Strike ID | Malware | Platform | Info | MD5 | External References |
---|---|---|---|---|---|
M18-6zq01 | Triusor_86ccc97b | Windows | This strike sends a malware sample known as Triusor. Triusor is a highly polymorphic malware family. All the binaries are packed and obfuscated to hinder the static analysis. The malware contains code that complicates the dynamic analysis. Once it is executed, the samples perform code injection. | 86ccc97b747d7cbc76bae4bf1bdf6512 | 81bea2a893e787dafc1f4b03201a155d6c44209d 86ccc97b747d7cbc76bae4bf1bdf6512 0bc3007209f850ac764646065dcc8fdd85c46425dc98d72631e51045ba36069c https://blog.talosintelligence.com/2018/11/threat-roundup-1123-1130.html |
M18-39001 | Triusor_0607065e | Windows | This strike sends a malware sample known as Triusor. Triusor is a highly polymorphic malware family. All the binaries are packed and obfuscated to hinder the static analysis. The malware contains code that complicates the dynamic analysis. Once it is executed, the samples perform code injection. | 0607065e4cc014b3b7476c988f6a0b40 | 51a24aa6903a1dc3411537e3c7e909ae7ec09e5b 0607065e4cc014b3b7476c988f6a0b40 9e76c9877cb6820ff88937ee158cd59cbe16b9eb26526f0f1ec39d09601dca05 https://blog.talosintelligence.com/2018/11/threat-roundup-1123-1130.html |
M18-gd001 | Donoff_3cca9fc6 | Mixed | This strike sends a malware sample known as Donoff. Donoff is a malicious Microsoft Office document that leverages the Windows Command shell to launch PowerShell and download and execute an executable. | 3cca9fc676659a1fae4c6a8fff9e0e20 | 7751ff9750955bc8e5576e12bd06008f00f1f9f2 3cca9fc676659a1fae4c6a8fff9e0e20 19badf1bbaa2ba68db14bf76e88b11a29492fb8d0cf180b83736a55d23a402be https://blog.talosintelligence.com/2018/11/threat-roundup-1123-1130.html |
M18-62c01 | Xls.Dropper.Donoff_bd57ed1e | Mixed | This strike sends a malware sample known as Xls.Dropper.Donoff. Donoff is a payload delivery Office document that leverages the Windows Command shell to launch PowerShell to download and execute an executable. The MD5 hash of this Xls.Dropper. | bd57ed1e6203e3f3fa62ed4c4d9b9b9c | 52bf032f08f8d5806a777cbd00a8e22705d17c6f bd57ed1e6203e3f3fa62ed4c4d9b9b9c 0587d2fd8a94400a1a8f87a59111b4ec53c69ab7e4a50e6a4c7dd6eb7590e0b3 https://blog.talosintelligence.com/2018/11/threat-roundup-1123-1130.html |
M18-lvm01 | Win.Trojan.Emotet_ca21b7d8 | Windows | This strike sends a malware sample known as Win.Trojan.Emotet. Emotet is a banking trojan that has remained relevant due to its continual evolution to better avoid detection. It is commonly spread via malicious emails, and saw a resurgence recently during Black Friday. The MD5 hash of this Win.Trojan. | ca21b7d81598c7cbbe5e4962765a376f | 8cee4684677a59e6c8060d34590ee0310759fd66 ca21b7d81598c7cbbe5e4962765a376f 3567201c7de66370aa8eb0bd6242b0ce6edf3d4326c2255828470407a2a124b3 https://blog.talosintelligence.com/2018/11/threat-roundup-1123-1130.html |
M18-zpw01 | Triusor_d0b71e03 | Windows | This strike sends a malware sample known as Triusor. Triusor is a highly polymorphic malware family. All the binaries are packed and obfuscated to hinder the static analysis. The malware contains code that complicates the dynamic analysis. Once it is executed, the samples perform code injection. | d0b71e03bb71785f5cce3bb7a5c4ef42 | d78e553578d5aef541b20e619d0ac0b0742c9e19 d0b71e03bb71785f5cce3bb7a5c4ef42 3822de7241c17afa298071ab05ea0552456c7b9e78f2655b3471554f972520cf https://blog.talosintelligence.com/2018/11/threat-roundup-1123-1130.html |
M18-g7z01 | Xls.Dropper.Donoff_c65fb06a | Mixed | This strike sends a malware sample known as Xls.Dropper.Donoff. Donoff is a payload delivery Office document that leverages the Windows Command shell to launch PowerShell to download and execute an executable. The MD5 hash of this Xls.Dropper. | c65fb06a84caab2a3c91119f4184ec3e | 3cd02d1e37cde6598e2b36904349c645a719de0d c65fb06a84caab2a3c91119f4184ec3e 99b43c4080202b48a2a729ed28dac8e3b98cd837494b2e419d71e7693b0652b8 https://blog.talosintelligence.com/2018/11/threat-roundup-1123-1130.html |
M18-y1001 | Donoff_e6b68bc8 | Mixed | This strike sends a malware sample known as Donoff. Donoff is a malicious Microsoft Office document that leverages the Windows Command shell to launch PowerShell and download and execute an executable. | e6b68bc88fb560f12a377b95ab3c13af | 02ebd10101e0540014df56d5aeb2bb0aba7ac042 e6b68bc88fb560f12a377b95ab3c13af 0b2a44c3b90bfc7c26605321c75fdc9703d67f71849cf106ef1e9fbd3160c533 https://blog.talosintelligence.com/2018/11/threat-roundup-1123-1130.html |
M18-hxi01 | Esfury_0f1d1f4c | Windows | This strike sends a malware sample known as Esfury. Autorunner is in the Esfury family. Esfury is a type of worm that commonly spreads via removable drives or platforms with user interaction (e.g. emails, instant messages, web pages). When executed, Esfury modifies multiple registry keys in order to execute when certain Windows applications are opened, including security products, registry editor and task manager. Esfury may also contact a remote server to download and execute arbitrary files. | 0f1d1f4cd097684180f8133e4d0642d9 | 5d7e436434c47a4e1dbf5ac3ad75590ccd681416 0f1d1f4cd097684180f8133e4d0642d9 09a8a4d6b7e8d68dcbf7279923f5d8322e4d46dea86ca1da0f553bdb1f5fc222 https://blog.talosintelligence.com/2018/11/threat-roundup-1102-1109.html |
M18-nn901 | Triusor_db9f71f9 | Windows | This strike sends a malware sample known as Triusor. Triusor is a highly polymorphic malware family. All the binaries are packed and obfuscated to hinder the static analysis. The malware contains code that complicates the dynamic analysis. Once it is executed, the samples perform code injection. | db9f71f9a64a5aef6ace9ed30addbe0f | 0d98c5ae08adc0c4fa496a6cc81e1a9ee85e9e70 db9f71f9a64a5aef6ace9ed30addbe0f db6317729cabcb31a4be51a3cc281bffc5dd38a8164861c4d7fe7a0be386f892 https://blog.talosintelligence.com/2018/11/threat-roundup-1123-1130.html |
M18-98301 | Valyria_42893e13 | Mixed | This strike sends a malware sample known as Valyria. Valyria is a malicious Microsoft Word document family that is used to distribute other malware. This campaign is currently spreading Emotet. | 42893e139246458afa15464117cfecde | 999593d85a85f61666566d40ff6e8613dd723f3b 42893e139246458afa15464117cfecde 500fe0e5847b6677fa8b91073d3c0fca1d80fef35cafd57b95634abab8973d42 https://blog.talosintelligence.com/2018/11/threat-roundup-1123-1130.html |
M18-2p301 | Doc.Malware.00536d_bf64ed9e | Mixed | This strike sends a malware sample known as Doc.Malware.00536d. Doc.Malware.00536d is the denomination of a set of malicious documents that leverage VBA and PowerShell to install malware on the system. These documents usually convince the user to enable macros that, if executed, will download and install additional malware on the system. The MD5 hash of this Doc.Malware. | bf64ed9eb96d8584979c021b046582bc | af25b8ca38e2b9ab56fd0238bc1642b8802f3d91 bf64ed9eb96d8584979c021b046582bc ecbb1cacd8390963a669b92cdd6a78f3e3dfffa93e794dde7426d4ef2780fab4 https://blog.talosintelligence.com/2018/11/threat-roundup-1123-1130.html |
M18-2wg01 | Donoff_1a0820dd | Mixed | This strike sends a malware sample known as Donoff. Donoff is a malicious Microsoft Office document that leverages the Windows Command shell to launch PowerShell and download and execute an executable. | 1a0820dd4f6910e2e2684650f8d7f65a | c508cbe8e34a13d45baedc1a4bb283d6041e684f 1a0820dd4f6910e2e2684650f8d7f65a 2af5928b3dfeaeff2556b7fbf27ef564c0a67457ef2ec6ac41dcfdb214b84856 https://blog.talosintelligence.com/2018/11/threat-roundup-1123-1130.html |
M18-pem01 | Donoff_f760b521 | Mixed | This strike sends a malware sample known as Donoff. Donoff is a malicious Microsoft Office document that leverages the Windows Command shell to launch PowerShell and download and execute an executable. | f760b52142693a7babf374dce0ec6ec4 | 39139c54462bf9253e5da83c695170fb4f0f205a f760b52142693a7babf374dce0ec6ec4 1792e52f31de940e6d233967b62bd6712deae048fc110ba38cea000314781c16 https://blog.talosintelligence.com/2018/11/threat-roundup-1123-1130.html |
M18-4os01 | Donoff_81f63312 | Mixed | This strike sends a malware sample known as Donoff. Donoff is a malicious Microsoft Office document that leverages the Windows Command shell to launch PowerShell and download and execute an executable. | 81f63312e5bf0ca60984249974cbb8d1 | e0bf9ab67d5ef5f0db89d5f7ad5f0121f0861b7b 81f63312e5bf0ca60984249974cbb8d1 06aa7214d492067f4f6a8aa0a910b5b32aee7734e0525a471bb2ca111ee6f3d0 https://blog.talosintelligence.com/2018/11/threat-roundup-1123-1130.html |
M18-zsk01 | Esfury_2a8187aa | Windows | This strike sends a malware sample known as Esfury. Autorunner is in the Esfury family. Esfury is a type of worm that commonly spreads via removable drives or platforms with user interaction (e.g. emails, instant messages, web pages). When executed, Esfury modifies multiple registry keys in order to execute when certain Windows applications are opened, including security products, registry editor and task manager. Esfury may also contact a remote server to download and execute arbitrary files. | 2a8187aa944732f506fb38d000c9464b | a48fe658c2c65bd67d9a8db9508cd80c4a8d0d7d 2a8187aa944732f506fb38d000c9464b 05d0ef6586355e9255a5723ae5909602de6def71e64f3e1838211bb0d3c9de81 https://blog.talosintelligence.com/2018/11/threat-roundup-1102-1109.html |
M18-tc401 | Valyria_e080607b | Mixed | This strike sends a malware sample known as Valyria. Valyria is a malicious Microsoft Word document family that is used to distribute other malware. This campaign is currently spreading Emotet. | e080607b757f20d93263cb9e2741e1dd | 2cd00e526452b6cf3615b0bd7a2e3918ff38014c e080607b757f20d93263cb9e2741e1dd 61da1d5f5a0e508f1b79fee2a8ed00b37970f5c967cdfbf4a7933163752d777a https://blog.talosintelligence.com/2018/11/threat-roundup-1123-1130.html |
M18-0eo01 | Donoff_80d4b98e | Mixed | This strike sends a malware sample known as Donoff. Donoff is a malicious Microsoft Office document that leverages the Windows Command shell to launch PowerShell and download and execute an executable. | 80d4b98ed3542939f6de5591b98050db | 7c4f3359fb23aa3d9f36202b939e14fd9f738fe6 80d4b98ed3542939f6de5591b98050db 0a12a0000a78dfa623f71b0274df5b54f14dea7ddfe0799ad09cd76db2340441 https://blog.talosintelligence.com/2018/11/threat-roundup-1123-1130.html |
M18-9mo01 | Triusor_8f62d9d2 | Windows | This strike sends a malware sample known as Triusor. Triusor is a highly polymorphic malware family. All the binaries are packed and obfuscated to hinder the static analysis. The malware contains code that complicates the dynamic analysis. Once it is executed, the samples perform code injection. | 8f62d9d276c84b8e36a16aac91d4d33d | 7e2a07490b52a873f4c38a6f2c52dbcd209c94f5 8f62d9d276c84b8e36a16aac91d4d33d 9df2784ba1fd594ab90357d799b26e0fa3abca65a5744ce3d62993d74b0f7e0f https://blog.talosintelligence.com/2018/11/threat-roundup-1123-1130.html |
M18-1yr01 | Donoff_c1ced218 | Mixed | This strike sends a malware sample known as Donoff. Donoff is a malicious Microsoft Office document that leverages the Windows Command shell to launch PowerShell and download and execute an executable. | c1ced218ba05ead3906d899b096f9bf2 | 92f35bd2199d16c93461d76b0ebe05d7e3bed110 c1ced218ba05ead3906d899b096f9bf2 0fe0f094572df903940dd8394c4c5c307705bb4146c794e77793f74a1e873327 https://blog.talosintelligence.com/2018/11/threat-roundup-1123-1130.html |
M18-70o01 | Donoff_0c15821a | Mixed | This strike sends a malware sample known as Donoff. Donoff is a malicious Microsoft Office document that leverages the Windows Command shell to launch PowerShell and download and execute an executable. | 0c15821af957c5b9e3be928a7b3d1a09 | 52d7f3960f27f4a2e49ad288fcf17b82b9b38f25 0c15821af957c5b9e3be928a7b3d1a09 2caaf8bad60e3e663993727b5ff26d685fb511892f90939d04e5f92765154687 https://blog.talosintelligence.com/2018/11/threat-roundup-1123-1130.html |
M18-29o01 | Triusor_2eaf5b9b | Windows | This strike sends a malware sample known as Triusor. Triusor is a highly polymorphic malware family. All the binaries are packed and obfuscated to hinder the static analysis. The malware contains code that complicates the dynamic analysis. Once it is executed, the samples perform code injection. | 2eaf5b9b0d6fb8cbc179125dcd50cb25 | fa80b66470872d3dc29ff8db07ea64118083865f 2eaf5b9b0d6fb8cbc179125dcd50cb25 68d400f36ef0ac8869499a0185fc52a7d22add5a137fcdd9d73b7e47d8514049 https://blog.talosintelligence.com/2018/11/threat-roundup-1123-1130.html |
M18-pgu01 | Donoff_da60d8f2 | Mixed | This strike sends a malware sample known as Donoff. Donoff is a malicious Microsoft Office document that leverages the Windows Command shell to launch PowerShell and download and execute an executable. | da60d8f26c1991efd1153a0f5e70b57c | e8b0d7d1bb9445be206ed77a4c8cc9a944206981 da60d8f26c1991efd1153a0f5e70b57c 043a80eab9723a815096c7338c14105011f90c8fe1fe86a02c7c763726cfaa2a https://blog.talosintelligence.com/2018/11/threat-roundup-1123-1130.html |
M18-jz401 | Donoff_6df1613f | Mixed | This strike sends a malware sample known as Donoff. Donoff is a malicious Microsoft Office document that leverages the Windows Command shell to launch PowerShell and download and execute an executable. | 6df1613f5b8788f662c500f948d66ed9 | 9a42bf0aac09a65d89cc419dba1e1a21f4bf2f73 6df1613f5b8788f662c500f948d66ed9 16fa280526ab5a33bf77f4f86ffcf2a0b54c0733e26a2e070e724981927d1ad8 https://blog.talosintelligence.com/2018/11/threat-roundup-1123-1130.html |
M18-doe03 | Esfury_dcb71480 | Windows | This strike sends a malware sample known as Esfury. Autorunner is in the Esfury family. Esfury is a type of worm that commonly spreads via removable drives or platforms with user interaction (e.g. emails, instant messages, web pages). When executed, Esfury modifies multiple registry keys in order to execute when certain Windows applications are opened, including security products, registry editor and task manager. Esfury may also contact a remote server to download and execute arbitrary files. | dcb714802afee98cea089c4550948ae3 | 07d9942d0c4d33cc911d3cb2c8e66ea992b113d5 dcb714802afee98cea089c4550948ae3 027b08647ec8a4976897114dcac6810acb215dc13805edd0986d4bce04528f59 https://blog.talosintelligence.com/2018/11/threat-roundup-1102-1109.html |
M18-v3501 | Win.Trojan.Emotet_10f92b8a | Windows | This strike sends a malware sample known as Win.Trojan.Emotet. Emotet is a banking trojan that has remained relevant due to its continual evolution to better avoid detection. It is commonly spread via malicious emails, and saw a resurgence recently during Black Friday. The MD5 hash of this Win.Trojan. | 10f92b8a6eaed33bd0f339e47953ad3b | 2ba0c793b428293a27e9e1e913df2e436469fa2a 10f92b8a6eaed33bd0f339e47953ad3b 7d42a037f8c824724e3525e40f09ae6b3f0eaca4278e4f0b95bb5ca50f008f7b https://blog.talosintelligence.com/2018/11/threat-roundup-1123-1130.html |
M18-8f801 | Win.Trojan.Emotet_7494919a | Windows | This strike sends a malware sample known as Win.Trojan.Emotet. Emotet is a banking trojan that has remained relevant due to its continual evolution to better avoid detection. It is commonly spread via malicious emails, and saw a resurgence recently during Black Friday. The MD5 hash of this Win.Trojan. | 7494919a5ee6e60bc56d24c9745ace75 | 693ff315cd0061112e91ca3d9d13bf7b42f6e33a 7494919a5ee6e60bc56d24c9745ace75 3f2fa56542583680c7feeda31a5e16b85f11d74b710e6cb699ffcf15b6ca753a https://blog.talosintelligence.com/2018/11/threat-roundup-1123-1130.html |
M18-avz01 | Win.Trojan.Emotet_92a40dcd | Windows | This strike sends a malware sample known as Win.Trojan.Emotet. Emotet is a banking trojan that has remained relevant due to its continual evolution to better avoid detection. It is commonly spread via malicious emails, and saw a resurgence recently during Black Friday. The MD5 hash of this Win.Trojan. | 92a40dcdc1d6706d95a6fd98114152cd | eddcf0de04bf37127f63b72edf4bcfad7c733ec8 92a40dcdc1d6706d95a6fd98114152cd e06807d11e7fba844ffe986638234633bfb93ccea283187b9019e0268b7876f4 https://blog.talosintelligence.com/2018/11/threat-roundup-1123-1130.html |
M18-4cw01 | Esfury_e11731ec | Windows | This strike sends a malware sample known as Esfury. Autorunner is in the Esfury family. Esfury is a type of worm that commonly spreads via removable drives or platforms with user interaction (e.g. emails, instant messages, web pages). When executed, Esfury modifies multiple registry keys in order to execute when certain Windows applications are opened, including security products, registry editor and task manager. Esfury may also contact a remote server to download and execute arbitrary files. | e11731ecede1d7b45daa78a4bab227c0 | 397967942585468786e09887387427869eb59dbe e11731ecede1d7b45daa78a4bab227c0 183b07b0a5e93388d391deeac811b405d0cf46c66f3817efe535780a6d06c10a https://blog.talosintelligence.com/2018/11/threat-roundup-1102-1109.html |
M18-mg902 | Xls.Dropper.Donoff_dfb87cec | Mixed | This strike sends a malware sample known as Xls.Dropper.Donoff. Donoff is a payload delivery Office document that leverages the Windows Command shell to launch PowerShell to download and execute an executable. The MD5 hash of this Xls.Dropper. | dfb87cecb4e1c33ea93efc64372d186b | 1ae598b16a47d3514f4768db1c6facc6d663f2cb dfb87cecb4e1c33ea93efc64372d186b 21df4279e0c9f6df6fb9ac8462e89ec9d2c777a3309dc9b8cf891a5232178800 https://blog.talosintelligence.com/2018/11/threat-roundup-1123-1130.html |
M18-uf701 | Triusor_620326dd | Windows | This strike sends a malware sample known as Triusor. Triusor is a highly polymorphic malware family. All the binaries are packed and obfuscated to hinder the static analysis. The malware contains code that complicates the dynamic analysis. Once it is executed, the samples perform code injection. | 620326dd50dab27c91e39eb21a030c47 | c05ea959be8ad9bf1618a618179e95a6bcdbe8b5 620326dd50dab27c91e39eb21a030c47 8f4bd4d1d9d337cfd8ffd0afe80213ae90063d274aad64b04aa8558b837218e6 https://blog.talosintelligence.com/2018/11/threat-roundup-1123-1130.html |
M18-k0301 | Win.Trojan.Emotet_912807d7 | Windows | This strike sends a malware sample known as Win.Trojan.Emotet. Emotet is a banking trojan that has remained relevant due to its continual evolution to better avoid detection. It is commonly spread via malicious emails, and saw a resurgence recently during Black Friday. The MD5 hash of this Win.Trojan. | 912807d798d35323a534fdb59399a9b0 | 2060d9f147311fdeec4de5f5d940b7a6f849846d 912807d798d35323a534fdb59399a9b0 78ccba1d9e5d32658ce4cd4b2f8a8be65c6aa6a4f4eec2016777afb3a50ac843 https://blog.talosintelligence.com/2018/11/threat-roundup-1123-1130.html |
M18-4b001 | Donoff_a0a56a80 | Mixed | This strike sends a malware sample known as Donoff. Donoff is a malicious Microsoft Office document that leverages the Windows Command shell to launch PowerShell and download and execute an executable. | a0a56a80b5400ac336a123433ae9dce7 | 7cdaa16ee951e323cf85c0395ac0963dc0a38c20 a0a56a80b5400ac336a123433ae9dce7 2696e57e2daac38a37ca382f979f1e4c61b20f516dd18ba33290fd00ef3eec7e https://blog.talosintelligence.com/2018/11/threat-roundup-1123-1130.html |
M18-w8p01 | Triusor_2edee29d | Windows | This strike sends a malware sample known as Triusor. Triusor is a highly polymorphic malware family. All the binaries are packed and obfuscated to hinder the static analysis. The malware contains code that complicates the dynamic analysis. Once it is executed, the samples perform code injection. | 2edee29d4ff7868aa74992ccf285726b | 54ab7ad550e697925e23ae69e60a300a29c339cd 2edee29d4ff7868aa74992ccf285726b 14bc92fb1cb50fc6ffd2f34b701e57603fb99b96130c7e5b77187c2c3684a4db https://blog.talosintelligence.com/2018/11/threat-roundup-1123-1130.html |
M18-pjd01 | Xls.Dropper.Donoff_f898647b | Mixed | This strike sends a malware sample known as Xls.Dropper.Donoff. Donoff is a payload delivery Office document that leverages the Windows Command shell to launch PowerShell to download and execute an executable. The MD5 hash of this Xls.Dropper. | f898647b281b95a5fa2fd1a57ce6845b | 1ee365096195a8febc5821477c09ec72bbb32976 f898647b281b95a5fa2fd1a57ce6845b bffbd9caa578af5caa98fcb20e0e5e4f55154e9e2ca256364c1f70538c04c5b9 https://blog.talosintelligence.com/2018/11/threat-roundup-1123-1130.html |
M18-sqz01 | Xls.Dropper.Donoff_bbfd6b30 | Mixed | This strike sends a malware sample known as Xls.Dropper.Donoff. Donoff is a payload delivery Office document that leverages the Windows Command shell to launch PowerShell to download and execute an executable. The MD5 hash of this Xls.Dropper. | bbfd6b30072f3fd8150f77b6fbe33d23 | 814795830b2157853a62316e3a6d31aae48d0277 bbfd6b30072f3fd8150f77b6fbe33d23 dcbdf1859c62728c680ed7267f65b3a425aaed5c79b0f7404ef2e6541150d573 https://blog.talosintelligence.com/2018/11/threat-roundup-1123-1130.html |
M18-2ew01 | Esfury_6f616a79 | Windows | This strike sends a malware sample known as Esfury. Autorunner is in the Esfury family. Esfury is a type of worm that commonly spreads via removable drives or platforms with user interaction (e.g. emails, instant messages, web pages). When executed, Esfury modifies multiple registry keys in order to execute when certain Windows applications are opened, including security products, registry editor and task manager. Esfury may also contact a remote server to download and execute arbitrary files. | 6f616a79b48160fc7ec6a3fe56972968 | adb6672bfe91c0d0b74b5ee4165a4aa3907ea586 6f616a79b48160fc7ec6a3fe56972968 033c6325a22ddee4d621558106fd297407f31e0713c7c2314024e8cbcdc0a5b3 https://blog.talosintelligence.com/2018/11/threat-roundup-1102-1109.html |
M18-sei01 | Valyria_9497ebcc | Mixed | This strike sends a malware sample known as Valyria. Valyria is a malicious Microsoft Word document family that is used to distribute other malware. This campaign is currently spreading Emotet. | 9497ebcc7f404288e16eb8cab121a549 | ad7658e4ec425e429bbd75813b8e1a79d82735b9 9497ebcc7f404288e16eb8cab121a549 608c215893b99203b2d355253d42b14fe0bae98b22a891cfa2950c79d8b4dfe1 https://blog.talosintelligence.com/2018/11/threat-roundup-1123-1130.html |
M18-80r01 | Triusor_7a794efc | Windows | This strike sends a malware sample known as Triusor. Triusor is a highly polymorphic malware family. All the binaries are packed and obfuscated to hinder the static analysis. The malware contains code that complicates the dynamic analysis. Once it is executed, the samples perform code injection. | 7a794efcc2c8b9a8f34d558ab578f66a | 247cb9286bd10667b8ae03ea8f9cd1e79631770c 7a794efcc2c8b9a8f34d558ab578f66a a3168cb7b3fd30eed135ba086e9e96984f56fd52317d185f3e988176440a5a25 https://blog.talosintelligence.com/2018/11/threat-roundup-1123-1130.html |
M18-byc01 | Esfury_a8320da9 | Windows | This strike sends a malware sample known as Esfury. Autorunner is in the Esfury family. Esfury is a type of worm that commonly spreads via removable drives or platforms with user interaction (e.g. emails, instant messages, web pages). When executed, Esfury modifies multiple registry keys in order to execute when certain Windows applications are opened, including security products, registry editor and task manager. Esfury may also contact a remote server to download and execute arbitrary files. | a8320da93664895b7a1eb4a3442ea7f5 | 27d8765188f705636f7a5b693ae20936e6739e9e a8320da93664895b7a1eb4a3442ea7f5 02e94f61d5c4da2b4a3b8991278a77e937da0de55b2f5373f804344cae73dad8 https://blog.talosintelligence.com/2018/11/threat-roundup-1102-1109.html |
M18-68t01 | Esfury_4d999549 | Windows | This strike sends a malware sample known as Esfury. Autorunner is in the Esfury family. Esfury is a type of worm that commonly spreads via removable drives or platforms with user interaction (e.g. emails, instant messages, web pages). When executed, Esfury modifies multiple registry keys in order to execute when certain Windows applications are opened, including security products, registry editor and task manager. Esfury may also contact a remote server to download and execute arbitrary files. | 4d999549a38e2fb1138272d47a2279b5 | 0f2ff2f789e6b3b114ad12e55fdf9e5c9c251681 4d999549a38e2fb1138272d47a2279b5 082831142fe7826130b5d5ac7673d9ae8f7f56e126348283e77fc3c88f4d5b0b https://blog.talosintelligence.com/2018/11/threat-roundup-1102-1109.html |
M18-9gv01 | Donoff_50a1ff58 | Mixed | This strike sends a malware sample known as Donoff. Donoff is a malicious Microsoft Office document that leverages the Windows Command shell to launch PowerShell and download and execute an executable. | 50a1ff580accedca1b49c89dc63f4c1f | 4374583937ba8404f97bb867e64e675826ad8fc9 50a1ff580accedca1b49c89dc63f4c1f 09d47ec5acae65e60e8316435d57e75b8a0153458f4471c8ff3510ee2a809558 https://blog.talosintelligence.com/2018/11/threat-roundup-1123-1130.html |
M18-vb001 | Xls.Dropper.Donoff_3f217606 | Mixed | This strike sends a malware sample known as Xls.Dropper.Donoff. Donoff is a payload delivery Office document that leverages the Windows Command shell to launch PowerShell to download and execute an executable. The MD5 hash of this Xls.Dropper. | 3f2176060522c71c880cd34765a740e4 | 57a27af1e52bcf8ea99c78d36dd39fd8a9321c8a 3f2176060522c71c880cd34765a740e4 0033f2a32856a043d34d491b0b79a3b1d25fbc084447ae801b94a6f4c8c67eec https://blog.talosintelligence.com/2018/11/threat-roundup-1123-1130.html |
M18-5iq01 | Xls.Dropper.Donoff_05f00632 | Mixed | This strike sends a malware sample known as Xls.Dropper.Donoff. Donoff is a payload delivery Office document that leverages the Windows Command shell to launch PowerShell to download and execute an executable. The MD5 hash of this Xls.Dropper. | 05f0063292089fc36b9033c5d1de7e28 | a8d7bf361b900a4a2b422221af2608ba7ac4f3d1 05f0063292089fc36b9033c5d1de7e28 e723f535550c7c4398bbb29f16e76e7a59b8e314b0d0d602c96cda07da56cc17 https://blog.talosintelligence.com/2018/11/threat-roundup-1123-1130.html |
M18-10u01 | Triusor_e182bfd8 | Windows | This strike sends a malware sample known as Triusor. Triusor is a highly polymorphic malware family. All the binaries are packed and obfuscated to hinder the static analysis. The malware contains code that complicates the dynamic analysis. Once it is executed, the samples perform code injection. | e182bfd844b3cee5586bfa067ee80d31 | a0724f543f1c5f3fba92ff00a6b947a81004bfc4 e182bfd844b3cee5586bfa067ee80d31 6b34a29fcdf2ad7a74859ba38c3a622971c1bbdb6a1268d5c766fac441b9970d https://blog.talosintelligence.com/2018/11/threat-roundup-1123-1130.html |
M18-idb01 | Win.Trojan.Emotet_dcebd14e | Windows | This strike sends a malware sample known as Win.Trojan.Emotet. Emotet is a banking trojan that has remained relevant due to its continual evolution to better avoid detection. It is commonly spread via malicious emails, and saw a resurgence recently during Black Friday. The MD5 hash of this Win.Trojan. | dcebd14e618ae42078dc8c24b5f791db | 5c8d2b526d89c6a5f66792a875cd663c751d0d0f dcebd14e618ae42078dc8c24b5f791db d60149eb78e3df622e24afec34b06c7c4c1d26a401ec326ea5eaaa74df873e3b https://blog.talosintelligence.com/2018/11/threat-roundup-1123-1130.html |
M18-zwu01 | Valyria_212be643 | Mixed | This strike sends a malware sample known as Valyria. Valyria is a malicious Microsoft Word document family that is used to distribute other malware. This campaign is currently spreading Emotet. | 212be643884ad7cc867b357fdcaa7293 | 54a65038d090631cc9cd55af0c18761c4c58bcd7 212be643884ad7cc867b357fdcaa7293 0734985f67598ec0a0caf9ca31edd54bc93c5072ab0facc09f3d5164c8930afe https://blog.talosintelligence.com/2018/11/threat-roundup-1123-1130.html |
M18-x0f01 | Esfury_10b398b5 | Windows | This strike sends a malware sample known as Esfury. Autorunner is in the Esfury family. Esfury is a type of worm that commonly spreads via removable drives or platforms with user interaction (e.g. emails, instant messages, web pages). When executed, Esfury modifies multiple registry keys in order to execute when certain Windows applications are opened, including security products, registry editor and task manager. Esfury may also contact a remote server to download and execute arbitrary files. | 10b398b567350889d290b12178475353 | 42db4c34327c1a51cd77034920f7d5ae425063cc 10b398b567350889d290b12178475353 12e12efef70cc7824ea45771c844393d1e1b878a86def41acc01093249bc7e19 https://blog.talosintelligence.com/2018/11/threat-roundup-1102-1109.html |
M18-gag01 | Valyria_c0e5d7d0 | Mixed | This strike sends a malware sample known as Valyria. Valyria is a malicious Microsoft Word document family that is used to distribute other malware. This campaign is currently spreading Emotet. | c0e5d7d0c0ac523f42f919928112933e | a7c113939d210809cf3264ea64a1c2b62003bbd7 c0e5d7d0c0ac523f42f919928112933e 15edcb2fc3b4d2fc1700f8e6837cd5c4759fb3791787c9cd9d0e16f129e0b234 https://blog.talosintelligence.com/2018/11/threat-roundup-1123-1130.html |
M18-fu901 | Esfury_012e3e16 | Windows | This strike sends a malware sample known as Esfury. Autorunner is in the Esfury family. Esfury is a type of worm that commonly spreads via removable drives or platforms with user interaction (e.g. emails, instant messages, web pages). When executed, Esfury modifies multiple registry keys in order to execute when certain Windows applications are opened, including security products, registry editor and task manager. Esfury may also contact a remote server to download and execute arbitrary files. | 012e3e162797d17ad0d92a9563eb1be9 | c789c03737335ad48f6bd3eda622f612eaac552e 012e3e162797d17ad0d92a9563eb1be9 0b979d82d329160c7f95cb8abc9ccc8e0ebb4f981ee321342e84a29ff33687f9 https://blog.talosintelligence.com/2018/11/threat-roundup-1102-1109.html |
M18-msj01 | Donoff_f0772e4d | Mixed | This strike sends a malware sample known as Donoff. Donoff is a malicious Microsoft Office document that leverages the Windows Command shell to launch PowerShell and download and execute an executable. | f0772e4d8f1aa1caeb572fbca4d9edf8 | 5e2b77f6ec0d85c8df7fd03f44ebaf69248a8e96 f0772e4d8f1aa1caeb572fbca4d9edf8 1f312a61244c970d254c24055b714138835b839f1da36b9ee1cfc1acf636fbf1 https://blog.talosintelligence.com/2018/11/threat-roundup-1123-1130.html |
M18-99o01 | Xls.Dropper.Donoff_98c9fefd | Mixed | This strike sends a malware sample known as Xls.Dropper.Donoff. Donoff is a payload delivery Office document that leverages the Windows Command shell to launch PowerShell to download and execute an executable. The MD5 hash of this Xls.Dropper. | 98c9fefdc2be08d63dc0d22992973746 | 50a9f94dd30d9c58af3b12cfea247ed1119ea98b 98c9fefdc2be08d63dc0d22992973746 9a9d1c1b43c93982eaf304c3c7ecb361bede0ea811c23cddb8b13a39328f0c3c https://blog.talosintelligence.com/2018/11/threat-roundup-1123-1130.html |
M18-azc01 | Esfury_5947665e | Windows | This strike sends a malware sample known as Esfury. Autorunner is in the Esfury family. Esfury is a type of worm that commonly spreads via removable drives or platforms with user interaction (e.g. emails, instant messages, web pages). When executed, Esfury modifies multiple registry keys in order to execute when certain Windows applications are opened, including security products, registry editor and task manager. Esfury may also contact a remote server to download and execute arbitrary files. | 5947665e3d1116667394c44357a12e32 | 449f867b9f9430bc69647ed64ccf6ed9d3b0a855 5947665e3d1116667394c44357a12e32 0e47b656aa6dfdc797ff650a7d1800639f7347d2af4fd0ae6520e02ff0cec9a0 https://blog.talosintelligence.com/2018/11/threat-roundup-1102-1109.html |
M18-pee01 | Donoff_b61e8461 | Mixed | This strike sends a malware sample known as Donoff. Donoff is a malicious Microsoft Office document that leverages the Windows Command shell to launch PowerShell and download and execute an executable. | b61e8461f8e39734cbac689b72b6bf17 | 670f3092acef6807be0ee51cf6eece8bac09d441 b61e8461f8e39734cbac689b72b6bf17 29de1616d80266c566605928b266a43dc9e1cb7c1a1ed9c95e32d54efd4f6696 https://blog.talosintelligence.com/2018/11/threat-roundup-1123-1130.html |
M18-3bb01 | Esfury_7188ac47 | Windows | This strike sends a malware sample known as Esfury. Autorunner is in the Esfury family. Esfury is a type of worm that commonly spreads via removable drives or platforms with user interaction (e.g. emails, instant messages, web pages). When executed, Esfury modifies multiple registry keys in order to execute when certain Windows applications are opened, including security products, registry editor and task manager. Esfury may also contact a remote server to download and execute arbitrary files. | 7188ac47ce4aca7e5f22c7dacb42f3ba | 11db5e1ca1416cc91621c0c7558c8dfa6e4d6d87 7188ac47ce4aca7e5f22c7dacb42f3ba 0eeb8d4cb796e8460ea5c283deed8788356822e6a7916c9cec496dc7cf4f3ab2 https://blog.talosintelligence.com/2018/11/threat-roundup-1102-1109.html |
M18-bk401 | Xls.Dropper.Donoff_88631173 | Mixed | This strike sends a malware sample known as Xls.Dropper.Donoff. Donoff is a payload delivery Office document that leverages the Windows Command shell to launch PowerShell to download and execute an executable. The MD5 hash of this Xls.Dropper. | 886311732b0f98fc6b93ba2dde16e544 | 78e40bd174c1d4285147a8c20f2c806fdaa04292 886311732b0f98fc6b93ba2dde16e544 88ceeeed4a5d23e5c26c74300d2f1cc89376c09057ac848032b45e2777d15b3d https://blog.talosintelligence.com/2018/11/threat-roundup-1123-1130.html |
M18-c6i01 | Donoff_28892696 | Mixed | This strike sends a malware sample known as Donoff. Donoff is a malicious Microsoft Office document that leverages the Windows Command shell to launch PowerShell and download and execute an executable. | 2889269690aa7d9484b36068be4b18d6 | 2e9379a89679c11ae9cd1a15445f47adb732651c 2889269690aa7d9484b36068be4b18d6 25fbacf14f3ea9918aa054f040c6cc73edb9450a34e2fe739b131d9c155e3e3d https://blog.talosintelligence.com/2018/11/threat-roundup-1123-1130.html |
M18-heb01 | Win.Trojan.Emotet_bb90b643 | Windows | This strike sends a malware sample known as Win.Trojan.Emotet. Emotet is a banking trojan that has remained relevant due to its continual evolution to better avoid detection. It is commonly spread via malicious emails, and saw a resurgence recently during Black Friday. The MD5 hash of this Win.Trojan. | bb90b6432285aae0d7ebba6379f517f5 | c40a79fb597465cd1b9fcecf5bf53bd66efa1e23 bb90b6432285aae0d7ebba6379f517f5 c2ffeb181bc57e65011cb68ed33de62ef2ae79b12f320fa8362b096fe9f26430 https://blog.talosintelligence.com/2018/11/threat-roundup-1123-1130.html |
M18-xgp01 | Xls.Dropper.Donoff_4a555c84 | Mixed | This strike sends a malware sample known as Xls.Dropper.Donoff. Donoff is a payload delivery Office document that leverages the Windows Command shell to launch PowerShell to download and execute an executable. The MD5 hash of this Xls.Dropper. | 4a555c84155d36dc018c278eaf6be6f5 | 4d22d9e21d2694451ebc234034b957ba05e75a35 4a555c84155d36dc018c278eaf6be6f5 6816c39d57cf2008ddd7ff252d97b9eb372c9c70ae9ac1834aee5beb0c24208c https://blog.talosintelligence.com/2018/11/threat-roundup-1123-1130.html |
M18-ti601 | Xls.Dropper.Donoff_3f20efeb | Mixed | This strike sends a malware sample known as Xls.Dropper.Donoff. Donoff is a payload delivery Office document that leverages the Windows Command shell to launch PowerShell to download and execute an executable. The MD5 hash of this Xls.Dropper. | 3f20efebe0e78d0a4197d4021198cddb | f2541dbfffa3eb5b9f88e70ffd8456068214a0de 3f20efebe0e78d0a4197d4021198cddb ee5fb50a88b4b4a97bf82258cefc53e5de1bd416ddbdbee363dd9dc269ad867d https://blog.talosintelligence.com/2018/11/threat-roundup-1123-1130.html |
M18-elm01 | Triusor_f3110334 | Windows | This strike sends a malware sample known as Triusor. Triusor is a highly polymorphic malware family. All the binaries are packed and obfuscated to hinder the static analysis. The malware contains code that complicates the dynamic analysis. Once it is executed, the samples perform code injection. | f3110334e8dc6c6e910a8b8d9e44f529 | 0ab77e27d07704aa930c4cebb06e875469c9ad1d f3110334e8dc6c6e910a8b8d9e44f529 8cee25864d734f6624754ba68d47d0d6573ce6d4ca55c2cf3025a1435bf84685 https://blog.talosintelligence.com/2018/11/threat-roundup-1123-1130.html |
M18-2p402 | Esfury_0fc4b7e6 | | This strike sends a malware sample known as Esfury. Autorunner is in the Esfury family. Esfury is a type of worm that commonly spreads via removable drives or platforms with user interaction (e.g. emails, instant messages, web pages). When executed, Esfury modifies multiple registry keys in order to execute when certain Windows applications are opened, including security products, registry editor and task manager. Esfury may also contact a remote server to download and execute arbitrary files. | 0fc4b7e6335489cb38b074efcde87909 | d037ac836a5484f7fa979a8bfe7058cbc23ac0d0 0fc4b7e6335489cb38b074efcde87909 0206ba28fd335c6470736f976885f5916375e114ce442208f30aaca55525d41c https://blog.talosintelligence.com/2018/11/threat-roundup-1102-1109.html |
M18-qo301 | Triusor_f816d643 | Windows | This strike sends a malware sample known as Triusor. Triusor is a highly polymorphic malware family. All the binaries are packed and obfuscated to hinder the static analysis. The malware contains code that complicates the dynamic analysis. Once it is executed, the samples perform code injection. | f816d6436964e13714ac0f71cd0abdbb | e92ab65f1e3334b0f3f7513ef73993ef8320b034 f816d6436964e13714ac0f71cd0abdbb 3adbbb8794d8244bbc905ad9b7d54046e494374f1856447fd174869911f8ebd2 https://blog.talosintelligence.com/2018/11/threat-roundup-1123-1130.html |
M18-wd501 | Win.Trojan.Emotet_2b6afa67 | Windows | This strike sends a malware sample known as Win.Trojan.Emotet. Emotet is a banking trojan that has remained relevant due to its continual evolution to better avoid detection. It is commonly spread via malicious emails, and saw a resurgence recently during Black Friday. The MD5 hash of this Win.Trojan. | 2b6afa67bd42bf9a90ebc3b728b4ea41 | 1846c2fe64583db394eca035af3d440da6fdf0ff 2b6afa67bd42bf9a90ebc3b728b4ea41 864b1ce8feeed53db144afae131da20601bdf2951e198827177d40a233c490bd https://blog.talosintelligence.com/2018/11/threat-roundup-1123-1130.html |
M18-zdn01 | Donoff_f33c38f4 | Mixed | This strike sends a malware sample known as Donoff. Donoff is a malicious Microsoft Office document that leverages the Windows Command shell to launch PowerShell and download and execute an executable. | f33c38f4a5f61dc51187e4ab5bf13084 | 353640a0f8240ae197938547a28db6419e0e67c5 f33c38f4a5f61dc51187e4ab5bf13084 1b409f2f2146c2318580c73d5eaeafbdd79e39d4d4f3e5862323b3b6f4a6c916 https://blog.talosintelligence.com/2018/11/threat-roundup-1123-1130.html |
M18-hr601 | Esfury_61de1883 | Windows | This strike sends a malware sample known as Esfury. Autorunner is in the Esfury family. Esfury is a type of worm that commonly spreads via removable drives or platforms with user interaction (e.g. emails, instant messages, web pages). When executed, Esfury modifies multiple registry keys in order to execute when certain Windows applications are opened, including security products, registry editor and task manager. Esfury may also contact a remote server to download and execute arbitrary files. | 61de1883210e8632b578f9aaea9651f3 | 244cbc51921bd5f2651a012b89119a06729848b8 61de1883210e8632b578f9aaea9651f3 0be8709e38625829811638c2460a8eaa993569df882f4a7263747f91bd08970a https://blog.talosintelligence.com/2018/11/threat-roundup-1102-1109.html |
M18-xzk02 | Triusor_4eb4993d | Windows | This strike sends a malware sample known as Triusor. Triusor is a highly polymorphic malware family. All the binaries are packed and obfuscated to hinder the static analysis. The malware contains code that complicates the dynamic analysis. Once it is executed, the samples perform code injection. | 4eb4993d2b3099dcf4048fd0785c2dac | 7839c10ecc19cc94da1bd53c112434695169d52f 4eb4993d2b3099dcf4048fd0785c2dac 6a897eacea0f1a6773d19c6b1dbd101db860e3f8df547d97392c98a6aef0cce5 https://blog.talosintelligence.com/2018/11/threat-roundup-1123-1130.html |
M18-cdg01 | Esfury_ee787e23 | Windows | This strike sends a malware sample known as Esfury. Autorunner is in the Esfury family. Esfury is a type of worm that commonly spreads via removable drives or platforms with user interaction (e.g. emails, instant messages, web pages). When executed, Esfury modifies multiple registry keys in order to execute when certain Windows applications are opened, including security products, registry editor and task manager. Esfury may also contact a remote server to download and execute arbitrary files. | ee787e23a0c603319c423279cb12f226 | a1932e3bea31306990333eb29a16ab0407f89b5c ee787e23a0c603319c423279cb12f226 1374cf423bc66983991c7fd3e3767aedf67094cf5a3eff6eb695112b51dc5e6a https://blog.talosintelligence.com/2018/11/threat-roundup-1102-1109.html |
M18-40l01 | Xls.Dropper.Donoff_e40e5618 | Mixed | This strike sends a malware sample known as Xls.Dropper.Donoff. Donoff is a payload delivery Office document that leverages the Windows Command shell to launch PowerShell to download and execute an executable. The MD5 hash of this Xls.Dropper. | e40e561837573ccf7c4a95e910640c45 | 91cd88e392638a490fc2da730a0872e142c4b5b6 e40e561837573ccf7c4a95e910640c45 792436cb281c6704ea7f53f7532e7abdfa1370ecf071cb07fdf690f8f6469013 https://blog.talosintelligence.com/2018/11/threat-roundup-1123-1130.html |
M18-st602 | Donoff_85b276b9 | Mixed | This strike sends a malware sample known as Donoff. Donoff is a malicious Microsoft Office document that leverages the Windows Command shell to launch PowerShell and download and execute an executable. | 85b276b9c189beff14dcdaea65da86e3 | 325b0173fdd2f3fc4c305eb783bdf3e80d686372 85b276b9c189beff14dcdaea65da86e3 33d98771535a91ad332f2e59969b9f51a2bf811dbe886208e139e456cd124631 https://blog.talosintelligence.com/2018/11/threat-roundup-1123-1130.html |
M18-7fz01 | Donoff_7896f09c | Mixed | This strike sends a malware sample known as Donoff. Donoff is a malicious Microsoft Office document that leverages the Windows Command shell to launch PowerShell and download and execute an executable. | 7896f09c253c9cb647a281e26e1cafc9 | 1c9a6bed41d0b37452d9d5b86abcd58a1df8e92a 7896f09c253c9cb647a281e26e1cafc9 2eab620737103e94f0dcd33163071e8c0bd1cdaaf42c1d2e254d3e5e71851b24 https://blog.talosintelligence.com/2018/11/threat-roundup-1123-1130.html |
M18-vzs01 | Xls.Dropper.Donoff_6ffe8170 | Mixed | This strike sends a malware sample known as Xls.Dropper.Donoff. Donoff is a payload delivery Office document that leverages the Windows Command shell to launch PowerShell to download and execute an executable. The MD5 hash of this Xls.Dropper. | 6ffe817013abab377ef6ed3f91aceaa9 | 10a7c72bb995d4c9e7acc9757162952c80ed9aa2 6ffe817013abab377ef6ed3f91aceaa9 d59e75ccdee3f0419fd247372697275fa45f391af8319a4cf1f56df411885805 https://blog.talosintelligence.com/2018/11/threat-roundup-1123-1130.html |
M18-cvn01 | Valyria_bba70058 | Mixed | This strike sends a malware sample known as Valyria. Valyria is a malicious Microsoft Word document family that is used to distribute other malware. This campaign is currently spreading Emotet. | bba700580c8fbd38f736809ad7ad732c | f7c6b8eb6cd671d8daa1d0e5375a3452b55956c1 bba700580c8fbd38f736809ad7ad732c 52fb2178d177421a16086155829b67154ddfc589ddc71a99b14f922741586479 https://blog.talosintelligence.com/2018/11/threat-roundup-1123-1130.html |
M18-rm401 | Donoff_9f11d9bb | Mixed | This strike sends a malware sample known as Donoff. Donoff is a malicious Microsoft Office document that leverages the Windows Command shell to launch PowerShell and download and execute an executable. | 9f11d9bb69d946db53bd0eeb94e24755 | 3dc6c5b75287028a30ea7d7a6f02715c1fbc863e 9f11d9bb69d946db53bd0eeb94e24755 24d62b3de48bf8b55b79fafcd17bf4a2cb8489a86358b26aa361193ad355dee4 https://blog.talosintelligence.com/2018/11/threat-roundup-1123-1130.html |
M18-aq101 | Esfury_3501dc98 | Windows | This strike sends a malware sample known as Esfury. Autorunner is in the Esfury family. Esfury is a type of worm that commonly spreads via removable drives or platforms with user interaction (e.g. emails, instant messages, web pages). When executed, Esfury modifies multiple registry keys in order to execute when certain Windows applications are opened, including security products, registry editor and task manager. Esfury may also contact a remote server to download and execute arbitrary files. | 3501dc98d077e58a95cab4bf60ad81e1 | 5d6e4a2f0f9f91f56006eb4a4c30d6412548f0ba 3501dc98d077e58a95cab4bf60ad81e1 17ea3123406cb0ef21c174f4f27a89d4cbd5b61ff1359ec9b8c756b311ee0f4d https://blog.talosintelligence.com/2018/11/threat-roundup-1102-1109.html |
M18-o0g01 | Xls.Dropper.Donoff_3a359e11 | Mixed | This strike sends a malware sample known as Xls.Dropper.Donoff. Donoff is a payload delivery Office document that leverages the Windows Command shell to launch PowerShell to download and execute an executable. The MD5 hash of this Xls.Dropper. | 3a359e117d73c86eb37625eba9747e6e | 9ecfd8d8575fca34890a29fa94f4a08cb37e242f 3a359e117d73c86eb37625eba9747e6e 9e8fb999bba4c93ae100c02ede01475ddbc2b7db624930574ed76ec5813dd451 https://blog.talosintelligence.com/2018/11/threat-roundup-1123-1130.html |
M18-3lz01 | Xls.Dropper.Donoff_f7ee8c4b | Mixed | This strike sends a malware sample known as Xls.Dropper.Donoff. Donoff is a payload delivery Office document that leverages the Windows Command shell to launch PowerShell to download and execute an executable. The MD5 hash of this Xls.Dropper. | f7ee8c4b62741fea6e0e7de7619d6b47 | e167c361f626de9eb2e3fa848519b0412f4ce541 f7ee8c4b62741fea6e0e7de7619d6b47 67e1cadae72e11ddb22ce0fe36e319fde32e417acaf9fcbe9ea1b0bd1852fded https://blog.talosintelligence.com/2018/11/threat-roundup-1123-1130.html |
