Malware Update 2020 Release Notes

Malware Update 2020

Malware Monthly Strikes

Malware December

Malware November

Malware Strikes December - 2020

Strike ID	Malware	Platform	Info	MD5	External References
M20-72zh1	Gh0stRAT_34a648b5	Windows	This strike sends a polymorphic malware sample known as Gh0stRAT. Gh0stRAT is a remote access Trojan that provides control over an infected system. Some of its known functions include the ability to record keystrokes, record screenshots and download additional malicious payloads.The binary has random bytes appended at the end of the file.	34a648b57683dd4d48a4123aee6542be	https://attack.mitre.org/techniques/T1009/ SHA256: f423b11021ce9175c79881f2988516428e9e80659f41105ae037cdedd5e0da8c SHA1: 9d7b304bd8a65f1f788ab5e8a788e0f5e1748061 PARENTID: M20-gt381 SSDEEP: 1536:MbuXXlyLMFM6NRjebOZewU/R4kY6WpsQEYzQI4wb9DprLElnY+fsrcNgF0f2bb3C:lFyLM/NR+O8wl6usKH9DRJUyMrAny MD5: 34a648b57683dd4d48a4123aee6542be
M20-lblq1	PyXie	Windows	This strike sends a malware sample known as PyXie RAT. PyXie is a Python Remote Access Trojan. It has been seen in the wild since 2018, and is typically seen in conjunction with Cobalt Strike beacons. PyXie has been used to deliver ransomware attacks to the healthcare and education industries.	cf1ad0f6c0f7dfe7b5940008ed27bc28	https://blogs.blackberry.com/en/2019/12/meet-pyxie-a-nefarious-new-python-rat SHA256: ea27862bd01ee8882817067f19df1e61edca7364ce649ae4d09e1a1cae14f7cc SHA1: 6599794ea40f54656c8ac0d7c2efe1362ec8414d MD5: cf1ad0f6c0f7dfe7b5940008ed27bc28
M20-hywt1	PyXie	Windows	This strike sends a malware sample known as PyXie Lite. PyXie Lite is a variant of its predecessor PyXie, the Python RAT. It can be recognized by its much smaller code base and a few other noticeable changes in its functionality, which include a hardened interpreter, remapped opcode table, exfiltration of data through internal servers, and performing reconnaissance.	ab109ced41f9be476da69b671d4e28ce	https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/2/ SHA256: b2b3a199291c3651b1d7413c7dba92566a893010a50e770e1802f173f1c2c7a4 SHA1: f6085a9c93fd2ea75c1843a2bfc7b1e85f919d7a MD5: ab109ced41f9be476da69b671d4e28ce
M20-wde71	Vatet	Windows	This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR encoded shellcode from the local disk or a network share. These loaders are often modified in order to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or as of lately the PyXie RAT payload. Vatet loader is often seen as the first stage in an Enterprise wide ransomware attack.	9935435529057201dac86957275a43e9	https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/ SHA256: 3cd581621d9a16ebe724e9ba7445aa82162307ff6b2a31be572e87dbce2aa8ad SHA1: 2201ebb6e819f38c080b252f7ae48accd78159be MD5: 9935435529057201dac86957275a43e9
M20-vs2i1	PyXie	Windows	This strike sends a malware sample known as PyXie RAT. PyXie is a Python Remote Access Trojan. It has been seen in the wild since 2018, and is typically seen in conjunction with Cobalt Strike beacons. PyXie has been used to deliver ransomware attacks to the healthcare and education industries.	3b8c4e9f27a265c2ba4c39ee94e135a2	https://blogs.blackberry.com/en/2019/12/meet-pyxie-a-nefarious-new-python-rat SHA256: 56e96ce15ebd90c197a1638a91e8634dbc5b0b4d8ef28891dcf470ca28d08078 SHA1: fa7f4b931dda6ece05a23d552a96c757127c3e0e MD5: 3b8c4e9f27a265c2ba4c39ee94e135a2
M20-w8jx1	PyXie	Windows	This strike sends a malware sample known as PyXie RAT. PyXie is a Python Remote Access Trojan. It has been seen in the wild since 2018, and is typically seen in conjunction with Cobalt Strike beacons. PyXie has been used to deliver ransomware attacks to the healthcare and education industries.	1955375a3ba47f2d293aad78e2478edf	https://blogs.blackberry.com/en/2019/12/meet-pyxie-a-nefarious-new-python-rat SHA256: 78471db16d7bd484932c8eb72f7001db510f4643b3449d71d637567911ca363b SHA1: 006513670374228a112e15ed03e24089515d085b MD5: 1955375a3ba47f2d293aad78e2478edf
M20-qzdx1	PyXie	Windows	This strike sends a malware sample known as PyXie Lite. PyXie Lite is a variant of its predecessor PyXie, the Python RAT. It can be recognized by its much smaller code base and a few other noticeable changes in its functionality, which include a hardened interpreter, remapped opcode table, exfiltration of data through internal servers, and performing reconnaissance.	af27bf67e462bf5ef61b15a0e160ea84	https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/2/ SHA256: 5736e167e234e06b33e8d8d6bb80e13b1bacca8d7cd3271695220cdec2e4a79e SHA1: f5849ee6ab9de4be3024775cd2bf809b742f4bf5 MD5: af27bf67e462bf5ef61b15a0e160ea84
M20-4dqj1	Vatet	Windows	This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR encoded shellcode from the local disk or a network share. These loaders are often modified in order to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or as of lately the PyXie RAT payload. Vatet loader is often seen as the first stage in an Enterprise wide ransomware attack.	dba03b64b963b77fe966238c261aace4	https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/ SHA256: d50f28cf5012e1ffde1cd28655e07519dadcf94218b15c701c526ab0f6acb915 SHA1: 009d4a6ab775f4d8ac0a3343adf5e5910a8747ec MD5: dba03b64b963b77fe966238c261aace4
M20-98eh1	Vatet	Windows	This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR encoded shellcode from the local disk or a network share. These loaders are often modified in order to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or as of lately the PyXie RAT payload. Vatet loader is often seen as the first stage in an Enterprise wide ransomware attack.	c7e84d5c86f51a349445ad126c42fd89	https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/ SHA256: 4d39782ccdb902e8e5348b8b3ce92f0834c713c565cca82be67a0a8eb6468df6 SHA1: 5b13441e82f6964164e05ea3c92145b70d400201 MD5: c7e84d5c86f51a349445ad126c42fd89
M20-bkbm1	PyXie	Windows	This strike sends a malware sample known as PyXie Lite. PyXie Lite is a variant of its predecessor PyXie, the Python RAT. It can be recognized by its much smaller code base and a few other noticeable changes in its functionality, which include a hardened interpreter, remapped opcode table, exfiltration of data through internal servers, and performing reconnaissance.	86d297b262fb1e9f8c1cee271ceea40e	https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/2/ SHA256: f80bcc60e79b387f63edfe0f1fc66492af4ff201ad5eb8080b1249ca43f6f30f SHA1: 62493be40396091164113e76c289df62ffeec90b MD5: 86d297b262fb1e9f8c1cee271ceea40e
M20-2fqg1	Barys_6a191144	Windows	This strike sends a polymorphic malware sample known as Barys. Barys is a trojan and downloader that will upload malicious files to the victim machine.The binary has random bytes appended at the end of the file.	6a191144dc2744c0d803461b8b35336b	https://attack.mitre.org/techniques/T1009/ SHA256: 0fadbc1a6cbbdcf8c6dfef369ca47881d562813e5e4de984d16001eaed83692b SHA1: 1a13b6c282d8ac31996a79e3cca2e18194d2568c PARENTID: M20-rmoa1 SSDEEP: 384:/DLPVyLRFT8Mtls0IKJdhpEoa24+odbe419lZK38nmPsywEJdxg15GMIScho9meh:/gbT8MlIcdk+odC41HjmzZJmr0jeyE MD5: 6a191144dc2744c0d803461b8b35336b
M20-hsdz1	Vatet	Windows	This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR encoded shellcode from the local disk or a network share. These loaders are often modified in order to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or as of lately the PyXie RAT payload. Vatet loader is often seen as the first stage in an Enterprise wide ransomware attack.	039e75cdd8787394789d11ca6d2c7711	https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/ SHA256: a50b58e24eb261157c4f85d02412d80911abe8501b011493c7b393c1905fc234 SHA1: d940407a48bc4e0481b2790e89e58aa020b8887f MD5: 039e75cdd8787394789d11ca6d2c7711
M20-qla01	PyXie	Windows	This strike sends a malware sample known as PyXie RAT. PyXie is a Python Remote Access Trojan. It has been seen in the wild since 2018, and is typically seen in conjunction with Cobalt Strike beacons. PyXie has been used to deliver ransomware attacks to the healthcare and education industries.	3d89a7dfd0984f23c4ebd1931d029108	https://blogs.blackberry.com/en/2019/12/meet-pyxie-a-nefarious-new-python-rat SHA256: d271569d5557087aecc340bb570179b73265b29bed2e774d9a2403546c7dd5ff SHA1: 39c6484c0ca69f2e98adad292436fadf80c3c12a MD5: 3d89a7dfd0984f23c4ebd1931d029108
M20-20vf1	Defray777_210f47c8	Linux	This strike sends a malware sample known as Defray777. Defray777 is an elusive family of Ransomware also known as RansomX and RansomExx that has been active since 2018. It runs entirely in memory, and is typically delivered and executed by a loader such as Cobalt Strike. The malware has been ported to Linux, however unlike the Windows variant the Linux variant doesn't employ Anti-Analysis measures to hinder reverse engineering.	210f47c8f47ded8525da927710abc6ad	https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/3/ SHA256: 78147d3be7dc8cf7f631de59ab7797679aba167f82655bcae2c1b70f1fafc13d SHA1: 50f191f04aa6cff1d8688a3c5d6cce96739ab6b3 MD5: 210f47c8f47ded8525da927710abc6ad
M20-yg4v1	PyXie	Windows	This strike sends a malware sample known as PyXie Lite. PyXie Lite is a variant of its predecessor PyXie, the Python RAT. It can be recognized by its much smaller code base and a few other noticeable changes in its functionality, which include a hardened interpreter, remapped opcode table, exfiltration of data through internal servers, and performing reconnaissance.	d0857462281df296b60a8814d4fa052f	https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/2/ SHA256: b3c6f365819864340a8a8fe3076fb326c1debfdbbc826384cb2978aea82edc48 SHA1: 658c536d92c7b60e7c31bc4eeb43504c83204df7 MD5: d0857462281df296b60a8814d4fa052f
M20-mzle1	PyXie	Windows	This strike sends a malware sample known as PyXie RAT. PyXie is a Python Remote Access Trojan. It has been seen in the wild since 2018, and is typically seen in conjunction with Cobalt Strike beacons. PyXie has been used to deliver ransomware attacks to the healthcare and education industries.	440c46ace55eb539376c05dc03e98cd4	https://blogs.blackberry.com/en/2019/12/meet-pyxie-a-nefarious-new-python-rat SHA256: 0da9e149ba324f20a390140e9d7913b13ababa07f5b65e4d25e3555c1119e768 SHA1: 038e505ed342a39766d034ffee1e87fdfc62930b MD5: 440c46ace55eb539376c05dc03e98cd4
M20-exgu1	Vatet	Windows	This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR encoded shellcode from the local disk or a network share. These loaders are often modified in order to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or as of lately the PyXie RAT payload. Vatet loader is often seen as the first stage in an Enterprise wide ransomware attack.	0ea9b7a283e7d4601fb7dbd63493b342	https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/ SHA256: 56934547dcf0d7ecf61868ae2f620f60e94c094dbd5c3b5aaf3d3a904d20a693 SHA1: b655342769408e0bdd46449aa8968c4c362a222a MD5: 0ea9b7a283e7d4601fb7dbd63493b342
M20-a54g1	Chthonic_35e71926	Windows	This strike sends a polymorphic malware sample known as Chthonic. Chthonic is a banking trojan that is normally delivered by the attacker via phishing emails. Its purpose to to exfiltrate sensitive credentials from the victim machine, and has also been seen delivering other malware like AZORult to perform additional functionality.The binary has the timestamp field updated in the PE file header.	35e7192617a5bfe4e3663f40610a7f11	https://attack.mitre.org/techniques/T1099/ SHA256: 01785bc411c5f7c386ac0c155e9334a624750722911cb420bdd6ba9666c4a075 SHA1: e2363a3d1230c852837d19c13cc421ecfdd9f2af PARENTID: M20-569e1 SSDEEP: 768:Ph1SGw0Nd6EF+MIi3hISRdJlDED1Anx3LScmjElP/Vc6+DxIamqtswYh/YY86AAx:iV0Nd6EF+eljbx3LSqt+GF82jco MD5: 35e7192617a5bfe4e3663f40610a7f11
M20-keqo1	Vatet	Windows	This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR encoded shellcode from the local disk or a network share. These loaders are often modified in order to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or as of lately the PyXie RAT payload. Vatet loader is often seen as the first stage in an Enterprise wide ransomware attack.	6932dfcd3789f88e828d939174183446	https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/ SHA256: 5dc7f70a0d20f97c30c25bd927235deec713cde5d1c41916e23dd0c3431ffacd SHA1: e289f6a347facc397402d63d36f70f58338d8ca8 MD5: 6932dfcd3789f88e828d939174183446
M20-jhm51	Vatet	Windows	This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR encoded shellcode from the local disk or a network share. These loaders are often modified in order to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or as of lately the PyXie RAT payload. Vatet loader is often seen as the first stage in an Enterprise wide ransomware attack.	4ef817562dc042e616ae26a2c8773f23	https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/ SHA256: a098b5455fd1e9d0dea067405cd891b94cc42a0067cbd21d385f9c1254c21fdd SHA1: c1b9b376a54b08d5eae491f951b57d6bb04afa5a MD5: 4ef817562dc042e616ae26a2c8773f23
M20-wlk11	Vatet	Windows	This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR encoded shellcode from the local disk or a network share. These loaders are often modified in order to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or as of lately the PyXie RAT payload. Vatet loader is often seen as the first stage in an Enterprise wide ransomware attack.	b18ee982de606adc6715e7a52648b63c	https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/ SHA256: 8eef012c2eecb7f8a776464f52e12f62c466cfc85adf4eef0d2bc270e7a19212 SHA1: f3c97b56b85eb3a0009bf831e89a4cf57d4deb41 MD5: b18ee982de606adc6715e7a52648b63c
M20-vihm1	PyXie	Windows	This strike sends a malware sample known as PyXie RAT. PyXie is a Python Remote Access Trojan. It has been seen in the wild since 2018, and is typically seen in conjunction with Cobalt Strike beacons. PyXie has been used to deliver ransomware attacks to the healthcare and education industries.	aa64323c466ac0ae62ec6532bac30936	https://blogs.blackberry.com/en/2019/12/meet-pyxie-a-nefarious-new-python-rat SHA256: 92a8b74cafa5eda3851cc494f26db70e5ef0259bc7926133902013e5d73fd285 SHA1: 007f198146686cf0bad9d8c5bb262f8e5c007706 MD5: aa64323c466ac0ae62ec6532bac30936
M20-75p01	PyXie	Windows	This strike sends a malware sample known as PyXie RAT. PyXie is a Python Remote Access Trojan. It has been seen in the wild since 2018, and is typically seen in conjunction with Cobalt Strike beacons. PyXie has been used to deliver ransomware attacks to the healthcare and education industries.	5d2fd364769d12d26c83922e5e31e48e	https://blogs.blackberry.com/en/2019/12/meet-pyxie-a-nefarious-new-python-rat SHA256: 563dd5a95f439bc2b4170a74c8be565a1af076e6cbebd1d018b2809a1e8bc908 SHA1: 00263c910dcf67f7eaa37c48914c30b78261652c MD5: 5d2fd364769d12d26c83922e5e31e48e
M20-o3n51	Vatet	Windows	This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR encoded shellcode from the local disk or a network share. These loaders are often modified in order to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or as of lately the PyXie RAT payload. Vatet loader is often seen as the first stage in an Enterprise wide ransomware attack.	dcba8d6cf6b336ac96db500ad99b0013	https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/ SHA256: fcdd72fd2e03badfac13eed5e2d17054bbdcea7c1743179095ce109bf40a7f0f SHA1: 1bacc1afd4bd2d34279b39e9e2fc6099c49fa29f MD5: dcba8d6cf6b336ac96db500ad99b0013
M20-4n511	Vatet	Windows	This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR encoded shellcode from the local disk or a network share. These loaders are often modified in order to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or as of lately the PyXie RAT payload. Vatet loader is often seen as the first stage in an Enterprise wide ransomware attack.	31dc5267d3daf057baaa37f8d5d59229	https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/ SHA256: 608f34a79e5566593b284ef0d24f48ea89bc007e5654ae0969e6d9f92ec87d32 SHA1: 15c3985c14c98de4a7eabba3495b474f753923b7 MD5: 31dc5267d3daf057baaa37f8d5d59229
M20-727z1	Vatet	Windows	This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR encoded shellcode from the local disk or a network share. These loaders are often modified in order to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or as of lately the PyXie RAT payload. Vatet loader is often seen as the first stage in an Enterprise wide ransomware attack.	088d29b4a238a650e12f5ce97ec58289	https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/ SHA256: e48e88542ec4cd6f1aa794abc846f336822b1104557c0dfe67cff63e5231c367 SHA1: 08a6b196e3a2d140314225ef8c88228aaea09ac5 MD5: 088d29b4a238a650e12f5ce97ec58289
M20-qxtk1	Barys_2f511a1d	Windows	This strike sends a polymorphic malware sample known as Barys. Barys is a trojan and downloader that will upload malicious files to the victim machine.The binary has random strings (lorem ipsum) appended at the end of the file.	2f511a1df6582dea8340fd62e27c9f3e	https://attack.mitre.org/techniques/T1009/ SHA256: 41a98f4a8ef76470d573c6daa9db027ee7cd76a957c669d7a30ebcfe01c5e1bd SHA1: f812646cd54274420324b42801e6bca7dc128a88 PARENTID: M20-mxx31 SSDEEP: 384:UDLPVyLRFT8Mtls0IKJdhpEoa24+odbe419lZK38nmPsywEXZxg15iMISchoyMnL:MgbT8MlIcdk+odC41HjmzZX630nMnIU MD5: 2f511a1df6582dea8340fd62e27c9f3e
M20-0xi41	PyXie	Windows	This strike sends a malware sample known as PyXie RAT. PyXie is a Python Remote Access Trojan. It has been seen in the wild since 2018, and is typically seen in conjunction with Cobalt Strike beacons. PyXie has been used to deliver ransomware attacks to the healthcare and education industries.	f198217bafc00828a2f5bc7f816c8e1d	https://blogs.blackberry.com/en/2019/12/meet-pyxie-a-nefarious-new-python-rat SHA256: 814357417aa8a57e43d50cb3347c9d287b99955b0b8aee4e53e12b463f7441a0 SHA1: 0342939f6ff3699c7528f4adfdad5a35d1353b88 MD5: f198217bafc00828a2f5bc7f816c8e1d
M20-129q1	Vatet	Windows	This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR encoded shellcode from the local disk or a network share. These loaders are often modified in order to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or as of lately the PyXie RAT payload. Vatet loader is often seen as the first stage in an Enterprise wide ransomware attack.	05d24dd80b9a39e2148e94c742f8f16b	https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/ SHA256: 350926c6bb7419330e55e687c9f00520a560c41f6013528cbb9ea42faeeb3201 SHA1: 1ca072554f6aa3a320587bff3ec200e61310654c MD5: 05d24dd80b9a39e2148e94c742f8f16b
M20-c38p1	Vatet	Windows	This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR encoded shellcode from the local disk or a network share. These loaders are often modified in order to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or as of lately the PyXie RAT payload. Vatet loader is often seen as the first stage in an Enterprise wide ransomware attack.	ddf9e95123d9b585fa9e164236bfd338	https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/ SHA256: 8373be56ddab97188a8606eb5f529187bfb819f5cb5a50c56f6a7878c94c7f86 SHA1: f87c2ce9936da536fa7e229adb6d79800a9961fe MD5: ddf9e95123d9b585fa9e164236bfd338
M20-g0121	PyXie	Windows	This strike sends a malware sample known as PyXie RAT. PyXie is a Python Remote Access Trojan. It has been seen in the wild since 2018, and is typically seen in conjunction with Cobalt Strike beacons. PyXie has been used to deliver ransomware attacks to the healthcare and education industries.	1856d7d2a60bfc2da5c36781294e5033	https://blogs.blackberry.com/en/2019/12/meet-pyxie-a-nefarious-new-python-rat SHA256: c3b3f46a5c850971e1269d09870db755391dcbe575dc7976f90ccb1f3812d5ea SHA1: e2ac158c425965b639b1ec5949e3c8300c278310 MD5: 1856d7d2a60bfc2da5c36781294e5033
M20-lalu1	Vatet	Windows	This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR encoded shellcode from the local disk or a network share. These loaders are often modified in order to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or as of lately the PyXie RAT payload. Vatet loader is often seen as the first stage in an Enterprise wide ransomware attack.	eb885e485049ee4516bbdf6d9c5f202d	https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/ SHA256: e5fede5eb43732c7f098acf7b68b1350c6524962215b476de571819b6e5a71fc SHA1: 90851164d3452929fd2567de72153d1c018de994 MD5: eb885e485049ee4516bbdf6d9c5f202d
M20-vrn11	PyXie	Windows	This strike sends a malware sample known as PyXie RAT. PyXie is a Python Remote Access Trojan. It has been seen in the wild since 2018, and is typically seen in conjunction with Cobalt Strike beacons. PyXie has been used to deliver ransomware attacks to the healthcare and education industries.	54c11dcb706996a76976211c3685153d	https://blogs.blackberry.com/en/2019/12/meet-pyxie-a-nefarious-new-python-rat SHA256: c9400b2fff71c401fe752aba967fa8e7009b64114c9c431e9e91ac39e8f79497 SHA1: 74ab88499a9b8d77cd9a8820e2884e617fa9245a MD5: 54c11dcb706996a76976211c3685153d
M20-q8081	PyXie	Windows	This strike sends a malware sample known as PyXie RAT. PyXie is a Python Remote Access Trojan. It has been seen in the wild since 2018, and is typically seen in conjunction with Cobalt Strike beacons. PyXie has been used to deliver ransomware attacks to the healthcare and education industries.	2aac141539e4bac0320ce3992e632d97	https://blogs.blackberry.com/en/2019/12/meet-pyxie-a-nefarious-new-python-rat SHA256: f9290cd938d134a480b41d99ac2c5513a964de001602ed34c6383dfeb577b8f7 SHA1: dc53f9f9f7dac4fa1ba748b2fa7e6819187f2f8e MD5: 2aac141539e4bac0320ce3992e632d97
M20-75a91	Vatet	Windows	This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR encoded shellcode from the local disk or a network share. These loaders are often modified in order to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or as of lately the PyXie RAT payload. Vatet loader is often seen as the first stage in an Enterprise wide ransomware attack.	68cb520d2084020638790187e34638ea	https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/ SHA256: e1653fe62e8d90153557324ffe4470d9c9262fe3bddad2bf555680b6078cf66a SHA1: 94c14074d879fd773a1c331210cc4c6e282b9185 MD5: 68cb520d2084020638790187e34638ea
M20-qwgb1	PyXie	Windows	This strike sends a malware sample known as PyXie Lite. PyXie Lite is a variant of its predecessor PyXie, the Python RAT. It can be recognized by its much smaller code base and a few other noticeable changes in its functionality, which include a hardened interpreter, remapped opcode table, exfiltration of data through internal servers, and performing reconnaissance.	127aa359a279cb299b63bb720f35ed1d	https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/2/ SHA256: 4d0176e2d6e30e31352f420a4dec79d26cb00f1e6c789b31e84cd05eb4d50956 SHA1: b826c09b4e6dd84c5d74ce4af5545f13eba64811 MD5: 127aa359a279cb299b63bb720f35ed1d
M20-0l931	PyXie	Windows	This strike sends a malware sample known as PyXie RAT. PyXie is a Python Remote Access Trojan. It has been seen in the wild since 2018, and is typically seen in conjunction with Cobalt Strike beacons. PyXie has been used to deliver ransomware attacks to the healthcare and education industries.	d76837f88a8d62351e2d551be2fe9893	https://blogs.blackberry.com/en/2019/12/meet-pyxie-a-nefarious-new-python-rat SHA256: de44656b4a3dde6e0acdc6f59f73114ce6bb6342bec0dcd45da8676d78b0042e SHA1: 1aad813f52a7627c94e236f15d2ac3b1d090c15a MD5: d76837f88a8d62351e2d551be2fe9893
M20-m1mi1	Vatet	Windows	This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR encoded shellcode from the local disk or a network share. These loaders are often modified in order to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or as of lately the PyXie RAT payload. Vatet loader is often seen as the first stage in an Enterprise wide ransomware attack.	e2b15234dee641b74ee7959df2ae2e43	https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/ SHA256: 625c22b21277c8a7e1b701da9c1c21b64bfa02baef5d7a530a38f6d70a7a16d0 SHA1: 27fd1c79ce0f8459ed201886512f38af5e466bba MD5: e2b15234dee641b74ee7959df2ae2e43
M20-dozu1	PyXie	Windows	This strike sends a malware sample known as PyXie Lite. PyXie Lite is a variant of its predecessor PyXie, the Python RAT. It can be recognized by its much smaller code base and a few other noticeable changes in its functionality, which include a hardened interpreter, remapped opcode table, exfiltration of data through internal servers, and performing reconnaissance.	8357b48174b91644012b7969d2ae9597	https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/2/ SHA256: 510cf6e1c55a190490e93d222ea606ed888d222ecedda18bfb2f32bb73f33cab SHA1: eb17b9cdce04f77428499afbb950f48249492a2a MD5: 8357b48174b91644012b7969d2ae9597
M20-0tvr1	Vatet	Windows	This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR encoded shellcode from the local disk or a network share. These loaders are often modified in order to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or as of lately the PyXie RAT payload. Vatet loader is often seen as the first stage in an Enterprise wide ransomware attack.	164b162f8cd59acf9d3da0bec7ea1c52	https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/ SHA256: ccc162d3a3d6136a9c472d7d2d07acbae47f88a9a7d9b2c9b97b331e7ab7605d SHA1: fdb3289f239a06023842d90c0e5cf6f8f0aa1c99 MD5: 164b162f8cd59acf9d3da0bec7ea1c52
M20-rp6s1	Sunburst_846e27a6	Windows	This strike sends a malware sample known as Sunburst. Sunburst is a malware Trojan that has recently attacked many high profile government, technology, telecom, and consulting companies in numerous locations in North America, Asia, Europe, and the Middle East. It is a SolarWinds digitally-signed component of the Orion software framework that contains a backdoor that allows for it to communicate with external servers to perform Command and Control functionality. The malware lays dormant for an extended period of time and then executes commands, that allow for the transfer and execution of files, profiling the system, and disabling services.	846e27a652a5e1bfbd0ddd38a16dc865	https://blog.truesec.com/2020/12/17/the-solarwinds-orion-sunburst-supply-chain-attack/ https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html SHA256: ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6 SHA1: d130bd75645c2433f88ac03e73395fba172ef676 MD5: 846e27a652a5e1bfbd0ddd38a16dc865
M20-a1c21	Vatet	Windows	This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR encoded shellcode from the local disk or a network share. These loaders are often modified in order to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or as of lately the PyXie RAT payload. Vatet loader is often seen as the first stage in an Enterprise wide ransomware attack.	225747a368357a5eafaac5337ee56c9a	https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/ SHA256: 3a3b7b198769de3e5d81a92aa166f783b611a39a7fcea1b5ec762b54295dbc8d SHA1: 49a8ab54ac1137b9fa2281a9fdbd1d7b50cf6cee MD5: 225747a368357a5eafaac5337ee56c9a
M20-8etv1	Vatet	Windows	This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR encoded shellcode from the local disk or a network share. These loaders are often modified in order to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or as of lately the PyXie RAT payload. Vatet loader is often seen as the first stage in an Enterprise wide ransomware attack.	6f6a04e60af90862b2ced5864b6b23f9	https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/ SHA256: 95e5e83b10df32f06080bd6f8428592d81febbf55e72ec5f843dd6188bef25da SHA1: ab96d796a4b394af911c5282446f61bcd94c1ae1 MD5: 6f6a04e60af90862b2ced5864b6b23f9
M20-rmoa1	Barys_006a7221	Windows	This strike sends a malware sample known as Barys. Barys is a trojan and downloader that will upload malicious files to the victim machine.	006a72219afabff2f56695f413ca43db	https://blog.talosintelligence.com/2020/12/threat-roundup-1127-1204.html SHA256: a98b443dab1373415ceefacf3be09bb209377827785a02e5f7d4a20c3badc01c SHA1: 5e8f2e325a452ebfeeafeceb7ef6b1a8cbb186ad MD5: 006a72219afabff2f56695f413ca43db
M20-4pvo1	Vatet	Windows	This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR encoded shellcode from the local disk or a network share. These loaders are often modified in order to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or as of lately the PyXie RAT payload. Vatet loader is often seen as the first stage in an Enterprise wide ransomware attack.	b90fbb7ae572eca2f64d14c0e0dc4a21	https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/ SHA256: cb2619b7aab52d612012386d88a0d983c270d9346169b75d2a55010564efc55c SHA1: 39289138cd3d75cbffe41172772cb40acde3972a MD5: b90fbb7ae572eca2f64d14c0e0dc4a21
M20-bhso1	Vatet	Windows	This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR encoded shellcode from the local disk or a network share. These loaders are often modified in order to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or as of lately the PyXie RAT payload. Vatet loader is often seen as the first stage in an Enterprise wide ransomware attack.	2f6340654f5d07c7a5d19b9d228dabb1	https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/ SHA256: 80c9d6cf4e8119dc2d0e263f3f4d5c3bf4221715117505d9d6a02e3671337bf8 SHA1: 40e314bef8a7fb314b8dfb8b641fa2426d198488 MD5: 2f6340654f5d07c7a5d19b9d228dabb1
M20-r1rf1	Barys_3c11a2bd	Windows	This strike sends a polymorphic malware sample known as Barys. Barys is a trojan and downloader that will upload malicious files to the victim machine.The binary has random contents appended in one of the existing sections in the PE file format.	3c11a2bd2d5f1c68588dd60b742008f1	https://arxiv.org/abs/1801.08917 SHA256: e6ad8931d16e75beccc55f4706194876b6b13aaac6c291d453a981ccb20ff198 SHA1: 50b5f6ed2ab9c18b04ec24a6651ffbb7e162bcc7 PARENTID: M20-mxx31 SSDEEP: 384:UDLPVyLRFT8Mtls0IKJdhpEoa24+odbe419lZK38nmPsywEXZxg15iMISchoyMn:MgbT8MlIcdk+odC41HjmzZX630nMn MD5: 3c11a2bd2d5f1c68588dd60b742008f1
M20-wnyb2	Vatet	Windows	This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR encoded shellcode from the local disk or a network share. These loaders are often modified in order to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or as of lately the PyXie RAT payload. Vatet loader is often seen as the first stage in an Enterprise wide ransomware attack.	1d191d54cdd3adb4621b5c3a13d1ea91	https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/ SHA256: 01011bb45dec3b520ea09e5d9d3c9fb4acce74de72261f68ff1011f9ea6ccebb SHA1: 3e6868e7359df4bddfdbd7575052431360c57dd9 MD5: 1d191d54cdd3adb4621b5c3a13d1ea91
M20-039f1	Barys_d1365296	Windows	This strike sends a polymorphic malware sample known as Barys. Barys is a trojan and downloader that will upload malicious files to the victim machine.The binary has a random section name renamed according to the PE format specification.	d1365296a329a50b6d389373aa50fa01	https://arxiv.org/abs/1801.08917 SHA256: e30a372793ba1181082bb313a63f3c88e4075645d6fa30f84666e8feacb858eb SHA1: 17525859a1efb97ad394092c0c561d43386ce9e1 PARENTID: M20-mxx31 SSDEEP: 384:ODLPVyLRFT8Mtls0IKJdhpEoa24+odbe419lZK38nmPsywEXZxg15iMISchoyMn:WgbT8MlIcdk+odC41HjmzZX630nMn MD5: d1365296a329a50b6d389373aa50fa01
M20-19el1	PyXie	Windows	This strike sends a malware sample known as PyXie RAT. PyXie is a Python Remote Access Trojan. It has been seen in the wild since 2018, and is typically seen in conjunction with Cobalt Strike beacons. PyXie has been used to deliver ransomware attacks to the healthcare and education industries.	aa03fbbd932b6f57d26c53cf7a01ef1b	https://blogs.blackberry.com/en/2019/12/meet-pyxie-a-nefarious-new-python-rat SHA256: a765df03fffa343aa7a420a0a57d4b5c64366392ab6162c3561ff9f7b0ad5623 SHA1: ed495940c14db3067e841b1e1cd29724b4f8989c MD5: aa03fbbd932b6f57d26c53cf7a01ef1b
M20-7twy1	Vatet	Windows	This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR encoded shellcode from the local disk or a network share. These loaders are often modified in order to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or as of lately the PyXie RAT payload. Vatet loader is often seen as the first stage in an Enterprise wide ransomware attack.	13cc74a4168aab6c63b5e44358f47604	https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/ SHA256: c5ca45581da0bbb3e4d0c6e51d602512fa52833cd16eebed351397a9a0326518 SHA1: 74b9f153234306a4e0f5c0cfa7bebb68eb0d3890 MD5: 13cc74a4168aab6c63b5e44358f47604
M20-p6nd1	Vatet	Windows	This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR encoded shellcode from the local disk or a network share. These loaders are often modified in order to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or as of lately the PyXie RAT payload. Vatet loader is often seen as the first stage in an Enterprise wide ransomware attack.	9d4c4af4b600bb90e92a5c0b86551507	https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/ SHA256: edecfdd2a26b4579ecacf453b9dff073233fb66d53c498632464bca8b3084dc5 SHA1: fb49d70aa78dae091a7fdf31d28a83d270e377bd MD5: 9d4c4af4b600bb90e92a5c0b86551507
M20-kkm31	Vatet	Windows	This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR encoded shellcode from the local disk or a network share. These loaders are often modified in order to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or as of lately the PyXie RAT payload. Vatet loader is often seen as the first stage in an Enterprise wide ransomware attack.	77e9031a6ba4afeecda915e914a352df	https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/ SHA256: 840985b782648d57de302936257ba3d537d21616cb81f9dce000eaf1f76a56c8 SHA1: adcdeb818c9dfc9f1c17bf3af5ba9523927ca643 MD5: 77e9031a6ba4afeecda915e914a352df
M20-pmq11	Vatet	Windows	This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR encoded shellcode from the local disk or a network share. These loaders are often modified in order to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or as of lately the PyXie RAT payload. Vatet loader is often seen as the first stage in an Enterprise wide ransomware attack.	e0d2c9aac9a8489a2154aff6e0abcb6e	https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/ SHA256: 3928bd8f2fd2db4891b320fa85b37c2598706d27283818ad33a0eeac16d59192 SHA1: 2e489ff43e12c708430f3ea07024970a4d1ba737 MD5: e0d2c9aac9a8489a2154aff6e0abcb6e
M20-jzoq1	Vatet	Windows	This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR encoded shellcode from the local disk or a network share. These loaders are often modified in order to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or as of lately the PyXie RAT payload. Vatet loader is often seen as the first stage in an Enterprise wide ransomware attack.	988b54d62c2163cdb5398ff6571e3c80	https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/ SHA256: 75728bc96c934c1521ae08e03ec916e20628e000b056c55b6ee04ccc18c602f6 SHA1: e741885b90a4d6b4699948b9184cf38bf838b890 MD5: 988b54d62c2163cdb5398ff6571e3c80
M20-mynx1	Chthonic_39a1430c	Windows	This strike sends a polymorphic malware sample known as Chthonic. Chthonic is a banking trojan that is normally delivered by the attacker via phishing emails. Its purpose to to exfiltrate sensitive credentials from the victim machine, and has also been seen delivering other malware like AZORult to perform additional functionality.The binary has a random section name renamed according to the PE format specification.	39a1430c7d0bf12a9b42dad4e6b49ac6	https://arxiv.org/abs/1801.08917 SHA256: 28dacb33875c738c866f6d41b16074f6ca48dee3aee14e8899f845912d02a50e SHA1: eae617ce1247de24ce7caed9b13be5a2934f3c7c PARENTID: M20-569e1 SSDEEP: 768:jh1SGw0Nd6EF+MIi3hISRdJlDED1Anx3LScmjElP/Vc6+DxIamqtswYh/YY86AAx:GV0Nd6EF+eljbx3LSqt+GF82jco MD5: 39a1430c7d0bf12a9b42dad4e6b49ac6
M20-jyxn1	PyXie	Windows	This strike sends a malware sample known as PyXie Lite. PyXie Lite is a variant of its predecessor PyXie, the Python RAT. It can be recognized by its much smaller code base and a few other noticeable changes in its functionality, which include a hardened interpreter, remapped opcode table, exfiltration of data through internal servers, and performing reconnaissance.	a76db545952dcb01bdb966e656c3baca	https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/2/ SHA256: fe564fb38a99dbb94cc8a66d8955b0b7f8e67bf0a5eb820c4a5d0c3efb96c1e5 SHA1: 5b231d4361da177cfe4c3343a1ba75fb099db547 MD5: a76db545952dcb01bdb966e656c3baca
M20-qgfs1	PyXie	Windows	This strike sends a malware sample known as PyXie Lite. PyXie Lite is a variant of its predecessor PyXie, the Python RAT. It can be recognized by its much smaller code base and a few other noticeable changes in its functionality, which include a hardened interpreter, remapped opcode table, exfiltration of data through internal servers, and performing reconnaissance.	ed784123007890e3df70b2348779b007	https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/2/ SHA256: 61b9b7e1329eb540dd751d1db6c00cc45d91b6f58db75ab0212976d4ec4c848e SHA1: 9512a8aa4835c0aab0999a9ba17b60b1b976aeae MD5: ed784123007890e3df70b2348779b007
M20-luhr1	PyXie	Windows	This strike sends a malware sample known as PyXie RAT. PyXie is a Python Remote Access Trojan. It has been seen in the wild since 2018, and is typically seen in conjunction with Cobalt Strike beacons. PyXie has been used to deliver ransomware attacks to the healthcare and education industries.	fa8a1311b6488e40de471cc183ce50eb	https://blogs.blackberry.com/en/2019/12/meet-pyxie-a-nefarious-new-python-rat SHA256: 1d970f2e7af9962ae6786c35fcd6bc48bb860e2c8ca74d3b81899c0d3a978b2b SHA1: c7e544de0ca082cb13e68265914dc3bd7d22ed55 MD5: fa8a1311b6488e40de471cc183ce50eb
M20-910a1	Vatet	Windows	This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR encoded shellcode from the local disk or a network share. These loaders are often modified in order to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or as of lately the PyXie RAT payload. Vatet loader is often seen as the first stage in an Enterprise wide ransomware attack.	643fbcda0041c2b57a2740bb02e16db0	https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/ SHA256: b1f54b88c9b7680877981f6bebde6aea9effbc38a0a8b27a565fb35331094680 SHA1: e90b6b2edb9171d28cac4f437b1fa6a03b39e546 MD5: 643fbcda0041c2b57a2740bb02e16db0
M20-aei21	PyXie	Windows	This strike sends a malware sample known as PyXie RAT. PyXie is a Python Remote Access Trojan. It has been seen in the wild since 2018, and is typically seen in conjunction with Cobalt Strike beacons. PyXie has been used to deliver ransomware attacks to the healthcare and education industries.	9d3e12893fae7eb6c33682b5bbea6d93	https://blogs.blackberry.com/en/2019/12/meet-pyxie-a-nefarious-new-python-rat SHA256: edd1480fe3d83dc4dc59992fc8436bc1f33bc065504dccf4b14670e9e2c57a89 SHA1: 08868d9b1a31b59ab8e3f4ac38f210ac8e080106 MD5: 9d3e12893fae7eb6c33682b5bbea6d93
M20-w0u91	Vatet	Windows	This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR encoded shellcode from the local disk or a network share. These loaders are often modified in order to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or as of lately the PyXie RAT payload. Vatet loader is often seen as the first stage in an Enterprise wide ransomware attack.	1f937cbae354345087860c7d33e0e61d	https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/ SHA256: d7641089fd5d0474b835a633d6d852028b3481c18b3574023b021bfa1e3c1cc1 SHA1: 52c1795326e7704395450b07332c766fb0d1acc7 MD5: 1f937cbae354345087860c7d33e0e61d
M20-yp8y1	Vatet	Windows	This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR encoded shellcode from the local disk or a network share. These loaders are often modified in order to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or as of lately the PyXie RAT payload. Vatet loader is often seen as the first stage in an Enterprise wide ransomware attack.	fc2fefb951bfbfdb1e337c9019968c8d	https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/ SHA256: bec5a3cfd7332241e3a7463d951b8f9a9e771d4f436d7776a426074a82d19a7d SHA1: 1291b32719aef4f71732010263339e59726aaa90 MD5: fc2fefb951bfbfdb1e337c9019968c8d
M20-9ybb1	Vatet	Windows	This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR encoded shellcode from the local disk or a network share. These loaders are often modified in order to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or as of lately the PyXie RAT payload. Vatet loader is often seen as the first stage in an Enterprise wide ransomware attack.	81ba4107943bb4ad2ec351ba2417f987	https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/ SHA256: 2b13dae3c35eb3958253dbf945f6609e59978c2aedbd163608f03920d7d3623b SHA1: 974dc36f9342391724f1e911e6fd92fccce7ef1a MD5: 81ba4107943bb4ad2ec351ba2417f987
M20-xxco1	PyXie	Windows	This strike sends a malware sample known as PyXie RAT. PyXie is a Python Remote Access Trojan. It has been seen in the wild since 2018, and is typically seen in conjunction with Cobalt Strike beacons. PyXie has been used to deliver ransomware attacks to the healthcare and education industries.	a7da167512ae0077122e349e1cf54085	https://blogs.blackberry.com/en/2019/12/meet-pyxie-a-nefarious-new-python-rat SHA256: e0f22863c84ee634b2650b322e6def6e5bb74460952f72556715272c6c18fe8e SHA1: a0c913a04254c65154013904d99ea90d574ab3a2 MD5: a7da167512ae0077122e349e1cf54085
M20-5r9z1	Vatet	Windows	This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR encoded shellcode from the local disk or a network share. These loaders are often modified in order to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or as of lately the PyXie RAT payload. Vatet loader is often seen as the first stage in an Enterprise wide ransomware attack.	e843170e564321228fc88b9291a4265c	https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/ SHA256: ecf3f4ba8dd16551908488cfbf2afd18a55584dbf81c28623026a29b9fa4a62d SHA1: 100baeffdf9be3002d4ff15785a28ed75c6c0f7e MD5: e843170e564321228fc88b9291a4265c
M20-xmrm1	Vatet	Windows	This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR encoded shellcode from the local disk or a network share. These loaders are often modified in order to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or as of lately the PyXie RAT payload. Vatet loader is often seen as the first stage in an Enterprise wide ransomware attack.	615292e183cf11759b672148998bfa18	https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/ SHA256: ddf83c02effea8ae9ec2c833bf40187bed23ec33c6b828af49632ef98004ea82 SHA1: 3a98e49010e7720abc5d5af43c6c1f665fe3dc0d MD5: 615292e183cf11759b672148998bfa18
M20-oh7j1	Vatet	Windows	This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR encoded shellcode from the local disk or a network share. These loaders are often modified in order to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or as of lately the PyXie RAT payload. Vatet loader is often seen as the first stage in an Enterprise wide ransomware attack.	ca4682a32cdaaf2c0357a2a79e32ee9b	https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/ SHA256: bd7da341a28a19618b53e649a27740dfeac13444ce0e0d505704b56335cc55bd SHA1: 2418b3bb9690ff1f3b0ffbe3a7895800ba335903 MD5: ca4682a32cdaaf2c0357a2a79e32ee9b
M20-nbpl2	PyXie	Windows	This strike sends a malware sample known as PyXie RAT. PyXie is a Python Remote Access Trojan. It has been seen in the wild since 2018, and is typically seen in conjunction with Cobalt Strike beacons. PyXie has been used to deliver ransomware attacks to the healthcare and education industries.	4eab40382656af8fa25fb23b6e6473a0	https://blogs.blackberry.com/en/2019/12/meet-pyxie-a-nefarious-new-python-rat SHA256: 7330fa1ca4e40cdfea9492134636ef06cd999efb71f510074d185840ac16675d SHA1: 64f0b82b09081cb1782f9f5dc5011306764cd8a9 MD5: 4eab40382656af8fa25fb23b6e6473a0
M20-wfqq1	PyXie	Windows	This strike sends a malware sample known as PyXie RAT. PyXie is a Python Remote Access Trojan. It has been seen in the wild since 2018, and is typically seen in conjunction with Cobalt Strike beacons. PyXie has been used to deliver ransomware attacks to the healthcare and education industries.	4201d7681dbbde038de0e5d3568363da	https://blogs.blackberry.com/en/2019/12/meet-pyxie-a-nefarious-new-python-rat SHA256: 3aa746bb94acee94c86a34cb0b355317de8404c91de3f00b40e8257b80c64741 SHA1: 54a06b7ec2dbf0db1976be14875ba8be0947fe70 MD5: 4201d7681dbbde038de0e5d3568363da
M20-qmya1	Gh0stRAT_a5d16fe0	Windows	This strike sends a polymorphic malware sample known as Gh0stRAT. Gh0stRAT is a remote access Trojan that provides control over an infected system. Some of its known functions include the ability to record keystrokes, record screenshots and download additional malicious payloads.The binary has the timestamp field updated in the PE file header.	a5d16fe034462a43c0ddb0b62a52121e	https://attack.mitre.org/techniques/T1099/ SHA256: 004882c756bd37bc9fc49085b9fb6b1496a7deeabbf5849ff2e8a24dc519d7c7 SHA1: ade07b3275a20e1b42186e5563d1b32818b9874c PARENTID: M20-gt381 SSDEEP: 1536:zbuXXlyLMFM6NRjebOZewU/R4kY6WpsQEYzQI4wb9DprLElnY+fsrcNgF0f2bb3X:WFyLM/NR+O8wl6usKH9DRJUyMrAn MD5: a5d16fe034462a43c0ddb0b62a52121e
M20-zw841	PyXie	Windows	This strike sends a malware sample known as PyXie RAT. PyXie is a Python Remote Access Trojan. It has been seen in the wild since 2018, and is typically seen in conjunction with Cobalt Strike beacons. PyXie has been used to deliver ransomware attacks to the healthcare and education industries.	a07761d3be0749c5ba7da3d8222f1d86	https://blogs.blackberry.com/en/2019/12/meet-pyxie-a-nefarious-new-python-rat SHA256: e03680e0af40a6fa1a12bed2f701c6137335d28b3d222579552658e951cbd13c SHA1: dc3cf5372363cb5a0f5b8124386e548f38da24d4 MD5: a07761d3be0749c5ba7da3d8222f1d86
M20-w2oz1	Vatet	Windows	This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR encoded shellcode from the local disk or a network share. These loaders are often modified in order to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or as of lately the PyXie RAT payload. Vatet loader is often seen as the first stage in an Enterprise wide ransomware attack.	8041965231306e1c2dff3695d6327524	https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/ SHA256: 5aec2fa9e954473d9c6b5233512f833e63541965e2d2e4af2419a457676c440d SHA1: d1df2aa545c341d512668fe82dfd067240d7d459 MD5: 8041965231306e1c2dff3695d6327524
M20-pceb1	Vatet	Windows	This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR encoded shellcode from the local disk or a network share. These loaders are often modified in order to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or as of lately the PyXie RAT payload. Vatet loader is often seen as the first stage in an Enterprise wide ransomware attack.	808c956808d1a47b50f51df08d45f391	https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/ SHA256: b7fbbbdf7e8795022a41f4e6a94be1de432ae1911e49625f73555e01a5fdc719 SHA1: 631722e3bb67297c0d0af1e5390a0390a16cd99d MD5: 808c956808d1a47b50f51df08d45f391
M20-gjhy1	Vatet	Windows	This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR encoded shellcode from the local disk or a network share. These loaders are often modified in order to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or as of lately the PyXie RAT payload. Vatet loader is often seen as the first stage in an Enterprise wide ransomware attack.	4f2c11ee45ce87eeee7789b43cc91ac3	https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/ SHA256: 3259dd0efed1d28a149d4e8c4f980a19199d9bead951ee1231e3a26521185f2f SHA1: 5de46e1ae70c456d867c7807a7dab337d11a03f0 MD5: 4f2c11ee45ce87eeee7789b43cc91ac3
M20-y21h2	Vatet	Windows	This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR encoded shellcode from the local disk or a network share. These loaders are often modified in order to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or as of lately the PyXie RAT payload. Vatet loader is often seen as the first stage in an Enterprise wide ransomware attack.	b5d6214c223b3f6bc4a77c47e0e2a864	https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/ SHA256: 6f1e8f91773609087a417cb34887f292a0be5c246dab667195854f979a45349a SHA1: 61f4e7dff34352fd8d065e57abaa60b149ebaae3 MD5: b5d6214c223b3f6bc4a77c47e0e2a864
M20-p3ko1	Gh0stRAT_58db1853	Windows	This strike sends a malware sample known as Gh0stRAT. Gh0stRAT is a remote access Trojan that provides control over an infected system. Some of its known functions include the ability to record keystrokes, record screenshots and download additional malicious payloads.	58db185381561f59c85b0f5eccb428af	https://blog.talosintelligence.com/2020/12/threat-roundup-1127-1204.html SHA256: ad85f99b2d8de491c472aa7526dd02c4e788c2c7fbda519eb2e967c1419d3ec9 SHA1: ae744ee69906bc719a2db679f44ba288b9e9416d MD5: 58db185381561f59c85b0f5eccb428af
M20-2wgr1	PyXie	Windows	This strike sends a malware sample known as PyXie Lite. PyXie Lite is a variant of its predecessor PyXie, the Python RAT. It can be recognized by its much smaller code base and a few other noticeable changes in its functionality, which include a hardened interpreter, remapped opcode table, exfiltration of data through internal servers, and performing reconnaissance.	571425452e7fa287ce283a4a4b479ff1	https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/2/ SHA256: 9847cea40cec394c947de06010ad1f3033316903b5c822ba16f9574acb30f0cd SHA1: 518feab46fd17e85d685fe1b26bb3ff3eb7f499f MD5: 571425452e7fa287ce283a4a4b479ff1
M20-adie1	Sunburst_56ceb6d0	Windows	This strike sends a malware sample known as Sunburst. Sunburst is a malware Trojan that has recently attacked many high profile government, technology, telecom, and consulting companies in numerous locations in North America, Asia, Europe, and the Middle East. It is a SolarWinds digitally-signed component of the Orion software framework that contains a backdoor that allows for it to communicate with external servers to perform Command and Control functionality. The malware lays dormant for an extended period of time and then executes commands, that allow for the transfer and execution of files, profiling the system, and disabling services.	56ceb6d0011d87b6e4d7023d7ef85676	https://blog.truesec.com/2020/12/17/the-solarwinds-orion-sunburst-supply-chain-attack/ https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html SHA256: c15abaf51e78ca56c0376522d699c978217bf041a3bd3c71d09193efa5717c71 SHA1: 75af292f34789a1c782ea36c7127bf6106f595e8 MD5: 56ceb6d0011d87b6e4d7023d7ef85676
M20-4h8j1	PyXie	Windows	This strike sends a malware sample known as PyXie Lite. PyXie Lite is a variant of its predecessor PyXie, the Python RAT. It can be recognized by its much smaller code base and a few other noticeable changes in its functionality, which include a hardened interpreter, remapped opcode table, exfiltration of data through internal servers, and performing reconnaissance.	49819f0eee4399ea309d83fea14acb69	https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/2/ SHA256: 6485bec374f255831b7ddbfed9925e988dcd7e893f610842809dd7cd1988cffc SHA1: 6c0bc83620d82967d75bcfb64196cc89a5a8ac11 MD5: 49819f0eee4399ea309d83fea14acb69
M20-08jw1	PyXie	Windows	This strike sends a malware sample known as PyXie Lite. PyXie Lite is a variant of its predecessor PyXie, the Python RAT. It can be recognized by its much smaller code base and a few other noticeable changes in its functionality, which include a hardened interpreter, remapped opcode table, exfiltration of data through internal servers, and performing reconnaissance.	78038fcb760ec0d4a446e243f496f026	https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/2/ SHA256: c7ddbc24a57d1353d73533c47a65e5e3a74e3b666c1fed685fc90de1f089c72b SHA1: 427c91fe58a5b05e0c1e164e0c1cddff651f96da MD5: 78038fcb760ec0d4a446e243f496f026
M20-k9va1	Vatet	Windows	This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR encoded shellcode from the local disk or a network share. These loaders are often modified in order to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or as of lately the PyXie RAT payload. Vatet loader is often seen as the first stage in an Enterprise wide ransomware attack.	7031a1138e1892fb09bfbdf518dba07b	https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/ SHA256: 2ceb5de547ad250140c7eb3c3d73e4331c94cf5a472e2806f93bf0d9df09d886 SHA1: fe14ed259e1125d6bec4d920af804cf0f6acf94b MD5: 7031a1138e1892fb09bfbdf518dba07b
M20-46m51	Barys_c594feb4	Windows	This strike sends a polymorphic malware sample known as Barys. Barys is a trojan and downloader that will upload malicious files to the victim machine.The binary has random bytes appended at the end of the file.	c594feb41863cd0726eadf0e1c376ee6	https://attack.mitre.org/techniques/T1009/ SHA256: b09f5955b5e0e1bdbe2e21af580b6d48baecf8362bbc9ca02010605b28ce4078 SHA1: a74fd87caf08b2e5710340312e19d5ccbdbdb8a1 PARENTID: M20-mxx31 SSDEEP: 384:UDLPVyLRFT8Mtls0IKJdhpEoa24+odbe419lZK38nmPsywEXZxg15iMISchoyMnw:MgbT8MlIcdk+odC41HjmzZX630nMnw MD5: c594feb41863cd0726eadf0e1c376ee6
M20-ybbq1	Vatet	Windows	This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR encoded shellcode from the local disk or a network share. These loaders are often modified in order to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or as of lately the PyXie RAT payload. Vatet loader is often seen as the first stage in an Enterprise wide ransomware attack.	e5b622b9864d3a2e31a4edac46c1cb0c	https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/ SHA256: e07dd37c92d24ac20b94a183e1f0a22a4eec0f950f441761c065faf0afd2abdd SHA1: e01af7b18c432fa352fea4a166e56c60e6895d0a MD5: e5b622b9864d3a2e31a4edac46c1cb0c
M20-xo5t1	PyXie	Windows	This strike sends a malware sample known as PyXie Lite. PyXie Lite is a variant of its predecessor PyXie, the Python RAT. It can be recognized by its much smaller code base and a few other noticeable changes in its functionality, which include a hardened interpreter, remapped opcode table, exfiltration of data through internal servers, and performing reconnaissance.	38bb2a242823592548a6c6539d69e72a	https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/2/ SHA256: c58f5b3f7300a13fd9a0a61757e20399fc5e86544befdafae15e8809a02c2db0 SHA1: aaed6ef09b54137cb62bb55ec20f73407739537f MD5: 38bb2a242823592548a6c6539d69e72a
M20-gt381	Gh0stRAT_d2a67090	Windows	This strike sends a malware sample known as Gh0stRAT. Gh0stRAT is a remote access Trojan that provides control over an infected system. Some of its known functions include the ability to record keystrokes, record screenshots and download additional malicious payloads.	d2a67090e3a8b6d1ca55ff3f3f00c768	https://blog.talosintelligence.com/2020/12/threat-roundup-1127-1204.html SHA256: c10af0e4b2e6dd378d5c69d44cd61657dc96fa8facf5b61f45c9b49071208811 SHA1: e8cc4081e07c07c593424ccde149cd8782dd27e6 MD5: d2a67090e3a8b6d1ca55ff3f3f00c768
M20-f6xg1	Vatet	Windows	This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR encoded shellcode from the local disk or a network share. These loaders are often modified in order to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or as of lately the PyXie RAT payload. Vatet loader is often seen as the first stage in an Enterprise wide ransomware attack.	94b27b9de692308cdb07aa6cc31391f1	https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/ SHA256: 66c2038c6d86333cbc51726bc54d3b8a00162493b2c92ca7f839b50435eaa314 SHA1: 500719895a31db2d1a3e81b3c798e39a89f3dee2 MD5: 94b27b9de692308cdb07aa6cc31391f1
M20-lise1	Vatet	Windows	This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR encoded shellcode from the local disk or a network share. These loaders are often modified in order to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or as of lately the PyXie RAT payload. Vatet loader is often seen as the first stage in an Enterprise wide ransomware attack.	41eff4cd049a8b5debf437b229e7c044	https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/ SHA256: 91c62841844bde653e0357193a881a42c0bc9fcc798a69f451511c6e4c46fd18 SHA1: 0491a3d718b76aae5f81bb8dfac49eb0c427f8a2 MD5: 41eff4cd049a8b5debf437b229e7c044
M20-p32m1	Vatet	Windows	This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR encoded shellcode from the local disk or a network share. These loaders are often modified in order to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or as of lately the PyXie RAT payload. Vatet loader is often seen as the first stage in an Enterprise wide ransomware attack.	4b3064c24cb16361027233138fd539dc	https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/ SHA256: 87210d6f1773473d28b51de21ed55ecfb6a9bd34f56d2d37f483ed05a1d7efd8 SHA1: 8b1da0482b98f77f86f35e830a4a94b3d884e3a0 MD5: 4b3064c24cb16361027233138fd539dc
M20-569e1	Chthonic_eda8ab97	Windows	This strike sends a malware sample known as Chthonic. Chthonic is a banking trojan that is normally delivered by the attacker via phishing emails. Its purpose to to exfiltrate sensitive credentials from the victim machine, and has also been seen delivering other malware like AZORult to perform additional functionality.	eda8ab9741ff7b166c04d59e4c778a45	https://blog.talosintelligence.com/2020/12/threat-roundup-1127-1204.html SHA256: d999dc87b0d9c537f3182f9ec8b1b2e781f1690f08ab69be141404f9ee9b1ce3 SHA1: 6b07119eb7943251d43fbeb07195065189bc0dcd MD5: eda8ab9741ff7b166c04d59e4c778a45
M20-m3881	Defray777_aa1ddf0c	Linux	This strike sends a malware sample known as Defray777. Defray777 is an elusive family of Ransomware also known as RansomX and RansomExx that has been active since 2018. It runs entirely in memory, and is typically delivered and executed by a loader such as Cobalt Strike. The malware has been ported to Linux, however unlike the Windows variant the Linux variant doesn't employ Anti-Analysis measures to hinder reverse engineering.	aa1ddf0c8312349be614ff43e80a262f	https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/3/ SHA256: cb408d45762a628872fa782109e8fcfc3a5bf456074b007de21e9331bb3c5849 SHA1: 91ad089f5259845141dfb10145271553aa711a2b MD5: aa1ddf0c8312349be614ff43e80a262f
M20-c9oj1	Vatet	Windows	This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR encoded shellcode from the local disk or a network share. These loaders are often modified in order to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or as of lately the PyXie RAT payload. Vatet loader is often seen as the first stage in an Enterprise wide ransomware attack.	23dae47577cda08dfc82e65e1217cbee	https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/ SHA256: 47d6cc0a05218d0c1078dabf8d0ca7b7b424cdd73eaf3bf6261fa1b42f92fe0b SHA1: 89372b60bcee0329e442e601a81766f88baf89e9 MD5: 23dae47577cda08dfc82e65e1217cbee
M20-p1491	Vatet	Windows	This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR encoded shellcode from the local disk or a network share. These loaders are often modified in order to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or as of lately the PyXie RAT payload. Vatet loader is often seen as the first stage in an Enterprise wide ransomware attack.	23594ad0ba8ec37ad5eaec84aee9cecd	https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/ SHA256: 73609f8ebd14c6970d9162ec8d7786f5264e910573dff73881f85b03163bd40e SHA1: 41ec57139e036ccbc7feb2d6485bc4456317cd7e MD5: 23594ad0ba8ec37ad5eaec84aee9cecd
M20-r3of1	Sunburst_2c4a910a	Windows	This strike sends a malware sample known as Sunburst. Sunburst is a malware Trojan that has recently attacked many high profile government, technology, telecom, and consulting companies in numerous locations in North America, Asia, Europe, and the Middle East. It is a SolarWinds digitally-signed component of the Orion software framework that contains a backdoor that allows for it to communicate with external servers to perform Command and Control functionality. The malware lays dormant for an extended period of time and then executes commands, that allow for the transfer and execution of files, profiling the system, and disabling services.	2c4a910a1299cdae2a4e55988a2f102e	https://blog.truesec.com/2020/12/17/the-solarwinds-orion-sunburst-supply-chain-attack/ https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html SHA256: 019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134 SHA1: 2f1a5a7411d015d01aaee4535835400191645023 MD5: 2c4a910a1299cdae2a4e55988a2f102e
M20-bu5m1	Vatet	Windows	This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR encoded shellcode from the local disk or a network share. These loaders are often modified in order to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or as of lately the PyXie RAT payload. Vatet loader is often seen as the first stage in an Enterprise wide ransomware attack.	2133b1c7bb6145cdd121eb8c423d35a7	https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/ SHA256: 1309b052618c6301901ec75cf552e7b49f93d66fb47d4de59b82d37d6ac39039 SHA1: 15fdcf02b66f83c11f6d256e37ff9a901685e354 MD5: 2133b1c7bb6145cdd121eb8c423d35a7
M20-p99v1	Vatet	Windows	This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR encoded shellcode from the local disk or a network share. These loaders are often modified in order to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or as of lately the PyXie RAT payload. Vatet loader is often seen as the first stage in an Enterprise wide ransomware attack.	ae07f0b180bc52b39000f50353e4e97d	https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/ SHA256: 88565b4c707230eac34d4528205056264cd70d797b6b4eb7d891821b00187a69 SHA1: 682e5f116a0aea2b097f05c9a6009d6d499b71bc MD5: ae07f0b180bc52b39000f50353e4e97d
M20-fvau1	PyXie	Windows	This strike sends a malware sample known as PyXie Lite. PyXie Lite is a variant of its predecessor PyXie, the Python RAT. It can be recognized by its much smaller code base and a few other noticeable changes in its functionality, which include a hardened interpreter, remapped opcode table, exfiltration of data through internal servers, and performing reconnaissance.	36ae75fd0c0afc7d6503f66880d6acf8	https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/2/ SHA256: 5e90a331bafd98e41bcf36419c44bd7ff8296ac18cce652e944ae22db15a5366 SHA1: d2aca69c9060161cfa20c4e3aa92d3633f1cf8ba MD5: 36ae75fd0c0afc7d6503f66880d6acf8
M20-vrpk1	Chthonic_7e665259	Windows	This strike sends a malware sample known as Chthonic. Chthonic is a banking trojan that is normally delivered by the attacker via phishing emails. Its purpose to to exfiltrate sensitive credentials from the victim machine, and has also been seen delivering other malware like AZORult to perform additional functionality.	7e665259f4178cfc254d809d3acfc2b2	https://blog.talosintelligence.com/2020/12/threat-roundup-1127-1204.html SHA256: d5ed9e42ec45ed31455433272ab28baa6392ffbca83d787b272aae011ef5db13 SHA1: b55ca4aec4a079dc23f8b1842a743d201536bf8c MD5: 7e665259f4178cfc254d809d3acfc2b2
M20-ziag1	Barys_2775ccd0	Windows	This strike sends a polymorphic malware sample known as Barys. Barys is a trojan and downloader that will upload malicious files to the victim machine.The binary has a new section added in the PE file format with random contents.	2775ccd010831c057c8d3c822adf7fc3	https://arxiv.org/abs/1801.08917 SHA256: c76b574047bf0fd21da5256ba787faea64ad816d2d1af16a23548a101d449be0 SHA1: d551a54045ed0eeb686284f2cd3b9adb28431e2b PARENTID: M20-rmoa1 SSDEEP: 384:DDLPVyLRFT8Mtls0IKJdhpEoa24+odbe419lZK38nmPsywEJdxg15GMIScho9me:jgbT8MlIcdk+odC41HjmzZJmr0je MD5: 2775ccd010831c057c8d3c822adf7fc3
M20-runn1	Vatet	Windows	This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR encoded shellcode from the local disk or a network share. These loaders are often modified in order to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or as of lately the PyXie RAT payload. Vatet loader is often seen as the first stage in an Enterprise wide ransomware attack.	aa0bf0045c4faa988815117cebcacdeb	https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/ SHA256: c7f96f8b15c324bd6bf1aa16f6697d6d407f91ad2d7628a14d70f146334d34be SHA1: e744a577e52d594342bb727ef268796553f2c0d3 MD5: aa0bf0045c4faa988815117cebcacdeb
M20-g4s61	Vatet	Windows	This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR encoded shellcode from the local disk or a network share. These loaders are often modified in order to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or as of lately the PyXie RAT payload. Vatet loader is often seen as the first stage in an Enterprise wide ransomware attack.	4bee85530d15be0a9e6c8672e355ddc6	https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/ SHA256: ce0936366976f07ea24e86733888e97e421393829ecfd0fde66bd943d4b992ab SHA1: 69111b86feb35bc38f22f9cd3797144c3a154d2a MD5: 4bee85530d15be0a9e6c8672e355ddc6
M20-mxx31	Barys_f815281e	Windows	This strike sends a malware sample known as Barys. Barys is a trojan and downloader that will upload malicious files to the victim machine.	f815281ed4b16169e0b474dbac612bbc	https://blog.talosintelligence.com/2020/12/threat-roundup-1127-1204.html SHA256: c88f7682caa26ce756341a27d45f3c6507641249b3b26e2381decf768930e43f SHA1: 69174275cdef661c88060872d16f559726e391aa MD5: f815281ed4b16169e0b474dbac612bbc
M20-bgsm1	Chthonic_4ad3b625	Windows	This strike sends a malware sample known as Chthonic. Chthonic is a banking trojan that is normally delivered by the attacker via phishing emails. Its purpose to to exfiltrate sensitive credentials from the victim machine, and has also been seen delivering other malware like AZORult to perform additional functionality.	4ad3b625ebadf92523edc1b0730dba9a	https://blog.talosintelligence.com/2020/12/threat-roundup-1127-1204.html SHA256: ae2261cf8620e125ea3f5ca178ed304858db9aba288d8db81c066ba3e9b6b470 SHA1: 490e553b0a1697935d32489d30bf4b4c97939cc8 MD5: 4ad3b625ebadf92523edc1b0730dba9a
M20-ug9n1	Vatet	Windows	This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR encoded shellcode from the local disk or a network share. These loaders are often modified in order to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or as of lately the PyXie RAT payload. Vatet loader is often seen as the first stage in an Enterprise wide ransomware attack.	4d1b52e30629477a12dcf2bbbc196e88	https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/ SHA256: d7d28af8af5be22ecca267bdc7e142667f584550cf8a3bbebdb1368725bb6469 SHA1: 2ff4fb871acd8e48b549a3c00df91c014ef1c0f7 MD5: 4d1b52e30629477a12dcf2bbbc196e88
M20-neon1	PyXie	Windows	This strike sends a malware sample known as PyXie RAT. PyXie is a Python Remote Access Trojan. It has been seen in the wild since 2018, and is typically seen in conjunction with Cobalt Strike beacons. PyXie has been used to deliver ransomware attacks to the healthcare and education industries.	4d9e184b5e67c83a4a9901ee43232934	https://blogs.blackberry.com/en/2019/12/meet-pyxie-a-nefarious-new-python-rat SHA256: e2faf6586f8ac70cd98e4ec648f79435bfabaf84d440044aedce0c5c59b662e8 SHA1: 2b2aeeda9282e1b924e228bae316d265d1eeacc9 MD5: 4d9e184b5e67c83a4a9901ee43232934
M20-qz1e1	Defray777_fcd21c6f	Windows	This strike sends a malware sample known as Defray777. Defray777 is an elusive family of Ransomware also known as RansomX and RansomExx that has been active since 2018. It runs entirely in memory, and is typically delivered and executed by a loader such as Cobalt Strike. The malware has been ported to Linux, however unlike the Windows variant the Linux variant doesn't employ Anti-Analysis measures to hinder reverse engineering.	fcd21c6fca3b9378961aa1865bee7ecb	https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/3/ SHA256: 4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458 SHA1: 0abaa05da2a05977e0baf68838cff1712f1789e0 MD5: fcd21c6fca3b9378961aa1865bee7ecb
M20-5upn1	Sunburst_b91ce2fa	Windows	This strike sends a malware sample known as Sunburst. Sunburst is a malware Trojan that has recently attacked many high profile government, technology, telecom, and consulting companies in numerous locations in North America, Asia, Europe, and the Middle East. It is a SolarWinds digitally-signed component of the Orion software framework that contains a backdoor that allows for it to communicate with external servers to perform Command and Control functionality. The malware lays dormant for an extended period of time and then executes commands, that allow for the transfer and execution of files, profiling the system, and disabling services.	b91ce2fa41029f6955bff20079468448	https://blog.truesec.com/2020/12/17/the-solarwinds-orion-sunburst-supply-chain-attack/ https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html SHA256: 32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77 SHA1: 76640508b1e7759e548771a5359eaed353bf1eec MD5: b91ce2fa41029f6955bff20079468448
M20-c3ej1	PyXie	Windows	This strike sends a malware sample known as PyXie Lite. PyXie Lite is a variant of its predecessor PyXie, the Python RAT. It can be recognized by its much smaller code base and a few other noticeable changes in its functionality, which include a hardened interpreter, remapped opcode table, exfiltration of data through internal servers, and performing reconnaissance.	111019f2333c79cd320b3acc474df34c	https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/2/ SHA256: 84428ece8efcb6298435b15d3c4ea281592accf0990cc840ef3a7a0644191061 SHA1: 690e6e0067ca394b0f5177b398fe0e5563963adc MD5: 111019f2333c79cd320b3acc474df34c
M20-aoa01	Gh0stRAT_52729f8b	Windows	This strike sends a malware sample known as Gh0stRAT. Gh0stRAT is a remote access Trojan that provides control over an infected system. Some of its known functions include the ability to record keystrokes, record screenshots and download additional malicious payloads.	52729f8b7185d792be872d0821a251a0	https://blog.talosintelligence.com/2020/12/threat-roundup-1127-1204.html SHA256: b2bf5993d399a91c2ef2d3629a201c8f97702b9359c0bef119e3391eaf47acab SHA1: 3f9087791230f65247e353f499d6a156dfc77ae6 MD5: 52729f8b7185d792be872d0821a251a0
M20-gl0j1	PyXie	Windows	This strike sends a malware sample known as PyXie RAT. PyXie is a Python Remote Access Trojan. It has been seen in the wild since 2018, and is typically seen in conjunction with Cobalt Strike beacons. PyXie has been used to deliver ransomware attacks to the healthcare and education industries.	1cae93d1e1ab2e6bb1db8b65d374b785	https://blogs.blackberry.com/en/2019/12/meet-pyxie-a-nefarious-new-python-rat SHA256: ed675db1e7c93526141d40ba969bdc5bbdfd013932aaf1e644c66db66ff008e0 SHA1: 6a0a7e3a21888b87fde3323e0dc4fc085e71a8b7 MD5: 1cae93d1e1ab2e6bb1db8b65d374b785
M20-2de21	Vatet	Windows	This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR encoded shellcode from the local disk or a network share. These loaders are often modified in order to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or as of lately the PyXie RAT payload. Vatet loader is often seen as the first stage in an Enterprise wide ransomware attack.	26e4a7443332461d330e6dc4e9a22f5b	https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/ SHA256: a50a25a312adb9103e52e94018013ebdb6dbfe792a34122cacd53cfa3bbb26ac SHA1: 9f98147977ce4afd45be30b05e6169ed3522a66e MD5: 26e4a7443332461d330e6dc4e9a22f5b
M20-iilb1	Vatet	Windows	This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR encoded shellcode from the local disk or a network share. These loaders are often modified in order to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or as of lately the PyXie RAT payload. Vatet loader is often seen as the first stage in an Enterprise wide ransomware attack.	fe180737bfb5436a592581de52ed9368	https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/ SHA256: 0d14a1b5574dc12f6286d37d0a624232fb63079416b98c2e1cb5c61f8c2b66ff SHA1: 4c8e2a76a08060d0bc727cb92962263d356d0e63 MD5: fe180737bfb5436a592581de52ed9368
M20-4zuy1	PyXie	Windows	This strike sends a malware sample known as PyXie Lite. PyXie Lite is a variant of its predecessor PyXie, the Python RAT. It can be recognized by its much smaller code base and a few other noticeable changes in its functionality, which include a hardened interpreter, remapped opcode table, exfiltration of data through internal servers, and performing reconnaissance.	e4940335c81b5bcd4713ad929027077e	https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/2/ SHA256: a7affc0d93e27165ce44c55ae28189e8b55967443f9e464232f230ab4ba175ca SHA1: f0f9bd7a786f3ea78ceada0749d36d802b20298f MD5: e4940335c81b5bcd4713ad929027077e
M20-bkym1	Vatet	Windows	This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR encoded shellcode from the local disk or a network share. These loaders are often modified in order to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or as of lately the PyXie RAT payload. Vatet loader is often seen as the first stage in an Enterprise wide ransomware attack.	25e8d46d27e0a1034804aba00ba75d38	https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/ SHA256: d612144c1f6d4a063530ba5bfae7ef4e4ae134bc55dcf067439471934b841b00 SHA1: c42bb245cddbaaeb80fe1b178600ca353161b9f0 MD5: 25e8d46d27e0a1034804aba00ba75d38
M20-mqub1	Barys_1aeb9636	Windows	This strike sends a malware sample known as Barys. Barys is a trojan and downloader that will upload malicious files to the victim machine.	1aeb9636011a15736fa535f7d3ba7f9d	https://blog.talosintelligence.com/2020/12/threat-roundup-1127-1204.html SHA256: a404215539b7bc308e112222493ba4d59a41adeb5204e59ad14cd7836dd6a545 SHA1: 062caa4e2bda8b359cb6ff2ec160918b37ef1dcb MD5: 1aeb9636011a15736fa535f7d3ba7f9d
M20-q0yy1	Sunburst_d5aad0d2	Windows	This strike sends a malware sample known as Sunburst. Sunburst is a malware Trojan that has recently attacked many high profile government, technology, telecom, and consulting companies in numerous locations in North America, Asia, Europe, and the Middle East. It is a SolarWinds digitally-signed component of the Orion software framework that contains a backdoor that allows for it to communicate with external servers to perform Command and Control functionality. The malware lays dormant for an extended period of time and then executes commands, that allow for the transfer and execution of files, profiling the system, and disabling services.	d5aad0d248c237360cf39c054b654d69	https://blog.truesec.com/2020/12/17/the-solarwinds-orion-sunburst-supply-chain-attack/ https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html SHA256: abe22cf0d78836c3ea072daeaf4c5eeaf9c29b6feb597741651979fc8fbd2417 SHA1: b485953ed77caefe81bff0d9b349a33c5cea4cde MD5: d5aad0d248c237360cf39c054b654d69
M20-fibd1	PyXie	Windows	This strike sends a malware sample known as PyXie RAT. PyXie is a Python Remote Access Trojan. It has been seen in the wild since 2018, and is typically seen in conjunction with Cobalt Strike beacons. PyXie has been used to deliver ransomware attacks to the healthcare and education industries.	837dda0135b0aa7628874b451c66b50f	https://blogs.blackberry.com/en/2019/12/meet-pyxie-a-nefarious-new-python-rat SHA256: 3a47e59c37dce42304b345a16ba6a3d78fc44b21c4d0e3a0332eee21f1d13845 SHA1: 3a196669ea458c4e9e3bc4272c7046c688fd63b3 MD5: 837dda0135b0aa7628874b451c66b50f
M20-npvg1	Vatet	Windows	This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR encoded shellcode from the local disk or a network share. These loaders are often modified in order to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or as of lately the PyXie RAT payload. Vatet loader is often seen as the first stage in an Enterprise wide ransomware attack.	6363cba1430bf8a617d789b49e275975	https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/ SHA256: 7ad92c9d63bd9ed305acbe217c40f9945deb98ed5ecced8b92b93332dc27d3c6 SHA1: 0f0966c832dcb143be60ce1f296f8b177e4f0220 MD5: 6363cba1430bf8a617d789b49e275975

