Malware Update 2017 Release Notes

Malware Update 2017

Malware Monthly Strikes

Malware December

Malware November

Malware Strikes December - 2017

Strike ID	Malware	Platform	Info	MD5	External References
M17-twn01	Doc.Dropper.Agent_e06c1e62	Mixed	This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.	e06c1e623a45b69730da1d9b40c20a84	SHA1: 3276a2e939251f1a00dfcb3497b9b83fd2d17c2b MD5: e06c1e623a45b69730da1d9b40c20a84 SHA256: 3cc669528549cc7394074ac3ffbaa6cf3eed14436a1653d70f54ca2b3d5cdead http://blog.talosintelligence.com/2017/12/threat-round-up-1201-1208.html
M17-21l01	CeeInject_a21f47b6	Windows	This strike sends a malware sample known as CeeInject. These trojan samples contain the PoSeidon malware that steal credit card information from Point of Sale systems.	a21f47b69edf6a886a2273a6e7bc9d4e	SHA1: 2f756597391b9d2a138be5599a92d48c567fa6b9 MD5: a21f47b69edf6a886a2273a6e7bc9d4e SHA256: d065ba2603790329d31e35cd45538b693c77f9870d98c4656e490c1a5034a8fa http://blog.talosintelligence.com/2017/12/threat-round-up-1201-1208.html
M17-t4101	CeeInject_aa9a551a	Windows	This strike sends a malware sample known as CeeInject. These trojan samples contain the PoSeidon malware that steal credit card information from Point of Sale systems.	aa9a551a968b3a7831b82a34c926374e	SHA1: c5b7b26e7651b0f3229d244314951ede554c2309 MD5: aa9a551a968b3a7831b82a34c926374e SHA256: 62a22fb0f59578de3679f70a41c2971b384167aebb032dd782f1d23d27015aa3 http://blog.talosintelligence.com/2017/12/threat-round-up-1201-1208.html
M17-b5501	Delf_b8845710	Windows	This strike sends a malware sample known as Delf. This sample is an infostealer. It fakes updating Adobe Acrobat and gains access to the user clipboard allowing for data to be stolen.	b8845710e4d48532a7e4426c93528bbf	SHA1: 7a6c0f696fc1d7bae9cbc6df7d8d6186ce8b7623 MD5: b8845710e4d48532a7e4426c93528bbf SHA256: c14055b23eb3a90e163962c9c70df3338bca68b67a615531ef40c6e8f8f6eabe http://blog.talosintelligence.com/2017/12/threat-round-up-1201-1208.html
M17-r4201	Delf_d9d5aabc	Windows	This strike sends a malware sample known as Delf. This sample is an infostealer. It fakes updating Adobe Acrobat and gains access to the user clipboard allowing for data to be stolen.	d9d5aabc90d5f8b978a84524e147680b	SHA1: b515808b145e9a1c642c05af1dba45e0804c5ca9 MD5: d9d5aabc90d5f8b978a84524e147680b SHA256: b17f8e85944768cc88c0a3b7103290c6eab820348103fa7a8a412af945e1d1dc http://blog.talosintelligence.com/2017/12/threat-round-up-1201-1208.html
M17-g0o01	Doc.Macro.Obfuscation_e3133b93	Mixed	This strike sends a malware sample known as Doc.Macro.Obfuscation. This Emotet code uses VBA macro obfuscation to hide Powershell commands. The MD5 hash of this Doc.Macro.	e3133b936cb53af89b03b2db9c287bd0	SHA1: cba47111683347f13cb82ca01eed243e36322082 MD5: e3133b936cb53af89b03b2db9c287bd0 SHA256: 46217dc4ef9fcef981be9a931995008f56b71e3f510721c33ed4b58b577e8fbb http://blog.talosintelligence.com/2017/12/threat-round-up-1201-1208.html
M17-do701	Doc.Dropper.Agent_c575c947	Mixed	This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.	c575c94767a7bd4d1164a590650ee560	SHA1: 017371a3fade367014af9fe2d5250ac51d8f3066 MD5: c575c94767a7bd4d1164a590650ee560 SHA256: 094842414f8029ea69cca6237b7758c2559dd553c98990cb4e8474e6653e0b9f http://blog.talosintelligence.com/2017/12/threat-round-up-1201-1208.html
M17-jzx01	Delf_89d87940	Windows	This strike sends a malware sample known as Delf. This sample is an infostealer. It fakes updating Adobe Acrobat and gains access to the user clipboard allowing for data to be stolen.	89d87940e1384c35b910be9604d15258	SHA1: d3db116df15a9f968b8bdc77f972a2c0512129f0 MD5: 89d87940e1384c35b910be9604d15258 SHA256: 44e27c54ae3dc4c4c228dc10389d2b28d1230a8933d61661271f4eaf65925b1f http://blog.talosintelligence.com/2017/12/threat-round-up-1201-1208.html
M17-u9001	Doc.Dropper.Agent_4574af0c	Mixed	This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.	4574af0c85d983b5d495b7eb38e587eb	SHA1: af7c2982661c8e15e757708ea598ed5378f8db16 MD5: 4574af0c85d983b5d495b7eb38e587eb SHA256: 2e6523b856a9f40bf3cf851407f3003a6564a7fb5d86657781a03bbd30d63966 http://blog.talosintelligence.com/2017/12/threat-round-up-1201-1208.html
M17-9xm01	Delf_18db1885	Windows	This strike sends a malware sample known as Delf. This sample is an infostealer. It fakes updating Adobe Acrobat and gains access to the user clipboard allowing for data to be stolen.	18db18858d8067c0c3053bfd2e44fcd8	SHA1: 2ae120eee658214f6cebe28394935dbefb8a6118 MD5: 18db18858d8067c0c3053bfd2e44fcd8 SHA256: 8486ba3a5d2ae2297118de5f39770fb89227752bbe3e59f951cd0ef0bab8c5b5 http://blog.talosintelligence.com/2017/12/threat-round-up-1201-1208.html
M17-l4a01	Delf_fad656b7	Windows	This strike sends a malware sample known as Delf. This sample is an infostealer. It fakes updating Adobe Acrobat and gains access to the user clipboard allowing for data to be stolen.	fad656b709ddaccffb84570e67d0c686	SHA1: c77523d7ebae57ae158d83f57cd1a00894505a16 MD5: fad656b709ddaccffb84570e67d0c686 SHA256: f6bad3bc203c29350726c32d2aad744479de84bc72e1ffed0ad8392e5dde43d0 http://blog.talosintelligence.com/2017/12/threat-round-up-1201-1208.html
M17-g2g01	Doc.Macro.Obfuscation_04aefa19	Mixed	This strike sends a malware sample known as Doc.Macro.Obfuscation. This Emotet code uses VBA macro obfuscation to hide Powershell commands. The MD5 hash of this Doc.Macro.	04aefa199d4a542d6352f928ed744b4a	SHA1: 61cd96f61a3a4b58931dd3841200f2f2d45f6def MD5: 04aefa199d4a542d6352f928ed744b4a SHA256: 4519c2f4fc0bc43cace2e70e464c00e7302e003262d7e6f903672becaba9e8ed http://blog.talosintelligence.com/2017/12/threat-round-up-1201-1208.html
M17-43801	Doc.Macro.Obfuscation_c6bf3a7b	Mixed	This strike sends a malware sample known as Doc.Macro.Obfuscation. This Emotet code uses VBA macro obfuscation to hide Powershell commands. The MD5 hash of this Doc.Macro.	c6bf3a7b5d4ec5203576c47a7f6e5ef0	SHA1: 96311baa66659e23d2ce8d749f9e68995bca4dbd MD5: c6bf3a7b5d4ec5203576c47a7f6e5ef0 SHA256: a44450c9b8514dd5647128f55d2704889c87e852e3eaceea80734ae7bf8d9f49 http://blog.talosintelligence.com/2017/12/threat-round-up-1201-1208.html
M17-avd01	Doc.Dropper.Agent_1d62d6fa	Mixed	This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.	1d62d6fad83ecdeb772e83f78fd69d4a	SHA1: 5e267220daf60ffc7c4411baf2da24f77ce38217 MD5: 1d62d6fad83ecdeb772e83f78fd69d4a SHA256: 0e9b2c7a5526c8d469c3e2183cd52a38d862773118d2401467c59472aaf17263 http://blog.talosintelligence.com/2017/12/threat-round-up-1201-1208.html
M17-7yh01	CeeInject_a584c3c5	Windows	This strike sends a malware sample known as CeeInject. These trojan samples contain the PoSeidon malware that steal credit card information from Point of Sale systems.	a584c3c54dba8eee4b0fc362e7e76db2	SHA1: 6536680a1ce032bac14475ae42d9ceadaae3093c MD5: a584c3c54dba8eee4b0fc362e7e76db2 SHA256: 36d4800fb0bed77e59468ae9b732eb806d59999ec2832a72e0209473069af5b1 http://blog.talosintelligence.com/2017/12/threat-round-up-1201-1208.html
M17-jz101	Doc.Macro.Obfuscation_0e5d2902	Mixed	This strike sends a malware sample known as Doc.Macro.Obfuscation. This Emotet code uses VBA macro obfuscation to hide Powershell commands. The MD5 hash of this Doc.Macro.	0e5d2902bbbb951f1ff03e46209701d0	SHA1: 8af2947eb8096ee4ceba2dc6c947e95080328716 MD5: 0e5d2902bbbb951f1ff03e46209701d0 SHA256: baf01275b874c04687f84d78451e41231b31bfc0e71995e124830ba63379fedd http://blog.talosintelligence.com/2017/12/threat-round-up-1201-1208.html
M17-d2h01	Doc.Dropper.Agent_4fb21661	Mixed	This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.	4fb216617e7b7dea0da5bf86fed57ba4	SHA1: 540fa52a3d00e1abc974257888aeb6af46a9fab6 MD5: 4fb216617e7b7dea0da5bf86fed57ba4 SHA256: 3cae4325b4b559431dba511779feadeff19433aed194511e4ea8f4ef676ac6c7 http://blog.talosintelligence.com/2017/12/threat-round-up-1201-1208.html
M17-09e01	CeeInject_ae76efc0	Windows	This strike sends a malware sample known as CeeInject. These trojan samples contain the PoSeidon malware that steal credit card information from Point of Sale systems.	ae76efc074b73cd22161133e927d2c43	SHA1: fb1f9e9965aabd6f222f27b3cbc07c9ce42d0774 MD5: ae76efc074b73cd22161133e927d2c43 SHA256: 3507a76940a2e6c930882b5cde32d2f11ba48cc0e6bfd6e4771a973ebe9db5ab http://blog.talosintelligence.com/2017/12/threat-round-up-1201-1208.html
M17-v3m01	Delf_3e933209	Windows	This strike sends a malware sample known as Delf. This sample is an infostealer. It fakes updating Adobe Acrobat and gains access to the user clipboard allowing for data to be stolen.	3e933209d6aa9be6fe1d6152fb0248d2	SHA1: 235c3a7aed45b29cdd978fdfb7b030117cb65592 MD5: 3e933209d6aa9be6fe1d6152fb0248d2 SHA256: 3b221118a4c2716c6c76ddc1b6b01866fcc2643d7c29e38279d6aa2dd27d60a7 http://blog.talosintelligence.com/2017/12/threat-round-up-1201-1208.html
M17-xgy01	Doc.Dropper.Agent_421b5937	Mixed	This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.	421b5937b5e764795d9052f378001ebd	SHA1: af750e75e69d868c62b5ab4afb87444950580b15 MD5: 421b5937b5e764795d9052f378001ebd SHA256: 3ac9e97344506f3e443490eb6b0d5f877e0c8d4462ab9bf9544b5128aafc78bb http://blog.talosintelligence.com/2017/12/threat-round-up-1201-1208.html
M17-0kx01	GenCNs_349830be	Windows	This strike sends a malware sample known as GenCNs. These samples of malware are trojans that contain dropper and adware components. The malware contacts many remote Chinese websites and attempts to download and execute additional files.	349830bee2fefe24a51a9bc221e7c21c	SHA1: 07eb8ae1747a67a3086f40235ba2d35733f4113b MD5: 349830bee2fefe24a51a9bc221e7c21c SHA256: 354c9f630336cce0332558d73ae8000b62f61ca3eb7462e21183546f0da613b8 http://blog.talosintelligence.com/2017/12/threat-round-up-1201-1208.html
M17-fpv01	Delf_fd56a259	Windows	This strike sends a malware sample known as Delf. This sample is an infostealer. It fakes updating Adobe Acrobat and gains access to the user clipboard allowing for data to be stolen.	fd56a2593d4a72e52ad367a24b74be5f	SHA1: ff352d3aaf8d6a6980f47ac359cc81e79bd97dd6 MD5: fd56a2593d4a72e52ad367a24b74be5f SHA256: 67ed3caf144d2b2dd0e8f0b6ed4de1e0ee4052e152cf32fdc22b9a3f8c935e67 http://blog.talosintelligence.com/2017/12/threat-round-up-1201-1208.html
M17-kjp01	Delf_782c6921	Windows	This strike sends a malware sample known as Delf. This sample is an infostealer. It fakes updating Adobe Acrobat and gains access to the user clipboard allowing for data to be stolen.	782c69213cd06e9f38d2790bce8468cd	SHA1: 0c11455383ce954cb93a3710f52b4def2270b350 MD5: 782c69213cd06e9f38d2790bce8468cd SHA256: 7a41c90ba46f40af093491c1f03fa64b36c6a10603c29a9af78540cde8440d60 http://blog.talosintelligence.com/2017/12/threat-round-up-1201-1208.html
M17-40t01	Delf_991bfd3e	Windows	This strike sends a malware sample known as Delf. This sample is an infostealer. It fakes updating Adobe Acrobat and gains access to the user clipboard allowing for data to be stolen.	991bfd3ed82b4ff45b645fa8b26dc5cd	SHA1: 8d3eb9f9dd1b5df31a3e72f9bb274704c2204d7e MD5: 991bfd3ed82b4ff45b645fa8b26dc5cd SHA256: c45fabfd7e6f52fa519d8215ac1d569ca385bb4552eae82e63da4befa319f1d9 http://blog.talosintelligence.com/2017/12/threat-round-up-1201-1208.html
M17-o9s01	Delf_d3f52372	Windows	This strike sends a malware sample known as Delf. This sample is an infostealer. It fakes updating Adobe Acrobat and gains access to the user clipboard allowing for data to be stolen.	d3f523726090121c6b3e79d7d9f1275d	SHA1: 03c1af0b6e182bb77aca2da4a231d346abcf0c23 MD5: d3f523726090121c6b3e79d7d9f1275d SHA256: 4bdae37fe1f8dab61a16f406f08a3bbe1482cd1387351f23b29849e1de64875d http://blog.talosintelligence.com/2017/12/threat-round-up-1201-1208.html
M17-4yf01	Delf_e27abe5e	Windows	This strike sends a malware sample known as Delf. This sample is an infostealer. It fakes updating Adobe Acrobat and gains access to the user clipboard allowing for data to be stolen.	e27abe5e4316761071b481c24f8da33c	SHA1: ad0ea4e76d4da6688df72d3129a6a5f9d1e79872 MD5: e27abe5e4316761071b481c24f8da33c SHA256: 9b6087e9607aa0149beecd97709d27cf2e3703fded3f7d31dd613a6d3f23ccaf http://blog.talosintelligence.com/2017/12/threat-round-up-1201-1208.html
M17-m2w01	Delf_b8fa4e0f	Windows	This strike sends a malware sample known as Delf. This sample is an infostealer. It fakes updating Adobe Acrobat and gains access to the user clipboard allowing for data to be stolen.	b8fa4e0f817ec962d896aee21e7526ac	SHA1: a13cdf1fdab36970378ab85d177fadc6bd38f8d9 MD5: b8fa4e0f817ec962d896aee21e7526ac SHA256: 482142f886ed2ee2610e2740695435e0488b5c7d6081daaeffdc93c87b6e2f93 http://blog.talosintelligence.com/2017/12/threat-round-up-1201-1208.html
M17-rql01	Delf_8f1ee3c9	Windows	This strike sends a malware sample known as Delf. This sample is an infostealer. It fakes updating Adobe Acrobat and gains access to the user clipboard allowing for data to be stolen.	8f1ee3c99c001da889fd425ca8654cfc	SHA1: 058a91440614455f581346cc943f1d53ab4adb50 MD5: 8f1ee3c99c001da889fd425ca8654cfc SHA256: 3dde0bb92308140701cb61711dc7e7298baff68668d96d2db9390e2b691efeb9 http://blog.talosintelligence.com/2017/12/threat-round-up-1201-1208.html
M17-zi801	CeeInject_b156268f	Windows	This strike sends a malware sample known as CeeInject. These trojan samples contain the PoSeidon malware that steal credit card information from Point of Sale systems.	b156268ffde83b0ee9938bd0d4c03842	SHA1: 13da902ef4c126fa463b8b668fedda3a285e75be MD5: b156268ffde83b0ee9938bd0d4c03842 SHA256: 58e226e02f8dded4b24ae60d2524497083c3d0dafb02436df5209fa9e1061085 http://blog.talosintelligence.com/2017/12/threat-round-up-1201-1208.html
M17-ref01	Delf_b4abdea5	Windows	This strike sends a malware sample known as Delf. This sample is an infostealer. It fakes updating Adobe Acrobat and gains access to the user clipboard allowing for data to be stolen.	b4abdea5409282a09c29f0600eef8950	SHA1: f0062085a02ea2025fafd535df19e74ef0e50c7b MD5: b4abdea5409282a09c29f0600eef8950 SHA256: 75eecd86ca4cbc10e60a6b5dc85964374fd91b25f0ecf08dcb7cd96d726ec581 http://blog.talosintelligence.com/2017/12/threat-round-up-1201-1208.html
M17-02j01	Doc.Dropper.Agent_0f25b221	Mixed	This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.	0f25b2210b58010b4de329c6a01b50ea	SHA1: 7ea2638f582d3e540efee8c0e890a8fa908b9d7a MD5: 0f25b2210b58010b4de329c6a01b50ea SHA256: 0b81075cc3ef1121f3eca801d2f821719a7cfa31e5d95081ec3feb195f44d8c6 http://blog.talosintelligence.com/2017/12/threat-round-up-1201-1208.html
M17-4s901	Doc.Dropper.Agent_b70b4b06	Mixed	This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.	b70b4b067e9e68044b8f86a69de6bbe6	SHA1: b4348ada0f12083ebc7fe10ceccfc81f0d07b1bb MD5: b70b4b067e9e68044b8f86a69de6bbe6 SHA256: 0099b9221eb92408f0b8bead5d703b5c7ecb11962f49f5e67f60725427318236 http://blog.talosintelligence.com/2017/12/threat-round-up-1201-1208.html
M17-fyx01	Delf_2b23f5b0	Windows	This strike sends a malware sample known as Delf. This sample is an infostealer. It fakes updating Adobe Acrobat and gains access to the user clipboard allowing for data to be stolen.	2b23f5b038fb291689d44384df65e9e8	SHA1: 050e8d256285b7fe52a44631c9a47e1e3ef104cf MD5: 2b23f5b038fb291689d44384df65e9e8 SHA256: f1db091fff240dd3d49f0d22d4809db237fda042cb7ddf7afc81a0430f5c4b8c http://blog.talosintelligence.com/2017/12/threat-round-up-1201-1208.html
M17-a3k01	Doc.Macro.Obfuscation_068777f3	Mixed	This strike sends a malware sample known as Doc.Macro.Obfuscation. This Emotet code uses VBA macro obfuscation to hide Powershell commands. The MD5 hash of this Doc.Macro.	068777f3f9f62fefd51370d8490f47dd	SHA1: 09009a815366627d431838726bd77968ecea0db6 MD5: 068777f3f9f62fefd51370d8490f47dd SHA256: 0f236dccbbdb81b7724f71569eff462c6fb40658f1697331617a38074a99c6e8 http://blog.talosintelligence.com/2017/12/threat-round-up-1201-1208.html
M17-2hv01	GenCNs_1e200f01	Windows	This strike sends a malware sample known as GenCNs. These samples of malware are trojans that contain dropper and adware components. The malware contacts many remote Chinese websites and attempts to download and execute additional files.	1e200f01c7326e1cdd15327d8a52b537	SHA1: 4fcf4bbcaaba19aaf506058ce89e06c5dda48b5b MD5: 1e200f01c7326e1cdd15327d8a52b537 SHA256: 093477fa334791163629386b655b01a8284cf9826760b2dd9c3046e370ce026b http://blog.talosintelligence.com/2017/12/threat-round-up-1201-1208.html
M17-3eu01	CeeInject_a50ec9ab	Windows	This strike sends a malware sample known as CeeInject. These trojan samples contain the PoSeidon malware that steal credit card information from Point of Sale systems.	a50ec9ab44367eae2c1c278c66600944	SHA1: 636f5221cd21a03545fb15c11e6d38d89b8126e3 MD5: a50ec9ab44367eae2c1c278c66600944 SHA256: 1a7de2ac4b22ca77acef5afe8e8b45dcc5150deb3408c8934221cfbbaee0655e http://blog.talosintelligence.com/2017/12/threat-round-up-1201-1208.html
M17-axu01	Doc.Macro.Obfuscation_c064974a	Mixed	This strike sends a malware sample known as Doc.Macro.Obfuscation. This Emotet code uses VBA macro obfuscation to hide Powershell commands. The MD5 hash of this Doc.Macro.	c064974ac92d98807829cdbe43420666	SHA1: 71ce210f1a99aaa92446d24e3a39219a582dc564 MD5: c064974ac92d98807829cdbe43420666 SHA256: 0a6d8c964286f1ec0173cde38caf3d5e36147945baaa83a0200e6f35f82446af http://blog.talosintelligence.com/2017/12/threat-round-up-1201-1208.html
M17-hsp01	Doc.Macro.Obfuscation_4346f550	Mixed	This strike sends a malware sample known as Doc.Macro.Obfuscation. This Emotet code uses VBA macro obfuscation to hide Powershell commands. The MD5 hash of this Doc.Macro.	4346f5504d196b5155f98c8afb40eb09	SHA1: be94f0f43d05f019a6396d6c778f741a8310ca74 MD5: 4346f5504d196b5155f98c8afb40eb09 SHA256: 5dbf9dc9341bd506eb2cdf5ec294c6c3029535424aa0a42e9b045cbd95c6d3df http://blog.talosintelligence.com/2017/12/threat-round-up-1201-1208.html
M17-7zc01	Doc.Macro.Obfuscation_c2b856bb	Mixed	This strike sends a malware sample known as Doc.Macro.Obfuscation. This Emotet code uses VBA macro obfuscation to hide Powershell commands. The MD5 hash of this Doc.Macro.	c2b856bb53d17d8175597a30904f7b83	SHA1: 5d5d2eb7060fe78b7273f24fceff046daa42312c MD5: c2b856bb53d17d8175597a30904f7b83 SHA256: d3e06e4d623b1bbf7b72ec709541c3b3fe66d09c4616c356cdc93240bd4b4c6a http://blog.talosintelligence.com/2017/12/threat-round-up-1201-1208.html
M17-36k01	CeeInject_b40e4e17	Windows	This strike sends a malware sample known as CeeInject. These trojan samples contain the PoSeidon malware that steal credit card information from Point of Sale systems.	b40e4e17c4629638dc656008d312619e	SHA1: 5a1caa82ccf072576de8ad643d5699e81fef2e1e MD5: b40e4e17c4629638dc656008d312619e SHA256: fe33dc8941a6cd8ef4f64af295c2066eb0974966dfb355b5dd57e0c277261033 http://blog.talosintelligence.com/2017/12/threat-round-up-1201-1208.html
M17-47t01	CeeInject_b0cc4e21	Windows	This strike sends a malware sample known as CeeInject. These trojan samples contain the PoSeidon malware that steal credit card information from Point of Sale systems.	b0cc4e2114239943e8e896620596b684	SHA1: 1b52da03d5b443b34f79033126d82a632c8227f7 MD5: b0cc4e2114239943e8e896620596b684 SHA256: 952e29ae44bb49c78f2b3fcd8c13e22181bc0a610e36723e41b79f8c1147649f http://blog.talosintelligence.com/2017/12/threat-round-up-1201-1208.html
M17-pn601	Delf_c4f402ed	Windows	This strike sends a malware sample known as Delf. This sample is an infostealer. It fakes updating Adobe Acrobat and gains access to the user clipboard allowing for data to be stolen.	c4f402ed89253dc6d3a3c66a0f8107da	SHA1: 179f35392c1f954751f14400f5d6fedf028658e4 MD5: c4f402ed89253dc6d3a3c66a0f8107da SHA256: d44dff94eaf9ed08c7f4ef47e69e0a9b308ce49c8bc814b94b2c95c92ba53fc3 http://blog.talosintelligence.com/2017/12/threat-round-up-1201-1208.html
M17-xkg01	GenCNs_00616fd2	Windows	This strike sends a malware sample known as GenCNs. These samples of malware are trojans that contain dropper and adware components. The malware contacts many remote Chinese websites and attempts to download and execute additional files.	00616fd29add2b97de09b7a457be4709	SHA1: 5a70be2e95529c920a9616b0c16ba5bffd5929b8 MD5: 00616fd29add2b97de09b7a457be4709 SHA256: 3e47b0d23d7e39af6759ca207d3307584862fe4181a6a4a54ea38cd45ce8c542 http://blog.talosintelligence.com/2017/12/threat-round-up-1201-1208.html
M17-hgf01	Delf_ac3b43ed	Windows	This strike sends a malware sample known as Delf. This sample is an infostealer. It fakes updating Adobe Acrobat and gains access to the user clipboard allowing for data to be stolen.	ac3b43ed7be4b848aec8d123f10ea7cf	SHA1: 6f9f31b4d847a8f8c803345bb60cb5d99013d45d MD5: ac3b43ed7be4b848aec8d123f10ea7cf SHA256: 04c3a321d00b8f54ae242969ede062ae10b8906ba5d7071fd0aa4f3b3b4ef73e http://blog.talosintelligence.com/2017/12/threat-round-up-1201-1208.html
M17-i5m01	Doc.Dropper.Agent_858e801a	Mixed	This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.	858e801a0dc4f3cddaec207fe1273e1b	SHA1: 25a803179857c7f6d8bad45105ead4483c822092 MD5: 858e801a0dc4f3cddaec207fe1273e1b SHA256: 14a415384df11be5271c58e66474cb4326aaeb4af0035afce1d61f75eaf53db3 http://blog.talosintelligence.com/2017/12/threat-round-up-1201-1208.html
M17-7fo01	CeeInject_ae933938	Windows	This strike sends a malware sample known as CeeInject. These trojan samples contain the PoSeidon malware that steal credit card information from Point of Sale systems.	ae933938d5a3ec9425fc5ef91dba7cc7	SHA1: c98d42a59c83f9cf4ff1e5be38d12cd08d6d3c77 MD5: ae933938d5a3ec9425fc5ef91dba7cc7 SHA256: b7ad41fbecce918894c0645aedbc60e4ac8daee24405b6a4957c98a728a14b9a http://blog.talosintelligence.com/2017/12/threat-round-up-1201-1208.html
M17-ar901	Delf_aeec7541	Windows	This strike sends a malware sample known as Delf. This sample is an infostealer. It fakes updating Adobe Acrobat and gains access to the user clipboard allowing for data to be stolen.	aeec754152015cb244aafd000cf0b1f2	SHA1: 7ba4f851bd04efd427a5437ae7e6f1ef410bdba7 MD5: aeec754152015cb244aafd000cf0b1f2 SHA256: cc1eadad7810c4c94cdeebd63b7e54604253c4651c3a31bdf27dc96c189baa10 http://blog.talosintelligence.com/2017/12/threat-round-up-1201-1208.html
M17-ena01	Doc.Dropper.Agent_e0a7aed6	Mixed	This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.	e0a7aed6203d6a5481231c75084f1ea2	SHA1: 1d59eb2140f1680bfc7362ea30a881c064b31750 MD5: e0a7aed6203d6a5481231c75084f1ea2 SHA256: 365d356b6d8d463ee4d6924b37acfecf16624a58d8d2e6a783a9ef289e74ace3 http://blog.talosintelligence.com/2017/12/threat-round-up-1201-1208.html
M17-mzt01	Doc.Macro.Obfuscation_e4f24b19	Mixed	This strike sends a malware sample known as Doc.Macro.Obfuscation. This Emotet code uses VBA macro obfuscation to hide Powershell commands. The MD5 hash of this Doc.Macro.	e4f24b19e3d3a1c12dbcebacf0b71428	SHA1: fa02d680cc152fd74ff51cf613290a7d8cf42035 MD5: e4f24b19e3d3a1c12dbcebacf0b71428 SHA256: 93900a04e4d7c629e03f3d510d249f1c8497cf94d818e0ae5913b685e467be6b http://blog.talosintelligence.com/2017/12/threat-round-up-1201-1208.html
M17-il001	Delf_74d3b1c2	Windows	This strike sends a malware sample known as Delf. This sample is an infostealer. It fakes updating Adobe Acrobat and gains access to the user clipboard allowing for data to be stolen.	74d3b1c2ea2baa2a623cc9faa5f2a697	SHA1: 87ba051c8658112191ced987ea835897af075707 MD5: 74d3b1c2ea2baa2a623cc9faa5f2a697 SHA256: b7c8faa19fb394f42733df9c1bc7c5f0a5313ead7b0ec870c0db05f6e3baa910 http://blog.talosintelligence.com/2017/12/threat-round-up-1201-1208.html
M17-kgd01	Delf_71a5947f	Windows	This strike sends a malware sample known as Delf. This sample is an infostealer. It fakes updating Adobe Acrobat and gains access to the user clipboard allowing for data to be stolen.	71a5947fe408ccf2790ad5cd7a333d89	SHA1: 16adf91243b33bbcba754b690ff2d2ed06c3014a MD5: 71a5947fe408ccf2790ad5cd7a333d89 SHA256: 248b6182fe5aaa120a6ad009595a93bf9431cbcd3e723ad711aef9b2d4562abf http://blog.talosintelligence.com/2017/12/threat-round-up-1201-1208.html
M17-kah01	Delf_00a0c1e8	Windows	This strike sends a malware sample known as Delf. This sample is an infostealer. It fakes updating Adobe Acrobat and gains access to the user clipboard allowing for data to be stolen.	00a0c1e82d42bcc7e433ac1694e04da7	SHA1: db8941a83a6cc5cad20d49591bb1e794acede3f0 MD5: 00a0c1e82d42bcc7e433ac1694e04da7 SHA256: db1181dbda2b6053b008568b8f2f7b8a98cc3bd30fbea83ac8f69900d657e56f http://blog.talosintelligence.com/2017/12/threat-round-up-1201-1208.html
M17-ho701	CeeInject_a0cda3e6	Windows	This strike sends a malware sample known as CeeInject. These trojan samples contain the PoSeidon malware that steal credit card information from Point of Sale systems.	a0cda3e60c2b34a6ffcff9cf81e472d9	SHA1: 830c3c07076262ae984668869e4fc8f432833451 MD5: a0cda3e60c2b34a6ffcff9cf81e472d9 SHA256: daee59ee955587d378dd6dc11af1a702d554c7926a9f42bac3752732c33e9317 http://blog.talosintelligence.com/2017/12/threat-round-up-1201-1208.html

Malware Strikes November - 2017

Strike ID	Malware	Platform	Info	MD5	External References
M17-a0h01	Phisherly_141e78d1	Mixed	This strike sends a malware sample known as Phisherly. Phisherly steals a user's credentials from an infected system.	141e78d16456a072c9697454fc6d5f58	SHA1: eff5e2a3ac471a1b5ecdf51a72e003a82c350506 MD5: 141e78d16456a072c9697454fc6d5f58 SHA256: c272a2d96aefdef746f983e7f8720792e8a6dee97a766a651dc55f70f605b23d https://www.symantec.com/blogs/threat-intelligence/dragonfly-energy-sector-cyber-attacks
M17-bqz01	BitCoinMiner_b81901a8	Windows	This strike sends a malware sample known as BitCoinMiner. This sample is a Cryptocurrency miner. If the victim has a CUDA-enabled GPU the malware is able to execute.	b81901a8a96a333737c01e4848ccf28d	SHA1: c89f96d6f201d52ca41f5b60b2be340eab69e588 MD5: b81901a8a96a333737c01e4848ccf28d SHA256: 7f783789ba87d344bf6450be97b0466c9b73e8cd1d320c08df8cb3636f09fbff http://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html
M17-fto01	BitCoinMiner_f18d818e	Windows	This strike sends a malware sample known as BitCoinMiner. This sample is a Cryptocurrency miner. If the victim has a CUDA-enabled GPU the malware is able to execute.	f18d818e861b56da53deecd06c9db901	SHA1: 1d2db370b9c01417251adb550bb6bd0013b1d64d MD5: f18d818e861b56da53deecd06c9db901 SHA256: 7b4fbaabf1374e4f6c817f0ed5a359f65eabbda7cbd970cb427d57a8a44773d6 http://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html
M17-58001	MSILTrojan_33d4bdc3	Windows	This strike sends a malware sample known as MSILTrojan. MSIL observes the user's actions via screenshots and keyboard logging. It then will try to send outbound emails through services like smtp.live.com. These can be used to exfiltrate wanted data or further spread the malware.	33d4bdc3b0f88581cf6e6e8508845eba	SHA1: d01284e3b6a40c9aad311af45023902a323472ff MD5: 33d4bdc3b0f88581cf6e6e8508845eba SHA256: 365505f8969a04992e5e3d835dbb6987a368439b2c757c24e59dc6daa13d60e6 http://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html
M17-huj01	BitCoinMiner_90c80922	Windows	This strike sends a malware sample known as BitCoinMiner. This sample is a Cryptocurrency miner. If the victim has a CUDA-enabled GPU the malware is able to execute.	90c809221b14472eeb6f5a5fd3b72011	SHA1: 051582083980bc2fb18dffbfe5178dca3b99da08 MD5: 90c809221b14472eeb6f5a5fd3b72011 SHA256: ed78e63401ee4290fb334cb0b159b1e94d86de345706f4fc30a4c1df0bd606f7 http://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html
M17-hmx01	Win32.MainerLoader_a8d10ea1	Windows	This strike sends a malware sample known as Win32.MainerLoader. Win32.MainerLoader sends out system information to an attacker's server. It also download and execute other files on the infected computer. The MD5 hash of this Win32.	a8d10ea1b0ce99f23f6397b263290b9d	SHA1: 8cc314dbd1021caf074cd12acce06891d006ee4c MD5: a8d10ea1b0ce99f23f6397b263290b9d SHA256: 4f51485cbb20d8a807c10150e51d948d5fc41307920fb47fb6d332a7f6386270 https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/troj_gen
M17-ym801	CryptoShuffler_50e52dbf	Windows	This strike sends a malware sample known as CryptoShuffler. CryptoShuffler steals currency from a wallet by replacing the users legitimate address with its own in the device clipboard.	50e52dbf0e78fcddbc42657ed0661a3e	SHA1: a18c50258d0fd2db67848f43762851a6ec3a3298 MD5: 50e52dbf0e78fcddbc42657ed0661a3e SHA256: a4e7e5d9d03a420b1fbc51bf8bb6482fbf37247e7c673e01281e42ddd0838343 https://www.bleepingcomputer.com/news/security/cryptoshuffler-stole-150-000-by-replacing-bitcoin-wallet-ids-in-pc-clipboards/
M17-m2r01	BitCoinMiner_a40990fc	Windows	This strike sends a malware sample known as BitCoinMiner. This sample is a Cryptocurrency miner. If the victim has a CUDA-enabled GPU the malware is able to execute.	a40990fce9e03100df3c05872940a22b	SHA1: 67051a38989bddb096a9283301c3a914e860f733 MD5: a40990fce9e03100df3c05872940a22b SHA256: bc9a756357e8a0d29931d1d9ec1747bb73855cdac99021abe99b444e5332a749 http://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html
M17-plg01	CryptoShuffler_7ec256d0	Windows	This strike sends a malware sample known as CryptoShuffler. CryptoShuffler steals currency from a wallet by replacing the users legitimate address with its own in the device clipboard.	7ec256d0470b0755c952db122c6bdd0b	SHA1: a42142a5990ee7d7c6ddba2b5bb9b222ccb8c291 MD5: 7ec256d0470b0755c952db122c6bdd0b SHA256: 6014e29490c1bce7ed3837681432ebc3755574aa934fd00fd399476a0cab2e62 https://www.bleepingcomputer.com/news/security/cryptoshuffler-stole-150-000-by-replacing-bitcoin-wallet-ids-in-pc-clipboards/
M17-rbl01	MSILTrojan_99262704	Windows	This strike sends a malware sample known as MSILTrojan. MSIL observes the user's actions via screenshots and keyboard logging. It then will try to send outbound emails through services like smtp.live.com. These can be used to exfiltrate wanted data or further spread the malware.	99262704560d9a7f91ff4ede923fb89c	SHA1: b02eb59d4e514d505f7bca1934d30809275a8613 MD5: 99262704560d9a7f91ff4ede923fb89c SHA256: c78b70c786d299ecb97021fa4b989455852084ec3afc45f6e348a8a0489263df http://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html
M17-xdl02	Kovter_b8908bde	Windows	This strike sends a malware sample known as Kovter. These Kovter samples deliver ransomware to their targets.	b8908bde35ba9583ca50269559ce1042	SHA1: ba2becd45f4f1a61563b457ec86d9a6e16146d2c MD5: b8908bde35ba9583ca50269559ce1042 SHA256: e0467fca9d07a69a53cb436d7962499bc25be34295dacf5a5d19ae9596ad2d98 http://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html
M17-9tf01	BitCoinMiner_bb5419da	Windows	This strike sends a malware sample known as BitCoinMiner. This sample is a Cryptocurrency miner. If the victim has a CUDA-enabled GPU the malware is able to execute.	bb5419da24e3322e89643e8a304b6b11	SHA1: 6a9d8fb1b31fe5f1f1dd6b5b65f7e3c6af0505f2 MD5: bb5419da24e3322e89643e8a304b6b11 SHA256: 0e92444bdc28dbd0e645cedb0c7f1d81708e2073b7c7567956b7bc665cb6b648 http://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html
M17-p4q01	BitCoinMiner_24d6a63c	Windows	This strike sends a malware sample known as BitCoinMiner. This sample is a Cryptocurrency miner. If the victim has a CUDA-enabled GPU the malware is able to execute.	24d6a63c35fa7d12b2f064416f3e2de3	SHA1: cabcb6eecf6f44bef039e8b3faa649b1f085cfcb MD5: 24d6a63c35fa7d12b2f064416f3e2de3 SHA256: 1814256a36032c226ddd8263395ecbe6fad92b4b11e62120ee4d35354cb670fe http://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html
M17-1t101	CryptoShuffler_1a05f512	Windows	This strike sends a malware sample known as CryptoShuffler. CryptoShuffler steals currency from a wallet by replacing the users legitimate address with its own in the device clipboard.	1a05f51212dea00c15b61e9c7b7e647b	SHA1: af0390b6c901cb7baad0b1cd12b1cabde666155e MD5: 1a05f51212dea00c15b61e9c7b7e647b SHA256: e8d189f83475c37631514925b5620957ba0528c2ec6fe2b41d70522f943827ee https://www.bleepingcomputer.com/news/security/cryptoshuffler-stole-150-000-by-replacing-bitcoin-wallet-ids-in-pc-clipboards/
M17-crw01	BitCoinMiner_e63f6558	Windows	This strike sends a malware sample known as BitCoinMiner. This sample is a Cryptocurrency miner. If the victim has a CUDA-enabled GPU the malware is able to execute.	e63f6558922f168106676055cfdf42a2	SHA1: d819666f89c8f44af4dce69e4df4fc051406bfc0 MD5: e63f6558922f168106676055cfdf42a2 SHA256: 9dd467e34763c06e251c25d5c679e291030564a0b95b6a23a35bbe5a86889c01 http://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html
M17-6ka01	CryptoShuffler_6eb7202b	Windows	This strike sends a malware sample known as CryptoShuffler. CryptoShuffler steals currency from a wallet by replacing the users legitimate address with its own in the device clipboard.	6eb7202bb156e6d90d4931054f9e3439	SHA1: ff3788e5482f0ee4f9e100bfd55302da5d00981b MD5: 6eb7202bb156e6d90d4931054f9e3439 SHA256: 652d68f69c01a54632b185b1005e2811df65f64e509385e786017f8d29aae77d https://www.bleepingcomputer.com/news/security/cryptoshuffler-stole-150-000-by-replacing-bitcoin-wallet-ids-in-pc-clipboards/
M17-jwi01	Document	Mixed	This strike sends a malware sample known as Document Macro Obfuscation. These document samples use obfuscated macros to launch Powershell to then execute malicious commands.	61f796a5f81c329a665db9782c235891	SHA1: 635c6c57f901b8b5fe5fefed5394b824dc60c96a MD5: 61f796a5f81c329a665db9782c235891 SHA256: bac652b6a5cb65db95afdd9628c389f34c0e5609ed60d96f5598e43ebb151b73 http://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html
M17-bnr01	BitCoinMiner_de1865b7	Windows	This strike sends a malware sample known as BitCoinMiner. This sample is a Cryptocurrency miner. If the victim has a CUDA-enabled GPU the malware is able to execute.	de1865b7ecdcb7c58a87253e7630fa04	SHA1: c15d78b2dc7d55ef0c0af8f32c6cc4fb658f4f00 MD5: de1865b7ecdcb7c58a87253e7630fa04 SHA256: cc9e68134aab06089ec5b7404d5b54c572b56b04e61053d068cc8b4e67625cce http://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html
M17-lho01	BitCoinMiner_9710aa0f	Mixed	This strike sends a malware sample known as BitCoinMiner. This sample is a Cryptocurrency miner. If the victim has a CUDA-enabled GPU the malware is able to execute.	9710aa0fc3583c64911e967e57988efa	SHA1: 228736959113b8cc9d7b7fe5b03236d04514c29e MD5: 9710aa0fc3583c64911e967e57988efa SHA256: 70de06f4911513162eb141787027f2cbe463e4382905e80724ad52ca6bae17bb http://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html
M17-aw201	CryptoShuffler_25bf6a13	Windows	This strike sends a malware sample known as CryptoShuffler. CryptoShuffler steals currency from a wallet by replacing the users legitimate address with its own in the device clipboard.	25bf6a132aae35a9d99e23794a41765f	SHA1: 7fa9fff6bc838689c9f360f08f35677f9801c360 MD5: 25bf6a132aae35a9d99e23794a41765f SHA256: d4125d1e48fb8b682cc108cc25e05fdc9a55a460d3be98de3f4657857300a8c6 https://www.bleepingcomputer.com/news/security/cryptoshuffler-stole-150-000-by-replacing-bitcoin-wallet-ids-in-pc-clipboards/
M17-9ow01	Kovter_34ef4378	Windows	This strike sends a malware sample known as Kovter. These Kovter samples deliver ransomware to their targets.	34ef4378ab88eaffd95a8fa0e18a6136	SHA1: 6b4e3e5fa351678e192936bf855d1a70c242f9e3 MD5: 34ef4378ab88eaffd95a8fa0e18a6136 SHA256: 468fdeeba11609d222b9554616dcb8b1ab10f565dcb6291bc5360dda3a97ab08 http://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html
M17-hmk01	BitCoinMiner_4db0c337	Windows	This strike sends a malware sample known as BitCoinMiner. This sample is a Cryptocurrency miner. If the victim has a CUDA-enabled GPU the malware is able to execute.	4db0c33744bdc72fdf35ecc5f0297010	SHA1: 6a3b664eaf9ad476467b04ed3a04f10226df1e54 MD5: 4db0c33744bdc72fdf35ecc5f0297010 SHA256: 84dd02debbf2b0c5ed7eebf813305543265e34ec98635139787bf8b882e7c7b4 http://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html
M17-o0r01	BitCoinMiner_bbd30233	Windows	This strike sends a malware sample known as BitCoinMiner. This sample is a Cryptocurrency miner. If the victim has a CUDA-enabled GPU the malware is able to execute.	bbd30233f78fc3e3161eac893160ed40	SHA1: 9a924c0561d02f7abb68f14c4255cb27d52b5801 MD5: bbd30233f78fc3e3161eac893160ed40 SHA256: e9a76ace7562d53aaa889caf517b827427162f8512c01ced0657cb08df4121f2 http://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html
M17-06o02	BitCoinMiner_f7878b68	Windows	This strike sends a malware sample known as BitCoinMiner. This sample is a Cryptocurrency miner. If the victim has a CUDA-enabled GPU the malware is able to execute.	f7878b6815e9f48d390b0c77ae1ab871	SHA1: dad734b20542638b170739a2bcdd81b7296861bf MD5: f7878b6815e9f48d390b0c77ae1ab871 SHA256: 0487114a1df2852b2f3ba69aaa49930055e04c81ffc1e68dad6b47bec7ba2faa http://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html
M17-y3g01	BitCoinMiner_f5d00567	Windows	This strike sends a malware sample known as BitCoinMiner. This sample is a Cryptocurrency miner. If the victim has a CUDA-enabled GPU the malware is able to execute.	f5d005670dd61571af041f2260ecbf55	SHA1: 3412e1ea4d3856b790d9441c0d3437decea05351 MD5: f5d005670dd61571af041f2260ecbf55 SHA256: a3d46a4fb9c6fa286c5dec80dd70a43c9ad70770b5d1540dea13e16b15d2ad26 http://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html
M17-20q01	CryptoShuffler_d9a2cd86	Windows	This strike sends a malware sample known as CryptoShuffler. CryptoShuffler steals currency from a wallet by replacing the users legitimate address with its own in the device clipboard.	d9a2cd869152f24b1a5294a1c82b7e85	SHA1: a84f8ddad371c0dc399a4c48eb5aeba99fb8ee93 MD5: d9a2cd869152f24b1a5294a1c82b7e85 SHA256: b84bed5c2c639dc68a20ba3a3f4aee6b4ee143249e2883399b6450888cb50f2a https://www.bleepingcomputer.com/news/security/cryptoshuffler-stole-150-000-by-replacing-bitcoin-wallet-ids-in-pc-clipboards/
M17-fe201	CryptoShuffler_39569ef2	Windows	This strike sends a malware sample known as CryptoShuffler. CryptoShuffler steals currency from a wallet by replacing the users legitimate address with its own in the device clipboard.	39569ef2c295d1392c3bc53e70bcf158	SHA1: ae45c72271f580053edc95991db3a05031c7ea68 MD5: 39569ef2c295d1392c3bc53e70bcf158 SHA256: 16e24d31e721ddb42841d1e408695f6af4ec74219488fe5ba97f4f5e5567c6e7 https://www.bleepingcomputer.com/news/security/cryptoshuffler-stole-150-000-by-replacing-bitcoin-wallet-ids-in-pc-clipboards/
M17-gc201	Karagany_1560f684	Windows	This strike sends a malware sample known as Karagany. This sample is a trojan that downloads malicious files onto the targeted machine.	1560f68403c5a41e96b28d3f882de7f1	SHA1: 95db15c67b48945237af7de61f3dbab92c99edd1 MD5: 1560f68403c5a41e96b28d3f882de7f1 SHA256: 28143c7638f22342bff8edcd0bedd708e265948a5fcca750c302e2dca95ed9f0 https://www.symantec.com/blogs/threat-intelligence/dragonfly-energy-sector-cyber-attacks
M17-23u01	Document	Mixed	This strike sends a malware sample known as Document Macro Obfuscation. These document samples use obfuscated macros to launch Powershell to then execute malicious commands.	d2673239608588792c223fd130e59260	SHA1: 053f5a39b3cd6996dd020dbed00d450085fb6d97 MD5: d2673239608588792c223fd130e59260 SHA256: 7372b2b16620b1a35fa83f4bd31af1f78fbb3fe7d3235b06c064c4d617461f69 http://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html
M17-tvq01	Document	Mixed	This strike sends a malware sample known as Document Macro Obfuscation. These document samples use obfuscated macros to launch Powershell to then execute malicious commands.	6d7b0cd6f24f2e7757c903fd5b4c9261	SHA1: 8b2c6cadf1e96606f8868b003cb9a4a0dbae501e MD5: 6d7b0cd6f24f2e7757c903fd5b4c9261 SHA256: f3fb2e9dcc0544751fb66d9325b5328d59298e7578c877924bc26944cbadb078 http://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html
M17-qfv01	Kovter_8cd89461	Windows	This strike sends a malware sample known as Kovter. These Kovter samples deliver ransomware to their targets.	8cd894611c813ba38483ca4db05ec8a4	SHA1: fbfca6bd426236e91146fe9f09c6372cb0d8bef1 MD5: 8cd894611c813ba38483ca4db05ec8a4 SHA256: be11330dfb54a48734679f458381d69059c037bd45deb69f70148f9c2e36fc0d http://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html
M17-oli01	Kovter_2853f41c	Windows	This strike sends a malware sample known as Kovter. These Kovter samples deliver ransomware to their targets.	2853f41c7ca1acafcd49666ae9c6270a	SHA1: 1c9737989560a5e254cd8e197bfe7680a5d9b516 MD5: 2853f41c7ca1acafcd49666ae9c6270a SHA256: b0d41c21e5d8396f711e1224f190b3281bb04d3f797ceb9c77558a5f567e3fe4 http://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html
M17-bk201	Magniber_8a0244ee	Windows	This strike sends a malware sample known as Magniber. Magniber is a Windows ransomware Trojan.It encrypts files with specific extensions on the infected computer.	8a0244eedee8a26139bea287a7e419d9	SHA1: 93619242ed888edfa3871035e0668cffa3643420 MD5: 8a0244eedee8a26139bea287a7e419d9 SHA256: 8968c1b7a7aa95931fcd9b72cdde8416063da27565d5308c818fdaafddfa3b51 https://www.fireeye.com/blog/threat-research/2017/10/magniber-ransomware-infects-only-the-right-people.html
M17-n8m01	ANDROIDOS_JSMINER_628d47c8	Android	This strike sends a malware sample known as ANDROIDOS_JSMINER. ANDROIDOS_JSMINER has malicious cryptocurrency mining capabilities. It uses dynamic JavaScript loading and native code injection to avoid detection.	628d47c8d487baf8f59ea83c291dc4e7	SHA1: f85465431466ba2ae40cdb38367d2a8b52c593e8 MD5: 628d47c8d487baf8f59ea83c291dc4e7 SHA256: 440cc9913d623ed42563e90eec352da9438a9fdac331017af2ab9b87a5eee4af http://blog.trendmicro.com/trendlabs-security-intelligence/coin-miner-mobile-malware-returns-hits-google-play/
M17-aqo01	Kovter_cf86c7b4	Windows	This strike sends a malware sample known as Kovter. These Kovter samples deliver ransomware to their targets.	cf86c7b48ab5632d19316f17fb35b218	SHA1: cdb9798f09051d2ba91ad6f4122aabc4cd78b58a MD5: cf86c7b48ab5632d19316f17fb35b218 SHA256: 6e445be806032f4a73d17d73cb00639f632b23f2731ac0c2267a4bb34237fd32 http://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html
M17-67m01	BitCoinMiner_e9a20556	Windows	This strike sends a malware sample known as BitCoinMiner. This sample is a Cryptocurrency miner. If the victim has a CUDA-enabled GPU the malware is able to execute.	e9a20556ff2a4b5c5b3d9bbfac4d6697	SHA1: 4999c6864d56c6b6e8b19ef8c61d380a69777fbf MD5: e9a20556ff2a4b5c5b3d9bbfac4d6697 SHA256: a23bdb4e3973bc0a4e746038df90e5834efbd521a59df4d488f226a956144da5 http://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html
M17-afk01	CryptoShuffler_7ae273cd	Windows	This strike sends a malware sample known as CryptoShuffler. CryptoShuffler steals currency from a wallet by replacing the users legitimate address with its own in the device clipboard.	7ae273cd2243c4afcc52fda6bf1c2833	SHA1: 94d09fbe0dbe265546c9b6e54b818ebf369aaaac MD5: 7ae273cd2243c4afcc52fda6bf1c2833 SHA256: 04e6837fba02b594996b121386b33132e1539aa3d373680b3768ed8c3b7438aa https://www.bleepingcomputer.com/news/security/cryptoshuffler-stole-150-000-by-replacing-bitcoin-wallet-ids-in-pc-clipboards/
M17-0nk01	MSILTrojan_2e417156	Windows	This strike sends a malware sample known as MSILTrojan. MSIL observes the user's actions via screenshots and keyboard logging. It then will try to send outbound emails through services like smtp.live.com. These can be used to exfiltrate wanted data or further spread the malware.	2e41715629ffb2504dbbe476fc5cc7ca	SHA1: 5435766916e00decde56002437d8fcfd1371f121 MD5: 2e41715629ffb2504dbbe476fc5cc7ca SHA256: 6707d3ed970ced8091d64bbd0bc742e2d4d8f192e1e6c64ee9037451c04bca13 http://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html
M17-e5501	Win32.Gibon_5baed560	Windows	This strike sends a malware sample known as Win32.Gibon. This ransomware is distributed via malspam with an attached malicious document, which contain macros that will download and install the ransomware on a computer. The MD5 hash of this Win32.	5baed5607749deabddd1722f3c3bfa0f	SHA1: 11cdb444bb7453b65453d584815005e228a1fe5d MD5: 5baed5607749deabddd1722f3c3bfa0f SHA256: 30b5c4609eadafc1b4f97b906a4928a47231b525d6d5c9028c873c4421bf6f98 https://www.bleepingcomputer.com/news/security/gibon-ransomware-being-distributued-by-malspam/
M17-muq01	Document	Mixed	This strike sends a malware sample known as Document Macro Obfuscation. These document samples use obfuscated macros to launch Powershell to then execute malicious commands.	5a169af04c6b7b51a32bea36c24a5dcc	SHA1: ea19a62377acdeeac7c910442e4c74205cfdc047 MD5: 5a169af04c6b7b51a32bea36c24a5dcc SHA256: 7684aa4355b4992a8e168956e54424f03acca1cab32d0c62a4c87e6b5522d991 http://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html
M17-kdd01	BitCoinMiner_429cdb56	Mixed	This strike sends a malware sample known as BitCoinMiner. This sample is a Cryptocurrency miner. If the victim has a CUDA-enabled GPU the malware is able to execute.	429cdb5672313d8e2dff29fe3e68cd7a	SHA1: 8b5eab59d76eb42a59fee6aeac606154da0a3bce MD5: 429cdb5672313d8e2dff29fe3e68cd7a SHA256: 2888cc28bac5a432b2a819e08420e8f7e59f28d56ce8168c5865e6c3cd875776 http://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html
M17-ws801	BitCoinMiner_02793535	Windows	This strike sends a malware sample known as BitCoinMiner. This sample is a Cryptocurrency miner. If the victim has a CUDA-enabled GPU the malware is able to execute.	027935353d8c8f8bd70efdb55592e8ed	SHA1: 9002922f9a14faf7dbffd4db23ad5a892e52d0ff MD5: 027935353d8c8f8bd70efdb55592e8ed SHA256: 3daa009acb66af54564e8dd02da9f2ec1fbebb8c86382c461600cca5ca63ce20 http://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html
M17-u9f01	AsiaHitGroup_60a71632	Android	This strike sends a malware sample known as AsiaHitGroup. This mobile Android malware is disguised as an alarm clock app, a QR scanner app, a compass app, a photo editor app, an Internet speed test app, and a file explorer app on the Google Play store. Once downloaded and launched, the application will attempt to download a malicious apk. However, it appears as though you must be in Asia to make these outbound calls and download this apk.	60a71632004ee431abb28bf91c3a4982	SHA1: 18d99b25f0805c38737aeed025ecdf9cb4213eac MD5: 60a71632004ee431abb28bf91c3a4982 SHA256: 5650d33173ecf1979d7648ee2f3faeb2494de5969373838c6bc16fac68175b55 https://blog.malwarebytes.com/cybercrime/2017/11/new-trojan-malware-discovered-google-play/
M17-9qp01	Kovter_83b2b7d7	Windows	This strike sends a malware sample known as Kovter. These Kovter samples deliver ransomware to their targets.	83b2b7d72a697c0b67d7d4680ba5d9b1	SHA1: 3c234c10bc5d76b31ac2338d074338b59a9652af MD5: 83b2b7d72a697c0b67d7d4680ba5d9b1 SHA256: c4e37130cc1688d204ef34f8762d9c3182552622bbf61b127b22c0b733a3b700 http://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html
M17-wxl01	EMOTET_e3f53eb7	Mixed	This strike sends a malware sample known as EMOTET. Emotet is used as a banking Trojan that targeted users in Europe and the U.S.	e3f53eb751acc7eb18645753a15a1325	SHA1: b98d80994ef3f6a66ce37fabcb862752673de8d5 MD5: e3f53eb751acc7eb18645753a15a1325 SHA256: 455be9278594633944bfdada541725a55e5ef3b7189ae13be8b311848d473b53 http://blog.trendmicro.com/trendlabs-security-intelligence/new-emotet-hijacks-windows-api-evades-sandbox-analysis/
M17-zt901	Cosmic	Windows	This strike sends a malware sample known as Cosmic Duke. This sample is part of a known family related to the MiniDuke APT. When executed it exfiltrates credentials stored on disk to a remote server.	00064289cfe524823d92e59f9502d3c7	SHA1: 21b8e6a957e13b9eeea09d32462824eaaa3879fc MD5: 00064289cfe524823d92e59f9502d3c7 SHA256: 496220acf4b44f5564898533636dc3f19304d86ef7d223fbeedfb858e1570fd3 http://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html
M17-xcx01	BitCoinMiner_4de76e36	Windows	This strike sends a malware sample known as BitCoinMiner. This sample is a Cryptocurrency miner. If the victim has a CUDA-enabled GPU the malware is able to execute.	4de76e36b07903fb9edb4eb99178b9a3	SHA1: 76b5ef6b17be91a3cfa03ef81b3015e49edaed50 MD5: 4de76e36b07903fb9edb4eb99178b9a3 SHA256: f26e6efc015b0dc9982b88fa02e3f2b2601173aaa300feb558104ef453c94941 http://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html
M17-b5o01	CryptoShuffler_80df8640	Windows	This strike sends a malware sample known as CryptoShuffler. CryptoShuffler steals currency from a wallet by replacing the users legitimate address with its own in the device clipboard.	80df8640893e2d7ccd6f66fff6216016	SHA1: f4553d85c2414e76fcf8fd29cb4ee72f8dc7fefb MD5: 80df8640893e2d7ccd6f66fff6216016 SHA256: 5a8910d46a33500f8aceb21022401a9f0f813aba816228374960f491b7ecdc0e https://www.bleepingcomputer.com/news/security/cryptoshuffler-stole-150-000-by-replacing-bitcoin-wallet-ids-in-pc-clipboards/
M17-m5e01	CryptoShuffler_14461d5e	Windows	This strike sends a malware sample known as CryptoShuffler. CryptoShuffler steals currency from a wallet by replacing the users legitimate address with its own in the device clipboard.	14461d5ea29b26bb88abf79a36c1e449	SHA1: 2cc7c759f20b53b9835b34b1ccb4f1023e45934e MD5: 14461d5ea29b26bb88abf79a36c1e449 SHA256: c22248719c19ca31d60370e9054c7866758d842547c65953e461138e4ce09788 https://www.bleepingcomputer.com/news/security/cryptoshuffler-stole-150-000-by-replacing-bitcoin-wallet-ids-in-pc-clipboards/
M17-o6701	BitCoinMiner_20be1c12	Windows	This strike sends a malware sample known as BitCoinMiner. This sample is a Cryptocurrency miner. If the victim has a CUDA-enabled GPU the malware is able to execute.	20be1c1252b41cffd918ceabfcb7fc1c	SHA1: 4691fb23b0db41bd97effffd477173e3e437e705 MD5: 20be1c1252b41cffd918ceabfcb7fc1c SHA256: 314fa254bd1da034501300e8766d000aa0ab306bbd19f42e243f9d2370473712 http://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html
M17-ui801	AsiaHitGroup_178e6737	Android	This strike sends a malware sample known as AsiaHitGroup. This mobile Android malware is disguised as an alarm clock app, a QR scanner app, a compass app, a photo editor app, an Internet speed test app, and a file explorer app on the Google Play store. Once downloaded and launched, the application will attempt to download a malicious apk. However, it appears as though you must be in Asia to make these outbound calls and download this apk.	178e6737a779a845b8f2baf143fdea15	SHA1: 133e77bee8897052be054cbf238d64e858ee92ac MD5: 178e6737a779a845b8f2baf143fdea15 SHA256: e6d4d7c7ff21dd359d94089c095aec85936120007a2b20931ad0087a05fa9aa5 https://blog.malwarebytes.com/cybercrime/2017/11/new-trojan-malware-discovered-google-play/
M17-1nk01	Cosmic	Windows	This strike sends a malware sample known as Cosmic Duke. This sample is part of a known family related to the MiniDuke APT. When executed it exfiltrates credentials stored on disk to a remote server.	0005a28a83a6767035ae2fa2bb9941e3	SHA1: a1f5ea21b314848fe5f42fecbf9745e5098fbd90 MD5: 0005a28a83a6767035ae2fa2bb9941e3 SHA256: eababe6f24e25622d795bde97ccfc32c51c1d0ee346a3c345f26b8e191d54664 http://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html
M17-zrz01	CryptoShuffler_0ad946c3	Windows	This strike sends a malware sample known as CryptoShuffler. CryptoShuffler steals currency from a wallet by replacing the users legitimate address with its own in the device clipboard.	0ad946c351af8b53eac06c9b8526f8e4	SHA1: 18cc6c59074f782b94ca0c2065b1245073b7b427 MD5: 0ad946c351af8b53eac06c9b8526f8e4 SHA256: 56e564ca187f03ff851522e8df7d19fe4f23b7299ff158f0895a464654b71b33 https://www.bleepingcomputer.com/news/security/cryptoshuffler-stole-150-000-by-replacing-bitcoin-wallet-ids-in-pc-clipboards/
M17-khj01	Document	Mixed	This strike sends a malware sample known as Document Macro Obfuscation. These document samples use obfuscated macros to launch Powershell to then execute malicious commands.	6090a7ec6b5b44a061e21b8583077509	SHA1: 9d3491bed9edde08ffc658f738efa2599102ebe5 MD5: 6090a7ec6b5b44a061e21b8583077509 SHA256: ecdeeda6b71b88d0367bfb63291afe5ab5e34a5a43244791604c28d43323f59a http://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html
M17-rys01	Kovter_2dc0bc50	Windows	This strike sends a malware sample known as Kovter. These Kovter samples deliver ransomware to their targets.	2dc0bc500df708a104cf9522acf28bdf	SHA1: 1bc5af673571c8e1c5204727dd31c7b93934d4d6 MD5: 2dc0bc500df708a104cf9522acf28bdf SHA256: da973bebb2c14bcd3f493ffc1cc2cd6225f3b49fe77c1189de35f2dcfa72bbf8 http://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html
M17-kdu01	Marcher_0fdff6b5	Android	This strike sends a malware sample known as Marcher. Marcher is an Android banking trojan that has been around since 2013. New strains of this malware have been seen by security experts and they are being spread through SMS/MMS containing links to popular Android applications.	0fdff6b5dbe7c749720823b01bf03581	SHA1: 7272f999fd0ca9517befbd14f8dd020551a3d0c3 MD5: 0fdff6b5dbe7c749720823b01bf03581 SHA256: 22df438b3dd1ba417700abf998e4b24a666623e1ce7dc05b0388c695f78898cd https://info.phishlabs.com/blog/android.trojan.marcher-conclusion https://info.phishlabs.com/blog/technique-change-observed-in-malicious-android-application-marcher-banking-trojan
M17-xh601	Cosmic	Windows	This strike sends a malware sample known as Cosmic Duke. This sample is part of a known family related to the MiniDuke APT. When executed it exfiltrates credentials stored on disk to a remote server.	00012978bd7350d3348eaee157519f7b	SHA1: 0013b6b96094490b5b71d7428a66a5df9e6a9264 MD5: 00012978bd7350d3348eaee157519f7b SHA256: 792536894069dc265ae05a25f86a358a10011fa3d32ccf972e5867f862997925 http://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html
M17-baz01	CryptoShuffler_1e785429	Windows	This strike sends a malware sample known as CryptoShuffler. CryptoShuffler steals currency from a wallet by replacing the users legitimate address with its own in the device clipboard.	1e785429526cc2621baf8bb05ed17d86	SHA1: da4247104540eb884f41780e675d8b3e1c116faa MD5: 1e785429526cc2621baf8bb05ed17d86 SHA256: 00e3bcfd0ef917c73c5a3818daf5bc0271fb3da53817df1215c20bfa5e4e91da https://www.bleepingcomputer.com/news/security/cryptoshuffler-stole-150-000-by-replacing-bitcoin-wallet-ids-in-pc-clipboards/
M17-h9901	BitCoinMiner_884f4ad2	Windows	This strike sends a malware sample known as BitCoinMiner. This sample is a Cryptocurrency miner. If the victim has a CUDA-enabled GPU the malware is able to execute.	884f4ad2a0794df84686a171f2b537ec	SHA1: 2333de451a4c2f939bb4f8f474853589b92e280e MD5: 884f4ad2a0794df84686a171f2b537ec SHA256: 3bcd92e4b5d1961e6b85f140d83698c37f0eba71993e41fc62c80a32e1a091c2 http://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html
M17-tcs01	MSILTrojan_f5fba636	Windows	This strike sends a malware sample known as MSILTrojan. MSIL observes the user's actions via screenshots and keyboard logging. It then will try to send outbound emails through services like smtp.live.com. These can be used to exfiltrate wanted data or further spread the malware.	f5fba636088a87a397646070e33b2879	SHA1: ba7caa2338dcbaa3882226e3fbcb0dc3a6feb740 MD5: f5fba636088a87a397646070e33b2879 SHA256: 47c364ac3d539ac0874e66b3f7cb0c5a87e3c67323156b082575fc926d1ecb13 http://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html
M17-hjc01	BitCoinMiner_f316095a	Windows	This strike sends a malware sample known as BitCoinMiner. This sample is a Cryptocurrency miner. If the victim has a CUDA-enabled GPU the malware is able to execute.	f316095aaf3c80fc343826ce1b0fedf2	SHA1: fc367378558214aa1e23533c48b56e5cd43bf84c MD5: f316095aaf3c80fc343826ce1b0fedf2 SHA256: 82bbc279515e29a63b38752d3532e6f9e5e36ffb6b4f1dd783c370eb68667b76 http://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html
M17-se101	BitCoinMiner_cf67170f	Windows	This strike sends a malware sample known as BitCoinMiner. This sample is a Cryptocurrency miner. If the victim has a CUDA-enabled GPU the malware is able to execute.	cf67170f3aadc037c0244e3139d09ecb	SHA1: b65e6be09d3f9ddc3a3bc623a7f7e10fb0962a9b MD5: cf67170f3aadc037c0244e3139d09ecb SHA256: 714069902c8b82e636cda415148847f5867a32706eaf4a3a04fcb0efac7cc03a http://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html
M17-qbr01	MSILTrojan_b4f78eed	Windows	This strike sends a malware sample known as MSILTrojan. MSIL observes the user's actions via screenshots and keyboard logging. It then will try to send outbound emails through services like smtp.live.com. These can be used to exfiltrate wanted data or further spread the malware.	b4f78eed0970b137295f3a2ef8822ade	SHA1: 8224b97eeba1a3a6d366854feb964360033097a0 MD5: b4f78eed0970b137295f3a2ef8822ade SHA256: db8c2fa78a2751bafd2d1a95f778a725735d42854c901e42976d1599f75deef5 http://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html
M17-zfb01	CryptoShuffler_aa46f95f	Windows	This strike sends a malware sample known as CryptoShuffler. CryptoShuffler steals currency from a wallet by replacing the users legitimate address with its own in the device clipboard.	aa46f95f25c764a96f0fb3c75e1159f8	SHA1: 77d98d609236c1ea6c8336a4dff59366be4ab1b2 MD5: aa46f95f25c764a96f0fb3c75e1159f8 SHA256: a933d57549ed5250e1038db316baffb21291a8b4738d020d940adf61e0cfed53 https://www.bleepingcomputer.com/news/security/cryptoshuffler-stole-150-000-by-replacing-bitcoin-wallet-ids-in-pc-clipboards/
M17-ent01	Marcher_084390d7	Android	This strike sends a malware sample known as Marcher. Marcher is an Android banking trojan that has been around since 2013. New strains of this malware have been seen by security experts and they are being spread through SMS/MMS containing links to popular Android applications.	084390d758e66732645e8f51007f5ef1	SHA1: 97b581a81c7c9fe4b03393f0bd2a91588457ab40 MD5: 084390d758e66732645e8f51007f5ef1 SHA256: 663dd58fcd4ed84c097d0b4abf86a24613dd1fe49112d59d6bf3cbfb11acd5b5 https://info.phishlabs.com/blog/android.trojan.marcher-conclusion https://info.phishlabs.com/blog/technique-change-observed-in-malicious-android-application-marcher-banking-trojan
M17-t4n01	BitCoinMiner_207b4096	Windows	This strike sends a malware sample known as BitCoinMiner. This sample is a Cryptocurrency miner. If the victim has a CUDA-enabled GPU the malware is able to execute.	207b4096ea7dec575b14c6459d4df895	SHA1: be66427c06f87129c818ac61a904c7462167bdd5 MD5: 207b4096ea7dec575b14c6459d4df895 SHA256: de7d4019549e2f018789c902afe9552bd9127328dc439bbe59d8b79a8565569c http://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html
M17-uth01	BitCoinMiner_3f67d5cd	Windows	This strike sends a malware sample known as BitCoinMiner. This sample is a Cryptocurrency miner. If the victim has a CUDA-enabled GPU the malware is able to execute.	3f67d5cd0cf42aa15aba7295741b5725	SHA1: 8c87c1e578caa47272ff56401c688e68be82eed6 MD5: 3f67d5cd0cf42aa15aba7295741b5725 SHA256: 293548f39cdaeac4d59fb55efbce7ac214349aa5ae46df0f905a0ab5cc1ae5ee http://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html
M17-ita01	MSILTrojan_88eb478d	Windows	This strike sends a malware sample known as MSILTrojan. MSIL observes the user's actions via screenshots and keyboard logging. It then will try to send outbound emails through services like smtp.live.com. These can be used to exfiltrate wanted data or further spread the malware.	88eb478d43bc41fdc3179151f1646d8e	SHA1: f7a63f0297c8c946e70e7ef34bb3357e7a7693a2 MD5: 88eb478d43bc41fdc3179151f1646d8e SHA256: b793ca990b4ebad46758253f8b3065334f923a7c077ce57c3b71308b6bd38422 http://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html
M17-k9001	Cosmic	Windows	This strike sends a malware sample known as Cosmic Duke. This sample is part of a known family related to the MiniDuke APT. When executed it exfiltrates credentials stored on disk to a remote server.	0003087a16dcd93b55fd9867fece6806	SHA1: fb56cb3dac0cb3e1e5c328f5b469623f9688c999 MD5: 0003087a16dcd93b55fd9867fece6806 SHA256: 98e5bc8b136f2aafc7b46308f71ceeb675f057f3220a44e90e7498e226d746d3 http://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html
M17-2pb01	CryptoShuffler_b7adc869	Windows	This strike sends a malware sample known as CryptoShuffler. CryptoShuffler steals currency from a wallet by replacing the users legitimate address with its own in the device clipboard.	b7adc8699cdc02d0ab2d1bb8be1847f4	SHA1: 445d6cb81fe995e748026f1de9cbbeb3289fe91c MD5: b7adc8699cdc02d0ab2d1bb8be1847f4 SHA256: 7d1486e42dd9ce388ed1a04c6ae1c9233dfb00b151512141370d322ea2822b6e https://www.bleepingcomputer.com/news/security/cryptoshuffler-stole-150-000-by-replacing-bitcoin-wallet-ids-in-pc-clipboards/
M17-w8e01	Cosmic	Windows	This strike sends a malware sample known as Cosmic Duke. This sample is part of a known family related to the MiniDuke APT. When executed it exfiltrates credentials stored on disk to a remote server.	00056cffa20df8ad95108490d2d1ebbb	SHA1: d7699d0329d7b0e88778d75fdea8631510e12f98 MD5: 00056cffa20df8ad95108490d2d1ebbb SHA256: 457bd4b9ad2c422f91fc5bcf74c52d392d32ace50f244d1beb624f42eebbaec8 http://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html
M17-knx01	Dorshel_b3b5d67f	Windows	This strike sends a malware sample known as Dorshel. Dorshel is a Trojan that opens a backdoor on the infected machine.	b3b5d67f5bbf5a043f5bf5d079dbcb56	SHA1: c7eae6cd08d0601223b641745f078dffce285066 MD5: b3b5d67f5bbf5a043f5bf5d079dbcb56 SHA256: cee4211af96df184236e816ab0b11d95d1075148299a29719fcd9675b2714426 https://www.symantec.com/blogs/threat-intelligence/dragonfly-energy-sector-cyber-attacks
M17-qhi01	Document	Mixed	This strike sends a malware sample known as Document Macro Obfuscation. These document samples use obfuscated macros to launch Powershell to then execute malicious commands.	541c4ae0b75d2f4261ae69cda4722c76	SHA1: 6c8885233d34af040c69310d2435143643a1dd00 MD5: 541c4ae0b75d2f4261ae69cda4722c76 SHA256: 0b8bcc0c7281c9ad5e2c03b08c881b48015d064906deeccbe7bf944f4ef6d532 http://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html
M17-v7x01	AsiaHitGroup_b481ce9d	Android	This strike sends a malware sample known as AsiaHitGroup. This mobile Android malware is disguised as an alarm clock app, a QR scanner app, a compass app, a photo editor app, an Internet speed test app, and a file explorer app on the Google Play store. Once downloaded and launched, the application will attempt to download a malicious apk. However, it appears as though you must be in Asia to make these outbound calls and download this apk.	b481ce9d0b7295cda33b15f9c7809b95	SHA1: 6e0dc1a6edffa26998b80a42c0773941d0cd36ca MD5: b481ce9d0b7295cda33b15f9c7809b95 SHA256: 9d07dd6f6266167edeb83e7eeac1d10a4c038f349e18ba2d65a2fff9c8a17099 https://blog.malwarebytes.com/cybercrime/2017/11/new-trojan-malware-discovered-google-play/
M17-e8i01	CryptoShuffler_095536ca	Windows	This strike sends a malware sample known as CryptoShuffler. CryptoShuffler steals currency from a wallet by replacing the users legitimate address with its own in the device clipboard.	095536ca531ae11a218789cf297e71ed	SHA1: 6fc487600cf7b89bb29828b46f090635e0b17654 MD5: 095536ca531ae11a218789cf297e71ed SHA256: e79733fb552d4c91268ec0f1d0bd4de6030123650ed8b4cf4d0bdbf9b48c2963 https://www.bleepingcomputer.com/news/security/cryptoshuffler-stole-150-000-by-replacing-bitcoin-wallet-ids-in-pc-clipboards/
M17-ggm01	Document	Mixed	This strike sends a malware sample known as Document Macro Obfuscation. These document samples use obfuscated macros to launch Powershell to then execute malicious commands.	bb0c0d90c304ee48045db45bcb64d039	SHA1: aaeae71d40a14a4ebf520a08f70726f2f31c7556 MD5: bb0c0d90c304ee48045db45bcb64d039 SHA256: dd8bd175e95c9bdc963f6b7a188f9a0e4184411097123e2bb76111c9550b12dd http://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html
M17-tnm01	BitCoinMiner_8dbb98a8	Windows	This strike sends a malware sample known as BitCoinMiner. This sample is a Cryptocurrency miner. If the victim has a CUDA-enabled GPU the malware is able to execute.	8dbb98a873ddd30eddd07fc0450dfb8c	SHA1: b226981f2f524b6b996398b08d919f53768d87ae MD5: 8dbb98a873ddd30eddd07fc0450dfb8c SHA256: 63544397a0cfbf53588ad8792a870e6b7ff2fa0cf16dc6a3796a3ea4805776d6 http://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html
M17-n0f01	EMOTET_c18a79a8	Mixed	This strike sends a malware sample known as EMOTET. Emotet is used as a banking Trojan that targeted users in Europe and the U.S.	c18a79a8cdb7a8dc8237d9fe4c654902	SHA1: 14db95d275bad7fe63fbdbacec967309b660240b MD5: c18a79a8cdb7a8dc8237d9fe4c654902 SHA256: 3f75ee07639bbcebf9b904debae1b40ae1e2f2cbfcef44caeda21a9dae71c982 http://blog.trendmicro.com/trendlabs-security-intelligence/new-emotet-hijacks-windows-api-evades-sandbox-analysis/
M17-4bw01	Document	Mixed	This strike sends a malware sample known as Document Macro Obfuscation. These document samples use obfuscated macros to launch Powershell to then execute malicious commands.	2f7d44061aa3ee95590a68a61281d41c	SHA1: 1290b9a58304df9f86ea502c6d1942d49f2c12c3 MD5: 2f7d44061aa3ee95590a68a61281d41c SHA256: f1231de08447a85356afedfdad5262e7ebba32bc68d23e73e5385164caf2182b http://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html
M17-du501	Document	Mixed	This strike sends a malware sample known as Document Macro Obfuscation. These document samples use obfuscated macros to launch Powershell to then execute malicious commands.	2e705bff61f210c1395890d90b54a921	SHA1: 5409ab136cb2261a71ed3e6af8a1b5900efa46ed MD5: 2e705bff61f210c1395890d90b54a921 SHA256: 7c056f1a930943cd3afcba96555185cb598210f96c1b098b321a6e7d087599a8 http://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html
M17-43v01	Kovter_9d0ef4a2	Windows	This strike sends a malware sample known as Kovter. These Kovter samples deliver ransomware to their targets.	9d0ef4a2161f47a7ece488906e0ed983	SHA1: 30f8ed43aa45d75b330a6d9685086a4d90cb68d0 MD5: 9d0ef4a2161f47a7ece488906e0ed983 SHA256: fa0577e117929e21a3881b615a0a3cb087f5bbda6628b7612f036d0753c1b24b http://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html
M17-8j701	BitCoinMiner_27d24809	Windows	This strike sends a malware sample known as BitCoinMiner. This sample is a Cryptocurrency miner. If the victim has a CUDA-enabled GPU the malware is able to execute.	27d2480941a8bce3205854b38a61f7af	SHA1: 63cb3988223961e2cb5063fcfb8f24c2aefc9db8 MD5: 27d2480941a8bce3205854b38a61f7af SHA256: 7a6d865285069c90fcf5b8b3671b6daa7c9e6a9e39a37d4854ab630c6f094178 http://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html
M17-zv402	EMOTET_d6c81263	Windows	This strike sends a malware sample known as EMOTET. Emotet is used as a banking Trojan that targeted users in Europe and the U.S.	d6c8126371d37ffe3100755db6aa22ed	SHA1: 294b381e200aa3f343989877c9ef5efdda25ca42 MD5: d6c8126371d37ffe3100755db6aa22ed SHA256: fbff242aeeff98285e000ef03cfa96e87d6d63c41080d531edcb455646b64eec http://blog.trendmicro.com/trendlabs-security-intelligence/new-emotet-hijacks-windows-api-evades-sandbox-analysis/
M17-lcj01	BitCoinMiner_39f7e72f	Windows	This strike sends a malware sample known as BitCoinMiner. This sample is a Cryptocurrency miner. If the victim has a CUDA-enabled GPU the malware is able to execute.	39f7e72f1749e4d76c0e7edd965e984f	SHA1: 3017a7e1f3e4014085f0f347dd463bb3281e3c48 MD5: 39f7e72f1749e4d76c0e7edd965e984f SHA256: aecfcd163d2665720b7b63288b6964dcab57960c2c3cd77e7674445c282c3188 http://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html
M17-28v01	Kovter_8dc86428	Windows	This strike sends a malware sample known as Kovter. These Kovter samples deliver ransomware to their targets.	8dc864280742ac9c038522b33c40b6ec	SHA1: cb15e8d0dc0ae34889cb0ffc9d1efcf4f3d43d53 MD5: 8dc864280742ac9c038522b33c40b6ec SHA256: 36d5cee0fd6862ae64e0074e12ca1599be7953d7cdfa93ca3993c5f83c9cf1b2 http://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html
M17-ghb01	BitCoinMiner_fb675e13	Windows	This strike sends a malware sample known as BitCoinMiner. This sample is a Cryptocurrency miner. If the victim has a CUDA-enabled GPU the malware is able to execute.	fb675e1398e9f6b8b6c43937c6e9e351	SHA1: 7c0884b56e5c40786f6cb8e4e42083116c36dfd4 MD5: fb675e1398e9f6b8b6c43937c6e9e351 SHA256: 019538248027b51c92cef1cc2e8cff4577c30508e0aa06a65adfdcc125c6846c http://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html
M17-ac801	Kovter_b24b8f5c	Windows	This strike sends a malware sample known as Kovter. These Kovter samples deliver ransomware to their targets.	b24b8f5cd81ba3968ecee4b95f310ad0	SHA1: 073b067a68e24e038ced211a7c343d8ca3379c62 MD5: b24b8f5cd81ba3968ecee4b95f310ad0 SHA256: cc714cbf5aac23f09bcc9eea1b8577d2e1673d9fe1433f5658eecc818a2f8469 http://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html
M17-5fw01	Win32.BioData_fec0ca20	Windows	This strike sends a malware sample known as Win32.BioData. This malware exploits a vulnerability in the InPage program. It can download and execute malicious files on the infected system. The MD5 hash of this Win32.	fec0ca2056d679a63ca18cb132223332	SHA1: 5bf9d07d06be22f999e2f94fd3dbca4dd2ef0be6 MD5: fec0ca2056d679a63ca18cb132223332 SHA256: 5716509e4cdbf8ffa5fbce02b8881320cb852d98e590215455986a5604a453f7 https://researchcenter.paloaltonetworks.com/2017/11/unit42-recent-inpage-exploits-lead-multiple-malware-families/
M17-01o01	AsiaHitGroup_995d5dc8	Android	This strike sends a malware sample known as AsiaHitGroup. This mobile Android malware is disguised as an alarm clock app, a QR scanner app, a compass app, a photo editor app, an Internet speed test app, and a file explorer app on the Google Play store. Once downloaded and launched, the application will attempt to download a malicious apk. However, it appears as though you must be in Asia to make these outbound calls and download this apk.	995d5dc873104b5e42b3c0af805359db	SHA1: f2be8f0f3228fa225a33e1c03b2836e4b9bc2ff9 MD5: 995d5dc873104b5e42b3c0af805359db SHA256: 4629536b5c92fa3d7fb55c9dba87b255405c7224fe06d60c281edc13de21e754 https://blog.malwarebytes.com/cybercrime/2017/11/new-trojan-malware-discovered-google-play/
M17-i8v01	CryptoShuffler_d45b0a25	Windows	This strike sends a malware sample known as CryptoShuffler. CryptoShuffler steals currency from a wallet by replacing the users legitimate address with its own in the device clipboard.	d45b0a257f8a0710c7b27980de22616e	SHA1: 565e71a83a99239ee32834ec2fc3620c6b039368 MD5: d45b0a257f8a0710c7b27980de22616e SHA256: 5ce1f20b6136523e3ce01361e77062a21279f7b95124c9640e8d5cb53a6c4d3e https://www.bleepingcomputer.com/news/security/cryptoshuffler-stole-150-000-by-replacing-bitcoin-wallet-ids-in-pc-clipboards/
M17-rv201	MSILTrojan_9165ccce	Windows	This strike sends a malware sample known as MSILTrojan. MSIL observes the user's actions via screenshots and keyboard logging. It then will try to send outbound emails through services like smtp.live.com. These can be used to exfiltrate wanted data or further spread the malware.	9165cccee0c1248d2f906b8634a175a5	SHA1: 026708c4ecb7381392c430702cb08a1d07d7efae MD5: 9165cccee0c1248d2f906b8634a175a5 SHA256: 987cdbc17259f87a9e6b04c1d6c3c971f23c380f7da1a0d93ff79584230e5b7c http://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html
M17-qv701	BitCoinMiner_91725ab4	Windows	This strike sends a malware sample known as BitCoinMiner. This sample is a Cryptocurrency miner. If the victim has a CUDA-enabled GPU the malware is able to execute.	91725ab4f5caf0154cc1eb424cee8c53	SHA1: 386658978699d3f095598ef5aa32b540e230943d MD5: 91725ab4f5caf0154cc1eb424cee8c53 SHA256: fdfe3ab063fd7dad96a6492cc1b7f43c169e270868a3541a89e177b8dacaf16b http://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html
M17-0c001	ANDROIDOS_JSMINER_fc1e0818	Android	This strike sends a malware sample known as ANDROIDOS_JSMINER. ANDROIDOS_JSMINER has malicious cryptocurrency mining capabilities. It uses dynamic JavaScript loading and native code injection to avoid detection.	fc1e08187de3f4b7cb52bd09ea3c2594	SHA1: 6241e89839c4a15472c963c4cce57dd31017daf4 MD5: fc1e08187de3f4b7cb52bd09ea3c2594 SHA256: 22581e7e76a09d404d093ab755888743b4c908518c47af66225e2da991d112f0 http://blog.trendmicro.com/trendlabs-security-intelligence/coin-miner-mobile-malware-returns-hits-google-play/
M17-da401	Win32.SunOrcald_8ea868f0	Windows	This strike sends a malware sample known as Win32.SunOrcald. This variant is used concurrently, with both Reaver and the traditional SunOrcal. It shares much of the same infrastructure. It downloads and executes DLL files on the infected system. It also adds a value to the RunOnce key in the Registry. The MD5 hash of this Win32.	8ea868f0655560fb7ec299305fbaefbe	SHA1: 9a62eac0757f2a056c7a9e0d8d971b61ef69362e MD5: 8ea868f0655560fb7ec299305fbaefbe SHA256: 67ef25b0708e6c268d2cbd78d03141acfc9cf895b8422da69beb2ca598f2fcc7 https://researchcenter.paloaltonetworks.com/2017/11/unit42-sunorcal-adds-github-steganography-repertoire-expands-vietnam-myanmar/
M17-d2j01	BitCoinMiner_ce2250c0	Windows	This strike sends a malware sample known as BitCoinMiner. This sample is a Cryptocurrency miner. If the victim has a CUDA-enabled GPU the malware is able to execute.	ce2250c00516d99151a4d76f75942311	SHA1: c4b3c4da5dd88e0dc561acd92afe9255f48d7ddc MD5: ce2250c00516d99151a4d76f75942311 SHA256: 459a5346ac350d03b7e5fd5b9882afee243f2d1f838ead99ab06a2cde783c522 http://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html
M17-ons01	AsiaHitGroup_3cc02e4f	Android	This strike sends a malware sample known as AsiaHitGroup. This mobile Android malware is disguised as an alarm clock app, a QR scanner app, a compass app, a photo editor app, an Internet speed test app, and a file explorer app on the Google Play store. Once downloaded and launched, the application will attempt to download a malicious apk. However, it appears as though you must be in Asia to make these outbound calls and download this apk.	3cc02e4feceb488b084665e763968108	SHA1: d18f3c0c318fad791e6d07dcdf255da30adc9be0 MD5: 3cc02e4feceb488b084665e763968108 SHA256: 858543599b9a6d6d48c9243b9e330fcbe24a464b942e53020fac4535b4d440f3 https://blog.malwarebytes.com/cybercrime/2017/11/new-trojan-malware-discovered-google-play/
M17-5dj01	AsiaHitGroup_7ceda121	Android	This strike sends a malware sample known as AsiaHitGroup. This mobile Android malware is disguised as an alarm clock app, a QR scanner app, a compass app, a photo editor app, an Internet speed test app, and a file explorer app on the Google Play store. Once downloaded and launched, the application will attempt to download a malicious apk. However, it appears as though you must be in Asia to make these outbound calls and download this apk.	7ceda121f9d452e9a32b8088f50012b8	SHA1: bcc23e9ab5becc874c9c6ae1d891e25f8fe2a6ae MD5: 7ceda121f9d452e9a32b8088f50012b8 SHA256: d43b5384bf21006754322de96ce15b12d7bac75ad40e6ac30fbe45a78c98f85f https://blog.malwarebytes.com/cybercrime/2017/11/new-trojan-malware-discovered-google-play/
M17-zwa01	Credrix_a4cf567f	Windows	This strike sends a malware sample known as Credrix. Credrix is a tool that gathers Windows credentials from memory.	a4cf567f27f3b2f8b73ae15e2e487f00	SHA1: 4f2faef3d65099c19d617df73af5119dd719240c MD5: a4cf567f27f3b2f8b73ae15e2e487f00 SHA256: 178348c14324bc0a3e57559a01a6ae6aa0cb4013aabbe324b51f906dcf5d537e https://www.symantec.com/security_response/writeup.jsp?docid=2017-071015-4148-99
M17-uz501	Document	Mixed	This strike sends a malware sample known as Document Macro Obfuscation. These document samples use obfuscated macros to launch Powershell to then execute malicious commands.	520f6ccab58564e448fc5dfade163d47	SHA1: 81b3ff18f520c546dac6e78a94172f8b2a07299a MD5: 520f6ccab58564e448fc5dfade163d47 SHA256: 4d9f3de7aeca86a1ba1a653e04994eb69d31c6afc5802691ee9178bf8d593ed5 http://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html
M17-jxl01	BitCoinMiner_ac11bc15	Windows	This strike sends a malware sample known as BitCoinMiner. This sample is a Cryptocurrency miner. If the victim has a CUDA-enabled GPU the malware is able to execute.	ac11bc15e3e6f4caa1c6f090659c397e	SHA1: cf7431f9ac3682d9c980ca2dfcd7885fe75e7220 MD5: ac11bc15e3e6f4caa1c6f090659c397e SHA256: 9d6b9fa1861b72f348a4fa8b209eb7f40f4a497bcf98204ba5fd389f7fa82b93 http://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html
M17-06o01	AsiaHitGroup_7eec1c26	Android	This strike sends a malware sample known as AsiaHitGroup. This mobile Android malware is disguised as an alarm clock app, a QR scanner app, a compass app, a photo editor app, an Internet speed test app, and a file explorer app on the Google Play store. Once downloaded and launched, the application will attempt to download a malicious apk. However, it appears as though you must be in Asia to make these outbound calls and download this apk.	7eec1c26e60fede7644187b0082b6ac4	SHA1: f43039b1fb54f0d292fc8e234d5021e041469687 MD5: 7eec1c26e60fede7644187b0082b6ac4 SHA256: e45cd99a664c5bb68ea7ab8e8f47f329bd01dc1193106e25962478b5259c0009 https://blog.malwarebytes.com/cybercrime/2017/11/new-trojan-malware-discovered-google-play/
M17-1gc01	BitCoinMiner_331e9bff	Windows	This strike sends a malware sample known as BitCoinMiner. This sample is a Cryptocurrency miner. If the victim has a CUDA-enabled GPU the malware is able to execute.	331e9bff18d6d6394d2039a6ed22d295	SHA1: 0a506b6b26c6e04d03f5aff533f8da68c3899084 MD5: 331e9bff18d6d6394d2039a6ed22d295 SHA256: 1a736b816b476800c1adb87169100192e503a1737ebedef5b1f14d695a100011 http://blog.talosintelligence.com/2017/11/threat-round-up-1110-1117.html