M18-d9x02 | Esfury_5ef94c6c | Windows | This strike sends a malware sample known as Esfury. Autorunner is in the Esfury family. Esfury is a type of worm that commonly spreads via removable drives or platforms with user interaction (e.g. emails, instant messages, web pages). When executed, Esfury modifies multiple registry keys in order to execute when certain Windows applications are opened, including security products, registry editor and task manager. Esfury may also contact a remote server to download and execute arbitrary files. | 5ef94c6cebcf7e8c4c0c5ee1d2fa41f0 | 531d93725d99eeaa9009a0b357abd086f164586b 5ef94c6cebcf7e8c4c0c5ee1d2fa41f0 06e53af6c4bde93f7a9da0b90408e59b701d1ced02c5fb14fba45c7272452367 https://blog.talosintelligence.com/2018/11/threat-roundup-1102-1109.html |
M18-mp201 | Win.Trojan.Emotet_e5b098fb | Windows | This strike sends a malware sample known as Win.Trojan.Emotet. Emotet is a banking trojan that has remained relevant due to its continual evolution to better avoid detection. It is commonly spread via malicious emails, and saw a resurgence recently during Black Friday. The MD5 hash of this Win.Trojan. | e5b098fb8954a7913969f8b51ccc20b5 | df9d7a784a3ecc04d987141b421384fe97c4f339 e5b098fb8954a7913969f8b51ccc20b5 fe7d3a850371b6effe47525e39efbf705c4136e78b35f78228b1f986d30ceced https://blog.talosintelligence.com/2018/11/threat-roundup-1123-1130.html |
M18-b3e01 | Valyria_c2051f72 | Mixed | This strike sends a malware sample known as Valyria. Valyria is a malicious Microsoft Word document family that is used to distribute other malware. This campaign is currently spreading Emotet. | c2051f72e532fe9da8f1a845d20180b2 | a571c36730b117ade8f315cee1060d06eb3b257c c2051f72e532fe9da8f1a845d20180b2 5ac2183dc29d6cea617b06c5787019409662898e259f6b1c0c7465c69054bb26 https://blog.talosintelligence.com/2018/11/threat-roundup-1123-1130.html |
M18-79302 | Triusor_7c21c148 | Windows | This strike sends a malware sample known as Triusor. Triusor is a highly polymorphic malware family. All the binaries are packed and obfuscated to hinder the static analysis. The malware contains code that complicates the dynamic analysis. Once it is executed, the samples perform code injection. | 7c21c148f3bbb12887ce933f1fff2b15 | 856fef8fcd5b87caacde42f96383562c5d33c60c 7c21c148f3bbb12887ce933f1fff2b15 ec0b82ac2d4ca03a4c20ebeaa2fe5a0fc33f4e2270f8bf08063400c06a005f59 https://blog.talosintelligence.com/2018/11/threat-roundup-1123-1130.html |
M18-vj502 | Win.Trojan.Emotet_d88c80f1 | Windows | This strike sends a malware sample known as Win.Trojan.Emotet. Emotet is a banking trojan that has remained relevant due to its continual evolution to better avoid detection. It is commonly spread via malicious emails, and saw a resurgence recently during Black Friday. The MD5 hash of this Win.Trojan. | d88c80f1db8016a4d95a29ce764d43be | 70ec7bc25e81073476c343c008172d78f6c414b9 d88c80f1db8016a4d95a29ce764d43be 5f30eab9dbf08a80292bc5184b6ff8e0ef075806b3d1eb8f5b5c525ec3efc4e9 https://blog.talosintelligence.com/2018/11/threat-roundup-1123-1130.html |
M18-esu01 | Donoff_fe2fc9bb | Mixed | This strike sends a malware sample known as Donoff. Donoff is a malicious Microsoft Office document that leverages the Windows Command shell to launch PowerShell and download and execute an executable. | fe2fc9bb543aa92ae8e2d74c373968fb | c43488fbf8dfb9c98466b50f9acc14b8afec93de fe2fc9bb543aa92ae8e2d74c373968fb 0e12bab4d0a4c65141c6d16cc8401efda84373a667dfdca21f56b61466ef9e7d https://blog.talosintelligence.com/2018/11/threat-roundup-1123-1130.html |
M18-v7n01 | Esfury_85541b13 | Windows | This strike sends a malware sample known as Esfury. Autorunner is in the Esfury family. Esfury is a type of worm that commonly spreads via removable drives or platforms with user interaction (e.g. emails, instant messages, web pages). When executed, Esfury modifies multiple registry keys in order to execute when certain Windows applications are opened, including security products, registry editor and task manager. Esfury may also contact a remote server to download and execute arbitrary files. | 85541b131d7caf6d80fb9a5269975d30 | a56beb152d1ce873addc9bef8be3e86f4ce33e2e 85541b131d7caf6d80fb9a5269975d30 13910ca1a7fbadf757c082dde5d1724b6b46d36b9eae47d1bd968c66a67be3ba https://blog.talosintelligence.com/2018/11/threat-roundup-1102-1109.html |
M18-qum01 | Esfury_e4b3aa74 | Windows | This strike sends a malware sample known as Esfury. Autorunner is in the Esfury family. Esfury is a type of worm that commonly spreads via removable drives or platforms with user interaction (e.g. emails, instant messages, web pages). When executed, Esfury modifies multiple registry keys in order to execute when certain Windows applications are opened, including security products, registry editor and task manager. Esfury may also contact a remote server to download and execute arbitrary files. | e4b3aa747aa0d5a137396f0ba38de860 | e0bbed6544cb9b1d1eb45bb1baf24db8edebd49e e4b3aa747aa0d5a137396f0ba38de860 09c40f54a73303ddf1d6170f3cd06778583260e82b7dfe155a2f804346aadfc9 https://blog.talosintelligence.com/2018/11/threat-roundup-1102-1109.html |
M18-onl01 | Esfury_ec541d19 | Windows | This strike sends a malware sample known as Esfury. Autorunner is in the Esfury family. Esfury is a type of worm that commonly spreads via removable drives or platforms with user interaction (e.g. emails, instant messages, web pages). When executed, Esfury modifies multiple registry keys in order to execute when certain Windows applications are opened, including security products, registry editor and task manager. Esfury may also contact a remote server to download and execute arbitrary files. | ec541d190c4159ac6cfb8737a95dc633 | 28e611526de7091999a6344b41d86cec8f55102d ec541d190c4159ac6cfb8737a95dc633 01474c0dacb671b37172b985d8e96bb688f2e4f6f8975a6bdab76c3ebb6ca29a https://blog.talosintelligence.com/2018/11/threat-roundup-1102-1109.html |
M18-n7l01 | Esfury_baf23c38 | Windows | This strike sends a malware sample known as Esfury. Autorunner is in the Esfury family. Esfury is a type of worm that commonly spreads via removable drives or platforms with user interaction (e.g. emails, instant messages, web pages). When executed, Esfury modifies multiple registry keys in order to execute when certain Windows applications are opened, including security products, registry editor and task manager. Esfury may also contact a remote server to download and execute arbitrary files. | baf23c38114e85d9a9dd4e1618340fbd | 376ed0ed3fa2fb792c4693e8f3764a2baa4fcaf0 baf23c38114e85d9a9dd4e1618340fbd 0b032c40e0877bd1c4aeca8bf56b87d0daacc781ad2cb025cdc7c3944074e816 https://blog.talosintelligence.com/2018/11/threat-roundup-1102-1109.html |
M18-6pf01 | Win.Trojan.Emotet_e390ca8d | Windows | This strike sends a malware sample known as Win.Trojan.Emotet. Emotet is a banking trojan that has remained relevant due to its continual evolution to better avoid detection. It is commonly spread via malicious emails, and saw a resurgence recently during Black Friday. The MD5 hash of this Win.Trojan. | e390ca8d55f33ac89d090dafb85ea243 | 5fd93f27794514888d0282768535370b752c801c e390ca8d55f33ac89d090dafb85ea243 40ef85a4108702a3af09f9047b66585ffa2c73458cf9177a6ca67b4d8f388050 https://blog.talosintelligence.com/2018/11/threat-roundup-1123-1130.html |
M18-nip02 | Esfury_8726d5fb | Windows | This strike sends a malware sample known as Esfury. Autorunner is in the Esfury family. Esfury is a type of worm that commonly spreads via removable drives or platforms with user interaction (e.g. emails, instant messages, web pages). When executed, Esfury modifies multiple registry keys in order to execute when certain Windows applications are opened, including security products, registry editor and task manager. Esfury may also contact a remote server to download and execute arbitrary files. | 8726d5fb85e27d692eb679383821663d | 7c9f7844ac8b802831b1c83323214b95a55d3fcd 8726d5fb85e27d692eb679383821663d 11e0b16cfcd0e45c21a1fbe9b7b14bf019f3e2ceb7894eee8e458eb6a7571c34 https://blog.talosintelligence.com/2018/11/threat-roundup-1102-1109.html |
M18-4q902 | Esfury_3dde5d0c | Windows | This strike sends a malware sample known as Esfury. Autorunner is in the Esfury family. Esfury is a type of worm that commonly spreads via removable drives or platforms with user interaction (e.g. emails, instant messages, web pages). When executed, Esfury modifies multiple registry keys in order to execute when certain Windows applications are opened, including security products, registry editor and task manager. Esfury may also contact a remote server to download and execute arbitrary files. | 3dde5d0c3185b189a22543fedc8336ed | a297f59be0f621d75b0862a09ab873f1ba2439d2 3dde5d0c3185b189a22543fedc8336ed 101217714340fcd5d1194ac746d2b4c9d42f739f12b983ce33801d2baebb71ab https://blog.talosintelligence.com/2018/11/threat-roundup-1102-1109.html |
M18-gs201 | Doc.Malware.00536d_cd5941b5 | Mixed | This strike sends a malware sample known as Doc.Malware.00536d. Doc.Malware.00536d is the denomination of a set of malicious documents that leverage VBA and PowerShell to install malware on the system. These documents usually convince the user to enable macros that, if executed, will download and install additional malware on the system. The MD5 hash of this Doc.Malware. | cd5941b58668f5313408ce28b500f4bf | f989047b059c3ab52f78feca639430f6748c9633 cd5941b58668f5313408ce28b500f4bf e796ca332e26230a092f392d509829b63808965679e245d5914a3a9fbaeeb04f https://blog.talosintelligence.com/2018/11/threat-roundup-1123-1130.html |
M18-cte01 | Win.Trojan.Emotet_ca09f71f | Windows | This strike sends a malware sample known as Win.Trojan.Emotet. Emotet is a banking trojan that has remained relevant due to its continual evolution to better avoid detection. It is commonly spread via malicious emails, and saw a resurgence recently during Black Friday. The MD5 hash of this Win.Trojan. | ca09f71f50784652354806186a6c3a38 | e2cb27f4790aba6e8b5a8c0906805527b174595f ca09f71f50784652354806186a6c3a38 529a8f391dd994779340aa59118b703256321bb421db138ee0b7db4265599b12 https://blog.talosintelligence.com/2018/11/threat-roundup-1123-1130.html |
M18-nv801 | Win.Trojan.Emotet_e02b09f1 | Windows | This strike sends a malware sample known as Win.Trojan.Emotet. Emotet is a banking trojan that has remained relevant due to its continual evolution to better avoid detection. It is commonly spread via malicious emails, and saw a resurgence recently during Black Friday. The MD5 hash of this Win.Trojan. | e02b09f1f638cde48435b4993c027c94 | c6d4f189353305237b55cec121976ac4c1054d61 e02b09f1f638cde48435b4993c027c94 c1b6f751fda9de784eea8764525eda4ea0644492c1dd8f1da9fc34e5b26b95b6 https://blog.talosintelligence.com/2018/11/threat-roundup-1123-1130.html |
M18-pjk01 | Donoff_b1f82127 | Mixed | This strike sends a malware sample known as Donoff. Donoff is a malicious Microsoft Office document that leverages the Windows Command shell to launch PowerShell and download and execute an executable. | b1f821272196571d9fef48f99e37961d | a503bee06173330abd6f2354d726bb103ab90e30 b1f821272196571d9fef48f99e37961d 121c49ab3eccc4472a13766f874b489b025ef1d5d9e1f8243085cb07290177c6 https://blog.talosintelligence.com/2018/11/threat-roundup-1123-1130.html |
M18-8cg01 | Valyria_3d2080c2 | Mixed | This strike sends a malware sample known as Valyria. Valyria is a malicious Microsoft Word document family that is used to distribute other malware. This campaign is currently spreading Emotet. | 3d2080c234c910bc2434cc9d57d7f172 | 049cb728843c56cf93d16d5a71dab9e3875bd8d8 3d2080c234c910bc2434cc9d57d7f172 52577b1c77ef1a8e21c3681d4610bf47fec5fbae0f751f3396dc349d23186de8 https://blog.talosintelligence.com/2018/11/threat-roundup-1123-1130.html |
M18-ovh01 | Triusor_41e1694c | Windows | This strike sends a malware sample known as Triusor. Triusor is a highly polymorphic malware family. All the binaries are packed and obfuscated to hinder the static analysis. The malware contains code that complicates the dynamic analysis. Once it is executed, the samples perform code injection. | 41e1694ce3ddb74f6298d5532808cc9c | c43dadcc8ada8549f1f40f773eda5586aaef1d58 41e1694ce3ddb74f6298d5532808cc9c dc8c46a57c38955f4b6356d29662beeb0f88eeca50a94191df8892efab3bfc2e https://blog.talosintelligence.com/2018/11/threat-roundup-1123-1130.html |
M18-rm701 | Win.Trojan.Emotet_cbb12b1a | Windows | This strike sends a malware sample known as Win.Trojan.Emotet. Emotet is a banking trojan that has remained relevant due to its continual evolution to better avoid detection. It is commonly spread via malicious emails, and saw a resurgence recently during Black Friday. The MD5 hash of this Win.Trojan. | cbb12b1abd614fd51ba65b366f222a12 | 3a21532ae26c9c1b618934c39c20621fcef61488 cbb12b1abd614fd51ba65b366f222a12 f5e1c6d6d9bd26a6d0ae3b8657030dd40138e0371b824013821f48302e3f67f3 https://blog.talosintelligence.com/2018/11/threat-roundup-1123-1130.html |
M18-iu401 | Triusor_10b77c0e | Windows | This strike sends a malware sample known as Triusor. Triusor is a highly polymorphic malware family. All the binaries are packed and obfuscated to hinder the static analysis. The malware contains code that complicates the dynamic analysis. Once it is executed, the samples perform code injection. | 10b77c0ebe212ccd6ed234741d16c41d | edae115a4b959685239ffc0c212689bcaf20cdc8 10b77c0ebe212ccd6ed234741d16c41d 249ac287cada8bab59c445a286a8edb645f58035681c788687979c17d7eb766f https://blog.talosintelligence.com/2018/11/threat-roundup-1123-1130.html |
M18-uq301 | Esfury_d65a4fcb | Windows | This strike sends a malware sample known as Esfury. Autorunner is in the Esfury family. Esfury is a type of worm that commonly spreads via removable drives or platforms with user interaction (e.g. emails, instant messages, web pages). When executed, Esfury modifies multiple registry keys in order to execute when certain Windows applications are opened, including security products, registry editor and task manager. Esfury may also contact a remote server to download and execute arbitrary files. | d65a4fcbfa3ee5c14a6781e9e76eb891 | 94dd80248211a9c056fa327c9ab2f54d4c82c550 d65a4fcbfa3ee5c14a6781e9e76eb891 08617dcb9523e28efed1e47917b6f9dc6dfb534c6d0d7df0888e977099f4db71 https://blog.talosintelligence.com/2018/11/threat-roundup-1102-1109.html |
M18-gfr01 | Esfury_75583f80 | Windows | This strike sends a malware sample known as Esfury. Autorunner is in the Esfury family. Esfury is a type of worm that commonly spreads via removable drives or platforms with user interaction (e.g. emails, instant messages, web pages). When executed, Esfury modifies multiple registry keys in order to execute when certain Windows applications are opened, including security products, registry editor and task manager. Esfury may also contact a remote server to download and execute arbitrary files. | 75583f80e814b350a2e096c26534bc3a | aa3422d6d7f89d9348bba174590f362f1f8bc783 75583f80e814b350a2e096c26534bc3a 00de9aefee7e84028781e5d88e23c7ac53d8a10aa97116411d43b6532112fa16 https://blog.talosintelligence.com/2018/11/threat-roundup-1102-1109.html |
M18-d0o01 | Valyria_4e29a162 | Mixed | This strike sends a malware sample known as Valyria. Valyria is a malicious Microsoft Word document family that is used to distribute other malware. This campaign is currently spreading Emotet. | 4e29a162f87bf97276c6523c9262d0cd | 58fb95f9bbb1ace97908fa3118f90a9513c11232 4e29a162f87bf97276c6523c9262d0cd 0ed8f1b95565876de24b49ab281f37d05d68130edc574ddd66300c5d5c9ad468 https://blog.talosintelligence.com/2018/11/threat-roundup-1123-1130.html |
M18-kg201 | Valyria_63ad7c25 | Mixed | This strike sends a malware sample known as Valyria. Valyria is a malicious Microsoft Word document family that is used to distribute other malware. This campaign is currently spreading Emotet. | 63ad7c25273eb13fdf9d3495e3433ee1 | 5162e1020bf1ee01ac3c32c6ee1fd2852918800c 63ad7c25273eb13fdf9d3495e3433ee1 13707ac10ce41e2ec1547148c17a6186ff06009cd79789e01b879e96a5765f8a https://blog.talosintelligence.com/2018/11/threat-roundup-1123-1130.html |
M18-mqo01 | Xls.Dropper.Donoff_ee90c808 | Mixed | This strike sends a malware sample known as Xls.Dropper.Donoff. Donoff is a payload delivery Office document that leverages the Windows Command shell to launch PowerShell to download and execute an executable. The MD5 hash of this Xls.Dropper. | ee90c8089a170884b803dd089b9f9584 | 073f42b487fb05a8bf026ebade169a6fa8115cbc ee90c8089a170884b803dd089b9f9584 f60827889d806f6864b2af5e5c08c467c1f41b176ae47b51bb3918f5cafa68a9 https://blog.talosintelligence.com/2018/11/threat-roundup-1123-1130.html |
M18-ol701 | Xls.Dropper.Donoff_7ce9aa21 | Mixed | This strike sends a malware sample known as Xls.Dropper.Donoff. Donoff is a payload delivery Office document that leverages the Windows Command shell to launch PowerShell to download and execute an executable. The MD5 hash of this Xls.Dropper. | 7ce9aa21925e22e6d70ff649dbfa57de | 3928809fef29ce4242e5a1907ab73e3dec7b8a09 7ce9aa21925e22e6d70ff649dbfa57de 405e08a4ab0c60f3ddc24dc4f4998bb654fbfae556163c9b70a2545cb79c4414 https://blog.talosintelligence.com/2018/11/threat-roundup-1123-1130.html |
M18-kg901 | Esfury_47c9078f | Windows | This strike sends a malware sample known as Esfury. Autorunner is in the Esfury family. Esfury is a type of worm that commonly spreads via removable drives or platforms with user interaction (e.g. emails, instant messages, web pages). When executed, Esfury modifies multiple registry keys in order to execute when certain Windows applications are opened, including security products, registry editor and task manager. Esfury may also contact a remote server to download and execute arbitrary files. | 47c9078f89000d08f23a6c8067645e84 | d315c306fc5c8f038be335d27fb43042a44c0b72 47c9078f89000d08f23a6c8067645e84 06bdc32de83eec39c9153b7944b8abc0137e3b69c80ac02e74d6903c656915e7 https://blog.talosintelligence.com/2018/11/threat-roundup-1102-1109.html |
M18-7sy01 | Gandcrab_b91a77fb | Windows | This strike sends a malware sample known as Gandcrab. Gandcrab is ransomware that encrypts documents, photos, databases and other important files using the file extension ".GDCB", ".CRAB" or ".KRAB". It's spread through traditional spam campaigns, as well as multiple exploit kits, including Rig and Grandsoft. | b91a77fb35ef6c01ce3d85849efaa024 | cfdf1f35749c32adafbac6d9741730c73790b763 b91a77fb35ef6c01ce3d85849efaa024 0a48f61677791bca8d2553662ec6bce8acfdb3249cfcabac2802ba216ac54262 https://blog.talosintelligence.com/2018/11/threat-roundup-1109-1116.html#more |
M18-3v801 | Vobfus_cf17419d | Windows | This strike sends a malware sample known as Vobfus. Vobfus is a worm that copies itself to external drives and attempts to gain automatic code execution via autorun.inf files. It also modifies the registry so that it will run when the system is booted. Once installed, it attempts to download follow-on malware from its command and control (C2) servers. | cf17419d230a34033845258ed68923e4 | 2676bc9ae0b1ef83eb198747d2f59139f956a970 cf17419d230a34033845258ed68923e4 133fea888e19e34c7703b38194ec08360ce8d697d7aec79da979a35072adce02 https://blog.talosintelligence.com/2018/11/threat-roundup-1109-1116.html#more |
M18-9ld01 | Upatre_b2f4668b | Windows | This strike sends a malware sample known as Upatre. Upatre is a malicious downloader often used by exploit kits and phishing campaigns. Upatre downloads and executes malicious executables, such as banking malware. | b2f4668bd5e1185afa6bcaa270535536 | 73bb866c6128f254d2229a5af603ac00985fdc42 b2f4668bd5e1185afa6bcaa270535536 bcdfdc97d2a6f3769902d3bf55b180b4dd9efc74af345cf23a795dbdc9456b51 https://blog.talosintelligence.com/2018/11/threat-roundup-1109-1116.html#more |
M18-qx602 | Dijo_a30502ea | Windows | This strike sends a malware sample known as Dijo. Win.Malware.DIJO, also known as Ursnif, is used to steal sensitive information from an infected host and can also act as a malware downloader. It is commonly spread through malicious emails or exploit kits. | a30502eaea733c662a1f0e150531b9bb | 7fe35f8d2ed5f35ce6758a8eea33bdb2737bb4e5 a30502eaea733c662a1f0e150531b9bb 01aa3a5ab9590ff079a13d66f67d40b441ab171d2a6ead0df5453b2d3b55888d https://blog.talosintelligence.com/2018/11/threat-roundup-1109-1116.html#more |
M18-rgc01 | Gandcrab_0c13b508 | Windows | This strike sends a malware sample known as Gandcrab. Gandcrab is ransomware that encrypts documents, photos, databases and other important files using the file extension ".GDCB", ".CRAB" or ".KRAB." It's spread through traditional spam campaigns, as well as multiple exploit kits, including Rig and Grandsoft. | 0c13b5084c0de79bd17846db859772d0 | e888556b0395ac80caa79ef6974391d11c3e4a26 0c13b5084c0de79bd17846db859772d0 0acc350e791e4201a7dd17e389ba8e03264343020432389d3e1b9d08874005af https://blog.talosintelligence.com/2018/11/threat-roundup-1109-1116.html#more |
M18-am401 | Gamarue_ef78d661 | Windows | This strike sends a malware sample known as Gamarue. Win.Trojan.Gamarue covers a family that, after installing itself on the system to survive after reboot, will spread itself to USB drives and modify system configuration settings to weaken its security and disable certain features, such as the task manager or the Windows shell, in order to protect itself. It can exfiltrate sensitive data and receive additional commands. | ef78d6619c72c3dca9e371402ed4c5ba | 0f7ac8d96d7f94bfdf2e55d10d9ff6d31d4c9925 ef78d6619c72c3dca9e371402ed4c5ba 4d60b0ae61b9ef56997be59f7c896f2a60e81e28d267cbcec52a75140e05aa16 https://blog.talosintelligence.com/2018/11/threat-roundup-1102-1109.html#more |
M18-k6p01 | Gamarue_d0573162 | Windows | This strike sends a malware sample known as Gamarue. Win.Trojan.Gamarue covers a family that, after installing itself on the system to survive after reboot, will spread itself to USB drives and modify system configuration settings to weaken its security and disable certain features, such as the task manager or the Windows shell, in order to protect itself. It can exfiltrate sensitive data and receive additional commands. | d0573162e5f9420070f99e6c9d06d8ec | 2febcf10810c9fa1ef465476ddf1930b84ff7e60 d0573162e5f9420070f99e6c9d06d8ec 44e49ebd375b57146ad486e37db18e7809d01d51c0ed55e8d8afe9c43d3a5485 https://blog.talosintelligence.com/2018/11/threat-roundup-1102-1109.html#more |
M18-hsu01 | Emotet_5dd3fd84 | Windows | This strike sends a malware sample known as Emotet. Emotet is a banking trojan that has remained relevant due to its continual evolution to bypass antivirus products. It is commonly spread via malicious emails. | 5dd3fd8405b3af2532b30ccd42dc01a2 | e9a13af010b9e9fa1cb202d8a027078db1b65c94 5dd3fd8405b3af2532b30ccd42dc01a2 b53fb3cf4ed1d4e62dd0cc9d8e1d482dc1a55dedc3804a097f1b213080bb64c5 https://blog.talosintelligence.com/2018/11/threat-roundup-1109-1116.html#more |
M18-awg01 | Dijo_89573cee | Windows | This strike sends a malware sample known as Dijo. Win.Malware.DIJO, also known as Ursnif, is used to steal sensitive information from an infected host and can also act as a malware downloader. It is commonly spread through malicious emails or exploit kits. | 89573cee1420d858dbf5ad2eef44e9ad | 07c768f52f6867467d5ca7b8ba89dabed652eea1 89573cee1420d858dbf5ad2eef44e9ad 0b438e78bb3fe8bffc8f5f1453f318efe177c97d9e4f0ba7e26969a60671a67e https://blog.talosintelligence.com/2018/11/threat-roundup-1109-1116.html#more |
M18-vis01 | Emotet_b51a68cc | Windows | This strike sends a malware sample known as Emotet. Emotet is a banking trojan that has remained relevant due to its continual evolution to bypass antivirus products. It is commonly spread via malicious emails. | b51a68cc20ef5bd16a55e132ca62e15f | 219817a065763243fe2c841b4dfced24eb8021c6 b51a68cc20ef5bd16a55e132ca62e15f 11fb93e3b137ff6978fd79fdd634f44f257ee28f9bc5c2965108cb5c49a0d949 https://blog.talosintelligence.com/2018/11/threat-roundup-1109-1116.html#more |
M18-rdi01 | Upatre_0c66098d | Windows | This strike sends a malware sample known as Upatre. Upatre is a malicious downloader often used by exploit kits and phishing campaigns. Upatre downloads and executes malicious executables, such as banking malware. | 0c66098d9390fc284f5616e0bdb3200f | 0663b5e46378fb0a683e4309f7d30a49b1c478f1 0c66098d9390fc284f5616e0bdb3200f af44d4fff8ce394f9ecb9b3f9d95b8fb440a7b8f1892574f41355072ec2f0999 https://blog.talosintelligence.com/2018/11/threat-roundup-1109-1116.html#more |
M18-olm01 | Mikey_177a6adc | Windows | This strike sends a malware sample known as Mikey. Win.Malware.Mikey is a trojan that installs itself on the system, collects information and communicates with a C2 server, potentially exfiltrating sensitive information. These types of threats can also receive additional commands and perform other malicious actions on the system such as installing additional malware upon request. | 177a6adc86da9097f74a4bc3e64b9028 | c46fc9859cd86c6af815b719d3b4f1e65b881504 177a6adc86da9097f74a4bc3e64b9028 201872934f7f6674af89597d1a819f79cf843578aa9928191561ebdb637a53cd https://blog.talosintelligence.com/2018/11/threat-roundup-1102-1109.html#more |
M18-wh801 | Gandcrab_a38ca4bf | Windows | This strike sends a malware sample known as Gandcrab. Gandcrab is ransomware that encrypts documents, photos, databases and other important files using the file extension ".GDCB", ".CRAB" or ".KRAB." It's spread through traditional spam campaigns, as well as multiple exploit kits, including Rig and Grandsoft. | a38ca4bfbafe6794c3c3599169fc584e | 10674c336d22324ae41e8f9dd6a0ab0f9679fea1 a38ca4bfbafe6794c3c3599169fc584e 13ab0a6dcd3cfd5136b54d11739169917df37a5681189baf92c4c6b0a2df0bc9 https://blog.talosintelligence.com/2018/11/threat-roundup-1109-1116.html#more |
M18-pm101 | Dijo_1ede6fad | Windows | This strike sends a malware sample known as Dijo. Win.Malware.DIJO, also known as Ursnif, is used to steal sensitive information from an infected host and can also act as a malware downloader. It is commonly spread through malicious emails or exploit kits. | 1ede6fade6fa59f6ebbe07bfb00ecadd | 361ba38715d8d9583856d95f8cd56fc5194ee798 1ede6fade6fa59f6ebbe07bfb00ecadd 0326d68f08fc899cd8bb7f1a9c1d7df50bc5b979e0f7d2532904a419ab1b7160 https://blog.talosintelligence.com/2018/11/threat-roundup-1109-1116.html#more |
M18-5wt01 | Emotet_44d33f5e | Windows | This strike sends a malware sample known as Emotet. Emotet is a banking trojan that has remained relevant due to its continual evolution to bypass antivirus products. It is commonly spread via malicious emails. | 44d33f5e0db7e8dc2f3a62d3a41b1e09 | dd068887950d4fafd9078f4beb9b14c542a22c3e 44d33f5e0db7e8dc2f3a62d3a41b1e09 ea8479d471d38105312f8264f2d93c7dd317d1bfda94f345f74313efffe8fb54 https://blog.talosintelligence.com/2018/11/threat-roundup-1109-1116.html#more |
M18-vhm01 | Gandcrab_72e2b716 | Windows | This strike sends a malware sample known as Gandcrab. Gandcrab is ransomware that encrypts documents, photos, databases and other important files using the file extension ".GDCB", ".CRAB" or ".KRAB." It's spread through traditional spam campaigns, as well as multiple exploit kits, including Rig and Grandsoft. | 72e2b7166b4c79e4f8b58635f86f9718 | ba5a361b98dda44308a42336b6b112ceef952c2f 72e2b7166b4c79e4f8b58635f86f9718 09abf839c42200b000d3065d2cda41d858be415a521a5cb2b77b6e62503ae460 https://blog.talosintelligence.com/2018/11/threat-roundup-1109-1116.html#more |
M18-06x01 | Upatre_c3ed95d8 | Windows | This strike sends a malware sample known as Upatre. Upatre is a malicious downloader often used by exploit kits and phishing campaigns. Upatre downloads and executes malicious executables, such as banking malware. | c3ed95d8ece4d48060bf324b2de77507 | b8423998f4df971a0cca2c52694b8505ae95a9e4 c3ed95d8ece4d48060bf324b2de77507 c224d27d7adf2fece2e9round2f62e244e8e5bcaa98c89ade06d40b0112e6bd1 https://blog.talosintelligence.com/2018/11/threat-roundup-1109-1116.html#more |
M18-dzd01 | Dijo_6fa50420 | Windows | This strike sends a malware sample known as Dijo. Win.Malware.DIJO, also known as Ursnif, is used to steal sensitive information from an infected host and can also act as a malware downloader. It is commonly spread through malicious emails or exploit kits. | 6fa5042099c0263594c92894663675f8 | 2aaaff2a9f6ffd0ea58c799ba7d9fc1d2be7c8c1 6fa5042099c0263594c92894663675f8 01e4c31f4836784dc4d297c4ba6e8f680216693735339022e11669960b929dcc https://blog.talosintelligence.com/2018/11/threat-roundup-1109-1116.html#more |
M18-ray01 | Dijo_6da5c152 | Windows | This strike sends a malware sample known as Dijo. Win.Malware.DIJO, also known as Ursnif, is used to steal sensitive information from an infected host and can also act as a malware downloader. It is commonly spread through malicious emails or exploit kits. | 6da5c152acd675f3d40ba161ab650361 | 854519fbba5e3f73cd961c5ede8fb4b2d247bdd9 6da5c152acd675f3d40ba161ab650361 0b4d5c0751ead190373484f7b4d8f0d7e5de5ade613b888712b92947fc173a6a https://blog.talosintelligence.com/2018/11/threat-roundup-1109-1116.html#more |
M18-5oy01 | Dijo_943a92b7 | Windows | This strike sends a malware sample known as Dijo. Win.Malware.DIJO, also known as Ursnif, is used to steal sensitive information from an infected host and can also act as a malware downloader. It is commonly spread through malicious emails or exploit kits. | 943a92b7b787ea05bb8e6f51404d8141 | 2e570e6ba9ade4556bb4b5e76ffb8e5712cb76d1 943a92b7b787ea05bb8e6f51404d8141 03df086184a6b1b146858ea3cef951dc9c3bf6148a26740a74e2384f5cc4a256 https://blog.talosintelligence.com/2018/11/threat-roundup-1109-1116.html#more |
M18-jl501 | Gamarue_a2334783 | Windows | This strike sends a malware sample known as Gamarue. Win.Trojan.Gamarue covers a family that, after installing itself on the system to survive after reboot, will spread itself to USB drives and modify system configuration settings to weaken its security and disable certain features, such as the task manager or the Windows shell, in order to protect itself. It can exfiltrate sensitive data and receive additional commands. | a233478346fb01b7191b51d0cd8a0cf2 | 3cd50292cce2857fb991e30687d6fe11d3e6e9a8 a233478346fb01b7191b51d0cd8a0cf2 59751557033163959f841a10157e94f1c9fa8e5366a910644f1966a125ad9b35 https://blog.talosintelligence.com/2018/11/threat-roundup-1102-1109.html#more |
M18-x5401 | Nymaim_0d3e630b | Windows | This strike sends a malware sample known as Nymaim. Win.Malware.Nymaim is malware that can be used to deliver ransomware and other malicious payloads. It uses a domain generation algorithm to generate potential command and control (C2) domains to connect to additional payloads. | 0d3e630b954b9d181833158eb1955c8b | 716593553edfaa80b873cd148f5899d6c12d1080 0d3e630b954b9d181833158eb1955c8b 079c12699c6dbd13e486a4c7db333ec114420da38acde8afe4d62219c62afd82 https://blog.talosintelligence.com/2018/11/threat-roundup-1102-1109.html#more |
M18-1pc01 | Dijo_9f96c2a7 | Windows | This strike sends a malware sample known as Dijo. Win.Malware.DIJO, also known as Ursnif, is used to steal sensitive information from an infected host and can also act as a malware downloader. It is commonly spread through malicious emails or exploit kits. | 9f96c2a7e210439b1b3b6f77d01bde56 | 75213195187697a185894944964346301eafb2f6 9f96c2a7e210439b1b3b6f77d01bde56 004a4d3772f1253ed309ce48cdefb8358c7500b91b7fc1a548dd32af03f8178d https://blog.talosintelligence.com/2018/11/threat-roundup-1109-1116.html#more |
M18-ch001 | Vobfus_b2393681 | Windows | This strike sends a malware sample known as Vobfus. Vobfus is a worm that copies itself to external drives and attempts to gain automatic code execution via autorun.inf files. It also modifies the registry so that it will run when the system is booted. Once installed, it attempts to download follow-on malware from its command and control (C2) servers. | b2393681aef1a9712b42511368a143ea | ace283dd391a9003cc2185511e89d4f5fd9885fc b2393681aef1a9712b42511368a143ea 0feb943bda713bb872c82a94bceb10acd11a1ec0cd2997236dc17da24b646288 https://blog.talosintelligence.com/2018/11/threat-roundup-1109-1116.html#more |
M18-ngc01 | Upatre_de5099b3 | Windows | This strike sends a malware sample known as Upatre. Upatre is a malicious downloader often used by exploit kits and phishing campaigns. Upatre downloads and executes malicious executables, such as banking malware. | de5099b3f458a6f567545e99c4f41798 | 9e3066958d034f88c290561ac76f57f1822b6bae de5099b3f458a6f567545e99c4f41798 d7afe736ed75987b854236b451a4cb6f0642b4e9cc92f3a9a96e2b8535070d05 https://blog.talosintelligence.com/2018/11/threat-roundup-1109-1116.html#more |
M18-nih01 | Mikey_12236d1f | Windows | This strike sends a malware sample known as Mikey. Win.Malware.Mikey is a trojan that installs itself on the system, collects information and communicates with a C2 server, potentially exfiltrating sensitive information. These types of threats can also receive additional commands and perform other malicious actions on the system such as installing additional malware upon request. | 12236d1f87bd057b46c81d3b05640019 | 0f30fdb27377c614b7835a3b710a7d6133510541 12236d1f87bd057b46c81d3b05640019 48437e0f2c8bc5f0d3f46fec63ce26b3b66dc65610e3c97b4fa8a1b643c8e2f1 https://blog.talosintelligence.com/2018/11/threat-roundup-1102-1109.html#more |
M18-hyp01 | Mikey_9b9905b2 | Windows | This strike sends a malware sample known as Mikey. Win.Malware.Mikey is a trojan that installs itself on the system, collects information and communicates with a C2 server, potentially exfiltrating sensitive information. These types of threats can also receive additional commands and perform other malicious actions on the system such as installing additional malware upon request. | 9b9905b290a1fa192b032e97150136ad | dd086a87350d39b1559d21cbab6d89939ec7f432 9b9905b290a1fa192b032e97150136ad f99b50470431b2f91b80f3acccbf179441aa24bc702d3f2ba08f4f9f2357d6c8 https://blog.talosintelligence.com/2018/11/threat-roundup-1102-1109.html#more |
M18-vv401 | Vobfus_be76a71f | Windows | This strike sends a malware sample known as Vobfus. Vobfus is a worm that copies itself to external drives and attempts to gain automatic code execution via autorun.inf files. It also modifies the registry so that it will run when the system is booted. Once installed, it attempts to download follow-on malware from its command and control (C2) servers. | be76a71fbd7ab349e9c13aea9dc96f68 | 6724be40d4072f5024421675806297b9a368be18 be76a71fbd7ab349e9c13aea9dc96f68 0db0feea81c1b211fbae852151734fca8fb423102cb953dafb3c188f40491482 https://blog.talosintelligence.com/2018/11/threat-roundup-1109-1116.html#more |
M18-aab01 | Nymaim_6bb72d2e | Windows | This strike sends a malware sample known as Nymaim. Win.Malware.Nymaim is malware that can be used to deliver ransomware and other malicious payloads. It uses a domain generation algorithm to generate potential command and control (C2) domains to connect to additional payloads. | 6bb72d2ee5c0e66a27291b448ae26115 | d177d2bd9c546ee6768cef406aba717d15081ccc 6bb72d2ee5c0e66a27291b448ae26115 91e2920a163dec32f3edd8ff50a8b545fb192ad3d75c2ee96db6ac9b01f373dd https://blog.talosintelligence.com/2018/11/threat-roundup-1102-1109.html#more |
M18-rck01 | Mikey_ab923633 | Windows | This strike sends a malware sample known as Mikey. Win.Malware.Mikey is a trojan that installs itself on the system, collects information and communicates with a C2 server, potentially exfiltrating sensitive information. These types of threats can also receive additional commands and perform other malicious actions on the system such as installing additional malware upon request. | ab923633032c47ff6d9c40ed36a40b2b | b7c4fbc1b9bc8715582fb9624672c3aa6b86ddce ab923633032c47ff6d9c40ed36a40b2b 3c66d120d27778c2a1110170ad85eed2313fcc5cf55345cdbdc283ada76a86c1 https://blog.talosintelligence.com/2018/11/threat-roundup-1102-1109.html#more |
M18-glp01 | Mikey_dfc48442 | Windows | This strike sends a malware sample known as Mikey. Win.Malware.Mikey is a trojan that installs itself on the system, collects information and communicates with a C2 server, potentially exfiltrating sensitive information. These types of threats can also receive additional commands and perform other malicious actions on the system such as installing additional malware upon request. | dfc4844209da59d73ffe55e86a32ed19 | 69c6a72a68bc8603c65a1021659bda5be6348e57 dfc4844209da59d73ffe55e86a32ed19 8f815fbcf18c1bc554756233e3fa7d326645a30809042b068ac03daef649c307 https://blog.talosintelligence.com/2018/11/threat-roundup-1102-1109.html#more |
M18-6fa01 | Parite_09557cca | Windows | This strike sends a malware sample known as Parite. Parite is a polymorphic file infector. It infects executable files on the local machine and on network drives. | 09557cca23be7357bddeb0b0d52700c8 | 63dfa90220db37bb90eb7c8462deaf1a8909fbf0 09557cca23be7357bddeb0b0d52700c8 51bbe9d3ae4bd23f31fd90ddf0d8af295ca98773653a16c2bb5a950670352888 https://blog.talosintelligence.com/2018/11/threat-roundup-1109-1116.html#more |
M18-g5p01 | Nymaim_824c18c9 | Windows | This strike sends a malware sample known as Nymaim. Win.Malware.Nymaim is malware that can be used to deliver ransomware and other malicious payloads. It uses a domain generation algorithm to generate potential command and control (C2) domains to connect to additional payloads. | 824c18c98e40097027c7ffdbc10714d8 | 1b25c0df2b6b22ba1ce02b613606f43b1ea17903 824c18c98e40097027c7ffdbc10714d8 303f8d6644e52783c8d4ebdef5d4e720803e828529eef24607806cb6041d1adc https://blog.talosintelligence.com/2018/11/threat-roundup-1102-1109.html#more |
M18-hq101 | Upatre_bc25ca4d | Windows | This strike sends a malware sample known as Upatre. Upatre is a malicious downloader often used by exploit kits and phishing campaigns. Upatre downloads and executes malicious executables, such as banking malware. | bc25ca4d4d2bc446ad42ae03bbbdf584 | 91776cb8cfcdb218271352c7f19f3da812828ef4 bc25ca4d4d2bc446ad42ae03bbbdf584 7da8dd2d31ad4ed61c87b5f44e1d70bcb938d9c5ff9abbc94c8e76cf0b10f379 https://blog.talosintelligence.com/2018/11/threat-roundup-1109-1116.html#more |
M18-14901 | Dijo_d090014c | Windows | This strike sends a malware sample known as Dijo. Win.Malware.DIJO, also known as Ursnif, is used to steal sensitive information from an infected host and can also act as a malware downloader. It is commonly spread through malicious emails or exploit kits. | d090014c5368ff2b933884ed7848b42f | 5f51503d8ff904810b256e41cbcb20f76baeaea8 d090014c5368ff2b933884ed7848b42f 03e17ccdc6dfa104759f6d08c38a1ee96fd9cb161600fb5446b61132e4d9bd3d https://blog.talosintelligence.com/2018/11/threat-roundup-1109-1116.html#more |
M18-dy601 | Parite_0d2b7458 | Windows | This strike sends a malware sample known as Parite. Parite is a polymorphic file infector. It infects executable files on the local machine and on network drives. | 0d2b74583db3119d38bf181cb87c01e6 | 65f150a8555a06593e12d01081aad03fe01f1afa 0d2b74583db3119d38bf181cb87c01e6 15c7b9a2c4688af296b57ac418f01347c8fbbd74ac5fbcae17c90f9bcdfb8e26 https://blog.talosintelligence.com/2018/11/threat-roundup-1109-1116.html#more |
M18-66k01 | Vobfus_d3955505 | Windows | This strike sends a malware sample known as Vobfus. Vobfus is a worm that copies itself to external drives and attempts to gain automatic code execution via autorun.inf files. It also modifies the registry so that it will run when the system is booted. Once installed, it attempts to download follow-on malware from its command and control (C2) servers. | d39555056c2196f079c2a0b9bd177b53 | 75bd33da1025388a376f7281fa1b50d183d43833 d39555056c2196f079c2a0b9bd177b53 0ceecae1d802f19881b04e6f97af98b5039f2b8ccd538c293d66de93d8d77964 https://blog.talosintelligence.com/2018/11/threat-roundup-1109-1116.html#more |
M18-cs301 | Upatre_a8de1a4f | Windows | This strike sends a malware sample known as Upatre. Upatre is a malicious downloader often used by exploit kits and phishing campaigns. Upatre downloads and executes malicious executables, such as banking malware. | a8de1a4fd81ba43522595ce44abc145d | fbe187704eca5c92e814c3b5034117fce65d524a a8de1a4fd81ba43522595ce44abc145d 61e96310f388db546db48b6b8d81958264647add9f7cc880067cd6f875b5b4f9 https://blog.talosintelligence.com/2018/11/threat-roundup-1109-1116.html#more |
M18-7ks01 | Mikey_37c49226 | Windows | This strike sends a malware sample known as Mikey. Win.Malware.Mikey is a trojan that installs itself on the system, collects information and communicates with a C2 server, potentially exfiltrating sensitive information. These types of threats can also receive additional commands and perform other malicious actions on the system such as installing additional malware upon request. | 37c492268b68f7a00419c59c177b5859 | 730010dc3690beb8abfb5815f89cad37e603a6d7 37c492268b68f7a00419c59c177b5859 d3edf8ca17f1b41fa96ea9b4377d5778a7965345230425730940444469ce57fb https://blog.talosintelligence.com/2018/11/threat-roundup-1102-1109.html#more |
M18-j9d01 | Upatre_e844abda | Windows | This strike sends a malware sample known as Upatre. Upatre is a malicious downloader often used by exploit kits and phishing campaigns. Upatre downloads and executes malicious executables, such as banking malware. | e844abda1418fb88ced2052cc9bab9e9 | 6e0fd6bdc67e0e9e59a4667d3ec098040cf37256 e844abda1418fb88ced2052cc9bab9e9 87071c84cff348e086cb28fcfeec54daf58d728c5fb3aaa26ff4aca42fab4b4f https://blog.talosintelligence.com/2018/11/threat-roundup-1109-1116.html#more |
M18-vn801 | Gandcrab_47a8d848 | Windows | This strike sends a malware sample known as Gandcrab. Gandcrab is ransomware that encrypts documents, photos, databases and other important files using the file extension ".GDCB", ".CRAB" or ".KRAB." It's spread through traditional spam campaigns, as well as multiple exploit kits, including Rig and Grandsoft. | 47a8d848c48dd4733c3c339182307a33 | 280eb52a118a54d35e15fe915a54ecf6bfc9aecc 47a8d848c48dd4733c3c339182307a33 10b5897f820d7ae3fe0194b8969c42c5c5de6cc658baf95699f8a781e18237ff https://blog.talosintelligence.com/2018/11/threat-roundup-1109-1116.html#more |
M18-dtg01 | Mikey_f86f73bb | Windows | This strike sends a malware sample known as Mikey. Win.Malware.Mikey is a trojan that installs itself on the system, collects information and communicates with a C2 server, potentially exfiltrating sensitive information. These types of threats can also receive additional commands and perform other malicious actions on the system such as installing additional malware upon request. | f86f73bbd0ff1862d39e09d041f5b0db | b4858a448637f4d3640b3e82b3495d34298bf27c f86f73bbd0ff1862d39e09d041f5b0db 633bcbf980d9299324b3b0baefe80954f06e41a6f71267bfc83c8950a8932696 https://blog.talosintelligence.com/2018/11/threat-roundup-1102-1109.html#more |
M18-6w001 | Upatre_5bec3f93 | Windows | This strike sends a malware sample known as Upatre. Upatre is a malicious downloader often used by exploit kits and phishing campaigns. Upatre downloads and executes malicious executables, such as banking malware. | 5bec3f937091694bf4b5ce26e9e76e1e | 22ac7ddf2c6aad3a63d36e5866ffd923f825a970 5bec3f937091694bf4b5ce26e9e76e1e e6c03bfb271c97063320d079b7ed156b8eae18c75ccf5c25d5ae5cc01df62139 https://blog.talosintelligence.com/2018/11/threat-roundup-1109-1116.html#more |
M18-qc801 | Upatre_b9427bb7 | Windows | This strike sends a malware sample known as Upatre. Upatre is a malicious downloader often used by exploit kits and phishing campaigns. Upatre downloads and executes malicious executables, such as banking malware. | b9427bb78c372b02410ed1a519c1bc1c | 75ddaa6387e8e86664c865d54f4cab83751d0434 b9427bb78c372b02410ed1a519c1bc1c 1df5a1477102ad9d32a976eea0af04b7c63a660fefc39a8c2c524e8cfa9634e3 https://blog.talosintelligence.com/2018/11/threat-roundup-1109-1116.html#more |
M18-8bv01 | Mikey_be6b70ce | Windows | This strike sends a malware sample known as Mikey. Win.Malware.Mikey is a trojan that installs itself on the system, collects information and communicates with a C2 server, potentially exfiltrating sensitive information. These types of threats can also receive additional commands and perform other malicious actions on the system such as installing additional malware upon request. | be6b70ceb3de89f9b4d5f2b2faba676d | 6a9dcc55f5610727b55cc05f3e8bc0342591d4c4 be6b70ceb3de89f9b4d5f2b2faba676d da37e831e94b3f7226688cf7f201ef4c032d393ee25bd2437d826a21e08c03b4 https://blog.talosintelligence.com/2018/11/threat-roundup-1102-1109.html#more |
M18-irm01 | Mikey_4b628393 | Windows | This strike sends a malware sample known as Mikey. Win.Malware.Mikey is a trojan that installs itself on the system, collects information and communicates with a C2 server, potentially exfiltrating sensitive information. These types of threats can also receive additional commands and perform other malicious actions on the system such as installing additional malware upon request. | 4b628393f5e7827b345d6d98ad055ef8 | daf14f1e4876ea7688857a5227c5fdf3c81dd42c 4b628393f5e7827b345d6d98ad055ef8 19e073fb9fb7811440e873ae60578b28c06b0aec9e21d730f8205c81b7ababf5 https://blog.talosintelligence.com/2018/11/threat-roundup-1102-1109.html#more |