Malware Strikes November - 2020

Strike ID	Malware	Platform	Info	MD5	External References
M20-be2v1	Zegost_46762216	Windows	This strike sends a malware sample known as Zegost. Zegost, also known as Zusy, uses man-in-the-middle attacks to steal banking information. When executed, it injects itself into legitimate Windows processes such as "explorer.exe" and "winver.exe". When the user accesses a banking website, it displays a form to trick the user into submitting personal information.	4676221611d727a8b2c54f6e78da92ee	https://blog.talosintelligence.com/2020/11/threat-roundup-1106-1113.html SHA256: 00331272677a88d4775ab1a949ab287ac412aeaa182ed3d3561673d36d571198 SHA1: 6b4a24a51478936573579b6599cf5c08c19aff91 MD5: 4676221611d727a8b2c54f6e78da92ee
M20-sj181	Scar_0f32fa41	Windows	This strike sends a malware sample known as Scar. Scar is a worm and will download files while also trying to spread to other machines by copying itself to removable media.	0f32fa41e160bdb3ad0ce83daad79f75	https://blog.talosintelligence.com/2020/11/threat-roundup-1106-1113.html SHA256: 0e4c2e2cc046d82a2287ee3bcba656449660dadf6dba3bc9b1c3017f1fb650e9 SHA1: 7a0982cb7fc3cbf8752cebad1c1fbcbe90c3836a MD5: 0f32fa41e160bdb3ad0ce83daad79f75
M20-98an1	Kuluoz_a250b5c8	Windows	This strike sends a malware sample known as Kuluoz. Kuluoz also called Asprox is a remote access trojan that has been known to download and execute additional malware like fake antivirus software.	a250b5c892d7c5b73d1d37b5305b1898	https://blog.talosintelligence.com/2020/11/threat-roundup-1106-1113.html SHA256: 052e0204d7d9aa823e6074db99c124911c1c3575026a12a2d0b3ed4edc313586 SHA1: 930cecb3e758784add6930e51652cbef129b9c1e MD5: a250b5c892d7c5b73d1d37b5305b1898
M20-toh31	Kuluoz_330ba1d3	Windows	This strike sends a polymorphic malware sample known as Kuluoz. Kuluoz also called Asprox is a remote access trojan that has been known to download and execute additional malware like fake antivirus software.The binary has the checksum removed in the PE file format.	330ba1d383004c9ca6dca37fbbea2467	https://arxiv.org/abs/1801.08917 SHA256: d15cc86f5308193f5eaeb02be97961cb850a6efcb26a9c60d640d40232f9decd SHA1: 6e64e491d93f9c9e87d6a12e832f015a52be7975 PARENTID: M20-vqam1 SSDEEP: 3072:t+3rnRRy6Z296cjNZGI5pYYdftMdzsFGY9f:srRRyD5E7YZOCQY MD5: 330ba1d383004c9ca6dca37fbbea2467
M20-1uls1	Scar_0274c84c	Windows	This strike sends a malware sample known as Scar. Scar is a worm and will download files while also trying to spread to other machines by copying itself to removable media.	0274c84cd3e88e0f60f8843f56b3a632	https://blog.talosintelligence.com/2020/11/threat-roundup-1106-1113.html SHA256: 0a0a9da107427744e53c7fe3b52ed7af370502197c3c301c32c0199ffc7e0ac8 SHA1: 4e7fd41dd1ec3b57647c8103157f2ed5242b416c MD5: 0274c84cd3e88e0f60f8843f56b3a632
M20-a5n71	Scar_33454c7f	Windows	This strike sends a malware sample known as Scar. Scar is a worm and will download files while also trying to spread to other machines by copying itself to removable media.	33454c7f55343c4200bbf4f7b7fc767e	https://blog.talosintelligence.com/2020/11/threat-roundup-1106-1113.html SHA256: 0a64542d9bb9dbc1264d80503b03aa119ac4f38cf8369f5e0d66a4e985e99b83 SHA1: 6902facb04325d6476dce00e0a5131a71ca227c5 MD5: 33454c7f55343c4200bbf4f7b7fc767e
M20-fv3k1	Ruskill_b3a7b671	Windows	This strike sends a polymorphic malware sample known as Ruskill. Ruskill is a botnet that spreads via removable media and through messaging applications. It steals credentials and distributes denial of service attacks.The binary file has one more imports added in the import table.	b3a7b6717595d216675b92c351502193	https://arxiv.org/abs/1702.05983 SHA256: efe951051689b8ca1913b2db392ad2bc32fcc63502e302960af50bb7ec444c03 SHA1: ca15aa98feefc81be7388049b14c063f5b4d9232 PARENTID: M20-b3zp1 SSDEEP: 3072:6eZAb3i+S4XAg0Fuh/oAu005l+x+fQ5UpkK3LIu78iPNH4jrsgd1zS+wL0/PMsVV:6efEAOZo3f78ENmrJdRS++0nn0uug MD5: b3a7b6717595d216675b92c351502193
M20-j8yz1	LokiBot_ce3ac223	Windows	This strike sends a malware sample known as LokiBot. Lokibot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered via spam emails.	ce3ac2236b1cdd0a2695dce6ba384477	https://blog.talosintelligence.com/2020/11/threat-roundup-1113-1120.html SHA256: 6dea1bdf016f1e88f6fedfa3b79d89ebfed8f1aa0db547a7d389bc59b589f18a SHA1: c954f28aed0a616a68c19aa9aaa5a569dd7451ac MD5: ce3ac2236b1cdd0a2695dce6ba384477
M20-exg71	Zegost_1c449492	Windows	This strike sends a malware sample known as Zegost. Zegost, also known as Zusy, uses man-in-the-middle attacks to steal banking information. When executed, it injects itself into legitimate Windows processes such as "explorer.exe" and "winver.exe". When the user accesses a banking website, it displays a form to trick the user into submitting personal information.	1c4494926a2b2555a13753a528bca733	https://blog.talosintelligence.com/2020/11/threat-roundup-1106-1113.html SHA256: d73e05c11d942abda55aaa50a6c96e235508777c89985208c8e0f94195df9d67 SHA1: 69197ebe64f7c9f0cd789be063822eea5239c767 MD5: 1c4494926a2b2555a13753a528bca733
M20-ta6w1	Upatre_f0256ed3	Windows	This strike sends a malware sample known as Upatre. Upatre is a malicious downloader often used by exploit kits and phishing campaigns. Upatre downloads and executes malicious executables, such as banking malware.	f0256ed39ffdd70c0df59941538d041b	https://blog.talosintelligence.com/2020/11/threat-roundup-1030-1106.html SHA256: 14248c863bdaea2df1bde2d0a01f3d2506a2bcf5810fb651b27e2fe16b03b2e7 SHA1: 0634310f2401a7496b3c2db32dc70a3afc4a4ae8 MD5: f0256ed39ffdd70c0df59941538d041b
M20-4tpo1	Ruskill_653db921	Windows	This strike sends a polymorphic malware sample known as Ruskill. Ruskill is a botnet that spreads via removable media and through messaging applications. It steals credentials and distributes denial of service attacks.The binary has random contents appended in one of the existing sections in the PE file format.	653db92104917aa366ce680b9ac563dc	https://arxiv.org/abs/1801.08917 SHA256: 5d0a7067f9f5275a256e1a45b2cbb815e0589ae28723d93b6aaf99184e138f1e SHA1: 3227f0fd7b55813cbed5a0617117052f2656f620 PARENTID: M20-b3zp1 SSDEEP: 3072:KeZAb3i+SYngFAg0Fuh/oAOnge05l+x+fQ5UpkK3LIu78iPNH4jrsgd1zS+wL0/b:KefrFAOZoIPf78ENmrJdRS++0nn0u MD5: 653db92104917aa366ce680b9ac563dc
M20-yhbo1	Upatre_1ba36e0d	Windows	This strike sends a malware sample known as Upatre. Upatre is a malicious downloader often used by exploit kits and phishing campaigns. Upatre downloads and executes malicious executables, such as banking malware.	1ba36e0dd3b26bce1b1c9dabefb4fa96	https://blog.talosintelligence.com/2020/11/threat-roundup-1030-1106.html SHA256: 0edaf9c336bb1123ed3dc419a54d483670352cb075c70bb8ed59cbe38048e482 SHA1: be5d59a67202cfb805cb82883ef476598bc20f04 MD5: 1ba36e0dd3b26bce1b1c9dabefb4fa96
M20-ps131	Scar_628f4334	Windows	This strike sends a malware sample known as Scar. Scar is a worm and will download files while also trying to spread to other machines by copying itself to removable media.	628f4334ccffc5726199ac0cdf0d31d1	https://blog.talosintelligence.com/2020/11/threat-roundup-1106-1113.html SHA256: 0104ced43c17c50d44ef5517e095d15d38cc922071a5370bd4526e40802e05a3 SHA1: 5ba7dc5f628f4afc4be883f10f10ec0206b88bc7 MD5: 628f4334ccffc5726199ac0cdf0d31d1
M20-0lxw1	Kuluoz_4f2d6b2a	Windows	This strike sends a polymorphic malware sample known as Kuluoz. Kuluoz also called Asprox is a remote access trojan that has been known to download and execute additional malware like fake antivirus software.The binary file has one more imports added in the import table.	4f2d6b2ad873d6e30155a0dd44202d55	https://arxiv.org/abs/1702.05983 SHA256: ac8f24adc539fd1255ed7b2a633ead7715a3c870a7cc531680b4beb2f3cf717e SHA1: 0b1e4f86aeb9d95c9dac91ce7dc68d1c948ba3a6 PARENTID: M20-vqam1 SSDEEP: 3072:O+3rnRRy6Z296cjNZGIJtYYdftMdzsFGY9fs:RrRRyD5EbYZOCQY MD5: 4f2d6b2ad873d6e30155a0dd44202d55
M20-a4tk1	Zegost_88ae879a	Windows	This strike sends a malware sample known as Zegost. Zegost, also known as Zusy, uses man-in-the-middle attacks to steal banking information. When executed, it injects itself into legitimate Windows processes such as "explorer.exe" and "winver.exe". When the user accesses a banking website, it displays a form to trick the user into submitting personal information.	88ae879afdc027bcb823d51dbb777d15	https://blog.talosintelligence.com/2020/11/threat-roundup-1106-1113.html SHA256: fcfebe1d5d63610ffff431cffda049582931c3c1dd7e6a2ca10258a230b8e21c SHA1: 9b60a57c659b7b1365c969b694718e14de53a032 MD5: 88ae879afdc027bcb823d51dbb777d15
M20-vymy1	LokiBot_298271a7	Windows	This strike sends a malware sample known as LokiBot. Lokibot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered via spam emails.	298271a724316ae773dfbebea4703038	https://blog.talosintelligence.com/2020/11/threat-roundup-1113-1120.html SHA256: 0204655a385df7ad8797bfc31f817e1208e7e62154c866a333683f35aa9a7d41 SHA1: 1aa220d1403461427f235ca5311be174686c9ba8 MD5: 298271a724316ae773dfbebea4703038
M20-6xmt1	Upatre_8df21c17	Windows	This strike sends a malware sample known as Upatre. Upatre is a malicious downloader often used by exploit kits and phishing campaigns. Upatre downloads and executes malicious executables, such as banking malware.	8df21c177228404e4b420b9753f10f14	https://blog.talosintelligence.com/2020/11/threat-roundup-1030-1106.html SHA256: 0fc901eb87412c4c4734827a0b220de9f6a5932600d1f15bfb643ef2b9eeb0e2 SHA1: 3fd85c6997e889a0dd35054673c60aeaf19ffcb7 MD5: 8df21c177228404e4b420b9753f10f14
M20-749i1	TinyBanker_ebf2fb86	Windows	This strike sends a malware sample known as TinyBanker. The malware TinyBanker, also known as Zusy or Tinba, is a trojan that uses a javascript injected form to steal banking information. When executed, it injects itself into Windows processes like "explorer.exe" and "winver.exe.	ebf2fb861086af8914d60d11d6451977	https://blog.talosintelligence.com/2020/11/threat-roundup-1106-1113.html SHA256: 2d792d1df39ab0201d721c389eb4094568e2fbc96c6d1e9f6d8711c96669ed8d SHA1: c34f81d4a9c1f8d364d6fbefa4b9bc86fc5c046b MD5: ebf2fb861086af8914d60d11d6451977
M20-zpqj1	LokiBot_cf156148	Windows	This strike sends a malware sample known as LokiBot. Lokibot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered via spam emails.	cf1561485f3bae2ae2e9ba8a09a28e3d	https://blog.talosintelligence.com/2020/11/threat-roundup-1113-1120.html SHA256: baedd4452291763813c3fcb3129f1be226b33c5e2ccc8fb85bf6d614c57da29d SHA1: 1249d133595c252eb5d0ad44c05e7e4e16c7ed15 MD5: cf1561485f3bae2ae2e9ba8a09a28e3d
M20-9c5o1	LokiBot_754ba410	Windows	This strike sends a malware sample known as LokiBot. Lokibot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered via spam emails.	754ba4100095de1dfb830d226af267eb	https://blog.talosintelligence.com/2020/11/threat-roundup-1113-1120.html SHA256: 1ab3437a50129edfc7fb6fb1117468f6166387e29e7b8b84123bc817fa80ec53 SHA1: f3efb9cb4392fbfc45fce0781090150dda5f2c28 MD5: 754ba4100095de1dfb830d226af267eb
M20-fi9r1	Kuluoz_18ebe58a	Windows	This strike sends a malware sample known as Kuluoz. Kuluoz also called Asprox is a remote access trojan that has been known to download and execute additional malware like fake antivirus software.	18ebe58a606b06daac837db615ceb3ae	https://blog.talosintelligence.com/2020/11/threat-roundup-1106-1113.html SHA256: 147f5d45e43693be523fb498df1a864fc7753454fa3842cddd682502e44b8703 SHA1: dfd98e9e859b983d1813201f3eb65ca2d92dfa15 MD5: 18ebe58a606b06daac837db615ceb3ae
M20-9h2k1	Kuluoz_2470172c	Windows	This strike sends a malware sample known as Kuluoz. Kuluoz also called Asprox is a remote access trojan that has been known to download and execute additional malware like fake antivirus software.	2470172c7e9f2ead84917c01bb009992	https://blog.talosintelligence.com/2020/11/threat-roundup-1106-1113.html SHA256: 102dc1c84b94f9f5e5723c544f34f737dc2c9ac54fa95c89942fdf2cefc3bff2 SHA1: b24b266fb003d9fbfff77517fe9ed0b53c3d292e MD5: 2470172c7e9f2ead84917c01bb009992
M20-z22p1	LokiBot_4d198d9c	Windows	This strike sends a malware sample known as LokiBot. Lokibot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered via spam emails.	4d198d9c0564a594ce46be7bce19edd6	https://blog.talosintelligence.com/2020/11/threat-roundup-1113-1120.html SHA256: 18885983795417170faf05d6f4c58dc6dc2ef4977f97d37a2b2c461cc3d0f4a2 SHA1: 343d81618c27bd77467ba7eca36e17e9012a9473 MD5: 4d198d9c0564a594ce46be7bce19edd6
M20-5ytn1	LokiBot_47026faf	Windows	This strike sends a malware sample known as LokiBot. Lokibot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered via spam emails.	47026fafcb973ba3387e8c97f6871bb1	https://blog.talosintelligence.com/2020/11/threat-roundup-1113-1120.html SHA256: 26f747be5df0197b793030c61e5bdc84336057b7e40153e42e6f17b50cd420ec SHA1: 99c019ef2bfd0ada44d57eb46f047faaf0a411fe MD5: 47026fafcb973ba3387e8c97f6871bb1
M20-ehnu1	Upatre_3affcb33	Windows	This strike sends a malware sample known as Upatre. Upatre is a malicious downloader often used by exploit kits and phishing campaigns. Upatre downloads and executes malicious executables, such as banking malware.	3affcb33be9245925725fac356b626c7	https://blog.talosintelligence.com/2020/11/threat-roundup-1030-1106.html SHA256: 1339b417dc6a9fb2f4148ce0922d91b7dbfd16a18b23eddf45698e5859a21a28 SHA1: a8ed34c9fa381d8a9fd83e0da9c8ba3e8777e322 MD5: 3affcb33be9245925725fac356b626c7
M20-djld1	LokiBot_9080d22e	Windows	This strike sends a polymorphic malware sample known as LokiBot. Lokibot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered via spam emails.The binary has been packed using upx packer, with the default options.	9080d22e80227fff2e55c42ca53b4061	https://attack.mitre.org/techniques/T1045/ SHA256: 0ec2524eedaa47e7b9be76a29a3d44e60b5ff9389ad5643ab5b2d64b0dc6f639 SHA1: b5326e2e9bd01342aa708f780367e5882a6fe0b9 PARENTID: M20-dkum1 SSDEEP: 6144:4NJcrNeJgEMtxC1B6WurrD0FpWvCmqD3C7uW/JPnkqpHCmVafem:Xxeoq1FuropW63CfJPkqpigZm MD5: 9080d22e80227fff2e55c42ca53b4061
M20-x1ky1	Scar_3171bbe3	Windows	This strike sends a malware sample known as Scar. Scar is a worm and will download files while also trying to spread to other machines by copying itself to removable media.	3171bbe396ea5bec0d85042f7e891677	https://blog.talosintelligence.com/2020/11/threat-roundup-1106-1113.html SHA256: 19e5a32971083cf05139a5440aa32ec245e382cf97b39c0dfd78d0517bd76156 SHA1: ce00c9f019a282fcc8e23e081f066ad936e40514 MD5: 3171bbe396ea5bec0d85042f7e891677
M20-b3zp1	Ruskill_be5e43f2	Windows	This strike sends a malware sample known as Ruskill. Ruskill is a botnet that spreads via removable media and through messaging applications. It steals credentials and distributes denial of service attacks.	be5e43f2786d628b7aa8689c2108247d	https://blog.talosintelligence.com/2020/11/threat-roundup-1030-1106.html SHA256: e94e2513ae3d7d289ddd91e059554e0416a2e912e5153607c7f4de99a6a05282 SHA1: 03a7ec0e3607010cb872fd08b3b367fd6bb53cb3 MD5: be5e43f2786d628b7aa8689c2108247d
M20-1tr41	Zegost_b4d81bd7	Windows	This strike sends a polymorphic malware sample known as Zegost. Zegost, also known as Zusy, uses man-in-the-middle attacks to steal banking information. When executed, it injects itself into legitimate Windows processes such as "explorer.exe" and "winver.exe". When the user accesses a banking website, it displays a form to trick the user into submitting personal information.The binary has been packed using upx packer, with the default options.	b4d81bd727d1b0f197e83dfe045147f0	https://attack.mitre.org/techniques/T1045/ SHA256: 5ee23b7541c85513df1d260ac7b25c2825a7cec5144ef7f86aef38066326af7e SHA1: b6abda109dd932785b479312b106e47524320992 PARENTID: M20-a4tk1 SSDEEP: 1536:blncXusueq0pzMaJ5EK5ylBsmaGRrnGxBug2gVjiBIrAAsG6awM:pnk3q0LxK68 MD5: b4d81bd727d1b0f197e83dfe045147f0
M20-kuwr1	Kuluoz_cdf5509f	Windows	This strike sends a malware sample known as Kuluoz. Kuluoz also called Asprox is a remote access trojan that has been known to download and execute additional malware like fake antivirus software.	cdf5509f6620ea3199e5bd0a34530435	https://blog.talosintelligence.com/2020/11/threat-roundup-1106-1113.html SHA256: 05c69adb568ceccc1817572db5ce9b124614cad27e6bf61e09e370e86619d9e5 SHA1: 5547743d81d92b997224148ed71931925e6d2ba7 MD5: cdf5509f6620ea3199e5bd0a34530435
M20-rz9r1	Zegost_114a0086	Windows	This strike sends a malware sample known as Zegost. Zegost, also known as Zusy, uses man-in-the-middle attacks to steal banking information. When executed, it injects itself into legitimate Windows processes such as "explorer.exe" and "winver.exe". When the user accesses a banking website, it displays a form to trick the user into submitting personal information.	114a00861438a53af3626629f072c496	https://blog.talosintelligence.com/2020/11/threat-roundup-1106-1113.html SHA256: 5d21dc1acd0a1dc1f3eee5da9a1fd8caa2830fc17cc1bbb7d48322c20c528e3b SHA1: 58c10e0af3cc6ad9a02880ada017b5b95ac6fde7 MD5: 114a00861438a53af3626629f072c496
M20-yfho1	Ruskill_4cc1fdf0	Windows	This strike sends a polymorphic malware sample known as Ruskill. Ruskill is a botnet that spreads via removable media and through messaging applications. It steals credentials and distributes denial of service attacks.The binary has the checksum removed in the PE file format.	4cc1fdf07ade397fe202ff10dcd9d1d3	https://arxiv.org/abs/1801.08917 SHA256: 8fa14c7d8971a6ef7455fe3595f7bef89b1b58f814cf4cb4008e2138b6d79798 SHA1: f9bc211a993da5fbc0ac2cd59f513038606d828b PARENTID: M20-b3zp1 SSDEEP: 3072:KeZAb3i+SYngFAg0Fuh/oAOnge05l+x+fQ5UpkK3LIu78iPNH4jrsgd1zS+wL0/b:KefrFAOZoIPf78ENmrJdRS++0nn0u MD5: 4cc1fdf07ade397fe202ff10dcd9d1d3
M20-9r711	Kuluoz_317767f7	Windows	This strike sends a malware sample known as Kuluoz. Kuluoz also called Asprox is a remote access trojan that has been known to download and execute additional malware like fake antivirus software.	317767f77668bbd3f31cf19b7c0bfb99	https://blog.talosintelligence.com/2020/11/threat-roundup-1106-1113.html SHA256: 164d7067512529bc58a2c4f7559b2febe1adbf25a510229d180c6dc83f3c79d5 SHA1: b32e9ea71127d83027ae890a2e70a6fff06db829 MD5: 317767f77668bbd3f31cf19b7c0bfb99
M20-znq91	Scar_0c6c38f7	Windows	This strike sends a polymorphic malware sample known as Scar. Scar is a worm and will download files while also trying to spread to other machines by copying itself to removable media.The binary has random strings (lorem ipsum) appended at the end of the file.	0c6c38f795d373fc8f5fc07f908903c4	https://attack.mitre.org/techniques/T1009/ SHA256: 71cbe6f587485263adfb09cbe7d72ffa8ae4aad8010bd6861af1b8ae62313990 SHA1: 4ba4c168b6662702eaf96c1a4031b8a677cd985b PARENTID: M20-z5lw1 SSDEEP: 1536:XeNCn/HB8HMNYDBbZDeNCn/HB8ir6Ze8qVgMXL5Vl:XeGOMNYPDeGR6vYfl MD5: 0c6c38f795d373fc8f5fc07f908903c4
M20-8zgd1	Scar_2008fa22	Windows	This strike sends a malware sample known as Scar. Scar is a worm and will download files while also trying to spread to other machines by copying itself to removable media.	2008fa2210a7123f228d83616b5b206b	https://blog.talosintelligence.com/2020/11/threat-roundup-1106-1113.html SHA256: 044b16ad91fcea7968cf813f2f14978051f08420a85ef2adfc3b72e6710dd7b8 SHA1: a0742fa353a9580d99e8def64e49049a179cf005 MD5: 2008fa2210a7123f228d83616b5b206b
M20-md401	Zegost_5bde8a69	Windows	This strike sends a malware sample known as Zegost. Zegost, also known as Zusy, uses man-in-the-middle attacks to steal banking information. When executed, it injects itself into legitimate Windows processes such as "explorer.exe" and "winver.exe". When the user accesses a banking website, it displays a form to trick the user into submitting personal information.	5bde8a697c4ed4b020035278f48ebbca	https://blog.talosintelligence.com/2020/11/threat-roundup-1106-1113.html SHA256: 131daa7870f3dc8d2c2499a38930371595c86fbdf5394159b4a11c68eaac5c9d SHA1: 600df1cb18a0153207ecda6f2e8b00b81768fa64 MD5: 5bde8a697c4ed4b020035278f48ebbca
M20-j2gg1	Zegost_1e5b1708	Windows	This strike sends a polymorphic malware sample known as Zegost. Zegost, also known as Zusy, uses man-in-the-middle attacks to steal banking information. When executed, it injects itself into legitimate Windows processes such as "explorer.exe" and "winver.exe". When the user accesses a banking website, it displays a form to trick the user into submitting personal information.The binary has random strings (lorem ipsum) appended at the end of the file.	1e5b1708147129aba1f46ffeae389376	https://attack.mitre.org/techniques/T1009/ SHA256: 76641e4832354cce2faf6943a4db0c588cb64a1006f2046ce8dbfa31bd08ed92 SHA1: cd03e440dbdb9d6135a721575c45e80115b8192b PARENTID: M20-a4tk1 SSDEEP: 1536:W7rQY+94cHoLdfTYfNXKFMaJ5EK5ylBsmatRrnGxBugOgVjiBarAAsG6aHMf:z9nILR01XKvxrG8r MD5: 1e5b1708147129aba1f46ffeae389376
M20-f9gt1	Zegost_e8bea4b9	Windows	This strike sends a polymorphic malware sample known as Zegost. Zegost, also known as Zusy, uses man-in-the-middle attacks to steal banking information. When executed, it injects itself into legitimate Windows processes such as "explorer.exe" and "winver.exe". When the user accesses a banking website, it displays a form to trick the user into submitting personal information.The binary has random bytes appended at the end of the file.	e8bea4b97c08b5123088e99497c4cdc7	https://attack.mitre.org/techniques/T1009/ SHA256: f4ce6cb08e3e5bb097259d02ffb390a053065633f72eb3f22fd38829f16310fb SHA1: 9093604b348cc3af6f1e3782f963be714c5f77e3 PARENTID: M20-a4tk1 SSDEEP: 1536:W7rQY+94cHoLdfTYfNXKFMaJ5EK5ylBsmatRrnGxBugOgVjiBarAAsG6aHMj:z9nILR01XKvxrG8X MD5: e8bea4b97c08b5123088e99497c4cdc7
M20-qcg81	Scar_4139d679	Windows	This strike sends a malware sample known as Scar. Scar is a worm and will download files while also trying to spread to other machines by copying itself to removable media.	4139d6792f8a47e5d9e0fe1b434cadb5	https://blog.talosintelligence.com/2020/11/threat-roundup-1106-1113.html SHA256: 0c3f298c88b8f94b587306a536b32644a8960994e7d9db810a0e5468bbc624e8 SHA1: 428781e02008259a6ef4d581050c9dbb4496de08 MD5: 4139d6792f8a47e5d9e0fe1b434cadb5
M20-enn51	Zegost_9f52a0f4	Windows	This strike sends a malware sample known as Zegost. Zegost, also known as Zusy, uses man-in-the-middle attacks to steal banking information. When executed, it injects itself into legitimate Windows processes such as "explorer.exe" and "winver.exe". When the user accesses a banking website, it displays a form to trick the user into submitting personal information.	9f52a0f4981acda5629b4281651eba9f	https://blog.talosintelligence.com/2020/11/threat-roundup-1106-1113.html SHA256: 04505dcb27c2849a8096879511fd5fec19af6cbc84b8399c96ee37006e8478b4 SHA1: 835740677fdfd9c301eb11d148ccedcc6f34e673 MD5: 9f52a0f4981acda5629b4281651eba9f
M20-b93g2	Kuluoz_287f6409	Windows	This strike sends a malware sample known as Kuluoz. Kuluoz also called Asprox is a remote access trojan that has been known to download and execute additional malware like fake antivirus software.	287f6409bcbd54c59c175fece1abb995	https://blog.talosintelligence.com/2020/11/threat-roundup-1106-1113.html SHA256: 0033aace105fe8a25a363b73c0029b0a1608a1300267d02772e7478d04096b6e SHA1: 0962aa36ed16417903891d8667fa5ebf3375692c MD5: 287f6409bcbd54c59c175fece1abb995
M20-3lfv1	LokiBot_e2f72215	Windows	This strike sends a polymorphic malware sample known as LokiBot. Lokibot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered via spam emails.The binary has random contents appended in one of the existing sections in the PE file format.	e2f7221545da3787b1ad45c0e245f0e1	https://arxiv.org/abs/1801.08917 SHA256: a07dca7969782f0449b767aec9e79bb10b8b04d6a0899cc8220703c765a48b65 SHA1: cfb984b053b2f1974649027817739688e23b62c7 PARENTID: M20-dkum1 SSDEEP: 12288:l8lL+2DoylNo6ssspUiDKJqzisC+hez53Wc/U:ellsylm62KMO6C+0Vl8 MD5: e2f7221545da3787b1ad45c0e245f0e1
M20-usvx1	Kuluoz_639147d6	Windows	This strike sends a malware sample known as Kuluoz. Kuluoz also called Asprox is a remote access trojan that has been known to download and execute additional malware like fake antivirus software.	639147d6eae567f8d88715bef315905c	https://blog.talosintelligence.com/2020/11/threat-roundup-1106-1113.html SHA256: 01b866aac1fcf13c0b46057146b0ff5ffee55cc4512e892696c477430e4c93f4 SHA1: f9644e20dd81378e5efe3e2f6af941aa61bd2ad5 MD5: 639147d6eae567f8d88715bef315905c
M20-g25h1	Scar_c5cc2b2b	Windows	This strike sends a malware sample known as Scar. Scar is a worm and will download files while also trying to spread to other machines by copying itself to removable media.	c5cc2b2bd4979d83a23297389e7a66b8	https://blog.talosintelligence.com/2020/11/threat-roundup-1106-1113.html SHA256: 04f37e9dac2d7e0c327576c20d9c6de2e7e25dfca39af8043a5eac12a1609c46 SHA1: 76f5521d946f3d303cc244de54aea5b6e1817d33 MD5: c5cc2b2bd4979d83a23297389e7a66b8
M20-lp4y1	Kuluoz_5afe943a	Windows	This strike sends a polymorphic malware sample known as Kuluoz. Kuluoz also called Asprox is a remote access trojan that has been known to download and execute additional malware like fake antivirus software.The binary has random contents appended in one of the existing sections in the PE file format.	5afe943a3fde584fcf5fed55ce5b1d79	https://arxiv.org/abs/1801.08917 SHA256: 1b49af3213c7f64ec08cfd643c09af2571097ccea9e73a0418936da8cc27a476 SHA1: c834437df6f4054e0bb916a0290e47d0ac7b20f2 PARENTID: M20-vqam1 SSDEEP: 3072:B+3rnRRy6Z296cjNZGI5pYYdftMdzsFGY9f:orRRyD5E7YZOCQY MD5: 5afe943a3fde584fcf5fed55ce5b1d79
M20-l8dw1	Zegost_e4fb9690	Windows	This strike sends a malware sample known as Zegost. Zegost, also known as Zusy, uses man-in-the-middle attacks to steal banking information. When executed, it injects itself into legitimate Windows processes such as "explorer.exe" and "winver.exe". When the user accesses a banking website, it displays a form to trick the user into submitting personal information.	e4fb9690e4d9fdf344b73d4196c18ef3	https://blog.talosintelligence.com/2020/11/threat-roundup-1106-1113.html SHA256: 9413345aa7058c93e4c376adccb0e3107d76c18a8fd7fc598e27f3104e9b8031 SHA1: 4903253ffe990be3b45e337d95c6d0a6e099b72e MD5: e4fb9690e4d9fdf344b73d4196c18ef3
M20-z1hj1	Scar_e9bd79bb	Windows	This strike sends a malware sample known as Scar. Scar is a worm and will download files while also trying to spread to other machines by copying itself to removable media.	e9bd79bb61fc7ac4f4ff2dea03751bc1	https://blog.talosintelligence.com/2020/11/threat-roundup-1106-1113.html SHA256: 14096dde1b9c83ce19a9ed099cd8e3cbb05a463ffe1898fdc863328bc852fe5c SHA1: 76d0192e280d6435900e50fed3f90106b0c3335c MD5: e9bd79bb61fc7ac4f4ff2dea03751bc1
M20-qqw61	Scar_91eb29c6	Windows	This strike sends a malware sample known as Scar. Scar is a worm and will download files while also trying to spread to other machines by copying itself to removable media.	91eb29c6e9c065a0259b936101739b90	https://blog.talosintelligence.com/2020/11/threat-roundup-1106-1113.html SHA256: 0d896d314daf2f17200db696b73e43916fe35c2c02838557bba7aff3950cbc4c SHA1: 3f8d7dcbe5ce17d04e9309825dd3f8b8c30c246b MD5: 91eb29c6e9c065a0259b936101739b90
M20-uyvp1	LokiBot_b16e4e70	Windows	This strike sends a malware sample known as LokiBot. Lokibot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered via spam emails.	b16e4e70f692bc53b71d54679e63af6e	https://blog.talosintelligence.com/2020/11/threat-roundup-1113-1120.html SHA256: a2058e7365fff5315e1a1452e7d438d8e8149791293654ad0c3976bde76a1795 SHA1: 15600c670042ecb6449ef7b1308e693e0050cf1a MD5: b16e4e70f692bc53b71d54679e63af6e
M20-2gm71	Upatre_83392327	Windows	This strike sends a malware sample known as Upatre. Upatre is a malicious downloader often used by exploit kits and phishing campaigns. Upatre downloads and executes malicious executables, such as banking malware.	8339232735ecae5963462f7c4e73ef85	https://blog.talosintelligence.com/2020/11/threat-roundup-1030-1106.html SHA256: 113eedd981dffbcb9039f646be991681a3be66069b0fe5bbef60135b2bd633a4 SHA1: 3234a1dbf3559348916f934c3d889ea06077c7d5 MD5: 8339232735ecae5963462f7c4e73ef85
M20-byum1	TinyBanker_b20386f9	Windows	This strike sends a malware sample known as TinyBanker. The malware TinyBanker, also known as Zusy or Tinba, is a trojan that uses a javascript injected form to steal banking information. When executed, it injects itself into Windows processes like "explorer.exe" and "winver.exe.	b20386f967f4214050b3c18f5d335f9c	https://blog.talosintelligence.com/2020/11/threat-roundup-1106-1113.html SHA256: 3484dd48824bd7f55fd0e3e90f065c7a01b71c80110db34471e4064db306d7e3 SHA1: 2edb4f4c5a62ed0154df29d7afd6cdbb26039df8 MD5: b20386f967f4214050b3c18f5d335f9c
M20-4a4b1	Ruskill_949c9314	Windows	This strike sends a malware sample known as Ruskill. Ruskill is a botnet that spreads via removable media and through messaging applications. It steals credentials and distributes denial of service attacks.	949c93148b31f353b564ead90bc2644d	https://blog.talosintelligence.com/2020/11/threat-roundup-1030-1106.html SHA256: 3a6e951c5102c0b49619c9eaa4ac1a429cd3888a00ec385a4bd043b5913a569a SHA1: ede073f0b49cb55ae0282d2fd26e9456f5e356e3 MD5: 949c93148b31f353b564ead90bc2644d
M20-7u2o1	Ruskill_688624dd	Windows	This strike sends a malware sample known as Ruskill. Ruskill is a botnet that spreads via removable media and through messaging applications. It steals credentials and distributes denial of service attacks.	688624ddab6d450d24a7a6c317de6cc3	https://blog.talosintelligence.com/2020/11/threat-roundup-1030-1106.html SHA256: 5994380423f37b540168ac921c4b48dacbdb52bec45271bca8e14c1691e36810 SHA1: b345be0353ab925d58cdf7f62eca2849fe669b12 MD5: 688624ddab6d450d24a7a6c317de6cc3
M20-dkum1	LokiBot_186e231b	Windows	This strike sends a malware sample known as LokiBot. Lokibot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered via spam emails.	186e231b1e4d0ff6626403f2c1f58906	https://blog.talosintelligence.com/2020/11/threat-roundup-1113-1120.html SHA256: ce9d8f4765b5204c63db281fb6f3124681ee66a75d236426027c71f1fc575b0f SHA1: bfadab32ad8b781e80f8f760b94c1582bbda7918 MD5: 186e231b1e4d0ff6626403f2c1f58906
M20-z6661	Upatre_c3e570fc	Windows	This strike sends a malware sample known as Upatre. Upatre is a malicious downloader often used by exploit kits and phishing campaigns. Upatre downloads and executes malicious executables, such as banking malware.	c3e570fc670c2c76e36a072f06740bd4	https://blog.talosintelligence.com/2020/11/threat-roundup-1030-1106.html SHA256: 131da532114bed0cf7fb3fec6e07bce430dd81eea06ff1c37d5cae3e82345afc SHA1: c74a952b7ab8e4875b2339cf6945a5755e99c102 MD5: c3e570fc670c2c76e36a072f06740bd4
M20-qzfp1	Kuluoz_93af451a	Windows	This strike sends a malware sample known as Kuluoz. Kuluoz also called Asprox is a remote access trojan that has been known to download and execute additional malware like fake antivirus software.	93af451a9a9b7ce0b3f227ba2d6ad085	https://blog.talosintelligence.com/2020/11/threat-roundup-1106-1113.html SHA256: 10ca01e9a958354e6cc4c199d4552faa328548a856a75eba90f8fc8555de053e SHA1: e79d0d2e3ab9ec1397c77ac08870232eb62949ca MD5: 93af451a9a9b7ce0b3f227ba2d6ad085
M20-aznu1	Kuluoz_3e015bab	Windows	This strike sends a malware sample known as Kuluoz. Kuluoz also called Asprox is a remote access trojan that has been known to download and execute additional malware like fake antivirus software.	3e015bab445cb8763636cd4a4c66d801	https://blog.talosintelligence.com/2020/11/threat-roundup-1106-1113.html SHA256: 180430089f1befbe2aba2e1303dcba20d174f73421a80fdda7062a7ce936a9d5 SHA1: ca4f34f568457bd4e299bb0ce40c593e5ecf114e MD5: 3e015bab445cb8763636cd4a4c66d801
M20-9iky1	Kuluoz_77aca864	Windows	This strike sends a malware sample known as Kuluoz. Kuluoz also called Asprox is a remote access trojan that has been known to download and execute additional malware like fake antivirus software.	77aca864bb43d404baa9ecbfb97d130d	https://blog.talosintelligence.com/2020/11/threat-roundup-1106-1113.html SHA256: 0b68e11e0ec63aa1598b7b1f4d3325a6200c9dcfb8ac03b335454345a8ad9cf1 SHA1: c230fd5bbbe91da61ced91b53d0d0ef17441daa8 MD5: 77aca864bb43d404baa9ecbfb97d130d
M20-cllo1	Scar_27161106	Windows	This strike sends a malware sample known as Scar. Scar is a worm and will download files while also trying to spread to other machines by copying itself to removable media.	271611065a218801f7869636ec844402	https://blog.talosintelligence.com/2020/11/threat-roundup-1106-1113.html SHA256: 00e796f8000ef5caa26c673c7fad9bbe4f3877219dbc6ad4788638518a2bab8a SHA1: 9f0148e2887daa9e5bac58b370e922d7b1cc0e0e MD5: 271611065a218801f7869636ec844402
M20-b4hk1	Scar_ebaed22b	Windows	This strike sends a malware sample known as Scar. Scar is a worm and will download files while also trying to spread to other machines by copying itself to removable media.	ebaed22b81e90153fc2ad70098604ae2	https://blog.talosintelligence.com/2020/11/threat-roundup-1106-1113.html SHA256: 01abd635501f74d0309ca806ea66b015f0665f4ba5e44e1aeb10a3fce67d91e5 SHA1: a4be8561e7c96cf6534a18d747ab95c227d55704 MD5: ebaed22b81e90153fc2ad70098604ae2
M20-ja2m1	Upatre_d481d1cc	Windows	This strike sends a malware sample known as Upatre. Upatre is a malicious downloader often used by exploit kits and phishing campaigns. Upatre downloads and executes malicious executables, such as banking malware.	d481d1ccafdaec0da47049d151459e4e	https://blog.talosintelligence.com/2020/11/threat-roundup-1030-1106.html SHA256: 0a82b11e85126cb623e27a61726f74637e8c652187cf9a770bae47056ec823ef SHA1: 14bbf233dbb539b6c977fba74fccab06911cc3e4 MD5: d481d1ccafdaec0da47049d151459e4e
M20-3v7z1	Kuluoz_a8376144	Windows	This strike sends a polymorphic malware sample known as Kuluoz. Kuluoz also called Asprox is a remote access trojan that has been known to download and execute additional malware like fake antivirus software.The binary has been packed using upx packer, with the default options.	a8376144472b76b3df8c4ab2aa626511	https://attack.mitre.org/techniques/T1045/ SHA256: 800d3cace4d9179399af71f347b1cf32536ad6e43a2a88fb866f9e0dd45209ab SHA1: 7b2af14b83ad7a7a76800d0b827e6ad3e7cdc455 PARENTID: M20-vqam1 SSDEEP: 1536:3cWVl7eWu9Gfqo2rRR3eloIVK5SItcZLyqffr9Rmmq7QvgQQruRYtLl5J6:M0lq2kr73eyIE5Z+FHmx7ZjOY1w MD5: a8376144472b76b3df8c4ab2aa626511
M20-28bh1	Scar_7e089601	Windows	This strike sends a malware sample known as Scar. Scar is a worm and will download files while also trying to spread to other machines by copying itself to removable media.	7e089601c83340ebdbaaef2a9d4ebb45	https://blog.talosintelligence.com/2020/11/threat-roundup-1106-1113.html SHA256: 07f4b5112399b282a12f5a503f7084f9c6c458d0ae6cf557b0c4b5397263b61d SHA1: 6ccc6cfd4e5126ccb198273bcc105e853f8f5d3f MD5: 7e089601c83340ebdbaaef2a9d4ebb45
M20-zmxi1	Ruskill_08417575	Windows	This strike sends a malware sample known as Ruskill. Ruskill is a botnet that spreads via removable media and through messaging applications. It steals credentials and distributes denial of service attacks.	0841757582ec90c1aa0b2e5dcfa18a10	https://blog.talosintelligence.com/2020/11/threat-roundup-1030-1106.html SHA256: cb213c083836d38c60732422b6bdd871018f8807458d3161a9ed669e0f4dfdd5 SHA1: 469a177e87877e02c012fb47138af07679d1510a MD5: 0841757582ec90c1aa0b2e5dcfa18a10
M20-kpej1	Scar_6664c718	Windows	This strike sends a polymorphic malware sample known as Scar. Scar is a worm and will download files while also trying to spread to other machines by copying itself to removable media.The binary has a random section name renamed according to the PE format specification.	6664c718d5bb1dc98f97a91013a9f017	https://arxiv.org/abs/1801.08917 SHA256: c890f10146c4afbdece20da0f3999d26bbe5b5bf0bc4e60d3125d9473a2b1de2 SHA1: f78aaa4b181806e060f881cb97722feb1633a435 PARENTID: M20-z5lw1 SSDEEP: 1536:reNCn/HB8HMNYDBbZDeNCn/HB8ir6Ze8qVgMXL5V:reGOMNYPDeGR6vYf MD5: 6664c718d5bb1dc98f97a91013a9f017
M20-j5ym1	Kuluoz_f328c1a0	Windows	This strike sends a malware sample known as Kuluoz. Kuluoz also called Asprox is a remote access trojan that has been known to download and execute additional malware like fake antivirus software.	f328c1a0ab5d0bd50d346ffe5e4dcc5f	https://blog.talosintelligence.com/2020/11/threat-roundup-1106-1113.html SHA256: 100d6826120b96cb7eb3f3b645612a8c245909cc83fe84706dea4f4ecd79586f SHA1: 902afcd1f4dc73ba4f21c4cdc13b7031d1acce50 MD5: f328c1a0ab5d0bd50d346ffe5e4dcc5f
M20-dnx71	LokiBot_dcf9cbe7	Windows	This strike sends a malware sample known as LokiBot. Lokibot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered via spam emails.	dcf9cbe7ae9f37c58edc4f37821a44da	https://blog.talosintelligence.com/2020/11/threat-roundup-1113-1120.html SHA256: 6020db3ccb630880906593dbdbe6c4487ec81e8dea4555114f33eef0ac16b62a SHA1: d0fd4d0c4d7ab3eab2b366971be58c446cf99ddb MD5: dcf9cbe7ae9f37c58edc4f37821a44da
M20-jwe71	LokiBot_fd81a8e6	Windows	This strike sends a polymorphic malware sample known as LokiBot. Lokibot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered via spam emails.The binary has random bytes appended at the end of the file.	fd81a8e64de9f065551f77558849e86e	https://attack.mitre.org/techniques/T1009/ SHA256: 8e6218dc85c15023cbe11fcc514aee6c22156dd076df8e0865b3ab8a46961a65 SHA1: 797f35b33b1501548cf740b5da18d7b081927103 PARENTID: M20-dkum1 SSDEEP: 12288:c8lL+2DoylNo6ssspUiDKJqzisC+hez53Wc/UI:Lllsylm62KMO6C+0Vl8I MD5: fd81a8e64de9f065551f77558849e86e
M20-temi1	Zegost_6538e4c9	Windows	This strike sends a polymorphic malware sample known as Zegost. Zegost, also known as Zusy, uses man-in-the-middle attacks to steal banking information. When executed, it injects itself into legitimate Windows processes such as "explorer.exe" and "winver.exe". When the user accesses a banking website, it displays a form to trick the user into submitting personal information.The binary has random contents appended in one of the existing sections in the PE file format.	6538e4c9b1665b2aa256b625e2fb9fa2	https://arxiv.org/abs/1801.08917 SHA256: 7dca88e8f6105127e23f66af5ceb90228921ca17d75e6fd2ad6ee9c5357813a5 SHA1: cdf1c17c3884357dda543ed9259f52062fb1f8eb PARENTID: M20-a4tk1 SSDEEP: 1536:W7rQY+94cHoLdfTYfN8KFMaJ5EK5ylBsmatRrnGxBugOgVjiBarAAsG6aHM:z9nILR018KvxrG8 MD5: 6538e4c9b1665b2aa256b625e2fb9fa2
M20-2mqg1	Scar_30a527e1	Windows	This strike sends a malware sample known as Scar. Scar is a worm and will download files while also trying to spread to other machines by copying itself to removable media.	30a527e1edc2815eafc93d038c755f3d	https://blog.talosintelligence.com/2020/11/threat-roundup-1106-1113.html SHA256: 14166b0c720afd84d38e577adb42521b7d61130cd23c4098ac8ca7fd19f7b6ee SHA1: 30a77c17114ff69064b13be252dde2fdf1800d8d MD5: 30a527e1edc2815eafc93d038c755f3d
M20-eslj1	Upatre_3d374745	Windows	This strike sends a malware sample known as Upatre. Upatre is a malicious downloader often used by exploit kits and phishing campaigns. Upatre downloads and executes malicious executables, such as banking malware.	3d3747456ab3054f941ec41ebdc3ef1b	https://blog.talosintelligence.com/2020/11/threat-roundup-1030-1106.html SHA256: 1025f9c3232e2f5b318e5ea8f0cc586c91c161d254917d0491e6827309ffdab4 SHA1: ee7ce8237934b407952ba8ca5a54d5a86a439cfb MD5: 3d3747456ab3054f941ec41ebdc3ef1b
M20-p9j01	Upatre_45df574c	Windows	This strike sends a malware sample known as Upatre. Upatre is a malicious downloader often used by exploit kits and phishing campaigns. Upatre downloads and executes malicious executables, such as banking malware.	45df574c429c134460b49582c8d58b9c	https://blog.talosintelligence.com/2020/11/threat-roundup-1030-1106.html SHA256: 146413516e7e49489e8e1ca7e56b9a3173173a18e5e9078f3ee9a004d9b18d70 SHA1: d15558ab1d1d24512215de60b8f815b5601369d2 MD5: 45df574c429c134460b49582c8d58b9c
M20-iwdf1	Kuluoz_14d35354	Windows	This strike sends a polymorphic malware sample known as Kuluoz. Kuluoz also called Asprox is a remote access trojan that has been known to download and execute additional malware like fake antivirus software.The binary has a random section name renamed according to the PE format specification.	14d35354a20f9a516b7225b6372b3af5	https://arxiv.org/abs/1801.08917 SHA256: 8a6d102cc80ea5967522830de3fa96ec7f43d54a9eddaf8071786ae293659769 SHA1: 17030d672a9d278fe4de429a256dc55c99be587b PARENTID: M20-vqam1 SSDEEP: 3072:K+3rnRRy6Z296cjNZGI5pYYdftMdzsFGY9fY:VrRRyD5E7YZOCQYO MD5: 14d35354a20f9a516b7225b6372b3af5
M20-tvy51	Kuluoz_7d34c334	Windows	This strike sends a malware sample known as Kuluoz. Kuluoz also called Asprox is a remote access trojan that has been known to download and execute additional malware like fake antivirus software.	7d34c334b27aa770df9ea753945cb4fb	https://blog.talosintelligence.com/2020/11/threat-roundup-1106-1113.html SHA256: 1acba8f21ef1494cbb3e66e51a54681d8f77f5c41e09b33e410ca52cb67b633d SHA1: b05843047fda8da076b53cbe029389b3ba5d2c93 MD5: 7d34c334b27aa770df9ea753945cb4fb
M20-okyb1	Upatre_d6ec3e39	Windows	This strike sends a malware sample known as Upatre. Upatre is a malicious downloader often used by exploit kits and phishing campaigns. Upatre downloads and executes malicious executables, such as banking malware.	d6ec3e39ce013ea0a2ea573d90445ff8	https://blog.talosintelligence.com/2020/11/threat-roundup-1030-1106.html SHA256: 0e0fb83e04e675b809013f37d4af1ff31c36e4813c518b97dd395ec97dcbc92a SHA1: 328d3ed68a767a9ccd8b86c75bdb2aaaa642bf75 MD5: d6ec3e39ce013ea0a2ea573d90445ff8
M20-tv741	Scar_874499a9	Windows	This strike sends a polymorphic malware sample known as Scar. Scar is a worm and will download files while also trying to spread to other machines by copying itself to removable media.The binary has been packed using upx packer, with the default options.	874499a974acb34d4827b6e1a91143d6	https://attack.mitre.org/techniques/T1045/ SHA256: bd878726d91fc43ed10cfc6cffe0f69c53cb4fe20874e04d3f1fbddfe1cae301 SHA1: 736f9f668ad0a021a84152391c26cff97a7072fd PARENTID: M20-z5lw1 SSDEEP: 1536:YYBXhObiXs279wsGk/8TxC0Fo45gXeNCo/2B8:ZBREws2BwszETP5EeP MD5: 874499a974acb34d4827b6e1a91143d6
M20-0fv31	Kuluoz_7539c94b	Windows	This strike sends a malware sample known as Kuluoz. Kuluoz also called Asprox is a remote access trojan that has been known to download and execute additional malware like fake antivirus software.	7539c94b87c2f141589181e77b57d6b5	https://blog.talosintelligence.com/2020/11/threat-roundup-1106-1113.html SHA256: 14f747e7d2fd0f8336ac7aa68a3fcdb213b3ddf8960078ab72c11a67cf1a2fdd SHA1: f6ab1641f7534975a4886ab05942eb5c28bd84d7 MD5: 7539c94b87c2f141589181e77b57d6b5
M20-b81e1	Scar_4d3e4ff9	Windows	This strike sends a malware sample known as Scar. Scar is a worm and will download files while also trying to spread to other machines by copying itself to removable media.	4d3e4ff9f638ab8e9b6a23c372c107b6	https://blog.talosintelligence.com/2020/11/threat-roundup-1106-1113.html SHA256: 0720c05702858c2ef059400fe74cd0488e85dce1f60cb45d9e8ea51a84138251 SHA1: 521904746e0f238ab61c4f04448ffc31e0df9fc0 MD5: 4d3e4ff9f638ab8e9b6a23c372c107b6
M20-6r0p1	LokiBot_c6582fc0	Windows	This strike sends a malware sample known as LokiBot. Lokibot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered via spam emails.	c6582fc0d09ccf4f8bb82b06b5c40935	https://blog.talosintelligence.com/2020/11/threat-roundup-1113-1120.html SHA256: 578527d2bad084c3e95629d1bf870074cdc7c88e857256da8884f3c16272a629 SHA1: 576c25f018f2e9dbdf2dea2cd4abbc149bb2c1da MD5: c6582fc0d09ccf4f8bb82b06b5c40935
M20-9rzg1	TinyBanker_10b587c2	Windows	This strike sends a malware sample known as TinyBanker. The malware TinyBanker, also known as Zusy or Tinba, is a trojan that uses a javascript injected form to steal banking information. When executed, it injects itself into Windows processes like "explorer.exe" and "winver.exe.	10b587c21e9e11de2c9815423f035095	https://blog.talosintelligence.com/2020/11/threat-roundup-1106-1113.html SHA256: 2e024b66655bbb942837d7b0a785597c29a73387a108f8cf45bca9c9a072736e SHA1: a752159b5c632772e64ff99fb2a7e303d201f260 MD5: 10b587c21e9e11de2c9815423f035095
M20-8z9x1	Kuluoz_f3f4fb94	Windows	This strike sends a polymorphic malware sample known as Kuluoz. Kuluoz also called Asprox is a remote access trojan that has been known to download and execute additional malware like fake antivirus software.The binary has random bytes appended at the end of the file.	f3f4fb94b96c123a321d122c90b3380c	https://attack.mitre.org/techniques/T1009/ SHA256: 99f98a6d10d2456896018931914d5d1921003248d09826c8e71c8e84f355d4d3 SHA1: 288100a428665b4ef5f3fa86bd61dca2651da413 PARENTID: M20-vqam1 SSDEEP: 3072:B+3rnRRy6Z296cjNZGI5pYYdftMdzsFGY9fY:orRRyD5E7YZOCQYe MD5: f3f4fb94b96c123a321d122c90b3380c
M20-ee7r1	Scar_f740c3dd	Windows	This strike sends a malware sample known as Scar. Scar is a worm and will download files while also trying to spread to other machines by copying itself to removable media.	f740c3dd1532b687d451dcc4f63ecfd3	https://blog.talosintelligence.com/2020/11/threat-roundup-1106-1113.html SHA256: 1654a2fa288cb96cde4af7122b02945c1b50b8b9d7a5f3874b7855673c9e577d SHA1: 871bbe7026584d462031e9698d894027ce531ec9 MD5: f740c3dd1532b687d451dcc4f63ecfd3
M20-75e41	Kuluoz_d78697f6	Windows	This strike sends a malware sample known as Kuluoz. Kuluoz also called Asprox is a remote access trojan that has been known to download and execute additional malware like fake antivirus software.	d78697f62bbc18e4623fc6265668673c	https://blog.talosintelligence.com/2020/11/threat-roundup-1106-1113.html SHA256: 0d4231d10d29a8bfb15f3f2301b8aa912fded08a5d8cf5ca260c3f75037b9f6e SHA1: c1009152e6daacef139f63e7fa8e599bb7a85c08 MD5: d78697f62bbc18e4623fc6265668673c
M20-h1tm1	TinyBanker_2fc76498	Windows	This strike sends a malware sample known as TinyBanker. The malware TinyBanker, also known as Zusy or Tinba, is a trojan that uses a javascript injected form to steal banking information. When executed, it injects itself into Windows processes like "explorer.exe" and "winver.exe.	2fc764982d67accb3b0f94fb7e19ef94	https://blog.talosintelligence.com/2020/11/threat-roundup-1106-1113.html SHA256: 2a0b1b320e3a820e243d13306a5b7437da75fb2ec20bb6dcc72021ce3e38e9ae SHA1: fbc8db05146c736a367ba9e7917f2013605ddb06 MD5: 2fc764982d67accb3b0f94fb7e19ef94
M20-8b8p1	Kuluoz_a21740b0	Windows	This strike sends a malware sample known as Kuluoz. Kuluoz also called Asprox is a remote access trojan that has been known to download and execute additional malware like fake antivirus software.	a21740b03a097f9323dcf55887e372f4	https://blog.talosintelligence.com/2020/11/threat-roundup-1106-1113.html SHA256: 106f3f6972ef655e90eb6b82fe1a06e54b5b9140355578ca455b10294956e121 SHA1: c398f3878117ad2aa9eca886e73eed4e0105f961 MD5: a21740b03a097f9323dcf55887e372f4
M20-vqam1	Kuluoz_ea87a054	Windows	This strike sends a malware sample known as Kuluoz. Kuluoz also called Asprox is a remote access trojan that has been known to download and execute additional malware like fake antivirus software.	ea87a054f0f61ca41781c4a428d90070	https://blog.talosintelligence.com/2020/11/threat-roundup-1106-1113.html SHA256: 1dbf4d454d75881e59fd5b10f8c2ba3b35a6120d8a4e2b90783d0625cdabf28e SHA1: feee16c54c0a06c2ecc217453f9b52e7cd3cd4ed MD5: ea87a054f0f61ca41781c4a428d90070
M20-t66f1	Scar_01abda83	Windows	This strike sends a malware sample known as Scar. Scar is a worm and will download files while also trying to spread to other machines by copying itself to removable media.	01abda83c026ff0fe5dedd293b9c12cb	https://blog.talosintelligence.com/2020/11/threat-roundup-1106-1113.html SHA256: 134ac830b48d951a7d40e4cecc6db14e7e4ccc77d4c4191f1adddca8288b97f5 SHA1: 90e2238c51a5530990e6856749f7830d5055f623 MD5: 01abda83c026ff0fe5dedd293b9c12cb
M20-gqd01	LokiBot_c1579bc6	Windows	This strike sends a malware sample known as LokiBot. Lokibot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered via spam emails.	c1579bc69d2861973aae40e76fe10626	https://blog.talosintelligence.com/2020/11/threat-roundup-1113-1120.html SHA256: 89605a9bb702c8522e00bdf8a51a381eddda7ba3fa1bf2a195b05b2e4cd0c278 SHA1: 5ce80cf296cca8adbd1e2c5f38885ba29ee4b708 MD5: c1579bc69d2861973aae40e76fe10626
M20-0yiu1	Scar_e4f3dfb4	Windows	This strike sends a malware sample known as Scar. Scar is a worm and will download files while also trying to spread to other machines by copying itself to removable media.	e4f3dfb4b4fd91b082f8d58a6d25befc	https://blog.talosintelligence.com/2020/11/threat-roundup-1106-1113.html SHA256: 0e65e81fb294daff44d544beabf671be28b14605fc62c5f0e1fff4703af58cee SHA1: e98349e358bdf858acbeb66a89372ca1a751238f MD5: e4f3dfb4b4fd91b082f8d58a6d25befc
M20-s8401	Kuluoz_c68b0470	Windows	This strike sends a malware sample known as Kuluoz. Kuluoz also called Asprox is a remote access trojan that has been known to download and execute additional malware like fake antivirus software.	c68b0470a04ba3eb2a42ebe8bf04f9ae	https://blog.talosintelligence.com/2020/11/threat-roundup-1106-1113.html SHA256: 15c74ab7669eddbbae7c453187b161fa4c3d1511a236cc3045a243e09d7e8777 SHA1: c615ed327ca81764ffa253d813ec6be7a809d6ca MD5: c68b0470a04ba3eb2a42ebe8bf04f9ae
M20-k57r1	Zegost_582433da	Windows	This strike sends a malware sample known as Zegost. Zegost, also known as Zusy, uses man-in-the-middle attacks to steal banking information. When executed, it injects itself into legitimate Windows processes such as "explorer.exe" and "winver.exe". When the user accesses a banking website, it displays a form to trick the user into submitting personal information.	582433da271d3f4c78027bbbebba4e4c	https://blog.talosintelligence.com/2020/11/threat-roundup-1106-1113.html SHA256: 7348169666e09fb7a97643248db6c8dd42d6f05f51c27ded7d2fdf6cf5bc1c49 SHA1: 7ad90bb50f24bfe37fa1181cb172e59f2aabee7a MD5: 582433da271d3f4c78027bbbebba4e4c
M20-vh7a1	Kuluoz_f818a873	Windows	This strike sends a malware sample known as Kuluoz. Kuluoz also called Asprox is a remote access trojan that has been known to download and execute additional malware like fake antivirus software.	f818a8731476ae4471e348d2b6ecda94	https://blog.talosintelligence.com/2020/11/threat-roundup-1106-1113.html SHA256: 0b50a4bcd4dfe5a626f245156af61bfc97e6e3a5afba1363c4f4be23d3df6a92 SHA1: a698d408614126341917e1364a3f7eb2f2184fc6 MD5: f818a8731476ae4471e348d2b6ecda94
M20-vsx61	Zegost_d9d34b56	Windows	This strike sends a malware sample known as Zegost. Zegost, also known as Zusy, uses man-in-the-middle attacks to steal banking information. When executed, it injects itself into legitimate Windows processes such as "explorer.exe" and "winver.exe". When the user accesses a banking website, it displays a form to trick the user into submitting personal information.	d9d34b56a18544febb9acbca806cfad7	https://blog.talosintelligence.com/2020/11/threat-roundup-1106-1113.html SHA256: 22e173179c12d1ebb141a91d20060747e1b3688d89a9b5569a95f3c88b433ee0 SHA1: c9a601361f00d83dd2f8e2d2e5fea585a4c37ac8 MD5: d9d34b56a18544febb9acbca806cfad7
M20-ztqi1	Kuluoz_426e964b	Windows	This strike sends a malware sample known as Kuluoz. Kuluoz also called Asprox is a remote access trojan that has been known to download and execute additional malware like fake antivirus software.	426e964b0e2d38ea23e9f88093069c67	https://blog.talosintelligence.com/2020/11/threat-roundup-1106-1113.html SHA256: 1182b65de57d6ecb62c5602e7fc967f0c8c1faf287b1d1feea934e549fe9a45e SHA1: 1834526a29efe81fb4cedd2cf176e502afcfb5c0 MD5: 426e964b0e2d38ea23e9f88093069c67
M20-v3yx1	Kuluoz_678fa6d7	Windows	This strike sends a malware sample known as Kuluoz. Kuluoz also called Asprox is a remote access trojan that has been known to download and execute additional malware like fake antivirus software.	678fa6d7254b0ab4ed2f895256f03c17	https://blog.talosintelligence.com/2020/11/threat-roundup-1106-1113.html SHA256: 01e7a9362183d2f90aa7bfd9ed6e6c0654cc203185f2b531a7dfd930ff257c21 SHA1: d507870d7730158fef1fdcd3d00d7e27cf213273 MD5: 678fa6d7254b0ab4ed2f895256f03c17
M20-u0et1	Upatre_b1de5235	Windows	This strike sends a malware sample known as Upatre. Upatre is a malicious downloader often used by exploit kits and phishing campaigns. Upatre downloads and executes malicious executables, such as banking malware.	b1de5235a3e3429f25828979ddfd0be7	https://blog.talosintelligence.com/2020/11/threat-roundup-1030-1106.html SHA256: 0ae81273084ac32b25d8c604256e30fa4426711e5f9b525cb6979ded72886ec6 SHA1: c4140b466a86687d96c2d0bf9490f0250cbb51f7 MD5: b1de5235a3e3429f25828979ddfd0be7
M20-qsg01	Upatre_14b99208	Windows	This strike sends a malware sample known as Upatre. Upatre is a malicious downloader often used by exploit kits and phishing campaigns. Upatre downloads and executes malicious executables, such as banking malware.	14b99208c98f98a9ee76b5f9d3eef207	https://blog.talosintelligence.com/2020/11/threat-roundup-1030-1106.html SHA256: 11a20d7c6783209ed9f57dfa22d665144590ca8d296b40a1805c9269fbc7b82b SHA1: 0b920898267269ec85af3cb0ed261d3bbdbe0048 MD5: 14b99208c98f98a9ee76b5f9d3eef207
M20-gbx21	Scar_a3d952e7	Windows	This strike sends a malware sample known as Scar. Scar is a worm and will download files while also trying to spread to other machines by copying itself to removable media.	a3d952e7057f8a0d89f6d846f46befa9	https://blog.talosintelligence.com/2020/11/threat-roundup-1106-1113.html SHA256: 009ac8868badb96e5f1f5bbf293a3fc23c1ac221304f0ed372b660cf68f7bc16 SHA1: ecfd86518e6af9afcd36751f40455a52d54614da MD5: a3d952e7057f8a0d89f6d846f46befa9
M20-fnau1	Kuluoz_e0389d5e	Windows	This strike sends a malware sample known as Kuluoz. Kuluoz also called Asprox is a remote access trojan that has been known to download and execute additional malware like fake antivirus software.	e0389d5e1468addd772d596c39e3f58c	https://blog.talosintelligence.com/2020/11/threat-roundup-1106-1113.html SHA256: 0de03ee14c8b289d89d353aceab634dea2182b31418277371c19320748d58bdc SHA1: 796ade862774c7c0a949575adbaaf8c79932e70b MD5: e0389d5e1468addd772d596c39e3f58c
M20-z5lw1	Scar_3786118b	Windows	This strike sends a malware sample known as Scar. Scar is a worm and will download files while also trying to spread to other machines by copying itself to removable media.	3786118bba547421d900ad3c1136fabc	https://blog.talosintelligence.com/2020/11/threat-roundup-1106-1113.html SHA256: 14c43fc15fc6df997335bdf209e9d0b4676069f5ae43621c853db2a43699266b SHA1: 385a6879ed1061e0cb1ffda1f0206c584061f988 MD5: 3786118bba547421d900ad3c1136fabc
M20-junr1	Kuluoz_11c108f7	Windows	This strike sends a polymorphic malware sample known as Kuluoz. Kuluoz also called Asprox is a remote access trojan that has been known to download and execute additional malware like fake antivirus software.The binary has random strings (lorem ipsum) appended at the end of the file.	11c108f7a7e10c3b8c83b4822bc10a30	https://attack.mitre.org/techniques/T1009/ SHA256: 6683aedb03b5c307697a51746408fbf540ac2af9da83a205eee15526356f5aa8 SHA1: 4df8f34f7cdc94e32a98c1510f5a9929eee5a9c1 PARENTID: M20-vqam1 SSDEEP: 3072:B+3rnRRy6Z296cjNZGI5pYYdftMdzsFGY9fx:orRRyD5E7YZOCQYf MD5: 11c108f7a7e10c3b8c83b4822bc10a30
M20-l0ly1	Kuluoz_4590a340	Windows	This strike sends a polymorphic malware sample known as Kuluoz. Kuluoz also called Asprox is a remote access trojan that has been known to download and execute additional malware like fake antivirus software.The binary has the timestamp field updated in the PE file header.	4590a3401e47f5c6aec094babfff788a	https://attack.mitre.org/techniques/T1099/ SHA256: 2d24eda33a2fc8674c659e205f5b555eeefb8a4401bd87fac1f0a02c169556de SHA1: c980fdd11da7882cddd1339c79c6b208d6b2a294 PARENTID: M20-vqam1 SSDEEP: 3072:K+3rnRRy6Z296cjNZGI5pYYdftMdzsFGY9fY:VrRRyD5E7YZOCQYO MD5: 4590a3401e47f5c6aec094babfff788a
M20-24ip1	LokiBot_5885b5c9	Windows	This strike sends a malware sample known as LokiBot. Lokibot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered via spam emails.	5885b5c94d4e34a250d8e325a0727578	https://blog.talosintelligence.com/2020/11/threat-roundup-1113-1120.html SHA256: 5b0dae6508cd9af449f5462cdbe32c2550339d23c1e77028ab87659564be75de SHA1: e1390850661b0e7e059667979907331b94d96545 MD5: 5885b5c94d4e34a250d8e325a0727578
M20-kmgo1	Kuluoz_97765c75	Windows	This strike sends a malware sample known as Kuluoz. Kuluoz also called Asprox is a remote access trojan that has been known to download and execute additional malware like fake antivirus software.	97765c75f51e113c6acf427e006d4bb3	https://blog.talosintelligence.com/2020/11/threat-roundup-1106-1113.html SHA256: 066bd86a49dc4218d4ad2cb1547616327bbea107438a124fdb425b6ac2c51161 SHA1: 551fb832830e1f69081fcbcda58f83ba1aaad9f2 MD5: 97765c75f51e113c6acf427e006d4bb3
M20-oz9j1	Scar_35ab4641	Windows	This strike sends a malware sample known as Scar. Scar is a worm and will download files while also trying to spread to other machines by copying itself to removable media.	35ab4641aa1904672a8b211ffcc45d4e	https://blog.talosintelligence.com/2020/11/threat-roundup-1106-1113.html SHA256: 106b06727fb72673e05e26957d4e567d56e98fd0aa1fb37d2479ebd0ced9964e SHA1: 7b6bce0b90b0f1088d4a76756060373f148eb039 MD5: 35ab4641aa1904672a8b211ffcc45d4e
M20-cn3c1	Zegost_0a9281d4	Windows	This strike sends a polymorphic malware sample known as Zegost. Zegost, also known as Zusy, uses man-in-the-middle attacks to steal banking information. When executed, it injects itself into legitimate Windows processes such as "explorer.exe" and "winver.exe". When the user accesses a banking website, it displays a form to trick the user into submitting personal information.The binary has a random section name renamed according to the PE format specification.	0a9281d4c468831b6b946d43d2ebf16f	https://arxiv.org/abs/1801.08917 SHA256: bafc798dacf46b7db329da1e189992a0139b69618e317a4982bb49a152009d16 SHA1: ecb829c3444f4764451e0374309906940139c240 PARENTID: M20-a4tk1 SSDEEP: 1536:u7rQY+94cHoLdfTYfNXKFMaJ5EK5ylBsmatRrnGxBugOgVjiBarAAsG6aHMO:79nILR01XKvxrG8i MD5: 0a9281d4c468831b6b946d43d2ebf16f
M20-054j1	LokiBot_81ea5d32	Windows	This strike sends a malware sample known as LokiBot. Lokibot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered via spam emails.	81ea5d3263580f61029ac0c028f70e62	https://blog.talosintelligence.com/2020/11/threat-roundup-1113-1120.html SHA256: ea67e1e48066b1cffcc0af2693d8a38759b168d7b3334ccc9841b41403a8d2f6 SHA1: b294dffd724df2bc71034050b891543627da5cac MD5: 81ea5d3263580f61029ac0c028f70e62
M20-g40s1	Scar_d2522dc0	Windows	This strike sends a malware sample known as Scar. Scar is a worm and will download files while also trying to spread to other machines by copying itself to removable media.	d2522dc08fd312cbd1104d7fe2086656	https://blog.talosintelligence.com/2020/11/threat-roundup-1106-1113.html SHA256: 030eb42c179d1994f85727e41416ea798f485b6f3cfd1cab9d121f8c1f9621ea SHA1: e2769c9ad9d6069b904487294efabafb6902af0a MD5: d2522dc08fd312cbd1104d7fe2086656
M20-c5po1	Zegost_5f51017f	Windows	This strike sends a malware sample known as Zegost. Zegost, also known as Zusy, uses man-in-the-middle attacks to steal banking information. When executed, it injects itself into legitimate Windows processes such as "explorer.exe" and "winver.exe". When the user accesses a banking website, it displays a form to trick the user into submitting personal information.	5f51017f19491c2ac494eff70ea30279	https://blog.talosintelligence.com/2020/11/threat-roundup-1106-1113.html SHA256: abe76a08ea7127f7df5dbb8155fa4061c958628d4d07f3d90b3d92f7e20784f1 SHA1: 08473369ac82de40deb9081cfb013839b0525c24 MD5: 5f51017f19491c2ac494eff70ea30279
M20-exiq1	Kuluoz_6302a1e7	Windows	This strike sends a malware sample known as Kuluoz. Kuluoz also called Asprox is a remote access trojan that has been known to download and execute additional malware like fake antivirus software.	6302a1e74ad439abe9f38f2d28ff846d	https://blog.talosintelligence.com/2020/11/threat-roundup-1106-1113.html SHA256: 0380980aeade229e8992d75176996030e2043bf858e8740cb757389048e6039c SHA1: 44a1a25a944301765ebaaf2a8c3a6ec4ebbefc02 MD5: 6302a1e74ad439abe9f38f2d28ff846d
M20-3y561	Scar_db3b2e97	Windows	This strike sends a malware sample known as Scar. Scar is a worm and will download files while also trying to spread to other machines by copying itself to removable media.	db3b2e97fdc5cb7c4c830d937475a0e5	https://blog.talosintelligence.com/2020/11/threat-roundup-1106-1113.html SHA256: 0e2eaaaa7d7919e1d0b01df0043b435c162371ba094f25f1f6963bb931815e59 SHA1: 483001d4a916c503ed05bf29c12a94cb1103258b MD5: db3b2e97fdc5cb7c4c830d937475a0e5
M20-97321	Upatre_12b8dbba	Windows	This strike sends a malware sample known as Upatre. Upatre is a malicious downloader often used by exploit kits and phishing campaigns. Upatre downloads and executes malicious executables, such as banking malware.	12b8dbbacf6c077b871ae1c699abbf8b	https://blog.talosintelligence.com/2020/11/threat-roundup-1030-1106.html SHA256: 0c0e4dd0566ca31d20d0cf43ee47b0d5af3e68e853f89f458c7358fe40980ab7 SHA1: 33fd7156e149effed73c4a37fea700731616c286 MD5: 12b8dbbacf6c077b871ae1c699abbf8b
M20-72w81	Zegost_e12b647e	Windows	This strike sends a polymorphic malware sample known as Zegost. Zegost, also known as Zusy, uses man-in-the-middle attacks to steal banking information. When executed, it injects itself into legitimate Windows processes such as "explorer.exe" and "winver.exe". When the user accesses a banking website, it displays a form to trick the user into submitting personal information.The binary has the checksum removed in the PE file format.	e12b647e05df25b0a8d0ec89c409969e	https://arxiv.org/abs/1801.08917 SHA256: 5caa5853a7717924971b71b01ee1af1696902a3d93204120a0dd0bef4d70d78a SHA1: 645162d0c2a377fc8dbefd44b9d41b08f807272a PARENTID: M20-a4tk1 SSDEEP: 1536:W7rQY+94cHoLdfTYfNXKFMaJ5EK5ylBsmatRrnGxBugOgVjiBarAAsG6aHM:z9nILR01XKvxrG8 MD5: e12b647e05df25b0a8d0ec89c409969e
M20-n4x11	Scar_2033f6b7	Windows	This strike sends a malware sample known as Scar. Scar is a worm and will download files while also trying to spread to other machines by copying itself to removable media.	2033f6b72b573bae14191c702d12bfab	https://blog.talosintelligence.com/2020/11/threat-roundup-1106-1113.html SHA256: 0d98df2243ea1123dc16eefffcb3b496a026c741a614d2cc7aad958281c1807e SHA1: d121ae1c169e78e9daff2ceb21237b97a1d5b7fd MD5: 2033f6b72b573bae14191c702d12bfab
M20-oxjr1	Scar_a9b07c69	Windows	This strike sends a malware sample known as Scar. Scar is a worm and will download files while also trying to spread to other machines by copying itself to removable media.	a9b07c698d3a6ef0e1b6fee12cd2abfc	https://blog.talosintelligence.com/2020/11/threat-roundup-1106-1113.html SHA256: 078ed55ab87871d0694337af69acd378cbf1a27ee2eb2fcdeb9243bab60e6701 SHA1: 22e174a28ae97c012bf0077ad5cca600328b7bfc MD5: a9b07c698d3a6ef0e1b6fee12cd2abfc
M20-g5t91	Zegost_4b186588	Windows	This strike sends a malware sample known as Zegost. Zegost, also known as Zusy, uses man-in-the-middle attacks to steal banking information. When executed, it injects itself into legitimate Windows processes such as "explorer.exe" and "winver.exe". When the user accesses a banking website, it displays a form to trick the user into submitting personal information.	4b186588668a181de87fd5520bf57219	https://blog.talosintelligence.com/2020/11/threat-roundup-1106-1113.html SHA256: 9f1104af5a05b0549a7dabf55e1d935e02d9e39a407bc03a9a97441141ece571 SHA1: f5a24541305eefe7d6b7f3ca9f9593710ee1165a MD5: 4b186588668a181de87fd5520bf57219
M20-bkna1	Zegost_2609f845	Windows	This strike sends a polymorphic malware sample known as Zegost. Zegost, also known as Zusy, uses man-in-the-middle attacks to steal banking information. When executed, it injects itself into legitimate Windows processes such as "explorer.exe" and "winver.exe". When the user accesses a banking website, it displays a form to trick the user into submitting personal information.The binary has the timestamp field updated in the PE file header.	2609f845507a4ae9a9d2a32016498630	https://attack.mitre.org/techniques/T1099/ SHA256: 621513c71ffdc7ff9f154fcad76da0a3ab649e0cad5ff9b10227358b5cbbdb21 SHA1: ef2149ee0a95920e481f60077e7945ce98e4af70 PARENTID: M20-a4tk1 SSDEEP: 1536:U7rQY+94cHoLdfTYfNXKFMaJ5EK5ylBsmatRrnGxBugOgVjiBarAAsG6aHMO:V9nILR01XKvxrG8i MD5: 2609f845507a4ae9a9d2a32016498630