Malware Strikes October - 2017

Strike ID	Malware	Platform	Info	MD5	External References
M17-evu01	CCleaner_384ca346	Windows	This strike sends a malware sample known as CCleaner. This sample of CCleaner being distributed by Avast contains a malicious payload that features a domain generation algorithm and hard coded C2 functionality. The malicious payload may attempt to elevate privileges, or send an HTTP request to a remote controller in hopes to retrieve another stage payload.	384ca346f00feb0e361c0f081f56ddf3	SHA1: a21403e47a1eddffefa3dd9dd1bd8fb77be9fe6f MD5: 384ca346f00feb0e361c0f081f56ddf3 SHA256: 30b1dfd6eae2e473464c7d744a094627e5a70a89b62916457e30e3e773761c48 http://blog.talosintelligence.com/2017/09/threat-round-up-170922-170929.html
M17-ma601	Office	Windows	This strike sends a malware sample known as Office DDE Vortex Payload PE. This sample is a payload associated with the Microsoft Office DDE attacks. Specifically this payload disguises itself as a NVIDIA service and communicates with beer-ranking.pl. The sample grabs a crypto key and is in fact the ransomware Vortex.	09d71f068d2bbca9fac090bde74e762b	SHA1: a0d537e6093561e003648a756c9f9138386c4c00 MD5: 09d71f068d2bbca9fac090bde74e762b SHA256: fe72a6b6da83c779787b2102d0e2cfd45323ceab274924ff617eb623437c2669 http://pedramamini.postach.io/ https://www.peerlyst.com/posts/microsoft-office-dde-vortex-ransomware-targeting-poland-inquest-net http://contagiodump.blogspot.com/2017/10/dde-command-execution-malware-samples.html
M17-vy101	TorrentLocker_1fbf4f38	Windows	This strike sends a malware sample known as TorrentLocker. This sample of ransomware uses AES encryption to encrypt files on the victim's machine before demanding a Bitcoin ransom.	1fbf4f38b0d853e9fff54f92a204a064	SHA1: 337690de61d7a7aa45f94306b522558ce5e83df3 MD5: 1fbf4f38b0d853e9fff54f92a204a064 SHA256: cc07ae7275b177c6882cffce894389383ca2c76af5dc75094453699252c9c831 http://blog.talosintelligence.com/2017/09/threat-round-up-170922-170929.html
M17-en301	TrickBot_6e5209d1	Mixed	This strike sends a malware sample known as TrickBot. TrickBot is a banking trojan which shares similarities with Dyre banking trojan. It is used by crooks to target customers of Australian banks.	6e5209d1bc0a6815913b242c27709f30	SHA1: b47a0d2b81a34e67ba32f473cf1ba9823b37afbe MD5: 6e5209d1bc0a6815913b242c27709f30 SHA256: e6bd4d23467ee8df96837140695de5689cc7f7b73cffd9a9d40e33444766496a http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-bvc01	BadRabbit_1d724f95	Windows	This strike sends a malware sample known as BadRabbit. This sample included with BadRabbit is named infpub.dat. It is executed via run32 and contains a list of credentials that are used in brute force attempts to get the scheduled tasks to execute the ransomware.	1d724f95c61f1055f0d02c2154bbccd3	SHA1: 79116fe99f2b421c52ef64097f0f39b815b20907 MD5: 1d724f95c61f1055f0d02c2154bbccd3 SHA256: 579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648 https://securingtomorrow.mcafee.com/mcafee-labs/badrabbit-ransomware-burrows-russia-ukraine/ http://blog.talosintelligence.com/2017/10/bad-rabbit.html
M17-xo001	Tofsee_acad9e88	Windows	This strike sends a malware sample known as Tofsee. This sample has been tied to other malicious malware like the Zeus botnet. It is contains several layers of encryption, and exhibits ransomware behavior as well as sends spam.	acad9e88923eb9702c24ff3fa8a068ff	SHA1: 9d51bcc4860db3acf3c994fae9fa7b20290d6efa MD5: acad9e88923eb9702c24ff3fa8a068ff SHA256: 6cbb53ee5485e756bd8680944961b6c27d59c1a610c5f93c1788a2dafd1f5706 http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-41n01	Tofsee_732773ce	Windows	This strike sends a malware sample known as Tofsee. This sample has been tied to other malicious malware like the Zeus botnet. It is contains several layers of encryption, and exhibits ransomware behavior as well as sends spam.	732773ce4e83a4ad7ce41617a7d4cad6	SHA1: fb01078080a10537f0e4a479df42252693742480 MD5: 732773ce4e83a4ad7ce41617a7d4cad6 SHA256: 5ecce618b7b65cac1a5930608aa939241f4312a54a3efbfaf8c3bb5e27056b91 http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-m8601	RevengeRat_2031d7a4	Windows	This strike sends a malware sample known as RevengeRat. This sample is a Remote Access Tool that allows for the attacker to perform a variety of malicious covert functions on the target system. Some of these capabilities include but are not limited to, spying on the user, and ex-filtrating data.	2031d7a4f5f2aba56b2f7c5186c70fcd	SHA1: 280277d0218f4eb5a2bf46c8e7a0ab5b2f9ac6b5 MD5: 2031d7a4f5f2aba56b2f7c5186c70fcd SHA256: fdb99a0527be797fc7d7b7f48088c21d034bce6a5c848ede43714d86d3266661 http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-zzl01	Jrat_396adbc1	Mixed	This strike sends a malware sample known as Jrat. This sample is a document that contains an embedded OLE object that attempts to contact external domains to download additional malicious code.	396adbc1de0d0748baf3fb6bbe912e4f	SHA1: 14503f8fe1f22d6cb256f3bd16dfe90394f752d6 MD5: 396adbc1de0d0748baf3fb6bbe912e4f SHA256: bb4793538712834408cd9b3b58c1edf8da81906ffc12e25766fb40ddabe1c383 http://blog.talosintelligence.com/2017/09/threat-round-up-170922-170929.html
M17-xl301	Beeldeb_7eba8802	Windows	This strike sends a malware sample known as Beeldeb. This sample is a trojan that gets added to the startup folder for persistence. It's a self-executing AutoIT script, and the malware payload is injected into a dropped executable.	7eba88026a13a88d2e68bce88fff9d2f	SHA1: 710fe6d8aee660eb4e8652787c85ff8b475e15e2 MD5: 7eba88026a13a88d2e68bce88fff9d2f SHA256: ca07844200067101a91d23604a7fb425ee8b47a66567a953103a9949f66d74cc http://blog.talosintelligence.com/2017/09/threat-round-up-170922-170929.html
M17-q6401	Jrat_2071f755	Mixed	This strike sends a malware sample known as Jrat. This sample is a document that contains an embedded OLE object that attempts to contact external domains to download additional malicious code.	2071f755c30a63b0a73791156f273c02	SHA1: 8d9f5af4a548abd03550702dbb53a0e0428ca12c MD5: 2071f755c30a63b0a73791156f273c02 SHA256: fff6555400d65b28590cdde1a1f1a8731f02e8c21c1a9f167d53dc1054cc865a http://blog.talosintelligence.com/2017/09/threat-round-up-170922-170929.html
M17-psn01	Emotet_9646fbee	Mixed	This strike sends a malware sample known as Emotet. This document sample has been identified in the Emotet banking trojan. It contains obfuscated code, and uses Powershell to download payloads.	9646fbeeb768f431f5440ab2c2259ed4	SHA1: d95826fd488a873e866ee0793daa602ee90bede5 MD5: 9646fbeeb768f431f5440ab2c2259ed4 SHA256: f7972ab6d27883f9c1a0fb6b0e54466eb6305eaa1bfb6c09da82e1539bbe7fc4 http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-qcz01	Document	Mixed	This strike sends a malware sample known as Document Macro Obfuscation. This sample uses obfuscation to bypass detection and adds useless code to misdirect analysis.	5bac0670f7baf2ead07145303a9ddcbb	SHA1: 268fbf5dcb1486166925b76af3b73a129104298d MD5: 5bac0670f7baf2ead07145303a9ddcbb SHA256: 4abacdd4177a4446dedc00992c7d33538fd0046ba99971c2dcbdff49d51a7664 http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-2vg01	TorrentLocker_03f3e0bc	Windows	This strike sends a malware sample known as TorrentLocker. This sample of ransomware uses AES encryption to encrypt files on the victim's machine before demanding a Bitcoin ransom.	03f3e0bc4d0e3d9817610eb7761f8041	SHA1: 0f15149fb8e6a085cbfb2d076f6e859e495da457 MD5: 03f3e0bc4d0e3d9817610eb7761f8041 SHA256: bf795a1676a6dd795fb6915ecfbfdc200687907cae8769c55b9e26328b026f88 http://blog.talosintelligence.com/2017/09/threat-round-up-170922-170929.html
M17-oik01	Document	Mixed	This strike sends a malware sample known as Document Macro Obfuscation. This sample uses obfuscation to bypass detection and adds useless code to misdirect analysis.	7526bd6675aa6ad84f1fa760d17f3cb9	SHA1: 3bdd523ad094b923f8ceb9f8986d9ae8a1ebbe68 MD5: 7526bd6675aa6ad84f1fa760d17f3cb9 SHA256: 85fe7541480ab4165d31d0d83a020068a3de0f673e50b3aefa4be22f51f47704 http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-46t01	Vilsel_d9bf36e7	Windows	This strike sends a malware sample known as Vilsel. This sample is an older trojan that copies itself to the victim's startup folder to obtain persistence. It has been observed copying itself to several locations on the target system, with each copy appending random bytes to the end of its name.	d9bf36e74781a10a154144b2da587723	SHA1: 49ea899396b52dc2ba48ce3237f1dad91d517fbe MD5: d9bf36e74781a10a154144b2da587723 SHA256: 89782f35fef2dad9aadcad63b07fb6ed39077c9edfdccd0716facac53293f872 http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-pje01	Office	Mixed	This strike sends a malware sample known as Office DDE Powershell Payload. This sample is a Powershell payload script associated with the Microsoft Office DDE attacks, and it is from citycarpark.my/components/com_admintools/mscorier.	bba246f7ff0519dd89e980233cc3c927	SHA1: 6c151176212c597cebb1b278be3cd6daf7bc6593 MD5: bba246f7ff0519dd89e980233cc3c927 SHA256: 2330bf6bf6b5efa346792553d3666c7bc290c98799871f5ff4e7d44d2ab3b28c http://contagiodump.blogspot.com/2017/10/dde-command-execution-malware-samples.html
M17-58u01	TrickBot_b3bc6e96	Mixed	This strike sends a malware sample known as TrickBot. TrickBot is a banking trojan which shares similarities with Dyre banking trojan. It is used by crooks to target customers of Australian banks.	b3bc6e96c1775d26b4336d42428dc24e	SHA1: 0fc7bd58126e7969b1d3c013a60a2e2a51288f7f MD5: b3bc6e96c1775d26b4336d42428dc24e SHA256: a3355d8e3e5f21b84072993032341bf1edee8dd6b28a9aece5cc6ffe0e123621 http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-h4701	TrickBot_c5900370	Mixed	This strike sends a malware sample known as TrickBot. TrickBot is a banking trojan which shares similarities with Dyre banking trojan. It is used by crooks to target customers of Australian banks.	c5900370760d126e5a7c2f24a704a191	SHA1: 0fb6b9079d8721f2b7e6f3db69c50725988aedf0 MD5: c5900370760d126e5a7c2f24a704a191 SHA256: f45334629dc79665d85cd4748e97b876de4330094759dc4c227da19ffbbd2a34 http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-qxl01	Jrat_a2ccf1c3	Mixed	This strike sends a malware sample known as Jrat. This sample is a document that contains an embedded OLE object that attempts to contact external domains to download additional malicious code.	a2ccf1c3e98c0eed0126061a6f35afba	SHA1: 59c990f519f97056fd13b80cd82b1ff6c49258b7 MD5: a2ccf1c3e98c0eed0126061a6f35afba SHA256: db4d85d172b31413c1f93162053032a9a2e26b273dfdea8b7506ee8ca982e32f http://blog.talosintelligence.com/2017/09/threat-round-up-170922-170929.html
M17-bea01	Emotet_517d9598	Mixed	This strike sends a malware sample known as Emotet. This document sample has been identified in the Emotet banking trojan. It contains obfuscated code, and uses Powershell to download payloads.	517d9598ac8aa0ef0cb7145ffd64805e	SHA1: 82519982e32708e94c54ffce3c652714049a04f6 MD5: 517d9598ac8aa0ef0cb7145ffd64805e SHA256: 4ce5366c7eef1fff1260d5d7a0aec72c1246621838bf8df07f4a6ab3e5369d96 http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-o8e01	TrickBot_bd427dd1	Mixed	This strike sends a malware sample known as TrickBot. TrickBot is a banking trojan which shares similarities with Dyre banking trojan. It is used by crooks to target customers of Australian banks.	bd427dd15a2dc5695fbeab5519595d30	SHA1: 7a571716fe3fb54e50e79d9e1032354c192ed4a5 MD5: bd427dd15a2dc5695fbeab5519595d30 SHA256: 38748c33121e51307108ca9711c4a5109223d86565f8902268e902f83a202fbd http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-45801	Document	Mixed	This strike sends a malware sample known as Document Macro Obfuscation. This sample uses obfuscation to bypass detection and adds useless code to misdirect analysis.	3124f76cabc753b93b212f228bf7d407	SHA1: 650d41813ab9b22bcd30583ff9481d2336bd91bd MD5: 3124f76cabc753b93b212f228bf7d407 SHA256: 0b2799af3a38a865c37fe534c3f2f67d085757b09f5e489025037a1ed90f9b98 http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-87b01	CCleaner_ec1b25ed	Windows	This strike sends a malware sample known as CCleaner. This sample of CCleaner being distributed by Avast contains a malicious payload that features a domain generation algorithm and hard coded C2 functionality. The malicious payload may attempt to elevate privileges, or send an HTTP request to a remote controller in hopes to retrieve another stage payload.	ec1b25ed79331115f202f8ac6b309107	SHA1: abcfd38b53e04dd36cd8a75acece03b691417d40 MD5: ec1b25ed79331115f202f8ac6b309107 SHA256: 04622bcbeb45a2bd360fa0adc55a2526eac32e4ce8f522eaeb5bee1f501a7d3d http://blog.talosintelligence.com/2017/09/threat-round-up-170922-170929.html
M17-1tk01	Emotet_c0ef4f02	Mixed	This strike sends a malware sample known as Emotet. This document sample has been identified in the Emotet banking trojan. It contains obfuscated code, and uses Powershell to download payloads.	c0ef4f029f8947b2d8f66196cd2b041e	SHA1: 6968938c35b0cff739c31899764a295ad2fd2a80 MD5: c0ef4f029f8947b2d8f66196cd2b041e SHA256: 0c34b872ba2266c2028e27c9fc9bed8fe9c6f04221695e19c5194200a9638d6e http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-pds01	BadRabbit_b4e6d97d	Windows	This strike sends a malware sample known as BadRabbit. This sample included with the BadRabbit ransomware is a legitimate Diskcryptor driver. Diskcryptor is an open source disk encryption software.	b4e6d97dafd9224ed9a547d52c26ce02	SHA1: 59cd4907a438b8300a467cee1c6fc31135757039 MD5: b4e6d97dafd9224ed9a547d52c26ce02 SHA256: 682adcb55fe4649f7b22505a54a9dbc454b4090fc2bb84af7db5b0908f3b7806 http://blog.talosintelligence.com/2017/10/bad-rabbit.html
M17-fun01	Document	Mixed	This strike sends a malware sample known as Document Macro Obfuscation. This sample uses obfuscation to bypass detection and adds useless code to misdirect analysis.	85e1c384120de66b721849b88255c5e0	SHA1: 61e4a7c5241f07cf3bcc24377452b53ca44b499a MD5: 85e1c384120de66b721849b88255c5e0 SHA256: 81bcde515e51332cd4b92996655fb28448c2b3a83b6a63443ee680ad63acdce1 http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-wnv01	DollarShell_0fc095f4	Mixed	This strike sends a malware sample known as DollarShell. This sample is an obfuscated Office Macro downloader. It uses both the VBA.Shell$ as well as the auto-open macro.	0fc095f4868450c4339b700ac49c32a0	SHA1: 2af8df8ffa31ced85d0ff3f5bbb19b54501dd7b5 MD5: 0fc095f4868450c4339b700ac49c32a0 SHA256: bb1a67049f2f65ce40d68a111becaf0f772754c024013b8d8a869d59472af9eb http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-0bo01	TrickBot_0acc6a1e	Mixed	This strike sends a malware sample known as TrickBot. TrickBot is a banking trojan which shares similarities with Dyre banking trojan. It is used by crooks to target customers of Australian banks.	0acc6a1ec80acd4ee150255b7fe6187d	SHA1: 60eaaa3ad6cfa4d3c46a274afc00e2d2cb2f775e MD5: 0acc6a1ec80acd4ee150255b7fe6187d SHA256: 5619eeb7b8702693f78b452a0ca3df99a23b858d2b4d181bcd5588878411284e http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-hlg01	Emotet_cfb0a91a	Mixed	This strike sends a malware sample known as Emotet. This document sample has been identified in the Emotet banking trojan. It contains obfuscated code, and uses Powershell to download payloads.	cfb0a91a53aae5356c0ac9007a706c4f	SHA1: 9fe298dd844a0a522fbcde12b3917d0e53be84bf MD5: cfb0a91a53aae5356c0ac9007a706c4f SHA256: ee69976d53e2f0ee0d502f416ac54cb795059005f82989e095bdc7e5e299acbe http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-tac01	TorrentLocker_d080c988	Windows	This strike sends a malware sample known as TorrentLocker. This sample of ransomware uses AES encryption to encrypt files on the victim's machine before demanding a Bitcoin ransom.	d080c988772068811e1955af91185f9b	SHA1: 1da4c4f74568fe19c57ee68307b673405a0b0232 MD5: d080c988772068811e1955af91185f9b SHA256: ae7a23e9b4c2645c26dce4a83a97953fa5ca008570aa9ac32e0826369593a099 http://blog.talosintelligence.com/2017/09/threat-round-up-170922-170929.html
M17-ya201	Emotet_3f4296e6	Mixed	This strike sends a malware sample known as Emotet. This document sample has been identified in the Emotet banking trojan. It contains obfuscated code, and uses Powershell to download payloads.	3f4296e6b95436242fe4355c258bbecd	SHA1: 92cf0e6b2d366f33e2618cfe427ed319ea04b077 MD5: 3f4296e6b95436242fe4355c258bbecd SHA256: 4a5d8769935f5126bca4ccfd5f0c658fb6e7d41a34475d9b7712d51b3884e2f3 http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-zqc01	Emotet_3647353c	Mixed	This strike sends a malware sample known as Emotet. This document sample has been identified in the Emotet banking trojan. It contains obfuscated code, and uses Powershell to download payloads.	3647353cdbdb77ea002616f4c02fe762	SHA1: 17803b316214b1ba0889aabc2b33ff473aac454b MD5: 3647353cdbdb77ea002616f4c02fe762 SHA256: ef38926f1932b370abe835b38c51b806d4282e420ee06b312d9a2a25c446cf44 http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-4yi01	Beeldeb_814c9c27	Windows	This strike sends a malware sample known as Beeldeb. This sample is a trojan that gets added to the startup folder for persistence. It's a self-executing AutoIT script, and the malware payload is injected into a dropped executable.	814c9c27a6b69f7a81372db1bba90375	SHA1: 8ad0f9caf2afdb07ffbd392b1ff9419d5d08266a MD5: 814c9c27a6b69f7a81372db1bba90375 SHA256: 36e92852d67e66cb3c99312f107f83080605c2badf787108f619d6b54e6c85fc http://blog.talosintelligence.com/2017/09/threat-round-up-170922-170929.html
M17-nf601	Vilsel_6a085b16	Windows	This strike sends a malware sample known as Vilsel. This sample is an older trojan that copies itself to the victim's startup folder to obtain persistence. It has been observed copying itself to several locations on the target system, with each copy appending random bytes to the end of its name.	6a085b165438169d518740feb6432fce	SHA1: a00b111f3e47986d87cf5c518920d5b948ef632c MD5: 6a085b165438169d518740feb6432fce SHA256: eff9dcc0bebee521ebc2cb48a4398c3fe55e878fe127fda6f2ac02208e135325 http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-v5k01	DollarShell_1c29fbfe	Mixed	This strike sends a malware sample known as DollarShell. This sample is an obfuscated Office Macro downloader. It uses both the VBA.Shell$ as well as the auto-open macro.	1c29fbfe17b495cb4d313fd2d8bf6180	SHA1: 8920146ae70741dd75ffed38c8a5e3487e655653 MD5: 1c29fbfe17b495cb4d313fd2d8bf6180 SHA256: 26582ff0d7d9578d564bedc4f3add7d0d2326be6959039b7dc2372458390e810 http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-qzr01	MS	Mixed	This strike sends a malware sample known as MS Office VBS Downloader. This sample attempts to evade detection by splitting the word "powershell" and inserting characters in between.	a40958399bcabff1d3d45152c4235b11	SHA1: c194fc6750a6133d36d9d9f4660e872330c50e9b MD5: a40958399bcabff1d3d45152c4235b11 SHA256: e95c8bf136de1cd79bfd3811072e7d02441aa5e8f57ab60e2b1478a4d4ca5678 http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-kl801	Jrat_e019728b	Mixed	This strike sends a malware sample known as Jrat. This sample is a document that contains an embedded OLE object that attempts to contact external domains to download additional malicious code.	e019728b34270f1b334be69d26f7c3f3	SHA1: 54aa2ce08b90ae01338527f761326ddf5266af4e MD5: e019728b34270f1b334be69d26f7c3f3 SHA256: d29a6afc4b35eef25811664369471688a0ecd89fc2a5eb676de9c5518c9914f2 http://blog.talosintelligence.com/2017/09/threat-round-up-170922-170929.html
M17-1hx01	MS	Mixed	This strike sends a malware sample known as MS Office VBS Downloader. This sample attempts to evade detection by splitting the word "powershell" and inserting characters in between.	676ce727ae0dfb8822852e4fd0c86d39	SHA1: 7f060a247ba188933dd18b2b41d12919f2f8dcda MD5: 676ce727ae0dfb8822852e4fd0c86d39 SHA256: 9949dccece62023379790e8b563d8a93bae156be13e7698f851a3804b72fa1c3 http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-6zs01	Microsoft	Mixed	This strike sends a malware sample known as Microsoft Office DDE. This sample is the original lure associated with the Microsoft Office DDE attacks. The sample's filename is SBNG20171010.docx.	8be9633d5023699746936a2b073d2d67	SHA1: 07e2eaf420ea974ac99ea7b17c1b491ca1ada1ea MD5: 8be9633d5023699746936a2b073d2d67 SHA256: 4b68b3f98f78b42ac83e356ad61a4d234fe620217b250b5521587be49958d568 http://contagiodump.blogspot.com/2017/10/dde-command-execution-malware-samples.html
M17-nwn01	Microsoft	Mixed	This strike sends a malware sample known as Microsoft Office DDE. This sample is the original lure associated with the Microsoft Office DDE attacks. The sample's name is Auto_mal.docx.	aee33500f28791f91c278abb3fcdd942	SHA1: e82fb48a7b4dc02efe0d8779f29017f5e06ab66c MD5: aee33500f28791f91c278abb3fcdd942 SHA256: 7777ccbaaafe4e50f800e659b7ca9bfa58ee7eefe6e4f5e47bc3b38f84e52280 http://contagiodump.blogspot.com/2017/10/dde-command-execution-malware-samples.html
M17-yeu01	Emotet_38b60d63	Mixed	This strike sends a malware sample known as Emotet. This document sample has been identified in the Emotet banking trojan. It contains obfuscated code, and uses Powershell to download payloads.	38b60d6365d2b73cc8db79ef5cebd106	SHA1: 0efee5f307bfe3153a53f7d57fc0a9eb94be091a MD5: 38b60d6365d2b73cc8db79ef5cebd106 SHA256: 5b060682f0a97793797856af8c37265825d2c6769d9e69bc14833a98672e004a http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-7lk01	CCleaner_74dca8f8	Windows	This strike sends a malware sample known as CCleaner. This sample of CCleaner being distributed by Avast contains a malicious payload that features a domain generation algorithm and hard coded C2 functionality. The malicious payload may attempt to elevate privileges, or send an HTTP request to a remote controller in hopes to retrieve another stage payload.	74dca8f8ad273f6a5b095c14dfd2f4d3	SHA1: 80746f984b50b9127a15773db42204123c2e0c59 MD5: 74dca8f8ad273f6a5b095c14dfd2f4d3 SHA256: 53c6ad85a6b0db342ce07910d355dad53765767b4b9142912611ec81bee0f322 http://blog.talosintelligence.com/2017/09/threat-round-up-170922-170929.html
M17-wfe01	CCleaner_748aa5fc	Windows	This strike sends a malware sample known as CCleaner. This sample of CCleaner being distributed by Avast contains a malicious payload that features a domain generation algorithm and hard coded C2 functionality. The malicious payload may attempt to elevate privileges, or send an HTTP request to a remote controller in hopes to retrieve another stage payload.	748aa5fcfa2af451c76039faf6a8684d	SHA1: e7cca2da5161a313161a81a38a8b5773310a6801 MD5: 748aa5fcfa2af451c76039faf6a8684d SHA256: dc9b5e8aa6ec86db8af0a7aa897ca61db3e5f3d2e0942e319074db1aaccfdc83 http://blog.talosintelligence.com/2017/09/threat-round-up-170922-170929.html
M17-nka01	TorrentLocker_dddde9f8	Windows	This strike sends a malware sample known as TorrentLocker. This sample of ransomware uses AES encryption to encrypt files on the victim's machine before demanding a Bitcoin ransom.	dddde9f8a2459e18583434b1421bb509	SHA1: a927adc32cdc315702a903e4de522a4ca79adb57 MD5: dddde9f8a2459e18583434b1421bb509 SHA256: 4312486eb32d7edc49d437a598d7e0453e8c9d1222b8b9ba429c73e0598db1a9 http://blog.talosintelligence.com/2017/09/threat-round-up-170922-170929.html
M17-flu01	TorrentLocker_f661a576	Windows	This strike sends a malware sample known as TorrentLocker. This sample of ransomware uses AES encryption to encrypt files on the victim's machine before demanding a Bitcoin ransom.	f661a5769a6969eeb262e6c471dd1b35	SHA1: bf019ba422f96f251adea5a9c79bcf3b6f028e42 MD5: f661a5769a6969eeb262e6c471dd1b35 SHA256: 5c66755aeeed65c21c8d9774baebd79c962311a57b733cb19d4d2bb6a0eb52c3 http://blog.talosintelligence.com/2017/09/threat-round-up-170922-170929.html
M17-jw501	Tofsee_a8c123a8	Windows	This strike sends a malware sample known as Tofsee. This sample has been tied to other malicious malware like the Zeus botnet. It is contains several layers of encryption, and exhibits ransomware behavior as well as sends spam.	a8c123a8e47f93b5631e94fa20d88321	SHA1: 69ed2a5de0be259c228c06dbdbb20433d10be701 MD5: a8c123a8e47f93b5631e94fa20d88321 SHA256: 94cab1cdda2cdf19e077add232b00de9b141f981f6def5c7309521613f6423cb http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-qa201	Document	Mixed	This strike sends a malware sample known as Document Macro Obfuscation. This sample uses obfuscation to bypass detection and adds useless code to misdirect analysis.	0ee3d7d618bf806fe66ca97da1fb78d0	SHA1: 063fdba12a10422820c623d79cbb328d47d70f87 MD5: 0ee3d7d618bf806fe66ca97da1fb78d0 SHA256: b2c8a5be4249b5eb4b4a28cffaa3ef247589e0eb5ce0b7a914f8c1704b7f6cb4 http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-t1901	CCleaner_b3947a26	Windows	This strike sends a malware sample known as CCleaner. This sample of CCleaner being distributed by Avast contains a malicious payload that features a domain generation algorithm and hard coded C2 functionality. The malicious payload may attempt to elevate privileges, or send an HTTP request to a remote controller in hopes to retrieve another stage payload.	b3947a26d4d5f98b82f8d8afacf403f0	SHA1: 0c23449c86895b97ecbdb9fc0ae747b1b3d2a8a5 MD5: b3947a26d4d5f98b82f8d8afacf403f0 SHA256: 8562c9bb71391ab40d4e6986836795bcf742afdaff9a936374256056415c5e25 http://blog.talosintelligence.com/2017/09/threat-round-up-170922-170929.html
M17-iwr01	RevengeRat_179e16ae	Windows	This strike sends a malware sample known as RevengeRat. This sample is a Remote Access Tool that allows for the attacker to perform a variety of malicious covert functions on the target system. Some of these capabilities include but are not limited to, spying on the user, and ex-filtrating data.	179e16ae9eb6e1726d1660c1c6907a18	SHA1: 35dac8b3c4b0bf366ca78a4f1ec48b25d00d9803 MD5: 179e16ae9eb6e1726d1660c1c6907a18 SHA256: e60613e2453d6568cb04ad8e09ac64b6652318079be2444156293f092cc9ff52 http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-z4g01	Tofsee_040e3b7e	Windows	This strike sends a malware sample known as Tofsee. This sample has been tied to other malicious malware like the Zeus botnet. It is contains several layers of encryption, and exhibits ransomware behavior as well as sends spam.	040e3b7e2d2eb7420537446324a3bda9	SHA1: 37c3a3c6ea9e76ea87a83f57516d3b7804f7f91d MD5: 040e3b7e2d2eb7420537446324a3bda9 SHA256: d02cd223f8284826a4dd1d51ecb61cc39e2588c534c0e6b848f6fbfd772fc02a http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-f4y01	TrickBot_bed6c109	Mixed	This strike sends a malware sample known as TrickBot. TrickBot is a banking trojan which shares similarities with Dyre banking trojan. It is used by crooks to target customers of Australian banks.	bed6c109e1ce4ec3e0673c4445b1a043	SHA1: 3ab49d6e009c2b97a6f23ef97f8642d3f828e900 MD5: bed6c109e1ce4ec3e0673c4445b1a043 SHA256: 0d92b1656112ed73fe98fd6c714d7959dd8ecc85759b87a6b01747a2ab0f8335 http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-iip01	BadRabbit_347ac3b6	Windows	This strike sends a malware sample known as BadRabbit. This is 1 of 2 samples included with BadRabbit that has similar functionality to Mimikatz. Mimikiatz is a tool known for its ability to retrieve user credentials from computer memory using different techniques.	347ac3b6b791054de3e5720a7144a977	SHA1: 413eba3973a15c1a6429d9f170f3e8287f98c21c MD5: 347ac3b6b791054de3e5720a7144a977 SHA256: 301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c http://blog.talosintelligence.com/2017/10/bad-rabbit.html
M17-74g01	TrickBot_5e5727ac	Mixed	This strike sends a malware sample known as TrickBot. TrickBot is a banking trojan which shares similarities with Dyre banking trojan. It is used by crooks to target customers of Australian banks.	5e5727ac12a2bf5fbef68f550317fd14	SHA1: 8c37a2f1bfc13ae34861f6c699746a1692a43705 MD5: 5e5727ac12a2bf5fbef68f550317fd14 SHA256: 3ac1c23c28d19111e254649153b2cf0c03782f7523ce2062200a5ecd1c24f210 http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-ozb01	Document	Mixed	This strike sends a malware sample known as Document Macro Obfuscation. This sample uses obfuscation to bypass detection and adds useless code to misdirect analysis.	5bfe4be6ee3b7e74dce3510659f33568	SHA1: 9e8f55fd2c9575cac2b177e35d20f7f084f70c30 MD5: 5bfe4be6ee3b7e74dce3510659f33568 SHA256: 1e85b7f0d09e6a43cd83a66c287c1d34125ab9ee8e2f81d86a6c46ef44e37c20 http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-ric01	Document	Mixed	This strike sends a malware sample known as Document Macro Obfuscation. This sample uses obfuscation to bypass detection and adds useless code to misdirect analysis.	593a477c7099b171fb214fec4288e46b	SHA1: b5840987462a7fb007f074ef3c6179270eb642c6 MD5: 593a477c7099b171fb214fec4288e46b SHA256: fd5c9b1ea6c9c76f3282634f8d7b02e0dba6e9813ae0143c7073ecdd925ee2f8 http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-taw01	Document	Mixed	This strike sends a malware sample known as Document Macro Obfuscation. This sample uses obfuscation to bypass detection and adds useless code to misdirect analysis.	5961a6cce9f77280d321f4579735cbcc	SHA1: d83c01e5ea84c93f5e9a03a8e706e02b3853a864 MD5: 5961a6cce9f77280d321f4579735cbcc SHA256: c1a87f71d9f51cbbc82c03b58b75bdd6feb7d1be1d9d292c4a6a107b78a64efc http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-iiv01	Microsoft	Mixed	This strike sends a malware sample known as Microsoft Office DDE. This sample is the original lure associated with the Microsoft Office DDE attacks. The sample's name is InformesFINAL.docx.	78f07a1860ae99c093cc80d31b8bef14	SHA1: 5b1bbf4f3f6c21829719543de7b262e0073403c7 MD5: 78f07a1860ae99c093cc80d31b8bef14 SHA256: 9d67659a41ef45219ac64967b7284dbfc435ee2df1fccf0ba9c7464f03fdc862 http://contagiodump.blogspot.com/2017/10/dde-command-execution-malware-samples.html
M17-zn401	Microsoft	Mixed	This strike sends a malware sample known as Microsoft Office DDE. This sample is the original lure associated with the Microsoft Office DDE attacks. The sample's name is EDGAR_Rules.docx.	0bcadcf65bcf8940fff6fc776dd56563	SHA1: 8d650fccdf3497112708a3f4832240905bc6b0c3 MD5: 0bcadcf65bcf8940fff6fc776dd56563 SHA256: bf38288956449bb120bae525b6632f0294d25593da8938bbe79849d6defed5cb http://contagiodump.blogspot.com/2017/10/dde-command-execution-malware-samples.html
M17-1c501	Jrat_926d057d	Mixed	This strike sends a malware sample known as Jrat. This sample is a document that contains an embedded OLE object that attempts to contact external domains to download additional malicious code.	926d057d2dac94b1bd4203b5cbc1c7c3	SHA1: c147fe65bda2672248d0afd75805864e7a59e3d4 MD5: 926d057d2dac94b1bd4203b5cbc1c7c3 SHA256: 522a804aeee581c63049d0a5983a558c2a3225c4b14814cf0acb8912b79260d6 http://blog.talosintelligence.com/2017/09/threat-round-up-170922-170929.html
M17-r8a01	Emotet_82a6b105	Mixed	This strike sends a malware sample known as Emotet. This document sample has been identified in the Emotet banking trojan. It contains obfuscated code, and uses Powershell to download payloads.	82a6b1051f9bff80c5b0ae7e89baa979	SHA1: ca7f2d187a9ea3603a7bb28d50faa8fb868ef338 MD5: 82a6b1051f9bff80c5b0ae7e89baa979 SHA256: 4beabf7a352c6dc30a2273392f4daa5793e43412c3eba3724e2ed9e5631c41c2 http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-c6z01	Beeldeb_8ee52b53	Windows	This strike sends a malware sample known as Beeldeb. This sample is a trojan that gets added to the startup folder for persistence. It's a self-executing AutoIT script, and the malware payload is injected into a dropped executable.	8ee52b537cebe88a7dcf9027e68216e0	SHA1: 724a32dcdd091b51cff5d47ee20842ed9f2d4a6c MD5: 8ee52b537cebe88a7dcf9027e68216e0 SHA256: 07de12cf4c78151a0bdd6d8dcf8b5d0b91f51b606fd8ec0774e54fcb16e3440a http://blog.talosintelligence.com/2017/09/threat-round-up-170922-170929.html
M17-39701	TrickBot_b41f2f58	Mixed	This strike sends a malware sample known as TrickBot. TrickBot is a banking trojan which shares similarities with Dyre banking trojan. It is used by crooks to target customers of Australian banks.	b41f2f58ae888fa1fa0b2cb5d6b09c1b	SHA1: 5506e526adae964a95389967d4b16a91f65d5200 MD5: b41f2f58ae888fa1fa0b2cb5d6b09c1b SHA256: 5351019f9879a285561e72acae1024e8a86a822f33b7bbb95c795a6bc465ff53 http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-x5101	Beeldeb_93242553	Windows	This strike sends a malware sample known as Beeldeb. This sample is a trojan that gets added to the startup folder for persistence. It's a self-executing AutoIT script, and the malware payload is injected into a dropped executable.	93242553da82490acca7b7e7ae267f2e	SHA1: e465e0f5f3cbde6c61370dfc0112ec8256215ec3 MD5: 93242553da82490acca7b7e7ae267f2e SHA256: eea366f807de6e4a0834e9fcf8dc0847b7ab4707314191448950a22cc0dbfa76 http://blog.talosintelligence.com/2017/09/threat-round-up-170922-170929.html
M17-yzi01	MS	Mixed	This strike sends a malware sample known as MS Office VBS Downloader. This sample attempts to evade detection by splitting the word "powershell" and inserting characters in between.	4529961cd564ac79e8e38105bd8ec3c2	SHA1: 189e7c614ca9419029c691c89db757eb2b4de8c0 MD5: 4529961cd564ac79e8e38105bd8ec3c2 SHA256: a6026baa4f4062b2bbf66dc3a3707f965e34271cdd3f00cae45f771e4b4b9013 http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-lnm01	RevengeRat_ce4a2f2d	Windows	This strike sends a malware sample known as RevengeRat. This sample is a Remote Access Tool that allows for the attacker to perform a variety of malicious covert functions on the target system. Some of these capabilities include but are not limited to, spying on the user, and ex-filtrating data.	ce4a2f2d4b839854048dd9c3ed392fdc	SHA1: 276faf04fa87982665e2e534e87404c7676ef9a1 MD5: ce4a2f2d4b839854048dd9c3ed392fdc SHA256: d06ffdfe71bd471b8ba5c2c9fd1191e661c6a9d2332243bc4f93f3838cbff75b http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-bpi01	CCleaner_06e485d3	Windows	This strike sends a malware sample known as CCleaner. This sample of CCleaner being distributed by Avast contains a malicious payload that features a domain generation algorithm and hard coded C2 functionality. The malicious payload may attempt to elevate privileges, or send an HTTP request to a remote controller in hopes to retrieve another stage payload.	06e485d323110b76a0da9b3d063a0c9a	SHA1: cfdcd830ba34d2ee02017999a672608e0e82cbf3 MD5: 06e485d323110b76a0da9b3d063a0c9a SHA256: 8a8485d2ba00eafaad2dbad5fad741a4c6af7a1eedd3010ad3693d128d94afab http://blog.talosintelligence.com/2017/09/threat-round-up-170922-170929.html
M17-qcp01	DollarShell_4147656d	Mixed	This strike sends a malware sample known as DollarShell. This sample is an obfuscated Office Macro downloader. It uses both the VBA.Shell$ as well as the auto-open macro.	4147656d10dd24d2f531dfd9c1409103	SHA1: 8cf69e901c06a4699754910e931a72ce5e7b7455 MD5: 4147656d10dd24d2f531dfd9c1409103 SHA256: 5c3fff626f931fff80d79e53fdbf41a591f8dc048df2c7b636aa2d7a388d8e63 http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-eac01	BadRabbit_fbbdc39a	Windows	This strike sends a malware sample known as BadRabbit. This sample of BadRabbit is the dropper. It contains the BadRabbit ransomware. It requires user interaction to facilitate the infection and does not utilize and exploit to infect the system in any way.	fbbdc39af1139aebba4da004475e8839	SHA1: de5c8d858e6e41da715dca1c019df0bfb92d32c0 MD5: fbbdc39af1139aebba4da004475e8839 SHA256: 630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da http://blog.talosintelligence.com/2017/10/bad-rabbit.html
M17-lh801	TorrentLocker_1392ca8c	Windows	This strike sends a malware sample known as TorrentLocker. This sample of ransomware uses AES encryption to encrypt files on the victim's machine before demanding a Bitcoin ransom.	1392ca8c92d5e729f8f34813f966ef97	SHA1: 39d0bfbe04fbbc9bd43fd61f9f3f606d59c942fe MD5: 1392ca8c92d5e729f8f34813f966ef97 SHA256: 58f36594d9502e3e8e135d0a449e5c07a62ae6fcd34a32c5c4d9243cb28d958b http://blog.talosintelligence.com/2017/09/threat-round-up-170922-170929.html
M17-y6n01	Document	Mixed	This strike sends a malware sample known as Document Macro Obfuscation. This sample uses obfuscation to bypass detection and adds useless code to misdirect analysis.	34de33d32fed9a72c142b138d667a5d4	SHA1: 1854457d5d71892c6299e20bf09a62950dacdc8b MD5: 34de33d32fed9a72c142b138d667a5d4 SHA256: 6f7b63d2f5be6d7ada5c8146e076af21acd4273d538d46c1dddf6bed222a6d4d http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-4kl01	Emotet_2da06ce1	Mixed	This strike sends a malware sample known as Emotet. This document sample has been identified in the Emotet banking trojan. It contains obfuscated code, and uses Powershell to download payloads.	2da06ce1cdcc98cc531cbb71e14fb105	SHA1: 4aba63873f914ea5317a065cf7f21e5a6bc967b7 MD5: 2da06ce1cdcc98cc531cbb71e14fb105 SHA256: d91e08ac9c92e97acc03c87aeb20383150f17a26946e74eb450f48ddf612d5dc http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-nco01	BadRabbit_37945c44	Windows	This strike sends a malware sample known as BadRabbit. This is 1 of 2 samples included with BadRabbit that has similar functionality to Mimikatz. Mimikiatz is a tool known for its ability to retrieve user credentials from computer memory using different techniques.	37945c44a897aa42a66adcab68f560e0	SHA1: 16605a4a29a101208457c47ebfde788487be788d MD5: 37945c44a897aa42a66adcab68f560e0 SHA256: 2f8c54f9fa8e47596a3beff0031f85360e56840c77f71c6a573ace6f46412035 http://blog.talosintelligence.com/2017/10/bad-rabbit.html
M17-lpv01	Document	Mixed	This strike sends a malware sample known as Document Macro Obfuscation. This sample uses obfuscation to bypass detection and adds useless code to misdirect analysis.	e55a4eab9bc17d81febf152e98ae2eb7	SHA1: 4fdb7c7e7b24d50ddbccd3feaf863b4411a260c9 MD5: e55a4eab9bc17d81febf152e98ae2eb7 SHA256: 7cdeb17d6bfa95e937868b7761be87ded361ec49cf6be88286a1c2cb22f3976a http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-wwf01	DollarShell_a4548556	Mixed	This strike sends a malware sample known as DollarShell. This sample is an obfuscated Office Macro downloader. It uses both the VBA.Shell$ as well as the auto-open macro.	a454855668408ffa0732fe835b7b1508	SHA1: 1ae8809cf30ca33478043a2464323d91204cc2db MD5: a454855668408ffa0732fe835b7b1508 SHA256: 25948723a1ed54e5d7994639b0002f5074ff60b0bbd61a78c1e59dd80ebb4c54 http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-kss01	Microsoft	Mixed	This strike sends a malware sample known as Microsoft Office DDE. This sample is the original lure associated with the Microsoft Office DDE attacks. The sample's name is ~WRD0003.tmp.	d78ae3b9650328524c3150bef2224460	SHA1: 9cbc4333230c73578e469ed21b9c54674404b1a4 MD5: d78ae3b9650328524c3150bef2224460 SHA256: 11a6422ab6da62d7aad4f39bed0580db9409f9606e4fa80890a76c7eabfb1c13 http://contagiodump.blogspot.com/2017/10/dde-command-execution-malware-samples.html
M17-vph01	RevengeRat_5eee3b34	Windows	This strike sends a malware sample known as RevengeRat. This sample is a Remote Access Tool that allows for the attacker to perform a variety of malicious covert functions on the target system. Some of these capabilities include but are not limited to, spying on the user, and ex-filtrating data.	5eee3b343a6e5818716e1a9f3425410b	SHA1: 608357a6a6d1304b6dbe1bece5e37bf9c35f02dc MD5: 5eee3b343a6e5818716e1a9f3425410b SHA256: bd3bcfecf479bd347540d6305001b068583696aa81279739ee8b32eb34f2a0df http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-5w601	TrickBot_53affce6	Mixed	This strike sends a malware sample known as TrickBot. TrickBot is a banking trojan which shares similarities with Dyre banking trojan. It is used by crooks to target customers of Australian banks.	53affce6c64deda07f05deda966471e0	SHA1: 863ec7b034527bcdef66fdb6503b7220e84a2012 MD5: 53affce6c64deda07f05deda966471e0 SHA256: ae860de508c56045b39679b72b570028f820d9523f7e5d6ddb326c9a757c5c77 http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-18k01	TrickBot_a65305be	Mixed	This strike sends a malware sample known as TrickBot. TrickBot is a banking trojan which shares similarities with Dyre banking trojan. It is used by crooks to target customers of Australian banks.	a65305bec3b9b5e5b38245cd735880f0	SHA1: 6e4a2e0340e72d21ea3f4ebb1cedec1a9661ca26 MD5: a65305bec3b9b5e5b38245cd735880f0 SHA256: 27bc34902437285c3f4fe0a0e3446314baecb7ee002fcd1060b91543c27b9369 http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-zrl01	RevengeRat_a7eabbac	Windows	This strike sends a malware sample known as RevengeRat. This sample is a Remote Access Tool that allows for the attacker to perform a variety of malicious covert functions on the target system. Some of these capabilities include but are not limited to, spying on the user, and ex-filtrating data.	a7eabbac8906f141b1790cbb606c1d4e	SHA1: 4bf46eb61b8fe9da528ab376b6de4e0511006ad8 MD5: a7eabbac8906f141b1790cbb606c1d4e SHA256: 6fe71c4b59fba4e0200f2e71e308a791eadc3e6518ab87acb66db4c79df66985 http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-za801	CCleaner_52dda1e6	Windows	This strike sends a malware sample known as CCleaner. This sample of CCleaner being distributed by Avast contains a malicious payload that features a domain generation algorithm and hard coded C2 functionality. The malicious payload may attempt to elevate privileges, or send an HTTP request to a remote controller in hopes to retrieve another stage payload.	52dda1e6ac12c24f2997cf05e0ea42c9	SHA1: 82691bf5d8ca1c760e0dbc67c99f89ecd890de08 MD5: 52dda1e6ac12c24f2997cf05e0ea42c9 SHA256: 128aca58be325174f0220bd7ca6030e4e206b4378796e82da460055733bb6f4f http://blog.talosintelligence.com/2017/09/threat-round-up-170922-170929.html
M17-rqq01	Beeldeb_252bbf14	Windows	This strike sends a malware sample known as Beeldeb. This sample is a trojan that gets added to the startup folder for persistence. It's a self-executing AutoIT script, and the malware payload is injected into a dropped executable.	252bbf14eee52b2e33e265d2fd07d4fe	SHA1: d1d32cf0916a423f754405c66aac6ae90f8ec85f MD5: 252bbf14eee52b2e33e265d2fd07d4fe SHA256: c4cf29d4e6a6b905e08534108ab07318d5704d91df50c9d5477b998a19395eff http://blog.talosintelligence.com/2017/09/threat-round-up-170922-170929.html
M17-ff001	Microsoft	Mixed	This strike sends a malware sample known as Microsoft Office DDE. This sample is the original lure associated with the Microsoft Office DDE attacks. The sample's name is DanePrzesylki17016.doc.	5786dbcbe1959b2978e979bf1c5cb450	SHA1: 0dd5a58e89036beaa7a63c9f5541bf1402c9c4d4 MD5: 5786dbcbe1959b2978e979bf1c5cb450 SHA256: bd61559c7dcae0edef672ea922ea5cf15496d18cc8c1cbebee9533295c2d2ea9 http://contagiodump.blogspot.com/2017/10/dde-command-execution-malware-samples.html
M17-2s401	Document	Mixed	This strike sends a malware sample known as Document Macro Obfuscation. This sample uses obfuscation to bypass detection and adds useless code to misdirect analysis.	c452d8d53f32fba1828f9d5cb56dc56d	SHA1: e7a4cb5f77f88d4f88105bbb2ab1b28769f3c19f MD5: c452d8d53f32fba1828f9d5cb56dc56d SHA256: 6adbd32b36470178e4cbc4bf7c757e4338457cac8c53fc5f8a86b3bcfec2fa6d http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-3i401	Document	Mixed	This strike sends a malware sample known as Document Macro Obfuscation. This sample uses obfuscation to bypass detection and adds useless code to misdirect analysis.	ff321f7b270167136be7f584ce693f42	SHA1: aeaf65ac3b5f8de831b989d86ef85be2cb011854 MD5: ff321f7b270167136be7f584ce693f42 SHA256: e0d0d55c04eb477c6becda415eed279895c56e4468df63ae302be7d389c95741 http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-ico01	DollarShell_3f4735a1	Mixed	This strike sends a malware sample known as DollarShell. This sample is an obfuscated Office Macro downloader. It uses both the VBA.Shell$ as well as the auto-open macro.	3f4735a16a8d46d65e0cf2dfc9536499	SHA1: c3b76e8ef1973d6ad9d4ec4dcb8e44b22784a519 MD5: 3f4735a16a8d46d65e0cf2dfc9536499 SHA256: 2c34d5de4bfbca74b4a782a221c44311fba086f876af6020f16c36b8759dcd24 http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-v3z01	Vilsel_0bdda5b2	Windows	This strike sends a malware sample known as Vilsel. This sample is an older trojan that copies itself to the victim's startup folder to obtain persistence. It has been observed copying itself to several locations on the target system, with each copy appending random bytes to the end of its name.	0bdda5b203548929ce49ca0a47e51730	SHA1: ab9a3f79859d3bd587317945136c053c8d08ae9d MD5: 0bdda5b203548929ce49ca0a47e51730 SHA256: 51b411f1c6b10e8ee9bea405e66fc2f1f8f84d29106f119b2423de59101bbbd8 http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-58601	TrickBot_eed13f83	Mixed	This strike sends a malware sample known as TrickBot. TrickBot is a banking trojan which shares similarities with Dyre banking trojan. It is used by crooks to target customers of Australian banks.	eed13f831889481bd6f8f9875ac6fd9e	SHA1: 1d30abdb2d6f7acbce158293c77f45e07ad0677e MD5: eed13f831889481bd6f8f9875ac6fd9e SHA256: 721c1d648a245bc350d1ace7537db518162f725f2dab14bd4a149d8165144962 http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-f8b01	MS	Mixed	This strike sends a malware sample known as MS Office VBS Downloader. This sample attempts to evade detection by splitting the word "powershell" and inserting characters in between.	579702e392a78e07695353691e1e482e	SHA1: 49d8c84b9a6c560ffd9570030546e370a1ed6ce9 MD5: 579702e392a78e07695353691e1e482e SHA256: 4bc6d7e5960831476f33ac3d9f632ebae9c2a22aa975d20fffb0830b94bf3143 http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-a5h01	Jrat_2aa5b591	Mixed	This strike sends a malware sample known as Jrat. This sample is a document that contains an embedded OLE object that attempts to contact external domains to download additional malicious code.	2aa5b591ce3ef5894729e4c80289bb3b	SHA1: cf4439ea97f0880cf118efca8a7bb41a3adce7a9 MD5: 2aa5b591ce3ef5894729e4c80289bb3b SHA256: 1508a8ab14c4639853c9f2e598a142756517bd078f505274b5783ddda8fed0a0 http://blog.talosintelligence.com/2017/09/threat-round-up-170922-170929.html
M17-vbe01	TorrentLocker_e4997fd3	Windows	This strike sends a malware sample known as TorrentLocker. This sample of ransomware uses AES encryption to encrypt files on the victim's machine before demanding a Bitcoin ransom.	e4997fd30092248f2e4de8e5f8223e5e	SHA1: a53ff63cc5745a6d6da6b97b55b9c05ec53e4520 MD5: e4997fd30092248f2e4de8e5f8223e5e SHA256: 1a78a5c1c4ebb8a0047cbb4a8a27782212603d71cae2aeb033bceab76795a294 http://blog.talosintelligence.com/2017/09/threat-round-up-170922-170929.html
M17-emo01	Document	Mixed	This strike sends a malware sample known as Document Macro Obfuscation. This sample uses obfuscation to bypass detection and adds useless code to misdirect analysis.	aef86a60e907b7f5e8540643ad7a8c48	SHA1: 2fddab183182d926349a4fe546c4dbfa54610d86 MD5: aef86a60e907b7f5e8540643ad7a8c48 SHA256: 7ba4b97d8ef2eb865b6d6e76c77446657eb39269b5d276e77f458fa3fd639e2c http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-0wi01	MS	Mixed	This strike sends a malware sample known as MS Office VBS Downloader. This sample attempts to evade detection by splitting the word "powershell" and inserting characters in between.	37a146d0ee31b358fa92b1726abf028f	SHA1: 8cd3a6594a2b289ecc514305606ee4f651fd1f77 MD5: 37a146d0ee31b358fa92b1726abf028f SHA256: 195cb14fade7c435e10d673170dd975ee9b3f1c15fd932dc5c9d2663b4a7af10 http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-pr501	Document	Mixed	This strike sends a malware sample known as Document Macro Obfuscation. This sample uses obfuscation to bypass detection and adds useless code to misdirect analysis.	035e632c7164f593dd9b592d25335721	SHA1: b980506e2ab625480bff8dd88be3934f97dfe096 MD5: 035e632c7164f593dd9b592d25335721 SHA256: 25210b1abea142ae5d2fa21e2a2ea836f1eb3a62cc7118f2188bf63904c9523a http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-pzc01	MS	Mixed	This strike sends a malware sample known as MS Office VBS Downloader. This sample attempts to evade detection by splitting the word "powershell" and inserting characters in between.	d9ba9684df6ec50d76eb54aa16a0e0f3	SHA1: a66a51c776ed96671bfa7a10f5ba3bee304b9c69 MD5: d9ba9684df6ec50d76eb54aa16a0e0f3 SHA256: 4b9703f52464b8025e0146ae4792400f7c077194b0007b3d2ae31eb80642c517 http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-4qi01	TrickBot_fe309ae2	Mixed	This strike sends a malware sample known as TrickBot. TrickBot is a banking trojan which shares similarities with Dyre banking trojan. It is used by crooks to target customers of Australian banks.	fe309ae2b5be60ca6e242fa1453d674e	SHA1: 03e65781dc8baa1c554b696c67f802c684b0f335 MD5: fe309ae2b5be60ca6e242fa1453d674e SHA256: 3a4ea7d6ce3bf31398f34e831249aaccc3a6c123eae239bca37ab1dd57749c19 http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-l1h01	MS	Mixed	This strike sends a malware sample known as MS Office VBS Downloader. This sample attempts to evade detection by splitting the word "powershell" and inserting characters in between.	0137c8f7dbc6b64a1b4c8ab9d16773c2	SHA1: 7c25b065d753e31c6097b6708b89831a8dce6f7e MD5: 0137c8f7dbc6b64a1b4c8ab9d16773c2 SHA256: db1ba6f50f367209db4733b94e8d22c8703665bf5b90716bfc754b3639d4c76a http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-y6z01	Emotet_3d3b3030	Mixed	This strike sends a malware sample known as Emotet. This document sample has been identified in the Emotet banking trojan. It contains obfuscated code, and uses Powershell to download payloads.	3d3b30300206c5df413797e360bb49e0	SHA1: 8f086f4c54d6c724cd5fc34a5abba45f28d49c7b MD5: 3d3b30300206c5df413797e360bb49e0 SHA256: 73ca04dd07cefa6bc4fc68714e0f2ec98f251833ff48eb8276f8cea09526fa89 http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-ae501	CCleaner_04c940f8	Windows	This strike sends a malware sample known as CCleaner. This sample of CCleaner being distributed by Avast contains a malicious payload that features a domain generation algorithm and hard coded C2 functionality. The malicious payload may attempt to elevate privileges, or send an HTTP request to a remote controller in hopes to retrieve another stage payload.	04c940f8755ecfd89472dec010a27980	SHA1: 794c6899961dbb0c55c864271e89aaf981d5f5fc MD5: 04c940f8755ecfd89472dec010a27980 SHA256: 2bc2dee73f9f854fe1e0e409e1257369d9c0a1081cf5fb503264aa1bfe8aa06f http://blog.talosintelligence.com/2017/09/threat-round-up-170922-170929.html
M17-2df01	Microsoft	Mixed	This strike sends a malware sample known as Microsoft Office DDE. This sample is the original lure associated with the Microsoft Office DDE attacks. The sample's filename is EDGAR_Rules_2017.docx.	2c0cfdc5b5653cb3e8b0f8eeef55fc32	SHA1: 3a7956ac437c87fc6ca594c59d4de086ed6c8865 MD5: 2c0cfdc5b5653cb3e8b0f8eeef55fc32 SHA256: 1a1294fce91af3f7e7691f8307d07aebd4636402e4e6a244faac5ac9b36f8428 http://contagiodump.blogspot.com/2017/10/dde-command-execution-malware-samples.html
M17-i1q01	Emotet_17550aae	Mixed	This strike sends a malware sample known as Emotet. This document sample has been identified in the Emotet banking trojan. It contains obfuscated code, and uses Powershell to download payloads.	17550aae49290ff9cf99137f2a8d6d2b	SHA1: ae88296d6394c6d7a248a31e8dffb4eb47bbff8d MD5: 17550aae49290ff9cf99137f2a8d6d2b SHA256: a38563a27a75eab4ddc5d76a99a1e8589775add35fce1e20d0b2bc6b64bf2cfb http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-2ng01	MS	Mixed	This strike sends a malware sample known as MS Office VBS Downloader. This sample attempts to evade detection by splitting the word "powershell" and inserting characters in between.	9afb2a93e3426f8add62145e93187344	SHA1: 43377fcac1b50b6cb80680982f66a4b745431dae MD5: 9afb2a93e3426f8add62145e93187344 SHA256: ca38154915f53ec6c2793e94639e2ce9701de8236e41064cba35fe7e6387af70 http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-r4z01	Tofsee_a06a4691	Windows	This strike sends a malware sample known as Tofsee. This sample has been tied to other malicious malware like the Zeus botnet. It is contains several layers of encryption, and exhibits ransomware behavior as well as sends spam.	a06a4691a360c7e5d02d2caddd1a8da2	SHA1: 44cd1bfade1c63a5ca4fdad6a537d30b6c4d9f07 MD5: a06a4691a360c7e5d02d2caddd1a8da2 SHA256: fa1645ec20a84fd16d9d5eb2960b1caafb168f4456c7a14c8b8e5219bd15b29c http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-akj01	Cossta_73ba6fd6	Windows	This strike sends a malware sample known as Cossta. This sample is a trojan that downloads more malicious code and commands in order to execute additional functionality.	73ba6fd61e41c274c3236ffa4ce493d0	SHA1: 08225137bf178ff7fcf0879f10c114dc31023ae2 MD5: 73ba6fd61e41c274c3236ffa4ce493d0 SHA256: 424e36fd9975a43f25fad06e0282833d1280bcd9e6d5ef8221dc322fd16fbaa0 http://blog.talosintelligence.com/2017/09/threat-round-up-170922-170929.html
M17-14f01	RevengeRat_82216a2f	Windows	This strike sends a malware sample known as RevengeRat. This sample is a Remote Access Tool that allows for the attacker to perform a variety of malicious covert functions on the target system. Some of these capabilities include but are not limited to, spying on the user, and ex-filtrating data.	82216a2f1e20a67f7ecfe60cd271aa55	SHA1: 4e3b51f644f9a8453001fd065ccfbe785072a8a8 MD5: 82216a2f1e20a67f7ecfe60cd271aa55 SHA256: 7d0474c514e78deac6f690006546bf92c029836c60d547504ceebdd21bf6130c http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-o9l01	TrickBot_2187fd87	Mixed	This strike sends a malware sample known as TrickBot. TrickBot is a banking trojan which shares similarities with Dyre banking trojan. It is used by crooks to target customers of Australian banks.	2187fd870f1f8f01b21db7eaf21cf4aa	SHA1: ddbebdce1b672dc16dc5e508bb0052cd45cbe6b7 MD5: 2187fd870f1f8f01b21db7eaf21cf4aa SHA256: 8c937c4364f8c5c003f35771dd7983def26a073a9ad5dda9fca302f762dd4c83 http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-blt01	Document	Mixed	This strike sends a malware sample known as Document Macro Obfuscation. This sample uses obfuscation to bypass detection and adds useless code to misdirect analysis.	f174ae37eb7f20af733053975a6d05cc	SHA1: cd7072e306c8710b10761215711e521027a3e162 MD5: f174ae37eb7f20af733053975a6d05cc SHA256: 1da8eda0545dbe5a53d41fb1b9ed71c7129cf14b2395acffd601056b7d6765fd http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-k1a01	Emotet_02e3887d	Mixed	This strike sends a malware sample known as Emotet. This document sample has been identified in the Emotet banking trojan. It contains obfuscated code, and uses Powershell to download payloads.	02e3887db869113cb223d9ebd9c6117f	SHA1: 6c43c961756dbcffce0e26e09f97de6775b217ed MD5: 02e3887db869113cb223d9ebd9c6117f SHA256: e77ff24ea71560ffcb9b6e63e9920787d858865ba09f5d63a7e44cb86a569a6e http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-dlj01	Document	Mixed	This strike sends a malware sample known as Document Macro Obfuscation. This sample uses obfuscation to bypass detection and adds useless code to misdirect analysis.	750e0859d26265725906ce6d69f975ea	SHA1: 76de96ea0cbdbebdc38c752c22b8ddda39cf06b1 MD5: 750e0859d26265725906ce6d69f975ea SHA256: 0ff727f106fecde4e4292f0e35092376786cf8a9097da064623ffa912db7e9bf http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-lux01	RevengeRat_b9840247	Windows	This strike sends a malware sample known as RevengeRat. This sample is a Remote Access Tool that allows for the attacker to perform a variety of malicious covert functions on the target system. Some of these capabilities include but are not limited to, spying on the user, and ex-filtrating data.	b984024785d559801b952cd08e50e68b	SHA1: b8317c8992240b3cf5324b0ecad8d906cd171c24 MD5: b984024785d559801b952cd08e50e68b SHA256: e422cc0f5bb2d56d1def4063ac21cb8e18f97dfc48287e8b47ba07863704a8af http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-tpz01	Office	Mixed	This strike sends a malware sample known as Office DDE Powershell Payload. This sample is a stage 2 Powershell script that has been associated with Microsoft Office DDE attacks.	1ced468b2f59063f0575c8b2409d8efb	SHA1: 185d5476f0e908a9022eabaae48bbf8767079e2d MD5: 1ced468b2f59063f0575c8b2409d8efb SHA256: 8c5209671c9d4f0928f1ae253c40ce7515d220186bb4a97cbaf6c25bd3be53cf http://contagiodump.blogspot.com/2017/10/dde-command-execution-malware-samples.html
M17-3gc01	Vilsel_60d248d4	Windows	This strike sends a malware sample known as Vilsel. This sample is an older trojan that copies itself to the victim's startup folder to obtain persistence. It has been observed copying itself to several locations on the target system, with each copy appending random bytes to the end of its name.	60d248d41b06518e3a0df48c3b3f495e	SHA1: b2303ba54eec80d0d42d86b56af06204c020886a MD5: 60d248d41b06518e3a0df48c3b3f495e SHA256: c3ff4ab8815d9934a5a2bb5e02de372e20d70ef2ea519bf96bd3188187ab8a63 http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-qo701	TrickBot_3bc3e105	Mixed	This strike sends a malware sample known as TrickBot. TrickBot is a banking trojan which shares similarities with Dyre banking trojan. It is used by crooks to target customers of Australian banks.	3bc3e1051501cd45858d8802a67f10e2	SHA1: 38432c9b2a8b181bac9c2ced078f5bfbdb2dd048 MD5: 3bc3e1051501cd45858d8802a67f10e2 SHA256: 28df3fd75d3c3748b26931a449229f585f4e4543aa25a0caf37367444bb7a7c2 http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-adl01	CCleaner_4c339080	Windows	This strike sends a malware sample known as CCleaner. This sample of CCleaner being distributed by Avast contains a malicious payload that features a domain generation algorithm and hard coded C2 functionality. The malicious payload may attempt to elevate privileges, or send an HTTP request to a remote controller in hopes to retrieve another stage payload.	4c3390800de3bf59c8187d7f3d056ed6	SHA1: 4e2ffcf1508af2f6e5ab8bd2c34d6b888acd8554 MD5: 4c3390800de3bf59c8187d7f3d056ed6 SHA256: dbf648e5522c693a87a76657e93f4d44bfd8031c0b7587f8b751c110d3a6e09f http://blog.talosintelligence.com/2017/09/threat-round-up-170922-170929.html
M17-gg301	Beeldeb_dd49d79e	Windows	This strike sends a malware sample known as Beeldeb. This sample is a trojan that gets added to the startup folder for persistence. It's a self-executing AutoIT script, and the malware payload is injected into a dropped executable.	dd49d79e92a0785fddd2af6badd2d8c6	SHA1: 7feb92fd77af91d5631d77f39010a1ae71523002 MD5: dd49d79e92a0785fddd2af6badd2d8c6 SHA256: e15dc2879dccd3c62d77169fe77d869455e61e2706006da829013d55b42107ba http://blog.talosintelligence.com/2017/09/threat-round-up-170922-170929.html
M17-9zr01	Tofsee_ee5b4403	Windows	This strike sends a malware sample known as Tofsee. This sample has been tied to other malicious malware like the Zeus botnet. It is contains several layers of encryption, and exhibits ransomware behavior as well as sends spam.	ee5b4403f1854620ff45955657310554	SHA1: 59492294c94d974c4cb6ecaacd26ebcbacc590db MD5: ee5b4403f1854620ff45955657310554 SHA256: b637127d56d4b02c131bfdeaa8a42d95210bdd33285ef5788249ba8f631a0abf http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-2eg01	Microsoft	Mixed	This strike sends a malware sample known as Microsoft Office DDE. This sample is the original lure associated with the Microsoft Office DDE attacks. The sample's name is Giveaway.docx.	507784c0796ffebaef7c6fc53f321cd6	SHA1: ea8d91434705af3766fb4d6e7435b43c92546995 MD5: 507784c0796ffebaef7c6fc53f321cd6 SHA256: 313fc5bd8e1109d35200081e62b7aa33197a6700fc390385929e71aabbc4e065 http://contagiodump.blogspot.com/2017/10/dde-command-execution-malware-samples.html
M17-88n01	Jrat_bd2fe03a	Mixed	This strike sends a malware sample known as Jrat. This sample is a document that contains an embedded OLE object that attempts to contact external domains to download additional malicious code.	bd2fe03a6ca8049998bba6d8a6e0c8c1	SHA1: 70bdde14a8fe71f328a91f017adccb4c2696a194 MD5: bd2fe03a6ca8049998bba6d8a6e0c8c1 SHA256: 1570586012e23a7de3a8fd965bdc2d3a96175fd8a77d284827c1ed6d58944a7e http://blog.talosintelligence.com/2017/09/threat-round-up-170922-170929.html
M17-q6u01	Tofsee_c8ae48a5	Windows	This strike sends a malware sample known as Tofsee. This sample has been tied to other malicious malware like the Zeus botnet. It is contains several layers of encryption, and exhibits ransomware behavior as well as sends spam.	c8ae48a597b5d3b859a1e59580063a5b	SHA1: d2713d694de53d7f9779e8ede146d2f58b3b1069 MD5: c8ae48a597b5d3b859a1e59580063a5b SHA256: baaf07eff95de3672affcae2e00aca57540b8bfcb1c6010ee359213d8700bd0e http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-99x01	Tofsee_5ddcb7eb	Windows	This strike sends a malware sample known as Tofsee. This sample has been tied to other malicious malware like the Zeus botnet. It is contains several layers of encryption, and exhibits ransomware behavior as well as sends spam.	5ddcb7eb1592c47d3989721fa825de6b	SHA1: 3b633face0ab1f10b76cd5a6bee0d17def57f845 MD5: 5ddcb7eb1592c47d3989721fa825de6b SHA256: 0f4d468818d80d3048879c26546dc5b413956ca2a5ec5261fa54a00d03e0b393 http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-o7a01	Microsoft	Mixed	This strike sends a malware sample known as Microsoft Office DDE. This sample is the original lure associated with the Microsoft Office DDE attacks. The sample's name is Filings_and_Forms.docx.	47111e9854db533c328ddbe6e962602a	SHA1: e8b6b61b3c882cca895673c23a0168268c6926c7 MD5: 47111e9854db533c328ddbe6e962602a SHA256: 9fa8f8ccc29c59070c7aac94985f518b67880587ff3bbfabf195a3117853984d http://contagiodump.blogspot.com/2017/10/dde-command-execution-malware-samples.html
M17-91t01	TrickBot_1d017e8f	Mixed	This strike sends a malware sample known as TrickBot. TrickBot is a banking trojan which shares similarities with Dyre banking trojan. It is used by crooks to target customers of Australian banks.	1d017e8f2dcbc1b4746b104ffa92c6fc	SHA1: 02f59e1595b32dd0f29a1f37b4b446a8b5d4d204 MD5: 1d017e8f2dcbc1b4746b104ffa92c6fc SHA256: 99714908dc8d8316bcad7089c8d100755cd25f77c52bce91af0ed3a9a44db1bf http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-r3v01	Emotet_6e6118f6	Mixed	This strike sends a malware sample known as Emotet. This document sample has been identified in the Emotet banking trojan. It contains obfuscated code, and uses Powershell to download payloads.	6e6118f6e06d8cff7fdf5ff86417e326	SHA1: ca90c4c4a0d5869bb82e9c83b91c89a0680dc055 MD5: 6e6118f6e06d8cff7fdf5ff86417e326 SHA256: b160f7e0036a12a9b7b499249950aaeec569484ff0d50122c4d32d72c75aaf49 http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-a6z01	Beeldeb_5ff9e9b0	Windows	This strike sends a malware sample known as Beeldeb. This sample is a trojan that gets added to the startup folder for persistence. It's a self-executing AutoIT script, and the malware payload is injected into a dropped executable.	5ff9e9b08389b3680a87f8bde3bbde41	SHA1: 49f18e00751bf463cecd38b56d8962e32716a32b MD5: 5ff9e9b08389b3680a87f8bde3bbde41 SHA256: 2c89cbab497a1a5219b5d66f1ba39473b6ffc15ec4f53a2bb09c070a15a537e8 http://blog.talosintelligence.com/2017/09/threat-round-up-170922-170929.html
M17-m4k01	Beeldeb_91c456af	Windows	This strike sends a malware sample known as Beeldeb. This sample is a trojan that gets added to the startup folder for persistence. It's a self-executing AutoIT script, and the malware payload is injected into a dropped executable.	91c456af934c996615971350abe59d9b	SHA1: c7c42ceca41ffefd1c06f742fafbe5ec5a28cc37 MD5: 91c456af934c996615971350abe59d9b SHA256: 1e76a00a1e6e4265ad5ff364d3139a62013a9628d90edd7e6a155e7f0a8193e8 http://blog.talosintelligence.com/2017/09/threat-round-up-170922-170929.html
M17-xf301	Document	Mixed	This strike sends a malware sample known as Document Macro Obfuscation. This sample uses obfuscation to bypass detection and adds useless code to misdirect analysis.	41b3b3891b2ff0f02fc37722814b2e44	SHA1: a3f656592d267c7228223fb89729ce169b6f949a MD5: 41b3b3891b2ff0f02fc37722814b2e44 SHA256: 9e316bc8edd80e260d8ef24accfd2f1c1561665171d0721f4a36585e9b1cbe99 http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-d5u01	BadRabbit_edb72f4a	Windows	This strike sends a malware sample known as BadRabbit. This sample included with the BadRabbit ransomware is a legitimate Diskcryptor driver. Diskcryptor is an open source disk encryption software.	edb72f4a46c39452d1a5414f7d26454a	SHA1: 08f94684e83a27f2414f439975b7f8a6d61fc056 MD5: edb72f4a46c39452d1a5414f7d26454a SHA256: 0b2f863f4119dc88a22cc97c0a136c88a0127cb026751303b045f7322a8972f6 http://blog.talosintelligence.com/2017/10/bad-rabbit.html
M17-bmh01	Emotet_2718d8af	Mixed	This strike sends a malware sample known as Emotet. This document sample has been identified in the Emotet banking trojan. It contains obfuscated code, and uses Powershell to download payloads.	2718d8af5a07402f52c0de6e41abb99a	SHA1: 84dd202e55479bc3a751685e3d6567d4bc811a6f MD5: 2718d8af5a07402f52c0de6e41abb99a SHA256: 24b041585da64a03245c460805f68dbac94b63d19aba6f1bbf7f7d6fa3a26033 http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-p1q01	Vilsel_33a4a3bd	Windows	This strike sends a malware sample known as Vilsel. This sample is an older trojan that copies itself to the victim's startup folder to obtain persistence. It has been observed copying itself to several locations on the target system, with each copy appending random bytes to the end of its name.	33a4a3bd945302e799b90c250f9de22f	SHA1: dd484940a55ec3240f65185a2bb77acc9190b850 MD5: 33a4a3bd945302e799b90c250f9de22f SHA256: 1b8ba3bde52f7c979d427a03d636c9658b010724b8b93fd98c31a888bcc3123c http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-aee01	Document	Mixed	This strike sends a malware sample known as Document Macro Obfuscation. This sample uses obfuscation to bypass detection and adds useless code to misdirect analysis.	30be88192aa73ae0120f5e225204b108	SHA1: 9fba5890634f229b7145f17686f70d48c5e5f897 MD5: 30be88192aa73ae0120f5e225204b108 SHA256: a7b7a582248f4ed47c8816c9436e7a49f2c02a83d18014509d0215e217f19e9e http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-nev01	TrickBot_466187a5	Mixed	This strike sends a malware sample known as TrickBot. TrickBot is a banking trojan which shares similarities with Dyre banking trojan. It is used by crooks to target customers of Australian banks.	466187a5d3cc9e941dc2c7274b1c6709	SHA1: 94a7e837ff4577f555ee7ab1f6532df7d846d716 MD5: 466187a5d3cc9e941dc2c7274b1c6709 SHA256: 37e7afe3da64064dacbc53b5cac88972662a181aa864e094b4a45ce88318d7f3 http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-w3b01	MS	Windows	This strike sends a malware sample known as MS Office DDE Payload PE. This sample is a dropped payload associated with the Microsoft Office DDE attacks. The filename is Citibk_MT103_Ref71943.exe.	3a4d0c6957d8727c0612c37f27480f1e	SHA1: 705de08f2a4b939b406f496e7c21afbdb7436215 MD5: 3a4d0c6957d8727c0612c37f27480f1e SHA256: 316f0552684bd09310fc8a004991c9b7ac200fb2a9a0d34e59b8bbd30b6dc8ea http://contagiodump.blogspot.com/2017/10/dde-command-execution-malware-samples.html
M17-eit01	MS	Mixed	This strike sends a malware sample known as MS Office VBS Downloader. This sample attempts to evade detection by splitting the word "powershell" and inserting characters in between.	1a4471c427c7b4d87f3edf0c150e4c89	SHA1: 3c41291459807bfbe05fe9b7c1c40e6a2ab97cd7 MD5: 1a4471c427c7b4d87f3edf0c150e4c89 SHA256: 2747932c56b816aae80ace812975e868b3227ab651903c1dc01e987231cccc96 http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-tx001	MS	Mixed	This strike sends a malware sample known as MS Office VBS Downloader. This sample attempts to evade detection by splitting the word "powershell" and inserting characters in between.	1549333bbc2ca45390d73c7876ef7704	SHA1: 0a456e5f7f7fb43b0d017ec752af986330cceebe MD5: 1549333bbc2ca45390d73c7876ef7704 SHA256: 57794867310c0c673a34eccea666780b09287f8ca42e4c5aadd21abec43d8168 http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-7u401	Beeldeb_83642fc3	Windows	This strike sends a malware sample known as Beeldeb. This sample is a trojan that gets added to the startup folder for persistence. It's a self-executing AutoIT script, and the malware payload is injected into a dropped executable.	83642fc30d69a624f5b5c3c6dbef590f	SHA1: dca5899ec909dcf5c29212c4a7cf969a51b154d6 MD5: 83642fc30d69a624f5b5c3c6dbef590f SHA256: a864f592f8fd01a57cf8302056a413e4a688f6cfa2beae8c5e136a40384f7b56 http://blog.talosintelligence.com/2017/09/threat-round-up-170922-170929.html
M17-8fv01	MS	Windows	This strike sends a malware sample known as MS Office DDE Payload PE. This sample is the final dropped payload in an Microsoft Office DDE attack targeting Freddie Mac employees.	4f3a6e16950b92bf9bd4efe8bbff9a1e	SHA1: 9f09b4e99e7fd50d53d9df67236a0dfd0a22acc6 MD5: 4f3a6e16950b92bf9bd4efe8bbff9a1e SHA256: 5d3b34c963002bd46848f5fe4e8b5801da045e821143a9f257cb747c29e4046f http://pedramamini.postach.io/ http://blog.inquest.net/blog/2017/10/14/02-microsoft-office-dde-freddie-mac-targeted-lure/ http://contagiodump.blogspot.com/2017/10/dde-command-execution-malware-samples.html
M17-sex01	Document	Mixed	This strike sends a malware sample known as Document Macro Obfuscation. This sample uses obfuscation to bypass detection and adds useless code to misdirect analysis.	3cc8af9aed58a99c5c1884ed17e0daa7	SHA1: 904c859e56bc6a6f59e1ac7335c9b59502ca86f3 MD5: 3cc8af9aed58a99c5c1884ed17e0daa7 SHA256: 9de97b64e55209d946f21d8e1be015932f0df9df1acc0c282b8aaf6885b5d254 http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-ipj01	Document	Mixed	This strike sends a malware sample known as Document Macro Obfuscation. This sample uses obfuscation to bypass detection and adds useless code to misdirect analysis.	ffc42a752bc20745f0f20a112a416a8e	SHA1: d9a065c5ca4fd19e571af5a12492dcb9a39ef1f3 MD5: ffc42a752bc20745f0f20a112a416a8e SHA256: ee787d5959e57fe1787b36a3bfa3fd4d90e4a0b1705f96f4a90a06d0bdd75cab http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-b8601	MS	Mixed	This strike sends a malware sample known as MS Office VBS Downloader. This sample attempts to evade detection by splitting the word "powershell" and inserting characters in between.	9e76e0aa0bbc164c35d34641194ab0be	SHA1: 2264c10d35c17626f9ad94c63071be9382182bdc MD5: 9e76e0aa0bbc164c35d34641194ab0be SHA256: 2374d35b524259f14a3cd41eca49417c69fafdab226a4d00788c014b3c2c922c http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-nof01	TrickBot_9e2a44f5	Mixed	This strike sends a malware sample known as TrickBot. TrickBot is a banking trojan which shares similarities with Dyre banking trojan. It is used by crooks to target customers of Australian banks.	9e2a44f56e89d074ff8b4ccc49d8eecf	SHA1: a5dcb49bd204a916cf8fe27e509a41e7d15ba8bd MD5: 9e2a44f56e89d074ff8b4ccc49d8eecf SHA256: b4492030182ee0e7c3257f417fe98d4e52d301230e31491a4563cb41fa6b3343 http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-y8l01	TrickBot_adbf41e8	Mixed	This strike sends a malware sample known as TrickBot. TrickBot is a banking trojan which shares similarities with Dyre banking trojan. It is used by crooks to target customers of Australian banks.	adbf41e8d5cc1f2ace5410439bc02784	SHA1: 3d69c7a7e963d1b63b696ccba8b51b5159b7c8fe MD5: adbf41e8d5cc1f2ace5410439bc02784 SHA256: 6acd175a2971b370ae7413bad180f8f745a4b391b0fa4f3e70ef660f5e3bee75 http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-xsw01	Document	Mixed	This strike sends a malware sample known as Document Macro Obfuscation. This sample uses obfuscation to bypass detection and adds useless code to misdirect analysis.	5544f6c63933909929da0e907546c42f	SHA1: 7a844dc2045c002a6224597ed7a9d93c738a6527 MD5: 5544f6c63933909929da0e907546c42f SHA256: b49adc35b4a6add49bc0accfc9ce9b6d2f8c093af0c2ee6dd05750aba2c75503 http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-hnf01	Cossta_a72550cc	Windows	This strike sends a malware sample known as Cossta. This sample is a trojan that downloads more malicious code and commands in order to execute additional functionality.	a72550cc54425d5660f2913a6b7f240e	SHA1: 0fc84405183a9f1af5db4c6e911d2f3059e17620 MD5: a72550cc54425d5660f2913a6b7f240e SHA256: 2e3b79c0bc90f46218700afba5d5a55cb00832969a00f254ec113d342d76a992 http://blog.talosintelligence.com/2017/09/threat-round-up-170922-170929.html
M17-w3t01	TerrorEK_6ea344d0	Windows	This strike sends a malware sample known as TerrorEK. Terror EK is an exploit kit that uses adult web site traffic malvertising for distribution. It can fingerprint its target to determine which exploits to deliver.	6ea344d0db80ab6e5cabdc9dcecd5ad4	SHA1: b19796bdd0e86b7f754900950465c1b3b054483e MD5: 6ea344d0db80ab6e5cabdc9dcecd5ad4 SHA256: cf51ef5c787407e343c132febde8cba563015165b37e7824078baebe1bf20109 https://threatpost.com/malvertising-campaign-redirects-browsers-to-terror-exploit-kit/128596/
M17-qfe01	BadRabbit_b14d8faf	Windows	This strike sends a malware sample known as BadRabbit. This sample included with the BadRabbit ransomware is a legitimate Diskcryptor client. Diskcryptor is an open source disk encryption software.	b14d8faf7f0cbcfad051cefe5f39645f	SHA1: afeee8b4acff87bc469a6f0364a81ae5d60a2add MD5: b14d8faf7f0cbcfad051cefe5f39645f SHA256: 8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93 http://blog.talosintelligence.com/2017/10/bad-rabbit.html
M17-3dz01	TrickBot_f1c5db30	Mixed	This strike sends a malware sample known as TrickBot. TrickBot is a banking trojan which shares similarities with Dyre banking trojan. It is used by crooks to target customers of Australian banks.	f1c5db30b092fdbc27892ce4ccf67eeb	SHA1: 461306e3b6f95d791e0185b919ee02e40a946d76 MD5: f1c5db30b092fdbc27892ce4ccf67eeb SHA256: 08a5a27b430bdc6d157ebdbf5dd0e7c648d7fc0e9e3e52baf54f5b770f72e919 http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-9mh01	RevengeRat_f8e91818	Windows	This strike sends a malware sample known as RevengeRat. This sample is a Remote Access Tool that allows for the attacker to perform a variety of malicious covert functions on the target system. Some of these capabilities include but are not limited to, spying on the user, and ex-filtrating data.	f8e91818df8255195ffa3700a8a91020	SHA1: 6ca5c2f79c431717033f244f95ee223287f53d73 MD5: f8e91818df8255195ffa3700a8a91020 SHA256: b110def3771963078f3ce54d13d23a6f751ea6dc41e5177e242208791a0a8342 http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-llu01	Jrat_ae95cb1c	Mixed	This strike sends a malware sample known as Jrat. This sample is a document that contains an embedded OLE object that attempts to contact external domains to download additional malicious code.	ae95cb1ce2361ee8a243a165a30671ea	SHA1: d4913dc755088d1e3d129c6b9c9458a62a514c81 MD5: ae95cb1ce2361ee8a243a165a30671ea SHA256: 50c1020efca0698519c89b468fc25926d1bad2eeb421482d9c17b6ab24535217 http://blog.talosintelligence.com/2017/09/threat-round-up-170922-170929.html
M17-yya01	Emotet_de42982a	Mixed	This strike sends a malware sample known as Emotet. This document sample has been identified in the Emotet banking trojan. It contains obfuscated code, and uses Powershell to download payloads.	de42982a6a16c1bdf40f2baad8e72511	SHA1: b1049b482ad0a4745fac3455e11005ec2568a421 MD5: de42982a6a16c1bdf40f2baad8e72511 SHA256: 56aa0e876398efcb1ba2e8465e8bd91109e700147eff81acac5ad2514e2f011a http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-5zk01	TorrentLocker_4111ff07	Windows	This strike sends a malware sample known as TorrentLocker. This sample of ransomware uses AES encryption to encrypt files on the victim's machine before demanding a Bitcoin ransom.	4111ff07e1f54723cc323c0a0ed88080	SHA1: dc9605648dadaa9cc463acd711a1ee9908328f54 MD5: 4111ff07e1f54723cc323c0a0ed88080 SHA256: ba4fe6e91aae42e7a12747422443a361201898a4a5d2454472cf8d42b8d5cc52 http://blog.talosintelligence.com/2017/09/threat-round-up-170922-170929.html
M17-xag01	Beeldeb_39c16536	Windows	This strike sends a malware sample known as Beeldeb. This sample is a trojan that gets added to the startup folder for persistence. It's a self-executing AutoIT script, and the malware payload is injected into a dropped executable.	39c165367e163aad7a384c3f565a9875	SHA1: 8a90d33befcc9c9c28439bde56215378d8a189b9 MD5: 39c165367e163aad7a384c3f565a9875 SHA256: bb8e4aec824aa052fdda739abb8472caf2bd6c34d1773248ea3072e5c024140a http://blog.talosintelligence.com/2017/09/threat-round-up-170922-170929.html
M17-ees01	Tofsee_3b8d76c2	Windows	This strike sends a malware sample known as Tofsee. This sample has been tied to other malicious malware like the Zeus botnet. It is contains several layers of encryption, and exhibits ransomware behavior as well as sends spam.	3b8d76c2886b2deeec94060f1353e35b	SHA1: 7a3388475aa5a955619dd11d1d09c2b242ebc5f2 MD5: 3b8d76c2886b2deeec94060f1353e35b SHA256: b29d5908edaa7a98e7b7aca5614e0dbbcbaa5e15e93540f037451db52905ebdf http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-z7801	RevengeRat_0ab4672f	Windows	This strike sends a malware sample known as RevengeRat. This sample is a Remote Access Tool that allows for the attacker to perform a variety of malicious covert functions on the target system. Some of these capabilities include but are not limited to, spying on the user, and ex-filtrating data.	0ab4672ff9298e2bdd1ad12966fba880	SHA1: 51fcd86363149c3c164bfa31219b76eef3f97eea MD5: 0ab4672ff9298e2bdd1ad12966fba880 SHA256: 0d576038349acf0892cbb0124b9558bb4b80c070875017c320dd12bdc0c21f9a http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-ry101	Tofsee_66fbf228	Windows	This strike sends a malware sample known as Tofsee. This sample has been tied to other malicious malware like the Zeus botnet. It is contains several layers of encryption, and exhibits ransomware behavior as well as sends spam.	66fbf2288948d8f39516bfcf772df514	SHA1: de1c9685c1a12acf3fca5a5f958afc75c379bb05 MD5: 66fbf2288948d8f39516bfcf772df514 SHA256: 9f33ee45c11c52f6c6a38bb004457046f5743d51bde77282b2dc1847e9c6cbe9 http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-5ec01	TrickBot_f8fda0ca	Mixed	This strike sends a malware sample known as TrickBot. TrickBot is a banking trojan which shares similarities with Dyre banking trojan. It is used by crooks to target customers of Australian banks.	f8fda0ca1102b83e8848f7b678a4d52f	SHA1: 09696e0cfaf65d7be27167586563d23c3851d2e2 MD5: f8fda0ca1102b83e8848f7b678a4d52f SHA256: 793c3af7a30ca9cbb1a9f33b1986b8628af45ec1c2a04c1dd98a5cfa376f55be http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-odh01	TrickBot_15a86455	Mixed	This strike sends a malware sample known as TrickBot. TrickBot is a banking trojan which shares similarities with Dyre banking trojan. It is used by crooks to target customers of Australian banks.	15a86455f789404d6a0f499b2349abf7	SHA1: 3c425cb3d7cc2dedc522ac1316b39ce401355437 MD5: 15a86455f789404d6a0f499b2349abf7 SHA256: dcfcc1a702447925e8826cf1b15a79db9ceee264c46e0447f62856c52be76c9a http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-zku01	Document	Mixed	This strike sends a malware sample known as Document Macro Obfuscation. This sample uses obfuscation to bypass detection and adds useless code to misdirect analysis.	3971be2d09be971e83bb783bf15e496b	SHA1: a9c8c15cead43c25929c28ff4d8a0d8499553d9f MD5: 3971be2d09be971e83bb783bf15e496b SHA256: 485ac8f15a1ed8005940365da1dd1031244eb9b18b86cc97a001483d23983e01 http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html
M17-nw901	Microsoft	Mixed	This strike sends a malware sample known as Microsoft Office DDE. This sample is the original lure associated with the Microsoft Office DDE attacks. The sample's name is ~WRD0000.tmp.	42027846162fe156e1bb8da39c6b7288	SHA1: 280a0697c5aa33d79d482df8614b6b044747ee8d MD5: 42027846162fe156e1bb8da39c6b7288 SHA256: 8630169ab9b4587382d4b9a6d17fd1033d69416996093b6c1a2ecca6b0c04184 http://contagiodump.blogspot.com/2017/10/dde-command-execution-malware-samples.html
M17-sxi01	Document	Mixed	This strike sends a malware sample known as Document Macro Obfuscation. This sample uses obfuscation to bypass detection and adds useless code to misdirect analysis.	ec15f34b51e13bd70b558ba54be82597	SHA1: d88cb8e80bc03c1dbd5b63943741d5ee4ab49efd MD5: ec15f34b51e13bd70b558ba54be82597 SHA256: 984730d87bc7df01d890f8719f83712c7eaf7af05de5cb9a49d3132dc6251751 http://blog.talosintelligence.com/2017/10/threat-round-up-1006-1013.html