M18-h5r01 | Mikey_6e4f04e9 | Windows | This strike sends a malware sample known as Mikey. Win.Malware.Mikey is a trojan that installs itself on the system, collects information and communicates with a C2 server, potentially exfiltrating sensitive information. These types of threats can also receive additional commands and perform other malicious actions on the system such as installing additional malware upon request. | 6e4f04e94f22b1a967407ce84e20d1ea | 4c2431c4dcfa569814368de6888f4cf0b934875a 6e4f04e94f22b1a967407ce84e20d1ea 243e098e78e1ff111354e231fac6b01e69f473cb10c27f2485a568316c0395df https://blog.talosintelligence.com/2018/11/threat-roundup-1102-1109.html#more |
M18-wqy01 | Gandcrab_0e69d065 | Windows | This strike sends a malware sample known as Gandcrab. Gandcrab is ransomware that encrypts documents, photos, databases and other important files using the file extension ".GDCB", ".CRAB" or ".KRAB." It's spread through traditional spam campaigns, as well as multiple exploit kits, including Rig and Grandsoft. | 0e69d06516255a02aec969f5174462e0 | f8803ee66b34ea9c59de33950b34e22deca654fe 0e69d06516255a02aec969f5174462e0 051f4d57fc51e1491eb9121cb6ecdd036e140103f1afbc73fe9cef9a4fd67a84 https://blog.talosintelligence.com/2018/11/threat-roundup-1109-1116.html#more |
M18-czd01 | Gamarue_b6617548 | Windows | This strike sends a malware sample known as Gamarue. Win.Trojan.Gamarue covers a family that, after installing itself on the system to survive after reboot, will spread itself to USB drives and modify system configuration settings to weaken its security and disable certain features, such as the task manager or the Windows shell, in order to protect itself. It can exfiltrate sensitive data and receive additional commands. | b66175488bdbba0c2837e074f154e10c | 9c87dc70cd25c10e2f19950087480f098d4e4c58 b66175488bdbba0c2837e074f154e10c 06c823cc443447348137467a2951dd2d34b4ffdcde178e6d1700394ef5e2793f https://blog.talosintelligence.com/2018/11/threat-roundup-1102-1109.html#more |
M18-shl01 | Parite_7ecf46e1 | Windows | This strike sends a malware sample known as Parite. Parite is a polymorphic file infector. It infects executable files on the local machine and on network drives. | 7ecf46e19900a69db8e0c68bcdf261f5 | 25c67c970701117f7b65533c667367120e5f755f 7ecf46e19900a69db8e0c68bcdf261f5 29f37223352f9584de101958ce00b41c3c66d9cfb15cc27d22a67df2c9dcd53e https://blog.talosintelligence.com/2018/11/threat-roundup-1109-1116.html#more |
M18-igs01 | Gamarue_ea4c2e0d | Windows | This strike sends a malware sample known as Gamarue. Win.Trojan.Gamarue covers a family that, after installing itself on the system to survive after reboot, will spread itself to USB drives and modify system configuration settings to weaken its security and disable certain features, such as the task manager or the Windows shell, in order to protect itself. It can exfiltrate sensitive data and receive additional commands. | ea4c2e0d5fbed4ef514eb71ebc6a2eb4 | 6eef6032a734b2cba64871293618445dd8010b22 ea4c2e0d5fbed4ef514eb71ebc6a2eb4 5ff49224ceb338b6b35b7303c68ff3df9f87099ffcec50970627a06e938f510a https://blog.talosintelligence.com/2018/11/threat-roundup-1102-1109.html#more |
M18-sj801 | Dijo_03b7c60b | Windows | This strike sends a malware sample known as Dijo. Win.Malware.DIJO, also known as Ursnif, is used to steal sensitive information from an infected host and can also act as a malware downloader. It is commonly spread through malicious emails or exploit kits. | 03b7c60b63c2ac06ab926971540e0923 | 1481f07ebb2bfc3558a8059764cf64b1b6c1f2a8 03b7c60b63c2ac06ab926971540e0923 016ef438660d7acbe94a229f0680b154bb963bc9dbc56eed7450dab36d486c01 https://blog.talosintelligence.com/2018/11/threat-roundup-1109-1116.html#more |
M18-xev01 | Dijo_95d64b60 | Windows | This strike sends a malware sample known as Dijo. Win.Malware.DIJO, also known as Ursnif, is used to steal sensitive information from an infected host and can also act as a malware downloader. It is commonly spread through malicious emails or exploit kits. | 95d64b60a5d8ce76418042b042a45289 | 7c873dbf0c143126e4251938c5545e5a43c2bddb 95d64b60a5d8ce76418042b042a45289 0d1b953aa006b38c0140f3a2bacda47a28262d54d5676aeeaf432235e356a5bd https://blog.talosintelligence.com/2018/11/threat-roundup-1109-1116.html#more |
M18-b4q01 | Gamarue_f0f136dd | Windows | This strike sends a malware sample known as Gamarue. Win.Trojan.Gamarue covers a family that, after installing itself on the system to survive after reboot, will spread itself to USB drives and modify system configuration settings to weaken its security and disable certain features, such as the task manager or the Windows shell, in order to protect itself. It can exfiltrate sensitive data and receive additional commands. | f0f136dd4cbadf24865d7784cb1a0948 | 2ead3c5e2b855a3126e04cac3e0bef44c734f9b7 f0f136dd4cbadf24865d7784cb1a0948 84b9a43ff01d4b6be671749b56dcf724c0c4553153dfa336730f36b42fac6969 https://blog.talosintelligence.com/2018/11/threat-roundup-1102-1109.html#more |
M18-3se01 | Emotet_aede0078 | Windows | This strike sends a malware sample known as Emotet. Emotet is a banking trojan that has remained relevant due to its continual evolution to bypass antivirus products. It is commonly spread via malicious emails. | aede0078e3504fccad3199ad3d147159 | 0329933659b404db026712b9975c22349a698481 aede0078e3504fccad3199ad3d147159 fc5935b12a8d07abcafc613a04d3c6773e088f31b88f78acc7f8ee2d2fc2d529 https://blog.talosintelligence.com/2018/11/threat-roundup-1109-1116.html#more |
M18-c7n01 | Vobfus_77fa9a2e | Windows | This strike sends a malware sample known as Vobfus. Vobfus is a worm that copies itself to external drives and attempts to gain automatic code execution via autorun.inf files. It also modifies the registry so that it will run when the system is booted. Once installed, it attempts to download follow-on malware from its command and control (C2) servers. | 77fa9a2ec302b7ffa338531616c5ea89 | c217b25d6a6dcb866f1883919feda0dcaea35545 77fa9a2ec302b7ffa338531616c5ea89 145fe07226fb8eb92f609f16f7044ae5a529433730d285ca7c33b9cff6b86b71 https://blog.talosintelligence.com/2018/11/threat-roundup-1109-1116.html#more |
M18-upq01 | Gandcrab_e4af76e2 | Windows | This strike sends a malware sample known as Gandcrab. Gandcrab is ransomware that encrypts documents, photos, databases and other important files using the file extension ".GDCB", ".CRAB" or ".KRAB." It's spread through traditional spam campaigns, as well as multiple exploit kits, including Rig and Grandsoft. | e4af76e25598f76071227ffd0ef7438b | 024e2068f07983150cb49aaa2313addab45eef63 e4af76e25598f76071227ffd0ef7438b 00f07cc799aabac7449a324ff47161a6a34ad02ba4b2074ddb382152d383ed14 https://blog.talosintelligence.com/2018/11/threat-roundup-1109-1116.html#more |
M18-esq01 | Gamarue_f79369b8 | Windows | This strike sends a malware sample known as Gamarue. Win.Trojan.Gamarue covers a family that, after installing itself on the system to survive after reboot, will spread itself to USB drives and modify system configuration settings to weaken its security and disable certain features, such as the task manager or the Windows shell, in order to protect itself. It can exfiltrate sensitive data and receive additional commands. | f79369b86340f236e94bcd8bc08bce2f | 6f6d543d57209f8a9ce1c481ce9304478a86f6ee f79369b86340f236e94bcd8bc08bce2f 478ea2c130bd95ecf1763952f2f644a8b175184284f9713cc35abe0c6f6f848e https://blog.talosintelligence.com/2018/11/threat-roundup-1102-1109.html#more |
M18-g7u01 | Upatre_aa9e88c3 | Windows | This strike sends a malware sample known as Upatre. Upatre is a malicious downloader often used by exploit kits and phishing campaigns. Upatre downloads and executes malicious executables, such as banking malware. | aa9e88c343d4348a7c4d74de25c62eaa | 63bf95dfd89f23ae45183fb70dd2586893300dbf aa9e88c343d4348a7c4d74de25c62eaa 1b806d44ead6688b22e623a1d50ad910af73b6ebe274901cccff8aabd526e3dd https://blog.talosintelligence.com/2018/11/threat-roundup-1109-1116.html#more |
M18-fo001 | Dijo_674c6e32 | Windows | This strike sends a malware sample known as Dijo. Win.Malware.DIJO, also known as Ursnif, is used to steal sensitive information from an infected host and can also act as a malware downloader. It is commonly spread through malicious emails or exploit kits. | 674c6e3271cae13aeebe979e5ae31d00 | 55a80851731f890c19144585a1fd275bf805aa77 674c6e3271cae13aeebe979e5ae31d00 0024d14e96fc79b1f7fd052945424e685843a48b1124f2b19b3a0b00570fb716 https://blog.talosintelligence.com/2018/11/threat-roundup-1109-1116.html#more |
M18-eh301 | Gamarue_5aea77ca | Windows | This strike sends a malware sample known as Gamarue. Win.Trojan.Gamarue covers a family that, after installing itself on the system to survive after reboot, will spread itself to USB drives and modify system configuration settings to weaken its security and disable certain features, such as the task manager or the Windows shell, in order to protect itself. It can exfiltrate sensitive data and receive additional commands. | 5aea77ca4f1fd3de53278433f25825b6 | f706ab756892e3d88a0bb97750006a1c1586eaef 5aea77ca4f1fd3de53278433f25825b6 6b82c968572a2ab008cb8bca2816d3f7cca491c059aee6b1e7a693b10580e073 https://blog.talosintelligence.com/2018/11/threat-roundup-1102-1109.html#more |
M18-fyw01 | Gandcrab_b48cda00 | Windows | This strike sends a malware sample known as Gandcrab. Gandcrab is ransomware that encrypts documents, photos, databases and other important files using the file extension ".GDCB", ".CRAB" or ".KRAB." It's spread through traditional spam campaigns, as well as multiple exploit kits, including Rig and Grandsoft. | b48cda006af1eea9b0339814ed76d9db | 351a3035433721b1222d3517e17156ce143e046e b48cda006af1eea9b0339814ed76d9db 0b3e086550e4baaa05c69777d484b9b20773b01d5c6da124197eff423b798b04 https://blog.talosintelligence.com/2018/11/threat-roundup-1109-1116.html#more |
M18-uqv01 | Gandcrab_0b77afd9 | Windows | This strike sends a malware sample known as Gandcrab. Gandcrab is ransomware that encrypts documents, photos, databases and other important files using the file extension ".GDCB", ".CRAB" or ".KRAB." It's spread through traditional spam campaigns, as well as multiple exploit kits, including Rig and Grandsoft. | 0b77afd997f9a9520116ca9720151fd1 | 69dbf7e275d9630bb06ae0009b3723a79deccc6b 0b77afd997f9a9520116ca9720151fd1 0f50d6433d2a79f30c2417fc434098d029eceedf3acd405901d3951208be2ae7 https://blog.talosintelligence.com/2018/11/threat-roundup-1109-1116.html#more |
M18-ezl01 | Upatre_ee8db9a8 | Windows | This strike sends a malware sample known as Upatre. Upatre is a malicious downloader often used by exploit kits and phishing campaigns. Upatre downloads and executes malicious executables, such as banking malware. | ee8db9a869f31c626b6223293d3dfdbc | 8d6d436242cadd332dac85861374b9636eb122e9 ee8db9a869f31c626b6223293d3dfdbc f41388706c803a31645f416804995ad881d8ee0e0de0f0c355fb87fc415de211 https://blog.talosintelligence.com/2018/11/threat-roundup-1109-1116.html#more |
M18-0r001 | Parite_2233191f | Windows | This strike sends a malware sample known as Parite. Parite is a polymorphic file infector. It infects executable files on the local machine and on network drives. | 2233191fb297b8a867d677c88be02407 | f6883cfb5989855d06acedaefd1f5c08f89aa7eb 2233191fb297b8a867d677c88be02407 3b6a4dbf9a923ac935f6f671b38de0ed83da428b74dea48efa180365a507e13f https://blog.talosintelligence.com/2018/11/threat-roundup-1109-1116.html#more |
M18-p4i01 | Upatre_aa0320c4 | Windows | This strike sends a malware sample known as Upatre. Upatre is a malicious downloader often used by exploit kits and phishing campaigns. Upatre downloads and executes malicious executables, such as banking malware. | aa0320c4011b351308264f16999f3ee4 | 5e416338276a67e991acd5d4447cf8787d22f372 aa0320c4011b351308264f16999f3ee4 99230cc2ba171d71a9c5bade432d53bbf1ea78be629f62b90bb73fd71a26e8a4 https://blog.talosintelligence.com/2018/11/threat-roundup-1109-1116.html#more |
M18-elo01 | Emotet_efc70b33 | Windows | This strike sends a malware sample known as Emotet. Emotet is a banking trojan that has remained relevant due to its continual evolution to bypass antivirus products. It is commonly spread via malicious emails. | efc70b3370c9267ae5fb4596ae1224f6 | d35a4bc2508cd3cba3167bad7cd324baf4b3345d efc70b3370c9267ae5fb4596ae1224f6 dab7877de92a3793873fec30c4b2e4a758bd5c3c6a67c8da20bfce7c255031be https://blog.talosintelligence.com/2018/11/threat-roundup-1109-1116.html#more |
M18-1at01 | Mikey_aa40501a | Windows | This strike sends a malware sample known as Mikey. Win.Malware.Mikey is a trojan that installs itself on the system, collects information and communicates with a C2 server, potentially exfiltrating sensitive information. These types of threats can also receive additional commands and perform other malicious actions on the system such as installing additional malware upon request. | aa40501a99badad5c42bef705176f39e | ddafc99b3750c02f7300f0bfccc5c4b9df8268c4 aa40501a99badad5c42bef705176f39e f980768d4d68e75b6d83cff0c80ec153a80bf700f7df3bd53fe9f06bdafda01b https://blog.talosintelligence.com/2018/11/threat-roundup-1102-1109.html#more |
M18-k3w01 | Vobfus_ede865de | Windows | This strike sends a malware sample known as Vobfus. Vobfus is a worm that copies itself to external drives and attempts to gain automatic code execution via autorun.inf files. It also modifies the registry so that it will run when the system is booted. Once installed, it attempts to download follow-on malware from its command and control (C2) servers. | ede865de6fca1bd7255da5af4704677b | 8198f6d72d7382fb6eb38dd4a5a5dd15ac8b5ea2 ede865de6fca1bd7255da5af4704677b 0572a5a7f2888736e647fccbd2d4ed051bb038b82d3d53fb899dcde836922fc2 https://blog.talosintelligence.com/2018/11/threat-roundup-1109-1116.html#more |
M18-xd701 | Dijo_315a4174 | Windows | This strike sends a malware sample known as Dijo. Win.Malware.DIJO, also known as Ursnif, is used to steal sensitive information from an infected host and can also act as a malware downloader. It is commonly spread through malicious emails or exploit kits. | 315a4174f3302c518a4f47bc064f9a75 | 5e97bdb40de5cccfa6562864129da999ef7b8b1b 315a4174f3302c518a4f47bc064f9a75 095114cf4e2a81c44821a1ad9d4ea632e8cf17cf35a5cabc65813a29bcc41157 https://blog.talosintelligence.com/2018/11/threat-roundup-1109-1116.html#more |
M18-6hm01 | Gamarue_4afc6f9a | Windows | This strike sends a malware sample known as Gamarue. Win.Trojan.Gamarue covers a family that, after installing itself on the system to survive after reboot, will spread itself to USB drives and modify system configuration settings to weaken its security and disable certain features, such as the task manager or the Windows shell, in order to protect itself. It can exfiltrate sensitive data and receive additional commands. | 4afc6f9af11563748df65b94297f1fdb | 2577d37bd3970addb1890e582c2ab589725b6208 4afc6f9af11563748df65b94297f1fdb 9b082ca14ca1f7f7244f1a6b93062c01a8c336bf3ef6cab707a2aada4214178b https://blog.talosintelligence.com/2018/11/threat-roundup-1102-1109.html#more |
M18-egz01 | Vobfus_3309c008 | Windows | This strike sends a malware sample known as Vobfus. Vobfus is a worm that copies itself to external drives and attempts to gain automatic code execution via autorun.inf files. It also modifies the registry so that it will run when the system is booted. Once installed, it attempts to download follow-on malware from its command and control (C2) servers. | 3309c0086ad3985ae8a249dbfe3e16d0 | db3eb8a67881d58408d2aed3bbd1340b96edd202 3309c0086ad3985ae8a249dbfe3e16d0 1551de875bb37b13c332d5b67ed64026c477f21bbcc6ad3d50ba8b3b8702ee5f https://blog.talosintelligence.com/2018/11/threat-roundup-1109-1116.html#more |
M18-rbi01 | Emotet_f5e2f375 | Windows | This strike sends a malware sample known as Emotet. Emotet is a banking trojan that has remained relevant due to its continual evolution to bypass antivirus products. It is commonly spread via malicious emails. | f5e2f3757a46c9aea1b49317f6f162af | 05b6cc1ef2a0aeba9e807c6090703abad7850778 f5e2f3757a46c9aea1b49317f6f162af f2a2d0eda6e21c4273d07aafe190918d96c21db335de4c4872e1eca136920c6b https://blog.talosintelligence.com/2018/11/threat-roundup-1109-1116.html#more |
M18-05701 | Mikey_70e0402f | Windows | This strike sends a malware sample known as Mikey. Win.Malware.Mikey is a trojan that installs itself on the system, collects information and communicates with a C2 server, potentially exfiltrating sensitive information. These types of threats can also receive additional commands and perform other malicious actions on the system such as installing additional malware upon request. | 70e0402fbdf691bfe937911bbf259018 | 0b0b88774b2170b41f308a7ff05543a417f62657 70e0402fbdf691bfe937911bbf259018 6705cf85955113629d95a7206deb524f82ed5a3fe04666d98423b944c3ce2156 https://blog.talosintelligence.com/2018/11/threat-roundup-1102-1109.html#more |
M18-y0a01 | Gamarue_eb0b7118 | Windows | This strike sends a malware sample known as Gamarue. Win.Trojan.Gamarue covers a family that, after installing itself on the system to survive after reboot, will spread itself to USB drives and modify system configuration settings to weaken its security and disable certain features, such as the task manager or the Windows shell, in order to protect itself. It can exfiltrate sensitive data and receive additional commands. | eb0b711845dd08e91bdd44d7497d0d17 | 8beb7f516c13c91d541a3173f5c5d75f79b9fea8 eb0b711845dd08e91bdd44d7497d0d17 884ae2b467d21f8dbf65bce26b08a6659d75004b22f1af5d7ed8e4198c2688ae https://blog.talosintelligence.com/2018/11/threat-roundup-1102-1109.html#more |
M18-cuy01 | Dijo_0ddd0f79 | Windows | This strike sends a malware sample known as Dijo. Win.Malware.DIJO, also known as Ursnif, is used to steal sensitive information from an infected host and can also act as a malware downloader. It is commonly spread through malicious emails or exploit kits. | 0ddd0f792d796a17dda2eb8c86eabe0f | 0b2608a951ef2c0060833807d5bd086590d60d75 0ddd0f792d796a17dda2eb8c86eabe0f 00f9d43bdeb5c30acc9e5594c0ff1bd29b52efdcaa63bb8eba745342c165f856 https://blog.talosintelligence.com/2018/11/threat-roundup-1109-1116.html#more |
M18-myk01 | Nymaim_d564c47f | Windows | This strike sends a malware sample known as Nymaim. Win.Malware.Nymaim is malware that can be used to deliver ransomware and other malicious payloads. It uses a domain generation algorithm to generate potential command and control (C2) domains to connect to additional payloads. | d564c47fd6868621489bc5ae4c051110 | 3fa400f3c3c3a8eba5be0fbaafebc6d3dc0dcbb0 d564c47fd6868621489bc5ae4c051110 899752fd8fbe560e658be72bf03a3a774b6dcb9d2d14e25da862d7edce5d9fbf https://blog.talosintelligence.com/2018/11/threat-roundup-1102-1109.html#more |
M18-jry01 | Upatre_a59835ca | Windows | This strike sends a malware sample known as Upatre. Upatre is a malicious downloader often used by exploit kits and phishing campaigns. Upatre downloads and executes malicious executables, such as banking malware. | a59835cadb669dab9b77121900e42908 | 5154869f01394674a42ff187bdceec7ab8d872bb a59835cadb669dab9b77121900e42908 7a305e442718a07f2ddcc7ae9a8983c49be3247c123b06dabcf7d48d3a4bdcde https://blog.talosintelligence.com/2018/11/threat-roundup-1109-1116.html#more |
M18-10p01 | Vobfus_e32adc17 | Windows | This strike sends a malware sample known as Vobfus. Vobfus is a worm that copies itself to external drives and attempts to gain automatic code execution via autorun.inf files. It also modifies the registry so that it will run when the system is booted. Once installed, it attempts to download follow-on malware from its command and control (C2) servers. | e32adc17d458423676ab0db622780ecc | 1476f6947d9c46e1d17648368381b57a011058df e32adc17d458423676ab0db622780ecc 02f72dfcc27501cd1a44b3a0eed9e41831f745fc26d6b7d1526c151c94d58333 https://blog.talosintelligence.com/2018/11/threat-roundup-1109-1116.html#more |
M18-moj01 | Upatre_621d6842 | Windows | This strike sends a malware sample known as Upatre. Upatre is a malicious downloader often used by exploit kits and phishing campaigns. Upatre downloads and executes malicious executables, such as banking malware. | 621d6842b256316318e7f239f9926207 | 1425d836d59d3ffe35d35b4045c312c5eb2b7b73 621d6842b256316318e7f239f9926207 fb75875cdf989e58a80330aa43543b9ab3765fde077174729e2011555cd295d9 https://blog.talosintelligence.com/2018/11/threat-roundup-1109-1116.html#more |
M18-cyj01 | Upatre_d14d90ed | Windows | This strike sends a malware sample known as Upatre. Upatre is a malicious downloader often used by exploit kits and phishing campaigns. Upatre downloads and executes malicious executables, such as banking malware. | d14d90ed71124890c53ba0bf441375cc | 24ed80ef1e5186f1020d16681eea07fc4c15197c d14d90ed71124890c53ba0bf441375cc e4eddc3910aca83db9bef4bc4f11006c0ae09a1552a6266adac79dc922ffe90a https://blog.talosintelligence.com/2018/11/threat-roundup-1109-1116.html#more |
M18-kq001 | Upatre_bcf9779b | Windows | This strike sends a malware sample known as Upatre. Upatre is a malicious downloader often used by exploit kits and phishing campaigns. Upatre downloads and executes malicious executables, such as banking malware. | bcf9779b0c493a280446c948e8a4026a | 429039b3a9df26f8be9941501625df40bcfd8162 bcf9779b0c493a280446c948e8a4026a 71dfc74d26d696f74b65c03c93a9118b9c62e5adfb6c93a5e15d00dcb50d585f https://blog.talosintelligence.com/2018/11/threat-roundup-1109-1116.html#more |
M18-cqe01 | Emotet_e29f583b | Windows | This strike sends a malware sample known as Emotet. Emotet is a banking trojan that has remained relevant due to its continual evolution to bypass antivirus products. It is commonly spread via malicious emails. | e29f583b36c9863d507e078ed6b04bb6 | b645cd8dbeeb5164616d603745c96838743065f5 e29f583b36c9863d507e078ed6b04bb6 fba4b9baf4b72790f1ff9ad58160efd7bd4a1927191668da75468255083e48b9 https://blog.talosintelligence.com/2018/11/threat-roundup-1109-1116.html#more |
M18-ucp01 | Nymaim_4ee79820 | Windows | This strike sends a malware sample known as Nymaim. Win.Malware.Nymaim is malware that can be used to deliver ransomware and other malicious payloads. It uses a domain generation algorithm to generate potential command and control (C2) domains to connect to additional payloads. | 4ee79820c39adbdfff55a342fb57b967 | 848324da5758d6e1f9a05f0a6704f2343003453f 4ee79820c39adbdfff55a342fb57b967 86bd123441e1b1ed3f37938b58dbc572b844e7ba8e59506ccd41fd0d9d950628 https://blog.talosintelligence.com/2018/11/threat-roundup-1102-1109.html#more |
M18-0in01 | Upatre_7803f307 | Windows | This strike sends a malware sample known as Upatre. Upatre is a malicious downloader often used by exploit kits and phishing campaigns. Upatre downloads and executes malicious executables, such as banking malware. | 7803f30705d8da528407496ab4cba9ce | 96ee53b7f6566661228f36cb5b56a1fd2ca64ff4 7803f30705d8da528407496ab4cba9ce 64c1bb68e91d30812c0ea2690a4bb15d2788b43ec6c54aa9672de758ee7e5042 https://blog.talosintelligence.com/2018/11/threat-roundup-1109-1116.html#more |
M18-rc401 | Mikey_c243f8bb | Windows | This strike sends a malware sample known as Mikey. Win.Malware.Mikey is a trojan that installs itself on the system, collects information and communicates with a C2 server, potentially exfiltrating sensitive information. These types of threats can also receive additional commands and perform other malicious actions on the system such as installing additional malware upon request. | c243f8bb39dc7367db3aa9c6d7b88e9e | ea7f28b856cc2729246be97537a8d986836e94e9 c243f8bb39dc7367db3aa9c6d7b88e9e 4f80b59c35090b1dbdf94f73770c222352555e7112bec28efb189e3b340b4c2c https://blog.talosintelligence.com/2018/11/threat-roundup-1102-1109.html#more |
M18-thv01 | Mikey_1fb9d5b3 | Windows | This strike sends a malware sample known as Mikey. Win.Malware.Mikey is a trojan that installs itself on the system, collects information and communicates with a C2 server, potentially exfiltrating sensitive information. These types of threats can also receive additional commands and perform other malicious actions on the system such as installing additional malware upon request. | 1fb9d5b305c3bcd4f1fc29aa9b089c45 | b6dc734da746c310299b3f580cfa2c43ab915e3e 1fb9d5b305c3bcd4f1fc29aa9b089c45 4a2364a4b3e8ad43b505a616486ef537159c8b8df9fe140977c9ab6aa1bad658 https://blog.talosintelligence.com/2018/11/threat-roundup-1102-1109.html#more |
M18-frl01 | Gandcrab_c7666c17 | Windows | This strike sends a malware sample known as Gandcrab. Gandcrab is ransomware that encrypts documents, photos, databases and other important files using the file extension ".GDCB", ".CRAB" or ".KRAB." It's spread through traditional spam campaigns, as well as multiple exploit kits, including Rig and Grandsoft. | c7666c175b72291ff6649ebd523040f6 | ffa2d7846b828244dd4ef034916cd57b708e8cb6 c7666c175b72291ff6649ebd523040f6 043f30bd958e54d6947631c10d70ddec772ababd8a3852ceb0e646e87d670a92 https://blog.talosintelligence.com/2018/11/threat-roundup-1109-1116.html#more |
M18-48m01 | Emotet_294a2053 | Windows | This strike sends a malware sample known as Emotet. Emotet is a banking trojan that has remained relevant due to its continual evolution to bypass antivirus products. It is commonly spread via malicious emails. | 294a2053699d333b5928cac2ac984a66 | 2c207f29530d8d5d92546a39cb20b6a18c0f0a53 294a2053699d333b5928cac2ac984a66 83b316b9a9f76efcab1e741c8eeb7a0c7a50072c3fde5acd49cb0d28afbe7a23 https://blog.talosintelligence.com/2018/11/threat-roundup-1109-1116.html#more |
M18-vfs01 | Vobfus_7b961908 | Windows | This strike sends a malware sample known as Vobfus. Vobfus is a worm that copies itself to external drives and attempts to gain automatic code execution via autorun.inf files. It also modifies the registry so that it will run when the system is booted. Once installed, it attempts to download follow-on malware from its command and control (C2) servers. | 7b961908fcb6ff2461fee3382d36eb95 | 25e964ef7096bfc6e49fd694be4da2b59f2a446d 7b961908fcb6ff2461fee3382d36eb95 121a6b3a8000948f073e3660ecafb19bf5d204a9d468112575afd15c39222eb1 https://blog.talosintelligence.com/2018/11/threat-roundup-1109-1116.html#more |
M18-ssp01 | Dijo_1f694996 | Windows | This strike sends a malware sample known as Dijo. Win.Malware.DIJO, also known as Ursnif, is used to steal sensitive information from an infected host and can also act as a malware downloader. It is commonly spread through malicious emails or exploit kits. | 1f694996fef7ea9bba3bb8869783fc8a | 6829432a671118873994a302a909254fdb5f601c 1f694996fef7ea9bba3bb8869783fc8a 0a088fe8df26a9a2cd4330224134e1ea0d249300cbce0eaf11fc6f70b75f21f1 https://blog.talosintelligence.com/2018/11/threat-roundup-1109-1116.html#more |
M18-a4901 | Mikey_60ad68e8 | Windows | This strike sends a malware sample known as Mikey. Win.Malware.Mikey is a trojan that installs itself on the system, collects information and communicates with a C2 server, potentially exfiltrating sensitive information. These types of threats can also receive additional commands and perform other malicious actions on the system such as installing additional malware upon request. | 60ad68e8bc5d9b1c96446ecde4f32bea | d6a43de37a1e7d13860c552783693466c299a855 60ad68e8bc5d9b1c96446ecde4f32bea 711c1db67575b1a795a4aeb439ada79ab8a7cc98f2c68cb0e2beacafa5d044de https://blog.talosintelligence.com/2018/11/threat-roundup-1102-1109.html#more |
M18-szh01 | Emotet_b4cb5f6a | Windows | This strike sends a malware sample known as Emotet. Emotet is a banking trojan that has remained relevant due to its continual evolution to bypass antivirus products. It is commonly spread via malicious emails. | b4cb5f6a77a41852eb0478fa09300a9d | be00bd2a0dd1fdda16c06e9b082ff22787cd5c60 b4cb5f6a77a41852eb0478fa09300a9d 313f19bdb8c46b96ac18bca55f53f5c0eb03d2fcececaab47b9339d8f014f7c7 https://blog.talosintelligence.com/2018/11/threat-roundup-1109-1116.html#more |
M18-3g001 | Mikey_094cc5ab | Windows | This strike sends a malware sample known as Mikey. Win.Malware.Mikey is a trojan that installs itself on the system, collects information and communicates with a C2 server, potentially exfiltrating sensitive information. These types of threats can also receive additional commands and perform other malicious actions on the system such as installing additional malware upon request. | 094cc5abe363b54f30925cc227b76c50 | 01178f67e7cef8ac1ffea324b3322e2c4611d4ae 094cc5abe363b54f30925cc227b76c50 70a7d3ac821670090237f52308fb6b1ca47e032d3de9267584f59abe247e536a https://blog.talosintelligence.com/2018/11/threat-roundup-1102-1109.html#more |
M18-etb01 | Emotet_1f99daa9 | Windows | This strike sends a malware sample known as Emotet. Emotet is a banking trojan that has remained relevant due to its continual evolution to bypass antivirus products. It is commonly spread via malicious emails. | 1f99daa94d90515dec89b753db9225cc | dc60f9629f5dcff60dc3b00791fc67ef036bbc74 1f99daa94d90515dec89b753db9225cc 5df55f78a21cd8457c9432afc8da45c182fad6107e3b6e4f5cf86272b68012b1 https://blog.talosintelligence.com/2018/11/threat-roundup-1109-1116.html#more |
M18-te001 | Gandcrab_69507fa7 | Windows | This strike sends a malware sample known as Gandcrab. Gandcrab is ransomware that encrypts documents, photos, databases and other important files using the file extension ".GDCB", ".CRAB" or ".KRAB." It's spread through traditional spam campaigns, as well as multiple exploit kits, including Rig and Grandsoft. | 69507fa72856abe90439fe5a66960617 | 65f40191f39f75b4219d61803347f4d764f1308f 69507fa72856abe90439fe5a66960617 166627c9ad4fb0acb0bec8e09e1d4ceedc3110e7cdbaa709322d0dbe41a2f70f https://blog.talosintelligence.com/2018/11/threat-roundup-1109-1116.html#more |
M18-t4c01 | Parite_ba12d382 | Windows | This strike sends a malware sample known as Parite. Parite is a polymorphic file infector. It infects executable files on the local machine and on network drives. | ba12d382901e8e3441e61483b0e9f043 | 47242cd528fea1d863e89a877e1239a3335e2070 ba12d382901e8e3441e61483b0e9f043 0e70c57c577078b1c9cab7d6bd1215372330548ae0c20ff2b80f0cb86cde2074 https://blog.talosintelligence.com/2018/11/threat-roundup-1109-1116.html#more |
M18-dih01 | Mikey_8c78fe46 | Windows | This strike sends a malware sample known as Mikey. Win.Malware.Mikey is a trojan that installs itself on the system, collects information and communicates with a C2 server, potentially exfiltrating sensitive information. These types of threats can also receive additional commands and perform other malicious actions on the system such as installing additional malware upon request. | 8c78fe4624fa41924bd85711477e7d08 | e2b0a3f11474f12c795dddc843e5e482f50be117 8c78fe4624fa41924bd85711477e7d08 6f74c88c2c04eb117c26d5283d83ac4735928bb50f76b2104be36f8101466aa3 https://blog.talosintelligence.com/2018/11/threat-roundup-1102-1109.html#more |
M18-y1v01 | Gandcrab_9ed39ba1 | Windows | This strike sends a malware sample known as Gandcrab. Gandcrab is ransomware that encrypts documents, photos, databases and other important files using the file extension ".GDCB", ".CRAB" or ".KRAB." It's spread through traditional spam campaigns, as well as multiple exploit kits, including Rig and Grandsoft. | 9ed39ba18273fa59f2e60ea41a3e3b45 | 15e7df77aa783bba7b65fa01ddcc570e87b638bc 9ed39ba18273fa59f2e60ea41a3e3b45 06cafb061ce341647e48d4113eb71bed76290d30d54ce6d98169fcfe8bbe83c5 https://blog.talosintelligence.com/2018/11/threat-roundup-1109-1116.html#more |
M18-3fc01 | Gandcrab_144b6c81 | Windows | This strike sends a malware sample known as Gandcrab. Gandcrab is ransomware that encrypts documents, photos, databases and other important files using the file extension ".GDCB", ".CRAB" or ".KRAB." It's spread through traditional spam campaigns, as well as multiple exploit kits, including Rig and Grandsoft. | 144b6c81aea844c0d54a7375fe782d92 | 76cb2a7778d654b4b42766ccc1663c4888f88df2 144b6c81aea844c0d54a7375fe782d92 13ccda5af78a1dea028d076418db880ab3734c745f068d2c4df5de4d4968b478 https://blog.talosintelligence.com/2018/11/threat-roundup-1109-1116.html#more |
M18-ywy01 | Mikey_32ac0af9 | Windows | This strike sends a malware sample known as Mikey. Win.Malware.Mikey is a trojan that installs itself on the system, collects information and communicates with a C2 server, potentially exfiltrating sensitive information. These types of threats can also receive additional commands and perform other malicious actions on the system such as installing additional malware upon request. | 32ac0af91ffaab48f32591e00fb4413c | 21690639af1520bc8faadf85235e9a94eb556112 32ac0af91ffaab48f32591e00fb4413c dedb1d0c69521f7c47abc2e6fa925642269fd40a00ea21270b7b950cb101f7be https://blog.talosintelligence.com/2018/11/threat-roundup-1102-1109.html#more |
M18-3q601 | Dijo_a77f4728 | Windows | This strike sends a malware sample known as Dijo. Win.Malware.DIJO, also known as Ursnif, is used to steal sensitive information from an infected host and can also act as a malware downloader. It is commonly spread through malicious emails or exploit kits. | a77f47289052c3bb6b7439349ac0d4d2 | 76f00dd1377887065c509ba8328fa05e96b423a6 a77f47289052c3bb6b7439349ac0d4d2 05a5bbabbab5444214ce70c1190f41ccef8ef3dee786d1821d26a396d8a49eb5 https://blog.talosintelligence.com/2018/11/threat-roundup-1109-1116.html#more |
M18-5fa01 | Gandcrab_1a8847a7 | Windows | This strike sends a malware sample known as Gandcrab. Gandcrab is ransomware that encrypts documents, photos, databases and other important files using the file extension ".GDCB", ".CRAB" or ".KRAB." It's spread through traditional spam campaigns, as well as multiple exploit kits, including Rig and Grandsoft. | 1a8847a71de661411d0b9418eeaaada0 | 944d7871e0d1aea01863834eef9199891e5f4b57 1a8847a71de661411d0b9418eeaaada0 0dd771fecae00517f9297e21a42956d2ee113f6f0bc4d3ee277f887721efc19a https://blog.talosintelligence.com/2018/11/threat-roundup-1109-1116.html#more |
M18-rj201 | Upatre_e026a1d1 | Windows | This strike sends a malware sample known as Upatre. Upatre is a malicious downloader often used by exploit kits and phishing campaigns. Upatre downloads and executes malicious executables, such as banking malware. | e026a1d1bc15063357cfb0fa9ba37b96 | eababfbec7293fa23fa232d9ea9ec7974bbf856b e026a1d1bc15063357cfb0fa9ba37b96 56db7b1dd0bcbeca631eee556146fb599fc363466f51ec01eae28ecd4289e838 https://blog.talosintelligence.com/2018/11/threat-roundup-1109-1116.html#more |
M18-mfh01 | Nymaim_2e0a1fc4 | Windows | This strike sends a malware sample known as Nymaim. Win.Malware.Nymaim is malware that can be used to deliver ransomware and other malicious payloads. It uses a domain generation algorithm to generate potential command and control (C2) domains to connect to additional payloads. | 2e0a1fc473c0a91fc958ea9b6f77cb47 | 94dab538f1f7c8d64470b6799b1dfc30b56b727c 2e0a1fc473c0a91fc958ea9b6f77cb47 1e12e3edeb209993fd7d5623fb10f342dca54e101ea8593348d8cc9e72e91384 https://blog.talosintelligence.com/2018/11/threat-roundup-1102-1109.html#more |
M18-qi301 | Parite_0f1f2362 | Windows | This strike sends a malware sample known as Parite. Parite is a polymorphic file infector. It infects executable files on the local machine and on network drives. | 0f1f236295242cf3cff1c2ba480f2899 | 8366d06a7eef5f023578e4cca2abba0c4329c8be 0f1f236295242cf3cff1c2ba480f2899 35270fa68190eba46f59bba10c8dce3a03e55d8af7e8a33f9a330e077f63aeff https://blog.talosintelligence.com/2018/11/threat-roundup-1109-1116.html#more |
M18-fbc01 | Dijo_adbfe348 | Windows | This strike sends a malware sample known as Dijo. Win.Malware.DIJO, also known as Ursnif, is used to steal sensitive information from an infected host and can also act as a malware downloader. It is commonly spread through malicious emails or exploit kits. | adbfe348bd245cd6e1d941b3b9639441 | 177b14ccad550ffb110cf1fc01e81935a9693d90 adbfe348bd245cd6e1d941b3b9639441 04ef397e7e52f4c71553f5eb2d4bc1971d2eda8a54eafa5a23aae4700264688d https://blog.talosintelligence.com/2018/11/threat-roundup-1109-1116.html#more |
M18-yn001 | Gandcrab_f1b70fb3 | Windows | This strike sends a malware sample known as Gandcrab. Gandcrab is ransomware that encrypts documents, photos, databases and other important files using the file extension ".GDCB", ".CRAB" or ".KRAB." It's spread through traditional spam campaigns, as well as multiple exploit kits, including Rig and Grandsoft. | f1b70fb3a82a98bb4b083a7ed6e18cb2 | f81996c304d582b202b485f88db673f3b47bf969 f1b70fb3a82a98bb4b083a7ed6e18cb2 0799d33c49bceeeeb9c92077d448d5823ab8e71a04b71c6b8afa7f386fb5aa92 https://blog.talosintelligence.com/2018/11/threat-roundup-1109-1116.html#more |
M18-mlz01 | Gandcrab_9f9ec21b | Windows | This strike sends a malware sample known as Gandcrab. Gandcrab is ransomware that encrypts documents, photos, databases and other important files using the file extension ".GDCB", ".CRAB" or ".KRAB." It's spread through traditional spam campaigns, as well as multiple exploit kits, including Rig and Grandsoft. | 9f9ec21bc23a3161edd8fcefa69d69bf | d45c0d508b8157a6db04f30efbc2d0c9959476b2 9f9ec21bc23a3161edd8fcefa69d69bf 130f32c65f3f2e67bdc228f125bc07c049f40fae04114b0de920e9fd0b00bccf https://blog.talosintelligence.com/2018/11/threat-roundup-1109-1116.html#more |
M18-40601 | Nymaim_ad8a90c4 | Windows | This strike sends a malware sample known as Nymaim. Win.Malware.Nymaim is malware that can be used to deliver ransomware and other malicious payloads. It uses a domain generation algorithm to generate potential command and control (C2) domains to connect to additional payloads. | ad8a90c40e28ae32413caef915437888 | b3e00337277044b67d571ce3979dca5f4e1a2ee1 ad8a90c40e28ae32413caef915437888 a98b56d5bd9e67da1d1052cc044af7f45cc0a6472093799466d48e6f841016db https://blog.talosintelligence.com/2018/11/threat-roundup-1102-1109.html#more |
M18-ff101 | Nymaim_41e20428 | Windows | This strike sends a malware sample known as Nymaim. Win.Malware.Nymaim is malware that can be used to deliver ransomware and other malicious payloads. It uses a domain generation algorithm to generate potential command and control (C2) domains to connect to additional payloads. | 41e204282ea905371512d35206d37a2e | eae3728e40e63f2fa7be26ebfbe4a15361a8e90d 41e204282ea905371512d35206d37a2e 87c04d2500b70ebf0865d5ac5889f13bdc86d0a137dd1a20094a3308b52ac191 https://blog.talosintelligence.com/2018/11/threat-roundup-1102-1109.html#more |
M18-3rw01 | Vobfus_c3a68d0e | Windows | This strike sends a malware sample known as Vobfus. Vobfus is a worm that copies itself to external drives and attempts to gain automatic code execution via autorun.inf files. It also modifies the registry so that it will run when the system is booted. Once installed, it attempts to download follow-on malware from its command and control (C2) servers. | c3a68d0ec1fed0bbb56ff380001a2073 | a49d398c1a8e3d7b7ae68234f0a2ca98248012fd c3a68d0ec1fed0bbb56ff380001a2073 080d08b5202a6da7052a3256c1863db41121881d75188ad96b9af9ab5932a97e https://blog.talosintelligence.com/2018/11/threat-roundup-1109-1116.html#more |
M18-m4001 | Gamarue_b4ad9dc6 | Windows | This strike sends a malware sample known as Gamarue. Win.Trojan.Gamarue covers a family that, after installing itself on the system to survive after reboot, will spread itself to USB drives and modify system configuration settings to weaken its security and disable certain features, such as the task manager or the Windows shell, in order to protect itself. It can exfiltrate sensitive data and receive additional commands. | b4ad9dc6d4c2787e5716310b2c6e84bd | 15a4c1cd078f33c3c4576c666ca59ee6af824f71 b4ad9dc6d4c2787e5716310b2c6e84bd 3e3decd6f11025d59dbb0c0457b9e5e0353a063d53d5725a3a94836819613a1c https://blog.talosintelligence.com/2018/11/threat-roundup-1102-1109.html#more |
M18-xdi01 | Mikey_2087a325 | Windows | This strike sends a malware sample known as Mikey. Win.Malware.Mikey is a trojan that installs itself on the system, collects information and communicates with a C2 server, potentially exfiltrating sensitive information. These types of threats can also receive additional commands and perform other malicious actions on the system such as installing additional malware upon request. | 2087a3256c8035aa72379c8720015579 | 91d827064e488a769aff6d07a4cfe5a46ac0cb63 2087a3256c8035aa72379c8720015579 bb99c43836000b751e3fa1deda851b646f02be036ad9d86a09adb7963bec7b69 https://blog.talosintelligence.com/2018/11/threat-roundup-1102-1109.html#more |
M18-mow01 | Upatre_cff046a9 | Windows | This strike sends a malware sample known as Upatre. Upatre is a malicious downloader often used by exploit kits and phishing campaigns. Upatre downloads and executes malicious executables, such as banking malware. | cff046a913975f5734f6d476ded97f1f | 1dd5e06c3cac49203718c828fa19523384bb808f cff046a913975f5734f6d476ded97f1f 2e09c458bc34495f4390b2783d17369a2f809860eb95b95ff914c6610fd42ab0 https://blog.talosintelligence.com/2018/11/threat-roundup-1109-1116.html#more |
M18-9i101 | Vobfus_faa1d8ae | Windows | This strike sends a malware sample known as Vobfus. Vobfus is a worm that copies itself to external drives and attempts to gain automatic code execution via autorun.inf files. It also modifies the registry so that it will run when the system is booted. Once installed, it attempts to download follow-on malware from its command and control (C2) servers. | faa1d8ae1741841cc4b958d71043d621 | 81b2447c97b8b2ffaf9872825cea96a31fa2137a faa1d8ae1741841cc4b958d71043d621 18ee7ed2c61ee532f9a42d02c3c53b017496071608324361117514bdd3fdcade https://blog.talosintelligence.com/2018/11/threat-roundup-1109-1116.html#more |
M18-cze01 | Emotet_f8b0934b | Windows | This strike sends a malware sample known as Emotet. Emotet is a banking trojan that has remained relevant due to its continual evolution to bypass antivirus products. It is commonly spread via malicious emails. | f8b0934b106e04ad16f3c5c1587cc562 | 50b7130386ff9dec22c943930207223bbc8b20c8 f8b0934b106e04ad16f3c5c1587cc562 40651a1759d2ae614541d3f6e8bb6298ab72a242673c44e541dc28e30ca8929f https://blog.talosintelligence.com/2018/11/threat-roundup-1109-1116.html#more |
M18-fzo01 | Gamarue_cfd38073 | Windows | This strike sends a malware sample known as Gamarue. Win.Trojan.Gamarue covers a family that, after installing itself on the system to survive after reboot, will spread itself to USB drives and modify system configuration settings to weaken its security and disable certain features, such as the task manager or the Windows shell, in order to protect itself. It can exfiltrate sensitive data and receive additional commands. | cfd38073c0542bbe4e3a3d5b5bde5713 | afea0cb5182f279cea464bf7c206cae331a93667 cfd38073c0542bbe4e3a3d5b5bde5713 cd80fcca97cb88cb92da3d5fb396b24e102001d3efc06082e6e3dfded9f8ee0a https://blog.talosintelligence.com/2018/11/threat-roundup-1102-1109.html#more |
M18-blh01 | Nymaim_e3b91ef1 | Windows | This strike sends a malware sample known as Nymaim. Win.Malware.Nymaim is malware that can be used to deliver ransomware and other malicious payloads. It uses a domain generation algorithm to generate potential command and control (C2) domains from which it retrieves additional payloads. | e3b91ef1583194d01055d46635e92d83 | c5a4e6a7ea5e634fa3279a68e5f9a9141acaa977 e3b91ef1583194d01055d46635e92d83 5056a547e092c82e74a2da61a5a90eb2a7e7e551e39a3387753917bedf8c3130 https://blog.talosintelligence.com/2018/11/threat-roundup-1102-1109.html#more |
M18-mby01 | Gandcrab_f4ef0e90 | Windows | This strike sends a malware sample known as Gandcrab. Gandcrab is ransomware that encrypts documents, photos, databases and other important files using the file extension ".GDCB", ".CRAB" or ".KRAB". It is spread through traditional spam campaigns as well as multiple exploit kits, including Rig and Grandsoft. | f4ef0e905cbba60c9bd6a91fab534b38 | 3a6c6fb82f666f6ef90b6fc07894e2b0820bdc12 f4ef0e905cbba60c9bd6a91fab534b38 02edf037074ebd2445625737108f7337715a6af17ec161429fa0392894e479bd https://blog.talosintelligence.com/2018/11/threat-roundup-1109-1116.html#more |
M18-xoo01 | Gandcrab_6eac5ed1 | Windows | This strike sends a malware sample known as Gandcrab. Gandcrab is ransomware that encrypts documents, photos, databases and other important files using the file extension ".GDCB", ".CRAB" or ".KRAB". It is spread through traditional spam campaigns as well as multiple exploit kits, including Rig and Grandsoft. | 6eac5ed1e9961191c5942c87f54e726c | ef39c9730831fae694b8ff244ed568a9589f5440 6eac5ed1e9961191c5942c87f54e726c 04196939eee8a21a4480a5e5bcf34f70b20f1dad9c3038bc632a415130ac47e8 https://blog.talosintelligence.com/2018/11/threat-roundup-1109-1116.html#more |
M18-8mu01 | Mikey_e97e1d93 | Windows | This strike sends a malware sample known as Mikey. Win.Malware.Mikey is a trojan that installs itself on the system, collects information and communicates with a C2 server, potentially exfiltrating sensitive information. These types of threats can also receive additional commands and perform other malicious actions on the system such as installing additional malware upon request. | e97e1d93996abcc91a7d870c91a8e482 | e6310161edb7093829edd829edab65b7cc18c953 e97e1d93996abcc91a7d870c91a8e482 42228a6bafdf985fc02536b17990299589d967ad44d22dbefdb2dbc44681741b https://blog.talosintelligence.com/2018/11/threat-roundup-1102-1109.html#more |
M18-s9101 | Upatre_bae1315a | Windows | This strike sends a malware sample known as Upatre. Upatre is a malicious downloader often used by exploit kits and phishing campaigns. Upatre downloads and executes malicious executables, such as banking malware. | bae1315a80c5c19ef9edbcc1dfe9b0d4 | 0f685019dc2ccf8c4d9c61ddd049596a75468b7b bae1315a80c5c19ef9edbcc1dfe9b0d4 d9d107fed85d142d6a5cb4d40a48b3ddf5c61f97bc502a297f816ac902fa13a6 https://blog.talosintelligence.com/2018/11/threat-roundup-1109-1116.html#more |