Malware Strikes October - 2020

Strike ID	Malware	Platform	Info	MD5	External References
M20-7cze1	Emotet_4e27e219	Mixed	This strike sends a malware sample known as Emotet. Emotet is one of the most distributed active malware families today. It is modular malware in that it can deliver various payloads. Emotet often comes from Microsoft Office document macros, that is sent with malicious emails.	4e27e2197bda5e1318eb13ea06b18205	https://blog.talosintelligence.com/2020/10/threat-roundup-1009-1016.html SHA256: c127cf0ce097e22f9f1fe0ca565c77a111745b85b0e78b21d20833055bc821d5 SHA1: cc18b6c62a6e9b279fc4bf9a456778bf054aef34 MD5: 4e27e2197bda5e1318eb13ea06b18205
M20-pb731	Nemty_5126b883	Windows	This strike sends a malware sample known as Nemty. Nemty is a Ransomware-as-a-Service. Once obtained a user is granted access to a web portal where they are able to create custom versions of the ransomware. It has been spotted being deeliverd via email spam (malspam) campaigns, botnets, exploit kits, pay-pal dummy sites, and by brute-forcing RDP endpoints.	5126b88347c24245a9b141f76552064e	https://www.mcafee.com/blogs/other-blogs/mcafee-labs/nemty-ransomware-learning-by-doing/ SHA256: d421d9b0cc9ce69fc4dea1d4bd230b666b15868e4778d227ead38b7572463253 SHA1: 9a121af9e0427a530ed12b72429fbc800d976623 MD5: 5126b88347c24245a9b141f76552064e
M20-3ytp1	Nefilim_ce3cd1da	Windows	This strike sends a malware sample known as Nefilim. Nefilim ransomware shares much of its code with the popular RaaS known as Nemty, however, Nefilim instructs victims to contact the attackers via email rather than through a payment portal. Victims are mainly infected through vulnerable RDP services. Once the system has been infected, the malware establishes persistence and begins to exfiltrate credentials where possible. It will then deliver the ransomware payloads to the intended targets.	ce3cd1dab67814f5f153bccdaf502f4c	https://labs.sentinelone.com/meet-nemty-successor-nefilim-nephilim-ransomware/ SHA256: fcc2921020690a58c60eba35df885e575669e9803212f7791d7e1956f9bf8020 SHA1: f246984193c927414e543d936d1fb643a2dff77b MD5: ce3cd1dab67814f5f153bccdaf502f4c
M20-r7xs1	Ryuk_3266352b	Windows	This strike sends a malware sample known as Ryuk. Ryuk is a highly targeted ransomware attack that has infected numerous organizations world wide. The malware performs extensive network mapping, and hacking. Because it is targeted credential collection is required and takes place in advance.	3266352bea7513ac3ead6e7d68661ad3	https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ryuk-ransomware-attack-rush-to-attribution-misses-the-point/ SHA256: 68c11bb87583954ebfaa576a49ff91344e011c2717686f152442b0036a69d218 SHA1: 2c8ea348cc80ed41737d3d2d8cb5487dcd49d040 MD5: 3266352bea7513ac3ead6e7d68661ad3
M20-2air1	REvil_b67606d3	Windows	This strike sends a malware sample known as REvil. REvil malware also known as Sodinokibi operates as a ransomware-as-a-service (RaaS), that has recently been seen targeting law firms of A-list celebrities. The attackers not only pose the threat of losing all encrypted data but of also leaking stolen client data to the public.	b67606d382f50ebf76848d023decee20	https://malware.news/t/changes-in-revil-ransomware-version-2-2/39556 SHA256: 372c8276ab7cad70ccf296722462d7b8727e8563c0bfe4344184e1bc3afc27fc SHA1: 6c72756b12b03a2a594b8bb308944396438ec979 MD5: b67606d382f50ebf76848d023decee20
M20-zudz1	Emotet_212ede8e	Mixed	This strike sends a malware sample known as Emotet. Emotet is one of the most distributed active malware families today. It is modular malware in that it can deliver various payloads. Emotet often comes from Microsoft Office document macros, that is sent with malicious emails.	212ede8ee978a5979b17d9d68a497d10	https://blog.talosintelligence.com/2020/10/threat-roundup-1009-1016.html SHA256: 939e9772cc64e88895365ccc1be8d7a6ef4b7c47b70165c35c79e2391ab50656 SHA1: 19763080a3c72c651224678eabadcdfca5d5cad1 MD5: 212ede8ee978a5979b17d9d68a497d10
M20-23qh1	CLOP_d3ace85c	Windows	This strike sends a polymorphic malware sample known as CLOP. CLOP ransomware was originally detected as a variant of the CryptoMix ransomware family. It currently targets entire networks instead of individual machines and even attempts to disable Windows Defender and other security tools. Before it begins encryption of the system, it disables target processes, which can include debuggers, text editors, IDEs, as well as a host of Windows processes like Windows 10 and Microsoft applications.The binary has random strings (lorem ipsum) appended at the end of the file.	d3ace85c17df113fa90a92a541ff0ca7	https://attack.mitre.org/techniques/T1009/ SHA256: fd34ac2360302f24752fc352e161ed54609f3942178663eb0f46ceac8d58b099 SHA1: 05d7b3e2f6646bcd3a46ee9ec718497898678a81 PARENTID: M20-eoc31 SSDEEP: 6144:JrazEX0203RegvjxnpGhu3BJMIp2CuvY63n:B+3JpGEBJMg2CuvY63 MD5: d3ace85c17df113fa90a92a541ff0ca7
M20-x0np1	Sodinokibi_fb68a023	Windows	This strike sends a malware sample known as Sodinokibi. Sodinokibi ransomware takes advantage of a Oracle WebLogic vulnerability to gain access to target system. Once inside, it attempts to elevate privileges in order to access all files and resources on the system without any restriction. It will then wipe out all files in the backup folder.	fb68a02333431394a9a0cdbff3717b24	https://www.acronis.com/en-us/articles/sodinokibi-ransomware/ SHA256: 0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d SHA1: 1399bf98a509adb07663476dee7f9fee571e09f3 MD5: fb68a02333431394a9a0cdbff3717b24
M20-f9w61	Netwalker_5f55ac3d	Windows	This strike sends a malware sample known as Netwalker. Netwalker, also known as Mailto is Ransomware that encrypts Windows files on the compromised enterprise networks with the mailto extension. It uses the network of the victim to encrypt all Windows devices.	5f55ac3dd18950583dadffc1970745c5	https://news.sophos.com/en-us/2020/05/27/netwalker-ransomware-tools-give-insight-into-threat-actor/ SHA256: 74fd9bbdd8a484640e4b0405a1da84734a0a9c2604ac1b0a39fa2e28b0c12614 SHA1: 6a13535190bdcd62af6b4930ea28664c13c6a6be MD5: 5f55ac3dd18950583dadffc1970745c5
M20-c1v31	Netwalker_608ac26e	Windows	This strike sends a malware sample known as Netwalker. Netwalker, also known as Mailto is Ransomware that encrypts Windows files on the compromised enterprise networks with the mailto extension. It uses the network of the victim to encrypt all Windows devices.	608ac26ea80c189ed8e0f62dd4fd8ada	https://news.sophos.com/en-us/2020/05/27/netwalker-ransomware-tools-give-insight-into-threat-actor/ SHA256: c21ecd18f0bbb28112240013ad42dad5c01d20927791239ada5b61e1c6f5f010 SHA1: c5b3fa421db00fe931f439af5df4f65f7f3d9a1a MD5: 608ac26ea80c189ed8e0f62dd4fd8ada
M20-zvvm1	Sekhmet_b7ad5f7e	Windows	This strike sends a malware sample known as Sekhmet. The Sekhmet ransomware was used in an attack against gas handling company SilPac in June 2020. This ransomware has been commonly spread via spam email. Once it encrypts the files on the targeted system it leaves behind a RECOVER-FILES.txt file that includes a ransom note with instructions on how to pay via TOR.	b7ad5f7ec71dc812b4771950671b192a	https://bazaar.abuse.ch/sample/fceb299326ef4298a3c30e10b31d8c64f1369b182ac256d1eeaf148c1adcea8d/ SHA256: 0a739f4ec3d096010d0cd9fc0c0631f0b080cc2aad1f720fd1883737b6a6a952 SHA1: cf02d630465eaf009db8bcc8a0dd4242a1d2dd82 MD5: b7ad5f7ec71dc812b4771950671b192a
M20-j8sq1	Tycoon_ae037348	Windows	This strike sends a malware sample known as Tycoon. Tycoon is a multi-platform Java-based ransomware which targets Windows and Linux systems.	ae03734805e3b7ec0fa52c5a4f07a725	https://cyberflorida.org/threat-advisory/tycoon-ransomware/ SHA256: 8587037c15463d10a17094ef8fa9f608cc20c99fa0206ce496b412f8c7f4a1b8 SHA1: e20a4cc7f13f517491e772ce9e5c236aad2785f0 MD5: ae03734805e3b7ec0fa52c5a4f07a725
M20-fbd41	DoppelPaymer_66c11a6c	Windows	This strike sends a polymorphic malware sample known as DoppelPaymer. DoppelPaymer ransomware is a variant of the BitPaymer ransomware. It contains source code that can be found in both Dridex and BitPaymer. It has been delivered primarily by Dridex, however, it has also been used in numerous other methods like, malspam, botnets, exploits, etc.The binary has the timestamp field updated in the PE file header.	66c11a6cbbe59f2e580da1c75acd9ae8	https://attack.mitre.org/techniques/T1099/ SHA256: 039f721ff06c6965e97417a480fca2220f45bce9c10b63e4d0e823842533a70f SHA1: 36ce6b51c925a7a5f122e07ddd7d47916576e584 PARENTID: M20-zug71 SSDEEP: 98304:J56LOFQCSMkpjLzCq37suo9LtkYzQi0YSUiBDXfN/:JsLOqCkLzDouoOS36XV/ MD5: 66c11a6cbbe59f2e580da1c75acd9ae8
M20-4wbt1	REvil_54079282	Windows	This strike sends a polymorphic malware sample known as REvil. REvil malware also known as Sodinokibi operates as a ransomware-as-a-service (RaaS), that has recently been seen targeting law firms of A-list celebrities. The attackers not only pose the threat of losing all encrypted data but of also leaking stolen client data to the public.The binary has a random section name renamed according to the PE format specification.	54079282596df0fff118c2cdf8c6cbe3	https://arxiv.org/abs/1801.08917 SHA256: 20045aa54d765b77de371fba418505f38ece546cedd974c5cd2aebdf44a7b823 SHA1: d12e89ebbb638f16711318bf4e71aa16df7eb145 PARENTID: M20-du8w1 SSDEEP: 3072:hLFrb30BRtBZZg+i2ayy2RjLTuVyu7CJDgoMT3Qt6tCIm:1J0BXScFy2RsQJ8zgQ MD5: 54079282596df0fff118c2cdf8c6cbe3
M20-p56a1	Emotet_c730e1c3	Mixed	This strike sends a malware sample known as Emotet. Emotet is one of the most distributed active malware families today. It is modular malware in that it can deliver various payloads. Emotet often comes from Microsoft Office document macros, that is sent with malicious emails.	c730e1c3cf2e54af08072778a7fd6f41	https://blog.talosintelligence.com/2020/10/threat-roundup-1009-1016.html SHA256: e218d7c8b3bd6e69065f2a2bee81c88865d2068a46c3997339a200318f7b82b4 SHA1: c868e42736238372f66d6a5bcedb636d28d15346 MD5: c730e1c3cf2e54af08072778a7fd6f41
M20-jbb31	Emotet_699bd905	Mixed	This strike sends a malware sample known as Emotet. Emotet is one of the most distributed active malware families today. It is modular malware in that it can deliver various payloads. Emotet often comes from Microsoft Office document macros, that is sent with malicious emails.	699bd9053663bbdeb39df9d6f4f2b483	https://blog.talosintelligence.com/2020/10/threat-roundup-1009-1016.html SHA256: cf9401d8bcbb01edf06c19509b572a26047b2788a41f0ffa5d52c2189fe5a125 SHA1: 24c615d82cfbd4b2a16cf03f0ce12c252b4c1eb5 MD5: 699bd9053663bbdeb39df9d6f4f2b483
M20-q7u81	Emotet_74e9ae66	Mixed	This strike sends a malware sample known as Emotet. Emotet is one of the most distributed active malware families today. It is modular malware in that it can deliver various payloads. Emotet often comes from Microsoft Office document macros, that is sent with malicious emails.	74e9ae66b4029ce403ef9a76d2dd1ec4	https://blog.talosintelligence.com/2020/10/threat-roundup-1009-1016.html SHA256: d366dfc971747d113549ee401fa6dc07dfa0f478c9b08109640f84151bd2da29 SHA1: c137dce76d338fe94c8efade25596c93c082c0e8 MD5: 74e9ae66b4029ce403ef9a76d2dd1ec4
M20-oxbt1	Nefilim_3beb3d46	Windows	This strike sends a malware sample known as Nefilim. Nefilim ransomware shares much of its code with the popular RaaS known as Nemty, however, Nefilim instructs victims to contact the attackers via email rather than through a payment portal. Victims are mainly infected through vulnerable RDP services. Once the system has been infected, the malware establishes persistence and begins to exfiltrate credentials where possible. It will then deliver the ransomware payloads to the intended targets.	3beb3d466bcc0977ec2dd66d72ab6bb3	https://labs.sentinelone.com/meet-nemty-successor-nefilim-nephilim-ransomware/ SHA256: b227fa0485e34511627a8a4a7d3f1abb6231517be62d022916273b7a51b80a17 SHA1: e94089137a41fd95c790f88cc9b57c2b4d5625ba MD5: 3beb3d466bcc0977ec2dd66d72ab6bb3
M20-n54a1	Ryuk_fca20e17	Windows	This strike sends a malware sample known as Ryuk. Ryuk is a highly targeted ransomware attack that has infected numerous organizations world wide. The malware performs extensive network mapping, and hacking. Because it is targeted credential collection is required and takes place in advance.	fca20e17ce8c0c3f3c78d82c953472ed	https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ryuk-ransomware-attack-rush-to-attribution-misses-the-point/ SHA256: 7c1e0597dd5a1e2d48c9cede54843aa7c299f7404630b5a2aafac2eec7358b20 SHA1: c8ecc9b34184e7e1c15b4ed49fb838e7882dbfc6 MD5: fca20e17ce8c0c3f3c78d82c953472ed
M20-pqk51	Maze_910aa498	Windows	This strike sends a malware sample known as Maze. Maze malware also known as ChaCha ransomware is known for not only encrypting files on the targeted system but for releasing stolen victim information to the public if the ransom is not paid. The ransomware has been delivered via several methods including exploits kits, remote desktop connections and phishing emails. This malware also utilizes many anti reversing and analysis features that make examining it much more difficult.	910aa49813ee4cc7e4fa0074db5e454a	https://labs.sentinelone.com/maze-ransomware-update-extorting-and-exposing-victims/ SHA256: 4218214f32f946a02b7a7bebe3059af3dd87bcd130c0469aeb21b58299e2ef9a SHA1: 45831987fabeb7b32c70f662be8cb24e2efef1dc MD5: 910aa49813ee4cc7e4fa0074db5e454a
M20-zqyf1	REvil_cce629db	Windows	This strike sends a malware sample known as REvil. REvil malware also known as Sodinokibi operates as a ransomware-as-a-service (RaaS), that has recently been seen targeting law firms of A-list celebrities. The attackers not only pose the threat of losing all encrypted data but of also leaking stolen client data to the public.	cce629db2606ae98ba6e931adbf1aeae	https://malware.news/t/changes-in-revil-ransomware-version-2-2/39556 SHA256: 774354fe16764fa513052ff714048858cb315691599a08d13ba56be1c796a16d SHA1: 2649ce761c00f4505758e20580e8bdf3e8d559d1 MD5: cce629db2606ae98ba6e931adbf1aeae
M20-iupe1	Netwalker_f957f19c	Windows	This strike sends a malware sample known as Netwalker. Netwalker, also known as Mailto is Ransomware that encrypts Windows files on the compromised enterprise networks with the mailto extension. It uses the network of the victim to encrypt all Windows devices.	f957f19cd9d71abe3cb980ebe7f75d72	https://news.sophos.com/en-us/2020/05/27/netwalker-ransomware-tools-give-insight-into-threat-actor/ SHA256: b2d68a79a621c3f9e46f9df52ed19b8fec22c3cf5f4e3d8630a2bc68fd43d2ee SHA1: 96432d979fdec055e4f40845a27cf4a9c0a0a34b MD5: f957f19cd9d71abe3cb980ebe7f75d72
M20-jn451	Maze_c043c153	Windows	This strike sends a malware sample known as Maze. Maze malware also known as ChaCha ransomware is known for not only encrypting files on the targeted system but for releasing stolen victim information to the public if the ransom is not paid. The ransomware has been delivered via several methods including exploits kits, remote desktop connections and phishing emails. This malware also utilizes many anti reversing and analysis features that make examining it much more difficult.	c043c153237b334df2f2934f7640e802	https://labs.sentinelone.com/maze-ransomware-update-extorting-and-exposing-victims/ SHA256: fb5de69b222d81fea2f4b08fd5af612faf24b9e75698ac331af066fbc360a30a SHA1: d5ef91b849122109615007329ec6548830f13bfc MD5: c043c153237b334df2f2934f7640e802
M20-b7qt1	Nefilim_ddc50d4a	Windows	This strike sends a malware sample known as Nefilim. Nefilim ransomware shares much of its code with the popular RaaS known as Nemty, however, Nefilim instructs victims to contact the attackers via email rather than through a payment portal. Victims are mainly infected through vulnerable RDP services. Once the system has been infected, the malware establishes persistence and begins to exfiltrate credentials where possible. It will then deliver the ransomware payloads to the intended targets.	ddc50d4ae0674d854a845b3eb32508c3	https://labs.sentinelone.com/meet-nemty-successor-nefilim-nephilim-ransomware/ SHA256: 8be1c54a1a4d07c84b7454e789a26f04a30ca09933b41475423167e232abea2b SHA1: c61f2cdb0faf31120e33e023b7b923b01bc97fbf MD5: ddc50d4ae0674d854a845b3eb32508c3
M20-9e4q1	Nefilim_dc88265c	Windows	This strike sends a malware sample known as Nefilim. Nefilim ransomware shares much of its code with the popular RaaS known as Nemty, however, Nefilim instructs victims to contact the attackers via email rather than through a payment portal. Victims are mainly infected through vulnerable RDP services. Once the system has been infected, the malware establishes persistence and begins to exfiltrate credentials where possible. It will then deliver the ransomware payloads to the intended targets.	dc88265c361d73540a31c19583271fb0	https://labs.sentinelone.com/meet-nemty-successor-nefilim-nephilim-ransomware/ SHA256: 3bac058dbea51f52ce154fed0325fd835f35c1cd521462ce048b41c9b099e1e5 SHA1: e99460b4e8759909d3bd4e385d7e3f9b67aa1242 MD5: dc88265c361d73540a31c19583271fb0
M20-kubx1	Sodinokibi_177a571d	Windows	This strike sends a malware sample known as Sodinokibi. Sodinokibi ransomware takes advantage of a Oracle WebLogic vulnerability to gain access to target system. Once inside, it attempts to elevate privileges in order to access all files and resources on the system without any restriction. It will then wipe out all files in the backup folder.	177a571d7c6a6e4592c60a78b574fe0e	https://www.acronis.com/en-us/articles/sodinokibi-ransomware/ SHA256: f0a16b0224a24647e9e8cf2f6f4479d93c8fb540a7ca656023a41f399e6c69c2 SHA1: 7f1b49c2946a9a036cf60e25e1a8452f6237a57d MD5: 177a571d7c6a6e4592c60a78b574fe0e
M20-jzr31	Netwalker_bc758596	Windows	This strike sends a malware sample known as Netwalker. Netwalker, also known as Mailto is Ransomware that encrypts Windows files on the compromised enterprise networks with the mailto extension. It uses the network of the victim to encrypt all Windows devices.	bc75859695f6c2c5ceda7e3be68e5d5a	https://news.sophos.com/en-us/2020/05/27/netwalker-ransomware-tools-give-insight-into-threat-actor/ SHA256: a9a147313861a5a4e7abd76b3287ce5f6183966b89c5ca95c0e0cf587f40189d SHA1: 5be2fb7adcfefd741e6b98b4beeadf9e24ea7423 MD5: bc75859695f6c2c5ceda7e3be68e5d5a
M20-d5741	Nemty_f2708056	Windows	This strike sends a malware sample known as Nemty. Nemty is a Ransomware-as-a-Service. Once obtained a user is granted access to a web portal where they are able to create custom versions of the ransomware. It has been spotted being deeliverd via email spam (malspam) campaigns, botnets, exploit kits, pay-pal dummy sites, and by brute-forcing RDP endpoints.	f270805668e8aecf13d27c09055bad5d	https://www.mcafee.com/blogs/other-blogs/mcafee-labs/nemty-ransomware-learning-by-doing/ SHA256: 572b2dad5fca5f1dab7c18afa986fe7ef639e7892776593fc7636ff03ff783bc SHA1: f0078a38d56384f9dbced7c0a9837cdb22c4daf0 MD5: f270805668e8aecf13d27c09055bad5d
M20-ocu81	CLOP_9ec70a82	Windows	This strike sends a polymorphic malware sample known as CLOP. CLOP ransomware was originally detected as a variant of the CryptoMix ransomware family. It currently targets entire networks instead of individual machines and even attempts to disable Windows Defender and other security tools. Before it begins encryption of the system, it disables target processes, which can include debuggers, text editors, IDEs, as well as a host of Windows processes like Windows 10 and Microsoft applications.The binary has been packed using upx packer, with the default options.	9ec70a82f8b4797c4ad4fe646cfb6e10	https://attack.mitre.org/techniques/T1045/ SHA256: ada51ae85a78dc3641bbe52505e3eaf670353477abbb77fb5c781713545b5f58 SHA1: 1a18c783bdcf3af6c52a9daaa712c56ee5816832 PARENTID: M20-eoc31 SSDEEP: 3072:m7QoN+AOSJUT5I/QN7lg3w0EIpRomDOhRJ+ZHNN9cY2ritPOFjy54:kQokAaT5gCg30SRBD07KH39cAPqx MD5: 9ec70a82f8b4797c4ad4fe646cfb6e10
M20-iort1	Nefilim_5ff20e2b	Windows	This strike sends a malware sample known as Nefilim. Nefilim ransomware shares much of its code with the popular RaaS known as Nemty, however, Nefilim instructs victims to contact the attackers via email rather than through a payment portal. Victims are mainly infected through vulnerable RDP services. Once the system has been infected, the malware establishes persistence and begins to exfiltrate credentials where possible. It will then deliver the ransomware payloads to the intended targets.	5ff20e2b723edb2d0fb27df4fc2c4468	https://labs.sentinelone.com/meet-nemty-successor-nefilim-nephilim-ransomware/ SHA256: 08c7dfde13ade4b13350ae290616d7c2f4a87cbeac9a3886e90a175ee40fb641 SHA1: e53d4b589f5c5ef6afd23299550f70c69bc2fe1c MD5: 5ff20e2b723edb2d0fb27df4fc2c4468
M20-6ei91	Nefilim_26c35850	Windows	This strike sends a malware sample known as Nefilim. Nefilim ransomware shares much of its code with the popular RaaS known as Nemty, however, Nefilim instructs victims to contact the attackers via email rather than through a payment portal. Victims are mainly infected through vulnerable RDP services. Once the system has been infected, the malware establishes persistence and begins to exfiltrate credentials where possible. It will then deliver the ransomware payloads to the intended targets.	26c35850483c877ee23f476b38d58deb	https://labs.sentinelone.com/meet-nemty-successor-nefilim-nephilim-ransomware/ SHA256: 7a73032ece59af3316c4a64490344ee111e4cb06aaf00b4a96c10adfdd655599 SHA1: 0d339d08a546591aab246f3cf799f3e2aaee3889 MD5: 26c35850483c877ee23f476b38d58deb
M20-dzq81	DoppelPaymer_4601ec39	Windows	This strike sends a polymorphic malware sample known as DoppelPaymer. DoppelPaymer ransomware is a variant of the BitPaymer ransomware. It contains source code that can be found in both Dridex and BitPaymer. It has been delivered primarily by Dridex, however, it has also been used in numerous other methods like, malspam, botnets, exploits, etc.The binary has random bytes appended at the end of the file.	4601ec39e2934ba61651decf6d06de64	https://attack.mitre.org/techniques/T1009/ SHA256: e9be48e03f80f6ef0bc5cbe36cbd4bcba30fb6d2b3a1a95e4f0e856816ef8cd4 SHA1: 86c6242cbdb9b45dd9028639c1bcf9dc07d664d0 PARENTID: M20-zug71 SSDEEP: 98304:556LOFQCSMkpjLzCq37suo9LtkYzQi0YSUiBDXfNt:5sLOqCkLzDouoOS36XVt MD5: 4601ec39e2934ba61651decf6d06de64
M20-jdde1	Nefilim_8f90539c	Windows	This strike sends a malware sample known as Nefilim. Nefilim ransomware shares much of its code with the popular RaaS known as Nemty, however, Nefilim instructs victims to contact the attackers via email rather than through a payment portal. Victims are mainly infected through vulnerable RDP services. Once the system has been infected, the malware establishes persistence and begins to exfiltrate credentials where possible. It will then deliver the ransomware payloads to the intended targets.	8f90539c405672016c0dec7ac3574eea	https://labs.sentinelone.com/meet-nemty-successor-nefilim-nephilim-ransomware/ SHA256: d4492a9eb36f87a9b3156b59052ebaf10e264d5d1ce4c015a6b0d205614e58e3 SHA1: bd59d7c734ca2f9cbaf7f12bc851f7dce94955d4 MD5: 8f90539c405672016c0dec7ac3574eea
M20-xv3b1	Nefilim_7354e71d	Windows	This strike sends a malware sample known as Nefilim. Nefilim ransomware shares much of its code with the popular RaaS known as Nemty, however, Nefilim instructs victims to contact the attackers via email rather than through a payment portal. Victims are mainly infected through vulnerable RDP services. Once the system has been infected, the malware establishes persistence and begins to exfiltrate credentials where possible. It will then deliver the ransomware payloads to the intended targets.	7354e71d9c28e0c150cea3377e5f70d9	https://labs.sentinelone.com/meet-nemty-successor-nefilim-nephilim-ransomware/ SHA256: 3080b45bab3f804a297ec6d8f407ae762782fa092164f8ed4e106b1ee7e24953 SHA1: 9770fb41be1af0e8c9e1a69b8f92f2a3a5ca9b1a MD5: 7354e71d9c28e0c150cea3377e5f70d9
M20-1jg41	Ryuk_5f7dd374	Windows	This strike sends a malware sample known as Ryuk. Ryuk is a highly targeted ransomware attack that has infected numerous organizations world wide. The malware performs extensive network mapping, and hacking. Because it is targeted credential collection is required and takes place in advance.	5f7dd3740a3a4ea74e2ee234f6de26aa	https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ryuk-ransomware-attack-rush-to-attribution-misses-the-point/ SHA256: 235ab3857ba2d2cd09311d6cc7bf1139863022579ea98be2b503921104ee20ac SHA1: d9f8eb52ce514d3dbf8f8e6a1ecb29c1dc46ea12 MD5: 5f7dd3740a3a4ea74e2ee234f6de26aa
M20-93le1	CLOP_f2114603	Windows	This strike sends a malware sample known as CLOP. CLOP ransomware was originally detected as a variant of the CryptoMix ransomware family. It currently targets entire networks instead of individual machines and even attempts to disable Windows Defender and other security tools. Before it begins encryption of the system, it disables target processes, which can include debuggers, text editors, IDEs, as well as a host of Windows processes like Windows 10 and Microsoft applications.	f21146030cbe2ebe5a8e3fd67df8e8f3	https://www.trendmicro.com/vinfo/ae/security/news/cybercrime-and-digital-threats/ransomware-recap-clop-deathransom-and-maze-ransomware SHA256: 2ceeedd2f389c6118b4e0a02a535ebb142d81d35f38cab9a3099b915b5c274cb SHA1: c777107d839938da8c41beacc78802a0e05e8b74 MD5: f21146030cbe2ebe5a8e3fd67df8e8f3
M20-zug71	DoppelPaymer_8c54bbe3	Windows	This strike sends a malware sample known as DoppelPaymer. DoppelPaymer ransomware is a variant of the BitPaymer ransomware. It contains source code that can be found in both Dridex and BitPaymer. It has been delivered primarily by Dridex, however, it has also been used in numerous other methods like, malspam, botnets, exploits, etc.	8c54bbe3f191a8627bfeeb4cb02634a9	https://www.sentinelone.com/blog/yara-hunting-for-code-reuse-doppelpaymer-ransomware-dridex-families/ SHA256: f658ddcf8e87de957a81bb92d44ce02913b427e8bccbe663669ee2613d355555 SHA1: 2fc2ecbed153344557386e80a2fbd097bf795559 MD5: 8c54bbe3f191a8627bfeeb4cb02634a9
M20-3cxk1	Nefilim_0790a7e0	Windows	This strike sends a malware sample known as Nefilim. Nefilim ransomware shares much of its code with the popular RaaS known as Nemty, however, Nefilim instructs victims to contact the attackers via email rather than through a payment portal. Victims are mainly infected through vulnerable RDP services. Once the system has been infected, the malware establishes persistence and begins to exfiltrate credentials where possible. It will then deliver the ransomware payloads to the intended targets.	0790a7e0a842e1de70de194054fa11b3	https://labs.sentinelone.com/meet-nemty-successor-nefilim-nephilim-ransomware/ SHA256: 7de8ca88e240fb905fc2e8fd5db6c5af82d8e21556f0ae36d055f623128c3377 SHA1: 4595cdd47b63a4ae256ed22590311f388bc7a2d8 MD5: 0790a7e0a842e1de70de194054fa11b3
M20-pe1b1	Netwalker_93f91bfc	Mixed	This strike sends a malware sample known as Netwalker. Netwalker, also known as Mailto is Ransomware that encrypts Windows files on the compromised enterprise networks with the mailto extension. It uses the network of the victim to encrypt all Windows devices.	93f91bfcc1bf0c858fc7f3bd4536eba6	https://news.sophos.com/en-us/2020/05/27/netwalker-ransomware-tools-give-insight-into-threat-actor/ SHA256: 59ba11aa5b9a4d2ef80d260b9e51f605d556781b8ce682443ad1e547898eb0a6 SHA1: 2ddf48174221371ad4f5d339353a3f998044d95d MD5: 93f91bfcc1bf0c858fc7f3bd4536eba6
M20-hrde1	Netwalker_0537d845	Windows	This strike sends a malware sample known as Netwalker. Netwalker, also known as Mailto is Ransomware that encrypts Windows files on the compromised enterprise networks with the mailto extension. It uses the network of the victim to encrypt all Windows devices.	0537d845ba099c6f2b708124eda13f1c	https://news.sophos.com/en-us/2020/05/27/netwalker-ransomware-tools-give-insight-into-threat-actor/ SHA256: 12717add64ecf32d7bcb6b2662becbff6b516cf8073f399dc5e4d3615d452e89 SHA1: 3fb77d821ea7ec2b30fd3944c3d9361093a58cd6 MD5: 0537d845ba099c6f2b708124eda13f1c
M20-yqkh1	Tycoon_80675f08	Windows	This strike sends a malware sample known as Tycoon. Tycoon is a multi-platform Java-based ransomware which targets Windows and Linux systems.	80675f08a4dad40a316865619f6adaaa	https://cyberflorida.org/threat-advisory/tycoon-ransomware/ SHA256: ac0882d87027ac22fc79cfe2d55d9a9d097d0f8eb425cf182de1b872080930ec SHA1: 3d845a707f2825746637922d7dd10fab18558209 MD5: 80675f08a4dad40a316865619f6adaaa
M20-h4tt1	Nefilim_80cfda61	Windows	This strike sends a malware sample known as Nefilim. Nefilim ransomware shares much of its code with the popular RaaS known as Nemty, however, Nefilim instructs victims to contact the attackers via email rather than through a payment portal. Victims are mainly infected through vulnerable RDP services. Once the system has been infected, the malware establishes persistence and begins to exfiltrate credentials where possible. It will then deliver the ransomware payloads to the intended targets.	80cfda61942eb4e71f286297a1158f48	https://labs.sentinelone.com/meet-nemty-successor-nefilim-nephilim-ransomware/ SHA256: 52e25bdd600695cfed0d4ee3aca4f121bfebf0de889593e6ba06282845cf39ea SHA1: 6c9ae388fa5d723a458de0d2bea3eb63bc921af7 MD5: 80cfda61942eb4e71f286297a1158f48
M20-t9wu1	Tycoon_51a7822f	Windows	This strike sends a malware sample known as Tycoon. Tycoon is a multi-platform Java-based ransomware which targets Windows and Linux systems.	51a7822f388162ce1c66dd90da207545	https://cyberflorida.org/threat-advisory/tycoon-ransomware/ SHA256: bd3fdf1b50911d537a97cb93db13f2b4026f109ed23a393f262621faed81dae1 SHA1: 03023d7e3a54d915cca82429dfeedb1bebd5c182 MD5: 51a7822f388162ce1c66dd90da207545
M20-ozkg1	Tycoon_9c7befb1	Windows	This strike sends a malware sample known as Tycoon. Tycoon is a multi-platform Java-based ransomware which targets Windows and Linux systems.	9c7befb18ccbd63100a497fe7c1acc69	https://cyberflorida.org/threat-advisory/tycoon-ransomware/ SHA256: 853fa18adc3f9263a0f98a9a257dd70d7e1aee0545ab47a114f44506482bd188 SHA1: 8e7a5500007c1552e1231bd1157433f7ef638672 MD5: 9c7befb18ccbd63100a497fe7c1acc69
M20-11ox1	Netwalker_59b00f60	Windows	This strike sends a malware sample known as Netwalker. Netwalker, also known as Mailto is Ransomware that encrypts Windows files on the compromised enterprise networks with the mailto extension. It uses the network of the victim to encrypt all Windows devices.	59b00f607a7550af9a2332c730892845	https://news.sophos.com/en-us/2020/05/27/netwalker-ransomware-tools-give-insight-into-threat-actor/ SHA256: 26dfa8512e892dc8397c4ccbbe10efbcf85029bc2ad7b6b6fe17d26f946a01bb SHA1: 794589026bdc8b01cad097ffcd50be37a87e7c29 MD5: 59b00f607a7550af9a2332c730892845
M20-c0k61	Nemty_0b33471b	Windows	This strike sends a malware sample known as Nemty. Nemty is a Ransomware-as-a-Service. Once obtained a user is granted access to a web portal where they are able to create custom versions of the ransomware. It has been spotted being deeliverd via email spam (malspam) campaigns, botnets, exploit kits, pay-pal dummy sites, and by brute-forcing RDP endpoints.	0b33471bbd9fbbf08983eff34ee4ddc9	https://www.mcafee.com/blogs/other-blogs/mcafee-labs/nemty-ransomware-learning-by-doing/ SHA256: f3e0b5808c1394c884b4b2c7fa0c0955f7b544959a46b8839b76c8d8e2735413 SHA1: 42256ea23ee775e71702cc901c3632ef2fd53a02 MD5: 0b33471bbd9fbbf08983eff34ee4ddc9
M20-9vw62	Nemty_4ca39c0a	Windows	This strike sends a malware sample known as Nemty. Nemty is a Ransomware-as-a-Service. Once obtained a user is granted access to a web portal where they are able to create custom versions of the ransomware. It has been spotted being deeliverd via email spam (malspam) campaigns, botnets, exploit kits, pay-pal dummy sites, and by brute-forcing RDP endpoints.	4ca39c0aeb0daeb1be36173fa7c2a25e	https://www.mcafee.com/blogs/other-blogs/mcafee-labs/nemty-ransomware-learning-by-doing/ SHA256: cc496cec38bbc72bae3cb64416baca38b3706443c4f360bd4ba8300d64b210d2 SHA1: afa8bc5c0a014e6202a8dd39f3f288bc927dacd0 MD5: 4ca39c0aeb0daeb1be36173fa7c2a25e
M20-5ca61	Sodinokibi_858c29ef	Windows	This strike sends a polymorphic malware sample known as Sodinokibi. Sodinokibi ransomware takes advantage of a Oracle WebLogic vulnerability to gain access to target system. Once inside, it attempts to elevate privileges in order to access all files and resources on the system without any restriction. It will then wipe out all files in the backup folder.The binary has the timestamp field updated in the PE file header.	858c29efee084e86616b21fdc4d2a3de	https://attack.mitre.org/techniques/T1099/ SHA256: e125ef182c6de161f75933a552c39677d842d854c317da92518191054fd83f37 SHA1: d642f7ecda3fa135761d68eb20f44d66eba798fa PARENTID: M20-u2sg1 SSDEEP: 3072:Or85CuLbi4eTMlwDCnuZ3puJ1ni8Iy8EytZ:O9ebnWJZ3P8IUyT MD5: 858c29efee084e86616b21fdc4d2a3de
M20-otig1	REvil_b26fbb99	Windows	This strike sends a polymorphic malware sample known as REvil. REvil malware also known as Sodinokibi operates as a ransomware-as-a-service (RaaS), that has recently been seen targeting law firms of A-list celebrities. The attackers not only pose the threat of losing all encrypted data but of also leaking stolen client data to the public.The binary has random bytes appended at the end of the file.	b26fbb999449caad351b18364a17bd6e	https://attack.mitre.org/techniques/T1009/ SHA256: 6d9349a99d80e9003d3a01e0ad19c5f175e18b2dee7ef533b630772548f6c727 SHA1: 323135aa6987945df756cb9636ad72938d5a064f PARENTID: M20-du8w1 SSDEEP: 3072:1LFrb30BRtBZZg+i2ayy2RjLTuVyu7CJDgoMT3Qt6tCImk:ZJ0BXScFy2RsQJ8zgQP MD5: b26fbb999449caad351b18364a17bd6e
M20-ghdx1	Netwalker_239163e6	Windows	This strike sends a malware sample known as Netwalker. Netwalker, also known as Mailto is Ransomware that encrypts Windows files on the compromised enterprise networks with the mailto extension. It uses the network of the victim to encrypt all Windows devices.	239163e6019670e326087aa59adb5007	https://news.sophos.com/en-us/2020/05/27/netwalker-ransomware-tools-give-insight-into-threat-actor/ SHA256: 92e4d38e17e4dc32519df7324013477908c9cb725ea29aea6e4fd8c27eb7087d SHA1: c26d5fbe02f8b0e6a40672b12e69ee78343e9a41 MD5: 239163e6019670e326087aa59adb5007
M20-0hr01	Maze_fba4cbb7	Windows	This strike sends a malware sample known as Maze. Maze malware also known as ChaCha ransomware is known for not only encrypting files on the targeted system but for releasing stolen victim information to the public if the ransom is not paid. The ransomware has been delivered via several methods including exploits kits, remote desktop connections and phishing emails. This malware also utilizes many anti reversing and analysis features that make examining it much more difficult.	fba4cbb7167176990d5a8d24e9505f71	https://labs.sentinelone.com/maze-ransomware-update-extorting-and-exposing-victims/ SHA256: 5c9b7224ffd2029b6ce7b82ea40d63b9d4e4f502169bc91de88b4ea577f52353 SHA1: aa6cd2698d4f9a7fa99f5807f4b6695a0bfd0124 MD5: fba4cbb7167176990d5a8d24e9505f71
M20-a7bi1	Netwalker_cc113e42	Windows	This strike sends a malware sample known as Netwalker. Netwalker, also known as Mailto is Ransomware that encrypts Windows files on the compromised enterprise networks with the mailto extension. It uses the network of the victim to encrypt all Windows devices.	cc113e42c52c6e4e7beca74829b89a68	https://news.sophos.com/en-us/2020/05/27/netwalker-ransomware-tools-give-insight-into-threat-actor/ SHA256: eb1470786fda58fc8291e099c7fcd5d36a04de85d1f6fe8683c1950b7119314e SHA1: 5b165601b8d0b13a8833c31cb36644aea8121f74 MD5: cc113e42c52c6e4e7beca74829b89a68
M20-kkmm1	Sodinokibi_e713658b	Windows	This strike sends a malware sample known as Sodinokibi. Sodinokibi ransomware takes advantage of a Oracle WebLogic vulnerability to gain access to target system. Once inside, it attempts to elevate privileges in order to access all files and resources on the system without any restriction. It will then wipe out all files in the backup folder.	e713658b666ff04c9863ebecb458f174	https://www.acronis.com/en-us/articles/sodinokibi-ransomware/ SHA256: e5d23a3bb61b99e227bb8cbfc0e7f1e40fea34aac4dcb80acc925cfd7e3d18ec SHA1: 8b1d4ae7cbc6c0fa0705122b9556745670863214 MD5: e713658b666ff04c9863ebecb458f174
M20-mc031	DoppelPaymer_81f50e95	Windows	This strike sends a malware sample known as DoppelPaymer. DoppelPaymer ransomware is a variant of the BitPaymer ransomware. It contains source code that can be found in both Dridex and BitPaymer. It has been delivered primarily by Dridex, however, it has also been used in numerous other methods like, malspam, botnets, exploits, etc.	81f50e95bfbbe7d86229ac9592febf2f	https://www.sentinelone.com/blog/yara-hunting-for-code-reuse-doppelpaymer-ransomware-dridex-families/ SHA256: 46254a390027a1708f6951f8af3da13d033dee9a71a4ee75f257087218676dd5 SHA1: 3b24602e453950a1391124f348bc897593ddfab9 MD5: 81f50e95bfbbe7d86229ac9592febf2f
M20-b1vh1	Ryuk_3925ae7d	Windows	This strike sends a malware sample known as Ryuk. Ryuk is a highly targeted ransomware attack that has infected numerous organizations world wide. The malware performs extensive network mapping, and hacking. Because it is targeted credential collection is required and takes place in advance.	3925ae7df3328773be923f74d70555e3	https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ryuk-ransomware-attack-rush-to-attribution-misses-the-point/ SHA256: 884efd1521e2fff9a05e7428239b3d9b92442ecef1248dd2bb295b253016dfb5 SHA1: 948af4614e8ff150fbe0bc38f40806b457acaf3a MD5: 3925ae7df3328773be923f74d70555e3
M20-d9ti1	DoppelPaymer_69061465	Windows	This strike sends a malware sample known as DoppelPaymer. DoppelPaymer ransomware is a variant of the BitPaymer ransomware. It contains source code that can be found in both Dridex and BitPaymer. It has been delivered primarily by Dridex, however, it has also been used in numerous other methods like, malspam, botnets, exploits, etc.	69061465ae5067710402c832412e2dae	https://www.sentinelone.com/blog/yara-hunting-for-code-reuse-doppelpaymer-ransomware-dridex-families/ SHA256: b9a8710e55bb2d55bbeed9cebb83ac2f18f78818f0c05f18c96f766c8c47e2d9 SHA1: 963f6c4e2f7c202fd1676eee27c160de2ad2f774 MD5: 69061465ae5067710402c832412e2dae
M20-nx2s1	CLOP_508a671c	Windows	This strike sends a polymorphic malware sample known as CLOP. CLOP ransomware was originally detected as a variant of the CryptoMix ransomware family. It currently targets entire networks instead of individual machines and even attempts to disable Windows Defender and other security tools. Before it begins encryption of the system, it disables target processes, which can include debuggers, text editors, IDEs, as well as a host of Windows processes like Windows 10 and Microsoft applications.The binary has the checksum removed in the PE file format.	508a671cf24f381582459ccda863d520	https://arxiv.org/abs/1801.08917 SHA256: f1884560d6384a695360251b63b465d12d52095e71bc1a073a1d32243bdd537a SHA1: 5324545e7713fbb38ea01f825a14626c30b9f428 PARENTID: M20-eoc31 SSDEEP: 6144:rrazEX0203RegvjxnpGhu3BJMIp2CuvY63:/+3JpGEBJMg2CuvY6 MD5: 508a671cf24f381582459ccda863d520
M20-g3yi1	Netwalker_dabbc5e5	Mixed	This strike sends a malware sample known as Netwalker. Netwalker, also known as Mailto is Ransomware that encrypts Windows files on the compromised enterprise networks with the mailto extension. It uses the network of the victim to encrypt all Windows devices.	dabbc5e50b9275cb2996c50fd81e64b4	https://news.sophos.com/en-us/2020/05/27/netwalker-ransomware-tools-give-insight-into-threat-actor/ SHA256: e1a8a38dda16a7815bd20a96f46bd978ac41f2acf927993ad965abb258123d8c SHA1: 79e6d0dbdfb89350fcf924c6554a5b7c79d4d66d MD5: dabbc5e50b9275cb2996c50fd81e64b4
M20-oroy1	Nemty_37aaba6b	Windows	This strike sends a malware sample known as Nemty. Nemty is a Ransomware-as-a-Service. Once obtained a user is granted access to a web portal where they are able to create custom versions of the ransomware. It has been spotted being deeliverd via email spam (malspam) campaigns, botnets, exploit kits, pay-pal dummy sites, and by brute-forcing RDP endpoints.	37aaba6b18c9c1b8150dae4f1d31e97d	https://www.mcafee.com/blogs/other-blogs/mcafee-labs/nemty-ransomware-learning-by-doing/ SHA256: 505c0ca5ad0552cce9e047c27120c681ddce127d13afa8a8ad96761b2487191b SHA1: 02637179c597eaa821ff190ef89ba9eb013a6ea2 MD5: 37aaba6b18c9c1b8150dae4f1d31e97d
M20-nyqm1	Tycoon_f28c603b	Windows	This strike sends a malware sample known as Tycoon. Tycoon is a multi-platform Java-based ransomware which targets Windows and Linux systems.	f28c603bbe75516372159bb79ef3eb63	https://cyberflorida.org/threat-advisory/tycoon-ransomware/ SHA256: 868cb8251a245c416cd92fcbd3e30aa7b7ca7c271760fa120d2435fd3bf2fde9 SHA1: a2c17f04ce259125bc43c8d6227ef594df51f18a MD5: f28c603bbe75516372159bb79ef3eb63
M20-4eyf1	Netwalker_5ce75526	Windows	This strike sends a malware sample known as Netwalker. Netwalker, also known as Mailto is Ransomware that encrypts Windows files on the compromised enterprise networks with the mailto extension. It uses the network of the victim to encrypt all Windows devices.	5ce75526a25c81d0178d8092251013f0	https://news.sophos.com/en-us/2020/05/27/netwalker-ransomware-tools-give-insight-into-threat-actor/ SHA256: 4df67a9e8abab33856a586cea38b0d365fbbe0d91ee848f270c65f0125d2d677 SHA1: 1e1b1c4ae648786fe429c9ddd2182e0d58bcf423 MD5: 5ce75526a25c81d0178d8092251013f0
M20-yq7k1	Nemty_0e0b7b23	Windows	This strike sends a malware sample known as Nemty. Nemty is a Ransomware-as-a-Service. Once obtained a user is granted access to a web portal where they are able to create custom versions of the ransomware. It has been spotted being deeliverd via email spam (malspam) campaigns, botnets, exploit kits, pay-pal dummy sites, and by brute-forcing RDP endpoints.	0e0b7b238a06a2a37a4de06a5ab5e615	https://www.mcafee.com/blogs/other-blogs/mcafee-labs/nemty-ransomware-learning-by-doing/ SHA256: 267a9dcf77c33a1af362e2080aaacc01a7ca075658beb002ab41e0712ffe066e SHA1: 703f5f6a5130868a7c3ec06b40b9f37656c86d24 MD5: 0e0b7b238a06a2a37a4de06a5ab5e615
M20-gc8v1	Netwalker_3cfd36a7	Mixed	This strike sends a malware sample known as Netwalker. Netwalker, also known as Mailto is Ransomware that encrypts Windows files on the compromised enterprise networks with the mailto extension. It uses the network of the victim to encrypt all Windows devices.	3cfd36a72db703e25aecd51eb74f0feb	https://news.sophos.com/en-us/2020/05/27/netwalker-ransomware-tools-give-insight-into-threat-actor/ SHA256: 5daf828fd452f5325c28bc145a86d3d943cd86bb13ffe35c440ebf3cd2a45522 SHA1: 807d30f37bf2e052a253f64d102a7ab21933567b MD5: 3cfd36a72db703e25aecd51eb74f0feb
M20-30im1	Netwalker_645c720f	Windows	This strike sends a malware sample known as Netwalker. Netwalker, also known as Mailto is Ransomware that encrypts Windows files on the compromised enterprise networks with the mailto extension. It uses the network of the victim to encrypt all Windows devices.	645c720ff0eb7d946ec3b4a6f609b7bc	https://news.sophos.com/en-us/2020/05/27/netwalker-ransomware-tools-give-insight-into-threat-actor/ SHA256: 29aef790399029029e0443455d72a8b928854a0706f2e211ae7a03bba0e3d4f4 SHA1: 16094d75f4bb593b196210e5d082a7abcdce1d8c MD5: 645c720ff0eb7d946ec3b4a6f609b7bc
M20-37651	Tycoon_b58476f6	Windows	This strike sends a malware sample known as Tycoon. Tycoon is a multi-platform Java-based ransomware which targets Windows and Linux systems.	b58476f659782f770854726847601fda	https://cyberflorida.org/threat-advisory/tycoon-ransomware/ SHA256: 44b5d24e5e8fd8e8ee7141f970f76a13c89dd26c44b336dc9d6b61fda3abf335 SHA1: 77676865f875eff23699189f57c37c76b92ba2b9 MD5: b58476f659782f770854726847601fda
M20-86kc1	REvil_3777f3e0	Windows	This strike sends a malware sample known as REvil. REvil malware also known as Sodinokibi operates as a ransomware-as-a-service (RaaS), that has recently been seen targeting law firms of A-list celebrities. The attackers not only pose the threat of losing all encrypted data but of also leaking stolen client data to the public.	3777f3e092f2208c6670c01816562a7d	https://malware.news/t/changes-in-revil-ransomware-version-2-2/39556 SHA256: 6953d86d09cb8ed34856b56f71421471718ea923cd12c1e72224356756db2ef1 SHA1: a7e6a0986b641d66b12d14752b20a470c9ba692e MD5: 3777f3e092f2208c6670c01816562a7d
M20-suzd1	DoppelPaymer_a6a31da6	Windows	This strike sends a polymorphic malware sample known as DoppelPaymer. DoppelPaymer ransomware is a variant of the BitPaymer ransomware. It contains source code that can be found in both Dridex and BitPaymer. It has been delivered primarily by Dridex, however, it has also been used in numerous other methods like, malspam, botnets, exploits, etc.The binary has a random section name renamed according to the PE format specification.	a6a31da60473168dc613b64c7a00fc5e	https://arxiv.org/abs/1801.08917 SHA256: 692922af8eb58fda7ecf086937e02fd2cd0e89a233a19fa3a2bf531dde172c31 SHA1: 60858d68463e69043c7f118f8647974bb0cbba1d PARENTID: M20-zug71 SSDEEP: 98304:z56LOFQCSMkpjLzCq37suo9LtkYzQi0YSUiBDXfN/:zsLOqCkLzDouoOS36XV/ MD5: a6a31da60473168dc613b64c7a00fc5e
M20-u36z1	Nemty_348c3597	Windows	This strike sends a malware sample known as Nemty. Nemty is a Ransomware-as-a-Service. Once obtained a user is granted access to a web portal where they are able to create custom versions of the ransomware. It has been spotted being deeliverd via email spam (malspam) campaigns, botnets, exploit kits, pay-pal dummy sites, and by brute-forcing RDP endpoints.	348c3597c7d31c72ea723d5f7082ff87	https://www.mcafee.com/blogs/other-blogs/mcafee-labs/nemty-ransomware-learning-by-doing/ SHA256: 69a44e62abd294bb262906814ce385296eafaa8f0fab82c8c453c19796839549 SHA1: 71917d536b3418fd1ce005ecb96976d172e356c3 MD5: 348c3597c7d31c72ea723d5f7082ff87
M20-tv9r1	Nemty_0f3deda4	Windows	This strike sends a malware sample known as Nemty. Nemty is a Ransomware-as-a-Service. Once obtained a user is granted access to a web portal where they are able to create custom versions of the ransomware. It has been spotted being deeliverd via email spam (malspam) campaigns, botnets, exploit kits, pay-pal dummy sites, and by brute-forcing RDP endpoints.	0f3deda483df5e5f8043ea20297d243b	https://www.mcafee.com/blogs/other-blogs/mcafee-labs/nemty-ransomware-learning-by-doing/ SHA256: a5590a987d125a8ca6629e33e3ff1f3eb7d5f41f62133025d3476e1a6e4c6130 SHA1: 70dac7f3934659e583f962e7c5bff51a4b97dd11 MD5: 0f3deda483df5e5f8043ea20297d243b
M20-mcxn1	DoppelPaymer_b2a0c322	Windows	This strike sends a polymorphic malware sample known as DoppelPaymer. DoppelPaymer ransomware is a variant of the BitPaymer ransomware. It contains source code that can be found in both Dridex and BitPaymer. It has been delivered primarily by Dridex, however, it has also been used in numerous other methods like, malspam, botnets, exploits, etc.The binary has random strings (lorem ipsum) appended at the end of the file.	b2a0c322572d0f5f52d92dbd336ac14f	https://attack.mitre.org/techniques/T1009/ SHA256: 7823b40d3a721e9fb556489f19f044009244ec9f2c69bd7b406bc603f475f99d SHA1: 6fa2213a9f3429c0b0dae4cfab53d70737204219 PARENTID: M20-zug71 SSDEEP: 98304:556LOFQCSMkpjLzCq37suo9LtkYzQi0YSUiBDXfN2:5sLOqCkLzDouoOS36XV2 MD5: b2a0c322572d0f5f52d92dbd336ac14f
M20-u7vw1	Nemty_5cc1bf61	Windows	This strike sends a malware sample known as Nemty. Nemty is a Ransomware-as-a-Service. Once obtained a user is granted access to a web portal where they are able to create custom versions of the ransomware. It has been spotted being deeliverd via email spam (malspam) campaigns, botnets, exploit kits, pay-pal dummy sites, and by brute-forcing RDP endpoints.	5cc1bf6122d38de907d558ec6851377c	https://www.mcafee.com/blogs/other-blogs/mcafee-labs/nemty-ransomware-learning-by-doing/ SHA256: 6a07996bc77bc6fe54acc8fd8d5551a00deaea3cc48f097f18955b06098c4bd3 SHA1: 5ba5abc14c4e756a679cbafbc41440458620b268 MD5: 5cc1bf6122d38de907d558ec6851377c
M20-ml6e1	DoppelPaymer_2d1e555a	Windows	This strike sends a polymorphic malware sample known as DoppelPaymer. DoppelPaymer ransomware is a variant of the BitPaymer ransomware. It contains source code that can be found in both Dridex and BitPaymer. It has been delivered primarily by Dridex, however, it has also been used in numerous other methods like, malspam, botnets, exploits, etc.The binary has random contents appended in one of the existing sections in the PE file format.	2d1e555aa68fcc2672e03c976203f96d	https://arxiv.org/abs/1801.08917 SHA256: 7f53022212625070e4166c274634efe4023a23a1dc63c9fd14ca3e68082076ed SHA1: d7200fe3bc2fb6b1b44fa4fbe485d7310c021af4 PARENTID: M20-zug71 SSDEEP: 98304:559LOFQCSMkpjLzCq37suo9LtkYzQi0YSUiBDXfN/:5LLOqCkLzDouoOS36XV/ MD5: 2d1e555aa68fcc2672e03c976203f96d
M20-83i11	Emotet_ef389a78	Mixed	This strike sends a malware sample known as Emotet. Emotet is one of the most distributed active malware families today. It is modular malware in that it can deliver various payloads. Emotet often comes from Microsoft Office document macros, that is sent with malicious emails.	ef389a7806af11a628bcce9be3897f72	https://blog.talosintelligence.com/2020/10/threat-roundup-1009-1016.html SHA256: e145443e68242815362d6737543409a1adb395879c75c43849abd5e401df522d SHA1: 820b81f34cbb249ba29703ba85b9b658b6be8217 MD5: ef389a7806af11a628bcce9be3897f72
M20-9pt11	Netwalker_8fbc17d6	Mixed	This strike sends a malware sample known as Netwalker. Netwalker, also known as Mailto is Ransomware that encrypts Windows files on the compromised enterprise networks with the mailto extension. It uses the network of the victim to encrypt all Windows devices.	8fbc17d634009cb1ce261b5b3b2f2ecb	https://news.sophos.com/en-us/2020/05/27/netwalker-ransomware-tools-give-insight-into-threat-actor/ SHA256: fd29001b8b635e6c51270788bab7af0bb5adba6917c278b93161cfc2bc7bd6ae SHA1: d35cbad4163a967f66be460bac029895506917ed MD5: 8fbc17d634009cb1ce261b5b3b2f2ecb
M20-du8w1	REvil_9ecca170	Windows	This strike sends a malware sample known as REvil. REvil malware also known as Sodinokibi operates as a ransomware-as-a-service (RaaS), that has recently been seen targeting law firms of A-list celebrities. The attackers not only pose the threat of losing all encrypted data but of also leaking stolen client data to the public.	9ecca170d0515fb14c8b78302b8053e7	https://malware.news/t/changes-in-revil-ransomware-version-2-2/39556 SHA256: ec0c653d5e10fec936dae340bf97c88f153cc0cdf7079632a38a19c876f3c4fe SHA1: 2b498759c83f05beda20adc991be476934ea0fa8 MD5: 9ecca170d0515fb14c8b78302b8053e7
M20-oz2x1	REvil_63a945da	Windows	This strike sends a malware sample known as REvil. REvil malware also known as Sodinokibi operates as a ransomware-as-a-service (RaaS), that has recently been seen targeting law firms of A-list celebrities. The attackers not only pose the threat of losing all encrypted data but of also leaking stolen client data to the public.	63a945da1a63a8e56e8220c4ccf7fd0c	https://malware.news/t/changes-in-revil-ransomware-version-2-2/39556 SHA256: ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195 SHA1: a99cf1a2426edeac97c789d0a4b7d38606d7aa45 MD5: 63a945da1a63a8e56e8220c4ccf7fd0c
M20-fmnm1	Emotet_bd562cd9	Mixed	This strike sends a malware sample known as Emotet. Emotet is one of the most distributed active malware families today. It is modular malware in that it can deliver various payloads. Emotet often comes from Microsoft Office document macros, that is sent with malicious emails.	bd562cd9ad0134eb4ad2600ff5f2a66e	https://blog.talosintelligence.com/2020/10/threat-roundup-1009-1016.html SHA256: d7f2699f9b7e0c263fcbd73238a883871965586fad16985455a85498ce8b520a SHA1: 3a251b9817e458d9f1283a324dfd7760757a6f18 MD5: bd562cd9ad0134eb4ad2600ff5f2a66e
M20-p3xt1	Netwalker_4e59fba2	Windows	This strike sends a malware sample known as Netwalker. Netwalker, also known as Mailto is Ransomware that encrypts Windows files on the compromised enterprise networks with the mailto extension. It uses the network of the victim to encrypt all Windows devices.	4e59fba21c5e9ec603f28a92d9efd8d0	https://news.sophos.com/en-us/2020/05/27/netwalker-ransomware-tools-give-insight-into-threat-actor/ SHA256: 02cb34da6e620d9428f9c8f375fe96a397464d272f723abd8296c4b420fb0e77 SHA1: e57731be1f15c323a7b55b914a0599722ff3985f MD5: 4e59fba21c5e9ec603f28a92d9efd8d0
M20-ictz1	Sekhmet_1343bd0e	Windows	This strike sends a malware sample known as Sekhmet. The Sekhmet ransomware was used in an attack against gas handling company SilPac in June 2020. This ransomware has been commonly spread via spam email. Once it encrypts the files on the targeted system it leaves behind a RECOVER-FILES.txt file that includes a ransom note with instructions on how to pay via TOR.	1343bd0e55191ff224f2a5d4b30cdf3b	https://bazaar.abuse.ch/sample/fceb299326ef4298a3c30e10b31d8c64f1369b182ac256d1eeaf148c1adcea8d/ SHA256: fceb299326ef4298a3c30e10b31d8c64f1369b182ac256d1eeaf148c1adcea8d SHA1: 6412cbf10ac523452e051267afce4095d7f3d5ac MD5: 1343bd0e55191ff224f2a5d4b30cdf3b
M20-pmmk1	Emotet_c73019b6	Mixed	This strike sends a malware sample known as Emotet. Emotet is one of the most distributed active malware families today. It is modular malware in that it can deliver various payloads. Emotet often comes from Microsoft Office document macros, that is sent with malicious emails.	c73019b6b6b46c63f6a45c38b8c2ebbf	https://blog.talosintelligence.com/2020/10/threat-roundup-1009-1016.html SHA256: 9f2b84e3636d99a49ea3ae417c564253d9a351cc49c756a61c63acd530fd3748 SHA1: aab060435c36a7f930861f9e4fb8dd2d639f7388 MD5: c73019b6b6b46c63f6a45c38b8c2ebbf
M20-gt501	Tycoon_12a47095	Windows	This strike sends a malware sample known as Tycoon. Tycoon is a multi-platform Java-based ransomware which targets Windows and Linux systems.	12a470956f7437a00d7bcf47f1995ea7	https://cyberflorida.org/threat-advisory/tycoon-ransomware/ SHA256: ce399a2d07c0851164bd8cc9e940b84b88c43ef564846ca654df4abf36c278e6 SHA1: 7301382916d9f5274a4fb847579f75bc69c9c24b MD5: 12a470956f7437a00d7bcf47f1995ea7
M20-mfyo1	Tycoon_d3f44bfe	Windows	This strike sends a malware sample known as Tycoon. Tycoon is a multi-platform Java-based ransomware which targets Windows and Linux systems.	d3f44bfe42b2e3c735e9df5bb793b9ef	https://cyberflorida.org/threat-advisory/tycoon-ransomware/ SHA256: 346fdff8d24cbb7ebd56f60933beca37a4437b5e1eb6e64f7ab21d48c862b5b7 SHA1: bf38aca2c659f9eb2b2fa2fad82ccf55b496b0cb MD5: d3f44bfe42b2e3c735e9df5bb793b9ef
M20-ls811	Netwalker_cb78a77e	Mixed	This strike sends a malware sample known as Netwalker. Netwalker, also known as Mailto is Ransomware that encrypts Windows files on the compromised enterprise networks with the mailto extension. It uses the network of the victim to encrypt all Windows devices.	cb78a77e9ab26e4cf759e7d7b34bdbdc	https://news.sophos.com/en-us/2020/05/27/netwalker-ransomware-tools-give-insight-into-threat-actor/ SHA256: f2b96f7d6f1bfd464507790120d07bba46cb4c9856399335748f93ebd52b5696 SHA1: b00710d529aefd25d8d51a2c0577bbb72191bc05 MD5: cb78a77e9ab26e4cf759e7d7b34bdbdc
M20-brxz1	Emotet_46d69f8e	Mixed	This strike sends a malware sample known as Emotet. Emotet is one of the most distributed active malware families today. It is modular malware in that it can deliver various payloads. Emotet often comes from Microsoft Office document macros, that is sent with malicious emails.	46d69f8e1deebb60b276e62047b7ea8e	https://blog.talosintelligence.com/2020/10/threat-roundup-1009-1016.html SHA256: 3f5284458a0d2d7d50d7487391aae521f625a8920bfe03a7c88d412f8c17699e SHA1: bc3590512e097608b61118c4d7079153daa7a1c9 MD5: 46d69f8e1deebb60b276e62047b7ea8e
M20-g9yn1	REvil_2019e63a	Windows	This strike sends a polymorphic malware sample known as REvil. REvil malware also known as Sodinokibi operates as a ransomware-as-a-service (RaaS), that has recently been seen targeting law firms of A-list celebrities. The attackers not only pose the threat of losing all encrypted data but of also leaking stolen client data to the public.The binary has been packed using upx packer, with the default options.	2019e63a90b551b369bf42ede3827002	https://attack.mitre.org/techniques/T1045/ SHA256: cf533171a72bb7178de1e1c03635005893b7698602fe46f2fb37b01474820bb8 SHA1: 76bd674bf1265c82e3c9007f645aef4cb8d4b6e3 PARENTID: M20-du8w1 SSDEEP: 3072:j/3/CvLYtvOT3apvSfg+jhOUtp/yAQSHtRIKeMsTwV:j/IY64vSfg+jRp/JHQ0 MD5: 2019e63a90b551b369bf42ede3827002
M20-jype1	Emotet_007a2eae	Mixed	This strike sends a malware sample known as Emotet. Emotet is one of the most distributed active malware families today. It is modular malware in that it can deliver various payloads. Emotet often comes from Microsoft Office document macros, that is sent with malicious emails.	007a2eae29bc5bfa2eec17ae8104f61e	https://blog.talosintelligence.com/2020/10/threat-roundup-1009-1016.html SHA256: b18241915f09540635b0cc900d7652b72af39fa16e4a3fb8a1e17264b3e0b3e0 SHA1: e31d39ca64d7257153201a783d0289852cf0ecb2 MD5: 007a2eae29bc5bfa2eec17ae8104f61e
M20-d64w1	Netwalker_747dc998	Windows	This strike sends a malware sample known as Netwalker. Netwalker, also known as Mailto is Ransomware that encrypts Windows files on the compromised enterprise networks with the mailto extension. It uses the network of the victim to encrypt all Windows devices.	747dc998c4cf60c6d40a77de18a9aa62	https://news.sophos.com/en-us/2020/05/27/netwalker-ransomware-tools-give-insight-into-threat-actor/ SHA256: 664a129052f024acaca3ca8df9b52a432e2172678b1f80af82fcd2ec9d642e18 SHA1: 0e76db2d2a61b5983c295bb325049b64e74b40ba MD5: 747dc998c4cf60c6d40a77de18a9aa62
M20-lm8y1	Nefilim_70e4b9b7	Windows	This strike sends a malware sample known as Nefilim. Nefilim ransomware shares much of its code with the popular RaaS known as Nemty, however, Nefilim instructs victims to contact the attackers via email rather than through a payment portal. Victims are mainly infected through vulnerable RDP services. Once the system has been infected, the malware establishes persistence and begins to exfiltrate credentials where possible. It will then deliver the ransomware payloads to the intended targets.	70e4b9b7a83473687e5784489d556c87	https://labs.sentinelone.com/meet-nemty-successor-nefilim-nephilim-ransomware/ SHA256: 5ab834f599c6ad35fcd0a168d93c52c399c6de7d1c20f33e25cb1fdb25aec9c6 SHA1: 1f594456d88591d3a88e1cdd4e93c6c4e59b746c MD5: 70e4b9b7a83473687e5784489d556c87
M20-q9iy1	Ryuk_40492c17	Windows	This strike sends a malware sample known as Ryuk. Ryuk is a highly targeted ransomware attack that has infected numerous organizations world wide. The malware performs extensive network mapping, and hacking. Because it is targeted credential collection is required and takes place in advance.	40492c178079e65dfd5449bf899413b6	https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ryuk-ransomware-attack-rush-to-attribution-misses-the-point/ SHA256: fe909d18cf0fde089594689f9a69fbc6d57b69291a09f3b9df1e9b1fb724222b SHA1: f3fa5d5942e5085586d7fcc496d3fad7804abcc2 MD5: 40492c178079e65dfd5449bf899413b6
M20-qi7u1	Nemty_dcec4fed	Windows	This strike sends a malware sample known as Nemty. Nemty is a Ransomware-as-a-Service. Once obtained a user is granted access to a web portal where they are able to create custom versions of the ransomware. It has been spotted being deeliverd via email spam (malspam) campaigns, botnets, exploit kits, pay-pal dummy sites, and by brute-forcing RDP endpoints.	dcec4fed3b60705eafdc5cbff4062375	https://www.mcafee.com/blogs/other-blogs/mcafee-labs/nemty-ransomware-learning-by-doing/ SHA256: 688994783ce56427f20e6e2d206e5eee009fcc157ba37737dce1b14a326cc612 SHA1: ef71426550dc3a3121746b475bf9a8416a73ca54 MD5: dcec4fed3b60705eafdc5cbff4062375
M20-u2sg1	Sodinokibi_bf935904	Windows	This strike sends a malware sample known as Sodinokibi. Sodinokibi ransomware takes advantage of a Oracle WebLogic vulnerability to gain access to target system. Once inside, it attempts to elevate privileges in order to access all files and resources on the system without any restriction. It will then wipe out all files in the backup folder.	bf9359046c4f5c24de0a9de28bbabd14	https://www.acronis.com/en-us/articles/sodinokibi-ransomware/ SHA256: 963e31fef7c8db9e002c56ee30fd3cd4b240db466bc23687979e2f161ba5606e SHA1: d1f7c41154cbbc9cd84203fe6067d1b93001dde6 MD5: bf9359046c4f5c24de0a9de28bbabd14
M20-23yc1	Ryuk_db2766c6	Windows	This strike sends a malware sample known as Ryuk. Ryuk is a highly targeted ransomware attack that has infected numerous organizations world wide. The malware performs extensive network mapping, and hacking. Because it is targeted credential collection is required and takes place in advance.	db2766c6f43c25951cdd38304d328dc1	https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ryuk-ransomware-attack-rush-to-attribution-misses-the-point/ SHA256: aacfc3e386ed12082923d03fa1120d5fa6bf7b8655ba77e04b96a45434fa9a83 SHA1: fc62460c6ddd671085cde0138cf3d999e1db08cf MD5: db2766c6f43c25951cdd38304d328dc1
M20-vc5b2	Netwalker_25c0fde0	Mixed	This strike sends a malware sample known as Netwalker. Netwalker, also known as Mailto is Ransomware that encrypts Windows files on the compromised enterprise networks with the mailto extension. It uses the network of the victim to encrypt all Windows devices.	25c0fde038e01fe84fd3df69c99e60a1	https://news.sophos.com/en-us/2020/05/27/netwalker-ransomware-tools-give-insight-into-threat-actor/ SHA256: 129a0f0f4dd667e3ecbcc252b890f306eb041ad0295cb1511343c307c12a658d SHA1: 147c1adc615daa93e84a5a9210ccc14ae86f6c55 MD5: 25c0fde038e01fe84fd3df69c99e60a1
M20-qr3q1	Netwalker_d09cfda2	Windows	This strike sends a malware sample known as Netwalker. Netwalker, also known as Mailto is Ransomware that encrypts Windows files on the compromised enterprise networks with the mailto extension. It uses the network of the victim to encrypt all Windows devices.	d09cfda29f178f57dbce6895cfb68372	https://news.sophos.com/en-us/2020/05/27/netwalker-ransomware-tools-give-insight-into-threat-actor/ SHA256: f298725e197f974b7a8407c5d79114a4ac322c573813d543141ccf1d9119dd8b SHA1: 82720e4d3fb83baff552ec25eea0fed2befe94fa MD5: d09cfda29f178f57dbce6895cfb68372
M20-2sw81	Netwalker_63eb7712	Windows	This strike sends a malware sample known as Netwalker. Netwalker, also known as Mailto is Ransomware that encrypts Windows files on the compromised enterprise networks with the mailto extension. It uses the network of the victim to encrypt all Windows devices.	63eb7712d7c9d495e8a6be937bdb1960	https://news.sophos.com/en-us/2020/05/27/netwalker-ransomware-tools-give-insight-into-threat-actor/ SHA256: 0d0ed90929351c08c47dbd7541073d037240718c4a2fd63c09d2377090d4cd7a SHA1: 1897bcfc7f3d4a36bdd29da61e87ba00812dca24 MD5: 63eb7712d7c9d495e8a6be937bdb1960
M20-wimr1	Netwalker_b49ea177	Mixed	This strike sends a malware sample known as Netwalker. Netwalker, also known as Mailto is Ransomware that encrypts Windows files on the compromised enterprise networks with the mailto extension. It uses the network of the victim to encrypt all Windows devices.	b49ea17739f484b2ccccf79f245186f3	https://news.sophos.com/en-us/2020/05/27/netwalker-ransomware-tools-give-insight-into-threat-actor/ SHA256: 7a456f306593a051bea004493f073bb54c5135d8ce3c428f2433c877afd858f3 SHA1: 5c3aede31aaa0c77bfc56111ec39ac0503662dd7 MD5: b49ea17739f484b2ccccf79f245186f3
M20-m0cs1	Maze_bd9838d8	Windows	This strike sends a malware sample known as Maze. Maze malware also known as ChaCha ransomware is known for not only encrypting files on the targeted system but for releasing stolen victim information to the public if the ransom is not paid. The ransomware has been delivered via several methods including exploits kits, remote desktop connections and phishing emails. This malware also utilizes many anti reversing and analysis features that make examining it much more difficult.	bd9838d84fd77205011e8b0c2bd711e0	https://labs.sentinelone.com/maze-ransomware-update-extorting-and-exposing-victims/ SHA256: b345697c16f84d3775924dc17847fa3ff61579ee793a95248e9c4964da586dd1 SHA1: c5938ec75e5b655be84eb94d73adec0f63fbce16 MD5: bd9838d84fd77205011e8b0c2bd711e0
M20-bbin1	Ryuk_d7697d0d	Windows	This strike sends a malware sample known as Ryuk. Ryuk is a highly targeted ransomware attack that has infected numerous organizations world wide. The malware performs extensive network mapping, and hacking. Because it is targeted credential collection is required and takes place in advance.	d7697d0d692bd883e53036b906108d56	https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ryuk-ransomware-attack-rush-to-attribution-misses-the-point/ SHA256: 5b1ab6fae05ca9005ee7026cc30fb79780c470d6a920a63383c3496381778fb5 SHA1: cbff9d66d68fa67e40ca4a295daed68f0d5f8383 MD5: d7697d0d692bd883e53036b906108d56
M20-vqz11	Maze_a0dc59b0	Windows	This strike sends a malware sample known as Maze. Maze malware also known as ChaCha ransomware is known for not only encrypting files on the targeted system but for releasing stolen victim information to the public if the ransom is not paid. The ransomware has been delivered via several methods including exploits kits, remote desktop connections and phishing emails. This malware also utilizes many anti reversing and analysis features that make examining it much more difficult.	a0dc59b0f4fdf6d4656946865433bcce	https://labs.sentinelone.com/maze-ransomware-update-extorting-and-exposing-victims/ SHA256: 9d86beb9d4b07dec9db6a692362ac3fce2275065194a3bda739fe1d1f4d9afc7 SHA1: c10fd0163c42f1149d5dcfb44e31b53a4fe6c6c9 MD5: a0dc59b0f4fdf6d4656946865433bcce
M20-eoc31	CLOP_a04eb443	Windows	This strike sends a malware sample known as CLOP. CLOP ransomware was originally detected as a variant of the CryptoMix ransomware family. It currently targets entire networks instead of individual machines and even attempts to disable Windows Defender and other security tools. Before it begins encryption of the system, it disables target processes, which can include debuggers, text editors, IDEs, as well as a host of Windows processes like Windows 10 and Microsoft applications.	a04eb443870896fbe9a0b6468c4844f7	https://www.trendmicro.com/vinfo/ae/security/news/cybercrime-and-digital-threats/ransomware-recap-clop-deathransom-and-maze-ransomware SHA256: a867deb1578088d066941c40e598e4523ab5fd6c3327d3afb951073bee59fb02 SHA1: e3001ef25b1386763caec9b5339ec6ddb0275a71 MD5: a04eb443870896fbe9a0b6468c4844f7
M20-7blu1	REvil_1a0545bb	Windows	This strike sends a polymorphic malware sample known as REvil. REvil malware also known as Sodinokibi operates as a ransomware-as-a-service (RaaS), that has recently been seen targeting law firms of A-list celebrities. The attackers not only pose the threat of losing all encrypted data but of also leaking stolen client data to the public.The binary has random strings (lorem ipsum) appended at the end of the file.	1a0545bbcac7a44a1406cdac135288ca	https://attack.mitre.org/techniques/T1009/ SHA256: 8c744fefa5d609f9c57eb147e22e74680585e19d27f49244dd4c629db21a7502 SHA1: 7f24239d5e392dffbca97c562bec63435a93858f PARENTID: M20-du8w1 SSDEEP: 3072:1LFrb30BRtBZZg+i2ayy2RjLTuVyu7CJDgoMT3Qt6tCImQ:ZJ0BXScFy2RsQJ8zgQX MD5: 1a0545bbcac7a44a1406cdac135288ca
M20-fod61	Netwalker_9172586c	Windows	This strike sends a malware sample known as Netwalker. Netwalker, also known as Mailto is Ransomware that encrypts Windows files on the compromised enterprise networks with the mailto extension. It uses the network of the victim to encrypt all Windows devices.	9172586c2f870ab76eb0852d1f4dfaea	https://news.sophos.com/en-us/2020/05/27/netwalker-ransomware-tools-give-insight-into-threat-actor/ SHA256: 167bf2356e65b04407cd2d8299a9b315f213808b04c341f6aad5820fc46a3c49 SHA1: 69e858f578fb0e7fdfb1d26db52dd6a95f5802ff MD5: 9172586c2f870ab76eb0852d1f4dfaea
M20-v87c1	Netwalker_2f720c55	Mixed	This strike sends a malware sample known as Netwalker. Netwalker, also known as Mailto is Ransomware that encrypts Windows files on the compromised enterprise networks with the mailto extension. It uses the network of the victim to encrypt all Windows devices.	2f720c55dc1969da5299a45e031816ae	https://news.sophos.com/en-us/2020/05/27/netwalker-ransomware-tools-give-insight-into-threat-actor/ SHA256: 940d411e8f6c3aecfebc74614f856b892aaf0ad546b0aeec4152a75711a4267c SHA1: 6da8ae1da95a0c96b432ad822076a0255e6744fd MD5: 2f720c55dc1969da5299a45e031816ae
M20-ckxn1	Nefilim_dfd4dbfd	Windows	This strike sends a malware sample known as Nefilim. Nefilim ransomware shares much of its code with the popular RaaS known as Nemty, however, Nefilim instructs victims to contact the attackers via email rather than through a payment portal. Victims are mainly infected through vulnerable RDP services. Once the system has been infected, the malware establishes persistence and begins to exfiltrate credentials where possible. It will then deliver the ransomware payloads to the intended targets.	dfd4dbfd7cbd6179fc371e5f887f189c	https://labs.sentinelone.com/meet-nemty-successor-nefilim-nephilim-ransomware/ SHA256: 353ee5805bc5c7a98fb5d522b15743055484dc47144535628d102a4098532cd5 SHA1: bbcb2354ef001f476025635741a6caa00818cbe7 MD5: dfd4dbfd7cbd6179fc371e5f887f189c
M20-vcwy1	Netwalker_6528c101	Windows	This strike sends a malware sample known as Netwalker. Netwalker, also known as Mailto is Ransomware that encrypts Windows files on the compromised enterprise networks with the mailto extension. It uses the network of the victim to encrypt all Windows devices.	6528c1013ddb23f6eeca08d02f3d7834	https://news.sophos.com/en-us/2020/05/27/netwalker-ransomware-tools-give-insight-into-threat-actor/ SHA256: c677014c312b87da89362fbd16f7abf7ba5546220000bfdaa0f77bba1edf5144 SHA1: 61905f80bd29b2bd0cd522a7e822aeb8733bb78c MD5: 6528c1013ddb23f6eeca08d02f3d7834
M20-jyvy1	Emotet_4247302f	Mixed	This strike sends a malware sample known as Emotet. Emotet is one of the most distributed active malware families today. It is modular malware in that it can deliver various payloads. Emotet often comes from Microsoft Office document macros, that is sent with malicious emails.	4247302ff7876d70434aa55bf65fe7e1	https://blog.talosintelligence.com/2020/10/threat-roundup-1009-1016.html SHA256: e3f75fa3896fe0551e1a892b0bf308e786326218836e5824fcfac7cd813c142e SHA1: 39feb1450fe49ee8c82766f0f7d9e1ca6c3998cf MD5: 4247302ff7876d70434aa55bf65fe7e1
M20-d4cb1	Emotet_97e77c7d	Mixed	This strike sends a malware sample known as Emotet. Emotet is one of the most distributed active malware families today. It is modular malware in that it can deliver various payloads. Emotet often comes from Microsoft Office document macros, that is sent with malicious emails.	97e77c7db614b3304ea6ef7a598697fb	https://blog.talosintelligence.com/2020/10/threat-roundup-1009-1016.html SHA256: 3dc27bfea129de80fabb8e5ec05816202ae50e9b182b9d1f67546491c7fbe01c SHA1: 1744fd5bcb9e4162bcbf6a44a9da5cfbb698a7bd MD5: 97e77c7db614b3304ea6ef7a598697fb
M20-rqxl1	Nefilim_053ec539	Windows	This strike sends a malware sample known as Nefilim. Nefilim ransomware shares much of its code with the popular RaaS known as Nemty, however, Nefilim instructs victims to contact the attackers via email rather than through a payment portal. Victims are mainly infected through vulnerable RDP services. Once the system has been infected, the malware establishes persistence and begins to exfiltrate credentials where possible. It will then deliver the ransomware payloads to the intended targets.	053ec539c138afb99054bd362bb3ed71	https://labs.sentinelone.com/meet-nemty-successor-nefilim-nephilim-ransomware/ SHA256: b8066b7ec376bc5928d78693d236dbf47414571df05f818a43fb5f52136e8f2e SHA1: d87847810db8af546698e47653452dcd089c113e MD5: 053ec539c138afb99054bd362bb3ed71
M20-9hz81	Nefilim_659c4b68	Windows	This strike sends a malware sample known as Nefilim. Nefilim ransomware shares much of its code with the popular RaaS known as Nemty, however, Nefilim instructs victims to contact the attackers via email rather than through a payment portal. Victims are mainly infected through vulnerable RDP services. Once the system has been infected, the malware establishes persistence and begins to exfiltrate credentials where possible. It will then deliver the ransomware payloads to the intended targets.	659c4b68f2027905def1af9249feebb3	https://labs.sentinelone.com/meet-nemty-successor-nefilim-nephilim-ransomware/ SHA256: 35a0bced28fd345f3ebfb37b6f9a20cc3ab36ab168e079498f3adb25b41e156f SHA1: 2483dc7273b8004ecc0403fbb25d8972470c4ee4 MD5: 659c4b68f2027905def1af9249feebb3