Malware Strikes September - 2017

Strike ID	Malware	Platform	Info	MD5	External References
M17-p5w01	Symmi_4533f3cf	Windows	This strike sends a malware sample known as Symmi. This sample creates binaries and then gains persistence by creating a scheduled task. It then adds a registry value that can be loaded into the user-mode processes on the system.	4533f3cf126bea0971299bfcb664fd8f	SHA1: 7f38b9f01390d0e7be186d6d9e3780d4354cbcea MD5: 4533f3cf126bea0971299bfcb664fd8f SHA256: e76a23d8d8e16a6e1cd78e28ad875f5ca61221f3d0c44dddf750e5920dc5acc2 http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html
M17-q1o01	Doc.Macro.Obfuscation_481bb264	Mixed	This strike sends a malware sample known as Doc.Macro.Obfuscation. This sample of Office Macro documents employ the same defensive techniques to prevent easy investigation. Much of the code is unused or not malicious in order to distract or slow the de-obfuscation process. The MD5 hash of this Doc.Macro.	481bb264685f1fd953c2e4902e33b9ba	SHA1: 37c9df70788833508a1b5c51720d25300f4a02c0 MD5: 481bb264685f1fd953c2e4902e33b9ba SHA256: 0dd881a73d020780715e7a4ee943288fe5174ff27ae3ae90405785e8f584c225 http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html
M17-r1401	Symmi_b6181cea	Windows	This strike sends a malware sample known as Symmi. This sample creates binaries and then gains persistence by creating a scheduled task. It then adds a registry value that can be loaded into the user-mode processes on the system.	b6181cea5538d1d990f01175005bc1c5	SHA1: ecf8926e36e844179c85c4fbcf131591204b567f MD5: b6181cea5538d1d990f01175005bc1c5 SHA256: 17ae6bd9e77a9a783caf5bc398f03ff47691134f9a6c5600a903159057c78b17 http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html
M17-5i701	Valyria_558a6786	Mixed	This strike sends a malware sample known as Valyria. This sample is a downloader that uses obfuscation in VBA to create a powershell download command and execute it with VBA shell.	558a6786fadce8649252cf4f3548c0b0	SHA1: 60956c5bcc5c91205c7024055ebb47ed1cd0c460 MD5: 558a6786fadce8649252cf4f3548c0b0 SHA256: f543e6e17ca16d883f3da521b9c8e0070ab7a1ee6c83eb8bca701bea7af6385f http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html
M17-ub901	AlmanCloud_307a4d25	Windows	This strike sends a malware sample known as AlmanCloud. This trojan implements many anti-debugging techniques. It is also able to infect USB drives, function as a keylogger, and ex-filtrate collected information by contacting remote servers.	307a4d25ee4bbdfe53aea2a0d400508f	SHA1: fb568c00d9971caf90a87cf8c0f85aded90dd6bb MD5: 307a4d25ee4bbdfe53aea2a0d400508f SHA256: 5e0fcf513867bb834af4ebb405a328d66838e528e32e420a89eab7b8619f1830 http://blog.talosintelligence.com/2017/09/threat-round-up-0825-0901.html
M17-epd01	Symmi_a7bf3e40	Windows	This strike sends a malware sample known as Symmi. This sample creates binaries and then gains persistence by creating a scheduled task. It then adds a registry value that can be loaded into the user-mode processes on the system.	a7bf3e40fc8366e973b2794bd021c594	SHA1: 0df167157518e2b46d1f197c881d915525a67615 MD5: a7bf3e40fc8366e973b2794bd021c594 SHA256: 2a6794ad2014b95abca5512d85f748aaaf08a1d1f9a7be3583987bd1523f5f1b http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html
M17-2rx01	Symmi_0333b1aa	Windows	This strike sends a malware sample known as Symmi. This sample creates binaries and then gains persistence by creating a scheduled task. It then adds a registry value that can be loaded into the user-mode processes on the system.	0333b1aa179d9685137aa394e99f4524	SHA1: 6ba0790ed9d8d1d158db8e27f3e5d68fc7b1b4fb MD5: 0333b1aa179d9685137aa394e99f4524 SHA256: 7156221c0787b78866de2621828fa2ea48ebdba2b06219576337db8bf342c6cf http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html
M17-cot01	TrickBot_c2d71afe	Mixed	This strike sends a malware sample known as TrickBot. TrickBot is a banking trojan which shares similarities with Dyre banking trojan. It is used by crooks to target customers of Australian banks.	c2d71afecb3afab088f8f72e38643555	SHA1: 1194c6e068f7d9fe94269a4f32f3799a2ffb0ad2 MD5: c2d71afecb3afab088f8f72e38643555 SHA256: 2419210bdd20b352b357573e72eb82bafa801b078f25517546bd348e2e93a505 http://blog.talosintelligence.com/2017/09/threat-round-up-0825-0901.html
M17-xdl01	Cmig_395c0336	Windows	This strike sends a malware sample known as Cmig. This sample is a packer that has been known to obfuscate malicious banking trojans.	395c03366c6b4ad8579441cf87050fe7	SHA1: 8aceacc6a915e27d220d5ff2a0b7b0ae1d277173 MD5: 395c03366c6b4ad8579441cf87050fe7 SHA256: 359c0c9d53f14552ede1a37f73b4554f8fa8004ec0a25a6b6741dfd4f2df5682 http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html
M17-acy01	Valyria_2f432869	Mixed	This strike sends a malware sample known as Valyria. This sample is a downloader that uses obfuscation in VBA to create a powershell download command and execute it with VBA shell.	2f432869c66584e0761325a8e43d10c5	SHA1: e8b9c8fec8d1a3b26c79163ee46a387776853b53 MD5: 2f432869c66584e0761325a8e43d10c5 SHA256: e9d062f1b899f805c95b79165873b6c4e7eb6ec3185347ec0d67e2d30caff67b http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html
M17-py101	Symmi_32583c0b	Windows	This strike sends a malware sample known as Symmi. This sample creates binaries and then gains persistence by creating a scheduled task. It then adds a registry value that can be loaded into the user-mode processes on the system.	32583c0b33172fdd8291ae201e0f9f4b	SHA1: 6e433f11a9a44100a2c90af7db766600c4c5506a MD5: 32583c0b33172fdd8291ae201e0f9f4b SHA256: a94ef67587dde19950297b9b69e90254f16cd5e6653fc596524044377a2e1193 http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html
M17-wnu01	Symmi_c45a851a	Windows	This strike sends a malware sample known as Symmi. This sample creates binaries and then gains persistence by creating a scheduled task. It then adds a registry value that can be loaded into the user-mode processes on the system.	c45a851a0948b30997d95c789a7a487a	SHA1: f08536521390087d5a4776c8dc19f75cb99c6934 MD5: c45a851a0948b30997d95c789a7a487a SHA256: d778483fb3f3afdc4efd06ae0f605a53d7ee4e512459aa3b287cc246cc6097b5 http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html
M17-a5101	Ursnif_c04e0926	Windows	This strike sends a malware sample known as Ursnif. Ursnif or Gozi is a banking trojan. The malware is mainly spread through spam email that contains an attachment that downloads Ursnif. In the past year, Ursnif has been used in attacks against Japan.	c04e0926efec768033d5458210c80dea	SHA1: 680a208f2459a369fe7f9c9b73a5b9c440464947 MD5: c04e0926efec768033d5458210c80dea SHA256: 6f2af5771522f2ce3843f57c2a72a2451e0b73a71505cd50abad031267915be3 http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html
M17-g7f01	Valyria_e602fa89	Mixed	This strike sends a malware sample known as Valyria. This sample is a downloader that uses obfuscation in VBA to create a powershell download command and execute it with VBA shell.	e602fa89e592d87673b1ee21ba781962	SHA1: 491cc002b8c3cdf49b6b53806539ffe6f93893e1 MD5: e602fa89e592d87673b1ee21ba781962 SHA256: 59400bc70eab4810a1b7a5c8556879315cdc2233b51e812587fe259a3dde69a6 http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html
M17-8ds01	Cmig_c08bae3d	Windows	This strike sends a malware sample known as Cmig. This sample is a packer that has been known to obfuscate malicious banking trojans.	c08bae3d02bc5c866b97f4cdaa92a423	SHA1: ebba2f3676d211e4784d86f26f83b89cda35e8e2 MD5: c08bae3d02bc5c866b97f4cdaa92a423 SHA256: 251984e04c9654cab912e5ab74f510c808a3fd34bc10d81f20eef7350dc51339 http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html
M17-wyj01	CC	Windows	This strike sends a malware sample known as CC Cleaner. This sample of CCleaner being distributed by Avast contains a malicious payload that features a domain generation algorithm and hard coded C2 functionality. The malicious payload may attempt to elevate privileges, or send an HTTP request to a remote controller in hopes to retrieve another stage payload.	75735db7291a19329190757437bdb847	SHA1: c705c0b0210ebda6a3301c6ca9c6091b2ee11d5b MD5: 75735db7291a19329190757437bdb847 SHA256: 1a4a5123d7b2c534cb3e3168f7032cf9ebf38b9a2a97226d0fdb7933cf6030ff http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html
M17-i3p01	Cmig_094735c4	Windows	This strike sends a malware sample known as Cmig. This sample is a packer that has been known to obfuscate malicious banking trojans.	094735c41e4f4779c5a1503b2b4c2645	SHA1: de032fc317e8cbe2827d1ee35516e442c4552428 MD5: 094735c41e4f4779c5a1503b2b4c2645 SHA256: 12b2c3dd430777d50966f542668eb022b2871a3c2ec77003911080fa90c32c5b http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html
M17-nl101	Cmig_b922cf0e	Windows	This strike sends a malware sample known as Cmig. This sample is a packer that has been known to obfuscate malicious banking trojans.	b922cf0ed1f18434326e6ed940fdc1df	SHA1: c139a4fe693eff29239c71ccb5c30d6ae003914f MD5: b922cf0ed1f18434326e6ed940fdc1df SHA256: 2fe55bd75831905bd35b0928ecd70f064330311ec0749bda01cff595b9af6b27 http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html
M17-71x01	Dinwood_003acd74	Windows	This strike sends a malware sample known as Dinwood. Dinwood is a polymorphic dropper that copies itself to the root directory, and then removes itself. The modified versions drop the payload on a Windows system and then run it via dll injection.	003acd74e09cda434d08a9f5ba2ea538	SHA1: e373f234220294da1f556e02353ff9d6521a3af0 MD5: 003acd74e09cda434d08a9f5ba2ea538 SHA256: 06ebf78a7f2f3cbc7a8961051f3bfe9211b8dc8fd255be6f9df7b96f261a46ad http://blog.talosintelligence.com/2017/09/threat-round-up-0825-0901.html
M17-laa01	Cmig_37e3b74c	Windows	This strike sends a malware sample known as Cmig. This sample is a packer that has been known to obfuscate malicious banking trojans.	37e3b74c24f4928d098b526738945eee	SHA1: 4f5fc5eb1766ece68e8f4e486093f7a3d34f7771 MD5: 37e3b74c24f4928d098b526738945eee SHA256: 3d3d7e837aafbd8f42ade61f867114cc28af14c5d4ace788f351df0ad58cadf1 http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html
M17-xqy01	Doc.Macro.Obfuscation_abf1049b	Mixed	This strike sends a malware sample known as Doc.Macro.Obfuscation. This sample of malware uses obfuscation in attempt to make quick code analysis difficult. Much of the code found in this sample is junk code that does not evaluate to a malicious function or purpose. The MD5 hash of this Doc.Macro.	abf1049b698b8bffbfc936ef383a374b	SHA1: 5e03b849d2311d922a8dfaf7e283e06eaff2513a MD5: abf1049b698b8bffbfc936ef383a374b SHA256: 6ff2121b359d8a2776c25293aa96b823759b0796e559e70bc6d2e8adaf208fd7 http://blog.talosintelligence.com/2017/09/threat-round-up-0825-0901.html
M17-3l401	Doc.Macro.Obfuscation_62bb7e2b	Mixed	This strike sends a malware sample known as Doc.Macro.Obfuscation. This sample of Office Macro documents employ the same defensive techniques to prevent easy investigation. Much of the code is unused or not malicious in order to distract or slow the de-obfuscation process. The MD5 hash of this Doc.Macro.	62bb7e2b0a31bbfa624e95023863dfa2	SHA1: ba30dceb90f9b65ecb869d00e2debf533000dca8 MD5: 62bb7e2b0a31bbfa624e95023863dfa2 SHA256: 51e75edc5abe46280a4ef590047bb0bf4ab0d409da07711cbd2917b4ce103c59 http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html
M17-crq01	Cmig_c69a6d7c	Windows	This strike sends a malware sample known as Cmig. This sample is a packer that has been known to obfuscate malicious banking trojans.	c69a6d7c64c8642ecf7bc06c97f8bd66	SHA1: e19c844ee754e3a3f4b62f155e4a747138c3d613 MD5: c69a6d7c64c8642ecf7bc06c97f8bd66 SHA256: 3706c1b476c5a7093dbf71f51daa053d817668b854b99ef8ab939f2498fe253f http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html
M17-fmi01	Cmig_112f97d8	Windows	This strike sends a malware sample known as Cmig. This sample is a packer that has been known to obfuscate malicious banking trojans.	112f97d822db7cc0782ebdaf58826fc1	SHA1: 26b7e9e0192d46a8e280c4933bae646591cc1f74 MD5: 112f97d822db7cc0782ebdaf58826fc1 SHA256: 14eeda627d8c65edea9e8c7b3a02f381079f1c28be3f1408a0f6f4f0968da27c http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html
M17-xo501	Cmig_5f54bada	Windows	This strike sends a malware sample known as Cmig. This sample is a packer that has been known to obfuscate malicious banking trojans.	5f54bada97635cafb076e08f1a9247bd	SHA1: a0834384f03048f77b3f86b29d82f9498ff1c9c5 MD5: 5f54bada97635cafb076e08f1a9247bd SHA256: 05baa0dc22cf5b14b5a8e70c4a0183c50f366da7916fdee0f1b26835f48e43c1 http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html
M17-uqf01	Cmig_ee102894	Windows	This strike sends a malware sample known as Cmig. This sample is a packer that has been known to obfuscate malicious banking trojans.	ee102894e4fae149d39e2054a7155729	SHA1: a607a8d6337bf95978e312b0e93e3f4907ac1759 MD5: ee102894e4fae149d39e2054a7155729 SHA256: 28c5bd99d92cf80443f93cb12344cade4e9685a89e936d490b9e04edd6207f1a http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html
M17-msb01	Valyria_8b136d7f	Mixed	This strike sends a malware sample known as Valyria. This sample is a downloader that uses obfuscation in VBA to create a powershell download command and execute it with VBA shell.	8b136d7fb8f2306fc0530115a2ad891d	SHA1: 201c1162a5eb5c9ed85f4418dcbdcad71a6862f4 MD5: 8b136d7fb8f2306fc0530115a2ad891d SHA256: 8263c8ab8cf63264e39de0c237e26c7f08e36427ec47e0699f7ff8726af40db5 http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html
M17-3f701	Cmig_80526918	Windows	This strike sends a malware sample known as Cmig. This sample is a packer that has been known to obfuscate malicious banking trojans.	805269188a5c032767af7bf00024b25a	SHA1: bf664be50eac27f4b90ed77ff7a705f6552a8408 MD5: 805269188a5c032767af7bf00024b25a SHA256: 2b9d669d44fb21199c4ad9f51566d641cb1613907c1a8f66c49c3a0766fbd386 http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html
M17-8si01	Dinwood_00089c7c	Windows	This strike sends a malware sample known as Dinwood. Dinwood is a polymorphic dropper that copies itself to the root directory, and then removes itself. The modified versions drop the payload on a Windows system and then run it via dll injection.	00089c7c29ceb806e122292d3756c42f	SHA1: 6eceaa806237afe891d51d4fa60ac653b1b0dba5 MD5: 00089c7c29ceb806e122292d3756c42f SHA256: 076e08eb3eae357b4ee75f9bc1e9fe8a9ea3b3e3ddafe244e0583e320a0bfd26 http://blog.talosintelligence.com/2017/09/threat-round-up-0825-0901.html
M17-ytd01	Symmi_ec22cff1	Windows	This strike sends a malware sample known as Symmi. This sample creates binaries and then gains persistence by creating a scheduled task. It then adds a registry value that can be loaded into the user-mode processes on the system.	ec22cff1b6aa42743366097b32d6f5f0	SHA1: 2ae525cbce103e15c5e14d885e83cc5cc4eba0de MD5: ec22cff1b6aa42743366097b32d6f5f0 SHA256: 2c0f383fcc3b07a893fa0ce0cfbe025d31c6ebfe46979b129bd8090712256c42 http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html
M17-kzb01	Symmi_a5cdff79	Windows	This strike sends a malware sample known as Symmi. This sample creates binaries and then gains persistence by creating a scheduled task. It then adds a registry value that can be loaded into the user-mode processes on the system.	a5cdff796de0034b8c95eb71b00545ec	SHA1: 57433dd0843146de661b9eb9c24ca54c90a8c3fc MD5: a5cdff796de0034b8c95eb71b00545ec SHA256: 10e8f34991079b2c40f2e72babdbd3d0fd97703870552061752b341b704153b3 http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html
M17-ynk01	KHRAT_404518f4	Windows	This strike sends a malware sample known as KHRAT. KHRAT is a remote access trojan that registers the target using the infected system's information (username, system language and IP). KHRAT also includes many features found in RATs like keylogging, remote access, and screenshot grabbing.	404518f469a0ca85017136b6b5166ae3	SHA1: 8fff5fe410927095bd13fa15d84e69df0b0754fe MD5: 404518f469a0ca85017136b6b5166ae3 SHA256: 53e27fd13f26462a58fa5587ecd244cab4da23aa80cf0ed6eb5ee9f9de2688c1 https://researchcenter.paloaltonetworks.com/2017/08/unit42-updated-khrat-malware-used-in-cambodia-attacks/
M17-85z01	Cmig_48a2a59b	Windows	This strike sends a malware sample known as Cmig. This sample is a packer that has been known to obfuscate malicious banking trojans.	48a2a59bb81bc15069fbed23fe5efcca	SHA1: 79aa73d369fa48076d8be68aeeb84c795543c724 MD5: 48a2a59bb81bc15069fbed23fe5efcca SHA256: 1828387d77ccd498e318dc2bdf580a51ef8161dfda186651cb4c6300aea6ecf5 http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html
M17-g6w01	Dinwood_004492f8	Windows	This strike sends a malware sample known as Dinwood. Dinwood is a polymorphic dropper that copies itself to the root directory, and then removes itself. The modified versions drop the payload on a Windows system and then run it via dll injection.	004492f8f78e65c80cb6b2f64f7b6b11	SHA1: 3543b278d9e3742ab1fa787e38b6b09c467b7f51 MD5: 004492f8f78e65c80cb6b2f64f7b6b11 SHA256: 07ab8a56baed7f7014781b275e8324e8bb7974360ac05d017c65d40ed05e1869 http://blog.talosintelligence.com/2017/09/threat-round-up-0825-0901.html
M17-v5101	Symmi_e36ff9cc	Windows	This strike sends a malware sample known as Symmi. This sample creates binaries and then gains persistence by creating a scheduled task. It then adds a registry value that can be loaded into the user-mode processes on the system.	e36ff9ccc5c93bdac286622763efb74b	SHA1: a06a976e0c33842faadb66b50881066f2431ea00 MD5: e36ff9ccc5c93bdac286622763efb74b SHA256: 4763992ecb0dc5bbda30d2d00dd99927fb8aa2be759c9058f2dafb691ccf0f0b http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html
M17-g2u01	Cmig_0fede0a4	Windows	This strike sends a malware sample known as Cmig. This sample is a packer that has been known to obfuscate malicious banking trojans.	0fede0a4e3ac69d30fdc862175fee7fd	SHA1: 3529763feeddb6bea3ac7ba85e9788dce36bcf68 MD5: 0fede0a4e3ac69d30fdc862175fee7fd SHA256: 0898ded2110056e9bc720860640282384f08d4064918322cf99c6e79554208f6 http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html
M17-yqv01	Dinwood_00415f0e	Windows	This strike sends a malware sample known as Dinwood. Dinwood is a polymorphic dropper that copies itself to the root directory, and then removes itself. The modified versions drop the payload on a Windows system and then run it via dll injection.	00415f0eeae6c54c5a5242c3264d5bca	SHA1: f5ca077ee489067b4fc5f8bcec8c177142b78f29 MD5: 00415f0eeae6c54c5a5242c3264d5bca SHA256: 07b5361cde1a670a587bd7d58160c97282415a025b4b9d1efa806a121e577027 http://blog.talosintelligence.com/2017/09/threat-round-up-0825-0901.html
M17-oed01	Symmi_d86e6e58	Windows	This strike sends a malware sample known as Symmi. This sample creates binaries and then gains persistence by creating a scheduled task. It then adds a registry value that can be loaded into the user-mode processes on the system.	d86e6e58e4ffa7ef3bd0d870c54f6bfd	SHA1: 97d1e8df0d79b1e90523900fe02d0d01a91c3d14 MD5: d86e6e58e4ffa7ef3bd0d870c54f6bfd SHA256: d6d82c71a400735446318832a57f7a2573cfa4073aa31ec6a8b742d43f93e9dd http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html
M17-zwj01	Symmi_c0b45967	Windows	This strike sends a malware sample known as Symmi. This sample creates binaries and then gains persistence by creating a scheduled task. It then adds a registry value that can be loaded into the user-mode processes on the system.	c0b4596717367eb8577f0cf5af9642fa	SHA1: 1f50d8e3518505b761467ea0674da3430a8adb76 MD5: c0b4596717367eb8577f0cf5af9642fa SHA256: c7fc560bff6d3fbc3a72355463836eaf9b3d7d18ade95ce72436926568626edc http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html
M17-fh701	Cmig_e3cb47c1	Windows	This strike sends a malware sample known as Cmig. This sample is a packer that has been known to obfuscate malicious banking trojans.	e3cb47c1910e2390ba15727b60a9fee1	SHA1: 283d0b36d87c1b19ab1f456f34a6a66fe1869599 MD5: e3cb47c1910e2390ba15727b60a9fee1 SHA256: 3ee7edf180cc44da6f2f79f90cc965dddb0eee97e32d9e340e873c71ce3d57e0 http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html
M17-c5u01	Rtf.Exploit.CVE_2017_0199_447823c9	Mixed	This strike sends a malware sample known as Rtf.Exploit.CVE_2017_0199. This sample is an RTF document that contains an embedded OLE2 object. The OLE2 object contains links to other existing documents. If that file is an .hta file, it will download and then execute it. The MD5 hash of this Rtf.Exploit.	447823c9c915a90b834da8380ec25711	SHA1: 5f6e438aec4386f4bee4f24b67112b4232e140cc MD5: 447823c9c915a90b834da8380ec25711 SHA256: 9b366a6ab581517c6d62c5195e606eba6cb764ff813df7c247f34455af7db567 http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html
M17-m8a01	Valyria_57b41a86	Mixed	This strike sends a malware sample known as Valyria. This sample is a downloader that uses obfuscation in VBA to create a powershell download command and execute it with VBA shell.	57b41a867d18839dea702dd8b902fa6e	SHA1: c4f00588756c1fe3d445871a9d544a7323bd56ac MD5: 57b41a867d18839dea702dd8b902fa6e SHA256: 7eed89f56f776f61421242f428edc4a93bd250e8b98fe44b6f71a67ec8a3fb08 http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html
M17-ls101	Symmi_d842d35d	Windows	This strike sends a malware sample known as Symmi. This sample creates binaries and then gains persistence by creating a scheduled task. It then adds a registry value that can be loaded into the user-mode processes on the system.	d842d35de8665b2f7d0c29cee667899c	SHA1: 5da812069fb7b28a3c86154c15f48cf86edce1c5 MD5: d842d35de8665b2f7d0c29cee667899c SHA256: fc30aafd75f5bcf3d4a73a6336ba1f2fb150a410712e32f5887d2afe8504f717 http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html
M17-2i501	Valyria_283be610	Mixed	This strike sends a malware sample known as Valyria. This sample is a downloader that uses obfuscation in VBA to create a powershell download command and execute it with VBA shell.	283be61009f20a86bfcd9690343b23f3	SHA1: 04d37de141fea4a0cf590942f0438ee9f103f6e6 MD5: 283be61009f20a86bfcd9690343b23f3 SHA256: af2229c42175b9c6591427f82619564c8a8a1fcb1fa3f912502b098563c12643 http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html
M17-52401	Win.Trojan.Agent_0099daaa	Windows	This strike sends a malware sample known as Win.Trojan.Agent. This sample is a packed trojan that implements anti-VM defensive checks. It attempts to contact many external domains including VirusTotal. The MD5 hash of this Win.Trojan.	0099daaa9f5180e143527683df94d3ea	SHA1: f9eed5ad4c15bbb9861f4fd87ef25ceefef6d421 MD5: 0099daaa9f5180e143527683df94d3ea SHA256: 55acc591f5c6c0d2313ddd4ba47c25fe3b81bbcb64b4ad77c4668dfcc559748c http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html
M17-shq01	KHRAT_1bdee062	Mixed	This strike sends a malware sample known as KHRAT. KHRAT is a remote access trojan that registers the target using the infected system's information (username, system language and IP). KHRAT also includes many features found in RATs like keylogging, remote access, and screenshot grabbing.	1bdee0623bb85e64057c80ca5dd69722	SHA1: 56cae3ae7ded838b6909be92eb17231ca67ea2df MD5: 1bdee0623bb85e64057c80ca5dd69722 SHA256: c51fab0fc5bfdee1d4e34efcc1eaf4c7898f65176fd31fd8479c916fa0bcc7cc https://researchcenter.paloaltonetworks.com/2017/08/unit42-updated-khrat-malware-used-in-cambodia-attacks/
M17-87n01	Symmi_d8dfbb2c	Windows	This strike sends a malware sample known as Symmi. This sample creates binaries and then gains persistence by creating a scheduled task. It then adds a registry value that can be loaded into the user-mode processes on the system.	d8dfbb2ce28e59995052ce16d768d3c2	SHA1: e33e2485ebbd9b34b9e36e15cc9a666f0a49fa23 MD5: d8dfbb2ce28e59995052ce16d768d3c2 SHA256: 983f1a853f5f7f1c7aa2e687761ae736d2a4397884dfd455685bbc5ae1d0b2ef http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html
M17-w3901	Symmi_c05699e0	Windows	This strike sends a malware sample known as Symmi. This sample creates binaries and then gains persistence by creating a scheduled task. It then adds a registry value that can be loaded into the user-mode processes on the system.	c05699e0fb2a98e1b045fef3003dda3d	SHA1: d79c18351b5cd83a7f1fd4aeb7fc9e5db136ce59 MD5: c05699e0fb2a98e1b045fef3003dda3d SHA256: 6c51d2e568f033b8a8c6764d54583da5af6fcec7a21d283e536063861c156ff4 http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html
M17-1u901	Symmi_bafe3514	Windows	This strike sends a malware sample known as Symmi. This sample creates binaries and then gains persistence by creating a scheduled task. It then adds a registry value that can be loaded into the user-mode processes on the system.	bafe3514816d56106c209ae5e4687d40	SHA1: fceb3ce8123228655c3e9f29965056e5cf88f138 MD5: bafe3514816d56106c209ae5e4687d40 SHA256: a6099ef0093736c0757c589890df229b39e4efbb38ebc63d460ea06186e09f69 http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html
M17-kze01	Doc.Macro.Obfuscation_65747d8f	Mixed	This strike sends a malware sample known as Doc.Macro.Obfuscation. This sample of Office Macro documents employ the same defensive techniques to prevent easy investigation. Much of the code is unused or not malicious in order to distract or slow the de-obfuscation process. The MD5 hash of this Doc.Macro.	65747d8f5f0ed59db0e70505745fb988	SHA1: e0f3ece5d671f6d56f4a1ee188c21a5b650031eb MD5: 65747d8f5f0ed59db0e70505745fb988 SHA256: 4c45540ba41c37f6c4cc0c4385139b63e56e58798c1c3ac94ea9cfca15ab8a98 http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html
M17-hm601	Valyria_c7d7bab1	Mixed	This strike sends a malware sample known as Valyria. This sample is a downloader that uses obfuscation in VBA to create a powershell download command and execute it with VBA shell.	c7d7bab1b1d627dd32d4b62a72dfbb02	SHA1: c0a1213cac601819c36d2f15e000e213efaf95ee MD5: c7d7bab1b1d627dd32d4b62a72dfbb02 SHA256: 02a384b45673cf0c1e7dbe129fa397d92d43add25b22b080b4308def418e7927 http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html
M17-jwe01	Doc.Macro.Obfuscation_1eeea25f	Mixed	This strike sends a malware sample known as Doc.Macro.Obfuscation. This sample of Office Macro documents employ the same defensive techniques to prevent easy investigation. Much of the code is unused or not malicious in order to distract or slow the de-obfuscation process. The MD5 hash of this Doc.Macro.	1eeea25fb11b3337fe810f635eb4aa64	SHA1: 9231ac029e93e1da22db9b0d8949eba8aae60378 MD5: 1eeea25fb11b3337fe810f635eb4aa64 SHA256: 6891e0c2fe9c3b7bf9c02fbd81950c60118df47cf8e7d80ca92853fae72d9178 http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html
M17-8oo01	Dinwood_003a976b	Windows	This strike sends a malware sample known as Dinwood. Dinwood is a polymorphic dropper that copies itself to the root directory, and then removes itself. The modified versions drop the payload on a Windows system and then run it via dll injection.	003a976b169928872492c2ee4e089e2e	SHA1: 3329b14e18f66fd11881ba23b626dfb1d58c7e4f MD5: 003a976b169928872492c2ee4e089e2e SHA256: 04d8c0fd0f85b534c8a225be38e7bda9dc7edc248b1f6419fb64a99fde5b4b11 http://blog.talosintelligence.com/2017/09/threat-round-up-0825-0901.html
M17-ggl01	Doc.Dropper.Agent_cfe30780	Mixed	This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.	cfe307803873c0271adb73f63141ab38	SHA1: 751f91321c835d15d9c644da0cead19035d1c6ab MD5: cfe307803873c0271adb73f63141ab38 SHA256: aecf2b9c77b76f08c6a240cd5b0782f3abba0a872caea783f5105b3b3f42851a http://blog.talosintelligence.com/2017/09/threat-round-up-0825-0901.html
M17-hza01	Doc.Dropper.Agent_06e5c6e4	Mixed	This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.	06e5c6e4ea1d9fcc89dad6fc6e96c306	SHA1: cdb34592b1b0e4bfa9e239a5b4e82e05f37406df MD5: 06e5c6e4ea1d9fcc89dad6fc6e96c306 SHA256: d6ece69e9f8035de573411d57ea11e0bb22d243e0d47b620b9cb99793218b121 http://blog.talosintelligence.com/2017/09/threat-round-up-0825-0901.html
M17-wzu01	Doc.Macro.Obfuscation_576b8fff	Mixed	This strike sends a malware sample known as Doc.Macro.Obfuscation. This sample of Office Macro documents employ the same defensive techniques to prevent easy investigation. Much of the code is unused or not malicious in order to distract or slow the de-obfuscation process. The MD5 hash of this Doc.Macro.	576b8fff45897ff4997de4f454e95bb8	SHA1: cfd97986965f90150e655b5c164fefd7a67db9ef MD5: 576b8fff45897ff4997de4f454e95bb8 SHA256: b980586f7fe22ae71badba8d2b202115f98821b743593ca36e15387fbda4f361 http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html
M17-6bn01	Valyria_d2808446	Mixed	This strike sends a malware sample known as Valyria. This sample is a downloader that uses obfuscation in VBA to create a powershell download command and execute it with VBA shell.	d2808446ec0f9f213b0a78aa6d1bd88d	SHA1: 14607f94d3f421a917690ce96d895eb3f7fc8165 MD5: d2808446ec0f9f213b0a78aa6d1bd88d SHA256: 4c16cda58dbd96b74579eafe2a73740c6d98d588bdebee6a3830140d1326aafd http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html
M17-wdd01	Valyria_964666e5	Mixed	This strike sends a malware sample known as Valyria. This sample is a downloader that uses obfuscation in VBA to create a powershell download command and execute it with VBA shell.	964666e54eb5923a1425d090521df401	SHA1: b560d1d4744e069dc7de058d37974a9b068fc98a MD5: 964666e54eb5923a1425d090521df401 SHA256: 7291b9989f4ef506f1792dd4bae6d7f8b1d4f7c770295552a05acf38a41c0b26 http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html
M17-xlw01	Doc.Macro.Obfuscation_e4bc58de	Mixed	This strike sends a malware sample known as Doc.Macro.Obfuscation. This sample of Office Macro documents employ the same defensive techniques to prevent easy investigation. Much of the code is unused or not malicious in order to distract or slow the de-obfuscation process. The MD5 hash of this Doc.Macro.	e4bc58de75d4f80ee90cf233aa99f39c	SHA1: 013e2d8cdee0f81666fb3b962b0887dd3d5e83a0 MD5: e4bc58de75d4f80ee90cf233aa99f39c SHA256: d0b4b36c3c50c58869ae58f34c9d05c4ae8333e20d29b6c35d85cc85a5d7e38c http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html
M17-v9k01	Dinwood_0040cde3	Windows	This strike sends a malware sample known as Dinwood. Dinwood is a polymorphic dropper that copies itself to the root directory, and then removes itself. The modified versions drop the payload on a Windows system and then run it via dll injection.	0040cde3982b41cac39c6230b454a3ed	SHA1: 895b1fdf006bb36216b1d117670e440937269f70 MD5: 0040cde3982b41cac39c6230b454a3ed SHA256: 01b538e451a390f7cfcdc263355dca070ea1a578d083fa94762912cff36b226b http://blog.talosintelligence.com/2017/09/threat-round-up-0825-0901.html
M17-id401	Doc.Macro.Obfuscation_26ca2f0b	Mixed	This strike sends a malware sample known as Doc.Macro.Obfuscation. This sample of malware uses obfuscation in attempt to make quick code analysis difficult. Much of the code found in this sample is junk code that does not evaluate to a malicious function or purpose. The MD5 hash of this Doc.Macro.	26ca2f0b5f96b970aa8e73ea283856b4	SHA1: 103b85c1597d23e24938e057658fa6100363a978 MD5: 26ca2f0b5f96b970aa8e73ea283856b4 SHA256: 029923c7508a27907e2c88baf9cc2effa2f78e81f4728eae2c185935f2a51fbd http://blog.talosintelligence.com/2017/09/threat-round-up-0825-0901.html
M17-cu101	Symmi_c77921e9	Windows	This strike sends a malware sample known as Symmi. This sample creates binaries and then gains persistence by creating a scheduled task. It then adds a registry value that can be loaded into the user-mode processes on the system.	c77921e9d76e20f3388888545ebef11f	SHA1: 85ab9b47ab73a138a9df2a862792dc96cbbaa4d1 MD5: c77921e9d76e20f3388888545ebef11f SHA256: 54ac75db11197dc919f3574eefb88fe8b653de92ee5a6ed99cf00eb1b373d622 http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html
M17-ice01	Symmi_d26cbc38	Windows	This strike sends a malware sample known as Symmi. This sample creates binaries and then gains persistence by creating a scheduled task. It then adds a registry value that can be loaded into the user-mode processes on the system.	d26cbc382a8ce77063a1875819b079d6	SHA1: 84e292bac73e1cd04057de41b7faf7d8b7bbe68c MD5: d26cbc382a8ce77063a1875819b079d6 SHA256: 89c9a8a7f47bb27a175632ad48317b93fe8a2b59502c73371df48982168a70db http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html
M17-a6g01	TrickBot_2d6507ea	Mixed	This strike sends a malware sample known as TrickBot. TrickBot is a banking trojan which shares similarities with Dyre banking trojan. It is used by crooks to target customers of Australian banks.	2d6507eae46601952ee210566b902755	SHA1: fed75c646669a3468304cb6887d4c8e49c62a09f MD5: 2d6507eae46601952ee210566b902755 SHA256: 14ab690a2f5d4fd74f280804a1b59f5c5442c1280e79ee861e68a421cac80ce3 http://blog.talosintelligence.com/2017/09/threat-round-up-0825-0901.html
M17-fky01	Doc.Macro.Obfuscation_996cfaca	Mixed	This strike sends a malware sample known as Doc.Macro.Obfuscation. This sample of Office Macro documents employ the same defensive techniques to prevent easy investigation. Much of the code is unused or not malicious in order to distract or slow the de-obfuscation process. The MD5 hash of this Doc.Macro.	996cfaca2a0ceedea80355f8cae186c8	SHA1: 72114534b7418f66aa68db021c871afc437fd3d5 MD5: 996cfaca2a0ceedea80355f8cae186c8 SHA256: 179d8ad5e80d814aa8d04633ac9c624b60f2273e50dcd6ae5fd7441522ea714e http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html
M17-6ir01	Doc.Dropper.Agent_c5a6a2d9	Mixed	This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.	c5a6a2d9d381f6b9313af4171dc76cbe	SHA1: 71884c5c04383624da142a7f87865e7a7c844e79 MD5: c5a6a2d9d381f6b9313af4171dc76cbe SHA256: 220128b685d4e96e793756636e32257b8fd22e038890d8f194d1681343bea923 http://blog.talosintelligence.com/2017/09/threat-round-up-0825-0901.html
M17-kol01	Win.Trojan.Agent_0050d19b	Windows	This strike sends a malware sample known as Win.Trojan.Agent. This sample is a packed trojan that implements anti-VM defensive checks. It attempts to contact many external domains including VirusTotal. The MD5 hash of this Win.Trojan.	0050d19bd0e7d076fb5d7a0c12f6daeb	SHA1: 5361d96b95a35a230cb58b144b784460cdc90d51 MD5: 0050d19bd0e7d076fb5d7a0c12f6daeb SHA256: 8b20f9e78855218c693ade8a89b9c74487304df9bfdbcdbe8c65b05bfaa5b71b http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html
M17-9b401	AlmanCloud_077a70b6	Windows	This strike sends a malware sample known as AlmanCloud. This trojan implements many anti-debugging techniques. It is also able to infect USB drives, function as a keylogger, and ex-filtrate collected information by contacting remote servers.	077a70b6d6c784098d87fa1592173ac0	SHA1: 529f5229d94d1c4a86f0e03effc64fb6485d5aec MD5: 077a70b6d6c784098d87fa1592173ac0 SHA256: 64091a671d00602e4f81f987207ac2b16f5c3e86f98add903bf369b528db2d38 http://blog.talosintelligence.com/2017/09/threat-round-up-0825-0901.html
M17-53o01	Win.Trojan.Agent_005e3024	Windows	This strike sends a malware sample known as Win.Trojan.Agent. This sample is a packed trojan that implements anti-VM defensive checks. It attempts to contact many external domains including VirusTotal. The MD5 hash of this Win.Trojan.	005e30242048a0b9fbbe189b50850039	SHA1: c7c9feb8eb06f08080f097fa25de1384e86ce011 MD5: 005e30242048a0b9fbbe189b50850039 SHA256: b001932b6938223033229e9d5bfbb5754680ab786c927396bb540e1a6db1ba7a http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html
M17-mwd01	KHRAT_c50ac000	Windows	This strike sends a malware sample known as KHRAT. KHRAT is a remote access trojan that registers the target using the infected system's information (username, system language and IP). KHRAT also includes many features found in RATs like keylogging, remote access, and screenshot grabbing.	c50ac000a2cf07fc1d7892cd4ab33fe5	SHA1: 289172d8467432b331aac9d2b76ec2e7ba9eadec MD5: c50ac000a2cf07fc1d7892cd4ab33fe5 SHA256: c0baa57cbb66b8a86aac7d4eeab7a0dc1ecfb528d8e92a45bdb987d1cd5cb9b2 https://researchcenter.paloaltonetworks.com/2017/08/unit42-updated-khrat-malware-used-in-cambodia-attacks/
M17-gyh01	Symmi_790c7428	Windows	This strike sends a malware sample known as Symmi. This sample creates binaries and then gains persistence by creating a scheduled task. It then adds a registry value that can be loaded into the user-mode processes on the system.	790c7428b271a1ef2d37eaf8d961990a	SHA1: 2ad2cb9b04ad87ab8c2a2919a971ceb9e405fe5b MD5: 790c7428b271a1ef2d37eaf8d961990a SHA256: 5917eb033004f3a29a3ac843f9c90844cab3cf0520e78e8739cc8cbfff83ef02 http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html
M17-lyo01	Valyria_f8072467	Mixed	This strike sends a malware sample known as Valyria. This sample is a downloader that uses obfuscation in VBA to create a powershell download command and execute it with VBA shell.	f8072467999b75efb18a49ef75d6ef35	SHA1: 412b4ac24667820944ba7ed0a1925d5e863ef9b4 MD5: f8072467999b75efb18a49ef75d6ef35 SHA256: 764b5f6e36f12e80dd801db166f6c1357745a1c7a5526c00e1a1eb057624f56c http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html
M17-41a01	Win.Trojan.Agent_00949032	Windows	This strike sends a malware sample known as Win.Trojan.Agent. This sample is a packed trojan that implements anti-VM defensive checks. It attempts to contact many external domains including VirusTotal. The MD5 hash of this Win.Trojan.	00949032460ac6c050a200e46cd0e219	SHA1: bd17866c89a1285bf44dab8a88dab6280273e274 MD5: 00949032460ac6c050a200e46cd0e219 SHA256: 0e9eeedbc7e293a83b9ebc3929b033e8c2061bdbacd8f17cd29b12505d2e777b http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html
M17-fr101	Dinwood_002c356e	Windows	This strike sends a malware sample known as Dinwood. Dinwood is a polymorphic dropper that copies itself to the root directory, and then removes itself. The modified versions drop the payload on a Windows system and then run it via dll injection.	002c356ee05f789cad320ce2952e0645	SHA1: 91de512ade8f2c816d386f9ab884981c685f6827 MD5: 002c356ee05f789cad320ce2952e0645 SHA256: 07509506034c49b52314ee53984af6556396da7070c9d0069324f555f722db6d http://blog.talosintelligence.com/2017/09/threat-round-up-0825-0901.html
M17-6nt01	Win.Trojan.Agent_00277552	Windows	This strike sends a malware sample known as Win.Trojan.Agent. This sample is a packed trojan that implements anti-VM defensive checks. It attempts to contact many external domains including VirusTotal. The MD5 hash of this Win.Trojan.	002775524c9dc7c02bbcd1edd1b54551	SHA1: 99315ede38132d55042a997fdef55e193bedcff4 MD5: 002775524c9dc7c02bbcd1edd1b54551 SHA256: 5554e16e209aec408f7f7ba49caff85e568de76a05ebe41cf74002a7ca35d973 http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html
M17-rgg01	CC	Windows	This strike sends a malware sample known as CC Cleaner. This sample of CCleaner being distributed by Avast contains a malicious payload that features a domain generation algorithm and hard coded C2 functionality. The malicious payload may attempt to elevate privileges, or send an HTTP request to a remote controller in hopes to retrieve another stage payload.	d488e4b61c233293bec2ee09553d3a2f	SHA1: 7e9cfa3cca5000fe56e4cf5c660f7939487e531a MD5: d488e4b61c233293bec2ee09553d3a2f SHA256: 36b36ee9515e0a60629d2c722b006b33e543dce1c8c2611053e0651a0bfdb2e9 http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html
M17-9cs01	Ursnif_a542cadf	Windows	This strike sends a malware sample known as Ursnif. Ursnif or Gozi is a banking trojan. The malware is mainly spread through spam email that contains an attachment that downloads Ursnif. In the past year, Ursnif has been used in attacks against Japan.	a542cadf7596c079aaa8af466ad6420d	SHA1: 54a32630e976945efb06847d24353007414e711c MD5: a542cadf7596c079aaa8af466ad6420d SHA256: 46da8289c027a187b14826f3648d61c187398ad170ef60ec3311b5dae3b52d61 http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html
M17-ujc01	Symmi_c5c51ada	Windows	This strike sends a malware sample known as Symmi. This sample creates binaries and then gains persistence by creating a scheduled task. It then adds a registry value that can be loaded into the user-mode processes on the system.	c5c51adaf9772caa52caefdc53316ea1	SHA1: 67b8cf72c62bc230bf2e3d1b9ef6ab4c4d0c1b14 MD5: c5c51adaf9772caa52caefdc53316ea1 SHA256: 90e0adc73ca753d91fe32b1d3761c3f6f6e7216f3b77a87fdbe2a8e7f5e889fc http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html
M17-8rs01	Doc.Dropper.Agent_dd9a5d67	Mixed	This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.	dd9a5d67b7eb01fee1d59ffa4b3ffab9	SHA1: 55d7c07048b67b3f222e0e25c7ad5636ed043976 MD5: dd9a5d67b7eb01fee1d59ffa4b3ffab9 SHA256: 946def9e50a762ef29de5b56086d976f26446f0bcb5f2590c0354eae1318e0fb http://blog.talosintelligence.com/2017/09/threat-round-up-0825-0901.html
M17-9mn01	AlmanCloud_22eadb47	Windows	This strike sends a malware sample known as AlmanCloud. This trojan implements many anti-debugging techniques. It is also able to infect USB drives, function as a keylogger, and ex-filtrate collected information by contacting remote servers.	22eadb476b05c6651d0f4d749d3fa12c	SHA1: f64ea56b8d17c4f74014b334f6ccf22479ee007e MD5: 22eadb476b05c6651d0f4d749d3fa12c SHA256: f095ae655db18fb27667ece1c168b97d42b1b164991cda154022d6f8e270cd49 http://blog.talosintelligence.com/2017/09/threat-round-up-0825-0901.html
M17-i2601	AlmanCloud_01826241	Windows	This strike sends a malware sample known as AlmanCloud. This trojan implements many anti-debugging techniques. It is also able to infect USB drives, function as a keylogger, and ex-filtrate collected information by contacting remote servers.	0182624172186eb3dafb5d7ed0498d2d	SHA1: 646852a14508e66dfb233fd2aeeaf24b0b9c219c MD5: 0182624172186eb3dafb5d7ed0498d2d SHA256: 9727223d176381c88f6f5f17a2e7f99981eaba31282a41c1ceb3158bccbe08f4 http://blog.talosintelligence.com/2017/09/threat-round-up-0825-0901.html
M17-9jc01	CC	Windows	This strike sends a malware sample known as CC Cleaner. This sample of CCleaner being distributed by Avast contains a malicious payload that features a domain generation algorithm and hard coded C2 functionality. The malicious payload may attempt to elevate privileges, or send an HTTP request to a remote controller in hopes to retrieve another stage payload.	ef694b89ad7addb9a16bb6f26f1efaf7	SHA1: 8983a49172af96178458266f93d65fa193eaaef2 MD5: ef694b89ad7addb9a16bb6f26f1efaf7 SHA256: 6f7840c77f99049d788155c1351e1560b62b8ad18ad0e9adda8218b9f432f0a9 http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html
M17-w7x01	Valyria_ecf099eb	Mixed	This strike sends a malware sample known as Valyria. This sample is a downloader that uses obfuscation in VBA to create a powershell download command and execute it with VBA shell.	ecf099eb816d2213cab3275fef9c1f36	SHA1: c2a1202fffba49db6bd61416426f8ce1210927e7 MD5: ecf099eb816d2213cab3275fef9c1f36 SHA256: c9210ef989809971703aea1b0d12b83aa85fcc7e0547b877b6645456d4945051 http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html
M17-xyd01	Symmi_17f82b7e	Windows	This strike sends a malware sample known as Symmi. This sample creates binaries and then gains persistence by creating a scheduled task. It then adds a registry value that can be loaded into the user-mode processes on the system.	17f82b7e4d2ccf2961723b618718b6b1	SHA1: bf85eaa67e3d9a245ce8007f48431a680b510acd MD5: 17f82b7e4d2ccf2961723b618718b6b1 SHA256: e7eb60dd2d0830ae2d42a913afc5db98392a3d5846ef85ac32ec6fdd08b67fae http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html
M17-yfn01	Win.Trojan.Agent_00c2bc5d	Windows	This strike sends a malware sample known as Win.Trojan.Agent. This sample is a packed trojan that implements anti-VM defensive checks. It attempts to contact many external domains including VirusTotal. The MD5 hash of this Win.Trojan.	00c2bc5d80f45c3b8037e836f1b5bd05	SHA1: f2d4cef0eacb04916145c516b54b21976fb029c4 MD5: 00c2bc5d80f45c3b8037e836f1b5bd05 SHA256: e26c807c8e5d5ba8b41de497a24da81b8db0325a0a2c64bb04ee7beaae12904b http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html
M17-r7z01	Doc.Macro.Obfuscation_31ce45bf	Mixed	This strike sends a malware sample known as Doc.Macro.Obfuscation. This sample of Office Macro documents employ the same defensive techniques to prevent easy investigation. Much of the code is unused or not malicious in order to distract or slow the de-obfuscation process. The MD5 hash of this Doc.Macro.	31ce45bf6918f47021883ab2504aca92	SHA1: c5ba18668ba3ed15dff5aca4db3df65e7936f2f2 MD5: 31ce45bf6918f47021883ab2504aca92 SHA256: e9e03d8cf474e69197beefecdb5db453740cb4349535dffe4476febee8e5fc8b http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html
M17-2qk01	Ursnif_abd41cab	Windows	This strike sends a malware sample known as Ursnif. Ursnif or Gozi is a banking trojan. The malware is mainly spread through spam email that contains an attachment that downloads Ursnif. In the past year, Ursnif has been used in attacks against Japan.	abd41cabaa8f3fe7226fba448bc45475	SHA1: 1849bd805c912020813a716f35c6397ea9badcaa MD5: abd41cabaa8f3fe7226fba448bc45475 SHA256: a753a288318dd38709ac1c26374cdc1fdb930b8476788d2868a1cae79cc8f352 http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html
M17-hnt01	Symmi_f909499e	Windows	This strike sends a malware sample known as Symmi. This sample creates binaries and then gains persistence by creating a scheduled task. It then adds a registry value that can be loaded into the user-mode processes on the system.	f909499e19691eb9ede4181e826a7111	SHA1: 071120745948d256e4414fde30e48ba6741f5959 MD5: f909499e19691eb9ede4181e826a7111 SHA256: 848993b12b05369d0873975aded55f837dc0a583c3839c05abe96bc4c3b68408 http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html
M17-z0z01	Dinwood_000d8fb3	Windows	This strike sends a malware sample known as Dinwood. Dinwood is a polymorphic dropper that copies itself to the root directory, and then removes itself. The modified versions drop the payload on a Windows system and then run it via dll injection.	000d8fb3bc12e893c8ad4afbfbdcc882	SHA1: f95b1b440de794740afa37265cec6b4015c82143 MD5: 000d8fb3bc12e893c8ad4afbfbdcc882 SHA256: 026a7284b6420e06f20e683054e0ed01a0afa14321fe4094c14bdb63a46ee17f http://blog.talosintelligence.com/2017/09/threat-round-up-0825-0901.html
M17-azg01	Symmi_c4244e71	Windows	This strike sends a malware sample known as Symmi. This sample creates binaries and then gains persistence by creating a scheduled task. It then adds a registry value that can be loaded into the user-mode processes on the system.	c4244e71742e40a6017c9445fd52196f	SHA1: df0ca4092c9340c70305ec2c747e025f88b56743 MD5: c4244e71742e40a6017c9445fd52196f SHA256: e5a8eba740a5acc1a6b5e11bb64be0be88a8556e48d78c292732048fa2c56003 http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html
M17-wvg01	Symmi_cf599f0b	Windows	This strike sends a malware sample known as Symmi. This sample creates binaries and then gains persistence by creating a scheduled task. It then adds a registry value that can be loaded into the user-mode processes on the system.	cf599f0bc92301b76e8ba08448dfae4f	SHA1: 61de01da90610855570a8a6bc23e040f87988187 MD5: cf599f0bc92301b76e8ba08448dfae4f SHA256: d8a3df456b94acea22b8ebeb4f7f860687dd6ab4ac2b687631b63342f7cbf927 http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html
M17-adj01	Dinwood_000bf3ec	Windows	This strike sends a malware sample known as Dinwood. Dinwood is a polymorphic dropper that copies itself to the root directory, and then removes itself. The modified versions drop the payload on a Windows system and then run it via dll injection.	000bf3eca7e8fe285670e4aefbe855fc	SHA1: 6ca9d250b3418f26a6c197ace6552913ea0531f1 MD5: 000bf3eca7e8fe285670e4aefbe855fc SHA256: 002eb4fddf6e8f9165e28694da6f368626282bd7e99c11f1eaeb365339c2331a http://blog.talosintelligence.com/2017/09/threat-round-up-0825-0901.html
M17-k7n01	Cmig_b830f976	Windows	This strike sends a malware sample known as Cmig. This sample is a packer that has been known to obfuscate malicious banking trojans.	b830f976ffac2770008c63aaf5641b87	SHA1: 075d2de8b270726c5a64ea8b20dffe69251c0586 MD5: b830f976ffac2770008c63aaf5641b87 SHA256: 01f78108dacea6db392dfc6700e987754cb15aaab6f8ff85ae9349f4fcef1044 http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html
M17-tzt01	Valyria_ac6e83a2	Mixed	This strike sends a malware sample known as Valyria. This sample is a downloader that uses obfuscation in VBA to create a powershell download command and execute it with VBA shell.	ac6e83a24b2fd4de9b814e69fd6870ef	SHA1: 56f1ac2c336a9a0f9d1dc9954d21379255cdfa22 MD5: ac6e83a24b2fd4de9b814e69fd6870ef SHA256: 68edb052cd861ebe7dad58a9923723c1ed711ec4d965ba13a3cf10d70a90d11f http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html
M17-lql01	Doc.Macro.Obfuscation_5299474f	Mixed	This strike sends a malware sample known as Doc.Macro.Obfuscation. This sample of malware uses obfuscation in attempt to make quick code analysis difficult. Much of the code found in this sample is junk code that does not evaluate to a malicious function or purpose. The MD5 hash of this Doc.Macro.	5299474fafb2174b2801c89fe031b6ee	SHA1: b3397dad810ba72830b64d4119547e840118ecf8 MD5: 5299474fafb2174b2801c89fe031b6ee SHA256: 0009657099e7e3f555a68ae39827099905339f5dafe648585175de089a75ba6b http://blog.talosintelligence.com/2017/09/threat-round-up-0825-0901.html
M17-y4901	Cmig_b66821a4	Windows	This strike sends a malware sample known as Cmig. This sample is a packer that has been known to obfuscate malicious banking trojans.	b66821a4cb87c0ed62ad555b3c584940	SHA1: d7f10540662be4519820502b85c5be815bf8441d MD5: b66821a4cb87c0ed62ad555b3c584940 SHA256: 09e7612bce428fb51593cfc286d7e9904a1c372771a7ad1870538a4a72046d15 http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html
M17-hcq01	Symmi_c9bf66c3	Windows	This strike sends a malware sample known as Symmi. This sample creates binaries and then gains persistence by creating a scheduled task. It then adds a registry value that can be loaded into the user-mode processes on the system.	c9bf66c360c0ae03ddeb0de5b7a14195	SHA1: 3b57a2cecaad3a9f076a23e9341d51ca2ae5f419 MD5: c9bf66c360c0ae03ddeb0de5b7a14195 SHA256: 4395a481c0e8afbc60cd6bf4eef233bb2067485581a47e56ff310cb7466ee681 http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html
M17-p9801	Symmi_b0ccbd7d	Windows	This strike sends a malware sample known as Symmi. This sample creates binaries and then gains persistence by creating a scheduled task. It then adds a registry value that can be loaded into the user-mode processes on the system.	b0ccbd7d8de4c43519a83698d2333619	SHA1: a7e63a2ecc47b32c1badc3c9db5d931d1a963ecf MD5: b0ccbd7d8de4c43519a83698d2333619 SHA256: 5542e1e52c63ceea56446d3c2f1f9c12adc60033d92289bb5d3450a40e02acd5 http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html
M17-3il01	Doc.Dropper.Agent_ab44534b	Mixed	This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.	ab44534b2475aaabd212812a65b0ed4c	SHA1: c411b88ef70806cd541faffed736c15a569f8283 MD5: ab44534b2475aaabd212812a65b0ed4c SHA256: a4ad5629d490b466e4e62bf9048968ff45466c73849609b64d6617bf32e5cc5f http://blog.talosintelligence.com/2017/09/threat-round-up-0825-0901.html
M17-ix501	Doc.Dropper.Agent_1e5612c8	Mixed	This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.	1e5612c8d23ad7985db786a559902484	SHA1: d92280da11d8187bafdfba9b3986faaaee1378ce MD5: 1e5612c8d23ad7985db786a559902484 SHA256: 56ef4bb6608968653af98649fddf204933134038b6b27b118ebedcdc5ec5af0e http://blog.talosintelligence.com/2017/09/threat-round-up-0825-0901.html
M17-6kv01	Doc.Macro.Obfuscation_0c2a84a0	Mixed	This strike sends a malware sample known as Doc.Macro.Obfuscation. This sample of Office Macro documents employ the same defensive techniques to prevent easy investigation. Much of the code is unused or not malicious in order to distract or slow the de-obfuscation process. The MD5 hash of this Doc.Macro.	0c2a84a0ecf34bb63e4a4a847816a5d5	SHA1: 341bbc3fe0c86f0ea43bc61b039306e52d3870ab MD5: 0c2a84a0ecf34bb63e4a4a847816a5d5 SHA256: 9416f466a01d60b4bccaf8658b0a78bbe84a8de3a1bc1abb77e541e224a6c197 http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html
M17-ufp01	Doc.Macro.Obfuscation_e24e5f44	Mixed	This strike sends a malware sample known as Doc.Macro.Obfuscation. This sample of malware uses obfuscation in attempt to make quick code analysis difficult. Much of the code found in this sample is junk code that does not evaluate to a malicious function or purpose. The MD5 hash of this Doc.Macro.	e24e5f4477ee3b4f77e951b0b99b359b	SHA1: de4347bf6488b7db3c250e707d6c88a0d283a8a5 MD5: e24e5f4477ee3b4f77e951b0b99b359b SHA256: 9ef470811ceaab0d47bb4b8e0abdf7d783902c208fedda35f8292b60af7f6870 http://blog.talosintelligence.com/2017/09/threat-round-up-0825-0901.html
M17-kro01	Win.Trojan.Agent_0084b3b7	Windows	This strike sends a malware sample known as Win.Trojan.Agent. This sample is a packed trojan that implements anti-VM defensive checks. It attempts to contact many external domains including VirusTotal. The MD5 hash of this Win.Trojan.	0084b3b7ac8f9daccbc9bc6cc4b119ae	SHA1: a0ff2c9d5a5eed9ff045f15febf20660d279e067 MD5: 0084b3b7ac8f9daccbc9bc6cc4b119ae SHA256: 768ef3bae40d69715d2cfe3948fe3e9b0adb047525e8fa6d067269e859d0832b http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html
M17-5yj01	Valyria_bc958404	Mixed	This strike sends a malware sample known as Valyria. This sample is a downloader that uses obfuscation in VBA to create a powershell download command and execute it with VBA shell.	bc95840460783481f560e5d18e33e11e	SHA1: 50ad996b1252fb59d7b167e37c2ea1c4b8ea0e8d MD5: bc95840460783481f560e5d18e33e11e SHA256: 568f8b461fe97728ebca0231b5b8b00bc85de9909ab83c7d2fc60d134739819f http://blog.talosintelligence.com/2017/09/threat-round-up-0908-0915.html
M17-9cx01	Dinwood_003066e7	Windows	This strike sends a malware sample known as Dinwood. Dinwood is a polymorphic dropper that copies itself to the root directory, and then removes itself. The modified versions drop the payload on a Windows system and then run it via dll injection.	003066e75cffbd470f01f06d60f16a71	SHA1: 28ffad992e26cfc2125a2fbbacc72789bf67e61c MD5: 003066e75cffbd470f01f06d60f16a71 SHA256: 050e9daae7c0778e00b17a71d70f34a9ec60c7ac1d309d53ffd23e7a74f81b2e http://blog.talosintelligence.com/2017/09/threat-round-up-0825-0901.html
M17-oow01	KHRAT_2ef97f48	Windows	This strike sends a malware sample known as KHRAT. KHRAT is a remote access trojan that registers the target using the infected system's information (username, system language and IP). KHRAT also includes many features found in RATs like keylogging, remote access, and screenshot grabbing.	2ef97f487c288d71f26d433b7e9196f8	SHA1: 4203c2934882a070599f6c0a1cefe1afd5721462 MD5: 2ef97f487c288d71f26d433b7e9196f8 SHA256: de4ab35a2de67832298f5eb99a9b626a69d1beca78aaffb1ce62ff54b45c096a https://researchcenter.paloaltonetworks.com/2017/08/unit42-updated-khrat-malware-used-in-cambodia-attacks/