M18-hvg01 | Nymaim_1d14820d | Windows | This strike sends a malware sample known as Nymaim. Win.Malware.Nymaim is malware that can be used to deliver ransomware and other malicious payloads. It uses a domain generation algorithm to generate potential command and control (C2) domains from which it retrieves additional payloads. | 1d14820d7ddf2970b1020396b6684d71 | fabbd4473dbfa68dc84711252a42a6136eb867f0 1d14820d7ddf2970b1020396b6684d71 a20d48b79e72d3fc229929af39560ac26504fd31d20a7b29b81a4624eda6a0b9 https://blog.talosintelligence.com/2018/11/threat-roundup-1102-1109.html#more |
M18-soa01 | Mikey_6c9afb18 | Windows | This strike sends a malware sample known as Mikey. Win.Malware.Mikey is a trojan that installs itself on the system, collects information and communicates with a C2 server, potentially exfiltrating sensitive information. These types of threats can also receive additional commands and perform other malicious actions on the system such as installing additional malware upon request. | 6c9afb18178718b71ced2ae97394a60e | 4d5a6373ae8a3e5958cea0275a22cfa972461e49 6c9afb18178718b71ced2ae97394a60e 95aa51bc0016bf055d53f1d663b560c97d15d19956787aecf8af7933e6765e5b https://blog.talosintelligence.com/2018/11/threat-roundup-1102-1109.html#more |
M18-ly001 | Mikey_670f08d3 | Windows | This strike sends a malware sample known as Mikey. Win.Malware.Mikey is a trojan that installs itself on the system, collects information and communicates with a C2 server, potentially exfiltrating sensitive information. These types of threats can also receive additional commands and perform other malicious actions on the system such as installing additional malware upon request. | 670f08d3fffe3998bf97154bfa68540a | 3bb792281bfdf0d72b1cae541e5bbdeec3f19abe 670f08d3fffe3998bf97154bfa68540a 2b52ef895983a4778aaa66dd90cc8bb296ca3b96b891c087c4fcf483d5bf48c6 https://blog.talosintelligence.com/2018/11/threat-roundup-1102-1109.html#more |
M18-do301 | Gandcrab_81d7e038 | Windows | This strike sends a malware sample known as Gandcrab. Gandcrab is ransomware that encrypts documents, photos, databases and other important files using the file extension ".GDCB", ".CRAB" or ".KRAB". It is spread through traditional spam campaigns as well as multiple exploit kits, including Rig and Grandsoft. | 81d7e0384ef386da5dfeba80311cf5d0 | 6a99e4901f3016afbd78adf51d41b8d102e8ae49 81d7e0384ef386da5dfeba80311cf5d0 1ac89466a2668afd8d06d0f9345d48151dc2978b81985070bb23e30a767bd71c https://blog.talosintelligence.com/2018/11/threat-roundup-1109-1116.html#more |
M18-i3201 | Mikey_e8e1a47c | Windows | This strike sends a malware sample known as Mikey. Win.Malware.Mikey is a trojan that installs itself on the system, collects information and communicates with a C2 server, potentially exfiltrating sensitive information. These types of threats can also receive additional commands and perform other malicious actions on the system such as installing additional malware upon request. | e8e1a47cf4cf45eac05fe17665d3b223 | d1561956b02573f51fd555d20157a4e1a4ea06e0 e8e1a47cf4cf45eac05fe17665d3b223 911ce750a17ac1e43d53087630b1e3af416619aff2d086b89b6def0d0bfa927d https://blog.talosintelligence.com/2018/11/threat-roundup-1102-1109.html#more |
M18-f4o01 | Mikey_fe91a7bc | Windows | This strike sends a malware sample known as Mikey. Win.Malware.Mikey is a trojan that installs itself on the system, collects information and communicates with a C2 server, potentially exfiltrating sensitive information. These types of threats can also receive additional commands and perform other malicious actions on the system such as installing additional malware upon request. | fe91a7bc87b62b1f115a4c993a368243 | ca117bab2cb20a35e085392230c2d474c5b01a2a fe91a7bc87b62b1f115a4c993a368243 f3dd18c0de2af39bfd1dc3498de48e31668f6fdeb89065dcc9e7a81ae6c5046e https://blog.talosintelligence.com/2018/11/threat-roundup-1102-1109.html#more |

Strike ID | Malware | Platform | Info | MD5 | External References |
---|---|---|---|---|---|
M18-xnq01 | T9000_b9c584c7 | Windows | This strike sends a malware sample known as T9000. This sample has been associated with the malware backdoor T9000. T9000 is a modular malware that was initially dropped via an RTF document containing an exploit for either CVE-2012-1856 or CVE-2015-1641. Its capabilities include capturing encrypted data, taking screenshots, and evading security products. The purpose of this malware is to steal information from the targeted machine and send relevant critical files to the attacker. | b9c584c7c34d14599de8cd3b72f2074b | 73160d3a59db4a5858cd51ef7428a444caaf7cc4 b9c584c7c34d14599de8cd3b72f2074b bf1b00b7430899d33795ef3405142e880ef8dcbda8aab0b19d80875a14ed852f https://researchcenter.paloaltonetworks.com/2016/02/t9000-advanced-modular-backdoor-uses-complex-anti-analysis-techniques/ |
M18-4k701 | Roaming | Android | This strike sends a malware sample known as Roaming Mantis. This sample uses DNS hijacking to infect Android mobile devices. Originally the malware was observed only in Asia, but it has since spread geographically, with landing pages and APK files supporting 27 languages across Europe and the Middle East. | 28ef823d10a3b78f8840310484e3cc69 | 9cc55e437efbacf2ddf0558c74c8b77bad889dcc 28ef823d10a3b78f8840310484e3cc69 b097a3fa288331b8ec2dd2e1332154268935afffbbb35ca0b302ee17ec9e89fb https://securelist.com/roaming-mantis-dabbles-in-mining-and-phishing-multilingually/85607/ |
M18-r3401 | Roaming | Android | This strike sends a malware sample known as Roaming Mantis. This sample uses DNS hijacking to infect Android mobile devices. Originally the malware was observed only in Asia, but it has since spread geographically, with landing pages and APK files supporting 27 languages across Europe and the Middle East. | 19e3daf40460aea22962d98de4bc32d2 | 9d8f83e322741f98d145b073516738e9a2f9680f 19e3daf40460aea22962d98de4bc32d2 d44321ee252a6dd3a20315487bb249867a7d5d0089237d4d5622f006c863ce89 https://securelist.com/roaming-mantis-dabbles-in-mining-and-phishing-multilingually/85607/ |
M18-z3a01 | Ryuk_1354ac0d | Windows | This strike sends a malware sample known as Ryuk. This sample is a highly targeted ransomware attack that has infected numerous organizations worldwide. The malware performs extensive network mapping and hacking. Because the attack is targeted, credential collection is required and takes place in advance. | 1354ac0d5be0c8d03f4e3aba78d2223e | a44a8c8c8f167d455db41316f3616ef5703bffff 1354ac0d5be0c8d03f4e3aba78d2223e c51024bb119211c335f95e731cfa9a744fcdb645a57d35fb379d01b7dbdd098e https://research.checkpoint.com/ryuk-ransomware-targeted-campaign-break/ |
M18-y4g02 | Marap_e96b1418 | Mixed | This strike sends a malware sample known as Marap. Marap is a modular downloader malware with a focus on downloading other modules and payloads. Because of its modular nature, it can add functionality to itself over time. For example, it downloads a system fingerprinting module that allows the attacker to perform reconnaissance on the targeted machine. | e96b1418314fe28dd5423144f756b7a3 | a69899bc097b0a69af732010b79ba9744799d0ea e96b1418314fe28dd5423144f756b7a3 1c6661cc19d071df75ef94c58829f223b8634c00a03d1dadcde222c25475fa05 https://www.proofpoint.com/us/threat-insight/post/new-modular-downloaders-fingerprint-systems-prepare-more-part-1-marap |
M18-v8401 | GreyEnergy_275f821b | Windows | This strike sends a malware sample known as GreyEnergy. This sample is part of the GreyEnergy malware family, which drops a lightweight first-stage backdoor to compromise the victim. Attackers then map the network and collect passwords to elevate their privileges. This malware also attempts stealthy C2 communication by having internal servers proxy C2 requests from nodes inside the network to an external C2 server. | 275f821b328c06a2ef7b5ebb22af9cb6 | 748fe84497423ed209357e923be28083d42d69de 275f821b328c06a2ef7b5ebb22af9cb6 7ceab4ac6b3376bb6b6e11e8b6b2a3c2398e0c1f1faef138bf60aa1765bfd25a https://www.welivesecurity.com/2018/10/17/greyenergy-updated-arsenal-dangerous-threat-actors/ https://www.welivesecurity.com/wp-content/uploads/2018/10/ESET_GreyEnergy.pdf |
M18-abw01 | NOKKI_48f031f8 | Windows | This strike sends a malware sample known as NOKKI. This malware establishes persistence on the victim machine. It then establishes a connection to a C2 server. It will collect information from the target machine, and can drop and execute various payloads as well. | 48f031f8120554a5f47259666fd0ee02 | 02ee6302436250e1cee1e75cf452a127b397be8d 48f031f8120554a5f47259666fd0ee02 b8120d5c9c2c889b37aa9e37514a3b4964c6e41296be216b327cdccd2e908311 |
M18-51m01 | NOKKI_42fbea77 | Windows | This strike sends a malware sample known as NOKKI. This malware establishes persistence on the victim machine. It then establishes a connection to a C2 server. It will collect information from the target machine, and can drop and execute various payloads as well. | 42fbea771f3e0ff04ac0a1d09db2a45e | 2b6b6f24f58072a02f03fa04deaccce04b6bb43b 42fbea771f3e0ff04ac0a1d09db2a45e 9bf634ff0bc7c69ffceb75f9773c198944d907ba822c02c44c83e997b88eeabd |
M18-e0r01 | Roaming | Android | This strike sends a malware sample known as Roaming Mantis. This sample uses DNS hijacking to infect Android mobile devices. Originally the malware was observed only in Asia, but it has since spread geographically, with landing pages and APK files supporting 27 languages across Europe and the Middle East. | b964645e76689d7e0d09234fb7854ede | 5c38844d5618f51ce356d95c5811760305eaadd4 b964645e76689d7e0d09234fb7854ede 1588e671c3c29ecbced61b01f08622562614cb9b19411cce3e259deafda6f2b7 https://securelist.com/roaming-mantis-dabbles-in-mining-and-phishing-multilingually/85607/ |
M18-80p01 | GreyEnergy_92f63b12 | Windows | This strike sends a malware sample known as GreyEnergy. This sample is part of the GreyEnergy malware family, which drops a lightweight first-stage backdoor to compromise the victim. Attackers then map the network and collect passwords to elevate their privileges. This malware also attempts stealthy C2 communication by having internal servers proxy C2 requests from nodes inside the network to an external C2 server. | 92f63b1227a6b37335495f9bcb939ea2 | 30af51f1f7cb9a9a46df3abffb6ae3e39935d82c 92f63b1227a6b37335495f9bcb939ea2 c2d06ad0211c24f36978fe34d25b0018ffc0f22b0c74fd1f915c608bf2cfad15 https://www.welivesecurity.com/2018/10/17/greyenergy-updated-arsenal-dangerous-threat-actors/ https://www.welivesecurity.com/wp-content/uploads/2018/10/ESET_GreyEnergy.pdf |
M18-ixw01 | KONNI_38ead1e8 | Windows | This strike sends a malware sample known as KONNI. This sample is a Remote Access Trojan with many capabilities, such as taking screenshots, finding and executing files, and uploading files to a C2 server. | 38ead1e8ffd5b357e879d7cb8f467508 | d6b306a283ebba49c77f888c6e3e7c6034acd5eb 38ead1e8ffd5b357e879d7cb8f467508 44d0a1eaca283426c02a506f8dd2499ee006b96af26746bc751bc0353978922e https://www.fortinet.com/blog/threat-research/a-quick-look-at-a-new-konni-rat-variant.html |
M18-1ob01 | GreyEnergy_2bff6b87 | Windows | This strike sends a malware sample known as GreyEnergy. This sample is part of the GreyEnergy malware family, which drops a lightweight first-stage backdoor to compromise the victim. Attackers then map the network and collect passwords to elevate their privileges. This malware also attempts stealthy C2 communication by having internal servers proxy C2 requests from nodes inside the network to an external C2 server. | 2bff6b87ee4b4d1d4f9468939797e8a9 | bfc164e5a28a3d56b8493b1fc1ca4a12fa1ac6ac 2bff6b87ee4b4d1d4f9468939797e8a9 037723bdb9100d19bf15c5c21b649db5f3f61e421e76abe9db86105f1e75847b https://www.welivesecurity.com/2018/10/17/greyenergy-updated-arsenal-dangerous-threat-actors/ https://www.welivesecurity.com/wp-content/uploads/2018/10/ESET_GreyEnergy.pdf |
M18-rec01 | Roaming | Android | This strike sends a malware sample known as Roaming Mantis. This sample uses DNS hijacking to infect Android mobile devices. Originally the malware was observed only in Asia, but it has since spread geographically, with landing pages and APK files supporting 27 languages across Europe and the Middle East. | ee0718c18b2e9f941b5d0327a27fbda1 | 0e05cd3914443dd45000ed5f80c727bc846b59a1 ee0718c18b2e9f941b5d0327a27fbda1 d0ecc4b289a6bae15b8d05a3ce396ae17ff80bc74ba71999b6baeea59d114ee9 https://securelist.com/roaming-mantis-dabbles-in-mining-and-phishing-multilingually/85607/ |
M18-btp01 | Roaming | Android | This strike sends a malware sample known as Roaming Mantis. This sample uses DNS hijacking to infect Android mobile devices. Originally the malware was observed only in Asia, but it has since spread geographically, with landing pages and APK files supporting 27 languages across Europe and the Middle East. | a5d2403b98cddcd80b79a4658df4d147 | 8f7ff105469267cffb46d79937023e017dd71185 a5d2403b98cddcd80b79a4658df4d147 14ef13a6d07575a06d788f305175fb3095640ba5c42d2558cc8b0dd552f8e5a6 https://securelist.com/roaming-mantis-dabbles-in-mining-and-phishing-multilingually/85607/ |
M18-uux01 | NOKKI_ae27e617 | Windows | This strike sends a malware sample known as NOKKI. This malware establishes persistence on the victim machine. It then establishes a connection to a C2 server. It will collect information from the target machine, and can drop and execute various payloads as well. | ae27e617f4197cd30cc09fe784453cd4 | dc739ca07585eab7394843bc4dba2faca8e5bfe0 ae27e617f4197cd30cc09fe784453cd4 9b1a21d352ededd057ee3a965907126dd11d13474028a429d91e2349b1f00e10 |
M18-fgi01 | Roaming | Android | This strike sends a malware sample known as Roaming Mantis. This sample uses DNS hijacking to infect Android mobile devices. Originally the malware was observed only in Asia, but it has since spread geographically, with landing pages and APK files supporting 27 languages across Europe and the Middle East. | 8a4ed9c4a66d7ccb3d155f85383ea3b3 | 923f95c17b37fd8a8b9394095b1047fd44d2138e 8a4ed9c4a66d7ccb3d155f85383ea3b3 1a4cac4a70cb95fae23bb917a549756ed33910b8b9be31c3b4d3c701879ec8fd https://securelist.com/roaming-mantis-dabbles-in-mining-and-phishing-multilingually/85607/ |
M18-nb401 | ChachaDDos_36d3cf44 | Linux | This strike sends a malware sample known as ChachaDDos. This malware establishes persistence during the first stage by adding itself to dhcprenew. Once this service is enabled, it downloads and decrypts the second-stage binary. Finally, the malware performs its DDoS functionality through a TCP SYN attack. | 36d3cf441cf46c4be9763c30b2b95305 | 0ab55b573703e20ac99492e5954c1db91b83aa55 36d3cf441cf46c4be9763c30b2b95305 0006a8dfc7bb8d07c233b66fd54aff8b2f9c10cd2ef518e2541f7b81ae5650bb https://www.welivesecurity.com/2018/10/18/new-linux-chachaddos-malware-distributed-servers-vestacp-installed/ |
M18-zwr01 | Roaming | Android | This strike sends a malware sample known as Roaming Mantis. This sample uses DNS hijacking to infect Android mobile devices. Originally the malware was observed only in Asia, but it has since spread geographically, with landing pages and APK files supporting 27 languages across Europe and the Middle East. | fe0198f4b3d9dc501c2b7db2750a228b | a4d682cd2b3f2c475d06939004152f624a6ea6ba fe0198f4b3d9dc501c2b7db2750a228b 067d9a08ea3cc9c37dc03dc2d88d364bb17d4b07a2bd4060b2dde6f96b3dce88 https://securelist.com/roaming-mantis-dabbles-in-mining-and-phishing-multilingually/85607/ |
M18-khh01 | Roaming | Android | This strike sends a malware sample known as Roaming Mantis. This sample uses DNS hijacking to infect Android mobile devices. Originally the malware was observed only in Asia, but it has since spread geographically, with landing pages and APK files supporting 27 languages across Europe and the Middle East. | 3e4bff0e8ed962f3c420692a35d2e503 | a7ea3faf634a752db70ce01d1d8c1f43fd4f4884 3e4bff0e8ed962f3c420692a35d2e503 8bbce6b2772a4d4e014634bcda448ad015743fd95ac801c713cc390704829c1d https://securelist.com/roaming-mantis-dabbles-in-mining-and-phishing-multilingually/85607/ |
M18-3nx01 | Roaming | Android | This strike sends a malware sample known as Roaming Mantis. This sample uses DNS hijacking to infect Android mobile devices. Originally the malware was observed only in Asia, but it has since spread geographically, with landing pages and APK files supporting 27 languages across Europe and the Middle East. | 5145c98d809bc014c3af39415be8c9ac | 8b320db4452788315c34bce7f7af81f84ad7adc1 5145c98d809bc014c3af39415be8c9ac 7c8eb86d2181a69691dd32d1ec4b8bf3171a9f8eecd324799fadc4915caffc56 https://securelist.com/roaming-mantis-dabbles-in-mining-and-phishing-multilingually/85607/ |
M18-vkr01 | Marap_13cc8c74 | Mixed | This strike sends a malware sample known as Marap. Marap is a modular downloader malware with a focus on downloading other modules and payloads. Because of its modular nature, it can add functionality to itself over time. For example, it downloads a system fingerprinting module that allows the attacker to perform reconnaissance on the targeted machine. | 13cc8c748ab6beab2b942a9d04679511 | 7bc60af7993f8bf3d595e98e87f8dd99d8e7182e 13cc8c748ab6beab2b942a9d04679511 2c5729e17b64cd4e905ccfeabbc913ed945e17625c35ec1d6932194aae83d7c6 https://www.proofpoint.com/us/threat-insight/post/new-modular-downloaders-fingerprint-systems-prepare-more-part-1-marap |
M18-r9801 | Roaming | Android | This strike sends a malware sample known as Roaming Mantis. This sample uses DNS hijacking to infect Android mobile devices. Originally the malware was observed only in Asia, but it has since spread geographically, with landing pages and APK files supporting 27 languages across Europe and the Middle East. | 31e61e52d38f19cf3958df2239fba1a7 | a9ee622c0dc661a10dc3f96f3696b0ef8dbe7953 31e61e52d38f19cf3958df2239fba1a7 cc2617d7d904986b83baf7843db6969151363000678e8da599edbf6cf23cb827 https://securelist.com/roaming-mantis-dabbles-in-mining-and-phishing-multilingually/85607/ |
M18-nn102 | NOKKI_cf62c2f6 | Windows | This strike sends a malware sample known as NOKKI. This malware establishes persistence on the victim machine. It then establishes a connection to a C2 server. It will collect information from the target machine, and can drop and execute various payloads as well. | cf62c2f67cd933ca176f84a26d4cdca2 | 65195ce6b3437acee417f405153f1c210cc86f6c cf62c2f67cd933ca176f84a26d4cdca2 d5fc0ef2d1ed037b5b6389882f9bb4ea15a6b41f21cdc0f5e90752f4e687445c |
M18-61102 | Ryuk_5ac0f050 | Windows | This strike sends a malware sample known as Ryuk. This sample is a highly targeted ransomware attack that has infected numerous organizations worldwide. The malware performs extensive network mapping and hacking. Because the attack is targeted, credential collection is required and takes place in advance. | 5ac0f050f93f86e69026faea1fbb4450 | 9709774fde9ec740ad6fed8ed79903296ca9d571 5ac0f050f93f86e69026faea1fbb4450 23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2 https://research.checkpoint.com/ryuk-ransomware-targeted-campaign-break/ |
M18-gf401 | Roaming | Android | This strike sends a malware sample known as Roaming Mantis. This sample uses DNS hijacking to infect Android mobile devices. Originally the malware was observed only in Asia, but it has since spread geographically, with landing pages and APK files supporting 27 languages across Europe and the Middle East. | a21322b2416fce17a1877542d16929d5 | faae3d8930839a2283423212f9a38ac2bf59b405 a21322b2416fce17a1877542d16929d5 7e49b7c6ed359b4e910e8d4d2c9436d99cddeb7f9af2e2f1082d0ca45d469566 https://securelist.com/roaming-mantis-dabbles-in-mining-and-phishing-multilingually/85607/ |
M18-q9p01 | CobInt_2f98a491 | Mixed | This strike sends a malware sample known as CobInt. This sample has been associated with the CobInt downloader malware. The malware is modular and consists of three stages: the initial downloader, the main component itself, and various additional modules of the kind typically associated with modular malware. | 2f98a491258b6606b7d9ad2a662a5513 | 0add1984917ac56eb2824ca20f71e730a814fdb5 2f98a491258b6606b7d9ad2a662a5513 5d29b89e9ee14261c1b556bbc66650488b590f311173aef641e178ba735e6e0d https://www.proofpoint.com/us/threat-insight/post/new-modular-downloaders-fingerprint-systems-part-3-cobint |
M18-zq601 | CobInt_f3bb3e2c | Windows | This strike sends a malware sample known as CobInt. This sample has been associated with the CobInt downloader malware. The malware is modular and consists of three stages: the initial downloader, the main component itself, and various additional modules of the kind typically associated with modular malware. | f3bb3e2c03f3976c107de88b43a22655 | a9fa69915e8c6e8b96c6cd68b94f7220021053cb f3bb3e2c03f3976c107de88b43a22655 5859a21be4ca9243f6adf70779e6986f518c3748d26c427a385efcd3529d8792 https://www.proofpoint.com/us/threat-insight/post/new-modular-downloaders-fingerprint-systems-part-3-cobint |
M18-us901 | Roaming | Mixed | This strike sends a malware sample known as Roaming Mantis. This sample uses DNS hijacking to infect Android mobile devices. Originally the malware was observed only in Asia, but it has since spread geographically, with landing pages and APK files supporting 27 languages across Europe and the Middle East. | 6cac4c9eda750a69e435c801a7ca7b8d | d53e174b0df2083643bf567cdf0e8886c3e34772 6cac4c9eda750a69e435c801a7ca7b8d 7c6d4d34a237087546d625960973fb2ad17fd8c81bd63cce710aa10e115ad40a https://securelist.com/roaming-mantis-dabbles-in-mining-and-phishing-multilingually/85607/ |
M18-08m01 | GreyEnergy_1cb35f43 | Windows | This strike sends a malware sample known as GreyEnergy. This sample is part of the GreyEnergy malware family, which drops a lightweight first-stage backdoor to compromise the victim. Attackers then map the network and collect passwords to elevate their privileges. This malware also attempts stealthy C2 communication by having internal servers proxy C2 requests from nodes inside the network to an external C2 server. | 1cb35f4340a37e75aff1f901629b59f3 | cc1ce3073937552459fb8ed0adb5d56fa00bcd43 1cb35f4340a37e75aff1f901629b59f3 b60c0c04badc8c5defab653c581d57505b3455817b57ee70af74311fa0b65e22 https://www.welivesecurity.com/2018/10/17/greyenergy-updated-arsenal-dangerous-threat-actors/ https://www.welivesecurity.com/wp-content/uploads/2018/10/ESET_GreyEnergy.pdf |
M18-5yr01 | AdvisorsBot_6c8e800f | Windows | This strike sends a malware sample known as AdvisorsBot. AdvisorsBot is a modular downloader malware that was originally seen in the wild targeting hotels, restaurants and telecommunications. The malware employs many anti-analysis features to slow the investigation process. Like most modular malware, it can install modules that provide functionality such as running system commands, taking screenshots, and fingerprinting the system. It then sends this information back to the attacker-controlled C2 server. | 6c8e800f14f927de051a3788083635e5 | 1d8e2f4218acfb6f05932f6b57a814135e1a068c 6c8e800f14f927de051a3788083635e5 ee32c4e0a4b345029d8b0f5c6534fa9fc41e795cc937d3f3fd743dcb0a1cea35 https://www.proofpoint.com/us/threat-insight/post/new-modular-downloaders-fingerprint-systems-part-2-advisorsbot |
M18-ric01 | Roaming | Android | This strike sends a malware sample known as Roaming Mantis. This sample uses DNS hijacking to infect Android mobile devices. Originally the malware was observed only in Asia, but it has since spread geographically, with landing pages and APK files supporting 27 languages across Europe and the Middle East. | 808b186ddfa5e62ee882d5bdb94cc6e2 | 983e80acbe61c5e4097217c6d33447811a6cf086 808b186ddfa5e62ee882d5bdb94cc6e2 29e309dbb4873fe43e279010932735baff53b32da95263079e06080a29a875b4 https://securelist.com/roaming-mantis-dabbles-in-mining-and-phishing-multilingually/85607/ |
M18-xhe01 | Roaming | Android | This strike sends a malware sample known as Roaming Mantis. This sample uses DNS hijacking to infect Android mobile devices. Originally the malware was observed only in Asia, but it has since spread geographically, with landing pages and APK files supporting 27 languages across Europe and the Middle East. | b4152bee9eca9eb247353e0ecab37aa5 | 7771826c19890d967efd3f5e5e233ce411f31b5f b4152bee9eca9eb247353e0ecab37aa5 e629f80c9e393cf0ff02b7097a12f098b94dd879f18283caa70c426087c39a4a https://securelist.com/roaming-mantis-dabbles-in-mining-and-phishing-multilingually/85607/ |
M18-s7801 | Roaming | Android | This strike sends a malware sample known as Roaming Mantis. This sample uses DNS hijacking to infect Android mobile devices. Originally the malware was observed only in Asia, but it has since spread geographically, with landing pages and APK files supporting 27 languages across Europe and the Middle East. | f89214bfa4b4ac9000087e4253e7f754 | 04599b2367a3aa9937b5820c8563b10f48578e05 f89214bfa4b4ac9000087e4253e7f754 e3228f9fc6a6bc71e5281010fdc78dcc453401074c95e51791fd9a4ee2affcf3 https://securelist.com/roaming-mantis-dabbles-in-mining-and-phishing-multilingually/85607/ |
M18-kxp01 | Ryuk_d348f536 | Windows | This strike sends a malware sample known as Ryuk. This sample is a highly targeted ransomware attack that has infected numerous organizations world wide. The malware performs extensive network mapping, and hacking. Because it is targeted credential collection is required and takes place in advance. | d348f536e214a47655af387408b4fca5 | 13f11e273f9a4a56557f03821c3bfd591cca6ebc d348f536e214a47655af387408b4fca5 3012f472969327d5f8c9dac63b8ea9c5cb0de002d16c120a6bba4685120f58b4 https://research.checkpoint.com/ryuk-ransomware-targeted-campaign-break/ |
M18-rdf01 | NOKKI_88587c43 | Windows | This strike sends a malware sample known as NOKKI. This malware establishes persistence on the victim machine. It then establishes a connection to a C2 server. It will collect information from the target machine, and can drop and execute various payloads as well. | 88587c43daff30cd3cc0c913a390e9df | 1cc8ceeef9a2ea4260fae03368a9d07d56e8331b 88587c43daff30cd3cc0c913a390e9df 07b90088ec02ef6757f6590a62e2a038ce769914139aff1a26b50399a31dcde9 |
M18-49001 | Roaming | Android | This strike sends a malware sample known as Roaming Mantis. This sample uses DNS hijacking to infect Android mobile devices. Originally the malware was located in Asia, but it has since spread geographically, with landing pages and APK files supporting 27 languages across Europe and Middle Eastern countries. | 46c34be9b3ff01e73153937ef35b0766 | 62cc7b2ec891637029f4e108155d2837816f21dd 46c34be9b3ff01e73153937ef35b0766 53296107feaca4bdd0cb320502cbc905f3dff9841a004a2576f7190dbe21e328 https://securelist.com/roaming-mantis-dabbles-in-mining-and-phishing-multilingually/85607/ |
M18-drx01 | CobInt_0e01a700 | Windows | This strike sends a malware sample known as CobInt. This sample has been associated with the CobInt downloader malware. The malware is modular and contains three stages: the initial downloader, the main component itself, and various additional modules that are often associated with modular malware functionality. | 0e01a700ab4255045e3d29c1fd977600 | 7c3a69cd06707540a7115d4c32a1d26f5fe80424 0e01a700ab4255045e3d29c1fd977600 ab73ad1ef898e25052c500244a754aa9964dff7fd173b903d1230a9e8d91596f https://www.proofpoint.com/us/threat-insight/post/new-modular-downloaders-fingerprint-systems-part-3-cobint |
M18-4o301 | T9000_2299fb82 | Windows | This strike sends a malware sample known as T9000. This sample has been associated with the malware backdoor T9000. T9000 is a modular malware that was initially dropped via an RTF document that contained either CVE-2012-1856 or CVE-2015-1641 exploits. It includes capabilities like capturing encrypted data, taking screenshots, and evading security products. The purpose of this malware is to steal information from the targeted machine and send relevant critical files to the attacker. | 2299fb8268f47294eb2b18282540a955 | cb57196bde3f520e87c948b4676bf487c0fd513e 2299fb8268f47294eb2b18282540a955 3dfc94605daf51ebd7bbccbb3a9049999f8d555db0999a6a7e6265a7e458cab9 https://researchcenter.paloaltonetworks.com/2016/02/t9000-advanced-modular-backdoor-uses-complex-anti-analysis-techniques/ |
M18-bik01 | GreyEnergy_549ace27 | Windows | This strike sends a malware sample known as GreyEnergy. This sample is part of the GreyEnergy malware family that drops a lightweight first-stage backdoor to compromise the victim. Attackers then map the network and collect passwords to elevate their privileges. This malware also tries to employ stealthy C2 communication by getting the internal servers to proxy C2 requests from nodes inside the network to an external C2 server. | 549ace2711a324a977be83887f10ed9c | 10d7687c44beca4151bb07f78c6e605e8a552889 549ace2711a324a977be83887f10ed9c 6974b8acf6a8f7684673b01753c3a8248a1c491900cccf771db744ca0442f96a https://www.welivesecurity.com/2018/10/17/greyenergy-updated-arsenal-dangerous-threat-actors/ https://www.welivesecurity.com/wp-content/uploads/2018/10/ESET_GreyEnergy.pdf |
M18-6q301 | Roaming | Android | This strike sends a malware sample known as Roaming Mantis. This sample uses DNS hijacking to infect Android mobile devices. Originally the malware was located in Asia, but it has since spread geographically, with landing pages and APK files supporting 27 languages across Europe and Middle Eastern countries. | 1cc88a79424091121a83d58b6886ea7a | 9f7ad6e64c1063b52fe11439fd55f902211b72e3 1cc88a79424091121a83d58b6886ea7a 4e32493e6c87b0e2ef3e6ae32f5c32d75ae36c92524a185eabc88fea3c7938c8 https://securelist.com/roaming-mantis-dabbles-in-mining-and-phishing-multilingually/85607/ |
M18-mqr01 | CobInt_9e60c89c | Mixed | This strike sends a malware sample known as CobInt. This sample has been associated with the CobInt downloader malware. The malware is modular and contains three stages: the initial downloader, the main component itself, and various additional modules that are often associated with modular malware functionality. | 9e60c89cc58b3e47d93864433622ae32 | e99a477d8942b7727cbb8be468039f7bfb34dfb3 9e60c89cc58b3e47d93864433622ae32 eb9d34aba286471a147488ea82eec9902034f9f1cf75c4fa1c7dd40815a493d8 https://www.proofpoint.com/us/threat-insight/post/new-modular-downloaders-fingerprint-systems-part-3-cobint |
M18-71201 | Ryuk_29340643 | Windows | This strike sends a malware sample known as Ryuk. This sample is a highly targeted ransomware attack that has infected numerous organizations worldwide. The malware performs extensive network mapping and hacking. Because the attack is targeted, credential collection is required and takes place in advance. | 29340643ca2e6677c19e1d3bf351d654 | 1581fe76e3c96dc33182daafd09c8cf5c17004e0 29340643ca2e6677c19e1d3bf351d654 113af75f13547be184822f1268f984b79f35965a1b1f963d23b50a09741b0aec https://research.checkpoint.com/ryuk-ransomware-targeted-campaign-break/ |
M18-w4y01 | Roaming | Android | This strike sends a malware sample known as Roaming Mantis. This sample uses DNS hijacking to infect Android mobile devices. Originally the malware was located in Asia, but it has since spread geographically, with landing pages and APK files supporting 27 languages across Europe and Middle Eastern countries. | 4d9a7e425f8c8b02d598ef0a0a776a58 | 6326ee3221532268e5d26164376408b28292ff85 4d9a7e425f8c8b02d598ef0a0a776a58 c65318aa58c9091b938948b62c4b5d6e47237697d8d2f96863f99ef177b6818d https://securelist.com/roaming-mantis-dabbles-in-mining-and-phishing-multilingually/85607/ |
M18-yq901 | AdvisorsBot_54abb22b | Mixed | This strike sends a malware sample known as AdvisorsBot. AdvisorsBot is a modular downloader malware that was originally seen in the wild targeting hotels, restaurants and telecommunications. The malware employs many anti-analysis features to slow the investigation process. Like most modular malware, it can install modules that perform functionality like running system commands, taking screenshots, and fingerprinting the system. It then sends this information back to the attacker-controlled C2 server. | 54abb22b0b5656540eec35fc5591a324 | f96760cf48d7af79e7cf78fc90082900059522ea 54abb22b0b5656540eec35fc5591a324 6d73bea291bf6114af8333031187ac05fdfc8afe05025b272f510a6977b2153e https://www.proofpoint.com/us/threat-insight/post/new-modular-downloaders-fingerprint-systems-part-2-advisorsbot |
M18-yl201 | GreyEnergy_224c2d88 | Windows | This strike sends a malware sample known as GreyEnergy. This sample is part of the GreyEnergy malware family that drops a lightweight first-stage backdoor to compromise the victim. Attackers then map the network and collect passwords to elevate their privileges. This malware also tries to employ stealthy C2 communication by getting the internal servers to proxy C2 requests from nodes inside the network to an external C2 server. | 224c2d888bce0c3d19fbef41cb20b45a | e3e61df9e0dd92c98223c750e13001cbb73a1e31 224c2d888bce0c3d19fbef41cb20b45a 165a7853ef51e96ce3f88bb33f928925b24ca5336e49845fc5fc556812092740 https://www.welivesecurity.com/2018/10/17/greyenergy-updated-arsenal-dangerous-threat-actors/ https://www.welivesecurity.com/wp-content/uploads/2018/10/ESET_GreyEnergy.pdf |
M18-46l01 | NOKKI_82625a7f | Windows | This strike sends a malware sample known as NOKKI. This malware establishes persistence on the victim machine. It then establishes a connection to a C2 server. It will collect information from the target machine, and can drop and execute various payloads as well. | 82625a7fd34aa47602f82d7b1f454ea4 | 6ae0969e068e937fc7a3825307d9e66814ab56da 82625a7fd34aa47602f82d7b1f454ea4 4e84f97bb61c2d373a574676fa374131460839ecc7b53064f558ce7ce55528ad |
M18-4ml01 | GreyEnergy_c9d46876 | Windows | This strike sends a malware sample known as GreyEnergy. This sample is part of the GreyEnergy malware family that drops a lightweight first-stage backdoor to compromise the victim. Attackers then map the network and collect passwords to elevate their privileges. This malware also tries to employ stealthy C2 communication by getting the internal servers to proxy C2 requests from nodes inside the network to an external C2 server. | c9d46876d5ab346e8921973b719aff58 | f36ecac8696aa0862ad3779ca464b2cd399d8099 c9d46876d5ab346e8921973b719aff58 c21cf6018c2ee0a90b9d2c401aae8071c90b5a4bc9848a94d678d77209464f79 https://www.welivesecurity.com/2018/10/17/greyenergy-updated-arsenal-dangerous-threat-actors/ https://www.welivesecurity.com/wp-content/uploads/2018/10/ESET_GreyEnergy.pdf |
M18-hae01 | Roaming | Android | This strike sends a malware sample known as Roaming Mantis. This sample uses DNS hijacking to infect Android mobile devices. Originally the malware was located in Asia, but it has since spread geographically, with landing pages and APK files supporting 27 languages across Europe and Middle Eastern countries. | 07eab01094567c6d62a73f7098634eb8 | 9b960d4d85026a52271a31f07e2f1609ab58a947 07eab01094567c6d62a73f7098634eb8 4e26d9e0ab05647c36392c3122e6b5615c96d069d4c708ad8bc02786b98cf1ea https://securelist.com/roaming-mantis-dabbles-in-mining-and-phishing-multilingually/85607/ |
M18-wix01 | Ryuk_c0202cf6 | Windows | This strike sends a malware sample known as Ryuk. This sample is a highly targeted ransomware attack that has infected numerous organizations worldwide. The malware performs extensive network mapping and hacking. Because the attack is targeted, credential collection is required and takes place in advance. | c0202cf6aeab8437c638533d14563d35 | 5767653494d05b3f3f38f1662a63335d09ae6489 c0202cf6aeab8437c638533d14563d35 8d3f68b16f0710f858d8c1d2c699260e6f43161a5510abb0e7ba567bd72c965b https://research.checkpoint.com/ryuk-ransomware-targeted-campaign-break/ |
M18-cs901 | GreyEnergy_e420d6e2 | Windows | This strike sends a malware sample known as GreyEnergy. This sample is part of the GreyEnergy malware family that drops a lightweight first-stage backdoor to compromise the victim. Attackers then map the network and collect passwords to elevate their privileges. This malware also tries to employ stealthy C2 communication by getting the internal servers to proxy C2 requests from nodes inside the network to an external C2 server. | e420d6e25bc6a01216de80237460f565 | dfd8665d91c508faf66e2bc2789b504670762ea2 e420d6e25bc6a01216de80237460f565 c6a54912f77a39c8f909a66a940350dcd8474c7a1d0e215a878349f1b038c58a https://www.welivesecurity.com/2018/10/17/greyenergy-updated-arsenal-dangerous-threat-actors/ https://www.welivesecurity.com/wp-content/uploads/2018/10/ESET_GreyEnergy.pdf |
M18-89i02 | T9000_a45e5c32 | Windows | This strike sends a malware sample known as T9000. This sample has been associated with the malware backdoor T9000. T9000 is a modular malware that was initially dropped via an RTF document that contained either CVE-2012-1856 or CVE-2015-1641 exploits. It includes capabilities like capturing encrypted data, taking screenshots, and evading security products. The purpose of this malware is to steal information from the targeted machine and send relevant critical files to the attacker. | a45e5c32fc2bc7be9d6e4bba8b2807bf | fb7eba5de0304aa81711e645d6f3f203a1092613 a45e5c32fc2bc7be9d6e4bba8b2807bf 1cea4e49bd785378d8beb863bb8eb662042dffd18c85b8c14c74a0367071d9a7 https://researchcenter.paloaltonetworks.com/2016/02/t9000-advanced-modular-backdoor-uses-complex-anti-analysis-techniques/ |
M18-ml601 | Roaming | Android | This strike sends a malware sample known as Roaming Mantis. This sample uses DNS hijacking to infect Android mobile devices. Originally the malware was located in Asia, but it has since spread geographically, with landing pages and APK files supporting 27 languages across Europe and Middle Eastern countries. | 7aa46b4d67c3ab07caa53e8d8df3005c | 7e92fefd5e4991aad951e9b9ec16be5c0d6633dd 7aa46b4d67c3ab07caa53e8d8df3005c a2fafbb7cb9fab38aa31f1e14a6302ac528bb891b6063c6db12737a53d29cde7 https://securelist.com/roaming-mantis-dabbles-in-mining-and-phishing-multilingually/85607/ |
M18-5wg01 | Roaming | Android | This strike sends a malware sample known as Roaming Mantis. This sample uses DNS hijacking to infect Android mobile devices. Originally the malware was located in Asia, but it has since spread geographically, with landing pages and APK files supporting 27 languages across Europe and Middle Eastern countries. | b84b0d5f128a8e0621733a6f3b412e19 | 1f4b437f985e2c56f06bfe7f538be32330770a57 b84b0d5f128a8e0621733a6f3b412e19 1849e8dfd9d1c03dbe6c1464f9b05492012a6c14a0a5b63feb938f1c8b70309b https://securelist.com/roaming-mantis-dabbles-in-mining-and-phishing-multilingually/85607/ |
M18-pw601 | Roaming | Android | This strike sends a malware sample known as Roaming Mantis. This sample uses DNS hijacking to infect Android mobile devices. Originally the malware was located in Asia, but it has since spread geographically, with landing pages and APK files supporting 27 languages across Europe and Middle Eastern countries. | 904b4d615c05952bcf58f35acadee5c1 | 04924ecb63f0d30c16fa25d625d6e350fc0b28f2 904b4d615c05952bcf58f35acadee5c1 7595c97eb7f2ff4da237746cdac7992df6a4963dcf2f96c9ae19f7a2dc8c88f7 https://securelist.com/roaming-mantis-dabbles-in-mining-and-phishing-multilingually/85607/ |
M18-6dy01 | Roaming | Android | This strike sends a malware sample known as Roaming Mantis. This sample uses DNS hijacking to infect Android mobile devices. Originally the malware was located in Asia, but it has since spread geographically, with landing pages and APK files supporting 27 languages across Europe and Middle Eastern countries. | 531714703557a58584a102ecc34162ff | 9030d2bf4fc529aa914b171edbd32970ddd2eeb3 531714703557a58584a102ecc34162ff e58196f94f3b76e6c3d90c4ade26403ac655327385f7b875c29d3abf6ee715da https://securelist.com/roaming-mantis-dabbles-in-mining-and-phishing-multilingually/85607/ |
M18-ojw01 | NOKKI_f9e42414 | Windows | This strike sends a malware sample known as NOKKI. This malware establishes persistence on the victim machine. It then establishes a connection to a C2 server. It will collect information from the target machine, and can drop and execute various payloads as well. | f9e42414fb19fd863fdf7066e01661f3 | 0885341bd5a6fbcad2f010b2e839f7e8b47e6b37 f9e42414fb19fd863fdf7066e01661f3 c3172b403068aabc711b7cbe4d923ae1fa705ce11c4cc71271fde83ce751c21c |
M18-6hz01 | Roaming | Android | This strike sends a malware sample known as Roaming Mantis. This sample uses DNS hijacking to infect Android mobile devices. Originally the malware was located in Asia, but it has since spread geographically, with landing pages and APK files supporting 27 languages across Europe and Middle Eastern countries. | 3ed3b8ecce178c2e977a269524f43576 | dbd1a0dffdea64a10e95fddaa40541ae5f7867f8 3ed3b8ecce178c2e977a269524f43576 c888118cea08d596daf41ebd518098e2b43c226898a5dd1cdd3760a7ab2723a2 https://securelist.com/roaming-mantis-dabbles-in-mining-and-phishing-multilingually/85607/ |
M18-g4z01 | AdvisorsBot_a487b5f2 | Mixed | This strike sends a malware sample known as AdvisorsBot. AdvisorsBot is a modular downloader malware that was originally seen in the wild targeting hotels, restaurants and telecommunications. The malware employs many anti-analysis features to slow the investigation process. Like most modular malware, it can install modules that perform functionality like running system commands, taking screenshots, and fingerprinting the system. It then sends this information back to the attacker-controlled C2 server. | a487b5f266a5abdca7ebd94c878605ca | fe7b30e03eb8594a719c667fff0da120c7f2b1de a487b5f266a5abdca7ebd94c878605ca 956eae6395ed5e1b2d49ffa08ff85b42d1fc210531ab9c48c2d76e6ee38c9781 https://www.proofpoint.com/us/threat-insight/post/new-modular-downloaders-fingerprint-systems-part-2-advisorsbot |
M18-jce01 | Roaming | Android | This strike sends a malware sample known as Roaming Mantis. This sample uses DNS hijacking to infect Android mobile devices. Originally the malware was located in Asia, but it has since spread geographically, with landing pages and APK files supporting 27 languages across Europe and Middle Eastern countries. | 36b2609a98aa39c730c2f5b49097d0ad | 4fa838a4c72042f752e40c7ca7dace252abb67b4 36b2609a98aa39c730c2f5b49097d0ad cb93528b0f5465d9402ab0530f4e325693f5c189794d2b5466f85d3703f7e861 https://securelist.com/roaming-mantis-dabbles-in-mining-and-phishing-multilingually/85607/ |
M18-yei02 | NOKKI_73be3dd1 | Windows | This strike sends a malware sample known as NOKKI. This malware establishes persistence on the victim machine. It then establishes a connection to a C2 server. It will collect information from the target machine, and can drop and execute various payloads as well. | 73be3dd11a9cb73483d22cf3cb5022e1 | 7a7840893327535a3b54461051d40e0c7a595a58 73be3dd11a9cb73483d22cf3cb5022e1 fd673703c502be907919a4ff2922b7b969d96d206abc572a5cb83e69ab32ca18 |
M18-zwb01 | Roaming | Android | This strike sends a malware sample known as Roaming Mantis. This sample uses DNS hijacking to infect Android mobile devices. Originally the malware was located in Asia, but it has since spread geographically, with landing pages and APK files supporting 27 languages across Europe and Middle Eastern countries. | 03108e7f426416b0eaca9132f082d568 | e2af0ce5ed66cd81a403f6d0a8db1ac3f418f6e8 03108e7f426416b0eaca9132f082d568 6f20f227f79debfdae32233b59f4dc15c7faf05036b21e8cd46b24ebc52f0bf8 https://securelist.com/roaming-mantis-dabbles-in-mining-and-phishing-multilingually/85607/ |
M18-niw01 | Roaming | Android | This strike sends a malware sample known as Roaming Mantis. This sample uses DNS hijacking to infect Android mobile devices. Originally the malware was located in Asia, but it has since spread geographically, with landing pages and APK files supporting 27 languages across Europe and Middle Eastern countries. | 307d2780185ba2b8c5ad4c9256407504 | abd6c061f19b457517301238c3207fdcbb11e1af 307d2780185ba2b8c5ad4c9256407504 e86995febce96d9db7d4963ad4ca4b974ba614e25213850757323d0e4abbb803 https://securelist.com/roaming-mantis-dabbles-in-mining-and-phishing-multilingually/85607/ |
M18-v3m01 | Roaming | Android | This strike sends a malware sample known as Roaming Mantis. This sample uses DNS hijacking to infect Android mobile devices. Originally the malware was located in Asia, but it has since spread geographically, with landing pages and APK files supporting 27 languages across Europe and Middle Eastern countries. | 3e01b64fb9fe9605fee7c07e42907a3b | 36ea37c47fa27c1a7419fb4367cdf2b071182d25 3e01b64fb9fe9605fee7c07e42907a3b 034fab67fb4d351b524975c75794c8406f1f35d17ca969513d03d9748402d7ab https://securelist.com/roaming-mantis-dabbles-in-mining-and-phishing-multilingually/85607/ |
M18-t8501 | Roaming | Android | This strike sends a malware sample known as Roaming Mantis. This sample uses DNS hijacking to infect Android mobile devices. Originally the malware was located in Asia, but it has since spread geographically, with landing pages and APK files supporting 27 languages across Europe and Middle Eastern countries. | cc1e4d3af5698feb36878df0233ab14a | 8da871d717417704aadc4cfe32e2503cb526503b cc1e4d3af5698feb36878df0233ab14a 537843714adaa141c2a084041a7f373ecab20d75f63dc7dc522bb59b98c1f630 https://securelist.com/roaming-mantis-dabbles-in-mining-and-phishing-multilingually/85607/ |
