effc7a23f15569d250d3ce3f21f556bb3204eaf MD5: 79a423d4b36a9f38cafd7402d3bf6708 |
M20-zwj01 | Cerber_7a9698cc | Windows |
This strike sends a malware sample known as Cerber. Cerber is ransomware that encrypts documents, photos, databases and other important files, appending the ".cerber" extension to them. | 7a9698cc75dc079ec4186faae460d4ca | https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.html SHA256: 17d48b5318fc9d45eb21d19793e3a699c5c95bd67bb8ca8cc240db9d69f6c770 SHA1: 3b82fd1201a89500c86b457e416a21446df90032 MD5: 7a9698cc75dc079ec4186faae460d4ca |
M20-4th01 | Chthonic_b678aff5 | Windows |
This strike sends a malware sample known as Chthonic. Chthonic is a banking trojan that is normally delivered via phishing emails. Its purpose is to exfiltrate sensitive credentials from the victim machine, and it has also been seen delivering other malware such as AZORult to add functionality. | b678aff5be1fff867d80ca4a0c8309f7 | https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.html SHA256: 031a584697feeecc9014a8d021576b1964545a96bf652a4102179b405aa4cf5c SHA1: ef8965cfb68984a1c3544ac758af8ee357be3d3b MD5: b678aff5be1fff867d80ca4a0c8309f7 |
M20-nuu01 | Maze_5a568b2a | Windows |
This strike sends a malware sample known as Maze. Maze, also known as ChaCha ransomware, is known not only for encrypting files on the targeted system but for publishing stolen victim data if the ransom is not paid. The ransomware has been delivered via several methods, including exploit kits, remote desktop connections and phishing emails. It also uses many anti-reversing and anti-analysis features that make examining it much more difficult. | 5a568b2a5e62e7889f1a8dfaf64d3a7c | https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ransomware-maze/ SHA256: 0d8b74e1e9eb07e3e0c1c480153cc138ffb13fb0e2bb417b20f7ba9b5186e571 SHA1: 31fd982ba7e08d81e9c59b91afb7c023958dbdec MD5: 5a568b2a5e62e7889f1a8dfaf64d3a7c |
M20-qqx01 | GenericKidz_1faca9c8 | Windows |
This strike sends a malware sample known as GenericKidz. GenericKidz is a Delphi application that installs the Hawkeye spyware. It uses a Windows autostart registry key to persist across reboots. | 1faca9c8ed5d600cc1972c17943507b7 | https://blog.talosintelligence.com/2020/05/threat-roundup-0501-057 SHA256: 2ce6928f41662856507bed0a7073b80e8504b7760f3c8b787543d25db7d5c1ed SHA1: 6bd30b6d6dc44d2881f87f200776e09a260dfdb0 MD5: 1faca9c8ed5d600cc1972c17943507b7 |
M20-b0501 | Cerber_3441dcf7 | Windows |
This strike sends a malware sample known as Cerber. Cerber is ransomware that encrypts documents, photos, databases and other important files, appending the ".cerber" extension to them. | 3441dcf7cae2b362ed94147259d95977 | https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.html SHA256: 09029946caf0de395b14a26364354dd32679aee7c7eb22c5e8c04775c0d3d538 SHA1: 31ab7d939d7eac34b658146e9a02c002dd6fe3f3 MD5: 3441dcf7cae2b362ed94147259d95977 |
M20-2iv01 | Cerber_14dea99a | Windows |
This strike sends a malware sample known as Cerber. Cerber is ransomware that encrypts documents, photos, databases and other important files, appending the ".cerber" extension to them. | 14dea99adcd67477f247c9dd1a8189c3 | https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.html SHA256: 1b10ca8a96db74c1748019566edeca9b8967665c12264f5969ee30bd11ef1504 SHA1: 6fc55c7d36c0b714f00d946d5b8f050671addbf5 MD5: 14dea99adcd67477f247c9dd1a8189c3 |
M20-gxx01 | Chthonic_c1d322b8 | Windows |
This strike sends a malware sample known as Chthonic. Chthonic is a banking trojan that is normally delivered via phishing emails. Its purpose is to exfiltrate sensitive credentials from the victim machine, and it has also been seen delivering other malware such as AZORult to add functionality. | c1d322b838b40a2f040e3f22e1fb4f41 | https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.html SHA256: 1fbb6393e4cf576e0f11b615e0990a8b2134b0ea0e9ec58374f7e7f49125d6f4 SHA1: b1245503bd123de66e2a1183b6c08010f2a03194 MD5: c1d322b838b40a2f040e3f22e1fb4f41 |
M20-5sp01 | Cerber_a968db00 | Windows |
This strike sends a malware sample known as Cerber. Cerber is ransomware that encrypts documents, photos, databases and other important files, appending the ".cerber" extension to them. | a968db00332971d364e7a17386ce7ad8 | https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.html SHA256: 10ab9740564dc471636c8006f6bd36c3f6762e87859f912e337709b26dab6c15 SHA1: 09ca57c61961025212d4219986b4e3639410f517 MD5: a968db00332971d364e7a17386ce7ad8 |
M20-shy01 | Ragnar | Windows |
This strike sends a malware sample known as Ragnar Locker. Ragnar Locker is ransomware that encrypts infected systems and demands a bitcoin ransom to decrypt the data. It gains access through unsecured RDP connections, then uses MSP tools to push PowerShell scripts to all reachable endpoints; these scripts download a payload from Pastebin that executes the ransomware. | 1ee5456c1226affd7b72bcdf3db443b7 | https://www.deepinstinct.com/2020/04/27/ragnar-locker-ransomware-unlocked-by-deep-instinct/ SHA256: dd5d4cf9422b6e4514d49a3ec542cffb682be8a24079010cda689afbb44ac0f4 SHA1: e22344a92c91b567a6cba7eb66686c438d479462 MD5: 1ee5456c1226affd7b72bcdf3db443b7 |
M20-hxt01 | Ragnar | Windows |
This strike sends a malware sample known as Ragnar Locker. Ragnar Locker is ransomware that encrypts infected systems and demands a bitcoin ransom to decrypt the data. It gains access through unsecured RDP connections, then uses MSP tools to push PowerShell scripts to all reachable endpoints; these scripts download a payload from Pastebin that executes the ransomware. | 6d122b4bfab5e75f3ae903805cbbc641 | https://www.deepinstinct.com/2020/04/27/ragnar-locker-ransomware-unlocked-by-deep-instinct/ SHA256: 68eb2d2d7866775d6bf106a914281491d23769a9eda88fc078328150b8432bb3 SHA1: 5197d1b54494f8cb043759b35e097c660a9e09ac MD5: 6d122b4bfab5e75f3ae903805cbbc641 |
M20-zsv01 | Ragnar | Windows |
This strike sends a malware sample known as Ragnar Locker. Ragnar Locker is ransomware that encrypts infected systems and demands a bitcoin ransom to decrypt the data. It gains access through unsecured RDP connections, then uses MSP tools to push PowerShell scripts to all reachable endpoints; these scripts download a payload from Pastebin that executes the ransomware. | 00fb3f27bccef7c5658ff9f5ce487cec | https://www.deepinstinct.com/2020/04/27/ragnar-locker-ransomware-unlocked-by-deep-instinct/ SHA256: b670441066ff868d06c682e5167b9dbc85b5323f3acfbbc044cabc0e5a594186 SHA1: c24fedb9b8a592722d5a9adb34d276fc3b329d6f MD5: 00fb3f27bccef7c5658ff9f5ce487cec |
M20-c3c01 | Maze_8bb9bf4b | Windows |
This strike sends a malware sample known as Maze. Maze, also known as ChaCha ransomware, is known not only for encrypting files on the targeted system but for publishing stolen victim data if the ransom is not paid. The ransomware has been delivered via several methods, including exploit kits, remote desktop connections and phishing emails. It also uses many anti-reversing and anti-analysis features that make examining it much more difficult. | 8bb9bf4b8be1141c4cdc4d435bfe7d0e | https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ransomware-maze/ SHA256: 0fb01d846e2682ed2507367d2d4537c45800304410b270a13e94f1ca778d161e SHA1: dfc77a86fb58c2aa04b6b0399eea6dd0d642baa0 MD5: 8bb9bf4b8be1141c4cdc4d435bfe7d0e |
M20-lx201 | Maze_8540030a | Windows |
This strike sends a malware sample known as Maze. Maze, also known as ChaCha ransomware, is known not only for encrypting files on the targeted system but for publishing stolen victim data if the ransom is not paid. The ransomware has been delivered via several methods, including exploit kits, remote desktop connections and phishing emails. It also uses many anti-reversing and anti-analysis features that make examining it much more difficult. | 8540030a0ea3e18e84af7ce026ab9cad | https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ransomware-maze/ SHA256: a6ac82fc87e552476a77c8d22e2d1d64fa17cc3dea9f428a53776354c97825b2 SHA1: 4ccfe4cf5839024e768520c63e3a1982eee092f0 MD5: 8540030a0ea3e18e84af7ce026ab9cad |
M20-nwz01 | Maze_2fbd1097 | Mixed |
This strike sends a malware sample known as Maze. Maze, also known as ChaCha ransomware, is known not only for encrypting files on the targeted system but for publishing stolen victim data if the ransom is not paid. The ransomware has been delivered via several methods, including exploit kits, remote desktop connections and phishing emails. It also uses many anti-reversing and anti-analysis features that make examining it much more difficult. | 2fbd10975ee65845a18af6b7488a5236 | https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ransomware-maze/ SHA256: 7e3ab96d2628e0a9970802b47d0356dc9b99994d7f98492d4e70a5384891695a SHA1: 9806dfc1cf337f4f27c3469ba40f6c189b6d20c8 MD5: 2fbd10975ee65845a18af6b7488a5236 |
M20-69e01 | GenericKidz_c2896bc7 | Windows |
This strike sends a malware sample known as GenericKidz. GenericKidz is a Delphi application that installs the Hawkeye spyware. It uses a Windows autostart registry key to persist across reboots. | c2896bc7bc97a3d4b93539403649fa9d | https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.html SHA256: ce44dd760f7ac7402279368416c194c993f454ddb2e88a72bb73354f454c4d40 SHA1: 5b3c86aa0cc8431f583885933db61c13c4e35b69 MD5: c2896bc7bc97a3d4b93539403649fa9d |
M20-2bn01 | Cerber_690b5684 | Windows |
This strike sends a malware sample known as Cerber. Cerber is ransomware that encrypts documents, photos, databases and other important files, appending the ".cerber" extension to them. | 690b5684c5a82b42b22d54e3691903d4 | https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.html SHA256: 15c3a3254008702641bdf20c7e32bd5afd317bde685c21a38a6e00eabd9d91a7 SHA1: 717bd79ba156d417694c95a8570174a615a601d2 MD5: 690b5684c5a82b42b22d54e3691903d4 |
M20-5uy01 | Cerber_694d096a | Windows |
This strike sends a malware sample known as Cerber. Cerber is ransomware that encrypts documents, photos, databases and other important files, appending the ".cerber" extension to them. | 694d096af90e04bf409c0633179789f7 | https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.html SHA256: 072a4c4b5d8d97d3d9c678aacf7d9a73609e346ae563b330098ac20c4dd3945d SHA1: 4c4c0bd798b9556ebb18e2248f37284dc71438a2 MD5: 694d096af90e04bf409c0633179789f7 |
M20-dys01 | Cerber_f3b921b7 | Windows |
This strike sends a malware sample known as Cerber. Cerber is ransomware that encrypts documents, photos, databases and other important files, appending the ".cerber" extension to them. | f3b921b7d63f3f99bef732169ed4dfde | https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.html SHA256: 0b4eaa008cf3fa9b5b9e2413d520fc8e20c9f826976a1c48040644148a9d176a SHA1: c1b39c48d31fa2cc8401a9bf8aa79890217bc6b9 MD5: f3b921b7d63f3f99bef732169ed4dfde |
M20-u2w01 | Cerber_fffc65ba | Windows |
This strike sends a malware sample known as Cerber. Cerber is ransomware that encrypts documents, photos, databases and other important files, appending the ".cerber" extension to them. | fffc65baf12eaa1897d15d4cb99dd885 | https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.html SHA256: 081992320357213e05b0c14f914f85dc108ccd96c442ed01c2e0a929c28081ba SHA1: 4ff489628198bb7380b3dfd365a4e9672c0b58b8 MD5: fffc65baf12eaa1897d15d4cb99dd885 |
M20-dkg01 | Maze_c09af442 | Mixed |
This strike sends a malware sample known as Maze. Maze, also known as ChaCha ransomware, is known not only for encrypting files on the targeted system but for publishing stolen victim data if the ransom is not paid. The ransomware has been delivered via several methods, including exploit kits, remote desktop connections and phishing emails. It also uses many anti-reversing and anti-analysis features that make examining it much more difficult. | c09af442e8c808c953f4fa461956a30f | https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ransomware-maze/ SHA256: 97043f23defd510607ff43201bb03b9916a23bd71b5bdf97db357e5026732506 SHA1: 7b0b06069aca88f8d13176be5b285194f546904a MD5: c09af442e8c808c953f4fa461956a30f |
M20-uv601 | Maze_e5f4b224 | Windows |
This strike sends a malware sample known as Maze. Maze, also known as ChaCha ransomware, is known not only for encrypting files on the targeted system but for publishing stolen victim data if the ransom is not paid. The ransomware has been delivered via several methods, including exploit kits, remote desktop connections and phishing emails. It also uses many anti-reversing and anti-analysis features that make examining it much more difficult. | e5f4b2242a57b3f00c2c4feee2df9671 | https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ransomware-maze/ SHA256: 042273f30363405ee416ca4dae6f0279668dfc5ea742c0e265b9553798a90ae5 SHA1: a62d4bf7b4d0e04b681f18ffaa2b904caf47920d MD5: e5f4b2242a57b3f00c2c4feee2df9671 |
M20-0qk01 | Cerber_57a5aaec | Windows |
This strike sends a polymorphic malware sample known as Cerber. Cerber is ransomware that encrypts documents, photos, databases and other important files, appending the ".cerber" extension to them. The binary has random content appended to one of the existing sections of the PE file. | 57a5aaecd4fd8261c9d527599d42a9b0 | https://arxiv.org/abs/1801.08917 SHA256: 710a4e7339bbe22a8cf32d5eb626846893f6900ff508e2c883cde8ab6a92edcf SHA1: a0e198df945392f5ec4d38436fa422322bb61eca PARENTID: M20-qcm01 SSDEEP: 6144:qPvsAaRn+h+/qM5gEZGmJ4swsCTUrHvHP/jvHbfbU4RtwI5Mg8QC1N1u:eGRn+4d57ZGy4D3KwcMgilu MD5: 57a5aaecd4fd8261c9d527599d42a9b0 |
M20-a6d01 | Cerber_2fc84f19 | Windows |
This strike sends a malware sample known as Cerber. Cerber is ransomware that encrypts documents, photos, databases and other important files, appending the ".cerber" extension to them. | 2fc84f19ff76dbd2eb9ea2a66167ed29 | https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.html SHA256: 18f9701f2516d860384b0796815c163f2c7b2dd5cde6d8d1b479a3d68d65a194 SHA1: 1e202a09cc2f384e14bae9ca44b739ed273d5e00 MD5: 2fc84f19ff76dbd2eb9ea2a66167ed29 |
M20-ey101 | Maze_b02be7a3 | Windows |
This strike sends a malware sample known as Maze. Maze, also known as ChaCha ransomware, is known not only for encrypting files on the targeted system but for publishing stolen victim data if the ransom is not paid. The ransomware has been delivered via several methods, including exploit kits, remote desktop connections and phishing emails. It also uses many anti-reversing and anti-analysis features that make examining it much more difficult. | b02be7a336dcc6635172e0d6ec24c554 | https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ransomware-maze/ SHA256: 0f1cbf09b19fc9963742e3f60def1434fa86ac760790fb974a6b5fcd81b4881f SHA1: a58b45f6ac4c4fbcf938de01ee1e585fe3715fd6 MD5: b02be7a336dcc6635172e0d6ec24c554 |
M20-9l601 | Chthonic_431bae5b | Windows |
This strike sends a malware sample known as Chthonic. Chthonic is a banking trojan that is normally delivered via phishing emails. Its purpose is to exfiltrate sensitive credentials from the victim machine, and it has also been seen delivering other malware such as AZORult to add functionality. | 431bae5bc5941c98f202be23a406a073 | https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.html SHA256: 781a3db07da4ed20bbcfa7c481c525cf6282b0f9eb3fbdfff0baa2356294bb34 SHA1: 2c68a36590f77ef2c3a8f46e95faff59f58225ea MD5: 431bae5bc5941c98f202be23a406a073 |
M20-rgm01 | Ragnar | Windows |
This strike sends a malware sample known as Ragnar Locker. Ragnar Locker is ransomware that encrypts infected systems and demands a bitcoin ransom to decrypt the data. It gains access through unsecured RDP connections, then uses MSP tools to push PowerShell scripts to all reachable endpoints; these scripts download a payload from Pastebin that executes the ransomware. | 6171000983cf3896d167e0d8aa9b94ba | https://www.deepinstinct.com/2020/04/27/ragnar-locker-ransomware-unlocked-by-deep-instinct/ SHA256: 9bdd7f965d1c67396afb0a84c78b4d12118ff377db7efdca4a1340933120f376 SHA1: b155264bbfbad7226b5eb3be2ab38c3ecd9f3e18 MD5: 6171000983cf3896d167e0d8aa9b94ba |
M20-wlr01 | GenericKidz_3c885353 | Windows |
This strike sends a malware sample known as GenericKidz. GenericKidz is a Delphi application that installs the Hawkeye spyware. It uses a Windows autostart registry key to persist across reboots. | 3c885353717f05e99153623439feda5e | https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.html SHA256: 47083ad7c0c9741e69eb4575f4b89b999519e80e044839edf3cc3fb228b9733b SHA1: a1dba065907f493429ee9e62f85eaed8ba57a654 MD5: 3c885353717f05e99153623439feda5e |
M20-8lt01 | GenericKidz_7bb5c3fe | Windows |
This strike sends a malware sample known as GenericKidz. GenericKidz is a Delphi application that installs the Hawkeye spyware. It uses a Windows autostart registry key to persist across reboots. | 7bb5c3fed88c6e84f6d6f731d4de6210 | https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.html SHA256: 7902a68c192bef55edd8429d07c6bbcbe30c601a3fc41d35186eb4cb0592f1f1 SHA1: a4897fa9bd44e46e1415c77a0e0fa54ebb93455e MD5: 7bb5c3fed88c6e84f6d6f731d4de6210 |
M20-hji01 | SNAKE_3d1cc4ef | Windows |
This strike sends a malware sample known as SNAKE. SNAKE, also known as EKANS, is ransomware that terminates processes related to SCADA systems, virtual machines, industrial control systems, remote management tools and other network software on a system before encrypting its files. The ransomware is aimed at all devices connected to the target rather than at one specific machine. The malware is written in Go and uses a higher level of obfuscation than is typical for ransomware. | 3d1cc4ef33bad0e39c757fce317ef82a | https://www.tripwire.com/state-of-security/security-data-protection/massive-spike-in-snake-ransomware-activity-attributed-to-new-campaign/ https://twitter.com/VK_Intel/status/1214333066245812224 SHA256: e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60 SHA1: f34e4b7080aa2ee5cfee2dac38ec0c306203b4ac MD5: 3d1cc4ef33bad0e39c757fce317ef82a |
M20-uy601 | Maze_b6786f14 | Windows |
This strike sends a malware sample known as Maze. Maze, also known as ChaCha ransomware, is known not only for encrypting files on the targeted system but for publishing stolen victim data if the ransom is not paid. The ransomware has been delivered via several methods, including exploit kits, remote desktop connections and phishing emails. It also uses many anti-reversing and anti-analysis features that make examining it much more difficult. | b6786f141148925010122819047d1882 | https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ransomware-maze/ SHA256: c84b2c7ec20dd835ece13d5ae42b30e02a9e67cc13c831ae81d85b49518387b9 SHA1: 9e6e19c145cbf359c0a151b38d17e30ccbad6f4b MD5: b6786f141148925010122819047d1882 |
M20-p4x01 | Ragnar | Windows |
This strike sends a polymorphic malware sample known as Ragnar Locker. Ragnar Locker is ransomware that encrypts infected systems and demands a bitcoin ransom to decrypt the data. It gains access through unsecured RDP connections, then uses MSP tools to push PowerShell scripts to all reachable endpoints; these scripts download a payload from Pastebin that executes the ransomware. The binary has random content appended to one of the existing sections of the PE file. | f64a645f4d106e30cfbf076d43b40528 | https://arxiv.org/abs/1801.08917 SHA256: f462c3d2797b8d9b580a5749cae74c92f5841e6bf80100fdaaad976cf60c2aad SHA1: c584c9a6ade80fd1f890b70fd288c9365487f0bd PARENTID: M20-kcc01 SSDEEP: 768:BpBsvKMNyoq65co7Bjd/3oqab0k3R2pXlj+Cnk:BpPM4o4qFoqaXC+L MD5: f64a645f4d106e30cfbf076d43b40528 |
M20-her01 | Cerber_f53c055c | Windows |
This strike sends a malware sample known as Cerber. Cerber is ransomware that encrypts documents, photos, databases and other important files using the file extension ".cerber. | f53c055c2838d768ef530df3825188e2 | https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.htmlSHA256: 078398933742904fe3bf5aeb856505bac9a255a1c1eeddf9705c29d411a7bee8SHA1: 3303ae2218362ad4012d24369eda1e35e066f604MD5: f53c055c2838d768ef530df3825188e2 |
M20-0i501 | Maze_c9ea6430 | Windows |
This strike sends a malware sample known as Maze. Maze malware also known as ChaCha ransomware is known for not only encrypting files on the targeted system but for releasing stolen victim information to the public if the ransom is not paid. The ransomware has been delivered via several methods including exploits kits, remote desktop connections and phishing emails. This malware also utilizes many anti reversing and analysis features that make examining it much more difficult. | c9ea6430da4e72b672ce29e56ecad603 | https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ransomware-maze/SHA256: dee863ffa251717b8e56a96e2f9f0b41b09897d3c7cb2e8159fcb0ac0783611bSHA1: 31c3f7b523e1e406d330958e28882227765c3c5eMD5: c9ea6430da4e72b672ce29e56ecad603 |
M20-bnh01 | GenericKidz_f70fe9f1 | Windows |
This strike sends a malware sample known as GenericKidz. GenericKidz is a Delphi application that installs the Hawkeye spyware. It utilizes the Windows Autostart registry key to achieve persistence upon a system reboot. | f70fe9f15d99e75b4151878b2a529d7c | https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.htmlSHA256: 1844b3b59e94ea263279fe882a6652fe936a0b0b13bbd21f1d3cd609aacf9b07SHA1: b82f782be065a159f6fe77b374071635a9ddfe0cMD5: f70fe9f15d99e75b4151878b2a529d7c |
M20-onw01 | Ragnar | Windows |
This strike sends a malware sample known as Ragnar Locker. This malware is known as Ragnar Locker. Ragnar Locker is a ransomware that encrypts infected systems and demands a bitcoin ransom in order to decrypt the data. It infects these systems through unsecured RDP connections, and then uses MSP tools to push Powershell scripts to all available endpoints. Next these scripts will download a payload from Pastebin, that executes the ransomware. | 0fbbc59d4fe280a55c1fb6f5502c1e73 | https://www.deepinstinct.com/2020/04/27/ragnar-locker-ransomware-unlocked-by-deep-instinct/SHA256: 63096f288f49b25d50f4aea52dc1fc00871b3927fa2a81fa0b0d752b261a3059SHA1: af53890ed1d4753e7493d48862bdd7d18a2b11f6MD5: 0fbbc59d4fe280a55c1fb6f5502c1e73 |
M20-qsb01 | Ragnar | Windows |
This strike sends a malware sample known as Ragnar Locker. Ragnar Locker is ransomware that encrypts infected systems and demands a Bitcoin ransom to decrypt the data. It gains access through unsecured RDP connections, then uses managed service provider (MSP) tools to push PowerShell scripts to all reachable endpoints. Those scripts download a payload from Pastebin that executes the ransomware. | 7529e3c83618f5e3a4cc6dbf3a8534a6 | https://www.deepinstinct.com/2020/04/27/ragnar-locker-ransomware-unlocked-by-deep-instinct/ SHA256: ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597 SHA1: 0f944504eebfca5466b6113853b0d83e38cf885a MD5: 7529e3c83618f5e3a4cc6dbf3a8534a6 |
M20-bc001 | Cerber_608b841c | Windows |
This strike sends a malware sample known as Cerber. Cerber is ransomware that encrypts documents, photos, databases and other important files, appending the file extension ".cerber". | 608b841c52758d52facc067c443706fc | https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.html SHA256: 0a280fb6afce1778478df3f8b1f962ea46aa865b27c88d7ca75368029580773e SHA1: 767621b4d4c9d31074a670ed747becfce0cfc386 MD5: 608b841c52758d52facc067c443706fc |
M20-a3d01 | GenericKidz_5a99a2dd | Windows |
This strike sends a malware sample known as GenericKidz. GenericKidz is a Delphi application that installs the Hawkeye spyware. It uses the Windows Autostart registry key to persist across system reboots. | 5a99a2dd0525714396061c7504ea20fe | https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.html SHA256: ab5d820fc7e40a39109653d0601d337487ed8b329a9a98fef128d29dd86d0a02 SHA1: 272d1ba756bff3795113d6d8c09fabb184b34667 MD5: 5a99a2dd0525714396061c7504ea20fe |
M20-u9801 | Chthonic_c8bba81e | Windows |
This strike sends a malware sample known as Chthonic. Chthonic is a banking trojan that is normally delivered via phishing emails. It exfiltrates sensitive credentials from the victim machine and has also been seen delivering other malware, such as AZORult, to extend its functionality. | c8bba81ea0611dbc891c3758147b6fae | https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.html SHA256: 5dd350e1e1f1ed234d2c90e8b5f67e5e101362e03ae00f10b824c7f00f8660cd SHA1: c741bd252b54ea2f4cf485777c19acfc74e8792a MD5: c8bba81ea0611dbc891c3758147b6fae |
M20-gie01 | Chthonic_502b1b65 | Windows |
This strike sends a malware sample known as Chthonic. Chthonic is a banking trojan that is normally delivered via phishing emails. It exfiltrates sensitive credentials from the victim machine and has also been seen delivering other malware, such as AZORult, to extend its functionality. | 502b1b65f1c1a4fd2361d099e974a898 | https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.html SHA256: 7e5bc9f6c66a319309e81857b8232fc05acc203522d9114b9e3cc5f54c1b9986 SHA1: c31e6f03bfe79598958b22c773d621104a89bd64 MD5: 502b1b65f1c1a4fd2361d099e974a898 |
M20-tw901 | Chthonic_370baeff | Windows |
This strike sends a malware sample known as Chthonic. Chthonic is a banking trojan that is normally delivered via phishing emails. It exfiltrates sensitive credentials from the victim machine and has also been seen delivering other malware, such as AZORult, to extend its functionality. | 370baeff15dcd74c3ed1b9fd1128a962 | https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.html SHA256: 63394c768a993b74c0e06aabda3fee9a9a67571764ffe60353347b0315e6c87c SHA1: e1f7316b11a02b3bea58d02fe05a53bc8a903e36 MD5: 370baeff15dcd74c3ed1b9fd1128a962 |
M20-dw101 | GenericKidz_e3c0bf52 | Windows |
This strike sends a malware sample known as GenericKidz. GenericKidz is a Delphi application that installs the Hawkeye spyware. It uses the Windows Autostart registry key to persist across system reboots. | e3c0bf52abab62e7f6427d7984a30509 | https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.html SHA256: 454100af51eec868d71d2994dc370aad164375d4b640bfddce831ee3fa940b8f SHA1: 40c5576699e1c003a3a9c12da8a173729d31af07 MD5: e3c0bf52abab62e7f6427d7984a30509 |
M20-daf01 | Cerber_af3cc204 | Windows |
This strike sends a malware sample known as Cerber. Cerber is ransomware that encrypts documents, photos, databases and other important files, appending the file extension ".cerber". | af3cc2049b1c06a001a456e2bb2caf66 | https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.html SHA256: 0230d78c972d399f627b228776f2d8e96b717da068a128ace4b69067419708d6 SHA1: b1f164a36fab8cde80f2dc3fa04554558e27519d MD5: af3cc2049b1c06a001a456e2bb2caf66 |
M20-m2h01 | Chthonic_bb5fbb93 | Windows |
This strike sends a malware sample known as Chthonic. Chthonic is a banking trojan that is normally delivered via phishing emails. It exfiltrates sensitive credentials from the victim machine and has also been seen delivering other malware, such as AZORult, to extend its functionality. | bb5fbb9372ad0247b0bbdff420a0a477 | https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.html SHA256: 2ff4747e01031d470d5feae7e5073aa34aff489f29cbed18502960baf7dcfebe SHA1: bdf60ae370120d75a827ea8e85833cab106b9d34 MD5: bb5fbb9372ad0247b0bbdff420a0a477 |
M20-qcm01 | Cerber_a209900f | Windows |
This strike sends a malware sample known as Cerber. Cerber is ransomware that encrypts documents, photos, databases and other important files, appending the file extension ".cerber". | a209900fe0ec106ab8c651a7cbc99aa5 | https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.html SHA256: 1ba1f09c7e2fd18f2577a62a3103461c1f09610304571e1eb055687a65b03fae SHA1: 11a4e53f43e2f5a3fc3596862822b9e527f99990 MD5: a209900fe0ec106ab8c651a7cbc99aa5 |
M20-dk201 | Cerber_3af67275 | Windows |
This strike sends a malware sample known as Cerber. Cerber is ransomware that encrypts documents, photos, databases and other important files, appending the file extension ".cerber". | 3af672751c54a91f1175397ee62e536d | https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.html SHA256: 11bc5389a0c2d2f5a5fd68630cd8e46f3fdcb3ba434492e7ee71544a70986930 SHA1: ea6cc3dfb1248ba82d270a5024f416fb322cb95a MD5: 3af672751c54a91f1175397ee62e536d |
M20-ogi01 | Ragnar | Windows |
This strike sends a malware sample known as Ragnar Locker. Ragnar Locker is ransomware that encrypts infected systems and demands a Bitcoin ransom to decrypt the data. It gains access through unsecured RDP connections, then uses managed service provider (MSP) tools to push PowerShell scripts to all reachable endpoints. Those scripts download a payload from Pastebin that executes the ransomware. | 5b06303cdf191dae161e849841f8aff4 | https://www.deepinstinct.com/2020/04/27/ragnar-locker-ransomware-unlocked-by-deep-instinct/ SHA256: 5fc6f4cfb0d11e99c439a13b6c247ec3202a9a343df63576ce9f31cffcdbaf76 SHA1: 64b99b55f0a1ec4f8f30897a460c574300a8acbdMD5: 5b06303cdf191dae161e849841f8aff4 |
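The rows above carry three hashes per sample, but in the page's flattened layout the reference URL and the SHA256/SHA1/MD5 values often run together, which makes them awkward to load into a blocklist or a triage script. The following is an added example, not part of the strike list or of any vendor tooling: it parses rows in this exact layout (fused or space-separated), cross-checks the MD5 column against the MD5 inside the reference field, and matches a file's digests against the parsed IOCs. The two rows embedded in it are copied from the Ragnar Locker and Cerber entries above with their descriptions shortened; the "benign" bytes in the usage section are constructed for the negative case.

```python
"""Parse flattened strike rows into hash IOCs and match files against them (added example)."""
import hashlib
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Two rows in the page's own layout: "id | name | platform |" then
# "description | md5 | reference URL SHA256: ... SHA1: ... MD5: ... |".
# The first reference is fused to its SHA256 exactly as extracted; the second is spaced.
SAMPLE_ROWS = """\
M20-onw01 | Ragnar | Windows |
This strike sends a malware sample known as Ragnar Locker. | 0fbbc59d4fe280a55c1fb6f5502c1e73 | https://www.deepinstinct.com/2020/04/27/ragnar-locker-ransomware-unlocked-by-deep-instinct/SHA256: 63096f288f49b25d50f4aea52dc1fc00871b3927fa2a81fa0b0d752b261a3059SHA1: af53890ed1d4753e7493d48862bdd7d18a2b11f6MD5: 0fbbc59d4fe280a55c1fb6f5502c1e73 |
M20-bc001 | Cerber_608b841c | Windows |
This strike sends a malware sample known as Cerber. | 608b841c52758d52facc067c443706fc | https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.html SHA256: 0a280fb6afce1778478df3f8b1f962ea46aa865b27c88d7ca75368029580773e SHA1: 767621b4d4c9d31074a670ed747becfce0cfc386 MD5: 608b841c52758d52facc067c443706fc |
"""

# Fixed-width hex groups stop the match cleanly even when "...html" or a hash runs
# straight into the next label with no whitespace.
HASH_RE = re.compile(
    r"^(?P<ref>.*?)\s*SHA256:\s*(?P<sha256>[0-9a-fA-F]{64})\s*"
    r"SHA1:\s*(?P<sha1>[0-9a-fA-F]{40})\s*MD5:\s*(?P<md5>[0-9a-fA-F]{32})\s*$"
)


@dataclass(frozen=True)
class Strike:
    strike_id: str
    name: str
    platform: str
    description: str
    md5: str               # MD5 column of the row
    sha1: str
    sha256: str
    reference: str
    md5_in_reference: str  # MD5 repeated inside the reference field


def _cells(line: str) -> List[str]:
    """Split a ' | '-delimited row, dropping the empty cell left by the trailing '|'."""
    cells = [c.strip() for c in line.split("|")]
    while cells and not cells[-1]:
        cells.pop()
    return cells


def parse_strikes(text: str) -> List[Strike]:
    """Rows come in header/detail line pairs; hashes are normalised to lowercase hex."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if len(lines) % 2:
        raise ValueError("expected alternating header and detail lines")
    strikes = []
    for header, detail in zip(lines[0::2], lines[1::2]):
        strike_id, name, platform = _cells(header)[:3]
        cells = _cells(detail)
        description, md5_col, ref_field = " | ".join(cells[:-2]), cells[-2], cells[-1]
        m = HASH_RE.match(ref_field)
        if not m:
            raise ValueError(f"{strike_id}: no SHA256/SHA1/MD5 triple in {ref_field!r}")
        strikes.append(Strike(strike_id, name, platform, description, md5_col.lower(),
                              m["sha1"].lower(), m["sha256"].lower(),
                              m["ref"].strip(), m["md5"].lower()))
    return strikes


def inconsistent_rows(strikes: List[Strike]) -> List[str]:
    """IDs whose MD5 column disagrees with the MD5 inside the reference field (a copy error)."""
    return [s.strike_id for s in strikes if s.md5 != s.md5_in_reference]


def digest_bytes(data: bytes) -> Dict[str, str]:
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def match_digests(digests: Dict[str, str], strikes: List[Strike]) -> Optional[Strike]:
    """First strike whose SHA256, SHA1 or MD5 equals the supplied digest of the same kind."""
    wanted = {k: v.lower() for k, v in digests.items()}
    for s in strikes:
        if (s.sha256 == wanted.get("sha256") or s.sha1 == wanted.get("sha1")
                or s.md5 == wanted.get("md5")):
            return s
    return None


def match_bytes(data: bytes, strikes: List[Strike]) -> Optional[Strike]:
    return match_digests(digest_bytes(data), strikes)


if __name__ == "__main__":
    iocs = parse_strikes(SAMPLE_ROWS)
    print(f"{len(iocs)} strikes parsed; inconsistent rows: {inconsistent_rows(iocs)}")
    hit = match_bytes(b"benign constructed content", iocs)  # constructed, expected: no match
    print("match:", hit.strike_id if hit else None)
```

To use it against real material, feed the full list to `parse_strikes` and hash files from a quarantine directory with `match_bytes`; a SHA256 hit is the reliable signal, while an MD5-only or SHA1-only hit should be treated as a prompt to pull the SHA256 rather than as a confirmation, given both algorithms' known collision weaknesses.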