Malware Strikes August - 2017

Strike ID	Malware	Platform	Info	MD5	External References
M17-rf601	Cryptocurrency	Windows	This strike sends a malware sample known as Cryptocurrency Coinminer Troja. This sample is part of the Cryptocurrency miner malware that utilizes WMI scripts and the EternalBlue MS17-010 exploit to compromise a system. This sample downloads the actual coin mining payload. The malware uses the vulnerability to drop a FORSHARE backdoor on the system, and then proceeds to use the WMI scripts to connect to the C2 servers to retrieve instructions along with various other components.	c0602223c09e444c537b0445d6563304	SHA1: c7c374073b9631c2ce0345a9ff79bb353bd507c1 MD5: c0602223c09e444c537b0445d6563304 SHA256: 674f2df2cdadab5be61271550605163a731a2df8f4c79732481cad532f00525d http://blog.trendmicro.com/trendlabs-security-intelligence/cryptocurrency-miner-uses-wmi-eternalblue-spread-filelessly/
M17-q7k01	Ovidiy_781e41b5	Windows	This strike sends a malware sample known as Ovidiy. Ovidiy is a modular Windows credentials stealer trojan that targets web browser credentials. The Ovidiy trojan samples have been associated with .NET packers and binaries.	781e41b558870a28624b892ff028102d	SHA1: 83449bf8ae20e93de938a1c9b42a46e831737c04 MD5: 781e41b558870a28624b892ff028102d SHA256: 062bd1d88e7b5c08444de559961f68694a445bc69807f57aa4ac581c377bc432 http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html
M17-ovt01	Doc.Dropper.Agent_158e958e	Mixed	This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.	158e958e488b5ba8404c87e34816de66	SHA1: 597aed9722e33e86431415bb81e8b15929d0354b MD5: 158e958e488b5ba8404c87e34816de66 SHA256: 3ca148e6d17868544170351c7e0dbef38e58de9435a2f33fe174c83ea9a5a7f5 http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html
M17-eea01	Doc.Dropper.Agent_b7ae96ba	Mixed	This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.	b7ae96ba7a0518bb197d404d0ec6352a	SHA1: 77404b76af23551c9fdad5fbc4bfab161517f0b0 MD5: b7ae96ba7a0518bb197d404d0ec6352a SHA256: 9859e621b4d259798b2813377f9cd1736497f51cb501c6b3ea44ccae57d4e4fa http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html
M17-y3401	Doc.Dropper.Agent_852fe2e7	Mixed	This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.	852fe2e75d4131cd0de58ad6d623c0f8	SHA1: c406fa3b4b71c624ad39505fdd6a1b0254a9f961 MD5: 852fe2e75d4131cd0de58ad6d623c0f8 SHA256: 0419cd8e5884e2918c5f0746d54efe2e2d9f0385523ecdbc395200df4004d87a http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html
M17-cum01	Tinba_a0793f80	Windows	This strike sends a malware sample known as Tinba. Tinba is a banking trojan that steals information via Javascript injected into web browsers.	a0793f809380a045902330de7f5ed36e	SHA1: 6f6cf5bd484222ba1cd61855e7b46221e4bf9ae4 MD5: a0793f809380a045902330de7f5ed36e SHA256: e2776a037dcad9e2c752ac4f07dfae0412312ba9b1b748a48922ed572f83eb9c http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html
M17-zxo01	Doc.Dropper.Agent_e7de7c5b	Mixed	This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.	e7de7c5b0623ee1e9d7bf10a597d6aab	SHA1: 9418fdb83b346e32af734e3f734c884d463ab75b MD5: e7de7c5b0623ee1e9d7bf10a597d6aab SHA256: c7cab605153ac4718af23d87c506e46b8f62ee2bc7e7a3e6140210c0aeb83d48 http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html
M17-p0m01	Doc.Dropper.Agent_7820df79	Mixed	This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.	7820df7937afbc1ef18b3a18abcc7d9c	SHA1: ef81f57b49d5c3a54d6a15c7ae54e7a9e02b28e2 MD5: 7820df7937afbc1ef18b3a18abcc7d9c SHA256: 190cda0ade0c0348786652b7ee12fde595e12ab561d893224cfdafbd58ec7b75 http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html
M17-3gm01	Nitol_2adf8db9	Windows	This strike sends a malware sample known as Nitol. The Nitol malware performs DDoS attacks. It is placed into a Windows directory and then creates a registry key to maintain persistence on the system.	2adf8db977ce00b903b2a43cf1f4be66	SHA1: 26d5b5bc60fd7ce5c5a5c7719fe0ec2be480dbb6 MD5: 2adf8db977ce00b903b2a43cf1f4be66 SHA256: e018f2cb152ab5c9bedef63a760b223eb91e965703a691877550ca390e46ea84 http://blog.talosintelligence.com/2017/08/threat-roundup-0728-0804.html
M17-vsa01	Doc.Dropper.Agent_36a2704a	Mixed	This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.	36a2704a797a519a59c3ee18795323e9	SHA1: 6c2ae5ce67260fb509749dc9a54df9040ab036fb MD5: 36a2704a797a519a59c3ee18795323e9 SHA256: 1c364ed502fa3710d9fa3c5a4a2ac6688bea3610acee2a6f958220d8ffca908b http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html
M17-29j01	Doc.Dropper.Agent_3b11cbc5	Mixed	This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.	3b11cbc51f04dceee2bcf42e62a312e5	SHA1: a9a1e738d1d5895e45c61570c8163170c04ff61e MD5: 3b11cbc51f04dceee2bcf42e62a312e5 SHA256: 4e812653205426b75038ce2796be5b254b61ee02da376462f3ad1ac23d898282 http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html
M17-wg401	Doc.Dropper.Agent_ae811c13	Mixed	This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.	ae811c137b5531cd1c375447160de2a2	SHA1: 85d46dd184ef2ad4432e57056622d5d7156bee44 MD5: ae811c137b5531cd1c375447160de2a2 SHA256: 9f404502e944f4cd76b902abf67717054732528a9399e23b3d90e2825316818d http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html
M17-16a01	Madangel_c70d2230	Windows	This strike sends a malware sample known as Madangel. Madangel is a trojan that replicates through network shares and eventually connects to a command and control server to download other malicious executables.	c70d2230d3c03574f1a18cda499fa139	SHA1: d4f5364e4e9009d1bd305b8b24b1517c0e290bed MD5: c70d2230d3c03574f1a18cda499fa139 SHA256: 4080076d8016be14b7493a4fd365b03073ae90cba70590b25039ef76b2d36aea http://blog.talosintelligence.com/2017/08/threat-roundup-0728-0804.html
M17-sh001	Doc.Dropper.Agent_eeb40d0c	Mixed	This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.	eeb40d0c6f5e98c31f51fde1f08a50ac	SHA1: be8d00132821f6fcc2d3e7378dde12f9ef93d35d MD5: eeb40d0c6f5e98c31f51fde1f08a50ac SHA256: c3e6a58e8a68518ffb43ee9026508b6520016e8d7096bf94ec2d1ed5cd328d76 http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html
M17-a5701	Doc.Dropper.Agent_916a67bb	Mixed	This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.	916a67bb0988d5b2681883a6a0a8d8bb	SHA1: c1ccd6edf3187b883a8f484cd1294c8ed5570549 MD5: 916a67bb0988d5b2681883a6a0a8d8bb SHA256: a31cbc1ce4abaa2ba7cab9ff97e1f647c3b1264c9cb7db0e20c74d151db2634d http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html
M17-k5w01	Doc.Dropper.Agent_333b1bfc	Mixed	This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.	333b1bfc685eac9c35aba5786e63d996	SHA1: 95a2432922cb25bfe6ae608bbac49f0bdefcdf94 MD5: 333b1bfc685eac9c35aba5786e63d996 SHA256: d52318c1f83d086fcb94b8ae7288f2acb85f6e441c66a3f1d09365a1018c80bd http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html
M17-g8n01	Upatre_877e2c25	Windows	This strike sends a malware sample known as Upatre. Upatre is a downloader used in exploit kits that retrieves a variety of malicious executables for the target to execute.	877e2c25a545d334aea454f8a3b17530	SHA1: 7640ea6e303d93dc08c107040cde76e69a4bbfa1 MD5: 877e2c25a545d334aea454f8a3b17530 SHA256: ec439a41172d7683ee803e336e4b175b8baebc8d4ceed40c6b63b5649d7855ff http://blog.talosintelligence.com/2017/08/threat-roundup-0728-0804.html
M17-rm101	Doc.Dropper.Agent_98e2266b	Mixed	This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.	98e2266bd624e77261d0383fa149a0d3	SHA1: 4a731838e923d397f25f11bb7d779c6da877f905 MD5: 98e2266bd624e77261d0383fa149a0d3 SHA256: 712a907f98efa76de2b349c90084fbef6d40d9df32a41df98fc62e19fab5329d http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html
M17-hwe01	Doc.Dropper.Agent_2e05637a	Mixed	This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.	2e05637abc17d9dda037ed9ee0c4f5c4	SHA1: edc746ef3e467ef639bac38621b3711db774789a MD5: 2e05637abc17d9dda037ed9ee0c4f5c4 SHA256: 09f89667dbbd0f72478f317aed5196f743693190aa3afe1f1cfccc67dad88fb6 http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html
M17-jqq01	Cryptocurrency	Mixed	This strike sends a malware sample known as Cryptocurrency Coinminer Troja. This sample is a Cryptocurrency miner malware that utilizes WMI scripts and the EternalBlue MS17-010 exploit to compromise a system. The malware uses the vulnerability to drop a FORSHARE backdoor on the system, and then proceeds to use the WMI scripts to connect to the C2 servers to retrieve instructions along with various other components.	830b8dc142f16aa928ada0e271a58572	SHA1: 53267b43122ed52aba6ec9faa50397f311a295e8 MD5: 830b8dc142f16aa928ada0e271a58572 SHA256: 6315657fd523118f51e294e35158f6bd89d032b26fe7749a4de985edc81e5f86 http://blog.trendmicro.com/trendlabs-security-intelligence/cryptocurrency-miner-uses-wmi-eternalblue-spread-filelessly/
M17-r6w01	Upatre_3882bc98	Windows	This strike sends a malware sample known as Upatre. Upatre is a downloader used in exploit kits that retrieves a variety of malicious executables for the target to execute.	3882bc98466ecdda4864bba0dea11815	SHA1: e47bc8a49aef6b42912740ad165c6b2a477234d0 MD5: 3882bc98466ecdda4864bba0dea11815 SHA256: 5f2c8ac317bf4d58610c803c01c95d358cb25600f632644e01d5c31a74fd2554 http://blog.talosintelligence.com/2017/08/threat-roundup-0728-0804.html
M17-ykc01	Doc.Dropper.Agent_372f877c	Mixed	This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.	372f877c900f6fdd3d14c9d451972eea	SHA1: bc8cbb4da5b16d8dbcc36dc38d0e5be8761dace3 MD5: 372f877c900f6fdd3d14c9d451972eea SHA256: 366f1f331e940a462447e2b4abe9196ae7b977d281c2b9fe5e19bb0c2927b705 http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html
M17-lhl01	Doc.Dropper.Agent_867c1b3d	Mixed	This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.	867c1b3d8fbede2e4d888330a624abdd	SHA1: 8f6cc7dfcc105a47df2d8a269dae86410d1b2eae MD5: 867c1b3d8fbede2e4d888330a624abdd SHA256: bf958c7ba44b9dfdcba50eeb6f7b59fe3bd2948f1ab1a7c8ee0f162b7cac3b2c http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html
M17-vwh01	Upatre_12c5301e	Windows	This strike sends a malware sample known as Upatre. Upatre is a downloader used in exploit kits that retrieves a variety of malicious executables for the target to execute.	12c5301ef9525dc629dfd839d35b8edf	SHA1: 5f54f8a1b198c5f16db41c9b919e054e4b565c23 MD5: 12c5301ef9525dc629dfd839d35b8edf SHA256: 9d4effa16fa83e12179a674966af8a49bb592fa58de53ee2866f5ceda8206733 http://blog.talosintelligence.com/2017/08/threat-roundup-0728-0804.html
M17-yth01	Doc.Dropper.Agent_ca8d0bce	Mixed	This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.	ca8d0bce7c253674c7351b4d5180d593	SHA1: af9a3b26e6ece959cdd4ede2bc9b57369d7f033d MD5: ca8d0bce7c253674c7351b4d5180d593 SHA256: bec41e3e8d3093b58170d743ca905af81ed745a4828a42a9d39cd3373252a84d http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html
M17-pn201	Doc.Dropper.Agent_09c2547f	Mixed	This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.	09c2547faec5def76969da50521e3dda	SHA1: f07cee0b7c61098b95091e47d0b663347c1683a7 MD5: 09c2547faec5def76969da50521e3dda SHA256: 5dd873a5cd07c4ac6edc7bfad7c92e1111cbddab5e72de96291e2990e0ab62e0 http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html
M17-xfw01	Doc.Dropper.Agent_6f23cef1	Mixed	This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.	6f23cef17d1f1a9f1b2972f1e86aa7e6	SHA1: b752f94dcf23d8aab927985875c425beb1f1db18 MD5: 6f23cef17d1f1a9f1b2972f1e86aa7e6 SHA256: cad134945e7f20e99efed18650d4a7c573f8902b32c10ae89639518f94e646d0 http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html
M17-iir01	Upatre_e27f5105	Windows	This strike sends a malware sample known as Upatre. Upatre is a downloader used in exploit kits that retrieves a variety of malicious executables for the target to execute.	e27f5105a7a08cbd93412bf625d7ea2e	SHA1: cf7b20862f86fe0d1c6fb7e8e1667f5f3ff240ac MD5: e27f5105a7a08cbd93412bf625d7ea2e SHA256: 75309ff6942162fa19e4c7d430456a699cbee26106afeffc71f02325c9ab37c4 http://blog.talosintelligence.com/2017/08/threat-roundup-0728-0804.html
M17-fk501	Upatre_0155d835	Windows	This strike sends a malware sample known as Upatre. Upatre is a downloader used in exploit kits that retrieves a variety of malicious executables for the target to execute.	0155d835f1376b33091549bba14ae9a2	SHA1: 55df4b36cb8812baef77f451e7e357d5effe2530 MD5: 0155d835f1376b33091549bba14ae9a2 SHA256: c9975f106e8e0e7ceee70bd285159226e7687076a0e3b84c525a953657f6b1ff http://blog.talosintelligence.com/2017/08/threat-roundup-0728-0804.html
M17-f5601	Tinba_b3b81927	Windows	This strike sends a malware sample known as Tinba. Tinba is a banking trojan that steals information via Javascript injected into web browsers.	b3b819273aae385b7c2595406848d286	SHA1: 582b67bdd458d904a2e4d9b5943492ffe8850c27 MD5: b3b819273aae385b7c2595406848d286 SHA256: 0ce6189ecd16fbf2f885a8516836c7bb9d0685f6ff2c4a3df80e236ef5d0d803 http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html
M17-upd01	Expiro_d553e02a	Windows	This strike sends a malware sample known as Expiro. Expiro is a trojan that implements anti-debugging techniques, and this sample needs a correct sandbox environment in order to execute.	d553e02a4a7d3840c8fc361ae5f1be31	SHA1: b5170b5fa1067ca043cb0eac7cae0a3a99253a78 MD5: d553e02a4a7d3840c8fc361ae5f1be31 SHA256: 5ffa0097ebcba0e1921c6607a644e2649532ae07b1c7d6533a3cbef52ee51620 http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html
M17-eb701	Doc.Dropper.Agent_1c90b3ba	Mixed	This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.	1c90b3ba01aca0d7b8665046713a8bec	SHA1: f951e821cf06d1c6aa1a5daa4fdaa34a7e8a0f8e MD5: 1c90b3ba01aca0d7b8665046713a8bec SHA256: d076c672bdb9bd3b738edb882560482bebde469d02acd1ccda11e9c9cb6feaeb http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html
M17-35q01	Doc.Dropper.Agent_cd213d4d	Mixed	This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.	cd213d4d9aceca22a36b16b6557ca3fe	SHA1: 21c66b0e787f728c259accc05a5c6dc699629232 MD5: cd213d4d9aceca22a36b16b6557ca3fe SHA256: 3d081fe6a220b546af09139fda7deceb5e7f16b52fb47d15ff4e69bab9175734 http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html
M17-tvs01	Tinba_a710326a	Windows	This strike sends a malware sample known as Tinba. Tinba is a banking trojan that steals information via Javascript injected into web browsers.	a710326a2b1b0a9a8c8f5d8832c57774	SHA1: 4101db06545b0353212a5652e0150220f8f76274 MD5: a710326a2b1b0a9a8c8f5d8832c57774 SHA256: 7bbd6d3d6bf6e991e023395e3cb31c18b2a106eef036ad175736a17fb1099b39 http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html
M17-n1401	Doc.Dropper.Agent_891cf7a1	Mixed	This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.	891cf7a1cb04a6f1e4dabe62240936c7	SHA1: 9e244e7dbe98eee7a8e3cbf4dec1b1679ef7e15b MD5: 891cf7a1cb04a6f1e4dabe62240936c7 SHA256: 94395a2b7bd0a120b55e39b3107f934f9b76faa9e2679dbae1237f69f2c3f1b9 http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html
M17-rtf01	Nitol_af18639b	Windows	This strike sends a malware sample known as Nitol. The Nitol malware performs DDoS attacks. It is placed into a Windows directory and then creates a registry key to maintain persistence on the system.	af18639bcb54e3b8994f64afebe1df75	SHA1: de57bed4cc85493ad73cd029b0b78b7bb25f1990 MD5: af18639bcb54e3b8994f64afebe1df75 SHA256: 2136e6be115617349992b506aced588dced1f5496e97443dfcc31344873f624d http://blog.talosintelligence.com/2017/08/threat-roundup-0728-0804.html
M17-8m701	Doc.Dropper.Agent_5d458bd7	Mixed	This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.	5d458bd72860af93a84d85b80aef6670	SHA1: 696bcd52db26baac027288287320c3be85e11d09 MD5: 5d458bd72860af93a84d85b80aef6670 SHA256: 0e5240bf70e304781511de29a000c308f675d6209735c118cd0054b519eaa096 http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html
M17-o7301	Tinba_af05ee63	Windows	This strike sends a malware sample known as Tinba. Tinba is a banking trojan that steals information via Javascript injected into web browsers.	af05ee6361a30887457d465697a5c047	SHA1: 6f665e285b07b77f887ecef080debd77a9b3a1b8 MD5: af05ee6361a30887457d465697a5c047 SHA256: 856ed534a7c32ab7799756c33f7ee104718c89add001428a41dc57e8449167c8 http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html
M17-osn01	Cryptocurrency	Mixed	This strike sends a malware sample known as Cryptocurrency Coinminer Troja. This sample is a Cryptocurrency miner malware that utilizes WMI scripts and the EternalBlue MS17-010 exploit to compromise a system. The malware uses the vulnerability to drop a FORSHARE backdoor on the system, and then proceeds to use the WMI scripts to connect to the C2 servers to retrieve instructions along with various other components.	98d615c222293ca937ab4b1b4a7c8118	SHA1: bec02c55c98612ee716bb5956f68e0dd27cf0afc MD5: 98d615c222293ca937ab4b1b4a7c8118 SHA256: 8c5bb89596cd732af59693b8da021a872fee9b3696927b61d4387b427834c461 http://blog.trendmicro.com/trendlabs-security-intelligence/cryptocurrency-miner-uses-wmi-eternalblue-spread-filelessly/
M17-iqw01	Tinba_ac897bac	Windows	This strike sends a malware sample known as Tinba. Tinba is a banking trojan that steals information via Javascript injected into web browsers.	ac897bac2fc6250d3813fc402acaa13a	SHA1: 5b2a89c30b63f07ff6cedef84a2a603597237b07 MD5: ac897bac2fc6250d3813fc402acaa13a SHA256: 7607a0e1be2a8f50959ef42b78edd156aa76741fdc8ee2be9d375610c0b130b2 http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html
M17-zfy01	Doc.Dropper.Agent_41ce3241	Mixed	This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.	41ce32415f50b38285f84283eb66260a	SHA1: 9c7f6e6fa1a894ce156447326634e0ba4dbab121 MD5: 41ce32415f50b38285f84283eb66260a SHA256: bbe5988f2470a296186ca43a76636fceb523b45273a32e83aa14a8cc1f4e3a8e http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html
M17-igp01	Doc.Dropper.Agent_e2a9dd67	Mixed	This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.	e2a9dd6751a2b8e81e78b0bfffd2881d	SHA1: 9db713fed68aff0bbe895ca04dbf6d2e101ddd15 MD5: e2a9dd6751a2b8e81e78b0bfffd2881d SHA256: 45112ef00b7d34a471655f3a7318fd2b69de1ade1889647839ff897c6e6f1c67 http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html
M17-ldh01	Doc.Dropper.Agent_624320b1	Mixed	This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.	624320b15af74da84a68d477343457ea	SHA1: 26be2fb6d263434fbfb1605915e69bfbc3ae840d MD5: 624320b15af74da84a68d477343457ea SHA256: de0e7aae207f7a7a1f242d849bb61c7f4e98d84f74b228439d296e6a46b2f812 http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html
M17-c7c01	Doc.Dropper.Agent_3afc0911	Mixed	This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.	3afc0911b32f240a4589a902e204a945	SHA1: 612a2a5ec1ac66d686b8cfbd35c6ad7a3dfd9a61 MD5: 3afc0911b32f240a4589a902e204a945 SHA256: 5624e26cace481fa4144f5ccd5bdcc7b5c3d42c035c88250312833041cf55807 http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html
M17-fux01	Doc.Dropper.Agent_b1c2aabc	Mixed	This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.	b1c2aabced51d7fa1a7769a3456e8dc7	SHA1: 733747432c630017dfd149a6569a8adf7a479f4f MD5: b1c2aabced51d7fa1a7769a3456e8dc7 SHA256: dcfddf26b9699622bde12c6b64a78e5446172e57c5a29c3ea0267a0df85bc1e3 http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html
M17-j6l01	Expiro_0132bc93	Windows	This strike sends a malware sample known as Expiro. Expiro is a trojan that implements anti-debugging techniques, and this sample needs a correct sandbox environment in order to execute.	0132bc9325db31ad1a4e2a92d1019b71	SHA1: 275561f1155d95ad3ad283027e0a2a60a6a8a401 MD5: 0132bc9325db31ad1a4e2a92d1019b71 SHA256: 5fe205ea4f5f975703e242e8079dc471a5363538535d76584e7138ed3fb67546 http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html
M17-u6e01	Doc.Dropper.Agent_280175d3	Mixed	This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.	280175d3d1f1710fb023454323ee56d2	SHA1: 2660fc4e77fb7a7c27955bcc79a524afe58738cb MD5: 280175d3d1f1710fb023454323ee56d2 SHA256: acdae0dde63863e8be98935254c901439b5fc36fb45f974fd7ce7c298e3ca0ca http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html
M17-f6q01	Upatre_da1126f9	Windows	This strike sends a malware sample known as Upatre. Upatre is a downloader used in exploit kits that retrieves a variety of malicious executables for the target to execute.	da1126f91d0989e65c7315278060c72f	SHA1: a4fac9bd9c6a00989663dc8478e29b391ef88ab9 MD5: da1126f91d0989e65c7315278060c72f SHA256: 8978bcef1799a5ea3324ce88b9a848e85987958b8ea7dcc0ba511120e6602aa0 http://blog.talosintelligence.com/2017/08/threat-roundup-0728-0804.html
M17-oe001	Doc.Dropper.Agent_4377385b	Mixed	This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.	4377385b36ee38c3c7189a62bb5637fe	SHA1: d50a114b7f843a2a35a16d95d1e723ae4d65621c MD5: 4377385b36ee38c3c7189a62bb5637fe SHA256: 3728cecd2be075b09a3a6d8d8c5923fe14cf381e3070266cf05fa51585def305 http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html
M17-94d01	Doc.Dropper.Agent_2cff6bff	Mixed	This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.	2cff6bff7ad585b9e6e0b79fdc40edbd	SHA1: f7fcc6118eac486a388de009887a13fcb0fd0368 MD5: 2cff6bff7ad585b9e6e0b79fdc40edbd SHA256: 0db7513e4ec8cea44afdce2d37991f5f9cbde0bb779856c10d9ffa75bed53d0f http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html
M17-idx01	Tinba_aaeec015	Windows	This strike sends a malware sample known as Tinba. Tinba is a banking trojan that steals information via Javascript injected into web browsers.	aaeec015fcf1fccea28f194a9a7ef145	SHA1: dd39546082787a9197163f4b27aa64aaeaeffb98 MD5: aaeec015fcf1fccea28f194a9a7ef145 SHA256: 6fd80f8da071c3dc482314cbc994b22f105bce22acdad9e9bd86bae5abed53d9 http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html
M17-0zm01	Doc.Dropper.Agent_2ab698b7	Mixed	This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.	2ab698b733ab810f49f1986144a666e6	SHA1: 67be5562a9188d7a180cfdc24d9334219093271f MD5: 2ab698b733ab810f49f1986144a666e6 SHA256: 056bce922fab367aabfd43f5e85bb5397755db08afcc8c38d992ffb4fe8f766f http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html
M17-9wb01	Doc.Dropper.Agent_a071f7f6	Mixed	This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.	a071f7f613da5ae0a5f0f83febae64c2	SHA1: 2f8bac775f7b16e6ae60c216c2978b2424e8464a MD5: a071f7f613da5ae0a5f0f83febae64c2 SHA256: e631b1dd070f71e53dd7b5c36a1921c027257f0c79bc7964551f27d0f4ece78b http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html
M17-ssu01	Upatre_9d460f7f	Windows	This strike sends a malware sample known as Upatre. Upatre is a downloader used in exploit kits that retrieves a variety of malicious executables for the target to execute.	9d460f7f267f86cd01f786bf536ed220	SHA1: a32d114627189854513c6843825d7bcbc120086c MD5: 9d460f7f267f86cd01f786bf536ed220 SHA256: eb0601efd61b34a2fac8468b613913983c2b1968b77aec8848c2dddf4443e952 http://blog.talosintelligence.com/2017/08/threat-roundup-0728-0804.html
M17-9d601	Doc.Dropper.Agent_9b91d292	Mixed	This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.	9b91d2925dd7e4471101fc61dd5fc46d	SHA1: 7426ef6922c9719d868a18e9ffb7da8dbd1137a7 MD5: 9b91d2925dd7e4471101fc61dd5fc46d SHA256: 6ea7a564a6a7ba8f4c97e2eaefbedafab6dd1424d56716f1255b03f8b5879161 http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html
M17-8lv01	Doc.Dropper.Agent_0f66aece	Mixed	This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.	0f66aece479cecc416c1888db9d1cd17	SHA1: 6e8729fa8aba8165479973f2f9fa799f766bed3e MD5: 0f66aece479cecc416c1888db9d1cd17 SHA256: 37e79b45ee53bc266d3602ec2cb79762a3c6360b5c173e89da045491150dbfb1 http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html
M17-kxt01	Ovidiy_88c61b86	Windows	This strike sends a malware sample known as Ovidiy. Ovidiy is a modular Windows credentials stealer trojan that targets web browser credentials. The Ovidiy trojan samples have been associated with .NET packers and binaries.	88c61b86e30c3d185d041278c14e0b39	SHA1: af22d0f090a4f196b80e99fb4c60011b6c1114cd MD5: 88c61b86e30c3d185d041278c14e0b39 SHA256: 8f6939ac776dac54c2433b33386169b4d45cfea9b8eb59fef3b922d994313b71 http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html
M17-yr302	Doc.Dropper.Agent_88119880	Mixed	This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.	881198803b04ec52cbd3423a2578c244	SHA1: 7e0b2cdd9684161e4b559022dcf981db2d37918f MD5: 881198803b04ec52cbd3423a2578c244 SHA256: 1496ddfb94f11120267fe9d6bf233ba4726754bebf3075340496a144777a6539 http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html
M17-odf01	Doc.Dropper.Agent_6ef85716	Mixed	This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.	6ef85716cfc24a424c4de5bbab0cb50f	SHA1: 71915e84e4a2122281f8eb13351f9c993aac4c3f MD5: 6ef85716cfc24a424c4de5bbab0cb50f SHA256: ffc6c04d292e6618826bb09c8c63a06af3993e7b6b14171c45c7b44619b4421a http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html
M17-ly901	Doc.Dropper.Agent_7a38982e	Mixed	This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.	7a38982ee737b7ee829f67d7000a2b00	SHA1: c8e682ed4bbf3bd8307b8828b97359b2faba27de MD5: 7a38982ee737b7ee829f67d7000a2b00 SHA256: 7a703a5e7f30a1621e204669ffefe91f22a1619814c4ef40872cd750cffb9125 http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html
M17-dns01	Doc.Dropper.Agent_5c4cde05	Mixed	This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.	5c4cde05b083f94e7af8623038cbcbde	SHA1: eb6c29bd72fc3bb628e28551616d8aaf7b06dc02 MD5: 5c4cde05b083f94e7af8623038cbcbde SHA256: 4cf480e7bab22fdd7d64c43d8f18c3c5358c25fbd063bc2d2855885b886718ac http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html
M17-wbz01	Doc.Dropper.Agent_f7be7a1d	Mixed	This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.	f7be7a1dd9c78b40e3785e5cce5aceb3	SHA1: da2421ca0771355d5e6f66993864af4aa0e7146c MD5: f7be7a1dd9c78b40e3785e5cce5aceb3 SHA256: c685f1c782e6b9250035f922ebc80400f2d6515e5f343a933c6c12920eb89e92 http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html
M17-fi601	Doc.Dropper.Agent_039b52b4	Mixed	This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.	039b52b4638a8088c47214fdec37bbf7	SHA1: bb032753e6aefe431ab8cb6855362a02978bc4a3 MD5: 039b52b4638a8088c47214fdec37bbf7 SHA256: 425e004b3c9034aa17071b137ca1d4ae7a35dde5f588c05295e491b716125e2a http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html
M17-km501	Forshare	Windows	This strike sends a malware sample known as Forshare Backdoor. This sample is a backdoor used in coinminer malware. The backdoor installs and executes scripts in WMI System Classes and is detected as JS_COINMINER.QO.	b6b68faa706f7740dafd8941c4c5e35a	SHA1: 806027db01b4997f71aefde8a5dbee5b8d9dbe98 MD5: b6b68faa706f7740dafd8941c4c5e35a SHA256: a095f60ff79470c99752b73f8286b78926bc46eb2168b3ecd4783505a204a3b0 http://blog.trendmicro.com/trendlabs-security-intelligence/cryptocurrency-miner-uses-wmi-eternalblue-spread-filelessly/
M17-v3w01	Ovidiy_6838bce2	Windows	This strike sends a malware sample known as Ovidiy. Ovidiy is a modular Windows credentials stealer trojan that targets web browser credentials. The Ovidiy trojan samples have been associated with .NET packers and binaries.	6838bce2f6c831414df831040fc14287	SHA1: d03b5ba006986ea5f980468bcec1f245eb92b685 MD5: 6838bce2f6c831414df831040fc14287 SHA256: c16408967de0ca4d3a1d28530453e1c395a5166b469893f14c47fc6683033cb3 http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html
M17-qf601	Doc.Dropper.Agent_02522b84	Mixed	This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.	02522b84e5c8757aaea14c65627b3f7f	SHA1: c679d26f98969738489dd65c41cfce78b0e0997f MD5: 02522b84e5c8757aaea14c65627b3f7f SHA256: f2fbac0942b08720073373536520b471229c918474cabb63fd19c3d006caaa1b http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html
M17-v0q01	Doc.Dropper.Agent_9d4f149d	Mixed	This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.	9d4f149dc213d5cbbc6065c6c39f978c	SHA1: 2d83ec7e08817a1ac6ab1495e9a563da485ab0dd MD5: 9d4f149dc213d5cbbc6065c6c39f978c SHA256: db8ee4755c2b30756abb68e14e30b7c10d283b2f989fc7f3556f92389a2c32b9 http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html
M17-utj01	Doc.Dropper.Agent_2f7441e9	Mixed	This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.	2f7441e9c30fae211c738c76293c2e25	SHA1: e3651c3de8f11dc2ddd176da0bb95ead946f59ff MD5: 2f7441e9c30fae211c738c76293c2e25 SHA256: 0752a00c66125520f78673e70af10123cb5b78fe4786d368f7beb586d5ce3531 http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html
M17-e7c01	Doc.Dropper.Agent_e15e6ec9	Mixed	This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.	e15e6ec956e484b71ed1d38bb0aaa3bf	SHA1: 4d581ca02833554440ea709085d02f3fa865f255 MD5: e15e6ec956e484b71ed1d38bb0aaa3bf SHA256: cccb32f7f0408b32f3ad7f5a75adf1b955ba83a712e59c64f16b07713a6b44b8 http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html
M17-ehz01	Expiro_77468f8f	Windows	This strike sends a malware sample known as Expiro. Expiro is a trojan that implements anti-debugging techniques, and this sample needs a correct sandbox environment in order to execute.	77468f8f46838cf5d8f2fa7e2068c1ca	SHA1: abe8c5978c790a1e126bd3d86711f02e5dcd3ef1 MD5: 77468f8f46838cf5d8f2fa7e2068c1ca SHA256: 60d2422af917cb8aa58c14b8b78d4af112c9c78343da8f7aa3fbcb87be1a4de0 http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html
M17-g8j01	Upatre_2920dca3	Windows	This strike sends a malware sample known as Upatre. Upatre is a downloader used in exploit kits that retrieves a variety of malicious executables for the target to execute.	2920dca3bca5ed300468b86dfeccf88a	SHA1: 77cac1356b4a02789ace4c49b6f9ea88a1a89358 MD5: 2920dca3bca5ed300468b86dfeccf88a SHA256: c75bc2341ed612c8e5154cb88e7110544e3ff59fed30af28e441c0d31d088da8 http://blog.talosintelligence.com/2017/08/threat-roundup-0728-0804.html
M17-4q001	Tinba_adbd1f4e	Windows	This strike sends a malware sample known as Tinba. Tinba is a banking trojan that steals information via Javascript injected into web browsers.	adbd1f4ea401fa99ff71adb5f4399cd2	SHA1: fa8b9ad32327028b075778ff762eb31b81b0365a MD5: adbd1f4ea401fa99ff71adb5f4399cd2 SHA256: 51769c916a89522975cb1babb4c9c7b18f3530286c66f3d735751cbdac02a160 http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html
M17-uwn01	Doc.Dropper.Agent_9dce5f03	Mixed	This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.	9dce5f03b45f332a44ac411379cc31a3	SHA1: d5615e91f1ada91ec77b06ff0ddf1c0cbf34eb7c MD5: 9dce5f03b45f332a44ac411379cc31a3 SHA256: 31b34ac21405f6450bef3c18249e83a7bc464dea5cd4fb239becfe0a800875a2 http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html
M17-oei01	Upatre_6d8b1e33	Windows	This strike sends a malware sample known as Upatre. Upatre is a downloader used in exploit kits that retrieves a variety of malicious executables for the target to execute.	6d8b1e334303ddcc93b4a7ec6373bcf5	SHA1: f259b1ceb58216298a0e5c6be9e455a2f2ea6c06 MD5: 6d8b1e334303ddcc93b4a7ec6373bcf5 SHA256: c707645487cd7d7c8001fa40cfa2475c23705f65048c3831eefb5580e39b3845 http://blog.talosintelligence.com/2017/08/threat-roundup-0728-0804.html
M17-zoa01	Doc.Dropper.Agent_e7b2b379	Mixed	This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.	e7b2b379f6c18c23cb6e2efce2c2aa10	SHA1: a2fb8cf5f7fffd76d9f8ae1283d403c9f5a1b9aa MD5: e7b2b379f6c18c23cb6e2efce2c2aa10 SHA256: 5df3016ba1cfd870d1d72e75ab9ec1d0a08a7e11d9fe7ec6b32fa0ce468206e7 http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html
M17-rdq01	Doc.Dropper.Agent_3078afd6	Mixed	This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.	3078afd65e9b691dd070c17fe981b280	SHA1: fd00dc09d74efb31ab13af8ad87cd3cf052607be MD5: 3078afd65e9b691dd070c17fe981b280 SHA256: 9b6d3e01584f4d1238a55050c7ffad0e14299e911db8497b81529bd58afa4bc7 http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html
M17-zik01	Doc.Dropper.Agent_de30c6ff	Mixed	This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.	de30c6ff05f944c0a9487451f69b9abb	SHA1: 1788092a01feab6cf35672942974618b59b34df7 MD5: de30c6ff05f944c0a9487451f69b9abb SHA256: 8c4813043fa78b4aec7ada10556ddbe06eedbc81b115e4ff08371d8ee132d645 http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html
M17-j9e01	Ovidiy_727ae120	Windows	This strike sends a malware sample known as Ovidiy. Ovidiy is a modular Windows credentials stealer trojan that targets web browser credentials. The Ovidiy trojan samples have been associated with .NET packers and binaries.	727ae120f5afe39bf9736a43bef17be2	SHA1: e0d4ed2d470808f33b1384d8b9cec6e16142a17c MD5: 727ae120f5afe39bf9736a43bef17be2 SHA256: 22fc445798cd3481018c66b308af8545821b2f8f7f5a86133f562b362fc17a05 http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html
M17-ass01	Doc.Dropper.Agent_dc412d59	Mixed	This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.	dc412d59bbf9e8393326141a3be9b4ea	SHA1: 903ef0c1a668a18a39b7c58dd13a40edce16c95a MD5: dc412d59bbf9e8393326141a3be9b4ea SHA256: f0b670afe4781d3e8899bf742fbd613636424681f56c4388168acea84ea344af http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html
M17-lyh01	Expiro_b739ddb5	Windows	This strike sends a malware sample known as Expiro. Expiro is a trojan that implements anti-debugging techniques, and this sample needs a correct sandbox environment in order to execute.	b739ddb5dda521fb061ef4121d909c21	SHA1: 7b53cf4d52c2a6974124a4ab624c337ab1da38ad MD5: b739ddb5dda521fb061ef4121d909c21 SHA256: 5fd134b6abe1473fd5a7f96c711a4270fbc364bc6e3b10b5b344e0a1bfb0e4d8 http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html
M17-7ax01	Doc.Dropper.Agent_c9841f71	Mixed	This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.	c9841f716752e0b751da6737002e2e18	SHA1: 13aaa0dbe1b9234f4973131c033e8bdc5f9db5d2 MD5: c9841f716752e0b751da6737002e2e18 SHA256: 168c49c8207019008bdf746d0fa4ab33a154277c5fe50fd4900e9d77ec6a2e7d http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html
M17-wtp01	Cryptocurrency	Windows	This strike sends a malware sample known as Cryptocurrency Coinminer Troja. This sample is a Cryptocurrency miner malware that utilizes WMI scripts and the EternalBlue MS17-010 exploit to compromise a system. The malware uses the vulnerability to drop a FORSHARE backdoor on the system, and then proceeds to use the WMI scripts to connect to the C2 servers to retrieve instructions along with various other components.	010a7fa751f4a64c989eacabf58c8fbf	SHA1: 2db34fb90ec273120afa831cde91a5a7158b8fe6 MD5: 010a7fa751f4a64c989eacabf58c8fbf SHA256: f37a0d5f11078ef296a7c032b787f8fa485d73b0115cbd24d62cdf2c1a810625 http://blog.trendmicro.com/trendlabs-security-intelligence/cryptocurrency-miner-uses-wmi-eternalblue-spread-filelessly/
M17-kv501	Doc.Dropper.Agent_3be1c2f0	Mixed	This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.	3be1c2f0af0c149b05091ff6d3cd1d58	SHA1: a5f1d3be379d94c2fa53e46ee5a381183ef53054 MD5: 3be1c2f0af0c149b05091ff6d3cd1d58 SHA256: 29a7f99f81dd37bcbd196d635837c01d2aa48045ce4efd999a6d0da92bfbe917 http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html
M17-8u301	Doc.Dropper.Agent_05a9858c	Mixed	This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.	05a9858cd9b89b725006963d773fa1ae	SHA1: 1fc4aa7f4e315021e6849d5ae72789c9fe1b2d03 MD5: 05a9858cd9b89b725006963d773fa1ae SHA256: e8290589cab3707f80ada754a31263e239b870dac5bdece15bf2e331cae5acf1 http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html
M17-i2201	Upatre_4cf5364a	Windows	This strike sends a malware sample known as Upatre. Upatre is a downloader used in exploit kits that retrieves a variety of malicious executables for the target to execute.	4cf5364a2637143c96646a554f4f256f	SHA1: d3b2edb7cb97c20cf7bbdef3f071a0afbf471329 MD5: 4cf5364a2637143c96646a554f4f256f SHA256: 0f6325d3fd6177cee19770b12d97efa8da46cb23a7173e227efc2291e59034d3 http://blog.talosintelligence.com/2017/08/threat-roundup-0728-0804.html
M17-3nx01	Doc.Dropper.Agent_3659c8b2	Mixed	This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.	3659c8b26c8bf4b9feefbfc100bd9656	SHA1: 353a4a6775544748c3101466b7e067276c8a3838 MD5: 3659c8b26c8bf4b9feefbfc100bd9656 SHA256: 4b495c54056aa68e91fd481168a7ddc5d5a6cae713ab359777340f1ba901ae65 http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html
M17-pew01	Doc.Dropper.Agent_34f86b2d	Mixed	This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.	34f86b2da35c647a5e01aa44057ca5f6	SHA1: bb4021b575c7611babd35e48556a953759788b57 MD5: 34f86b2da35c647a5e01aa44057ca5f6 SHA256: 947ec2662ab377aca91f9ccb5b2a0e823ab5b814be719494c5cb8f0e7e228252 http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html
M17-kxk01	Upatre_1f9c87cb	Windows	This strike sends a malware sample known as Upatre. Upatre is a downloader used in exploit kits that retrieves a variety of malicious executables for the target to execute.	1f9c87cb98f8df3df00874507f5aa354	SHA1: 6f05eedf798c03a7a189e8fa88880bde3b9b004f MD5: 1f9c87cb98f8df3df00874507f5aa354 SHA256: f6ae56489c1063a48079b1cf5c1252a8f1f3af70918c58fed90ce453bd6cec9e http://blog.talosintelligence.com/2017/08/threat-roundup-0728-0804.html
M17-87301	Doc.Dropper.Agent_481a76f0	Mixed	This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.	481a76f09eeef4cd68da96efa5321a60	SHA1: 6d7f413da9dd32f471e2e533e19c1b11b4b94979 MD5: 481a76f09eeef4cd68da96efa5321a60 SHA256: d08c719c8ea6e5d7546e6449e6aed748ce74359e7c0dbd1f9bd08e2e8b795c68 http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html
M17-oel01	Upatre_29fa856d	Windows	This strike sends a malware sample known as Upatre. Upatre is a downloader used in exploit kits that retrieves a variety of malicious executables for the target to execute.	29fa856d838b45f851414ee9847341e5	SHA1: 82feb051efb1d474ec2bda7fdd68a83bbb97ec5b MD5: 29fa856d838b45f851414ee9847341e5 SHA256: 19a4c65bc812eb74df5b41c058f345c5a4fbc838de59e4127e4cf784770a63df http://blog.talosintelligence.com/2017/08/threat-roundup-0728-0804.html
M17-kvr01	Doc.Dropper.Agent_a838f93f	Mixed	This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.	a838f93f7a6f35ce04bef4aabf5044e0	SHA1: 0af4904f63eb4c99b74b10ff43a310a21e354de2 MD5: a838f93f7a6f35ce04bef4aabf5044e0 SHA256: 4808a9fc9a33cf5df06d5a56f85b6e2dfdb8fc5fbb4cbd2ede05488dd566f6f5 http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html
M17-ugo01	Tinba_a1a4ea05	Windows	This strike sends a malware sample known as Tinba. Tinba is a banking trojan that steals information via Javascript injected into web browsers.	a1a4ea059e2d1350cea94e056eeeea41	SHA1: 35669a1eb529176931c7f670f58dd233822f79bd MD5: a1a4ea059e2d1350cea94e056eeeea41 SHA256: 968ff771eab9d14d1847f489f425e44532522c7b9fe7407b09d7cc594da0eb84 http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html
M17-14l01	Doc.Dropper.Agent_e23f2ebf	Mixed	This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.	e23f2ebf0d6a32b7d061b04fefd831a3	SHA1: 2728f3e77cfbb5c07528ba895cd2ab9fb129dda5 MD5: e23f2ebf0d6a32b7d061b04fefd831a3 SHA256: 5edbc08d4e919f7186aa2b8a6e3d49ef38035c2a55b6e226910fcc60fe26a335 http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html
M17-8l801	Doc.Dropper.Agent_c17c9d18	Mixed	This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.	c17c9d18b0d2c390d317f22078714e38	SHA1: ab4cb1ce4fd96fdabdb703dfb9a037e236516efb MD5: c17c9d18b0d2c390d317f22078714e38 SHA256: 36472a674c751c65c15cbaab276c0fba8f3f1709750473b24e5d3c21e468617f http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html
M17-ov101	Ovidiy_cd671a72	Windows	This strike sends a malware sample known as Ovidiy. Ovidiy is a modular Windows credentials stealer trojan that targets web browser credentials. The Ovidiy trojan samples have been associated with .NET packers and binaries.	cd671a726a8498a8fd70c6c76069fb54	SHA1: 6b2e2ff345e0001a047d461e8a91ee34b3693617 MD5: cd671a726a8498a8fd70c6c76069fb54 SHA256: 80d450ca5b01a086806855356611405b2c87b3822c0c1c38a118bca57d87c410 http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html
M17-9b301	Doc.Dropper.Agent_ab210c06	Mixed	This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.	ab210c06ffac47325abc1dacebbd2a43	SHA1: 8f3c1518b12636a937f0afb28040511dec05858f MD5: ab210c06ffac47325abc1dacebbd2a43 SHA256: 6dc6070451995a7dae4d5b741e291ce525aec2cf3144d9fdb8484f39079ef9e2 http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html
M17-kjg01	Doc.Dropper.Agent_fab13a88	Mixed	This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.	fab13a887c0ab39d971099cf40c3398f	SHA1: 77a1e05ab6038f621e5c9af9c52b95c798c836aa MD5: fab13a887c0ab39d971099cf40c3398f SHA256: bd7ed9514afabc723da282f32ad1dcfe81796a83555b7b4a6738dd0254c06ccd http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html
M17-uq201	Doc.Dropper.Agent_f0a39d78	Mixed	This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.	f0a39d788b53d8c6ee03dc67c4e2d9be	SHA1: 5c3e0a8128099f5174b6209a4d87c8eb057dabb0 MD5: f0a39d788b53d8c6ee03dc67c4e2d9be SHA256: 0524147db311dedc4631e0749bb79865ac673763bd5ebc576855fcb9431de98b http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html
M17-6mc01	Upatre_637170ca	Windows	This strike sends a malware sample known as Upatre. Upatre is a downloader used in exploit kits that retrieves a variety of malicious executables for the target to execute.	637170ca0e32ed7e2c283fa2370e5a18	SHA1: 2ed47485e5e08b58005a9446c7e6ce1284fcdfaf MD5: 637170ca0e32ed7e2c283fa2370e5a18 SHA256: a67638a9940841bc5222a160b0d28930c5244be769e6091122cfc7aaefa71335 http://blog.talosintelligence.com/2017/08/threat-roundup-0728-0804.html
M17-g4h01	Doc.Dropper.Agent_578a44de	Mixed	This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.	578a44dec0e58d9545ce53453c205328	SHA1: 2de64dc8e000141128f8a97eb20f77f4ff6d6965 MD5: 578a44dec0e58d9545ce53453c205328 SHA256: e92710c582f71c4a9cb127774fa4cce0d8abb837a38d50d22d17ef7061646c92 http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html
M17-8f201	Doc.Dropper.Agent_e0ebcdd2	Mixed	This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.	e0ebcdd2f7274c1d5737c21de737c44f	SHA1: 9738e192b00fb5353ca8bf04e70073d14697a540 MD5: e0ebcdd2f7274c1d5737c21de737c44f SHA256: 6250f069e1268801cb3afaee2523df1aca628fa791a666f1d05b6cb981913461 http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html
M17-f0x01	Doc.Dropper.Agent_5f4cca2c	Mixed	This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.	5f4cca2cad48595d3300d9f2fce4d3d8	SHA1: 2ecb1d4d95b1c642bf70131bd23d9bb7b5fb8323 MD5: 5f4cca2cad48595d3300d9f2fce4d3d8 SHA256: 4111dc9ca29508aa89caf873ac9359ad579270c3b3025ab0ba8098dea9c3c459 http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html
M17-hys01	Upatre_90c7f61a	Windows	This strike sends a malware sample known as Upatre. Upatre is a downloader used in exploit kits that retrieves a variety of malicious executables for the target to execute.	90c7f61a4cb3c7af757d56659290bfff	SHA1: 5e63eb42af94c89e0fdf34d796e1a5cadc34b429 MD5: 90c7f61a4cb3c7af757d56659290bfff SHA256: 23da35463015938e649624b1e606507fc1c36998a3cdb730f02309055609bd2f http://blog.talosintelligence.com/2017/08/threat-roundup-0728-0804.html
M17-1fn01	Upatre_3f84e89a	Windows	This strike sends a malware sample known as Upatre. Upatre is a downloader used in exploit kits that retrieves a variety of malicious executables for the target to execute.	3f84e89a99fa5a07c70b234ac1be7952	SHA1: d91b929536314be2a2df8d806da150c7efe16635 MD5: 3f84e89a99fa5a07c70b234ac1be7952 SHA256: fc0f51ffddad995a4588fbc28d10d0037cc36708e4875a057629bd5a2d975a43 http://blog.talosintelligence.com/2017/08/threat-roundup-0728-0804.html
M17-lpr01	Doc.Dropper.Agent_b656b353	Mixed	This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.	b656b353955bf30289570727ab032cd8	SHA1: 03bba9de2bff6f5c917a324962b570d1b6b46a77 MD5: b656b353955bf30289570727ab032cd8 SHA256: 31755c56408a13f44d620971a60342bb0170ad78217c923c518fe4b58b4da365 http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html
M17-vqb01	Doc.Dropper.Agent_a6fd9939	Mixed	This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.	a6fd99393b519c8acde3d7e2c92edd17	SHA1: ed996dfc599e65398b6845b6e08390edf9a0e86b MD5: a6fd99393b519c8acde3d7e2c92edd17 SHA256: b3fffd7e92a3bb920456b149717c353c8779e45a947c0e756889956c6bc48d7a http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html
M17-4vm01	Doc.Dropper.Agent_cd3a6a2d	Mixed	This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.	cd3a6a2d3915a64ea6f1a1e11b5646a1	SHA1: cc4ef105245df2b176365cfc401277040fdec5e5 MD5: cd3a6a2d3915a64ea6f1a1e11b5646a1 SHA256: eb99cecc433a5134414024c98c227f52bae7660343a36469ccf0e6a8f5af4a6d http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html
M17-gw201	Doc.Dropper.Agent_95a095a0	Mixed	This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.	95a095a00455bc303387d2df6c44d4f1	SHA1: d2df019b8fa837aec31bac9a2e3406a3e0b04bd1 MD5: 95a095a00455bc303387d2df6c44d4f1 SHA256: 27772ef48d027d7e23e1f78d8ea86cb1bbcf4240cd59a8dc7ebc82f8a3a8b6dd http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html
M17-13g01	Expiro_694a024a	Windows	This strike sends a malware sample known as Expiro. Expiro is a trojan that implements anti-debugging techniques, and this sample needs a correct sandbox environment in order to execute.	694a024a80fd829dd08c1159bf9ead57	SHA1: be6beb1c805d33f3388d510f5e5a6e04c5dd57ae MD5: 694a024a80fd829dd08c1159bf9ead57 SHA256: 5f5e9e5952765887211883b42e508b4b14c62a1685092978f98c6619229796b5 http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html
M17-fr301	Doc.Dropper.Agent_b2dc50ec	Mixed	This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.	b2dc50ecc318d6ebcba1a518105593a9	SHA1: eddd2ba7ff3d23b2f5891cbaeea48fdbf0fd0728 MD5: b2dc50ecc318d6ebcba1a518105593a9 SHA256: b05c34ffdc8c82862b408a1f628b21bb08362de4340d768a08c511132ce7d34d http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html
M17-6b801	Doc.Dropper.Agent_c2ad9bdd	Mixed	This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.	c2ad9bdd89be2719d7fb7d9f77ee9ee7	SHA1: 6e9fc299719596ed5d0fd2589856567af077518c MD5: c2ad9bdd89be2719d7fb7d9f77ee9ee7 SHA256: f8913513ec19ea386cb812e5e7249d44a4e4a3092fbfcea23fce692d7ed88970 http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html
M17-5ex01	Doc.Dropper.Agent_0e27fc6e	Mixed	This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.	0e27fc6e52b599e151a9eb0223b2ce6e	SHA1: 7acd905f7f85259c9045bbb2025cdc224b9ee21d MD5: 0e27fc6e52b599e151a9eb0223b2ce6e SHA256: b0610f20ce7be29f5864a02d72bcfa54e215d3159bf381d05fac58d2fa703f0d http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html
M17-f6001	Doc.Dropper.Agent_06d15dd3	Mixed	This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.	06d15dd3999ecc88ed062d6e04073c2a	SHA1: 6e04eb861091a601fb85904cc8db3229d4e2e91d MD5: 06d15dd3999ecc88ed062d6e04073c2a SHA256: e342cae3c710674f0e73ea2ed1e72085d790a653e249e1b5e4d8e6696e110041 http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html
M17-3s801	Madangel_c76a7118	Windows	This strike sends a malware sample known as Madangel. Madangel is a trojan that replicates through network shares and eventually connects to a command and control server to download other malicious executables.	c76a7118fd76a9ea44908cb338311600	SHA1: 7bd6319a1fff7a9b57753b40deb647c78febaeac MD5: c76a7118fd76a9ea44908cb338311600 SHA256: fbf9d40bc0abe116c19404298d324fcb5a2ddd19d2d97dc31418446be3637a22 http://blog.talosintelligence.com/2017/08/threat-roundup-0728-0804.html
M17-hey01	Doc.Dropper.Agent_67969a29	Mixed	This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.	67969a2971e05dd27eb1ee86e8aa2184	SHA1: 0fb8d22c3d5386967e70a5fda985b95894a756d5 MD5: 67969a2971e05dd27eb1ee86e8aa2184 SHA256: f20256df607a29ef83bd035ee27fc424307712e59298f54803150a88ea5c5ece http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html
M17-y9a01	Madangel_c711312e	Windows	This strike sends a malware sample known as Madangel. Madangel is a trojan that replicates through network shares and eventually connects to a command and control server to download other malicious executables.	c711312e1f07a9b6c37fea8ff62a8132	SHA1: cb124507f769a63f5e4671c17922a5106bf280d7 MD5: c711312e1f07a9b6c37fea8ff62a8132 SHA256: 7ad3924efe8802153b9dadc5bc055b329ec8c2850b91dc5f5a1bba42533a8758 http://blog.talosintelligence.com/2017/08/threat-roundup-0728-0804.html
M17-9ay01	Doc.Dropper.Agent_7025dd3b	Mixed	This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.	7025dd3b7cff6adb5083701cf00a25be	SHA1: 53e2c82ced38ad23223a4557555eeb24f0ae72d9 MD5: 7025dd3b7cff6adb5083701cf00a25be SHA256: 758a4e1ea1fc0c9846d21f643013fd934fd23b187ca1fd32c90334ff48a60372 http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html
M17-fsf01	Doc.Dropper.Agent_f3e19146	Mixed	This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.	f3e19146696752674c78ddb3b21cb8d2	SHA1: 49a5f32b3138218bb16ba1e95c166dc1a94ab6b5 MD5: f3e19146696752674c78ddb3b21cb8d2 SHA256: d526ffe1710b4b39866bebceb3660e1386e41df17b13a6055078b0ce7db74fbe http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html
M17-qmg01	Tinba_a40bb152	Windows	This strike sends a malware sample known as Tinba. Tinba is a banking trojan that steals information via Javascript injected into web browsers.	a40bb152eaded8ef9c6e1226dddc4c13	SHA1: b567005e063ce04ffb8c33877916f7bac829a731 MD5: a40bb152eaded8ef9c6e1226dddc4c13 SHA256: 33fd66f4cee5bdd9f30eb2e5bd7a65367e10f55495c1122430685a8ff0d90fcc http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html
M17-3kg01	Madangel_c72f49d9	Windows	This strike sends a malware sample known as Madangel. Madangel is a trojan that replicates through network shares and eventually connects to a command and control server to download other malicious executables.	c72f49d97ea8e0440c8310747517f1c8	SHA1: c8948449da2756d6cbd4c5c501b65dd0f573b3ef MD5: c72f49d97ea8e0440c8310747517f1c8 SHA256: a010da80c2d35d420958b858fc1e5e700fab866799aa786e1feab4fba5ee6dbb http://blog.talosintelligence.com/2017/08/threat-roundup-0728-0804.html
M17-bk001	Upatre_8775e784	Windows	This strike sends a malware sample known as Upatre. Upatre is a downloader used in exploit kits that retrieves a variety of malicious executables for the target to execute.	8775e784d51dd71768aa1f231b39815e	SHA1: 47f4fb4e5e0ede7d8f2840ebaf67024c994dcb4a MD5: 8775e784d51dd71768aa1f231b39815e SHA256: 6c44efb2baabb7b66849e69567c8b3394919efdb2491a1392ff237090c380f1f http://blog.talosintelligence.com/2017/08/threat-roundup-0728-0804.html
M17-hep01	Avast	Windows	This strike sends a malware sample known as Avast Signed Dropper. This malicious executable is signed by Avast as their SafeZone Browser. The file generates a PowerShell script that modifies Windows firewall rules and adds registry keys for persistence.	5fd9e7a51f49eae4d722cabd84999ef5	SHA1: da7d5d84ec06da830330601077f5d01075de2ed5 MD5: 5fd9e7a51f49eae4d722cabd84999ef5 SHA256: 6d28d5453d0c2ca132ba3b3d7f0a121427090c1eb52f7d2a5c3e4e5440411bc7 https://isc.sans.edu/forums/diary/Malicious+script+dropping+an+executable+signed+by+Avast/22748/
M17-jz901	Doc.Dropper.Agent_fd086e90	Mixed	This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.	fd086e90e4980be48055912c8d12f00c	SHA1: ba40d953c299f7d708150fe7bb5bbafca26451b2 MD5: fd086e90e4980be48055912c8d12f00c SHA256: 8c43427b886d65c06a43f823511f0927b85dc5956dc7bd1bd16c59af548db6b8 http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html
M17-3rx01	Doc.Dropper.Agent_f094271e	Mixed	This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.	f094271e6c8a722492774a22b420749e	SHA1: 60929619ddc37dbeac968fa6e93209c9136473be MD5: f094271e6c8a722492774a22b420749e SHA256: 454ed2ca7a116ad34864d4e8b232dcb50c063ffbd70f23753262aabb6b34d24e http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html
M17-xjf01	Madangel_c75b1ec2	Windows	This strike sends a malware sample known as Madangel. Madangel is a trojan that replicates through network shares and eventually connects to a command and control server to download other malicious executables.	c75b1ec23a96fd1e8b997d26ddad20fa	SHA1: 781bdad48d3dd49947d01b4e2f80e59c100b82cb MD5: c75b1ec23a96fd1e8b997d26ddad20fa SHA256: 3ad3d18277238e0a6e0a84a6e901395ad647466a0e68275a7426203216b05025 http://blog.talosintelligence.com/2017/08/threat-roundup-0728-0804.html
M17-sj801	Doc.Dropper.Agent_86724060	Mixed	This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.	867240603ed0748450be2b1b2d7a87d3	SHA1: d08e8e29031f1720204cfc47d28755831e2038ca MD5: 867240603ed0748450be2b1b2d7a87d3 SHA256: 717f927b9c0b01a60eb94254d39ac5eeee24a2c10d0c59266252630202a36323 http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html
M17-j2c01	Doc.Dropper.Agent_f12ce0b9	Mixed	This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.	f12ce0b9a92aabf66f1c11c22283d3b5	SHA1: a97e917364186994b78556fd172d8d4e6ec930c0 MD5: f12ce0b9a92aabf66f1c11c22283d3b5 SHA256: 6451b45a4f8bdccdbce6bcd14e5fda1f976c81efed2c4dfd028386cce31250d1 http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html
M17-mhb01	Forshare	Windows	This strike sends a malware sample known as Forshare Backdoor. This sample is a backdoor used in coinminer malware. The backdoor installs and executes scripts in WMI System Classes and is detected as JS_COINMINER.QO.	a206d9e633c7d74a735190299b125271	SHA1: 2b10fc7ebad4eb93d1a907cc6f5211be6cf73d5e MD5: a206d9e633c7d74a735190299b125271 SHA256: e6fc79a24d40aea81afdc7886a05f008385661a518422b22873d34496c3fb36b http://blog.trendmicro.com/trendlabs-security-intelligence/cryptocurrency-miner-uses-wmi-eternalblue-spread-filelessly/
M17-zqr01	Doc.Dropper.Agent_59b4e709	Mixed	This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.	59b4e709c6e85a978b8c9d15b05b7b49	SHA1: 142b05761c150df687c09c2f835869ca81386a47 MD5: 59b4e709c6e85a978b8c9d15b05b7b49 SHA256: 44b6060a5406112556049bd3efef8d876fe335bb4aa0f0a6f7d0210184918c71 http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html
M17-lkb01	Doc.Dropper.Agent_0d0541ab	Mixed	This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.	0d0541abecae2601c01e070198ab7d6f	SHA1: 2e82936395906e7f3e556f125742c4c13efb3cf4 MD5: 0d0541abecae2601c01e070198ab7d6f SHA256: 976c6ce6c484aef7d0d801c2f5ee31c984136d91636656a7e5425fbc4e848029 http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html
M17-2zx01	Doc.Dropper.Agent_d92e56e0	Mixed	This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.	d92e56e06ba9a6af62661ca60b14b94a	SHA1: 9af416ce66dd4c76742c900c9028a7d98e94943f MD5: d92e56e06ba9a6af62661ca60b14b94a SHA256: e14472604877ad85c119703225fb6086053bcaa2ebae60d38762bbdd192e2244 http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html
M17-py001	Doc.Dropper.Agent_b56f9163	Mixed	This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.	b56f91631190e6024dd3136ee0d4f289	SHA1: 9d37e56d4b470bd46739b20c20d00f83f569dfa6 MD5: b56f91631190e6024dd3136ee0d4f289 SHA256: d26ebbc2bdf6a6b59d805f7f1e9a9b505b6ff6e8b99e254f9c5c36413142d3f8 http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html
M17-uej01	Upatre_3978a6db	Windows	This strike sends a malware sample known as Upatre. Upatre is a downloader used in exploit kits that retrieves a variety of malicious executables for the target to execute.	3978a6db3a1c56ab376ef1356a335a2a	SHA1: 5d39294b88264e2164976255256a577da4712806 MD5: 3978a6db3a1c56ab376ef1356a335a2a SHA256: 249698d153aec8b19f511529aae5efc852cacbbc4f45020e4b9a3bdea933a6fa http://blog.talosintelligence.com/2017/08/threat-roundup-0728-0804.html
M17-n8t01	Upatre_2303e7f5	Windows	This strike sends a malware sample known as Upatre. Upatre is a downloader used in exploit kits that retrieves a variety of malicious executables for the target to execute.	2303e7f512925fa15023e257738fb23d	SHA1: 5dc69b519e8bfba8effae680986a6e5202ae3f67 MD5: 2303e7f512925fa15023e257738fb23d SHA256: 5f3a9efa98d7acfb0793292b2475eba2d547632c63f3b4ca5d1958731d264506 http://blog.talosintelligence.com/2017/08/threat-roundup-0728-0804.html
M17-9rd01	Doc.Dropper.Agent_b68fab03	Mixed	This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.	b68fab0356e9b5412aaf20717f7c9a8a	SHA1: a370905b8f30f7040b7720d53add12fb7cf5f44e MD5: b68fab0356e9b5412aaf20717f7c9a8a SHA256: 5f1827ab138eb25289a1a76910f5dc9c96aed87dd8aa2db7e3b0d310267a5a67 http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html
M17-rt001	Doc.Dropper.Agent_cb354f22	Mixed	This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.	cb354f22c0c835ab81a48bee0c639ef5	SHA1: 4a4537bd0990b5a68f87e973a9da5f5def1c8ed9 MD5: cb354f22c0c835ab81a48bee0c639ef5 SHA256: 2aaf7791ed0a57e48c3d363b46ba5247e78a2290549bfd7f98793e9bee4c3e55 http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html
M17-2fg01	Avast	Windows	This strike sends a malware sample known as Avast Signed Dropper. This malicious executable is signed by Avast as their SafeZone Browser. The file generates a PowerShell script that modifies Windows firewall rules and adds registry keys for persistence.	8129efe8afe6aeaa9793356300b2d8d8	SHA1: de045c4d74cb3eb6804f8fc1114aa58fc31c7609 MD5: 8129efe8afe6aeaa9793356300b2d8d8 SHA256: 2ee0c761a25310e34c9d3c9d3e810192d8bbd10d4051522e3eefdc1bd71a17bb https://isc.sans.edu/forums/diary/Malicious+script+dropping+an+executable+signed+by+Avast/22748/
M17-mmm01	Upatre_1ffe648f	Windows	This strike sends a malware sample known as Upatre. Upatre is a downloader used in exploit kits that retrieves a variety of malicious executables for the target to execute.	1ffe648f92602af0e297abb8e73ecdf0	SHA1: ca419874bc65acace2aba98293a017958f05ad89 MD5: 1ffe648f92602af0e297abb8e73ecdf0 SHA256: ad54d0d8d9b80aff216cc9097849efc52b2990a6b8f9d6a24f9a22709be35267 http://blog.talosintelligence.com/2017/08/threat-roundup-0728-0804.html
M17-ili01	Doc.Dropper.Agent_e972a0ba	Mixed	This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.	e972a0ba3cc4c131c36d2ed910199076	SHA1: 2afc5fa213b6c2a5046353c13787e0686346051a MD5: e972a0ba3cc4c131c36d2ed910199076 SHA256: a4692d62273960b017d80e2b3ee9befe9b186d0609dbf4aedd1dcaf6d3aef671 http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html
M17-osh01	Doc.Dropper.Agent_93a6182a	Mixed	This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.	93a6182a6d48455bc911294cb461a379	SHA1: c05ac2ca24373440332b137306a5727f4063edfd MD5: 93a6182a6d48455bc911294cb461a379 SHA256: b588aa1d5901e2ded7dfc9fe8efbd13304f2bed37086b5c9aa498fdffaed48ba http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html
M17-ymt01	Upatre_11b19e9f	Windows	This strike sends a malware sample known as Upatre. Upatre is a downloader used in exploit kits that retrieves a variety of malicious executables for the target to execute.	11b19e9f954304116631d772d507ef40	SHA1: ab5c4f5f4c3b00683e42d1344a33a6b4bf01fd3d MD5: 11b19e9f954304116631d772d507ef40 SHA256: 570323e1150fe8e0802b03eb7848452c89ea1247512365bdb8621ecac4d15507 http://blog.talosintelligence.com/2017/08/threat-roundup-0728-0804.html
M17-ea101	Doc.Dropper.Agent_6926a83c	Mixed	This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.	6926a83c4ad890e8e4b5d47273849ba4	SHA1: f8bbce1362d00d4078036587150ba855f2bcc934 MD5: 6926a83c4ad890e8e4b5d47273849ba4 SHA256: b3dc9a164f1548ca0fd4618dbaae44c6a9ea05f66aafcf67758d9985b1409cb0 http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html
M17-yqi01	Doc.Dropper.Agent_287c2bb9	Mixed	This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.	287c2bb9c1ced63562cc45a4560c4e77	SHA1: 3a78de80158174bcd111de44fedbb5c73dfc0ab1 MD5: 287c2bb9c1ced63562cc45a4560c4e77 SHA256: b1e4e3be5dd686424763f39f8930e28044a9cda7a48d8962ba6e8978ef532fa0 http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html
M17-dfv01	Doc.Dropper.Agent_893490aa	Mixed	This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.	893490aaed99e679ca5570b7bce8b85d	SHA1: 350c4b7cbad4ad87f9f127734f772346953d5226 MD5: 893490aaed99e679ca5570b7bce8b85d SHA256: f6c2aea9dbc12ff2dbf77637560093234465cdae03c40ee4f0afcf8365ebfab7 http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html
M17-ljq01	Doc.Dropper.Agent_19caf486	Mixed	This strike sends a malware sample known as Doc.Dropper.Agent. This sample is an obfuscated Microsoft Office Macro downloader that will download a payload executable. The MD5 hash of this Doc.Dropper.	19caf486adadf70038b8205f2778ea99	SHA1: 51d4a1a196a04cca8798da647157910e7042c72a MD5: 19caf486adadf70038b8205f2778ea99 SHA256: 9d52dd2437d0408e5971598b44c5dc1e1475004241bb5928d1eaee9a9aea51e1 http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html
M17-rqm01	Tinba_a1aeef75	Windows	This strike sends a malware sample known as Tinba. Tinba is a banking trojan that steals information via Javascript injected into web browsers.	a1aeef758711b5db8670ecb655c5d1c0	SHA1: 5728e5d6246ebca4d6a2f4698a1fa2c179f50c37 MD5: a1aeef758711b5db8670ecb655c5d1c0 SHA256: 56f91537753491cd32a250428b146d7685362c762c7e8f39703b4cf6cd92c020 http://blog.talosintelligence.com/2017/08/threat-round-up-0811-0818.html

