Malware Update 2020


Malware Strikes December - 2020

Columns: Strike ID | Malware | Platform | Info | MD5 | External References (each entry also lists SHA256 and SHA1; polymorphic variants additionally list PARENTID and SSDEEP)
Strike ID: M20-72zh1
Malware: Gh0stRAT_34a648b5
Platform: Windows
Info: This strike sends a polymorphic malware sample known as Gh0stRAT. Gh0stRAT is a remote access Trojan that provides control over an infected system. Some of its known functions include the ability to record keystrokes, capture screenshots and download additional malicious payloads. The binary has random bytes appended at the end of the file.
MD5: 34a648b57683dd4d48a4123aee6542be
SHA256: f423b11021ce9175c79881f2988516428e9e80659f41105ae037cdedd5e0da8c
SHA1: 9d7b304bd8a65f1f788ab5e8a788e0f5e1748061
PARENTID: M20-gt381
SSDEEP: 1536:MbuXXlyLMFM6NRjebOZewU/R4kY6WpsQEYzQI4wb9DprLElnY+fsrcNgF0f2bb3C:lFyLM/NR+O8wl6usKH9DRJUyMrAny
External References: https://attack.mitre.org/techniques/T1009/

Strike ID: M20-lblq1
Malware: PyXie
Platform: Windows
Info: This strike sends a malware sample known as PyXie RAT. PyXie is a Python remote access Trojan. It has been seen in the wild since 2018 and is typically seen in conjunction with Cobalt Strike beacons. PyXie has been used to deliver ransomware attacks against the healthcare and education industries.
MD5: cf1ad0f6c0f7dfe7b5940008ed27bc28
SHA256: ea27862bd01ee8882817067f19df1e61edca7364ce649ae4d09e1a1cae14f7cc
SHA1: 6599794ea40f54656c8ac0d7c2efe1362ec8414d
External References: https://blogs.blackberry.com/en/2019/12/meet-pyxie-a-nefarious-new-python-rat

Strike ID: M20-hywt1
Malware: PyXie
Platform: Windows
Info: This strike sends a malware sample known as PyXie Lite. PyXie Lite is a variant of its predecessor PyXie, the Python RAT. It can be recognized by its much smaller code base and a few other noticeable changes in functionality, which include a hardened interpreter, a remapped opcode table, exfiltration of data through internal servers, and reconnaissance.
MD5: ab109ced41f9be476da69b671d4e28ce
SHA256: b2b3a199291c3651b1d7413c7dba92566a893010a50e770e1802f173f1c2c7a4
SHA1: f6085a9c93fd2ea75c1843a2bfc7b1e85f919d7a
External References: https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/2/

Strike ID: M20-wde71
Malware: Vatet
Platform: Windows
Info: This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR-encoded shellcode from the local disk or a network share. These loaders are often modified to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or, as of late, the PyXie RAT payload. Vatet Loader is often seen as the first stage in an enterprise-wide ransomware attack.
MD5: 9935435529057201dac86957275a43e9
SHA256: 3cd581621d9a16ebe724e9ba7445aa82162307ff6b2a31be572e87dbce2aa8ad
SHA1: 2201ebb6e819f38c080b252f7ae48accd78159be
External References: https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/

Strike ID: M20-vs2i1
Malware: PyXie
Platform: Windows
Info: This strike sends a malware sample known as PyXie RAT. PyXie is a Python remote access Trojan. It has been seen in the wild since 2018 and is typically seen in conjunction with Cobalt Strike beacons. PyXie has been used to deliver ransomware attacks against the healthcare and education industries.
MD5: 3b8c4e9f27a265c2ba4c39ee94e135a2
SHA256: 56e96ce15ebd90c197a1638a91e8634dbc5b0b4d8ef28891dcf470ca28d08078
SHA1: fa7f4b931dda6ece05a23d552a96c757127c3e0e
External References: https://blogs.blackberry.com/en/2019/12/meet-pyxie-a-nefarious-new-python-rat

Strike ID: M20-w8jx1
Malware: PyXie
Platform: Windows
Info: This strike sends a malware sample known as PyXie RAT. PyXie is a Python remote access Trojan. It has been seen in the wild since 2018 and is typically seen in conjunction with Cobalt Strike beacons. PyXie has been used to deliver ransomware attacks against the healthcare and education industries.
MD5: 1955375a3ba47f2d293aad78e2478edf
SHA256: 78471db16d7bd484932c8eb72f7001db510f4643b3449d71d637567911ca363b
SHA1: 006513670374228a112e15ed03e24089515d085b
External References: https://blogs.blackberry.com/en/2019/12/meet-pyxie-a-nefarious-new-python-rat

Strike ID: M20-qzdx1
Malware: PyXie
Platform: Windows
Info: This strike sends a malware sample known as PyXie Lite. PyXie Lite is a variant of its predecessor PyXie, the Python RAT. It can be recognized by its much smaller code base and a few other noticeable changes in functionality, which include a hardened interpreter, a remapped opcode table, exfiltration of data through internal servers, and reconnaissance.
MD5: af27bf67e462bf5ef61b15a0e160ea84
SHA256: 5736e167e234e06b33e8d8d6bb80e13b1bacca8d7cd3271695220cdec2e4a79e
SHA1: f5849ee6ab9de4be3024775cd2bf809b742f4bf5
External References: https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/2/

Strike ID: M20-4dqj1
Malware: Vatet
Platform: Windows
Info: This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR-encoded shellcode from the local disk or a network share. These loaders are often modified to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or, as of late, the PyXie RAT payload. Vatet Loader is often seen as the first stage in an enterprise-wide ransomware attack.
MD5: dba03b64b963b77fe966238c261aace4
SHA256: d50f28cf5012e1ffde1cd28655e07519dadcf94218b15c701c526ab0f6acb915
SHA1: 009d4a6ab775f4d8ac0a3343adf5e5910a8747ec
External References: https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/

Strike ID: M20-98eh1
Malware: Vatet
Platform: Windows
Info: This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR-encoded shellcode from the local disk or a network share. These loaders are often modified to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or, as of late, the PyXie RAT payload. Vatet Loader is often seen as the first stage in an enterprise-wide ransomware attack.
MD5: c7e84d5c86f51a349445ad126c42fd89
SHA256: 4d39782ccdb902e8e5348b8b3ce92f0834c713c565cca82be67a0a8eb6468df6
SHA1: 5b13441e82f6964164e05ea3c92145b70d400201
External References: https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/

Strike ID: M20-bkbm1
Malware: PyXie
Platform: Windows
Info: This strike sends a malware sample known as PyXie Lite. PyXie Lite is a variant of its predecessor PyXie, the Python RAT. It can be recognized by its much smaller code base and a few other noticeable changes in functionality, which include a hardened interpreter, a remapped opcode table, exfiltration of data through internal servers, and reconnaissance.
MD5: 86d297b262fb1e9f8c1cee271ceea40e
SHA256: f80bcc60e79b387f63edfe0f1fc66492af4ff201ad5eb8080b1249ca43f6f30f
SHA1: 62493be40396091164113e76c289df62ffeec90b
External References: https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/2/

Strike ID: M20-2fqg1
Malware: Barys_6a191144
Platform: Windows
Info: This strike sends a polymorphic malware sample known as Barys. Barys is a trojan and downloader that will upload malicious files to the victim machine. The binary has random bytes appended at the end of the file.
MD5: 6a191144dc2744c0d803461b8b35336b
SHA256: 0fadbc1a6cbbdcf8c6dfef369ca47881d562813e5e4de984d16001eaed83692b
SHA1: 1a13b6c282d8ac31996a79e3cca2e18194d2568c
PARENTID: M20-rmoa1
SSDEEP: 384:/DLPVyLRFT8Mtls0IKJdhpEoa24+odbe419lZK38nmPsywEJdxg15GMIScho9meh:/gbT8MlIcdk+odC41HjmzZJmr0jeyE
External References: https://attack.mitre.org/techniques/T1009/

Strike ID: M20-hsdz1
Malware: Vatet
Platform: Windows
Info: This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR-encoded shellcode from the local disk or a network share. These loaders are often modified to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or, as of late, the PyXie RAT payload. Vatet Loader is often seen as the first stage in an enterprise-wide ransomware attack.
MD5: 039e75cdd8787394789d11ca6d2c7711
SHA256: a50b58e24eb261157c4f85d02412d80911abe8501b011493c7b393c1905fc234
SHA1: d940407a48bc4e0481b2790e89e58aa020b8887f
External References: https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/

Strike ID: M20-qla01
Malware: PyXie
Platform: Windows
Info: This strike sends a malware sample known as PyXie RAT. PyXie is a Python remote access Trojan. It has been seen in the wild since 2018 and is typically seen in conjunction with Cobalt Strike beacons. PyXie has been used to deliver ransomware attacks against the healthcare and education industries.
MD5: 3d89a7dfd0984f23c4ebd1931d029108
SHA256: d271569d5557087aecc340bb570179b73265b29bed2e774d9a2403546c7dd5ff
SHA1: 39c6484c0ca69f2e98adad292436fadf80c3c12a
External References: https://blogs.blackberry.com/en/2019/12/meet-pyxie-a-nefarious-new-python-rat

Strike ID: M20-20vf1
Malware: Defray777_210f47c8
Platform: Linux
Info: This strike sends a malware sample known as Defray777. Defray777 is an elusive ransomware family, also known as RansomX and RansomExx, that has been active since 2018. It runs entirely in memory and is typically delivered and executed by a loader such as Cobalt Strike. The malware has been ported to Linux; however, unlike the Windows variant, the Linux variant doesn't employ anti-analysis measures to hinder reverse engineering.
MD5: 210f47c8f47ded8525da927710abc6ad
SHA256: 78147d3be7dc8cf7f631de59ab7797679aba167f82655bcae2c1b70f1fafc13d
SHA1: 50f191f04aa6cff1d8688a3c5d6cce96739ab6b3
External References: https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/3/

Strike ID: M20-yg4v1
Malware: PyXie
Platform: Windows
Info: This strike sends a malware sample known as PyXie Lite. PyXie Lite is a variant of its predecessor PyXie, the Python RAT. It can be recognized by its much smaller code base and a few other noticeable changes in functionality, which include a hardened interpreter, a remapped opcode table, exfiltration of data through internal servers, and reconnaissance.
MD5: d0857462281df296b60a8814d4fa052f
SHA256: b3c6f365819864340a8a8fe3076fb326c1debfdbbc826384cb2978aea82edc48
SHA1: 658c536d92c7b60e7c31bc4eeb43504c83204df7
External References: https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/2/

Strike ID: M20-mzle1
Malware: PyXie
Platform: Windows
Info: This strike sends a malware sample known as PyXie RAT. PyXie is a Python remote access Trojan. It has been seen in the wild since 2018 and is typically seen in conjunction with Cobalt Strike beacons. PyXie has been used to deliver ransomware attacks against the healthcare and education industries.
MD5: 440c46ace55eb539376c05dc03e98cd4
SHA256: 0da9e149ba324f20a390140e9d7913b13ababa07f5b65e4d25e3555c1119e768
SHA1: 038e505ed342a39766d034ffee1e87fdfc62930b
External References: https://blogs.blackberry.com/en/2019/12/meet-pyxie-a-nefarious-new-python-rat

Strike ID: M20-exgu1
Malware: Vatet
Platform: Windows
Info: This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR-encoded shellcode from the local disk or a network share. These loaders are often modified to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or, as of late, the PyXie RAT payload. Vatet Loader is often seen as the first stage in an enterprise-wide ransomware attack.
MD5: 0ea9b7a283e7d4601fb7dbd63493b342
SHA256: 56934547dcf0d7ecf61868ae2f620f60e94c094dbd5c3b5aaf3d3a904d20a693
SHA1: b655342769408e0bdd46449aa8968c4c362a222a
External References: https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/

Strike ID: M20-a54g1
Malware: Chthonic_35e71926
Platform: Windows
Info: This strike sends a polymorphic malware sample known as Chthonic. Chthonic is a banking trojan that is normally delivered by the attacker via phishing emails. Its purpose is to exfiltrate sensitive credentials from the victim machine, and it has also been seen delivering other malware, such as AZORult, to perform additional functionality. The binary has the timestamp field updated in the PE file header.
MD5: 35e7192617a5bfe4e3663f40610a7f11
SHA256: 01785bc411c5f7c386ac0c155e9334a624750722911cb420bdd6ba9666c4a075
SHA1: e2363a3d1230c852837d19c13cc421ecfdd9f2af
PARENTID: M20-569e1
SSDEEP: 768:Ph1SGw0Nd6EF+MIi3hISRdJlDED1Anx3LScmjElP/Vc6+DxIamqtswYh/YY86AAx:iV0Nd6EF+eljbx3LSqt+GF82jco
External References: https://attack.mitre.org/techniques/T1099/

Strike ID: M20-keqo1
Malware: Vatet
Platform: Windows
Info: This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR-encoded shellcode from the local disk or a network share. These loaders are often modified to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or, as of late, the PyXie RAT payload. Vatet Loader is often seen as the first stage in an enterprise-wide ransomware attack.
MD5: 6932dfcd3789f88e828d939174183446
SHA256: 5dc7f70a0d20f97c30c25bd927235deec713cde5d1c41916e23dd0c3431ffacd
SHA1: e289f6a347facc397402d63d36f70f58338d8ca8
External References: https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/

Strike ID: M20-jhm51
Malware: Vatet
Platform: Windows
Info: This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR-encoded shellcode from the local disk or a network share. These loaders are often modified to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or, as of late, the PyXie RAT payload. Vatet Loader is often seen as the first stage in an enterprise-wide ransomware attack.
MD5: 4ef817562dc042e616ae26a2c8773f23
SHA256: a098b5455fd1e9d0dea067405cd891b94cc42a0067cbd21d385f9c1254c21fdd
SHA1: c1b9b376a54b08d5eae491f951b57d6bb04afa5a
External References: https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/

Strike ID: M20-wlk11
Malware: Vatet
Platform: Windows
Info: This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR-encoded shellcode from the local disk or a network share. These loaders are often modified to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or, as of late, the PyXie RAT payload. Vatet Loader is often seen as the first stage in an enterprise-wide ransomware attack.
MD5: b18ee982de606adc6715e7a52648b63c
SHA256: 8eef012c2eecb7f8a776464f52e12f62c466cfc85adf4eef0d2bc270e7a19212
SHA1: f3c97b56b85eb3a0009bf831e89a4cf57d4deb41
External References: https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/

Strike ID: M20-vihm1
Malware: PyXie
Platform: Windows
Info: This strike sends a malware sample known as PyXie RAT. PyXie is a Python remote access Trojan. It has been seen in the wild since 2018 and is typically seen in conjunction with Cobalt Strike beacons. PyXie has been used to deliver ransomware attacks against the healthcare and education industries.
MD5: aa64323c466ac0ae62ec6532bac30936
SHA256: 92a8b74cafa5eda3851cc494f26db70e5ef0259bc7926133902013e5d73fd285
SHA1: 007f198146686cf0bad9d8c5bb262f8e5c007706
External References: https://blogs.blackberry.com/en/2019/12/meet-pyxie-a-nefarious-new-python-rat

Strike ID: M20-75p01
Malware: PyXie
Platform: Windows
Info: This strike sends a malware sample known as PyXie RAT. PyXie is a Python remote access Trojan. It has been seen in the wild since 2018 and is typically seen in conjunction with Cobalt Strike beacons. PyXie has been used to deliver ransomware attacks against the healthcare and education industries.
MD5: 5d2fd364769d12d26c83922e5e31e48e
SHA256: 563dd5a95f439bc2b4170a74c8be565a1af076e6cbebd1d018b2809a1e8bc908
SHA1: 00263c910dcf67f7eaa37c48914c30b78261652c
External References: https://blogs.blackberry.com/en/2019/12/meet-pyxie-a-nefarious-new-python-rat

Strike ID: M20-o3n51
Malware: Vatet
Platform: Windows
Info: This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR-encoded shellcode from the local disk or a network share. These loaders are often modified to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or, as of late, the PyXie RAT payload. Vatet Loader is often seen as the first stage in an enterprise-wide ransomware attack.
MD5: dcba8d6cf6b336ac96db500ad99b0013
SHA256: fcdd72fd2e03badfac13eed5e2d17054bbdcea7c1743179095ce109bf40a7f0f
SHA1: 1bacc1afd4bd2d34279b39e9e2fc6099c49fa29f
External References: https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/

Strike ID: M20-4n511
Malware: Vatet
Platform: Windows
Info: This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR-encoded shellcode from the local disk or a network share. These loaders are often modified to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or, as of late, the PyXie RAT payload. Vatet Loader is often seen as the first stage in an enterprise-wide ransomware attack.
MD5: 31dc5267d3daf057baaa37f8d5d59229
SHA256: 608f34a79e5566593b284ef0d24f48ea89bc007e5654ae0969e6d9f92ec87d32
SHA1: 15c3985c14c98de4a7eabba3495b474f753923b7
External References: https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/

Strike ID: M20-727z1
Malware: Vatet
Platform: Windows
Info: This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR-encoded shellcode from the local disk or a network share. These loaders are often modified to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or, as of late, the PyXie RAT payload. Vatet Loader is often seen as the first stage in an enterprise-wide ransomware attack.
MD5: 088d29b4a238a650e12f5ce97ec58289
SHA256: e48e88542ec4cd6f1aa794abc846f336822b1104557c0dfe67cff63e5231c367
SHA1: 08a6b196e3a2d140314225ef8c88228aaea09ac5
External References: https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/

Strike ID: M20-qxtk1
Malware: Barys_2f511a1d
Platform: Windows
Info: This strike sends a polymorphic malware sample known as Barys. Barys is a trojan and downloader that will upload malicious files to the victim machine. The binary has random strings (lorem ipsum) appended at the end of the file.
MD5: 2f511a1df6582dea8340fd62e27c9f3e
SHA256: 41a98f4a8ef76470d573c6daa9db027ee7cd76a957c669d7a30ebcfe01c5e1bd
SHA1: f812646cd54274420324b42801e6bca7dc128a88
PARENTID: M20-mxx31
SSDEEP: 384:UDLPVyLRFT8Mtls0IKJdhpEoa24+odbe419lZK38nmPsywEXZxg15iMISchoyMnL:MgbT8MlIcdk+odC41HjmzZX630nMnIU
External References: https://attack.mitre.org/techniques/T1009/

Strike ID: M20-0xi41
Malware: PyXie
Platform: Windows
Info: This strike sends a malware sample known as PyXie RAT. PyXie is a Python remote access Trojan. It has been seen in the wild since 2018 and is typically seen in conjunction with Cobalt Strike beacons. PyXie has been used to deliver ransomware attacks against the healthcare and education industries.
MD5: f198217bafc00828a2f5bc7f816c8e1d
SHA256: 814357417aa8a57e43d50cb3347c9d287b99955b0b8aee4e53e12b463f7441a0
SHA1: 0342939f6ff3699c7528f4adfdad5a35d1353b88
External References: https://blogs.blackberry.com/en/2019/12/meet-pyxie-a-nefarious-new-python-rat

Strike ID: M20-129q1
Malware: Vatet
Platform: Windows
Info: This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR-encoded shellcode from the local disk or a network share. These loaders are often modified to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or, as of late, the PyXie RAT payload. Vatet Loader is often seen as the first stage in an enterprise-wide ransomware attack.
MD5: 05d24dd80b9a39e2148e94c742f8f16b
SHA256: 350926c6bb7419330e55e687c9f00520a560c41f6013528cbb9ea42faeeb3201
SHA1: 1ca072554f6aa3a320587bff3ec200e61310654c
External References: https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/

Strike ID: M20-c38p1
Malware: Vatet
Platform: Windows
Info: This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR-encoded shellcode from the local disk or a network share. These loaders are often modified to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or, as of late, the PyXie RAT payload. Vatet Loader is often seen as the first stage in an enterprise-wide ransomware attack.
MD5: ddf9e95123d9b585fa9e164236bfd338
SHA256: 8373be56ddab97188a8606eb5f529187bfb819f5cb5a50c56f6a7878c94c7f86
SHA1: f87c2ce9936da536fa7e229adb6d79800a9961fe
External References: https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/

Strike ID: M20-g0121
Malware: PyXie
Platform: Windows
Info: This strike sends a malware sample known as PyXie RAT. PyXie is a Python remote access Trojan. It has been seen in the wild since 2018 and is typically seen in conjunction with Cobalt Strike beacons. PyXie has been used to deliver ransomware attacks against the healthcare and education industries.
MD5: 1856d7d2a60bfc2da5c36781294e5033
SHA256: c3b3f46a5c850971e1269d09870db755391dcbe575dc7976f90ccb1f3812d5ea
SHA1: e2ac158c425965b639b1ec5949e3c8300c278310
External References: https://blogs.blackberry.com/en/2019/12/meet-pyxie-a-nefarious-new-python-rat

Strike ID: M20-lalu1
Malware: Vatet
Platform: Windows
Info: This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR-encoded shellcode from the local disk or a network share. These loaders are often modified to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or, as of late, the PyXie RAT payload. Vatet Loader is often seen as the first stage in an enterprise-wide ransomware attack.
MD5: eb885e485049ee4516bbdf6d9c5f202d
SHA256: e5fede5eb43732c7f098acf7b68b1350c6524962215b476de571819b6e5a71fc
SHA1: 90851164d3452929fd2567de72153d1c018de994
External References: https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/

Strike ID: M20-vrn11
Malware: PyXie
Platform: Windows
Info: This strike sends a malware sample known as PyXie RAT. PyXie is a Python remote access Trojan. It has been seen in the wild since 2018 and is typically seen in conjunction with Cobalt Strike beacons. PyXie has been used to deliver ransomware attacks against the healthcare and education industries.
MD5: 54c11dcb706996a76976211c3685153d
SHA256: c9400b2fff71c401fe752aba967fa8e7009b64114c9c431e9e91ac39e8f79497
SHA1: 74ab88499a9b8d77cd9a8820e2884e617fa9245a
External References: https://blogs.blackberry.com/en/2019/12/meet-pyxie-a-nefarious-new-python-rat

Strike ID: M20-q8081
Malware: PyXie
Platform: Windows
Info: This strike sends a malware sample known as PyXie RAT. PyXie is a Python remote access Trojan. It has been seen in the wild since 2018 and is typically seen in conjunction with Cobalt Strike beacons. PyXie has been used to deliver ransomware attacks against the healthcare and education industries.
MD5: 2aac141539e4bac0320ce3992e632d97
SHA256: f9290cd938d134a480b41d99ac2c5513a964de001602ed34c6383dfeb577b8f7
SHA1: dc53f9f9f7dac4fa1ba748b2fa7e6819187f2f8e
External References: https://blogs.blackberry.com/en/2019/12/meet-pyxie-a-nefarious-new-python-rat

Strike ID: M20-75a91
Malware: Vatet
Platform: Windows
Info: This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR-encoded shellcode from the local disk or a network share. These loaders are often modified to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or, as of late, the PyXie RAT payload. Vatet Loader is often seen as the first stage in an enterprise-wide ransomware attack.
MD5: 68cb520d2084020638790187e34638ea
SHA256: e1653fe62e8d90153557324ffe4470d9c9262fe3bddad2bf555680b6078cf66a
SHA1: 94c14074d879fd773a1c331210cc4c6e282b9185
External References: https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/

Strike ID: M20-qwgb1
Malware: PyXie
Platform: Windows
Info: This strike sends a malware sample known as PyXie Lite. PyXie Lite is a variant of its predecessor PyXie, the Python RAT. It can be recognized by its much smaller code base and a few other noticeable changes in functionality, which include a hardened interpreter, a remapped opcode table, exfiltration of data through internal servers, and reconnaissance.
MD5: 127aa359a279cb299b63bb720f35ed1d
SHA256: 4d0176e2d6e30e31352f420a4dec79d26cb00f1e6c789b31e84cd05eb4d50956
SHA1: b826c09b4e6dd84c5d74ce4af5545f13eba64811
External References: https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/2/

Strike ID: M20-0l931
Malware: PyXie
Platform: Windows
Info: This strike sends a malware sample known as PyXie RAT. PyXie is a Python remote access Trojan. It has been seen in the wild since 2018 and is typically seen in conjunction with Cobalt Strike beacons. PyXie has been used to deliver ransomware attacks against the healthcare and education industries.
MD5: d76837f88a8d62351e2d551be2fe9893
SHA256: de44656b4a3dde6e0acdc6f59f73114ce6bb6342bec0dcd45da8676d78b0042e
SHA1: 1aad813f52a7627c94e236f15d2ac3b1d090c15a
External References: https://blogs.blackberry.com/en/2019/12/meet-pyxie-a-nefarious-new-python-rat

Strike ID: M20-m1mi1
Malware: Vatet
Platform: Windows
Info: This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR-encoded shellcode from the local disk or a network share. These loaders are often modified to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or, as of late, the PyXie RAT payload. Vatet Loader is often seen as the first stage in an enterprise-wide ransomware attack.
MD5: e2b15234dee641b74ee7959df2ae2e43
SHA256: 625c22b21277c8a7e1b701da9c1c21b64bfa02baef5d7a530a38f6d70a7a16d0
SHA1: 27fd1c79ce0f8459ed201886512f38af5e466bba
External References: https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/

Strike ID: M20-dozu1
Malware: PyXie
Platform: Windows
Info: This strike sends a malware sample known as PyXie Lite. PyXie Lite is a variant of its predecessor PyXie, the Python RAT. It can be recognized by its much smaller code base and a few other noticeable changes in functionality, which include a hardened interpreter, a remapped opcode table, exfiltration of data through internal servers, and reconnaissance.
MD5: 8357b48174b91644012b7969d2ae9597
SHA256: 510cf6e1c55a190490e93d222ea606ed888d222ecedda18bfb2f32bb73f33cab
SHA1: eb17b9cdce04f77428499afbb950f48249492a2a
External References: https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/2/

Strike ID: M20-0tvr1
Malware: Vatet
Platform: Windows
Info: This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR-encoded shellcode from the local disk or a network share. These loaders are often modified to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or, as of late, the PyXie RAT payload. Vatet Loader is often seen as the first stage in an enterprise-wide ransomware attack.
MD5: 164b162f8cd59acf9d3da0bec7ea1c52
SHA256: ccc162d3a3d6136a9c472d7d2d07acbae47f88a9a7d9b2c9b97b331e7ab7605d
SHA1: fdb3289f239a06023842d90c0e5cf6f8f0aa1c99
External References: https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/

Strike ID: M20-rp6s1
Malware: Sunburst_846e27a6
Platform: Windows
Info: This strike sends a malware sample known as Sunburst. Sunburst is a Trojan that has recently attacked many high-profile government, technology, telecom, and consulting companies in numerous locations in North America, Asia, Europe, and the Middle East. It is a SolarWinds digitally-signed component of the Orion software framework that contains a backdoor, which allows it to communicate with external servers for command-and-control functionality. The malware lies dormant for an extended period of time and then executes commands that allow for the transfer and execution of files, profiling of the system, and disabling of services.
MD5: 846e27a652a5e1bfbd0ddd38a16dc865
SHA256: ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6
SHA1: d130bd75645c2433f88ac03e73395fba172ef676
External References: https://blog.truesec.com/2020/12/17/the-solarwinds-orion-sunburst-supply-chain-attack/
https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html

Strike ID: M20-a1c21
Malware: Vatet
Platform: Windows
Info: This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR-encoded shellcode from the local disk or a network share. These loaders are often modified to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or, as of late, the PyXie RAT payload. Vatet Loader is often seen as the first stage in an enterprise-wide ransomware attack.
MD5: 225747a368357a5eafaac5337ee56c9a
SHA256: 3a3b7b198769de3e5d81a92aa166f783b611a39a7fcea1b5ec762b54295dbc8d
SHA1: 49a8ab54ac1137b9fa2281a9fdbd1d7b50cf6cee
External References: https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/

Strike ID: M20-8etv1
Malware: Vatet
Platform: Windows
Info: This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR-encoded shellcode from the local disk or a network share. These loaders are often modified to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or, as of late, the PyXie RAT payload. Vatet Loader is often seen as the first stage in an enterprise-wide ransomware attack.
MD5: 6f6a04e60af90862b2ced5864b6b23f9
SHA256: 95e5e83b10df32f06080bd6f8428592d81febbf55e72ec5f843dd6188bef25da
SHA1: ab96d796a4b394af911c5282446f61bcd94c1ae1
External References: https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/

Strike ID: M20-rmoa1
Malware: Barys_006a7221
Platform: Windows
Info: This strike sends a malware sample known as Barys. Barys is a trojan and downloader that will upload malicious files to the victim machine.
MD5: 006a72219afabff2f56695f413ca43db
SHA256: a98b443dab1373415ceefacf3be09bb209377827785a02e5f7d4a20c3badc01c
SHA1: 5e8f2e325a452ebfeeafeceb7ef6b1a8cbb186ad
External References: https://blog.talosintelligence.com/2020/12/threat-roundup-1127-1204.html

Strike ID: M20-4pvo1
Malware: Vatet
Platform: Windows
Info: This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR-encoded shellcode from the local disk or a network share. These loaders are often modified to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or, as of late, the PyXie RAT payload. Vatet Loader is often seen as the first stage in an enterprise-wide ransomware attack.
MD5: b90fbb7ae572eca2f64d14c0e0dc4a21
SHA256: cb2619b7aab52d612012386d88a0d983c270d9346169b75d2a55010564efc55c
SHA1: 39289138cd3d75cbffe41172772cb40acde3972a
External References: https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/

Strike ID: M20-bhso1
Malware: Vatet
Platform: Windows
Info: This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR-encoded shellcode from the local disk or a network share. These loaders are often modified to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or, as of late, the PyXie RAT payload. Vatet Loader is often seen as the first stage in an enterprise-wide ransomware attack.
MD5: 2f6340654f5d07c7a5d19b9d228dabb1
SHA256: 80c9d6cf4e8119dc2d0e263f3f4d5c3bf4221715117505d9d6a02e3671337bf8
SHA1: 40e314bef8a7fb314b8dfb8b641fa2426d198488
External References: https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/

Strike ID: M20-r1rf1
Malware: Barys_3c11a2bd
Platform: Windows
Info: This strike sends a polymorphic malware sample known as Barys. Barys is a trojan and downloader that will upload malicious files to the victim machine. The binary has random contents appended to one of the existing sections of the PE file.
MD5: 3c11a2bd2d5f1c68588dd60b742008f1
SHA256: e6ad8931d16e75beccc55f4706194876b6b13aaac6c291d453a981ccb20ff198
SHA1: 50b5f6ed2ab9c18b04ec24a6651ffbb7e162bcc7
PARENTID: M20-mxx31
SSDEEP: 384:UDLPVyLRFT8Mtls0IKJdhpEoa24+odbe419lZK38nmPsywEXZxg15iMISchoyMn:MgbT8MlIcdk+odC41HjmzZX630nMn
External References: https://arxiv.org/abs/1801.08917

Strike ID: M20-wnyb2
Malware: Vatet
Platform: Windows
Info: This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR-encoded shellcode from the local disk or a network share. These loaders are often modified to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or, as of late, the PyXie RAT payload. Vatet Loader is often seen as the first stage in an enterprise-wide ransomware attack.
MD5: 1d191d54cdd3adb4621b5c3a13d1ea91
SHA256: 01011bb45dec3b520ea09e5d9d3c9fb4acce74de72261f68ff1011f9ea6ccebb
SHA1: 3e6868e7359df4bddfdbd7575052431360c57dd9
External References: https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/

Strike ID: M20-039f1
Malware: Barys_d1365296
Platform: Windows
Info: This strike sends a polymorphic malware sample known as Barys. Barys is a trojan and downloader that will upload malicious files to the victim machine. The binary has one section renamed to a random name that conforms to the PE format specification.
MD5: d1365296a329a50b6d389373aa50fa01
SHA256: e30a372793ba1181082bb313a63f3c88e4075645d6fa30f84666e8feacb858eb
SHA1: 17525859a1efb97ad394092c0c561d43386ce9e1
PARENTID: M20-mxx31
SSDEEP: 384:ODLPVyLRFT8Mtls0IKJdhpEoa24+odbe419lZK38nmPsywEXZxg15iMISchoyMn:WgbT8MlIcdk+odC41HjmzZX630nMn
External References: https://arxiv.org/abs/1801.08917


Strike ID: M20-19el1
Malware: PyXie
Platform: Windows
Info: This strike sends a malware sample known as PyXie RAT. PyXie is a Python Remote Access Trojan. It has been observed in the wild since 2018 and is typically seen in conjunction with Cobalt Strike beacons. PyXie has been used to deliver ransomware attacks to the healthcare and education industries.
External References: https://blogs.blackberry.com/en/2019/12/meet-pyxie-a-nefarious-new-python-rat
SHA256: a765df03fffa343aa7a420a0a57d4b5c64366392ab6162c3561ff9f7b0ad5623
SHA1: ed495940c14db3067e841b1e1cd29724b4f8989c
MD5: aa03fbbd932b6f57d26c53cf7a01ef1b

Strike ID: M20-7twy1
Malware: Vatet
Platform: Windows
Info: This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR-encoded shellcode from the local disk or a network share. These loaders are often modified to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or, more recently, the PyXie RAT payload. Vatet Loader is often seen as the first stage in an enterprise-wide ransomware attack.
External References: https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/
SHA256: c5ca45581da0bbb3e4d0c6e51d602512fa52833cd16eebed351397a9a0326518
SHA1: 74b9f153234306a4e0f5c0cfa7bebb68eb0d3890
MD5: 13cc74a4168aab6c63b5e44358f47604

Strike ID: M20-p6nd1
Malware: Vatet
Platform: Windows
Info: This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR-encoded shellcode from the local disk or a network share. These loaders are often modified to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or, more recently, the PyXie RAT payload. Vatet Loader is often seen as the first stage in an enterprise-wide ransomware attack.
External References: https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/
SHA256: edecfdd2a26b4579ecacf453b9dff073233fb66d53c498632464bca8b3084dc5
SHA1: fb49d70aa78dae091a7fdf31d28a83d270e377bd
MD5: 9d4c4af4b600bb90e92a5c0b86551507

Strike ID: M20-kkm31
Malware: Vatet
Platform: Windows
Info: This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR-encoded shellcode from the local disk or a network share. These loaders are often modified to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or, more recently, the PyXie RAT payload. Vatet Loader is often seen as the first stage in an enterprise-wide ransomware attack.
External References: https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/
SHA256: 840985b782648d57de302936257ba3d537d21616cb81f9dce000eaf1f76a56c8
SHA1: adcdeb818c9dfc9f1c17bf3af5ba9523927ca643
MD5: 77e9031a6ba4afeecda915e914a352df

Strike ID: M20-pmq11
Malware: Vatet
Platform: Windows
Info: This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR-encoded shellcode from the local disk or a network share. These loaders are often modified to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or, more recently, the PyXie RAT payload. Vatet Loader is often seen as the first stage in an enterprise-wide ransomware attack.
External References: https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/
SHA256: 3928bd8f2fd2db4891b320fa85b37c2598706d27283818ad33a0eeac16d59192
SHA1: 2e489ff43e12c708430f3ea07024970a4d1ba737
MD5: e0d2c9aac9a8489a2154aff6e0abcb6e

Strike ID: M20-jzoq1
Malware: Vatet
Platform: Windows
Info: This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR-encoded shellcode from the local disk or a network share. These loaders are often modified to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or, more recently, the PyXie RAT payload. Vatet Loader is often seen as the first stage in an enterprise-wide ransomware attack.
External References: https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/
SHA256: 75728bc96c934c1521ae08e03ec916e20628e000b056c55b6ee04ccc18c602f6
SHA1: e741885b90a4d6b4699948b9184cf38bf838b890
MD5: 988b54d62c2163cdb5398ff6571e3c80

Strike ID: M20-mynx1
Malware: Chthonic_39a1430c
Platform: Windows
Info: This strike sends a polymorphic malware sample known as Chthonic. Chthonic is a banking trojan that is normally delivered by the attacker via phishing emails. Its purpose is to exfiltrate sensitive credentials from the victim machine, and it has also been seen delivering other malware, such as AZORult, to perform additional functionality. The binary has a random section name renamed according to the PE format specification.
External References: https://arxiv.org/abs/1801.08917
SHA256: 28dacb33875c738c866f6d41b16074f6ca48dee3aee14e8899f845912d02a50e
SHA1: eae617ce1247de24ce7caed9b13be5a2934f3c7c
PARENTID: M20-569e1
SSDEEP: 768:jh1SGw0Nd6EF+MIi3hISRdJlDED1Anx3LScmjElP/Vc6+DxIamqtswYh/YY86AAx:GV0Nd6EF+eljbx3LSqt+GF82jco
MD5: 39a1430c7d0bf12a9b42dad4e6b49ac6

Strike ID: M20-jyxn1
Malware: PyXie
Platform: Windows
Info: This strike sends a malware sample known as PyXie Lite. PyXie Lite is a variant of its predecessor PyXie, the Python RAT. It can be recognized by its much smaller code base and a few other noticeable changes in its functionality, which include a hardened interpreter, a remapped opcode table, exfiltration of data through internal servers, and reconnaissance.
External References: https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/2/
SHA256: fe564fb38a99dbb94cc8a66d8955b0b7f8e67bf0a5eb820c4a5d0c3efb96c1e5
SHA1: 5b231d4361da177cfe4c3343a1ba75fb099db547
MD5: a76db545952dcb01bdb966e656c3baca

Strike ID: M20-qgfs1
Malware: PyXie
Platform: Windows
Info: This strike sends a malware sample known as PyXie Lite. PyXie Lite is a variant of its predecessor PyXie, the Python RAT. It can be recognized by its much smaller code base and a few other noticeable changes in its functionality, which include a hardened interpreter, a remapped opcode table, exfiltration of data through internal servers, and reconnaissance.
External References: https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/2/
SHA256: 61b9b7e1329eb540dd751d1db6c00cc45d91b6f58db75ab0212976d4ec4c848e
SHA1: 9512a8aa4835c0aab0999a9ba17b60b1b976aeae
MD5: ed784123007890e3df70b2348779b007

Strike ID: M20-luhr1
Malware: PyXie
Platform: Windows
Info: This strike sends a malware sample known as PyXie RAT. PyXie is a Python Remote Access Trojan. It has been observed in the wild since 2018 and is typically seen in conjunction with Cobalt Strike beacons. PyXie has been used to deliver ransomware attacks to the healthcare and education industries.
External References: https://blogs.blackberry.com/en/2019/12/meet-pyxie-a-nefarious-new-python-rat
SHA256: 1d970f2e7af9962ae6786c35fcd6bc48bb860e2c8ca74d3b81899c0d3a978b2b
SHA1: c7e544de0ca082cb13e68265914dc3bd7d22ed55
MD5: fa8a1311b6488e40de471cc183ce50eb

Strike ID: M20-910a1
Malware: Vatet
Platform: Windows
Info: This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR-encoded shellcode from the local disk or a network share. These loaders are often modified to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or, more recently, the PyXie RAT payload. Vatet Loader is often seen as the first stage in an enterprise-wide ransomware attack.
External References: https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/
SHA256: b1f54b88c9b7680877981f6bebde6aea9effbc38a0a8b27a565fb35331094680
SHA1: e90b6b2edb9171d28cac4f437b1fa6a03b39e546
MD5: 643fbcda0041c2b57a2740bb02e16db0

Strike ID: M20-aei21
Malware: PyXie
Platform: Windows
Info: This strike sends a malware sample known as PyXie RAT. PyXie is a Python Remote Access Trojan. It has been observed in the wild since 2018 and is typically seen in conjunction with Cobalt Strike beacons. PyXie has been used to deliver ransomware attacks to the healthcare and education industries.
External References: https://blogs.blackberry.com/en/2019/12/meet-pyxie-a-nefarious-new-python-rat
SHA256: edd1480fe3d83dc4dc59992fc8436bc1f33bc065504dccf4b14670e9e2c57a89
SHA1: 08868d9b1a31b59ab8e3f4ac38f210ac8e080106
MD5: 9d3e12893fae7eb6c33682b5bbea6d93

Strike ID: M20-w0u91
Malware: Vatet
Platform: Windows
Info: This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR-encoded shellcode from the local disk or a network share. These loaders are often modified to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or, more recently, the PyXie RAT payload. Vatet Loader is often seen as the first stage in an enterprise-wide ransomware attack.
External References: https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/
SHA256: d7641089fd5d0474b835a633d6d852028b3481c18b3574023b021bfa1e3c1cc1
SHA1: 52c1795326e7704395450b07332c766fb0d1acc7
MD5: 1f937cbae354345087860c7d33e0e61d

Strike ID: M20-yp8y1
Malware: Vatet
Platform: Windows
Info: This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR-encoded shellcode from the local disk or a network share. These loaders are often modified to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or, more recently, the PyXie RAT payload. Vatet Loader is often seen as the first stage in an enterprise-wide ransomware attack.
External References: https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/
SHA256: bec5a3cfd7332241e3a7463d951b8f9a9e771d4f436d7776a426074a82d19a7d
SHA1: 1291b32719aef4f71732010263339e59726aaa90
MD5: fc2fefb951bfbfdb1e337c9019968c8d

Strike ID: M20-9ybb1
Malware: Vatet
Platform: Windows
Info: This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR-encoded shellcode from the local disk or a network share. These loaders are often modified to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or, more recently, the PyXie RAT payload. Vatet Loader is often seen as the first stage in an enterprise-wide ransomware attack.
External References: https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/
SHA256: 2b13dae3c35eb3958253dbf945f6609e59978c2aedbd163608f03920d7d3623b
SHA1: 974dc36f9342391724f1e911e6fd92fccce7ef1a
MD5: 81ba4107943bb4ad2ec351ba2417f987

Strike ID: M20-xxco1
Malware: PyXie
Platform: Windows
Info: This strike sends a malware sample known as PyXie RAT. PyXie is a Python Remote Access Trojan. It has been observed in the wild since 2018 and is typically seen in conjunction with Cobalt Strike beacons. PyXie has been used to deliver ransomware attacks to the healthcare and education industries.
External References: https://blogs.blackberry.com/en/2019/12/meet-pyxie-a-nefarious-new-python-rat
SHA256: e0f22863c84ee634b2650b322e6def6e5bb74460952f72556715272c6c18fe8e
SHA1: a0c913a04254c65154013904d99ea90d574ab3a2
MD5: a7da167512ae0077122e349e1cf54085

Strike ID: M20-5r9z1
Malware: Vatet
Platform: Windows
Info: This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR-encoded shellcode from the local disk or a network share. These loaders are often modified to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or, more recently, the PyXie RAT payload. Vatet Loader is often seen as the first stage in an enterprise-wide ransomware attack.
External References: https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/
SHA256: ecf3f4ba8dd16551908488cfbf2afd18a55584dbf81c28623026a29b9fa4a62d
SHA1: 100baeffdf9be3002d4ff15785a28ed75c6c0f7e
MD5: e843170e564321228fc88b9291a4265c

Strike ID: M20-xmrm1
Malware: Vatet
Platform: Windows
Info: This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR-encoded shellcode from the local disk or a network share. These loaders are often modified to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or, more recently, the PyXie RAT payload. Vatet Loader is often seen as the first stage in an enterprise-wide ransomware attack.
External References: https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/
SHA256: ddf83c02effea8ae9ec2c833bf40187bed23ec33c6b828af49632ef98004ea82
SHA1: 3a98e49010e7720abc5d5af43c6c1f665fe3dc0d
MD5: 615292e183cf11759b672148998bfa18

Strike ID: M20-oh7j1
Malware: Vatet
Platform: Windows
Info: This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR-encoded shellcode from the local disk or a network share. These loaders are often modified to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or, more recently, the PyXie RAT payload. Vatet Loader is often seen as the first stage in an enterprise-wide ransomware attack.
External References: https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/
SHA256: bd7da341a28a19618b53e649a27740dfeac13444ce0e0d505704b56335cc55bd
SHA1: 2418b3bb9690ff1f3b0ffbe3a7895800ba335903
MD5: ca4682a32cdaaf2c0357a2a79e32ee9b

Strike ID: M20-nbpl2
Malware: PyXie
Platform: Windows
Info: This strike sends a malware sample known as PyXie RAT. PyXie is a Python Remote Access Trojan. It has been observed in the wild since 2018 and is typically seen in conjunction with Cobalt Strike beacons. PyXie has been used to deliver ransomware attacks to the healthcare and education industries.
External References: https://blogs.blackberry.com/en/2019/12/meet-pyxie-a-nefarious-new-python-rat
SHA256: 7330fa1ca4e40cdfea9492134636ef06cd999efb71f510074d185840ac16675d
SHA1: 64f0b82b09081cb1782f9f5dc5011306764cd8a9
MD5: 4eab40382656af8fa25fb23b6e6473a0

Strike ID: M20-wfqq1
Malware: PyXie
Platform: Windows
Info: This strike sends a malware sample known as PyXie RAT. PyXie is a Python Remote Access Trojan. It has been observed in the wild since 2018 and is typically seen in conjunction with Cobalt Strike beacons. PyXie has been used to deliver ransomware attacks to the healthcare and education industries.
External References: https://blogs.blackberry.com/en/2019/12/meet-pyxie-a-nefarious-new-python-rat
SHA256: 3aa746bb94acee94c86a34cb0b355317de8404c91de3f00b40e8257b80c64741
SHA1: 54a06b7ec2dbf0db1976be14875ba8be0947fe70
MD5: 4201d7681dbbde038de0e5d3568363da

Strike ID: M20-qmya1
Malware: Gh0stRAT_a5d16fe0
Platform: Windows
Info: This strike sends a polymorphic malware sample known as Gh0stRAT. Gh0stRAT is a remote access Trojan that provides control over an infected system. Some of its known functions include the ability to record keystrokes, record screenshots and download additional malicious payloads. The binary has the timestamp field updated in the PE file header.
External References: https://attack.mitre.org/techniques/T1099/
SHA256: 004882c756bd37bc9fc49085b9fb6b1496a7deeabbf5849ff2e8a24dc519d7c7
SHA1: ade07b3275a20e1b42186e5563d1b32818b9874c
PARENTID: M20-gt381
SSDEEP: 1536:zbuXXlyLMFM6NRjebOZewU/R4kY6WpsQEYzQI4wb9DprLElnY+fsrcNgF0f2bb3X:WFyLM/NR+O8wl6usKH9DRJUyMrAn
MD5: a5d16fe034462a43c0ddb0b62a52121e

Strike ID: M20-zw841
Malware: PyXie
Platform: Windows
Info: This strike sends a malware sample known as PyXie RAT. PyXie is a Python Remote Access Trojan. It has been observed in the wild since 2018 and is typically seen in conjunction with Cobalt Strike beacons. PyXie has been used to deliver ransomware attacks to the healthcare and education industries.
External References: https://blogs.blackberry.com/en/2019/12/meet-pyxie-a-nefarious-new-python-rat
SHA256: e03680e0af40a6fa1a12bed2f701c6137335d28b3d222579552658e951cbd13c
SHA1: dc3cf5372363cb5a0f5b8124386e548f38da24d4
MD5: a07761d3be0749c5ba7da3d8222f1d86

Strike ID: M20-w2oz1
Malware: Vatet
Platform: Windows
Info: This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR-encoded shellcode from the local disk or a network share. These loaders are often modified to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or, more recently, the PyXie RAT payload. Vatet Loader is often seen as the first stage in an enterprise-wide ransomware attack.
External References: https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/
SHA256: 5aec2fa9e954473d9c6b5233512f833e63541965e2d2e4af2419a457676c440d
SHA1: d1df2aa545c341d512668fe82dfd067240d7d459
MD5: 8041965231306e1c2dff3695d6327524

Strike ID: M20-pceb1
Malware: Vatet
Platform: Windows
Info: This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR-encoded shellcode from the local disk or a network share. These loaders are often modified to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or, more recently, the PyXie RAT payload. Vatet Loader is often seen as the first stage in an enterprise-wide ransomware attack.
External References: https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/
SHA256: b7fbbbdf7e8795022a41f4e6a94be1de432ae1911e49625f73555e01a5fdc719
SHA1: 631722e3bb67297c0d0af1e5390a0390a16cd99d
MD5: 808c956808d1a47b50f51df08d45f391

Strike ID: M20-gjhy1
Malware: Vatet
Platform: Windows
Info: This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR-encoded shellcode from the local disk or a network share. These loaders are often modified to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or, more recently, the PyXie RAT payload. Vatet Loader is often seen as the first stage in an enterprise-wide ransomware attack.
External References: https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/
SHA256: 3259dd0efed1d28a149d4e8c4f980a19199d9bead951ee1231e3a26521185f2f
SHA1: 5de46e1ae70c456d867c7807a7dab337d11a03f0
MD5: 4f2c11ee45ce87eeee7789b43cc91ac3

Strike ID: M20-y21h2
Malware: Vatet
Platform: Windows
Info: This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR-encoded shellcode from the local disk or a network share. These loaders are often modified to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or, more recently, the PyXie RAT payload. Vatet Loader is often seen as the first stage in an enterprise-wide ransomware attack.
External References: https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/
SHA256: 6f1e8f91773609087a417cb34887f292a0be5c246dab667195854f979a45349a
SHA1: 61f4e7dff34352fd8d065e57abaa60b149ebaae3
MD5: b5d6214c223b3f6bc4a77c47e0e2a864

Strike ID: M20-p3ko1
Malware: Gh0stRAT_58db1853
Platform: Windows
Info: This strike sends a malware sample known as Gh0stRAT. Gh0stRAT is a remote access Trojan that provides control over an infected system. Some of its known functions include the ability to record keystrokes, record screenshots and download additional malicious payloads.
External References: https://blog.talosintelligence.com/2020/12/threat-roundup-1127-1204.html
SHA256: ad85f99b2d8de491c472aa7526dd02c4e788c2c7fbda519eb2e967c1419d3ec9
SHA1: ae744ee69906bc719a2db679f44ba288b9e9416d
MD5: 58db185381561f59c85b0f5eccb428af

Strike ID: M20-2wgr1
Malware: PyXie
Platform: Windows
Info: This strike sends a malware sample known as PyXie Lite. PyXie Lite is a variant of its predecessor PyXie, the Python RAT. It can be recognized by its much smaller code base and a few other noticeable changes in its functionality, which include a hardened interpreter, a remapped opcode table, exfiltration of data through internal servers, and reconnaissance.
External References: https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/2/
SHA256: 9847cea40cec394c947de06010ad1f3033316903b5c822ba16f9574acb30f0cd
SHA1: 518feab46fd17e85d685fe1b26bb3ff3eb7f499f
MD5: 571425452e7fa287ce283a4a4b479ff1

Strike ID: M20-adie1
Malware: Sunburst_56ceb6d0
Platform: Windows
Info: This strike sends a malware sample known as Sunburst. Sunburst is a malware Trojan that has recently attacked many high-profile government, technology, telecom, and consulting companies in numerous locations in North America, Asia, Europe, and the Middle East. It is a digitally signed SolarWinds component of the Orion software framework that contains a backdoor allowing it to communicate with external servers for command and control. The malware lies dormant for an extended period of time and then executes commands that allow for the transfer and execution of files, profiling the system, and disabling services.
External References: https://blog.truesec.com/2020/12/17/the-solarwinds-orion-sunburst-supply-chain-attack/
https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html
SHA256: c15abaf51e78ca56c0376522d699c978217bf041a3bd3c71d09193efa5717c71
SHA1: 75af292f34789a1c782ea36c7127bf6106f595e8
MD5: 56ceb6d0011d87b6e4d7023d7ef85676

Strike ID: M20-4h8j1
Malware: PyXie
Platform: Windows
Info: This strike sends a malware sample known as PyXie Lite. PyXie Lite is a variant of its predecessor PyXie, the Python RAT. It can be recognized by its much smaller code base and a few other noticeable changes in its functionality, which include a hardened interpreter, a remapped opcode table, exfiltration of data through internal servers, and reconnaissance.
External References: https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/2/
SHA256: 6485bec374f255831b7ddbfed9925e988dcd7e893f610842809dd7cd1988cffc
SHA1: 6c0bc83620d82967d75bcfb64196cc89a5a8ac11
MD5: 49819f0eee4399ea309d83fea14acb69

Strike ID: M20-08jw1
Malware: PyXie
Platform: Windows
Info: This strike sends a malware sample known as PyXie Lite. PyXie Lite is a variant of its predecessor PyXie, the Python RAT. It can be recognized by its much smaller code base and a few other noticeable changes in its functionality, which include a hardened interpreter, a remapped opcode table, exfiltration of data through internal servers, and reconnaissance.
External References: https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/2/
SHA256: c7ddbc24a57d1353d73533c47a65e5e3a74e3b666c1fed685fc90de1f089c72b
SHA1: 427c91fe58a5b05e0c1e164e0c1cddff651f96da
MD5: 78038fcb760ec0d4a446e243f496f026

Strike ID: M20-k9va1
Malware: Vatet
Platform: Windows
Info: This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR-encoded shellcode from the local disk or a network share. These loaders are often modified to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or, more recently, the PyXie RAT payload. Vatet Loader is often seen as the first stage in an enterprise-wide ransomware attack.
External References: https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/
SHA256: 2ceb5de547ad250140c7eb3c3d73e4331c94cf5a472e2806f93bf0d9df09d886
SHA1: fe14ed259e1125d6bec4d920af804cf0f6acf94b
MD5: 7031a1138e1892fb09bfbdf518dba07b

Strike ID: M20-46m51
Malware: Barys_c594feb4
Platform: Windows
Info: This strike sends a polymorphic malware sample known as Barys. Barys is a trojan and downloader that will upload malicious files to the victim machine. The binary has random bytes appended at the end of the file.
External References: https://attack.mitre.org/techniques/T1009/
SHA256: b09f5955b5e0e1bdbe2e21af580b6d48baecf8362bbc9ca02010605b28ce4078
SHA1: a74fd87caf08b2e5710340312e19d5ccbdbdb8a1
PARENTID: M20-mxx31
SSDEEP: 384:UDLPVyLRFT8Mtls0IKJdhpEoa24+odbe419lZK38nmPsywEXZxg15iMISchoyMnw:MgbT8MlIcdk+odC41HjmzZX630nMnw
MD5: c594feb41863cd0726eadf0e1c376ee6

Strike ID: M20-ybbq1
Malware: Vatet
Platform: Windows
Info: This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR-encoded shellcode from the local disk or a network share. These loaders are often modified to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or, more recently, the PyXie RAT payload. Vatet Loader is often seen as the first stage in an enterprise-wide ransomware attack.
External References: https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/
SHA256: e07dd37c92d24ac20b94a183e1f0a22a4eec0f950f441761c065faf0afd2abdd
SHA1: e01af7b18c432fa352fea4a166e56c60e6895d0a
MD5: e5b622b9864d3a2e31a4edac46c1cb0c

Strike ID: M20-xo5t1
Malware: PyXie
Platform: Windows
Info: This strike sends a malware sample known as PyXie Lite. PyXie Lite is a variant of its predecessor PyXie, the Python RAT. It can be recognized by its much smaller code base and a few other noticeable changes in its functionality, which include a hardened interpreter, a remapped opcode table, exfiltration of data through internal servers, and reconnaissance.
External References: https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/2/
SHA256: c58f5b3f7300a13fd9a0a61757e20399fc5e86544befdafae15e8809a02c2db0
SHA1: aaed6ef09b54137cb62bb55ec20f73407739537f
MD5: 38bb2a242823592548a6c6539d69e72a

Strike ID: M20-gt381
Malware: Gh0stRAT_d2a67090
Platform: Windows
Info: This strike sends a malware sample known as Gh0stRAT. Gh0stRAT is a remote access Trojan that provides control over an infected system. Some of its known functions include the ability to record keystrokes, record screenshots and download additional malicious payloads.
External References: https://blog.talosintelligence.com/2020/12/threat-roundup-1127-1204.html
SHA256: c10af0e4b2e6dd378d5c69d44cd61657dc96fa8facf5b61f45c9b49071208811
SHA1: e8cc4081e07c07c593424ccde149cd8782dd27e6
MD5: d2a67090e3a8b6d1ca55ff3f3f00c768

Strike ID: M20-f6xg1
Malware: Vatet
Platform: Windows
Info: This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR-encoded shellcode from the local disk or a network share. These loaders are often modified to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or, more recently, the PyXie RAT payload. Vatet Loader is often seen as the first stage in an enterprise-wide ransomware attack.
External References: https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/
SHA256: 66c2038c6d86333cbc51726bc54d3b8a00162493b2c92ca7f839b50435eaa314
SHA1: 500719895a31db2d1a3e81b3c798e39a89f3dee2
MD5: 94b27b9de692308cdb07aa6cc31391f1

Strike ID: M20-lise1
Malware: Vatet
Platform: Windows
Info: This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR-encoded shellcode from the local disk or a network share. These loaders are often modified to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or, more recently, the PyXie RAT payload. Vatet Loader is often seen as the first stage in an enterprise-wide ransomware attack.
External References: https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/
SHA256: 91c62841844bde653e0357193a881a42c0bc9fcc798a69f451511c6e4c46fd18
SHA1: 0491a3d718b76aae5f81bb8dfac49eb0c427f8a2
MD5: 41eff4cd049a8b5debf437b229e7c044

Strike ID: M20-p32m1
Malware: Vatet
Platform: Windows
Info: This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR-encoded shellcode from the local disk or a network share. These loaders are often modified to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or, more recently, the PyXie RAT payload. Vatet Loader is often seen as the first stage in an enterprise-wide ransomware attack.
External References: https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/
SHA256: 87210d6f1773473d28b51de21ed55ecfb6a9bd34f56d2d37f483ed05a1d7efd8
SHA1: 8b1da0482b98f77f86f35e830a4a94b3d884e3a0
MD5: 4b3064c24cb16361027233138fd539dc

Strike ID: M20-569e1
Malware: Chthonic_eda8ab97
Platform: Windows
Info: This strike sends a malware sample known as Chthonic. Chthonic is a banking trojan that is normally delivered by the attacker via phishing emails. Its purpose is to exfiltrate sensitive credentials from the victim machine, and it has also been seen delivering other malware, such as AZORult, to perform additional functionality.
External References: https://blog.talosintelligence.com/2020/12/threat-roundup-1127-1204.html
SHA256: d999dc87b0d9c537f3182f9ec8b1b2e781f1690f08ab69be141404f9ee9b1ce3
SHA1: 6b07119eb7943251d43fbeb07195065189bc0dcd
MD5: eda8ab9741ff7b166c04d59e4c778a45

Strike ID: M20-m3881
Malware: Defray777_aa1ddf0c
Platform: Linux
Info: This strike sends a malware sample known as Defray777. Defray777 is an elusive ransomware family, also known as RansomX and RansomExx, that has been active since 2018. It runs entirely in memory and is typically delivered and executed by a loader such as Cobalt Strike. The malware has been ported to Linux; however, unlike the Windows variant, the Linux variant does not employ anti-analysis measures to hinder reverse engineering.
External References: https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/3/
SHA256: cb408d45762a628872fa782109e8fcfc3a5bf456074b007de21e9331bb3c5849
SHA1: 91ad089f5259845141dfb10145271553aa711a2b
MD5: aa1ddf0c8312349be614ff43e80a262f

Strike ID: M20-c9oj1
Malware: Vatet
Platform: Windows
Info: This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR-encoded shellcode from the local disk or a network share. These loaders are often modified to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or, more recently, the PyXie RAT payload. Vatet Loader is often seen as the first stage in an enterprise-wide ransomware attack.
External References: https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/
SHA256: 47d6cc0a05218d0c1078dabf8d0ca7b7b424cdd73eaf3bf6261fa1b42f92fe0b
SHA1: 89372b60bcee0329e442e601a81766f88baf89e9
MD5: 23dae47577cda08dfc82e65e1217cbee

Strike ID: M20-p1491
Malware: Vatet
Platform: Windows
Info: This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR-encoded shellcode from the local disk or a network share. These loaders are often modified to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or, more recently, the PyXie RAT payload. Vatet Loader is often seen as the first stage in an enterprise-wide ransomware attack.
External References: https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/
SHA256: 73609f8ebd14c6970d9162ec8d7786f5264e910573dff73881f85b03163bd40e
SHA1: 41ec57139e036ccbc7feb2d6485bc4456317cd7e
MD5: 23594ad0ba8ec37ad5eaec84aee9cecd

Strike ID: M20-r3of1
Malware: Sunburst_2c4a910a
Platform: Windows
Info: This strike sends a malware sample known as Sunburst. Sunburst is a malware Trojan that has recently attacked many high-profile government, technology, telecom, and consulting companies in numerous locations in North America, Asia, Europe, and the Middle East. It is a digitally signed SolarWinds component of the Orion software framework that contains a backdoor allowing it to communicate with external servers for command and control. The malware lies dormant for an extended period of time and then executes commands that allow for the transfer and execution of files, profiling the system, and disabling services.
External References: https://blog.truesec.com/2020/12/17/the-solarwinds-orion-sunburst-supply-chain-attack/
https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html
SHA256: 019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134
SHA1: 2f1a5a7411d015d01aaee4535835400191645023
MD5: 2c4a910a1299cdae2a4e55988a2f102e

Strike ID: M20-bu5m1
Malware: Vatet
Platform: Windows
Info: This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR-encoded shellcode from the local disk or a network share. These loaders are often modified to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or, more recently, the PyXie RAT payload. Vatet Loader is often seen as the first stage in an enterprise-wide ransomware attack.
External References: https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/
SHA256: 1309b052618c6301901ec75cf552e7b49f93d66fb47d4de59b82d37d6ac39039
SHA1: 15fdcf02b66f83c11f6d256e37ff9a901685e354
MD5: 2133b1c7bb6145cdd121eb8c423d35a7

Strike ID: M20-p99v1
Malware: Vatet
Platform: Windows
Info: This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR-encoded shellcode from the local disk or a network share. These loaders are often modified to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or, more recently, the PyXie RAT payload. Vatet Loader is often seen as the first stage in an enterprise-wide ransomware attack.
External References: https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/
SHA256: 88565b4c707230eac34d4528205056264cd70d797b6b4eb7d891821b00187a69
SHA1: 682e5f116a0aea2b097f05c9a6009d6d499b71bc
MD5: ae07f0b180bc52b39000f50353e4e97d
Strike ID: M20-fvau1
Malware: PyXie
Platform: Windows
Info: This strike sends a malware sample known as PyXie Lite. PyXie Lite is a variant of its predecessor PyXie, the Python RAT. It can be recognized by its much smaller code base and a few other noticeable changes in its functionality, which include a hardened interpreter, a remapped opcode table, exfiltration of data through internal servers, and reconnaissance.
External References: https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/2/
SHA256: 5e90a331bafd98e41bcf36419c44bd7ff8296ac18cce652e944ae22db15a5366
SHA1: d2aca69c9060161cfa20c4e3aa92d3633f1cf8ba
MD5: 36ae75fd0c0afc7d6503f66880d6acf8
Strike ID: M20-vrpk1
Malware: Chthonic_7e665259
Platform: Windows
Info: This strike sends a malware sample known as Chthonic. Chthonic is a banking trojan that is normally delivered by the attacker via phishing emails. Its purpose is to exfiltrate sensitive credentials from the victim machine, and it has also been seen delivering other malware such as AZORult to perform additional functionality.
External References: https://blog.talosintelligence.com/2020/12/threat-roundup-1127-1204.html
SHA256: d5ed9e42ec45ed31455433272ab28baa6392ffbca83d787b272aae011ef5db13
SHA1: b55ca4aec4a079dc23f8b1842a743d201536bf8c
MD5: 7e665259f4178cfc254d809d3acfc2b2
Strike ID: M20-ziag1
Malware: Barys_2775ccd0
Platform: Windows
Info: This strike sends a polymorphic malware sample known as Barys. Barys is a trojan and downloader that will upload malicious files to the victim machine. The binary has a new section with random contents added in the PE file format.
External References: https://arxiv.org/abs/1801.08917
SHA256: c76b574047bf0fd21da5256ba787faea64ad816d2d1af16a23548a101d449be0
SHA1: d551a54045ed0eeb686284f2cd3b9adb28431e2b
PARENTID: M20-rmoa1
SSDEEP: 384:DDLPVyLRFT8Mtls0IKJdhpEoa24+odbe419lZK38nmPsywEJdxg15GMIScho9me:jgbT8MlIcdk+odC41HjmzZJmr0je
MD5: 2775ccd010831c057c8d3c822adf7fc3
Strike ID: M20-runn1
Malware: Vatet
Platform: Windows
Info: This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR-encoded shellcode from the local disk or a network share. These loaders are often modified to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or, more recently, the PyXie RAT payload. Vatet Loader is often seen as the first stage in an enterprise-wide ransomware attack.
External References: https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/
SHA256: c7f96f8b15c324bd6bf1aa16f6697d6d407f91ad2d7628a14d70f146334d34be
SHA1: e744a577e52d594342bb727ef268796553f2c0d3
MD5: aa0bf0045c4faa988815117cebcacdeb
Strike ID: M20-g4s61
Malware: Vatet
Platform: Windows
Info: This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR-encoded shellcode from the local disk or a network share. These loaders are often modified to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or, more recently, the PyXie RAT payload. Vatet Loader is often seen as the first stage in an enterprise-wide ransomware attack.
External References: https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/
SHA256: ce0936366976f07ea24e86733888e97e421393829ecfd0fde66bd943d4b992ab
SHA1: 69111b86feb35bc38f22f9cd3797144c3a154d2a
MD5: 4bee85530d15be0a9e6c8672e355ddc6
Strike ID: M20-mxx31
Malware: Barys_f815281e
Platform: Windows
Info: This strike sends a malware sample known as Barys. Barys is a trojan and downloader that will upload malicious files to the victim machine.
External References: https://blog.talosintelligence.com/2020/12/threat-roundup-1127-1204.html
SHA256: c88f7682caa26ce756341a27d45f3c6507641249b3b26e2381decf768930e43f
SHA1: 69174275cdef661c88060872d16f559726e391aa
MD5: f815281ed4b16169e0b474dbac612bbc
Strike ID: M20-bgsm1
Malware: Chthonic_4ad3b625
Platform: Windows
Info: This strike sends a malware sample known as Chthonic. Chthonic is a banking trojan that is normally delivered by the attacker via phishing emails. Its purpose is to exfiltrate sensitive credentials from the victim machine, and it has also been seen delivering other malware such as AZORult to perform additional functionality.
External References: https://blog.talosintelligence.com/2020/12/threat-roundup-1127-1204.html
SHA256: ae2261cf8620e125ea3f5ca178ed304858db9aba288d8db81c066ba3e9b6b470
SHA1: 490e553b0a1697935d32489d30bf4b4c97939cc8
MD5: 4ad3b625ebadf92523edc1b0730dba9a
Strike ID: M20-ug9n1
Malware: Vatet
Platform: Windows
Info: This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR-encoded shellcode from the local disk or a network share. These loaders are often modified to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or, more recently, the PyXie RAT payload. Vatet Loader is often seen as the first stage in an enterprise-wide ransomware attack.
External References: https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/
SHA256: d7d28af8af5be22ecca267bdc7e142667f584550cf8a3bbebdb1368725bb6469
SHA1: 2ff4fb871acd8e48b549a3c00df91c014ef1c0f7
MD5: 4d1b52e30629477a12dcf2bbbc196e88
Strike ID: M20-neon1
Malware: PyXie
Platform: Windows
Info: This strike sends a malware sample known as PyXie RAT. PyXie is a Python Remote Access Trojan. It has been seen in the wild since 2018, and is typically seen in conjunction with Cobalt Strike beacons. PyXie has been used to deliver ransomware attacks to the healthcare and education industries.
External References: https://blogs.blackberry.com/en/2019/12/meet-pyxie-a-nefarious-new-python-rat
SHA256: e2faf6586f8ac70cd98e4ec648f79435bfabaf84d440044aedce0c5c59b662e8
SHA1: 2b2aeeda9282e1b924e228bae316d265d1eeacc9
MD5: 4d9e184b5e67c83a4a9901ee43232934
Strike ID: M20-qz1e1
Malware: Defray777_fcd21c6f
Platform: Windows
Info: This strike sends a malware sample known as Defray777. Defray777 is an elusive family of ransomware, also known as RansomX and RansomExx, that has been active since 2018. It runs entirely in memory, and is typically delivered and executed by a loader such as Cobalt Strike. The malware has been ported to Linux; however, unlike the Windows variant, the Linux variant doesn't employ anti-analysis measures to hinder reverse engineering.
External References: https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/3/
SHA256: 4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458
SHA1: 0abaa05da2a05977e0baf68838cff1712f1789e0
MD5: fcd21c6fca3b9378961aa1865bee7ecb
Strike ID: M20-5upn1
Malware: Sunburst_b91ce2fa
Platform: Windows
Info: This strike sends a malware sample known as Sunburst. Sunburst is a Trojan that has recently attacked many high-profile government, technology, telecom, and consulting companies in numerous locations in North America, Asia, Europe, and the Middle East. It is a SolarWinds digitally-signed component of the Orion software framework that contains a backdoor allowing it to communicate with external servers for command and control. The malware lies dormant for an extended period of time and then executes commands that allow for the transfer and execution of files, profiling the system, and disabling services.
External References: https://blog.truesec.com/2020/12/17/the-solarwinds-orion-sunburst-supply-chain-attack/
https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html
SHA256: 32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77
SHA1: 76640508b1e7759e548771a5359eaed353bf1eec
MD5: b91ce2fa41029f6955bff20079468448
Strike ID: M20-c3ej1
Malware: PyXie
Platform: Windows
Info: This strike sends a malware sample known as PyXie Lite. PyXie Lite is a variant of its predecessor PyXie, the Python RAT. It can be recognized by its much smaller code base and a few other noticeable changes in its functionality, which include a hardened interpreter, a remapped opcode table, exfiltration of data through internal servers, and reconnaissance.
External References: https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/2/
SHA256: 84428ece8efcb6298435b15d3c4ea281592accf0990cc840ef3a7a0644191061
SHA1: 690e6e0067ca394b0f5177b398fe0e5563963adc
MD5: 111019f2333c79cd320b3acc474df34c
Strike ID: M20-aoa01
Malware: Gh0stRAT_52729f8b
Platform: Windows
Info: This strike sends a malware sample known as Gh0stRAT. Gh0stRAT is a remote access Trojan that provides control over an infected system. Some of its known functions include the ability to record keystrokes, record screenshots and download additional malicious payloads.
External References: https://blog.talosintelligence.com/2020/12/threat-roundup-1127-1204.html
SHA256: b2bf5993d399a91c2ef2d3629a201c8f97702b9359c0bef119e3391eaf47acab
SHA1: 3f9087791230f65247e353f499d6a156dfc77ae6
MD5: 52729f8b7185d792be872d0821a251a0
Strike ID: M20-gl0j1
Malware: PyXie
Platform: Windows
Info: This strike sends a malware sample known as PyXie RAT. PyXie is a Python Remote Access Trojan. It has been seen in the wild since 2018, and is typically seen in conjunction with Cobalt Strike beacons. PyXie has been used to deliver ransomware attacks to the healthcare and education industries.
External References: https://blogs.blackberry.com/en/2019/12/meet-pyxie-a-nefarious-new-python-rat
SHA256: ed675db1e7c93526141d40ba969bdc5bbdfd013932aaf1e644c66db66ff008e0
SHA1: 6a0a7e3a21888b87fde3323e0dc4fc085e71a8b7
MD5: 1cae93d1e1ab2e6bb1db8b65d374b785
Strike ID: M20-2de21
Malware: Vatet
Platform: Windows
Info: This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR-encoded shellcode from the local disk or a network share. These loaders are often modified to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or, more recently, the PyXie RAT payload. Vatet Loader is often seen as the first stage in an enterprise-wide ransomware attack.
External References: https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/
SHA256: a50a25a312adb9103e52e94018013ebdb6dbfe792a34122cacd53cfa3bbb26ac
SHA1: 9f98147977ce4afd45be30b05e6169ed3522a66e
MD5: 26e4a7443332461d330e6dc4e9a22f5b
Strike ID: M20-iilb1
Malware: Vatet
Platform: Windows
Info: This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR-encoded shellcode from the local disk or a network share. These loaders are often modified to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or, more recently, the PyXie RAT payload. Vatet Loader is often seen as the first stage in an enterprise-wide ransomware attack.
External References: https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/
SHA256: 0d14a1b5574dc12f6286d37d0a624232fb63079416b98c2e1cb5c61f8c2b66ff
SHA1: 4c8e2a76a08060d0bc727cb92962263d356d0e63
MD5: fe180737bfb5436a592581de52ed9368
Strike ID: M20-4zuy1
Malware: PyXie
Platform: Windows
Info: This strike sends a malware sample known as PyXie Lite. PyXie Lite is a variant of its predecessor PyXie, the Python RAT. It can be recognized by its much smaller code base and a few other noticeable changes in its functionality, which include a hardened interpreter, a remapped opcode table, exfiltration of data through internal servers, and reconnaissance.
External References: https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/2/
SHA256: a7affc0d93e27165ce44c55ae28189e8b55967443f9e464232f230ab4ba175ca
SHA1: f0f9bd7a786f3ea78ceada0749d36d802b20298f
MD5: e4940335c81b5bcd4713ad929027077e
Strike ID: M20-bkym1
Malware: Vatet
Platform: Windows
Info: This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR-encoded shellcode from the local disk or a network share. These loaders are often modified to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or, more recently, the PyXie RAT payload. Vatet Loader is often seen as the first stage in an enterprise-wide ransomware attack.
External References: https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/
SHA256: d612144c1f6d4a063530ba5bfae7ef4e4ae134bc55dcf067439471934b841b00
SHA1: c42bb245cddbaaeb80fe1b178600ca353161b9f0
MD5: 25e8d46d27e0a1034804aba00ba75d38
Strike ID: M20-mqub1
Malware: Barys_1aeb9636
Platform: Windows
Info: This strike sends a malware sample known as Barys. Barys is a trojan and downloader that will upload malicious files to the victim machine.
External References: https://blog.talosintelligence.com/2020/12/threat-roundup-1127-1204.html
SHA256: a404215539b7bc308e112222493ba4d59a41adeb5204e59ad14cd7836dd6a545
SHA1: 062caa4e2bda8b359cb6ff2ec160918b37ef1dcb
MD5: 1aeb9636011a15736fa535f7d3ba7f9d
Strike ID: M20-q0yy1
Malware: Sunburst_d5aad0d2
Platform: Windows
Info: This strike sends a malware sample known as Sunburst. Sunburst is a Trojan that has recently attacked many high-profile government, technology, telecom, and consulting companies in numerous locations in North America, Asia, Europe, and the Middle East. It is a SolarWinds digitally-signed component of the Orion software framework that contains a backdoor allowing it to communicate with external servers for command and control. The malware lies dormant for an extended period of time and then executes commands that allow for the transfer and execution of files, profiling the system, and disabling services.
External References: https://blog.truesec.com/2020/12/17/the-solarwinds-orion-sunburst-supply-chain-attack/
https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html
SHA256: abe22cf0d78836c3ea072daeaf4c5eeaf9c29b6feb597741651979fc8fbd2417
SHA1: b485953ed77caefe81bff0d9b349a33c5cea4cde
MD5: d5aad0d248c237360cf39c054b654d69
Strike ID: M20-fibd1
Malware: PyXie
Platform: Windows
Info: This strike sends a malware sample known as PyXie RAT. PyXie is a Python Remote Access Trojan. It has been seen in the wild since 2018, and is typically seen in conjunction with Cobalt Strike beacons. PyXie has been used to deliver ransomware attacks to the healthcare and education industries.
External References: https://blogs.blackberry.com/en/2019/12/meet-pyxie-a-nefarious-new-python-rat
SHA256: 3a47e59c37dce42304b345a16ba6a3d78fc44b21c4d0e3a0332eee21f1d13845
SHA1: 3a196669ea458c4e9e3bc4272c7046c688fd63b3
MD5: 837dda0135b0aa7628874b451c66b50f
Strike ID: M20-npvg1
Malware: Vatet
Platform: Windows
Info: This strike sends a malware sample known as Vatet Loader. Vatet is a loader that executes XOR-encoded shellcode from the local disk or a network share. These loaders are often modified to execute the attacker's shellcode, which is usually Cobalt Strike beacons and/or stagers or, more recently, the PyXie RAT payload. Vatet Loader is often seen as the first stage in an enterprise-wide ransomware attack.
External References: https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/
SHA256: 7ad92c9d63bd9ed305acbe217c40f9945deb98ed5ecced8b92b93332dc27d3c6
SHA1: 0f0966c832dcb143be60ce1f296f8b177e4f0220
MD5: 6363cba1430bf8a617d789b49e275975

Malware Strikes November - 2020

Strike ID Malware Platform Info MD5 External References
Strike ID: M20-be2v1
Malware: Zegost_46762216
Platform: Windows
Info: This strike sends a malware sample known as Zegost. Zegost, also known as Zusy, uses man-in-the-middle attacks to steal banking information. When executed, it injects itself into legitimate Windows processes such as "explorer.exe" and "winver.exe". When the user accesses a banking website, it displays a form to trick the user into submitting personal information.
External References: https://blog.talosintelligence.com/2020/11/threat-roundup-1106-1113.html
SHA256: 00331272677a88d4775ab1a949ab287ac412aeaa182ed3d3561673d36d571198
SHA1: 6b4a24a51478936573579b6599cf5c08c19aff91
MD5: 4676221611d727a8b2c54f6e78da92ee
Strike ID: M20-sj181
Malware: Scar_0f32fa41
Platform: Windows
Info: This strike sends a malware sample known as Scar. Scar is a worm that downloads files while also trying to spread to other machines by copying itself to removable media.
External References: https://blog.talosintelligence.com/2020/11/threat-roundup-1106-1113.html
SHA256: 0e4c2e2cc046d82a2287ee3bcba656449660dadf6dba3bc9b1c3017f1fb650e9
SHA1: 7a0982cb7fc3cbf8752cebad1c1fbcbe90c3836a
MD5: 0f32fa41e160bdb3ad0ce83daad79f75
Strike ID: M20-98an1
Malware: Kuluoz_a250b5c8
Platform: Windows
Info: This strike sends a malware sample known as Kuluoz. Kuluoz, also called Asprox, is a remote access trojan that has been known to download and execute additional malware such as fake antivirus software.
External References: https://blog.talosintelligence.com/2020/11/threat-roundup-1106-1113.html
SHA256: 052e0204d7d9aa823e6074db99c124911c1c3575026a12a2d0b3ed4edc313586
SHA1: 930cecb3e758784add6930e51652cbef129b9c1e
MD5: a250b5c892d7c5b73d1d37b5305b1898
Strike ID: M20-toh31
Malware: Kuluoz_330ba1d3
Platform: Windows
Info: This strike sends a polymorphic malware sample known as Kuluoz. Kuluoz, also called Asprox, is a remote access trojan that has been known to download and execute additional malware such as fake antivirus software. The binary has the checksum removed in the PE file format.
External References: https://arxiv.org/abs/1801.08917
SHA256: d15cc86f5308193f5eaeb02be97961cb850a6efcb26a9c60d640d40232f9decd
SHA1: 6e64e491d93f9c9e87d6a12e832f015a52be7975
PARENTID: M20-vqam1
SSDEEP: 3072:t+3rnRRy6Z296cjNZGI5pYYdftMdzsFGY9f:srRRyD5E7YZOCQY
MD5: 330ba1d383004c9ca6dca37fbbea2467
Strike ID: M20-1uls1
Malware: Scar_0274c84c
Platform: Windows
Info: This strike sends a malware sample known as Scar. Scar is a worm that downloads files while also trying to spread to other machines by copying itself to removable media.
External References: https://blog.talosintelligence.com/2020/11/threat-roundup-1106-1113.html
SHA256: 0a0a9da107427744e53c7fe3b52ed7af370502197c3c301c32c0199ffc7e0ac8
SHA1: 4e7fd41dd1ec3b57647c8103157f2ed5242b416c
MD5: 0274c84cd3e88e0f60f8843f56b3a632
Strike ID: M20-a5n71
Malware: Scar_33454c7f
Platform: Windows
Info: This strike sends a malware sample known as Scar. Scar is a worm that downloads files while also trying to spread to other machines by copying itself to removable media.
External References: https://blog.talosintelligence.com/2020/11/threat-roundup-1106-1113.html
SHA256: 0a64542d9bb9dbc1264d80503b03aa119ac4f38cf8369f5e0d66a4e985e99b83
SHA1: 6902facb04325d6476dce00e0a5131a71ca227c5
MD5: 33454c7f55343c4200bbf4f7b7fc767e
Strike ID: M20-fv3k1
Malware: Ruskill_b3a7b671
Platform: Windows
Info: This strike sends a polymorphic malware sample known as Ruskill. Ruskill is a botnet that spreads via removable media and through messaging applications. It steals credentials and launches distributed denial-of-service attacks. The binary file has one more import added in the import table.
External References: https://arxiv.org/abs/1702.05983
SHA256: efe951051689b8ca1913b2db392ad2bc32fcc63502e302960af50bb7ec444c03
SHA1: ca15aa98feefc81be7388049b14c063f5b4d9232
PARENTID: M20-b3zp1
SSDEEP: 3072:6eZAb3i+S4XAg0Fuh/oAu005l+x+fQ5UpkK3LIu78iPNH4jrsgd1zS+wL0/PMsVV:6efEAOZo3f78ENmrJdRS++0nn0uug
MD5: b3a7b6717595d216675b92c351502193
Strike ID: M20-j8yz1
Malware: LokiBot_ce3ac223
Platform: Windows
Info: This strike sends a malware sample known as LokiBot. LokiBot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered in spam emails.
External References: https://blog.talosintelligence.com/2020/11/threat-roundup-1113-1120.html
SHA256: 6dea1bdf016f1e88f6fedfa3b79d89ebfed8f1aa0db547a7d389bc59b589f18a
SHA1: c954f28aed0a616a68c19aa9aaa5a569dd7451ac
MD5: ce3ac2236b1cdd0a2695dce6ba384477
Strike ID: M20-exg71
Malware: Zegost_1c449492
Platform: Windows
Info: This strike sends a malware sample known as Zegost. Zegost, also known as Zusy, uses man-in-the-middle attacks to steal banking information. When executed, it injects itself into legitimate Windows processes such as "explorer.exe" and "winver.exe". When the user accesses a banking website, it displays a form to trick the user into submitting personal information.
External References: https://blog.talosintelligence.com/2020/11/threat-roundup-1106-1113.html
SHA256: d73e05c11d942abda55aaa50a6c96e235508777c89985208c8e0f94195df9d67
SHA1: 69197ebe64f7c9f0cd789be063822eea5239c767
MD5: 1c4494926a2b2555a13753a528bca733
Strike ID: M20-ta6w1
Malware: Upatre_f0256ed3
Platform: Windows
Info: This strike sends a malware sample known as Upatre. Upatre is a malicious downloader often used by exploit kits and phishing campaigns. Upatre downloads and executes malicious executables, such as banking malware.
External References: https://blog.talosintelligence.com/2020/11/threat-roundup-1030-1106.html
SHA256: 14248c863bdaea2df1bde2d0a01f3d2506a2bcf5810fb651b27e2fe16b03b2e7
SHA1: 0634310f2401a7496b3c2db32dc70a3afc4a4ae8
MD5: f0256ed39ffdd70c0df59941538d041b
Strike ID: M20-4tpo1
Malware: Ruskill_653db921
Platform: Windows
Info: This strike sends a polymorphic malware sample known as Ruskill. Ruskill is a botnet that spreads via removable media and through messaging applications. It steals credentials and launches distributed denial-of-service attacks. The binary has random contents appended to one of the existing sections in the PE file format.
External References: https://arxiv.org/abs/1801.08917
SHA256: 5d0a7067f9f5275a256e1a45b2cbb815e0589ae28723d93b6aaf99184e138f1e
SHA1: 3227f0fd7b55813cbed5a0617117052f2656f620
PARENTID: M20-b3zp1
SSDEEP: 3072:KeZAb3i+SYngFAg0Fuh/oAOnge05l+x+fQ5UpkK3LIu78iPNH4jrsgd1zS+wL0/b:KefrFAOZoIPf78ENmrJdRS++0nn0u
MD5: 653db92104917aa366ce680b9ac563dc
Strike ID: M20-yhbo1
Malware: Upatre_1ba36e0d
Platform: Windows
Info: This strike sends a malware sample known as Upatre. Upatre is a malicious downloader often used by exploit kits and phishing campaigns. Upatre downloads and executes malicious executables, such as banking malware.
External References: https://blog.talosintelligence.com/2020/11/threat-roundup-1030-1106.html
SHA256: 0edaf9c336bb1123ed3dc419a54d483670352cb075c70bb8ed59cbe38048e482
SHA1: be5d59a67202cfb805cb82883ef476598bc20f04
MD5: 1ba36e0dd3b26bce1b1c9dabefb4fa96
Strike ID: M20-ps131
Malware: Scar_628f4334
Platform: Windows
Info: This strike sends a malware sample known as Scar. Scar is a worm that downloads files while also trying to spread to other machines by copying itself to removable media.
External References: https://blog.talosintelligence.com/2020/11/threat-roundup-1106-1113.html
SHA256: 0104ced43c17c50d44ef5517e095d15d38cc922071a5370bd4526e40802e05a3
SHA1: 5ba7dc5f628f4afc4be883f10f10ec0206b88bc7
MD5: 628f4334ccffc5726199ac0cdf0d31d1
Strike ID: M20-0lxw1
Malware: Kuluoz_4f2d6b2a
Platform: Windows
Info: This strike sends a polymorphic malware sample known as Kuluoz. Kuluoz, also called Asprox, is a remote access trojan that has been known to download and execute additional malware such as fake antivirus software. The binary file has one more import added in the import table.
External References: https://arxiv.org/abs/1702.05983
SHA256: ac8f24adc539fd1255ed7b2a633ead7715a3c870a7cc531680b4beb2f3cf717e
SHA1: 0b1e4f86aeb9d95c9dac91ce7dc68d1c948ba3a6
PARENTID: M20-vqam1
SSDEEP: 3072:O+3rnRRy6Z296cjNZGIJtYYdftMdzsFGY9fs:RrRRyD5EbYZOCQY
MD5: 4f2d6b2ad873d6e30155a0dd44202d55
Strike ID: M20-a4tk1
Malware: Zegost_88ae879a
Platform: Windows
Info: This strike sends a malware sample known as Zegost. Zegost, also known as Zusy, uses man-in-the-middle attacks to steal banking information. When executed, it injects itself into legitimate Windows processes such as "explorer.exe" and "winver.exe". When the user accesses a banking website, it displays a form to trick the user into submitting personal information.
External References: https://blog.talosintelligence.com/2020/11/threat-roundup-1106-1113.html
SHA256: fcfebe1d5d63610ffff431cffda049582931c3c1dd7e6a2ca10258a230b8e21c
SHA1: 9b60a57c659b7b1365c969b694718e14de53a032
MD5: 88ae879afdc027bcb823d51dbb777d15
Strike ID: M20-vymy1
Malware: LokiBot_298271a7
Platform: Windows
Info: This strike sends a malware sample known as LokiBot. LokiBot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered in spam emails.
External References: https://blog.talosintelligence.com/2020/11/threat-roundup-1113-1120.html
SHA256: 0204655a385df7ad8797bfc31f817e1208e7e62154c866a333683f35aa9a7d41
SHA1: 1aa220d1403461427f235ca5311be174686c9ba8
MD5: 298271a724316ae773dfbebea4703038
Strike ID: M20-6xmt1
Malware: Upatre_8df21c17
Platform: Windows
Info: This strike sends a malware sample known as Upatre. Upatre is a malicious downloader often used by exploit kits and phishing campaigns. Upatre downloads and executes malicious executables, such as banking malware.
External References: https://blog.talosintelligence.com/2020/11/threat-roundup-1030-1106.html
SHA256: 0fc901eb87412c4c4734827a0b220de9f6a5932600d1f15bfb643ef2b9eeb0e2
SHA1: 3fd85c6997e889a0dd35054673c60aeaf19ffcb7
MD5: 8df21c177228404e4b420b9753f10f14
Strike ID: M20-749i1
Malware: TinyBanker_ebf2fb86
Platform: Windows
Info: This strike sends a malware sample known as TinyBanker. TinyBanker, also known as Zusy or Tinba, is a trojan that uses a JavaScript-injected form to steal banking information. When executed, it injects itself into Windows processes like "explorer.exe" and "winver.exe".
External References: https://blog.talosintelligence.com/2020/11/threat-roundup-1106-1113.html
SHA256: 2d792d1df39ab0201d721c389eb4094568e2fbc96c6d1e9f6d8711c96669ed8d
SHA1: c34f81d4a9c1f8d364d6fbefa4b9bc86fc5c046b
MD5: ebf2fb861086af8914d60d11d6451977
Strike ID: M20-zpqj1
Malware: LokiBot_cf156148
Platform: Windows
Info: This strike sends a malware sample known as LokiBot. LokiBot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered in spam emails.
External References: https://blog.talosintelligence.com/2020/11/threat-roundup-1113-1120.html
SHA256: baedd4452291763813c3fcb3129f1be226b33c5e2ccc8fb85bf6d614c57da29d
SHA1: 1249d133595c252eb5d0ad44c05e7e4e16c7ed15
MD5: cf1561485f3bae2ae2e9ba8a09a28e3d
Strike ID: M20-9c5o1
Malware: LokiBot_754ba410
Platform: Windows
Info: This strike sends a malware sample known as LokiBot. LokiBot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered in spam emails.
External References: https://blog.talosintelligence.com/2020/11/threat-roundup-1113-1120.html
SHA256: 1ab3437a50129edfc7fb6fb1117468f6166387e29e7b8b84123bc817fa80ec53
SHA1: f3efb9cb4392fbfc45fce0781090150dda5f2c28
MD5: 754ba4100095de1dfb830d226af267eb
Strike ID: M20-fi9r1
Malware: Kuluoz_18ebe58a
Platform: Windows
Info: This strike sends a malware sample known as Kuluoz. Kuluoz, also called Asprox, is a remote access trojan that has been known to download and execute additional malware such as fake antivirus software.
External References: https://blog.talosintelligence.com/2020/11/threat-roundup-1106-1113.html
SHA256: 147f5d45e43693be523fb498df1a864fc7753454fa3842cddd682502e44b8703
SHA1: dfd98e9e859b983d1813201f3eb65ca2d92dfa15
MD5: 18ebe58a606b06daac837db615ceb3ae
Strike ID: M20-9h2k1
Malware: Kuluoz_2470172c
Platform: Windows
Info: This strike sends a malware sample known as Kuluoz. Kuluoz, also called Asprox, is a remote access trojan that has been known to download and execute additional malware such as fake antivirus software.
External References: https://blog.talosintelligence.com/2020/11/threat-roundup-1106-1113.html
SHA256: 102dc1c84b94f9f5e5723c544f34f737dc2c9ac54fa95c89942fdf2cefc3bff2
SHA1: b24b266fb003d9fbfff77517fe9ed0b53c3d292e
MD5: 2470172c7e9f2ead84917c01bb009992
Strike ID: M20-z22p1
Malware: LokiBot_4d198d9c
Platform: Windows
Info: This strike sends a malware sample known as LokiBot. LokiBot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered in spam emails.
External References: https://blog.talosintelligence.com/2020/11/threat-roundup-1113-1120.html
SHA256: 18885983795417170faf05d6f4c58dc6dc2ef4977f97d37a2b2c461cc3d0f4a2
SHA1: 343d81618c27bd77467ba7eca36e17e9012a9473
MD5: 4d198d9c0564a594ce46be7bce19edd6
Strike ID: M20-5ytn1
Malware: LokiBot_47026faf
Platform: Windows
Info: This strike sends a malware sample known as LokiBot. LokiBot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered in spam emails.
External References: https://blog.talosintelligence.com/2020/11/threat-roundup-1113-1120.html
SHA256: 26f747be5df0197b793030c61e5bdc84336057b7e40153e42e6f17b50cd420ec
SHA1: 99c019ef2bfd0ada44d57eb46f047faaf0a411fe
MD5: 47026fafcb973ba3387e8c97f6871bb1
Strike ID: M20-ehnu1
Malware: Upatre_3affcb33
Platform: Windows
Info: This strike sends a malware sample known as Upatre. Upatre is a malicious downloader often used by exploit kits and phishing campaigns. Upatre downloads and executes malicious executables, such as banking malware.
External References: https://blog.talosintelligence.com/2020/11/threat-roundup-1030-1106.html
SHA256: 1339b417dc6a9fb2f4148ce0922d91b7dbfd16a18b23eddf45698e5859a21a28
SHA1: a8ed34c9fa381d8a9fd83e0da9c8ba3e8777e322
MD5: 3affcb33be9245925725fac356b626c7
Strike ID: M20-djld1
Malware: LokiBot_9080d22e
Platform: Windows
Info: This strike sends a polymorphic malware sample known as LokiBot. LokiBot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered in spam emails. The binary has been packed using the UPX packer with the default options.
External References: https://attack.mitre.org/techniques/T1045/
SHA256: 0ec2524eedaa47e7b9be76a29a3d44e60b5ff9389ad5643ab5b2d64b0dc6f639
SHA1: b5326e2e9bd01342aa708f780367e5882a6fe0b9
PARENTID: M20-dkum1
SSDEEP: 6144:4NJcrNeJgEMtxC1B6WurrD0FpWvCmqD3C7uW/JPnkqpHCmVafem:Xxeoq1FuropW63CfJPkqpigZm
MD5: 9080d22e80227fff2e55c42ca53b4061
Strike ID: M20-x1ky1
Malware: Scar_3171bbe3
Platform: Windows
Info: This strike sends a malware sample known as Scar. Scar is a worm that downloads files while also trying to spread to other machines by copying itself to removable media.
External References: https://blog.talosintelligence.com/2020/11/threat-roundup-1106-1113.html
SHA256: 19e5a32971083cf05139a5440aa32ec245e382cf97b39c0dfd78d0517bd76156
SHA1: ce00c9f019a282fcc8e23e081f066ad936e40514
MD5: 3171bbe396ea5bec0d85042f7e891677
Strike ID: M20-b3zp1
Malware: Ruskill_be5e43f2
Platform: Windows
Info: This strike sends a malware sample known as Ruskill. Ruskill is a botnet that spreads via removable media and through messaging applications. It steals credentials and launches distributed denial-of-service attacks.
External References: https://blog.talosintelligence.com/2020/11/threat-roundup-1030-1106.html
SHA256: e94e2513ae3d7d289ddd91e059554e0416a2e912e5153607c7f4de99a6a05282
SHA1: 03a7ec0e3607010cb872fd08b3b367fd6bb53cb3
MD5: be5e43f2786d628b7aa8689c2108247d
Strike ID: M20-1tr41
Malware: Zegost_b4d81bd7
Platform: Windows
Info: This strike sends a polymorphic malware sample known as Zegost. Zegost, also known as Zusy, uses man-in-the-middle attacks to steal banking information. When executed, it injects itself into legitimate Windows processes such as "explorer.exe" and "winver.exe". When the user accesses a banking website, it displays a form to trick the user into submitting personal information. The binary has been packed using the UPX packer with the default options.
External References: https://attack.mitre.org/techniques/T1045/
SHA256: 5ee23b7541c85513df1d260ac7b25c2825a7cec5144ef7f86aef38066326af7e
SHA1: b6abda109dd932785b479312b106e47524320992
PARENTID: M20-a4tk1
SSDEEP: 1536:blncXusueq0pzMaJ5EK5ylBsmaGRrnGxBug2gVjiBIrAAsG6awM:pnk3q0LxK68
MD5: b4d81bd727d1b0f197e83dfe045147f0
Strike ID: M20-kuwr1
Malware: Kuluoz_cdf5509f
Platform: Windows
Info: This strike sends a malware sample known as Kuluoz. Kuluoz, also called Asprox, is a remote access trojan that has been known to download and execute additional malware such as fake antivirus software.
External References: https://blog.talosintelligence.com/2020/11/threat-roundup-1106-1113.html
SHA256: 05c69adb568ceccc1817572db5ce9b124614cad27e6bf61e09e370e86619d9e5
SHA1: 5547743d81d92b997224148ed71931925e6d2ba7
MD5: cdf5509f6620ea3199e5bd0a34530435
M20-rz9r1 | Zegost_114a0086 | Windows | This strike sends a malware sample known as Zegost. Zegost, also known as Zusy, uses man-in-the-middle attacks to steal banking information. When executed, it injects itself into legitimate Windows processes such as "explorer.exe" and "winver.exe". When the user accesses a banking website, it displays a form to trick the user into submitting personal information. | 114a00861438a53af3626629f072c496 | https://blog.talosintelligence.com/2020/11/threat-roundup-1106-1113.html
SHA256: 5d21dc1acd0a1dc1f3eee5da9a1fd8caa2830fc17cc1bbb7d48322c20c528e3b
SHA1: 58c10e0af3cc6ad9a02880ada017b5b95ac6fde7
MD5: 114a00861438a53af3626629f072c496
M20-yfho1 | Ruskill_4cc1fdf0 | Windows | This strike sends a polymorphic malware sample known as Ruskill. Ruskill is a botnet that spreads via removable media and through messaging applications. It steals credentials and takes part in distributed denial-of-service attacks. The binary has its PE checksum field cleared. | 4cc1fdf07ade397fe202ff10dcd9d1d3 | https://arxiv.org/abs/1801.08917
SHA256: 8fa14c7d8971a6ef7455fe3595f7bef89b1b58f814cf4cb4008e2138b6d79798
SHA1: f9bc211a993da5fbc0ac2cd59f513038606d828b
PARENTID: M20-b3zp1
SSDEEP: 3072:KeZAb3i+SYngFAg0Fuh/oAOnge05l+x+fQ5UpkK3LIu78iPNH4jrsgd1zS+wL0/b:KefrFAOZoIPf78ENmrJdRS++0nn0u
MD5: 4cc1fdf07ade397fe202ff10dcd9d1d3
M20-9r711 | Kuluoz_317767f7 | Windows | This strike sends a malware sample known as Kuluoz. Kuluoz, also called Asprox, is a remote access trojan known to download and execute additional malware such as fake antivirus software. | 317767f77668bbd3f31cf19b7c0bfb99 | https://blog.talosintelligence.com/2020/11/threat-roundup-1106-1113.html
SHA256: 164d7067512529bc58a2c4f7559b2febe1adbf25a510229d180c6dc83f3c79d5
SHA1: b32e9ea71127d83027ae890a2e70a6fff06db829
MD5: 317767f77668bbd3f31cf19b7c0bfb99
M20-znq91 | Scar_0c6c38f7 | Windows | This strike sends a polymorphic malware sample known as Scar. Scar is a worm that downloads files and tries to spread to other machines by copying itself to removable media. The binary has random strings (lorem ipsum) appended at the end of the file. | 0c6c38f795d373fc8f5fc07f908903c4 | https://attack.mitre.org/techniques/T1009/
SHA256: 71cbe6f587485263adfb09cbe7d72ffa8ae4aad8010bd6861af1b8ae62313990
SHA1: 4ba4c168b6662702eaf96c1a4031b8a677cd985b
PARENTID: M20-z5lw1
SSDEEP: 1536:XeNCn/HB8HMNYDBbZDeNCn/HB8ir6Ze8qVgMXL5Vl:XeGOMNYPDeGR6vYfl
MD5: 0c6c38f795d373fc8f5fc07f908903c4
M20-8zgd1 | Scar_2008fa22 | Windows | This strike sends a malware sample known as Scar. Scar is a worm that downloads files and tries to spread to other machines by copying itself to removable media. | 2008fa2210a7123f228d83616b5b206b | https://blog.talosintelligence.com/2020/11/threat-roundup-1106-1113.html
SHA256: 044b16ad91fcea7968cf813f2f14978051f08420a85ef2adfc3b72e6710dd7b8
SHA1: a0742fa353a9580d99e8def64e49049a179cf005
MD5: 2008fa2210a7123f228d83616b5b206b
M20-md401 | Zegost_5bde8a69 | Windows | This strike sends a malware sample known as Zegost. Zegost, also known as Zusy, uses man-in-the-middle attacks to steal banking information. When executed, it injects itself into legitimate Windows processes such as "explorer.exe" and "winver.exe". When the user accesses a banking website, it displays a form to trick the user into submitting personal information. | 5bde8a697c4ed4b020035278f48ebbca | https://blog.talosintelligence.com/2020/11/threat-roundup-1106-1113.html
SHA256: 131daa7870f3dc8d2c2499a38930371595c86fbdf5394159b4a11c68eaac5c9d
SHA1: 600df1cb18a0153207ecda6f2e8b00b81768fa64
MD5: 5bde8a697c4ed4b020035278f48ebbca
M20-j2gg1 | Zegost_1e5b1708 | Windows | This strike sends a polymorphic malware sample known as Zegost. Zegost, also known as Zusy, uses man-in-the-middle attacks to steal banking information. When executed, it injects itself into legitimate Windows processes such as "explorer.exe" and "winver.exe". When the user accesses a banking website, it displays a form to trick the user into submitting personal information. The binary has random strings (lorem ipsum) appended at the end of the file. | 1e5b1708147129aba1f46ffeae389376 | https://attack.mitre.org/techniques/T1009/
SHA256: 76641e4832354cce2faf6943a4db0c588cb64a1006f2046ce8dbfa31bd08ed92
SHA1: cd03e440dbdb9d6135a721575c45e80115b8192b
PARENTID: M20-a4tk1
SSDEEP: 1536:W7rQY+94cHoLdfTYfNXKFMaJ5EK5ylBsmatRrnGxBugOgVjiBarAAsG6aHMf:z9nILR01XKvxrG8r
MD5: 1e5b1708147129aba1f46ffeae389376
M20-f9gt1 | Zegost_e8bea4b9 | Windows | This strike sends a polymorphic malware sample known as Zegost. Zegost, also known as Zusy, uses man-in-the-middle attacks to steal banking information. When executed, it injects itself into legitimate Windows processes such as "explorer.exe" and "winver.exe". When the user accesses a banking website, it displays a form to trick the user into submitting personal information. The binary has random bytes appended at the end of the file. | e8bea4b97c08b5123088e99497c4cdc7 | https://attack.mitre.org/techniques/T1009/
SHA256: f4ce6cb08e3e5bb097259d02ffb390a053065633f72eb3f22fd38829f16310fb
SHA1: 9093604b348cc3af6f1e3782f963be714c5f77e3
PARENTID: M20-a4tk1
SSDEEP: 1536:W7rQY+94cHoLdfTYfNXKFMaJ5EK5ylBsmatRrnGxBugOgVjiBarAAsG6aHMj:z9nILR01XKvxrG8X
MD5: e8bea4b97c08b5123088e99497c4cdc7
M20-qcg81 | Scar_4139d679 | Windows | This strike sends a malware sample known as Scar. Scar is a worm that downloads files and tries to spread to other machines by copying itself to removable media. | 4139d6792f8a47e5d9e0fe1b434cadb5 | https://blog.talosintelligence.com/2020/11/threat-roundup-1106-1113.html
SHA256: 0c3f298c88b8f94b587306a536b32644a8960994e7d9db810a0e5468bbc624e8
SHA1: 428781e02008259a6ef4d581050c9dbb4496de08
MD5: 4139d6792f8a47e5d9e0fe1b434cadb5
M20-enn51 | Zegost_9f52a0f4 | Windows | This strike sends a malware sample known as Zegost. Zegost, also known as Zusy, uses man-in-the-middle attacks to steal banking information. When executed, it injects itself into legitimate Windows processes such as "explorer.exe" and "winver.exe". When the user accesses a banking website, it displays a form to trick the user into submitting personal information. | 9f52a0f4981acda5629b4281651eba9f | https://blog.talosintelligence.com/2020/11/threat-roundup-1106-1113.html
SHA256: 04505dcb27c2849a8096879511fd5fec19af6cbc84b8399c96ee37006e8478b4
SHA1: 835740677fdfd9c301eb11d148ccedcc6f34e673
MD5: 9f52a0f4981acda5629b4281651eba9f
M20-b93g2 | Kuluoz_287f6409 | Windows | This strike sends a malware sample known as Kuluoz. Kuluoz, also called Asprox, is a remote access trojan known to download and execute additional malware such as fake antivirus software. | 287f6409bcbd54c59c175fece1abb995 | https://blog.talosintelligence.com/2020/11/threat-roundup-1106-1113.html
SHA256: 0033aace105fe8a25a363b73c0029b0a1608a1300267d02772e7478d04096b6e
SHA1: 0962aa36ed16417903891d8667fa5ebf3375692c
MD5: 287f6409bcbd54c59c175fece1abb995
M20-3lfv1 | LokiBot_e2f72215 | Windows | This strike sends a polymorphic malware sample known as LokiBot. LokiBot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered in spam emails. The binary has random contents appended to one of its existing PE sections. | e2f7221545da3787b1ad45c0e245f0e1 | https://arxiv.org/abs/1801.08917
SHA256: a07dca7969782f0449b767aec9e79bb10b8b04d6a0899cc8220703c765a48b65
SHA1: cfb984b053b2f1974649027817739688e23b62c7
PARENTID: M20-dkum1
SSDEEP: 12288:l8lL+2DoylNo6ssspUiDKJqzisC+hez53Wc/U:ellsylm62KMO6C+0Vl8
MD5: e2f7221545da3787b1ad45c0e245f0e1
M20-usvx1 | Kuluoz_639147d6 | Windows | This strike sends a malware sample known as Kuluoz. Kuluoz, also called Asprox, is a remote access trojan known to download and execute additional malware such as fake antivirus software. | 639147d6eae567f8d88715bef315905c | https://blog.talosintelligence.com/2020/11/threat-roundup-1106-1113.html
SHA256: 01b866aac1fcf13c0b46057146b0ff5ffee55cc4512e892696c477430e4c93f4
SHA1: f9644e20dd81378e5efe3e2f6af941aa61bd2ad5
MD5: 639147d6eae567f8d88715bef315905c
M20-g25h1 | Scar_c5cc2b2b | Windows | This strike sends a malware sample known as Scar. Scar is a worm that downloads files and tries to spread to other machines by copying itself to removable media. | c5cc2b2bd4979d83a23297389e7a66b8 | https://blog.talosintelligence.com/2020/11/threat-roundup-1106-1113.html
SHA256: 04f37e9dac2d7e0c327576c20d9c6de2e7e25dfca39af8043a5eac12a1609c46
SHA1: 76f5521d946f3d303cc244de54aea5b6e1817d33
MD5: c5cc2b2bd4979d83a23297389e7a66b8
M20-lp4y1 | Kuluoz_5afe943a | Windows | This strike sends a polymorphic malware sample known as Kuluoz. Kuluoz, also called Asprox, is a remote access trojan known to download and execute additional malware such as fake antivirus software. The binary has random contents appended to one of its existing PE sections. | 5afe943a3fde584fcf5fed55ce5b1d79 | https://arxiv.org/abs/1801.08917
SHA256: 1b49af3213c7f64ec08cfd643c09af2571097ccea9e73a0418936da8cc27a476
SHA1: c834437df6f4054e0bb916a0290e47d0ac7b20f2
PARENTID: M20-vqam1
SSDEEP: 3072:B+3rnRRy6Z296cjNZGI5pYYdftMdzsFGY9f:orRRyD5E7YZOCQY
MD5: 5afe943a3fde584fcf5fed55ce5b1d79
M20-l8dw1 | Zegost_e4fb9690 | Windows | This strike sends a malware sample known as Zegost. Zegost, also known as Zusy, uses man-in-the-middle attacks to steal banking information. When executed, it injects itself into legitimate Windows processes such as "explorer.exe" and "winver.exe". When the user accesses a banking website, it displays a form to trick the user into submitting personal information. | e4fb9690e4d9fdf344b73d4196c18ef3 | https://blog.talosintelligence.com/2020/11/threat-roundup-1106-1113.html
SHA256: 9413345aa7058c93e4c376adccb0e3107d76c18a8fd7fc598e27f3104e9b8031
SHA1: 4903253ffe990be3b45e337d95c6d0a6e099b72e
MD5: e4fb9690e4d9fdf344b73d4196c18ef3
M20-z1hj1 | Scar_e9bd79bb | Windows | This strike sends a malware sample known as Scar. Scar is a worm that downloads files and tries to spread to other machines by copying itself to removable media. | e9bd79bb61fc7ac4f4ff2dea03751bc1 | https://blog.talosintelligence.com/2020/11/threat-roundup-1106-1113.html
SHA256: 14096dde1b9c83ce19a9ed099cd8e3cbb05a463ffe1898fdc863328bc852fe5c
SHA1: 76d0192e280d6435900e50fed3f90106b0c3335c
MD5: e9bd79bb61fc7ac4f4ff2dea03751bc1
M20-qqw61 | Scar_91eb29c6 | Windows | This strike sends a malware sample known as Scar. Scar is a worm that downloads files and tries to spread to other machines by copying itself to removable media. | 91eb29c6e9c065a0259b936101739b90 | https://blog.talosintelligence.com/2020/11/threat-roundup-1106-1113.html
SHA256: 0d896d314daf2f17200db696b73e43916fe35c2c02838557bba7aff3950cbc4c
SHA1: 3f8d7dcbe5ce17d04e9309825dd3f8b8c30c246b
MD5: 91eb29c6e9c065a0259b936101739b90
M20-uyvp1 | LokiBot_b16e4e70 | Windows | This strike sends a malware sample known as LokiBot. LokiBot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered in spam emails. | b16e4e70f692bc53b71d54679e63af6e | https://blog.talosintelligence.com/2020/11/threat-roundup-1113-1120.html
SHA256: a2058e7365fff5315e1a1452e7d438d8e8149791293654ad0c3976bde76a1795
SHA1: 15600c670042ecb6449ef7b1308e693e0050cf1a
MD5: b16e4e70f692bc53b71d54679e63af6e
M20-2gm71 | Upatre_83392327 | Windows | This strike sends a malware sample known as Upatre. Upatre is a malicious downloader often used by exploit kits and phishing campaigns. Upatre downloads and executes malicious executables, such as banking malware. | 8339232735ecae5963462f7c4e73ef85 | https://blog.talosintelligence.com/2020/11/threat-roundup-1030-1106.html
SHA256: 113eedd981dffbcb9039f646be991681a3be66069b0fe5bbef60135b2bd633a4
SHA1: 3234a1dbf3559348916f934c3d889ea06077c7d5
MD5: 8339232735ecae5963462f7c4e73ef85
M20-byum1 | TinyBanker_b20386f9 | Windows | This strike sends a malware sample known as TinyBanker. TinyBanker, also known as Zusy or Tinba, is a trojan that uses a JavaScript-injected form to steal banking information. When executed, it injects itself into Windows processes such as "explorer.exe" and "winver.exe". | b20386f967f4214050b3c18f5d335f9c | https://blog.talosintelligence.com/2020/11/threat-roundup-1106-1113.html
SHA256: 3484dd48824bd7f55fd0e3e90f065c7a01b71c80110db34471e4064db306d7e3
SHA1: 2edb4f4c5a62ed0154df29d7afd6cdbb26039df8
MD5: b20386f967f4214050b3c18f5d335f9c
M20-4a4b1 | Ruskill_949c9314 | Windows | This strike sends a malware sample known as Ruskill. Ruskill is a botnet that spreads via removable media and through messaging applications. It steals credentials and takes part in distributed denial-of-service attacks. | 949c93148b31f353b564ead90bc2644d | https://blog.talosintelligence.com/2020/11/threat-roundup-1030-1106.html
SHA256: 3a6e951c5102c0b49619c9eaa4ac1a429cd3888a00ec385a4bd043b5913a569a
SHA1: ede073f0b49cb55ae0282d2fd26e9456f5e356e3
MD5: 949c93148b31f353b564ead90bc2644d
M20-7u2o1 | Ruskill_688624dd | Windows | This strike sends a malware sample known as Ruskill. Ruskill is a botnet that spreads via removable media and through messaging applications. It steals credentials and takes part in distributed denial-of-service attacks. | 688624ddab6d450d24a7a6c317de6cc3 | https://blog.talosintelligence.com/2020/11/threat-roundup-1030-1106.html
SHA256: 5994380423f37b540168ac921c4b48dacbdb52bec45271bca8e14c1691e36810
SHA1: b345be0353ab925d58cdf7f62eca2849fe669b12
MD5: 688624ddab6d450d24a7a6c317de6cc3
M20-dkum1 | LokiBot_186e231b | Windows | This strike sends a malware sample known as LokiBot. LokiBot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered in spam emails. | 186e231b1e4d0ff6626403f2c1f58906 | https://blog.talosintelligence.com/2020/11/threat-roundup-1113-1120.html
SHA256: ce9d8f4765b5204c63db281fb6f3124681ee66a75d236426027c71f1fc575b0f
SHA1: bfadab32ad8b781e80f8f760b94c1582bbda7918
MD5: 186e231b1e4d0ff6626403f2c1f58906
M20-z6661 | Upatre_c3e570fc | Windows | This strike sends a malware sample known as Upatre. Upatre is a malicious downloader often used by exploit kits and phishing campaigns. Upatre downloads and executes malicious executables, such as banking malware. | c3e570fc670c2c76e36a072f06740bd4 | https://blog.talosintelligence.com/2020/11/threat-roundup-1030-1106.html
SHA256: 131da532114bed0cf7fb3fec6e07bce430dd81eea06ff1c37d5cae3e82345afc
SHA1: c74a952b7ab8e4875b2339cf6945a5755e99c102
MD5: c3e570fc670c2c76e36a072f06740bd4
M20-qzfp1 | Kuluoz_93af451a | Windows | This strike sends a malware sample known as Kuluoz. Kuluoz, also called Asprox, is a remote access trojan known to download and execute additional malware such as fake antivirus software. | 93af451a9a9b7ce0b3f227ba2d6ad085 | https://blog.talosintelligence.com/2020/11/threat-roundup-1106-1113.html
SHA256: 10ca01e9a958354e6cc4c199d4552faa328548a856a75eba90f8fc8555de053e
SHA1: e79d0d2e3ab9ec1397c77ac08870232eb62949ca
MD5: 93af451a9a9b7ce0b3f227ba2d6ad085
M20-aznu1 | Kuluoz_3e015bab | Windows | This strike sends a malware sample known as Kuluoz. Kuluoz, also called Asprox, is a remote access trojan known to download and execute additional malware such as fake antivirus software. | 3e015bab445cb8763636cd4a4c66d801 | https://blog.talosintelligence.com/2020/11/threat-roundup-1106-1113.html
SHA256: 180430089f1befbe2aba2e1303dcba20d174f73421a80fdda7062a7ce936a9d5
SHA1: ca4f34f568457bd4e299bb0ce40c593e5ecf114e
MD5: 3e015bab445cb8763636cd4a4c66d801
M20-9iky1 | Kuluoz_77aca864 | Windows | This strike sends a malware sample known as Kuluoz. Kuluoz, also called Asprox, is a remote access trojan known to download and execute additional malware such as fake antivirus software. | 77aca864bb43d404baa9ecbfb97d130d | https://blog.talosintelligence.com/2020/11/threat-roundup-1106-1113.html
SHA256: 0b68e11e0ec63aa1598b7b1f4d3325a6200c9dcfb8ac03b335454345a8ad9cf1
SHA1: c230fd5bbbe91da61ced91b53d0d0ef17441daa8
MD5: 77aca864bb43d404baa9ecbfb97d130d
M20-cllo1 | Scar_27161106 | Windows | This strike sends a malware sample known as Scar. Scar is a worm that downloads files and tries to spread to other machines by copying itself to removable media. | 271611065a218801f7869636ec844402 | https://blog.talosintelligence.com/2020/11/threat-roundup-1106-1113.html
SHA256: 00e796f8000ef5caa26c673c7fad9bbe4f3877219dbc6ad4788638518a2bab8a
SHA1: 9f0148e2887daa9e5bac58b370e922d7b1cc0e0e
MD5: 271611065a218801f7869636ec844402
M20-b4hk1 | Scar_ebaed22b | Windows | This strike sends a malware sample known as Scar. Scar is a worm that downloads files and tries to spread to other machines by copying itself to removable media. | ebaed22b81e90153fc2ad70098604ae2 | https://blog.talosintelligence.com/2020/11/threat-roundup-1106-1113.html
SHA256: 01abd635501f74d0309ca806ea66b015f0665f4ba5e44e1aeb10a3fce67d91e5
SHA1: a4be8561e7c96cf6534a18d747ab95c227d55704
MD5: ebaed22b81e90153fc2ad70098604ae2
M20-ja2m1 | Upatre_d481d1cc | Windows | This strike sends a malware sample known as Upatre. Upatre is a malicious downloader often used by exploit kits and phishing campaigns. Upatre downloads and executes malicious executables, such as banking malware. | d481d1ccafdaec0da47049d151459e4e | https://blog.talosintelligence.com/2020/11/threat-roundup-1030-1106.html
SHA256: 0a82b11e85126cb623e27a61726f74637e8c652187cf9a770bae47056ec823ef
SHA1: 14bbf233dbb539b6c977fba74fccab06911cc3e4
MD5: d481d1ccafdaec0da47049d151459e4e
M20-3v7z1 | Kuluoz_a8376144 | Windows | This strike sends a polymorphic malware sample known as Kuluoz. Kuluoz, also called Asprox, is a remote access trojan known to download and execute additional malware such as fake antivirus software. The binary has been packed with UPX using its default options. | a8376144472b76b3df8c4ab2aa626511 | https://attack.mitre.org/techniques/T1045/
SHA256: 800d3cace4d9179399af71f347b1cf32536ad6e43a2a88fb866f9e0dd45209ab
SHA1: 7b2af14b83ad7a7a76800d0b827e6ad3e7cdc455
PARENTID: M20-vqam1
SSDEEP: 1536:3cWVl7eWu9Gfqo2rRR3eloIVK5SItcZLyqffr9Rmmq7QvgQQruRYtLl5J6:M0lq2kr73eyIE5Z+FHmx7ZjOY1w
MD5: a8376144472b76b3df8c4ab2aa626511
M20-28bh1 | Scar_7e089601 | Windows | This strike sends a malware sample known as Scar. Scar is a worm that downloads files and tries to spread to other machines by copying itself to removable media. | 7e089601c83340ebdbaaef2a9d4ebb45 | https://blog.talosintelligence.com/2020/11/threat-roundup-1106-1113.html
SHA256: 07f4b5112399b282a12f5a503f7084f9c6c458d0ae6cf557b0c4b5397263b61d
SHA1: 6ccc6cfd4e5126ccb198273bcc105e853f8f5d3f
MD5: 7e089601c83340ebdbaaef2a9d4ebb45
M20-zmxi1 | Ruskill_08417575 | Windows | This strike sends a malware sample known as Ruskill. Ruskill is a botnet that spreads via removable media and through messaging applications. It steals credentials and takes part in distributed denial-of-service attacks. | 0841757582ec90c1aa0b2e5dcfa18a10 | https://blog.talosintelligence.com/2020/11/threat-roundup-1030-1106.html
SHA256: cb213c083836d38c60732422b6bdd871018f8807458d3161a9ed669e0f4dfdd5
SHA1: 469a177e87877e02c012fb47138af07679d1510a
MD5: 0841757582ec90c1aa0b2e5dcfa18a10
M20-kpej1 | Scar_6664c718 | Windows | This strike sends a polymorphic malware sample known as Scar. Scar is a worm that downloads files and tries to spread to other machines by copying itself to removable media. The binary has one section renamed to a random name that still conforms to the PE format specification. | 6664c718d5bb1dc98f97a91013a9f017 | https://arxiv.org/abs/1801.08917
SHA256: c890f10146c4afbdece20da0f3999d26bbe5b5bf0bc4e60d3125d9473a2b1de2
SHA1: f78aaa4b181806e060f881cb97722feb1633a435
PARENTID: M20-z5lw1
SSDEEP: 1536:reNCn/HB8HMNYDBbZDeNCn/HB8ir6Ze8qVgMXL5V:reGOMNYPDeGR6vYf
MD5: 6664c718d5bb1dc98f97a91013a9f017
M20-j5ym1 | Kuluoz_f328c1a0 | Windows | This strike sends a malware sample known as Kuluoz. Kuluoz, also called Asprox, is a remote access trojan known to download and execute additional malware such as fake antivirus software. | f328c1a0ab5d0bd50d346ffe5e4dcc5f | https://blog.talosintelligence.com/2020/11/threat-roundup-1106-1113.html
SHA256: 100d6826120b96cb7eb3f3b645612a8c245909cc83fe84706dea4f4ecd79586f
SHA1: 902afcd1f4dc73ba4f21c4cdc13b7031d1acce50
MD5: f328c1a0ab5d0bd50d346ffe5e4dcc5f
M20-dnx71 | LokiBot_dcf9cbe7 | Windows | This strike sends a malware sample known as LokiBot. LokiBot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered in spam emails. | dcf9cbe7ae9f37c58edc4f37821a44da | https://blog.talosintelligence.com/2020/11/threat-roundup-1113-1120.html
SHA256: 6020db3ccb630880906593dbdbe6c4487ec81e8dea4555114f33eef0ac16b62a
SHA1: d0fd4d0c4d7ab3eab2b366971be58c446cf99ddb
MD5: dcf9cbe7ae9f37c58edc4f37821a44da
M20-jwe71 | LokiBot_fd81a8e6 | Windows | This strike sends a polymorphic malware sample known as LokiBot. LokiBot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered in spam emails. The binary has random bytes appended at the end of the file. | fd81a8e64de9f065551f77558849e86e | https://attack.mitre.org/techniques/T1009/
SHA256: 8e6218dc85c15023cbe11fcc514aee6c22156dd076df8e0865b3ab8a46961a65
SHA1: 797f35b33b1501548cf740b5da18d7b081927103
PARENTID: M20-dkum1
SSDEEP: 12288:c8lL+2DoylNo6ssspUiDKJqzisC+hez53Wc/UI:Lllsylm62KMO6C+0Vl8I
MD5: fd81a8e64de9f065551f77558849e86e
M20-temi1 | Zegost_6538e4c9 | Windows | This strike sends a polymorphic malware sample known as Zegost. Zegost, also known as Zusy, uses man-in-the-middle attacks to steal banking information. When executed, it injects itself into legitimate Windows processes such as "explorer.exe" and "winver.exe". When the user accesses a banking website, it displays a form to trick the user into submitting personal information. The binary has random contents appended to one of its existing PE sections. | 6538e4c9b1665b2aa256b625e2fb9fa2 | https://arxiv.org/abs/1801.08917
SHA256: 7dca88e8f6105127e23f66af5ceb90228921ca17d75e6fd2ad6ee9c5357813a5
SHA1: cdf1c17c3884357dda543ed9259f52062fb1f8eb
PARENTID: M20-a4tk1
SSDEEP: 1536:W7rQY+94cHoLdfTYfN8KFMaJ5EK5ylBsmatRrnGxBugOgVjiBarAAsG6aHM:z9nILR018KvxrG8
MD5: 6538e4c9b1665b2aa256b625e2fb9fa2
M20-2mqg1 | Scar_30a527e1 | Windows | This strike sends a malware sample known as Scar. Scar is a worm that downloads files and tries to spread to other machines by copying itself to removable media. | 30a527e1edc2815eafc93d038c755f3d | https://blog.talosintelligence.com/2020/11/threat-roundup-1106-1113.html
SHA256: 14166b0c720afd84d38e577adb42521b7d61130cd23c4098ac8ca7fd19f7b6ee
SHA1: 30a77c17114ff69064b13be252dde2fdf1800d8d
MD5: 30a527e1edc2815eafc93d038c755f3d
M20-eslj1 | Upatre_3d374745 | Windows | This strike sends a malware sample known as Upatre. Upatre is a malicious downloader often used by exploit kits and phishing campaigns. Upatre downloads and executes malicious executables, such as banking malware. | 3d3747456ab3054f941ec41ebdc3ef1b | https://blog.talosintelligence.com/2020/11/threat-roundup-1030-1106.html
SHA256: 1025f9c3232e2f5b318e5ea8f0cc586c91c161d254917d0491e6827309ffdab4
SHA1: ee7ce8237934b407952ba8ca5a54d5a86a439cfb
MD5: 3d3747456ab3054f941ec41ebdc3ef1b
M20-p9j01 | Upatre_45df574c | Windows | This strike sends a malware sample known as Upatre. Upatre is a malicious downloader often used by exploit kits and phishing campaigns. Upatre downloads and executes malicious executables, such as banking malware. | 45df574c429c134460b49582c8d58b9c | https://blog.talosintelligence.com/2020/11/threat-roundup-1030-1106.html
SHA256: 146413516e7e49489e8e1ca7e56b9a3173173a18e5e9078f3ee9a004d9b18d70
SHA1: d15558ab1d1d24512215de60b8f815b5601369d2
MD5: 45df574c429c134460b49582c8d58b9c
M20-iwdf1 | Kuluoz_14d35354 | Windows | This strike sends a polymorphic malware sample known as Kuluoz. Kuluoz, also called Asprox, is a remote access trojan known to download and execute additional malware such as fake antivirus software. The binary has one section renamed to a random name that still conforms to the PE format specification. | 14d35354a20f9a516b7225b6372b3af5 | https://arxiv.org/abs/1801.08917
SHA256: 8a6d102cc80ea5967522830de3fa96ec7f43d54a9eddaf8071786ae293659769
SHA1: 17030d672a9d278fe4de429a256dc55c99be587b
PARENTID: M20-vqam1
SSDEEP: 3072:K+3rnRRy6Z296cjNZGI5pYYdftMdzsFGY9fY:VrRRyD5E7YZOCQYO
MD5: 14d35354a20f9a516b7225b6372b3af5
M20-tvy51 | Kuluoz_7d34c334 | Windows | This strike sends a malware sample known as Kuluoz. Kuluoz, also called Asprox, is a remote access trojan known to download and execute additional malware such as fake antivirus software. | 7d34c334b27aa770df9ea753945cb4fb | https://blog.talosintelligence.com/2020/11/threat-roundup-1106-1113.html
SHA256: 1acba8f21ef1494cbb3e66e51a54681d8f77f5c41e09b33e410ca52cb67b633d
SHA1: b05843047fda8da076b53cbe029389b3ba5d2c93
MD5: 7d34c334b27aa770df9ea753945cb4fb
M20-okyb1 | Upatre_d6ec3e39 | Windows | This strike sends a malware sample known as Upatre. Upatre is a malicious downloader often used by exploit kits and phishing campaigns. Upatre downloads and executes malicious executables, such as banking malware. | d6ec3e39ce013ea0a2ea573d90445ff8 | https://blog.talosintelligence.com/2020/11/threat-roundup-1030-1106.html
SHA256: 0e0fb83e04e675b809013f37d4af1ff31c36e4813c518b97dd395ec97dcbc92a
SHA1: 328d3ed68a767a9ccd8b86c75bdb2aaaa642bf75
MD5: d6ec3e39ce013ea0a2ea573d90445ff8
M20-tv741 | Scar_874499a9 | Windows | This strike sends a polymorphic malware sample known as Scar. Scar is a worm that downloads files and tries to spread to other machines by copying itself to removable media. The binary has been packed with UPX using its default options. | 874499a974acb34d4827b6e1a91143d6 | https://attack.mitre.org/techniques/T1045/
SHA256: bd878726d91fc43ed10cfc6cffe0f69c53cb4fe20874e04d3f1fbddfe1cae301
SHA1: 736f9f668ad0a021a84152391c26cff97a7072fd
PARENTID: M20-z5lw1
SSDEEP: 1536:YYBXhObiXs279wsGk/8TxC0Fo45gXeNCo/2B8:ZBREws2BwszETP5EeP
MD5: 874499a974acb34d4827b6e1a91143d6
M20-0fv31 | Kuluoz_7539c94b | Windows | This strike sends a malware sample known as Kuluoz. Kuluoz, also called Asprox, is a remote access trojan known to download and execute additional malware such as fake antivirus software. | 7539c94b87c2f141589181e77b57d6b5 | https://blog.talosintelligence.com/2020/11/threat-roundup-1106-1113.html
SHA256: 14f747e7d2fd0f8336ac7aa68a3fcdb213b3ddf8960078ab72c11a67cf1a2fdd
SHA1: f6ab1641f7534975a4886ab05942eb5c28bd84d7
MD5: 7539c94b87c2f141589181e77b57d6b5
M20-b81e1 | Scar_4d3e4ff9 | Windows | This strike sends a malware sample known as Scar. Scar is a worm that downloads files and tries to spread to other machines by copying itself to removable media. | 4d3e4ff9f638ab8e9b6a23c372c107b6 | https://blog.talosintelligence.com/2020/11/threat-roundup-1106-1113.html
SHA256: 0720c05702858c2ef059400fe74cd0488e85dce1f60cb45d9e8ea51a84138251
SHA1: 521904746e0f238ab61c4f04448ffc31e0df9fc0
MD5: 4d3e4ff9f638ab8e9b6a23c372c107b6
M20-6r0p1 | LokiBot_c6582fc0 | Windows | This strike sends a malware sample known as LokiBot. LokiBot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered in spam emails. | c6582fc0d09ccf4f8bb82b06b5c40935 | https://blog.talosintelligence.com/2020/11/threat-roundup-1113-1120.html
SHA256: 578527d2bad084c3e95629d1bf870074cdc7c88e857256da8884f3c16272a629
SHA1: 576c25f018f2e9dbdf2dea2cd4abbc149bb2c1da
MD5: c6582fc0d09ccf4f8bb82b06b5c40935
M20-9rzg1 | TinyBanker_10b587c2 | Windows | This strike sends a malware sample known as TinyBanker. TinyBanker, also known as Zusy or Tinba, is a trojan that uses a JavaScript-injected form to steal banking information. When executed, it injects itself into Windows processes such as "explorer.exe" and "winver.exe". | 10b587c21e9e11de2c9815423f035095 | https://blog.talosintelligence.com/2020/11/threat-roundup-1106-1113.html
SHA256: 2e024b66655bbb942837d7b0a785597c29a73387a108f8cf45bca9c9a072736e
SHA1: a752159b5c632772e64ff99fb2a7e303d201f260
MD5: 10b587c21e9e11de2c9815423f035095
M20-8z9x1 | Kuluoz_f3f4fb94 | Windows | This strike sends a polymorphic malware sample known as Kuluoz. Kuluoz, also called Asprox, is a remote access trojan known to download and execute additional malware such as fake antivirus software. The binary has random bytes appended at the end of the file. | f3f4fb94b96c123a321d122c90b3380c | https://attack.mitre.org/techniques/T1009/
SHA256: 99f98a6d10d2456896018931914d5d1921003248d09826c8e71c8e84f355d4d3
SHA1: 288100a428665b4ef5f3fa86bd61dca2651da413
PARENTID: M20-vqam1
SSDEEP: 3072:B+3rnRRy6Z296cjNZGI5pYYdftMdzsFGY9fY:orRRyD5E7YZOCQYe
MD5: f3f4fb94b96c123a321d122c90b3380c
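The polymorphic strikes in this table are derived from a parent sample (the PARENTID row) by the header and body mutations the notes describe: random bytes or lorem-ipsum strings appended after the last section (binary padding, MITRE T1009), random contents appended to an existing section, a renamed section, a cleared PE checksum, or UPX packing (T1045). The script below is an added example, not part of this update or of any tool it references. It parses the relevant PE header fields with the Python standard library, recomputes the image checksum the way imagehlp does, and reports how a child differs from its parent. The PE image it builds is constructed for illustration and is not one of the listed samples; the section name "xk4z" and the 7-byte overlay are likewise made up.

```python
"""Added triage helpers for the PE mutations described in the strike notes: bytes
appended past the last section (binary padding), a cleared PE checksum, a renamed
section and UPX section names. Standard library only; the sample image built by
build_sample_pe() is constructed here and is not one of the listed samples."""
import struct

COMMON_SECTION_NAMES = {".text", ".rdata", ".data", ".rsrc", ".reloc", ".idata",
                        ".edata", ".pdata", ".bss", ".tls"}
UPX_SECTION_NAMES = {"UPX0", "UPX1", "UPX2"}

def pe_checksum(data: bytes, checksum_offset: int) -> int:
    """Image checksum as imagehlp computes it: 32-bit sum with end-around carry,
    skipping the CheckSum field, folded to 16 bits, plus the file length."""
    padded = data + b"\0" * (-len(data) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off == checksum_offset:
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total = (total + (total >> 16)) & 0xFFFF
    return total + len(data)

def parse_pe(data: bytes) -> dict:
    """Pull out the header fields the checks below need (PE32 and PE32+)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    file_hdr = e_lfanew + 4
    _machine, num_sections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, file_hdr)
    opt_hdr = file_hdr + 20
    checksum_offset = opt_hdr + 0x40  # CheckSum is at +0x40 in both PE32 and PE32+
    checksum, = struct.unpack_from("<I", data, checksum_offset)
    sections = []
    for i in range(num_sections):
        hdr = opt_hdr + opt_size + 40 * i  # IMAGE_SECTION_HEADER is 40 bytes
        name = data[hdr:hdr + 8].rstrip(b"\0").decode("latin-1")
        vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", data, hdr + 8)
        sections.append({"name": name, "virtual_size": vsize, "raw_size": raw_size, "raw_ptr": raw_ptr})
    return {"checksum_offset": checksum_offset, "checksum": checksum, "sections": sections}

def triage(data: bytes) -> dict:
    """Flag the mutations the strike notes describe for one sample."""
    pe = parse_pe(data)
    end_of_sections = max((s["raw_ptr"] + s["raw_size"] for s in pe["sections"]), default=0)
    names = [s["name"] for s in pe["sections"]]
    return {
        "overlay_bytes": max(0, len(data) - end_of_sections),  # data appended past the last section
        "checksum_cleared": pe["checksum"] == 0,
        "checksum_valid": pe["checksum"] == pe_checksum(data, pe["checksum_offset"]),
        "upx_section_names": any(n in UPX_SECTION_NAMES for n in names),
        "unusual_section_names": [n for n in names
                                  if n not in COMMON_SECTION_NAMES | UPX_SECTION_NAMES],
        "section_names": names,
    }

def diff_from_parent(parent: bytes, child: bytes) -> list:
    """Describe how a polymorphic child differs from its PARENTID sample."""
    p, c = triage(parent), triage(child)
    findings = []
    if c["overlay_bytes"] > p["overlay_bytes"]:
        findings.append("overlay grew by %d bytes" % (c["overlay_bytes"] - p["overlay_bytes"]))
    if c["checksum_cleared"] and not p["checksum_cleared"]:
        findings.append("PE checksum cleared")
    elif p["checksum_valid"] and not c["checksum_valid"]:
        findings.append("PE checksum no longer matches file contents")
    for old, new in zip(p["section_names"], c["section_names"]):
        if old != new:
            findings.append("section %s renamed to %s" % (old, new))
    if c["upx_section_names"] and not p["upx_section_names"]:
        findings.append("UPX section names present")
    return findings

def build_sample_pe(section_names=(".text", ".data"), checksum=None) -> bytes:
    """Constructed, non-runnable PE32 image used only to exercise the checks."""
    e_lfanew, headers_size, sec_size = 0x40, 0x200, 0x200
    dos = bytearray(b"MZ").ljust(0x3C, b"\0") + struct.pack("<I", e_lfanew)
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0x00, 0x10B)            # PE32 magic
    struct.pack_into("<II", opt, 0x20, 0x1000, 0x200)   # SectionAlignment, FileAlignment
    struct.pack_into("<I", opt, 0x3C, headers_size)     # SizeOfHeaders
    sec_hdrs, body = b"", b""
    for i, name in enumerate(section_names):
        sec_hdrs += struct.pack("<8sIIIIIIHHI", name.encode(), sec_size, 0x1000 * (i + 1),
                                sec_size, headers_size + i * sec_size, 0, 0, 0, 0, 0x60000020)
        body += bytes((i * 37 + j) & 0xFF for j in range(sec_size))
    headers = (bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + sec_hdrs).ljust(headers_size, b"\0")
    image = bytearray(headers + body)
    cs_off = e_lfanew + 4 + 20 + 0x40
    struct.pack_into("<I", image, cs_off, pe_checksum(bytes(image), cs_off) if checksum is None else checksum)
    return bytes(image)

if __name__ == "__main__":
    parent = build_sample_pe()
    print("padded  ->", diff_from_parent(parent, parent + bytes(range(7))))
    print("cleared ->", diff_from_parent(parent, build_sample_pe(checksum=0)))
    print("renamed ->", diff_from_parent(parent, build_sample_pe((".text", "xk4z"))))
```

Each finding survives the mutation that defeats an MD5 or SHA match: appended padding shows up as overlay and as a stale checksum, a cleared checksum reads as zero, and a renamed section falls outside the usual name set while the other sections still line up with the parent. The PARENTID and SSDEEP fields in the table carry that same parent-to-child relationship for the real samples. UPX is recognised here only by its default section names; a packed binary whose sections were renamed as well needs an actual unpacker, and the section-name check is a heuristic, since legitimate compilers also emit names outside the common set.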
M20-ee7r1 | Scar_f740c3dd | Windows | This strike sends a malware sample known as Scar. Scar is a worm that downloads files and tries to spread to other machines by copying itself to removable media. | f740c3dd1532b687d451dcc4f63ecfd3 | https://blog.talosintelligence.com/2020/11/threat-roundup-1106-1113.html
SHA256: 1654a2fa288cb96cde4af7122b02945c1b50b8b9d7a5f3874b7855673c9e577d
SHA1: 871bbe7026584d462031e9698d894027ce531ec9
MD5: f740c3dd1532b687d451dcc4f63ecfd3
M20-75e41 | Kuluoz_d78697f6 | Windows | This strike sends a malware sample known as Kuluoz. Kuluoz, also called Asprox, is a remote access trojan known to download and execute additional malware such as fake antivirus software. | d78697f62bbc18e4623fc6265668673c | https://blog.talosintelligence.com/2020/11/threat-roundup-1106-1113.html
SHA256: 0d4231d10d29a8bfb15f3f2301b8aa912fded08a5d8cf5ca260c3f75037b9f6e
SHA1: c1009152e6daacef139f63e7fa8e599bb7a85c08
MD5: d78697f62bbc18e4623fc6265668673c
M20-h1tm1 | TinyBanker_2fc76498 | Windows | This strike sends a malware sample known as TinyBanker. TinyBanker, also known as Zusy or Tinba, is a trojan that uses a JavaScript-injected form to steal banking information. When executed, it injects itself into Windows processes such as "explorer.exe" and "winver.exe". | 2fc764982d67accb3b0f94fb7e19ef94 | https://blog.talosintelligence.com/2020/11/threat-roundup-1106-1113.html
SHA256: 2a0b1b320e3a820e243d13306a5b7437da75fb2ec20bb6dcc72021ce3e38e9ae
SHA1: fbc8db05146c736a367ba9e7917f2013605ddb06
MD5: 2fc764982d67accb3b0f94fb7e19ef94
M20-8b8p1 | Kuluoz_a21740b0 | Windows | This strike sends a malware sample known as Kuluoz. Kuluoz, also called Asprox, is a remote access trojan known to download and execute additional malware such as fake antivirus software. | a21740b03a097f9323dcf55887e372f4 | https://blog.talosintelligence.com/2020/11/threat-roundup-1106-1113.html
SHA256: 106f3f6972ef655e90eb6b82fe1a06e54b5b9140355578ca455b10294956e121
SHA1: c398f3878117ad2aa9eca886e73eed4e0105f961
MD5: a21740b03a097f9323dcf55887e372f4
M20-vqam1 | Kuluoz_ea87a054 | Windows | This strike sends a malware sample known as Kuluoz. Kuluoz, also called Asprox, is a remote access trojan known to download and execute additional malware such as fake antivirus software. | ea87a054f0f61ca41781c4a428d90070 | https://blog.talosintelligence.com/2020/11/threat-roundup-1106-1113.html
SHA256: 1dbf4d454d75881e59fd5b10f8c2ba3b35a6120d8a4e2b90783d0625cdabf28e
SHA1: feee16c54c0a06c2ecc217453f9b52e7cd3cd4ed
MD5: ea87a054f0f61ca41781c4a428d90070
M20-t66f1 | Scar_01abda83 | Windows | This strike sends a malware sample known as Scar. Scar is a worm that downloads files and tries to spread to other machines by copying itself to removable media. | 01abda83c026ff0fe5dedd293b9c12cb | https://blog.talosintelligence.com/2020/11/threat-roundup-1106-1113.html
SHA256: 134ac830b48d951a7d40e4cecc6db14e7e4ccc77d4c4191f1adddca8288b97f5
SHA1: 90e2238c51a5530990e6856749f7830d5055f623
MD5: 01abda83c026ff0fe5dedd293b9c12cb
Strike ID: M20-gqd01
Malware: LokiBot_c1579bc6
Platform: Windows
Info: This strike sends a malware sample known as LokiBot. Lokibot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered via spam emails.
External References: https://blog.talosintelligence.com/2020/11/threat-roundup-1113-1120.html
SHA256: 89605a9bb702c8522e00bdf8a51a381eddda7ba3fa1bf2a195b05b2e4cd0c278
SHA1: 5ce80cf296cca8adbd1e2c5f38885ba29ee4b708
MD5: c1579bc69d2861973aae40e76fe10626
Strike ID: M20-0yiu1
Malware: Scar_e4f3dfb4
Platform: Windows
Info: This strike sends a malware sample known as Scar. Scar is a worm and will download files while also trying to spread to other machines by copying itself to removable media.
External References: https://blog.talosintelligence.com/2020/11/threat-roundup-1106-1113.html
SHA256: 0e65e81fb294daff44d544beabf671be28b14605fc62c5f0e1fff4703af58cee
SHA1: e98349e358bdf858acbeb66a89372ca1a751238f
MD5: e4f3dfb4b4fd91b082f8d58a6d25befc
Strike ID: M20-s8401
Malware: Kuluoz_c68b0470
Platform: Windows
Info: This strike sends a malware sample known as Kuluoz. Kuluoz, also called Asprox, is a remote access trojan that has been known to download and execute additional malware like fake antivirus software.
External References: https://blog.talosintelligence.com/2020/11/threat-roundup-1106-1113.html
SHA256: 15c74ab7669eddbbae7c453187b161fa4c3d1511a236cc3045a243e09d7e8777
SHA1: c615ed327ca81764ffa253d813ec6be7a809d6ca
MD5: c68b0470a04ba3eb2a42ebe8bf04f9ae
Strike ID: M20-k57r1
Malware: Zegost_582433da
Platform: Windows
Info: This strike sends a malware sample known as Zegost. Zegost, also known as Zusy, uses man-in-the-middle attacks to steal banking information. When executed, it injects itself into legitimate Windows processes such as "explorer.exe" and "winver.exe". When the user accesses a banking website, it displays a form to trick the user into submitting personal information.
External References: https://blog.talosintelligence.com/2020/11/threat-roundup-1106-1113.html
SHA256: 7348169666e09fb7a97643248db6c8dd42d6f05f51c27ded7d2fdf6cf5bc1c49
SHA1: 7ad90bb50f24bfe37fa1181cb172e59f2aabee7a
MD5: 582433da271d3f4c78027bbbebba4e4c
Strike ID: M20-vh7a1
Malware: Kuluoz_f818a873
Platform: Windows
Info: This strike sends a malware sample known as Kuluoz. Kuluoz, also called Asprox, is a remote access trojan that has been known to download and execute additional malware like fake antivirus software.
External References: https://blog.talosintelligence.com/2020/11/threat-roundup-1106-1113.html
SHA256: 0b50a4bcd4dfe5a626f245156af61bfc97e6e3a5afba1363c4f4be23d3df6a92
SHA1: a698d408614126341917e1364a3f7eb2f2184fc6
MD5: f818a8731476ae4471e348d2b6ecda94
Strike ID: M20-vsx61
Malware: Zegost_d9d34b56
Platform: Windows
Info: This strike sends a malware sample known as Zegost. Zegost, also known as Zusy, uses man-in-the-middle attacks to steal banking information. When executed, it injects itself into legitimate Windows processes such as "explorer.exe" and "winver.exe". When the user accesses a banking website, it displays a form to trick the user into submitting personal information.
External References: https://blog.talosintelligence.com/2020/11/threat-roundup-1106-1113.html
SHA256: 22e173179c12d1ebb141a91d20060747e1b3688d89a9b5569a95f3c88b433ee0
SHA1: c9a601361f00d83dd2f8e2d2e5fea585a4c37ac8
MD5: d9d34b56a18544febb9acbca806cfad7
Strike ID: M20-ztqi1
Malware: Kuluoz_426e964b
Platform: Windows
Info: This strike sends a malware sample known as Kuluoz. Kuluoz, also called Asprox, is a remote access trojan that has been known to download and execute additional malware like fake antivirus software.
External References: https://blog.talosintelligence.com/2020/11/threat-roundup-1106-1113.html
SHA256: 1182b65de57d6ecb62c5602e7fc967f0c8c1faf287b1d1feea934e549fe9a45e
SHA1: 1834526a29efe81fb4cedd2cf176e502afcfb5c0
MD5: 426e964b0e2d38ea23e9f88093069c67
Strike ID: M20-v3yx1
Malware: Kuluoz_678fa6d7
Platform: Windows
Info: This strike sends a malware sample known as Kuluoz. Kuluoz, also called Asprox, is a remote access trojan that has been known to download and execute additional malware like fake antivirus software.
External References: https://blog.talosintelligence.com/2020/11/threat-roundup-1106-1113.html
SHA256: 01e7a9362183d2f90aa7bfd9ed6e6c0654cc203185f2b531a7dfd930ff257c21
SHA1: d507870d7730158fef1fdcd3d00d7e27cf213273
MD5: 678fa6d7254b0ab4ed2f895256f03c17
Strike ID: M20-u0et1
Malware: Upatre_b1de5235
Platform: Windows
Info: This strike sends a malware sample known as Upatre. Upatre is a malicious downloader often used by exploit kits and phishing campaigns. Upatre downloads and executes malicious executables, such as banking malware.
External References: https://blog.talosintelligence.com/2020/11/threat-roundup-1030-1106.html
SHA256: 0ae81273084ac32b25d8c604256e30fa4426711e5f9b525cb6979ded72886ec6
SHA1: c4140b466a86687d96c2d0bf9490f0250cbb51f7
MD5: b1de5235a3e3429f25828979ddfd0be7
Strike ID: M20-qsg01
Malware: Upatre_14b99208
Platform: Windows
Info: This strike sends a malware sample known as Upatre. Upatre is a malicious downloader often used by exploit kits and phishing campaigns. Upatre downloads and executes malicious executables, such as banking malware.
External References: https://blog.talosintelligence.com/2020/11/threat-roundup-1030-1106.html
SHA256: 11a20d7c6783209ed9f57dfa22d665144590ca8d296b40a1805c9269fbc7b82b
SHA1: 0b920898267269ec85af3cb0ed261d3bbdbe0048
MD5: 14b99208c98f98a9ee76b5f9d3eef207
Strike ID: M20-gbx21
Malware: Scar_a3d952e7
Platform: Windows
Info: This strike sends a malware sample known as Scar. Scar is a worm and will download files while also trying to spread to other machines by copying itself to removable media.
External References: https://blog.talosintelligence.com/2020/11/threat-roundup-1106-1113.html
SHA256: 009ac8868badb96e5f1f5bbf293a3fc23c1ac221304f0ed372b660cf68f7bc16
SHA1: ecfd86518e6af9afcd36751f40455a52d54614da
MD5: a3d952e7057f8a0d89f6d846f46befa9
Strike ID: M20-fnau1
Malware: Kuluoz_e0389d5e
Platform: Windows
Info: This strike sends a malware sample known as Kuluoz. Kuluoz, also called Asprox, is a remote access trojan that has been known to download and execute additional malware like fake antivirus software.
External References: https://blog.talosintelligence.com/2020/11/threat-roundup-1106-1113.html
SHA256: 0de03ee14c8b289d89d353aceab634dea2182b31418277371c19320748d58bdc
SHA1: 796ade862774c7c0a949575adbaaf8c79932e70b
MD5: e0389d5e1468addd772d596c39e3f58c
Strike ID: M20-z5lw1
Malware: Scar_3786118b
Platform: Windows
Info: This strike sends a malware sample known as Scar. Scar is a worm and will download files while also trying to spread to other machines by copying itself to removable media.
External References: https://blog.talosintelligence.com/2020/11/threat-roundup-1106-1113.html
SHA256: 14c43fc15fc6df997335bdf209e9d0b4676069f5ae43621c853db2a43699266b
SHA1: 385a6879ed1061e0cb1ffda1f0206c584061f988
MD5: 3786118bba547421d900ad3c1136fabc
Strike ID: M20-junr1
Malware: Kuluoz_11c108f7
Platform: Windows
Info: This strike sends a polymorphic malware sample known as Kuluoz. Kuluoz, also called Asprox, is a remote access trojan that has been known to download and execute additional malware like fake antivirus software. The binary has random strings (lorem ipsum) appended at the end of the file.
External References: https://attack.mitre.org/techniques/T1009/
SHA256: 6683aedb03b5c307697a51746408fbf540ac2af9da83a205eee15526356f5aa8
SHA1: 4df8f34f7cdc94e32a98c1510f5a9929eee5a9c1
PARENTID: M20-vqam1
SSDEEP: 3072:B+3rnRRy6Z296cjNZGI5pYYdftMdzsFGY9fx:orRRyD5E7YZOCQYf
MD5: 11c108f7a7e10c3b8c83b4822bc10a30
Strike ID: M20-l0ly1
Malware: Kuluoz_4590a340
Platform: Windows
Info: This strike sends a polymorphic malware sample known as Kuluoz. Kuluoz, also called Asprox, is a remote access trojan that has been known to download and execute additional malware like fake antivirus software. The binary has the timestamp field updated in the PE file header.
External References: https://attack.mitre.org/techniques/T1099/
SHA256: 2d24eda33a2fc8674c659e205f5b555eeefb8a4401bd87fac1f0a02c169556de
SHA1: c980fdd11da7882cddd1339c79c6b208d6b2a294
PARENTID: M20-vqam1
SSDEEP: 3072:K+3rnRRy6Z296cjNZGI5pYYdftMdzsFGY9fY:VrRRyD5E7YZOCQYO
MD5: 4590a3401e47f5c6aec094babfff788a
Strike ID: M20-24ip1
Malware: LokiBot_5885b5c9
Platform: Windows
Info: This strike sends a malware sample known as LokiBot. Lokibot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered via spam emails.
External References: https://blog.talosintelligence.com/2020/11/threat-roundup-1113-1120.html
SHA256: 5b0dae6508cd9af449f5462cdbe32c2550339d23c1e77028ab87659564be75de
SHA1: e1390850661b0e7e059667979907331b94d96545
MD5: 5885b5c94d4e34a250d8e325a0727578
Strike ID: M20-kmgo1
Malware: Kuluoz_97765c75
Platform: Windows
Info: This strike sends a malware sample known as Kuluoz. Kuluoz, also called Asprox, is a remote access trojan that has been known to download and execute additional malware like fake antivirus software.
External References: https://blog.talosintelligence.com/2020/11/threat-roundup-1106-1113.html
SHA256: 066bd86a49dc4218d4ad2cb1547616327bbea107438a124fdb425b6ac2c51161
SHA1: 551fb832830e1f69081fcbcda58f83ba1aaad9f2
MD5: 97765c75f51e113c6acf427e006d4bb3
Strike ID: M20-oz9j1
Malware: Scar_35ab4641
Platform: Windows
Info: This strike sends a malware sample known as Scar. Scar is a worm and will download files while also trying to spread to other machines by copying itself to removable media.
External References: https://blog.talosintelligence.com/2020/11/threat-roundup-1106-1113.html
SHA256: 106b06727fb72673e05e26957d4e567d56e98fd0aa1fb37d2479ebd0ced9964e
SHA1: 7b6bce0b90b0f1088d4a76756060373f148eb039
MD5: 35ab4641aa1904672a8b211ffcc45d4e
Strike ID: M20-cn3c1
Malware: Zegost_0a9281d4
Platform: Windows
Info: This strike sends a polymorphic malware sample known as Zegost. Zegost, also known as Zusy, uses man-in-the-middle attacks to steal banking information. When executed, it injects itself into legitimate Windows processes such as "explorer.exe" and "winver.exe". When the user accesses a banking website, it displays a form to trick the user into submitting personal information. The binary has a random section name renamed according to the PE format specification.
External References: https://arxiv.org/abs/1801.08917
SHA256: bafc798dacf46b7db329da1e189992a0139b69618e317a4982bb49a152009d16
SHA1: ecb829c3444f4764451e0374309906940139c240
PARENTID: M20-a4tk1
SSDEEP: 1536:u7rQY+94cHoLdfTYfNXKFMaJ5EK5ylBsmatRrnGxBugOgVjiBarAAsG6aHMO:79nILR01XKvxrG8i
MD5: 0a9281d4c468831b6b946d43d2ebf16f
Strike ID: M20-054j1
Malware: LokiBot_81ea5d32
Platform: Windows
Info: This strike sends a malware sample known as LokiBot. Lokibot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered via spam emails.
External References: https://blog.talosintelligence.com/2020/11/threat-roundup-1113-1120.html
SHA256: ea67e1e48066b1cffcc0af2693d8a38759b168d7b3334ccc9841b41403a8d2f6
SHA1: b294dffd724df2bc71034050b891543627da5cac
MD5: 81ea5d3263580f61029ac0c028f70e62
Strike ID: M20-g40s1
Malware: Scar_d2522dc0
Platform: Windows
Info: This strike sends a malware sample known as Scar. Scar is a worm and will download files while also trying to spread to other machines by copying itself to removable media.
External References: https://blog.talosintelligence.com/2020/11/threat-roundup-1106-1113.html
SHA256: 030eb42c179d1994f85727e41416ea798f485b6f3cfd1cab9d121f8c1f9621ea
SHA1: e2769c9ad9d6069b904487294efabafb6902af0a
MD5: d2522dc08fd312cbd1104d7fe2086656
Strike ID: M20-c5po1
Malware: Zegost_5f51017f
Platform: Windows
Info: This strike sends a malware sample known as Zegost. Zegost, also known as Zusy, uses man-in-the-middle attacks to steal banking information. When executed, it injects itself into legitimate Windows processes such as "explorer.exe" and "winver.exe". When the user accesses a banking website, it displays a form to trick the user into submitting personal information.
External References: https://blog.talosintelligence.com/2020/11/threat-roundup-1106-1113.html
SHA256: abe76a08ea7127f7df5dbb8155fa4061c958628d4d07f3d90b3d92f7e20784f1
SHA1: 08473369ac82de40deb9081cfb013839b0525c24
MD5: 5f51017f19491c2ac494eff70ea30279
Strike ID: M20-exiq1
Malware: Kuluoz_6302a1e7
Platform: Windows
Info: This strike sends a malware sample known as Kuluoz. Kuluoz, also called Asprox, is a remote access trojan that has been known to download and execute additional malware like fake antivirus software.
External References: https://blog.talosintelligence.com/2020/11/threat-roundup-1106-1113.html
SHA256: 0380980aeade229e8992d75176996030e2043bf858e8740cb757389048e6039c
SHA1: 44a1a25a944301765ebaaf2a8c3a6ec4ebbefc02
MD5: 6302a1e74ad439abe9f38f2d28ff846d
Strike ID: M20-3y561
Malware: Scar_db3b2e97
Platform: Windows
Info: This strike sends a malware sample known as Scar. Scar is a worm and will download files while also trying to spread to other machines by copying itself to removable media.
External References: https://blog.talosintelligence.com/2020/11/threat-roundup-1106-1113.html
SHA256: 0e2eaaaa7d7919e1d0b01df0043b435c162371ba094f25f1f6963bb931815e59
SHA1: 483001d4a916c503ed05bf29c12a94cb1103258b
MD5: db3b2e97fdc5cb7c4c830d937475a0e5
Strike ID: M20-97321
Malware: Upatre_12b8dbba
Platform: Windows
Info: This strike sends a malware sample known as Upatre. Upatre is a malicious downloader often used by exploit kits and phishing campaigns. Upatre downloads and executes malicious executables, such as banking malware.
External References: https://blog.talosintelligence.com/2020/11/threat-roundup-1030-1106.html
SHA256: 0c0e4dd0566ca31d20d0cf43ee47b0d5af3e68e853f89f458c7358fe40980ab7
SHA1: 33fd7156e149effed73c4a37fea700731616c286
MD5: 12b8dbbacf6c077b871ae1c699abbf8b
Strike ID: M20-72w81
Malware: Zegost_e12b647e
Platform: Windows
Info: This strike sends a polymorphic malware sample known as Zegost. Zegost, also known as Zusy, uses man-in-the-middle attacks to steal banking information. When executed, it injects itself into legitimate Windows processes such as "explorer.exe" and "winver.exe". When the user accesses a banking website, it displays a form to trick the user into submitting personal information. The binary has the checksum removed in the PE file format.
External References: https://arxiv.org/abs/1801.08917
SHA256: 5caa5853a7717924971b71b01ee1af1696902a3d93204120a0dd0bef4d70d78a
SHA1: 645162d0c2a377fc8dbefd44b9d41b08f807272a
PARENTID: M20-a4tk1
SSDEEP: 1536:W7rQY+94cHoLdfTYfNXKFMaJ5EK5ylBsmatRrnGxBugOgVjiBarAAsG6aHM:z9nILR01XKvxrG8
MD5: e12b647e05df25b0a8d0ec89c409969e
Strike ID: M20-n4x11
Malware: Scar_2033f6b7
Platform: Windows
Info: This strike sends a malware sample known as Scar. Scar is a worm and will download files while also trying to spread to other machines by copying itself to removable media.
External References: https://blog.talosintelligence.com/2020/11/threat-roundup-1106-1113.html
SHA256: 0d98df2243ea1123dc16eefffcb3b496a026c741a614d2cc7aad958281c1807e
SHA1: d121ae1c169e78e9daff2ceb21237b97a1d5b7fd
MD5: 2033f6b72b573bae14191c702d12bfab
Strike ID: M20-oxjr1
Malware: Scar_a9b07c69
Platform: Windows
Info: This strike sends a malware sample known as Scar. Scar is a worm and will download files while also trying to spread to other machines by copying itself to removable media.
External References: https://blog.talosintelligence.com/2020/11/threat-roundup-1106-1113.html
SHA256: 078ed55ab87871d0694337af69acd378cbf1a27ee2eb2fcdeb9243bab60e6701
SHA1: 22e174a28ae97c012bf0077ad5cca600328b7bfc
MD5: a9b07c698d3a6ef0e1b6fee12cd2abfc
Strike ID: M20-g5t91
Malware: Zegost_4b186588
Platform: Windows
Info: This strike sends a malware sample known as Zegost. Zegost, also known as Zusy, uses man-in-the-middle attacks to steal banking information. When executed, it injects itself into legitimate Windows processes such as "explorer.exe" and "winver.exe". When the user accesses a banking website, it displays a form to trick the user into submitting personal information.
External References: https://blog.talosintelligence.com/2020/11/threat-roundup-1106-1113.html
SHA256: 9f1104af5a05b0549a7dabf55e1d935e02d9e39a407bc03a9a97441141ece571
SHA1: f5a24541305eefe7d6b7f3ca9f9593710ee1165a
MD5: 4b186588668a181de87fd5520bf57219
Strike ID: M20-bkna1
Malware: Zegost_2609f845
Platform: Windows
Info: This strike sends a polymorphic malware sample known as Zegost. Zegost, also known as Zusy, uses man-in-the-middle attacks to steal banking information. When executed, it injects itself into legitimate Windows processes such as "explorer.exe" and "winver.exe". When the user accesses a banking website, it displays a form to trick the user into submitting personal information. The binary has the timestamp field updated in the PE file header.
External References: https://attack.mitre.org/techniques/T1099/
SHA256: 621513c71ffdc7ff9f154fcad76da0a3ab649e0cad5ff9b10227358b5cbbdb21
SHA1: ef2149ee0a95920e481f60077e7945ce98e4af70
PARENTID: M20-a4tk1
SSDEEP: 1536:U7rQY+94cHoLdfTYfNXKFMaJ5EK5ylBsmatRrnGxBugOgVjiBarAAsG6aHMO:V9nILR01XKvxrG8i
MD5: 2609f845507a4ae9a9d2a32016498630

Malware Strikes October - 2020

Strike ID Malware Platform Info MD5 External References
Strike ID: M20-7cze1
Malware: Emotet_4e27e219
Platform: Mixed
Info: This strike sends a malware sample known as Emotet. Emotet is one of the most distributed active malware families today. It is modular malware in that it can deliver various payloads. Emotet is often delivered through Microsoft Office document macros sent with malicious emails.
External References: https://blog.talosintelligence.com/2020/10/threat-roundup-1009-1016.html
SHA256: c127cf0ce097e22f9f1fe0ca565c77a111745b85b0e78b21d20833055bc821d5
SHA1: cc18b6c62a6e9b279fc4bf9a456778bf054aef34
MD5: 4e27e2197bda5e1318eb13ea06b18205
Strike ID: M20-pb731
Malware: Nemty_5126b883
Platform: Windows
Info: This strike sends a malware sample known as Nemty. Nemty is a Ransomware-as-a-Service. Once obtained, a user is granted access to a web portal where they are able to create custom versions of the ransomware. It has been spotted being delivered via email spam (malspam) campaigns, botnets, exploit kits, PayPal dummy sites, and by brute-forcing RDP endpoints.
External References: https://www.mcafee.com/blogs/other-blogs/mcafee-labs/nemty-ransomware-learning-by-doing/
SHA256: d421d9b0cc9ce69fc4dea1d4bd230b666b15868e4778d227ead38b7572463253
SHA1: 9a121af9e0427a530ed12b72429fbc800d976623
MD5: 5126b88347c24245a9b141f76552064e
Strike ID: M20-3ytp1
Malware: Nefilim_ce3cd1da
Platform: Windows
Info: This strike sends a malware sample known as Nefilim. Nefilim ransomware shares much of its code with the popular RaaS known as Nemty; however, Nefilim instructs victims to contact the attackers via email rather than through a payment portal. Victims are mainly infected through vulnerable RDP services. Once the system has been infected, the malware establishes persistence and begins to exfiltrate credentials where possible. It will then deliver the ransomware payloads to the intended targets.
External References: https://labs.sentinelone.com/meet-nemty-successor-nefilim-nephilim-ransomware/
SHA256: fcc2921020690a58c60eba35df885e575669e9803212f7791d7e1956f9bf8020
SHA1: f246984193c927414e543d936d1fb643a2dff77b
MD5: ce3cd1dab67814f5f153bccdaf502f4c
Strike ID: M20-r7xs1
Malware: Ryuk_3266352b
Platform: Windows
Info: This strike sends a malware sample known as Ryuk. Ryuk is a highly targeted ransomware attack that has infected numerous organizations worldwide. The malware performs extensive network mapping and hacking. Because it is targeted, credential collection is required and takes place in advance.
External References: https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ryuk-ransomware-attack-rush-to-attribution-misses-the-point/
SHA256: 68c11bb87583954ebfaa576a49ff91344e011c2717686f152442b0036a69d218
SHA1: 2c8ea348cc80ed41737d3d2d8cb5487dcd49d040
MD5: 3266352bea7513ac3ead6e7d68661ad3
Strike ID: M20-2air1
Malware: REvil_b67606d3
Platform: Windows
Info: This strike sends a malware sample known as REvil. REvil malware, also known as Sodinokibi, operates as a ransomware-as-a-service (RaaS) that has recently been seen targeting law firms of A-list celebrities. The attackers not only pose the threat of losing all encrypted data but also of leaking stolen client data to the public.
External References: https://malware.news/t/changes-in-revil-ransomware-version-2-2/39556
SHA256: 372c8276ab7cad70ccf296722462d7b8727e8563c0bfe4344184e1bc3afc27fc
SHA1: 6c72756b12b03a2a594b8bb308944396438ec979
MD5: b67606d382f50ebf76848d023decee20
Strike ID: M20-zudz1
Malware: Emotet_212ede8e
Platform: Mixed
Info: This strike sends a malware sample known as Emotet. Emotet is one of the most distributed active malware families today. It is modular malware in that it can deliver various payloads. Emotet is often delivered through Microsoft Office document macros sent with malicious emails.
External References: https://blog.talosintelligence.com/2020/10/threat-roundup-1009-1016.html
SHA256: 939e9772cc64e88895365ccc1be8d7a6ef4b7c47b70165c35c79e2391ab50656
SHA1: 19763080a3c72c651224678eabadcdfca5d5cad1
MD5: 212ede8ee978a5979b17d9d68a497d10
Strike ID: M20-23qh1
Malware: CLOP_d3ace85c
Platform: Windows
Info: This strike sends a polymorphic malware sample known as CLOP. CLOP ransomware was originally detected as a variant of the CryptoMix ransomware family. It currently targets entire networks instead of individual machines and even attempts to disable Windows Defender and other security tools. Before it begins encryption of the system, it disables target processes, which can include debuggers, text editors, IDEs, as well as a host of Windows processes like Windows 10 and Microsoft applications. The binary has random strings (lorem ipsum) appended at the end of the file.
External References: https://attack.mitre.org/techniques/T1009/
SHA256: fd34ac2360302f24752fc352e161ed54609f3942178663eb0f46ceac8d58b099
SHA1: 05d7b3e2f6646bcd3a46ee9ec718497898678a81
PARENTID: M20-eoc31
SSDEEP: 6144:JrazEX0203RegvjxnpGhu3BJMIp2CuvY63n:B+3JpGEBJMg2CuvY63
MD5: d3ace85c17df113fa90a92a541ff0ca7
Strike ID: M20-x0np1
Malware: Sodinokibi_fb68a023
Platform: Windows
Info: This strike sends a malware sample known as Sodinokibi. Sodinokibi ransomware takes advantage of an Oracle WebLogic vulnerability to gain access to the target system. Once inside, it attempts to elevate privileges in order to access all files and resources on the system without any restriction. It will then wipe out all files in the backup folder.
External References: https://www.acronis.com/en-us/articles/sodinokibi-ransomware/
SHA256: 0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d
SHA1: 1399bf98a509adb07663476dee7f9fee571e09f3
MD5: fb68a02333431394a9a0cdbff3717b24
Strike ID: M20-f9w61
Malware: Netwalker_5f55ac3d
Platform: Windows
Info: This strike sends a malware sample known as Netwalker. Netwalker, also known as Mailto, is ransomware that encrypts Windows files on compromised enterprise networks with the mailto extension. It uses the network of the victim to encrypt all Windows devices.
External References: https://news.sophos.com/en-us/2020/05/27/netwalker-ransomware-tools-give-insight-into-threat-actor/
SHA256: 74fd9bbdd8a484640e4b0405a1da84734a0a9c2604ac1b0a39fa2e28b0c12614
SHA1: 6a13535190bdcd62af6b4930ea28664c13c6a6be
MD5: 5f55ac3dd18950583dadffc1970745c5
Strike ID: M20-c1v31
Malware: Netwalker_608ac26e
Platform: Windows
Info: This strike sends a malware sample known as Netwalker. Netwalker, also known as Mailto, is ransomware that encrypts Windows files on compromised enterprise networks with the mailto extension. It uses the network of the victim to encrypt all Windows devices.
External References: https://news.sophos.com/en-us/2020/05/27/netwalker-ransomware-tools-give-insight-into-threat-actor/
SHA256: c21ecd18f0bbb28112240013ad42dad5c01d20927791239ada5b61e1c6f5f010
SHA1: c5b3fa421db00fe931f439af5df4f65f7f3d9a1a
MD5: 608ac26ea80c189ed8e0f62dd4fd8ada
Strike ID: M20-zvvm1
Malware: Sekhmet_b7ad5f7e
Platform: Windows
Info: This strike sends a malware sample known as Sekhmet. The Sekhmet ransomware was used in an attack against gas handling company SilPac in June 2020. This ransomware has been commonly spread via spam email. Once it encrypts the files on the targeted system it leaves behind a RECOVER-FILES.txt file that includes a ransom note with instructions on how to pay via TOR.
External References: https://bazaar.abuse.ch/sample/fceb299326ef4298a3c30e10b31d8c64f1369b182ac256d1eeaf148c1adcea8d/
SHA256: 0a739f4ec3d096010d0cd9fc0c0631f0b080cc2aad1f720fd1883737b6a6a952
SHA1: cf02d630465eaf009db8bcc8a0dd4242a1d2dd82
MD5: b7ad5f7ec71dc812b4771950671b192a
Strike ID: M20-j8sq1
Malware: Tycoon_ae037348
Platform: Windows
Info: This strike sends a malware sample known as Tycoon. Tycoon is a multi-platform Java-based ransomware which targets Windows and Linux systems.
External References: https://cyberflorida.org/threat-advisory/tycoon-ransomware/
SHA256: 8587037c15463d10a17094ef8fa9f608cc20c99fa0206ce496b412f8c7f4a1b8
SHA1: e20a4cc7f13f517491e772ce9e5c236aad2785f0
MD5: ae03734805e3b7ec0fa52c5a4f07a725
Strike ID: M20-fbd41
Malware: DoppelPaymer_66c11a6c
Platform: Windows
Info: This strike sends a polymorphic malware sample known as DoppelPaymer. DoppelPaymer ransomware is a variant of the BitPaymer ransomware. It contains source code that can be found in both Dridex and BitPaymer. It has been delivered primarily by Dridex; however, it has also been delivered by numerous other methods, such as malspam, botnets and exploits. The binary has the timestamp field updated in the PE file header.
External References: https://attack.mitre.org/techniques/T1099/
SHA256: 039f721ff06c6965e97417a480fca2220f45bce9c10b63e4d0e823842533a70f
SHA1: 36ce6b51c925a7a5f122e07ddd7d47916576e584
PARENTID: M20-zug71
SSDEEP: 98304:J56LOFQCSMkpjLzCq37suo9LtkYzQi0YSUiBDXfN/:JsLOqCkLzDouoOS36XV/
MD5: 66c11a6cbbe59f2e580da1c75acd9ae8
Strike ID: M20-4wbt1
Malware: REvil_54079282
Platform: Windows
Info: This strike sends a polymorphic malware sample known as REvil. REvil malware, also known as Sodinokibi, operates as a ransomware-as-a-service (RaaS) that has recently been seen targeting law firms of A-list celebrities. The attackers not only pose the threat of losing all encrypted data but also of leaking stolen client data to the public. The binary has a random section name renamed according to the PE format specification.
External References: https://arxiv.org/abs/1801.08917
SHA256: 20045aa54d765b77de371fba418505f38ece546cedd974c5cd2aebdf44a7b823
SHA1: d12e89ebbb638f16711318bf4e71aa16df7eb145
PARENTID: M20-du8w1
SSDEEP: 3072:hLFrb30BRtBZZg+i2ayy2RjLTuVyu7CJDgoMT3Qt6tCIm:1J0BXScFy2RsQJ8zgQ
MD5: 54079282596df0fff118c2cdf8c6cbe3
Strike ID: M20-p56a1
Malware: Emotet_c730e1c3
Platform: Mixed
Info: This strike sends a malware sample known as Emotet. Emotet is one of the most distributed active malware families today. It is modular malware in that it can deliver various payloads. Emotet is often delivered through Microsoft Office document macros sent with malicious emails.
External References: https://blog.talosintelligence.com/2020/10/threat-roundup-1009-1016.html
SHA256: e218d7c8b3bd6e69065f2a2bee81c88865d2068a46c3997339a200318f7b82b4
SHA1: c868e42736238372f66d6a5bcedb636d28d15346
MD5: c730e1c3cf2e54af08072778a7fd6f41
Strike ID: M20-jbb31
Malware: Emotet_699bd905
Platform: Mixed
Info: This strike sends a malware sample known as Emotet. Emotet is one of the most distributed active malware families today. It is modular malware in that it can deliver various payloads. Emotet is often delivered through Microsoft Office document macros sent with malicious emails.
External References: https://blog.talosintelligence.com/2020/10/threat-roundup-1009-1016.html
SHA256: cf9401d8bcbb01edf06c19509b572a26047b2788a41f0ffa5d52c2189fe5a125
SHA1: 24c615d82cfbd4b2a16cf03f0ce12c252b4c1eb5
MD5: 699bd9053663bbdeb39df9d6f4f2b483
Strike ID: M20-q7u81
Malware: Emotet_74e9ae66
Platform: Mixed
Info: This strike sends a malware sample known as Emotet. Emotet is one of the most distributed active malware families today. It is modular malware in that it can deliver various payloads. Emotet is often delivered through Microsoft Office document macros sent with malicious emails.
External References: https://blog.talosintelligence.com/2020/10/threat-roundup-1009-1016.html
SHA256: d366dfc971747d113549ee401fa6dc07dfa0f478c9b08109640f84151bd2da29
SHA1: c137dce76d338fe94c8efade25596c93c082c0e8
MD5: 74e9ae66b4029ce403ef9a76d2dd1ec4
Strike ID: M20-oxbt1
Malware: Nefilim_3beb3d46
Platform: Windows
Info: This strike sends a malware sample known as Nefilim. Nefilim ransomware shares much of its code with the popular RaaS known as Nemty; however, Nefilim instructs victims to contact the attackers via email rather than through a payment portal. Victims are mainly infected through vulnerable RDP services. Once the system has been infected, the malware establishes persistence and begins to exfiltrate credentials where possible. It will then deliver the ransomware payloads to the intended targets.
External References: https://labs.sentinelone.com/meet-nemty-successor-nefilim-nephilim-ransomware/
SHA256: b227fa0485e34511627a8a4a7d3f1abb6231517be62d022916273b7a51b80a17
SHA1: e94089137a41fd95c790f88cc9b57c2b4d5625ba
MD5: 3beb3d466bcc0977ec2dd66d72ab6bb3
Strike ID: M20-n54a1
Malware: Ryuk_fca20e17
Platform: Windows
Info: This strike sends a malware sample known as Ryuk. Ryuk is a highly targeted ransomware attack that has infected numerous organizations worldwide. The malware performs extensive network mapping and hacking. Because it is targeted, credential collection is required and takes place in advance.
External References: https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ryuk-ransomware-attack-rush-to-attribution-misses-the-point/
SHA256: 7c1e0597dd5a1e2d48c9cede54843aa7c299f7404630b5a2aafac2eec7358b20
SHA1: c8ecc9b34184e7e1c15b4ed49fb838e7882dbfc6
MD5: fca20e17ce8c0c3f3c78d82c953472ed
Strike ID: M20-pqk51
Malware: Maze_910aa498
Platform: Windows
Info: This strike sends a malware sample known as Maze. Maze malware, also known as ChaCha ransomware, is known for not only encrypting files on the targeted system but also for releasing stolen victim information to the public if the ransom is not paid. The ransomware has been delivered via several methods including exploit kits, remote desktop connections and phishing emails. This malware also utilizes many anti-reversing and anti-analysis features that make examining it much more difficult.
External References: https://labs.sentinelone.com/maze-ransomware-update-extorting-and-exposing-victims/
SHA256: 4218214f32f946a02b7a7bebe3059af3dd87bcd130c0469aeb21b58299e2ef9a
SHA1: 45831987fabeb7b32c70f662be8cb24e2efef1dc
MD5: 910aa49813ee4cc7e4fa0074db5e454a
Strike ID: M20-zqyf1
Malware: REvil_cce629db
Platform: Windows
Info: This strike sends a malware sample known as REvil. REvil malware, also known as Sodinokibi, operates as a ransomware-as-a-service (RaaS) that has recently been seen targeting law firms of A-list celebrities. The attackers not only pose the threat of losing all encrypted data but also of leaking stolen client data to the public.
External References: https://malware.news/t/changes-in-revil-ransomware-version-2-2/39556
SHA256: 774354fe16764fa513052ff714048858cb315691599a08d13ba56be1c796a16d
SHA1: 2649ce761c00f4505758e20580e8bdf3e8d559d1
MD5: cce629db2606ae98ba6e931adbf1aeae
Strike ID: M20-iupe1
Malware: Netwalker_f957f19c
Platform: Windows
Info: This strike sends a malware sample known as Netwalker. Netwalker, also known as Mailto, is ransomware that encrypts Windows files on compromised enterprise networks with the mailto extension. It uses the network of the victim to encrypt all Windows devices.
External References: https://news.sophos.com/en-us/2020/05/27/netwalker-ransomware-tools-give-insight-into-threat-actor/
SHA256: b2d68a79a621c3f9e46f9df52ed19b8fec22c3cf5f4e3d8630a2bc68fd43d2ee
SHA1: 96432d979fdec055e4f40845a27cf4a9c0a0a34b
MD5: f957f19cd9d71abe3cb980ebe7f75d72
Strike ID: M20-jn451
Malware: Maze_c043c153
Platform: Windows
Info: This strike sends a malware sample known as Maze. Maze malware, also known as ChaCha ransomware, is known for not only encrypting files on the targeted system but also for releasing stolen victim information to the public if the ransom is not paid. The ransomware has been delivered via several methods including exploit kits, remote desktop connections and phishing emails. This malware also utilizes many anti-reversing and anti-analysis features that make examining it much more difficult.
External References: https://labs.sentinelone.com/maze-ransomware-update-extorting-and-exposing-victims/
SHA256: fb5de69b222d81fea2f4b08fd5af612faf24b9e75698ac331af066fbc360a30a
SHA1: d5ef91b849122109615007329ec6548830f13bfc
MD5: c043c153237b334df2f2934f7640e802
Strike ID: M20-b7qt1
Malware: Nefilim_ddc50d4a
Platform: Windows
Info: This strike sends a malware sample known as Nefilim. Nefilim ransomware shares much of its code with the popular RaaS known as Nemty; however, Nefilim instructs victims to contact the attackers by email rather than through a payment portal. Victims are mainly infected through exposed, vulnerable RDP services. Once a system has been compromised, the malware establishes persistence and exfiltrates credentials where possible, then delivers the ransomware payload to the intended targets.
External References: https://labs.sentinelone.com/meet-nemty-successor-nefilim-nephilim-ransomware/
SHA256: 8be1c54a1a4d07c84b7454e789a26f04a30ca09933b41475423167e232abea2b
SHA1: c61f2cdb0faf31120e33e023b7b923b01bc97fbf
MD5: ddc50d4ae0674d854a845b3eb32508c3
Strike ID: M20-9e4q1
Malware: Nefilim_dc88265c
Platform: Windows
Info: This strike sends a malware sample known as Nefilim. Nefilim ransomware shares much of its code with the popular RaaS known as Nemty; however, Nefilim instructs victims to contact the attackers by email rather than through a payment portal. Victims are mainly infected through exposed, vulnerable RDP services. Once a system has been compromised, the malware establishes persistence and exfiltrates credentials where possible, then delivers the ransomware payload to the intended targets.
External References: https://labs.sentinelone.com/meet-nemty-successor-nefilim-nephilim-ransomware/
SHA256: 3bac058dbea51f52ce154fed0325fd835f35c1cd521462ce048b41c9b099e1e5
SHA1: e99460b4e8759909d3bd4e385d7e3f9b67aa1242
MD5: dc88265c361d73540a31c19583271fb0
Strike ID: M20-kubx1
Malware: Sodinokibi_177a571d
Platform: Windows
Info: This strike sends a malware sample known as Sodinokibi. Sodinokibi ransomware has exploited an Oracle WebLogic vulnerability to gain access to target systems. Once inside, it attempts to elevate privileges so that it can access all files and resources on the system without restriction. It then wipes all files in the backup folder.
External References: https://www.acronis.com/en-us/articles/sodinokibi-ransomware/
SHA256: f0a16b0224a24647e9e8cf2f6f4479d93c8fb540a7ca656023a41f399e6c69c2
SHA1: 7f1b49c2946a9a036cf60e25e1a8452f6237a57d
MD5: 177a571d7c6a6e4592c60a78b574fe0e
Strike ID: M20-jzr31
Malware: Netwalker_bc758596
Platform: Windows
Info: This strike sends a malware sample known as Netwalker. Netwalker, also known as Mailto, is ransomware that encrypts Windows files on compromised enterprise networks, appending the .mailto extension. It uses the victim's own network to reach and encrypt every Windows device.
External References: https://news.sophos.com/en-us/2020/05/27/netwalker-ransomware-tools-give-insight-into-threat-actor/
SHA256: a9a147313861a5a4e7abd76b3287ce5f6183966b89c5ca95c0e0cf587f40189d
SHA1: 5be2fb7adcfefd741e6b98b4beeadf9e24ea7423
MD5: bc75859695f6c2c5ceda7e3be68e5d5a
Strike ID: M20-d5741
Malware: Nemty_f2708056
Platform: Windows
Info: This strike sends a malware sample known as Nemty. Nemty is ransomware-as-a-service: once purchased, the affiliate is granted access to a web portal where they can build custom versions of the ransomware. It has been seen delivered via email spam (malspam) campaigns, botnets, exploit kits, fake PayPal sites, and by brute-forcing RDP endpoints.
External References: https://www.mcafee.com/blogs/other-blogs/mcafee-labs/nemty-ransomware-learning-by-doing/
SHA256: 572b2dad5fca5f1dab7c18afa986fe7ef639e7892776593fc7636ff03ff783bc
SHA1: f0078a38d56384f9dbced7c0a9837cdb22c4daf0
MD5: f270805668e8aecf13d27c09055bad5d
Strike ID: M20-ocu81
Malware: CLOP_9ec70a82
Platform: Windows
Info: This strike sends a polymorphic malware sample known as CLOP. CLOP ransomware was originally detected as a variant of the CryptoMix ransomware family. It now targets entire networks rather than individual machines and attempts to disable Windows Defender and other security tools. Before it begins encrypting the system, it terminates targeted processes, which can include debuggers, text editors and IDEs as well as a range of Windows 10 and Microsoft application processes. The binary has been packed with the UPX packer using its default options.
External References: https://attack.mitre.org/techniques/T1045/
SHA256: ada51ae85a78dc3641bbe52505e3eaf670353477abbb77fb5c781713545b5f58
SHA1: 1a18c783bdcf3af6c52a9daaa712c56ee5816832
PARENTID: M20-eoc31
SSDEEP: 3072:m7QoN+AOSJUT5I/QN7lg3w0EIpRomDOhRJ+ZHNN9cY2ritPOFjy54:kQokAaT5gCg30SRBD07KH39cAPqx
MD5: 9ec70a82f8b4797c4ad4fe646cfb6e10
Strike ID: M20-iort1
Malware: Nefilim_5ff20e2b
Platform: Windows
Info: This strike sends a malware sample known as Nefilim. Nefilim ransomware shares much of its code with the popular RaaS known as Nemty; however, Nefilim instructs victims to contact the attackers by email rather than through a payment portal. Victims are mainly infected through exposed, vulnerable RDP services. Once a system has been compromised, the malware establishes persistence and exfiltrates credentials where possible, then delivers the ransomware payload to the intended targets.
External References: https://labs.sentinelone.com/meet-nemty-successor-nefilim-nephilim-ransomware/
SHA256: 08c7dfde13ade4b13350ae290616d7c2f4a87cbeac9a3886e90a175ee40fb641
SHA1: e53d4b589f5c5ef6afd23299550f70c69bc2fe1c
MD5: 5ff20e2b723edb2d0fb27df4fc2c4468
Strike ID: M20-6ei91
Malware: Nefilim_26c35850
Platform: Windows
Info: This strike sends a malware sample known as Nefilim. Nefilim ransomware shares much of its code with the popular RaaS known as Nemty; however, Nefilim instructs victims to contact the attackers by email rather than through a payment portal. Victims are mainly infected through exposed, vulnerable RDP services. Once a system has been compromised, the malware establishes persistence and exfiltrates credentials where possible, then delivers the ransomware payload to the intended targets.
External References: https://labs.sentinelone.com/meet-nemty-successor-nefilim-nephilim-ransomware/
SHA256: 7a73032ece59af3316c4a64490344ee111e4cb06aaf00b4a96c10adfdd655599
SHA1: 0d339d08a546591aab246f3cf799f3e2aaee3889
MD5: 26c35850483c877ee23f476b38d58deb
Strike ID: M20-dzq81
Malware: DoppelPaymer_4601ec39
Platform: Windows
Info: This strike sends a polymorphic malware sample known as DoppelPaymer. DoppelPaymer ransomware is a variant of BitPaymer and contains source code found in both Dridex and BitPaymer. It has been delivered primarily by Dridex, but also through numerous other methods such as malspam, botnets and exploits. The binary has random bytes appended at the end of the file.
External References: https://attack.mitre.org/techniques/T1009/
SHA256: e9be48e03f80f6ef0bc5cbe36cbd4bcba30fb6d2b3a1a95e4f0e856816ef8cd4
SHA1: 86c6242cbdb9b45dd9028639c1bcf9dc07d664d0
PARENTID: M20-zug71
SSDEEP: 98304:556LOFQCSMkpjLzCq37suo9LtkYzQi0YSUiBDXfNt:5sLOqCkLzDouoOS36XVt
MD5: 4601ec39e2934ba61651decf6d06de64
Strike ID: M20-jdde1
Malware: Nefilim_8f90539c
Platform: Windows
Info: This strike sends a malware sample known as Nefilim. Nefilim ransomware shares much of its code with the popular RaaS known as Nemty; however, Nefilim instructs victims to contact the attackers by email rather than through a payment portal. Victims are mainly infected through exposed, vulnerable RDP services. Once a system has been compromised, the malware establishes persistence and exfiltrates credentials where possible, then delivers the ransomware payload to the intended targets.
External References: https://labs.sentinelone.com/meet-nemty-successor-nefilim-nephilim-ransomware/
SHA256: d4492a9eb36f87a9b3156b59052ebaf10e264d5d1ce4c015a6b0d205614e58e3
SHA1: bd59d7c734ca2f9cbaf7f12bc851f7dce94955d4
MD5: 8f90539c405672016c0dec7ac3574eea
Strike ID: M20-xv3b1
Malware: Nefilim_7354e71d
Platform: Windows
Info: This strike sends a malware sample known as Nefilim. Nefilim ransomware shares much of its code with the popular RaaS known as Nemty; however, Nefilim instructs victims to contact the attackers by email rather than through a payment portal. Victims are mainly infected through exposed, vulnerable RDP services. Once a system has been compromised, the malware establishes persistence and exfiltrates credentials where possible, then delivers the ransomware payload to the intended targets.
External References: https://labs.sentinelone.com/meet-nemty-successor-nefilim-nephilim-ransomware/
SHA256: 3080b45bab3f804a297ec6d8f407ae762782fa092164f8ed4e106b1ee7e24953
SHA1: 9770fb41be1af0e8c9e1a69b8f92f2a3a5ca9b1a
MD5: 7354e71d9c28e0c150cea3377e5f70d9
Strike ID: M20-1jg41
Malware: Ryuk_5f7dd374
Platform: Windows
Info: This strike sends a malware sample known as Ryuk. Ryuk is highly targeted ransomware that has infected numerous organizations worldwide. Its operators perform extensive network mapping and hands-on intrusion; because the attack is targeted, credential collection is required and takes place in advance.
External References: https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ryuk-ransomware-attack-rush-to-attribution-misses-the-point/
SHA256: 235ab3857ba2d2cd09311d6cc7bf1139863022579ea98be2b503921104ee20ac
SHA1: d9f8eb52ce514d3dbf8f8e6a1ecb29c1dc46ea12
MD5: 5f7dd3740a3a4ea74e2ee234f6de26aa
Strike ID: M20-93le1
Malware: CLOP_f2114603
Platform: Windows
Info: This strike sends a malware sample known as CLOP. CLOP ransomware was originally detected as a variant of the CryptoMix ransomware family. It now targets entire networks rather than individual machines and attempts to disable Windows Defender and other security tools. Before it begins encrypting the system, it terminates targeted processes, which can include debuggers, text editors and IDEs as well as a range of Windows 10 and Microsoft application processes.
External References: https://www.trendmicro.com/vinfo/ae/security/news/cybercrime-and-digital-threats/ransomware-recap-clop-deathransom-and-maze-ransomware
SHA256: 2ceeedd2f389c6118b4e0a02a535ebb142d81d35f38cab9a3099b915b5c274cb
SHA1: c777107d839938da8c41beacc78802a0e05e8b74
MD5: f21146030cbe2ebe5a8e3fd67df8e8f3
Strike ID: M20-zug71
Malware: DoppelPaymer_8c54bbe3
Platform: Windows
Info: This strike sends a malware sample known as DoppelPaymer. DoppelPaymer ransomware is a variant of BitPaymer and contains source code found in both Dridex and BitPaymer. It has been delivered primarily by Dridex, but also through numerous other methods such as malspam, botnets and exploits.
External References: https://www.sentinelone.com/blog/yara-hunting-for-code-reuse-doppelpaymer-ransomware-dridex-families/
SHA256: f658ddcf8e87de957a81bb92d44ce02913b427e8bccbe663669ee2613d355555
SHA1: 2fc2ecbed153344557386e80a2fbd097bf795559
MD5: 8c54bbe3f191a8627bfeeb4cb02634a9
Strike ID: M20-3cxk1
Malware: Nefilim_0790a7e0
Platform: Windows
Info: This strike sends a malware sample known as Nefilim. Nefilim ransomware shares much of its code with the popular RaaS known as Nemty; however, Nefilim instructs victims to contact the attackers by email rather than through a payment portal. Victims are mainly infected through exposed, vulnerable RDP services. Once a system has been compromised, the malware establishes persistence and exfiltrates credentials where possible, then delivers the ransomware payload to the intended targets.
External References: https://labs.sentinelone.com/meet-nemty-successor-nefilim-nephilim-ransomware/
SHA256: 7de8ca88e240fb905fc2e8fd5db6c5af82d8e21556f0ae36d055f623128c3377
SHA1: 4595cdd47b63a4ae256ed22590311f388bc7a2d8
MD5: 0790a7e0a842e1de70de194054fa11b3
Strike ID: M20-pe1b1
Malware: Netwalker_93f91bfc
Platform: Mixed
Info: This strike sends a malware sample known as Netwalker. Netwalker, also known as Mailto, is ransomware that encrypts Windows files on compromised enterprise networks, appending the .mailto extension. It uses the victim's own network to reach and encrypt every Windows device.
External References: https://news.sophos.com/en-us/2020/05/27/netwalker-ransomware-tools-give-insight-into-threat-actor/
SHA256: 59ba11aa5b9a4d2ef80d260b9e51f605d556781b8ce682443ad1e547898eb0a6
SHA1: 2ddf48174221371ad4f5d339353a3f998044d95d
MD5: 93f91bfcc1bf0c858fc7f3bd4536eba6
Strike ID: M20-hrde1
Malware: Netwalker_0537d845
Platform: Windows
Info: This strike sends a malware sample known as Netwalker. Netwalker, also known as Mailto, is ransomware that encrypts Windows files on compromised enterprise networks, appending the .mailto extension. It uses the victim's own network to reach and encrypt every Windows device.
External References: https://news.sophos.com/en-us/2020/05/27/netwalker-ransomware-tools-give-insight-into-threat-actor/
SHA256: 12717add64ecf32d7bcb6b2662becbff6b516cf8073f399dc5e4d3615d452e89
SHA1: 3fb77d821ea7ec2b30fd3944c3d9361093a58cd6
MD5: 0537d845ba099c6f2b708124eda13f1c
Strike ID: M20-yqkh1
Malware: Tycoon_80675f08
Platform: Windows
Info: This strike sends a malware sample known as Tycoon. Tycoon is multi-platform, Java-based ransomware that targets Windows and Linux systems.
External References: https://cyberflorida.org/threat-advisory/tycoon-ransomware/
SHA256: ac0882d87027ac22fc79cfe2d55d9a9d097d0f8eb425cf182de1b872080930ec
SHA1: 3d845a707f2825746637922d7dd10fab18558209
MD5: 80675f08a4dad40a316865619f6adaaa
Strike ID: M20-h4tt1
Malware: Nefilim_80cfda61
Platform: Windows
Info: This strike sends a malware sample known as Nefilim. Nefilim ransomware shares much of its code with the popular RaaS known as Nemty; however, Nefilim instructs victims to contact the attackers by email rather than through a payment portal. Victims are mainly infected through exposed, vulnerable RDP services. Once a system has been compromised, the malware establishes persistence and exfiltrates credentials where possible, then delivers the ransomware payload to the intended targets.
External References: https://labs.sentinelone.com/meet-nemty-successor-nefilim-nephilim-ransomware/
SHA256: 52e25bdd600695cfed0d4ee3aca4f121bfebf0de889593e6ba06282845cf39ea
SHA1: 6c9ae388fa5d723a458de0d2bea3eb63bc921af7
MD5: 80cfda61942eb4e71f286297a1158f48
Strike ID: M20-t9wu1
Malware: Tycoon_51a7822f
Platform: Windows
Info: This strike sends a malware sample known as Tycoon. Tycoon is multi-platform, Java-based ransomware that targets Windows and Linux systems.
External References: https://cyberflorida.org/threat-advisory/tycoon-ransomware/
SHA256: bd3fdf1b50911d537a97cb93db13f2b4026f109ed23a393f262621faed81dae1
SHA1: 03023d7e3a54d915cca82429dfeedb1bebd5c182
MD5: 51a7822f388162ce1c66dd90da207545
Strike ID: M20-ozkg1
Malware: Tycoon_9c7befb1
Platform: Windows
Info: This strike sends a malware sample known as Tycoon. Tycoon is multi-platform, Java-based ransomware that targets Windows and Linux systems.
External References: https://cyberflorida.org/threat-advisory/tycoon-ransomware/
SHA256: 853fa18adc3f9263a0f98a9a257dd70d7e1aee0545ab47a114f44506482bd188
SHA1: 8e7a5500007c1552e1231bd1157433f7ef638672
MD5: 9c7befb18ccbd63100a497fe7c1acc69
Strike ID: M20-11ox1
Malware: Netwalker_59b00f60
Platform: Windows
Info: This strike sends a malware sample known as Netwalker. Netwalker, also known as Mailto, is ransomware that encrypts Windows files on compromised enterprise networks, appending the .mailto extension. It uses the victim's own network to reach and encrypt every Windows device.
External References: https://news.sophos.com/en-us/2020/05/27/netwalker-ransomware-tools-give-insight-into-threat-actor/
SHA256: 26dfa8512e892dc8397c4ccbbe10efbcf85029bc2ad7b6b6fe17d26f946a01bb
SHA1: 794589026bdc8b01cad097ffcd50be37a87e7c29
MD5: 59b00f607a7550af9a2332c730892845
Strike ID: M20-c0k61
Malware: Nemty_0b33471b
Platform: Windows
Info: This strike sends a malware sample known as Nemty. Nemty is ransomware-as-a-service: once purchased, the affiliate is granted access to a web portal where they can build custom versions of the ransomware. It has been seen delivered via email spam (malspam) campaigns, botnets, exploit kits, fake PayPal sites, and by brute-forcing RDP endpoints.
External References: https://www.mcafee.com/blogs/other-blogs/mcafee-labs/nemty-ransomware-learning-by-doing/
SHA256: f3e0b5808c1394c884b4b2c7fa0c0955f7b544959a46b8839b76c8d8e2735413
SHA1: 42256ea23ee775e71702cc901c3632ef2fd53a02
MD5: 0b33471bbd9fbbf08983eff34ee4ddc9
Strike ID: M20-9vw62
Malware: Nemty_4ca39c0a
Platform: Windows
Info: This strike sends a malware sample known as Nemty. Nemty is ransomware-as-a-service: once purchased, the affiliate is granted access to a web portal where they can build custom versions of the ransomware. It has been seen delivered via email spam (malspam) campaigns, botnets, exploit kits, fake PayPal sites, and by brute-forcing RDP endpoints.
External References: https://www.mcafee.com/blogs/other-blogs/mcafee-labs/nemty-ransomware-learning-by-doing/
SHA256: cc496cec38bbc72bae3cb64416baca38b3706443c4f360bd4ba8300d64b210d2
SHA1: afa8bc5c0a014e6202a8dd39f3f288bc927dacd0
MD5: 4ca39c0aeb0daeb1be36173fa7c2a25e
Strike ID: M20-5ca61
Malware: Sodinokibi_858c29ef
Platform: Windows
Info: This strike sends a polymorphic malware sample known as Sodinokibi. Sodinokibi ransomware has exploited an Oracle WebLogic vulnerability to gain access to target systems. Once inside, it attempts to elevate privileges so that it can access all files and resources on the system without restriction. It then wipes all files in the backup folder. The binary has the timestamp field updated in the PE file header.
External References: https://attack.mitre.org/techniques/T1099/
SHA256: e125ef182c6de161f75933a552c39677d842d854c317da92518191054fd83f37
SHA1: d642f7ecda3fa135761d68eb20f44d66eba798fa
PARENTID: M20-u2sg1
SSDEEP: 3072:Or85CuLbi4eTMlwDCnuZ3puJ1ni8Iy8EytZ:O9ebnWJZ3P8IUyT
MD5: 858c29efee084e86616b21fdc4d2a3de
Strike ID: M20-otig1
Malware: REvil_b26fbb99
Platform: Windows
Info: This strike sends a polymorphic malware sample known as REvil. REvil, also known as Sodinokibi, operates as ransomware-as-a-service (RaaS) and has recently been seen targeting law firms representing A-list celebrities. The attackers threaten not only the loss of all encrypted data but also the public leak of stolen client data. The binary has random bytes appended at the end of the file.
External References: https://attack.mitre.org/techniques/T1009/
SHA256: 6d9349a99d80e9003d3a01e0ad19c5f175e18b2dee7ef533b630772548f6c727
SHA1: 323135aa6987945df756cb9636ad72938d5a064f
PARENTID: M20-du8w1
SSDEEP: 3072:1LFrb30BRtBZZg+i2ayy2RjLTuVyu7CJDgoMT3Qt6tCImk:ZJ0BXScFy2RsQJ8zgQP
MD5: b26fbb999449caad351b18364a17bd6e
Strike ID: M20-ghdx1
Malware: Netwalker_239163e6
Platform: Windows
Info: This strike sends a malware sample known as Netwalker. Netwalker, also known as Mailto, is ransomware that encrypts Windows files on compromised enterprise networks, appending the .mailto extension. It uses the victim's own network to reach and encrypt every Windows device.
External References: https://news.sophos.com/en-us/2020/05/27/netwalker-ransomware-tools-give-insight-into-threat-actor/
SHA256: 92e4d38e17e4dc32519df7324013477908c9cb725ea29aea6e4fd8c27eb7087d
SHA1: c26d5fbe02f8b0e6a40672b12e69ee78343e9a41
MD5: 239163e6019670e326087aa59adb5007
Strike ID: M20-0hr01
Malware: Maze_fba4cbb7
Platform: Windows
Info: This strike sends a malware sample known as Maze. Maze, also known as ChaCha ransomware, not only encrypts files on the targeted system but also releases stolen victim data to the public if the ransom is not paid. It has been delivered through several methods, including exploit kits, remote desktop connections and phishing emails. The malware also uses many anti-reversing and anti-analysis features that make examining it considerably more difficult.
External References: https://labs.sentinelone.com/maze-ransomware-update-extorting-and-exposing-victims/
SHA256: 5c9b7224ffd2029b6ce7b82ea40d63b9d4e4f502169bc91de88b4ea577f52353
SHA1: aa6cd2698d4f9a7fa99f5807f4b6695a0bfd0124
MD5: fba4cbb7167176990d5a8d24e9505f71
Strike ID: M20-a7bi1
Malware: Netwalker_cc113e42
Platform: Windows
Info: This strike sends a malware sample known as Netwalker. Netwalker, also known as Mailto, is ransomware that encrypts Windows files on compromised enterprise networks, appending the .mailto extension. It uses the victim's own network to reach and encrypt every Windows device.
External References: https://news.sophos.com/en-us/2020/05/27/netwalker-ransomware-tools-give-insight-into-threat-actor/
SHA256: eb1470786fda58fc8291e099c7fcd5d36a04de85d1f6fe8683c1950b7119314e
SHA1: 5b165601b8d0b13a8833c31cb36644aea8121f74
MD5: cc113e42c52c6e4e7beca74829b89a68
Strike ID: M20-kkmm1
Malware: Sodinokibi_e713658b
Platform: Windows
Info: This strike sends a malware sample known as Sodinokibi. Sodinokibi ransomware has exploited an Oracle WebLogic vulnerability to gain access to target systems. Once inside, it attempts to elevate privileges so that it can access all files and resources on the system without restriction. It then wipes all files in the backup folder.
External References: https://www.acronis.com/en-us/articles/sodinokibi-ransomware/
SHA256: e5d23a3bb61b99e227bb8cbfc0e7f1e40fea34aac4dcb80acc925cfd7e3d18ec
SHA1: 8b1d4ae7cbc6c0fa0705122b9556745670863214
MD5: e713658b666ff04c9863ebecb458f174
Strike ID: M20-mc031
Malware: DoppelPaymer_81f50e95
Platform: Windows
Info: This strike sends a malware sample known as DoppelPaymer. DoppelPaymer ransomware is a variant of BitPaymer and contains source code found in both Dridex and BitPaymer. It has been delivered primarily by Dridex, but also through numerous other methods such as malspam, botnets and exploits.
External References: https://www.sentinelone.com/blog/yara-hunting-for-code-reuse-doppelpaymer-ransomware-dridex-families/
SHA256: 46254a390027a1708f6951f8af3da13d033dee9a71a4ee75f257087218676dd5
SHA1: 3b24602e453950a1391124f348bc897593ddfab9
MD5: 81f50e95bfbbe7d86229ac9592febf2f
Strike ID: M20-b1vh1
Malware: Ryuk_3925ae7d
Platform: Windows
Info: This strike sends a malware sample known as Ryuk. Ryuk is highly targeted ransomware that has infected numerous organizations worldwide. Its operators perform extensive network mapping and hands-on intrusion; because the attack is targeted, credential collection is required and takes place in advance.
External References: https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ryuk-ransomware-attack-rush-to-attribution-misses-the-point/
SHA256: 884efd1521e2fff9a05e7428239b3d9b92442ecef1248dd2bb295b253016dfb5
SHA1: 948af4614e8ff150fbe0bc38f40806b457acaf3a
MD5: 3925ae7df3328773be923f74d70555e3
Strike ID: M20-d9ti1
Malware: DoppelPaymer_69061465
Platform: Windows
Info: This strike sends a malware sample known as DoppelPaymer. DoppelPaymer ransomware is a variant of BitPaymer and contains source code found in both Dridex and BitPaymer. It has been delivered primarily by Dridex, but also through numerous other methods such as malspam, botnets and exploits.
External References: https://www.sentinelone.com/blog/yara-hunting-for-code-reuse-doppelpaymer-ransomware-dridex-families/
SHA256: b9a8710e55bb2d55bbeed9cebb83ac2f18f78818f0c05f18c96f766c8c47e2d9
SHA1: 963f6c4e2f7c202fd1676eee27c160de2ad2f774
MD5: 69061465ae5067710402c832412e2dae
Strike ID: M20-nx2s1
Malware: CLOP_508a671c
Platform: Windows
Info: This strike sends a polymorphic malware sample known as CLOP. CLOP ransomware was originally detected as a variant of the CryptoMix ransomware family. It now targets entire networks rather than individual machines and attempts to disable Windows Defender and other security tools. Before it begins encrypting the system, it terminates targeted processes, which can include debuggers, text editors and IDEs as well as a range of Windows 10 and Microsoft application processes. The binary has the checksum field cleared in the PE header.
External References: https://arxiv.org/abs/1801.08917
SHA256: f1884560d6384a695360251b63b465d12d52095e71bc1a073a1d32243bdd537a
SHA1: 5324545e7713fbb38ea01f825a14626c30b9f428
PARENTID: M20-eoc31
SSDEEP: 6144:rrazEX0203RegvjxnpGhu3BJMIp2CuvY63:/+3JpGEBJMg2CuvY6
MD5: 508a671cf24f381582459ccda863d520
Strike ID: M20-g3yi1
Malware: Netwalker_dabbc5e5
Platform: Mixed
Info: This strike sends a malware sample known as Netwalker. Netwalker, also known as Mailto, is ransomware that encrypts Windows files on compromised enterprise networks, appending the .mailto extension. It uses the victim's own network to reach and encrypt every Windows device.
External References: https://news.sophos.com/en-us/2020/05/27/netwalker-ransomware-tools-give-insight-into-threat-actor/
SHA256: e1a8a38dda16a7815bd20a96f46bd978ac41f2acf927993ad965abb258123d8c
SHA1: 79e6d0dbdfb89350fcf924c6554a5b7c79d4d66d
MD5: dabbc5e50b9275cb2996c50fd81e64b4
Strike ID: M20-oroy1
Malware: Nemty_37aaba6b
Platform: Windows
Info: This strike sends a malware sample known as Nemty. Nemty is ransomware-as-a-service: once purchased, the affiliate is granted access to a web portal where they can build custom versions of the ransomware. It has been seen delivered via email spam (malspam) campaigns, botnets, exploit kits, fake PayPal sites, and by brute-forcing RDP endpoints.
External References: https://www.mcafee.com/blogs/other-blogs/mcafee-labs/nemty-ransomware-learning-by-doing/
SHA256: 505c0ca5ad0552cce9e047c27120c681ddce127d13afa8a8ad96761b2487191b
SHA1: 02637179c597eaa821ff190ef89ba9eb013a6ea2
MD5: 37aaba6b18c9c1b8150dae4f1d31e97d
Strike ID: M20-nyqm1
Malware: Tycoon_f28c603b
Platform: Windows
Info: This strike sends a malware sample known as Tycoon. Tycoon is multi-platform, Java-based ransomware that targets Windows and Linux systems.
External References: https://cyberflorida.org/threat-advisory/tycoon-ransomware/
SHA256: 868cb8251a245c416cd92fcbd3e30aa7b7ca7c271760fa120d2435fd3bf2fde9
SHA1: a2c17f04ce259125bc43c8d6227ef594df51f18a
MD5: f28c603bbe75516372159bb79ef3eb63
Strike ID: M20-4eyf1
Malware: Netwalker_5ce75526
Platform: Windows
Info: This strike sends a malware sample known as Netwalker. Netwalker, also known as Mailto, is ransomware that encrypts Windows files on compromised enterprise networks, appending the .mailto extension. It uses the victim's own network to reach and encrypt every Windows device.
External References: https://news.sophos.com/en-us/2020/05/27/netwalker-ransomware-tools-give-insight-into-threat-actor/
SHA256: 4df67a9e8abab33856a586cea38b0d365fbbe0d91ee848f270c65f0125d2d677
SHA1: 1e1b1c4ae648786fe429c9ddd2182e0d58bcf423
MD5: 5ce75526a25c81d0178d8092251013f0
Strike ID: M20-yq7k1
Malware: Nemty_0e0b7b23
Platform: Windows
Info: This strike sends a malware sample known as Nemty. Nemty is ransomware-as-a-service: once purchased, the affiliate is granted access to a web portal where they can build custom versions of the ransomware. It has been seen delivered via email spam (malspam) campaigns, botnets, exploit kits, fake PayPal sites, and by brute-forcing RDP endpoints.
External References: https://www.mcafee.com/blogs/other-blogs/mcafee-labs/nemty-ransomware-learning-by-doing/
SHA256: 267a9dcf77c33a1af362e2080aaacc01a7ca075658beb002ab41e0712ffe066e
SHA1: 703f5f6a5130868a7c3ec06b40b9f37656c86d24
MD5: 0e0b7b238a06a2a37a4de06a5ab5e615
Strike ID: M20-gc8v1
Malware: Netwalker_3cfd36a7
Platform: Mixed
Info: This strike sends a malware sample known as Netwalker. Netwalker, also known as Mailto, is ransomware that encrypts Windows files on compromised enterprise networks, appending the .mailto extension. It uses the victim's own network to reach and encrypt every Windows device.
External References: https://news.sophos.com/en-us/2020/05/27/netwalker-ransomware-tools-give-insight-into-threat-actor/
SHA256: 5daf828fd452f5325c28bc145a86d3d943cd86bb13ffe35c440ebf3cd2a45522
SHA1: 807d30f37bf2e052a253f64d102a7ab21933567b
MD5: 3cfd36a72db703e25aecd51eb74f0feb
Strike ID: M20-30im1
Malware: Netwalker_645c720f
Platform: Windows
Info: This strike sends a malware sample known as Netwalker. Netwalker, also known as Mailto, is ransomware that encrypts Windows files on compromised enterprise networks, appending the .mailto extension. It uses the victim's own network to reach and encrypt every Windows device.
External References: https://news.sophos.com/en-us/2020/05/27/netwalker-ransomware-tools-give-insight-into-threat-actor/
SHA256: 29aef790399029029e0443455d72a8b928854a0706f2e211ae7a03bba0e3d4f4
SHA1: 16094d75f4bb593b196210e5d082a7abcdce1d8c
MD5: 645c720ff0eb7d946ec3b4a6f609b7bc
Strike ID: M20-37651
Malware: Tycoon_b58476f6
Platform: Windows
Info: This strike sends a malware sample known as Tycoon. Tycoon is multi-platform, Java-based ransomware that targets Windows and Linux systems.
External References: https://cyberflorida.org/threat-advisory/tycoon-ransomware/
SHA256: 44b5d24e5e8fd8e8ee7141f970f76a13c89dd26c44b336dc9d6b61fda3abf335
SHA1: 77676865f875eff23699189f57c37c76b92ba2b9
MD5: b58476f659782f770854726847601fda
Strike ID: M20-86kc1
Malware: REvil_3777f3e0
Platform: Windows
Info: This strike sends a malware sample known as REvil. REvil, also known as Sodinokibi, operates as ransomware-as-a-service (RaaS) and has recently been seen targeting law firms representing A-list celebrities. The attackers threaten not only the loss of all encrypted data but also the public leak of stolen client data.
External References: https://malware.news/t/changes-in-revil-ransomware-version-2-2/39556
SHA256: 6953d86d09cb8ed34856b56f71421471718ea923cd12c1e72224356756db2ef1
SHA1: a7e6a0986b641d66b12d14752b20a470c9ba692e
MD5: 3777f3e092f2208c6670c01816562a7d
Strike ID: M20-suzd1
Malware: DoppelPaymer_a6a31da6
Platform: Windows
Info: This strike sends a polymorphic malware sample known as DoppelPaymer. DoppelPaymer ransomware is a variant of BitPaymer and contains source code found in both Dridex and BitPaymer. It has been delivered primarily by Dridex, but also through numerous other methods such as malspam, botnets and exploits. The binary has one section renamed to a random name that is still valid under the PE format specification.
External References: https://arxiv.org/abs/1801.08917
SHA256: 692922af8eb58fda7ecf086937e02fd2cd0e89a233a19fa3a2bf531dde172c31
SHA1: 60858d68463e69043c7f118f8647974bb0cbba1d
PARENTID: M20-zug71
SSDEEP: 98304:z56LOFQCSMkpjLzCq37suo9LtkYzQi0YSUiBDXfN/:zsLOqCkLzDouoOS36XV/
MD5: a6a31da60473168dc613b64c7a00fc5e
Strike ID: M20-u36z1
Malware: Nemty_348c3597
Platform: Windows
Info: This strike sends a malware sample known as Nemty. Nemty is ransomware-as-a-service: once purchased, the affiliate is granted access to a web portal where they can build custom versions of the ransomware. It has been seen delivered via email spam (malspam) campaigns, botnets, exploit kits, fake PayPal sites, and by brute-forcing RDP endpoints.
External References: https://www.mcafee.com/blogs/other-blogs/mcafee-labs/nemty-ransomware-learning-by-doing/
SHA256: 69a44e62abd294bb262906814ce385296eafaa8f0fab82c8c453c19796839549
SHA1: 71917d536b3418fd1ce005ecb96976d172e356c3
MD5: 348c3597c7d31c72ea723d5f7082ff87
Strike ID: M20-tv9r1
Malware: Nemty_0f3deda4
Platform: Windows
Info: This strike sends a malware sample known as Nemty. Nemty is ransomware-as-a-service: once purchased, the affiliate is granted access to a web portal where they can build custom versions of the ransomware. It has been seen delivered via email spam (malspam) campaigns, botnets, exploit kits, fake PayPal sites, and by brute-forcing RDP endpoints.
External References: https://www.mcafee.com/blogs/other-blogs/mcafee-labs/nemty-ransomware-learning-by-doing/
SHA256: a5590a987d125a8ca6629e33e3ff1f3eb7d5f41f62133025d3476e1a6e4c6130
SHA1: 70dac7f3934659e583f962e7c5bff51a4b97dd11
MD5: 0f3deda483df5e5f8043ea20297d243b
Strike ID: M20-mcxn1
Malware: DoppelPaymer_b2a0c322
Platform: Windows
Info: This strike sends a polymorphic malware sample known as DoppelPaymer. DoppelPaymer ransomware is a variant of BitPaymer and contains source code found in both Dridex and BitPaymer. It has been delivered primarily by Dridex, but also through numerous other methods such as malspam, botnets and exploits. The binary has random strings (lorem ipsum) appended at the end of the file.
External References: https://attack.mitre.org/techniques/T1009/
SHA256: 7823b40d3a721e9fb556489f19f044009244ec9f2c69bd7b406bc603f475f99d
SHA1: 6fa2213a9f3429c0b0dae4cfab53d70737204219
PARENTID: M20-zug71
SSDEEP: 98304:556LOFQCSMkpjLzCq37suo9LtkYzQi0YSUiBDXfN2:5sLOqCkLzDouoOS36XV2
MD5: b2a0c322572d0f5f52d92dbd336ac14f
Strike ID: M20-u7vw1
Malware: Nemty_5cc1bf61
Platform: Windows
Info: This strike sends a malware sample known as Nemty. Nemty is ransomware-as-a-service: once purchased, the affiliate is granted access to a web portal where they can build custom versions of the ransomware. It has been seen delivered via email spam (malspam) campaigns, botnets, exploit kits, fake PayPal sites, and by brute-forcing RDP endpoints.
External References: https://www.mcafee.com/blogs/other-blogs/mcafee-labs/nemty-ransomware-learning-by-doing/
SHA256: 6a07996bc77bc6fe54acc8fd8d5551a00deaea3cc48f097f18955b06098c4bd3
SHA1: 5ba5abc14c4e756a679cbafbc41440458620b268
MD5: 5cc1bf6122d38de907d558ec6851377c
M20-ml6e1 | DoppelPaymer_2d1e555a | Windows | This strike sends a polymorphic malware sample known as DoppelPaymer. DoppelPaymer ransomware is a variant of the BitPaymer ransomware. It contains source code that can be found in both Dridex and BitPaymer. It has been delivered primarily by Dridex; however, it has also been delivered via numerous other methods such as malspam, botnets, and exploits. The binary has random contents appended in one of the existing sections of the PE file. | 2d1e555aa68fcc2672e03c976203f96d | https://arxiv.org/abs/1801.08917
SHA256: 7f53022212625070e4166c274634efe4023a23a1dc63c9fd14ca3e68082076ed
SHA1: d7200fe3bc2fb6b1b44fa4fbe485d7310c021af4
PARENTID: M20-zug71
SSDEEP: 98304:559LOFQCSMkpjLzCq37suo9LtkYzQi0YSUiBDXfN/:5LLOqCkLzDouoOS36XV/
MD5: 2d1e555aa68fcc2672e03c976203f96d
M20-83i11 | Emotet_ef389a78 | Mixed | This strike sends a malware sample known as Emotet. Emotet is one of the most distributed active malware families today. It is modular malware in that it can deliver various payloads. Emotet often comes from Microsoft Office document macros that are sent with malicious emails. | ef389a7806af11a628bcce9be3897f72 | https://blog.talosintelligence.com/2020/10/threat-roundup-1009-1016.html
SHA256: e145443e68242815362d6737543409a1adb395879c75c43849abd5e401df522d
SHA1: 820b81f34cbb249ba29703ba85b9b658b6be8217
MD5: ef389a7806af11a628bcce9be3897f72
M20-9pt11 | Netwalker_8fbc17d6 | Mixed | This strike sends a malware sample known as Netwalker. Netwalker, also known as Mailto, is ransomware that encrypts Windows files on compromised enterprise networks with the mailto extension. It uses the victim's network to encrypt all Windows devices. | 8fbc17d634009cb1ce261b5b3b2f2ecb | https://news.sophos.com/en-us/2020/05/27/netwalker-ransomware-tools-give-insight-into-threat-actor/
SHA256: fd29001b8b635e6c51270788bab7af0bb5adba6917c278b93161cfc2bc7bd6ae
SHA1: d35cbad4163a967f66be460bac029895506917ed
MD5: 8fbc17d634009cb1ce261b5b3b2f2ecb
M20-du8w1 | REvil_9ecca170 | Windows | This strike sends a malware sample known as REvil. REvil malware, also known as Sodinokibi, operates as a ransomware-as-a-service (RaaS) that has recently been seen targeting law firms of A-list celebrities. The attackers not only pose the threat of losing all encrypted data but also of leaking stolen client data to the public. | 9ecca170d0515fb14c8b78302b8053e7 | https://malware.news/t/changes-in-revil-ransomware-version-2-2/39556
SHA256: ec0c653d5e10fec936dae340bf97c88f153cc0cdf7079632a38a19c876f3c4fe
SHA1: 2b498759c83f05beda20adc991be476934ea0fa8
MD5: 9ecca170d0515fb14c8b78302b8053e7
M20-oz2x1 | REvil_63a945da | Windows | This strike sends a malware sample known as REvil. REvil malware, also known as Sodinokibi, operates as a ransomware-as-a-service (RaaS) that has recently been seen targeting law firms of A-list celebrities. The attackers not only pose the threat of losing all encrypted data but also of leaking stolen client data to the public. | 63a945da1a63a8e56e8220c4ccf7fd0c | https://malware.news/t/changes-in-revil-ransomware-version-2-2/39556
SHA256: ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195
SHA1: a99cf1a2426edeac97c789d0a4b7d38606d7aa45
MD5: 63a945da1a63a8e56e8220c4ccf7fd0c
M20-fmnm1 | Emotet_bd562cd9 | Mixed | This strike sends a malware sample known as Emotet. Emotet is one of the most distributed active malware families today. It is modular malware in that it can deliver various payloads. Emotet often comes from Microsoft Office document macros that are sent with malicious emails. | bd562cd9ad0134eb4ad2600ff5f2a66e | https://blog.talosintelligence.com/2020/10/threat-roundup-1009-1016.html
SHA256: d7f2699f9b7e0c263fcbd73238a883871965586fad16985455a85498ce8b520a
SHA1: 3a251b9817e458d9f1283a324dfd7760757a6f18
MD5: bd562cd9ad0134eb4ad2600ff5f2a66e
M20-p3xt1 | Netwalker_4e59fba2 | Windows | This strike sends a malware sample known as Netwalker. Netwalker, also known as Mailto, is ransomware that encrypts Windows files on compromised enterprise networks with the mailto extension. It uses the victim's network to encrypt all Windows devices. | 4e59fba21c5e9ec603f28a92d9efd8d0 | https://news.sophos.com/en-us/2020/05/27/netwalker-ransomware-tools-give-insight-into-threat-actor/
SHA256: 02cb34da6e620d9428f9c8f375fe96a397464d272f723abd8296c4b420fb0e77
SHA1: e57731be1f15c323a7b55b914a0599722ff3985f
MD5: 4e59fba21c5e9ec603f28a92d9efd8d0
M20-ictz1 | Sekhmet_1343bd0e | Windows | This strike sends a malware sample known as Sekhmet. The Sekhmet ransomware was used in an attack against gas handling company SilPac in June 2020. This ransomware has been commonly spread via spam email. Once it encrypts the files on the targeted system, it leaves behind a RECOVER-FILES.txt file that includes a ransom note with instructions on how to pay via TOR. | 1343bd0e55191ff224f2a5d4b30cdf3b | https://bazaar.abuse.ch/sample/fceb299326ef4298a3c30e10b31d8c64f1369b182ac256d1eeaf148c1adcea8d/
SHA256: fceb299326ef4298a3c30e10b31d8c64f1369b182ac256d1eeaf148c1adcea8d
SHA1: 6412cbf10ac523452e051267afce4095d7f3d5ac
MD5: 1343bd0e55191ff224f2a5d4b30cdf3b
M20-pmmk1 | Emotet_c73019b6 | Mixed | This strike sends a malware sample known as Emotet. Emotet is one of the most distributed active malware families today. It is modular malware in that it can deliver various payloads. Emotet often comes from Microsoft Office document macros that are sent with malicious emails. | c73019b6b6b46c63f6a45c38b8c2ebbf | https://blog.talosintelligence.com/2020/10/threat-roundup-1009-1016.html
SHA256: 9f2b84e3636d99a49ea3ae417c564253d9a351cc49c756a61c63acd530fd3748
SHA1: aab060435c36a7f930861f9e4fb8dd2d639f7388
MD5: c73019b6b6b46c63f6a45c38b8c2ebbf
M20-gt501 | Tycoon_12a47095 | Windows | This strike sends a malware sample known as Tycoon. Tycoon is a multi-platform Java-based ransomware which targets Windows and Linux systems. | 12a470956f7437a00d7bcf47f1995ea7 | https://cyberflorida.org/threat-advisory/tycoon-ransomware/
SHA256: ce399a2d07c0851164bd8cc9e940b84b88c43ef564846ca654df4abf36c278e6
SHA1: 7301382916d9f5274a4fb847579f75bc69c9c24b
MD5: 12a470956f7437a00d7bcf47f1995ea7
M20-mfyo1 | Tycoon_d3f44bfe | Windows | This strike sends a malware sample known as Tycoon. Tycoon is a multi-platform Java-based ransomware which targets Windows and Linux systems. | d3f44bfe42b2e3c735e9df5bb793b9ef | https://cyberflorida.org/threat-advisory/tycoon-ransomware/
SHA256: 346fdff8d24cbb7ebd56f60933beca37a4437b5e1eb6e64f7ab21d48c862b5b7
SHA1: bf38aca2c659f9eb2b2fa2fad82ccf55b496b0cb
MD5: d3f44bfe42b2e3c735e9df5bb793b9ef
M20-ls811 | Netwalker_cb78a77e | Mixed | This strike sends a malware sample known as Netwalker. Netwalker, also known as Mailto, is ransomware that encrypts Windows files on compromised enterprise networks with the mailto extension. It uses the victim's network to encrypt all Windows devices. | cb78a77e9ab26e4cf759e7d7b34bdbdc | https://news.sophos.com/en-us/2020/05/27/netwalker-ransomware-tools-give-insight-into-threat-actor/
SHA256: f2b96f7d6f1bfd464507790120d07bba46cb4c9856399335748f93ebd52b5696
SHA1: b00710d529aefd25d8d51a2c0577bbb72191bc05
MD5: cb78a77e9ab26e4cf759e7d7b34bdbdc
M20-brxz1 | Emotet_46d69f8e | Mixed | This strike sends a malware sample known as Emotet. Emotet is one of the most distributed active malware families today. It is modular malware in that it can deliver various payloads. Emotet often comes from Microsoft Office document macros that are sent with malicious emails. | 46d69f8e1deebb60b276e62047b7ea8e | https://blog.talosintelligence.com/2020/10/threat-roundup-1009-1016.html
SHA256: 3f5284458a0d2d7d50d7487391aae521f625a8920bfe03a7c88d412f8c17699e
SHA1: bc3590512e097608b61118c4d7079153daa7a1c9
MD5: 46d69f8e1deebb60b276e62047b7ea8e
M20-g9yn1 | REvil_2019e63a | Windows | This strike sends a polymorphic malware sample known as REvil. REvil malware, also known as Sodinokibi, operates as a ransomware-as-a-service (RaaS) that has recently been seen targeting law firms of A-list celebrities. The attackers not only pose the threat of losing all encrypted data but also of leaking stolen client data to the public. The binary has been packed using the UPX packer with the default options. | 2019e63a90b551b369bf42ede3827002 | https://attack.mitre.org/techniques/T1045/
SHA256: cf533171a72bb7178de1e1c03635005893b7698602fe46f2fb37b01474820bb8
SHA1: 76bd674bf1265c82e3c9007f645aef4cb8d4b6e3
PARENTID: M20-du8w1
SSDEEP: 3072:j/3/CvLYtvOT3apvSfg+jhOUtp/yAQSHtRIKeMsTwV:j/IY64vSfg+jRp/JHQ0
MD5: 2019e63a90b551b369bf42ede3827002
M20-jype1 | Emotet_007a2eae | Mixed | This strike sends a malware sample known as Emotet. Emotet is one of the most distributed active malware families today. It is modular malware in that it can deliver various payloads. Emotet often comes from Microsoft Office document macros that are sent with malicious emails. | 007a2eae29bc5bfa2eec17ae8104f61e | https://blog.talosintelligence.com/2020/10/threat-roundup-1009-1016.html
SHA256: b18241915f09540635b0cc900d7652b72af39fa16e4a3fb8a1e17264b3e0b3e0
SHA1: e31d39ca64d7257153201a783d0289852cf0ecb2
MD5: 007a2eae29bc5bfa2eec17ae8104f61e
M20-d64w1 | Netwalker_747dc998 | Windows | This strike sends a malware sample known as Netwalker. Netwalker, also known as Mailto, is ransomware that encrypts Windows files on compromised enterprise networks with the mailto extension. It uses the victim's network to encrypt all Windows devices. | 747dc998c4cf60c6d40a77de18a9aa62 | https://news.sophos.com/en-us/2020/05/27/netwalker-ransomware-tools-give-insight-into-threat-actor/
SHA256: 664a129052f024acaca3ca8df9b52a432e2172678b1f80af82fcd2ec9d642e18
SHA1: 0e76db2d2a61b5983c295bb325049b64e74b40ba
MD5: 747dc998c4cf60c6d40a77de18a9aa62
M20-lm8y1 | Nefilim_70e4b9b7 | Windows | This strike sends a malware sample known as Nefilim. Nefilim ransomware shares much of its code with the popular RaaS known as Nemty; however, Nefilim instructs victims to contact the attackers via email rather than through a payment portal. Victims are mainly infected through vulnerable RDP services. Once the system has been infected, the malware establishes persistence and begins to exfiltrate credentials where possible. It then delivers the ransomware payloads to the intended targets. | 70e4b9b7a83473687e5784489d556c87 | https://labs.sentinelone.com/meet-nemty-successor-nefilim-nephilim-ransomware/
SHA256: 5ab834f599c6ad35fcd0a168d93c52c399c6de7d1c20f33e25cb1fdb25aec9c6
SHA1: 1f594456d88591d3a88e1cdd4e93c6c4e59b746c
MD5: 70e4b9b7a83473687e5784489d556c87
M20-q9iy1 | Ryuk_40492c17 | Windows | This strike sends a malware sample known as Ryuk. Ryuk is a highly targeted ransomware attack that has infected numerous organizations worldwide. The malware performs extensive network mapping and hacking. Because it is targeted, credential collection is required and takes place in advance. | 40492c178079e65dfd5449bf899413b6 | https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ryuk-ransomware-attack-rush-to-attribution-misses-the-point/
SHA256: fe909d18cf0fde089594689f9a69fbc6d57b69291a09f3b9df1e9b1fb724222b
SHA1: f3fa5d5942e5085586d7fcc496d3fad7804abcc2
MD5: 40492c178079e65dfd5449bf899413b6
M20-qi7u1 | Nemty_dcec4fed | Windows | This strike sends a malware sample known as Nemty. Nemty is a Ransomware-as-a-Service. Once obtained, a user is granted access to a web portal where they are able to create custom versions of the ransomware. It has been spotted being delivered via email spam (malspam) campaigns, botnets, exploit kits, PayPal dummy sites, and by brute-forcing RDP endpoints. | dcec4fed3b60705eafdc5cbff4062375 | https://www.mcafee.com/blogs/other-blogs/mcafee-labs/nemty-ransomware-learning-by-doing/
SHA256: 688994783ce56427f20e6e2d206e5eee009fcc157ba37737dce1b14a326cc612
SHA1: ef71426550dc3a3121746b475bf9a8416a73ca54
MD5: dcec4fed3b60705eafdc5cbff4062375
M20-u2sg1 | Sodinokibi_bf935904 | Windows | This strike sends a malware sample known as Sodinokibi. Sodinokibi ransomware takes advantage of an Oracle WebLogic vulnerability to gain access to the target system. Once inside, it attempts to elevate privileges in order to access all files and resources on the system without any restriction. It then wipes out all files in the backup folder. | bf9359046c4f5c24de0a9de28bbabd14 | https://www.acronis.com/en-us/articles/sodinokibi-ransomware/
SHA256: 963e31fef7c8db9e002c56ee30fd3cd4b240db466bc23687979e2f161ba5606e
SHA1: d1f7c41154cbbc9cd84203fe6067d1b93001dde6
MD5: bf9359046c4f5c24de0a9de28bbabd14
M20-23yc1 | Ryuk_db2766c6 | Windows | This strike sends a malware sample known as Ryuk. Ryuk is a highly targeted ransomware attack that has infected numerous organizations worldwide. The malware performs extensive network mapping and hacking. Because it is targeted, credential collection is required and takes place in advance. | db2766c6f43c25951cdd38304d328dc1 | https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ryuk-ransomware-attack-rush-to-attribution-misses-the-point/
SHA256: aacfc3e386ed12082923d03fa1120d5fa6bf7b8655ba77e04b96a45434fa9a83
SHA1: fc62460c6ddd671085cde0138cf3d999e1db08cf
MD5: db2766c6f43c25951cdd38304d328dc1
M20-vc5b2 | Netwalker_25c0fde0 | Mixed | This strike sends a malware sample known as Netwalker. Netwalker, also known as Mailto, is ransomware that encrypts Windows files on compromised enterprise networks with the mailto extension. It uses the victim's network to encrypt all Windows devices. | 25c0fde038e01fe84fd3df69c99e60a1 | https://news.sophos.com/en-us/2020/05/27/netwalker-ransomware-tools-give-insight-into-threat-actor/
SHA256: 129a0f0f4dd667e3ecbcc252b890f306eb041ad0295cb1511343c307c12a658d
SHA1: 147c1adc615daa93e84a5a9210ccc14ae86f6c55
MD5: 25c0fde038e01fe84fd3df69c99e60a1
M20-qr3q1 | Netwalker_d09cfda2 | Windows | This strike sends a malware sample known as Netwalker. Netwalker, also known as Mailto, is ransomware that encrypts Windows files on compromised enterprise networks with the mailto extension. It uses the victim's network to encrypt all Windows devices. | d09cfda29f178f57dbce6895cfb68372 | https://news.sophos.com/en-us/2020/05/27/netwalker-ransomware-tools-give-insight-into-threat-actor/
SHA256: f298725e197f974b7a8407c5d79114a4ac322c573813d543141ccf1d9119dd8b
SHA1: 82720e4d3fb83baff552ec25eea0fed2befe94fa
MD5: d09cfda29f178f57dbce6895cfb68372
M20-2sw81 | Netwalker_63eb7712 | Windows | This strike sends a malware sample known as Netwalker. Netwalker, also known as Mailto, is ransomware that encrypts Windows files on compromised enterprise networks with the mailto extension. It uses the victim's network to encrypt all Windows devices. | 63eb7712d7c9d495e8a6be937bdb1960 | https://news.sophos.com/en-us/2020/05/27/netwalker-ransomware-tools-give-insight-into-threat-actor/
SHA256: 0d0ed90929351c08c47dbd7541073d037240718c4a2fd63c09d2377090d4cd7a
SHA1: 1897bcfc7f3d4a36bdd29da61e87ba00812dca24
MD5: 63eb7712d7c9d495e8a6be937bdb1960
M20-wimr1 | Netwalker_b49ea177 | Mixed | This strike sends a malware sample known as Netwalker. Netwalker, also known as Mailto, is ransomware that encrypts Windows files on compromised enterprise networks with the mailto extension. It uses the victim's network to encrypt all Windows devices. | b49ea17739f484b2ccccf79f245186f3 | https://news.sophos.com/en-us/2020/05/27/netwalker-ransomware-tools-give-insight-into-threat-actor/
SHA256: 7a456f306593a051bea004493f073bb54c5135d8ce3c428f2433c877afd858f3
SHA1: 5c3aede31aaa0c77bfc56111ec39ac0503662dd7
MD5: b49ea17739f484b2ccccf79f245186f3
M20-m0cs1 | Maze_bd9838d8 | Windows | This strike sends a malware sample known as Maze. Maze malware, also known as ChaCha ransomware, is known for not only encrypting files on the targeted system but also for releasing stolen victim information to the public if the ransom is not paid. The ransomware has been delivered via several methods including exploit kits, remote desktop connections and phishing emails. This malware also utilizes many anti-reversing and anti-analysis features that make examining it much more difficult. | bd9838d84fd77205011e8b0c2bd711e0 | https://labs.sentinelone.com/maze-ransomware-update-extorting-and-exposing-victims/
SHA256: b345697c16f84d3775924dc17847fa3ff61579ee793a95248e9c4964da586dd1
SHA1: c5938ec75e5b655be84eb94d73adec0f63fbce16
MD5: bd9838d84fd77205011e8b0c2bd711e0
M20-bbin1 | Ryuk_d7697d0d | Windows | This strike sends a malware sample known as Ryuk. Ryuk is a highly targeted ransomware attack that has infected numerous organizations worldwide. The malware performs extensive network mapping and hacking. Because it is targeted, credential collection is required and takes place in advance. | d7697d0d692bd883e53036b906108d56 | https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ryuk-ransomware-attack-rush-to-attribution-misses-the-point/
SHA256: 5b1ab6fae05ca9005ee7026cc30fb79780c470d6a920a63383c3496381778fb5
SHA1: cbff9d66d68fa67e40ca4a295daed68f0d5f8383
MD5: d7697d0d692bd883e53036b906108d56
M20-vqz11 | Maze_a0dc59b0 | Windows | This strike sends a malware sample known as Maze. Maze malware, also known as ChaCha ransomware, is known for not only encrypting files on the targeted system but also for releasing stolen victim information to the public if the ransom is not paid. The ransomware has been delivered via several methods including exploit kits, remote desktop connections and phishing emails. This malware also utilizes many anti-reversing and anti-analysis features that make examining it much more difficult. | a0dc59b0f4fdf6d4656946865433bcce | https://labs.sentinelone.com/maze-ransomware-update-extorting-and-exposing-victims/
SHA256: 9d86beb9d4b07dec9db6a692362ac3fce2275065194a3bda739fe1d1f4d9afc7
SHA1: c10fd0163c42f1149d5dcfb44e31b53a4fe6c6c9
MD5: a0dc59b0f4fdf6d4656946865433bcce
M20-eoc31 | CLOP_a04eb443 | Windows | This strike sends a malware sample known as CLOP. CLOP ransomware was originally detected as a variant of the CryptoMix ransomware family. It currently targets entire networks instead of individual machines and even attempts to disable Windows Defender and other security tools. Before it begins encryption of the system, it disables target processes, which can include debuggers, text editors and IDEs, as well as a host of Windows processes like Windows 10 and Microsoft applications. | a04eb443870896fbe9a0b6468c4844f7 | https://www.trendmicro.com/vinfo/ae/security/news/cybercrime-and-digital-threats/ransomware-recap-clop-deathransom-and-maze-ransomware
SHA256: a867deb1578088d066941c40e598e4523ab5fd6c3327d3afb951073bee59fb02
SHA1: e3001ef25b1386763caec9b5339ec6ddb0275a71
MD5: a04eb443870896fbe9a0b6468c4844f7
M20-7blu1 | REvil_1a0545bb | Windows | This strike sends a polymorphic malware sample known as REvil. REvil malware, also known as Sodinokibi, operates as a ransomware-as-a-service (RaaS) that has recently been seen targeting law firms of A-list celebrities. The attackers not only pose the threat of losing all encrypted data but also of leaking stolen client data to the public. The binary has random strings (lorem ipsum) appended at the end of the file. | 1a0545bbcac7a44a1406cdac135288ca | https://attack.mitre.org/techniques/T1009/
SHA256: 8c744fefa5d609f9c57eb147e22e74680585e19d27f49244dd4c629db21a7502
SHA1: 7f24239d5e392dffbca97c562bec63435a93858f
PARENTID: M20-du8w1
SSDEEP: 3072:1LFrb30BRtBZZg+i2ayy2RjLTuVyu7CJDgoMT3Qt6tCImQ:ZJ0BXScFy2RsQJ8zgQX
MD5: 1a0545bbcac7a44a1406cdac135288ca
M20-fod61 | Netwalker_9172586c | Windows | This strike sends a malware sample known as Netwalker. Netwalker, also known as Mailto, is ransomware that encrypts Windows files on compromised enterprise networks with the mailto extension. It uses the victim's network to encrypt all Windows devices. | 9172586c2f870ab76eb0852d1f4dfaea | https://news.sophos.com/en-us/2020/05/27/netwalker-ransomware-tools-give-insight-into-threat-actor/
SHA256: 167bf2356e65b04407cd2d8299a9b315f213808b04c341f6aad5820fc46a3c49
SHA1: 69e858f578fb0e7fdfb1d26db52dd6a95f5802ff
MD5: 9172586c2f870ab76eb0852d1f4dfaea
M20-v87c1 | Netwalker_2f720c55 | Mixed | This strike sends a malware sample known as Netwalker. Netwalker, also known as Mailto, is ransomware that encrypts Windows files on compromised enterprise networks with the mailto extension. It uses the victim's network to encrypt all Windows devices. | 2f720c55dc1969da5299a45e031816ae | https://news.sophos.com/en-us/2020/05/27/netwalker-ransomware-tools-give-insight-into-threat-actor/
SHA256: 940d411e8f6c3aecfebc74614f856b892aaf0ad546b0aeec4152a75711a4267c
SHA1: 6da8ae1da95a0c96b432ad822076a0255e6744fd
MD5: 2f720c55dc1969da5299a45e031816ae
M20-ckxn1 | Nefilim_dfd4dbfd | Windows | This strike sends a malware sample known as Nefilim. Nefilim ransomware shares much of its code with the popular RaaS known as Nemty; however, Nefilim instructs victims to contact the attackers via email rather than through a payment portal. Victims are mainly infected through vulnerable RDP services. Once the system has been infected, the malware establishes persistence and begins to exfiltrate credentials where possible. It then delivers the ransomware payloads to the intended targets. | dfd4dbfd7cbd6179fc371e5f887f189c | https://labs.sentinelone.com/meet-nemty-successor-nefilim-nephilim-ransomware/
SHA256: 353ee5805bc5c7a98fb5d522b15743055484dc47144535628d102a4098532cd5
SHA1: bbcb2354ef001f476025635741a6caa00818cbe7
MD5: dfd4dbfd7cbd6179fc371e5f887f189c
M20-vcwy1 | Netwalker_6528c101 | Windows | This strike sends a malware sample known as Netwalker. Netwalker, also known as Mailto, is ransomware that encrypts Windows files on compromised enterprise networks with the mailto extension. It uses the victim's network to encrypt all Windows devices. | 6528c1013ddb23f6eeca08d02f3d7834 | https://news.sophos.com/en-us/2020/05/27/netwalker-ransomware-tools-give-insight-into-threat-actor/
SHA256: c677014c312b87da89362fbd16f7abf7ba5546220000bfdaa0f77bba1edf5144
SHA1: 61905f80bd29b2bd0cd522a7e822aeb8733bb78c
MD5: 6528c1013ddb23f6eeca08d02f3d7834
M20-jyvy1 | Emotet_4247302f | Mixed | This strike sends a malware sample known as Emotet. Emotet is one of the most distributed active malware families today. It is modular malware in that it can deliver various payloads. Emotet often comes from Microsoft Office document macros that are sent with malicious emails. | 4247302ff7876d70434aa55bf65fe7e1 | https://blog.talosintelligence.com/2020/10/threat-roundup-1009-1016.html
SHA256: e3f75fa3896fe0551e1a892b0bf308e786326218836e5824fcfac7cd813c142e
SHA1: 39feb1450fe49ee8c82766f0f7d9e1ca6c3998cf
MD5: 4247302ff7876d70434aa55bf65fe7e1
M20-d4cb1 | Emotet_97e77c7d | Mixed | This strike sends a malware sample known as Emotet. Emotet is one of the most distributed active malware families today. It is modular malware in that it can deliver various payloads. Emotet often comes from Microsoft Office document macros that are sent with malicious emails. | 97e77c7db614b3304ea6ef7a598697fb | https://blog.talosintelligence.com/2020/10/threat-roundup-1009-1016.html
SHA256: 3dc27bfea129de80fabb8e5ec05816202ae50e9b182b9d1f67546491c7fbe01c
SHA1: 1744fd5bcb9e4162bcbf6a44a9da5cfbb698a7bd
MD5: 97e77c7db614b3304ea6ef7a598697fb
M20-rqxl1 | Nefilim_053ec539 | Windows | This strike sends a malware sample known as Nefilim. Nefilim ransomware shares much of its code with the popular RaaS known as Nemty; however, Nefilim instructs victims to contact the attackers via email rather than through a payment portal. Victims are mainly infected through vulnerable RDP services. Once the system has been infected, the malware establishes persistence and begins to exfiltrate credentials where possible. It then delivers the ransomware payloads to the intended targets. | 053ec539c138afb99054bd362bb3ed71 | https://labs.sentinelone.com/meet-nemty-successor-nefilim-nephilim-ransomware/
SHA256: b8066b7ec376bc5928d78693d236dbf47414571df05f818a43fb5f52136e8f2e
SHA1: d87847810db8af546698e47653452dcd089c113e
MD5: 053ec539c138afb99054bd362bb3ed71
M20-9hz81 | Nefilim_659c4b68 | Windows | This strike sends a malware sample known as Nefilim. Nefilim ransomware shares much of its code with the popular RaaS known as Nemty; however, Nefilim instructs victims to contact the attackers via email rather than through a payment portal. Victims are mainly infected through vulnerable RDP services. Once the system has been infected, the malware establishes persistence and begins to exfiltrate credentials where possible. It then delivers the ransomware payloads to the intended targets. | 659c4b68f2027905def1af9249feebb3 | https://labs.sentinelone.com/meet-nemty-successor-nefilim-nephilim-ransomware/
SHA256: 35a0bced28fd345f3ebfb37b6f9a20cc3ab36ab168e079498f3adb25b41e156f
SHA1: 2483dc7273b8004ecc0403fbb25d8972470c4ee4
MD5: 659c4b68f2027905def1af9249feebb3

Malware Strikes September - 2020

Strike ID | Malware | Platform | Info | MD5 | External References
M20-3a671 | Emotet_c703787a | Mixed | This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails. | c703787ab240e6a6959b267c71b4927d | https://blog.talosintelligence.com/2020/09/threat-roundup-0904-0911.html
SHA256: 1aa92916074cf5c819de2ea8b9ca9b5f04e1afd1f6ccfeae0a8849c3e8153e46
SHA1: 01dae25c32a749e277e3db4d6251d65b6f2fd5f1
MD5: c703787ab240e6a6959b267c71b4927d
M20-xzln1 | Gandcrab_fc157cd5 | Windows | This strike sends a malware sample known as Gandcrab. GandCrab is ransomware that encrypts documents, photos, databases and other important files, typically using the file extension ".GDCB," ".CRAB" or ".KRAB." GandCrab is spread through both traditional spam campaigns and multiple exploit kits, including Rig and GrandSoft. | fc157cd5d8a9c32ecaec8a273b064296 | https://blog.talosintelligence.com/2020/09/threat-roundup-0904-0911.html
SHA256: 119bd50529bb4cfefcf102346d4f14ec741f48c72ecab7b65417f76fbeae8bc1
SHA1: 10720df03005d7fee3e4bcd9e86732ea89f8b7ce
MD5: fc157cd5d8a9c32ecaec8a273b064296
M20-c7nd1 | Arkei_f3a4bb8f | Windows | This strike sends a malware sample known as Arkei. Arkei is an information-stealing malware that collects passwords, credit card information and web browser cookies. | f3a4bb8fca6d399c3a1a9ff750c48441 | https://blog.talosintelligence.com/2020/09/threat-roundup-0911-0918.html
SHA256: 2296a27b28562b0f72ac638106fa1cbdee429c7261412afcf8ce1820a6bc8e73
SHA1: d50d34dd5e2651ad18b87b4595ea2cb95f334624
MD5: f3a4bb8fca6d399c3a1a9ff750c48441
M20-25ct1 | Arkei_3dc6ef89 | Windows | This strike sends a malware sample known as Arkei. Arkei is an information-stealing malware that collects passwords, credit card information and web browser cookies. | 3dc6ef8923433a89af4bab1e54ccdc02 | https://blog.talosintelligence.com/2020/09/threat-roundup-0911-0918.html
SHA256: 272d4ca5a9e6bf8647e8ac6cb0d426f1f8fdbed0fdb8cf5ceadfe351517d3364
SHA1: cbc2f9e47eb2f58d32fe8befb9b75f62bc46a183
MD5: 3dc6ef8923433a89af4bab1e54ccdc02
M20-y6qp1 | Arkei_e63543c9 | Windows | This strike sends a malware sample known as Arkei. Arkei is an information-stealing malware that collects passwords, credit card information and web browser cookies. | e63543c93b4d214c80e8c589582a7acb | https://blog.talosintelligence.com/2020/09/threat-roundup-0911-0918.html
SHA256: 0f1dc323161ce0b22e510945d2b69f3d4bde2cbbf892761d426ff61735ab8177
SHA1: 7dc1f304ff8cb49664e763c7a57f04c1fa748d05
MD5: e63543c93b4d214c80e8c589582a7acb
M20-vvdu1 | Expiro_b6200879 | Windows | This strike sends a malware sample known as Expiro. Expiro is a known file infector and information-stealer that hinders analysis with anti-debugging and anti-analysis tricks. | b62008793dce122676720498b66b9a14 | https://blog.talosintelligence.com/2020/09/threat-roundup-0911-0918.html
SHA256: 00cae541f806bef35e8b7056c18f0fbfcf4271b5041194773f6ab07af8c17855
SHA1: 960b43d2c75ac4184d92ea68e4c946797049dee7
MD5: b62008793dce122676720498b66b9a14
M20-lo9a1 | Gandcrab_c78096f0 | Windows | This strike sends a malware sample known as Gandcrab. GandCrab is ransomware that encrypts documents, photos, databases and other important files, typically using the file extension ".GDCB," ".CRAB" or ".KRAB." GandCrab is spread through both traditional spam campaigns and multiple exploit kits, including Rig and GrandSoft. | c78096f041d994cc2e007a1a0c09a357 | https://blog.talosintelligence.com/2020/09/threat-roundup-0904-0911.html
SHA256: 12cdd2a84ecd40578e34c33ba6530200e1fdd243e30bfc15e074251b0bbb5e03
SHA1: 2cdd146d664eb7a9b0523a4c3b5e04eb0d2883b7
MD5: c78096f041d994cc2e007a1a0c09a357
M20-wqmk1 | Razy_b42a8425 | Windows | This strike sends a malware sample known as Razy. Razy is often used as a generic detection name for a Windows trojan. This cluster of samples contains encrypted code in the resources section that could be injected into a legitimate process. | b42a842553913cbac45effdc053e9696 | https://blog.talosintelligence.com/2020/09/threat-roundup-0904-0911.html
SHA256: 2af8f1dff3ccc5fa0be79b89473e08a3c30732770cb3c3e529ee6815dd6ad53e
SHA1: 7a41fe8baec119b3aea23e9b2981c198eb32b4bf
MD5: b42a842553913cbac45effdc053e9696
M20-qx671 | Emotet_68b36e7e | Mixed | This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails. | 68b36e7efd2a6f2b24893650e30e15ea | https://blog.talosintelligence.com/2020/09/threat-roundup-0904-0911.html
SHA256: 2455308d12306b5b5ecb3c4de58a0cc1f09f1cfda7b69c936fe447b619e9cddb
SHA1: 07287cbee6e005eec05efb3f1556acffeda10e33
MD5: 68b36e7efd2a6f2b24893650e30e15ea
M20-6i181 | Expiro_cb601c51 | Windows | This strike sends a malware sample known as Expiro. Expiro is a known file infector and information-stealer that hinders analysis with anti-debugging and anti-analysis tricks. | cb601c51cd742f846c50e3feddceb789 | https://blog.talosintelligence.com/2020/09/threat-roundup-0911-0918.html
SHA256: cdfadce2ce67b7448c509d6e9b6a5d7e23aab7b5b4c7659cb83327ea2eb5ebc0
SHA1: 6c5ab487e9f0d24ab5d49aa2e383e273881e25f2
MD5: cb601c51cd742f846c50e3feddceb789
M20-6s511 | Shiz_d072d816 | Windows | This strike sends a malware sample known as Shiz. Shiz is a remote access trojan that allows an attacker to access an infected machine to harvest sensitive information like application passwords and browser cookies. | d072d816a7fd9b22d226fe4e27289e5a | https://blog.talosintelligence.com/2020/09/threat-roundup-0911-0918.html
SHA256: 71b52dfe10bf2ce5a88d06e4c66cdc3b34d933070a7b8e984f9b5ed1cb36a227
SHA1: 9b6ffd470343c4406b0a2c159cd5b51c728a0638
MD5: d072d816a7fd9b22d226fe4e27289e5a
M20-qmpg1 | Arkei_8edaee6d | Windows | This strike sends a polymorphic malware sample known as Arkei. Arkei is an information-stealing malware that collects passwords, credit card information and web browser cookies. The binary has random strings (lorem ipsum) appended at the end of the file. | 8edaee6d0a70ed278c0dbc435d957d31 | https://attack.mitre.org/techniques/T1009/
SHA256: 38800a65afe22c6aa96c06530e18f48f423eb9cdeb45450190c4d61597b140e6
SHA1: 0de58fa1f5bb619e3b98a1bb98601eff3b6c1268
PARENTID: M20-c7nd1
SSDEEP: 3072:AjBiNsFBUawG9dY5AfhTQavJckkZ/p3dyBnf76hoPRO/t:0iyxwG9C5AuaWXP3IBnjNPRO/t
MD5: 8edaee6d0a70ed278c0dbc435d957d31
M20-ygg91 | Shiz_a47a581f | Windows | This strike sends a malware sample known as Shiz. Shiz is a remote access trojan that allows an attacker to access an infected machine to harvest sensitive information like application passwords and browser cookies. | a47a581f94f93bef024f2f9c099ac15e | https://blog.talosintelligence.com/2020/09/threat-roundup-0911-0918.html
SHA256: c6e223d9a20a0f4f21c4c0dd21d6a6fa094b51688322171aa54d7c7a996003db
SHA1: 195a1429cb187fc179806c86d65d75f49b88b4a5
MD5: a47a581f94f93bef024f2f9c099ac15e
M20-5mec1 | Gandcrab_81740cc0 | Windows | This strike sends a malware sample known as Gandcrab. GandCrab is ransomware that encrypts documents, photos, databases and other important files, typically using the file extension ".GDCB," ".CRAB" or ".KRAB." GandCrab is spread through both traditional spam campaigns and multiple exploit kits, including Rig and GrandSoft. | 81740cc0d01c2b9841f1946dadab4263 | https://blog.talosintelligence.com/2020/09/threat-roundup-0904-0911.html
SHA256: 0c80f42e2d6af784935e2804e124e5d5cee2ce62bf7bd19996fb81d3dc121b0e
SHA1: 4bada265a65396b59040944d3ad2f72a58246ce2
MD5: 81740cc0d01c2b9841f1946dadab4263
M20-qmkg1 | Shlayer_4d86ae25 | Mixed | This strike sends a malware sample known as Shlayer. Shlayer is a Trojan family of malware that targets the Mac OS platform. Its main purpose is to infect a system and retrieve additional malware, most typically adware. Like most adware, it displays unwanted advertising on the system. Most recently, Shlayer has been delivered with Apple-notarized applications. | 4d86ae25913374cfcb80a8d798b9016e | https://securelist.com/shlayer-for-macos/95724/, https://objective-see.com/blog/blog_0x4E.html
SHA256: 05a3b34be443c7fabcb89a489c78fb7f27c896da29d125162c8b87f2d2128010
SHA1: f95055be76b834ae61c7d2b077a0639a9d68cf64
MD5: 4d86ae25913374cfcb80a8d798b9016e
M20-rzxv1 | Expiro_b08ad0e8 | Windows | This strike sends a malware sample known as Expiro. Expiro is a known file infector and information-stealer that hinders analysis with anti-debugging and anti-analysis tricks. | b08ad0e8469c891ff4f71ba623e18d01 | https://blog.talosintelligence.com/2020/09/threat-roundup-0911-0918.html
SHA256: bbb8bf6f5c8ff6d1028ba95bd64ddf19175e8a78ef6cea48eabf7fe125112d2e
SHA1: 317e2de8b044605ab31aa37178cf7e4d5931d04c
MD5: b08ad0e8469c891ff4f71ba623e18d01
M20-89ow1 | Razy_f6be4584 | Windows | This strike sends a malware sample known as Razy. Razy is often used as a generic detection name for a Windows trojan. This cluster of samples contains encrypted code in the resources section that could be injected into a legitimate process. | f6be458489923d7fa91bf8d6f28aa5af | https://blog.talosintelligence.com/2020/09/threat-roundup-0904-0911.html
SHA256: 03e97e16c8724c33270953be58da27091a18725edfed7ebb596fa051b029329f
SHA1: 8566b0163fda63052deee03a7139db0063da4178
MD5: f6be458489923d7fa91bf8d6f28aa5af
M20-xxlu1 | KryptoCibule_47a12663 | Windows | This strike sends a malware sample known as KryptoCibule. KryptoCibule is a new malware family that uses the victim's resources to mine coins. It tries to hijack transactions by replacing wallet addresses in the clipboard, and exfiltrates cryptocurrency-related files, all while deploying multiple techniques to avoid detection. | 47a12663fce9b7ad2238f768ba482f49 | https://www.welivesecurity.com/2020/09/02/kryptocibule-multitasking-multicurrency-cryptostealer/, https://www.zdnet.com/article/new-kryptocibule-windows-malware-is-a-triple-threat-for-cryptocurrency-users/
SHA256: 04f3aa4152f3d9a0a9443c2adce00717a7ca4432bf9ced35aa9135ba8067714d
SHA1: 70480d5f4cb10de42dd2c863ddf57102be6fa9e0
MD5: 47a12663fce9b7ad2238f768ba482f49
M20-w8b51 | Arkei_249acf68 | Windows | This strike sends a malware sample known as Arkei. Arkei is an information-stealing malware that collects passwords, credit card information and web browser cookies. | 249acf68b841fb953571ab1ef246b497 | https://blog.talosintelligence.com/2020/09/threat-roundup-0911-0918.html
SHA256: 2cb29b407451530fbf07c2afb72eab72a937df43563073f566a8fcbf6342c8de
SHA1: 5f5799593986ee25b3cef3e7df939e3066fd862b
MD5: 249acf68b841fb953571ab1ef246b497
M20-3v3y1 | Expiro_c71fb079 | Windows | This strike sends a malware sample known as Expiro. Expiro is a known file infector and information-stealer that hinders analysis with anti-debugging and anti-analysis tricks. | c71fb07961cd7b69347f2cb2a6d8a30a | https://blog.talosintelligence.com/2020/09/threat-roundup-0911-0918.html
SHA256: 2478553b39a47ac319550e9bf65c12cc08944bb61d60e8aabb8e48a751f94359
SHA1: 1a00426e5e5120087c7e7b2f39f44e8d4626f2a9
MD5: c71fb07961cd7b69347f2cb2a6d8a30a
M20-pbml1 | Expiro_ca95f186 | Windows | This strike sends a malware sample known as Expiro. Expiro is a known file infector and information-stealer that hinders analysis with anti-debugging and anti-analysis tricks. | ca95f18632c18edea8580ffd5443bb57 | https://blog.talosintelligence.com/2020/09/threat-roundup-0911-0918.html
SHA256: ddb9c3a37b16026ae097ded0b9209c6927bf31e616a18a4649651eb9fc7e07a2
SHA1: 94dd0461eb199aa827389b9f54d7dc5e60565712
MD5: ca95f18632c18edea8580ffd5443bb57
M20-1o0u1 | Shiz_4f199253 | Windows | This strike sends a polymorphic malware sample known as Shiz. Shiz is a remote access trojan that allows an attacker to access an infected machine to harvest sensitive information like application passwords and browser cookies. The binary has random strings (lorem ipsum) appended at the end of the file. | 4f199253542d306639e414eececcefba | https://attack.mitre.org/techniques/T1009/
SHA256: b57f882e4f082c078a104ca8bb52c202a83f3f04bc54d6c6e73f38a222ce4a25
SHA1: cb143ed1001bd317550f025b63bec576a0d0478d
PARENTID: M20-i59h1
SSDEEP: 6144:HZRSUUUUUUUUUUUUUUUm7XQgOraXQgOrtfi9jcxm6rPIXTTX:HZwUUUUUUUUUUUUUUUmg46jIXv
MD5: 4f199253542d306639e414eececcefba
M20-qggl1 | Razy_201dd9a3 | Windows | This strike sends a malware sample known as Razy. Razy is often used as a generic detection name for a Windows trojan. This cluster of samples contains encrypted code in the resources section that could be injected into a legitimate process. | 201dd9a3dac6d9fc554914615c5944ad | https://blog.talosintelligence.com/2020/09/threat-roundup-0904-0911.html
SHA256: 3b72a6c6452e71e537e8d3aa4310d57abfb2a1bd39f3808ef222ccb4af2c35e4
SHA1: 1030d3459f11f9da8b2f93bb043ce0d1d710cd68
MD5: 201dd9a3dac6d9fc554914615c5944ad
M20-toxh1 | Shlayer_1c859729 | Mixed | This strike sends a malware sample known as Shlayer. Shlayer is a Trojan family of malware that targets the Mac OS platform. Its main purpose is to infect a system and retrieve additional malware, most typically adware. Like most adware, it displays unwanted advertising on the system. Most recently, Shlayer has been delivered with Apple-notarized applications. | 1c859729bde4b392eaa1694c19ba5f9c | https://securelist.com/shlayer-for-macos/95724/, https://objective-see.com/blog/blog_0x4E.html
SHA256: f2ca257139e4c20a975f10ee86633e980ae3417e74f05db4c461d60f69bd840c
SHA1: d8a35dfa14623a7d3e034d336ec24c499027c09a
MD5: 1c859729bde4b392eaa1694c19ba5f9c
M20-vk3t1 | Arkei_f7359ffd | Windows | This strike sends a malware sample known as Arkei. Arkei is an information-stealing malware that collects passwords, credit card information and web browser cookies. | f7359ffdc1b165863867f00046c03bd1 | https://blog.talosintelligence.com/2020/09/threat-roundup-0911-0918.html
SHA256: 27a35d3565bf6bef2ec1f80a8604456458d306dbee60bb0dc727e0297002f972
SHA1: 36664016072d469743d538c9f70218bf7b8bc0ae
MD5: f7359ffdc1b165863867f00046c03bd1
M20-r7cy1 | Razy_bb99864d | Windows | This strike sends a malware sample known as Razy. Razy is often used as a generic detection name for a Windows trojan. This cluster of samples contains encrypted code in the resources section that could be injected into a legitimate process. | bb99864d4aef505915898a5b42db891b | https://blog.talosintelligence.com/2020/09/threat-roundup-0904-0911.html
SHA256: 88f398002b7b629049adf26a9838bdaad15ab3d69f1cb44b6fd8c6db9a65d3d9
SHA1: 94096bcdf96703fb89fc590f9f3a9d30ec1cce45
MD5: bb99864d4aef505915898a5b42db891b
M20-5ifk1 | Arkei_f2ef1fc0 | Windows | This strike sends a malware sample known as Arkei. Arkei is an information-stealing malware that collects passwords, credit card information and web browser cookies. | f2ef1fc097d3805815d0f1db06db6c2f | https://blog.talosintelligence.com/2020/09/threat-roundup-0911-0918.html
SHA256: 075c993e56b48fe87c24c0b58b21c8f8b45213073c32606b222b0e5c60854d21
SHA1: 5ddd4886f2dd0b2574cf0321733da8aec154fe8d
MD5: f2ef1fc097d3805815d0f1db06db6c2f
M20-5nro1 | Shiz_d4a279b2 | Windows | This strike sends a polymorphic malware sample known as Shiz. Shiz is a remote access trojan that allows an attacker to access an infected machine to harvest sensitive information like application passwords and browser cookies. The binary has random contents appended in one of the existing sections in the PE file format. | d4a279b2c8c86d8434c24de05f041252 | https://arxiv.org/abs/1801.08917
SHA256: 9229bcc25b746bb789987b3ed450c5003d078f542bf1e374e384d694e6b18090
SHA1: aca889763f115f6b515262bea5909d232b206b28
PARENTID: M20-a5wv1
SSDEEP: 6144:lZRSUUUUUUUUUUUUUUUm7XQgOraXQgOrtmMTYf+3jvneAasScLyzGqiO0z/O8kO/:lZwUUUUUUUUUUUUUUUmpMTYf+3jveA52
MD5: d4a279b2c8c86d8434c24de05f041252
M20-g1en1 | Arkei_8cd00f75 | Windows | This strike sends a malware sample known as Arkei. Arkei is an information-stealing malware that collects passwords, credit card information and web browser cookies. | 8cd00f759280f034e02f6e58720bda7d | https://blog.talosintelligence.com/2020/09/threat-roundup-0911-0918.html
SHA256: 29f2fc13f37a5d7d9acd4819b0e87158b3ffa897d5e3e211e1a251d0334c3332
SHA1: 34e527ae6326b3c4736489da4d3f0e2b0232cdbe
MD5: 8cd00f759280f034e02f6e58720bda7d
M20-nx4m1 | KryptoCibule_437d1461 | Windows | This strike sends a malware sample known as KryptoCibule. KryptoCibule is a new malware family that uses the victim's resources to mine coins. It tries to hijack transactions by replacing wallet addresses in the clipboard, and exfiltrates cryptocurrency-related files, all while deploying multiple techniques to avoid detection. | 437d14610738f18977cefaac1af84686 | https://www.welivesecurity.com/2020/09/02/kryptocibule-multitasking-multicurrency-cryptostealer/, https://www.zdnet.com/article/new-kryptocibule-windows-malware-is-a-triple-threat-for-cryptocurrency-users/
SHA256: 8c32a47ca925c8e424ed86c42257132ab2b381943b10c6d798e9b7b532db0a40
SHA1: 352743ebe6a0638cc0614216ad000b6a43c4d46e
MD5: 437d14610738f18977cefaac1af84686
M20-smg51 | Emotet_e3740306 | Mixed | This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails. | e37403061d0fc0c796f6d107b7c79492 | https://blog.talosintelligence.com/2020/09/threat-roundup-0904-0911.html
SHA256: 129b85aaa1cb31320bf74ea541452331d8e7a6b5bec9a9e7a5f36d761f60b328
SHA1: 8907d90e248489a4a11b96f44f4714fb71a7c04d
MD5: e37403061d0fc0c796f6d107b7c79492
M20-n4ft1 | Arkei_cf64deaa | Windows | This strike sends a malware sample known as Arkei. Arkei is an information-stealing malware that collects passwords, credit card information and web browser cookies. | cf64deaaefbcb00ff53e14bcfd9a86e4 | https://blog.talosintelligence.com/2020/09/threat-roundup-0911-0918.html
SHA256: 26d2ebaa52fa0042dac17c6c29d6a530b70c2b82166df16a62aad1295c124562
SHA1: fb8676a1b7e523c45056019f316b5c7bbc82a53d
MD5: cf64deaaefbcb00ff53e14bcfd9a86e4
M20-yqub1 | Shiz_28329ecd | Windows | This strike sends a malware sample known as Shiz. Shiz is a remote access trojan that allows an attacker to access an infected machine to harvest sensitive information like application passwords and browser cookies. | 28329ecd0afc07c18ab89730c81e7790 | https://blog.talosintelligence.com/2020/09/threat-roundup-0911-0918.html
SHA256: 18a1852a601d618c6172869c36b27c6cb36ae15436c654335dfe84954504898e
SHA1: 1977bc9f0043e69b32813a1e07eb2549f2efbc66
MD5: 28329ecd0afc07c18ab89730c81e7790
M20-bypj1 | Expiro_ae1693e9 | Windows | This strike sends a malware sample known as Expiro. Expiro is a known file infector and information-stealer that hinders analysis with anti-debugging and anti-analysis tricks. | ae1693e916245a7cbe94536db6c2dfb9 | https://blog.talosintelligence.com/2020/09/threat-roundup-0911-0918.html
SHA256: cba09cb5056c6ea03b6d42d0528df900ae55b41a47dc211f44163c8ef250d06a
SHA1: a3c48335634ee2f555ab6195635dc7c9301112c2
MD5: ae1693e916245a7cbe94536db6c2dfb9
M20-2q1m2 | Emotet_a6ae4aaf | Mixed | This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails. | a6ae4aaf85b21a4b811504d50054bb13 | https://blog.talosintelligence.com/2020/09/threat-roundup-0904-0911.html
SHA256: 219d1f3a929f192d379292bea355e8f4dac85ab3802f603eb9509560fc845b5f
SHA1: dbd79af174a06a35c37c9555f99aebb976485f26
MD5: a6ae4aaf85b21a4b811504d50054bb13
M20-nqew1 | Expiro_a1a42c4c | Windows | This strike sends a malware sample known as Expiro. Expiro is a known file infector and information-stealer that hinders analysis with anti-debugging and anti-analysis tricks. | a1a42c4c4f8e99f18e9dac5e0195a117 | https://blog.talosintelligence.com/2020/09/threat-roundup-0911-0918.html
SHA256: 5b70fd5e886fc50ce1339c79843adb520e5197f9c759c7c00f15bfce1b946b4f
SHA1: 19c4c0df7276a7d7a3c61c570c6d6230f39fa9d1
MD5: a1a42c4c4f8e99f18e9dac5e0195a117
M20-4mf61 | Shiz_485acf5b | Windows | This strike sends a polymorphic malware sample known as Shiz. Shiz is a remote access trojan that allows an attacker to access an infected machine to harvest sensitive information like application passwords and browser cookies. The binary has random bytes appended at the end of the file. | 485acf5b5c53e4b6f61c4add87c6373f | https://attack.mitre.org/techniques/T1009/
SHA256: d24f04886f30642e82e358b3f0c7b2fa35ec5951adee126500b466784913aa1e
SHA1: f0e6e9e4a30792bac1420b774fbd2e9a15f2642e
PARENTID: M20-a5wv1
SSDEEP: 6144:xZRSUUUUUUUUUUUUUUUm7XQgOraXQgOrtmMTYf+3jvneAasScLyzGqiO0z/O8kOs:xZwUUUUUUUUUUUUUUUmpMTYf+3jveA5W
MD5: 485acf5b5c53e4b6f61c4add87c6373f
M20-aray1 | Shlayer_594aa050 | Mixed | This strike sends a malware sample known as Shlayer. Shlayer is a Trojan family of malware that targets the Mac OS platform. Its main purpose is to infect a system and retrieve additional malware, most typically adware. Like most adware, it displays unwanted advertising on the system. Most recently, Shlayer has been delivered with Apple-notarized applications. | 594aa050742406db04a8e07b5d247cdd | https://securelist.com/shlayer-for-macos/95724/, https://objective-see.com/blog/blog_0x4E.html
SHA256: 26e791a54b0397f07b6ba2ea7dc3c0db37381ec56e2349574546494a2c99ea77
SHA1: b35a29862550316e84fa095b7b418d2e09842ab5
MD5: 594aa050742406db04a8e07b5d247cdd
M20-e5uo1 | Arkei_2da317a6 | Windows | This strike sends a malware sample known as Arkei. Arkei is an information-stealing malware that collects passwords, credit card information and web browser cookies. | 2da317a6e7600b40a419eb788608191f | https://blog.talosintelligence.com/2020/09/threat-roundup-0911-0918.html
SHA256: 121a41530bcd85d027a3b3a9f5f011b2d79de054ba8589041de21385b480af81
SHA1: 4f2c56fdbaf68ebc5f7b0137a8a685c384a0599e
MD5: 2da317a6e7600b40a419eb788608191f
M20-9v4j1 | Emotet_9a45c567 | Mixed | This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails. | 9a45c5675acd860cd45950be5f300546 | https://blog.talosintelligence.com/2020/09/threat-roundup-0904-0911.html
SHA256: 2a6a8755b93ac09b7aff0d03f2743c1bd9e01823dc6cd4811ba0ee492b2414c0
SHA1: 0cd3d86fcb11dd33b9e42df5a8adb72bd645c147
MD5: 9a45c5675acd860cd45950be5f300546
M20-c2rb1 | Arkei_10a38d0a | Windows | This strike sends a malware sample known as Arkei. Arkei is an information-stealing malware that collects passwords, credit card information and web browser cookies. | 10a38d0ae84dc819e4e91bdc307ed3dc | https://blog.talosintelligence.com/2020/09/threat-roundup-0911-0918.html
SHA256: 0c7aabd1a63fe9d74b77819c9f0ed4a05309c062ed4ebe7591cf309d593c0e5e
SHA1: 1b450c3423057492ff87f1c666d1cbc54f6d24a8
MD5: 10a38d0ae84dc819e4e91bdc307ed3dc
M20-3w5h1 | Gandcrab_7dc8699e | Windows | This strike sends a malware sample known as Gandcrab. GandCrab is ransomware that encrypts documents, photos, databases and other important files, typically using the file extension ".GDCB," ".CRAB" or ".KRAB." GandCrab is spread through both traditional spam campaigns and multiple exploit kits, including Rig and GrandSoft. | 7dc8699e71e067f3cd4600c2c4fd4a9f | https://blog.talosintelligence.com/2020/09/threat-roundup-0904-0911.html
SHA256: 1598fbecd257a923af9074477c0439991ee8f88e62f2a9544a4f03cb692e9ea3
SHA1: 9eb47f2f69966d710e52269666e858daf50d1dd6
MD5: 7dc8699e71e067f3cd4600c2c4fd4a9f
M20-7x3a1 | Emotet_a0c0c876 | Mixed | This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails. | a0c0c876217f30ee39fd06de0fcb8f57 | https://blog.talosintelligence.com/2020/09/threat-roundup-0904-0911.html
SHA256: 200af4cf86eaf071d6dca59f9678feccf9f024da48ea982fe9ed3a230ae32fc0
SHA1: 72d6192d447ca4cf4bb4e403c2e5312696b0b889
MD5: a0c0c876217f30ee39fd06de0fcb8f57
M20-i8r51 | Gandcrab_1c6b014e | Windows | This strike sends a malware sample known as Gandcrab. GandCrab is ransomware that encrypts documents, photos, databases and other important files, typically using the file extension ".GDCB," ".CRAB" or ".KRAB." GandCrab is spread through both traditional spam campaigns and multiple exploit kits, including Rig and GrandSoft. | 1c6b014e86d887ef235adbdce8c23a7f | https://blog.talosintelligence.com/2020/09/threat-roundup-0904-0911.html
SHA256: 142ee3a78064f1c5da3798744113f522c0a95dc842a5cf1c1346c6d67cd54c0a
SHA1: 433ff78ab4c1c0079462aa4b59510e7d49d12a94
MD5: 1c6b014e86d887ef235adbdce8c23a7f
M20-1tqy1 | Arkei_b119465c | Windows | This strike sends a malware sample known as Arkei. Arkei is an information-stealing malware that collects passwords, credit card information and web browser cookies. | b119465c150e0173b6b184448b5cf088 | https://blog.talosintelligence.com/2020/09/threat-roundup-0911-0918.html
SHA256: 1610453727cf82bf981deb05041c2a0655cac62aa9bbf341bbb1b0a46d83b059
SHA1: 4b3d28b3cb13522624075375629179df760fb685
MD5: b119465c150e0173b6b184448b5cf088
M20-1jux1 | Expiro_c3a4c6fc | Windows | This strike sends a malware sample known as Expiro. Expiro is a known file infector and information-stealer that hinders analysis with anti-debugging and anti-analysis tricks. | c3a4c6fc3924bea9ff0af427a1595380 | https://blog.talosintelligence.com/2020/09/threat-roundup-0911-0918.html
SHA256: 6737302d9422c8720861a818d7b042682c9f7b5b04a409b1f7dfc81b6e41381e
SHA1: a52b6309e530659c8403704c02203f577c7b6b99
MD5: c3a4c6fc3924bea9ff0af427a1595380
M20-2dci1 | Emotet_e4de4b24 | Mixed | This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails. | e4de4b24bf98b3af0b5732a10e5a159f | https://blog.talosintelligence.com/2020/09/threat-roundup-0904-0911.html
SHA256: 15deba69044594e12348428dccd3451e2b8c78df74daac11f16a6cd29a75874d
SHA1: 1dde153f0cf904671832a8741126d7d7350bd45e
MD5: e4de4b24bf98b3af0b5732a10e5a159f
M20-1s5l1 | Shiz_a15fbb32 | Windows | This strike sends a polymorphic malware sample known as Shiz. Shiz is a remote access trojan that allows an attacker to access an infected machine to harvest sensitive information like application passwords and browser cookies. The binary has random strings (lorem ipsum) appended at the end of the file. | a15fbb32ccf830baf1c4adbc32c871b6 | https://attack.mitre.org/techniques/T1009/
SHA256: d8380b323612d496e4ffac68c39dbe9fa35fceebf063c5d1ce0dab6184bbda83
SHA1: 6ec4caa465e140897c429c9fdc2fc208aa0ce201
PARENTID: M20-a5wv1
SSDEEP: 6144:xZRSUUUUUUUUUUUUUUUm7XQgOraXQgOrtmMTYf+3jvneAasScLyzGqiO0z/O8kOd:xZwUUUUUUUUUUUUUUUmpMTYf+3jveA53
MD5: a15fbb32ccf830baf1c4adbc32c871b6
M20-dzlc1 | Expiro_ceb637aa | Windows | This strike sends a malware sample known as Expiro. Expiro is a known file infector and information-stealer that hinders analysis with anti-debugging and anti-analysis tricks. | ceb637aa93f653ec7fd14dfec80ddec2 | https://blog.talosintelligence.com/2020/09/threat-roundup-0911-0918.html
SHA256: 1da9498f9d75574bdbb6969ab423b559c370d61603e7c66ef7dd34efc168af71
SHA1: d19f9f2cc49322fe984ae7ee8d4b2853cca529db
MD5: ceb637aa93f653ec7fd14dfec80ddec2
M20-t75k1 | Emotet_9db82b4e | Mixed | This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails. | 9db82b4e3957bf1d62d7526821b12d62 | https://blog.talosintelligence.com/2020/09/threat-roundup-0904-0911.html
SHA256: 17c72fae234cbcd5593919d234d5e5be0f10f357cb64076810efb0f0e41f9578
SHA1: 2344e1c4b08c92a043ccba80b7ff44cc689f7f96
MD5: 9db82b4e3957bf1d62d7526821b12d62
M20-ltkk1 | Gandcrab_6704dc8f | Windows | This strike sends a polymorphic malware sample known as Gandcrab. GandCrab is ransomware that encrypts documents, photos, databases and other important files, typically using the file extension ".GDCB," ".CRAB" or ".KRAB." GandCrab is spread through both traditional spam campaigns and multiple exploit kits, including Rig and GrandSoft. The binary has random strings (lorem ipsum) appended at the end of the file. | 6704dc8f351350724184257996f9066b | https://attack.mitre.org/techniques/T1009/
SHA256: 9daa713127b5e3192e388a4b5eb62ccbf5a27edf6849555b815e05b327c3b0c5
SHA1: 8779e69762ede4b7f196e22fe4c66e245dc0c0fd
PARENTID: M20-xzln1
SSDEEP: 3072:cgzlmnQjGjtA77nRw3u04PbvZDV/y9afXqTXnCBNcESnrbieOVL5M:ci777Rw2hpy9afajnCBwrbTO9M
MD5: 6704dc8f351350724184257996f9066b
M20-yq3v1 | Joker_baa1ecdd | Mixed | This strike sends a malware sample known as Joker. Joker is a billing fraud family of malware. It looks like a legitimate app and oftentimes bypasses Google Play's security protections. Once executed, it steals SMS messages, contact lists and device information, and signs the victim up for premium service subscriptions to siphon money. Recent variants hide malicious code inside the Android Manifest of a legitimate application. | baa1ecdd95d6a13551f783b715cb19ae | https://threatpost.com/joker-android-malware-dupes-its-way-back-onto-google-play/157307/
SHA256: 2dba603773fee05232a9d21cbf6690c97172496f3bde2b456d687d920b160404
SHA1: 8376ac9d586f60759d4954d7ce00519931e38091
MD5: baa1ecdd95d6a13551f783b715cb19ae
M20-a5wv1 | Shiz_d662f757 | Windows | This strike sends a malware sample known as Shiz. Shiz is a remote access trojan that allows an attacker to access an infected machine to harvest sensitive information like application passwords and browser cookies. | d662f75719f02414a66a17b16a2c721d | https://blog.talosintelligence.com/2020/09/threat-roundup-0911-0918.html
SHA256: dafbe2d5b3334c81504712162eaf3b333330d5a100deb68ce6a9033df764782c
SHA1: 0b2566be9347d2a47b75ec1dedec641a9a736a9e
MD5: d662f75719f02414a66a17b16a2c721d
M20-mm4h1 | Shlayer_fa124ed3 | Mixed | This strike sends a malware sample known as Shlayer. Shlayer is a Trojan family of malware that targets the Mac OS platform. Its main purpose is to infect a system and retrieve additional malware, most typically adware. Like most adware, it displays unwanted advertising on the system. Most recently, Shlayer has been delivered with Apple-notarized applications. | fa124ed3905a9075517f497531779f92 | https://securelist.com/shlayer-for-macos/95724/, https://objective-see.com/blog/blog_0x4E.html
SHA256: 734166ee7958d06ea63659ff0315de39181966884e204d3c6031887adcbfa505
SHA1: 1ecce6aa9615937471359bdb72b0df719277d694
MD5: fa124ed3905a9075517f497531779f92
M20-fyoo1 | Joker_0b9911cc | Mixed | This strike sends a malware sample known as Joker. Joker is a billing fraud family of malware. It looks like a legitimate app and oftentimes bypasses Google Play's security protections. Once executed, it steals SMS messages, contact lists and device information, and signs the victim up for premium service subscriptions to siphon money. Recent variants hide malicious code inside the Android Manifest of a legitimate application. | 0b9911ccb089c7ab5ad8a0cbbe25c700 | https://threatpost.com/joker-android-malware-dupes-its-way-back-onto-google-play/157307/
SHA256: f6c37577afa37d085fb68fe365e1076363821d241fe48be1a27ae5edd2a35c4d
SHA1: c7e850256ba1d67fbaaa8b2d1e92c2acfb317e68
MD5: 0b9911ccb089c7ab5ad8a0cbbe25c700
M20-r0d21 | Emotet_debd3b52 | Mixed | This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails. | debd3b52b96f9903d5b877d39aebe3f4 | https://blog.talosintelligence.com/2020/09/threat-roundup-0904-0911.html
SHA256: 209e9056d13fee66177c3a5afaf80a077875e5b59f0247cc0a6a024e6ae92bad
SHA1: 70808f8b9ec7bbd24d749e4bdf6784120ae992d8
MD5: debd3b52b96f9903d5b877d39aebe3f4
M20-mut81 | Emotet_571ad3e0 | Mixed | This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails. | 571ad3e0d627ea0b6acb95f9e35e0661 | https://blog.talosintelligence.com/2020/09/threat-roundup-0904-0911.html
SHA256: 24e66606dd42fb259e7ed01e81b054c21190a9ea60adc8b7be387e05b04b303b
SHA1: c6d01d22ccd75739716bc9a14b4145fd1bc1e088
MD5: 571ad3e0d627ea0b6acb95f9e35e0661
M20-hy3i1 | Razy_fcd67c80 | Windows | This strike sends a malware sample known as Razy. Razy is often used as a generic detection name for a Windows trojan. This cluster of samples contains encrypted code in the resources section that could be injected into a legitimate process. | fcd67c8088b3a39fab73c9cb47a86713 | https://blog.talosintelligence.com/2020/09/threat-roundup-0904-0911.html
SHA256: 47fc91290b2d99a471a62d5390e13369fcbde2d7820e08c209fb3a5cbb5713e4
SHA1: e5438961a1eae144c51513d7358d4aaf92b4a1d4
MD5: fcd67c8088b3a39fab73c9cb47a86713
M20-epm11 | Shiz_47de3e4f | Windows | This strike sends a polymorphic malware sample known as Shiz. Shiz is a remote access trojan that allows an attacker to access an infected machine to harvest sensitive information like application passwords and browser cookies. The binary has random contents appended in one of the existing sections in the PE file format. | 47de3e4f669440589fe34532ad9114b2 | https://arxiv.org/abs/1801.08917
SHA256: 335695d906c1dd9b13a6e7d51c78a8bf4f70f575f17e66f8619686c3a76ab556
SHA1: 5d3221e198ce7c632d322435f0e33b9d3f833fdf
PARENTID: M20-i59h1
SSDEEP: 6144:BZRSUUUUUUUUUUUUUUUm7XQgOraXQgOrtfi9jcxm6rPIXTT:BZwUUUUUUUUUUUUUUUmg46jIX
MD5: 47de3e4f669440589fe34532ad9114b2
M20-rbjk1 | Arkei_00befcd0 | Windows | This strike sends a malware sample known as Arkei. Arkei is an information-stealing malware that collects passwords, credit card information and web browser cookies. | 00befcd06035d0bb7f4256c22145e077 | https://blog.talosintelligence.com/2020/09/threat-roundup-0911-0918.html
SHA256: 08641de04bd051e43e72527006a3cf1d799ff394d5a5a75b219b3171c4666a11
SHA1: e4d19fac6412c140e7f0c60beccf237c2fc4c33d
MD5: 00befcd06035d0bb7f4256c22145e077
M20-nfap1 | Arkei_568b477b | Windows | This strike sends a malware sample known as Arkei. Arkei is an information-stealing malware that collects passwords, credit card information and web browser cookies. | 568b477bb674e07132eefd19d5c45a56 | https://blog.talosintelligence.com/2020/09/threat-roundup-0911-0918.html
SHA256: 132e2edbf9a97eb30b59d2fa9dde82d8e8d80440e35b23dee73b8df6db748ddc
SHA1: 4556618327c4b955f828f5245e718f18fea2b5e2
MD5: 568b477bb674e07132eefd19d5c45a56
M20-t9hu1 | Shlayer_9c88732f | Mixed | This strike sends a malware sample known as Shlayer. Shlayer is a Trojan family of malware that targets the Mac OS platform. Its main purpose is to infect a system and retrieve additional malware, most typically adware. Like most adware, it displays unwanted advertising on the system. Most recently, Shlayer has been delivered with Apple-notarized applications. | 9c88732f4a04c10ec4853f871de6b5eb | https://securelist.com/shlayer-for-macos/95724/, https://objective-see.com/blog/blog_0x4E.html
SHA256: b274f9f28fe11e14f5f3d4724e2396d206965714527929502102f1d10c2259f6
SHA1: 52873957878e37d412cd5dabddfb770bcbdf5783
MD5: 9c88732f4a04c10ec4853f871de6b5eb
M20-oukt1 | Arkei_a4b38793 | Windows | This strike sends a malware sample known as Arkei. Arkei is an information-stealing malware that collects passwords, credit card information and web browser cookies. | a4b387930e6081c7739f28bf77f2ce4a | https://blog.talosintelligence.com/2020/09/threat-roundup-0911-0918.html
SHA256: 1bf99f63bb8bba5e8d3c7338e0c9338fcf0d170bb567f0c6ce8dc063c6c0c72a
SHA1: 85bdfb271923dcd97d006180d1d68acd76eb8633
MD5: a4b387930e6081c7739f28bf77f2ce4a
M20-cm0l1 | Gandcrab_a1458bf8 | Windows | This strike sends a malware sample known as Gandcrab. GandCrab is ransomware that encrypts documents, photos, databases and other important files, typically using the file extension ".GDCB," ".CRAB" or ".KRAB." GandCrab is spread through both traditional spam campaigns and multiple exploit kits, including Rig and GrandSoft. | a1458bf8e676667471b8ebddc42123ab | https://blog.talosintelligence.com/2020/09/threat-roundup-0904-0911.html
SHA256: 0ba338f0917356577dc6c00217ef973395e83f952031ca3df1bd2a1f14ffce89
SHA1: 7402e469dfd8e8832b3e7b9500adba37dfd9c58d
MD5: a1458bf8e676667471b8ebddc42123ab
M20-ya871 | Arkei_05fdf040 | Windows | This strike sends a polymorphic malware sample known as Arkei. Arkei is an information-stealing malware that collects passwords, credit card information and web browser cookies. The binary has random contents appended in one of the existing sections in the PE file format. | 05fdf0408dd7e5ba480e1d62a5843466 | https://arxiv.org/abs/1801.08917
SHA256: 947c426d720811188724ac0ed0bc5ea7c32f512d8650cc8564943e7a89134dfd
SHA1: 2b0d4081816af66a5bbcaf262216b6d1528135ea
PARENTID: M20-c7nd1
SSDEEP: 3072:AjBiNsFBUawG9dY5AfhTQavJckkZ/p3dyBnfJ6hoPRO/:0iyxwG9C5AuaWXP3IBnBNPRO/
MD5: 05fdf0408dd7e5ba480e1d62a5843466
M20-jzqb1 | Razy_48693a04 | Windows | This strike sends a malware sample known as Razy. Razy is often used as a generic detection name for a Windows trojan. This cluster of samples contains encrypted code in the resources section that could be injected into a legitimate process. | 48693a04e8279cf484232dddda0373eb | https://blog.talosintelligence.com/2020/09/threat-roundup-0904-0911.html
SHA256: 225a8e97056d1f80ce1ff761b5826fdaa5f1e302ee6a1187cf0cd46298d7c37a
SHA1: 714af9dfa8407513104aa600ca88496b368cfc2f
MD5: 48693a04e8279cf484232dddda0373eb
M20-6n4t1 | Shiz_6d3cbc15 | Windows | This strike sends a malware sample known as Shiz. Shiz is a remote access trojan that allows an attacker to access an infected machine to harvest sensitive information like application passwords and browser cookies. | 6d3cbc15a8831097e04672b19add433f | https://blog.talosintelligence.com/2020/09/threat-roundup-0911-0918.html
SHA256: f3457979390343ca08458f68005cc84af0ed08b9594e65d45d3a6b8e5c287376
SHA1: c15ab40e0d101b106bbb0cdbfc019c13e4f6e9ef
MD5: 6d3cbc15a8831097e04672b19add433f
M20-ruot1 | Emotet_3da98789 | Mixed | This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails. | 3da9878997705570052d1a3ae3270671 | https://blog.talosintelligence.com/2020/09/threat-roundup-0904-0911.html
SHA256: 17922392a72894af5fc275928a401d843f296d08934821be606ef25268767162
SHA1: 9a9c79c2c556129209f075f62f6605efa8f2c0dc
MD5: 3da9878997705570052d1a3ae3270671
M20-mrsf1 | Joker_b0dce678 | Mixed | This strike sends a malware sample known as Joker. Joker is a billing fraud family of malware. It looks like a legitimate app and oftentimes bypasses Google Play's security protections. Once executed, it steals SMS messages, contact lists and device information, and signs the victim up for premium service subscriptions to siphon money. Recent variants hide malicious code inside the Android Manifest of a legitimate application. | b0dce6785bb79f271611b69a7ea81f71 | https://threatpost.com/joker-android-malware-dupes-its-way-back-onto-google-play/157307/
SHA256: 0d9a5dc012078ef41ae9112554cefbc4d88133f1e40a4c4d52decf41b54fc830
SHA1: 9a75fa84f5eb357111077b86e4c6f68cc5348e31
MD5: b0dce6785bb79f271611b69a7ea81f71
M20-8yqz1 | Arkei_55a7ecd0 | Windows | This strike sends a polymorphic malware sample known as Arkei. Arkei is an information-stealing malware that collects passwords, credit card information and web browser cookies. The binary has random bytes appended at the end of the file. | 55a7ecd0c065b3f57347ab2737a44295 | https://attack.mitre.org/techniques/T1009/
SHA256: 88e0c77c0e0079cee4b29c787dbdefcc3d0b7c271e14942d7a0106746e906776
SHA1: 10ad133d20bed4fd15e27f5e85a0f71479f9e851
PARENTID: M20-c7nd1
SSDEEP: 3072:AjBiNsFBUawG9dY5AfhTQavJckkZ/p3dyBnf76hoPRO/3:0iyxwG9C5AuaWXP3IBnjNPRO/3
MD5: 55a7ecd0c065b3f57347ab2737a44295
M20-uqsm1 | Arkei_0f6b5657 | Windows | This strike sends a malware sample known as Arkei. Arkei is an information-stealing malware that collects passwords, credit card information and web browser cookies. | 0f6b5657da0ffc54ac13fc4ce414cf4d | https://blog.talosintelligence.com/2020/09/threat-roundup-0911-0918.html
SHA256: 0f29e3c9e5d0d3440649e9f742081b278be83c5b9f76cb65bf06049f180d09ae
SHA1: 25fe88adfc55e0d63ed8f3253fd948ae6f2ffa27
MD5: 0f6b5657da0ffc54ac13fc4ce414cf4d
M20-htrl1 | Gandcrab_e34a5f17 | Windows | This strike sends a malware sample known as Gandcrab. GandCrab is ransomware that encrypts documents, photos, databases and other important files, typically using the file extension ".GDCB", ".CRAB" or ".KRAB". GandCrab is spread through both traditional spam campaigns and multiple exploit kits, including Rig and GrandSoft. | e34a5f177d5bb5b8012024708d3f0217 | https://blog.talosintelligence.com/2020/09/threat-roundup-0904-0911.html
SHA256: 0c80a368fc9d5320b676f065c7fe95d4b2560b7fc557c3b5cd2d52d6cbc107ef
SHA1: b58f68e5a557a19c3c3eeee04eb82d53d37627d5
MD5: e34a5f177d5bb5b8012024708d3f0217
M20-llvo1 | Emotet_e1c97191 | Mixed | This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails. | e1c97191eae9b1537778fc88220c44ed | https://blog.talosintelligence.com/2020/09/threat-roundup-0904-0911.html
SHA256: 149a3d53f6065bd1885682a82148193582f678bc6bbeef4c27c0fc96a6112dd7
SHA1: f5c39b475824a439640e71958536aaae30873863
MD5: e1c97191eae9b1537778fc88220c44ed
M20-gsa91 | Arkei_167af7b6 | Windows | This strike sends a polymorphic malware sample known as Arkei. Arkei is an information-stealing malware that collects passwords, credit card information and web browser cookies. The binary has random bytes appended at the end of the file. | 167af7b6ea9eccb08d2071e78ded9c47 | https://attack.mitre.org/techniques/T1009/
SHA256: f043effc89970cac58a72b1e4ae6cd60115111ee30ac177d5e48acb35f4a8764
SHA1: 08d1172afe6a323dd4adbdfae60e030f999e53af
PARENTID: M20-ovtg1
SSDEEP: 3072:6q3YsRrXrUf3RFh2XintmrKYkv/pacEzDvVROz4:BYsJU3RFKinUOT5aPz5ROz4
MD5: 167af7b6ea9eccb08d2071e78ded9c47
M20-u0ou1 | Shiz_277b47f8 | Windows | This strike sends a malware sample known as Shiz. Shiz is a remote access trojan that allows an attacker to access an infected machine to harvest sensitive information like application passwords and browser cookies. | 277b47f81244411d20903be4d78dd5d9 | https://blog.talosintelligence.com/2020/09/threat-roundup-0911-0918.html
SHA256: e8688040a73b6393ca931129ac30aa24af9be6e5571f10e01203cb71810147bd
SHA1: ca1ff1c161cb11084b74a2ed52da9038144a7192
MD5: 277b47f81244411d20903be4d78dd5d9
M20-yygu1 | Shlayer_6ac3ae1c | Mixed | This strike sends a malware sample known as Shlayer. Shlayer is a Trojan family of malware that targets the Mac OS platform. Its main purpose is to infect a system and retrieve additional malware, most typically adware. Like most adware, it displays unwanted advertising on the system. Most recently Shlayer has been delivered with Apple notarized applications. | 6ac3ae1ccb9038388e492a64ef08e5ec | https://securelist.com/shlayer-for-macos/95724/
https://objective-see.com/blog/blog_0x4E.html
SHA256: e530ea35295e9b990e536297637c532e98f32a2de58514cbce0fee625ccc8da6
SHA1: b801963a180d253741be08dfbb7a5ed27964ac14
MD5: 6ac3ae1ccb9038388e492a64ef08e5ec
M20-iyd31 | Expiro_c3e02b8e | Windows | This strike sends a malware sample known as Expiro. Expiro is a known file infector and information-stealer that hinders analysis with anti-debugging and anti-analysis tricks. | c3e02b8ec2aee25f4ceac1773696b924 | https://blog.talosintelligence.com/2020/09/threat-roundup-0911-0918.html
SHA256: a178d3644ef3f1d41b93ccf94aaab483fb87a80aeb1fcf4d944b0cc3d5d80c73
SHA1: 18a9d8a32ac8e952034a4b86d7838988a06ca6cc
MD5: c3e02b8ec2aee25f4ceac1773696b924
M20-ej8l1 | Razy_77b5096d | Windows | This strike sends a malware sample known as Razy. Razy is often used as a generic detection name for a Windows trojan. This cluster of samples contains encrypted code in the resources section that could be injected into a legitimate process. | 77b5096d8ae7e182bf8a36d2349a64e0 | https://blog.talosintelligence.com/2020/09/threat-roundup-0904-0911.html
SHA256: 48058f6425b28d82fec96109d9371a8c30bb2fdac8c448370ab455013da0edd3
SHA1: 695c0b1897de68bbadd3961dbdeaaa080d5a6f3c
MD5: 77b5096d8ae7e182bf8a36d2349a64e0
M20-6g761 | Shiz_228ee144 | Windows | This strike sends a malware sample known as Shiz. Shiz is a remote access trojan that allows an attacker to access an infected machine to harvest sensitive information like application passwords and browser cookies. | 228ee1443e6f972d2cb502a4a030aac5 | https://blog.talosintelligence.com/2020/09/threat-roundup-0911-0918.html
SHA256: 421fb4e60b5ddf11d5456170224ba935bf033689c1a679d3ace07fea5b00041c
SHA1: 87510e0a0ef635a4a7932fd3e6042ca1c729553b
MD5: 228ee1443e6f972d2cb502a4a030aac5
M20-2n3f1 | Shlayer_b2b51960 | Mixed | This strike sends a malware sample known as Shlayer. Shlayer is a Trojan family of malware that targets the Mac OS platform. Its main purpose is to infect a system and retrieve additional malware, most typically adware. Like most adware, it displays unwanted advertising on the system. Most recently Shlayer has been delivered with Apple notarized applications. | b2b519602673e27aa40085deb8827bd1 | https://securelist.com/shlayer-for-macos/95724/
https://objective-see.com/blog/blog_0x4E.html
SHA256: 852ff1b97c1155fc28b14f5633a17de02dcace17bdc5aadf42e2f60226479eaf
SHA1: e827f4c1a1790c13cd761cdbf31cd2c0d7b25e55
MD5: b2b519602673e27aa40085deb8827bd1
M20-fon51 | Shiz_e7e1bd55 | Windows | This strike sends a malware sample known as Shiz. Shiz is a remote access trojan that allows an attacker to access an infected machine to harvest sensitive information like application passwords and browser cookies. | e7e1bd5531ca3ad87a051bac9d1a80d3 | https://blog.talosintelligence.com/2020/09/threat-roundup-0911-0918.html
SHA256: 5bad643662584c558d2a1d65621928e8681dd9770382820863c9f6d0b4e8ad73
SHA1: 54193aff5385a99dca3312606e76f2df38266d8e
MD5: e7e1bd5531ca3ad87a051bac9d1a80d3
M20-sxxu1 | Gandcrab_eb5f7771 | Windows | This strike sends a malware sample known as Gandcrab. GandCrab is ransomware that encrypts documents, photos, databases and other important files, typically using the file extension ".GDCB", ".CRAB" or ".KRAB". GandCrab is spread through both traditional spam campaigns and multiple exploit kits, including Rig and GrandSoft. | eb5f77715eb2a50f1aaf03074f3ad388 | https://blog.talosintelligence.com/2020/09/threat-roundup-0904-0911.html
SHA256: 0e5a46c96a9ddd3a61f68c19ffda0f9b12c76e1c3e7f2a4c4528d56c498f7828
SHA1: f903a47a0f9fd6d5008d4f1eeda832dd717061e0
MD5: eb5f77715eb2a50f1aaf03074f3ad388
M20-e8k21 | Expiro_b947b154 | Windows | This strike sends a malware sample known as Expiro. Expiro is a known file infector and information-stealer that hinders analysis with anti-debugging and anti-analysis tricks. | b947b15406b13614d0f8cdeec8564d05 | https://blog.talosintelligence.com/2020/09/threat-roundup-0911-0918.html
SHA256: b5e655696e1807c5f4ce0f7f86cfe988f92206a5cc0960c9d4d871922551a1bc
SHA1: a6d72116bf4f5a1802c3e5ac88c9581e236c23c3
MD5: b947b15406b13614d0f8cdeec8564d05
M20-jl5d1 | Shlayer_fefcfc50 | Mixed | This strike sends a malware sample known as Shlayer. Shlayer is a Trojan family of malware that targets the Mac OS platform. Its main purpose is to infect a system and retrieve additional malware, most typically adware. Like most adware, it displays unwanted advertising on the system. Most recently Shlayer has been delivered with Apple notarized applications. | fefcfc50214786bbbd33ee67abd7f1f3 | https://securelist.com/shlayer-for-macos/95724/
https://objective-see.com/blog/blog_0x4E.html
SHA256: 97b11ae80b8d4de5c6875de2cc7c164d837f94f8ae313a57fb45cee6c6a1fef8
SHA1: d28d75c9f61d20aa990e80e88ed8f3deb37b7f7f
MD5: fefcfc50214786bbbd33ee67abd7f1f3
M20-1rhx1 | Joker_87d70b11 | Mixed | This strike sends a malware sample known as Joker. Joker is a billing fraud family of malware. It looks like a legitimate app and oftentimes bypasses Google Play's security protections. Once executed it steals SMS messages, contact lists and device information, and signs the victim up for premium service subscriptions to siphon money. Recent variants hide malicious code inside the Android Manifest of a legitimate application. | 87d70b118d68b5b8630d09ca3c2083ae | https://threatpost.com/joker-android-malware-dupes-its-way-back-onto-google-play/157307/
SHA256: f90acfa650db3e859a2862033ea1536e2d7a9ff5020b18b19f2b5dfd8dd323b3
SHA1: 9b279a8ee3d1002f9b012fa5105fcbe81be3b6b5
MD5: 87d70b118d68b5b8630d09ca3c2083ae
M20-ukd81 | Gandcrab_a01269b3 | Windows | This strike sends a malware sample known as Gandcrab. GandCrab is ransomware that encrypts documents, photos, databases and other important files, typically using the file extension ".GDCB", ".CRAB" or ".KRAB". GandCrab is spread through both traditional spam campaigns and multiple exploit kits, including Rig and GrandSoft. | a01269b36a5f153ef7c210001e2b071a | https://blog.talosintelligence.com/2020/09/threat-roundup-0904-0911.html
SHA256: 0d6b3d50621831eb2ba716d92d91eed97fa6fb3d194175cb2fc59bb6e50b8d3b
SHA1: 5e845005c5095019c2c55707c748fc60cefd5e2b
MD5: a01269b36a5f153ef7c210001e2b071a
M20-ovtg1 | Arkei_f52cb089 | Windows | This strike sends a malware sample known as Arkei. Arkei is an information-stealing malware that collects passwords, credit card information and web browser cookies. | f52cb0892baaab89703ab9d4f42a5483 | https://blog.talosintelligence.com/2020/09/threat-roundup-0911-0918.html
SHA256: 33965321082bfc45696ef27b8aa84b58d0b35cb62bfd6f2d9b499696bd447484
SHA1: 250cd94354b8ec3c66bd3dde0abbe68bc7ff7018
MD5: f52cb0892baaab89703ab9d4f42a5483
M20-3xou1 | Gandcrab_8b73329e | Windows | This strike sends a malware sample known as Gandcrab. GandCrab is ransomware that encrypts documents, photos, databases and other important files, typically using the file extension ".GDCB", ".CRAB" or ".KRAB". GandCrab is spread through both traditional spam campaigns and multiple exploit kits, including Rig and GrandSoft. | 8b73329e7fbe4ea24e9b814c6fe3c61d | https://blog.talosintelligence.com/2020/09/threat-roundup-0904-0911.html
SHA256: 11c7e045e19f6a53ff5e904d7250b3218a14431ed5c7ad299668f11717dce3d8
SHA1: bca4f701c34c26a39cdd9d4cfd7156a2e4823ce4
MD5: 8b73329e7fbe4ea24e9b814c6fe3c61d
M20-hfwk1 | Shiz_59a089a2 | Windows | This strike sends a polymorphic malware sample known as Shiz. Shiz is a remote access trojan that allows an attacker to access an infected machine to harvest sensitive information like application passwords and browser cookies. The binary has the checksum removed in the PE file format. | 59a089a2c1cab2bd3f9c733cdc4f96cd | https://arxiv.org/abs/1801.08917
SHA256: d1a41a674b3c71215faa51660c6387ea0bf8d14ec043041011868b58138afacb
SHA1: 30513c0d32228fa6d62ad9eb969f57a824ac6596
PARENTID: M20-a5wv1
SSDEEP: 6144:zZRSUUUUUUUUUUUUUUUm7XQgOraXQgOrtmMTYf+3jvneAasScLyzGqiO0z/O8kO/:zZwUUUUUUUUUUUUUUUmpMTYf+3jveA52
MD5: 59a089a2c1cab2bd3f9c733cdc4f96cd
M20-kgyh1 | Gandcrab_9c8a7882 | Windows | This strike sends a polymorphic malware sample known as Gandcrab. GandCrab is ransomware that encrypts documents, photos, databases and other important files, typically using the file extension ".GDCB", ".CRAB" or ".KRAB". GandCrab is spread through both traditional spam campaigns and multiple exploit kits, including Rig and GrandSoft. The binary has random strings (lorem ipsum) appended at the end of the file. | 9c8a788266cfa8884798ea6bf37b1b10 | https://attack.mitre.org/techniques/T1009/
SHA256: b4ad2e1bbd01656e7c5b37693600dcc23344a5f1488baf54b5c781daccdad6a6
SHA1: 6e27f82b083b88c60f4b9b58e39c5bb2d3f289df
PARENTID: M20-sxxu1
SSDEEP: 3072:fgzlmnQjGjtA77nRw3u04PbvZDV/y9afXqTXnCBNcESnrbieOVL5M:fi777Rw2hpy9afajnCBwrbTO9M
MD5: 9c8a788266cfa8884798ea6bf37b1b10
M20-mc6o1 | Emotet_d206510e | Mixed | This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails. | d206510eee9c015251b40bdb0b3af3c5 | https://blog.talosintelligence.com/2020/09/threat-roundup-0904-0911.html
SHA256: 220732c38506e7c51e3f0c1f27a142052b52c1a5306c0991acf7de311b7c8e2a
SHA1: 9a75a512f40c5bd5eb5ddefd80a765d683086f0c
MD5: d206510eee9c015251b40bdb0b3af3c5
M20-m4981 | KryptoCibule_3165d2f5 | Windows | This strike sends a malware sample known as KryptoCibule. KryptoCibule is a new malware family that uses the victim's resources to mine coins. It tries to hijack transactions by replacing wallet addresses in the clipboard, and exfiltrates cryptocurrency-related files, all while deploying multiple techniques to avoid detection. | 3165d2f5d802226b0dd8d3ccc8336110 | https://www.welivesecurity.com/2020/09/02/kryptocibule-multitasking-multicurrency-cryptostealer/
https://www.zdnet.com/article/new-kryptocibule-windows-malware-is-a-triple-threat-for-cryptocurrency-users/
SHA256: 5ee586a836049b22a90d5cabf3c2a29a2626ce96c55397bf36cc9024a2e6b430
SHA1: 3bcef852639f85803974943fc34eff2d6d7d916d
MD5: 3165d2f5d802226b0dd8d3ccc8336110
M20-s1ve1 | Arkei_1df03fa3 | Windows | This strike sends a malware sample known as Arkei. Arkei is an information-stealing malware that collects passwords, credit card information and web browser cookies. | 1df03fa342958648b48b9369be8ff9b3 | https://blog.talosintelligence.com/2020/09/threat-roundup-0911-0918.html
SHA256: 0fd077d6c5fa7bc948c64262b0f277bc7152b6ca9b05958af7f059a6a9bf1f35
SHA1: d4e335c2bb11332ee86e53be87c8967e6c286985
MD5: 1df03fa342958648b48b9369be8ff9b3
M20-5twq1 | Emotet_20ad8937 | Mixed | This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails. | 20ad893754a3df823fa368fe84e51a8a | https://blog.talosintelligence.com/2020/09/threat-roundup-0904-0911.html
SHA256: 2de44ef1df4fcc293491c9c21c8c5a42a0f335f6383ae96e0ef06ea76ba13c6c
SHA1: 3db8d8ba1bf2573edd0cf1ef297ecda9f5c07269
MD5: 20ad893754a3df823fa368fe84e51a8a
M20-e91o1 | Shiz_36cda7c7 | Windows | This strike sends a malware sample known as Shiz. Shiz is a remote access trojan that allows an attacker to access an infected machine to harvest sensitive information like application passwords and browser cookies. | 36cda7c70419a9c2d08cb110dd58b099 | https://blog.talosintelligence.com/2020/09/threat-roundup-0911-0918.html
SHA256: 80b48015c935dd1a4f3ce47e896c74321de60510b11b171ac937afd983c3e4a3
SHA1: 0e014b38f0d85852f736b848c362fb8caf4df5bb
MD5: 36cda7c70419a9c2d08cb110dd58b099
M20-0jak1 | Gandcrab_a2ea3a19 | Windows | This strike sends a malware sample known as Gandcrab. GandCrab is ransomware that encrypts documents, photos, databases and other important files, typically using the file extension ".GDCB", ".CRAB" or ".KRAB". GandCrab is spread through both traditional spam campaigns and multiple exploit kits, including Rig and GrandSoft. | a2ea3a1987942abe4d79b75d8676d2ad | https://blog.talosintelligence.com/2020/09/threat-roundup-0904-0911.html
SHA256: 08db1e474efd740dcbf6a0fac4dc93ca77bc803eef8e5ebdf85ff5495800d007
SHA1: 189763719ab2a36e82d38f9a1322781565fc39bc
MD5: a2ea3a1987942abe4d79b75d8676d2ad
M20-5uzi1 | Gandcrab_9bfb2b63 | Windows | This strike sends a polymorphic malware sample known as Gandcrab. GandCrab is ransomware that encrypts documents, photos, databases and other important files, typically using the file extension ".GDCB", ".CRAB" or ".KRAB". GandCrab is spread through both traditional spam campaigns and multiple exploit kits, including Rig and GrandSoft. The binary has random contents appended in one of the existing sections in the PE file format. | 9bfb2b6312ba962055b988777e1ee99c | https://arxiv.org/abs/1801.08917
SHA256: 42e6312dadf15c1215d67ffda85374b3b80f802b524a6075559d8ea5e12feb3f
SHA1: 83cc7f73ecb9f241c61f8b300a04ed9684d7cb8e
PARENTID: M20-sxxu1
SSDEEP: 3072:fgzlmnQjGjtA77nRw3u0qPbvZDV/y9afXqTXnCBNcESnrbieOVL5:fi777RwYhpy9afajnCBwrbTO9
MD5: 9bfb2b6312ba962055b988777e1ee99c
M20-3osl1 | Joker_c8e8080c | Mixed | This strike sends a malware sample known as Joker. Joker is a billing fraud family of malware. It looks like a legitimate app and oftentimes bypasses Google Play's security protections. Once executed it steals SMS messages, contact lists and device information, and signs the victim up for premium service subscriptions to siphon money. Recent variants hide malicious code inside the Android Manifest of a legitimate application. | c8e8080c1365da6dc340edc17d86f674 | https://threatpost.com/joker-android-malware-dupes-its-way-back-onto-google-play/157307/
SHA256: 5ada05f5c6bbabb5474338084565893afa624e0115f494e1c91f48111cbe99f3
SHA1: f90e3487177dc8556c54b836e74e6419ea0f533b
MD5: c8e8080c1365da6dc340edc17d86f674
M20-3txg1 | Gandcrab_e7a61e47 | Windows | This strike sends a polymorphic malware sample known as Gandcrab. GandCrab is ransomware that encrypts documents, photos, databases and other important files, typically using the file extension ".GDCB", ".CRAB" or ".KRAB". GandCrab is spread through both traditional spam campaigns and multiple exploit kits, including Rig and GrandSoft. The binary has a random section name renamed according to the PE format specification. | e7a61e4706cc30fd9fce858d4461a7fb | https://arxiv.org/abs/1801.08917
SHA256: 393df63d9d9325f174819d5dc1a7a974dd16d3bfabd03aa2cddc4ff3bc7ef0f8
SHA1: ab83543bae1c0bb13eaee1789d7f1ad9e1bffb08
PARENTID: M20-xzln1
SSDEEP: 3072:MgzlmnQjGjtA77nRw3u04PbvZDV/y9afXqTXnCBNcESnrbieOVL5:Mi777Rw2hpy9afajnCBwrbTO9
MD5: e7a61e4706cc30fd9fce858d4461a7fb
M20-dtna1 | Expiro_c54812ff | Windows | This strike sends a malware sample known as Expiro. Expiro is a known file infector and information-stealer that hinders analysis with anti-debugging and anti-analysis tricks. | c54812ffecccb9d42b6af9d85329fb10 | https://blog.talosintelligence.com/2020/09/threat-roundup-0911-0918.html
SHA256: 38ee02819c5d7d6a0336730be9aee691c42d12d09b5982197a4bbc7fc411374e
SHA1: 7a1dcb967dd970f5555eda86079e41a8c8c7e18e
MD5: c54812ffecccb9d42b6af9d85329fb10
M20-gbfr1 | Expiro_c47b8c02 | Windows | This strike sends a malware sample known as Expiro. Expiro is a known file infector and information-stealer that hinders analysis with anti-debugging and anti-analysis tricks. | c47b8c02e838398bf9a3afc757fdb802 | https://blog.talosintelligence.com/2020/09/threat-roundup-0911-0918.html
SHA256: 21a5c373438de8a85a6bf798b24406a7658c0ac376d8820341dc5b973fb6bfde
SHA1: 0940b3a6ee7e4e4bea27c361ef6e85108b41101e
MD5: c47b8c02e838398bf9a3afc757fdb802
M20-ut1e1 | Shiz_4cc39df1 | Windows | This strike sends a malware sample known as Shiz. Shiz is a remote access trojan that allows an attacker to access an infected machine to harvest sensitive information like application passwords and browser cookies. | 4cc39df1f7950b7883fd861af127afd4 | https://blog.talosintelligence.com/2020/09/threat-roundup-0911-0918.html
SHA256: ffbc0f6d023ed357af6eeb674e3c451831068403a52bc7fe94a67c99356c4ca3
SHA1: 1d2532c626b052b4504a353ae0bf7457f0128211
MD5: 4cc39df1f7950b7883fd861af127afd4
M20-0ege1 | Joker_d1a2ee8a | Mixed | This strike sends a malware sample known as Joker. Joker is a billing fraud family of malware. It looks like a legitimate app and oftentimes bypasses Google Play's security protections. Once executed it steals SMS messages, contact lists and device information, and signs the victim up for premium service subscriptions to siphon money. Recent variants hide malicious code inside the Android Manifest of a legitimate application. | d1a2ee8a66fa0d90477e29cc35a84ba9 | https://threatpost.com/joker-android-malware-dupes-its-way-back-onto-google-play/157307/
SHA256: 46a5fb5d44e126bc9758a57e9c80e013cac31b3b57d98eae66e898a264251f47
SHA1: 873d72701d49676c4bf8e70eefc9394fecbe3b8d
MD5: d1a2ee8a66fa0d90477e29cc35a84ba9
M20-ij2p1 | Gandcrab_dd6e6968 | Windows | This strike sends a malware sample known as Gandcrab. GandCrab is ransomware that encrypts documents, photos, databases and other important files, typically using the file extension ".GDCB", ".CRAB" or ".KRAB". GandCrab is spread through both traditional spam campaigns and multiple exploit kits, including Rig and GrandSoft. | dd6e6968b41bfe67b1eb6ca06009e029 | https://blog.talosintelligence.com/2020/09/threat-roundup-0904-0911.html
SHA256: 0a6b83a865695ba7a5baf6337c115cd06358085cd2c174806fbd75837ffb49d7
SHA1: b363633bdfb62b19e8b048f415703d92bbd0d559
MD5: dd6e6968b41bfe67b1eb6ca06009e029
M20-yxpi1 | Expiro_a96008e0 | Windows | This strike sends a malware sample known as Expiro. Expiro is a known file infector and information-stealer that hinders analysis with anti-debugging and anti-analysis tricks. | a96008e0c13b46ba555464e1b9fc681f | https://blog.talosintelligence.com/2020/09/threat-roundup-0911-0918.html
SHA256: cb08c29f457ad766d086cff777eed87baa4796c4f29bb92239f99107ecaded91
SHA1: 77b9462650e927b00c1f696e11349c3196397281
MD5: a96008e0c13b46ba555464e1b9fc681f
M20-1rp32 | Emotet_0b422cc0 | Mixed | This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails. | 0b422cc0719a274d2da0e23d68091b41 | https://blog.talosintelligence.com/2020/09/threat-roundup-0904-0911.html
SHA256: 274602404a722f0dc7b82c61d520573d1f9a010d174f4685b59899a4158cde5b
SHA1: ade83fdb62a61f10f6d7563c29c924f9c31b2cdf
MD5: 0b422cc0719a274d2da0e23d68091b41
M20-ciyx1 | Razy_faffdf7c | Windows | This strike sends a malware sample known as Razy. Razy is often used as a generic detection name for a Windows trojan. This cluster of samples contains encrypted code in the resources section that could be injected into a legitimate process. | faffdf7c523de20379785fdbebf179f0 | https://blog.talosintelligence.com/2020/09/threat-roundup-0904-0911.html
SHA256: 62ac5775145716be2f3799face7ac9c5229122b93b3839e03f63334f548f0cac
SHA1: 524c510d4e91b12e725fa3607397ad3ef13aa309
MD5: faffdf7c523de20379785fdbebf179f0
M20-1cs11 | Shiz_5bc37cdd | Windows | This strike sends a polymorphic malware sample known as Shiz. Shiz is a remote access trojan that allows an attacker to access an infected machine to harvest sensitive information like application passwords and browser cookies. The binary has random bytes appended at the end of the file. | 5bc37cddf1f3be9ad2f6d194a7206879 | https://attack.mitre.org/techniques/T1009/
SHA256: 5d383bcaccf72ffdee57e36e02181b46bfb319ff0708878a2415bbbcf5a01172
SHA1: b5e66c9f96c85513af91dfe7c2f1fce0c1990f25
PARENTID: M20-i59h1
SSDEEP: 6144:HZRSUUUUUUUUUUUUUUUm7XQgOraXQgOrtfi9jcxm6rPIXTTW:HZwUUUUUUUUUUUUUUUmg46jIX+
MD5: 5bc37cddf1f3be9ad2f6d194a7206879
M20-gcg91 | Arkei_d73ec126 | Windows | This strike sends a malware sample known as Arkei. Arkei is an information-stealing malware that collects passwords, credit card information and web browser cookies. | d73ec12627a319b61bf8f248c6516262 | https://blog.talosintelligence.com/2020/09/threat-roundup-0911-0918.html
SHA256: 039d7013364ec66261347c7f055ced54bf256ea3f5a018d31b066449bf4b014b
SHA1: 7e5fd6bb1f293845584e4cd7decae53ccad88829
MD5: d73ec12627a319b61bf8f248c6516262
M20-7qwp1 | Shlayer_04e7bae9 | Mixed | This strike sends a malware sample known as Shlayer. Shlayer is a Trojan family of malware that targets the Mac OS platform. Its main purpose is to infect a system and retrieve additional malware, most typically adware. Like most adware, it displays unwanted advertising on the system. Most recently Shlayer has been delivered with Apple notarized applications. | 04e7bae95f86118fd5e347ee43537b06 | https://securelist.com/shlayer-for-macos/95724/
https://objective-see.com/blog/blog_0x4E.html
SHA256: 1afcea3625c2725a95e87df1d660130a374c29e98624cb9b51b415c9f5c9e305
SHA1: 7f79800951160875b94df94bb834c30ad11a9021
MD5: 04e7bae95f86118fd5e347ee43537b06
M20-v5m81 | Gandcrab_e45f0c5d | Windows | This strike sends a malware sample known as Gandcrab. GandCrab is ransomware that encrypts documents, photos, databases and other important files, typically using the file extension ".GDCB", ".CRAB" or ".KRAB". GandCrab is spread through both traditional spam campaigns and multiple exploit kits, including Rig and GrandSoft. | e45f0c5d59ce9f66ecbf7f1207e010fc | https://blog.talosintelligence.com/2020/09/threat-roundup-0904-0911.html
SHA256: 13909277ca03cbd8231fa197f36486c7b12f9cc78e0a3cfffe735fb2ec0f2909
SHA1: 4f828e2cbcfa45c480f90b3a73f710e7f6f7ecda
MD5: e45f0c5d59ce9f66ecbf7f1207e010fc
M20-qom31 | Expiro_b167581f | Windows | This strike sends a malware sample known as Expiro. Expiro is a known file infector and information-stealer that hinders analysis with anti-debugging and anti-analysis tricks. | b167581fcb856d403e0c2163ced4a080 | https://blog.talosintelligence.com/2020/09/threat-roundup-0911-0918.html
SHA256: b9b702693b83d22988ae375b1b080128155c9e36cdb949c261797f2c4960f99b
SHA1: 069bb8aea83b059c75aafbfcd9f4e74bc33b58bf
MD5: b167581fcb856d403e0c2163ced4a080
M20-h5uq1 | Joker_966daec1 | Mixed | This strike sends a malware sample known as Joker. Joker is a billing fraud family of malware. It looks like a legitimate app and oftentimes bypasses Google Play's security protections. Once executed it steals SMS messages, contact lists and device information, and signs the victim up for premium service subscriptions to siphon money. Recent variants hide malicious code inside the Android Manifest of a legitimate application. | 966daec16869c8bbdfb1243dfc115712 | https://threatpost.com/joker-android-malware-dupes-its-way-back-onto-google-play/157307/
SHA256: 2a12084a4195239e67e783888003a6433631359498a6b08941d695c65c05ecc4
SHA1: ab0e7e6ea3c8a77e67f643400d709826092ec770
MD5: 966daec16869c8bbdfb1243dfc115712
M20-hnuo1 | Razy_0206fb01 | Windows | This strike sends a malware sample known as Razy. Razy is often used as a generic detection name for a Windows trojan. This cluster of samples contains encrypted code in the resources section that could be injected into a legitimate process. | 0206fb018cf06a3876e7694ccae14151 | https://blog.talosintelligence.com/2020/09/threat-roundup-0904-0911.html
SHA256: 10544c9619839680f12a58ebf5f9b96468cd311bf05a27ada2362986ccd493e5
SHA1: 9c305334e32f6efdca153f1f1f015ae76795b428
MD5: 0206fb018cf06a3876e7694ccae14151
M20-djt51 | Joker_6d0e6a88 | Mixed | This strike sends a malware sample known as Joker. Joker is a billing fraud family of malware. It looks like a legitimate app and oftentimes bypasses Google Play's security protections. Once executed it steals SMS messages, contact lists and device information, and signs the victim up for premium service subscriptions to siphon money. Recent variants hide malicious code inside the Android Manifest of a legitimate application. | 6d0e6a88f5ec092de6045ac4a5e6219d | https://threatpost.com/joker-android-malware-dupes-its-way-back-onto-google-play/157307/
SHA256: 044514ed2aeb7c0f90e7a9daf60c1562dc21114f29276136036d878ce8f652ca
SHA1: c14b4e6e4bce7aab292f3cdd9805ffb1a5cf5209
MD5: 6d0e6a88f5ec092de6045ac4a5e6219d
M20-8dqb1 | Gandcrab_22bc40bd | Windows | This strike sends a malware sample known as Gandcrab. GandCrab is ransomware that encrypts documents, photos, databases and other important files, typically using the file extension ".GDCB", ".CRAB" or ".KRAB". GandCrab is spread through both traditional spam campaigns and multiple exploit kits, including Rig and GrandSoft. | 22bc40bd16d93b14848a4e49b708c8a0 | https://blog.talosintelligence.com/2020/09/threat-roundup-0904-0911.html
SHA256: 08e8ac381eab35c6f8fedef1c921b3ca0c1fbc862cc8482aa817220fd1800c65
SHA1: 3cb6f2c8cf82bafece5342f46745292ffa662a97
MD5: 22bc40bd16d93b14848a4e49b708c8a0
M20-738i1 | Arkei_307dbc09 | Windows | This strike sends a polymorphic malware sample known as Arkei. Arkei is an information-stealing malware that collects passwords, credit card information and web browser cookies. The binary has random strings (lorem ipsum) appended at the end of the file. | 307dbc0918a2ee073c645d4882f3552b | https://attack.mitre.org/techniques/T1009/
SHA256: c732c4b1a163072ccc6fe37a6c96b65d3147b3c1261979e92af2e2a93a126ea1
SHA1: 42a586337fe5e5485bb6e70ddaa22e57f6fba98c
PARENTID: M20-ovtg1
SSDEEP: 3072:6q3YsRrXrUf3RFh2XintmrKYkv/pacEzDvVROzt:BYsJU3RFKinUOT5aPz5ROzt
MD5: 307dbc0918a2ee073c645d4882f3552b
M20-0oiu1 | Joker_3c5abec5 | Mixed | This strike sends a malware sample known as Joker. Joker is a billing fraud family of malware. It looks like a legitimate app and oftentimes bypasses Google Play's security protections. Once executed it steals SMS messages, contact lists and device information, and signs the victim up for premium service subscriptions to siphon money. Recent variants hide malicious code inside the Android Manifest of a legitimate application. | 3c5abec5b685809a670dee9b729a9096 | https://threatpost.com/joker-android-malware-dupes-its-way-back-onto-google-play/157307/
SHA256: d54dd3ccfc4f0ed5fa6f3449f8ddc37a5eff2a176590e627f9be92933da32926
SHA1: 2cbdd5f9d8ff6f36d3c6bde5232a654025492d86
MD5: 3c5abec5b685809a670dee9b729a9096
M20-i59h1 | Shiz_ba522cea | Windows | This strike sends a malware sample known as Shiz. Shiz is a remote access trojan that allows an attacker to access an infected machine to harvest sensitive information like application passwords and browser cookies. | ba522ceacf187c3aee16f32af3031aa4 | https://blog.talosintelligence.com/2020/09/threat-roundup-0911-0918.html
SHA256: 74bcf9d958ffb06408a4e01aacedfb503f2e484ebf2026ae10c0708132332c6a
SHA1: 0048eeb3abec0ed99ca3346462e832aac7ddc508
MD5: ba522ceacf187c3aee16f32af3031aa4
M20-11ij1 | Joker_2a7d3d07 | Mixed | This strike sends a malware sample known as Joker. Joker is a billing fraud family of malware. It looks like a legitimate app and oftentimes bypasses Google Play's security protections. Once executed it steals SMS messages, contact lists and device information, and signs the victim up for premium service subscriptions to siphon money. Recent variants hide malicious code inside the Android Manifest of a legitimate application. | 2a7d3d0734f31eb11397cef2b49225c7 | https://threatpost.com/joker-android-malware-dupes-its-way-back-onto-google-play/157307/
SHA256: db43287d1a5ed249c4376ff6eb4a5ae65c63ceade7100229555aebf4a13cebf7
SHA1: e853c6ad4af6a4e3459b9690b64e72a8c59ad9c5
MD5: 2a7d3d0734f31eb11397cef2b49225c7
M20-bhpa1 | Arkei_0eed4e7b | Windows | This strike sends a malware sample known as Arkei. Arkei is an information-stealing malware that collects passwords, credit card information and web browser cookies. | 0eed4e7bb0e7e3e84b119e1e623b427f | https://blog.talosintelligence.com/2020/09/threat-roundup-0911-0918.html
SHA256: 201cc587859c40b56250f600b450274d9e7a083f35391d863cd579e9e4fc378c
SHA1: ef49822b5cbb38d460c806e9965f9e8515eb0c94
MD5: 0eed4e7bb0e7e3e84b119e1e623b427f
M20-fmfl1 | Shlayer_c4e8f038 | Mixed | This strike sends a malware sample known as Shlayer. Shlayer is a Trojan family of malware that targets the Mac OS platform. Its main purpose is to infect a system and retrieve additional malware, most typically adware. Like most adware, it displays unwanted advertising on the system. Most recently Shlayer has been delivered with Apple notarized applications. | c4e8f03892756086e9813db09485b0bc | https://securelist.com/shlayer-for-macos/95724/
https://objective-see.com/blog/blog_0x4E.html
SHA256: f5e6b93eb5979518df4bb5e9edadd2630317da0986da771c085b653a52f8fcd8
SHA1: b76ed43c69ee366cf653461a735bddf9dfec2027
MD5: c4e8f03892756086e9813db09485b0bc
M20-t5791Arkei_15712005Windows This strike sends a malware sample known as Arkei. Arkei is an information-stealing malware that collects passwords, credit card information and web browser cookies.157120055c4f2922c52bd5efebf090b7https://blog.talosintelligence.com/2020/09/threat-roundup-0911-0918.html
SHA256: 30522dedbbb52e22c5a663bd9754ba14aaf0f7130a05660566f96f1475611f2a
SHA1: 9d0b9f8b74b0e273d00dde8c62c0cbe75633cbb7
MD5: 157120055c4f2922c52bd5efebf090b7
M20-vo3b1Shlayer_e8a9e861Mixed This strike sends a malware sample known as Shlayer. Shlayer is a Trojan family that targets macOS. Its main purpose is to infect a system and retrieve additional malware, most typically adware, which then displays unwanted advertising on the system. Most recently Shlayer has been delivered in applications notarized by Apple.e8a9e8617f6f83729e5c4bec46ad1c77https://securelist.com/shlayer-for-macos/95724/
https://objective-see.com/blog/blog_0x4E.html
SHA256: 3b62518db961771c6028f1cd43257e6efa0c2a6b330e088aa1300841e00c7abb
SHA1: 43a44d4f58774157857d04d67a9fef7045dacb2f
MD5: e8a9e8617f6f83729e5c4bec46ad1c77

Malware Strikes August - 2020

Strike ID Malware Platform Info MD5 External References
M20-g0r31ZeroAccess_8426c0cfWindows This strike sends a malware sample known as ZeroAccess. ZeroAccess is a trojan that infects Windows systems, installing a rootkit to hide its presence on the affected machine and serves as a platform for conducting click-fraud campaigns.8426c0cfafeb261c69b5c08d63724c70https://blog.talosintelligence.com/2020/08/threat-roundup-0807-0814.html
SHA256: 1d5d89235918c062861e244103fa8bc5717edae77286ee15d39c3e83890ff0a0
SHA1: 967bd4f8a2a60e43265dbc8132c835eeb58cfe81
MD5: 8426c0cfafeb261c69b5c08d63724c70
M20-7u8i1HawkEye_3eb89430Windows This strike sends a malware sample known as HawkEye. HawkEye is an information stealing malware that specifically targets usernames and passwords stored by web browsers and mail clients on an infected machine. It is commonly spread via email and can also propagate through removable media.3eb89430ad1c97dc03a85175299a5a37https://blog.talosintelligence.com/2020/08/threat-roundup-0807-0814.html
SHA256: 9830b084b68d05603ee40063017f69e4044897e2311d9bcaf11e1af6041ad93b
SHA1: 09887d2df4e36dba3293946aa728e09c253bfefd
MD5: 3eb89430ad1c97dc03a85175299a5a37
M20-bcb41Cerber_41732f62Windows This strike sends a malware sample known as Cerber. Cerber is ransomware that encrypts documents, photos, databases and other important files using the file extension ".cerber".41732f6244f7d05554fe973021aefcc7https://blog.talosintelligence.com/2020/08/threat-roundup-0814-0821.html
SHA256: 1f2161956d8bb447845b0ef70b514edc31f6f01b1007ee6c7a5ebd77e4331439
SHA1: 83397fbeacff9cef1d1aacbcf87b0b531375cc00
MD5: 41732f6244f7d05554fe973021aefcc7
M20-6g8w1Cerber_af19eac8Windows This strike sends a malware sample known as Cerber. Cerber is ransomware that encrypts documents, photos, databases and other important files using the file extension ".cerber".af19eac84be5efd362b46e15930cc538https://blog.talosintelligence.com/2020/08/threat-roundup-0814-0821.html
SHA256: 27343c1b2124a0767c1513d568c8cc25aec07ccbe9b136ee7005c63be965e354
SHA1: f09fa67a7c8c3eb5d58547d40d77e36b535844e2
MD5: af19eac84be5efd362b46e15930cc538
M20-u3tc1HawkEye_9ea93fd1Windows This strike sends a malware sample known as HawkEye. HawkEye is an information stealing malware that specifically targets usernames and passwords stored by web browsers and mail clients on an infected machine. It is commonly spread via email and can also propagate through removable media.9ea93fd1175bb07b354c496ee3a04664https://blog.talosintelligence.com/2020/08/threat-roundup-0807-0814.html
SHA256: 3997379d4c182f45f93e3d7172922a95b5d83de0611134f301760bf6be4cb1e0
SHA1: ad8d53e647840971fd9523411254d1037572d97c
MD5: 9ea93fd1175bb07b354c496ee3a04664
M20-t2vk1ZeroAccess_95ddece9Windows This strike sends a malware sample known as ZeroAccess. ZeroAccess is a trojan that infects Windows systems, installing a rootkit to hide its presence on the affected machine and serves as a platform for conducting click-fraud campaigns.95ddece98d72b8ef206cbcdeb9436653https://blog.talosintelligence.com/2020/08/threat-roundup-0807-0814.html
SHA256: 282c84cd4ab3afc6cff3d5f6e980b6b6430b27c3768841aaf086edb69d98249f
SHA1: 536063c15bfe781d48efd10cf53d4d3c711b281d
MD5: 95ddece98d72b8ef206cbcdeb9436653
M20-pu4v1ZeroAccess_cba44d1aWindows This strike sends a malware sample known as ZeroAccess. ZeroAccess is a trojan that infects Windows systems, installing a rootkit to hide its presence on the affected machine and serves as a platform for conducting click-fraud campaigns.cba44d1ad8632bbc2beccf7ff27b743ehttps://blog.talosintelligence.com/2020/08/threat-roundup-0807-0814.html
SHA256: 15ec244569c18762a6a8e45c3b3ffed7fd9ec1081d67695a5f96c8a8d9f3f58b
SHA1: 04658a802887e1a4a9e21457b450c390f6ed8ec7
MD5: cba44d1ad8632bbc2beccf7ff27b743e
M20-bl5b1ZeroAccess_ffd533f2Windows This strike sends a malware sample known as ZeroAccess. ZeroAccess is a trojan that infects Windows systems, installing a rootkit to hide its presence on the affected machine and serves as a platform for conducting click-fraud campaigns.ffd533f2f95fa70144abf171e18665dehttps://blog.talosintelligence.com/2020/08/threat-roundup-0807-0814.html
SHA256: 32cc788c4b705b9bed78e2b60c1215276b064f1992781c0910e47804a1f75b51
SHA1: ace077cfef975464ad6332415690135535490366
MD5: ffd533f2f95fa70144abf171e18665de
M20-7q8k1VHD_e29a03dbWindows This strike sends a polymorphic malware sample known as VHD. The binary has random contents appended to one of the existing sections of the PE file. VHD is believed to be high-profile targeted ransomware owned and operated by the Lazarus Group. It encrypts all files on connected devices and deletes folders named "System Volume Information". It also employs some notable techniques: it can stop processes that may be locking important files, it can resume if the encryption process is interrupted, and it is copied and executed through WMI calls.e29a03dbec644238fa5257311d428694https://arxiv.org/abs/1801.08917
SHA256: 7b664a13de55f60ed25edd6c1e9a7eadff00d6d15a0a0aceaa9bd9e3bec5ebb4
SHA1: f45c9fb784cc92fa2acd16e2389c61f7961c8452
PARENTID: M20-rpz71
SSDEEP: 1536:CN5P9xb8ZqPbKx3U58YjdZqV355b38poNqa8tCBwFn5B1qMqqU+7upOu4:CN4aEU58oqZ5jT8s+1qMqqD7upOu4
MD5: e29a03dbec644238fa5257311d428694
M20-wvo01Cerber_d1d5145dWindows This strike sends a malware sample known as Cerber. Cerber is ransomware that encrypts documents, photos, databases and other important files using the file extension ".cerber".d1d5145da3dde367f9a84b3f23c0e399https://blog.talosintelligence.com/2020/08/threat-roundup-0814-0821.html
SHA256: 3de3161efe34122601f3865aff18e56cb873ddcc2adb6b7a8b6c4afaa38ec3e4
SHA1: 412a8cc61864eb67645d212f326159de07ef1e10
MD5: d1d5145da3dde367f9a84b3f23c0e399
M20-y9591LATENTBOT_d349806eWindows This strike sends a malware sample known as LATENTBOT. LATENTBOT is malware that may be used to harvest credentials, encrypt and ransom an infected target, or wipe the infected hard drive. It has been seen in the wild since 2013.d349806ea1f2af0f447b2c9e20cb88f0https://www.fireeye.com/blog/threat-research/2015/12/latentbot_trace_me.html
SHA256: 77a2389bc9ff7425e3e6a93f2102149c8fea6be51d41d8719fe0a73defeb15e7
SHA1: 5c13fe64b667062b7c97cc079cf364b0fe636b32
MD5: d349806ea1f2af0f447b2c9e20cb88f0
M20-346a1LATENTBOT_08bb5f82Windows This strike sends a malware sample known as LATENTBOT. LATENTBOT is malware that may be used to harvest credentials, encrypt and ransom an infected target, or wipe the infected hard drive. It has been seen in the wild since 2013.08bb5f82dec4957ad9da12239f606a00https://www.fireeye.com/blog/threat-research/2015/12/latentbot_trace_me.html
SHA256: cd525c392d35a43166b75f1fa578a2d3b6a9a015b6e78da8615756b6afc717ee
SHA1: 26296927a32d3de0eb92b1b1d72ce88c2e7c7ba8
MD5: 08bb5f82dec4957ad9da12239f606a00
M20-e7g21LATENTBOT_a11362a8Windows This strike sends a malware sample known as LATENTBOT. LATENTBOT is malware that may be used to harvest credentials, encrypt and ransom an infected target, or wipe the infected hard drive. It has been seen in the wild since 2013.a11362a8e32b5641e90920729d61b3d4https://www.fireeye.com/blog/threat-research/2015/12/latentbot_trace_me.html
SHA256: 1d3ff6cf195488bdb76d53b21361cd7f948d86199b00db8f506d415cdff690cf
SHA1: 8c1381dc44f1aca6768a11f0b489b2f435b99f03
MD5: a11362a8e32b5641e90920729d61b3d4
M20-mvh71LATENTBOT_56ba76cfWindows This strike sends a malware sample known as LATENTBOT. LATENTBOT is malware that may be used to harvest credentials, encrypt and ransom an infected target, or wipe the infected hard drive. It has been seen in the wild since 2013.56ba76cf35a1121bf83920003c2af825https://www.fireeye.com/blog/threat-research/2015/12/latentbot_trace_me.html
SHA256: c218eeff26478878f93e0f92c47e95f30a9a26c75cef0160557e287ebdc2ce2e
SHA1: ef600bf662acea7511178e460985a08e89f8858c
MD5: 56ba76cf35a1121bf83920003c2af825
M20-bu9q1LATENTBOT_1dd0854aWindows This strike sends a malware sample known as LATENTBOT. LATENTBOT is malware that may be used to harvest credentials, encrypt and ransom an infected target, or wipe the infected hard drive. It has been seen in the wild since 2013.1dd0854a73288e833966fde139ffe385https://www.fireeye.com/blog/threat-research/2015/12/latentbot_trace_me.html
SHA256: 39af310076282129e6a38ec5bf784ff9305b5a1787446f01c06992b359a19c05
SHA1: 3abdaa765769195a495f72fd71cd9037e03dd33c
MD5: 1dd0854a73288e833966fde139ffe385
M20-82aj1Cerber_1cb05585Windows This strike sends a malware sample known as Cerber. Cerber is ransomware that encrypts documents, photos, databases and other important files using the file extension ".cerber".1cb05585c3264a6c3c70d9c56c4792cehttps://blog.talosintelligence.com/2020/08/threat-roundup-0814-0821.html
SHA256: 4fb0907454e2b6faa947003184878d70555be3073132e677b4606032907ca91f
SHA1: fa54cde378d2f45ce09e3eb72eb13369a6575b4b
MD5: 1cb05585c3264a6c3c70d9c56c4792ce
M20-2yl01DOGcall_dc6c2033Windows This strike sends a polymorphic malware sample known as DOGcall. DOGcall, also known as ROKRAT, is a malware family initially seen in attacks originating from North Korea. It uses a loader that drops the core payload. This sample is the final payload, a Remote Access Trojan that provides the attacker with functions including data exfiltration, credential harvesting, screenshots of the system, and communication with a remote C2 server to receive additional commands. The binary has random contents appended to one of the existing sections of the PE file.dc6c20333f94a04c6cdea4fe9211ac09https://arxiv.org/abs/1801.08917
SHA256: 3c79fbaaa59377075068e6f0d6a8835c558e396bf4c3604ce7a431be67b424eb
SHA1: ebc79c9c4b1a59f1f59fe59006446938f0fa04de
PARENTID: M20-hccx1
SSDEEP: 12288:cbeQm0+6dUlyAcdqfAkMvGpns9gKYLd+NjhzZkZf75:ADuJGv2ns9XRkZfV
MD5: dc6c20333f94a04c6cdea4fe9211ac09
M20-iyxr1ZeroAccess_b5b0b385Windows This strike sends a polymorphic malware sample known as ZeroAccess. ZeroAccess is a trojan that infects Windows systems, installing a rootkit to hide its presence on the affected machine and serves as a platform for conducting click-fraud campaigns. The binary has random strings (lorem ipsum) appended at the end of the file.b5b0b385842df2d28e13532b05996e7bhttps://attack.mitre.org/techniques/T1009/
SHA256: 956d07d44f0da1a9356da1a99a6962fef3ea6b3547a0e5acad43389006109a6f
SHA1: 37f13f10c94efc9648155a98b987fd70a7743fba
PARENTID: M20-slow1
SSDEEP: 3072:rEUIFarjgd+x6FNCYkvRBjtAWyUOJQydy/x0NZDTwb2Rl:rEU8qjc+8DCYGBjtLqHM0Ndb/
MD5: b5b0b385842df2d28e13532b05996e7b
M20-npww1ZeroAccess_98f3a2abWindows This strike sends a polymorphic malware sample known as ZeroAccess. ZeroAccess is a trojan that infects Windows systems, installing a rootkit to hide its presence on the affected machine and serves as a platform for conducting click-fraud campaigns. The binary has the timestamp field updated in the PE file header.98f3a2ab6191279de94de7a956c53dc5https://attack.mitre.org/techniques/T1099/
SHA256: 7027f4196799de02cc3e5690d984ac9f1b85d30b77497079a3449f936dfb6c42
SHA1: da00cf1eb1266c084042c067f21dc02401a3a296
PARENTID: M20-vt1r1
SSDEEP: 3072:8ENUaxmelEAzhZ8mwoLt/JVUP0ef3obqHHO4Zmw8yP/40tZDTwb2Im:8ENUxovX8mwoLt/LUP0Id4DZ0tdb
MD5: 98f3a2ab6191279de94de7a956c53dc5
M20-7qok1HawkEye_65e73f93Windows This strike sends a malware sample known as HawkEye. HawkEye is an information stealing malware that specifically targets usernames and passwords stored by web browsers and mail clients on an infected machine. It is commonly spread via email and can also propagate through removable media.65e73f938774b6dfadea69ac7cb37193https://blog.talosintelligence.com/2020/08/threat-roundup-0807-0814.html
SHA256: cc967f71c2e3a2c54ce25312ed1087cc34a7e0d42606b4f0d401a7a391f47ecc
SHA1: e8564295f82b85875cf89c21d78cc33fce81f1b8
MD5: 65e73f938774b6dfadea69ac7cb37193
M20-ay8h1ZeroAccess_569b2af9Windows This strike sends a malware sample known as ZeroAccess. ZeroAccess is a trojan that infects Windows systems, installing a rootkit to hide its presence on the affected machine and serves as a platform for conducting click-fraud campaigns.569b2af985cb1f4b9b368444889d13c4https://blog.talosintelligence.com/2020/08/threat-roundup-0807-0814.html
SHA256: 13c49095c22376a2ccb73ebc18e57b8ad8d8fd58997007115b70bb116244d763
SHA1: 63666fdf40ce1f3f68152295ac31b707dcd6562c
MD5: 569b2af985cb1f4b9b368444889d13c4
M20-u1nq1Exorcist_7e415d5aWindows This strike sends a malware sample known as Exorcist. Exorcist is a new ransomware-as-a-service offering distributed through Pastebin, embedded in a PowerShell script that loads the payload directly into memory.7e415d5a1b1235491cb698eb14817d31https://twitter.com/VK_Intel/status/1286028389518901248
SHA256: a7e27cc38a39ff242da39d05e04b95ea9b656829dfe2e90e8226351da8813d7d
SHA1: ca1a94c1be4e51da577e51957428263ca9c0c0ab
MD5: 7e415d5a1b1235491cb698eb14817d31
M20-orul1Cerber_8baa9694Windows This strike sends a malware sample known as Cerber. Cerber is ransomware that encrypts documents, photos, databases and other important files using the file extension ".cerber".8baa96945edfd47b00622762f66af5ffhttps://blog.talosintelligence.com/2020/08/threat-roundup-0814-0821.html
SHA256: 18c4f60df01b00809a5affabfa5ba04a724e4d4a98ab7e9fb83e9f627aa789e1
SHA1: 5e83b0b872cc03d0d0294145eb5b9539b6392fdc
MD5: 8baa96945edfd47b00622762f66af5ff
M20-9mq21ZeroAccess_0d6be0aeWindows This strike sends a polymorphic malware sample known as ZeroAccess. ZeroAccess is a trojan that infects Windows systems, installing a rootkit to hide its presence on the affected machine and serves as a platform for conducting click-fraud campaigns. The binary has random bytes appended at the end of the file.0d6be0aedd9217ecd67e329f37479768https://attack.mitre.org/techniques/T1009/
SHA256: 7b38f0975be4bd43c06298c88d31ceee10747423943a9346763dfdaf1887eb9a
SHA1: cd3575b62884a79f8c0edce461f1aa435195c62e
PARENTID: M20-vt1r1
SSDEEP: 3072:5ENUaxmelEAzhZ8mwoLt/JVUP0ef3obqHHO4Zmw8yP/40tZDTwb2ImE:5ENUxovX8mwoLt/LUP0Id4DZ0tdb0
MD5: 0d6be0aedd9217ecd67e329f37479768
M20-ojwy1HawkEye_f0d75fb8Windows This strike sends a malware sample known as HawkEye. HawkEye is an information stealing malware that specifically targets usernames and passwords stored by web browsers and mail clients on an infected machine. It is commonly spread via email and can also propagate through removable media.f0d75fb839b44dc8d064b7bf8295f94dhttps://blog.talosintelligence.com/2020/08/threat-roundup-0807-0814.html
SHA256: 544f6d58158bbc5e36692c74722101571e167a65fe72c70a9d13522b5e72c18a
SHA1: 69a163a71a33da5348b70e1e9c4c52c9d0390f21
MD5: f0d75fb839b44dc8d064b7bf8295f94d
M20-zhk41Cerber_e122bb15Windows This strike sends a malware sample known as Cerber. Cerber is ransomware that encrypts documents, photos, databases and other important files using the file extension ".cerber".e122bb15a9fe5912c2812e5517760477https://blog.talosintelligence.com/2020/08/threat-roundup-0814-0821.html
SHA256: 5adf50576a375547c4775341535461d49078234283379e17bba88465cd286f7c
SHA1: aa9f6a4fcf623b89023da83c23882643cba9b5be
MD5: e122bb15a9fe5912c2812e5517760477
M20-vrgu1ZeroAccess_9be94e1aWindows This strike sends a malware sample known as ZeroAccess. ZeroAccess is a trojan that infects Windows systems, installing a rootkit to hide its presence on the affected machine and serves as a platform for conducting click-fraud campaigns.9be94e1ac5349f1265c0627b48fd0fa6https://blog.talosintelligence.com/2020/08/threat-roundup-0807-0814.html
SHA256: 32444739f82129df10cb9ec20b0efff24fde19415e4829edfad35d0eca9e37bf
SHA1: a75278c4f71417018528369df3365954971ca9b4
MD5: 9be94e1ac5349f1265c0627b48fd0fa6
M20-hrez1Cerber_ae6e64f2Windows This strike sends a malware sample known as Cerber. Cerber is ransomware that encrypts documents, photos, databases and other important files using the file extension ".cerber".ae6e64f2fe99eea396b7167192c091f8https://blog.talosintelligence.com/2020/08/threat-roundup-0814-0821.html
SHA256: 6959e3521c3ce4a39a250cfb899f52cc74b6bd1a7a1ba4ee03d4766210346fa3
SHA1: f9cda58cf62557085ac86bf0ced62570644a0a66
MD5: ae6e64f2fe99eea396b7167192c091f8
M20-xvpr1ZeroAccess_194fc911Windows This strike sends a malware sample known as ZeroAccess. ZeroAccess is a trojan that infects Windows systems, installing a rootkit to hide its presence on the affected machine and serves as a platform for conducting click-fraud campaigns.194fc911595fb4024d0e008946ec6b18https://blog.talosintelligence.com/2020/08/threat-roundup-0807-0814.html
SHA256: 1cce1a38e7ded5ab7d23928b730f514ac05c6c97107e89e293ac7590cc84b455
SHA1: fe986ea201862dff2bef345418835052910a502a
MD5: 194fc911595fb4024d0e008946ec6b18
M20-0dl21LATENTBOT_5446022cWindows This strike sends a malware sample known as LATENTBOT. LATENTBOT is malware that may be used to harvest credentials, encrypt and ransom an infected target, or wipe the infected hard drive. It has been seen in the wild since 2013.5446022c6d14a45fd6ef412a2d6601c5https://www.fireeye.com/blog/threat-research/2015/12/latentbot_trace_me.html
SHA256: cb2c0ea31f33540ea223b777888d3580d32ba8ed73519ea6fafcda5238a0772d
SHA1: 08fb0245cadb2a0ee74aec2b7099d0377308993c
MD5: 5446022c6d14a45fd6ef412a2d6601c5
M20-vt1r1ZeroAccess_9ea002e2Windows This strike sends a malware sample known as ZeroAccess. ZeroAccess is a trojan that infects Windows systems, installing a rootkit to hide its presence on the affected machine and serves as a platform for conducting click-fraud campaigns.9ea002e2ac906ab1aeaa2c85486955bdhttps://blog.talosintelligence.com/2020/08/threat-roundup-0807-0814.html
SHA256: 3730b1bedfa415b29e894ec046500518632997a3891757b70bf3d78d2c4bc879
SHA1: ed42de3f8149f331326198a0b4d29a3c197cd358
MD5: 9ea002e2ac906ab1aeaa2c85486955bd
M20-e4ls1ZeroAccess_2d3ecd00Windows This strike sends a malware sample known as ZeroAccess. ZeroAccess is a trojan that infects Windows systems, installing a rootkit to hide its presence on the affected machine and serves as a platform for conducting click-fraud campaigns.2d3ecd0011581f113735ffd46ef8fc22https://blog.talosintelligence.com/2020/08/threat-roundup-0807-0814.html
SHA256: 2bf2b2f2b05ce861866ce6037f249676386d188a9167690cccc80ecc2bcc84c6
SHA1: 94527d0d3644cf701459bcc337a7208be0af2f8c
MD5: 2d3ecd0011581f113735ffd46ef8fc22
M20-rrh02ZeroAccess_8f15b013Windows This strike sends a malware sample known as ZeroAccess. ZeroAccess is a trojan that infects Windows systems, installing a rootkit to hide its presence on the affected machine and serves as a platform for conducting click-fraud campaigns.8f15b0136b3fbc214755ac1fa2f3347ehttps://blog.talosintelligence.com/2020/08/threat-roundup-0807-0814.html
SHA256: 30748c87416d2c5f6a711a2f2f84d585062f709225ccf691f86ea498cdeacba3
SHA1: 5d9dd74e93e1adfe33683d33e3ae04db099997ed
MD5: 8f15b0136b3fbc214755ac1fa2f3347e
M20-qkxm1Exorcist_cb3a1463Windows This strike sends a malware sample known as Exorcist. Exorcist is a new ransomware-as-a-service offering distributed through Pastebin, embedded in a PowerShell script that loads the payload directly into memory.cb3a1463f4fd3e74b8f1ca5e73b81816https://twitter.com/VK_Intel/status/1286028389518901248
SHA256: 8da469200a4b3899b23a34232eec537f12c621aa3c8766a9745d8ff721ef5296
SHA1: 2007db72d68b6c63e906aa625196a3b4ddd01a51
MD5: cb3a1463f4fd3e74b8f1ca5e73b81816
M20-i5sh1ZeroAccess_49158788Windows This strike sends a malware sample known as ZeroAccess. ZeroAccess is a trojan that infects Windows systems, installing a rootkit to hide its presence on the affected machine and serves as a platform for conducting click-fraud campaigns.49158788220d59f7692de831f7e64175https://blog.talosintelligence.com/2020/08/threat-roundup-0807-0814.html
SHA256: 13459c39decf77e6570f70a4452ca88b44b890800970bff0ca8b4ccf168db12e
SHA1: b9c7532182724ddde73eb8005f1813fb906aecb4
MD5: 49158788220d59f7692de831f7e64175
M20-tytl1Cerber_d08b6626Windows This strike sends a malware sample known as Cerber. Cerber is ransomware that encrypts documents, photos, databases and other important files using the file extension ".cerber".d08b6626b95874a16a0b4aee087b9536https://blog.talosintelligence.com/2020/08/threat-roundup-0814-0821.html
SHA256: 29b05e9f79e56a480421ca565d2ae57b6db6e6b54e15d603534686bbde6c5759
SHA1: 0fbca35bbdbf0037802c1b1be663f5bf606a69f8
MD5: d08b6626b95874a16a0b4aee087b9536
M20-j69i1Exorcist_8cc13feaWindows This strike sends a malware sample known as Exorcist. Exorcist is a new ransomware-as-a-service offering distributed through Pastebin, embedded in a PowerShell script that loads the payload directly into memory.8cc13fea61cc0ba1382a779ee46726f0https://twitter.com/VK_Intel/status/1286028389518901248
SHA256: eeb8a83d7532797d39d060ffb2a65562e8d803c4dbd8379289f99367cac2f850
SHA1: bd8ef46a02085153605a87fcc047f7ef3d0c4131
MD5: 8cc13fea61cc0ba1382a779ee46726f0
M20-g7mg1VHD_2d5da841Windows This strike sends a polymorphic malware sample known as VHD. The binary has one section renamed to a random name that still conforms to the PE format specification. VHD is believed to be high-profile targeted ransomware owned and operated by the Lazarus Group. It encrypts all files on connected devices and deletes folders named "System Volume Information". It also employs some notable techniques: it can stop processes that may be locking important files, it can resume if the encryption process is interrupted, and it is copied and executed through WMI calls.2d5da841280f2544e0516cfb40f2a0a9https://arxiv.org/abs/1801.08917
SHA256: 484f0943385861d91cc0e8bdc7128dacc1b5e367edea906d8fcd1ddf1a268c3d
SHA1: 0d4847681799f5aa38876d033156720c44354bb4
PARENTID: M20-rpz71
SSDEEP: 1536:YN5P9xb8ZqPbKx3U58YjdZqV355b38poNqa8tCBwFn5BcqMqqU+7upEu4:YN4aEU58oqZ5jT8s+cqMqqD7upEu4
MD5: 2d5da841280f2544e0516cfb40f2a0a9
M20-ke151LATENTBOT_af15076aWindows This strike sends a malware sample known as LATENTBOT. LATENTBOT is malware that may be used to harvest credentials, encrypt and ransom an infected target, or wipe the infected hard drive. It has been seen in the wild since 2013.af15076a22576f270af0111b93fe6e03https://www.fireeye.com/blog/threat-research/2015/12/latentbot_trace_me.html
SHA256: 46aaea7273e79f046f7f938941a90c09fa3c04af677ef52f9ce7b1b8a3e40938
SHA1: 02d17707c6f98d84d8d18bc023a2fc5b7529e33e
MD5: af15076a22576f270af0111b93fe6e03
M20-wyxj1LATENTBOT_6ea9d27dWindows This strike sends a malware sample known as LATENTBOT. LATENTBOT is malware that may be used to harvest credentials, encrypt and ransom an infected target, or wipe the infected hard drive. It has been seen in the wild since 2013.6ea9d27d23646fc94e05b8c5e921db99https://www.fireeye.com/blog/threat-research/2015/12/latentbot_trace_me.html
SHA256: 99573b10c10277d3b695f55fa7f0a6dbfd74a5c14393b2fd9edb56a94a6dab2a
SHA1: fb7f88abe94b4a0bd31a4bfaffad80db9fca678b
MD5: 6ea9d27d23646fc94e05b8c5e921db99
M20-aty01ZeroAccess_e30a52b5Windows This strike sends a malware sample known as ZeroAccess. ZeroAccess is a trojan that infects Windows systems, installing a rootkit to hide its presence on the affected machine and serves as a platform for conducting click-fraud campaigns.e30a52b5e3ba0ead21a352895e02f83ahttps://blog.talosintelligence.com/2020/08/threat-roundup-0807-0814.html
SHA256: 06b5a57ea7803b52eb7f6cec3af051dd37127327d060e5247f10f2f31a1a10f2
SHA1: 6fb9a827174baa672fe74cfd9d20185d0e3c8ead
MD5: e30a52b5e3ba0ead21a352895e02f83a
M20-vtg21ZeroAccess_c4c69c5aWindows This strike sends a malware sample known as ZeroAccess. ZeroAccess is a trojan that infects Windows systems, installing a rootkit to hide its presence on the affected machine and serves as a platform for conducting click-fraud campaigns.c4c69c5acd63a6d9be8c893b56b43434https://blog.talosintelligence.com/2020/08/threat-roundup-0807-0814.html
SHA256: 2f8ca4f09c3ae69627663fdcabaf70eb71d1860a6959e8a76c8c80f58690f727
SHA1: c962d49d63a572f20fadc677f305a0371e4fea3c
MD5: c4c69c5acd63a6d9be8c893b56b43434
M20-szh91Cerber_de77b672Windows This strike sends a malware sample known as Cerber. Cerber is ransomware that encrypts documents, photos, databases and other important files using the file extension ".cerber".de77b6722ec5f99fc2e5d562ebb6e864https://blog.talosintelligence.com/2020/08/threat-roundup-0814-0821.html
SHA256: 0712fdbf593406d803bfc4638264b7a5d8dc95316d4988079828106e6f6925e3
SHA1: 446963841c3cea1c203afe003ee7e6108116d9cc
MD5: de77b6722ec5f99fc2e5d562ebb6e864
M20-2r9f1Cerber_a6fe0fdaWindows This strike sends a malware sample known as Cerber. Cerber is ransomware that encrypts documents, photos, databases and other important files using the file extension ".cerber".a6fe0fda24d5a34b151ba42d11d3af2bhttps://blog.talosintelligence.com/2020/08/threat-roundup-0814-0821.html
SHA256: 34959098859ac166ece6bf7c8edc1f28feefa4cec1f26eeb531466449ee4345d
SHA1: 1b74e9cb36473bb8c1b7839c708199ccab5fb4c1
MD5: a6fe0fda24d5a34b151ba42d11d3af2b
M20-2k0f1ZeroAccess_9aa64232Windows This strike sends a malware sample known as ZeroAccess. ZeroAccess is a trojan that infects Windows systems, installing a rootkit to hide its presence on the affected machine and serves as a platform for conducting click-fraud campaigns.9aa64232ca7425b4831bb10687293399https://blog.talosintelligence.com/2020/08/threat-roundup-0807-0814.html
SHA256: 39f354ab2ab87d5232a50faf54945c1d135bacda212cb3e21b8e3707eb5f8372
SHA1: 04fd8e73b0b4483c9bd0e9f14be45c8c05017713
MD5: 9aa64232ca7425b4831bb10687293399
M20-rpz71VHD_dd00a861Windows This strike sends a malware sample known as VHD. VHD is believed to be high-profile targeted ransomware owned and operated by the Lazarus Group. It encrypts all files on connected devices and deletes folders named "System Volume Information". It also employs some notable techniques: it can stop processes that may be locking important files, it can resume if the encryption process is interrupted, and it is copied and executed through WMI calls.dd00a8610bb84b54e99ae8099db1fc20https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
SHA256: 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473
SHA1: 3d31b2f6a6c59194cad3347d08197bd79f020274
MD5: dd00a8610bb84b54e99ae8099db1fc20
M20-ez7x1ZeroAccess_ba15b25fWindows This strike sends a malware sample known as ZeroAccess. ZeroAccess is a trojan that infects Windows systems, installing a rootkit to hide its presence on the affected machine and serves as a platform for conducting click-fraud campaigns.ba15b25f7eac496cc69525ac079338ffhttps://blog.talosintelligence.com/2020/08/threat-roundup-0807-0814.html
SHA256: 05b4adf6c681db28bbef8e60349a6763df7be81bcd6e137f90ddbe0856f9cd4d
SHA1: 583b68aeca848c03bbd4f8bcafe84876fbb47821
MD5: ba15b25f7eac496cc69525ac079338ff
M20-qtuh1Cerber_dbe1d59aWindows This strike sends a malware sample known as Cerber. Cerber is ransomware that encrypts documents, photos, databases and other important files using the file extension ".cerber".dbe1d59af02ee4e9ad739f6261b01648https://blog.talosintelligence.com/2020/08/threat-roundup-0814-0821.html
SHA256: 350cafe8a66a3bebfc84fe7c9fc5533a976a476354583e840364e8c9d0ee1cb9
SHA1: e7ed5e94e94faab732346ae8baa1589cf1092d37
MD5: dbe1d59af02ee4e9ad739f6261b01648
M20-x4gi1HawkEye_a818e1edWindows This strike sends a malware sample known as HawkEye. HawkEye is an information stealing malware that specifically targets usernames and passwords stored by web browsers and mail clients on an infected machine. It is commonly spread via email and can also propagate through removable media.a818e1ed86f7fa07ac47954694bc91fehttps://blog.talosintelligence.com/2020/08/threat-roundup-0807-0814.html
SHA256: aba452ab6580b4ec6182fc8a662c8197496792b5d19af680ccc155d56c36b465
SHA1: 770bf25d96a36b04de90cea8b97526660edb0442
MD5: a818e1ed86f7fa07ac47954694bc91fe
M20-63f21HawkEye_88b882aaWindows This strike sends a malware sample known as HawkEye. HawkEye is an information stealing malware that specifically targets usernames and passwords stored by web browsers and mail clients on an infected machine. It is commonly spread via email and can also propagate through removable media.88b882aacd9a1ca0f1f7304c21aaae66https://blog.talosintelligence.com/2020/08/threat-roundup-0807-0814.html
SHA256: 249eb266faaf08964a5da1f666a9f0ba2f2dd645a6fd3787c168d7a6e5d4d7b3
SHA1: 0bb017c67f760f747e40be53771201e3141b763d
MD5: 88b882aacd9a1ca0f1f7304c21aaae66
M20-m6zl1LATENTBOT_fa20c7f3Windows This strike sends a polymorphic malware sample known as LATENTBOT. LATENTBOT is malware that may be used to harvest credentials, encrypt and ransom an infected target, or wipe the infected hard drive. It has been seen in the wild since 2013. The binary has one section renamed to a random name that still conforms to the PE format specification.fa20c7f3e1091c12dde319acf4b75b9ahttps://arxiv.org/abs/1801.08917
SHA256: f82f5652d0a825a04313512c84f7f806f15d7c375ec3169e7384ed6ff60af1a5
SHA1: 9e0d78cccc353741c0c0a9fa06f3a624bd673ecc
PARENTID: M20-5u4k1
SSDEEP: 49152:prG2NAFop+qvBOedFLib4cz8kneCdpUz+P:pWFodvBOaFLiEfoe9z+P
MD5: fa20c7f3e1091c12dde319acf4b75b9a
M20-b17z1ZeroAccess_4c6089f9Windows This strike sends a polymorphic malware sample known as ZeroAccess. ZeroAccess is a trojan that infects Windows systems, installing a rootkit to hide its presence on the affected machine and serves as a platform for conducting click-fraud campaigns. The binary has random contents appended to one of the existing sections of the PE file.4c6089f91462f9f07d0de266688420e1https://arxiv.org/abs/1801.08917
SHA256: 1f86e137f43a4c4cd2bd5e647adc1ddd6afea0bea5e1940d9049507d73d63c00
SHA1: f79e25add7b9aded6e062346eefcc26150837999
PARENTID: M20-vt1r1
SSDEEP: 3072:vENUaxmelEAzhZ8mwoLt/JVUP0ef3obqHHO4Zmw8yP/40tZDTwb2Iw:vENUxovX8mwoLt/LUP0Id4DZ0tdb
MD5: 4c6089f91462f9f07d0de266688420e1
M20-zdt31Exorcist_f4009abeWindows This strike sends a malware sample known as Exorcist. Exorcist is a new ransomware-as-a-service offering distributed through Pastebin, embedded in a PowerShell script that loads the payload directly into memory.f4009abe9f41da41e48340c96e29d62chttps://twitter.com/VK_Intel/status/1286028389518901248
SHA256: 6db3aae21a6d80857c85f58c4c8b2cf9c6b7f8b8a9ab1d5496d18eaf9bd0bd01
SHA1: 01636cd2ab7eada533ded51728acd8cd99020c57
MD5: f4009abe9f41da41e48340c96e29d62c
M20-4nn91ZeroAccess_079c063fWindows This strike sends a polymorphic malware sample known as ZeroAccess. ZeroAccess is a trojan that infects Windows systems, installing a rootkit to hide its presence on the affected machine and serves as a platform for conducting click-fraud campaigns. The binary has random bytes appended at the end of the file.079c063f97182ef3c31dfa5707c9909fhttps://attack.mitre.org/techniques/T1009/
SHA256: db38744989f553084e95a5ab04f2a98d1b9f2919d374e8d9a4e2654e0872a875
SHA1: f6310a9a0b2aec8671958c3e2eb8c1c37148b6e9
PARENTID: M20-slow1
SSDEEP: 3072:rEUIFarjgd+x6FNCYkvRBjtAWyUOJQydy/x0NZDTwb2Rj:rEU8qjc+8DCYGBjtLqHM0NdbF
MD5: 079c063f97182ef3c31dfa5707c9909f
M20-kykt1 | Cerber_4d71d738 | Windows | This strike sends a malware sample known as Cerber. Cerber is ransomware that encrypts documents, photos, databases and other important files, using the file extension ".cerber". | 4d71d738887d2bc046f732bf1f13391c | https://blog.talosintelligence.com/2020/08/threat-roundup-0814-0821.html
SHA256: 6edbea75b6b0904f0cbebda821805eeb3af462cde35d9af3d3ecdb6e8145e860
SHA1: 988f8c67b7a4a92dfdfd5c5a045e9441aa11122a
MD5: 4d71d738887d2bc046f732bf1f13391c
M20-9x9l1 | Exorcist_5a63e7d3 | Windows | This strike sends a malware sample known as Exorcist. Exorcist is a new ransomware-as-a-service that is distributed through Pastebin, embedded in a PowerShell script that loads it directly into memory. | 5a63e7d371dd69c5625f5b48da426c14 | https://twitter.com/VK_Intel/status/1286028389518901248
SHA256: b1bcc54ef15f91d9291357eca02862174bd6158e95813eff1ab0c16ba48ff10e
SHA1: 63a5bd8b7ed922ad5fe498d2a15a57d1d552055a
MD5: 5a63e7d371dd69c5625f5b48da426c14
M20-c42m1 | Cerber_b7549aee | Windows | This strike sends a malware sample known as Cerber. Cerber is ransomware that encrypts documents, photos, databases and other important files, using the file extension ".cerber". | b7549aee594d32bcc4a8389b77ae412b | https://blog.talosintelligence.com/2020/08/threat-roundup-0814-0821.html
SHA256: 413eeaef11563646ef90407e4fdd8e0078f95dfd309fb2ada8728e45befbb313
SHA1: 287f714064835f8b47f20b185194010f4cb27810
MD5: b7549aee594d32bcc4a8389b77ae412b
M20-wnru1 | ZeroAccess_539f9f37 | Windows | This strike sends a polymorphic malware sample known as ZeroAccess. ZeroAccess is a trojan that infects Windows systems, installs a rootkit to hide its presence on the affected machine, and serves as a platform for conducting click-fraud campaigns. The binary has random strings (lorem ipsum) appended at the end of the file. | 539f9f377347a58ffde24c5bf659697b | https://attack.mitre.org/techniques/T1009/
SHA256: c2c964b5dd8fe884122198891327bd5e76c5ef32e3e465ae80032f6272fb5995
SHA1: 669642065b1c423d4639d5343d6f57a5c7fd53d0
PARENTID: M20-vt1r1
SSDEEP: 3072:5ENUaxmelEAzhZ8mwoLt/JVUP0ef3obqHHO4Zmw8yP/40tZDTwb2Im8:5ENUxovX8mwoLt/LUP0Id4DZ0tdbs
MD5: 539f9f377347a58ffde24c5bf659697b
M20-71wv1 | Exorcist_79385ed9 | Windows | This strike sends a malware sample known as Exorcist. Exorcist is a new ransomware-as-a-service that is distributed through Pastebin, embedded in a PowerShell script that loads it directly into memory. | 79385ed97732aee0036e67824de18e28 | https://twitter.com/VK_Intel/status/1286028389518901248
SHA256: 8d684a790a5683b8decde9fb5a819c4a164d3032723a151a30ff26d3c2b1aabf
SHA1: 2f65a2b8ac21b3505855f7b89551cc1f31bf636e
MD5: 79385ed97732aee0036e67824de18e28
M20-98en1 | ZeroAccess_218c68ce | Windows | This strike sends a malware sample known as ZeroAccess. ZeroAccess is a trojan that infects Windows systems, installs a rootkit to hide its presence on the affected machine, and serves as a platform for conducting click-fraud campaigns. | 218c68ce147d4b49365e643806d0b1cb | https://blog.talosintelligence.com/2020/08/threat-roundup-0807-0814.html
SHA256: 37762286cb02f4c93d6735764fc0c9c727f8886129a0b017f727c339b08cb39a
SHA1: 48a4804b435dd0bd3befe2bfadb7d2587a35b3ec
MD5: 218c68ce147d4b49365e643806d0b1cb
M20-rx3d1 | Cerber_9f2a535d | Windows | This strike sends a malware sample known as Cerber. Cerber is ransomware that encrypts documents, photos, databases and other important files, using the file extension ".cerber". | 9f2a535d3d35f990f291c3bbb0c0fc8a | https://blog.talosintelligence.com/2020/08/threat-roundup-0814-0821.html
SHA256: 2778aa52eaf8d8fa2950cd2ef50faae6f49c9d7e0c55d813a36613fe63a3be73
SHA1: 12346271cbfebcf4da42e4cbce118eff9455fe61
MD5: 9f2a535d3d35f990f291c3bbb0c0fc8a
M20-k95s1 | Cerber_8e3ff00e | Windows | This strike sends a malware sample known as Cerber. Cerber is ransomware that encrypts documents, photos, databases and other important files, using the file extension ".cerber". | 8e3ff00e2f4ffb177b991b68f8975001 | https://blog.talosintelligence.com/2020/08/threat-roundup-0814-0821.html
SHA256: 24f656fed8bb0ea0e5cca4422dd61a3b7a2eeeccff942403429f722cfcdef5a3
SHA1: 85cf77cc1d7dd3d3e133f764ae025e8f0fc03e83
MD5: 8e3ff00e2f4ffb177b991b68f8975001
M20-wde81 | HawkEye_bc66e2a1 | Windows | This strike sends a malware sample known as HawkEye. HawkEye is information-stealing malware that specifically targets usernames and passwords stored by web browsers and mail clients on an infected machine. It is commonly spread via email and can also propagate through removable media. | bc66e2a191d06f12b1a035975660052b | https://blog.talosintelligence.com/2020/08/threat-roundup-0807-0814.html
SHA256: 4a3197916ff9e336d191baf4e284407d6774119b733bc194ddc89e649ec1db33
SHA1: d99332f2f99d2ef34cf3b47e2749e63c80237ad7
MD5: bc66e2a191d06f12b1a035975660052b
M20-ebbi1 | HawkEye_f4274360 | Windows | This strike sends a malware sample known as HawkEye. HawkEye is information-stealing malware that specifically targets usernames and passwords stored by web browsers and mail clients on an infected machine. It is commonly spread via email and can also propagate through removable media. | f4274360fefd50fb219f0ec648bf015e | https://blog.talosintelligence.com/2020/08/threat-roundup-0807-0814.html
SHA256: 6f0f235b4b8977922739508a3cda37cb80662f5e3114e9aeb85ff61b60164a3d
SHA1: 3faadaf938bd586fe9756a8d123569da5f29e64e
MD5: f4274360fefd50fb219f0ec648bf015e
M20-hccx1 | DOGcall_394e52e2 | Windows | This strike sends a malware sample known as DOGcall. DOGcall, also known as ROKRat, is a family of malware initially seen from attackers originating from North Korea. The malware has a loader that drops the core payload. This sample is the final payload: a Remote Access Trojan that provides the attacker with a number of functions, including data exfiltration, credential harvesting, screenshots of the system, and communication with a remote C2 server to receive additional commands. | 394e52e219feb1a5c403714154048728 | https://www.carbonblack.com/blog/threat-analysis-rokrat-malware/
SHA256: 2ca7c2048f247b871e455a9ac8bcb97927dd284477e7c2c4d2454509f97413b5
SHA1: 16468fbc241be27b32ececa645898915e2e4ec94
MD5: 394e52e219feb1a5c403714154048728
M20-n1e61 | ZeroAccess_c4e7f9c9 | Windows | This strike sends a malware sample known as ZeroAccess. ZeroAccess is a trojan that infects Windows systems, installs a rootkit to hide its presence on the affected machine, and serves as a platform for conducting click-fraud campaigns. | c4e7f9c9224801d1811880efb64d1398 | https://blog.talosintelligence.com/2020/08/threat-roundup-0807-0814.html
SHA256: 0613e2173bfb29e045412fa140712fcefd84c630544d3c56ecab662bc5fcd983
SHA1: f41b58d9e41327b756aa5cf14ed9c56df8248442
MD5: c4e7f9c9224801d1811880efb64d1398
M20-y9411 | VHD_fa1f20d9 | Windows | This strike sends a polymorphic malware sample known as VHD. VHD is believed to be a high-profile targeted ransomware owned and operated by the Lazarus Group. It encrypts all files on connected devices and deletes folders named "System Volume Information". The program also employs some interesting techniques, such as the ability to stop processes that could be locking important files, a mechanism to resume operations if the encryption process is interrupted, and copying and executing itself through WMI calls. The binary has random bytes appended at the end of the file. | fa1f20d928ae60a5dedcd3522dde2252 | https://attack.mitre.org/techniques/T1009/
SHA256: 824936d626c2bbfc30da6a6767411ee84a1df8c98b6ac4ea24d5a59ec799a637
SHA1: fac5ca38e4b0152ea6de2cfa4f3c4a47881889ba
PARENTID: M20-rpz71
SSDEEP: 1536:CN5P9xb8ZqPbKx3U58YjdZqV355b38poNqa8tCBwFn5BcqMqqU+7upEu46B1:CN4aEU58oqZ5jT8s+cqMqqD7upEu46X
MD5: fa1f20d928ae60a5dedcd3522dde2252
M20-sagy1 | Cerber_f6486529 | Windows | This strike sends a malware sample known as Cerber. Cerber is ransomware that encrypts documents, photos, databases and other important files, using the file extension ".cerber". | f6486529e6ae82d03dca5889ff20e8d7 | https://blog.talosintelligence.com/2020/08/threat-roundup-0814-0821.html
SHA256: 6a49ffcb3ddb3a8912c3f75ae35b846913b6d3cc6303c395f251b3e66ee1621c
SHA1: 7327dbc4d9b2315e382fd2b7bbf7614ddf048245
MD5: f6486529e6ae82d03dca5889ff20e8d7
M20-xjvr1 | LATENTBOT_4135552b | Windows | This strike sends a malware sample known as LATENTBOT. LATENTBOT is malware that may be used to harvest credentials, encrypt and ransom an infected target, or wipe the infected hard drive. It has been found in the wild since 2013. | 4135552b0045e7d67b26167f43b88a30 | https://www.fireeye.com/blog/threat-research/2015/12/latentbot_trace_me.html
SHA256: 370ea3f098df7064faf4ee7456588d023b35c497a362add49853e90090f8b6df
SHA1: 8f571ebb8b8ca739dade2d0cad262d18db506df7
MD5: 4135552b0045e7d67b26167f43b88a30
M20-opj91 | VHD_ccc6026a | Windows | This strike sends a malware sample known as VHD. VHD is believed to be a high-profile targeted ransomware owned and operated by the Lazarus Group. It encrypts all files on connected devices and deletes folders named "System Volume Information". The program also employs some interesting techniques, such as the ability to stop processes that could be locking important files, a mechanism to resume operations if the encryption process is interrupted, and copying and executing itself through WMI calls. | ccc6026acf7eadada9adaccab70ca4d6 | https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
SHA256: 73a10be31832c9f1cbbd798590411009da0881592a90feb472e80025dfb0ea79
SHA1: 800c8a12ac05459197256940e32234b9bc2db08b
MD5: ccc6026acf7eadada9adaccab70ca4d6
M20-5u4k1 | LATENTBOT_47f220f6 | Windows | This strike sends a malware sample known as LATENTBOT. LATENTBOT is malware that may be used to harvest credentials, encrypt and ransom an infected target, or wipe the infected hard drive. It has been found in the wild since 2013. | 47f220f6110ecba74a69928c20ce9d3e | https://www.fireeye.com/blog/threat-research/2015/12/latentbot_trace_me.html
SHA256: 45aefcd50e62d9d5a9535d9d99f78a5c6725fd7ffcd378ef181d3dbbf2a115a5
SHA1: e88679c01bba1a880e54ce699e1555285ada3619
MD5: 47f220f6110ecba74a69928c20ce9d3e
M20-07gu1 | ZeroAccess_49570ea4 | Windows | This strike sends a malware sample known as ZeroAccess. ZeroAccess is a trojan that infects Windows systems, installs a rootkit to hide its presence on the affected machine, and serves as a platform for conducting click-fraud campaigns. | 49570ea4a111bb82d2ae773164f58c04 | https://blog.talosintelligence.com/2020/08/threat-roundup-0807-0814.html
SHA256: 31cecd5a427756b23d5fc757b7307df03157b53947dd737d345b8e7864ee44ca
SHA1: 321c875113e77896a7f415abb4860e2a40742f4f
MD5: 49570ea4a111bb82d2ae773164f58c04
M20-ikwy1 | ZeroAccess_b2401b9b | Windows | This strike sends a polymorphic malware sample known as ZeroAccess. ZeroAccess is a trojan that infects Windows systems, installs a rootkit to hide its presence on the affected machine, and serves as a platform for conducting click-fraud campaigns. The binary has the checksum removed in the PE file format. | b2401b9b875c7259ca8ed1b833c63dea | https://arxiv.org/abs/1801.08917
SHA256: 7ea363fc7e7ff355d212a74b8ff48609b64a0365320fa48ae4df854aca117375
SHA1: 3cc75e0f862c425cd5632daa02869a31e82fb306
PARENTID: M20-vt1r1
SSDEEP: 3072:PENUaxmelEAzhZ8mwoLt/JVUP0ef3obqHHO4Zmw8yP/40tZDTwb2Im:PENUxovX8mwoLt/LUP0Id4DZ0tdb
MD5: b2401b9b875c7259ca8ed1b833c63dea
M20-cafi1 | HawkEye_3ba7171c | Windows | This strike sends a malware sample known as HawkEye. HawkEye is information-stealing malware that specifically targets usernames and passwords stored by web browsers and mail clients on an infected machine. It is commonly spread via email and can also propagate through removable media. | 3ba7171c8836de935a74799291ebca46 | https://blog.talosintelligence.com/2020/08/threat-roundup-0807-0814.html
SHA256: 15b0c6331f2eff371e176e24c3fe3f30c40c56e56f19412e89718f5f6ad91eda
SHA1: 535d5c232fba95d042b3986f82af578edc1b45fb
MD5: 3ba7171c8836de935a74799291ebca46
M20-dlsc1 | Cerber_aae16290 | Windows | This strike sends a malware sample known as Cerber. Cerber is ransomware that encrypts documents, photos, databases and other important files, using the file extension ".cerber". | aae16290207f1251b6b9510a50760323 | https://blog.talosintelligence.com/2020/08/threat-roundup-0814-0821.html
SHA256: 3f92bd7f208dafca5d89a7ba1145836f264336baab457f62269129028eb53ecd
SHA1: 76c3fdcc8feb1846b61d2520ccaefbdcea691d10
MD5: aae16290207f1251b6b9510a50760323
M20-2uua1 | ZeroAccess_353353e7 | Windows | This strike sends a polymorphic malware sample known as ZeroAccess. ZeroAccess is a trojan that infects Windows systems, installs a rootkit to hide its presence on the affected machine, and serves as a platform for conducting click-fraud campaigns. The binary has random contents appended in one of the existing sections in the PE file format. | 353353e771ca42fea2cb01005485fd8f | https://arxiv.org/abs/1801.08917
SHA256: 3f94f98176abf4ba7545ef1afeed5ba3964dc09fdf31e8c2a5c5d15aff21790e
SHA1: e8a636393698a263fcdb92b3171dc34e50cf146b
PARENTID: M20-slow1
SSDEEP: 3072:tEUIFarjgd+x6FNCYkvRBjtAWyUOJQydy/x0uZDTwb2R:tEU8qjc+8DCYGBjtLqHM0udb
MD5: 353353e771ca42fea2cb01005485fd8f
M20-j5ka1 | LATENTBOT_4d0b1402 | Windows | This strike sends a malware sample known as LATENTBOT. LATENTBOT is malware that may be used to harvest credentials, encrypt and ransom an infected target, or wipe the infected hard drive. It has been found in the wild since 2013. | 4d0b14024d4a7ffcff25f2a3ce337af8 | https://www.fireeye.com/blog/threat-research/2015/12/latentbot_trace_me.html
SHA256: b43b45748709d4c332f0487c10cb4e97dfcad63db4d74acce6d85fe90787dcc3
SHA1: 8dc665e939c9f5e301a54ed542b5f01280b266fd
MD5: 4d0b14024d4a7ffcff25f2a3ce337af8
M20-8au81 | Exorcist_55e43a8a | Windows | This strike sends a polymorphic malware sample known as Exorcist. Exorcist is a new ransomware-as-a-service that is distributed through Pastebin, embedded in a PowerShell script that loads it directly into memory. The binary has a random section name renamed according to the PE format specification. | 55e43a8a489e4c9756a6375a15b2f102 | https://arxiv.org/abs/1801.08917
SHA256: 9d53b77ca6527237bfa47486e9805b2171144fc41ecf38b11db9d9bb538bcf58
SHA1: 44921473ec4473a3e59ce32a45a166a38bf43da2
PARENTID: M20-vxhj1
SSDEEP: 768:Y/w63PwCrEBP+2XES4nrr+nsUeO3za+7dqqtDbruFBT8QFJFmxCTXY+PNqHliQyW:KWQRnrUZJrCgahY+PY1/z
MD5: 55e43a8a489e4c9756a6375a15b2f102
M20-than1 | ZeroAccess_3a328207 | Windows | This strike sends a malware sample known as ZeroAccess. ZeroAccess is a trojan that infects Windows systems, installs a rootkit to hide its presence on the affected machine, and serves as a platform for conducting click-fraud campaigns. | 3a3282073f5d36d0e2edd18fa20bcb5d | https://blog.talosintelligence.com/2020/08/threat-roundup-0807-0814.html
SHA256: 264b224641e979ede2e2c2fdf41a29db5419184e1c589864193fbb373c1bb72b
SHA1: fc25611cb856308715e4751d33e6e55e199f9287
MD5: 3a3282073f5d36d0e2edd18fa20bcb5d
M20-u46p1 | Exorcist_0d256ab0 | Windows | This strike sends a malware sample known as Exorcist. Exorcist is a new ransomware-as-a-service that is distributed through Pastebin, embedded in a PowerShell script that loads it directly into memory. | 0d256ab0a8b8b7a3b3d4aaf566189ca6 | https://twitter.com/VK_Intel/status/1286028389518901248
SHA256: f86e27e58356c554269b93713ea53b797d92359f0abb25bf70fe2de278278f7f
SHA1: 2f0142e0f5a21822fd9e391246b6cc470f4089a1
MD5: 0d256ab0a8b8b7a3b3d4aaf566189ca6
M20-9jhi1 | Cerber_047b31ba | Windows | This strike sends a malware sample known as Cerber. Cerber is ransomware that encrypts documents, photos, databases and other important files, using the file extension ".cerber". | 047b31ba3dfe6a21c2249f646b178cc7 | https://blog.talosintelligence.com/2020/08/threat-roundup-0814-0821.html
SHA256: 03c87da71be399ace0ed9a4ebf95e2b95d32060f273fd8ea8001e25d08cd54dd
SHA1: 6266e9c5396a5e8c15b08950ecc46d29eb95c67b
MD5: 047b31ba3dfe6a21c2249f646b178cc7
M20-pkgi1 | ZeroAccess_c352fae2 | Windows | This strike sends a malware sample known as ZeroAccess. ZeroAccess is a trojan that infects Windows systems, installs a rootkit to hide its presence on the affected machine, and serves as a platform for conducting click-fraud campaigns. | c352fae2894124a4c4e7e9c5ff99f8e5 | https://blog.talosintelligence.com/2020/08/threat-roundup-0807-0814.html
SHA256: 3000d4944b8ddc0a992c63129028c40ea1639faf48abc2054e5ca11304fbf7b6
SHA1: 021339ec1dc3850503bbda1c181816d98711ca98
MD5: c352fae2894124a4c4e7e9c5ff99f8e5
M20-d0js1 | Exorcist_e763b9a8 | Windows | This strike sends a polymorphic malware sample known as Exorcist. Exorcist is a new ransomware-as-a-service that is distributed through Pastebin, embedded in a PowerShell script that loads it directly into memory. The binary has been packed using the UPX packer with the default options. | e763b9a8460c2dc9a1229d0c8bf71ab4 | https://attack.mitre.org/techniques/T1045/
SHA256: a48fec2cd9b43646537f03028cf69c809d6914cc63a36535bd80adae5bb936aa
SHA1: 7772956346d9cfbb099f07f82ac12a92cc49d36f
PARENTID: M20-vxhj1
SSDEEP: 384:SfGS/SzuVgu+vufbo8YUSCw1et0HXSZFbSSfkZw51VBahZ26UcoUzOpq6:St/3+vuDzzSCw1HXkFiQVB6oUqpp
MD5: e763b9a8460c2dc9a1229d0c8bf71ab4
M20-ppaq1 | Cerber_53d0d6a8 | Windows | This strike sends a malware sample known as Cerber. Cerber is ransomware that encrypts documents, photos, databases and other important files, using the file extension ".cerber". | 53d0d6a85e1c7722ab507955473438dd | https://blog.talosintelligence.com/2020/08/threat-roundup-0814-0821.html
SHA256: 2b2acc6a166aa30ff190af2b95ccbe0b31596f5ddf24661a062630a2eaafe516
SHA1: 2c86944641394951b8ef45046268874ba107c917
MD5: 53d0d6a85e1c7722ab507955473438dd
M20-mkl51 | Exorcist_fa4c4ac8 | Windows | This strike sends a malware sample known as Exorcist. Exorcist is a new ransomware-as-a-service that is distributed through Pastebin, embedded in a PowerShell script that loads it directly into memory. | fa4c4ac8b9c1b14951ae8add855f34e8 | https://twitter.com/VK_Intel/status/1286028389518901248
SHA256: bf6e5f9d060ebc5bb70144ca6e795bfc249c6590ab9f45e258ec9b5f3d49eeb6
SHA1: c5049dbdee3aaaf3a794edda02554789a25389bf
MD5: fa4c4ac8b9c1b14951ae8add855f34e8
M20-q6ds1 | ZeroAccess_7dbfa1f4 | Windows | This strike sends a malware sample known as ZeroAccess. ZeroAccess is a trojan that infects Windows systems, installs a rootkit to hide its presence on the affected machine, and serves as a platform for conducting click-fraud campaigns. | 7dbfa1f42d8fb465ebdf98f564196984 | https://blog.talosintelligence.com/2020/08/threat-roundup-0807-0814.html
SHA256: 1f261e7108e46792076ed1231596ad584c25f8bd72e000cda3359562f24cbcb6
SHA1: 9ade43d292ccfeea258b7caa954f511cb50177ef
MD5: 7dbfa1f42d8fb465ebdf98f564196984
M20-e87q1 | ZeroAccess_55d36baa | Windows | This strike sends a polymorphic malware sample known as ZeroAccess. ZeroAccess is a trojan that infects Windows systems, installs a rootkit to hide its presence on the affected machine, and serves as a platform for conducting click-fraud campaigns. The binary has the checksum removed in the PE file format. | 55d36baac8bea015ef59279f331b6c88 | https://arxiv.org/abs/1801.08917
SHA256: 5c7e88ff6a86bb1cf5066b24a48618e09b769c580a0d73a5fcf2388e6a6ce9a4
SHA1: 2cf7aa9f9f6c55b863f839a79306f4c65a282b2d
PARENTID: M20-slow1
SSDEEP: 3072:rEUIFarjgd+x6FNCYkvRBjtAWyUOJQydy/x0NZDTwb2R:rEU8qjc+8DCYGBjtLqHM0Ndb
MD5: 55d36baac8bea015ef59279f331b6c88
M20-d8pc1 | LATENTBOT_5eaf2d54 | Windows | This strike sends a polymorphic malware sample known as LATENTBOT. LATENTBOT is malware that may be used to harvest credentials, encrypt and ransom an infected target, or wipe the infected hard drive. It has been found in the wild since 2013. The binary has the timestamp field updated in the PE file header. | 5eaf2d547323c5bbb89290ae1cbf9ab5 | https://attack.mitre.org/techniques/T1099/
SHA256: 6fab9d6547e7947cc42bc5e3bae8a8330c1d6d2531d64dc92decd78d52a8e6c6
SHA1: 67fa5dbd25279219127a0a75e10af9152b5200ac
PARENTID: M20-bu9q1
SSDEEP: 6144:C6oO0wbHincoS1kM5sLrJwIZHjX9FbjoyS:C6oO0eHacwMSLm0z9lVS
MD5: 5eaf2d547323c5bbb89290ae1cbf9ab5
M20-71zh1 | ZeroAccess_51d0091f | Windows | This strike sends a malware sample known as ZeroAccess. ZeroAccess is a trojan that infects Windows systems, installs a rootkit to hide its presence on the affected machine, and serves as a platform for conducting click-fraud campaigns. | 51d0091fd150543df73799749056996f | https://blog.talosintelligence.com/2020/08/threat-roundup-0807-0814.html
SHA256: 039f37371da4173924ee5fdaa33dd7429cd56bdc35045c42167f7eed9efb2005
SHA1: 927cb43156cdeafa36c91a14fa41da02e1432da8
MD5: 51d0091fd150543df73799749056996f
M20-lcy71 | ZeroAccess_11451aa1 | Windows | This strike sends a malware sample known as ZeroAccess. ZeroAccess is a trojan that infects Windows systems, installs a rootkit to hide its presence on the affected machine, and serves as a platform for conducting click-fraud campaigns. | 11451aa12c105af614f8271381983400 | https://blog.talosintelligence.com/2020/08/threat-roundup-0807-0814.html
SHA256: 1d9ce6eedd04b81f61b96f3537214e290efef23a3aa2f31a55744a3feaadf4e1
SHA1: e392aff11c833b98bb69022618999c1f49fb19a6
MD5: 11451aa12c105af614f8271381983400
M20-vxhj1 | Exorcist_d4d32e75 | Windows | This strike sends a malware sample known as Exorcist. Exorcist is a new ransomware-as-a-service that is distributed through Pastebin, embedded in a PowerShell script that loads it directly into memory. | d4d32e7583b3fd8363ded73c91ed3d08 | https://twitter.com/VK_Intel/status/1286028389518901248
SHA256: 2b37a372626063afce9e08199342a41bbe4183b0d5ba7864ff61eb6e6f7c4fdf
SHA1: 4079602dce0fb495ed0ec97c5aea5988127fb50c
MD5: d4d32e7583b3fd8363ded73c91ed3d08
M20-kztm1 | ZeroAccess_e8a0eeaf | Windows | This strike sends a polymorphic malware sample known as ZeroAccess. ZeroAccess is a trojan that infects Windows systems, installs a rootkit to hide its presence on the affected machine, and serves as a platform for conducting click-fraud campaigns. The binary has the timestamp field updated in the PE file header. | e8a0eeaf2c2ef871660694530020cec6 | https://attack.mitre.org/techniques/T1099/
SHA256: 7fdf01aa47db1607ba8768155ad497ba5b395cb7692e573cabdaff57775d3e4c
SHA1: da0f71420d45f7b8cfcc518d0a5155b70dd0b10a
PARENTID: M20-slow1
SSDEEP: 3072:dEUIFarjgd+x6FNCYkvRBjtAWyUOJQydy/x0NZDTwb2R:dEU8qjc+8DCYGBjtLqHM0Ndb
MD5: e8a0eeaf2c2ef871660694530020cec6
M20-snny1 | ZeroAccess_5752712f | Windows | This strike sends a malware sample known as ZeroAccess. ZeroAccess is a trojan that infects Windows systems, installs a rootkit to hide its presence on the affected machine, and serves as a platform for conducting click-fraud campaigns. | 5752712ff20c633b34db7207cee893d2 | https://blog.talosintelligence.com/2020/08/threat-roundup-0807-0814.html
SHA256: 1cbc12777b9265341a1bcb4a4897d875577a7c3dccefda23c0b7c30d78dda71a
SHA1: ffe140cbc76c17c2276a9ecd9b15d3aed4d3f938
MD5: 5752712ff20c633b34db7207cee893d2
M20-7dxa1 | Cerber_5a381543 | Windows | This strike sends a malware sample known as Cerber. Cerber is ransomware that encrypts documents, photos, databases and other important files, using the file extension ".cerber". | 5a3815434730fab61a38265930c678f9 | https://blog.talosintelligence.com/2020/08/threat-roundup-0814-0821.html
SHA256: 5ab3a63e8d334368280d566f526718a2a10c95073059a53a9707af0bb74eeb9b
SHA1: 6c3e803fa996f51358fbe21cb52e901b76981bf8
MD5: 5a3815434730fab61a38265930c678f9
M20-kl1w1 | HawkEye_bd568bca | Windows | This strike sends a malware sample known as HawkEye. HawkEye is information-stealing malware that specifically targets usernames and passwords stored by web browsers and mail clients on an infected machine. It is commonly spread via email and can also propagate through removable media. | bd568bcacc3b34646de7676d03ff741e | https://blog.talosintelligence.com/2020/08/threat-roundup-0807-0814.html
SHA256: 705b0cc2a09c0e5c34ad6eb5940263bf281285cdd99078e8766690de3aa28f54
SHA1: 9aa3b889459f717f2cb6e81ef7151867b59630e6
MD5: bd568bcacc3b34646de7676d03ff741e
M20-wqis1 | Cerber_c48a35cf | Windows | This strike sends a malware sample known as Cerber. Cerber is ransomware that encrypts documents, photos, databases and other important files, using the file extension ".cerber". | c48a35cf1626e9cd2f2a4e5b2493790e | https://blog.talosintelligence.com/2020/08/threat-roundup-0814-0821.html
SHA256: 2eeab773c4cc1760a51cf0e0dee6e0fdb0b1e2c5ee81e14a297e379bf4f75fd4
SHA1: 6778da03fbd9e08efce7148e05e9355fd19cf992
MD5: c48a35cf1626e9cd2f2a4e5b2493790e
M20-5s9t1 | VHD_efd4a87e | Windows | This strike sends a malware sample known as VHD. VHD is believed to be a high-profile targeted ransomware owned and operated by the Lazarus Group. It encrypts all files on connected devices and deletes folders named "System Volume Information". The program also employs some interesting techniques, such as the ability to stop processes that could be locking important files, a mechanism to resume operations if the encryption process is interrupted, and copying and executing itself through WMI calls. | efd4a87e7c5dcbb64b7313a13b4b1012 | https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
SHA256: 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306
SHA1: 6a7296f56410d3ee007587020ad6864d5781b4bc
MD5: efd4a87e7c5dcbb64b7313a13b4b1012
M20-j4kf1 | LATENTBOT_2d2484d5 | Windows | This strike sends a malware sample known as LATENTBOT. LATENTBOT is malware that may be used to harvest credentials, encrypt and ransom an infected target, or wipe the infected hard drive. It has been found in the wild since 2013. | 2d2484d578bfcd983acb151c89e5a120 | https://www.fireeye.com/blog/threat-research/2015/12/latentbot_trace_me.html
SHA256: 295bc1a9feb90d0e882f6293832c37754b66a1263257ba1266a3bfc0b4bb7eee
SHA1: 4973ea0ed99aa37278a563b5be0c381601d34182
MD5: 2d2484d578bfcd983acb151c89e5a120
M20-5vbk1 | HawkEye_f5968828 | Windows | This strike sends a malware sample known as HawkEye. HawkEye is information-stealing malware that specifically targets usernames and passwords stored by web browsers and mail clients on an infected machine. It is commonly spread via email and can also propagate through removable media. | f59688280c0e7c9122ba24ae6c1274b9 | https://blog.talosintelligence.com/2020/08/threat-roundup-0807-0814.html
SHA256: 71986aa0789a34b51fc2c4c4170bcb93b0237820434f2b15a69ddbae17aeaa77
SHA1: 71d47298f1a8c055dd34d8c23dc7b802bf6f64b0
MD5: f59688280c0e7c9122ba24ae6c1274b9
M20-zr9u1 | HawkEye_ed31cc34 | Windows | This strike sends a malware sample known as HawkEye. HawkEye is information-stealing malware that specifically targets usernames and passwords stored by web browsers and mail clients on an infected machine. It is commonly spread via email and can also propagate through removable media. | ed31cc349fffdc64e35ad4b149c06d55 | https://blog.talosintelligence.com/2020/08/threat-roundup-0807-0814.html
SHA256: be9dfabe29a6c6b8cbbfbac2d813eb30ced6d53e88d861eae595dd9d5bad03a6
SHA1: 4725a37fdae0fbc499f3f0a06b283cf59607533d
MD5: ed31cc349fffdc64e35ad4b149c06d55
M20-2fvi1 | Exorcist_f188cf26 | Windows | This strike sends a malware sample known as Exorcist. Exorcist is a new ransomware-as-a-service that is distributed through Pastebin, embedded in a PowerShell script that loads it directly into memory. | f188cf267d209a0209a25bda4bb75b86 | https://twitter.com/VK_Intel/status/1286028389518901248
SHA256: 027d99aaaa6803a07d07ce0ba1fa66964388129d3b26dcf8621a3310692b0a61
SHA1: 3ef4c199d1b5187784f4d709ab8e1cc6901716e8
MD5: f188cf267d209a0209a25bda4bb75b86
M20-wl8v1 | LATENTBOT_2aaa53ce | Windows | This strike sends a polymorphic malware sample known as LATENTBOT. LATENTBOT is malware that may be used to harvest credentials, encrypt and ransom an infected target, or wipe the infected hard drive. It has been found in the wild since 2013. The binary has random strings (lorem ipsum) appended at the end of the file. | 2aaa53ce895c64e5c1e168f0b2d7ce2f | https://attack.mitre.org/techniques/T1009/
SHA256: d8fe14a2801a429b90cb9027bd8437e5802d4db8d560957aa277d1ee02608685
SHA1: 7faa14bdacf629c5959f2b1e9548150d59879d9c
PARENTID: M20-5u4k1
SSDEEP: 49152:prG2NAFop+qvBOedFLib4cz8kneCdpUz+PR:pWFodvBOaFLiEfoe9z+PR
MD5: 2aaa53ce895c64e5c1e168f0b2d7ce2f
M20-h9b31 | HawkEye_2a759d9c | Windows | This strike sends a malware sample known as HawkEye. HawkEye is information-stealing malware that specifically targets usernames and passwords stored by web browsers and mail clients on an infected machine. It is commonly spread via email and can also propagate through removable media. | 2a759d9cc498a190f3f8c71f57e65644 | https://blog.talosintelligence.com/2020/08/threat-roundup-0807-0814.html
SHA256: 136da8040b3d50523033e3054cb4e7aa63a3055e0d8b03d40d7fe376dfb9d7f2
SHA1: 9b43a30662df0c827334b949caea8c69a4990319
MD5: 2a759d9cc498a190f3f8c71f57e65644
M20-grmc1 | HawkEye_600fb168 | Windows | This strike sends a malware sample known as HawkEye. HawkEye is information-stealing malware that specifically targets usernames and passwords stored by web browsers and mail clients on an infected machine. It is commonly spread via email and can also propagate through removable media. | 600fb1681d639f913b70884da6996d5a | https://blog.talosintelligence.com/2020/08/threat-roundup-0807-0814.html
SHA256: e12d967791f4c0b92202edcb1ff79ded976b543e22df3f5dbeb8d552533474bb
SHA1: ecce15dc7ae33a40a5a2b63d93d93d3ae60266b6
MD5: 600fb1681d639f913b70884da6996d5a
M20-ek801 | ZeroAccess_1b80880f | Windows | This strike sends a polymorphic malware sample known as ZeroAccess. ZeroAccess is a trojan that infects Windows systems, installs a rootkit to hide its presence on the affected machine, and serves as a platform for conducting click-fraud campaigns. The binary has a random section name renamed according to the PE format specification. | 1b80880fd0c401f7a25e47e56105cf7b | https://arxiv.org/abs/1801.08917
SHA256: 1130073e510f520a6a94abcc967049277dfa460cddd98416cb094f98398e6d34
SHA1: e448a3ba5a277a7f4f21c3182889e1ae86028512
PARENTID: M20-vt1r1
SSDEEP: 3072:oENUaxmelEAzhZ8mwoLt/JVUP0ef3obqHHO4Zmw8yP/40tZDTwb2Im:oENUxovX8mwoLt/LUP0Id4DZ0tdb
MD5: 1b80880fd0c401f7a25e47e56105cf7b
M20-1qn21 | Cerber_d8aaf63d | Windows | This strike sends a malware sample known as Cerber. Cerber is ransomware that encrypts documents, photos, databases and other important files, using the file extension ".cerber". | d8aaf63dd0d7e7a646e8edc7fcc09f87 | https://blog.talosintelligence.com/2020/08/threat-roundup-0814-0821.html
SHA256: 40bc0cd77874e7fff3d9c3fccf64ce3676d870af88ea27caafb4b650aabe7593
SHA1: 336472b3866a582098f266bd200f43727941b899
MD5: d8aaf63dd0d7e7a646e8edc7fcc09f87
M20-slow1 | ZeroAccess_ff795bd8 | Windows | This strike sends a malware sample known as ZeroAccess. ZeroAccess is a trojan that infects Windows systems, installs a rootkit to hide its presence on the affected machine, and serves as a platform for conducting click-fraud campaigns. | ff795bd814b0102b9d01ebd74b1f2b9b | https://blog.talosintelligence.com/2020/08/threat-roundup-0807-0814.html
SHA256: 38346650fafdeb425ad7fd1bcffe6d2ecc88d55fccb8924b1d2133be11a05eab
SHA1: b160b18ef3de43fdb9ae808ada41f4a1f57becf7
MD5: ff795bd814b0102b9d01ebd74b1f2b9b
M20-aooa1 | Cerber_ebf48e14 | Windows | This strike sends a malware sample known as Cerber. Cerber is ransomware that encrypts documents, photos, databases and other important files, using the file extension ".cerber". | ebf48e14acaa333bc1049b9fd09838f0 | https://blog.talosintelligence.com/2020/08/threat-roundup-0814-0821.html
SHA256: 01a392328bde81495f6682e728034b82556d4019bcceb8e9fd7337525370ca82
SHA1: e0e1a1ecd728d74e592bead0d7a7e71161aaa15a
MD5: ebf48e14acaa333bc1049b9fd09838f0
M20-adfg1 | Exorcist_4908a364 | Windows | This strike sends a polymorphic malware sample known as Exorcist. Exorcist is a new ransomware-as-a-service that is distributed through Pastebin, embedded in a PowerShell script that loads it directly into memory. The binary has the debug flag removed in the PE file format. | 4908a364b1d9467f2c9c3fcecccba202 | https://arxiv.org/abs/1801.08917
SHA256: f1cff1473246a59b1eb1250c8028567bf298e32f776ba4f06fa5d1c5941f15fa
SHA1: d8c24281221f1003502f37f7da45e8924c530be8
PARENTID: M20-vxhj1
SSDEEP: 768:D/w63PwCrEBP+2XES4nrr+nsUeO3za+7dqqtDbruFBT8QFJFmxCTXY+PNqHliQyW:/WQRnrUZJrCgahY+PY1/z
MD5: 4908a364b1d9467f2c9c3fcecccba202
M20-sjx01 | Cerber_7c4d7506 | Windows | This strike sends a malware sample known as Cerber. Cerber is ransomware that encrypts documents, photos, databases and other important files, using the file extension ".cerber". | 7c4d7506133b8cd8d584c703ff5364d2 | https://blog.talosintelligence.com/2020/08/threat-roundup-0814-0821.html
SHA256: 68e5aaea215f94b30d9bfafc8f62cda3460e7f230edffc66d8902cbbb513b53c
SHA1: 208cad38cb7888a1cc84d3c259c426af3ea50da7
MD5: 7c4d7506133b8cd8d584c703ff5364d2

Malware Strikes July - 2020

Strike ID Malware Platform Info MD5 External References
Strike ID: M20-ysaj1
Malware: WellMess_ae7a4652
Platform: Linux
Info: This strike sends a malware sample known as WellMess. WellMess is a lightweight malware written in either Golang or .NET. It has been seen in the wild targeting organizations involved in COVID-19 research and vaccine development. It is designed to execute arbitrary shell commands and to upload and download files. These samples are implants that allow a remote operator to establish encrypted communication with C2 servers to send and retrieve malicious scripts on an infected system.
External References: https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198b
SHA256: fd3969d32398bbe3709e9da5f8326935dde664bbc36753bd41a0b111712c0950
SHA1: a57c896486564d7663a4dce6fbf723a1deb81378
MD5: ae7a46529a0f74fb83beeb1ab2c68c5c
Strike ID: M20-60oe1
Malware: TinyBanker_3b97508b
Platform: Windows
Info: This strike sends a malware sample known as TinyBanker. The malware TinyBanker, also known as Zusy or Tinba, is a trojan that uses a JavaScript-injected form to steal banking information. When executed, it injects itself into Windows processes like "explorer.exe" and "winver.exe".
External References: https://blog.talosintelligence.com/2020/07/threat-roundup-0710-0717.html
SHA256: 1be832d22e4a3c920076ff78eeb08e73d0077b04d29b29c2347c5de170b425d4
SHA1: 0be8014136efed974c83cdad29cf22d023f95538
MD5: 3b97508b20857a70120a3ae571ce8abc
Strike ID: M20-ou7j1
Malware: TinyBanker_02b612be
Platform: Windows
Info: This strike sends a malware sample known as TinyBanker. The malware TinyBanker, also known as Zusy or Tinba, is a trojan that uses a JavaScript-injected form to steal banking information. When executed, it injects itself into Windows processes like "explorer.exe" and "winver.exe".
External References: https://blog.talosintelligence.com/2020/07/threat-roundup-0710-0717.html
SHA256: 02f714d9530681ca2b5de1651c8e71a29c0bef9fc570a2d54eeb24d8ffcf02be
SHA1: ed76f0d9db122bc079de1eb49e704e0d1be77a55
MD5: 02b612be794b972b9aa5a3edf461680e
Strike ID: M20-shxr1
Malware: TinyBanker_1d646810
Platform: Windows
Info: This strike sends a polymorphic malware sample known as TinyBanker. The malware TinyBanker, also known as Zusy or Tinba, is a trojan that uses a JavaScript-injected form to steal banking information. When executed, it injects itself into Windows processes like "explorer.exe" and "winver.exe". The binary has a random section name renamed according to the PE format specification.
External References: https://arxiv.org/abs/1801.08917
SHA256: b30c8bee53959b6c17a8838676b5a55716b63acfa5b69ad5d1e3b82cb0c289dc
SHA1: bd8ad94876509125653bad3a5b513c2416c25551
PARENTID: M20-ou7j1
SSDEEP: 768:F/g94T0zUb/PnM3PC8Q8MVUgiCn4Pd3r9PLjpoNPydMUgtL:m4QUbHM3PC8Q1Hn417sNPy+L
MD5: 1d646810d3fbc4b2e3f332481f160798
Strike ID: M20-mt3r1
Malware: NetWire_01281973
Platform: Windows
Info: This strike sends a malware sample known as NetWire. NetWire is a Remote Access Trojan that lets attackers execute commands on the infected host.
External References: https://blog.talosintelligence.com/2020/07/threat-roundup-0703-0710.html
SHA256: 005d4ba8835d3554bebf46c7910bbf3b8823c08abec4270b9096dd22ecf295a4
SHA1: 575db9cf2121110f36fe934e56be71c49332426b
MD5: 012819731462ea2ad6234817a040d7af
Strike ID: M20-9qvu1
Malware: NetWire_53abe793
Platform: Windows
Info: This strike sends a polymorphic malware sample known as NetWire. NetWire is a Remote Access Trojan that lets attackers execute commands on the infected host. The binary has random strings (lorem ipsum) appended at the end of the file.
External References: https://attack.mitre.org/techniques/T1009/
SHA256: 9cae09583a2584c4e58bc67ed8f17b78f6e4b8f0470e1112ad56814fa8a2fa6d
SHA1: 9afbfc8108f3af6e7d68b0c636d2c26e878aca34
PARENTID: M20-mt3r1
SSDEEP: 1536:3UEd6yGrbtK9aao4svmGOKt7dZ+tjFKRgA+JF+:3QT8svpbqFK6AV
MD5: 53abe793f2805e7aabf5b6422a4e7ac5
Strike ID: M20-8ojj1
Malware: WastedLocker_bceb4f44
Platform: Windows
Info: This strike sends a malware sample known as WastedLocker. WastedLocker is a new targeted ransomware that was created by the organization known as Evil Corp. Recently it has been seen in the wild attacking mostly US-based Fortune 500 companies. Once a system is infected, PsExec runs the WastedLocker binary, which begins to encrypt data on the system and deletes shadow volumes. The encrypted file names include a combination of the company's name and the string "wasted". Additionally, files with the appended string "_info" contain the ransom note left behind.
External References: https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/
SHA256: 97a1e14988672f7381d54e70785994ed45c2efe3da37e07be251a627f25078a7
SHA1: b99090009cf758fa7551b197990494768cd58687
MD5: bceb4f44d73f1a784e0af50e233eb1b4
Strike ID: M20-zl9k1
Malware: WellMess_e7caca72
Platform: Windows
Info: This strike sends a polymorphic malware sample known as WellMess. WellMess is a lightweight malware written in either Golang or .NET. It has been seen in the wild targeting organizations involved in COVID-19 research and vaccine development. It is designed to execute arbitrary shell commands and to upload and download files. These samples are implants that allow a remote operator to establish encrypted communication with C2 servers to send and retrieve malicious scripts on an infected system. The binary has random contents appended in one of the existing sections in the PE file format.
External References: https://arxiv.org/abs/1801.08917
SHA256: f572ef4a9e7118f9c34196b769e6d627a106a5663199a2252439d30dd8408db4
SHA1: e32c320359b6c29bcd01333a2f3b8a80eee60776
PARENTID: M20-n8yw1
SSDEEP: 6144:4t4156qfXqT02bFXCYv123kUo4GECAOcL6xDE4U:oc6qkt5vdU6ECe4U
MD5: e7caca722341bff3e4fe32ac6609874b
Strike ID: M20-e4431
Malware: WastedLocker_d7eefcce
Platform: Windows
Info: This strike sends a malware sample known as WastedLocker. WastedLocker is a new targeted ransomware that was created by the organization known as Evil Corp. Recently it has been seen in the wild attacking mostly US-based Fortune 500 companies. Once a system is infected, PsExec runs the WastedLocker binary, which begins to encrypt data on the system and deletes shadow volumes. The encrypted file names include a combination of the company's name and the string "wasted". Additionally, files with the appended string "_info" contain the ransom note left behind.
External References: https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/
SHA256: 9056ec1ee8d1b0124110e9798700e473fb7c31bc0656d9fc83ed0ac241746064
SHA1: e13f75f25f5830008a4830a75c8ccacb22cebe7b
MD5: d7eefcce371e3deec178a2a1c12f2c22
Strike ID: M20-bvxf1
Malware: DarkComet_75a0a9c2
Platform: Windows
Info: This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system.
External References: https://blog.talosintelligence.com/2020/06/threat-roundup-0529-0605.html
SHA256: 1899e0b8e3b986a5de287ba23c6e81b287078d7d17eecf30eb10b8013633f709
SHA1: 24827e97f23017121572c363d515bf3f65bbb7ec
MD5: 75a0a9c29a1af4867e318fa63c79b056
Strike ID: M20-amc21
Malware: Emotet_86e76726
Platform: Windows
Info: This strike sends a polymorphic malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails. The binary has the checksum removed in the PE file format.
External References: https://arxiv.org/abs/1801.08917
SHA256: 337241ed419d172fd9aca0dbce8892307682de1ad2adff179d1f3b0525935e64
SHA1: 83214658e8833682921a50f3bbf594366aaecf90
PARENTID: M20-75mm1
SSDEEP: 6144:JjNX3w7TC9rybQb3AnUpBlvKLB6bVlWi+e6k46qz2g5cvAtyKZD:JRX3wK9rybO3AlLBeTWi+eO6e23AtyK
MD5: 86e76726bffb79bf1ef261c8cea56510
Strike ID: M20-cyes1
Malware: SoreFang_01d322dc
Platform: Linux
Info: This strike sends a malware sample known as SoreFang. This sample is a Trojan implant designed to exploit Sangfor SSL VPN servers. It has been seen targeting organizations involved in COVID-19 research and vaccine development. It replaces the legitimate Sangfor VPN software distributed to VPN clients. The malware gives the attacker remote control over the infected machine.
External References: https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198a
SHA256: 0c5ad1e8fe43583e279201cdb1046aea742bae59685e6da24e963a41df987494
SHA1: 8830e9d90c508adf9053e9803c64375bc9b5161a
MD5: 01d322dcac438d2bb6bce2bae8d613cb
Strike ID: M20-qcbv1
Malware: DarkComet_de957930
Platform: Windows
Info: This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system.
External References: https://blog.talosintelligence.com/2020/06/threat-roundup-0529-0605.html
SHA256: 152d31444542e5096b757127ed11c3aa8aa75869c7bed47c110251d6e4dc73de
SHA1: e4058766d3b0d672b843840cd267dfd1246c0c18
MD5: de95793098522775a222b0b874bcacc9
Strike ID: M20-3il91
Malware: NetWire_4e05cb20
Platform: Windows
Info: This strike sends a malware sample known as NetWire. NetWire is a Remote Access Trojan that lets attackers execute commands on the infected host.
External References: https://blog.talosintelligence.com/2020/07/threat-roundup-0703-0710.html
SHA256: 83ab262d766c76a413251c5b7f7598eac14e6a273580ef388be2f1856baed52c
SHA1: e36f2685995d242b593de10a7e70905c6ead90f7
MD5: 4e05cb209291091b7263c7d4f5c31103
Strike ID: M20-g2pn1
Malware: TinyBanker_038d0f48
Platform: Windows
Info: This strike sends a malware sample known as TinyBanker. The malware TinyBanker, also known as Zusy or Tinba, is a trojan that uses a JavaScript-injected form to steal banking information. When executed, it injects itself into Windows processes like "explorer.exe" and "winver.exe".
External References: https://blog.talosintelligence.com/2020/07/threat-roundup-0710-0717.html
SHA256: b853ec7bf8d69a2ea7203a8881c2671c8e2a546e7a9a299e6062275e52f10cb2
SHA1: a944cb8530194a7fe293ea6faaddf912d1d2be83
MD5: 038d0f48cf53443817f515263b5f4709
Strike ID: M20-v6ck1
Malware: TinyBanker_02ef97cd
Platform: Windows
Info: This strike sends a malware sample known as TinyBanker. The malware TinyBanker, also known as Zusy or Tinba, is a trojan that uses a JavaScript-injected form to steal banking information. When executed, it injects itself into Windows processes like "explorer.exe" and "winver.exe".
External References: https://blog.talosintelligence.com/2020/07/threat-roundup-0710-0717.html
SHA256: 7b4bc90a5a8ebd89b6dd4b804257ec8c0c3b6bc2565a6c6f1e24f77f4b33fca5
SHA1: f5b7f7401110a5304477042d816812d3c7d883ba
MD5: 02ef97cd7f61f4dec5ea52276eb7d776
Strike ID: M20-6gzv1
Malware: SoreFang_c5d5cb99
Platform: Windows
Info: This strike sends a malware sample known as SoreFang. This sample is a Trojan implant designed to exploit Sangfor SSL VPN servers. It has been seen targeting organizations involved in COVID-19 research and vaccine development. It replaces the legitimate Sangfor VPN software distributed to VPN clients. The malware gives the attacker remote control over the infected machine.
External References: https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198a
SHA256: 65495d173e305625696051944a36a031ea94bb3a4f13034d8be740982bc4ab75
SHA1: a1b5d50fe87f9c69a0e4da447f8d56155ce59e47
MD5: c5d5cb99291fa4b2a68b5ea3ff9d9f9a
Strike ID: M20-bx2o1
Malware: DarkComet_94450dbe
Platform: Windows
Info: This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system.
External References: https://blog.talosintelligence.com/2020/06/threat-roundup-0529-0605.html
SHA256: 3b765b6d85b21b8304c2287d2ede993082455f64d904529dd8eb03482b5cf3b3
SHA1: 8bf0af36f38d01b3a8f4de82c1ce7ed18b2ad5ae
MD5: 94450dbefcfdf11eb85fec5a2e9e79c4
Strike ID: M20-rt3f1
Malware: NetWire_a297dff6
Platform: Windows
Info: This strike sends a polymorphic malware sample known as NetWire. NetWire is a Remote Access Trojan that lets attackers execute commands on the infected host. The binary has random bytes appended at the end of the file.
External References: https://attack.mitre.org/techniques/T1009/
SHA256: e2bcc45e934d72f16d87d299278d1c507b0a7fe4b351df9943b8647bcb6f893d
SHA1: 2db18eaa442052a0eb0d3b2936b391a5342b60e3
PARENTID: M20-mt3r1
SSDEEP: 1536:3UEd6yGrbtK9aao4svmGOKt7dZ+tjFKRgA+JFm:3QT8svpbqFK6Al
MD5: a297dff6004ac5e1ce577f9b0474cb3b
Strike ID: M20-9klw1
Malware: Emotet_91fb4712
Platform: Windows
Info: This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails.
External References: https://blog.talosintelligence.com/2020/07/threat-roundup-0703-0710.html
SHA256: 338b14380a84844b2e8773ba6846e2a8a23fe266b5d079dc3efbb17f9473a250
SHA1: b4aab2d7bcc50737276b1e89a18e19ec356a41c7
MD5: 91fb471283081bd2960ad253d14aa2ab
Strike ID: M20-flcr1
Malware: NetWire_796cbb64
Platform: Windows
Info: This strike sends a malware sample known as NetWire. NetWire is a Remote Access Trojan that lets attackers execute commands on the infected host.
External References: https://blog.talosintelligence.com/2020/07/threat-roundup-0703-0710.html
SHA256: 11f841dcd0ffd44e32bbfaf6ee2e3e4c47efc0ae80ab95a4b4f6f0cd4f9fbb2a
SHA1: 82959fc4042c193ab5afb7c1f15e3d410147bcc3
MD5: 796cbb6400d4f1e1290374a0fcc8c4a0
Strike ID: M20-pk0z1
Malware: WastedLocker_13e623cd
Platform: Windows
Info: This strike sends a malware sample known as WastedLocker. WastedLocker is a new targeted ransomware that was created by the organization known as Evil Corp. Recently it has been seen in the wild attacking mostly US-based Fortune 500 companies. Once a system is infected, PsExec runs the WastedLocker binary, which begins to encrypt data on the system and deletes shadow volumes. The encrypted file names include a combination of the company's name and the string "wasted". Additionally, files with the appended string "_info" contain the ransom note left behind.
External References: https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/
SHA256: aa05e7a187ddec2e11fc1c9eafe61408d085b0ab6cd12caeaf531c9dca129772
SHA1: f25f0b369a355f30f5e11ac11a7f644bcfefd963
MD5: 13e623cdfb75d99ea7e04c6157ca8ae6
Strike ID: M20-ekw01
Malware: DarkComet_d96a9a72
Platform: Windows
Info: This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system.
External References: https://blog.talosintelligence.com/2020/06/threat-roundup-0529-0605.html
SHA256: 63935268c3fd6806fc5de779b5f72358721f7dd537de53f019f3baa1cbdb3451
SHA1: ae8972c472806faa87599cae7fbea22ba0cf9d59
MD5: d96a9a72a8e2b99d4d2674e849631db1
Strike ID: M20-zyb81
Malware: WastedLocker_572fea5f
Platform: Windows
Info: This strike sends a malware sample known as WastedLocker. WastedLocker is a new targeted ransomware that was created by the organization known as Evil Corp. Recently it has been seen in the wild attacking mostly US-based Fortune 500 companies. Once a system is infected, PsExec runs the WastedLocker binary, which begins to encrypt data on the system and deletes shadow volumes. The encrypted file names include a combination of the company's name and the string "wasted". Additionally, files with the appended string "_info" contain the ransom note left behind.
External References: https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/
SHA256: 5cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367
SHA1: 91b2bf44b1f9282c09f07f16631deaa3ad9d956d
MD5: 572fea5f025df78f2d316216fbeee52e
Strike ID: M20-8m231
Malware: WastedLocker_2000de39
Platform: Windows
Info: This strike sends a malware sample known as WastedLocker. WastedLocker is a new targeted ransomware that was created by the organization known as Evil Corp. Recently it has been seen in the wild attacking mostly US-based Fortune 500 companies. Once a system is infected, PsExec runs the WastedLocker binary, which begins to encrypt data on the system and deletes shadow volumes. The encrypted file names include a combination of the company's name and the string "wasted". Additionally, files with the appended string "_info" contain the ransom note left behind.
External References: https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/
SHA256: 7a45a4ae68992e5be784b4a6da7acd98dc28281fe238f22c1f7c1d85a90d144a
SHA1: 70c0d6b0a8485df01ed893a7919009f099591083
MD5: 2000de399f4c0ad50a26780700ed6cac
Strike ID: M20-i6gz1
Malware: Emotet_86ecac07
Platform: Windows
Info: This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails.
External References: https://blog.talosintelligence.com/2020/07/threat-roundup-0703-0710.html
SHA256: 1dafb532cac149ced3cb5f6bcaef801208d8de38c3f6b7a8a69ba2277d90e5fb
SHA1: 65c7fd2314fa8d8f3776f62d1e9409619340732f
MD5: 86ecac07b0e42617b45835cc31ad9af0
Strike ID: M20-l8661
Malware: WastedLocker_0ed2ca53
Platform: Windows
Info: This strike sends a malware sample known as WastedLocker. WastedLocker is a new targeted ransomware that was created by the organization known as Evil Corp. Recently it has been seen in the wild attacking mostly US-based Fortune 500 companies. Once a system is infected, PsExec runs the WastedLocker binary, which begins to encrypt data on the system and deletes shadow volumes. The encrypted file names include a combination of the company's name and the string "wasted". Additionally, files with the appended string "_info" contain the ransom note left behind.
External References: https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/
SHA256: bcdac1a2b67e2b47f8129814dca3bcf7d55404757eb09f1c3103f57da3153ec8
SHA1: 4fed7eae00bfa21938e49f33b7c6794fd7d0750c
MD5: 0ed2ca539a01cdb86c88a9a1604b2005
Strike ID: M20-h6ig1
Malware: Emotet_d89d6736
Platform: Windows
Info: This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails.
External References: https://blog.talosintelligence.com/2020/07/threat-roundup-0703-0710.html
SHA256: dd5048f55ce7d16e2cce8ba707b66ae2c8c7ae64549b98fdcdb0f3ecf2874f17
SHA1: 5a1de3a9350a210999e84c305bfa03f40a2ae6e1
MD5: d89d673631c11ce32a05b1e36bcb6735
Strike ID: M20-e6fw1
Malware: Emotet_d9b152c6
Platform: Windows
Info: This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails.
External References: https://blog.talosintelligence.com/2020/07/threat-roundup-0703-0710.html
SHA256: 1b1c8d35b6dff722f9439985f78da06098d5bad82e7d0b5d1fa41dcc6b3c432b
SHA1: 651726ab4329a51e51babd5a9021f1de823b9c74
MD5: d9b152c6297363628706d37d3b85d8ed
Strike ID: M20-bf2g1
Malware: WellMess_8f1e36bb
Platform: Windows
Info: This strike sends a polymorphic malware sample known as WellMess. WellMess is a lightweight malware written in either Golang or .NET. It has been seen in the wild targeting organizations involved in COVID-19 research and vaccine development. It is designed to execute arbitrary shell commands and to upload and download files. These samples are implants that allow a remote operator to establish encrypted communication with C2 servers to send and retrieve malicious scripts on an infected system. The binary has random strings (lorem ipsum) appended at the end of the file.
External References: https://attack.mitre.org/techniques/T1009/
SHA256: 67c72f8eaff6c96b4b70be02cf0e571321fabb8bbe50d8f15f5eca8c73895e5f
SHA1: e5f74991182ae58a09892cfe406b93da51a1944a
PARENTID: M20-n8yw1
SSDEEP: 6144:4t4156qfXqT02bFXCYv123kUo4GECAOcL6xDE4UL:oc6qkt5vdU6ECe4UL
MD5: 8f1e36bb3bc44914eb13465471400063
Strike ID: M20-dzyd1
Malware: DarkComet_a5361ce7
Platform: Windows
Info: This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system.
External References: https://blog.talosintelligence.com/2020/06/threat-roundup-0529-0605.html
SHA256: 3ee0145434048bb9dbff5a92a2083b3baae1c539a459668e34316bb75ad318de
SHA1: c1b8bf7f8ab9fa35155497b7757482883e7074aa
MD5: a5361ce78de87cfd962242da00f11662
Strike ID: M20-yewi1
Malware: TinyBanker_729a37e0
Platform: Windows
Info: This strike sends a malware sample known as TinyBanker. The malware TinyBanker, also known as Zusy or Tinba, is a trojan that uses a JavaScript-injected form to steal banking information. When executed, it injects itself into Windows processes like "explorer.exe" and "winver.exe".
External References: https://blog.talosintelligence.com/2020/07/threat-roundup-0710-0717.html
SHA256: 4015c1917edbb2e1b9db30a3c02f3ae4e8f9ba7015f3c3c0a4274c281e508f7d
SHA1: 8da80e6a453f89e0e2026660b1938aed69330c39
MD5: 729a37e05315e8179d16169168a667eb
Strike ID: M20-27lf1
Malware: TinyBanker_31dc4cc0
Platform: Windows
Info: This strike sends a malware sample known as TinyBanker. The malware TinyBanker, also known as Zusy or Tinba, is a trojan that uses a JavaScript-injected form to steal banking information. When executed, it injects itself into Windows processes like "explorer.exe" and "winver.exe".
External References: https://blog.talosintelligence.com/2020/07/threat-roundup-0710-0717.html
SHA256: 47381ffb76fa60172fe273eba6dbb66ac6ebe05c1e6b6a7af863be2b990482c0
SHA1: 84a16b9420bcf817a462700f5ef0be2f6947bbc5
MD5: 31dc4cc040d13f9b06bae2bd61426372
Strike ID: M20-po0s1
Malware: NetWire_350b809a
Platform: Windows
Info: This strike sends a malware sample known as NetWire. NetWire is a Remote Access Trojan that lets attackers execute commands on the infected host.
External References: https://blog.talosintelligence.com/2020/07/threat-roundup-0703-0710.html
SHA256: 4be38ea855bd9088282cd6afbb6b2698aa45fc1f507a609a66af4894a8a3eaf3
SHA1: 5f04765f73bdd55acf606e7acd65469449773845
MD5: 350b809a45dfe3dca55870d8f994333f
Strike ID: M20-eyn31
Malware: NetWire_1b524f5d
Platform: Windows
Info: This strike sends a malware sample known as NetWire. NetWire is a Remote Access Trojan that lets attackers execute commands on the infected host.
External References: https://blog.talosintelligence.com/2020/07/threat-roundup-0703-0710.html
SHA256: 2e86be5c9c364bd944b4823b9191f217c181bb6c980e1708800be13dac953cd5
SHA1: 1c096168f6db961ba445dd31004532a0684292eb
MD5: 1b524f5db5738143efbd54f6a5a56573
Strike ID: M20-l4nx1
Malware: Emotet_3292ce99
Platform: Windows
Info: This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails.
External References: https://blog.talosintelligence.com/2020/07/threat-roundup-0703-0710.html
SHA256: 4b953167cdee60b1fda17ce2293590c05b26db580e93ce93fb0ffee08527ac2a
SHA1: 96dc6429f3432dec156030e0234ccb776b2d93dd
MD5: 3292ce99235f89437fdf33c0227df4fa
Strike ID: M20-b9xh1
Malware: NetWire_9fd86daf
Platform: Windows
Info: This strike sends a polymorphic malware sample known as NetWire. NetWire is a Remote Access Trojan that lets attackers execute commands on the infected host. The binary has a random section name renamed according to the PE format specification.
External References: https://arxiv.org/abs/1801.08917
SHA256: 67c92144dc4444d9a3c486fd9e3d0c8df2825dd96d5a74f87461c7987bf354f1
SHA1: ffc6523cdb858118e0815e3f8846b279f32beb21
PARENTID: M20-mt3r1
SSDEEP: 1536:30Ed6yGrbtK9aao4svmGOKt7dZ+tjFKRgA+JF:3wT8svpbqFK6A
MD5: 9fd86daf25d2498d84395bfc9ad5dcac
Strike ID: M20-blce1
Malware: WastedLocker_ecb00e9a
Platform: Windows
Info: This strike sends a malware sample known as WastedLocker. WastedLocker is a new targeted ransomware that was created by the organization known as Evil Corp. Recently it has been seen in the wild attacking mostly US-based Fortune 500 companies. Once a system is infected, PsExec runs the WastedLocker binary, which begins to encrypt data on the system and deletes shadow volumes. The encrypted file names include a combination of the company's name and the string "wasted". Additionally, files with the appended string "_info" contain the ransom note left behind.
External References: https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/
SHA256: 8897db876553f942b2eb4005f8475a232bafb82a50ca7761a621842e894a3d80
SHA1: be59c867da75e2a66b8c2519e950254f817cd4ad
MD5: ecb00e9a61f99a7d4c90723294986bbc
Strike ID: M20-ddcg1
Malware: Emotet_74fb55f5
Platform: Windows
Info: This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails.
External References: https://blog.talosintelligence.com/2020/07/threat-roundup-0703-0710.html
SHA256: e66da3958ee12be370fb6e1e429611f98d575b21b5e555d9f8dee58eb2481def
SHA1: 34228506df007ad3ec1672b01ce6abf7293598b7
MD5: 74fb55f5f7bbf504228af8e136c4b8e7
Strike ID: M20-rils1
Malware: TinyBanker_42d34ef5
Platform: Windows
Info: This strike sends a malware sample known as TinyBanker. The malware TinyBanker, also known as Zusy or Tinba, is a trojan that uses a JavaScript-injected form to steal banking information. When executed, it injects itself into Windows processes like "explorer.exe" and "winver.exe".
External References: https://blog.talosintelligence.com/2020/07/threat-roundup-0710-0717.html
SHA256: 0ebaddef17527ae1f59121ac7ae05fcb2806fc36fd4ea5e3a8d63999d1ef8245
SHA1: 2ada07cade8d09a3fdf74f3764542fe052ee523a
MD5: 42d34ef5b4a2e9637fa0b7cdfdbf7d2c
Strike ID: M20-e29i1
Malware: TinyBanker_ea88c8a1
Platform: Windows
Info: This strike sends a malware sample known as TinyBanker. The malware TinyBanker, also known as Zusy or Tinba, is a trojan that uses a JavaScript-injected form to steal banking information. When executed, it injects itself into Windows processes like "explorer.exe" and "winver.exe".
External References: https://blog.talosintelligence.com/2020/07/threat-roundup-0710-0717.html
SHA256: 9d76af39b9de6fc9f58ca5d7a83798f37790d2193ff88a71cccad19092009a5c
SHA1: 2f4786eef36db3cd34a569759ded38b94144cfcd
MD5: ea88c8a14f624a0069719a609bfb93b1
Strike ID: M20-dazc1
Malware: NetWire_86b2dc6b
Platform: Windows
Info: This strike sends a malware sample known as NetWire. NetWire is a Remote Access Trojan that lets attackers execute commands on the infected host.
External References: https://blog.talosintelligence.com/2020/07/threat-roundup-0703-0710.html
SHA256: 9d163b8e00e7574fb1609b2ee8db2b07d3b6aafa233f3add788dda1baf5b3322
SHA1: 9a3e9da47404aa4817ba301976d0e5211b444ead
MD5: 86b2dc6b035832b396832ee96498b557
Strike ID: M20-0rye1
Malware: WastedLocker_edbf07ea
Platform: Windows
Info: This strike sends a malware sample known as WastedLocker. WastedLocker is a new targeted ransomware that was created by the organization known as Evil Corp. Recently it has been seen in the wild attacking mostly US-based Fortune 500 companies. Once a system is infected, PsExec runs the WastedLocker binary, which begins to encrypt data on the system and deletes shadow volumes. The encrypted file names include a combination of the company's name and the string "wasted". Additionally, files with the appended string "_info" contain the ransom note left behind.
External References: https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/
SHA256: ed0632acb266a4ec3f51dd803c8025bccd654e53c64eb613e203c590897079b3
SHA1: 9292fa66c917bfa47e8012d302a69bec48e9b98c
MD5: edbf07eaca4fff5f2d3f045567a9dc6f
Strike ID: M20-vnec1
Malware: Emotet_3c0c754a
Platform: Windows
Info: This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails.
External References: https://blog.talosintelligence.com/2020/07/threat-roundup-0703-0710.html
SHA256: 539f218904629efd90df998b1704cdfc101543b74c6d8afab2204e325d1e8bb0
SHA1: 7becb502bb543a46ef515e6037208b793a613af3
MD5: 3c0c754a38f8f750b53ebf2d81d5b897
Strike ID: M20-72n11
Malware: DarkComet_c3c2764d
Platform: Windows
Info: This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system.
External References: https://blog.talosintelligence.com/2020/06/threat-roundup-0529-0605.html
SHA256: 0f6a595d6bfd0dc514dbde0b8be7cdb2aa1dba94a103f1c79205f0bcf9856e7f
SHA1: 6e90e4c6a099f38a6810c37711cca2739cf22772
MD5: c3c2764dbe9ec6f4d9207c84ca5b8201
Strike ID: M20-jxz11
Malware: TinyBanker_4be2f390
Platform: Windows
Info: This strike sends a malware sample known as TinyBanker. The malware TinyBanker, also known as Zusy or Tinba, is a trojan that uses a JavaScript-injected form to steal banking information. When executed, it injects itself into Windows processes like "explorer.exe" and "winver.exe".
External References: https://blog.talosintelligence.com/2020/07/threat-roundup-0710-0717.html
SHA256: 36d265d452dd91cfc0640b59f3184112c0e3e20f1c5f1e6409452881458083b5
SHA1: b08f3a3326bb484322a6fbba16dd28db4c7bf7d7
MD5: 4be2f39094acef6d9791f7604219d4f4
Strike ID: M20-8eet1
Malware: TinyBanker_19edfc7f
Platform: Windows
Info: This strike sends a malware sample known as TinyBanker. The malware TinyBanker, also known as Zusy or Tinba, is a trojan that uses a JavaScript-injected form to steal banking information. When executed, it injects itself into Windows processes like "explorer.exe" and "winver.exe".
External References: https://blog.talosintelligence.com/2020/07/threat-roundup-0710-0717.html
SHA256: 9a21d7ef4b6f50a4e4ce47791bf2231a523884cf58e4d94e2089464967fd6e25
SHA1: 4b48bb99acd79c445f55b4d3eedccdb7cb2bc49a
MD5: 19edfc7f229677c5cd9fd8327a197745
Strike ID: M20-p4zi1
Malware: DarkComet_bd4b11b9
Platform: Windows
Info: This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system.
External References: https://blog.talosintelligence.com/2020/06/threat-roundup-0529-0605.html
SHA256: 8167bea409789e03d3483aa7497762f2c3f33ed25122fcd8b7e7b45cb9b3e919
SHA1: f21c9217461452eab05e990e8b2ff20fde524c4a
MD5: bd4b11b929ec3f25c1caf63bc889d5fc
Strike ID: M20-z9p41
Malware: NetWire_83f66181
Platform: Windows
Info: This strike sends a malware sample known as NetWire. NetWire is a Remote Access Trojan that lets attackers execute commands on the infected host.
External References: https://blog.talosintelligence.com/2020/07/threat-roundup-0703-0710.html
SHA256: 79dbd028f2768d0874fce30c00b227e6af46080727503918bc09ef965949edc4
SHA1: 5af13ebbc629d1dc062933a75577272c5016b1f3
MD5: 83f66181010a41f2a47d4c7bd7d6296b
Strike ID: M20-1dr31
Malware: NetWire_f74d7e56
Platform: Windows
Info: This strike sends a malware sample known as NetWire. NetWire is a Remote Access Trojan that lets attackers execute commands on the infected host.
External References: https://blog.talosintelligence.com/2020/07/threat-roundup-0703-0710.html
SHA256: 9648d53a1276cdd0d3d170ba0c13a9c140b13c4ef3d3d4790164ca98f8f71a5d
SHA1: 1fdaba3131e83a0e5b22d0a312dbb8f0c0d35bb2
MD5: f74d7e560926fdb7802e4b13d0c10e7a
Strike ID: M20-x2o41
Malware: TinyBanker_2752e633
Platform: Windows
Info: This strike sends a malware sample known as TinyBanker. The malware TinyBanker, also known as Zusy or Tinba, is a trojan that uses a JavaScript-injected form to steal banking information. When executed, it injects itself into Windows processes like "explorer.exe" and "winver.exe".
External References: https://blog.talosintelligence.com/2020/07/threat-roundup-0710-0717.html
SHA256: 14398c45f2dc4d5c6d4c16ba9f276888eee4eb396863a355d059b55795d606e3
SHA1: 597850e0f0162bcbd571ab892fc3652d87c1de5c
MD5: 2752e6339bbbbbc032826808cedc5d32
Strike ID: M20-gan91
Malware: Emotet_cfa658c9
Platform: Windows
Info: This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails.
External References: https://blog.talosintelligence.com/2020/07/threat-roundup-0703-0710.html
SHA256: cb8a434442b33d664405f2191c9f57d7e04f97bb3a98116000d82a5967bd2868
SHA1: 897e9c21c02952020f9f3ef56f3154ab4b1afe38
MD5: cfa658c993fd56dd81a370e286163770
Strike ID: M20-980h1
Malware: DarkComet_03183a1a
Platform: Windows
Info: This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system.
External References: https://blog.talosintelligence.com/2020/06/threat-roundup-0529-0605.html
SHA256: 08039ef764c01600b0b21b33fb9c45031fecacfbc62ac1400a2604783c513e4d
SHA1: 03787807f2e0b449abd3ebaf2d9945d738f2f130
MD5: 03183a1a2b8381ecfdb47ba4cc824191
Strike ID: M20-l83m1
Malware: DarkComet_12976937
Platform: Windows
Info: This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system.
External References: https://blog.talosintelligence.com/2020/06/threat-roundup-0529-0605.html
SHA256: 6557faee4a706e851f0aa28785e38dc56bfd422c4d8864c754c884163ab8ab3d
SHA1: 29d586610d388065debc1f88cd19a8bc393431f4
MD5: 12976937fbeef378e9b64d237991c45a
Strike ID: M20-ands1
Malware: NetWire_edc2afa3
Platform: Windows
Info: This strike sends a malware sample known as NetWire. NetWire is a Remote Access Trojan that lets attackers execute commands on the infected host.
External References: https://blog.talosintelligence.com/2020/07/threat-roundup-0703-0710.html
SHA256: 51164673a792e1f214b69b1f21bf714ce289ddf8d898f7499f07aafb7a692e9a
SHA1: c362a783af0b84241c16ef22eebf2811f8a57c1a
MD5: edc2afa36a416f93aa4e763e8660f933
Strike ID: M20-tlrb1
Malware: SoreFang_861879f4
Platform: Linux
Info: This strike sends a malware sample known as SoreFang. This sample is a Trojan implant designed to exploit Sangfor SSL VPN servers. It has been seen targeting organizations involved in COVID-19 research and vaccine development. It replaces the legitimate Sangfor VPN software distributed to VPN clients. The malware gives the attacker remote control over the infected machine.
External References: https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198a
SHA256: 14e9b5e214572cb13ff87727d680633f5ee238259043357c94302654c546cad2
SHA1: db4f07ecefd1e290d727379ded4f15a0d4a59f88
MD5: 861879f402fe3080ab058c0c88536be4
Strike ID: M20-tk1k1
Malware: Emotet_6aa9aaed
Platform: Windows
Info: This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails.
External References: https://blog.talosintelligence.com/2020/07/threat-roundup-0703-0710.html
SHA256: ab87b202217c59a3d0346f4bdaa549813191ff25df57ad8a616b40647cb4c028
SHA1: 273a09c6320a70961371fba4cce6bf98f72c6ae6
MD5: 6aa9aaed9e0281f98c4d178d9388b9af
Strike ID: M20-ykkn1
Malware: TinyBanker_494744ed
Platform: Windows
Info: This strike sends a malware sample known as TinyBanker. The malware TinyBanker, also known as Zusy or Tinba, is a trojan that uses a JavaScript-injected form to steal banking information. When executed, it injects itself into Windows processes like "explorer.exe" and "winver.exe".
External References: https://blog.talosintelligence.com/2020/07/threat-roundup-0710-0717.html
SHA256: 40c0d24f854db3548f0d9ef8fef3cfc7463fae25e690f426e044042e35f46a48
SHA1: 46fc9fdd01ce7b0cc2a9a7d3fa4f73d9a2c2faad
MD5: 494744ed921005e57d1495d1b3f23260
Strike ID: M20-z1so1
Malware: NetWire_c5c68c05
Platform: Windows
Info: This strike sends a malware sample known as NetWire. NetWire is a Remote Access Trojan that lets attackers execute commands on the infected host.
External References: https://blog.talosintelligence.com/2020/07/threat-roundup-0703-0710.html
SHA256: 1e7b37a04208f94239a05244352ae5bf45793f83bdcb4aaadbfa7ef4c48d805d
SHA1: 4c7b85c0dfc53e3cc9cb79add07b4bf95c40fcda
MD5: c5c68c052096dd76f2dd85c322d950f1
Strike ID: M20-jy701
Malware: NetWire_1d030db3
Platform: Windows
Info: This strike sends a malware sample known as NetWire. NetWire is a Remote Access Trojan that lets attackers execute commands on the infected host.
External References: https://blog.talosintelligence.com/2020/07/threat-roundup-0703-0710.html
SHA256: 255c6efe9551fd5b6381adb440b94af65aee2286465c76c8fdb596c6e7a90b1a
SHA1: 321487b8c7827cc87d3a8bfacb912e0fb519d3a1
MD5: 1d030db358ba16c4ea8ba4a928eb583b
Strike ID: M20-ajbu1
Malware: DarkComet_d65fc205
Platform: Windows
Info: This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system.
External References: https://blog.talosintelligence.com/2020/06/threat-roundup-0529-0605.html
SHA256: 57f94f852f1a625bebfe96a57be5c6cbcb17016f786ebe1991265c442dc42103
SHA1: 5de1d9dc4cd3fb5b3370cd8303a16838c0a97c39
MD5: d65fc2053dd33571ebb55a1b49bb03bd
Strike ID: M20-8r8e1
Malware: NetWire_9b7a4904
Platform: Windows
Info: This strike sends a malware sample known as NetWire. NetWire is a Remote Access Trojan that lets attackers execute commands on the infected host.
External References: https://blog.talosintelligence.com/2020/07/threat-roundup-0703-0710.html
SHA256: 7e6898b47574bbdb8b7c27bc392eab836bcd810e048fdc6b880537e3c7fb701d
SHA1: 864a414d4d11cb57994e9efefbf494ef0b072a1e
MD5: 9b7a4904810d28f35158bb99cbd5df6b
Strike ID: M20-uod41
Malware: NetWire_1a085a8f
Platform: Windows
Info: This strike sends a malware sample known as NetWire. NetWire is a Remote Access Trojan that lets attackers execute commands on the infected host.
External References: https://blog.talosintelligence.com/2020/07/threat-roundup-0703-0710.html
SHA256: 62b6d90b250056d556971b7066e827eb03bbe2cb0b70848a98cb21fadc27d500
SHA1: fd065edaaec8a6d57cc225674249e03d6f65f5c5
MD5: 1a085a8f86d2a2ed0e9f81c67f696d2e
Strike ID: M20-h5qb1
Malware: Emotet_62f09a7e
Platform: Windows
Info: This strike sends a polymorphic malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails. The binary has been packed using the UPX packer with its default options.
External References: https://attack.mitre.org/techniques/T1045/
SHA256: cf2d015be5779753daceaab47e8745bb9deef81b646aa59313a365bf383ec6cf
SHA1: dc28fb3e20309a27641d88acf8e9b0c459f9e363
PARENTID: M20-8ev91
SSDEEP: 3072:J61oDDSj+vIq7SELcPrra8pB87lTAEYE1u3MJSAt1TKjUMK6x08Uj:JZGj+vIq7SEIPfws79AtyKZD
MD5: 62f09a7e9cbfeae4335ebeaa40b1358a
Strike ID: M20-jvax1
Malware: WellMess_967fcf18
Platform: Windows
Info: This strike sends a malware sample known as WellMess. WellMess is a lightweight malware written in either Golang or .NET. It has been seen in the wild targeting organizations involved in COVID-19 research and vaccine development. It is designed to execute arbitrary shell commands and to upload and download files. These samples are implants that allow a remote operator to establish encrypted communication with C2 servers to send and retrieve malicious scripts on an infected system.
External References: https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198b
SHA256: 58d8e65976b53b77645c248bfa18c3b87a6ecfb02f306fe6ba4944db96a5ede2
SHA1: 152189b62c546d6297a7083778fba62dcec576be
MD5: 967fcf185634def5177f74b0f703bdc0
Strike ID: M20-4c7z2
Malware: NetWire_234465ef
Platform: Windows
Info: This strike sends a malware sample known as NetWire. NetWire is a Remote Access Trojan that lets attackers execute commands on the infected host.
External References: https://blog.talosintelligence.com/2020/07/threat-roundup-0703-0710.html
SHA256: 28181484a3ef4f4f3ab8fc07388aa109b49f2e02bcfe65b819a4341369e5b4fc
SHA1: 59bfeacd950b124ee4e30a6d2e5f41351b00f6b0
MD5: 234465efb8b8e3341f6d5736cb81cde2
Strike ID: M20-0nw31
Malware: DarkComet_aabfef70
Platform: Windows
Info: This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system.
External References: https://blog.talosintelligence.com/2020/06/threat-roundup-0529-0605.html
SHA256: 73e47ae090f62b5723ccc7a1b452e8c8b305f22734f7efac6402c9edbd49bc5c
SHA1: 0afdc73e16c8f8c3a84af9edc0cb710afc7929f6
MD5: aabfef7012a8afef5a38e48a2ecc3e66
Strike ID: M20-y1mn1
Malware: DarkComet_fd6af5f9
Platform: Windows
Info: This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system.
External References: https://blog.talosintelligence.com/2020/06/threat-roundup-0529-0605.html
SHA256: 50e76d4936b183bf0c03761a38bf0d74e037ce72b59df8a28764b7f446675f51
SHA1: 68a6a226909396bb31d2b88fdc0c1513514b1a2a
MD5: fd6af5f98b2b68add91fd43c0e9e2aae
Strike ID: M20-wl4k1
Malware: WellMess_f18ced87
Platform: Windows
Info: This strike sends a malware sample known as WellMess. WellMess is a lightweight malware written in either Golang or .NET. It has been seen in the wild targeting organizations involved in COVID-19 research and vaccine development. It is designed to execute arbitrary shell commands and to upload and download files. These samples are implants that allow a remote operator to establish encrypted communication with C2 servers to send and retrieve malicious scripts on an infected system.
External References: https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198b
SHA256: 953b5fc9977e2d50f3f72c6ce85e89428937117830c0ed67d468e2d93aa7ec9a
SHA1: 92f7b470c5a2c95a4df04c2c5cd50780f6dbdda1
MD5: f18ced8772e9d1a640b8b4a731dfb6e0
Strike ID: M20-k1gk1
Malware: Emotet_15cbe4fd
Platform: Windows
Info: This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails.
External References: https://blog.talosintelligence.com/2020/07/threat-roundup-0703-0710.html
SHA256: 019cb08d08f8512b3a6af74bf8f1f4c99c8a9691af2775183c95e67c10388e74
SHA1: 1e7967ff30f173c2f990a1d3052a8acfc42f9733
MD5: 15cbe4fdac2c40d14c0e5cc325a46c26
Strike ID: M20-8ue71
Malware: NetWire_06008156
Platform: Windows
Info: This strike sends a malware sample known as NetWire. NetWire is a Remote Access Trojan that lets attackers execute commands on the infected host.
External References: https://blog.talosintelligence.com/2020/07/threat-roundup-0703-0710.html
SHA256: 22c07b60b192d882381a9e4e5c1cefff80c7bdcf12efa66d19765625b9ea7d00
SHA1: cfa7fca227843cff5c7d5c12e591cb8669da452d
MD5: 06008156d85ad3dfeea6abdb65eea5c3
Strike ID: M20-obtk1
Malware: NetWire_ad08c13a
Platform: Windows
Info: This strike sends a malware sample known as NetWire. NetWire is a Remote Access Trojan that lets attackers execute commands on the infected host.
External References: https://blog.talosintelligence.com/2020/07/threat-roundup-0703-0710.html
SHA256: 483b6c1fc090a248beb40574446a998c3af6a8f3c42df5f0e95a162fd4b9b534
SHA1: 4d0e8803552159d436ed5d4264aa58644a4542f7
MD5: ad08c13afea59519ec36163c9942c44d
Strike ID: M20-4n931
Malware: TinyBanker_0f1da9b6
Platform: Windows
Info: This strike sends a malware sample known as TinyBanker. The malware TinyBanker, also known as Zusy or Tinba, is a trojan that uses a JavaScript-injected form to steal banking information. When executed, it injects itself into Windows processes like "explorer.exe" and "winver.exe".
External References: https://blog.talosintelligence.com/2020/07/threat-roundup-0710-0717.html
SHA256: b47214f748eef3fdd27388c1d59b4a308910d442f78cead2dee6895169ae9e76
SHA1: 8f67bb887c3e84f063dcd402614495198f9e538f
MD5: 0f1da9b6fffc07884725e9eec9dbe85c
Strike ID: M20-7osy1
Malware: DarkComet_9faa5a31
Platform: Windows
Info: This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system.
External References: https://blog.talosintelligence.com/2020/06/threat-roundup-0529-0605.html
SHA256: 5d0671d8aa8a4c3eaeca7d73c197f20fa5e3698f97d9f99abf50b4e43ab1d113
SHA1: 9d424326bd59695cd59295f06a861a01fc5e4839
MD5: 9faa5a3166dc6fbc745d085d154ddd93
Strike ID: M20-9xaa1
Malware: TinyBanker_13d1b1f5
Platform: Windows
Info: This strike sends a malware sample known as TinyBanker. The malware TinyBanker, also known as Zusy or Tinba, is a trojan that uses a JavaScript-injected form to steal banking information. When executed, it injects itself into Windows processes like "explorer.exe" and "winver.exe".
External References: https://blog.talosintelligence.com/2020/07/threat-roundup-0710-0717.html
SHA256: 3c21cb07d0391719918fa40c59ac02b1d0444813bff01aa57ed0173ea17907fe
SHA1: fc4680ad54ce3dbb7e382467f3795c97da4470de
MD5: 13d1b1f5afe9d95a5d3a67243b15bbf6
Strike ID: M20-5ge01
Malware: DarkComet_0d3a2129
Platform: Windows
Info: This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system.
External References: https://blog.talosintelligence.com/2020/06/threat-roundup-0529-0605.html
SHA256: 31535bfd8856f9497076a79fc6bac118901275a4928e9c31bfd42641aa624a98
SHA1: eb72bc690b2be5033faca68820ecc0388c89df26
MD5: 0d3a2129a486493974d845cbb5ff41e4
Strike ID: M20-n44n1
Malware: TinyBanker_e20a97a6
Platform: Windows
Info: This strike sends a malware sample known as TinyBanker. The malware TinyBanker, also known as Zusy or Tinba, is a trojan that uses a JavaScript-injected form to steal banking information. When executed, it injects itself into Windows processes like "explorer.exe" and "winver.exe".
External References: https://blog.talosintelligence.com/2020/07/threat-roundup-0710-0717.html
SHA256: 43b909534495841ca1ca6d5a16b4a8ced3c611ae84114d150731c9606cb1b574
SHA1: f86353352ebd92bb10bfab1fd694e8966502261f
MD5: e20a97a65ec439978dba244cb67a9a48
Strike ID: M20-9oew1
Malware: NetWire_f17dc7f4
Platform: Windows
Info: This strike sends a malware sample known as NetWire. NetWire is a Remote Access Trojan that lets attackers execute commands on the infected host.
External References: https://blog.talosintelligence.com/2020/07/threat-roundup-0703-0710.html
SHA256: 400dc0e03ffdbe53b008300711d2490e94f7b9eab93ac16ae49b39abd28a48ac
SHA1: 574a1e1c54a143915983aa45e525ebad612bbca2
MD5: f17dc7f4fe64200ef073b064ee74a4eb
Strike ID: M20-2i2a1
Malware: TinyBanker_290ba91b
Platform: Windows
Info: This strike sends a malware sample known as TinyBanker. The malware TinyBanker, also known as Zusy or Tinba, is a trojan that uses a JavaScript-injected form to steal banking information. When executed, it injects itself into Windows processes like "explorer.exe" and "winver.exe".
External References: https://blog.talosintelligence.com/2020/07/threat-roundup-0710-0717.html
SHA256: 4d060e479439e757e3472f81a15da6ae38c7cbf9155c7de9817bf30552088b22
SHA1: fa84aa97a4e15d4ad4435ade518538942c227a6d
MD5: 290ba91b81e92f59bb9174cce41d97d3
Strike ID: M20-ndtq1
Malware: Emotet_07d8ff0a
Platform: Windows
Info: This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails.
External References: https://blog.talosintelligence.com/2020/07/threat-roundup-0703-0710.html
SHA256: bdb054e3f565c5bf244417609322ccebcab26fdbc74c31516ce66ffd2aed2268
SHA1: beed57f3be93af3b49a3c905299e856e788e4622
MD5: 07d8ff0ad28c47ecce6cd3a7b1f86bbd
Strike ID: M20-i5ni1
Malware: DarkComet_2b04df87
Platform: Windows
Info: This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system.
External References: https://blog.talosintelligence.com/2020/06/threat-roundup-0529-0605.html
SHA256: 1be1d57117ab25b16d4d17176062dc0cb469e25dcf2ec8c751c2104365697ae6
SHA1: bd7199a08b3aebe0a080965a517fb6599ff500d2
MD5: 2b04df87d237933c7e71774904fc6e0c
Strike ID: M20-vy0h1
Malware: TinyBanker_3bb35a94
Platform: Windows
Info: This strike sends a malware sample known as TinyBanker. The malware TinyBanker, also known as Zusy or Tinba, is a trojan that uses a JavaScript-injected form to steal banking information. When executed, it injects itself into Windows processes like "explorer.exe" and "winver.exe".
External References: https://blog.talosintelligence.com/2020/07/threat-roundup-0710-0717.html
SHA256: 200a2c5eaa6ce90cc3f825ec4f4f3d8de444282dbd558a9dd0698a9520db2a58
SHA1: 65abe6f5a75658e03e43529c65092e8da386d813
MD5: 3bb35a94356e2fc3083256ad8ef0ff0f
Strike ID: M20-kz851
Malware: WastedLocker_2cc4534b
Platform: Windows
Info: This strike sends a malware sample known as WastedLocker. WastedLocker is a new targeted ransomware created by the organization known as Evil Corp. Recently it has been seen in the wild attacking mostly US-based Fortune 500 companies. Once a system is infected, PsExec runs the WastedLocker binary, which begins to encrypt data on the system and delete shadow volumes. The encrypted files are named with a combination of the company's name and the string "wasted". Additionally, files with the appended string "_info" contain the ransom note left behind.
External References: https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/
SHA256: 905ea119ad8d3e54cd228c458a1b5681abc1f35df782977a23812ec4efa0288a
SHA1: 735ee2c15c0b7172f65d39f0fd33b9186ee69653
MD5: 2cc4534b0dd0e1c8d5b89644274a10c1
Strike ID: M20-tiib1
Malware: TinyBanker_28f303b6
Platform: Windows
Info: This strike sends a malware sample known as TinyBanker. The malware TinyBanker, also known as Zusy or Tinba, is a trojan that uses a JavaScript-injected form to steal banking information. When executed, it injects itself into Windows processes like "explorer.exe" and "winver.exe".
External References: https://blog.talosintelligence.com/2020/07/threat-roundup-0710-0717.html
SHA256: 40789d2be55ca929fe9e9ebdf084b84a42ec88d166744d06bbda41e24bb98e39
SHA1: 90ef73f984ae4cf09e19f0a69138d75544e5d9fe
MD5: 28f303b61050866816ddde0597134e83
Strike ID: M20-i6tl1
Malware: Emotet_daca8565
Platform: Windows
Info: This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails.
External References: https://blog.talosintelligence.com/2020/07/threat-roundup-0703-0710.html
SHA256: 887226f61b841051a606edd1ced5ad1c1919e71fae4583afea1d995fd027ad08
SHA1: d1fdd23ec6d48d9718c23104c02725dc45473193
MD5: daca8565d4e8c131ad95e2ed744f7e46
Strike ID: M20-0yd11
Malware: TinyBanker_958dd51e
Platform: Windows
Info: This strike sends a malware sample known as TinyBanker. The malware TinyBanker, also known as Zusy or Tinba, is a trojan that uses a JavaScript-injected form to steal banking information. When executed, it injects itself into Windows processes like "explorer.exe" and "winver.exe".
External References: https://blog.talosintelligence.com/2020/07/threat-roundup-0710-0717.html
SHA256: 645dafa65eec41b157e7dd205b07df97148105950dea2d0722f02f53f449e2a0
SHA1: c4e3d6b2ee15d4cbffc5c8266df9304ad1dc4a8d
MD5: 958dd51e24b8d9f1df8470f971ef5726
Strike ID: M20-k6al1
Malware: NetWire_bbb734f7
Platform: Windows
Info: This strike sends a malware sample known as NetWire. NetWire is a Remote Access Trojan that lets attackers execute commands on the infected host.
External References: https://blog.talosintelligence.com/2020/07/threat-roundup-0703-0710.html
SHA256: 045ed6c11f72b1a11803a205abcd7ea82b2ad478a8a795984c322f540d159a79
SHA1: 2490ce8e8266b559e3b0b0c54dd35f3b33e8ae2b
MD5: bbb734f7ac43646319d4148e58a2dcf4
Strike ID: M20-ww611
Malware: NetWire_5479b76d
Platform: Windows
Info: This strike sends a malware sample known as NetWire. NetWire is a Remote Access Trojan that lets attackers execute commands on the infected host.
External References: https://blog.talosintelligence.com/2020/07/threat-roundup-0703-0710.html
SHA256: 492c1e4ae807107b8792e9e4a0c619f92dbb9f0a1fd457ac79fa0e07292354b0
SHA1: ce4fe8c69974ac451aa03cb2e3d95a8530334258
MD5: 5479b76dc7294f003d4e793c80f22311
Strike ID: M20-kvrs1
Malware: NetWire_c92888b3
Platform: Windows
Info: This strike sends a malware sample known as NetWire. NetWire is a Remote Access Trojan that lets attackers execute commands on the infected host.
External References: https://blog.talosintelligence.com/2020/07/threat-roundup-0703-0710.html
SHA256: 387109054b3a59071d6ca8af6656eaa223fa4d1825efbcc4213bd192c5d6e29e
SHA1: 62961686c78694a227c04b867dd343fe5bea25ca
MD5: c92888b389f779e39804aef0244ff8e4
Strike ID: M20-ifta1
Malware: DarkComet_07b77b6d
Platform: Windows
Info: This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system.
External References: https://blog.talosintelligence.com/2020/06/threat-roundup-0529-0605.html
SHA256: 70ba4783c12ca57a129c5f3ab9d85ee34f5dc753952d15b49f5c54c6f067909e
SHA1: 319d8c6e96c8df82943367186359bbdd364cf2ee
MD5: 07b77b6d48e99b5c94040411f2f42d06
Strike ID: M20-ksew1
Malware: NetWire_68cd8d68
Platform: Windows
Info: This strike sends a malware sample known as NetWire. NetWire is a Remote Access Trojan that lets attackers execute commands on the infected host.
External References: https://blog.talosintelligence.com/2020/07/threat-roundup-0703-0710.html
SHA256: 229d7221c71a16c1b2d8bd1f74dded37d27dec2dcc713150d7657837c6c67be0
SHA1: ddfead21af149214c0eaa128e56b0bf7aae279b7
MD5: 68cd8d68115f9d46805a4aaccee773fd
Strike ID: M20-n8yw1
Malware: WellMess_a32e1202
Platform: Windows
Info: This strike sends a malware sample known as WellMess. WellMess is a lightweight malware written in either Golang or .NET. It has been seen in the wild targeting organizations involved in COVID-19 research and vaccine development. It is designed to execute arbitrary shell commands and to upload and download files. These samples are implants that allow a remote operator to establish encrypted communication with C2 servers to send and retrieve malicious scripts on an infected system.
External References: https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198b
SHA256: a4b790ddffb3d2e6691dcacae08fb0bfa1ae56b6c73d70688b097ffa831af064
SHA1: 416df2d22338f412571cdaedb40ab33eb38977af
MD5: a32e1202257a2945bf0f878c58490af8
Strike ID: M20-lmfw1
Malware: NetWire_41f2edd9
Platform: Windows
Info: This strike sends a malware sample known as NetWire. NetWire is a Remote Access Trojan that lets attackers execute commands on the infected host.
External References: https://blog.talosintelligence.com/2020/07/threat-roundup-0703-0710.html
SHA256: 523e3d1fda9eb37098ae774b20f87e5552c5f38228dcf311298caf4bc5c2d086
SHA1: 70925ffb54be19c5e82d4abceba592f5a3f91be6
MD5: 41f2edd93e423aa2c29c97de03e63fed
Strike ID: M20-96d71
Malware: DarkComet_e0034c04
Platform: Windows
Info: This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system.
External References: https://blog.talosintelligence.com/2020/06/threat-roundup-0529-0605.html
SHA256: 5e59a550cc3f18a66b663286b2ad08a5612fdd34e8e1667f5229c05e3053d48d
SHA1: 64058e220af6fb681b9a47519de2cf3b7ef5fd68
MD5: e0034c046f1581fb729c4ddd2a91cd5e
Strike ID: M20-6u8y1
Malware: DarkComet_a98f3960
Platform: Windows
Info: This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system.
External References: https://blog.talosintelligence.com/2020/06/threat-roundup-0529-0605.html
SHA256: 833d572bc5d010513b2db0ddf8585146717626ca0b1ed31afcf2c060a85532fc
SHA1: bbace94ff7787114a74cd015637dd75fa4960e1d
MD5: a98f3960268e9543cc989dade3f4242b
Strike ID: M20-thb61
Malware: WellMail_8777a979
Platform: Linux
Info: This strike sends a malware sample known as WellMail. This sample of malware has been seen in the wild targeting organizations involved in COVID-19 research and vaccine development. It provides encrypted channels for the attacker to communicate with C2 servers, and the ability to dynamically run scripts on the infected machines.
External References: https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198c
SHA256: 83014ab5b3f63b0253cdab6d715f5988ac9014570fa4ab2b267c7cf9ba237d18
SHA1: 53098b025a3f469ebc3e522f7b0999011cafb943
MD5: 8777a9796565effa01b03cf1cea9d24d
Strike ID: M20-8ev91
Malware: Emotet_12a8067a
Platform: Windows
Info: This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails.
External References: https://blog.talosintelligence.com/2020/07/threat-roundup-0703-0710.html
SHA256: 1d225e3a3c3f52cadbf07a4ed069b4467c4618310d2f41678584f3704f95d19c
SHA1: f442314dc8a12391233a24a6625cff6f046b9ef5
MD5: 12a8067a952be3e9264d69b401b3628e
Strike ID: M20-fo301
Malware: TinyBanker_38edfc34
Platform: Windows
Info: This strike sends a malware sample known as TinyBanker. The malware TinyBanker, also known as Zusy or Tinba, is a trojan that uses a JavaScript-injected form to steal banking information. When executed, it injects itself into Windows processes like "explorer.exe" and "winver.exe".
External References: https://blog.talosintelligence.com/2020/07/threat-roundup-0710-0717.html
SHA256: 292daa2b85d6423471ab688bf3dcaa91661f9e930ecdf88d9ae8cefdfe8e76fb
SHA1: 37e26707457e8d82fd385c9a5a0348fbd2bd7721
MD5: 38edfc343314d3f858e2e02cd2144461
Strike ID: M20-tkow1
Malware: Emotet_ae09fcee
Platform: Windows
Info: This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails.
External References: https://blog.talosintelligence.com/2020/07/threat-roundup-0703-0710.html
SHA256: d8e201ed2ca53622f1ca4cd4b794879ab2b6dc6d52e5e4e12540da1c3d588e0c
SHA1: 9a73530f8671914be4b317080e0b7b559ac267e8
MD5: ae09fceed70fd9b510641b63be5a6502
Strike ID: M20-xhwd1
Malware: NetWire_c3925b82
Platform: Windows
Info: This strike sends a malware sample known as NetWire. NetWire is a Remote Access Trojan that lets attackers execute commands on the infected host.
External References: https://blog.talosintelligence.com/2020/07/threat-roundup-0703-0710.html
SHA256: 542d5b4e9100882a16a6ce60c6ff8532b1f0a22a7bdcda84c35cd7a1b49df664
SHA1: 6b89b78ce1d4b4dfb49386425ba2dc9ccb9e5211
MD5: c3925b82df0463c9329a0557f457540d
Strike ID: M20-qqc01
Malware: WellMess_7b9a439c
Platform: Windows
Info: This strike sends a polymorphic malware sample known as WellMess. WellMess is a lightweight malware written in either Golang or .NET. It has been seen in the wild targeting organizations involved in COVID-19 research and vaccine development. It is designed to execute arbitrary shell commands and to upload and download files. These samples are implants that allow a remote operator to establish encrypted communication with C2 servers to send and retrieve malicious scripts on an infected system. The binary has a random section name renamed according to the PE format specification.
External References: https://arxiv.org/abs/1801.08917
SHA256: 8ec45abe4179a22a739bcd48325ac1dd148c2d8c8a501c73dc8b7d2c28cb1b77
SHA1: ab974869f02a8f3e400e24955c7375bcf154a7b2
PARENTID: M20-n8yw1
SSDEEP: 6144:Yt4156qfXqT02bFXCYv123kUo4GECAOcL6xDE4U:Ic6qkt5vdU6ECe4U
MD5: 7b9a439ca58e3f76cbd60dcc60f77446
Strike ID: M20-efew1
Malware: TinyBanker_f77992eb
Platform: Windows
Info: This strike sends a polymorphic malware sample known as TinyBanker. The malware TinyBanker, also known as Zusy or Tinba, is a trojan that uses a JavaScript-injected form to steal banking information. When executed, it injects itself into Windows processes like "explorer.exe" and "winver.exe". The binary has a random section name renamed according to the PE format specification.
External References: https://arxiv.org/abs/1801.08917
SHA256: b30fb527393d891d28ccd413e119ea309a13749c38e5b661a21c519323febd29
SHA1: 0f177e999846f3fbfaa1591c139977d78ad31816
PARENTID: M20-cbuc1
SSDEEP: 768:r/g94T0zUb/PnM3PC8Q8MVUgiCn4Pd3r9PLjpoNPydMUgtL:44QUbHM3PC8Q1Hn417sNPy+L
MD5: f77992eb5a494bdcd8dcda9bf5652937
Strike ID: M20-hks71
Malware: Emotet_7fba0b9a
Platform: Windows
Info: This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails.
External References: https://blog.talosintelligence.com/2020/07/threat-roundup-0703-0710.html
SHA256: 633bed3b02759cc36b1e72c124d298607e68697a75f61f221b5b59decde14ecb
SHA1: 6bb10b0e1a416ad0b66bd90ad6f3e472a10922d0
MD5: 7fba0b9afbf7a224224b3ce6be675f0d
Strike ID: M20-vws91
Malware: TinyBanker_0ed39328
Platform: Windows
Info: This strike sends a malware sample known as TinyBanker. The malware TinyBanker, also known as Zusy or Tinba, is a trojan that uses a JavaScript-injected form to steal banking information. When executed, it injects itself into Windows processes like "explorer.exe" and "winver.exe".
External References: https://blog.talosintelligence.com/2020/07/threat-roundup-0710-0717.html
SHA256: 8cf7d553e27a5c642812bb040f97bc92746d64b9909bddbb38916d36fbeb8c0f
SHA1: 89048b155b57f9824f6e20fad4e6b2a09d851441
MD5: 0ed39328beae48e12b4dc877064b30d1
Strike ID: M20-ifi31
Malware: DarkComet_8e003595
Platform: Windows
Info: This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system.
External References: https://blog.talosintelligence.com/2020/06/threat-roundup-0529-0605.html
SHA256: 0e473f4bdc3a37ef888a4f44616e0c09c38b8d7fcdb617736aa8f294dd99e920
SHA1: 94afe765dcabc9b2d0b5edef418d6f7caa8cc3ec
MD5: 8e003595d3f489e4776c97c8aabfa7b9
Strike ID: M20-yzp81
Malware: WastedLocker_6b20ef8f
Platform: Windows
Info: This strike sends a malware sample known as WastedLocker. WastedLocker is a new targeted ransomware created by the organization known as Evil Corp. Recently it has been seen in the wild attacking mostly US-based Fortune 500 companies. Once a system is infected, PsExec runs the WastedLocker binary, which begins to encrypt data on the system and delete shadow volumes. The encrypted files are named with a combination of the company's name and the string "wasted". Additionally, files with the appended string "_info" contain the ransom note left behind.
External References: https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/
SHA256: 887aac61771af200f7e58bf0d02cb96d9befa11deda4e448f0a700ccb186ce9d
SHA1: 763d356d30e81d1cd15f6bc6a31f96181edb0b8f
MD5: 6b20ef8fb494cc6e455220356de298d0
Strike ID: M20-c9tb1
Malware: WastedLocker_f67ea8e4
Platform: Windows
Info: This strike sends a malware sample known as WastedLocker. WastedLocker is a new targeted ransomware created by the organization known as Evil Corp. Recently it has been seen in the wild attacking mostly US-based Fortune 500 companies. Once a system is infected, PsExec runs the WastedLocker binary, which begins to encrypt data on the system and delete shadow volumes. The encrypted files are named with a combination of the company's name and the string "wasted". Additionally, files with the appended string "_info" contain the ransom note left behind.
External References: https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/
SHA256: e3bf41de3a7edf556d43b6196652aa036e48a602bb3f7c98af9dae992222a8eb
SHA1: e62d3a4fe0da1b1b8e9bcff3148becd6d02bcb07
MD5: f67ea8e471e827e4b7b65b65647d1d46
Strike ID: M20-7cqt1
Malware: Emotet_2ed2b0d2
Platform: Windows
Info: This strike sends a polymorphic malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails. The binary has the timestamp field updated in the PE file header.
External References: https://attack.mitre.org/techniques/T1099/
SHA256: 16e03f284d8a56db4fa112d46edd50537e35125c91086d68362ab8892e4f5a62
SHA1: bdcb584762443fee90ce2582a03750cd9408f5fd
PARENTID: M20-75mm1
SSDEEP: 6144:QjNX3w7TC9rybQb3AnUpBlvKLB6bVlWi+e6k46qz2gFcvAtyKZDG:QRX3wK9rybO3AlLBeTWi+eO6e2zAtyKI
MD5: 2ed2b0d2f3f9662f99381c5bd18118f0
M20-75mm1Emotet_88e9eabcWindows This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails.88e9eabc35088da3b3b31d5134dc1b49https://blog.talosintelligence.com/2020/07/threat-roundup-0703-0710.html
SHA256: 0622420430e3559c1a5175e77584feebbeac977922c0a5b72d52d996e8ba6707
SHA1: 03cfa8f152e83166b76db5ebafcd8211d92fe31c
MD5: 88e9eabc35088da3b3b31d5134dc1b49
M20-k6mq1Emotet_b612a63cWindows This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails.b612a63c45a0bbd1370572e19382bb18https://blog.talosintelligence.com/2020/07/threat-roundup-0703-0710.html
SHA256: c4339507d79d74a6260ee7769b98c58d3b5289a470bee7c5a87f96c78efc3851
SHA1: 089c8fa399a89bc7668c956f1dca854131ea2617
MD5: b612a63c45a0bbd1370572e19382bb18
M20-ekjm1TinyBanker_2b2ac146Windows This strike sends a malware sample known as TinyBanker. The malware TinyBanker, also known as Zusy or Tinba, is a trojan that uses JavaScript form injection to steal banking information. When executed, it injects itself into Windows processes such as "explorer.exe" and "winver.exe".2b2ac1463040f9809c34d776e7fb5e6ahttps://blog.talosintelligence.com/2020/07/threat-roundup-0710-0717.html
SHA256: b43794417fec9191f8700df446b20875bb753c9380c70e0c7c6869502fa16282
SHA1: 98e69cb347d4966573ee9b3295251f51ca3c8e37
MD5: 2b2ac1463040f9809c34d776e7fb5e6a
M20-2wjp1WastedLocker_3208a14cWindows This strike sends a malware sample known as WastedLocker. WastedLocker is a new targeted ransomware developed by the group known as Evil Corp. It has recently been seen in the wild attacking mostly US-based Fortune 500 companies. After initial compromise, PsExec is used to launch the WastedLocker binary, which encrypts data on the system and deletes volume shadow copies. Encrypted files receive an extension that combines the victim company's name with the string "wasted"; files with the additional suffix "_info" contain the ransom note left behind.3208a14c9bad334e331febe00f1e9734https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/
SHA256: 85f391ecd480711401f6da2f371156f995dd5cff7580f37791e79e62b91fd9eb
SHA1: 809fbd450e1a484a5af4ec05c345b2a7072723e7
MD5: 3208a14c9bad334e331febe00f1e9734
M20-evht1TinyBanker_0c0b91dfWindows This strike sends a malware sample known as TinyBanker. The malware TinyBanker, also known as Zusy or Tinba, is a trojan that uses JavaScript form injection to steal banking information. When executed, it injects itself into Windows processes such as "explorer.exe" and "winver.exe".0c0b91df5d347924d0efa649e9f7ca63https://blog.talosintelligence.com/2020/07/threat-roundup-0710-0717.html
SHA256: 15b502a449d911c76cce06cd378d291e8039619a06ace593abbdd2cebe3add27
SHA1: 23070b82c6a5fb619a3e8f38f96f4fda366ef24b
MD5: 0c0b91df5d347924d0efa649e9f7ca63
M20-cbuc1TinyBanker_13c2cce6Windows This strike sends a malware sample known as TinyBanker. The malware TinyBanker, also known as Zusy or Tinba, is a trojan that uses JavaScript form injection to steal banking information. When executed, it injects itself into Windows processes such as "explorer.exe" and "winver.exe".13c2cce63f1e8ae54c4b2f15770e69f3https://blog.talosintelligence.com/2020/07/threat-roundup-0710-0717.html
SHA256: 141731282c5378b959ee12a97d564b58bacae43a50ffbca289a5df8ba8d0771d
SHA1: 89a90ff4f2fb186cff3d691998cd9ba461ffb05b
MD5: 13c2cce63f1e8ae54c4b2f15770e69f3
M20-zeeo1TinyBanker_40ad77d0Windows This strike sends a polymorphic malware sample known as TinyBanker. The malware TinyBanker, also known as Zusy or Tinba, is a trojan that uses JavaScript form injection to steal banking information. When executed, it injects itself into Windows processes such as "explorer.exe" and "winver.exe".The binary has random strings (lorem ipsum) appended at the end of the file.40ad77d0de2dae24d1c942ba7f5e7c2ehttps://attack.mitre.org/techniques/T1009/
SHA256: 4fe168b7028b1ad9985943474862f09b093915de233836d49e5a661c010af344
SHA1: a8577e727471ef1d6e239dd3c7ebc39af79f3bb6
PARENTID: M20-cbuc1
SSDEEP: 768:D/g94T0zUb/PnM3PC8Q8MVUgiCn4Pd3r9PLjpoNPydMUgtNU:w4QUbHM3PC8Q1Hn417sNPy+a
MD5: 40ad77d0de2dae24d1c942ba7f5e7c2e
M20-6vdo1WellMess_a2f5614fWindows This strike sends a polymorphic malware sample known as WellMess. WellMess is a lightweight malware family with variants written in Golang and .NET. It has been seen in the wild targeting organizations involved in COVID-19 research and vaccine development. It is designed to execute arbitrary shell commands and to upload and download files. These samples are implants that let a remote operator establish encrypted communication with C2 servers to send and retrieve malicious scripts on an infected system.The binary has random bytes appended at the end of the file.a2f5614fa377753a02eed40056aa2459https://attack.mitre.org/techniques/T1009/
SHA256: b67d856656e58e34b41086f4b0be823dd56b75af60485cc563c01b95711286be
SHA1: 143ca415e9321b8b89e162fa9f06cfd6de33ce2d
PARENTID: M20-n8yw1
SSDEEP: 6144:4t4156qfXqT02bFXCYv123kUo4GECAOcL6xDE4Ufa:oc6qkt5vdU6ECe4Ufa
MD5: a2f5614fa377753a02eed40056aa2459
M20-j2ia1NetWire_bf8079deWindows This strike sends a malware sample known as NetWire. Netwire is a Remote Access Trojan that lets attackers execute commands on the infected host.bf8079de4a89e0a0ebd154d99d05b91ehttps://blog.talosintelligence.com/2020/07/threat-roundup-0703-0710.html
SHA256: 26fe99cf61903d3dd464b96e87bc8640dd1d1ba9df2c795e2f27db6dfb74522d
SHA1: da92d8768be7a4a977802495f67f96b8ee591218
MD5: bf8079de4a89e0a0ebd154d99d05b91e
M20-0uff1DarkComet_848fc1faWindows This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system.848fc1fa772f49d8f4563f38b3f4f002https://blog.talosintelligence.com/2020/06/threat-roundup-0529-0605.html
SHA256: 18bc76cc05f305549fbee7757c01f897110effac971738af751815589036d5dc
SHA1: 200be1cad6d7234ce468d6743ff27c79f490ec92
MD5: 848fc1fa772f49d8f4563f38b3f4f002
M20-rhxa1Emotet_932a3448Windows This strike sends a polymorphic malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails.The binary has random content appended to one of the existing sections of the PE file.932a344809bbabf777916b63e4e4e9cahttps://arxiv.org/abs/1801.08917
SHA256: 8add6324ff072fa544e73a8a300c9d8c20b251b8af6d449f2d9e3a1c11509311
SHA1: 6a98e51d8fb40ffcf73c815d9d537294a373e1b0
PARENTID: M20-8ev91
SSDEEP: 6144:+jNX3w7TC9rybQb3AnUpBlvKLB6bVlWi+e6k46qz2g5cvAtyKZD:+RX3wK9rybO3AlLBeTWi+eO6e23AtyK
MD5: 932a344809bbabf777916b63e4e4e9ca
M20-ekzf1WellMess_4d38ac33Linux This strike sends a malware sample known as WellMess. WellMess is a lightweight malware family with variants written in Golang and .NET. It has been seen in the wild targeting organizations involved in COVID-19 research and vaccine development. It is designed to execute arbitrary shell commands and to upload and download files. These samples are implants that let a remote operator establish encrypted communication with C2 servers to send and retrieve malicious scripts on an infected system.4d38ac3319b167f6c8acb16b70297111https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198b
SHA256: 7c39841ba409bce4c2c35437ecf043f22910984325c70b9530edf15d826147ee
SHA1: 01a71390892fad77987aa09a630b04ff72e37d5d
MD5: 4d38ac3319b167f6c8acb16b70297111
M20-i73r1Emotet_8b14c2ffWindows This strike sends a polymorphic malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails.The binary has one additional import added to its import table.8b14c2ffbe2dd64f0a1937148e73c836https://arxiv.org/abs/1702.05983
SHA256: 76accf214074a7c84309e275fa7d7fa18a22bdf6ddbcc86885e197a6bb647ff3
SHA1: f7b990444fb49812622fb675116e3a7b267a319c
PARENTID: M20-75mm1
SSDEEP: 6144:njNX3w7TC9rybQb3AnUpBlvKLB6bVlWi+e6k46qL205cvAtyKZDZ:nRX3wK9rybO3AlLBeTWi+eO6K2rAtyK
MD5: 8b14c2ffbe2dd64f0a1937148e73c836
M20-7x081NetWire_c4166c5fWindows This strike sends a malware sample known as NetWire. Netwire is a Remote Access Trojan that lets attackers execute commands on the infected host.c4166c5f4bd570cd999f41474b664e4bhttps://blog.talosintelligence.com/2020/07/threat-roundup-0703-0710.html
SHA256: 44fd21ec687bfbecc1002f1a5e640f0d782b9aa9beff7e4822704fe1a09907b5
SHA1: 79090473cfdb6953da7fa188f4382e9a85ae5070
MD5: c4166c5f4bd570cd999f41474b664e4b
M20-jv5u1TinyBanker_a862c24dWindows This strike sends a polymorphic malware sample known as TinyBanker. The malware TinyBanker, also known as Zusy or Tinba, is a trojan that uses JavaScript form injection to steal banking information. When executed, it injects itself into Windows processes such as "explorer.exe" and "winver.exe".The binary has random bytes appended at the end of the file.a862c24d8824f88826ed42e5654a6088https://attack.mitre.org/techniques/T1009/
SHA256: 2c94212a010e8fc70c1c52fa64eded136f09964713a82ef9cf73802f5e1314d4
SHA1: 70c7e8f13e4442332029f87a422e2445e16f7234
PARENTID: M20-ou7j1
SSDEEP: 768:V/g94T0zUb/PnM3PC8Q8MVUgiCn4Pd3r9PLjpoNPydMUgtf:24QUbHM3PC8Q1Hn417sNPy+f
MD5: a862c24d8824f88826ed42e5654a6088
M20-o7xc1Emotet_f1a41902Windows This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails.f1a419027bbe163301f856c793e8dc48https://blog.talosintelligence.com/2020/07/threat-roundup-0703-0710.html
SHA256: f21aaec6dab4428d5462f0a917908556054093fa9b94f386c94abc572c9d9e0e
SHA1: 1468f82412c45be51b51619d9788b2a55bfe4e4f
MD5: f1a419027bbe163301f856c793e8dc48
M20-vvs51WellMess_3a9cdd8aLinux This strike sends a malware sample known as WellMess. WellMess is a lightweight malware family with variants written in Golang and .NET. It has been seen in the wild targeting organizations involved in COVID-19 research and vaccine development. It is designed to execute arbitrary shell commands and to upload and download files. These samples are implants that let a remote operator establish encrypted communication with C2 servers to send and retrieve malicious scripts on an infected system.3a9cdd8a5cbc3ab10ad64c4bb641b41fhttps://us-cert.cisa.gov/ncas/analysis-reports/ar20-198b
SHA256: 5ca4a9f6553fea64ad2c724bf71d0fac2b372f9e7ce2200814c98aac647172fb
SHA1: e45f89c923d0361ce8f9c64a63031860a76b2d10
MD5: 3a9cdd8a5cbc3ab10ad64c4bb641b41f
M20-3lhg1WellMess_2f9f4f2aLinux This strike sends a malware sample known as WellMess. WellMess is a lightweight malware family with variants written in Golang and .NET. It has been seen in the wild targeting organizations involved in COVID-19 research and vaccine development. It is designed to execute arbitrary shell commands and to upload and download files. These samples are implants that let a remote operator establish encrypted communication with C2 servers to send and retrieve malicious scripts on an infected system.2f9f4f2a9d438cdc944f79bdf44a18f8https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198b
SHA256: e329607379a01483fc914a47c0062d5a3a8d8d65f777fbad2c5a841a90a0af09
SHA1: 709878e13633e44b45ad1ab569ad34e3dc1efd3b
MD5: 2f9f4f2a9d438cdc944f79bdf44a18f8
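
The polymorphic entries in these tables (random bytes or lorem ipsum appended after the end of the file, a rewritten PE header timestamp, an extra import table entry, content appended to an existing section) all change the MD5/SHA hashes without touching the parent's code, which is why each such entry carries a PARENTID and an SSDEEP fuzzy hash rather than relying on exact hashes alone. The following is an added example, not part of this strike list and not any vendor's tooling: a standard-library Python inspector that parses the PE headers and reports which of those mutations separates a child from its parent (appended overlay, timestamp, and import additions). The PE images it builds are constructed for the demo, are not loadable executables, and correspond to no strike listed here.

```python
"""Added example: stdlib-only PE header inspector for the mutations the
polymorphic strikes describe (overlay appended after the last section,
rewritten COFF TimeDateStamp, extra import descriptors)."""
import hashlib
import struct


def inspect_pe(data: bytes) -> dict:
    """Parse DOS/COFF/optional headers, the section table and the import
    directory, and return the fields a polymorphic mutation would change."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]            # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = pe_off + 4
    _, nsect, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    dirs = opt + (96 if magic == 0x10B else 112)                # PE32 vs PE32+ data directories
    import_rva = struct.unpack_from("<I", data, dirs + 8)[0]    # directory entry 1: import table
    sections = [struct.unpack_from("<8sIIII", data, opt + opt_size + i * 40) for i in range(nsect)]

    def rva_to_off(rva: int) -> int:
        for _name, vsize, vaddr, rawsize, rawptr in sections:
            if vaddr <= rva < vaddr + max(vsize, rawsize):
                return rawptr + (rva - vaddr)
        raise ValueError(f"RVA {rva:#x} is not backed by any section")

    dlls = []                                                   # walk IMAGE_IMPORT_DESCRIPTOR entries
    if import_rva:
        off = rva_to_off(import_rva)
        while (name_rva := struct.unpack_from("<I", data, off + 12)[0]) != 0:
            n = rva_to_off(name_rva)
            dlls.append(data[n:data.index(b"\0", n)].decode("ascii", "replace").lower())
            off += 20                                           # the table ends with an all-zero descriptor
    end_of_sections = max((rawptr + rawsize for *_, rawsize, rawptr in sections), default=0)
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "timestamp": timestamp,
        "imports": dlls,
        "overlay": data[end_of_sections:],                      # bytes past the last section's raw data
    }


def mutation_report(parent: bytes, child: bytes) -> list:
    """Name the header-level differences between a parent sample and a variant."""
    p, c = inspect_pe(parent), inspect_pe(child)
    findings = []
    if len(c["overlay"]) > len(p["overlay"]):
        findings.append(f"overlay: {len(c['overlay']) - len(p['overlay'])} bytes appended after the last section")
    if c["timestamp"] != p["timestamp"]:
        findings.append(f"timestamp: PE TimeDateStamp changed {p['timestamp']:#x} -> {c['timestamp']:#x}")
    added = sorted(set(c["imports"]) - set(p["imports"]))
    if added:
        findings.append(f"imports: added {', '.join(added)}")
    if not findings and c["md5"] != p["md5"]:
        findings.append("md5 differs but no header-level mutation recognised")
    return findings


def build_sample_pe(timestamp: int, dlls) -> bytes:
    """Constructed minimal PE32 image for the demo: valid headers, one .idata
    section holding an import directory, no code (it is not loadable)."""
    sect_rva, sect_raw, sect_size = 0x1000, 0x200, 0x200
    body = bytearray(sect_size)
    name_off = (len(dlls) + 1) * 20                             # descriptors first, then DLL name strings
    for i, dll in enumerate(dlls):
        struct.pack_into("<I", body, i * 20 + 12, sect_rva + name_off)   # descriptor Name RVA
        body[name_off:name_off + len(dll) + 1] = dll.encode() + b"\0"
        name_off += len(dll) + 1
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                     # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                       # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                         # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8, sect_rva, (len(dlls) + 1) * 20)  # import directory entry
    sect = struct.pack("<8sIIIIIIHHI", b".idata", sect_size, sect_rva, sect_size, sect_raw, 0, 0, 0, 0, 0x40000040)
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sect
    return headers.ljust(sect_raw, b"\0") + bytes(body)


def set_timestamp(pe: bytes, timestamp: int) -> bytes:
    """Rewrite the COFF TimeDateStamp in place (the 'timestamp updated' mutation)."""
    pe_off = struct.unpack_from("<I", pe, 0x3C)[0]
    out = bytearray(pe)
    struct.pack_into("<I", out, pe_off + 8, timestamp)
    return bytes(out)


if __name__ == "__main__":
    parent = build_sample_pe(0x5EF0A1B2, ["kernel32.dll", "user32.dll"])
    # the mutations named in the strike descriptions, applied to the constructed parent
    variants = {
        "appended bytes": parent + b"\x9c\x02\xe7" * 64,
        "appended lorem ipsum": parent + b"Lorem ipsum dolor sit amet, consectetur adipiscing elit. " * 4,
        "timestamp updated": set_timestamp(parent, 0x5F1234AB),
        "import added": build_sample_pe(0x5EF0A1B2, ["kernel32.dll", "user32.dll", "ws2_32.dll"]),
    }
    for label, child in variants.items():
        print(label, inspect_pe(child)["md5"], mutation_report(parent, child))
```

Every variant yields a different MD5 from the parent, which is the point of these strikes: an exact-hash blocklist misses all of them, while the header-level comparison (or the SSDEEP hash given for each child) still ties them back to the parent. Content appended inside an existing section, the remaining mutation in the list, shows up as a changed SizeOfRawData in the section table and could be added to the report the same way.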

Malware Strikes June - 2020

Strike ID Malware Platform Info MD5 External References
M20-2ej01Cybergate_dbb05d12Windows This strike sends a malware sample known as Cybergate. Cybergate, also known as Rebhip, is a Remote Access Trojan that allows attackers to fully control the target system. Functionality includes command shell interaction, screenshot capturing, audio/video capturing, keylogging, as well as uploading/downloading files from the target system.dbb05d1214a55a1519b0ca816704452fhttps://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: 1cc729e873bc0ccc68b2cef59562a5196793c0511b05f952a096ce87c27bb02f
SHA1: 9e9ea3f6ba4ecfa74c18ecd355e83f7e98dfb835
MD5: dbb05d1214a55a1519b0ca816704452f
M20-hdw11Fareit_12113af5Windows This strike sends a malware sample known as Fareit. Fareit steals and harvests credentials from the targeted system. This information is then exfiltrated to a C2 server.12113af567bb825035e81fd73ff83d0bhttps://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: 10d0eaec661c9ec08bc6b28810666956ac6a76b054de73c6b8de46dec6147de4
SHA1: 90732a9aac12e720eb2ca1b806398a4e0e94a794
MD5: 12113af567bb825035e81fd73ff83d0b
M20-wfai1Dridex_29ace502Windows This strike sends a malware sample known as Dridex. Dridex is online banking malware that steals personal information through HTML injection. It was first spotted at the end of 2014 and its developers have kept improving it since. A notable improvement is the addition of the AtomBombing technique, which does not exploit a vulnerability but abuses a design feature of Windows (system-level atom tables) to inject code, making Dridex harder for antivirus products to detect.29ace5025e0662d3c30e4ca96ec38eebhttps://blog.talosintelligence.com/2020/06/threat-roundup-0529-0605.html
SHA256: fe6fad62d3e63eed458d33cfec58e20468d685bc21f69161f5f036bd5eb3c926
SHA1: c84383a51034b045093c049b6d689ec9f37d75c9
MD5: 29ace5025e0662d3c30e4ca96ec38eeb
M20-oh6y1Cybergate_b5e64476Windows This strike sends a malware sample known as Cybergate. Cybergate, also known as Rebhip, is a Remote Access Trojan that allows attackers to fully control the target system. Functionality includes command shell interaction, screenshot capturing, audio/video capturing, keylogging, as well as uploading/downloading files from the target system.b5e64476b8c7ecfa37c3ec3374934018https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: 3851caf965504e6d99ad2d541af43f8f4213c6ddaa460b8e7b812e2fdb299316
SHA1: e23f969c44621b3b29d18eabe323c68c873aaafb
MD5: b5e64476b8c7ecfa37c3ec3374934018
M20-09up1Zbot_dd17daf4Windows This strike sends a malware sample known as Zbot. Zbot, also known as Zeus, is a trojan often associated with stealing banking information through keystroke logging and form grabbing.dd17daf4e28133d0fb052ba229b80342https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: 476ce28be8b7576a3b0576e7dd8f90f2aa1cfc59ad90adb5abf14a9d5d866b84
SHA1: 89754b05c5a57b3ac78723a5ae394476beaededd
MD5: dd17daf4e28133d0fb052ba229b80342
M20-foy31Dridex_56afa171Windows This strike sends a malware sample known as Dridex. Dridex is online banking malware that steals personal information through HTML injection. It was first spotted at the end of 2014 and its developers have kept improving it since. A notable improvement is the addition of the AtomBombing technique, which does not exploit a vulnerability but abuses a design feature of Windows (system-level atom tables) to inject code, making Dridex harder for antivirus products to detect.56afa1715bfa03bdf47e45c9a12b9ddahttps://blog.talosintelligence.com/2020/06/threat-roundup-0529-0605.html
SHA256: 15c213fa11b0440a690133df83c63e7f2729eb1b41e7143291f98a4b9d29f7a5
SHA1: 10b13d36e90c92b4ecb80c96fae504d974372fa9
MD5: 56afa1715bfa03bdf47e45c9a12b9dda
M20-zj661Zbot_0b8b4771Windows This strike sends a malware sample known as Zbot. Zbot, also known as Zeus, is a trojan often associated with stealing banking information through keystroke logging and form grabbing.0b8b477194321fb2547deae4afd052ebhttps://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: 5e15c7ef36f861bd967c4b7cf7b4476d37be287e3b1e18cc41168810b9e36f3f
SHA1: 93991b30b6587bb3ad740c3713947ba4662e8d25
MD5: 0b8b477194321fb2547deae4afd052eb
M20-dbms1Zbot_61bb1504Windows This strike sends a malware sample known as Zbot. Zbot, also known as Zeus, is a trojan often associated with stealing banking information through keystroke logging and form grabbing.61bb1504fe867ab02734aaaa7683343fhttps://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: 2240fb081176a4811088f5818d0b5d6a60a2ffd64a8202fdd46b4e05f694ac2d
SHA1: 8168c5aea69f349881944535695282e22b5b700a
MD5: 61bb1504fe867ab02734aaaa7683343f
M20-n2a51Dridex_b78246faWindows This strike sends a malware sample known as Dridex. Dridex is online banking malware that steals personal information through HTML injection. It was first spotted at the end of 2014 and its developers have kept improving it since. A notable improvement is the addition of the AtomBombing technique, which does not exploit a vulnerability but abuses a design feature of Windows (system-level atom tables) to inject code, making Dridex harder for antivirus products to detect.b78246fa73a6cc9b69cb41a2ca68fe4ahttps://blog.talosintelligence.com/2020/06/threat-roundup-0529-0605.html
SHA256: 9366c5124ceb956ef97059b5b649707c0732a85e6912232294d5e3bcb078dd7f
SHA1: d9290d34eed824e23b32418276c2e900063bddd3
MD5: b78246fa73a6cc9b69cb41a2ca68fe4a
M20-7b0c1Ramnit_d211c6baWindows This strike sends a malware sample known as Ramnit. Ramnit is a banking trojan that has been around since 2010 and has recently resumed activity. After infection, it scans files for interesting keywords such as wallet, passwords, or the names of the targeted banks. Ramnit is distributed through malvertising and malware-laden spam, and has also been delivered by popular exploit kits such as Angler.d211c6bae76231b80b3ad3f80edd9dd3https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: 6a793585958d4db348868417923c49a74d6b0e053c8a914669e980a9f06901c6
SHA1: 305ba2cdf7e78be0d63f76c31041825f5df53141
MD5: d211c6bae76231b80b3ad3f80edd9dd3
M20-0yl41Cybergate_8ba4005bWindows This strike sends a malware sample known as Cybergate. Cybergate, also known as Rebhip, is a Remote Access Trojan that allows attackers to fully control the target system. Functionality includes command shell interaction, screenshot capturing, audio/video capturing, keylogging, as well as uploading/downloading files from the target system.8ba4005b996edcb379796e9d70137847https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: 21d5baf434ba1e61c0d24cc2c49d91e7bae8204d4a69a614dd81193ba2901a1d
SHA1: e386e51f52711b6a96c49c260e2fb6f9976bbcdb
MD5: 8ba4005b996edcb379796e9d70137847
M20-tycd1Ramnit_cef48a53Windows This strike sends a malware sample known as Ramnit. Ramnit is a banking trojan that has been around since 2010 and has recently resumed activity. After infection, it scans files for interesting keywords such as wallet, passwords, or the names of the targeted banks. Ramnit is distributed through malvertising and malware-laden spam, and has also been delivered by popular exploit kits such as Angler.cef48a53f568fb3649dfc109541a5b42https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: 151f0e9786d903c3831e7555a64b980ae7fb8514f58d1044017b82276aae0d08
SHA1: 30c9c0c2ddfb774f1069671821d24c953296dc51
MD5: cef48a53f568fb3649dfc109541a5b42
M20-n6pb1Cybergate_2c68199dWindows This strike sends a polymorphic malware sample known as Cybergate. Cybergate, also known as Rebhip, is a Remote Access Trojan that allows attackers to fully control the target system. Functionality includes command shell interaction, screenshot capturing, audio/video capturing, keylogging, as well as uploading/downloading files from the target system.The binary has the timestamp field updated in the PE file header.2c68199d84a6acaea4a0924e338f70c8https://attack.mitre.org/techniques/T1099/
SHA256: a1dd7ddecbe9de6d58fb108b837a88967becbafb152e429197e56f047a9848d1
SHA1: 4f26f1f9fe04f48f41ab74b8d3988646729b3c91
PARENTID: M20-e7ik1
SSDEEP: 12288:haH6uGURWHTrbPq6US47zWfXkkctzkbpfPFNIKDGZfM/B35aI:0HbGMKT/Pq6USazkkkkopPFNI/fI5aI
MD5: 2c68199d84a6acaea4a0924e338f70c8
M20-1mpd1Zbot_fa39fd7bWindows This strike sends a malware sample known as Zbot. Zbot, also known as Zeus, is a trojan often associated with stealing banking information through keystroke logging and form grabbing.fa39fd7b7bc3c8b3023c848ee4e6e8f0https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: 2760e4f5c5119988b6c83907da6a3cf60e62c2425456ebf1e06893a00c04b91b
SHA1: 0bcdffab5a6fb56b9877607a940319b597a16087
MD5: fa39fd7b7bc3c8b3023c848ee4e6e8f0
M20-cc0t1Zbot_63a63e4aWindows This strike sends a malware sample known as Zbot. Zbot, also known as Zeus, is a trojan often associated with stealing banking information through keystroke logging and form grabbing.63a63e4afbcccea6f3d8a3adcdf012b5https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: 356b7cfcc87425f08c9ad492d272b5ac6e0476389193c20ebd37cf95e1215825
SHA1: 19080581f31ce285caa1df2160c16416755958a7
MD5: 63a63e4afbcccea6f3d8a3adcdf012b5
M20-lqct1Cybergate_3b77c273Windows This strike sends a malware sample known as Cybergate. Cybergate, also known as Rebhip, is a Remote Access Trojan that allows attackers to fully control the target system. Functionality includes command shell interaction, screenshot capturing, audio/video capturing, keylogging, as well as uploading/downloading files from the target system.3b77c27302c72442400739d02483d874https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: 243344e8c4defcf6d918ac46233381c21f2530f162962e8bf8fb384c341035be
SHA1: 0216272dd6f1256f7fa68bef0843e2990f1cd083
MD5: 3b77c27302c72442400739d02483d874
M20-8j1p1Fareit_32468feaWindows This strike sends a malware sample known as Fareit. Fareit steals and harvests credentials from the targeted system. This information is then exfiltrated to a C2 server.32468feac377c04df3a3c8232b2d9a1ahttps://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: 0264313435657e607a5edca952c8d6c6b49a067d889ea1b47861eca0c2151bc8
SHA1: 0c29d8ab76973553995de9600263bb6196ce16c4
MD5: 32468feac377c04df3a3c8232b2d9a1a
M20-rc2c1Fareit_2b3e69fcWindows This strike sends a malware sample known as Fareit. Fareit steals and harvests credentials from the targeted system. This information is then exfiltrated to a C2 server.2b3e69fccb583599f5c0a11ecb336cb4https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: 9d5f6d8d0ed7cf4af9424f57c34d95ba7a59057cc525ac51698d81c85987855a
SHA1: 7a03cbfc9d1014f7cef67c600b6d4fb5e6a1e02c
MD5: 2b3e69fccb583599f5c0a11ecb336cb4
M20-68d21Cybergate_a7fcef42Windows This strike sends a malware sample known as Cybergate. Cybergate, also known as Rebhip, is a Remote Access Trojan that allows attackers to fully control the target system. Functionality includes command shell interaction, screenshot capturing, audio/video capturing, keylogging, as well as uploading/downloading files from the target system.a7fcef4218781bb5375871367d69a035https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: 2fd297ddc4fb433b09adb0894aa7752fc3433a360597e23c5025250cd062e801
SHA1: 6b4524aeea301e29fc9221814069530bde21bbf7
MD5: a7fcef4218781bb5375871367d69a035
M20-ad7l1Cybergate_86e26de8Windows This strike sends a malware sample known as Cybergate. Cybergate, also known as Rebhip, is a Remote Access Trojan that allows attackers to fully control the target system. Functionality includes command shell interaction, screenshot capturing, audio/video capturing, keylogging, as well as uploading/downloading files from the target system.86e26de88289bf179bdc51a9df320b6dhttps://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: 3b2a0d95b9643dcb1dfa555d9e79fbfbc27e98667014bdd79ff5b9e5c2f72c79
SHA1: 0ae0740bc781e5644b440df514e4fd5adafbf0ca
MD5: 86e26de88289bf179bdc51a9df320b6d
M20-4g0r1Fareit_3e7c67b6Windows This strike sends a malware sample known as Fareit. Fareit steals and harvests credentials from the targeted system. This information is then exfiltrated to a C2 server.3e7c67b6508b90cf7d85110d9a81e1c3https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: 648bbe158a7dafc05b3ac0095ca3eec926970d11054f023c1a4c700069e43883
SHA1: a3348285010f66f1e25474833b436312e5b1a5e1
MD5: 3e7c67b6508b90cf7d85110d9a81e1c3
M20-3bm51Zbot_b22dbff3Windows This strike sends a malware sample known as Zbot. Zbot, also known as Zeus, is a trojan often associated with stealing banking information through keystroke logging and form grabbing.b22dbff35d41d361434211f4def02bbahttps://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: 5c0c7d1e7e52685b82c1d170368db66fbfbe06ab3e05c7a8243d9bad5500a64c
SHA1: b3187b5d331c652924769220d62bda7a85c69d9f
MD5: b22dbff35d41d361434211f4def02bba
M20-nqke1Fareit_4a65c9c3Windows This strike sends a malware sample known as Fareit. Fareit steals and harvests credentials from the targeted system. This information is then exfiltrated to a C2 server.4a65c9c31cbe443d7fda091cfb29aacfhttps://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: 8e8933daed91bf2a385c9c49d572d9102ae959a582e3c6ea81219ef424951f58
SHA1: 24c85e09a8d8edd31c4609defe2da7341130bcab
MD5: 4a65c9c31cbe443d7fda091cfb29aacf
M20-aipe1Cybergate_accfb8ccWindows This strike sends a malware sample known as Cybergate. Cybergate, also known as Rebhip, is a Remote Access Trojan that allows attackers to fully control the target system. Functionality includes command shell interaction, screenshot capturing, audio/video capturing, keylogging, as well as uploading/downloading files from the target system.accfb8cc51a3e7447436e9f4d5f6584dhttps://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: 01b133f5e10b71f33f117a59e78836294341f26318747f5a504aa2bf2af7869c
SHA1: 31480c9ec31d176a4e7e2c3b00dbc02a862b453a
MD5: accfb8cc51a3e7447436e9f4d5f6584d
M20-m58m1Zbot_2d0f9799Windows This strike sends a malware sample known as Zbot. Zbot, also known as Zeus, is a trojan often associated with stealing banking information through keystroke logging and form grabbing.2d0f9799daa391a41d43691582ff510ahttps://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: 0649a007c9e7e7abc08fcfa53cfbc0a11c3119792b04d2ff6a47f8f53cdc5514
SHA1: e721b10afe61e65d2d3340741381b7c6789f5ad1
MD5: 2d0f9799daa391a41d43691582ff510a
M20-b6mw1Zbot_668a40a5Windows This strike sends a malware sample known as Zbot. Zbot, also known as Zeus, is a trojan often associated with stealing banking information through keystroke logging and form grabbing.668a40a5c4156c6b784cd7abce595134https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: 0b9297a648aba6ee27b8a96cc95974be328547141e1b5a3e13e544f71bc045e0
SHA1: 94954457060a1a6c9936f16b77113257451e5b17
MD5: 668a40a5c4156c6b784cd7abce595134
M20-wdo31Dridex_9659c150Windows This strike sends a malware sample known as Dridex. Dridex is online banking malware that steals personal information through HTML injection. It was first spotted at the end of 2014 and its developers have kept improving it since. A notable improvement is the addition of the AtomBombing technique, which does not exploit a vulnerability but abuses a design feature of Windows (system-level atom tables) to inject code, making Dridex harder for antivirus products to detect.9659c150b6e6dbb515fb5a7fe2fd38a5https://blog.talosintelligence.com/2020/06/threat-roundup-0529-0605.html
SHA256: 846c29654222d6d540794abb5adff6da8aee5ecbc0f40ec9aec75610ff75f9d2
SHA1: 5f4004a4ea9f3401350efa8483b4a27fc89ed498
MD5: 9659c150b6e6dbb515fb5a7fe2fd38a5
M20-wyrp1Fareit_cf67ef85Windows This strike sends a malware sample known as Fareit. Fareit steals and harvests credentials from the targeted system. This information is then exfiltrated to a C2 server.cf67ef8577d94f3dde6bb03a178d77a2https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: 4fe440cf3713df731f2e7eb210eb70575978821b2862dc7161107d8de197824f
SHA1: f7b5ca9bef871300c43fd559533a26000933d408
MD5: cf67ef8577d94f3dde6bb03a178d77a2
M20-kybi1Ramnit_5c2f6dd1Windows This strike sends a malware sample known as Ramnit. Ramnit is a banking trojan that has been around since 2010 and has recently resumed activity. After infection, it scans files for interesting keywords such as wallet, passwords, or the names of the targeted banks. Ramnit is distributed through malvertising and malware-laden spam, and has also been delivered by popular exploit kits such as Angler.5c2f6dd17f36c78511975c9bc90bac40https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: ab71e50d7620b1a0563f8a088d7bbc7c8bbe110ec067dc872ffabce155ba6060
SHA1: ad437bb752e1eb9039535065e9d70408b49ef0f9
MD5: 5c2f6dd17f36c78511975c9bc90bac40
M20-ea6i1Fareit_fed439b3Windows This strike sends a malware sample known as Fareit. Fareit steals and harvests credentials from the targeted system. This information is then exfiltrated to a C2 server.fed439b3cf045e7d40cb6bb3c2631c2ehttps://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: d90afab18a64702ce68aae194c7e73833ab8329e8e9f89013b0195b13123b2ec
SHA1: cdbc70b72e3efd0871977d7b3ebc098de4fcb6cd
MD5: fed439b3cf045e7d40cb6bb3c2631c2e
M20-zyb41Zbot_096e0ebaWindows This strike sends a polymorphic malware sample known as Zbot. Zbot, also known as Zeus, is a trojan often associated with stealing banking information through keystroke logging and form grabbing.The binary has random strings (lorem ipsum) appended at the end of the file.096e0eba8eb233f6bf5fbee0fb6cb093https://attack.mitre.org/techniques/T1009/
SHA256: 7fa7687c7509f526a9f4e96c3ed852ca4462097e5007c6515cf733b5f4eb814d
SHA1: 91c83f81dc16fae89aa424dfca901de2ca38c8a8
PARENTID: M20-qrni1
SSDEEP: 6144:5/IZqkiisqNuNWyD+lLo9lvh1GhI30EfNqyF:IqJXqNuNLDyLo9lvhI40S9F
MD5: 096e0eba8eb233f6bf5fbee0fb6cb093
M20-8buv1Cybergate_b450cc20Windows This strike sends a malware sample known as Cybergate. Cybergate, also known as Rebhip, is a Remote Access Trojan that allows attackers to fully control the target system. Functionality includes command shell interaction, screenshot capturing, audio/video capturing, keylogging, as well as uploading/downloading files from the target system.b450cc209f0e230ff9549c962dd6163ahttps://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: 06dd14844f1219660dd4f18b30ff70289ece23be61938842299cbb0bdfe2cba6
SHA1: 72d522c9f2baa9c94ffb28e7a21311927668160e
MD5: b450cc209f0e230ff9549c962dd6163a
M20-jztn1Cybergate_0c689268Windows This strike sends a malware sample known as Cybergate. Cybergate, also known as Rebhip, is a Remote Access Trojan that allows attackers to fully control the target system. Functionality includes command shell interaction, screenshot capturing, audio/video capturing, keylogging, as well as uploading/downloading files from the target system.0c6892685ec8b806453a9ceb44335705https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: 029d9e96045543dde92fcfc3e0850a1056bfe04f583d9d83c3f187d5db2d30a6
SHA1: c6b162774887cac646050e2ebf21913a92378eaf
MD5: 0c6892685ec8b806453a9ceb44335705
M20-pz4p1Ramnit_db4b4a6eWindows This strike sends a malware sample known as Ramnit. Ramnit is a banking trojan that has been around since 2010 and has recently resumed activity. After infection, it scans files for interesting keywords such as wallet, passwords, or the names of the targeted banks. Ramnit is distributed through malvertising and malware-laden spam, and has also been delivered by popular exploit kits such as Angler.db4b4a6e729d1214ad33688f4167fffchttps://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: e1b4dc1a419e73795e791969e0a11770e52adb5ed58414b51ba9e16e46ce906b
SHA1: ca05c6f232f14433bb2a9dc63ef4b49d4cdbb2ec
MD5: db4b4a6e729d1214ad33688f4167fffc
Strike ID: M20-wtwy1
Malware: Ramnit_f8ce6bd4
Platform: Windows
Info: This strike sends a malware sample known as Ramnit. Ramnit is a banking trojan first seen in 2010 that has recently resumed activity. After infection it scans files for keywords of interest, such as wallet, passwords, or the names of the targeted banks. Ramnit is distributed through malvertising and malware-laden spam, and has also used popular exploit kits such as Angler.
External References: https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: 7a77148fafd2bb5a47ccb12d800e9d9e190554c5cb774e62dd519d19639723b4
SHA1: bf8bbef654f89d7c2dddcc3bd0ce7c78a450cab6
MD5: f8ce6bd44f51a7d11538d2d7c504ea68
Strike ID: M20-e7ik1
Malware: Cybergate_e30e91e2
Platform: Windows
Info: This strike sends a malware sample known as Cybergate. Cybergate, also known as Rebhip, is a Remote Access Trojan that allows attackers to fully control the target system. Functionality includes command shell interaction, screenshot capturing, audio/video capturing, keylogging, as well as uploading/downloading files from the target system.
External References: https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: 1e7963141202ea5535603b0239828a6e77613948e8e73b56f48a8d9e958c5744
SHA1: c3975ce610e8fd82efe4e6042749bf05667dda01
MD5: e30e91e26dd5899759a809ffb26a390a
Strike ID: M20-h4io1
Malware: Fareit_5c696072
Platform: Windows
Info: This strike sends a malware sample known as Fareit. Fareit steals and harvests credentials from the targeted system. This information is then exfiltrated to a C2 server.
External References: https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: 1312c2175d4037228e113c1cdb3893484396a4d5c399052543bcd3546908f342
SHA1: 8aa2e11f51e44b81fc9b0946374b83bc4c0cbfb8
MD5: 5c6960726c52dbd3ef4b88cdc8a5df79
Strike ID: M20-6y4i1
Malware: Cybergate_9ad9aa84
Platform: Windows
Info: This strike sends a malware sample known as Cybergate. Cybergate, also known as Rebhip, is a Remote Access Trojan that allows attackers to fully control the target system. Functionality includes command shell interaction, screenshot capturing, audio/video capturing, keylogging, as well as uploading/downloading files from the target system.
External References: https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: 4876314e5d223a296b8aa95fb5eb97859da5bcbf78da9e78674b28f4536cd591
SHA1: 333067aeca3842e1ae73b30c2f4799eb2dde68fb
MD5: 9ad9aa8439043c07a84c18e7e0724c15
Strike ID: M20-0nxd1
Malware: Fareit_86a16f76
Platform: Windows
Info: This strike sends a malware sample known as Fareit. Fareit steals and harvests credentials from the targeted system. This information is then exfiltrated to a C2 server.
External References: https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: 78f418bcdd925f56eabedaae6e092d993a245fde048606a680539cff6bcc54c1
SHA1: f5f32175eaad230c51e2992fc825a4b30be7e118
MD5: 86a16f76020ed00029eed02a69156dd5
Strike ID: M20-canz1
Malware: Ramnit_59c999db
Platform: Windows
Info: This strike sends a malware sample known as Ramnit. Ramnit is a banking trojan first seen in 2010 that has recently resumed activity. After infection it scans files for keywords of interest, such as wallet, passwords, or the names of the targeted banks. Ramnit is distributed through malvertising and malware-laden spam, and has also used popular exploit kits such as Angler.
External References: https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: cf42f89f988611c1beb42230e001c0eb871322950ca10cd50fb1796cdf95920a
SHA1: a206ccabfa93a0568c6188783adbbb171379ae96
MD5: 59c999dba2f22a75f73ce59cb9ce4b25
Strike ID: M20-1ewp1
Malware: Fareit_5aec2111
Platform: Windows
Info: This strike sends a malware sample known as Fareit. Fareit steals and harvests credentials from the targeted system. This information is then exfiltrated to a C2 server.
External References: https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: 99b6a34cb8ad06ca530f7bde87b957c97c1526bb70f0540eba8da58a77b7f319
SHA1: 234c976c6aae3915dde5e9396738c875dbaae498
MD5: 5aec2111cc64271fe58feb1a07ac20f5
Strike ID: M20-gl0s1
Malware: Dridex_d27a1214
Platform: Windows
Info: This strike sends a malware sample known as Dridex. Dridex is online banking malware that steals personal information through HTML injection. It was first spotted at the end of 2014 and its authors have updated it periodically since then. A notable addition is the AtomBombing injection technique, which exploits no vulnerability but abuses a design weakness in Windows' global atom tables to make Dridex harder for antivirus products to detect.
External References: https://blog.talosintelligence.com/2020/06/threat-roundup-0529-0605.html
SHA256: 031f4d2eb9e330adfbe2767c568c49a45f8feada9d466b2f09f5cfa6c321760a
SHA1: 7c34ab0c972128294d751e93d76190fa901bf4da
MD5: d27a12141e0cf90f3db2b32d4f1832b4
Strike ID: M20-pt8o1
Malware: Dridex_b10d2503
Platform: Windows
Info: This strike sends a malware sample known as Dridex. Dridex is online banking malware that steals personal information through HTML injection. It was first spotted at the end of 2014 and its authors have updated it periodically since then. A notable addition is the AtomBombing injection technique, which exploits no vulnerability but abuses a design weakness in Windows' global atom tables to make Dridex harder for antivirus products to detect.
External References: https://blog.talosintelligence.com/2020/06/threat-roundup-0529-0605.html
SHA256: d5f3c9eab2e825b6e670dd529d1bb2212baf54437bd56915ecd6932b1745328a
SHA1: 0b8cfefb16cf5eb0ce8cb6a2ba7572c2e7c73f91
MD5: b10d25034bb65fd14e70c3238a44412e
Strike ID: M20-u5x11
Malware: Zbot_a498a3da
Platform: Windows
Info: This strike sends a malware sample known as Zbot. Zbot, also known as Zeus, is a trojan most often associated with stealing banking information through keystroke logging and form grabbing.
External References: https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: 0e475d4c0f6ff5e453668f962c6a7d78d218582a46d3d2f7ab36b221face4631
SHA1: 81f3701d0627176edbf308ade9433cfabc1cc47b
MD5: a498a3dad481b39e4197428e2fb80100
Strike ID: M20-7jo71
Malware: Zbot_cf2941da
Platform: Windows
Info: This strike sends a malware sample known as Zbot. Zbot, also known as Zeus, is a trojan most often associated with stealing banking information through keystroke logging and form grabbing.
External References: https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: 67187b9ebc578ae12c06cddff756160d741eafd53440efd6756c646e4d9e7594
SHA1: 9870afda75d0e59b720e2e11c46f28fa622f4962
MD5: cf2941da39524cfcbee3398736ad6e13
Strike ID: M20-gxuw1
Malware: Ramnit_f3f4c192
Platform: Windows
Info: This strike sends a malware sample known as Ramnit. Ramnit is a banking trojan first seen in 2010 that has recently resumed activity. After infection it scans files for keywords of interest, such as wallet, passwords, or the names of the targeted banks. Ramnit is distributed through malvertising and malware-laden spam, and has also used popular exploit kits such as Angler.
External References: https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: 9e8e5e20c1ac022c559a68d8ed67a7879ad68a917d4f97459bff72840bdba457
SHA1: d6ccf3e395f6a9687aefefe2920ad75df58c5019
MD5: f3f4c192482a755b8e4592e8577a3d29
Strike ID: M20-no5b1
Malware: Cybergate_bd8ea22b
Platform: Windows
Info: This strike sends a malware sample known as Cybergate. Cybergate, also known as Rebhip, is a Remote Access Trojan that allows attackers to fully control the target system. Functionality includes command shell interaction, screenshot capturing, audio/video capturing, keylogging, as well as uploading/downloading files from the target system.
External References: https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: 4dcb2bd6dc558fb9290f40656e630190658787f29455d5c73d459f0dee312c15
SHA1: e2ec17612da8210c4bdd16b01bc09d511908522f
MD5: bd8ea22bf277db93ce8113c27b217ab3
Strike ID: M20-wah41
Malware: Zbot_f34d5023
Platform: Windows
Info: This strike sends a malware sample known as Zbot. Zbot, also known as Zeus, is a trojan most often associated with stealing banking information through keystroke logging and form grabbing.
External References: https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: 498438a69aa744934cd33f6219709b3fb1531e3e89e95cef805f494ba8be938b
SHA1: 24775b083870bd350025ae9d20b977e0afeab155
MD5: f34d50230ee7e2db4899a6a88d40dc6a
Strike ID: M20-yztx1
Malware: Fareit_bf975fa9
Platform: Windows
Info: This strike sends a malware sample known as Fareit. Fareit steals and harvests credentials from the targeted system. This information is then exfiltrated to a C2 server.
External References: https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: bdf44a59073f52b5b4bada6afbeccd9410ce8ca0a46441149b66d4b97b305572
SHA1: 0f7abd44fce1da85112d9aaec189496eaa21651c
MD5: bf975fa90aa5cfa21b9f13e83138a605
Strike ID: M20-60d01
Malware: Ramnit_d0f5c342
Platform: Windows
Info: This strike sends a malware sample known as Ramnit. Ramnit is a banking trojan first seen in 2010 that has recently resumed activity. After infection it scans files for keywords of interest, such as wallet, passwords, or the names of the targeted banks. Ramnit is distributed through malvertising and malware-laden spam, and has also used popular exploit kits such as Angler.
External References: https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: 7dec40a48b029de50868b1a85573fd1d566084d0ee4935acfb30887e30d1de06
SHA1: ce6049fb88ae1c6c2fd4a3c490d678360aaf04fd
MD5: d0f5c342434f34b55eabccc6564a378b
Strike ID: M20-x9nv1
Malware: Ramnit_f0f74c6f
Platform: Windows
Info: This strike sends a malware sample known as Ramnit. Ramnit is a banking trojan first seen in 2010 that has recently resumed activity. After infection it scans files for keywords of interest, such as wallet, passwords, or the names of the targeted banks. Ramnit is distributed through malvertising and malware-laden spam, and has also used popular exploit kits such as Angler.
External References: https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: 11f697b19a583973236c5deacfc31dd9ff441045d495a68857373b14e95f449e
SHA1: 478037ddbcaf904c6dc77146014cc8cd5c29eebd
MD5: f0f74c6f873a9c19994af1c8b9af9775
Strike ID: M20-28yf1
Malware: Ramnit_d831b191
Platform: Windows
Info: This strike sends a polymorphic malware sample known as Ramnit. Ramnit is a banking trojan first seen in 2010 that has recently resumed activity. After infection it scans files for keywords of interest, such as wallet, passwords, or the names of the targeted banks. Ramnit is distributed through malvertising and malware-laden spam, and has also used popular exploit kits such as Angler. The binary has been packed with the UPX packer using its default options.
External References: https://attack.mitre.org/techniques/T1045/
SHA256: 3d96c032b11bef9a4e67536d129f06f7b3063fb005cde1a425280641c1b04602
SHA1: 59ab94ae07b7671eed559e8670efe03ed490edc3
PARENTID: M20-668s1
SSDEEP: 1536:GlfMUc1eJMiSosL8/Zu+2fH/bRFz64KqPikiucOw4ZOryejmqn3BjtQM:GfQj4AhXm4KqPiY44ZgjT3Jz
MD5: d831b1911812a9093cf646871b9e5130
Strike ID: M20-tp6r1
Malware: Fareit_cf2e03ec
Platform: Windows
Info: This strike sends a polymorphic malware sample known as Fareit. Fareit steals and harvests credentials from the targeted system. This information is then exfiltrated to a C2 server. The binary has random bytes appended at the end of the file.
External References: https://attack.mitre.org/techniques/T1009/
SHA256: 1058a78aa8a27121459344f6c9fc70a6946af062abad30ba06f9a3a2b3a03a36
SHA1: abcc5eae47bd9bbc19b527d2c10acccf63e875bb
PARENTID: M20-yztx1
SSDEEP: 3072:YyqX75fvyv3gYq7fhvFGErUVAMhqalOR/aukQ:f45fvigYqbhBrUVThqaqau5
MD5: cf2e03ec985d204a054788269665cfe0
Strike ID: M20-x9901
Malware: Fareit_64c39dd5
Platform: Windows
Info: This strike sends a malware sample known as Fareit. Fareit steals and harvests credentials from the targeted system. This information is then exfiltrated to a C2 server.
External References: https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: 9b54a9a9fde24c8634c47c950dcb7218d4e1ae1d7c4771f4abd3b92a12e9c686
SHA1: 93a02c721463fc26015d469a4f465b7ece2cb9d1
MD5: 64c39dd59e30e965b6650bc5cb517675
Strike ID: M20-7uax1
Malware: Dridex_224eac52
Platform: Windows
Info: This strike sends a malware sample known as Dridex. Dridex is online banking malware that steals personal information through HTML injection. It was first spotted at the end of 2014 and its authors have updated it periodically since then. A notable addition is the AtomBombing injection technique, which exploits no vulnerability but abuses a design weakness in Windows' global atom tables to make Dridex harder for antivirus products to detect.
External References: https://blog.talosintelligence.com/2020/06/threat-roundup-0529-0605.html
SHA256: a098e6f2a14908c4220bcc59c872d331841b3d7beaaea945717439be15778a23
SHA1: 8b32bc110b4e0a113b6a78877a9d5dfd770168cd
MD5: 224eac52bf474257192ab18869dd7aab
Strike ID: M20-pnek1
Malware: Zbot_f9317eab
Platform: Windows
Info: This strike sends a malware sample known as Zbot. Zbot, also known as Zeus, is a trojan most often associated with stealing banking information through keystroke logging and form grabbing.
External References: https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: 058051ccc05ed076f17535e744f385290eda9c2e0912ed7c460e5b571b3e26dc
SHA1: 269cca202ce7af7875e7fe9802a6a37854a209f9
MD5: f9317eab06ef5c50754003c89b7f311d
Strike ID: M20-3y2b1
Malware: Ramnit_6d9e71cf
Platform: Windows
Info: This strike sends a malware sample known as Ramnit. Ramnit is a banking trojan first seen in 2010 that has recently resumed activity. After infection it scans files for keywords of interest, such as wallet, passwords, or the names of the targeted banks. Ramnit is distributed through malvertising and malware-laden spam, and has also used popular exploit kits such as Angler.
External References: https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: 75d9881c6670d6e23fc962532a6c4ae2d23f816f59f88d93131d81400dcea15b
SHA1: 9e88ef8ecb97fb2ef7ad74d73c647e15ebb9b5bf
MD5: 6d9e71cf42d1e2afc45b2f0c3d4cd599
Strike ID: M20-ovf71
Malware: Fareit_cbecde1e
Platform: Windows
Info: This strike sends a malware sample known as Fareit. Fareit steals and harvests credentials from the targeted system. This information is then exfiltrated to a C2 server.
External References: https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: b02eaf95b97c81f56eaddded473b0c66668ff4f55bb84c929c28af1b502b3b7d
SHA1: f91c19abe19bfd4b1709e0441bb4f7d2288fdbd0
MD5: cbecde1ed1427e330fb19878a13c064c
Strike ID: M20-h66j1
Malware: Ramnit_3388c00a
Platform: Windows
Info: This strike sends a malware sample known as Ramnit. Ramnit is a banking trojan first seen in 2010 that has recently resumed activity. After infection it scans files for keywords of interest, such as wallet, passwords, or the names of the targeted banks. Ramnit is distributed through malvertising and malware-laden spam, and has also used popular exploit kits such as Angler.
External References: https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: 7fe04f0111eebfeb1d602a42d78c80a48c2d4e9f139a1b432822ce2e549eb2ba
SHA1: 41cba0d3b58bcd8de65e8476311a934301f7c6b2
MD5: 3388c00abcea3960d9bd561627508021
Strike ID: M20-u2u11
Malware: Cybergate_7c80cf1f
Platform: Windows
Info: This strike sends a malware sample known as Cybergate. Cybergate, also known as Rebhip, is a Remote Access Trojan that allows attackers to fully control the target system. Functionality includes command shell interaction, screenshot capturing, audio/video capturing, keylogging, as well as uploading/downloading files from the target system.
External References: https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: 36806975e01188ab35484d5b3e119fa74fc8feebf99d400ed5fa9ac9fbf250f6
SHA1: 046d75ad03662cd3fe9780f3bf324b17849f3c9d
MD5: 7c80cf1f754e32d3ca703e59cb8c8aa5
Strike ID: M20-wer81
Malware: Fareit_6ba7111f
Platform: Windows
Info: This strike sends a malware sample known as Fareit. Fareit steals and harvests credentials from the targeted system. This information is then exfiltrated to a C2 server.
External References: https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: 887cbd08236e1dcdc582789a9fd1122cfe3a2729010a79efd9b48e50d0a290d5
SHA1: 387df9942e31049f1ea9448aa14fcadc11f145b3
MD5: 6ba7111f3090b7449e50a10829b42ce6
Strike ID: M20-ze9b1
Malware: Cybergate_0285f99b
Platform: Windows
Info: This strike sends a malware sample known as Cybergate. Cybergate, also known as Rebhip, is a Remote Access Trojan that allows attackers to fully control the target system. Functionality includes command shell interaction, screenshot capturing, audio/video capturing, keylogging, as well as uploading/downloading files from the target system.
External References: https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: 497cebdc6a2b1b3a3948f94871de8ef1c2ac64e14a4d35c73e136b1f9ed12405
SHA1: c78a87c7e7ba0c73a8129112ee4332caf8fb5bd5
MD5: 0285f99b75d249de405ee6c97da381b8
Strike ID: M20-jhtf1
Malware: Dridex_26459aa8
Platform: Windows
Info: This strike sends a malware sample known as Dridex. Dridex is online banking malware that steals personal information through HTML injection. It was first spotted at the end of 2014 and its authors have updated it periodically since then. A notable addition is the AtomBombing injection technique, which exploits no vulnerability but abuses a design weakness in Windows' global atom tables to make Dridex harder for antivirus products to detect.
External References: https://blog.talosintelligence.com/2020/06/threat-roundup-0529-0605.html
SHA256: 6dde7661cbe3990f93ec05bfbd95f587bc857d576e79144f8c65cf9a36ae6c0c
SHA1: 356c9cb6e9ba8d64c0c9810d1e50b0418e12f6b3
MD5: 26459aa8286195619b2345fe66cce7db
Strike ID: M20-3sz41
Malware: Dridex_98f3f103
Platform: Windows
Info: This strike sends a malware sample known as Dridex. Dridex is online banking malware that steals personal information through HTML injection. It was first spotted at the end of 2014 and its authors have updated it periodically since then. A notable addition is the AtomBombing injection technique, which exploits no vulnerability but abuses a design weakness in Windows' global atom tables to make Dridex harder for antivirus products to detect.
External References: https://blog.talosintelligence.com/2020/06/threat-roundup-0529-0605.html
SHA256: 5978e277d535ae6803d988ec03a5bb068a9930f4daf85ab966ac92278f59dabc
SHA1: 13082431a67f99bbb9cba24cb1eb46e84943ab37
MD5: 98f3f1033cf5e4381f0052d5fd9df795
Strike ID: M20-p3dp1
Malware: Cybergate_33c634ed
Platform: Windows
Info: This strike sends a malware sample known as Cybergate. Cybergate, also known as Rebhip, is a Remote Access Trojan that allows attackers to fully control the target system. Functionality includes command shell interaction, screenshot capturing, audio/video capturing, keylogging, as well as uploading/downloading files from the target system.
External References: https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: 1fc80523bb4a2290e683303ddad3f413079a320c0f23e055531b6ea543dcfc9c
SHA1: d24e73de61e7e480563b04f87362fa5222612ff5
MD5: 33c634ed9e170734fef2d6344e25519c
Strike ID: M20-noos1
Malware: Dridex_42af089a
Platform: Windows
Info: This strike sends a malware sample known as Dridex. Dridex is online banking malware that steals personal information through HTML injection. It was first spotted at the end of 2014 and its authors have updated it periodically since then. A notable addition is the AtomBombing injection technique, which exploits no vulnerability but abuses a design weakness in Windows' global atom tables to make Dridex harder for antivirus products to detect.
External References: https://blog.talosintelligence.com/2020/06/threat-roundup-0529-0605.html
SHA256: 24770b17a0dff8ff2f9f2e593b7268a7626908c4753fa2dcae27535dc58442c3
SHA1: 5d2be766137505a3c545e1d9f51b4a95e717bae4
MD5: 42af089ac1e30ee892aab97a952bbeb4
Strike ID: M20-5i5u1
Malware: Zbot_8d845fad
Platform: Windows
Info: This strike sends a malware sample known as Zbot. Zbot, also known as Zeus, is a trojan most often associated with stealing banking information through keystroke logging and form grabbing.
External References: https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: 4de13fa0580a6f7f315652cfe448493336db4cbcbcc31fa15caf5016ce11aa72
SHA1: 825ae2fd158e6feec06d7f09a031ce30c9a21e6d
MD5: 8d845fade3fee728e50265a0c9ef7b2d
Strike ID: M20-g0kb1
Malware: Fareit_8303126e
Platform: Windows
Info: This strike sends a malware sample known as Fareit. Fareit steals and harvests credentials from the targeted system. This information is then exfiltrated to a C2 server.
External References: https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: 1f22e636178472cd432cf834efadd3f231d868030c640d45bc7b319095f280f9
SHA1: c476963e37e0c05a4b31801ca82787dcad7ba8e4
MD5: 8303126e1baff7096a62462273a43b7c
Strike ID: M20-za8o1
Malware: Zbot_b02da2d3
Platform: Windows
Info: This strike sends a malware sample known as Zbot. Zbot, also known as Zeus, is a trojan most often associated with stealing banking information through keystroke logging and form grabbing.
External References: https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: 29561a21de4d716de129ff67f4504feee5232e932dc7925d8acf2fd6220b7ba6
SHA1: 43fac469a5f19ca8b5c472714d636acfefdb78f0
MD5: b02da2d36283a5588c57da2f0753812a
Strike ID: M20-bgrl1
Malware: Zbot_108af110
Platform: Windows
Info: This strike sends a polymorphic malware sample known as Zbot. Zbot, also known as Zeus, is a trojan most often associated with stealing banking information through keystroke logging and form grabbing. One of the binary's PE section names has been replaced with a random name that conforms to the PE format specification.
External References: https://arxiv.org/abs/1801.08917
SHA256: 7a3fcddf51d036f5747cd050d6d93465f18558b45fb94908cc3c13f070bde408
SHA1: 73df8df6593ec5d07a0843272de4ac6f83c74f09
PARENTID: M20-qrni1
SSDEEP: 6144:O/IZqkiisqNuNWyD+lLo9lvh1GhI30EfNqy0:RqJXqNuNLDyLo9lvhI40S90
MD5: 108af11013d29a29c7f8e374032b5ead
Strike ID: M20-668s1
Malware: Ramnit_f0a3e4ec
Platform: Windows
Info: This strike sends a malware sample known as Ramnit. Ramnit is a banking trojan first seen in 2010 that has recently resumed activity. After infection it scans files for keywords of interest, such as wallet, passwords, or the names of the targeted banks. Ramnit is distributed through malvertising and malware-laden spam, and has also used popular exploit kits such as Angler.
External References: https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: d1cabff331de0b05c7ca7deae3f63eb272dfdd9e1a343c87c7f197eec40b218d
SHA1: 913f7be2e737da1c2e6afdb239e2cc28808b1058
MD5: f0a3e4eca113df7d09bbff6c3678ff27
Strike ID: M20-xadb1
Malware: Fareit_e4a83956
Platform: Windows
Info: This strike sends a malware sample known as Fareit. Fareit steals and harvests credentials from the targeted system. This information is then exfiltrated to a C2 server.
External References: https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: 073eca66e8a691e4feb067ea9be6be2f860a37a16c0e4e2d82cbe0d9d6bcf626
SHA1: d2e5e9f9ee8b0d8d91304551cc547017769bf64c
MD5: e4a8395660df09d4e5855fe98d4e10e5
Strike ID: M20-ypf51
Malware: Dridex_bb919215
Platform: Windows
Info: This strike sends a polymorphic malware sample known as Dridex. Dridex is online banking malware that steals personal information through HTML injection. It was first spotted at the end of 2014 and its authors have updated it periodically since then. A notable addition is the AtomBombing injection technique, which exploits no vulnerability but abuses a design weakness in Windows' global atom tables to make Dridex harder for antivirus products to detect. The binary has random bytes appended at the end of the file.
External References: https://attack.mitre.org/techniques/T1009/
SHA256: 5ccebf9594479c285fe17ed737654992981e74f54cc2105c4cbcc593d9c0692e
SHA1: bcd7696f083166022174882dd917665f5c4f9a29
PARENTID: M20-noos1
SSDEEP: 12288:7vT0ZFbuLSXE3SokMYdwfpM7S4hfs3TJRdQZ:WFCLSXNbMYyRMko
MD5: bb919215a7a8d6b9dd58fe14ddbd2914
Strike ID: M20-oexa1
Malware: Ramnit_aab389b4
Platform: Windows
Info: This strike sends a malware sample known as Ramnit. Ramnit is a banking trojan first seen in 2010 that has recently resumed activity. After infection it scans files for keywords of interest, such as wallet, passwords, or the names of the targeted banks. Ramnit is distributed through malvertising and malware-laden spam, and has also used popular exploit kits such as Angler.
External References: https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: 21925ad39855bfa10ffc15fb35dcbfaf652ceb2b72d247b3d04e17a370bb5124
SHA1: 25b317a85530aa31dc4cf8f328bd49758021f883
MD5: aab389b44733084ec9ab58b7f7f13a04
Strike ID: M20-c9sp1
Malware: Dridex_2794388c
Platform: Windows
Info: This strike sends a malware sample known as Dridex. Dridex is online banking malware that steals personal information through HTML injection. It was first spotted at the end of 2014 and its authors have updated it periodically since then. A notable addition is the AtomBombing injection technique, which exploits no vulnerability but abuses a design weakness in Windows' global atom tables to make Dridex harder for antivirus products to detect.
External References: https://blog.talosintelligence.com/2020/06/threat-roundup-0529-0605.html
SHA256: 43704d85c99c81841be1ecef92ad63d70050dda717ae6e176b62fa3133c52de2
SHA1: bf0e3772ec9f91b139eed6f71a8d88ecbfdf8006
MD5: 2794388cf801e19b2e67e1e05565962b
Strike ID: M20-sarj1
Malware: Ramnit_6a9c5dea
Platform: Windows
Info: This strike sends a malware sample known as Ramnit. Ramnit is a banking trojan first seen in 2010 that has recently resumed activity. After infection it scans files for keywords of interest, such as wallet, passwords, or the names of the targeted banks. Ramnit is distributed through malvertising and malware-laden spam, and has also used popular exploit kits such as Angler.
External References: https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: b3636289fe8f2f0879c295edc278595c6b881a594c247504fa3f83ff8bbf6592
SHA1: e01dc036b738181582a558c8727838c9db6c4a2d
MD5: 6a9c5dea5eed27a993cd13041c567fe2
Strike ID: M20-9grz1
Malware: Cybergate_67129895
Platform: Windows
Info: This strike sends a malware sample known as Cybergate. Cybergate, also known as Rebhip, is a Remote Access Trojan that allows attackers to fully control the target system. Functionality includes command shell interaction, screenshot capturing, audio/video capturing, keylogging, as well as uploading/downloading files from the target system.
External References: https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: 612f9221336c5c7673f1fa6ae3e720d154089cb01a5c15265645bb89cc2b038a
SHA1: 7d8d4de499ef0c13deee151fc97c18777cfb229a
MD5: 671298951b1620412c95092891cf9f1e
Strike ID: M20-od361
Malware: Ramnit_091e4a66
Platform: Windows
Info: This strike sends a malware sample known as Ramnit. Ramnit is a banking trojan first seen in 2010 that has recently resumed activity. After infection it scans files for keywords of interest, such as wallet, passwords, or the names of the targeted banks. Ramnit is distributed through malvertising and malware-laden spam, and has also used popular exploit kits such as Angler.
External References: https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: c59dcd9cbd7ed3580a1172d749b6b9559b9cc68cd254741efba5b89ac4943db7
SHA1: 94dc381f6df4cd0861543fc12342fdd8d5f0c260
MD5: 091e4a6652bc3b65c5b03c36253a917f
Strike ID: M20-gci31
Malware: Zbot_c6a0593a
Platform: Windows
Info: This strike sends a malware sample known as Zbot. Zbot, also known as Zeus, is a trojan most often associated with stealing banking information through keystroke logging and form grabbing.
External References: https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: 07905ece0c4747aad1bf4b7f11693e319140a4e55f1b40308209f4ccf3c16dfb
SHA1: 0dda24d77d4e7055f0065289104cce047f3c4050
MD5: c6a0593a78d89a28044fc87f0986539a
Strike ID: M20-jfox1
Malware: Cybergate_74c167be
Platform: Windows
Info: This strike sends a malware sample known as Cybergate. Cybergate, also known as Rebhip, is a Remote Access Trojan that allows attackers to fully control the target system. Functionality includes command shell interaction, screenshot capturing, audio/video capturing, keylogging, as well as uploading/downloading files from the target system.
External References: https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: 5b3adb4375bd0075be28205ca71ddbf4276b83bbca9b66cdb9ee82bed8682891
SHA1: eaf5f5f28b9da7bc8c1523e03a0ddedec3a06f25
MD5: 74c167be7228f444eee933d7fca4001c
Strike ID: M20-ew4h1
Malware: Dridex_f528adce
Platform: Windows
Info: This strike sends a malware sample known as Dridex. Dridex is online banking malware that steals personal information through HTML injection. It was first spotted at the end of 2014 and its authors have updated it periodically since then. A notable addition is the AtomBombing injection technique, which exploits no vulnerability but abuses a design weakness in Windows' global atom tables to make Dridex harder for antivirus products to detect.
External References: https://blog.talosintelligence.com/2020/06/threat-roundup-0529-0605.html
SHA256: 9f0ab6f0b08a40138b4de3be8cd9c40333c4a5e30f476e632bfd715c20e7e1ba
SHA1: 13fcbae9a26eecd20676d45fba349d6281450e35
MD5: f528adce9b5cc0d37984d27682080241
Strike ID: M20-00pn1
Malware: Cybergate_192d1422
Platform: Windows
Info: This strike sends a malware sample known as Cybergate. Cybergate, also known as Rebhip, is a Remote Access Trojan that allows attackers to fully control the target system. Functionality includes command shell interaction, screenshot capturing, audio/video capturing, keylogging, as well as uploading/downloading files from the target system.
External References: https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: 6b53e1a9fb4188b1440725ffa1f282fdf9676942729324a33870461c1cfa1915
SHA1: 4465a0be53715f42007a51a6c46d78c868b9a237
MD5: 192d142254d76a2b78d11c0be27d9998
Strike ID: M20-5i131
Malware: Fareit_5566bf3c
Platform: Windows
Info: This strike sends a malware sample known as Fareit. Fareit steals and harvests credentials from the targeted system. This information is then exfiltrated to a C2 server.
External References: https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: 2a4dab5fa66737060a150cdab44506efcd2c33651cbe10a383d5a19e41e0ceb2
SHA1: cc11fc9c842ad9458702c66ade9f75c78800c0a1
MD5: 5566bf3c6508e9b23603ba5442a8102e
Strike ID: M20-uxkw1
Malware: Cybergate_2131e30b
Platform: Windows
Info: This strike sends a polymorphic malware sample known as Cybergate. Cybergate, also known as Rebhip, is a Remote Access Trojan that allows attackers to fully control the target system. Functionality includes command shell interaction, screenshot capturing, audio/video capturing, keylogging, as well as uploading/downloading files from the target system. Random content has been appended to one of the binary's existing PE sections.
External References: https://arxiv.org/abs/1801.08917
SHA256: 3b9660a4e1e9f2e6f9cd991a2550559a21e1598ecb2280d9474d904cd18130b7
SHA1: 6603276352dcec90b2b4cf30fd2a46f8a56bc96c
PARENTID: M20-lqct1
SSDEEP: 12288:KaH6uGURWHTrbPq6US47zWfXkkctzkbpfPFNIKDGZfM/B35aQ:5HbGMKT/Pq6USazkkkkopPFNI/fI5aQ
MD5: 2131e30be3c45b6605db9341528f6d20
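The polymorphic strikes in this list (M20-28yf1, M20-tp6r1, M20-bgrl1, M20-ypf51 and M20-uxkw1 above) are each derived from the sample named in their PARENTID by a single file-level transformation: random bytes appended after the last section (T1009), a renamed section, content appended inside an existing section, or UPX packing. The script below is an added example, not part of this list and not a tool from any vendor named here: it parses the PE section table by hand (no pefile dependency), strips the overlay, and reports which transformation separates a child from its parent, so that padded variants can be matched back to the parent's hash. The PE images it builds are constructed stand-ins that exist only to exercise the parser; in practice compare() is pointed at a real parent and child read from disk.

```python
"""Match a 'polymorphic' child sample back to its parent by diffing the PE section
table and the overlay.  Added example; the PE images built here are constructed."""
import hashlib
import random
import struct

FILE_ALIGN = 0x200
SECTION_HDR = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes


def align(n, a=FILE_ALIGN):
    return (n + a - 1) & ~(a - 1)


def parse_sections(data):
    """Return [(name, PointerToRawData, SizeOfRawData)] from the section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]            # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    num_sections = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    table = pe_off + 24 + opt_size                               # after COFF + optional header
    out = []
    for i in range(num_sections):
        name, _vsize, _va, raw_size, raw_off = struct.unpack_from("<8sIIII", data, table + 40 * i)
        out.append((name.rstrip(b"\0").decode("ascii", "replace"), raw_off, raw_size))
    return out


def split_overlay(data):
    """Split a PE into (mapped body, overlay): the overlay is everything past the last raw section."""
    end = max(off + size for _, off, size in parse_sections(data))
    return data[:end], data[end:]


def compare(parent, child):
    """Classify how a child sample differs from its parent."""
    p_body, p_ovl = split_overlay(parent)
    c_body, c_ovl = split_overlay(child)
    p_secs, c_secs = parse_sections(parent), parse_sections(child)
    return {
        "overlay_bytes_added": len(c_ovl) - len(p_ovl),
        # For padding-only variants, dropping the overlay recovers the parent byte for byte.
        "body_sha256_matches_parent": hashlib.sha256(c_body).digest() == hashlib.sha256(p_body).digest(),
        "renamed_sections": [(p[0], c[0]) for p, c in zip(p_secs, c_secs) if p[0] != c[0]],
        "grown_sections": [c[0] for p, c in zip(p_secs, c_secs) if c[2] > p[2]],
        # Default UPX section names only; a repacked binary with renamed sections evades this.
        "upx_section_names": any(s[0].startswith("UPX") for s in c_secs),
    }


def build_pe(names, bodies):
    """Constructed minimal PE32 layout (DOS stub, COFF header, optional header, sections).
    Enough for section-table parsing; it is not a runnable executable."""
    opt_size, pe_off = 0xE0, 0x40
    hdr_size = align(pe_off + 24 + opt_size + 40 * len(names))
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", pe_off)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(names), 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)    # PE32 magic, rest zeroed
    table, raw, off = b"", b"", hdr_size
    for name, body in zip(names, bodies):
        size = align(len(body))
        table += struct.pack(SECTION_HDR, name.ljust(8, b"\0"), len(body), 0x1000,
                             size, off, 0, 0, 0, 0, 0x60000020)
        raw += body.ljust(size, b"\0")
        off += size
    return (dos + coff + opt + table).ljust(hdr_size, b"\0") + raw


def demo():
    """One constructed parent plus one child per transformation seen in this list."""
    rng = random.Random(2020)
    junk = bytes(rng.getrandbits(8) for _ in range(0x300))     # constructed random filler
    text, data = b"\x55\x8b\xec" * 40, b"constructed .data section"
    parent = build_pe([b".text", b".data"], [text, data])
    return {
        "overlay_appended": compare(parent, parent + junk[:300]),
        "section_renamed": compare(parent, build_pe([b".text", b".qzxw"], [text, data])),
        "section_grown": compare(parent, build_pe([b".text", b".data"], [text, data + junk])),
    }


if __name__ == "__main__":
    for variant, findings in demo().items():
        print(variant, findings)
```

For the T1009 variants the SHA256 of the child with its overlay removed equals the parent's SHA256, which is a cheaper and more exact check than comparing SSDEEP values. A renamed section or in-section append changes the body hash, so there the section-table diff is what ties the child to its parent. UPX is only flagged by its default section names; a UPX binary whose sections were renamed after packing needs an entropy or unpacking check instead.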
Strike ID: M20-aw8m1
Malware: Zbot_51f30b00
Platform: Windows
Info: This strike sends a malware sample known as Zbot. Zbot, also known as Zeus, is a trojan most often associated with stealing banking information through keystroke logging and form grabbing.
External References: https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: 01f24045d18c966d195d0934ac6bc801652a5908a9ef50124c0557f6d03d42c3
SHA1: eadacf5cc009dd7a682e9a0feb55e91a8bdd3d81
MD5: 51f30b009f64c9f8a6f9dba91ab58676
M20-lyjh1 | Ramnit_e06e8adc | Windows | This strike sends a malware sample known as Ramnit. Ramnit is a banking trojan that has been around since 2010 and has recently resumed activity. After infection, it scans files for keywords of interest, such as wallet, passwords, or the names of the targeted banks. Ramnit uses malvertising and malware-laden spam for distribution, though it has also employed popular exploit kits, such as Angler. | e06e8adcd544f9cec8abb63e0ff34544 | https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: 84ec757a84f0b5da11955b24486d1be60e7c6eeb2f5b8b4de656a2e498e9184b
SHA1: 061bd0536a38f253c3a46a640d80ba64ad9a9d57
MD5: e06e8adcd544f9cec8abb63e0ff34544
M20-g3mn1 | Fareit_142e6397 | Windows | This strike sends a malware sample known as Fareit. Fareit steals and harvests credentials from the targeted system. This information is then exfiltrated to a C2 server. | 142e6397c9f16295e4075416f3bb8c93 | https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: 1f1dccb65ab0390f7c11c5d022b19d2a082b7602f09273a7022a9cfaadf703f4
SHA1: d4e789b4a827364b460d3909b74d8b12cec1179d
MD5: 142e6397c9f16295e4075416f3bb8c93
M20-846e1 | Cybergate_d92780ef | Windows | This strike sends a malware sample known as Cybergate. Cybergate, also known as Rebhip, is a Remote Access Trojan that allows attackers to fully control the target system. Functionality includes command shell interaction, screenshot capturing, audio/video capturing, keylogging, as well as uploading/downloading files from the target system. | d92780efdd7560ff9ab6fc4eaa7b12cd | https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: 1a6c0121d371ad7225ec0fd2c524979e30a57b3eef24676781cf631d704f0ec4
SHA1: e49dacf721f2c3b7db6312eaecdb4586fe799855
MD5: d92780efdd7560ff9ab6fc4eaa7b12cd
M20-e0an1 | Dridex_0638b38c | Windows | This strike sends a polymorphic malware sample known as Dridex. Dridex is online banking malware that steals personal information through HTML injections. It was first spotted at the end of 2014 and its authors have kept improving it periodically since then. The latest improvement is the addition of the AtomBombing technique (which exploits no vulnerability but abuses a design flaw in Windows' system-level atom tables), making Dridex harder for antivirus products to detect. The binary has random strings (lorem ipsum) appended at the end of the file. | 0638b38ce1a6c57e05724a06af1d7fbe | https://attack.mitre.org/techniques/T1009/
SHA256: 66cb646f096d32ec982762055397f999b615949529e3ffbbade0f94778764767
SHA1: 2a00153bc737272d72d20643b28e6ebe4defe255
PARENTID: M20-n2a51
SSDEEP: 12288:7vT0kFbuLSXE3SokMYdwfpM7S4hfs3TJRdH:rFCLSXNbMYyRMkx
MD5: 0638b38ce1a6c57e05724a06af1d7fbe
M20-zbur1 | Ramnit_5beccf1a | Windows | This strike sends a malware sample known as Ramnit. Ramnit is a banking trojan that has been around since 2010 and has recently resumed activity. After infection, it scans files for keywords of interest, such as wallet, passwords, or the names of the targeted banks. Ramnit uses malvertising and malware-laden spam for distribution, though it has also employed popular exploit kits, such as Angler. | 5beccf1ad7af841b8a677c0de6a1a6fa | https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: 2e95a39f9ecc3f8c22b7fe785393eccc37326ccb84f984eaca9f06c51120ab1d
SHA1: ab933176b3066273e776c44d59bd46df095a8e4d
MD5: 5beccf1ad7af841b8a677c0de6a1a6fa
M20-jtet1 | Dridex_a95370f4 | Windows | This strike sends a malware sample known as Dridex. Dridex is online banking malware that steals personal information through HTML injections. It was first spotted at the end of 2014 and its authors have kept improving it periodically since then. The latest improvement is the addition of the AtomBombing technique (which exploits no vulnerability but abuses a design flaw in Windows' system-level atom tables), making Dridex harder for antivirus products to detect. | a95370f484d8b485e874d860ee6b0e4e | https://blog.talosintelligence.com/2020/06/threat-roundup-0529-0605.html
SHA256: f9db0f7f33191a91a6a4acc1593d696b62c2a6c927c1144937e58793e2249f78
SHA1: 2d01191bc8d7c9d0e9d44acac5d65baa86a9eb9e
MD5: a95370f484d8b485e874d860ee6b0e4e
M20-mnok1 | Zbot_aa126de1 | Windows | This strike sends a malware sample known as Zbot. Zbot, also known as Zeus, is a trojan often associated with stealing banking information through keystroke logging and form-grabbing techniques. | aa126de1618733ecf610e28d875b9c29 | https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: 2e8882116694efbb6b57355f7f3e6b79b77cfbae42b5204b3d3172497f7e327d
SHA1: 81ba23af6ab955ccb583f4deadd56ff0cb9c6e49
MD5: aa126de1618733ecf610e28d875b9c29
M20-qrni1 | Zbot_2be7af03 | Windows | This strike sends a malware sample known as Zbot. Zbot, also known as Zeus, is a trojan often associated with stealing banking information through keystroke logging and form-grabbing techniques. | 2be7af03eae4214b068bd65ae62f8e70 | https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: 29114a3a6b05e119245d93373f8776a086a9018016238a3300ed93700d7f2f32
SHA1: fa8c2f9fc61a8f6752d0cf5cd4cfc6c443d86648
MD5: 2be7af03eae4214b068bd65ae62f8e70
M20-kxgs1 | Dridex_ea6c06f1 | Windows | This strike sends a polymorphic malware sample known as Dridex. Dridex is online banking malware that steals personal information through HTML injections. It was first spotted at the end of 2014 and its authors have kept improving it periodically since then. The latest improvement is the addition of the AtomBombing technique (which exploits no vulnerability but abuses a design flaw in Windows' system-level atom tables), making Dridex harder for antivirus products to detect. The binary has its checksum removed from the PE file. | ea6c06f15c61e2bed4d1aa3fee5c5914 | https://arxiv.org/abs/1801.08917
SHA256: d8b27b6d492af215ed496e54d71447fad2d03017d3d81b8a21115e2bac61336e
SHA1: 85a5cbeaab2d0ae5f74fbd64f3d1bb9268c02284
PARENTID: M20-n2a51
SSDEEP: 12288:7vT0kFbuLSXE3SokMYdwfpM7S4hfs3TJRd:rFCLSXNbMYyRMk
MD5: ea6c06f15c61e2bed4d1aa3fee5c5914
M20-zrhw1 | Fareit_a02acdb9 | Windows | This strike sends a malware sample known as Fareit. Fareit steals and harvests credentials from the targeted system. This information is then exfiltrated to a C2 server. | a02acdb96532b76691d5b1aafd9d2164 | https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: 3fd16c2e53560649e0b1c79be0e86403887d50588700e66bac1dabbb2b99b753
SHA1: 7373ebe1342d377ff23f034d40ca9aca56239372
MD5: a02acdb96532b76691d5b1aafd9d2164
M20-64im1 | Fareit_a87ec883 | Windows | This strike sends a malware sample known as Fareit. Fareit steals and harvests credentials from the targeted system. This information is then exfiltrated to a C2 server. | a87ec883548bd0e72239fe2953ffec20 | https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: 8096baab22457c9fc3087dd93e90a0f4db9be9ecebead32f0f33c965e4b153dc
SHA1: 1f84aca57eacfee5667a22b9eacbe982cb5e3a39
MD5: a87ec883548bd0e72239fe2953ffec20
M20-jdau1 | Ramnit_d9ab842c | Windows | This strike sends a malware sample known as Ramnit. Ramnit is a banking trojan that has been around since 2010 and has recently resumed activity. After infection, it scans files for keywords of interest, such as wallet, passwords, or the names of the targeted banks. Ramnit uses malvertising and malware-laden spam for distribution, though it has also employed popular exploit kits, such as Angler. | d9ab842ce16ca8f14fae8f075d8bdb1f | https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: c052401b1d61a37fad733e4e178ac084ae44067c7e88ef834d35a09c70ca39e4
SHA1: ac86b0a61de7ca956a2f744248bd462ffc45c668
MD5: d9ab842ce16ca8f14fae8f075d8bdb1f
M20-nafe1 | Ramnit_698ce9c2 | Windows | This strike sends a malware sample known as Ramnit. Ramnit is a banking trojan that has been around since 2010 and has recently resumed activity. After infection, it scans files for keywords of interest, such as wallet, passwords, or the names of the targeted banks. Ramnit uses malvertising and malware-laden spam for distribution, though it has also employed popular exploit kits, such as Angler. | 698ce9c280a4f25f37d443b056ec3f97 | https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: a8ccbc5df926b0a2afdeab0344b55c93b5469237350634a4f8b170d3cc40e44e
SHA1: 3cf455039f1621c7b0c9f2dbd24555406e37c034
MD5: 698ce9c280a4f25f37d443b056ec3f97
M20-keng1 | Zbot_cf646bf9 | Windows | This strike sends a malware sample known as Zbot. Zbot, also known as Zeus, is a trojan often associated with stealing banking information through keystroke logging and form-grabbing techniques. | cf646bf9541e8f6a394a6dbbfb10e3aa | https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: 4ea79444f67c2c5ef753e785887a9181ae17eb984c7f37a3113cad6a2b2e6ccd
SHA1: 0864a1c222eaf8487ac9b2d2ee5237a4c3941ea8
MD5: cf646bf9541e8f6a394a6dbbfb10e3aa
M20-jeyj1 | Dridex_179b0e16 | Windows | This strike sends a polymorphic malware sample known as Dridex. Dridex is online banking malware that steals personal information through HTML injections. It was first spotted at the end of 2014 and its authors have kept improving it periodically since then. The latest improvement is the addition of the AtomBombing technique (which exploits no vulnerability but abuses a design flaw in Windows' system-level atom tables), making Dridex harder for antivirus products to detect. The binary has one more import added to its import table. | 179b0e16cc2dab63398de7b890da23f9 | https://arxiv.org/abs/1702.05983
SHA256: 7e80399a12479a3f12db97ad30dd2f8c0bd8edb8405061ad38a36496c5df3601
SHA1: e2bd57e065a8522acc8c7381c0dc9b2c5f8619ea
PARENTID: M20-noos1
SSDEEP: 12288:uvT0ZFbuLSXE3SokMYdwfpM7S4hfs3TJRd:5FCLSXNbMYyRMk
MD5: 179b0e16cc2dab63398de7b890da23f9
M20-yft61 | Fareit_1d226204 | Windows | This strike sends a malware sample known as Fareit. Fareit steals and harvests credentials from the targeted system. This information is then exfiltrated to a C2 server. | 1d226204037b664cc2130ce6aab28830 | https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: 2cf78102a3bc75a331abf49f6b46fa27546b0a33f4e937e05fed54d53499073c
SHA1: 84d7b1748d4b293d6bbdf9d03d79ed5f1130097d
MD5: 1d226204037b664cc2130ce6aab28830
M20-5imw1 | Ramnit_8f11eb4c | Windows | This strike sends a malware sample known as Ramnit. Ramnit is a banking trojan that has been around since 2010 and has recently resumed activity. After infection, it scans files for keywords of interest, such as wallet, passwords, or the names of the targeted banks. Ramnit uses malvertising and malware-laden spam for distribution, though it has also employed popular exploit kits, such as Angler. | 8f11eb4c5d64f69d1eadabec2d9238d0 | https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: 75350b7659af658758e04bf2d15172e405e8cc2158dfda64bcd6a513aeee9269
SHA1: 26d1a1461ec328888e75c12a01e28a91f9438b40
MD5: 8f11eb4c5d64f69d1eadabec2d9238d0
M20-3zrs1 | Fareit_ab194d87 | Windows | This strike sends a malware sample known as Fareit. Fareit steals and harvests credentials from the targeted system. This information is then exfiltrated to a C2 server. | ab194d8704ff74eb3b6a7e3a72861ab1 | https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: 3a3502534442c75174835e423e8571477269145b153c77b492156a06e9c47f05
SHA1: 404f354b11f5482c50d325b869e79ea19285e527
MD5: ab194d8704ff74eb3b6a7e3a72861ab1
M20-lxtx1 | Dridex_03970801 | Windows | This strike sends a malware sample known as Dridex. Dridex is online banking malware that steals personal information through HTML injections. It was first spotted at the end of 2014 and its authors have kept improving it periodically since then. The latest improvement is the addition of the AtomBombing technique (which exploits no vulnerability but abuses a design flaw in Windows' system-level atom tables), making Dridex harder for antivirus products to detect. | 039708012057689e82f5e51fcb1f7ea8 | https://blog.talosintelligence.com/2020/06/threat-roundup-0529-0605.html
SHA256: d63b9fcd6e2a3da9965cd991c2280c0297f0ddf9b38000eda95181e4f02736f7
SHA1: c63a876ffdde033ec6e1b374e8bc8121c6c9b29a
MD5: 039708012057689e82f5e51fcb1f7ea8
M20-gun81 | Fareit_9e4c920b | Windows | This strike sends a malware sample known as Fareit. Fareit steals and harvests credentials from the targeted system. This information is then exfiltrated to a C2 server. | 9e4c920b2480b5383e3ecf70d8f44ca5 | https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: 1f816d531d333287dfd5728657cbb223f891addd28e628fb1cd9bfcfb3216825
SHA1: 72e55ba6323b6757d1db8287cda36e5c593d1eac
MD5: 9e4c920b2480b5383e3ecf70d8f44ca5
M20-nurb1 | Cybergate_6135e514 | Windows | This strike sends a malware sample known as Cybergate. Cybergate, also known as Rebhip, is a Remote Access Trojan that allows attackers to fully control the target system. Functionality includes command shell interaction, screenshot capturing, audio/video capturing, keylogging, as well as uploading/downloading files from the target system. | 6135e51450700ceda22f9b729975d521 | https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: 11cd8e3e83744af76e4e3906f7f06a549fe7e49a6ec61a14678f25d7d01509be
SHA1: b7b615cfa3cf28726c14ff1f21ad0f1a74dab923
MD5: 6135e51450700ceda22f9b729975d521
M20-bq071 | Fareit_d59b4589 | Windows | This strike sends a malware sample known as Fareit. Fareit steals and harvests credentials from the targeted system. This information is then exfiltrated to a C2 server. | d59b4589b612901efb782f8043871bb6 | https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: b8dd63abc6d1dee062cf5f5b68e8e91f748e29c354e19b66d119e04849f51083
SHA1: 3d402c2a72268973b9bb5fc399a773a2672fe107
MD5: d59b4589b612901efb782f8043871bb6
M20-pg911 | Cybergate_d2378c47 | Windows | This strike sends a malware sample known as Cybergate. Cybergate, also known as Rebhip, is a Remote Access Trojan that allows attackers to fully control the target system. Functionality includes command shell interaction, screenshot capturing, audio/video capturing, keylogging, as well as uploading/downloading files from the target system. | d2378c479458df3f17211d4c272f2d94 | https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: 6d0ce22174d45918ad313403aaeba8d38bbe59df1af2c09d8abb00d549251458
SHA1: 26e87f6e1ad2fd3142b270332fe3ea8fa2e76b07
MD5: d2378c479458df3f17211d4c272f2d94
M20-ge1m1 | Cybergate_6fcde4d9 | Windows | This strike sends a malware sample known as Cybergate. Cybergate, also known as Rebhip, is a Remote Access Trojan that allows attackers to fully control the target system. Functionality includes command shell interaction, screenshot capturing, audio/video capturing, keylogging, as well as uploading/downloading files from the target system. | 6fcde4d947efe58c76af4e816cac33bb | https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: 5a18e22eefd2d2492491d9001ea3d258f56cb8735576b021bc1e5bc2e6a0f3da
SHA1: 866bb7f3a21dec50c98eb9129f618ea5eb3e1013
MD5: 6fcde4d947efe58c76af4e816cac33bb
M20-ljgk1 | Zbot_edafffe2 | Windows | This strike sends a malware sample known as Zbot. Zbot, also known as Zeus, is a trojan often associated with stealing banking information through keystroke logging and form-grabbing techniques. | edafffe2b082e31de90dd3fb83a220fc | https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: 115dd57d8c7887820eba732e628879f34693791da1cc8f4b270ef954e8a56b2b
SHA1: 3164612cd3595b8cdc376fed133d4fd2f51c1989
MD5: edafffe2b082e31de90dd3fb83a220fc
M20-2rt71 | Cybergate_9ffdc603 | Windows | This strike sends a malware sample known as Cybergate. Cybergate, also known as Rebhip, is a Remote Access Trojan that allows attackers to fully control the target system. Functionality includes command shell interaction, screenshot capturing, audio/video capturing, keylogging, as well as uploading/downloading files from the target system. | 9ffdc6033e95cecd90f932c06a46d77e | https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: 64fa90ed57415dc00be6733a81c531f028324e897bc17e8b4de16f8085c4a113
SHA1: 2c279820e064d767a4a46bb3a4b8e705affbc7ed
MD5: 9ffdc6033e95cecd90f932c06a46d77e
M20-mt621 | Ramnit_4df42fba | Windows | This strike sends a malware sample known as Ramnit. Ramnit is a banking trojan that has been around since 2010 and has recently resumed activity. After infection, it scans files for keywords of interest, such as wallet, passwords, or the names of the targeted banks. Ramnit uses malvertising and malware-laden spam for distribution, though it has also employed popular exploit kits, such as Angler. | 4df42fba00af749db9a9be1e9d13ba5f | https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: a9ea99bbe80da5f7c8bd97eadc8630831812480afdf2827d57a6620589f67ce1
SHA1: 83f12d8fade8c6f3a572800188290e7db9305682
MD5: 4df42fba00af749db9a9be1e9d13ba5f
M20-ahea1 | Ramnit_0de235f0 | Windows | This strike sends a malware sample known as Ramnit. Ramnit is a banking trojan that has been around since 2010 and has recently resumed activity. After infection, it scans files for keywords of interest, such as wallet, passwords, or the names of the targeted banks. Ramnit uses malvertising and malware-laden spam for distribution, though it has also employed popular exploit kits, such as Angler. | 0de235f06a9908d37b440a714bc83e4d | https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: 6c3e1a2ae98ec30890ef5a8640f0130fa0ead136852ed5a9fe452f6ac3c01dba
SHA1: 1a1c46edae72fe36efc05e0507e5d3647c3ea0f2
MD5: 0de235f06a9908d37b440a714bc83e4d
M20-33zo1 | Fareit_dbd0c574 | Windows | This strike sends a polymorphic malware sample known as Fareit. Fareit steals and harvests credentials from the targeted system. This information is then exfiltrated to a C2 server. The binary has the timestamp field updated in the PE file header. | dbd0c5748695321c966793651fc92702 | https://attack.mitre.org/techniques/T1099/
SHA256: a3215c5eb44752feceeb3e301a7184c59508554dd34def23da1b4d5d414c7308
SHA1: d884b62adb2dbc736f18041d41b06949a195aa6b
PARENTID: M20-yztx1
SSDEEP: 3072:8yqX75fvyv3gYq7fhvFGErUVAMhqalOR/aukG:L45fvigYqbhBrUVThqaqauj
MD5: dbd0c5748695321c966793651fc92702
M20-gtjj1 | Fareit_a2cbaa32 | Windows | This strike sends a malware sample known as Fareit. Fareit steals and harvests credentials from the targeted system. This information is then exfiltrated to a C2 server. | a2cbaa320fce0eaf8618816f522b0988 | https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: 6e51b6e88a1962263b754210c4eaf76a422575d1b9c8495fa2885f3ccd164a7c
SHA1: 66793e8c57d6bf787b986ba98cab3787778d9263
MD5: a2cbaa320fce0eaf8618816f522b0988
M20-fugs1 | Ramnit_e15c3c1d | Windows | This strike sends a malware sample known as Ramnit. Ramnit is a banking trojan that has been around since 2010 and has recently resumed activity. After infection, it scans files for keywords of interest, such as wallet, passwords, or the names of the targeted banks. Ramnit uses malvertising and malware-laden spam for distribution, though it has also employed popular exploit kits, such as Angler. | e15c3c1db02ac76fb3ef4cc3da611411 | https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: 7952e478a1c6df2378e2174e83c69608401c46526efff974484c719ba44f19dc
SHA1: 2ce19d82c3aba2b9f61e83171c5b17f18d51d653
MD5: e15c3c1db02ac76fb3ef4cc3da611411
M20-luni1 | Cybergate_5103ceac | Windows | This strike sends a malware sample known as Cybergate. Cybergate, also known as Rebhip, is a Remote Access Trojan that allows attackers to fully control the target system. Functionality includes command shell interaction, screenshot capturing, audio/video capturing, keylogging, as well as uploading/downloading files from the target system. | 5103ceacc2fcd2ef558292edc98df7cd | https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: 06c9eeaf4b22ccc75f29da153dfa87ca1c3759a5bfb3b688813a07c78cf9cf5a
SHA1: a8d88b9b7237ead3751800caa83d4eb95251ec58
MD5: 5103ceacc2fcd2ef558292edc98df7cd
M20-ysrp1 | Ramnit_a5729a0d | Windows | This strike sends a polymorphic malware sample known as Ramnit. Ramnit is a banking trojan that has been around since 2010 and has recently resumed activity. After infection, it scans files for keywords of interest, such as wallet, passwords, or the names of the targeted banks. Ramnit uses malvertising and malware-laden spam for distribution, though it has also employed popular exploit kits, such as Angler. The binary has random bytes appended at the end of the file. | a5729a0deb510677662e26c3e4cd288d | https://attack.mitre.org/techniques/T1009/
SHA256: 4bcc84f50103644d8412f28302b264151588db1be40a2172f919ba32a6a4708f
SHA1: 84e3e2314b5c457b5d9480f4110fce52c4be1c97
PARENTID: M20-3y2b1
SSDEEP: 1536:04OfRSikTjHw8/VhTqi4EqjCrCKfrSL2TtpdhJ/b+RuA6Tj1qNQaeIiYqpb11CT0:Jmi4VCrHXT1bfA6uFqpb1ys+Y
MD5: a5729a0deb510677662e26c3e4cd288d
M20-y2io2 | Zbot_8b1c2ad3 | Windows | This strike sends a malware sample known as Zbot. Zbot, also known as Zeus, is a trojan often associated with stealing banking information through keystroke logging and form-grabbing techniques. | 8b1c2ad3137857f1cd122d5ac9db86c9 | https://blog.talosintelligence.com/2020/06/threat-roundup-0605-0612.html
SHA256: 4fbf3416adf96620028b3f92f661d24708aff0c83651868dddbbddae11110b9d
SHA1: c0c6fa972e1a49dec5513c21f0ffca78a93bf528
MD5: 8b1c2ad3137857f1cd122d5ac9db86c9

Malware Strikes May - 2020

Strike ID | Malware | Platform | Info | MD5 | External References
M20-ybm01 | Cerber_58fcc751 | Windows | This strike sends a malware sample known as Cerber. Cerber is ransomware that encrypts documents, photos, databases and other important files, using the file extension ".cerber". | 58fcc751acce8ded997a7d2348e8a29b | https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.html
SHA256: 0de40a567ebe34116450658eef3d6a81bf8fa350aa3b6a808f236a603202aa13
SHA1: 0dc33a22227214fb816d0c6fb4d5b1c8efdaf0f7
MD5: 58fcc751acce8ded997a7d2348e8a29b
M20-wea01 | Chthonic_f2e342f0 | Windows | This strike sends a malware sample known as Chthonic. Chthonic is a banking trojan that is normally delivered by the attacker via phishing emails. Its purpose is to exfiltrate sensitive credentials from the victim machine, and it has also been seen delivering other malware, such as AZORult, to perform additional functionality. | f2e342f039eca55972cfa02b3564091f | https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.html
SHA256: 7c9f6e39190124804994315278d5451dc80f0c59994778d7c1ee22d2f6903021
SHA1: 8f89731df7d712435765e3cb4a44b93eba0d93d5
MD5: f2e342f039eca55972cfa02b3564091f
M20-mrh01 | Cerber_bcf1716e | Windows | This strike sends a malware sample known as Cerber. Cerber is ransomware that encrypts documents, photos, databases and other important files, using the file extension ".cerber". | bcf1716e2a2e75529bbf4de69b1159c2 | https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.html
SHA256: 15c5d4adfd697ea53278ad1cdc1128cbc96b808071fe06b8f5fdcbe847cd5fe5
SHA1: e506a27a5af061b47918810cd1e081cbe31a7187
MD5: bcf1716e2a2e75529bbf4de69b1159c2
M20-mge01 | GenericKidz_433e70f1 | Windows | This strike sends a malware sample known as GenericKidz. GenericKidz is a Delphi application that installs the Hawkeye spyware. It utilizes the Windows Autostart registry key to achieve persistence upon a system reboot. | 433e70f1e417b54f3991c5480ba49629 | https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.html
SHA256: 0c9ca5ead3a092e8c36983821e2059b6107906467e3d74095780da026e53e1d5
SHA1: c873cf6a7b717166cb2b8ea17b909ccdb783d00b
MD5: 433e70f1e417b54f3991c5480ba49629
M20-7z801 | Ragnar | Windows | This strike sends a polymorphic malware sample known as Ragnar Locker. Ragnar Locker is ransomware that encrypts infected systems and demands a bitcoin ransom in order to decrypt the data. It infects these systems through unsecured RDP connections, then uses MSP tools to push PowerShell scripts to all available endpoints. These scripts then download a payload from Pastebin that executes the ransomware. The binary has random bytes appended at the end of the file. | 1e9104a4d587cd8483cda90b234a3780 | https://attack.mitre.org/techniques/T1009/
SHA256: 5245f57c0cb21998d52b980fb326fd3ce73699772d85f7da0492d61fe7daced5
SHA1: 5528f8b16ae06f546e28a5f99d0a796481fd6f55
PARENTID: M20-kcc01
SSDEEP: 768:BpBsvKMNyoq65co7Bjd/3oqab0k3R2pXlj+BnkP7Z:BpPM4o4qFoqaXC+6N
MD5: 1e9104a4d587cd8483cda90b234a3780
M20-oud01 | Cerber_a6775e17 | Windows | This strike sends a malware sample known as Cerber. Cerber is ransomware that encrypts documents, photos, databases and other important files, using the file extension ".cerber". | a6775e1725ee8b2ef02576bff56f2098 | https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.html
SHA256: 07265644f5a634d235c9c33eef1deaca73689d5d8123bfb22b31a662cc9e2643
SHA1: 2aa77bc40bbafb4c0815d7e98b4aaf8e2c259f9c
MD5: a6775e1725ee8b2ef02576bff56f2098
M20-76o01 | Chthonic_4491185a | Windows | This strike sends a malware sample known as Chthonic. Chthonic is a banking trojan that is normally delivered by the attacker via phishing emails. Its purpose is to exfiltrate sensitive credentials from the victim machine, and it has also been seen delivering other malware, such as AZORult, to perform additional functionality. | 4491185a608e1b581122f1f2ff31f80b | https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.html
SHA256: 3c86595e1e7c456c182e0093475c5fce6656b44899ef23dff1badfa87a161468
SHA1: 4ca6b3c39c097b89e4e95dff5f21e0e039eea13d
MD5: 4491185a608e1b581122f1f2ff31f80b
M20-gd301 | Ragnar | Windows | This strike sends a malware sample known as Ragnar Locker. Ragnar Locker is ransomware that encrypts infected systems and demands a bitcoin ransom in order to decrypt the data. It infects these systems through unsecured RDP connections, then uses MSP tools to push PowerShell scripts to all available endpoints. These scripts then download a payload from Pastebin that executes the ransomware. | f7c48ee1f3ee1b18d255ad98703a5896 | https://www.deepinstinct.com/2020/04/27/ragnar-locker-ransomware-unlocked-by-deep-instinct/
SHA256: c2bd70495630ed8279de0713a010e5e55f3da29323b59ef71401b12942ba52f6
SHA1: 7c3a082237504d3bf36e47b986e02e014a2b8abc
MD5: f7c48ee1f3ee1b18d255ad98703a5896
M20-6kb01 | Maze_064058cf | Windows | This strike sends a malware sample known as Maze. Maze malware, also known as ChaCha ransomware, is known not only for encrypting files on the targeted system but also for releasing stolen victim information to the public if the ransom is not paid. The ransomware has been delivered via several methods, including exploit kits, remote desktop connections and phishing emails. This malware also uses many anti-reversing and anti-analysis features that make examining it much more difficult. | 064058cf092063a5b69ed8fd2a1a04fe | https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ransomware-maze/
SHA256: 24da3ccf131b8236d3c4a8cc29482709531232ef9c9cba38266b908439dea063
SHA1: 92b44e52f13bcb097f412a6a61bdc46ac19584c6
MD5: 064058cf092063a5b69ed8fd2a1a04fe
M20-q5e01 | GenericKidz_47d43093 | Windows | This strike sends a malware sample known as GenericKidz. GenericKidz is a Delphi application that installs the Hawkeye spyware. It utilizes the Windows Autostart registry key to achieve persistence upon a system reboot. | 47d430933b20724e741367fbc471ef4c | https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.html
SHA256: 23af63321f9d1c310c14cc894f301d4c7dcb33fd06d4de84f2b3c8422fb83c06
SHA1: 41537f088cdbd42e0b3d5e8c6613f1ca60c66336
MD5: 47d430933b20724e741367fbc471ef4c
M20-4m201 | Chthonic_f8b7320b | Windows | This strike sends a polymorphic malware sample known as Chthonic. Chthonic is a banking trojan that is normally delivered by the attacker via phishing emails. Its purpose is to exfiltrate sensitive credentials from the victim machine, and it has also been seen delivering other malware, such as AZORult, to perform additional functionality. The binary has been packed using the UPX packer with the default options. | f8b7320bd389415d399e4ea8a30af167 | https://attack.mitre.org/techniques/T1045/
SHA256: 5cb82d40e5b47c2396319700877f43a9f2fee3b6e68330cf4e12a786d96e526a
SHA1: 73875a6320d05d26b1dd4caf7c16b932821c898a
PARENTID: M20-wea01
SSDEEP: 3072:rhRPp1xigEkAJiUM9x5SAlYSzYrJTbCbK2jO8POnAWENw:rhJxisATM9x09iYrJTbCm2qE/WENw
MD5: f8b7320bd389415d399e4ea8a30af167
M20-4jj01 | GenericKidz_4cc4db0e | Windows | This strike sends a malware sample known as GenericKidz. GenericKidz is a Delphi application that installs the Hawkeye spyware. It utilizes the Windows Autostart registry key to achieve persistence upon a system reboot. | 4cc4db0ea7cbf30b9401edbda75fcd55 | https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.html
SHA256: 1e0654a998adda2207a909a02f5f89e039ebbf107b16d77a6148f3caf23f07cd
SHA1: 33c1d65f89dab800c20deb41cdb931daa6b1f7e3
MD5: 4cc4db0ea7cbf30b9401edbda75fcd55
M20-f3k01 | Chthonic_aab84bb8 | Windows | This strike sends a malware sample known as Chthonic. Chthonic is a banking trojan that is normally delivered by the attacker via phishing emails. Its purpose is to exfiltrate sensitive credentials from the victim machine, and it has also been seen delivering other malware, such as AZORult, to perform additional functionality. | aab84bb852fafd609314abe64403d04c | https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.html
SHA256: 73dbdd15d5aeba77d61b723e1f8eafc2b161679c61ca1aeb3de9e397faafcb6d
SHA1: 2b28cd85d19b7b7cc63bfa999a14b3001434d64f
MD5: aab84bb852fafd609314abe64403d04c
M20-rr801 | Maze_80043a5b | Mixed | This strike sends a malware sample known as Maze. Maze malware, also known as ChaCha ransomware, is known not only for encrypting files on the targeted system but also for releasing stolen victim information to the public if the ransom is not paid. The ransomware has been delivered via several methods, including exploit kits, remote desktop connections and phishing emails. This malware also uses many anti-reversing and anti-analysis features that make examining it much more difficult. | 80043a5b285da88fb63d469243655751 | https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ransomware-maze/
SHA256: 44991186a56b0d86581f2b9cc915e3af426a322d5c4f43a984e6ea38b81b7bed
SHA1: 434e02e197cf7352ef01a8e44f1a64e0a49cd66e
MD5: 80043a5b285da88fb63d469243655751
M20-yhz01 | Maze_f04d404d | Windows | This strike sends a malware sample known as Maze. Maze malware, also known as ChaCha ransomware, is known not only for encrypting files on the targeted system but also for releasing stolen victim information to the public if the ransom is not paid. The ransomware has been delivered via several methods, including exploit kits, remote desktop connections and phishing emails. This malware also uses many anti-reversing and anti-analysis features that make examining it much more difficult. | f04d404d84be66e64a584d425844b926 | https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ransomware-maze/
SHA256: 5603a16cbf81d183d3ff4ffea5477af1a4be01321865f0978c0e128051ec0a82
SHA1: 34584e01a7208b6aa150cccd5d855ec37fd129ea
MD5: f04d404d84be66e64a584d425844b926
M20-yry01 | Maze_ad30987a | Mixed | This strike sends a malware sample known as Maze. Maze malware, also known as ChaCha ransomware, is known not only for encrypting files on the targeted system but also for releasing stolen victim information to the public if the ransom is not paid. The ransomware has been delivered via several methods, including exploit kits, remote desktop connections and phishing emails. This malware also uses many anti-reversing and anti-analysis features that make examining it much more difficult. | ad30987a53b1b0264d806805ce1a2561 | https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ransomware-maze/
SHA256: 9f2139cc7c3fad7f133c26015ed3310981de26d7f1481355806f430f9c97e639
SHA1: e7da9cac8fc6a30c2879ddb1ab97422e59979591
MD5: ad30987a53b1b0264d806805ce1a2561
M20-1uc01 | Maze_d2dda72f | Windows | This strike sends a malware sample known as Maze. Maze malware, also known as ChaCha ransomware, is known not only for encrypting files on the targeted system but also for releasing stolen victim information to the public if the ransom is not paid. The ransomware has been delivered via several methods, including exploit kits, remote desktop connections and phishing emails. This malware also uses many anti-reversing and anti-analysis features that make examining it much more difficult. | d2dda72ff2fbbb89bd871c5fc21ee96a | https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ransomware-maze/
SHA256: ecd04ebbb3df053ce4efa2b73912fd4d086d1720f9b410235ee9c1e529ea52a2
SHA1: 7c928fdd5954ba9da5788453ce43a0ff440bf281
MD5: d2dda72ff2fbbb89bd871c5fc21ee96a
Strike ID: M20-4qg01
Malware: GenericKidz_4110f169
Platform: Windows
Info: This strike sends a malware sample known as GenericKidz. GenericKidz is a Delphi application that installs the Hawkeye spyware. It utilizes the Windows Autostart registry key to achieve persistence upon a system reboot.
External References: https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.html
SHA256: c07aa81c90d9e55f10cbc16f268b12cd1f2c2e4e65942221169398238b70ccb7
SHA1: ad287121e708355b1e37b0b3f5fa6b81fc31a1a3
MD5: 4110f169b8e3525a0dec5faa7086d171
Strike ID: M20-fds01
Malware: Maze_ef95c48e
Platform: Windows
Info: This strike sends a malware sample known as Maze. Maze, also known as ChaCha ransomware, is known not only for encrypting files on the targeted system but also for releasing stolen victim information to the public if the ransom is not paid. The ransomware has been delivered via several methods, including exploit kits, remote desktop connections and phishing emails. This malware also uses many anti-reversing and anti-analysis features that make examining it much more difficult.
External References: https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ransomware-maze/
SHA256: 22ccc6a9a8834e08f190486524fb86b177f332b5835f4bd75f31b4b667271bb0
SHA1: 8ea5950ffefa2b7193a40682513e80a28d743175
MD5: ef95c48e750c1a3b1af8f5446fa04f54
Strike ID: M20-25501
Malware: Chthonic_8a4e14ed
Platform: Windows
Info: This strike sends a malware sample known as Chthonic. Chthonic is a banking trojan that is normally delivered by the attacker via phishing emails. Its purpose is to exfiltrate sensitive credentials from the victim machine, and it has also been seen delivering other malware, such as AZORult, to perform additional functionality.
External References: https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.html
SHA256: 58962d2b0dbb2d469a15ce8fb8695014c733c750d0a61ada0595189d64c769c0
SHA1: 89ca538592113e753b6108cd791dc31a7efa7df7
MD5: 8a4e14ed621b815a3233071ed247918a
Strike ID: M20-hfw01
Malware: Ragnar
Platform: Windows
Info: This strike sends a malware sample known as Ragnar Locker. Ragnar Locker is ransomware that encrypts infected systems and demands a Bitcoin ransom in order to decrypt the data. It infects these systems through unsecured RDP connections and then uses MSP tools to push PowerShell scripts to all available endpoints. These scripts then download a payload from Pastebin that executes the ransomware.
External References: https://www.deepinstinct.com/2020/04/27/ragnar-locker-ransomware-unlocked-by-deep-instinct/
SHA256: 1472f5f559f90988f886d515f6d6c52e5d30283141ee2f13f92f7e1f7e6b8e9e
SHA1: 5938b9900e0c1978802319dc1cbababd70abf597
MD5: 77e84f1baf2b6d0dba6ad7169dab07ad
Strike ID: M20-nbe01
Malware: Chthonic_01c6db88
Platform: Windows
Info: This strike sends a malware sample known as Chthonic. Chthonic is a banking trojan that is normally delivered by the attacker via phishing emails. Its purpose is to exfiltrate sensitive credentials from the victim machine, and it has also been seen delivering other malware, such as AZORult, to perform additional functionality.
External References: https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.html
SHA256: 4d2c216c4ba2cec5e28324fbffc77479db4321862ef98fc2f6edbfa11c91b4be
SHA1: 6be70b68b7af98d0d955e629d0bff83b153b0505
MD5: 01c6db88b0aa86533073836d1bd8cf04
Strike ID: M20-o5001
Malware: Cerber_9379c0cd
Platform: Windows
Info: This strike sends a malware sample known as Cerber. Cerber is ransomware that encrypts documents, photos, databases and other important files, using the file extension ".cerber".
External References: https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.html
SHA256: 1abc5f123d1e92a151c9ffecd863cfaeaec589a4cb21c28b7667f9e6e62e2b21
SHA1: a068cfb5165e5a8b81e7a674a82ed6226c9adc8e
MD5: 9379c0cd8e0b04c9326e9276be77e280
Strike ID: M20-17d01
Malware: Chthonic_1d4738a3
Platform: Windows
Info: This strike sends a malware sample known as Chthonic. Chthonic is a banking trojan that is normally delivered by the attacker via phishing emails. Its purpose is to exfiltrate sensitive credentials from the victim machine, and it has also been seen delivering other malware, such as AZORult, to perform additional functionality.
External References: https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.html
SHA256: 3780f9d56d95218a3a1e526c05aaf127d22d14093ee06bcf7fc9e3b78f87253e
SHA1: f4006455e06ab52e3b5dd328726c9a6d3cef0d86
MD5: 1d4738a31855c758963b3e4d8e192c2d
Strike ID: M20-wvh01
Malware: GenericKidz_962468eb
Platform: Windows
Info: This strike sends a malware sample known as GenericKidz. GenericKidz is a Delphi application that installs the Hawkeye spyware. It utilizes the Windows Autostart registry key to achieve persistence upon a system reboot.
External References: https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.html
SHA256: 4044a3631fdbc686898028995532444f662d0a78be5a530d226239782445b4d8
SHA1: b4370cef329747da2d266002c84491abf8364d1f
MD5: 962468eb7478581b08ac99444ab951ea
Strike ID: M20-jj001
Malware: Maze_02c0ba2a
Platform: Windows
Info: This strike sends a malware sample known as Maze. Maze, also known as ChaCha ransomware, is known not only for encrypting files on the targeted system but also for releasing stolen victim information to the public if the ransom is not paid. The ransomware has been delivered via several methods, including exploit kits, remote desktop connections and phishing emails. This malware also uses many anti-reversing and anti-analysis features that make examining it much more difficult.
External References: https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ransomware-maze/
SHA256: 04d006f5c8498cc5a987a5c9379a0a117342d654d639fbf19fb8e050e85abb7d
SHA1: bb684e83eb3740cde6afa61cb926ce2bf4d0be7a
MD5: 02c0ba2a97617497e7089bb900ffdc0c
Strike ID: M20-umd01
Malware: Maze_53d5bdc6
Platform: Mixed
Info: This strike sends a malware sample known as Maze. Maze, also known as ChaCha ransomware, is known not only for encrypting files on the targeted system but also for releasing stolen victim information to the public if the ransom is not paid. The ransomware has been delivered via several methods, including exploit kits, remote desktop connections and phishing emails. This malware also uses many anti-reversing and anti-analysis features that make examining it much more difficult.
External References: https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ransomware-maze/
SHA256: cfd8e3a47036c4eeeb318117c0c23e126aea95d1774dae37d5b6c3de02bdfc2a
SHA1: 761910e01ca991434775bcbe40b56c2aa1fff029
MD5: 53d5bdc6bd7904b44078cf80e239d42b
Strike ID: M20-rug01
Malware: Chthonic_fb6acc3d
Platform: Windows
Info: This strike sends a malware sample known as Chthonic. Chthonic is a banking trojan that is normally delivered by the attacker via phishing emails. Its purpose is to exfiltrate sensitive credentials from the victim machine, and it has also been seen delivering other malware, such as AZORult, to perform additional functionality.
External References: https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.html
SHA256: 311ce91b0bacedf64d500efe57c919eef18865107d73420bc59967d121077cc8
SHA1: d514cfd7b0ff5221d12091a0810e78e4be245ba4
MD5: fb6acc3da250c5db470492f2790dc221
Strike ID: M20-1os01
Malware: Cerber_1295a615
Platform: Windows
Info: This strike sends a malware sample known as Cerber. Cerber is ransomware that encrypts documents, photos, databases and other important files, using the file extension ".cerber".
External References: https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.html
SHA256: 064579ef28c82acb6935b75fe3a2408b354a0d4d9004d3beb444045fb8ba1b9d
SHA1: efd2175c782b5de133be6f7cb7245c60acd76016
MD5: 1295a61551be8bb3fabd9403889eaac9
Strike ID: M20-3re01
Malware: GenericKidz_988cd895
Platform: Windows
Info: This strike sends a malware sample known as GenericKidz. GenericKidz is a Delphi application that installs the Hawkeye spyware. It utilizes the Windows Autostart registry key to achieve persistence upon a system reboot.
External References: https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.html
SHA256: 47bf9eeb164237e0fc322125052d65783fa809bd804c8a9dbd6b4db210b24f92
SHA1: 4d468ea149bbe886b2602f2234e091cd2813665e
MD5: 988cd895960f21183c83c298c4bb007c
Strike ID: M20-vc901
Malware: Maze_ee26e337
Platform: Mixed
Info: This strike sends a malware sample known as Maze. Maze, also known as ChaCha ransomware, is known not only for encrypting files on the targeted system but also for releasing stolen victim information to the public if the ransom is not paid. The ransomware has been delivered via several methods, including exploit kits, remote desktop connections and phishing emails. This malware also uses many anti-reversing and anti-analysis features that make examining it much more difficult.
External References: https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ransomware-maze/
SHA256: d617fd4b2d0824e1a7eb9693c6ec6e71447d501d24653a8e99face12136491a8
SHA1: 7e4b1fd3a82448e9dd3422487aa8d2488f95bf26
MD5: ee26e33725b14850b1776a67bd8f2d0a
Strike ID: M20-m4t01
Malware: Cerber_177b8bca
Platform: Windows
Info: This strike sends a polymorphic malware sample known as Cerber. Cerber is ransomware that encrypts documents, photos, databases and other important files, using the file extension ".cerber". The binary has one additional import added to its import table.
External References: https://arxiv.org/abs/1702.05983
SHA256: 9b8c28c7bd3d3c643a9f56d7f9e8cd6b277cb42f75471ebabd12136a92d70be2
SHA1: e9a21d3a8a0e65c380f2d9540f31af00e5139339
PARENTID: M20-qcm01
SSDEEP: 6144:aPvsAaRn+h+/qM5gEZGmJ4swsCTUrHvHP/jvHbfbUsRtwI5Mg8QC1N1e:uGRn+4d57ZGy4D32wcMgile
MD5: 177b8bcaa38f1fc024b2b02203ce3278
Strike ID: M20-yqt01
Malware: Cerber_af672b3d
Platform: Windows
Info: This strike sends a malware sample known as Cerber. Cerber is ransomware that encrypts documents, photos, databases and other important files, using the file extension ".cerber".
External References: https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.html
SHA256: 11018a64eeae53e33d66193676705e49ab658d04f5e2f8471ab896fbda96b1d5
SHA1: d0052224dd0a116507a60887ace1a55ae708df84
MD5: af672b3d1f4c6f019e0e17d227087607
Strike ID: M20-0vw01
Malware: Maze_d6e2396d
Platform: Windows
Info: This strike sends a polymorphic malware sample known as Maze. Maze, also known as ChaCha ransomware, is known not only for encrypting files on the targeted system but also for releasing stolen victim information to the public if the ransom is not paid. The ransomware has been delivered via several methods, including exploit kits, remote desktop connections and phishing emails. This malware also uses many anti-reversing and anti-analysis features that make examining it much more difficult. The binary has one section randomly renamed, in accordance with the PE format specification.
External References: https://arxiv.org/abs/1801.08917
SHA256: 18f03c65bf58549e8e230b8ef8595287fe51db0e5e411adfeaf261f87574543e
SHA1: 27b1fa00a1a1edce9d2aa976aff216466042c930
PARENTID: M20-igj01
SSDEEP: 6144:kx0s5c9jrLrLrLZMEQ9V6wZqEZw0eNsd198V50DErNNg/ydlb4fQ6wFMvMK:EMAwmlDYNg6dNoQl+vD
MD5: d6e2396df72ada10e2bbf0f48cb70462
Strike ID: M20-h0j01
Malware: Chthonic_35bc4e7e
Platform: Windows
Info: This strike sends a malware sample known as Chthonic. Chthonic is a banking trojan that is normally delivered by the attacker via phishing emails. Its purpose is to exfiltrate sensitive credentials from the victim machine, and it has also been seen delivering other malware, such as AZORult, to perform additional functionality.
External References: https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.html
SHA256: 356e8479fb35f301fe0f578726fe072ecec12d2d1074d20bafd9b107a0f2fa62
SHA1: 1444678488bd4463b196ada2e729a89986302120
MD5: 35bc4e7e59b96ba08e6fde8a805868a0
Strike ID: M20-vf301
Malware: GenericKidz_f27a8207
Platform: Windows
Info: This strike sends a malware sample known as GenericKidz. GenericKidz is a Delphi application that installs the Hawkeye spyware. It utilizes the Windows Autostart registry key to achieve persistence upon a system reboot.
External References: https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.html
SHA256: 68fb0d69411cceecd15f52ab04953034ef20310d46df3fcb3afa01ef9815dfda
SHA1: b687bef3d7452273ad42918629b24da1ffc89ad9
MD5: f27a8207eab1b5be953da9cde9e504ee
Strike ID: M20-acp01
Malware: Cerber_1c0de3d5
Platform: Windows
Info: This strike sends a malware sample known as Cerber. Cerber is ransomware that encrypts documents, photos, databases and other important files, using the file extension ".cerber".
External References: https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.html
SHA256: 0e446d8cb2f076a30441b95278c77badff0a2814ed16ca59e5767795aff0729e
SHA1: 0f0d261d3c3470bbb2eca065a9685a9b62ef7110
MD5: 1c0de3d521d3fd02949cdb53d3b5334a
Strike ID: M20-t7b01
Malware: Maze_1ffecd46
Platform: Mixed
Info: This strike sends a malware sample known as Maze. Maze, also known as ChaCha ransomware, is known not only for encrypting files on the targeted system but also for releasing stolen victim information to the public if the ransom is not paid. The ransomware has been delivered via several methods, including exploit kits, remote desktop connections and phishing emails. This malware also uses many anti-reversing and anti-analysis features that make examining it much more difficult.
External References: https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ransomware-maze/
SHA256: 5f1e512d9ab9b915b1fc925f546ed559cbfa49df53229e2f954a1416cf6f5ee4
SHA1: 8e6df1166afaae4aa5335aaee6a63f98a4613024
MD5: 1ffecd461b3d4b65e44faff8537f68d6
Strike ID: M20-tqc01
Malware: Ragnar
Platform: Windows
Info: This strike sends a polymorphic malware sample known as Ragnar Locker. Ragnar Locker is ransomware that encrypts infected systems and demands a Bitcoin ransom in order to decrypt the data. It infects these systems through unsecured RDP connections and then uses MSP tools to push PowerShell scripts to all available endpoints. These scripts then download a payload from Pastebin that executes the ransomware. The binary has the debug flag removed from its PE file header.
External References: https://arxiv.org/abs/1801.08917
SHA256: dc1c31a0e2ff3b048a875e2c1373e9836baa96250db547c7270a4bf4f599a5d6
SHA1: 85278411ede936ce43602f8a36abb10d97aea6f9
PARENTID: M20-kcc01
SSDEEP: 768:KpBsvKMNyoq65co7Bjd/3oqab0k3R2pXlj+Bnk:KpPM4o4qFoqaXC+6
MD5: 453b78931f1856b9295117ef3b9db30e
Strike ID: M20-sb501
Malware: Chthonic_06683c12
Platform: Windows
Info: This strike sends a malware sample known as Chthonic. Chthonic is a banking trojan that is normally delivered by the attacker via phishing emails. Its purpose is to exfiltrate sensitive credentials from the victim machine, and it has also been seen delivering other malware, such as AZORult, to perform additional functionality.
External References: https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.html
SHA256: 49f30782a139a159f630022bffa0cd2aef80149efa80436791807270954dda51
SHA1: 4bd1845860073e6aeb791e1d617b68690c140d04
MD5: 06683c12ede3b376d05d461be84a48ad
Strike ID: M20-8r101
Malware: GenericKidz_f12dd048
Platform: Windows
Info: This strike sends a malware sample known as GenericKidz. GenericKidz is a Delphi application that installs the Hawkeye spyware. It utilizes the Windows Autostart registry key to achieve persistence upon a system reboot.
External References: https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.html
SHA256: 4004df1bf42ff674d7cb4a526e3af694302d6d8bdaceeee88dc8b4135fc7594c
SHA1: 6deb902ed6d6da53f983d71bcb32c4e670ab45b7
MD5: f12dd048ef5d97a4fdc97c983a8d1478
Strike ID: M20-b4z01
Malware: GenericKidz_bd742339
Platform: Windows
Info: This strike sends a malware sample known as GenericKidz. GenericKidz is a Delphi application that installs the Hawkeye spyware. It utilizes the Windows Autostart registry key to achieve persistence upon a system reboot.
External References: https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.html
SHA256: 78ab5f5da002769f5104e87bf633930d4218f9c764699427a01384d15e7ed43f
SHA1: ebc728c74a1f63ebd370a8693d069afdc3c234e7
MD5: bd742339bb527c17f0a07c19ec36cea3
Strike ID: M20-9az01
Malware: Chthonic_c7844c3f
Platform: Windows
Info: This strike sends a polymorphic malware sample known as Chthonic. Chthonic is a banking trojan that is normally delivered by the attacker via phishing emails. Its purpose is to exfiltrate sensitive credentials from the victim machine, and it has also been seen delivering other malware, such as AZORult, to perform additional functionality. The binary has one section randomly renamed, in accordance with the PE format specification.
External References: https://arxiv.org/abs/1801.08917
SHA256: 1a178c2abeb207f1c9b4ae5bb52e3a4d2b8d5c3953622c7721c6d7a7e7c8d30d
SHA1: aaf1bd5308ba0592e2c7bb2aef4fd8987749935c
PARENTID: M20-9l601
SSDEEP: 3072:DAUvnyA6tx3W7c4iFyLN1oGpVOfZaIHmmC8J26HuJzCc0:Nvn0xz4bB1trYmmCI2U2mj
MD5: c7844c3f89c00041a31a6704ef8a4ef5
Strike ID: M20-4ik01
Malware: Chthonic_2306b513
Platform: Windows
Info: This strike sends a malware sample known as Chthonic. Chthonic is a banking trojan that is normally delivered by the attacker via phishing emails. Its purpose is to exfiltrate sensitive credentials from the victim machine, and it has also been seen delivering other malware, such as AZORult, to perform additional functionality.
External References: https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.html
SHA256: 3fa1d611262596bc923fc1e6ac7f44b5ad1c3d574270e588041f379c1b38b679
SHA1: bfd9403ec23512e453bad0ed0ceac99fcc1b75d9
MD5: 2306b513b6283cf5c017dbf7240a7c19
Strike ID: M20-o8301
Malware: Maze_be537a66
Platform: Windows
Info: This strike sends a malware sample known as Maze. Maze, also known as ChaCha ransomware, is known not only for encrypting files on the targeted system but also for releasing stolen victim information to the public if the ransom is not paid. The ransomware has been delivered via several methods, including exploit kits, remote desktop connections and phishing emails. This malware also uses many anti-reversing and anti-analysis features that make examining it much more difficult.
External References: https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ransomware-maze/
SHA256: 877c439da147bab8e2c32f03814e3973c22cbcd112d35bc2735b803ac9113da1
SHA1: 8614c5aa7abe3b91ffbc5637dd53bdff886aa1c1
MD5: be537a66d01c67076c8491b05866c894
Strike ID: M20-yle01
Malware: Cerber_3feda6e4
Platform: Windows
Info: This strike sends a malware sample known as Cerber. Cerber is ransomware that encrypts documents, photos, databases and other important files, using the file extension ".cerber".
External References: https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.html
SHA256: 1177ecb326246585b0b1a3f3664969325eb3017d6ae93e8340fd04497391f41d
SHA1: c5c7ed08900d9973f258097b0594c2da8f45d707
MD5: 3feda6e4ba4db978fe9b8533df206722
Strike ID: M20-af201
Malware: Cerber_b6ddcba9
Platform: Windows
Info: This strike sends a malware sample known as Cerber. Cerber is ransomware that encrypts documents, photos, databases and other important files, using the file extension ".cerber".
External References: https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.html
SHA256: 15bcfa2a7f4a8446b9044b31ac577e75ceca42d8d47b7441f86e97610df7fb30
SHA1: c177741641cf582b05b9470d62830af1f2943e01
MD5: b6ddcba95312ff109ba53049dd3df5af
Strike ID: M20-7vn01
Malware: Chthonic_c663f470
Platform: Windows
Info: This strike sends a polymorphic malware sample known as Chthonic. Chthonic is a banking trojan that is normally delivered by the attacker via phishing emails. Its purpose is to exfiltrate sensitive credentials from the victim machine, and it has also been seen delivering other malware, such as AZORult, to perform additional functionality. The binary has random bytes appended at the end of the file.
External References: https://attack.mitre.org/techniques/T1009/
SHA256: c26f64f5b77ff1aebb388055e18376e36b5795444dd3efc524b95d96a0d11b2e
SHA1: 4f4e40f9283332d7c497c449157c86f5bf09d494
PARENTID: M20-9l601
SSDEEP: 3072:5AUvnyA6tx3W7c4iFyLN1oGpVOfZaIHmmC8J26HuJzCc9F:rvn0xz4bB1trYmmCI2U2mEF
MD5: c663f470475adcec85d53ae121a28bef
Strike ID: M20-g3c01
Malware: Ragnar
Platform: Windows
Info: This strike sends a malware sample known as Ragnar Locker. Ragnar Locker is ransomware that encrypts infected systems and demands a Bitcoin ransom in order to decrypt the data. It infects these systems through unsecured RDP connections and then uses MSP tools to push PowerShell scripts to all available endpoints. These scripts then download a payload from Pastebin that executes the ransomware.
External References: https://www.deepinstinct.com/2020/04/27/ragnar-locker-ransomware-unlocked-by-deep-instinct/
SHA256: a8ee0fafbd7b84417c0fb31709b2d9c25b2b8a16381b36756ca94609e2a6fcf6
SHA1: 01fff32c5e016bfd3692072ef0ef5b943f2da110
MD5: 9b2a874de86f10ff992a30febdb6f9e8
Strike ID: M20-rh201
Malware: Chthonic_ed8b7d43
Platform: Windows
Info: This strike sends a malware sample known as Chthonic. Chthonic is a banking trojan that is normally delivered by the attacker via phishing emails. Its purpose is to exfiltrate sensitive credentials from the victim machine, and it has also been seen delivering other malware, such as AZORult, to perform additional functionality.
External References: https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.html
SHA256: 706c37e3dbf83e01206b37a4c3fc1f39611cd05b7f8df8ebe2456efd8a6970ac
SHA1: 872b6e77f28602bd4af0b22f9ebe2d02b3429480
MD5: ed8b7d43f752748610116d9c2ec2ad17
Strike ID: M20-igj01
Malware: Maze_57e3d794
Platform: Windows
Info: This strike sends a malware sample known as Maze. Maze, also known as ChaCha ransomware, is known not only for encrypting files on the targeted system but also for releasing stolen victim information to the public if the ransom is not paid. The ransomware has been delivered via several methods, including exploit kits, remote desktop connections and phishing emails. This malware also uses many anti-reversing and anti-analysis features that make examining it much more difficult.
External References: https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ransomware-maze/
SHA256: 78fb8d34cf3e034fbbaefd8f7587bd364a000a1e12c4a6fa45e192d56b93a25a
SHA1: e850e2963deaea7e6d43c1390f4d69b20ed62a67
MD5: 57e3d794b333f6ba4d2a968a54c7f7d8
Strike ID: M20-kcc01
Malware: Ragnar
Platform: Windows
Info: This strike sends a malware sample known as Ragnar Locker. Ragnar Locker is ransomware that encrypts infected systems and demands a Bitcoin ransom in order to decrypt the data. It infects these systems through unsecured RDP connections and then uses MSP tools to push PowerShell scripts to all available endpoints. These scripts then download a payload from Pastebin that executes the ransomware.
External References: https://www.deepinstinct.com/2020/04/27/ragnar-locker-ransomware-unlocked-by-deep-instinct/
SHA256: 7af61ce420051640c50b0e73e718dd8c55dddfcb58917a3bead9d3ece2f3e929
SHA1: 60747604d54a18c4e4dc1a2c209e77a793e64dde
MD5: 3ca359f5085bb96a7950d4735b089ffe
Strike ID: M20-g7601
Malware: Cerber_d9456755
Platform: Windows
Info: This strike sends a malware sample known as Cerber. Cerber is ransomware that encrypts documents, photos, databases and other important files, using the file extension ".cerber".
External References: https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.html
SHA256: 1263a68800e384bee88a29156b3240a4f5bd7c207d7bb3994ee42d9f8e3104b0
SHA1: 4ed16dcd3ff7d91cf073fcb091137a9ba3d26dec
MD5: d9456755be7622b653eeb66cbe992c30
Strike ID: M20-r4901
Malware: Chthonic_5dc71fc5
Platform: Windows
Info: This strike sends a malware sample known as Chthonic. Chthonic is a banking trojan that is normally delivered by the attacker via phishing emails. Its purpose is to exfiltrate sensitive credentials from the victim machine, and it has also been seen delivering other malware, such as AZORult, to perform additional functionality.
External References: https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.html
SHA256: 6e6d5dbe3d497750383b5b50ceb17a8cdb67eeb2c923af97219ef25f0d3f8274
SHA1: 04ce1a31b804ca5e100f2ddc6340c706a55df726
MD5: 5dc71fc5408d7749d25459cacc54c4d6
Strike ID: M20-f5p01
Malware: Maze_1d746808
Platform: Windows
Info: This strike sends a polymorphic malware sample known as Maze. Maze, also known as ChaCha ransomware, is known not only for encrypting files on the targeted system but also for releasing stolen victim information to the public if the ransom is not paid. The ransomware has been delivered via several methods, including exploit kits, remote desktop connections and phishing emails. This malware also uses many anti-reversing and anti-analysis features that make examining it much more difficult. The binary has random strings (lorem ipsum) appended at the end of the file.
External References: https://attack.mitre.org/techniques/T1009/
SHA256: fda037a68cb707b4609ae9d9f609ac73a3a2a53f279840983d1131eb04b5da9f
SHA1: 7a297b8a73f34d9600e0942b9e79ea03825d43bc
PARENTID: M20-igj01
SSDEEP: 6144:Sx0s5c9jrLrLrLZMEQ9V6wZqEZw0eNsd198V50DErNNg/ydlb4fQ6wFMvMD:mMAwmlDYNg6dNoQl+vC
MD5: 1d74680891b4955ff98287f689d23016
Strike ID: M20-zlj01
Malware: Cerber_97c2f3bb
Platform: Windows
Info: This strike sends a polymorphic malware sample known as Cerber. Cerber is ransomware that encrypts documents, photos, databases and other important files, using the file extension ".cerber". The binary has been packed with the UPX packer using its default options.
External References: https://attack.mitre.org/techniques/T1045/
SHA256: 89c08b1ee24e19d5697f09bd3c1f6b8d146ab2b43b6d1949f367fb2a91f60b24
SHA1: 637c8a7737c59f7e2cfb3dc2ea48f4cfb7a3961e
PARENTID: M20-qcm01
SSDEEP: 6144:QtHxDeGTNkEm3tLP09Kt1Y1yBnFi1Jg7q5EPQf2ZZBZvHZuV:QtR1R0tLF7B8g7q549ZZHvHZuV
MD5: 97c2f3bb7328316b257cc6f319b32bd9
Strike ID: M20-7a801
Malware: Cerber_3507a8e8
Platform: Windows
Info: This strike sends a malware sample known as Cerber. Cerber is ransomware that encrypts documents, photos, databases and other important files, using the file extension ".cerber".
External References: https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.html
SHA256: 03f07c9b09741428f840403a193a1dd7f0216371e3f8d159ccabdf7a4629bb9e
SHA1: a987fab8c3dea79c4e37c24658a5a84297803ba9
MD5: 3507a8e8633d46b72971e691189a62d1
Strike ID: M20-z7h01
Malware: Chthonic_029263b3
Platform: Windows
Info: This strike sends a malware sample known as Chthonic. Chthonic is a banking trojan that is normally delivered by the attacker via phishing emails. Its purpose is to exfiltrate sensitive credentials from the victim machine, and it has also been seen delivering other malware, such as AZORult, to perform additional functionality.
External References: https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.html
SHA256: 4bd6b56bad8e51cf3187d822dfdd6919382d338999df524dbb99c32495c20d7b
SHA1: 3d48854abd5494e72fb77eac64b63d4a31b9ab0d
MD5: 029263b342d655892fee9634dc699c50
Strike ID: M20-bg501
Malware: Maze_35a4ba50
Platform: Windows
Info: This strike sends a polymorphic malware sample known as Maze. Maze, also known as ChaCha ransomware, is known not only for encrypting files on the targeted system but also for releasing stolen victim information to the public if the ransom is not paid. The ransomware has been delivered via several methods, including exploit kits, remote desktop connections and phishing emails. This malware also uses many anti-reversing and anti-analysis features that make examining it much more difficult. The binary has random bytes appended at the end of the file.
External References: https://attack.mitre.org/techniques/T1009/
SHA256: 33d489bbcc6f10df8c67eae9712d07c45ae7ca3d6405aa5814fa6edd7ae58181
SHA1: e51368fbd2c00cb84b84ef65aad179848d9bd564
PARENTID: M20-igj01
SSDEEP: 6144:Sx0s5c9jrLrLrLZMEQ9V6wZqEZw0eNsd198V50DErNNg/ydlb4fQ6wFMvMO:mMAwmlDYNg6dNoQl+vP
MD5: 35a4ba50a7d6aac61fc36980a6153df2
Strike ID: M20-m1n01
Malware: Maze_4cdd275b
Platform: Windows
Info: This strike sends a malware sample known as Maze. Maze, also known as ChaCha ransomware, is known not only for encrypting files on the targeted system but also for releasing stolen victim information to the public if the ransom is not paid. The ransomware has been delivered via several methods, including exploit kits, remote desktop connections and phishing emails. This malware also uses many anti-reversing and anti-analysis features that make examining it much more difficult.
External References: https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ransomware-maze/
SHA256: 0b9c99276ed36110afc58b3fb59ada135146180189c25d99618ca5897537ee21
SHA1: b908dfc77cd01a03f1be1270e7ae570bef6b89f3
MD5: 4cdd275bc7d6bf28c5691c1ee1b37eac
Strike ID: M20-zb301
Malware: Chthonic_66f43845
Platform: Windows
Info: This strike sends a malware sample known as Chthonic. Chthonic is a banking trojan that is normally delivered by the attacker via phishing emails. Its purpose is to exfiltrate sensitive credentials from the victim machine, and it has also been seen delivering other malware, such as AZORult, to perform additional functionality.
External References: https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.html
SHA256: 2e434122795ce60847385431e28d8e96e0a63ced780a48d9acdbad149c262074
SHA1: 1d88592c20f7b850e61461ac9c64a728e41c14d5
MD5: 66f43845fdd3fa7414b5d772806e7e26
Strike ID: M20-6xe01
Malware: Maze_b9078b6d
Platform: Windows
Info: This strike sends a polymorphic malware sample known as Maze. Maze, also known as ChaCha ransomware, is known not only for encrypting files on the targeted system but also for releasing stolen victim information to the public if the ransom is not paid. The ransomware has been delivered via several methods, including exploit kits, remote desktop connections and phishing emails. This malware also uses many anti-reversing and anti-analysis features that make examining it much more difficult. The binary has random content appended to one of the existing sections of the PE file.
External References: https://arxiv.org/abs/1801.08917
SHA256: 8e2e8b266bf451bce36445ef9fe0284f2d171518b61ed4dc2e025799c7949e6e
SHA1: f4767c509c5c6b5b0ba97931f810bbf8a4d3e02b
PARENTID: M20-igj01
SSDEEP: 6144:Sx0s5c9jrLrLrLZMEQ9V6wZqEZw0eNsd198V50DErjNg/ydlb4fQ6wFMvMK:mMAwmlD2Ng6dNoQl+vD
MD5: b9078b6db33deb83201c8d2cbb3ced4e
Strike ID: M20-3o801
Malware: Chthonic_d39d63cd
Platform: Windows
Info: This strike sends a malware sample known as Chthonic. Chthonic is a banking trojan that is normally delivered by the attacker via phishing emails. Its purpose is to exfiltrate sensitive credentials from the victim machine, and it has also been seen delivering other malware, such as AZORult, to perform additional functionality.
External References: https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.html
SHA256: 4b255914b1ee12886e4dee4745799d21fcefcf2c95466d2ee5c4af056a280809
SHA1: 8782804d58d23f1c1c15783f29b1f6bb94ba78c8
MD5: d39d63cdd5965a342f6465585fcf3bd4
Strike ID: M20-7xg01
Malware: Chthonic_79a423d4
Platform: Windows
Info: This strike sends a malware sample known as Chthonic. Chthonic is a banking trojan that is normally delivered by the attacker via phishing emails. Its purpose is to exfiltrate sensitive credentials from the victim machine, and it has also been seen delivering other malware, such as AZORult, to perform additional functionality.
External References: https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.html
SHA256: 6f22d50967bd631b8cf5fa77b96267817ae25c4f1de75998ce5a6046c74aee01
SHA1: 9effc7a23f15569d250d3ce3f21f556bb3204eaf
MD5: 79a423d4b36a9f38cafd7402d3bf6708
Strike ID: M20-zwj01
Malware: Cerber_7a9698cc
Platform: Windows
Info: This strike sends a malware sample known as Cerber. Cerber is ransomware that encrypts documents, photos, databases and other important files, using the file extension ".cerber".
External References: https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.html
SHA256: 17d48b5318fc9d45eb21d19793e3a699c5c95bd67bb8ca8cc240db9d69f6c770
SHA1: 3b82fd1201a89500c86b457e416a21446df90032
MD5: 7a9698cc75dc079ec4186faae460d4ca
Strike ID: M20-4th01
Malware: Chthonic_b678aff5
Platform: Windows
Info: This strike sends a malware sample known as Chthonic. Chthonic is a banking trojan that is normally delivered by the attacker via phishing emails. Its purpose is to exfiltrate sensitive credentials from the victim machine, and it has also been seen delivering other malware, such as AZORult, to perform additional functionality.
External References: https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.html
SHA256: 031a584697feeecc9014a8d021576b1964545a96bf652a4102179b405aa4cf5c
SHA1: ef8965cfb68984a1c3544ac758af8ee357be3d3b
MD5: b678aff5be1fff867d80ca4a0c8309f7
Strike ID: M20-nuu01
Malware: Maze_5a568b2a
Platform: Windows
Info: This strike sends a malware sample known as Maze. Maze, also known as ChaCha ransomware, is known not only for encrypting files on the targeted system but also for releasing stolen victim information to the public if the ransom is not paid. The ransomware has been delivered via several methods, including exploit kits, remote desktop connections and phishing emails. This malware also uses many anti-reversing and anti-analysis features that make examining it much more difficult.
External References: https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ransomware-maze/
SHA256: 0d8b74e1e9eb07e3e0c1c480153cc138ffb13fb0e2bb417b20f7ba9b5186e571
SHA1: 31fd982ba7e08d81e9c59b91afb7c023958dbdec
MD5: 5a568b2a5e62e7889f1a8dfaf64d3a7c
M20-qqx01 | GenericKidz_1faca9c8 | Windows | This strike sends a malware sample known as GenericKidz. GenericKidz is a Delphi application that installs the Hawkeye spyware. It utilizes the Windows Autostart registry key to achieve persistence upon a system reboot. | 1faca9c8ed5d600cc1972c17943507b7 | https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.html
SHA256: 2ce6928f41662856507bed0a7073b80e8504b7760f3c8b787543d25db7d5c1ed
SHA1: 6bd30b6d6dc44d2881f87f200776e09a260dfdb0
MD5: 1faca9c8ed5d600cc1972c17943507b7
M20-b0501 | Cerber_3441dcf7 | Windows | This strike sends a malware sample known as Cerber. Cerber is ransomware that encrypts documents, photos, databases and other important files using the file extension ".cerber". | 3441dcf7cae2b362ed94147259d95977 | https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.html
SHA256: 09029946caf0de395b14a26364354dd32679aee7c7eb22c5e8c04775c0d3d538
SHA1: 31ab7d939d7eac34b658146e9a02c002dd6fe3f3
MD5: 3441dcf7cae2b362ed94147259d95977
M20-2iv01 | Cerber_14dea99a | Windows | This strike sends a malware sample known as Cerber. Cerber is ransomware that encrypts documents, photos, databases and other important files using the file extension ".cerber". | 14dea99adcd67477f247c9dd1a8189c3 | https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.html
SHA256: 1b10ca8a96db74c1748019566edeca9b8967665c12264f5969ee30bd11ef1504
SHA1: 6fc55c7d36c0b714f00d946d5b8f050671addbf5
MD5: 14dea99adcd67477f247c9dd1a8189c3
M20-gxx01 | Chthonic_c1d322b8 | Windows | This strike sends a malware sample known as Chthonic. Chthonic is a banking trojan that is normally delivered by the attacker via phishing emails. Its purpose is to exfiltrate sensitive credentials from the victim machine, and it has also been seen delivering other malware, such as AZORult, to perform additional functionality. | c1d322b838b40a2f040e3f22e1fb4f41 | https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.html
SHA256: 1fbb6393e4cf576e0f11b615e0990a8b2134b0ea0e9ec58374f7e7f49125d6f4
SHA1: b1245503bd123de66e2a1183b6c08010f2a03194
MD5: c1d322b838b40a2f040e3f22e1fb4f41
M20-5sp01 | Cerber_a968db00 | Windows | This strike sends a malware sample known as Cerber. Cerber is ransomware that encrypts documents, photos, databases and other important files using the file extension ".cerber". | a968db00332971d364e7a17386ce7ad8 | https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.html
SHA256: 10ab9740564dc471636c8006f6bd36c3f6762e87859f912e337709b26dab6c15
SHA1: 09ca57c61961025212d4219986b4e3639410f517
MD5: a968db00332971d364e7a17386ce7ad8
M20-shy01 | Ragnar | Windows | This strike sends a malware sample known as Ragnar Locker. Ragnar Locker is ransomware that encrypts infected systems and demands a bitcoin ransom in order to decrypt the data. It infects these systems through unsecured RDP connections, and then uses MSP tools to push PowerShell scripts to all available endpoints. These scripts then download a payload from Pastebin that executes the ransomware. | 1ee5456c1226affd7b72bcdf3db443b7 | https://www.deepinstinct.com/2020/04/27/ragnar-locker-ransomware-unlocked-by-deep-instinct/
SHA256: dd5d4cf9422b6e4514d49a3ec542cffb682be8a24079010cda689afbb44ac0f4
SHA1: e22344a92c91b567a6cba7eb66686c438d479462
MD5: 1ee5456c1226affd7b72bcdf3db443b7
M20-hxt01 | Ragnar | Windows | This strike sends a malware sample known as Ragnar Locker. Ragnar Locker is ransomware that encrypts infected systems and demands a bitcoin ransom in order to decrypt the data. It infects these systems through unsecured RDP connections, and then uses MSP tools to push PowerShell scripts to all available endpoints. These scripts then download a payload from Pastebin that executes the ransomware. | 6d122b4bfab5e75f3ae903805cbbc641 | https://www.deepinstinct.com/2020/04/27/ragnar-locker-ransomware-unlocked-by-deep-instinct/
SHA256: 68eb2d2d7866775d6bf106a914281491d23769a9eda88fc078328150b8432bb3
SHA1: 5197d1b54494f8cb043759b35e097c660a9e09ac
MD5: 6d122b4bfab5e75f3ae903805cbbc641
M20-zsv01 | Ragnar | Windows | This strike sends a malware sample known as Ragnar Locker. Ragnar Locker is ransomware that encrypts infected systems and demands a bitcoin ransom in order to decrypt the data. It infects these systems through unsecured RDP connections, and then uses MSP tools to push PowerShell scripts to all available endpoints. These scripts then download a payload from Pastebin that executes the ransomware. | 00fb3f27bccef7c5658ff9f5ce487cec | https://www.deepinstinct.com/2020/04/27/ragnar-locker-ransomware-unlocked-by-deep-instinct/
SHA256: b670441066ff868d06c682e5167b9dbc85b5323f3acfbbc044cabc0e5a594186
SHA1: c24fedb9b8a592722d5a9adb34d276fc3b329d6f
MD5: 00fb3f27bccef7c5658ff9f5ce487cec
M20-c3c01 | Maze_8bb9bf4b | Windows | This strike sends a malware sample known as Maze. Maze malware, also known as ChaCha ransomware, is known not only for encrypting files on the targeted system but also for releasing stolen victim information to the public if the ransom is not paid. The ransomware has been delivered via several methods, including exploit kits, remote desktop connections and phishing emails. This malware also utilizes many anti-reversing and anti-analysis features that make examining it much more difficult. | 8bb9bf4b8be1141c4cdc4d435bfe7d0e | https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ransomware-maze/
SHA256: 0fb01d846e2682ed2507367d2d4537c45800304410b270a13e94f1ca778d161e
SHA1: dfc77a86fb58c2aa04b6b0399eea6dd0d642baa0
MD5: 8bb9bf4b8be1141c4cdc4d435bfe7d0e
M20-lx201 | Maze_8540030a | Windows | This strike sends a malware sample known as Maze. Maze malware, also known as ChaCha ransomware, is known not only for encrypting files on the targeted system but also for releasing stolen victim information to the public if the ransom is not paid. The ransomware has been delivered via several methods, including exploit kits, remote desktop connections and phishing emails. This malware also utilizes many anti-reversing and anti-analysis features that make examining it much more difficult. | 8540030a0ea3e18e84af7ce026ab9cad | https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ransomware-maze/
SHA256: a6ac82fc87e552476a77c8d22e2d1d64fa17cc3dea9f428a53776354c97825b2
SHA1: 4ccfe4cf5839024e768520c63e3a1982eee092f0
MD5: 8540030a0ea3e18e84af7ce026ab9cad
M20-nwz01 | Maze_2fbd1097 | Mixed | This strike sends a malware sample known as Maze. Maze malware, also known as ChaCha ransomware, is known not only for encrypting files on the targeted system but also for releasing stolen victim information to the public if the ransom is not paid. The ransomware has been delivered via several methods, including exploit kits, remote desktop connections and phishing emails. This malware also utilizes many anti-reversing and anti-analysis features that make examining it much more difficult. | 2fbd10975ee65845a18af6b7488a5236 | https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ransomware-maze/
SHA256: 7e3ab96d2628e0a9970802b47d0356dc9b99994d7f98492d4e70a5384891695a
SHA1: 9806dfc1cf337f4f27c3469ba40f6c189b6d20c8
MD5: 2fbd10975ee65845a18af6b7488a5236
M20-69e01 | GenericKidz_c2896bc7 | Windows | This strike sends a malware sample known as GenericKidz. GenericKidz is a Delphi application that installs the Hawkeye spyware. It utilizes the Windows Autostart registry key to achieve persistence upon a system reboot. | c2896bc7bc97a3d4b93539403649fa9d | https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.html
SHA256: ce44dd760f7ac7402279368416c194c993f454ddb2e88a72bb73354f454c4d40
SHA1: 5b3c86aa0cc8431f583885933db61c13c4e35b69
MD5: c2896bc7bc97a3d4b93539403649fa9d
M20-2bn01 | Cerber_690b5684 | Windows | This strike sends a malware sample known as Cerber. Cerber is ransomware that encrypts documents, photos, databases and other important files using the file extension ".cerber". | 690b5684c5a82b42b22d54e3691903d4 | https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.html
SHA256: 15c3a3254008702641bdf20c7e32bd5afd317bde685c21a38a6e00eabd9d91a7
SHA1: 717bd79ba156d417694c95a8570174a615a601d2
MD5: 690b5684c5a82b42b22d54e3691903d4
M20-5uy01 | Cerber_694d096a | Windows | This strike sends a malware sample known as Cerber. Cerber is ransomware that encrypts documents, photos, databases and other important files using the file extension ".cerber". | 694d096af90e04bf409c0633179789f7 | https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.html
SHA256: 072a4c4b5d8d97d3d9c678aacf7d9a73609e346ae563b330098ac20c4dd3945d
SHA1: 4c4c0bd798b9556ebb18e2248f37284dc71438a2
MD5: 694d096af90e04bf409c0633179789f7
M20-dys01 | Cerber_f3b921b7 | Windows | This strike sends a malware sample known as Cerber. Cerber is ransomware that encrypts documents, photos, databases and other important files using the file extension ".cerber". | f3b921b7d63f3f99bef732169ed4dfde | https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.html
SHA256: 0b4eaa008cf3fa9b5b9e2413d520fc8e20c9f826976a1c48040644148a9d176a
SHA1: c1b39c48d31fa2cc8401a9bf8aa79890217bc6b9
MD5: f3b921b7d63f3f99bef732169ed4dfde
M20-u2w01 | Cerber_fffc65ba | Windows | This strike sends a malware sample known as Cerber. Cerber is ransomware that encrypts documents, photos, databases and other important files using the file extension ".cerber". | fffc65baf12eaa1897d15d4cb99dd885 | https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.html
SHA256: 081992320357213e05b0c14f914f85dc108ccd96c442ed01c2e0a929c28081ba
SHA1: 4ff489628198bb7380b3dfd365a4e9672c0b58b8
MD5: fffc65baf12eaa1897d15d4cb99dd885
M20-dkg01 | Maze_c09af442 | Mixed | This strike sends a malware sample known as Maze. Maze malware, also known as ChaCha ransomware, is known not only for encrypting files on the targeted system but also for releasing stolen victim information to the public if the ransom is not paid. The ransomware has been delivered via several methods, including exploit kits, remote desktop connections and phishing emails. This malware also utilizes many anti-reversing and anti-analysis features that make examining it much more difficult. | c09af442e8c808c953f4fa461956a30f | https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ransomware-maze/
SHA256: 97043f23defd510607ff43201bb03b9916a23bd71b5bdf97db357e5026732506
SHA1: 7b0b06069aca88f8d13176be5b285194f546904a
MD5: c09af442e8c808c953f4fa461956a30f
M20-uv601 | Maze_e5f4b224 | Windows | This strike sends a malware sample known as Maze. Maze malware, also known as ChaCha ransomware, is known not only for encrypting files on the targeted system but also for releasing stolen victim information to the public if the ransom is not paid. The ransomware has been delivered via several methods, including exploit kits, remote desktop connections and phishing emails. This malware also utilizes many anti-reversing and anti-analysis features that make examining it much more difficult. | e5f4b2242a57b3f00c2c4feee2df9671 | https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ransomware-maze/
SHA256: 042273f30363405ee416ca4dae6f0279668dfc5ea742c0e265b9553798a90ae5
SHA1: a62d4bf7b4d0e04b681f18ffaa2b904caf47920d
MD5: e5f4b2242a57b3f00c2c4feee2df9671
M20-0qk01 | Cerber_57a5aaec | Windows | This strike sends a polymorphic malware sample known as Cerber. Cerber is ransomware that encrypts documents, photos, databases and other important files using the file extension ".cerber". The binary has random contents appended in one of the existing sections in the PE file format. | 57a5aaecd4fd8261c9d527599d42a9b0 | https://arxiv.org/abs/1801.08917
SHA256: 710a4e7339bbe22a8cf32d5eb626846893f6900ff508e2c883cde8ab6a92edcf
SHA1: a0e198df945392f5ec4d38436fa422322bb61eca
PARENTID: M20-qcm01
SSDEEP: 6144:qPvsAaRn+h+/qM5gEZGmJ4swsCTUrHvHP/jvHbfbU4RtwI5Mg8QC1N1u:eGRn+4d57ZGy4D3KwcMgilu
MD5: 57a5aaecd4fd8261c9d527599d42a9b0
M20-a6d01 | Cerber_2fc84f19 | Windows | This strike sends a malware sample known as Cerber. Cerber is ransomware that encrypts documents, photos, databases and other important files using the file extension ".cerber". | 2fc84f19ff76dbd2eb9ea2a66167ed29 | https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.html
SHA256: 18f9701f2516d860384b0796815c163f2c7b2dd5cde6d8d1b479a3d68d65a194
SHA1: 1e202a09cc2f384e14bae9ca44b739ed273d5e00
MD5: 2fc84f19ff76dbd2eb9ea2a66167ed29
M20-ey101 | Maze_b02be7a3 | Windows | This strike sends a malware sample known as Maze. Maze malware, also known as ChaCha ransomware, is known not only for encrypting files on the targeted system but also for releasing stolen victim information to the public if the ransom is not paid. The ransomware has been delivered via several methods, including exploit kits, remote desktop connections and phishing emails. This malware also utilizes many anti-reversing and anti-analysis features that make examining it much more difficult. | b02be7a336dcc6635172e0d6ec24c554 | https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ransomware-maze/
SHA256: 0f1cbf09b19fc9963742e3f60def1434fa86ac760790fb974a6b5fcd81b4881f
SHA1: a58b45f6ac4c4fbcf938de01ee1e585fe3715fd6
MD5: b02be7a336dcc6635172e0d6ec24c554
M20-9l601 | Chthonic_431bae5b | Windows | This strike sends a malware sample known as Chthonic. Chthonic is a banking trojan that is normally delivered by the attacker via phishing emails. Its purpose is to exfiltrate sensitive credentials from the victim machine, and it has also been seen delivering other malware, such as AZORult, to perform additional functionality. | 431bae5bc5941c98f202be23a406a073 | https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.html
SHA256: 781a3db07da4ed20bbcfa7c481c525cf6282b0f9eb3fbdfff0baa2356294bb34
SHA1: 2c68a36590f77ef2c3a8f46e95faff59f58225ea
MD5: 431bae5bc5941c98f202be23a406a073
M20-rgm01 | Ragnar | Windows | This strike sends a malware sample known as Ragnar Locker. Ragnar Locker is ransomware that encrypts infected systems and demands a bitcoin ransom in order to decrypt the data. It infects these systems through unsecured RDP connections, and then uses MSP tools to push PowerShell scripts to all available endpoints. These scripts then download a payload from Pastebin that executes the ransomware. | 6171000983cf3896d167e0d8aa9b94ba | https://www.deepinstinct.com/2020/04/27/ragnar-locker-ransomware-unlocked-by-deep-instinct/
SHA256: 9bdd7f965d1c67396afb0a84c78b4d12118ff377db7efdca4a1340933120f376
SHA1: b155264bbfbad7226b5eb3be2ab38c3ecd9f3e18
MD5: 6171000983cf3896d167e0d8aa9b94ba
M20-wlr01 | GenericKidz_3c885353 | Windows | This strike sends a malware sample known as GenericKidz. GenericKidz is a Delphi application that installs the Hawkeye spyware. It utilizes the Windows Autostart registry key to achieve persistence upon a system reboot. | 3c885353717f05e99153623439feda5e | https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.html
SHA256: 47083ad7c0c9741e69eb4575f4b89b999519e80e044839edf3cc3fb228b9733b
SHA1: a1dba065907f493429ee9e62f85eaed8ba57a654
MD5: 3c885353717f05e99153623439feda5e
M20-8lt01 | GenericKidz_7bb5c3fe | Windows | This strike sends a malware sample known as GenericKidz. GenericKidz is a Delphi application that installs the Hawkeye spyware. It utilizes the Windows Autostart registry key to achieve persistence upon a system reboot. | 7bb5c3fed88c6e84f6d6f731d4de6210 | https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.html
SHA256: 7902a68c192bef55edd8429d07c6bbcbe30c601a3fc41d35186eb4cb0592f1f1
SHA1: a4897fa9bd44e46e1415c77a0e0fa54ebb93455e
MD5: 7bb5c3fed88c6e84f6d6f731d4de6210
M20-hji01 | SNAKE_3d1cc4ef | Windows | This strike sends a malware sample known as SNAKE. SNAKE, also known as EKANS, is ransomware that encrypts all processes related to SCADA systems, virtual machines, industrial control systems, remote management tools, and various other network software on a system. The purpose of this ransomware is to go after all devices that are connected to the target rather than one specific machine. The malware is written in Golang and contains a higher level of obfuscation than is typically seen in ransomware. | 3d1cc4ef33bad0e39c757fce317ef82a | https://www.tripwire.com/state-of-security/security-data-protection/massive-spike-in-snake-ransomware-activity-attributed-to-new-campaign/ ; https://twitter.com/VK_Intel/status/1214333066245812224
SHA256: e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60
SHA1: f34e4b7080aa2ee5cfee2dac38ec0c306203b4ac
MD5: 3d1cc4ef33bad0e39c757fce317ef82a
M20-uy601 | Maze_b6786f14 | Windows | This strike sends a malware sample known as Maze. Maze malware, also known as ChaCha ransomware, is known not only for encrypting files on the targeted system but also for releasing stolen victim information to the public if the ransom is not paid. The ransomware has been delivered via several methods, including exploit kits, remote desktop connections and phishing emails. This malware also utilizes many anti-reversing and anti-analysis features that make examining it much more difficult. | b6786f141148925010122819047d1882 | https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ransomware-maze/
SHA256: c84b2c7ec20dd835ece13d5ae42b30e02a9e67cc13c831ae81d85b49518387b9
SHA1: 9e6e19c145cbf359c0a151b38d17e30ccbad6f4b
MD5: b6786f141148925010122819047d1882
M20-p4x01 | Ragnar | Windows | This strike sends a polymorphic malware sample known as Ragnar Locker. Ragnar Locker is ransomware that encrypts infected systems and demands a bitcoin ransom in order to decrypt the data. It infects these systems through unsecured RDP connections, and then uses MSP tools to push PowerShell scripts to all available endpoints. These scripts then download a payload from Pastebin that executes the ransomware. The binary has random contents appended in one of the existing sections in the PE file format. | f64a645f4d106e30cfbf076d43b40528 | https://arxiv.org/abs/1801.08917
SHA256: f462c3d2797b8d9b580a5749cae74c92f5841e6bf80100fdaaad976cf60c2aad
SHA1: c584c9a6ade80fd1f890b70fd288c9365487f0bd
PARENTID: M20-kcc01
SSDEEP: 768:BpBsvKMNyoq65co7Bjd/3oqab0k3R2pXlj+Cnk:BpPM4o4qFoqaXC+L
MD5: f64a645f4d106e30cfbf076d43b40528
M20-her01 | Cerber_f53c055c | Windows | This strike sends a malware sample known as Cerber. Cerber is ransomware that encrypts documents, photos, databases and other important files using the file extension ".cerber". | f53c055c2838d768ef530df3825188e2 | https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.html
SHA256: 078398933742904fe3bf5aeb856505bac9a255a1c1eeddf9705c29d411a7bee8
SHA1: 3303ae2218362ad4012d24369eda1e35e066f604
MD5: f53c055c2838d768ef530df3825188e2
M20-0i501 | Maze_c9ea6430 | Windows | This strike sends a malware sample known as Maze. Maze malware, also known as ChaCha ransomware, is known not only for encrypting files on the targeted system but also for releasing stolen victim information to the public if the ransom is not paid. The ransomware has been delivered via several methods, including exploit kits, remote desktop connections and phishing emails. This malware also utilizes many anti-reversing and anti-analysis features that make examining it much more difficult. | c9ea6430da4e72b672ce29e56ecad603 | https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ransomware-maze/
SHA256: dee863ffa251717b8e56a96e2f9f0b41b09897d3c7cb2e8159fcb0ac0783611b
SHA1: 31c3f7b523e1e406d330958e28882227765c3c5e
MD5: c9ea6430da4e72b672ce29e56ecad603
M20-bnh01 | GenericKidz_f70fe9f1 | Windows | This strike sends a malware sample known as GenericKidz. GenericKidz is a Delphi application that installs the Hawkeye spyware. It utilizes the Windows Autostart registry key to achieve persistence upon a system reboot. | f70fe9f15d99e75b4151878b2a529d7c | https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.html
SHA256: 1844b3b59e94ea263279fe882a6652fe936a0b0b13bbd21f1d3cd609aacf9b07
SHA1: b82f782be065a159f6fe77b374071635a9ddfe0c
MD5: f70fe9f15d99e75b4151878b2a529d7c
M20-onw01 | Ragnar | Windows | This strike sends a malware sample known as Ragnar Locker. Ragnar Locker is ransomware that encrypts infected systems and demands a bitcoin ransom in order to decrypt the data. It infects these systems through unsecured RDP connections, and then uses MSP tools to push PowerShell scripts to all available endpoints. These scripts then download a payload from Pastebin that executes the ransomware. | 0fbbc59d4fe280a55c1fb6f5502c1e73 | https://www.deepinstinct.com/2020/04/27/ragnar-locker-ransomware-unlocked-by-deep-instinct/
SHA256: 63096f288f49b25d50f4aea52dc1fc00871b3927fa2a81fa0b0d752b261a3059
SHA1: af53890ed1d4753e7493d48862bdd7d18a2b11f6
MD5: 0fbbc59d4fe280a55c1fb6f5502c1e73
M20-qsb01 | Ragnar | Windows | This strike sends a malware sample known as Ragnar Locker. Ragnar Locker is ransomware that encrypts infected systems and demands a bitcoin ransom in order to decrypt the data. It infects these systems through unsecured RDP connections, and then uses MSP tools to push PowerShell scripts to all available endpoints. These scripts then download a payload from Pastebin that executes the ransomware. | 7529e3c83618f5e3a4cc6dbf3a8534a6 | https://www.deepinstinct.com/2020/04/27/ragnar-locker-ransomware-unlocked-by-deep-instinct/
SHA256: ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597
SHA1: 0f944504eebfca5466b6113853b0d83e38cf885a
MD5: 7529e3c83618f5e3a4cc6dbf3a8534a6
M20-bc001 | Cerber_608b841c | Windows | This strike sends a malware sample known as Cerber. Cerber is ransomware that encrypts documents, photos, databases and other important files using the file extension ".cerber". | 608b841c52758d52facc067c443706fc | https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.html
SHA256: 0a280fb6afce1778478df3f8b1f962ea46aa865b27c88d7ca75368029580773e
SHA1: 767621b4d4c9d31074a670ed747becfce0cfc386
MD5: 608b841c52758d52facc067c443706fc
M20-a3d01 | GenericKidz_5a99a2dd | Windows | This strike sends a malware sample known as GenericKidz. GenericKidz is a Delphi application that installs the Hawkeye spyware. It utilizes the Windows Autostart registry key to achieve persistence upon a system reboot. | 5a99a2dd0525714396061c7504ea20fe | https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.html
SHA256: ab5d820fc7e40a39109653d0601d337487ed8b329a9a98fef128d29dd86d0a02
SHA1: 272d1ba756bff3795113d6d8c09fabb184b34667
MD5: 5a99a2dd0525714396061c7504ea20fe
M20-u9801 | Chthonic_c8bba81e | Windows | This strike sends a malware sample known as Chthonic. Chthonic is a banking trojan that is normally delivered by the attacker via phishing emails. Its purpose is to exfiltrate sensitive credentials from the victim machine, and it has also been seen delivering other malware, such as AZORult, to perform additional functionality. | c8bba81ea0611dbc891c3758147b6fae | https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.html
SHA256: 5dd350e1e1f1ed234d2c90e8b5f67e5e101362e03ae00f10b824c7f00f8660cd
SHA1: c741bd252b54ea2f4cf485777c19acfc74e8792a
MD5: c8bba81ea0611dbc891c3758147b6fae
M20-gie01 | Chthonic_502b1b65 | Windows | This strike sends a malware sample known as Chthonic. Chthonic is a banking trojan that is normally delivered by the attacker via phishing emails. Its purpose is to exfiltrate sensitive credentials from the victim machine, and it has also been seen delivering other malware, such as AZORult, to perform additional functionality. | 502b1b65f1c1a4fd2361d099e974a898 | https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.html
SHA256: 7e5bc9f6c66a319309e81857b8232fc05acc203522d9114b9e3cc5f54c1b9986
SHA1: c31e6f03bfe79598958b22c773d621104a89bd64
MD5: 502b1b65f1c1a4fd2361d099e974a898
M20-tw901 | Chthonic_370baeff | Windows | This strike sends a malware sample known as Chthonic. Chthonic is a banking trojan that is normally delivered by the attacker via phishing emails. Its purpose is to exfiltrate sensitive credentials from the victim machine, and it has also been seen delivering other malware, such as AZORult, to perform additional functionality. | 370baeff15dcd74c3ed1b9fd1128a962 | https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.html
SHA256: 63394c768a993b74c0e06aabda3fee9a9a67571764ffe60353347b0315e6c87c
SHA1: e1f7316b11a02b3bea58d02fe05a53bc8a903e36
MD5: 370baeff15dcd74c3ed1b9fd1128a962
M20-dw101 | GenericKidz_e3c0bf52 | Windows | This strike sends a malware sample known as GenericKidz. GenericKidz is a Delphi application that installs the Hawkeye spyware. It utilizes the Windows Autostart registry key to achieve persistence upon a system reboot. | e3c0bf52abab62e7f6427d7984a30509 | https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.html
SHA256: 454100af51eec868d71d2994dc370aad164375d4b640bfddce831ee3fa940b8f
SHA1: 40c5576699e1c003a3a9c12da8a173729d31af07
MD5: e3c0bf52abab62e7f6427d7984a30509
M20-daf01 | Cerber_af3cc204 | Windows | This strike sends a malware sample known as Cerber. Cerber is ransomware that encrypts documents, photos, databases and other important files using the file extension ".cerber". | af3cc2049b1c06a001a456e2bb2caf66 | https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.html
SHA256: 0230d78c972d399f627b228776f2d8e96b717da068a128ace4b69067419708d6
SHA1: b1f164a36fab8cde80f2dc3fa04554558e27519d
MD5: af3cc2049b1c06a001a456e2bb2caf66
M20-m2h01 | Chthonic_bb5fbb93 | Windows | This strike sends a malware sample known as Chthonic. Chthonic is a banking trojan that is normally delivered by the attacker via phishing emails. Its purpose is to exfiltrate sensitive credentials from the victim machine, and it has also been seen delivering other malware, such as AZORult, to perform additional functionality. | bb5fbb9372ad0247b0bbdff420a0a477 | https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.html
SHA256: 2ff4747e01031d470d5feae7e5073aa34aff489f29cbed18502960baf7dcfebe
SHA1: bdf60ae370120d75a827ea8e85833cab106b9d34
MD5: bb5fbb9372ad0247b0bbdff420a0a477
M20-qcm01 | Cerber_a209900f | Windows | This strike sends a malware sample known as Cerber. Cerber is ransomware that encrypts documents, photos, databases and other important files using the file extension ".cerber". | a209900fe0ec106ab8c651a7cbc99aa5 | https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.html
SHA256: 1ba1f09c7e2fd18f2577a62a3103461c1f09610304571e1eb055687a65b03fae
SHA1: 11a4e53f43e2f5a3fc3596862822b9e527f99990
MD5: a209900fe0ec106ab8c651a7cbc99aa5
M20-dk201 | Cerber_3af67275 | Windows | This strike sends a malware sample known as Cerber. Cerber is ransomware that encrypts documents, photos, databases and other important files using the file extension ".cerber". | 3af672751c54a91f1175397ee62e536d | https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.html
SHA256: 11bc5389a0c2d2f5a5fd68630cd8e46f3fdcb3ba434492e7ee71544a70986930
SHA1: ea6cc3dfb1248ba82d270a5024f416fb322cb95a
MD5: 3af672751c54a91f1175397ee62e536d
M20-ogi01 | Ragnar | Windows | This strike sends a malware sample known as Ragnar Locker. Ragnar Locker is ransomware that encrypts infected systems and demands a bitcoin ransom in order to decrypt the data. It infects these systems through unsecured RDP connections, and then uses MSP tools to push PowerShell scripts to all available endpoints. These scripts then download a payload from Pastebin that executes the ransomware. | 5b06303cdf191dae161e849841f8aff4 | https://www.deepinstinct.com/2020/04/27/ragnar-locker-ransomware-unlocked-by-deep-instinct/
SHA256: 5fc6f4cfb0d11e99c439a13b6c247ec3202a9a343df63576ce9f31cffcdbaf76
SHA1: 64b99b55f0a1ec4f8f30897a460c574300a8acbd
MD5: 5b06303cdf191dae161e849841f8aff4

Malware Strikes April - 2020

Strike ID | Malware | Platform | Info | MD5 | External References
M20-mjm01 | Kwampirs_bfc12d23 | Windows | This strike sends a malware sample known as Kwampirs. Kwampirs is a modular RAT that creates a back door on the victim machine. Once a host is infected, it attempts to propagate itself within the target network, gather information, and provide the attacker with remote access. It then communicates with a command and control server to perform additional functionality. Recently it has been seen targeting the public health care sector during the COVID-19 pandemic. | bfc12d23196ea7bfd712955dde3d2d85 | https://www.bankinfosecurity.com/fbi-warns-kwampirs-malware-supply-chain-attacks-a-14037 ; https://blog.reversinglabs.com/blog/unpacking-kwampirs-rat
SHA256: 425080dcf9901b5e6f195858c2191aba39892feedfd4955fc6fa9cfb42004b80
SHA1: fa8da972bc926d76cc817e3770a971278c4ce724
MD5: bfc12d23196ea7bfd712955dde3d2d85
M20-8yb01 | Kuluoz_4f01e4bf | Windows | This strike sends a malware sample known as Kuluoz. Kuluoz, also called Asprox, is a remote access trojan that has been known to download and execute additional malware such as fake antivirus software. | 4f01e4bf0820972e5de9a7acfdb38e5f | https://blog.talosintelligence.com/2020/04/threat-roundup-0326-0403.html
SHA256: 11f515b2c3e828864f0067242ffc9f27439c3f978f9a5a21303c44942946aa65
SHA1: 62f31f77480e9ecd9f8759cdcf762aca867c99d8
MD5: 4f01e4bf0820972e5de9a7acfdb38e5f
M20-7ua01 | Kwampirs_348410b4 | Windows | This strike sends a malware sample known as Kwampirs. Kwampirs is a modular RAT that creates a back door on the victim machine. Once a host is infected, it attempts to propagate itself within the target network, gather information, and provide the attacker with remote access. It then communicates with a command and control server to perform additional functionality. Recently it has been seen targeting the public health care sector during the COVID-19 pandemic. | 348410b4d1610db75dd21935425fd9cf | https://www.bankinfosecurity.com/fbi-warns-kwampirs-malware-supply-chain-attacks-a-14037 ; https://blog.reversinglabs.com/blog/unpacking-kwampirs-rat
SHA256: 8634fb9a62244dfc9aa9d657e1b120519fb560a1c7472e4b072a694db8d8759e
SHA1: e33afdbbbb7a31d9f4ad659d7d7b2417dcbc3081
MD5: 348410b4d1610db75dd21935425fd9cf
M20-hri01 | Kwampirs_2e616c67 | Windows | This strike sends a malware sample known as Kwampirs. Kwampirs is a modular RAT that creates a back door on the victim machine. Once a host is infected, it attempts to propagate itself within the target network, gather information, and provide the attacker with remote access. It then communicates with a command and control server to perform additional functionality. Recently it has been seen targeting the public health care sector during the COVID-19 pandemic. | 2e616c67365340079d96e8319025c78b | https://www.bankinfosecurity.com/fbi-warns-kwampirs-malware-supply-chain-attacks-a-14037 ; https://blog.reversinglabs.com/blog/unpacking-kwampirs-rat
SHA256: bb88c94b719f226f871d5e537386316a2bfe13be5f326685d7399d53666fb5c4
SHA1: e1e1598167489aafde1ea2cd9004ee73eff40bb6
MD5: 2e616c67365340079d96e8319025c78b
M20-tkb01 | Kwampirs_bc2d6299 | Windows | This strike sends a malware sample known as Kwampirs. Kwampirs is a modular RAT that creates a back door on the victim machine. Once a host is infected, it attempts to propagate itself within the target network, gather information, and provide the attacker with remote access. It then communicates with a command and control server to perform additional functionality. Recently it has been seen targeting the public health care sector during the COVID-19 pandemic. | bc2d6299417def3b7a8360b3c86809ec | https://www.bankinfosecurity.com/fbi-warns-kwampirs-malware-supply-chain-attacks-a-14037 ; https://blog.reversinglabs.com/blog/unpacking-kwampirs-rat
SHA256: 9c531de46386e7435d40a9c81365874181696adb42ff38af4350b69ec53f6456
SHA1: e19b5a0c8f1acd01feaf7cf9bd91bea0c9da38c0
MD5: bc2d6299417def3b7a8360b3c86809ec
M20-qm101 | Kuluoz_f168c072 | Windows | This strike sends a malware sample known as Kuluoz. Kuluoz, also called Asprox, is a remote access trojan that has been known to download and execute additional malware such as fake antivirus software. | f168c072cd2e59fd7dbbb9cfe0316bc1 | https://blog.talosintelligence.com/2020/04/threat-roundup-0326-0403.html
SHA256: 13c78ebcfe7cb52b9a3dd8324b761585e99a96761ecf1f70d4f7370163597384
SHA1: cc3dbf850931e54260da77385385e8c88221ada2
MD5: f168c072cd2e59fd7dbbb9cfe0316bc1
M20-6cw01 | Kwampirs_c26b8d93 | Windows | This strike sends a malware sample known as Kwampirs. Kwampirs is a modular RAT that creates a back door on the victim machine. Once a host is infected, it attempts to propagate itself within the target network, gather information, and provide the attacker with remote access. It then communicates with a command and control server to perform additional functionality. Recently it has been seen targeting the public health care sector during the COVID-19 pandemic. | c26b8d939c03328b14e3f13e754d5ca2 | https://www.bankinfosecurity.com/fbi-warns-kwampirs-malware-supply-chain-attacks-a-14037 ; https://blog.reversinglabs.com/blog/unpacking-kwampirs-rat
SHA256: 450aad84166d9a9d64e4f7d0db161057f88fd167154e4bde2da43a2fd67910ba
SHA1: f0ce612f2a1ef0273b14bed12d3440864c13f995
MD5: c26b8d939c03328b14e3f13e754d5ca2
Strike ID: M20-7j901
Malware: Kwampirs_b3ebaa04
Platform: Windows
Info: This strike sends a malware sample known as Kwampirs. Kwampirs is a modular RAT that creates a back door on the victim machine. Once infected, it attempts to propagate itself within the target network, gather information, and provide the attacker with remote access. It then communicates with a command-and-control server to perform additional functionality. Recently it has been seen targeting the public health care sector during the COVID-19 pandemic.
External References: https://www.bankinfosecurity.com/fbi-warns-kwampirs-malware-supply-chain-attacks-a-14037
https://blog.reversinglabs.com/blog/unpacking-kwampirs-rat
SHA256: 99e88408894b61903d57c8c10ebb806ddb8ca4b530a8778e8cb2fae0294243ac
SHA1: e4b51cd8b5a29cc26079a1e7d4fb8e2e94393676
MD5: b3ebaa0495777a8e5f06ef931174a500
Strike ID: M20-c0i01
Malware: Kwampirs_463a1632
Platform: Windows
Info: This strike sends a malware sample known as Kwampirs. Kwampirs is a modular RAT that creates a back door on the victim machine. Once infected, it attempts to propagate itself within the target network, gather information, and provide the attacker with remote access. It then communicates with a command-and-control server to perform additional functionality. Recently it has been seen targeting the public health care sector during the COVID-19 pandemic.
External References: https://www.bankinfosecurity.com/fbi-warns-kwampirs-malware-supply-chain-attacks-a-14037
https://blog.reversinglabs.com/blog/unpacking-kwampirs-rat
SHA256: e3bc08f7a12f9b68a73de99ecd0aaef1447bbbba9e35f518d42fd0e751be858f
SHA1: ef3c670cb2d5b05fcd5d2e1bb9f049ea1e2f5ed9
MD5: 463a1632907f80e7598f42a7c5071be5
Strike ID: M20-z8b01
Malware: Kwampirs_56dd0e33
Platform: Windows
Info: This strike sends a malware sample known as Kwampirs. Kwampirs is a modular RAT that creates a back door on the victim machine. Once infected, it attempts to propagate itself within the target network, gather information, and provide the attacker with remote access. It then communicates with a command-and-control server to perform additional functionality. Recently it has been seen targeting the public health care sector during the COVID-19 pandemic.
External References: https://www.bankinfosecurity.com/fbi-warns-kwampirs-malware-supply-chain-attacks-a-14037
https://blog.reversinglabs.com/blog/unpacking-kwampirs-rat
SHA256: a5e5b4e6caf7ac3ac8d9b7b3527f767ff011d138246686822fea213a3b0597fc
SHA1: a2a7b97eded34a1df262933e985355e0ba7625bd
MD5: 56dd0e334ee817730e41b64b4306599e
Strike ID: M20-gwq01
Malware: Kwampirs_40fe7da3
Platform: Windows
Info: This strike sends a malware sample known as Kwampirs. Kwampirs is a modular RAT that creates a back door on the victim machine. Once infected, it attempts to propagate itself within the target network, gather information, and provide the attacker with remote access. It then communicates with a command-and-control server to perform additional functionality. Recently it has been seen targeting the public health care sector during the COVID-19 pandemic.
External References: https://www.bankinfosecurity.com/fbi-warns-kwampirs-malware-supply-chain-attacks-a-14037
https://blog.reversinglabs.com/blog/unpacking-kwampirs-rat
SHA256: 871735d4fd0909ef5cd4873576871c55bb1b2836432ed84f36653076e8b14dd9
SHA1: fcb1540ddcff5ae7c606714a14df898d026e523a
MD5: 40fe7da3625ae67e51743b93dd5b6a13
Strike ID: M20-pjy01
Malware: Kwampirs_955baf08
Platform: Windows
Info: This strike sends a malware sample known as Kwampirs. Kwampirs is a modular RAT that creates a back door on the victim machine. Once infected, it attempts to propagate itself within the target network, gather information, and provide the attacker with remote access. It then communicates with a command-and-control server to perform additional functionality. Recently it has been seen targeting the public health care sector during the COVID-19 pandemic.
External References: https://www.bankinfosecurity.com/fbi-warns-kwampirs-malware-supply-chain-attacks-a-14037
https://blog.reversinglabs.com/blog/unpacking-kwampirs-rat
SHA256: 14efd1770406b3a76b6134d1f950458cb8cf2a2e60f43c54b6ad23874dc2f7e2
SHA1: fb4bf17060f1bf39ea742dc0549046b8fa446384
MD5: 955baf084fa19f5eff933b676bfed3af
Strike ID: M20-sq901
Malware: Kwampirs_6769be86
Platform: Windows
Info: This strike sends a malware sample known as Kwampirs. Kwampirs is a modular RAT that creates a back door on the victim machine. Once infected, it attempts to propagate itself within the target network, gather information, and provide the attacker with remote access. It then communicates with a command-and-control server to perform additional functionality. Recently it has been seen targeting the public health care sector during the COVID-19 pandemic.
External References: https://www.bankinfosecurity.com/fbi-warns-kwampirs-malware-supply-chain-attacks-a-14037
https://blog.reversinglabs.com/blog/unpacking-kwampirs-rat
SHA256: 0d99096acbf2e894850b02223bab135d1689d4948ac0612cd37fc78a92ee8f6b
SHA1: e96b3fa9a78876b2b8dc06cbd1fce60fb023a6fe
MD5: 6769be8698af885b91e6fcf0f771a1aa
Strike ID: M20-d0h02
Malware: AZORult_cba6b081
Platform: Windows
Info: This strike sends a polymorphic malware sample known as AZORult PE Payload. AZORult is an information stealer that goes after user credentials, information stored by available applications, and other useful system information. It has also been seen running backdoor commands and exploits. This sample is the portable executable payload. The binary has random bytes appended at the end of the file.
External References: https://attack.mitre.org/techniques/T1009/
SHA256: 4ce18913eeb53439349215fb83c639d7b40fcc98eb8974345cedac3c6aae3301
PARENTID: M20-ukj01
SSDEEP: 3072:tuOSXpMx7ZAlHsbfUkolNGti7lfqeSxM3SpyEY3E/rxg/g:Zzx7ZApszolIo7lf/ipT/rN
SHA1: f2f36265101396b644622b26c5d38fcac3574c64
MD5: cba6b081ddffbb34405b400812642d3d
Strike ID: M20-idv01
Malware: Kuluoz_69eeb7c4
Platform: Windows
Info: This strike sends a malware sample known as Kuluoz. Kuluoz, also called Asprox, is a remote access Trojan that has been known to download and execute additional malware such as fake antivirus software.
External References: https://blog.talosintelligence.com/2020/04/threat-roundup-0326-0403.html
SHA256: 063fd1f568e4e29c08cfdc2f811467fda5c04f50bdce08942f4b606750de1183
SHA1: f9c95147a4371ff2f3d1c2c69e8745c314f0e2fc
MD5: 69eeb7c456f01b25c53bddac3e29b9b6
Strike ID: M20-b4q01
Malware: Kwampirs_0ce38c97
Platform: Windows
Info: This strike sends a malware sample known as Kwampirs. Kwampirs is a modular RAT that creates a back door on the victim machine. Once infected, it attempts to propagate itself within the target network, gather information, and provide the attacker with remote access. It then communicates with a command-and-control server to perform additional functionality. Recently it has been seen targeting the public health care sector during the COVID-19 pandemic.
External References: https://www.bankinfosecurity.com/fbi-warns-kwampirs-malware-supply-chain-attacks-a-14037
https://blog.reversinglabs.com/blog/unpacking-kwampirs-rat
SHA256: 19583601fe70c9cf9f0803d43021a3cf381fb84504c9e993f37cb28d93772d5f
SHA1: ead29ee24e4171626cf605dd57e73c6e85540510
MD5: 0ce38c97cc477dc03787c25069c48739
Strike ID: M20-w4u01
Malware: Kuluoz_caefc5b0
Platform: Windows
Info: This strike sends a polymorphic malware sample known as Kuluoz. Kuluoz, also called Asprox, is a remote access Trojan that has been known to download and execute additional malware such as fake antivirus software. The binary has a section name replaced with a random name that conforms to the PE format specification.
External References: https://arxiv.org/abs/1801.08917
SHA256: dd785f9f99ba2fb7f83364b08215f4ffbea8e4599421ac45f7d6d8219a0f99e7
SHA1: 2166f6a49f698255dd520862cebef9f0de3f6e8c
PARENTID: M20-ig501
SSDEEP: 3072:JWjNsGZ87NxszF4RdY5VahxL/ydhxi/ydhxi/yY904+S:cN5i0Z4g0bypsypsys
MD5: caefc5b0fd7c57a74436864ee5e46511
Strike ID: M20-dpf01
Malware: Kwampirs_92bbf4b7
Platform: Windows
Info: This strike sends a malware sample known as Kwampirs. Kwampirs is a modular RAT that creates a back door on the victim machine. Once infected, it attempts to propagate itself within the target network, gather information, and provide the attacker with remote access. It then communicates with a command-and-control server to perform additional functionality. Recently it has been seen targeting the public health care sector during the COVID-19 pandemic.
External References: https://www.bankinfosecurity.com/fbi-warns-kwampirs-malware-supply-chain-attacks-a-14037
https://blog.reversinglabs.com/blog/unpacking-kwampirs-rat
SHA256: bdd81db9aba8e46d5209193db64c12ed76845243c2a7af68f84eb9002852099b
SHA1: faa09555242edb2cdfcfa4e5513086efbe0ccbf4
MD5: 92bbf4b7efe77048e5abe51c3120b525
Strike ID: M20-ukj01
Malware: AZORult
Platform: Windows
Info: This strike sends a malware sample known as AZORult PE Payload. AZORult is an information stealer that goes after user credentials, information stored by available applications, and other useful system information. It has also been seen running backdoor commands and exploits. This sample is the portable executable payload.
External References: https://blog.talosintelligence.com/2020/04/azorult-brings-friends-to-party.html
https://securityintelligence.com/news/azorult-variant-other-malware-payloads-delivered-by-multi-pronged-attack-campaign/
SHA256: 42525551155fd6f242a62e3202fa3ce8f514a0f9dbe93dff68dcd46c99eaab06
SHA1: 31034e29c3c46fd61c69228cde96ad021a9fcea6
MD5: 4b984851567f9b9a3c3d67669e3ccbc0
Strike ID: M20-kxq01
Malware: Kuluoz_6a908c22
Platform: Windows
Info: This strike sends a malware sample known as Kuluoz. Kuluoz, also called Asprox, is a remote access Trojan that has been known to download and execute additional malware such as fake antivirus software.
External References: https://blog.talosintelligence.com/2020/04/threat-roundup-0326-0403.html
SHA256: 0c5728446d49cf4b34a02020fcf909f5c14e1b7db2adabc5aa92da7d196bf85c
SHA1: fe0e796c56c07d9638495be0e14b45f931e38a52
MD5: 6a908c223f60c2c22dad04c3c65f058e
Strike ID: M20-tmf01
Malware: Kuluoz_c6b0d268
Platform: Windows
Info: This strike sends a malware sample known as Kuluoz. Kuluoz, also called Asprox, is a remote access Trojan that has been known to download and execute additional malware such as fake antivirus software.
External References: https://blog.talosintelligence.com/2020/04/threat-roundup-0326-0403.html
SHA256: 05a92024686eeb71a6999750925231cbe3771816df8220a42cf665e686e55549
SHA1: 33e183f4e25ffcb7c526af6c03ce12153c9be98e
MD5: c6b0d26862a262936e43b641c9925630
Strike ID: M20-jst01
Malware: Kwampirs_1320af98
Platform: Windows
Info: This strike sends a malware sample known as Kwampirs. Kwampirs is a modular RAT that creates a back door on the victim machine. Once infected, it attempts to propagate itself within the target network, gather information, and provide the attacker with remote access. It then communicates with a command-and-control server to perform additional functionality. Recently it has been seen targeting the public health care sector during the COVID-19 pandemic.
External References: https://www.bankinfosecurity.com/fbi-warns-kwampirs-malware-supply-chain-attacks-a-14037
https://blog.reversinglabs.com/blog/unpacking-kwampirs-rat
SHA256: 281c2ad26346305dac90ce33c2c417b6a7271f990ba9fa5c7db65d6f2e501e94
SHA1: f6a555a62e38f52e5d8a42c56cc0f0d6cd3caeaa
MD5: 1320af98b41c67c86a29dd62a183307a
Strike ID: M20-aku01
Malware: Kuluoz_6364f7cc
Platform: Windows
Info: This strike sends a malware sample known as Kuluoz. Kuluoz, also called Asprox, is a remote access Trojan that has been known to download and execute additional malware such as fake antivirus software.
External References: https://blog.talosintelligence.com/2020/04/threat-roundup-0326-0403.html
SHA256: 112f8fc35b1f24a8b44d75350db81f0fe1cd394d2d144aafec7aa497449d8db1
SHA1: 0a20a36faf791acf4e10ef966bd0a7447b2814c1
MD5: 6364f7cc6dc9855eb522a5515e777418
Strike ID: M20-sdo01
Malware: PoetRAT_3aadbf7e
Platform: Mixed
Info: This strike sends a malware sample known as PoetRAT. PoetRAT utilizes a Microsoft Word document to drop a Python-based RAT. The RAT uses several tools and features to control the system, including keyloggers, browser-focused password stealers, camera control applications, credential stealers, and a tool to monitor the hard disk and exfiltrate data automatically.
External References: https://blog.talosintelligence.com/2020/04/poetrat-covid-19-lures.html
SHA256: 208ec23c233580dbfc53aad5655845f7152ada56dd6a5c780d54e84a9d227407
SHA1: 2cf055b3ef60582ca72e77bc4693ea306360f611
MD5: 3aadbf7e527fc1a050e1c97fea1cba4d
Strike ID: M20-c6z01
Malware: AZORult_53392534
Platform: Windows
Info: This strike sends a polymorphic malware sample known as AZORult Dropper. AZORult is an information stealer that goes after user credentials, information stored by available applications, and other useful system information. It has also been seen running backdoor commands and exploits. This sample is the dropper. The binary has been packed with the UPX packer using the default options.
External References: https://attack.mitre.org/techniques/T1045/
SHA256: 10967ea4f859d682a0486783224d9116acfa32ec011fb6665f0a7abf312abac1
PARENTID: M20-awj01
SSDEEP: 3072:b9W4lp3WuHAKC6DBpme8jnj5e8Achfdqpxp:b9LbzeWpm9n9eN4gpxp
SHA1: 35f6030754878fe62f7384b6bfae78c4b5538f46
MD5: 5339253458f04ed8de07632db9482564
Strike ID: M20-n9201
Malware: Kuluoz_3d47b7b4
Platform: Windows
Info: This strike sends a malware sample known as Kuluoz. Kuluoz, also called Asprox, is a remote access Trojan that has been known to download and execute additional malware such as fake antivirus software.
External References: https://blog.talosintelligence.com/2020/04/threat-roundup-0326-0403.html
SHA256: 0d866b232bbc685700e356440283a98d71ed84fa0b3bedca5d7cf5d72b68a903
SHA1: 82c8317a0ffffcce0a00296860adf75786dee038
MD5: 3d47b7b42bcf2d0f05c1a5a19aa29548
Strike ID: M20-3ab01
Malware: Kwampirs_a73c9837
Platform: Windows
Info: This strike sends a malware sample known as Kwampirs. Kwampirs is a modular RAT that creates a back door on the victim machine. Once infected, it attempts to propagate itself within the target network, gather information, and provide the attacker with remote access. It then communicates with a command-and-control server to perform additional functionality. Recently it has been seen targeting the public health care sector during the COVID-19 pandemic.
External References: https://www.bankinfosecurity.com/fbi-warns-kwampirs-malware-supply-chain-attacks-a-14037
https://blog.reversinglabs.com/blog/unpacking-kwampirs-rat
SHA256: 7e5dff0f47d34a4042d76407c48e2ee8862f40f400431bbd4cdbcead8e7d94c7
SHA1: f9ddf240e87c7ec535983a0170f78212f5ffc825
MD5: a73c98373bc3e803f1eece52e3aa92c0
Strike ID: M20-d8201
Malware: Kwampirs_299a1264
Platform: Windows
Info: This strike sends a malware sample known as Kwampirs. Kwampirs is a modular RAT that creates a back door on the victim machine. Once infected, it attempts to propagate itself within the target network, gather information, and provide the attacker with remote access. It then communicates with a command-and-control server to perform additional functionality. Recently it has been seen targeting the public health care sector during the COVID-19 pandemic.
External References: https://www.bankinfosecurity.com/fbi-warns-kwampirs-malware-supply-chain-attacks-a-14037
https://blog.reversinglabs.com/blog/unpacking-kwampirs-rat
SHA256: 6ef0564f3f8d557c9d1bf356f185aeea526c8da76eb31031149f9307dcb6315d
SHA1: fd56b1df8f434297f1696f1e9e42a9a01a98d5bd
MD5: 299a1264c8650963d68b3990d699b204
Strike ID: M20-0mi01
Malware: Kuluoz_c48e7c94
Platform: Windows
Info: This strike sends a polymorphic malware sample known as Kuluoz. Kuluoz, also called Asprox, is a remote access Trojan that has been known to download and execute additional malware such as fake antivirus software. The binary has the timestamp field updated in the PE file header.
External References: https://attack.mitre.org/techniques/T1099/
SHA256: f4b1e476f5b9a416e9487c5372ce7ac8fcfc094e7b589f37a69b5d73d68532b2
SHA1: 40041b3525e181dd75726d1b5e864865d44addfc
PARENTID: M20-lt401
SSDEEP: 3072:RWjNsGZ87NxszF4RdY5gahxL/ydhxi/ydhxi/yY904+S:UN5i0Z4gHbypsypsys
MD5: c48e7c941fbd7e7b9536e812ff279b62
Strike ID: M20-fbe01
Malware: Kwampirs_bfc9cb5b
Platform: Windows
Info: This strike sends a malware sample known as Kwampirs. Kwampirs is a modular RAT that creates a back door on the victim machine. Once infected, it attempts to propagate itself within the target network, gather information, and provide the attacker with remote access. It then communicates with a command-and-control server to perform additional functionality. Recently it has been seen targeting the public health care sector during the COVID-19 pandemic.
External References: https://www.bankinfosecurity.com/fbi-warns-kwampirs-malware-supply-chain-attacks-a-14037
https://blog.reversinglabs.com/blog/unpacking-kwampirs-rat
SHA256: affb49b9fbc05d8497a25639cc4c8dad86e1a48aa8528e3d5c4cf870fb73782a
SHA1: e3cf2e942fb44f6553785f76285213236c1f6519
MD5: bfc9cb5baae165161c98cf23e379f8fe
Strike ID: M20-fr001
Malware: PoetRAT_c87273e7
Platform: Mixed
Info: This strike sends a malware sample known as PoetRAT. PoetRAT utilizes a Microsoft Word document to drop a Python-based RAT. The RAT uses several tools and features to control the system, including keyloggers, browser-focused password stealers, camera control applications, credential stealers, and a tool to monitor the hard disk and exfiltrate data automatically.
External References: https://blog.talosintelligence.com/2020/04/poetrat-covid-19-lures.html
SHA256: ca8492139c556eac6710fe73ba31b53302505a8cc57338e4d2146bdfa8f69bdb
SHA1: bc53315b485f9f4324a8bc3ee86d0f79c1963228
MD5: c87273e7175f9df7e52bab8a030fa22d
Strike ID: M20-8is01
Malware: Kwampirs_2bb3fe6d
Platform: Windows
Info: This strike sends a malware sample known as Kwampirs. Kwampirs is a modular RAT that creates a back door on the victim machine. Once infected, it attempts to propagate itself within the target network, gather information, and provide the attacker with remote access. It then communicates with a command-and-control server to perform additional functionality. Recently it has been seen targeting the public health care sector during the COVID-19 pandemic.
External References: https://www.bankinfosecurity.com/fbi-warns-kwampirs-malware-supply-chain-attacks-a-14037
https://blog.reversinglabs.com/blog/unpacking-kwampirs-rat
SHA256: 034056bdd36c0d4e3142b7dee58adbbbc1b0ec6b0c0a4494fbb1dc1f1bbdf9f7
SHA1: e923e2e9b009b21da711ffee85c09458f926ce43
MD5: 2bb3fe6d45d604ef4d96899c10e096b8
Strike ID: M20-4sa01
Malware: Kwampirs_fe813eca
Platform: Windows
Info: This strike sends a malware sample known as Kwampirs. Kwampirs is a modular RAT that creates a back door on the victim machine. Once infected, it attempts to propagate itself within the target network, gather information, and provide the attacker with remote access. It then communicates with a command-and-control server to perform additional functionality. Recently it has been seen targeting the public health care sector during the COVID-19 pandemic.
External References: https://www.bankinfosecurity.com/fbi-warns-kwampirs-malware-supply-chain-attacks-a-14037
https://blog.reversinglabs.com/blog/unpacking-kwampirs-rat
SHA256: f8538f8d85338666ce7cf6c236614f28c10bcd1622f2c75a51be04dd4ef3c400
SHA1: f5aff67a04385698c9914bc5f1752d6f616d5043
MD5: fe813eca3b9c4ccf4045bc95698bfbce
Strike ID: M20-4r901
Malware: Kwampirs_b4974525
Platform: Windows
Info: This strike sends a malware sample known as Kwampirs. Kwampirs is a modular RAT that creates a back door on the victim machine. Once infected, it attempts to propagate itself within the target network, gather information, and provide the attacker with remote access. It then communicates with a command-and-control server to perform additional functionality. Recently it has been seen targeting the public health care sector during the COVID-19 pandemic.
External References: https://www.bankinfosecurity.com/fbi-warns-kwampirs-malware-supply-chain-attacks-a-14037
https://blog.reversinglabs.com/blog/unpacking-kwampirs-rat
SHA256: 1d5c7ba4432764c37ad7129d71683614ce6ff22e57f10283e7fb615d97097576
SHA1: eaa7f822a241e8a8d3bdead561fbe0e252e09b1e
MD5: b4974525aa971427195984618f81049d
Strike ID: M20-bws01
Malware: Kwampirs_1eaac35f
Platform: Windows
Info: This strike sends a malware sample known as Kwampirs. Kwampirs is a modular RAT that creates a back door on the victim machine. Once infected, it attempts to propagate itself within the target network, gather information, and provide the attacker with remote access. It then communicates with a command-and-control server to perform additional functionality. Recently it has been seen targeting the public health care sector during the COVID-19 pandemic.
External References: https://www.bankinfosecurity.com/fbi-warns-kwampirs-malware-supply-chain-attacks-a-14037
https://blog.reversinglabs.com/blog/unpacking-kwampirs-rat
SHA256: 35650b22305d1f873bb42c6fa6c51735e0d111af70dc833e9e10f65fd58e9c64
SHA1: eaf90f9b077a83ef15c37b9010e10a5adb078d2c
MD5: 1eaac35fb6b44baaeffcc78f6c604133
Strike ID: M20-0vi01
Malware: Kwampirs_92b23881
Platform: Windows
Info: This strike sends a malware sample known as Kwampirs. Kwampirs is a modular RAT that creates a back door on the victim machine. Once infected, it attempts to propagate itself within the target network, gather information, and provide the attacker with remote access. It then communicates with a command-and-control server to perform additional functionality. Recently it has been seen targeting the public health care sector during the COVID-19 pandemic.
External References: https://www.bankinfosecurity.com/fbi-warns-kwampirs-malware-supply-chain-attacks-a-14037
https://blog.reversinglabs.com/blog/unpacking-kwampirs-rat
SHA256: f550e303e4797d3c7172c763b54f99734823db60b654007030299a6a9ee7d1f9
SHA1: f8cb485931e312ff8669445eeb3056f003730b6d
MD5: 92b23881c5cbc0a25ef20c1d68503c1f
Strike ID: M20-nt001
Malware: PoetRAT_ba1618a9
Platform: Mixed
Info: This strike sends a malware sample known as PoetRAT. PoetRAT utilizes a Microsoft Word document to drop a Python-based RAT. The RAT uses several tools and features to control the system, including keyloggers, browser-focused password stealers, camera control applications, credential stealers, and a tool to monitor the hard disk and exfiltrate data automatically.
External References: https://blog.talosintelligence.com/2020/04/poetrat-covid-19-lures.html
SHA256: a703dc8819dca1bc5774de3b6151c355606e7fe93c760b56bc09bcb6f928ba2d
SHA1: a3b6e33901ffc15d15e2f3abae98c6da48727454
MD5: ba1618a981f755eb752aa5dc90bd70a4
Strike ID: M20-58c01
Malware: Kwampirs_3b213939
Platform: Windows
Info: This strike sends a malware sample known as Kwampirs. Kwampirs is a modular RAT that creates a back door on the victim machine. Once infected, it attempts to propagate itself within the target network, gather information, and provide the attacker with remote access. It then communicates with a command-and-control server to perform additional functionality. Recently it has been seen targeting the public health care sector during the COVID-19 pandemic.
External References: https://www.bankinfosecurity.com/fbi-warns-kwampirs-malware-supply-chain-attacks-a-14037
https://blog.reversinglabs.com/blog/unpacking-kwampirs-rat
SHA256: 2d801f75a52f65ffb053ae052cad45a919afd431f5ca46e86abe3d9274c903e4
SHA1: f2f69f9ae77f4f3162e646662bce61593e5265b2
MD5: 3b213939ff31142f96b9bef13c0441cb
Strike ID: M20-lt401
Malware: Kuluoz_2441523b
Platform: Windows
Info: This strike sends a malware sample known as Kuluoz. Kuluoz, also called Asprox, is a remote access Trojan that has been known to download and execute additional malware such as fake antivirus software.
External References: https://blog.talosintelligence.com/2020/04/threat-roundup-0326-0403.html
SHA256: 0836030e21f3bfc2a9be077295b7e3bd1dba6d0492ee1be28d50893e34b9afc1
SHA1: 02d2537cdb592fb07240431738918be2f942932c
MD5: 2441523b665126cefd3634374e0a8463
Strike ID: M20-cyn01
Malware: PoetRAT_213a4ab4
Platform: Mixed
Info: This strike sends a malware sample known as PoetRAT. PoetRAT utilizes a Microsoft Word document to drop a Python-based RAT. The RAT uses several tools and features to control the system, including keyloggers, browser-focused password stealers, camera control applications, credential stealers, and a tool to monitor the hard disk and exfiltrate data automatically.
External References: https://blog.talosintelligence.com/2020/04/poetrat-covid-19-lures.html
SHA256: 5f1c268826ec0dd0aca8c89ab63a8a1de0b4e810ded96cdee4b28108f3476ce7
SHA1: d14c7ea0f4f7269dd1bf10f4f60a5495f3fdc3b2
MD5: 213a4ab4cd98002144bfba75ff2ac67c
Strike ID: M20-3h401
Malware: Kuluoz_9c0eeac9
Platform: Windows
Info: This strike sends a malware sample known as Kuluoz. Kuluoz, also called Asprox, is a remote access Trojan that has been known to download and execute additional malware such as fake antivirus software.
External References: https://blog.talosintelligence.com/2020/04/threat-roundup-0326-0403.html
SHA256: 054616f5a58998b56fd74c244b3403b750f850f51be74ffca96f85fda28d097e
SHA1: 22d201544e548433a94aed72284babc8e3245c63
MD5: 9c0eeac9ffd34e9f36df6bbe2120afc2
Strike ID: M20-ezv01
Malware: Kuluoz_da853467
Platform: Windows
Info: This strike sends a malware sample known as Kuluoz. Kuluoz, also called Asprox, is a remote access Trojan that has been known to download and execute additional malware such as fake antivirus software.
External References: https://blog.talosintelligence.com/2020/04/threat-roundup-0326-0403.html
SHA256: 061608e7d36b4a319eaab7a8690ced8a911b74c703eebffe896879ba2542f513
SHA1: 94cd554739dffe72eea96b676396bfeb1bd284e5
MD5: da8534671e54b7df3f2a89c4a75edac9
Strike ID: M20-bwa01
Malware: Kwampirs_2774a055
Platform: Windows
Info: This strike sends a malware sample known as Kwampirs. Kwampirs is a modular RAT that creates a back door on the victim machine. Once infected, it attempts to propagate itself within the target network, gather information, and provide the attacker with remote access. It then communicates with a command-and-control server to perform additional functionality. Recently it has been seen targeting the public health care sector during the COVID-19 pandemic.
External References: https://www.bankinfosecurity.com/fbi-warns-kwampirs-malware-supply-chain-attacks-a-14037
https://blog.reversinglabs.com/blog/unpacking-kwampirs-rat
SHA256: d7019f753c6f9aae8bca61ce19428b10a4db0f71bbdf59e880fdaf8fc5f2894d
SHA1: eab75c1a9de7d6a58ea08d7e79b52e9eca3e3411
MD5: 2774a0550c668ddc9e73e03a5c9252cc
Strike ID: M20-vvy01
Malware: Kuluoz_a2690790
Platform: Windows
Info: This strike sends a polymorphic malware sample known as Kuluoz. Kuluoz, also called Asprox, is a remote access Trojan that has been known to download and execute additional malware such as fake antivirus software. The binary has random strings (lorem ipsum) appended at the end of the file.
External References: https://attack.mitre.org/techniques/T1009/
SHA256: 30f1327429a525af74e6ccd89203eff1109081c301a96c146c5b4c40a3b15fe9
SHA1: d48fd29583f6e6f002723bece0a917cd7e1a1d7c
PARENTID: M20-ig501
SSDEEP: 3072:lWjNsGZ87NxszF4RdY5VahxL/ydhxi/ydhxi/yY904+SV:QN5i0Z4g0bypsypsysb
MD5: a26907903b88c866a9969bbf192dd893
Strike ID: M20-ig501
Malware: Kuluoz_01141958
Platform: Windows
Info: This strike sends a malware sample known as Kuluoz. Kuluoz, also called Asprox, is a remote access Trojan that has been known to download and execute additional malware such as fake antivirus software.
External References: https://blog.talosintelligence.com/2020/04/threat-roundup-0326-0403.html
SHA256: 111c3fcca78f38d3e6e040e6508e63e912e357b525ffe4ddbae79ef9a462bdf4
SHA1: 8fe5894128e0a2703d4f22d59a5ad7ba56a377d4
MD5: 01141958f63fffc30055c430d1a969d8
Strike ID: M20-jzz01
Malware: Kwampirs_7edf826f
Platform: Windows
Info: This strike sends a malware sample known as Kwampirs. Kwampirs is a modular RAT that creates a back door on the victim machine. Once infected, it attempts to propagate itself within the target network, gather information, and provide the attacker with remote access. It then communicates with a command-and-control server to perform additional functionality. Recently it has been seen targeting the public health care sector during the COVID-19 pandemic.
External References: https://www.bankinfosecurity.com/fbi-warns-kwampirs-malware-supply-chain-attacks-a-14037
https://blog.reversinglabs.com/blog/unpacking-kwampirs-rat
SHA256: 6268f98f907773ca2b56c0e63f3fbd36f49682c76895dc55baca925a9234ff98
SHA1: f71c1430ce202500d1c8352cdfe49e21dbcae930
MD5: 7edf826ffb45cff23654baf4d37b5a10
Strike ID: M20-bee01
Malware: Kuluoz_4e8220dd
Platform: Windows
Info: This strike sends a malware sample known as Kuluoz. Kuluoz, also called Asprox, is a remote access Trojan that has been known to download and execute additional malware such as fake antivirus software.
External References: https://blog.talosintelligence.com/2020/04/threat-roundup-0326-0403.html
SHA256: 091cd8e0f5e0a113493a9d62e063066ba2e5974b432100272454f7170d14be5b
SHA1: bde99929091f9b0185a0b7b74e2aa13549195496
MD5: 4e8220dd5bde304e51244b94487964ce
Strike ID: M20-umm01
Malware: PoetRAT_1195eb1d
Platform: Windows
Info: This strike sends a polymorphic malware sample known as PoetRAT. PoetRAT utilizes a Microsoft Word document to drop a Python-based RAT. The RAT uses several tools and features to control the system, including keyloggers, browser-focused password stealers, camera control applications, credential stealers, and a tool to monitor the hard disk and exfiltrate data automatically. The binary has been packed with the UPX packer using the default options.
External References: https://attack.mitre.org/techniques/T1045/
SHA256: 8a12ea2668def050bdc3131e405f5b71d06fbc7eade18b8396ed82051167c27a
SHA1: 6752ad98661766cecba075a02403b64d6937940e
PARENTID: M20-zw101
SSDEEP: 98304:HtZjr5lMrxp0B1v7Cz/M9Aet17bjCma4WLB3w+vsR2pxSMDAgQwmDWOaKYOFWUZ1:HtB5lMNp01Gz/qthCmWLdi2Xk8mSOFYS
MD5: 1195eb1dcebb1e3dcc0f983a982458e9
Strike ID: M20-jx001
Malware: Kwampirs_cab9736e
Platform: Windows
Info: This strike sends a malware sample known as Kwampirs. Kwampirs is a modular RAT that creates a back door on the victim machine. Once infected, it attempts to propagate itself within the target network, gather information, and provide the attacker with remote access. It then communicates with a command-and-control server to perform additional functionality. Recently it has been seen targeting the public health care sector during the COVID-19 pandemic.
External References: https://www.bankinfosecurity.com/fbi-warns-kwampirs-malware-supply-chain-attacks-a-14037
https://blog.reversinglabs.com/blog/unpacking-kwampirs-rat
SHA256: 92e1cd864e9e3206ef722990b35ad4a84c56b4d883811fea677b9a4c167ba6ac
SHA1: eb5a10fbcbc1c3a64c088641084585468b984394
MD5: cab9736e0fdef8168353196094e1e0d7
Strike ID: M20-pzn02
Malware: Kwampirs_377cd2f0
Platform: Windows
Info: This strike sends a malware sample known as Kwampirs. Kwampirs is a modular RAT that creates a back door on the victim machine. Once infected, it attempts to propagate itself within the target network, gather information, and provide the attacker with remote access. It then communicates with a command-and-control server to perform additional functionality. Recently it has been seen targeting the public health care sector during the COVID-19 pandemic.
External References: https://www.bankinfosecurity.com/fbi-warns-kwampirs-malware-supply-chain-attacks-a-14037
https://blog.reversinglabs.com/blog/unpacking-kwampirs-rat
SHA256: 7b7174262aa74cf3690ca892ea2e600e48d0dc164cd9b9b3cbb04848dd5908a7
SHA1: e6b92e49eca38f59b14df474c48ea4f69e2d7ebd
MD5: 377cd2f08184762391f3e92b057e5ea4
Strike ID: M20-00501
Malware: Kwampirs_12e4e952
Platform: Windows
Info: This strike sends a malware sample known as Kwampirs. Kwampirs is a modular RAT that creates a back door on the victim machine. Once infected, it attempts to propagate itself within the target network, gather information, and provide the attacker with remote access. It then communicates with a command-and-control server to perform additional functionality. Recently it has been seen targeting the public health care sector during the COVID-19 pandemic.
External References: https://www.bankinfosecurity.com/fbi-warns-kwampirs-malware-supply-chain-attacks-a-14037
https://blog.reversinglabs.com/blog/unpacking-kwampirs-rat
SHA256: 83a4acacfbab52117f5a04f90ec9b257247b97b0946470f1de2f8d26bf48c3d6
SHA1: fc98cc0429a922f2af9c9363445970c8966800a7
MD5: 12e4e9525f1aaed19d62565a0f33d565
Strike ID: M20-6hf01
Malware: PoetRAT_5cbc8dbc
Platform: Windows
Info: This strike sends a malware sample known as PoetRAT. PoetRAT utilizes a Microsoft Word document to drop a Python-based RAT. The RAT uses several tools and features to control the system, including keyloggers, browser-focused password stealers, camera control applications, credential stealers, and a tool to monitor the hard disk and exfiltrate data automatically.
External References: https://blog.talosintelligence.com/2020/04/poetrat-covid-19-lures.html
SHA256: 31c327a3be44e427ae062c600a3f64dd9125f67d997715b63df8d6effd609eb3
SHA1: 20fcedc3d6c84d431ffe284e27fc144028873ba7
MD5: 5cbc8dbc73e7c494c5b6ed154fe28f9f
Strike ID: M20-l4p01
Malware: Kuluoz_e96a58d4
Platform: Windows
Info: This strike sends a malware sample known as Kuluoz. Kuluoz, also called Asprox, is a remote access trojan that has been known to download and execute additional malware such as fake antivirus software.
External References: https://blog.talosintelligence.com/2020/04/threat-roundup-0326-0403.html
SHA256: 00e21648fa1bda81b6b37ce8e4ae1c1cc8511f5d4a185d8c6504d09885e74bc6
SHA1: c81d96861a94796cd30196933a7862ff2bf1e2c5
MD5: e96a58d4e68386feb70fcc318470a44f
Strike ID: M20-eew01
Malware: Kwampirs_9dbc26bf
Platform: Windows
Info: This strike sends a malware sample known as Kwampirs. Kwampirs is a modular RAT that creates a backdoor on the victim machine. Once a machine is infected, it attempts to propagate itself within the target network, gather information, and provide the attacker with remote access. It then communicates with a command and control server to perform additional functionality. Recently it has been seen targeting the public health care sector during the COVID-19 pandemic.
External References: https://www.bankinfosecurity.com/fbi-warns-kwampirs-malware-supply-chain-attacks-a-14037
https://blog.reversinglabs.com/blog/unpacking-kwampirs-rat
SHA256: e727ac58f718e54647111cca49d27df7a998a0bea4354c9fd24e0223e01acac7
SHA1: e702b6aaa9120c655ff1abf3c1d4f88150d0879c
MD5: 9dbc26bf806f387403cf58176e6b7802
Strike ID: M20-t9c01
Malware: Kwampirs_072c1260
Platform: Windows
Info: This strike sends a malware sample known as Kwampirs. Kwampirs is a modular RAT that creates a backdoor on the victim machine. Once a machine is infected, it attempts to propagate itself within the target network, gather information, and provide the attacker with remote access. It then communicates with a command and control server to perform additional functionality. Recently it has been seen targeting the public health care sector during the COVID-19 pandemic.
External References: https://www.bankinfosecurity.com/fbi-warns-kwampirs-malware-supply-chain-attacks-a-14037
https://blog.reversinglabs.com/blog/unpacking-kwampirs-rat
SHA256: 156e199a58bd98f356785a584b8d9299d0355c51b2520e2262f11f31c521531d
SHA1: f25a1a8b319fa840bf1448577a34fda2592031a0
MD5: 072c12603ba32dd02ed1773cd867d4d2
Strike ID: M20-qef01
Malware: Kuluoz_2c42c950
Platform: Windows
Info: This strike sends a malware sample known as Kuluoz. Kuluoz, also called Asprox, is a remote access trojan that has been known to download and execute additional malware such as fake antivirus software.
External References: https://blog.talosintelligence.com/2020/04/threat-roundup-0326-0403.html
SHA256: 10f71eb066e8340bcdd742d714d4a67278073c7f30e61f4bdc3f4747b3442116
SHA1: 6987fb02c6383d0e327df4a49196da965afddfc0
MD5: 2c42c950c9cbd8c8a9951b5676dd33d0
Strike ID: M20-9m101
Malware: PoetRAT_471b1d3d
Platform: Mixed
Info: This strike sends a malware sample known as PoetRAT. PoetRAT uses a Microsoft Word document to drop a Python-based RAT. The RAT uses several tools and features to control the system, including keyloggers, browser-focused password stealers, camera control applications, credential stealers, and a tool to monitor the hard disk and exfiltrate data automatically.
External References: https://blog.talosintelligence.com/2020/04/poetrat-covid-19-lures.html
SHA256: 312f54943ebfd68e927e9aa95a98ca6f2d3572bf99da6b448c5144864824c04d
SHA1: 1b13b772a43cb39441aee4ca70991f0200d8e3cb
MD5: 471b1d3d04b1a582d236a033c0c9cac2
Strike ID: M20-2h501
Malware: Kwampirs_e0e99f75
Platform: Windows
Info: This strike sends a malware sample known as Kwampirs. Kwampirs is a modular RAT that creates a backdoor on the victim machine. Once a machine is infected, it attempts to propagate itself within the target network, gather information, and provide the attacker with remote access. It then communicates with a command and control server to perform additional functionality. Recently it has been seen targeting the public health care sector during the COVID-19 pandemic.
External References: https://www.bankinfosecurity.com/fbi-warns-kwampirs-malware-supply-chain-attacks-a-14037
https://blog.reversinglabs.com/blog/unpacking-kwampirs-rat
SHA256: 64defebf7e600d92685672c4b4d3d2ed3fc6cca27663a65c42df61843573297b
SHA1: e930e417905c95d9ce2be065a2dd0c379e1db4a1
MD5: e0e99f75cc1990a163d39e8e8c191f52
Strike ID: M20-hyz01
Malware: Kwampirs_b78ed8a8
Platform: Windows
Info: This strike sends a malware sample known as Kwampirs. Kwampirs is a modular RAT that creates a backdoor on the victim machine. Once a machine is infected, it attempts to propagate itself within the target network, gather information, and provide the attacker with remote access. It then communicates with a command and control server to perform additional functionality. Recently it has been seen targeting the public health care sector during the COVID-19 pandemic.
External References: https://www.bankinfosecurity.com/fbi-warns-kwampirs-malware-supply-chain-attacks-a-14037
https://blog.reversinglabs.com/blog/unpacking-kwampirs-rat
SHA256: 8561fc624e3b34959344ad9ef25f97077273927862a28bd8a00d45501ac27b0c
SHA1: f147a318b9a07f99824aeb66896e91fb60541609
MD5: b78ed8a8a5013f34ed3438a7c12db81c
Strike ID: M20-s7e01
Malware: Kuluoz_731c6cf9
Platform: Windows
Info: This strike sends a polymorphic malware sample known as Kuluoz. Kuluoz, also called Asprox, is a remote access trojan that has been known to download and execute additional malware such as fake antivirus software. The binary has its checksum removed from the PE file format.
External References: https://arxiv.org/abs/1801.08917
SHA256: 8863b59c48bec84fbce4b35f2a753a05c4c3a67c6fff918dcc703aed0693ea02
SHA1: 1eeeb8e441d6f7c786be6d2661e10af847345516
PARENTID: M20-lt401
SSDEEP: 3072:FWjNsGZ87NxszF4RdY5gahxL/ydhxi/ydhxi/yY904+S:wN5i0Z4gHbypsypsys
MD5: 731c6cf9c6513aaa7d7f81b8b992cd30
Strike ID: M20-fhu01
Malware: Kwampirs_7eb2086c
Platform: Windows
Info: This strike sends a malware sample known as Kwampirs. Kwampirs is a modular RAT that creates a backdoor on the victim machine. Once a machine is infected, it attempts to propagate itself within the target network, gather information, and provide the attacker with remote access. It then communicates with a command and control server to perform additional functionality. Recently it has been seen targeting the public health care sector during the COVID-19 pandemic.
External References: https://www.bankinfosecurity.com/fbi-warns-kwampirs-malware-supply-chain-attacks-a-14037
https://blog.reversinglabs.com/blog/unpacking-kwampirs-rat
SHA256: 1b48b8fe01efacc64afb326d09514115b080331dfba53ef22488c2eebc9568e6
SHA1: eecfab1e245aa826c86a357bb1cf22ca14a582de
MD5: 7eb2086cd94b67a10c1abb4f02ab86ba
Strike ID: M20-2ts02
Malware: Kuluoz_825da4d7
Platform: Windows
Info: This strike sends a malware sample known as Kuluoz. Kuluoz, also called Asprox, is a remote access trojan that has been known to download and execute additional malware such as fake antivirus software.
External References: https://blog.talosintelligence.com/2020/04/threat-roundup-0326-0403.html
SHA256: 0cbd4967ca139aba6ebd08e9ba3532cefbe1be59d479ec2f79c56497e4ca4908
SHA1: 8d17b09e7073cc57c0645e2b74d12b55df9335be
MD5: 825da4d704877825a81b8f4f74ada66f
Strike ID: M20-4tc01
Malware: Kwampirs_faff1cbb
Platform: Windows
Info: This strike sends a malware sample known as Kwampirs. Kwampirs is a modular RAT that creates a backdoor on the victim machine. Once a machine is infected, it attempts to propagate itself within the target network, gather information, and provide the attacker with remote access. It then communicates with a command and control server to perform additional functionality. Recently it has been seen targeting the public health care sector during the COVID-19 pandemic.
External References: https://www.bankinfosecurity.com/fbi-warns-kwampirs-malware-supply-chain-attacks-a-14037
https://blog.reversinglabs.com/blog/unpacking-kwampirs-rat
SHA256: f2237535f48995737471a51f2f73f8799614d71a6e37175b9fe906e02e46be23
SHA1: f2924534a0168f2bae52ead985b9a51dd3cdc624
MD5: faff1cbb7bbffeb67a3f3a2393c48767
Strike ID: M20-xit01
Malware: Kwampirs_3428ce48
Platform: Windows
Info: This strike sends a malware sample known as Kwampirs. Kwampirs is a modular RAT that creates a backdoor on the victim machine. Once a machine is infected, it attempts to propagate itself within the target network, gather information, and provide the attacker with remote access. It then communicates with a command and control server to perform additional functionality. Recently it has been seen targeting the public health care sector during the COVID-19 pandemic.
External References: https://www.bankinfosecurity.com/fbi-warns-kwampirs-malware-supply-chain-attacks-a-14037
https://blog.reversinglabs.com/blog/unpacking-kwampirs-rat
SHA256: 38cbf6f4386c4878ac4f4f0e6e892d8b92f3742213e8a25d7a6c2a68c6308771
SHA1: e3aa62e01529e8715181a3a6ddee7185488124a3
MD5: 3428ce488a329e50bb4e6f08f1977518
Strike ID: M20-awj01
Malware: AZORult
Platform: Windows
Info: This strike sends a malware sample known as AZORult Dropper. AZORult is an information stealer that goes after user credentials, information stored by available applications, and other useful system information. It has also been seen running backdoor commands and exploits. This sample is the dropper.
External References: https://blog.talosintelligence.com/2020/04/azorult-brings-friends-to-party.html
https://securityintelligence.com/news/azorult-variant-other-malware-payloads-delivered-by-multi-pronged-attack-campaign/
SHA256: 598c61da8e0932b910ce686a4ab2fae83fa3f1b2a4292accad33ca91aa9bd256
SHA1: ebe689ffc352db0e0ae79188f697e1418e4fafaa
MD5: d1cb11dd9be78a9b1ff40603fa887dd0
Strike ID: M20-n8l01
Malware: AZORult_85eac862
Platform: Windows
Info: This strike sends a polymorphic malware sample known as AZORult Dropper. AZORult is an information stealer that goes after user credentials, information stored by available applications, and other useful system information. It has also been seen running backdoor commands and exploits. This sample is the dropper. The binary has the timestamp field updated in the PE file header.
External References: https://attack.mitre.org/techniques/T1099/
SHA256: dc664214a1e0a863e61c071e10a592dfcbae8aa9f88d6cfe29f2749be9ba64cf
PARENTID: M20-awj01
SSDEEP: 6144:I1bB0Miice2VaKYsLrdIpbs5j378oAUn:W+BUKfZIpQx7
SHA1: dc44b59c20892e8ed07c5fb5f06aa77d8d6a3ec6
MD5: 85eac8626017db9d7ec04c83b236f758
Strike ID: M20-7x001
Malware: Kwampirs_c8e57849
Platform: Windows
Info: This strike sends a malware sample known as Kwampirs. Kwampirs is a modular RAT that creates a backdoor on the victim machine. Once a machine is infected, it attempts to propagate itself within the target network, gather information, and provide the attacker with remote access. It then communicates with a command and control server to perform additional functionality. Recently it has been seen targeting the public health care sector during the COVID-19 pandemic.
External References: https://www.bankinfosecurity.com/fbi-warns-kwampirs-malware-supply-chain-attacks-a-14037
https://blog.reversinglabs.com/blog/unpacking-kwampirs-rat
SHA256: bffed9502fa54fb5c30214d0900596f4f14fc8064b21b296cfae0b62ac5df146
SHA1: fa84b4cfebfe8268a5120da14abffb4c6f263288
MD5: c8e578494f9fd282b24a931cabe8bf2f
Strike ID: M20-1iy01
Malware: Kwampirs_0367615f
Platform: Windows
Info: This strike sends a malware sample known as Kwampirs. Kwampirs is a modular RAT that creates a backdoor on the victim machine. Once a machine is infected, it attempts to propagate itself within the target network, gather information, and provide the attacker with remote access. It then communicates with a command and control server to perform additional functionality. Recently it has been seen targeting the public health care sector during the COVID-19 pandemic.
External References: https://www.bankinfosecurity.com/fbi-warns-kwampirs-malware-supply-chain-attacks-a-14037
https://blog.reversinglabs.com/blog/unpacking-kwampirs-rat
SHA256: 55bab82950dc63d82ac4c9b77e3138d3c661b2cae7fc8ae5e60e39a838b33275
SHA1: f599c05a1ed120a1627d8c5db8f0fe5ca876113a
MD5: 0367615fcc1022e2273e9940db4c6b0b
Strike ID: M20-jkm01
Malware: Kwampirs_0ffcd190
Platform: Windows
Info: This strike sends a malware sample known as Kwampirs. Kwampirs is a modular RAT that creates a backdoor on the victim machine. Once a machine is infected, it attempts to propagate itself within the target network, gather information, and provide the attacker with remote access. It then communicates with a command and control server to perform additional functionality. Recently it has been seen targeting the public health care sector during the COVID-19 pandemic.
External References: https://www.bankinfosecurity.com/fbi-warns-kwampirs-malware-supply-chain-attacks-a-14037
https://blog.reversinglabs.com/blog/unpacking-kwampirs-rat
SHA256: 74c7cf70a0a02fdc1fe98f4eab3cae63ce6ec6fa7b4d5756ef153e63bf5b4c58
SHA1: f0cad35dbdb72616464223cb8c75ab49c831ac78
MD5: 0ffcd1908fff1e41fb02a2bf5b9434d3
Strike ID: M20-jfh01
Malware: Kuluoz_dec3d03e
Platform: Windows
Info: This strike sends a malware sample known as Kuluoz. Kuluoz, also called Asprox, is a remote access trojan that has been known to download and execute additional malware such as fake antivirus software.
External References: https://blog.talosintelligence.com/2020/04/threat-roundup-0326-0403.html
SHA256: 0bc668db27503131656da06c8a4263f0c6a2e986ce16f9a3cdfa21478c903369
SHA1: 801dc14584f06e3557a4a071385d27c60e4b94f2
MD5: dec3d03e421e7702baf224a1f1e31b85
Strike ID: M20-twr01
Malware: Kwampirs_8a9f412d
Platform: Windows
Info: This strike sends a malware sample known as Kwampirs. Kwampirs is a modular RAT that creates a backdoor on the victim machine. Once a machine is infected, it attempts to propagate itself within the target network, gather information, and provide the attacker with remote access. It then communicates with a command and control server to perform additional functionality. Recently it has been seen targeting the public health care sector during the COVID-19 pandemic.
External References: https://www.bankinfosecurity.com/fbi-warns-kwampirs-malware-supply-chain-attacks-a-14037
https://blog.reversinglabs.com/blog/unpacking-kwampirs-rat
SHA256: 79458dd957430eb6cae99339873d8bd243731adc03f3ec573f9313e072c20744
SHA1: e11918165c25aee4330955c55ea0ee12cebf2829
MD5: 8a9f412d75b60ff3086cb690c59495f9
Strike ID: M20-lzy01
Malware: Kuluoz_6a4bbf18
Platform: Windows
Info: This strike sends a malware sample known as Kuluoz. Kuluoz, also called Asprox, is a remote access trojan that has been known to download and execute additional malware such as fake antivirus software.
External References: https://blog.talosintelligence.com/2020/04/threat-roundup-0326-0403.html
SHA256: 0f13a52c4037425fcf3597c0d5e2904b437cb5a5bb8710be853a2af38e4650ab
SHA1: 3527aaad63aefbe6a7d0867b16aac2e81a909c26
MD5: 6a4bbf1852425e909378cfbb12e55a4f
Strike ID: M20-z1l01
Malware: Kwampirs_2e506824
Platform: Windows
Info: This strike sends a malware sample known as Kwampirs. Kwampirs is a modular RAT that creates a backdoor on the victim machine. Once a machine is infected, it attempts to propagate itself within the target network, gather information, and provide the attacker with remote access. It then communicates with a command and control server to perform additional functionality. Recently it has been seen targeting the public health care sector during the COVID-19 pandemic.
External References: https://www.bankinfosecurity.com/fbi-warns-kwampirs-malware-supply-chain-attacks-a-14037
https://blog.reversinglabs.com/blog/unpacking-kwampirs-rat
SHA256: 1ba619eb584481121d6d56fd2ddb7d16d393bb24ccffda5ab938bde6f404093c
SHA1: fa76c5b0e06a90def0a4a062af6d0ca36b5f6b8c
MD5: 2e506824e12ebdbf7d535f91bd2ff41e
Strike ID: M20-02501
Malware: Kuluoz_5f7145de
Platform: Windows
Info: This strike sends a malware sample known as Kuluoz. Kuluoz, also called Asprox, is a remote access trojan that has been known to download and execute additional malware such as fake antivirus software.
External References: https://blog.talosintelligence.com/2020/04/threat-roundup-0326-0403.html
SHA256: 09b064b27cba3d8229d703bbe70c91be7b5dced5ffd953b4826bb9d17725fafe
SHA1: 9f23e958d889f3cba0ac6f0f3402470a4a02b6b0
MD5: 5f7145de44c54a10083c12f5e673cc09
Strike ID: M20-qud01
Malware: Kwampirs_95752da1
Platform: Windows
Info: This strike sends a malware sample known as Kwampirs. Kwampirs is a modular RAT that creates a backdoor on the victim machine. Once a machine is infected, it attempts to propagate itself within the target network, gather information, and provide the attacker with remote access. It then communicates with a command and control server to perform additional functionality. Recently it has been seen targeting the public health care sector during the COVID-19 pandemic.
External References: https://www.bankinfosecurity.com/fbi-warns-kwampirs-malware-supply-chain-attacks-a-14037
https://blog.reversinglabs.com/blog/unpacking-kwampirs-rat
SHA256: 114ec9bb38a0239d59f8ae868fab6ddadc38421be614c9fe99092b1e48df5b27
SHA1: f4abbb8edd32cc91290e27ca621885d0edfb3c22
MD5: 95752da1e16832b4ff23a2ecac43b371
Strike ID: M20-rjm01
Malware: Kwampirs_8a482852
Platform: Windows
Info: This strike sends a malware sample known as Kwampirs. Kwampirs is a modular RAT that creates a backdoor on the victim machine. Once a machine is infected, it attempts to propagate itself within the target network, gather information, and provide the attacker with remote access. It then communicates with a command and control server to perform additional functionality. Recently it has been seen targeting the public health care sector during the COVID-19 pandemic.
External References: https://www.bankinfosecurity.com/fbi-warns-kwampirs-malware-supply-chain-attacks-a-14037
https://blog.reversinglabs.com/blog/unpacking-kwampirs-rat
SHA256: 99601c00c48b1abc2ff792f9e4a363c04b7f937f1600744bcb752ec7b1cdc27b
SHA1: ef42a946e54be39e8bd9f59e3e6e1936f9bee34a
MD5: 8a482852b2bc97d9c1de896460892c70
Strike ID: M20-twz01
Malware: Kwampirs_4dc04314
Platform: Windows
Info: This strike sends a malware sample known as Kwampirs. Kwampirs is a modular RAT that creates a backdoor on the victim machine. Once a machine is infected, it attempts to propagate itself within the target network, gather information, and provide the attacker with remote access. It then communicates with a command and control server to perform additional functionality. Recently it has been seen targeting the public health care sector during the COVID-19 pandemic.
External References: https://www.bankinfosecurity.com/fbi-warns-kwampirs-malware-supply-chain-attacks-a-14037
https://blog.reversinglabs.com/blog/unpacking-kwampirs-rat
SHA256: 66c1ac7cab1d7cc21fa7d0de35691aa3906646f216c48a6f6b02838e1e1f2681
SHA1: e9253b35b0718d69714f5498e416df789e30ab01
MD5: 4dc043142ad2c71cef7202cbafa19d0c
Strike ID: M20-6py01
Malware: Kwampirs_2ba0a652
Platform: Windows
Info: This strike sends a malware sample known as Kwampirs. Kwampirs is a modular RAT that creates a backdoor on the victim machine. Once a machine is infected, it attempts to propagate itself within the target network, gather information, and provide the attacker with remote access. It then communicates with a command and control server to perform additional functionality. Recently it has been seen targeting the public health care sector during the COVID-19 pandemic.
External References: https://www.bankinfosecurity.com/fbi-warns-kwampirs-malware-supply-chain-attacks-a-14037
https://blog.reversinglabs.com/blog/unpacking-kwampirs-rat
SHA256: ced9a61ebaa8de7aa360ad2d24be26e2474fa4164118f8e32f4e2b2aba6ce511
SHA1: fd4949a4ebafefb5a34a21d892d2407099b0e6ca
MD5: 2ba0a65204b246c0aed74ef7b1f6f523
Strike ID: M20-zjn01
Malware: Kwampirs_05a12a44
Platform: Windows
Info: This strike sends a malware sample known as Kwampirs. Kwampirs is a modular RAT that creates a backdoor on the victim machine. Once a machine is infected, it attempts to propagate itself within the target network, gather information, and provide the attacker with remote access. It then communicates with a command and control server to perform additional functionality. Recently it has been seen targeting the public health care sector during the COVID-19 pandemic.
External References: https://www.bankinfosecurity.com/fbi-warns-kwampirs-malware-supply-chain-attacks-a-14037
https://blog.reversinglabs.com/blog/unpacking-kwampirs-rat
SHA256: c76371100153252534cdab622f855b764c02b8d213fee28662df04245eb61589
SHA1: e55eb5b0ea6aa55af22e348e2e18ce9da089c9bc
MD5: 05a12a4416e3ca9ce7515cc83f7c27b3
Strike ID: M20-fm101
Malware: Kuluoz_cf96ffba
Platform: Windows
Info: This strike sends a malware sample known as Kuluoz. Kuluoz, also called Asprox, is a remote access trojan that has been known to download and execute additional malware such as fake antivirus software.
External References: https://blog.talosintelligence.com/2020/04/threat-roundup-0326-0403.html
SHA256: 05cfe7a11dd83fb71d7197b7ce06a484a60a7e0e87295c67345d57ee99c44eb7
SHA1: 39be987491ff984ea13b551c1c1a216fe101e500
MD5: cf96ffbaee7afe73ec36944c998152f8
Strike ID: M20-bri01
Malware: AZORult_a5d2e2a9
Platform: Windows
Info: This strike sends a polymorphic malware sample known as AZORult PE Payload. AZORult is an information stealer that goes after user credentials, information stored by available applications, and other useful system information. It has also been seen running backdoor commands and exploits. This sample is the portable executable payload. The binary has a section name randomly renamed in accordance with the PE format specification.
External References: https://arxiv.org/abs/1801.08917
SHA256: 465e154e29171cfcc35ba3398e71659dadb06c7222dc2fd6b004e81581d25cfe
PARENTID: M20-ukj01
SSDEEP: 3072:juOSXpMx7ZAlHsbfUkolNGti7lfqeSxM3SpyEY3E/rxg/:Tzx7ZApszolIo7lf/ipT/r
SHA1: 048934e26495a74f73a8061db39646acb5abbb62
MD5: a5d2e2a909b26f87d2910e3ba9d5024f
Strike ID: M20-zw101
Malware: PoetRAT_4f794eeb
Platform: Windows
Info: This strike sends a malware sample known as PoetRAT. PoetRAT uses a Microsoft Word document to drop a Python-based RAT. The RAT uses several tools and features to control the system, including keyloggers, browser-focused password stealers, camera control applications, credential stealers, and a tool to monitor the hard disk and exfiltrate data automatically.
External References: https://blog.talosintelligence.com/2020/04/poetrat-covid-19-lures.html
SHA256: a3405cc1fcc6b6b96a1d6604f587aee6aafe54f8beba5dcbaa7322ac8589ffde
SHA1: 422e7b1dfd10f80971d5331ca2bc436d1efba046
MD5: 4f794eeb5cc1faa346f1155c96342e77
Strike ID: M20-e8d01
Malware: Kwampirs_b0d3976d
Platform: Windows
Info: This strike sends a malware sample known as Kwampirs. Kwampirs is a modular RAT that creates a backdoor on the victim machine. Once a machine is infected, it attempts to propagate itself within the target network, gather information, and provide the attacker with remote access. It then communicates with a command and control server to perform additional functionality. Recently it has been seen targeting the public health care sector during the COVID-19 pandemic.
External References: https://www.bankinfosecurity.com/fbi-warns-kwampirs-malware-supply-chain-attacks-a-14037
https://blog.reversinglabs.com/blog/unpacking-kwampirs-rat
SHA256: 1fc307804ff2c70a2754c0ef83d87dd38a533be3f53c744d0685f0bed6d165c9
SHA1: e3ad723bfe061a3fcd17a9132d1baf948f9fcde2
MD5: b0d3976d10919aeb0adef60a54a2f593
Strike ID: M20-fvl02
Malware: Kuluoz_cd4e6fef
Platform: Windows
Info: This strike sends a malware sample known as Kuluoz. Kuluoz, also called Asprox, is a remote access trojan that has been known to download and execute additional malware such as fake antivirus software.
External References: https://blog.talosintelligence.com/2020/04/threat-roundup-0326-0403.html
SHA256: 07d3e4aa9819dd1bec9a9a5f80e1defb3cad07e2827fceae2fff3fe2c5474389
SHA1: 01f544ae551f0de1e1dbe889d061f17c1da2def2
MD5: cd4e6fefaa158b8899fc78c20748147a
Strike ID: M20-fey01
Malware: AZORult_13123a46
Platform: Windows
Info: This strike sends a polymorphic malware sample known as AZORult Dropper. AZORult is an information stealer that goes after user credentials, information stored by available applications, and other useful system information. It has also been seen running backdoor commands and exploits. This sample is the dropper. The binary has one more import added to the import table.
External References: https://arxiv.org/abs/1702.05983
SHA256: 23b9143c705132dd1bfe7a78f8419ad3a2afd9fe3d4430119f1de1b31e4375a6
PARENTID: M20-awj01
SSDEEP: 6144:P1bB0Miice2VaKYsLrdIpbs5j378oAUn:9+BUKfZIpQx7
SHA1: 708b6fcadcf838e2317de9555e3f36d59d5e7ede
MD5: 13123a46de0b959bc9341fdc8c5e8046
Strike ID: M20-spz01
Malware: Kuluoz_6ab1c95e
Platform: Windows
Info: This strike sends a malware sample known as Kuluoz. Kuluoz, also called Asprox, is a remote access trojan that has been known to download and execute additional malware such as fake antivirus software.
External References: https://blog.talosintelligence.com/2020/04/threat-roundup-0326-0403.html
SHA256: 1363243f57bc04ff383387c358785d8f43e2ec0765f7bc1676c1de820ac618d1
SHA1: 2bfa9979914a72140e8f59cd2621f4cc58cb7545
MD5: 6ab1c95ef0ebe2d7568d2e8fc29810d4
Strike ID: M20-4k701
Malware: Kwampirs_59770034
Platform: Windows
Info: This strike sends a malware sample known as Kwampirs. Kwampirs is a modular RAT that creates a backdoor on the victim machine. Once a machine is infected, it attempts to propagate itself within the target network, gather information, and provide the attacker with remote access. It then communicates with a command and control server to perform additional functionality. Recently it has been seen targeting the public health care sector during the COVID-19 pandemic.
External References: https://www.bankinfosecurity.com/fbi-warns-kwampirs-malware-supply-chain-attacks-a-14037
https://blog.reversinglabs.com/blog/unpacking-kwampirs-rat
SHA256: 3b9991b5b3f73ec41ca644a043f1fb1144d063502d3889aad6b774867debb7f9
SHA1: e96ac141ec2fd92f1d2fb9f5956bab792bfa0170
MD5: 597700341ffc5e24203170386b133875
Strike ID: M20-02o01
Malware: Kwampirs_27e60d36
Platform: Windows
Info: This strike sends a malware sample known as Kwampirs. Kwampirs is a modular RAT that creates a backdoor on the victim machine. Once a machine is infected, it attempts to propagate itself within the target network, gather information, and provide the attacker with remote access. It then communicates with a command and control server to perform additional functionality. Recently it has been seen targeting the public health care sector during the COVID-19 pandemic.
External References: https://www.bankinfosecurity.com/fbi-warns-kwampirs-malware-supply-chain-attacks-a-14037
https://blog.reversinglabs.com/blog/unpacking-kwampirs-rat
SHA256: b9581f9a9d79d03305ee378cb166afea8d1e0120a359a036d6592eac8074e5c6
SHA1: ea92d298390b85aae92fc7b8f3cd86cf15a51240
MD5: 27e60d36b7264f969541c05dfdcb357c
Strike ID: M20-ovs01
Malware: PoetRAT_429d409c
Platform: Mixed
Info: This strike sends a malware sample known as PoetRAT. PoetRAT uses a Microsoft Word document to drop a Python-based RAT. The RAT uses several tools and features to control the system, including keyloggers, browser-focused password stealers, camera control applications, credential stealers, and a tool to monitor the hard disk and exfiltrate data automatically.
External References: https://blog.talosintelligence.com/2020/04/poetrat-covid-19-lures.html
SHA256: d4b7e4870795e6f593c9b3143e2ba083cf12ac0c79d2dd64b869278b0247c247
SHA1: e499d21c4eb97b53ef3ecad0dbbfe8cfc3678ef1
MD5: 429d409ceb6b7988c2de41c2aa578735
Strike ID: M20-wiw01
Malware: Kwampirs_7d5e5cd0
Platform: Windows
Info: This strike sends a malware sample known as Kwampirs. Kwampirs is a modular RAT that creates a backdoor on the victim machine. Once a machine is infected, it attempts to propagate itself within the target network, gather information, and provide the attacker with remote access. It then communicates with a command and control server to perform additional functionality. Recently it has been seen targeting the public health care sector during the COVID-19 pandemic.
External References: https://www.bankinfosecurity.com/fbi-warns-kwampirs-malware-supply-chain-attacks-a-14037
https://blog.reversinglabs.com/blog/unpacking-kwampirs-rat
SHA256: 209adf00c00ab4e47a064d5092c7387720c6e198066d33d270f9cbaddacf52ae
SHA1: e7a3c649d53f293ba5865622ed60d3da3a2bec7a
MD5: 7d5e5cd056589f1be94f62b0b5efd28f
Strike ID: M20-5ao01
Malware: Kwampirs_c1fb62ea
Platform: Windows
Info: This strike sends a malware sample known as Kwampirs. Kwampirs is a modular RAT that creates a backdoor on the victim machine. Once a machine is infected, it attempts to propagate itself within the target network, gather information, and provide the attacker with remote access. It then communicates with a command and control server to perform additional functionality. Recently it has been seen targeting the public health care sector during the COVID-19 pandemic.
External References: https://www.bankinfosecurity.com/fbi-warns-kwampirs-malware-supply-chain-attacks-a-14037
https://blog.reversinglabs.com/blog/unpacking-kwampirs-rat
SHA256: 0cb55887786c26b91bcc7da071b7350451c138a43cf0c33cb9762edab77e3e00
SHA1: edb43ec758edf49bc857e609fa7ab0f0e5e0f049
MD5: c1fb62eafd77bfc6d4a32b3637e0bf37
Strike ID: M20-yhq01
Malware: Kwampirs_40bee457
Platform: Windows
Info: This strike sends a malware sample known as Kwampirs. Kwampirs is a modular RAT that creates a backdoor on the victim machine. Once a machine is infected, it attempts to propagate itself within the target network, gather information, and provide the attacker with remote access. It then communicates with a command and control server to perform additional functionality. Recently it has been seen targeting the public health care sector during the COVID-19 pandemic.
External References: https://www.bankinfosecurity.com/fbi-warns-kwampirs-malware-supply-chain-attacks-a-14037
https://blog.reversinglabs.com/blog/unpacking-kwampirs-rat
SHA256: 6a2a592e1d83c946810ee3f700d2f2dadf517bd450b125ed0a250fe8f22d66ff
SHA1: e0a021166d4d2ddb9f5f3c261841aad4f211d9ef
MD5: 40bee457f54aba0617d0c11047bc8427
Strike ID: M20-c0e01
Malware: Kuluoz_a14ac7d4
Platform: Windows
Info: This strike sends a polymorphic malware sample known as Kuluoz. Kuluoz, also called Asprox, is a remote access trojan that has been known to download and execute additional malware such as fake antivirus software. The binary has been packed using the UPX packer with the default options.
External References: https://attack.mitre.org/techniques/T1045/
SHA256: 6a52a43a26852d18600e7acc5f79af63077a57e13915bdb4cf41b88cad0692eb
SHA1: d1f4d40a6ee16fd07f52fa0971b5bf0d485c65d1
PARENTID: M20-ig501
SSDEEP: 1536:Ldsg/4AyY0mDPwCxLdRJZ9rgZjJsaSPRcsbuct+WihG/8/0u4afs:L5/Y1mDhxLdJZgZ1saiRtbus+WiX/z
MD5: a14ac7d4a42ea7cf2d1aed32ca78ba26
Strike ID: M20-r3x01
Malware: PoetRAT_04cecf70
Platform: Mixed
Info: This strike sends a malware sample known as PoetRAT. PoetRAT uses a Microsoft Word document to drop a Python-based RAT. The RAT uses several tools and features to control the system, including keyloggers, browser-focused password stealers, camera control applications, credential stealers, and a tool to monitor the hard disk and exfiltrate data automatically.
External References: https://blog.talosintelligence.com/2020/04/poetrat-covid-19-lures.html
SHA256: e4e99dc07fae55f2fa8884c586f8006774fe0f16232bd4e13660a8610b1850a2
SHA1: 4966916c66d6742d1ee7bf3823ab8e7e6bb9b012
MD5: 04cecf70d049a8f0de360aa6bd9da434
Strike ID: M20-jou01
Malware: Kwampirs_2895bb78
Platform: Windows
Info: This strike sends a malware sample known as Kwampirs. Kwampirs is a modular RAT that creates a backdoor on the victim machine. Once a machine is infected, it attempts to propagate itself within the target network, gather information, and provide the attacker with remote access. It then communicates with a command and control server to perform additional functionality. Recently it has been seen targeting the public health care sector during the COVID-19 pandemic.
External References: https://www.bankinfosecurity.com/fbi-warns-kwampirs-malware-supply-chain-attacks-a-14037
https://blog.reversinglabs.com/blog/unpacking-kwampirs-rat
SHA256: 208fd32462cf3358c0a76a8e7e4b9a9ed681027f0cdd26f404e516b25daadb8c
SHA1: ff7233ca387a02095dbbd32a61a5a188e2ad521c
MD5: 2895bb7849b6dce0bccf6947cf4c1d04
Strike ID: M20-aav01
Malware: Kwampirs_1565df72
Platform: Windows
Info: This strike sends a malware sample known as Kwampirs. Kwampirs is a modular RAT that creates a backdoor on the victim machine. Once a machine is infected, it attempts to propagate itself within the target network, gather information, and provide the attacker with remote access. It then communicates with a command and control server to perform additional functionality. Recently it has been seen targeting the public health care sector during the COVID-19 pandemic.
External References: https://www.bankinfosecurity.com/fbi-warns-kwampirs-malware-supply-chain-attacks-a-14037
https://blog.reversinglabs.com/blog/unpacking-kwampirs-rat
SHA256: 4824911c0778c89af1849d5c4c77b13bc3891a1fcff12741e4627907bd84db3a
SHA1: f9911c9bed571540f22c0ea45622844c580ba898
MD5: 1565df72abfaa21ceb8b86fa11d3ac47
Strike ID: M20-2fz01
Malware: Kuluoz_eafdcea5
Platform: Windows
Info: This strike sends a malware sample known as Kuluoz. Kuluoz, also called Asprox, is a remote access trojan that has been known to download and execute additional malware such as fake antivirus software.
External References: https://blog.talosintelligence.com/2020/04/threat-roundup-0326-0403.html
SHA256: 02a8287d7190e0fce91f58073c57d3637b7f1a79a5de300cc9cabfc11e0e6530
SHA1: 79e8f18b3e61a629397b554bfe211b2582daea70
MD5: eafdcea53785df89f522a1d3ce285c3e
Strike ID: M20-mch01
Malware: Kuluoz_f7a08642
Platform: Windows
Info: This strike sends a malware sample known as Kuluoz. Kuluoz, also called Asprox, is a remote access trojan that has been known to download and execute additional malware such as fake antivirus software.
External References: https://blog.talosintelligence.com/2020/04/threat-roundup-0326-0403.html
SHA256: 1233484d1a7d2cd2ca7118ab42c7a60e77490536ad8304c148a0721ff22ab005
SHA1: a5a0effcd586487d02ae62f9c97b98302d8638d5
MD5: f7a086429a192bbd9902c593d360cc9c
Strike ID: M20-dqv01
Malware: Kwampirs_cd554e3e
Platform: Windows
Info: This strike sends a malware sample known as Kwampirs. Kwampirs is a modular RAT that creates a back door on the victim machine. Once infected, it attempts to propagate itself within the target network, gather information, and provide the attacker with remote access. It then communicates with a command and control server to perform additional functionality. Recently it has been seen targeting the public health care sector during the COVID-19 pandemic.
External References: https://www.bankinfosecurity.com/fbi-warns-kwampirs-malware-supply-chain-attacks-a-14037
https://blog.reversinglabs.com/blog/unpacking-kwampirs-rat
SHA256: 833d5d438893a73cbaac611b214f6be7c569f52b9a37b2a06a8c8eba8892709f
SHA1: fbd50f5bdad08802d908388567059f9bb32869c5
MD5: cd554e3e8a3a50823243452c0c2425f4
Strike ID: M20-fe501
Malware: PoetRAT_7e9d3fe8
Platform: Mixed
Info: This strike sends a malware sample known as PoetRAT. PoetRAT utilizes a Microsoft Word document to drop a Python-based RAT. The RAT uses several tools and features to control the system, including keyloggers, browser-focused password stealers, camera control applications, credential stealers, and a tool to monitor the hard disk and exfiltrate data automatically.
External References: https://blog.talosintelligence.com/2020/04/poetrat-covid-19-lures.html
SHA256: 252c5d491747a42175c7c57ccc5965e3a7b83eb5f964776ef108539b0a29b2ee
SHA1: 298974d7e3efef0cad81ba039b2e1a38f543454a
MD5: 7e9d3fe81c528d9729bc03a805460642
Strike ID: M20-95p01
Malware: Kuluoz_c26f3f05
Platform: Windows
Info: This strike sends a malware sample known as Kuluoz. Kuluoz, also called Asprox, is a remote access trojan that has been known to download and execute additional malware such as fake antivirus software.
External References: https://blog.talosintelligence.com/2020/04/threat-roundup-0326-0403.html
SHA256: 021801898d4aa508ee85f53fe4e4a28e06ce91795fc0073eae241c0c34c7babb
SHA1: a5cfa344ab313beabb090337ece2453efb6eef54
MD5: c26f3f052333299b1571828596a6528c
Strike ID: M20-a4001
Malware: Kwampirs_cf314c8c
Platform: Windows
Info: This strike sends a malware sample known as Kwampirs. Kwampirs is a modular RAT that creates a back door on the victim machine. Once infected, it attempts to propagate itself within the target network, gather information, and provide the attacker with remote access. It then communicates with a command and control server to perform additional functionality. Recently it has been seen targeting the public health care sector during the COVID-19 pandemic.
External References: https://www.bankinfosecurity.com/fbi-warns-kwampirs-malware-supply-chain-attacks-a-14037
https://blog.reversinglabs.com/blog/unpacking-kwampirs-rat
SHA256: bfa71ed720938c5b47ade695c82df67833dc6f1c10bc36fcc51a6764e35800d2
SHA1: e99b23e5560d7f9896b64054b1a6fb2333cae92a
MD5: cf314c8c6daaa9dd2e733387f4aabf91
Strike ID: M20-ct301
Malware: PoetRAT_2696574a
Platform: Mixed
Info: This strike sends a malware sample known as PoetRAT. PoetRAT utilizes a Microsoft Word document to drop a Python-based RAT. The RAT uses several tools and features to control the system, including keyloggers, browser-focused password stealers, camera control applications, credential stealers, and a tool to monitor the hard disk and exfiltrate data automatically.
External References: https://blog.talosintelligence.com/2020/04/poetrat-covid-19-lures.html
SHA256: ac4e621cc5895f63a226f8ef183fe69e1ae631e12a5dbef97dd16a6dfafd1bfc
SHA1: 89374563520fd4d24c5fad4703c8c173a910eb1c
MD5: 2696574ad1b897f569a48d74425c706b
Strike ID: M20-zkj01
Malware: Kwampirs_db904a6b
Platform: Windows
Info: This strike sends a malware sample known as Kwampirs. Kwampirs is a modular RAT that creates a back door on the victim machine. Once infected, it attempts to propagate itself within the target network, gather information, and provide the attacker with remote access. It then communicates with a command and control server to perform additional functionality. Recently it has been seen targeting the public health care sector during the COVID-19 pandemic.
External References: https://www.bankinfosecurity.com/fbi-warns-kwampirs-malware-supply-chain-attacks-a-14037
https://blog.reversinglabs.com/blog/unpacking-kwampirs-rat
SHA256: ac5a9630b5efe7b936840641a8ab9433f589fbd8562d62c642b2e4d417f91277
SHA1: f9bfff4be43e365bbcc40cc6ece537b7b9f2ae74
MD5: db904a6b55ec340645d4dc3bef3ee57b
Strike ID: M20-c2r02
Malware: Kwampirs_053b96d7
Platform: Windows
Info: This strike sends a malware sample known as Kwampirs. Kwampirs is a modular RAT that creates a back door on the victim machine. Once infected, it attempts to propagate itself within the target network, gather information, and provide the attacker with remote access. It then communicates with a command and control server to perform additional functionality. Recently it has been seen targeting the public health care sector during the COVID-19 pandemic.
External References: https://www.bankinfosecurity.com/fbi-warns-kwampirs-malware-supply-chain-attacks-a-14037
https://blog.reversinglabs.com/blog/unpacking-kwampirs-rat
SHA256: c69c1b75d7d9c8fd823ea6c2de670426e8360d0763f0a0384472cd16437909c1
SHA1: e2e03d1d85fe5e65820d6526eab53dd6bf1a076a
MD5: 053b96d7b0fef8ea3d812690d9747e3c
Strike ID: M20-v2101
Malware: PoetRAT_69cbec46
Platform: Mixed
Info: This strike sends a malware sample known as PoetRAT. PoetRAT utilizes a Microsoft Word document to drop a Python-based RAT. The RAT uses several tools and features to control the system, including keyloggers, browser-focused password stealers, camera control applications, credential stealers, and a tool to monitor the hard disk and exfiltrate data automatically.
External References: https://blog.talosintelligence.com/2020/04/poetrat-covid-19-lures.html
SHA256: b1e7dc16e24ebeb60bc6753c54e940c3e7664e9fcb130bd663129ecdb5818fcd
SHA1: 7fbe5c8524b9a914f7f60d463c7d4add8a0c57e4
MD5: 69cbec46220c781797d6d35ab70bae02
Strike ID: M20-6ij01
Malware: Kuluoz_ca1c35f5
Platform: Windows
Info: This strike sends a malware sample known as Kuluoz. Kuluoz, also called Asprox, is a remote access trojan that has been known to download and execute additional malware such as fake antivirus software.
External References: https://blog.talosintelligence.com/2020/04/threat-roundup-0326-0403.html
SHA256: 01e5d6d17f47209d9ab025ea6d9fc76fab6db7a789ae7e0012e053518592483e
SHA1: 40a3fbcf79bd3a374879cd7a05145a44245fcf71
MD5: ca1c35f5dd08f34c21e49d0cd3af3d24
Strike ID: M20-ri001
Malware: Kwampirs_ec7a5b11
Platform: Windows
Info: This strike sends a malware sample known as Kwampirs. Kwampirs is a modular RAT that creates a back door on the victim machine. Once infected, it attempts to propagate itself within the target network, gather information, and provide the attacker with remote access. It then communicates with a command and control server to perform additional functionality. Recently it has been seen targeting the public health care sector during the COVID-19 pandemic.
External References: https://www.bankinfosecurity.com/fbi-warns-kwampirs-malware-supply-chain-attacks-a-14037
https://blog.reversinglabs.com/blog/unpacking-kwampirs-rat
SHA256: d0ad2e0f2d68da676dcc8f0cad03dd1a6a5dbf834499ef94746be8ce32ea6ac0
SHA1: e5e79e329cd3f7f40ba887f771b7782abb41b108
MD5: ec7a5b119ebfefbb827720997036743b
Strike ID: M20-nvj01
Malware: Kwampirs_001c21ae
Platform: Windows
Info: This strike sends a malware sample known as Kwampirs. Kwampirs is a modular RAT that creates a back door on the victim machine. Once infected, it attempts to propagate itself within the target network, gather information, and provide the attacker with remote access. It then communicates with a command and control server to perform additional functionality. Recently it has been seen targeting the public health care sector during the COVID-19 pandemic.
External References: https://www.bankinfosecurity.com/fbi-warns-kwampirs-malware-supply-chain-attacks-a-14037
https://blog.reversinglabs.com/blog/unpacking-kwampirs-rat
SHA256: 23640833d0c552a328ffca27f6f78b10e7dfadaa5d9e485c8c9c3d2968b7c23a
SHA1: e5e0120ebc937396d02c0d69c9e49a08cea941d8
MD5: 001c21aea873767894bb125a135b15ef
Strike ID: M20-jmi01
Malware: Kwampirs_90985356
Platform: Windows
Info: This strike sends a malware sample known as Kwampirs. Kwampirs is a modular RAT that creates a back door on the victim machine. Once infected, it attempts to propagate itself within the target network, gather information, and provide the attacker with remote access. It then communicates with a command and control server to perform additional functionality. Recently it has been seen targeting the public health care sector during the COVID-19 pandemic.
External References: https://www.bankinfosecurity.com/fbi-warns-kwampirs-malware-supply-chain-attacks-a-14037
https://blog.reversinglabs.com/blog/unpacking-kwampirs-rat
SHA256: 9cc91b2a46c29b022e64a317b9b7c33a9caaaa76962315e48305365fdd3b4829
SHA1: e4b0a7190d219ede8f60a4189cb52351cba43307
MD5: 90985356349d41929c2de328629e24e4
Strike ID: M20-sc601
Malware: Kwampirs_8c1bdf67
Platform: Windows
Info: This strike sends a malware sample known as Kwampirs. Kwampirs is a modular RAT that creates a back door on the victim machine. Once infected, it attempts to propagate itself within the target network, gather information, and provide the attacker with remote access. It then communicates with a command and control server to perform additional functionality. Recently it has been seen targeting the public health care sector during the COVID-19 pandemic.
External References: https://www.bankinfosecurity.com/fbi-warns-kwampirs-malware-supply-chain-attacks-a-14037
https://blog.reversinglabs.com/blog/unpacking-kwampirs-rat
SHA256: 300c8c76205336366d75fac07a5e03f0d39db9a778f21023640ea6c81ee73a8d
SHA1: e8a2b685da9a03402a71c5f110264a4eb946461d
MD5: 8c1bdf67c3bb36654979cb606994a342
Strike ID: M20-h9101
Malware: AZORult_dc79833d
Platform: Windows
Info: This strike sends a polymorphic malware sample known as AZORult PE Payload. AZORult is an information stealer that goes after user credentials, information stored by installed applications, and other useful system information. It has also been seen running backdoor commands and exploits. This sample is the portable executable payload. The binary has random contents appended in one of the existing sections in the PE file format.
External References: https://arxiv.org/abs/1801.08917
SHA256: 653208bc3c188910dcb8a22f2f3187eb99aaa83bcf6d9d03948c22696b747759
PARENTID: M20-ukj01
SSDEEP: 3072:IuOSXpMx7ZAlHsbfUkolNGti7lfqeSxM3SpyEY3E/Gxg/:Izx7ZApszolIo7lf/ipT/G
SHA1: 9d5091bc94a13e322daf366c7aa431d0a285d289
MD5: dc79833d8f6ca74d8b84672d7062c136

Malware Strikes March - 2020

Strike ID Malware Platform Info MD5 External References
Strike ID: M20-9r501
Malware: Nymaim_3613236c
Platform: Windows
Info: This strike sends a malware sample known as Nymaim. Nymaim is malware that can be used to deliver ransomware and other malicious payloads. It uses a domain generation algorithm to generate potential command and control domains from which to retrieve additional payloads.
External References: https://blog.talosintelligence.com/2020/03/threat-roundup-0306-0313.html
SHA256: 7a081e847f783ca398362fb4172a266e8387fef4d860ce25c4bc2986a25ce690
SHA1: 685cf25785aab6989f4e8421cfba87226809972c
MD5: 3613236c5516bd3695b6715b415d7bff
Strike ID: M20-qzv01
Malware: Vicious
Platform: Windows
Info: This strike sends a malware sample known as Vicious Panda Loader DLL. This malware sample is called Vicious Panda. This malicious sample targeted the Mongolian public sector during the Coronavirus scare in 2020. This DLL file serves as the main loader of the malware framework in the infection chain that communicates with the C2 framework to gather a