Malware Strikes September - 2020

Strike ID	Malware	Platform	Info	MD5	External References
M20-3a671	Emotet_c703787a	Mixed	This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails.	c703787ab240e6a6959b267c71b4927d	https://blog.talosintelligence.com/2020/09/threat-roundup-0904-0911.html SHA256: 1aa92916074cf5c819de2ea8b9ca9b5f04e1afd1f6ccfeae0a8849c3e8153e46 SHA1: 01dae25c32a749e277e3db4d6251d65b6f2fd5f1 MD5: c703787ab240e6a6959b267c71b4927d
M20-xzln1	Gandcrab_fc157cd5	Windows	This strike sends a malware sample known as Gandcrab. GandCrab is ransomware that encrypts documents, photos, databases and other important files typically using the file extension ".GDCB," ".CRAB" or ".KRAB." GandCrab is spread through both traditional spam campaigns, as well as multiple exploit kits, including Rig and GrandSoft.	fc157cd5d8a9c32ecaec8a273b064296	https://blog.talosintelligence.com/2020/09/threat-roundup-0904-0911.html SHA256: 119bd50529bb4cfefcf102346d4f14ec741f48c72ecab7b65417f76fbeae8bc1 SHA1: 10720df03005d7fee3e4bcd9e86732ea89f8b7ce MD5: fc157cd5d8a9c32ecaec8a273b064296
M20-c7nd1	Arkei_f3a4bb8f	Windows	This strike sends a malware sample known as Arkei. Arkei is an information-stealing malware that collects passwords, credit card information and web browser cookies.	f3a4bb8fca6d399c3a1a9ff750c48441	https://blog.talosintelligence.com/2020/09/threat-roundup-0911-0918.html SHA256: 2296a27b28562b0f72ac638106fa1cbdee429c7261412afcf8ce1820a6bc8e73 SHA1: d50d34dd5e2651ad18b87b4595ea2cb95f334624 MD5: f3a4bb8fca6d399c3a1a9ff750c48441
M20-25ct1	Arkei_3dc6ef89	Windows	This strike sends a malware sample known as Arkei. Arkei is an information-stealing malware that collects passwords, credit card information and web browser cookies.	3dc6ef8923433a89af4bab1e54ccdc02	https://blog.talosintelligence.com/2020/09/threat-roundup-0911-0918.html SHA256: 272d4ca5a9e6bf8647e8ac6cb0d426f1f8fdbed0fdb8cf5ceadfe351517d3364 SHA1: cbc2f9e47eb2f58d32fe8befb9b75f62bc46a183 MD5: 3dc6ef8923433a89af4bab1e54ccdc02
M20-y6qp1	Arkei_e63543c9	Windows	This strike sends a malware sample known as Arkei. Arkei is an information-stealing malware that collects passwords, credit card information and web browser cookies.	e63543c93b4d214c80e8c589582a7acb	https://blog.talosintelligence.com/2020/09/threat-roundup-0911-0918.html SHA256: 0f1dc323161ce0b22e510945d2b69f3d4bde2cbbf892761d426ff61735ab8177 SHA1: 7dc1f304ff8cb49664e763c7a57f04c1fa748d05 MD5: e63543c93b4d214c80e8c589582a7acb
M20-vvdu1	Expiro_b6200879	Windows	This strike sends a malware sample known as Expiro. Expiro is a known file infector and information-stealer that hinders analysis with anti-debugging and anti-analysis tricks.	b62008793dce122676720498b66b9a14	https://blog.talosintelligence.com/2020/09/threat-roundup-0911-0918.html SHA256: 00cae541f806bef35e8b7056c18f0fbfcf4271b5041194773f6ab07af8c17855 SHA1: 960b43d2c75ac4184d92ea68e4c946797049dee7 MD5: b62008793dce122676720498b66b9a14
M20-lo9a1	Gandcrab_c78096f0	Windows	This strike sends a malware sample known as Gandcrab. GandCrab is ransomware that encrypts documents, photos, databases and other important files typically using the file extension ".GDCB," ".CRAB" or ".KRAB." GandCrab is spread through both traditional spam campaigns, as well as multiple exploit kits, including Rig and GrandSoft.	c78096f041d994cc2e007a1a0c09a357	https://blog.talosintelligence.com/2020/09/threat-roundup-0904-0911.html SHA256: 12cdd2a84ecd40578e34c33ba6530200e1fdd243e30bfc15e074251b0bbb5e03 SHA1: 2cdd146d664eb7a9b0523a4c3b5e04eb0d2883b7 MD5: c78096f041d994cc2e007a1a0c09a357
M20-wqmk1	Razy_b42a8425	Windows	This strike sends a malware sample known as Razy. Razy is often used as a generic detection name for a Windows trojan. This cluster of samples contains encrypted code in the resources section that could be injected to a legitimate process.	b42a842553913cbac45effdc053e9696	https://blog.talosintelligence.com/2020/09/threat-roundup-0904-0911.html SHA256: 2af8f1dff3ccc5fa0be79b89473e08a3c30732770cb3c3e529ee6815dd6ad53e SHA1: 7a41fe8baec119b3aea23e9b2981c198eb32b4bf MD5: b42a842553913cbac45effdc053e9696
M20-qx671	Emotet_68b36e7e	Mixed	This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails.	68b36e7efd2a6f2b24893650e30e15ea	https://blog.talosintelligence.com/2020/09/threat-roundup-0904-0911.html SHA256: 2455308d12306b5b5ecb3c4de58a0cc1f09f1cfda7b69c936fe447b619e9cddb SHA1: 07287cbee6e005eec05efb3f1556acffeda10e33 MD5: 68b36e7efd2a6f2b24893650e30e15ea
M20-6i181	Expiro_cb601c51	Windows	This strike sends a malware sample known as Expiro. Expiro is a known file infector and information-stealer that hinders analysis with anti-debugging and anti-analysis tricks.	cb601c51cd742f846c50e3feddceb789	https://blog.talosintelligence.com/2020/09/threat-roundup-0911-0918.html SHA256: cdfadce2ce67b7448c509d6e9b6a5d7e23aab7b5b4c7659cb83327ea2eb5ebc0 SHA1: 6c5ab487e9f0d24ab5d49aa2e383e273881e25f2 MD5: cb601c51cd742f846c50e3feddceb789
M20-6s511	Shiz_d072d816	Windows	This strike sends a malware sample known as Shiz. Shiz is a remote access trojan that allows an attacker to access an infected machine to harvest sensitive information like application passwords and browser cookies.	d072d816a7fd9b22d226fe4e27289e5a	https://blog.talosintelligence.com/2020/09/threat-roundup-0911-0918.html SHA256: 71b52dfe10bf2ce5a88d06e4c66cdc3b34d933070a7b8e984f9b5ed1cb36a227 SHA1: 9b6ffd470343c4406b0a2c159cd5b51c728a0638 MD5: d072d816a7fd9b22d226fe4e27289e5a
M20-qmpg1	Arkei_8edaee6d	Windows	This strike sends a polymorphic malware sample known as Arkei. Arkei is an information-stealing malware that collects passwords, credit card information and web browser cookies.The binary has random strings (lorem ipsum) appended at the end of the file.	8edaee6d0a70ed278c0dbc435d957d31	https://attack.mitre.org/techniques/T1009/ SHA256: 38800a65afe22c6aa96c06530e18f48f423eb9cdeb45450190c4d61597b140e6 SHA1: 0de58fa1f5bb619e3b98a1bb98601eff3b6c1268 PARENTID: M20-c7nd1 SSDEEP: 3072:AjBiNsFBUawG9dY5AfhTQavJckkZ/p3dyBnf76hoPRO/t:0iyxwG9C5AuaWXP3IBnjNPRO/t MD5: 8edaee6d0a70ed278c0dbc435d957d31
M20-ygg91	Shiz_a47a581f	Windows	This strike sends a malware sample known as Shiz. Shiz is a remote access trojan that allows an attacker to access an infected machine to harvest sensitive information like application passwords and browser cookies.	a47a581f94f93bef024f2f9c099ac15e	https://blog.talosintelligence.com/2020/09/threat-roundup-0911-0918.html SHA256: c6e223d9a20a0f4f21c4c0dd21d6a6fa094b51688322171aa54d7c7a996003db SHA1: 195a1429cb187fc179806c86d65d75f49b88b4a5 MD5: a47a581f94f93bef024f2f9c099ac15e
M20-5mec1	Gandcrab_81740cc0	Windows	This strike sends a malware sample known as Gandcrab. GandCrab is ransomware that encrypts documents, photos, databases and other important files typically using the file extension ".GDCB," ".CRAB" or ".KRAB." GandCrab is spread through both traditional spam campaigns, as well as multiple exploit kits, including Rig and GrandSoft.	81740cc0d01c2b9841f1946dadab4263	https://blog.talosintelligence.com/2020/09/threat-roundup-0904-0911.html SHA256: 0c80f42e2d6af784935e2804e124e5d5cee2ce62bf7bd19996fb81d3dc121b0e SHA1: 4bada265a65396b59040944d3ad2f72a58246ce2 MD5: 81740cc0d01c2b9841f1946dadab4263
M20-qmkg1	Shlayer_4d86ae25	Mixed	This strike sends a malware sample known as Shlayer. Shlayer is a Trojan family of malware that targets the Mac OS platform. Its main purpose is to infect a system and retrieve additional malware most typically adware. Like most adware, it displays unwanted advertising on the system. Most recently Shlayer has been delivered with Apple notarized applications.	4d86ae25913374cfcb80a8d798b9016e	https://securelist.com/shlayer-for-macos/95724/ https://objective-see.com/blog/blog_0x4E.html SHA256: 05a3b34be443c7fabcb89a489c78fb7f27c896da29d125162c8b87f2d2128010 SHA1: f95055be76b834ae61c7d2b077a0639a9d68cf64 MD5: 4d86ae25913374cfcb80a8d798b9016e
M20-rzxv1	Expiro_b08ad0e8	Windows	This strike sends a malware sample known as Expiro. Expiro is a known file infector and information-stealer that hinders analysis with anti-debugging and anti-analysis tricks.	b08ad0e8469c891ff4f71ba623e18d01	https://blog.talosintelligence.com/2020/09/threat-roundup-0911-0918.html SHA256: bbb8bf6f5c8ff6d1028ba95bd64ddf19175e8a78ef6cea48eabf7fe125112d2e SHA1: 317e2de8b044605ab31aa37178cf7e4d5931d04c MD5: b08ad0e8469c891ff4f71ba623e18d01
M20-89ow1	Razy_f6be4584	Windows	This strike sends a malware sample known as Razy. Razy is often used as a generic detection name for a Windows trojan. This cluster of samples contains encrypted code in the resources section that could be injected to a legitimate process.	f6be458489923d7fa91bf8d6f28aa5af	https://blog.talosintelligence.com/2020/09/threat-roundup-0904-0911.html SHA256: 03e97e16c8724c33270953be58da27091a18725edfed7ebb596fa051b029329f SHA1: 8566b0163fda63052deee03a7139db0063da4178 MD5: f6be458489923d7fa91bf8d6f28aa5af
M20-xxlu1	KryptoCibule_47a12663	Windows	This strike sends a malware sample known as KryptoCibule. KryptoCibule is a new malware family that uses the victim resources to mine coins. It tries to hijack transactions by replacing wallet addresses in the clipboard, and exfiltrates cryptocurrency-related files, all while deploying multiple techniques to avoid detection.	47a12663fce9b7ad2238f768ba482f49	https://www.welivesecurity.com/2020/09/02/kryptocibule-multitasking-multicurrency-cryptostealer/ https://www.zdnet.com/article/new-kryptocibule-windows-malware-is-a-triple-threat-for-cryptocurrency-users/ SHA256: 04f3aa4152f3d9a0a9443c2adce00717a7ca4432bf9ced35aa9135ba8067714d SHA1: 70480d5f4cb10de42dd2c863ddf57102be6fa9e0 MD5: 47a12663fce9b7ad2238f768ba482f49
M20-w8b51	Arkei_249acf68	Windows	This strike sends a malware sample known as Arkei. Arkei is an information-stealing malware that collects passwords, credit card information and web browser cookies.	249acf68b841fb953571ab1ef246b497	https://blog.talosintelligence.com/2020/09/threat-roundup-0911-0918.html SHA256: 2cb29b407451530fbf07c2afb72eab72a937df43563073f566a8fcbf6342c8de SHA1: 5f5799593986ee25b3cef3e7df939e3066fd862b MD5: 249acf68b841fb953571ab1ef246b497
M20-3v3y1	Expiro_c71fb079	Windows	This strike sends a malware sample known as Expiro. Expiro is a known file infector and information-stealer that hinders analysis with anti-debugging and anti-analysis tricks.	c71fb07961cd7b69347f2cb2a6d8a30a	https://blog.talosintelligence.com/2020/09/threat-roundup-0911-0918.html SHA256: 2478553b39a47ac319550e9bf65c12cc08944bb61d60e8aabb8e48a751f94359 SHA1: 1a00426e5e5120087c7e7b2f39f44e8d4626f2a9 MD5: c71fb07961cd7b69347f2cb2a6d8a30a
M20-pbml1	Expiro_ca95f186	Windows	This strike sends a malware sample known as Expiro. Expiro is a known file infector and information-stealer that hinders analysis with anti-debugging and anti-analysis tricks.	ca95f18632c18edea8580ffd5443bb57	https://blog.talosintelligence.com/2020/09/threat-roundup-0911-0918.html SHA256: ddb9c3a37b16026ae097ded0b9209c6927bf31e616a18a4649651eb9fc7e07a2 SHA1: 94dd0461eb199aa827389b9f54d7dc5e60565712 MD5: ca95f18632c18edea8580ffd5443bb57
M20-1o0u1	Shiz_4f199253	Windows	This strike sends a polymorphic malware sample known as Shiz. Shiz is a remote access trojan that allows an attacker to access an infected machine to harvest sensitive information like application passwords and browser cookies.The binary has random strings (lorem ipsum) appended at the end of the file.	4f199253542d306639e414eececcefba	https://attack.mitre.org/techniques/T1009/ SHA256: b57f882e4f082c078a104ca8bb52c202a83f3f04bc54d6c6e73f38a222ce4a25 SHA1: cb143ed1001bd317550f025b63bec576a0d0478d PARENTID: M20-i59h1 SSDEEP: 6144:HZRSUUUUUUUUUUUUUUUm7XQgOraXQgOrtfi9jcxm6rPIXTTX:HZwUUUUUUUUUUUUUUUmg46jIXv MD5: 4f199253542d306639e414eececcefba
M20-qggl1	Razy_201dd9a3	Windows	This strike sends a malware sample known as Razy. Razy is often used as a generic detection name for a Windows trojan. This cluster of samples contains encrypted code in the resources section that could be injected to a legitimate process.	201dd9a3dac6d9fc554914615c5944ad	https://blog.talosintelligence.com/2020/09/threat-roundup-0904-0911.html SHA256: 3b72a6c6452e71e537e8d3aa4310d57abfb2a1bd39f3808ef222ccb4af2c35e4 SHA1: 1030d3459f11f9da8b2f93bb043ce0d1d710cd68 MD5: 201dd9a3dac6d9fc554914615c5944ad
M20-toxh1	Shlayer_1c859729	Mixed	This strike sends a malware sample known as Shlayer. Shlayer is a Trojan family of malware that targets the Mac OS platform. Its main purpose is to infect a system and retrieve additional malware most typically adware. Like most adware, it displays unwanted advertising on the system. Most recently Shlayer has been delivered with Apple notarized applications.	1c859729bde4b392eaa1694c19ba5f9c	https://securelist.com/shlayer-for-macos/95724/ https://objective-see.com/blog/blog_0x4E.html SHA256: f2ca257139e4c20a975f10ee86633e980ae3417e74f05db4c461d60f69bd840c SHA1: d8a35dfa14623a7d3e034d336ec24c499027c09a MD5: 1c859729bde4b392eaa1694c19ba5f9c
M20-vk3t1	Arkei_f7359ffd	Windows	This strike sends a malware sample known as Arkei. Arkei is an information-stealing malware that collects passwords, credit card information and web browser cookies.	f7359ffdc1b165863867f00046c03bd1	https://blog.talosintelligence.com/2020/09/threat-roundup-0911-0918.html SHA256: 27a35d3565bf6bef2ec1f80a8604456458d306dbee60bb0dc727e0297002f972 SHA1: 36664016072d469743d538c9f70218bf7b8bc0ae MD5: f7359ffdc1b165863867f00046c03bd1
M20-r7cy1	Razy_bb99864d	Windows	This strike sends a malware sample known as Razy. Razy is often used as a generic detection name for a Windows trojan. This cluster of samples contains encrypted code in the resources section that could be injected to a legitimate process.	bb99864d4aef505915898a5b42db891b	https://blog.talosintelligence.com/2020/09/threat-roundup-0904-0911.html SHA256: 88f398002b7b629049adf26a9838bdaad15ab3d69f1cb44b6fd8c6db9a65d3d9 SHA1: 94096bcdf96703fb89fc590f9f3a9d30ec1cce45 MD5: bb99864d4aef505915898a5b42db891b
M20-5ifk1	Arkei_f2ef1fc0	Windows	This strike sends a malware sample known as Arkei. Arkei is an information-stealing malware that collects passwords, credit card information and web browser cookies.	f2ef1fc097d3805815d0f1db06db6c2f	https://blog.talosintelligence.com/2020/09/threat-roundup-0911-0918.html SHA256: 075c993e56b48fe87c24c0b58b21c8f8b45213073c32606b222b0e5c60854d21 SHA1: 5ddd4886f2dd0b2574cf0321733da8aec154fe8d MD5: f2ef1fc097d3805815d0f1db06db6c2f
M20-5nro1	Shiz_d4a279b2	Windows	This strike sends a polymorphic malware sample known as Shiz. Shiz is a remote access trojan that allows an attacker to access an infected machine to harvest sensitive information like application passwords and browser cookies.The binary has random contents appended in one of the existing sections in the PE file format.	d4a279b2c8c86d8434c24de05f041252	https://arxiv.org/abs/1801.08917 SHA256: 9229bcc25b746bb789987b3ed450c5003d078f542bf1e374e384d694e6b18090 SHA1: aca889763f115f6b515262bea5909d232b206b28 PARENTID: M20-a5wv1 SSDEEP: 6144:lZRSUUUUUUUUUUUUUUUm7XQgOraXQgOrtmMTYf+3jvneAasScLyzGqiO0z/O8kO/:lZwUUUUUUUUUUUUUUUmpMTYf+3jveA52 MD5: d4a279b2c8c86d8434c24de05f041252
M20-g1en1	Arkei_8cd00f75	Windows	This strike sends a malware sample known as Arkei. Arkei is an information-stealing malware that collects passwords, credit card information and web browser cookies.	8cd00f759280f034e02f6e58720bda7d	https://blog.talosintelligence.com/2020/09/threat-roundup-0911-0918.html SHA256: 29f2fc13f37a5d7d9acd4819b0e87158b3ffa897d5e3e211e1a251d0334c3332 SHA1: 34e527ae6326b3c4736489da4d3f0e2b0232cdbe MD5: 8cd00f759280f034e02f6e58720bda7d
M20-nx4m1	KryptoCibule_437d1461	Windows	This strike sends a malware sample known as KryptoCibule. KryptoCibule is a new malware family that uses the victim resources to mine coins. It tries to hijack transactions by replacing wallet addresses in the clipboard, and exfiltrates cryptocurrency-related files, all while deploying multiple techniques to avoid detection.	437d14610738f18977cefaac1af84686	https://www.welivesecurity.com/2020/09/02/kryptocibule-multitasking-multicurrency-cryptostealer/ https://www.zdnet.com/article/new-kryptocibule-windows-malware-is-a-triple-threat-for-cryptocurrency-users/ SHA256: 8c32a47ca925c8e424ed86c42257132ab2b381943b10c6d798e9b7b532db0a40 SHA1: 352743ebe6a0638cc0614216ad000b6a43c4d46e MD5: 437d14610738f18977cefaac1af84686
M20-smg51	Emotet_e3740306	Mixed	This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails.	e37403061d0fc0c796f6d107b7c79492	https://blog.talosintelligence.com/2020/09/threat-roundup-0904-0911.html SHA256: 129b85aaa1cb31320bf74ea541452331d8e7a6b5bec9a9e7a5f36d761f60b328 SHA1: 8907d90e248489a4a11b96f44f4714fb71a7c04d MD5: e37403061d0fc0c796f6d107b7c79492
M20-n4ft1	Arkei_cf64deaa	Windows	This strike sends a malware sample known as Arkei. Arkei is an information-stealing malware that collects passwords, credit card information and web browser cookies.	cf64deaaefbcb00ff53e14bcfd9a86e4	https://blog.talosintelligence.com/2020/09/threat-roundup-0911-0918.html SHA256: 26d2ebaa52fa0042dac17c6c29d6a530b70c2b82166df16a62aad1295c124562 SHA1: fb8676a1b7e523c45056019f316b5c7bbc82a53d MD5: cf64deaaefbcb00ff53e14bcfd9a86e4
M20-yqub1	Shiz_28329ecd	Windows	This strike sends a malware sample known as Shiz. Shiz is a remote access trojan that allows an attacker to access an infected machine to harvest sensitive information like application passwords and browser cookies.	28329ecd0afc07c18ab89730c81e7790	https://blog.talosintelligence.com/2020/09/threat-roundup-0911-0918.html SHA256: 18a1852a601d618c6172869c36b27c6cb36ae15436c654335dfe84954504898e SHA1: 1977bc9f0043e69b32813a1e07eb2549f2efbc66 MD5: 28329ecd0afc07c18ab89730c81e7790
M20-bypj1	Expiro_ae1693e9	Windows	This strike sends a malware sample known as Expiro. Expiro is a known file infector and information-stealer that hinders analysis with anti-debugging and anti-analysis tricks.	ae1693e916245a7cbe94536db6c2dfb9	https://blog.talosintelligence.com/2020/09/threat-roundup-0911-0918.html SHA256: cba09cb5056c6ea03b6d42d0528df900ae55b41a47dc211f44163c8ef250d06a SHA1: a3c48335634ee2f555ab6195635dc7c9301112c2 MD5: ae1693e916245a7cbe94536db6c2dfb9
M20-2q1m2	Emotet_a6ae4aaf	Mixed	This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails.	a6ae4aaf85b21a4b811504d50054bb13	https://blog.talosintelligence.com/2020/09/threat-roundup-0904-0911.html SHA256: 219d1f3a929f192d379292bea355e8f4dac85ab3802f603eb9509560fc845b5f SHA1: dbd79af174a06a35c37c9555f99aebb976485f26 MD5: a6ae4aaf85b21a4b811504d50054bb13
M20-nqew1	Expiro_a1a42c4c	Windows	This strike sends a malware sample known as Expiro. Expiro is a known file infector and information-stealer that hinders analysis with anti-debugging and anti-analysis tricks.	a1a42c4c4f8e99f18e9dac5e0195a117	https://blog.talosintelligence.com/2020/09/threat-roundup-0911-0918.html SHA256: 5b70fd5e886fc50ce1339c79843adb520e5197f9c759c7c00f15bfce1b946b4f SHA1: 19c4c0df7276a7d7a3c61c570c6d6230f39fa9d1 MD5: a1a42c4c4f8e99f18e9dac5e0195a117
M20-4mf61	Shiz_485acf5b	Windows	This strike sends a polymorphic malware sample known as Shiz. Shiz is a remote access trojan that allows an attacker to access an infected machine to harvest sensitive information like application passwords and browser cookies.The binary has random bytes appended at the end of the file.	485acf5b5c53e4b6f61c4add87c6373f	https://attack.mitre.org/techniques/T1009/ SHA256: d24f04886f30642e82e358b3f0c7b2fa35ec5951adee126500b466784913aa1e SHA1: f0e6e9e4a30792bac1420b774fbd2e9a15f2642e PARENTID: M20-a5wv1 SSDEEP: 6144:xZRSUUUUUUUUUUUUUUUm7XQgOraXQgOrtmMTYf+3jvneAasScLyzGqiO0z/O8kOs:xZwUUUUUUUUUUUUUUUmpMTYf+3jveA5W MD5: 485acf5b5c53e4b6f61c4add87c6373f
M20-aray1	Shlayer_594aa050	Mixed	This strike sends a malware sample known as Shlayer. Shlayer is a Trojan family of malware that targets the Mac OS platform. Its main purpose is to infect a system and retrieve additional malware most typically adware. Like most adware, it displays unwanted advertising on the system. Most recently Shlayer has been delivered with Apple notarized applications.	594aa050742406db04a8e07b5d247cdd	https://securelist.com/shlayer-for-macos/95724/ https://objective-see.com/blog/blog_0x4E.html SHA256: 26e791a54b0397f07b6ba2ea7dc3c0db37381ec56e2349574546494a2c99ea77 SHA1: b35a29862550316e84fa095b7b418d2e09842ab5 MD5: 594aa050742406db04a8e07b5d247cdd
M20-e5uo1	Arkei_2da317a6	Windows	This strike sends a malware sample known as Arkei. Arkei is an information-stealing malware that collects passwords, credit card information and web browser cookies.	2da317a6e7600b40a419eb788608191f	https://blog.talosintelligence.com/2020/09/threat-roundup-0911-0918.html SHA256: 121a41530bcd85d027a3b3a9f5f011b2d79de054ba8589041de21385b480af81 SHA1: 4f2c56fdbaf68ebc5f7b0137a8a685c384a0599e MD5: 2da317a6e7600b40a419eb788608191f
M20-9v4j1	Emotet_9a45c567	Mixed	This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails.	9a45c5675acd860cd45950be5f300546	https://blog.talosintelligence.com/2020/09/threat-roundup-0904-0911.html SHA256: 2a6a8755b93ac09b7aff0d03f2743c1bd9e01823dc6cd4811ba0ee492b2414c0 SHA1: 0cd3d86fcb11dd33b9e42df5a8adb72bd645c147 MD5: 9a45c5675acd860cd45950be5f300546
M20-c2rb1	Arkei_10a38d0a	Windows	This strike sends a malware sample known as Arkei. Arkei is an information-stealing malware that collects passwords, credit card information and web browser cookies.	10a38d0ae84dc819e4e91bdc307ed3dc	https://blog.talosintelligence.com/2020/09/threat-roundup-0911-0918.html SHA256: 0c7aabd1a63fe9d74b77819c9f0ed4a05309c062ed4ebe7591cf309d593c0e5e SHA1: 1b450c3423057492ff87f1c666d1cbc54f6d24a8 MD5: 10a38d0ae84dc819e4e91bdc307ed3dc
M20-3w5h1	Gandcrab_7dc8699e	Windows	This strike sends a malware sample known as Gandcrab. GandCrab is ransomware that encrypts documents, photos, databases and other important files typically using the file extension ".GDCB," ".CRAB" or ".KRAB." GandCrab is spread through both traditional spam campaigns, as well as multiple exploit kits, including Rig and GrandSoft.	7dc8699e71e067f3cd4600c2c4fd4a9f	https://blog.talosintelligence.com/2020/09/threat-roundup-0904-0911.html SHA256: 1598fbecd257a923af9074477c0439991ee8f88e62f2a9544a4f03cb692e9ea3 SHA1: 9eb47f2f69966d710e52269666e858daf50d1dd6 MD5: 7dc8699e71e067f3cd4600c2c4fd4a9f
M20-7x3a1	Emotet_a0c0c876	Mixed	This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails.	a0c0c876217f30ee39fd06de0fcb8f57	https://blog.talosintelligence.com/2020/09/threat-roundup-0904-0911.html SHA256: 200af4cf86eaf071d6dca59f9678feccf9f024da48ea982fe9ed3a230ae32fc0 SHA1: 72d6192d447ca4cf4bb4e403c2e5312696b0b889 MD5: a0c0c876217f30ee39fd06de0fcb8f57
M20-i8r51	Gandcrab_1c6b014e	Windows	This strike sends a malware sample known as Gandcrab. GandCrab is ransomware that encrypts documents, photos, databases and other important files typically using the file extension ".GDCB," ".CRAB" or ".KRAB." GandCrab is spread through both traditional spam campaigns, as well as multiple exploit kits, including Rig and GrandSoft.	1c6b014e86d887ef235adbdce8c23a7f	https://blog.talosintelligence.com/2020/09/threat-roundup-0904-0911.html SHA256: 142ee3a78064f1c5da3798744113f522c0a95dc842a5cf1c1346c6d67cd54c0a SHA1: 433ff78ab4c1c0079462aa4b59510e7d49d12a94 MD5: 1c6b014e86d887ef235adbdce8c23a7f
M20-1tqy1	Arkei_b119465c	Windows	This strike sends a malware sample known as Arkei. Arkei is an information-stealing malware that collects passwords, credit card information and web browser cookies.	b119465c150e0173b6b184448b5cf088	https://blog.talosintelligence.com/2020/09/threat-roundup-0911-0918.html SHA256: 1610453727cf82bf981deb05041c2a0655cac62aa9bbf341bbb1b0a46d83b059 SHA1: 4b3d28b3cb13522624075375629179df760fb685 MD5: b119465c150e0173b6b184448b5cf088
M20-1jux1	Expiro_c3a4c6fc	Windows	This strike sends a malware sample known as Expiro. Expiro is a known file infector and information-stealer that hinders analysis with anti-debugging and anti-analysis tricks.	c3a4c6fc3924bea9ff0af427a1595380	https://blog.talosintelligence.com/2020/09/threat-roundup-0911-0918.html SHA256: 6737302d9422c8720861a818d7b042682c9f7b5b04a409b1f7dfc81b6e41381e SHA1: a52b6309e530659c8403704c02203f577c7b6b99 MD5: c3a4c6fc3924bea9ff0af427a1595380
M20-2dci1	Emotet_e4de4b24	Mixed	This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails.	e4de4b24bf98b3af0b5732a10e5a159f	https://blog.talosintelligence.com/2020/09/threat-roundup-0904-0911.html SHA256: 15deba69044594e12348428dccd3451e2b8c78df74daac11f16a6cd29a75874d SHA1: 1dde153f0cf904671832a8741126d7d7350bd45e MD5: e4de4b24bf98b3af0b5732a10e5a159f
M20-1s5l1	Shiz_a15fbb32	Windows	This strike sends a polymorphic malware sample known as Shiz. Shiz is a remote access trojan that allows an attacker to access an infected machine to harvest sensitive information like application passwords and browser cookies.The binary has random strings (lorem ipsum) appended at the end of the file.	a15fbb32ccf830baf1c4adbc32c871b6	https://attack.mitre.org/techniques/T1009/ SHA256: d8380b323612d496e4ffac68c39dbe9fa35fceebf063c5d1ce0dab6184bbda83 SHA1: 6ec4caa465e140897c429c9fdc2fc208aa0ce201 PARENTID: M20-a5wv1 SSDEEP: 6144:xZRSUUUUUUUUUUUUUUUm7XQgOraXQgOrtmMTYf+3jvneAasScLyzGqiO0z/O8kOd:xZwUUUUUUUUUUUUUUUmpMTYf+3jveA53 MD5: a15fbb32ccf830baf1c4adbc32c871b6
M20-dzlc1	Expiro_ceb637aa	Windows	This strike sends a malware sample known as Expiro. Expiro is a known file infector and information-stealer that hinders analysis with anti-debugging and anti-analysis tricks.	ceb637aa93f653ec7fd14dfec80ddec2	https://blog.talosintelligence.com/2020/09/threat-roundup-0911-0918.html SHA256: 1da9498f9d75574bdbb6969ab423b559c370d61603e7c66ef7dd34efc168af71 SHA1: d19f9f2cc49322fe984ae7ee8d4b2853cca529db MD5: ceb637aa93f653ec7fd14dfec80ddec2
M20-t75k1	Emotet_9db82b4e	Mixed	This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails.	9db82b4e3957bf1d62d7526821b12d62	https://blog.talosintelligence.com/2020/09/threat-roundup-0904-0911.html SHA256: 17c72fae234cbcd5593919d234d5e5be0f10f357cb64076810efb0f0e41f9578 SHA1: 2344e1c4b08c92a043ccba80b7ff44cc689f7f96 MD5: 9db82b4e3957bf1d62d7526821b12d62
M20-ltkk1	Gandcrab_6704dc8f	Windows	This strike sends a polymorphic malware sample known as Gandcrab. GandCrab is ransomware that encrypts documents, photos, databases and other important files typically using the file extension ".GDCB," ".CRAB" or ".KRAB." GandCrab is spread through both traditional spam campaigns, as well as multiple exploit kits, including Rig and GrandSoft.The binary has random strings (lorem ipsum) appended at the end of the file.	6704dc8f351350724184257996f9066b	https://attack.mitre.org/techniques/T1009/ SHA256: 9daa713127b5e3192e388a4b5eb62ccbf5a27edf6849555b815e05b327c3b0c5 SHA1: 8779e69762ede4b7f196e22fe4c66e245dc0c0fd PARENTID: M20-xzln1 SSDEEP: 3072:cgzlmnQjGjtA77nRw3u04PbvZDV/y9afXqTXnCBNcESnrbieOVL5M:ci777Rw2hpy9afajnCBwrbTO9M MD5: 6704dc8f351350724184257996f9066b
M20-yq3v1	Joker_baa1ecdd	Mixed	This strike sends a malware sample known as Joker. Joker is a billing fraud family of malware. It looks like a legitimate app, and often times bypasses Google Play's security protections. Once executed it steals SMS messages, contact lists and device information; as well as signs the victim up for premium service subscriptions to siphon money. Recent variants hide malicious code inside the Android Manifest of a legitimate application.	baa1ecdd95d6a13551f783b715cb19ae	https://threatpost.com/joker-android-malware-dupes-its-way-back-onto-google-play/157307/ SHA256: 2dba603773fee05232a9d21cbf6690c97172496f3bde2b456d687d920b160404 SHA1: 8376ac9d586f60759d4954d7ce00519931e38091 MD5: baa1ecdd95d6a13551f783b715cb19ae
M20-a5wv1	Shiz_d662f757	Windows	This strike sends a malware sample known as Shiz. Shiz is a remote access trojan that allows an attacker to access an infected machine to harvest sensitive information like application passwords and browser cookies.	d662f75719f02414a66a17b16a2c721d	https://blog.talosintelligence.com/2020/09/threat-roundup-0911-0918.html SHA256: dafbe2d5b3334c81504712162eaf3b333330d5a100deb68ce6a9033df764782c SHA1: 0b2566be9347d2a47b75ec1dedec641a9a736a9e MD5: d662f75719f02414a66a17b16a2c721d
M20-mm4h1	Shlayer_fa124ed3	Mixed	This strike sends a malware sample known as Shlayer. Shlayer is a Trojan family of malware that targets the Mac OS platform. Its main purpose is to infect a system and retrieve additional malware most typically adware. Like most adware, it displays unwanted advertising on the system. Most recently Shlayer has been delivered with Apple notarized applications.	fa124ed3905a9075517f497531779f92	https://securelist.com/shlayer-for-macos/95724/ https://objective-see.com/blog/blog_0x4E.html SHA256: 734166ee7958d06ea63659ff0315de39181966884e204d3c6031887adcbfa505 SHA1: 1ecce6aa9615937471359bdb72b0df719277d694 MD5: fa124ed3905a9075517f497531779f92
M20-fyoo1	Joker_0b9911cc	Mixed	This strike sends a malware sample known as Joker. Joker is a billing fraud family of malware. It looks like a legitimate app, and often times bypasses Google Play's security protections. Once executed it steals SMS messages, contact lists and device information; as well as signs the victim up for premium service subscriptions to siphon money. Recent variants hide malicious code inside the Android Manifest of a legitimate application.	0b9911ccb089c7ab5ad8a0cbbe25c700	https://threatpost.com/joker-android-malware-dupes-its-way-back-onto-google-play/157307/ SHA256: f6c37577afa37d085fb68fe365e1076363821d241fe48be1a27ae5edd2a35c4d SHA1: c7e850256ba1d67fbaaa8b2d1e92c2acfb317e68 MD5: 0b9911ccb089c7ab5ad8a0cbbe25c700
M20-r0d21	Emotet_debd3b52	Mixed	This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails.	debd3b52b96f9903d5b877d39aebe3f4	https://blog.talosintelligence.com/2020/09/threat-roundup-0904-0911.html SHA256: 209e9056d13fee66177c3a5afaf80a077875e5b59f0247cc0a6a024e6ae92bad SHA1: 70808f8b9ec7bbd24d749e4bdf6784120ae992d8 MD5: debd3b52b96f9903d5b877d39aebe3f4
M20-mut81	Emotet_571ad3e0	Mixed	This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails.	571ad3e0d627ea0b6acb95f9e35e0661	https://blog.talosintelligence.com/2020/09/threat-roundup-0904-0911.html SHA256: 24e66606dd42fb259e7ed01e81b054c21190a9ea60adc8b7be387e05b04b303b SHA1: c6d01d22ccd75739716bc9a14b4145fd1bc1e088 MD5: 571ad3e0d627ea0b6acb95f9e35e0661
M20-hy3i1	Razy_fcd67c80	Windows	This strike sends a malware sample known as Razy. Razy is often used as a generic detection name for a Windows trojan. This cluster of samples contains encrypted code in the resources section that could be injected to a legitimate process.	fcd67c8088b3a39fab73c9cb47a86713	https://blog.talosintelligence.com/2020/09/threat-roundup-0904-0911.html SHA256: 47fc91290b2d99a471a62d5390e13369fcbde2d7820e08c209fb3a5cbb5713e4 SHA1: e5438961a1eae144c51513d7358d4aaf92b4a1d4 MD5: fcd67c8088b3a39fab73c9cb47a86713
M20-epm11	Shiz_47de3e4f	Windows	This strike sends a polymorphic malware sample known as Shiz. Shiz is a remote access trojan that allows an attacker to access an infected machine to harvest sensitive information like application passwords and browser cookies.The binary has random contents appended in one of the existing sections in the PE file format.	47de3e4f669440589fe34532ad9114b2	https://arxiv.org/abs/1801.08917 SHA256: 335695d906c1dd9b13a6e7d51c78a8bf4f70f575f17e66f8619686c3a76ab556 SHA1: 5d3221e198ce7c632d322435f0e33b9d3f833fdf PARENTID: M20-i59h1 SSDEEP: 6144:BZRSUUUUUUUUUUUUUUUm7XQgOraXQgOrtfi9jcxm6rPIXTT:BZwUUUUUUUUUUUUUUUmg46jIX MD5: 47de3e4f669440589fe34532ad9114b2
M20-rbjk1	Arkei_00befcd0	Windows	This strike sends a malware sample known as Arkei. Arkei is an information-stealing malware that collects passwords, credit card information and web browser cookies.	00befcd06035d0bb7f4256c22145e077	https://blog.talosintelligence.com/2020/09/threat-roundup-0911-0918.html SHA256: 08641de04bd051e43e72527006a3cf1d799ff394d5a5a75b219b3171c4666a11 SHA1: e4d19fac6412c140e7f0c60beccf237c2fc4c33d MD5: 00befcd06035d0bb7f4256c22145e077
M20-nfap1	Arkei_568b477b	Windows	This strike sends a malware sample known as Arkei. Arkei is an information-stealing malware that collects passwords, credit card information and web browser cookies.	568b477bb674e07132eefd19d5c45a56	https://blog.talosintelligence.com/2020/09/threat-roundup-0911-0918.html SHA256: 132e2edbf9a97eb30b59d2fa9dde82d8e8d80440e35b23dee73b8df6db748ddc SHA1: 4556618327c4b955f828f5245e718f18fea2b5e2 MD5: 568b477bb674e07132eefd19d5c45a56
M20-t9hu1	Shlayer_9c88732f	Mixed	This strike sends a malware sample known as Shlayer. Shlayer is a Trojan family of malware that targets the Mac OS platform. Its main purpose is to infect a system and retrieve additional malware most typically adware. Like most adware, it displays unwanted advertising on the system. Most recently Shlayer has been delivered with Apple notarized applications.	9c88732f4a04c10ec4853f871de6b5eb	https://securelist.com/shlayer-for-macos/95724/ https://objective-see.com/blog/blog_0x4E.html SHA256: b274f9f28fe11e14f5f3d4724e2396d206965714527929502102f1d10c2259f6 SHA1: 52873957878e37d412cd5dabddfb770bcbdf5783 MD5: 9c88732f4a04c10ec4853f871de6b5eb
M20-oukt1	Arkei_a4b38793	Windows	This strike sends a malware sample known as Arkei. Arkei is an information-stealing malware that collects passwords, credit card information and web browser cookies.	a4b387930e6081c7739f28bf77f2ce4a	https://blog.talosintelligence.com/2020/09/threat-roundup-0911-0918.html SHA256: 1bf99f63bb8bba5e8d3c7338e0c9338fcf0d170bb567f0c6ce8dc063c6c0c72a SHA1: 85bdfb271923dcd97d006180d1d68acd76eb8633 MD5: a4b387930e6081c7739f28bf77f2ce4a
M20-cm0l1	Gandcrab_a1458bf8	Windows	This strike sends a malware sample known as Gandcrab. GandCrab is ransomware that encrypts documents, photos, databases and other important files typically using the file extension ".GDCB," ".CRAB" or ".KRAB." GandCrab is spread through both traditional spam campaigns, as well as multiple exploit kits, including Rig and GrandSoft.	a1458bf8e676667471b8ebddc42123ab	https://blog.talosintelligence.com/2020/09/threat-roundup-0904-0911.html SHA256: 0ba338f0917356577dc6c00217ef973395e83f952031ca3df1bd2a1f14ffce89 SHA1: 7402e469dfd8e8832b3e7b9500adba37dfd9c58d MD5: a1458bf8e676667471b8ebddc42123ab
M20-ya871	Arkei_05fdf040	Windows	This strike sends a polymorphic malware sample known as Arkei. Arkei is an information-stealing malware that collects passwords, credit card information and web browser cookies.The binary has random contents appended in one of the existing sections in the PE file format.	05fdf0408dd7e5ba480e1d62a5843466	https://arxiv.org/abs/1801.08917 SHA256: 947c426d720811188724ac0ed0bc5ea7c32f512d8650cc8564943e7a89134dfd SHA1: 2b0d4081816af66a5bbcaf262216b6d1528135ea PARENTID: M20-c7nd1 SSDEEP: 3072:AjBiNsFBUawG9dY5AfhTQavJckkZ/p3dyBnfJ6hoPRO/:0iyxwG9C5AuaWXP3IBnBNPRO/ MD5: 05fdf0408dd7e5ba480e1d62a5843466
M20-jzqb1	Razy_48693a04	Windows	This strike sends a malware sample known as Razy. Razy is often used as a generic detection name for a Windows trojan. This cluster of samples contains encrypted code in the resources section that could be injected to a legitimate process.	48693a04e8279cf484232dddda0373eb	https://blog.talosintelligence.com/2020/09/threat-roundup-0904-0911.html SHA256: 225a8e97056d1f80ce1ff761b5826fdaa5f1e302ee6a1187cf0cd46298d7c37a SHA1: 714af9dfa8407513104aa600ca88496b368cfc2f MD5: 48693a04e8279cf484232dddda0373eb
M20-6n4t1	Shiz_6d3cbc15	Windows	This strike sends a malware sample known as Shiz. Shiz is a remote access trojan that allows an attacker to access an infected machine to harvest sensitive information like application passwords and browser cookies.	6d3cbc15a8831097e04672b19add433f	https://blog.talosintelligence.com/2020/09/threat-roundup-0911-0918.html SHA256: f3457979390343ca08458f68005cc84af0ed08b9594e65d45d3a6b8e5c287376 SHA1: c15ab40e0d101b106bbb0cdbfc019c13e4f6e9ef MD5: 6d3cbc15a8831097e04672b19add433f
M20-ruot1	Emotet_3da98789	Mixed	This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails.	3da9878997705570052d1a3ae3270671	https://blog.talosintelligence.com/2020/09/threat-roundup-0904-0911.html SHA256: 17922392a72894af5fc275928a401d843f296d08934821be606ef25268767162 SHA1: 9a9c79c2c556129209f075f62f6605efa8f2c0dc MD5: 3da9878997705570052d1a3ae3270671
M20-mrsf1	Joker_b0dce678	Mixed	This strike sends a malware sample known as Joker. Joker is a billing fraud family of malware. It looks like a legitimate app, and often times bypasses Google Play's security protections. Once executed it steals SMS messages, contact lists and device information; as well as signs the victim up for premium service subscriptions to siphon money. Recent variants hide malicious code inside the Android Manifest of a legitimate application.	b0dce6785bb79f271611b69a7ea81f71	https://threatpost.com/joker-android-malware-dupes-its-way-back-onto-google-play/157307/ SHA256: 0d9a5dc012078ef41ae9112554cefbc4d88133f1e40a4c4d52decf41b54fc830 SHA1: 9a75fa84f5eb357111077b86e4c6f68cc5348e31 MD5: b0dce6785bb79f271611b69a7ea81f71
M20-8yqz1	Arkei_55a7ecd0	Windows	This strike sends a polymorphic malware sample known as Arkei. Arkei is an information-stealing malware that collects passwords, credit card information and web browser cookies.The binary has random bytes appended at the end of the file.	55a7ecd0c065b3f57347ab2737a44295	https://attack.mitre.org/techniques/T1009/ SHA256: 88e0c77c0e0079cee4b29c787dbdefcc3d0b7c271e14942d7a0106746e906776 SHA1: 10ad133d20bed4fd15e27f5e85a0f71479f9e851 PARENTID: M20-c7nd1 SSDEEP: 3072:AjBiNsFBUawG9dY5AfhTQavJckkZ/p3dyBnf76hoPRO/3:0iyxwG9C5AuaWXP3IBnjNPRO/3 MD5: 55a7ecd0c065b3f57347ab2737a44295
M20-uqsm1	Arkei_0f6b5657	Windows	This strike sends a malware sample known as Arkei. Arkei is an information-stealing malware that collects passwords, credit card information and web browser cookies.	0f6b5657da0ffc54ac13fc4ce414cf4d	https://blog.talosintelligence.com/2020/09/threat-roundup-0911-0918.html SHA256: 0f29e3c9e5d0d3440649e9f742081b278be83c5b9f76cb65bf06049f180d09ae SHA1: 25fe88adfc55e0d63ed8f3253fd948ae6f2ffa27 MD5: 0f6b5657da0ffc54ac13fc4ce414cf4d
M20-htrl1	Gandcrab_e34a5f17	Windows	This strike sends a malware sample known as Gandcrab. GandCrab is ransomware that encrypts documents, photos, databases and other important files typically using the file extension ".GDCB," ".CRAB" or ".KRAB." GandCrab is spread through both traditional spam campaigns, as well as multiple exploit kits, including Rig and GrandSoft.	e34a5f177d5bb5b8012024708d3f0217	https://blog.talosintelligence.com/2020/09/threat-roundup-0904-0911.html SHA256: 0c80a368fc9d5320b676f065c7fe95d4b2560b7fc557c3b5cd2d52d6cbc107ef SHA1: b58f68e5a557a19c3c3eeee04eb82d53d37627d5 MD5: e34a5f177d5bb5b8012024708d3f0217
M20-llvo1	Emotet_e1c97191	Mixed	This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails.	e1c97191eae9b1537778fc88220c44ed	https://blog.talosintelligence.com/2020/09/threat-roundup-0904-0911.html SHA256: 149a3d53f6065bd1885682a82148193582f678bc6bbeef4c27c0fc96a6112dd7 SHA1: f5c39b475824a439640e71958536aaae30873863 MD5: e1c97191eae9b1537778fc88220c44ed
M20-gsa91	Arkei_167af7b6	Windows	This strike sends a polymorphic malware sample known as Arkei. Arkei is an information-stealing malware that collects passwords, credit card information and web browser cookies.The binary has random bytes appended at the end of the file.	167af7b6ea9eccb08d2071e78ded9c47	https://attack.mitre.org/techniques/T1009/ SHA256: f043effc89970cac58a72b1e4ae6cd60115111ee30ac177d5e48acb35f4a8764 SHA1: 08d1172afe6a323dd4adbdfae60e030f999e53af PARENTID: M20-ovtg1 SSDEEP: 3072:6q3YsRrXrUf3RFh2XintmrKYkv/pacEzDvVROz4:BYsJU3RFKinUOT5aPz5ROz4 MD5: 167af7b6ea9eccb08d2071e78ded9c47
M20-u0ou1	Shiz_277b47f8	Windows	This strike sends a malware sample known as Shiz. Shiz is a remote access trojan that allows an attacker to access an infected machine to harvest sensitive information like application passwords and browser cookies.	277b47f81244411d20903be4d78dd5d9	https://blog.talosintelligence.com/2020/09/threat-roundup-0911-0918.html SHA256: e8688040a73b6393ca931129ac30aa24af9be6e5571f10e01203cb71810147bd SHA1: ca1ff1c161cb11084b74a2ed52da9038144a7192 MD5: 277b47f81244411d20903be4d78dd5d9
M20-yygu1	Shlayer_6ac3ae1c	Mixed	This strike sends a malware sample known as Shlayer. Shlayer is a Trojan family of malware that targets the Mac OS platform. Its main purpose is to infect a system and retrieve additional malware most typically adware. Like most adware, it displays unwanted advertising on the system. Most recently Shlayer has been delivered with Apple notarized applications.	6ac3ae1ccb9038388e492a64ef08e5ec	https://securelist.com/shlayer-for-macos/95724/ https://objective-see.com/blog/blog_0x4E.html SHA256: e530ea35295e9b990e536297637c532e98f32a2de58514cbce0fee625ccc8da6 SHA1: b801963a180d253741be08dfbb7a5ed27964ac14 MD5: 6ac3ae1ccb9038388e492a64ef08e5ec
M20-iyd31	Expiro_c3e02b8e	Windows	This strike sends a malware sample known as Expiro. Expiro is a known file infector and information-stealer that hinders analysis with anti-debugging and anti-analysis tricks.	c3e02b8ec2aee25f4ceac1773696b924	https://blog.talosintelligence.com/2020/09/threat-roundup-0911-0918.html SHA256: a178d3644ef3f1d41b93ccf94aaab483fb87a80aeb1fcf4d944b0cc3d5d80c73 SHA1: 18a9d8a32ac8e952034a4b86d7838988a06ca6cc MD5: c3e02b8ec2aee25f4ceac1773696b924
M20-ej8l1	Razy_77b5096d	Windows	This strike sends a malware sample known as Razy. Razy is often used as a generic detection name for a Windows trojan. This cluster of samples contains encrypted code in the resources section that could be injected to a legitimate process.	77b5096d8ae7e182bf8a36d2349a64e0	https://blog.talosintelligence.com/2020/09/threat-roundup-0904-0911.html SHA256: 48058f6425b28d82fec96109d9371a8c30bb2fdac8c448370ab455013da0edd3 SHA1: 695c0b1897de68bbadd3961dbdeaaa080d5a6f3c MD5: 77b5096d8ae7e182bf8a36d2349a64e0
M20-6g761	Shiz_228ee144	Windows	This strike sends a malware sample known as Shiz. Shiz is a remote access trojan that allows an attacker to access an infected machine to harvest sensitive information like application passwords and browser cookies.	228ee1443e6f972d2cb502a4a030aac5	https://blog.talosintelligence.com/2020/09/threat-roundup-0911-0918.html SHA256: 421fb4e60b5ddf11d5456170224ba935bf033689c1a679d3ace07fea5b00041c SHA1: 87510e0a0ef635a4a7932fd3e6042ca1c729553b MD5: 228ee1443e6f972d2cb502a4a030aac5
M20-2n3f1	Shlayer_b2b51960	Mixed	This strike sends a malware sample known as Shlayer. Shlayer is a Trojan family of malware that targets the Mac OS platform. Its main purpose is to infect a system and retrieve additional malware most typically adware. Like most adware, it displays unwanted advertising on the system. Most recently Shlayer has been delivered with Apple notarized applications.	b2b519602673e27aa40085deb8827bd1	https://securelist.com/shlayer-for-macos/95724/ https://objective-see.com/blog/blog_0x4E.html SHA256: 852ff1b97c1155fc28b14f5633a17de02dcace17bdc5aadf42e2f60226479eaf SHA1: e827f4c1a1790c13cd761cdbf31cd2c0d7b25e55 MD5: b2b519602673e27aa40085deb8827bd1
M20-fon51	Shiz_e7e1bd55	Windows	This strike sends a malware sample known as Shiz. Shiz is a remote access trojan that allows an attacker to access an infected machine to harvest sensitive information like application passwords and browser cookies.	e7e1bd5531ca3ad87a051bac9d1a80d3	https://blog.talosintelligence.com/2020/09/threat-roundup-0911-0918.html SHA256: 5bad643662584c558d2a1d65621928e8681dd9770382820863c9f6d0b4e8ad73 SHA1: 54193aff5385a99dca3312606e76f2df38266d8e MD5: e7e1bd5531ca3ad87a051bac9d1a80d3
M20-sxxu1	Gandcrab_eb5f7771	Windows	This strike sends a malware sample known as Gandcrab. GandCrab is ransomware that encrypts documents, photos, databases and other important files typically using the file extension ".GDCB," ".CRAB" or ".KRAB." GandCrab is spread through both traditional spam campaigns, as well as multiple exploit kits, including Rig and GrandSoft.	eb5f77715eb2a50f1aaf03074f3ad388	https://blog.talosintelligence.com/2020/09/threat-roundup-0904-0911.html SHA256: 0e5a46c96a9ddd3a61f68c19ffda0f9b12c76e1c3e7f2a4c4528d56c498f7828 SHA1: f903a47a0f9fd6d5008d4f1eeda832dd717061e0 MD5: eb5f77715eb2a50f1aaf03074f3ad388
M20-e8k21	Expiro_b947b154	Windows	This strike sends a malware sample known as Expiro. Expiro is a known file infector and information-stealer that hinders analysis with anti-debugging and anti-analysis tricks.	b947b15406b13614d0f8cdeec8564d05	https://blog.talosintelligence.com/2020/09/threat-roundup-0911-0918.html SHA256: b5e655696e1807c5f4ce0f7f86cfe988f92206a5cc0960c9d4d871922551a1bc SHA1: a6d72116bf4f5a1802c3e5ac88c9581e236c23c3 MD5: b947b15406b13614d0f8cdeec8564d05
M20-jl5d1	Shlayer_fefcfc50	Mixed	This strike sends a malware sample known as Shlayer. Shlayer is a Trojan family of malware that targets the Mac OS platform. Its main purpose is to infect a system and retrieve additional malware most typically adware. Like most adware, it displays unwanted advertising on the system. Most recently Shlayer has been delivered with Apple notarized applications.	fefcfc50214786bbbd33ee67abd7f1f3	https://securelist.com/shlayer-for-macos/95724/ https://objective-see.com/blog/blog_0x4E.html SHA256: 97b11ae80b8d4de5c6875de2cc7c164d837f94f8ae313a57fb45cee6c6a1fef8 SHA1: d28d75c9f61d20aa990e80e88ed8f3deb37b7f7f MD5: fefcfc50214786bbbd33ee67abd7f1f3
M20-1rhx1	Joker_87d70b11	Mixed	This strike sends a malware sample known as Joker. Joker is a billing fraud family of malware. It looks like a legitimate app, and often times bypasses Google Play's security protections. Once executed it steals SMS messages, contact lists and device information; as well as signs the victim up for premium service subscriptions to siphon money. Recent variants hide malicious code inside the Android Manifest of a legitimate application.	87d70b118d68b5b8630d09ca3c2083ae	https://threatpost.com/joker-android-malware-dupes-its-way-back-onto-google-play/157307/ SHA256: f90acfa650db3e859a2862033ea1536e2d7a9ff5020b18b19f2b5dfd8dd323b3 SHA1: 9b279a8ee3d1002f9b012fa5105fcbe81be3b6b5 MD5: 87d70b118d68b5b8630d09ca3c2083ae
M20-ukd81	Gandcrab_a01269b3	Windows	This strike sends a malware sample known as Gandcrab. GandCrab is ransomware that encrypts documents, photos, databases and other important files typically using the file extension ".GDCB," ".CRAB" or ".KRAB." GandCrab is spread through both traditional spam campaigns, as well as multiple exploit kits, including Rig and GrandSoft.	a01269b36a5f153ef7c210001e2b071a	https://blog.talosintelligence.com/2020/09/threat-roundup-0904-0911.html SHA256: 0d6b3d50621831eb2ba716d92d91eed97fa6fb3d194175cb2fc59bb6e50b8d3b SHA1: 5e845005c5095019c2c55707c748fc60cefd5e2b MD5: a01269b36a5f153ef7c210001e2b071a
M20-ovtg1	Arkei_f52cb089	Windows	This strike sends a malware sample known as Arkei. Arkei is an information-stealing malware that collects passwords, credit card information and web browser cookies.	f52cb0892baaab89703ab9d4f42a5483	https://blog.talosintelligence.com/2020/09/threat-roundup-0911-0918.html SHA256: 33965321082bfc45696ef27b8aa84b58d0b35cb62bfd6f2d9b499696bd447484 SHA1: 250cd94354b8ec3c66bd3dde0abbe68bc7ff7018 MD5: f52cb0892baaab89703ab9d4f42a5483
M20-3xou1	Gandcrab_8b73329e	Windows	This strike sends a malware sample known as Gandcrab. GandCrab is ransomware that encrypts documents, photos, databases and other important files typically using the file extension ".GDCB," ".CRAB" or ".KRAB." GandCrab is spread through both traditional spam campaigns, as well as multiple exploit kits, including Rig and GrandSoft.	8b73329e7fbe4ea24e9b814c6fe3c61d	https://blog.talosintelligence.com/2020/09/threat-roundup-0904-0911.html SHA256: 11c7e045e19f6a53ff5e904d7250b3218a14431ed5c7ad299668f11717dce3d8 SHA1: bca4f701c34c26a39cdd9d4cfd7156a2e4823ce4 MD5: 8b73329e7fbe4ea24e9b814c6fe3c61d
M20-hfwk1	Shiz_59a089a2	Windows	This strike sends a polymorphic malware sample known as Shiz. Shiz is a remote access trojan that allows an attacker to access an infected machine to harvest sensitive information like application passwords and browser cookies.The binary has the checksum removed in the PE file format.	59a089a2c1cab2bd3f9c733cdc4f96cd	https://arxiv.org/abs/1801.08917 SHA256: d1a41a674b3c71215faa51660c6387ea0bf8d14ec043041011868b58138afacb SHA1: 30513c0d32228fa6d62ad9eb969f57a824ac6596 PARENTID: M20-a5wv1 SSDEEP: 6144:zZRSUUUUUUUUUUUUUUUm7XQgOraXQgOrtmMTYf+3jvneAasScLyzGqiO0z/O8kO/:zZwUUUUUUUUUUUUUUUmpMTYf+3jveA52 MD5: 59a089a2c1cab2bd3f9c733cdc4f96cd
M20-kgyh1	Gandcrab_9c8a7882	Windows	This strike sends a polymorphic malware sample known as Gandcrab. GandCrab is ransomware that encrypts documents, photos, databases and other important files typically using the file extension ".GDCB," ".CRAB" or ".KRAB." GandCrab is spread through both traditional spam campaigns, as well as multiple exploit kits, including Rig and GrandSoft.The binary has random strings (lorem ipsum) appended at the end of the file.	9c8a788266cfa8884798ea6bf37b1b10	https://attack.mitre.org/techniques/T1009/ SHA256: b4ad2e1bbd01656e7c5b37693600dcc23344a5f1488baf54b5c781daccdad6a6 SHA1: 6e27f82b083b88c60f4b9b58e39c5bb2d3f289df PARENTID: M20-sxxu1 SSDEEP: 3072:fgzlmnQjGjtA77nRw3u04PbvZDV/y9afXqTXnCBNcESnrbieOVL5M:fi777Rw2hpy9afajnCBwrbTO9M MD5: 9c8a788266cfa8884798ea6bf37b1b10
M20-mc6o1	Emotet_d206510e	Mixed	This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails.	d206510eee9c015251b40bdb0b3af3c5	https://blog.talosintelligence.com/2020/09/threat-roundup-0904-0911.html SHA256: 220732c38506e7c51e3f0c1f27a142052b52c1a5306c0991acf7de311b7c8e2a SHA1: 9a75a512f40c5bd5eb5ddefd80a765d683086f0c MD5: d206510eee9c015251b40bdb0b3af3c5
M20-m4981	KryptoCibule_3165d2f5	Windows	This strike sends a malware sample known as KryptoCibule. KryptoCibule is a new malware family that uses the victim resources to mine coins. It tries to hijack transactions by replacing wallet addresses in the clipboard, and exfiltrates cryptocurrency-related files, all while deploying multiple techniques to avoid detection.	3165d2f5d802226b0dd8d3ccc8336110	https://www.welivesecurity.com/2020/09/02/kryptocibule-multitasking-multicurrency-cryptostealer/ https://www.zdnet.com/article/new-kryptocibule-windows-malware-is-a-triple-threat-for-cryptocurrency-users/ SHA256: 5ee586a836049b22a90d5cabf3c2a29a2626ce96c55397bf36cc9024a2e6b430 SHA1: 3bcef852639f85803974943fc34eff2d6d7d916d MD5: 3165d2f5d802226b0dd8d3ccc8336110
M20-s1ve1	Arkei_1df03fa3	Windows	This strike sends a malware sample known as Arkei. Arkei is an information-stealing malware that collects passwords, credit card information and web browser cookies.	1df03fa342958648b48b9369be8ff9b3	https://blog.talosintelligence.com/2020/09/threat-roundup-0911-0918.html SHA256: 0fd077d6c5fa7bc948c64262b0f277bc7152b6ca9b05958af7f059a6a9bf1f35 SHA1: d4e335c2bb11332ee86e53be87c8967e6c286985 MD5: 1df03fa342958648b48b9369be8ff9b3
M20-5twq1	Emotet_20ad8937	Mixed	This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails.	20ad893754a3df823fa368fe84e51a8a	https://blog.talosintelligence.com/2020/09/threat-roundup-0904-0911.html SHA256: 2de44ef1df4fcc293491c9c21c8c5a42a0f335f6383ae96e0ef06ea76ba13c6c SHA1: 3db8d8ba1bf2573edd0cf1ef297ecda9f5c07269 MD5: 20ad893754a3df823fa368fe84e51a8a
M20-e91o1	Shiz_36cda7c7	Windows	This strike sends a malware sample known as Shiz. Shiz is a remote access trojan that allows an attacker to access an infected machine to harvest sensitive information like application passwords and browser cookies.	36cda7c70419a9c2d08cb110dd58b099	https://blog.talosintelligence.com/2020/09/threat-roundup-0911-0918.html SHA256: 80b48015c935dd1a4f3ce47e896c74321de60510b11b171ac937afd983c3e4a3 SHA1: 0e014b38f0d85852f736b848c362fb8caf4df5bb MD5: 36cda7c70419a9c2d08cb110dd58b099
M20-0jak1	Gandcrab_a2ea3a19	Windows	This strike sends a malware sample known as Gandcrab. GandCrab is ransomware that encrypts documents, photos, databases and other important files typically using the file extension ".GDCB," ".CRAB" or ".KRAB." GandCrab is spread through both traditional spam campaigns, as well as multiple exploit kits, including Rig and GrandSoft.	a2ea3a1987942abe4d79b75d8676d2ad	https://blog.talosintelligence.com/2020/09/threat-roundup-0904-0911.html SHA256: 08db1e474efd740dcbf6a0fac4dc93ca77bc803eef8e5ebdf85ff5495800d007 SHA1: 189763719ab2a36e82d38f9a1322781565fc39bc MD5: a2ea3a1987942abe4d79b75d8676d2ad
M20-5uzi1	Gandcrab_9bfb2b63	Windows	This strike sends a polymorphic malware sample known as Gandcrab. GandCrab is ransomware that encrypts documents, photos, databases and other important files typically using the file extension ".GDCB," ".CRAB" or ".KRAB." GandCrab is spread through both traditional spam campaigns, as well as multiple exploit kits, including Rig and GrandSoft.The binary has random contents appended in one of the existing sections in the PE file format.	9bfb2b6312ba962055b988777e1ee99c	https://arxiv.org/abs/1801.08917 SHA256: 42e6312dadf15c1215d67ffda85374b3b80f802b524a6075559d8ea5e12feb3f SHA1: 83cc7f73ecb9f241c61f8b300a04ed9684d7cb8e PARENTID: M20-sxxu1 SSDEEP: 3072:fgzlmnQjGjtA77nRw3u0qPbvZDV/y9afXqTXnCBNcESnrbieOVL5:fi777RwYhpy9afajnCBwrbTO9 MD5: 9bfb2b6312ba962055b988777e1ee99c
M20-3osl1	Joker_c8e8080c	Mixed	This strike sends a malware sample known as Joker. Joker is a billing fraud family of malware. It looks like a legitimate app, and often times bypasses Google Play's security protections. Once executed it steals SMS messages, contact lists and device information; as well as signs the victim up for premium service subscriptions to siphon money. Recent variants hide malicious code inside the Android Manifest of a legitimate application.	c8e8080c1365da6dc340edc17d86f674	https://threatpost.com/joker-android-malware-dupes-its-way-back-onto-google-play/157307/ SHA256: 5ada05f5c6bbabb5474338084565893afa624e0115f494e1c91f48111cbe99f3 SHA1: f90e3487177dc8556c54b836e74e6419ea0f533b MD5: c8e8080c1365da6dc340edc17d86f674
M20-3txg1	Gandcrab_e7a61e47	Windows	This strike sends a polymorphic malware sample known as Gandcrab. GandCrab is ransomware that encrypts documents, photos, databases and other important files typically using the file extension ".GDCB," ".CRAB" or ".KRAB." GandCrab is spread through both traditional spam campaigns, as well as multiple exploit kits, including Rig and GrandSoft.The binary has a random section name renamed according to the PE format specification.	e7a61e4706cc30fd9fce858d4461a7fb	https://arxiv.org/abs/1801.08917 SHA256: 393df63d9d9325f174819d5dc1a7a974dd16d3bfabd03aa2cddc4ff3bc7ef0f8 SHA1: ab83543bae1c0bb13eaee1789d7f1ad9e1bffb08 PARENTID: M20-xzln1 SSDEEP: 3072:MgzlmnQjGjtA77nRw3u04PbvZDV/y9afXqTXnCBNcESnrbieOVL5:Mi777Rw2hpy9afajnCBwrbTO9 MD5: e7a61e4706cc30fd9fce858d4461a7fb
M20-dtna1	Expiro_c54812ff	Windows	This strike sends a malware sample known as Expiro. Expiro is a known file infector and information-stealer that hinders analysis with anti-debugging and anti-analysis tricks.	c54812ffecccb9d42b6af9d85329fb10	https://blog.talosintelligence.com/2020/09/threat-roundup-0911-0918.html SHA256: 38ee02819c5d7d6a0336730be9aee691c42d12d09b5982197a4bbc7fc411374e SHA1: 7a1dcb967dd970f5555eda86079e41a8c8c7e18e MD5: c54812ffecccb9d42b6af9d85329fb10
M20-gbfr1	Expiro_c47b8c02	Windows	This strike sends a malware sample known as Expiro. Expiro is a known file infector and information-stealer that hinders analysis with anti-debugging and anti-analysis tricks.	c47b8c02e838398bf9a3afc757fdb802	https://blog.talosintelligence.com/2020/09/threat-roundup-0911-0918.html SHA256: 21a5c373438de8a85a6bf798b24406a7658c0ac376d8820341dc5b973fb6bfde SHA1: 0940b3a6ee7e4e4bea27c361ef6e85108b41101e MD5: c47b8c02e838398bf9a3afc757fdb802
M20-ut1e1	Shiz_4cc39df1	Windows	This strike sends a malware sample known as Shiz. Shiz is a remote access trojan that allows an attacker to access an infected machine to harvest sensitive information like application passwords and browser cookies.	4cc39df1f7950b7883fd861af127afd4	https://blog.talosintelligence.com/2020/09/threat-roundup-0911-0918.html SHA256: ffbc0f6d023ed357af6eeb674e3c451831068403a52bc7fe94a67c99356c4ca3 SHA1: 1d2532c626b052b4504a353ae0bf7457f0128211 MD5: 4cc39df1f7950b7883fd861af127afd4
M20-0ege1	Joker_d1a2ee8a	Mixed	This strike sends a malware sample known as Joker. Joker is a billing fraud family of malware. It looks like a legitimate app, and often times bypasses Google Play's security protections. Once executed it steals SMS messages, contact lists and device information; as well as signs the victim up for premium service subscriptions to siphon money. Recent variants hide malicious code inside the Android Manifest of a legitimate application.	d1a2ee8a66fa0d90477e29cc35a84ba9	https://threatpost.com/joker-android-malware-dupes-its-way-back-onto-google-play/157307/ SHA256: 46a5fb5d44e126bc9758a57e9c80e013cac31b3b57d98eae66e898a264251f47 SHA1: 873d72701d49676c4bf8e70eefc9394fecbe3b8d MD5: d1a2ee8a66fa0d90477e29cc35a84ba9
M20-ij2p1	Gandcrab_dd6e6968	Windows	This strike sends a malware sample known as Gandcrab. GandCrab is ransomware that encrypts documents, photos, databases and other important files typically using the file extension ".GDCB," ".CRAB" or ".KRAB." GandCrab is spread through both traditional spam campaigns, as well as multiple exploit kits, including Rig and GrandSoft.	dd6e6968b41bfe67b1eb6ca06009e029	https://blog.talosintelligence.com/2020/09/threat-roundup-0904-0911.html SHA256: 0a6b83a865695ba7a5baf6337c115cd06358085cd2c174806fbd75837ffb49d7 SHA1: b363633bdfb62b19e8b048f415703d92bbd0d559 MD5: dd6e6968b41bfe67b1eb6ca06009e029
M20-yxpi1	Expiro_a96008e0	Windows	This strike sends a malware sample known as Expiro. Expiro is a known file infector and information-stealer that hinders analysis with anti-debugging and anti-analysis tricks.	a96008e0c13b46ba555464e1b9fc681f	https://blog.talosintelligence.com/2020/09/threat-roundup-0911-0918.html SHA256: cb08c29f457ad766d086cff777eed87baa4796c4f29bb92239f99107ecaded91 SHA1: 77b9462650e927b00c1f696e11349c3196397281 MD5: a96008e0c13b46ba555464e1b9fc681f
M20-1rp32	Emotet_0b422cc0	Mixed	This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails.	0b422cc0719a274d2da0e23d68091b41	https://blog.talosintelligence.com/2020/09/threat-roundup-0904-0911.html SHA256: 274602404a722f0dc7b82c61d520573d1f9a010d174f4685b59899a4158cde5b SHA1: ade83fdb62a61f10f6d7563c29c924f9c31b2cdf MD5: 0b422cc0719a274d2da0e23d68091b41
M20-ciyx1	Razy_faffdf7c	Windows	This strike sends a malware sample known as Razy. Razy is often used as a generic detection name for a Windows trojan. This cluster of samples contains encrypted code in the resources section that could be injected to a legitimate process.	faffdf7c523de20379785fdbebf179f0	https://blog.talosintelligence.com/2020/09/threat-roundup-0904-0911.html SHA256: 62ac5775145716be2f3799face7ac9c5229122b93b3839e03f63334f548f0cac SHA1: 524c510d4e91b12e725fa3607397ad3ef13aa309 MD5: faffdf7c523de20379785fdbebf179f0
M20-1cs11	Shiz_5bc37cdd	Windows	This strike sends a polymorphic malware sample known as Shiz. Shiz is a remote access trojan that allows an attacker to access an infected machine to harvest sensitive information like application passwords and browser cookies.The binary has random bytes appended at the end of the file.	5bc37cddf1f3be9ad2f6d194a7206879	https://attack.mitre.org/techniques/T1009/ SHA256: 5d383bcaccf72ffdee57e36e02181b46bfb319ff0708878a2415bbbcf5a01172 SHA1: b5e66c9f96c85513af91dfe7c2f1fce0c1990f25 PARENTID: M20-i59h1 SSDEEP: 6144:HZRSUUUUUUUUUUUUUUUm7XQgOraXQgOrtfi9jcxm6rPIXTTW:HZwUUUUUUUUUUUUUUUmg46jIX+ MD5: 5bc37cddf1f3be9ad2f6d194a7206879
M20-gcg91	Arkei_d73ec126	Windows	This strike sends a malware sample known as Arkei. Arkei is an information-stealing malware that collects passwords, credit card information and web browser cookies.	d73ec12627a319b61bf8f248c6516262	https://blog.talosintelligence.com/2020/09/threat-roundup-0911-0918.html SHA256: 039d7013364ec66261347c7f055ced54bf256ea3f5a018d31b066449bf4b014b SHA1: 7e5fd6bb1f293845584e4cd7decae53ccad88829 MD5: d73ec12627a319b61bf8f248c6516262
M20-7qwp1	Shlayer_04e7bae9	Mixed	This strike sends a malware sample known as Shlayer. Shlayer is a Trojan family of malware that targets the Mac OS platform. Its main purpose is to infect a system and retrieve additional malware most typically adware. Like most adware, it displays unwanted advertising on the system. Most recently Shlayer has been delivered with Apple notarized applications.	04e7bae95f86118fd5e347ee43537b06	https://securelist.com/shlayer-for-macos/95724/ https://objective-see.com/blog/blog_0x4E.html SHA256: 1afcea3625c2725a95e87df1d660130a374c29e98624cb9b51b415c9f5c9e305 SHA1: 7f79800951160875b94df94bb834c30ad11a9021 MD5: 04e7bae95f86118fd5e347ee43537b06
M20-v5m81	Gandcrab_e45f0c5d	Windows	This strike sends a malware sample known as Gandcrab. GandCrab is ransomware that encrypts documents, photos, databases and other important files typically using the file extension ".GDCB," ".CRAB" or ".KRAB." GandCrab is spread through both traditional spam campaigns, as well as multiple exploit kits, including Rig and GrandSoft.	e45f0c5d59ce9f66ecbf7f1207e010fc	https://blog.talosintelligence.com/2020/09/threat-roundup-0904-0911.html SHA256: 13909277ca03cbd8231fa197f36486c7b12f9cc78e0a3cfffe735fb2ec0f2909 SHA1: 4f828e2cbcfa45c480f90b3a73f710e7f6f7ecda MD5: e45f0c5d59ce9f66ecbf7f1207e010fc
M20-qom31	Expiro_b167581f	Windows	This strike sends a malware sample known as Expiro. Expiro is a known file infector and information-stealer that hinders analysis with anti-debugging and anti-analysis tricks.	b167581fcb856d403e0c2163ced4a080	https://blog.talosintelligence.com/2020/09/threat-roundup-0911-0918.html SHA256: b9b702693b83d22988ae375b1b080128155c9e36cdb949c261797f2c4960f99b SHA1: 069bb8aea83b059c75aafbfcd9f4e74bc33b58bf MD5: b167581fcb856d403e0c2163ced4a080
M20-h5uq1	Joker_966daec1	Mixed	This strike sends a malware sample known as Joker. Joker is a billing fraud family of malware. It looks like a legitimate app, and often times bypasses Google Play's security protections. Once executed it steals SMS messages, contact lists and device information; as well as signs the victim up for premium service subscriptions to siphon money. Recent variants hide malicious code inside the Android Manifest of a legitimate application.	966daec16869c8bbdfb1243dfc115712	https://threatpost.com/joker-android-malware-dupes-its-way-back-onto-google-play/157307/ SHA256: 2a12084a4195239e67e783888003a6433631359498a6b08941d695c65c05ecc4 SHA1: ab0e7e6ea3c8a77e67f643400d709826092ec770 MD5: 966daec16869c8bbdfb1243dfc115712
M20-hnuo1	Razy_0206fb01	Windows	This strike sends a malware sample known as Razy. Razy is often used as a generic detection name for a Windows trojan. This cluster of samples contains encrypted code in the resources section that could be injected to a legitimate process.	0206fb018cf06a3876e7694ccae14151	https://blog.talosintelligence.com/2020/09/threat-roundup-0904-0911.html SHA256: 10544c9619839680f12a58ebf5f9b96468cd311bf05a27ada2362986ccd493e5 SHA1: 9c305334e32f6efdca153f1f1f015ae76795b428 MD5: 0206fb018cf06a3876e7694ccae14151
M20-djt51	Joker_6d0e6a88	Mixed	This strike sends a malware sample known as Joker. Joker is a billing fraud family of malware. It looks like a legitimate app, and often times bypasses Google Play's security protections. Once executed it steals SMS messages, contact lists and device information; as well as signs the victim up for premium service subscriptions to siphon money. Recent variants hide malicious code inside the Android Manifest of a legitimate application.	6d0e6a88f5ec092de6045ac4a5e6219d	https://threatpost.com/joker-android-malware-dupes-its-way-back-onto-google-play/157307/ SHA256: 044514ed2aeb7c0f90e7a9daf60c1562dc21114f29276136036d878ce8f652ca SHA1: c14b4e6e4bce7aab292f3cdd9805ffb1a5cf5209 MD5: 6d0e6a88f5ec092de6045ac4a5e6219d
M20-8dqb1	Gandcrab_22bc40bd	Windows	This strike sends a malware sample known as Gandcrab. GandCrab is ransomware that encrypts documents, photos, databases and other important files typically using the file extension ".GDCB," ".CRAB" or ".KRAB." GandCrab is spread through both traditional spam campaigns, as well as multiple exploit kits, including Rig and GrandSoft.	22bc40bd16d93b14848a4e49b708c8a0	https://blog.talosintelligence.com/2020/09/threat-roundup-0904-0911.html SHA256: 08e8ac381eab35c6f8fedef1c921b3ca0c1fbc862cc8482aa817220fd1800c65 SHA1: 3cb6f2c8cf82bafece5342f46745292ffa662a97 MD5: 22bc40bd16d93b14848a4e49b708c8a0
M20-738i1	Arkei_307dbc09	Windows	This strike sends a polymorphic malware sample known as Arkei. Arkei is an information-stealing malware that collects passwords, credit card information and web browser cookies.The binary has random strings (lorem ipsum) appended at the end of the file.	307dbc0918a2ee073c645d4882f3552b	https://attack.mitre.org/techniques/T1009/ SHA256: c732c4b1a163072ccc6fe37a6c96b65d3147b3c1261979e92af2e2a93a126ea1 SHA1: 42a586337fe5e5485bb6e70ddaa22e57f6fba98c PARENTID: M20-ovtg1 SSDEEP: 3072:6q3YsRrXrUf3RFh2XintmrKYkv/pacEzDvVROzt:BYsJU3RFKinUOT5aPz5ROzt MD5: 307dbc0918a2ee073c645d4882f3552b
M20-0oiu1	Joker_3c5abec5	Mixed	This strike sends a malware sample known as Joker. Joker is a billing fraud family of malware. It looks like a legitimate app, and often times bypasses Google Play's security protections. Once executed it steals SMS messages, contact lists and device information; as well as signs the victim up for premium service subscriptions to siphon money. Recent variants hide malicious code inside the Android Manifest of a legitimate application.	3c5abec5b685809a670dee9b729a9096	https://threatpost.com/joker-android-malware-dupes-its-way-back-onto-google-play/157307/ SHA256: d54dd3ccfc4f0ed5fa6f3449f8ddc37a5eff2a176590e627f9be92933da32926 SHA1: 2cbdd5f9d8ff6f36d3c6bde5232a654025492d86 MD5: 3c5abec5b685809a670dee9b729a9096
M20-i59h1	Shiz_ba522cea	Windows	This strike sends a malware sample known as Shiz. Shiz is a remote access trojan that allows an attacker to access an infected machine to harvest sensitive information like application passwords and browser cookies.	ba522ceacf187c3aee16f32af3031aa4	https://blog.talosintelligence.com/2020/09/threat-roundup-0911-0918.html SHA256: 74bcf9d958ffb06408a4e01aacedfb503f2e484ebf2026ae10c0708132332c6a SHA1: 0048eeb3abec0ed99ca3346462e832aac7ddc508 MD5: ba522ceacf187c3aee16f32af3031aa4
M20-11ij1	Joker_2a7d3d07	Mixed	This strike sends a malware sample known as Joker. Joker is a billing fraud family of malware. It looks like a legitimate app, and often times bypasses Google Play's security protections. Once executed it steals SMS messages, contact lists and device information; as well as signs the victim up for premium service subscriptions to siphon money. Recent variants hide malicious code inside the Android Manifest of a legitimate application.	2a7d3d0734f31eb11397cef2b49225c7	https://threatpost.com/joker-android-malware-dupes-its-way-back-onto-google-play/157307/ SHA256: db43287d1a5ed249c4376ff6eb4a5ae65c63ceade7100229555aebf4a13cebf7 SHA1: e853c6ad4af6a4e3459b9690b64e72a8c59ad9c5 MD5: 2a7d3d0734f31eb11397cef2b49225c7
M20-bhpa1	Arkei_0eed4e7b	Windows	This strike sends a malware sample known as Arkei. Arkei is an information-stealing malware that collects passwords, credit card information and web browser cookies.	0eed4e7bb0e7e3e84b119e1e623b427f	https://blog.talosintelligence.com/2020/09/threat-roundup-0911-0918.html SHA256: 201cc587859c40b56250f600b450274d9e7a083f35391d863cd579e9e4fc378c SHA1: ef49822b5cbb38d460c806e9965f9e8515eb0c94 MD5: 0eed4e7bb0e7e3e84b119e1e623b427f
M20-fmfl1	Shlayer_c4e8f038	Mixed	This strike sends a malware sample known as Shlayer. Shlayer is a Trojan family of malware that targets the Mac OS platform. Its main purpose is to infect a system and retrieve additional malware most typically adware. Like most adware, it displays unwanted advertising on the system. Most recently Shlayer has been delivered with Apple notarized applications.	c4e8f03892756086e9813db09485b0bc	https://securelist.com/shlayer-for-macos/95724/ https://objective-see.com/blog/blog_0x4E.html SHA256: f5e6b93eb5979518df4bb5e9edadd2630317da0986da771c085b653a52f8fcd8 SHA1: b76ed43c69ee366cf653461a735bddf9dfec2027 MD5: c4e8f03892756086e9813db09485b0bc
M20-t5791	Arkei_15712005	Windows	This strike sends a malware sample known as Arkei. Arkei is an information-stealing malware that collects passwords, credit card information and web browser cookies.	157120055c4f2922c52bd5efebf090b7	https://blog.talosintelligence.com/2020/09/threat-roundup-0911-0918.html SHA256: 30522dedbbb52e22c5a663bd9754ba14aaf0f7130a05660566f96f1475611f2a SHA1: 9d0b9f8b74b0e273d00dde8c62c0cbe75633cbb7 MD5: 157120055c4f2922c52bd5efebf090b7
M20-vo3b1	Shlayer_e8a9e861	Mixed	This strike sends a malware sample known as Shlayer. Shlayer is a Trojan family of malware that targets the Mac OS platform. Its main purpose is to infect a system and retrieve additional malware most typically adware. Like most adware, it displays unwanted advertising on the system. Most recently Shlayer has been delivered with Apple notarized applications.	e8a9e8617f6f83729e5c4bec46ad1c77	https://securelist.com/shlayer-for-macos/95724/ https://objective-see.com/blog/blog_0x4E.html SHA256: 3b62518db961771c6028f1cd43257e6efa0c2a6b330e088aa1300841e00c7abb SHA1: 43a44d4f58774157857d04d67a9fef7045dacb2f MD5: e8a9e8617f6f83729e5c4bec46ad1c77

Malware Strikes August - 2020

Strike ID	Malware	Platform	Info	MD5	External References
M20-g0r31	ZeroAccess_8426c0cf	Windows	This strike sends a malware sample known as ZeroAccess. ZeroAccess is a trojan that infects Windows systems, installing a rootkit to hide its presence on the affected machine and serves as a platform for conducting click-fraud campaigns.	8426c0cfafeb261c69b5c08d63724c70	https://blog.talosintelligence.com/2020/08/threat-roundup-0807-0814.html SHA256: 1d5d89235918c062861e244103fa8bc5717edae77286ee15d39c3e83890ff0a0 SHA1: 967bd4f8a2a60e43265dbc8132c835eeb58cfe81 MD5: 8426c0cfafeb261c69b5c08d63724c70
M20-7u8i1	HawkEye_3eb89430	Windows	This strike sends a malware sample known as HawkEye. HawkEye is an information stealing malware that specifically targets usernames and passwords stored by web browsers and mail clients on an infected machine. It is commonly spread via email and can also propagate through removable media.	3eb89430ad1c97dc03a85175299a5a37	https://blog.talosintelligence.com/2020/08/threat-roundup-0807-0814.html SHA256: 9830b084b68d05603ee40063017f69e4044897e2311d9bcaf11e1af6041ad93b SHA1: 09887d2df4e36dba3293946aa728e09c253bfefd MD5: 3eb89430ad1c97dc03a85175299a5a37
M20-bcb41	Cerber_41732f62	Windows	This strike sends a malware sample known as Cerber. Cerber is ransomware that encrypts documents, photos, databases and other important files using the file extension ".cerber.	41732f6244f7d05554fe973021aefcc7	https://blog.talosintelligence.com/2020/08/threat-roundup-0814-0821.html SHA256: 1f2161956d8bb447845b0ef70b514edc31f6f01b1007ee6c7a5ebd77e4331439 SHA1: 83397fbeacff9cef1d1aacbcf87b0b531375cc00 MD5: 41732f6244f7d05554fe973021aefcc7
M20-6g8w1	Cerber_af19eac8	Windows	This strike sends a malware sample known as Cerber. Cerber is ransomware that encrypts documents, photos, databases and other important files using the file extension ".cerber.	af19eac84be5efd362b46e15930cc538	https://blog.talosintelligence.com/2020/08/threat-roundup-0814-0821.html SHA256: 27343c1b2124a0767c1513d568c8cc25aec07ccbe9b136ee7005c63be965e354 SHA1: f09fa67a7c8c3eb5d58547d40d77e36b535844e2 MD5: af19eac84be5efd362b46e15930cc538
M20-u3tc1	HawkEye_9ea93fd1	Windows	This strike sends a malware sample known as HawkEye. HawkEye is an information stealing malware that specifically targets usernames and passwords stored by web browsers and mail clients on an infected machine. It is commonly spread via email and can also propagate through removable media.	9ea93fd1175bb07b354c496ee3a04664	https://blog.talosintelligence.com/2020/08/threat-roundup-0807-0814.html SHA256: 3997379d4c182f45f93e3d7172922a95b5d83de0611134f301760bf6be4cb1e0 SHA1: ad8d53e647840971fd9523411254d1037572d97c MD5: 9ea93fd1175bb07b354c496ee3a04664
M20-t2vk1	ZeroAccess_95ddece9	Windows	This strike sends a malware sample known as ZeroAccess. ZeroAccess is a trojan that infects Windows systems, installing a rootkit to hide its presence on the affected machine and serves as a platform for conducting click-fraud campaigns.	95ddece98d72b8ef206cbcdeb9436653	https://blog.talosintelligence.com/2020/08/threat-roundup-0807-0814.html SHA256: 282c84cd4ab3afc6cff3d5f6e980b6b6430b27c3768841aaf086edb69d98249f SHA1: 536063c15bfe781d48efd10cf53d4d3c711b281d MD5: 95ddece98d72b8ef206cbcdeb9436653
M20-pu4v1	ZeroAccess_cba44d1a	Windows	This strike sends a malware sample known as ZeroAccess. ZeroAccess is a trojan that infects Windows systems, installing a rootkit to hide its presence on the affected machine and serves as a platform for conducting click-fraud campaigns.	cba44d1ad8632bbc2beccf7ff27b743e	https://blog.talosintelligence.com/2020/08/threat-roundup-0807-0814.html SHA256: 15ec244569c18762a6a8e45c3b3ffed7fd9ec1081d67695a5f96c8a8d9f3f58b SHA1: 04658a802887e1a4a9e21457b450c390f6ed8ec7 MD5: cba44d1ad8632bbc2beccf7ff27b743e
M20-bl5b1	ZeroAccess_ffd533f2	Windows	This strike sends a malware sample known as ZeroAccess. ZeroAccess is a trojan that infects Windows systems, installing a rootkit to hide its presence on the affected machine and serves as a platform for conducting click-fraud campaigns.	ffd533f2f95fa70144abf171e18665de	https://blog.talosintelligence.com/2020/08/threat-roundup-0807-0814.html SHA256: 32cc788c4b705b9bed78e2b60c1215276b064f1992781c0910e47804a1f75b51 SHA1: ace077cfef975464ad6332415690135535490366 MD5: ffd533f2f95fa70144abf171e18665de
M20-7q8k1	VHD_e29a03db	Windows	This strike sends a polymorphic malware sample known as VHD.The binary has random contents appended in one of the existing sections in the PE file format. VHD is believed to be a high profile targeted ransomware owned and operated by the Lazarus Group. It encrypts all files on connected devices and deletes folders named "System Volume Information". The program also employs some interesting techniques such as, the ability to stop processes that could be locking important files, a mechanism to resume operations if the encryption process is interrupted, and it's copied and executed through WMI calls.	e29a03dbec644238fa5257311d428694	https://arxiv.org/abs/1801.08917 SHA256: 7b664a13de55f60ed25edd6c1e9a7eadff00d6d15a0a0aceaa9bd9e3bec5ebb4 SHA1: f45c9fb784cc92fa2acd16e2389c61f7961c8452 PARENTID: M20-rpz71 SSDEEP: 1536:CN5P9xb8ZqPbKx3U58YjdZqV355b38poNqa8tCBwFn5B1qMqqU+7upOu4:CN4aEU58oqZ5jT8s+1qMqqD7upOu4 MD5: e29a03dbec644238fa5257311d428694
M20-wvo01	Cerber_d1d5145d	Windows	This strike sends a malware sample known as Cerber. Cerber is ransomware that encrypts documents, photos, databases and other important files using the file extension ".cerber.	d1d5145da3dde367f9a84b3f23c0e399	https://blog.talosintelligence.com/2020/08/threat-roundup-0814-0821.html SHA256: 3de3161efe34122601f3865aff18e56cb873ddcc2adb6b7a8b6c4afaa38ec3e4 SHA1: 412a8cc61864eb67645d212f326159de07ef1e10 MD5: d1d5145da3dde367f9a84b3f23c0e399
M20-y9591	LATENTBOT_d349806e	Windows	This strike sends a malware sample known as LATENTBOT. LATENTBOT is a malware which may be used to harvest credentials, encrypt and ransom an infected target, or wipe the infected hard drive. It has been found in the wild since 2013.	d349806ea1f2af0f447b2c9e20cb88f0	https://www.fireeye.com/blog/threat-research/2015/12/latentbot_trace_me.html SHA256: 77a2389bc9ff7425e3e6a93f2102149c8fea6be51d41d8719fe0a73defeb15e7 SHA1: 5c13fe64b667062b7c97cc079cf364b0fe636b32 MD5: d349806ea1f2af0f447b2c9e20cb88f0
M20-346a1	LATENTBOT_08bb5f82	Windows	This strike sends a malware sample known as LATENTBOT. LATENTBOT is a malware which may be used to harvest credentials, encrypt and ransom an infected target, or wipe the infected hard drive. It has been found in the wild since 2013.	08bb5f82dec4957ad9da12239f606a00	https://www.fireeye.com/blog/threat-research/2015/12/latentbot_trace_me.html SHA256: cd525c392d35a43166b75f1fa578a2d3b6a9a015b6e78da8615756b6afc717ee SHA1: 26296927a32d3de0eb92b1b1d72ce88c2e7c7ba8 MD5: 08bb5f82dec4957ad9da12239f606a00
M20-e7g21	LATENTBOT_a11362a8	Windows	This strike sends a malware sample known as LATENTBOT. LATENTBOT is a malware which may be used to harvest credentials, encrypt and ransom an infected target, or wipe the infected hard drive. It has been found in the wild since 2013.	a11362a8e32b5641e90920729d61b3d4	https://www.fireeye.com/blog/threat-research/2015/12/latentbot_trace_me.html SHA256: 1d3ff6cf195488bdb76d53b21361cd7f948d86199b00db8f506d415cdff690cf SHA1: 8c1381dc44f1aca6768a11f0b489b2f435b99f03 MD5: a11362a8e32b5641e90920729d61b3d4
M20-mvh71	LATENTBOT_56ba76cf	Windows	This strike sends a malware sample known as LATENTBOT. LATENTBOT is a malware which may be used to harvest credentials, encrypt and ransom an infected target, or wipe the infected hard drive. It has been found in the wild since 2013.	56ba76cf35a1121bf83920003c2af825	https://www.fireeye.com/blog/threat-research/2015/12/latentbot_trace_me.html SHA256: c218eeff26478878f93e0f92c47e95f30a9a26c75cef0160557e287ebdc2ce2e SHA1: ef600bf662acea7511178e460985a08e89f8858c MD5: 56ba76cf35a1121bf83920003c2af825
M20-bu9q1	LATENTBOT_1dd0854a	Windows	This strike sends a malware sample known as LATENTBOT. LATENTBOT is a malware which may be used to harvest credentials, encrypt and ransom an infected target, or wipe the infected hard drive. It has been found in the wild since 2013.	1dd0854a73288e833966fde139ffe385	https://www.fireeye.com/blog/threat-research/2015/12/latentbot_trace_me.html SHA256: 39af310076282129e6a38ec5bf784ff9305b5a1787446f01c06992b359a19c05 SHA1: 3abdaa765769195a495f72fd71cd9037e03dd33c MD5: 1dd0854a73288e833966fde139ffe385
M20-82aj1	Cerber_1cb05585	Windows	This strike sends a malware sample known as Cerber. Cerber is ransomware that encrypts documents, photos, databases and other important files using the file extension ".cerber.	1cb05585c3264a6c3c70d9c56c4792ce	https://blog.talosintelligence.com/2020/08/threat-roundup-0814-0821.html SHA256: 4fb0907454e2b6faa947003184878d70555be3073132e677b4606032907ca91f SHA1: fa54cde378d2f45ce09e3eb72eb13369a6575b4b MD5: 1cb05585c3264a6c3c70d9c56c4792ce
M20-2yl01	DOGcall_dc6c2033	Windows	This strike sends a polymorphic malware sample known as DOGcall. DOGcall aslo known as ROKRat is a family of malware that was initially seen from attackers originating from North Korea. The malware has a loader that drops the core payload. This sample is the final payload, and it is a Remote Access Trojan that provides the attacker with a number of functions including data exfiltration, credential harvesting, screenshots of the system, and communicating with a remote C2 server for additional received commands.The binary has random contents appended in one of the existing sections in the PE file format.	dc6c20333f94a04c6cdea4fe9211ac09	https://arxiv.org/abs/1801.08917 SHA256: 3c79fbaaa59377075068e6f0d6a8835c558e396bf4c3604ce7a431be67b424eb SHA1: ebc79c9c4b1a59f1f59fe59006446938f0fa04de PARENTID: M20-hccx1 SSDEEP: 12288:cbeQm0+6dUlyAcdqfAkMvGpns9gKYLd+NjhzZkZf75:ADuJGv2ns9XRkZfV MD5: dc6c20333f94a04c6cdea4fe9211ac09
M20-iyxr1	ZeroAccess_b5b0b385	Windows	This strike sends a polymorphic malware sample known as ZeroAccess. ZeroAccess is a trojan that infects Windows systems, installing a rootkit to hide its presence on the affected machine and serves as a platform for conducting click-fraud campaigns.The binary has random strings (lorem ipsum) appended at the end of the file.	b5b0b385842df2d28e13532b05996e7b	https://attack.mitre.org/techniques/T1009/ SHA256: 956d07d44f0da1a9356da1a99a6962fef3ea6b3547a0e5acad43389006109a6f SHA1: 37f13f10c94efc9648155a98b987fd70a7743fba PARENTID: M20-slow1 SSDEEP: 3072:rEUIFarjgd+x6FNCYkvRBjtAWyUOJQydy/x0NZDTwb2Rl:rEU8qjc+8DCYGBjtLqHM0Ndb/ MD5: b5b0b385842df2d28e13532b05996e7b
M20-npww1	ZeroAccess_98f3a2ab	Windows	This strike sends a polymorphic malware sample known as ZeroAccess. ZeroAccess is a trojan that infects Windows systems, installing a rootkit to hide its presence on the affected machine and serves as a platform for conducting click-fraud campaigns.The binary has the timestamp field updated in the PE file header.	98f3a2ab6191279de94de7a956c53dc5	https://attack.mitre.org/techniques/T1099/ SHA256: 7027f4196799de02cc3e5690d984ac9f1b85d30b77497079a3449f936dfb6c42 SHA1: da00cf1eb1266c084042c067f21dc02401a3a296 PARENTID: M20-vt1r1 SSDEEP: 3072:8ENUaxmelEAzhZ8mwoLt/JVUP0ef3obqHHO4Zmw8yP/40tZDTwb2Im:8ENUxovX8mwoLt/LUP0Id4DZ0tdb MD5: 98f3a2ab6191279de94de7a956c53dc5
M20-7qok1	HawkEye_65e73f93	Windows	This strike sends a malware sample known as HawkEye. HawkEye is an information stealing malware that specifically targets usernames and passwords stored by web browsers and mail clients on an infected machine. It is commonly spread via email and can also propagate through removable media.	65e73f938774b6dfadea69ac7cb37193	https://blog.talosintelligence.com/2020/08/threat-roundup-0807-0814.html SHA256: cc967f71c2e3a2c54ce25312ed1087cc34a7e0d42606b4f0d401a7a391f47ecc SHA1: e8564295f82b85875cf89c21d78cc33fce81f1b8 MD5: 65e73f938774b6dfadea69ac7cb37193
M20-ay8h1	ZeroAccess_569b2af9	Windows	This strike sends a malware sample known as ZeroAccess. ZeroAccess is a trojan that infects Windows systems, installing a rootkit to hide its presence on the affected machine and serves as a platform for conducting click-fraud campaigns.	569b2af985cb1f4b9b368444889d13c4	https://blog.talosintelligence.com/2020/08/threat-roundup-0807-0814.html SHA256: 13c49095c22376a2ccb73ebc18e57b8ad8d8fd58997007115b70bb116244d763 SHA1: 63666fdf40ce1f3f68152295ac31b707dcd6562c MD5: 569b2af985cb1f4b9b368444889d13c4
M20-u1nq1	Exorcist_7e415d5a	Windows	This strike sends a malware sample known as Exorcist. Exorcist is a new ransomware as a service that is distributed through Pastebin embedded in a Powershell script that loads itself directly in memory.	7e415d5a1b1235491cb698eb14817d31	https://twitter.com/VK_Intel/status/1286028389518901248 SHA256: a7e27cc38a39ff242da39d05e04b95ea9b656829dfe2e90e8226351da8813d7d SHA1: ca1a94c1be4e51da577e51957428263ca9c0c0ab MD5: 7e415d5a1b1235491cb698eb14817d31
M20-orul1	Cerber_8baa9694	Windows	This strike sends a malware sample known as Cerber. Cerber is ransomware that encrypts documents, photos, databases and other important files using the file extension ".cerber.	8baa96945edfd47b00622762f66af5ff	https://blog.talosintelligence.com/2020/08/threat-roundup-0814-0821.html SHA256: 18c4f60df01b00809a5affabfa5ba04a724e4d4a98ab7e9fb83e9f627aa789e1 SHA1: 5e83b0b872cc03d0d0294145eb5b9539b6392fdc MD5: 8baa96945edfd47b00622762f66af5ff
M20-9mq21	ZeroAccess_0d6be0ae	Windows	This strike sends a polymorphic malware sample known as ZeroAccess. ZeroAccess is a trojan that infects Windows systems, installing a rootkit to hide its presence on the affected machine and serves as a platform for conducting click-fraud campaigns.The binary has random bytes appended at the end of the file.	0d6be0aedd9217ecd67e329f37479768	https://attack.mitre.org/techniques/T1009/ SHA256: 7b38f0975be4bd43c06298c88d31ceee10747423943a9346763dfdaf1887eb9a SHA1: cd3575b62884a79f8c0edce461f1aa435195c62e PARENTID: M20-vt1r1 SSDEEP: 3072:5ENUaxmelEAzhZ8mwoLt/JVUP0ef3obqHHO4Zmw8yP/40tZDTwb2ImE:5ENUxovX8mwoLt/LUP0Id4DZ0tdb0 MD5: 0d6be0aedd9217ecd67e329f37479768
M20-ojwy1	HawkEye_f0d75fb8	Windows	This strike sends a malware sample known as HawkEye. HawkEye is an information stealing malware that specifically targets usernames and passwords stored by web browsers and mail clients on an infected machine. It is commonly spread via email and can also propagate through removable media.	f0d75fb839b44dc8d064b7bf8295f94d	https://blog.talosintelligence.com/2020/08/threat-roundup-0807-0814.html SHA256: 544f6d58158bbc5e36692c74722101571e167a65fe72c70a9d13522b5e72c18a SHA1: 69a163a71a33da5348b70e1e9c4c52c9d0390f21 MD5: f0d75fb839b44dc8d064b7bf8295f94d
M20-zhk41	Cerber_e122bb15	Windows	This strike sends a malware sample known as Cerber. Cerber is ransomware that encrypts documents, photos, databases and other important files using the file extension ".cerber.	e122bb15a9fe5912c2812e5517760477	https://blog.talosintelligence.com/2020/08/threat-roundup-0814-0821.html SHA256: 5adf50576a375547c4775341535461d49078234283379e17bba88465cd286f7c SHA1: aa9f6a4fcf623b89023da83c23882643cba9b5be MD5: e122bb15a9fe5912c2812e5517760477
M20-vrgu1	ZeroAccess_9be94e1a	Windows	This strike sends a malware sample known as ZeroAccess. ZeroAccess is a trojan that infects Windows systems, installing a rootkit to hide its presence on the affected machine and serves as a platform for conducting click-fraud campaigns.	9be94e1ac5349f1265c0627b48fd0fa6	https://blog.talosintelligence.com/2020/08/threat-roundup-0807-0814.html SHA256: 32444739f82129df10cb9ec20b0efff24fde19415e4829edfad35d0eca9e37bf SHA1: a75278c4f71417018528369df3365954971ca9b4 MD5: 9be94e1ac5349f1265c0627b48fd0fa6
M20-hrez1	Cerber_ae6e64f2	Windows	This strike sends a malware sample known as Cerber. Cerber is ransomware that encrypts documents, photos, databases and other important files using the file extension ".cerber.	ae6e64f2fe99eea396b7167192c091f8	https://blog.talosintelligence.com/2020/08/threat-roundup-0814-0821.html SHA256: 6959e3521c3ce4a39a250cfb899f52cc74b6bd1a7a1ba4ee03d4766210346fa3 SHA1: f9cda58cf62557085ac86bf0ced62570644a0a66 MD5: ae6e64f2fe99eea396b7167192c091f8
M20-xvpr1	ZeroAccess_194fc911	Windows	This strike sends a malware sample known as ZeroAccess. ZeroAccess is a trojan that infects Windows systems, installing a rootkit to hide its presence on the affected machine and serves as a platform for conducting click-fraud campaigns.	194fc911595fb4024d0e008946ec6b18	https://blog.talosintelligence.com/2020/08/threat-roundup-0807-0814.html SHA256: 1cce1a38e7ded5ab7d23928b730f514ac05c6c97107e89e293ac7590cc84b455 SHA1: fe986ea201862dff2bef345418835052910a502a MD5: 194fc911595fb4024d0e008946ec6b18
M20-0dl21	LATENTBOT_5446022c	Windows	This strike sends a malware sample known as LATENTBOT. LATENTBOT is a malware which may be used to harvest credentials, encrypt and ransom an infected target, or wipe the infected hard drive. It has been found in the wild since 2013.	5446022c6d14a45fd6ef412a2d6601c5	https://www.fireeye.com/blog/threat-research/2015/12/latentbot_trace_me.html SHA256: cb2c0ea31f33540ea223b777888d3580d32ba8ed73519ea6fafcda5238a0772d SHA1: 08fb0245cadb2a0ee74aec2b7099d0377308993c MD5: 5446022c6d14a45fd6ef412a2d6601c5
M20-vt1r1	ZeroAccess_9ea002e2	Windows	This strike sends a malware sample known as ZeroAccess. ZeroAccess is a trojan that infects Windows systems, installing a rootkit to hide its presence on the affected machine and serves as a platform for conducting click-fraud campaigns.	9ea002e2ac906ab1aeaa2c85486955bd	https://blog.talosintelligence.com/2020/08/threat-roundup-0807-0814.html SHA256: 3730b1bedfa415b29e894ec046500518632997a3891757b70bf3d78d2c4bc879 SHA1: ed42de3f8149f331326198a0b4d29a3c197cd358 MD5: 9ea002e2ac906ab1aeaa2c85486955bd
M20-e4ls1	ZeroAccess_2d3ecd00	Windows	This strike sends a malware sample known as ZeroAccess. ZeroAccess is a trojan that infects Windows systems, installing a rootkit to hide its presence on the affected machine and serves as a platform for conducting click-fraud campaigns.	2d3ecd0011581f113735ffd46ef8fc22	https://blog.talosintelligence.com/2020/08/threat-roundup-0807-0814.html SHA256: 2bf2b2f2b05ce861866ce6037f249676386d188a9167690cccc80ecc2bcc84c6 SHA1: 94527d0d3644cf701459bcc337a7208be0af2f8c MD5: 2d3ecd0011581f113735ffd46ef8fc22
M20-rrh02	ZeroAccess_8f15b013	Windows	This strike sends a malware sample known as ZeroAccess. ZeroAccess is a trojan that infects Windows systems, installing a rootkit to hide its presence on the affected machine and serves as a platform for conducting click-fraud campaigns.	8f15b0136b3fbc214755ac1fa2f3347e	https://blog.talosintelligence.com/2020/08/threat-roundup-0807-0814.html SHA256: 30748c87416d2c5f6a711a2f2f84d585062f709225ccf691f86ea498cdeacba3 SHA1: 5d9dd74e93e1adfe33683d33e3ae04db099997ed MD5: 8f15b0136b3fbc214755ac1fa2f3347e
M20-qkxm1	Exorcist_cb3a1463	Windows	This strike sends a malware sample known as Exorcist. Exorcist is a new ransomware as a service that is distributed through Pastebin embedded in a Powershell script that loads itself directly in memory.	cb3a1463f4fd3e74b8f1ca5e73b81816	https://twitter.com/VK_Intel/status/1286028389518901248 SHA256: 8da469200a4b3899b23a34232eec537f12c621aa3c8766a9745d8ff721ef5296 SHA1: 2007db72d68b6c63e906aa625196a3b4ddd01a51 MD5: cb3a1463f4fd3e74b8f1ca5e73b81816
M20-i5sh1	ZeroAccess_49158788	Windows	This strike sends a malware sample known as ZeroAccess. ZeroAccess is a trojan that infects Windows systems, installing a rootkit to hide its presence on the affected machine and serves as a platform for conducting click-fraud campaigns.	49158788220d59f7692de831f7e64175	https://blog.talosintelligence.com/2020/08/threat-roundup-0807-0814.html SHA256: 13459c39decf77e6570f70a4452ca88b44b890800970bff0ca8b4ccf168db12e SHA1: b9c7532182724ddde73eb8005f1813fb906aecb4 MD5: 49158788220d59f7692de831f7e64175
M20-tytl1	Cerber_d08b6626	Windows	This strike sends a malware sample known as Cerber. Cerber is ransomware that encrypts documents, photos, databases and other important files using the file extension ".cerber.	d08b6626b95874a16a0b4aee087b9536	https://blog.talosintelligence.com/2020/08/threat-roundup-0814-0821.html SHA256: 29b05e9f79e56a480421ca565d2ae57b6db6e6b54e15d603534686bbde6c5759 SHA1: 0fbca35bbdbf0037802c1b1be663f5bf606a69f8 MD5: d08b6626b95874a16a0b4aee087b9536
M20-j69i1	Exorcist_8cc13fea	Windows	This strike sends a malware sample known as Exorcist. Exorcist is a new ransomware as a service that is distributed through Pastebin embedded in a Powershell script that loads itself directly in memory.	8cc13fea61cc0ba1382a779ee46726f0	https://twitter.com/VK_Intel/status/1286028389518901248 SHA256: eeb8a83d7532797d39d060ffb2a65562e8d803c4dbd8379289f99367cac2f850 SHA1: bd8ef46a02085153605a87fcc047f7ef3d0c4131 MD5: 8cc13fea61cc0ba1382a779ee46726f0
M20-g7mg1	VHD_2d5da841	Windows	This strike sends a polymorphic malware sample known as VHD.The binary has a random section name renamed according to the PE format specification. VHD is believed to be a high profile targeted ransomware owned and operated by the Lazarus Group. It encrypts all files on connected devices and deletes folders named "System Volume Information". The program also employs some interesting techniques such as, the ability to stop processes that could be locking important files, a mechanism to resume operations if the encryption process is interrupted, and it's copied and executed through WMI calls.	2d5da841280f2544e0516cfb40f2a0a9	https://arxiv.org/abs/1801.08917 SHA256: 484f0943385861d91cc0e8bdc7128dacc1b5e367edea906d8fcd1ddf1a268c3d SHA1: 0d4847681799f5aa38876d033156720c44354bb4 PARENTID: M20-rpz71 SSDEEP: 1536:YN5P9xb8ZqPbKx3U58YjdZqV355b38poNqa8tCBwFn5BcqMqqU+7upEu4:YN4aEU58oqZ5jT8s+cqMqqD7upEu4 MD5: 2d5da841280f2544e0516cfb40f2a0a9
M20-ke151	LATENTBOT_af15076a	Windows	This strike sends a malware sample known as LATENTBOT. LATENTBOT is a malware which may be used to harvest credentials, encrypt and ransom an infected target, or wipe the infected hard drive. It has been found in the wild since 2013.	af15076a22576f270af0111b93fe6e03	https://www.fireeye.com/blog/threat-research/2015/12/latentbot_trace_me.html SHA256: 46aaea7273e79f046f7f938941a90c09fa3c04af677ef52f9ce7b1b8a3e40938 SHA1: 02d17707c6f98d84d8d18bc023a2fc5b7529e33e MD5: af15076a22576f270af0111b93fe6e03
M20-wyxj1	LATENTBOT_6ea9d27d	Windows	This strike sends a malware sample known as LATENTBOT. LATENTBOT is a malware which may be used to harvest credentials, encrypt and ransom an infected target, or wipe the infected hard drive. It has been found in the wild since 2013.	6ea9d27d23646fc94e05b8c5e921db99	https://www.fireeye.com/blog/threat-research/2015/12/latentbot_trace_me.html SHA256: 99573b10c10277d3b695f55fa7f0a6dbfd74a5c14393b2fd9edb56a94a6dab2a SHA1: fb7f88abe94b4a0bd31a4bfaffad80db9fca678b MD5: 6ea9d27d23646fc94e05b8c5e921db99
M20-aty01	ZeroAccess_e30a52b5	Windows	This strike sends a malware sample known as ZeroAccess. ZeroAccess is a trojan that infects Windows systems, installing a rootkit to hide its presence on the affected machine and serves as a platform for conducting click-fraud campaigns.	e30a52b5e3ba0ead21a352895e02f83a	https://blog.talosintelligence.com/2020/08/threat-roundup-0807-0814.html SHA256: 06b5a57ea7803b52eb7f6cec3af051dd37127327d060e5247f10f2f31a1a10f2 SHA1: 6fb9a827174baa672fe74cfd9d20185d0e3c8ead MD5: e30a52b5e3ba0ead21a352895e02f83a
M20-vtg21	ZeroAccess_c4c69c5a	Windows	This strike sends a malware sample known as ZeroAccess. ZeroAccess is a trojan that infects Windows systems, installing a rootkit to hide its presence on the affected machine and serves as a platform for conducting click-fraud campaigns.	c4c69c5acd63a6d9be8c893b56b43434	https://blog.talosintelligence.com/2020/08/threat-roundup-0807-0814.html SHA256: 2f8ca4f09c3ae69627663fdcabaf70eb71d1860a6959e8a76c8c80f58690f727 SHA1: c962d49d63a572f20fadc677f305a0371e4fea3c MD5: c4c69c5acd63a6d9be8c893b56b43434
M20-szh91	Cerber_de77b672	Windows	This strike sends a malware sample known as Cerber. Cerber is ransomware that encrypts documents, photos, databases and other important files using the file extension ".cerber.	de77b6722ec5f99fc2e5d562ebb6e864	https://blog.talosintelligence.com/2020/08/threat-roundup-0814-0821.html SHA256: 0712fdbf593406d803bfc4638264b7a5d8dc95316d4988079828106e6f6925e3 SHA1: 446963841c3cea1c203afe003ee7e6108116d9cc MD5: de77b6722ec5f99fc2e5d562ebb6e864
M20-2r9f1	Cerber_a6fe0fda	Windows	This strike sends a malware sample known as Cerber. Cerber is ransomware that encrypts documents, photos, databases and other important files using the file extension ".cerber.	a6fe0fda24d5a34b151ba42d11d3af2b	https://blog.talosintelligence.com/2020/08/threat-roundup-0814-0821.html SHA256: 34959098859ac166ece6bf7c8edc1f28feefa4cec1f26eeb531466449ee4345d SHA1: 1b74e9cb36473bb8c1b7839c708199ccab5fb4c1 MD5: a6fe0fda24d5a34b151ba42d11d3af2b
M20-2k0f1	ZeroAccess_9aa64232	Windows	This strike sends a malware sample known as ZeroAccess. ZeroAccess is a trojan that infects Windows systems, installing a rootkit to hide its presence on the affected machine and serves as a platform for conducting click-fraud campaigns.	9aa64232ca7425b4831bb10687293399	https://blog.talosintelligence.com/2020/08/threat-roundup-0807-0814.html SHA256: 39f354ab2ab87d5232a50faf54945c1d135bacda212cb3e21b8e3707eb5f8372 SHA1: 04fd8e73b0b4483c9bd0e9f14be45c8c05017713 MD5: 9aa64232ca7425b4831bb10687293399
M20-rpz71	VHD_dd00a861	Windows	This strike sends a malware sample known as VHD. VHD is believed to be a high profile targeted ransomware owned and operated by the Lazarus Group. It encrypts all files on connected devices and deletes folders named "System Volume Information". The program also employs some interesting techniques such as, the ability to stop processes that could be locking important files, a mechanism to resume operations if the encryption process is interrupted, and it's copied and executed through WMI calls.	dd00a8610bb84b54e99ae8099db1fc20	https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/ SHA256: 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473 SHA1: 3d31b2f6a6c59194cad3347d08197bd79f020274 MD5: dd00a8610bb84b54e99ae8099db1fc20
M20-ez7x1	ZeroAccess_ba15b25f	Windows	This strike sends a malware sample known as ZeroAccess. ZeroAccess is a trojan that infects Windows systems, installing a rootkit to hide its presence on the affected machine and serves as a platform for conducting click-fraud campaigns.	ba15b25f7eac496cc69525ac079338ff	https://blog.talosintelligence.com/2020/08/threat-roundup-0807-0814.html SHA256: 05b4adf6c681db28bbef8e60349a6763df7be81bcd6e137f90ddbe0856f9cd4d SHA1: 583b68aeca848c03bbd4f8bcafe84876fbb47821 MD5: ba15b25f7eac496cc69525ac079338ff
M20-qtuh1	Cerber_dbe1d59a	Windows	This strike sends a malware sample known as Cerber. Cerber is ransomware that encrypts documents, photos, databases and other important files using the file extension ".cerber.	dbe1d59af02ee4e9ad739f6261b01648	https://blog.talosintelligence.com/2020/08/threat-roundup-0814-0821.html SHA256: 350cafe8a66a3bebfc84fe7c9fc5533a976a476354583e840364e8c9d0ee1cb9 SHA1: e7ed5e94e94faab732346ae8baa1589cf1092d37 MD5: dbe1d59af02ee4e9ad739f6261b01648
M20-x4gi1	HawkEye_a818e1ed	Windows	This strike sends a malware sample known as HawkEye. HawkEye is an information stealing malware that specifically targets usernames and passwords stored by web browsers and mail clients on an infected machine. It is commonly spread via email and can also propagate through removable media.	a818e1ed86f7fa07ac47954694bc91fe	https://blog.talosintelligence.com/2020/08/threat-roundup-0807-0814.html SHA256: aba452ab6580b4ec6182fc8a662c8197496792b5d19af680ccc155d56c36b465 SHA1: 770bf25d96a36b04de90cea8b97526660edb0442 MD5: a818e1ed86f7fa07ac47954694bc91fe
M20-63f21	HawkEye_88b882aa	Windows	This strike sends a malware sample known as HawkEye. HawkEye is an information stealing malware that specifically targets usernames and passwords stored by web browsers and mail clients on an infected machine. It is commonly spread via email and can also propagate through removable media.	88b882aacd9a1ca0f1f7304c21aaae66	https://blog.talosintelligence.com/2020/08/threat-roundup-0807-0814.html SHA256: 249eb266faaf08964a5da1f666a9f0ba2f2dd645a6fd3787c168d7a6e5d4d7b3 SHA1: 0bb017c67f760f747e40be53771201e3141b763d MD5: 88b882aacd9a1ca0f1f7304c21aaae66
M20-m6zl1	LATENTBOT_fa20c7f3	Windows	This strike sends a polymorphic malware sample known as LATENTBOT. LATENTBOT is a malware which may be used to harvest credentials, encrypt and ransom an infected target, or wipe the infected hard drive. It has been found in the wild since 2013.The binary has a random section name renamed according to the PE format specification.	fa20c7f3e1091c12dde319acf4b75b9a	https://arxiv.org/abs/1801.08917 SHA256: f82f5652d0a825a04313512c84f7f806f15d7c375ec3169e7384ed6ff60af1a5 SHA1: 9e0d78cccc353741c0c0a9fa06f3a624bd673ecc PARENTID: M20-5u4k1 SSDEEP: 49152:prG2NAFop+qvBOedFLib4cz8kneCdpUz+P:pWFodvBOaFLiEfoe9z+P MD5: fa20c7f3e1091c12dde319acf4b75b9a
M20-b17z1	ZeroAccess_4c6089f9	Windows	This strike sends a polymorphic malware sample known as ZeroAccess. ZeroAccess is a trojan that infects Windows systems, installing a rootkit to hide its presence on the affected machine and serves as a platform for conducting click-fraud campaigns.The binary has random contents appended in one of the existing sections in the PE file format.	4c6089f91462f9f07d0de266688420e1	https://arxiv.org/abs/1801.08917 SHA256: 1f86e137f43a4c4cd2bd5e647adc1ddd6afea0bea5e1940d9049507d73d63c00 SHA1: f79e25add7b9aded6e062346eefcc26150837999 PARENTID: M20-vt1r1 SSDEEP: 3072:vENUaxmelEAzhZ8mwoLt/JVUP0ef3obqHHO4Zmw8yP/40tZDTwb2Iw:vENUxovX8mwoLt/LUP0Id4DZ0tdb MD5: 4c6089f91462f9f07d0de266688420e1
M20-zdt31	Exorcist_f4009abe	Windows	This strike sends a malware sample known as Exorcist. Exorcist is a new ransomware as a service that is distributed through Pastebin embedded in a Powershell script that loads itself directly in memory.	f4009abe9f41da41e48340c96e29d62c	https://twitter.com/VK_Intel/status/1286028389518901248 SHA256: 6db3aae21a6d80857c85f58c4c8b2cf9c6b7f8b8a9ab1d5496d18eaf9bd0bd01 SHA1: 01636cd2ab7eada533ded51728acd8cd99020c57 MD5: f4009abe9f41da41e48340c96e29d62c
M20-4nn91	ZeroAccess_079c063f	Windows	This strike sends a polymorphic malware sample known as ZeroAccess. ZeroAccess is a trojan that infects Windows systems, installing a rootkit to hide its presence on the affected machine and serves as a platform for conducting click-fraud campaigns.The binary has random bytes appended at the end of the file.	079c063f97182ef3c31dfa5707c9909f	https://attack.mitre.org/techniques/T1009/ SHA256: db38744989f553084e95a5ab04f2a98d1b9f2919d374e8d9a4e2654e0872a875 SHA1: f6310a9a0b2aec8671958c3e2eb8c1c37148b6e9 PARENTID: M20-slow1 SSDEEP: 3072:rEUIFarjgd+x6FNCYkvRBjtAWyUOJQydy/x0NZDTwb2Rj:rEU8qjc+8DCYGBjtLqHM0NdbF MD5: 079c063f97182ef3c31dfa5707c9909f
M20-kykt1	Cerber_4d71d738	Windows	This strike sends a malware sample known as Cerber. Cerber is ransomware that encrypts documents, photos, databases and other important files using the file extension ".cerber.	4d71d738887d2bc046f732bf1f13391c	https://blog.talosintelligence.com/2020/08/threat-roundup-0814-0821.html SHA256: 6edbea75b6b0904f0cbebda821805eeb3af462cde35d9af3d3ecdb6e8145e860 SHA1: 988f8c67b7a4a92dfdfd5c5a045e9441aa11122a MD5: 4d71d738887d2bc046f732bf1f13391c
M20-9x9l1	Exorcist_5a63e7d3	Windows	This strike sends a malware sample known as Exorcist. Exorcist is a new ransomware as a service that is distributed through Pastebin embedded in a Powershell script that loads itself directly in memory.	5a63e7d371dd69c5625f5b48da426c14	https://twitter.com/VK_Intel/status/1286028389518901248 SHA256: b1bcc54ef15f91d9291357eca02862174bd6158e95813eff1ab0c16ba48ff10e SHA1: 63a5bd8b7ed922ad5fe498d2a15a57d1d552055a MD5: 5a63e7d371dd69c5625f5b48da426c14
M20-c42m1	Cerber_b7549aee	Windows	This strike sends a malware sample known as Cerber. Cerber is ransomware that encrypts documents, photos, databases and other important files using the file extension ".cerber.	b7549aee594d32bcc4a8389b77ae412b	https://blog.talosintelligence.com/2020/08/threat-roundup-0814-0821.html SHA256: 413eeaef11563646ef90407e4fdd8e0078f95dfd309fb2ada8728e45befbb313 SHA1: 287f714064835f8b47f20b185194010f4cb27810 MD5: b7549aee594d32bcc4a8389b77ae412b
M20-wnru1	ZeroAccess_539f9f37	Windows	This strike sends a polymorphic malware sample known as ZeroAccess. ZeroAccess is a trojan that infects Windows systems, installing a rootkit to hide its presence on the affected machine and serves as a platform for conducting click-fraud campaigns.The binary has random strings (lorem ipsum) appended at the end of the file.	539f9f377347a58ffde24c5bf659697b	https://attack.mitre.org/techniques/T1009/ SHA256: c2c964b5dd8fe884122198891327bd5e76c5ef32e3e465ae80032f6272fb5995 SHA1: 669642065b1c423d4639d5343d6f57a5c7fd53d0 PARENTID: M20-vt1r1 SSDEEP: 3072:5ENUaxmelEAzhZ8mwoLt/JVUP0ef3obqHHO4Zmw8yP/40tZDTwb2Im8:5ENUxovX8mwoLt/LUP0Id4DZ0tdbs MD5: 539f9f377347a58ffde24c5bf659697b
M20-71wv1	Exorcist_79385ed9	Windows	This strike sends a malware sample known as Exorcist. Exorcist is a new ransomware as a service that is distributed through Pastebin embedded in a Powershell script that loads itself directly in memory.	79385ed97732aee0036e67824de18e28	https://twitter.com/VK_Intel/status/1286028389518901248 SHA256: 8d684a790a5683b8decde9fb5a819c4a164d3032723a151a30ff26d3c2b1aabf SHA1: 2f65a2b8ac21b3505855f7b89551cc1f31bf636e MD5: 79385ed97732aee0036e67824de18e28
M20-98en1	ZeroAccess_218c68ce	Windows	This strike sends a malware sample known as ZeroAccess. ZeroAccess is a trojan that infects Windows systems, installing a rootkit to hide its presence on the affected machine and serves as a platform for conducting click-fraud campaigns.	218c68ce147d4b49365e643806d0b1cb	https://blog.talosintelligence.com/2020/08/threat-roundup-0807-0814.html SHA256: 37762286cb02f4c93d6735764fc0c9c727f8886129a0b017f727c339b08cb39a SHA1: 48a4804b435dd0bd3befe2bfadb7d2587a35b3ec MD5: 218c68ce147d4b49365e643806d0b1cb
M20-rx3d1	Cerber_9f2a535d	Windows	This strike sends a malware sample known as Cerber. Cerber is ransomware that encrypts documents, photos, databases and other important files using the file extension ".cerber.	9f2a535d3d35f990f291c3bbb0c0fc8a	https://blog.talosintelligence.com/2020/08/threat-roundup-0814-0821.html SHA256: 2778aa52eaf8d8fa2950cd2ef50faae6f49c9d7e0c55d813a36613fe63a3be73 SHA1: 12346271cbfebcf4da42e4cbce118eff9455fe61 MD5: 9f2a535d3d35f990f291c3bbb0c0fc8a
M20-k95s1	Cerber_8e3ff00e	Windows	This strike sends a malware sample known as Cerber. Cerber is ransomware that encrypts documents, photos, databases and other important files using the file extension ".cerber.	8e3ff00e2f4ffb177b991b68f8975001	https://blog.talosintelligence.com/2020/08/threat-roundup-0814-0821.html SHA256: 24f656fed8bb0ea0e5cca4422dd61a3b7a2eeeccff942403429f722cfcdef5a3 SHA1: 85cf77cc1d7dd3d3e133f764ae025e8f0fc03e83 MD5: 8e3ff00e2f4ffb177b991b68f8975001
M20-wde81	HawkEye_bc66e2a1	Windows	This strike sends a malware sample known as HawkEye. HawkEye is an information stealing malware that specifically targets usernames and passwords stored by web browsers and mail clients on an infected machine. It is commonly spread via email and can also propagate through removable media.	bc66e2a191d06f12b1a035975660052b	https://blog.talosintelligence.com/2020/08/threat-roundup-0807-0814.html SHA256: 4a3197916ff9e336d191baf4e284407d6774119b733bc194ddc89e649ec1db33 SHA1: d99332f2f99d2ef34cf3b47e2749e63c80237ad7 MD5: bc66e2a191d06f12b1a035975660052b
M20-ebbi1	HawkEye_f4274360	Windows	This strike sends a malware sample known as HawkEye. HawkEye is an information stealing malware that specifically targets usernames and passwords stored by web browsers and mail clients on an infected machine. It is commonly spread via email and can also propagate through removable media.	f4274360fefd50fb219f0ec648bf015e	https://blog.talosintelligence.com/2020/08/threat-roundup-0807-0814.html SHA256: 6f0f235b4b8977922739508a3cda37cb80662f5e3114e9aeb85ff61b60164a3d SHA1: 3faadaf938bd586fe9756a8d123569da5f29e64e MD5: f4274360fefd50fb219f0ec648bf015e
M20-hccx1	DOGcall_394e52e2	Windows	This strike sends a malware sample known as DOGcall. DOGcall aslo known as ROKRat is a family of malware that was initially seen from attackers originating from North Korea. The malware has a loader that drops the core payload. This sample is the final payload, and it is a Remote Access Trojan that provides the attacker with a number of functions including data exfiltration, credential harvesting, screenshots of the system, and communicating with a remote C2 server for additional received commands.	394e52e219feb1a5c403714154048728	https://www.carbonblack.com/blog/threat-analysis-rokrat-malware/ SHA256: 2ca7c2048f247b871e455a9ac8bcb97927dd284477e7c2c4d2454509f97413b5 SHA1: 16468fbc241be27b32ececa645898915e2e4ec94 MD5: 394e52e219feb1a5c403714154048728
M20-n1e61	ZeroAccess_c4e7f9c9	Windows	This strike sends a malware sample known as ZeroAccess. ZeroAccess is a trojan that infects Windows systems, installing a rootkit to hide its presence on the affected machine and serves as a platform for conducting click-fraud campaigns.	c4e7f9c9224801d1811880efb64d1398	https://blog.talosintelligence.com/2020/08/threat-roundup-0807-0814.html SHA256: 0613e2173bfb29e045412fa140712fcefd84c630544d3c56ecab662bc5fcd983 SHA1: f41b58d9e41327b756aa5cf14ed9c56df8248442 MD5: c4e7f9c9224801d1811880efb64d1398
M20-y9411	VHD_fa1f20d9	Windows	This strike sends a polymorphic malware sample known as VHD.The binary has random bytes appended at the end of the file. VHD is believed to be a high profile targeted ransomware owned and operated by the Lazarus Group. It encrypts all files on connected devices and deletes folders named "System Volume Information". The program also employs some interesting techniques such as, the ability to stop processes that could be locking important files, a mechanism to resume operations if the encryption process is interrupted, and it's copied and executed through WMI calls.	fa1f20d928ae60a5dedcd3522dde2252	https://attack.mitre.org/techniques/T1009/ SHA256: 824936d626c2bbfc30da6a6767411ee84a1df8c98b6ac4ea24d5a59ec799a637 SHA1: fac5ca38e4b0152ea6de2cfa4f3c4a47881889ba PARENTID: M20-rpz71 SSDEEP: 1536:CN5P9xb8ZqPbKx3U58YjdZqV355b38poNqa8tCBwFn5BcqMqqU+7upEu46B1:CN4aEU58oqZ5jT8s+cqMqqD7upEu46X MD5: fa1f20d928ae60a5dedcd3522dde2252
M20-sagy1	Cerber_f6486529	Windows	This strike sends a malware sample known as Cerber. Cerber is ransomware that encrypts documents, photos, databases and other important files using the file extension ".cerber.	f6486529e6ae82d03dca5889ff20e8d7	https://blog.talosintelligence.com/2020/08/threat-roundup-0814-0821.html SHA256: 6a49ffcb3ddb3a8912c3f75ae35b846913b6d3cc6303c395f251b3e66ee1621c SHA1: 7327dbc4d9b2315e382fd2b7bbf7614ddf048245 MD5: f6486529e6ae82d03dca5889ff20e8d7
M20-xjvr1	LATENTBOT_4135552b	Windows	This strike sends a malware sample known as LATENTBOT. LATENTBOT is a malware which may be used to harvest credentials, encrypt and ransom an infected target, or wipe the infected hard drive. It has been found in the wild since 2013.	4135552b0045e7d67b26167f43b88a30	https://www.fireeye.com/blog/threat-research/2015/12/latentbot_trace_me.html SHA256: 370ea3f098df7064faf4ee7456588d023b35c497a362add49853e90090f8b6df SHA1: 8f571ebb8b8ca739dade2d0cad262d18db506df7 MD5: 4135552b0045e7d67b26167f43b88a30
M20-opj91	VHD_ccc6026a	Windows	This strike sends a malware sample known as VHD. VHD is believed to be a high profile targeted ransomware owned and operated by the Lazarus Group. It encrypts all files on connected devices and deletes folders named "System Volume Information". The program also employs some interesting techniques such as, the ability to stop processes that could be locking important files, a mechanism to resume operations if the encryption process is interrupted, and it's copied and executed through WMI calls.	ccc6026acf7eadada9adaccab70ca4d6	https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/ SHA256: 73a10be31832c9f1cbbd798590411009da0881592a90feb472e80025dfb0ea79 SHA1: 800c8a12ac05459197256940e32234b9bc2db08b MD5: ccc6026acf7eadada9adaccab70ca4d6
M20-5u4k1	LATENTBOT_47f220f6	Windows	This strike sends a malware sample known as LATENTBOT. LATENTBOT is a malware which may be used to harvest credentials, encrypt and ransom an infected target, or wipe the infected hard drive. It has been found in the wild since 2013.	47f220f6110ecba74a69928c20ce9d3e	https://www.fireeye.com/blog/threat-research/2015/12/latentbot_trace_me.html SHA256: 45aefcd50e62d9d5a9535d9d99f78a5c6725fd7ffcd378ef181d3dbbf2a115a5 SHA1: e88679c01bba1a880e54ce699e1555285ada3619 MD5: 47f220f6110ecba74a69928c20ce9d3e
M20-07gu1	ZeroAccess_49570ea4	Windows	This strike sends a malware sample known as ZeroAccess. ZeroAccess is a trojan that infects Windows systems, installing a rootkit to hide its presence on the affected machine and serves as a platform for conducting click-fraud campaigns.	49570ea4a111bb82d2ae773164f58c04	https://blog.talosintelligence.com/2020/08/threat-roundup-0807-0814.html SHA256: 31cecd5a427756b23d5fc757b7307df03157b53947dd737d345b8e7864ee44ca SHA1: 321c875113e77896a7f415abb4860e2a40742f4f MD5: 49570ea4a111bb82d2ae773164f58c04
M20-ikwy1	ZeroAccess_b2401b9b	Windows	This strike sends a polymorphic malware sample known as ZeroAccess. ZeroAccess is a trojan that infects Windows systems, installing a rootkit to hide its presence on the affected machine and serves as a platform for conducting click-fraud campaigns.The binary has the checksum removed in the PE file format.	b2401b9b875c7259ca8ed1b833c63dea	https://arxiv.org/abs/1801.08917 SHA256: 7ea363fc7e7ff355d212a74b8ff48609b64a0365320fa48ae4df854aca117375 SHA1: 3cc75e0f862c425cd5632daa02869a31e82fb306 PARENTID: M20-vt1r1 SSDEEP: 3072:PENUaxmelEAzhZ8mwoLt/JVUP0ef3obqHHO4Zmw8yP/40tZDTwb2Im:PENUxovX8mwoLt/LUP0Id4DZ0tdb MD5: b2401b9b875c7259ca8ed1b833c63dea
M20-cafi1	HawkEye_3ba7171c	Windows	This strike sends a malware sample known as HawkEye. HawkEye is an information stealing malware that specifically targets usernames and passwords stored by web browsers and mail clients on an infected machine. It is commonly spread via email and can also propagate through removable media.	3ba7171c8836de935a74799291ebca46	https://blog.talosintelligence.com/2020/08/threat-roundup-0807-0814.html SHA256: 15b0c6331f2eff371e176e24c3fe3f30c40c56e56f19412e89718f5f6ad91eda SHA1: 535d5c232fba95d042b3986f82af578edc1b45fb MD5: 3ba7171c8836de935a74799291ebca46
M20-dlsc1	Cerber_aae16290	Windows	This strike sends a malware sample known as Cerber. Cerber is ransomware that encrypts documents, photos, databases and other important files using the file extension ".cerber.	aae16290207f1251b6b9510a50760323	https://blog.talosintelligence.com/2020/08/threat-roundup-0814-0821.html SHA256: 3f92bd7f208dafca5d89a7ba1145836f264336baab457f62269129028eb53ecd SHA1: 76c3fdcc8feb1846b61d2520ccaefbdcea691d10 MD5: aae16290207f1251b6b9510a50760323
M20-2uua1	ZeroAccess_353353e7	Windows	This strike sends a polymorphic malware sample known as ZeroAccess. ZeroAccess is a trojan that infects Windows systems, installing a rootkit to hide its presence on the affected machine and serves as a platform for conducting click-fraud campaigns.The binary has random contents appended in one of the existing sections in the PE file format.	353353e771ca42fea2cb01005485fd8f	https://arxiv.org/abs/1801.08917 SHA256: 3f94f98176abf4ba7545ef1afeed5ba3964dc09fdf31e8c2a5c5d15aff21790e SHA1: e8a636393698a263fcdb92b3171dc34e50cf146b PARENTID: M20-slow1 SSDEEP: 3072:tEUIFarjgd+x6FNCYkvRBjtAWyUOJQydy/x0uZDTwb2R:tEU8qjc+8DCYGBjtLqHM0udb MD5: 353353e771ca42fea2cb01005485fd8f
M20-j5ka1	LATENTBOT_4d0b1402	Windows	This strike sends a malware sample known as LATENTBOT. LATENTBOT is a malware which may be used to harvest credentials, encrypt and ransom an infected target, or wipe the infected hard drive. It has been found in the wild since 2013.	4d0b14024d4a7ffcff25f2a3ce337af8	https://www.fireeye.com/blog/threat-research/2015/12/latentbot_trace_me.html SHA256: b43b45748709d4c332f0487c10cb4e97dfcad63db4d74acce6d85fe90787dcc3 SHA1: 8dc665e939c9f5e301a54ed542b5f01280b266fd MD5: 4d0b14024d4a7ffcff25f2a3ce337af8
M20-8au81	Exorcist_55e43a8a	Windows	This strike sends a polymorphic malware sample known as Exorcist. Exorcist is a new ransomware as a service that is distributed through Pastebin embedded in a Powershell script that loads itself directly in memory.The binary has a random section name renamed according to the PE format specification.	55e43a8a489e4c9756a6375a15b2f102	https://arxiv.org/abs/1801.08917 SHA256: 9d53b77ca6527237bfa47486e9805b2171144fc41ecf38b11db9d9bb538bcf58 SHA1: 44921473ec4473a3e59ce32a45a166a38bf43da2 PARENTID: M20-vxhj1 SSDEEP: 768:Y/w63PwCrEBP+2XES4nrr+nsUeO3za+7dqqtDbruFBT8QFJFmxCTXY+PNqHliQyW:KWQRnrUZJrCgahY+PY1/z MD5: 55e43a8a489e4c9756a6375a15b2f102
M20-than1	ZeroAccess_3a328207	Windows	This strike sends a malware sample known as ZeroAccess. ZeroAccess is a trojan that infects Windows systems, installing a rootkit to hide its presence on the affected machine and serves as a platform for conducting click-fraud campaigns.	3a3282073f5d36d0e2edd18fa20bcb5d	https://blog.talosintelligence.com/2020/08/threat-roundup-0807-0814.html SHA256: 264b224641e979ede2e2c2fdf41a29db5419184e1c589864193fbb373c1bb72b SHA1: fc25611cb856308715e4751d33e6e55e199f9287 MD5: 3a3282073f5d36d0e2edd18fa20bcb5d
M20-u46p1	Exorcist_0d256ab0	Windows	This strike sends a malware sample known as Exorcist. Exorcist is a new ransomware as a service that is distributed through Pastebin embedded in a Powershell script that loads itself directly in memory.	0d256ab0a8b8b7a3b3d4aaf566189ca6	https://twitter.com/VK_Intel/status/1286028389518901248 SHA256: f86e27e58356c554269b93713ea53b797d92359f0abb25bf70fe2de278278f7f SHA1: 2f0142e0f5a21822fd9e391246b6cc470f4089a1 MD5: 0d256ab0a8b8b7a3b3d4aaf566189ca6
M20-9jhi1	Cerber_047b31ba	Windows	This strike sends a malware sample known as Cerber. Cerber is ransomware that encrypts documents, photos, databases and other important files using the file extension ".cerber.	047b31ba3dfe6a21c2249f646b178cc7	https://blog.talosintelligence.com/2020/08/threat-roundup-0814-0821.html SHA256: 03c87da71be399ace0ed9a4ebf95e2b95d32060f273fd8ea8001e25d08cd54dd SHA1: 6266e9c5396a5e8c15b08950ecc46d29eb95c67b MD5: 047b31ba3dfe6a21c2249f646b178cc7
M20-pkgi1	ZeroAccess_c352fae2	Windows	This strike sends a malware sample known as ZeroAccess. ZeroAccess is a trojan that infects Windows systems, installing a rootkit to hide its presence on the affected machine and serves as a platform for conducting click-fraud campaigns.	c352fae2894124a4c4e7e9c5ff99f8e5	https://blog.talosintelligence.com/2020/08/threat-roundup-0807-0814.html SHA256: 3000d4944b8ddc0a992c63129028c40ea1639faf48abc2054e5ca11304fbf7b6 SHA1: 021339ec1dc3850503bbda1c181816d98711ca98 MD5: c352fae2894124a4c4e7e9c5ff99f8e5
M20-d0js1	Exorcist_e763b9a8	Windows	This strike sends a polymorphic malware sample known as Exorcist. Exorcist is a new ransomware as a service that is distributed through Pastebin embedded in a Powershell script that loads itself directly in memory.The binary has been packed using upx packer, with the default options.	e763b9a8460c2dc9a1229d0c8bf71ab4	https://attack.mitre.org/techniques/T1045/ SHA256: a48fec2cd9b43646537f03028cf69c809d6914cc63a36535bd80adae5bb936aa SHA1: 7772956346d9cfbb099f07f82ac12a92cc49d36f PARENTID: M20-vxhj1 SSDEEP: 384:SfGS/SzuVgu+vufbo8YUSCw1et0HXSZFbSSfkZw51VBahZ26UcoUzOpq6:St/3+vuDzzSCw1HXkFiQVB6oUqpp MD5: e763b9a8460c2dc9a1229d0c8bf71ab4
M20-ppaq1	Cerber_53d0d6a8	Windows	This strike sends a malware sample known as Cerber. Cerber is ransomware that encrypts documents, photos, databases and other important files using the file extension ".cerber.	53d0d6a85e1c7722ab507955473438dd	https://blog.talosintelligence.com/2020/08/threat-roundup-0814-0821.html SHA256: 2b2acc6a166aa30ff190af2b95ccbe0b31596f5ddf24661a062630a2eaafe516 SHA1: 2c86944641394951b8ef45046268874ba107c917 MD5: 53d0d6a85e1c7722ab507955473438dd
M20-mkl51	Exorcist_fa4c4ac8	Windows	This strike sends a malware sample known as Exorcist. Exorcist is a new ransomware as a service that is distributed through Pastebin embedded in a Powershell script that loads itself directly in memory.	fa4c4ac8b9c1b14951ae8add855f34e8	https://twitter.com/VK_Intel/status/1286028389518901248 SHA256: bf6e5f9d060ebc5bb70144ca6e795bfc249c6590ab9f45e258ec9b5f3d49eeb6 SHA1: c5049dbdee3aaaf3a794edda02554789a25389bf MD5: fa4c4ac8b9c1b14951ae8add855f34e8
M20-q6ds1	ZeroAccess_7dbfa1f4	Windows	This strike sends a malware sample known as ZeroAccess. ZeroAccess is a trojan that infects Windows systems, installing a rootkit to hide its presence on the affected machine and serves as a platform for conducting click-fraud campaigns.	7dbfa1f42d8fb465ebdf98f564196984	https://blog.talosintelligence.com/2020/08/threat-roundup-0807-0814.html SHA256: 1f261e7108e46792076ed1231596ad584c25f8bd72e000cda3359562f24cbcb6 SHA1: 9ade43d292ccfeea258b7caa954f511cb50177ef MD5: 7dbfa1f42d8fb465ebdf98f564196984
M20-e87q1	ZeroAccess_55d36baa	Windows	This strike sends a polymorphic malware sample known as ZeroAccess. ZeroAccess is a trojan that infects Windows systems, installing a rootkit to hide its presence on the affected machine and serves as a platform for conducting click-fraud campaigns.The binary has the checksum removed in the PE file format.	55d36baac8bea015ef59279f331b6c88	https://arxiv.org/abs/1801.08917 SHA256: 5c7e88ff6a86bb1cf5066b24a48618e09b769c580a0d73a5fcf2388e6a6ce9a4 SHA1: 2cf7aa9f9f6c55b863f839a79306f4c65a282b2d PARENTID: M20-slow1 SSDEEP: 3072:rEUIFarjgd+x6FNCYkvRBjtAWyUOJQydy/x0NZDTwb2R:rEU8qjc+8DCYGBjtLqHM0Ndb MD5: 55d36baac8bea015ef59279f331b6c88
M20-d8pc1	LATENTBOT_5eaf2d54	Windows	This strike sends a polymorphic malware sample known as LATENTBOT. LATENTBOT is a malware which may be used to harvest credentials, encrypt and ransom an infected target, or wipe the infected hard drive. It has been found in the wild since 2013.The binary has the timestamp field updated in the PE file header.	5eaf2d547323c5bbb89290ae1cbf9ab5	https://attack.mitre.org/techniques/T1099/ SHA256: 6fab9d6547e7947cc42bc5e3bae8a8330c1d6d2531d64dc92decd78d52a8e6c6 SHA1: 67fa5dbd25279219127a0a75e10af9152b5200ac PARENTID: M20-bu9q1 SSDEEP: 6144:C6oO0wbHincoS1kM5sLrJwIZHjX9FbjoyS:C6oO0eHacwMSLm0z9lVS MD5: 5eaf2d547323c5bbb89290ae1cbf9ab5
M20-71zh1	ZeroAccess_51d0091f	Windows	This strike sends a malware sample known as ZeroAccess. ZeroAccess is a trojan that infects Windows systems, installing a rootkit to hide its presence on the affected machine and serves as a platform for conducting click-fraud campaigns.	51d0091fd150543df73799749056996f	https://blog.talosintelligence.com/2020/08/threat-roundup-0807-0814.html SHA256: 039f37371da4173924ee5fdaa33dd7429cd56bdc35045c42167f7eed9efb2005 SHA1: 927cb43156cdeafa36c91a14fa41da02e1432da8 MD5: 51d0091fd150543df73799749056996f
M20-lcy71	ZeroAccess_11451aa1	Windows	This strike sends a malware sample known as ZeroAccess. ZeroAccess is a trojan that infects Windows systems, installing a rootkit to hide its presence on the affected machine and serves as a platform for conducting click-fraud campaigns.	11451aa12c105af614f8271381983400	https://blog.talosintelligence.com/2020/08/threat-roundup-0807-0814.html SHA256: 1d9ce6eedd04b81f61b96f3537214e290efef23a3aa2f31a55744a3feaadf4e1 SHA1: e392aff11c833b98bb69022618999c1f49fb19a6 MD5: 11451aa12c105af614f8271381983400
M20-vxhj1	Exorcist_d4d32e75	Windows	This strike sends a malware sample known as Exorcist. Exorcist is a new ransomware as a service that is distributed through Pastebin embedded in a Powershell script that loads itself directly in memory.	d4d32e7583b3fd8363ded73c91ed3d08	https://twitter.com/VK_Intel/status/1286028389518901248 SHA256: 2b37a372626063afce9e08199342a41bbe4183b0d5ba7864ff61eb6e6f7c4fdf SHA1: 4079602dce0fb495ed0ec97c5aea5988127fb50c MD5: d4d32e7583b3fd8363ded73c91ed3d08
M20-kztm1	ZeroAccess_e8a0eeaf	Windows	This strike sends a polymorphic malware sample known as ZeroAccess. ZeroAccess is a trojan that infects Windows systems, installing a rootkit to hide its presence on the affected machine and serves as a platform for conducting click-fraud campaigns.The binary has the timestamp field updated in the PE file header.	e8a0eeaf2c2ef871660694530020cec6	https://attack.mitre.org/techniques/T1099/ SHA256: 7fdf01aa47db1607ba8768155ad497ba5b395cb7692e573cabdaff57775d3e4c SHA1: da0f71420d45f7b8cfcc518d0a5155b70dd0b10a PARENTID: M20-slow1 SSDEEP: 3072:dEUIFarjgd+x6FNCYkvRBjtAWyUOJQydy/x0NZDTwb2R:dEU8qjc+8DCYGBjtLqHM0Ndb MD5: e8a0eeaf2c2ef871660694530020cec6
M20-snny1	ZeroAccess_5752712f	Windows	This strike sends a malware sample known as ZeroAccess. ZeroAccess is a trojan that infects Windows systems, installing a rootkit to hide its presence on the affected machine and serves as a platform for conducting click-fraud campaigns.	5752712ff20c633b34db7207cee893d2	https://blog.talosintelligence.com/2020/08/threat-roundup-0807-0814.html SHA256: 1cbc12777b9265341a1bcb4a4897d875577a7c3dccefda23c0b7c30d78dda71a SHA1: ffe140cbc76c17c2276a9ecd9b15d3aed4d3f938 MD5: 5752712ff20c633b34db7207cee893d2
M20-7dxa1	Cerber_5a381543	Windows	This strike sends a malware sample known as Cerber. Cerber is ransomware that encrypts documents, photos, databases and other important files using the file extension ".cerber.	5a3815434730fab61a38265930c678f9	https://blog.talosintelligence.com/2020/08/threat-roundup-0814-0821.html SHA256: 5ab3a63e8d334368280d566f526718a2a10c95073059a53a9707af0bb74eeb9b SHA1: 6c3e803fa996f51358fbe21cb52e901b76981bf8 MD5: 5a3815434730fab61a38265930c678f9
M20-kl1w1	HawkEye_bd568bca	Windows	This strike sends a malware sample known as HawkEye. HawkEye is an information stealing malware that specifically targets usernames and passwords stored by web browsers and mail clients on an infected machine. It is commonly spread via email and can also propagate through removable media.	bd568bcacc3b34646de7676d03ff741e	https://blog.talosintelligence.com/2020/08/threat-roundup-0807-0814.html SHA256: 705b0cc2a09c0e5c34ad6eb5940263bf281285cdd99078e8766690de3aa28f54 SHA1: 9aa3b889459f717f2cb6e81ef7151867b59630e6 MD5: bd568bcacc3b34646de7676d03ff741e
M20-wqis1	Cerber_c48a35cf	Windows	This strike sends a malware sample known as Cerber. Cerber is ransomware that encrypts documents, photos, databases and other important files using the file extension ".cerber.	c48a35cf1626e9cd2f2a4e5b2493790e	https://blog.talosintelligence.com/2020/08/threat-roundup-0814-0821.html SHA256: 2eeab773c4cc1760a51cf0e0dee6e0fdb0b1e2c5ee81e14a297e379bf4f75fd4 SHA1: 6778da03fbd9e08efce7148e05e9355fd19cf992 MD5: c48a35cf1626e9cd2f2a4e5b2493790e
M20-5s9t1	VHD_efd4a87e	Windows	This strike sends a malware sample known as VHD. VHD is believed to be a high profile targeted ransomware owned and operated by the Lazarus Group. It encrypts all files on connected devices and deletes folders named "System Volume Information". The program also employs some interesting techniques such as, the ability to stop processes that could be locking important files, a mechanism to resume operations if the encryption process is interrupted, and it's copied and executed through WMI calls.	efd4a87e7c5dcbb64b7313a13b4b1012	https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/ SHA256: 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306 SHA1: 6a7296f56410d3ee007587020ad6864d5781b4bc MD5: efd4a87e7c5dcbb64b7313a13b4b1012
M20-j4kf1	LATENTBOT_2d2484d5	Windows	This strike sends a malware sample known as LATENTBOT. LATENTBOT is a malware which may be used to harvest credentials, encrypt and ransom an infected target, or wipe the infected hard drive. It has been found in the wild since 2013.	2d2484d578bfcd983acb151c89e5a120	https://www.fireeye.com/blog/threat-research/2015/12/latentbot_trace_me.html SHA256: 295bc1a9feb90d0e882f6293832c37754b66a1263257ba1266a3bfc0b4bb7eee SHA1: 4973ea0ed99aa37278a563b5be0c381601d34182 MD5: 2d2484d578bfcd983acb151c89e5a120
M20-5vbk1	HawkEye_f5968828	Windows	This strike sends a malware sample known as HawkEye. HawkEye is an information stealing malware that specifically targets usernames and passwords stored by web browsers and mail clients on an infected machine. It is commonly spread via email and can also propagate through removable media.	f59688280c0e7c9122ba24ae6c1274b9	https://blog.talosintelligence.com/2020/08/threat-roundup-0807-0814.html SHA256: 71986aa0789a34b51fc2c4c4170bcb93b0237820434f2b15a69ddbae17aeaa77 SHA1: 71d47298f1a8c055dd34d8c23dc7b802bf6f64b0 MD5: f59688280c0e7c9122ba24ae6c1274b9
M20-zr9u1	HawkEye_ed31cc34	Windows	This strike sends a malware sample known as HawkEye. HawkEye is an information stealing malware that specifically targets usernames and passwords stored by web browsers and mail clients on an infected machine. It is commonly spread via email and can also propagate through removable media.	ed31cc349fffdc64e35ad4b149c06d55	https://blog.talosintelligence.com/2020/08/threat-roundup-0807-0814.html SHA256: be9dfabe29a6c6b8cbbfbac2d813eb30ced6d53e88d861eae595dd9d5bad03a6 SHA1: 4725a37fdae0fbc499f3f0a06b283cf59607533d MD5: ed31cc349fffdc64e35ad4b149c06d55
M20-2fvi1	Exorcist_f188cf26	Windows	This strike sends a malware sample known as Exorcist. Exorcist is a new ransomware as a service that is distributed through Pastebin embedded in a Powershell script that loads itself directly in memory.	f188cf267d209a0209a25bda4bb75b86	https://twitter.com/VK_Intel/status/1286028389518901248 SHA256: 027d99aaaa6803a07d07ce0ba1fa66964388129d3b26dcf8621a3310692b0a61 SHA1: 3ef4c199d1b5187784f4d709ab8e1cc6901716e8 MD5: f188cf267d209a0209a25bda4bb75b86
M20-wl8v1	LATENTBOT_2aaa53ce	Windows	This strike sends a polymorphic malware sample known as LATENTBOT. LATENTBOT is a malware which may be used to harvest credentials, encrypt and ransom an infected target, or wipe the infected hard drive. It has been found in the wild since 2013.The binary has random strings (lorem ipsum) appended at the end of the file.	2aaa53ce895c64e5c1e168f0b2d7ce2f	https://attack.mitre.org/techniques/T1009/ SHA256: d8fe14a2801a429b90cb9027bd8437e5802d4db8d560957aa277d1ee02608685 SHA1: 7faa14bdacf629c5959f2b1e9548150d59879d9c PARENTID: M20-5u4k1 SSDEEP: 49152:prG2NAFop+qvBOedFLib4cz8kneCdpUz+PR:pWFodvBOaFLiEfoe9z+PR MD5: 2aaa53ce895c64e5c1e168f0b2d7ce2f
M20-h9b31	HawkEye_2a759d9c	Windows	This strike sends a malware sample known as HawkEye. HawkEye is an information stealing malware that specifically targets usernames and passwords stored by web browsers and mail clients on an infected machine. It is commonly spread via email and can also propagate through removable media.	2a759d9cc498a190f3f8c71f57e65644	https://blog.talosintelligence.com/2020/08/threat-roundup-0807-0814.html SHA256: 136da8040b3d50523033e3054cb4e7aa63a3055e0d8b03d40d7fe376dfb9d7f2 SHA1: 9b43a30662df0c827334b949caea8c69a4990319 MD5: 2a759d9cc498a190f3f8c71f57e65644
M20-grmc1	HawkEye_600fb168	Windows	This strike sends a malware sample known as HawkEye. HawkEye is an information stealing malware that specifically targets usernames and passwords stored by web browsers and mail clients on an infected machine. It is commonly spread via email and can also propagate through removable media.	600fb1681d639f913b70884da6996d5a	https://blog.talosintelligence.com/2020/08/threat-roundup-0807-0814.html SHA256: e12d967791f4c0b92202edcb1ff79ded976b543e22df3f5dbeb8d552533474bb SHA1: ecce15dc7ae33a40a5a2b63d93d93d3ae60266b6 MD5: 600fb1681d639f913b70884da6996d5a
M20-ek801	ZeroAccess_1b80880f	Windows	This strike sends a polymorphic malware sample known as ZeroAccess. ZeroAccess is a trojan that infects Windows systems, installing a rootkit to hide its presence on the affected machine and serves as a platform for conducting click-fraud campaigns.The binary has a random section name renamed according to the PE format specification.	1b80880fd0c401f7a25e47e56105cf7b	https://arxiv.org/abs/1801.08917 SHA256: 1130073e510f520a6a94abcc967049277dfa460cddd98416cb094f98398e6d34 SHA1: e448a3ba5a277a7f4f21c3182889e1ae86028512 PARENTID: M20-vt1r1 SSDEEP: 3072:oENUaxmelEAzhZ8mwoLt/JVUP0ef3obqHHO4Zmw8yP/40tZDTwb2Im:oENUxovX8mwoLt/LUP0Id4DZ0tdb MD5: 1b80880fd0c401f7a25e47e56105cf7b
M20-1qn21	Cerber_d8aaf63d	Windows	This strike sends a malware sample known as Cerber. Cerber is ransomware that encrypts documents, photos, databases and other important files using the file extension ".cerber.	d8aaf63dd0d7e7a646e8edc7fcc09f87	https://blog.talosintelligence.com/2020/08/threat-roundup-0814-0821.html SHA256: 40bc0cd77874e7fff3d9c3fccf64ce3676d870af88ea27caafb4b650aabe7593 SHA1: 336472b3866a582098f266bd200f43727941b899 MD5: d8aaf63dd0d7e7a646e8edc7fcc09f87
M20-slow1	ZeroAccess_ff795bd8	Windows	This strike sends a malware sample known as ZeroAccess. ZeroAccess is a trojan that infects Windows systems, installing a rootkit to hide its presence on the affected machine and serves as a platform for conducting click-fraud campaigns.	ff795bd814b0102b9d01ebd74b1f2b9b	https://blog.talosintelligence.com/2020/08/threat-roundup-0807-0814.html SHA256: 38346650fafdeb425ad7fd1bcffe6d2ecc88d55fccb8924b1d2133be11a05eab SHA1: b160b18ef3de43fdb9ae808ada41f4a1f57becf7 MD5: ff795bd814b0102b9d01ebd74b1f2b9b
M20-aooa1	Cerber_ebf48e14	Windows	This strike sends a malware sample known as Cerber. Cerber is ransomware that encrypts documents, photos, databases and other important files using the file extension ".cerber.	ebf48e14acaa333bc1049b9fd09838f0	https://blog.talosintelligence.com/2020/08/threat-roundup-0814-0821.html SHA256: 01a392328bde81495f6682e728034b82556d4019bcceb8e9fd7337525370ca82 SHA1: e0e1a1ecd728d74e592bead0d7a7e71161aaa15a MD5: ebf48e14acaa333bc1049b9fd09838f0
M20-adfg1	Exorcist_4908a364	Windows	This strike sends a polymorphic malware sample known as Exorcist. Exorcist is a new ransomware as a service that is distributed through Pastebin embedded in a Powershell script that loads itself directly in memory.The binary has the debug flag removed in the PE file format.	4908a364b1d9467f2c9c3fcecccba202	https://arxiv.org/abs/1801.08917 SHA256: f1cff1473246a59b1eb1250c8028567bf298e32f776ba4f06fa5d1c5941f15fa SHA1: d8c24281221f1003502f37f7da45e8924c530be8 PARENTID: M20-vxhj1 SSDEEP: 768:D/w63PwCrEBP+2XES4nrr+nsUeO3za+7dqqtDbruFBT8QFJFmxCTXY+PNqHliQyW:/WQRnrUZJrCgahY+PY1/z MD5: 4908a364b1d9467f2c9c3fcecccba202
M20-sjx01	Cerber_7c4d7506	Windows	This strike sends a malware sample known as Cerber. Cerber is ransomware that encrypts documents, photos, databases and other important files using the file extension ".cerber.	7c4d7506133b8cd8d584c703ff5364d2	https://blog.talosintelligence.com/2020/08/threat-roundup-0814-0821.html SHA256: 68e5aaea215f94b30d9bfafc8f62cda3460e7f230edffc66d8902cbbb513b53c SHA1: 208cad38cb7888a1cc84d3c259c426af3ea50da7 MD5: 7c4d7506133b8cd8d584c703ff5364d2