Malware Strikes July - 2017

Strike ID	Malware	Platform	Info	MD5	External References
M17-twg01	CopyCat_d44cda7f	Android	This strike sends a malware sample known as CopyCat. CopyCat is a family of Android mobile malware that infected over 14 million devices while gaining root privileges on over half of them. This malware has many capabilities but its main purpose is to generate and steal ad revenues.	d44cda7feb8e37d7373fbca2199c6820	SHA1: b68f5bf6e2280f2cda96b7dcacea9f90815731ff MD5: d44cda7feb8e37d7373fbca2199c6820 SHA256: e5091cf03936db47dea112c4588a8818a483de06c15a8c717eda5886209f2d4b https://www.checkpoint.com/downloads/resources/copycat-research-report.pdf
M17-tl001	CopyCat_065c8960	Android	This strike sends a malware sample known as CopyCat.	065c8960a0338eb64845721687478d8b	SHA1: fb1b2a0063004f71f6ca5a5141128d43640a239d MD5: 065c8960a0338eb64845721687478d8b SHA256: 1fe8af825d232bf55bd1d535ebdb0ebb88ba39e21914e40d33274b29d32680f7
M17-2ef01	Doc.Downloader.Agent-6333860-0_dc20ea04	Mixed	This strike sends a malware sample known as Doc.Downloader.Agent-6333860-0. This malware sample is a document downloader, that uses Microsoft Excel worksheets that include macros to trigger Shell functions. The MD5 hash of this Doc.Downloader.	dc20ea0463f1956f2e4c658984a2a17d	SHA1: 346eebaa4b09dfab368397b958a20262f1211e95 MD5: dc20ea0463f1956f2e4c658984a2a17d SHA256: 13fd575d1474ae579f55615733f75fa50231447b8653e6eb58678103ee82e99e http://blog.talosintelligence.com/2017/07/threat-roundup-0714-0721.html#more
M17-qip01	CopyCat_9a031f2f	Android	This strike sends a malware sample known as CopyCat. CopyCat is a family of Android mobile malware that infected over 14 million devices while gaining root privileges on over half of them. This malware has many capabilities but its main purpose is to generate and steal ad revenues.	9a031f2f5022fae13849b566a1b89579	SHA1: 67cec2e8784219774e8500064113caa535d3a41a MD5: 9a031f2f5022fae13849b566a1b89579 SHA256: 4cbcb8f8eafb3d475362bdb7eddc4cb255c89926e03813ff0efa7652bb696e97 https://www.checkpoint.com/downloads/resources/copycat-research-report.pdf
M17-wpp01	Win.Trojan.DelphiSpamDown-6333_0c4f0ad1	Windows	This strike sends a malware sample known as Win.Trojan.DelphiSpamDown-6333. This malware sample is a Delphi downloader. It can be found in the wild, and is related to a spam campaign. The MD5 hash of this Win.Trojan.	0c4f0ad10c18a15bf78f5840155540d4	SHA1: bd6afe5b786c9feca58949e36a63503fdfe07a18 MD5: 0c4f0ad10c18a15bf78f5840155540d4 SHA256: f23220f487d021aed897deee04e7aaada2521d096406517cd3adcacf4754beac http://blog.talosintelligence.com/2017/07/threat-roundup-0714-0721.html#more
M17-dfo01	CopyCat_2172a6e2	Android	This strike sends a malware sample known as CopyCat. CopyCat is a family of Android mobile malware that infected over 14 million devices while gaining root privileges on over half of them. This malware has many capabilities but its main purpose is to generate and steal ad revenues.	2172a6e20ee9f121606c4bd47311074b	SHA1: a5fcede7a2d3925478955281e6a3388e387037f7 MD5: 2172a6e20ee9f121606c4bd47311074b SHA256: 51dc097980b46d053085ff079b153f107d866a27dc19670b79928ec55ab336d7 https://www.checkpoint.com/downloads/resources/copycat-research-report.pdf
M17-apt01	.Net	Windows	This strike sends a malware sample known as .Net Dubled Backdoor. This .Net malware is not particularly advanced, however, it comes with many features including the ability to spy on the target system and record a user's banking activity via the ffmpg application. The MD5 hash of this .	9c9f9b127becf7667df4ff9726420ccb	SHA1: 5a5ada4e68f7e2964868b6435a6dc5dda0e86999 MD5: 9c9f9b127becf7667df4ff9726420ccb SHA256: 5981576009cd18282cad4eed8dbc33d8f2e7c7a7222c1de31ac6c1f4b8f3aff2 https://blog.malwarebytes.com/threat-analysis/2017/07/malware-abusing-ffmpeg/
M17-h9q01	Nitol_a2326cd7	Windows	This strike sends a malware sample known as Nitol. The sample has been identified in-the-wild being downloaded by DoublePulsar backdoor payloads.	a2326cd780697d756d0fd9cd0323f410	SHA1: 5fc41e1775bb81e3d11b6a0e93d385bcef3897c7 MD5: a2326cd780697d756d0fd9cd0323f410 SHA256: a28cc443757838e979bf2bb178f5d5c1408c043ba2537fbd194eac7b5ee04d0d
M17-7qi01	Win.Virus.Virlock-6332874-0_bbe0914f	Windows	This strike sends a malware sample known as Win.Virus.Virlock-6332874-0. VirLock is a polymorphic ransomware that encrypts the files on the target system, and also inserts a modified version of its own code at the beginning of each file. After execution it locks the screen and asks the user to pay a ransom. The MD5 hash of this Win.Virus.	bbe0914f4441e2b65d50e46fa26e9bf0	SHA1: 2c558318fea7fa6adb326fcd99f5f242bb26d74a MD5: bbe0914f4441e2b65d50e46fa26e9bf0 SHA256: 94549c01f4ca88d7169141b7a8aaa0a79a28e2770811ef84febd639af70c7a74 http://blog.talosintelligence.com/2017/07/threat-roundup-0714-0721.html#more
M17-fxv01	CopyCat_a14e9bfc	Android	This strike sends a malware sample known as CopyCat. CopyCat is a family of Android mobile malware that infected over 14 million devices while gaining root privileges on over half of them. This malware has many capabilities but its main purpose is to generate and steal ad revenues.	a14e9bfc6dfdfa6fca36a7aefe7590d1	SHA1: e7781b298b4c41d858d0cbbc7c1f41e23362cac8 MD5: a14e9bfc6dfdfa6fca36a7aefe7590d1 SHA256: d77d9242bbf4594277b96ed9af5f2fa721b82c578d0e0c640f42928ec8002257 https://www.checkpoint.com/downloads/resources/copycat-research-report.pdf
M17-np001	.Net	Windows	This strike sends a malware sample known as .Net Dubled Backdoor. This .Net malware is not particularly advanced, however, it comes with many features including the ability to spy on the target system and record a user's banking activity via the ffmpg application. The MD5 hash of this .	85d35dd33f898a1f03ffb3b2ec111132	SHA1: 5c68c117772b59705af63ecfcbae3711537ec49e MD5: 85d35dd33f898a1f03ffb3b2ec111132 SHA256: 52a481fda8d5d674beb46faddfdec6329c1c63f1ef00f439aaa7e8ef947d7512 https://blog.malwarebytes.com/threat-analysis/2017/07/malware-abusing-ffmpeg/
M17-2s001	CopyCat_6797aebf	Android	This strike sends a malware sample known as CopyCat. CopyCat is a family of Android mobile malware that infected over 14 million devices while gaining root privileges on over half of them. This malware has many capabilities but its main purpose is to generate and steal ad revenues.	6797aebf0ff789fbf37f543acc126a98	SHA1: 97e7d60c53b409b06acdf5088e9b2b0452084d6b MD5: 6797aebf0ff789fbf37f543acc126a98 SHA256: ca44d2f261c3404a303f46afd6819ed2c077f724032bd0f550cff9b450270706 https://www.checkpoint.com/downloads/resources/copycat-research-report.pdf
M17-b7i01	Doc.Downloader.Agent-6333860-0_6002bbb0	Mixed	This strike sends a malware sample known as Doc.Downloader.Agent-6333860-0. This malware sample is a document downloader, that uses Microsoft Excel worksheets that include macros to trigger Shell functions. The MD5 hash of this Doc.Downloader.	6002bbb0ca96b698af3e64d2ce8295d4	SHA1: 1208966ff8079169bfbbf260f5268c1c877c6c57 MD5: 6002bbb0ca96b698af3e64d2ce8295d4 SHA256: 0fc8af1a3deb4d2895b9bb202278299369a16950239288577472bc06fbf07e4b http://blog.talosintelligence.com/2017/07/threat-roundup-0714-0721.html#more
M17-fj601	CopyCat_87fb37f2	Android	This strike sends a malware sample known as CopyCat. CopyCat is a family of Android mobile malware that infected over 14 million devices while gaining root privileges on over half of them. This malware has many capabilities but its main purpose is to generate and steal ad revenues.	87fb37f226bcb7effe755b9ef9c94d4f	SHA1: 4ceca867c1f769f5e2d4b7f71ac5e21f0c074456 MD5: 87fb37f226bcb7effe755b9ef9c94d4f SHA256: 5a7a908733b71f71bd8f103d9ad2f8c229282d42a50bea2d080b942541b8c93d https://www.checkpoint.com/downloads/resources/copycat-research-report.pdf
M17-jsi01	.Net	Windows	This strike sends a malware sample known as .Net Dubled Backdoor. This .Net malware is not particularly advanced, however, it comes with many features including the ability to spy on the target system and record a user's banking activity via the ffmpg application. The MD5 hash of this .	049af19db6ddd998ac94be3147050217	SHA1: c291c2a9d32bb5eff1c1bbdae3edf1df48a2cefe MD5: 049af19db6ddd998ac94be3147050217 SHA256: 91df20cfd25c140da8728f67e004dc42277922aac62b8dce7589ee82f84ca52a https://blog.malwarebytes.com/threat-analysis/2017/07/malware-abusing-ffmpeg/
M17-di701	Petya/NotPetya_a1d5895f	Windows	This strike sends a malware sample known as Petya/NotPetya. Petya/NotPetya is a ransomware that has been tied to the Petya ransomware due to the nature of how encrypts files and displays them in the ransom note. However, further analysis has shown that it is very dissimilar from Petya and may be a different family of malware entirely.	a1d5895f85751dfe67d19cccb51b051a	SHA1: 9288fb8e96d419586fc8c595dd95353d48e8a060 MD5: a1d5895f85751dfe67d19cccb51b051a SHA256: 17dacedb6f0379a65160d73c0ae3aa1f03465ae75cb6ae754c7dcb3017af1fbd https://www.carbonblack.com/2017/06/27/protect-organization-petya-ransomware-carbon-black/
M17-b2101	Doc.Downloader.Agent-6333860-0_df15ea72	Mixed	This strike sends a malware sample known as Doc.Downloader.Agent-6333860-0. This malware sample is a document downloader, that uses Microsoft Excel worksheets that include macros to trigger Shell functions. The MD5 hash of this Doc.Downloader.	df15ea72c114910ef7fb07bccfc16d2e	SHA1: a7cf768944a59e6402daced81bab4f87cd3f726c MD5: df15ea72c114910ef7fb07bccfc16d2e SHA256: 1b01632e1a44445124165ed61592527fe649a32ed889ee75fdb73d07bf396812 http://blog.talosintelligence.com/2017/07/threat-roundup-0714-0721.html#more
M17-t5a01	Doc.Downloader.Agent-6333860-0_1b044fa9	Mixed	This strike sends a malware sample known as Doc.Downloader.Agent-6333860-0. This malware sample is a document downloader, that uses Microsoft Excel worksheets that include macros to trigger Shell functions. The MD5 hash of this Doc.Downloader.	1b044fa9aed5c94ee4a4ad77800bd8ba	SHA1: 978402697c7f5e6fba8ae34478f982ed2711d09f MD5: 1b044fa9aed5c94ee4a4ad77800bd8ba SHA256: 2248f89b848781c0405cc0cead60172ec75e035aca12e8c147818192fde2266d http://blog.talosintelligence.com/2017/07/threat-roundup-0714-0721.html#more
M17-lc201	NukeBot_9e469e1a	Windows	This strike sends a malware sample known as NukeBot. NukeBot is a modular banking trojan that was created to steal the credentials of online banking customers.	9e469e1adf9aae06bae6017a392b4aa9	SHA1: 12a7a1d90ab72e83fa8308ca5ae08dac9dc17e00 MD5: 9e469e1adf9aae06bae6017a392b4aa9 SHA256: ba27dced648485cd81f117dbf1eb67ac75cf9c54899f5a7f69906f3044cff737 https://threatpost.com/modified-versions-of-nukebot-in-wild-since-source-code-leak/126920/
M17-7ha01	Win.Trojan.AutoIT-6333854-0_029a44e2	Windows	This strike sends a malware sample known as Win.Trojan.AutoIT-6333854-0. This AutoIT malware is packed in a RAR archive that executes itself. It includes several features like anti-debugging, Firefox web browser password stealing and persistence. The MD5 hash of this Win.Trojan.	029a44e2935d5268cb551ef67f3a2bac	SHA1: 581ba698ace559658486844d745ee4d35fe6989e MD5: 029a44e2935d5268cb551ef67f3a2bac SHA256: 62f72450c470bd01096766ac25e8b6ca4edb79683c2ee5b2cc89ec2234983c44 http://blog.talosintelligence.com/2017/07/threat-roundup-0714-0721.html#more
M17-uoi01	Doc.Downloader.Agent-6333860-0_e8d7d75d	Mixed	This strike sends a malware sample known as Doc.Downloader.Agent-6333860-0. This malware sample is a document downloader, that uses Microsoft Excel worksheets that include macros to trigger Shell functions. The MD5 hash of this Doc.Downloader.	e8d7d75d94314d0af1919a6f2bb2edb9	SHA1: 8c8cb1fa0f687604f2e4e37e28c9dac8c745178f MD5: e8d7d75d94314d0af1919a6f2bb2edb9 SHA256: 07aa3365d733098e11e91ece1628130217414488d3fce0e2e261bfb29ab6fed9 http://blog.talosintelligence.com/2017/07/threat-roundup-0714-0721.html#more
M17-tk601	CopyCat_ee1bcb0d	Android	This strike sends a malware sample known as CopyCat. CopyCat is a family of Android mobile malware that infected over 14 million devices while gaining root privileges on over half of them. This malware has many capabilities but its main purpose is to generate and steal ad revenues.	ee1bcb0d5036b4ba72036f79c538c8b1	SHA1: 0520045a2acae640cb3b70b5425d2bcc57721e99 MD5: ee1bcb0d5036b4ba72036f79c538c8b1 SHA256: 3e9274183426e5b6986d0534f3331e3761daa800da1e68acdbbd50cdffed5b77 https://www.checkpoint.com/downloads/resources/copycat-research-report.pdf
M17-17h01	Doc.Downloader.Agent-6333860-0_bd17aa6b	Mixed	This strike sends a malware sample known as Doc.Downloader.Agent-6333860-0. This malware sample is a document downloader, that uses Microsoft Excel worksheets that include macros to trigger Shell functions. The MD5 hash of this Doc.Downloader.	bd17aa6b70c0907497aa6242fb1acc37	SHA1: ab6e993bfa7e53e35d811bd24021eeef99a0f700 MD5: bd17aa6b70c0907497aa6242fb1acc37 SHA256: 01c4f96c8117df219cf9f50723454ace242edcf2d22b09e8e72c5d0c92aad540 http://blog.talosintelligence.com/2017/07/threat-roundup-0714-0721.html#more
M17-f7s01	Doc.Downloader.Agent-6333860-0_fe4fb002	Mixed	This strike sends a malware sample known as Doc.Downloader.Agent-6333860-0. This malware sample is a document downloader, that uses Microsoft Excel worksheets that include macros to trigger Shell functions. The MD5 hash of this Doc.Downloader.	fe4fb002ec991c7f2a431ac1cb9c2f83	SHA1: 9b2c14275adf709fa45c53654c88c4df93f581c6 MD5: fe4fb002ec991c7f2a431ac1cb9c2f83 SHA256: 070e56e7170fc63c1c42c3b0b37df5a25f5c7e2e0a5fd454e8e8e63de2b71bdf http://blog.talosintelligence.com/2017/07/threat-roundup-0714-0721.html#more
M17-zk401	Win.Trojan.AutoIT-6333854-0_5d2d24b7	Windows	This strike sends a malware sample known as Win.Trojan.AutoIT-6333854-0. This AutoIT malware is packed in a RAR archive that executes itself. It includes several features like anti-debugging, Firefox web browser password stealing and persistence. The MD5 hash of this Win.Trojan.	5d2d24b74349f16c857536f96f2d3526	SHA1: 2723f6aea64851703ab7f70d6bcea9bcf150bde7 MD5: 5d2d24b74349f16c857536f96f2d3526 SHA256: ea047fca20938acaeaf82d7753a86bdf9c6ed1bcb6573634d8f515d15b6ddd13 http://blog.talosintelligence.com/2017/07/threat-roundup-0714-0721.html#more
M17-hzp01	Win.Trojan.DelphiSpamDown-6333_44b21e02	Windows	This strike sends a malware sample known as Win.Trojan.DelphiSpamDown-6333. This malware sample is a Delphi downloader. It can be found in the wild, and is related to a spam campaign. The MD5 hash of this Win.Trojan.	44b21e02e76c20916ad6ba762d8e4e0a	SHA1: 689ea54b12ab63ce3347a88f77a91d8b72a0679f MD5: 44b21e02e76c20916ad6ba762d8e4e0a SHA256: d603a19fb425aa77308ee7d3527f03e0a455667aed2030b4fc2c46388a230dad http://blog.talosintelligence.com/2017/07/threat-roundup-0714-0721.html#more
M17-3wz01	Doc.Macro.Obfuscation_78b61795	Mixed	This strike sends a malware sample known as Doc.Macro.Obfuscation. This Office malware sample uses macros to compromise the target system by indirectly accessing data from arrays to perform its functions. The MD5 hash of this Doc.Macro.	78b61795bf73ccc31fadeb04090c9cd5	SHA1: 0c77388f55d27b4357303b92851ce1af269f979f MD5: 78b61795bf73ccc31fadeb04090c9cd5 SHA256: a84e3659977948b8f14cb2bfacef19d997463e779fed8750fa2d44b4342584b4 http://blog.talosintelligence.com/2017/07/threat-roundup-0714-0721.html#more
M17-g4p01	TerrorEK_cd580370	Windows	This strike sends a malware sample known as TerrorEK. Terror EK is an exploit kit that uses adult web site traffic malvertising for distribution. It can fingerprint its target to determine which exploits to deliver.	cd580370d94103205cc1e1e196205840	SHA1: b7315fabb56e19cef664cc61a6267c7e317bb9f9 MD5: cd580370d94103205cc1e1e196205840 SHA256: 404108a0066f6df22bfb4abcec849c214eed089c69b115f5300a2ac631863b1a https://blog.malwarebytes.com/cybercrime/2017/07/terror-ek-actor-experiments-with-url-shortener-fraud/
M17-q9301	LockPoS_3d0f6367	Windows	This strike sends a malware sample known as LockPoS. LockPoS is a point of sale malware that was first discovered targeting systems in Brazil. The malware utilizes HTTP to perform C2 communications and credit card data exfiltration.	3d0f6367f1fedfc08734b35200c7abf9	SHA1: 419311da2ef6b2a9ca27dba3241a0d62a4e25848 MD5: 3d0f6367f1fedfc08734b35200c7abf9 SHA256: 93c11f9b87b2b04f8dadb6a579e2046a69073a244fd4a71a10b1f1fbff36c488 https://www.arbornetworks.com/blog/asert/lockpos-joins-flock/
M17-s2301	CopyCat_99e77c51	Android	This strike sends a malware sample known as CopyCat. CopyCat is a family of Android mobile malware that infected over 14 million devices while gaining root privileges on over half of them. This malware has many capabilities but its main purpose is to generate and steal ad revenues.	99e77c51b74ec18adf2e3d63871f087b	SHA1: 9c33df5ea05e73c5e4a5f8dc7ac28baed8705ca2 MD5: 99e77c51b74ec18adf2e3d63871f087b SHA256: cea1a2984bd529d5451e1108e8f83cfe485350b43b51f754ccbe467ebcc1a429 https://www.checkpoint.com/downloads/resources/copycat-research-report.pdf
M17-70a01	LeakerLocker_7ed5e8f3	Android	This strike sends a malware sample known as LeakerLocker. This Android ransomware sample does not encrypt files, but instead collects personal and private information from the device, and threatens to share them if a ransom is not paid.	7ed5e8f3de77bf3d88896fbc756f4ee4	SHA1: bda4483bc6b999618a1ff637d380ce253ac79a0e MD5: 7ed5e8f3de77bf3d88896fbc756f4ee4 SHA256: cb0a777e79bcef4990159e1b6577649e1fca632bfca82cb619eea0e4d7257e7b https://securingtomorrow.mcafee.com/mcafee-labs/leakerlocker-mobile-ransomware-acts-without-encryption/ http://thehackernews.com/2017/07/leakerlocker-android-ransomware.html
M17-yn801	Doc.Macro.Obfuscation_1ec50c62	Mixed	This strike sends a malware sample known as Doc.Macro.Obfuscation. This Office malware sample uses macros to compromise the target system by indirectly accessing data from arrays to perform its functions. The MD5 hash of this Doc.Macro.	1ec50c62b67bc6efabde292238cf3dec	SHA1: 065a6e0c9279b76709d27b279002981772e1a347 MD5: 1ec50c62b67bc6efabde292238cf3dec SHA256: 29015d08a221749ca7cd1b9526ae4c434457199ac3226236f9e57fdb01b21213 http://blog.talosintelligence.com/2017/07/threat-roundup-0714-0721.html#more
M17-fcj01	Win.Trojan.AutoIT-6333854-0_5a7bf360	Windows	This strike sends a malware sample known as Win.Trojan.AutoIT-6333854-0. This AutoIT malware is packed in a RAR archive that executes itself. It includes several features like anti-debugging, Firefox web browser password stealing and persistence. The MD5 hash of this Win.Trojan.	5a7bf36062b7715b2fea57d3094306c9	SHA1: 1813e1a8cc0b39cf2bfc48a2acad053bcebe7925 MD5: 5a7bf36062b7715b2fea57d3094306c9 SHA256: a831d5503c549917d333d45c72532f0407ed306ca5c95478dad11cb34342ca60 http://blog.talosintelligence.com/2017/07/threat-roundup-0714-0721.html#more
M17-n9k01	NukeBot_06330241	Windows	This strike sends a malware sample known as NukeBot. NukeBot is a modular banking trojan that was created to steal the credentials of online banking customers.	0633024162d9096794324094935c62c0	SHA1: eebfd8fb539c500e7cc398232fb85fe18cafd379 MD5: 0633024162d9096794324094935c62c0 SHA256: cde50cd8d7b86425f1fea457cba17321bc4f82ff90df8169d4c8091d2c3cb275 https://threatpost.com/modified-versions-of-nukebot-in-wild-since-source-code-leak/126920/
M17-g9001	TrojanDropper_1431649f	Windows	This strike sends a malware sample known as TrojanDropper. The sample has been identified in-the-wild being downloaded by DoublePulsar backdoor payloads.	1431649fe7eb8e764a12b13f73d5ef3e	SHA1: 939a7f5a55995940aceefdc41a2e191a9dc390c1 MD5: 1431649fe7eb8e764a12b13f73d5ef3e SHA256: f4dadbc88510393f6ea05a3e78fc4ced3e44a227168e449fb83e010d52c1d3fd
M17-y6m01	CopyCat_d7de0ee8	Android	This strike sends a malware sample known as CopyCat. CopyCat is a family of Android mobile malware that infected over 14 million devices while gaining root privileges on over half of them. This malware has many capabilities but its main purpose is to generate and steal ad revenues.	d7de0ee80aa16beca37ccbbc30031995	SHA1: 55793c9680b8f3cbd84e7210d3250a0a4cabe62e MD5: d7de0ee80aa16beca37ccbbc30031995 SHA256: 1ba7ad1ad23f58e8004ac874a4317e289870e192d2d518c75e0587df1c592719 https://www.checkpoint.com/downloads/resources/copycat-research-report.pdf
M17-xcg01	Win.Trojan.AutoIT-6333854-0_ef659b99	Windows	This strike sends a malware sample known as Win.Trojan.AutoIT-6333854-0. This AutoIT malware is packed in a RAR archive that executes itself. It includes several features like anti-debugging, Firefox web browser password stealing and persistence. The MD5 hash of this Win.Trojan.	ef659b991298558a0c8abb4bc4052dd6	SHA1: 9df6f40ed879244a4cf1d19cba8e1af69afae6e0 MD5: ef659b991298558a0c8abb4bc4052dd6 SHA256: f8305d63f8d4ebc4b4c4bea7c3dd75b3d3c3f53aa2f28cc789a2573d55b83613 http://blog.talosintelligence.com/2017/07/threat-roundup-0714-0721.html#more
M17-9nb01	NukeBot_a06a16bd	Windows	This strike sends a malware sample known as NukeBot. NukeBot is a modular banking trojan that was created to steal the credentials of online banking customers.	a06a16bd77a0fcb95c2c4321be0d2b26	SHA1: 296563d57efc1c5dc40bb0f872ea1aa42161cc94 MD5: a06a16bd77a0fcb95c2c4321be0d2b26 SHA256: 99f68d773b32e33136c33029f9276af5a526370be7ceadb013c5eac16ade1d38 https://threatpost.com/modified-versions-of-nukebot-in-wild-since-source-code-leak/126920/
M17-lrw01	sPowerShell_a7200cd7	Mixed	This strike sends a malware sample known as sPowerShell. This sample is a JavaScript dropper for ransomware and information stealers.	a7200cd7778c40292b17736184dcd2ae	SHA1: 5367459f0405e7bae545b13223a11b7b01f2cef2 MD5: a7200cd7778c40292b17736184dcd2ae SHA256: cce0da7814b5966ffacfecacec0e87aec83989889b56e4dc37eed7873b51617f http://blog.talosintelligence.com/2017/07/threat-roundup-0714-0721.html#more
M17-g9c01	Cerber_0771f009	Windows	This strike sends a malware sample known as Cerber. The Cerber family started to emerge during the 1st quarter of 2016 and has been seen being distributed via Neutrino or Magnitude exploit kits and spam emails using VBScript files.	0771f00985f1e0ce93740281da8752fe	SHA1: 46c7ac1b3ed05b10cde72c77b10418e18d09e1e0 MD5: 0771f00985f1e0ce93740281da8752fe SHA256: 56f41afc8f025597659f11f59b191e66bd6c6525313cf3c0356c40490722b7c5 https://blog.malwarebytes.com/threat-analysis/2016/03/cerber-ransomware-new-but-mature/
M17-6gk01	NukeBot_93b14905	Windows	This strike sends a malware sample known as NukeBot. NukeBot is a modular banking trojan that was created to steal the credentials of online banking customers.	93b14905d3b8fe67c2d552a85f06dec9	SHA1: dfd6e7e6ef67339df85136c203be19b7b443a1ff MD5: 93b14905d3b8fe67c2d552a85f06dec9 SHA256: 94129dc33aef44c4b20fce185e9dc877b6cd7f3785e011caec2979a66254e6a6 https://threatpost.com/modified-versions-of-nukebot-in-wild-since-source-code-leak/126920/
M17-cio01	NukeBot_44230db0	Windows	This strike sends a malware sample known as NukeBot. NukeBot is a modular banking trojan that was created to steal the credentials of online banking customers.	44230db078d5f1aeb7ad844590ddc13e	SHA1: 66d8aaf4defa0fcc6c5ec319504ae15df2daf8af MD5: 44230db078d5f1aeb7ad844590ddc13e SHA256: 1ad1c47a0cbcdf08e45b8d93864eec32fdff16037acaef40562a8966e46ddd87 https://threatpost.com/modified-versions-of-nukebot-in-wild-since-source-code-leak/126920/
M17-ron01	Doc.Macro.Obfuscation_986d7c12	Mixed	This strike sends a malware sample known as Doc.Macro.Obfuscation. This Office malware sample uses macros to compromise the target system by indirectly accessing data from arrays to perform its functions. The MD5 hash of this Doc.Macro.	986d7c1268664329565a12cef882abb7	SHA1: 29c835641e68c333ccc956a6c2a667b3a4ba98fc MD5: 986d7c1268664329565a12cef882abb7 SHA256: 41b9c93fed52bffe68d03abbcbe42086a9baf743d56f9262abd5b4c7fcbff951 http://blog.talosintelligence.com/2017/07/threat-roundup-0714-0721.html#more
M17-m7101	Win.Virus.Virlock-6332874-0_c3018da7	Windows	This strike sends a malware sample known as Win.Virus.Virlock-6332874-0. VirLock is a polymorphic ransomware that encrypts the files on the target system, and also inserts a modified version of its own code at the beginning of each file. After execution it locks the screen and asks the user to pay a ransom. The MD5 hash of this Win.Virus.	c3018da794cafcfaf3528feaca1bb810	SHA1: a367586015e9f804f3d04a582b3eb9b5f1bdfad7 MD5: c3018da794cafcfaf3528feaca1bb810 SHA256: d49a98d35bcb6ff16206c6d1e1495d4ddf9f1911f785bccda24c2b1e0bfe3d03 http://blog.talosintelligence.com/2017/07/threat-roundup-0714-0721.html#more
M17-bjr01	NukeBot_697a7037	Windows	This strike sends a malware sample known as NukeBot. NukeBot is a modular banking trojan that was created to steal the credentials of online banking customers.	697a7037d30d8412df6a796a3297f37e	SHA1: 205f65ee47935edd01ead4ac6bcfb808008b8857 MD5: 697a7037d30d8412df6a796a3297f37e SHA256: 845cf83b9fd613d20b3d54a211300a7a04fd3fed2861d156f354bd186d975455 https://threatpost.com/modified-versions-of-nukebot-in-wild-since-source-code-leak/126920/
M17-jgh01	CopyCat_0dec8b83	Android	This strike sends a malware sample known as CopyCat. CopyCat is a family of Android mobile malware that infected over 14 million devices while gaining root privileges on over half of them. This malware has many capabilities but its main purpose is to generate and steal ad revenues.	0dec8b83592db8fe690d8935d95c42f7	SHA1: 0107327e7604d673e074c2729117b156c43ebd68 MD5: 0dec8b83592db8fe690d8935d95c42f7 SHA256: b0475da7c2934b24cc5830e0a03dec195f997af0132c8493635240f90d5bc15a https://www.checkpoint.com/downloads/resources/copycat-research-report.pdf
M17-ujt01	TrojanDropper_8e5948ec	Windows	This strike sends a malware sample known as TrojanDropper. The sample has been identified in-the-wild being downloaded by DoublePulsar backdoor payloads.	8e5948ec85ca0d6dce18411721e92c0a	SHA1: 40583041b97ef429716a1fc72b78ad0c1da9aa3f MD5: 8e5948ec85ca0d6dce18411721e92c0a SHA256: f9a686680a20a8aeaaaa154ae9eb8c8fd018f109350c4bce2ce3bd4b3a33f1d2
M17-2rw01	.Net	Windows	This strike sends a malware sample known as .Net Dubled Backdoor. This .Net malware is not particularly advanced, however, it comes with many features including the ability to spy on the target system and record a user's banking activity via the ffmpg application. The MD5 hash of this .	e907ebeda7d6fd7f0017a6fb048c4d23	SHA1: 8b2c012b2355e0c3c56d328ed532d0aa4225713b MD5: e907ebeda7d6fd7f0017a6fb048c4d23 SHA256: 7d822d00cd31f4e3bc7bad3535a6590e2f838cc575b8128e716db59b37eb6fb5 https://blog.malwarebytes.com/threat-analysis/2017/07/malware-abusing-ffmpeg/
M17-f7601	Doc.Downloader.Agent-6333860-0_c6199a46	Mixed	This strike sends a malware sample known as Doc.Downloader.Agent-6333860-0. This malware sample is a document downloader, that uses Microsoft Excel worksheets that include macros to trigger Shell functions. The MD5 hash of this Doc.Downloader.	c6199a46d8326b08bc2114ff64a4af63	SHA1: 6b9d533a7ce64c3452b9975d722180695be3b51e MD5: c6199a46d8326b08bc2114ff64a4af63 SHA256: 01ed6302a7ea8d4c54d439b7016b99b6dca275f85d22611811bac8c135309d41 http://blog.talosintelligence.com/2017/07/threat-roundup-0714-0721.html#more
M17-n2901	CopyCat_f25e3352	Android	This strike sends a malware sample known as CopyCat. CopyCat is a family of Android mobile malware that infected over 14 million devices while gaining root privileges on over half of them. This malware has many capabilities but its main purpose is to generate and steal ad revenues.	f25e3352735aa210906527adf1140980	SHA1: 5f161882b681f801b836f6ce8591cdf9716382f0 MD5: f25e3352735aa210906527adf1140980 SHA256: 2f83e80ad23c0aa5d0962c8846cf199842179d806ebec6d4d5ba10e797576101 https://www.checkpoint.com/downloads/resources/copycat-research-report.pdf
M17-93401	CopyCat_d6de304c	Android	This strike sends a malware sample known as CopyCat. CopyCat is a family of Android mobile malware that infected over 14 million devices while gaining root privileges on over half of them. This malware has many capabilities but its main purpose is to generate and steal ad revenues.	d6de304ca960f4e948ef59f144de29aa	SHA1: 4bb0503e1784cbe97e8e7d81d92899bbbe5fa33a MD5: d6de304ca960f4e948ef59f144de29aa SHA256: 934d2ce9e35ab01b2362c2dbbb6b08b77de5b16145e4debee41bb6780cf8848f https://www.checkpoint.com/downloads/resources/copycat-research-report.pdf
M17-zss01	CopyCat_f3f44065	Android	This strike sends a malware sample known as CopyCat. CopyCat is a family of Android mobile malware that infected over 14 million devices while gaining root privileges on over half of them. This malware has many capabilities but its main purpose is to generate and steal ad revenues.	f3f4406564543f7f471b4139b5f7d06b	SHA1: 9e33853d5c0edee9900f3a71b61fb1f4fd286d9b MD5: f3f4406564543f7f471b4139b5f7d06b SHA256: 824119e6dc4fe6f236f9f248abffb77723b0da4632047c7f4edc336208b27b54 https://www.checkpoint.com/downloads/resources/copycat-research-report.pdf
M17-x3601	Doc.Downloader.Agent-6333860-0_c67e57d2	Mixed	This strike sends a malware sample known as Doc.Downloader.Agent-6333860-0. This malware sample is a document downloader, that uses Microsoft Excel worksheets that include macros to trigger Shell functions. The MD5 hash of this Doc.Downloader.	c67e57d24c97e1966177924db6a42636	SHA1: 7995d0f190cf28dba3d0d7ece974b505d77e9b58 MD5: c67e57d24c97e1966177924db6a42636 SHA256: 0634216b34baf0fdc293002632932312293fc4854701b143c6f4735e8cd98b45 http://blog.talosintelligence.com/2017/07/threat-roundup-0714-0721.html#more
M17-t0501	Doc.Macro.Obfuscation_f8ba8dbd	Mixed	This strike sends a malware sample known as Doc.Macro.Obfuscation. This Office malware sample uses macros to compromise the target system by indirectly accessing data from arrays to perform its functions. The MD5 hash of this Doc.Macro.	f8ba8dbdfb0d819dc77b14ce33571fe3	SHA1: ebb49ca6fca45a004ff203957190e175ecc43bae MD5: f8ba8dbdfb0d819dc77b14ce33571fe3 SHA256: a4e076bdea2bdc1028d232079b0bcf42a9b4997fb43e78fbda745f6bb047612c http://blog.talosintelligence.com/2017/07/threat-roundup-0714-0721.html#more
M17-03301	Win.Trojan.AutoIT-6333854-0_ee622d9b	Windows	This strike sends a malware sample known as Win.Trojan.AutoIT-6333854-0. This AutoIT malware is packed in a RAR archive that executes itself. It includes several features like anti-debugging, Firefox web browser password stealing and persistence. The MD5 hash of this Win.Trojan.	ee622d9ba9a819cb7579b24d162e9f1d	SHA1: 13f0ea1243856c65fad230392925a9c8f5328836 MD5: ee622d9ba9a819cb7579b24d162e9f1d SHA256: bb51a0200e84137fb1c07e39fbd7f0ded1eda78d3c95cfa1e16887f0762ab665 http://blog.talosintelligence.com/2017/07/threat-roundup-0714-0721.html#more
M17-jfv01	Win.Virus.Virlock-6332874-0_30906e51	Windows	This strike sends a malware sample known as Win.Virus.Virlock-6332874-0. VirLock is a polymorphic ransomware that encrypts the files on the target system, and also inserts a modified version of its own code at the beginning of each file. After execution it locks the screen and asks the user to pay a ransom. The MD5 hash of this Win.Virus.	30906e516b55ed0ee41e5c7575a8add2	SHA1: d504db93625d2938ea71b7bde04080cd5dfb5f46 MD5: 30906e516b55ed0ee41e5c7575a8add2 SHA256: 7cd99c34887ea6213f18347720d7b1d257969f821bc78f6ad128f55ff137096c http://blog.talosintelligence.com/2017/07/threat-roundup-0714-0721.html#more
M17-c0k01	PoSeidon_0c7631f7	Windows	This strike sends a malware sample known as PoSeidon. PoSeidon is a point of sale malware also known as FindPoS. This malware steals credit card information from point of sale devices and siphons it back to the remote attacker.	0c7631f791c60f79faa1d879056c2e18	SHA1: 5274255aa6032528360fc222b8aeb911caa35e40 MD5: 0c7631f791c60f79faa1d879056c2e18 SHA256: 66112976832889918464be71e7fa134dd5e838717607c7470db9750f1e2bad75 https://krebsonsecurity.com/2017/07/self-service-food-kiosk-vendor-avanti-hacked/
M17-cl901	NukeBot_031a8139	Windows	This strike sends a malware sample known as NukeBot. NukeBot is a modular banking trojan that was created to steal the credentials of online banking customers.	031a8139f1e0f8802ff55bace423284f	SHA1: a5f7867ea057690c4f3a58ea6ecb0c70a65088df MD5: 031a8139f1e0f8802ff55bace423284f SHA256: 8533d6ff4557a0870ccd0ed6268f7f4589f144ba9367bd4665e7239a99e8dcef https://securelist.com/the-nukebot-banking-trojan-from-rough-drafts-to-real-threats/78957/
M17-3gj01	CopyCat_e368fb1d	Android	This strike sends a malware sample known as CopyCat. CopyCat is a family of Android mobile malware that infected over 14 million devices while gaining root privileges on over half of them. This malware has many capabilities but its main purpose is to generate and steal ad revenues.	e368fb1d80bbf24fdfb4ebae7806c885	SHA1: d44dbd5f953ef6fa338081ba707a35d385e48514 MD5: e368fb1d80bbf24fdfb4ebae7806c885 SHA256: 23520f0f96669fd4c57f2ce08bb35e2d3be62df2454743d997bc519e66d894b8 https://www.checkpoint.com/downloads/resources/copycat-research-report.pdf
M17-6q501	LeakerLocker_531882c3	Android	This strike sends a malware sample known as LeakerLocker. This Android ransomware sample does not encrypt files, but instead collects personal and private information from the device, and threatens to share them if a ransom is not paid.	531882c30198ae24329563a64e3199cd	SHA1: e0bf48c49bde950e93e8bae186b813048a9d1132 MD5: 531882c30198ae24329563a64e3199cd SHA256: 486f80edfb1dea13cde87827b14491e93c189c26830b5350e31b07c787b29387 https://securingtomorrow.mcafee.com/mcafee-labs/leakerlocker-mobile-ransomware-acts-without-encryption/ http://thehackernews.com/2017/07/leakerlocker-android-ransomware.html
M17-0sw01	Doc.Macro.Obfuscation_3603129e	Mixed	This strike sends a malware sample known as Doc.Macro.Obfuscation. This Office malware sample uses macros to compromise the target system by indirectly accessing data from arrays to perform its functions. The MD5 hash of this Doc.Macro.	3603129e01b2a6cf35257c82b90166c4	SHA1: 614c261e2208dd353ee80a6b0a3df5ac8bca540a MD5: 3603129e01b2a6cf35257c82b90166c4 SHA256: 5702fa93b08399d8f8d7d1ef1eb2902e7f37a9bbaaf5d9aa6b85a2844224662e http://blog.talosintelligence.com/2017/07/threat-roundup-0714-0721.html#more
M17-es901	Doc.Macro.Obfuscation_af92fbed	Mixed	This strike sends a malware sample known as Doc.Macro.Obfuscation. This Office malware sample uses macros to compromise the target system by indirectly accessing data from arrays to perform its functions. The MD5 hash of this Doc.Macro.	af92fbedc07a81efa7b7515545056ac9	SHA1: 844379215865225dff948022ae8f4dae7bd07c38 MD5: af92fbedc07a81efa7b7515545056ac9 SHA256: 5d91e7426fb87e5f2c9a5aa575d8bc0e98b7e1a09947dcb4e4943c5c047933d9 http://blog.talosintelligence.com/2017/07/threat-roundup-0714-0721.html#more
M17-avv01	Petya/NotPetya_08828daf	Windows	This strike sends a malware sample known as Petya/NotPetya. Petya/NotPetya is a ransomware that has been tied to the Petya ransomware due to the nature of how encrypts files and displays them in the ransom note. However, further analysis has shown that it is very dissimilar from Petya and may be a different family of malware entirely.	08828daf9a027e97fee2421ac6cbc868	SHA1: ad1b006e99b9faded1a2dd4ec98cd3818cf245e3 MD5: 08828daf9a027e97fee2421ac6cbc868 SHA256: 4ee2ae805c31ec4f11f3f6ecf56e9c6e2f59dcd517a5a73210b5e5015f63beea https://www.carbonblack.com/2017/06/27/protect-organization-petya-ransomware-carbon-black/
M17-9d401	Win.Virus.Virlock-6332874-0_bce40383	Windows	This strike sends a malware sample known as Win.Virus.Virlock-6332874-0. VirLock is a polymorphic ransomware that encrypts the files on the target system, and also inserts a modified version of its own code at the beginning of each file. After execution it locks the screen and asks the user to pay a ransom. The MD5 hash of this Win.Virus.	bce40383d98f77cfbe9257730d574ef0	SHA1: 4f61f3a40507f6765ebe6a69063666cbe4cdca15 MD5: bce40383d98f77cfbe9257730d574ef0 SHA256: 6cff1fdde90a5708301b2d3c48729ebf3be7bb4a8f0e6992406affe034ad0a0f http://blog.talosintelligence.com/2017/07/threat-roundup-0714-0721.html#more
M17-vz702	CopyCat_29e2f738	Android	This strike sends a malware sample known as CopyCat. CopyCat is a family of Android mobile malware that infected over 14 million devices while gaining root privileges on over half of them. This malware has many capabilities but its main purpose is to generate and steal ad revenues.	29e2f7388788c93f47f832cf9f6b00cb	SHA1: 9ee904a51c848dabc5eb72895809fa1d4f716621 MD5: 29e2f7388788c93f47f832cf9f6b00cb SHA256: 25942d57f2188c2a0181d15af7a5628e75376f1d1ce1dcf70930f80a781b418d https://www.checkpoint.com/downloads/resources/copycat-research-report.pdf
M17-etz01	Win.Virus.Virlock-6332874-0_a2b2f2b7	Windows	This strike sends a malware sample known as Win.Virus.Virlock-6332874-0. VirLock is a polymorphic ransomware that encrypts the files on the target system, and also inserts a modified version of its own code at the beginning of each file. After execution it locks the screen and asks the user to pay a ransom. The MD5 hash of this Win.Virus.	a2b2f2b74a07b64de247c3f2ceaaa929	SHA1: a81523d7d5936fae8a99f5299ccc530c8949ef38 MD5: a2b2f2b74a07b64de247c3f2ceaaa929 SHA256: 81bec8df30db0bd694ecf01d3950fbe91823854ab017c0cb176d32c9ada3f202 http://blog.talosintelligence.com/2017/07/threat-roundup-0714-0721.html#more
M17-qc401	Win.Trojan.AutoIT-6333854-0_995b5c4e	Windows	This strike sends a malware sample known as Win.Trojan.AutoIT-6333854-0. This AutoIT malware is packed in a RAR archive that executes itself. It includes several features like anti-debugging, Firefox web browser password stealing and persistence. The MD5 hash of this Win.Trojan.	995b5c4eb698bcf47e69729dee6a797c	SHA1: 20c0604298c2d7f9b12704032b3dafdc9a83372a MD5: 995b5c4eb698bcf47e69729dee6a797c SHA256: 83a482b1771474915838db7251d00cf12ae5171c04966621bba82c5829e57b4a http://blog.talosintelligence.com/2017/07/threat-roundup-0714-0721.html#more
M17-b0701	CopyCat_fe514fc5	Android	This strike sends a malware sample known as CopyCat. CopyCat is a family of Android mobile malware that infected over 14 million devices while gaining root privileges on over half of them. This malware has many capabilities but its main purpose is to generate and steal ad revenues.	fe514fc594c4f5248031ae1ab5111ec2	SHA1: efaa96c0159a242a27e3abf6765ff789184e7d5e MD5: fe514fc594c4f5248031ae1ab5111ec2 SHA256: a0cf53bf42cd59016a6ec86747f066db62a7a9461fd903d38fd692e8c23bb5a8 https://www.checkpoint.com/downloads/resources/copycat-research-report.pdf
M17-jgu01	Win.Virus.Virlock-6332874-0_0717e99b	Windows	This strike sends a malware sample known as Win.Virus.Virlock-6332874-0. VirLock is a polymorphic ransomware that encrypts the files on the target system, and also inserts a modified version of its own code at the beginning of each file. After execution it locks the screen and asks the user to pay a ransom. The MD5 hash of this Win.Virus.	0717e99b914fb74bafa67fe0c0c49a7d	SHA1: cbdf94cc63ee85dd69c20a1907c6bbb37c2ebaa5 MD5: 0717e99b914fb74bafa67fe0c0c49a7d SHA256: faaa74146e151d525e94e536ee2605a76c8a0d1699024979181712a03b249f25 http://blog.talosintelligence.com/2017/07/threat-roundup-0714-0721.html#more
M17-uy701	CopyCat_6d6fb0e4	Android	This strike sends a malware sample known as CopyCat. CopyCat is a family of Android mobile malware that infected over 14 million devices while gaining root privileges on over half of them. This malware has many capabilities but its main purpose is to generate and steal ad revenues.	6d6fb0e4bde18b65453fcd639ba24d6a	SHA1: 97934510fd6e4c7c39789b32acb150613d66d4b5 MD5: 6d6fb0e4bde18b65453fcd639ba24d6a SHA256: f3f71bbed9e9db95ada278aacb3d5fd53f481d785048a6fe8dbb2babc601baa3 https://www.checkpoint.com/downloads/resources/copycat-research-report.pdf
M17-v4701	sPowerShell_d243b08c	Mixed	This strike sends a malware sample known as sPowerShell. This sample is a JavaScript dropper for ransomware and information stealers.	d243b08c672e6b8c0bc065458369fe78	SHA1: 018189057dcd9fb02449c131ff592010d73b637a MD5: d243b08c672e6b8c0bc065458369fe78 SHA256: 7a6d5ae7d7bc2849ea40907912a27e8aa6c83fafd952168f9e2d43f76881300c http://blog.talosintelligence.com/2017/07/threat-roundup-0714-0721.html#more
M17-4t401	Gh0stRat_7365383f	Windows	This strike sends a malware sample known as Gh0stRat. The sample has been identified in-the-wild being downloaded by DoublePulsar backdoor payloads.	7365383ff0368f8b6ff1d6f0157a14e0	SHA1: 4dabb411ba0c75fc98e7d0624cf0b170e3c3e2d2 MD5: 7365383ff0368f8b6ff1d6f0157a14e0 SHA256: 153383b05a484845b3eb39915098fa6c8d68fcb639ade54215cda7fcbdeda14a
M17-mfm01	Win.Virus.Virlock-6332874-0_f29adc89	Windows	This strike sends a malware sample known as Win.Virus.Virlock-6332874-0. VirLock is a polymorphic ransomware that encrypts the files on the target system, and also inserts a modified version of its own code at the beginning of each file. After execution it locks the screen and asks the user to pay a ransom. The MD5 hash of this Win.Virus.	f29adc8991371b8b2c8b1bd19cc39a79	SHA1: 68c540ed0bec4b91cce3a9d72013fb4a8195dc3c MD5: f29adc8991371b8b2c8b1bd19cc39a79 SHA256: 6161ca5b2cd218ae1c277e6fcc509f571cc409ae4b2aba007d0e1ef28057fd7d http://blog.talosintelligence.com/2017/07/threat-roundup-0714-0721.html#more
M17-5v901	TrojanDropper_8801cbc4	Windows	This strike sends a malware sample known as TrojanDropper. The sample has been identified in-the-wild being downloaded by DoublePulsar backdoor payloads.	8801cbc42062184ffa0440a136de2117	SHA1: afed24723e3ee241a3cea34e009297c8afd87a63 MD5: 8801cbc42062184ffa0440a136de2117 SHA256: 8f1f7b271182f105f3f55815f4493e5b1ab103b9b555876c0854ec4a2935a8ad
M17-cgq01	CopyCat_cc2bf64f	Android	This strike sends a malware sample known as CopyCat. CopyCat is a family of Android mobile malware that infected over 14 million devices while gaining root privileges on over half of them. This malware has many capabilities but its main purpose is to generate and steal ad revenues.	cc2bf64f2fb1330ab2acbfb783a68d1e	SHA1: bfbb33c65fb8d73fb227524786a82dd9c9ed24f2 MD5: cc2bf64f2fb1330ab2acbfb783a68d1e SHA256: 0db037e7a2d1357228e9e03cee5d65b22266a017d55b72570e615f07fc22cc2d https://www.checkpoint.com/downloads/resources/copycat-research-report.pdf
M17-5uz01	TrojanDropper_b1fcf154	Windows	This strike sends a malware sample known as TrojanDropper. The sample has been identified in-the-wild being downloaded by DoublePulsar backdoor payloads.	b1fcf154622b4274ad3044e8e0f68096	SHA1: 98e1b55fda3a096d33b73505eb04e49f641d2ed0 MD5: b1fcf154622b4274ad3044e8e0f68096 SHA256: 188e15739ed2a33954b3166722f816d4bb3532ea7b633532dd2a4671f6ff4eaf
M17-ewn01	NukeBot_8ebec289	Windows	This strike sends a malware sample known as NukeBot. NukeBot is a modular banking trojan that was created to steal the credentials of online banking customers.	8ebec2892d033da58a8082c0c949c718	SHA1: e7557d738fdb92798708f8b52131a00c9d8e9ce8 MD5: 8ebec2892d033da58a8082c0c949c718 SHA256: 6c8320e18721d4024290a33d8b610572180c4747d2ca8a50351d7adb0b83c5ed https://threatpost.com/modified-versions-of-nukebot-in-wild-since-source-code-leak/126920/
M17-5d101	.Net	Windows	This strike sends a malware sample known as .Net Dubled Backdoor. This .Net malware is not particularly advanced, however, it comes with many features including the ability to spy on the target system and record a user's banking activity via the ffmpg application. The MD5 hash of this .	d628d2a9726b777961f2d1346f988767	SHA1: 179ccf65842a6b7ea3a63028a3b392c44b79121a MD5: d628d2a9726b777961f2d1346f988767 SHA256: dfe4222c135c369797b101929bcb8b7cb303fd446dee7a24fd312395842cd070 https://blog.malwarebytes.com/threat-analysis/2017/07/malware-abusing-ffmpeg/
M17-i0d01	Win.Trojan.AutoIT-6333854-0_d2ec5278	Windows	This strike sends a malware sample known as Win.Trojan.AutoIT-6333854-0. This AutoIT malware is packed in a RAR archive that executes itself. It includes several features like anti-debugging, Firefox web browser password stealing and persistence. The MD5 hash of this Win.Trojan.	d2ec5278d3554576f9187c7ca99a8a77	SHA1: 393bfe994e8a0a34c2451e06568d549fedd6091c MD5: d2ec5278d3554576f9187c7ca99a8a77 SHA256: f81a37d816c639fd977d7781f7fe54cc51e2e34aa3bb8bc877c74ae140025003 http://blog.talosintelligence.com/2017/07/threat-roundup-0714-0721.html#more
M17-m1j01	NukeBot_faf24fc7	Windows	This strike sends a malware sample known as NukeBot. NukeBot is a modular banking trojan that was created to steal the credentials of online banking customers.	faf24fc768c43b95c744dde551d1e191	SHA1: 34a5fa75977333c35e161bd2e55c11fed4b4e4be MD5: faf24fc768c43b95c744dde551d1e191 SHA256: d404ae1cc6821e18482fa16a8839c99541a9176b78bc4e45fb9bc4bc6177c818 https://threatpost.com/modified-versions-of-nukebot-in-wild-since-source-code-leak/126920/
M17-b3g01	Win.Virus.Virlock-6332874-0_bb0199b0	Windows	This strike sends a malware sample known as Win.Virus.Virlock-6332874-0. VirLock is a polymorphic ransomware that encrypts the files on the target system, and also inserts a modified version of its own code at the beginning of each file. After execution it locks the screen and asks the user to pay a ransom. The MD5 hash of this Win.Virus.	bb0199b0128def72d75b3f307c9c22d0	SHA1: b9f8463ebc0a663bc890d071272ed236da33c56f MD5: bb0199b0128def72d75b3f307c9c22d0 SHA256: 824eed3471a9f86836ac4bced8a5ce7f57df95048a995dc0219feab771404f28 http://blog.talosintelligence.com/2017/07/threat-roundup-0714-0721.html#more
M17-mco01	Doc.Macro.Obfuscation_ed54bfd0	Mixed	This strike sends a malware sample known as Doc.Macro.Obfuscation. This Office malware sample uses macros to compromise the target system by indirectly accessing data from arrays to perform its functions. The MD5 hash of this Doc.Macro.	ed54bfd08d039baf8d61f38e86be76c2	SHA1: db3cd8192b24dbe4904dfda7465fc77cb536f67b MD5: ed54bfd08d039baf8d61f38e86be76c2 SHA256: f04ce92cb9f190f8c06d444ac5431f637b6ea8ba864201a549903e3115968403 http://blog.talosintelligence.com/2017/07/threat-roundup-0714-0721.html#more
M17-8gh01	CopyCat_4b66e5f8	Android	This strike sends a malware sample known as CopyCat. CopyCat is a family of Android mobile malware that infected over 14 million devices while gaining root privileges on over half of them. This malware has many capabilities but its main purpose is to generate and steal ad revenues.	4b66e5f820a40e2ee6ab6bb4b09997d7	SHA1: c7d1187caa6e0ceaa4b10e277332b1a3d70dca9a MD5: 4b66e5f820a40e2ee6ab6bb4b09997d7 SHA256: da58b4519e52660f26c81d6fc2b8c0c6ba11262265597360d4de62023f5e5d90 https://www.checkpoint.com/downloads/resources/copycat-research-report.pdf
M17-vz701	Win.Trojan.AutoIT-6333854-0_ff59bd24	Windows	This strike sends a malware sample known as Win.Trojan.AutoIT-6333854-0. This AutoIT malware is packed in a RAR archive that executes itself. It includes several features like anti-debugging, Firefox web browser password stealing and persistence. The MD5 hash of this Win.Trojan.	ff59bd2423cd50288c6bee9cda102eed	SHA1: 16bfc7cf7459008846110fa4f6fdde7862624391 MD5: ff59bd2423cd50288c6bee9cda102eed SHA256: 38dfdc80844d6f6b0d1a73843f1a4704d7bb12cf2ca61d98a54d1cdb5722ac66 http://blog.talosintelligence.com/2017/07/threat-roundup-0714-0721.html#more
M17-03j01	FlokiBot_624f84a9	Mixed	This strike sends a malware sample known as FlokiBot. FlokiBot is a Zeus based banking trojan variant that uses C2 communication to perform DDoS and credit card scraping functionality.	624f84a9d8979789c630327a6b08c7c6	SHA1: f9484baf6f7194248a388d41dfd06543b3dc5d26 MD5: 624f84a9d8979789c630327a6b08c7c6 SHA256: a970842fc7c221fade06c54551c000c0bc494e9e188deb9c570be7c6f95284fa https://www.arbornetworks.com/blog/asert/flokibot-flock-bots/
M17-wyq01	FlokiBot_2510953f	Windows	This strike sends a malware sample known as FlokiBot. FlokiBot is a Zeus based banking trojan variant that uses C2 communication to perform DDoS and credit card scraping functionality.	2510953f05dcd2c758ad29160bbc3911	SHA1: 9e0094cc8be1bbe494d7dac88a57a3db235f8a04 MD5: 2510953f05dcd2c758ad29160bbc3911 SHA256: fbf23b449db5ae1122c503756d9ad7f4d1c77ed367f0874ffe8dde5c578dd2c8 https://www.arbornetworks.com/blog/asert/flokibot-flock-bots/
M17-mgu01	CopyCat_7282c48b	Android	This strike sends a malware sample known as CopyCat. CopyCat is a family of Android mobile malware that infected over 14 million devices while gaining root privileges on over half of them. This malware has many capabilities but its main purpose is to generate and steal ad revenues.	7282c48bdad45f3861edd8244061c26e	SHA1: df579f335eb8be8b5403fcf85dd19a638452e573 MD5: 7282c48bdad45f3861edd8244061c26e SHA256: 1dcce039352f4dcabc693fdc66121b61849767498fb68bb3b4e4b8f00757a359 https://www.checkpoint.com/downloads/resources/copycat-research-report.pdf
M17-1sq01	Doc.Macro.Obfuscation_69ffb531	Mixed	This strike sends a malware sample known as Doc.Macro.Obfuscation. This Office malware sample uses macros to compromise the target system by indirectly accessing data from arrays to perform its functions. The MD5 hash of this Doc.Macro.	69ffb531e7dc45cabcef030626a397bf	SHA1: 93fdf068ed8f8f22a49d21be92e482b213b633f6 MD5: 69ffb531e7dc45cabcef030626a397bf SHA256: 2611831b22f6b0df892e363d429a666b5a4bb9303a97b30c527fb4f43379a462 http://blog.talosintelligence.com/2017/07/threat-roundup-0714-0721.html#more
M17-1iv01	PoSeidon_767ae03a	Windows	This strike sends a malware sample known as PoSeidon. PoSeidon is a point of sale malware also known as FindPoS. This malware steals credit card information from point of sale devices and siphons it back to the remote attacker.	767ae03a2f291121616815a9f47456e2	SHA1: aeddf10827f063228aa20e034ccb9ca19cde3cb0 MD5: 767ae03a2f291121616815a9f47456e2 SHA256: 8b7252c0e7cc4b2311bda423f08cf62fdb75de591c62babd40693147ef022a7a https://krebsonsecurity.com/2017/07/self-service-food-kiosk-vendor-avanti-hacked/
M17-ts501	Petya/NotPetya_7e37ab34	Windows	This strike sends a malware sample known as Petya/NotPetya. Petya/NotPetya is a ransomware that has been tied to the Petya ransomware due to the nature of how encrypts files and displays them in the ransom note. However, further analysis has shown that it is very dissimilar from Petya and may be a different family of malware entirely.	7e37ab34ecdcc3e77e24522ddfd4852d	SHA1: 38e2855e11e353cedf9a8a4f2f2747f1c5c07fcf MD5: 7e37ab34ecdcc3e77e24522ddfd4852d SHA256: 02ef73bd2458627ed7b397ec26ee2de2e92c71a0e7588f78734761d8edbdcd9f https://www.carbonblack.com/2017/06/27/protect-organization-petya-ransomware-carbon-black/
M17-y4f01	Win.Trojan.AutoIT-6333854-0_63a07f35	Windows	This strike sends a malware sample known as Win.Trojan.AutoIT-6333854-0. This AutoIT malware is packed in a RAR archive that executes itself. It includes several features like anti-debugging, Firefox web browser password stealing and persistence. The MD5 hash of this Win.Trojan.	63a07f352a5443a4b4e57cb69a69743f	SHA1: d7c69654d92aea7dfe4b0a134a8d5b8523f1952a MD5: 63a07f352a5443a4b4e57cb69a69743f SHA256: 2cd44a3204106c4fa3e11c310f21a3d0a89795ae90cad00117c779386ea619fd http://blog.talosintelligence.com/2017/07/threat-roundup-0714-0721.html#more
M17-9bj01	Win.Trojan.AutoIT-6333854-0_09301932	Windows	This strike sends a malware sample known as Win.Trojan.AutoIT-6333854-0. This AutoIT malware is packed in a RAR archive that executes itself. It includes several features like anti-debugging, Firefox web browser password stealing and persistence. The MD5 hash of this Win.Trojan.	09301932b011592585bb3560bc3a6ad7	SHA1: a577f9caf8c481c38a31a6bd82abdf86e09b8357 MD5: 09301932b011592585bb3560bc3a6ad7 SHA256: 927bd28d825adc6569d1e307bd3709f73350b3ca2b0f98bbbdd2370526ae19b6 http://blog.talosintelligence.com/2017/07/threat-roundup-0714-0721.html#more
M17-cub01	Doc.Downloader.Agent-6333860-0_87865982	Mixed	This strike sends a malware sample known as Doc.Downloader.Agent-6333860-0. This malware sample is a document downloader, that uses Microsoft Excel worksheets that include macros to trigger Shell functions. The MD5 hash of this Doc.Downloader.	878659824c6dcb28edfbc8a8826adf22	SHA1: 9e02e611f6d968a22580d49e2afb381ec30525b7 MD5: 878659824c6dcb28edfbc8a8826adf22 SHA256: 204ecc72a94c1d1ef60a08ccb132a5123d2e8dcfc16ef1cacebb20887049ec2d http://blog.talosintelligence.com/2017/07/threat-roundup-0714-0721.html#more
M17-n3r01	Win.Virus.Virlock-6332874-0_ea39c1c5	Windows	This strike sends a malware sample known as Win.Virus.Virlock-6332874-0. VirLock is a polymorphic ransomware that encrypts the files on the target system, and also inserts a modified version of its own code at the beginning of each file. After execution it locks the screen and asks the user to pay a ransom. The MD5 hash of this Win.Virus.	ea39c1c57c2446b2b71b8b7896269be8	SHA1: 71e9f0e92dc95bff7e9b4cb134ce024c2363b6d5 MD5: ea39c1c57c2446b2b71b8b7896269be8 SHA256: 61012a5ae49bcfc6c31110b0117c9ed3d3f810cb8053857ef3017b403aeb4ad0 http://blog.talosintelligence.com/2017/07/threat-roundup-0714-0721.html#more
M17-zij01	Doc.Macro.Obfuscation_fe672cd7	Mixed	This strike sends a malware sample known as Doc.Macro.Obfuscation. This Office malware sample uses macros to compromise the target system by indirectly accessing data from arrays to perform its functions. The MD5 hash of this Doc.Macro.	fe672cd7a871b0a4dd2ca6300dbff515	SHA1: ba3e2b5c42c12b5ef5ebba32cb13a3fb1ed5bb7c MD5: fe672cd7a871b0a4dd2ca6300dbff515 SHA256: 341b86bd427dfca140ef6b3f47c7f269fe3ada974692237cc038f5910326d806 http://blog.talosintelligence.com/2017/07/threat-roundup-0714-0721.html#more
M17-hay01	Doc.Macro.Obfuscation_36f030f5	Mixed	This strike sends a malware sample known as Doc.Macro.Obfuscation. This Office malware sample uses macros to compromise the target system by indirectly accessing data from arrays to perform its functions. The MD5 hash of this Doc.Macro.	36f030f5107843b382537768edd49254	SHA1: 8ea2a18608f1bdbcfc956955893174d1ae96881f MD5: 36f030f5107843b382537768edd49254 SHA256: f11534d903c19da7f9b951419fb31fc8027c27f7ed7e3fdb89a923004a838ca1 http://blog.talosintelligence.com/2017/07/threat-roundup-0714-0721.html#more
M17-nr901	Win.Virus.Virlock-6332874-0_8b969fdb	Windows	This strike sends a malware sample known as Win.Virus.Virlock-6332874-0. VirLock is a polymorphic ransomware that encrypts the files on the target system, and also inserts a modified version of its own code at the beginning of each file. After execution it locks the screen and asks the user to pay a ransom. The MD5 hash of this Win.Virus.	8b969fdb7154cf74b74243e82f8ae6fa	SHA1: fdc5dcb2c8f1a8f7ca6d2b68fa4e3c37afb4a3ac MD5: 8b969fdb7154cf74b74243e82f8ae6fa SHA256: db2415f2259b7ec9aaa6ab004a659753ad51dafccbc8696f0a5e906750304efc http://blog.talosintelligence.com/2017/07/threat-roundup-0714-0721.html#more
M17-23201	Win.Virus.Virlock-6332874-0_f30ea2f3	Windows	This strike sends a malware sample known as Win.Virus.Virlock-6332874-0. VirLock is a polymorphic ransomware that encrypts the files on the target system, and also inserts a modified version of its own code at the beginning of each file. After execution it locks the screen and asks the user to pay a ransom. The MD5 hash of this Win.Virus.	f30ea2f3952e4dc32f4e193a7b47b7e1	SHA1: de4ed67b32e3e8b3fd66e06c20066f1669c2e1ef MD5: f30ea2f3952e4dc32f4e193a7b47b7e1 SHA256: cacc1b16c233ad74c95b051edb5542a2824441314aba3f12e0397b857222c0a9 http://blog.talosintelligence.com/2017/07/threat-roundup-0714-0721.html#more
M17-pdw01	Doc.Macro.Obfuscation_b0ffc6d0	Mixed	This strike sends a malware sample known as Doc.Macro.Obfuscation. This Office malware sample uses macros to compromise the target system by indirectly accessing data from arrays to perform its functions. The MD5 hash of this Doc.Macro.	b0ffc6d0cdfd4f510ad3b3b703ffb773	SHA1: 3be99b2039c69a41113527693394344d57c1ba72 MD5: b0ffc6d0cdfd4f510ad3b3b703ffb773 SHA256: 0dd337e3bef51dd39867317b47870076c8bda3efede772fc571b48d59ff79bcf http://blog.talosintelligence.com/2017/07/threat-roundup-0714-0721.html#more
M17-88t01	Doc.Macro.Obfuscation_cefd07f0	Mixed	This strike sends a malware sample known as Doc.Macro.Obfuscation. This Office malware sample uses macros to compromise the target system by indirectly accessing data from arrays to perform its functions. The MD5 hash of this Doc.Macro.	cefd07f03498b5baf3a2c7ca97872328	SHA1: e523974da31af97cf08de7780e0a0d9c2d9a46e4 MD5: cefd07f03498b5baf3a2c7ca97872328 SHA256: 7ac2d7693119e8e07ee9ab0979a219f99763deb2b4134e8a6c18cec7aba1a76a http://blog.talosintelligence.com/2017/07/threat-roundup-0714-0721.html#more
M17-lcu01	Doc.Macro.Obfuscation_9d65ae5a	Mixed	This strike sends a malware sample known as Doc.Macro.Obfuscation. This Office malware sample uses macros to compromise the target system by indirectly accessing data from arrays to perform its functions. The MD5 hash of this Doc.Macro.	9d65ae5a5015402e85d8694f684322ca	SHA1: a37ef548edfdf526b7274c0712f7967242aebc9f MD5: 9d65ae5a5015402e85d8694f684322ca SHA256: 727d8957c910dd733b4960f22535e61375e417cc521b820ae8a917597af86295 http://blog.talosintelligence.com/2017/07/threat-roundup-0714-0721.html#more
M17-6q801	Win.Trojan.DelphiSpamDown-6333_e9f45c7a	Windows	This strike sends a malware sample known as Win.Trojan.DelphiSpamDown-6333. This malware sample is a Delphi downloader. It can be found in the wild, and is related to a spam campaign. The MD5 hash of this Win.Trojan.	e9f45c7a87e2535835c30dfeeb98d97b	SHA1: 6c0ca799263fa113fcd8c76ef700a5809f889c59 MD5: e9f45c7a87e2535835c30dfeeb98d97b SHA256: 72464898f83126f1a89d76cf76b2867b58655b3b316c2000dd185f2c31a4d786 http://blog.talosintelligence.com/2017/07/threat-roundup-0714-0721.html#more
M17-0jq01	NukeBot_9831b109	Windows	This strike sends a malware sample known as NukeBot. NukeBot is a modular banking trojan that was created to steal the credentials of online banking customers.	9831b1092d9acaeb30351e1db30e8521	SHA1: 3b25a4553abced0c237198335fd967f92ad86756 MD5: 9831b1092d9acaeb30351e1db30e8521 SHA256: 916c68203f329eaf00e0dbf5a7571107708ce037935b5f51d7eed41ad581cdfd https://threatpost.com/modified-versions-of-nukebot-in-wild-since-source-code-leak/126920/
M17-v0l01	LockPoS_0ad35a56	Windows	This strike sends a malware sample known as LockPoS. LockPoS is a point of sale malware that was first discovered targeting systems in Brazil. The malware utilizes HTTP to perform C2 communications and credit card data exfiltration.	0ad35a566cfb60959576835ede75983b	SHA1: 2faa933c98cd21515b236d139476a6d09a3d624d MD5: 0ad35a566cfb60959576835ede75983b SHA256: 063f14091c811feb0b99de21d52dc55ca2ccb0c387b515e7407ea09a4337ceef https://www.arbornetworks.com/blog/asert/lockpos-joins-flock/
M17-4un01	.Net	Mixed	This strike sends a malware sample known as .Net Dubled Backdoor. This .Net malware is not particularly advanced, however, it comes with many features including the ability to spy on the target system and record a user's banking activity via the ffmpg application. The MD5 hash of this .	2a07346045558f49cad9da0d249963f1	SHA1: 08f2c18438296576c650ee2da713319ca9c9ca30 MD5: 2a07346045558f49cad9da0d249963f1 SHA256: b920e5f907caced96cebd946cbf6aad02b10676712c2663f2187a8a9fad5b311 https://blog.malwarebytes.com/threat-analysis/2017/07/malware-abusing-ffmpeg/
M17-7rx01	LeakerLocker_0d780a9f	Android	This strike sends a malware sample known as LeakerLocker. This Android ransomware sample does not encrypt files, but instead collects personal and private information from the device, and threatens to share them if a ransom is not paid.	0d780a9f05bed552d6450ff3bc791c04	SHA1: afe2d4ec4ae8250f8d3131338b6158e9a3c6f3a2 MD5: 0d780a9f05bed552d6450ff3bc791c04 SHA256: cd903fc02f88e45d01333b17ad077d9062316f289fded74b5c8c1175fdcdb9d8 https://securingtomorrow.mcafee.com/mcafee-labs/leakerlocker-mobile-ransomware-acts-without-encryption/ http://thehackernews.com/2017/07/leakerlocker-android-ransomware.html
M17-uxx01	Doc.Macro.Obfuscation_a55c0e19	Mixed	This strike sends a malware sample known as Doc.Macro.Obfuscation. This Office malware sample uses macros to compromise the target system by indirectly accessing data from arrays to perform its functions. The MD5 hash of this Doc.Macro.	a55c0e191e6754909a051d5fbf00bdea	SHA1: 18aed4a0b16f6eb97e337acbf29c96523bdd3bd3 MD5: a55c0e191e6754909a051d5fbf00bdea SHA256: 4c5f92378c3fe002163abb763ab30de3b167512255af8f90c0ab7ca85e15fe7f http://blog.talosintelligence.com/2017/07/threat-roundup-0714-0721.html#more
M17-iix01	NukeBot_078aa893	Windows	This strike sends a malware sample known as NukeBot. NukeBot is a modular banking trojan that was created to steal the credentials of online banking customers.	078aa893c6963aac76b63018ee4ecbd3	SHA1: 640702a92e4281515e755649cc4c01db21881394 MD5: 078aa893c6963aac76b63018ee4ecbd3 SHA256: aaf4d39111ba8681cf2b501ec90b612b54a6feae817f37925e99739009f9d37b https://threatpost.com/modified-versions-of-nukebot-in-wild-since-source-code-leak/126920/