M18-qpo01 | AdvisorsBot_148166c4 | Mixed | This strike sends a malware sample known as AdvisorsBot. AdvisorsBot is a modular downloader malware that was originally seen in the wild targeting hotels, restaurants and telecommunications. The malware employs many anti-analysis features to slow the investigation process. Like most modular malware, it can install modules that perform functionality like running system commands, taking screenshots, and fingerprinting the system. It then sends this information back to the attacker-controlled C2 server. | 148166c4423934a72db2eb5d88c99483 | cd7a9e52e101b8a304a5eb767a18022f81c1c691 148166c4423934a72db2eb5d88c99483 1eb1ef64a9b41267e362597e071e181acb86b50e708ede4a9448689da7fb2425 https://www.proofpoint.com/us/threat-insight/post/new-modular-downloaders-fingerprint-systems-part-2-advisorsbot |
M18-c8101 | NOKKI_27a7d46b | Windows | This strike sends a malware sample known as NOKKI. This malware establishes persistence on the victim machine. It then establishes a connection to a C2 server. It will collect information from the target machine, and can drop and execute various payloads as well. | 27a7d46b76379ab025b5166905379e4f | 87d0dc7d69e79855c7f65164b7bac49c62b09f89 27a7d46b76379ab025b5166905379e4f d211815177ce4b9fd2d3c258d2fc6282c23b8458d71f8f6f0df06a9dda89c12f |
M18-3rj01 | GreyEnergy_16bb9def | Windows | This strike sends a malware sample known as GreyEnergy. This sample is part of the GreyEnergy malware family that drops a lightweight first-stage backdoor to compromise the victim. Attackers then map the network and collect passwords to elevate their privileges. This malware also tries to employ stealthy C2 communication by getting the internal servers to proxy C2 requests from nodes inside the network to an external C2 server. | 16bb9def4fabfa2ccb3efc1ca5bfc2fa | 0b5d24e6520b8d6547526fcbfc5768ec5ad19314 16bb9def4fabfa2ccb3efc1ca5bfc2fa 0db5e5b68dc4b8089197de9c1e345056f45c006b7b487f7d8d57b49ae385bad0 https://www.welivesecurity.com/2018/10/17/greyenergy-updated-arsenal-dangerous-threat-actors/ https://www.welivesecurity.com/wp-content/uploads/2018/10/ESET_GreyEnergy.pdf |
M18-3sk01 | Roaming | Android | This strike sends a malware sample known as Roaming Mantis. This sample uses DNS hijacking to infect Android mobile devices. Originally the malware was located in Asia, but it has since spread geographically, with landing pages and APK files supporting 27 languages across Europe and Middle Eastern countries. | 1b984d8cb76297efa911a3c49805432e | 9b571558d73df65cc73a169e6be641fad0c456a0 1b984d8cb76297efa911a3c49805432e 9deb2e7f95d73656bd25fe769179e36939f8c18439c8713da27f2e0b356d50cc https://securelist.com/roaming-mantis-dabbles-in-mining-and-phishing-multilingually/85607/ |
M18-ybs01 | AdvisorsBot_4d747171 | Windows | This strike sends a malware sample known as AdvisorsBot. AdvisorsBot is a modular downloader malware that was originally seen in the wild targeting hotels, restaurants and telecommunications. The malware employs many anti-analysis features to slow the investigation process. Like most modular malware, it can install modules that perform functionality like running system commands, taking screenshots, and fingerprinting the system. It then sends this information back to the attacker-controlled C2 server. | 4d7471711185364b8d9c8a19bc6ff3d8 | ea29bb4405bbba69cdd46c2302fcf7f21dbb9288 4d7471711185364b8d9c8a19bc6ff3d8 9dd12d3a32d2ba133bac8747f872f649b389a9cf3f4baaa9fad69a43d2e4f982 https://www.proofpoint.com/us/threat-insight/post/new-modular-downloaders-fingerprint-systems-part-2-advisorsbot |
M18-9jg01 | Roaming | Android | This strike sends a malware sample known as Roaming Mantis. This sample uses DNS hijacking to infect Android mobile devices. Originally the malware was located in Asia, but it has since spread geographically, with landing pages and APK files supporting 27 languages across Europe and Middle Eastern countries. | 3ba4882dbf2dd6bd4fc0f54ec1373f4c | 2f404a2fc02a05430120f1a24032290820bf9f32 3ba4882dbf2dd6bd4fc0f54ec1373f4c f51084698b9c8f847ae21d443dc709e5edd2033e7b1065ab5d72a0487cd9df67 https://securelist.com/roaming-mantis-dabbles-in-mining-and-phishing-multilingually/85607/ |
M18-cvs01 | Roaming | Android | This strike sends a malware sample known as Roaming Mantis. This sample uses DNS hijacking to infect Android mobile devices. Originally the malware was located in Asia, but it has since spread geographically, with landing pages and APK files supporting 27 languages across Europe and Middle Eastern countries. | 57abbe642b85fa00b1f76f62acad4d3b | be87ba65ae0c699735a821d45533d1827da2f94d 57abbe642b85fa00b1f76f62acad4d3b 00678c811a7b53c8b69cfffe9997a30d831bce50f69ae1dbdcfc635ef176bc89 https://securelist.com/roaming-mantis-dabbles-in-mining-and-phishing-multilingually/85607/ |
M18-ye601 | Roaming | Android | This strike sends a malware sample known as Roaming Mantis. This sample uses DNS hijacking to infect Android mobile devices. Originally the malware was located in Asia, but it has since spread geographically, with landing pages and APK files supporting 27 languages across Europe and Middle Eastern countries. | bd90279ad5c5a813bc34c06093665e55 | 884ee61b14a6b81abb99d26965731009cd2fd8da bd90279ad5c5a813bc34c06093665e55 b125ea78fb390950893d146a51f513440314be7648207b59e5d0a1752740f273 https://securelist.com/roaming-mantis-dabbles-in-mining-and-phishing-multilingually/85607/ |
M18-tbb01 | NOKKI_04d3b08d | Windows | This strike sends a malware sample known as NOKKI. This malware establishes persistence on the victim machine. It then establishes a connection to a C2 server. It will collect information from the target machine, and can drop and execute various payloads as well. | 04d3b08d48bcd7a46e32a70b457c419c | 3e0cc823edd8302bddb1ccdd4bf75dfab53763e8 04d3b08d48bcd7a46e32a70b457c419c dce53e59b0c48e269dadc766a78667a14f11b72c49f57d95abde62c84ac8d7ae |
M18-qdq01 | AdvisorsBot_a4f80119 | Mixed | This strike sends a malware sample known as AdvisorsBot. AdvisorsBot is a modular downloader malware that was originally seen in the wild targeting hotels, restaurants and telecommunications. The malware employs many anti-analysis features to slow the investigation process. Like most modular malware, it can install modules that perform functionality like running system commands, taking screenshots, and fingerprinting the system. It then sends this information back to the attacker-controlled C2 server. | a4f80119e61fa5fd0332079466dfb8a8 | 895a0dfcc96ff5d513f07da43a0f5e721499d8ff a4f80119e61fa5fd0332079466dfb8a8 fdf5072b904ba9148d8b98e4ba01987e644449e2b10f033ca4d2f967dc502a58 https://www.proofpoint.com/us/threat-insight/post/new-modular-downloaders-fingerprint-systems-part-2-advisorsbot |
M18-cqa02 | Roaming | Android | This strike sends a malware sample known as Roaming Mantis. This sample uses DNS hijacking to infect Android mobile devices. Originally the malware was located in Asia, but it has since spread geographically, with landing pages and APK files supporting 27 languages across Europe and Middle Eastern countries. | 7714321baf6a54b09baa6a777b9742ef | 9215e8ac473dbd61b1e1c684d377a031f19b1fa8 7714321baf6a54b09baa6a777b9742ef 08327910f05f30e68f20c2a701a2f36459f31a919effdaf907747fb1237bf437 https://securelist.com/roaming-mantis-dabbles-in-mining-and-phishing-multilingually/85607/ |
M18-f6e01 | ChachaDDos_c3b5f4a7 | Linux | This strike sends a malware sample known as ChachaDDos. This malware establishes persistence during the first stage by adding itself to dhcprenew. Once this service is enabled, it downloads and decrypts the second-stage binary. Finally, the malware performs the DDoS functionality through a TCP SYN attack. | c3b5f4a742557772fad593412352b014 | 334ad99a11a0c9dd29171a81821be7e3f3848305 c3b5f4a742557772fad593412352b014 8317367e18ffb58dda665c5ff31bcdb679f4c2968b0acd094bb2bf4441e5e2e5 https://www.welivesecurity.com/2018/10/18/new-linux-chachaddos-malware-distributed-servers-vestacp-installed/ |
M18-rid01 | CobInt_61619907 | Windows | This strike sends a malware sample known as CobInt. This sample has been associated with the CobInt downloader malware. The malware is modular and contains three stages: the initial downloader, the main component itself, and various additional modules that are often associated with modular malware functionality. | 616199072a11d95373b3c38626ad4c93 | 57201d6d3a8b1585f5855e7d3927542c281b1494 616199072a11d95373b3c38626ad4c93 2f7b5219193541ae993f5cf87a1f6c07705aaa907354a6292bc5c8d8585e8bd1 https://www.proofpoint.com/us/threat-insight/post/new-modular-downloaders-fingerprint-systems-part-3-cobint |
M18-7qj01 | Marap_744e0a9c | Mixed | This strike sends a malware sample known as Marap. Marap is a modular downloader malware with a focus on downloading other modules and payloads. It has the ability to add functionality to itself over time due to its modular nature. For example, it downloads a system fingerprinting module to allow the attacker to perform reconnaissance on the targeted machine. | 744e0a9c568456cfaed7aa72b6b4ca6b | a534b7a3cd26ffa9df62cdbbb9f4edc230f44765 744e0a9c568456cfaed7aa72b6b4ca6b a6a31f6b6ac73131a792daa255df88d71ba8c467abfa2a5580221a694c96c2cc https://www.proofpoint.com/us/threat-insight/post/new-modular-downloaders-fingerprint-systems-prepare-more-part-1-marap |
M18-bgu01 | GreyEnergy_7552b4c6 | Windows | This strike sends a malware sample known as GreyEnergy. This sample is part of the GreyEnergy malware family that drops a lightweight first-stage backdoor to compromise the victim. Attackers then map the network and collect passwords to elevate their privileges. This malware also tries to employ stealthy C2 communication by getting the internal servers to proxy C2 requests from nodes inside the network to an external C2 server. | 7552b4c677048caeb0112d9b8225459b | 3cbdc146441e4858a1de47df0b4b795c4b0c2862 7552b4c677048caeb0112d9b8225459b 4470e40f63443aa27187a36bbb0c2f4def42b589b61433630df842b6e365ae3d https://www.welivesecurity.com/2018/10/17/greyenergy-updated-arsenal-dangerous-threat-actors/ https://www.welivesecurity.com/wp-content/uploads/2018/10/ESET_GreyEnergy.pdf |
M18-utd01 | Ryuk_cb0c1248 | Windows | This strike sends a malware sample known as Ryuk. This sample is a highly targeted ransomware attack that has infected numerous organizations worldwide. The malware performs extensive network mapping and hacking. Because the attack is targeted, credential collection is required and takes place in advance. | cb0c1248d3899358a375888bb4e8f3fe | b72e75e9e901a44b655a5cf89cf0eadcaff46037 cb0c1248d3899358a375888bb4e8f3fe 1455091954ecf9ccd6fe60cb8e982d9cfb4b3dc8414443ccfdfc444079829d56 https://research.checkpoint.com/ryuk-ransomware-targeted-campaign-break/ |
M18-a8g01 | NOKKI_62a20f39 | Windows | This strike sends a malware sample known as NOKKI. This malware establishes persistence on the victim machine. It then establishes a connection to a C2 server. It will collect information from the target machine, and can drop and execute various payloads as well. | 62a20f3938af51bab9d64ad49f8864fa | 24f5ad95ad8e26d6b643333083646b25820541ee 62a20f3938af51bab9d64ad49f8864fa 0657f788e89a437a1e6fe2630c19436736aa55dcf255540698864a7576192611 |
M18-wnv01 | CobInt_ec9d45b6 | Windows | This strike sends a malware sample known as CobInt. This sample has been associated with the CobInt downloader malware. The malware is modular and contains three stages the initial downloader, the main component itself, and various additional modules that are often associated with modular malware functionality. | ec9d45b695f98bfbf3b7cdc1dc02f83d | 068c562c764685ee3df900c39efc07e901dc89fc ec9d45b695f98bfbf3b7cdc1dc02f83d 1fc24f89f1d27addd422c99a163cedc97497b76b5240da3b5f58096025bbe383 https://www.proofpoint.com/us/threat-insight/post/new-modular-downloaders-fingerprint-systems-part-3-cobint |
M18-cqj01 | CobInt_a3b705ce | Mixed | This strike sends a malware sample known as CobInt. This sample has been associated with the CobInt downloader malware. The malware is modular and contains three stages: the initial downloader, the main component itself, and various additional modules that provide the functionality typically associated with modular malware. | a3b705ce3d677361a7a9b2b0bdf04a04 | f3eb833f53dac1cc98b3b411c6d9fd66603cec02 a3b705ce3d677361a7a9b2b0bdf04a04 0367554ce285a3622eb5ca1991cfcb98b620d0609c07cf681d9546e2bf1761c4 https://www.proofpoint.com/us/threat-insight/post/new-modular-downloaders-fingerprint-systems-part-3-cobint |
M18-vig01 | Roaming | Android | This strike sends a malware sample known as Roaming Mantis. This sample uses DNS hijacking to infect Android mobile devices. Originally the malware was located in Asia, but it has since spread geographically, with landing pages and APK files supporting 27 languages across Europe and the Middle East. | 34efc3ebf51a6511c0d12cce7592db73 | 5f657a60d5ad9bbf01acc49f2242ec7348065f21 34efc3ebf51a6511c0d12cce7592db73 b623da28673a1934bd61dea94a88c37e5fbe9999ed3d6ba311176d65f64c4a4d https://securelist.com/roaming-mantis-dabbles-in-mining-and-phishing-multilingually/85607/ |
M18-fa201 | Roaming | Android | This strike sends a malware sample known as Roaming Mantis. This sample uses DNS hijacking to infect Android mobile devices. Originally the malware was located in Asia, but it has since spread geographically, with landing pages and APK files supporting 27 languages across Europe and the Middle East. | ff163a92f2622f2b8330a5730d3d636c | 85e968fdf17fa9850879114090121e9d9a676934 ff163a92f2622f2b8330a5730d3d636c aa183fda57fde0137ab931f3729215956e6f9ee158d90ed82151948f70db841b https://securelist.com/roaming-mantis-dabbles-in-mining-and-phishing-multilingually/85607/ |
M18-bs901 | ChachaDDos_b81ee6fa | Linux | This strike sends a malware sample known as ChachaDDos. This malware establishes persistence during the first stage by adding itself to dhcprenew. Once this service is enabled, it downloads and decrypts the second-stage binary. Finally, the malware performs its DDoS functionality through a TCP SYN attack. | b81ee6fa0d906f44c5567a25e126d26f | bd5d0093bba318a77fd4e24b34ced85348e43960 b81ee6fa0d906f44c5567a25e126d26f b2a2a3a9c99f45096ee4b08be3f8f0a17cfed33e8384052bb332ee4941fab9a5 https://www.welivesecurity.com/2018/10/18/new-linux-chachaddos-malware-distributed-servers-vestacp-installed/ |
M18-opq01 | GreyEnergy_e3a2c3a0 | Mixed | This strike sends a malware sample known as GreyEnergy. This sample is part of the GreyEnergy malware family that drops a lightweight first-stage backdoor to compromise the victim. Attackers then map the network and collect passwords to elevate their privileges. This malware also tries to employ stealthy C2 communication by getting the internal servers to proxy C2 requests from nodes inside the network to an external C2 server. | e3a2c3a025d1aee589026d09e2a0ca50 | 177af8f6e8d6f4952d13f88cdf1887cb7220a645 e3a2c3a025d1aee589026d09e2a0ca50 f50ee030224bf617ba71d88422c25d7e489571bc1aba9e65dc122a45122c9321 https://www.welivesecurity.com/2018/10/17/greyenergy-updated-arsenal-dangerous-threat-actors/ https://www.welivesecurity.com/wp-content/uploads/2018/10/ESET_GreyEnergy.pdf |
M18-r9y01 | Roaming | Android | This strike sends a malware sample known as Roaming Mantis. This sample uses DNS hijacking to infect Android mobile devices. Originally the malware was located in Asia, but it has since spread geographically, with landing pages and APK files supporting 27 languages across Europe and the Middle East. | 13c8dda30b866e84163f82b95008790a | 114b60e1b0ebd0960ce8a9a35e9bff02dd876754 13c8dda30b866e84163f82b95008790a 6973dbf328a589ac4ceac259231430c3dc66259d22bdfdc02d1b369dcf703aac https://securelist.com/roaming-mantis-dabbles-in-mining-and-phishing-multilingually/85607/ |
M18-3li01 | ChachaDDos_198b7540 | Linux | This strike sends a malware sample known as ChachaDDos. This malware establishes persistence during the first stage by adding itself to dhcprenew. Once this service is enabled, it downloads and decrypts the second-stage binary. Finally, the malware performs its DDoS functionality through a TCP SYN attack. | 198b75402448a731f11d076a44cf45ec | 0413f832d8161187172aef7a769586515f969479 198b75402448a731f11d076a44cf45ec b2c5518000921f3f6bd6b800b89ceb51d37359f83dbff2ca120e0cc9bfe52b9e https://www.welivesecurity.com/2018/10/18/new-linux-chachaddos-malware-distributed-servers-vestacp-installed/ |
M18-h8201 | AdvisorsBot_733d9102 | Windows | This strike sends a malware sample known as AdvisorsBot. AdvisorsBot is a modular downloader malware that was originally seen in the wild targeting hotels, restaurants, and telecommunications. The malware employs many anti-analysis features to slow the investigation process. Like most modular malware, it can install modules that perform functions such as running system commands, taking screenshots, and fingerprinting the system. It then sends this information back to the attacker-controlled C2 server. | 733d9102c99787ecef25db845df14d21 | 5624ade8e168052fe90f9856c7306c1a9dc52b9e 733d9102c99787ecef25db845df14d21 c659b00a65a574a08fff64662581a8ecae7eafa38850a6c7c19b88c2085a1c03 https://www.proofpoint.com/us/threat-insight/post/new-modular-downloaders-fingerprint-systems-part-2-advisorsbot |
M18-qys01 | Roaming | Android | This strike sends a malware sample known as Roaming Mantis. This sample uses DNS hijacking to infect Android mobile devices. Originally the malware was located in Asia, but it has since spread geographically, with landing pages and APK files supporting 27 languages across Europe and the Middle East. | b43335b043212355619fd827b01be9a0 | 4081d97e42386d8a9d28c073ad7ed9337e783543 b43335b043212355619fd827b01be9a0 bcb34ee2d1e1083bfbb5062fc8f10de6eece0904c853821f0e8d39086bc31503 https://securelist.com/roaming-mantis-dabbles-in-mining-and-phishing-multilingually/85607/ |
M18-9rs01 | T9000_fb1e8c42 | Mixed | This strike sends a malware sample known as T9000. This sample has been associated with the malware backdoor T9000. T9000 is a modular malware that was initially dropped via an RTF document containing either CVE-2012-1856 or CVE-2015-1641 exploits. It includes capabilities such as capturing encrypted data, taking screenshots, and evading security products. The purpose of this malware is to steal information from the targeted machine and send relevant critical files to the attacker. | fb1e8c42d11e3a2de97814e451ee3375 | 2552c92922e2391246e761dcfc1e4b930fc4ae2f fb1e8c42d11e3a2de97814e451ee3375 d5fa43be20aa94baf1737289c5034e2235f1393890fb6f4e8d4104565be52d8c https://researchcenter.paloaltonetworks.com/2016/02/t9000-advanced-modular-backdoor-uses-complex-anti-analysis-techniques/ |
M18-2d301 | KONNI_834d3b0c | Mixed | This strike sends a malware sample known as KONNI. This sample is a Remote Access Trojan that has many capabilities like taking screen shots, finding and executing files, and uploading files to a C2 server. | 834d3b0ce76b3f62ff87b7d6f2f9cc9b | 7a4c3bdcc2b7da50994b4c8ed1dc33512344868f 834d3b0ce76b3f62ff87b7d6f2f9cc9b df2ea575168063c53454b5f07f2741d728276309049a5b8906948cbc653fea71 https://www.fortinet.com/blog/threat-research/a-quick-look-at-a-new-konni-rat-variant.html |
M18-o9v01 | CobInt_bf97e090 | Windows | This strike sends a malware sample known as CobInt. This sample has been associated with the CobInt downloader malware. The malware is modular and contains three stages: the initial downloader, the main component itself, and various additional modules that provide the functionality typically associated with modular malware. | bf97e09016e5e6a65968933f94d10a1d | e0bf3066f06fef0cc7aff20b6dc3655a40354e64 bf97e09016e5e6a65968933f94d10a1d 8263e0db727be2660f66e2e692b671996c334400d83e94fc0355ec0949dce05c https://www.proofpoint.com/us/threat-insight/post/new-modular-downloaders-fingerprint-systems-part-3-cobint |
M18-t1m01 | GreyEnergy_7a7103a5 | Windows | This strike sends a malware sample known as GreyEnergy. This sample is part of the GreyEnergy malware family that drops a lightweight first-stage backdoor to compromise the victim. Attackers then map the network and collect passwords to elevate their privileges. This malware also tries to employ stealthy C2 communication by getting the internal servers to proxy C2 requests from nodes inside the network to an external C2 server. | 7a7103a5fc1cf7c4b6eef1a6935554b7 | 94f445b65bf9a0ab134fad2aaad70779eafd9288 7a7103a5fc1cf7c4b6eef1a6935554b7 6c52a5850a57bea43a0a52ff0e2d2179653b97ae5406e884aee63e1cf340f58b https://www.welivesecurity.com/2018/10/17/greyenergy-updated-arsenal-dangerous-threat-actors/ https://www.welivesecurity.com/wp-content/uploads/2018/10/ESET_GreyEnergy.pdf |
M18-33s01 | GreyEnergy_73676711 | Windows | This strike sends a malware sample known as GreyEnergy. This sample is part of the GreyEnergy malware family that drops a lightweight first-stage backdoor to compromise the victim. Attackers then map the network and collect passwords to elevate their privileges. This malware also tries to employ stealthy C2 communication by getting the internal servers to proxy C2 requests from nodes inside the network to an external C2 server. | 73676711f838906a9a64e6528e0481f6 | 51309371673acd310f327a10476f707eb914e255 73676711f838906a9a64e6528e0481f6 d4e97a18be820a1a3af639c9bca21c5f85a3f49a37275b37fd012faeffcb7c4a https://www.welivesecurity.com/2018/10/17/greyenergy-updated-arsenal-dangerous-threat-actors/ https://www.welivesecurity.com/wp-content/uploads/2018/10/ESET_GreyEnergy.pdf |
M18-op701 | Roaming | Android | This strike sends a malware sample known as Roaming Mantis. This sample uses DNS hijacking to infect Android mobile devices. Originally the malware was located in Asia, but it has since spread geographically, with landing pages and APK files supporting 27 languages across Europe and the Middle East. | 2a1da7e17edaefc0468dbf25a0f60390 | b942e3e6fe7634e3fdbbef1399e493338c6ef8dd 2a1da7e17edaefc0468dbf25a0f60390 4cfeb0169a27990ef25ea453ec31268f7885e025783898e97543cb98e2e26121 https://securelist.com/roaming-mantis-dabbles-in-mining-and-phishing-multilingually/85607/ |
M18-bjq01 | GreyEnergy_6ede63d6 | Windows | This strike sends a malware sample known as GreyEnergy. This sample is part of the GreyEnergy malware family that drops a lightweight first-stage backdoor to compromise the victim. Attackers then map the network and collect passwords to elevate their privileges. This malware also tries to employ stealthy C2 communication by getting the internal servers to proxy C2 requests from nodes inside the network to an external C2 server. | 6ede63d6f216affbb57a26200fd31608 | 62e00701f62971311ef8e57f33f6a3ba8ed28bf7 6ede63d6f216affbb57a26200fd31608 b602ce32b7647705d68aedbaaf4485f1a68253f8f8132bd5d5f77284a6c2d8bb https://www.welivesecurity.com/2018/10/17/greyenergy-updated-arsenal-dangerous-threat-actors/ https://www.welivesecurity.com/wp-content/uploads/2018/10/ESET_GreyEnergy.pdf |
M18-p3o01 | Roaming | Android | This strike sends a malware sample known as Roaming Mantis. This sample uses DNS hijacking to infect Android mobile devices. Originally the malware was located in Asia, but it has since spread geographically, with landing pages and APK files supporting 27 languages across Europe and the Middle East. | 6116dc0a59e4859a32caddaefda4dbf4 | ec972c1c92ed0afd11baf11eadca75767c4d2c26 6116dc0a59e4859a32caddaefda4dbf4 5b8b8336b2261371553c7f9e5fe7ebf49ca0d60a1962eb65b61ae02670e9e1da https://securelist.com/roaming-mantis-dabbles-in-mining-and-phishing-multilingually/85607/ |
M18-02w02 | Ryuk_958c5949 | Windows | This strike sends a malware sample known as Ryuk. This sample is a highly targeted ransomware attack that has infected numerous organizations worldwide. The malware performs extensive network mapping and hacking. Because it is targeted, credential collection is required and takes place in advance. | 958c594909933d4c82e93c22850194aa | d7c5fa9df1c79a7d0c178d0b7a2fe6d104d35278 958c594909933d4c82e93c22850194aa b8e463789a076b16a90d1aae73cea9d3880ac0ead1fd16587b8cd79e37a1a3d8 https://research.checkpoint.com/ryuk-ransomware-targeted-campaign-break/ |
M18-1d801 | NOKKI_a64a023f | Windows | This strike sends a malware sample known as NOKKI. This malware establishes persistence on the victim machine. It then establishes a connection to a C2 server. It will collect information from the target machine, and can drop and execute various payloads as well. | a64a023f3fc62193699081b63753ff4f | c87c0222550a4694f0c3836c53a3ecbee680f05a a64a023f3fc62193699081b63753ff4f c07bea0928a35b9292eebab32563378d01d95434d098e5c7c076e94866a14212 |
M18-2w501 | Roaming | Android | This strike sends a malware sample known as Roaming Mantis. This sample uses DNS hijacking to infect Android mobile devices. Originally the malware was located in Asia, but it has since spread geographically, with landing pages and APK files supporting 27 languages across Europe and the Middle East. | bf5538df0688961ef6fccb5854883a20 | 60221ed2f3fb7cb25b73f2412d5452e551b6d0d7 bf5538df0688961ef6fccb5854883a20 5cdda0a2f871f3d17c875fe8311829db913eece93082b1d5858d5442007fc636 https://securelist.com/roaming-mantis-dabbles-in-mining-and-phishing-multilingually/85607/ |
M18-iu701 | ChachaDDos_10bd68a7 | Linux | This strike sends a malware sample known as ChachaDDos. This malware establishes persistence during the first stage by adding itself to dhcprenew. Once this service is enabled, it downloads and decrypts the second-stage binary. Finally, the malware performs its DDoS functionality through a TCP SYN attack. | 10bd68a7310b48a1129ee9e139188796 | 56ac7c2c89350924e55ea89a1d9119a42902596e 10bd68a7310b48a1129ee9e139188796 4d23b0365cc2c63e82c4990e31abe5e91462a2f241722773f2be5e5cc0ec1e52 https://www.welivesecurity.com/2018/10/18/new-linux-chachaddos-malware-distributed-servers-vestacp-installed/ |
M18-trg01 | NOKKI_69ff4cbd | Mixed | This strike sends a malware sample known as NOKKI. This malware establishes persistence on the victim machine. It then establishes a connection to a C2 server. It will collect information from the target machine, and can drop and execute various payloads as well. | 69ff4cbde674cb3d5d1ba16cf1be8dab | 03335660592b20b494956692cd4ca50d904e61f9 69ff4cbde674cb3d5d1ba16cf1be8dab d92c94423ec3d01ad584a74a38a2e817449648a4da3f12d345c611edc5c4cdbd |
M18-qlk01 | Roaming | Android | This strike sends a malware sample known as Roaming Mantis. This sample uses DNS hijacking to infect Android mobile devices. Originally the malware was located in Asia, but it has since spread geographically, with landing pages and APK files supporting 27 languages across Europe and the Middle East. | 6d5f6065ec4112f1581732206539e72e | 584f4edac4d171cea9be54e59244a219fb10aeb0 6d5f6065ec4112f1581732206539e72e b8686ab7946a626ed31e2fdbb631ec6dd8d3b8f6c2c8eae40e938e6788563f88 https://securelist.com/roaming-mantis-dabbles-in-mining-and-phishing-multilingually/85607/ |
M18-txe01 | CobInt_9270ac1e | Windows | This strike sends a malware sample known as CobInt. This sample has been associated with the CobInt downloader malware. The malware is modular and contains three stages: the initial downloader, the main component itself, and various additional modules that provide the functionality typically associated with modular malware. | 9270ac1e013a3b33c44666a66795d0c0 | 3c80c44d95cca6e94975e1c7b33281b2cdd3b9e5 9270ac1e013a3b33c44666a66795d0c0 dad7b4bfe0a1adc5ca04cd572f4e6979e64201d51d26472539c0241a76a50f28 https://www.proofpoint.com/us/threat-insight/post/new-modular-downloaders-fingerprint-systems-part-3-cobint |
M18-vnd02 | Ryuk_86c314bc | Windows | This strike sends a malware sample known as Ryuk. This sample is a highly targeted ransomware attack that has infected numerous organizations worldwide. The malware performs extensive network mapping and hacking. Because it is targeted, credential collection is required and takes place in advance. | 86c314bc2dc37ba84f7364acd5108c2b | ad20c6fac565f901c82a21b70f9739037eb54818 86c314bc2dc37ba84f7364acd5108c2b 9b86a50b36aea5cc4cb60573a3660cf799a9ec1f69a3d4572d3dc277361a0ad2 https://research.checkpoint.com/ryuk-ransomware-targeted-campaign-break/ |
M18-j1f01 | Roaming | Android | This strike sends a malware sample known as Roaming Mantis. This sample uses DNS hijacking to infect Android mobile devices. Originally the malware was located in Asia, but it has since spread geographically, with landing pages and APK files supporting 27 languages across Europe and the Middle East. | 6e1926d548ffac0f6cedfb4a4f49196e | fd1d8b3cfd7002986e26aa47a7fb7b1b69c438cb 6e1926d548ffac0f6cedfb4a4f49196e 9ef653326e0c5f7bbe84bf1d870d5c0ac7e6cc3ec857c5a76a3658c5599960cc https://securelist.com/roaming-mantis-dabbles-in-mining-and-phishing-multilingually/85607/ |
M18-qsh01 | Marap_47205fbb | Mixed | This strike sends a malware sample known as Marap. Marap is a modular downloader malware with a focus on downloading other modules and payloads. Due to its modular nature, it can add functionality to itself over time. For example, it downloads a system fingerprinting module that allows the attacker to perform reconnaissance on the targeted machine. | 47205fbbb191dbcab606007fd7612ba7 | b5806f9c13a41ff3991789a0320519156875efe2 47205fbbb191dbcab606007fd7612ba7 bea0276c51bd6dbccb64110a8655fd623cbb9ebf6e0105c57f62e53e209361b6 https://www.proofpoint.com/us/threat-insight/post/new-modular-downloaders-fingerprint-systems-prepare-more-part-1-marap |
M18-6ig01 | GreyEnergy_5f58059d | Windows | This strike sends a malware sample known as GreyEnergy. This sample is part of the GreyEnergy malware family that drops a lightweight first-stage backdoor to compromise the victim. Attackers then map the network and collect passwords to elevate their privileges. This malware also tries to employ stealthy C2 communication by getting the internal servers to proxy C2 requests from nodes inside the network to an external C2 server. | 5f58059d894e8aaf58b2da6be6f97aa8 | 455d9eb9e11aa9af9717e0260a70611ff84ef900 5f58059d894e8aaf58b2da6be6f97aa8 dcade5e14c26c19e935b13d5170d74f99e75d3e4dba443db1dab8bea78745584 https://www.welivesecurity.com/2018/10/17/greyenergy-updated-arsenal-dangerous-threat-actors/ https://www.welivesecurity.com/wp-content/uploads/2018/10/ESET_GreyEnergy.pdf |
M18-kmg01 | CobInt_61e3207a | Mixed | This strike sends a malware sample known as CobInt. This sample has been associated with the CobInt downloader malware. The malware is modular and contains three stages: the initial downloader, the main component itself, and various additional modules that provide the functionality typically associated with modular malware. | 61e3207a3ea674c2ae012f44f2f5618b | c565c95765c0493c2918ac0eff80f0a50284ac7b 61e3207a3ea674c2ae012f44f2f5618b 6ca3fc2924214dbf14ba63dde2edb1e5045a405c3370a624c1bb785f1dc0e8ff https://www.proofpoint.com/us/threat-insight/post/new-modular-downloaders-fingerprint-systems-part-3-cobint |
M18-4fb01 | Roaming | Android | This strike sends a malware sample known as Roaming Mantis. This sample uses DNS hijacking to infect Android mobile devices. Originally the malware was located in Asia, but it has since spread geographically, with landing pages and APK files supporting 27 languages across Europe and the Middle East. | 9f94c34aae5c7d50bc0997d043df032b | 4f26a05a51260e6299b29f99de70be152a5db592 9f94c34aae5c7d50bc0997d043df032b cf623ae9585d3faff1b800274066165c3d03971a727316f4ccd22018bed37e48 https://securelist.com/roaming-mantis-dabbles-in-mining-and-phishing-multilingually/85607/ |
M18-p4v01 | CobInt_a983d2ae | Mixed | This strike sends a malware sample known as CobInt. This sample has been associated with the CobInt downloader malware. The malware is modular and contains three stages: the initial downloader, the main component itself, and various additional modules that provide the functionality typically associated with modular malware. | a983d2ae308fc03f4548f4cab7d608b1 | 5827d71019f0570a432a2eec994a825e044f6e1d a983d2ae308fc03f4548f4cab7d608b1 9c0ddfcfb8d1e64332fa7420f690e65a6c4ecbeef6395f4c7645da51098962cc https://www.proofpoint.com/us/threat-insight/post/new-modular-downloaders-fingerprint-systems-part-3-cobint |
M18-4eg01 | NOKKI_dee3f76e | Windows | This strike sends a malware sample known as NOKKI. This malware establishes persistence on the victim machine. It then establishes a connection to a C2 server. It will collect information from the target machine, and can drop and execute various payloads as well. | dee3f76e4469f6ff00d1898db9abcbf3 | e0e5e375bc830aa19919b4f4f66c69726dde1c6e dee3f76e4469f6ff00d1898db9abcbf3 0d98ca35b29d2a9f7ca6908747c457ebdba999f0e83e182f770848e2335ade5b |
M18-j7701 | ChachaDDos_798bd416 | Linux | This strike sends a malware sample known as ChachaDDos. This malware establishes persistence during the first stage by adding itself to dhcprenew. Once this service is enabled, it downloads and decrypts the second-stage binary. Finally, the malware performs its DDoS functionality through a TCP SYN attack. | 798bd416bf6bdd51842a340d749cd487 | 0328fa49058e7c5a63b836026925385aac76b221 798bd416bf6bdd51842a340d749cd487 57078d489642e8b6e434a7b74a4393ef1178e5e2e17606807a759e8a42db6115 https://www.welivesecurity.com/2018/10/18/new-linux-chachaddos-malware-distributed-servers-vestacp-installed/ |
M18-zzd01 | Roaming | Android | This strike sends a malware sample known as Roaming Mantis. This sample uses DNS hijacking to infect Android mobile devices. Originally the malware was located in Asia, but it has since spread geographically, with landing pages and APK files supporting 27 languages across Europe and the Middle East. | b7afa4b2dafb57886fc47a1355824199 | 8f18958778f9fce9910732c34c599f2bae750695 b7afa4b2dafb57886fc47a1355824199 f57abe6a7d78d2fcac660d2ddaa5ac98dae214ff9b071dde3221b443c723341a https://securelist.com/roaming-mantis-dabbles-in-mining-and-phishing-multilingually/85607/ |
M18-vu701 | Roaming | Android | This strike sends a malware sample known as Roaming Mantis. This sample uses DNS hijacking to infect Android mobile devices. Originally the malware was located in Asia, but it has since spread geographically, with landing pages and APK files supporting 27 languages across Europe and the Middle East. | e56cccd689a9e354cb539bb069733a43 | b3f652b1f6cdc46275215e380ea7e41e165a98a6 e56cccd689a9e354cb539bb069733a43 e3be552101422f3a7ea6ae664c1ac3e5e8d58c186499ca277eb6748da6b6cece https://securelist.com/roaming-mantis-dabbles-in-mining-and-phishing-multilingually/85607/ |

Strike ID | Malware | Platform | Info | MD5 | External References |
---|---|---|---|---|---|
M18-nhv01 | Gozi_8bb3ba30 | Mixed | This strike sends a malware sample known as Gozi. Gozi is a popular banking malware that has been around since 2007 and was recently spotted by researchers in specific targeted campaigns. These are document samples related to the malware campaigns. | 8bb3ba30f2d004437b878829c54c84bf | 36bd8afb99dc238c2b90d61f43219be331714e5d 8bb3ba30f2d004437b878829c54c84bf d1509de315be40dac5807a016fd4c843abda063012d29732720db7087bb73f1b http://blog.talosintelligence.com/2018/03/gozi-isfb-remains-active-in-2018.html |
M18-pac01 | Neutrino_86e461c7 | Windows | This strike sends a malware sample known as Neutrino. Neutrino malware employs various sandbox evasion techniques. This variant of the Neutrino family targets point-of-sale terminals. | 86e461c77c398bf314605556bb03cd9d | d29cbf86f56d0cddab991028f941f05d49a2b1e3 86e461c77c398bf314605556bb03cd9d 3431065d2208123137714d2d432427d33cff576d202e1fc7ea2990b21847cce1 https://blog.talosintelligence.com/2018/04/threat-round-up-0406-0413.html |
M18-3xv01 | Fareit_d0f9b665 | Windows | This strike sends a malware sample known as Fareit. Fareit steals and harvests credentials from the targeted system. This information is then exfiltrated to a C2 server. | d0f9b66595164fd1c9dac24d60feeba3 | 637fd31d870fda81f19378df838bf639dcfd3492 d0f9b66595164fd1c9dac24d60feeba3 9c6def0cb6963372a10888e6f702d80381559a29db1da32ab149273b3d10ca34 https://blog.talosintelligence.com/2018/04/threat-round-up-0406-0413.html |
M18-9u101 | Gozi_402496b3 | Mixed | This strike sends a malware sample known as Gozi. Gozi is a popular banking malware that has been around since 2007 and was recently spotted by researchers in specific targeted campaigns. These are document samples related to the malware campaigns. | 402496b36984ba7d4f384e6d37f29e2f | bf781f9ca6bf84691af81afe2377f3e953dc6c98 402496b36984ba7d4f384e6d37f29e2f cce6c0a11c9c10efbe0b7b6f5d8ca6150886188dc748c1d372358bd4e62cc720 http://blog.talosintelligence.com/2018/03/gozi-isfb-remains-active-in-2018.html |
M18-cyo01 | Gozi_acdb52ba | Mixed | This strike sends a malware sample known as Gozi. Gozi is a popular banking malware that has been around since 2007 and was recently spotted by researchers in specific targeted campaigns. These are document samples related to the malware campaigns. | acdb52ba10e89aec5fe717f428636875 | df4bec2c8db28c8d5a9892c9b716825bb82ce467 acdb52ba10e89aec5fe717f428636875 d156e14065b5293a5511a027e6943399b3450a6b3ff74c50e31b3b7f4a1153f1 http://blog.talosintelligence.com/2018/03/gozi-isfb-remains-active-in-2018.html |
M18-qgx01 | Gozi_9e9019bf | Mixed | This strike sends a malware sample known as Gozi. Gozi is a popular banking malware that has been around since 2007 and was recently spotted by researchers in specific targeted campaigns. These are document samples related to the malware campaigns. | 9e9019bf73721932fae204e518434f9a | 615223858659a63d29e41606003fc2c099d24bf3 9e9019bf73721932fae204e518434f9a c4313ab89c3d94ab70185df327c664379490b263d47057543a5d7ab40e2ee588 http://blog.talosintelligence.com/2018/03/gozi-isfb-remains-active-in-2018.html |
M18-6ur01 | Fareit_4e70fdc8 | Windows | This strike sends a malware sample known as Fareit. Fareit steals and harvests credentials from the targeted system. This information is then exfiltrated to a C2 server. | 4e70fdc8daeb5407f94ae0fc08153a69 | 1bf33d2d59953981ceb693ae5a2c83f5050965e8 4e70fdc8daeb5407f94ae0fc08153a69 3ed671f4ea7e92ef0e0bf61e7bacc0b7a2a82ccea73a53e7cde66e3497a86520 https://blog.talosintelligence.com/2018/04/threat-round-up-0406-0413.html |
M18-11l01 | Gozi_046c3f9b | Mixed | This strike sends a malware sample known as Gozi. Gozi is a popular banking malware that has been around since 2007 and was recently spotted by researchers in specific targeted campaigns. These are document samples related to the malware campaigns. | 046c3f9b6ef9e9ea743428f2da359966 | a2c531dd0692088e1afdf22b9624335f2e72b930 046c3f9b6ef9e9ea743428f2da359966 b41c8eb7d5907d0a13d03163cbb4114a2983c4dc00237aab00f1a632725c27a6 http://blog.talosintelligence.com/2018/03/gozi-isfb-remains-active-in-2018.html |
M18-35001 | Gozi_231d4f2c | Mixed | This strike sends a malware sample known as Gozi. Gozi is a popular banking malware that has been around since 2007 and was recently spotted by researchers in specific targeted campaigns. These are document samples related to the malware campaigns. | 231d4f2c7eb9b8af7915e3ca4d4c1d2b | 55e714a36a7922274733ffaf8ddbb9ff77787c22 231d4f2c7eb9b8af7915e3ca4d4c1d2b c273a69f39e66cf687f1d9089e7c21191f265c34c0dded99cefea57df8509c24 http://blog.talosintelligence.com/2018/03/gozi-isfb-remains-active-in-2018.html |
M18-joh01 | Startsurf_01cb31d2 | Windows | This strike sends a malware sample known as Startsurf. This sample is a trojan that gathers and steals personal information from its target. | 01cb31d2516e8a3e4d4340dd698809ad | db2c7e74092e6a4499fb8bfe53985850f2121c0b 01cb31d2516e8a3e4d4340dd698809ad 41bf7b4e4d7a87395cc8867e026ed9d586830420a70325a672d07ea9c1a351e0 https://blog.talosintelligence.com/2018/04/threat-round-up-0406-0413.html |
M18-axf01 | Gozi_0cacb65e | Mixed | This strike sends a malware sample known as Gozi. Gozi is a popular banking malware that has been around since 2007 and was recently spotted by researchers in specific targeted campaigns. These are document samples related to the malware campaigns. | 0cacb65ec9da1de3c40dc0415e3ebc12 | 0d2002f4b7132a675ed7513d8a076a621539b466 0cacb65ec9da1de3c40dc0415e3ebc12 cfd3c017a7e9a7a1a1e47a60bdbfde167899caae9da81e5854994a851d9927f4 http://blog.talosintelligence.com/2018/03/gozi-isfb-remains-active-in-2018.html |
M18-dbj01 | Startsurf_0b2e3b4b | Windows | This strike sends a malware sample known as Startsurf. This sample is a trojan that gathers and steals personal information from its target. | 0b2e3b4b0f7966745eab9308f9c7f563 | 1ec05f2f0fd5cadb5ebd4d85d50989f69ad08661 0b2e3b4b0f7966745eab9308f9c7f563 66af9dc27feb2b69729b82e4076dd699cc504c3c8dce943d2023c7bdeca00f2a https://blog.talosintelligence.com/2018/04/threat-round-up-0406-0413.html |
M18-ow601 | Gozi_32d09598 | Mixed | This strike sends a malware sample known as Gozi. Gozi is a popular banking malware that has been around since 2007 and was recently spotted by researchers in specific targeted campaigns. These are document samples related to the malware campaigns. | 32d095989392b0aa877729ca11e66e60 | 9c3774494d1a4550276d7507aa9e77409d302b1e 32d095989392b0aa877729ca11e66e60 ecb914fcb7ac970616768bf7ec7c8fdb27512fe0d1ae00980e6070b1226d95bb http://blog.talosintelligence.com/2018/03/gozi-isfb-remains-active-in-2018.html |
M18-63w01 | Carberp | Windows | This strike sends a malware sample known as Carberp variant D. This sample is variant D of the Carberp malware. It employs the Early Bird code injection technique to bypass antivirus software. | 29872933e896d0b77fb6a3613f583544 | 0d432597736f2789ed75419b374cbe96f1f89b1a 29872933e896d0b77fb6a3613f583544 a82c9123c12957ef853f22cbdf6656194956620d486a4b37f5d2767f8d33dc4d https://www.cyberbit.com/blog/endpoint-security/new-early-bird-code-injection-technique-discovered/ |
M18-b4j01 | Gozi_249a5fb9 | Mixed | This strike sends a malware sample known as Gozi. Gozi is a popular banking malware that has been around since 2007 and was recently spotted by researchers in specific targeted campaigns. These are document samples related to the malware campaigns. | 249a5fb9382f9b42fc5b09c14cfb469e | 2b3a9ad7772c5592c2ecb4380bada0ee52000b56 249a5fb9382f9b42fc5b09c14cfb469e bafb6b31625dac34208b40dfbd0d61632a0096e8eac5220e80c4b8225fcb5b61 http://blog.talosintelligence.com/2018/03/gozi-isfb-remains-active-in-2018.html |
M18-bcx01 | Early | Windows | This strike sends a malware sample known as Early Bird. This malware sample has been identified as using the Early Bird injection technique, which allows code to run before the entry point of the main process thread and bypasses antivirus software hooks. | 03e662753b2c4a05c40ad3525eeef903 | 084de9501d126b1ba152d4c52ebec53704a411fb 03e662753b2c4a05c40ad3525eeef903 165c6f0b229ef3c752bb727b4ea99d2b1f8074bbb45125fbd7d887cba44e5fa8 https://www.cyberbit.com/blog/endpoint-security/new-early-bird-code-injection-technique-discovered/ |
M18-q5e01 | Fareit_ee9803da | Windows | This strike sends a malware sample known as Fareit. Fareit steals and harvests credentials from the targeted system. This information is then exfiltrated to a C2 server. | ee9803dab96dba5f4acc1323d9dfc2c3 | b4d3075cf211fca5556a5ceb4e59672052860a43 ee9803dab96dba5f4acc1323d9dfc2c3 85d0021f75a2d312a27bc1c17702d09520006aff590d439a90d8045d2325a04e https://blog.talosintelligence.com/2018/04/threat-round-up-0406-0413.html |
M18-rb501 | Startsurf_0a2f5b36 | Windows | This strike sends a malware sample known as Startsurf. This sample is a trojan that gathers and steals personal information from its target. | 0a2f5b366536bf0d7c2d9bcf04ba0281 | e7ca93029ce7c3e83cfbf2f5ee97e0e813092c29 0a2f5b366536bf0d7c2d9bcf04ba0281 4696ddd4a7ed96a86a09413f14657c7e01053213f6f1f6008a3a3bbe4fe45229 https://blog.talosintelligence.com/2018/04/threat-round-up-0406-0413.html |
M18-et601 | Gozi_d16db9fc | Mixed | This strike sends a malware sample known as Gozi. Gozi is a popular banking malware that has been around since 2007 and was recently spotted by researchers in specific targeted campaigns. These are Document related samples that have been related to the malware campaigns. | d16db9fc78598014d0dda258c84377e4 | 38149c57f239b678c4a1ab44cda8639db576c7dc d16db9fc78598014d0dda258c84377e4 ca9d11fb8b3919443e066d8e91587c34191c3b273a0f884c48084df77263de55 http://blog.talosintelligence.com/2018/03/gozi-isfb-remains-active-in-2018.html |
M18-l7201 | Gozi_672104a5 | Mixed | This strike sends a malware sample known as Gozi. Gozi is a popular banking malware that has been around since 2007 and was recently spotted by researchers in specific targeted campaigns. These are Document related samples that have been related to the malware campaigns. | 672104a5544738f88e98ca2dcadf15b5 | c9dd0aa112ed4fda6fdfb13e9a7b17843ee58407 672104a5544738f88e98ca2dcadf15b5 e9f64d3adddf546b49d2281519c8ada60cfbb3abd6b66a6ba25992cd6627ad26 http://blog.talosintelligence.com/2018/03/gozi-isfb-remains-active-in-2018.html |
M18-axx01 | Gozi_3944464c | Mixed | This strike sends a malware sample known as Gozi. Gozi is a popular banking malware that has been around since 2007 and was recently spotted by researchers in specific targeted campaigns. These are Document related samples that have been related to the malware campaigns. | 3944464c989438ff54697b4e190c9b19 | e0c315a7c217cb7cace5f307e5e1ea4d3761f899 3944464c989438ff54697b4e190c9b19 e31f26fbb1265cef7403c4204fe2d47cf27617a6f9e166b2416cbffdafe34a28 http://blog.talosintelligence.com/2018/03/gozi-isfb-remains-active-in-2018.html |