Malware Strikes July - 2020

Strike ID	Malware	Platform	Info	MD5	External References
M20-ysaj1	WellMess_ae7a4652	Linux	This strike sends a malware sample known as WellMess. WellMess is a lightweight malware written in either Golang or .NET. It has been seen in the wild targeting organizations involved in COVID-19 research and vaccine development. It is designed to execute arbitrary shell commands, upload and download files. These samples are implants that allow a remote operator to establish encrypted communication with c2 servers to send and retrieve malicious scripts on an infected system.	ae7a46529a0f74fb83beeb1ab2c68c5c	https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198b SHA256: fd3969d32398bbe3709e9da5f8326935dde664bbc36753bd41a0b111712c0950 SHA1: a57c896486564d7663a4dce6fbf723a1deb81378 MD5: ae7a46529a0f74fb83beeb1ab2c68c5c
M20-60oe1	TinyBanker_3b97508b	Windows	This strike sends a malware sample known as TinyBanker. The malware TinyBanker, also known as Zusy or Tinba, is a trojan that uses a javascript injected form to steal banking information. When executed, it injects itself into Windows processes like "explorer.exe" and "winver.exe.	3b97508b20857a70120a3ae571ce8abc	https://blog.talosintelligence.com/2020/07/threat-roundup-0710-0717.html SHA256: 1be832d22e4a3c920076ff78eeb08e73d0077b04d29b29c2347c5de170b425d4 SHA1: 0be8014136efed974c83cdad29cf22d023f95538 MD5: 3b97508b20857a70120a3ae571ce8abc
M20-ou7j1	TinyBanker_02b612be	Windows	This strike sends a malware sample known as TinyBanker. The malware TinyBanker, also known as Zusy or Tinba, is a trojan that uses a javascript injected form to steal banking information. When executed, it injects itself into Windows processes like "explorer.exe" and "winver.exe.	02b612be794b972b9aa5a3edf461680e	https://blog.talosintelligence.com/2020/07/threat-roundup-0710-0717.html SHA256: 02f714d9530681ca2b5de1651c8e71a29c0bef9fc570a2d54eeb24d8ffcf02be SHA1: ed76f0d9db122bc079de1eb49e704e0d1be77a55 MD5: 02b612be794b972b9aa5a3edf461680e
M20-shxr1	TinyBanker_1d646810	Windows	This strike sends a polymorphic malware sample known as TinyBanker. The malware TinyBanker, also known as Zusy or Tinba, is a trojan that uses a javascript injected form to steal banking information. When executed, it injects itself into Windows processes like "explorer.exe" and "winver.exe.The binary has a random section name renamed according to the PE format specification.	1d646810d3fbc4b2e3f332481f160798	https://arxiv.org/abs/1801.08917 SHA256: b30c8bee53959b6c17a8838676b5a55716b63acfa5b69ad5d1e3b82cb0c289dc SHA1: bd8ad94876509125653bad3a5b513c2416c25551 PARENTID: M20-ou7j1 SSDEEP: 768:F/g94T0zUb/PnM3PC8Q8MVUgiCn4Pd3r9PLjpoNPydMUgtL:m4QUbHM3PC8Q1Hn417sNPy+L MD5: 1d646810d3fbc4b2e3f332481f160798
M20-mt3r1	NetWire_01281973	Windows	This strike sends a malware sample known as NetWire. Netwire is a Remote Access Trojan that lets attackers execute commands on the infected host.	012819731462ea2ad6234817a040d7af	https://blog.talosintelligence.com/2020/07/threat-roundup-0703-0710.html SHA256: 005d4ba8835d3554bebf46c7910bbf3b8823c08abec4270b9096dd22ecf295a4 SHA1: 575db9cf2121110f36fe934e56be71c49332426b MD5: 012819731462ea2ad6234817a040d7af
M20-9qvu1	NetWire_53abe793	Windows	This strike sends a polymorphic malware sample known as NetWire. Netwire is a Remote Access Trojan that lets attackers execute commands on the infected host.The binary has random strings (lorem ipsum) appended at the end of the file.	53abe793f2805e7aabf5b6422a4e7ac5	https://attack.mitre.org/techniques/T1009/ SHA256: 9cae09583a2584c4e58bc67ed8f17b78f6e4b8f0470e1112ad56814fa8a2fa6d SHA1: 9afbfc8108f3af6e7d68b0c636d2c26e878aca34 PARENTID: M20-mt3r1 SSDEEP: 1536:3UEd6yGrbtK9aao4svmGOKt7dZ+tjFKRgA+JF+:3QT8svpbqFK6AV MD5: 53abe793f2805e7aabf5b6422a4e7ac5
M20-8ojj1	WastedLocker_bceb4f44	Windows	This strike sends a malware sample known as WastedLocker. WastedLocker is a new targeted ransomware that was created by the organization known as Evil Corp. Recently it has been seen in the wild attacking mostly US based Fortune 500 companies. Once infected PsExec runs the WastedLocker binary, and it begins to encrypt data on the system as well as deleting shadow volumes. The encrypted files include a combination of the company's name and the string "wasted". Additionally files with the appended string "_info" contain the left behind ransom note.	bceb4f44d73f1a784e0af50e233eb1b4	https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/ SHA256: 97a1e14988672f7381d54e70785994ed45c2efe3da37e07be251a627f25078a7 SHA1: b99090009cf758fa7551b197990494768cd58687 MD5: bceb4f44d73f1a784e0af50e233eb1b4
M20-zl9k1	WellMess_e7caca72	Windows	This strike sends a polymorphic malware sample known as WellMess. WellMess is a lightweight malware written in either Golang or .NET. It has been seen in the wild targeting organizations involved in COVID-19 research and vaccine development. It is designed to execute arbitrary shell commands, upload and download files. These samples are implants that allow a remote operator to establish encrypted communication with c2 servers to send and retrieve malicious scripts on an infected system.The binary has random contents appended in one of the existing sections in the PE file format.	e7caca722341bff3e4fe32ac6609874b	https://arxiv.org/abs/1801.08917 SHA256: f572ef4a9e7118f9c34196b769e6d627a106a5663199a2252439d30dd8408db4 SHA1: e32c320359b6c29bcd01333a2f3b8a80eee60776 PARENTID: M20-n8yw1 SSDEEP: 6144:4t4156qfXqT02bFXCYv123kUo4GECAOcL6xDE4U:oc6qkt5vdU6ECe4U MD5: e7caca722341bff3e4fe32ac6609874b
M20-e4431	WastedLocker_d7eefcce	Windows	This strike sends a malware sample known as WastedLocker. WastedLocker is a new targeted ransomware that was created by the organization known as Evil Corp. Recently it has been seen in the wild attacking mostly US based Fortune 500 companies. Once infected PsExec runs the WastedLocker binary, and it begins to encrypt data on the system as well as deleting shadow volumes. The encrypted files include a combination of the company's name and the string "wasted". Additionally files with the appended string "_info" contain the left behind ransom note.	d7eefcce371e3deec178a2a1c12f2c22	https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/ SHA256: 9056ec1ee8d1b0124110e9798700e473fb7c31bc0656d9fc83ed0ac241746064 SHA1: e13f75f25f5830008a4830a75c8ccacb22cebe7b MD5: d7eefcce371e3deec178a2a1c12f2c22
M20-bvxf1	DarkComet_75a0a9c2	Windows	This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system.	75a0a9c29a1af4867e318fa63c79b056	https://blog.talosintelligence.com/2020/06/threat-roundup-0529-0605.html SHA256: 1899e0b8e3b986a5de287ba23c6e81b287078d7d17eecf30eb10b8013633f709 SHA1: 24827e97f23017121572c363d515bf3f65bbb7ec MD5: 75a0a9c29a1af4867e318fa63c79b056
M20-amc21	Emotet_86e76726	Windows	This strike sends a polymorphic malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails.The binary has the checksum removed in the PE file format.	86e76726bffb79bf1ef261c8cea56510	https://arxiv.org/abs/1801.08917 SHA256: 337241ed419d172fd9aca0dbce8892307682de1ad2adff179d1f3b0525935e64 SHA1: 83214658e8833682921a50f3bbf594366aaecf90 PARENTID: M20-75mm1 SSDEEP: 6144:JjNX3w7TC9rybQb3AnUpBlvKLB6bVlWi+e6k46qz2g5cvAtyKZD:JRX3wK9rybO3AlLBeTWi+eO6e23AtyK MD5: 86e76726bffb79bf1ef261c8cea56510
M20-cyes1	SoreFang_01d322dc	Linux	This strike sends a malware sample known as SoreFang. This sample is a Trojan implant designed to exploit Sangfor SSL VPN servers. It has been seen targeting organizations involved in COVID-19 research and vaccine development. It replaces the legitimate Sangfor VPN software distributed to VPN clients. The malware gives the attacker remote control over the infected machine.	01d322dcac438d2bb6bce2bae8d613cb	https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198a SHA256: 0c5ad1e8fe43583e279201cdb1046aea742bae59685e6da24e963a41df987494 SHA1: 8830e9d90c508adf9053e9803c64375bc9b5161a MD5: 01d322dcac438d2bb6bce2bae8d613cb
M20-qcbv1	DarkComet_de957930	Windows	This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system.	de95793098522775a222b0b874bcacc9	https://blog.talosintelligence.com/2020/06/threat-roundup-0529-0605.html SHA256: 152d31444542e5096b757127ed11c3aa8aa75869c7bed47c110251d6e4dc73de SHA1: e4058766d3b0d672b843840cd267dfd1246c0c18 MD5: de95793098522775a222b0b874bcacc9
M20-3il91	NetWire_4e05cb20	Windows	This strike sends a malware sample known as NetWire. Netwire is a Remote Access Trojan that lets attackers execute commands on the infected host.	4e05cb209291091b7263c7d4f5c31103	https://blog.talosintelligence.com/2020/07/threat-roundup-0703-0710.html SHA256: 83ab262d766c76a413251c5b7f7598eac14e6a273580ef388be2f1856baed52c SHA1: e36f2685995d242b593de10a7e70905c6ead90f7 MD5: 4e05cb209291091b7263c7d4f5c31103
M20-g2pn1	TinyBanker_038d0f48	Windows	This strike sends a malware sample known as TinyBanker. The malware TinyBanker, also known as Zusy or Tinba, is a trojan that uses a javascript injected form to steal banking information. When executed, it injects itself into Windows processes like "explorer.exe" and "winver.exe.	038d0f48cf53443817f515263b5f4709	https://blog.talosintelligence.com/2020/07/threat-roundup-0710-0717.html SHA256: b853ec7bf8d69a2ea7203a8881c2671c8e2a546e7a9a299e6062275e52f10cb2 SHA1: a944cb8530194a7fe293ea6faaddf912d1d2be83 MD5: 038d0f48cf53443817f515263b5f4709
M20-v6ck1	TinyBanker_02ef97cd	Windows	This strike sends a malware sample known as TinyBanker. The malware TinyBanker, also known as Zusy or Tinba, is a trojan that uses a javascript injected form to steal banking information. When executed, it injects itself into Windows processes like "explorer.exe" and "winver.exe.	02ef97cd7f61f4dec5ea52276eb7d776	https://blog.talosintelligence.com/2020/07/threat-roundup-0710-0717.html SHA256: 7b4bc90a5a8ebd89b6dd4b804257ec8c0c3b6bc2565a6c6f1e24f77f4b33fca5 SHA1: f5b7f7401110a5304477042d816812d3c7d883ba MD5: 02ef97cd7f61f4dec5ea52276eb7d776
M20-6gzv1	SoreFang_c5d5cb99	Windows	This strike sends a malware sample known as SoreFang. This sample is a Trojan implant designed to exploit Sangfor SSL VPN servers. It has been seen targeting organizations involved in COVID-19 research and vaccine development. It replaces the legitimate Sangfor VPN software distributed to VPN clients. The malware gives the attacker remote control over the infected machine.	c5d5cb99291fa4b2a68b5ea3ff9d9f9a	https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198a SHA256: 65495d173e305625696051944a36a031ea94bb3a4f13034d8be740982bc4ab75 SHA1: a1b5d50fe87f9c69a0e4da447f8d56155ce59e47 MD5: c5d5cb99291fa4b2a68b5ea3ff9d9f9a
M20-bx2o1	DarkComet_94450dbe	Windows	This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system.	94450dbefcfdf11eb85fec5a2e9e79c4	https://blog.talosintelligence.com/2020/06/threat-roundup-0529-0605.html SHA256: 3b765b6d85b21b8304c2287d2ede993082455f64d904529dd8eb03482b5cf3b3 SHA1: 8bf0af36f38d01b3a8f4de82c1ce7ed18b2ad5ae MD5: 94450dbefcfdf11eb85fec5a2e9e79c4
M20-rt3f1	NetWire_a297dff6	Windows	This strike sends a polymorphic malware sample known as NetWire. Netwire is a Remote Access Trojan that lets attackers execute commands on the infected host.The binary has random bytes appended at the end of the file.	a297dff6004ac5e1ce577f9b0474cb3b	https://attack.mitre.org/techniques/T1009/ SHA256: e2bcc45e934d72f16d87d299278d1c507b0a7fe4b351df9943b8647bcb6f893d SHA1: 2db18eaa442052a0eb0d3b2936b391a5342b60e3 PARENTID: M20-mt3r1 SSDEEP: 1536:3UEd6yGrbtK9aao4svmGOKt7dZ+tjFKRgA+JFm:3QT8svpbqFK6Al MD5: a297dff6004ac5e1ce577f9b0474cb3b
M20-9klw1	Emotet_91fb4712	Windows	This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails.	91fb471283081bd2960ad253d14aa2ab	https://blog.talosintelligence.com/2020/07/threat-roundup-0703-0710.html SHA256: 338b14380a84844b2e8773ba6846e2a8a23fe266b5d079dc3efbb17f9473a250 SHA1: b4aab2d7bcc50737276b1e89a18e19ec356a41c7 MD5: 91fb471283081bd2960ad253d14aa2ab
M20-flcr1	NetWire_796cbb64	Windows	This strike sends a malware sample known as NetWire. Netwire is a Remote Access Trojan that lets attackers execute commands on the infected host.	796cbb6400d4f1e1290374a0fcc8c4a0	https://blog.talosintelligence.com/2020/07/threat-roundup-0703-0710.html SHA256: 11f841dcd0ffd44e32bbfaf6ee2e3e4c47efc0ae80ab95a4b4f6f0cd4f9fbb2a SHA1: 82959fc4042c193ab5afb7c1f15e3d410147bcc3 MD5: 796cbb6400d4f1e1290374a0fcc8c4a0
M20-pk0z1	WastedLocker_13e623cd	Windows	This strike sends a malware sample known as WastedLocker. WastedLocker is a new targeted ransomware that was created by the organization known as Evil Corp. Recently it has been seen in the wild attacking mostly US based Fortune 500 companies. Once infected PsExec runs the WastedLocker binary, and it begins to encrypt data on the system as well as deleting shadow volumes. The encrypted files include a combination of the company's name and the string "wasted". Additionally files with the appended string "_info" contain the left behind ransom note.	13e623cdfb75d99ea7e04c6157ca8ae6	https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/ SHA256: aa05e7a187ddec2e11fc1c9eafe61408d085b0ab6cd12caeaf531c9dca129772 SHA1: f25f0b369a355f30f5e11ac11a7f644bcfefd963 MD5: 13e623cdfb75d99ea7e04c6157ca8ae6
M20-ekw01	DarkComet_d96a9a72	Windows	This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system.	d96a9a72a8e2b99d4d2674e849631db1	https://blog.talosintelligence.com/2020/06/threat-roundup-0529-0605.html SHA256: 63935268c3fd6806fc5de779b5f72358721f7dd537de53f019f3baa1cbdb3451 SHA1: ae8972c472806faa87599cae7fbea22ba0cf9d59 MD5: d96a9a72a8e2b99d4d2674e849631db1
M20-zyb81	WastedLocker_572fea5f	Windows	This strike sends a malware sample known as WastedLocker. WastedLocker is a new targeted ransomware that was created by the organization known as Evil Corp. Recently it has been seen in the wild attacking mostly US based Fortune 500 companies. Once infected PsExec runs the WastedLocker binary, and it begins to encrypt data on the system as well as deleting shadow volumes. The encrypted files include a combination of the company's name and the string "wasted". Additionally files with the appended string "_info" contain the left behind ransom note.	572fea5f025df78f2d316216fbeee52e	https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/ SHA256: 5cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367 SHA1: 91b2bf44b1f9282c09f07f16631deaa3ad9d956d MD5: 572fea5f025df78f2d316216fbeee52e
M20-8m231	WastedLocker_2000de39	Windows	This strike sends a malware sample known as WastedLocker. WastedLocker is a new targeted ransomware that was created by the organization known as Evil Corp. Recently it has been seen in the wild attacking mostly US based Fortune 500 companies. Once infected PsExec runs the WastedLocker binary, and it begins to encrypt data on the system as well as deleting shadow volumes. The encrypted files include a combination of the company's name and the string "wasted". Additionally files with the appended string "_info" contain the left behind ransom note.	2000de399f4c0ad50a26780700ed6cac	https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/ SHA256: 7a45a4ae68992e5be784b4a6da7acd98dc28281fe238f22c1f7c1d85a90d144a SHA1: 70c0d6b0a8485df01ed893a7919009f099591083 MD5: 2000de399f4c0ad50a26780700ed6cac
M20-i6gz1	Emotet_86ecac07	Windows	This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails.	86ecac07b0e42617b45835cc31ad9af0	https://blog.talosintelligence.com/2020/07/threat-roundup-0703-0710.html SHA256: 1dafb532cac149ced3cb5f6bcaef801208d8de38c3f6b7a8a69ba2277d90e5fb SHA1: 65c7fd2314fa8d8f3776f62d1e9409619340732f MD5: 86ecac07b0e42617b45835cc31ad9af0
M20-l8661	WastedLocker_0ed2ca53	Windows	This strike sends a malware sample known as WastedLocker. WastedLocker is a new targeted ransomware that was created by the organization known as Evil Corp. Recently it has been seen in the wild attacking mostly US based Fortune 500 companies. Once infected PsExec runs the WastedLocker binary, and it begins to encrypt data on the system as well as deleting shadow volumes. The encrypted files include a combination of the company's name and the string "wasted". Additionally files with the appended string "_info" contain the left behind ransom note.	0ed2ca539a01cdb86c88a9a1604b2005	https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/ SHA256: bcdac1a2b67e2b47f8129814dca3bcf7d55404757eb09f1c3103f57da3153ec8 SHA1: 4fed7eae00bfa21938e49f33b7c6794fd7d0750c MD5: 0ed2ca539a01cdb86c88a9a1604b2005
M20-h6ig1	Emotet_d89d6736	Windows	This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails.	d89d673631c11ce32a05b1e36bcb6735	https://blog.talosintelligence.com/2020/07/threat-roundup-0703-0710.html SHA256: dd5048f55ce7d16e2cce8ba707b66ae2c8c7ae64549b98fdcdb0f3ecf2874f17 SHA1: 5a1de3a9350a210999e84c305bfa03f40a2ae6e1 MD5: d89d673631c11ce32a05b1e36bcb6735
M20-e6fw1	Emotet_d9b152c6	Windows	This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails.	d9b152c6297363628706d37d3b85d8ed	https://blog.talosintelligence.com/2020/07/threat-roundup-0703-0710.html SHA256: 1b1c8d35b6dff722f9439985f78da06098d5bad82e7d0b5d1fa41dcc6b3c432b SHA1: 651726ab4329a51e51babd5a9021f1de823b9c74 MD5: d9b152c6297363628706d37d3b85d8ed
M20-bf2g1	WellMess_8f1e36bb	Windows	This strike sends a polymorphic malware sample known as WellMess. WellMess is a lightweight malware written in either Golang or .NET. It has been seen in the wild targeting organizations involved in COVID-19 research and vaccine development. It is designed to execute arbitrary shell commands, upload and download files. These samples are implants that allow a remote operator to establish encrypted communication with c2 servers to send and retrieve malicious scripts on an infected system.The binary has random strings (lorem ipsum) appended at the end of the file.	8f1e36bb3bc44914eb13465471400063	https://attack.mitre.org/techniques/T1009/ SHA256: 67c72f8eaff6c96b4b70be02cf0e571321fabb8bbe50d8f15f5eca8c73895e5f SHA1: e5f74991182ae58a09892cfe406b93da51a1944a PARENTID: M20-n8yw1 SSDEEP: 6144:4t4156qfXqT02bFXCYv123kUo4GECAOcL6xDE4UL:oc6qkt5vdU6ECe4UL MD5: 8f1e36bb3bc44914eb13465471400063
M20-dzyd1	DarkComet_a5361ce7	Windows	This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system.	a5361ce78de87cfd962242da00f11662	https://blog.talosintelligence.com/2020/06/threat-roundup-0529-0605.html SHA256: 3ee0145434048bb9dbff5a92a2083b3baae1c539a459668e34316bb75ad318de SHA1: c1b8bf7f8ab9fa35155497b7757482883e7074aa MD5: a5361ce78de87cfd962242da00f11662
M20-yewi1	TinyBanker_729a37e0	Windows	This strike sends a malware sample known as TinyBanker. The malware TinyBanker, also known as Zusy or Tinba, is a trojan that uses a javascript injected form to steal banking information. When executed, it injects itself into Windows processes like "explorer.exe" and "winver.exe.	729a37e05315e8179d16169168a667eb	https://blog.talosintelligence.com/2020/07/threat-roundup-0710-0717.html SHA256: 4015c1917edbb2e1b9db30a3c02f3ae4e8f9ba7015f3c3c0a4274c281e508f7d SHA1: 8da80e6a453f89e0e2026660b1938aed69330c39 MD5: 729a37e05315e8179d16169168a667eb
M20-27lf1	TinyBanker_31dc4cc0	Windows	This strike sends a malware sample known as TinyBanker. The malware TinyBanker, also known as Zusy or Tinba, is a trojan that uses a javascript injected form to steal banking information. When executed, it injects itself into Windows processes like "explorer.exe" and "winver.exe.	31dc4cc040d13f9b06bae2bd61426372	https://blog.talosintelligence.com/2020/07/threat-roundup-0710-0717.html SHA256: 47381ffb76fa60172fe273eba6dbb66ac6ebe05c1e6b6a7af863be2b990482c0 SHA1: 84a16b9420bcf817a462700f5ef0be2f6947bbc5 MD5: 31dc4cc040d13f9b06bae2bd61426372
M20-po0s1	NetWire_350b809a	Windows	This strike sends a malware sample known as NetWire. Netwire is a Remote Access Trojan that lets attackers execute commands on the infected host.	350b809a45dfe3dca55870d8f994333f	https://blog.talosintelligence.com/2020/07/threat-roundup-0703-0710.html SHA256: 4be38ea855bd9088282cd6afbb6b2698aa45fc1f507a609a66af4894a8a3eaf3 SHA1: 5f04765f73bdd55acf606e7acd65469449773845 MD5: 350b809a45dfe3dca55870d8f994333f
M20-eyn31	NetWire_1b524f5d	Windows	This strike sends a malware sample known as NetWire. Netwire is a Remote Access Trojan that lets attackers execute commands on the infected host.	1b524f5db5738143efbd54f6a5a56573	https://blog.talosintelligence.com/2020/07/threat-roundup-0703-0710.html SHA256: 2e86be5c9c364bd944b4823b9191f217c181bb6c980e1708800be13dac953cd5 SHA1: 1c096168f6db961ba445dd31004532a0684292eb MD5: 1b524f5db5738143efbd54f6a5a56573
M20-l4nx1	Emotet_3292ce99	Windows	This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails.	3292ce99235f89437fdf33c0227df4fa	https://blog.talosintelligence.com/2020/07/threat-roundup-0703-0710.html SHA256: 4b953167cdee60b1fda17ce2293590c05b26db580e93ce93fb0ffee08527ac2a SHA1: 96dc6429f3432dec156030e0234ccb776b2d93dd MD5: 3292ce99235f89437fdf33c0227df4fa
M20-b9xh1	NetWire_9fd86daf	Windows	This strike sends a polymorphic malware sample known as NetWire. Netwire is a Remote Access Trojan that lets attackers execute commands on the infected host.The binary has a random section name renamed according to the PE format specification.	9fd86daf25d2498d84395bfc9ad5dcac	https://arxiv.org/abs/1801.08917 SHA256: 67c92144dc4444d9a3c486fd9e3d0c8df2825dd96d5a74f87461c7987bf354f1 SHA1: ffc6523cdb858118e0815e3f8846b279f32beb21 PARENTID: M20-mt3r1 SSDEEP: 1536:30Ed6yGrbtK9aao4svmGOKt7dZ+tjFKRgA+JF:3wT8svpbqFK6A MD5: 9fd86daf25d2498d84395bfc9ad5dcac
M20-blce1	WastedLocker_ecb00e9a	Windows	This strike sends a malware sample known as WastedLocker. WastedLocker is a new targeted ransomware that was created by the organization known as Evil Corp. Recently it has been seen in the wild attacking mostly US based Fortune 500 companies. Once infected PsExec runs the WastedLocker binary, and it begins to encrypt data on the system as well as deleting shadow volumes. The encrypted files include a combination of the company's name and the string "wasted". Additionally files with the appended string "_info" contain the left behind ransom note.	ecb00e9a61f99a7d4c90723294986bbc	https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/ SHA256: 8897db876553f942b2eb4005f8475a232bafb82a50ca7761a621842e894a3d80 SHA1: be59c867da75e2a66b8c2519e950254f817cd4ad MD5: ecb00e9a61f99a7d4c90723294986bbc
M20-ddcg1	Emotet_74fb55f5	Windows	This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails.	74fb55f5f7bbf504228af8e136c4b8e7	https://blog.talosintelligence.com/2020/07/threat-roundup-0703-0710.html SHA256: e66da3958ee12be370fb6e1e429611f98d575b21b5e555d9f8dee58eb2481def SHA1: 34228506df007ad3ec1672b01ce6abf7293598b7 MD5: 74fb55f5f7bbf504228af8e136c4b8e7
M20-rils1	TinyBanker_42d34ef5	Windows	This strike sends a malware sample known as TinyBanker. The malware TinyBanker, also known as Zusy or Tinba, is a trojan that uses a javascript injected form to steal banking information. When executed, it injects itself into Windows processes like "explorer.exe" and "winver.exe.	42d34ef5b4a2e9637fa0b7cdfdbf7d2c	https://blog.talosintelligence.com/2020/07/threat-roundup-0710-0717.html SHA256: 0ebaddef17527ae1f59121ac7ae05fcb2806fc36fd4ea5e3a8d63999d1ef8245 SHA1: 2ada07cade8d09a3fdf74f3764542fe052ee523a MD5: 42d34ef5b4a2e9637fa0b7cdfdbf7d2c
M20-e29i1	TinyBanker_ea88c8a1	Windows	This strike sends a malware sample known as TinyBanker. The malware TinyBanker, also known as Zusy or Tinba, is a trojan that uses a javascript injected form to steal banking information. When executed, it injects itself into Windows processes like "explorer.exe" and "winver.exe.	ea88c8a14f624a0069719a609bfb93b1	https://blog.talosintelligence.com/2020/07/threat-roundup-0710-0717.html SHA256: 9d76af39b9de6fc9f58ca5d7a83798f37790d2193ff88a71cccad19092009a5c SHA1: 2f4786eef36db3cd34a569759ded38b94144cfcd MD5: ea88c8a14f624a0069719a609bfb93b1
M20-dazc1	NetWire_86b2dc6b	Windows	This strike sends a malware sample known as NetWire. Netwire is a Remote Access Trojan that lets attackers execute commands on the infected host.	86b2dc6b035832b396832ee96498b557	https://blog.talosintelligence.com/2020/07/threat-roundup-0703-0710.html SHA256: 9d163b8e00e7574fb1609b2ee8db2b07d3b6aafa233f3add788dda1baf5b3322 SHA1: 9a3e9da47404aa4817ba301976d0e5211b444ead MD5: 86b2dc6b035832b396832ee96498b557
M20-0rye1	WastedLocker_edbf07ea	Windows	This strike sends a malware sample known as WastedLocker. WastedLocker is a new targeted ransomware that was created by the organization known as Evil Corp. Recently it has been seen in the wild attacking mostly US based Fortune 500 companies. Once infected PsExec runs the WastedLocker binary, and it begins to encrypt data on the system as well as deleting shadow volumes. The encrypted files include a combination of the company's name and the string "wasted". Additionally files with the appended string "_info" contain the left behind ransom note.	edbf07eaca4fff5f2d3f045567a9dc6f	https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/ SHA256: ed0632acb266a4ec3f51dd803c8025bccd654e53c64eb613e203c590897079b3 SHA1: 9292fa66c917bfa47e8012d302a69bec48e9b98c MD5: edbf07eaca4fff5f2d3f045567a9dc6f
M20-vnec1	Emotet_3c0c754a	Windows	This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails.	3c0c754a38f8f750b53ebf2d81d5b897	https://blog.talosintelligence.com/2020/07/threat-roundup-0703-0710.html SHA256: 539f218904629efd90df998b1704cdfc101543b74c6d8afab2204e325d1e8bb0 SHA1: 7becb502bb543a46ef515e6037208b793a613af3 MD5: 3c0c754a38f8f750b53ebf2d81d5b897
M20-72n11	DarkComet_c3c2764d	Windows	This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system.	c3c2764dbe9ec6f4d9207c84ca5b8201	https://blog.talosintelligence.com/2020/06/threat-roundup-0529-0605.html SHA256: 0f6a595d6bfd0dc514dbde0b8be7cdb2aa1dba94a103f1c79205f0bcf9856e7f SHA1: 6e90e4c6a099f38a6810c37711cca2739cf22772 MD5: c3c2764dbe9ec6f4d9207c84ca5b8201
M20-jxz11	TinyBanker_4be2f390	Windows	This strike sends a malware sample known as TinyBanker. The malware TinyBanker, also known as Zusy or Tinba, is a trojan that uses a javascript injected form to steal banking information. When executed, it injects itself into Windows processes like "explorer.exe" and "winver.exe.	4be2f39094acef6d9791f7604219d4f4	https://blog.talosintelligence.com/2020/07/threat-roundup-0710-0717.html SHA256: 36d265d452dd91cfc0640b59f3184112c0e3e20f1c5f1e6409452881458083b5 SHA1: b08f3a3326bb484322a6fbba16dd28db4c7bf7d7 MD5: 4be2f39094acef6d9791f7604219d4f4
M20-8eet1	TinyBanker_19edfc7f	Windows	This strike sends a malware sample known as TinyBanker. The malware TinyBanker, also known as Zusy or Tinba, is a trojan that uses a javascript injected form to steal banking information. When executed, it injects itself into Windows processes like "explorer.exe" and "winver.exe.	19edfc7f229677c5cd9fd8327a197745	https://blog.talosintelligence.com/2020/07/threat-roundup-0710-0717.html SHA256: 9a21d7ef4b6f50a4e4ce47791bf2231a523884cf58e4d94e2089464967fd6e25 SHA1: 4b48bb99acd79c445f55b4d3eedccdb7cb2bc49a MD5: 19edfc7f229677c5cd9fd8327a197745
M20-p4zi1	DarkComet_bd4b11b9	Windows	This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system.	bd4b11b929ec3f25c1caf63bc889d5fc	https://blog.talosintelligence.com/2020/06/threat-roundup-0529-0605.html SHA256: 8167bea409789e03d3483aa7497762f2c3f33ed25122fcd8b7e7b45cb9b3e919 SHA1: f21c9217461452eab05e990e8b2ff20fde524c4a MD5: bd4b11b929ec3f25c1caf63bc889d5fc
M20-z9p41	NetWire_83f66181	Windows	This strike sends a malware sample known as NetWire. Netwire is a Remote Access Trojan that lets attackers execute commands on the infected host.	83f66181010a41f2a47d4c7bd7d6296b	https://blog.talosintelligence.com/2020/07/threat-roundup-0703-0710.html SHA256: 79dbd028f2768d0874fce30c00b227e6af46080727503918bc09ef965949edc4 SHA1: 5af13ebbc629d1dc062933a75577272c5016b1f3 MD5: 83f66181010a41f2a47d4c7bd7d6296b
M20-1dr31	NetWire_f74d7e56	Windows	This strike sends a malware sample known as NetWire. Netwire is a Remote Access Trojan that lets attackers execute commands on the infected host.	f74d7e560926fdb7802e4b13d0c10e7a	https://blog.talosintelligence.com/2020/07/threat-roundup-0703-0710.html SHA256: 9648d53a1276cdd0d3d170ba0c13a9c140b13c4ef3d3d4790164ca98f8f71a5d SHA1: 1fdaba3131e83a0e5b22d0a312dbb8f0c0d35bb2 MD5: f74d7e560926fdb7802e4b13d0c10e7a
M20-x2o41	TinyBanker_2752e633	Windows	This strike sends a malware sample known as TinyBanker. The malware TinyBanker, also known as Zusy or Tinba, is a trojan that uses a javascript injected form to steal banking information. When executed, it injects itself into Windows processes like "explorer.exe" and "winver.exe.	2752e6339bbbbbc032826808cedc5d32	https://blog.talosintelligence.com/2020/07/threat-roundup-0710-0717.html SHA256: 14398c45f2dc4d5c6d4c16ba9f276888eee4eb396863a355d059b55795d606e3 SHA1: 597850e0f0162bcbd571ab892fc3652d87c1de5c MD5: 2752e6339bbbbbc032826808cedc5d32
M20-gan91	Emotet_cfa658c9	Windows	This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails.	cfa658c993fd56dd81a370e286163770	https://blog.talosintelligence.com/2020/07/threat-roundup-0703-0710.html SHA256: cb8a434442b33d664405f2191c9f57d7e04f97bb3a98116000d82a5967bd2868 SHA1: 897e9c21c02952020f9f3ef56f3154ab4b1afe38 MD5: cfa658c993fd56dd81a370e286163770
M20-980h1	DarkComet_03183a1a	Windows	This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system.	03183a1a2b8381ecfdb47ba4cc824191	https://blog.talosintelligence.com/2020/06/threat-roundup-0529-0605.html SHA256: 08039ef764c01600b0b21b33fb9c45031fecacfbc62ac1400a2604783c513e4d SHA1: 03787807f2e0b449abd3ebaf2d9945d738f2f130 MD5: 03183a1a2b8381ecfdb47ba4cc824191
M20-l83m1	DarkComet_12976937	Windows	This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system.	12976937fbeef378e9b64d237991c45a	https://blog.talosintelligence.com/2020/06/threat-roundup-0529-0605.html SHA256: 6557faee4a706e851f0aa28785e38dc56bfd422c4d8864c754c884163ab8ab3d SHA1: 29d586610d388065debc1f88cd19a8bc393431f4 MD5: 12976937fbeef378e9b64d237991c45a
M20-ands1	NetWire_edc2afa3	Windows	This strike sends a malware sample known as NetWire. Netwire is a Remote Access Trojan that lets attackers execute commands on the infected host.	edc2afa36a416f93aa4e763e8660f933	https://blog.talosintelligence.com/2020/07/threat-roundup-0703-0710.html SHA256: 51164673a792e1f214b69b1f21bf714ce289ddf8d898f7499f07aafb7a692e9a SHA1: c362a783af0b84241c16ef22eebf2811f8a57c1a MD5: edc2afa36a416f93aa4e763e8660f933
M20-tlrb1	SoreFang_861879f4	Linux	This strike sends a malware sample known as SoreFang. This sample is a Trojan implant designed to exploit Sangfor SSL VPN servers. It has been seen targeting organizations involved in COVID-19 research and vaccine development. It replaces the legitimate Sangfor VPN software distributed to VPN clients. The malware gives the attacker remote control over the infected machine.	861879f402fe3080ab058c0c88536be4	https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198a SHA256: 14e9b5e214572cb13ff87727d680633f5ee238259043357c94302654c546cad2 SHA1: db4f07ecefd1e290d727379ded4f15a0d4a59f88 MD5: 861879f402fe3080ab058c0c88536be4
M20-tk1k1	Emotet_6aa9aaed	Windows	This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails.	6aa9aaed9e0281f98c4d178d9388b9af	https://blog.talosintelligence.com/2020/07/threat-roundup-0703-0710.html SHA256: ab87b202217c59a3d0346f4bdaa549813191ff25df57ad8a616b40647cb4c028 SHA1: 273a09c6320a70961371fba4cce6bf98f72c6ae6 MD5: 6aa9aaed9e0281f98c4d178d9388b9af
M20-ykkn1	TinyBanker_494744ed	Windows	This strike sends a malware sample known as TinyBanker. The malware TinyBanker, also known as Zusy or Tinba, is a trojan that uses a javascript injected form to steal banking information. When executed, it injects itself into Windows processes like "explorer.exe" and "winver.exe.	494744ed921005e57d1495d1b3f23260	https://blog.talosintelligence.com/2020/07/threat-roundup-0710-0717.html SHA256: 40c0d24f854db3548f0d9ef8fef3cfc7463fae25e690f426e044042e35f46a48 SHA1: 46fc9fdd01ce7b0cc2a9a7d3fa4f73d9a2c2faad MD5: 494744ed921005e57d1495d1b3f23260
M20-z1so1	NetWire_c5c68c05	Windows	This strike sends a malware sample known as NetWire. Netwire is a Remote Access Trojan that lets attackers execute commands on the infected host.	c5c68c052096dd76f2dd85c322d950f1	https://blog.talosintelligence.com/2020/07/threat-roundup-0703-0710.html SHA256: 1e7b37a04208f94239a05244352ae5bf45793f83bdcb4aaadbfa7ef4c48d805d SHA1: 4c7b85c0dfc53e3cc9cb79add07b4bf95c40fcda MD5: c5c68c052096dd76f2dd85c322d950f1
M20-jy701	NetWire_1d030db3	Windows	This strike sends a malware sample known as NetWire. Netwire is a Remote Access Trojan that lets attackers execute commands on the infected host.	1d030db358ba16c4ea8ba4a928eb583b	https://blog.talosintelligence.com/2020/07/threat-roundup-0703-0710.html SHA256: 255c6efe9551fd5b6381adb440b94af65aee2286465c76c8fdb596c6e7a90b1a SHA1: 321487b8c7827cc87d3a8bfacb912e0fb519d3a1 MD5: 1d030db358ba16c4ea8ba4a928eb583b
M20-ajbu1	DarkComet_d65fc205	Windows	This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system.	d65fc2053dd33571ebb55a1b49bb03bd	https://blog.talosintelligence.com/2020/06/threat-roundup-0529-0605.html SHA256: 57f94f852f1a625bebfe96a57be5c6cbcb17016f786ebe1991265c442dc42103 SHA1: 5de1d9dc4cd3fb5b3370cd8303a16838c0a97c39 MD5: d65fc2053dd33571ebb55a1b49bb03bd
M20-8r8e1	NetWire_9b7a4904	Windows	This strike sends a malware sample known as NetWire. Netwire is a Remote Access Trojan that lets attackers execute commands on the infected host.	9b7a4904810d28f35158bb99cbd5df6b	https://blog.talosintelligence.com/2020/07/threat-roundup-0703-0710.html SHA256: 7e6898b47574bbdb8b7c27bc392eab836bcd810e048fdc6b880537e3c7fb701d SHA1: 864a414d4d11cb57994e9efefbf494ef0b072a1e MD5: 9b7a4904810d28f35158bb99cbd5df6b
M20-uod41	NetWire_1a085a8f	Windows	This strike sends a malware sample known as NetWire. Netwire is a Remote Access Trojan that lets attackers execute commands on the infected host.	1a085a8f86d2a2ed0e9f81c67f696d2e	https://blog.talosintelligence.com/2020/07/threat-roundup-0703-0710.html SHA256: 62b6d90b250056d556971b7066e827eb03bbe2cb0b70848a98cb21fadc27d500 SHA1: fd065edaaec8a6d57cc225674249e03d6f65f5c5 MD5: 1a085a8f86d2a2ed0e9f81c67f696d2e
M20-h5qb1	Emotet_62f09a7e	Windows	This strike sends a polymorphic malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails.The binary has been packed using upx packer, with the default options.	62f09a7e9cbfeae4335ebeaa40b1358a	https://attack.mitre.org/techniques/T1045/ SHA256: cf2d015be5779753daceaab47e8745bb9deef81b646aa59313a365bf383ec6cf SHA1: dc28fb3e20309a27641d88acf8e9b0c459f9e363 PARENTID: M20-8ev91 SSDEEP: 3072:J61oDDSj+vIq7SELcPrra8pB87lTAEYE1u3MJSAt1TKjUMK6x08Uj:JZGj+vIq7SEIPfws79AtyKZD MD5: 62f09a7e9cbfeae4335ebeaa40b1358a
M20-jvax1	WellMess_967fcf18	Windows	This strike sends a malware sample known as WellMess. WellMess is a lightweight malware written in either Golang or .NET. It has been seen in the wild targeting organizations involved in COVID-19 research and vaccine development. It is designed to execute arbitrary shell commands, upload and download files. These samples are implants that allow a remote operator to establish encrypted communication with c2 servers to send and retrieve malicious scripts on an infected system.	967fcf185634def5177f74b0f703bdc0	https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198b SHA256: 58d8e65976b53b77645c248bfa18c3b87a6ecfb02f306fe6ba4944db96a5ede2 SHA1: 152189b62c546d6297a7083778fba62dcec576be MD5: 967fcf185634def5177f74b0f703bdc0
M20-4c7z2	NetWire_234465ef	Windows	This strike sends a malware sample known as NetWire. Netwire is a Remote Access Trojan that lets attackers execute commands on the infected host.	234465efb8b8e3341f6d5736cb81cde2	https://blog.talosintelligence.com/2020/07/threat-roundup-0703-0710.html SHA256: 28181484a3ef4f4f3ab8fc07388aa109b49f2e02bcfe65b819a4341369e5b4fc SHA1: 59bfeacd950b124ee4e30a6d2e5f41351b00f6b0 MD5: 234465efb8b8e3341f6d5736cb81cde2
M20-0nw31	DarkComet_aabfef70	Windows	This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system.	aabfef7012a8afef5a38e48a2ecc3e66	https://blog.talosintelligence.com/2020/06/threat-roundup-0529-0605.html SHA256: 73e47ae090f62b5723ccc7a1b452e8c8b305f22734f7efac6402c9edbd49bc5c SHA1: 0afdc73e16c8f8c3a84af9edc0cb710afc7929f6 MD5: aabfef7012a8afef5a38e48a2ecc3e66
M20-y1mn1	DarkComet_fd6af5f9	Windows	This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system.	fd6af5f98b2b68add91fd43c0e9e2aae	https://blog.talosintelligence.com/2020/06/threat-roundup-0529-0605.html SHA256: 50e76d4936b183bf0c03761a38bf0d74e037ce72b59df8a28764b7f446675f51 SHA1: 68a6a226909396bb31d2b88fdc0c1513514b1a2a MD5: fd6af5f98b2b68add91fd43c0e9e2aae
M20-wl4k1	WellMess_f18ced87	Windows	This strike sends a malware sample known as WellMess. WellMess is a lightweight malware written in either Golang or .NET. It has been seen in the wild targeting organizations involved in COVID-19 research and vaccine development. It is designed to execute arbitrary shell commands, upload and download files. These samples are implants that allow a remote operator to establish encrypted communication with c2 servers to send and retrieve malicious scripts on an infected system.	f18ced8772e9d1a640b8b4a731dfb6e0	https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198b SHA256: 953b5fc9977e2d50f3f72c6ce85e89428937117830c0ed67d468e2d93aa7ec9a SHA1: 92f7b470c5a2c95a4df04c2c5cd50780f6dbdda1 MD5: f18ced8772e9d1a640b8b4a731dfb6e0
M20-k1gk1	Emotet_15cbe4fd	Windows	This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails.	15cbe4fdac2c40d14c0e5cc325a46c26	https://blog.talosintelligence.com/2020/07/threat-roundup-0703-0710.html SHA256: 019cb08d08f8512b3a6af74bf8f1f4c99c8a9691af2775183c95e67c10388e74 SHA1: 1e7967ff30f173c2f990a1d3052a8acfc42f9733 MD5: 15cbe4fdac2c40d14c0e5cc325a46c26
M20-8ue71	NetWire_06008156	Windows	This strike sends a malware sample known as NetWire. Netwire is a Remote Access Trojan that lets attackers execute commands on the infected host.	06008156d85ad3dfeea6abdb65eea5c3	https://blog.talosintelligence.com/2020/07/threat-roundup-0703-0710.html SHA256: 22c07b60b192d882381a9e4e5c1cefff80c7bdcf12efa66d19765625b9ea7d00 SHA1: cfa7fca227843cff5c7d5c12e591cb8669da452d MD5: 06008156d85ad3dfeea6abdb65eea5c3
M20-obtk1	NetWire_ad08c13a	Windows	This strike sends a malware sample known as NetWire. Netwire is a Remote Access Trojan that lets attackers execute commands on the infected host.	ad08c13afea59519ec36163c9942c44d	https://blog.talosintelligence.com/2020/07/threat-roundup-0703-0710.html SHA256: 483b6c1fc090a248beb40574446a998c3af6a8f3c42df5f0e95a162fd4b9b534 SHA1: 4d0e8803552159d436ed5d4264aa58644a4542f7 MD5: ad08c13afea59519ec36163c9942c44d
M20-4n931	TinyBanker_0f1da9b6	Windows	This strike sends a malware sample known as TinyBanker. The malware TinyBanker, also known as Zusy or Tinba, is a trojan that uses a javascript injected form to steal banking information. When executed, it injects itself into Windows processes like "explorer.exe" and "winver.exe.	0f1da9b6fffc07884725e9eec9dbe85c	https://blog.talosintelligence.com/2020/07/threat-roundup-0710-0717.html SHA256: b47214f748eef3fdd27388c1d59b4a308910d442f78cead2dee6895169ae9e76 SHA1: 8f67bb887c3e84f063dcd402614495198f9e538f MD5: 0f1da9b6fffc07884725e9eec9dbe85c
M20-7osy1	DarkComet_9faa5a31	Windows	This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system.	9faa5a3166dc6fbc745d085d154ddd93	https://blog.talosintelligence.com/2020/06/threat-roundup-0529-0605.html SHA256: 5d0671d8aa8a4c3eaeca7d73c197f20fa5e3698f97d9f99abf50b4e43ab1d113 SHA1: 9d424326bd59695cd59295f06a861a01fc5e4839 MD5: 9faa5a3166dc6fbc745d085d154ddd93
M20-9xaa1	TinyBanker_13d1b1f5	Windows	This strike sends a malware sample known as TinyBanker. The malware TinyBanker, also known as Zusy or Tinba, is a trojan that uses a javascript injected form to steal banking information. When executed, it injects itself into Windows processes like "explorer.exe" and "winver.exe.	13d1b1f5afe9d95a5d3a67243b15bbf6	https://blog.talosintelligence.com/2020/07/threat-roundup-0710-0717.html SHA256: 3c21cb07d0391719918fa40c59ac02b1d0444813bff01aa57ed0173ea17907fe SHA1: fc4680ad54ce3dbb7e382467f3795c97da4470de MD5: 13d1b1f5afe9d95a5d3a67243b15bbf6
M20-5ge01	DarkComet_0d3a2129	Windows	This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system.	0d3a2129a486493974d845cbb5ff41e4	https://blog.talosintelligence.com/2020/06/threat-roundup-0529-0605.html SHA256: 31535bfd8856f9497076a79fc6bac118901275a4928e9c31bfd42641aa624a98 SHA1: eb72bc690b2be5033faca68820ecc0388c89df26 MD5: 0d3a2129a486493974d845cbb5ff41e4
M20-n44n1	TinyBanker_e20a97a6	Windows	This strike sends a malware sample known as TinyBanker. The malware TinyBanker, also known as Zusy or Tinba, is a trojan that uses a javascript injected form to steal banking information. When executed, it injects itself into Windows processes like "explorer.exe" and "winver.exe.	e20a97a65ec439978dba244cb67a9a48	https://blog.talosintelligence.com/2020/07/threat-roundup-0710-0717.html SHA256: 43b909534495841ca1ca6d5a16b4a8ced3c611ae84114d150731c9606cb1b574 SHA1: f86353352ebd92bb10bfab1fd694e8966502261f MD5: e20a97a65ec439978dba244cb67a9a48
M20-9oew1	NetWire_f17dc7f4	Windows	This strike sends a malware sample known as NetWire. Netwire is a Remote Access Trojan that lets attackers execute commands on the infected host.	f17dc7f4fe64200ef073b064ee74a4eb	https://blog.talosintelligence.com/2020/07/threat-roundup-0703-0710.html SHA256: 400dc0e03ffdbe53b008300711d2490e94f7b9eab93ac16ae49b39abd28a48ac SHA1: 574a1e1c54a143915983aa45e525ebad612bbca2 MD5: f17dc7f4fe64200ef073b064ee74a4eb
M20-2i2a1	TinyBanker_290ba91b	Windows	This strike sends a malware sample known as TinyBanker. The malware TinyBanker, also known as Zusy or Tinba, is a trojan that uses a javascript injected form to steal banking information. When executed, it injects itself into Windows processes like "explorer.exe" and "winver.exe.	290ba91b81e92f59bb9174cce41d97d3	https://blog.talosintelligence.com/2020/07/threat-roundup-0710-0717.html SHA256: 4d060e479439e757e3472f81a15da6ae38c7cbf9155c7de9817bf30552088b22 SHA1: fa84aa97a4e15d4ad4435ade518538942c227a6d MD5: 290ba91b81e92f59bb9174cce41d97d3
M20-ndtq1	Emotet_07d8ff0a	Windows	This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails.	07d8ff0ad28c47ecce6cd3a7b1f86bbd	https://blog.talosintelligence.com/2020/07/threat-roundup-0703-0710.html SHA256: bdb054e3f565c5bf244417609322ccebcab26fdbc74c31516ce66ffd2aed2268 SHA1: beed57f3be93af3b49a3c905299e856e788e4622 MD5: 07d8ff0ad28c47ecce6cd3a7b1f86bbd
M20-i5ni1	DarkComet_2b04df87	Windows	This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system.	2b04df87d237933c7e71774904fc6e0c	https://blog.talosintelligence.com/2020/06/threat-roundup-0529-0605.html SHA256: 1be1d57117ab25b16d4d17176062dc0cb469e25dcf2ec8c751c2104365697ae6 SHA1: bd7199a08b3aebe0a080965a517fb6599ff500d2 MD5: 2b04df87d237933c7e71774904fc6e0c
M20-vy0h1	TinyBanker_3bb35a94	Windows	This strike sends a malware sample known as TinyBanker. The malware TinyBanker, also known as Zusy or Tinba, is a trojan that uses a javascript injected form to steal banking information. When executed, it injects itself into Windows processes like "explorer.exe" and "winver.exe.	3bb35a94356e2fc3083256ad8ef0ff0f	https://blog.talosintelligence.com/2020/07/threat-roundup-0710-0717.html SHA256: 200a2c5eaa6ce90cc3f825ec4f4f3d8de444282dbd558a9dd0698a9520db2a58 SHA1: 65abe6f5a75658e03e43529c65092e8da386d813 MD5: 3bb35a94356e2fc3083256ad8ef0ff0f
M20-kz851	WastedLocker_2cc4534b	Windows	This strike sends a malware sample known as WastedLocker. WastedLocker is a new targeted ransomware that was created by the organization known as Evil Corp. Recently it has been seen in the wild attacking mostly US based Fortune 500 companies. Once infected PsExec runs the WastedLocker binary, and it begins to encrypt data on the system as well as deleting shadow volumes. The encrypted files include a combination of the company's name and the string "wasted". Additionally files with the appended string "_info" contain the left behind ransom note.	2cc4534b0dd0e1c8d5b89644274a10c1	https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/ SHA256: 905ea119ad8d3e54cd228c458a1b5681abc1f35df782977a23812ec4efa0288a SHA1: 735ee2c15c0b7172f65d39f0fd33b9186ee69653 MD5: 2cc4534b0dd0e1c8d5b89644274a10c1
M20-tiib1	TinyBanker_28f303b6	Windows	This strike sends a malware sample known as TinyBanker. The malware TinyBanker, also known as Zusy or Tinba, is a trojan that uses a javascript injected form to steal banking information. When executed, it injects itself into Windows processes like "explorer.exe" and "winver.exe.	28f303b61050866816ddde0597134e83	https://blog.talosintelligence.com/2020/07/threat-roundup-0710-0717.html SHA256: 40789d2be55ca929fe9e9ebdf084b84a42ec88d166744d06bbda41e24bb98e39 SHA1: 90ef73f984ae4cf09e19f0a69138d75544e5d9fe MD5: 28f303b61050866816ddde0597134e83
M20-i6tl1	Emotet_daca8565	Windows	This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails.	daca8565d4e8c131ad95e2ed744f7e46	https://blog.talosintelligence.com/2020/07/threat-roundup-0703-0710.html SHA256: 887226f61b841051a606edd1ced5ad1c1919e71fae4583afea1d995fd027ad08 SHA1: d1fdd23ec6d48d9718c23104c02725dc45473193 MD5: daca8565d4e8c131ad95e2ed744f7e46
M20-0yd11	TinyBanker_958dd51e	Windows	This strike sends a malware sample known as TinyBanker. The malware TinyBanker, also known as Zusy or Tinba, is a trojan that uses a javascript injected form to steal banking information. When executed, it injects itself into Windows processes like "explorer.exe" and "winver.exe.	958dd51e24b8d9f1df8470f971ef5726	https://blog.talosintelligence.com/2020/07/threat-roundup-0710-0717.html SHA256: 645dafa65eec41b157e7dd205b07df97148105950dea2d0722f02f53f449e2a0 SHA1: c4e3d6b2ee15d4cbffc5c8266df9304ad1dc4a8d MD5: 958dd51e24b8d9f1df8470f971ef5726
M20-k6al1	NetWire_bbb734f7	Windows	This strike sends a malware sample known as NetWire. Netwire is a Remote Access Trojan that lets attackers execute commands on the infected host.	bbb734f7ac43646319d4148e58a2dcf4	https://blog.talosintelligence.com/2020/07/threat-roundup-0703-0710.html SHA256: 045ed6c11f72b1a11803a205abcd7ea82b2ad478a8a795984c322f540d159a79 SHA1: 2490ce8e8266b559e3b0b0c54dd35f3b33e8ae2b MD5: bbb734f7ac43646319d4148e58a2dcf4
M20-ww611	NetWire_5479b76d	Windows	This strike sends a malware sample known as NetWire. Netwire is a Remote Access Trojan that lets attackers execute commands on the infected host.	5479b76dc7294f003d4e793c80f22311	https://blog.talosintelligence.com/2020/07/threat-roundup-0703-0710.html SHA256: 492c1e4ae807107b8792e9e4a0c619f92dbb9f0a1fd457ac79fa0e07292354b0 SHA1: ce4fe8c69974ac451aa03cb2e3d95a8530334258 MD5: 5479b76dc7294f003d4e793c80f22311
M20-kvrs1	NetWire_c92888b3	Windows	This strike sends a malware sample known as NetWire. Netwire is a Remote Access Trojan that lets attackers execute commands on the infected host.	c92888b389f779e39804aef0244ff8e4	https://blog.talosintelligence.com/2020/07/threat-roundup-0703-0710.html SHA256: 387109054b3a59071d6ca8af6656eaa223fa4d1825efbcc4213bd192c5d6e29e SHA1: 62961686c78694a227c04b867dd343fe5bea25ca MD5: c92888b389f779e39804aef0244ff8e4
M20-ifta1	DarkComet_07b77b6d	Windows	This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system.	07b77b6d48e99b5c94040411f2f42d06	https://blog.talosintelligence.com/2020/06/threat-roundup-0529-0605.html SHA256: 70ba4783c12ca57a129c5f3ab9d85ee34f5dc753952d15b49f5c54c6f067909e SHA1: 319d8c6e96c8df82943367186359bbdd364cf2ee MD5: 07b77b6d48e99b5c94040411f2f42d06
M20-ksew1	NetWire_68cd8d68	Windows	This strike sends a malware sample known as NetWire. Netwire is a Remote Access Trojan that lets attackers execute commands on the infected host.	68cd8d68115f9d46805a4aaccee773fd	https://blog.talosintelligence.com/2020/07/threat-roundup-0703-0710.html SHA256: 229d7221c71a16c1b2d8bd1f74dded37d27dec2dcc713150d7657837c6c67be0 SHA1: ddfead21af149214c0eaa128e56b0bf7aae279b7 MD5: 68cd8d68115f9d46805a4aaccee773fd
M20-n8yw1	WellMess_a32e1202	Windows	This strike sends a malware sample known as WellMess. WellMess is a lightweight malware written in either Golang or .NET. It has been seen in the wild targeting organizations involved in COVID-19 research and vaccine development. It is designed to execute arbitrary shell commands, upload and download files. These samples are implants that allow a remote operator to establish encrypted communication with c2 servers to send and retrieve malicious scripts on an infected system.	a32e1202257a2945bf0f878c58490af8	https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198b SHA256: a4b790ddffb3d2e6691dcacae08fb0bfa1ae56b6c73d70688b097ffa831af064 SHA1: 416df2d22338f412571cdaedb40ab33eb38977af MD5: a32e1202257a2945bf0f878c58490af8
M20-lmfw1	NetWire_41f2edd9	Windows	This strike sends a malware sample known as NetWire. Netwire is a Remote Access Trojan that lets attackers execute commands on the infected host.	41f2edd93e423aa2c29c97de03e63fed	https://blog.talosintelligence.com/2020/07/threat-roundup-0703-0710.html SHA256: 523e3d1fda9eb37098ae774b20f87e5552c5f38228dcf311298caf4bc5c2d086 SHA1: 70925ffb54be19c5e82d4abceba592f5a3f91be6 MD5: 41f2edd93e423aa2c29c97de03e63fed
M20-96d71	DarkComet_e0034c04	Windows	This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system.	e0034c046f1581fb729c4ddd2a91cd5e	https://blog.talosintelligence.com/2020/06/threat-roundup-0529-0605.html SHA256: 5e59a550cc3f18a66b663286b2ad08a5612fdd34e8e1667f5229c05e3053d48d SHA1: 64058e220af6fb681b9a47519de2cf3b7ef5fd68 MD5: e0034c046f1581fb729c4ddd2a91cd5e
M20-6u8y1	DarkComet_a98f3960	Windows	This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system.	a98f3960268e9543cc989dade3f4242b	https://blog.talosintelligence.com/2020/06/threat-roundup-0529-0605.html SHA256: 833d572bc5d010513b2db0ddf8585146717626ca0b1ed31afcf2c060a85532fc SHA1: bbace94ff7787114a74cd015637dd75fa4960e1d MD5: a98f3960268e9543cc989dade3f4242b
M20-thb61	WellMail_8777a979	Linux	This strike sends a malware sample known as WellMail. This sample of malware has been seen in the wild targeting organizations involved in COVID-19 research and vaccine development. It provides encrypted channels for the attacker to communicate with c2 servers, and the ability to dynamically run scripts on the infected machines.	8777a9796565effa01b03cf1cea9d24d	https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198c SHA256: 83014ab5b3f63b0253cdab6d715f5988ac9014570fa4ab2b267c7cf9ba237d18 SHA1: 53098b025a3f469ebc3e522f7b0999011cafb943 MD5: 8777a9796565effa01b03cf1cea9d24d
M20-8ev91	Emotet_12a8067a	Windows	This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails.	12a8067a952be3e9264d69b401b3628e	https://blog.talosintelligence.com/2020/07/threat-roundup-0703-0710.html SHA256: 1d225e3a3c3f52cadbf07a4ed069b4467c4618310d2f41678584f3704f95d19c SHA1: f442314dc8a12391233a24a6625cff6f046b9ef5 MD5: 12a8067a952be3e9264d69b401b3628e
M20-fo301	TinyBanker_38edfc34	Windows	This strike sends a malware sample known as TinyBanker. The malware TinyBanker, also known as Zusy or Tinba, is a trojan that uses a javascript injected form to steal banking information. When executed, it injects itself into Windows processes like "explorer.exe" and "winver.exe.	38edfc343314d3f858e2e02cd2144461	https://blog.talosintelligence.com/2020/07/threat-roundup-0710-0717.html SHA256: 292daa2b85d6423471ab688bf3dcaa91661f9e930ecdf88d9ae8cefdfe8e76fb SHA1: 37e26707457e8d82fd385c9a5a0348fbd2bd7721 MD5: 38edfc343314d3f858e2e02cd2144461
M20-tkow1	Emotet_ae09fcee	Windows	This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails.	ae09fceed70fd9b510641b63be5a6502	https://blog.talosintelligence.com/2020/07/threat-roundup-0703-0710.html SHA256: d8e201ed2ca53622f1ca4cd4b794879ab2b6dc6d52e5e4e12540da1c3d588e0c SHA1: 9a73530f8671914be4b317080e0b7b559ac267e8 MD5: ae09fceed70fd9b510641b63be5a6502
M20-xhwd1	NetWire_c3925b82	Windows	This strike sends a malware sample known as NetWire. Netwire is a Remote Access Trojan that lets attackers execute commands on the infected host.	c3925b82df0463c9329a0557f457540d	https://blog.talosintelligence.com/2020/07/threat-roundup-0703-0710.html SHA256: 542d5b4e9100882a16a6ce60c6ff8532b1f0a22a7bdcda84c35cd7a1b49df664 SHA1: 6b89b78ce1d4b4dfb49386425ba2dc9ccb9e5211 MD5: c3925b82df0463c9329a0557f457540d
M20-qqc01	WellMess_7b9a439c	Windows	This strike sends a polymorphic malware sample known as WellMess. WellMess is a lightweight malware written in either Golang or .NET. It has been seen in the wild targeting organizations involved in COVID-19 research and vaccine development. It is designed to execute arbitrary shell commands, upload and download files. These samples are implants that allow a remote operator to establish encrypted communication with c2 servers to send and retrieve malicious scripts on an infected system.The binary has a random section name renamed according to the PE format specification.	7b9a439ca58e3f76cbd60dcc60f77446	https://arxiv.org/abs/1801.08917 SHA256: 8ec45abe4179a22a739bcd48325ac1dd148c2d8c8a501c73dc8b7d2c28cb1b77 SHA1: ab974869f02a8f3e400e24955c7375bcf154a7b2 PARENTID: M20-n8yw1 SSDEEP: 6144:Yt4156qfXqT02bFXCYv123kUo4GECAOcL6xDE4U:Ic6qkt5vdU6ECe4U MD5: 7b9a439ca58e3f76cbd60dcc60f77446
M20-efew1	TinyBanker_f77992eb	Windows	This strike sends a polymorphic malware sample known as TinyBanker. The malware TinyBanker, also known as Zusy or Tinba, is a trojan that uses a javascript injected form to steal banking information. When executed, it injects itself into Windows processes like "explorer.exe" and "winver.exe.The binary has a random section name renamed according to the PE format specification.	f77992eb5a494bdcd8dcda9bf5652937	https://arxiv.org/abs/1801.08917 SHA256: b30fb527393d891d28ccd413e119ea309a13749c38e5b661a21c519323febd29 SHA1: 0f177e999846f3fbfaa1591c139977d78ad31816 PARENTID: M20-cbuc1 SSDEEP: 768:r/g94T0zUb/PnM3PC8Q8MVUgiCn4Pd3r9PLjpoNPydMUgtL:44QUbHM3PC8Q1Hn417sNPy+L MD5: f77992eb5a494bdcd8dcda9bf5652937
M20-hks71	Emotet_7fba0b9a	Windows	This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails.	7fba0b9afbf7a224224b3ce6be675f0d	https://blog.talosintelligence.com/2020/07/threat-roundup-0703-0710.html SHA256: 633bed3b02759cc36b1e72c124d298607e68697a75f61f221b5b59decde14ecb SHA1: 6bb10b0e1a416ad0b66bd90ad6f3e472a10922d0 MD5: 7fba0b9afbf7a224224b3ce6be675f0d
M20-vws91	TinyBanker_0ed39328	Windows	This strike sends a malware sample known as TinyBanker. The malware TinyBanker, also known as Zusy or Tinba, is a trojan that uses a javascript injected form to steal banking information. When executed, it injects itself into Windows processes like "explorer.exe" and "winver.exe.	0ed39328beae48e12b4dc877064b30d1	https://blog.talosintelligence.com/2020/07/threat-roundup-0710-0717.html SHA256: 8cf7d553e27a5c642812bb040f97bc92746d64b9909bddbb38916d36fbeb8c0f SHA1: 89048b155b57f9824f6e20fad4e6b2a09d851441 MD5: 0ed39328beae48e12b4dc877064b30d1
M20-ifi31	DarkComet_8e003595	Windows	This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system.	8e003595d3f489e4776c97c8aabfa7b9	https://blog.talosintelligence.com/2020/06/threat-roundup-0529-0605.html SHA256: 0e473f4bdc3a37ef888a4f44616e0c09c38b8d7fcdb617736aa8f294dd99e920 SHA1: 94afe765dcabc9b2d0b5edef418d6f7caa8cc3ec MD5: 8e003595d3f489e4776c97c8aabfa7b9
M20-yzp81	WastedLocker_6b20ef8f	Windows	This strike sends a malware sample known as WastedLocker. WastedLocker is a new targeted ransomware that was created by the organization known as Evil Corp. Recently it has been seen in the wild attacking mostly US based Fortune 500 companies. Once infected PsExec runs the WastedLocker binary, and it begins to encrypt data on the system as well as deleting shadow volumes. The encrypted files include a combination of the company's name and the string "wasted". Additionally files with the appended string "_info" contain the left behind ransom note.	6b20ef8fb494cc6e455220356de298d0	https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/ SHA256: 887aac61771af200f7e58bf0d02cb96d9befa11deda4e448f0a700ccb186ce9d SHA1: 763d356d30e81d1cd15f6bc6a31f96181edb0b8f MD5: 6b20ef8fb494cc6e455220356de298d0
M20-c9tb1	WastedLocker_f67ea8e4	Windows	This strike sends a malware sample known as WastedLocker. WastedLocker is a new targeted ransomware that was created by the organization known as Evil Corp. Recently it has been seen in the wild attacking mostly US based Fortune 500 companies. Once infected PsExec runs the WastedLocker binary, and it begins to encrypt data on the system as well as deleting shadow volumes. The encrypted files include a combination of the company's name and the string "wasted". Additionally files with the appended string "_info" contain the left behind ransom note.	f67ea8e471e827e4b7b65b65647d1d46	https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/ SHA256: e3bf41de3a7edf556d43b6196652aa036e48a602bb3f7c98af9dae992222a8eb SHA1: e62d3a4fe0da1b1b8e9bcff3148becd6d02bcb07 MD5: f67ea8e471e827e4b7b65b65647d1d46
M20-7cqt1	Emotet_2ed2b0d2	Windows	This strike sends a polymorphic malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails.The binary has the timestamp field updated in the PE file header.	2ed2b0d2f3f9662f99381c5bd18118f0	https://attack.mitre.org/techniques/T1099/ SHA256: 16e03f284d8a56db4fa112d46edd50537e35125c91086d68362ab8892e4f5a62 SHA1: bdcb584762443fee90ce2582a03750cd9408f5fd PARENTID: M20-75mm1 SSDEEP: 6144:QjNX3w7TC9rybQb3AnUpBlvKLB6bVlWi+e6k46qz2gFcvAtyKZDG:QRX3wK9rybO3AlLBeTWi+eO6e2zAtyKI MD5: 2ed2b0d2f3f9662f99381c5bd18118f0
M20-75mm1	Emotet_88e9eabc	Windows	This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails.	88e9eabc35088da3b3b31d5134dc1b49	https://blog.talosintelligence.com/2020/07/threat-roundup-0703-0710.html SHA256: 0622420430e3559c1a5175e77584feebbeac977922c0a5b72d52d996e8ba6707 SHA1: 03cfa8f152e83166b76db5ebafcd8211d92fe31c MD5: 88e9eabc35088da3b3b31d5134dc1b49
M20-k6mq1	Emotet_b612a63c	Windows	This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails.	b612a63c45a0bbd1370572e19382bb18	https://blog.talosintelligence.com/2020/07/threat-roundup-0703-0710.html SHA256: c4339507d79d74a6260ee7769b98c58d3b5289a470bee7c5a87f96c78efc3851 SHA1: 089c8fa399a89bc7668c956f1dca854131ea2617 MD5: b612a63c45a0bbd1370572e19382bb18
M20-ekjm1	TinyBanker_2b2ac146	Windows	This strike sends a malware sample known as TinyBanker. The malware TinyBanker, also known as Zusy or Tinba, is a trojan that uses a javascript injected form to steal banking information. When executed, it injects itself into Windows processes like "explorer.exe" and "winver.exe.	2b2ac1463040f9809c34d776e7fb5e6a	https://blog.talosintelligence.com/2020/07/threat-roundup-0710-0717.html SHA256: b43794417fec9191f8700df446b20875bb753c9380c70e0c7c6869502fa16282 SHA1: 98e69cb347d4966573ee9b3295251f51ca3c8e37 MD5: 2b2ac1463040f9809c34d776e7fb5e6a
M20-2wjp1	WastedLocker_3208a14c	Windows	This strike sends a malware sample known as WastedLocker. WastedLocker is a new targeted ransomware that was created by the organization known as Evil Corp. Recently it has been seen in the wild attacking mostly US based Fortune 500 companies. Once infected PsExec runs the WastedLocker binary, and it begins to encrypt data on the system as well as deleting shadow volumes. The encrypted files include a combination of the company's name and the string "wasted". Additionally files with the appended string "_info" contain the left behind ransom note.	3208a14c9bad334e331febe00f1e9734	https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/ SHA256: 85f391ecd480711401f6da2f371156f995dd5cff7580f37791e79e62b91fd9eb SHA1: 809fbd450e1a484a5af4ec05c345b2a7072723e7 MD5: 3208a14c9bad334e331febe00f1e9734
M20-evht1	TinyBanker_0c0b91df	Windows	This strike sends a malware sample known as TinyBanker. The malware TinyBanker, also known as Zusy or Tinba, is a trojan that uses a javascript injected form to steal banking information. When executed, it injects itself into Windows processes like "explorer.exe" and "winver.exe.	0c0b91df5d347924d0efa649e9f7ca63	https://blog.talosintelligence.com/2020/07/threat-roundup-0710-0717.html SHA256: 15b502a449d911c76cce06cd378d291e8039619a06ace593abbdd2cebe3add27 SHA1: 23070b82c6a5fb619a3e8f38f96f4fda366ef24b MD5: 0c0b91df5d347924d0efa649e9f7ca63
M20-cbuc1	TinyBanker_13c2cce6	Windows	This strike sends a malware sample known as TinyBanker. The malware TinyBanker, also known as Zusy or Tinba, is a trojan that uses a javascript injected form to steal banking information. When executed, it injects itself into Windows processes like "explorer.exe" and "winver.exe.	13c2cce63f1e8ae54c4b2f15770e69f3	https://blog.talosintelligence.com/2020/07/threat-roundup-0710-0717.html SHA256: 141731282c5378b959ee12a97d564b58bacae43a50ffbca289a5df8ba8d0771d SHA1: 89a90ff4f2fb186cff3d691998cd9ba461ffb05b MD5: 13c2cce63f1e8ae54c4b2f15770e69f3
M20-zeeo1	TinyBanker_40ad77d0	Windows	This strike sends a polymorphic malware sample known as TinyBanker. The malware TinyBanker, also known as Zusy or Tinba, is a trojan that uses a javascript injected form to steal banking information. When executed, it injects itself into Windows processes like "explorer.exe" and "winver.exe.The binary has random strings (lorem ipsum) appended at the end of the file.	40ad77d0de2dae24d1c942ba7f5e7c2e	https://attack.mitre.org/techniques/T1009/ SHA256: 4fe168b7028b1ad9985943474862f09b093915de233836d49e5a661c010af344 SHA1: a8577e727471ef1d6e239dd3c7ebc39af79f3bb6 PARENTID: M20-cbuc1 SSDEEP: 768:D/g94T0zUb/PnM3PC8Q8MVUgiCn4Pd3r9PLjpoNPydMUgtNU:w4QUbHM3PC8Q1Hn417sNPy+a MD5: 40ad77d0de2dae24d1c942ba7f5e7c2e
M20-6vdo1	WellMess_a2f5614f	Windows	This strike sends a polymorphic malware sample known as WellMess. WellMess is a lightweight malware written in either Golang or .NET. It has been seen in the wild targeting organizations involved in COVID-19 research and vaccine development. It is designed to execute arbitrary shell commands, upload and download files. These samples are implants that allow a remote operator to establish encrypted communication with c2 servers to send and retrieve malicious scripts on an infected system.The binary has random bytes appended at the end of the file.	a2f5614fa377753a02eed40056aa2459	https://attack.mitre.org/techniques/T1009/ SHA256: b67d856656e58e34b41086f4b0be823dd56b75af60485cc563c01b95711286be SHA1: 143ca415e9321b8b89e162fa9f06cfd6de33ce2d PARENTID: M20-n8yw1 SSDEEP: 6144:4t4156qfXqT02bFXCYv123kUo4GECAOcL6xDE4Ufa:oc6qkt5vdU6ECe4Ufa MD5: a2f5614fa377753a02eed40056aa2459
M20-j2ia1	NetWire_bf8079de	Windows	This strike sends a malware sample known as NetWire. Netwire is a Remote Access Trojan that lets attackers execute commands on the infected host.	bf8079de4a89e0a0ebd154d99d05b91e	https://blog.talosintelligence.com/2020/07/threat-roundup-0703-0710.html SHA256: 26fe99cf61903d3dd464b96e87bc8640dd1d1ba9df2c795e2f27db6dfb74522d SHA1: da92d8768be7a4a977802495f67f96b8ee591218 MD5: bf8079de4a89e0a0ebd154d99d05b91e
M20-0uff1	DarkComet_848fc1fa	Windows	This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system.	848fc1fa772f49d8f4563f38b3f4f002	https://blog.talosintelligence.com/2020/06/threat-roundup-0529-0605.html SHA256: 18bc76cc05f305549fbee7757c01f897110effac971738af751815589036d5dc SHA1: 200be1cad6d7234ce468d6743ff27c79f490ec92 MD5: 848fc1fa772f49d8f4563f38b3f4f002
M20-rhxa1	Emotet_932a3448	Windows	This strike sends a polymorphic malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails.The binary has random contents appended in one of the existing sections in the PE file format.	932a344809bbabf777916b63e4e4e9ca	https://arxiv.org/abs/1801.08917 SHA256: 8add6324ff072fa544e73a8a300c9d8c20b251b8af6d449f2d9e3a1c11509311 SHA1: 6a98e51d8fb40ffcf73c815d9d537294a373e1b0 PARENTID: M20-8ev91 SSDEEP: 6144:+jNX3w7TC9rybQb3AnUpBlvKLB6bVlWi+e6k46qz2g5cvAtyKZD:+RX3wK9rybO3AlLBeTWi+eO6e23AtyK MD5: 932a344809bbabf777916b63e4e4e9ca
M20-ekzf1	WellMess_4d38ac33	Linux	This strike sends a malware sample known as WellMess. WellMess is a lightweight malware written in either Golang or .NET. It has been seen in the wild targeting organizations involved in COVID-19 research and vaccine development. It is designed to execute arbitrary shell commands, upload and download files. These samples are implants that allow a remote operator to establish encrypted communication with c2 servers to send and retrieve malicious scripts on an infected system.	4d38ac3319b167f6c8acb16b70297111	https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198b SHA256: 7c39841ba409bce4c2c35437ecf043f22910984325c70b9530edf15d826147ee SHA1: 01a71390892fad77987aa09a630b04ff72e37d5d MD5: 4d38ac3319b167f6c8acb16b70297111
M20-i73r1	Emotet_8b14c2ff	Windows	This strike sends a polymorphic malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails.The binary file has one more imports added in the import table.	8b14c2ffbe2dd64f0a1937148e73c836	https://arxiv.org/abs/1702.05983 SHA256: 76accf214074a7c84309e275fa7d7fa18a22bdf6ddbcc86885e197a6bb647ff3 SHA1: f7b990444fb49812622fb675116e3a7b267a319c PARENTID: M20-75mm1 SSDEEP: 6144:njNX3w7TC9rybQb3AnUpBlvKLB6bVlWi+e6k46qL205cvAtyKZDZ:nRX3wK9rybO3AlLBeTWi+eO6K2rAtyK MD5: 8b14c2ffbe2dd64f0a1937148e73c836
M20-7x081	NetWire_c4166c5f	Windows	This strike sends a malware sample known as NetWire. Netwire is a Remote Access Trojan that lets attackers execute commands on the infected host.	c4166c5f4bd570cd999f41474b664e4b	https://blog.talosintelligence.com/2020/07/threat-roundup-0703-0710.html SHA256: 44fd21ec687bfbecc1002f1a5e640f0d782b9aa9beff7e4822704fe1a09907b5 SHA1: 79090473cfdb6953da7fa188f4382e9a85ae5070 MD5: c4166c5f4bd570cd999f41474b664e4b
M20-jv5u1	TinyBanker_a862c24d	Windows	This strike sends a polymorphic malware sample known as TinyBanker. The malware TinyBanker, also known as Zusy or Tinba, is a trojan that uses a javascript injected form to steal banking information. When executed, it injects itself into Windows processes like "explorer.exe" and "winver.exe.The binary has random bytes appended at the end of the file.	a862c24d8824f88826ed42e5654a6088	https://attack.mitre.org/techniques/T1009/ SHA256: 2c94212a010e8fc70c1c52fa64eded136f09964713a82ef9cf73802f5e1314d4 SHA1: 70c7e8f13e4442332029f87a422e2445e16f7234 PARENTID: M20-ou7j1 SSDEEP: 768:V/g94T0zUb/PnM3PC8Q8MVUgiCn4Pd3r9PLjpoNPydMUgtf:24QUbHM3PC8Q1Hn417sNPy+f MD5: a862c24d8824f88826ed42e5654a6088
M20-o7xc1	Emotet_f1a41902	Windows	This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails.	f1a419027bbe163301f856c793e8dc48	https://blog.talosintelligence.com/2020/07/threat-roundup-0703-0710.html SHA256: f21aaec6dab4428d5462f0a917908556054093fa9b94f386c94abc572c9d9e0e SHA1: 1468f82412c45be51b51619d9788b2a55bfe4e4f MD5: f1a419027bbe163301f856c793e8dc48
M20-vvs51	WellMess_3a9cdd8a	Linux	This strike sends a malware sample known as WellMess. WellMess is a lightweight malware written in either Golang or .NET. It has been seen in the wild targeting organizations involved in COVID-19 research and vaccine development. It is designed to execute arbitrary shell commands, upload and download files. These samples are implants that allow a remote operator to establish encrypted communication with c2 servers to send and retrieve malicious scripts on an infected system.	3a9cdd8a5cbc3ab10ad64c4bb641b41f	https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198b SHA256: 5ca4a9f6553fea64ad2c724bf71d0fac2b372f9e7ce2200814c98aac647172fb SHA1: e45f89c923d0361ce8f9c64a63031860a76b2d10 MD5: 3a9cdd8a5cbc3ab10ad64c4bb641b41f
M20-3lhg1	WellMess_2f9f4f2a	Linux	This strike sends a malware sample known as WellMess. WellMess is a lightweight malware written in either Golang or .NET. It has been seen in the wild targeting organizations involved in COVID-19 research and vaccine development. It is designed to execute arbitrary shell commands, upload and download files. These samples are implants that allow a remote operator to establish encrypted communication with c2 servers to send and retrieve malicious scripts on an infected system.	2f9f4f2a9d438cdc944f79bdf44a18f8	https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198b SHA256: e329607379a01483fc914a47c0062d5a3a8d8d65f777fbad2c5a841a90a0af09 SHA1: 709878e13633e44b45ad1ab569ad34e3dc1efd3b MD5: 2f9f4f2a9d438cdc944f79bdf44a18f8