Malware Strikes June - 2017

Strike ID	Malware	Platform	Info	MD5	External References
M17-s2701	Valyria_Doc_Macro_3e0c5a01	Mixed	This strike sends a malware sample known as Valyria_Doc_Macro. Valyria is a Trickler that targets the Windows platform. The malware arrives to a victim's system as a Microsoft document file, which uses Visual Basic for Applications to launch a PowerShell script to download and execute files.	3e0c5a01e1c13b6066d561f152b28291	SHA1: 6323db3ff1bc490a6b8ceb4447c5791543f17732 MD5: 3e0c5a01e1c13b6066d561f152b28291 SHA256: 7fcd49ea71363a666377a734b80c7608842a9acb868e1b35a3820a1eefd68975 http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html
M17-9hj01	Fireball_79abd4f5	Windows	This strike sends a malware sample known as Fireball. Fireball is used as a browser-hijacker being frequently installed through bundling modifying the default start page for your browsers as well as changing default search engines to the Rafotech search engine.	79abd4f5c79cd2eb0c0de0b4664652d5	SHA1: da0ae02638e0f190f159a8a24b6d40ce80d1cdf0 MD5: 79abd4f5c79cd2eb0c0de0b4664652d5 SHA256: 656ceb29cf552689f2e3f1b10bbbd39ca74c0ce76451127aacf1851925e3c2ca https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/27000/PD27112/en_US/McAfee_Labs_Threat_Advisory-PUP_Adware-Elex.pdf
M17-q1m01	Fadok_01d9a9d8	Windows	This strike sends a malware sample known as Fadok. Fadok drops several files. The instances of the malware are auto-started when Windows starts. The worm drops and opens a Word document. It connects to the domain wxanalytics.ru.	01d9a9d87e38c06f7a17382477be414d	SHA1: f38a92520fbbbea0b1894084ca5df9c7ea407eeb MD5: 01d9a9d87e38c06f7a17382477be414d SHA256: 0ab690ef09a14798b9deb6cd0c116b8e0ed906b6bac16a05a5ae4bc38cabf467 http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html
M17-55501	GenericMalware_377b5d0c	Windows	This strike sends a malware sample known as GenericMalware. The sample has been identified in-the-wild being downloaded by DoublePulsar backdoor payloads.	377b5d0cb365a8a124126a57ba1103ce	SHA1: 614ab749f50a70faecfbcb54b442fb357f79f745 MD5: 377b5d0cb365a8a124126a57ba1103ce SHA256: c97f4a5bee60b6c823abe53c28230df34026f49bc6fbdba5f1197caf7db47790
M17-wxd01	Qakbot_4ac8b676	Windows	This strike sends a malware sample known as Qakbot. Qbot, AKA Qakbot, has been around for since at least 2008. Qakbot is a sophisticated trojan primarily targetting personal information like banking credentials.	4ac8b6761e6504e1e96d2165f6038ced	SHA1: 107705a77990d78f63379bc3e498781a9477c6c8 MD5: 4ac8b6761e6504e1e96d2165f6038ced SHA256: 4712cf80102b7886a946ab6454fb0978f9d94feacd52c5df18850dbefa0158ec http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html
M17-0nv01	Sivis_1de38c8f	Windows	This strike sends a malware sample known as Sivis. Sivis is a file infector that will replace any file in the file system by executable files containing copies of itself.	1de38c8fb92851c60ec6019ac7924558	SHA1: ba8326ba8e11e955ac99de4720dc629f592d6f14 MD5: 1de38c8fb92851c60ec6019ac7924558 SHA256: 38f441a14f81c370d0ac0934340d3d196bca832668ee6772ac88330614a91b2c http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html
M17-0bf01	Fadok_a115b384	Windows	This strike sends a malware sample known as Fadok. Fadok drops several files. The instances of the malware are auto-started when Windows starts. The worm drops and opens a Word document. It connects to the domain wxanalytics.ru.	a115b384fa775472d82cfa8290551bcf	SHA1: 129c85d614eadacef177aed41aebd06033c2e184 MD5: a115b384fa775472d82cfa8290551bcf SHA256: 03692f096e7fc9ab6bd470f7092ae80cc5dcfbf1dcb2a849dae2a2384e421315 http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html
M17-xrt01	Valyria_Doc_Macro_8d45f392	Mixed	This strike sends a malware sample known as Valyria_Doc_Macro. Valyria is a Trickler that targets the Windows platform. The malware arrives to a victim's system as a Microsoft document file, which uses Visual Basic for Applications to launch a PowerShell script to download and execute files.	8d45f39227d5e8fd3bf9b270dc7d46ad	SHA1: e38a4ed2f3beb4722d5dbf1800334c678ec70374 MD5: 8d45f39227d5e8fd3bf9b270dc7d46ad SHA256: be53a9f3aeca760dfcea58b676db1f687f238e0c6996ec57e36fa6040f43e75e http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html
M17-62401	Valyria_Doc_Macro_12dca91f	Mixed	This strike sends a malware sample known as Valyria_Doc_Macro. Valyria is a Trickler that targets the Windows platform. The malware arrives to a victim's system as a Microsoft document file, which uses Visual Basic for Applications to launch a PowerShell script to download and execute files.	12dca91f7b79b4bef4f408f042fcbda8	SHA1: ec53f9456c433ea9a63c8404cf42836b992f102f MD5: 12dca91f7b79b4bef4f408f042fcbda8 SHA256: 0cfe5dfa2b53c51076a5ea1aac89e7be91e83a70c6438b037dfd00ccd839ca6f http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html
M17-a3r01	Qakbot_5838ce69	Windows	This strike sends a malware sample known as Qakbot. Qbot, AKA Qakbot, has been around for since at least 2008. Qakbot is a sophisticated trojan primarily targetting personal information like banking credentials.	5838ce69e86bfd9f93e32746d73a779d	SHA1: 5ea507dca63035e969f4db6bff585896cf4bb096 MD5: 5838ce69e86bfd9f93e32746d73a779d SHA256: 006b191a135afecf86bd4df2fbf619f8f019ab316d2edb33d053209384c7d4cd http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html
M17-d0k01	Siggen_e3ab4a4a	Windows	This strike sends a malware sample known as Siggen. Siggen is a malware with anti-debugging and anti-VM capabilities. The sample drops a file in a temporary directory that is deleted once it is loaded and the second stage executed.	e3ab4a4a2f18c482e4add154f7ad5436	SHA1: b852fc3e5bfb59978d905c064d0a79e526acb835 MD5: e3ab4a4a2f18c482e4add154f7ad5436 SHA256: 8998b35cd76f170e62275661c0f0256883ec2b8e34b9e5ff9530c9da4d07fb74 http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html
M17-6qj01	Gh0stRAT_47029c8d	Mixed	This strike sends a malware sample known as Gh0stRAT. The sample has been identified in-the-wild being downloaded by DoublePulsar backdoor payloads.	47029c8d9d652d45c15d8c0108f2c9ae	SHA1: 9d11b23989615d9c4c161fc833801c063c141d4a MD5: 47029c8d9d652d45c15d8c0108f2c9ae SHA256: b6915dd2a9ffae5c6a969247e4a3e2b739e094ed9f90516b41251185d9d301a5 https://www.ixiacom.com/company/blog/state-eternalblue-exploitation-wild
M17-s2h01	Gh0stRAT_26d01a08	Windows	This strike sends a malware sample known as Gh0stRAT. The sample has been identified in-the-wild being downloaded by DoublePulsar backdoor payloads.	26d01a08650fd21664748cd7446f3396	SHA1: 116c2d8eab2d6cfdd0de59b622eefbc526d4b043 MD5: 26d01a08650fd21664748cd7446f3396 SHA256: b60d4093fe1a7aa545d22292bd2daafaa07bdcda335aa5e9f2c56e0c4f8668cf
M17-49p01	Valyria_Doc_Macro_5139ef78	Mixed	This strike sends a malware sample known as Valyria_Doc_Macro. Valyria is a Trickler that targets the Windows platform. The malware arrives to a victim's system as a Microsoft document file, which uses Visual Basic for Applications to launch a PowerShell script to download and execute files.	5139ef78258da030fb38081cb48e6343	SHA1: e5390594ab62a10d62a8377acee4fe28861a52d3 MD5: 5139ef78258da030fb38081cb48e6343 SHA256: 27a035174244dd347ee81cc932fccf414b1c32a0820fe6a55e242ee04e9c0686 http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html
M17-xy701	Fireball_bb2dec87	Windows	This strike sends a malware sample known as Fireball. Fireball is used as a browser-hijacker being frequently installed through bundling modifying the default start page for your browsers as well as changing default search engines to the Rafotech search engine.	bb2dec875c10abe72b645bd6376c1c0e	SHA1: b30d5b4fe6f11cb683c4daaf78dd337c1b94c8d9 MD5: bb2dec875c10abe72b645bd6376c1c0e SHA256: 683d13ecc2c2faea61e7095a16f801ac2e00993de838b29042426498dbf92a01 https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/27000/PD27112/en_US/McAfee_Labs_Threat_Advisory-PUP_Adware-Elex.pdf
M17-ay001	Valyria_Doc_Macro_05080c76	Mixed	This strike sends a malware sample known as Valyria_Doc_Macro. Valyria is a Trickler that targets the Windows platform. The malware arrives to a victim's system as a Microsoft document file, which uses Visual Basic for Applications to launch a PowerShell script to download and execute files.	05080c76008874c298f4011ea33190d5	SHA1: f6be84cad04bdec852a669e514d3d99def9b1e19 MD5: 05080c76008874c298f4011ea33190d5 SHA256: d845e07f961afb0341e8d8da25fc08896bccd09ccc5136e74454308c9f95eff6 http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html
M17-15601	EternalRocks_0e83b186	Windows	This strike sends a malware sample known as EternalRocks. EternalRocks is a network worm which uses the public (The Shadow Brokers NSA dump) SMB exploits: ETERNAL BLUE, ETERNALCHAMPION, ETERNALROMANCE, and ETERNALSYNERGY along with related programs DOUBLEPULSAR, ARCHITOUCH, and SMBTOUCH to spread.	0e83b186a4d067299df2db817b724eb7	SHA1: 1e24f6dfdcfac543d89e6e4ee8f2d9fc4321f264 MD5: 0e83b186a4d067299df2db817b724eb7 SHA256: 48b1024f599c3184a49c0d66c5600385265b9868d0936134185326e2db0ab441 https://github.com/stamparm/EternalRocks https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/27000/PD27113/en_US/McAfee_Labs_Threat_Advisory-EternalRocks.pdf
M17-58a01	Crashoverride_11a67ff9	Windows	This strike sends a malware sample known as Crashoverride. Crashoverride is the first ever malware framework designed and deployed to attack electric grids.	11a67ff9ad6006bd44f08bcc125fb61e	SHA1: 8e39eca1e48240c01ee570631ae8f0c9a9637187 MD5: 11a67ff9ad6006bd44f08bcc125fb61e SHA256: 3e3ab9674142dec46ce389e9e759b6484e847f5c1e1fc682fc638fc837c13571 https://dragos.com/blog/crashoverride/CrashOverride-01.pdf
M17-8ah01	Fadok_ee28f9a8	Windows	This strike sends a malware sample known as Fadok. Fadok drops several files. The instances of the malware are auto-started when Windows starts. The worm drops and opens a Word document. It connects to the domain wxanalytics.ru.	ee28f9a8753c779b5c26f6271df09f00	SHA1: 273ff949fda1d3d84259659fc29bedc40a85bc5a MD5: ee28f9a8753c779b5c26f6271df09f00 SHA256: 06f89aa03b2e1f070b9fdfafd5356d0eaa1ea840f05ab7189d89f1cb1f70ff66 http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html
M17-3mu01	Valyria_Doc_Macro_24d4e462	Mixed	This strike sends a malware sample known as Valyria_Doc_Macro. Valyria is a Trickler that targets the Windows platform. The malware arrives to a victim's system as a Microsoft document file, which uses Visual Basic for Applications to launch a PowerShell script to download and execute files.	24d4e462da6609e38a4b92b2674520af	SHA1: d2c6ad43986fef31e212f87b95a35ce2f82f98a6 MD5: 24d4e462da6609e38a4b92b2674520af SHA256: bb4e1f338f6d5c46d7890aa7eabe929de1467d8760a463c74379d651600638e8 http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html
M17-5l701	Siggen_5ebfb9fe	Windows	This strike sends a malware sample known as Siggen. Siggen is a malware with anti-debugging and anti-VM capabilities. The sample drops a file in a temporary directory that is deleted once it is loaded and the second stage executed.	5ebfb9fe30b274780c0f37a22fa88ba3	SHA1: b92adf5db6e0c047f0706a427fed6dcf65e5c295 MD5: 5ebfb9fe30b274780c0f37a22fa88ba3 SHA256: 76cac7eac498813164dcb94ed0812163bc4d261ef80232ec528aa941e0622479 http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html
M17-e0d01	BackdoorTrojan_a1dcc833	Windows	This strike sends a malware sample known as BackdoorTrojan. The sample has been identified in-the-wild being downloaded by DoublePulsar backdoor payloads.	a1dcc83376ae59d6a156096b79c3c856	SHA1: 0f876e85fa1b0e0449db420b8cac168d744829c7 MD5: a1dcc83376ae59d6a156096b79c3c856 SHA256: 65433c71ff7901c183d55bf42452e6b77c9554a2573cc983ff8ab31b0c4f29d6
M17-aq401	Valyria_Doc_Macro_3dcc36e7	Mixed	This strike sends a malware sample known as Valyria_Doc_Macro. Valyria is a Trickler that targets the Windows platform. The malware arrives to a victim's system as a Microsoft document file, which uses Visual Basic for Applications to launch a PowerShell script to download and execute files.	3dcc36e7164d4d1d2d2c8cdb93f8db46	SHA1: b42cb2e11162a6a3876d4235398ba5d68d0f7bf4 MD5: 3dcc36e7164d4d1d2d2c8cdb93f8db46 SHA256: 38e71cd7dba75c6e6dbfa326843d10421d57ab3781c94c1174cfc260c86d4361 http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html
M17-8uu01	Qakbot_d0afd8df	Windows	This strike sends a malware sample known as Qakbot. Qbot, AKA Qakbot, has been around for since at least 2008. Qakbot is a sophisticated trojan primarily targetting personal information like banking credentials.	d0afd8df9e7c9dad6d2e68d45a4f36c0	SHA1: 4f1115d7f1da62b572c9dfa08c406a65efc0baf5 MD5: d0afd8df9e7c9dad6d2e68d45a4f36c0 SHA256: 02ad78b356cb9723b18122a2fad033e0487be7e367864d7481371bde0b0b8acf http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html
M17-ksv01	Qakbot_8a3ab5d3	Windows	This strike sends a malware sample known as Qakbot. Qbot, AKA Qakbot, has been around for since at least 2008. Qakbot is a sophisticated trojan primarily targetting personal information like banking credentials.	8a3ab5d3fa3644ec1829e7825b0a22a3	SHA1: d3f484c3e7ff9fe0a639728ee78edc19b324560b MD5: 8a3ab5d3fa3644ec1829e7825b0a22a3 SHA256: d52f95bb330930af7477604547dd33fdf3fe76e20301a67a7d490f6b1ebe5247 http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html
M17-zma01	Gh0stRAT_0fe309fe	Windows	This strike sends a malware sample known as Gh0stRAT. The sample has been identified in-the-wild being downloaded by DoublePulsar backdoor payloads.	0fe309fea26d8747faaa4a5b51f6baf9	SHA1: 7b8f4552b3aeae03b5f55373f8d538753035b68b MD5: 0fe309fea26d8747faaa4a5b51f6baf9 SHA256: e0740ca59b46de2c823593aaf6ac5a2deab7b5257b4ebd74ea962c0f4683a90c
M17-e3g01	Valyria_Doc_Macro_cd85a6c4	Mixed	This strike sends a malware sample known as Valyria_Doc_Macro. Valyria is a Trickler that targets the Windows platform. The malware arrives to a victim's system as a Microsoft document file, which uses Visual Basic for Applications to launch a PowerShell script to download and execute files.	cd85a6c4130a6666261f583e0a66dea0	SHA1: ec6db43027ba0e034d61348549832458fbce7666 MD5: cd85a6c4130a6666261f583e0a66dea0 SHA256: ff9b033e0f4d48b6f77ae849cf3a94ea411583ea8c232b1da6fd1bc99d5e40d4 http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html
M17-k0501	Siggen_3669fd09	Windows	This strike sends a malware sample known as Siggen. Siggen is a malware with anti-debugging and anti-VM capabilities. The sample drops a file in a temporary directory that is deleted once it is loaded and the second stage executed.	3669fd09ab7a14b79a324b5a729f4bd8	SHA1: 873a65b0f441d8589e19463f1c807d888d6a1f21 MD5: 3669fd09ab7a14b79a324b5a729f4bd8 SHA256: 74a306f136aa3b098fe99f6e35a1163d808c996e7ca6f8cd03fc69ec0a2573c0 http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html
M17-hyq01	Dvmap_20d4b9eb	Android	This strike sends a malware sample known as Dvmap. Dvmap is believed to be the very first malware for Android to ever hide a malicious payload, and then unleash it and directly inject it into a device’s system files.	20d4b9eb9377c499917c4d69bf4ccebe	SHA1: 7eaed59d6a166bc3ec8ce19a27eeb3d5e9c5802c MD5: 20d4b9eb9377c499917c4d69bf4ccebe SHA256: 183e069c563bd16219c205f7aa1d64fc7cb93c8205adf8de77c50367d56dfc2b
M17-zvd01	Dvmap_43680d19	Android	This strike sends a malware sample known as Dvmap. Dvmap is believed to be the very first malware for Android to ever hide a malicious payload, and then unleash it and directly inject it into a device’s system files.	43680d1914f28e14c90436e1d42984e2	SHA1: 05b0513cb53b0c5ee4ed55ce68cd694e676d4d2b MD5: 43680d1914f28e14c90436e1d42984e2 SHA256: 92f8bcd9e62047b380c76afe772ab0fe12ced53b9702d08c37e98424dbb590ae
M17-84i01	PonyVariant_Dropper_8a55ecad	Windows	This strike sends a malware sample known as PonyVariant_Dropper. This dropper launches some malware based on leaked Pony Loader source code. It tries to avoid detection by injecting twice and deleting itself with cmd.exe process.	8a55ecad10a7cf3dad3630ac40e420a1	SHA1: c808faa7617fda487819622ac435cad5f90e929f MD5: 8a55ecad10a7cf3dad3630ac40e420a1 SHA256: 47c916890c345a0588e52cc29e6488b5c709217823b0049a46b9a9e5e07a6efb http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html
M17-gu601	Win32/Virut_b4e71b49	Windows	This strike sends a malware sample known as Win32/Virut. The sample has been identified in-the-wild being downloaded by DoublePulsar backdoor payloads.	b4e71b493e165eb0aa15e8d9b427ac3d	SHA1: 6d94a2b3fbdb70beafa49c4b653c6a8d0e2a99b6 MD5: b4e71b493e165eb0aa15e8d9b427ac3d SHA256: 86a0383757ea9716facdc3cd71ebeaa4486ae87ff302a1217bbcf29a95a4003a
M17-ogg01	Valyria_Doc_Macro_9243540e	Mixed	This strike sends a malware sample known as Valyria_Doc_Macro. Valyria is a Trickler that targets the Windows platform. The malware arrives to a victim's system as a Microsoft document file, which uses Visual Basic for Applications to launch a PowerShell script to download and execute files.	9243540e9c72aeacbbbb557045249bdb	SHA1: fa1fff26c23c168b6d4be1d64baa49885d6bb6b6 MD5: 9243540e9c72aeacbbbb557045249bdb SHA256: 556556a774b187d2068e8d6e4cc2d098fd06fe146e0b4578b68a602d9b9c47f7 http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html
M17-sme01	Fireball_46ce735c	Windows	This strike sends a malware sample known as Fireball. Fireball is used as a browser-hijacker being frequently installed through bundling modifying the default start page for your browsers as well as changing default search engines to the Rafotech search engine.	46ce735cacb3e63bd6c6b100918b25b0	SHA1: 99e0d7dd87b3aa21cba43e6a853d2b1c9f726aab MD5: 46ce735cacb3e63bd6c6b100918b25b0 SHA256: 8a7730de37028da75947da9dd008344c36536c5131b587ce64ba38ae53734944 https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/27000/PD27112/en_US/McAfee_Labs_Threat_Advisory-PUP_Adware-Elex.pdf
M17-8kr01	GenericMalware_6b1e19c6	Windows	This strike sends a malware sample known as GenericMalware. The sample has been identified in-the-wild being downloaded by DoublePulsar backdoor payloads.	6b1e19c656499a624b9319b9c9ba3f08	SHA1: afcc00a2f4940cb5db74e5c5b1be951bccc48828 MD5: 6b1e19c656499a624b9319b9c9ba3f08 SHA256: c995fd44ce9ebe245c71e1768eeaa278e59247fc7002f870dd3c744940b8046d
M17-6qq01	Valyria_Doc_Macro_76928501	Mixed	This strike sends a malware sample known as Valyria_Doc_Macro. Valyria is a Trickler that targets the Windows platform. The malware arrives to a victim's system as a Microsoft document file, which uses Visual Basic for Applications to launch a PowerShell script to download and execute files.	769285015391f1771e82d16de5325b6e	SHA1: e94f8b79adc5648b2b3bf31184d18eae3b16ed12 MD5: 769285015391f1771e82d16de5325b6e SHA256: 3ea1c668e2b904c00f60d3bdd735a31261c49b29a39f2523c03271328a69c580 http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html
M17-ojw01	Valyria_Doc_Macro_d3adb534	Mixed	This strike sends a malware sample known as Valyria_Doc_Macro. Valyria is a Trickler that targets the Windows platform. The malware arrives to a victim's system as a Microsoft document file, which uses Visual Basic for Applications to launch a PowerShell script to download and execute files.	d3adb534e7691d0f1efb12e649c171b5	SHA1: 5c4530cd11ea1cedd8c5de64642c063b3097acc8 MD5: d3adb534e7691d0f1efb12e649c171b5 SHA256: 56e76f857ba0006ce64a71404b3a5e0166659e069c7d31d488de248e3e8a7af4 http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html
M17-iw501	Necurs_a9af7994	Mixed	This strike sends a malware sample known as Necurs. Necurs is a large botnet and when active it distributes massive volumes of malicious spam. It tends to take breaks on weekends and it currently has an ongoing campaign using malicious PDFs to download Jaff ransomware.	a9af7994a9b1e0ba8a117eb64c31c926	SHA1: d364eb043e01f61822c9d2906a36ad2f902c60d7 MD5: a9af7994a9b1e0ba8a117eb64c31c926 SHA256: 3d9728ec88afe74e3ad5bee49c5c64a771f6d39b5f4b16fab280175b989d79a6 https://www.trustwave.com/Resources/SpiderLabs-Blog/Necurs-Recurs/
M17-d2m01	GenericMalware_59dcde96	Windows	This strike sends a malware sample known as GenericMalware. The sample has been identified in-the-wild being downloaded by DoublePulsar backdoor payloads.	59dcde96ce99c4793a6c96d358921930	SHA1: 79df1dc8bf60b9662ad045fbbf0769d5cea55edc MD5: 59dcde96ce99c4793a6c96d358921930 SHA256: 260ebf8e4c489f80cc0f744f2d599810320792ac3bd318713f6e0062ddde366d
M17-28f01	Valyria_Doc_Macro_f5cf1855	Mixed	This strike sends a malware sample known as Valyria_Doc_Macro. Valyria is a Trickler that targets the Windows platform. The malware arrives to a victim's system as a Microsoft document file, which uses Visual Basic for Applications to launch a PowerShell script to download and execute files.	f5cf1855746885e59348062ca0cedc05	SHA1: 6aea27de5a0e9c48902be8d6b8be55e30bd0be59 MD5: f5cf1855746885e59348062ca0cedc05 SHA256: e618d44cf1e7d121c9e934b1d530ebc4e830d1dd7d8228ac5b53a455def791a9 http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html
M17-fup01	Fireball_960045ab	Windows	This strike sends a malware sample known as Fireball. Fireball is used as a browser-hijacker being frequently installed through bundling modifying the default start page for your browsers as well as changing default search engines to the Rafotech search engine.	960045abfa2d230ab5d60fc992a08852	SHA1: 95c7c5a3ff9c9e771c8369d81b6f09640469012a MD5: 960045abfa2d230ab5d60fc992a08852 SHA256: d6c600ccacd3d37d6558333d6d8fed129d86fd028bb92ae5ea9da49fe6455b49 https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/27000/PD27112/en_US/McAfee_Labs_Threat_Advisory-PUP_Adware-Elex.pdf
M17-avj01	Crashoverride_7a7ace48	Windows	This strike sends a malware sample known as Crashoverride. Crashoverride is the first ever malware framework designed and deployed to attack electric grids.	7a7ace486dbb046f588331a08e869d58	SHA1: b92149f046f00bb69de329b8457d32c24726ee00 MD5: 7a7ace486dbb046f588331a08e869d58 SHA256: ad23c7930dae02de1ea3c6836091b5fb3c62a89bf2bcfb83b4b39ede15904910 https://dragos.com/blog/crashoverride/CrashOverride-01.pdf
M17-zv401	Keybase_48987f1f	Windows	This strike sends a malware sample known as Keybase. KeyBase is a trojan that can be used to capture screenshots, keystrokes, and other pieces of system information.	48987f1f272848cb3b188bbe26a9ce08	SHA1: be11eabc8bc566b02737580f74314250e4ceb1c1 MD5: 48987f1f272848cb3b188bbe26a9ce08 SHA256: 8b1c64f993778c52906b8170cc6c16a07f4116e23661956a738323aca7b12c3a http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html
M17-bic01	Crashoverride_f67b65b9	Windows	This strike sends a malware sample known as Crashoverride. Crashoverride is the first ever malware framework designed and deployed to attack electric grids.	f67b65b9346ee75a26f491b70bf6091b	SHA1: f6c21f8189ced6ae150f9ef2e82a3a57843b587d MD5: f67b65b9346ee75a26f491b70bf6091b SHA256: 37d54e3d5e8b838f366b9c202f75fa264611a12444e62ae759c31a0d041aa6e4 https://dragos.com/blog/crashoverride/CrashOverride-01.pdf
M17-mqe01	Valyria_Doc_Macro_b508df1d	Mixed	This strike sends a malware sample known as Valyria_Doc_Macro. Valyria is a Trickler that targets the Windows platform. The malware arrives to a victim's system as a Microsoft document file, which uses Visual Basic for Applications to launch a PowerShell script to download and execute files.	b508df1db86363d813b21589a2f48531	SHA1: af24bd58abb727cef7f6bba08d0926a36204254d MD5: b508df1db86363d813b21589a2f48531 SHA256: c571b06649be9a8d07ae380a7131dd8deba1bee2aa7067557857fee8cbd2c130 http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html
M17-oi801	Valyria_Doc_Macro_bd93081f	Mixed	This strike sends a malware sample known as Valyria_Doc_Macro. Valyria is a Trickler that targets the Windows platform. The malware arrives to a victim's system as a Microsoft document file, which uses Visual Basic for Applications to launch a PowerShell script to download and execute files.	bd93081f18c481680c05cb452ce59284	SHA1: c15f37b5722862aa8addc2ceb9b32d3584748de0 MD5: bd93081f18c481680c05cb452ce59284 SHA256: fff62aadd6740b7c1a4b57758f95d5de0cc36e471e6d1ae40ca8141a5845a7eb http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html
M17-y8i01	Valyria_Doc_Macro_d93a9a3b	Mixed	This strike sends a malware sample known as Valyria_Doc_Macro. Valyria is a Trickler that targets the Windows platform. The malware arrives to a victim's system as a Microsoft document file, which uses Visual Basic for Applications to launch a PowerShell script to download and execute files.	d93a9a3b2a332fd69a3d0d7f1b64b5e7	SHA1: fc1f0082257f9983c31c7b85c7efbd0ab4de98e6 MD5: d93a9a3b2a332fd69a3d0d7f1b64b5e7 SHA256: 2378d2f333b50cc341e08f574d300ebcf12ee7140cb897620bc9c35f93929854 http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html
M17-t5x01	Gh0stRAT_d5536e59	Windows	This strike sends a malware sample known as Gh0stRAT. The sample has been identified in-the-wild being downloaded by DoublePulsar backdoor payloads.	d5536e59be24fd3ecfe07cdc8a1f8772	SHA1: 4cfa4834b5278631e99ad3f5a3be9b3129889a34 MD5: d5536e59be24fd3ecfe07cdc8a1f8772 SHA256: 16c6a023ef62a69ae260972cd564e6e168ee656f4e751a6ee071c591b0aeddb1
M17-l8901	Fireball_41e928af	Windows	This strike sends a malware sample known as Fireball. Fireball is used as a browser-hijacker being frequently installed through bundling modifying the default start page for your browsers as well as changing default search engines to the Rafotech search engine.	41e928af129c0583d2eb8c13a6caee64	SHA1: d7c6f623f941ff21d5e172ec599c9525e4bcf953 MD5: 41e928af129c0583d2eb8c13a6caee64 SHA256: 24f1b40015760028743e03f2e0dbd6333f07fa43bcbdb37bb33a1b6626eb0684 https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/27000/PD27112/en_US/McAfee_Labs_Threat_Advisory-PUP_Adware-Elex.pdf
M17-aux01	Valyria_Doc_Macro_1eb97d04	Mixed	This strike sends a malware sample known as Valyria_Doc_Macro. Valyria is a Trickler that targets the Windows platform. The malware arrives to a victim's system as a Microsoft document file, which uses Visual Basic for Applications to launch a PowerShell script to download and execute files.	1eb97d04bcb26e07565ffe223a969507	SHA1: b2b9f29e076dd260c5315011c3696242444d0d99 MD5: 1eb97d04bcb26e07565ffe223a969507 SHA256: 7ec2376443a777c789d853489ba4192ff21923ab95f4810660faad4dd93e0813 http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html
M17-0nr01	Crashoverride_a193184e	Windows	This strike sends a malware sample known as Crashoverride. Crashoverride is the first ever malware framework designed and deployed to attack electric grids.	a193184e61e34e2bc36289deaafdec37	SHA1: 94488f214b165512d2fc0438a581f5c9e3bd4d4c MD5: a193184e61e34e2bc36289deaafdec37 SHA256: 7907dd95c1d36cf3dc842a1bd804f0db511a0f68f4b3d382c23a3c974a383cad https://dragos.com/blog/crashoverride/CrashOverride-01.pdf
M17-8op01	Sivis_0a5d3828	Windows	This strike sends a malware sample known as Sivis. Sivis is a file infector that will replace any file in the file system by executable files containing copies of itself.	0a5d382821b9239d12f996bf6a623012	SHA1: 712e446768496651dafd48725b5d7544e0a24ccf MD5: 0a5d382821b9239d12f996bf6a623012 SHA256: 4e5297e0d0b8c702e6c97fbaeee1f329b2246a046790e0e8adb595f94accf47e http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html
M17-qcr01	Fadok_eea3c727	Windows	This strike sends a malware sample known as Fadok. Fadok drops several files. The instances of the malware are auto-started when Windows starts. The worm drops and opens a Word document. It connects to the domain wxanalytics.ru.	eea3c72780e07f805ffa1bb7bb76298a	SHA1: 9686299e7fe5ddcef27e3e051916f5bb339fe39e MD5: eea3c72780e07f805ffa1bb7bb76298a SHA256: 148c4618e14a3c30f73dd6f910df6999ea4be2e32818f3747bdae03c175b7c48 http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html
M17-s9z01	PonyVariant_Dropper_55babe51	Windows	This strike sends a malware sample known as PonyVariant_Dropper. This dropper launches some malware based on leaked Pony Loader source code. It tries to avoid detection by injecting twice and deleting itself with cmd.exe process.	55babe5130c6b73b47fc48a46d0b0e16	SHA1: a013f9e3652807743c366612f76c0435e874dbd3 MD5: 55babe5130c6b73b47fc48a46d0b0e16 SHA256: 24558ad4b3a745c24a2dd42c73800ccfcd0c10dc17c67d83f3dcb3a4e479d46c http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html
M17-xsv01	BackdoorTrojan_82180b3d	Windows	This strike sends a malware sample known as BackdoorTrojan. The sample has been identified in-the-wild being downloaded by DoublePulsar backdoor payloads.	82180b3dc79c71c15d10ce7f52c05db0	SHA1: 66616825dbc92de5a12f75b188983bff971b2a7d MD5: 82180b3dc79c71c15d10ce7f52c05db0 SHA256: a1f119908b935199ded134e9ff57ebf205e1d6c27e0c9562979634ddc1c5f9e5
M17-2fs01	Valyria_Doc_Macro_674d849e	Mixed	This strike sends a malware sample known as Valyria_Doc_Macro. Valyria is a Trickler that targets the Windows platform. The malware arrives to a victim's system as a Microsoft document file, which uses Visual Basic for Applications to launch a PowerShell script to download and execute files.	674d849e8fe0351d927e1262f13e8e17	SHA1: f43ec260e655536519f41bdae66afc2ad3ec5a8b MD5: 674d849e8fe0351d927e1262f13e8e17 SHA256: eaa3cb0af249967c7d9a66185db3cac7e93196da6281014206b6d0bc0fb7f34c http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html
M17-yma01	Ursnif_23fb9126	Windows	This strike sends a malware sample known as Ursnif. Ursnif or Gozi is a banking trojan. The malware is mainly spread through spam email that contains an attachment that downloads Ursnif. In the past year, Ursnif has been used in attacks against Japan.	23fb91262a83aed54abcebbf86e2af96	SHA1: 3bf342ec0a3aad1f4269c19eecf399be3afd4a94 MD5: 23fb91262a83aed54abcebbf86e2af96 SHA256: cbe692191547918894975784a02015b409923cfcda0ddb82b9331fecaa8e39f6 https://www.trustwave.com/Resources/SpiderLabs-Blog/URSNIF-is-Back-Riding-a-New-Wave-of-Spam/
M17-ala01	Siggen_396a1016	Windows	This strike sends a malware sample known as Siggen. Siggen is a malware with anti-debugging and anti-VM capabilities. The sample drops a file in a temporary directory that is deleted once it is loaded and the second stage executed.	396a1016606c2539873ec0467440ea0f	SHA1: 2bd4a382556d5ae7bc153cb8a7427250270b2d60 MD5: 396a1016606c2539873ec0467440ea0f SHA256: 87701e501b48b94e9494bbda3f42a8b2a92a0e19d51d3e6023efae30b86f74a0 http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html
M17-h8801	Jaff_35eed9ca	Mixed	This strike sends a malware sample known as Jaff. We recently observed several large scale email campaigns that were attempting to distribute a new variant of ransomware that has been dubbed "Jaff". Interestingly we identified several characteristics that we have previously observed being used during Dridex and Locky campaigns. In a short period of time, we observed multiple campaigns featuring high volumes of malicious spam emails being distributed, each using a PDF attachment with an embedded Microsoft Word document functioning as the initial downloader for the Jaff ransomware.	35eed9cafb26975c42b7a621352565d2	SHA1: 03b17da93cf91f61c9dbb4d25182016cefec0659 MD5: 35eed9cafb26975c42b7a621352565d2 SHA256: ddabbe9cac0a547105ba8ccf223c7bcadebd680e724bca39c9d17a998726f854
M17-1s101	PonyVariant_Dropper_084b72fc	Windows	This strike sends a malware sample known as PonyVariant_Dropper. This dropper launches some malware based on leaked Pony Loader source code. It tries to avoid detection by injecting twice and deleting itself with cmd.exe process.	084b72fcf63d2628b157f4c7a9d9c00a	SHA1: e308935ab855d4c4513dc030b035cc703d823ad2 MD5: 084b72fcf63d2628b157f4c7a9d9c00a SHA256: 4fe60f488f45f914edb650cc2e248d156ad8b257b610ad4848b1c245f38053e3 http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html
M17-y7301	Valyria_Doc_Macro_be6dd256	Mixed	This strike sends a malware sample known as Valyria_Doc_Macro. Valyria is a Trickler that targets the Windows platform. The malware arrives to a victim's system as a Microsoft document file, which uses Visual Basic for Applications to launch a PowerShell script to download and execute files.	be6dd2561ed2258740306253b58e2b49	SHA1: e8214a0a00f8261458157a44dfba335caecd85f1 MD5: be6dd2561ed2258740306253b58e2b49 SHA256: a57fe946d0e6d5324080ad9625ed5f4cc2720c53cfa8dfc4185cecc9320c8e45 http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html
M17-dzm01	VBS.CobaStriDldr.A_3a1dca21	Mixed	This strike sends a malware sample known as VBS.CobaStriDldr.A. This malware has been reportedly used in a targeted attack campaign named as APT19. This phishing campaign targets global law and investment firms. The malware arrives on the infected system through a spear phishing email, containing a Microsoft Excel file or XLSM document. The MD5 hash of this VBS.CobaStriDldr.	3a1dca21bfe72368f2dd46eb4d9b48c4	SHA1: 3ddc3d2f40c64333adfafe508726344d90598c7b MD5: 3a1dca21bfe72368f2dd46eb4d9b48c4 SHA256: 42ff4fa4a92fba9ec44371431997700195f22753d4ea16c0dda0a5c4116a61af https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html
M17-dod01	Crashoverride_ab17f2b1	Windows	This strike sends a malware sample known as Crashoverride. Crashoverride is the first ever malware framework designed and deployed to attack electric grids.	ab17f2b17c57b731cb930243589ab0cf	SHA1: 5a5fafbc3fec8d36fd57b075ebf34119ba3bff04 MD5: ab17f2b17c57b731cb930243589ab0cf SHA256: 018eb62e174efdcdb3af011d34b0bf2284ed1a803718fba6edffe5bc0b446b81 https://dragos.com/blog/crashoverride/CrashOverride-01.pdf
M17-1t601	Valyria_Doc_Macro_788a6918	Mixed	This strike sends a malware sample known as Valyria_Doc_Macro. Valyria is a Trickler that targets the Windows platform. The malware arrives to a victim's system as a Microsoft document file, which uses Visual Basic for Applications to launch a PowerShell script to download and execute files.	788a69180a4ad792e3798e4e50f61c1f	SHA1: 5e122e37318aa8fd3d8f88ed23d1685fcbcfbe81 MD5: 788a69180a4ad792e3798e4e50f61c1f SHA256: 17b965a0cf6b0b316da2c659ec2c7bbe747819d09c1c1401d5a80272f47b813a http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html
M17-28m01	GenericMalware_4d621871	Windows	This strike sends a malware sample known as GenericMalware. The sample has been identified in-the-wild being downloaded by DoublePulsar backdoor payloads.	4d621871d5de77993f46353cbcb2c571	SHA1: e097699803af2f9b690f2f4c6d35613a73eaa49e MD5: 4d621871d5de77993f46353cbcb2c571 SHA256: 4996a9d19d17e8e436a188164e3c7725595a64edc8c45f611005f7f2832a8e2c
M17-9p901	Qakbot_24be8c46	Windows	This strike sends a malware sample known as Qakbot. Qbot, AKA Qakbot, has been around for since at least 2008. Qakbot is a sophisticated trojan primarily targetting personal information like banking credentials.	24be8c4601fe3170a01166969f8213c6	SHA1: 7c03395e543e6f7123437682c81c89936195af14 MD5: 24be8c4601fe3170a01166969f8213c6 SHA256: 0200b37385ee4b54572e9ff8f9dca6b20ef6a41feefeb9f5eaf14fa35fe82b87 http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html
M17-xmu01	Qakbot_55ba2a99	Windows	This strike sends a malware sample known as Qakbot. Qbot, AKA Qakbot, has been around for since at least 2008. Qakbot is a sophisticated trojan primarily targetting personal information like banking credentials.	55ba2a99ee46c18e2d6f545bfb5ffff6	SHA1: 5e384fafa16bf6c2103543d0d9bec3448aec7436 MD5: 55ba2a99ee46c18e2d6f545bfb5ffff6 SHA256: 0452810a21fc1207dc11a2a82127f30354fdc41aef95371b77a00b5592c11bb4 http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html
M17-s7m01	PonyVariant_Dropper_1dbf9a8e	Windows	This strike sends a malware sample known as PonyVariant_Dropper. This dropper launches some malware based on leaked Pony Loader source code. It tries to avoid detection by injecting twice and deleting itself with cmd.exe process.	1dbf9a8e3f11514aee40fcaab87a4794	SHA1: 09647c9edd512adc143e449d58f789b02a527150 MD5: 1dbf9a8e3f11514aee40fcaab87a4794 SHA256: 50733aaab0b6ca4210df15017f51bb576c84fea2cbeb0912dd40a32056cd3c1b http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html
M17-hbu01	Valyria_Doc_Macro_957d8224	Mixed	This strike sends a malware sample known as Valyria_Doc_Macro. Valyria is a Trickler that targets the Windows platform. The malware arrives to a victim's system as a Microsoft document file, which uses Visual Basic for Applications to launch a PowerShell script to download and execute files.	957d8224e35c282d15b50b43257beb5d	SHA1: 598aa2cd6b85674801b00ad077cf076b4faeb60b MD5: 957d8224e35c282d15b50b43257beb5d SHA256: e90846bb4883914000462df105e679bc4ad05d3d1b0900363dd18eba1aca5c33 http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html
M17-qtq01	Valyria_Doc_Macro_d770c4ed	Mixed	This strike sends a malware sample known as Valyria_Doc_Macro. Valyria is a Trickler that targets the Windows platform. The malware arrives to a victim's system as a Microsoft document file, which uses Visual Basic for Applications to launch a PowerShell script to download and execute files.	d770c4edfe83ea4b72336ccaf64422d3	SHA1: e1e878411f2a6b7400ab963b12726c39d1259b69 MD5: d770c4edfe83ea4b72336ccaf64422d3 SHA256: 73b30d45b7f7a0893f8d8a1b3b55f10ff9d11e86619dccbb22a60d1f2462d5f6 http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html
M17-yrt01	Sivis_98f6a14b	Windows	This strike sends a malware sample known as Sivis. Sivis is a file infector that will replace any file in the file system by executable files containing copies of itself.	98f6a14bc884609eb523b125be4a8ecd	SHA1: 75644ce47dc6f94a88390e9c2a0e2de2fb515c73 MD5: 98f6a14bc884609eb523b125be4a8ecd SHA256: 7366a0faef62af909a1ef1da05e2cbd1fc9534cbb26e20e90538e043f4517d5c http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html
M17-qkr01	Necurs_6686dec2	Mixed	This strike sends a malware sample known as Necurs. Necurs is a large botnet and when active it distributes massive volumes of malicious spam. It tends to take breaks on weekends and it currently has an ongoing campaign using malicious PDFs to download Jaff ransomware.	6686dec2e57b635f864ec0597512703e	SHA1: 2001971c7ddaa9b2550d1b870f5e377c56f15f70 MD5: 6686dec2e57b635f864ec0597512703e SHA256: 778034b1c61ea7ab25a64bf49b5ae7d8c5dd2ce5f0ef3f8178adeee04f6a1e1f https://www.trustwave.com/Resources/SpiderLabs-Blog/Necurs-Recurs/
M17-12k01	Gh0stRAT_ec66f69e	Windows	This strike sends a malware sample known as Gh0stRAT. The sample has been identified in-the-wild being downloaded by DoublePulsar backdoor payloads.	ec66f69e6ee7facceb6cde1fdae46276	SHA1: 2d1077b5698382c22683f35d37711e7228b55dd6 MD5: ec66f69e6ee7facceb6cde1fdae46276 SHA256: 986e68ea037df3e00aa78ba996d31da0233a46aeea2eaa77be3ee5e4bc008176
M17-i4s01	Sivis_930c0d6e	Windows	This strike sends a malware sample known as Sivis. Sivis is a file infector that will replace any file in the file system by executable files containing copies of itself.	930c0d6e81335a76ee13ebca9c78b9df	SHA1: b428f5be0fbe76595e86714bad964858cac7b98e MD5: 930c0d6e81335a76ee13ebca9c78b9df SHA256: ccbf43a2ab8074ca4a27952f0f3c052435ffe38cfa4644f63b609f96c978c014 http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html
M17-oeu01	Sivis_6fbaf919	Windows	This strike sends a malware sample known as Sivis. Sivis is a file infector that will replace any file in the file system by executable files containing copies of itself.	6fbaf919f8cd2f44f077572418b390fa	SHA1: 99cfe8649d79d93be19bd32ea8ef99d197ce6fa4 MD5: 6fbaf919f8cd2f44f077572418b390fa SHA256: 0a08a78e10ffd4c2e176e089e092f3692b94da97457abcfc694082c525335fcf http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html
M17-55001	Valyria_Doc_Macro_e65bf51b	Mixed	This strike sends a malware sample known as Valyria_Doc_Macro. Valyria is a Trickler that targets the Windows platform. The malware arrives to a victim's system as a Microsoft document file, which uses Visual Basic for Applications to launch a PowerShell script to download and execute files.	e65bf51b842f903e2d8814f7c2973273	SHA1: eecac6bd49051c53b67b0122161a39468a0cd9b6 MD5: e65bf51b842f903e2d8814f7c2973273 SHA256: 913b51d636924dc67655ac2bb69449858448f71363eafcd3cb7881da3fe12994 http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html
M17-o6r01	Valyria_Doc_Macro_50bdf5ca	Mixed	This strike sends a malware sample known as Valyria_Doc_Macro. Valyria is a Trickler that targets the Windows platform. The malware arrives to a victim's system as a Microsoft document file, which uses Visual Basic for Applications to launch a PowerShell script to download and execute files.	50bdf5ca6bdee15865eb3e21b9a297b3	SHA1: 589e0635f90ab6fdd9cddc920076502d992cab00 MD5: 50bdf5ca6bdee15865eb3e21b9a297b3 SHA256: ac1803de8dea5bca07b2eb654f0ce9b013285686014483e6c81ae7235b68e1aa http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html
M17-c5h01	Qakbot_08bacffc	Windows	This strike sends a malware sample known as Qakbot. Qbot, AKA Qakbot, has been around for since at least 2008. Qakbot is a sophisticated trojan primarily targetting personal information like banking credentials.	08bacffcc1e4df896670047790373497	SHA1: 34b74953be0071c8a1d41115b3555664e085b0fc MD5: 08bacffcc1e4df896670047790373497 SHA256: 5b7a5a58e4af312cd23e1f28597f2818953dd23abdeedb52adb882958e2766cb http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html
M17-76n01	Crashoverride_497de9d3	Windows	This strike sends a malware sample known as Crashoverride. Crashoverride is the first ever malware framework designed and deployed to attack electric grids.	497de9d388d23bf8ae7230d80652af69	SHA1: b335163e6eb854df5e08e85026b2c3518891eda8 MD5: 497de9d388d23bf8ae7230d80652af69 SHA256: 893e4cca7fe58191d2f6722b383b5e8009d3885b5913dcd2e3577e5a763cdb3f https://dragos.com/blog/crashoverride/CrashOverride-01.pdf
M17-tng01	Valyria_Doc_Macro_2cff60d4	Mixed	This strike sends a malware sample known as Valyria_Doc_Macro. Valyria is a Trickler that targets the Windows platform. The malware arrives to a victim's system as a Microsoft document file, which uses Visual Basic for Applications to launch a PowerShell script to download and execute files.	2cff60d45d124f27874d2ea0fe4195e2	SHA1: d4ea353cc42ffe2337af79baf50e542bc7cb2e76 MD5: 2cff60d45d124f27874d2ea0fe4195e2 SHA256: 097de8a240500e67ed2b1b0d8d95a4bcd8f07764c5abdcf7eceb17d15c592611 http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html
M17-8as01	Fireball_fab40a7b	Windows	This strike sends a malware sample known as Fireball. Fireball is used as a browser-hijacker being frequently installed through bundling modifying the default start page for your browsers as well as changing default search engines to the Rafotech search engine.	fab40a7bde5250a6bc8644f4d6b9c28f	SHA1: 8b6388810047db449d3699333eca9091568a094c MD5: fab40a7bde5250a6bc8644f4d6b9c28f SHA256: 9b4971349ae85aa09c0a69852ed3e626c954954a3927b3d1b6646f139b930022
M17-bxd01	Fireball_94e46b45	Windows	This strike sends a malware sample known as Fireball. Fireball is used as a browser-hijacker being frequently installed through bundling modifying the default start page for your browsers as well as changing default search engines to the Rafotech search engine.	94e46b4519ef0610a6a7d91d01584192	SHA1: 8a8c9c2e6401a5d11883d0459be32e435317dd2e MD5: 94e46b4519ef0610a6a7d91d01584192 SHA256: d6b51900305241cc5a7ba26858f3f55e5b7ddcff101e8f5c7060cead328bc7c4 https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/27000/PD27112/en_US/McAfee_Labs_Threat_Advisory-PUP_Adware-Elex.pdf
M17-xfr01	Fireball_66e4d7c4	Windows	This strike sends a malware sample known as Fireball. Fireball is used as a browser-hijacker being frequently installed through bundling modifying the default start page for your browsers as well as changing default search engines to the Rafotech search engine.	66e4d7c44d23abf72069e745e6b617ed	SHA1: 7d9d44a8e33a7dd21d5f240eaa0fbc6e8de2e185 MD5: 66e4d7c44d23abf72069e745e6b617ed SHA256: 8f2e624dd9e77d0e2e74b01e271faace40f13a4f51fab61a585fbf0779bea627
M17-we401	Qakbot_142aaa6c	Windows	This strike sends a malware sample known as Qakbot. Qbot, AKA Qakbot, has been around for since at least 2008. Qakbot is a sophisticated trojan primarily targetting personal information like banking credentials.	142aaa6c5fcb885e211039ccb6b0f5d4	SHA1: 66094ebc324bd90422bb4074ff204b92c594d07c MD5: 142aaa6c5fcb885e211039ccb6b0f5d4 SHA256: 007f9ee2441329fe8c8ebf6f597c84eb1e4fea764dd228cfae9bed400c8af53b http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html
M17-zjq01	Fadok_cd6a252f	Windows	This strike sends a malware sample known as Fadok. Fadok drops several files. The instances of the malware are auto-started when Windows starts. The worm drops and opens a Word document. It connects to the domain wxanalytics.ru.	cd6a252f9e59da13b3f199419ed3ece8	SHA1: 2d9d1e148fe5bfed0a4cb90cb055705f5affefea MD5: cd6a252f9e59da13b3f199419ed3ece8 SHA256: 056b0bc81124cf9ad6c094092e1f16f2aa96bf7efebcaeaf3830a8a228464a9b http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html
M17-p3f01	Siggen_90d18c3c	Windows	This strike sends a malware sample known as Siggen. Siggen is a malware with anti-debugging and anti-VM capabilities. The sample drops a file in a temporary directory that is deleted once it is loaded and the second stage executed.	90d18c3c4bf09f1c6d0dba8f4c638f2c	SHA1: 2d3ffffa9286881ae0113aa19c444bb4e0677137 MD5: 90d18c3c4bf09f1c6d0dba8f4c638f2c SHA256: 745d8d433cba5315749dc61810d9bf4eb1864fb9737c4a2fc3718eda75917d6f http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html
M17-qd401	Valyria_Doc_Macro_fe6304e4	Mixed	This strike sends a malware sample known as Valyria_Doc_Macro. Valyria is a Trickler that targets the Windows platform. The malware arrives to a victim's system as a Microsoft document file, which uses Visual Basic for Applications to launch a PowerShell script to download and execute files.	fe6304e4297dbeda72cd5afdbae8d7b2	SHA1: ac0930e02103970658fc20eae0869c7088b8cfe0 MD5: fe6304e4297dbeda72cd5afdbae8d7b2 SHA256: 2669d31701a90345db7492bc3de46db51af6a9137ce1bafdab2fd3122d2e040e http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html
M17-u6u01	Keybase_04311370	Windows	This strike sends a malware sample known as Keybase. KeyBase is a trojan that can be used to capture screenshots, keystrokes, and other pieces of system information.	0431137025391490648c9b8334fbf092	SHA1: 6ddf8c1c6d747553977e51cd685240c1aff7a61b MD5: 0431137025391490648c9b8334fbf092 SHA256: 7d22f93bea6e24c11497a826e692216861bb5710e0e6a9842ed9c30463a11b24 http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html
M17-85r01	Gh0stRAT_88b8f7aa	Windows	This strike sends a malware sample known as Gh0stRAT. The sample has been identified in-the-wild being downloaded by DoublePulsar backdoor payloads.	88b8f7aadeb8c5d5f0a5b182e0f6fc28	SHA1: 407f4eda279c43c2e70e0fe2382524a6843a7843 MD5: 88b8f7aadeb8c5d5f0a5b182e0f6fc28 SHA256: e6bd0d021069df585eb281fd3206ecda655c40e6d4021a8ed0b6a7d4bd13776a
M17-w4301	Valyria_Doc_Macro_526ba8e6	Mixed	This strike sends a malware sample known as Valyria_Doc_Macro. Valyria is a Trickler that targets the Windows platform. The malware arrives to a victim's system as a Microsoft document file, which uses Visual Basic for Applications to launch a PowerShell script to download and execute files.	526ba8e6f3dd094439202fdafda0f024	SHA1: f853532ac65154d37dad9328d1ecf1970731dfa7 MD5: 526ba8e6f3dd094439202fdafda0f024 SHA256: ceb3fd6d517aaff2a122df2f9e8ab368cbf1efc8644344d4f228198e90c56399 http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html
M17-4mu01	Fireball_2b307e28	Windows	This strike sends a malware sample known as Fireball. Fireball is used as a browser-hijacker being frequently installed through bundling modifying the default start page for your browsers as well as changing default search engines to the Rafotech search engine.	2b307e28ce531157611825eb0854c15f	SHA1: f7df2b019b5640c66e40b1cecbb327d1c9192560 MD5: 2b307e28ce531157611825eb0854c15f SHA256: 7d68386554e514f38f98f24e8056c11c0a227602ed179d54ed08f2251dc9ea93
M17-tj401	Siggen_61b2d117	Windows	This strike sends a malware sample known as Siggen. Siggen is a malware with anti-debugging and anti-VM capabilities. The sample drops a file in a temporary directory that is deleted once it is loaded and the second stage executed.	61b2d117272fde42efef918cecc6031c	SHA1: b83a665772d11018cce2e72f24ca90aa27f3f298 MD5: 61b2d117272fde42efef918cecc6031c SHA256: dd249e28e052a2e7747886a0596e7faf7e447fbef7260198509fc6e08c294bbb http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html
M17-qf801	Fireball_7b2868fa	Windows	This strike sends a malware sample known as Fireball. Fireball is used as a browser-hijacker being frequently installed through bundling modifying the default start page for your browsers as well as changing default search engines to the Rafotech search engine.	7b2868faa915a7fc6e2d7cc5a965b1e7	SHA1: 250a8bd174403e32ad77f7e710e7165e7df40a47 MD5: 7b2868faa915a7fc6e2d7cc5a965b1e7 SHA256: e4d4f6fbfbbbf3904ca45d296dc565138a17484c54aebbb00ba9d57f80dfe7e5
M17-30z01	VBS.CobaStriDldr.A_bae0b391	Windows	This strike sends a malware sample known as VBS.CobaStriDldr.A. This malware has been reportedly used in a targeted attack campaign named as APT19. This phishing campaign targets global law and investment firms. The malware arrives on the infected system through a spear phishing email, containing a Microsoft Excel file or XLSM document. The MD5 hash of this VBS.CobaStriDldr.	bae0b39197a1ac9e24bdf9a9483b18ea	SHA1: 7b0d8394b32cb59c59e4ac9471dba676678fd91a MD5: bae0b39197a1ac9e24bdf9a9483b18ea SHA256: e3494fd2cc7e9e02cff76841630892e4baed34a3e1ef2b9ae4e2608f9a4d7be9 https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html
M17-ryl01	Carbanak_13a5fab5	Windows	This strike sends a malware sample known as Carbanak. Carbanak is a a Backdoor that targets the Windows platform. It sends out system information to a remote server and could accept commands that may provide an attacker with the ability to download/execute files, steal cookies, inject code.	13a5fab598763ae4141955f2903d66f9	SHA1: cf5b30e6ada0d6ee7449d6bde9986a35df6f2986 MD5: 13a5fab598763ae4141955f2903d66f9 SHA256: 6224efee6665118fe4b5bfbc0c4b1dbe611a43a4b385f61ae33b0a0af230da4e https://www.trustwave.com/Resources/SpiderLabs-Blog/New-Carbanak-/-Anunak-Attack-Methodology/
M17-i2301	Valyria_Doc_Macro_0b54f5ac	Mixed	This strike sends a malware sample known as Valyria_Doc_Macro. Valyria is a Trickler that targets the Windows platform. The malware arrives to a victim's system as a Microsoft document file, which uses Visual Basic for Applications to launch a PowerShell script to download and execute files.	0b54f5ac562cda7def5470b2d4612067	SHA1: 714f80b2c610ab1899f2e550d8ca68dfcbf30eae MD5: 0b54f5ac562cda7def5470b2d4612067 SHA256: ef6269b66111c365ef251e4128a286e16c972359ca406a02b6f81fa8b55b1cda http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html
M17-3bk01	Siggen_e2ad0f4e	Windows	This strike sends a malware sample known as Siggen. Siggen is a malware with anti-debugging and anti-VM capabilities. The sample drops a file in a temporary directory that is deleted once it is loaded and the second stage executed.	e2ad0f4efa073582e3bafbef550c3c81	SHA1: eaf6a846b4b1a34d091d5a4baf940c1a099dd80a MD5: e2ad0f4efa073582e3bafbef550c3c81 SHA256: 4a1b26fd16f985e1da3f1b5619b55f6170584ac51923bd6d6c4c455fc86d44da http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html
M17-doq01	Qakbot_74881c46	Windows	This strike sends a malware sample known as Qakbot. Qbot, AKA Qakbot, has been around for since at least 2008. Qakbot is a sophisticated trojan primarily targetting personal information like banking credentials.	74881c460b8a9227e3dc74f36f77b226	SHA1: 3e68003a07b62f848e3051ea1766a04b2d14179e MD5: 74881c460b8a9227e3dc74f36f77b226 SHA256: 00141f6303dd960c61a4fdb06e686ccc972c0e0f092adaf823444e4b7e32ae09 http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html
M17-g9x01	BackdoorTrojan_e93124fe	Windows	This strike sends a malware sample known as BackdoorTrojan. The sample has been identified in-the-wild being downloaded by DoublePulsar backdoor payloads.	e93124fef0a3ac7869f3ae6ee696beec	SHA1: 03d4275dee52ef1b70e558abf9c2fef82a76339d MD5: e93124fef0a3ac7869f3ae6ee696beec SHA256: 926ed977382f409409d912cfb04191d3c375c9dc0b30a487510d3d83ab7cfc01
M17-vwg01	Fireball_69ffdf99	Windows	This strike sends a malware sample known as Fireball. Fireball is used as a browser-hijacker being frequently installed through bundling modifying the default start page for your browsers as well as changing default search engines to the Rafotech search engine.	69ffdf99149d19be7dc1c52f33aaa651	SHA1: b6bbe04238834126043610115c253788f0cb8a39 MD5: 69ffdf99149d19be7dc1c52f33aaa651 SHA256: e3f69a1fb6fcaf9fd93386b6ba1d86731cd9e5648f7cff5242763188129cd158
M17-soi01	PonyVariant_Dropper_8b998ddd	Windows	This strike sends a malware sample known as PonyVariant_Dropper. This dropper launches some malware based on leaked Pony Loader source code. It tries to avoid detection by injecting twice and deleting itself with cmd.exe process.	8b998dddd5a658fc1f9f6e3adc9c6f12	SHA1: 57200ec3b13d5ca0e3e632aa3bd0d7a163265736 MD5: 8b998dddd5a658fc1f9f6e3adc9c6f12 SHA256: 416d71ce82336aa2dda064e6ba93a555ccf46c7ae2ad1faba379513965d9d485 http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html
M17-4qr01	Crashoverride_f9005f8e	Windows	This strike sends a malware sample known as Crashoverride. Crashoverride is the first ever malware framework designed and deployed to attack electric grids.	f9005f8e9d9b854491eb2fbbd06a16e0	SHA1: 79ca89711cdaedb16b0ccccfdcfbd6aa7e57120a MD5: f9005f8e9d9b854491eb2fbbd06a16e0 SHA256: 21c1fdd6cfd8ec3ffe3e922f944424b543643dbdab99fa731556f8805b0d5561 https://dragos.com/blog/crashoverride/CrashOverride-01.pdf
M17-j7i01	Gh0stRAT_233f31c1	Windows	This strike sends a malware sample known as Gh0stRAT. The sample has been identified in-the-wild being downloaded by DoublePulsar backdoor payloads.	233f31c12bc5305cb4186469c17b7e4a	SHA1: 03a288cc2cbd2cbe331a54c2afc5dd90761a82a9 MD5: 233f31c12bc5305cb4186469c17b7e4a SHA256: 45aedb18335d58aee6bad2888038bfa16e12460f89e7d181495101267be76b07
M17-0e801	Gh0stRAT_49e2f935	Mixed	This strike sends a malware sample known as Gh0stRAT. The sample has been identified in-the-wild being downloaded by DoublePulsar backdoor payloads.	49e2f935dd760b81c8979d429b51264e	SHA1: 5376a271f8f5d644ca1fb457b1c98a258d83b586 MD5: 49e2f935dd760b81c8979d429b51264e SHA256: e2d31ee0a4b6209fffa3eb52066c23db851777b0cc9b974f3ce3af7b69c62655 https://www.ixiacom.com/company/blog/state-eternalblue-exploitation-wild
M17-tju01	Qakbot_5ac1917c	Windows	This strike sends a malware sample known as Qakbot. Qbot, AKA Qakbot, has been around for since at least 2008. Qakbot is a sophisticated trojan primarily targetting personal information like banking credentials.	5ac1917cf9a1a814bf39d01200127b40	SHA1: 62067adb0fe0b2e4a8357ea005fa7981523fd759 MD5: 5ac1917cf9a1a814bf39d01200127b40 SHA256: 9a238c95de1ba5bc414aa0fd45297bf79f02b1de03d93a65ad74e91e37eb9ae9 http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html
M17-k4w01	Siggen_0894a86f	Windows	This strike sends a malware sample known as Siggen. Siggen is a malware with anti-debugging and anti-VM capabilities. The sample drops a file in a temporary directory that is deleted once it is loaded and the second stage executed.	0894a86f8416bee1a519b438bb23ee83	SHA1: 3d1610c412404f7c0b87dbccd3f1c05cd09f867f MD5: 0894a86f8416bee1a519b438bb23ee83 SHA256: 5527923be2a750415d9565fcfc38550bf292206cee0e415278e8e08d3f3cdbdc http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html
M17-zz201	Gh0stRAT_5c1a8b3e	Windows	This strike sends a malware sample known as Gh0stRAT. The sample has been identified in-the-wild being downloaded by DoublePulsar backdoor payloads.	5c1a8b3ecfd936e3cb9128eb5063ece6	SHA1: f181d60a82fe94e7f4bd892b1cc1e7e08b8e9193 MD5: 5c1a8b3ecfd936e3cb9128eb5063ece6 SHA256: 90a1737f38c52f92aa0fb49f2104f81481c77044817f04a231dc5dbe95bbb215
M17-e3801	Fireball_8c61a693	Windows	This strike sends a malware sample known as Fireball. Fireball is used as a browser-hijacker being frequently installed through bundling modifying the default start page for your browsers as well as changing default search engines to the Rafotech search engine.	8c61a6937963507dc87d8bf00385c0bc	SHA1: 0312325d31072afaac87f3aafff58261b549db5d MD5: 8c61a6937963507dc87d8bf00385c0bc SHA256: 14093ce6d0fe8ab60963771f48937c669103842a0400b8d97f829b33c420f7e3
M17-y7x01	Fireball_b56d1d35	Windows	This strike sends a malware sample known as Fireball. Fireball is used as a browser-hijacker being frequently installed through bundling modifying the default start page for your browsers as well as changing default search engines to the Rafotech search engine.	b56d1d35d46630335e03af9add84b488	SHA1: cc725869679e5c8c4b7fcdffe98bcd4d612a909a MD5: b56d1d35d46630335e03af9add84b488 SHA256: c7244d139ef9ea431a5b9cc6a2176a6a9908710892c74e215431b99cd5228359
M17-2q701	Fireball_84dcb96b	Windows	This strike sends a malware sample known as Fireball. Fireball is used as a browser-hijacker being frequently installed through bundling modifying the default start page for your browsers as well as changing default search engines to the Rafotech search engine.	84dcb96bdd84389d4449f13eac750986	SHA1: 3c812ea95aa6a2234548814b5447c2ac786daa30 MD5: 84dcb96bdd84389d4449f13eac750986 SHA256: f964a4b95d5c518fd56f06044af39a146d84b801d9472e022de4c929a5b8fdcc
M17-98p01	Crashoverride_ff69615e	Windows	This strike sends a malware sample known as Crashoverride. Crashoverride is the first ever malware framework designed and deployed to attack electric grids.	ff69615e3a8d7ddcdc4b7bf94d6c7ffb	SHA1: 2cb8230281b86fa944d3043ae906016c8b5984d9 MD5: ff69615e3a8d7ddcdc4b7bf94d6c7ffb SHA256: ecaf150e087ddff0ec6463c92f7f6cca23cc4fd30fe34c10b3cb7c2a6d135c77 https://dragos.com/blog/crashoverride/CrashOverride-01.pdf
M17-wrk01	Valyria_Doc_Macro_508cefdf	Mixed	This strike sends a malware sample known as Valyria_Doc_Macro. Valyria is a Trickler that targets the Windows platform. The malware arrives to a victim's system as a Microsoft document file, which uses Visual Basic for Applications to launch a PowerShell script to download and execute files.	508cefdf3010539f2149f5c302026177	SHA1: 7294eb013e53992a37239051e9c462e5925134d7 MD5: 508cefdf3010539f2149f5c302026177 SHA256: a3905f5dd2e106d19e260b36d9bdc7946cc8aae0f4343e8d6c7f671d0bdc7921 http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html
M17-ohn01	Valyria_Doc_Macro_678f87e5	Mixed	This strike sends a malware sample known as Valyria_Doc_Macro. Valyria is a Trickler that targets the Windows platform. The malware arrives to a victim's system as a Microsoft document file, which uses Visual Basic for Applications to launch a PowerShell script to download and execute files.	678f87e5ef02699daad6da0da7d2d8be	SHA1: ceab7dcc360a479c8955e1f2e9e14d0e7129cacb MD5: 678f87e5ef02699daad6da0da7d2d8be SHA256: 67e2d24be65f338f944eda6cffdda8013147088a8173e771795b399c3c182771 http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html
M17-p3i01	Fireball_7adb7f56	Windows	This strike sends a malware sample known as Fireball. Fireball is used as a browser-hijacker being frequently installed through bundling modifying the default start page for your browsers as well as changing default search engines to the Rafotech search engine.	7adb7f56e81456f3b421c01ab19b1900	SHA1: 30a176dde7aff87ee73c967d4f70d1b834a62dd4 MD5: 7adb7f56e81456f3b421c01ab19b1900 SHA256: fff2818caa9040486a634896f329b8aebaec9121bdf9982841f0646763a1686b
M17-z1o01	Fadok_dfa89d72	Windows	This strike sends a malware sample known as Fadok. Fadok drops several files. The instances of the malware are auto-started when Windows starts. The worm drops and opens a Word document. It connects to the domain wxanalytics.ru.	dfa89d72ef517428ce552bc8afc1a7ae	SHA1: ea2325b643cf653ffa9b20dbe5fd25e6eb562afa MD5: dfa89d72ef517428ce552bc8afc1a7ae SHA256: 0fffda2d0105f10690d1989859deae3d50287474534649605a320f078616d658 http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html
M17-7qg01	Necurs_4d128c93	Mixed	This strike sends a malware sample known as Necurs. Necurs is a large botnet and when active it distributes massive volumes of malicious spam. It tends to take breaks on weekends and it currently has an ongoing campaign using malicious PDFs to download Jaff ransomware.	4d128c93c03605be2460e0e6767603c1	SHA1: 8e4f36e0710aee26f125acc69b14cac44467238f MD5: 4d128c93c03605be2460e0e6767603c1 SHA256: 5da7c8bf86dc71531b2cd34e565385dae7b080cde104e5abe29577ed03787a71 https://www.trustwave.com/Resources/SpiderLabs-Blog/Necurs-Recurs/
M17-yee01	Cerber_ae5a348b	Windows	This strike sends a malware sample known as Cerber. The Cerber family started to emerge during the 1st quarter of 2016 and has been seen being distributed via Neutrino or Magnitude exploit kits and spam emails using VBScript files.	ae5a348b9dd0ac3a6a46e70c82fa9c38	SHA1: f440edc4fe35452d0fbec35a5c352295f3e3bf0c MD5: ae5a348b9dd0ac3a6a46e70c82fa9c38 SHA256: 73a7497c8fa283b444242259ae061d5cbb705be04b5f531f1096a2c236bb5204 https://www.trustwave.com/Resources/SpiderLabs-Blog/FakeGlobe-and-Cerber-Ransomware--Sneaking-under-the-radar-while-WeCry/
M17-mzy01	Valyria_Doc_Macro_b4fb36c4	Mixed	This strike sends a malware sample known as Valyria_Doc_Macro. Valyria is a Trickler that targets the Windows platform. The malware arrives to a victim's system as a Microsoft document file, which uses Visual Basic for Applications to launch a PowerShell script to download and execute files.	b4fb36c43f91d10ce9bd284fff4c7925	SHA1: c3ceae4d0b9b288bac70dbb563ef6b4eba39fb78 MD5: b4fb36c43f91d10ce9bd284fff4c7925 SHA256: 95fd8ea6a9b5778a75b76804ae8c1da2514239598edd1c324f25eb30a93fd715 http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html
M17-lum01	Valyria_Doc_Macro_13f8df4a	Mixed	This strike sends a malware sample known as Valyria_Doc_Macro. Valyria is a Trickler that targets the Windows platform. The malware arrives to a victim's system as a Microsoft document file, which uses Visual Basic for Applications to launch a PowerShell script to download and execute files.	13f8df4aea556dcd6d72f923faa24f3d	SHA1: b31c34f428fda8e02d4b684555b3bb3ebf17a74c MD5: 13f8df4aea556dcd6d72f923faa24f3d SHA256: 6b6221926ec36c928f0d0eef2d254766f30342714c3e791645d97c6c86cec31f http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html
M17-y0901	Gh0stRAT_b0424941	Windows	This strike sends a malware sample known as Gh0stRAT. The sample has been identified in-the-wild being downloaded by DoublePulsar backdoor payloads.	b0424941ef8e58bf9db2fefcd53cb459	SHA1: be347ce22989919d81bb5b2c1ef392b5282e7113 MD5: b0424941ef8e58bf9db2fefcd53cb459 SHA256: ed4b40578f0ddbfeb851835048cdadae0c1a9f8c8e67c6b00a9a1534c17b6252
M17-kso01	Siggen_006ae6cd	Windows	This strike sends a malware sample known as Siggen. Siggen is a malware with anti-debugging and anti-VM capabilities. The sample drops a file in a temporary directory that is deleted once it is loaded and the second stage executed.	006ae6cd35f486808f3125eca11557f0	SHA1: bd265c7cdac416b95078755e9f340fb1381130c5 MD5: 006ae6cd35f486808f3125eca11557f0 SHA256: 2dd6b33d9e07c68b79b6674e0972f28ee316548c5e53b28331d88c739d1a5b8f http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html
M17-66d01	Valyria_Doc_Macro_1fac3695	Mixed	This strike sends a malware sample known as Valyria_Doc_Macro. Valyria is a Trickler that targets the Windows platform. The malware arrives to a victim's system as a Microsoft document file, which uses Visual Basic for Applications to launch a PowerShell script to download and execute files.	1fac3695445d7f62094c5f25c856d91a	SHA1: 586e4bedbe58e0f1b6fc923225f60ff2d46e7f77 MD5: 1fac3695445d7f62094c5f25c856d91a SHA256: f6650409983332866425e807dedc231b28a7cd3a468fe9e17be029fda17efe15 http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html
M17-2dk01	Carbanak_36f36696	Windows	This strike sends a malware sample known as Carbanak. Carbanak is a a Backdoor that targets the Windows platform. It sends out system information to a remote server and could accept commands that may provide an attacker with the ability to download/execute files, steal cookies, inject code.	36f36696b948b550ad4afe4b0bc53fbd	SHA1: 83d0964f06e5f53d882f759e4933a6511730e07b MD5: 36f36696b948b550ad4afe4b0bc53fbd SHA256: 91ff7b9c4cdcaa61b01f0783dacdbbed3f848fb01013c635bc9d87a85183ebc0 https://www.trustwave.com/Resources/SpiderLabs-Blog/New-Carbanak-/-Anunak-Attack-Methodology/
M17-41901	Valyria_Doc_Macro_eb9c35b3	Mixed	This strike sends a malware sample known as Valyria_Doc_Macro. Valyria is a Trickler that targets the Windows platform. The malware arrives to a victim's system as a Microsoft document file, which uses Visual Basic for Applications to launch a PowerShell script to download and execute files.	eb9c35b3190fcb1e478028b24d2ec585	SHA1: 7221fbfea71e10535005ea6ab1f13a8110afcda6 MD5: eb9c35b3190fcb1e478028b24d2ec585 SHA256: d6d05984c0d493eb75861c7d56c2cf649fcc912134e7df2894fc8bb3eec8980f http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html
M17-fan01	Valyria_Doc_Macro_4f169840	Mixed	This strike sends a malware sample known as Valyria_Doc_Macro. Valyria is a Trickler that targets the Windows platform. The malware arrives to a victim's system as a Microsoft document file, which uses Visual Basic for Applications to launch a PowerShell script to download and execute files.	4f169840bd08c25d9477a4ae9c31caec	SHA1: cc7935cf02d42672c90903034b3abaeee6c3fc0b MD5: 4f169840bd08c25d9477a4ae9c31caec SHA256: 2de9f4f8df35ca71c1738d22bfb6a147670c25dcbe2014cfd0870a53e33f385a http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html
M17-w9m01	Valyria_Doc_Macro_2250018f	Mixed	This strike sends a malware sample known as Valyria_Doc_Macro. Valyria is a Trickler that targets the Windows platform. The malware arrives to a victim's system as a Microsoft document file, which uses Visual Basic for Applications to launch a PowerShell script to download and execute files.	2250018f91f2c6841f163e14874592eb	SHA1: f5543f426cec914da878070d41836e506b298ea5 MD5: 2250018f91f2c6841f163e14874592eb SHA256: 3d93b69809ad4d6cb2866583c7fc0144aa0db167fd4940ab17b3252c809bf1d1 http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html
M17-jan01	Win32/Virut_825e3522	Windows	This strike sends a malware sample known as Win32/Virut. The sample has been identified in-the-wild being downloaded by DoublePulsar backdoor payloads.	825e3522037eab1da5bafc09a195ab92	SHA1: d0a111636b10b02f599278220247f8fb82490c5c MD5: 825e3522037eab1da5bafc09a195ab92 SHA256: d76818d5ac2a4ceec907bc6246862d64399f67cc954d66e31897afa414feda27
M17-dya01	Valyria_Doc_Macro_42ea2531	Mixed	This strike sends a malware sample known as Valyria_Doc_Macro. Valyria is a Trickler that targets the Windows platform. The malware arrives to a victim's system as a Microsoft document file, which uses Visual Basic for Applications to launch a PowerShell script to download and execute files.	42ea2531137994b6531f656b35bbe845	SHA1: fb290b19c57e4e0fa70a14de3f8d705fcaa6e7af MD5: 42ea2531137994b6531f656b35bbe845 SHA256: 5cc180f858ed3148aad169790640664280c4b908867256f7b1a0718575192c78 http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html
M17-8ib01	Fireball_5bce955c	Windows	This strike sends a malware sample known as Fireball. Fireball is used as a browser-hijacker being frequently installed through bundling modifying the default start page for your browsers as well as changing default search engines to the Rafotech search engine.	5bce955cf12af3417f055dadc0212920	SHA1: 720ef2a0fbc262a3acedc05b12cc884a9e3cd2a5 MD5: 5bce955cf12af3417f055dadc0212920 SHA256: adcf6b8aa633286cd3a2ce7c79befab207802dec0e705ed3c74c043dabfc604c
M17-ou501	GenericMalware_93d48870	Windows	This strike sends a malware sample known as GenericMalware. The sample has been identified in-the-wild being downloaded by DoublePulsar backdoor payloads.	93d48870d5b55c1611f01261a37f25ed	SHA1: 9a766bd82a4dc8a016ff25292ad50f4573b04dad MD5: 93d48870d5b55c1611f01261a37f25ed SHA256: 6dc964d2c112fe3eab072f890e91b1bc9f79b340cf6bbb479c7d3c8ed096938a
M17-7u301	Valyria_Doc_Macro_189f1358	Mixed	This strike sends a malware sample known as Valyria_Doc_Macro. Valyria is a Trickler that targets the Windows platform. The malware arrives to a victim's system as a Microsoft document file, which uses Visual Basic for Applications to launch a PowerShell script to download and execute files.	189f13580169be011b73ba17a6dc051f	SHA1: 48f334eb52c19d56f3f37bfc4b60460bc453ce61 MD5: 189f13580169be011b73ba17a6dc051f SHA256: 900f2319a95ec33f4c42a4ceac088f0ab940aa0cde64c4da186b0322746d3e36 http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html
M17-yzu01	Valyria_Doc_Macro_be4d6281	Mixed	This strike sends a malware sample known as Valyria_Doc_Macro. Valyria is a Trickler that targets the Windows platform. The malware arrives to a victim's system as a Microsoft document file, which uses Visual Basic for Applications to launch a PowerShell script to download and execute files.	be4d6281c8ecb2a008ed007fdc8b904f	SHA1: 74a4325d9595f6f603cdbbfe02e8538c4eda2f4c MD5: be4d6281c8ecb2a008ed007fdc8b904f SHA256: b08b5eb8f5ab0a2fa8acebaf86bf48653f38b7efed83d88ba6076f0da4af9ace http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html
M17-ber01	Valyria_Doc_Macro_bcec1085	Mixed	This strike sends a malware sample known as Valyria_Doc_Macro. Valyria is a Trickler that targets the Windows platform. The malware arrives to a victim's system as a Microsoft document file, which uses Visual Basic for Applications to launch a PowerShell script to download and execute files.	bcec10859b916d1017a72c5a39f8961c	SHA1: 6cb5d156e33d66361730e49f4d49c2f38f34e156 MD5: bcec10859b916d1017a72c5a39f8961c SHA256: 3f3adeed33a1a057f697c49f9d776c27c7fb9afb7cfa62eec2936ac24ae0d19d http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html
M17-4e001	Gh0stRAT_1778fc96	Windows	This strike sends a malware sample known as Gh0stRAT. The sample has been identified in-the-wild being downloaded by DoublePulsar backdoor payloads.	1778fc969d29bb3e8537d24402ccb44a	SHA1: eb036fb0c50c1d95f5c009f4987bcea384e5f504 MD5: 1778fc969d29bb3e8537d24402ccb44a SHA256: dd023467cb90438086802cbe16bd80547e52e81fc21d05d6a92b0d268fa65f8b
M17-0qd01	Fadok_1bcc4df9	Windows	This strike sends a malware sample known as Fadok. Fadok drops several files. The instances of the malware are auto-started when Windows starts. The worm drops and opens a Word document. It connects to the domain wxanalytics.ru.	1bcc4df972bb5784a2cb05295db25b0a	SHA1: 11a9062c8522e7746f702b52d88bf4081f9f9f35 MD5: 1bcc4df972bb5784a2cb05295db25b0a SHA256: 0cac66a5a16efe52e2e878f5e8f6e34749e049c547ecf18f54955141e13e7058 http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html
M17-20w01	Valyria_Doc_Macro_86fe38f9	Mixed	This strike sends a malware sample known as Valyria_Doc_Macro. Valyria is a Trickler that targets the Windows platform. The malware arrives to a victim's system as a Microsoft document file, which uses Visual Basic for Applications to launch a PowerShell script to download and execute files.	86fe38f913c7a296760db0af0a5eb2f6	SHA1: f194d570c17f05d9d7a5987fe8bc312051785c39 MD5: 86fe38f913c7a296760db0af0a5eb2f6 SHA256: fbdee3574019ef790ca4609c0414bf63da402c051351552e3a24f4e325e494e2 http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html
M17-cxm01	Jaff_192b829b	Mixed	This strike sends a malware sample known as Jaff. We recently observed several large scale email campaigns that were attempting to distribute a new variant of ransomware that has been dubbed "Jaff". Interestingly we identified several characteristics that we have previously observed being used during Dridex and Locky campaigns. In a short period of time, we observed multiple campaigns featuring high volumes of malicious spam emails being distributed, each using a PDF attachment with an embedded Microsoft Word document functioning as the initial downloader for the Jaff ransomware.	192b829bf7f6829549519168c173c931	SHA1: 551f953db4ba48452a4f7de9f5f7149c98ddf52f MD5: 192b829bf7f6829549519168c173c931 SHA256: e0573ec5a6ed61a6f38ab209e3d0d309b0c15af9dacc253240476c6899b5690b https://www.trustwave.com/Resources/SpiderLabs-Blog/Necurs-Recurs/
M17-sk901	Valyria_Doc_Macro_4903486e	Mixed	This strike sends a malware sample known as Valyria_Doc_Macro. Valyria is a Trickler that targets the Windows platform. The malware arrives to a victim's system as a Microsoft document file, which uses Visual Basic for Applications to launch a PowerShell script to download and execute files.	4903486e2676500014cd644ece03300d	SHA1: ed4f1cf48929316eef12652507af82b11f3d7b4d MD5: 4903486e2676500014cd644ece03300d SHA256: 24384267829131c7158c50c109afea6026d327c65a66ef559a6540c2c8863094 http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html
M17-m3h01	Gh0stRAT_acf5eae7	Windows	This strike sends a malware sample known as Gh0stRAT. The sample has been identified in-the-wild being downloaded by DoublePulsar backdoor payloads.	acf5eae7273613c791ea665569935cf4	SHA1: 78cccddcbd9db5db9e1445b9e16140043c3eef73 MD5: acf5eae7273613c791ea665569935cf4 SHA256: eb1f2d077482e389c3bbe8d93f01d47af63eb68b1cac2586ce43c3f1ecff1555
M17-kj501	Siggen_86778a4e	Windows	This strike sends a malware sample known as Siggen. Siggen is a malware with anti-debugging and anti-VM capabilities. The sample drops a file in a temporary directory that is deleted once it is loaded and the second stage executed.	86778a4e35d9dd30a1f110ec40c6426c	SHA1: 0f4f07d8de2d580866715c50832909294b915e48 MD5: 86778a4e35d9dd30a1f110ec40c6426c SHA256: f20ef69203c8bd06da68071ccf38001fcd411de5c951bb38bb46a15e6d205458 http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html
M17-18201	Valyria_Doc_Macro_112d36da	Mixed	This strike sends a malware sample known as Valyria_Doc_Macro. Valyria is a Trickler that targets the Windows platform. The malware arrives to a victim's system as a Microsoft document file, which uses Visual Basic for Applications to launch a PowerShell script to download and execute files.	112d36da54ca80a330239cd0d42b99fb	SHA1: 7a46a0dced16dac0dade93b0584490992e757770 MD5: 112d36da54ca80a330239cd0d42b99fb SHA256: 4914a3125bf4d54a07ade2109325a324f813c500a5b6e8a2781b7c1876671455 http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html
M17-99b01	Win32.Trojan.Nitol_79d54d06	Windows	This strike sends a malware sample known as Win32.Trojan.Nitol. The sample has been identified in-the-wild being downloaded by DoublePulsar backdoor payloads. The MD5 hash of this Win32.Trojan.	79d54d066efe6691b606d8977a126258	SHA1: d1f88097e99cc5b1821686050d1290dea4a0035b MD5: 79d54d066efe6691b606d8977a126258 SHA256: f63e678fbf20ac431ff9f4ff6e3456d78aa2497cfb6b15e8adab0e7cf25fee63