M18-zju01 | Fareit_8d0fb621 | Windows | This strike sends a malware sample known as Fareit. Fareit steals and harvests credentials from the targeted system. This information is then exfiltrated to a C2 server. | 8d0fb621ee78ad8e35aa4965cbf4e475 | 9b3389de25b4f5248760ad9c520d4e52db0c0b9e 8d0fb621ee78ad8e35aa4965cbf4e475 ba0a2f6e001bc9c02ee8c5fbcd6cceaa74ced5ec058dfda71623146f06ff2490 https://blog.talosintelligence.com/2018/04/threat-round-up-0406-0413.html |
M18-vnp01 | Gozi_340f5747 | Mixed | This strike sends a malware sample known as Gozi. Gozi is a popular banking malware that has been around since 2007 and was recently spotted by researchers in specific targeted campaigns. These are document-related samples associated with the malware campaigns. | 340f57477a1e9b238ecc22ae4bb60b4f | c9d4dadcd7f6851d0a249274530ee09808f7b9c2 340f57477a1e9b238ecc22ae4bb60b4f ed16e269224b7daeb5fb8aa5194543c3b300d5e9e916f1c00e268747c676247c http://blog.talosintelligence.com/2018/03/gozi-isfb-remains-active-in-2018.html |
M18-jp401 | Gozi_847994b3 | Mixed | This strike sends a malware sample known as Gozi. Gozi is a popular banking malware that has been around since 2007 and was recently spotted by researchers in specific targeted campaigns. These are document-related samples associated with the malware campaigns. | 847994b3a270208c427f6a8584fe494d | 079cfe48c45f90318bb4c819b246957b7be10e1a 847994b3a270208c427f6a8584fe494d c0296ba94b4445a4e3be227a31d3ccba011ebb358e93224a5141f53e9f6ec832 http://blog.talosintelligence.com/2018/03/gozi-isfb-remains-active-in-2018.html |
M18-5jl01 | Gozi_6693e904 | Mixed | This strike sends a malware sample known as Gozi. Gozi is a popular banking malware that has been around since 2007 and was recently spotted by researchers in specific targeted campaigns. These are document-related samples associated with the malware campaigns. | 6693e904fdd23b36f443613cba5735a6 | 574c0bf112d0d15a6579652c01ca0c1c39d93424 6693e904fdd23b36f443613cba5735a6 e9fe7ebd22877358cc0f02c233faeaf4c40cf057a3c9fe5ba0a53ff3d9765f4b http://blog.talosintelligence.com/2018/03/gozi-isfb-remains-active-in-2018.html |
M18-mpg01 | Gozi_b7060ec2 | Mixed | This strike sends a malware sample known as Gozi. Gozi is a popular banking malware that has been around since 2007 and was recently spotted by researchers in specific targeted campaigns. These are document-related samples associated with the malware campaigns. | b7060ec29c4020b340be54997845187d | c46cbf8fb7b6066e4a9b2ffd6daf52eb1395e801 b7060ec29c4020b340be54997845187d ce53701bddcc24071c55b2b02c79508276b3c69444275f994c0fe690c63b8df8 http://blog.talosintelligence.com/2018/03/gozi-isfb-remains-active-in-2018.html |
M18-kx301 | Startsurf_05c9bafd | Windows | This strike sends a malware sample known as Startsurf. This sample is a trojan that gathers and steals personal information from its target. | 05c9bafd172cd4832bf57ac9bc7e37c9 | fcf95beedf57b54a8891eb8b1d91d9d9762e052b 05c9bafd172cd4832bf57ac9bc7e37c9 04ead5ee82c762a26e1dc0e6a8b21c54669c771cca0291b5d41282d2e73a7fc0 https://blog.talosintelligence.com/2018/04/threat-round-up-0406-0413.html |
M18-i9z01 | Gozi_00cf83ee | Mixed | This strike sends a malware sample known as Gozi. Gozi is a popular banking malware that has been around since 2007 and was recently spotted by researchers in specific targeted campaigns. These are document-related samples associated with the malware campaigns. | 00cf83ee91654990c031ce1b1de05435 | 696ae9e32c7cc085d62336d910abe45111280f66 00cf83ee91654990c031ce1b1de05435 baf4586c1fcdc32fa2ac1441df17591aa34f54d842ad596abd2cadfc190f02e9 http://blog.talosintelligence.com/2018/03/gozi-isfb-remains-active-in-2018.html |
M18-rhv01 | Gozi_2b9bead7 | Mixed | This strike sends a malware sample known as Gozi. Gozi is a popular banking malware that has been around since 2007 and was recently spotted by researchers in specific targeted campaigns. These are document-related samples associated with the malware campaigns. | 2b9bead7066d932743ca82e2e90e482a | 97b132de05a2ccca487bdc19ce10db493c18bba2 2b9bead7066d932743ca82e2e90e482a bb4eeb211e54b55d35f7b46ab85420e2ed033c0594f906aef7495430d30bb7f7 http://blog.talosintelligence.com/2018/03/gozi-isfb-remains-active-in-2018.html |
M18-uqw01 | Fareit_aa971830 | Windows | This strike sends a malware sample known as Fareit. Fareit steals and harvests credentials from the targeted system. This information is then exfiltrated to a C2 server. | aa971830a71ac5ed72a41008e817d68e | 545674151c18be26a234873cabd26836a0304aab aa971830a71ac5ed72a41008e817d68e a854a9702c14be3508d35873e80577ee9b1296c993ee2a4269c283884775564e https://blog.talosintelligence.com/2018/04/threat-round-up-0406-0413.html |
M18-2s901 | Gozi_63074bf4 | Mixed | This strike sends a malware sample known as Gozi. Gozi is a popular banking malware that has been around since 2007 and was recently spotted by researchers in specific targeted campaigns. These are document-related samples associated with the malware campaigns. | 63074bf458228184828d9938941dd12c | 81e9ad0bb72e459f2fd47c89cacd01c0efe3fb30 63074bf458228184828d9938941dd12c e4d735594547dc26fbb13846676cdaf387120da23756b4d5ae563da8a7609f3a http://blog.talosintelligence.com/2018/03/gozi-isfb-remains-active-in-2018.html |
M18-5rf01 | Gozi_1a292f55 | Mixed | This strike sends a malware sample known as Gozi. Gozi is a popular banking malware that has been around since 2007 and was recently spotted by researchers in specific targeted campaigns. These are document-related samples associated with the malware campaigns. | 1a292f55814ef9e1f70049df9334fb57 | 93ce5a6a664312b6486d000077fcdebe3fbddb9a 1a292f55814ef9e1f70049df9334fb57 d8f73e616842ea745a15959c217dd383dd41cd0f706035759d40e5ea1ffdacce http://blog.talosintelligence.com/2018/03/gozi-isfb-remains-active-in-2018.html |
M18-fqv02 | Neutrino_053e2d24 | Windows | This strike sends a malware sample known as Neutrino. Neutrino malware likes to employ various sandbox evasion techniques. This variant of the Neutrino family targets point of sale terminals. | 053e2d245b3192f430ee06c33865f531 | 120718cc4ca8df9dd7b11108e632bb7b0981f2ce 053e2d245b3192f430ee06c33865f531 174286f1a0bd66552237da989be39ef821b11fc6acccef5eabc00448991d1876 https://blog.talosintelligence.com/2018/04/threat-round-up-0406-0413.html |
M18-79501 | Startsurf_0236820e | Windows | This strike sends a malware sample known as Startsurf. This sample is a trojan that gathers and steals personal information from its target. | 0236820e0e54b9db96afebbee3719673 | ab279e125a2aa2cd86934da9f27d36184a01813f 0236820e0e54b9db96afebbee3719673 f1dbfaf0378434cd1758feaabe050171df1c234ddc6215df494c6592a9e92547 https://blog.talosintelligence.com/2018/04/threat-round-up-0406-0413.html |
M18-oft01 | Gozi_bf362810 | Mixed | This strike sends a malware sample known as Gozi. Gozi is a popular banking malware that has been around since 2007 and was recently spotted by researchers in specific targeted campaigns. These are document-related samples associated with the malware campaigns. | bf3628109b384926c0daf5ef34446282 | 03cb29686389c965dd0176c318ede853e547054a bf3628109b384926c0daf5ef34446282 b5a71e35a190c091720e643f0dedc09c07cd481f11cfb23866f2adecff8728be http://blog.talosintelligence.com/2018/03/gozi-isfb-remains-active-in-2018.html |
M18-6rt01 | Gozi_8a0ec9cd | Mixed | This strike sends a malware sample known as Gozi. Gozi is a popular banking malware that has been around since 2007 and was recently spotted by researchers in specific targeted campaigns. These are document-related samples associated with the malware campaigns. | 8a0ec9cd97b84b45be7c72601e625656 | 7e09feadb08692ae98f1d5c7effb0074acbfe93a 8a0ec9cd97b84b45be7c72601e625656 d4e793361db4e58aaf534f93b57e4ae5e2e53583caebede11522cb757e29696c http://blog.talosintelligence.com/2018/03/gozi-isfb-remains-active-in-2018.html |
M18-msg01 | Gozi_9ab3d830 | Mixed | This strike sends a malware sample known as Gozi. Gozi is a popular banking malware that has been around since 2007 and was recently spotted by researchers in specific targeted campaigns. These are document-related samples associated with the malware campaigns. | 9ab3d830514a2619ae98d4449cf08860 | 3b2974b7901f51dd935a0a606e7ce221565518d0 9ab3d830514a2619ae98d4449cf08860 b964569f2697dcb72fd36076744995eec99a35f056826b6aab2c929e908d48ba http://blog.talosintelligence.com/2018/03/gozi-isfb-remains-active-in-2018.html |
M18-uvv01 | Startsurf_05bef52c | Windows | This strike sends a malware sample known as Startsurf. This sample is a trojan that gathers and steals personal information from its target. | 05bef52c0d184f19d99d55e90aa2a40f | 052c2631b3af54323f2514827b1413084fdaa62f 05bef52c0d184f19d99d55e90aa2a40f bc782f40d16fd6574c1e84edd0728470f426a31d2ff94e4bbb87a19cf3992048 https://blog.talosintelligence.com/2018/04/threat-round-up-0406-0413.html |
M18-cve01 | Gozi_6d64c1e2 | Mixed | This strike sends a malware sample known as Gozi. Gozi is a popular banking malware that has been around since 2007 and was recently spotted by researchers in specific targeted campaigns. These are document-related samples associated with the malware campaigns. | 6d64c1e20c8953304a76f313f0e36e8e | a83d6c9f14f0e5104492498fb98e91096ec9b9a0 6d64c1e20c8953304a76f313f0e36e8e b82fd4927cc9347513227a8b8d0a206a4678461b16c3acb5f6add2e5d1f089dd http://blog.talosintelligence.com/2018/03/gozi-isfb-remains-active-in-2018.html |
M18-x0402 | Gozi_1a75be6c | Mixed | This strike sends a malware sample known as Gozi. Gozi is a popular banking malware that has been around since 2007 and was recently spotted by researchers in specific targeted campaigns. These are document-related samples associated with the malware campaigns. | 1a75be6c77ffedd2cde402495ddbe668 | b8a3f39c3f8e61b4ea3de7973b749ff470da162c 1a75be6c77ffedd2cde402495ddbe668 b4898ad9f1757bd6f127fd9a539f393004654608037ba94b3a62a81166fd1163 http://blog.talosintelligence.com/2018/03/gozi-isfb-remains-active-in-2018.html |
M18-y6y01 | Kwampirs | Windows | This strike sends a malware sample known as Kwampirs Dropper. Kwampirs is a Trojan horse that creates a back door on the victim machine. Once infected, it attempts to propagate itself within the target network, gather information, and provide the attacker with remote access. These samples act as droppers and have been identified in the wild as being deployed by the Orangeworm group in an attack campaign targeted against the healthcare sector. | fac94bc2dcfbef7c3b248927cb5abf6d | 20b7e624eaa2da04867a9229e9aca41f952917c0 fac94bc2dcfbef7c3b248927cb5abf6d 3e7181fd3e893e6b13cc40ed70afa549c8aaf37fe9bee22445b8bd912d7bc522 https://www.symantec.com/blogs/threat-intelligence/orangeworm-targets-healthcare-us-europe-asia |
M18-e7j01 | Neutrino_bdaf573f | Windows | This strike sends a malware sample known as Neutrino. Neutrino malware likes to employ various sandbox evasion techniques. This variant of the Neutrino family targets point of sale terminals. | bdaf573f5f56f4542196d69e9af17b60 | 0700816b242e950ca16e58e33f8c31d173b9371a bdaf573f5f56f4542196d69e9af17b60 973c024f2af38334bfe80a5c1fc2f96b2215397124ff08110e3c96aa986e7440 https://blog.talosintelligence.com/2018/04/threat-round-up-0406-0413.html |
M18-cvk01 | Gozi_edcb2629 | Mixed | This strike sends a malware sample known as Gozi. Gozi is a popular banking malware that has been around since 2007 and was recently spotted by researchers in specific targeted campaigns. These are document-related samples associated with the malware campaigns. | edcb262923c5d492034f6db5dba88cc5 | 49db9d14abe36ce23a24209eb3070038a6714e65 edcb262923c5d492034f6db5dba88cc5 e15200f16ce6d15b4405184bd6fb3889731ba3de306844f76913113e26146cf2 http://blog.talosintelligence.com/2018/03/gozi-isfb-remains-active-in-2018.html |
M18-uh501 | Gozi_4ddb841c | Mixed | This strike sends a malware sample known as Gozi. Gozi is a popular banking malware that has been around since 2007 and was recently spotted by researchers in specific targeted campaigns. These are document-related samples associated with the malware campaigns. | 4ddb841ce0b99075668e22674716c8d4 | d049a2c4cbdcf5f742b012fdd24e81078878d197 4ddb841ce0b99075668e22674716c8d4 e7d93e7f5cf85d8daa275fe73346930fe70233d553bd1d509cb7c2008abd3c7e http://blog.talosintelligence.com/2018/03/gozi-isfb-remains-active-in-2018.html |
M18-5bt01 | Neutrino_36661ea7 | Windows | This strike sends a malware sample known as Neutrino. Neutrino malware likes to employ various sandbox evasion techniques. This variant of the Neutrino family targets point of sale terminals. | 36661ea762fcfb7bfee99a90696c5caa | 16ec8afa964a524f40e4dcfd285415c299a3315d 36661ea762fcfb7bfee99a90696c5caa 4632c1023c0baaa1e227defd4923098c4f3c49317964ff1cb088b40b9df7a605 https://blog.talosintelligence.com/2018/04/threat-round-up-0406-0413.html |
M18-gyb01 | Fareit_4ef158b4 | Windows | This strike sends a malware sample known as Fareit. Fareit steals and harvests credentials from the targeted system. This information is then exfiltrated to a C2 server. | 4ef158b4573016629ad7e98ac8745bf6 | 8084b94e5dfab7e19e9f55c20f66db700af70949 4ef158b4573016629ad7e98ac8745bf6 b4abd9556f093b7d80bdc755d502917310a807d5ee9d9f9bac19bb0c8d596dbc https://blog.talosintelligence.com/2018/04/threat-round-up-0406-0413.html |
M18-dju01 | Upatre_015fd375 | Windows | This strike sends a malware sample known as Upatre. Upatre is a downloader used in exploit kits that retrieves a variety of malicious executables for the target to execute. | 015fd37556083555fe11ad6dd0a144e0 | 57fb04b626594b1ef374073a4c4f85dfd4dd4543 015fd37556083555fe11ad6dd0a144e0 79a50327843a8ccf58147971d1c86945f9a40cd0d4ee35084b8af26c9f5ab210 https://blog.talosintelligence.com/2018/04/threat-round-up-0406-0413.html |
M18-hw001 | Gozi_9d095bfe | Mixed | This strike sends a malware sample known as Gozi. Gozi is a popular banking malware that has been around since 2007 and was recently spotted by researchers in specific targeted campaigns. These are document-related samples associated with the malware campaigns. | 9d095bfe4e4de6a0ff97f683fb3355f1 | 13e758afee7ee7fabbdb5191a3b699508a91e388 9d095bfe4e4de6a0ff97f683fb3355f1 c39babff09e33d20d0d24c0ff68810aa593a22fd53f5da287991a7373446a8da http://blog.talosintelligence.com/2018/03/gozi-isfb-remains-active-in-2018.html |
M18-csm02 | Gozi_0afeecbc | Mixed | This strike sends a malware sample known as Gozi. Gozi is a popular banking malware that has been around since 2007 and was recently spotted by researchers in specific targeted campaigns. These are document-related samples associated with the malware campaigns. | 0afeecbcc47c0cf76c36e5b4c6412122 | a6a231c081b7bf58316b24aa9a43bb982962958d 0afeecbcc47c0cf76c36e5b4c6412122 caec6bb70c5c1ba33b2c0981e39b335177b3a31d9fedfd23e4c8194abdb3d6f1 http://blog.talosintelligence.com/2018/03/gozi-isfb-remains-active-in-2018.html |
M18-a6c01 | Neutrino_f361c249 | Windows | This strike sends a malware sample known as Neutrino. Neutrino malware likes to employ various sandbox evasion techniques. This variant of the Neutrino family targets point of sale terminals. | f361c249ee3d8f4e5aa365e7dc8eb1cb | 6f6eaee7ae811898f9e9bb30715ae3d8303c7687 f361c249ee3d8f4e5aa365e7dc8eb1cb b1d0bfdd95f168cea0df0e138ee627cb7feb0a26ac7a736baa031547bb6fb08d https://blog.talosintelligence.com/2018/04/threat-round-up-0406-0413.html |
M18-rgx01 | Early | Windows | This strike sends a malware sample known as Early Bird. This malware sample has been identified as using the Early Bird injection technique, which allows code to run before the entry point of the main process thread, bypassing antivirus software hooks. | 706630a77f06ef8fb90eb312fa2cbfe6 | 7b1a8cbd4a860bb14bcd690681fe856de2457d98 706630a77f06ef8fb90eb312fa2cbfe6 9173b5a1c2ca928dfa821fb1502470c7f13b66ac2a1638361fda141b4547b792 https://www.cyberbit.com/blog/endpoint-security/new-early-bird-code-injection-technique-discovered/ |
M18-6f001 | Gozi_051db7e1 | Mixed | This strike sends a malware sample known as Gozi. Gozi is a popular banking malware that has been around since 2007 and was recently spotted by researchers in specific targeted campaigns. These are document-related samples associated with the malware campaigns. | 051db7e12077819ba14e6ac0fb63102e | c5e582b4fda04883c2fead58c5876b30a83c04f8 051db7e12077819ba14e6ac0fb63102e b6cb8872c9c836932cc4d9fa84c217f8cdd2e840d5f1f34441d572aaccf6c844 http://blog.talosintelligence.com/2018/03/gozi-isfb-remains-active-in-2018.html |
M18-qld01 | Gozi_359745ea | Mixed | This strike sends a malware sample known as Gozi. Gozi is a popular banking malware that has been around since 2007 and was recently spotted by researchers in specific targeted campaigns. These are document-related samples associated with the malware campaigns. | 359745eae11ef65e0bf88700ea5b94aa | 63046f4fdbbd5dac4f06e146fbfcbe87ea0c464c 359745eae11ef65e0bf88700ea5b94aa cdd034e8c27dcaf9baad53fa038b5931f2aeb4f313980fd99b5eb7d615df3458 http://blog.talosintelligence.com/2018/03/gozi-isfb-remains-active-in-2018.html |
M18-exo01 | Neutrino_ab282b76 | Windows | This strike sends a malware sample known as Neutrino. Neutrino malware likes to employ various sandbox evasion techniques. This variant of the Neutrino family targets point of sale terminals. | ab282b76982e4d9dc477732a3aecd93a | 3ee8a12b2110b21ceffb54942a0b925bc5a44c26 ab282b76982e4d9dc477732a3aecd93a 2df889657dd28f91ea10c08d5a72cf890bf142a6fb4928520ecdefcf708cc2b5 https://blog.talosintelligence.com/2018/04/threat-round-up-0406-0413.html |
M18-10t01 | Fareit_0a72951f | Windows | This strike sends a malware sample known as Fareit. Fareit steals and harvests credentials from the targeted system. This information is then exfiltrated to a C2 server. | 0a72951f5e1ed79de9f470ba42cdd606 | 2be592e359a630f45b5a59b5953c1cbe9c7b3308 0a72951f5e1ed79de9f470ba42cdd606 7b24f0523af239668ee8946c433c53d0c233b0290bbaca405885d39dff86fa1f https://blog.talosintelligence.com/2018/04/threat-round-up-0406-0413.html |
M18-1uq01 | Startsurf_0f102fc1 | Windows | This strike sends a malware sample known as Startsurf. This sample is a trojan that gathers and steals personal information from its target. | 0f102fc1cc92f69ee36e08fcdd3e1968 | a0d18993251ae90c83bf97008cf08d35188a6714 0f102fc1cc92f69ee36e08fcdd3e1968 0863bf4a5476b5de02a15c3bdec1604c7d8ab7c8ca1c0546edf2f16a756e0d8f https://blog.talosintelligence.com/2018/04/threat-round-up-0406-0413.html |
M18-lyc01 | Gozi_be781592 | Mixed | This strike sends a malware sample known as Gozi. Gozi is a popular banking malware that has been around since 2007 and was recently spotted by researchers in specific targeted campaigns. These are document-related samples associated with the malware campaigns. | be781592db7b68fcc27aeefe5dbec8b1 | d4925c4922a8a989617812d58bac72dfb3e59212 be781592db7b68fcc27aeefe5dbec8b1 c1c6df93b8a8be0778e11214954017d9bf9971e30bef80a4c2031aadb2c63e3b http://blog.talosintelligence.com/2018/03/gozi-isfb-remains-active-in-2018.html |
M18-ku701 | Kwampirs | Windows | This strike sends a malware sample known as Kwampirs Dropper. Kwampirs is a Trojan horse that creates a back door on the victim machine. Once infected, it attempts to propagate itself within the target network, gather information, and provide the attacker with remote access. These samples act as droppers and have been identified in the wild as being deployed by the Orangeworm group in an attack campaign targeted against the healthcare sector. | 6277e675d335fd69a3ff13a465f6b0a8 | 3f5ea936f02187e3e6297c410e260e71ca11e14b 6277e675d335fd69a3ff13a465f6b0a8 6f7173b7ae87b5f3262e24a5177dbbd4413d999627f767754f08d8289f359bb3 https://www.symantec.com/blogs/threat-intelligence/orangeworm-targets-healthcare-us-europe-asia |
M18-qu801 | Gozi_0b08cf45 | Mixed | This strike sends a malware sample known as Gozi. Gozi is a popular banking malware that has been around since 2007 and was recently spotted by researchers in specific targeted campaigns. These are document-related samples associated with the malware campaigns. | 0b08cf45db88cdaf34b088daff9ad54d | b37f6583310053975dead7cd6d69044799d891af 0b08cf45db88cdaf34b088daff9ad54d b4e43c40405579f7e508e5d546975b4b2bff83a70d7dfe98fa64dc407894d103 http://blog.talosintelligence.com/2018/03/gozi-isfb-remains-active-in-2018.html |
M18-hug01 | Upatre_04b1767f | Windows | This strike sends a malware sample known as Upatre. Upatre is a downloader used in exploit kits that retrieves a variety of malicious executables for the target to execute. | 04b1767fc8c7576329d0d9f130570483 | d564f1a814aa7ee497506900e9f6f08dac802a62 04b1767fc8c7576329d0d9f130570483 e122d91eb62a33c8b4ef56b2299caf2f58fd4e48694c97e06c92f858497cf860 https://blog.talosintelligence.com/2018/04/threat-round-up-0406-0413.html |
M18-vwq01 | Gozi_151c2c24 | Mixed | This strike sends a malware sample known as Gozi. Gozi is a popular banking malware that has been around since 2007 and was recently spotted by researchers in specific targeted campaigns. These are document-related samples associated with the malware campaigns. | 151c2c242a9ee4e72a0731df6f56c921 | dc98c1d9f891b5292cc4e8d8d8d63702d516f996 151c2c242a9ee4e72a0731df6f56c921 eeb435abd819f5ec850aba835f52125beba9d45e3d86ac0000eafc27f9844dc8 http://blog.talosintelligence.com/2018/03/gozi-isfb-remains-active-in-2018.html |
M18-8lo01 | Neutrino_edfaea51 | Windows | This strike sends a malware sample known as Neutrino. Neutrino malware likes to employ various sandbox evasion techniques. This variant of the Neutrino family targets point of sale terminals. | edfaea51fd99182341fe5c0b503b738c | fe6bd0ecd3dc1be10d3fbadf08075e22bac98ca3 edfaea51fd99182341fe5c0b503b738c 530607f9b54be981e420a7bca1d33d0fa180e6c42877beddeb23836cc440f062 https://blog.talosintelligence.com/2018/04/threat-round-up-0406-0413.html |
M18-0sw01 | TurnedUp_8953c846 | Windows | This strike sends a malware sample known as TurnedUp. This sample of the TurnedUp backdoor employs the Early Bird code injection technique to bypass antivirus software. | 8953c8469d9f364928a686d9175c3bf7 | 29c06165805855719f710c9f7f7393d24cba1e4c 8953c8469d9f364928a686d9175c3bf7 5e4a563df904b1981d610e772effcb005a2fd9f40e569b65314cef37ba0cf0c7 https://www.cyberbit.com/blog/endpoint-security/new-early-bird-code-injection-technique-discovered/ |
M18-1oz01 | Gozi_d5dd0189 | Mixed | This strike sends a malware sample known as Gozi. Gozi is a popular banking malware that has been around since 2007 and was recently spotted by researchers in specific targeted campaigns. These are document-related samples associated with the malware campaigns. | d5dd018912ab9082c5589de04bac629f | 4a4afbe594e40e5bede5a23d633807310e150c31 d5dd018912ab9082c5589de04bac629f e1b34078b5aab799cb78e7103286817a740da430fd1f107bfd4a673dce8fa9fc http://blog.talosintelligence.com/2018/03/gozi-isfb-remains-active-in-2018.html |
M18-jvp01 | Kwampirs | Windows | This strike sends a malware sample known as Kwampirs Dropper. Kwampirs is a Trojan horse that creates a back door on the victim machine. Once infected, it attempts to propagate itself within the target network, gather information, and provide the attacker with remote access. These samples act as droppers and have been identified in the wild as being deployed by the Orangeworm group in an attack campaign targeted against the healthcare sector. | 0240ed7e45567f606793dafaff024acf | 2646a18fdd6a7a2063b3443283ec1159696c1339 0240ed7e45567f606793dafaff024acf 14461260f9b3988d4eb4e46bc7d9861172266a9a01bf15c57916a9e4f9dc0618 https://www.symantec.com/blogs/threat-intelligence/orangeworm-targets-healthcare-us-europe-asia |
M18-cy301 | Neutrino_5d02896f | Windows | This strike sends a malware sample known as Neutrino. Neutrino malware likes to employ various sandbox evasion techniques. This variant of the Neutrino family targets point of sale terminals. | 5d02896f184bdc95400b10d02227177c | a129959a7e2b279273942088665fbebf521c2a1c 5d02896f184bdc95400b10d02227177c e9bcf85599744033e320f5031ecc8157e0498a42d699cb175d7242c95b9f4358 https://blog.talosintelligence.com/2018/04/threat-round-up-0406-0413.html |
M18-7tm01 | Early | Windows | This strike sends a malware sample known as Early Bird. This malware sample has been identified as using the Early Bird injection technique, which allows code to run before the entry point of the main process thread, bypassing antivirus software hooks. | 8cac249e2a9ae6ae8c5d90a9d52dbb88 | 4c6d6a3ed59b8f8b4e3fb7c9bb5d119305800503 8cac249e2a9ae6ae8c5d90a9d52dbb88 c54b92a86c9051172954fd64573dd1b9a5e950d3ebc581d02c8213c01bd6bf14 https://www.cyberbit.com/blog/endpoint-security/new-early-bird-code-injection-technique-discovered/ |
M18-52z01 | Gozi_12317118 | Mixed | This strike sends a malware sample known as Gozi. Gozi is a popular banking malware that has been around since 2007 and was recently spotted by researchers in specific targeted campaigns. These are document-related samples associated with the malware campaigns. | 1231711812ceecce5163337c82aa1e7d | 99e2f9906d4480a1471853abb1755c44d414e749 1231711812ceecce5163337c82aa1e7d cecc04094781c3d8440f54999d5b69e4ab7f4f2a3a0d6e85878ca60c0cafa34c http://blog.talosintelligence.com/2018/03/gozi-isfb-remains-active-in-2018.html |
M18-q8p01 | Neutrino_9de2f18b | Windows | This strike sends a malware sample known as Neutrino. Neutrino malware likes to employ various sandbox evasion techniques. This variant of the Neutrino family targets point of sale terminals. | 9de2f18b09633a5aa822df9df7cd52d2 | 4c244838fd8588e6cc4b5107067e0025a01d536f 9de2f18b09633a5aa822df9df7cd52d2 24281907f8904bf6b9af4116f52ae2ba8b4b97ce586cd3b2b2777a8f3c76c8cc https://blog.talosintelligence.com/2018/04/threat-round-up-0406-0413.html |
M18-1uk01 | Gozi_d38bf4f8 | Mixed | This strike sends a malware sample known as Gozi. Gozi is a popular banking malware that has been around since 2007 and was recently spotted by researchers in specific targeted campaigns. These are document-related samples associated with the malware campaigns. | d38bf4f8675fc8e27d533e6c489bac03 | ede200073e2e9db262b255a1fbe7bf61c5436075 d38bf4f8675fc8e27d533e6c489bac03 e08f1f54620bafe44200b3e12177e6a934e2d27910125144aec9606b68d44a88 http://blog.talosintelligence.com/2018/03/gozi-isfb-remains-active-in-2018.html |
M18-3zd01 | Gozi_15b184dc | Mixed | This strike sends a malware sample known as Gozi. Gozi is a popular banking malware that has been around since 2007 and was recently spotted by researchers in specific targeted campaigns. These are document-related samples associated with the malware campaigns. | 15b184dc5f5e2c6cafdf3edce8334a83 | 7ac5151f5704d285f8b08339cb63cd44d0e96e86 15b184dc5f5e2c6cafdf3edce8334a83 ed99eea02491a4c659a54cb39f368b7c4713cbc6ef9677f169c1cb09f533bd6d http://blog.talosintelligence.com/2018/03/gozi-isfb-remains-active-in-2018.html |
M18-5tn01 | Gozi_ce9fd40d | Mixed | This strike sends a malware sample known as Gozi. Gozi is a popular banking malware that has been around since 2007 and was recently spotted by researchers in specific targeted campaigns. These are document-related samples associated with the malware campaigns. | ce9fd40d404d258405e38f78f08c0912 | 0936f307d2aa64cc6236726a4b906bf6ce605c50 ce9fd40d404d258405e38f78f08c0912 d158c1111de1b21a41af1099e0718ecda240a42636a5456ce2074f3ee6f7ba9a http://blog.talosintelligence.com/2018/03/gozi-isfb-remains-active-in-2018.html |
M18-e9l01 | Startsurf_05d7f6cb | Windows | This strike sends a malware sample known as Startsurf. This sample is a trojan that gathers and steals personal information from its target. | 05d7f6cb4e4711de53515e9587442dee | 662ac4eebb5060027016d9875594832741d0e687 05d7f6cb4e4711de53515e9587442dee 739f27ac00dc449895f589ff28e86d78ea17ca298ffc0b40021136d7c77ed679 https://blog.talosintelligence.com/2018/04/threat-round-up-0406-0413.html |
M18-ok001 | Kwampirs | Windows | This strike sends a malware sample known as Kwampirs Payload. Kwampirs is a Trojan horse that creates a back door on the victim machine. Once infected, it attempts to propagate itself within the target network, gather information, and provide the attacker with remote access. These samples are the payload DLLs and have been identified in the wild as being deployed by the Orangeworm group in an attack campaign targeted against the healthcare sector. | 939e76888bdeb628405e1b8be963273c | a59de3e9f8c0b684575df7cac9cfe2d84ba26d6f 939e76888bdeb628405e1b8be963273c 7bb12284fc28fbb270507c410afdc21c60bde5d34d59de67f78796c09f5ccd9c https://www.symantec.com/blogs/threat-intelligence/orangeworm-targets-healthcare-us-europe-asia |
M18-7nx01 | Gozi_8c5ecc13 | Mixed | This strike sends a malware sample known as Gozi. Gozi is a popular banking malware that has been around since 2007 and was recently spotted by researchers in specific targeted campaigns. These are document-related samples associated with the malware campaigns. | 8c5ecc13e19fecd5215e191f73e40bfe | 6d1d952a34b0a40f44adbfd08ed1970cda0a1581 8c5ecc13e19fecd5215e191f73e40bfe cfde9188f77427c56c541fba1ff15249dbdf2baf3f466367ba72a5c9a70b0d80 http://blog.talosintelligence.com/2018/03/gozi-isfb-remains-active-in-2018.html |
M18-6zd01 | Fareit_7de3b448 | Windows | This strike sends a malware sample known as Fareit. Fareit steals and harvests credentials from the targeted system. This information is then exfiltrated to a C2 server. | 7de3b44801868f8da4e983f9818f1e0b | 48f0481cbf046c32f240376aaf5d5dd5d4d90e13 7de3b44801868f8da4e983f9818f1e0b e981fd64b4c1f1d50cdf3f21d3cd07dfb04dec58c518bee8697a187069997498 https://blog.talosintelligence.com/2018/04/threat-round-up-0406-0413.html |
M18-d9901 | Kwampirs | Windows | This strike sends a malware sample known as Kwampirs Dropper. Kwampirs is a Trojan horse that creates a back door on the victim machine. Once infected, it attempts to propagate itself within the target network, gather information, and provide the attacker with remote access. These samples act as droppers and have been identified in the wild as being deployed by the Orangeworm group in an attack campaign targeted against the healthcare sector. | 3b3a1062689ffa191e58d5507d39939d | ce3e75f6f8b187656d18618756da68aac135b334 3b3a1062689ffa191e58d5507d39939d ea61bcd4774ce2b6ab364a7831f36e010214be2ba2e6daa7dcba10b7e229ddfa https://www.symantec.com/blogs/threat-intelligence/orangeworm-targets-healthcare-us-europe-asia |
M18-4uv02 | Gozi_1b3ecd95 | Mixed | This strike sends a malware sample known as Gozi. Gozi is a popular banking malware that has been around since 2007 and was recently spotted by researchers in specific targeted campaigns. These are document-related samples associated with the malware campaigns. | 1b3ecd957973c315fbab3aa1bccd3ace | 6cdc4027a5dc1219e26a2a0acbc2fcb7d4c5eddd 1b3ecd957973c315fbab3aa1bccd3ace e43c2070435f9aa704408a6e4f9112b2e83288039bf8382023c3973956c670ac http://blog.talosintelligence.com/2018/03/gozi-isfb-remains-active-in-2018.html |
M18-7su01 | Gozi_350b607b | Mixed | This strike sends a malware sample known as Gozi. Gozi is a popular banking malware that has been around since 2007 and was recently spotted by researchers in specific targeted campaigns. These are document-related samples associated with the malware campaigns. | 350b607bad40d521cbfffcba0023d432 | 1e733b782ae647c79e0097a3f1c150f4ecb7f863 350b607bad40d521cbfffcba0023d432 c068b9246a31d99b810b253b7e92695108bcf27d253de4e4ac0aed3ab02e83ab http://blog.talosintelligence.com/2018/03/gozi-isfb-remains-active-in-2018.html |
M18-pc001 | Upatre_021828dd | Windows | This strike sends a malware sample known as Upatre. Upatre is a downloader used in exploit kits that retrieves a variety of malicious executables for the target to execute. | 021828ddd4e024644001a759bb4829bf | ab2192f0ac57ebfb3a16062b1aad790c7acc9e96 021828ddd4e024644001a759bb4829bf 06c65a259d7c96000fcec97a7d8c5b6c4d0c8b8e52ed1d45c934a50d0369b3eb https://blog.talosintelligence.com/2018/04/threat-round-up-0406-0413.html |
M18-dm801 | Gozi_82d5bc54 | Mixed | This strike sends a malware sample known as Gozi. Gozi is a popular banking malware that has been around since 2007 and was recently spotted by researchers in specific targeted campaigns. These are Document related samples that have been related to the malware campaigns. | 82d5bc54464e1d903cb806b9cc66faa7 | f7a48cdfc7dccc4db70fc2d96058020ade558264 82d5bc54464e1d903cb806b9cc66faa7 e9c24d0a80b622749a1b30f9d384a7cdd844310dbd3054898ec322cfabb65280 http://blog.talosintelligence.com/2018/03/gozi-isfb-remains-active-in-2018.html |
M18-y3s01 | Gozi_3e2c9fe2 | Mixed | This strike sends a malware sample known as Gozi. Gozi is a popular banking malware that has been around since 2007 and was recently spotted by researchers in specific targeted campaigns. These are Document related samples that have been related to the malware campaigns. | 3e2c9fe205543b825746ebed07976b65 | f63603f75fc2c562df52a8dfefcff39538cefbcb 3e2c9fe205543b825746ebed07976b65 b3dbbe79bdbf9e6d6a8eb1bcc9350f847b76aaf304bc981dca9fdf281ba22360 http://blog.talosintelligence.com/2018/03/gozi-isfb-remains-active-in-2018.html |
M18-dyj01 | Startsurf_01721c6c | Windows | This strike sends a malware sample known as Startsurf. This sample is a trojan that gathers personal information to steal from its target. | 01721c6ccbbb56f63476aa17a3cb7dba | e537d1bc24836778059e89a891232feef7529fc0 01721c6ccbbb56f63476aa17a3cb7dba 6c8ca3ba14ee685739ea32a3ddc613d4544c69194a97c55365c570c053609938 https://blog.talosintelligence.com/2018/04/threat-round-up-0406-0413.html |
M18-kz201 | Gozi_6217b0f7 | Mixed | This strike sends a malware sample known as Gozi. Gozi is a popular banking malware that has been around since 2007 and was recently spotted by researchers in specific targeted campaigns. These are Document related samples that have been related to the malware campaigns. | 6217b0f76209446747f02f379915acb4 | 3a9c86ce483a1c05925f6fd602302d8015d7409b 6217b0f76209446747f02f379915acb4 cee3b79780438aadc98ea5b4229b754566430516e2792cc7d048fc472c4dbc79 http://blog.talosintelligence.com/2018/03/gozi-isfb-remains-active-in-2018.html |
M18-hao01 | Neutrino_9164bbb5 | Windows | This strike sends a malware sample known as Neutrino. Neutrino malware likes to employ various sandbox evasion techniques. This variant of the Neutrino family targets point of sale terminals. | 9164bbb56803391261d42d9ee69b42da | b8aaf98dca8a84eee3bb4151fa66ae61d51e5331 9164bbb56803391261d42d9ee69b42da 2593e0c6d66d36c7d8b3061f3c242875113310a2939f89aea73eda1397e44e31 https://blog.talosintelligence.com/2018/04/threat-round-up-0406-0413.html |
M18-3lm01 | Gozi_c2ac177a | Mixed | This strike sends a malware sample known as Gozi. Gozi is a popular banking malware that has been around since 2007 and was recently spotted by researchers in specific targeted campaigns. These are Document related samples that have been related to the malware campaigns. | c2ac177a2399449ba13389429fc9b44a | 6c1b558e91ad4e48f2d6f4b997a52100d3648d24 c2ac177a2399449ba13389429fc9b44a ec58ed473d3c8fc3d6f4430930359436771de9291d58b30d67b333ef01d59dba http://blog.talosintelligence.com/2018/03/gozi-isfb-remains-active-in-2018.html |
M18-f8b01 | Gozi_ad41641f | Mixed | This strike sends a malware sample known as Gozi. Gozi is a popular banking malware that has been around since 2007 and was recently spotted by researchers in specific targeted campaigns. These are Document related samples that have been related to the malware campaigns. | ad41641fc3eb31fe2130b5358e39b724 | d448756c51b53ec040d4b80f02fa59276b26560b ad41641fc3eb31fe2130b5358e39b724 d7841ad990416b6c46e98331ca6ca133be96dd1c463407f1b0e4bc759b002cfa http://blog.talosintelligence.com/2018/03/gozi-isfb-remains-active-in-2018.html |
M18-8vi01 | Gozi_0d609854 | Mixed | This strike sends a malware sample known as Gozi. Gozi is a popular banking malware that has been around since 2007 and was recently spotted by researchers in specific targeted campaigns. These are Document related samples that have been related to the malware campaigns. | 0d6098544b53298c86b99ce5890bb398 | 5b90a1b7b095bc7343079fd7fece1ad80a668efa 0d6098544b53298c86b99ce5890bb398 d69a55c55cf4c831579defdc8ae640997141c577558adc07fe53d037008541e3 http://blog.talosintelligence.com/2018/03/gozi-isfb-remains-active-in-2018.html |
M18-zeo01 | Fareit_ed1ef915 | Windows | This strike sends a malware sample known as Fareit. Fareit steals and harvests credentials from the targeted system. This information is then exfiltrated to a C2 server. | ed1ef9158da2ef353c31613b649d906b | 3766378217eea6e7047771e0108983000c697321 ed1ef9158da2ef353c31613b649d906b 61ff6f5d48f02c0a5b7a28936f8aa9ebad2344f3552608fae2ce3f14a9bf14d4 https://blog.talosintelligence.com/2018/04/threat-round-up-0406-0413.html |
M18-baa01 | Fareit_aebe8f53 | Windows | This strike sends a malware sample known as Fareit. Fareit steals and harvests credentials from the targeted system. This information is then exfiltrated to a C2 server. | aebe8f53070a8e5687641789666e9482 | 50f9f2eae65ccb06723a3f470ebf338978b23277 aebe8f53070a8e5687641789666e9482 97702356739358d428d1e7c7ddcc8aa08379562b290edb12348cae2bc0ddbb32 https://blog.talosintelligence.com/2018/04/threat-round-up-0406-0413.html |
M18-ug401 | Gozi_9845ccaa | Mixed | This strike sends a malware sample known as Gozi. Gozi is a popular banking malware that has been around since 2007 and was recently spotted by researchers in specific targeted campaigns. These are Document related samples that have been related to the malware campaigns. | 9845ccaaf3c4fe109bda24adc6b93dbf | d229149bc19716ec4edaf3be9929706116953cc0 9845ccaaf3c4fe109bda24adc6b93dbf eafc44e91530127b5ac46763dc14015963b77c2c52846ec7da42c50ecbaabb54 http://blog.talosintelligence.com/2018/03/gozi-isfb-remains-active-in-2018.html |
M18-isk01 | Fareit_0bccb0c7 | Windows | This strike sends a malware sample known as Fareit. Fareit steals and harvests credentials from the targeted system. This information is then exfiltrated to a C2 server. | 0bccb0c7a3e542a36ec6448c02efc415 | 380d90a3fd1606c22c16ddc9f3b04426c37abee0 0bccb0c7a3e542a36ec6448c02efc415 a7d667e9d67d4b7db00c52572ca1e945b1aba8139dce9c647b8b9bce89ba45e0 https://blog.talosintelligence.com/2018/04/threat-round-up-0406-0413.html |
M18-f1g01 | Startsurf_02d70e30 | Windows | This strike sends a malware sample known as Startsurf. This sample is a trojan that gathers personal information to steal from its target. | 02d70e303afff2a186d4459bf384ddc7 | b71a6988660ac18b1ad6fe0667f958727eaed6ec 02d70e303afff2a186d4459bf384ddc7 e586da2bd9fd73223281176033b97e6e4e137249f9aff8430004099b31508e12 https://blog.talosintelligence.com/2018/04/threat-round-up-0406-0413.html |
M18-o4o01 | Gozi_b6396acf | Mixed | This strike sends a malware sample known as Gozi. Gozi is a popular banking malware that has been around since 2007 and was recently spotted by researchers in specific targeted campaigns. These are Document related samples that have been related to the malware campaigns. | b6396acf9a09c594e9ab140d82f3d049 | 5e03582d68dc08d555cc787e289f64831712a6b6 b6396acf9a09c594e9ab140d82f3d049 ed43f1d983feb172fcf4b62956428ab6b4410a4cddbc6f02657f00dce2fc3a1c http://blog.talosintelligence.com/2018/03/gozi-isfb-remains-active-in-2018.html |
M18-w7v01 | Fareit_0dceec9a | Windows | This strike sends a malware sample known as Fareit. Fareit steals and harvests credentials from the targeted system. This information is then exfiltrated to a C2 server. | 0dceec9a6b080d4bd9d14696259386c9 | fe6672e154b70441b6d144ede426012cffec2e02 0dceec9a6b080d4bd9d14696259386c9 444147472ba54f1f58776a84e98152ae28dfbca23602cb440a830fddd4a283cf https://blog.talosintelligence.com/2018/04/threat-round-up-0406-0413.html |
M18-pdp01 | Gozi_52504984 | Mixed | This strike sends a malware sample known as Gozi. Gozi is a popular banking malware that has been around since 2007 and was recently spotted by researchers in specific targeted campaigns. These are Document related samples that have been related to the malware campaigns. | 5250498499d2bf02620df74117baf476 | 9f1c2ba4061f9e527f85c1aa0573c9577f82a3fb 5250498499d2bf02620df74117baf476 e985205932309edce7ea1130d1a3ba169a8b9b5a84c890e01633e45aa7b76e0e http://blog.talosintelligence.com/2018/03/gozi-isfb-remains-active-in-2018.html |
M18-lqf01 | Kwampirs | Windows | This strike sends a malware sample known as Kwampirs Payload. Kwampirs is a Trojan horse that creates a back door on the victim machine. Once infected it attempts to propagate itself within the target network, gather information, and provide the attacker with remote access. These samples are the payload dlls and have been identified in the wild as being deployed by the Orangeworm group in an attack campaign targeted against the healthcare sector. | 5c3499acfe0ad7563b367fbf7fb2928c | d1e791f3f8c79d76d4629b9360e1104156682899 5c3499acfe0ad7563b367fbf7fb2928c c5b9406fdbe2c7bb1d516d1d270568c54a6e0002a4506668aaad9ff13298c3f2 https://www.symantec.com/blogs/threat-intelligence/orangeworm-targets-healthcare-us-europe-asia |
M18-9g001 | Gozi_0eb8580e | Mixed | This strike sends a malware sample known as Gozi. Gozi is a popular banking malware that has been around since 2007 and was recently spotted by researchers in specific targeted campaigns. These are Document related samples that have been related to the malware campaigns. | 0eb8580ea0c1634a11e2fcd7fcfcae04 | 03f59b018acbda4c6e63db913a78c70499323bc0 0eb8580ea0c1634a11e2fcd7fcfcae04 b84cac469c097e1296c00029f8ffb1b7e12fb791d10da6e01485079a7750958c http://blog.talosintelligence.com/2018/03/gozi-isfb-remains-active-in-2018.html |
M18-p1w01 | Neutrino_4633642e | Windows | This strike sends a malware sample known as Neutrino. Neutrino malware likes to employ various sandbox evasion techniques. This variant of the Neutrino family targets point of sale terminals. | 4633642e88630f65f9661d0117535446 | 9d47f46a1e364eda6b2ead54e22a9ffc61111027 4633642e88630f65f9661d0117535446 61cb5cbccb6d1c329cb1a641c3a74fd4a4521dee0d2d03e810f3f12303e0f1f1 https://blog.talosintelligence.com/2018/04/threat-round-up-0406-0413.html |
M18-a8101 | Gozi_17bfd2e6 | Mixed | This strike sends a malware sample known as Gozi. Gozi is a popular banking malware that has been around since 2007 and was recently spotted by researchers in specific targeted campaigns. These are Document related samples that have been related to the malware campaigns. | 17bfd2e6a363c52192da32afe98786e9 | 9d91e7a1b12ddbcef885c025c2309fffb48a65c7 17bfd2e6a363c52192da32afe98786e9 d3f79eb90bfeccb507f69989ed38e32fddd7108660c92313260a64c798fe0167 http://blog.talosintelligence.com/2018/03/gozi-isfb-remains-active-in-2018.html |
M18-abu01 | Fareit_6ed420bc | Windows | This strike sends a malware sample known as Fareit. Fareit steals and harvests credentials from the targeted system. This information is then exfiltrated to a C2 server. | 6ed420bce873b34153f076776fe6b91d | 43d1813f848e5d1fa639a8b09c964e33e95d8dee 6ed420bce873b34153f076776fe6b91d f68b0c32da95c0fb06c4cefb992e1a0039afed32f6cfcef083db39a0702a06c7 https://blog.talosintelligence.com/2018/04/threat-round-up-0406-0413.html |
M18-bjk01 | Gozi_418a530d | Mixed | This strike sends a malware sample known as Gozi. Gozi is a popular banking malware that has been around since 2007 and was recently spotted by researchers in specific targeted campaigns. These are Document related samples that have been related to the malware campaigns. | 418a530d741325eee659d030ef26f991 | d7b1e8e6b5a493b2449ccd978131729fa741dda1 418a530d741325eee659d030ef26f991 ebed0b54c50962470c7e541ea3874b6ccf71812540edff4a06080f978900d840 http://blog.talosintelligence.com/2018/03/gozi-isfb-remains-active-in-2018.html |
M18-7fx01 | Gozi_b0d0b281 | Mixed | This strike sends a malware sample known as Gozi. Gozi is a popular banking malware that has been around since 2007 and was recently spotted by researchers in specific targeted campaigns. These are Document related samples that have been related to the malware campaigns. | b0d0b281554f8fbe9f6af749a0bd9239 | 5be7b445857ba4091ca81b768dba7e09698fce76 b0d0b281554f8fbe9f6af749a0bd9239 ebf4d1f9396d6ab1aff5b3cc6c8e682e1291c49bbbe51ac5c797dc252833909f http://blog.talosintelligence.com/2018/03/gozi-isfb-remains-active-in-2018.html |
M18-zyk01 | Kwampirs | Windows | This strike sends a malware sample known as Kwampirs Dropper. Kwampirs is a Trojan horse that creates a back door on the victim machine. Once infected it attempts to propagate itself within the target network, gather information, and provide the attacker with remote access. These samples act as droppers and have been identified in the wild as being deployed by the Orangeworm group in an attack campaign targeted against the healthcare sector. | cb9954509dc82e6bbed2aee202d88415 | c6a56cd07bfeb45b2fecdf938927e3c5a5a3e38e cb9954509dc82e6bbed2aee202d88415 f8022b973900c783fd861ede7d0ac02f665c041b9cd0641be7318999fb82ce8f https://www.symantec.com/blogs/threat-intelligence/orangeworm-targets-healthcare-us-europe-asia |
M18-rlz01 | Startsurf_057f0c2b | Windows | This strike sends a malware sample known as Startsurf. This sample is a trojan that gathers personal information to steal from its target. | 057f0c2b9a3377366ea36bc8f4454b40 | 9c385db869ef98dbe7df24e509f336d2307504c1 057f0c2b9a3377366ea36bc8f4454b40 1d70d1eb3210984b8d2c3c62ca6ade7b018f44688d009cbde3c2c214224a3ffb https://blog.talosintelligence.com/2018/04/threat-round-up-0406-0413.html |