Malware Strikes June - 2020

Strike ID	Malware	Platform	Info	MD5	External References
M20-2ej01	Cybergate_dbb05d12	Windows	This strike sends a malware sample known as Cybergate. Cybergate, also known as Rebhip, is a Remote Access Trojan that allows attackers to fully control the target system. Functionality includes command shell interaction, screenshot capturing, audio/video capturing, keylogging, as well as uploading/downloading files from the target system.	dbb05d1214a55a1519b0ca816704452f	https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html SHA256: 1cc729e873bc0ccc68b2cef59562a5196793c0511b05f952a096ce87c27bb02f SHA1: 9e9ea3f6ba4ecfa74c18ecd355e83f7e98dfb835 MD5: dbb05d1214a55a1519b0ca816704452f
M20-hdw11	Fareit_12113af5	Windows	This strike sends a malware sample known as Fareit. Fareit steals and harvests credentials from the targeted system. This information is then exfiltrated to a C2 server.	12113af567bb825035e81fd73ff83d0b	https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html SHA256: 10d0eaec661c9ec08bc6b28810666956ac6a76b054de73c6b8de46dec6147de4 SHA1: 90732a9aac12e720eb2ca1b806398a4e0e94a794 MD5: 12113af567bb825035e81fd73ff83d0b
M20-wfai1	Dridex_29ace502	Windows	This strike sends a malware sample known as Dridex. Dridex is an online banking malware that steals personal information through HTML injections. It was first spotted at the end of 2014 and its inventors keep improving it periodically since then. The latest improvement is the addition of AtomBombing technique (does not exploit any vulnerabilities but uses a design flaw in Windows related to system-level Atom Tables) which makes Dridex harder to detect by antiviruses.	29ace5025e0662d3c30e4ca96ec38eeb	https://blog.talosintelligence.com/2020/06/threat-roundup-0529-0605.html SHA256: fe6fad62d3e63eed458d33cfec58e20468d685bc21f69161f5f036bd5eb3c926 SHA1: c84383a51034b045093c049b6d689ec9f37d75c9 MD5: 29ace5025e0662d3c30e4ca96ec38eeb
M20-oh6y1	Cybergate_b5e64476	Windows	This strike sends a malware sample known as Cybergate. Cybergate, also known as Rebhip, is a Remote Access Trojan that allows attackers to fully control the target system. Functionality includes command shell interaction, screenshot capturing, audio/video capturing, keylogging, as well as uploading/downloading files from the target system.	b5e64476b8c7ecfa37c3ec3374934018	https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html SHA256: 3851caf965504e6d99ad2d541af43f8f4213c6ddaa460b8e7b812e2fdb299316 SHA1: e23f969c44621b3b29d18eabe323c68c873aaafb MD5: b5e64476b8c7ecfa37c3ec3374934018
M20-09up1	Zbot_dd17daf4	Windows	This strike sends a malware sample known as Zbot. Zbot also known as Zeus is a trojan often associated with stealing banking information by keystroke logging and form grabbing techniques.	dd17daf4e28133d0fb052ba229b80342	https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html SHA256: 476ce28be8b7576a3b0576e7dd8f90f2aa1cfc59ad90adb5abf14a9d5d866b84 SHA1: 89754b05c5a57b3ac78723a5ae394476beaededd MD5: dd17daf4e28133d0fb052ba229b80342
M20-foy31	Dridex_56afa171	Windows	This strike sends a malware sample known as Dridex. Dridex is an online banking malware that steals personal information through HTML injections. It was first spotted at the end of 2014 and its inventors keep improving it periodically since then. The latest improvement is the addition of AtomBombing technique (does not exploit any vulnerabilities but uses a design flaw in Windows related to system-level Atom Tables) which makes Dridex harder to detect by antiviruses.	56afa1715bfa03bdf47e45c9a12b9dda	https://blog.talosintelligence.com/2020/06/threat-roundup-0529-0605.html SHA256: 15c213fa11b0440a690133df83c63e7f2729eb1b41e7143291f98a4b9d29f7a5 SHA1: 10b13d36e90c92b4ecb80c96fae504d974372fa9 MD5: 56afa1715bfa03bdf47e45c9a12b9dda
M20-zj661	Zbot_0b8b4771	Windows	This strike sends a malware sample known as Zbot. Zbot also known as Zeus is a trojan often associated with stealing banking information by keystroke logging and form grabbing techniques.	0b8b477194321fb2547deae4afd052eb	https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html SHA256: 5e15c7ef36f861bd967c4b7cf7b4476d37be287e3b1e18cc41168810b9e36f3f SHA1: 93991b30b6587bb3ad740c3713947ba4662e8d25 MD5: 0b8b477194321fb2547deae4afd052eb
M20-dbms1	Zbot_61bb1504	Windows	This strike sends a malware sample known as Zbot. Zbot also known as Zeus is a trojan often associated with stealing banking information by keystroke logging and form grabbing techniques.	61bb1504fe867ab02734aaaa7683343f	https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html SHA256: 2240fb081176a4811088f5818d0b5d6a60a2ffd64a8202fdd46b4e05f694ac2d SHA1: 8168c5aea69f349881944535695282e22b5b700a MD5: 61bb1504fe867ab02734aaaa7683343f
M20-n2a51	Dridex_b78246fa	Windows	This strike sends a malware sample known as Dridex. Dridex is an online banking malware that steals personal information through HTML injections. It was first spotted at the end of 2014 and its inventors keep improving it periodically since then. The latest improvement is the addition of AtomBombing technique (does not exploit any vulnerabilities but uses a design flaw in Windows related to system-level Atom Tables) which makes Dridex harder to detect by antiviruses.	b78246fa73a6cc9b69cb41a2ca68fe4a	https://blog.talosintelligence.com/2020/06/threat-roundup-0529-0605.html SHA256: 9366c5124ceb956ef97059b5b649707c0732a85e6912232294d5e3bcb078dd7f SHA1: d9290d34eed824e23b32418276c2e900063bddd3 MD5: b78246fa73a6cc9b69cb41a2ca68fe4a
M20-7b0c1	Ramnit_d211c6ba	Windows	This strike sends a malware sample known as Ramnit. Ramnit is a banking trojan that's been around since 2010 and has recently been resuming activity. After infection, it scans files that have interesting keywords, such as wallet, passwords, or the names of the targeted banks. Ramnit uses malvertising and malware-laden spam for distribution, though it also employed popular exploit kits, such as Angler.	d211c6bae76231b80b3ad3f80edd9dd3	https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html SHA256: 6a793585958d4db348868417923c49a74d6b0e053c8a914669e980a9f06901c6 SHA1: 305ba2cdf7e78be0d63f76c31041825f5df53141 MD5: d211c6bae76231b80b3ad3f80edd9dd3
M20-0yl41	Cybergate_8ba4005b	Windows	This strike sends a malware sample known as Cybergate. Cybergate, also known as Rebhip, is a Remote Access Trojan that allows attackers to fully control the target system. Functionality includes command shell interaction, screenshot capturing, audio/video capturing, keylogging, as well as uploading/downloading files from the target system.	8ba4005b996edcb379796e9d70137847	https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html SHA256: 21d5baf434ba1e61c0d24cc2c49d91e7bae8204d4a69a614dd81193ba2901a1d SHA1: e386e51f52711b6a96c49c260e2fb6f9976bbcdb MD5: 8ba4005b996edcb379796e9d70137847
M20-tycd1	Ramnit_cef48a53	Windows	This strike sends a malware sample known as Ramnit. Ramnit is a banking trojan that's been around since 2010 and has recently been resuming activity. After infection, it scans files that have interesting keywords, such as wallet, passwords, or the names of the targeted banks. Ramnit uses malvertising and malware-laden spam for distribution, though it also employed popular exploit kits, such as Angler.	cef48a53f568fb3649dfc109541a5b42	https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html SHA256: 151f0e9786d903c3831e7555a64b980ae7fb8514f58d1044017b82276aae0d08 SHA1: 30c9c0c2ddfb774f1069671821d24c953296dc51 MD5: cef48a53f568fb3649dfc109541a5b42
M20-n6pb1	Cybergate_2c68199d	Windows	This strike sends a polymorphic malware sample known as Cybergate. Cybergate, also known as Rebhip, is a Remote Access Trojan that allows attackers to fully control the target system. Functionality includes command shell interaction, screenshot capturing, audio/video capturing, keylogging, as well as uploading/downloading files from the target system.The binary has the timestamp field updated in the PE file header.	2c68199d84a6acaea4a0924e338f70c8	https://attack.mitre.org/techniques/T1099/ SHA256: a1dd7ddecbe9de6d58fb108b837a88967becbafb152e429197e56f047a9848d1 SHA1: 4f26f1f9fe04f48f41ab74b8d3988646729b3c91 PARENTID: M20-e7ik1 SSDEEP: 12288:haH6uGURWHTrbPq6US47zWfXkkctzkbpfPFNIKDGZfM/B35aI:0HbGMKT/Pq6USazkkkkopPFNI/fI5aI MD5: 2c68199d84a6acaea4a0924e338f70c8
M20-1mpd1	Zbot_fa39fd7b	Windows	This strike sends a malware sample known as Zbot. Zbot also known as Zeus is a trojan often associated with stealing banking information by keystroke logging and form grabbing techniques.	fa39fd7b7bc3c8b3023c848ee4e6e8f0	https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html SHA256: 2760e4f5c5119988b6c83907da6a3cf60e62c2425456ebf1e06893a00c04b91b SHA1: 0bcdffab5a6fb56b9877607a940319b597a16087 MD5: fa39fd7b7bc3c8b3023c848ee4e6e8f0
M20-cc0t1	Zbot_63a63e4a	Windows	This strike sends a malware sample known as Zbot. Zbot also known as Zeus is a trojan often associated with stealing banking information by keystroke logging and form grabbing techniques.	63a63e4afbcccea6f3d8a3adcdf012b5	https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html SHA256: 356b7cfcc87425f08c9ad492d272b5ac6e0476389193c20ebd37cf95e1215825 SHA1: 19080581f31ce285caa1df2160c16416755958a7 MD5: 63a63e4afbcccea6f3d8a3adcdf012b5
M20-lqct1	Cybergate_3b77c273	Windows	This strike sends a malware sample known as Cybergate. Cybergate, also known as Rebhip, is a Remote Access Trojan that allows attackers to fully control the target system. Functionality includes command shell interaction, screenshot capturing, audio/video capturing, keylogging, as well as uploading/downloading files from the target system.	3b77c27302c72442400739d02483d874	https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html SHA256: 243344e8c4defcf6d918ac46233381c21f2530f162962e8bf8fb384c341035be SHA1: 0216272dd6f1256f7fa68bef0843e2990f1cd083 MD5: 3b77c27302c72442400739d02483d874
M20-8j1p1	Fareit_32468fea	Windows	This strike sends a malware sample known as Fareit. Fareit steals and harvests credentials from the targeted system. This information is then exfiltrated to a C2 server.	32468feac377c04df3a3c8232b2d9a1a	https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html SHA256: 0264313435657e607a5edca952c8d6c6b49a067d889ea1b47861eca0c2151bc8 SHA1: 0c29d8ab76973553995de9600263bb6196ce16c4 MD5: 32468feac377c04df3a3c8232b2d9a1a
M20-rc2c1	Fareit_2b3e69fc	Windows	This strike sends a malware sample known as Fareit. Fareit steals and harvests credentials from the targeted system. This information is then exfiltrated to a C2 server.	2b3e69fccb583599f5c0a11ecb336cb4	https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html SHA256: 9d5f6d8d0ed7cf4af9424f57c34d95ba7a59057cc525ac51698d81c85987855a SHA1: 7a03cbfc9d1014f7cef67c600b6d4fb5e6a1e02c MD5: 2b3e69fccb583599f5c0a11ecb336cb4
M20-68d21	Cybergate_a7fcef42	Windows	This strike sends a malware sample known as Cybergate. Cybergate, also known as Rebhip, is a Remote Access Trojan that allows attackers to fully control the target system. Functionality includes command shell interaction, screenshot capturing, audio/video capturing, keylogging, as well as uploading/downloading files from the target system.	a7fcef4218781bb5375871367d69a035	https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html SHA256: 2fd297ddc4fb433b09adb0894aa7752fc3433a360597e23c5025250cd062e801 SHA1: 6b4524aeea301e29fc9221814069530bde21bbf7 MD5: a7fcef4218781bb5375871367d69a035
M20-ad7l1	Cybergate_86e26de8	Windows	This strike sends a malware sample known as Cybergate. Cybergate, also known as Rebhip, is a Remote Access Trojan that allows attackers to fully control the target system. Functionality includes command shell interaction, screenshot capturing, audio/video capturing, keylogging, as well as uploading/downloading files from the target system.	86e26de88289bf179bdc51a9df320b6d	https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html SHA256: 3b2a0d95b9643dcb1dfa555d9e79fbfbc27e98667014bdd79ff5b9e5c2f72c79 SHA1: 0ae0740bc781e5644b440df514e4fd5adafbf0ca MD5: 86e26de88289bf179bdc51a9df320b6d
M20-4g0r1	Fareit_3e7c67b6	Windows	This strike sends a malware sample known as Fareit. Fareit steals and harvests credentials from the targeted system. This information is then exfiltrated to a C2 server.	3e7c67b6508b90cf7d85110d9a81e1c3	https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html SHA256: 648bbe158a7dafc05b3ac0095ca3eec926970d11054f023c1a4c700069e43883 SHA1: a3348285010f66f1e25474833b436312e5b1a5e1 MD5: 3e7c67b6508b90cf7d85110d9a81e1c3
M20-3bm51	Zbot_b22dbff3	Windows	This strike sends a malware sample known as Zbot. Zbot also known as Zeus is a trojan often associated with stealing banking information by keystroke logging and form grabbing techniques.	b22dbff35d41d361434211f4def02bba	https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html SHA256: 5c0c7d1e7e52685b82c1d170368db66fbfbe06ab3e05c7a8243d9bad5500a64c SHA1: b3187b5d331c652924769220d62bda7a85c69d9f MD5: b22dbff35d41d361434211f4def02bba
M20-nqke1	Fareit_4a65c9c3	Windows	This strike sends a malware sample known as Fareit. Fareit steals and harvests credentials from the targeted system. This information is then exfiltrated to a C2 server.	4a65c9c31cbe443d7fda091cfb29aacf	https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html SHA256: 8e8933daed91bf2a385c9c49d572d9102ae959a582e3c6ea81219ef424951f58 SHA1: 24c85e09a8d8edd31c4609defe2da7341130bcab MD5: 4a65c9c31cbe443d7fda091cfb29aacf
M20-aipe1	Cybergate_accfb8cc	Windows	This strike sends a malware sample known as Cybergate. Cybergate, also known as Rebhip, is a Remote Access Trojan that allows attackers to fully control the target system. Functionality includes command shell interaction, screenshot capturing, audio/video capturing, keylogging, as well as uploading/downloading files from the target system.	accfb8cc51a3e7447436e9f4d5f6584d	https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html SHA256: 01b133f5e10b71f33f117a59e78836294341f26318747f5a504aa2bf2af7869c SHA1: 31480c9ec31d176a4e7e2c3b00dbc02a862b453a MD5: accfb8cc51a3e7447436e9f4d5f6584d
M20-m58m1	Zbot_2d0f9799	Windows	This strike sends a malware sample known as Zbot. Zbot also known as Zeus is a trojan often associated with stealing banking information by keystroke logging and form grabbing techniques.	2d0f9799daa391a41d43691582ff510a	https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html SHA256: 0649a007c9e7e7abc08fcfa53cfbc0a11c3119792b04d2ff6a47f8f53cdc5514 SHA1: e721b10afe61e65d2d3340741381b7c6789f5ad1 MD5: 2d0f9799daa391a41d43691582ff510a
M20-b6mw1	Zbot_668a40a5	Windows	This strike sends a malware sample known as Zbot. Zbot also known as Zeus is a trojan often associated with stealing banking information by keystroke logging and form grabbing techniques.	668a40a5c4156c6b784cd7abce595134	https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html SHA256: 0b9297a648aba6ee27b8a96cc95974be328547141e1b5a3e13e544f71bc045e0 SHA1: 94954457060a1a6c9936f16b77113257451e5b17 MD5: 668a40a5c4156c6b784cd7abce595134
M20-wdo31	Dridex_9659c150	Windows	This strike sends a malware sample known as Dridex. Dridex is an online banking malware that steals personal information through HTML injections. It was first spotted at the end of 2014 and its inventors keep improving it periodically since then. The latest improvement is the addition of AtomBombing technique (does not exploit any vulnerabilities but uses a design flaw in Windows related to system-level Atom Tables) which makes Dridex harder to detect by antiviruses.	9659c150b6e6dbb515fb5a7fe2fd38a5	https://blog.talosintelligence.com/2020/06/threat-roundup-0529-0605.html SHA256: 846c29654222d6d540794abb5adff6da8aee5ecbc0f40ec9aec75610ff75f9d2 SHA1: 5f4004a4ea9f3401350efa8483b4a27fc89ed498 MD5: 9659c150b6e6dbb515fb5a7fe2fd38a5
M20-wyrp1	Fareit_cf67ef85	Windows	This strike sends a malware sample known as Fareit. Fareit steals and harvests credentials from the targeted system. This information is then exfiltrated to a C2 server.	cf67ef8577d94f3dde6bb03a178d77a2	https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html SHA256: 4fe440cf3713df731f2e7eb210eb70575978821b2862dc7161107d8de197824f SHA1: f7b5ca9bef871300c43fd559533a26000933d408 MD5: cf67ef8577d94f3dde6bb03a178d77a2
M20-kybi1	Ramnit_5c2f6dd1	Windows	This strike sends a malware sample known as Ramnit. Ramnit is a banking trojan that's been around since 2010 and has recently been resuming activity. After infection, it scans files that have interesting keywords, such as wallet, passwords, or the names of the targeted banks. Ramnit uses malvertising and malware-laden spam for distribution, though it also employed popular exploit kits, such as Angler.	5c2f6dd17f36c78511975c9bc90bac40	https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html SHA256: ab71e50d7620b1a0563f8a088d7bbc7c8bbe110ec067dc872ffabce155ba6060 SHA1: ad437bb752e1eb9039535065e9d70408b49ef0f9 MD5: 5c2f6dd17f36c78511975c9bc90bac40
M20-ea6i1	Fareit_fed439b3	Windows	This strike sends a malware sample known as Fareit. Fareit steals and harvests credentials from the targeted system. This information is then exfiltrated to a C2 server.	fed439b3cf045e7d40cb6bb3c2631c2e	https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html SHA256: d90afab18a64702ce68aae194c7e73833ab8329e8e9f89013b0195b13123b2ec SHA1: cdbc70b72e3efd0871977d7b3ebc098de4fcb6cd MD5: fed439b3cf045e7d40cb6bb3c2631c2e
M20-zyb41	Zbot_096e0eba	Windows	This strike sends a polymorphic malware sample known as Zbot. Zbot also known as Zeus is a trojan often associated with stealing banking information by keystroke logging and form grabbing techniques.The binary has random strings (lorem ipsum) appended at the end of the file.	096e0eba8eb233f6bf5fbee0fb6cb093	https://attack.mitre.org/techniques/T1009/ SHA256: 7fa7687c7509f526a9f4e96c3ed852ca4462097e5007c6515cf733b5f4eb814d SHA1: 91c83f81dc16fae89aa424dfca901de2ca38c8a8 PARENTID: M20-qrni1 SSDEEP: 6144:5/IZqkiisqNuNWyD+lLo9lvh1GhI30EfNqyF:IqJXqNuNLDyLo9lvhI40S9F MD5: 096e0eba8eb233f6bf5fbee0fb6cb093
M20-8buv1	Cybergate_b450cc20	Windows	This strike sends a malware sample known as Cybergate. Cybergate, also known as Rebhip, is a Remote Access Trojan that allows attackers to fully control the target system. Functionality includes command shell interaction, screenshot capturing, audio/video capturing, keylogging, as well as uploading/downloading files from the target system.	b450cc209f0e230ff9549c962dd6163a	https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html SHA256: 06dd14844f1219660dd4f18b30ff70289ece23be61938842299cbb0bdfe2cba6 SHA1: 72d522c9f2baa9c94ffb28e7a21311927668160e MD5: b450cc209f0e230ff9549c962dd6163a
M20-jztn1	Cybergate_0c689268	Windows	This strike sends a malware sample known as Cybergate. Cybergate, also known as Rebhip, is a Remote Access Trojan that allows attackers to fully control the target system. Functionality includes command shell interaction, screenshot capturing, audio/video capturing, keylogging, as well as uploading/downloading files from the target system.	0c6892685ec8b806453a9ceb44335705	https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html SHA256: 029d9e96045543dde92fcfc3e0850a1056bfe04f583d9d83c3f187d5db2d30a6 SHA1: c6b162774887cac646050e2ebf21913a92378eaf MD5: 0c6892685ec8b806453a9ceb44335705
M20-pz4p1	Ramnit_db4b4a6e	Windows	This strike sends a malware sample known as Ramnit. Ramnit is a banking trojan that's been around since 2010 and has recently been resuming activity. After infection, it scans files that have interesting keywords, such as wallet, passwords, or the names of the targeted banks. Ramnit uses malvertising and malware-laden spam for distribution, though it also employed popular exploit kits, such as Angler.	db4b4a6e729d1214ad33688f4167fffc	https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html SHA256: e1b4dc1a419e73795e791969e0a11770e52adb5ed58414b51ba9e16e46ce906b SHA1: ca05c6f232f14433bb2a9dc63ef4b49d4cdbb2ec MD5: db4b4a6e729d1214ad33688f4167fffc
M20-wtwy1	Ramnit_f8ce6bd4	Windows	This strike sends a malware sample known as Ramnit. Ramnit is a banking trojan that's been around since 2010 and has recently been resuming activity. After infection, it scans files that have interesting keywords, such as wallet, passwords, or the names of the targeted banks. Ramnit uses malvertising and malware-laden spam for distribution, though it also employed popular exploit kits, such as Angler.	f8ce6bd44f51a7d11538d2d7c504ea68	https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html SHA256: 7a77148fafd2bb5a47ccb12d800e9d9e190554c5cb774e62dd519d19639723b4 SHA1: bf8bbef654f89d7c2dddcc3bd0ce7c78a450cab6 MD5: f8ce6bd44f51a7d11538d2d7c504ea68
M20-e7ik1	Cybergate_e30e91e2	Windows	This strike sends a malware sample known as Cybergate. Cybergate, also known as Rebhip, is a Remote Access Trojan that allows attackers to fully control the target system. Functionality includes command shell interaction, screenshot capturing, audio/video capturing, keylogging, as well as uploading/downloading files from the target system.	e30e91e26dd5899759a809ffb26a390a	https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html SHA256: 1e7963141202ea5535603b0239828a6e77613948e8e73b56f48a8d9e958c5744 SHA1: c3975ce610e8fd82efe4e6042749bf05667dda01 MD5: e30e91e26dd5899759a809ffb26a390a
M20-h4io1	Fareit_5c696072	Windows	This strike sends a malware sample known as Fareit. Fareit steals and harvests credentials from the targeted system. This information is then exfiltrated to a C2 server.	5c6960726c52dbd3ef4b88cdc8a5df79	https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html SHA256: 1312c2175d4037228e113c1cdb3893484396a4d5c399052543bcd3546908f342 SHA1: 8aa2e11f51e44b81fc9b0946374b83bc4c0cbfb8 MD5: 5c6960726c52dbd3ef4b88cdc8a5df79
M20-6y4i1	Cybergate_9ad9aa84	Windows	This strike sends a malware sample known as Cybergate. Cybergate, also known as Rebhip, is a Remote Access Trojan that allows attackers to fully control the target system. Functionality includes command shell interaction, screenshot capturing, audio/video capturing, keylogging, as well as uploading/downloading files from the target system.	9ad9aa8439043c07a84c18e7e0724c15	https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html SHA256: 4876314e5d223a296b8aa95fb5eb97859da5bcbf78da9e78674b28f4536cd591 SHA1: 333067aeca3842e1ae73b30c2f4799eb2dde68fb MD5: 9ad9aa8439043c07a84c18e7e0724c15
M20-0nxd1	Fareit_86a16f76	Windows	This strike sends a malware sample known as Fareit. Fareit steals and harvests credentials from the targeted system. This information is then exfiltrated to a C2 server.	86a16f76020ed00029eed02a69156dd5	https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html SHA256: 78f418bcdd925f56eabedaae6e092d993a245fde048606a680539cff6bcc54c1 SHA1: f5f32175eaad230c51e2992fc825a4b30be7e118 MD5: 86a16f76020ed00029eed02a69156dd5
M20-canz1	Ramnit_59c999db	Windows	This strike sends a malware sample known as Ramnit. Ramnit is a banking trojan that's been around since 2010 and has recently been resuming activity. After infection, it scans files that have interesting keywords, such as wallet, passwords, or the names of the targeted banks. Ramnit uses malvertising and malware-laden spam for distribution, though it also employed popular exploit kits, such as Angler.	59c999dba2f22a75f73ce59cb9ce4b25	https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html SHA256: cf42f89f988611c1beb42230e001c0eb871322950ca10cd50fb1796cdf95920a SHA1: a206ccabfa93a0568c6188783adbbb171379ae96 MD5: 59c999dba2f22a75f73ce59cb9ce4b25
M20-1ewp1	Fareit_5aec2111	Windows	This strike sends a malware sample known as Fareit. Fareit steals and harvests credentials from the targeted system. This information is then exfiltrated to a C2 server.	5aec2111cc64271fe58feb1a07ac20f5	https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html SHA256: 99b6a34cb8ad06ca530f7bde87b957c97c1526bb70f0540eba8da58a77b7f319 SHA1: 234c976c6aae3915dde5e9396738c875dbaae498 MD5: 5aec2111cc64271fe58feb1a07ac20f5
M20-gl0s1	Dridex_d27a1214	Windows	This strike sends a malware sample known as Dridex. Dridex is an online banking malware that steals personal information through HTML injections. It was first spotted at the end of 2014 and its inventors keep improving it periodically since then. The latest improvement is the addition of AtomBombing technique (does not exploit any vulnerabilities but uses a design flaw in Windows related to system-level Atom Tables) which makes Dridex harder to detect by antiviruses.	d27a12141e0cf90f3db2b32d4f1832b4	https://blog.talosintelligence.com/2020/06/threat-roundup-0529-0605.html SHA256: 031f4d2eb9e330adfbe2767c568c49a45f8feada9d466b2f09f5cfa6c321760a SHA1: 7c34ab0c972128294d751e93d76190fa901bf4da MD5: d27a12141e0cf90f3db2b32d4f1832b4
M20-pt8o1	Dridex_b10d2503	Windows	This strike sends a malware sample known as Dridex. Dridex is an online banking malware that steals personal information through HTML injections. It was first spotted at the end of 2014 and its inventors keep improving it periodically since then. The latest improvement is the addition of AtomBombing technique (does not exploit any vulnerabilities but uses a design flaw in Windows related to system-level Atom Tables) which makes Dridex harder to detect by antiviruses.	b10d25034bb65fd14e70c3238a44412e	https://blog.talosintelligence.com/2020/06/threat-roundup-0529-0605.html SHA256: d5f3c9eab2e825b6e670dd529d1bb2212baf54437bd56915ecd6932b1745328a SHA1: 0b8cfefb16cf5eb0ce8cb6a2ba7572c2e7c73f91 MD5: b10d25034bb65fd14e70c3238a44412e
M20-u5x11	Zbot_a498a3da	Windows	This strike sends a malware sample known as Zbot. Zbot also known as Zeus is a trojan often associated with stealing banking information by keystroke logging and form grabbing techniques.	a498a3dad481b39e4197428e2fb80100	https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html SHA256: 0e475d4c0f6ff5e453668f962c6a7d78d218582a46d3d2f7ab36b221face4631 SHA1: 81f3701d0627176edbf308ade9433cfabc1cc47b MD5: a498a3dad481b39e4197428e2fb80100
M20-7jo71	Zbot_cf2941da	Windows	This strike sends a malware sample known as Zbot. Zbot also known as Zeus is a trojan often associated with stealing banking information by keystroke logging and form grabbing techniques.	cf2941da39524cfcbee3398736ad6e13	https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html SHA256: 67187b9ebc578ae12c06cddff756160d741eafd53440efd6756c646e4d9e7594 SHA1: 9870afda75d0e59b720e2e11c46f28fa622f4962 MD5: cf2941da39524cfcbee3398736ad6e13
M20-gxuw1	Ramnit_f3f4c192	Windows	This strike sends a malware sample known as Ramnit. Ramnit is a banking trojan that's been around since 2010 and has recently been resuming activity. After infection, it scans files that have interesting keywords, such as wallet, passwords, or the names of the targeted banks. Ramnit uses malvertising and malware-laden spam for distribution, though it also employed popular exploit kits, such as Angler.	f3f4c192482a755b8e4592e8577a3d29	https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html SHA256: 9e8e5e20c1ac022c559a68d8ed67a7879ad68a917d4f97459bff72840bdba457 SHA1: d6ccf3e395f6a9687aefefe2920ad75df58c5019 MD5: f3f4c192482a755b8e4592e8577a3d29
M20-no5b1	Cybergate_bd8ea22b	Windows	This strike sends a malware sample known as Cybergate. Cybergate, also known as Rebhip, is a Remote Access Trojan that allows attackers to fully control the target system. Functionality includes command shell interaction, screenshot capturing, audio/video capturing, keylogging, as well as uploading/downloading files from the target system.	bd8ea22bf277db93ce8113c27b217ab3	https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html SHA256: 4dcb2bd6dc558fb9290f40656e630190658787f29455d5c73d459f0dee312c15 SHA1: e2ec17612da8210c4bdd16b01bc09d511908522f MD5: bd8ea22bf277db93ce8113c27b217ab3
M20-wah41	Zbot_f34d5023	Windows	This strike sends a malware sample known as Zbot. Zbot also known as Zeus is a trojan often associated with stealing banking information by keystroke logging and form grabbing techniques.	f34d50230ee7e2db4899a6a88d40dc6a	https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html SHA256: 498438a69aa744934cd33f6219709b3fb1531e3e89e95cef805f494ba8be938b SHA1: 24775b083870bd350025ae9d20b977e0afeab155 MD5: f34d50230ee7e2db4899a6a88d40dc6a
M20-yztx1	Fareit_bf975fa9	Windows	This strike sends a malware sample known as Fareit. Fareit steals and harvests credentials from the targeted system. This information is then exfiltrated to a C2 server.	bf975fa90aa5cfa21b9f13e83138a605	https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html SHA256: bdf44a59073f52b5b4bada6afbeccd9410ce8ca0a46441149b66d4b97b305572 SHA1: 0f7abd44fce1da85112d9aaec189496eaa21651c MD5: bf975fa90aa5cfa21b9f13e83138a605
M20-60d01	Ramnit_d0f5c342	Windows	This strike sends a malware sample known as Ramnit. Ramnit is a banking trojan that's been around since 2010 and has recently been resuming activity. After infection, it scans files that have interesting keywords, such as wallet, passwords, or the names of the targeted banks. Ramnit uses malvertising and malware-laden spam for distribution, though it also employed popular exploit kits, such as Angler.	d0f5c342434f34b55eabccc6564a378b	https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html SHA256: 7dec40a48b029de50868b1a85573fd1d566084d0ee4935acfb30887e30d1de06 SHA1: ce6049fb88ae1c6c2fd4a3c490d678360aaf04fd MD5: d0f5c342434f34b55eabccc6564a378b
M20-x9nv1	Ramnit_f0f74c6f	Windows	This strike sends a malware sample known as Ramnit. Ramnit is a banking trojan that's been around since 2010 and has recently been resuming activity. After infection, it scans files that have interesting keywords, such as wallet, passwords, or the names of the targeted banks. Ramnit uses malvertising and malware-laden spam for distribution, though it also employed popular exploit kits, such as Angler.	f0f74c6f873a9c19994af1c8b9af9775	https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html SHA256: 11f697b19a583973236c5deacfc31dd9ff441045d495a68857373b14e95f449e SHA1: 478037ddbcaf904c6dc77146014cc8cd5c29eebd MD5: f0f74c6f873a9c19994af1c8b9af9775
M20-28yf1	Ramnit_d831b191	Windows	This strike sends a polymorphic malware sample known as Ramnit. Ramnit is a banking trojan that's been around since 2010 and has recently been resuming activity. After infection, it scans files that have interesting keywords, such as wallet, passwords, or the names of the targeted banks. Ramnit uses malvertising and malware-laden spam for distribution, though it also employed popular exploit kits, such as Angler.The binary has been packed using upx packer, with the default options.	d831b1911812a9093cf646871b9e5130	https://attack.mitre.org/techniques/T1045/ SHA256: 3d96c032b11bef9a4e67536d129f06f7b3063fb005cde1a425280641c1b04602 SHA1: 59ab94ae07b7671eed559e8670efe03ed490edc3 PARENTID: M20-668s1 SSDEEP: 1536:GlfMUc1eJMiSosL8/Zu+2fH/bRFz64KqPikiucOw4ZOryejmqn3BjtQM:GfQj4AhXm4KqPiY44ZgjT3Jz MD5: d831b1911812a9093cf646871b9e5130
M20-tp6r1	Fareit_cf2e03ec	Windows	This strike sends a polymorphic malware sample known as Fareit. Fareit steals and harvests credentials from the targeted system. This information is then exfiltrated to a C2 server.The binary has random bytes appended at the end of the file.	cf2e03ec985d204a054788269665cfe0	https://attack.mitre.org/techniques/T1009/ SHA256: 1058a78aa8a27121459344f6c9fc70a6946af062abad30ba06f9a3a2b3a03a36 SHA1: abcc5eae47bd9bbc19b527d2c10acccf63e875bb PARENTID: M20-yztx1 SSDEEP: 3072:YyqX75fvyv3gYq7fhvFGErUVAMhqalOR/aukQ:f45fvigYqbhBrUVThqaqau5 MD5: cf2e03ec985d204a054788269665cfe0
M20-x9901	Fareit_64c39dd5	Windows	This strike sends a malware sample known as Fareit. Fareit steals and harvests credentials from the targeted system. This information is then exfiltrated to a C2 server.	64c39dd59e30e965b6650bc5cb517675	https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html SHA256: 9b54a9a9fde24c8634c47c950dcb7218d4e1ae1d7c4771f4abd3b92a12e9c686 SHA1: 93a02c721463fc26015d469a4f465b7ece2cb9d1 MD5: 64c39dd59e30e965b6650bc5cb517675
M20-7uax1	Dridex_224eac52	Windows	This strike sends a malware sample known as Dridex. Dridex is an online banking malware that steals personal information through HTML injections. It was first spotted at the end of 2014 and its inventors keep improving it periodically since then. The latest improvement is the addition of AtomBombing technique (does not exploit any vulnerabilities but uses a design flaw in Windows related to system-level Atom Tables) which makes Dridex harder to detect by antiviruses.	224eac52bf474257192ab18869dd7aab	https://blog.talosintelligence.com/2020/06/threat-roundup-0529-0605.html SHA256: a098e6f2a14908c4220bcc59c872d331841b3d7beaaea945717439be15778a23 SHA1: 8b32bc110b4e0a113b6a78877a9d5dfd770168cd MD5: 224eac52bf474257192ab18869dd7aab
M20-pnek1	Zbot_f9317eab	Windows	This strike sends a malware sample known as Zbot. Zbot also known as Zeus is a trojan often associated with stealing banking information by keystroke logging and form grabbing techniques.	f9317eab06ef5c50754003c89b7f311d	https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html SHA256: 058051ccc05ed076f17535e744f385290eda9c2e0912ed7c460e5b571b3e26dc SHA1: 269cca202ce7af7875e7fe9802a6a37854a209f9 MD5: f9317eab06ef5c50754003c89b7f311d
M20-3y2b1	Ramnit_6d9e71cf	Windows	This strike sends a malware sample known as Ramnit. Ramnit is a banking trojan that's been around since 2010 and has recently been resuming activity. After infection, it scans files that have interesting keywords, such as wallet, passwords, or the names of the targeted banks. Ramnit uses malvertising and malware-laden spam for distribution, though it also employed popular exploit kits, such as Angler.	6d9e71cf42d1e2afc45b2f0c3d4cd599	https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html SHA256: 75d9881c6670d6e23fc962532a6c4ae2d23f816f59f88d93131d81400dcea15b SHA1: 9e88ef8ecb97fb2ef7ad74d73c647e15ebb9b5bf MD5: 6d9e71cf42d1e2afc45b2f0c3d4cd599
M20-ovf71	Fareit_cbecde1e	Windows	This strike sends a malware sample known as Fareit. Fareit steals and harvests credentials from the targeted system. This information is then exfiltrated to a C2 server.	cbecde1ed1427e330fb19878a13c064c	https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html SHA256: b02eaf95b97c81f56eaddded473b0c66668ff4f55bb84c929c28af1b502b3b7d SHA1: f91c19abe19bfd4b1709e0441bb4f7d2288fdbd0 MD5: cbecde1ed1427e330fb19878a13c064c
M20-h66j1	Ramnit_3388c00a	Windows	This strike sends a malware sample known as Ramnit. Ramnit is a banking trojan that's been around since 2010 and has recently been resuming activity. After infection, it scans files that have interesting keywords, such as wallet, passwords, or the names of the targeted banks. Ramnit uses malvertising and malware-laden spam for distribution, though it also employed popular exploit kits, such as Angler.	3388c00abcea3960d9bd561627508021	https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html SHA256: 7fe04f0111eebfeb1d602a42d78c80a48c2d4e9f139a1b432822ce2e549eb2ba SHA1: 41cba0d3b58bcd8de65e8476311a934301f7c6b2 MD5: 3388c00abcea3960d9bd561627508021
M20-u2u11	Cybergate_7c80cf1f	Windows	This strike sends a malware sample known as Cybergate. Cybergate, also known as Rebhip, is a Remote Access Trojan that allows attackers to fully control the target system. Functionality includes command shell interaction, screenshot capturing, audio/video capturing, keylogging, as well as uploading/downloading files from the target system.	7c80cf1f754e32d3ca703e59cb8c8aa5	https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html SHA256: 36806975e01188ab35484d5b3e119fa74fc8feebf99d400ed5fa9ac9fbf250f6 SHA1: 046d75ad03662cd3fe9780f3bf324b17849f3c9d MD5: 7c80cf1f754e32d3ca703e59cb8c8aa5
M20-wer81	Fareit_6ba7111f	Windows	This strike sends a malware sample known as Fareit. Fareit steals and harvests credentials from the targeted system. This information is then exfiltrated to a C2 server.	6ba7111f3090b7449e50a10829b42ce6	https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html SHA256: 887cbd08236e1dcdc582789a9fd1122cfe3a2729010a79efd9b48e50d0a290d5 SHA1: 387df9942e31049f1ea9448aa14fcadc11f145b3 MD5: 6ba7111f3090b7449e50a10829b42ce6
M20-ze9b1	Cybergate_0285f99b	Windows	This strike sends a malware sample known as Cybergate. Cybergate, also known as Rebhip, is a Remote Access Trojan that allows attackers to fully control the target system. Functionality includes command shell interaction, screenshot capturing, audio/video capturing, keylogging, as well as uploading/downloading files from the target system.	0285f99b75d249de405ee6c97da381b8	https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html SHA256: 497cebdc6a2b1b3a3948f94871de8ef1c2ac64e14a4d35c73e136b1f9ed12405 SHA1: c78a87c7e7ba0c73a8129112ee4332caf8fb5bd5 MD5: 0285f99b75d249de405ee6c97da381b8
M20-jhtf1	Dridex_26459aa8	Windows	This strike sends a malware sample known as Dridex. Dridex is an online banking malware that steals personal information through HTML injections. It was first spotted at the end of 2014 and its inventors keep improving it periodically since then. The latest improvement is the addition of AtomBombing technique (does not exploit any vulnerabilities but uses a design flaw in Windows related to system-level Atom Tables) which makes Dridex harder to detect by antiviruses.	26459aa8286195619b2345fe66cce7db	https://blog.talosintelligence.com/2020/06/threat-roundup-0529-0605.html SHA256: 6dde7661cbe3990f93ec05bfbd95f587bc857d576e79144f8c65cf9a36ae6c0c SHA1: 356c9cb6e9ba8d64c0c9810d1e50b0418e12f6b3 MD5: 26459aa8286195619b2345fe66cce7db
M20-3sz41	Dridex_98f3f103	Windows	This strike sends a malware sample known as Dridex. Dridex is an online banking malware that steals personal information through HTML injections. It was first spotted at the end of 2014 and its inventors keep improving it periodically since then. The latest improvement is the addition of AtomBombing technique (does not exploit any vulnerabilities but uses a design flaw in Windows related to system-level Atom Tables) which makes Dridex harder to detect by antiviruses.	98f3f1033cf5e4381f0052d5fd9df795	https://blog.talosintelligence.com/2020/06/threat-roundup-0529-0605.html SHA256: 5978e277d535ae6803d988ec03a5bb068a9930f4daf85ab966ac92278f59dabc SHA1: 13082431a67f99bbb9cba24cb1eb46e84943ab37 MD5: 98f3f1033cf5e4381f0052d5fd9df795
M20-p3dp1	Cybergate_33c634ed	Windows	This strike sends a malware sample known as Cybergate. Cybergate, also known as Rebhip, is a Remote Access Trojan that allows attackers to fully control the target system. Functionality includes command shell interaction, screenshot capturing, audio/video capturing, keylogging, as well as uploading/downloading files from the target system.	33c634ed9e170734fef2d6344e25519c	https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html SHA256: 1fc80523bb4a2290e683303ddad3f413079a320c0f23e055531b6ea543dcfc9c SHA1: d24e73de61e7e480563b04f87362fa5222612ff5 MD5: 33c634ed9e170734fef2d6344e25519c
M20-noos1	Dridex_42af089a	Windows	This strike sends a malware sample known as Dridex. Dridex is an online banking malware that steals personal information through HTML injections. It was first spotted at the end of 2014 and its inventors keep improving it periodically since then. The latest improvement is the addition of AtomBombing technique (does not exploit any vulnerabilities but uses a design flaw in Windows related to system-level Atom Tables) which makes Dridex harder to detect by antiviruses.	42af089ac1e30ee892aab97a952bbeb4	https://blog.talosintelligence.com/2020/06/threat-roundup-0529-0605.html SHA256: 24770b17a0dff8ff2f9f2e593b7268a7626908c4753fa2dcae27535dc58442c3 SHA1: 5d2be766137505a3c545e1d9f51b4a95e717bae4 MD5: 42af089ac1e30ee892aab97a952bbeb4
M20-5i5u1	Zbot_8d845fad	Windows	This strike sends a malware sample known as Zbot. Zbot also known as Zeus is a trojan often associated with stealing banking information by keystroke logging and form grabbing techniques.	8d845fade3fee728e50265a0c9ef7b2d	https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html SHA256: 4de13fa0580a6f7f315652cfe448493336db4cbcbcc31fa15caf5016ce11aa72 SHA1: 825ae2fd158e6feec06d7f09a031ce30c9a21e6d MD5: 8d845fade3fee728e50265a0c9ef7b2d
M20-g0kb1	Fareit_8303126e	Windows	This strike sends a malware sample known as Fareit. Fareit steals and harvests credentials from the targeted system. This information is then exfiltrated to a C2 server.	8303126e1baff7096a62462273a43b7c	https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html SHA256: 1f22e636178472cd432cf834efadd3f231d868030c640d45bc7b319095f280f9 SHA1: c476963e37e0c05a4b31801ca82787dcad7ba8e4 MD5: 8303126e1baff7096a62462273a43b7c
M20-za8o1	Zbot_b02da2d3	Windows	This strike sends a malware sample known as Zbot. Zbot also known as Zeus is a trojan often associated with stealing banking information by keystroke logging and form grabbing techniques.	b02da2d36283a5588c57da2f0753812a	https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html SHA256: 29561a21de4d716de129ff67f4504feee5232e932dc7925d8acf2fd6220b7ba6 SHA1: 43fac469a5f19ca8b5c472714d636acfefdb78f0 MD5: b02da2d36283a5588c57da2f0753812a
M20-bgrl1	Zbot_108af110	Windows	This strike sends a polymorphic malware sample known as Zbot. Zbot also known as Zeus is a trojan often associated with stealing banking information by keystroke logging and form grabbing techniques.The binary has a random section name renamed according to the PE format specification.	108af11013d29a29c7f8e374032b5ead	https://arxiv.org/abs/1801.08917 SHA256: 7a3fcddf51d036f5747cd050d6d93465f18558b45fb94908cc3c13f070bde408 SHA1: 73df8df6593ec5d07a0843272de4ac6f83c74f09 PARENTID: M20-qrni1 SSDEEP: 6144:O/IZqkiisqNuNWyD+lLo9lvh1GhI30EfNqy0:RqJXqNuNLDyLo9lvhI40S90 MD5: 108af11013d29a29c7f8e374032b5ead
M20-668s1	Ramnit_f0a3e4ec	Windows	This strike sends a malware sample known as Ramnit. Ramnit is a banking trojan that's been around since 2010 and has recently been resuming activity. After infection, it scans files that have interesting keywords, such as wallet, passwords, or the names of the targeted banks. Ramnit uses malvertising and malware-laden spam for distribution, though it also employed popular exploit kits, such as Angler.	f0a3e4eca113df7d09bbff6c3678ff27	https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html SHA256: d1cabff331de0b05c7ca7deae3f63eb272dfdd9e1a343c87c7f197eec40b218d SHA1: 913f7be2e737da1c2e6afdb239e2cc28808b1058 MD5: f0a3e4eca113df7d09bbff6c3678ff27
M20-xadb1	Fareit_e4a83956	Windows	This strike sends a malware sample known as Fareit. Fareit steals and harvests credentials from the targeted system. This information is then exfiltrated to a C2 server.	e4a8395660df09d4e5855fe98d4e10e5	https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html SHA256: 073eca66e8a691e4feb067ea9be6be2f860a37a16c0e4e2d82cbe0d9d6bcf626 SHA1: d2e5e9f9ee8b0d8d91304551cc547017769bf64c MD5: e4a8395660df09d4e5855fe98d4e10e5
M20-ypf51	Dridex_bb919215	Windows	This strike sends a polymorphic malware sample known as Dridex. Dridex is an online banking malware that steals personal information through HTML injections. It was first spotted at the end of 2014 and its inventors keep improving it periodically since then. The latest improvement is the addition of AtomBombing technique (does not exploit any vulnerabilities but uses a design flaw in Windows related to system-level Atom Tables) which makes Dridex harder to detect by antiviruses.The binary has random bytes appended at the end of the file.	bb919215a7a8d6b9dd58fe14ddbd2914	https://attack.mitre.org/techniques/T1009/ SHA256: 5ccebf9594479c285fe17ed737654992981e74f54cc2105c4cbcc593d9c0692e SHA1: bcd7696f083166022174882dd917665f5c4f9a29 PARENTID: M20-noos1 SSDEEP: 12288:7vT0ZFbuLSXE3SokMYdwfpM7S4hfs3TJRdQZ:WFCLSXNbMYyRMko MD5: bb919215a7a8d6b9dd58fe14ddbd2914
M20-oexa1	Ramnit_aab389b4	Windows	This strike sends a malware sample known as Ramnit. Ramnit is a banking trojan that's been around since 2010 and has recently been resuming activity. After infection, it scans files that have interesting keywords, such as wallet, passwords, or the names of the targeted banks. Ramnit uses malvertising and malware-laden spam for distribution, though it also employed popular exploit kits, such as Angler.	aab389b44733084ec9ab58b7f7f13a04	https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html SHA256: 21925ad39855bfa10ffc15fb35dcbfaf652ceb2b72d247b3d04e17a370bb5124 SHA1: 25b317a85530aa31dc4cf8f328bd49758021f883 MD5: aab389b44733084ec9ab58b7f7f13a04
M20-c9sp1	Dridex_2794388c	Windows	This strike sends a malware sample known as Dridex. Dridex is an online banking malware that steals personal information through HTML injections. It was first spotted at the end of 2014 and its inventors keep improving it periodically since then. The latest improvement is the addition of AtomBombing technique (does not exploit any vulnerabilities but uses a design flaw in Windows related to system-level Atom Tables) which makes Dridex harder to detect by antiviruses.	2794388cf801e19b2e67e1e05565962b	https://blog.talosintelligence.com/2020/06/threat-roundup-0529-0605.html SHA256: 43704d85c99c81841be1ecef92ad63d70050dda717ae6e176b62fa3133c52de2 SHA1: bf0e3772ec9f91b139eed6f71a8d88ecbfdf8006 MD5: 2794388cf801e19b2e67e1e05565962b
M20-sarj1	Ramnit_6a9c5dea	Windows	This strike sends a malware sample known as Ramnit. Ramnit is a banking trojan that's been around since 2010 and has recently been resuming activity. After infection, it scans files that have interesting keywords, such as wallet, passwords, or the names of the targeted banks. Ramnit uses malvertising and malware-laden spam for distribution, though it also employed popular exploit kits, such as Angler.	6a9c5dea5eed27a993cd13041c567fe2	https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html SHA256: b3636289fe8f2f0879c295edc278595c6b881a594c247504fa3f83ff8bbf6592 SHA1: e01dc036b738181582a558c8727838c9db6c4a2d MD5: 6a9c5dea5eed27a993cd13041c567fe2
M20-9grz1	Cybergate_67129895	Windows	This strike sends a malware sample known as Cybergate. Cybergate, also known as Rebhip, is a Remote Access Trojan that allows attackers to fully control the target system. Functionality includes command shell interaction, screenshot capturing, audio/video capturing, keylogging, as well as uploading/downloading files from the target system.	671298951b1620412c95092891cf9f1e	https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html SHA256: 612f9221336c5c7673f1fa6ae3e720d154089cb01a5c15265645bb89cc2b038a SHA1: 7d8d4de499ef0c13deee151fc97c18777cfb229a MD5: 671298951b1620412c95092891cf9f1e
M20-od361	Ramnit_091e4a66	Windows	This strike sends a malware sample known as Ramnit. Ramnit is a banking trojan that's been around since 2010 and has recently been resuming activity. After infection, it scans files that have interesting keywords, such as wallet, passwords, or the names of the targeted banks. Ramnit uses malvertising and malware-laden spam for distribution, though it also employed popular exploit kits, such as Angler.	091e4a6652bc3b65c5b03c36253a917f	https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html SHA256: c59dcd9cbd7ed3580a1172d749b6b9559b9cc68cd254741efba5b89ac4943db7 SHA1: 94dc381f6df4cd0861543fc12342fdd8d5f0c260 MD5: 091e4a6652bc3b65c5b03c36253a917f
M20-gci31	Zbot_c6a0593a	Windows	This strike sends a malware sample known as Zbot. Zbot also known as Zeus is a trojan often associated with stealing banking information by keystroke logging and form grabbing techniques.	c6a0593a78d89a28044fc87f0986539a	https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html SHA256: 07905ece0c4747aad1bf4b7f11693e319140a4e55f1b40308209f4ccf3c16dfb SHA1: 0dda24d77d4e7055f0065289104cce047f3c4050 MD5: c6a0593a78d89a28044fc87f0986539a
M20-jfox1	Cybergate_74c167be	Windows	This strike sends a malware sample known as Cybergate. Cybergate, also known as Rebhip, is a Remote Access Trojan that allows attackers to fully control the target system. Functionality includes command shell interaction, screenshot capturing, audio/video capturing, keylogging, as well as uploading/downloading files from the target system.	74c167be7228f444eee933d7fca4001c	https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html SHA256: 5b3adb4375bd0075be28205ca71ddbf4276b83bbca9b66cdb9ee82bed8682891 SHA1: eaf5f5f28b9da7bc8c1523e03a0ddedec3a06f25 MD5: 74c167be7228f444eee933d7fca4001c
M20-ew4h1	Dridex_f528adce	Windows	This strike sends a malware sample known as Dridex. Dridex is an online banking malware that steals personal information through HTML injections. It was first spotted at the end of 2014 and its inventors keep improving it periodically since then. The latest improvement is the addition of AtomBombing technique (does not exploit any vulnerabilities but uses a design flaw in Windows related to system-level Atom Tables) which makes Dridex harder to detect by antiviruses.	f528adce9b5cc0d37984d27682080241	https://blog.talosintelligence.com/2020/06/threat-roundup-0529-0605.html SHA256: 9f0ab6f0b08a40138b4de3be8cd9c40333c4a5e30f476e632bfd715c20e7e1ba SHA1: 13fcbae9a26eecd20676d45fba349d6281450e35 MD5: f528adce9b5cc0d37984d27682080241
M20-00pn1	Cybergate_192d1422	Windows	This strike sends a malware sample known as Cybergate. Cybergate, also known as Rebhip, is a Remote Access Trojan that allows attackers to fully control the target system. Functionality includes command shell interaction, screenshot capturing, audio/video capturing, keylogging, as well as uploading/downloading files from the target system.	192d142254d76a2b78d11c0be27d9998	https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html SHA256: 6b53e1a9fb4188b1440725ffa1f282fdf9676942729324a33870461c1cfa1915 SHA1: 4465a0be53715f42007a51a6c46d78c868b9a237 MD5: 192d142254d76a2b78d11c0be27d9998
M20-5i131	Fareit_5566bf3c	Windows	This strike sends a malware sample known as Fareit. Fareit steals and harvests credentials from the targeted system. This information is then exfiltrated to a C2 server.	5566bf3c6508e9b23603ba5442a8102e	https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html SHA256: 2a4dab5fa66737060a150cdab44506efcd2c33651cbe10a383d5a19e41e0ceb2 SHA1: cc11fc9c842ad9458702c66ade9f75c78800c0a1 MD5: 5566bf3c6508e9b23603ba5442a8102e
M20-uxkw1	Cybergate_2131e30b	Windows	This strike sends a polymorphic malware sample known as Cybergate. Cybergate, also known as Rebhip, is a Remote Access Trojan that allows attackers to fully control the target system. Functionality includes command shell interaction, screenshot capturing, audio/video capturing, keylogging, as well as uploading/downloading files from the target system.The binary has random contents appended in one of the existing sections in the PE file format.	2131e30be3c45b6605db9341528f6d20	https://arxiv.org/abs/1801.08917 SHA256: 3b9660a4e1e9f2e6f9cd991a2550559a21e1598ecb2280d9474d904cd18130b7 SHA1: 6603276352dcec90b2b4cf30fd2a46f8a56bc96c PARENTID: M20-lqct1 SSDEEP: 12288:KaH6uGURWHTrbPq6US47zWfXkkctzkbpfPFNIKDGZfM/B35aQ:5HbGMKT/Pq6USazkkkkopPFNI/fI5aQ MD5: 2131e30be3c45b6605db9341528f6d20
M20-aw8m1	Zbot_51f30b00	Windows	This strike sends a malware sample known as Zbot. Zbot also known as Zeus is a trojan often associated with stealing banking information by keystroke logging and form grabbing techniques.	51f30b009f64c9f8a6f9dba91ab58676	https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html SHA256: 01f24045d18c966d195d0934ac6bc801652a5908a9ef50124c0557f6d03d42c3 SHA1: eadacf5cc009dd7a682e9a0feb55e91a8bdd3d81 MD5: 51f30b009f64c9f8a6f9dba91ab58676
M20-lyjh1	Ramnit_e06e8adc	Windows	This strike sends a malware sample known as Ramnit. Ramnit is a banking trojan that's been around since 2010 and has recently been resuming activity. After infection, it scans files that have interesting keywords, such as wallet, passwords, or the names of the targeted banks. Ramnit uses malvertising and malware-laden spam for distribution, though it also employed popular exploit kits, such as Angler.	e06e8adcd544f9cec8abb63e0ff34544	https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html SHA256: 84ec757a84f0b5da11955b24486d1be60e7c6eeb2f5b8b4de656a2e498e9184b SHA1: 061bd0536a38f253c3a46a640d80ba64ad9a9d57 MD5: e06e8adcd544f9cec8abb63e0ff34544
M20-g3mn1	Fareit_142e6397	Windows	This strike sends a malware sample known as Fareit. Fareit steals and harvests credentials from the targeted system. This information is then exfiltrated to a C2 server.	142e6397c9f16295e4075416f3bb8c93	https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html SHA256: 1f1dccb65ab0390f7c11c5d022b19d2a082b7602f09273a7022a9cfaadf703f4 SHA1: d4e789b4a827364b460d3909b74d8b12cec1179d MD5: 142e6397c9f16295e4075416f3bb8c93
M20-846e1	Cybergate_d92780ef	Windows	This strike sends a malware sample known as Cybergate. Cybergate, also known as Rebhip, is a Remote Access Trojan that allows attackers to fully control the target system. Functionality includes command shell interaction, screenshot capturing, audio/video capturing, keylogging, as well as uploading/downloading files from the target system.	d92780efdd7560ff9ab6fc4eaa7b12cd	https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html SHA256: 1a6c0121d371ad7225ec0fd2c524979e30a57b3eef24676781cf631d704f0ec4 SHA1: e49dacf721f2c3b7db6312eaecdb4586fe799855 MD5: d92780efdd7560ff9ab6fc4eaa7b12cd
M20-e0an1	Dridex_0638b38c	Windows	This strike sends a polymorphic malware sample known as Dridex. Dridex is an online banking malware that steals personal information through HTML injections. It was first spotted at the end of 2014 and its inventors keep improving it periodically since then. The latest improvement is the addition of AtomBombing technique (does not exploit any vulnerabilities but uses a design flaw in Windows related to system-level Atom Tables) which makes Dridex harder to detect by antiviruses.The binary has random strings (lorem ipsum) appended at the end of the file.	0638b38ce1a6c57e05724a06af1d7fbe	https://attack.mitre.org/techniques/T1009/ SHA256: 66cb646f096d32ec982762055397f999b615949529e3ffbbade0f94778764767 SHA1: 2a00153bc737272d72d20643b28e6ebe4defe255 PARENTID: M20-n2a51 SSDEEP: 12288:7vT0kFbuLSXE3SokMYdwfpM7S4hfs3TJRdH:rFCLSXNbMYyRMkx MD5: 0638b38ce1a6c57e05724a06af1d7fbe
M20-zbur1	Ramnit_5beccf1a	Windows	This strike sends a malware sample known as Ramnit. Ramnit is a banking trojan that's been around since 2010 and has recently been resuming activity. After infection, it scans files that have interesting keywords, such as wallet, passwords, or the names of the targeted banks. Ramnit uses malvertising and malware-laden spam for distribution, though it also employed popular exploit kits, such as Angler.	5beccf1ad7af841b8a677c0de6a1a6fa	https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html SHA256: 2e95a39f9ecc3f8c22b7fe785393eccc37326ccb84f984eaca9f06c51120ab1d SHA1: ab933176b3066273e776c44d59bd46df095a8e4d MD5: 5beccf1ad7af841b8a677c0de6a1a6fa
M20-jtet1	Dridex_a95370f4	Windows	This strike sends a malware sample known as Dridex. Dridex is an online banking malware that steals personal information through HTML injections. It was first spotted at the end of 2014 and its inventors keep improving it periodically since then. The latest improvement is the addition of AtomBombing technique (does not exploit any vulnerabilities but uses a design flaw in Windows related to system-level Atom Tables) which makes Dridex harder to detect by antiviruses.	a95370f484d8b485e874d860ee6b0e4e	https://blog.talosintelligence.com/2020/06/threat-roundup-0529-0605.html SHA256: f9db0f7f33191a91a6a4acc1593d696b62c2a6c927c1144937e58793e2249f78 SHA1: 2d01191bc8d7c9d0e9d44acac5d65baa86a9eb9e MD5: a95370f484d8b485e874d860ee6b0e4e
M20-mnok1	Zbot_aa126de1	Windows	This strike sends a malware sample known as Zbot. Zbot also known as Zeus is a trojan often associated with stealing banking information by keystroke logging and form grabbing techniques.	aa126de1618733ecf610e28d875b9c29	https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html SHA256: 2e8882116694efbb6b57355f7f3e6b79b77cfbae42b5204b3d3172497f7e327d SHA1: 81ba23af6ab955ccb583f4deadd56ff0cb9c6e49 MD5: aa126de1618733ecf610e28d875b9c29
M20-qrni1	Zbot_2be7af03	Windows	This strike sends a malware sample known as Zbot. Zbot also known as Zeus is a trojan often associated with stealing banking information by keystroke logging and form grabbing techniques.	2be7af03eae4214b068bd65ae62f8e70	https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html SHA256: 29114a3a6b05e119245d93373f8776a086a9018016238a3300ed93700d7f2f32 SHA1: fa8c2f9fc61a8f6752d0cf5cd4cfc6c443d86648 MD5: 2be7af03eae4214b068bd65ae62f8e70
M20-kxgs1	Dridex_ea6c06f1	Windows	This strike sends a polymorphic malware sample known as Dridex. Dridex is an online banking malware that steals personal information through HTML injections. It was first spotted at the end of 2014 and its inventors keep improving it periodically since then. The latest improvement is the addition of AtomBombing technique (does not exploit any vulnerabilities but uses a design flaw in Windows related to system-level Atom Tables) which makes Dridex harder to detect by antiviruses.The binary has the checksum removed in the PE file format.	ea6c06f15c61e2bed4d1aa3fee5c5914	https://arxiv.org/abs/1801.08917 SHA256: d8b27b6d492af215ed496e54d71447fad2d03017d3d81b8a21115e2bac61336e SHA1: 85a5cbeaab2d0ae5f74fbd64f3d1bb9268c02284 PARENTID: M20-n2a51 SSDEEP: 12288:7vT0kFbuLSXE3SokMYdwfpM7S4hfs3TJRd:rFCLSXNbMYyRMk MD5: ea6c06f15c61e2bed4d1aa3fee5c5914
M20-zrhw1	Fareit_a02acdb9	Windows	This strike sends a malware sample known as Fareit. Fareit steals and harvests credentials from the targeted system. This information is then exfiltrated to a C2 server.	a02acdb96532b76691d5b1aafd9d2164	https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html SHA256: 3fd16c2e53560649e0b1c79be0e86403887d50588700e66bac1dabbb2b99b753 SHA1: 7373ebe1342d377ff23f034d40ca9aca56239372 MD5: a02acdb96532b76691d5b1aafd9d2164
M20-64im1	Fareit_a87ec883	Windows	This strike sends a malware sample known as Fareit. Fareit steals and harvests credentials from the targeted system. This information is then exfiltrated to a C2 server.	a87ec883548bd0e72239fe2953ffec20	https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html SHA256: 8096baab22457c9fc3087dd93e90a0f4db9be9ecebead32f0f33c965e4b153dc SHA1: 1f84aca57eacfee5667a22b9eacbe982cb5e3a39 MD5: a87ec883548bd0e72239fe2953ffec20
M20-jdau1	Ramnit_d9ab842c	Windows	This strike sends a malware sample known as Ramnit. Ramnit is a banking trojan that's been around since 2010 and has recently been resuming activity. After infection, it scans files that have interesting keywords, such as wallet, passwords, or the names of the targeted banks. Ramnit uses malvertising and malware-laden spam for distribution, though it also employed popular exploit kits, such as Angler.	d9ab842ce16ca8f14fae8f075d8bdb1f	https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html SHA256: c052401b1d61a37fad733e4e178ac084ae44067c7e88ef834d35a09c70ca39e4 SHA1: ac86b0a61de7ca956a2f744248bd462ffc45c668 MD5: d9ab842ce16ca8f14fae8f075d8bdb1f
M20-nafe1	Ramnit_698ce9c2	Windows	This strike sends a malware sample known as Ramnit. Ramnit is a banking trojan that's been around since 2010 and has recently been resuming activity. After infection, it scans files that have interesting keywords, such as wallet, passwords, or the names of the targeted banks. Ramnit uses malvertising and malware-laden spam for distribution, though it also employed popular exploit kits, such as Angler.	698ce9c280a4f25f37d443b056ec3f97	https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html SHA256: a8ccbc5df926b0a2afdeab0344b55c93b5469237350634a4f8b170d3cc40e44e SHA1: 3cf455039f1621c7b0c9f2dbd24555406e37c034 MD5: 698ce9c280a4f25f37d443b056ec3f97
M20-keng1	Zbot_cf646bf9	Windows	This strike sends a malware sample known as Zbot. Zbot also known as Zeus is a trojan often associated with stealing banking information by keystroke logging and form grabbing techniques.	cf646bf9541e8f6a394a6dbbfb10e3aa	https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html SHA256: 4ea79444f67c2c5ef753e785887a9181ae17eb984c7f37a3113cad6a2b2e6ccd SHA1: 0864a1c222eaf8487ac9b2d2ee5237a4c3941ea8 MD5: cf646bf9541e8f6a394a6dbbfb10e3aa
M20-jeyj1	Dridex_179b0e16	Windows	This strike sends a polymorphic malware sample known as Dridex. Dridex is an online banking malware that steals personal information through HTML injections. It was first spotted at the end of 2014 and its inventors keep improving it periodically since then. The latest improvement is the addition of AtomBombing technique (does not exploit any vulnerabilities but uses a design flaw in Windows related to system-level Atom Tables) which makes Dridex harder to detect by antiviruses.The binary file has one more imports added in the import table.	179b0e16cc2dab63398de7b890da23f9	https://arxiv.org/abs/1702.05983 SHA256: 7e80399a12479a3f12db97ad30dd2f8c0bd8edb8405061ad38a36496c5df3601 SHA1: e2bd57e065a8522acc8c7381c0dc9b2c5f8619ea PARENTID: M20-noos1 SSDEEP: 12288:uvT0ZFbuLSXE3SokMYdwfpM7S4hfs3TJRd:5FCLSXNbMYyRMk MD5: 179b0e16cc2dab63398de7b890da23f9
M20-yft61	Fareit_1d226204	Windows	This strike sends a malware sample known as Fareit. Fareit steals and harvests credentials from the targeted system. This information is then exfiltrated to a C2 server.	1d226204037b664cc2130ce6aab28830	https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html SHA256: 2cf78102a3bc75a331abf49f6b46fa27546b0a33f4e937e05fed54d53499073c SHA1: 84d7b1748d4b293d6bbdf9d03d79ed5f1130097d MD5: 1d226204037b664cc2130ce6aab28830
M20-5imw1	Ramnit_8f11eb4c	Windows	This strike sends a malware sample known as Ramnit. Ramnit is a banking trojan that's been around since 2010 and has recently been resuming activity. After infection, it scans files that have interesting keywords, such as wallet, passwords, or the names of the targeted banks. Ramnit uses malvertising and malware-laden spam for distribution, though it also employed popular exploit kits, such as Angler.	8f11eb4c5d64f69d1eadabec2d9238d0	https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html SHA256: 75350b7659af658758e04bf2d15172e405e8cc2158dfda64bcd6a513aeee9269 SHA1: 26d1a1461ec328888e75c12a01e28a91f9438b40 MD5: 8f11eb4c5d64f69d1eadabec2d9238d0
M20-3zrs1	Fareit_ab194d87	Windows	This strike sends a malware sample known as Fareit. Fareit steals and harvests credentials from the targeted system. This information is then exfiltrated to a C2 server.	ab194d8704ff74eb3b6a7e3a72861ab1	https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html SHA256: 3a3502534442c75174835e423e8571477269145b153c77b492156a06e9c47f05 SHA1: 404f354b11f5482c50d325b869e79ea19285e527 MD5: ab194d8704ff74eb3b6a7e3a72861ab1
M20-lxtx1	Dridex_03970801	Windows	This strike sends a malware sample known as Dridex. Dridex is an online banking malware that steals personal information through HTML injections. It was first spotted at the end of 2014 and its inventors keep improving it periodically since then. The latest improvement is the addition of AtomBombing technique (does not exploit any vulnerabilities but uses a design flaw in Windows related to system-level Atom Tables) which makes Dridex harder to detect by antiviruses.	039708012057689e82f5e51fcb1f7ea8	https://blog.talosintelligence.com/2020/06/threat-roundup-0529-0605.html SHA256: d63b9fcd6e2a3da9965cd991c2280c0297f0ddf9b38000eda95181e4f02736f7 SHA1: c63a876ffdde033ec6e1b374e8bc8121c6c9b29a MD5: 039708012057689e82f5e51fcb1f7ea8
M20-gun81	Fareit_9e4c920b	Windows	This strike sends a malware sample known as Fareit. Fareit steals and harvests credentials from the targeted system. This information is then exfiltrated to a C2 server.	9e4c920b2480b5383e3ecf70d8f44ca5	https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html SHA256: 1f816d531d333287dfd5728657cbb223f891addd28e628fb1cd9bfcfb3216825 SHA1: 72e55ba6323b6757d1db8287cda36e5c593d1eac MD5: 9e4c920b2480b5383e3ecf70d8f44ca5
M20-nurb1	Cybergate_6135e514	Windows	This strike sends a malware sample known as Cybergate. Cybergate, also known as Rebhip, is a Remote Access Trojan that allows attackers to fully control the target system. Functionality includes command shell interaction, screenshot capturing, audio/video capturing, keylogging, as well as uploading/downloading files from the target system.	6135e51450700ceda22f9b729975d521	https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html SHA256: 11cd8e3e83744af76e4e3906f7f06a549fe7e49a6ec61a14678f25d7d01509be SHA1: b7b615cfa3cf28726c14ff1f21ad0f1a74dab923 MD5: 6135e51450700ceda22f9b729975d521
M20-bq071	Fareit_d59b4589	Windows	This strike sends a malware sample known as Fareit. Fareit steals and harvests credentials from the targeted system. This information is then exfiltrated to a C2 server.	d59b4589b612901efb782f8043871bb6	https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html SHA256: b8dd63abc6d1dee062cf5f5b68e8e91f748e29c354e19b66d119e04849f51083 SHA1: 3d402c2a72268973b9bb5fc399a773a2672fe107 MD5: d59b4589b612901efb782f8043871bb6
M20-pg911	Cybergate_d2378c47	Windows	This strike sends a malware sample known as Cybergate. Cybergate, also known as Rebhip, is a Remote Access Trojan that allows attackers to fully control the target system. Functionality includes command shell interaction, screenshot capturing, audio/video capturing, keylogging, as well as uploading/downloading files from the target system.	d2378c479458df3f17211d4c272f2d94	https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html SHA256: 6d0ce22174d45918ad313403aaeba8d38bbe59df1af2c09d8abb00d549251458 SHA1: 26e87f6e1ad2fd3142b270332fe3ea8fa2e76b07 MD5: d2378c479458df3f17211d4c272f2d94
M20-ge1m1	Cybergate_6fcde4d9	Windows	This strike sends a malware sample known as Cybergate. Cybergate, also known as Rebhip, is a Remote Access Trojan that allows attackers to fully control the target system. Functionality includes command shell interaction, screenshot capturing, audio/video capturing, keylogging, as well as uploading/downloading files from the target system.	6fcde4d947efe58c76af4e816cac33bb	https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html SHA256: 5a18e22eefd2d2492491d9001ea3d258f56cb8735576b021bc1e5bc2e6a0f3da SHA1: 866bb7f3a21dec50c98eb9129f618ea5eb3e1013 MD5: 6fcde4d947efe58c76af4e816cac33bb
M20-ljgk1	Zbot_edafffe2	Windows	This strike sends a malware sample known as Zbot. Zbot also known as Zeus is a trojan often associated with stealing banking information by keystroke logging and form grabbing techniques.	edafffe2b082e31de90dd3fb83a220fc	https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html SHA256: 115dd57d8c7887820eba732e628879f34693791da1cc8f4b270ef954e8a56b2b SHA1: 3164612cd3595b8cdc376fed133d4fd2f51c1989 MD5: edafffe2b082e31de90dd3fb83a220fc
M20-2rt71	Cybergate_9ffdc603	Windows	This strike sends a malware sample known as Cybergate. Cybergate, also known as Rebhip, is a Remote Access Trojan that allows attackers to fully control the target system. Functionality includes command shell interaction, screenshot capturing, audio/video capturing, keylogging, as well as uploading/downloading files from the target system.	9ffdc6033e95cecd90f932c06a46d77e	https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html SHA256: 64fa90ed57415dc00be6733a81c531f028324e897bc17e8b4de16f8085c4a113 SHA1: 2c279820e064d767a4a46bb3a4b8e705affbc7ed MD5: 9ffdc6033e95cecd90f932c06a46d77e
M20-mt621	Ramnit_4df42fba	Windows	This strike sends a malware sample known as Ramnit. Ramnit is a banking trojan that's been around since 2010 and has recently been resuming activity. After infection, it scans files that have interesting keywords, such as wallet, passwords, or the names of the targeted banks. Ramnit uses malvertising and malware-laden spam for distribution, though it also employed popular exploit kits, such as Angler.	4df42fba00af749db9a9be1e9d13ba5f	https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html SHA256: a9ea99bbe80da5f7c8bd97eadc8630831812480afdf2827d57a6620589f67ce1 SHA1: 83f12d8fade8c6f3a572800188290e7db9305682 MD5: 4df42fba00af749db9a9be1e9d13ba5f
M20-ahea1	Ramnit_0de235f0	Windows	This strike sends a malware sample known as Ramnit. Ramnit is a banking trojan that's been around since 2010 and has recently been resuming activity. After infection, it scans files that have interesting keywords, such as wallet, passwords, or the names of the targeted banks. Ramnit uses malvertising and malware-laden spam for distribution, though it also employed popular exploit kits, such as Angler.	0de235f06a9908d37b440a714bc83e4d	https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html SHA256: 6c3e1a2ae98ec30890ef5a8640f0130fa0ead136852ed5a9fe452f6ac3c01dba SHA1: 1a1c46edae72fe36efc05e0507e5d3647c3ea0f2 MD5: 0de235f06a9908d37b440a714bc83e4d
M20-33zo1	Fareit_dbd0c574	Windows	This strike sends a polymorphic malware sample known as Fareit. Fareit steals and harvests credentials from the targeted system. This information is then exfiltrated to a C2 server.The binary has the timestamp field updated in the PE file header.	dbd0c5748695321c966793651fc92702	https://attack.mitre.org/techniques/T1099/ SHA256: a3215c5eb44752feceeb3e301a7184c59508554dd34def23da1b4d5d414c7308 SHA1: d884b62adb2dbc736f18041d41b06949a195aa6b PARENTID: M20-yztx1 SSDEEP: 3072:8yqX75fvyv3gYq7fhvFGErUVAMhqalOR/aukG:L45fvigYqbhBrUVThqaqauj MD5: dbd0c5748695321c966793651fc92702
M20-gtjj1	Fareit_a2cbaa32	Windows	This strike sends a malware sample known as Fareit. Fareit steals and harvests credentials from the targeted system. This information is then exfiltrated to a C2 server.	a2cbaa320fce0eaf8618816f522b0988	https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html SHA256: 6e51b6e88a1962263b754210c4eaf76a422575d1b9c8495fa2885f3ccd164a7c SHA1: 66793e8c57d6bf787b986ba98cab3787778d9263 MD5: a2cbaa320fce0eaf8618816f522b0988
M20-fugs1	Ramnit_e15c3c1d	Windows	This strike sends a malware sample known as Ramnit. Ramnit is a banking trojan that's been around since 2010 and has recently been resuming activity. After infection, it scans files that have interesting keywords, such as wallet, passwords, or the names of the targeted banks. Ramnit uses malvertising and malware-laden spam for distribution, though it also employed popular exploit kits, such as Angler.	e15c3c1db02ac76fb3ef4cc3da611411	https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html SHA256: 7952e478a1c6df2378e2174e83c69608401c46526efff974484c719ba44f19dc SHA1: 2ce19d82c3aba2b9f61e83171c5b17f18d51d653 MD5: e15c3c1db02ac76fb3ef4cc3da611411
M20-luni1	Cybergate_5103ceac	Windows	This strike sends a malware sample known as Cybergate. Cybergate, also known as Rebhip, is a Remote Access Trojan that allows attackers to fully control the target system. Functionality includes command shell interaction, screenshot capturing, audio/video capturing, keylogging, as well as uploading/downloading files from the target system.	5103ceacc2fcd2ef558292edc98df7cd	https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html SHA256: 06c9eeaf4b22ccc75f29da153dfa87ca1c3759a5bfb3b688813a07c78cf9cf5a SHA1: a8d88b9b7237ead3751800caa83d4eb95251ec58 MD5: 5103ceacc2fcd2ef558292edc98df7cd
M20-ysrp1	Ramnit_a5729a0d	Windows	This strike sends a polymorphic malware sample known as Ramnit. Ramnit is a banking trojan that's been around since 2010 and has recently been resuming activity. After infection, it scans files that have interesting keywords, such as wallet, passwords, or the names of the targeted banks. Ramnit uses malvertising and malware-laden spam for distribution, though it also employed popular exploit kits, such as Angler.The binary has random bytes appended at the end of the file.	a5729a0deb510677662e26c3e4cd288d	https://attack.mitre.org/techniques/T1009/ SHA256: 4bcc84f50103644d8412f28302b264151588db1be40a2172f919ba32a6a4708f SHA1: 84e3e2314b5c457b5d9480f4110fce52c4be1c97 PARENTID: M20-3y2b1 SSDEEP: 1536:04OfRSikTjHw8/VhTqi4EqjCrCKfrSL2TtpdhJ/b+RuA6Tj1qNQaeIiYqpb11CT0:Jmi4VCrHXT1bfA6uFqpb1ys+Y MD5: a5729a0deb510677662e26c3e4cd288d
M20-y2io2	Zbot_8b1c2ad3	Windows	This strike sends a malware sample known as Zbot. Zbot also known as Zeus is a trojan often associated with stealing banking information by keystroke logging and form grabbing techniques.	8b1c2ad3137857f1cd122d5ac9db86c9	https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html SHA256: 4fbf3416adf96620028b3f92f661d24708aff0c83651868dddbbddae11110b9d SHA1: c0c6fa972e1a49dec5513c21f0ffca78a93bf528 MD5: 8b1c2ad3137857f1cd122d5ac9db86c9