Malware Strikes May - 2017

Strike ID	Malware	Platform	Info	MD5	External References
M17-as601	Jaff_a88358eb	Windows	This strike sends a malware sample known as Jaff. We recently observed several large scale email campaigns that were attempting to distribute a new variant of ransomware that has been dubbed "Jaff". Interestingly we identified several characteristics that we have previously observed being used during Dridex and Locky campaigns. In a short period of time, we observed multiple campaigns featuring high volumes of malicious spam emails being distributed, each using a PDF attachment with an embedded Microsoft Word document functioning as the initial downloader for the Jaff ransomware.	a88358eb5e1efc92c74b35850ab6f2af	SHA1: 8385a34d752d8e2c4fbbfa45a4cd3698210abd58 MD5: a88358eb5e1efc92c74b35850ab6f2af SHA256: 341267f4794a49e566c9697c77e974a99e41445cf41d8387040049ee1b8b2f3b http://blog.talosintelligence.com/2017/05/jaff-ransomware.html
M17-eh301	EternalRocks_496131b9	Windows	This strike sends a malware sample known as EternalRocks. EternalRocks is a malware that spreads itself by exploiting vulnerabilities (ETERNALBLUE, ETERNALCHAMPION, ETERNALROMANCE, ETERNALSYNERGY) in Windows SMB file sharing protocol.	496131b90f83e8278462d2dd21213646	SHA1: f1c027679d5009da067b12af258adc8afaade178 MD5: 496131b90f83e8278462d2dd21213646 SHA256: 94189147ba9749fd0f184fe94b345b7385348361480360a59f12adf477f61c97 http://thehackernews.com/2017/05/smb-windows-hacking-tools.html
M17-yr301	EternalRocks_b7cf3852	Windows	This strike sends a malware sample known as EternalRocks. EternalRocks is a malware that spreads itself by exploiting vulnerabilities (ETERNALBLUE, ETERNALCHAMPION, ETERNALROMANCE, ETERNALSYNERGY) in Windows SMB file sharing protocol.	b7cf3852a0168777f8856e6565d8fe2e	SHA1: 1cbc9d531ba0e5e67a1ada95cff19bf0020f88f8 MD5: b7cf3852a0168777f8856e6565d8fe2e SHA256: 9bd32162e0a50f8661fd19e3b26ff65868ab5ea636916bd54c244b0148bd9c1b http://thehackernews.com/2017/05/smb-windows-hacking-tools.html
M17-jm101	Jaff_ef87cec0	Windows	This strike sends a malware sample known as Jaff. We recently observed several large scale email campaigns that were attempting to distribute a new variant of ransomware that has been dubbed "Jaff". Interestingly we identified several characteristics that we have previously observed being used during Dridex and Locky campaigns. In a short period of time, we observed multiple campaigns featuring high volumes of malicious spam emails being distributed, each using a PDF attachment with an embedded Microsoft Word document functioning as the initial downloader for the Jaff ransomware.	ef87cec0cd8407f2be2e7c715fa5080b	SHA1: e2b666ac2d90c9f03ea9ee068f29858129c2c97e MD5: ef87cec0cd8407f2be2e7c715fa5080b SHA256: 9f159fc971a397f8bc560f56a34c5de3626cfa4906408228c33730e2fe6c1c43 http://blog.talosintelligence.com/2017/05/jaff-ransomware.html
M17-ltz01	WannaCry_7f7ccaa1	Windows	This strike sends a malware sample known as WannaCry. This ransomware can stop you from using your PC or accessing your data. Unlike other ransomware, however, this threat has worm capabilities. It uses an exploit code for a patched SMB vulnerability, CVE-2017-0145. This vulnerability was fixed in security bulletin MS17-010, which was released on March 14, 2017.	7f7ccaa16fb15eb1c7399d422f8363e8	SHA1: bd44d0ab543bf814d93b719c24e90d8dd7111234 MD5: 7f7ccaa16fb15eb1c7399d422f8363e8 SHA256: 2584e1521065e45ec3c17767c065429038fc6291c091097ea8b22c8a502c41dd https://isc.sans.org/forums/diary/Massive+wave+of+ransomware+ongoing/22412/
M17-9zl01	EternalRocks_198f27f5	Windows	This strike sends a malware sample known as EternalRocks. EternalRocks is a malware that spreads itself by exploiting vulnerabilities (ETERNALBLUE, ETERNALCHAMPION, ETERNALROMANCE, ETERNALSYNERGY) in Windows SMB file sharing protocol.	198f27f5ab972bfd99e89802e40d6ba7	SHA1: e8b40f35af4d5bb24d73faa5a4babb86191b5310 MD5: 198f27f5ab972bfd99e89802e40d6ba7 SHA256: a77c61e86bc69fdc909560bb7a0fa1dd61ee6c86afceb9ea17462a97e7114ab0 http://thehackernews.com/2017/05/smb-windows-hacking-tools.html
M17-68201	WannaCry_d5dcd286	Windows	This strike sends a malware sample known as WannaCry. This ransomware can stop you from using your PC or accessing your data. Unlike other ransomware, however, this threat has worm capabilities. It uses an exploit code for a patched SMB vulnerability, CVE-2017-0145. This vulnerability was fixed in security bulletin MS17-010, which was released on March 14, 2017.	d5dcd28612f4d6ffca0cfeaefd606bcf	SHA1: cf60fa60d2f461dddfdfcebf16368e6b539cd9ba MD5: d5dcd28612f4d6ffca0cfeaefd606bcf SHA256: 32f24601153be0885f11d62e0a8a2f0280a2034fc981d8184180c5d3b1b9e8cf https://isc.sans.org/forums/diary/Massive+wave+of+ransomware+ongoing/22412/
M17-y9401	EternalRocks_ba629216	Mixed	This strike sends a malware sample known as exma-1.dll used by the EternalRocks malware. EternalRocks is a malware that spreads itself by exploiting vulnerabilities (ETERNALBLUE, ETERNALCHAMPION, ETERNALROMANCE, ETERNALSYNERGY) in Windows SMB file sharing protocol.	ba629216db6cf7c0c720054b0c9a13f3	SHA1: 37bb800b2bb812d4430e2510f14b5b717099abaa MD5: ba629216db6cf7c0c720054b0c9a13f3 SHA256: 15292172a83f2e7f07114693ab92753ed32311dfba7d54fe36cc7229136874d9 http://thehackernews.com/2017/05/smb-windows-hacking-tools.html https://www.metadefender.com/?_escaped_fragment_=/results/file/aceebfc33b88455d9aa096456615447b/regular#!/results/file/aceebfc33b88455d9aa096456615447b/regular
M17-wlj01	EternalRocks_c52f20a8	Windows	This strike sends a malware sample known as EternalRocks. EternalRocks is a malware that spreads itself by exploiting vulnerabilities (ETERNALBLUE, ETERNALCHAMPION, ETERNALROMANCE, ETERNALSYNERGY) in Windows SMB file sharing protocol.	c52f20a854efb013a0a1248fd84aaa95	SHA1: 8a2cfe220eebde096c17266f1ba597a1065211ab MD5: c52f20a854efb013a0a1248fd84aaa95 SHA256: cf8533849ee5e82023ad7adbdbd6543cb6db596c53048b1a0c00b3643a72db30 http://thehackernews.com/2017/05/smb-windows-hacking-tools.html
M17-ckc01	Jaff_924c8441	Windows	This strike sends a malware sample known as Jaff. We recently observed several large scale email campaigns that were attempting to distribute a new variant of ransomware that has been dubbed "Jaff". Interestingly we identified several characteristics that we have previously observed being used during Dridex and Locky campaigns. In a short period of time, we observed multiple campaigns featuring high volumes of malicious spam emails being distributed, each using a PDF attachment with an embedded Microsoft Word document functioning as the initial downloader for the Jaff ransomware.	924c84415b775af12a10366469d3df69	SHA1: 8ab568db2bc914e3e6af048666eb0bc4ba2e414d MD5: 924c84415b775af12a10366469d3df69 SHA256: 0746594fc3e49975d3d94bac8e80c0cdaa96d90ede3b271e6f372f55b20bac2f http://blog.talosintelligence.com/2017/05/jaff-ransomware.html
M17-5r901	WannaCry_db349b97	Mixed	This strike sends a malware sample known as WannaCry. A major ransomware attack has affected many organizations across the world reportedly including Telefonica in Spain, the National Health Service in the UK, and FedEx in the US. The malware responsible for this attack is a ransomware variant known as 'WannaCry'. The malware then has the capability to scan heavily over TCP port 445 (Server Message Block/SMB), spreading similar to a worm, compromising hosts, encrypting files stored on them then demanding a ransom payment in the form of Bitcoin. It is important to note that this is not a threat that simply scans internal ranges to identify where to spread, it is also capable of spreading based on vulnerabilities it finds in other externally facing hosts across the internet.	db349b97c37d22f5ea1d1841e3c89eb4	SHA1: e889544aff85ffaf8b0d0da705105dee7c97fe26 MD5: db349b97c37d22f5ea1d1841e3c89eb4 SHA256: 24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c http://blog.talosintelligence.com/2017/05/wannacry.html
M17-w9p01	BondNet_e685219f	Windows	This strike sends a malware sample known as BondNet. BondNet is a botnet consisting of more than 15000 compromised servers. It is used to mine cryptocurrencies and it can be easily switched to other purposes. It was first spotted in December 2016.	e685219f5704bd854d5ed6668b0e9146	SHA1: a645b3f5956aba168437ed7368c6584db130b6bb MD5: e685219f5704bd854d5ed6668b0e9146 SHA256: c1fee6f3375b891081fa9815c620ad8c1a80e3c62dccc7f24c5afee72cf3ddcd https://www.guardicore.com/2017/05/the-bondnet-army/ http://thehackernews.com/2017/05/cryptocurrency-mining-botnet.html
M17-15o01	WannaCrypt_d724d8cc	Windows	This strike sends a malware sample known as WannaCrypt. This ransomware can stop you from using your PC or accessing your data. Unlike other ransomware, however, this threat has worm capabilities. It uses an exploit code for a patched SMB vulnerability, CVE-2017-0145. This vulnerability was fixed in security bulletin MS17-010, which was released on March 14, 2017.	d724d8cc6420f06e8a48752f0da11c66	SHA1: 3b669778698972c402f7c149fc844d0ddb3a00e8 MD5: d724d8cc6420f06e8a48752f0da11c66 SHA256: 07c44729e2c570b37db695323249474831f5861d45318bf49ccf5d2f5c8ea1cd https://blogs.technet.microsoft.com/mmpc/2017/05/12/wannacrypt-ransomware-worm-targets-out-of-date-systems/
M17-yqs01	EternalRocks_3771b975	Windows	This strike sends a malware sample known as EternalRocks. EternalRocks is a malware that spreads itself by exploiting vulnerabilities (ETERNALBLUE, ETERNALCHAMPION, ETERNALROMANCE, ETERNALSYNERGY) in Windows SMB file sharing protocol.	3771b97552810a0ed107730b718f6fe1	SHA1: f57f71ae1e52f25ec9f643760551e1b6cfb9c7ff MD5: 3771b97552810a0ed107730b718f6fe1 SHA256: 64442cceb7d618e70c62d461cfaafdb8e653b8d98ac4765a6b3d8fd1ea3bce15 http://thehackernews.com/2017/05/smb-windows-hacking-tools.html
M17-dfi01	WannaCry_4287e15a	Windows	This strike sends a malware sample known as WannaCry. This ransomware can stop you from using your PC or accessing your data. Unlike other ransomware, however, this threat has worm capabilities. It uses an exploit code for a patched SMB vulnerability, CVE-2017-0145. This vulnerability was fixed in security bulletin MS17-010, which was released on March 14, 2017.	4287e15af6191f5cab1c92ff7be8dcc3	SHA1: cd79b536868efb8b2edd2db4e4100f0bd2f69e28 MD5: 4287e15af6191f5cab1c92ff7be8dcc3 SHA256: b9318a66fa7f50f2f3ecaca02a96268ad2c63db7554ea3acbde43bf517328d06 https://isc.sans.org/forums/diary/Massive+wave+of+ransomware+ongoing/22412/
M17-g4v01	Jaff_ab5f5327	Windows	This strike sends a malware sample known as Jaff. We recently observed several large scale email campaigns that were attempting to distribute a new variant of ransomware that has been dubbed "Jaff". Interestingly we identified several characteristics that we have previously observed being used during Dridex and Locky campaigns. In a short period of time, we observed multiple campaigns featuring high volumes of malicious spam emails being distributed, each using a PDF attachment with an embedded Microsoft Word document functioning as the initial downloader for the Jaff ransomware.	ab5f53278c24077be9bba7c7af9951e9	SHA1: d148f8f990efcba6c49d73d33fc438185f61d6f2 MD5: ab5f53278c24077be9bba7c7af9951e9 SHA256: 03363f9f6938f430a58f3f417829aa3e98875703eb4c2ae12feccc07fff6ba47 http://blog.talosintelligence.com/2017/05/jaff-ransomware.html
M17-doy01	WannaCry_4fef5e34	Windows	This strike sends a malware sample known as WannaCry. This ransomware can stop you from using your PC or accessing your data. Unlike other ransomware, however, this threat has worm capabilities. It uses an exploit code for a patched SMB vulnerability, CVE-2017-0145. This vulnerability was fixed in security bulletin MS17-010, which was released on March 14, 2017.	4fef5e34143e646dbf9907c4374276f5	SHA1: 47a9ad4125b6bd7c55e4e7da251e23f089407b8f MD5: 4fef5e34143e646dbf9907c4374276f5 SHA256: 4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79 https://blogs.technet.microsoft.com/mmpc/2017/05/12/wannacrypt-ransomware-worm-targets-out-of-date-systems/
M17-1kd01	BondNet_37e2490d	Windows	This strike sends a malware sample known as BondNet. BondNet is a botnet consisting of more than 15000 compromised servers. It is used to mine cryptocurrencies and it can be easily switched to other purposes. It was first spotted in December 2016.	37e2490d6c9391fe81043eeb7cfa637a	SHA1: 6cdbd359838b7213f2958717b914b1ac4157408c MD5: 37e2490d6c9391fe81043eeb7cfa637a SHA256: 18a2f191db62cc45601981180e6263c46657f537e0842cbc350a47efaa775178 https://www.guardicore.com/2017/05/the-bondnet-army/ http://thehackernews.com/2017/05/cryptocurrency-mining-botnet.html
M17-lvk01	Jaff_3f6c1a27	Mixed	This strike sends a malware sample known as Jaff. We recently observed several large scale email campaigns that were attempting to distribute a new variant of ransomware that has been dubbed "Jaff". Interestingly we identified several characteristics that we have previously observed being used during Dridex and Locky campaigns. In a short period of time, we observed multiple campaigns featuring high volumes of malicious spam emails being distributed, each using a PDF attachment with an embedded Microsoft Word document functioning as the initial downloader for the Jaff ransomware.	3f6c1a2735a8595cb1b03260bec9cb1b	SHA1: be968fea50dea7568d19e79b1fe667d36f11ab13 MD5: 3f6c1a2735a8595cb1b03260bec9cb1b SHA256: 9e16ad6391fa20ec5f59c8790ade437b495a344979bb5e22df3c6706b4380b0b http://blog.talosintelligence.com/2017/05/jaff-ransomware.html
M17-0k701	EternalRocks_2d540860	Windows	This strike sends a malware sample known as EternalRocks. EternalRocks is a malware that spreads itself by exploiting vulnerabilities (ETERNALBLUE, ETERNALCHAMPION, ETERNALROMANCE, ETERNALSYNERGY) in Windows SMB file sharing protocol.	2d540860d91cd25cc8d61555523c76ff	SHA1: 822db2fd78b39b49547cce2f7fb92b276c74bcef MD5: 2d540860d91cd25cc8d61555523c76ff SHA256: ad8965e531424cb34120bf0c1b4b98d4ab769bed534d9a36583364e9572332fa http://thehackernews.com/2017/05/smb-windows-hacking-tools.html
M17-n4j01	Gh0stRAT_4dbd1730	Windows	This strike sends a malware sample known as Gh0stRAT. The sample has been observed being spread by EternalBlue/DoublePulsar in-the-wild.	4dbd1730fc1d9ee7dafe0cd19f2910f1	SHA1: a1c6ea9579ab8376ec4173a86b71ba716524aa9a MD5: 4dbd1730fc1d9ee7dafe0cd19f2910f1 SHA256: 86b6178314c57c51c67d91ae45ee25fad1fb6d6e37d35bc4307fa5c49bde2910
M17-syt01	WannaCry_509c41ec	Windows	This strike sends a malware sample known as WannaCry. A major ransomware attack has affected many organizations across the world reportedly including Telefonica in Spain, the National Health Service in the UK, and FedEx in the US. The malware responsible for this attack is a ransomware variant known as 'WannaCry'. The malware then has the capability to scan heavily over TCP port 445 (Server Message Block/SMB), spreading similar to a worm, compromising hosts, encrypting files stored on them then demanding a ransom payment in the form of Bitcoin. It is important to note that this is not a threat that simply scans internal ranges to identify where to spread, it is also capable of spreading based on vulnerabilities it finds in other externally facing hosts across the internet.	509c41ec97bb81b0567b059aa2f50fe8	SHA1: 87420a2791d18dad3f18be436045280a4cc16fc4 MD5: 509c41ec97bb81b0567b059aa2f50fe8 SHA256: 09a46b3e1be080745a6d8d88d6b5bd351b1c7586ae0dc94d0c238ee36421cafa http://blog.talosintelligence.com/2017/05/wannacry.html
M17-dyn01	WannaCrypt_84c82835	Windows	This strike sends a malware sample known as WannaCrypt. This ransomware can stop you from using your PC or accessing your data. Unlike other ransomware, however, this threat has worm capabilities. It uses an exploit code for a patched SMB vulnerability, CVE-2017-0145. This vulnerability was fixed in security bulletin MS17-010, which was released on March 14, 2017.	84c82835a5d21bbcf75a61706d8ab549	SHA1: 5ff465afaabcbf0150d1a3ab2c2e74f3a4426467 MD5: 84c82835a5d21bbcf75a61706d8ab549 SHA256: ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa https://blogs.technet.microsoft.com/mmpc/2017/05/12/wannacrypt-ransomware-worm-targets-out-of-date-systems/
M17-5tw01	BondNet_8b11325f	Windows	This strike sends a malware sample known as BondNet. BondNet is a botnet consisting of more than 15000 compromised servers. It is used to mine cryptocurrencies and it can be easily switched to other purposes. It was first spotted in December 2016.	8b11325f4b729b7072c050035b454759	SHA1: a5a5cf1910339490ec429b605a324b74a92edb38 MD5: 8b11325f4b729b7072c050035b454759 SHA256: 785d97c2c215c3c0b76c11610680f04236ef1a5c7fbcf4a86fb5f89996858b78 https://www.guardicore.com/2017/05/the-bondnet-army/ http://thehackernews.com/2017/05/cryptocurrency-mining-botnet.html
M17-a3m01	Adylkuzz_f2e1d236	Windows	This strike sends a malware sample known as Adylkuzz. Adylkuzz is a Windows malware which installs a cryptocurrency miner on compromised machines.	f2e1d236c5d2c009e1749fc6479a9ede	SHA1: 262c22ffd66c33da641558f3da23f7584881a782 MD5: f2e1d236c5d2c009e1749fc6479a9ede SHA256: 8200755cbedd6f15eecd8207eba534709a01957b172d7a051b9cc4769ddbf233 https://www.proofpoint.com/us/threat-insight/post/adylkuzz-cryptocurrency-mining-malware-spreading-for-weeks-via-eternalblue-doublepulsar
M17-2eu01	WannaCry_8495400f	Windows	This strike sends a malware sample known as WannaCry. This ransomware can stop you from using your PC or accessing your data. Unlike other ransomware, however, this threat has worm capabilities. It uses an exploit code for a patched SMB vulnerability, CVE-2017-0145. This vulnerability was fixed in security bulletin MS17-010, which was released on March 14, 2017.	8495400f199ac77853c53b5a3f278f3e	SHA1: be5d6279874da315e3080b06083757aad9b32c23 MD5: 8495400f199ac77853c53b5a3f278f3e SHA256: 2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d https://isc.sans.org/forums/diary/Massive+wave+of+ransomware+ongoing/22412/
M17-6q201	WannaCrypt_a44964a7	Windows	This strike sends a malware sample known as WannaCrypt. This sample uses the exploit known as EternalBlue. It spreads by using CVE-2017-0145. Once infected, a host will encrypt all files and then search for others hosts to infected via SMB both on the local network and across the Internet.	a44964a7be94072cdfe085bc43e7dc95	SHA1: 507409fb6d519580efe81756ca49172f33bcd388 MD5: a44964a7be94072cdfe085bc43e7dc95 SHA256: f470fbf340e5ad8be24b29712f565eaff0c67564a4872e0cedb05a1876a838d0 https://blogs.technet.microsoft.com/mmpc/2017/05/12/wannacrypt-ransomware-worm-targets-out-of-date-systems/
M17-bcd01	Adylkuzz_71b0279f	Windows	This strike sends a malware sample known as Adylkuzz. Adylkuzz is a Windows malware which installs a cryptocurrency miner on compromised machines.	71b0279ff6b5f1dddac59a0704070e28	SHA1: ff50f7d7e1d09298ff5a37351a682f83c5df8c87 MD5: 71b0279ff6b5f1dddac59a0704070e28 SHA256: fab31a2d44e38e733e1002286e5df164509afe18149a8a2f527ec6dc5e71cb00 https://www.proofpoint.com/us/threat-insight/post/adylkuzz-cryptocurrency-mining-malware-spreading-for-weeks-via-eternalblue-doublepulsar
M17-n1f01	EternalRocks_994bd0b2	Windows	This strike sends a malware sample known as EternalRocks. EternalRocks is a malware that spreads itself by exploiting vulnerabilities (ETERNALBLUE, ETERNALCHAMPION, ETERNALROMANCE, ETERNALSYNERGY) in Windows SMB file sharing protocol.	994bd0b23cce98b86e58218b9032ffab	SHA1: b05f2d07d0af1184066f766bc78d1b680236c1b3 MD5: 994bd0b23cce98b86e58218b9032ffab SHA256: e049d8f69ddee0c2d360c27b98fa9e61b7202bb0d3884dd3ca63f8aa288422dc http://thehackernews.com/2017/05/smb-windows-hacking-tools.html
M17-1ap01	WannaCrypt_c65f526f	Windows	This strike sends a malware sample known as WannaCrypt. This ransomware can stop you from using your PC or accessing your data. Unlike other ransomware, however, this threat has worm capabilities. It uses an exploit code for a patched SMB vulnerability, CVE-2017-0145. This vulnerability was fixed in security bulletin MS17-010, which was released on March 14, 2017.	c65f526f7a2868f9dcd9150c1ad1a0fc	SHA1: 098e0ad1ff79ece7c514155bb4b9ef643848ff6b MD5: c65f526f7a2868f9dcd9150c1ad1a0fc SHA256: 00c3ddb3a4bccb0577041f0a4fc536a0a9fbc29aadc68e92359ec20373b94ede https://blogs.technet.microsoft.com/mmpc/2017/05/12/wannacrypt-ransomware-worm-targets-out-of-date-systems/
M17-zn801	DDoSBot_154c03c6	Windows	This strike sends a malware sample known as DDoSBot. The sample has been observed being spread by EternalBlue/DoublePulsar in-the-wild.	154c03c6d02d443898cddb6a6001a3d3	SHA1: ca6af34d30067ee45c7671a4e4e70abbf36f4e85 MD5: 154c03c6d02d443898cddb6a6001a3d3 SHA256: 3ec21d093edc24aa7ffaff014cfa9ee2d5ea165f1434590bc0d1b0c31845c2a1
M17-aar01	Jaff_f115d1fe	Mixed	This strike sends a malware sample known as Jaff. We recently observed several large scale email campaigns that were attempting to distribute a new variant of ransomware that has been dubbed "Jaff". Interestingly we identified several characteristics that we have previously observed being used during Dridex and Locky campaigns. In a short period of time, we observed multiple campaigns featuring high volumes of malicious spam emails being distributed, each using a PDF attachment with an embedded Microsoft Word document functioning as the initial downloader for the Jaff ransomware.	f115d1fe4f579841c054b03d1ba29c97	SHA1: 65f36039af8c1f74de0d998965f22988a0fc4ef5 MD5: f115d1fe4f579841c054b03d1ba29c97 SHA256: 4028f165d9465df0541c431b8ec815e4b0208ac505b9101b8e8e4bfd558ee778 http://blog.talosintelligence.com/2017/05/jaff-ransomware.html
M17-8qf01	EternalRocks_7f9596b3	Windows	This strike sends a malware sample known as EternalRocks. EternalRocks is a malware that spreads itself by exploiting vulnerabilities (ETERNALBLUE, ETERNALCHAMPION, ETERNALROMANCE, ETERNALSYNERGY) in Windows SMB file sharing protocol.	7f9596b332134a60f9f6b85ab616b141	SHA1: 9f993f080b2708ece0d8d42df2c19dc77aaa80f1 MD5: 7f9596b332134a60f9f6b85ab616b141 SHA256: e77306d2e3d656fa04856f658885803243aef204760889ca2c09fbe9ba36581d http://thehackernews.com/2017/05/smb-windows-hacking-tools.html
M17-x7v01	EternalRocks_5f714b56	Windows	This strike sends a malware sample known as EternalRocks. EternalRocks is a malware that spreads itself by exploiting vulnerabilities (ETERNALBLUE, ETERNALCHAMPION, ETERNALROMANCE, ETERNALSYNERGY) in Windows SMB file sharing protocol.	5f714b563aafef8574f6825ad9b5a0bf	SHA1: 03f3901595438c7c3878fa6cf1c24ae3d06bd9e0 MD5: 5f714b563aafef8574f6825ad9b5a0bf SHA256: 20240431d6eb6816453651b58b37f53950fcc3f0929813806525c5fd97cdc0e1 http://thehackernews.com/2017/05/smb-windows-hacking-tools.html
M17-ui301	BondNet_e3427d9f	Windows	This strike sends a malware sample known as BondNet. BondNet is a botnet consisting of more than 15000 compromised servers. It is used to mine cryptocurrencies and it can be easily switched to other purposes. It was first spotted in December 2016.	e3427d9f439aebefa3d9c299e2a94af3	SHA1: ffff4672790378677ec30d3634fc593c10dfd37e MD5: e3427d9f439aebefa3d9c299e2a94af3 SHA256: 7374051e75ae97ba687cd153927faccd21fcdcc0b41a42867d38ac62064f6aba https://www.guardicore.com/2017/05/the-bondnet-army/ http://thehackernews.com/2017/05/cryptocurrency-mining-botnet.html
M17-n0201	WannaCrypt_f107a717	Windows	This strike sends a malware sample known as WannaCrypt. This ransomware can stop you from using your PC or accessing your data. Unlike other ransomware, however, this threat has worm capabilities. It uses an exploit code for a patched SMB vulnerability, CVE-2017-0145. This vulnerability was fixed in security bulletin MS17-010, which was released on March 14, 2017.	f107a717f76f4f910ae9cb4dc5290594	SHA1: 51e4307093f8ca8854359c0ac882ddca427a813c MD5: f107a717f76f4f910ae9cb4dc5290594 SHA256: f8812f1deb8001f3b7672b6fc85640ecb123bc2304b563728e6235ccbe782d85 https://blogs.technet.microsoft.com/mmpc/2017/05/12/wannacrypt-ransomware-worm-targets-out-of-date-systems/
M17-4lg01	WannaCry_7bf2b57f	Windows	This strike sends a malware sample known as WannaCry. This ransomware can stop you from using your PC or accessing your data. Unlike other ransomware, however, this threat has worm capabilities. It uses an exploit code for a patched SMB vulnerability, CVE-2017-0145. This vulnerability was fixed in security bulletin MS17-010, which was released on March 14, 2017.	7bf2b57f2a205768755c07f238fb32cc	SHA1: 45356a9dd616ed7161a3b9192e2f318d0ab5ad10 MD5: 7bf2b57f2a205768755c07f238fb32cc SHA256: b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25 https://blogs.technet.microsoft.com/mmpc/2017/05/12/wannacrypt-ransomware-worm-targets-out-of-date-systems/
M17-8ku01	WannaCrypt_465333f9	Mixed	This strike sends a malware sample known as WannaCrypt. This ransomware can stop you from using your PC or accessing your data. Unlike other ransomware, however, this threat has worm capabilities. It uses an exploit code for a patched SMB vulnerability, CVE-2017-0145. This vulnerability was fixed in security bulletin MS17-010, which was released on March 14, 2017.	465333f97e486c74906464105320c5b2	SHA1: bba61e561a4cfa3ba7929eae2395d99298043ed3 MD5: 465333f97e486c74906464105320c5b2 SHA256: 3abe4af565974df6727007ea63742289403477a85ce897d71b4612dd26950fde https://blogs.technet.microsoft.com/mmpc/2017/05/12/wannacrypt-ransomware-worm-targets-out-of-date-systems/
M17-ov601	EternalRocks_67ef79ee	Windows	This strike sends a malware sample known as EternalRocks. EternalRocks is a malware that spreads itself by exploiting vulnerabilities (ETERNALBLUE, ETERNALCHAMPION, ETERNALROMANCE, ETERNALSYNERGY) in Windows SMB file sharing protocol.	67ef79ee308b8625d5f20ea3e5379436	SHA1: 7d0a8cef28518f9be8ad083dcbd719ac4c85d89c MD5: 67ef79ee308b8625d5f20ea3e5379436 SHA256: a7c387b4929f51e38706d8b0f8641e032253b07bc2869a450dfa3df5663d7392 http://thehackernews.com/2017/05/smb-windows-hacking-tools.html

Malware Strikes April - 2017

Strike ID	Malware	Platform	Info	MD5	External References
M17-4g501	Locky_385e0361	Mixed	This strike sends a malware sample known as Locky. Locky is a ransomware for Windows systems which appeared at the beginning of 2016. The malicious code for this particular malware relies on JavaScript attachments to download itself. Like other ransomware, it encrypts local files as well as network shares and renames them to [unique_id][identifier].locky. The victim is requested to pay a ransom to get the files decrypted. This sample is a Word document, described in a Cisco Talos blog about new Locky malware seen in April 2017.	385e0361652c51b07cf73d670536a9a3	SHA1: e2caed21a8d7a96f3c56a0b33c2e6bf4695101be MD5: 385e0361652c51b07cf73d670536a9a3 SHA256: 52db4cca867773fdce9cd8d6d4e9b8ea66c2c0c4067f33fd4aaf6bfa0c5e4d62 http://blog.talosintelligence.com/2017/04/locky-returns-necurs.html
M17-gv901	LATENTBOT_c10dabb0	Mixed	This strike sends a malware sample known as LATENTBOT. LATENTBOT is a malware which may be used to harvest credentials, encrypt and ransom an infected target, or wipe the infected hard drive.	c10dabb05a38edd8a9a0ddda1c9af10e	SHA1: 9aed05edab5d0200eb509ed22c8c30f19652814c MD5: c10dabb05a38edd8a9a0ddda1c9af10e SHA256: f4a0f65e9161a266b557e3850e3d17f08b2843ee560f8a89ecf7059eba104e66 https://www.fireeye.com/blog/threat-research/2017/04/cve-2017-0199_useda.html https://www.fireeye.com/blog/threat-research/2015/12/latentbot_trace_me.html
M17-2kr01	Dimnie_555363dd	Windows	This strike sends a malware sample known as Dimnie. Dimnie is a data-stealing malware that targets developers with Github repositories. Dimnie includes keylogging and screenshots features.	555363ddd1dc30b1f1dc2399fc404a5c	SHA1: ba4f86a7f7d4a09c938600f057be58eaa8b9f425 MD5: 555363ddd1dc30b1f1dc2399fc404a5c SHA256: f3a1fb80a5c79d3735ddc4328b915a4b034526ae96345c9b2465c16582ab54be http://researchcenter.paloaltonetworks.com/2017/03/unit42-dimnie-hiding-plain-sight/ http://securityaffairs.co/wordpress/57565/malware/dimnie-data-stealer-github.html
M17-twk01	Dimnie_72fe42ff	Windows	This strike sends a malware sample known as Dimnie. Dimnie is a data-stealing malware that targets developers with Github repositories. Dimnie includes keylogging and screenshots features.	72fe42ff160524017760de177243518d	SHA1: d52a7fa6d4dab80eacf95513139b9abb69e6dc9f MD5: 72fe42ff160524017760de177243518d SHA256: 3bb134617af6f7b0f0c483b315f7ea45b2ed2c4a91005b453c9ec9e86ef0d70b http://researchcenter.paloaltonetworks.com/2017/03/unit42-dimnie-hiding-plain-sight/ http://securityaffairs.co/wordpress/57565/malware/dimnie-data-stealer-github.html
M17-gx401	Dimnie_7853b5f8	Windows	This strike sends a malware sample known as Dimnie. Dimnie is a data-stealing malware that targets developers with Github repositories. Dimnie includes keylogging and screenshots features.	7853b5f8407c70dfaa9bb5e8dc983e90	SHA1: fae17a413c0418bb5439c209ae5764b150bd2efd MD5: 7853b5f8407c70dfaa9bb5e8dc983e90 SHA256: 210024ece45a6935da89ab7c5ae3293616679414e96e2157e49f9f607c831bdc http://researchcenter.paloaltonetworks.com/2017/03/unit42-dimnie-hiding-plain-sight/ http://securityaffairs.co/wordpress/57565/malware/dimnie-data-stealer-github.html
M17-2hq01	cerber_eb94cadf	Windows	This strike sends a malware sample known as cerber. This ransomware sample was collected while analyzing exploits for CVE-2017-5638 during April 6th 2017.	eb94cadf5b25feda33888b7ac35e04e9	SHA1: d4c5e130a0ac94120fd68ecd988df12b5a25f0c2 MD5: eb94cadf5b25feda33888b7ac35e04e9 SHA256: 5952963708e4cf2e13c29ced6451a52284afb3f45a11ba4087c3c438dad2427d
M17-3vi01	Dimnie_d03eb7fb	Windows	This strike sends a malware sample known as Dimnie. Dimnie is a data-stealing malware that targets developers with Github repositories. Dimnie includes keylogging and screenshots features.	d03eb7fb350abc68de35fa9dc6cd22aa	SHA1: 879dad113a572ebae9022eecc84c5cae0495d800 MD5: d03eb7fb350abc68de35fa9dc6cd22aa SHA256: cbb7c2fedc753f62fa1bf47f2e0c6aa487eecfd27d867789764dbde97a8b9449 http://researchcenter.paloaltonetworks.com/2017/03/unit42-dimnie-hiding-plain-sight/ http://securityaffairs.co/wordpress/57565/malware/dimnie-data-stealer-github.html
M17-w3d01	Locky_7fe902d6	Mixed	This strike sends a malware sample known as Locky. Locky is a ransomware for Windows systems which appeared at the beginning of 2016. The malicious code for this particular malware relies on JavaScript attachments to download itself. Like other ransomware, it encrypts local files as well as network shares and renames them to [unique_id][identifier].locky. The victim is requested to pay a ransom to get the files decrypted. This sample is a Word document, described in a Cisco Talos blog about new Locky malware seen in April 2017.	7fe902d6f42089267ea7ae60d9a4df01	SHA1: 60584a00bcc2941376600d98d7d30f8c95e7224d MD5: 7fe902d6f42089267ea7ae60d9a4df01 SHA256: 10ce87f33381989373c519e2ff539f86c2a0a2a4cab0b791e82d4afece0367e6 http://blog.talosintelligence.com/2017/04/locky-returns-necurs.html
M17-7xo01	Cerber_1fdcd604	Windows	This strike sends a malware sample known as Cerber. This sample of Cerber ransomware was discovered while analyzing drive by exploits abusing Apache Struts CVE-2017-5638.	1fdcd6045c7e69f05fb7b4e497f813cf	SHA1: 5f80cf741d7a8fac10e269d7b085d69558483c64 MD5: 1fdcd6045c7e69f05fb7b4e497f813cf SHA256: 89e5cd34fc349ba0791ee42fc68b84c69f8b579bcb2207b2925762e14b36048e
M17-hik01	LATENTBOT_025b6fb2	Mixed	This strike sends a malware sample known as LATENTBOT. LATENTBOT is a malware which may be used to harvest credentials, encrypt and ransom an infected target, or wipe the infected hard drive.	025b6fb24dc9dc6c93aeaf6e5baec2aa	SHA1: 88357af86c5984cca1b34150e7be08d5db58be03 MD5: 025b6fb24dc9dc6c93aeaf6e5baec2aa SHA256: e9339747b31f576e6d4049696a4f4bd7053bcd29dafb0a7f2e55b8aab1539b67 https://www.fireeye.com/blog/threat-research/2017/04/cve-2017-0199_useda.html https://www.fireeye.com/blog/threat-research/2015/12/latentbot_trace_me.html
M17-60z01	Locky_32093440	Mixed	This strike sends a malware sample known as Locky. Locky is a ransomware for Windows systems which appeared at the beginning of 2016. The malicious code for this particular malware relies on JavaScript attachments to download itself. Like other ransomware, it encrypts local files as well as network shares and renames them to [unique_id][identifier].locky. The victim is requested to pay a ransom to get the files decrypted. This sample is a Word document, described in a Cisco Talos blog about new Locky malware seen in April 2017.	3209344017e6ebf524ad7cba9951dbed	SHA1: bd91035775b260b1f48924bc8c0a2ebd71b71760 MD5: 3209344017e6ebf524ad7cba9951dbed SHA256: eb822fb0d99a0b8aefcf70e484b997979a4a4c22325dfd52c4bec492e9937a03 http://blog.talosintelligence.com/2017/04/locky-returns-necurs.html
M17-b4v01	Dimnie_adc75bc4	Windows	This strike sends a malware sample known as Dimnie. Dimnie is a data-stealing malware that targets developers with Github repositories. Dimnie includes keylogging and screenshots features.	adc75bc411a3b5e7d806606f09925f86	SHA1: 356d5e07ca3157d6523c9878bc20b99935f6a897 MD5: adc75bc411a3b5e7d806606f09925f86 SHA256: 4b373c2d50e600fdae5259bbd3e989d002a776c443869b92afeb5d53b73bd1c0 http://researchcenter.paloaltonetworks.com/2017/03/unit42-dimnie-hiding-plain-sight/ http://securityaffairs.co/wordpress/57565/malware/dimnie-data-stealer-github.html
M17-byx01	Locky_5636bb84	Mixed	This strike sends a malware sample known as Locky. Locky is a ransomware for Windows systems which appeared at the beginning of 2016. The malicious code for this particular malware relies on JavaScript attachments to download itself. Like other ransomware, it encrypts local files as well as network shares and renames them to [unique_id][identifier].locky. The victim is requested to pay a ransom to get the files decrypted. This sample is a Word document, described in a Cisco Talos blog about new Locky malware seen in April 2017.	5636bb8497a75a3fc676c9a0a0964c77	SHA1: 12893670db1a209af2bd90e8acbee291120927f9 MD5: 5636bb8497a75a3fc676c9a0a0964c77 SHA256: 026fa1191fcf895ce375ad8f8f2bda47aa8b1cb27e6be490399a1ad47d452b68 http://blog.talosintelligence.com/2017/04/locky-returns-necurs.html
M17-9qt01	Locky_34a811ae	Mixed	This strike sends a malware sample known as Locky. Locky is a ransomware for Windows systems which appeared at the beginning of 2016. The malicious code for this particular malware relies on JavaScript attachments to download itself. Like other ransomware, it encrypts local files as well as network shares and renames them to [unique_id][identifier].locky. The victim is requested to pay a ransom to get the files decrypted. This sample is a Word document, described in a Cisco Talos blog about new Locky malware seen in April 2017.	34a811ae4390bc9529ec79844e2a7edd	SHA1: f235463d86aac9a2dc0b6a8d9eb985dc4ad5e0bc MD5: 34a811ae4390bc9529ec79844e2a7edd SHA256: 2665260758371f88ca4e49dd577e885fc138651a0e2b3564309b892eea36f7af http://blog.talosintelligence.com/2017/04/locky-returns-necurs.html
M17-zqx01	Chrysaor_3a69bfbe	Android	This strike sends a malware sample known as Chrysaor. Chrysaor is an Android surveillance malware.	3a69bfbe5bc83c4df938177e05cd7c7c	SHA1: b6850881561265d89597d0d245b33dba3d7d3f47 MD5: 3a69bfbe5bc83c4df938177e05cd7c7c SHA256: 3474625e63d0893fc8f83034e835472d95195254e1e4bdf99153b7c74eb44d86 http://securityaffairs.co/wordpress/57702/malware/android-chrysaor-spyware.html https://android-developers.googleblog.com/2017/04/an-investigation-of-chrysaor-malware-on.html
M17-pti01	Cradlecore_53f6f9a0	Windows	This strike sends a malware sample known as Cradlecore. Cradlecore is a Windows ransomware.	53f6f9a0d0867c10841b815a1eea1468	SHA1: a2a164a4a535c5542accb45d1268ac072b48ff1a MD5: 53f6f9a0d0867c10841b815a1eea1468 SHA256: 47d02763457fe39edd3b84f59e145330ffd455547da7cbf67c3f0cb3ddf10542 http://securityaffairs.co/wordpress/58089/malware/cradlecore-ransomware-source-code.html https://blogs.forcepoint.com/security-labs/cradlecore-ransomware-source-code-sale
M17-h5y01	Cerber_7daecdce	Windows	This strike sends a malware sample known as Cerber. This sample of Cerber malware was collected by ATI's honeypot network on 4/7/2017.	7daecdcec1739285f99e86e46f5dbd01	SHA1: 16c95612c45351caadfeaac333a3625daa40b4db MD5: 7daecdcec1739285f99e86e46f5dbd01 SHA256: 4570fd53f92d28fefb8c8c437ed7cd85f52e643921afd197c332707a45c08326
M17-cq401	Philadelphia_0a380f78	Windows	This strike sends a malware sample known as Philadelphia. Philadelphia is a variant of Stampado ransomware. Philadelphia targets healthcare industry and it is distributed via phishing emails sent to hospitals.	0a380f789a882f7c4e11a1b4f87bb4fd	SHA1: 448c93e79bf0741798ed99bb3108d1ceb90b6901 MD5: 0a380f789a882f7c4e11a1b4f87bb4fd SHA256: 2f5b4ad81d358d57b8076a9b432be0e41ddff729c596b5b8ce5a01039dfaac3c https://blogs.forcepoint.com/security-labs/shelf-ransomware-used-target-healthcare-sector http://securityaffairs.co/wordpress/57795/malware/philadelphia-ransomware.html
M17-gp301	Rokrat_c909ca40	Windows	This strike sends a malware sample known as Rokrat. Rokrat is a Remote Access Tool (RAT) delivered via malicious Hangul Word Processor (HWP) document.	c909ca40d1124fc86662a12d72e0fb78	SHA1: 75d7f88e010e5c7d9a4617157034cff16da0733f MD5: c909ca40d1124fc86662a12d72e0fb78 SHA256: 051463a14767c6477b6dacd639f30a8a5b9e126ff31532b58fc29c8364604d00 http://securityaffairs.co/wordpress/57709/malware/rokrat-rat-south-koread.html http://blog.talosintelligence.com/2017/04/introducing-rokrat.html