M18-nhb01 | Gozi_36027b6b | Mixed | This strike sends a malware sample known as Gozi. Gozi is a popular banking malware that has been around since 2007 and was recently spotted by researchers in specific targeted campaigns. These are Document related samples that have been related to the malware campaigns. | 36027b6b489adcbbd12dc845f193cf37 | 342d96b456046c71cf7371d64bc8c07d77edacf1 36027b6b489adcbbd12dc845f193cf37 d10f6ae7735ec1767efb756a14aa8f45d3d0b926787eb6e682ae85a4f2e5f5af http://blog.talosintelligence.com/2018/03/gozi-isfb-remains-active-in-2018.html |
M18-jhf01 | Startsurf_0228d240 | Windows | This strike sends a malware sample known as Startsurf. This sample is a trojan that gathers personal information to steal from its target. | 0228d240888782fa29a9d1902986eeaa | 491ed32451e271c68726c60d47dd0e6d4e87da77 0228d240888782fa29a9d1902986eeaa e616d1e7e2b6e1d4f1ac2fea3e2041b842d27f5de05ff941b5661997cfe8a856 https://blog.talosintelligence.com/2018/04/threat-round-up-0406-0413.html |
M18-46t01 | Gozi_fdc33a07 | Mixed | This strike sends a malware sample known as Gozi. Gozi is a popular banking malware that has been around since 2007 and was recently spotted by researchers in specific targeted campaigns. These are Document related samples that have been related to the malware campaigns. | fdc33a071fff70798295b2ec22cbf735 | 723da0bf4eb558853763d4b4ec58243709d7e0ae fdc33a071fff70798295b2ec22cbf735 d1f29d6ffb069c12670a264bf12a7ad4fc1c159b7f6aa61c97cd90d44289eec3 http://blog.talosintelligence.com/2018/03/gozi-isfb-remains-active-in-2018.html |
M18-tr101 | Gozi_6bfb69bc | Mixed | This strike sends a malware sample known as Gozi. Gozi is a popular banking malware that has been around since 2007 and was recently spotted by researchers in specific targeted campaigns. These are Document related samples that have been related to the malware campaigns. | 6bfb69bc644a2ea5303a0f6f24744fec | 5c0cf042a0219bd28b5cfe20b30221e978aecb01 6bfb69bc644a2ea5303a0f6f24744fec b67584f6baec97528656dfbff7749f7eb355497706359db0c4bd981c15b3e854 http://blog.talosintelligence.com/2018/03/gozi-isfb-remains-active-in-2018.html |
M18-d1501 | Startsurf_107fac48 | Windows | This strike sends a malware sample known as Startsurf. This sample is a trojan that gathers personal information to steal from its target. | 107fac484f2ba8f2b8b80a52a8631707 | c50ab16bb0fa34aead71090ccfbe0d5f5556cfbd 107fac484f2ba8f2b8b80a52a8631707 39974f2161bc0151692ae2f380d38b626f2b47904f92ce5706e29b2fe05122d3 https://blog.talosintelligence.com/2018/04/threat-round-up-0406-0413.html |
M18-nax01 | Gozi_3974f65a | Mixed | This strike sends a malware sample known as Gozi. Gozi is a popular banking malware that has been around since 2007 and was recently spotted by researchers in specific targeted campaigns. These are Document related samples that have been related to the malware campaigns. | 3974f65ad10cb0f98f88cbefccb12d6a | 44bcaaeda395e40e9b8a2f6654268d8a781d19fc 3974f65ad10cb0f98f88cbefccb12d6a e192c87072de321abd224a30c571207d986b882ec662da9c4ddf1b83d407eaa7 http://blog.talosintelligence.com/2018/03/gozi-isfb-remains-active-in-2018.html |
M18-zph01 | Neutrino_91bea40c | Windows | This strike sends a malware sample known as Neutrino. Neutrino malware likes to employ various sandbox evasion techniques. This variant of the Neutrino family targets point of sale terminals. | 91bea40c811de97826177159d8bbdde1 | 307eced0088f03a1c535a050f794e49e3cb6e248 91bea40c811de97826177159d8bbdde1 ff5d541f260063a88b04a892cacfb3bcb13b8dd83c5f29ed5000737dbd6662c4 https://blog.talosintelligence.com/2018/04/threat-round-up-0406-0413.html |
M18-x9201 | Gozi_a755452d | Mixed | This strike sends a malware sample known as Gozi. Gozi is a popular banking malware that has been around since 2007 and was recently spotted by researchers in specific targeted campaigns. These are Document related samples that have been related to the malware campaigns. | a755452d568062234058f69114bf3ee2 | cab8950cc622639eea40ffcc0356d22fc8d0cac0 a755452d568062234058f69114bf3ee2 b4b6baca1104b0dbb289731c3b206cfeaefe58a23f45182e0d4f44069a7f5f39 http://blog.talosintelligence.com/2018/03/gozi-isfb-remains-active-in-2018.html |
M18-yqy01 | Gozi_b53ef9da | Mixed | This strike sends a malware sample known as Gozi. Gozi is a popular banking malware that has been around since 2007 and was recently spotted by researchers in specific targeted campaigns. These are Document related samples that have been related to the malware campaigns. | b53ef9daae55e9850bd5c41f7ef4ea38 | f4e221406d2339df73b44edb795e426b8024ee93 b53ef9daae55e9850bd5c41f7ef4ea38 c097751002442abbcb8c85e5df07d64fae35c03789a4dfe364ffd3b5496891b4 http://blog.talosintelligence.com/2018/03/gozi-isfb-remains-active-in-2018.html |
M18-xsh01 | Gozi_adc3f050 | Mixed | This strike sends a malware sample known as Gozi. Gozi is a popular banking malware that has been around since 2007 and was recently spotted by researchers in specific targeted campaigns. These are Document related samples that have been related to the malware campaigns. | adc3f050e41ce0dcdfae7070838b5350 | a227fca87c1bb0ac4e0094101ce96c5d7987a417 adc3f050e41ce0dcdfae7070838b5350 b7fe03048f861222f9a161369e5eb38f67b13eb0de4050be089b394c7f30c593 http://blog.talosintelligence.com/2018/03/gozi-isfb-remains-active-in-2018.html |
M18-eoh01 | Neutrino_d4ecd35b | Windows | This strike sends a malware sample known as Neutrino. Neutrino malware likes to employ various sandbox evasion techniques. This variant of the Neutrino family targets point of sale terminals. | d4ecd35ba98595ce86442c472ef2113d | 78dc8028af915547543310b96a79e69b861da70a d4ecd35ba98595ce86442c472ef2113d 9af34cdb7f0b01c044fdeb64f0b733d78e8b9be854c4beeee679f8ee083530b1 https://blog.talosintelligence.com/2018/04/threat-round-up-0406-0413.html |
M18-8k201 | Gozi_21ab6e81 | Mixed | This strike sends a malware sample known as Gozi. Gozi is a popular banking malware that has been around since 2007 and was recently spotted by researchers in specific targeted campaigns. These are Document related samples that have been related to the malware campaigns. | 21ab6e815063f66de014230f2d13bda1 | 26ab72a7420d6538c6aa6186c23a27eb874e78eb 21ab6e815063f66de014230f2d13bda1 dcf687e47e3ff38a34ab94cf0651e6a45a7d63ee4c7668bfbe3ebc375da3d7ba http://blog.talosintelligence.com/2018/03/gozi-isfb-remains-active-in-2018.html |
M18-ie602 | Gozi_fa7c4c89 | Mixed | This strike sends a malware sample known as Gozi. Gozi is a popular banking malware that has been around since 2007 and was recently spotted by researchers in specific targeted campaigns. These are Document related samples that have been related to the malware campaigns. | fa7c4c891eeea64acb6b517da7cf2615 | 861fd776cdad3147e66cd7318c5656fabae5d310 fa7c4c891eeea64acb6b517da7cf2615 d2b3946be545c3da30e779f60e73db1796073d6ca5ebef49a7cea7a75169cabf http://blog.talosintelligence.com/2018/03/gozi-isfb-remains-active-in-2018.html |
M18-wux01 | Neutrino_ad21e171 | Windows | This strike sends a malware sample known as Neutrino. Neutrino malware likes to employ various sandbox evasion techniques. This variant of the Neutrino family targets point of sale terminals. | ad21e171d278d27ccebfbc9b2d4d0992 | 8cdfd3e94086a82b4fc9579d7e6fbe42c0b253cb ad21e171d278d27ccebfbc9b2d4d0992 ba975d346f8f543f348e1e42f03bf50167045740b321ae6dc8a8497e608e8766 https://blog.talosintelligence.com/2018/04/threat-round-up-0406-0413.html |
M18-lxe01 | Startsurf_06475fb6 | Windows | This strike sends a malware sample known as Startsurf. This sample is a trojan that gathers personal information to steal from its target. | 06475fb6c697ecbe07baad0014d507f5 | 92ead94fed5ef97166bf31b318400dc83f7c5b69 06475fb6c697ecbe07baad0014d507f5 404746279f7d963489d1d7d2d9be4bd1b1dd82e81e21f6ebf09091ee7b059988 https://blog.talosintelligence.com/2018/04/threat-round-up-0406-0413.html |
M18-yy601 | Startsurf_00613dd1 | Windows | This strike sends a malware sample known as Startsurf. This sample is a trojan that gathers personal information to steal from its target. | 00613dd1637c16fe5abc5a7d3e838626 | bec0a96f3877b587656be58aef2da475032343ec 00613dd1637c16fe5abc5a7d3e838626 b622971e681f9e2fa5f84bfcb9e7144b6198d3fb554de8d4488117ca1e3f51c8 https://blog.talosintelligence.com/2018/04/threat-round-up-0406-0413.html |
M18-hs201 | Gozi_cf6c098d | Mixed | This strike sends a malware sample known as Gozi. Gozi is a popular banking malware that has been around since 2007 and was recently spotted by researchers in specific targeted campaigns. These are Document related samples that have been related to the malware campaigns. | cf6c098d4eff4facdc4212f5c1ccba05 | 78f9eb44e86d5e48dc2211ded1c43083fd908bc7 cf6c098d4eff4facdc4212f5c1ccba05 ecfeced9d622807d2b82b64fc2ba725603f9116f41e1ddb58715e1f751bbebb9 http://blog.talosintelligence.com/2018/03/gozi-isfb-remains-active-in-2018.html |
M18-ou001 | Startsurf_0d2372f6 | Windows | This strike sends a malware sample known as Startsurf. This sample is a trojan that gathers personal information to steal from its target. | 0d2372f66e72cd334751ad39f9577686 | 3c792497664d6244ed4593d7c1a7ff47706aae24 0d2372f66e72cd334751ad39f9577686 4694e19504a1bbc0335c213bad487727ab75faab3bf29d92cb7e3d14a2d3a8d0 https://blog.talosintelligence.com/2018/04/threat-round-up-0406-0413.html |
M18-xfq01 | Fareit_665a7013 | Windows | This strike sends a malware sample known as Fareit. Fareit steals and harvests credentials from the targeted system. This information is then exfiltrated to a C2 server. | 665a7013308c25b7b08173d58218e34c | 37998b9399096642ec6f961f9354f9dea4a067de 665a7013308c25b7b08173d58218e34c afcdd2fda5b3c9e78a977df31be307ea7323b746e07e35e4d3c39a3a3f4b4b79 https://blog.talosintelligence.com/2018/04/threat-round-up-0406-0413.html |
M18-5m401 | Gozi_8da11c75 | Mixed | This strike sends a malware sample known as Gozi. Gozi is a popular banking malware that has been around since 2007 and was recently spotted by researchers in specific targeted campaigns. These are Document related samples that have been related to the malware campaigns. | 8da11c7503a0054f90db43dd73dda94b | 4147d86b5939bf8e77e2126c8edc64f573bc1c36 8da11c7503a0054f90db43dd73dda94b d11b980ada1634b17462c05c4f2ade8894f2267b254038aa27fddbf2e2f4c850 http://blog.talosintelligence.com/2018/03/gozi-isfb-remains-active-in-2018.html |
M18-iol01 | Gozi_113920d2 | Mixed | This strike sends a malware sample known as Gozi. Gozi is a popular banking malware that has been around since 2007 and was recently spotted by researchers in specific targeted campaigns. These are Document related samples that have been related to the malware campaigns. | 113920d295806c64d572d3fdfdcde155 | 7eed79144d9d22e809bb7242e38fe47f5bbae44d 113920d295806c64d572d3fdfdcde155 bcdefbeb609a3d839518b3fe9d77b138e4b8a7f3208e963650a5a2aac6373e25 http://blog.talosintelligence.com/2018/03/gozi-isfb-remains-active-in-2018.html |
M18-dxy01 | Kwampirs | Windows | This strike sends a malware sample known as Kwampirs Payload. Kwampirs is a Trojan horse that creates a back door on the victim machine. Once infected it attempts to propagate itself within the target network, gather information, and provide the attacker with remote access. These samples are the payload dlls and have been identified in the wild as being deployed by the Orangeworm group in an attack campaign targeted against the healthcare sector. | 290d8e8524e57783e8cc1b9a3445dfe9 | 3adbb352b23e8750d993e3df27904b0e5a466016 290d8e8524e57783e8cc1b9a3445dfe9 15fc575b0278281541212e393f03278d47ea03d26693efeec8e16261735bc634 https://www.symantec.com/blogs/threat-intelligence/orangeworm-targets-healthcare-us-europe-asia |
M18-7qz01 | Gozi_a7efde4e | Mixed | This strike sends a malware sample known as Gozi. Gozi is a popular banking malware that has been around since 2007 and was recently spotted by researchers in specific targeted campaigns. These are Document related samples that have been related to the malware campaigns. | a7efde4e103890f2974ab7e9eab9d1c2 | 9f9d34ff665c799ae2ec996796f5f7b18d7500f8 a7efde4e103890f2974ab7e9eab9d1c2 bb06ec141b6382a111c20c70898b161f2287dda44a7024b949cc91fab1d3ca62 http://blog.talosintelligence.com/2018/03/gozi-isfb-remains-active-in-2018.html |
M18-7h801 | Gozi_136c2578 | Mixed | This strike sends a malware sample known as Gozi. Gozi is a popular banking malware that has been around since 2007 and was recently spotted by researchers in specific targeted campaigns. These are Document related samples that have been related to the malware campaigns. | 136c2578fdd33600a0a41f4e4f52ab9c | 4b5f0137640677356f0a93d09dde53ef7b9afd3c 136c2578fdd33600a0a41f4e4f52ab9c b16db20a9a2e19b318d0ecfd8e9253e16499d8498156bcad684c39a9b3c37c4e http://blog.talosintelligence.com/2018/03/gozi-isfb-remains-active-in-2018.html |
M18-jut01 | Gozi_07bb7384 | Mixed | This strike sends a malware sample known as Gozi. Gozi is a popular banking malware that has been around since 2007 and was recently spotted by researchers in specific targeted campaigns. These are Document related samples that have been related to the malware campaigns. | 07bb7384fc75df9e7287736aae4049c7 | e2ba239cf29bd9713e59797b2de06c3c04c9ac9b 07bb7384fc75df9e7287736aae4049c7 bd7138482a831b4a81150dda541b2375a10796dd365e5af441caabeea42bf455 http://blog.talosintelligence.com/2018/03/gozi-isfb-remains-active-in-2018.html |
M18-t2y01 | Gozi_76f9e428 | Mixed | This strike sends a malware sample known as Gozi. Gozi is a popular banking malware that has been around since 2007 and was recently spotted by researchers in specific targeted campaigns. These are Document related samples that have been related to the malware campaigns. | 76f9e428cef62823b24fef1027b0e1a1 | b86f5bc56ec349271819792a85b4f906d7a6c5da 76f9e428cef62823b24fef1027b0e1a1 b930d8c294a10f76e7dc9fbe1b257142fa5abc4bea0bc51ef544117b4ad51e29 http://blog.talosintelligence.com/2018/03/gozi-isfb-remains-active-in-2018.html |
M18-k7301 | Fareit_feaa9e91 | Windows | This strike sends a malware sample known as Fareit. Fareit steals and harvests credentials from the targeted system. This information is then exfiltrated to a C2 server. | feaa9e91b65701090f24d63b6454206a | 074e44100027996f616253eefe6ae4185b585899 feaa9e91b65701090f24d63b6454206a 7c83266775aceac7e54b9d7db2620245520a52e854a5e61f5c5f2452a60432de https://blog.talosintelligence.com/2018/04/threat-round-up-0406-0413.html |
M18-f8o01 | Gozi_29ceb929 | Mixed | This strike sends a malware sample known as Gozi. Gozi is a popular banking malware that has been around since 2007 and was recently spotted by researchers in specific targeted campaigns. These are Document related samples that have been related to the malware campaigns. | 29ceb92955f0ffc8d347f51555ae46a5 | 79321be62ec5edcdb3023b460125939d41e541cb 29ceb92955f0ffc8d347f51555ae46a5 cc3ceb50174349d9346cee8c330b9d172c8260a7a98d38de34c5322cce53c31b http://blog.talosintelligence.com/2018/03/gozi-isfb-remains-active-in-2018.html |
M18-7qw01 | Gozi_150c7891 | Mixed | This strike sends a malware sample known as Gozi. Gozi is a popular banking malware that has been around since 2007 and was recently spotted by researchers in specific targeted campaigns. These are Document related samples that have been related to the malware campaigns. | 150c7891677c165c26418fb313cf33d0 | 4fe88dba4bbedab222c2276b85d9fd6171403373 150c7891677c165c26418fb313cf33d0 b221d49022a39106207a6630db8a135d1803178b9d7e536525979c578184f752 http://blog.talosintelligence.com/2018/03/gozi-isfb-remains-active-in-2018.html |
M18-i8301 | Gozi_1a453d07 | Mixed | This strike sends a malware sample known as Gozi. Gozi is a popular banking malware that has been around since 2007 and was recently spotted by researchers in specific targeted campaigns. These are Document related samples that have been related to the malware campaigns. | 1a453d07485b6cb2c889d2676d4cf67e | bad636002e12d41fcc6e0f5ca38a5b8879d3d412 1a453d07485b6cb2c889d2676d4cf67e dee5e465fc4959e019cc6e781d4be278997c34a0465fa36825339e12068119c5 http://blog.talosintelligence.com/2018/03/gozi-isfb-remains-active-in-2018.html |
M18-u7g01 | Gozi_afc23d6e | Mixed | This strike sends a malware sample known as Gozi. Gozi is a popular banking malware that has been around since 2007 and was recently spotted by researchers in specific targeted campaigns. These are Document related samples that have been related to the malware campaigns. | afc23d6ebabe021ed4ce772a7d50d118 | 45a3c50a210f4b16afea250d50f1784cd7ee046a afc23d6ebabe021ed4ce772a7d50d118 d00bdf9012c8e83fd4e7f6ddb9dee9167db6297151d48fd9ea660a6ae52239cc http://blog.talosintelligence.com/2018/03/gozi-isfb-remains-active-in-2018.html |
M18-u1d01 | TurnedUp_eaa4b5cb | Windows | This strike sends a malware sample known as TurnedUp. This sample of the TurnedUp backdoor employs the Early Bird code injection technique to bypass antivirus software. | eaa4b5cba278e00955059bf30202cd18 | 42548c9c67fbda329d788cb4e8b88f55475cde11 eaa4b5cba278e00955059bf30202cd18 d17dce48fbe81eddf296466c7c5bb9e22c39183ee9828c1777015c1652919c30 https://www.cyberbit.com/blog/endpoint-security/new-early-bird-code-injection-technique-discovered/ |
M18-oyt01 | Fareit_0e42f545 | Windows | This strike sends a malware sample known as Fareit. Fareit steals and harvests credentials from the targeted system. This information is then exfiltrated to a C2 server. | 0e42f545f20a7066e80b1cb0ee73c00a | 880afff080d249f26514e4d26a8211d43f7ca1fe 0e42f545f20a7066e80b1cb0ee73c00a 1ca88b2c00b625bf596b93abafae873a6aec5bf1afeee1e116dc402cae69f83a https://blog.talosintelligence.com/2018/04/threat-round-up-0406-0413.html |
M18-s0j01 | Fareit_818a695c | Windows | This strike sends a malware sample known as Fareit. Fareit steals and harvests credentials from the targeted system. This information is then exfiltrated to a C2 server. | 818a695c9bf2b107c4394695a2f57528 | 8fbf05caf42e5618cadb0343bcf4b249e33ceb22 818a695c9bf2b107c4394695a2f57528 431e6a8252837a5e1c7c98aa9b72c1df4b21e34ae8c7e73882294097f140466e https://blog.talosintelligence.com/2018/04/threat-round-up-0406-0413.html |
M18-ee501 | Fareit_4f08735a | Windows | This strike sends a malware sample known as Fareit. Fareit steals and harvests credentials from the targeted system. This information is then exfiltrated to a C2 server. | 4f08735aa600f1c9ac4ce5af469e994e | 70de718c364af5831fc7227d394df71424786f7f 4f08735aa600f1c9ac4ce5af469e994e df58773cc519e82a8beebeca8035018168cb3cb26aa491aae89c8d68cec835a7 https://blog.talosintelligence.com/2018/04/threat-round-up-0406-0413.html |
M18-74601 | Early | Windows | This strike sends a malware sample known as Early Bird. This malware sample has been identified as using the Early Bird injection technique, which allows code to run before the entry point of the main process thread and bypasses antivirus software hooks. | e1383bea710422248b7e1edc4e0ff6ec | 4903780091874b4bde18b2f71bc0d8d23662d457 e1383bea710422248b7e1edc4e0ff6ec 368b09f790860e6bb475b684258ef215193e6f4e91326d73fd3ab3f240aedddb https://www.cyberbit.com/blog/endpoint-security/new-early-bird-code-injection-technique-discovered/ |
M18-17j01 | Gozi_0b841d3e | Mixed | This strike sends a malware sample known as Gozi. Gozi is a popular banking malware that has been around since 2007 and was recently spotted by researchers in specific targeted campaigns. These are document samples associated with the malware campaigns. | 0b841d3ea970f05ddf1009711d82572d | 0317909ce88167641bda95d27d7890afe346d0ab 0b841d3ea970f05ddf1009711d82572d dc8c82e7dd88d9d42f2872fee149eb219b537c2f21035834bed17cd205f54a51 http://blog.talosintelligence.com/2018/03/gozi-isfb-remains-active-in-2018.html |
M18-2m301 | Fareit_bf09e291 | Windows | This strike sends a malware sample known as Fareit. Fareit steals and harvests credentials from the targeted system. This information is then exfiltrated to a C2 server. | bf09e291cb6a4aff8e1eab04efe7bf13 | 699171ae82700a702a02ba5cc0743f08814e4f18 bf09e291cb6a4aff8e1eab04efe7bf13 09574981553c2729c9779beee8e6007734f932a155de278eb46d9fc557c39400 https://blog.talosintelligence.com/2018/04/threat-round-up-0406-0413.html |
M18-79301 | Gozi_c1bf4051 | Mixed | This strike sends a malware sample known as Gozi. Gozi is a popular banking malware that has been around since 2007 and was recently spotted by researchers in specific targeted campaigns. These are document samples associated with the malware campaigns. | c1bf4051aaf7f5b78d5825c333769c3f | 2c61002849ee203cc068f5360875096a2c14fb60 c1bf4051aaf7f5b78d5825c333769c3f baf336f2048ed4de6b342d4cdf8b6ca4a95cf83167c2f2c044c12fd85923ed87 http://blog.talosintelligence.com/2018/03/gozi-isfb-remains-active-in-2018.html |
M18-nq001 | Fareit_7cdaf947 | Windows | This strike sends a malware sample known as Fareit. Fareit steals and harvests credentials from the targeted system. This information is then exfiltrated to a C2 server. | 7cdaf947fdcd6dbfc03f975a77d4a12d | 3415c7bfc040b417006f5f4ca6dea6080a19348a 7cdaf947fdcd6dbfc03f975a77d4a12d e5d34b53cb6e4e111e167cf13b608b87f7ab7d43d7f08f995ae9f2c1139e8f51 https://blog.talosintelligence.com/2018/04/threat-round-up-0406-0413.html |
M18-6xc01 | Fareit_d5d05a68 | Windows | This strike sends a malware sample known as Fareit. Fareit steals and harvests credentials from the targeted system. This information is then exfiltrated to a C2 server. | d5d05a6827c5dfff19ae5726295afef7 | 0763ddfca3fedcbadbf91f2946d6701e7425e7de d5d05a6827c5dfff19ae5726295afef7 1d7a1a4181706379a7f80ed926c47cb0ebc7beb953739c9b41cec20093c63914 https://blog.talosintelligence.com/2018/04/threat-round-up-0406-0413.html |
M18-yqr01 | Neutrino_4472d7dc | Windows | This strike sends a malware sample known as Neutrino. Neutrino malware employs various sandbox evasion techniques. This variant of the Neutrino family targets point-of-sale terminals. | 4472d7dcfc811e1b0da7d62fa3ce486b | ae79399cc079dbb20d6ab3b50b30236e9d015038 4472d7dcfc811e1b0da7d62fa3ce486b 86746d7dfa923b5b1e0e5a0d27f19eb40979dcf342f2fba01ccbb09175b9363c https://blog.talosintelligence.com/2018/04/threat-round-up-0406-0413.html |
M18-slk01 | Fareit_4a6b63f1 | Windows | This strike sends a malware sample known as Fareit. Fareit steals and harvests credentials from the targeted system. This information is then exfiltrated to a C2 server. | 4a6b63f1b4efaf59a4343f3fed896026 | 59e38dbfed36c465202cea50f908d445da969098 4a6b63f1b4efaf59a4343f3fed896026 3f2925b26b0f0b0f141346d8a654a74704d9326492537de17518bd6fb11671e8 https://blog.talosintelligence.com/2018/04/threat-round-up-0406-0413.html |
M18-uzj01 | Startsurf_01ebe810 | Windows | This strike sends a malware sample known as Startsurf. This sample is a trojan that gathers and steals personal information from its target. | 01ebe810b6d69d0f6588191c333d6106 | af14fd59d99d16ff6fd967986d000bb8a773b6ba 01ebe810b6d69d0f6588191c333d6106 f0bfcb581935377def575a18a89290427d335c95da6781b11d1ad91711cb4a81 https://blog.talosintelligence.com/2018/04/threat-round-up-0406-0413.html |
M18-kp901 | Gozi_9357ef16 | Mixed | This strike sends a malware sample known as Gozi. Gozi is a popular banking malware that has been around since 2007 and was recently spotted by researchers in specific targeted campaigns. These are document samples associated with the malware campaigns. | 9357ef1690f7d4435d37553c760acc3e | 6b10b9c7a6e9e156171b775f2a5a7cd7a84e9d93 9357ef1690f7d4435d37553c760acc3e be5e420236c341bac83cdcfe4e3ec58ac9b32ca2c36af1596bf0e3642ab29d1c http://blog.talosintelligence.com/2018/03/gozi-isfb-remains-active-in-2018.html |
M18-tgm01 | Neutrino_d939dc2d | Windows | This strike sends a malware sample known as Neutrino. Neutrino malware employs various sandbox evasion techniques. This variant of the Neutrino family targets point-of-sale terminals. | d939dc2d8297c32805f7182f13c56891 | 1c2c3f3d4efe36ab51263a502a4670c444041121 d939dc2d8297c32805f7182f13c56891 1a1144444adb05aee9ef8adfb3c892a97d32b870d1ee300975a5f3597f2ed638 https://blog.talosintelligence.com/2018/04/threat-round-up-0406-0413.html |
M18-61m01 | Neutrino_e65541fe | Windows | This strike sends a malware sample known as Neutrino. Neutrino malware employs various sandbox evasion techniques. This variant of the Neutrino family targets point-of-sale terminals. | e65541fea778be35e24b5dc27b866819 | 79d8b1df541e1aadae1a59a4a10e24749803986e e65541fea778be35e24b5dc27b866819 e9a7b16189e27dff9ff67e31d09fa05e7f32658dfa56bb51feff8ca0cfb4eb85 https://blog.talosintelligence.com/2018/04/threat-round-up-0406-0413.html |
M18-gmw01 | Startsurf_00169225 | Windows | This strike sends a malware sample known as Startsurf. This sample is a trojan that gathers and steals personal information from its target. | 00169225291abe1864627a2da79125a9 | 7a589eb3487062f60ac1f98a309aed5227be1221 00169225291abe1864627a2da79125a9 0fee9d67ef1967d2bee1f67b1dc5ae24dff5d6dba17b9247e33b87f5bf6e6856 https://blog.talosintelligence.com/2018/04/threat-round-up-0406-0413.html |
M18-krj01 | Gozi_8281a8b8 | Mixed | This strike sends a malware sample known as Gozi. Gozi is a popular banking malware that has been around since 2007 and was recently spotted by researchers in specific targeted campaigns. These are document samples associated with the malware campaigns. | 8281a8b8a324aa55c22363912af080ae | bb982a9b37330741202d807504224c852314e91d 8281a8b8a324aa55c22363912af080ae c0e4aa6f57baae774b036bb5f9e9dd70a069d5ef03164c4b5e2a5825846b365e http://blog.talosintelligence.com/2018/03/gozi-isfb-remains-active-in-2018.html |
M18-sxi01 | Gozi_3b687c51 | Mixed | This strike sends a malware sample known as Gozi. Gozi is a popular banking malware that has been around since 2007 and was recently spotted by researchers in specific targeted campaigns. These are document samples associated with the malware campaigns. | 3b687c516e1269c54c04e709ce0826a0 | aeffe4e76999e2f738ea72f2d1979f5e0c9e3bca 3b687c516e1269c54c04e709ce0826a0 d942f42f13aebdeff0f6d2ad02ba0d86d7ef7bfb070fec0e32e0aa8851032e9d http://blog.talosintelligence.com/2018/03/gozi-isfb-remains-active-in-2018.html |
M18-kl801 | Kwampirs | Windows | This strike sends a malware sample known as Kwampirs Dropper. Kwampirs is a Trojan horse that creates a back door on the victim machine. Once infected, it attempts to propagate itself within the target network, gather information, and provide the attacker with remote access. These samples act as droppers and have been identified in the wild as being deployed by the Orangeworm group in an attack campaign targeted against the healthcare sector. | 7e5f76c7b5bf606b0fdc17f4ba75de03 | 20c30a82cc974cf1ef21dbcd94dfba73d7c4b723 7e5f76c7b5bf606b0fdc17f4ba75de03 a37bf368f0285ac938e1477c1c0230d28e8f39717ddded2fd82b00190cdf090e https://www.symantec.com/blogs/threat-intelligence/orangeworm-targets-healthcare-us-europe-asia |
M18-mbm01 | Upatre_049be077 | Windows | This strike sends a malware sample known as Upatre. Upatre is a downloader used in exploit kits that retrieves a variety of malicious executables for the target to execute. | 049be07740c4928fec7cee21a07cc414 | bd1c84b7fa1baefcede8e4be89b7cc73001ca3f2 049be07740c4928fec7cee21a07cc414 6b6eb4cc4aa8e3d71a97a8657ffcd27d2bd12466faf3b1f7fcbcd274a4b9561c https://blog.talosintelligence.com/2018/04/threat-round-up-0406-0413.html |
M18-g3w01 | Gozi_9ce80da2 | Mixed | This strike sends a malware sample known as Gozi. Gozi is a popular banking malware that has been around since 2007 and was recently spotted by researchers in specific targeted campaigns. These are document samples associated with the malware campaigns. | 9ce80da250a8eddd660d36a050c71b82 | 92d149b1776c35ddd8255b075e3a74b9ceb7c117 9ce80da250a8eddd660d36a050c71b82 b2b0fe8835f5cb0a941b876b48d7fda262b85b6fec15436e48fdd2003ed914d4 http://blog.talosintelligence.com/2018/03/gozi-isfb-remains-active-in-2018.html |
M18-e5p01 | Gozi_918c7b59 | Mixed | This strike sends a malware sample known as Gozi. Gozi is a popular banking malware that has been around since 2007 and was recently spotted by researchers in specific targeted campaigns. These are document samples associated with the malware campaigns. | 918c7b5973b7205ca1e065561e403a29 | a098c3094d73821f609be84ee5043fd3c5605d95 918c7b5973b7205ca1e065561e403a29 bf490a1a63c7e23b4afbe9140955b587457fef2c281c38defd8cde2c76c6f65b http://blog.talosintelligence.com/2018/03/gozi-isfb-remains-active-in-2018.html |
M18-wa801 | Win.Trojan.Generic-Dropper_11b9c78a | Windows | This strike sends a malware sample known as Win.Trojan.Generic-Dropper. These samples drop various malicious files, including cryptominers, on the targeted systems. The MD5 hash of this Win.Trojan. | 11b9c78abb0330036a200e4cf33c60ed | eb2dfa76e8d6260331133f62bae6d653c86579f2 11b9c78abb0330036a200e4cf33c60ed 3b0e9faf07e32d593b54cdfebd725707988bdaa7d81ab2ab396630384127fdc9 http://blog.talosintelligence.com/2018/02/threat-round-up-0216-0223.html |
M18-ydd01 | Gozi_981c8038 | Mixed | This strike sends a malware sample known as Gozi. Gozi is a popular banking malware that has been around since 2007 and was recently spotted by researchers in specific targeted campaigns. These are document samples associated with the malware campaigns. | 981c80386599f9922c4f34fdc7a4d49a | 3935ba570fb257c255efd433251b2234b0a3f771 981c80386599f9922c4f34fdc7a4d49a e112816a6380c8dd1c242ff911c2e59331615443fec86f5125e51ab10db1ad43 http://blog.talosintelligence.com/2018/03/gozi-isfb-remains-active-in-2018.html |
M18-xq101 | Gozi_3961de98 | Mixed | This strike sends a malware sample known as Gozi. Gozi is a popular banking malware that has been around since 2007 and was recently spotted by researchers in specific targeted campaigns. These are document samples associated with the malware campaigns. | 3961de98d1abbea525fbce184b538624 | 38d8d3a9be1128e3f2e6656ba011713d4ae92526 3961de98d1abbea525fbce184b538624 f8af90b820a1e6b052ce62d9f8446457f74a4542c6d6f6eec354b895982502b1 http://blog.talosintelligence.com/2018/03/gozi-isfb-remains-active-in-2018.html |
M18-f8h01 | VMProtBad_bab5318e | Windows | This strike sends a malware sample known as VMProtBad. This virus is a packed file injector that installs unwanted web browser toolbars and adware, and also has the capability to detect many Virtual Machine environments. | bab5318ed3d7561d55f3d63a30d0b5b4 | 2ff11c513e696308a752f6e7743e7f41cde63c33 bab5318ed3d7561d55f3d63a30d0b5b4 e8e31878a125c47e835ceea2f783fe7938bc9882869a98d9d2cb67c756c8cf97 http://blog.talosintelligence.com/2018/02/threat-round-up-0209-0216.html |
M18-kvy01 | VMProtBad_de5fed9d | Windows | This strike sends a malware sample known as VMProtBad. This virus is a packed file injector that installs unwanted web browser toolbars and adware, and also has the capability to detect many Virtual Machine environments. | de5fed9d6a68a3cfbf8b79082086aea6 | 6ca819b3d65d2434f5ab0d165b958c29354424e2 de5fed9d6a68a3cfbf8b79082086aea6 2e20f3dc237275d5579b96c46195aa05f79b206a356918a0e1bc990a42979111 http://blog.talosintelligence.com/2018/02/threat-round-up-0209-0216.html |
M18-c7o01 | Gandcrab_00891e2a | Windows | This strike sends a malware sample known as Gandcrab. These Gandcrab ransomware samples attempt to encrypt user files, and then append the extension GDCB to them. | 00891e2a94330956e31f0523c38fd8f5 | 4af5e829fbbab9f747205dc89bc731f58766c2a7 00891e2a94330956e31f0523c38fd8f5 14426a13dc4620932fd0af40005fb3f508d6a6d69eca897ef5af4f58f7761d3c http://blog.talosintelligence.com/2018/02/threat-round-up-0209-0216.html |
M18-7e101 | VMProtBad_d89d8435 | Windows | This strike sends a malware sample known as VMProtBad. This virus is a packed file injector that installs unwanted web browser toolbars and adware, and also has the capability to detect many Virtual Machine environments. | d89d84358c3af62f62b3a4b71e17baca | 9385e27f2b207a7ff3ed1412e2657cdf85d8c5d7 d89d84358c3af62f62b3a4b71e17baca f9225972bdc9d23e545a4f530f79760913eba49f8a78e53fc6b361cee499547e http://blog.talosintelligence.com/2018/02/threat-round-up-0209-0216.html |
M18-srx01 | Gandcrab_f3788597 | Windows | This strike sends a malware sample known as Gandcrab. These Gandcrab ransomware samples attempt to encrypt user files, and then append the extension GDCB to them. | f37885972222feee8571f1d383d0fae0 | a1f98094dabe8b25c3cefd25b41e3be79d1ce186 f37885972222feee8571f1d383d0fae0 1cbcecc05259b821d7d82f6b2e779de2f4d4dd1561445a213a91db8617e61c4c http://blog.talosintelligence.com/2018/02/threat-round-up-0209-0216.html |
M18-v7t01 | VMProtBad_bc2e6119 | Windows | This strike sends a malware sample known as VMProtBad. This virus is a packed file injector that installs unwanted web browser toolbars and adware, and also has the capability to detect many Virtual Machine environments. | bc2e61198ea9ee52735414d728756d36 | 3af83bb095eb4384b58dad5ecacac423efb6c3bc bc2e61198ea9ee52735414d728756d36 28d599079555f858bb7496dc8fe8fec7fb450aa083f039e90a1c9e11ed7d9094 http://blog.talosintelligence.com/2018/02/threat-round-up-0209-0216.html |
M18-yvg01 | Givelet | Windows | This strike sends a malware sample known as Givelet Packer. Givelet is a Windows Packer that obfuscates malware. It has been seen with malicious samples like the Gandcrab ransomware. | 0d9af6d18d7447a714225c2e93177873 | 2773bbde621556255a42e4decb270e6b30ac9ba2 0d9af6d18d7447a714225c2e93177873 184ccb64f12601a3797e9c73ce77c89d05b50f2a668f94ec8cfd1c7414906c0e http://blog.talosintelligence.com/2018/02/threat-round-up-0216-0223.html |
M18-90y01 | Win.Trojan.Generic-Dropper_50787cb0 | Windows | This strike sends a malware sample known as Win.Trojan.Generic-Dropper. These samples drop various malicious files, including cryptominers, on the targeted systems. The MD5 hash of this Win.Trojan. | 50787cb08c0f499fa16d27f3a4ad8e67 | 7d65e47c4258d036184d47d8eace2ae404c2df98 50787cb08c0f499fa16d27f3a4ad8e67 fddbec3a6e8fca4f3f388ff5856b8030005339967ffda594035f9353f5c71bd2 http://blog.talosintelligence.com/2018/02/threat-round-up-0216-0223.html |
M18-63r01 | Givelet | Windows | This strike sends a malware sample known as Givelet Packer. Givelet is a Windows Packer that obfuscates malware. It has been seen with malicious samples like the Gandcrab ransomware. | 01a890a87580e73210cd4104021baf25 | 0f0e1f02a030674de69c9eb143663ab955ee9eb3 01a890a87580e73210cd4104021baf25 1e7eebcaf485682da709a94fb1c679555a9090592cfe54564f5eb396c7458044 http://blog.talosintelligence.com/2018/02/threat-round-up-0216-0223.html |
M18-e3v01 | VMProtBad_26a887de | Windows | This strike sends a malware sample known as VMProtBad. This virus is a packed file injector that installs unwanted web browser toolbars and adware, and also has the capability to detect many Virtual Machine environments. | 26a887deb12ef27c995566b0ccdd98c1 | 11c99967baf24c70021269c33217d9df99843bc6 26a887deb12ef27c995566b0ccdd98c1 5aad686faa09afc69b067b67cb3db992820f96d3cadb5e160878255510194dc5 http://blog.talosintelligence.com/2018/02/threat-round-up-0209-0216.html |
M18-rhp01 | Gozi_12d070eb | Mixed | This strike sends a malware sample known as Gozi. Gozi is a popular banking malware that has been around since 2007 and was recently spotted by researchers in specific targeted campaigns. These are document samples associated with the malware campaigns. | 12d070eb94b43e5ea279f913b1b88888 | 8e8ee386d56f308511f69045b9b06160f3cc40f9 12d070eb94b43e5ea279f913b1b88888 f7854d717ea3449b6cf2ed56b8fc1e790dff23df19c62e554f233300faac8750 http://blog.talosintelligence.com/2018/03/gozi-isfb-remains-active-in-2018.html |
M18-44o01 | VMProtBad_e1341b1c | Windows | This strike sends a malware sample known as VMProtBad. This virus is a packed file injector that installs unwanted web browser toolbars and adware, and also has the capability to detect many Virtual Machine environments. | e1341b1c5b78dee9f58106d0d1932b1a | a79d8d898e82ce775543e63ead7cc368533bf363 e1341b1c5b78dee9f58106d0d1932b1a c55447abc07f82e59c4573b50038117d494bc8069bd868e2f4755cea405ec104 http://blog.talosintelligence.com/2018/02/threat-round-up-0209-0216.html |
M18-sg801 | Gozi_735eed3b | Mixed | This strike sends a malware sample known as Gozi. Gozi is a popular banking malware that has been around since 2007 and was recently spotted by researchers in specific targeted campaigns. These are document samples associated with the malware campaigns. | 735eed3bd45110f9bc21dfb3bf3406a8 | 296d79ab15c935818b5689d42da022803c8fd045 735eed3bd45110f9bc21dfb3bf3406a8 f03677848e924269e0c8f357ad56e96fb7d0875b6aef434779594e5fbeacb2aa http://blog.talosintelligence.com/2018/03/gozi-isfb-remains-active-in-2018.html |
M18-8wx01 | Gandcrab_42189447 | Windows | This strike sends a malware sample known as Gandcrab. These Gandcrab ransomware samples attempt to encrypt user files, and then append the extension GDCB to them. | 42189447f3f1b3c5a9a9dbdc097edfa9 | ae020f16aea472eeded0331cbb84d81f7fafb24a 42189447f3f1b3c5a9a9dbdc097edfa9 1f941ec87c3d98827d051ae46d626702960a690bf1f62645828b0ea5cbd6c5ec http://blog.talosintelligence.com/2018/02/threat-round-up-0209-0216.html |
M18-05p01 | Gozi_802be047 | Mixed | This strike sends a malware sample known as Gozi. Gozi is a popular banking malware that has been around since 2007 and was recently spotted by researchers in specific targeted campaigns. These are document samples associated with the malware campaigns. | 802be047127b51467ae4300276a6f2d8 | 1139780b91c6052cfcc2ac8f41df55855bccbef3 802be047127b51467ae4300276a6f2d8 d5d0afc9b0697ddbf097e4704c0e4818b09a3f195b88f276b57f3e665352d7c9 http://blog.talosintelligence.com/2018/03/gozi-isfb-remains-active-in-2018.html |
M18-h4001 | VMProtBad_5bf60b9a | Windows | This strike sends a malware sample known as VMProtBad. This virus is a packed file injector that installs unwanted web browser toolbars and adware, and also has the capability to detect many Virtual Machine environments. | 5bf60b9ad4900ede4497e1d6fa0b2110 | 48cba7240e82a93671664d0d5372d834521ce7ec 5bf60b9ad4900ede4497e1d6fa0b2110 67694e083c8b54090afe2a580da0242d9d05746953832b34af1c11290efe544e http://blog.talosintelligence.com/2018/02/threat-round-up-0209-0216.html |
M18-wme01 | Win.Trojan.Generic-Dropper_93bc7e9c | Windows | This strike sends a malware sample known as Win.Trojan.Generic-Dropper. These samples drop various malicious files, including cryptominers, on the targeted systems. The MD5 hash of this Win.Trojan. | 93bc7e9cdb7d0b859e67b0bb0b9ef37e | 661d1023cb74b62e139344bd0320047cf395c92f 93bc7e9cdb7d0b859e67b0bb0b9ef37e 2d1cfd1ae428729b32af03264179cb7640d4aa7b1e3c299cb106a77cfe42d216 http://blog.talosintelligence.com/2018/02/threat-round-up-0216-0223.html |
M18-1zb01 | VMProtBad_a4b89d1c | Windows | This strike sends a malware sample known as VMProtBad. This virus is a packed file injector that installs unwanted web browser toolbars and adware, and also has the capability to detect many Virtual Machine environments. | a4b89d1c33c0be3fec820c1398aa9af5 | d7b8d563ced2092cba04a1e3c32882a8d64227f0 a4b89d1c33c0be3fec820c1398aa9af5 66c9cd00579297128b36295f8c13cffb5a6d805f73e3086cabceaedfb361c37c http://blog.talosintelligence.com/2018/02/threat-round-up-0209-0216.html |
M18-1a601 | Gandcrab_ac321b0d | Windows | This strike sends a malware sample known as Gandcrab. These Gandcrab ransomware samples attempt to encrypt user files, and then append the extension GDCB to them. | ac321b0d6326ff027e3b5f0867ee5ca1 | 90ae8e7b70519251f2f4455175523dc1ae7657fc ac321b0d6326ff027e3b5f0867ee5ca1 22ddc024bf53ae71ff42cb79564f1bf8c9eb4f59d7c2ce3bc378c70ce067b250 http://blog.talosintelligence.com/2018/02/threat-round-up-0209-0216.html |
M18-a4h01 | XMRig | Linux | This strike sends a malware sample known as XMRig Miner Malware. This sample is part of an XMRig Coin Miner campaign targeting Linux servers. The malware specifically targets CVE-2013-2618, which is a vulnerability in Cacti Network's Weathermap plug-in. Once exploited, the malware drops and begins to execute the legitimate XMRig coin miner. | 70eabd2763d2309fc46b463bccc07417 | 67edb5cdf777416c0ce13b3f61d6a3d8e79edbf0 70eabd2763d2309fc46b463bccc07417 690aea53dae908c9afa933d60f467a17ec5f72463988eb5af5956c6cb301455b https://blog.trendmicro.com/trendlabs-security-intelligence/cryptocurrency-miner-distributed-via-php-weathermap-vulnerability-targets-linux-servers/ |
M18-svc01 | Godju_630d7c62 | Windows | This strike sends a malware sample known as Godju. The Godju ransomware family uses Tor for C2C communication. After it encrypts the target files, it uses the extension cypher to delete them and clean up after itself. | 630d7c621aac0cbfd2a7d0c450af75da | 9f7b34c4730234476e39ec5a6950d957db404609 630d7c621aac0cbfd2a7d0c450af75da 9a1794d3ae09b0a8c7a36fb27514760bb0227943d1ee37a7e81ffdfa9f36ec48 http://blog.talosintelligence.com/2018/02/threat-round-up-0209-0216.html |
M18-p8401 | Gandcrab_00d8564b | Windows | This strike sends a malware sample known as Gandcrab. These Gandcrab ransomware samples attempt to encrypt user files, and then append the extension GDCB to them. | 00d8564b33568eb487367d0205b00ba0 | df79b94f5c82e0fc71bb4d8d4ca6fee320e50f8c 00d8564b33568eb487367d0205b00ba0 15b705ee101e26b1ba39d62d6c816409e059f395de8a1a5bfdd35d0e20b705da http://blog.talosintelligence.com/2018/02/threat-round-up-0209-0216.html |
M18-7a801 | Gozi_7d3b215f | Mixed | This strike sends a malware sample known as Gozi. Gozi is a popular banking malware that has been around since 2007 and was recently spotted by researchers in specific targeted campaigns. These are document samples associated with the malware campaigns. | 7d3b215f3fa77a0e6bb20612aecbacfa | 771c75a24462f8eca232d23456b297b1dbce1f79 7d3b215f3fa77a0e6bb20612aecbacfa f703df08f5e7388f4873137977cf1c96a24293a7bf93b952c586c27b34e4212e http://blog.talosintelligence.com/2018/03/gozi-isfb-remains-active-in-2018.html |
M18-w9001 | Win.Trojan.Generic-Dropper_7743f6a0 | Windows | This strike sends a malware sample known as Win.Trojan.Generic-Dropper. These samples drop various malicious files, including cryptominers, on the targeted systems. The MD5 hash of this Win.Trojan. | 7743f6a02d4943f37ae9911e266b0316 | 5064f32aa1d3d50d138a069cf8bae10633f540e4 7743f6a02d4943f37ae9911e266b0316 013ede62c35998c847f9248bcede46dce801480743a064d488341f95094c0d4e http://blog.talosintelligence.com/2018/02/threat-round-up-0216-0223.html |
M18-3qv01 | Gozi_2eb34962 | Mixed | This strike sends a malware sample known as Gozi. Gozi is a popular banking malware that has been around since 2007 and was recently spotted by researchers in specific targeted campaigns. These are document samples associated with the malware campaigns. | 2eb34962194c741b1b5cf7319e4d31df | 5b2c33a879e0d74b01ce6c72e7ecff2eb822a0b9 2eb34962194c741b1b5cf7319e4d31df f97576b901e8daaac28370cbbc31ed48b98cea84b64a7d83c1fc2c805bf0c672 http://blog.talosintelligence.com/2018/03/gozi-isfb-remains-active-in-2018.html |
M18-mpz01 | Gandcrab_a2c25e6c | Windows | This strike sends a malware sample known as Gandcrab. These Gandcrab ransomware samples attempt to encrypt user files, and then append the extension GDCB to them. | a2c25e6ca41124fd24ab470c21827f19 | b1049363ceca9d3cb367cb7ed2512bcccb6f91c4 a2c25e6ca41124fd24ab470c21827f19 299edfd4bbf81f20fb8f8e2dd9d0fc4d26c925dbd1cf4372d9172bc2644d3ca5 http://blog.talosintelligence.com/2018/02/threat-round-up-0209-0216.html |
M18-fnr01 | Givelet | Windows | This strike sends a malware sample known as Givelet Packer. Givelet is a Windows Packer that obfuscates malware. It has been seen with malicious samples like the Gandcrab ransomware. | 0baf0db96ca395b8b1e0f95af9129319 | 0e4608e4c7f09277b80e4bc492506f81d3b42f46 0baf0db96ca395b8b1e0f95af9129319 19cebd1722376f2c62a1922214903052a964ad1d2505fa698376c5f3b4d0594b http://blog.talosintelligence.com/2018/02/threat-round-up-0216-0223.html |
M18-zjh01 | Regrun_03b35351 | Windows | This strike sends a malware sample known as Regrun. Regrun is a Windows trojan that hides itself on the target machine, hooks into the Windows shell, disables specific actions, and establishes persistence. | 03b353514a67cf54f6f11d1b23dec33e | dda79836a918e373b9ddfa0b44268b94f8ab271b 03b353514a67cf54f6f11d1b23dec33e 59695cfe42cc0d5418a4568d946949af5fd9de14bdc160d1a5d12d5916a9b411 http://blog.talosintelligence.com/2018/02/threat-round-up-0216-0223.html |
M18-5m101 | Godju_0f8ccee5 | Windows | This strike sends a malware sample known as Godju. The Godju ransomware family uses Tor for C2C communication. After it encrypts the target files, it uses the extension cypher to delete them and clean up after itself. | 0f8ccee515b88bae88aa3e4799d2265d | 4a237e6b8b6cac2dedee3c17e311b5c3918e0e6b 0f8ccee515b88bae88aa3e4799d2265d 0622fcb172773d8939b451c43902095b0f91877ae05e562c60d0ca0c237a2e9c http://blog.talosintelligence.com/2018/02/threat-round-up-0209-0216.html |
M18-zvh01 | Godju_38ddf749 | Windows | This strike sends a malware sample known as Godju. The Godju ransomware family uses Tor for C2C communication. After it encrypts the target files, it uses the extension cypher to delete them and clean up after itself. | 38ddf7498b83c64efb89b7d7953de77a | a7acda719c6a92fff6a9b620ae45e087a45f283b 38ddf7498b83c64efb89b7d7953de77a 36bba27b1fffbecb4f37400ec3368995e39dfabbce61422531a55a36c7696c33 http://blog.talosintelligence.com/2018/02/threat-round-up-0209-0216.html |