Malware Strikes May - 2020

Strike ID	Malware	Platform	Info	MD5	External References
M20-ybm01	Cerber_58fcc751	Windows	This strike sends a malware sample known as Cerber. Cerber is ransomware that encrypts documents, photos, databases and other important files using the file extension ".cerber.	58fcc751acce8ded997a7d2348e8a29b	https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.html SHA256: 0de40a567ebe34116450658eef3d6a81bf8fa350aa3b6a808f236a603202aa13 SHA1: 0dc33a22227214fb816d0c6fb4d5b1c8efdaf0f7 MD5: 58fcc751acce8ded997a7d2348e8a29b
M20-wea01	Chthonic_f2e342f0	Windows	This strike sends a malware sample known as Chthonic. Chthonic is a banking trojan that is normally delivered by the attacker via phishing emails. Its purpose is to exfiltrate sensitive credentials from the victim machine, and has also been seen delivering other malware like AZORult to perform additional functionality.	f2e342f039eca55972cfa02b3564091f	https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.html SHA256: 7c9f6e39190124804994315278d5451dc80f0c59994778d7c1ee22d2f6903021 SHA1: 8f89731df7d712435765e3cb4a44b93eba0d93d5 MD5: f2e342f039eca55972cfa02b3564091f
M20-mrh01	Cerber_bcf1716e	Windows	This strike sends a malware sample known as Cerber. Cerber is ransomware that encrypts documents, photos, databases and other important files using the file extension ".cerber.	bcf1716e2a2e75529bbf4de69b1159c2	https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.html SHA256: 15c5d4adfd697ea53278ad1cdc1128cbc96b808071fe06b8f5fdcbe847cd5fe5 SHA1: e506a27a5af061b47918810cd1e081cbe31a7187 MD5: bcf1716e2a2e75529bbf4de69b1159c2
M20-mge01	GenericKidz_433e70f1	Windows	This strike sends a malware sample known as GenericKidz. GenericKidz is a Delphi application that installs the Hawkeye spyware. It utilizes the Windows Autostart registry key to achieve persistence upon a system reboot.	433e70f1e417b54f3991c5480ba49629	https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.html SHA256: 0c9ca5ead3a092e8c36983821e2059b6107906467e3d74095780da026e53e1d5 SHA1: c873cf6a7b717166cb2b8ea17b909ccdb783d00b MD5: 433e70f1e417b54f3991c5480ba49629
M20-7z801	Ragnar	Windows	This strike sends a polymorphic malware sample known as Ragnar Locker. Ragnar Locker is a ransomware that encrypts infected systems and demands a bitcoin ransom in order to decrypt the data. It infects these systems through unsecured RDP connections, and then uses MSP tools to push Powershell scripts to all available endpoints. Next these scripts will download a payload from Pastebin, that executes the ransomware.The binary has random bytes appended at the end of the file.	1e9104a4d587cd8483cda90b234a3780	https://attack.mitre.org/techniques/T1009/ SHA256: 5245f57c0cb21998d52b980fb326fd3ce73699772d85f7da0492d61fe7daced5 SHA1: 5528f8b16ae06f546e28a5f99d0a796481fd6f55 PARENTID: M20-kcc01 SSDEEP: 768:BpBsvKMNyoq65co7Bjd/3oqab0k3R2pXlj+BnkP7Z:BpPM4o4qFoqaXC+6N MD5: 1e9104a4d587cd8483cda90b234a3780
M20-oud01	Cerber_a6775e17	Windows	This strike sends a malware sample known as Cerber. Cerber is ransomware that encrypts documents, photos, databases and other important files using the file extension ".cerber.	a6775e1725ee8b2ef02576bff56f2098	https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.html SHA256: 07265644f5a634d235c9c33eef1deaca73689d5d8123bfb22b31a662cc9e2643 SHA1: 2aa77bc40bbafb4c0815d7e98b4aaf8e2c259f9c MD5: a6775e1725ee8b2ef02576bff56f2098
M20-76o01	Chthonic_4491185a	Windows	This strike sends a malware sample known as Chthonic. Chthonic is a banking trojan that is normally delivered by the attacker via phishing emails. Its purpose is to exfiltrate sensitive credentials from the victim machine, and has also been seen delivering other malware like AZORult to perform additional functionality.	4491185a608e1b581122f1f2ff31f80b	https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.html SHA256: 3c86595e1e7c456c182e0093475c5fce6656b44899ef23dff1badfa87a161468 SHA1: 4ca6b3c39c097b89e4e95dff5f21e0e039eea13d MD5: 4491185a608e1b581122f1f2ff31f80b
M20-gd301	Ragnar	Windows	This strike sends a malware sample known as Ragnar Locker. This malware is known as Ragnar Locker. Ragnar Locker is a ransomware that encrypts infected systems and demands a bitcoin ransom in order to decrypt the data. It infects these systems through unsecured RDP connections, and then uses MSP tools to push Powershell scripts to all available endpoints. Next these scripts will download a payload from Pastebin, that executes the ransomware.	f7c48ee1f3ee1b18d255ad98703a5896	https://www.deepinstinct.com/2020/04/27/ragnar-locker-ransomware-unlocked-by-deep-instinct/ SHA256: c2bd70495630ed8279de0713a010e5e55f3da29323b59ef71401b12942ba52f6 SHA1: 7c3a082237504d3bf36e47b986e02e014a2b8abc MD5: f7c48ee1f3ee1b18d255ad98703a5896
M20-6kb01	Maze_064058cf	Windows	This strike sends a malware sample known as Maze. Maze malware also known as ChaCha ransomware is known for not only encrypting files on the targeted system but for releasing stolen victim information to the public if the ransom is not paid. The ransomware has been delivered via several methods including exploits kits, remote desktop connections and phishing emails. This malware also utilizes many anti reversing and analysis features that make examining it much more difficult.	064058cf092063a5b69ed8fd2a1a04fe	https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ransomware-maze/ SHA256: 24da3ccf131b8236d3c4a8cc29482709531232ef9c9cba38266b908439dea063 SHA1: 92b44e52f13bcb097f412a6a61bdc46ac19584c6 MD5: 064058cf092063a5b69ed8fd2a1a04fe
M20-q5e01	GenericKidz_47d43093	Windows	This strike sends a malware sample known as GenericKidz. GenericKidz is a Delphi application that installs the Hawkeye spyware. It utilizes the Windows Autostart registry key to achieve persistence upon a system reboot.	47d430933b20724e741367fbc471ef4c	https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.html SHA256: 23af63321f9d1c310c14cc894f301d4c7dcb33fd06d4de84f2b3c8422fb83c06 SHA1: 41537f088cdbd42e0b3d5e8c6613f1ca60c66336 MD5: 47d430933b20724e741367fbc471ef4c
M20-4m201	Chthonic_f8b7320b	Windows	This strike sends a polymorphic malware sample known as Chthonic. Chthonic is a banking trojan that is normally delivered by the attacker via phishing emails. Its purpose is to exfiltrate sensitive credentials from the victim machine, and has also been seen delivering other malware like AZORult to perform additional functionality.The binary has been packed using upx packer, with the default options.	f8b7320bd389415d399e4ea8a30af167	https://attack.mitre.org/techniques/T1045/ SHA256: 5cb82d40e5b47c2396319700877f43a9f2fee3b6e68330cf4e12a786d96e526a SHA1: 73875a6320d05d26b1dd4caf7c16b932821c898a PARENTID: M20-wea01 SSDEEP: 3072:rhRPp1xigEkAJiUM9x5SAlYSzYrJTbCbK2jO8POnAWENw:rhJxisATM9x09iYrJTbCm2qE/WENw MD5: f8b7320bd389415d399e4ea8a30af167
M20-4jj01	GenericKidz_4cc4db0e	Windows	This strike sends a malware sample known as GenericKidz. GenericKidz is a Delphi application that installs the Hawkeye spyware. It utilizes the Windows Autostart registry key to achieve persistence upon a system reboot.	4cc4db0ea7cbf30b9401edbda75fcd55	https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.html SHA256: 1e0654a998adda2207a909a02f5f89e039ebbf107b16d77a6148f3caf23f07cd SHA1: 33c1d65f89dab800c20deb41cdb931daa6b1f7e3 MD5: 4cc4db0ea7cbf30b9401edbda75fcd55
M20-f3k01	Chthonic_aab84bb8	Windows	This strike sends a malware sample known as Chthonic. Chthonic is a banking trojan that is normally delivered by the attacker via phishing emails. Its purpose is to exfiltrate sensitive credentials from the victim machine, and has also been seen delivering other malware like AZORult to perform additional functionality.	aab84bb852fafd609314abe64403d04c	https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.html SHA256: 73dbdd15d5aeba77d61b723e1f8eafc2b161679c61ca1aeb3de9e397faafcb6d SHA1: 2b28cd85d19b7b7cc63bfa999a14b3001434d64f MD5: aab84bb852fafd609314abe64403d04c
M20-rr801	Maze_80043a5b	Mixed	This strike sends a malware sample known as Maze. Maze malware also known as ChaCha ransomware is known for not only encrypting files on the targeted system but for releasing stolen victim information to the public if the ransom is not paid. The ransomware has been delivered via several methods including exploits kits, remote desktop connections and phishing emails. This malware also utilizes many anti reversing and analysis features that make examining it much more difficult.	80043a5b285da88fb63d469243655751	https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ransomware-maze/ SHA256: 44991186a56b0d86581f2b9cc915e3af426a322d5c4f43a984e6ea38b81b7bed SHA1: 434e02e197cf7352ef01a8e44f1a64e0a49cd66e MD5: 80043a5b285da88fb63d469243655751
M20-yhz01	Maze_f04d404d	Windows	This strike sends a malware sample known as Maze. Maze malware also known as ChaCha ransomware is known for not only encrypting files on the targeted system but for releasing stolen victim information to the public if the ransom is not paid. The ransomware has been delivered via several methods including exploits kits, remote desktop connections and phishing emails. This malware also utilizes many anti reversing and analysis features that make examining it much more difficult.	f04d404d84be66e64a584d425844b926	https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ransomware-maze/ SHA256: 5603a16cbf81d183d3ff4ffea5477af1a4be01321865f0978c0e128051ec0a82 SHA1: 34584e01a7208b6aa150cccd5d855ec37fd129ea MD5: f04d404d84be66e64a584d425844b926
M20-yry01	Maze_ad30987a	Mixed	This strike sends a malware sample known as Maze. Maze malware also known as ChaCha ransomware is known for not only encrypting files on the targeted system but for releasing stolen victim information to the public if the ransom is not paid. The ransomware has been delivered via several methods including exploits kits, remote desktop connections and phishing emails. This malware also utilizes many anti reversing and analysis features that make examining it much more difficult.	ad30987a53b1b0264d806805ce1a2561	https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ransomware-maze/ SHA256: 9f2139cc7c3fad7f133c26015ed3310981de26d7f1481355806f430f9c97e639 SHA1: e7da9cac8fc6a30c2879ddb1ab97422e59979591 MD5: ad30987a53b1b0264d806805ce1a2561
M20-1uc01	Maze_d2dda72f	Windows	This strike sends a malware sample known as Maze. Maze malware also known as ChaCha ransomware is known for not only encrypting files on the targeted system but for releasing stolen victim information to the public if the ransom is not paid. The ransomware has been delivered via several methods including exploits kits, remote desktop connections and phishing emails. This malware also utilizes many anti reversing and analysis features that make examining it much more difficult.	d2dda72ff2fbbb89bd871c5fc21ee96a	https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ransomware-maze/ SHA256: ecd04ebbb3df053ce4efa2b73912fd4d086d1720f9b410235ee9c1e529ea52a2 SHA1: 7c928fdd5954ba9da5788453ce43a0ff440bf281 MD5: d2dda72ff2fbbb89bd871c5fc21ee96a
M20-4qg01	GenericKidz_4110f169	Windows	This strike sends a malware sample known as GenericKidz. GenericKidz is a Delphi application that installs the Hawkeye spyware. It utilizes the Windows Autostart registry key to achieve persistence upon a system reboot.	4110f169b8e3525a0dec5faa7086d171	https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.html SHA256: c07aa81c90d9e55f10cbc16f268b12cd1f2c2e4e65942221169398238b70ccb7 SHA1: ad287121e708355b1e37b0b3f5fa6b81fc31a1a3 MD5: 4110f169b8e3525a0dec5faa7086d171
M20-fds01	Maze_ef95c48e	Windows	This strike sends a malware sample known as Maze. Maze malware also known as ChaCha ransomware is known for not only encrypting files on the targeted system but for releasing stolen victim information to the public if the ransom is not paid. The ransomware has been delivered via several methods including exploits kits, remote desktop connections and phishing emails. This malware also utilizes many anti reversing and analysis features that make examining it much more difficult.	ef95c48e750c1a3b1af8f5446fa04f54	https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ransomware-maze/ SHA256: 22ccc6a9a8834e08f190486524fb86b177f332b5835f4bd75f31b4b667271bb0 SHA1: 8ea5950ffefa2b7193a40682513e80a28d743175 MD5: ef95c48e750c1a3b1af8f5446fa04f54
M20-25501	Chthonic_8a4e14ed	Windows	This strike sends a malware sample known as Chthonic. Chthonic is a banking trojan that is normally delivered by the attacker via phishing emails. Its purpose is to exfiltrate sensitive credentials from the victim machine, and has also been seen delivering other malware like AZORult to perform additional functionality.	8a4e14ed621b815a3233071ed247918a	https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.html SHA256: 58962d2b0dbb2d469a15ce8fb8695014c733c750d0a61ada0595189d64c769c0 SHA1: 89ca538592113e753b6108cd791dc31a7efa7df7 MD5: 8a4e14ed621b815a3233071ed247918a
M20-hfw01	Ragnar	Windows	This strike sends a malware sample known as Ragnar Locker. This malware is known as Ragnar Locker. Ragnar Locker is a ransomware that encrypts infected systems and demands a bitcoin ransom in order to decrypt the data. It infects these systems through unsecured RDP connections, and then uses MSP tools to push Powershell scripts to all available endpoints. Next these scripts will download a payload from Pastebin, that executes the ransomware.	77e84f1baf2b6d0dba6ad7169dab07ad	https://www.deepinstinct.com/2020/04/27/ragnar-locker-ransomware-unlocked-by-deep-instinct/ SHA256: 1472f5f559f90988f886d515f6d6c52e5d30283141ee2f13f92f7e1f7e6b8e9e SHA1: 5938b9900e0c1978802319dc1cbababd70abf597 MD5: 77e84f1baf2b6d0dba6ad7169dab07ad
M20-nbe01	Chthonic_01c6db88	Windows	This strike sends a malware sample known as Chthonic. Chthonic is a banking trojan that is normally delivered by the attacker via phishing emails. Its purpose is to exfiltrate sensitive credentials from the victim machine, and has also been seen delivering other malware like AZORult to perform additional functionality.	01c6db88b0aa86533073836d1bd8cf04	https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.html SHA256: 4d2c216c4ba2cec5e28324fbffc77479db4321862ef98fc2f6edbfa11c91b4be SHA1: 6be70b68b7af98d0d955e629d0bff83b153b0505 MD5: 01c6db88b0aa86533073836d1bd8cf04
M20-o5001	Cerber_9379c0cd	Windows	This strike sends a malware sample known as Cerber. Cerber is ransomware that encrypts documents, photos, databases and other important files using the file extension ".cerber.	9379c0cd8e0b04c9326e9276be77e280	https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.html SHA256: 1abc5f123d1e92a151c9ffecd863cfaeaec589a4cb21c28b7667f9e6e62e2b21 SHA1: a068cfb5165e5a8b81e7a674a82ed6226c9adc8e MD5: 9379c0cd8e0b04c9326e9276be77e280
M20-17d01	Chthonic_1d4738a3	Windows	This strike sends a malware sample known as Chthonic. Chthonic is a banking trojan that is normally delivered by the attacker via phishing emails. Its purpose is to exfiltrate sensitive credentials from the victim machine, and has also been seen delivering other malware like AZORult to perform additional functionality.	1d4738a31855c758963b3e4d8e192c2d	https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.html SHA256: 3780f9d56d95218a3a1e526c05aaf127d22d14093ee06bcf7fc9e3b78f87253e SHA1: f4006455e06ab52e3b5dd328726c9a6d3cef0d86 MD5: 1d4738a31855c758963b3e4d8e192c2d
M20-wvh01	GenericKidz_962468eb	Windows	This strike sends a malware sample known as GenericKidz. GenericKidz is a Delphi application that installs the Hawkeye spyware. It utilizes the Windows Autostart registry key to achieve persistence upon a system reboot.	962468eb7478581b08ac99444ab951ea	https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.html SHA256: 4044a3631fdbc686898028995532444f662d0a78be5a530d226239782445b4d8 SHA1: b4370cef329747da2d266002c84491abf8364d1f MD5: 962468eb7478581b08ac99444ab951ea
M20-jj001	Maze_02c0ba2a	Windows	This strike sends a malware sample known as Maze. Maze malware also known as ChaCha ransomware is known for not only encrypting files on the targeted system but for releasing stolen victim information to the public if the ransom is not paid. The ransomware has been delivered via several methods including exploits kits, remote desktop connections and phishing emails. This malware also utilizes many anti reversing and analysis features that make examining it much more difficult.	02c0ba2a97617497e7089bb900ffdc0c	https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ransomware-maze/ SHA256: 04d006f5c8498cc5a987a5c9379a0a117342d654d639fbf19fb8e050e85abb7d SHA1: bb684e83eb3740cde6afa61cb926ce2bf4d0be7a MD5: 02c0ba2a97617497e7089bb900ffdc0c
M20-umd01	Maze_53d5bdc6	Mixed	This strike sends a malware sample known as Maze. Maze malware also known as ChaCha ransomware is known for not only encrypting files on the targeted system but for releasing stolen victim information to the public if the ransom is not paid. The ransomware has been delivered via several methods including exploits kits, remote desktop connections and phishing emails. This malware also utilizes many anti reversing and analysis features that make examining it much more difficult.	53d5bdc6bd7904b44078cf80e239d42b	https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ransomware-maze/ SHA256: cfd8e3a47036c4eeeb318117c0c23e126aea95d1774dae37d5b6c3de02bdfc2a SHA1: 761910e01ca991434775bcbe40b56c2aa1fff029 MD5: 53d5bdc6bd7904b44078cf80e239d42b
M20-rug01	Chthonic_fb6acc3d	Windows	This strike sends a malware sample known as Chthonic. Chthonic is a banking trojan that is normally delivered by the attacker via phishing emails. Its purpose is to exfiltrate sensitive credentials from the victim machine, and has also been seen delivering other malware like AZORult to perform additional functionality.	fb6acc3da250c5db470492f2790dc221	https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.html SHA256: 311ce91b0bacedf64d500efe57c919eef18865107d73420bc59967d121077cc8 SHA1: d514cfd7b0ff5221d12091a0810e78e4be245ba4 MD5: fb6acc3da250c5db470492f2790dc221
M20-1os01	Cerber_1295a615	Windows	This strike sends a malware sample known as Cerber. Cerber is ransomware that encrypts documents, photos, databases and other important files using the file extension ".cerber.	1295a61551be8bb3fabd9403889eaac9	https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.html SHA256: 064579ef28c82acb6935b75fe3a2408b354a0d4d9004d3beb444045fb8ba1b9d SHA1: efd2175c782b5de133be6f7cb7245c60acd76016 MD5: 1295a61551be8bb3fabd9403889eaac9
M20-3re01	GenericKidz_988cd895	Windows	This strike sends a malware sample known as GenericKidz. GenericKidz is a Delphi application that installs the Hawkeye spyware. It utilizes the Windows Autostart registry key to achieve persistence upon a system reboot.	988cd895960f21183c83c298c4bb007c	https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.html SHA256: 47bf9eeb164237e0fc322125052d65783fa809bd804c8a9dbd6b4db210b24f92 SHA1: 4d468ea149bbe886b2602f2234e091cd2813665e MD5: 988cd895960f21183c83c298c4bb007c
M20-vc901	Maze_ee26e337	Mixed	This strike sends a malware sample known as Maze. Maze malware also known as ChaCha ransomware is known for not only encrypting files on the targeted system but for releasing stolen victim information to the public if the ransom is not paid. The ransomware has been delivered via several methods including exploits kits, remote desktop connections and phishing emails. This malware also utilizes many anti reversing and analysis features that make examining it much more difficult.	ee26e33725b14850b1776a67bd8f2d0a	https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ransomware-maze/ SHA256: d617fd4b2d0824e1a7eb9693c6ec6e71447d501d24653a8e99face12136491a8 SHA1: 7e4b1fd3a82448e9dd3422487aa8d2488f95bf26 MD5: ee26e33725b14850b1776a67bd8f2d0a
M20-m4t01	Cerber_177b8bca	Windows	This strike sends a polymorphic malware sample known as Cerber. Cerber is ransomware that encrypts documents, photos, databases and other important files using the file extension ".cerber".The binary file has one more imports added in the import table.	177b8bcaa38f1fc024b2b02203ce3278	https://arxiv.org/abs/1702.05983 SHA256: 9b8c28c7bd3d3c643a9f56d7f9e8cd6b277cb42f75471ebabd12136a92d70be2 SHA1: e9a21d3a8a0e65c380f2d9540f31af00e5139339 PARENTID: M20-qcm01 SSDEEP: 6144:aPvsAaRn+h+/qM5gEZGmJ4swsCTUrHvHP/jvHbfbUsRtwI5Mg8QC1N1e:uGRn+4d57ZGy4D32wcMgile MD5: 177b8bcaa38f1fc024b2b02203ce3278
M20-yqt01	Cerber_af672b3d	Windows	This strike sends a malware sample known as Cerber. Cerber is ransomware that encrypts documents, photos, databases and other important files using the file extension ".cerber.	af672b3d1f4c6f019e0e17d227087607	https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.html SHA256: 11018a64eeae53e33d66193676705e49ab658d04f5e2f8471ab896fbda96b1d5 SHA1: d0052224dd0a116507a60887ace1a55ae708df84 MD5: af672b3d1f4c6f019e0e17d227087607
M20-0vw01	Maze_d6e2396d	Windows	This strike sends a polymorphic malware sample known as Maze. Maze malware also known as ChaCha ransomware is known for not only encrypting files on the targeted system but for releasing stolen victim information to the public if the ransom is not paid. The ransomware has been delivered via several methods including exploits kits, remote desktop connections and phishing emails. This malware also utilizes many anti reversing and analysis features that make examining it much more difficult.The binary has a random section name renamed according to the PE format specification.	d6e2396df72ada10e2bbf0f48cb70462	https://arxiv.org/abs/1801.08917 SHA256: 18f03c65bf58549e8e230b8ef8595287fe51db0e5e411adfeaf261f87574543e SHA1: 27b1fa00a1a1edce9d2aa976aff216466042c930 PARENTID: M20-igj01 SSDEEP: 6144:kx0s5c9jrLrLrLZMEQ9V6wZqEZw0eNsd198V50DErNNg/ydlb4fQ6wFMvMK:EMAwmlDYNg6dNoQl+vD MD5: d6e2396df72ada10e2bbf0f48cb70462
M20-h0j01	Chthonic_35bc4e7e	Windows	This strike sends a malware sample known as Chthonic. Chthonic is a banking trojan that is normally delivered by the attacker via phishing emails. Its purpose is to exfiltrate sensitive credentials from the victim machine, and has also been seen delivering other malware like AZORult to perform additional functionality.	35bc4e7e59b96ba08e6fde8a805868a0	https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.html SHA256: 356e8479fb35f301fe0f578726fe072ecec12d2d1074d20bafd9b107a0f2fa62 SHA1: 1444678488bd4463b196ada2e729a89986302120 MD5: 35bc4e7e59b96ba08e6fde8a805868a0
M20-vf301	GenericKidz_f27a8207	Windows	This strike sends a malware sample known as GenericKidz. GenericKidz is a Delphi application that installs the Hawkeye spyware. It utilizes the Windows Autostart registry key to achieve persistence upon a system reboot.	f27a8207eab1b5be953da9cde9e504ee	https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.html SHA256: 68fb0d69411cceecd15f52ab04953034ef20310d46df3fcb3afa01ef9815dfda SHA1: b687bef3d7452273ad42918629b24da1ffc89ad9 MD5: f27a8207eab1b5be953da9cde9e504ee
M20-acp01	Cerber_1c0de3d5	Windows	This strike sends a malware sample known as Cerber. Cerber is ransomware that encrypts documents, photos, databases and other important files using the file extension ".cerber.	1c0de3d521d3fd02949cdb53d3b5334a	https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.html SHA256: 0e446d8cb2f076a30441b95278c77badff0a2814ed16ca59e5767795aff0729e SHA1: 0f0d261d3c3470bbb2eca065a9685a9b62ef7110 MD5: 1c0de3d521d3fd02949cdb53d3b5334a
M20-t7b01	Maze_1ffecd46	Mixed	This strike sends a malware sample known as Maze. Maze malware also known as ChaCha ransomware is known for not only encrypting files on the targeted system but for releasing stolen victim information to the public if the ransom is not paid. The ransomware has been delivered via several methods including exploits kits, remote desktop connections and phishing emails. This malware also utilizes many anti reversing and analysis features that make examining it much more difficult.	1ffecd461b3d4b65e44faff8537f68d6	https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ransomware-maze/ SHA256: 5f1e512d9ab9b915b1fc925f546ed559cbfa49df53229e2f954a1416cf6f5ee4 SHA1: 8e6df1166afaae4aa5335aaee6a63f98a4613024 MD5: 1ffecd461b3d4b65e44faff8537f68d6
M20-tqc01	Ragnar	Windows	This strike sends a polymorphic malware sample known as Ragnar Locker. Ragnar Locker is a ransomware that encrypts infected systems and demands a bitcoin ransom in order to decrypt the data. It infects these systems through unsecured RDP connections, and then uses MSP tools to push Powershell scripts to all available endpoints. Next these scripts will download a payload from Pastebin, that executes the ransomware.The binary has the debug flag removed in the PE file format.	453b78931f1856b9295117ef3b9db30e	https://arxiv.org/abs/1801.08917 SHA256: dc1c31a0e2ff3b048a875e2c1373e9836baa96250db547c7270a4bf4f599a5d6 SHA1: 85278411ede936ce43602f8a36abb10d97aea6f9 PARENTID: M20-kcc01 SSDEEP: 768:KpBsvKMNyoq65co7Bjd/3oqab0k3R2pXlj+Bnk:KpPM4o4qFoqaXC+6 MD5: 453b78931f1856b9295117ef3b9db30e
M20-sb501	Chthonic_06683c12	Windows	This strike sends a malware sample known as Chthonic. Chthonic is a banking trojan that is normally delivered by the attacker via phishing emails. Its purpose is to exfiltrate sensitive credentials from the victim machine, and has also been seen delivering other malware like AZORult to perform additional functionality.	06683c12ede3b376d05d461be84a48ad	https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.html SHA256: 49f30782a139a159f630022bffa0cd2aef80149efa80436791807270954dda51 SHA1: 4bd1845860073e6aeb791e1d617b68690c140d04 MD5: 06683c12ede3b376d05d461be84a48ad
M20-8r101	GenericKidz_f12dd048	Windows	This strike sends a malware sample known as GenericKidz. GenericKidz is a Delphi application that installs the Hawkeye spyware. It utilizes the Windows Autostart registry key to achieve persistence upon a system reboot.	f12dd048ef5d97a4fdc97c983a8d1478	https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.html SHA256: 4004df1bf42ff674d7cb4a526e3af694302d6d8bdaceeee88dc8b4135fc7594c SHA1: 6deb902ed6d6da53f983d71bcb32c4e670ab45b7 MD5: f12dd048ef5d97a4fdc97c983a8d1478
M20-b4z01	GenericKidz_bd742339	Windows	This strike sends a malware sample known as GenericKidz. GenericKidz is a Delphi application that installs the Hawkeye spyware. It utilizes the Windows Autostart registry key to achieve persistence upon a system reboot.	bd742339bb527c17f0a07c19ec36cea3	https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.html SHA256: 78ab5f5da002769f5104e87bf633930d4218f9c764699427a01384d15e7ed43f SHA1: ebc728c74a1f63ebd370a8693d069afdc3c234e7 MD5: bd742339bb527c17f0a07c19ec36cea3
M20-9az01	Chthonic_c7844c3f	Windows	This strike sends a polymorphic malware sample known as Chthonic. Chthonic is a banking trojan that is normally delivered by the attacker via phishing emails. Its purpose is to exfiltrate sensitive credentials from the victim machine, and has also been seen delivering other malware like AZORult to perform additional functionality.The binary has a random section name renamed according to the PE format specification.	c7844c3f89c00041a31a6704ef8a4ef5	https://arxiv.org/abs/1801.08917 SHA256: 1a178c2abeb207f1c9b4ae5bb52e3a4d2b8d5c3953622c7721c6d7a7e7c8d30d SHA1: aaf1bd5308ba0592e2c7bb2aef4fd8987749935c PARENTID: M20-9l601 SSDEEP: 3072:DAUvnyA6tx3W7c4iFyLN1oGpVOfZaIHmmC8J26HuJzCc0:Nvn0xz4bB1trYmmCI2U2mj MD5: c7844c3f89c00041a31a6704ef8a4ef5
M20-4ik01	Chthonic_2306b513	Windows	This strike sends a malware sample known as Chthonic. Chthonic is a banking trojan that is normally delivered by the attacker via phishing emails. Its purpose is to exfiltrate sensitive credentials from the victim machine, and has also been seen delivering other malware like AZORult to perform additional functionality.	2306b513b6283cf5c017dbf7240a7c19	https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.html SHA256: 3fa1d611262596bc923fc1e6ac7f44b5ad1c3d574270e588041f379c1b38b679 SHA1: bfd9403ec23512e453bad0ed0ceac99fcc1b75d9 MD5: 2306b513b6283cf5c017dbf7240a7c19
M20-o8301	Maze_be537a66	Windows	This strike sends a malware sample known as Maze. Maze malware also known as ChaCha ransomware is known for not only encrypting files on the targeted system but for releasing stolen victim information to the public if the ransom is not paid. The ransomware has been delivered via several methods including exploits kits, remote desktop connections and phishing emails. This malware also utilizes many anti reversing and analysis features that make examining it much more difficult.	be537a66d01c67076c8491b05866c894	https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ransomware-maze/ SHA256: 877c439da147bab8e2c32f03814e3973c22cbcd112d35bc2735b803ac9113da1 SHA1: 8614c5aa7abe3b91ffbc5637dd53bdff886aa1c1 MD5: be537a66d01c67076c8491b05866c894
M20-yle01	Cerber_3feda6e4	Windows	This strike sends a malware sample known as Cerber. Cerber is ransomware that encrypts documents, photos, databases and other important files using the file extension ".cerber.	3feda6e4ba4db978fe9b8533df206722	https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.html SHA256: 1177ecb326246585b0b1a3f3664969325eb3017d6ae93e8340fd04497391f41d SHA1: c5c7ed08900d9973f258097b0594c2da8f45d707 MD5: 3feda6e4ba4db978fe9b8533df206722
M20-af201	Cerber_b6ddcba9	Windows	This strike sends a malware sample known as Cerber. Cerber is ransomware that encrypts documents, photos, databases and other important files using the file extension ".cerber.	b6ddcba95312ff109ba53049dd3df5af	https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.html SHA256: 15bcfa2a7f4a8446b9044b31ac577e75ceca42d8d47b7441f86e97610df7fb30 SHA1: c177741641cf582b05b9470d62830af1f2943e01 MD5: b6ddcba95312ff109ba53049dd3df5af
M20-7vn01	Chthonic_c663f470	Windows	This strike sends a polymorphic malware sample known as Chthonic. Chthonic is a banking trojan that is normally delivered by the attacker via phishing emails. Its purpose is to exfiltrate sensitive credentials from the victim machine, and has also been seen delivering other malware like AZORult to perform additional functionality.The binary has random bytes appended at the end of the file.	c663f470475adcec85d53ae121a28bef	https://attack.mitre.org/techniques/T1009/ SHA256: c26f64f5b77ff1aebb388055e18376e36b5795444dd3efc524b95d96a0d11b2e SHA1: 4f4e40f9283332d7c497c449157c86f5bf09d494 PARENTID: M20-9l601 SSDEEP: 3072:5AUvnyA6tx3W7c4iFyLN1oGpVOfZaIHmmC8J26HuJzCc9F:rvn0xz4bB1trYmmCI2U2mEF MD5: c663f470475adcec85d53ae121a28bef
M20-g3c01	Ragnar	Windows	This strike sends a malware sample known as Ragnar Locker. This malware is known as Ragnar Locker. Ragnar Locker is a ransomware that encrypts infected systems and demands a bitcoin ransom in order to decrypt the data. It infects these systems through unsecured RDP connections, and then uses MSP tools to push Powershell scripts to all available endpoints. Next these scripts will download a payload from Pastebin, that executes the ransomware.	9b2a874de86f10ff992a30febdb6f9e8	https://www.deepinstinct.com/2020/04/27/ragnar-locker-ransomware-unlocked-by-deep-instinct/ SHA256: a8ee0fafbd7b84417c0fb31709b2d9c25b2b8a16381b36756ca94609e2a6fcf6 SHA1: 01fff32c5e016bfd3692072ef0ef5b943f2da110 MD5: 9b2a874de86f10ff992a30febdb6f9e8
M20-rh201	Chthonic_ed8b7d43	Windows	This strike sends a malware sample known as Chthonic. Chthonic is a banking trojan that is normally delivered by the attacker via phishing emails. Its purpose is to exfiltrate sensitive credentials from the victim machine, and has also been seen delivering other malware like AZORult to perform additional functionality.	ed8b7d43f752748610116d9c2ec2ad17	https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.html SHA256: 706c37e3dbf83e01206b37a4c3fc1f39611cd05b7f8df8ebe2456efd8a6970ac SHA1: 872b6e77f28602bd4af0b22f9ebe2d02b3429480 MD5: ed8b7d43f752748610116d9c2ec2ad17
M20-igj01	Maze_57e3d794	Windows	This strike sends a malware sample known as Maze. Maze malware also known as ChaCha ransomware is known for not only encrypting files on the targeted system but for releasing stolen victim information to the public if the ransom is not paid. The ransomware has been delivered via several methods including exploits kits, remote desktop connections and phishing emails. This malware also utilizes many anti reversing and analysis features that make examining it much more difficult.	57e3d794b333f6ba4d2a968a54c7f7d8	https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ransomware-maze/ SHA256: 78fb8d34cf3e034fbbaefd8f7587bd364a000a1e12c4a6fa45e192d56b93a25a SHA1: e850e2963deaea7e6d43c1390f4d69b20ed62a67 MD5: 57e3d794b333f6ba4d2a968a54c7f7d8
M20-kcc01	Ragnar	Windows	This strike sends a malware sample known as Ragnar Locker. This malware is known as Ragnar Locker. Ragnar Locker is a ransomware that encrypts infected systems and demands a bitcoin ransom in order to decrypt the data. It infects these systems through unsecured RDP connections, and then uses MSP tools to push Powershell scripts to all available endpoints. Next these scripts will download a payload from Pastebin, that executes the ransomware.	3ca359f5085bb96a7950d4735b089ffe	https://www.deepinstinct.com/2020/04/27/ragnar-locker-ransomware-unlocked-by-deep-instinct/ SHA256: 7af61ce420051640c50b0e73e718dd8c55dddfcb58917a3bead9d3ece2f3e929 SHA1: 60747604d54a18c4e4dc1a2c209e77a793e64dde MD5: 3ca359f5085bb96a7950d4735b089ffe
M20-g7601	Cerber_d9456755	Windows	This strike sends a malware sample known as Cerber. Cerber is ransomware that encrypts documents, photos, databases and other important files using the file extension ".cerber.	d9456755be7622b653eeb66cbe992c30	https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.html SHA256: 1263a68800e384bee88a29156b3240a4f5bd7c207d7bb3994ee42d9f8e3104b0 SHA1: 4ed16dcd3ff7d91cf073fcb091137a9ba3d26dec MD5: d9456755be7622b653eeb66cbe992c30
M20-r4901	Chthonic_5dc71fc5	Windows	This strike sends a malware sample known as Chthonic. Chthonic is a banking trojan that is normally delivered by the attacker via phishing emails. Its purpose is to exfiltrate sensitive credentials from the victim machine, and has also been seen delivering other malware like AZORult to perform additional functionality.	5dc71fc5408d7749d25459cacc54c4d6	https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.html SHA256: 6e6d5dbe3d497750383b5b50ceb17a8cdb67eeb2c923af97219ef25f0d3f8274 SHA1: 04ce1a31b804ca5e100f2ddc6340c706a55df726 MD5: 5dc71fc5408d7749d25459cacc54c4d6
M20-f5p01	Maze_1d746808	Windows	This strike sends a polymorphic malware sample known as Maze. Maze malware also known as ChaCha ransomware is known for not only encrypting files on the targeted system but for releasing stolen victim information to the public if the ransom is not paid. The ransomware has been delivered via several methods including exploits kits, remote desktop connections and phishing emails. This malware also utilizes many anti reversing and analysis features that make examining it much more difficult.The binary has random strings (lorem ipsum) appended at the end of the file.	1d74680891b4955ff98287f689d23016	https://attack.mitre.org/techniques/T1009/ SHA256: fda037a68cb707b4609ae9d9f609ac73a3a2a53f279840983d1131eb04b5da9f SHA1: 7a297b8a73f34d9600e0942b9e79ea03825d43bc PARENTID: M20-igj01 SSDEEP: 6144:Sx0s5c9jrLrLrLZMEQ9V6wZqEZw0eNsd198V50DErNNg/ydlb4fQ6wFMvMD:mMAwmlDYNg6dNoQl+vC MD5: 1d74680891b4955ff98287f689d23016
M20-zlj01	Cerber_97c2f3bb	Windows	This strike sends a polymorphic malware sample known as Cerber. Cerber is ransomware that encrypts documents, photos, databases and other important files using the file extension ".cerber".The binary has been packed using upx packer, with the default options.	97c2f3bb7328316b257cc6f319b32bd9	https://attack.mitre.org/techniques/T1045/ SHA256: 89c08b1ee24e19d5697f09bd3c1f6b8d146ab2b43b6d1949f367fb2a91f60b24 SHA1: 637c8a7737c59f7e2cfb3dc2ea48f4cfb7a3961e PARENTID: M20-qcm01 SSDEEP: 6144:QtHxDeGTNkEm3tLP09Kt1Y1yBnFi1Jg7q5EPQf2ZZBZvHZuV:QtR1R0tLF7B8g7q549ZZHvHZuV MD5: 97c2f3bb7328316b257cc6f319b32bd9
M20-7a801	Cerber_3507a8e8	Windows	This strike sends a malware sample known as Cerber. Cerber is ransomware that encrypts documents, photos, databases and other important files using the file extension ".cerber.	3507a8e8633d46b72971e691189a62d1	https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.html SHA256: 03f07c9b09741428f840403a193a1dd7f0216371e3f8d159ccabdf7a4629bb9e SHA1: a987fab8c3dea79c4e37c24658a5a84297803ba9 MD5: 3507a8e8633d46b72971e691189a62d1
M20-z7h01	Chthonic_029263b3	Windows	This strike sends a malware sample known as Chthonic. Chthonic is a banking trojan that is normally delivered by the attacker via phishing emails. Its purpose is to exfiltrate sensitive credentials from the victim machine, and has also been seen delivering other malware like AZORult to perform additional functionality.	029263b342d655892fee9634dc699c50	https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.html SHA256: 4bd6b56bad8e51cf3187d822dfdd6919382d338999df524dbb99c32495c20d7b SHA1: 3d48854abd5494e72fb77eac64b63d4a31b9ab0d MD5: 029263b342d655892fee9634dc699c50
M20-bg501	Maze_35a4ba50	Windows	This strike sends a polymorphic malware sample known as Maze. Maze malware also known as ChaCha ransomware is known for not only encrypting files on the targeted system but for releasing stolen victim information to the public if the ransom is not paid. The ransomware has been delivered via several methods including exploits kits, remote desktop connections and phishing emails. This malware also utilizes many anti reversing and analysis features that make examining it much more difficult.The binary has random bytes appended at the end of the file.	35a4ba50a7d6aac61fc36980a6153df2	https://attack.mitre.org/techniques/T1009/ SHA256: 33d489bbcc6f10df8c67eae9712d07c45ae7ca3d6405aa5814fa6edd7ae58181 SHA1: e51368fbd2c00cb84b84ef65aad179848d9bd564 PARENTID: M20-igj01 SSDEEP: 6144:Sx0s5c9jrLrLrLZMEQ9V6wZqEZw0eNsd198V50DErNNg/ydlb4fQ6wFMvMO:mMAwmlDYNg6dNoQl+vP MD5: 35a4ba50a7d6aac61fc36980a6153df2
M20-m1n01	Maze_4cdd275b	Windows	This strike sends a malware sample known as Maze. Maze malware also known as ChaCha ransomware is known for not only encrypting files on the targeted system but for releasing stolen victim information to the public if the ransom is not paid. The ransomware has been delivered via several methods including exploits kits, remote desktop connections and phishing emails. This malware also utilizes many anti reversing and analysis features that make examining it much more difficult.	4cdd275bc7d6bf28c5691c1ee1b37eac	https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ransomware-maze/ SHA256: 0b9c99276ed36110afc58b3fb59ada135146180189c25d99618ca5897537ee21 SHA1: b908dfc77cd01a03f1be1270e7ae570bef6b89f3 MD5: 4cdd275bc7d6bf28c5691c1ee1b37eac
M20-zb301	Chthonic_66f43845	Windows	This strike sends a malware sample known as Chthonic. Chthonic is a banking trojan that is normally delivered by the attacker via phishing emails. Its purpose is to exfiltrate sensitive credentials from the victim machine, and has also been seen delivering other malware like AZORult to perform additional functionality.	66f43845fdd3fa7414b5d772806e7e26	https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.html SHA256: 2e434122795ce60847385431e28d8e96e0a63ced780a48d9acdbad149c262074 SHA1: 1d88592c20f7b850e61461ac9c64a728e41c14d5 MD5: 66f43845fdd3fa7414b5d772806e7e26
M20-6xe01	Maze_b9078b6d	Windows	This strike sends a polymorphic malware sample known as Maze. Maze malware also known as ChaCha ransomware is known for not only encrypting files on the targeted system but for releasing stolen victim information to the public if the ransom is not paid. The ransomware has been delivered via several methods including exploits kits, remote desktop connections and phishing emails. This malware also utilizes many anti reversing and analysis features that make examining it much more difficult.The binary has random contents appended in one of the existing sections in the PE file format.	b9078b6db33deb83201c8d2cbb3ced4e	https://arxiv.org/abs/1801.08917 SHA256: 8e2e8b266bf451bce36445ef9fe0284f2d171518b61ed4dc2e025799c7949e6e SHA1: f4767c509c5c6b5b0ba97931f810bbf8a4d3e02b PARENTID: M20-igj01 SSDEEP: 6144:Sx0s5c9jrLrLrLZMEQ9V6wZqEZw0eNsd198V50DErjNg/ydlb4fQ6wFMvMK:mMAwmlD2Ng6dNoQl+vD MD5: b9078b6db33deb83201c8d2cbb3ced4e
M20-3o801	Chthonic_d39d63cd	Windows	This strike sends a malware sample known as Chthonic. Chthonic is a banking trojan that is normally delivered by the attacker via phishing emails. Its purpose is to exfiltrate sensitive credentials from the victim machine, and has also been seen delivering other malware like AZORult to perform additional functionality.	d39d63cdd5965a342f6465585fcf3bd4	https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.html SHA256: 4b255914b1ee12886e4dee4745799d21fcefcf2c95466d2ee5c4af056a280809 SHA1: 8782804d58d23f1c1c15783f29b1f6bb94ba78c8 MD5: d39d63cdd5965a342f6465585fcf3bd4
M20-7xg01	Chthonic_79a423d4	Windows	This strike sends a malware sample known as Chthonic. Chthonic is a banking trojan that is normally delivered by the attacker via phishing emails. Its purpose is to exfiltrate sensitive credentials from the victim machine, and has also been seen delivering other malware like AZORult to perform additional functionality.	79a423d4b36a9f38cafd7402d3bf6708	https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.html SHA256: 6f22d50967bd631b8cf5fa77b96267817ae25c4f1de75998ce5a6046c74aee01 SHA1: 9effc7a23f15569d250d3ce3f21f556bb3204eaf MD5: 79a423d4b36a9f38cafd7402d3bf6708
M20-zwj01	Cerber_7a9698cc	Windows	This strike sends a malware sample known as Cerber. Cerber is ransomware that encrypts documents, photos, databases and other important files using the file extension ".cerber.	7a9698cc75dc079ec4186faae460d4ca	https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.html SHA256: 17d48b5318fc9d45eb21d19793e3a699c5c95bd67bb8ca8cc240db9d69f6c770 SHA1: 3b82fd1201a89500c86b457e416a21446df90032 MD5: 7a9698cc75dc079ec4186faae460d4ca
M20-4th01	Chthonic_b678aff5	Windows	This strike sends a malware sample known as Chthonic. Chthonic is a banking trojan that is normally delivered by the attacker via phishing emails. Its purpose is to exfiltrate sensitive credentials from the victim machine, and has also been seen delivering other malware like AZORult to perform additional functionality.	b678aff5be1fff867d80ca4a0c8309f7	https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.html SHA256: 031a584697feeecc9014a8d021576b1964545a96bf652a4102179b405aa4cf5c SHA1: ef8965cfb68984a1c3544ac758af8ee357be3d3b MD5: b678aff5be1fff867d80ca4a0c8309f7
M20-nuu01	Maze_5a568b2a	Windows	This strike sends a malware sample known as Maze. Maze malware also known as ChaCha ransomware is known for not only encrypting files on the targeted system but for releasing stolen victim information to the public if the ransom is not paid. The ransomware has been delivered via several methods including exploits kits, remote desktop connections and phishing emails. This malware also utilizes many anti reversing and analysis features that make examining it much more difficult.	5a568b2a5e62e7889f1a8dfaf64d3a7c	https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ransomware-maze/ SHA256: 0d8b74e1e9eb07e3e0c1c480153cc138ffb13fb0e2bb417b20f7ba9b5186e571 SHA1: 31fd982ba7e08d81e9c59b91afb7c023958dbdec MD5: 5a568b2a5e62e7889f1a8dfaf64d3a7c
M20-qqx01	GenericKidz_1faca9c8	Windows	This strike sends a malware sample known as GenericKidz. GenericKidz is a Delphi application that installs the Hawkeye spyware. It utilizes the Windows Autostart registry key to achieve persistence upon a system reboot.	1faca9c8ed5d600cc1972c17943507b7	https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.html SHA256: 2ce6928f41662856507bed0a7073b80e8504b7760f3c8b787543d25db7d5c1ed SHA1: 6bd30b6d6dc44d2881f87f200776e09a260dfdb0 MD5: 1faca9c8ed5d600cc1972c17943507b7
M20-b0501	Cerber_3441dcf7	Windows	This strike sends a malware sample known as Cerber. Cerber is ransomware that encrypts documents, photos, databases and other important files using the file extension ".cerber.	3441dcf7cae2b362ed94147259d95977	https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.html SHA256: 09029946caf0de395b14a26364354dd32679aee7c7eb22c5e8c04775c0d3d538 SHA1: 31ab7d939d7eac34b658146e9a02c002dd6fe3f3 MD5: 3441dcf7cae2b362ed94147259d95977
M20-2iv01	Cerber_14dea99a	Windows	This strike sends a malware sample known as Cerber. Cerber is ransomware that encrypts documents, photos, databases and other important files using the file extension ".cerber.	14dea99adcd67477f247c9dd1a8189c3	https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.html SHA256: 1b10ca8a96db74c1748019566edeca9b8967665c12264f5969ee30bd11ef1504 SHA1: 6fc55c7d36c0b714f00d946d5b8f050671addbf5 MD5: 14dea99adcd67477f247c9dd1a8189c3
M20-gxx01	Chthonic_c1d322b8	Windows	This strike sends a malware sample known as Chthonic. Chthonic is a banking trojan that is normally delivered by the attacker via phishing emails. Its purpose is to exfiltrate sensitive credentials from the victim machine, and has also been seen delivering other malware like AZORult to perform additional functionality.	c1d322b838b40a2f040e3f22e1fb4f41	https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.html SHA256: 1fbb6393e4cf576e0f11b615e0990a8b2134b0ea0e9ec58374f7e7f49125d6f4 SHA1: b1245503bd123de66e2a1183b6c08010f2a03194 MD5: c1d322b838b40a2f040e3f22e1fb4f41
M20-5sp01	Cerber_a968db00	Windows	This strike sends a malware sample known as Cerber. Cerber is ransomware that encrypts documents, photos, databases and other important files using the file extension ".cerber.	a968db00332971d364e7a17386ce7ad8	https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.html SHA256: 10ab9740564dc471636c8006f6bd36c3f6762e87859f912e337709b26dab6c15 SHA1: 09ca57c61961025212d4219986b4e3639410f517 MD5: a968db00332971d364e7a17386ce7ad8
M20-shy01	Ragnar	Windows	This strike sends a malware sample known as Ragnar Locker. This malware is known as Ragnar Locker. Ragnar Locker is a ransomware that encrypts infected systems and demands a bitcoin ransom in order to decrypt the data. It infects these systems through unsecured RDP connections, and then uses MSP tools to push Powershell scripts to all available endpoints. Next these scripts will download a payload from Pastebin, that executes the ransomware.	1ee5456c1226affd7b72bcdf3db443b7	https://www.deepinstinct.com/2020/04/27/ragnar-locker-ransomware-unlocked-by-deep-instinct/ SHA256: dd5d4cf9422b6e4514d49a3ec542cffb682be8a24079010cda689afbb44ac0f4 SHA1: e22344a92c91b567a6cba7eb66686c438d479462 MD5: 1ee5456c1226affd7b72bcdf3db443b7
M20-hxt01	Ragnar	Windows	This strike sends a malware sample known as Ragnar Locker. This malware is known as Ragnar Locker. Ragnar Locker is a ransomware that encrypts infected systems and demands a bitcoin ransom in order to decrypt the data. It infects these systems through unsecured RDP connections, and then uses MSP tools to push Powershell scripts to all available endpoints. Next these scripts will download a payload from Pastebin, that executes the ransomware.	6d122b4bfab5e75f3ae903805cbbc641	https://www.deepinstinct.com/2020/04/27/ragnar-locker-ransomware-unlocked-by-deep-instinct/ SHA256: 68eb2d2d7866775d6bf106a914281491d23769a9eda88fc078328150b8432bb3 SHA1: 5197d1b54494f8cb043759b35e097c660a9e09ac MD5: 6d122b4bfab5e75f3ae903805cbbc641
M20-zsv01	Ragnar	Windows	This strike sends a malware sample known as Ragnar Locker. This malware is known as Ragnar Locker. Ragnar Locker is a ransomware that encrypts infected systems and demands a bitcoin ransom in order to decrypt the data. It infects these systems through unsecured RDP connections, and then uses MSP tools to push Powershell scripts to all available endpoints. Next these scripts will download a payload from Pastebin, that executes the ransomware.	00fb3f27bccef7c5658ff9f5ce487cec	https://www.deepinstinct.com/2020/04/27/ragnar-locker-ransomware-unlocked-by-deep-instinct/ SHA256: b670441066ff868d06c682e5167b9dbc85b5323f3acfbbc044cabc0e5a594186 SHA1: c24fedb9b8a592722d5a9adb34d276fc3b329d6f MD5: 00fb3f27bccef7c5658ff9f5ce487cec
M20-c3c01	Maze_8bb9bf4b	Windows	This strike sends a malware sample known as Maze. Maze malware also known as ChaCha ransomware is known for not only encrypting files on the targeted system but for releasing stolen victim information to the public if the ransom is not paid. The ransomware has been delivered via several methods including exploits kits, remote desktop connections and phishing emails. This malware also utilizes many anti reversing and analysis features that make examining it much more difficult.	8bb9bf4b8be1141c4cdc4d435bfe7d0e	https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ransomware-maze/ SHA256: 0fb01d846e2682ed2507367d2d4537c45800304410b270a13e94f1ca778d161e SHA1: dfc77a86fb58c2aa04b6b0399eea6dd0d642baa0 MD5: 8bb9bf4b8be1141c4cdc4d435bfe7d0e
M20-lx201	Maze_8540030a	Windows	This strike sends a malware sample known as Maze. Maze malware also known as ChaCha ransomware is known for not only encrypting files on the targeted system but for releasing stolen victim information to the public if the ransom is not paid. The ransomware has been delivered via several methods including exploits kits, remote desktop connections and phishing emails. This malware also utilizes many anti reversing and analysis features that make examining it much more difficult.	8540030a0ea3e18e84af7ce026ab9cad	https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ransomware-maze/ SHA256: a6ac82fc87e552476a77c8d22e2d1d64fa17cc3dea9f428a53776354c97825b2 SHA1: 4ccfe4cf5839024e768520c63e3a1982eee092f0 MD5: 8540030a0ea3e18e84af7ce026ab9cad
M20-nwz01	Maze_2fbd1097	Mixed	This strike sends a malware sample known as Maze. Maze malware also known as ChaCha ransomware is known for not only encrypting files on the targeted system but for releasing stolen victim information to the public if the ransom is not paid. The ransomware has been delivered via several methods including exploits kits, remote desktop connections and phishing emails. This malware also utilizes many anti reversing and analysis features that make examining it much more difficult.	2fbd10975ee65845a18af6b7488a5236	https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ransomware-maze/ SHA256: 7e3ab96d2628e0a9970802b47d0356dc9b99994d7f98492d4e70a5384891695a SHA1: 9806dfc1cf337f4f27c3469ba40f6c189b6d20c8 MD5: 2fbd10975ee65845a18af6b7488a5236
M20-69e01	GenericKidz_c2896bc7	Windows	This strike sends a malware sample known as GenericKidz. GenericKidz is a Delphi application that installs the Hawkeye spyware. It utilizes the Windows Autostart registry key to achieve persistence upon a system reboot.	c2896bc7bc97a3d4b93539403649fa9d	https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.html SHA256: ce44dd760f7ac7402279368416c194c993f454ddb2e88a72bb73354f454c4d40 SHA1: 5b3c86aa0cc8431f583885933db61c13c4e35b69 MD5: c2896bc7bc97a3d4b93539403649fa9d
M20-2bn01	Cerber_690b5684	Windows	This strike sends a malware sample known as Cerber. Cerber is ransomware that encrypts documents, photos, databases and other important files using the file extension ".cerber.	690b5684c5a82b42b22d54e3691903d4	https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.html SHA256: 15c3a3254008702641bdf20c7e32bd5afd317bde685c21a38a6e00eabd9d91a7 SHA1: 717bd79ba156d417694c95a8570174a615a601d2 MD5: 690b5684c5a82b42b22d54e3691903d4
M20-5uy01	Cerber_694d096a	Windows	This strike sends a malware sample known as Cerber. Cerber is ransomware that encrypts documents, photos, databases and other important files using the file extension ".cerber.	694d096af90e04bf409c0633179789f7	https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.html SHA256: 072a4c4b5d8d97d3d9c678aacf7d9a73609e346ae563b330098ac20c4dd3945d SHA1: 4c4c0bd798b9556ebb18e2248f37284dc71438a2 MD5: 694d096af90e04bf409c0633179789f7
M20-dys01	Cerber_f3b921b7	Windows	This strike sends a malware sample known as Cerber. Cerber is ransomware that encrypts documents, photos, databases and other important files using the file extension ".cerber.	f3b921b7d63f3f99bef732169ed4dfde	https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.html SHA256: 0b4eaa008cf3fa9b5b9e2413d520fc8e20c9f826976a1c48040644148a9d176a SHA1: c1b39c48d31fa2cc8401a9bf8aa79890217bc6b9 MD5: f3b921b7d63f3f99bef732169ed4dfde
M20-u2w01	Cerber_fffc65ba	Windows	This strike sends a malware sample known as Cerber. Cerber is ransomware that encrypts documents, photos, databases and other important files using the file extension ".cerber.	fffc65baf12eaa1897d15d4cb99dd885	https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.html SHA256: 081992320357213e05b0c14f914f85dc108ccd96c442ed01c2e0a929c28081ba SHA1: 4ff489628198bb7380b3dfd365a4e9672c0b58b8 MD5: fffc65baf12eaa1897d15d4cb99dd885
M20-dkg01	Maze_c09af442	Mixed	This strike sends a malware sample known as Maze. Maze malware also known as ChaCha ransomware is known for not only encrypting files on the targeted system but for releasing stolen victim information to the public if the ransom is not paid. The ransomware has been delivered via several methods including exploits kits, remote desktop connections and phishing emails. This malware also utilizes many anti reversing and analysis features that make examining it much more difficult.	c09af442e8c808c953f4fa461956a30f	https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ransomware-maze/ SHA256: 97043f23defd510607ff43201bb03b9916a23bd71b5bdf97db357e5026732506 SHA1: 7b0b06069aca88f8d13176be5b285194f546904a MD5: c09af442e8c808c953f4fa461956a30f
M20-uv601	Maze_e5f4b224	Windows	This strike sends a malware sample known as Maze. Maze malware also known as ChaCha ransomware is known for not only encrypting files on the targeted system but for releasing stolen victim information to the public if the ransom is not paid. The ransomware has been delivered via several methods including exploits kits, remote desktop connections and phishing emails. This malware also utilizes many anti reversing and analysis features that make examining it much more difficult.	e5f4b2242a57b3f00c2c4feee2df9671	https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ransomware-maze/ SHA256: 042273f30363405ee416ca4dae6f0279668dfc5ea742c0e265b9553798a90ae5 SHA1: a62d4bf7b4d0e04b681f18ffaa2b904caf47920d MD5: e5f4b2242a57b3f00c2c4feee2df9671
M20-0qk01	Cerber_57a5aaec	Windows	This strike sends a polymorphic malware sample known as Cerber. Cerber is ransomware that encrypts documents, photos, databases and other important files using the file extension ".cerber".The binary has random contents appended in one of the existing sections in the PE file format.	57a5aaecd4fd8261c9d527599d42a9b0	https://arxiv.org/abs/1801.08917 SHA256: 710a4e7339bbe22a8cf32d5eb626846893f6900ff508e2c883cde8ab6a92edcf SHA1: a0e198df945392f5ec4d38436fa422322bb61eca PARENTID: M20-qcm01 SSDEEP: 6144:qPvsAaRn+h+/qM5gEZGmJ4swsCTUrHvHP/jvHbfbU4RtwI5Mg8QC1N1u:eGRn+4d57ZGy4D3KwcMgilu MD5: 57a5aaecd4fd8261c9d527599d42a9b0
M20-a6d01	Cerber_2fc84f19	Windows	This strike sends a malware sample known as Cerber. Cerber is ransomware that encrypts documents, photos, databases and other important files using the file extension ".cerber.	2fc84f19ff76dbd2eb9ea2a66167ed29	https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.html SHA256: 18f9701f2516d860384b0796815c163f2c7b2dd5cde6d8d1b479a3d68d65a194 SHA1: 1e202a09cc2f384e14bae9ca44b739ed273d5e00 MD5: 2fc84f19ff76dbd2eb9ea2a66167ed29
M20-ey101	Maze_b02be7a3	Windows	This strike sends a malware sample known as Maze. Maze malware also known as ChaCha ransomware is known for not only encrypting files on the targeted system but for releasing stolen victim information to the public if the ransom is not paid. The ransomware has been delivered via several methods including exploits kits, remote desktop connections and phishing emails. This malware also utilizes many anti reversing and analysis features that make examining it much more difficult.	b02be7a336dcc6635172e0d6ec24c554	https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ransomware-maze/ SHA256: 0f1cbf09b19fc9963742e3f60def1434fa86ac760790fb974a6b5fcd81b4881f SHA1: a58b45f6ac4c4fbcf938de01ee1e585fe3715fd6 MD5: b02be7a336dcc6635172e0d6ec24c554
M20-9l601	Chthonic_431bae5b	Windows	This strike sends a malware sample known as Chthonic. Chthonic is a banking trojan that is normally delivered by the attacker via phishing emails. Its purpose is to exfiltrate sensitive credentials from the victim machine, and has also been seen delivering other malware like AZORult to perform additional functionality.	431bae5bc5941c98f202be23a406a073	https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.html SHA256: 781a3db07da4ed20bbcfa7c481c525cf6282b0f9eb3fbdfff0baa2356294bb34 SHA1: 2c68a36590f77ef2c3a8f46e95faff59f58225ea MD5: 431bae5bc5941c98f202be23a406a073
M20-rgm01	Ragnar	Windows	This strike sends a malware sample known as Ragnar Locker. This malware is known as Ragnar Locker. Ragnar Locker is a ransomware that encrypts infected systems and demands a bitcoin ransom in order to decrypt the data. It infects these systems through unsecured RDP connections, and then uses MSP tools to push Powershell scripts to all available endpoints. Next these scripts will download a payload from Pastebin, that executes the ransomware.	6171000983cf3896d167e0d8aa9b94ba	https://www.deepinstinct.com/2020/04/27/ragnar-locker-ransomware-unlocked-by-deep-instinct/ SHA256: 9bdd7f965d1c67396afb0a84c78b4d12118ff377db7efdca4a1340933120f376 SHA1: b155264bbfbad7226b5eb3be2ab38c3ecd9f3e18 MD5: 6171000983cf3896d167e0d8aa9b94ba
M20-wlr01	GenericKidz_3c885353	Windows	This strike sends a malware sample known as GenericKidz. GenericKidz is a Delphi application that installs the Hawkeye spyware. It utilizes the Windows Autostart registry key to achieve persistence upon a system reboot.	3c885353717f05e99153623439feda5e	https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.html SHA256: 47083ad7c0c9741e69eb4575f4b89b999519e80e044839edf3cc3fb228b9733b SHA1: a1dba065907f493429ee9e62f85eaed8ba57a654 MD5: 3c885353717f05e99153623439feda5e
M20-8lt01	GenericKidz_7bb5c3fe	Windows	This strike sends a malware sample known as GenericKidz. GenericKidz is a Delphi application that installs the Hawkeye spyware. It utilizes the Windows Autostart registry key to achieve persistence upon a system reboot.	7bb5c3fed88c6e84f6d6f731d4de6210	https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.html SHA256: 7902a68c192bef55edd8429d07c6bbcbe30c601a3fc41d35186eb4cb0592f1f1 SHA1: a4897fa9bd44e46e1415c77a0e0fa54ebb93455e MD5: 7bb5c3fed88c6e84f6d6f731d4de6210
M20-hji01	SNAKE_3d1cc4ef	Windows	This strike sends a malware sample known as SNAKE. SNAKE, also known as EKANS, is a ransomware that encrypts all processes related to SCADA Systems, Virtual Machines, Industrial Control Systems, Remote Management Tools, and other various Network Software on a system. The purpose of this ransomware is to go after all devices that are connected to the target and not one speciifc machine. The malware is written in GOLANG and contains a higher level of obfuscation than typically seen in ransomware.	3d1cc4ef33bad0e39c757fce317ef82a	https://www.tripwire.com/state-of-security/security-data-protection/massive-spike-in-snake-ransomware-activity-attributed-to-new-campaign/ https://twitter.com/VK_Intel/status/1214333066245812224 SHA256: e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60 SHA1: f34e4b7080aa2ee5cfee2dac38ec0c306203b4ac MD5: 3d1cc4ef33bad0e39c757fce317ef82a
M20-uy601	Maze_b6786f14	Windows	This strike sends a malware sample known as Maze. Maze malware also known as ChaCha ransomware is known for not only encrypting files on the targeted system but for releasing stolen victim information to the public if the ransom is not paid. The ransomware has been delivered via several methods including exploits kits, remote desktop connections and phishing emails. This malware also utilizes many anti reversing and analysis features that make examining it much more difficult.	b6786f141148925010122819047d1882	https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ransomware-maze/ SHA256: c84b2c7ec20dd835ece13d5ae42b30e02a9e67cc13c831ae81d85b49518387b9 SHA1: 9e6e19c145cbf359c0a151b38d17e30ccbad6f4b MD5: b6786f141148925010122819047d1882
M20-p4x01	Ragnar	Windows	This strike sends a polymorphic malware sample known as Ragnar Locker. Ragnar Locker is a ransomware that encrypts infected systems and demands a bitcoin ransom in order to decrypt the data. It infects these systems through unsecured RDP connections, and then uses MSP tools to push Powershell scripts to all available endpoints. Next these scripts will download a payload from Pastebin, that executes the ransomware.The binary has random contents appended in one of the existing sections in the PE file format.	f64a645f4d106e30cfbf076d43b40528	https://arxiv.org/abs/1801.08917 SHA256: f462c3d2797b8d9b580a5749cae74c92f5841e6bf80100fdaaad976cf60c2aad SHA1: c584c9a6ade80fd1f890b70fd288c9365487f0bd PARENTID: M20-kcc01 SSDEEP: 768:BpBsvKMNyoq65co7Bjd/3oqab0k3R2pXlj+Cnk:BpPM4o4qFoqaXC+L MD5: f64a645f4d106e30cfbf076d43b40528
M20-her01	Cerber_f53c055c	Windows	This strike sends a malware sample known as Cerber. Cerber is ransomware that encrypts documents, photos, databases and other important files using the file extension ".cerber.	f53c055c2838d768ef530df3825188e2	https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.html SHA256: 078398933742904fe3bf5aeb856505bac9a255a1c1eeddf9705c29d411a7bee8 SHA1: 3303ae2218362ad4012d24369eda1e35e066f604 MD5: f53c055c2838d768ef530df3825188e2
M20-0i501	Maze_c9ea6430	Windows	This strike sends a malware sample known as Maze. Maze malware also known as ChaCha ransomware is known for not only encrypting files on the targeted system but for releasing stolen victim information to the public if the ransom is not paid. The ransomware has been delivered via several methods including exploits kits, remote desktop connections and phishing emails. This malware also utilizes many anti reversing and analysis features that make examining it much more difficult.	c9ea6430da4e72b672ce29e56ecad603	https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ransomware-maze/ SHA256: dee863ffa251717b8e56a96e2f9f0b41b09897d3c7cb2e8159fcb0ac0783611b SHA1: 31c3f7b523e1e406d330958e28882227765c3c5e MD5: c9ea6430da4e72b672ce29e56ecad603
M20-bnh01	GenericKidz_f70fe9f1	Windows	This strike sends a malware sample known as GenericKidz. GenericKidz is a Delphi application that installs the Hawkeye spyware. It utilizes the Windows Autostart registry key to achieve persistence upon a system reboot.	f70fe9f15d99e75b4151878b2a529d7c	https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.html SHA256: 1844b3b59e94ea263279fe882a6652fe936a0b0b13bbd21f1d3cd609aacf9b07 SHA1: b82f782be065a159f6fe77b374071635a9ddfe0c MD5: f70fe9f15d99e75b4151878b2a529d7c
M20-onw01	Ragnar	Windows	This strike sends a malware sample known as Ragnar Locker. This malware is known as Ragnar Locker. Ragnar Locker is a ransomware that encrypts infected systems and demands a bitcoin ransom in order to decrypt the data. It infects these systems through unsecured RDP connections, and then uses MSP tools to push Powershell scripts to all available endpoints. Next these scripts will download a payload from Pastebin, that executes the ransomware.	0fbbc59d4fe280a55c1fb6f5502c1e73	https://www.deepinstinct.com/2020/04/27/ragnar-locker-ransomware-unlocked-by-deep-instinct/ SHA256: 63096f288f49b25d50f4aea52dc1fc00871b3927fa2a81fa0b0d752b261a3059 SHA1: af53890ed1d4753e7493d48862bdd7d18a2b11f6 MD5: 0fbbc59d4fe280a55c1fb6f5502c1e73
M20-qsb01	Ragnar	Windows	This strike sends a malware sample known as Ragnar Locker. This malware is known as Ragnar Locker. Ragnar Locker is a ransomware that encrypts infected systems and demands a bitcoin ransom in order to decrypt the data. It infects these systems through unsecured RDP connections, and then uses MSP tools to push Powershell scripts to all available endpoints. Next these scripts will download a payload from Pastebin, that executes the ransomware.	7529e3c83618f5e3a4cc6dbf3a8534a6	https://www.deepinstinct.com/2020/04/27/ragnar-locker-ransomware-unlocked-by-deep-instinct/ SHA256: ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597 SHA1: 0f944504eebfca5466b6113853b0d83e38cf885a MD5: 7529e3c83618f5e3a4cc6dbf3a8534a6
M20-bc001	Cerber_608b841c	Windows	This strike sends a malware sample known as Cerber. Cerber is ransomware that encrypts documents, photos, databases and other important files using the file extension ".cerber.	608b841c52758d52facc067c443706fc	https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.html SHA256: 0a280fb6afce1778478df3f8b1f962ea46aa865b27c88d7ca75368029580773e SHA1: 767621b4d4c9d31074a670ed747becfce0cfc386 MD5: 608b841c52758d52facc067c443706fc
M20-a3d01	GenericKidz_5a99a2dd	Windows	This strike sends a malware sample known as GenericKidz. GenericKidz is a Delphi application that installs the Hawkeye spyware. It utilizes the Windows Autostart registry key to achieve persistence upon a system reboot.	5a99a2dd0525714396061c7504ea20fe	https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.html SHA256: ab5d820fc7e40a39109653d0601d337487ed8b329a9a98fef128d29dd86d0a02 SHA1: 272d1ba756bff3795113d6d8c09fabb184b34667 MD5: 5a99a2dd0525714396061c7504ea20fe
M20-u9801	Chthonic_c8bba81e	Windows	This strike sends a malware sample known as Chthonic. Chthonic is a banking trojan that is normally delivered by the attacker via phishing emails. Its purpose is to exfiltrate sensitive credentials from the victim machine, and has also been seen delivering other malware like AZORult to perform additional functionality.	c8bba81ea0611dbc891c3758147b6fae	https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.html SHA256: 5dd350e1e1f1ed234d2c90e8b5f67e5e101362e03ae00f10b824c7f00f8660cd SHA1: c741bd252b54ea2f4cf485777c19acfc74e8792a MD5: c8bba81ea0611dbc891c3758147b6fae
M20-gie01	Chthonic_502b1b65	Windows	This strike sends a malware sample known as Chthonic. Chthonic is a banking trojan that is normally delivered by the attacker via phishing emails. Its purpose is to exfiltrate sensitive credentials from the victim machine, and has also been seen delivering other malware like AZORult to perform additional functionality.	502b1b65f1c1a4fd2361d099e974a898	https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.html SHA256: 7e5bc9f6c66a319309e81857b8232fc05acc203522d9114b9e3cc5f54c1b9986 SHA1: c31e6f03bfe79598958b22c773d621104a89bd64 MD5: 502b1b65f1c1a4fd2361d099e974a898
M20-tw901	Chthonic_370baeff	Windows	This strike sends a malware sample known as Chthonic. Chthonic is a banking trojan that is normally delivered by the attacker via phishing emails. Its purpose is to exfiltrate sensitive credentials from the victim machine, and has also been seen delivering other malware like AZORult to perform additional functionality.	370baeff15dcd74c3ed1b9fd1128a962	https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.html SHA256: 63394c768a993b74c0e06aabda3fee9a9a67571764ffe60353347b0315e6c87c SHA1: e1f7316b11a02b3bea58d02fe05a53bc8a903e36 MD5: 370baeff15dcd74c3ed1b9fd1128a962
M20-dw101	GenericKidz_e3c0bf52	Windows	This strike sends a malware sample known as GenericKidz. GenericKidz is a Delphi application that installs the Hawkeye spyware. It utilizes the Windows Autostart registry key to achieve persistence upon a system reboot.	e3c0bf52abab62e7f6427d7984a30509	https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.html SHA256: 454100af51eec868d71d2994dc370aad164375d4b640bfddce831ee3fa940b8f SHA1: 40c5576699e1c003a3a9c12da8a173729d31af07 MD5: e3c0bf52abab62e7f6427d7984a30509
M20-daf01	Cerber_af3cc204	Windows	This strike sends a malware sample known as Cerber. Cerber is ransomware that encrypts documents, photos, databases and other important files using the file extension ".cerber.	af3cc2049b1c06a001a456e2bb2caf66	https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.html SHA256: 0230d78c972d399f627b228776f2d8e96b717da068a128ace4b69067419708d6 SHA1: b1f164a36fab8cde80f2dc3fa04554558e27519d MD5: af3cc2049b1c06a001a456e2bb2caf66
M20-m2h01	Chthonic_bb5fbb93	Windows	This strike sends a malware sample known as Chthonic. Chthonic is a banking trojan that is normally delivered by the attacker via phishing emails. Its purpose is to exfiltrate sensitive credentials from the victim machine, and has also been seen delivering other malware like AZORult to perform additional functionality.	bb5fbb9372ad0247b0bbdff420a0a477	https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.html SHA256: 2ff4747e01031d470d5feae7e5073aa34aff489f29cbed18502960baf7dcfebe SHA1: bdf60ae370120d75a827ea8e85833cab106b9d34 MD5: bb5fbb9372ad0247b0bbdff420a0a477
M20-qcm01	Cerber_a209900f	Windows	This strike sends a malware sample known as Cerber. Cerber is ransomware that encrypts documents, photos, databases and other important files using the file extension ".cerber.	a209900fe0ec106ab8c651a7cbc99aa5	https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.html SHA256: 1ba1f09c7e2fd18f2577a62a3103461c1f09610304571e1eb055687a65b03fae SHA1: 11a4e53f43e2f5a3fc3596862822b9e527f99990 MD5: a209900fe0ec106ab8c651a7cbc99aa5
M20-dk201	Cerber_3af67275	Windows	This strike sends a malware sample known as Cerber. Cerber is ransomware that encrypts documents, photos, databases and other important files using the file extension ".cerber.	3af672751c54a91f1175397ee62e536d	https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.html SHA256: 11bc5389a0c2d2f5a5fd68630cd8e46f3fdcb3ba434492e7ee71544a70986930 SHA1: ea6cc3dfb1248ba82d270a5024f416fb322cb95a MD5: 3af672751c54a91f1175397ee62e536d
M20-ogi01	Ragnar	Windows	This strike sends a malware sample known as Ragnar Locker. This malware is known as Ragnar Locker. Ragnar Locker is a ransomware that encrypts infected systems and demands a bitcoin ransom in order to decrypt the data. It infects these systems through unsecured RDP connections, and then uses MSP tools to push Powershell scripts to all available endpoints. Next these scripts will download a payload from Pastebin, that executes the ransomware.	5b06303cdf191dae161e849841f8aff4	https://www.deepinstinct.com/2020/04/27/ragnar-locker-ransomware-unlocked-by-deep-instinct/ SHA256: 5fc6f4cfb0d11e99c439a13b6c247ec3202a9a343df63576ce9f31cffcdbaf76 SHA1: 64b99b55f0a1ec4f8f30897a460c574300a8acbd MD5: 5b06303cdf191dae161e849841f8aff4