Malware Strikes March - 2017

Strike ID	Malware	Platform	Info	MD5	External References
M16-ew201	PowerShellMalware_2abad0ae	Mixed	This strike sends a malware sample known as PowerShellMalware. PowerShellMalware is a malware based on PowerShell scripts that communicates with the Command and Control through DNS messages.	2abad0ae32dd72bac5da0af1e580a2eb	SHA1: d00225d485c597bea712e7c7baa4fba7d7f281e3 MD5: 2abad0ae32dd72bac5da0af1e580a2eb SHA256: 340795d1f2c2bdab1f2382188a7b5c838e0a79d3f059d2db9eb274b0205f6981 http://blog.talosintelligence.com/2017/03/dnsmessenger.html http://securityaffairs.co/wordpress/56856/malware/dns-txt-malware.html
M16-1pn01	BugDrop_1a6986fe	Windows	This strike sends a malware sample known as BugDrop. BugDrop is a data stealer malware that downloads other data stealing plugins on the infected machine. BugDrop uploads all the stolen data on to Dropbox.	1a6986fe9e1ba213dd738054118fcfdd	SHA1: 0f42a1ee54b0137f5d22741524e5361880a83973 MD5: 1a6986fe9e1ba213dd738054118fcfdd SHA256: f778ca5942d3b762367be1fd85cf7add557d26794fad187c4511b3318aff5cfd https://cyberx-labs.com/en/blog/operation-bugdrop-cyberx-discovers-large-scale-cyber-reconnaissance-operation/ http://thehackernews.com/2017/02/ukraine-russia-hacking_20.html
M16-g3f01	Vortex_31329543	Windows	This strike sends a malware sample known as Vortex. Vortex is a ransomware based on a freeware encryption and decryption utility hosted on GitHub (AESxWin).	31329543947f1ee13ce020c826fb4af5	SHA1: 10fcf2dee3fa68c7676076623c0be570c67698a6 MD5: 31329543947f1ee13ce020c826fb4af5 SHA256: fd218e093741316782ec4ec89f520d2962a4f3850cb5b04f9c2c9fde567dc23b https://www.bleepingcomputer.com/news/security/the-polski-vortex-flotera-ransomware-connection/
M16-gt101	Disttrack_6a7bff61	Windows	This strike sends a malware sample known as Disttrack. Disttrack or Shamoon is a malware that's been around since 2012. In November 2016 security experts detected Disttrack in a new wave of attacks against a Saudi company. Disttrack's main focus is data destruction and system damage through a wiper component. Other components of which Disttrack is composed are the dropper and the communications components.	6a7bff614a1c2fd2901a5bd1d878be59	SHA1: 88fd8b5b6837f5b0342a4494d6491ef0e2e780c5 MD5: 6a7bff614a1c2fd2901a5bd1d878be59 SHA256: 7b589d45825c096d42bdf341193d3fd8fd9a0bd612a6ebd7466c26a753304df9 https://securelist.com/blog/research/77725/from-shamoon-to-stonedrill/
M16-u9r01	StoneDrill_0ccc9ec8	Windows	This strike sends a malware sample known as StoneDrill. StoneDrill is a disk wiping malware targeting European petroleum companies. It is similar to another disk wiping malware called Shamoon (Disttrack).	0ccc9ec82f1d44c243329014b82d3125	SHA1: 279ff728023eeaa1715403ec823801bf3493f5ca MD5: 0ccc9ec82f1d44c243329014b82d3125 SHA256: 62aabce7a5741a9270cddac49cd1d715305c1d0505e620bbeaec6ff9b6fd0260 http://usa.kaspersky.com/about-us/press-center/press-releases/2017/From_Shamoon_to_StoneDrill-Advanced_New_Destructive_Malware_Discovered_in_the_Wild_by_Kaspersky_Lab https://securelist.com/blog/research/77725/from-shamoon-to-stonedrill/ http://thehackernews.com/2017/03/stonedrill-data-wiping-malware.html
M16-74a01	SwearingTrojan_25c2e013	Android	This strike sends a malware sample known as SwearingTrojan. SwearingTrojan is mobile banking malware that targets Chinese Android users. SwearingTrojan steals personal data and sends it to the attacker using SMS or email. SwearingTrojan spreads through infected apps or through phishing SMS messages impersonating Chinese telecom service providers.	25c2e0139354ac8eb7ddcc7df361ccfb	SHA1: d59e452d1535059cad3dae41fd6497c36ca000ff MD5: 25c2e0139354ac8eb7ddcc7df361ccfb SHA256: 7a7bef9d7bbbabc1bb16d1d8476fd0d48faffde0257f400bd5bd720736f8d207 http://blog.checkpoint.com/2017/03/21/swearing-trojan-continues-rage-even-authors-arrest/ http://securityaffairs.co/wordpress/57354/malware/rogue-cellphone-towers-spread-malware.html
M16-1pd01	RozaLocker_8ea7224f	Windows	This strike sends a malware sample known as RozaLocker. RozaLocker is a ransomware that requests 10000 Rubles for decryption. It appends .ENC extension to encrypted files.	8ea7224f71b5d248e9ec1b9cc56b33d4	SHA1: aac3914f728626bfc7ea14a31ea20595ed78dcab MD5: 8ea7224f71b5d248e9ec1b9cc56b33d4 SHA256: dfbea7de7c3e015eae2b121ff77133608cd5408e565bfe41bfe81ef82fb97426 https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-march-17th-2017-revenge-petrwrap-and-captain-kirk/
M16-yno01	Disttrack_aae531a9	Windows	This strike sends a malware sample known as Disttrack. Disttrack or Shamoon is a malware that's been around since 2012. In November 2016 security experts detected Disttrack in a new wave of attacks against a Saudi company. Disttrack's main focus is data destruction and system damage through a wiper component. Other components of which Disttrack is composed are the dropper and the communications components.	aae531a922d9cca9ddca3d98be09f9df	SHA1: d3fec4559eff85b42d8fd56ed8b403e95e211e07 MD5: aae531a922d9cca9ddca3d98be09f9df SHA256: 25a3497d69604baf4be4d80b6824c06f1b7120144f98eeb0a13d57d6f72eb8e9 https://securelist.com/blog/research/77725/from-shamoon-to-stonedrill/
M16-3yk01	ELF_IMEIJ_a16a281c	Linux	This strike sends a malware sample known as ELF_IMEIJ. ELF_IMEIJ is a Linux malware targeting products from company AVTech.	a16a281cbe544af40f8463c7f5186496	SHA1: 931321a4e6fb126f83bb6a0ff8ad4ffd260b9438 MD5: a16a281cbe544af40f8463c7f5186496 SHA256: 8040422762138d28aa411d8bb2307a93432416f72b292bf884fb7c7efde9f3f5 http://blog.trendmicro.com/trendlabs-security-intelligence/new-linux-malware-exploits-cgi-vulnerability/ http://securityaffairs.co/wordpress/57067/malware/elf_imeij.html
M16-ss301	xorddos_cdc45763	Linux	This strike sends a malware sample known as xorddos. This ELF32 binary is detected as XORDDoS. This sample was collected while analyzing attacks leveraging CVE-2017-5638 on Ixia honeypots.	cdc457633178e845bb4b306531a4588b	SHA1: f4bb1cbdab37e0107a9c9927f57b091c9a0f09bd MD5: cdc457633178e845bb4b306531a4588b SHA256: 98bd48f1574a891b5ae8dff726671255e10b4b30c2f562f3edc5f6f89f35804d https://www.ixiacom.com/company/blog/apache-struts-honeypot-scanning
M16-g4w01	BugDrop_38dfded4	Mixed	This strike sends a malware sample known as BugDrop. BugDrop is a data stealer malware that downloads other data stealing plugins on the infected machine. BugDrop uploads all the stolen data on to Dropbox.	38dfded491a1d8d3792669cb8e41e31c	SHA1: fff1e050f85d7b182e34e3737fc4808882d9f05b MD5: 38dfded491a1d8d3792669cb8e41e31c SHA256: 997841515222dbfa65d1aea79e9e6a89a0142819eaeec3467c31fa169e57076a https://cyberx-labs.com/en/blog/operation-bugdrop-cyberx-discovers-large-scale-cyber-reconnaissance-operation/ http://thehackernews.com/2017/02/ukraine-russia-hacking_20.html
M16-xoo01	Artemis!A70475EF2B22_a70475ef	Windows	This strike sends a malware sample known as Artemis!A70475EF2B22. This sample of Artemis was discovered in a drive by exploit and download of CVE-2017-5638. It was intended to be dropped on Windows based servers running a vulnerable version of Apache Struts.	a70475ef2b228c3edd2ade65ba3c6382	SHA1: 9024e4be85ba673995e869241f5977ad55b7dd68 MD5: a70475ef2b228c3edd2ade65ba3c6382 SHA256: 39178b53f41b34e250957af3198a9744f5d5675e4502884e8a45c860a44d46c7
M16-nyo01	StoneDrill_fb21f3ce	Windows	This strike sends a malware sample known as StoneDrill. StoneDrill is a disk wiping malware targeting European petroleum companies. It is similar to another disk wiping malware called Shamoon (Disttrack).	fb21f3cea1aa051ba2a45e75d46b98b8	SHA1: 0a4ffce8f301546100d7b00ba017f5e24d1b2d9b MD5: fb21f3cea1aa051ba2a45e75d46b98b8 SHA256: 2bab3716a1f19879ca2e6d98c518debb107e0ed8e1534241f7769193807aac83 http://usa.kaspersky.com/about-us/press-center/press-releases/2017/From_Shamoon_to_StoneDrill-Advanced_New_Destructive_Malware_Discovered_in_the_Wild_by_Kaspersky_Lab https://securelist.com/blog/research/77725/from-shamoon-to-stonedrill/ http://thehackernews.com/2017/03/stonedrill-data-wiping-malware.html
M16-o6p01	Word_Document_Dropper_a2a01354	Mixed	This strike sends a malware sample known as Word_Document_Dropper. Word_Document_Dropper is a dropper malware that spreads malware by executing VBA code. It targets both Apple Mac OS X and Microsoft Windows systems.	a2a01354f9184d7fad24f37c93d77f67	SHA1: 115e69cc9b405d783d7cdd4cc91c1798a2a46270 MD5: a2a01354f9184d7fad24f37c93d77f67 SHA256: 06a134a63ccae0f5654c15601d818ef44fba578d0fdf325cadfa9b089cf48a74 http://blog.fortinet.com/2017/03/22/microsoft-word-file-spreads-malware-targeting-both-apple-mac-os-x-and-microsoft-windows http://securityaffairs.co/wordpress/57393/malware/malware-microsoft-apple-os.html
M16-bl601	Kirk_78117f7a	Windows	This strike sends a malware sample known as Kirk. Kirk is a ransomware written in Python that appends .kirk extension to encrypted files.	78117f7acc8b385e9b29fe711436d16d	SHA1: 0d4dfe880f8ec4b394f49f1a2608200dd06ba8a6 MD5: 78117f7acc8b385e9b29fe711436d16d SHA256: 39a2201a88f10d81b220c973737f0becedab2e73426ab9923880fb0fb990c5cc https://www.bleepingcomputer.com/news/security/star-trek-themed-kirk-ransomware-brings-us-monero-and-a-spock-decryptor/ http://securityaffairs.co/wordpress/57261/malware/kirk-ransomware-star-trek.html
M16-63z01	DiamondFox_08f3ed2e	Windows	This strike sends a malware sample known as DiamondFox. DiamondFox is an infostealer malware written in Visual Basic that has been around for several years.	08f3ed2e71f71c6a700db2249cfeb4ad	SHA1: ee8132046d37baf3f25dec56f928611e56318ec3 MD5: 08f3ed2e71f71c6a700db2249cfeb4ad SHA256: 858d3c7fb4953a2f2e98993826a4e95ceca25bc358ccbde732f0b85189158697 https://blog.malwarebytes.com/threat-analysis/2017/03/diamond-fox-p1/
M16-n8601	MajikPOS_8d37a246	Windows	This strike sends a malware sample known as MajikPOS. MajikPOS is a PoS malware targeting business in North America and Canada. MajikPOS is designed to steal information and send it to its Command and Control servers.	8d37a2465daa53e8a507e7892be00dde	SHA1: 470726700027ef51a1e2036932935660bb083582 MD5: 8d37a2465daa53e8a507e7892be00dde SHA256: 283d1780fbd96325b19b7f273343ba8f8a034bd59f92dbf9b35e3a000840a3b4 http://blog.trendmicro.com/trendlabs-security-intelligence/majikpos-combines-pos-malware-and-rats/ http://securityaffairs.co/wordpress/57176/malware/majikpos-malware.html
M16-bvf01	DiamondFox_05ce3284	Windows	This strike sends a malware sample known as DiamondFox. DiamondFox is an infostealer malware written in Visual Basic that has been around for several years.	05ce32843c7271464b48283fe8f179cc	SHA1: c9e40a931298402a82ddda29579d374a2fc19558 MD5: 05ce32843c7271464b48283fe8f179cc SHA256: 81af849b00fdaa2e504a750e028dba24dbd2f9db3f53ff8df851ec5ea46f0c2a https://blog.malwarebytes.com/threat-analysis/2017/03/diamond-fox-p1/
M16-1kk01	Lick_43b1a4cf	Windows	This strike sends a malware sample known as Lick. Lick ransomware is a variant of Kirk ransomware. Lick encrypts various files and appends filenames with the extension ".	43b1a4cf9ded9370d1daf5c3b96c6786	SHA1: 1fef19eb03c6f06279a7ba558f4ba8056455b203 MD5: 43b1a4cf9ded9370d1daf5c3b96c6786 SHA256: db01302b012161d8b6e6a2a9be582c3d4100eaf09099c4e009685719a5c09d52 https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-march-17th-2017-revenge-petrwrap-and-captain-kirk/
M16-84b01	DiamondFox_6e9373d1	Windows	This strike sends a malware sample known as DiamondFox. DiamondFox is an infostealer malware written in Visual Basic that has been around for several years.	6e9373d18182d1ac6d027636de666aef	SHA1: 4a011a0e5c4558c36cdbe841711494f55976f856 MD5: 6e9373d18182d1ac6d027636de666aef SHA256: 179e71f74bbdbb3a00401c4efb0b08c637c26f38c06c8348e01bd74c4c5d70c2 https://blog.malwarebytes.com/threat-analysis/2017/03/diamond-fox-p1/

Malware Strikes February - 2017

Strike ID	Malware	Platform	Info	MD5	External References
M16-r1k01	Mirai_91a12a4c	Windows	This strike sends a malware sample known as Mirai. Mirai or Linux/Mirai ELF is a trojan backdoor which is targeting IoT devices. A Mirai Windows variant has recently been spotted.	91a12a4cf437589ba70b1687f5acad19	SHA1: 938715263e1e24f3e3d82d72b4e1d2b60ab187b8 MD5: 91a12a4cf437589ba70b1687f5acad19 SHA256: 2d8cd23e33e56ab396960a0d426c232f6d8905e2ac5833f37c412b699135f6ce https://www.bleepingcomputer.com/news/security/mirai-gets-a-windows-version-to-boost-distribution-efforts/ http://securityaffairs.co/wordpress/56103/malware/windows-mirai-bot.html
M16-s1t01	TeamSpy_67c81b63	Windows	This strike sends a malware sample known as TeamSpy. TeamSpy is a malware that uses TeamViewer to steal private data from victims. A TeamViewer session started by the attackers will be invisible to the victim. This can lead to numerous forms of abuse against the services.	67c81b63a5ba984396bd4e9ff5befade	SHA1: ecc8b7d5568eba6f75055ee4ffc4e95c0cfc577d MD5: 67c81b63a5ba984396bd4e9ff5befade SHA256: baef7e6b044bea15fba7970c768d0bba7ef3ccfe559981bc5444a8e56c7c781d https://heimdalsecurity.com/blog/security-alert-teamspy-turn-teamviewer-into-spying-tool/ http://securityaffairs.co/wordpress/56490/malware/teamspy-malware.html
M16-8sh01	KINS_20f7189c	Windows	This strike sends a malware sample known as KINS. KINS is a ZeuS Trojan variant. KINS has a modular structure, basic offer includes a bootkit, a dropper, DLLS and Zeus-compatible web injects. KINS trojan comes with the Anti-Rapport plugin which was featured in SpyEye.	20f7189c2989305e03e730fcdc8bd9e1	SHA1: 6aad1224f3ee26de0f0a06de01e834057b1bc440 MD5: 20f7189c2989305e03e730fcdc8bd9e1 SHA256: 786e347d5de0b2461049964b382ec2d93db62ad2541519c2f1be423fbde3e632 http://researchcenter.paloaltonetworks.com/2017/02/unit42-banking-trojans-ursnif-global-distribution-networks-identified/
M16-nqp01	Pushdo_638940ea	Windows	This strike sends a malware sample known as Pushdo. Pushdo is a downloader trojan. When executed, Pushdo reports back to one of several control server IP addresses embedded in it code. The server listens on TCP port 80, and pretends to be an Apache webserver.	638940eacb4cf341bf586909c9a62419	SHA1: 2c285799b4911e1361718d38d09e141d583a2acb MD5: 638940eacb4cf341bf586909c9a62419 SHA256: f0c85788f33916c6d2f811860d5e1d6bdc44a44ada980aad7a65039757cae6c7 http://researchcenter.paloaltonetworks.com/2017/02/unit42-banking-trojans-ursnif-global-distribution-networks-identified/
M16-4ll01	MacMacroMalware_1de4838f	Mixed	This strike sends a malware sample known as MacMacroMalware. MacMacroMalware is the first macro malware detected in the wild. It uses malicious macros in Word documents in order to install malware on Mac computers.	1de4838f13c49d9f959d04b363326ac1	SHA1: 598ebb19bf9fbc17c0bf85ce4ece91fa061f74a6 MD5: 1de4838f13c49d9f959d04b363326ac1 SHA256: 07adb8253ccc6fee20940de04c1bf4a54a4455525b2ac33f9c95713a8a102f3d http://securityaffairs.co/wordpress/56226/breaking-news/apple-mac-malware.html http://thehackernews.com/2017/02/mac-osx-macro-malware.html https://objective-see.com/blog/blog_0x17.html
M16-hbg01	HummingWhale_5ee2367f	Android	This strike sends a malware sample known as HummingWhale. HummingWhale is an Android malware. HmmingWhale is a newer variant of HummingBad malware. It is hiding in more than 20 applications in Google Play Store.	5ee2367fa2c4f8dc79a9d466148b3819	SHA1: c26ad7e5aa53649d10c83d2e762afca737bb99a3 MD5: 5ee2367fa2c4f8dc79a9d466148b3819 SHA256: 952acb85c7763fbd5c5d6632b29dd4f8339e327bb71b421530c93e88d2f986f8 http://blog.checkpoint.com/2017/01/23/hummingbad-returns/ http://thehackernews.com/2017/01/hummingbad-android-malware.html
M16-roh01	HummingWhale_e59c7891	Android	This strike sends a malware sample known as HummingWhale. HummingWhale is an Android malware. HmmingWhale is a newer variant of HummingBad malware. It is hiding in more than 20 applications in Google Play Store.	e59c78910796699ec6ef63643605bf69	SHA1: 8cf73cad9e229c7827a0d3a0c4ec6ca9fe176988 MD5: e59c78910796699ec6ef63643605bf69 SHA256: c86d7680332b074af05a022f22229bbe0bc45126fdbbb24ea4e96b1fa13dbdd5 http://blog.checkpoint.com/2017/01/23/hummingbad-returns/ http://thehackernews.com/2017/01/hummingbad-android-malware.html
M16-i8h01	Tinba_9cd27525	Windows	This strike sends a malware sample known as Tinba. Tinba is a bank trojan that was first seen in 2012, it is commonly distributed through malware spam emails or malvertising. As a bank trojan, it's main capability is the ability to perform a man-in-the-browser attack.	9cd27525e69ad4559c907539ea1464ab	SHA1: d6845a4815a869ff73508383e3e2eee8569904ac MD5: 9cd27525e69ad4559c907539ea1464ab SHA256: 3026114a699e5f50a49c2a4ee0844c8a6ac217f8e9185d1735b79a13379e8fd8 http://researchcenter.paloaltonetworks.com/2017/02/unit42-banking-trojans-ursnif-global-distribution-networks-identified/
M16-w5101	Tinba_8ca23d7b	Windows	This strike sends a malware sample known as Tinba. Tinba is a bank trojan that was first seen in 2012, it is commonly distributed through malware spam emails or malvertising. As a bank trojan, it's main capability is the ability to perform a man-in-the-browser attack.	8ca23d7bdf520c3e7ac538c1ceb7b555	SHA1: 3b798dc89140abb59bcc92338fbda7ca8a76c6bc MD5: 8ca23d7bdf520c3e7ac538c1ceb7b555 SHA256: a8c8b1fd20d79235fd74f7c3722453412ad5ff589bbd8e3ce300e364e3495c2e http://researchcenter.paloaltonetworks.com/2017/02/unit42-banking-trojans-ursnif-global-distribution-networks-identified/
M16-hb801	Tinba_1fc3ea4a	Windows	This strike sends a malware sample known as Tinba. Tinba is a bank trojan that was first seen in 2012, it is commonly distributed through malware spam emails or malvertising. As a bank trojan, it's main capability is the ability to perform a man-in-the-browser attack.	1fc3ea4a9bf2b6e546a25dd5601517f0	SHA1: 6ac08d546363cb0fb60cde9798730b7f815b08c0 MD5: 1fc3ea4a9bf2b6e546a25dd5601517f0 SHA256: 43740f3254084090f5d9dc5e74af184b8021a3e07c4d0e645f227852eccb0020 http://researchcenter.paloaltonetworks.com/2017/02/unit42-banking-trojans-ursnif-global-distribution-networks-identified/
M16-usr01	Shiotob_16efcafb	Windows	This strike sends a malware sample known as Shiotob. Shiotob is a banking Trojan also known as URLZone and Bebloh. Most often spread in email attachments. It can steal passwords from FTP clients and email, send the URLs of websites that have been visited by the user, as well as steal data entered in browser forms. Shiotob is a banking Trojan also known as URLZone and Bebloh.	16efcafb19deb49f5c48df2a7297e4f7	SHA1: 0fe15ab3bad991ae46d649550aed79bda9e7aafa MD5: 16efcafb19deb49f5c48df2a7297e4f7 SHA256: fed5de3f9dbc37cf404e3a530d3358e6c1fbaf1a7d4833d19184b492a6f0da6b http://researchcenter.paloaltonetworks.com/2017/02/unit42-banking-trojans-ursnif-global-distribution-networks-identified/
M16-mmk01	Pushdo_4f01c4a9	Windows	This strike sends a malware sample known as Pushdo. Pushdo reports back to one of several control server IP addresses embedded in it code. The server listens on TCP port 80, and pretends to be an Apache webserver.	4f01c4a93ac21fb89869674414ccfed5	SHA1: d4a58f72a0331e5d8b990ef5fe43a82e68d1af3f MD5: 4f01c4a93ac21fb89869674414ccfed5 SHA256: 676a14cda7ff14af9d944326ec4635facf9eb999208f5a7badbeff76d55321e4 http://researchcenter.paloaltonetworks.com/2017/02/unit42-banking-trojans-ursnif-global-distribution-networks-identified/
M16-4bi01	Ursnif_79f01039	Windows	This strike sends a malware sample known as Ursnif. Ursnif or Gozi is a banking trojan. The malware is mainly spread through spam email that contains an attachment that downloads Ursnif. In the past year, Ursnif has been used in attacks against Japan.	79f010394a2504472449d9c2c4ea8f64	SHA1: 84d6eeb4ad34d7ac0089bcb557930830b6381708 MD5: 79f010394a2504472449d9c2c4ea8f64 SHA256: 1f739f3f90382fb729401085388e2142d12fac724684c5b3dcf367b645781695 http://www.securityweek.com/ursnif-banking-trojan-uses-new-sandbox-evasion-techniques http://securityaffairs.co/wordpress/56473/breaking-news/ursnif-banking-trojan-botnet.html http://researchcenter.paloaltonetworks.com/2017/02/unit42-banking-trojans-ursnif-global-distribution-networks-identified/
M16-w1w01	Marcher_80c797ac	Android	This strike sends a malware sample known as Marcher. Marcher is an Android banking trojan that has been around since 2013. New strains of this malware have been seen by security experts and they are being spread through SMS/MMS containing links to popular Android applications.	80c797acf9bdbe225e877520275e15f5	SHA1: f255de54ffbff87067cfa7bc30d6d87a00aded8f MD5: 80c797acf9bdbe225e877520275e15f5 SHA256: fcd18a2b174a9ef22cd74bb3b727a11b4c072fcef316aefbb989267d21d8bf7d http://securityaffairs.co/wordpress/56258/malware/marcher-android-banking-trojan.html https://www.securify.nl/blog/SFY20170202/marcher___android_banking_trojan_on_the_rise.html
M16-9r901	Marcher_9ddeda87	Android	This strike sends a malware sample known as Marcher. Marcher is an Android banking trojan that has been around since 2013. New strains of this malware have been seen by security experts, and they are being spread through SMS/MMS containing links to popular Android applications.	9ddeda87e85a17f25ac9ed86190b018e	SHA1: c2569b8206a9bd74b13b36ea7e2ebaac3a7626cb MD5: 9ddeda87e85a17f25ac9ed86190b018e SHA256: b087728f732ebb11c4a0f06e02c6f8748d621b776522e8c1ed3fb59a3af69729 http://securityaffairs.co/wordpress/56258/malware/marcher-android-banking-trojan.html https://www.securify.nl/blog/SFY20170202/marcher___android_banking_trojan_on_the_rise.html
M16-76j01	StegBaus_ab818477	Windows	This strike sends a malware sample known as StegBaus. StegBaus is originally distributed in a .NET-compiled executable that uses Confuser v1.9.0.0 obfuscation. It contains many advanced data hiding techniques and has been seen delivering numerous different commodity malware families.	ab8184779f32477f7b965299e0ed2119	SHA1: 3f443529ec7994ff5b5c57e489b906f7fae19281 MD5: ab8184779f32477f7b965299e0ed2119 SHA256: 669e80679707bd00bf48994cf9d4fee5b58f6b87534cf7da5aefe71c0bee3d34 http://researchcenter.paloaltonetworks.com/2017/02/unit42-stegbaus-because-sometimes-xor-just-isnt-enough/
M16-3e401	Locky_5384149b	Mixed	This strike sends a malware sample known as Locky. Locky is a ransomware for Windows systems which appeared at the beginning of 2016. The malicious code for this particular malware relies on JavaScript attachments to download itself. Like other ransomware, it encrypts local files as well as network shares and renames them to [unique_id][identifier].locky. The victim is requested to pay a ransom to get the files decrypted.	5384149bb0fc79d8b1c1042764ae34b9	SHA1: 972ba459d35bf413e28fe37de327dc75d930d108 MD5: 5384149bb0fc79d8b1c1042764ae34b9 SHA256: 0822a63725345e6b8921877367e43ee23696d75f712a9c54d5442dbc0d5f2056 http://blog.talosintel.com/2017/01/locky-struggles.html https://continuum.cisco.com/2017/01/20/talos-locky-takes-a-break-and-returns-with-new-tricks/ http://securityaffairs.co/wordpress/55514/cyber-crime/necurs-botnet-returns.html
M16-frf01	FireCrypt_d8e99fca	Windows	This strike sends a malware sample known as FireCrypt. FireCrypt is a ransomware that appends .firecrypt to the encrypted files.	d8e99fcae9a469c2081e7ff01675c361	SHA1: ef7c4358717ec9d04b9adc8e40b1eb928885ebf0 MD5: d8e99fcae9a469c2081e7ff01675c361 SHA256: 757e3242f6a2685ed9957c9e66235af889a7accead5719514719106d0b3c6fb4 https://www.bleepingcomputer.com/news/security/firecrypt-ransomware-comes-with-a-ddos-component/ http://securityaffairs.co/wordpress/55081/malware/firecrypt-ransomware.html
M16-19901	KINS_2f9cdc2a	Windows	This strike sends a malware sample known as KINS. KINS is a ZeuS Trojan variant. KINS has a modular structure, basic offer includes a bootkit, a dropper, DLLS and Zeus-compatible web injects. KINS trojan comes with the Anti-Rapport plugin which was featured in SpyEye.	2f9cdc2a7ce846fe626e47451f7fd63e	SHA1: b8fcbf49aac665f338f1d3f8dd2120a2d987006e MD5: 2f9cdc2a7ce846fe626e47451f7fd63e SHA256: bd6b9940e87be866fd8cb893769c51a3e4266452f97270a97bc13685b420d308 http://researchcenter.paloaltonetworks.com/2017/02/unit42-banking-trojans-ursnif-global-distribution-networks-identified/
M16-3hi01	Shiotob_863bd784	Windows	This strike sends a malware sample known as Shiotob. Shiotob is a banking Trojan also known as URLZone and Bebloh. Most often spread in email attachments. It can steal passwords from FTP clients and email, send the URLs of websites that have been visited by the user, as well as steal data entered in browser forms.	863bd784a74ccf76afc69ba099185ba9	SHA1: 07bb89d6a8c16c6d91147702e3f7b8b4c013c3e1 MD5: 863bd784a74ccf76afc69ba099185ba9 SHA256: e0bdde6336208df8807c299ef8157ec7fd9e777dfd1cc1d49534c19e1a44f811 http://researchcenter.paloaltonetworks.com/2017/02/unit42-banking-trojans-ursnif-global-distribution-networks-identified/
M16-wsw01	StegBaus_9eeb3a21	Windows	This strike sends a malware sample known as StegBaus. StegBaus is originally distributed in a .NET-compiled executable that uses Confuser v1.9.0.0 obfuscation. It contains many advanced data hiding techniques and has been seen delivering numerous different commodity malware families.	9eeb3a21ffe751bda6f708072ea8a74b	SHA1: 84b177a20e13f719d22090a40cbf70f747ea4052 MD5: 9eeb3a21ffe751bda6f708072ea8a74b SHA256: 7a457ced31004aeccbbdc169b66a02a55a38bd1934c0ed54d97a69980945f487 http://researchcenter.paloaltonetworks.com/2017/02/unit42-stegbaus-because-sometimes-xor-just-isnt-enough/
M16-31t01	Shiotob_6db1e83f	Windows	This strike sends a malware sample known as Shiotob. Shiotob is a banking Trojan also known as URLZone and Bebloh. Most often spread in email attachments. It can steal passwords from FTP clients and email, send the URLs of websites that have been visited by the user, as well as steal data entered in browser forms.	6db1e83ff48abcf6906a6711b40d5e82	SHA1: 87c924139c6871d77c4a86f0b323d1b5749f7093 MD5: 6db1e83ff48abcf6906a6711b40d5e82 SHA256: 0733779b99ccced9808136088e08bed6518097fd892c51c150a5d7e99b755562 http://researchcenter.paloaltonetworks.com/2017/02/unit42-banking-trojans-ursnif-global-distribution-networks-identified/
M16-p2601	StegBaus_9f34374a	Windows	This strike sends a malware sample known as StegBaus. StegBaus is originally distributed in a .NET-compiled executable that uses Confuser v1.9.0.0 obfuscation. It contains many advanced data hiding techniques and has been seen delivering numerous different commodity malware families.	9f34374aecde06cc5b3c8474bcc2b367	SHA1: 4321b67966538f1fe66e25e3a04df5b123bf5885 MD5: 9f34374aecde06cc5b3c8474bcc2b367 SHA256: b97c36f7d7118ab964ac7e7337dd3de0ab86cb286e724f3787b358aef5f2a5f1 http://researchcenter.paloaltonetworks.com/2017/02/unit42-stegbaus-because-sometimes-xor-just-isnt-enough/
M16-x7k01	HummingWhale_0a533a3f	Android	This strike sends a malware sample known as HummingWhale. HummingWhale is an Android malware. HmmingWhale is a newer variant of HummingBad malware. It is hiding in more than 20 applications in Google Play Store.	0a533a3f76496e57d11a9d6c3ed3258b	SHA1: 8c6ce6029d4646fdadb4fc262c7863a3da809f07 MD5: 0a533a3f76496e57d11a9d6c3ed3258b SHA256: d644444e6a8c7033df94fbc4fb7303441067933dcb085fd47c60903055c33f98 http://blog.checkpoint.com/2017/01/23/hummingbad-returns/ http://thehackernews.com/2017/01/hummingbad-android-malware.html
M16-klw01	KINS_27ef0d56	Windows	This strike sends a malware sample known as KINS. KINS is a ZeuS Trojan variant. KINS has a modular structure, basic offer includes a bootkit, a dropper, DLLS and Zeus-compatible web injects. KINS trojan comes with the Anti-Rapport plugin which was featured in SpyEye.	27ef0d565b8a125806fc0811c8eddd48	SHA1: e023d169ae10e19f24a260ff2e8d0b7b8c1ba2e2 MD5: 27ef0d565b8a125806fc0811c8eddd48 SHA256: ea05b0aff29ff657a578eed301f79a2ae7a469cda10030151426eff85b2390ea http://researchcenter.paloaltonetworks.com/2017/02/unit42-banking-trojans-ursnif-global-distribution-networks-identified/
M16-uy101	HummingWhale_baad5914	Android	This strike sends a malware sample known as HummingWhale. HummingWhale is an Android malware.	baad591455367c2682c16336ff5769e9	SHA1: 8b41f9ab61ebead1e2a40282210742e0a3692169 MD5: baad591455367c2682c16336ff5769e9 SHA256: c752d601de41b08d1a94eb719584ce7813984217c7417b27c4b2adaedaf760bc http://blog.checkpoint.com/2017/01/23/hummingbad-returns/ http://thehackernews.com/2017/01/hummingbad-android-malware.html
M16-ufp01	Ursnif_f3c82e20	Windows	This strike sends a malware sample known as Ursnif. Ursnif or Gozi is a banking trojan. The malware is mainly spread through spam email that contains an attachment that downloads Ursnif. In the past year, Ursnif has been used in attacks against Japan.	f3c82e209d94b592b30acd740ea145e1	SHA1: 449caf7925e874087a7005c7aa8862e434a6972a MD5: f3c82e209d94b592b30acd740ea145e1 SHA256: c7a2bc376d6ddfc678e7c7b3324b021edf19c896a80ab1ec7c2f36bc004ef29e http://www.securityweek.com/ursnif-banking-trojan-uses-new-sandbox-evasion-techniques http://securityaffairs.co/wordpress/56473/breaking-news/ursnif-banking-trojan-botnet.html http://researchcenter.paloaltonetworks.com/2017/02/unit42-banking-trojans-ursnif-global-distribution-networks-identified/
M16-vn201	Shiotob_c46e6aee	Windows	This strike sends a malware sample known as Shiotob. Shiotob is a banking Trojan also known as URLZone and Bebloh. Most often spread in email attachments. It can steal passwords from FTP clients and email, send the URLs of websites that have been visited by the user, as well as steal data entered in browser forms.	c46e6aee8bd512fdedbee688e105df16	SHA1: cd34148a1ce37b13389647674653e981cfacd522 MD5: c46e6aee8bd512fdedbee688e105df16 SHA256: 124e6d6d3da321ad04e7f3aa9ae1b29fea2f382e8903a72ce48091cce47127ce http://researchcenter.paloaltonetworks.com/2017/02/unit42-banking-trojans-ursnif-global-distribution-networks-identified/
M16-yos01	Spora_fbc7d35f	Windows	This strike sends a malware sample known as Spora. Spora is a ransomware written in C that has a ransom note written in Russian. Spora does not rename the files after it encrypts them.	fbc7d35f452a291cf4aba1f56fd787e5	SHA1: 236ca7ced117da12a3873f28c458cc6427702ba4 MD5: fbc7d35f452a291cf4aba1f56fd787e5 SHA256: 3a8067a03ed287888b90cf706b60ae12dc2881fe859fb1d42714ccd7dd7e16ed https://www.bleepingcomputer.com/news/security/spora-ransomware-works-offline-has-the-most-sophisticated-payment-site-as-of-yet/
M16-qvo01	Locky_5c79eab9	Windows	This strike sends a malware sample known as Locky. Locky is a ransomware for Windows systems which appeared at the beginning of 2016. The malicious code for this particular malware relies on JavaScript attachments to download itself. Like other ransomware, it encrypts local files as well as network shares and renames them to [unique_id][identifier].locky. The victim is requested to pay a ransom to get the files decrypted.	5c79eab9b160e423f32e52fc3477e0ab	SHA1: 13d379790ae8bdde0820e17521bf8217368fde97 MD5: 5c79eab9b160e423f32e52fc3477e0ab SHA256: ec9c06a7cf810b07c342033588d2e7f5741e7acbea5f0c8e7009f6cc7087e1f7 http://blog.talosintel.com/2017/01/locky-struggles.html https://continuum.cisco.com/2017/01/20/talos-locky-takes-a-break-and-returns-with-new-tricks/ http://securityaffairs.co/wordpress/55514/cyber-crime/necurs-botnet-returns.html
M16-t4g01	Ursnif_4da11c82	Windows	This strike sends a malware sample known as Ursnif. Ursnif or Gozi is a banking trojan. The malware is mainly spread through spam email that contains an attachment that downloads Ursnif. In the past year, Ursnif has been used in attacks against Japan.	4da11c829f8fea1b690f317837af8387	SHA1: 00c6ce1031f88b5276a5335e68fba663e769dadd MD5: 4da11c829f8fea1b690f317837af8387 SHA256: 3af18232a9175dea624a7947e6edef6a57457bdf6d3ba0ead58856a139db2832 http://www.securityweek.com/ursnif-banking-trojan-uses-new-sandbox-evasion-techniques http://securityaffairs.co/wordpress/56473/breaking-news/ursnif-banking-trojan-botnet.html http://researchcenter.paloaltonetworks.com/2017/02/unit42-banking-trojans-ursnif-global-distribution-networks-identified/
M16-67f01	Zeus_30e8ddf1	Windows	This strike sends a malware sample known as Zeus. ZeuS performs stolen data exfiltration and remote commands via encrypted HTTP POST requests to a Command and Control web server. The encryption ZeuS uses is RC4, with a key that is embedded in the binary. While the primary function of this malware is to commit financial fraud, its general information stealing behaviors make it a threat to all enterprises.	30e8ddf16279b6dacc6f9d47186b58f3	SHA1: 5ead66a3ee3f3bab0dc6a87ee6f935028ae23ebb MD5: 30e8ddf16279b6dacc6f9d47186b58f3 SHA256: 4b66d77bd775c7695f7211b95808e14c5cbef8c6d69e3749b21868bad296f22e http://researchcenter.paloaltonetworks.com/2017/02/unit42-banking-trojans-ursnif-global-distribution-networks-identified/
M16-wx401	Pushdo_c7bebfb8	Windows	This strike sends a malware sample known as Pushdo. Pushdo is a downloader trojan. When executed, Pushdo reports back to one of several control server IP addresses embedded in it code. The server listens on TCP port 80, and pretends to be an Apache webserver.	c7bebfb87ebea9eea43eeb681f7ff59b	SHA1: fa1e574e9fd240e27f4f1b7449e4dac555bebe0a MD5: c7bebfb87ebea9eea43eeb681f7ff59b SHA256: 59a512bcd4af8aef4769ce8b4f31c5116c2e9b6bd09e76f4824a073072ea822e http://researchcenter.paloaltonetworks.com/2017/02/unit42-banking-trojans-ursnif-global-distribution-networks-identified/
M16-sec01	Tinba_7b9227f9	Windows	This strike sends a malware sample known as Tinba. Tinba is a bank trojan that was first seen in 2012, it is commonly distributed through malware spam emails or malvertising. As a bank trojan, it's main capability is the ability to perform a man-in-the-browser attack.	7b9227f98eea65ad3cab1e755cc825a0	SHA1: afb49223eafa9a12edc77f490c7270d6ae290da1 MD5: 7b9227f98eea65ad3cab1e755cc825a0 SHA256: 0482ac285c4e941a82de2425c3572ef2b951f90423d85627a282147fb3b95d14 http://researchcenter.paloaltonetworks.com/2017/02/unit42-banking-trojans-ursnif-global-distribution-networks-identified/
M16-hn501	Pushdo_ef9eb44e	Windows	This strike sends a malware sample known as Pushdo. Pushdo is a downloader trojan. When executed, Pushdo reports back to one of several control server IP addresses embedded in it code. The server listens on TCP port 80, and pretends to be an Apache webserver.	ef9eb44ef708237cde29d841279e5371	SHA1: 43ab4c6809505a47c0c63b4d46d455f4fb28528a MD5: ef9eb44ef708237cde29d841279e5371 SHA256: e061a37cef414f8943972bf0fd2a990f7283a07b460aa2c9292c00323432f3b4 http://researchcenter.paloaltonetworks.com/2017/02/unit42-banking-trojans-ursnif-global-distribution-networks-identified/
M16-vr301	StegBaus_ee4165ed	Windows	This strike sends a malware sample known as StegBaus. StegBaus is originally distributed in a .NET-compiled executable that uses Confuser v1.9.0.0 obfuscation. It contains many advanced data hiding techniques and has been seen delivering numerous different commodity malware families.	ee4165edd514e03664e32b1ca162f99a	SHA1: 048ae25b235d203c01f82ea73bbccb7bf73dfd61 MD5: ee4165edd514e03664e32b1ca162f99a SHA256: e1fdd18455a4b256616f450af719721596804987a5fed0f8ef8fb0a96ab3b45e http://researchcenter.paloaltonetworks.com/2017/02/unit42-stegbaus-because-sometimes-xor-just-isnt-enough/
M16-vtv01	KINS_ed09632e	Windows	This strike sends a malware sample known as KINS. KINS is a ZeuS Trojan variant. KINS has a modular structure, basic offer includes a bootkit, a dropper, DLLS and Zeus-compatible web injects. KINS trojan comes with the Anti-Rapport plugin which was featured in SpyEye.	ed09632e3d549edb8f31eaac5562df7c	SHA1: d78f465ffb433d4f2c9382e22e028709567c7eba MD5: ed09632e3d549edb8f31eaac5562df7c SHA256: 62989ab56f11701b109cddf0eb20e995c833078bb40942a8c931589497c25948 http://researchcenter.paloaltonetworks.com/2017/02/unit42-banking-trojans-ursnif-global-distribution-networks-identified/
M16-7ie01	Ursnif_4d5abd97	Windows	This strike sends a malware sample known as Ursnif. Ursnif or Gozi is a banking trojan. The malware is mainly spread through spam email that contains an attachment that downloads Ursnif. In the past year, Ursnif has been used in attacks against Japan.	4d5abd974d213339274581a49e9c2780	SHA1: 84d211bdd139ac61f760a3d396c7e19680163313 MD5: 4d5abd974d213339274581a49e9c2780 SHA256: 5feeee23ecd310ed552b56c1992d5e7f6dbf4e656224a9f3073b83770768e994 http://www.securityweek.com/ursnif-banking-trojan-uses-new-sandbox-evasion-techniques http://securityaffairs.co/wordpress/56473/breaking-news/ursnif-banking-trojan-botnet.html http://researchcenter.paloaltonetworks.com/2017/02/unit42-banking-trojans-ursnif-global-distribution-networks-identified/
M16-r2201	JobCrypter_5d4076d6	Windows	This strike sends a malware sample known as JobCrypter. JobCrypter is a ransomware that has recently been seen in the wild. The JobCrypter Ransomware drops TXT files on the victim's computer with information about the ransom payment.	5d4076d6ca3391330504b9496c5d325c	SHA1: ba1117865e17966bb90be636a256dfe03a0646c6 MD5: 5d4076d6ca3391330504b9496c5d325c SHA256: d3ffc11e941727382d24f252d9627d126aabd9a0fc859436a74c06d31e6f5d2e https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-february-10th-2017-serpent-spora-id-ransomware/
M16-xj001	Spora_570e9cf4	Windows	This strike sends a malware sample known as Spora. Spora is a ransomware written in C that has a ransom note written in Russian. Spora does not rename the files after it encrypts them.	570e9cf484050e21346bcdcb99824d77	SHA1: f889cbfd2f25e65fae443c9f70192bd310a04b51 MD5: 570e9cf484050e21346bcdcb99824d77 SHA256: 2637247ad66e6e57a68093528bb137c959cdbb438764318f09326fc8a79bdaaf https://www.bleepingcomputer.com/news/security/spora-ransomware-works-offline-has-the-most-sophisticated-payment-site-as-of-yet/
M16-ja801	Rovnix_af2016cf	Windows	This strike sends a malware sample known as Rovnix. ROVNIX writes malicious rootkit drivers to an unpartitioned space of the NTFS drive. This effectively hides the driver since this unpartitioned space cannot be seen by the operating system and security products. To load the malicious driver, ROVNIX modifies the contents of the IPL. This code is modified so that the malicious rootkit driver is loaded before the operating system.	af2016cf2b5d04543a94d83447103fc3	SHA1: 172f38ad7a33e0c393863d0cd75b4a9ce8508fbc MD5: af2016cf2b5d04543a94d83447103fc3 SHA256: fdca8fa4368763899eff263d472850273ac9df672e0867d4aa3546bb439be291 http://researchcenter.paloaltonetworks.com/2017/02/unit42-banking-trojans-ursnif-global-distribution-networks-identified/
M16-y1u01	KINS_9fa264ba	Windows	This strike sends a malware sample known as KINS. KINS is a ZeuS Trojan variant. KINS has a modular structure, basic offer includes a bootkit, a dropper, DLLS and Zeus-compatible web injects. KINS trojan comes with the Anti-Rapport plugin which was featured in SpyEye.	9fa264baf6f92a626949352923fb679d	SHA1: e8c636eee1ad5ec3384a0eb61ad4759c76ad11ce MD5: 9fa264baf6f92a626949352923fb679d SHA256: f3bf1e6cfd4a21f6f6907833bfbd9d44a9499eea4e27c0e4415f7e3975fa559f http://researchcenter.paloaltonetworks.com/2017/02/unit42-banking-trojans-ursnif-global-distribution-networks-identified/
M16-wym01	Shiotob_4a8b8eb2	Windows	This strike sends a malware sample known as Shiotob. Shiotob is a banking Trojan also known as URLZone and Bebloh. Most often spread in email attachments. It can steal passwords from FTP clients and email, send the URLs of websites that have been visited by the user, as well as steal data entered in browser forms.	4a8b8eb2afd717b679ffc800740b3bd2	SHA1: 26866a6d392db1f8a0c8d25a1746bd268be96d6b MD5: 4a8b8eb2afd717b679ffc800740b3bd2 SHA256: dbe42c50bfa0dd6fe0b236fe5371bc294f43d48bbf1243d4f3b2a98041f0d3ab http://researchcenter.paloaltonetworks.com/2017/02/unit42-banking-trojans-ursnif-global-distribution-networks-identified/
M16-4wa01	Tinba_1fa127ce	Windows	This strike sends a malware sample known as Tinba. Tinba is a bank trojan that was first seen in 2012, it is commonly distributed through malware spam emails or malvertising. As a bank trojan, it's main capability is the ability to perform a man-in-the-browser attack.	1fa127ced06dac4a7f1b422dd4955327	SHA1: c2a11ce032de364c6edb0a2716d4542ad0b8ec84 MD5: 1fa127ced06dac4a7f1b422dd4955327 SHA256: 94c12b0de0e28a5c88d9b3242793f1d1cd4ff4a86a4bce991e68f3d2e04c56a6 http://researchcenter.paloaltonetworks.com/2017/02/unit42-banking-trojans-ursnif-global-distribution-networks-identified/
M16-ebh01	PortugueseRansomware_8a3a3256	Windows	This strike sends a malware sample known as PortugueseRansomware. PortugueseRansomware is a new ransomware that has its ransom note written in Portuguese.	8a3a3256e0a6916812d559f745775a89	SHA1: 9c1cb81a9e715f0b031db7b289946c5fab87f1c2 MD5: 8a3a3256e0a6916812d559f745775a89 SHA256: cab632fca64fc77a1f55168ad94561a8e98e47a6b27adcb5419e81fee90c959b https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-february-10th-2017-serpent-spora-id-ransomware/
M16-h8901	KINS_39f5ace4	Windows	This strike sends a malware sample known as KINS. KINS is a ZeuS Trojan variant. KINS has a modular structure, basic offer includes a bootkit, a dropper, DLLS and Zeus-compatible web injects. KINS trojan comes with the Anti-Rapport plugin which was featured in SpyEye.	39f5ace4ec18e8b7c6de54e6fc6d86f3	SHA1: 74f4211bf2b352bbdb308ffd85ad70cb60c50a11 MD5: 39f5ace4ec18e8b7c6de54e6fc6d86f3 SHA256: 0f300996a5d57c43b90bf97f158fed23709284b1fe4bbcabc6b843538f4fe961 http://researchcenter.paloaltonetworks.com/2017/02/unit42-banking-trojans-ursnif-global-distribution-networks-identified/
M16-nn401	Shiotob_69be1e62	Windows	This strike sends a malware sample known as Shiotob. Shiotob is a banking Trojan also known as URLZone and Bebloh. Most often spread in email attachments. It can steal passwords from FTP clients and email, send the URLs of websites that have been visited by the user, as well as steal data entered in browser forms.	69be1e62b00ba27cc4ae0e3b41720d41	SHA1: afc6f64765529ba12da69f3ea536fca661ae4610 MD5: 69be1e62b00ba27cc4ae0e3b41720d41 SHA256: 164eab81c9ef0b14b4f93f7f5b60b0111d9eb3de3131c35f2f388837e0309b9e http://researchcenter.paloaltonetworks.com/2017/02/unit42-banking-trojans-ursnif-global-distribution-networks-identified/
M16-s8z01	Tinba_d7669dd5	Windows	This strike sends a malware sample known as Tinba. Tinba is a bank trojan that was first seen in 2012, it is commonly distributed through malware spam emails or malvertising. As a bank trojan, it's main capability is the ability to perform a man-in-the-browser attack.	d7669dd586396502b25c9ebf37b10db4	SHA1: 11ed83c66bd226a52915327bebc3cb073d579505 MD5: d7669dd586396502b25c9ebf37b10db4 SHA256: fcee667cb6900ddf55029f1f806995f73cd5be75912f1c94c905a6d177353e1f http://researchcenter.paloaltonetworks.com/2017/02/unit42-banking-trojans-ursnif-global-distribution-networks-identified/
M16-hb501	Pushdo_6f58a94b	Windows	This strike sends a malware sample known as Pushdo. Pushdo reports back to one of several control server IP addresses embedded in it code. The server listens on TCP port 80, and pretends to be an Apache webserver.	6f58a94b52aae9f0fe5c1256a4ce19a8	SHA1: 1e147caade60277be732659a33878b3ff44d7b6a MD5: 6f58a94b52aae9f0fe5c1256a4ce19a8 SHA256: 242f192b9e985864ba5e3f6b0cb15efc280980e2b097d2ebaabd1d8de7117663 http://researchcenter.paloaltonetworks.com/2017/02/unit42-banking-trojans-ursnif-global-distribution-networks-identified/
M16-7iu01	Cerber_208a394b	Windows	This strike sends a malware sample known as Cerber. Cerber is a ransomware-type malware that infiltrates systems and encrypting various file types. After encrypting files, Cerber ransomware changes the desktop wallpaper with one that provides instructions of what to do and how much to pay in order to get your files decrypted.	208a394b211726ac07d668ac28ad7ec1	SHA1: e89fb7405e242e359b652e5dd1276d4ba20c5aed MD5: 208a394b211726ac07d668ac28ad7ec1 SHA256: 547d791a4d8847926b250648898925ffe5ee41d636adc36aa3c1134cf43322de http://blog.trendmicro.com/trendlabs-security-intelligence/recent-spam-runs-in-germany-show-how-threats-intend-to-stay-in-the-game/

Malware Strikes January - 2017

Strike ID	Malware	Platform	Info	MD5	External References
M16-xku01	Sage_b1bfa47e	Windows	This strike sends a malware sample known as Sage. Sage is a ransomware. It is considered to be a variant of CryLocker ransomware. Sage is distributed through Sundown and RIG exploit kits.	b1bfa47e9776793c4d83f0c6fdad379c	SHA1: 5b1428cce7ef22e6d9da05da79a4e3d9bb872bba MD5: b1bfa47e9776793c4d83f0c6fdad379c SHA256: 362baeb80b854c201c4e7a1cfd3332fd58201e845f6aebe7def05ff0e00bf339 https://isc.sans.edu/diary/Sage%2B2.0%2BRansomware/21959 http://securityaffairs.co/wordpress/55650/malware/sage-2-0-ransomware.html
M16-icm01	EyePyramid_14db577a	Windows	This strike sends a malware sample known as EyePyramid. EyePyramid is a malware that targets politicians, bankers and law enforcement personalities in Italy. It is spread via phishing emails and after infection it grants access to all resources on the infected machine.	14db577a9b0bfc62f3a25a9a51765bc5	SHA1: 6b3e554e28b74343eee12fd801b166f7ac2f8234 MD5: 14db577a9b0bfc62f3a25a9a51765bc5 SHA256: 3b86409c26889be4fef9f3c4718193e1ea4d0e6551ec09eb55831dba761aecaa http://securityaffairs.co/wordpress/55285/cyber-crime/eyepyramid-espionage-campaign.html https://securelist.com/blog/incidents/77098/the-eyepyramid-attacks/
M16-p6y01	Cerber_6f0b1c63	Mixed	This strike sends a malware sample known as Cerber. Cerber is a ransomware-type malware that infiltrates systems and encrypts various file types. After encrypting the files, Cerber changes the desktop wallpaper with one that provides instructions of what to do and how much to pay in order to get your files decrypted.	6f0b1c63aa8e3ab57fe308d6c67c8413	SHA1: 71fa6f482f001922d75a2fba5eea6a36338aa2a3 MD5: 6f0b1c63aa8e3ab57fe308d6c67c8413 SHA256: 40f70b1e12dcabba4303a98a324d421e69c9ae60746cbf2f026f1d9da2d8cd70 http://blog.trendmicro.com/trendlabs-security-intelligence/recent-spam-runs-in-germany-show-how-threats-intend-to-stay-in-the-game/
M16-qb701	Ploutus_5af1f928	Windows	This strike sends a malware sample known as Ploutus. Ploutus is an ATM malware that was discovered in 2013. Ploutus' main purpose is to empty an ATM without the requirement of an ATM card.	5af1f92832378772a7e3b07a0cad4fc5	SHA1: dadf8493072a479950af004a58fa774f83fc984c MD5: 5af1f92832378772a7e3b07a0cad4fc5 SHA256: aee97881d3e45ba0cae91f471db78aded16bcff1468d9e66edf9d3c0223d238f http://securityaffairs.co/wordpress/55334/cyber-crime/ploutus-d.html https://www.fireeye.com/blog/threat-research/2017/01/new_ploutus_variant.html
M16-9g701	BleedGreen_c82617e2	Windows	This strike sends a malware sample known as BleedGreen. BleedGreen is the FileCrupy malware builder.	c82617e2ea031d93d5c2ea8165656753	SHA1: 62e495b8e7bf597cb5fac48828f808d46f064930 MD5: c82617e2ea031d93d5c2ea8165656753 SHA256: e77df2ce34949eb11290445a411a47fb927e8871e2580897581981d17730032d http://securityaffairs.co/wordpress/55081/malware/firecrypt-ransomware.html https://www.bleepingcomputer.com/news/security/firecrypt-ransomware-comes-with-a-ddos-component/
M16-2uz01	MerryXmas_887b35a8	Windows	This strike sends a malware sample known as MerryXmas. MerryXmas is a ransomware distributed as malicious spams disguised as customer complaints. This ransomware adds .RMCM1 extension to all encrypted files.	887b35a87fb75e2d889694143e3c9014	SHA1: c8be4500127bfce10ab38152a8a5003b75613603 MD5: 887b35a87fb75e2d889694143e3c9014 SHA256: 78cc9626bb8d6f9d8ddf8236c197894a86f9d54a294b38c9c0b82744496b3fae http://www.infosecurity-magazine.com/news/merry-christmas-ransomware-hangs/ https://isc.sans.edu/forums/diary/Merry+XMas+ransomware+from+Sunday+20170108/21905
M16-3tc01	Marlboro_48629562	Windows	This strike sends a malware sample known as Marlboro. Marlboro is a ransomware that appends ".oops" extension to the encrypted files.	4862956228816276ab2b1baaa019d4f8	SHA1: 99911950e0d1fd1728d5b80da43a16d90e41ec45 MD5: 4862956228816276ab2b1baaa019d4f8 SHA256: b5c37f3cf90026a815925aa4d53882823221c97127a378f0beb1b8276686caad https://www.bleepingcomputer.com/news/security/marlboro-ransomware-defeated-in-one-day/
M16-kw601	HummingWhale_4c635fcc	Android	This strike sends a malware sample known as HummingWhale. HummingWhale is an Android malware. HummingWhale is a newer variant of HummingBad malware. It is hiding in more than 20 applications in Google Play Store.	4c635fcce49743de86d8f9cc58d2de8b	SHA1: a87e15abc1b15443275e4d12d08d8070b793cec2 MD5: 4c635fcce49743de86d8f9cc58d2de8b SHA256: 0908a85853e1c472e9fe02b787c5e3bee4f42a448185a6e033797b5a0ee00f54 http://blog.checkpoint.com/2017/01/23/hummingbad-returns/ http://thehackernews.com/2017/01/hummingbad-android-malware.html
M16-bzi01	HummingWhale_700b2e0f	Android	This strike sends a malware sample known as HummingWhale. HummingWhale is an Android malware. HummingWhale is a newer variant of HummingBad malware. It is hiding in more than 20 applications in Google Play Store.	700b2e0fb8f6fc866599255347ddde76	SHA1: 5a747c5cd2f36b9731b097321a956001afe7c8eb MD5: 700b2e0fb8f6fc866599255347ddde76 SHA256: 32d9c801ffccad7d95f3eb256ca23c585329863a19d0316f7bedc556b5d59d8f http://blog.checkpoint.com/2017/01/23/hummingbad-returns/ http://thehackernews.com/2017/01/hummingbad-android-malware.html
M16-6e701	Marlboro_52d66a72	Mixed	This strike sends a malware sample known as Marlboro. Marlboro is a ransomware that appends ".oops" extension to the encrypted files.	52d66a72a492ef85bff1ea562fedf490	SHA1: 91902bd2e95502d12cc8c00b8ef289e2b01e84a1 MD5: 52d66a72a492ef85bff1ea562fedf490 SHA256: a2cf2ccc1d4a71ead386156b8c39a4f6240068cf9af485513284bf98662ae9b3 https://www.bleepingcomputer.com/news/security/marlboro-ransomware-defeated-in-one-day/
M16-k7m01	Cerber_7d181574	Windows	This strike sends a malware sample known as Cerber. Cerber is a ransomware-type malware that infiltrates systems and encrypts various file types. After encrypting the files, Cerber changes the desktop wallpaper with one that provides instructions of what to do and how much to pay in order to get your files decrypted.	7d181574893ec9cb2795166623f8e531	SHA1: 79440d8b1e4b8fa222f1be78435f43f86796f6dc MD5: 7d181574893ec9cb2795166623f8e531 SHA256: a098c20dd46c6afa031bb653cd6d6eede4260a5a6244cf8c1dffcb4d8565b404 http://blog.trendmicro.com/trendlabs-security-intelligence/recent-spam-runs-in-germany-show-how-threats-intend-to-stay-in-the-game/
M16-m6n01	Satan_c50deba5	Windows	This strike sends a malware sample known as Satan. Satan is a Ransomware as a Service (RaaS) which enables any criminal to create their own variant of Satan ransomware.	c50deba5542672ce85086c6ad747a1e4	SHA1: 25bb2935f75e15b4117779b93d064367049b5fa9 MD5: c50deba5542672ce85086c6ad747a1e4 SHA256: c04836696d715c544382713eebf468aeff73c15616e1cd8248ca8c4c7e931505 http://securityaffairs.co/wordpress/55487/malware/satan-raas.html https://www.pcrisk.com/removal-guides/10854-satan-ransomware
M16-2vc01	MerryXmas_1a7d5e0f	Mixed	This strike sends a malware sample known as MerryXmas. MerryXmas is a ransomware distributed as malicious spams disguised as customer complaints. This ransomware adds .RMCM1 extension to all encrypted files.	1a7d5e0fe2288a2fd4910c685b9142b3	SHA1: 63a5e7851c9146554e2e5cef467f7d78c734169a MD5: 1a7d5e0fe2288a2fd4910c685b9142b3 SHA256: 244b4205acb416700bec459c8b36be379c0b7e3d2a21a57c4a121ba95d229bc4 http://www.infosecurity-magazine.com/news/merry-christmas-ransomware-hangs/ https://isc.sans.edu/forums/diary/Merry+XMas+ransomware+from+Sunday+20170108/21905
M16-79x01	Spora_312445d2	Windows	This strike sends a malware sample known as Spora. Spora is a ransomware written in C that has a ransom note written in Russian. Spora does not rename the files after it encrypts them.	312445d2cca1cf82406af567596b9d8c	SHA1: d3c89ccaf190890fc0583ea24396b1a2cd8317c4 MD5: 312445d2cca1cf82406af567596b9d8c SHA256: dbfd24cd70f02ddea6de0a851c1ef0f45f18b4f70e6f3d0f2e2aec0d1b4a2cbf http://securityaffairs.co/wordpress/55260/malware/spora-ransomware.html http://blog.emsisoft.com/2017/01/10/from-darknet-with-love-meet-spora-ransomware/ https://www.bleepingcomputer.com/news/security/spora-ransomware-works-offline-has-the-most-sophisticated-payment-site-as-of-yet/
M16-uw401	Sharik_727cbccb	Windows	This strike sends a malware sample known as Sharik. Sharik is a trojan loader. It is distributed via emails with the sender impersonating a telecommunications company. The emails contain a zip pdf attachment which, when opened, infect a victim machine with Sharik.	727cbccb80206ebe6a989fc6386f222e	SHA1: 21bacd8c51fab29c15c1df8f25f7e91697d3bba1 MD5: 727cbccb80206ebe6a989fc6386f222e SHA256: 906d2ecdbc2b306ce7061b94d3d8cd64a9336fcfbc46f95d1a3bcddfdfbff7bb http://blog.trendmicro.com/trendlabs-security-intelligence/recent-spam-runs-in-germany-show-how-threats-intend-to-stay-in-the-game/
M16-xnu01	EyePyramid_b39a673a	Windows	This strike sends a malware sample known as EyePyramid. EyePyramid is a malware that targets politicians, bankers and law enforcement personalities in Italy. It is spread via phishing emails and after infection it grants access to all resources on the infected machine.	b39a673a5d2ceaa1fb5571769097ca77	SHA1: b61633975206c58df648df144c78bb3e20051d93 MD5: b39a673a5d2ceaa1fb5571769097ca77 SHA256: d3ad32bcb255e56cd2a768b3cbf6bafda88233288fc6650d0dfa3810be75f74c http://securityaffairs.co/wordpress/55285/cyber-crime/eyepyramid-espionage-campaign.html https://securelist.com/blog/incidents/77098/the-eyepyramid-attacks/
M16-n7i01	Marlboro_9c7a41fb	Windows	This strike sends a malware sample known as Marlboro. Marlboro is a ransomware that appends ".oops" extension to the encrypted files.	9c7a41fbe431a41bfdf933436c846858	SHA1: 15fd4e3c2aeffba55b9469820e9838e0062c72fb MD5: 9c7a41fbe431a41bfdf933436c846858 SHA256: a95d7606d17b221bca0960d04bffdc5ff1585ca13a2511bbf5347a732a3a025c https://www.bleepingcomputer.com/news/security/marlboro-ransomware-defeated-in-one-day/
M16-dfb01	KillDisk_5cc42c3d	Windows	This strike sends a malware sample known as KillDisk. KillDisk is a data wiping malware that was used as a component in the BlackEnergy attacks against the Ukranian power grid.	5cc42c3d67099d361c1c37750ae5ff04	SHA1: 2379a29b4c137afb7c0fd80a58020f5e09716437 MD5: 5cc42c3d67099d361c1c37750ae5ff04 SHA256: a6a167e214acd34b4084237ba7f6476d2e999849281aa5b1b3f92138c7d91c7a http://thehackernews.com/2017/01/linux-ransomware-malware.html http://www.welivesecurity.com/2017/01/05/killdisk-now-targeting-linux-demands-250k-ransom-cant-decrypt/
M16-3hv01	Locky_afed9062	Windows	This strike sends a malware sample known as Locky. Locky is a ransomware for Windows systems which appeared at the beginning of 2016. The malicious code for this particular malware relies on JavaScript attachments to download itself. Like other ransomware, it encrypts local files as well as network shares and renames them to [unique_id][identifier].locky. The victim is requested to pay a ransom to get the files decrypted.	afed90629bb84de0ce8e7c6d2231e9c3	SHA1: 4e7fa838280b7ab7f70afd5e73c461639a1f0b5e MD5: afed90629bb84de0ce8e7c6d2231e9c3 SHA256: 79ffaa5453500f75abe4ad196100a53dfb5ec5297fc714dd10feb26c4fb086db http://blog.talosintel.com/2017/01/locky-struggles.html https://continuum.cisco.com/2017/01/20/talos-locky-takes-a-break-and-returns-with-new-tricks/ http://securityaffairs.co/wordpress/55514/cyber-crime/necurs-botnet-returns.html
M16-eiv01	EyePyramid_a41c5374	Windows	This strike sends a malware sample known as EyePyramid. EyePyramid is a malware that targets politicians, bankers and law enforcement personalities in Italy. It is spread via phishing emails and after infection it grants access to all resources on the infected machine.	a41c5374a14a2c7cbe093ff6b075e8ac	SHA1: b25222b289cb3a8e7877c46a8840e560d1ab375b MD5: a41c5374a14a2c7cbe093ff6b075e8ac SHA256: 137846f698de9b30fe0fb81af20f175f36cf7c6297e3f920996e607cf80f518a http://securityaffairs.co/wordpress/55285/cyber-crime/eyepyramid-espionage-campaign.html https://securelist.com/blog/incidents/77098/the-eyepyramid-attacks/
M16-y5g01	Ploutus_c04a7cb9	Windows	This strike sends a malware sample known as Ploutus. Ploutus is an ATM malware that was discovered in 2013. Ploutus' main purpose is to empty an ATM without the requirement of an ATM card.	c04a7cb926ccbf829d0a36a91ebf91bd	SHA1: 66adf3ab1913e92be7f34adcd9be1b6eda677d59 MD5: c04a7cb926ccbf829d0a36a91ebf91bd SHA256: 04db39463012add2eece6dfe6f311ad46b76dae55460eea30dec02d3d3f1c00a http://securityaffairs.co/wordpress/55334/cyber-crime/ploutus-d.html https://www.fireeye.com/blog/threat-research/2017/01/new_ploutus_variant.html