M18-97b01 | XMRig | Linux | This strike sends a malware sample known as XMRig Miner Malware. This sample is part of an XMRig Coin Miner campaign targeting Linux servers. The malware specifically targets CVE-2013-2618, which is a vulnerability in Cacti Network's Weathermap plug-in. Once exploited, the malware drops and begins to execute the legitimate XMRig coin miner. | 5aeb79a353888fd552dc7cc129e696a6 | 8558d71fb7009dd1d6feb104cf7a060e50ab8d61 5aeb79a353888fd552dc7cc129e696a6 1155fae112da3072d116f39e90f6af5430f44f78638db3f43a62a9037baa8333 https://blog.trendmicro.com/trendlabs-security-intelligence/cryptocurrency-miner-distributed-via-php-weathermap-vulnerability-targets-linux-servers/ |
M18-hby01 | Gozi_4fd9ccd0 | Mixed | This strike sends a malware sample known as Gozi. Gozi is a popular banking malware that has been around since 2007 and was recently spotted by researchers in specific targeted campaigns. These are document samples associated with the malware campaigns. | 4fd9ccd0bd6e296a356d5e4ed06eec4f | 133af28ead4b2ef10f05f4cf8aaedb819a0b1bc1 4fd9ccd0bd6e296a356d5e4ed06eec4f fee25e7d024107c867f4ddbb61756bb02e935a8802813f5d8677b3ecc282759d http://blog.talosintelligence.com/2018/03/gozi-isfb-remains-active-in-2018.html |
M18-n7f01 | Gozi_0d4c1fc6 | Mixed | This strike sends a malware sample known as Gozi. Gozi is a popular banking malware that has been around since 2007 and was recently spotted by researchers in specific targeted campaigns. These are document samples associated with the malware campaigns. | 0d4c1fc61258263a829d21e99affc6cd | 31b6714de2f8087067c2454d72b91c72dc8c0562 0d4c1fc61258263a829d21e99affc6cd fa9beaf7e8eb887f46ed584d2bb5b79f3c0fe5d57d6a5aecbdc7f6093c316eb8 http://blog.talosintelligence.com/2018/03/gozi-isfb-remains-active-in-2018.html |
M18-cu601 | Godju_7ffed972 | Windows | This strike sends a malware sample known as Godju. The Godju ransomware family uses Tor for C2C communication. After it encrypts the target files, it uses the extension cypher to delete them and clean up after itself. | 7ffed9727a4c90f3a244141cbc16ca90 | 225e9dab8a46458474ef05eef40ac366e318dc92 7ffed9727a4c90f3a244141cbc16ca90 4f888e9b613765653355f7dc2be015e7f32d677ae25fa7ff0298dc252339dce4 http://blog.talosintelligence.com/2018/02/threat-round-up-0209-0216.html |
M18-uxa01 | Givelet | Windows | This strike sends a malware sample known as Givelet Packer. Givelet is a Windows Packer that obfuscates malware. It has been seen with malicious samples like the Gandcrab ransomware. | 2090c66a0742e7c2646f50770c32047e | c4d0e614849ea2c4d2dd122d960dab728c815894 2090c66a0742e7c2646f50770c32047e 18dd0a662f77ca2ec235b3ae761cf7f4e6a3adb3fe32b2c994c080b6b7f10389 http://blog.talosintelligence.com/2018/02/threat-round-up-0216-0223.html |
M18-e9v01 | Win.Trojan.Generic-Dropper_621d2d7d | Windows | This strike sends a malware sample known as Win.Trojan.Generic-Dropper. These samples drop various malicious files, including cryptominers, on the targeted systems. The MD5 hash of this Win.Trojan. | 621d2d7d319c79ab209d663f9adc9884 | a192d168b58ef1a0364801e5de8fcc6d6423dc2e 621d2d7d319c79ab209d663f9adc9884 ab1c0fd38656ae73d1ec96bb5b3ee5e354022feca924653c606ad5dbc3ae0c47 http://blog.talosintelligence.com/2018/02/threat-round-up-0216-0223.html |
M18-6el01 | Gandcrab_d09b8363 | Windows | This strike sends a malware sample known as Gandcrab. These Gandcrab ransomware samples attempt to encrypt user files, and then append the extension GDCB to them. | d09b83633fbd149873b6eaf1b96bae57 | 4f95200f1e971d4db1958f7bd9f59b4b956b8d5a d09b83633fbd149873b6eaf1b96bae57 1bbee00688a4632749b40312e4109fdc58afa0b5a9e8603718d386fca095a015 http://blog.talosintelligence.com/2018/02/threat-round-up-0209-0216.html |
M18-r2n01 | Gozi_6e1e89c7 | Mixed | This strike sends a malware sample known as Gozi. Gozi is a widespread banking trojan that has been active since 2007 and was recently observed by researchers in specific targeted campaigns. This is a malicious document sample associated with those campaigns. | 6e1e89c787c27e62567cc32ef684e013 | 6c02d3acaafdb4f9765f062354bd6f226694f48a 6e1e89c787c27e62567cc32ef684e013 fc88d645f9885abf4274e7ed18e555447da13ef2c88082fdf904c3b869ab2854 http://blog.talosintelligence.com/2018/03/gozi-isfb-remains-active-in-2018.html |
M18-aj701 | Win.Trojan.Generic-Dropper_97b69663 | Windows | This strike sends a malware sample known as Win.Trojan.Generic-Dropper. These samples drop various malicious files, including cryptominers on the targeted systems. The MD5 hash of this Win.Trojan. | 97b696632cc402913ee7d70f2e246838 | 1aa3693216a86124a437846882a25ad93e6d0b64 97b696632cc402913ee7d70f2e246838 38cf958875c3eb34a07f15163e7ceb8294ada5eccb765aa37ea69aba4fe79cd8 http://blog.talosintelligence.com/2018/02/threat-round-up-0216-0223.html |
M18-29d01 | Win.Trojan.Generic-Dropper_204efe1f | Windows | This strike sends a malware sample known as Win.Trojan.Generic-Dropper. These samples drop various malicious files, including cryptominers on the targeted systems. The MD5 hash of this Win.Trojan. | 204efe1f3c0f1a41539e78ca96ea40bf | 9811ec0b3b9f6d79c72b375c9194e7d00a226366 204efe1f3c0f1a41539e78ca96ea40bf 5943eb982b5def7773628c728369398d5722c39f67b978c10782311eb00a50bf http://blog.talosintelligence.com/2018/02/threat-round-up-0216-0223.html |
M18-9mm01 | VMProtBad_d5517d03 | Windows | This strike sends a malware sample known as VMProtBad. This virus is a packed file injector that installs unwanted web browser toolbars and adware, and also has the capability to detect many Virtual Machine environments. | d5517d03e0bd665e3f42510eddb8fbe8 | 4c3f90c141f96630c48761c3857a8cb968274f42 d5517d03e0bd665e3f42510eddb8fbe8 8ee03ed6082b418b4ea91cc8e63848ac8113ed29c65ec9e3403e8f1f90c41b4a http://blog.talosintelligence.com/2018/02/threat-round-up-0209-0216.html |
M18-mvr01 | Win.Trojan.Generic-Worm_8ee1bdf6 | Windows | This strike sends a malware sample known as Win.Trojan.Generic-Worm. This trojan is a worm that makes an external call to a C2 server and exfiltrates information from the victim machine. The MD5 hash of this Win.Trojan. | 8ee1bdf601ae27f311eff9861fdb8b79 | a09ee04751bd9a479200df5bb02dfa2d2e75229b 8ee1bdf601ae27f311eff9861fdb8b79 eada793b386002f297ad511a2ae780cd011b189f1dccbd6ca62d89345095d6e6 http://blog.talosintelligence.com/2018/02/threat-round-up-0216-0223.html |
M18-fcy01 | Regrun_0547e900 | Windows | This strike sends a malware sample known as Regrun. Regrun is a Windows trojan that hides itself on the target machine and hooks into the Windows shell, disables specific actions and enables persistence. | 0547e900b8d385306e6522c12a6fe9e5 | 860d2d7689810023b17876c52e218bff5bfc88e3 0547e900b8d385306e6522c12a6fe9e5 d86831a343b89136da7a224b0abfae57a79b1ce5d0ae3447bef628d262fb0f12 http://blog.talosintelligence.com/2018/02/threat-round-up-0216-0223.html |
M18-qgg01 | Gozi_3caaa4e7 | Mixed | This strike sends a malware sample known as Gozi. Gozi is a widespread banking trojan that has been active since 2007 and was recently observed by researchers in specific targeted campaigns. This is a malicious document sample associated with those campaigns. | 3caaa4e73ce36a5a784722e8f3414779 | a8498b821900f38185d4c06020c1947c128e3386 3caaa4e73ce36a5a784722e8f3414779 f4b997725f499272c992b611b85db6b23f5b147319c0db0f093550178cbc1a17 http://blog.talosintelligence.com/2018/03/gozi-isfb-remains-active-in-2018.html |
M18-c2401 | Win.Trojan.Generic-Worm_ec1d2857 | Windows | This strike sends a malware sample known as Win.Trojan.Generic-Worm. This trojan is a worm that makes an external call to a C2 server and exfiltrates information from the victim machine. The MD5 hash of this Win.Trojan. | ec1d28577d98caa817b98f4dbf67dbf0 | 209ffb1fc2aea7d49c219d7f7a49c0db65817efe ec1d28577d98caa817b98f4dbf67dbf0 46a5a182b94569e4db66ae877064a18a1ca470aa0302d400eaed02545d83c1eb http://blog.talosintelligence.com/2018/02/threat-round-up-0216-0223.html |
M18-szs01 | Gandcrab_b6a47fd5 | Windows | This strike sends a malware sample known as Gandcrab. These Gandcrab ransomware samples attempt to encrypt user files, and then append the extension GDCB to them. | b6a47fd5a74326b86fa1eac0ace7c821 | 08c5d456c3394d851a569d50342a7e06ce508042 b6a47fd5a74326b86fa1eac0ace7c821 052a7544e45619190ee911406cdaff1708951c9d0a4070a5f7a69cc541f2e558 http://blog.talosintelligence.com/2018/02/threat-round-up-0209-0216.html |
M18-tzy01 | Gozi_1ee0336e | Mixed | This strike sends a malware sample known as Gozi. Gozi is a widespread banking trojan that has been active since 2007 and was recently observed by researchers in specific targeted campaigns. This is a malicious document sample associated with those campaigns. | 1ee0336e030dc9d11b09d43f33cdb9ed | cf76616a5b3a58055407d69df9e2ebbba460ed48 1ee0336e030dc9d11b09d43f33cdb9ed ff10e852973c6675fa1f623eb27ff70306ba607a25c976d78d9396731205ec0e http://blog.talosintelligence.com/2018/03/gozi-isfb-remains-active-in-2018.html |
M18-vgw01 | Gandcrab_ccdd4315 | Windows | This strike sends a malware sample known as Gandcrab. These Gandcrab ransomware samples attempt to encrypt user files, and then append the extension GDCB to them. | ccdd4315f56994d591b64b0175ac450a | 7571205ca029f57a90323340793bf9befd826e27 ccdd4315f56994d591b64b0175ac450a 04ef7221209f5ea957312704743139e6000e24dc4399ccc46d5e102ecf2ab3db http://blog.talosintelligence.com/2018/02/threat-round-up-0209-0216.html |
M18-bc801 | Win.Trojan.Generic-Dropper_6cad1510 | Windows | This strike sends a malware sample known as Win.Trojan.Generic-Dropper. These samples drop various malicious files, including cryptominers on the targeted systems. The MD5 hash of this Win.Trojan. | 6cad1510d9acb0daf67f1c647bea1858 | 1cf4319acfc7f6f3389329fb8097bd49594f13b9 6cad1510d9acb0daf67f1c647bea1858 166ee27653415896013b0e775c03ffc27db5a7b6daa7a4c78976fdd7bc166416 http://blog.talosintelligence.com/2018/02/threat-round-up-0216-0223.html |
M18-al301 | Gandcrab_c4118a27 | Windows | This strike sends a malware sample known as Gandcrab. These Gandcrab ransomware samples attempt to encrypt user files, and then append the extension GDCB to them. | c4118a27c9f291a55fdee8c611dfb000 | a4a728e9ad8b28c165a8746498977b8a5f092993 c4118a27c9f291a55fdee8c611dfb000 29a86b3a5c2f1a7a5ad325ccf5c906b532bb2275b79071e2ec98a281a290aadb http://blog.talosintelligence.com/2018/02/threat-round-up-0209-0216.html |
M18-92a01 | Gozi_0bec6bc9 | Mixed | This strike sends a malware sample known as Gozi. Gozi is a widespread banking trojan that has been active since 2007 and was recently observed by researchers in specific targeted campaigns. This is a malicious document sample associated with those campaigns. | 0bec6bc954b25143f321d42b7dc8ab7a | f5ad792f0b7c0e4235c7671c381cbb97bfe81932 0bec6bc954b25143f321d42b7dc8ab7a f010103d51638b98c985abdab4fe9deaeb850bf924f93b53c9084da8ce927f5b http://blog.talosintelligence.com/2018/03/gozi-isfb-remains-active-in-2018.html |
M18-tld01 | Gozi_d4b6fc64 | Mixed | This strike sends a malware sample known as Gozi. Gozi is a widespread banking trojan that has been active since 2007 and was recently observed by researchers in specific targeted campaigns. This is a malicious document sample associated with those campaigns. | d4b6fc64a83cde8f4a8f58dadae2652e | d9ca71ac2e1074c9a7321d9d07a0f007ee74b860 d4b6fc64a83cde8f4a8f58dadae2652e eecfcd71ce7ec89f8d1b642c80106db2ccae5721bf88148031ce077a93172068 http://blog.talosintelligence.com/2018/03/gozi-isfb-remains-active-in-2018.html |
M18-uel01 | Win.Trojan.Generic-Dropper_dea49e5a | Windows | This strike sends a malware sample known as Win.Trojan.Generic-Dropper. These samples drop various malicious files, including cryptominers on the targeted systems. The MD5 hash of this Win.Trojan. | dea49e5add62110ef1444817a9b87ad4 | c25c626fa3513fb6b0e521803bd7dee4dd49177a dea49e5add62110ef1444817a9b87ad4 4ca97c879d841e79a5588f350cea663272bdfab1a1e7761b109c6bc72da523fe http://blog.talosintelligence.com/2018/02/threat-round-up-0216-0223.html |
M18-vg801 | Win.Trojan.Generic-Dropper_ad8df4b5 | Windows | This strike sends a malware sample known as Win.Trojan.Generic-Dropper. These samples drop various malicious files, including cryptominers on the targeted systems. The MD5 hash of this Win.Trojan. | ad8df4b5896201f00979b5f1cc67c156 | 75c2214bacadcb6e6f944cdc87167ec561310334 ad8df4b5896201f00979b5f1cc67c156 9414096ebca4dd3e948014b7348578e5adfec4729e5a9f15f6b06dfffbd13408 http://blog.talosintelligence.com/2018/02/threat-round-up-0216-0223.html |
M18-oul01 | VMProtBad_ebf0d6b5 | Windows | This strike sends a malware sample known as VMProtBad. This virus is a packed file injector that installs unwanted web browser toolbars and adware, and also has the capability to detect many Virtual Machine environments. | ebf0d6b5841dfdc9d38363447f48cb8b | d55b8b670ac65ef4801b914568fb6f1a5fe7d180 ebf0d6b5841dfdc9d38363447f48cb8b ecb1e4e860ea7612793420677588c7411fc5717825470c956f1e21c30b5325d6 http://blog.talosintelligence.com/2018/02/threat-round-up-0209-0216.html |
M18-ei701 | Regrun_05c3375f | Windows | This strike sends a malware sample known as Regrun. Regrun is a Windows trojan that hides itself on the target machine and hooks into the Windows shell, disables specific actions and enables persistence. | 05c3375fa24baa0328d2ca06c4b8c94d | d51b0eaf18ce50f3a569eabbb5a8c37ab54b19fb 05c3375fa24baa0328d2ca06c4b8c94d 13cf35842c9ef3f362bb7d3c6c8c50957f5b156e865b45b57e2e420416a3f656 http://blog.talosintelligence.com/2018/02/threat-round-up-0216-0223.html |
M18-4km01 | VMProtBad_afe05cda | Windows | This strike sends a malware sample known as VMProtBad. This virus is a packed file injector that installs unwanted web browser toolbars and adware, and also has the capability to detect many Virtual Machine environments. | afe05cda61aeeb19a885855a7d6d8986 | d9734c31572d7b31cf1d80cc7bf4e721263377bd afe05cda61aeeb19a885855a7d6d8986 09c953e9fcc681daee3f311513308988048049bc687f3d10d9ae4e6462cdd4b8 http://blog.talosintelligence.com/2018/02/threat-round-up-0209-0216.html |
M18-lxf01 | Godju_168fd9fd | Windows | This strike sends a malware sample known as Godju. The Godju ransomware family uses Tor for C2 communication. After encrypting the target files it renames them with the .cypher extension and cleans up after itself. | 168fd9fdcccc385b78913b18b7e644f0 | 13c207c1277030bbff5ce8dd2e13764423a4bcbd 168fd9fdcccc385b78913b18b7e644f0 9690fec193714171652f8e0c7498d8ee3581fd0b074693a3a0ba07e5d95a141e http://blog.talosintelligence.com/2018/02/threat-round-up-0209-0216.html |
M18-4q901 | Givelet | Windows | This strike sends a malware sample known as Givelet Packer. Givelet is a Windows Packer that obfuscates malware. It has been seen with malicious samples like the Gandcrab ransomware. | 01ef2aafc7cea348552ed7b67c9dbaff | 1f7091658fc59bb92cf70047f8c22b020632dd60 01ef2aafc7cea348552ed7b67c9dbaff 32ee0ff7fbec042edbb9420e522eda1a126e1872da2b7a13b0627a03be4d1d59 http://blog.talosintelligence.com/2018/02/threat-round-up-0216-0223.html |
M18-3eh01 | VMProtBad_2c292dac | Windows | This strike sends a malware sample known as VMProtBad. This virus is a packed file injector that installs unwanted web browser toolbars and adware, and also has the capability to detect many Virtual Machine environments. | 2c292dacb339fd464ce42bf360f9eca5 | 520092abeca38054ecfe4d61462e348f5573730b 2c292dacb339fd464ce42bf360f9eca5 4e2624a133a42107d3def6ae7ffcb5e1a5c372ca2d8638438a03a4a040802517 http://blog.talosintelligence.com/2018/02/threat-round-up-0209-0216.html |
M18-t9p01 | Givelet | Windows | This strike sends a malware sample known as Givelet Packer. Givelet is a Windows Packer that obfuscates malware. It has been seen with malicious samples like the Gandcrab ransomware. | 200914872736a72a37d2433460f4dfb7 | c9d8bb9fd2472f1af12bfb3a9594e4ad767e8361 200914872736a72a37d2433460f4dfb7 3570b95ea454efd6735bf4942d69521d608ab7d0c9745cfa636f1107acc6a23c http://blog.talosintelligence.com/2018/02/threat-round-up-0216-0223.html |
M18-vys01 | Gozi_ec8bae15 | Mixed | This strike sends a malware sample known as Gozi. Gozi is a widespread banking trojan that has been active since 2007 and was recently observed by researchers in specific targeted campaigns. This is a malicious document sample associated with those campaigns. | ec8bae15417dcc2ba4b92a03904ef297 | f1879f675834d2ac2db61ca72033b5e7ef892881 ec8bae15417dcc2ba4b92a03904ef297 f584ec598c2926ecd0ee48c84a0a4e6d780de993281f390f6f93f014649fd2f2 http://blog.talosintelligence.com/2018/03/gozi-isfb-remains-active-in-2018.html |
M18-4a201 | Dofoil | Windows | This strike sends a malware sample known as Dofoil Coin Miner. This Dofoil campaign launches a process that masquerades as a legitimate Windows process but actually drops and executes coin miners capable of mining several cryptocurrencies. | 942faeae9f5b5442bc89438c437b7493 | 88eba5d205d85c39ced484a3aa7241302fd815e3 942faeae9f5b5442bc89438c437b7493 2b83c69cf32c5f8f43ec2895ec9ac730bf73e1b2f37e44a3cf8ce814fb51f120 https://cloudblogs.microsoft.com/microsoftsecure/2018/03/07/behavior-monitoring-combined-with-machine-learning-spoils-a-massive-dofoil-coin-mining-campaign/ |
M18-qhr01 | Gandcrab_ad7b4240 | Windows | This strike sends a malware sample known as Gandcrab. These Gandcrab ransomware samples attempt to encrypt user files, and then append the extension GDCB to them. | ad7b4240854cfd31b56eee2e36c91bd5 | 3fbb7d0d4ea30bc3f038271cc9e2021787dd16d1 ad7b4240854cfd31b56eee2e36c91bd5 0a2ebbf4d5ba25049b8225cb253f7f99423b706f9a239c877595eaf696058f56 http://blog.talosintelligence.com/2018/02/threat-round-up-0209-0216.html |
M18-ewl01 | Win.Trojan.Generic-Dropper_a44ca498 | Windows | This strike sends a malware sample known as Win.Trojan.Generic-Dropper. These samples drop various malicious files, including cryptominers on the targeted systems. The MD5 hash of this Win.Trojan. | a44ca498971eec7f99e564b77f0d865c | 8e6024e9da2d0b3cef1cdafa519b5c0ac6badfc3 a44ca498971eec7f99e564b77f0d865c 45b40df9bc6508a11c7fdf06de88a039485dca91d985fb667a91a4af35a08b2a http://blog.talosintelligence.com/2018/02/threat-round-up-0216-0223.html |
M18-82b01 | VMProtBad_906c8fd1 | Windows | This strike sends a malware sample known as VMProtBad. This virus is a packed file injector that installs unwanted web browser toolbars and adware, and also has the capability to detect many Virtual Machine environments. | 906c8fd114f0820c0a5acdbf6116241f | 162a1a07f8df7a87e852c6aed64d7a6b9801d430 906c8fd114f0820c0a5acdbf6116241f 59880ac464244c14deea6569d4d79377fec91f63b7951f137bd457985528f3f7 http://blog.talosintelligence.com/2018/02/threat-round-up-0209-0216.html |
M18-cad01 | Givelet | Windows | This strike sends a malware sample known as Givelet Packer. Givelet is a Windows Packer that obfuscates malware. It has been seen with malicious samples like the Gandcrab ransomware. | b4faf1965caa433a5dc10894c8040ebd | 1bc9f4f400dab4198d72b31f6f1d5380c19f5c88 b4faf1965caa433a5dc10894c8040ebd 29ce80f75b8877e22cdcdf3fbecb01d2d1a65161f18311facdbbd090769b5ee6 http://blog.talosintelligence.com/2018/02/threat-round-up-0216-0223.html |
M18-iux01 | VMProtBad_3a20b788 | Windows | This strike sends a malware sample known as VMProtBad. This virus is a packed file injector that installs unwanted web browser toolbars and adware, and also has the capability to detect many Virtual Machine environments. | 3a20b7881d50f299f88674997697a927 | 150a2dcffd8842d41adf17ac7cd25aa69febe506 3a20b7881d50f299f88674997697a927 b2e43a6ac8301d5304715b8528c40da58c5e2f473995738178d9f5444d52785a http://blog.talosintelligence.com/2018/02/threat-round-up-0209-0216.html |
M18-1m101 | GhostMiner_dcf13317 | Mixed | This strike sends a malware sample known as GhostMiner. GhostMiner uses fileless evasion frameworks in an effort to spread to other targets. The mining component is launched from memory and is the XMRig miner. | dcf13317db595b6114ef90659f3860df | b73c9ab9f12e5481a892217e28480a8713014827 dcf13317db595b6114ef90659f3860df 40a507a88ba03b9da3de235c9c0afdfcf7a0473c8704cbb26e16b1b782becd4d https://blog.minerva-labs.com/ghostminer-cryptomining-malware-goes-fileless |
M18-k7501 | Dofoil | Windows | This strike sends a malware sample known as Dofoil Coin Miner. This Dofoil campaign launches a process that masquerades as a legitimate Windows process but actually drops and executes coin miners capable of mining several cryptocurrencies. | 53bee1572d43897c55e2df143a66da7c | ba84eb93a12e8a6bae1e29fe02d2c5b04759263d 53bee1572d43897c55e2df143a66da7c d191ee5b20ec95fe65d6708cbb01a6ce72374b309c9bfb7462206a0c7e039f4d https://cloudblogs.microsoft.com/microsoftsecure/2018/03/07/behavior-monitoring-combined-with-machine-learning-spoils-a-massive-dofoil-coin-mining-campaign/ |
M18-4gn01 | Gozi_12b22e4f | Mixed | This strike sends a malware sample known as Gozi. Gozi is a widespread banking trojan that has been active since 2007 and was recently observed by researchers in specific targeted campaigns. This is a malicious document sample associated with those campaigns. | 12b22e4f0733f2b4b9804ac3bb8e4a5a | 2f6ff9751a790141c0e2e3b82f5dbc6e840594e9 12b22e4f0733f2b4b9804ac3bb8e4a5a f47750218afdebc37ae9462356dd5a1209a238e4228dd10001641211b91862ac http://blog.talosintelligence.com/2018/03/gozi-isfb-remains-active-in-2018.html |
M18-k5902 | Win.Trojan.Generic-Worm_4a370d54 | Windows | This strike sends a malware sample known as Win.Trojan.Generic-Worm. This trojan is a worm that makes an external call to a C2 server and exfiltrates information from the victim machine. The MD5 hash of this Win.Trojan. | 4a370d54a912cfe6a9a017fe33252b62 | 40aa3638d61ba8dc4a9f01f3727571a0e708e5a2 4a370d54a912cfe6a9a017fe33252b62 4c54271a9c1fc98d0561c6f8ab45be77121bb382453e07d49f2b56d89bd263ab http://blog.talosintelligence.com/2018/02/threat-round-up-0216-0223.html |
M18-hlj01 | Givelet | Windows | This strike sends a malware sample known as Givelet Packer. Givelet is a Windows Packer that obfuscates malware. It has been seen with malicious samples like the Gandcrab ransomware. | 63904c4c1196d7a7274a9fef219f00fa | 294aa5b201b9acedc091c9fa26932034a5c1c3a7 63904c4c1196d7a7274a9fef219f00fa 14944d9db8baace4d7fb97cdf285009b5e0472bd6aa4d9cb530a1f3893287682 http://blog.talosintelligence.com/2018/02/threat-round-up-0216-0223.html |
M18-u2e01 | Gandcrab_1154eec2 | Windows | This strike sends a malware sample known as Gandcrab. These Gandcrab ransomware samples attempt to encrypt user files, and then append the extension GDCB to them. | 1154eec2c27091268e16db59fcb491e6 | da8bd7f19fc476569c12ba37a173af089c303242 1154eec2c27091268e16db59fcb491e6 261fd62f71e3b566c8ae77e44760f0346c4f353a25f879ee5401e4755745ba10 http://blog.talosintelligence.com/2018/02/threat-round-up-0209-0216.html |
M18-s0l01 | VMProtBad_d5574ea5 | Windows | This strike sends a malware sample known as VMProtBad. This virus is a packed file injector that installs unwanted web browser toolbars and adware, and also has the capability to detect many Virtual Machine environments. | d5574ea5b6655af24b7cc74fc0be762b | 84f022316c785e8618d9e4c719223c6625187d42 d5574ea5b6655af24b7cc74fc0be762b 246569246bb8a4694f7b48e9c7abdc6e732b7e1c73b2c802c045d5cda03ef3da http://blog.talosintelligence.com/2018/02/threat-round-up-0209-0216.html |
M18-0hz01 | Gozi_bbf3be06 | Mixed | This strike sends a malware sample known as Gozi. Gozi is a widespread banking trojan that has been active since 2007 and was recently observed by researchers in specific targeted campaigns. This is a malicious document sample associated with those campaigns. | bbf3be06a6f4b6b34af48f55072da837 | 4ee432a723f26b76fd7f91991b297e57b0913562 bbf3be06a6f4b6b34af48f55072da837 f23d4daa59e771990a4ed13100d5a39454c89e3c01ccfb6bfa9b3257dcd51b13 http://blog.talosintelligence.com/2018/03/gozi-isfb-remains-active-in-2018.html |
M18-qwt01 | Gozi_88aeb1bf | Mixed | This strike sends a malware sample known as Gozi. Gozi is a widespread banking trojan that has been active since 2007 and was recently observed by researchers in specific targeted campaigns. This is a malicious document sample associated with those campaigns. | 88aeb1bf08ade97d24ea8e379cb923a8 | b189ea64e1a3054a1b2e617624e06649e912d42e 88aeb1bf08ade97d24ea8e379cb923a8 ffd17e07e3b64207128b0b10f7b638c8bc97022f07b4410e7de28ad07650db09 http://blog.talosintelligence.com/2018/03/gozi-isfb-remains-active-in-2018.html |
M18-p1m01 | Gozi_00a7b967 | Mixed | This strike sends a malware sample known as Gozi. Gozi is a widespread banking trojan that has been active since 2007 and was recently observed by researchers in specific targeted campaigns. This is a malicious document sample associated with those campaigns. | 00a7b96790c3ca21f7e5bdcdfe7a15e7 | 33b861b31419dbc6b21d2fa4444a8a78b988ea13 00a7b96790c3ca21f7e5bdcdfe7a15e7 f82333a95a38167b554da0a6d2da54b19a0c633e6d8aa3a3a47c98a3fee304ab http://blog.talosintelligence.com/2018/03/gozi-isfb-remains-active-in-2018.html |
M18-wa001 | VMProtBad_a646c214 | Windows | This strike sends a malware sample known as VMProtBad. This virus is a packed file injector that installs unwanted web browser toolbars and adware, and also has the capability to detect many Virtual Machine environments. | a646c214cee2f6db3df0d6ba0c96c866 | aef259b74b081efdf49116bf5a0aed640e781c34 a646c214cee2f6db3df0d6ba0c96c866 0412d1da28e300a2677e46ea1af64d664ee47f845336d1081d15df58d3e9016a http://blog.talosintelligence.com/2018/02/threat-round-up-0209-0216.html |
M18-nrt01 | Gozi_d6229a6a | Mixed | This strike sends a malware sample known as Gozi. Gozi is a widespread banking trojan that has been active since 2007 and was recently observed by researchers in specific targeted campaigns. This is a malicious document sample associated with those campaigns. | d6229a6a24180bbf601015d9a14d4b1a | c5184154b100074ef4c743409ecee20f4b41b78e d6229a6a24180bbf601015d9a14d4b1a f974b1b74f862028f1335b15ed98d1388cdc770b6770aac9b7cc62847d9dad32 http://blog.talosintelligence.com/2018/03/gozi-isfb-remains-active-in-2018.html |
M18-wo501 | Win.Trojan.Generic-Worm_db602aec | Windows | This strike sends a malware sample known as Win.Trojan.Generic-Worm. This trojan is a worm that makes an external call to a C2 server and exfiltrates information from the victim machine. The MD5 hash of this Win.Trojan. | db602aec1381d775c174f99ecf614a3c | d2b7f16a5d9be3483b3832048198eb60b53347f5 db602aec1381d775c174f99ecf614a3c ba1d8858e7863db19f04cf44cfa92906887833a84099f2bc810ed5c6863b46b1 http://blog.talosintelligence.com/2018/02/threat-round-up-0216-0223.html |
M18-3e201 | Gandcrab_fc2e6154 | Windows | This strike sends a malware sample known as Gandcrab. These Gandcrab ransomware samples attempt to encrypt user files, and then append the extension GDCB to them. | fc2e6154756d329eaed7f099d18b91da | a9d01c428332ed9f9ee43bf01c320faeac004c6e fc2e6154756d329eaed7f099d18b91da 03c8bece3db3e2d6b26cc9769d2a694071117cbcf21830aa143507b03b402681 http://blog.talosintelligence.com/2018/02/threat-round-up-0209-0216.html |
M18-jme01 | Gozi_8ee304ef | Mixed | This strike sends a malware sample known as Gozi. Gozi is a widespread banking trojan that has been active since 2007 and was recently observed by researchers in specific targeted campaigns. This is a malicious document sample associated with those campaigns. | 8ee304efa087574c9df940ab2ca5474e | 024652ecbfa0bad984f890fd3cf94e37cf783e01 8ee304efa087574c9df940ab2ca5474e f11b7237907275ca59ce4f0b630f69a6c3770b0060359917bf465690e2309e47 http://blog.talosintelligence.com/2018/03/gozi-isfb-remains-active-in-2018.html |
M18-h1e01 | Godju_d62d87fc | Windows | This strike sends a malware sample known as Godju. The Godju ransomware family uses Tor for C2 communication. After encrypting the target files it renames them with the .cypher extension and cleans up after itself. | d62d87fcd8fc52dd64c101f6df5bc05b | 33f050ddb5f137180a6a673d2734f088ffe64ccd d62d87fcd8fc52dd64c101f6df5bc05b 412ce2fea4821c63074f3cd6223c9e9d7f074f18d5cd88dc1d7a36a1bb2f919c http://blog.talosintelligence.com/2018/02/threat-round-up-0209-0216.html |
M18-6x901 | Givelet | Windows | This strike sends a malware sample known as Givelet Packer. Givelet is a Windows Packer that obfuscates malware. It has been seen with malicious samples like the Gandcrab ransomware. | 0a218cadbb446ced377affcfbd9e6276 | e0780f26a5b13fde96b0c65628f5cfe919695f74 0a218cadbb446ced377affcfbd9e6276 1eae0edf899f881fd86f0500b58f9b6497d5b94a99ac439307d61c0f24cb1573 http://blog.talosintelligence.com/2018/02/threat-round-up-0216-0223.html |
M18-m0z01 | XMRig | Linux | This strike sends a malware sample known as XMRig Miner Malware. This sample is part of an XMRig coin miner campaign targeting Linux servers. The malware specifically exploits CVE-2013-2618, a vulnerability in the Network Weathermap plug-in for Cacti. Once the flaw is exploited, the malware drops and executes the legitimate XMRig coin miner. | 6f87973abb1cb978fbb2f59be7daf929 | b398e371770efdcfd56b61e5564b8b7ee4921180 6f87973abb1cb978fbb2f59be7daf929 2c7b1707564fb4b228558526163249a059cf5e90a6e946be152089f0b69e4025 https://blog.trendmicro.com/trendlabs-security-intelligence/cryptocurrency-miner-distributed-via-php-weathermap-vulnerability-targets-linux-servers/ |
M18-unn01 | VMProtBad_5acf350e | Windows | This strike sends a malware sample known as VMProtBad. This virus is a packed file injector that installs unwanted web browser toolbars and adware, and also has the capability to detect many Virtual Machine environments. | 5acf350eddd24517407a9db1e3c6e8b4 | e1d2927bab1b77939d8c681403d4de6d2f6e573d 5acf350eddd24517407a9db1e3c6e8b4 fd7fe9120abfd3da2124357680acaf010d1768fdaa570e471b30207a4e8d9dae http://blog.talosintelligence.com/2018/02/threat-round-up-0209-0216.html |
M18-dph01 | Gandcrab_af889676 | Windows | This strike sends a malware sample known as Gandcrab. These Gandcrab ransomware samples attempt to encrypt user files, and then append the extension GDCB to them. | af889676466d8ea91d9e89264e16c672 | 891d740f6488e4d1f2315bf4d55cea7d5d5f1963 af889676466d8ea91d9e89264e16c672 15b3a69b86710122a8824ce17996c3301e96b1c629b7db3d9919012954903c85 http://blog.talosintelligence.com/2018/02/threat-round-up-0209-0216.html |
M18-opj01 | Win.Trojan.Generic-Dropper_23cb92a3 | Windows | This strike sends a malware sample known as Win.Trojan.Generic-Dropper. These samples drop various malicious files, including cryptominers on the targeted systems. The MD5 hash of this Win.Trojan. | 23cb92a3a247bb538413bf625e761945 | df9fbf25183ac4466d80a69e2bb385ac1df2ef0c 23cb92a3a247bb538413bf625e761945 1f1ec9a132226bc4eac25a6e999cc9b937718cb356c8d41b2bb08266ca1c5a38 http://blog.talosintelligence.com/2018/02/threat-round-up-0216-0223.html |
M18-dcx01 | Gozi_a190d9f1 | Mixed | This strike sends a malware sample known as Gozi. Gozi is a widespread banking trojan that has been active since 2007 and was recently observed by researchers in specific targeted campaigns. This is a malicious document sample associated with those campaigns. | a190d9f1f987ec7e7845d8bbb766b45d | b1e303d44b81ebdb4efd6e25438a9ae753d0a0b7 a190d9f1f987ec7e7845d8bbb766b45d f0b78cf8d5df4c9873ecd7750eb6b49d565097ca59e8592b07a2e748fda1ab2d http://blog.talosintelligence.com/2018/03/gozi-isfb-remains-active-in-2018.html |
M18-s2e01 | Givelet | Windows | This strike sends a malware sample known as Givelet Packer. Givelet is a Windows Packer that obfuscates malware. It has been seen with malicious samples like the Gandcrab ransomware. | 0b28c7f03f230c29383c1918397a285e | 2b4e8413a061ee896d2fa85decbce2060e7dcd40 0b28c7f03f230c29383c1918397a285e 1257a5650f02a4cbff43c190452517e17f4aa46284b7063162e4a54d318aff79 http://blog.talosintelligence.com/2018/02/threat-round-up-0216-0223.html |
M18-3uj01 | Gandcrab_bb281189 | Windows | This strike sends a malware sample known as Gandcrab. These Gandcrab ransomware samples attempt to encrypt user files, and then append the extension GDCB to them. | bb281189b366b439e99fa1ab1866e85f | fbd684c21c57b84f39a84799339adbabba35e21b bb281189b366b439e99fa1ab1866e85f 084d5c8161764da9af2b1dde0146a7f9b51491c562d8036aa28b85a4a1a32aaa http://blog.talosintelligence.com/2018/02/threat-round-up-0209-0216.html |
M18-fu001 | GhostMiner_f94d5386 | Mixed | This strike sends a malware sample known as GhostMiner. GhostMiner uses fileless evasion frameworks in an effort to spread to other targets. The mining component is launched from memory and is the XMRig miner. | f94d5386f58f663a40b3aa444a024855 | eb9e8203bfe096d37258fea68c5a650449a17f48 f94d5386f58f663a40b3aa444a024855 9a326afeeb2ba80de356992ec72beeab28e4c11966b28a16356b43a397d132e8 https://blog.minerva-labs.com/ghostminer-cryptomining-malware-goes-fileless |
M18-js001 | Win.Trojan.Generic-Dropper_32cc3da6 | Windows | This strike sends a malware sample known as Win.Trojan.Generic-Dropper. These samples drop various malicious files, including cryptominers on the targeted systems. The MD5 hash of this Win.Trojan. | 32cc3da6eb18696d7b6cf797500eb8cf | dffa22dba6fdd7454bc579bb5f4726b9948f3f6d 32cc3da6eb18696d7b6cf797500eb8cf 3ff03a32f5a944c6655789bbfa124a7d52bb17df771c975685a5dce69c124d04 http://blog.talosintelligence.com/2018/02/threat-round-up-0216-0223.html |
M18-4tz01 | Win.Trojan.Generic-Worm_6d111706 | Windows | This strike sends a malware sample known as Win.Trojan.Generic-Worm. This trojan is a worm that makes an external call to a C2 server and exfiltrates information from the victim machine. The MD5 hash of this Win.Trojan. | 6d11170602281c8b365c638901f67369 | bc7f34e80f06c34872fb8df4c19ec8e9c4aca4a9 6d11170602281c8b365c638901f67369 dde1cc674ef61703752be1d3354f0f766724678aa0fdeb6376e7448a901d7f78 http://blog.talosintelligence.com/2018/02/threat-round-up-0216-0223.html |
M18-f5t01 | Gozi_f143d252 | Mixed | This strike sends a malware sample known as Gozi. Gozi is a widespread banking trojan that has been active since 2007 and was recently observed by researchers in specific targeted campaigns. This is a malicious document sample associated with those campaigns. | f143d252ab3c1ee86aee33f3e1eb2f8b | 20cb638150ee953c13a391cbb6f1f0045b82b651 f143d252ab3c1ee86aee33f3e1eb2f8b f323778fbfaca654f6b91124c60d81bc3fba360ff96d30f0253293760ae504a0 http://blog.talosintelligence.com/2018/03/gozi-isfb-remains-active-in-2018.html |
M18-xru01 | Win.Trojan.Generic-Dropper_0465b1c6 | Windows | This strike sends a malware sample known as Win.Trojan.Generic-Dropper. These samples drop various malicious files, including cryptominers on the targeted systems. The MD5 hash of this Win.Trojan. | 0465b1c699c8cfb95b43e0e0276fcb4b | eab93b24c1eb6f0c2e3712b28b33637d6a3eb532 0465b1c699c8cfb95b43e0e0276fcb4b a6a9ec0af4abe94b72e557f4b9c9d4d0b59b4296aca3175a1551b84efefed856 http://blog.talosintelligence.com/2018/02/threat-round-up-0216-0223.html |
M18-2xj01 | Godju_493640f0 | Windows | This strike sends a malware sample known as Godju. The Godju ransomware family uses Tor for C2 communication. After encrypting the target files it renames them with the .cypher extension and cleans up after itself. | 493640f022a7ac07ad4e8d6f2cd3740e | 4c4a1df308e415ab356d93ff4c5884f551e40cf5 493640f022a7ac07ad4e8d6f2cd3740e 7005535e034576fdb66b5b32eb198b48d7755758e77bd66909f8dd7288c1e069 http://blog.talosintelligence.com/2018/02/threat-round-up-0209-0216.html |
M18-l8w01 | GhostMiner_6883db2a | Mixed | This strike sends a malware sample known as GhostMiner. GhostMiner uses fileless evasion frameworks in an effort to spread to other targets. The mining component is launched from memory and is the XMRig miner. | 6883db2a29856e4e88a944ad962683dc | 5a9740c6c1e0db3f1f32fb49d06bf5530bf21a3c 6883db2a29856e4e88a944ad962683dc 8a2bdea733ef3482e8d8f335e6a4e75c690e599a218a392ebac6fcb7c8709b52 https://blog.minerva-labs.com/ghostminer-cryptomining-malware-goes-fileless |
M18-anp01 | VMProtBad_ea1baff5 | Windows | This strike sends a malware sample known as VMProtBad. This virus is a packed file injector that installs unwanted web browser toolbars and adware, and also has the capability to detect many Virtual Machine environments. | ea1baff59f0673cb691612c12b17482c | 703e30cac6d24c0960a887caa32083b1014d56d3 ea1baff59f0673cb691612c12b17482c a4cc65474efd0b0e3aeaee8614b397dbc9bd3ecf7a95a8526d8ac84ed3848ee4 http://blog.talosintelligence.com/2018/02/threat-round-up-0209-0216.html |
M18-s3o01 | Givelet | Windows | This strike sends a malware sample known as Givelet Packer. Givelet is a Windows Packer that obfuscates malware. It has been seen with malicious samples like the Gandcrab ransomware. | cf85b692e58a94538052047ccaaad006 | 08c9f04c1002311ae51671427be6994ed604e797 cf85b692e58a94538052047ccaaad006 3732c9fd5ff38c31fda2492dd81584819f12cce5731f7361f536bdf8040c724d http://blog.talosintelligence.com/2018/02/threat-round-up-0216-0223.html |
M18-boj01 | Gozi_6f347d19 | Mixed | This strike sends a malware sample known as Gozi. Gozi is a popular banking malware that has been around since 2007 and was recently spotted by researchers in specific targeted campaigns. These are document-based samples associated with the Gozi malware campaigns. | 6f347d19fcc0d336809ac1c49fdef3c2 | 4443502cfd80dd39d3c49943df0264872a7bc4c7 6f347d19fcc0d336809ac1c49fdef3c2 f7dd9c3111f0e0ed831ecf858f98a95389818378526a5c69e0cfea1977638d0a http://blog.talosintelligence.com/2018/03/gozi-isfb-remains-active-in-2018.html |
M18-t7d01 | Gandcrab_e49a2983 | Windows | This strike sends a malware sample known as Gandcrab. These Gandcrab ransomware samples attempt to encrypt user files, and then append the extension GDCB to them. | e49a2983f432472d5e64fd970bb68a88 | 638fffeebb259f7055a319db622606d6b65eeee5 e49a2983f432472d5e64fd970bb68a88 289d660ede22b4062d102307d5830a2af10da669ce573c279db8e055e6fbdaaa http://blog.talosintelligence.com/2018/02/threat-round-up-0209-0216.html |
M18-vy301 | Gozi_b06572a6 | Mixed | This strike sends a malware sample known as Gozi. Gozi is a popular banking malware that has been around since 2007 and was recently spotted by researchers in specific targeted campaigns. These are document-based samples associated with the Gozi malware campaigns. | b06572a6b4f3261b6cf355225b7d139c | 7873067b2442d577078d6bba33838e750dd422ef b06572a6b4f3261b6cf355225b7d139c f6546f3a9fb403743f9ab72ed5c8e9cc63f26bc65f4fbd7139e4adbb12e854b8 http://blog.talosintelligence.com/2018/03/gozi-isfb-remains-active-in-2018.html |
M18-r2c01 | Gandcrab_ae3ed37e | Windows | This strike sends a malware sample known as Gandcrab. These Gandcrab ransomware samples attempt to encrypt user files, and then append the extension GDCB to them. | ae3ed37e2a1252582adbc4b4092d11a1 | 8eb194eb9a028cad16dce58ebd2e77ba9acb1a07 ae3ed37e2a1252582adbc4b4092d11a1 0664a3cca1d5c0c9f2b7f0e6b2f0f20e99b3f902e98e9e709f0bb8ac1cadb867 http://blog.talosintelligence.com/2018/02/threat-round-up-0209-0216.html |
M18-7pw01 | Gozi_0d32128c | Mixed | This strike sends a malware sample known as Gozi. Gozi is a popular banking malware that has been around since 2007 and was recently spotted by researchers in specific targeted campaigns. These are document-based samples associated with the Gozi malware campaigns. | 0d32128c5b6ae94200a79e41384ad7f3 | 24fc1f5a56fd9542ec8fb63c8c69c76f53b0ecee 0d32128c5b6ae94200a79e41384ad7f3 423d6adbb47ce64e47944fe07bd22fd1a06e2332f5975b0da329394dcd7a5d3a http://blog.talosintelligence.com/2018/03/gozi-isfb-remains-active-in-2018.html |
M18-1fk01 | Gandcrab_c1f93966 | Windows | This strike sends a malware sample known as Gandcrab. These Gandcrab ransomware samples attempt to encrypt user files, and then append the extension GDCB to them. | c1f939662db002c454f43b74db7841f9 | 2336ae922d4651359510da460fc8503e69712d99 c1f939662db002c454f43b74db7841f9 02e90fb6cd303ebced661c5c7c9af249241835285e0e64b1092731485584ab8a http://blog.talosintelligence.com/2018/02/threat-round-up-0209-0216.html |
M18-vul01 | Gozi_dded59f5 | Mixed | This strike sends a malware sample known as Gozi. Gozi is a popular banking malware that has been around since 2007 and was recently spotted by researchers in specific targeted campaigns. These are document-based samples associated with the Gozi malware campaigns. | dded59f51a5d04c60faea5fd6150661a | a73edebf73f202815466aedfb4c51bbefd217e4c dded59f51a5d04c60faea5fd6150661a f2e0902e21abde220813e7a4ea68c7b6039e92cecf338a522739e0d03bbbca16 http://blog.talosintelligence.com/2018/03/gozi-isfb-remains-active-in-2018.html |
M18-iwn01 | Gandcrab_06c96441 | Windows | This strike sends a malware sample known as Gandcrab. These Gandcrab ransomware samples attempt to encrypt user files, and then append the extension GDCB to them. | 06c96441f93299addff5fb44506a3e9f | bc1de7f70f34ad5db88b0b69ee6c6bfe26289a67 06c96441f93299addff5fb44506a3e9f 075c9b925c8a0c5cea4d26b1f3c23666c99cede647c9769503f8e35a96c098b9 http://blog.talosintelligence.com/2018/02/threat-round-up-0209-0216.html |
M18-fqv01 | Regrun_05044912 | Windows | This strike sends a malware sample known as Regrun. Regrun is a Windows trojan that hides itself on the target machine and hooks into the Windows shell, disables specific actions and enables persistence. | 05044912df5fc8d7f8d6e752bfd55b25 | a4528d68b0382a178869b9c0ed97746a98c7090b 05044912df5fc8d7f8d6e752bfd55b25 4a66e0bfcdd2addfccd8ba68c50d2b803beb2b8120a6cf4f8fecf4a0b0cf1678 http://blog.talosintelligence.com/2018/02/threat-round-up-0216-0223.html |
M18-id801 | Givelet | Windows | This strike sends a malware sample known as Givelet Packer. Givelet is a Windows Packer that obfuscates malware. It has been seen with malicious samples like the Gandcrab ransomware. | 056225eee12cca9813de30bb8074e569 | 3a266b4ecba535dc496625e27afba30f52324a44 056225eee12cca9813de30bb8074e569 10f2ed852befc9c9c15e5231b2167bbec66e3700c44bcf324312a32e932fa819 http://blog.talosintelligence.com/2018/02/threat-round-up-0216-0223.html |
M18-ji901 | Gozi_223b43c3 | Mixed | This strike sends a malware sample known as Gozi. Gozi is a popular banking malware that has been around since 2007 and was recently spotted by researchers in specific targeted campaigns. These are document-based samples associated with the Gozi malware campaigns. | 223b43c3adf88f89c86c1f1e6da1d2e3 | 80ddd53193e956dfdace98b42e3d085ec94c7edd 223b43c3adf88f89c86c1f1e6da1d2e3 f85cdff7982cdd06bfd1deea928678ebc6d83625a2f5090f094153312e914849 http://blog.talosintelligence.com/2018/03/gozi-isfb-remains-active-in-2018.html |
M18-gtr01 | Gozi_2c90625f | Mixed | This strike sends a malware sample known as Gozi. Gozi is a popular banking malware that has been around since 2007 and was recently spotted by researchers in specific targeted campaigns. These are document-based samples associated with the Gozi malware campaigns. | 2c90625f84a51b57e75049beee698252 | a1cb2dfc25dcaa41ecf093c85187f25aec2f6227 2c90625f84a51b57e75049beee698252 fe18a882867fd6725bc5c3afc0f8b7e9a81383d7c8baf30dec362c4eb2c95ccb http://blog.talosintelligence.com/2018/03/gozi-isfb-remains-active-in-2018.html |
M18-wwh01 | Gandcrab_a1fb858b | Windows | This strike sends a malware sample known as Gandcrab. These Gandcrab ransomware samples attempt to encrypt user files, and then append the extension GDCB to them. | a1fb858bf56af11a5ab261bffecb81da | 92e6e136ad1240ff446234d34176f8af1d0c7d2f a1fb858bf56af11a5ab261bffecb81da 022024c7db211df7da83d533d24c795eb4178f5a7b9a27acf752874bcdbd5477 http://blog.talosintelligence.com/2018/02/threat-round-up-0209-0216.html |
M18-lk701 | XMRig | Linux | This strike sends a malware sample known as XMRig Miner Malware. This sample is part of an XMRig coin miner campaign targeting Linux servers. The malware specifically targets CVE-2013-2618, a vulnerability in the Network Weathermap plug-in for Cacti. Once the vulnerability is exploited, the malware drops and executes the legitimate XMRig coin miner. | 07b28eee8623cd2905db82a6a8580265 | c4577702ee18f7b7674555b7aa688e37d847aec6 07b28eee8623cd2905db82a6a8580265 48cf0f374bc3add6e3f73f6db466f9b62556b49a9f7abbcce068ea6fb79baa04 https://blog.trendmicro.com/trendlabs-security-intelligence/cryptocurrency-miner-distributed-via-php-weathermap-vulnerability-targets-linux-servers/ |
M18-97c01 | Gozi_01ed114f | Mixed | This strike sends a malware sample known as Gozi. Gozi is a popular banking malware that has been around since 2007 and was recently spotted by researchers in specific targeted campaigns. These are document-based samples associated with the Gozi malware campaigns. | 01ed114fde71c5f9e77dfdcec884767a | 1ef6aed3d369cf10977426fab35e78886469ada3 01ed114fde71c5f9e77dfdcec884767a fb74870bd4441e5933712c79804c3d9aeb0ba86162295990183abe8daa235c3d http://blog.talosintelligence.com/2018/03/gozi-isfb-remains-active-in-2018.html |
M18-qn201 | Gozi_ea592197 | Mixed | This strike sends a malware sample known as Gozi. Gozi is a popular banking malware that has been around since 2007 and was recently spotted by researchers in specific targeted campaigns. These are document-based samples associated with the Gozi malware campaigns. | ea592197a398714700eec0b1b4ee8e33 | 85c1052f392c6f39c368dcf5d5cc39890cbdabf2 ea592197a398714700eec0b1b4ee8e33 a85ec8d623a497bd37efe216f8bd9e88ad24050949aacaf66461165ba09d5861 http://blog.talosintelligence.com/2018/03/gozi-isfb-remains-active-in-2018.html |
M18-3xd01 | Gozi_228a7bb6 | Mixed | This strike sends a malware sample known as Gozi. Gozi is a popular banking malware that has been around since 2007 and was recently spotted by researchers in specific targeted campaigns. These are document-based samples associated with the Gozi malware campaigns. | 228a7bb6a6d10523afff39da47621133 | a7a638420c84ea2957df25d9798859ff9c6d7744 228a7bb6a6d10523afff39da47621133 ff9785c05c08789800db47812c4e70ab892ecdba07189aa38fe0edbc4b87837d http://blog.talosintelligence.com/2018/03/gozi-isfb-remains-active-in-2018.html |