Malware Strikes April - 2020

Strike ID	Malware	Platform	Info	MD5	External References
M20-mjm01	Kwampirs_bfc12d23	Windows	This strike sends a malware sample known as Kwampirs. Kwampirs is a modular RAT that creates a back door on the victim machine. Once infected it attempts to propagate itself within the target network, gather information, and provide the attacker with remote access. It then communicates with a command and control server to perform additional functionality. Recently it has been seen targeting the public health care sector during the COVID19 pandemic.	bfc12d23196ea7bfd712955dde3d2d85	https://www.bankinfosecurity.com/fbi-warns-kwampirs-malware-supply-chain-attacks-a-14037 https://blog.reversinglabs.com/blog/unpacking-kwampirs-rat SHA256: 425080dcf9901b5e6f195858c2191aba39892feedfd4955fc6fa9cfb42004b80 SHA1: fa8da972bc926d76cc817e3770a971278c4ce724 MD5: bfc12d23196ea7bfd712955dde3d2d85
M20-8yb01	Kuluoz_4f01e4bf	Windows	This strike sends a malware sample known as Kuluoz. Kuluoz also called Asprox is a remote access trojan that has been known to download and execute additional malware like fake antivirus software.	4f01e4bf0820972e5de9a7acfdb38e5f	https://blog.talosintelligence.com/2020/04/threat-roundup-0326-0403.html SHA256: 11f515b2c3e828864f0067242ffc9f27439c3f978f9a5a21303c44942946aa65 SHA1: 62f31f77480e9ecd9f8759cdcf762aca867c99d8 MD5: 4f01e4bf0820972e5de9a7acfdb38e5f
M20-7ua01	Kwampirs_348410b4	Windows	This strike sends a malware sample known as Kwampirs. Kwampirs is a modular RAT that creates a back door on the victim machine. Once infected it attempts to propagate itself within the target network, gather information, and provide the attacker with remote access. It then communicates with a command and control server to perform additional functionality. Recently it has been seen targeting the public health care sector during the COVID19 pandemic.	348410b4d1610db75dd21935425fd9cf	https://www.bankinfosecurity.com/fbi-warns-kwampirs-malware-supply-chain-attacks-a-14037 https://blog.reversinglabs.com/blog/unpacking-kwampirs-rat SHA256: 8634fb9a62244dfc9aa9d657e1b120519fb560a1c7472e4b072a694db8d8759e SHA1: e33afdbbbb7a31d9f4ad659d7d7b2417dcbc3081 MD5: 348410b4d1610db75dd21935425fd9cf
M20-hri01	Kwampirs_2e616c67	Windows	This strike sends a malware sample known as Kwampirs. Kwampirs is a modular RAT that creates a back door on the victim machine. Once infected it attempts to propagate itself within the target network, gather information, and provide the attacker with remote access. It then communicates with a command and control server to perform additional functionality. Recently it has been seen targeting the public health care sector during the COVID19 pandemic.	2e616c67365340079d96e8319025c78b	https://www.bankinfosecurity.com/fbi-warns-kwampirs-malware-supply-chain-attacks-a-14037 https://blog.reversinglabs.com/blog/unpacking-kwampirs-rat SHA256: bb88c94b719f226f871d5e537386316a2bfe13be5f326685d7399d53666fb5c4 SHA1: e1e1598167489aafde1ea2cd9004ee73eff40bb6 MD5: 2e616c67365340079d96e8319025c78b
M20-tkb01	Kwampirs_bc2d6299	Windows	This strike sends a malware sample known as Kwampirs. Kwampirs is a modular RAT that creates a back door on the victim machine. Once infected it attempts to propagate itself within the target network, gather information, and provide the attacker with remote access. It then communicates with a command and control server to perform additional functionality. Recently it has been seen targeting the public health care sector during the COVID19 pandemic.	bc2d6299417def3b7a8360b3c86809ec	https://www.bankinfosecurity.com/fbi-warns-kwampirs-malware-supply-chain-attacks-a-14037 https://blog.reversinglabs.com/blog/unpacking-kwampirs-rat SHA256: 9c531de46386e7435d40a9c81365874181696adb42ff38af4350b69ec53f6456 SHA1: e19b5a0c8f1acd01feaf7cf9bd91bea0c9da38c0 MD5: bc2d6299417def3b7a8360b3c86809ec
M20-qm101	Kuluoz_f168c072	Windows	This strike sends a malware sample known as Kuluoz. Kuluoz also called Asprox is a remote access trojan that has been known to download and execute additional malware like fake antivirus software.	f168c072cd2e59fd7dbbb9cfe0316bc1	https://blog.talosintelligence.com/2020/04/threat-roundup-0326-0403.html SHA256: 13c78ebcfe7cb52b9a3dd8324b761585e99a96761ecf1f70d4f7370163597384 SHA1: cc3dbf850931e54260da77385385e8c88221ada2 MD5: f168c072cd2e59fd7dbbb9cfe0316bc1
M20-6cw01	Kwampirs_c26b8d93	Windows	This strike sends a malware sample known as Kwampirs. Kwampirs is a modular RAT that creates a back door on the victim machine. Once infected it attempts to propagate itself within the target network, gather information, and provide the attacker with remote access. It then communicates with a command and control server to perform additional functionality. Recently it has been seen targeting the public health care sector during the COVID19 pandemic.	c26b8d939c03328b14e3f13e754d5ca2	https://www.bankinfosecurity.com/fbi-warns-kwampirs-malware-supply-chain-attacks-a-14037 https://blog.reversinglabs.com/blog/unpacking-kwampirs-rat SHA256: 450aad84166d9a9d64e4f7d0db161057f88fd167154e4bde2da43a2fd67910ba SHA1: f0ce612f2a1ef0273b14bed12d3440864c13f995 MD5: c26b8d939c03328b14e3f13e754d5ca2
M20-7j901	Kwampirs_b3ebaa04	Windows	This strike sends a malware sample known as Kwampirs. Kwampirs is a modular RAT that creates a back door on the victim machine. Once infected it attempts to propagate itself within the target network, gather information, and provide the attacker with remote access. It then communicates with a command and control server to perform additional functionality. Recently it has been seen targeting the public health care sector during the COVID19 pandemic.	b3ebaa0495777a8e5f06ef931174a500	https://www.bankinfosecurity.com/fbi-warns-kwampirs-malware-supply-chain-attacks-a-14037 https://blog.reversinglabs.com/blog/unpacking-kwampirs-rat SHA256: 99e88408894b61903d57c8c10ebb806ddb8ca4b530a8778e8cb2fae0294243ac SHA1: e4b51cd8b5a29cc26079a1e7d4fb8e2e94393676 MD5: b3ebaa0495777a8e5f06ef931174a500
M20-c0i01	Kwampirs_463a1632	Windows	This strike sends a malware sample known as Kwampirs. Kwampirs is a modular RAT that creates a back door on the victim machine. Once infected it attempts to propagate itself within the target network, gather information, and provide the attacker with remote access. It then communicates with a command and control server to perform additional functionality. Recently it has been seen targeting the public health care sector during the COVID19 pandemic.	463a1632907f80e7598f42a7c5071be5	https://www.bankinfosecurity.com/fbi-warns-kwampirs-malware-supply-chain-attacks-a-14037 https://blog.reversinglabs.com/blog/unpacking-kwampirs-rat SHA256: e3bc08f7a12f9b68a73de99ecd0aaef1447bbbba9e35f518d42fd0e751be858f SHA1: ef3c670cb2d5b05fcd5d2e1bb9f049ea1e2f5ed9 MD5: 463a1632907f80e7598f42a7c5071be5
M20-z8b01	Kwampirs_56dd0e33	Windows	This strike sends a malware sample known as Kwampirs. Kwampirs is a modular RAT that creates a back door on the victim machine. Once infected it attempts to propagate itself within the target network, gather information, and provide the attacker with remote access. It then communicates with a command and control server to perform additional functionality. Recently it has been seen targeting the public health care sector during the COVID19 pandemic.	56dd0e334ee817730e41b64b4306599e	https://www.bankinfosecurity.com/fbi-warns-kwampirs-malware-supply-chain-attacks-a-14037 https://blog.reversinglabs.com/blog/unpacking-kwampirs-rat SHA256: a5e5b4e6caf7ac3ac8d9b7b3527f767ff011d138246686822fea213a3b0597fc SHA1: a2a7b97eded34a1df262933e985355e0ba7625bd MD5: 56dd0e334ee817730e41b64b4306599e
M20-gwq01	Kwampirs_40fe7da3	Windows	This strike sends a malware sample known as Kwampirs. Kwampirs is a modular RAT that creates a back door on the victim machine. Once infected it attempts to propagate itself within the target network, gather information, and provide the attacker with remote access. It then communicates with a command and control server to perform additional functionality. Recently it has been seen targeting the public health care sector during the COVID19 pandemic.	40fe7da3625ae67e51743b93dd5b6a13	https://www.bankinfosecurity.com/fbi-warns-kwampirs-malware-supply-chain-attacks-a-14037 https://blog.reversinglabs.com/blog/unpacking-kwampirs-rat SHA256: 871735d4fd0909ef5cd4873576871c55bb1b2836432ed84f36653076e8b14dd9 SHA1: fcb1540ddcff5ae7c606714a14df898d026e523a MD5: 40fe7da3625ae67e51743b93dd5b6a13
M20-pjy01	Kwampirs_955baf08	Windows	This strike sends a malware sample known as Kwampirs. Kwampirs is a modular RAT that creates a back door on the victim machine. Once infected it attempts to propagate itself within the target network, gather information, and provide the attacker with remote access. It then communicates with a command and control server to perform additional functionality. Recently it has been seen targeting the public health care sector during the COVID19 pandemic.	955baf084fa19f5eff933b676bfed3af	https://www.bankinfosecurity.com/fbi-warns-kwampirs-malware-supply-chain-attacks-a-14037 https://blog.reversinglabs.com/blog/unpacking-kwampirs-rat SHA256: 14efd1770406b3a76b6134d1f950458cb8cf2a2e60f43c54b6ad23874dc2f7e2 SHA1: fb4bf17060f1bf39ea742dc0549046b8fa446384 MD5: 955baf084fa19f5eff933b676bfed3af
M20-sq901	Kwampirs_6769be86	Windows	This strike sends a malware sample known as Kwampirs. Kwampirs is a modular RAT that creates a back door on the victim machine. Once infected it attempts to propagate itself within the target network, gather information, and provide the attacker with remote access. It then communicates with a command and control server to perform additional functionality. Recently it has been seen targeting the public health care sector during the COVID19 pandemic.	6769be8698af885b91e6fcf0f771a1aa	https://www.bankinfosecurity.com/fbi-warns-kwampirs-malware-supply-chain-attacks-a-14037 https://blog.reversinglabs.com/blog/unpacking-kwampirs-rat SHA256: 0d99096acbf2e894850b02223bab135d1689d4948ac0612cd37fc78a92ee8f6b SHA1: e96b3fa9a78876b2b8dc06cbd1fce60fb023a6fe MD5: 6769be8698af885b91e6fcf0f771a1aa
M20-d0h02	AZORult_cba6b081	Windows	This strike sends a polymorphic malware sample known as AZORult PE Payload. AZORult is an information stealer that goes after user credentials stored information of available applications and other useful system information. It has also been seen running backdoor commands and exploits. This sample is the portable executable payload. The binary has random bytes appended at the end of the file.	cba6b081ddffbb34405b400812642d3d	https://attack.mitre.org/techniques/T1009/ https://attack.mitre.org/techniques/T1009/ SHA256: 4ce18913eeb53439349215fb83c639d7b40fcc98eb8974345cedac3c6aae3301 PARENTID: M20-ukj01 SSDEEP: 3072:tuOSXpMx7ZAlHsbfUkolNGti7lfqeSxM3SpyEY3E/rxg/g:Zzx7ZApszolIo7lf/ipT/rN SHA1: f2f36265101396b644622b26c5d38fcac3574c64 MD5: cba6b081ddffbb34405b400812642d3d
M20-idv01	Kuluoz_69eeb7c4	Windows	This strike sends a malware sample known as Kuluoz. Kuluoz also called Asprox is a remote access trojan that has been known to download and execute additional malware like fake antivirus software.	69eeb7c456f01b25c53bddac3e29b9b6	https://blog.talosintelligence.com/2020/04/threat-roundup-0326-0403.html SHA256: 063fd1f568e4e29c08cfdc2f811467fda5c04f50bdce08942f4b606750de1183 SHA1: f9c95147a4371ff2f3d1c2c69e8745c314f0e2fc MD5: 69eeb7c456f01b25c53bddac3e29b9b6
M20-b4q01	Kwampirs_0ce38c97	Windows	This strike sends a malware sample known as Kwampirs. Kwampirs is a modular RAT that creates a back door on the victim machine. Once infected it attempts to propagate itself within the target network, gather information, and provide the attacker with remote access. It then communicates with a command and control server to perform additional functionality. Recently it has been seen targeting the public health care sector during the COVID19 pandemic.	0ce38c97cc477dc03787c25069c48739	https://www.bankinfosecurity.com/fbi-warns-kwampirs-malware-supply-chain-attacks-a-14037 https://blog.reversinglabs.com/blog/unpacking-kwampirs-rat SHA256: 19583601fe70c9cf9f0803d43021a3cf381fb84504c9e993f37cb28d93772d5f SHA1: ead29ee24e4171626cf605dd57e73c6e85540510 MD5: 0ce38c97cc477dc03787c25069c48739
M20-w4u01	Kuluoz_caefc5b0	Windows	This strike sends a polymorphic malware sample known as Kuluoz. Kuluoz also called Asprox is a remote access trojan that has been known to download and execute additional malware like fake antivirus software.The binary has a random section name renamed according to the PE format specification.	caefc5b0fd7c57a74436864ee5e46511	https://arxiv.org/abs/1801.08917 SHA256: dd785f9f99ba2fb7f83364b08215f4ffbea8e4599421ac45f7d6d8219a0f99e7 SHA1: 2166f6a49f698255dd520862cebef9f0de3f6e8c PARENTID: M20-ig501 SSDEEP: 3072:JWjNsGZ87NxszF4RdY5VahxL/ydhxi/ydhxi/yY904+S:cN5i0Z4g0bypsypsys MD5: caefc5b0fd7c57a74436864ee5e46511
M20-dpf01	Kwampirs_92bbf4b7	Windows	This strike sends a malware sample known as Kwampirs. Kwampirs is a modular RAT that creates a back door on the victim machine. Once infected it attempts to propagate itself within the target network, gather information, and provide the attacker with remote access. It then communicates with a command and control server to perform additional functionality. Recently it has been seen targeting the public health care sector during the COVID19 pandemic.	92bbf4b7efe77048e5abe51c3120b525	https://www.bankinfosecurity.com/fbi-warns-kwampirs-malware-supply-chain-attacks-a-14037 https://blog.reversinglabs.com/blog/unpacking-kwampirs-rat SHA256: bdd81db9aba8e46d5209193db64c12ed76845243c2a7af68f84eb9002852099b SHA1: faa09555242edb2cdfcfa4e5513086efbe0ccbf4 MD5: 92bbf4b7efe77048e5abe51c3120b525
M20-ukj01	AZORult	Windows	This strike sends a malware sample known as AZORult PE Payload. This malware is know as AZORult. AZORult is an information stealer that goes after user credentials stored information of available applications and other useful system information. It has also been seen running backdoor commands and exploits. This sample is the portable executable payload.	4b984851567f9b9a3c3d67669e3ccbc0	https://blog.talosintelligence.com/2020/04/azorult-brings-friends-to-party.html https://securityintelligence.com/news/azorult-variant-other-malware-payloads-delivered-by-multi-pronged-attack-campaign/ SHA256: 42525551155fd6f242a62e3202fa3ce8f514a0f9dbe93dff68dcd46c99eaab06 SHA1: 31034e29c3c46fd61c69228cde96ad021a9fcea6 MD5: 4b984851567f9b9a3c3d67669e3ccbc0
M20-kxq01	Kuluoz_6a908c22	Windows	This strike sends a malware sample known as Kuluoz. Kuluoz also called Asprox is a remote access trojan that has been known to download and execute additional malware like fake antivirus software.	6a908c223f60c2c22dad04c3c65f058e	https://blog.talosintelligence.com/2020/04/threat-roundup-0326-0403.html SHA256: 0c5728446d49cf4b34a02020fcf909f5c14e1b7db2adabc5aa92da7d196bf85c SHA1: fe0e796c56c07d9638495be0e14b45f931e38a52 MD5: 6a908c223f60c2c22dad04c3c65f058e
M20-tmf01	Kuluoz_c6b0d268	Windows	This strike sends a malware sample known as Kuluoz. Kuluoz also called Asprox is a remote access trojan that has been known to download and execute additional malware like fake antivirus software.	c6b0d26862a262936e43b641c9925630	https://blog.talosintelligence.com/2020/04/threat-roundup-0326-0403.html SHA256: 05a92024686eeb71a6999750925231cbe3771816df8220a42cf665e686e55549 SHA1: 33e183f4e25ffcb7c526af6c03ce12153c9be98e MD5: c6b0d26862a262936e43b641c9925630
M20-jst01	Kwampirs_1320af98	Windows	This strike sends a malware sample known as Kwampirs. Kwampirs is a modular RAT that creates a back door on the victim machine. Once infected it attempts to propagate itself within the target network, gather information, and provide the attacker with remote access. It then communicates with a command and control server to perform additional functionality. Recently it has been seen targeting the public health care sector during the COVID19 pandemic.	1320af98b41c67c86a29dd62a183307a	https://www.bankinfosecurity.com/fbi-warns-kwampirs-malware-supply-chain-attacks-a-14037 https://blog.reversinglabs.com/blog/unpacking-kwampirs-rat SHA256: 281c2ad26346305dac90ce33c2c417b6a7271f990ba9fa5c7db65d6f2e501e94 SHA1: f6a555a62e38f52e5d8a42c56cc0f0d6cd3caeaa MD5: 1320af98b41c67c86a29dd62a183307a
M20-aku01	Kuluoz_6364f7cc	Windows	This strike sends a malware sample known as Kuluoz. Kuluoz also called Asprox is a remote access trojan that has been known to download and execute additional malware like fake antivirus software.	6364f7cc6dc9855eb522a5515e777418	https://blog.talosintelligence.com/2020/04/threat-roundup-0326-0403.html SHA256: 112f8fc35b1f24a8b44d75350db81f0fe1cd394d2d144aafec7aa497449d8db1 SHA1: 0a20a36faf791acf4e10ef966bd0a7447b2814c1 MD5: 6364f7cc6dc9855eb522a5515e777418
M20-sdo01	PoetRAT_3aadbf7e	Mixed	This strike sends a malware sample known as PoetRAT. This malware sample is known as PoetRAT. PoetRAT utilizes a Microsoft Word document to drop a Python based RAT. The RAT uses several tools and features to control the system including keyloggers, browser-focused password stealers, camera control applications, credential stealers, and a tool to monitor the hard disk and exfiltrate data automatically.	3aadbf7e527fc1a050e1c97fea1cba4d	https://blog.talosintelligence.com/2020/04/poetrat-covid-19-lures.html SHA256: 208ec23c233580dbfc53aad5655845f7152ada56dd6a5c780d54e84a9d227407 SHA1: 2cf055b3ef60582ca72e77bc4693ea306360f611 MD5: 3aadbf7e527fc1a050e1c97fea1cba4d
M20-c6z01	AZORult_53392534	Windows	This strike sends a polymorphic malware sample known as AZORult Dropper. AZORult is an information stealer that goes after user credentials stored information of available applications and other useful system information. It has also been seen running backdoor commands and exploits. This sample is the dropper. The binary has been packed using upx packer, with the default options.	5339253458f04ed8de07632db9482564	https://attack.mitre.org/techniques/T1045/ https://attack.mitre.org/techniques/T1045/ SHA256: 10967ea4f859d682a0486783224d9116acfa32ec011fb6665f0a7abf312abac1 PARENTID: M20-awj01 SSDEEP: 3072:b9W4lp3WuHAKC6DBpme8jnj5e8Achfdqpxp:b9LbzeWpm9n9eN4gpxp SHA1: 35f6030754878fe62f7384b6bfae78c4b5538f46 MD5: 5339253458f04ed8de07632db9482564
M20-n9201	Kuluoz_3d47b7b4	Windows	This strike sends a malware sample known as Kuluoz. Kuluoz also called Asprox is a remote access trojan that has been known to download and execute additional malware like fake antivirus software.	3d47b7b42bcf2d0f05c1a5a19aa29548	https://blog.talosintelligence.com/2020/04/threat-roundup-0326-0403.html SHA256: 0d866b232bbc685700e356440283a98d71ed84fa0b3bedca5d7cf5d72b68a903 SHA1: 82c8317a0ffffcce0a00296860adf75786dee038 MD5: 3d47b7b42bcf2d0f05c1a5a19aa29548
M20-3ab01	Kwampirs_a73c9837	Windows	This strike sends a malware sample known as Kwampirs. Kwampirs is a modular RAT that creates a back door on the victim machine. Once infected it attempts to propagate itself within the target network, gather information, and provide the attacker with remote access. It then communicates with a command and control server to perform additional functionality. Recently it has been seen targeting the public health care sector during the COVID19 pandemic.	a73c98373bc3e803f1eece52e3aa92c0	https://www.bankinfosecurity.com/fbi-warns-kwampirs-malware-supply-chain-attacks-a-14037 https://blog.reversinglabs.com/blog/unpacking-kwampirs-rat SHA256: 7e5dff0f47d34a4042d76407c48e2ee8862f40f400431bbd4cdbcead8e7d94c7 SHA1: f9ddf240e87c7ec535983a0170f78212f5ffc825 MD5: a73c98373bc3e803f1eece52e3aa92c0
M20-d8201	Kwampirs_299a1264	Windows	This strike sends a malware sample known as Kwampirs. Kwampirs is a modular RAT that creates a back door on the victim machine. Once infected it attempts to propagate itself within the target network, gather information, and provide the attacker with remote access. It then communicates with a command and control server to perform additional functionality. Recently it has been seen targeting the public health care sector during the COVID19 pandemic.	299a1264c8650963d68b3990d699b204	https://www.bankinfosecurity.com/fbi-warns-kwampirs-malware-supply-chain-attacks-a-14037 https://blog.reversinglabs.com/blog/unpacking-kwampirs-rat SHA256: 6ef0564f3f8d557c9d1bf356f185aeea526c8da76eb31031149f9307dcb6315d SHA1: fd56b1df8f434297f1696f1e9e42a9a01a98d5bd MD5: 299a1264c8650963d68b3990d699b204
M20-0mi01	Kuluoz_c48e7c94	Windows	This strike sends a polymorphic malware sample known as Kuluoz. Kuluoz also called Asprox is a remote access trojan that has been known to download and execute additional malware like fake antivirus software.The binary has the timestamp field updated in the PE file header.	c48e7c941fbd7e7b9536e812ff279b62	https://attack.mitre.org/techniques/T1099/ SHA256: f4b1e476f5b9a416e9487c5372ce7ac8fcfc094e7b589f37a69b5d73d68532b2 SHA1: 40041b3525e181dd75726d1b5e864865d44addfc PARENTID: M20-lt401 SSDEEP: 3072:RWjNsGZ87NxszF4RdY5gahxL/ydhxi/ydhxi/yY904+S:UN5i0Z4gHbypsypsys MD5: c48e7c941fbd7e7b9536e812ff279b62
M20-fbe01	Kwampirs_bfc9cb5b	Windows	This strike sends a malware sample known as Kwampirs. Kwampirs is a modular RAT that creates a back door on the victim machine. Once infected it attempts to propagate itself within the target network, gather information, and provide the attacker with remote access. It then communicates with a command and control server to perform additional functionality. Recently it has been seen targeting the public health care sector during the COVID19 pandemic.	bfc9cb5baae165161c98cf23e379f8fe	https://www.bankinfosecurity.com/fbi-warns-kwampirs-malware-supply-chain-attacks-a-14037 https://blog.reversinglabs.com/blog/unpacking-kwampirs-rat SHA256: affb49b9fbc05d8497a25639cc4c8dad86e1a48aa8528e3d5c4cf870fb73782a SHA1: e3cf2e942fb44f6553785f76285213236c1f6519 MD5: bfc9cb5baae165161c98cf23e379f8fe
M20-fr001	PoetRAT_c87273e7	Mixed	This strike sends a malware sample known as PoetRAT. This malware sample is known as PoetRAT. PoetRAT utilizes a Microsoft Word document to drop a Python based RAT. The RAT uses several tools and features to control the system including keyloggers, browser-focused password stealers, camera control applications, credential stealers, and a tool to monitor the hard disk and exfiltrate data automatically.	c87273e7175f9df7e52bab8a030fa22d	https://blog.talosintelligence.com/2020/04/poetrat-covid-19-lures.html SHA256: ca8492139c556eac6710fe73ba31b53302505a8cc57338e4d2146bdfa8f69bdb SHA1: bc53315b485f9f4324a8bc3ee86d0f79c1963228 MD5: c87273e7175f9df7e52bab8a030fa22d
M20-8is01	Kwampirs_2bb3fe6d	Windows	This strike sends a malware sample known as Kwampirs. Kwampirs is a modular RAT that creates a back door on the victim machine. Once infected it attempts to propagate itself within the target network, gather information, and provide the attacker with remote access. It then communicates with a command and control server to perform additional functionality. Recently it has been seen targeting the public health care sector during the COVID19 pandemic.	2bb3fe6d45d604ef4d96899c10e096b8	https://www.bankinfosecurity.com/fbi-warns-kwampirs-malware-supply-chain-attacks-a-14037 https://blog.reversinglabs.com/blog/unpacking-kwampirs-rat SHA256: 034056bdd36c0d4e3142b7dee58adbbbc1b0ec6b0c0a4494fbb1dc1f1bbdf9f7 SHA1: e923e2e9b009b21da711ffee85c09458f926ce43 MD5: 2bb3fe6d45d604ef4d96899c10e096b8
M20-4sa01	Kwampirs_fe813eca	Windows	This strike sends a malware sample known as Kwampirs. Kwampirs is a modular RAT that creates a back door on the victim machine. Once infected it attempts to propagate itself within the target network, gather information, and provide the attacker with remote access. It then communicates with a command and control server to perform additional functionality. Recently it has been seen targeting the public health care sector during the COVID19 pandemic.	fe813eca3b9c4ccf4045bc95698bfbce	https://www.bankinfosecurity.com/fbi-warns-kwampirs-malware-supply-chain-attacks-a-14037 https://blog.reversinglabs.com/blog/unpacking-kwampirs-rat SHA256: f8538f8d85338666ce7cf6c236614f28c10bcd1622f2c75a51be04dd4ef3c400 SHA1: f5aff67a04385698c9914bc5f1752d6f616d5043 MD5: fe813eca3b9c4ccf4045bc95698bfbce
M20-4r901	Kwampirs_b4974525	Windows	This strike sends a malware sample known as Kwampirs. Kwampirs is a modular RAT that creates a back door on the victim machine. Once infected it attempts to propagate itself within the target network, gather information, and provide the attacker with remote access. It then communicates with a command and control server to perform additional functionality. Recently it has been seen targeting the public health care sector during the COVID19 pandemic.	b4974525aa971427195984618f81049d	https://www.bankinfosecurity.com/fbi-warns-kwampirs-malware-supply-chain-attacks-a-14037 https://blog.reversinglabs.com/blog/unpacking-kwampirs-rat SHA256: 1d5c7ba4432764c37ad7129d71683614ce6ff22e57f10283e7fb615d97097576 SHA1: eaa7f822a241e8a8d3bdead561fbe0e252e09b1e MD5: b4974525aa971427195984618f81049d
M20-bws01	Kwampirs_1eaac35f	Windows	This strike sends a malware sample known as Kwampirs. Kwampirs is a modular RAT that creates a back door on the victim machine. Once infected it attempts to propagate itself within the target network, gather information, and provide the attacker with remote access. It then communicates with a command and control server to perform additional functionality. Recently it has been seen targeting the public health care sector during the COVID19 pandemic.	1eaac35fb6b44baaeffcc78f6c604133	https://www.bankinfosecurity.com/fbi-warns-kwampirs-malware-supply-chain-attacks-a-14037 https://blog.reversinglabs.com/blog/unpacking-kwampirs-rat SHA256: 35650b22305d1f873bb42c6fa6c51735e0d111af70dc833e9e10f65fd58e9c64 SHA1: eaf90f9b077a83ef15c37b9010e10a5adb078d2c MD5: 1eaac35fb6b44baaeffcc78f6c604133
M20-0vi01	Kwampirs_92b23881	Windows	This strike sends a malware sample known as Kwampirs. Kwampirs is a modular RAT that creates a back door on the victim machine. Once infected it attempts to propagate itself within the target network, gather information, and provide the attacker with remote access. It then communicates with a command and control server to perform additional functionality. Recently it has been seen targeting the public health care sector during the COVID19 pandemic.	92b23881c5cbc0a25ef20c1d68503c1f	https://www.bankinfosecurity.com/fbi-warns-kwampirs-malware-supply-chain-attacks-a-14037 https://blog.reversinglabs.com/blog/unpacking-kwampirs-rat SHA256: f550e303e4797d3c7172c763b54f99734823db60b654007030299a6a9ee7d1f9 SHA1: f8cb485931e312ff8669445eeb3056f003730b6d MD5: 92b23881c5cbc0a25ef20c1d68503c1f
M20-nt001	PoetRAT_ba1618a9	Mixed	This strike sends a malware sample known as PoetRAT. This malware sample is known as PoetRAT. PoetRAT utilizes a Microsoft Word document to drop a Python based RAT. The RAT uses several tools and features to control the system including keyloggers, browser-focused password stealers, camera control applications, credential stealers, and a tool to monitor the hard disk and exfiltrate data automatically.	ba1618a981f755eb752aa5dc90bd70a4	https://blog.talosintelligence.com/2020/04/poetrat-covid-19-lures.html SHA256: a703dc8819dca1bc5774de3b6151c355606e7fe93c760b56bc09bcb6f928ba2d SHA1: a3b6e33901ffc15d15e2f3abae98c6da48727454 MD5: ba1618a981f755eb752aa5dc90bd70a4
M20-58c01	Kwampirs_3b213939	Windows	This strike sends a malware sample known as Kwampirs. Kwampirs is a modular RAT that creates a back door on the victim machine. Once infected it attempts to propagate itself within the target network, gather information, and provide the attacker with remote access. It then communicates with a command and control server to perform additional functionality. Recently it has been seen targeting the public health care sector during the COVID19 pandemic.	3b213939ff31142f96b9bef13c0441cb	https://www.bankinfosecurity.com/fbi-warns-kwampirs-malware-supply-chain-attacks-a-14037 https://blog.reversinglabs.com/blog/unpacking-kwampirs-rat SHA256: 2d801f75a52f65ffb053ae052cad45a919afd431f5ca46e86abe3d9274c903e4 SHA1: f2f69f9ae77f4f3162e646662bce61593e5265b2 MD5: 3b213939ff31142f96b9bef13c0441cb
M20-lt401	Kuluoz_2441523b	Windows	This strike sends a malware sample known as Kuluoz. Kuluoz also called Asprox is a remote access trojan that has been known to download and execute additional malware like fake antivirus software.	2441523b665126cefd3634374e0a8463	https://blog.talosintelligence.com/2020/04/threat-roundup-0326-0403.html SHA256: 0836030e21f3bfc2a9be077295b7e3bd1dba6d0492ee1be28d50893e34b9afc1 SHA1: 02d2537cdb592fb07240431738918be2f942932c MD5: 2441523b665126cefd3634374e0a8463
M20-cyn01	PoetRAT_213a4ab4	Mixed	This strike sends a malware sample known as PoetRAT. This malware sample is known as PoetRAT. PoetRAT utilizes a Microsoft Word document to drop a Python based RAT. The RAT uses several tools and features to control the system including keyloggers, browser-focused password stealers, camera control applications, credential stealers, and a tool to monitor the hard disk and exfiltrate data automatically.	213a4ab4cd98002144bfba75ff2ac67c	https://blog.talosintelligence.com/2020/04/poetrat-covid-19-lures.html SHA256: 5f1c268826ec0dd0aca8c89ab63a8a1de0b4e810ded96cdee4b28108f3476ce7 SHA1: d14c7ea0f4f7269dd1bf10f4f60a5495f3fdc3b2 MD5: 213a4ab4cd98002144bfba75ff2ac67c
M20-3h401	Kuluoz_9c0eeac9	Windows	This strike sends a malware sample known as Kuluoz. Kuluoz also called Asprox is a remote access trojan that has been known to download and execute additional malware like fake antivirus software.	9c0eeac9ffd34e9f36df6bbe2120afc2	https://blog.talosintelligence.com/2020/04/threat-roundup-0326-0403.html SHA256: 054616f5a58998b56fd74c244b3403b750f850f51be74ffca96f85fda28d097e SHA1: 22d201544e548433a94aed72284babc8e3245c63 MD5: 9c0eeac9ffd34e9f36df6bbe2120afc2
M20-ezv01	Kuluoz_da853467	Windows	This strike sends a malware sample known as Kuluoz. Kuluoz also called Asprox is a remote access trojan that has been known to download and execute additional malware like fake antivirus software.	da8534671e54b7df3f2a89c4a75edac9	https://blog.talosintelligence.com/2020/04/threat-roundup-0326-0403.html SHA256: 061608e7d36b4a319eaab7a8690ced8a911b74c703eebffe896879ba2542f513 SHA1: 94cd554739dffe72eea96b676396bfeb1bd284e5 MD5: da8534671e54b7df3f2a89c4a75edac9
M20-bwa01	Kwampirs_2774a055	Windows	This strike sends a malware sample known as Kwampirs. Kwampirs is a modular RAT that creates a back door on the victim machine. Once infected it attempts to propagate itself within the target network, gather information, and provide the attacker with remote access. It then communicates with a command and control server to perform additional functionality. Recently it has been seen targeting the public health care sector during the COVID19 pandemic.	2774a0550c668ddc9e73e03a5c9252cc	https://www.bankinfosecurity.com/fbi-warns-kwampirs-malware-supply-chain-attacks-a-14037 https://blog.reversinglabs.com/blog/unpacking-kwampirs-rat SHA256: d7019f753c6f9aae8bca61ce19428b10a4db0f71bbdf59e880fdaf8fc5f2894d SHA1: eab75c1a9de7d6a58ea08d7e79b52e9eca3e3411 MD5: 2774a0550c668ddc9e73e03a5c9252cc
M20-vvy01	Kuluoz_a2690790	Windows	This strike sends a polymorphic malware sample known as Kuluoz. Kuluoz also called Asprox is a remote access trojan that has been known to download and execute additional malware like fake antivirus software.The binary has random strings (lorem ipsum) appended at the end of the file.	a26907903b88c866a9969bbf192dd893	https://attack.mitre.org/techniques/T1009/ SHA256: 30f1327429a525af74e6ccd89203eff1109081c301a96c146c5b4c40a3b15fe9 SHA1: d48fd29583f6e6f002723bece0a917cd7e1a1d7c PARENTID: M20-ig501 SSDEEP: 3072:lWjNsGZ87NxszF4RdY5VahxL/ydhxi/ydhxi/yY904+SV:QN5i0Z4g0bypsypsysb MD5: a26907903b88c866a9969bbf192dd893
M20-ig501	Kuluoz_01141958	Windows	This strike sends a malware sample known as Kuluoz. Kuluoz also called Asprox is a remote access trojan that has been known to download and execute additional malware like fake antivirus software.	01141958f63fffc30055c430d1a969d8	https://blog.talosintelligence.com/2020/04/threat-roundup-0326-0403.html SHA256: 111c3fcca78f38d3e6e040e6508e63e912e357b525ffe4ddbae79ef9a462bdf4 SHA1: 8fe5894128e0a2703d4f22d59a5ad7ba56a377d4 MD5: 01141958f63fffc30055c430d1a969d8
M20-jzz01	Kwampirs_7edf826f	Windows	This strike sends a malware sample known as Kwampirs. Kwampirs is a modular RAT that creates a back door on the victim machine. Once infected it attempts to propagate itself within the target network, gather information, and provide the attacker with remote access. It then communicates with a command and control server to perform additional functionality. Recently it has been seen targeting the public health care sector during the COVID19 pandemic.	7edf826ffb45cff23654baf4d37b5a10	https://www.bankinfosecurity.com/fbi-warns-kwampirs-malware-supply-chain-attacks-a-14037 https://blog.reversinglabs.com/blog/unpacking-kwampirs-rat SHA256: 6268f98f907773ca2b56c0e63f3fbd36f49682c76895dc55baca925a9234ff98 SHA1: f71c1430ce202500d1c8352cdfe49e21dbcae930 MD5: 7edf826ffb45cff23654baf4d37b5a10
M20-bee01	Kuluoz_4e8220dd	Windows	This strike sends a malware sample known as Kuluoz. Kuluoz also called Asprox is a remote access trojan that has been known to download and execute additional malware like fake antivirus software.	4e8220dd5bde304e51244b94487964ce	https://blog.talosintelligence.com/2020/04/threat-roundup-0326-0403.html SHA256: 091cd8e0f5e0a113493a9d62e063066ba2e5974b432100272454f7170d14be5b SHA1: bde99929091f9b0185a0b7b74e2aa13549195496 MD5: 4e8220dd5bde304e51244b94487964ce
M20-umm01	PoetRAT_1195eb1d	Windows	This strike sends a polymorphic malware sample known as PoetRAT. PoetRAT utilizes a Microsoft Word document to drop a Python based RAT. The RAT uses several tools and features to control the system including keyloggers, browser-focused password stealers, camera control applications, credential stealers, and a tool to monitor the hard disk and exfiltrate data automatically.The binary has been packed using upx packer, with the default options.	1195eb1dcebb1e3dcc0f983a982458e9	https://attack.mitre.org/techniques/T1045/ SHA256: 8a12ea2668def050bdc3131e405f5b71d06fbc7eade18b8396ed82051167c27a SHA1: 6752ad98661766cecba075a02403b64d6937940e PARENTID: M20-zw101 SSDEEP: 98304:HtZjr5lMrxp0B1v7Cz/M9Aet17bjCma4WLB3w+vsR2pxSMDAgQwmDWOaKYOFWUZ1:HtB5lMNp01Gz/qthCmWLdi2Xk8mSOFYS MD5: 1195eb1dcebb1e3dcc0f983a982458e9
M20-jx001	Kwampirs_cab9736e	Windows	This strike sends a malware sample known as Kwampirs. Kwampirs is a modular RAT that creates a back door on the victim machine. Once infected it attempts to propagate itself within the target network, gather information, and provide the attacker with remote access. It then communicates with a command and control server to perform additional functionality. Recently it has been seen targeting the public health care sector during the COVID19 pandemic.	cab9736e0fdef8168353196094e1e0d7	https://www.bankinfosecurity.com/fbi-warns-kwampirs-malware-supply-chain-attacks-a-14037 https://blog.reversinglabs.com/blog/unpacking-kwampirs-rat SHA256: 92e1cd864e9e3206ef722990b35ad4a84c56b4d883811fea677b9a4c167ba6ac SHA1: eb5a10fbcbc1c3a64c088641084585468b984394 MD5: cab9736e0fdef8168353196094e1e0d7
M20-pzn02	Kwampirs_377cd2f0	Windows	This strike sends a malware sample known as Kwampirs. Kwampirs is a modular RAT that creates a back door on the victim machine. Once infected it attempts to propagate itself within the target network, gather information, and provide the attacker with remote access. It then communicates with a command and control server to perform additional functionality. Recently it has been seen targeting the public health care sector during the COVID19 pandemic.	377cd2f08184762391f3e92b057e5ea4	https://www.bankinfosecurity.com/fbi-warns-kwampirs-malware-supply-chain-attacks-a-14037 https://blog.reversinglabs.com/blog/unpacking-kwampirs-rat SHA256: 7b7174262aa74cf3690ca892ea2e600e48d0dc164cd9b9b3cbb04848dd5908a7 SHA1: e6b92e49eca38f59b14df474c48ea4f69e2d7ebd MD5: 377cd2f08184762391f3e92b057e5ea4
M20-00501	Kwampirs_12e4e952	Windows	This strike sends a malware sample known as Kwampirs. Kwampirs is a modular RAT that creates a back door on the victim machine. Once infected it attempts to propagate itself within the target network, gather information, and provide the attacker with remote access. It then communicates with a command and control server to perform additional functionality. Recently it has been seen targeting the public health care sector during the COVID19 pandemic.	12e4e9525f1aaed19d62565a0f33d565	https://www.bankinfosecurity.com/fbi-warns-kwampirs-malware-supply-chain-attacks-a-14037 https://blog.reversinglabs.com/blog/unpacking-kwampirs-rat SHA256: 83a4acacfbab52117f5a04f90ec9b257247b97b0946470f1de2f8d26bf48c3d6 SHA1: fc98cc0429a922f2af9c9363445970c8966800a7 MD5: 12e4e9525f1aaed19d62565a0f33d565
M20-6hf01	PoetRAT_5cbc8dbc	Windows	This strike sends a malware sample known as PoetRAT. This malware sample is known as PoetRAT. PoetRAT utilizes a Microsoft Word document to drop a Python based RAT. The RAT uses several tools and features to control the system including keyloggers, browser-focused password stealers, camera control applications, credential stealers, and a tool to monitor the hard disk and exfiltrate data automatically.	5cbc8dbc73e7c494c5b6ed154fe28f9f	https://blog.talosintelligence.com/2020/04/poetrat-covid-19-lures.html SHA256: 31c327a3be44e427ae062c600a3f64dd9125f67d997715b63df8d6effd609eb3 SHA1: 20fcedc3d6c84d431ffe284e27fc144028873ba7 MD5: 5cbc8dbc73e7c494c5b6ed154fe28f9f
M20-l4p01	Kuluoz_e96a58d4	Windows	This strike sends a malware sample known as Kuluoz. Kuluoz also called Asprox is a remote access trojan that has been known to download and execute additional malware like fake antivirus software.	e96a58d4e68386feb70fcc318470a44f	https://blog.talosintelligence.com/2020/04/threat-roundup-0326-0403.html SHA256: 00e21648fa1bda81b6b37ce8e4ae1c1cc8511f5d4a185d8c6504d09885e74bc6 SHA1: c81d96861a94796cd30196933a7862ff2bf1e2c5 MD5: e96a58d4e68386feb70fcc318470a44f
M20-eew01	Kwampirs_9dbc26bf	Windows	This strike sends a malware sample known as Kwampirs. Kwampirs is a modular RAT that creates a back door on the victim machine. Once infected it attempts to propagate itself within the target network, gather information, and provide the attacker with remote access. It then communicates with a command and control server to perform additional functionality. Recently it has been seen targeting the public health care sector during the COVID19 pandemic.	9dbc26bf806f387403cf58176e6b7802	https://www.bankinfosecurity.com/fbi-warns-kwampirs-malware-supply-chain-attacks-a-14037 https://blog.reversinglabs.com/blog/unpacking-kwampirs-rat SHA256: e727ac58f718e54647111cca49d27df7a998a0bea4354c9fd24e0223e01acac7 SHA1: e702b6aaa9120c655ff1abf3c1d4f88150d0879c MD5: 9dbc26bf806f387403cf58176e6b7802
M20-t9c01	Kwampirs_072c1260	Windows	This strike sends a malware sample known as Kwampirs. Kwampirs is a modular RAT that creates a back door on the victim machine. Once infected it attempts to propagate itself within the target network, gather information, and provide the attacker with remote access. It then communicates with a command and control server to perform additional functionality. Recently it has been seen targeting the public health care sector during the COVID19 pandemic.	072c12603ba32dd02ed1773cd867d4d2	https://www.bankinfosecurity.com/fbi-warns-kwampirs-malware-supply-chain-attacks-a-14037 https://blog.reversinglabs.com/blog/unpacking-kwampirs-rat SHA256: 156e199a58bd98f356785a584b8d9299d0355c51b2520e2262f11f31c521531d SHA1: f25a1a8b319fa840bf1448577a34fda2592031a0 MD5: 072c12603ba32dd02ed1773cd867d4d2
M20-qef01	Kuluoz_2c42c950	Windows	This strike sends a malware sample known as Kuluoz. Kuluoz also called Asprox is a remote access trojan that has been known to download and execute additional malware like fake antivirus software.	2c42c950c9cbd8c8a9951b5676dd33d0	https://blog.talosintelligence.com/2020/04/threat-roundup-0326-0403.html SHA256: 10f71eb066e8340bcdd742d714d4a67278073c7f30e61f4bdc3f4747b3442116 SHA1: 6987fb02c6383d0e327df4a49196da965afddfc0 MD5: 2c42c950c9cbd8c8a9951b5676dd33d0
M20-9m101	PoetRAT_471b1d3d	Mixed	This strike sends a malware sample known as PoetRAT. This malware sample is known as PoetRAT. PoetRAT utilizes a Microsoft Word document to drop a Python based RAT. The RAT uses several tools and features to control the system including keyloggers, browser-focused password stealers, camera control applications, credential stealers, and a tool to monitor the hard disk and exfiltrate data automatically.	471b1d3d04b1a582d236a033c0c9cac2	https://blog.talosintelligence.com/2020/04/poetrat-covid-19-lures.html SHA256: 312f54943ebfd68e927e9aa95a98ca6f2d3572bf99da6b448c5144864824c04d SHA1: 1b13b772a43cb39441aee4ca70991f0200d8e3cb MD5: 471b1d3d04b1a582d236a033c0c9cac2
M20-2h501	Kwampirs_e0e99f75	Windows	This strike sends a malware sample known as Kwampirs. Kwampirs is a modular RAT that creates a back door on the victim machine. Once infected it attempts to propagate itself within the target network, gather information, and provide the attacker with remote access. It then communicates with a command and control server to perform additional functionality. Recently it has been seen targeting the public health care sector during the COVID19 pandemic.	e0e99f75cc1990a163d39e8e8c191f52	https://www.bankinfosecurity.com/fbi-warns-kwampirs-malware-supply-chain-attacks-a-14037 https://blog.reversinglabs.com/blog/unpacking-kwampirs-rat SHA256: 64defebf7e600d92685672c4b4d3d2ed3fc6cca27663a65c42df61843573297b SHA1: e930e417905c95d9ce2be065a2dd0c379e1db4a1 MD5: e0e99f75cc1990a163d39e8e8c191f52
M20-hyz01	Kwampirs_b78ed8a8	Windows	This strike sends a malware sample known as Kwampirs. Kwampirs is a modular RAT that creates a back door on the victim machine. Once infected it attempts to propagate itself within the target network, gather information, and provide the attacker with remote access. It then communicates with a command and control server to perform additional functionality. Recently it has been seen targeting the public health care sector during the COVID19 pandemic.	b78ed8a8a5013f34ed3438a7c12db81c	https://www.bankinfosecurity.com/fbi-warns-kwampirs-malware-supply-chain-attacks-a-14037 https://blog.reversinglabs.com/blog/unpacking-kwampirs-rat SHA256: 8561fc624e3b34959344ad9ef25f97077273927862a28bd8a00d45501ac27b0c SHA1: f147a318b9a07f99824aeb66896e91fb60541609 MD5: b78ed8a8a5013f34ed3438a7c12db81c
M20-s7e01	Kuluoz_731c6cf9	Windows	This strike sends a polymorphic malware sample known as Kuluoz. Kuluoz also called Asprox is a remote access trojan that has been known to download and execute additional malware like fake antivirus software.The binary has the checksum removed in the PE file format.	731c6cf9c6513aaa7d7f81b8b992cd30	https://arxiv.org/abs/1801.08917 SHA256: 8863b59c48bec84fbce4b35f2a753a05c4c3a67c6fff918dcc703aed0693ea02 SHA1: 1eeeb8e441d6f7c786be6d2661e10af847345516 PARENTID: M20-lt401 SSDEEP: 3072:FWjNsGZ87NxszF4RdY5gahxL/ydhxi/ydhxi/yY904+S:wN5i0Z4gHbypsypsys MD5: 731c6cf9c6513aaa7d7f81b8b992cd30
M20-fhu01	Kwampirs_7eb2086c	Windows	This strike sends a malware sample known as Kwampirs. Kwampirs is a modular RAT that creates a back door on the victim machine. Once infected it attempts to propagate itself within the target network, gather information, and provide the attacker with remote access. It then communicates with a command and control server to perform additional functionality. Recently it has been seen targeting the public health care sector during the COVID19 pandemic.	7eb2086cd94b67a10c1abb4f02ab86ba	https://www.bankinfosecurity.com/fbi-warns-kwampirs-malware-supply-chain-attacks-a-14037 https://blog.reversinglabs.com/blog/unpacking-kwampirs-rat SHA256: 1b48b8fe01efacc64afb326d09514115b080331dfba53ef22488c2eebc9568e6 SHA1: eecfab1e245aa826c86a357bb1cf22ca14a582de MD5: 7eb2086cd94b67a10c1abb4f02ab86ba
M20-2ts02	Kuluoz_825da4d7	Windows	This strike sends a malware sample known as Kuluoz. Kuluoz also called Asprox is a remote access trojan that has been known to download and execute additional malware like fake antivirus software.	825da4d704877825a81b8f4f74ada66f	https://blog.talosintelligence.com/2020/04/threat-roundup-0326-0403.html SHA256: 0cbd4967ca139aba6ebd08e9ba3532cefbe1be59d479ec2f79c56497e4ca4908 SHA1: 8d17b09e7073cc57c0645e2b74d12b55df9335be MD5: 825da4d704877825a81b8f4f74ada66f
M20-4tc01	Kwampirs_faff1cbb	Windows	This strike sends a malware sample known as Kwampirs. Kwampirs is a modular RAT that creates a back door on the victim machine. Once infected it attempts to propagate itself within the target network, gather information, and provide the attacker with remote access. It then communicates with a command and control server to perform additional functionality. Recently it has been seen targeting the public health care sector during the COVID19 pandemic.	faff1cbb7bbffeb67a3f3a2393c48767	https://www.bankinfosecurity.com/fbi-warns-kwampirs-malware-supply-chain-attacks-a-14037 https://blog.reversinglabs.com/blog/unpacking-kwampirs-rat SHA256: f2237535f48995737471a51f2f73f8799614d71a6e37175b9fe906e02e46be23 SHA1: f2924534a0168f2bae52ead985b9a51dd3cdc624 MD5: faff1cbb7bbffeb67a3f3a2393c48767
M20-xit01	Kwampirs_3428ce48	Windows	This strike sends a malware sample known as Kwampirs. Kwampirs is a modular RAT that creates a back door on the victim machine. Once infected it attempts to propagate itself within the target network, gather information, and provide the attacker with remote access. It then communicates with a command and control server to perform additional functionality. Recently it has been seen targeting the public health care sector during the COVID19 pandemic.	3428ce488a329e50bb4e6f08f1977518	https://www.bankinfosecurity.com/fbi-warns-kwampirs-malware-supply-chain-attacks-a-14037 https://blog.reversinglabs.com/blog/unpacking-kwampirs-rat SHA256: 38cbf6f4386c4878ac4f4f0e6e892d8b92f3742213e8a25d7a6c2a68c6308771 SHA1: e3aa62e01529e8715181a3a6ddee7185488124a3 MD5: 3428ce488a329e50bb4e6f08f1977518
M20-awj01	AZORult	Windows	This strike sends a malware sample known as AZORult Dropper. This malware is know as AZORult. AZORult is an information stealer that goes after user credentials stored information of available applications and other useful system information. It has also been seen running backdoor commands and exploits. This sample is the dropper.	d1cb11dd9be78a9b1ff40603fa887dd0	https://blog.talosintelligence.com/2020/04/azorult-brings-friends-to-party.html https://securityintelligence.com/news/azorult-variant-other-malware-payloads-delivered-by-multi-pronged-attack-campaign/ SHA256: 598c61da8e0932b910ce686a4ab2fae83fa3f1b2a4292accad33ca91aa9bd256 SHA1: ebe689ffc352db0e0ae79188f697e1418e4fafaa MD5: d1cb11dd9be78a9b1ff40603fa887dd0
M20-n8l01	AZORult_85eac862	Windows	This strike sends a polymorphic malware sample known as AZORult Dropper. AZORult is an information stealer that goes after user credentials stored information of available applications and other useful system information. It has also been seen running backdoor commands and exploits. This sample is the dropper. The binary has the timestamp field updated in the PE file header.	85eac8626017db9d7ec04c83b236f758	https://attack.mitre.org/techniques/T1099/ https://attack.mitre.org/techniques/T1099/ SHA256: dc664214a1e0a863e61c071e10a592dfcbae8aa9f88d6cfe29f2749be9ba64cf PARENTID: M20-awj01 SSDEEP: 6144:I1bB0Miice2VaKYsLrdIpbs5j378oAUn:W+BUKfZIpQx7 SHA1: dc44b59c20892e8ed07c5fb5f06aa77d8d6a3ec6 MD5: 85eac8626017db9d7ec04c83b236f758
M20-7x001	Kwampirs_c8e57849	Windows	This strike sends a malware sample known as Kwampirs. Kwampirs is a modular RAT that creates a back door on the victim machine. Once infected it attempts to propagate itself within the target network, gather information, and provide the attacker with remote access. It then communicates with a command and control server to perform additional functionality. Recently it has been seen targeting the public health care sector during the COVID19 pandemic.	c8e578494f9fd282b24a931cabe8bf2f	https://www.bankinfosecurity.com/fbi-warns-kwampirs-malware-supply-chain-attacks-a-14037 https://blog.reversinglabs.com/blog/unpacking-kwampirs-rat SHA256: bffed9502fa54fb5c30214d0900596f4f14fc8064b21b296cfae0b62ac5df146 SHA1: fa84b4cfebfe8268a5120da14abffb4c6f263288 MD5: c8e578494f9fd282b24a931cabe8bf2f
M20-1iy01	Kwampirs_0367615f	Windows	This strike sends a malware sample known as Kwampirs. Kwampirs is a modular RAT that creates a back door on the victim machine. Once infected it attempts to propagate itself within the target network, gather information, and provide the attacker with remote access. It then communicates with a command and control server to perform additional functionality. Recently it has been seen targeting the public health care sector during the COVID19 pandemic.	0367615fcc1022e2273e9940db4c6b0b	https://www.bankinfosecurity.com/fbi-warns-kwampirs-malware-supply-chain-attacks-a-14037 https://blog.reversinglabs.com/blog/unpacking-kwampirs-rat SHA256: 55bab82950dc63d82ac4c9b77e3138d3c661b2cae7fc8ae5e60e39a838b33275 SHA1: f599c05a1ed120a1627d8c5db8f0fe5ca876113a MD5: 0367615fcc1022e2273e9940db4c6b0b
M20-jkm01	Kwampirs_0ffcd190	Windows	This strike sends a malware sample known as Kwampirs. Kwampirs is a modular RAT that creates a back door on the victim machine. Once infected it attempts to propagate itself within the target network, gather information, and provide the attacker with remote access. It then communicates with a command and control server to perform additional functionality. Recently it has been seen targeting the public health care sector during the COVID19 pandemic.	0ffcd1908fff1e41fb02a2bf5b9434d3	https://www.bankinfosecurity.com/fbi-warns-kwampirs-malware-supply-chain-attacks-a-14037 https://blog.reversinglabs.com/blog/unpacking-kwampirs-rat SHA256: 74c7cf70a0a02fdc1fe98f4eab3cae63ce6ec6fa7b4d5756ef153e63bf5b4c58 SHA1: f0cad35dbdb72616464223cb8c75ab49c831ac78 MD5: 0ffcd1908fff1e41fb02a2bf5b9434d3
M20-jfh01	Kuluoz_dec3d03e	Windows	This strike sends a malware sample known as Kuluoz. Kuluoz also called Asprox is a remote access trojan that has been known to download and execute additional malware like fake antivirus software.	dec3d03e421e7702baf224a1f1e31b85	https://blog.talosintelligence.com/2020/04/threat-roundup-0326-0403.html SHA256: 0bc668db27503131656da06c8a4263f0c6a2e986ce16f9a3cdfa21478c903369 SHA1: 801dc14584f06e3557a4a071385d27c60e4b94f2 MD5: dec3d03e421e7702baf224a1f1e31b85
M20-twr01	Kwampirs_8a9f412d	Windows	This strike sends a malware sample known as Kwampirs. Kwampirs is a modular RAT that creates a back door on the victim machine. Once infected it attempts to propagate itself within the target network, gather information, and provide the attacker with remote access. It then communicates with a command and control server to perform additional functionality. Recently it has been seen targeting the public health care sector during the COVID19 pandemic.	8a9f412d75b60ff3086cb690c59495f9	https://www.bankinfosecurity.com/fbi-warns-kwampirs-malware-supply-chain-attacks-a-14037 https://blog.reversinglabs.com/blog/unpacking-kwampirs-rat SHA256: 79458dd957430eb6cae99339873d8bd243731adc03f3ec573f9313e072c20744 SHA1: e11918165c25aee4330955c55ea0ee12cebf2829 MD5: 8a9f412d75b60ff3086cb690c59495f9
M20-lzy01	Kuluoz_6a4bbf18	Windows	This strike sends a malware sample known as Kuluoz. Kuluoz also called Asprox is a remote access trojan that has been known to download and execute additional malware like fake antivirus software.	6a4bbf1852425e909378cfbb12e55a4f	https://blog.talosintelligence.com/2020/04/threat-roundup-0326-0403.html SHA256: 0f13a52c4037425fcf3597c0d5e2904b437cb5a5bb8710be853a2af38e4650ab SHA1: 3527aaad63aefbe6a7d0867b16aac2e81a909c26 MD5: 6a4bbf1852425e909378cfbb12e55a4f
M20-z1l01	Kwampirs_2e506824	Windows	This strike sends a malware sample known as Kwampirs. Kwampirs is a modular RAT that creates a back door on the victim machine. Once infected it attempts to propagate itself within the target network, gather information, and provide the attacker with remote access. It then communicates with a command and control server to perform additional functionality. Recently it has been seen targeting the public health care sector during the COVID19 pandemic.	2e506824e12ebdbf7d535f91bd2ff41e	https://www.bankinfosecurity.com/fbi-warns-kwampirs-malware-supply-chain-attacks-a-14037 https://blog.reversinglabs.com/blog/unpacking-kwampirs-rat SHA256: 1ba619eb584481121d6d56fd2ddb7d16d393bb24ccffda5ab938bde6f404093c SHA1: fa76c5b0e06a90def0a4a062af6d0ca36b5f6b8c MD5: 2e506824e12ebdbf7d535f91bd2ff41e
M20-02501	Kuluoz_5f7145de	Windows	This strike sends a malware sample known as Kuluoz. Kuluoz also called Asprox is a remote access trojan that has been known to download and execute additional malware like fake antivirus software.	5f7145de44c54a10083c12f5e673cc09	https://blog.talosintelligence.com/2020/04/threat-roundup-0326-0403.html SHA256: 09b064b27cba3d8229d703bbe70c91be7b5dced5ffd953b4826bb9d17725fafe SHA1: 9f23e958d889f3cba0ac6f0f3402470a4a02b6b0 MD5: 5f7145de44c54a10083c12f5e673cc09
M20-qud01	Kwampirs_95752da1	Windows	This strike sends a malware sample known as Kwampirs. Kwampirs is a modular RAT that creates a back door on the victim machine. Once infected it attempts to propagate itself within the target network, gather information, and provide the attacker with remote access. It then communicates with a command and control server to perform additional functionality. Recently it has been seen targeting the public health care sector during the COVID19 pandemic.	95752da1e16832b4ff23a2ecac43b371	https://www.bankinfosecurity.com/fbi-warns-kwampirs-malware-supply-chain-attacks-a-14037 https://blog.reversinglabs.com/blog/unpacking-kwampirs-rat SHA256: 114ec9bb38a0239d59f8ae868fab6ddadc38421be614c9fe99092b1e48df5b27 SHA1: f4abbb8edd32cc91290e27ca621885d0edfb3c22 MD5: 95752da1e16832b4ff23a2ecac43b371
M20-rjm01	Kwampirs_8a482852	Windows	This strike sends a malware sample known as Kwampirs. Kwampirs is a modular RAT that creates a back door on the victim machine. Once infected it attempts to propagate itself within the target network, gather information, and provide the attacker with remote access. It then communicates with a command and control server to perform additional functionality. Recently it has been seen targeting the public health care sector during the COVID19 pandemic.	8a482852b2bc97d9c1de896460892c70	https://www.bankinfosecurity.com/fbi-warns-kwampirs-malware-supply-chain-attacks-a-14037 https://blog.reversinglabs.com/blog/unpacking-kwampirs-rat SHA256: 99601c00c48b1abc2ff792f9e4a363c04b7f937f1600744bcb752ec7b1cdc27b SHA1: ef42a946e54be39e8bd9f59e3e6e1936f9bee34a MD5: 8a482852b2bc97d9c1de896460892c70
M20-twz01	Kwampirs_4dc04314	Windows	This strike sends a malware sample known as Kwampirs. Kwampirs is a modular RAT that creates a back door on the victim machine. Once infected it attempts to propagate itself within the target network, gather information, and provide the attacker with remote access. It then communicates with a command and control server to perform additional functionality. Recently it has been seen targeting the public health care sector during the COVID19 pandemic.	4dc043142ad2c71cef7202cbafa19d0c	https://www.bankinfosecurity.com/fbi-warns-kwampirs-malware-supply-chain-attacks-a-14037 https://blog.reversinglabs.com/blog/unpacking-kwampirs-rat SHA256: 66c1ac7cab1d7cc21fa7d0de35691aa3906646f216c48a6f6b02838e1e1f2681 SHA1: e9253b35b0718d69714f5498e416df789e30ab01 MD5: 4dc043142ad2c71cef7202cbafa19d0c
M20-6py01	Kwampirs_2ba0a652	Windows	This strike sends a malware sample known as Kwampirs. Kwampirs is a modular RAT that creates a back door on the victim machine. Once infected it attempts to propagate itself within the target network, gather information, and provide the attacker with remote access. It then communicates with a command and control server to perform additional functionality. Recently it has been seen targeting the public health care sector during the COVID19 pandemic.	2ba0a65204b246c0aed74ef7b1f6f523	https://www.bankinfosecurity.com/fbi-warns-kwampirs-malware-supply-chain-attacks-a-14037 https://blog.reversinglabs.com/blog/unpacking-kwampirs-rat SHA256: ced9a61ebaa8de7aa360ad2d24be26e2474fa4164118f8e32f4e2b2aba6ce511 SHA1: fd4949a4ebafefb5a34a21d892d2407099b0e6ca MD5: 2ba0a65204b246c0aed74ef7b1f6f523
M20-zjn01	Kwampirs_05a12a44	Windows	This strike sends a malware sample known as Kwampirs. Kwampirs is a modular RAT that creates a back door on the victim machine. Once infected it attempts to propagate itself within the target network, gather information, and provide the attacker with remote access. It then communicates with a command and control server to perform additional functionality. Recently it has been seen targeting the public health care sector during the COVID19 pandemic.	05a12a4416e3ca9ce7515cc83f7c27b3	https://www.bankinfosecurity.com/fbi-warns-kwampirs-malware-supply-chain-attacks-a-14037 https://blog.reversinglabs.com/blog/unpacking-kwampirs-rat SHA256: c76371100153252534cdab622f855b764c02b8d213fee28662df04245eb61589 SHA1: e55eb5b0ea6aa55af22e348e2e18ce9da089c9bc MD5: 05a12a4416e3ca9ce7515cc83f7c27b3
M20-fm101	Kuluoz_cf96ffba	Windows	This strike sends a malware sample known as Kuluoz. Kuluoz also called Asprox is a remote access trojan that has been known to download and execute additional malware like fake antivirus software.	cf96ffbaee7afe73ec36944c998152f8	https://blog.talosintelligence.com/2020/04/threat-roundup-0326-0403.html SHA256: 05cfe7a11dd83fb71d7197b7ce06a484a60a7e0e87295c67345d57ee99c44eb7 SHA1: 39be987491ff984ea13b551c1c1a216fe101e500 MD5: cf96ffbaee7afe73ec36944c998152f8
M20-bri01	AZORult_a5d2e2a9	Windows	This strike sends a polymorphic malware sample known as AZORult PE Payload. AZORult is an information stealer that goes after user credentials stored information of available applications and other useful system information. It has also been seen running backdoor commands and exploits. This sample is the portable executable payload. The binary has a random section name renamed according to the PE format specification.	a5d2e2a909b26f87d2910e3ba9d5024f	https://arxiv.org/abs/1801.08917 https://arxiv.org/abs/1801.08917 SHA256: 465e154e29171cfcc35ba3398e71659dadb06c7222dc2fd6b004e81581d25cfe PARENTID: M20-ukj01 SSDEEP: 3072:juOSXpMx7ZAlHsbfUkolNGti7lfqeSxM3SpyEY3E/rxg/:Tzx7ZApszolIo7lf/ipT/r SHA1: 048934e26495a74f73a8061db39646acb5abbb62 MD5: a5d2e2a909b26f87d2910e3ba9d5024f
M20-zw101	PoetRAT_4f794eeb	Windows	This strike sends a malware sample known as PoetRAT. This malware sample is known as PoetRAT. PoetRAT utilizes a Microsoft Word document to drop a Python based RAT. The RAT uses several tools and features to control the system including keyloggers, browser-focused password stealers, camera control applications, credential stealers, and a tool to monitor the hard disk and exfiltrate data automatically.	4f794eeb5cc1faa346f1155c96342e77	https://blog.talosintelligence.com/2020/04/poetrat-covid-19-lures.html SHA256: a3405cc1fcc6b6b96a1d6604f587aee6aafe54f8beba5dcbaa7322ac8589ffde SHA1: 422e7b1dfd10f80971d5331ca2bc436d1efba046 MD5: 4f794eeb5cc1faa346f1155c96342e77
M20-e8d01	Kwampirs_b0d3976d	Windows	This strike sends a malware sample known as Kwampirs. Kwampirs is a modular RAT that creates a back door on the victim machine. Once infected it attempts to propagate itself within the target network, gather information, and provide the attacker with remote access. It then communicates with a command and control server to perform additional functionality. Recently it has been seen targeting the public health care sector during the COVID19 pandemic.	b0d3976d10919aeb0adef60a54a2f593	https://www.bankinfosecurity.com/fbi-warns-kwampirs-malware-supply-chain-attacks-a-14037 https://blog.reversinglabs.com/blog/unpacking-kwampirs-rat SHA256: 1fc307804ff2c70a2754c0ef83d87dd38a533be3f53c744d0685f0bed6d165c9 SHA1: e3ad723bfe061a3fcd17a9132d1baf948f9fcde2 MD5: b0d3976d10919aeb0adef60a54a2f593
M20-fvl02	Kuluoz_cd4e6fef	Windows	This strike sends a malware sample known as Kuluoz. Kuluoz also called Asprox is a remote access trojan that has been known to download and execute additional malware like fake antivirus software.	cd4e6fefaa158b8899fc78c20748147a	https://blog.talosintelligence.com/2020/04/threat-roundup-0326-0403.html SHA256: 07d3e4aa9819dd1bec9a9a5f80e1defb3cad07e2827fceae2fff3fe2c5474389 SHA1: 01f544ae551f0de1e1dbe889d061f17c1da2def2 MD5: cd4e6fefaa158b8899fc78c20748147a
M20-fey01	AZORult_13123a46	Windows	This strike sends a polymorphic malware sample known as AZORult Dropper. AZORult is an information stealer that goes after user credentials stored information of available applications and other useful system information. It has also been seen running backdoor commands and exploits. This sample is the dropper. The binary file has one more imports added in the import table.	13123a46de0b959bc9341fdc8c5e8046	https://arxiv.org/abs/1702.05983 https://arxiv.org/abs/1702.05983 SHA256: 23b9143c705132dd1bfe7a78f8419ad3a2afd9fe3d4430119f1de1b31e4375a6 PARENTID: M20-awj01 SSDEEP: 6144:P1bB0Miice2VaKYsLrdIpbs5j378oAUn:9+BUKfZIpQx7 SHA1: 708b6fcadcf838e2317de9555e3f36d59d5e7ede MD5: 13123a46de0b959bc9341fdc8c5e8046
M20-spz01	Kuluoz_6ab1c95e	Windows	This strike sends a malware sample known as Kuluoz. Kuluoz also called Asprox is a remote access trojan that has been known to download and execute additional malware like fake antivirus software.	6ab1c95ef0ebe2d7568d2e8fc29810d4	https://blog.talosintelligence.com/2020/04/threat-roundup-0326-0403.html SHA256: 1363243f57bc04ff383387c358785d8f43e2ec0765f7bc1676c1de820ac618d1 SHA1: 2bfa9979914a72140e8f59cd2621f4cc58cb7545 MD5: 6ab1c95ef0ebe2d7568d2e8fc29810d4
M20-4k701	Kwampirs_59770034	Windows	This strike sends a malware sample known as Kwampirs. Kwampirs is a modular RAT that creates a back door on the victim machine. Once infected it attempts to propagate itself within the target network, gather information, and provide the attacker with remote access. It then communicates with a command and control server to perform additional functionality. Recently it has been seen targeting the public health care sector during the COVID19 pandemic.	597700341ffc5e24203170386b133875	https://www.bankinfosecurity.com/fbi-warns-kwampirs-malware-supply-chain-attacks-a-14037 https://blog.reversinglabs.com/blog/unpacking-kwampirs-rat SHA256: 3b9991b5b3f73ec41ca644a043f1fb1144d063502d3889aad6b774867debb7f9 SHA1: e96ac141ec2fd92f1d2fb9f5956bab792bfa0170 MD5: 597700341ffc5e24203170386b133875
M20-02o01	Kwampirs_27e60d36	Windows	This strike sends a malware sample known as Kwampirs. Kwampirs is a modular RAT that creates a back door on the victim machine. Once infected it attempts to propagate itself within the target network, gather information, and provide the attacker with remote access. It then communicates with a command and control server to perform additional functionality. Recently it has been seen targeting the public health care sector during the COVID19 pandemic.	27e60d36b7264f969541c05dfdcb357c	https://www.bankinfosecurity.com/fbi-warns-kwampirs-malware-supply-chain-attacks-a-14037 https://blog.reversinglabs.com/blog/unpacking-kwampirs-rat SHA256: b9581f9a9d79d03305ee378cb166afea8d1e0120a359a036d6592eac8074e5c6 SHA1: ea92d298390b85aae92fc7b8f3cd86cf15a51240 MD5: 27e60d36b7264f969541c05dfdcb357c
M20-ovs01	PoetRAT_429d409c	Mixed	This strike sends a malware sample known as PoetRAT. This malware sample is known as PoetRAT. PoetRAT utilizes a Microsoft Word document to drop a Python based RAT. The RAT uses several tools and features to control the system including keyloggers, browser-focused password stealers, camera control applications, credential stealers, and a tool to monitor the hard disk and exfiltrate data automatically.	429d409ceb6b7988c2de41c2aa578735	https://blog.talosintelligence.com/2020/04/poetrat-covid-19-lures.html SHA256: d4b7e4870795e6f593c9b3143e2ba083cf12ac0c79d2dd64b869278b0247c247 SHA1: e499d21c4eb97b53ef3ecad0dbbfe8cfc3678ef1 MD5: 429d409ceb6b7988c2de41c2aa578735
M20-wiw01	Kwampirs_7d5e5cd0	Windows	This strike sends a malware sample known as Kwampirs. Kwampirs is a modular RAT that creates a back door on the victim machine. Once infected it attempts to propagate itself within the target network, gather information, and provide the attacker with remote access. It then communicates with a command and control server to perform additional functionality. Recently it has been seen targeting the public health care sector during the COVID19 pandemic.	7d5e5cd056589f1be94f62b0b5efd28f	https://www.bankinfosecurity.com/fbi-warns-kwampirs-malware-supply-chain-attacks-a-14037 https://blog.reversinglabs.com/blog/unpacking-kwampirs-rat SHA256: 209adf00c00ab4e47a064d5092c7387720c6e198066d33d270f9cbaddacf52ae SHA1: e7a3c649d53f293ba5865622ed60d3da3a2bec7a MD5: 7d5e5cd056589f1be94f62b0b5efd28f
M20-5ao01	Kwampirs_c1fb62ea	Windows	This strike sends a malware sample known as Kwampirs. Kwampirs is a modular RAT that creates a back door on the victim machine. Once infected it attempts to propagate itself within the target network, gather information, and provide the attacker with remote access. It then communicates with a command and control server to perform additional functionality. Recently it has been seen targeting the public health care sector during the COVID19 pandemic.	c1fb62eafd77bfc6d4a32b3637e0bf37	https://www.bankinfosecurity.com/fbi-warns-kwampirs-malware-supply-chain-attacks-a-14037 https://blog.reversinglabs.com/blog/unpacking-kwampirs-rat SHA256: 0cb55887786c26b91bcc7da071b7350451c138a43cf0c33cb9762edab77e3e00 SHA1: edb43ec758edf49bc857e609fa7ab0f0e5e0f049 MD5: c1fb62eafd77bfc6d4a32b3637e0bf37
M20-yhq01	Kwampirs_40bee457	Windows	This strike sends a malware sample known as Kwampirs. Kwampirs is a modular RAT that creates a back door on the victim machine. Once infected it attempts to propagate itself within the target network, gather information, and provide the attacker with remote access. It then communicates with a command and control server to perform additional functionality. Recently it has been seen targeting the public health care sector during the COVID19 pandemic.	40bee457f54aba0617d0c11047bc8427	https://www.bankinfosecurity.com/fbi-warns-kwampirs-malware-supply-chain-attacks-a-14037 https://blog.reversinglabs.com/blog/unpacking-kwampirs-rat SHA256: 6a2a592e1d83c946810ee3f700d2f2dadf517bd450b125ed0a250fe8f22d66ff SHA1: e0a021166d4d2ddb9f5f3c261841aad4f211d9ef MD5: 40bee457f54aba0617d0c11047bc8427
M20-c0e01	Kuluoz_a14ac7d4	Windows	This strike sends a polymorphic malware sample known as Kuluoz. Kuluoz also called Asprox is a remote access trojan that has been known to download and execute additional malware like fake antivirus software.The binary has been packed using upx packer, with the default options.	a14ac7d4a42ea7cf2d1aed32ca78ba26	https://attack.mitre.org/techniques/T1045/ SHA256: 6a52a43a26852d18600e7acc5f79af63077a57e13915bdb4cf41b88cad0692eb SHA1: d1f4d40a6ee16fd07f52fa0971b5bf0d485c65d1 PARENTID: M20-ig501 SSDEEP: 1536:Ldsg/4AyY0mDPwCxLdRJZ9rgZjJsaSPRcsbuct+WihG/8/0u4afs:L5/Y1mDhxLdJZgZ1saiRtbus+WiX/z MD5: a14ac7d4a42ea7cf2d1aed32ca78ba26
M20-r3x01	PoetRAT_04cecf70	Mixed	This strike sends a malware sample known as PoetRAT. This malware sample is known as PoetRAT. PoetRAT utilizes a Microsoft Word document to drop a Python based RAT. The RAT uses several tools and features to control the system including keyloggers, browser-focused password stealers, camera control applications, credential stealers, and a tool to monitor the hard disk and exfiltrate data automatically.	04cecf70d049a8f0de360aa6bd9da434	https://blog.talosintelligence.com/2020/04/poetrat-covid-19-lures.html SHA256: e4e99dc07fae55f2fa8884c586f8006774fe0f16232bd4e13660a8610b1850a2 SHA1: 4966916c66d6742d1ee7bf3823ab8e7e6bb9b012 MD5: 04cecf70d049a8f0de360aa6bd9da434
M20-jou01	Kwampirs_2895bb78	Windows	This strike sends a malware sample known as Kwampirs. Kwampirs is a modular RAT that creates a back door on the victim machine. Once infected it attempts to propagate itself within the target network, gather information, and provide the attacker with remote access. It then communicates with a command and control server to perform additional functionality. Recently it has been seen targeting the public health care sector during the COVID19 pandemic.	2895bb7849b6dce0bccf6947cf4c1d04	https://www.bankinfosecurity.com/fbi-warns-kwampirs-malware-supply-chain-attacks-a-14037 https://blog.reversinglabs.com/blog/unpacking-kwampirs-rat SHA256: 208fd32462cf3358c0a76a8e7e4b9a9ed681027f0cdd26f404e516b25daadb8c SHA1: ff7233ca387a02095dbbd32a61a5a188e2ad521c MD5: 2895bb7849b6dce0bccf6947cf4c1d04
M20-aav01	Kwampirs_1565df72	Windows	This strike sends a malware sample known as Kwampirs. Kwampirs is a modular RAT that creates a back door on the victim machine. Once infected it attempts to propagate itself within the target network, gather information, and provide the attacker with remote access. It then communicates with a command and control server to perform additional functionality. Recently it has been seen targeting the public health care sector during the COVID19 pandemic.	1565df72abfaa21ceb8b86fa11d3ac47	https://www.bankinfosecurity.com/fbi-warns-kwampirs-malware-supply-chain-attacks-a-14037 https://blog.reversinglabs.com/blog/unpacking-kwampirs-rat SHA256: 4824911c0778c89af1849d5c4c77b13bc3891a1fcff12741e4627907bd84db3a SHA1: f9911c9bed571540f22c0ea45622844c580ba898 MD5: 1565df72abfaa21ceb8b86fa11d3ac47
M20-2fz01	Kuluoz_eafdcea5	Windows	This strike sends a malware sample known as Kuluoz. Kuluoz also called Asprox is a remote access trojan that has been known to download and execute additional malware like fake antivirus software.	eafdcea53785df89f522a1d3ce285c3e	https://blog.talosintelligence.com/2020/04/threat-roundup-0326-0403.html SHA256: 02a8287d7190e0fce91f58073c57d3637b7f1a79a5de300cc9cabfc11e0e6530 SHA1: 79e8f18b3e61a629397b554bfe211b2582daea70 MD5: eafdcea53785df89f522a1d3ce285c3e
M20-mch01	Kuluoz_f7a08642	Windows	This strike sends a malware sample known as Kuluoz. Kuluoz also called Asprox is a remote access trojan that has been known to download and execute additional malware like fake antivirus software.	f7a086429a192bbd9902c593d360cc9c	https://blog.talosintelligence.com/2020/04/threat-roundup-0326-0403.html SHA256: 1233484d1a7d2cd2ca7118ab42c7a60e77490536ad8304c148a0721ff22ab005 SHA1: a5a0effcd586487d02ae62f9c97b98302d8638d5 MD5: f7a086429a192bbd9902c593d360cc9c
M20-dqv01	Kwampirs_cd554e3e	Windows	This strike sends a malware sample known as Kwampirs. Kwampirs is a modular RAT that creates a back door on the victim machine. Once infected it attempts to propagate itself within the target network, gather information, and provide the attacker with remote access. It then communicates with a command and control server to perform additional functionality. Recently it has been seen targeting the public health care sector during the COVID19 pandemic.	cd554e3e8a3a50823243452c0c2425f4	https://www.bankinfosecurity.com/fbi-warns-kwampirs-malware-supply-chain-attacks-a-14037 https://blog.reversinglabs.com/blog/unpacking-kwampirs-rat SHA256: 833d5d438893a73cbaac611b214f6be7c569f52b9a37b2a06a8c8eba8892709f SHA1: fbd50f5bdad08802d908388567059f9bb32869c5 MD5: cd554e3e8a3a50823243452c0c2425f4
M20-fe501	PoetRAT_7e9d3fe8	Mixed	This strike sends a malware sample known as PoetRAT. This malware sample is known as PoetRAT. PoetRAT utilizes a Microsoft Word document to drop a Python based RAT. The RAT uses several tools and features to control the system including keyloggers, browser-focused password stealers, camera control applications, credential stealers, and a tool to monitor the hard disk and exfiltrate data automatically.	7e9d3fe81c528d9729bc03a805460642	https://blog.talosintelligence.com/2020/04/poetrat-covid-19-lures.html SHA256: 252c5d491747a42175c7c57ccc5965e3a7b83eb5f964776ef108539b0a29b2ee SHA1: 298974d7e3efef0cad81ba039b2e1a38f543454a MD5: 7e9d3fe81c528d9729bc03a805460642
M20-95p01	Kuluoz_c26f3f05	Windows	This strike sends a malware sample known as Kuluoz. Kuluoz also called Asprox is a remote access trojan that has been known to download and execute additional malware like fake antivirus software.	c26f3f052333299b1571828596a6528c	https://blog.talosintelligence.com/2020/04/threat-roundup-0326-0403.html SHA256: 021801898d4aa508ee85f53fe4e4a28e06ce91795fc0073eae241c0c34c7babb SHA1: a5cfa344ab313beabb090337ece2453efb6eef54 MD5: c26f3f052333299b1571828596a6528c
M20-a4001	Kwampirs_cf314c8c	Windows	This strike sends a malware sample known as Kwampirs. Kwampirs is a modular RAT that creates a back door on the victim machine. Once infected it attempts to propagate itself within the target network, gather information, and provide the attacker with remote access. It then communicates with a command and control server to perform additional functionality. Recently it has been seen targeting the public health care sector during the COVID19 pandemic.	cf314c8c6daaa9dd2e733387f4aabf91	https://www.bankinfosecurity.com/fbi-warns-kwampirs-malware-supply-chain-attacks-a-14037 https://blog.reversinglabs.com/blog/unpacking-kwampirs-rat SHA256: bfa71ed720938c5b47ade695c82df67833dc6f1c10bc36fcc51a6764e35800d2 SHA1: e99b23e5560d7f9896b64054b1a6fb2333cae92a MD5: cf314c8c6daaa9dd2e733387f4aabf91
M20-ct301	PoetRAT_2696574a	Mixed	This strike sends a malware sample known as PoetRAT. This malware sample is known as PoetRAT. PoetRAT utilizes a Microsoft Word document to drop a Python based RAT. The RAT uses several tools and features to control the system including keyloggers, browser-focused password stealers, camera control applications, credential stealers, and a tool to monitor the hard disk and exfiltrate data automatically.	2696574ad1b897f569a48d74425c706b	https://blog.talosintelligence.com/2020/04/poetrat-covid-19-lures.html SHA256: ac4e621cc5895f63a226f8ef183fe69e1ae631e12a5dbef97dd16a6dfafd1bfc SHA1: 89374563520fd4d24c5fad4703c8c173a910eb1c MD5: 2696574ad1b897f569a48d74425c706b
M20-zkj01	Kwampirs_db904a6b	Windows	This strike sends a malware sample known as Kwampirs. Kwampirs is a modular RAT that creates a back door on the victim machine. Once infected it attempts to propagate itself within the target network, gather information, and provide the attacker with remote access. It then communicates with a command and control server to perform additional functionality. Recently it has been seen targeting the public health care sector during the COVID19 pandemic.	db904a6b55ec340645d4dc3bef3ee57b	https://www.bankinfosecurity.com/fbi-warns-kwampirs-malware-supply-chain-attacks-a-14037 https://blog.reversinglabs.com/blog/unpacking-kwampirs-rat SHA256: ac5a9630b5efe7b936840641a8ab9433f589fbd8562d62c642b2e4d417f91277 SHA1: f9bfff4be43e365bbcc40cc6ece537b7b9f2ae74 MD5: db904a6b55ec340645d4dc3bef3ee57b
M20-c2r02	Kwampirs_053b96d7	Windows	This strike sends a malware sample known as Kwampirs. Kwampirs is a modular RAT that creates a back door on the victim machine. Once infected it attempts to propagate itself within the target network, gather information, and provide the attacker with remote access. It then communicates with a command and control server to perform additional functionality. Recently it has been seen targeting the public health care sector during the COVID19 pandemic.	053b96d7b0fef8ea3d812690d9747e3c	https://www.bankinfosecurity.com/fbi-warns-kwampirs-malware-supply-chain-attacks-a-14037 https://blog.reversinglabs.com/blog/unpacking-kwampirs-rat SHA256: c69c1b75d7d9c8fd823ea6c2de670426e8360d0763f0a0384472cd16437909c1 SHA1: e2e03d1d85fe5e65820d6526eab53dd6bf1a076a MD5: 053b96d7b0fef8ea3d812690d9747e3c
M20-v2101	PoetRAT_69cbec46	Mixed	This strike sends a malware sample known as PoetRAT. This malware sample is known as PoetRAT. PoetRAT utilizes a Microsoft Word document to drop a Python based RAT. The RAT uses several tools and features to control the system including keyloggers, browser-focused password stealers, camera control applications, credential stealers, and a tool to monitor the hard disk and exfiltrate data automatically.	69cbec46220c781797d6d35ab70bae02	https://blog.talosintelligence.com/2020/04/poetrat-covid-19-lures.html SHA256: b1e7dc16e24ebeb60bc6753c54e940c3e7664e9fcb130bd663129ecdb5818fcd SHA1: 7fbe5c8524b9a914f7f60d463c7d4add8a0c57e4 MD5: 69cbec46220c781797d6d35ab70bae02
M20-6ij01	Kuluoz_ca1c35f5	Windows	This strike sends a malware sample known as Kuluoz. Kuluoz also called Asprox is a remote access trojan that has been known to download and execute additional malware like fake antivirus software.	ca1c35f5dd08f34c21e49d0cd3af3d24	https://blog.talosintelligence.com/2020/04/threat-roundup-0326-0403.html SHA256: 01e5d6d17f47209d9ab025ea6d9fc76fab6db7a789ae7e0012e053518592483e SHA1: 40a3fbcf79bd3a374879cd7a05145a44245fcf71 MD5: ca1c35f5dd08f34c21e49d0cd3af3d24
M20-ri001	Kwampirs_ec7a5b11	Windows	This strike sends a malware sample known as Kwampirs. Kwampirs is a modular RAT that creates a back door on the victim machine. Once infected it attempts to propagate itself within the target network, gather information, and provide the attacker with remote access. It then communicates with a command and control server to perform additional functionality. Recently it has been seen targeting the public health care sector during the COVID19 pandemic.	ec7a5b119ebfefbb827720997036743b	https://www.bankinfosecurity.com/fbi-warns-kwampirs-malware-supply-chain-attacks-a-14037 https://blog.reversinglabs.com/blog/unpacking-kwampirs-rat SHA256: d0ad2e0f2d68da676dcc8f0cad03dd1a6a5dbf834499ef94746be8ce32ea6ac0 SHA1: e5e79e329cd3f7f40ba887f771b7782abb41b108 MD5: ec7a5b119ebfefbb827720997036743b
M20-nvj01	Kwampirs_001c21ae	Windows	This strike sends a malware sample known as Kwampirs. Kwampirs is a modular RAT that creates a back door on the victim machine. Once infected it attempts to propagate itself within the target network, gather information, and provide the attacker with remote access. It then communicates with a command and control server to perform additional functionality. Recently it has been seen targeting the public health care sector during the COVID19 pandemic.	001c21aea873767894bb125a135b15ef	https://www.bankinfosecurity.com/fbi-warns-kwampirs-malware-supply-chain-attacks-a-14037 https://blog.reversinglabs.com/blog/unpacking-kwampirs-rat SHA256: 23640833d0c552a328ffca27f6f78b10e7dfadaa5d9e485c8c9c3d2968b7c23a SHA1: e5e0120ebc937396d02c0d69c9e49a08cea941d8 MD5: 001c21aea873767894bb125a135b15ef
M20-jmi01	Kwampirs_90985356	Windows	This strike sends a malware sample known as Kwampirs. Kwampirs is a modular RAT that creates a back door on the victim machine. Once infected it attempts to propagate itself within the target network, gather information, and provide the attacker with remote access. It then communicates with a command and control server to perform additional functionality. Recently it has been seen targeting the public health care sector during the COVID19 pandemic.	90985356349d41929c2de328629e24e4	https://www.bankinfosecurity.com/fbi-warns-kwampirs-malware-supply-chain-attacks-a-14037 https://blog.reversinglabs.com/blog/unpacking-kwampirs-rat SHA256: 9cc91b2a46c29b022e64a317b9b7c33a9caaaa76962315e48305365fdd3b4829 SHA1: e4b0a7190d219ede8f60a4189cb52351cba43307 MD5: 90985356349d41929c2de328629e24e4
M20-sc601	Kwampirs_8c1bdf67	Windows	This strike sends a malware sample known as Kwampirs. Kwampirs is a modular RAT that creates a back door on the victim machine. Once infected it attempts to propagate itself within the target network, gather information, and provide the attacker with remote access. It then communicates with a command and control server to perform additional functionality. Recently it has been seen targeting the public health care sector during the COVID19 pandemic.	8c1bdf67c3bb36654979cb606994a342	https://www.bankinfosecurity.com/fbi-warns-kwampirs-malware-supply-chain-attacks-a-14037 https://blog.reversinglabs.com/blog/unpacking-kwampirs-rat SHA256: 300c8c76205336366d75fac07a5e03f0d39db9a778f21023640ea6c81ee73a8d SHA1: e8a2b685da9a03402a71c5f110264a4eb946461d MD5: 8c1bdf67c3bb36654979cb606994a342
M20-h9101	AZORult_dc79833d	Windows	This strike sends a polymorphic malware sample known as AZORult PE Payload. AZORult is an information stealer that goes after user credentials stored information of available applications and other useful system information. It has also been seen running backdoor commands and exploits. This sample is the portable executable payload. The binary has random contents appended in one of the existing sections in the PE file format.	dc79833d8f6ca74d8b84672d7062c136	https://arxiv.org/abs/1801.08917 https://arxiv.org/abs/1801.08917 SHA256: 653208bc3c188910dcb8a22f2f3187eb99aaa83bcf6d9d03948c22696b747759 PARENTID: M20-ukj01 SSDEEP: 3072:IuOSXpMx7ZAlHsbfUkolNGti7lfqeSxM3SpyEY3E/Gxg/:Izx7ZApszolIo7lf/ipT/G SHA1: 9d5091bc94a13e322daf366c7aa431d0a285d289 MD5: dc79833d8f6ca74d8b84672d7062c136

Malware Strikes March - 2020

Strike ID	Malware	Platform	Info	MD5	External References
M20-9r501	Nymaim_3613236c	Windows	This strike sends a malware sample known as Nymaim. Nymaim is malware that can be used to deliver ransomware and other malicious payloads. It uses a domain generation algorithm to generate potential command and control domains to connect to additional payloads.	3613236c5516bd3695b6715b415d7bff	https://blog.talosintelligence.com/2020/03/threat-roundup-0306-0313.html SHA256: 7a081e847f783ca398362fb4172a266e8387fef4d860ce25c4bc2986a25ce690 SHA1: 685cf25785aab6989f4e8421cfba87226809972c MD5: 3613236c5516bd3695b6715b415d7bff
M20-qzv01	Vicious	Windows	This strike sends a malware sample known as Vicious Panda Loader DLL. This malware sample is called Vicious Panda. This malicious sample targets the Mongolian Public sector during the Coronavirus scare in 2020. This DLL file serves as the main loader of the malware framework in the infection chain that communicates with the C2 framework to gather a