Malware Update 2021

Malware Strikes December - 2021

Fields per strike: Strike ID, Malware, Platform, Info, External References, SHA256, SHA1, MD5 (polymorphic variants also list the technique reference, PARENTID and SSDEEP).

Strike ID: M21-MC048
Malware: Tedy_fdba3070
Platform: Windows
Info: This strike sends a malware sample known as Tedy. Tedy malware will modify the system registry keys. This malware may also download additional malware. This sample may have been compressed with a packer.
External References: https://blog.talosintelligence.com/2021/12/threat-roundup-1203-1210.html
SHA256: 016cce17e492255ee9db52cab4a6c2d3162eb5b6f04d080429f489a6c2ac2cd6
SHA1: 28ae045c17d5efe3f7ddc79b85f02d8e34aaf77a
MD5: fdba30700880887d2c8234c93121e460

Strike ID: M21-MC00f
Malware: Tedy_3b417b51
Platform: Windows
Info: This strike sends a malware sample known as Tedy. Tedy malware will modify the system registry keys. This malware may also download additional malware. This sample may have been compressed with a packer.
External References: https://blog.talosintelligence.com/2021/12/threat-roundup-1203-1210.html
SHA256: 571ceac5dd11fe60083b88c775f26091c48c38ddf2c9d0939063aef462454512
SHA1: 04f58701ee306411cc60a90f4da4ab505932174c
MD5: 3b417b51e1d7c4289a47fb07cfa309fd

Strike ID: M21-MC042
Malware: Noon_e6de7580
Platform: Windows
Info: This strike sends a malware sample known as Noon. Noon malware can execute other malware binaries. Once deployed it will connect to remote servers and push sensitive information to the attackers. This malware also maintains persistence on the victim machines.
External References: https://blog.talosintelligence.com/2021/12/threat-roundup-1126-1203.html
SHA256: 7f0e528f9a870f6b7ac18d5aedca145dc2faf633cf9f6a1235ee3e563f8999a3
SHA1: b2e3ec9c5fd40ce413bf0ea38c20abe9a1e42da3
MD5: e6de7580d7646c8b3f2cfb317734512a

Strike ID: M21-MC004
Malware: Injuke_07407dfb
Platform: Windows
Info: This strike sends a malware sample known as Injuke. Injuke is a dropper that is known for retrieving other malware binaries. It can also communicate with remote servers to exfiltrate information from the victim machine.
External References: https://blog.talosintelligence.com/2021/12/threat-roundup-1203-1210.html
SHA256: 16731e02270a59c185fefc1043a50f2fc81f08380cf027b4e34b5fa23b8a0844
SHA1: 16dde3951143ffdc4c360a3f1932d4c68c51469d
MD5: 07407dfb83110fef2c515d9a3058bf2c

Strike ID: M21-MC008
Malware: Tedy_1eaf7811
Platform: Windows
Info: This strike sends a malware sample known as Tedy. Tedy malware will modify the system registry keys. This malware may also download additional malware. This sample may have been compressed with a packer.
External References: https://blog.talosintelligence.com/2021/12/threat-roundup-1203-1210.html
SHA256: ed07bf5af05a0dd77e9daf32bc5c856845dbae5aa767acacd6532278d430214c
SHA1: 0ccf2cd336b9b52a81212c2c2394be1172588e1a
MD5: 1eaf7811e69828815b4f507ed2e0202e

Strike ID: M21-MC045
Malware: Injuke_f1fd1462
Platform: Windows
Info: This strike sends a malware sample known as Injuke. Injuke is a dropper that is known for retrieving other malware binaries. It can also communicate with remote servers to exfiltrate information from the victim machine.
External References: https://blog.talosintelligence.com/2021/12/threat-roundup-1203-1210.html
SHA256: 121e4245a20a25423d50a142c175246f04f337b53dcd48f3e08b07bec3341fda
SHA1: 86d6e3cd18130562933a94c5bb327d363ed539ca
MD5: f1fd1462c56f822ccba61454ab7d44ed

Strike ID: M21-MC043
Malware: Tedy_e7b47211
Platform: Windows
Info: This strike sends a malware sample known as Tedy. Tedy malware will modify the system registry keys. This malware may also download additional malware. This sample may have been compressed with a packer.
External References: https://blog.talosintelligence.com/2021/12/threat-roundup-1203-1210.html
SHA256: 7b4cf6864e76aa012c9fe23a184c2e828f880e6eab50588391b417d19976a474
SHA1: 7544d9df017d6e68d5ab3fcf9eb093ba99a34a02
MD5: e7b4721184f98f7e6548938f4495eaab

Strike ID: M21-MC009
Malware: NetWire_2564306c
Platform: Windows
Info: This strike sends a malware sample known as NetWire. NetWire is a Remote Access Trojan that lets attackers execute commands on the infected host.
External References: https://blog.talosintelligence.com/2021/12/threat-roundup-1203-1210.html
SHA256: ec7fc918af533aa9249987b2086987491b233e659c5bf799c73385dd82f511fb
SHA1: db8e19d7706daf756c7e4c2a12879cc6b3b50270
MD5: 2564306c1854be464cf1ee8d502d239c

Strike ID: M21-MC04e
Malware: Noon_3bacdeae
Platform: Windows
Info: This strike sends a polymorphic malware sample known as Noon. Noon malware can execute other malware binaries. Once deployed it will connect to remote servers and push sensitive information to the attackers. This malware also maintains persistence on the victim machines. The binary has random strings (lorem ipsum) appended at the end of the file.
External References: https://blog.talosintelligence.com/2021/12/threat-roundup-1126-1203.html
SHA256: 9a8eb72ec52916d3b7165ac6d4d99accf96adcd38af4134e16956b1cf2da8cca
https://attack.mitre.org/techniques/T1009/
PARENTID: M21-MC02c
SSDEEP: 12288:18gwyq2B1qGbuPWnnwy5C9Rm3r0I4SBybR:m2B1qGbuPWw/9A3Y1
SHA1: 47b3ef36a5debd09946467337943e3cda1193494
MD5: 3bacdeaee83ff868acbac771dfbaeae1

Strike ID: M21-MC024
Malware: Tedy_81141b39
Platform: Windows
Info: This strike sends a malware sample known as Tedy. Tedy malware will modify the system registry keys. This malware may also download additional malware. This sample may have been compressed with a packer.
External References: https://blog.talosintelligence.com/2021/12/threat-roundup-1203-1210.html
SHA256: 3f68f133c4a7886ae2e51120945f02931f6ba4ae0ea5eb3d2cc90cef27865d44
SHA1: 8884e723614d908d9ea337386e96381298eff231
MD5: 81141b395d0b88a14e99f8000cbad627

Strike ID: M21-MC02c
Malware: Noon_9beb8ed7
Platform: Windows
Info: This strike sends a malware sample known as Noon. Noon malware can execute other malware binaries. Once deployed it will connect to remote servers and push sensitive information to the attackers. This malware also maintains persistence on the victim machines.
External References: https://blog.talosintelligence.com/2021/12/threat-roundup-1126-1203.html
SHA256: f07612364bbd203ff93512679f46c4cb83eda3e6452a2d56f4a0191eaea84aae
SHA1: b10872ff312101f10085990ab5bd6ce5e593d444
MD5: 9beb8ed71c0c19c8172511b0f54db154

Strike ID: M21-MC012
Malware: Zbot_46800190
Platform: Windows
Info: This strike sends a malware sample known as Zbot. Zbot, also known as Zeus, is a trojan often associated with stealing banking information by keystroke logging and form grabbing techniques.
External References: https://blog.talosintelligence.com/2021/12/threat-roundup-1126-1203.html
SHA256: a35d3a135daf833155ea33feba1252fd197da2980d4e6ffb817f67987bd7380e
SHA1: 281b57f0422f9f1a050f9075a0030c6136300c39
MD5: 46800190931451e5cae956f112696a64

Strike ID: M21-MC02d
Malware: Emotet_9c270b9a
Platform: Windows
Info: This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails.
External References: https://blog.talosintelligence.com/2021/12/threat-roundup-1126-1203.html
SHA256: 1cf2b88aae1e141e1791b3914d18b048b2617ce86265fcb10fea0840a08c0599
SHA1: 6f89ba5efeb9af983a5e18dca2655599390efd6a
MD5: 9c270b9a074f8e866af32a369e65aa87

Strike ID: M21-MC03b
Malware: Zbot_d87c8524
Platform: Windows
Info: This strike sends a malware sample known as Zbot. Zbot, also known as Zeus, is a trojan often associated with stealing banking information by keystroke logging and form grabbing techniques.
External References: https://blog.talosintelligence.com/2021/12/threat-roundup-1126-1203.html
SHA256: 3a8322bed57d7a37a256fe87bcb37b810ac5d5b747a5647acc91f012e61e54a5
SHA1: 6d01b36c8a6f5579dbd880ef425bd939902c2c0a
MD5: d87c85244e51ed71b942fff9a15158a4

Strike ID: M21-MC026
Malware: Emotet_88cc1c60
Platform: Windows
Info: This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails.
External References: https://blog.talosintelligence.com/2021/12/threat-roundup-1126-1203.html
SHA256: 9d1e941eedd7a6a442e885c10ef844ca4b1ffdbf0b7c061cc11f91f5b28c81bb
SHA1: 1b9957c090734e2b6cec65e972296e5fa9478c41
MD5: 88cc1c601c28901033abec4389854884

Strike ID: M21-MC037
Malware: Injuke_c6eb0bd1
Platform: Windows
Info: This strike sends a malware sample known as Injuke. Injuke is a dropper that is known for retrieving other malware binaries. It can also communicate with remote servers to exfiltrate information from the victim machine.
External References: https://blog.talosintelligence.com/2021/12/threat-roundup-1203-1210.html
SHA256: 3a9efea761f7da930b32f9fe2e20ac7eaf988f3edcbba048b6a136600634d788
SHA1: 9d961e79fae9279610f38c69e28cefb9f845a932
MD5: c6eb0bd166bc638bbdbcc7bc053f37da

Strike ID: M21-MC002
Malware: Injuke_04484ae9
Platform: Windows
Info: This strike sends a malware sample known as Injuke. Injuke is a dropper that is known for retrieving other malware binaries. It can also communicate with remote servers to exfiltrate information from the victim machine.
External References: https://blog.talosintelligence.com/2021/12/threat-roundup-1203-1210.html
SHA256: e700e73d5cf3ac08f9fb69b331f24b15eacb710fbe37d414ac7df4c2fd5cde67
SHA1: b38a1c8cfad62612f333895666b55a02508d75af
MD5: 04484ae93a15a6a6a8752bd960d15b1d

Strike ID: M21-MC00d
Malware: Injuke_37bae635
Platform: Windows
Info: This strike sends a malware sample known as Injuke. Injuke is a dropper that is known for retrieving other malware binaries. It can also communicate with remote servers to exfiltrate information from the victim machine.
External References: https://blog.talosintelligence.com/2021/12/threat-roundup-1203-1210.html
SHA256: 6e1eef6df33659b87361af759bda87121117dd89956f2d06afc53b407f98ca15
SHA1: eefe1001a23f0e890cbf5f2387ded0d200ae7780
MD5: 37bae6357002a097632e925435bd0166

Strike ID: M21-MC031
Malware: NetWire_ab72b9d6
Platform: Windows
Info: This strike sends a malware sample known as NetWire. NetWire is a Remote Access Trojan that lets attackers execute commands on the infected host.
External References: https://blog.talosintelligence.com/2021/12/threat-roundup-1203-1210.html
SHA256: e2c70790e6c577fc0d42dc3b6c2616b4da65e204918d613664bd433a97d8b225
SHA1: 839504bc8cf6c654887e7ba8692480c2407f4d47
MD5: ab72b9d6a7017d9072cb33deb9d9d05d

Strike ID: M21-MC013
Malware: Tedy_4b0fc06e
Platform: Windows
Info: This strike sends a malware sample known as Tedy. Tedy malware will modify the system registry keys. This malware may also download additional malware. This sample may have been compressed with a packer.
External References: https://blog.talosintelligence.com/2021/12/threat-roundup-1203-1210.html
SHA256: 77935b203920b169a901b8e12147867c5b5851e14d16d569ac37ee22131294a9
SHA1: 6e0009921b2900ddbcf82b5f96357390141fb6a4
MD5: 4b0fc06e26def68687a31f8c73cd6832

Strike ID: M21-MC04d
Malware: Noon_2e86611a
Platform: Windows
Info: This strike sends a polymorphic malware sample known as Noon. Noon malware can execute other malware binaries. Once deployed it will connect to remote servers and push sensitive information to the attackers. This malware also maintains persistence on the victim machines. The binary has a random section name renamed according to the PE format specification.
External References: https://blog.talosintelligence.com/2021/12/threat-roundup-1126-1203.html
SHA256: 3730a7adcd12d5ecd0569f4a552d9096f9bbc281c877b468b7a35bc166e21e9f
https://arxiv.org/abs/1801.08917
PARENTID: M21-MC02c
SSDEEP: 12288:q8gwyq2B1qGbuPWnnwy5C9Rm3r0I4SByb:V2B1qGbuPWw/9A3Y
SHA1: b92c0345a6d4ceb2651a20f4e56133abd53a4da3
MD5: 2e86611af6e0724df48c91b5e4da4c7f

Strike ID: M21-MC00c
Malware: Tedy_33d2ff5e
Platform: Windows
Info: This strike sends a malware sample known as Tedy. Tedy malware will modify the system registry keys. This malware may also download additional malware. This sample may have been compressed with a packer.
External References: https://blog.talosintelligence.com/2021/12/threat-roundup-1203-1210.html
SHA256: 54b4463e986991dd95f8b4856758e3f3e5bce081306ff4cc32fa8dd2b10fb492
SHA1: 0947139327a9bba96357ca3decad07c7837cd35c
MD5: 33d2ff5e884ddedf8e1317c439ed39c0

Strike ID: M21-MC001
Malware: Tedy_00c66c0c
Platform: Windows
Info: This strike sends a malware sample known as Tedy. Tedy malware will modify the system registry keys. This malware may also download additional malware. This sample may have been compressed with a packer.
External References: https://blog.talosintelligence.com/2021/12/threat-roundup-1203-1210.html
SHA256: c56fa67e0c95435dec573e68e596f45a968c7725673928bb329aae69eb5aca26
SHA1: ce6fe335bd9234546da9b05cb3751bebfaa7232d
MD5: 00c66c0c82d5c8320949e460113b4dad

Strike ID: M21-MC052
Malware: Noon_c95289ac
Platform: Windows
Info: This strike sends a polymorphic malware sample known as Noon. Noon malware can execute other malware binaries. Once deployed it will connect to remote servers and push sensitive information to the attackers. This malware also maintains persistence on the victim machines. The binary has random bytes appended at the end of the file.
External References: https://blog.talosintelligence.com/2021/12/threat-roundup-1126-1203.html
SHA256: 1b34dd0a2ddb5ef38c30475e742fb814c8fd043fd076eec217bf5b1db1fc6544
https://attack.mitre.org/techniques/T1009/
PARENTID: M21-MC02c
SSDEEP: 12288:18gwyq2B1qGbuPWnnwy5C9Rm3r0I4SBybP:m2B1qGbuPWw/9A3Yr
SHA1: 52c3bbb5249b63ea13170bf70353284dca254593
MD5: c95289ac71d9a39056073a533ac87c9e

Strike ID: M21-MC041
Malware: Zbot_e285f10c
Platform: Windows
Info: This strike sends a malware sample known as Zbot. Zbot, also known as Zeus, is a trojan often associated with stealing banking information by keystroke logging and form grabbing techniques.
External References: https://blog.talosintelligence.com/2021/12/threat-roundup-1126-1203.html
SHA256: 5abfbd891f64ca1431f5c10ba24c8a721087d9f32c7900e45601a69ab6d770d9
SHA1: cef6d729d933e0cfb3747f92ab029e649166095e
MD5: e285f10c95c30b4807282c16269dbb33

Strike ID: M21-MC038
Malware: Zbot_c76096dd
Platform: Windows
Info: This strike sends a malware sample known as Zbot. Zbot, also known as Zeus, is a trojan often associated with stealing banking information by keystroke logging and form grabbing techniques.
External References: https://blog.talosintelligence.com/2021/12/threat-roundup-1126-1203.html
SHA256: 90cfecaa03130aae7d0fb6c8d37cc5bc674693868be632cee100bd4689766d28
SHA1: f18cb1c620e16f89d02dbb2e62855a869b20178a
MD5: c76096ddd9e001457bd5f9a688e577f1

Strike ID: M21-MC02e
Malware: Tedy_9ecdc144
Platform: Windows
Info: This strike sends a malware sample known as Tedy. Tedy malware will modify the system registry keys. This malware may also download additional malware. This sample may have been compressed with a packer.
External References: https://blog.talosintelligence.com/2021/12/threat-roundup-1203-1210.html
SHA256: 2b4709e5dcf79e67df8410740636d64d6267fb2ed5c1236b5f97b79ef7b8eb3a
SHA1: 50a664c80667595255610ecdb4244d3d698edc64
MD5: 9ecdc14407aa3de63172279327098314

Strike ID: M21-MC040
Malware: Zbot_e14e0d98
Platform: Windows
Info: This strike sends a malware sample known as Zbot. Zbot, also known as Zeus, is a trojan often associated with stealing banking information by keystroke logging and form grabbing techniques.
External References: https://blog.talosintelligence.com/2021/12/threat-roundup-1126-1203.html
SHA256: a92b197a2682b97ffb2a11a67bdd986fc2a2543a3c455b6f24172df8be010af7
SHA1: a80d8e4dba5406b9c581ecb75b361304496bb68a
MD5: e14e0d98cfbdca65f37e7d1fa1448d33

Strike ID: M21-MC021
Malware: Tedy_7e054d33
Platform: Windows
Info: This strike sends a malware sample known as Tedy. Tedy malware will modify the system registry keys. This malware may also download additional malware. This sample may have been compressed with a packer.
External References: https://blog.talosintelligence.com/2021/12/threat-roundup-1203-1210.html
SHA256: 757d2740fc54ffe77ce2956669e926cb5a050032963b40abd4af79b3d5c946aa
SHA1: 28a7bcb9e7e76839c9ba7c08bb80c2c9f8ac864d
MD5: 7e054d3383a3c9c12872fa981270c6b8

Strike ID: M21-MC033
Malware: Noon_af6c6478
Platform: Windows
Info: This strike sends a malware sample known as Noon. Noon malware can execute other malware binaries. Once deployed it will connect to remote servers and push sensitive information to the attackers. This malware also maintains persistence on the victim machines.
External References: https://blog.talosintelligence.com/2021/12/threat-roundup-1126-1203.html
SHA256: e3443324e3aab23a1ad0c7918862744a2614fad85aa702aab1fd8abea01a26c7
SHA1: b7fa3ba771ccc38faa72fb701bf7ca077373779d
MD5: af6c647815066e4fe89f71a761e0219c

Strike ID: M21-MC030
Malware: Injuke_a6b60939
Platform: Windows
Info: This strike sends a malware sample known as Injuke. Injuke is a dropper that is known for retrieving other malware binaries. It can also communicate with remote servers to exfiltrate information from the victim machine.
External References: https://blog.talosintelligence.com/2021/12/threat-roundup-1203-1210.html
SHA256: 732fd0bc032bd04625c92cfb150c0df625bd91032354d6f3ac723ca6e181f79d
SHA1: fc9591ad173bfe09b8bd3037fa7ded4a8dc510e5
MD5: a6b60939fd4519c50856072670b82648

Strike ID: M21-MC007
Malware: Nanocore_0e643852
Platform: Windows
Info: This strike sends a malware sample known as Nanocore. Nanocore is a .NET Remote Access Trojan. It has become widely available. This trojan has many capabilities including monitoring the system audio and video, controlling the desktop, and logging the user's keystrokes.
External References: https://blog.talosintelligence.com/2021/12/threat-roundup-1126-1203.html
SHA256: c2c3d65dceecbc8b67d4c03c6a8fd426f6ee1d1fb391beba2c9189197b818f66
SHA1: 681e433b115c5e00ba0118fda6edd575498f8805
MD5: 0e643852c47f9850cc74bf5cdcc59291

Strike ID: M21-MC03e
Malware: Tedy_dcead5a2
Platform: Windows
Info: This strike sends a malware sample known as Tedy. Tedy malware will modify the system registry keys. This malware may also download additional malware. This sample may have been compressed with a packer.
External References: https://blog.talosintelligence.com/2021/12/threat-roundup-1203-1210.html
SHA256: 5df4434df82d09fea4a0b18bdc625ae5c63d44f9ec1f0a1e724d1ec0424ef44d
SHA1: c65ad72929b304a9bbf4921daf5c6ef8c41f3c1c
MD5: dcead5a20776ab7d56c7be346905a6b9

Strike ID: M21-MC014
Malware: Tedy_4be22ca0
Platform: Windows
Info: This strike sends a malware sample known as Tedy. Tedy malware will modify the system registry keys. This malware may also download additional malware. This sample may have been compressed with a packer.
External References: https://blog.talosintelligence.com/2021/12/threat-roundup-1203-1210.html
SHA256: 96c0fb436d03279475c4631cb95984371dcee3b405ad10e79cd628287ab087ec
SHA1: 850c2cbdd9e605766db744cb09f4ae3b9d1ebd63
MD5: 4be22ca0bab2e1a0f4c021886f2ab8cf

Strike ID: M21-MC027
Malware: Nanocore_8c38d68a
Platform: Windows
Info: This strike sends a malware sample known as Nanocore. Nanocore is a .NET Remote Access Trojan. It has become widely available. This trojan has many capabilities including monitoring the system audio and video, controlling the desktop, and logging the user's keystrokes.
External References: https://blog.talosintelligence.com/2021/12/threat-roundup-1126-1203.html
SHA256: 67dbe5f4a3ee536d6c2676788d77ee22e1ac6a605897db745e88882a03f44b09
SHA1: aa752d6865e1a51189c6289b78ccf2ca7ca08526
MD5: 8c38d68a667c25d9688350f6e6d483ee

Strike ID: M21-MC003
Malware: Tedy_05a256fe
Platform: Windows
Info: This strike sends a malware sample known as Tedy. Tedy malware will modify the system registry keys. This malware may also download additional malware. This sample may have been compressed with a packer.
External References: https://blog.talosintelligence.com/2021/12/threat-roundup-1203-1210.html
SHA256: 850c19c8cb037a84196d7d7fd206ee7c1fed529a6d6ff891f269700b85c9cf94
SHA1: 85f515e8eac7ee1553c404c360cfd924ba005b88
MD5: 05a256fed9a630fd019f8058cacd6671

Strike ID: M21-MC034
Malware: Noon_bb90be3c
Platform: Windows
Info: This strike sends a malware sample known as Noon. Noon malware can execute other malware binaries. Once deployed it will connect to remote servers and push sensitive information to the attackers. This malware also maintains persistence on the victim machines.
External References: https://blog.talosintelligence.com/2021/12/threat-roundup-1126-1203.html
SHA256: 8c4fa6b225ecffd0811ca8a4380491a9ec375a1a40ca0bde1f6e793f41b1887b
SHA1: 94ef8277f2799ef0dd1dc38df926ab01bbdb6743
MD5: bb90be3c58d26db5800b87cc6e3c79f5

Strike ID: M21-MC04b
Malware: Noon_1e30ab4c
Platform: Windows
Info: This strike sends a polymorphic malware sample known as Noon. Noon malware can execute other malware binaries. Once deployed it will connect to remote servers and push sensitive information to the attackers. This malware also maintains persistence on the victim machines. The binary has been packed using the UPX packer with the default options.
External References: https://blog.talosintelligence.com/2021/12/threat-roundup-1126-1203.html
SHA256: 09492639ad3eaa89c5b594675f1e0ea421b4a025823293199c6fcfea0e52e4a2
https://attack.mitre.org/techniques/T1045/
PARENTID: M21-MC01e
SSDEEP: 6144:IIIGSQk3J0uEi/CIoSfFy67liRGu8KTOWO:Izqk3bqYFyZRB6WO
SHA1: f3fa743aa3632b6da70757ac8a3378e9be28e0e4
MD5: 1e30ab4cdfe0dd94844d6c98421747d4

Strike ID: M21-MC011
Malware: Emotet_43464293
Platform: Windows
Info: This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails.
External References: https://blog.talosintelligence.com/2021/12/threat-roundup-1126-1203.html
SHA256: 6b13b8d682d852b45fbbb1c2427e56076e9fd389e1191ee9b35a9b9d0a6ae568
SHA1: f567f9f988ac2756772c7b312e2ffe4cd9e20bda
MD5: 4346429384893a6f9d4a25e2abae8bc2

Strike ID: M21-MC025
Malware: Noon_82eae68b
Platform: Windows
Info: This strike sends a malware sample known as Noon. Noon malware can execute other malware binaries. Once deployed it will connect to remote servers and push sensitive information to the attackers. This malware also maintains persistence on the victim machines.
External References: https://blog.talosintelligence.com/2021/12/threat-roundup-1126-1203.html
SHA256: dbede3eb210f3ac5a9f5691a35a9eb568e56537d0471e097fa396731d4a0bbf7
SHA1: a30e481681181dcf973da8dc1b776f2e5b9317b9
MD5: 82eae68b59dd0160dab6531cb4a33190

Strike ID: M21-MC00a
Malware: Tedy_264c080f
Platform: Windows
Info: This strike sends a malware sample known as Tedy. Tedy malware will modify the system registry keys. This malware may also download additional malware. This sample may have been compressed with a packer.
External References: https://blog.talosintelligence.com/2021/12/threat-roundup-1203-1210.html
SHA256: b8d09e8869ba3cac87c5aafad119511b215825ef491602352c2ba5059548b35d
SHA1: bc8099f7dfbadeaef64d692d51d903788e224b6a
MD5: 264c080f99eaef56529cfcbf70253b2b

Strike ID: M21-MC047
Malware: Tedy_f9f1fd79
Platform: Windows
Info: This strike sends a malware sample known as Tedy. Tedy malware will modify the system registry keys. This malware may also download additional malware. This sample may have been compressed with a packer.
External References: https://blog.talosintelligence.com/2021/12/threat-roundup-1203-1210.html
SHA256: edf7e403cf5aa13b08a8cd63bc475b5c2e2ea0435d2025562ff0cf84b9f5c20b
SHA1: bcb803635ad6086dcc657a27f7db7bd11d6eb177
MD5: f9f1fd79bb53bf281c89cc03e3ce315f

Strike ID: M21-MC016
Malware: Emotet_4db1818e
Platform: Windows
Info: This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails.
External References: https://blog.talosintelligence.com/2021/12/threat-roundup-1126-1203.html
SHA256: 407f0c771bd93e70bd172fb6271aea77be8db9c47fe339f7c8847058c27100c1
SHA1: 81b4323ff867991937c768dee509462022b0af6a
MD5: 4db1818e989157ec2477fa8587d69033

Strike ID: M21-MC018
Malware: Tedy_56feb85d
Platform: Windows
Info: This strike sends a malware sample known as Tedy. Tedy malware will modify the system registry keys. This malware may also download additional malware. This sample may have been compressed with a packer.
External References: https://blog.talosintelligence.com/2021/12/threat-roundup-1203-1210.html
SHA256: 7607104686a12ef037def4fe022d6e33d807116ad479be2e84c31f348814bc43
SHA1: f270087f58ab2690093ff572833795d20b2baf1a
MD5: 56feb85d714c7948276a75e602456870

Strike ID: M21-MC04f
Malware: Noon_4f67bb15
Platform: Windows
Info: This strike sends a polymorphic malware sample known as Noon. Noon malware can execute other malware binaries. Once deployed it will connect to remote servers and push sensitive information to the attackers. This malware also maintains persistence on the victim machines. The binary has random strings (lorem ipsum) appended at the end of the file.
External References: https://blog.talosintelligence.com/2021/12/threat-roundup-1126-1203.html
SHA256: 69853d2cf9e0affb871e167e0c5554e8536d620afce607c7164ab648e417a14b
https://attack.mitre.org/techniques/T1009/
PARENTID: M21-MC01e
SSDEEP: 12288:O8gwyq2B1qGbuPWnnwy5C9Rm3r0I4SByMR:J2B1qGbuPWw/9A3Ye
SHA1: 7a207d1f4a843a8ebdcf0aba15b51b1db3f28500
MD5: 4f67bb159e04ca79e524bf27b4786999

Strike ID: M21-MC028
Malware: Noon_8c8f0ecd
Platform: Windows
Info: This strike sends a malware sample known as Noon. Noon malware can execute other malware binaries. Once deployed it will connect to remote servers and push sensitive information to the attackers. This malware also maintains persistence on the victim machines.
External References: https://blog.talosintelligence.com/2021/12/threat-roundup-1126-1203.html
SHA256: 4b3351257f81139ff08e3ea250279ec3efee399dcc96ef3791ca2589e04f9c58
SHA1: 2601b00069b51c320fec5c403661e611f255c615
MD5: 8c8f0ecdc72cc10548bc34282dca3131

Strike ID: M21-MC036
Malware: Noon_c2193a36
Platform: Windows
Info: This strike sends a malware sample known as Noon. Noon malware can execute other malware binaries. Once deployed it will connect to remote servers and push sensitive information to the attackers. This malware also maintains persistence on the victim machines.
External References: https://blog.talosintelligence.com/2021/12/threat-roundup-1126-1203.html
SHA256: 08db2ec0fb9b9052029230826baf4681a399f11512b3a7669ac38095c374d7bf
SHA1: c1150e2a7ba0e4f29035e4127e807f80ee24855a
MD5: c2193a3639998662a87d53d77295edae

Strike ID: M21-MC029
Malware: Noon_8d377ac9
Platform: Windows
Info: This strike sends a malware sample known as Noon. Noon malware can execute other malware binaries. Once deployed it will connect to remote servers and push sensitive information to the attackers. This malware also maintains persistence on the victim machines.
External References: https://blog.talosintelligence.com/2021/12/threat-roundup-1126-1203.html
SHA256: cf39ba4cae7bfe2bca412bb58130f0e3d610aaa1540a2991a5f1346a0c9d0d32
SHA1: b421040ff45a151e596d2c094d291b5b1c025f5f
MD5: 8d377ac907cbb773d6a7065397c5248c

Strike ID: M21-MC023
Malware: Zbot_80a79ad8
Platform: Windows
Info: This strike sends a malware sample known as Zbot. Zbot, also known as Zeus, is a trojan often associated with stealing banking information by keystroke logging and form grabbing techniques.
External References: https://blog.talosintelligence.com/2021/12/threat-roundup-1126-1203.html
SHA256: 747ccb42faa8c7f1c97f4fe3518e68dedfd63900197b0336f53e5bd1461f5a3b
SHA1: da46bf500ed0e4dd4698110a5754392322782bad
MD5: 80a79ad839870daeb6b3bce92d25b9cd

Strike ID: M21-MC01d
Malware: Emotet_686123fc
Platform: Windows
Info: This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails.
External References: https://blog.talosintelligence.com/2021/12/threat-roundup-1126-1203.html
SHA256: e85ef6ce609d239ab83e9b5e6087c0abaf0055ecac0b8e3dba832233e10ebadf
SHA1: 4af427322558315ac5c9a5eda989452083938846
MD5: 686123fcce69aac06a9d4d3aa0c9a84b

Strike ID: M21-MC019
Malware: Injuke_5a771c67
Platform: Windows
Info: This strike sends a malware sample known as Injuke. Injuke is a dropper that is known for retrieving other malware binaries. It can also communicate with remote servers to exfiltrate information from the victim machine.
External References: https://blog.talosintelligence.com/2021/12/threat-roundup-1203-1210.html
SHA256: b4c95de919eefc95b05c40e0561851c8b428471c84485165e00fd316419a9ea4
SHA1: 69eb307ef7c0ae07efa3c2cdcb5891bee6734450
MD5: 5a771c67b82cf9cd1778d87ad88b6cb2

Strike ID: M21-MC015
Malware: Injuke_4beed454
Platform: Windows
Info: This strike sends a malware sample known as Injuke. Injuke is a dropper that is known for retrieving other malware binaries. It can also communicate with remote servers to exfiltrate information from the victim machine.
External References: https://blog.talosintelligence.com/2021/12/threat-roundup-1203-1210.html
SHA256: df4300eb0872615a6c415c1b56c71b3e8d71dabcfb281d2c69cc728fa21fdd10
SHA1: 1cb75730e3ef62d624ded1bfa1f2f6abc97243de
MD5: 4beed454091bb6a752d12e7a658287ee

Strike ID: M21-MC03f
Malware: Tedy_dfe16a95
Platform: Windows
Info: This strike sends a malware sample known as Tedy. Tedy malware will modify the system registry keys. This malware may also download additional malware. This sample may have been compressed with a packer.
External References: https://blog.talosintelligence.com/2021/12/threat-roundup-1203-1210.html
SHA256: 351818e29009f7d23a7985bec44c706d16c5f3e297e8d5db9f25c29dba8c6e1e
SHA1: 7f62bf3dc0e51fbbf6f8a77a87f5cb470ff930df
MD5: dfe16a95cca72acb7ef3557af0fb5703

Strike ID: M21-MC04a
Malware: Emotet_1cf9f32e
Platform: Windows
Info: This strike sends a polymorphic malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails. The binary has a random section name renamed according to the PE format specification.
External References: https://blog.talosintelligence.com/2021/12/threat-roundup-1126-1203.html
SHA256: 14b0f53d5a3ac4e0b04941f4255a988afc1a13a72bc1764b141ec69748fe6eeb
https://arxiv.org/abs/1801.08917
PARENTID: M21-MC01b
SSDEEP: 6144:UF7XITF7XIUF7XIi6nTN0iUAF7XIUF7XITF7XIVfB:NONi6nR0/NO5B
SHA1: 163c9951ac7aedd5f5cd800a098131d12ebb617c
MD5: 1cf9f32e7c95143df2125a20cb8d5ffc

Strike ID: M21-MC035
Malware: Injuke_be7e7bc0
Platform: Windows
Info: This strike sends a malware sample known as Injuke. Injuke is a dropper that is known for retrieving other malware binaries. It can also communicate with remote servers to exfiltrate information from the victim machine.
External References: https://blog.talosintelligence.com/2021/12/threat-roundup-1203-1210.html
SHA256: a9e5c4e08ed33168ec7771c4e486017dcd1aa19518b2fe1644d64f1c532a2367
SHA1: 62fb02368a91ceab6424db3ec9f97843c352c26b
MD5: be7e7bc0b0025b091457629493d1a982

Strike ID: M21-MC01c
Malware: Emotet_6828a7a0
Platform: Windows
Info: This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails.
External References: https://blog.talosintelligence.com/2021/12/threat-roundup-1126-1203.html
SHA256: 675cd37b67f1014ce4eb06169a02f4ec177803ccd853f9ecc0926f91ce4a46c0
SHA1: 1db5889b699197f2edde80cb8a3b1d3ae4e4c91d
MD5: 6828a7a021d602c0866f83ad82404ab2

Strike ID: M21-MC005
Malware: Injuke_07d3c1d9
Platform: Windows
Info: This strike sends a malware sample known as Injuke. Injuke is a dropper that is known for retrieving other malware binaries. It can also communicate with remote servers to exfiltrate information from the victim machine.
External References: https://blog.talosintelligence.com/2021/12/threat-roundup-1203-1210.html
SHA256: 04257a5b8ff1223d9a240769c0ec4e045f08f7a870f54b8fbb73dc7c919b2b62
SHA1: 40069b73661949b18dac51c8a68d965bcc57cb17
MD5: 07d3c1d92bf0edcfcdc8ba71e3a130ff

Strike ID: M21-MC020
Malware: Tedy_7abbdaa5
Platform: Windows
Info: This strike sends a malware sample known as Tedy. Tedy malware will modify the system registry keys. This malware may also download additional malware. This sample may have been compressed with a packer.
External References: https://blog.talosintelligence.com/2021/12/threat-roundup-1203-1210.html
SHA256: 3742dd894dd36988ade82fd58da680db61c6addfe15561b2e02574982552d6f9
SHA1: f40c8de6c70c1c147d48f2c6c8773089b7b5b23a
MD5: 7abbdaa5255631386ebae72be3116241
M21-MC01a | Nanocore_5fd23435 | Windows | This strike sends a malware sample known as Nanocore. Nanocore is a .NET Remote Access Trojan. It has become widely available. This trojan has many capabilities including monitoring the system audio and video, controlling the desktop, and logging the user's keystrokes. | 5fd23435c94a809ec2351a44137fcbfc | https://blog.talosintelligence.com/2021/12/threat-roundup-1126-1203.html
SHA256: 017e4463cfea82299117b714946be4cc7609d404e36219f6ce848029fff0ddd1
SHA1: 6993525d44dde0b3e67ad241dc552aba4fd333ef
MD5: 5fd23435c94a809ec2351a44137fcbfc
M21-MC022 | Zbot_7fffdd12 | Windows | This strike sends a malware sample known as Zbot. Zbot, also known as Zeus, is a trojan often associated with stealing banking information by keystroke logging and form grabbing techniques. | 7fffdd12a34a3016695ee2de18e9d387 | https://blog.talosintelligence.com/2021/12/threat-roundup-1126-1203.html
SHA256: 805dfd2e228c7d832a4e761532c0c1b937a2732eca88122340d3981f95ca0827
SHA1: 959d84f0ec8100090bdb77d47d1c26ce0ef53a18
MD5: 7fffdd12a34a3016695ee2de18e9d387
M21-MC03c | Emotet_d8df851b | Windows | This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails. | d8df851b1507deccf075c7838edb9a40 | https://blog.talosintelligence.com/2021/12/threat-roundup-1126-1203.html
SHA256: 61e30ba6304ab7ae641d26b7118eaf9346f055ab5eafa0995e99f82d4ef9fdf0
SHA1: a05e05bdcd05275fc3d0e2a495a7306ddcb5cee8
MD5: d8df851b1507deccf075c7838edb9a40
M21-MC01e | Noon_6ab1cb55 | Windows | This strike sends a malware sample known as Noon. Noon malware can execute other malware binaries. Once deployed it will connect to remote servers and push sensitive information to the attackers. This malware also maintains persistence on the victim machines. | 6ab1cb55076059871d68ebd5504b28b3 | https://blog.talosintelligence.com/2021/12/threat-roundup-1126-1203.html
SHA256: f8ac56b0353b483941529bac80767353c499be61fc5a6d76fe1a2a11a058bc8a
SHA1: 4ea637cbff679a56cf385142357088fdcfa3d5bb
MD5: 6ab1cb55076059871d68ebd5504b28b3
M21-MC017 | Emotet_51e25f03 | Windows | This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails. | 51e25f0318a7870bafa3ca4e6e419024 | https://blog.talosintelligence.com/2021/12/threat-roundup-1126-1203.html
SHA256: 6887a0687741fd333775f3b9d78dd41bab1b23fbd4e7830e61df37ecb18e592d
SHA1: f48ec7c591fea43656582a44bb65c9bc6b167bee
MD5: 51e25f0318a7870bafa3ca4e6e419024
M21-MC050 | Emotet_62ff36ab | Windows | This strike sends a polymorphic malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails. The binary has a random section name renamed according to the PE format specification. | 62ff36ab8ff180c7e849bf2b70cbe858 | https://blog.talosintelligence.com/2021/12/threat-roundup-1126-1203.html
SHA256: 567fb7669e6362e25791f8470ed763995e802f03a027022ad5ebee0b43369a7d
https://arxiv.org/abs/1801.08917
PARENTID: M21-MC01d
SSDEEP: 6144:wF7XITF7XIUF7XIi6nTN0iUAF7XIUF7XITF7XIVfO:xONi6nR0/NO5O
SHA1: 031566a8febe305896f68b409fff729aef11b246
MD5: 62ff36ab8ff180c7e849bf2b70cbe858
M21-MC01b | Emotet_6213f591 | Windows | This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails. | 6213f5911227d1c1a3e16c44734ecd61 | https://blog.talosintelligence.com/2021/12/threat-roundup-1126-1203.html
SHA256: f55b13230edc9e93d209f709e21740657f63a54251bdf345abda1d24b62d5cf7
SHA1: 85a04a6770f62382895dc19be7fa054d7b1f248c
MD5: 6213f5911227d1c1a3e16c44734ecd61
M21-MC032 | Tedy_ac3fe0ef | Windows | This strike sends a malware sample known as Tedy. Tedy malware will modify the system registry keys. This malware may also download additional malware. This sample may have been compressed with a packer. | ac3fe0efb8de93015be67721acafc50a | https://blog.talosintelligence.com/2021/12/threat-roundup-1203-1210.html
SHA256: 9d6f55a3db927b1a852c42b1c158df1c5f4d32f4e27be5fa619ee2463cb0e110
SHA1: c8990e84abff352448b701b2c4c65420b95b1ca5
MD5: ac3fe0efb8de93015be67721acafc50a
M21-MC010 | Emotet_3d0b6c5c | Windows | This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails. | 3d0b6c5cb6699ab80d09a35dc8ff7195 | https://blog.talosintelligence.com/2021/12/threat-roundup-1126-1203.html
SHA256: ab73322cbf2d7b93c8643be65fffd1249fc5b9d644e37936b69925a7ced64f35
SHA1: 51162c5f2331abbfff78254065f1d49ebe199158
MD5: 3d0b6c5cb6699ab80d09a35dc8ff7195
M21-MC006 | Emotet_087117e5 | Windows | This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails. | 087117e537d3c15a3d74a240e07c632c | https://blog.talosintelligence.com/2021/12/threat-roundup-1126-1203.html
SHA256: 5a7ea3648dcc1b648aab3bad91d05df3719d775f184b34bff0c4b1937cf0ed37
SHA1: e5a025f653263b70b3a8f4251efaaa5d996ac7d7
MD5: 087117e537d3c15a3d74a240e07c632c
M21-MC02a | Tedy_8f3acb97 | Windows | This strike sends a malware sample known as Tedy. Tedy malware will modify the system registry keys. This malware may also download additional malware. This sample may have been compressed with a packer. | 8f3acb97f557779e8077c770fd4dbf24 | https://blog.talosintelligence.com/2021/12/threat-roundup-1203-1210.html
SHA256: 494309b5b88455c186124cd3d560f2302a33dec4bfe39f7233f30487f75da391
SHA1: 1716a39d9a23039b03cdbd25c2239585b965b03a
MD5: 8f3acb97f557779e8077c770fd4dbf24
M21-MC04c | Zbot_26f59367 | Windows | This strike sends a polymorphic malware sample known as Zbot. Zbot, also known as Zeus, is a trojan often associated with stealing banking information by keystroke logging and form grabbing techniques. The binary has been packed using the UPX packer, with the default options. | 26f593677b2cca80b74d2195ca3255e6 | https://blog.talosintelligence.com/2021/12/threat-roundup-1126-1203.html
SHA256: 4ff4f038c2a0a20c581b3cb97e640f391d09e9fb60d1560ed4fbd0a43b2d8cc8
https://attack.mitre.org/techniques/T1045/
PARENTID: M21-MC040
SSDEEP: 6144:4hHqN8eQZj1mSNcN3JSw8cn7R1L4RWZwLuGFZe7o6kWY5G3/:4hHDj1mODvk1yWZwLuGFZeCWr
SHA1: c86934893247687bef8d0026ff2fecf49093131f
MD5: 26f593677b2cca80b74d2195ca3255e6
M21-MC03a | Emotet_cf646280 | Windows | This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails. | cf6462805439b4d988e6a1f3c0c5ac32 | https://blog.talosintelligence.com/2021/12/threat-roundup-1126-1203.html
SHA256: c034132940163b6ac4be7ca63aa004bd07964dd3d3d0f1a0714bee89e07b7999
SHA1: 9950de6aea85e9591425788ed0810b66310e5069
MD5: cf6462805439b4d988e6a1f3c0c5ac32
M21-MC00b | Noon_2874228a | Windows | This strike sends a malware sample known as Noon. Noon malware can execute other malware binaries. Once deployed it will connect to remote servers and push sensitive information to the attackers. This malware also maintains persistence on the victim machines. | 2874228a62abe22aa666e86fde09ab32 | https://blog.talosintelligence.com/2021/12/threat-roundup-1126-1203.html
SHA256: 83bd22db707b355135348bb20fadeabb132781027164e78e01490722da255b78
SHA1: b9a34853b4710d903c1ca0ef96934043989e4f05
MD5: 2874228a62abe22aa666e86fde09ab32
M21-MC03d | Injuke_d997417e | Windows | This strike sends a malware sample known as Injuke. Injuke is a dropper that is known for retrieving other malware binaries. It can also communicate with remote servers to exfiltrate information from the victim machine. | d997417e7acf295ab65d445ee3a8789c | https://blog.talosintelligence.com/2021/12/threat-roundup-1203-1210.html
SHA256: 85c10c7042157a98f854e63ebf5aad5c37d7690633c54d6a71eabe4e324c68d9
SHA1: c6afae04033bb7509fb54e2a692b27a40c9fe2f4
MD5: d997417e7acf295ab65d445ee3a8789c
M21-MC046 | Emotet_f889195d | Windows | This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails. | f889195d7fb07a26bb6597e61d659257 | https://blog.talosintelligence.com/2021/12/threat-roundup-1126-1203.html
SHA256: c2e477543265bc5733eef0be5cbbe433824066f2fc03c94ada2ae75046fb69e1
SHA1: e81a329b75e962ebef17faf72f2b7d4d0f391589
MD5: f889195d7fb07a26bb6597e61d659257
M21-MC049 | Zbot_fe56fc37 | Windows | This strike sends a malware sample known as Zbot. Zbot, also known as Zeus, is a trojan often associated with stealing banking information by keystroke logging and form grabbing techniques. | fe56fc379bd393a225923b588e3ce27b | https://blog.talosintelligence.com/2021/12/threat-roundup-1126-1203.html
SHA256: fa0094afa2d08c83f24c8e4d8386c503528e4fa75fbd9aecd84baed67d93019f
SHA1: 3060d4766f8880aac36407a4bf3465c186aee8fd
MD5: fe56fc379bd393a225923b588e3ce27b
M21-MC044 | Tedy_f07edfcd | Windows | This strike sends a malware sample known as Tedy. Tedy malware will modify the system registry keys. This malware may also download additional malware. This sample may have been compressed with a packer. | f07edfcd02e0bd17ccfc5c24cbe41466 | https://blog.talosintelligence.com/2021/12/threat-roundup-1203-1210.html
SHA256: cad9802c019445abc5fe863a5bf136f7ad0fe1ce689694bc855d9d68a3c165d7
SHA1: b578859484005250657e41c6ee98381363d74a80
MD5: f07edfcd02e0bd17ccfc5c24cbe41466
M21-MC01f | Tedy_761f7e63 | Windows | This strike sends a malware sample known as Tedy. Tedy malware will modify the system registry keys. This malware may also download additional malware. This sample may have been compressed with a packer. | 761f7e6376a6a9c40d23b3200f4ca1f8 | https://blog.talosintelligence.com/2021/12/threat-roundup-1203-1210.html
SHA256: a5c255ac6e59b49ea536049ff5817f40cd80f59e142eedce31b97725bf2c6b02
SHA1: ce7db9ae2fbfa84b5e5392fb86d422a7a2e5da4f
MD5: 761f7e6376a6a9c40d23b3200f4ca1f8
M21-MC02f | Tedy_a4231b7b | Windows | This strike sends a malware sample known as Tedy. Tedy malware will modify the system registry keys. This malware may also download additional malware. This sample may have been compressed with a packer. | a4231b7b84af3176630d8c43c42c841b | https://blog.talosintelligence.com/2021/12/threat-roundup-1203-1210.html
SHA256: c7606a3ad6858cecbdcecda8d624a3614ba55d38eaee755e061b6589fe09c027
SHA1: aa6e24a30c771bc27b18414c12603e72148986ad
MD5: a4231b7b84af3176630d8c43c42c841b
M21-MC039 | Tedy_ccdf896f | Windows | This strike sends a malware sample known as Tedy. Tedy malware will modify the system registry keys. This malware may also download additional malware. This sample may have been compressed with a packer. | ccdf896feed2fd8914380666c415edc2 | https://blog.talosintelligence.com/2021/12/threat-roundup-1203-1210.html
SHA256: f48c7bfe059453b5b507a1081e1511dcbd5532ff763a5e4b77abdd3c6c99285e
SHA1: eac3abf42596d9d49646e72aaae71fc9ebc48c6a
MD5: ccdf896feed2fd8914380666c415edc2
M21-MC00e | Injuke_39247ac6 | Windows | This strike sends a malware sample known as Injuke. Injuke is a dropper that is known for retrieving other malware binaries. It can also communicate with remote servers to exfiltrate information from the victim machine. | 39247ac6c0ada1e0a2fbb038c24182b4 | https://blog.talosintelligence.com/2021/12/threat-roundup-1203-1210.html
SHA256: 1e45e954295474e3dab12d24dad2e63d41a45e2ff4fe968735739c7296d21245
SHA1: 6215a8384880c520d0e0a74ff2e71ac48022a2d5
MD5: 39247ac6c0ada1e0a2fbb038c24182b4
M21-MC053 | Noon_d16f93d2 | Windows | This strike sends a polymorphic malware sample known as Noon. Noon malware can execute other malware binaries. Once deployed it will connect to remote servers and push sensitive information to the attackers. This malware also maintains persistence on the victim machines. The binary has random bytes appended at the end of the file. | d16f93d2d6b85ee93bae643c08367058 | https://blog.talosintelligence.com/2021/12/threat-roundup-1126-1203.html
SHA256: ea37844743c11f519ac022b91fa6b493c060763ae00bc5056c9e4cb6780171d2
https://attack.mitre.org/techniques/T1009/
PARENTID: M21-MC01e
SSDEEP: 12288:O8gwyq2B1qGbuPWnnwy5C9Rm3r0I4SByM8:J2B1qGbuPWw/9A3Y3
SHA1: a25c4747a6d8662e9ced78cc03437657b7930c04
MD5: d16f93d2d6b85ee93bae643c08367058
M21-MC051 | Noon_b1f1ad58 | Windows | This strike sends a polymorphic malware sample known as Noon. Noon malware can execute other malware binaries. Once deployed it will connect to remote servers and push sensitive information to the attackers. This malware also maintains persistence on the victim machines. The binary has been packed using the UPX packer, with the default options. | b1f1ad58fab8c4f1e61c7a27ff40e970 | https://blog.talosintelligence.com/2021/12/threat-roundup-1126-1203.html
SHA256: 44988031e67411a7b6230adae19bd648097dbe91804c5b206119feb4bf9bb48b
https://attack.mitre.org/techniques/T1045/
PARENTID: M21-MC02c
SSDEEP: 6144:InEyaSBG7qEoF8UqorP1JiAkcS2IvSkCFAE4:IEybGmTIorP1JiAjY
SHA1: 4785819a238eadabe1c7a6d146fcf174a3cd7d78
MD5: b1f1ad58fab8c4f1e61c7a27ff40e970
M21-MC02b | Tedy_91a577d1 | Windows | This strike sends a malware sample known as Tedy. Tedy malware will modify the system registry keys. This malware may also download additional malware. This sample may have been compressed with a packer. | 91a577d1062878b7c876df4e50aa32e6 | https://blog.talosintelligence.com/2021/12/threat-roundup-1203-1210.html
SHA256: 0acf7ecc034ebce61bde342aaf346cf5cad268acac62192fabdf608594538198
SHA1: 8bcb94ec20e0d1a5aa90092923eba8231b13444d
MD5: 91a577d1062878b7c876df4e50aa32e6

Malware Strikes November - 2021

Strike ID | Malware | Platform | Info | MD5 | External References
M21-MB008 | Remcos_1188b7f5 | Windows | This strike sends a malware sample known as Remcos. Remcos is a RAT that logs keystrokes, and performs other interactions with the host like capturing screenshots. It is typically delivered via documents with macros in phishing emails. | 1188b7f59772b41af3f9d5e9dd6070f2 | https://blog.talosintelligence.com/2021/11/threat-roundup-1112-1119.html
SHA256: 6cf3404ffd23fda2f1d2339562cabd005cf5dd1630f31495c5a23bb18a6d6a63
SHA1: f9411fe5b4b1b70d23b6a6489d706b03544aa1f1
MD5: 1188b7f59772b41af3f9d5e9dd6070f2
M21-MB00c | Kuluoz_20aa747f | Windows | This strike sends a malware sample known as Kuluoz. Kuluoz, also called Asprox, is a remote access trojan that has been known to download and execute additional malware like fake antivirus software. | 20aa747fa92e691e0e46e09bcf7a83c3 | https://blog.talosintelligence.com/2021/11/threat-roundup-1105-1112.html
SHA256: 037e90d5a83ea1360c1c74b34e3d648ba8645b32d9de456756e8ba6acac86d6d
SHA1: 6f7798295bd78c1829821845eef59f6851a88bcd
MD5: 20aa747fa92e691e0e46e09bcf7a83c3
M21-MB02a | Remcos_85374450 | Windows | This strike sends a malware sample known as Remcos. Remcos is a RAT that logs keystrokes, and performs other interactions with the host like capturing screenshots. It is typically delivered via documents with macros in phishing emails. | 853744502b68e50e6cbaf81ffb3f5cc0 | https://blog.talosintelligence.com/2021/11/threat-roundup-1112-1119.html
SHA256: 8115607710c35c78eda8dd16d73cab92e2c857d8c91eb1422fcc1b3f06835a4a
SHA1: ea748baebe70d7c6d3da9d1a2a34b76051425962
MD5: 853744502b68e50e6cbaf81ffb3f5cc0
M21-MB04e | Kuluoz_f1ac4923 | Windows | This strike sends a malware sample known as Kuluoz. Kuluoz, also called Asprox, is a remote access trojan that has been known to download and execute additional malware like fake antivirus software. | f1ac4923d1e326a32f3036cdf8d16509 | https://blog.talosintelligence.com/2021/11/threat-roundup-1105-1112.html
SHA256: 1f18d7fcd14fa41d8256a373437ccfd3e0d0d4f80c41daeda99cfd493735acc8
SHA1: efe97b13c8c2085bba928689d1adba417e7c40ae
MD5: f1ac4923d1e326a32f3036cdf8d16509
M21-MB02c | Swisyn_8e804a33 | Windows | This strike sends a malware sample known as Swisyn. Swisyn is a loader that installs malicious software on the system, including remote access tool functionality, allowing the controller to perform any malicious action. | 8e804a339c9161bc85356fc84016b7b5 | https://blog.talosintelligence.com/2021/11/threat-roundup-1112-1119.html
SHA256: 4bfab196ae66dbdb3eb4908bbeca38876f92e154e7d20d9094ba94cb0db5466a
SHA1: 171a236d8e03129c52fdee6165ec0888aaff9496
MD5: 8e804a339c9161bc85356fc84016b7b5
M21-MB034 | Swisyn_b19d3c9a | Windows | This strike sends a malware sample known as Swisyn. Swisyn is a loader that installs malicious software on the system, including remote access tool functionality, allowing the controller to perform any malicious action. | b19d3c9a48265ce37b1d246dd7ef76a7 | https://blog.talosintelligence.com/2021/11/threat-roundup-1112-1119.html
SHA256: d7f8f77dd1fb4538f7008d669e13e058fc4c5f07ae8352920b6475e4a4600907
SHA1: d3fa1f0eebdd894246ac1f5fd537182ad5bd01ea
MD5: b19d3c9a48265ce37b1d246dd7ef76a7
M21-MB03d | Kuluoz_c8984053 | Windows | This strike sends a malware sample known as Kuluoz. Kuluoz, also called Asprox, is a remote access trojan that has been known to download and execute additional malware like fake antivirus software. | c8984053c52f9c5aa349cc2023d482bb | https://blog.talosintelligence.com/2021/11/threat-roundup-1105-1112.html
SHA256: 410c8127cf6d7bac2cb13d84dd8415aabc5831bdb617b49e8d28d024db906c51
SHA1: cb95f7ba614d28038846f96d01d9aa04132d4b82
MD5: c8984053c52f9c5aa349cc2023d482bb
M21-MB040 | Kuluoz_ce5d9471 | Windows | This strike sends a malware sample known as Kuluoz. Kuluoz, also called Asprox, is a remote access trojan that has been known to download and execute additional malware like fake antivirus software. | ce5d9471ef2eb0a7af34c71b55a74ed6 | https://blog.talosintelligence.com/2021/11/threat-roundup-1105-1112.html
SHA256: 36971d72adc866b317be68ddf5b3471825049a81231b53c5cfdacb292d49b4d6
SHA1: 179d5510d3761d29c1da5a7159e54d3967aef9cf
MD5: ce5d9471ef2eb0a7af34c71b55a74ed6
M21-MB016 | Remcos_4afbe606 | Windows | This strike sends a malware sample known as Remcos. Remcos is a RAT that logs keystrokes, and performs other interactions with the host like capturing screenshots. It is typically delivered via documents with macros in phishing emails. | 4afbe6063218a676ba3b745d71b6797c | https://blog.talosintelligence.com/2021/11/threat-roundup-1112-1119.html
SHA256: 3a313dc1c76508f2922fd0a39d7b3dfef483db53269112a752447334ac6cb776
SHA1: c57bc3eeb2ef467f5a43e1ba18732408068d9fab
MD5: 4afbe6063218a676ba3b745d71b6797c
M21-MB033 | Trickbot_b0bcb4bd | Windows | This strike sends a malware sample known as Trickbot. Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts. | b0bcb4bd33305efe3787f572f6c64032 | https://blog.talosintelligence.com/2021/11/threat-roundup-1105-1112.html
SHA256: 1a3cd06480513c10bd6c487e9bb015111ec4e17bfe26312f769233ab7e22f7f7
SHA1: cabe90fca01acf9a726aaa21cb72cb9303674a33
MD5: b0bcb4bd33305efe3787f572f6c64032
M21-MB019 | Kuluoz_52cc3435 | Windows | This strike sends a malware sample known as Kuluoz. Kuluoz, also called Asprox, is a remote access trojan that has been known to download and execute additional malware like fake antivirus software. | 52cc34357dd39b32c6f2ebbefa472986 | https://blog.talosintelligence.com/2021/11/threat-roundup-1105-1112.html
SHA256: 08de3a669a95eab65d9b95ecf7ed4085e162badd7b11b3ad126be4d9836d33e4
SHA1: 8d8ae9fed4c5b04ae1eb5e794d8182b89ccbc4ed
MD5: 52cc34357dd39b32c6f2ebbefa472986
M21-MB067 | Trickbot_c57e344b | Windows | This strike sends a polymorphic malware sample known as Trickbot. Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts. The binary has the timestamp field updated in the PE file header. | c57e344baa928eba318a00f38a934b20 | https://blog.talosintelligence.com/2021/11/threat-roundup-1105-1112.html
SHA256: 531334ca07b877fd892c8fd9ea8359fe61f3351fd2e4f137827fbb531a6deec4
https://attack.mitre.org/techniques/T1099/
PARENTID: M21-MB023
SSDEEP: 12288:lhLFKkDDlOXRHxA78sIiGnwsgQ6uCsS4pwRCg15f8DadcZm:lhFKkDDlOXRRAvIEsjyqe/rf8WdcQ
SHA1: 3b09ccd52e7d0e7bc2aae3f6c03f0c8522f96e58
MD5: c57e344baa928eba318a00f38a934b20
M21-MB02d | Trickbot_90ef6c70 | Windows | This strike sends a malware sample known as Trickbot. Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts. | 90ef6c70c349f6d735351468b95e2681 | https://blog.talosintelligence.com/2021/11/threat-roundup-1105-1112.html
SHA256: a3bf700a4f33a7852820daa9d580c2e9f8a9e21e04670212d64a9a4884ae065c
SHA1: 41206b48a6ea31a787d8c893e488fc6d43fc7522
MD5: 90ef6c70c349f6d735351468b95e2681
M21-MB055 | Trickbot_06154c88 | Windows | This strike sends a polymorphic malware sample known as Trickbot. Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts. The binary has the timestamp field updated in the PE file header. | 06154c88f3a599cc261ecf19c4c69454 | https://blog.talosintelligence.com/2021/11/threat-roundup-1105-1112.html
SHA256: b76069ee6f291b3f8c6407ca17a6187d7fd2189bac43e5d571a86b173abb1ad9
https://attack.mitre.org/techniques/T1099/
PARENTID: M21-MB011
SSDEEP: 12288:HhLFKkDDlOXRHxA78sIiGnwsgQ6uCsS4Esm5i0bN:HhFKkDDlOXRRAvIEsjyqEsm5i0bN
SHA1: 23c4cab9f666a8d8d5190e9095d29827df67f642
MD5: 06154c88f3a599cc261ecf19c4c69454
M21-MB068 | Remcos_cb7772f1 | Windows | This strike sends a polymorphic malware sample known as Remcos. Remcos is a RAT that logs keystrokes, and performs other interactions with the host like capturing screenshots. It is typically delivered via documents with macros in phishing emails. The binary has random strings (lorem ipsum) appended at the end of the file. | cb7772f18d7998fb440e4a7531a1da64 | https://blog.talosintelligence.com/2021/11/threat-roundup-1112-1119.html
SHA256: e32c41384d9a30e1611c892deae49e8f068248a22e62fd9a20fa82c2355a0d08
https://attack.mitre.org/techniques/T1009/
PARENTID: M21-MB005
SSDEEP: 3072:Jz1kdkpUNcsTlxWqEfGBpQ2JyB92mTZP9ds/3HloXsG0XZDZm0YIVE4pC:bkapOJxWqEfGBpQ2JyB92mTZP9dsvoIm
SHA1: d81e24ab643abea5113c3e6764e4363dba6de5b3
MD5: cb7772f18d7998fb440e4a7531a1da64
M21-MB018 | Kuluoz_4e33b0d1 | Windows | This strike sends a malware sample known as Kuluoz. Kuluoz, also called Asprox, is a remote access trojan that has been known to download and execute additional malware like fake antivirus software. | 4e33b0d1758bd93b08eea3da59dc068e | https://blog.talosintelligence.com/2021/11/threat-roundup-1105-1112.html
SHA256: 00e8fa17d90f77afadd8f255dca53b15d7f4c91719452d616b0cf663f9aeea99
SHA1: 1af6f3f61cccff98de4d7511c81e475e9bcb002d
MD5: 4e33b0d1758bd93b08eea3da59dc068e
M21-MB05a | Trickbot_4110c4df | Windows | This strike sends a polymorphic malware sample known as Trickbot. Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts. The binary has been packed using the UPX packer, with the default options. | 4110c4dfe514caf5697ae9509b2934c3 | https://blog.talosintelligence.com/2021/11/threat-roundup-1105-1112.html
SHA256: 8db0d8d57b92bd377d686f978d347128bb0ab41c7c20d806d14b30bfedc5525d
https://attack.mitre.org/techniques/T1045/
PARENTID: M21-MB023
SSDEEP: 12288:k7rV34EUl9TJIvGB+cD6MitGmdRHwRCg15f8DadcZm:k7rVI971OGB7pity/rf8WdcQ
SHA1: 96254f65378c6d22ce110e92a88e9d52c728db5a
MD5: 4110c4dfe514caf5697ae9509b2934c3
M21-MB003 | Swisyn_0bbf4eeb | Windows | This strike sends a malware sample known as Swisyn. Swisyn is a loader that installs malicious software on the system, including remote access tool functionality, allowing the controller to perform any malicious action. | 0bbf4eeb3156b94827c8aecff920cf4e | https://blog.talosintelligence.com/2021/11/threat-roundup-1112-1119.html
SHA256: 422a0f8315b7feafd2cf278a5033f1b19ae24a7dece95494785ee19507774bf8
SHA1: 502f666a5836268e0962732ba589b73a45381276
MD5: 0bbf4eeb3156b94827c8aecff920cf4e
M21-MB059 | Remcos_3798b258 | Windows | This strike sends a polymorphic malware sample known as Remcos. Remcos is a RAT that logs keystrokes, and performs other interactions with the host like capturing screenshots. It is typically delivered via documents with macros in phishing emails. The binary has the timestamp field updated in the PE file header. | 3798b25824964c133494cb323d6f8e44 | https://blog.talosintelligence.com/2021/11/threat-roundup-1112-1119.html
SHA256: 0220e5bd07491f0e3ddc443dccda5ae7ee8e6f95f4c664724f2b4ad07b185322
https://attack.mitre.org/techniques/T1099/
PARENTID: M21-MB037
SSDEEP: 3072:zqvw04zMT7ZXS3HdEnpTXnxWqEfGBpQ2JyB92mTZP9dsjEhlNX+iAWZJ5W+1VhNA:GvwtzMT7ZXaHdo1XnxWqEfGBpQ2JyB9z
SHA1: 76557e56ade522739e9db96ef1b6e0bfed10f255
MD5: 3798b25824964c133494cb323d6f8e44
M21-MB054 | Trickbot_06071333 | Windows | This strike sends a polymorphic malware sample known as Trickbot. Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts. The binary has a random section name renamed according to the PE format specification. | 06071333ff6320ebdbb5ad09ccace217 | https://blog.talosintelligence.com/2021/11/threat-roundup-1105-1112.html
SHA256: ff8c8668895b5c06819d26e5b890310174ac45692e293dea53ecd4cd4128ffd6
https://arxiv.org/abs/1801.08917
PARENTID: M21-MB049
SSDEEP: 12288:AHUzoSmkrkZbuXRokz2vhhTEj+NrTe2NXOy8:AH2oSmkrkZ6XR3z2vhF/BOy8
SHA1: da1607b50cf13719b0dc399d0cdec7e2d9fa433f
MD5: 06071333ff6320ebdbb5ad09ccace217
M21-MB069 | Remcos_d51f3fb7 | Windows | This strike sends a polymorphic malware sample known as Remcos. Remcos is a RAT that logs keystrokes, and performs other interactions with the host like capturing screenshots. It is typically delivered via documents with macros in phishing emails. The binary has been packed using the UPX packer, with the default options. | d51f3fb7d1a86142f95423241b76abf8 | https://blog.talosintelligence.com/2021/11/threat-roundup-1112-1119.html
SHA256: 8a58baf789ce2ec24f592f9041d46d46f4e44b0ec83d9d38d7b733093eef6897
https://attack.mitre.org/techniques/T1045/
PARENTID: M21-MB005
SSDEEP: 1536:QcsrK5Ms435F0A0eFLvN8W1peHTK4J+Ah:QcsrK5MsCZNvpeHTZxh
SHA1: dba27a982168b931b12135128bfab2bd9d0d4c60
MD5: d51f3fb7d1a86142f95423241b76abf8
M21-MB03b | Kuluoz_c6f79921 | Windows | This strike sends a malware sample known as Kuluoz. Kuluoz, also called Asprox, is a remote access trojan that has been known to download and execute additional malware like fake antivirus software. | c6f7992199f83d089e6c108b6b0896ff | https://blog.talosintelligence.com/2021/11/threat-roundup-1105-1112.html
SHA256: 50fd2544836d5623d86f94307583fe7a4c88b11cdaa84f3f6b5a03a8631e8c0a
SHA1: 891099c424dfb3cc6b87137267330bb2353fdcdd
MD5: c6f7992199f83d089e6c108b6b0896ff
M21-MB066 | Trickbot_c5382471 | Windows | This strike sends a polymorphic malware sample known as Trickbot. Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts. The binary has random strings (lorem ipsum) appended at the end of the file. | c53824718379f0e3cf0844a6ad8cee2a | https://blog.talosintelligence.com/2021/11/threat-roundup-1105-1112.html
SHA256: 2919a01139444dadb1c3527f95f3649fd3453316ab91ca562721b62ac9bf9988
https://attack.mitre.org/techniques/T1009/
PARENTID: M21-MB049
SSDEEP: 12288:jHUzoSmkrkZbuXRokz2vhhTEj+NrTe2NXOy8s:jH2oSmkrkZ6XR3z2vhF/BOy8s
SHA1: b7f90047d2835207102fda20d9ac8eee6a5cf055
MD5: c53824718379f0e3cf0844a6ad8cee2a
M21-MB025 | Remcos_78d368e7 | Windows | This strike sends a malware sample known as Remcos. Remcos is a RAT that logs keystrokes, and performs other interactions with the host like capturing screenshots. It is typically delivered via documents with macros in phishing emails. | 78d368e75f05884ee1bc41eaae669a5d | https://blog.talosintelligence.com/2021/11/threat-roundup-1112-1119.html
SHA256: 83abc3d26ce461e8fbedade06fb4cdc677e24696cca810303ff44f51c53d71e0
SHA1: 73a1b855afa51f121c212552b56b4e617b93ba60
MD5: 78d368e75f05884ee1bc41eaae669a5d
M21-MB05c | Remcos_451e8bc3 | Windows | This strike sends a polymorphic malware sample known as Remcos. Remcos is a RAT that logs keystrokes, and performs other interactions with the host like capturing screenshots. It is typically delivered via documents with macros in phishing emails. The binary has the timestamp field updated in the PE file header. | 451e8bc36e5cc304223cd137651a2ed8 | https://blog.talosintelligence.com/2021/11/threat-roundup-1112-1119.html
SHA256: 6a6067a557d6de6be5ae74b08aad57792cfadab59340def6a06235c856a40ca8
https://attack.mitre.org/techniques/T1099/
PARENTID: M21-MB005
SSDEEP: 3072:cz1kdkpUNcsTlxWqEfGBpQ2JyB92mTZP9ds/3HloXsG0XZDZm0YIVE4p:wkapOJxWqEfGBpQ2JyB92mTZP9dsvoIN
SHA1: 437c89a5163a25567bc377898f35a48aecf35eea
MD5: 451e8bc36e5cc304223cd137651a2ed8
M21-MB061 | Trickbot_76f47ca7 | Windows | This strike sends a polymorphic malware sample known as Trickbot. Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts. The binary has random strings (lorem ipsum) appended at the end of the file. | 76f47ca74627e26f8ddfdd9add7d9042 | https://blog.talosintelligence.com/2021/11/threat-roundup-1105-1112.html
SHA256: 34694baa80cc2685eb698be6b5b6367e5d1602ef8ae04989adb93182ec6127ca
https://attack.mitre.org/techniques/T1009/
PARENTID: M21-MB011
SSDEEP: 12288:chLFKkDDlOXRHxA78sIiGnwsgQ6uCsS4Esm5i0bs:chFKkDDlOXRRAvIEsjyqEsm5i0bs
SHA1: b66aee51693fa3bc1107e1251c5d5a03210e3470
MD5: 76f47ca74627e26f8ddfdd9add7d9042
M21-MB045 | Trickbot_de14d450 | Windows | This strike sends a malware sample known as Trickbot. Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts. | de14d450a6ce8140bbd5db0f62e38f94 | https://blog.talosintelligence.com/2021/11/threat-roundup-1105-1112.html
SHA256: a412aa575f67c189ea62191942acbe30db28548f2a900019c8a3368ce8d3ec81
SHA1: 03ad0de9c8cb3eb13d39e9f823bd7644e466de4e
MD5: de14d450a6ce8140bbd5db0f62e38f94
M21-MB00a | Kuluoz_1f26d68a | Windows | This strike sends a malware sample known as Kuluoz. Kuluoz, also called Asprox, is a remote access trojan that has been known to download and execute additional malware like fake antivirus software. | 1f26d68a92fc1c144bc6297e982eba37 | https://blog.talosintelligence.com/2021/11/threat-roundup-1105-1112.html
SHA256: 033755fcc85dad80db7a94ea2dc178dc2cc823fe7b46084fd0ed20645b593290
SHA1: 502211ad1e4417320e9a459b2b8ba73b3d0b7a0b
MD5: 1f26d68a92fc1c144bc6297e982eba37
M21-MB052 | Trickbot_fe4d51a8 | Windows | This strike sends a malware sample known as Trickbot. Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts. | fe4d51a8e7b27afedd8cca6e894b7aab | https://blog.talosintelligence.com/2021/11/threat-roundup-1105-1112.html
SHA256: 442cf13192bc89185839b955a2a21f6a16a1ca028208cb332f930a33367e2814
SHA1: 6e0de0b3715fc943b8fac30cb327efc3c7c35888
MD5: fe4d51a8e7b27afedd8cca6e894b7aab
M21-MB03c | Remcos_c836f9a2 | Windows | This strike sends a malware sample known as Remcos. Remcos is a RAT that logs keystrokes and performs other interactions with the host, such as capturing screenshots. It is typically delivered via macro-enabled documents in phishing emails. | c836f9a28457c02bff3369ee5f1c4c8e | https://blog.talosintelligence.com/2021/11/threat-roundup-1112-1119.html
SHA256: a88a88b707fef354c6dc029a0ea9f95a616371d80702b2fdf756bca6d02fc6a4
SHA1: c9d02e2d4cfdbac319261b33cb160606abe92e51
MD5: c836f9a28457c02bff3369ee5f1c4c8e
M21-MB01d | Kuluoz_65d19829 | Windows | This strike sends a malware sample known as Kuluoz. Kuluoz, also called Asprox, is a remote access trojan that has been known to download and execute additional malware, such as fake antivirus software. | 65d19829875f1513eea13f0bbe2947c8 | https://blog.talosintelligence.com/2021/11/threat-roundup-1105-1112.html
SHA256: 27862adbd6ba16a82915102b7cfbf36f25c7be6b7e0464a7bcd731c9c5c67316
SHA1: 67a3a05cdd81d604a676ecd6b5b30095cc733e3e
MD5: 65d19829875f1513eea13f0bbe2947c8
M21-MB002 | Kuluoz_039cff92 | Windows | This strike sends a malware sample known as Kuluoz. Kuluoz, also called Asprox, is a remote access trojan that has been known to download and execute additional malware, such as fake antivirus software. | 039cff9230fcffba3694edf15ae0a6d9 | https://blog.talosintelligence.com/2021/11/threat-roundup-1105-1112.html
SHA256: 3a36245e815538d2f84d05af6b1d71f81dd9c284cac1c0ceb2145d9f1bb9a7e9
SHA1: 4b60336521a6921e95f142ef128e015239c587fe
MD5: 039cff9230fcffba3694edf15ae0a6d9
M21-MB01e | Remcos_66e37191 | Windows | This strike sends a malware sample known as Remcos. Remcos is a RAT that logs keystrokes and performs other interactions with the host, such as capturing screenshots. It is typically delivered via macro-enabled documents in phishing emails. | 66e3719194f12a5f4636ce5010361d55 | https://blog.talosintelligence.com/2021/11/threat-roundup-1112-1119.html
SHA256: 3dcc4eb394443b54be23c25fec161ea925a303a42e082bf3fa42246ec781a494
SHA1: 38559b060d93a5c1726547faa24d17965343c0c5
MD5: 66e3719194f12a5f4636ce5010361d55
M21-MB015 | Trickbot_42d57d6e | Windows | This strike sends a malware sample known as Trickbot. Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts. | 42d57d6e4462240e0995d9deed584047 | https://blog.talosintelligence.com/2021/11/threat-roundup-1105-1112.html
SHA256: c082233374ed32db6a234c6901cda079466eb9e0746a07c4625c1e68d2ffbccc
SHA1: c6a63098d68d74c9ba4fe527d2b8e458648bf313
MD5: 42d57d6e4462240e0995d9deed584047
M21-MB01f | Remcos_66e4497c | Windows | This strike sends a malware sample known as Remcos. Remcos is a RAT that logs keystrokes and performs other interactions with the host, such as capturing screenshots. It is typically delivered via macro-enabled documents in phishing emails. | 66e4497cda52ee1af35ec3bb0c54070f | https://blog.talosintelligence.com/2021/11/threat-roundup-1112-1119.html
SHA256: af28f875488f17679ca3886d16f53eccc3d0a610f8904ce047dbd3581a9d904e
SHA1: 7e8cf079955074b705ed0b7e89c966f22450bc76
MD5: 66e4497cda52ee1af35ec3bb0c54070f
M21-MB014 | Trickbot_40f7e200 | Windows | This strike sends a malware sample known as Trickbot. Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts. | 40f7e2005a638d80076d9c8b440e8317 | https://blog.talosintelligence.com/2021/11/threat-roundup-1105-1112.html
SHA256: c4c1ced7f088f61260705540b870ffe4e33af54ef4a1e86f1ef5729ef349bb75
SHA1: 8ea13028701d9ca6b6bb7ad5c457acc7a1d98801
MD5: 40f7e2005a638d80076d9c8b440e8317
M21-MB01a | Swisyn_5dbec059 | Windows | This strike sends a malware sample known as Swisyn. Swisyn is a loader that installs malicious software on the system, including remote access tool functionality, allowing the controller to perform any malicious action. | 5dbec059892d83ce640453b4696187eb | https://blog.talosintelligence.com/2021/11/threat-roundup-1112-1119.html
SHA256: 26b847b9d63e7293e69bc8e98737441b4ee86b9f03bbec2ee7fd8d00fb1586d8
SHA1: e12c51e5012441edbc0feee989a61d249e96207b
MD5: 5dbec059892d83ce640453b4696187eb
M21-MB00e | Kuluoz_291eb74d | Windows | This strike sends a malware sample known as Kuluoz. Kuluoz, also called Asprox, is a remote access trojan that has been known to download and execute additional malware, such as fake antivirus software. | 291eb74d506802c09985eefcd7b55f43 | https://blog.talosintelligence.com/2021/11/threat-roundup-1105-1112.html
SHA256: 3ca7c310670af06b7e57e5317283e03c2aa630b72f2d99f93734d960bf19040b
SHA1: ce01696570bebd9ef4f7d2f64e5738ab89a59d4a
MD5: 291eb74d506802c09985eefcd7b55f43
M21-MB00f | Trickbot_2e207b8b | Windows | This strike sends a malware sample known as Trickbot. Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts. | 2e207b8b85296c23051cd185a936228f | https://blog.talosintelligence.com/2021/11/threat-roundup-1105-1112.html
SHA256: 2413d734d5844c4bda1641d3a06669c6918f22308f45fef63e0b3a3d32c815a6
SHA1: fe8a37e600d72439b8373b2a258bdf9356f2b46d
MD5: 2e207b8b85296c23051cd185a936228f
M21-MB009 | Kuluoz_1d5c1d91 | Windows | This strike sends a malware sample known as Kuluoz. Kuluoz, also called Asprox, is a remote access trojan that has been known to download and execute additional malware, such as fake antivirus software. | 1d5c1d91765a64808c6ee8452b3ad55e | https://blog.talosintelligence.com/2021/11/threat-roundup-1105-1112.html
SHA256: 04c74fa81fdd718c985fde6a502f1ed93a0d34255dc21b546fcc25425da9f31e
SHA1: d278e6c4952919cdf39b2ece5161605039499e4b
MD5: 1d5c1d91765a64808c6ee8452b3ad55e
M21-MB004 | Remcos_0bdcea75 | Windows | This strike sends a malware sample known as Remcos. Remcos is a RAT that logs keystrokes and performs other interactions with the host, such as capturing screenshots. It is typically delivered via macro-enabled documents in phishing emails. | 0bdcea756c30f97ad5181bd29bbb032a | https://blog.talosintelligence.com/2021/11/threat-roundup-1112-1119.html
SHA256: 54ba2cac83253cb5c7944bb31fbac74df60ca8beb12641efedb244a6167eeebe
SHA1: a14592e24ad8ad1e0e8d6cf1db58540358f08982
MD5: 0bdcea756c30f97ad5181bd29bbb032a
M21-MB035 | Remcos_b8215d5a | Windows | This strike sends a malware sample known as Remcos. Remcos is a RAT that logs keystrokes and performs other interactions with the host, such as capturing screenshots. It is typically delivered via macro-enabled documents in phishing emails. | b8215d5a8fbe30b59212bdde97e70c73 | https://blog.talosintelligence.com/2021/11/threat-roundup-1112-1119.html
SHA256: d826a201446c0767ceee153350aab548ed53eb1090ebd0c749e50f5ac9a58ae7
SHA1: 6315a8ade01f60dcb57a5bef9c2e95975eaef616
MD5: b8215d5a8fbe30b59212bdde97e70c73
M21-MB05d | Trickbot_4b92c81d | Windows | This strike sends a polymorphic malware sample known as Trickbot. Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts. The binary has one section renamed to a random name that still conforms to the PE format specification. | 4b92c81d68490a386f0b75722125c5d9 | https://blog.talosintelligence.com/2021/11/threat-roundup-1105-1112.html
SHA256: 1da7de19f0cc048af6e5c92982307996b2665213bc3e4f6ecbdecb0c0865ab25
https://arxiv.org/abs/1801.08917
PARENTID: M21-MB011
SSDEEP: 12288:HhLFKkDDlOXRHxA78sIiGnwsgQ6uCsS4Esm5i0bN:HhFKkDDlOXRRAvIEsjyqEsm5i0bN
SHA1: 1432244469b256f08623497fea0c202d08b8df70
MD5: 4b92c81d68490a386f0b75722125c5d9
M21-MB04f | Remcos_f64bc692 | Windows | This strike sends a malware sample known as Remcos. Remcos is a RAT that logs keystrokes and performs other interactions with the host, such as capturing screenshots. It is typically delivered via macro-enabled documents in phishing emails. | f64bc6923c8051b1cb7e9126c4725bf1 | https://blog.talosintelligence.com/2021/11/threat-roundup-1112-1119.html
SHA256: 1094247cfc3c21cc1d92530ceec27ff222b2726c0adc1f3f3729718c096c9a1b
SHA1: 405246a51ddb0f4ceb801e1736334cc90c88e62d
MD5: f64bc6923c8051b1cb7e9126c4725bf1
M21-MB00d | Swisyn_25a9aeb7 | Windows | This strike sends a malware sample known as Swisyn. Swisyn is a loader that installs malicious software on the system, including remote access tool functionality, allowing the controller to perform any malicious action. | 25a9aeb787c07a0e6a664bf3d40bf5da | https://blog.talosintelligence.com/2021/11/threat-roundup-1112-1119.html
SHA256: 2aa74e8aa589bf82e32e808be028fb01fec3478a5bff7bc00a7add8210327a30
SHA1: 372be182211d0ec126627ea3f552865d39acc778
MD5: 25a9aeb787c07a0e6a664bf3d40bf5da
M21-MB048 | Kuluoz_e4c1130b | Windows | This strike sends a malware sample known as Kuluoz. Kuluoz, also called Asprox, is a remote access trojan that has been known to download and execute additional malware, such as fake antivirus software. | e4c1130b2e0c2b07ddd4ff633be95408 | https://blog.talosintelligence.com/2021/11/threat-roundup-1105-1112.html
SHA256: 656ee6200af32f34de24c591ebb45d5652f30a435ce84abb6c8c04cd91e07500
SHA1: 72447c238a3a0e13a3a2e9c153134bd77a3a687e
MD5: e4c1130b2e0c2b07ddd4ff633be95408
M21-MB03e | Trickbot_ca0235ca | Windows | This strike sends a malware sample known as Trickbot. Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts. | ca0235ca7cf2c01fb3cea65902fa7d1c | https://blog.talosintelligence.com/2021/11/threat-roundup-1105-1112.html
SHA256: d32532cc718758d511caf22a6238049d422c0e12b60a0146a845e760b34e2d1a
SHA1: 3eb65d107e62537cde8db91501446a4787ecab96
MD5: ca0235ca7cf2c01fb3cea65902fa7d1c
M21-MB017 | Kuluoz_4d652077 | Windows | This strike sends a malware sample known as Kuluoz. Kuluoz, also called Asprox, is a remote access trojan that has been known to download and execute additional malware, such as fake antivirus software. | 4d6520775f6625f851647fa3b747743c | https://blog.talosintelligence.com/2021/11/threat-roundup-1105-1112.html
SHA256: 44837ce7705a1c03338d220d186564930bcb1e739af90f04cd415b37b5719b90
SHA1: 486a1769a1cd41d6d131550965829e8bce0cc195
MD5: 4d6520775f6625f851647fa3b747743c
M21-MB006 | Kuluoz_0fec7e00 | Windows | This strike sends a malware sample known as Kuluoz. Kuluoz, also called Asprox, is a remote access trojan that has been known to download and execute additional malware, such as fake antivirus software. | 0fec7e00c7c25b6100c1486bdccc90ae | https://blog.talosintelligence.com/2021/11/threat-roundup-1105-1112.html
SHA256: 1fb1390e6f86cc5eb108a6a38484fa91baf867622e7384d4777b7b12215cab8c
SHA1: 335c0728d579613f50c621dc05d9b2894cd0fc25
MD5: 0fec7e00c7c25b6100c1486bdccc90ae
M21-MB056 | Trickbot_0ac117ff | Windows | This strike sends a polymorphic malware sample known as Trickbot. Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts. The binary has random strings (lorem ipsum) appended at the end of the file. | 0ac117ff4a3932cb4852872f845359ec | https://blog.talosintelligence.com/2021/11/threat-roundup-1105-1112.html
SHA256: ea7b54847db4dc397febac9d7c872908a69f835c5c1b8096ce3af67b75ec14ac
https://attack.mitre.org/techniques/T1009/
PARENTID: M21-MB023
SSDEEP: 12288:chLFKkDDlOXRHxA78sIiGnwsgQ6uCsS4pwRCg15f8DadcZH:chFKkDDlOXRRAvIEsjyqe/rf8WdcZ
SHA1: 5592eb7eea6e7c49f1752f275acd36b1b9b78975
MD5: 0ac117ff4a3932cb4852872f845359ec
M21-MB060 | Remcos_75923cf6 | Windows | This strike sends a polymorphic malware sample known as Remcos. Remcos is a RAT that logs keystrokes and performs other interactions with the host, such as capturing screenshots. It is typically delivered via macro-enabled documents in phishing emails. The binary has one section renamed to a random name that still conforms to the PE format specification. | 75923cf648fa5660efe85589465266f9 | https://blog.talosintelligence.com/2021/11/threat-roundup-1112-1119.html
SHA256: 46cfd15e4017614417bdc4ee53daf2c74fa69f00921e089998378e30abf2817a
https://arxiv.org/abs/1801.08917
PARENTID: M21-MB005
SSDEEP: 3072:Zz1kdkpUNcsTlxWqEfGBpQ2JyB92mTZP9ds/3HloXsG0XZDZm0YIVE4p:rkapOJxWqEfGBpQ2JyB92mTZP9dsvoIN
SHA1: a19a5967a59071ff1fa673fcfe541eee222bc4c0
MD5: 75923cf648fa5660efe85589465266f9
M21-MB04a | Remcos_e6423276 | Windows | This strike sends a malware sample known as Remcos. Remcos is a RAT that logs keystrokes and performs other interactions with the host, such as capturing screenshots. It is typically delivered via macro-enabled documents in phishing emails. | e6423276771b55ea6c6fe28880a9a31d | https://blog.talosintelligence.com/2021/11/threat-roundup-1112-1119.html
SHA256: d9646a5d9e2ac0eb2a28dfd33d900d0b7559d4879854fc454c74ab9f59ea934f
SHA1: cc9e81ae0ec9ddd7c14372ff3a2f3fb753ceb7c6
MD5: e6423276771b55ea6c6fe28880a9a31d
M21-MB05b | Remcos_439ef69b | Windows | This strike sends a polymorphic malware sample known as Remcos. Remcos is a RAT that logs keystrokes and performs other interactions with the host, such as capturing screenshots. It is typically delivered via macro-enabled documents in phishing emails. The binary has one section renamed to a random name that still conforms to the PE format specification. | 439ef69b62fefbe0324b799782f6ab7f | https://blog.talosintelligence.com/2021/11/threat-roundup-1112-1119.html
SHA256: 7a5b6df88f2a68c34bc698726ba993546306d03ede9b96c6ece4b6431c7f822b
https://arxiv.org/abs/1801.08917
PARENTID: M21-MB037
SSDEEP: 3072:sqvw04zMT7ZXS3HdEnpTXnxWqEfGBpQ2JyB92mTZP9dsjEhlNX+iAWZJ5W+1VhNA:BvwtzMT7ZXaHdo1XnxWqEfGBpQ2JyB9z
SHA1: 46f1fb39d15847977ff37c6a43dedd99fdc6f0eb
MD5: 439ef69b62fefbe0324b799782f6ab7f
M21-MB038 | Trickbot_bd704697 | Windows | This strike sends a malware sample known as Trickbot. Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts. | bd704697b8fece91346d861844017808 | https://blog.talosintelligence.com/2021/11/threat-roundup-1105-1112.html
SHA256: 967366fbebcf26142423b0df333ea09ae01cc728d5ab54edbcd387030afcccde
SHA1: b365538b81b77dd5a34794b5f5b16f37b91c3441
MD5: bd704697b8fece91346d861844017808
M21-MB023 | Trickbot_7825d484 | Windows | This strike sends a malware sample known as Trickbot. Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts. | 7825d484da37921be1141cde49d1b9c8 | https://blog.talosintelligence.com/2021/11/threat-roundup-1105-1112.html
SHA256: 0295aa15b36df5df2c8beba2e056a50efe5a88bcc8d07adefaf262a54d27ac18
SHA1: d6c81ccd4d40a00d7b79f289435a680c576fe477
MD5: 7825d484da37921be1141cde49d1b9c8
M21-MB020 | Swisyn_6949648f | Windows | This strike sends a malware sample known as Swisyn. Swisyn is a loader that installs malicious software on the system, including remote access tool functionality, allowing the controller to perform any malicious action. | 6949648f8c2740ed5ea0ab9fe95b0326 | https://blog.talosintelligence.com/2021/11/threat-roundup-1112-1119.html
SHA256: 7f7cf8bc35996c89e1a8eb117715108463a72944825e06d8ffb3c1caaf2aa3b9
SHA1: d5c0d195552cac7d6d634f3794e70c8b76a2594d
MD5: 6949648f8c2740ed5ea0ab9fe95b0326
M21-MB029 | Kuluoz_82e0eb26 | Windows | This strike sends a malware sample known as Kuluoz. Kuluoz, also called Asprox, is a remote access trojan that has been known to download and execute additional malware, such as fake antivirus software. | 82e0eb2601aaed8c2c86905f4011a68a | https://blog.talosintelligence.com/2021/11/threat-roundup-1105-1112.html
SHA256: 48179cd3f777d239fb1f14ac8ed1472dd8c9dec65414b92953b5d67faad4f9b7
SHA1: f1d741f2e9dfdef0aae2eae0187aaa56a931805d
MD5: 82e0eb2601aaed8c2c86905f4011a68a
M21-MB058 | Remcos_18eeb788 | Windows | This strike sends a polymorphic malware sample known as Remcos. Remcos is a RAT that logs keystrokes and performs other interactions with the host, such as capturing screenshots. It is typically delivered via macro-enabled documents in phishing emails. The binary has random bytes appended at the end of the file. | 18eeb7888348eafcffa5024cec82b279 | https://blog.talosintelligence.com/2021/11/threat-roundup-1112-1119.html
SHA256: 62dab8b76964311641c8beb9cbd298797a13d1a14d32601a8547bea3d9f804d2
https://attack.mitre.org/techniques/T1009/
PARENTID: M21-MB005
SSDEEP: 3072:Jz1kdkpUNcsTlxWqEfGBpQ2JyB92mTZP9ds/3HloXsG0XZDZm0YIVE4pa:bkapOJxWqEfGBpQ2JyB92mTZP9dsvoIe
SHA1: 3a7d792190999cd2b779ae3221648f724135ec0a
MD5: 18eeb7888348eafcffa5024cec82b279
M21-MB041 | Trickbot_ce9ffaf0 | Windows | This strike sends a malware sample known as Trickbot. Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts. | ce9ffaf024b3279572607c8512dbd1a0 | https://blog.talosintelligence.com/2021/11/threat-roundup-1105-1112.html
SHA256: 4bb1d3c102a9319ee88afed519dea172735f763b55859085ca0a145ceeee6b82
SHA1: 40319c8f0552ec7672153dfd5a1b218d90c22325
MD5: ce9ffaf024b3279572607c8512dbd1a0
M21-MB03f | Remcos_cbca03f7 | Windows | This strike sends a malware sample known as Remcos. Remcos is a RAT that logs keystrokes and performs other interactions with the host, such as capturing screenshots. It is typically delivered via macro-enabled documents in phishing emails. | cbca03f7d4b73b42caf9d613050dc414 | https://blog.talosintelligence.com/2021/11/threat-roundup-1112-1119.html
SHA256: 3cc8a5d01c2700633580b4b2613fb7199081aa3242d1dcbcda273e582f018fbf
SHA1: 00e9f27037ec5ae3ca13294c97411a42be730d86
MD5: cbca03f7d4b73b42caf9d613050dc414
M21-MB026 | Swisyn_7954f536 | Windows | This strike sends a malware sample known as Swisyn. Swisyn is a loader that installs malicious software on the system, including remote access tool functionality, allowing the controller to perform any malicious action. | 7954f536503d9016dadaf9ae06f5a5ef | https://blog.talosintelligence.com/2021/11/threat-roundup-1112-1119.html
SHA256: 59a5fb406458285dd568918fea5b9f04cee62550035c57fdf27b03266e7f6ae1
SHA1: 30e6ca3555876520b41955a9a1929d13ea16f311
MD5: 7954f536503d9016dadaf9ae06f5a5ef
M21-MB032 | Remcos_abdd03ce | Windows | This strike sends a malware sample known as Remcos. Remcos is a RAT that logs keystrokes and performs other interactions with the host, such as capturing screenshots. It is typically delivered via macro-enabled documents in phishing emails. | abdd03cef2d854d4caa2b633d633bfe1 | https://blog.talosintelligence.com/2021/11/threat-roundup-1112-1119.html
SHA256: 0372c4577e460311ff3ab589fca7377f9f7aec6f1c00006eacf470fdef8baee2
SHA1: 5be0858d536bbcfd2d96beb2cc124b27a8f9027d
MD5: abdd03cef2d854d4caa2b633d633bfe1
M21-MB037 | Remcos_baf812e1 | Windows | This strike sends a malware sample known as Remcos. Remcos is a RAT that logs keystrokes and performs other interactions with the host, such as capturing screenshots. It is typically delivered via macro-enabled documents in phishing emails. | baf812e1e971741fb5e0f66611632683 | https://blog.talosintelligence.com/2021/11/threat-roundup-1112-1119.html
SHA256: 082fd3d3e84f4fc56f39e33daef815ec8c7391610e82b06bfe6dec0ad3e9f899
SHA1: 535c7c77f59076298b7421047e0aecde252b2078
MD5: baf812e1e971741fb5e0f66611632683
M21-MB028 | Trickbot_81a23fec | Windows | This strike sends a malware sample known as Trickbot. Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts. | 81a23fec84b88a2a03d9275e0e234ca4 | https://blog.talosintelligence.com/2021/11/threat-roundup-1105-1112.html
SHA256: cd133a17f8aeaa36f510595c5fc11e22fb40fbb88150fab1971d1094e75e7611
SHA1: c51e762b15ad8f69645448ec9813e80b5e0ab9b9
MD5: 81a23fec84b88a2a03d9275e0e234ca4
M21-MB046 | Remcos_e3eb514a | Windows | This strike sends a malware sample known as Remcos. Remcos is a RAT that logs keystrokes and performs other interactions with the host, such as capturing screenshots. It is typically delivered via macro-enabled documents in phishing emails. | e3eb514abb6b01dac51031b00c9426b8 | https://blog.talosintelligence.com/2021/11/threat-roundup-1112-1119.html
SHA256: b4c74c0a33b127033fa1d807c13740a943c23cf3a3a20c9b0491968c63112fa6
SHA1: 3ca79c1b65d9de5bd518f390d66b932af06a995b
MD5: e3eb514abb6b01dac51031b00c9426b8
M21-MB06b | Trickbot_f41121eb | Windows | This strike sends a polymorphic malware sample known as Trickbot. Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts. The binary has one section renamed to a random name that still conforms to the PE format specification. | f41121eb8348e32778f16d1866a71409 | https://blog.talosintelligence.com/2021/11/threat-roundup-1105-1112.html
SHA256: dc64d78cc1e6e45622f6559e47482432d6d29f5dbbe479b0ceb8e58be3a7e256
https://arxiv.org/abs/1801.08917
PARENTID: M21-MB023
SSDEEP: 12288:qhLFKkDDlOXRHxA78sIiGnwsgQ6uCsS4pwRCg15f8DadcZm:qhFKkDDlOXRRAvIEsjyqe/rf8WdcQ
SHA1: 9a3dced3929332f076e9e34d65fbec883948c3d8
MD5: f41121eb8348e32778f16d1866a71409
M21-MB05f | Trickbot_68579257 | Windows | This strike sends a polymorphic malware sample known as Trickbot. Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts. The binary has the timestamp field updated in the PE file header. | 68579257c3a277be06202b8568e6dae7 | https://blog.talosintelligence.com/2021/11/threat-roundup-1105-1112.html
SHA256: ae8e0c256dd02bd7e06108df35a725ffc917eaaf58a92f7fcaaecfb50a046f22
https://attack.mitre.org/techniques/T1099/
PARENTID: M21-MB049
SSDEEP: 12288:gHUzoSmkrkZbuXRokz2vhhTEj+NrTe2NXOy8:gH2oSmkrkZ6XR3z2vhF/BOy8
SHA1: 0c24c6ebf3383b5812e1567d3d651b76e37c5b17
MD5: 68579257c3a277be06202b8568e6dae7
M21-MB047 | Kuluoz_e492fc18 | Windows | This strike sends a malware sample known as Kuluoz. Kuluoz, also called Asprox, is a remote access trojan that has been known to download and execute additional malware, such as fake antivirus software. | e492fc1829fdd76ba7a8a0092f0a8b2a | https://blog.talosintelligence.com/2021/11/threat-roundup-1105-1112.html
SHA256: 000bea950f66052cf937547d1f18bc47a1c6ff6d2d7d03bc09d60aa9c9b1c770
SHA1: e82651c2c99477a0de721e9f81fc046cc69eb7d3
MD5: e492fc1829fdd76ba7a8a0092f0a8b2a
M21-MB064 | Trickbot_c28b0c2c | Windows | This strike sends a polymorphic malware sample known as Trickbot. Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts. The binary has one or more imports added to its import table. | c28b0c2ce985e674ee49551f0bd9647b | https://blog.talosintelligence.com/2021/11/threat-roundup-1105-1112.html
SHA256: 990fc82a8c58c1e876577685c8a072aef2f75a97a3119b58e0b940afdf5c1cf4
https://arxiv.org/abs/1702.05983
PARENTID: M21-MB011
SSDEEP: 12288:XhLFKkDDlOXRHxA78sIiGnwsgQ6uCsS4msm5i0bN:XhFKkDDlOXRRAvIEsjyqmsm5i0bN
SHA1: 3a0dcfac6f8f0a29dcc8c97d89dacd4560992dc8
MD5: c28b0c2ce985e674ee49551f0bd9647b
M21-MB011 | Trickbot_30559bfb | Windows | This strike sends a malware sample known as Trickbot. Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts. | 30559bfb94b2a673067d6dfbb21d42c0 | https://blog.talosintelligence.com/2021/11/threat-roundup-1105-1112.html
SHA256: 157958a490ec7591a3318c783691ce26e8f525f5c88367341cbfa5aca577586e
SHA1: 8f22b7aa4e5c3bfdb76ac0ed15b14650c395b226
MD5: 30559bfb94b2a673067d6dfbb21d42c0
M21-MB02e | Kuluoz_93793281 | Windows | This strike sends a malware sample known as Kuluoz. Kuluoz, also called Asprox, is a remote access trojan that has been known to download and execute additional malware, such as fake antivirus software. | 937932817fad19389760ab3a9880d0fe | https://blog.talosintelligence.com/2021/11/threat-roundup-1105-1112.html
SHA256: 40023d8e643d0c49199f1d34beb4c79856f30cc155ff8f93300b9cca70affb0c
SHA1: d437cb978dde4faac96e2840d6d237f2fc2743b2
MD5: 937932817fad19389760ab3a9880d0fe
M21-MB039 | Remcos_bde02894 | Windows | This strike sends a malware sample known as Remcos. Remcos is a RAT that logs keystrokes and performs other interactions with the host, such as capturing screenshots. It is typically delivered via macro-enabled documents in phishing emails. | bde0289473fa5ed70ff343254bbb5c76 | https://blog.talosintelligence.com/2021/11/threat-roundup-1112-1119.html
SHA256: af67aa98f71ce8f9f4b467bc6f280b9c86147bbbfe0125bb0e6c75f4dd0ec7db
SHA1: 3bbe10236198ff73834f53501870f02c703867e1
MD5: bde0289473fa5ed70ff343254bbb5c76
M21-MB062 | Remcos_a902c80f | Windows | This strike sends a polymorphic malware sample known as Remcos. Remcos is a RAT that logs keystrokes and performs other interactions with the host, such as capturing screenshots. It is typically delivered via macro-enabled documents in phishing emails. The binary has random strings (lorem ipsum) appended at the end of the file. | a902c80fcb532b5baf357a4b6a6583ec | https://blog.talosintelligence.com/2021/11/threat-roundup-1112-1119.html
SHA256: db1752b31c31178fd4d0d2639321adef67b143d8f58959bbf13784668026ccb1
https://attack.mitre.org/techniques/T1009/
PARENTID: M21-MB037
SSDEEP: 3072:lqvw04zMT7ZXS3HdEnpTXnxWqEfGBpQ2JyB92mTZP9dsjEhlNX+iAWZJ5W+1VhNG:UvwtzMT7ZXaHdo1XnxWqEfGBpQ2JyB9K
SHA1: ccf5f4d05024795c736245a4059769eab031b06a
MD5: a902c80fcb532b5baf357a4b6a6583ec
M21-MB043 | Kuluoz_dc03588f | Windows | This strike sends a malware sample known as Kuluoz. Kuluoz, also called Asprox, is a remote access trojan that has been known to download and execute additional malware, such as fake antivirus software. | dc03588f2f3ff5a9797f2ee2e23c1473 | https://blog.talosintelligence.com/2021/11/threat-roundup-1105-1112.html
SHA256: 696629d6b4f9965ec8cf1cc9cefe973f907731e8c6fadd1189413d63f4390b30
SHA1: e0788f6de0095cb9f1dc2cc9cf9e3a89fb469835
MD5: dc03588f2f3ff5a9797f2ee2e23c1473
M21-MB049 | Trickbot_e526b5b1 | Windows | This strike sends a malware sample known as Trickbot. Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts. | e526b5b1a4d463faec53a88294345d62 | https://blog.talosintelligence.com/2021/11/threat-roundup-1105-1112.html
SHA256: 0205f7cb31c95adeab976245edd2808d58a066e39f8bc953a3e10347189f61ca
SHA1: 8f3aebe3db94c04ca64c4ed079106e0610d823c9
MD5: e526b5b1a4d463faec53a88294345d62
M21-MB057 | Trickbot_1238acda | Windows | This strike sends a polymorphic malware sample known as Trickbot. Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts. The binary has random bytes appended at the end of the file. | 1238acda60f0780986850f48f7dd27a3 | https://blog.talosintelligence.com/2021/11/threat-roundup-1105-1112.html
SHA256: 6fa319448ec33366e90ba65105c9744fdbc038a1e3c3f7590e3d1f2692750b79
https://attack.mitre.org/techniques/T1009/
PARENTID: M21-MB049
SSDEEP: 12288:jHUzoSmkrkZbuXRokz2vhhTEj+NrTe2NXOy8a:jH2oSmkrkZ6XR3z2vhF/BOy8a
SHA1: 6d38a788eba6120d41cb07d5e2982165c9885859
MD5: 1238acda60f0780986850f48f7dd27a3
M21-MB022 | Kuluoz_6c605ebf | Windows | This strike sends a malware sample known as Kuluoz. Kuluoz, also called Asprox, is a remote access trojan that has been known to download and execute additional malware, such as fake antivirus software. | 6c605ebf5c50898355ad69027897198f | https://blog.talosintelligence.com/2021/11/threat-roundup-1105-1112.html
SHA256: 64d3d27a53d3cde1729f8897a09aac19557121ede477e4a1d18a86ef33b2d675
SHA1: 77b4bd57ed6efbf4bbf5be064d5a54dbfae57bb7
MD5: 6c605ebf5c50898355ad69027897198f
M21-MB030 | Swisyn_980749e4 | Windows | This strike sends a malware sample known as Swisyn. Swisyn is a loader that installs malicious software on the system, including remote access tool functionality, allowing the controller to perform any malicious action. | 980749e4a0ed0362d66b12a26471e807 | https://blog.talosintelligence.com/2021/11/threat-roundup-1112-1119.html
SHA256: d4da3ff1cc052027bab7ad61dbfc0e5a1b76b638568824de0a2c0c37d5d52133
SHA1: 3f529033256342f7d029a426113703bd9dcfae25
MD5: 980749e4a0ed0362d66b12a26471e807
M21-MB010 | Kuluoz_2ebfec62 | Windows | This strike sends a malware sample known as Kuluoz. Kuluoz, also called Asprox, is a remote access trojan that has been known to download and execute additional malware, such as fake antivirus software. | 2ebfec626dce31ca659db6d32b3baabc | https://blog.talosintelligence.com/2021/11/threat-roundup-1105-1112.html
SHA256: 1ba2d5d15ede307fa5a969eb66654f4d485fc144e370531451c43dc6409737d9
SHA1: 363a02b6f388e8c8a4ebb1094973599556ad1b05
MD5: 2ebfec626dce31ca659db6d32b3baabc
M21-MB065 | Trickbot_c4fb25bb | Windows | This strike sends a polymorphic malware sample known as Trickbot. Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts. The binary has random bytes appended at the end of the file. | c4fb25bb17180a18dd8bd1cb5097f9bb | https://blog.talosintelligence.com/2021/11/threat-roundup-1105-1112.html
SHA256: ae13471fca5cb88c5c1b95b8c61badde2f4ef17cdb6b62010416ca74f020148c
https://attack.mitre.org/techniques/T1009/
PARENTID: M21-MB011
SSDEEP: 12288:chLFKkDDlOXRHxA78sIiGnwsgQ6uCsS4Esm5i0b1:chFKkDDlOXRRAvIEsjyqEsm5i0b1
SHA1: 12577b0123961a7045a1c12847653f3a5b2a8ef9
MD5: c4fb25bb17180a18dd8bd1cb5097f9bb
M21-MB01b | Remcos_5f4b0a0f | Windows | This strike sends a malware sample known as Remcos. Remcos is a RAT that logs keystrokes and performs other interactions with the host, such as capturing screenshots. It is typically delivered via macro-enabled documents in phishing emails. | 5f4b0a0fc9e6d760a09f5b87826e6212 | https://blog.talosintelligence.com/2021/11/threat-roundup-1112-1119.html
SHA256: a50fc8cfea747c35e62bc8639a07a33d4d184278e3f9cea036e1c54d9a4d5fdd
SHA1: b5a13cc21a2d564f036c56d6b01e588277005dfe
MD5: 5f4b0a0fc9e6d760a09f5b87826e6212
M21-MB051 | Trickbot_f8a79cd8 | Windows | This strike sends a malware sample known as Trickbot. Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts. | f8a79cd887e6074e77e258bdd86f6913 | https://blog.talosintelligence.com/2021/11/threat-roundup-1105-1112.html
SHA256: bc775c4705a8724ff10e0a946b510017c5e762ea1877a22a1897db34a1e6fabe
SHA1: bf5859cd6857e43f94d9b954f1be83d34b22d6a8
MD5: f8a79cd887e6074e77e258bdd86f6913
M21-MB06c | Trickbot_ffeec37f | Windows | This strike sends a polymorphic malware sample known as Trickbot. Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts. The binary has been packed with UPX using the default options. | ffeec37f8f562ecddf5c61ca964e8a28 | https://blog.talosintelligence.com/2021/11/threat-roundup-1105-1112.html
SHA256: f2abee589be3cf83c27907c029c91179eabc546fec46e08e330c2dc8a7805dd2
https://attack.mitre.org/techniques/T1045/
PARENTID: M21-MB011
SSDEEP: 12288:FuNHyKeZPNH5adAJyCSezQqpcGyzXsm5i0bN:EHW/H5ad5ezQqyGYsm5i0bN
SHA1: d6b3074728e8b162caf4cd36cc219da0e3648198
MD5: ffeec37f8f562ecddf5c61ca964e8a28
M21-MB001 | Trickbot_014f1585 | Windows | This strike sends a malware sample known as Trickbot. Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VBScript files. | 014f15859e3ac522851e19e0b2d2786a | https://blog.talosintelligence.com/2021/11/threat-roundup-1105-1112.html
SHA256: d294e9b17cbda134bfe607cc2e214d2c689c582bc7a94f24588df028814bd928
SHA1: ce38f224fc7a7fc781da8544217da8972bddda89
MD5: 014f15859e3ac522851e19e0b2d2786a
M21-MB042 | Swisyn_d6a8e57a | Windows | This strike sends a malware sample known as Swisyn. Swisyn is a loader that installs malicious software on the system, including remote access tool functionality, allowing the controller to perform any malicious action. | d6a8e57addc7e4c4075435d7b5318364 | https://blog.talosintelligence.com/2021/11/threat-roundup-1112-1119.html
SHA256: 5e28c3f2f8fa2c3a5bfda0f20a1a637aa6440cffb9cfc23301c08d76de31ce97
SHA1: 843b39b883140de918c787afe4ef0e429fee88e5
MD5: d6a8e57addc7e4c4075435d7b5318364
M21-MB044 | Trickbot_dd7c7075 | Windows | This strike sends a malware sample known as Trickbot. Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VBScript files. | dd7c70750e4d8dd50603766b1e8aa184 | https://blog.talosintelligence.com/2021/11/threat-roundup-1105-1112.html
SHA256: 6086f48f02196b9db367b87819e0d4b8ecc381971c63fde3b8dbb871341a2e5a
SHA1: 46574f2ee8f54496e43f59a5d5c63dfd4fc3e6b7
MD5: dd7c70750e4d8dd50603766b1e8aa184
M21-MB03a | Trickbot_c5fd8aa7 | Windows | This strike sends a malware sample known as Trickbot. Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VBScript files. | c5fd8aa7309fd0cc9ad0ecaabbeccade | https://blog.talosintelligence.com/2021/11/threat-roundup-1105-1112.html
SHA256: a36b2cac421b101c599d704dd66407e652cc056e9d58abf52d46b5f8b23f20f1
SHA1: 814aaceb836e465bfcaedcf31a515986e04e1b52
MD5: c5fd8aa7309fd0cc9ad0ecaabbeccade
M21-MB013 | Remcos_35629d91 | Windows | This strike sends a malware sample known as Remcos. Remcos is a RAT that logs keystrokes and performs other interactions with the host, such as capturing screenshots. It is typically delivered via macro-enabled documents in phishing emails. | 35629d91d42d813e3bd6940439fb9ef2 | https://blog.talosintelligence.com/2021/11/threat-roundup-1112-1119.html
SHA256: 1bbc90ce190a6dded22f8b6a4d2495651ec47f0c6e24ba56c3b2c6fea90c7f56
SHA1: d183fc08506b842e39f2b316d5aae30cde3b1215
MD5: 35629d91d42d813e3bd6940439fb9ef2
M21-MB063 | Trickbot_b01b3b95 | Windows | This strike sends a polymorphic malware sample known as Trickbot. Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VBScript files. The binary has been packed using the UPX packer with the default options. | b01b3b951840d8635e5577f901f1ddb8 | https://blog.talosintelligence.com/2021/11/threat-roundup-1105-1112.html
SHA256: 2940d0b7eeeb311a6eba45473908461b0c18a31929db604a92ad51d5a1d44abf
https://attack.mitre.org/techniques/T1045/
PARENTID: M21-MB049
SSDEEP: 6144:yKyFtrQJHaQKKuNTDjL1SlmypHMccbMolyZWsv8K+jGAQtFsl:CtMRKzfn1SdpH+bVQv/A0k
SHA1: a9524745b0ae80063d5210793b1739378770317c
MD5: b01b3b951840d8635e5577f901f1ddb8
M21-MB024 | Trickbot_785973f0 | Windows | This strike sends a malware sample known as Trickbot. Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VBScript files. | 785973f0d3f93c1cbc1909bab2b24231 | https://blog.talosintelligence.com/2021/11/threat-roundup-1105-1112.html
SHA256: ba1ff4f69508562ea2c62a39861c7281176b979e200d1ebb95e32338f936a490
SHA1: 24a0c65b3db44d3c194ad8490bc18d35520b3e4d
MD5: 785973f0d3f93c1cbc1909bab2b24231
M21-MB036 | Remcos_b894f153 | Windows | This strike sends a malware sample known as Remcos. Remcos is a RAT that logs keystrokes and performs other interactions with the host, such as capturing screenshots. It is typically delivered via macro-enabled documents in phishing emails. | b894f153a0709c763352d3fd05c0bb19 | https://blog.talosintelligence.com/2021/11/threat-roundup-1112-1119.html
SHA256: 7a304dc213507863958e88b90bff3d9bfbc334ed92e21f708916ec6dd3c72212
SHA1: 3939a7dd1b1d761626820b9fcd113cc0cf9af30f
MD5: b894f153a0709c763352d3fd05c0bb19
M21-MB031 | Kuluoz_9887fa9e | Windows | This strike sends a malware sample known as Kuluoz. Kuluoz, also called Asprox, is a remote access trojan that has been known to download and execute additional malware, such as fake antivirus software. | 9887fa9e47fed89b74599c387907b794 | https://blog.talosintelligence.com/2021/11/threat-roundup-1105-1112.html
SHA256: 086985abecc0ee9c6b4caa28e74d3190994dbddae40524eb955526ad5be9f067
SHA1: c15e6d20dfa1d4e982756fecb82e97af3c42298d
MD5: 9887fa9e47fed89b74599c387907b794
M21-MB02f | Trickbot_94bedf3b | Windows | This strike sends a malware sample known as Trickbot. Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VBScript files. | 94bedf3bc4df2227f439e7322141fd49 | https://blog.talosintelligence.com/2021/11/threat-roundup-1105-1112.html
SHA256: 7fc8d238f3ff3bd7d77e18111763ac554c2d289643dc077b2253f8ee1d575926
SHA1: 31e29ea9fe500adc367c9b8c8001b7c05c93db24
MD5: 94bedf3bc4df2227f439e7322141fd49
M21-MB04c | Kuluoz_e9431443 | Windows | This strike sends a malware sample known as Kuluoz. Kuluoz, also called Asprox, is a remote access trojan that has been known to download and execute additional malware, such as fake antivirus software. | e9431443b0061f5e1ed3ca59bf265c23 | https://blog.talosintelligence.com/2021/11/threat-roundup-1105-1112.html
SHA256: 42ca7b17fa816bf7dfdee073fd077f2327e31ae15f386c087912757894e2ac0a
SHA1: 47d55e5de7a879366f5401a75d41a24de2af8b36
MD5: e9431443b0061f5e1ed3ca59bf265c23
M21-MB01c | Trickbot_625a79a0 | Windows | This strike sends a malware sample known as Trickbot. Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VBScript files. | 625a79a068b8b3db62e08db1ec21e7f4 | https://blog.talosintelligence.com/2021/11/threat-roundup-1105-1112.html
SHA256: 586126be0b9bf36790dfbd9dea8ceb927df1d4c94745c306e93062aec647b0b0
SHA1: 0ebac8e2cb4d27fc9de14e31fae24b070c45c534
MD5: 625a79a068b8b3db62e08db1ec21e7f4
M21-MB007 | Trickbot_10047340 | Windows | This strike sends a malware sample known as Trickbot. Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VBScript files. | 1004734029c09ec474f332590033643a | https://blog.talosintelligence.com/2021/11/threat-roundup-1105-1112.html
SHA256: 54eec51d0cc063797c45dc68f4a0b4376246893b8c799cabaa62be3b288947b7
SHA1: dd31ef8fb4bc5cfd6e5451700238580e9805b09a
MD5: 1004734029c09ec474f332590033643a
M21-MB050 | Kuluoz_f777c82e | Windows | This strike sends a malware sample known as Kuluoz. Kuluoz, also called Asprox, is a remote access trojan that has been known to download and execute additional malware, such as fake antivirus software. | f777c82e0d45432bef27b57baa74dc48 | https://blog.talosintelligence.com/2021/11/threat-roundup-1105-1112.html
SHA256: 39781b0d4b88226ae7cc4711c9d4724ee9010e9f543be7fbd3d31564d89546dd
SHA1: 7dd9bd97be6962561f39b3d3115624a0188fe37d
MD5: f777c82e0d45432bef27b57baa74dc48
M21-MB021 | Remcos_6aa873ee | Windows | This strike sends a malware sample known as Remcos. Remcos is a RAT that logs keystrokes and performs other interactions with the host, such as capturing screenshots. It is typically delivered via macro-enabled documents in phishing emails. | 6aa873ee68b60704e3d00f5c885a90f7 | https://blog.talosintelligence.com/2021/11/threat-roundup-1112-1119.html
SHA256: 32dcdbac829f1b6607c1581488a6cf95541fba686f5f81c23b9e1e79761a971b
SHA1: c1a1601ce429cf7cb2d4c255325bf408fe69b1d5
MD5: 6aa873ee68b60704e3d00f5c885a90f7
M21-MB012 | Remcos_31bbac78 | Windows | This strike sends a malware sample known as Remcos. Remcos is a RAT that logs keystrokes and performs other interactions with the host, such as capturing screenshots. It is typically delivered via macro-enabled documents in phishing emails. | 31bbac78b447abc5a1138f5b0f3bb1ae | https://blog.talosintelligence.com/2021/11/threat-roundup-1112-1119.html
SHA256: 9f07b7d90dc159c18619741bbbe05a2eb512a53865ba5101ba9f5668ec01c427
SHA1: 50789a694efffdf13bed58cd0173bf9233992036
MD5: 31bbac78b447abc5a1138f5b0f3bb1ae
M21-MB04d | Swisyn_edf4bc30 | Windows | This strike sends a malware sample known as Swisyn. Swisyn is a loader that installs malicious software on the system, including remote access tool functionality, allowing the controller to perform any malicious action. | edf4bc30b9c905890317079156c84fbb | https://blog.talosintelligence.com/2021/11/threat-roundup-1112-1119.html
SHA256: 4e09b8baf48d1342c0c3cac68be48e92afcef53ce8c0bbb6551fb8a0536c0d3b
SHA1: 0a6a42e50ede12a4e51aafb0ad497e03eeb4ca66
MD5: edf4bc30b9c905890317079156c84fbb
M21-MB02b | Trickbot_8a0b7742 | Windows | This strike sends a malware sample known as Trickbot. Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VBScript files. | 8a0b7742d05cd9c6b0584c00d6650d79 | https://blog.talosintelligence.com/2021/11/threat-roundup-1105-1112.html
SHA256: 342477e56614066942a58b31dfb00f2dbaddc041738bde17bb701eb7c2a6c012
SHA1: a5780b2619a41b2c5bc9bd8292f681f97f9506dd
MD5: 8a0b7742d05cd9c6b0584c00d6650d79
M21-MB04b | Remcos_e8ded79a | Windows | This strike sends a malware sample known as Remcos. Remcos is a RAT that logs keystrokes and performs other interactions with the host, such as capturing screenshots. It is typically delivered via macro-enabled documents in phishing emails. | e8ded79af9b2b51bce510aeced4bef18 | https://blog.talosintelligence.com/2021/11/threat-roundup-1112-1119.html
SHA256: 3fc0249dff863f528fe5e4cd17b0a5de1d8228d4e5aa3a154b5bf1806b4e1da0
SHA1: 06fe98353970ee4ff0f8d9f86909db5413f9301d
MD5: e8ded79af9b2b51bce510aeced4bef18
M21-MB05e | Remcos_524d430a | Windows | This strike sends a polymorphic malware sample known as Remcos. Remcos is a RAT that logs keystrokes and performs other interactions with the host, such as capturing screenshots. It is typically delivered via macro-enabled documents in phishing emails. The binary has random bytes appended at the end of the file. | 524d430a8844f33d9a054530d5a14cb2 | https://blog.talosintelligence.com/2021/11/threat-roundup-1112-1119.html
SHA256: 0b9d7e3a8dfd3c35c65298b4cb4b2c7f050282b415c35d17b3c00eac3f09f396
https://attack.mitre.org/techniques/T1009/
PARENTID: M21-MB037
SSDEEP: 3072:lqvw04zMT7ZXS3HdEnpTXnxWqEfGBpQ2JyB92mTZP9dsjEhlNX+iAWZJ5W+1VhN0:UvwtzMT7ZXaHdo1XnxWqEfGBpQ2JyB94
SHA1: 74f8f6383e8bed378e8d99e660df53100bc373fa
MD5: 524d430a8844f33d9a054530d5a14cb2
M21-MB06a | Remcos_e9564e92 | Windows | This strike sends a polymorphic malware sample known as Remcos. Remcos is a RAT that logs keystrokes and performs other interactions with the host, such as capturing screenshots. It is typically delivered via macro-enabled documents in phishing emails. The binary has been packed using the UPX packer with the default options. | e9564e9206c1d3172dec7f0100e4ea5f | https://blog.talosintelligence.com/2021/11/threat-roundup-1112-1119.html
SHA256: 4b40d3e9161b62022172c0c0367ff12a371dc1e2f0b7286127c885d522f524a4
https://attack.mitre.org/techniques/T1045/
PARENTID: M21-MB037
SSDEEP: 1536:A5Ny+Q3IawEpEfUoMmirzIDOWlrR3SUFTQ:1++Iahp8bKzbWlV9
SHA1: de4738da70dc145e5de3d37311542de7099fb1a3
MD5: e9564e9206c1d3172dec7f0100e4ea5f
M21-MB005 | Remcos_0da7c74e | Windows | This strike sends a malware sample known as Remcos. Remcos is a RAT that logs keystrokes and performs other interactions with the host, such as capturing screenshots. It is typically delivered via macro-enabled documents in phishing emails. | 0da7c74ea5d4521529b9c921529082b2 | https://blog.talosintelligence.com/2021/11/threat-roundup-1112-1119.html
SHA256: 151670dc1d668f2c83d8f565cdd1d11b7b6df66fd00b98b7335760b5c8a8f372
SHA1: a0b84e7c2ba0dfbf9cebf8f58ae2770ef459c989
MD5: 0da7c74ea5d4521529b9c921529082b2
M21-MB053 | Trickbot_ffed0c2a | Windows | This strike sends a malware sample known as Trickbot. Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VBScript files. | ffed0c2a620dee39b6ea0148189a291a | https://blog.talosintelligence.com/2021/11/threat-roundup-1105-1112.html
SHA256: 94b83154ffbc39c28cd5a461ad264bb5cea73822d7d1a4ca5471a6ff8b28569c
SHA1: 6002f714fd9b2c729abdf1fb27fb5c9e8ffd5da5
MD5: ffed0c2a620dee39b6ea0148189a291a
M21-MB00b | Remcos_1f768b7d | Windows | This strike sends a malware sample known as Remcos. Remcos is a RAT that logs keystrokes and performs other interactions with the host, such as capturing screenshots. It is typically delivered via macro-enabled documents in phishing emails. | 1f768b7d743917bc837c5c354992181b | https://blog.talosintelligence.com/2021/11/threat-roundup-1112-1119.html
SHA256: d7f219ba7d6878ea3ae04c18c5cba9e7adeb857ba14c39414dd79913ade54053
SHA1: 84bda9161023c6904f38e04d4b785a7a8611ccec
MD5: 1f768b7d743917bc837c5c354992181b
M21-MB027 | Remcos_7faf8334 | Windows | This strike sends a malware sample known as Remcos. Remcos is a RAT that logs keystrokes and performs other interactions with the host, such as capturing screenshots. It is typically delivered via macro-enabled documents in phishing emails. | 7faf83341e5db899efe051b69a718045 | https://blog.talosintelligence.com/2021/11/threat-roundup-1112-1119.html
SHA256: c03b1078cfa67fff8fc51ef2f1289dcb770670ff762022276c40508837088972
SHA1: f4ee4bab8a0ef821ed5130d470efbe9802cb55fe
MD5: 7faf83341e5db899efe051b69a718045

Malware Strikes October - 2021

Strike ID | Malware | Platform | Info | MD5 | External References
M21-al6u1 | Formbook_c1930047 | Windows | This strike sends a malware sample known as Formbook. Formbook is an information stealer that attempts to collect sensitive information from the target. | c1930047f21a89ddfba5a2e2db2d5485 | https://blog.talosintelligence.com/2021/10/threat-roundup-0924-1001.html
SHA256: a1b21077e09e0021aeabaea974f7a304f3b5f89b34bd19eb9045a67451f63f79
SHA1: f7013b3e2a9ee04c2dc392ee50624b76fce4bb86
MD5: c1930047f21a89ddfba5a2e2db2d5485
M21-okj91 | Formbook_09832f42 | Windows | This strike sends a malware sample known as Formbook. Formbook is an information stealer that attempts to collect sensitive information from the target. | 09832f42326e63a715e22cc8c54b0600 | https://blog.talosintelligence.com/2021/10/threat-roundup-0924-1001.html
SHA256: 970a9e6833244c70bef835b3bcdcaca5d4ba325509fd8264f7a901bfd9a1c4c0
SHA1: 0fd078696d89f8290f321974689fa8f331181c97
MD5: 09832f42326e63a715e22cc8c54b0600
M21-hhg01 | QuasarRAT_bc6f3340 | Windows | This strike sends a malware sample known as QuasarRAT. In October 2021, Cisco Talos detected a campaign targeting Afghanistan and India that used malicious RTF documents to deliver malware to its victims. The campaign exploited CVE-2017-11882, a vulnerability in Microsoft Office, to deliver QuasarRAT and dcRAT to Windows and AndroidRAT to mobile devices. This sample is QuasarRAT. | bc6f33402000b952549176b98b8005b5 | https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html
SHA256: b177784454f0880728a9317d058b28976f6206b1de1aaaa82830849be9a7b6ed
SHA1: 9e42be8b66e150b31a456a741358883c265bafd6
MD5: bc6f33402000b952549176b98b8005b5
M21-oxef1 | QuasarRAT_81ea33ae | Windows | This strike sends a polymorphic malware sample known as QuasarRAT. In October 2021, Cisco Talos detected a campaign targeting Afghanistan and India that used malicious RTF documents to deliver malware to its victims. The campaign exploited CVE-2017-11882, a vulnerability in Microsoft Office, to deliver QuasarRAT and dcRAT to Windows and AndroidRAT to mobile devices. This sample is QuasarRAT. The binary has random bytes appended at the end of the file. | 81ea33ae15c07aa80d3329c63e9fb1b5 | https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html
SHA256: c3e71572c1b646c2686ea5c994290c44d171b7f999a174c817e1fc851fedeecf
https://attack.mitre.org/techniques/T1009/
PARENTID: M21-0bw81
SSDEEP: 6144:YxVZBEBzEys5BkB3N4ZU4x4gZFRx6leNGZiq+6pOGbr2HIsSkqIAiwOZLtbNT/YE:WVZ0MEN124gV9O+QljQtB
SHA1: e2ae9c55c28a2008f53b3a07b171150a702bd31f
MD5: 81ea33ae15c07aa80d3329c63e9fb1b5
M21-5nvl1 | Expiro_8080128d | Windows | This strike sends a malware sample known as Expiro. Expiro, also known as Xpiro, is a file infector and information stealer that hinders analysis with anti-debugging and anti-analysis tricks. | 8080128da1c704c1a3ef2f1cd8f7bc2c | https://blog.talosintelligence.com/2021/10/threat-roundup-1015-1022.html
SHA256: 033bd1f617ca2e15357131d1f5fd4e505664bf46e3bb9dcb560c3bf8bf568a17
SHA1: 156155f15155d504cfb57b771adc44c7265ac61b
MD5: 8080128da1c704c1a3ef2f1cd8f7bc2c
M21-6dun1 | LokiBot_deee41bf | Windows | This strike sends a malware sample known as LokiBot. LokiBot is information-stealing malware designed to siphon sensitive information stored on an infected device. It is modular, with the ability to steal sensitive information from a number of popular applications. It is commonly delivered via malicious documents attached to spam emails. | deee41bfad6e302d1a7ceebb22f66abb | https://blog.talosintelligence.com/2021/10/threat-roundup-1001-1008.html
SHA256: 43c427a102f9c7e0ed68e03627bab7f07f59d2079ef19614e4336ddfb08e0b2d
SHA1: 4b31365afc1378797b446c423632c60e0c6cdf3f
MD5: deee41bfad6e302d1a7ceebb22f66abb
M21-rhg21 | QuasarRAT_b7bd6ac3 | Windows | This strike sends a polymorphic malware sample known as QuasarRAT. In October 2021, Cisco Talos detected a campaign targeting Afghanistan and India that used malicious RTF documents to deliver malware to its victims. The campaign exploited CVE-2017-11882, a vulnerability in Microsoft Office, to deliver QuasarRAT and dcRAT to Windows and AndroidRAT to mobile devices. This sample is QuasarRAT. The binary has random bytes appended at the end of the file. | b7bd6ac3f31f11a1330993773294c996 | https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html
SHA256: a0fdaf595211692495e89b66c914796b9af35c5eb40aa3c38acb218efb73cf82
https://attack.mitre.org/techniques/T1009/
PARENTID: M21-8i981
SSDEEP: 6144:wB/P7uwS0bJqgs5A5yb5z+iq+6pOGbr2HIwY27:wpG0d+R2+Qy
SHA1: 10782b35765ad85b277ab5d2b61f58e3739df06e
MD5: b7bd6ac3f31f11a1330993773294c996
M21-z66f1 | QuasarRAT_c5589254 | Windows | This strike sends a polymorphic malware sample known as QuasarRAT. In October 2021, Cisco Talos detected a campaign targeting Afghanistan and India that used malicious RTF documents to deliver malware to its victims. The campaign exploited CVE-2017-11882, a vulnerability in Microsoft Office, to deliver QuasarRAT and dcRAT to Windows and AndroidRAT to mobile devices. This sample is QuasarRAT. The binary has random bytes appended at the end of the file. | c5589254f6eac99eb1f27b2ac71041e2 | https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html
SHA256: d81756d24ad92d3c276b36b999eff732f194a7d88633cdc5412281f7feb197e0
https://attack.mitre.org/techniques/T1009/
PARENTID: M21-xb051
SSDEEP: 6144:g0Aabjn9CZwgNGDlP/qoQd4ub4V1h4JUiq+6pOG0Y2x:g0Rb9uKqoQ6GJE+QG
SHA1: d37cd6ebf2cc087647589795c5b7908f7f1bb11d
MD5: c5589254f6eac99eb1f27b2ac71041e2
M21-0bw81 | QuasarRAT_dc96dcbd | Windows | This strike sends a malware sample known as QuasarRAT. In October 2021, Cisco Talos detected a campaign targeting Afghanistan and India that used malicious RTF documents to deliver malware to its victims. The campaign exploited CVE-2017-11882, a vulnerability in Microsoft Office, to deliver QuasarRAT and dcRAT to Windows and AndroidRAT to mobile devices. This sample is QuasarRAT. | dc96dcbd794bc860f109be49eb740896 | https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html
SHA256: 14a03d84a8e47fb2fc7db25a2c011b58deff2af2bfa4b6c9df0473e1b4e82e5d
SHA1: 3eca7c68bcecaa3d3762a689db980e9de69a4264
MD5: dc96dcbd794bc860f109be49eb740896
M21-i5h81 | QuasarRAT_2c52c5ed | Windows | This strike sends a polymorphic malware sample known as QuasarRAT. In October 2021, Cisco Talos detected a campaign targeting Afghanistan and India that used malicious RTF documents to deliver malware to its victims. The campaign exploited CVE-2017-11882, a vulnerability in Microsoft Office, to deliver QuasarRAT and dcRAT to Windows and AndroidRAT to mobile devices. This sample is QuasarRAT. The binary has the timestamp field updated in the PE file header. | 2c52c5edd47b86f3a6aa21782cd3ec87 | https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html
SHA256: 4ff670ba9d080327d0ed21a4b00b2792c4575e571563453846ffbbff7a729f53
https://attack.mitre.org/techniques/T1099/
PARENTID: M21-chag1
SSDEEP: 6144:aApRn7cBmyt4ffD2fX7rlg20Q9RuXQw8vzlc59Tiq+6pOGtEAjjB5I91PbeOY2:7ppemxDmdxLC95+Q0Sy
SHA1: 108625450c7aaae8801b63bb35b0787254560828
MD5: 2c52c5edd47b86f3a6aa21782cd3ec87
M21-5b2a1 | Formbook_f049eeb6 | Windows | This strike sends a malware sample known as Formbook. Formbook is an information stealer that attempts to collect sensitive information from the target. | f049eeb6a65e3730356fe9f64948fead | https://blog.talosintelligence.com/2021/10/threat-roundup-0924-1001.html
SHA256: d4f68d6197e020ae43c75b2a27fd8b5285c3c7dee32ca1f17a205602ab6cb33a
SHA1: b215f64165e3c5a537c39223f1519d2356cd5e0e
MD5: f049eeb6a65e3730356fe9f64948fead
M21-xl8i1 | LokiBot_353c4d62 | Windows | This strike sends a malware sample known as LokiBot. LokiBot is information-stealing malware designed to siphon sensitive information stored on an infected device. It is modular, with the ability to steal sensitive information from a number of popular applications. It is commonly delivered via malicious documents attached to spam emails. | 353c4d6259b7f63eb1a723d2ee125bb1 | https://blog.talosintelligence.com/2021/10/threat-roundup-1001-1008.html
SHA256: b23f6c80aecb4d77b0968d98e0fb2442d05cec35f4d0850d17c7dfc899ada367
SHA1: ac6c69a73017c4514606647d6a4da011b9e93794
MD5: 353c4d6259b7f63eb1a723d2ee125bb1
M21-sf1e1 | LokiBot_9d420f07 | Windows | This strike sends a malware sample known as LokiBot. LokiBot is information-stealing malware designed to siphon sensitive information stored on an infected device. It is modular, with the ability to steal sensitive information from a number of popular applications. It is commonly delivered via malicious documents attached to spam emails. | 9d420f07ba12c973e525b788c36341a3 | https://blog.talosintelligence.com/2021/10/threat-roundup-1001-1008.html
SHA256: 5dd5ae19ed3633a2cc1f25c7147ed83f689b52c560e501d792c4c04497786974
SHA1: a82c636b0efc06d7a5956c77f7b325eb46594bfb
MD5: 9d420f07ba12c973e525b788c36341a3
M21-oljr1 | Formbook_3e1ffccb | Windows | This strike sends a malware sample known as Formbook. Formbook is an information stealer that attempts to collect sensitive information from the target. | 3e1ffccb84319f3691ca70978d0133da | https://blog.talosintelligence.com/2021/10/threat-roundup-0924-1001.html
SHA256: b05d244488d629ef3c2dc85ada466ffc16afdf0c69bf48453f9df84e6711994f
SHA1: 35ff2608a0a92574260aa61b6c1c453c810455ff
MD5: 3e1ffccb84319f3691ca70978d0133da
M21-abs61 | QuasarRAT_68cc339e | Windows | This strike sends a malware sample known as QuasarRAT. In October 2021, Cisco Talos detected a campaign targeting Afghanistan and India that used malicious RTF documents to deliver malware to its victims. The campaign exploited CVE-2017-11882, a vulnerability in Microsoft Office, to deliver QuasarRAT and dcRAT to Windows and AndroidRAT to mobile devices. This sample is QuasarRAT. | 68cc339ee818164424b8b383149fcad8 | https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html
SHA256: 8a2b422c68afd27e07fa7ca9ba03e3773981bfa46b07a3a5a2f96fc99c153f1e
SHA1: 69f26737639b9f5b485c1a8fee7d6fa7e8676f86
MD5: 68cc339ee818164424b8b383149fcad8
M21-q1nx1 | QuasarRAT_3753a53a | Windows | This strike sends a polymorphic malware sample known as QuasarRAT. In October 2021, Cisco Talos detected a campaign targeting Afghanistan and India that used malicious RTF documents to deliver malware to its victims. The campaign exploited CVE-2017-11882, a vulnerability in Microsoft Office, to deliver QuasarRAT and dcRAT to Windows and AndroidRAT to mobile devices. This sample is QuasarRAT. The binary has random strings (lorem ipsum) appended at the end of the file. | 3753a53aea4d763ce54a0c65ba7382bc | https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html
SHA256: 440f85d1a891a397576e613a7e9746e7b395fbc704db071b79141d1d019f41a3
https://attack.mitre.org/techniques/T1009/
PARENTID: M21-i55u1
SSDEEP: 6144:WBbPpkuPpFOjPDTKRVOoueMByMBtnIQwGup0POu+UOL7v6gz93y9xsaF7Dc673UB:Wrkd38Hp
SHA1: e6efd8c988d7f935443350551090e8a8fb26861a
MD5: 3753a53aea4d763ce54a0c65ba7382bc
M21-jo281 | dcRAT_46614cb5 | Windows | This strike sends a polymorphic malware sample known as dcRAT. In October 2021, Cisco Talos detected a campaign targeting Afghanistan and India that used malicious RTF documents to deliver malware to its victims. The campaign exploited CVE-2017-11882, a vulnerability in Microsoft Office, to deliver QuasarRAT and dcRAT to Windows and AndroidRAT to mobile devices. This sample is dcRAT. The binary has a section renamed to a random name in accordance with the PE format specification. | 46614cb5a9fd99be0b24f4b094698aef | https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html
SHA256: 8c17348b7ec9d015ada0b4b1f3e4e03efc7f83f5b04cb82a0b9c7aa23dd7f869
https://arxiv.org/abs/1801.08917
PARENTID: M21-fesw1
SSDEEP: 1536:+Fn2xjknLg8sYFY8a+xBRS9n9lpx9qgIIPxA9kxbbUhtkL3mtpaBGVclN:4pPH8oh9kxbbU40aBcY
SHA1: 7127356f23af06ada64b2041adb95e9fdd64c816
MD5: 46614cb5a9fd99be0b24f4b094698aef
M21-tswi1 | LokiBot_933cb353 | Windows | This strike sends a malware sample known as LokiBot. LokiBot is information-stealing malware designed to siphon sensitive information stored on an infected device. It is modular, with the ability to steal sensitive information from a number of popular applications. It is commonly delivered via malicious documents attached to spam emails. | 933cb35362f832513bd168c62ef1eb1f | https://blog.talosintelligence.com/2021/10/threat-roundup-1001-1008.html
SHA256: 534bd1f89febfc1ef3854e4da59987896dbd6aae60d2428d7821c49cff1a8a70
SHA1: 03428e5554682feaf2810a7c015f0deaf3e835b4
MD5: 933cb35362f832513bd168c62ef1eb1f
M21-e7zu1 | Expiro_af6d133b | Windows | This strike sends a malware sample known as Expiro. Expiro, also known as Xpiro, is a file infector and information stealer that hinders analysis with anti-debugging and anti-analysis tricks. | af6d133b00f8311005ff302f03e2f93f | https://blog.talosintelligence.com/2021/10/threat-roundup-1015-1022.html
SHA256: 066c9e3c5d45399cb40177bb57d9c9db1e350319622fa7f9013b54e3276ae612
SHA1: d8649c1c5e12d57ab4c76d2999018610c89e6122
MD5: af6d133b00f8311005ff302f03e2f93f
M21-tdtu1 | QuasarRAT_511d30b3 | Windows | This strike sends a polymorphic malware sample known as QuasarRAT. In October 2021, Cisco Talos detected a campaign targeting Afghanistan and India that used malicious RTF documents to deliver malware to its victims. The campaign exploited CVE-2017-11882, a vulnerability in Microsoft Office, to deliver QuasarRAT and dcRAT to Windows and AndroidRAT to mobile devices. This sample is QuasarRAT. The binary has random strings (lorem ipsum) appended at the end of the file. | 511d30b3170d515982d85451255f2482 | https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html
SHA256: a3cfc908fc41ef0b16c49522e87a5787b06e0daa0109e856edaef6c9cf7c336e
https://attack.mitre.org/techniques/T1009/
PARENTID: M21-0bw81
SSDEEP: 6144:YxVZBEBzEys5BkB3N4ZU4x4gZFRx6leNGZiq+6pOGbr2HIsSkqIAiwOZLtbNT/Yr:WVZ0MEN124gV9O+QljQtG
SHA1: ab8ab0cb2a6feb90715ff4c09d085aab44de06e6
MD5: 511d30b3170d515982d85451255f2482
M21-xb051 | QuasarRAT_1777246d | Windows | This strike sends a malware sample known as QuasarRAT. In October 2021, Cisco Talos detected a campaign targeting Afghanistan and India that used malicious RTF documents to deliver malware to its victims. The campaign exploited CVE-2017-11882, a vulnerability in Microsoft Office, to deliver QuasarRAT and dcRAT to Windows and AndroidRAT to mobile devices. This sample is QuasarRAT. | 1777246de3428b757c2e4d4e9052b3e8 | https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html
SHA256: 147fb17fc4a0255095c243634dc6813ad63f7ab0089f7e4193eb2cd15f02c08a
SHA1: 184f012720beade07aab04415faa6a3a808f501d
MD5: 1777246de3428b757c2e4d4e9052b3e8
M21-zeta1 | QuasarRAT_056650c9 | Windows | This strike sends a polymorphic malware sample known as QuasarRAT. In October 2021, Cisco Talos detected a campaign targeting Afghanistan and India that used malicious RTF documents to deliver malware to its victims. The campaign exploited CVE-2017-11882, a vulnerability in Microsoft Office, to deliver QuasarRAT and dcRAT to Windows and AndroidRAT to mobile devices. This sample is QuasarRAT. The binary has a section renamed to a random name in accordance with the PE format specification. | 056650c9d1938bd86d574771509a2abf | https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html
SHA256: 7bf7e92172075483b3afaa3cebc3644848d870a5921d9c5cf4951446a420fdf9
https://arxiv.org/abs/1801.08917
PARENTID: M21-0bw81
SSDEEP: 6144:vxVZBEBzEys5BkB3N4ZU4x4gZFRx6leNGZiq+6pOGbr2HIsSkqIAiwOZLtbNT/Y2:pVZ0MEN124gV9O+QljQt
SHA1: 2d55566893d7830ea9f1bcedce33f20345c5b3b4
MD5: 056650c9d1938bd86d574771509a2abf
M21-x0m41 | QuasarRAT_85bb3da3 | Windows | This strike sends a polymorphic malware sample known as QuasarRAT. In October 2021, Cisco Talos detected a campaign targeting Afghanistan and India that used malicious RTF documents to deliver malware to its victims. The campaign exploited CVE-2017-11882, a vulnerability in Microsoft Office, to deliver QuasarRAT and dcRAT to Windows and AndroidRAT to mobile devices. This sample is QuasarRAT. The binary has random bytes appended at the end of the file. | 85bb3da33068aa8b38124344ffc9b19b | https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html
SHA256: 683acbd05662491fe914eba99c968fd4c1afa5eb3e4567d40e0b790e68a1e897
https://attack.mitre.org/techniques/T1009/
PARENTID: M21-5op71
SSDEEP: 6144:f0Aabjn9CZMRyZeEvNybqo4pv4ubbqjh4JUiq+6pOG3Y25:f0RbRReNybqoUvxJE+Qh
SHA1: b89b33eb87ff21fc933e573098da8e9109d85d2e
MD5: 85bb3da33068aa8b38124344ffc9b19b
M21-fesw1 | dcRAT_37255857 | Windows | This strike sends a malware sample known as dcRAT. In October 2021, Cisco Talos detected a campaign targeting Afghanistan and India that used malicious RTF documents to deliver malware to its victims. The campaign exploited CVE-2017-11882, a vulnerability in Microsoft Office, to deliver QuasarRAT and dcRAT to Windows and AndroidRAT to mobile devices. This sample is dcRAT. | 37255857bd1fc48c7fcc2a3fa8af86a5 | https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html
SHA256: 21b7cc1980d15aa84b3476eb04e4ff1bb5b37fb16d7fe0c3a51c8b0b76434634
SHA1: 3073bc7fc19b7f5d7bcf15ab06869b65543ae600
MD5: 37255857bd1fc48c7fcc2a3fa8af86a5
M21-5d811 | QuasarRAT_68c08f0c | Windows | This strike sends a polymorphic malware sample known as QuasarRAT. In Oct 2021 Cisco Talos detected a campaign targeting Afghanistan and India utilizing malicious RTF documents to deliver malware to its victims. This campaign used CVE-2017-11882, a vulnerability in Microsoft Office, to deliver QuasarRAT and dcRAT to Windows and AndroidRAT to mobile devices. This sample is QuasarRAT. The binary has random strings (lorem ipsum) appended at the end of the file. | 68c08f0c831b24170da8cb0060be8642 | https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html
SHA256: c10d20fabb1eb7f3a70cb13093c9dcc78b0ac1e1d17d62c821663b813de1e1d1
https://attack.mitre.org/techniques/T1009/
PARENTID: M21-8i981
SSDEEP: 6144:wB/P7uwS0bJqgs5A5yb5z+iq+6pOGbr2HIwY2M:wpG0d+R2+QJ
SHA1: 371f89faa8557c7bd247b309a0514cfeeaf77297
MD5: 68c08f0c831b24170da8cb0060be8642
M21-n8l41 | QuasarRAT_1d4a4ff2 | Windows | This strike sends a malware sample known as QuasarRAT. In Oct 2021 Cisco Talos detected a campaign targeting Afghanistan and India utilizing malicious RTF documents to deliver malware to its victims. This campaign used CVE-2017-11882, a vulnerability in Microsoft Office, to deliver QuasarRAT and dcRAT to Windows and AndroidRAT to mobile devices. This sample is QuasarRAT. | 1d4a4ff2adfa153b1035dd729c4f0bed | https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html
SHA256: 5ddf54d9189d1d87b400b3102f538591d70059ada264ef2eafdc0e222df66bb8
SHA1: aab41e22f26a185a0449444031615ba3fd674808
MD5: 1d4a4ff2adfa153b1035dd729c4f0bed
M21-uha41 | QuasarRAT_094dc708 | Windows | This strike sends a malware sample known as QuasarRAT. In Oct 2021 Cisco Talos detected a campaign targeting Afghanistan and India utilizing malicious RTF documents to deliver malware to its victims. This campaign used CVE-2017-11882, a vulnerability in Microsoft Office, to deliver QuasarRAT and dcRAT to Windows and AndroidRAT to mobile devices. This sample is QuasarRAT. | 094dc708a3feae65dab33f44c984b6f0 | https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html
SHA256: 7a9581bf43592d26e283ced1e9efa4c8e703bed1ecff749191a67010f1e1c8d3
SHA1: 77fc3d56c688e276be679dbcfa550ef4e7203a80
MD5: 094dc708a3feae65dab33f44c984b6f0
M21-ea5y1 | LokiBot_4b043d0f | Windows | This strike sends a malware sample known as LokiBot. LokiBot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered via spam emails. | 4b043d0fccca4bea612f21dd3a4d7fd9 | https://blog.talosintelligence.com/2021/10/threat-roundup-1001-1008.html
SHA256: 54231653fed288990289da541317a03ece89cbe74beaf553c81b22fed7ca1f6d
SHA1: bca6c4866c2d29bdc065d2101899f85b1c8febef
MD5: 4b043d0fccca4bea612f21dd3a4d7fd9
M21-oiq11 | Formbook_ea291e84 | Windows | This strike sends a malware sample known as Formbook. Formbook is an information stealer that attempts to collect sensitive information from the target. | ea291e8474afb136488146a924348693 | https://blog.talosintelligence.com/2021/10/threat-roundup-0924-1001.html
SHA256: acdd6834ed905603a968ba017285e27238e8817d1b211d7f5a2e8a51e7d06e93
SHA1: 199b612bc7f0a3ceb4d759a10b29319d1db0857c
MD5: ea291e8474afb136488146a924348693
M21-sf3m1 | AndroidRAT_0ac539e2 | Mixed | This strike sends a malware sample known as AndroidRAT. In Oct 2021 Cisco Talos detected a campaign targeting Afghanistan and India utilizing malicious RTF documents to deliver malware to its victims. This campaign used CVE-2017-11882, a vulnerability in Microsoft Office, to deliver QuasarRAT and dcRAT to Windows and AndroidRAT to mobile devices. This sample is AndroidRAT. | 0ac539e23e9befbbc96b874719fceb50 | https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html
SHA256: d7b7a18ef6f15061c9d24367671e1e78a29e8b6f1c4b15939420654108cfe3bf
SHA1: a72223155e12442242bd0ecfdae90df5e2fd4530
MD5: 0ac539e23e9befbbc96b874719fceb50
M21-8jug1 | QuasarRAT_cdd96af0 | Windows | This strike sends a malware sample known as QuasarRAT. In Oct 2021 Cisco Talos detected a campaign targeting Afghanistan and India utilizing malicious RTF documents to deliver malware to its victims. This campaign used CVE-2017-11882, a vulnerability in Microsoft Office, to deliver QuasarRAT and dcRAT to Windows and AndroidRAT to mobile devices. This sample is QuasarRAT. | cdd96af015b85cf0a9279fa9b0af4454 | https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html
SHA256: 2ebdf8e6753dcedde81f9203400a2f42b5fe5f5bb82105bad3c60b3e26a1c891
SHA1: fe4b5638b16d5bef4c845b5ca8dc894c37c631d2
MD5: cdd96af015b85cf0a9279fa9b0af4454
M21-q5qr1 | QuasarRAT_36a4df9b | Windows | This strike sends a polymorphic malware sample known as QuasarRAT. In Oct 2021 Cisco Talos detected a campaign targeting Afghanistan and India utilizing malicious RTF documents to deliver malware to its victims. This campaign used CVE-2017-11882, a vulnerability in Microsoft Office, to deliver QuasarRAT and dcRAT to Windows and AndroidRAT to mobile devices. This sample is QuasarRAT. The binary has a random section name renamed according to the PE format specification. | 36a4df9b0ab0f2d3a615f775d3dba9c0 | https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html
SHA256: 3c5adb32f14e2e41755935c7d03baf1de899ad6961cadc39c1464ae448ee1a4d
https://arxiv.org/abs/1801.08917
PARENTID: M21-i55u1
SSDEEP: 6144:QBbPpkuPpFOjPDTKRVOoueMByMBtnIQwGup0POu+UOL7v6gz93y9xsaF7Dc673Un:Qrkd38H
SHA1: 3476decfb41a4149508b583b0f1e387bb7bde1ed
MD5: 36a4df9b0ab0f2d3a615f775d3dba9c0
M21-85ma1 | dcRAT_033ee7d8 | Windows | This strike sends a polymorphic malware sample known as dcRAT. In Oct 2021 Cisco Talos detected a campaign targeting Afghanistan and India utilizing malicious RTF documents to deliver malware to its victims. This campaign used CVE-2017-11882, a vulnerability in Microsoft Office, to deliver QuasarRAT and dcRAT to Windows and AndroidRAT to mobile devices. This sample is dcRAT. The binary has the timestamp field updated in the PE file header. | 033ee7d8c8e304c5925d551f6c12b665 | https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html
SHA256: 41210e91c0dafbebbc829fcec31e843e5396a043469233b0750d9fba8f4df237
https://attack.mitre.org/techniques/T1099/
PARENTID: M21-fesw1
SSDEEP: 1536:UFn2xjknLg8sYFY8a+xBRS9n9lpx9qgIIPxA9kxbbUhtkL3mtpaBGVclN:qpPH8oh9kxbbU40aBcY
SHA1: 6efb33f36c5b0c343db17cf562f124358cef0d02
MD5: 033ee7d8c8e304c5925d551f6c12b665
M21-omsw2 | Formbook_2a414be7 | Windows | This strike sends a polymorphic malware sample known as Formbook. Formbook is an information stealer that attempts to collect sensitive information from the target. The binary has the checksum removed in the PE file format. | 2a414be7c6dea6d4d1bfd77c3e9c9b25 | https://blog.talosintelligence.com/2021/10/threat-roundup-0924-1001.html
SHA256: bfbd3fe75368b2fe71d081d0d6eaa7a8fa69061e2ec64414613b2b08854e14df
https://arxiv.org/abs/1801.08917
PARENTID: M21-57ek1
SSDEEP: 12288:Q71aIFXG0LBXveSLxZrJuGmxXQUTcQvPPRK2mQgMM4/YGu1qh:Qs6RL9veYLrJlIrTtnA9HGEM
SHA1: 0119cde3372829a2c42ce1d1d51ebd94300cd0f0
MD5: 2a414be7c6dea6d4d1bfd77c3e9c9b25
M21-ag1h1 | LokiBot_f696499b | Windows | This strike sends a malware sample known as LokiBot. LokiBot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered via spam emails. | f696499b3888e3cedefce687917c127d | https://blog.talosintelligence.com/2021/10/threat-roundup-1001-1008.html
SHA256: 15b6c12ca88a2a31a267dd9c824ba7f491c23306fb40c8b2f04d5afd61e1875d
SHA1: 4748da340001410c19ac84e56eae0e11947ccae7
MD5: f696499b3888e3cedefce687917c127d
M21-aknp1 | QuasarRAT_2dcc12bf | Windows | This strike sends a malware sample known as QuasarRAT. In Oct 2021 Cisco Talos detected a campaign targeting Afghanistan and India utilizing malicious RTF documents to deliver malware to its victims. This campaign used CVE-2017-11882, a vulnerability in Microsoft Office, to deliver QuasarRAT and dcRAT to Windows and AndroidRAT to mobile devices. This sample is QuasarRAT. | 2dcc12bffd9566cfb1e7d78bb0fb9d4b | https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html
SHA256: f1a49367115f445ec9fc5bdcf6d2bc0192e8f84a0a8825f85689a2552755ee98
SHA1: 02ceef48a0010f7bbc95e7622a53fe9c34bab101
MD5: 2dcc12bffd9566cfb1e7d78bb0fb9d4b
M21-5lsl1 | dcRAT_757005d3 | Windows | This strike sends a malware sample known as dcRAT. In Oct 2021 Cisco Talos detected a campaign targeting Afghanistan and India utilizing malicious RTF documents to deliver malware to its victims. This campaign used CVE-2017-11882, a vulnerability in Microsoft Office, to deliver QuasarRAT and dcRAT to Windows and AndroidRAT to mobile devices. This sample is dcRAT. | 757005d3bb12ce3f9146d8027b236c9b | https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html
SHA256: 1ecb36c5f4179eca6c13af16fbb05ce377a406d75cc4b93c54063a1088b1e0b3
SHA1: 08e21eebdfcdf4e128dee562fc57cb0da2845077
MD5: 757005d3bb12ce3f9146d8027b236c9b
M21-mr521 | LokiBot_1f5c9cb5 | Windows | This strike sends a malware sample known as LokiBot. LokiBot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered via spam emails. | 1f5c9cb59a3821f4343188b99f7437c2 | https://blog.talosintelligence.com/2021/10/threat-roundup-1001-1008.html
SHA256: c3d67ac3416635d4fa9a5f98ff598a6210338322cbdc66347c2a7ddb2526ae41
SHA1: 5ef9d8c17f28f2673ab363e6479db5bb145dda98
MD5: 1f5c9cb59a3821f4343188b99f7437c2
M21-3n4c1 | QuasarRAT_1ea755c0 | Windows | This strike sends a polymorphic malware sample known as QuasarRAT. In Oct 2021 Cisco Talos detected a campaign targeting Afghanistan and India utilizing malicious RTF documents to deliver malware to its victims. This campaign used CVE-2017-11882, a vulnerability in Microsoft Office, to deliver QuasarRAT and dcRAT to Windows and AndroidRAT to mobile devices. This sample is QuasarRAT. The binary has the timestamp field updated in the PE file header. | 1ea755c0f9fea7bde48a62db3fc30e4a | https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html
SHA256: 3f3a1bed77054012018c05f0978811f1eb0d529ec7fc6b652b5b257eee6e9314
https://attack.mitre.org/techniques/T1099/
PARENTID: M21-zhl11
SSDEEP: 6144:2p/yD4w3p/mpcDYdkXtEj5cWrubOQNchU1p4CMgiq+6pOGbr2HIYxLZNjrvDJPbP:IUp0dkXt3bj3Np+QS3
SHA1: 0273634d38bb64b0e92a33b09693dec576c750a0
MD5: 1ea755c0f9fea7bde48a62db3fc30e4a
M21-8ac91 | Expiro_62474ba0 | Windows | This strike sends a malware sample known as Expiro. Expiro or Xpiro is a known file infector and information-stealer that hinders analysis with anti-debugging and anti-analysis tricks. | 62474ba004c093fb91c6a58b6d5a7c35 | https://blog.talosintelligence.com/2021/10/threat-roundup-1015-1022.html
SHA256: 02c5c3722753f5199e764a1a7401ef2169e4a04b120adfb3fcfa8fa8e573479c
SHA1: f8d6c7dfd37d3236e36f350fd05dc40b50dd5afe
MD5: 62474ba004c093fb91c6a58b6d5a7c35
M21-0o3v1 | Formbook_b93a2f5e | Windows | This strike sends a malware sample known as Formbook. Formbook is an information stealer that attempts to collect sensitive information from the target. | b93a2f5eb85ed74a4a3483fe63f2efe2 | https://blog.talosintelligence.com/2021/10/threat-roundup-0924-1001.html
SHA256: 8bc32885f532e286073afa7781733d97338f3bab7b22f55680b38fe1926d103b
SHA1: 12317fddd8b32f7cc235a5d63578a7d4d98d1131
MD5: b93a2f5eb85ed74a4a3483fe63f2efe2
M21-43th1 | QuasarRAT_3d92b0b9 | Windows | This strike sends a polymorphic malware sample known as QuasarRAT. In Oct 2021 Cisco Talos detected a campaign targeting Afghanistan and India utilizing malicious RTF documents to deliver malware to its victims. This campaign used CVE-2017-11882, a vulnerability in Microsoft Office, to deliver QuasarRAT and dcRAT to Windows and AndroidRAT to mobile devices. This sample is QuasarRAT. The binary has the timestamp field updated in the PE file header. | 3d92b0b95ab85217746c2c8015526285 | https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html
SHA256: 0dd302751c9b396ae8bb1dd04e70095f2b12ed369b8ac0e1efbf0895e02ad1c1
https://attack.mitre.org/techniques/T1099/
PARENTID: M21-0bw81
SSDEEP: 6144:kxVZBEBzEys5BkB3N4ZU4x4gZFRx6leNGZiq+6pOGbr2HIsSkqIAiwOZLtbNT/Y2:yVZ0MEN124gV9O+QljQt
SHA1: b8d61f41d8d609788aabd45a8e999c40348706a1
MD5: 3d92b0b95ab85217746c2c8015526285
M21-rogu1 | QuasarRAT_b349748b | Windows | This strike sends a malware sample known as QuasarRAT. In Oct 2021 Cisco Talos detected a campaign targeting Afghanistan and India utilizing malicious RTF documents to deliver malware to its victims. This campaign used CVE-2017-11882, a vulnerability in Microsoft Office, to deliver QuasarRAT and dcRAT to Windows and AndroidRAT to mobile devices. This sample is QuasarRAT. | b349748b015823ebd96917fed666f603 | https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html
SHA256: bad7a4e8f9e26c4972901ffe5a15750df7d3ab64b96ade6f855171b73a5368a0
SHA1: 0ec0bf2c8af807edec43034376a38aa6d0cd2910
MD5: b349748b015823ebd96917fed666f603
M21-ec6o1 | QuasarRAT_d957d99c | Windows | This strike sends a malware sample known as QuasarRAT. In Oct 2021 Cisco Talos detected a campaign targeting Afghanistan and India utilizing malicious RTF documents to deliver malware to its victims. This campaign used CVE-2017-11882, a vulnerability in Microsoft Office, to deliver QuasarRAT and dcRAT to Windows and AndroidRAT to mobile devices. This sample is QuasarRAT. | d957d99c41734479e375e58ff68dfdb2 | https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html
SHA256: 358ae4b3e360804d67c2994a35f1ef724f9ab5889d12307a12202ae3d40e6277
SHA1: a015af814805adeb51ed0185e31f326e45329a6e
MD5: d957d99c41734479e375e58ff68dfdb2
M21-ka111 | QuasarRAT_ead5e826 | Windows | This strike sends a polymorphic malware sample known as QuasarRAT. In Oct 2021 Cisco Talos detected a campaign targeting Afghanistan and India utilizing malicious RTF documents to deliver malware to its victims. This campaign used CVE-2017-11882, a vulnerability in Microsoft Office, to deliver QuasarRAT and dcRAT to Windows and AndroidRAT to mobile devices. This sample is QuasarRAT. The binary has random bytes appended at the end of the file. | ead5e82626333cf1195f1c58374edf64 | https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html
SHA256: 02526672660439a8777e1db15c992ba3da277aaec37e2454b5fbd9a8517a98a0
https://attack.mitre.org/techniques/T1009/
PARENTID: M21-1xqj1
SSDEEP: 6144:8BbPpkuPpFOjPDTRmDb0DbdMh47MVCTP2kb5RVOoueMByMBtnIQwGup0POu+UOLY:8rkd3VJHA
SHA1: 021b37aae3247ba22c474821a858cb63651a26c9
MD5: ead5e82626333cf1195f1c58374edf64
M21-d37r1 | QuasarRAT_2e65ec5f | Windows | This strike sends a polymorphic malware sample known as QuasarRAT. In Oct 2021 Cisco Talos detected a campaign targeting Afghanistan and India utilizing malicious RTF documents to deliver malware to its victims. This campaign used CVE-2017-11882, a vulnerability in Microsoft Office, to deliver QuasarRAT and dcRAT to Windows and AndroidRAT to mobile devices. This sample is QuasarRAT. The binary has random strings (lorem ipsum) appended at the end of the file. | 2e65ec5ff812465296e3ad8ef4511428 | https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html
SHA256: a3c92e50953f619d2798c9c1fc0ce40fa73b48612b4f899d7a6522d386f1d38b
https://attack.mitre.org/techniques/T1009/
PARENTID: M21-xb051
SSDEEP: 6144:g0Aabjn9CZwgNGDlP/qoQd4ub4V1h4JUiq+6pOG0Y2Y:g0Rb9uKqoQ6GJE+QT
SHA1: f4a913a0c9296a5dfe7f95d7ba8e2af816e0bee7
MD5: 2e65ec5ff812465296e3ad8ef4511428
M21-melo1 | Expiro_128f886f | Windows | This strike sends a malware sample known as Expiro. Expiro or Xpiro is a known file infector and information-stealer that hinders analysis with anti-debugging and anti-analysis tricks. | 128f886f38ce715bfbe08fedd12e0173 | https://blog.talosintelligence.com/2021/10/threat-roundup-1015-1022.html
SHA256: 05fe3f283fdaaf87c10739474f229f4ff4e4fb3faf27a2599bcc0e877126e7e0
SHA1: 0def3614de64424235b6c023afeb04356d3884ee
MD5: 128f886f38ce715bfbe08fedd12e0173
M21-1h3t1 | LokiBot_502187ce | Windows | This strike sends a malware sample known as LokiBot. LokiBot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered via spam emails. | 502187ce6d5d1f537c244b90435e9ca9 | https://blog.talosintelligence.com/2021/10/threat-roundup-1001-1008.html
SHA256: 90eed2f3f5c8478d6f7c41c9f8fab7751f7b56761e118eb89daf4eca8ea1f3c3
SHA1: 19e36c5afe3c634b8f4732a894807e0eb75d0169
MD5: 502187ce6d5d1f537c244b90435e9ca9
M21-v4lv1 | LokiBot_b4db3566 | Windows | This strike sends a malware sample known as LokiBot. LokiBot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered via spam emails. | b4db3566b4b1e540025a20a3e826ad71 | https://blog.talosintelligence.com/2021/10/threat-roundup-1001-1008.html
SHA256: af4eb8fb340cc741dc6b0268c6913cf66e2e326027d3d1aa7d35c18c80498bb8
SHA1: 1182a493bc1c3ab72a10afa715b2616d3ba21e9a
MD5: b4db3566b4b1e540025a20a3e826ad71
M21-echl1 | QuasarRAT_f206ab0d | Windows | This strike sends a malware sample known as QuasarRAT. In Oct 2021 Cisco Talos detected a campaign targeting Afghanistan and India utilizing malicious RTF documents to deliver malware to its victims. This campaign used CVE-2017-11882, a vulnerability in Microsoft Office, to deliver QuasarRAT and dcRAT to Windows and AndroidRAT to mobile devices. This sample is QuasarRAT. | f206ab0defeb1bf6c9272d5b1a052985 | https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html
SHA256: 628ada289a2920ed1da23ec9cd70f7e092468eba1fd6346a813e55e90a00565b
SHA1: 2cb1ed00962fc7d30dc49d9efa7a8e43756cb1ea
MD5: f206ab0defeb1bf6c9272d5b1a052985
M21-1qxa1 | LokiBot_3d61b1e8 | Windows | This strike sends a malware sample known as LokiBot. LokiBot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered via spam emails. | 3d61b1e8349089f3db639532f9afcc70 | https://blog.talosintelligence.com/2021/10/threat-roundup-1001-1008.html
SHA256: aa789ba2c3414a3ec6bd26a430957c8c2b2c32793cd6a7867e0c6961fd68ec62
SHA1: 360dca19ba0de794d0e781b33a17456c0735e118
MD5: 3d61b1e8349089f3db639532f9afcc70
M21-zhl11 | QuasarRAT_fe7eb6b5 | Windows | This strike sends a malware sample known as QuasarRAT. In Oct 2021 Cisco Talos detected a campaign targeting Afghanistan and India utilizing malicious RTF documents to deliver malware to its victims. This campaign used CVE-2017-11882, a vulnerability in Microsoft Office, to deliver QuasarRAT and dcRAT to Windows and AndroidRAT to mobile devices. This sample is QuasarRAT. | fe7eb6b506959310e438d94910422c1c | https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html
SHA256: 0b333e127c273d2c86ed8f3b842ff0f955f7dee2c077434a95d834a729193952
SHA1: db4a006c33cc91310cca80737ff0a4f20ec49989
MD5: fe7eb6b506959310e438d94910422c1c
M21-39bj1 | dcRAT_a982d253 | Windows | This strike sends a polymorphic malware sample known as dcRAT. In Oct 2021 Cisco Talos detected a campaign targeting Afghanistan and India utilizing malicious RTF documents to deliver malware to its victims. This campaign used CVE-2017-11882, a vulnerability in Microsoft Office, to deliver QuasarRAT and dcRAT to Windows and AndroidRAT to mobile devices. This sample is dcRAT. The binary has random strings (lorem ipsum) appended at the end of the file. | a982d253aad5976b951ecb1a48933fde | https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html
SHA256: 76995332ca28452ce22feae4e9b2bc7afff428afc4cff8407b254565c31fa51b
https://attack.mitre.org/techniques/T1009/
PARENTID: M21-fesw1
SSDEEP: 1536:JFn2xjknLg8sYFY8a+xBRS9n9lpx9qgIIPxA9kxbbUhtkL3mtpaBGVclNX:npPH8oh9kxbbU40aBcYp
SHA1: 0db770f7a9ac52abd8b279a5e8f5b8ccba8ad399
MD5: a982d253aad5976b951ecb1a48933fde
M21-rapm1 | Expiro_c30aa578 | Windows | This strike sends a malware sample known as Expiro. Expiro or Xpiro is a known file infector and information-stealer that hinders analysis with anti-debugging and anti-analysis tricks. | c30aa5781932f3368e1f53d285433873 | https://blog.talosintelligence.com/2021/10/threat-roundup-1015-1022.html
SHA256: 06b2bda5827d59b5e5a5d5b9216a73670074077a48560a0c80451fbd347f3af4
SHA1: 68493b2b1952acd9486d55e47d1923de12ca8826
MD5: c30aa5781932f3368e1f53d285433873
M21-b48m1 | LokiBot_88f32078 | Windows | This strike sends a malware sample known as LokiBot. LokiBot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered via spam emails. | 88f320782e23977a4877c517646c3ff8 | https://blog.talosintelligence.com/2021/10/threat-roundup-1001-1008.html
SHA256: a286cfb5d372f21f2e2a8da8c69a032e1dedc7d8ef582657ce20a1d9e7150238
SHA1: 04dafd38329fdd9fb18d35926c261e15a3f8230d
MD5: 88f320782e23977a4877c517646c3ff8
M21-7quj1 | QuasarRAT_caf8166e | Windows | This strike sends a malware sample known as QuasarRAT. In Oct 2021 Cisco Talos detected a campaign targeting Afghanistan and India utilizing malicious RTF documents to deliver malware to its victims. This campaign used CVE-2017-11882, a vulnerability in Microsoft Office, to deliver QuasarRAT and dcRAT to Windows and AndroidRAT to mobile devices. This sample is QuasarRAT. | caf8166e2f177e5e40ddfb61f5140465 | https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html
SHA256: a891bd8356e604faeef041ba060321f660dd7a480b749b91b1524f211fe09e9c
SHA1: 7f907aa0f069ea6ad98d03441b5bac7198f5ad1c
MD5: caf8166e2f177e5e40ddfb61f5140465
M21-rbua1 | Expiro_e0522340 | Windows | This strike sends a malware sample known as Expiro. Expiro or Xpiro is a known file infector and information-stealer that hinders analysis with anti-debugging and anti-analysis tricks. | e0522340e4567dd1e9ec2f381826a019 | https://blog.talosintelligence.com/2021/10/threat-roundup-1015-1022.html
SHA256: 13d6aae7db9cb703fb07542815bd732ee8911a28de3c8c244c3c515fa4effdfe
SHA1: 6739cf06107b2521ece281c9eda0ae871f3138db
MD5: e0522340e4567dd1e9ec2f381826a019
M21-prwj1 | Expiro_42647244 | Windows | This strike sends a malware sample known as Expiro. Expiro or Xpiro is a known file infector and information-stealer that hinders analysis with anti-debugging and anti-analysis tricks. | 42647244735a032629d454fb2c70326e | https://blog.talosintelligence.com/2021/10/threat-roundup-1015-1022.html
SHA256: 0bf25e929d01e2970e95cad27b7d0cc88635e33d2f6afb4f3ac2a4e6281f3a4f
SHA1: 8cc66b43a8a7027054f5698f5af5f1c7f0351f39
MD5: 42647244735a032629d454fb2c70326e
M21-nwla1 | QuasarRAT_793a3daa | Windows | This strike sends a polymorphic malware sample known as QuasarRAT. In Oct 2021 Cisco Talos detected a campaign targeting Afghanistan and India utilizing malicious RTF documents to deliver malware to its victims. This campaign used CVE-2017-11882, a vulnerability in Microsoft Office, to deliver QuasarRAT and dcRAT to Windows and AndroidRAT to mobile devices. This sample is QuasarRAT. The binary has a random section name renamed according to the PE format specification. | 793a3daa210d66facd326f6919d0545d | https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html
SHA256: 93b1d044cf6874c994f4a263d082d6a656e6f2d144fffeca365ca4a3c11254ed
https://arxiv.org/abs/1801.08917
PARENTID: M21-xb051
SSDEEP: 6144:n0Aabjn9CZwgNGDlP/qoQd4ub4V1h4JUiq+6pOG0Y2:n0Rb9uKqoQ6GJE+Q
SHA1: bd11a8a245b74b9252ef4ad88a7f1b1fe6f51e18
MD5: 793a3daa210d66facd326f6919d0545d
M21-jds11 | dcRAT_915b0fbb | Windows | This strike sends a polymorphic malware sample known as dcRAT. In Oct 2021 Cisco Talos detected a campaign targeting Afghanistan and India utilizing malicious RTF documents to deliver malware to its victims. This campaign used CVE-2017-11882, a vulnerability in Microsoft Office, to deliver QuasarRAT and dcRAT to Windows and AndroidRAT to mobile devices. This sample is dcRAT. The binary has random bytes appended at the end of the file. | 915b0fbb556fe6f8a48c3f5da0cb28ec | https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html
SHA256: fee907eb6a1aa1bdee15580e6adb62d864c7937689a32dfb837846c7abc210e2
https://attack.mitre.org/techniques/T1009/
PARENTID: M21-fesw1
SSDEEP: 1536:JFn2xjknLg8sYFY8a+xBRS9n9lpx9qgIIPxA9kxbbUhtkL3mtpaBGVclN6:npPH8oh9kxbbU40aBcYo
SHA1: 5e864100b9a25caca4b9f011a6573d7b29824f01
MD5: 915b0fbb556fe6f8a48c3f5da0cb28ec
M21-c3ii1 | Expiro_d16af927 | Windows | This strike sends a malware sample known as Expiro. Expiro or Xpiro is a known file infector and information-stealer that hinders analysis with anti-debugging and anti-analysis tricks. | d16af927c910abff809b2a9f5372d855 | https://blog.talosintelligence.com/2021/10/threat-roundup-1015-1022.html
SHA256: 0e6cfeb5410e04e85319aefb89a2042ae74437d49ac8f8239eec199309216bfe
SHA1: 0620b833fda55da844b4c8589307e894b6418c66
MD5: d16af927c910abff809b2a9f5372d855
M21-6uvd1 | QuasarRAT_ab22a163 | Windows | This strike sends a malware sample known as QuasarRAT. In Oct 2021 Cisco Talos detected a campaign targeting Afghanistan and India utilizing malicious RTF documents to deliver malware to its victims. This campaign used CVE-2017-11882, a vulnerability in Microsoft Office, to deliver QuasarRAT and dcRAT to Windows and AndroidRAT to mobile devices. This sample is QuasarRAT. | ab22a163f052e16dd29e5d1a1beae1e7 | https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html
SHA256: b10850f3e0590e2f49ffc3feea41b67328611021bcea2c0d11668593c2df8146
SHA1: ca94925ee4d97978a1abea04700d92d08cf5ad21
MD5: ab22a163f052e16dd29e5d1a1beae1e7
M21-k5l41 | Formbook_bb9c642b | Windows | This strike sends a malware sample known as Formbook. Formbook is an information stealer that attempts to collect sensitive information from the target. | bb9c642b4346962dd8e0ffd60c227862 | https://blog.talosintelligence.com/2021/10/threat-roundup-0924-1001.html
SHA256: c58d5b907f0eb1e164f6416a122ae8177bae14a6a4ab2f00cffa2dc72a328068
SHA1: 74ed0ca331e16fd4f73b9c16c18e7973e909832b
MD5: bb9c642b4346962dd8e0ffd60c227862
M21-lhhs1 | QuasarRAT_ce004fd2 | Windows | This strike sends a polymorphic malware sample known as QuasarRAT. In Oct 2021 Cisco Talos detected a campaign targeting Afghanistan and India utilizing malicious RTF documents to deliver malware to its victims. This campaign used CVE-2017-11882, a vulnerability in Microsoft Office, to deliver QuasarRAT and dcRAT to Windows and AndroidRAT to mobile devices. This sample is QuasarRAT. The binary has a random section name renamed according to the PE format specification. | ce004fd23972989dcbcda5543c744f39 | https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html
SHA256: 16beb1b2a6b8702f318002d1215e274cf5c62f80310ad8ea81ae5153053bca0e
https://arxiv.org/abs/1801.08917
PARENTID: M21-1xqj1
SSDEEP: 6144:rBbPpkuPpFOjPDTRmDb0DbdMh47MVCTP2kb5RVOoueMByMBtnIQwGup0POu+UOL3:rrkd3VJH
SHA1: 9ab546f70dce1ddfdcf7f3b10f24cfb269d520ca
MD5: ce004fd23972989dcbcda5543c744f39
M21-j1eu1 | QuasarRAT_62db37de | Windows | This strike sends a malware sample known as QuasarRAT. In Oct 2021 Cisco Talos detected a campaign targeting Afghanistan and India utilizing malicious RTF documents to deliver malware to its victims. This campaign used CVE-2017-11882, a vulnerability in Microsoft Office, to deliver QuasarRAT and dcRAT to Windows and AndroidRAT to mobile devices. This sample is QuasarRAT. | 62db37de46ba0bcca9411ba2a2a35827 | https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html
SHA256: 8568677d00cae752bf245be89932ede2c1f7f1ea354f02a728b24d2037f040df
SHA1: bc751fd91e43820ec2482fdf4f823631ca1faba0
MD5: 62db37de46ba0bcca9411ba2a2a35827
M21-9sin1 | QuasarRAT_e7427799 | Windows | This strike sends a malware sample known as QuasarRAT. In Oct 2021 Cisco Talos detected a campaign targeting Afghanistan and India utilizing malicious RTF documents to deliver malware to its victims. This campaign used CVE-2017-11882, a vulnerability in Microsoft Office, to deliver QuasarRAT and dcRAT to Windows and AndroidRAT to mobile devices. This sample is QuasarRAT. | e74277995df7ebf0aca7aa48f718c25d | https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html
SHA256: 422ac1a0e213aa1e14dd636f918a7d6c8406c549e9edc74fd76ee2e04df9daf4
SHA1: 2e6863366ec0a86e975d506015b90207c5843a1e
MD5: e74277995df7ebf0aca7aa48f718c25d
M21-3sp41 | LokiBot_a862611c | Windows | This strike sends a malware sample known as LokiBot. LokiBot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered via spam emails. | a862611c1be0659cbde96a3d3f79ba61 | https://blog.talosintelligence.com/2021/10/threat-roundup-1001-1008.html
SHA256: d52fae57110e31af1cec5987170f7f2cc1cc4b79ad89d745518d5765f96902ba
SHA1: 7062b5c6f8c16dbe8070f1f10226fe0b8bb180b0
MD5: a862611c1be0659cbde96a3d3f79ba61
M21-4le91 | Formbook_0c8e247e | Windows | This strike sends a malware sample known as Formbook. Formbook is an information stealer that attempts to collect sensitive information from the target. | 0c8e247e7049fe06bfccec96aa48de0f | https://blog.talosintelligence.com/2021/10/threat-roundup-0924-1001.html
SHA256: 8a39968eafe739591b3506c908fe5efc9ebc97654d8d2bde8f22299b6fdf0d3f
SHA1: a62633f65a50d388dc5b8b1e3421e47c399249db
MD5: 0c8e247e7049fe06bfccec96aa48de0f
M21-fkec1 | Formbook_905d5725 | Windows | This strike sends a polymorphic malware sample known as Formbook. Formbook is an information stealer that attempts to collect sensitive information from the target. The binary has random contents appended in one of the existing sections in the PE file format. | 905d5725cd20bea4c5024f456c07f59a | https://blog.talosintelligence.com/2021/10/threat-roundup-0924-1001.html
SHA256: 85269c7be7ab3844896c72f31ffd9bf68a46703d7ded8ba98a2a3edf2c002ca7
https://arxiv.org/abs/1801.08917
PARENTID: M21-fm4y1
SSDEEP: 12288:Q71aIFXG0LBXveSLxZrJuGmxXQUTcQvPPRKKmQgMM4/YGu1q:Qs6RL9veYLrJlIrTtnAZHGE
SHA1: d00535159b60f9e6865229d42f548b611da5e588
MD5: 905d5725cd20bea4c5024f456c07f59a
M21-l7up1 | Expiro_c6367980 | Windows | This strike sends a malware sample known as Expiro. Expiro or Xpiro is a known file infector and information-stealer that hinders analysis with anti-debugging and anti-analysis tricks. | c636798029addfe9cd1dfb144182ff2d | https://blog.talosintelligence.com/2021/10/threat-roundup-1015-1022.html
SHA256: 0e3db161751946523aeccd553b666e7e5524885b463ee04124065835dcc6f53d
SHA1: bed47af57536b98ad1a9f0cf38c9a14296952065
MD5: c636798029addfe9cd1dfb144182ff2d
M21-1xqj1 | QuasarRAT_8d0e2631 | Windows | This strike sends a malware sample known as QuasarRAT. In Oct 2021 Cisco Talos detected a campaign targeting Afghanistan and India utilizing malicious RTF documents to deliver malware to its victims. This campaign used CVE-2017-11882, a vulnerability in Microsoft Office, to deliver QuasarRAT and dcRAT to Windows and AndroidRAT to mobile devices. This sample is QuasarRAT. | 8d0e2631138907c09cf3f07f9c8aa26c | https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html
SHA256: 10343c6ddc8ca86fa456b256d0d8f01f99c00edbdac22a7690235274e7304c0b
SHA1: 036da01689b181bb5450f72f883cd20e842ade35
MD5: 8d0e2631138907c09cf3f07f9c8aa26c
M21-2d3i1 | Formbook_a2b2a436 | Windows | This strike sends a malware sample known as Formbook. This malicious sample is known as Formbook. Formbook is an information stealer that attempts to collect sensitive information from the target. | a2b2a436dbc3040c0689bb915d8d03ac | https://blog.talosintelligence.com/2021/10/threat-roundup-0924-1001.html
SHA256: 1ddb357041ae22e5c39f309d8432bf9b64e5b07ee9fcf578b7d94543005714fa
SHA1: 77f844007a02ab0142126225e3e4591db61d294e
MD5: a2b2a436dbc3040c0689bb915d8d03ac
M21-j99i1 | LokiBot_bd8d5c28 | Windows | This strike sends a malware sample known as LokiBot. Lokibot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered via spam emails. | bd8d5c28da2adb86149bf00a3ea71ca9 | https://blog.talosintelligence.com/2021/10/threat-roundup-1001-1008.html
SHA256: 6dc77546c2242b37c67fc3107086ec18458b18fd44f8ee61146630b526e999b5
SHA1: 7fbbf4364eab9f304b82ad46272824a74af84a54
MD5: bd8d5c28da2adb86149bf00a3ea71ca9
M21-l1bq1 | Expiro_53489e71 | Windows | This strike sends a malware sample known as Expiro. Expiro or Xpiro is a known file infector and information-stealer that hinders analysis with anti-debugging and anti-analysis tricks. | 53489e7181fa238fb2161a26487cbd56 | https://blog.talosintelligence.com/2021/10/threat-roundup-1015-1022.html
SHA256: 14a41d2df64f28c8abfc6ac2ad4e19a8fc7fc21171b61c38d9b9058a4e913bb1
SHA1: 1eb6b79f8a672d63971a5f3b4c3549adc87570c2
MD5: 53489e7181fa238fb2161a26487cbd56
M21-omsw1 | Formbook_2a414be7 | Windows | This strike sends a polymorphic malware sample known as Formbook. This malicious sample is known as Formbook. Formbook is an information stealer that attempts to collect sensitive information from the target. The binary has random contents appended in one of the existing sections in the PE file format. | 2a414be7c6dea6d4d1bfd77c3e9c9b25 | https://blog.talosintelligence.com/2021/10/threat-roundup-0924-1001.html
SHA256: bfbd3fe75368b2fe71d081d0d6eaa7a8fa69061e2ec64414613b2b08854e14df
https://arxiv.org/abs/1801.08917
PARENTID: M21-57ek1
SSDEEP: 12288:Q71aIFXG0LBXveSLxZrJuGmxXQUTcQvPPRK2mQgMM4/YGu1qh:Qs6RL9veYLrJlIrTtnA9HGEM
SHA1: 0119cde3372829a2c42ce1d1d51ebd94300cd0f0
MD5: 2a414be7c6dea6d4d1bfd77c3e9c9b25
M21-x7df1 | QuasarRAT_99643fdd | Windows | This strike sends a polymorphic malware sample known as QuasarRAT. In Oct 2021 Cisco Talos detected a campaign targeting Afghanistan and India utilizing malicious RTF documents to deliver malware to its victims. This campaign used CVE-2017-11882, a vulnerability in Microsoft Office, to deliver QuasarRAT and dcRAT to Windows and AndroidRAT to mobile devices. This sample is QuasarRAT. The binary has a random section name renamed according to the PE format specification. | 99643fddadebf383c3541121edd2d6d7 | https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html
SHA256: c78ae433ee5a1c69e08d16a1e5a99d947d49fe164548f15a6fcdf39550e905ce
https://arxiv.org/abs/1801.08917
PARENTID: M21-chag1
SSDEEP: 6144:0ApRn7cBmyt4ffD2fX7rlg20Q9RuXQw8vzlc59Tiq+6pOGtEAjjB5I91PbeOY2:hppemxDmdxLC95+Q0Sy
SHA1: 9d53c6b1bee63af84b8c451902ac9e9e3c8958d7
MD5: 99643fddadebf383c3541121edd2d6d7
M21-ap5i1 | QuasarRAT_8c18dae0 | Windows | This strike sends a polymorphic malware sample known as QuasarRAT. In Oct 2021 Cisco Talos detected a campaign targeting Afghanistan and India utilizing malicious RTF documents to deliver malware to its victims. This campaign used CVE-2017-11882, a vulnerability in Microsoft Office, to deliver QuasarRAT and dcRAT to Windows and AndroidRAT to mobile devices. This sample is QuasarRAT. The binary has the timestamp field updated in the PE file header. | 8c18dae0cea12938476f51238ebc6eab | https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html
SHA256: 85bf163b8560029177201ca9cf234ad99765320d2116f126a6d61b5a8b9765de
https://attack.mitre.org/techniques/T1099/
PARENTID: M21-8i981
SSDEEP: 6144:uB/P7uwS0bJqgs5A5yb5z+iq+6pOGbr2HIwY2:upG0d+R2+Q
SHA1: b951ac8ad389892bbb7d31b76dcfa158e95701c4
MD5: 8c18dae0cea12938476f51238ebc6eab
M21-o8up1 | LokiBot_630f9c03 | Windows | This strike sends a malware sample known as LokiBot. Lokibot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered via spam emails. | 630f9c038b9d219998a29dda39680060 | https://blog.talosintelligence.com/2021/10/threat-roundup-1001-1008.html
SHA256: 206c6eefae5bd720d295427fac6fc5a32b66376c549f85517d61d3af7f1c9af7
SHA1: 40c7ac27b983430d9ed4ec35e1f6e6d2eabef5cc
MD5: 630f9c038b9d219998a29dda39680060
M21-u2xd1 | QuasarRAT_a242ae56 | Windows | This strike sends a malware sample known as QuasarRAT. In Oct 2021 Cisco Talos detected a campaign targeting Afghanistan and India utilizing malicious RTF documents to deliver malware to its victims. This campaign used CVE-2017-11882, a vulnerability in Microsoft Office, to deliver QuasarRAT and dcRAT to Windows and AndroidRAT to mobile devices. This sample is QuasarRAT. | a242ae568af1fedc9d7540da878e817c | https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html
SHA256: 3b759b0c552cdc18c3d64e678e03c8a7996e07826b43f006344491cbba9f8c6a
SHA1: a509ff1fa5a7649275ada5172d713857f10bdeb5
MD5: a242ae568af1fedc9d7540da878e817c
M21-8i981 | QuasarRAT_b2880400 | Windows | This strike sends a malware sample known as QuasarRAT. In Oct 2021 Cisco Talos detected a campaign targeting Afghanistan and India utilizing malicious RTF documents to deliver malware to its victims. This campaign used CVE-2017-11882, a vulnerability in Microsoft Office, to deliver QuasarRAT and dcRAT to Windows and AndroidRAT to mobile devices. This sample is QuasarRAT. | b288040040a839a5bffe8b5e1dc60a89 | https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html
SHA256: 225b3fc01fa15d641e7f9fc67029e5fe8aefe0907f559d4f8c2802aa22235a36
SHA1: 94ec19dfb0e925ddc37009bfadf6803516c5dc24
MD5: b288040040a839a5bffe8b5e1dc60a89
M21-zfa41 | Formbook_01808133 | Windows | This strike sends a malware sample known as Formbook. This malicious sample is known as Formbook. Formbook is an information stealer that attempts to collect sensitive information from the target. | 01808133083391521ebac24a87e78dd7 | https://blog.talosintelligence.com/2021/10/threat-roundup-0924-1001.html
SHA256: d105b717b7320c3f5da89c8faabba236d360688d44d76e0a2fc2d62620ba0de6
SHA1: 75b7ae449dec3590d22251311b789fcec08b2908
MD5: 01808133083391521ebac24a87e78dd7
M21-u62u1 | Expiro_17661350 | Windows | This strike sends a malware sample known as Expiro. Expiro or Xpiro is a known file infector and information-stealer that hinders analysis with anti-debugging and anti-analysis tricks. | 1766135009a50699dd4746150e78d14d | https://blog.talosintelligence.com/2021/10/threat-roundup-1015-1022.html
SHA256: 04bcabb185bce64e2f16947523abd4af7ad708d5ae78565f0eb73f5541054376
SHA1: b00e1021145fb5599b1dd684b2eaea3329f0e94e
MD5: 1766135009a50699dd4746150e78d14d
M21-216v1 | QuasarRAT_97398d7f | Windows | This strike sends a polymorphic malware sample known as QuasarRAT. In Oct 2021 Cisco Talos detected a campaign targeting Afghanistan and India utilizing malicious RTF documents to deliver malware to its victims. This campaign used CVE-2017-11882, a vulnerability in Microsoft Office, to deliver QuasarRAT and dcRAT to Windows and AndroidRAT to mobile devices. This sample is QuasarRAT. The binary has the timestamp field updated in the PE file header. | 97398d7f8cf3ecd255a79daa0688090b | https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html
SHA256: 01b266de5cf663870209b726995588ea284d8ee027ea6fb6842e00032d89af47
https://attack.mitre.org/techniques/T1099/
PARENTID: M21-5op71
SSDEEP: 6144:A0Aabjn9CZMRyZeEvNybqo4pv4ubbqjh4JUiq+6pOG3Y2:A0RbRReNybqoUvxJE+Q
SHA1: 60890e97aafadcfe03cdcd8b402e2975d06cc6f3
MD5: 97398d7f8cf3ecd255a79daa0688090b
M21-kfv11 | LokiBot_91b4e621 | Windows | This strike sends a malware sample known as LokiBot. Lokibot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered via spam emails. | 91b4e6212de5a3db83fee9d1c0c9ca56 | https://blog.talosintelligence.com/2021/10/threat-roundup-1001-1008.html
SHA256: a46a5b4af1c83f1d59b970569dedeaa89c0c66affff2c36aa97332dc7e3372e9
SHA1: 67222c116ae23cfe17aa34093bccaa018b45a581
MD5: 91b4e6212de5a3db83fee9d1c0c9ca56
M21-3smz1 | Formbook_b002ce46 | Windows | This strike sends a polymorphic malware sample known as Formbook. This malicious sample is known as Formbook. Formbook is an information stealer that attempts to collect sensitive information from the target. The binary has a random section name renamed according to the PE format specification. | b002ce46b1e46169da575d284a9b9656 | https://blog.talosintelligence.com/2021/10/threat-roundup-0924-1001.html
SHA256: 345da7ba925eae85eef80a844bffa52f0470e283fdb9070ff1e02bd7bc568903
https://arxiv.org/abs/1801.08917
PARENTID: M21-57ek1
SSDEEP: 12288:q71aIFXG0LBXveSLxZrJuGmxXQUTcQvPPRK2mQgMM4/YGu1qh:qs6RL9veYLrJlIrTtnA9HGEM
SHA1: 902ff1959662401e8d66f4c3903e5356282d19ee
MD5: b002ce46b1e46169da575d284a9b9656
M21-agm61 | QuasarRAT_e5f4b2c5 | Windows | This strike sends a malware sample known as QuasarRAT. In Oct 2021 Cisco Talos detected a campaign targeting Afghanistan and India utilizing malicious RTF documents to deliver malware to its victims. This campaign used CVE-2017-11882, a vulnerability in Microsoft Office, to deliver QuasarRAT and dcRAT to Windows and AndroidRAT to mobile devices. This sample is QuasarRAT. | e5f4b2c5841de93eef284a02d0532c13 | https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html
SHA256: 559e72b06747efd927ff20e593885af781230e0c1003b733b2edc4784c5c5179
SHA1: 6d2e06f50978f75fe9365757c4f174fb88d0b30a
MD5: e5f4b2c5841de93eef284a02d0532c13
M21-ddhq1 | Expiro_7361a96f | Windows | This strike sends a malware sample known as Expiro. Expiro or Xpiro is a known file infector and information-stealer that hinders analysis with anti-debugging and anti-analysis tricks. | 7361a96fa8f72eb7d6b27ce60d10daca | https://blog.talosintelligence.com/2021/10/threat-roundup-1015-1022.html
SHA256: 170f54318a5984774331059eb0bc5e6f3675f52ef6e8c2ff55d0d2a5aba7efa6
SHA1: 142de00939eef4b48deb988e52e9518785e4fa2a
MD5: 7361a96fa8f72eb7d6b27ce60d10daca
M21-5op71 | QuasarRAT_7bec66ed | Windows | This strike sends a malware sample known as QuasarRAT. In Oct 2021 Cisco Talos detected a campaign targeting Afghanistan and India utilizing malicious RTF documents to deliver malware to its victims. This campaign used CVE-2017-11882, a vulnerability in Microsoft Office, to deliver QuasarRAT and dcRAT to Windows and AndroidRAT to mobile devices. This sample is QuasarRAT. | 7bec66ed971abfbff9b25447a39fcaee | https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html
SHA256: 2285ebca868523744c2093e1b70c9ecd9189926799bf3719bc3eb345ca4ae91c
SHA1: 69499427adafcf0979cbbe0b151624a78b5901e9
MD5: 7bec66ed971abfbff9b25447a39fcaee
M21-y4sg1 | Formbook_546b3cc7 | Windows | This strike sends a malware sample known as Formbook. This malicious sample is known as Formbook. Formbook is an information stealer that attempts to collect sensitive information from the target. | 546b3cc7640a0c3105f6674fd9e2debf | https://blog.talosintelligence.com/2021/10/threat-roundup-0924-1001.html
SHA256: 198a6c69303e222c1e37be51ff9cf68615b4879fb2b152f96aad90daf49c7df1
SHA1: 896625ab412bdf70ed2adff44ef021fba9fd5e2f
MD5: 546b3cc7640a0c3105f6674fd9e2debf
M21-6xpg1 | Expiro_a303b393 | Windows | This strike sends a malware sample known as Expiro. Expiro or Xpiro is a known file infector and information-stealer that hinders analysis with anti-debugging and anti-analysis tricks. | a303b3938a88af0faf21b8877085d7b5 | https://blog.talosintelligence.com/2021/10/threat-roundup-1015-1022.html
SHA256: 080e5a3a63eded752c945560de8d9c0ee483d4644475ef3f991a7f659f7c1089
SHA1: 6587fa6258353a7547b5f6768f5010f2cbe1eb2d
MD5: a303b3938a88af0faf21b8877085d7b5
M21-z7wp1 | QuasarRAT_a0eab09b | Windows | This strike sends a malware sample known as QuasarRAT. In Oct 2021 Cisco Talos detected a campaign targeting Afghanistan and India utilizing malicious RTF documents to deliver malware to its victims. This campaign used CVE-2017-11882, a vulnerability in Microsoft Office, to deliver QuasarRAT and dcRAT to Windows and AndroidRAT to mobile devices. This sample is QuasarRAT. | a0eab09b2095854612d931e2bdb3280d | https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html
SHA256: 9d26f6aec963e33c40856c52985322bbd2b84b284d6faf845bab9f8172c820e9
SHA1: 5ea224b2fdfb9502316199d99c1282703ad27a77
MD5: a0eab09b2095854612d931e2bdb3280d
M21-25s41 | Formbook_d16bb207 | Windows | This strike sends a malware sample known as Formbook. This malicious sample is known as Formbook. Formbook is an information stealer that attempts to collect sensitive information from the target. | d16bb20744b2d89ed3bd10f146dec18b | https://blog.talosintelligence.com/2021/10/threat-roundup-0924-1001.html
SHA256: 3bd6a9adf74441ad24715295a3a63d76cb6ea26139b4f60de88dfe642129faf0
SHA1: aaf1a4be94494fe9316274974687b0c581e188be
MD5: d16bb20744b2d89ed3bd10f146dec18b
M21-dcvg1 | Formbook_d09e6818 | Windows | This strike sends a polymorphic malware sample known as Formbook. This malicious sample is known as Formbook. Formbook is an information stealer that attempts to collect sensitive information from the target. The binary has random strings (lorem ipsum) appended at the end of the file. | d09e6818c698e74122c673c14082c603 | https://blog.talosintelligence.com/2021/10/threat-roundup-0924-1001.html
SHA256: 52e75ac49fbba726abbf18e2a136a7ec0ac7997251ee6fc026a59366f4c5d8a7
https://attack.mitre.org/techniques/T1009/
PARENTID: M21-fm4y1
SSDEEP: 12288:b71aIFXG0LBXveSLxZrJuGmxXQUTcQvPPRKKmQgMM4/YGu1qB:bs6RL9veYLrJlIrTtnAZHGEI
SHA1: 82388fdab78de0e557c05c8f2df551d24f0e76af
MD5: d09e6818c698e74122c673c14082c603
M21-tx7t1 | QuasarRAT_2a8d7552 | Windows | This strike sends a polymorphic malware sample known as QuasarRAT. In Oct 2021 Cisco Talos detected a campaign targeting Afghanistan and India utilizing malicious RTF documents to deliver malware to its victims. This campaign used CVE-2017-11882, a vulnerability in Microsoft Office, to deliver QuasarRAT and dcRAT to Windows and AndroidRAT to mobile devices. This sample is QuasarRAT. The binary has random strings (lorem ipsum) appended at the end of the file. | 2a8d7552b36e57aaa1bfa00abaf39d17 | https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html
SHA256: b6c024c4f1801ddcae1e7cf804467120a4bcfbf6e582a09c6ef795e9c41cf478
https://attack.mitre.org/techniques/T1009/
PARENTID: M21-zhl11
SSDEEP: 6144:7p/yD4w3p/mpcDYdkXtEj5cWrubOQNchU1p4CMgiq+6pOGbr2HIYxLZNjrvDJPbj:dUp0dkXt3bj3Np+QS3l
SHA1: 400eccc7378a4d1673f8258176fb0dc157f88d57
MD5: 2a8d7552b36e57aaa1bfa00abaf39d17
M21-s2i31 | Formbook_b143497e | Windows | This strike sends a malware sample known as Formbook. This malicious sample is known as Formbook. Formbook is an information stealer that attempts to collect sensitive information from the target. | b143497e7326cd491c695b556640192b | https://blog.talosintelligence.com/2021/10/threat-roundup-0924-1001.html
SHA256: d4a0c2c9e8f7e470b0fcf5e575f51ac83cd4be6ad1c188b2509672016ae8675a
SHA1: 4bd3bee623082ff28035695c54e920522bf4363e
MD5: b143497e7326cd491c695b556640192b
M21-ejhl1 | QuasarRAT_49423ccf | Windows | This strike sends a malware sample known as QuasarRAT. In Oct 2021 Cisco Talos detected a campaign targeting Afghanistan and India utilizing malicious RTF documents to deliver malware to its victims. This campaign used CVE-2017-11882, a vulnerability in Microsoft Office, to deliver QuasarRAT and dcRAT to Windows and AndroidRAT to mobile devices. This sample is QuasarRAT. | 49423ccf65f8582c9c7ff7cab20ac285 | https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html
SHA256: 3fdc641c6b0f01df5dea67bedc1e31cd58bd1606f03264a0c59096a0054101d6
SHA1: 2ec2d1a5661ea1fa0f3f4bcd077e44d8a810ad5b
MD5: 49423ccf65f8582c9c7ff7cab20ac285
M21-zy9o1 | Expiro_21c224a0 | Windows | This strike sends a malware sample known as Expiro. Expiro or Xpiro is a known file infector and information-stealer that hinders analysis with anti-debugging and anti-analysis tricks. | 21c224a0e05ba44213104e8f4ae66132 | https://blog.talosintelligence.com/2021/10/threat-roundup-1015-1022.html
SHA256: 0e3f0782a244e2d5c6a4157bf48bbf2be3002f20039d7358221c376634767f5f
SHA1: 32963358bfe3c34714cd7823cb5160f23c4d3c00
MD5: 21c224a0e05ba44213104e8f4ae66132
M21-e1so1 | dcRAT_f3c91609 | Windows | This strike sends a polymorphic malware sample known as dcRAT. In Oct 2021 Cisco Talos detected a campaign targeting Afghanistan and India utilizing malicious RTF documents to deliver malware to its victims. This campaign used CVE-2017-11882, a vulnerability in Microsoft Office, to deliver QuasarRAT and dcRAT to Windows and AndroidRAT to mobile devices. This sample is dcRAT. The binary has a new section added in the PE file format with random contents. | f3c91609bffe4ac5814a5bf0324467bd | https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html
SHA256: 67af8cb08bebe6ff9854847fff33faa7471fc91890c2c9f923b4c3db86aa403f
https://arxiv.org/abs/1801.08917
PARENTID: M21-5lsl1
SSDEEP: 1536:R19ao+g4jNgOqFPOKXm9eQt3UvZ3VTKnXYVwmuIKXGypF30l2qupqKmY7F:Nao+g4WZjSWscwmCXl07dzI
SHA1: 2075822c1faad71a44d1d77844b35025deea3b04
MD5: f3c91609bffe4ac5814a5bf0324467bd
M21-hsjy1 | Expiro_1abac5c7 | Windows | This strike sends a malware sample known as Expiro. Expiro or Xpiro is a known file infector and information-stealer that hinders analysis with anti-debugging and anti-analysis tricks. | 1abac5c78347e86a9b1969037cad5e5e | https://blog.talosintelligence.com/2021/10/threat-roundup-1015-1022.html
SHA256: 15c30a22113a5b3bf858d2f165d2e3f419193d481c20e8776be3b3c3f897b856
SHA1: b9932e8b4f1157ccdd0c89f1b493bd0298088654
MD5: 1abac5c78347e86a9b1969037cad5e5e
M21-xv0v1 | Expiro_e4b2e04e | Windows | This strike sends a malware sample known as Expiro. Expiro or Xpiro is a known file infector and information-stealer that hinders analysis with anti-debugging and anti-analysis tricks. | e4b2e04e617e3ccdb4bb5397fc9d04d5 | https://blog.talosintelligence.com/2021/10/threat-roundup-1015-1022.html
SHA256: 0d0e5dc20240ceceb5a0b05eacf1b8b487740e6c5c90d9c8934ae7183048b783
SHA1: 1e84e403270b0ae0d2be4f1e079fedeeee31b983
MD5: e4b2e04e617e3ccdb4bb5397fc9d04d5
M21-z8u41 | Expiro_3f328551 | Windows | This strike sends a malware sample known as Expiro. Expiro or Xpiro is a known file infector and information-stealer that hinders analysis with anti-debugging and anti-analysis tricks. | 3f328551144c693d7e93d15929b61f73 | https://blog.talosintelligence.com/2021/10/threat-roundup-1015-1022.html
SHA256: 0668e8eb649e50f45514bba3828861883ea2fde549f4f029dd3f0d8a25bf85b1
SHA1: 00a289caca9aed04814bede827e1d646f90b2652
MD5: 3f328551144c693d7e93d15929b61f73
M21-f7em1 | Formbook_2ba0a2a0 | Windows | This strike sends a polymorphic malware sample known as Formbook. This malicious sample is known as Formbook. Formbook is an information stealer that attempts to collect sensitive information from the target. The binary has random bytes appended at the end of the file. | 2ba0a2a0b3fb79d8a72b992860e00c10 | https://blog.talosintelligence.com/2021/10/threat-roundup-0924-1001.html
SHA256: a4a80ab9abf3e1399040a4829058c2514ec92033c6e389eccde10d28dd63e346
https://attack.mitre.org/techniques/T1009/
PARENTID: M21-fm4y1
SSDEEP: 12288:b71aIFXG0LBXveSLxZrJuGmxXQUTcQvPPRKKmQgMM4/YGu1qp:bs6RL9veYLrJlIrTtnAZHGEs
SHA1: f1d175ca29df0408afc58af599155a8efb9c74ca
MD5: 2ba0a2a0b3fb79d8a72b992860e00c10
M21-xzzb1 | QuasarRAT_4ac627ae | Windows | This strike sends a polymorphic malware sample known as QuasarRAT. In Oct 2021 Cisco Talos detected a campaign targeting Afghanistan and India utilizing malicious RTF documents to deliver malware to its victims. This campaign used CVE-2017-11882, a vulnerability in Microsoft Office, to deliver QuasarRAT and dcRAT to Windows and AndroidRAT to mobile devices. This sample is QuasarRAT. The binary has a random section name renamed according to the PE format specification. | 4ac627ae8786300915337a8833e87824 | https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html
SHA256: 669c11b84f0b6eb06c6b0f0074d6b43c81ea036bbdcb289f694d2c81bf7d18e1
https://arxiv.org/abs/1801.08917
PARENTID: M21-8i981
SSDEEP: 6144:rB/P7uwS0bJqgs5A5yb5z+iq+6pOGbr2HIwY2:rpG0d+R2+Q
SHA1: 3297b322799c287f1a2210013444aabe899235b9
MD5: 4ac627ae8786300915337a8833e87824
M21-72qi1 | Expiro_84a0b33b | Windows | This strike sends a malware sample known as Expiro. Expiro or Xpiro is a known file infector and information-stealer that hinders analysis with anti-debugging and anti-analysis tricks. | 84a0b33bd84b06b696919b48c0a4498b | https://blog.talosintelligence.com/2021/10/threat-roundup-1015-1022.html
SHA256: 0eb6f8335e6aeb57fd17cc34c6fb00548837093741461342672406677b9defb8
SHA1: f55e6388c776ee131ca3f810aa3e3597916eac2e
MD5: 84a0b33bd84b06b696919b48c0a4498b
M21-k60q1 | AndroidRAT_a0e72ce4 | Mixed | This strike sends a malware sample known as AndroidRAT. In Oct 2021 Cisco Talos detected a campaign targeting Afghanistan and India utilizing malicious RTF documents to deliver malware to its victims. This campaign used CVE-2017-11882, a vulnerability in Microsoft Office, to deliver QuasarRAT and dcRAT to Windows and AndroidRAT to mobile devices. This sample is AndroidRAT. | a0e72ce4f88f7f8dcccce31db8ace8a2 | https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html
SHA256: df4c1437b82b09b734858e5316b736e57aca7e459d8323e1681843f56f7d5470
SHA1: faf2f8bb14d1f831cfdf8fa25a4002e42b7b9162
MD5: a0e72ce4f88f7f8dcccce31db8ace8a2
M21-fm4y1 | Formbook_da8413de | Windows | This strike sends a malware sample known as Formbook. This malicious sample is known as Formbook. Formbook is an information stealer that attempts to collect sensitive information from the target. | da8413de8d3e993911acbc14f04a5881 | https://blog.talosintelligence.com/2021/10/threat-roundup-0924-1001.html
SHA256: 03811a474b07747d26379d33ee6788366f0d49bf993334d16607b361093463af
SHA1: dae4220aebf17fda27db3dd270ce76ed4a638f26
MD5: da8413de8d3e993911acbc14f04a5881
M21-3kj21 | QuasarRAT_165309af | Windows | This strike sends a malware sample known as QuasarRAT. In Oct 2021 Cisco Talos detected a campaign targeting Afghanistan and India utilizing malicious RTF documents to deliver malware to its victims. This campaign used CVE-2017-11882, a vulnerability in Microsoft Office, to deliver QuasarRAT and dcRAT to Windows and AndroidRAT to mobile devices. This sample is QuasarRAT. | 165309afb44362dd069f640c225fe8c3 | https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html
SHA256: 41b1deef9bd97206302d2a5caf585043b65651242cdf752f818527cf7a5c1162
SHA1: 7e3a205ec45fb65d5e8422eb5524122ff3a69454
MD5: 165309afb44362dd069f640c225fe8c3
M21-chag1 | QuasarRAT_42660126 | Windows | This strike sends a malware sample known as QuasarRAT. In Oct 2021 Cisco Talos detected a campaign targeting Afghanistan and India utilizing malicious RTF documents to deliver malware to its victims. This campaign used CVE-2017-11882, a vulnerability in Microsoft Office, to deliver QuasarRAT and dcRAT to Windows and AndroidRAT to mobile devices. This sample is QuasarRAT. | 4266012612ff2990cc08534ea0fefd32 | https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html
SHA256: 05b956e5614b120ece30d6574a0d19f47cb9f9806c87b7df77efaecf9afc8867
SHA1: e80fcf823d655f3f1f9bae9a5c35de1ef9240efb
MD5: 4266012612ff2990cc08534ea0fefd32
M21-ywth1 | QuasarRAT_4803127b | Windows | This strike sends a malware sample known as QuasarRAT. In Oct 2021 Cisco Talos detected a campaign targeting Afghanistan and India utilizing malicious RTF documents to deliver malware to its victims. This campaign used CVE-2017-11882, a vulnerability in Microsoft Office, to deliver QuasarRAT and dcRAT to Windows and AndroidRAT to mobile devices. This sample is QuasarRAT. | 4803127b429a1ed759c2b9709bd213bc | https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html
SHA256: 41a6a66be0ce44df094a8f4b6588960dda403701dd9105724e6dce2a429c4901
SHA1: a419541abf7f3d8fe4d78db38066c29286688f37
MD5: 4803127b429a1ed759c2b9709bd213bc
M21-fkec2 | Formbook_905d5725 | Windows | This strike sends a polymorphic malware sample known as Formbook. This malicious sample is known as Formbook. Formbook is an information stealer that attempts to collect sensitive information from the target. The binary has the checksum removed in the PE file format. | 905d5725cd20bea4c5024f456c07f59a | https://blog.talosintelligence.com/2021/10/threat-roundup-0924-1001.html
SHA256: 85269c7be7ab3844896c72f31ffd9bf68a46703d7ded8ba98a2a3edf2c002ca7
https://arxiv.org/abs/1801.08917
PARENTID: M21-fm4y1
SSDEEP: 12288:Q71aIFXG0LBXveSLxZrJuGmxXQUTcQvPPRKKmQgMM4/YGu1q:Qs6RL9veYLrJlIrTtnAZHGE
SHA1: d00535159b60f9e6865229d42f548b611da5e588
MD5: 905d5725cd20bea4c5024f456c07f59a
M21-k7a41 | Formbook_51d38940 | Windows | This strike sends a malware sample known as Formbook. This malicious sample is known as Formbook. Formbook is an information stealer that attempts to collect sensitive information from the target. | 51d38940d12472a0c3eb710fa8aa48e2 | https://blog.talosintelligence.com/2021/10/threat-roundup-0924-1001.html
SHA256: 68fc6fbd664578701fb3567897a5c7d94b8973b4085324b7dce91a9b123b5ff8
SHA1: 0bcd39bb133196f3dfd0ba30edbd65e124d63836
MD5: 51d38940d12472a0c3eb710fa8aa48e2
M21-dpxz1 | Formbook_88bf6373 | Windows | This strike sends a malware sample known as Formbook. This malicious sample is known as Formbook. Formbook is an information stealer that attempts to collect sensitive information from the target. | 88bf6373c1b7134bccd4b734f81f67be | https://blog.talosintelligence.com/2021/10/threat-roundup-0924-1001.html
SHA256: f81a53f5f0190d7d896949a8c28a1fd9d67736c060e779f430c5aa1b8b963acf
SHA1: a0b01a8c6d077a05eb915a465e5d8f995f4ea3cd
MD5: 88bf6373c1b7134bccd4b734f81f67be
M21-9v4d1 | QuasarRAT_0554ce06 | Windows | This strike sends a malware sample known as QuasarRAT. In Oct 2021 Cisco Talos detected a campaign targeting Afghanistan and India utilizing malicious RTF documents to deliver malware to its victims. This campaign used CVE-2017-11882, a vulnerability in Microsoft Office, to deliver QuasarRAT and dcRAT to Windows and AndroidRAT to mobile devices. This sample is QuasarRAT. | 0554ce06b4125e7910a5eeab7dd7a630 | https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html
SHA256: eeaa2388a49efc4f60f9681986e79159047758189cbda03a4d8a0f5f95d18f62
SHA1: 4e15912f2e3748ac9b287a5804d819d0778c37ea
MD5: 0554ce06b4125e7910a5eeab7dd7a630
M21-2zt11 | QuasarRAT_90f22ffd | Windows | This strike sends a polymorphic malware sample known as QuasarRAT. In Oct 2021 Cisco Talos detected a campaign targeting Afghanistan and India utilizing malicious RTF documents to deliver malware to its victims. This campaign used CVE-2017-11882, a vulnerability in Microsoft Office, to deliver QuasarRAT and dcRAT to Windows and AndroidRAT to mobile devices. This sample is QuasarRAT. The binary has a random section name renamed according to the PE format specification. | 90f22ffd06c929d7b576dae1226abbe5 | https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html
SHA256: 4414a26f5d3ee64713fdea21412c5f2322b8941424b53affa82284db3d21c14c
https://arxiv.org/abs/1801.08917
PARENTID: M21-zhl11
SSDEEP: 6144:zp/yD4w3p/mpcDYdkXtEj5cWrubOQNchU1p4CMgiq+6pOGbr2HIYxLZNjrvDJPbP:1Up0dkXt3bj3Np+QS3
SHA1: 24c66bf8c6f466836d2c6f47f8bd874e3c87ddd7
MD5: 90f22ffd06c929d7b576dae1226abbe5
M21-gifq1 | QuasarRAT_1a2eca4f | Windows | This strike sends a polymorphic malware sample known as QuasarRAT. In Oct 2021 Cisco Talos detected a campaign targeting Afghanistan and India utilizing malicious RTF documents to deliver malware to its victims. This campaign used CVE-2017-11882, a vulnerability in Microsoft Office, to deliver QuasarRAT and dcRAT to Windows and AndroidRAT to mobile devices. This sample is QuasarRAT. The binary has random bytes appended at the end of the file. | 1a2eca4f46165b8a4047642cc5bcdb79 | https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html
SHA256: 83ab0740d3f6739be1a1aec774145387e6030896c701ec4c57d0152ceec97803
https://attack.mitre.org/techniques/T1009/
PARENTID: M21-zhl11
SSDEEP: 6144:7p/yD4w3p/mpcDYdkXtEj5cWrubOQNchU1p4CMgiq+6pOGbr2HIYxLZNjrvDJPb/:dUp0dkXt3bj3Np+QS31
SHA1: c89caf63764d6c2fd1a8cacae8e6d399f47b1cf0
MD5: 1a2eca4f46165b8a4047642cc5bcdb79
M21-rqfj1 | Formbook_a08ca774 | Windows | This strike sends a malware sample known as Formbook. This malicious sample is known as Formbook. Formbook is an information stealer that attempts to collect sensitive information from the target. | a08ca774bbbc6f7f42aa7b4fede272b0 | https://blog.talosintelligence.com/2021/10/threat-roundup-0924-1001.html
SHA256: 4479f2a8ba10224ab48953c468ece2bf5fcb1ebc3f2546681bbd4de5f5d286dd
SHA1: d5f01c7e60aaf990f19218a69c413d9872a91d1a
MD5: a08ca774bbbc6f7f42aa7b4fede272b0
M21-pk101 | QuasarRAT_2ac240b3 | Windows | This strike sends a malware sample known as QuasarRAT. In Oct 2021 Cisco Talos detected a campaign targeting Afghanistan and India utilizing malicious RTF documents to deliver malware to its victims. This campaign used CVE-2017-11882, a vulnerability in Microsoft Office, to deliver QuasarRAT and dcRAT to Windows and AndroidRAT to mobile devices. This sample is QuasarRAT. | 2ac240b39360eaf3ee309439b71d5e98 | https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html
SHA256: 7fd4de65688a3f9545a86b950f84885681952a3712ac35ab11b94b2dfb756400
SHA1: 068c1d46b9d651095a988b7bd94a2b3773bfb8e0
MD5: 2ac240b39360eaf3ee309439b71d5e98
M21-qd5r1 | Formbook_e1884f7b | Windows | This strike sends a polymorphic malware sample known as Formbook. This malicious sample is known as Formbook. Formbook is an information stealer that attempts to collect sensitive information from the target. The binary has random bytes appended at the end of the file. | e1884f7ba2ea239be6cecbffb1c5ba1b | https://blog.talosintelligence.com/2021/10/threat-roundup-0924-1001.html
SHA256: 95caa0432abde621f3798afa8bdefb829ab4716d0b262525802cbd0abcff1ac3
https://attack.mitre.org/techniques/T1009/
PARENTID: M21-57ek1
SSDEEP: 12288:b71aIFXG0LBXveSLxZrJuGmxXQUTcQvPPRK2mQgMM4/YGu1qy:bs6RL9veYLrJlIrTtnA9HGEb
SHA1: 0cf3963434a0445f5e011951c65090fe6eb67b83
MD5: e1884f7ba2ea239be6cecbffb1c5ba1b
M21-i3gc1 | Formbook_530ed7ba | Windows | This strike sends a malware sample known as Formbook. This malicious sample is known as Formbook. Formbook is an information stealer that attempts to collect sensitive information from the target. | 530ed7ba1cd9425cc5bf2a8be3727305 | https://blog.talosintelligence.com/2021/10/threat-roundup-0924-1001.html
SHA256: 90e9c971939cb7168124cf0fb865d1166e6218608ccfeea19bd507b6df20bb5f
SHA1: af70062e4eccecd69e4e836607c5c3ae4c0d76ff
MD5: 530ed7ba1cd9425cc5bf2a8be3727305
M21-1etf1 | Expiro_a519ccd4 | Windows | This strike sends a malware sample known as Expiro. Expiro or Xpiro is a known file infector and information-stealer that hinders analysis with anti-debugging and anti-analysis tricks. | a519ccd41237377fd6ff189fc34aa4a2 | https://blog.talosintelligence.com/2021/10/threat-roundup-1015-1022.html
SHA256: 1672f8ebf942084f8f81542c5811097cb9f06aee42a6401028bdbbd618fe0d6e
SHA1: 79193e03f74a84f556309b135da942d61617a31a
MD5: a519ccd41237377fd6ff189fc34aa4a2
M21-yqgm1 | Expiro_e3f00ec8 | Windows | This strike sends a malware sample known as Expiro. Expiro or Xpiro is a known file infector and information-stealer that hinders analysis with anti-debugging and anti-analysis tricks. | e3f00ec88a61678f7aacdbd1d2a01bf4 | https://blog.talosintelligence.com/2021/10/threat-roundup-1015-1022.html
SHA256: 11045cab7fff44d58d71b788c797dafda423cd72e4d1741154601ae9ffcdd579
SHA1: 5e0c38bdad553507b33032733b435be16530eef2
MD5: e3f00ec88a61678f7aacdbd1d2a01bf4
M21-57ek1Formbook_457f3c74Windows This strike sends a malware sample known as Formbook. Formbook is an information stealer that attempts to collect sensitive information from the target.457f3c7400382ec8ebe7885d1c666aebhttps://blog.talosintelligence.com/2021/10/threat-roundup-0924-1001.html
SHA256: 1dcfdd6b6b25255658faf41cae5b9177ca760d249b95342100a09c9794004485
SHA1: f86ae1de55707181b6a0d03138b1cae646cf68ec
MD5: 457f3c7400382ec8ebe7885d1c666aeb
M21-w8371Expiro_31b46deeWindows This strike sends a malware sample known as Expiro. Expiro or Xpiro is a known file infector and information-stealer that hinders analysis with anti-debugging and anti-analysis tricks.31b46dee8917e8d73638bc3cca7c64cehttps://blog.talosintelligence.com/2021/10/threat-roundup-1015-1022.html
SHA256: 126444ca53c5cee76d16c6d2506568c9fde305a107b5df5aa9b5143a0e3804a3
SHA1: 11322a557da2ac56d36e1c863d4a5499a67b2e3e
MD5: 31b46dee8917e8d73638bc3cca7c64ce
M21-pyjk1QuasarRAT_ff5bd55cWindows This strike sends a polymorphic malware sample known as QuasarRAT. In Oct 2021 Cisco Talos detected a campaign targeting Afghanistan and India utilizing malicious RTF documents to deliver malware to its victims. This campaign used CVE-2017-11882, a vulnerability in Microsoft Office, to deliver QuasarRAT and dcRAT to Windows and AndroidRAT to mobile devices. This sample is QuasarRAT. The binary has a random section name renamed according to the PE format specification.ff5bd55cedfe5f35a62108bbd71cad99https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html
SHA256: 1d2df4a0a47b8d47a157c3c4b6dfed67631ea950b141ce681516e4736dac7346
https://arxiv.org/abs/1801.08917
PARENTID: M21-5op71
SSDEEP: 6144:50Aabjn9CZMRyZeEvNybqo4pv4ubbqjh4JUiq+6pOG3Y2:50RbRReNybqoUvxJE+Q
SHA1: b803a2a87d52d17403ebcbdb56d325f662f620a8
MD5: ff5bd55cedfe5f35a62108bbd71cad99
M21-o7661QuasarRAT_7978edcbWindows This strike sends a malware sample known as QuasarRAT. In Oct 2021 Cisco Talos detected a campaign targeting Afghanistan and India utilizing malicious RTF documents to deliver malware to its victims. This campaign used CVE-2017-11882, a vulnerability in Microsoft Office, to deliver QuasarRAT and dcRAT to Windows and AndroidRAT to mobile devices. This sample is QuasarRAT.7978edcbad9f05433cc5ad31f5d789e5https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html
SHA256: 2bb1d5abf8a662b406ddbb259695015c03c5f6c57e5d6716e71a6adcc8ad25b4
SHA1: fec7077318de6074886228b1b404f30c935aa82c
MD5: 7978edcbad9f05433cc5ad31f5d789e5
M21-ihgu1QuasarRAT_403b8d6aWindows This strike sends a malware sample known as QuasarRAT. In Oct 2021 Cisco Talos detected a campaign targeting Afghanistan and India utilizing malicious RTF documents to deliver malware to its victims. This campaign used CVE-2017-11882, a vulnerability in Microsoft Office, to deliver QuasarRAT and dcRAT to Windows and AndroidRAT to mobile devices. This sample is QuasarRAT.403b8d6ab089c03181e2d5e32ea809fehttps://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html
SHA256: b4877b8501aeb3c67d074c0a1756cede3ada9c48c183db9524cb2f0735f7a2a7
SHA1: 8631c1173222216c2b78fa5fedb30e110e56f46f
MD5: 403b8d6ab089c03181e2d5e32ea809fe
M21-oxj11QuasarRAT_4d80fa7cWindows This strike sends a malware sample known as QuasarRAT. In Oct 2021 Cisco Talos detected a campaign targeting Afghanistan and India utilizing malicious RTF documents to deliver malware to its victims. This campaign used CVE-2017-11882, a vulnerability in Microsoft Office, to deliver QuasarRAT and dcRAT to Windows and AndroidRAT to mobile devices. This sample is QuasarRAT.4d80fa7c54645ad2d89c122a8ff4c00bhttps://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html
SHA256: bd063b4e3ba52aea9126447ad5ed19859b78f1b7e4337ce13b0092ead053aa69
SHA1: af30f4eb9a9d0145b7436693d637b36cd5c2157e
MD5: 4d80fa7c54645ad2d89c122a8ff4c00b
M21-i55u1QuasarRAT_afae38a2Windows This strike sends a malware sample known as QuasarRAT. In Oct 2021 Cisco Talos detected a campaign targeting Afghanistan and India utilizing malicious RTF documents to deliver malware to its victims. This campaign used CVE-2017-11882, a vulnerability in Microsoft Office, to deliver QuasarRAT and dcRAT to Windows and AndroidRAT to mobile devices. This sample is QuasarRAT.afae38a2c92cbec37c3ef6b1414e1f4ehttps://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html
SHA256: 288d62e90b0ba8f9f64ea9db3b0e3831391d53c7149e8cebd0bfa712a4fc0387
SHA1: 78a2af54dad1f459e60fa5845bc997b6b4a957b0
MD5: afae38a2c92cbec37c3ef6b1414e1f4e
M21-g76i1QuasarRAT_c8ec00d8Windows This strike sends a polymorphic malware sample known as QuasarRAT. In Oct 2021 Cisco Talos detected a campaign targeting Afghanistan and India utilizing malicious RTF documents to deliver malware to its victims. This campaign used CVE-2017-11882, a vulnerability in Microsoft Office, to deliver QuasarRAT and dcRAT to Windows and AndroidRAT to mobile devices. This sample is QuasarRAT. The binary has the timestamp field updated in the PE file header.c8ec00d82b59bcfae34b249ac3892358https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html
SHA256: 8f40f7791949370fdc98674d5a158dd67ca57c95b42cc2d337f11b31351e7bb3
https://attack.mitre.org/techniques/T1099/
PARENTID: M21-xb051
SSDEEP: 6144:00Aabjn9CZwgNGDlP/qoQd4ub4V1h4JUiq+6pOG0Y2:00Rb9uKqoQ6GJE+Q
SHA1: c676985f968d97189919de900986a173b9f77690
MD5: c8ec00d82b59bcfae34b249ac3892358
M21-7se01QuasarRAT_cc7d5e4bWindows This strike sends a polymorphic malware sample known as QuasarRAT. In Oct 2021 Cisco Talos detected a campaign targeting Afghanistan and India utilizing malicious RTF documents to deliver malware to its victims. This campaign used CVE-2017-11882, a vulnerability in Microsoft Office, to deliver QuasarRAT and dcRAT to Windows and AndroidRAT to mobile devices. This sample is QuasarRAT. The binary has random strings (lorem ipsum) appended at the end of the file.cc7d5e4b2155c483ec3e3b4d71b871dchttps://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html
SHA256: a64e1f47e36b5336ebdbf713b0ccbb085a1cfee93c7ebca5cd76f2146b6ddb74
https://attack.mitre.org/techniques/T1009/
PARENTID: M21-1xqj1
SSDEEP: 6144:8BbPpkuPpFOjPDTRmDb0DbdMh47MVCTP2kb5RVOoueMByMBtnIQwGup0POu+UOLR:8rkd3VJHp
SHA1: 00069781fa9cc486f3fd92d0a2de2f3ab19fe28d
MD5: cc7d5e4b2155c483ec3e3b4d71b871dc
M21-om3m1Expiro_93dd0e8cWindows This strike sends a malware sample known as Expiro. Expiro or Xpiro is a known file infector and information-stealer that hinders analysis with anti-debugging and anti-analysis tricks.93dd0e8c12fdb1d378825a5a290cb39bhttps://blog.talosintelligence.com/2021/10/threat-roundup-1015-1022.html
SHA256: 0abad4d1c7523a6632bd44cbd1743d46e76ec15ce086cb45d946deb9a1ce78a7
SHA1: 55b076403a716952a21287e946daf01bbffe1362
MD5: 93dd0e8c12fdb1d378825a5a290cb39b
M21-ukyq1QuasarRAT_cc484d6fWindows This strike sends a polymorphic malware sample known as QuasarRAT. In Oct 2021 Cisco Talos detected a campaign targeting Afghanistan and India utilizing malicious RTF documents to deliver malware to its victims. This campaign used CVE-2017-11882, a vulnerability in Microsoft Office, to deliver QuasarRAT and dcRAT to Windows and AndroidRAT to mobile devices. This sample is QuasarRAT. The binary has random strings (lorem ipsum) appended at the end of the file.cc484d6f5f4742f3a355567db9261d84https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html
SHA256: 5d7b2fc38cc97338814c89ac0840bb62955354a75d6e7c157526fe23467852b9
https://attack.mitre.org/techniques/T1009/
PARENTID: M21-5op71
SSDEEP: 6144:f0Aabjn9CZMRyZeEvNybqo4pv4ubbqjh4JUiq+6pOG3Y2E:f0RbRReNybqoUvxJE+Qs
SHA1: dfcec4f42e06c1cfcddc33bf891889d7a8614690
MD5: cc484d6f5f4742f3a355567db9261d84
M21-itaz1Expiro_006d69c5Windows This strike sends a malware sample known as Expiro. Expiro or Xpiro is a known file infector and information-stealer that hinders analysis with anti-debugging and anti-analysis tricks.006d69c55af445e249fa154e4f31e55ahttps://blog.talosintelligence.com/2021/10/threat-roundup-1015-1022.html
SHA256: 0a9f501b1ba5c895dd52b15dfc4bdd02400e8af17ae5bb0b8b0dc89cde3a0dc8
SHA1: f975e55cc39cb625032aae8aa8371368406f235a
MD5: 006d69c55af445e249fa154e4f31e55a
M21-986a1QuasarRAT_18d698fcWindows This strike sends a polymorphic malware sample known as QuasarRAT. In Oct 2021 Cisco Talos detected a campaign targeting Afghanistan and India utilizing malicious RTF documents to deliver malware to its victims. This campaign used CVE-2017-11882, a vulnerability in Microsoft Office, to deliver QuasarRAT and dcRAT to Windows and AndroidRAT to mobile devices. This sample is QuasarRAT. The binary has the timestamp field updated in the PE file header.18d698fc8ffe2818994d411d2edc89e7https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html
SHA256: 5b379e5283c05ac7ceb69924fc0edb916420cfd334a80055b4b3b07d561a3c59
https://attack.mitre.org/techniques/T1099/
PARENTID: M21-i55u1
SSDEEP: 6144:MBbPpkuPpFOjPDTKRVOoueMByMBtnIQwGup0POu+UOL7v6gz93y9xsaF7Dc673Un:Mrkd38H
SHA1: 53b3f1c2109b9d1b07b4fe202392e9ca204f13d0
MD5: 18d698fc8ffe2818994d411d2edc89e7
M21-lyrv1LokiBot_2cd7b4b2Windows This strike sends a malware sample known as LokiBot. Lokibot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered via spam emails.2cd7b4b2357cc3a9f632f2c6efd120echttps://blog.talosintelligence.com/2021/10/threat-roundup-1001-1008.html
SHA256: 95bebad60ef380056aa1a3bf89487f7e498facddd6001a485a9b4344258151e8
SHA1: 33a2c43b15579d9de0ac3f7f0dca06e7ec1239a5
MD5: 2cd7b4b2357cc3a9f632f2c6efd120ec
M21-0kp01Formbook_2983786eWindows This strike sends a polymorphic malware sample known as Formbook. Formbook is an information stealer that attempts to collect sensitive information from the target. The binary has the timestamp field updated in the PE file header.2983786eb8a2877879dd7bbb2bafc8aehttps://blog.talosintelligence.com/2021/10/threat-roundup-0924-1001.html
SHA256: 47fedb5cba8fbd0f85db9add20870151886a051ed859f6fce1571c08cfde621e
https://attack.mitre.org/techniques/T1099/
PARENTID: M21-fm4y1
SSDEEP: 12288:A71aIFXG0LBXveSLxZrJuGmxXQUTcQvPPRKKmQgMM4/YGu1q:As6RL9veYLrJlIrTtnAZHGE
SHA1: cecc092e6cdd7219e0c889c18f01ecf6229b828d
MD5: 2983786eb8a2877879dd7bbb2bafc8ae

Malware Strikes September - 2021

Strike ID Malware Platform Info MD5 External References
M21-dmla1DarkComet_c42a46b5Windows This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system.c42a46b589226ebe80a14412b6fef211https://blog.talosintelligence.com/2021/09/threat-roundup-0903-0910.html
SHA256: 2df2e7bc6ece168068b0bbad79f4341505b4a6476a149b959a3d2fff32284b22
SHA1: c977641e3d28ccd6a66c759f2e67d5c04ad7838a
MD5: c42a46b589226ebe80a14412b6fef211
M21-uepc1DarkComet_83530a3bWindows This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system.83530a3bb89f17a0fd991f7813c97cd3https://blog.talosintelligence.com/2021/09/threat-roundup-0903-0910.html
SHA256: 3aa47ba611ca682157f941f6ca6a8162cd52fbfe48af41364d2e833ac2dd1e0c
SHA1: 5c053dee327595cb914701cdaa9ecd9e60ba048c
MD5: 83530a3bb89f17a0fd991f7813c97cd3
M21-d5kc1Ramnit_72acc4b7Windows This strike sends a malware sample known as Ramnit. Ramnit is a banking trojan that has been around since 2010 and has recently resumed activity. After infection, it scans files for interesting keywords, such as "wallet", "passwords", or the names of the targeted banks. Ramnit uses malvertising and malware-laden spam for distribution, though it has also employed popular exploit kits, such as Angler.72acc4b7e3fba55ed74b0f9a4defad94https://blog.talosintelligence.com/2021/09/threat-roundup-0910-0917.html
SHA256: 1f53b2bb2cdf231025629d111b3cbce1a2e24888eaf1a746d63e8db1ad1d9ac9
SHA1: 9b810a0eb1adf3c51da615e7c7457f1be1fe9084
MD5: 72acc4b7e3fba55ed74b0f9a4defad94
M21-p9zv1Ramnit_80d7449cWindows This strike sends a malware sample known as Ramnit. Ramnit is a banking trojan that has been around since 2010 and has recently resumed activity. After infection, it scans files for interesting keywords, such as "wallet", "passwords", or the names of the targeted banks. Ramnit uses malvertising and malware-laden spam for distribution, though it has also employed popular exploit kits, such as Angler.80d7449c3200c92e5018a8c6d83125a3https://blog.talosintelligence.com/2021/09/threat-roundup-0910-0917.html
SHA256: 4b44aa099d46daca89e2f7d5b1305daed3d520c2d771140dde297954f9de7bcb
SHA1: 4ec6dd3188f6c6121665a936392344f7ac7019ba
MD5: 80d7449c3200c92e5018a8c6d83125a3
M21-dbxw1Gh0stRAT_a61ffb11Windows This strike sends a malware sample known as Gh0stRAT. Gh0stRAT is a remote access Trojan that provides control over an infected system. Some of its known functions include the ability to record keystrokes, record screenshots and download additional malicious payloads.a61ffb1143f1c6bf04d41dff02e93edehttps://blog.talosintelligence.com/2021/09/threat-roundup-0910-0917.html
SHA256: 09465f394cac6a0c1b4940b17e4976bb5d5fbe81aa1959eefaeba65685de9b47
SHA1: ee59e32a2c8d660fc4a7736d92f297f62ef20852
MD5: a61ffb1143f1c6bf04d41dff02e93ede
M21-gb3o1Conti_9152cb45Windows This strike sends a malware sample known as Conti. Conti is a Ransomware-as-a-Service that in the past has been associated with TrickBot and is being called the successor to Ryuk. Most recently it has been seen attacking large organizations and government agencies. Conti not only encrypts the victim's files, but also steals their data and threatens to publish the stolen data. It uses known vulnerabilities, such as those in Microsoft SMB and the MS Print Spooler (CVE-2021-34527), to escalate privileges and move laterally throughout the network. Conti deploys Cobalt Strike beacons for C2 functionality, but also installs remote management software like AnyDesk and Atera to maintain persistence.9152cb45994adab4dc27c33ee72a66e1https://us-cert.cisa.gov/ncas/alerts/aa21-265a
https://www.cybereason.com/blog/cybereason-vs.-conti-ransomware
https://labs.vipre.com/how-conti-ransomware-works-and-our-analysis/
SHA256: d21c71a090cd6759efc1f258b4d087e82c281ce65a9d76f20a24857901e694fc
SHA1: ab0c3361bf3ab8b7c40883b2d3107aa7f1d7428b
MD5: 9152cb45994adab4dc27c33ee72a66e1
M21-vzya1LokiBot_eb6e6f02Windows This strike sends a malware sample known as LokiBot. Lokibot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered via spam emails.eb6e6f029fb992c914f3ef7ec14ac26dhttps://blog.talosintelligence.com/2021/09/threat-roundup-0827-0903.html
SHA256: 775677d40c4ca9b67ab6e7e752aa8feb19e1070a7c83efb8c8a4274e9fb62655
SHA1: 6dfd96cd8bb431883d1587e9d4e43e3c37aa6fe2
MD5: eb6e6f029fb992c914f3ef7ec14ac26d
M21-kcpb1Conti_90c44980Windows This strike sends a malware sample known as Conti. Conti is a Ransomware-as-a-Service that in the past has been associated with TrickBot and is being called the successor to Ryuk. Most recently it has been seen attacking large organizations and government agencies. Conti not only encrypts the victim's files, but also steals their data and threatens to publish the stolen data. It uses known vulnerabilities, such as those in Microsoft SMB and the MS Print Spooler (CVE-2021-34527), to escalate privileges and move laterally throughout the network. Conti deploys Cobalt Strike beacons for C2 functionality, but also installs remote management software like AnyDesk and Atera to maintain persistence.90c449800919d3905466e7baf739ad6dhttps://us-cert.cisa.gov/ncas/alerts/aa21-265a
https://www.cybereason.com/blog/cybereason-vs.-conti-ransomware
https://labs.vipre.com/how-conti-ransomware-works-and-our-analysis/
SHA256: a79dcac3753c055d7b46b5ffa27b1b4bb55516180966f20a2878698b81638137
SHA1: 9247da6bc1064ce559e3cb55f32b446377def75a
MD5: 90c449800919d3905466e7baf739ad6d
M21-fvpa1DarkComet_82ca4f6eWindows This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system.82ca4f6e2a35aa52ff49aa5c61a905b5https://blog.talosintelligence.com/2021/09/threat-roundup-0903-0910.html
SHA256: 915986e9f6ecb814d4c5321fc9f74bfe3436e7d4d79428922e7257ea9d8c2c77
SHA1: 8e1f86e60d88f6df9155aa21e550c30bf35c50ed
MD5: 82ca4f6e2a35aa52ff49aa5c61a905b5
M21-e6tp1Gh0stRAT_b56ebb9aWindows This strike sends a malware sample known as Gh0stRAT. Gh0stRAT is a remote access Trojan that provides control over an infected system. Some of its known functions include the ability to record keystrokes, record screenshots and download additional malicious payloads.b56ebb9adf9bc7f6105082f9b9d93b3bhttps://blog.talosintelligence.com/2021/09/threat-roundup-0910-0917.html
SHA256: 00e3b8e69aa44067b54bc1ae6782ba0516f12e8a52ac179d570f034f4f2b51b0
SHA1: 3a113dd4110107e111dab86c815aedc5676d29fb
MD5: b56ebb9adf9bc7f6105082f9b9d93b3b
M21-b5bh1Chthonic_adb1e861Windows This strike sends a malware sample known as Chthonic. Chthonic is a banking trojan that is normally delivered by the attacker via phishing emails. Its purpose is to exfiltrate sensitive credentials from the victim machine, and it has also been seen delivering other malware like AZORult to perform additional functionality.adb1e8619419ccaf530aa03e709d670ahttps://blog.talosintelligence.com/2021/09/threat-roundup-0903-0910.html
SHA256: df84b3ea23c8e53476c50b91d199332de986cd4d7569d0a96a9072809f5d339b
SHA1: a3c53db8088d522051d63b970c51896d779acf97
MD5: adb1e8619419ccaf530aa03e709d670a
M21-fj681Gh0stRAT_16b909eaWindows This strike sends a malware sample known as Gh0stRAT. Gh0stRAT is a remote access Trojan that provides control over an infected system. Some of its known functions include the ability to record keystrokes, record screenshots and download additional malicious payloads.16b909ea39f0a1f22a176bf3418ab148https://blog.talosintelligence.com/2021/09/threat-roundup-0910-0917.html
SHA256: 03ab20c8652f04a14665d13d317320d5ee52adc585aac02a8effeb82911b96e4
SHA1: 4d419a33d1cd956688b50d713aba4c5bcc00816e
MD5: 16b909ea39f0a1f22a176bf3418ab148
M21-1s0v1DarkComet_e439db25Windows This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system.e439db25dd10f03b22cedc55b1e47b90https://blog.talosintelligence.com/2021/09/threat-roundup-0903-0910.html
SHA256: b9d58b8be3dcb3408db5959914c745f33b2d4799255f280b783c833e0aa8882f
SHA1: 20555c68b4a9756e7a1c2933a0d3be2ee22e07be
MD5: e439db25dd10f03b22cedc55b1e47b90
M21-t9f71Ramnit_64823e3aWindows This strike sends a malware sample known as Ramnit. Ramnit is a banking trojan that has been around since 2010 and has recently resumed activity. After infection, it scans files for interesting keywords, such as "wallet", "passwords", or the names of the targeted banks. Ramnit uses malvertising and malware-laden spam for distribution, though it has also employed popular exploit kits, such as Angler.64823e3ac192f97854cbecc718b7812ehttps://blog.talosintelligence.com/2021/09/threat-roundup-0910-0917.html
SHA256: 4487b05f45126990d83bf85ece9881d322f8e838199a480c262739a56662571a
SHA1: 847fbbf229a403ab5ae69a3c54213c26061f9a5e
MD5: 64823e3ac192f97854cbecc718b7812e
M21-qe5k1Gh0stRAT_10733ef1Windows This strike sends a malware sample known as Gh0stRAT. Gh0stRAT is a remote access Trojan that provides control over an infected system. Some of its known functions include the ability to record keystrokes, record screenshots and download additional malicious payloads.10733ef18028d94596776413baba9920https://blog.talosintelligence.com/2021/09/threat-roundup-0910-0917.html
SHA256: 069b0ae9a78de0f715079166410e5f19a149b3afeb42f24de28c9261c62d22ba
SHA1: 469e7eebb7697b26a5e522f34a3a3fec53b7f320
MD5: 10733ef18028d94596776413baba9920
M21-pa711Ramnit_f8224fd6Windows This strike sends a malware sample known as Ramnit. Ramnit is a banking trojan that has been around since 2010 and has recently resumed activity. After infection, it scans files for interesting keywords, such as "wallet", "passwords", or the names of the targeted banks. Ramnit uses malvertising and malware-laden spam for distribution, though it has also employed popular exploit kits, such as Angler.f8224fd6a29b1ca1258840c26cddaab3https://blog.talosintelligence.com/2021/09/threat-roundup-0910-0917.html
SHA256: 17b87bb0177b06186af0d002812a5729b718a9552f445dd6d91787a3a6d9711a
SHA1: 91e6370918ab9f319d70fa8c310610c7e6da1d3a
MD5: f8224fd6a29b1ca1258840c26cddaab3
M21-zy5u1LokiBot_123f0bb7Windows This strike sends a malware sample known as LokiBot. Lokibot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered via spam emails.123f0bb70e58dae81a3398cbe049c132https://blog.talosintelligence.com/2021/09/threat-roundup-0827-0903.html
SHA256: e956610f17d065cecb6aabbc5b60fb410bfcd1f2f0a1b1120f0fa93a4a129298
SHA1: a4f3efc23fae2b5ce72dab0cb675c38de3c7746c
MD5: 123f0bb70e58dae81a3398cbe049c132
M21-53f71Ramnit_97fdbb3cWindows This strike sends a malware sample known as Ramnit. Ramnit is a banking trojan that has been around since 2010 and has recently resumed activity. After infection, it scans files for interesting keywords, such as "wallet", "passwords", or the names of the targeted banks. Ramnit uses malvertising and malware-laden spam for distribution, though it has also employed popular exploit kits, such as Angler.97fdbb3c51dc510b5f5a18310deabaf3https://blog.talosintelligence.com/2021/09/threat-roundup-0910-0917.html
SHA256: 0808e5eb801b4c296859668c62510ffc7bcafe3af8cb2c7db2318adf311089f7
SHA1: 987dc4d5eb95e27a88983c294186207dcd65ce63
MD5: 97fdbb3c51dc510b5f5a18310deabaf3
M21-agot1Gh0stRAT_fb38fdbfWindows This strike sends a malware sample known as Gh0stRAT. Gh0stRAT is a remote access Trojan that provides control over an infected system. Some of its known functions include the ability to record keystrokes, record screenshots and download additional malicious payloads.fb38fdbf6527cfa784a8f9d6dde56a3fhttps://blog.talosintelligence.com/2021/09/threat-roundup-0910-0917.html
SHA256: 0959881479eec075100f34b708776e3039a89f4660428962a30bc4c82c9b0b44
SHA1: eac82c7bcad8cb8a07023efff6a243a1c22cbca9
MD5: fb38fdbf6527cfa784a8f9d6dde56a3f
M21-ap9a1Gh0stRAT_5544f188Windows This strike sends a malware sample known as Gh0stRAT. Gh0stRAT is a remote access Trojan that provides control over an infected system. Some of its known functions include the ability to record keystrokes, record screenshots and download additional malicious payloads.5544f188c207c2b04e07f9f74f18874bhttps://blog.talosintelligence.com/2021/09/threat-roundup-0910-0917.html
SHA256: 0142aff97cb54fa7374cd2bcdf4b5d5c7d9a248888102fa0212570e79d7c5159
SHA1: a7d4fcdc90d66e229f5b8f968735142806767a8f
MD5: 5544f188c207c2b04e07f9f74f18874b
M21-tm0n1Ramnit_072ba4daWindows This strike sends a malware sample known as Ramnit. Ramnit is a banking trojan that has been around since 2010 and has recently resumed activity. After infection, it scans files for interesting keywords, such as "wallet", "passwords", or the names of the targeted banks. Ramnit uses malvertising and malware-laden spam for distribution, though it has also employed popular exploit kits, such as Angler.072ba4daab79f726d03cd3276339f31ahttps://blog.talosintelligence.com/2021/09/threat-roundup-0910-0917.html
SHA256: 7656fe348d4f3c1d28e02d2dabd32f3aea6f448b57a47b0a3e134fdeef2af0d4
SHA1: 0b504902391c0a8d5cd53e6bcc51c3dcee42e263
MD5: 072ba4daab79f726d03cd3276339f31a
M21-qbe01DarkComet_b8a44c83Windows This strike sends a polymorphic malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system. The binary has random bytes appended at the end of the file.b8a44c83650a1416fa661c9ed44529eahttps://blog.talosintelligence.com/2021/09/threat-roundup-0903-0910.html
SHA256: 0d90496dce90bd779ec34fb1b97553e3f5649aac030c0d21a9e232f99136e97f
https://attack.mitre.org/techniques/T1009/
PARENTID: M21-rp7r1
SSDEEP: 24576:1vbw2K+J+ZsLgRadoasbwegPK5Tc98+oeT7HBK+karr87cR17zMW1AeVFH2:1vbNsRadx+wpec9T7HNP8Q7XR72
SHA1: c958618f818a25d1c30ce570f6349c4a25a44af8
MD5: b8a44c83650a1416fa661c9ed44529ea
M21-b8tr1DarkComet_084b0f16Windows This strike sends a polymorphic malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system. The binary has the timestamp field updated in the PE file header.084b0f165368df6f048a0aac03c55240https://blog.talosintelligence.com/2021/09/threat-roundup-0903-0910.html
SHA256: 56df93d03b5388160545dc4b5352fbc82beb945f1bca562eaa7f4e99945ee0f2
https://attack.mitre.org/techniques/T1099/
PARENTID: M21-f4jk1
SSDEEP: 24576:0vbw2K+J+ZsLgRaYoaleftcYulSoCjn1AeVFH:0vbNsRaYxlYMlSoCjx7
SHA1: 2422da34f9e871a8522d7f5c5acf311e7d551aec
MD5: 084b0f165368df6f048a0aac03c55240
M21-xoia1DarkComet_4a7e069eWindows This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system.4a7e069efb5972d4d99a9161b6b36f40https://blog.talosintelligence.com/2021/09/threat-roundup-0903-0910.html
SHA256: 6b9364e52522220fed5f2c2dce530c5817ed50542a9d00893434fcf4dd1b6f31
SHA1: 50dc31d4d3176ad28ddca8e903e513e6e13b7554
MD5: 4a7e069efb5972d4d99a9161b6b36f40
M21-n1ch1DarkComet_5bd6a495Windows This strike sends a polymorphic malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system. The binary has random bytes appended at the end of the file.5bd6a4959e85dc87e9fcd0da98bd36abhttps://blog.talosintelligence.com/2021/09/threat-roundup-0903-0910.html
SHA256: 7cbf201a5edf3bd268a36d0ca8828ebbb6c988dc78616e11e5e7687ac5942175
https://attack.mitre.org/techniques/T1009/
PARENTID: M21-1s0v1
SSDEEP: 24576:fvbw2K+J+ZsLgRacoapbwegPK5Tc98+oeT7HBK+karr87cR17zMue1AeVFHo:fvbNsRacxVwpec9T7HNP8Q7X5s7o
SHA1: d17ee4bccd3d7a5c24f13627b823a297edbef681
MD5: 5bd6a4959e85dc87e9fcd0da98bd36ab
M21-wkcz1LokiBot_7eecfc0dWindows This strike sends a polymorphic malware sample known as LokiBot. Lokibot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered via spam emails. The binary has random strings (lorem ipsum) appended at the end of the file.7eecfc0d8fff84b306e0bbade7c6c6a3https://blog.talosintelligence.com/2021/09/threat-roundup-0827-0903.html
SHA256: 9f199d932b5828a5ba993bf4952377bbb19449dac9b74096e43c27a74a24a059
https://attack.mitre.org/techniques/T1009/
PARENTID: M21-zy5u1
SSDEEP: 12288:1PZxZrNJqkIGTtjOrn85QMORn01GG53MHGkXuccGLpcyL:1PFNJqZGTtj2OROC1/MmUucci
SHA1: 69d347938b2e9f96635816e1934501ce42fcd9e1
MD5: 7eecfc0d8fff84b306e0bbade7c6c6a3
M21-o97p1Gh0stRAT_9a04833eWindows This strike sends a malware sample known as Gh0stRAT. Gh0stRAT is a remote access Trojan that provides control over an infected system. Some of its known functions include the ability to record keystrokes, record screenshots and download additional malicious payloads.9a04833e6ac8a5bf621fcc492e88ee83https://blog.talosintelligence.com/2021/09/threat-roundup-0910-0917.html
SHA256: 02f8f3df8431ebfd94883a4371db149bd56a0be361119917e110e8525592bcd3
SHA1: 61882fcc4b7445244f744997e5773e96c6c4f5de
MD5: 9a04833e6ac8a5bf621fcc492e88ee83
M21-h0n01Gh0stRAT_84de5fb9Windows This strike sends a malware sample known as Gh0stRAT. Gh0stRAT is a remote access Trojan that provides control over an infected system. Some of its known functions include the ability to record keystrokes, record screenshots and download additional malicious payloads.84de5fb9b9067e63fd51f44777d898f0https://blog.talosintelligence.com/2021/09/threat-roundup-0910-0917.html
SHA256: 01cae7f89b08cdbc638d9877287ed1446cb0cbf6ec4f02623d6560d1d4a0fb88
SHA1: 3b5a5a7a7c7af102ee143d1182766f15b54dbdb8
MD5: 84de5fb9b9067e63fd51f44777d898f0
M21-h13v1Gh0stRAT_be41f5c4Windows This strike sends a malware sample known as Gh0stRAT. Gh0stRAT is a remote access Trojan that provides control over an infected system. Some of its known functions include the ability to record keystrokes, record screenshots and download additional malicious payloads.be41f5c41e8594602a405b72a5b23060https://blog.talosintelligence.com/2021/09/threat-roundup-0910-0917.html
SHA256: 13162af2f183acdc8c986dead1d6cd0094cafa755ec581b1c7aa658b49b4e3cb
SHA1: b32affbf9286fb2a5460b5d386fc10118592475d
MD5: be41f5c41e8594602a405b72a5b23060
M21-bmvf1DarkComet_3384f056Windows This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system.3384f05676215c2d78e9c66a11ee47a0https://blog.talosintelligence.com/2021/09/threat-roundup-0903-0910.html
SHA256: 63de8e57cde2b28aafe98139387edd337ad9cf2ff6bd6b6dd2f23e0fa8c6d2d7
SHA1: 0856a0101caeab7ee2465b1cd6910f99e2423c5d
MD5: 3384f05676215c2d78e9c66a11ee47a0
M21-1eko1LokiBot_84f21713Windows This strike sends a malware sample known as LokiBot. Lokibot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered via spam emails.84f21713a93c0c1da2be63ca7ee14815https://blog.talosintelligence.com/2021/09/threat-roundup-0827-0903.html
SHA256: ce37853230e3c31906b943729a29ac2dac5b4eaba25dc5df32dde1f16a050937
SHA1: 3183d66b4257fafd7ee8b05f905233784161af36
MD5: 84f21713a93c0c1da2be63ca7ee14815
M21-chxf1Gh0stRAT_6524e285Windows This strike sends a malware sample known as Gh0stRAT. Gh0stRAT is a remote access Trojan that provides control over an infected system. Some of its known functions include the ability to record keystrokes, record screenshots and download additional malicious payloads.6524e285d22bb93b6cf2f210c6b9eb7bhttps://blog.talosintelligence.com/2021/09/threat-roundup-0910-0917.html
SHA256: 0e8a6f4037adca10232d11c3c48a7f6f2057c2714df35a31a7e1a8679e8780c3
SHA1: 4ccb63f5e31a43e6a1280ba738cf861475af5779
MD5: 6524e285d22bb93b6cf2f210c6b9eb7b
M21-x4k21Ramnit_ecd995ebWindows This strike sends a malware sample known as Ramnit. Ramnit is a banking trojan that has been around since 2010 and has recently resumed activity. After infection, it scans files for interesting keywords, such as "wallet", "passwords", or the names of the targeted banks. Ramnit uses malvertising and malware-laden spam for distribution, though it has also employed popular exploit kits, such as Angler.ecd995ebc8f0278728cd44682da5bcedhttps://blog.talosintelligence.com/2021/09/threat-roundup-0910-0917.html
SHA256: 780006fe63156c3a35c02dcf99dab725c0888ebafc305098a8c9003b60569b6a
SHA1: f4833b68d5d9ba66b2bc6611f8f64176d0ff85b0
MD5: ecd995ebc8f0278728cd44682da5bced
Strike ID: M21-7ky71 | Malware: Chthonic_a5cdcf1b | Platform: Windows | Info: This strike sends a malware sample known as Chthonic. Chthonic is a banking trojan that is normally delivered by the attacker via phishing emails. Its purpose is to exfiltrate sensitive credentials from the victim machine, and it has also been seen delivering other malware like AZORult to perform additional functionality. | MD5: a5cdcf1b8a826d3fba2b892ae203d366 | External References: https://blog.talosintelligence.com/2021/09/threat-roundup-0903-0910.html
SHA256: acbb1798102314cda754c7ebc6616734493e5ab373fd58bd0d1cc7e4b1fef622
SHA1: 752a74d2bb57453c362082f112494a3306cc703c
MD5: a5cdcf1b8a826d3fba2b892ae203d366
Strike ID: M21-7prg1 | Malware: Gh0stRAT_f05288d0 | Platform: Windows | Info: This strike sends a malware sample known as Gh0stRAT. Gh0stRAT is a remote access Trojan that provides control over an infected system. Some of its known functions include the ability to record keystrokes, record screenshots and download additional malicious payloads. | MD5: f05288d0c72b65c0cf71852454a17fcf | External References: https://blog.talosintelligence.com/2021/09/threat-roundup-0910-0917.html
SHA256: 0962146c22ddd339bed084393f6e7294db073be111bfac00274029c63cd39b62
SHA1: 4df30f8c92a216d900fc21c556a3f3f39b05dc2a
MD5: f05288d0c72b65c0cf71852454a17fcf
Strike ID: M21-pcf11 | Malware: DarkComet_1219a18c | Platform: Windows | Info: This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system. | MD5: 1219a18c7f3e406d8599bbab3b962e2e | External References: https://blog.talosintelligence.com/2021/09/threat-roundup-0903-0910.html
SHA256: 0c9e25ae663a02c16684fc6117211d541047cf581b41712b336ee5c75be623d2
SHA1: 8e326dec551e3d1d9eb8a7f2278caf6e1d27ce7f
MD5: 1219a18c7f3e406d8599bbab3b962e2e
Strike ID: M21-s8su1 | Malware: Chthonic_6f3520ec | Platform: Windows | Info: This strike sends a malware sample known as Chthonic. Chthonic is a banking trojan that is normally delivered by the attacker via phishing emails. Its purpose is to exfiltrate sensitive credentials from the victim machine, and it has also been seen delivering other malware like AZORult to perform additional functionality. | MD5: 6f3520ece3ccbfb8011b9545fd8dfd0c | External References: https://blog.talosintelligence.com/2021/09/threat-roundup-0903-0910.html
SHA256: f162f87ff7167b24f33b6cf0065ba0864f6fec34a4a027857b2f17cee547df69
SHA1: ce1d6486cf5f967c450641405f2ea943a2cf4bf6
MD5: 6f3520ece3ccbfb8011b9545fd8dfd0c
Strike ID: M21-f2pg1 | Malware: Gh0stRAT_b5b8cfa2 | Platform: Windows | Info: This strike sends a malware sample known as Gh0stRAT. Gh0stRAT is a remote access Trojan that provides control over an infected system. Some of its known functions include the ability to record keystrokes, record screenshots and download additional malicious payloads. | MD5: b5b8cfa2a4e8978f64149d17da577b6d | External References: https://blog.talosintelligence.com/2021/09/threat-roundup-0910-0917.html
SHA256: 14eb700b0ec085ece8a58189c001c3b31505ef4f4bd9d5d1b224ce3b6c3812e9
SHA1: 36a8395c3695a16b46faf8f72870e37ee4441076
MD5: b5b8cfa2a4e8978f64149d17da577b6d
Strike ID: M21-6jo51 | Malware: DarkComet_c2245f15 | Platform: Windows | Info: This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system. | MD5: c2245f152402595fa0591418cf55d290 | External References: https://blog.talosintelligence.com/2021/09/threat-roundup-0903-0910.html
SHA256: a03c55746fdfca47e1d330fbbde77a0f88de57501af179a1a7fab5b5d9eea74e
SHA1: 6d0563ed6ca14fe4940bb4aae6bf4cf8e1a77685
MD5: c2245f152402595fa0591418cf55d290
Strike ID: M21-rp7r1 | Malware: DarkComet_3020a3cf | Platform: Windows | Info: This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system. | MD5: 3020a3cf445d52f1e270be0f61154dce | External References: https://blog.talosintelligence.com/2021/09/threat-roundup-0903-0910.html
SHA256: f302cacd51bba40b0cc019c29cdbb5dc41ab023b9d90c174788d44397d6689fc
SHA1: b9db9191e592184e293cd6ba8eb3a870e8aef23c
MD5: 3020a3cf445d52f1e270be0f61154dce
Strike ID: M21-coq31 | Malware: Chthonic_d3bd502b | Platform: Windows | Info: This strike sends a malware sample known as Chthonic. Chthonic is a banking trojan that is normally delivered by the attacker via phishing emails. Its purpose is to exfiltrate sensitive credentials from the victim machine, and it has also been seen delivering other malware like AZORult to perform additional functionality. | MD5: d3bd502b5eb378de043d15938f730b75 | External References: https://blog.talosintelligence.com/2021/09/threat-roundup-0903-0910.html
SHA256: 2686c83169d3e2c5caacb08d3e4c6a1efae37d36d40ed4d8a5b4382022fea305
SHA1: c887003fff00124804d5cd19d319f9ab04fd0d43
MD5: d3bd502b5eb378de043d15938f730b75
Strike ID: M21-vde61 | Malware: LokiBot_5cc22a11 | Platform: Windows | Info: This strike sends a polymorphic malware sample known as LokiBot. LokiBot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered via spam emails. The binary has random strings (lorem ipsum) appended at the end of the file. | MD5: 5cc22a110c449112b320edf81f3b3330 | External References: https://blog.talosintelligence.com/2021/09/threat-roundup-0827-0903.html
SHA256: 3b7f9de42a862358900ea01963f701a5f51b18c43757f82f99c1dc9f3b76d7bc
https://attack.mitre.org/techniques/T1009/
PARENTID: M21-b08w1
SSDEEP: 12288:VPZxZrNJqkIGTtjOrn85QMORn01GG53MHGkXuccGLpcyP:VPFNJqZGTtj2OROC1/MmUuccC
SHA1: 8c87f1f983d647172eee3659f9a02705e2fcf94b
MD5: 5cc22a110c449112b320edf81f3b3330
Strike ID: M21-udr31 | Malware: DarkComet_0ea9e3da | Platform: Windows | Info: This strike sends a polymorphic malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system. The binary has been packed using the UPX packer with the default options. | MD5: 0ea9e3daf54f3bce7e88362025bfc2c1 | External References: https://blog.talosintelligence.com/2021/09/threat-roundup-0903-0910.html
SHA256: 1a50da2e34fef481942d33f0275690b7e76c8fa7a6734a3581bccd6cbf4537ef
https://attack.mitre.org/techniques/T1045/
PARENTID: M21-f4jk1
SSDEEP: 12288:/cecuDQJNJxxC41O3xZccHJgTMCfRwq8juJq3OO43JZi9lrJyiMyU+uQbq6jbFkp:/cebDuNJfC41O37gTnwq8juUez3rifFw
SHA1: 510da5065efcf29be427e4588e525b88f34c23cc
MD5: 0ea9e3daf54f3bce7e88362025bfc2c1
Strike ID: M21-t70s1 | Malware: LokiBot_ad5b37cf | Platform: Windows | Info: This strike sends a malware sample known as LokiBot. LokiBot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered via spam emails. | MD5: ad5b37cf2635524bfb9111057c593b57 | External References: https://blog.talosintelligence.com/2021/09/threat-roundup-0827-0903.html
SHA256: 2e7f2c37cf935b53e9ab894b0a5a4ff6108ebec7ec113b9d6c103c226b750a6e
SHA1: 8c803c23ef708e80a89e2847370e62f737a30b04
MD5: ad5b37cf2635524bfb9111057c593b57
Strike ID: M21-75gl1 | Malware: Chthonic_b4f83819 | Platform: Windows | Info: This strike sends a malware sample known as Chthonic. Chthonic is a banking trojan that is normally delivered by the attacker via phishing emails. Its purpose is to exfiltrate sensitive credentials from the victim machine, and it has also been seen delivering other malware like AZORult to perform additional functionality. | MD5: b4f8381988ce8b623949a5a64e547560 | External References: https://blog.talosintelligence.com/2021/09/threat-roundup-0903-0910.html
SHA256: 110258afe7180e835a6388f63f44e2be5df5859610eba3306e2968ec8e9625fd
SHA1: 8ac3c8555d7b443fc84477b4ea878f157a92cd5a
MD5: b4f8381988ce8b623949a5a64e547560
Strike ID: M21-zixx1 | Malware: Gh0stRAT_572f5ee8 | Platform: Windows | Info: This strike sends a malware sample known as Gh0stRAT. Gh0stRAT is a remote access Trojan that provides control over an infected system. Some of its known functions include the ability to record keystrokes, record screenshots and download additional malicious payloads. | MD5: 572f5ee8ebf9b86c48906dbbb928a78a | External References: https://blog.talosintelligence.com/2021/09/threat-roundup-0910-0917.html
SHA256: 13bbdcab4d1a21467e8507e805d5299bee0d222718501ecf8460c339efef3d1b
SHA1: 207cef1c5072ec180dfd12a431d34dc5b29fde65
MD5: 572f5ee8ebf9b86c48906dbbb928a78a
Strike ID: M21-fn0j1 | Malware: Gh0stRAT_ac8b5f9b | Platform: Windows | Info: This strike sends a malware sample known as Gh0stRAT. Gh0stRAT is a remote access Trojan that provides control over an infected system. Some of its known functions include the ability to record keystrokes, record screenshots and download additional malicious payloads. | MD5: ac8b5f9b4ad83be4f596bb5c953f1dd8 | External References: https://blog.talosintelligence.com/2021/09/threat-roundup-0910-0917.html
SHA256: 13788db1bc609b910137b380e51bbd0bde0938d92a3faf8520c4690aa566b2a1
SHA1: 25a80378742594108e6410a323687d302b925c47
MD5: ac8b5f9b4ad83be4f596bb5c953f1dd8
Strike ID: M21-648m1 | Malware: Ramnit_acb95321 | Platform: Windows | Info: This strike sends a malware sample known as Ramnit. Ramnit is a banking trojan that has been around since 2010 and has recently been resuming activity. After infection, it scans files that have interesting keywords, such as "wallet", "passwords", or the names of the targeted banks. Ramnit uses malvertising and malware-laden spam for distribution, though it also employed popular exploit kits, such as Angler. | MD5: acb95321ac7ff2b0ea2ca2519e376113 | External References: https://blog.talosintelligence.com/2021/09/threat-roundup-0910-0917.html
SHA256: 6468a6014427f9472da81bedf7379a6321548c50e4906a7837b40e2711e6a80d
SHA1: b4bada5ab3da12f42c7902bcbe9a032f8dedbea6
MD5: acb95321ac7ff2b0ea2ca2519e376113
Strike ID: M21-9av11 | Malware: Ramnit_10c4d29b | Platform: Windows | Info: This strike sends a malware sample known as Ramnit. Ramnit is a banking trojan that has been around since 2010 and has recently been resuming activity. After infection, it scans files that have interesting keywords, such as "wallet", "passwords", or the names of the targeted banks. Ramnit uses malvertising and malware-laden spam for distribution, though it also employed popular exploit kits, such as Angler. | MD5: 10c4d29b442948f91cb8b507866db58e | External References: https://blog.talosintelligence.com/2021/09/threat-roundup-0910-0917.html
SHA256: 3c02b84a2059ebd7e4fffc0cd54d129b6cd9d2211b4df27edf2330abf1d96801
SHA1: b1d0766b8408828e592b3748c8ad83ddd74a3e7c
MD5: 10c4d29b442948f91cb8b507866db58e
Strike ID: M21-26251 | Malware: DarkComet_638854bf | Platform: Windows | Info: This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system. | MD5: 638854bf5d54769e559abdd901b40579 | External References: https://blog.talosintelligence.com/2021/09/threat-roundup-0903-0910.html
SHA256: a6d87dcde17345d9a5758b0b6abff41c16fd02f2db4c615a8dff1a1bc86b09f1
SHA1: 5ad0a937bdd97eb95f9e48bf3501f4405eed4c21
MD5: 638854bf5d54769e559abdd901b40579
Strike ID: M21-b08w1 | Malware: LokiBot_83c8c724 | Platform: Windows | Info: This strike sends a malware sample known as LokiBot. LokiBot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered via spam emails. | MD5: 83c8c724740f88b6f565cf5698764a3f | External References: https://blog.talosintelligence.com/2021/09/threat-roundup-0827-0903.html
SHA256: d841c38e0b3b01a10e13eb2317f483d4ea941d584733921db572023786f9a8cd
SHA1: 1869987857ceb85b8dc9a157e1f9a1d08be3ed52
MD5: 83c8c724740f88b6f565cf5698764a3f
Strike ID: M21-laen1 | Malware: Ramnit_58eeb6a2 | Platform: Windows | Info: This strike sends a malware sample known as Ramnit. Ramnit is a banking trojan that has been around since 2010 and has recently been resuming activity. After infection, it scans files that have interesting keywords, such as "wallet", "passwords", or the names of the targeted banks. Ramnit uses malvertising and malware-laden spam for distribution, though it also employed popular exploit kits, such as Angler. | MD5: 58eeb6a25c267ee5121a1fa8c5b06737 | External References: https://blog.talosintelligence.com/2021/09/threat-roundup-0910-0917.html
SHA256: 3b25e7b0604abf38f9f2667229996b22701bc8a3d7083d34c34f9bcac0f40a21
SHA1: 372dfdba43a0f6f635baba9928d17e2d10bb8d63
MD5: 58eeb6a25c267ee5121a1fa8c5b06737
Strike ID: M21-sfg21 | Malware: Gh0stRAT_b3869d2e | Platform: Windows | Info: This strike sends a malware sample known as Gh0stRAT. Gh0stRAT is a remote access Trojan that provides control over an infected system. Some of its known functions include the ability to record keystrokes, record screenshots and download additional malicious payloads. | MD5: b3869d2e835647c3081587f8b9cd7eab | External References: https://blog.talosintelligence.com/2021/09/threat-roundup-0910-0917.html
SHA256: 0a9904a30f8447ae35f9c3428e29436442d04d38cbf4d064a74fe5ab13331336
SHA1: cf5d52d9de7ba7535f23f5dfe6d5d73ee463e5c4
MD5: b3869d2e835647c3081587f8b9cd7eab
Strike ID: M21-47cx1 | Malware: DarkComet_17874dac | Platform: Windows | Info: This strike sends a polymorphic malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system. The binary has random strings (lorem ipsum) appended at the end of the file. | MD5: 17874dac85b06738e1a3bedf24c327fa | External References: https://blog.talosintelligence.com/2021/09/threat-roundup-0903-0910.html
SHA256: 0df8c5eec82a57a523471be4a908397d5fc4377c58e8b96c0dea57ca5eee6658
https://attack.mitre.org/techniques/T1009/
PARENTID: M21-f4jk1
SSDEEP: 24576:tvbw2K+J+ZsLgRaYoaleftcYulSoCjn1AeVFHY:tvbNsRaYxlYMlSoCjx7Y
SHA1: fc5998e83d34fb27afaf3c1266d4c7f60f07bb05
MD5: 17874dac85b06738e1a3bedf24c327fa
Strike ID: M21-nshu1 | Malware: LokiBot_35208fcf | Platform: Windows | Info: This strike sends a malware sample known as LokiBot. LokiBot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered via spam emails. | MD5: 35208fcf5f72ad26feffc3c77f0b53d9 | External References: https://blog.talosintelligence.com/2021/09/threat-roundup-0827-0903.html
SHA256: 4f0c48e921d3a71d96e4460aebd6abbd87640b54fb5287659c0873bcc7bfd059
SHA1: f294e614511006a7fe3a4e31fd55451990f349a0
MD5: 35208fcf5f72ad26feffc3c77f0b53d9
Strike ID: M21-z0xd1 | Malware: DarkComet_653637f3 | Platform: Windows | Info: This strike sends a polymorphic malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system. The binary has the timestamp field updated in the PE file header. | MD5: 653637f3f83f6d22682cca41ff86c6d5 | External References: https://blog.talosintelligence.com/2021/09/threat-roundup-0903-0910.html
SHA256: cf801bd2c26b45c69f6eb7cb8d514f5d0c6470e5b1718360b91e1888803b300b
https://attack.mitre.org/techniques/T1099/
PARENTID: M21-rp7r1
SSDEEP: 24576:4vbw2K+J+ZsLgRadoasbwegPK5Tc98+oeT7HBK+karr87cR17zMW1AeVFH:4vbNsRadx+wpec9T7HNP8Q7XR7
SHA1: 48bccc42c91becac2b896fac74ff2c5e631f8de5
MD5: 653637f3f83f6d22682cca41ff86c6d5
Strike ID: M21-gskz1 | Malware: DarkComet_b55b6a3c | Platform: Windows | Info: This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system. | MD5: b55b6a3cda5fc405305550d50b5fa817 | External References: https://blog.talosintelligence.com/2021/09/threat-roundup-0903-0910.html
SHA256: 59a3dbaaef20f2e7e6db5f12815e3a8fdaa514a8ad469affb508a15ff2a6cb1b
SHA1: 8b05bf8233eccb309d544429ed4b2788cb5c3fb1
MD5: b55b6a3cda5fc405305550d50b5fa817
Strike ID: M21-zadf1 | Malware: Ramnit_39cedb55 | Platform: Windows | Info: This strike sends a malware sample known as Ramnit. Ramnit is a banking trojan that has been around since 2010 and has recently been resuming activity. After infection, it scans files that have interesting keywords, such as "wallet", "passwords", or the names of the targeted banks. Ramnit uses malvertising and malware-laden spam for distribution, though it also employed popular exploit kits, such as Angler. | MD5: 39cedb556b1eb185090954d43ffcfbd6 | External References: https://blog.talosintelligence.com/2021/09/threat-roundup-0910-0917.html
SHA256: 5a0086bba6889e5c1ae1cea31d508689713c30966ae5a98fea2a9833a04120a8
SHA1: 787707df3ef15556839c8fa858d822bffa781507
MD5: 39cedb556b1eb185090954d43ffcfbd6
Strike ID: M21-f4jk1 | Malware: DarkComet_52a36eb8 | Platform: Windows | Info: This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system. | MD5: 52a36eb898a816a12e52f81c2160adb3 | External References: https://blog.talosintelligence.com/2021/09/threat-roundup-0903-0910.html
SHA256: d41d5255fe1387ddaa4dadd14e57254fe4d77385862a8306874facd9ba50178f
SHA1: f011e3febd12a524d553ee3dc1d1c8a3c3536bee
MD5: 52a36eb898a816a12e52f81c2160adb3
Strike ID: M21-kts01 | Malware: Gh0stRAT_e80c46e8 | Platform: Windows | Info: This strike sends a malware sample known as Gh0stRAT. Gh0stRAT is a remote access Trojan that provides control over an infected system. Some of its known functions include the ability to record keystrokes, record screenshots and download additional malicious payloads. | MD5: e80c46e8291322e25085beded0fca16a | External References: https://blog.talosintelligence.com/2021/09/threat-roundup-0910-0917.html
SHA256: 06dfe51c5242f7cd9b3d7292f7fa6bc41125b3284de59e472c5834965a9d31e2
SHA1: a089af8770e1443c2ff6156c905d64f5f71072ff
MD5: e80c46e8291322e25085beded0fca16a
Strike ID: M21-4xmn1 | Malware: Gh0stRAT_ab8205af | Platform: Windows | Info: This strike sends a malware sample known as Gh0stRAT. Gh0stRAT is a remote access Trojan that provides control over an infected system. Some of its known functions include the ability to record keystrokes, record screenshots and download additional malicious payloads. | MD5: ab8205af204ef7cbf98a20ee0fdb4960 | External References: https://blog.talosintelligence.com/2021/09/threat-roundup-0910-0917.html
SHA256: 10e0ba595b81b05fe6156fa42b53540e50cf624f8dd56544353af0ceff0aa6ce
SHA1: 285dc4541ce0e3570766c07aff69c40f60f0a639
MD5: ab8205af204ef7cbf98a20ee0fdb4960
Strike ID: M21-i4ig1 | Malware: Chthonic_07db0094 | Platform: Windows | Info: This strike sends a malware sample known as Chthonic. Chthonic is a banking trojan that is normally delivered by the attacker via phishing emails. Its purpose is to exfiltrate sensitive credentials from the victim machine, and it has also been seen delivering other malware like AZORult to perform additional functionality. | MD5: 07db009460cbefb77763f3dcf7559b89 | External References: https://blog.talosintelligence.com/2021/09/threat-roundup-0903-0910.html
SHA256: 25d12fa4832dec302a7c4f8ea9242d2236dc50c19ad1fb2d8981df380f5b0a85
SHA1: 13572f11e00c9de991000bde7dc760fffa7637a6
MD5: 07db009460cbefb77763f3dcf7559b89
Strike ID: M21-yxkn1 | Malware: Ramnit_932314df | Platform: Windows | Info: This strike sends a malware sample known as Ramnit. Ramnit is a banking trojan that has been around since 2010 and has recently been resuming activity. After infection, it scans files that have interesting keywords, such as "wallet", "passwords", or the names of the targeted banks. Ramnit uses malvertising and malware-laden spam for distribution, though it also employed popular exploit kits, such as Angler. | MD5: 932314dfc7c4f74f1ab12d906964874e | External References: https://blog.talosintelligence.com/2021/09/threat-roundup-0910-0917.html
SHA256: 75c6dfdf32f830bd6e789a2bce16d4a4bbb8bf60afcc6653e43800acd97f6c03
SHA1: 34a9d7e51f5d39401d6857ce0162dfc647f415cd
MD5: 932314dfc7c4f74f1ab12d906964874e
Strike ID: M21-9k9d1 | Malware: Ramnit_959c6743 | Platform: Windows | Info: This strike sends a malware sample known as Ramnit. Ramnit is a banking trojan that has been around since 2010 and has recently been resuming activity. After infection, it scans files that have interesting keywords, such as "wallet", "passwords", or the names of the targeted banks. Ramnit uses malvertising and malware-laden spam for distribution, though it also employed popular exploit kits, such as Angler. | MD5: 959c67436d11558210e610bf14d9d04b | External References: https://blog.talosintelligence.com/2021/09/threat-roundup-0910-0917.html
SHA256: 4e682566a59f6f619398e927a155453418734b7bd0f0e84675f9ea670d50c135
SHA1: 7524f7fd59f9cf5b1d3e27ccd5590fa9c70d0f65
MD5: 959c67436d11558210e610bf14d9d04b
Strike ID: M21-k2mv1 | Malware: Ramnit_55ff5d7e | Platform: Windows | Info: This strike sends a malware sample known as Ramnit. Ramnit is a banking trojan that has been around since 2010 and has recently been resuming activity. After infection, it scans files that have interesting keywords, such as "wallet", "passwords", or the names of the targeted banks. Ramnit uses malvertising and malware-laden spam for distribution, though it also employed popular exploit kits, such as Angler. | MD5: 55ff5d7e137dd97103613126e086b026 | External References: https://blog.talosintelligence.com/2021/09/threat-roundup-0910-0917.html
SHA256: 707344cfd6580bc7bbf4dd9504ca16472cef2b1e4fe97c41c6f57cd088cc0397
SHA1: 509b53f69de8d4b2f91dfbe4d8d12d2ab4d89175
MD5: 55ff5d7e137dd97103613126e086b026
Strike ID: M21-me1r1 | Malware: Chthonic_af6c53ea | Platform: Windows | Info: This strike sends a malware sample known as Chthonic. Chthonic is a banking trojan that is normally delivered by the attacker via phishing emails. Its purpose is to exfiltrate sensitive credentials from the victim machine, and it has also been seen delivering other malware like AZORult to perform additional functionality. | MD5: af6c53ea36ebdd113728e86798e930af | External References: https://blog.talosintelligence.com/2021/09/threat-roundup-0903-0910.html
SHA256: d4afe8e25d9226571ad91c8ce3c2a4c58a793e548d92ebb4a074dc05c185f538
SHA1: e2ba60fd11dfceecbf923b03025a26bcbd1adb11
MD5: af6c53ea36ebdd113728e86798e930af
Strike ID: M21-u0nc1 | Malware: DarkComet_646128de | Platform: Windows | Info: This strike sends a polymorphic malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system. The binary has a random section name renamed according to the PE format specification. | MD5: 646128de2317254aec6537a834acc16e | External References: https://blog.talosintelligence.com/2021/09/threat-roundup-0903-0910.html
SHA256: e0e0aac3bd552503b1a46e20c9eda7d996ca8105a199e2ff29e95f85e4fe2fb5
https://arxiv.org/abs/1801.08917
PARENTID: M21-f4jk1
SSDEEP: 24576:evbw2K+J+ZsLgRaYoaleftcYulSoCjn1AeVFH:evbNsRaYxlYMlSoCjx7
SHA1: 96e39aed41091626f031d95a6167e7c115dd336f
MD5: 646128de2317254aec6537a834acc16e
Strike ID: M21-u5q51 | Malware: Gh0stRAT_46fda509 | Platform: Windows | Info: This strike sends a malware sample known as Gh0stRAT. Gh0stRAT is a remote access Trojan that provides control over an infected system. Some of its known functions include the ability to record keystrokes, record screenshots and download additional malicious payloads. | MD5: 46fda5099af718be6fec6710916decb8 | External References: https://blog.talosintelligence.com/2021/09/threat-roundup-0910-0917.html
SHA256: 0d84f84b2ea7e345579083dfd01ef66078349305de2d6bf1ae06f9d5a2d8312d
SHA1: 00dfb85310ea67c9d9232cfdd7883f78ff329de3
MD5: 46fda5099af718be6fec6710916decb8
Strike ID: M21-epyu1 | Malware: Ramnit_b0a9e215 | Platform: Windows | Info: This strike sends a malware sample known as Ramnit. Ramnit is a banking trojan that has been around since 2010 and has recently been resuming activity. After infection, it scans files that have interesting keywords, such as "wallet", "passwords", or the names of the targeted banks. Ramnit uses malvertising and malware-laden spam for distribution, though it also employed popular exploit kits, such as Angler. | MD5: b0a9e215276bfe98a7df9cf2d771326e | External References: https://blog.talosintelligence.com/2021/09/threat-roundup-0910-0917.html
SHA256: 07d7a173f1b2ad8026634f986973b91ffe419a34c0fcfb8c5c383cf92346ef9e
SHA1: 6ecb19891f610114bc22102990242d4cb7a54d2a
MD5: b0a9e215276bfe98a7df9cf2d771326e
Strike ID: M21-o8uy1 | Malware: Conti_e099a53f | Platform: Windows | Info: This strike sends a malware sample known as Conti. Conti is a Ransomware-as-a-Service that in the past has been associated with TrickBot, and is being called the successor to Ryuk. Most recently it has been seen attacking large organizations and government agencies. Conti not only encrypts the victim's files, but also steals their data and threatens to publish the stolen data. It uses known vulnerabilities, such as those in Microsoft SMB and the MS Print Spooler (CVE-2021-34527), to escalate privileges and move laterally throughout the network. Conti deploys Cobalt Strike beacons to perform C2 functionality, but also installs remote management software like AnyDesk and Atera to maintain persistence. | MD5: e099a53fdcef7bdfb58b3a7b4f42e4d2 | External References: https://us-cert.cisa.gov/ncas/alerts/aa21-265a
https://www.cybereason.com/blog/cybereason-vs.-conti-ransomware
https://labs.vipre.com/how-conti-ransomware-works-and-our-analysis/
SHA256: bc413e02defccc55f1c9925e9cf4fde4a714db1e06c6e021ddbd4b15cf2613d7
SHA1: 1b3611aae8621f1d135950841d6a6a8edab7ea4f
MD5: e099a53fdcef7bdfb58b3a7b4f42e4d2
Strike ID: M21-6rez1 | Malware: LokiBot_b7469cbe | Platform: Windows | Info: This strike sends a polymorphic malware sample known as LokiBot. LokiBot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered via spam emails. The binary has a random section name renamed according to the PE format specification. | MD5: b7469cbefbbfec180dff5419489b8e5a | External References: https://blog.talosintelligence.com/2021/09/threat-roundup-0827-0903.html
SHA256: 8c1a6189d4a7ad532f7ffcc5d754eb57af937ca2b37c0b1a924237a64c1f3f9f
https://arxiv.org/abs/1801.08917
PARENTID: M21-b08w1
SSDEEP: 12288:PPZxZrNJqkIGTtjOrn85QMORn01GG53MHGkXuccGLpcy+:PPFNJqZGTtj2OROC1/MmUuccD
SHA1: 5030e6113eb4ff13cbfd7988d99531f09a18219e
MD5: b7469cbefbbfec180dff5419489b8e5a
Strike ID: M21-zqrb1 | Malware: DarkComet_55f9fbdf | Platform: Windows | Info: This strike sends a polymorphic malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system. The binary has random strings (lorem ipsum) appended at the end of the file. | MD5: 55f9fbdfbec0c1160c66e97c6e9b93e8 | External References: https://blog.talosintelligence.com/2021/09/threat-roundup-0903-0910.html
SHA256: dd92046ac6467b5f8102ea4930e4ce8e74d9abe63a33ed2b9556dc347898c512
https://attack.mitre.org/techniques/T1009/
PARENTID: M21-rp7r1
SSDEEP: 24576:1vbw2K+J+ZsLgRadoasbwegPK5Tc98+oeT7HBK+karr87cR17zMW1AeVFHY:1vbNsRadx+wpec9T7HNP8Q7XR7Y
SHA1: 5215547d362776d0cec0ddae8bd4950c9a25e3c5
MD5: 55f9fbdfbec0c1160c66e97c6e9b93e8
Strike ID: M21-sk5k1 | Malware: Conti_617ccca7 | Platform: Windows | Info: This strike sends a malware sample known as Conti. Conti is a Ransomware-as-a-Service that in the past has been associated with TrickBot, and is being called the successor to Ryuk. Most recently it has been seen attacking large organizations and government agencies. Conti not only encrypts the victim's files, but also steals their data and threatens to publish the stolen data. It uses known vulnerabilities, such as those in Microsoft SMB and the MS Print Spooler (CVE-2021-34527), to escalate privileges and move laterally throughout the network. Conti deploys Cobalt Strike beacons to perform C2 functionality, but also installs remote management software like AnyDesk and Atera to maintain persistence. | MD5: 617ccca7d5753993cbfd1309d1a18e1c | External References: https://us-cert.cisa.gov/ncas/alerts/aa21-265a
https://www.cybereason.com/blog/cybereason-vs.-conti-ransomware
https://labs.vipre.com/how-conti-ransomware-works-and-our-analysis/
SHA256: 4bfd58d4e4a6fe5e91b408bc190a24d352124902085f9c2da948ad7d79b72618
SHA1: 246813f9a57e030f109bb77742809e32bac89c04
MD5: 617ccca7d5753993cbfd1309d1a18e1c
Strike ID: M21-f5151 | Malware: Gh0stRAT_f2c25eab | Platform: Windows | Info: This strike sends a malware sample known as Gh0stRAT. Gh0stRAT is a remote access Trojan that provides control over an infected system. Some of its known functions include the ability to record keystrokes, record screenshots and download additional malicious payloads. | MD5: f2c25eab5b6be1a11948729709af7da6 | External References: https://blog.talosintelligence.com/2021/09/threat-roundup-0910-0917.html
SHA256: 12a9239bf0ca4be571ebcd1a99cf4821fc00011784f35e929ef666c4fc3cbff8
SHA1: e57d9a44db8341103798967fac090c16189d497a
MD5: f2c25eab5b6be1a11948729709af7da6
Strike ID: M21-3xxj1 | Malware: Ramnit_7bbe1db6 | Platform: Windows | Info: This strike sends a malware sample known as Ramnit. Ramnit is a banking trojan that has been around since 2010 and has recently been resuming activity. After infection, it scans files that have interesting keywords, such as "wallet", "passwords", or the names of the targeted banks. Ramnit uses malvertising and malware-laden spam for distribution, though it also employed popular exploit kits, such as Angler. | MD5: 7bbe1db690fcd36ae9801c66034bb326 | External References: https://blog.talosintelligence.com/2021/09/threat-roundup-0910-0917.html
SHA256: 20c08af253aad222bb0fb48865c40ab39d9b68e9827c6178dc41a95928890f00
SHA1: 61c82b4f8d6e54c584db9706bc08c54a6ae752f7
MD5: 7bbe1db690fcd36ae9801c66034bb326
Strike ID: M21-88yp1 | Malware: Chthonic_df156d22 | Platform: Windows | Info: This strike sends a malware sample known as Chthonic. Chthonic is a banking trojan that is normally delivered by the attacker via phishing emails. Its purpose is to exfiltrate sensitive credentials from the victim machine, and it has also been seen delivering other malware like AZORult to perform additional functionality. | MD5: df156d229e2f94fa017882015dae6129 | External References: https://blog.talosintelligence.com/2021/09/threat-roundup-0903-0910.html
SHA256: 8b618395e700e9115431a420755748089d303ce55bd5d00f0beb2f1052a73c70
SHA1: 888387ebea07701017594c80e6ddd8daf71ef137
MD5: df156d229e2f94fa017882015dae6129
Strike ID: M21-jy681 | Malware: Gh0stRAT_cbfbfe8a | Platform: Windows | Info: This strike sends a malware sample known as Gh0stRAT. Gh0stRAT is a remote access Trojan that provides control over an infected system. Some of its known functions include the ability to record keystrokes, record screenshots and download additional malicious payloads. | MD5: cbfbfe8ae5f45d5cc06bd15f639397e4 | External References: https://blog.talosintelligence.com/2021/09/threat-roundup-0910-0917.html
SHA256: 0cb596d6c40ec8da569102b07fae1d2aa54ca74f909366e11cabd4c87cd9918e
SHA1: 7d716bf67c5743388ad6b54c3ff791d05f47abe2
MD5: cbfbfe8ae5f45d5cc06bd15f639397e4
Strike ID: M21-i1141 | Malware: Ramnit_d88b7c70 | Platform: Windows | Info: This strike sends a malware sample known as Ramnit. Ramnit is a banking trojan that has been around since 2010 and has recently been resuming activity. After infection, it scans files that have interesting keywords, such as "wallet", "passwords", or the names of the targeted banks. Ramnit uses malvertising and malware-laden spam for distribution, though it also employed popular exploit kits, such as Angler. | MD5: d88b7c7005b6159d6cef5c6f2c19b8a6 | External References: https://blog.talosintelligence.com/2021/09/threat-roundup-0910-0917.html
SHA256: 6c228fe25f33f517696373445d3b7fdc5705827047ad61bfdfd17307e47762b2
SHA1: b07c40c17757bc30beadd710530ec75caf1a6c72
MD5: d88b7c7005b6159d6cef5c6f2c19b8a6
Strike ID: M21-9nl91 | Malware: Chthonic_c020bae7 | Platform: Windows | Info: This strike sends a malware sample known as Chthonic. Chthonic is a banking trojan that is normally delivered by the attacker via phishing emails. Its purpose is to exfiltrate sensitive credentials from the victim machine, and it has also been seen delivering other malware like AZORult to perform additional functionality. | MD5: c020bae796d8a22ea7e7bf7985b3bb5f | External References: https://blog.talosintelligence.com/2021/09/threat-roundup-0903-0910.html
SHA256: db223583f0f58ed0f9dff5626ed818446984323c54c016eee43f5fb8abf3c2ed
SHA1: b9b7d37686f326f386328a15e57889841f3d2be5
MD5: c020bae796d8a22ea7e7bf7985b3bb5f
Strike ID: M21-dje61 | Malware: Ramnit_f874de55 | Platform: Windows | Info: This strike sends a malware sample known as Ramnit. Ramnit is a banking trojan that has been around since 2010 and has recently been resuming activity. After infection, it scans files that have interesting keywords, such as "wallet", "passwords", or the names of the targeted banks. Ramnit uses malvertising and malware-laden spam for distribution, though it also employed popular exploit kits, such as Angler. | MD5: f874de5541c3e154c13c0c9a5fe9797d | External References: https://blog.talosintelligence.com/2021/09/threat-roundup-0910-0917.html
SHA256: 3800b722b732d64d8e802feaee98c86754ad0cd59074ff246afe5198dea925ed
SHA1: 1dd9f5a1335b2ada9afb4efdd0a62b628f875118
MD5: f874de5541c3e154c13c0c9a5fe9797d
Strike ID: M21-6c2e1 | Malware: Ramnit_ef24a361 | Platform: Windows | Info: This strike sends a malware sample known as Ramnit. Ramnit is a banking trojan that has been around since 2010 and has recently been resuming activity. After infection, it scans files that have interesting keywords, such as "wallet", "passwords", or the names of the targeted banks. Ramnit uses malvertising and malware-laden spam for distribution, though it also employed popular exploit kits, such as Angler. | MD5: ef24a361def1b7142a346afbcda9aafd | External References: https://blog.talosintelligence.com/2021/09/threat-roundup-0910-0917.html
SHA256: 3cf2ba04aefdb855d6d16cb80ea8127d649c9ed1900159f1f7e8829e6c63a217
SHA1: 0228c5146a171619717ab712012cbf3ba53960a6
MD5: ef24a361def1b7142a346afbcda9aafd
Strike ID: M21-vnnr1 | Malware: Ramnit_3703f175 | Platform: Windows | Info: This strike sends a malware sample known as Ramnit. Ramnit is a banking trojan that has been around since 2010 and has recently been resuming activity. After infection, it scans files that have interesting keywords, such as "wallet", "passwords", or the names of the targeted banks. Ramnit uses malvertising and malware-laden spam for distribution, though it also employed popular exploit kits, such as Angler. | MD5: 3703f175acfc146e4269949a95dd5aa8 | External References: https://blog.talosintelligence.com/2021/09/threat-roundup-0910-0917.html
SHA256: 0d84b7d0ea14ed1d6e7c3633458727e9b5073c5969ce82f6e38c85261e59ce90
SHA1: a92e7156b4fbf027fbd6ca860fb2ab33212a2ae3
MD5: 3703f175acfc146e4269949a95dd5aa8
M21-jv1j1 Chthonic_562f8c4a Windows This strike sends a malware sample known as Chthonic. Chthonic is a banking trojan that is normally delivered by the attacker via phishing emails. Its purpose is to exfiltrate sensitive credentials from the victim machine, and it has also been seen delivering other malware, such as AZORult, to perform additional functionality. 562f8c4a3657b2afbd72f667965cf816 https://blog.talosintelligence.com/2021/09/threat-roundup-0903-0910.html
SHA256: 12c2fefe3b7c233f3f08ccd95cb956ebeee5ad5ccad26cef41f036bc8ffe1d63
SHA1: dfeb6d78ff01b1d9e0c6046274c3a760c99ce59a
MD5: 562f8c4a3657b2afbd72f667965cf816
M21-o5jx1 Ramnit_e00b89ed Windows This strike sends a malware sample known as Ramnit. Ramnit is a banking trojan that has been around since 2010 and has recently resumed activity. After infection, it scans files that have interesting keywords, such as "wallet", "passwords", or the names of the targeted banks. Ramnit uses malvertising and malware-laden spam for distribution, though it also employed popular exploit kits, such as Angler. e00b89ed3e888871c868c9551c670eb2 https://blog.talosintelligence.com/2021/09/threat-roundup-0910-0917.html
SHA256: 0f95acdc1356b68c1b5d3e8f5c8ae90fcd6fc0ade02e179e0881d77f84f24f50
SHA1: cd336abc2514d88e045844030d8f8f54c25ea437
MD5: e00b89ed3e888871c868c9551c670eb2
M21-cjrg1 Ramnit_5f93cc93 Windows This strike sends a malware sample known as Ramnit. Ramnit is a banking trojan that has been around since 2010 and has recently resumed activity. After infection, it scans files that have interesting keywords, such as "wallet", "passwords", or the names of the targeted banks. Ramnit uses malvertising and malware-laden spam for distribution, though it also employed popular exploit kits, such as Angler. 5f93cc93468bc848f78e9e643a3e8607 https://blog.talosintelligence.com/2021/09/threat-roundup-0910-0917.html
SHA256: 2801ade4a33e8995d105ca7c8f2357b89743b3dc14eafabf2939e4785e1e2abc
SHA1: 4a2ee80506deb4259b07d9c2db776a91be1a4cc8
MD5: 5f93cc93468bc848f78e9e643a3e8607
M21-5p491 Conti_d7bf01f9 Windows This strike sends a malware sample known as Conti. Conti is a Ransomware-as-a-Service that in the past has been associated with TrickBot and is being called the successor to Ryuk. Most recently it has been seen attacking large organizations and government agencies. Conti not only encrypts the victim's files, but also steals their data and threatens to publish the stolen data. It uses known vulnerabilities, such as those in Microsoft SMB and the MS Print Spooler (CVE-2021-34527), to escalate privileges and move laterally throughout the network. Conti deploys Cobalt Strike beacons for C2 functionality, but also installs remote management software such as AnyDesk and Atera to maintain persistence. d7bf01f9fb24176f2d42d770d79e8c2c https://us-cert.cisa.gov/ncas/alerts/aa21-265a
https://www.cybereason.com/blog/cybereason-vs.-conti-ransomware
https://labs.vipre.com/how-conti-ransomware-works-and-our-analysis/
SHA256: 6f7043b24d9b4c30006781402f0cef2543c8f3e9087d79f6bcff43b1418ad21d
SHA1: 9b8eeaf746cd5d903f70c3b245b9466c40b74c5d
MD5: d7bf01f9fb24176f2d42d770d79e8c2c
M21-um5u1 LokiBot_985dcd1f Windows This strike sends a polymorphic malware sample known as LokiBot. LokiBot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered via spam emails. The binary has random bytes appended at the end of the file. 985dcd1f24eba6bb96148752cc35bd28 https://blog.talosintelligence.com/2021/09/threat-roundup-0827-0903.html
SHA256: e28d6f0e618087dc246c754be6eef8b6fec18af011abd0ced1ba5443de25ae66
https://attack.mitre.org/techniques/T1009/
PARENTID: M21-b08w1
SSDEEP: 12288:VPZxZrNJqkIGTtjOrn85QMORn01GG53MHGkXuccGLpcyC:VPFNJqZGTtj2OROC1/MmUucc/
SHA1: 0da441618c83be8b7cf0a7f7b4d54310d373ed62
MD5: 985dcd1f24eba6bb96148752cc35bd28
M21-s3bx1 Gh0stRAT_e9694748 Windows This strike sends a malware sample known as Gh0stRAT. Gh0stRAT is a remote access Trojan that provides control over an infected system. Some of its known functions include the ability to record keystrokes, capture screenshots and download additional malicious payloads. e969474837b9cd28ffbc4f1ffc62e973 https://blog.talosintelligence.com/2021/09/threat-roundup-0910-0917.html
SHA256: 02e4ef88864634e6dc5e6116fbcf7b48e9fb9ec00b147e30bb83502bfe926cd6
SHA1: d894cf25013b3836bcde96a706b1a11e4f3fcf33
MD5: e969474837b9cd28ffbc4f1ffc62e973
M21-98gn1 DarkComet_c86fdaf2 Windows This strike sends a polymorphic malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system. The binary has been packed using the UPX packer with the default options. c86fdaf22f4d47641972808993f183b9 https://blog.talosintelligence.com/2021/09/threat-roundup-0903-0910.html
SHA256: 818c3fd7d287f8611f974dde04fde611f1aca07d8bce631d5dce71b2e529f5a4
https://attack.mitre.org/techniques/T1045/
PARENTID: M21-rp7r1
SSDEEP: 24576:DT/i2c5wXWuoakbwegPK5Tc98+oeT7HBK+karr87cR17zMJyxeVmQ:Dnc8xGwpec9T7HNP8Q7X0R
SHA1: 6d70d1a537d13f917b4f21698a6fd250efc4cdb7
MD5: c86fdaf22f4d47641972808993f183b9
M21-y0f41 DarkComet_69f9e1ec Windows This strike sends a polymorphic malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system. The binary has random strings (lorem ipsum) appended at the end of the file. 69f9e1ec5caa6b033f9a7f4eb65c3d52 https://blog.talosintelligence.com/2021/09/threat-roundup-0903-0910.html
SHA256: bb95a585acd3f3e58c396f7607e4fc1fa10de6c9f6b7564839fbd1e0ae463fdb
https://attack.mitre.org/techniques/T1009/
PARENTID: M21-1s0v1
SSDEEP: 24576:fvbw2K+J+ZsLgRacoapbwegPK5Tc98+oeT7HBK+karr87cR17zMue1AeVFHY:fvbNsRacxVwpec9T7HNP8Q7X5s7Y
SHA1: 915e87a9c54dccfab01a9bb20b43688620de8160
MD5: 69f9e1ec5caa6b033f9a7f4eb65c3d52
M21-8daq1 Chthonic_39e3d389 Windows This strike sends a malware sample known as Chthonic. Chthonic is a banking trojan that is normally delivered by the attacker via phishing emails. Its purpose is to exfiltrate sensitive credentials from the victim machine, and it has also been seen delivering other malware, such as AZORult, to perform additional functionality. 39e3d389fa34b594117f49b38d602584 https://blog.talosintelligence.com/2021/09/threat-roundup-0903-0910.html
SHA256: 3f84ff7a71d5b9f465a4b9a9d440f4f801f5a9eac7de6ae21f09acff9395c609
SHA1: dcc10234759ed6f7bf119e9e78f8e23cbc2d2a74
MD5: 39e3d389fa34b594117f49b38d602584
M21-49ze1 Gh0stRAT_f7031eeb Windows This strike sends a malware sample known as Gh0stRAT. Gh0stRAT is a remote access Trojan that provides control over an infected system. Some of its known functions include the ability to record keystrokes, capture screenshots and download additional malicious payloads. f7031eeb4c7a87b72cd6432524e46849 https://blog.talosintelligence.com/2021/09/threat-roundup-0910-0917.html
SHA256: 04e659e9643b0b8dd2051264b89cdc745f080247257ac4686853496ddcebdb7f
SHA1: af92f84b65e1b53324e5bef405fa3e9e6fd64010
MD5: f7031eeb4c7a87b72cd6432524e46849
M21-f0oi1 DarkComet_2448bdd7 Windows This strike sends a polymorphic malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system. The binary has been packed using the UPX packer with the default options. 2448bdd7d08f59fcf33a1de8b3f6fefd https://blog.talosintelligence.com/2021/09/threat-roundup-0903-0910.html
SHA256: 4fbf1eb516628cc24d6e5c7d0445b97f63aa1166ab0be17df7e090c5c397f95a
https://attack.mitre.org/techniques/T1045/
PARENTID: M21-1s0v1
SSDEEP: 24576:3ceb+49XTKZ90++Nj2ylsGCwaobYiBAurquchnzAoNXYt/46oOYvsA/sPsQH0eoE:3ceJ92X0++QylsG7axiBeuchnFYN46oc
SHA1: d08f968ebea9f5ac9803649d1f282d0d5fcb61f8
MD5: 2448bdd7d08f59fcf33a1de8b3f6fefd
M21-l19t1 Conti_290c7dfb Windows This strike sends a malware sample known as Conti. Conti is a Ransomware-as-a-Service that in the past has been associated with TrickBot and is being called the successor to Ryuk. Most recently it has been seen attacking large organizations and government agencies. Conti not only encrypts the victim's files, but also steals their data and threatens to publish the stolen data. It uses known vulnerabilities, such as those in Microsoft SMB and the MS Print Spooler (CVE-2021-34527), to escalate privileges and move laterally throughout the network. Conti deploys Cobalt Strike beacons for C2 functionality, but also installs remote management software such as AnyDesk and Atera to maintain persistence. 290c7dfb01e50cea9e19da81a781af2c https://us-cert.cisa.gov/ncas/alerts/aa21-265a
https://www.cybereason.com/blog/cybereason-vs.-conti-ransomware
https://labs.vipre.com/how-conti-ransomware-works-and-our-analysis/
SHA256: 53b1c1b2f41a7fc300e97d036e57539453ff82001dd3f6abf07f4896b1f9ca22
SHA1: 8a52c7645ec8fd6c217dfe5491461372acc4e849
MD5: 290c7dfb01e50cea9e19da81a781af2c
M21-e42c1 Gh0stRAT_b11e4378 Windows This strike sends a malware sample known as Gh0stRAT. Gh0stRAT is a remote access Trojan that provides control over an infected system. Some of its known functions include the ability to record keystrokes, capture screenshots and download additional malicious payloads. b11e4378225a2a99a988621260902551 https://blog.talosintelligence.com/2021/09/threat-roundup-0910-0917.html
SHA256: 14503b5c22c4ac81a1e4424da30b12907e49c739a29096f41179d7eb2ae329d8
SHA1: 48563cde96b9ab65328be3b9845306b8918018e0
MD5: b11e4378225a2a99a988621260902551
M21-yzfo1 LokiBot_97351713 Windows This strike sends a polymorphic malware sample known as LokiBot. LokiBot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered via spam emails. The binary has random bytes appended at the end of the file. 97351713c1c618911aedc95981242a15 https://blog.talosintelligence.com/2021/09/threat-roundup-0827-0903.html
SHA256: a9b5230391dd17dd071042e73803421efc624c71b9a568d731a890532bb58b6a
https://attack.mitre.org/techniques/T1009/
PARENTID: M21-zy5u1
SSDEEP: 12288:1PZxZrNJqkIGTtjOrn85QMORn01GG53MHGkXuccGLpcyr:1PFNJqZGTtj2OROC1/MmUuccm
SHA1: 2e7c4fa9323a7c82e8460fbf693479423e4e34e0
MD5: 97351713c1c618911aedc95981242a15
M21-dqm11 Ramnit_abb242e9 Windows This strike sends a malware sample known as Ramnit. Ramnit is a banking trojan that has been around since 2010 and has recently resumed activity. After infection, it scans files that have interesting keywords, such as "wallet", "passwords", or the names of the targeted banks. Ramnit uses malvertising and malware-laden spam for distribution, though it also employed popular exploit kits, such as Angler. abb242e98dd7d6971cdfa83d9f448e0e https://blog.talosintelligence.com/2021/09/threat-roundup-0910-0917.html
SHA256: 45a323dcc0a6da70ab782a7815ea6b2c321ec475af298dc615df8ca61bd8235e
SHA1: f67fede8d5c43da45badedc812f0e49f1d07449d
MD5: abb242e98dd7d6971cdfa83d9f448e0e
M21-1lrd1 Gh0stRAT_b7d08f31 Windows This strike sends a malware sample known as Gh0stRAT. Gh0stRAT is a remote access Trojan that provides control over an infected system. Some of its known functions include the ability to record keystrokes, capture screenshots and download additional malicious payloads. b7d08f31c8ec29a6273035e657ce3afa https://blog.talosintelligence.com/2021/09/threat-roundup-0910-0917.html
SHA256: 0e66e1af7f8452aead25bf0660232efb0f03eb53fefa16334ab05d345834f962
SHA1: 3d75eb41260180b2fe183d03ee9c6d151a65ac7c
MD5: b7d08f31c8ec29a6273035e657ce3afa
M21-67lc1 Ramnit_4f5e5502 Windows This strike sends a malware sample known as Ramnit. Ramnit is a banking trojan that has been around since 2010 and has recently resumed activity. After infection, it scans files that have interesting keywords, such as "wallet", "passwords", or the names of the targeted banks. Ramnit uses malvertising and malware-laden spam for distribution, though it also employed popular exploit kits, such as Angler. 4f5e5502685c22b184d3069621e4df93 https://blog.talosintelligence.com/2021/09/threat-roundup-0910-0917.html
SHA256: 1080edc42f5770f54fb08a763c4e6dd0673e98a47cd2472ecb1971d685048e8d
SHA1: c695b4683b04d33994740ea23e3eae7452107bf2
MD5: 4f5e5502685c22b184d3069621e4df93
M21-8m6d1 Conti_50e767c6 Mixed This strike sends a malware sample known as Conti. Conti is a Ransomware-as-a-Service that in the past has been associated with TrickBot and is being called the successor to Ryuk. Most recently it has been seen attacking large organizations and government agencies. Conti not only encrypts the victim's files, but also steals their data and threatens to publish the stolen data. It uses known vulnerabilities, such as those in Microsoft SMB and the MS Print Spooler (CVE-2021-34527), to escalate privileges and move laterally throughout the network. Conti deploys Cobalt Strike beacons for C2 functionality, but also installs remote management software such as AnyDesk and Atera to maintain persistence. 50e767c614b48b05c6d6574edfcacb2a https://us-cert.cisa.gov/ncas/alerts/aa21-265a
https://www.cybereason.com/blog/cybereason-vs.-conti-ransomware
https://labs.vipre.com/how-conti-ransomware-works-and-our-analysis/
SHA256: aacd1be17ca3aaca13d0c9f0366bcb28bdccd621cbde2f38b4a33321cba8a7df
SHA1: 3550b898ce86982019ef380deb2f24522707d7dc
MD5: 50e767c614b48b05c6d6574edfcacb2a
M21-skqm1 DarkComet_ea184546 Windows This strike sends a polymorphic malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system. One section of the binary has been renamed to a random name that conforms to the PE format specification. ea1845464d317ae08f1f994797df1340 https://blog.talosintelligence.com/2021/09/threat-roundup-0903-0910.html
SHA256: 4ecc88df89e02057aa9092c1252d9d37ca21f6334bf8cc577d737fdba726df53
https://arxiv.org/abs/1801.08917
PARENTID: M21-1s0v1
SSDEEP: 24576:2vbw2K+J+ZsLgRacoapbwegPK5Tc98+oeT7HBK+karr87cR17zMue1AeVFH:2vbNsRacxVwpec9T7HNP8Q7X5s7
SHA1: 12ad23618e0e00009e11c8475f32735b4a0f60e6
MD5: ea1845464d317ae08f1f994797df1340
M21-cgfw1 LokiBot_53b771d0 Windows This strike sends a malware sample known as LokiBot. LokiBot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered via spam emails. 53b771d049bacdd030fe2424b9f7a7ef https://blog.talosintelligence.com/2021/09/threat-roundup-0827-0903.html
SHA256: b86b82199660b2153a038ef0c2219fbd970a5e28df3c16b4f5ef4f0232757def
SHA1: a5be03013522845f3c8ca1deb32c39bab1fa00dd
MD5: 53b771d049bacdd030fe2424b9f7a7ef
M21-gc1l1 DarkComet_fac38e7a Windows This strike sends a polymorphic malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system. The binary has random bytes appended at the end of the file. fac38e7afa79375ca964db486879bfeb https://blog.talosintelligence.com/2021/09/threat-roundup-0903-0910.html
SHA256: 72c32d3efdc1e74e141377cd33f5a18f97761182cd11760a147ccf6f7b5c3a5a
https://attack.mitre.org/techniques/T1009/
PARENTID: M21-f4jk1
SSDEEP: 24576:tvbw2K+J+ZsLgRaYoaleftcYulSoCjn1AeVFH0:tvbNsRaYxlYMlSoCjx70
SHA1: 73adf475ba7aa6a6e63093d7088c3be76f608505
MD5: fac38e7afa79375ca964db486879bfeb
M21-ka5t1 Chthonic_5e4a3caa Windows This strike sends a malware sample known as Chthonic. Chthonic is a banking trojan that is normally delivered by the attacker via phishing emails. Its purpose is to exfiltrate sensitive credentials from the victim machine, and it has also been seen delivering other malware, such as AZORult, to perform additional functionality. 5e4a3caaa954f755e77cb2e704abc62c https://blog.talosintelligence.com/2021/09/threat-roundup-0903-0910.html
SHA256: 73e2ec59f6d0faad114ea452e9173cf0e77ebb120feea0c1a535c3d58e770caa
SHA1: c8e2c77f4605fa67277be377fea95a50d9ff1f05
MD5: 5e4a3caaa954f755e77cb2e704abc62c
M21-ys9p1 DarkComet_1d84bf5f Windows This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system. 1d84bf5fdfd13591e97963da8e127463 https://blog.talosintelligence.com/2021/09/threat-roundup-0903-0910.html
SHA256: 207ef9516ae65918a1f0b7cefe61b88bd50f573620552b4fc55f3e353652c655
SHA1: 96640a45f5319eb061160c54f1834b51ee378333
MD5: 1d84bf5fdfd13591e97963da8e127463
M21-d6it1 DarkComet_24a5869b Windows This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system. 24a5869bf2848684addfaa275b43b777 https://blog.talosintelligence.com/2021/09/threat-roundup-0903-0910.html
SHA256: 3fb315bf129311f7d2049e6389e579d2ffba05c8475507e4c9175a254d0cd66d
SHA1: 58f316c69391061f7d459a527fefe9f65d709f49
MD5: 24a5869bf2848684addfaa275b43b777
M21-jl3h1 Gh0stRAT_bc93f615 Windows This strike sends a malware sample known as Gh0stRAT. Gh0stRAT is a remote access Trojan that provides control over an infected system. Some of its known functions include the ability to record keystrokes, capture screenshots and download additional malicious payloads. bc93f6154632f07d17bf00e82849201d https://blog.talosintelligence.com/2021/09/threat-roundup-0910-0917.html
SHA256: 11a50d21d76c028607820ac421b954ef6b18e0faffd950e815ede4700892ad3d
SHA1: 7e05d42834a8c14692477d4d70d5bb5504567437
MD5: bc93f6154632f07d17bf00e82849201d
M21-a6ee1 DarkComet_2508af1b Windows This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system. 2508af1b010d477b414cca621649e4dd https://blog.talosintelligence.com/2021/09/threat-roundup-0903-0910.html
SHA256: 1d5d6219a7cba722842dc9fda70563ae5a1e98ce8eae0c039950978842ae5239
SHA1: 3b5dcda34bc346d5f51312c612c1c20dc0d38efd
MD5: 2508af1b010d477b414cca621649e4dd
M21-okm71 Ramnit_c5e9c5a8 Windows This strike sends a malware sample known as Ramnit. Ramnit is a banking trojan that has been around since 2010 and has recently resumed activity. After infection, it scans files that have interesting keywords, such as "wallet", "passwords", or the names of the targeted banks. Ramnit uses malvertising and malware-laden spam for distribution, though it also employed popular exploit kits, such as Angler. c5e9c5a84aa05ff1d389d5ed0d4d97d6 https://blog.talosintelligence.com/2021/09/threat-roundup-0910-0917.html
SHA256: 1edcf85e20407c0e4fe253c29108c552d5909f7254326dec3862cb447571fdc3
SHA1: 375c48c54ea0f2d9c1f44e63aace721cb046ceb3
MD5: c5e9c5a84aa05ff1d389d5ed0d4d97d6

Malware Strikes August - 2021

Strike ID Malware Platform Info MD5 External References
M21-jlzp1 BlackMatter_e6b0276b Windows This strike sends a malware sample known as BlackMatter. BlackMatter is a Ransomware-as-a-Service (RaaS). It has followed in the footsteps of its predecessors DarkSide and REvil with much of the same functionality. It can elevate privileges, kill processes, and even steal the victim's details. e6b0276bc3f541d8ff1ebb1b59c8bd29 https://news.sophos.com/en-us/2021/08/09/blackmatter-ransomware-emerges-from-the-shadow-of-darkside/
SHA256: daed41395ba663bef2c52e3d1723ac46253a9008b582bb8d9da9cb0044991720
SHA1: 295de44a0adbef57c51458978ccd71437aff0bf1
MD5: e6b0276bc3f541d8ff1ebb1b59c8bd29
M21-rby71 DarkComet_eb1de375 Windows This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system. eb1de375f155cf314cd6f41f754ce930 https://blog.talosintelligence.com/2021/08/threat-roundup-0806-0813.html
SHA256: 302085c4d19e84b33f64b7f177dcb5bdf31a919917e27c54691e599b65ec550f
SHA1: d561ebb09ec070733d63b8313554687451a4e55a
MD5: eb1de375f155cf314cd6f41f754ce930
M21-ngxa1 Trickbot_654b1a59 Windows This strike sends a malware sample known as Trickbot. Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts. 654b1a591b182b0665352dde68720652 https://blog.talosintelligence.com/2021/08/threat-roundup-0730-0806.html
SHA256: 2224cc59bb76c875cfcf04df8ad82f6c3c4c5418ab0a281bd0cd1ba73d685a1f
SHA1: 77a416f2f7898d7c5c542d8dff00aecc23b6be62
MD5: 654b1a591b182b0665352dde68720652
M21-6oee1 Qakbot_a3d6462c Windows This strike sends a malware sample known as Qakbot. Qakbot, aka Qbot, has been around since at least 2008. Qbot primarily targets sensitive information like banking credentials but can also steal FTP credentials and spread across a network using SMB. a3d6462cdc162149e22502c694a7427c https://blog.talosintelligence.com/2021/08/threat-roundup-0806-0813.html
SHA256: 07f0e31106f56a2af7eb4e283625b4b3408f0eeb74c09b1ade3840daa4d1b8bb
SHA1: f99af91f1fd4cc539eb1d552f9160245a071a4b2
MD5: a3d6462cdc162149e22502c694a7427c
M21-sbf81 Qakbot_4f2e59b6 Windows This strike sends a malware sample known as Qakbot. Qakbot, aka Qbot, has been around since at least 2008. Qbot primarily targets sensitive information like banking credentials but can also steal FTP credentials and spread across a network using SMB. 4f2e59b6050e873fd41a0b369b354243 https://blog.talosintelligence.com/2021/08/threat-roundup-0806-0813.html
SHA256: 240e331b52966de8e05cea16155fb5cbf97ccc934af991f7d794107302665b4c
SHA1: a603a8d095d6e0e95c1323b77e9fc748b05320c4
MD5: 4f2e59b6050e873fd41a0b369b354243
M21-qp9u1 Haron_731797d3 Windows This strike sends a malware sample known as Haron. Haron is a ransomware that is being considered a copy or derivative of the Avaddon and Thanos ransomware. It uses the Thanos framework, which was made open source, to infect victims, together with the Avaddon UI, which was also leaked. 731797d30d8ff6eaf901e788bd4e6048 https://medium.com/s2wlab/quick-analysis-of-haron-ransomware-feat-avaddon-and-thanos-1ebb70f64dc4
SHA256: 66ed5384220ff3091903e14a54849f824fdd13ac70dc4e0127eb59c1de801fc2
SHA1: 9d38ce8e4c3ca5fbdfdfbed3ec452151041189c0
MD5: 731797d30d8ff6eaf901e788bd4e6048
M21-ksoe1 Qakbot_4989af5b Windows This strike sends a malware sample known as Qakbot. Qakbot, aka Qbot, has been around since at least 2008. Qbot primarily targets sensitive information like banking credentials but can also steal FTP credentials and spread across a network using SMB. 4989af5b16f7fdb9de808337dbdc0b3a https://blog.talosintelligence.com/2021/08/threat-roundup-0806-0813.html
SHA256: 3383b0672661207be263722ba4cd2341bb90f680819359cb07c26c6b7dfcaa9b
SHA1: 4357873c9c578632bc76a180a10d60002570b542
MD5: 4989af5b16f7fdb9de808337dbdc0b3a
M21-s16t1 Ramnit_52efe8c8 Windows This strike sends a malware sample known as Ramnit. Ramnit is a banking trojan that has been around since 2010 and has recently resumed activity. After infection, it scans files that have interesting keywords, such as "wallet", "passwords", or the names of the targeted banks. Ramnit uses malvertising and malware-laden spam for distribution, though it also employed popular exploit kits, such as Angler. 52efe8c8b4205a6c099ade4e32aeea32 https://blog.talosintelligence.com/2021/08/threat-roundup-0813-0820.html
SHA256: 72d4e7805d94785b9c95147f8a42e3700f2bfa56a79a46dfcf0791bd3a0f090d
SHA1: c8d7c5629cf6775d7e6361c5756a0b3561f35429
MD5: 52efe8c8b4205a6c099ade4e32aeea32
M21-ijkd1 BlackMatter_98a3bee4 Windows This strike sends a polymorphic malware sample known as BlackMatter. BlackMatter is a Ransomware-as-a-Service (RaaS). It has followed in the footsteps of its predecessors DarkSide and REvil with much of the same functionality. It can elevate privileges, kill processes, and even steal the victim's details. The binary has been packed using the UPX packer with the default options. 98a3bee4399116289036d0224aac78d7 https://news.sophos.com/en-us/2021/08/09/blackmatter-ransomware-emerges-from-the-shadow-of-darkside/
SHA256: 5475378077eb6a5841515dd35c5b8e0ca9181000e3a06da4cb30f02c66fb1408
https://attack.mitre.org/techniques/T1045/
PARENTID: M21-mfzl1
SSDEEP: 768:PNETtdX7D3UKhRmr6GRfIC7uSj9UBiXUO8vR3V8YZaAQ0hMTndaN/:qp1arxxum94eU1pnVQ0qdaN
SHA1: 4bffcde1b205b8aba0b648006b89958891175a7c
MD5: 98a3bee4399116289036d0224aac78d7
M21-obcm1 BlackMatter_ac50d0bc Windows This strike sends a polymorphic malware sample known as BlackMatter. BlackMatter is a Ransomware-as-a-Service (RaaS). It has followed in the footsteps of its predecessors DarkSide and REvil with much of the same functionality. It can elevate privileges, kill processes, and even steal the victim's details. The binary has the checksum in its PE header removed. ac50d0bc460a702822ebae99a86761b5 https://news.sophos.com/en-us/2021/08/09/blackmatter-ransomware-emerges-from-the-shadow-of-darkside/
SHA256: 473e2f87064a676a943f2c62d25deb42032cdb1a31c0b765683da0c75f221d91
https://arxiv.org/abs/1801.08917
PARENTID: M21-73ke1
SSDEEP: 1536:aICS4AgxwhjEO3r825exqkHYnKeGsXqsMt:Z2SN3mxYnKr
SHA1: 4fcada52709b935f0bf968eaf52a806acfb006ce
MD5: ac50d0bc460a702822ebae99a86761b5
M21-s1371 Ramnit_4a7a546c Windows This strike sends a malware sample known as Ramnit. Ramnit is a banking trojan that has been around since 2010 and has recently resumed activity. After infection, it scans files that have interesting keywords, such as "wallet", "passwords", or the names of the targeted banks. Ramnit uses malvertising and malware-laden spam for distribution, though it also employed popular exploit kits, such as Angler. 4a7a546c94e0918c95ae5a4cc9575042 https://blog.talosintelligence.com/2021/08/threat-roundup-0813-0820.html
SHA256: 38953969ed21113318984529205154f47908974d18e791e04955386aaf4dadaf
SHA1: f5ead2a3a942288e4f1f80870eb64e97b6ca00d3
MD5: 4a7a546c94e0918c95ae5a4cc9575042
M21-85jk1 Qakbot_8f46946b Windows This strike sends a malware sample known as Qakbot. Qakbot, aka Qbot, has been around since at least 2008. Qbot primarily targets sensitive information like banking credentials but can also steal FTP credentials and spread across a network using SMB. 8f46946bc6fe6cd5843ca93c5b7d3045 https://blog.talosintelligence.com/2021/08/threat-roundup-0806-0813.html
SHA256: 03cb6dc235578dd1562851d4d06555af1cf9382353ba3f54306a27e37a5305a1
SHA1: aeea21e79394c7cea389e818f55731563c589d28
MD5: 8f46946bc6fe6cd5843ca93c5b7d3045
M21-ah8i1 Trickbot_64a8dfe6 Windows This strike sends a malware sample known as Trickbot. Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts. 64a8dfe64ee1298325a8af441ae6abef https://blog.talosintelligence.com/2021/08/threat-roundup-0730-0806.html
SHA256: 3359b593b46b2c55971ab4f5a10228ffd462a8f5fd8b9357a71955b6a1e1e477
SHA1: cbf88ed990eebeb0f4179b70f126309b8b2b6aae
MD5: 64a8dfe64ee1298325a8af441ae6abef
M21-45971 BlackMatter_b73ff289 Windows This strike sends a polymorphic malware sample known as BlackMatter. BlackMatter is a Ransomware-as-a-Service (RaaS). It has followed in the footsteps of its predecessors DarkSide and REvil with much of the same functionality. It can elevate privileges, kill processes, and even steal the victim's details. The binary has one additional import added to its import table. b73ff289f910386f378a9b0a86b82fe9 https://news.sophos.com/en-us/2021/08/09/blackmatter-ransomware-emerges-from-the-shadow-of-darkside/
SHA256: 2137b44db4676a8a9ccf838bb415cff759bfde9a116f894c99b72b9c7ad99779
https://arxiv.org/abs/1702.05983
PARENTID: M21-do2n1
SSDEEP: 1536:RzICS4AT6GxdEe+TOdincJXvKvwZg3klyDV:qR7auJXSYZg3CO
SHA1: e42e493ca6e748ef4ea9f3548575a4be779ddcef
MD5: b73ff289f910386f378a9b0a86b82fe9
M21-zsjp1 BlackMatter_9d047a42 Windows This strike sends a polymorphic malware sample known as BlackMatter. BlackMatter is a Ransomware-as-a-Service (RaaS). It has followed in the footsteps of its predecessors DarkSide and REvil with much of the same functionality. It can elevate privileges, kill processes, and even steal the victim's details. The binary has random bytes appended at the end of the file. 9d047a4230a677be7daf5268a075d7e2 https://news.sophos.com/en-us/2021/08/09/blackmatter-ransomware-emerges-from-the-shadow-of-darkside/
SHA256: 9e2f23be87942756483bec3d374f6405dc77cb2f458e3f4d9439ac5e603dd15d
https://attack.mitre.org/techniques/T1009/
PARENTID: M21-73ke1
SSDEEP: 1536:yICS4AgxwhjEO3r825exqkHYnKeGsXqsMtn:R2SN3mxYnKr5
SHA1: f9ebc7f793d5ae05f058274ca1d993d03e968e5f
MD5: 9d047a4230a677be7daf5268a075d7e2
M21-52731 Qakbot_3f7f4d66 Windows This strike sends a malware sample known as Qakbot. Qakbot, aka Qbot, has been around since at least 2008. Qbot primarily targets sensitive information like banking credentials but can also steal FTP credentials and spread across a network using SMB. 3f7f4d669ff9f912a8bceafc89f2b924 https://blog.talosintelligence.com/2021/08/threat-roundup-0806-0813.html
SHA256: 03fe14caddbd6902e265a566efcbeacda1a413065a98b66b4e74fa59cea083e4
SHA1: 0ffd77b60f25c3324e79c1772615370c773c8b55
MD5: 3f7f4d669ff9f912a8bceafc89f2b924
M21-mvvm1 Qakbot_a896b96a Windows This strike sends a malware sample known as Qakbot. Qakbot, aka Qbot, has been around since at least 2008. Qbot primarily targets sensitive information like banking credentials but can also steal FTP credentials and spread across a network using SMB. a896b96a31d0ece9e401e1d77b7d6567 https://blog.talosintelligence.com/2021/08/threat-roundup-0806-0813.html
SHA256: 1502723beda5c3fc95c3532d89ee16bdd3ad5ead9f323ee48be4d653474110bc
SHA1: ca8bf9a73c90dbbbb8a202d7361327245b1554df
MD5: a896b96a31d0ece9e401e1d77b7d6567
M21-ienp1 Ramnit_68464084 Windows This strike sends a malware sample known as Ramnit. Ramnit is a banking trojan that has been around since 2010 and has recently resumed activity. After infection, it scans files that have interesting keywords, such as "wallet", "passwords", or the names of the targeted banks. Ramnit uses malvertising and malware-laden spam for distribution, though it also employed popular exploit kits, such as Angler. 68464084c82fbd09faebcbf040dfc7c4 https://blog.talosintelligence.com/2021/08/threat-roundup-0813-0820.html
SHA256: 01b7940f00b1fe720244be50cb1eaa65cf41d91d387b0009d7c3c02332c6d90a
SHA1: 6d8c13cd8c7f1e0626e9e574204bc6f8495685c3
MD5: 68464084c82fbd09faebcbf040dfc7c4
M21-taw21 Qakbot_e5a95f5f Windows This strike sends a malware sample known as Qakbot. Qakbot, aka Qbot, has been around since at least 2008. Qbot primarily targets sensitive information like banking credentials but can also steal FTP credentials and spread across a network using SMB. e5a95f5f45d3afd5f9f3d0f27692def5 https://blog.talosintelligence.com/2021/08/threat-roundup-0806-0813.html
SHA256: 3337b985888559a139cd62e925156264e64b8a1a8943bbb08ccb7a8c2684b570
SHA1: e2011d84269cfa7ad06f4808ff5f5988259ff938
MD5: e5a95f5f45d3afd5f9f3d0f27692def5
M21-78tz1 Qakbot_86c75973 Windows This strike sends a malware sample known as Qakbot. Qakbot, aka Qbot, has been around since at least 2008. Qbot primarily targets sensitive information like banking credentials but can also steal FTP credentials and spread across a network using SMB. 86c7597356d5b2a7e1c664b83d703efd https://blog.talosintelligence.com/2021/08/threat-roundup-0806-0813.html
SHA256: 0d2aad6da1068580e457b85c1df14497b1f66870c73d9c7b60d387a8ecc587ba
SHA1: 187a83576f0e430af77e6e3243c498138d05687e
MD5: 86c7597356d5b2a7e1c664b83d703efd
Strike ID: M21-auio1
Malware: Haron_af79a121
Platform: Windows
Info: This strike sends a malware sample known as Haron. Haron is a ransomware that is considered a copy or derivative of the Avaddon and Thanos ransomware. It uses the Thanos framework, which was made open source, to infect victims, and the Avaddon UI, which was also leaked.
External References: https://medium.com/s2wlab/quick-analysis-of-haron-ransomware-feat-avaddon-and-thanos-1ebb70f64dc4
SHA256: caf815381680cfa6afedcd7c7af5a5c838788b1c7ec593ce817114a25ab63441
SHA1: 5a1ffabbcb8709c5c29911a4bd09b48a79731968
MD5: af79a121a5c315f5a7b8a2180ccbea0f
Strike ID: M21-cvnq1
Malware: Ramnit_bbb2d2c7
Platform: Windows
Info: This strike sends a malware sample known as Ramnit. Ramnit is a banking trojan that has been around since 2010 and has recently resumed activity. After infection, it scans for files containing interesting keywords, such as "wallet", "passwords", or the names of the targeted banks. Ramnit uses malvertising and malware-laden spam for distribution, though it has also employed popular exploit kits, such as Angler.
External References: https://blog.talosintelligence.com/2021/08/threat-roundup-0813-0820.html
SHA256: 191a8a81de6aee304ac908fccad0c138abccf5baf851714d8e28a3879300500f
SHA1: 32921fe5277fd747d68567dc98fcef7b77863c0e
MD5: bbb2d2c7a02bb20e476ef9ea2483d575
Strike ID: M21-oouo1
Malware: Ramnit_ccbf0c65
Platform: Windows
Info: This strike sends a malware sample known as Ramnit. Ramnit is a banking trojan that has been around since 2010 and has recently resumed activity. After infection, it scans for files containing interesting keywords, such as "wallet", "passwords", or the names of the targeted banks. Ramnit uses malvertising and malware-laden spam for distribution, though it has also employed popular exploit kits, such as Angler.
External References: https://blog.talosintelligence.com/2021/08/threat-roundup-0813-0820.html
SHA256: 03edf7d9493484932879614edd7f0649c8bbcf2a19cef53f602c3f28d92905ab
SHA1: 1dcced722886a65bb349c9208d05bdc9fb3de44f
MD5: ccbf0c6561f9f4cbd092bbcab0455734
Strike ID: M21-exv21
Malware: Ramnit_520c2909
Platform: Windows
Info: This strike sends a malware sample known as Ramnit. Ramnit is a banking trojan that has been around since 2010 and has recently resumed activity. After infection, it scans for files containing interesting keywords, such as "wallet", "passwords", or the names of the targeted banks. Ramnit uses malvertising and malware-laden spam for distribution, though it has also employed popular exploit kits, such as Angler.
External References: https://blog.talosintelligence.com/2021/08/threat-roundup-0813-0820.html
SHA256: 5d5d522c80d90a077cedc1701b69bba4a0ec3b5c607de6802143f334a448d3c8
SHA1: b1609b7be37aee877cc110073a0278eec6bcb3f8
MD5: 520c2909c35be0ed73fa17fc56f43aa4
Strike ID: M21-lmo31
Malware: Qakbot_b6f8b13c
Platform: Windows
Info: This strike sends a malware sample known as Qakbot. Qakbot, aka Qbot, has been around since at least 2008. Qbot primarily targets sensitive information like banking credentials but can also steal FTP credentials and spread across a network using SMB.
External References: https://blog.talosintelligence.com/2021/08/threat-roundup-0806-0813.html
SHA256: 2c4541a8d520b195f8dda3f731584e6391f714e2c4b01f4f97523728511dfb5c
SHA1: 4d0345630121c30d7536fcb1ae8ffebb3d8f1e1e
MD5: b6f8b13c020450d5218ed523754b1b56
Strike ID: M21-3qpg1
Malware: BlackMatter_50c49700
Platform: Windows
Info: This strike sends a malware sample known as BlackMatter. BlackMatter is a Ransomware-as-a-Service, or RaaS. It has followed in the footsteps of its predecessors DarkSide and REvil with much of the same functionality. It can elevate privileges, kill processes, and even steal the victim's details.
External References: https://news.sophos.com/en-us/2021/08/09/blackmatter-ransomware-emerges-from-the-shadow-of-darkside/
SHA256: 520bd9ed608c668810971dbd51184c6a29819674280b018dc4027bc38fc42e57
SHA1: 721a749cbd6afcd765e07902c17d5ab949b04e4a
MD5: 50c4970003a84cab1bf2634631fe39d7
Strike ID: M21-2x1j1
Malware: BlackMatter_48f3e009
Platform: Windows
Info: This strike sends a polymorphic malware sample known as BlackMatter. BlackMatter is a Ransomware-as-a-Service, or RaaS. It has followed in the footsteps of its predecessors DarkSide and REvil with much of the same functionality. It can elevate privileges, kill processes, and even steal the victim's details. The binary has random contents appended to one of the existing sections of the PE file.
External References: https://news.sophos.com/en-us/2021/08/09/blackmatter-ransomware-emerges-from-the-shadow-of-darkside/
SHA256: a5ba6d746e383918f8e9177e0de823e843295fc52612679ed7aa31ef624dabfa
https://arxiv.org/abs/1801.08917
PARENTID: M21-do2n1
SSDEEP: 1536:RzICS4AT6GxdEe+TOdincJXvKv8ZgXkl/:qR7auJXSkZgXC/
SHA1: 6cebe28f484bbc42da23e0051cf0cd1c5cfbdaff
MD5: 48f3e0096689e5b981a7494f9373c466
Strike ID: M21-03o11
Malware: BlackMatter_687e5999
Platform: Windows
Info: This strike sends a polymorphic malware sample known as BlackMatter. BlackMatter is a Ransomware-as-a-Service, or RaaS. It has followed in the footsteps of its predecessors DarkSide and REvil with much of the same functionality. It can elevate privileges, kill processes, and even steal the victim's details. The binary has a section renamed to a random name that still conforms to the PE format specification.
External References: https://news.sophos.com/en-us/2021/08/09/blackmatter-ransomware-emerges-from-the-shadow-of-darkside/
SHA256: b91a54d32e5f4625c25d1e0c2f24a9bab29140cad871a44a04ebb9f50c11b4a0
https://arxiv.org/abs/1801.08917
PARENTID: M21-73ke1
SSDEEP: 1536:2ICS4AgxwhjEO3r825exqkHYnKeGsXqsMt:92SN3mxYnKr
SHA1: 1dbace88ee6dc7d55657e3ce2dd0149a8263697e
MD5: 687e599972236164dbcbd1c229d27087
Strike ID: M21-agjt1
Malware: BlackMatter_4c146e1f
Platform: Windows
Info: This strike sends a polymorphic malware sample known as BlackMatter. BlackMatter is a Ransomware-as-a-Service, or RaaS. It has followed in the footsteps of its predecessors DarkSide and REvil with much of the same functionality. It can elevate privileges, kill processes, and even steal the victim's details. The binary has the debug flag removed from the PE header.
External References: https://news.sophos.com/en-us/2021/08/09/blackmatter-ransomware-emerges-from-the-shadow-of-darkside/
SHA256: 984192ecd4ddbbf484f7d26c4b63db9c79b1d0c2e08d969133ebea61f9a58491
https://arxiv.org/abs/1801.08917
PARENTID: M21-mfzl1
SSDEEP: 1536:1zICS4AT6GxdEe+TOdincJXvKv8Zg3kl:WR7auJXSkZg3C
SHA1: c31affeb0609eba44ef0af3983fd29293959a3da
MD5: 4c146e1f99bbdc09ef5fcc8780b5b844
Strike ID: M21-ga7a1
Malware: DarkComet_71be9b56
Platform: Windows
Info: This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system.
External References: https://blog.talosintelligence.com/2021/08/threat-roundup-0806-0813.html
SHA256: 001276dd30093a56534c93cf39335eb23943ab0b532c9ab4bfac250485355b8e
SHA1: 470a908d399dae1af0768726b3091e931b2f2470
MD5: 71be9b56b5d518b855fefbd3514bbc09
Strike ID: M21-60ge1
Malware: Ramnit_cf99487a
Platform: Windows
Info: This strike sends a malware sample known as Ramnit. Ramnit is a banking trojan that has been around since 2010 and has recently resumed activity. After infection, it scans for files containing interesting keywords, such as "wallet", "passwords", or the names of the targeted banks. Ramnit uses malvertising and malware-laden spam for distribution, though it has also employed popular exploit kits, such as Angler.
External References: https://blog.talosintelligence.com/2021/08/threat-roundup-0813-0820.html
SHA256: 604724f5db4975c1aa1eb88eaf1931e674a506b7da0e29f10344b8bb7ce7c15c
SHA1: 8ed68926fd12bd3f4e4efd1ffeb156109b26dbb2
MD5: cf99487abb258b230c1ff2b484a6161a
Strike ID: M21-2oar1
Malware: Ramnit_5e135573
Platform: Windows
Info: This strike sends a malware sample known as Ramnit. Ramnit is a banking trojan that has been around since 2010 and has recently resumed activity. After infection, it scans for files containing interesting keywords, such as "wallet", "passwords", or the names of the targeted banks. Ramnit uses malvertising and malware-laden spam for distribution, though it has also employed popular exploit kits, such as Angler.
External References: https://blog.talosintelligence.com/2021/08/threat-roundup-0813-0820.html
SHA256: ff7ca617a730a8d1f245142054b09a76341dc6b543a239ff7e1d3be28287d902
SHA1: dac07404d30a5736072c5fa76e7e1777f3de95b5
MD5: 5e13557300fce99cd3f4176946f55461
Strike ID: M21-gskn1
Malware: DarkComet_eab4cfa5
Platform: Windows
Info: This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system.
External References: https://blog.talosintelligence.com/2021/08/threat-roundup-0806-0813.html
SHA256: 4bff08590e863279e04681f752fac6770a3863b7000e8a49c0e9c9e1fd3c1863
SHA1: bd5dfec9e308d9bb5345cfcea54850e3d46a6da3
MD5: eab4cfa5c8a4af29ee1727f9814dc806
Strike ID: M21-m3q21
Malware: Ramnit_04cbcba0
Platform: Windows
Info: This strike sends a malware sample known as Ramnit. Ramnit is a banking trojan that has been around since 2010 and has recently resumed activity. After infection, it scans for files containing interesting keywords, such as "wallet", "passwords", or the names of the targeted banks. Ramnit uses malvertising and malware-laden spam for distribution, though it has also employed popular exploit kits, such as Angler.
External References: https://blog.talosintelligence.com/2021/08/threat-roundup-0813-0820.html
SHA256: 5b2ca117e7bfddd8863b6a61520433488e50155db71f9c681f174819ff975034
SHA1: bcbb4198cb7eb1f453b88acde49b3d50f86cc98d
MD5: 04cbcba0a0651a66cdcca68366862617
Strike ID: M21-2pw31
Malware: BlackMatter_ba375d06
Platform: Windows
Info: This strike sends a malware sample known as BlackMatter. BlackMatter is a Ransomware-as-a-Service, or RaaS. It has followed in the footsteps of its predecessors DarkSide and REvil with much of the same functionality. It can elevate privileges, kill processes, and even steal the victim's details.
External References: https://news.sophos.com/en-us/2021/08/09/blackmatter-ransomware-emerges-from-the-shadow-of-darkside/
SHA256: c6e2ef30a86baa670590bd21acf5b91822117e0cbe6060060bc5fe0182dace99
SHA1: 379ebd1eff6f8685f4ff72657626bf6df5383d87
MD5: ba375d0625001102fc1f2ccb6f582d91
Strike ID: M21-tnzs1
Malware: Trickbot_22409c5a
Platform: Windows
Info: This strike sends a malware sample known as Trickbot. Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts.
External References: https://blog.talosintelligence.com/2021/08/threat-roundup-0730-0806.html
SHA256: 27acdc8a6518e083365a5cebd518a98f5755fb2a4b588257b3f052ed3aca2b47
SHA1: ff65f20a80b425ed1e773629a9738dd277c778e4
MD5: 22409c5a370a8bb00faace48c76f67fb
Strike ID: M21-0bby1
Malware: DarkComet_eda137e5
Platform: Windows
Info: This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system.
External References: https://blog.talosintelligence.com/2021/08/threat-roundup-0806-0813.html
SHA256: 1845ebdef56daeb7edebc6677864436a036d3b043b7e1923b75c65594d4345a9
SHA1: 7922c27a57c22667d03eb0aa1c62075b1c1d64b6
MD5: eda137e5ecbae3a6e14adc9266ccf038
Strike ID: M21-xntt1
Malware: Thanos_e01e11dc
Platform: Windows
Info: This strike sends a malware sample known as Thanos. Thanos ransomware offers the user the option to customize and include a variety of functions and capabilities. The Thanos builder code was recently made available and many variants have started to surface with its framework at the core. This version of Thanos includes the ability to overwrite the MBR and display the same ransom message, as well as the ability to detect and evade analysis tools.
External References: https://unit42.paloaltonetworks.com/thanos-ransomware/
SHA256: 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f
SHA1: 4983d07f004436caa3f10b38adacbba6a4ede01a
MD5: e01e11dca5e8b08fc8231b1cb6e2048c
Strike ID: M21-b4tj1
Malware: Trickbot_12b50245
Platform: Windows
Info: This strike sends a malware sample known as Trickbot. Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts.
External References: https://blog.talosintelligence.com/2021/08/threat-roundup-0730-0806.html
SHA256: 14c0fd429ed69daddb8b66b41cc4d1630f7dbf5951b52ab1ced2289449fa1b55
SHA1: 2957f592cebf00ce6fc41cddaa2edad4f6314e3a
MD5: 12b5024549eb5412d5211cf9848b1bfb
Strike ID: M21-3ft71
Malware: Trickbot_68037c38
Platform: Windows
Info: This strike sends a malware sample known as Trickbot. Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts.
External References: https://blog.talosintelligence.com/2021/08/threat-roundup-0730-0806.html
SHA256: 284b939dbd6258063b3a4d43911635e28926667947435a9697b93661417884e8
SHA1: 2814f8f46f27626301f34204d57df0c0d528a843
MD5: 68037c38f6b16cdf60c8c2b0d29bfeab
Strike ID: M21-hhwg1
Malware: Ramnit_f457f41a
Platform: Windows
Info: This strike sends a malware sample known as Ramnit. Ramnit is a banking trojan that has been around since 2010 and has recently resumed activity. After infection, it scans for files containing interesting keywords, such as "wallet", "passwords", or the names of the targeted banks. Ramnit uses malvertising and malware-laden spam for distribution, though it has also employed popular exploit kits, such as Angler.
External References: https://blog.talosintelligence.com/2021/08/threat-roundup-0813-0820.html
SHA256: 731fc49dabea5962c6a00ef142a75a507415e2aae14d426e063f9e53a60355ca
SHA1: 35c5df0b662cf6093c5a2891f9e27e31728a09a6
MD5: f457f41a6bd5a0a1e4608c8a097d6a43
Strike ID: M21-73ke1
Malware: BlackMatter_1dd464cb
Platform: Windows
Info: This strike sends a malware sample known as BlackMatter. BlackMatter is a Ransomware-as-a-Service, or RaaS. It has followed in the footsteps of its predecessors DarkSide and REvil with much of the same functionality. It can elevate privileges, kill processes, and even steal the victim's details.
External References: https://news.sophos.com/en-us/2021/08/09/blackmatter-ransomware-emerges-from-the-shadow-of-darkside/
SHA256: b824bbc645f15e213b4cb2628f7d383e9e37282059b03f6fe60f7c84ea1fed1f
SHA1: cafd8d20f2abaebbbfc367b4b4512107362f3758
MD5: 1dd464cbb3fbd6881eef3f05b8b1fbd5
Strike ID: M21-6n8o1
Malware: BlackMatter_c5ef4711
Platform: Windows
Info: This strike sends a polymorphic malware sample known as BlackMatter. BlackMatter is a Ransomware-as-a-Service, or RaaS. It has followed in the footsteps of its predecessors DarkSide and REvil with much of the same functionality. It can elevate privileges, kill processes, and even steal the victim's details. The binary has been packed with the UPX packer using its default options.
External References: https://news.sophos.com/en-us/2021/08/09/blackmatter-ransomware-emerges-from-the-shadow-of-darkside/
SHA256: 5864517605fcaa6416bd2a4241b9f3a2b96c12a35f320859a95dabd9caaefbc6
https://attack.mitre.org/techniques/T1045/
PARENTID: M21-73ke1
SSDEEP: 768:9Esd1Xkoqgm1lGG9MsmWpIowIx0Uko82MrKdzW5F8hMoZQUJkwjbP+9:BB8JlGUMlBho82RE38/ZQdub
SHA1: 1be04991c3d57c641fd1e40e7ae37f12f744d744
MD5: c5ef4711b1b6303b622a8c73f4704430
Strike ID: M21-rp6e1
Malware: Thanos_d6d95626
Platform: Windows
Info: This strike sends a malware sample known as Thanos. Thanos ransomware offers the user the option to customize and include a variety of functions and capabilities. The Thanos builder code was recently made available and many variants have started to surface with its framework at the core. This version of Thanos includes the ability to overwrite the MBR and display the same ransom message, as well as the ability to detect and evade analysis tools.
External References: https://unit42.paloaltonetworks.com/thanos-ransomware/
SHA256: c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850
SHA1: cc0feae505dad9c140dd21d1b40b518d8e61b3a4
MD5: d6d956267a268c9dcf48445629d2803e
Strike ID: M21-gscf1
Malware: Ramnit_3eb1a18b
Platform: Windows
Info: This strike sends a malware sample known as Ramnit. Ramnit is a banking trojan that has been around since 2010 and has recently resumed activity. After infection, it scans for files containing interesting keywords, such as "wallet", "passwords", or the names of the targeted banks. Ramnit uses malvertising and malware-laden spam for distribution, though it has also employed popular exploit kits, such as Angler.
External References: https://blog.talosintelligence.com/2021/08/threat-roundup-0813-0820.html
SHA256: 021dc00f29097bae2e878dadd5aef152f6deb540b0cc7220cc61e9f782990f23
SHA1: 581ffa02cee0ed85800d7437b4c23a97c7bd087a
MD5: 3eb1a18b4c1516e434c54d6ef8a151cc
Strike ID: M21-2hr11
Malware: Trickbot_ea8ace01
Platform: Windows
Info: This strike sends a malware sample known as Trickbot. Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts.
External References: https://blog.talosintelligence.com/2021/08/threat-roundup-0730-0806.html
SHA256: 14c64c9047b71fce74225216653b3491861d8f9274afa3519ae1976f2b8d76a0
SHA1: 952e147614595fc84fdf68a3a65eaf1c1698b013
MD5: ea8ace0142ab9a30a140134d558a43df
Strike ID: M21-w90c1
Malware: Trickbot_b638dabc
Platform: Windows
Info: This strike sends a malware sample known as Trickbot. Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts.
External References: https://blog.talosintelligence.com/2021/08/threat-roundup-0730-0806.html
SHA256: 1afc3ee244bda23d65c3495c30a3ebad2b7a716f6eb62bc02b6ac036082af227
SHA1: 5e3ec28c9c57af4defc98db4384d3c9517d340ae
MD5: b638dabcf64b3233ea43318c981c536b
Strike ID: M21-he5b1
Malware: BlackMatter_1019e015
Platform: Windows
Info: This strike sends a polymorphic malware sample known as BlackMatter. BlackMatter is a Ransomware-as-a-Service, or RaaS. It has followed in the footsteps of its predecessors DarkSide and REvil with much of the same functionality. It can elevate privileges, kill processes, and even steal the victim's details. The binary has the checksum removed from the PE header.
External References: https://news.sophos.com/en-us/2021/08/09/blackmatter-ransomware-emerges-from-the-shadow-of-darkside/
SHA256: 84af3f15701d259f3729d83beb15ca738028432c261353d1f9242469d791714f
https://arxiv.org/abs/1801.08917
PARENTID: M21-mfzl1
SSDEEP: 1536:jzICS4AT6GxdEe+TOdincJXvKv8Zg3kl:8R7auJXSkZg3C
SHA1: 369445caaca7ba44bc684f9d9fd7651467ed5167
MD5: 1019e0151d6c55eeecf06443fa6197c7
Strike ID: M21-y6d41
Malware: DarkComet_096522f8
Platform: Windows
Info: This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system.
External References: https://blog.talosintelligence.com/2021/08/threat-roundup-0806-0813.html
SHA256: 4efae949b98bf76d42f3613a7864e3d70ada3d1b2824149b3a40a07a3654160d
SHA1: d746956c2ef6a1756829efdaab0ce3defd519416
MD5: 096522f8c09e14d2e70723bd8d0ecd21
Strike ID: M21-0iu61
Malware: Qakbot_40155b0f
Platform: Windows
Info: This strike sends a malware sample known as Qakbot. Qakbot, aka Qbot, has been around since at least 2008. Qbot primarily targets sensitive information like banking credentials but can also steal FTP credentials and spread across a network using SMB.
External References: https://blog.talosintelligence.com/2021/08/threat-roundup-0806-0813.html
SHA256: 20d724fc562fa14b107c292020f6d03cb3c958d90a79ce3476e3f877f46ea0e8
SHA1: 5b11840b071e4e69a021d10a8349b9c60768094f
MD5: 40155b0fba5d52eb6c3dc9b1164e6404
Strike ID: M21-2vcp1
Malware: BlackMatter_b492d118
Platform: Windows
Info: This strike sends a polymorphic malware sample known as BlackMatter. BlackMatter is a Ransomware-as-a-Service, or RaaS. It has followed in the footsteps of its predecessors DarkSide and REvil with much of the same functionality. It can elevate privileges, kill processes, and even steal the victim's details. The binary has random bytes appended at the end of the file.
External References: https://news.sophos.com/en-us/2021/08/09/blackmatter-ransomware-emerges-from-the-shadow-of-darkside/
SHA256: bd2b55ffb7c8a10662e0946d3f0124294b421b2eafb82fd4f13dab95de6ae385
https://attack.mitre.org/techniques/T1009/
PARENTID: M21-mfzl1
SSDEEP: 1536:RzICS4AT6GxdEe+TOdincJXvKv8Zg3kl1:qR7auJXSkZg3C1
SHA1: 52a17b1a3525365b6c84b6f28b42d9df20c68d41
MD5: b492d118edc1f091d3371012c2463e57
Strike ID: M21-51dw1
Malware: Thanos_1d45efc7
Platform: Windows
Info: This strike sends a polymorphic malware sample known as Thanos. Thanos ransomware offers the user the option to customize and include a variety of functions and capabilities. The Thanos builder code was recently made available and many variants have started to surface with its framework at the core. This version of Thanos includes the ability to overwrite the MBR and display the same ransom message, as well as the ability to detect and evade analysis tools. The binary has random strings (lorem ipsum) appended at the end of the file.
External References: https://unit42.paloaltonetworks.com/thanos-ransomware/
SHA256: 36f584b8d76e4ddb40b3af735b9fc275783d7e0f27e1f238b9642cc23081eb77
https://attack.mitre.org/techniques/T1009/
PARENTID: M21-rp6e1
SSDEEP: 1536:OXMLuZQG3KJ3QaIH9shR4fZcvr4C9u3MTIdD9mtthd9JovrgmqhtvM4CoLT6QPb4:gMLuZraJ3a0ehcvv9sM+9mtthd0gmWkH
SHA1: 846fcbbbbcf1152b1c93dfa6583533b001e5b556
MD5: 1d45efc7078b10c28a1d606053d066af
Strike ID: M21-kwps1
Malware: Qakbot_925bb382
Platform: Windows
Info: This strike sends a malware sample known as Qakbot. Qakbot, aka Qbot, has been around since at least 2008. Qbot primarily targets sensitive information like banking credentials but can also steal FTP credentials and spread across a network using SMB.
External References: https://blog.talosintelligence.com/2021/08/threat-roundup-0806-0813.html
SHA256: 16ad7701d366ef3dab53c0979741279b684f2f94fb52398a788071438921b31d
SHA1: 6717f38fc8d211e7c2afa917030f2f1eff91a6d8
MD5: 925bb382d450c773a5585ccdf6f13884
Strike ID: M21-bkdk1
Malware: Thanos_18cec1f1
Platform: Windows
Info: This strike sends a polymorphic malware sample known as Thanos. Thanos ransomware offers the user the option to customize and include a variety of functions and capabilities. The Thanos builder code was recently made available and many variants have started to surface with its framework at the core. This version of Thanos includes the ability to overwrite the MBR and display the same ransom message, as well as the ability to detect and evade analysis tools. The binary has a section renamed to a random name that still conforms to the PE format specification.
External References: https://unit42.paloaltonetworks.com/thanos-ransomware/
SHA256: 5fc581f02abb01a666d8fb9200ad2d3fa11e9d0f4aaf11e5e26ba0fe463892b4
https://arxiv.org/abs/1801.08917
PARENTID: M21-ogcu1
SSDEEP: 1536:TguHLgeS6umiCp31W4qYXgsLlOqrgB9GpF7LXdarTkCAKL5dsluhtvM4CoLT6QPg:86seqCp31Hgsp9a9GTrda8CAKLTsWkyI
SHA1: 497d83dff7465190d640b10e015024d4aeb45c20
MD5: 18cec1f15061129aff9fa49bc639dbbe
Strike ID: M21-vom11
Malware: Qakbot_55abb44e
Platform: Windows
Info: This strike sends a malware sample known as Qakbot. Qakbot, aka Qbot, has been around since at least 2008. Qbot primarily targets sensitive information like banking credentials but can also steal FTP credentials and spread across a network using SMB.
External References: https://blog.talosintelligence.com/2021/08/threat-roundup-0806-0813.html
SHA256: 3c4e2eb21f26dee76e957a5c46b0492a43bf4dd53651615b2a84940011257929
SHA1: f403de4fc77e457f3a695dba08dc1376b7cd769c
MD5: 55abb44e737b2a7a27b0f424bb5d2ba5
Strike ID: M21-r04g1
Malware: Haron_e8f8e4eb
Platform: Windows
Info: This strike sends a malware sample known as Haron. Haron is a ransomware that is considered a copy or derivative of the Avaddon and Thanos ransomware. It uses the Thanos framework, which was made open source, to infect victims, and the Avaddon UI, which was also leaked.
External References: https://medium.com/s2wlab/quick-analysis-of-haron-ransomware-feat-avaddon-and-thanos-1ebb70f64dc4
SHA256: 81411c9010f2adcb4758bac5ed6128d5a76b24689d477f6ed2c3003fd57e4f3b
SHA1: 8ae409a74a209c304233ce6c6f778915fc59264f
MD5: e8f8e4eb0d2c03f0b12fb1cf09932bbd
Strike ID: M21-4w111
Malware: BlackMatter_cfacfde5
Platform: Windows
Info: This strike sends a polymorphic malware sample known as BlackMatter. BlackMatter is a Ransomware-as-a-Service, or RaaS. It has followed in the footsteps of its predecessors DarkSide and REvil with much of the same functionality. It can elevate privileges, kill processes, and even steal the victim's details. The binary has the debug flag removed from the PE header.
External References: https://news.sophos.com/en-us/2021/08/09/blackmatter-ransomware-emerges-from-the-shadow-of-darkside/
SHA256: e05c2049e12dda3a36a21f6fa2acd3cb532743e61d5d11a2503f3069b38de3be
https://arxiv.org/abs/1801.08917
PARENTID: M21-do2n1
SSDEEP: 1536:1zICS4AT6GxdEe+TOdincJXvKv8Zg3kl/:WR7auJXSkZg3C/
SHA1: ca9147e7086940b8520b6c8565d20e7452445bf3
MD5: cfacfde557d2762c0b7932b03c683b8a
Strike ID: M21-oig31
Malware: Trickbot_c0f61798
Platform: Windows
Info: This strike sends a malware sample known as Trickbot. Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts.
External References: https://blog.talosintelligence.com/2021/08/threat-roundup-0730-0806.html
SHA256: 19e74a92942859c1f9d23cf1a924d5232663226e44a64f90712f6d7653d03f25
SHA1: 413cf8a13c6ca782a827dbf51d655e236ed1827e
MD5: c0f6179824cdd74331aa36aea17315a3
Strike ID: M21-67v01
Malware: BlackMatter_3317daac
Platform: Windows
Info: This strike sends a malware sample known as BlackMatter. BlackMatter is a Ransomware-as-a-Service, or RaaS. It has followed in the footsteps of its predecessors DarkSide and REvil with much of the same functionality. It can elevate privileges, kill processes, and even steal the victim's details.
External References: https://news.sophos.com/en-us/2021/08/09/blackmatter-ransomware-emerges-from-the-shadow-of-darkside/
SHA256: e4fd947a781611c85ea2e5afa51b186de7f351026c28eb067ad70028acd72cda
SHA1: 02fa74523198ebc1db490bdc6f10a78a44c4e28b
MD5: 3317daace715dc332622d883091cf68b
Strike ID: M21-wlko1
Malware: Haron_dedad693
Platform: Windows
Info: This strike sends a malware sample known as Haron. Haron is a ransomware that is considered a copy or derivative of the Avaddon and Thanos ransomware. It uses the Thanos framework, which was made open source, to infect victims, and the Avaddon UI, which was also leaked.
External References: https://medium.com/s2wlab/quick-analysis-of-haron-ransomware-feat-avaddon-and-thanos-1ebb70f64dc4
SHA256: 6e6b78a1df17d6718daa857827a2a364b7627d9bfd6672406ad72b276014209c
SHA1: 0475d9d3485583090f00b1c37450771ccd0df00e
MD5: dedad693898bba0e4964e6c9a749d380
Strike ID: M21-4x901
Malware: Qakbot_70011104
Platform: Windows
Info: This strike sends a malware sample known as Qakbot. Qakbot, aka Qbot, has been around since at least 2008. Qbot primarily targets sensitive information like banking credentials but can also steal FTP credentials and spread across a network using SMB.
External References: https://blog.talosintelligence.com/2021/08/threat-roundup-0806-0813.html
SHA256: 3136bf60107ecc6bcf659edd6e60cf01b3228fc7098a4bf2acf7d5a250ac3f29
SHA1: 591a90474b8bfae7ddd33cf9620b827f7f13a876
MD5: 70011104f678ba095188b3975d29aa6b
Strike ID: M21-xeda1
Malware: Qakbot_5b656068
Platform: Windows
Info: This strike sends a malware sample known as Qakbot. Qakbot, aka Qbot, has been around since at least 2008. Qbot primarily targets sensitive information like banking credentials but can also steal FTP credentials and spread across a network using SMB.
External References: https://blog.talosintelligence.com/2021/08/threat-roundup-0806-0813.html
SHA256: 40934bae7c322b0d6ae26a5a90dc17ad28f5d964a9c2032de0243043781c586d
SHA1: faee87cf8b22bc93f93f8ce5ec9edd19fea9b8ea
MD5: 5b6560682dbd9b107b0b8d3acb1f6267
Strike ID: M21-3ary1
Malware: Ramnit_b4a403f5
Platform: Windows
Info: This strike sends a malware sample known as Ramnit. Ramnit is a banking trojan that has been around since 2010 and has recently resumed activity. After infection, it scans for files containing interesting keywords, such as "wallet", "passwords", or the names of the targeted banks. Ramnit uses malvertising and malware-laden spam for distribution, though it has also employed popular exploit kits, such as Angler.
External References: https://blog.talosintelligence.com/2021/08/threat-roundup-0813-0820.html
SHA256: 70c417fcdd20459484733bc71379e11b17dbea93b4848e1a990dc68e928c04ce
SHA1: 8b2906600c9c5e692ee1fbab39c7d816c008a4f6
MD5: b4a403f53da0d72524dd7600b7d68dca
Strike ID: M21-3h6h1
Malware: BlackMatter_bff66be9
Platform: Windows
Info: This strike sends a polymorphic malware sample known as BlackMatter. BlackMatter is a Ransomware-as-a-Service, or RaaS. It has followed in the footsteps of its predecessors DarkSide and REvil with much of the same functionality. It can elevate privileges, kill processes, and even steal the victim's details. The binary has a section renamed to a random name that still conforms to the PE format specification.
External References: https://news.sophos.com/en-us/2021/08/09/blackmatter-ransomware-emerges-from-the-shadow-of-darkside/
SHA256: 9bb22043e0551eaaa84efc99d21c0da1732d12f153104c72ccdbe0975d344d91
https://arxiv.org/abs/1801.08917
PARENTID: M21-do2n1
SSDEEP: 1536:MzICS4AT6GxdEe+TOdincJXvKv8Zg3kl/:jR7auJXSkZg3C/
SHA1: a69a48bd9004440b3bd9103424687da259b4e361
MD5: bff66be9812f514e2ba8bd00746ef5cf
Strike ID: M21-59y61
Malware: DarkComet_0024d4df
Platform: Windows
Info: This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system.
External References: https://blog.talosintelligence.com/2021/08/threat-roundup-0806-0813.html
SHA256: 445d9223cdc386994df6089ab69340c195b06125cf30b9424d44c0eb24b0d502
SHA1: b3cce32d5fcdcbc1d1b8413877a8d6a1a986ec86
MD5: 0024d4df650a7d03dae83d24097cfa10
Strike ID: M21-np1r1
Malware: Trickbot_b1313c41
Platform: Windows
Info: This strike sends a malware sample known as Trickbot. Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts.
External References: https://blog.talosintelligence.com/2021/08/threat-roundup-0730-0806.html
SHA256: 057ffc3a33d129bbb509f49bbff396c750f0a5186b30633fee9b05ac544a1a52
SHA1: b5e428ca952f590db676494799584e81be8b0a63
MD5: b1313c41c879457c5c15bfefcce64f66
Strike ID: M21-xdp41
Malware: Trickbot_11975ca9
Platform: Windows
Info: This strike sends a malware sample known as Trickbot. Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts.
External References: https://blog.talosintelligence.com/2021/08/threat-roundup-0730-0806.html
SHA256: 02dd2fe1cd74b60e822ae700a1c4be45139a6aa88a5f81ce5e9a6644d6b2d2d8
SHA1: ff090427e7118382924b765e0ef1605b5b2ea8ee
MD5: 11975ca9e9ebb3f66129e59d490fc257
Strike ID: M21-s87e1
Malware: Haron_04ef9ed3
Platform: Windows
Info: This strike sends a malware sample known as Haron. Haron is a ransomware that is considered a copy or derivative of the Avaddon and Thanos ransomware. It uses the Thanos framework, which was made open source, to infect victims, and the Avaddon UI, which was also leaked.
External References: https://medium.com/s2wlab/quick-analysis-of-haron-ransomware-feat-avaddon-and-thanos-1ebb70f64dc4
SHA256: cbdb04d23e395b270e16d7ca81cc6b734039fa069932989d4e4f4d4d266df28b
SHA1: 39e30adae70f605e09db5c5a359a53e4e6f3a14a
MD5: 04ef9ed3902dadccabb678c9dad53f19
Strike ID: M21-j7tl1
Malware: Thanos_03b76a51
Platform: Windows
Info: This strike sends a malware sample known as Thanos. Thanos ransomware offers the user the option to customize and include a variety of functions and capabilities. The Thanos builder code was recently made available and many variants have started to surface with its framework at the core. This version of Thanos includes the ability to overwrite the MBR and display the same ransom message, as well as the ability to detect and evade analysis tools.
External References: https://unit42.paloaltonetworks.com/thanos-ransomware/
SHA256: ae66e009e16f0fad3b70ad20801f48f2edb904fa5341a89e126a26fd3fc80f75
SHA1: 60053d661ed03cd2a07f6750532e6ef11abcc4e5
MD5: 03b76a5130d0df8134a6bdea7fe97bcd
Strike ID: M21-5e5r1 | Malware: Ramnit_b3632d95 | Platform: Windows
Info: This strike sends a malware sample known as Ramnit. Ramnit is a banking trojan that has been around since 2010 and has recently resumed activity. After infection, it scans for files containing keywords of interest, such as "wallet", "passwords", or the names of the targeted banks. Ramnit is distributed through malvertising and malware-laden spam, and has also used popular exploit kits such as Angler.
External References: https://blog.talosintelligence.com/2021/08/threat-roundup-0813-0820.html
SHA256: 888368daa079dad1ba47d59f2ef8d7a5f9352f09004e59aea1e3c1118b72c524
SHA1: fdd23efa8685d25ace96387d793a1822681f4c3b
MD5: b3632d958616bac3b775d19f3347f6cd
Strike ID: M21-vpb91 | Malware: BlackMatter_b5c9d7c1 | Platform: Windows
Info: This strike sends a polymorphic malware sample known as BlackMatter. BlackMatter is a Ransomware-as-a-Service (RaaS). It follows in the footsteps of its predecessors DarkSide and REvil with much of the same functionality: it can elevate privileges, kill processes, and steal the victim's details. The binary has one section renamed to a random name that is valid under the PE format specification.
External References: https://news.sophos.com/en-us/2021/08/09/blackmatter-ransomware-emerges-from-the-shadow-of-darkside/
SHA256: da9d5213bc40b956f306b161eaa859b09bd9fe88101ee5d27503d9656337a4d7
https://arxiv.org/abs/1801.08917
PARENTID: M21-mfzl1
SSDEEP: 1536:tzICS4AT6GxdEe+TOdincJXvKv8Zg3kl:+R7auJXSkZg3C
SHA1: e7e1080eaaafc88cdc21f11e2e32283875b3aa01
MD5: b5c9d7c157a3fffd0cab340313f1c5ec
Strike ID: M21-jcvm1 | Malware: DarkComet_6d0ab127 | Platform: Windows
Info: This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system.
External References: https://blog.talosintelligence.com/2021/08/threat-roundup-0806-0813.html
SHA256: 0063112e85dfaf4331c73ad5a73856cfa5a29911ef8d80c12250a874f60c48ba
SHA1: 3288c15f4dafb1732150eb28e976d76dc7a5d122
MD5: 6d0ab12741204e06e5b8ddcf1ebd4e76
Strike ID: M21-ds931 | Malware: BlackMatter_61d0a6a7 | Platform: Windows
Info: This strike sends a polymorphic malware sample known as BlackMatter. BlackMatter is a Ransomware-as-a-Service (RaaS). It follows in the footsteps of its predecessors DarkSide and REvil with much of the same functionality: it can elevate privileges, kill processes, and steal the victim's details. The binary has been packed with the UPX packer using its default options.
External References: https://news.sophos.com/en-us/2021/08/09/blackmatter-ransomware-emerges-from-the-shadow-of-darkside/
SHA256: 83c0a6a905be917cac1c56b0a3688763543acade02ab73882e0f62782a661ebf
https://attack.mitre.org/techniques/T1045/
PARENTID: M21-do2n1
SSDEEP: 768:BgwSZTs5PurwdYuWMni9LO7Tl76j/4T+m5CrfR:mPTs5Pur35Mn6S+8Cr5
SHA1: 316d6a6f18272839eacb8a346be986cb8858a3dd
MD5: 61d0a6a753435fdae8993473c083b872
Strike ID: M21-do2n1 | Malware: BlackMatter_d0512f20 | Platform: Windows
Info: This strike sends a malware sample known as BlackMatter. BlackMatter is a Ransomware-as-a-Service (RaaS). It follows in the footsteps of its predecessors DarkSide and REvil with much of the same functionality: it can elevate privileges, kill processes, and steal the victim's details.
External References: https://news.sophos.com/en-us/2021/08/09/blackmatter-ransomware-emerges-from-the-shadow-of-darkside/
SHA256: 7f6dd0ca03f04b64024e86a72a6d7cfab6abccc2173b85896fc4b431990a5984
SHA1: e324a2c8fae0d26b12f00ac859340f8d9945a9c1
MD5: d0512f2063cbd79fb0f770817cc81ab3
Strike ID: M21-fp7f1 | Malware: DarkComet_e9398ac5 | Platform: Windows
Info: This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system.
External References: https://blog.talosintelligence.com/2021/08/threat-roundup-0806-0813.html
SHA256: 06cc9a66099e3a7b1cfb87a005501ec3410a280521e02fe39674bf31d4bc4c17
SHA1: 7fbf8fbf093958a5d55a79e03465bffcb0263131
MD5: e9398ac53c135781e952477e91fbb02c
Strike ID: M21-3ba01 | Malware: Ramnit_c6d47278 | Platform: Windows
Info: This strike sends a malware sample known as Ramnit. Ramnit is a banking trojan that has been around since 2010 and has recently resumed activity. After infection, it scans for files containing keywords of interest, such as "wallet", "passwords", or the names of the targeted banks. Ramnit is distributed through malvertising and malware-laden spam, and has also used popular exploit kits such as Angler.
External References: https://blog.talosintelligence.com/2021/08/threat-roundup-0813-0820.html
SHA256: 6788c4a2c0bc6d5f80dc8b5ecb7b37100f6c37d231a389ec906aae784cff529e
SHA1: f9ce1342a8b5762c5b2125025a231eac28bbb536
MD5: c6d472784b73e47ea8af9f50ce45fb58
Strike ID: M21-rws11 | Malware: Trickbot_11364049 | Platform: Windows
Info: This strike sends a malware sample known as Trickbot. Trickbot is a banking trojan that targets sensitive information for select financial institutions. It is frequently distributed through malicious spam campaigns, many of which rely on downloaders such as VBScript files.
External References: https://blog.talosintelligence.com/2021/08/threat-roundup-0730-0806.html
SHA256: 0909cc85312268a10d2705100ea2ed5b95eb7ab5f765e41a3a6eb7e4dc5eeaf0
SHA1: 150c97ce4733f82c4dfa7683c889a6ee50ff4c1e
MD5: 11364049a6159e255dc03eae0dec6daf
Strike ID: M21-fio31 | Malware: Trickbot_69f7682d | Platform: Windows
Info: This strike sends a malware sample known as Trickbot. Trickbot is a banking trojan that targets sensitive information for select financial institutions. It is frequently distributed through malicious spam campaigns, many of which rely on downloaders such as VBScript files.
External References: https://blog.talosintelligence.com/2021/08/threat-roundup-0730-0806.html
SHA256: 0abccd961e1dd93ab520cd88c2e07a7a2ec4e8a6138f7bcd714cd1cd2743be6f
SHA1: f4f66df1861350bcbfdbadc2ea3afe9b46c4f259
MD5: 69f7682d754f01aecd9658f57f8670d0
Strike ID: M21-yef71 | Malware: BlackMatter_3f9a28e8 | Platform: Linux
Info: This strike sends a malware sample known as BlackMatter. BlackMatter is a Ransomware-as-a-Service (RaaS). It follows in the footsteps of its predecessors DarkSide and REvil with much of the same functionality: it can elevate privileges, kill processes, and steal the victim's details.
External References: https://news.sophos.com/en-us/2021/08/09/blackmatter-ransomware-emerges-from-the-shadow-of-darkside/
SHA256: 6a7b7147fea63d77368c73cef205eb75d16ef209a246b05698358a28fd16e502
SHA1: 10d6d3c957facf06098771bf409b9593eea58c75
MD5: 3f9a28e8c057e7ea7ccf15a4db81f362
Strike ID: M21-hg7r1 | Malware: Haron_6da3c779 | Platform: Windows
Info: This strike sends a malware sample known as Haron. Haron is ransomware considered a copy or derivative of the Avaddon and Thanos ransomware families. It infects victims using the Thanos framework, whose builder was made open source, and uses the Avaddon UI, which was also leaked.
External References: https://medium.com/s2wlab/quick-analysis-of-haron-ransomware-feat-avaddon-and-thanos-1ebb70f64dc4
SHA256: d29abe6ed086a5508c54df31010c36cc19fea3bdc5d521ee7c0d7063a51bb131
SHA1: e65df27b70ba3206d216a49b43f6beb2095cfe1b
MD5: 6da3c7796bca2f47f11e8711a945cf1d
Strike ID: M21-0et61 | Malware: Qakbot_140712ed | Platform: Windows
Info: This strike sends a malware sample known as Qakbot. Qakbot, also known as Qbot, has been around since at least 2008. It primarily targets sensitive information such as banking credentials, but can also steal FTP credentials and spread across a network using SMB.
External References: https://blog.talosintelligence.com/2021/08/threat-roundup-0806-0813.html
SHA256: 35150a082f7fc90418facbde01f262cee672ae4dfd34b0aae06da95ec064b580
SHA1: 112bb65dbedbe728082bdd8988ca4c9e21a3a38e
MD5: 140712ed211d973de5a3274608cf28c0
Strike ID: M21-ogcu1 | Malware: Thanos_be60e389 | Platform: Windows
Info: This strike sends a malware sample known as Thanos. Thanos ransomware lets its operator customize the build and include a variety of functions and capabilities. The Thanos builder code was recently made available, and many variants have started to surface with its framework at the core. This version of Thanos can overwrite the MBR to display the same ransom message, and can detect and evade analysis tools.
External References: https://unit42.paloaltonetworks.com/thanos-ransomware/
SHA256: 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d
SHA1: 14b4e0bfac64ec0f837f84ab1780ca7ced8d670d
MD5: be60e389a0108b2871dff12dfbb542ac
Strike ID: M21-ef1j1 | Malware: BlackMatter_9fa3cafb | Platform: Windows
Info: This strike sends a polymorphic malware sample known as BlackMatter. BlackMatter is a Ransomware-as-a-Service (RaaS). It follows in the footsteps of its predecessors DarkSide and REvil with much of the same functionality: it can elevate privileges, kill processes, and steal the victim's details. The binary has one additional import added to its import table.
External References: https://news.sophos.com/en-us/2021/08/09/blackmatter-ransomware-emerges-from-the-shadow-of-darkside/
SHA256: 6d4406e0636511dcff4e24aac5075e09c576e9198d53f0d1d7aa86b08d033f76
https://arxiv.org/abs/1702.05983
PARENTID: M21-mfzl1
SSDEEP: 1536:xzICS4AT6GxdEe+TOdincJXvKvYZg3kl:KR7auJXSgZg3C
SHA1: fcacc83dcf30b91634690ecc1d73d2df591760d7
MD5: 9fa3cafbc2f1ded8fe92007408e7625d
Strike ID: M21-2gx61 | Malware: Ramnit_0a48bae2 | Platform: Windows
Info: This strike sends a malware sample known as Ramnit. Ramnit is a banking trojan that has been around since 2010 and has recently resumed activity. After infection, it scans for files containing keywords of interest, such as "wallet", "passwords", or the names of the targeted banks. Ramnit is distributed through malvertising and malware-laden spam, and has also used popular exploit kits such as Angler.
External References: https://blog.talosintelligence.com/2021/08/threat-roundup-0813-0820.html
SHA256: 8836d87dec16f04560a0ba2f9ab1423bbedcc69031a7b5d7a11cf4fed024a984
SHA1: 851052f212450b674c34ad78a3f8dcfd490730a6
MD5: 0a48bae2ff4780521936d8b94d3b0ce0
Strike ID: M21-b4y11 | Malware: Qakbot_e0c23898 | Platform: Windows
Info: This strike sends a malware sample known as Qakbot. Qakbot, also known as Qbot, has been around since at least 2008. It primarily targets sensitive information such as banking credentials, but can also steal FTP credentials and spread across a network using SMB.
External References: https://blog.talosintelligence.com/2021/08/threat-roundup-0806-0813.html
SHA256: 357be50930bd829907a4068b1017b945263a56bc12cc9728977d3c866c9a68a6
SHA1: 08b63275867ae22788bafc5a0ed34b95b1efceb3
MD5: e0c23898f4acf8a0fae7b430a3891b62
Strike ID: M21-ccj91 | Malware: Qakbot_5c00db17 | Platform: Windows
Info: This strike sends a malware sample known as Qakbot. Qakbot, also known as Qbot, has been around since at least 2008. It primarily targets sensitive information such as banking credentials, but can also steal FTP credentials and spread across a network using SMB.
External References: https://blog.talosintelligence.com/2021/08/threat-roundup-0806-0813.html
SHA256: 209b3eeabd048f7cb2c634bf1e7414262ded407ae41b25d00db5db86008aa84f
SHA1: 10b05f3ef3ca5703e397584d0df52e0b9fa8c165
MD5: 5c00db1760ffd163c86597a1ac93a20b
Strike ID: M21-wdry1 | Malware: Ramnit_d475fd84 | Platform: Windows
Info: This strike sends a malware sample known as Ramnit. Ramnit is a banking trojan that has been around since 2010 and has recently resumed activity. After infection, it scans for files containing keywords of interest, such as "wallet", "passwords", or the names of the targeted banks. Ramnit is distributed through malvertising and malware-laden spam, and has also used popular exploit kits such as Angler.
External References: https://blog.talosintelligence.com/2021/08/threat-roundup-0813-0820.html
SHA256: 42f1e9f830ef80f92e5abd3e2463e01c4bbce62342247c76c0ee4f1d87ec28b5
SHA1: 331767d919e206de45a46fde3c2a6bbb70ff06bd
MD5: d475fd848f01340ad4219ff55b6bc52e
Strike ID: M21-cexl1 | Malware: Trickbot_4813b76a | Platform: Windows
Info: This strike sends a malware sample known as Trickbot. Trickbot is a banking trojan that targets sensitive information for select financial institutions. It is frequently distributed through malicious spam campaigns, many of which rely on downloaders such as VBScript files.
External References: https://blog.talosintelligence.com/2021/08/threat-roundup-0730-0806.html
SHA256: 27e3ba58cbb7ab7628e97dab88836edf3525a0137360056fc05e869dac57711a
SHA1: f153407ef869810bd869a58b0d2b175d867d545d
MD5: 4813b76a9400b62a0acaab0cb5c09bfe
Strike ID: M21-vykk1 | Malware: Ramnit_3123ff95 | Platform: Windows
Info: This strike sends a malware sample known as Ramnit. Ramnit is a banking trojan that has been around since 2010 and has recently resumed activity. After infection, it scans for files containing keywords of interest, such as "wallet", "passwords", or the names of the targeted banks. Ramnit is distributed through malvertising and malware-laden spam, and has also used popular exploit kits such as Angler.
External References: https://blog.talosintelligence.com/2021/08/threat-roundup-0813-0820.html
SHA256: 3ca3e6ac1fad0e004643a5512be7282935d6dbe98e088e256846ee6de2c390ce
SHA1: 21f2a926592de040280c4557345e1238f033d32e
MD5: 3123ff955e554c6ddfaaae2619fbf997
Strike ID: M21-mfzl1 | Malware: BlackMatter_598c53bf | Platform: Windows
Info: This strike sends a malware sample known as BlackMatter. BlackMatter is a Ransomware-as-a-Service (RaaS). It follows in the footsteps of its predecessors DarkSide and REvil with much of the same functionality: it can elevate privileges, kill processes, and steal the victim's details.
External References: https://news.sophos.com/en-us/2021/08/09/blackmatter-ransomware-emerges-from-the-shadow-of-darkside/
SHA256: 22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6
SHA1: 80a29bd2c349a8588edf42653ed739054f9a10f5
MD5: 598c53bfef81e489375f09792e487f1a
Strike ID: M21-pf5o1 | Malware: BlackMatter_da66726c | Platform: Windows
Info: This strike sends a polymorphic malware sample known as BlackMatter. BlackMatter is a Ransomware-as-a-Service (RaaS). It follows in the footsteps of its predecessors DarkSide and REvil with much of the same functionality: it can elevate privileges, kill processes, and steal the victim's details. The binary has random strings (lorem ipsum) appended to the end of the file.
External References: https://news.sophos.com/en-us/2021/08/09/blackmatter-ransomware-emerges-from-the-shadow-of-darkside/
SHA256: 978b92cde2fae00e5c49f0bd1ffca9f8d35b505bbf1436692979d6e07e243ab6
https://attack.mitre.org/techniques/T1009/
PARENTID: M21-do2n1
SSDEEP: 1536:RzICS4AT6GxdEe+TOdincJXvKv8Zg3kl2:qR7auJXSkZg3C2
SHA1: 9dc8c171793421e9973d8dce9bc63670ca655c6f
MD5: da66726c18cecc87d776623fb1a26344
Strike ID: M21-klix1 | Malware: Qakbot_672e642a | Platform: Windows
Info: This strike sends a malware sample known as Qakbot. Qakbot, also known as Qbot, has been around since at least 2008. It primarily targets sensitive information such as banking credentials, but can also steal FTP credentials and spread across a network using SMB.
External References: https://blog.talosintelligence.com/2021/08/threat-roundup-0806-0813.html
SHA256: 2edf0dabcb16bde79ecddafaaa52644de1229db74ba8e1abf6fe868e8e1c4447
SHA1: aa4bc6c41c710217bfceb2adad5b49482e54a65e
MD5: 672e642af35cac2735e19f1e488be72f
Strike ID: M21-go3s1 | Malware: DarkComet_5de32a2e | Platform: Windows
Info: This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system.
External References: https://blog.talosintelligence.com/2021/08/threat-roundup-0806-0813.html
SHA256: 0a4acb875e2052335654082e77210a8a30001d2847532ae2a58066efafb37c5e
SHA1: b30660ce3aec157199736c9f47d127eef891e976
MD5: 5de32a2ef97290585b28f4409384251a
Strike ID: M21-kusc1 | Malware: DarkComet_7a7a2615 | Platform: Windows
Info: This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system.
External References: https://blog.talosintelligence.com/2021/08/threat-roundup-0806-0813.html
SHA256: 615453b9561c9c612ae38166917e9a34f67d5012ce0ed946a0eff07dbb9a7ae1
SHA1: 23c16f29432cf04c87a587f8ae8a31633b753308
MD5: 7a7a261530db35879c9c080cc46084de
Strike ID: M21-ehog1 | Malware: Trickbot_d9ce38bc | Platform: Windows
Info: This strike sends a malware sample known as Trickbot. Trickbot is a banking trojan that targets sensitive information for select financial institutions. It is frequently distributed through malicious spam campaigns, many of which rely on downloaders such as VBScript files.
External References: https://blog.talosintelligence.com/2021/08/threat-roundup-0730-0806.html
SHA256: 287a910ea787f13609d4c8002a0ac86b8068a6fca8bfadb0c1d2b1fb63436b96
SHA1: 9ff572bcb26693f810c6763403e3feb8f8e12672
MD5: d9ce38bc0aeac55de3ee8b579a68e177
Strike ID: M21-ji551 | Malware: Qakbot_a2f1f09d | Platform: Windows
Info: This strike sends a malware sample known as Qakbot. Qakbot, also known as Qbot, has been around since at least 2008. It primarily targets sensitive information such as banking credentials, but can also steal FTP credentials and spread across a network using SMB.
External References: https://blog.talosintelligence.com/2021/08/threat-roundup-0806-0813.html
SHA256: 3b06eecb334b5f57bde24eeb0a7c4147fc01713c8c3e8f0a660a4e8a9a5df3e1
SHA1: b6b1892d0180b9f2b255a1f9a15d2e370d66393b
MD5: a2f1f09d1bbe5bfc8630fab2187811ee
Strike ID: M21-vvac1 | Malware: Qakbot_9e4bb7c2 | Platform: Windows
Info: This strike sends a malware sample known as Qakbot. Qakbot, also known as Qbot, has been around since at least 2008. It primarily targets sensitive information such as banking credentials, but can also steal FTP credentials and spread across a network using SMB.
External References: https://blog.talosintelligence.com/2021/08/threat-roundup-0806-0813.html
SHA256: 23c3b45782c70bccb1ca807e59486247c5b9074228e14ce9b3994003b354919f
SHA1: 4a261263c86c5c1182312f6264260071003ce940
MD5: 9e4bb7c2bff8cc4245bf1327e84f125b
Strike ID: M21-o9xj1 | Malware: Haron_92c2e2f6 | Platform: Windows
Info: This strike sends a polymorphic malware sample known as Haron. Haron is ransomware considered a copy or derivative of the Avaddon and Thanos ransomware families. It infects victims using the Thanos framework, whose builder was made open source, and uses the Avaddon UI, which was also leaked. The binary has the timestamp field updated in its PE file header.
External References: https://medium.com/s2wlab/quick-analysis-of-haron-ransomware-feat-avaddon-and-thanos-1ebb70f64dc4
SHA256: da105ee43fb48770f296a5b325dc29c57a992f5ac36ee815ac88663571bef3b4
https://attack.mitre.org/techniques/T1099/
PARENTID: M21-wlko1
SSDEEP: 1536:E3wWdw/3oHK8pEzgfIdmedUqPkYRzHKS396Fn2Y+aYxc13TpNw:EgWM32MOuPkc96Fnr+eQ
SHA1: 08834c273c66cfec1ed7b5433eaba575f2a2e6f3
MD5: 92c2e2f66b9717304aa67c9114b959c2
Strike ID: M21-tl2b1 | Malware: Haron_27757047 | Platform: Windows
Info: This strike sends a malware sample known as Haron. Haron is ransomware considered a copy or derivative of the Avaddon and Thanos ransomware families. It infects victims using the Thanos framework, whose builder was made open source, and uses the Avaddon UI, which was also leaked.
External References: https://medium.com/s2wlab/quick-analysis-of-haron-ransomware-feat-avaddon-and-thanos-1ebb70f64dc4
SHA256: 4852f22df095db43f2a92e99384ff7667020413e74f67fcbd42fca16f8f96f4c
SHA1: 9cd9dee39f132cb398a3408cd16a53b98dafea7e
MD5: 277570474740f06232e009b5ff15d47a
Strike ID: M21-kg3n1 | Malware: Trickbot_fc0c2d9d | Platform: Windows
Info: This strike sends a malware sample known as Trickbot. Trickbot is a banking trojan that targets sensitive information for select financial institutions. It is frequently distributed through malicious spam campaigns, many of which rely on downloaders such as VBScript files.
External References: https://blog.talosintelligence.com/2021/08/threat-roundup-0730-0806.html
SHA256: 32ed191361a69cf8d93f2431fe449a822e812a5f08c9c7e8bb04acc543443a92
SHA1: e1bd9054f400bf10cf7d2baffe9643cd481feca9
MD5: fc0c2d9dcb18806606d6e2673db4380a
Strike ID: M21-g8w11 | Malware: Trickbot_713bb022 | Platform: Windows
Info: This strike sends a malware sample known as Trickbot. Trickbot is a banking trojan that targets sensitive information for select financial institutions. It is frequently distributed through malicious spam campaigns, many of which rely on downloaders such as VBScript files.
External References: https://blog.talosintelligence.com/2021/08/threat-roundup-0730-0806.html
SHA256: 2d465c82cfcd0f6121a68ff352d9f97aaa74c7c74527b6d8a9df2514a9ae0797
SHA1: b7f5ad8b97687f791e8c04bab5423302543361df
MD5: 713bb022f264a713db52286227714a58
Strike ID: M21-zvav1 | Malware: Qakbot_d867d6d9 | Platform: Windows
Info: This strike sends a malware sample known as Qakbot. Qakbot, also known as Qbot, has been around since at least 2008. It primarily targets sensitive information such as banking credentials, but can also steal FTP credentials and spread across a network using SMB.
External References: https://blog.talosintelligence.com/2021/08/threat-roundup-0806-0813.html
SHA256: 0ea2f761e10efb2a635185671de8ca90837745f5da186d84e6a3c564bd020903
SHA1: 7dfa6639d37a754e7097fec864568847fb658551
MD5: d867d6d9a9b8a1fdf2467f27088f5230
Strike ID: M21-e17h1 | Malware: Ramnit_2bef963c | Platform: Windows
Info: This strike sends a malware sample known as Ramnit. Ramnit is a banking trojan that has been around since 2010 and has recently resumed activity. After infection, it scans for files containing keywords of interest, such as "wallet", "passwords", or the names of the targeted banks. Ramnit is distributed through malvertising and malware-laden spam, and has also used popular exploit kits such as Angler.
External References: https://blog.talosintelligence.com/2021/08/threat-roundup-0813-0820.html
SHA256: 0da2d59d76684e3912a82d88c978e16b65e3a9f8aea0c43d269953cff6956a7e
SHA1: 861a7e9a9dcc20911775b8c9e33f221826dfe9ee
MD5: 2bef963c0d8b3c5d796dac3541489c08
Strike ID: M21-ujrx1 | Malware: Qakbot_76f0cfb3 | Platform: Windows
Info: This strike sends a malware sample known as Qakbot. Qakbot, also known as Qbot, has been around since at least 2008. It primarily targets sensitive information such as banking credentials, but can also steal FTP credentials and spread across a network using SMB.
External References: https://blog.talosintelligence.com/2021/08/threat-roundup-0806-0813.html
SHA256: 0b77fdf610d7444d1fe1a7f5098d45152936fc48ca601b929281c587bb5133b8
SHA1: 2f230e16fe8e3ac4726e627add2439a92a9ae8a9
MD5: 76f0cfb3c8143fe677dae170a9804c66
Strike ID: M21-cjnm1 | Malware: DarkComet_d619583b | Platform: Windows
Info: This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system.
External References: https://blog.talosintelligence.com/2021/08/threat-roundup-0806-0813.html
SHA256: 42c2c565e5844ee30f45e046984956949aa7b4268fa79fa3bca325079a0199b5
SHA1: c305d614c71d66208bf5bc3a378af9df5448b3e4
MD5: d619583b03bae980edca49feede8579c
Strike ID: M21-z2da1 | Malware: Trickbot_d9547c4f | Platform: Windows
Info: This strike sends a malware sample known as Trickbot. Trickbot is a banking trojan that targets sensitive information for select financial institutions. It is frequently distributed through malicious spam campaigns, many of which rely on downloaders such as VBScript files.
External References: https://blog.talosintelligence.com/2021/08/threat-roundup-0730-0806.html
SHA256: 307e3804d8a677f1c176534c8eb85e63f89421e6a1bf4477485c0a4e3eb9e9d1
SHA1: df765949f9714454985b29c770e92a2b06ce014a
MD5: d9547c4f1c13fac1a1c7e8f8f67df45b
Strike ID: M21-lmxx1 | Malware: Qakbot_9d0ed878 | Platform: Windows
Info: This strike sends a malware sample known as Qakbot. Qakbot, also known as Qbot, has been around since at least 2008. It primarily targets sensitive information such as banking credentials, but can also steal FTP credentials and spread across a network using SMB.
External References: https://blog.talosintelligence.com/2021/08/threat-roundup-0806-0813.html
SHA256: 3a1e5884cf079fdca3cb5b8385c53f780dd4c17a3165ccb4148f9916c3740614
SHA1: 4f046eb7ce469d0e97c98b54759b1cef56a3a365
MD5: 9d0ed8785c88f732ebfc7d11637a57c7
Strike ID: M21-5wpg1 | Malware: Qakbot_988e391a | Platform: Windows
Info: This strike sends a malware sample known as Qakbot. Qakbot, also known as Qbot, has been around since at least 2008. It primarily targets sensitive information such as banking credentials, but can also steal FTP credentials and spread across a network using SMB.
External References: https://blog.talosintelligence.com/2021/08/threat-roundup-0806-0813.html
SHA256: 06d5ca9ab245e57ad65d2afa9633a2b7e11eca16555f5c5bf9f7a92d8f78e87d
SHA1: e39f6a5faa08af6176494604a3a3d6f4ccab9876
MD5: 988e391a7bd88b2d362e44d57e97a778
Strike ID: M21-rxic1 | Malware: BlackMatter_6fd84253 | Platform: Windows
Info: This strike sends a polymorphic malware sample known as BlackMatter. BlackMatter is a Ransomware-as-a-Service (RaaS). It follows in the footsteps of its predecessors DarkSide and REvil with much of the same functionality: it can elevate privileges, kill processes, and steal the victim's details. The binary has random strings (lorem ipsum) appended to the end of the file.
External References: https://news.sophos.com/en-us/2021/08/09/blackmatter-ransomware-emerges-from-the-shadow-of-darkside/
SHA256: 234fb77f708ef2e34bff04de92e9b6e1995b54ebb083d1b8805a494d25617c94
https://attack.mitre.org/techniques/T1009/
PARENTID: M21-mfzl1
SSDEEP: 1536:RzICS4AT6GxdEe+TOdincJXvKv8Zg3kla:qR7auJXSkZg3Ca
SHA1: 790e12fea4dd5c10bda6b51eabd8f2a24eff3b6d
MD5: 6fd842539aa3f5fd2e0474f3b48f877a
Strike ID: M21-df611 | Malware: DarkComet_eceac426 | Platform: Windows
Info: This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system.
External References: https://blog.talosintelligence.com/2021/08/threat-roundup-0806-0813.html
SHA256: 5174169e7a1ef4ba358189dafac7eb4c514e4c12ecdc9525e2fe6cb5b35265ad
SHA1: b0580608e253b296b588823f0ee9704a2c9a53dd
MD5: eceac426ece31db82c011c3925d1561a
Strike ID: M21-kt8f1 | Malware: Ramnit_156ff7ed | Platform: Windows
Info: This strike sends a malware sample known as Ramnit. Ramnit is a banking trojan that has been around since 2010 and has recently resumed activity. After infection, it scans for files containing keywords of interest, such as "wallet", "passwords", or the names of the targeted banks. Ramnit is distributed through malvertising and malware-laden spam, and has also used popular exploit kits such as Angler.
External References: https://blog.talosintelligence.com/2021/08/threat-roundup-0813-0820.html
SHA256: d1f95a5223c6f4dc954e4ccbab6d58fa9e54ff9037c88f06c9814ab4a7877058
SHA1: 5347f3766750fe3e4968fdee3230f8e364cb5951
MD5: 156ff7ed174247ad7a7132fa51664949
Strike ID: M21-o1sv1 | Malware: BlackMatter_720f6799 | Platform: Windows
Info: This strike sends a polymorphic malware sample known as BlackMatter. BlackMatter is a Ransomware-as-a-Service (RaaS). It follows in the footsteps of its predecessors DarkSide and REvil with much of the same functionality: it can elevate privileges, kill processes, and steal the victim's details. The binary has the checksum field removed from its PE header.
External References: https://news.sophos.com/en-us/2021/08/09/blackmatter-ransomware-emerges-from-the-shadow-of-darkside/
SHA256: 9e18f6ebb169f6bc7ae18526f71e132f96b678809e7873df7c3bbb35d4d694ee
https://arxiv.org/abs/1801.08917
PARENTID: M21-do2n1
SSDEEP: 1536:jzICS4AT6GxdEe+TOdincJXvKv8Zg3kl/:8R7auJXSkZg3C/
SHA1: 514b2d4a0747143989ec5458216723b78a93c919
MD5: 720f6799e6befa45cb4233b9631f4c82
Strike ID: M21-8qhl1 | Malware: Ramnit_bf70c723 | Platform: Windows
Info: This strike sends a malware sample known as Ramnit. Ramnit is a banking trojan that has been around since 2010 and has recently resumed activity. After infection, it scans for files containing keywords of interest, such as "wallet", "passwords", or the names of the targeted banks. Ramnit is distributed through malvertising and malware-laden spam, and has also used popular exploit kits such as Angler.
External References: https://blog.talosintelligence.com/2021/08/threat-roundup-0813-0820.html
SHA256: 011597cdbf40d1f08a644d42c20e19175574a433a735eef887283c719ef8e63e
SHA1: 9aae7d0c871579f122eb55b16aac785ef4c4e665
MD5: bf70c7230fb57e3732a87cc5b09defa3
Strike ID: M21-2ddo1 | Malware: DarkComet_b84ab2c0 | Platform: Windows
Info: This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system.
External References: https://blog.talosintelligence.com/2021/08/threat-roundup-0806-0813.html
SHA256: 0d08e3c0b2f6668387b90dc0d21ebd8fec5de6393580cff145cdff8a32c10ea6
SHA1: b82b92d9f80fcf6e0196adac066ed123de3f2fc4
MD5: b84ab2c079ef2e9dad478abc81e3dee0
Strike ID: M21-ew801 | Malware: Qakbot_ba811d0b | Platform: Windows
Info: This strike sends a malware sample known as Qakbot. Qakbot, also known as Qbot, has been around since at least 2008. It primarily targets sensitive information such as banking credentials, but can also steal FTP credentials and spread across a network using SMB.
External References: https://blog.talosintelligence.com/2021/08/threat-roundup-0806-0813.html
SHA256: 172b6ada107441489b8abc961f2548486487a15d5e3375417b9c6981e5d676e9
SHA1: 410146de3cd295234c2a6b5a13a322ebf4be0ab0
MD5: ba811d0b025160b8c7766be010784dca
Strike ID: M21-wd911 | Malware: Haron_7806efea | Platform: Windows
Info: This strike sends a polymorphic malware sample known as Haron. Haron is ransomware considered a copy or derivative of the Avaddon and Thanos ransomware families. It infects victims using the Thanos framework, whose builder was made open source, and uses the Avaddon UI, which was also leaked. The binary has one section renamed to a random name that is valid under the PE format specification.
External References: https://medium.com/s2wlab/quick-analysis-of-haron-ransomware-feat-avaddon-and-thanos-1ebb70f64dc4
SHA256: ae2168018a6b48e4e6bc61a042e40facc4260b138594cc22b0810e1b57e30803
https://arxiv.org/abs/1801.08917
PARENTID: M21-wlko1
SSDEEP: 1536:13wWdw/3oHK8pEzgfIdmedUqPkYRzHKS396Fn2Y+aYxc13TpNw:1gWM32MOuPkc96Fnr+eQ
SHA1: 1c02c91cc5d63bf06e4c38965f6ec043d5fe221f
MD5: 7806efea649a3b312be91e609541359b
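The polymorphic BlackMatter and Haron entries above (those carrying a PARENTID) differ from their parent sample only in header-level or trailing details: a renamed section, an updated TimeDateStamp, a removed CheckSum, or lorem-ipsum bytes appended after the last section. Every one of them gets a fresh MD5/SHA1/SHA256, which is exactly what a hash-only blocklist cannot absorb. The Python below is an added example, not code from this catalog or from any vendor tooling: it constructs a minimal PE32 image as a stand-in for a real sample (no hashes from the table are reproduced), applies each of those four mutations, and shows that the file hash changes every time while a hash taken over section contents alone stays constant. The UPX-packed and added-import variants also rewrite section data and are deliberately outside its scope. All function names (build_minimal_pe, parse_pe, section_content_sha256, and so on) are this example's own.

```python
"""Added example: header-only PE mutations versus a section-content hash.
The PE image built here is constructed for the demo; it is not a real sample."""
import hashlib
import struct

FILE_ALIGN = 0x200
SECT_ALIGN = 0x1000


def build_minimal_pe(code: bytes = b"\x31\xc0\xc3") -> bytes:
    """Constructed PE32 image with one .text section (xor eax,eax; ret)."""
    raw_size = (len(code) + FILE_ALIGN - 1) // FILE_ALIGN * FILE_ALIGN
    dos = struct.pack("<2s58xI", b"MZ", 0x40)                       # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0x60000000, 0, 0, 224, 0x0102)
    opt = struct.pack("<HBBIIIIII", 0x10B, 14, 0, raw_size, 0, 0,
                      SECT_ALIGN, SECT_ALIGN, 0)                       # PE32 standard fields
    opt += struct.pack("<IIIHHHHHHIIIIHHIIIIII",
                       0x400000, SECT_ALIGN, FILE_ALIGN, 6, 0, 0, 0, 6, 0, 0,
                       2 * SECT_ALIGN, FILE_ALIGN, 0x1234,             # SizeOfImage, SizeOfHeaders, CheckSum
                       3, 0, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt += b"\0" * 128                                                # 16 empty data directories
    sect = struct.pack("<8sIIIIIIHHI", b".text", len(code), SECT_ALIGN, raw_size,
                       FILE_ALIGN, 0, 0, 0, 0, 0x60000020)            # CODE|EXECUTE|READ
    headers = (dos + b"PE\0\0" + coff + opt + sect).ljust(FILE_ALIGN, b"\0")
    return headers + code.ljust(raw_size, b"\0")


def parse_pe(data: bytes) -> dict:
    """Locate the fields the catalog's polymorphic variants touch (PE32 and PE32+)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsect = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    sections = []
    for i in range(nsect):
        off = opt + opt_size + 40 * i
        name, _vsize, _va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, off)
        sections.append({"hdr_off": off, "name": name.rstrip(b"\0"),
                         "raw_ptr": raw_ptr, "raw_size": raw_size})
    return {
        "timestamp_off": coff + 4,                                    # IMAGE_FILE_HEADER.TimeDateStamp
        "timestamp": struct.unpack_from("<I", data, coff + 4)[0],
        "checksum_off": opt + 64,                                     # OptionalHeader.CheckSum, same offset in PE32/PE32+
        "checksum": struct.unpack_from("<I", data, opt + 64)[0],
        "sections": sections,
        # first byte past the last section's raw data; anything beyond it is overlay
        "overlay_off": max((s["raw_ptr"] + s["raw_size"] for s in sections), default=len(data)),
    }


def _patch(data: bytes, off: int, blob: bytes) -> bytes:
    return data[:off] + blob + data[off + len(blob):]


def set_timestamp(data: bytes, ts: int) -> bytes:                     # "timestamp field updated" variant
    return _patch(data, parse_pe(data)["timestamp_off"], struct.pack("<I", ts))


def zero_checksum(data: bytes) -> bytes:                              # "checksum removed" variant
    return _patch(data, parse_pe(data)["checksum_off"], b"\0\0\0\0")


def rename_section(data: bytes, index: int, new_name: bytes) -> bytes:  # "random section name" variant
    if len(new_name) > 8:
        raise ValueError("PE section names are at most 8 bytes")
    return _patch(data, parse_pe(data)["sections"][index]["hdr_off"], new_name.ljust(8, b"\0"))


def append_overlay(data: bytes, blob: bytes) -> bytes:                # "lorem ipsum appended" variant
    return data + blob


def file_sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def section_content_sha256(data: bytes) -> str:
    """Hash only the sections' raw bytes: headers and overlay are excluded."""
    h = hashlib.sha256()
    for s in parse_pe(data)["sections"]:
        h.update(data[s["raw_ptr"]:s["raw_ptr"] + s["raw_size"]])
    return h.hexdigest()


def has_overlay(data: bytes) -> bool:
    return len(data) > parse_pe(data)["overlay_off"]


def demo():
    base = build_minimal_pe()
    variants = {
        "timestamp": set_timestamp(base, 0x5F5E1000),
        "checksum": zero_checksum(base),
        "section": rename_section(base, 0, b".rnd"),
        "overlay": append_overlay(base, b"Lorem ipsum dolor sit amet"),
    }
    return base, variants


if __name__ == "__main__":
    base, variants = demo()
    print(f"{'base':9} {file_sha256(base)[:16]} {section_content_sha256(base)[:16]}")
    for label, v in variants.items():
        print(f"{label:9} {file_sha256(v)[:16]} {section_content_sha256(v)[:16]}"
              + ("  overlay" if has_overlay(v) else ""))
```

Run as a script, it prints the file hash and the section-content hash for the base image and each variant: the first column changes four times, the second never does. That is the practical point behind the near-identical SSDEEP values listed for sibling variants above: match polymorphic families on content (section bytes, import hash, fuzzy hash), and keep file hashes for exact-sample bookkeeping only. Treat `has_overlay` as a triage signal rather than proof of padding, since installers and Authenticode-signed binaries also legitimately carry data after the last section.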

Malware Strikes July - 2021

Back to top
Strike ID Malware Platform Info MD5 External References
Strike ID: M21-hzro1 | Malware: Babuk | Platform: Windows
Info: This strike sends a malware sample known as Babuk Locker. Babuk is ransomware that first appeared in early 2021. Recently, the builder tool used to create these ransomware samples has been detected in use in other attacks; the resulting strain is referred to as Babuk Locker.
External References: https://www.bleepingcomputer.com/news/security/leaked-babuk-locker-ransomware-builder-used-in-new-attacks/
SHA256: c4282e9040cdc1df92b722568a8b4c42ce9f6533fed0bd34b7fdbae264947784
SHA1: b69a5385d880f4d0acd3358df002aba42b12820f
MD5: 024382eef9abab8edd804548f94b78fc
Strike ID: M21-syed1 | Malware: REvil_a47cf00a | Platform: Windows
Info: This strike sends a malware sample known as REvil. In July 2021, a supply-chain ransomware attack leveraging an SQL injection vulnerability in Kaseya VSA software was carried out against multiple MSPs and their customers. The ransomware used in this attack, REvil (also known as Sodinokibi), was pushed to customers via an automated malicious update.
External References: https://securityscorecard.com/blog/agent-revil-unveiled-in-kaseya-vsa-ransomware-attack
SHA256: 8dd620d9aeb35960bb766458c8890ede987c33d239cf730f93fe49d90ae759dd
SHA1: 656c4d285ea518d90c1b669b79af475db31e30b1
MD5: a47cf00aedf769d60d58bfe00c0b5421
Strike ID: M21-2klg1 | Malware: Bandidos_038de761 | Platform: Windows
Info: This strike sends a malware sample known as Bandidos. This campaign was recently found largely targeting Venezuela and other Spanish-speaking countries. Infection begins with a malicious email carrying a PDF document. Once the PDF is opened and its link clicked, an archive is retrieved containing a dropper that injects Bandook into Internet Explorer. The payload has many features, including manipulating files, taking screenshots, controlling the on-screen cursor, installing additional DLLs, uninstalling itself, and exfiltrating data. This sample is the dropper.
External References: https://www.welivesecurity.com/2021/07/07/bandidos-at-large-spying-campaign-latin-america/
https://thehackernews.com/2021/07/experts-uncover-malware-attacks.html
SHA256: 435fa80c1088c8e2b821cf86d5f5a6c2cebf41e3b12d067473c79ab5773d3862
SHA1: af1f08a0d2e0d40e99fcaba6c1c090b093ac0756
MD5: 038de761c002ae546870035be143a736
M21-xhga1 | Bandidos_64acb89a | Windows | This strike sends a polymorphic malware sample known as Bandidos. Recently this campaign was largely found targeting Venezuela and Spanish-speaking countries. Infection begins with a malicious email that delivers a PDF document to the victim. Once the PDF is opened and the link clicked, an archive is retrieved with a dropper that injects Bandook into Internet Explorer. The Bandidos payload has many features, including manipulating files, taking screenshots, controlling the user's cursor on screen, installing additional DLLs, uninstalling itself, and exfiltrating data. This sample is the Dropper. The binary has a random section name renamed according to the PE format specification. | 64acb89ad84db2d5f2bad354ad547417 | https://www.welivesecurity.com/2021/07/07/bandidos-at-large-spying-campaign-latin-america/
https://thehackernews.com/2021/07/experts-uncover-malware-attacks.html
SHA256: d5ac969a01842b7f5e01aae02bfee66a8d70985b9935c8f4e346c8c7fb68f524
https://arxiv.org/abs/1801.08917
PARENTID: M21-2klg1
SSDEEP: 49152:y435mcqM2uL8Ujfwkrk2vts5Allzg2NZPnz:yhEfwk18A
SHA1: bc226a175b62eb6c022a97b2e1f0cf35e0b5f306
MD5: 64acb89ad84db2d5f2bad354ad547417
M21-ehw71 | Formbook_4f631559 | Windows | This strike sends a malware sample known as Formbook. Formbook is an information stealer that attempts to collect sensitive information from the target. | 4f6315593f81cee989d2d2c376869e5a | https://blog.talosintelligence.com/2021/07/threat-roundup-0625-0702.html
SHA256: 9f086d1b80984ca1a1026f47f5d9a84dccf7a0b758bf46643a2d967f24ebaefb
SHA1: ded97ce60117970dc4e715a1247cae62e0c119ba
MD5: 4f6315593f81cee989d2d2c376869e5a
M21-77on1 | Bandidos_3015f878 | Windows | This strike sends a polymorphic malware sample known as Bandidos. Recently this campaign was largely found targeting Venezuela and Spanish-speaking countries. Infection begins with a malicious email that delivers a PDF document to the victim. Once the PDF is opened and the link clicked, an archive is retrieved with a dropper that injects Bandook into Internet Explorer. The Bandidos payload has many features, including manipulating files, taking screenshots, controlling the user's cursor on screen, installing additional DLLs, uninstalling itself, and exfiltrating data. This sample is the Dropper. The binary has the timestamp field updated in the PE file header. | 3015f8785e0aa11d0cc1eadfe6112916 | https://www.welivesecurity.com/2021/07/07/bandidos-at-large-spying-campaign-latin-america/
https://thehackernews.com/2021/07/experts-uncover-malware-attacks.html
SHA256: c8c9fe06c5ad3b0041a7e04b7d1aa7df343a872a1b7f38bc58b76b58be759330
https://attack.mitre.org/techniques/T1099/
PARENTID: M21-wp9r1
SSDEEP: 24576:UEZ4iqYQk5zZrikTtPUZwkC02g+fTqPUf/SWKfL7gg6PQVqa9qSb:UEFQ6k0TVkQxPQo9
SHA1: 7af5e775abc01c8befce15b6aac0ef48aa528f7c
MD5: 3015f8785e0aa11d0cc1eadfe6112916
M21-p9lw1 | Bandidos_78cb7d1e | Windows | This strike sends a polymorphic malware sample known as Bandidos. Recently this campaign was largely found targeting Venezuela and Spanish-speaking countries. Infection begins with a malicious email that delivers a PDF document to the victim. Once the PDF is opened and the link clicked, an archive is retrieved with a dropper that injects Bandook into Internet Explorer. The Bandidos payload has many features, including manipulating files, taking screenshots, controlling the user's cursor on screen, installing additional DLLs, uninstalling itself, and exfiltrating data. This sample is the Dropper. The binary has random strings (lorem ipsum) appended at the end of the file. | 78cb7d1e62e3340825e8db41e752bdb8 | https://www.welivesecurity.com/2021/07/07/bandidos-at-large-spying-campaign-latin-america/
https://thehackernews.com/2021/07/experts-uncover-malware-attacks.html
SHA256: 3590b35fe256a567278c716fb25d2eb874c93928764820086553c2119e429f97
https://attack.mitre.org/techniques/T1009/
PARENTID: M21-wp9r1
SSDEEP: 24576:5EZ4iqYQk5zZrikTtPUZwkC02g+fTqPUf/SWKfL7gg6PQVqa9qSbp:5EFQ6k0TVkQxPQo9u
SHA1: cf5ebfbde9fa159f7ebb699fe04b5a42b10ced28
MD5: 78cb7d1e62e3340825e8db41e752bdb8
M21-yljf1 | Bandidos_86657996 | Windows | This strike sends a polymorphic malware sample known as Bandidos. Recently this campaign was largely found targeting Venezuela and Spanish-speaking countries. Infection begins with a malicious email that delivers a PDF document to the victim. Once the PDF is opened and the link clicked, an archive is retrieved with a dropper that injects Bandook into Internet Explorer. The Bandidos payload has many features, including manipulating files, taking screenshots, controlling the user's cursor on screen, installing additional DLLs, uninstalling itself, and exfiltrating data. This sample is the Dropper. The binary has random strings (lorem ipsum) appended at the end of the file. | 866579961556526d991a5917a5adc665 | https://www.welivesecurity.com/2021/07/07/bandidos-at-large-spying-campaign-latin-america/
https://thehackernews.com/2021/07/experts-uncover-malware-attacks.html
SHA256: c19ea1ace8cf4e46b4a46f5650efc7c6db0855b54fe2302a05d4c16a67d754a1
https://attack.mitre.org/techniques/T1009/
PARENTID: M21-2klg1
SSDEEP: 49152:u435mcqM2uL8Ujfwkrk2vts5Allzg2NZPnzT:uhEfwk18Ah
SHA1: 163661d0286971eb3920038e3d68738be98b3f5b
MD5: 866579961556526d991a5917a5adc665
M21-ml221 | Hupigon_9c25b770 | Windows | This strike sends a malware sample known as Hupigon. Hupigon is a family of trojans that allow a remote user to execute commands on the system, such as deleting files and folders, downloading and executing files, and terminating processes. | 9c25b77077f44d79fc5366eb54b22bbd | https://blog.talosintelligence.com/2021/07/threat-roundup-for-july-9-to-july-16.html
SHA256: 2e1c1fe7a5c150297ae4a0bda84d89fba054acc8eb1b516be5153fbfe0e9e986
SHA1: 7b64e9d1ef65e090a0845d1abab600fae2e5d8d6
MD5: 9c25b77077f44d79fc5366eb54b22bbd
M21-ovts1 | DarkSide_f587adbd | Windows | This strike sends a malware sample known as DarkSide. DarkSide is a ransomware group that made headlines in 2021 when it was attributed to the attack against CompuCom as well as the attack against Colonial Pipeline, which took the major US fuel pipeline offline. The DarkSide group is known for its very specific approach to targeting victims: each executable is carefully crafted for its intended target. | f587adbd83ff3f4d2985453cd45c7ab1 | https://us-cert.cisa.gov/ncas/analysis-reports/ar21-189a
SHA256: 156335b95ba216456f1ac0894b7b9d6ad95404ac7df447940f21646ca0090673
SHA1: 2715340f82426f840cf7e460f53a36fc3aad52aa
MD5: f587adbd83ff3f4d2985453cd45c7ab1
M21-zycs1 | LokiBot_495fff18 | Windows | This strike sends a malware sample known as LokiBot. LokiBot is information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered in spam emails. | 495fff18bc8c631e44c00b273d0742d2 | https://blog.talosintelligence.com/2021/07/threat-roundup-0702-0709.html
SHA256: 234be2e9be73a8a2ff9da5a7231c37da2bb95fc229b7ddc24f5324576a5c34e1
SHA1: d6c516d97545bb74f307858f91b91596d20eda4c
MD5: 495fff18bc8c631e44c00b273d0742d2
M21-cd5g1 | LokiBot_589813a9 | Windows | This strike sends a malware sample known as LokiBot. LokiBot is information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered in spam emails. | 589813a949474184438f1b7117457913 | https://blog.talosintelligence.com/2021/07/threat-roundup-0702-0709.html
SHA256: 59aed575bdae0ef8204a771d9d3282cc41880ed9c98305c02213e0b746117654
SHA1: 0fd1fb82e38760a819f506b8fbb85c9abaee2532
MD5: 589813a949474184438f1b7117457913
M21-5xer1 | LockBit_889328e2 | Windows | This strike sends a malware sample known as LockBit. LockBit is ransomware that, once executed, encrypts the system's files until a ransom payment has been made to the attacker. LockBit can scan for and spread itself to all targets it finds on a network. | 889328e2cf5f5d74531b9b0a25c1871c | https://www.prodaft.com/m/reports/LockBit_Case_Report___TLPWHITE.pdf
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/tales-from-the-trenches-a-lockbit-ransomware-story/
https://www.bleepingcomputer.com/news/security/ransomware-gangs-now-creating-websites-to-recruit-affiliates/
SHA256: 0e66029132a885143b87b1e49e32663a52737bbff4ab96186e9e5e829aa2915f
SHA1: d14a6e699a1f0805bd1248c80c2dc9dfccf0f403
MD5: 889328e2cf5f5d74531b9b0a25c1871c
M21-xf2x1 | REvil_8c26763d | Windows | This strike sends a polymorphic malware sample known as REvil. In July 2021, a supply-chain ransomware attack leveraging an SQL injection vulnerability in Kaseya VSA software was carried out against multiple MSPs and their customers. The ransomware used in this attack, REvil (also known as Sodinokibi), was pushed to customers via an automated malicious update. The binary has random strings (lorem ipsum) appended at the end of the file. | 8c26763d51dcec8d6683558e395b7f17 | https://securityscorecard.com/blog/agent-revil-unveiled-in-kaseya-vsa-ransomware-attack
SHA256: fbc019520b3ce65a52507428ed30c8fb3285da3e059afc11951a3e97f62b7216
https://attack.mitre.org/techniques/T1009/
PARENTID: M21-2zn41
SSDEEP: 1536:xxd+ReKXU/MQaL7k0B/L7s+Zi+GrZxtQpfyHvtICS4A4UdZls8XzUXiWr4X5F4GF:xtchTojrZxtMhiiZHjUyWr4X5FTDUq
SHA1: d0638a70f6cf8e46f22279efa7d364b644207001
MD5: 8c26763d51dcec8d6683558e395b7f17
M21-oe031 | LockBit_9a246bf3 | Windows | This strike sends a malware sample known as LockBit. LockBit is ransomware that, once executed, encrypts the system's files until a ransom payment has been made to the attacker. LockBit can scan for and spread itself to all targets it finds on a network. | 9a246bf39f3fab9c2d45f1003bdc6b45 | https://www.prodaft.com/m/reports/LockBit_Case_Report___TLPWHITE.pdf
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/tales-from-the-trenches-a-lockbit-ransomware-story/
https://www.bleepingcomputer.com/news/security/ransomware-gangs-now-creating-websites-to-recruit-affiliates/
SHA256: 76a77def28acf51b2b7cdcbfaa182fe5726dd3f9e891682a4efc3226640b9c78
SHA1: f05e71ed0e4a779fc30c3d732b07e15d56f8e3bc
MD5: 9a246bf39f3fab9c2d45f1003bdc6b45
M21-c3kb1 | Bandidos_998462a8 | Windows | This strike sends a polymorphic malware sample known as Bandidos. Recently this campaign was largely found targeting Venezuela and Spanish-speaking countries. Infection begins with a malicious email that delivers a PDF document to the victim. Once the PDF is opened and the link clicked, an archive is retrieved with a dropper that injects Bandook into Internet Explorer. The Bandidos payload has many features, including manipulating files, taking screenshots, controlling the user's cursor on screen, installing additional DLLs, uninstalling itself, and exfiltrating data. This sample is the Dropper. The binary has random contents appended in one of the existing sections in the PE file format. | 998462a846d496b57b30b5f39ee118b0 | https://www.welivesecurity.com/2021/07/07/bandidos-at-large-spying-campaign-latin-america/
https://thehackernews.com/2021/07/experts-uncover-malware-attacks.html
SHA256: ee56f42edd410332cc062271a8a8c2caf659b643c648888c359993a761e3aff5
https://arxiv.org/abs/1801.08917
PARENTID: M21-2klg1
SSDEEP: 49152:d435mcqM2uL8Ujfwkrk2vts5Allzg2NZPnz:dhEfwk18A
SHA1: 4b8bf07db8a88b88a0eed09cc1fb535cb84c907b
MD5: 998462a846d496b57b30b5f39ee118b0
M21-o4oe1 | Hupigon_793c7c56 | Windows | This strike sends a malware sample known as Hupigon. Hupigon is a family of trojans that allow a remote user to execute commands on the system, such as deleting files and folders, downloading and executing files, and terminating processes. | 793c7c568ef53df8d3e838c1119b509e | https://blog.talosintelligence.com/2021/07/threat-roundup-for-july-9-to-july-16.html
SHA256: 8db5854db9f3c732edc0d4ef3540b0635848abb70abdfc29049ca25dc4776f07
SHA1: b74402bc23cb607cf6f2ff9ad4031f77b26e3b82
MD5: 793c7c568ef53df8d3e838c1119b509e
M21-or3m1 | LokiBot_6c2cd24b | Windows | This strike sends a malware sample known as LokiBot. LokiBot is information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered in spam emails. | 6c2cd24b96a7cf4f1a2d4e4ba2b05453 | https://blog.talosintelligence.com/2021/07/threat-roundup-0702-0709.html
SHA256: a49c4e4536a52bed7f8fdd16d8feb46a4e624472c9db4e60b0530ca070efd078
SHA1: a60787e3e509755f62558e812fa0a6ff76049ed8
MD5: 6c2cd24b96a7cf4f1a2d4e4ba2b05453
M21-y08v1 | Bandidos_80bda1f2 | Windows | This strike sends a polymorphic malware sample known as Bandidos. Recently this campaign was largely found targeting Venezuela and Spanish-speaking countries. Infection begins with a malicious email that delivers a PDF document to the victim. Once the PDF is opened and the link clicked, an archive is retrieved with a dropper that injects Bandook into Internet Explorer. The Bandidos payload has many features, including manipulating files, taking screenshots, controlling the user's cursor on screen, installing additional DLLs, uninstalling itself, and exfiltrating data. This sample is the Dropper. The binary has a random section name renamed according to the PE format specification. | 80bda1f2647c16ed8050162359401c28 | https://www.welivesecurity.com/2021/07/07/bandidos-at-large-spying-campaign-latin-america/
https://thehackernews.com/2021/07/experts-uncover-malware-attacks.html
SHA256: 9b232918a9ed4112b3f2961b44945864bf1b90d7b232a4631e4529b7f611212c
https://arxiv.org/abs/1801.08917
PARENTID: M21-i0lt1
SSDEEP: 24576:ffKzZ9+FcgTEGJR93oWUZ54a09K1dghmcaGw74MWW:fyytjKE3wh
SHA1: d30fa1dfe5f4055b376d0a864424226426dce2d3
MD5: 80bda1f2647c16ed8050162359401c28
M21-1wov1 | Formbook_fa710797 | Windows | This strike sends a malware sample known as Formbook. Formbook is an information stealer that attempts to collect sensitive information from the target. | fa7107970a5b56d0d2c4b5692dbd9d33 | https://blog.talosintelligence.com/2021/07/threat-roundup-0625-0702.html
SHA256: 058a2309d89e8b24502c3a7ba08882eacecafd2e2d419ddecbe91202f80504fe
SHA1: 5ac23d9dd1e4313568682c43516ca69fa9373503
MD5: fa7107970a5b56d0d2c4b5692dbd9d33
M21-xbz51 | LockBit_49250b4a | Windows | This strike sends a malware sample known as LockBit. LockBit is ransomware that, once executed, encrypts the system's files until a ransom payment has been made to the attacker. LockBit can scan for and spread itself to all targets it finds on a network. | 49250b4aa060299f0c8f67349c942d1c | https://www.prodaft.com/m/reports/LockBit_Case_Report___TLPWHITE.pdf
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/tales-from-the-trenches-a-lockbit-ransomware-story/
https://www.bleepingcomputer.com/news/security/ransomware-gangs-now-creating-websites-to-recruit-affiliates/
SHA256: 69d9dd7fdd88f33e2343fb391ba063a65fe5ffbe649da1c5083ec4a67c525997
SHA1: 4d0e6d7af9a5edece5273f3c312fdd3b9c229409
MD5: 49250b4aa060299f0c8f67349c942d1c
M21-t5q81 | Hupigon_58303826 | Windows | This strike sends a malware sample known as Hupigon. Hupigon is a family of trojans that allow a remote user to execute commands on the system, such as deleting files and folders, downloading and executing files, and terminating processes. | 58303826aae3c74a9465e4df449426ad | https://blog.talosintelligence.com/2021/07/threat-roundup-for-july-9-to-july-16.html
SHA256: 0fff1aa47eb2da56333fa309de651adf025ff8d80c62c95cddd91a2e88a6dbf1
SHA1: 180a448c1d5b59e77098eab4e028206dcdab7ba2
MD5: 58303826aae3c74a9465e4df449426ad
M21-upqr1 | LockBit_c270ab0d | Windows | This strike sends a polymorphic malware sample known as LockBit. LockBit is ransomware that, once executed, encrypts the system's files until a ransom payment has been made to the attacker. LockBit can scan for and spread itself to all targets it finds on a network. The binary has random strings (lorem ipsum) appended at the end of the file. | c270ab0d2922947d199777adabf851bc | https://www.prodaft.com/m/reports/LockBit_Case_Report___TLPWHITE.pdf
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/tales-from-the-trenches-a-lockbit-ransomware-story/
https://www.bleepingcomputer.com/news/security/ransomware-gangs-now-creating-websites-to-recruit-affiliates/
SHA256: 5cee6787e8c736c14d708ab9e2afd25856e8be12bcc822dbd1c468c30de58d7c
https://attack.mitre.org/techniques/T1009/
PARENTID: M21-h4xy1
SSDEEP: 1536:e/0JJMzS/5uJup2KN/Z9SQ2illYOcJngsxmZ50fBbjpAeuwCU:e/qJMq5uJupjSQ2+1ctgY5bjpp5
SHA1: 24581d8b4ec25345315bbbd782b888361968a19f
MD5: c270ab0d2922947d199777adabf851bc
M21-zio51 | Hupigon_a8e0c1a2 | Windows | This strike sends a malware sample known as Hupigon. Hupigon is a family of trojans that allow a remote user to execute commands on the system, such as deleting files and folders, downloading and executing files, and terminating processes. | a8e0c1a24ef3690eb2c8c79ea8fc880a | https://blog.talosintelligence.com/2021/07/threat-roundup-for-july-9-to-july-16.html
SHA256: a8964c9721dac56c6e77460f82e8c669012d3dbb9ee2629595facc13b1ea744d
SHA1: ef7094a262ea9813e5b1bd3fdd82826dc6016ca5
MD5: a8e0c1a24ef3690eb2c8c79ea8fc880a
M21-3dqx1 | Bandidos_4dc64170 | Windows | This strike sends a polymorphic malware sample known as Bandidos. Recently this campaign was largely found targeting Venezuela and Spanish-speaking countries. Infection begins with a malicious email that delivers a PDF document to the victim. Once the PDF is opened and the link clicked, an archive is retrieved with a dropper that injects Bandook into Internet Explorer. The Bandidos payload has many features, including manipulating files, taking screenshots, controlling the user's cursor on screen, installing additional DLLs, uninstalling itself, and exfiltrating data. This sample is the Dropper. The binary has random strings (lorem ipsum) appended at the end of the file. | 4dc6417077e498a189e40dde2efd41da | https://www.welivesecurity.com/2021/07/07/bandidos-at-large-spying-campaign-latin-america/
https://thehackernews.com/2021/07/experts-uncover-malware-attacks.html
SHA256: 18b86ad7c385110e6b72e588bf85f6ec6a8862317963c35560a2c0020b636480
https://attack.mitre.org/techniques/T1009/
PARENTID: M21-i0lt1
SSDEEP: 24576:ofKzZ9+FcgTEGJR93oWUZ54a09K1dghmcaGw74MWWY:oyytjKE3whi
SHA1: 15e6bed80f4b7efee0f20e0ed1575190a865241c
MD5: 4dc6417077e498a189e40dde2efd41da
M21-dfou1 | LockBit_5cc28691 | Windows | This strike sends a malware sample known as LockBit. LockBit is ransomware that, once executed, encrypts the system's files until a ransom payment has been made to the attacker. LockBit can scan for and spread itself to all targets it finds on a network. | 5cc28691fdaa505b8f453e3500e3d690 | https://www.prodaft.com/m/reports/LockBit_Case_Report___TLPWHITE.pdf
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/tales-from-the-trenches-a-lockbit-ransomware-story/
https://www.bleepingcomputer.com/news/security/ransomware-gangs-now-creating-websites-to-recruit-affiliates/
SHA256: 286bffaa9c81abfb938fe65be198770c38115cdec95865a241f913769e9bfd3f
SHA1: cb3fb57b5c70c3a2f30aa3af078bbb1cfdd1bf02
MD5: 5cc28691fdaa505b8f453e3500e3d690
M21-fd741 | LockBit_0d03306e | Windows | This strike sends a malware sample known as LockBit. LockBit is ransomware that, once executed, encrypts the system's files until a ransom payment has been made to the attacker. LockBit can scan for and spread itself to all targets it finds on a network. | 0d03306ed6dd40407e8ae0fa3ffc181f | https://www.prodaft.com/m/reports/LockBit_Case_Report___TLPWHITE.pdf
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/tales-from-the-trenches-a-lockbit-ransomware-story/
https://www.bleepingcomputer.com/news/security/ransomware-gangs-now-creating-websites-to-recruit-affiliates/
SHA256: 6fedf83e76d76c59c8ad0da4c5af28f23a12119779f793fd253231b5e3b00a1a
SHA1: 39f5ec91f17f2dcee1c9fa124796439bc93a5120
MD5: 0d03306ed6dd40407e8ae0fa3ffc181f
M21-w70i1 | LokiBot_32270e69 | Windows | This strike sends a malware sample known as LokiBot. LokiBot is information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered in spam emails. | 32270e6929682c0ae0fbd255ff1ed6d5 | https://blog.talosintelligence.com/2021/07/threat-roundup-0702-0709.html
SHA256: b2214c05ad28423bce386338706021ca62da02d368f0a56844a89a250b562ccd
SHA1: 87e562b6f11720cd72a4c44e4ed3b1a0711d682e
MD5: 32270e6929682c0ae0fbd255ff1ed6d5
M21-vf0g1 | LokiBot_9ec2a2e6 | Windows | This strike sends a malware sample known as LokiBot. LokiBot is information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered in spam emails. | 9ec2a2e68f07d83c5904dde328c2f594 | https://blog.talosintelligence.com/2021/07/threat-roundup-0702-0709.html
SHA256: 872f2db91242bcb9a559e485badafa100fddc0cffb41cfa4ca260a365b5f43f6
SHA1: 7ec6568a23ba57eb2bfee8ad47cacb7460874432
MD5: 9ec2a2e68f07d83c5904dde328c2f594
M21-83181 | Bandidos_fc89c12d | Windows | This strike sends a polymorphic malware sample known as Bandidos. Recently this campaign was largely found targeting Venezuela and Spanish-speaking countries. Infection begins with a malicious email that delivers a PDF document to the victim. Once the PDF is opened and the link clicked, an archive is retrieved with a dropper that injects Bandook into Internet Explorer. The Bandidos payload has many features, including manipulating files, taking screenshots, controlling the user's cursor on screen, installing additional DLLs, uninstalling itself, and exfiltrating data. This sample is the Dropper. The binary has a random section name renamed according to the PE format specification. | fc89c12d2438bf86a0983305e9b76ff4 | https://www.welivesecurity.com/2021/07/07/bandidos-at-large-spying-campaign-latin-america/
https://thehackernews.com/2021/07/experts-uncover-malware-attacks.html
SHA256: 5123e6be3ccce331f20a6d81850a6b73147c09febd3ff3347fb6b2f32680adf9
https://arxiv.org/abs/1801.08917
PARENTID: M21-wp9r1
SSDEEP: 24576:yEZ4iqYQk5zZrikTtPUZwkC02g+fTqPUf/SWKfL7gg6PQVqa9qSb:yEFQ6k0TVkQxPQo9
SHA1: 30a68a861036fe74d4e5c2afc1ca4fd7b694940e
MD5: fc89c12d2438bf86a0983305e9b76ff4
M21-e0ts1 | LokiBot_f520c950 | Windows | This strike sends a malware sample known as LokiBot. LokiBot is information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered in spam emails. | f520c950b540931fb502ad1fccc6e5ec | https://blog.talosintelligence.com/2021/07/threat-roundup-0702-0709.html
SHA256: 32a3bb3048012ecb5c4cd1e9c307606e31235b7cf66d10e40a3faf820dd12554
SHA1: a917643bbc7497ebf51c898e20e8a6ac16d1eae6
MD5: f520c950b540931fb502ad1fccc6e5ec
M21-khbz1 | Hupigon_5e15f278 | Windows | This strike sends a malware sample known as Hupigon. Hupigon is a family of trojans that allow a remote user to execute commands on the system, such as deleting files and folders, downloading and executing files, and terminating processes. | 5e15f2784f98d21c45029623610e268a | https://blog.talosintelligence.com/2021/07/threat-roundup-for-july-9-to-july-16.html
SHA256: 47740a648c13c4288b829d3d3f2242f1d9730a8af5a907de716871e2590b56a1
SHA1: df053239071a8b1088d27eea647b42a623ff9ecf
MD5: 5e15f2784f98d21c45029623610e268a
M21-gu481 | LockBit_e4179bca | Windows | This strike sends a malware sample known as LockBit. LockBit is ransomware that, once executed, encrypts the system's files until a ransom payment has been made to the attacker. LockBit can scan for and spread itself to all targets it finds on a network. | e4179bca5bf5b1fd51172d629f5521f8 | https://www.prodaft.com/m/reports/LockBit_Case_Report___TLPWHITE.pdf
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/tales-from-the-trenches-a-lockbit-ransomware-story/
https://www.bleepingcomputer.com/news/security/ransomware-gangs-now-creating-websites-to-recruit-affiliates/
SHA256: ca57455fd148754bf443a2c8b06dc2a295f014b071e3990dd99916250d21bc75
SHA1: 488e532e55100da68eaeee30ba342cc05810e296
MD5: e4179bca5bf5b1fd51172d629f5521f8
M21-be4c1 | Bandidos_b89e1cb9 | Mixed | This strike sends a malware sample known as Bandidos. Recently this campaign was largely found targeting Venezuela and Spanish-speaking countries. Infection begins with a malicious email that delivers a PDF document to the victim. Once the PDF is opened and the link clicked, an archive is retrieved with a dropper that injects Bandook into Internet Explorer. The Bandidos payload has many features, including manipulating files, taking screenshots, controlling the user's cursor on screen, installing additional DLLs, uninstalling itself, and exfiltrating data. This sample is the PDF. | b89e1cb9522fbf1a4b54450b0c0c8781 | https://thehackernews.com/2021/07/experts-uncover-malware-attacks.html
https://www.welivesecurity.com/2021/07/07/bandidos-at-large-spying-campaign-latin-america/
SHA256: 2519475a0d1465481294801e07692ecdf21bbe864d0a973e06fb86398ba9dd61
SHA1: f384bdd63d3541c45fad9d82ef7f36f6c380d4dd
MD5: b89e1cb9522fbf1a4b54450b0c0c8781
M21-f3na1 | Hupigon_e921af12 | Windows | This strike sends a malware sample known as Hupigon. Hupigon is a family of trojans that allow a remote user to execute commands on the system, such as deleting files and folders, downloading and executing files, and terminating processes. | e921af128394bc17536506a9ea7f1c13 | https://blog.talosintelligence.com/2021/07/threat-roundup-for-july-9-to-july-16.html
SHA256: d800487b23a227def3770c846e4d8954e777caca74d0d2697c4ee20decaa946e
SHA1: 3bad123e07898791c3f4cec8df54f3ff79ba8bea
MD5: e921af128394bc17536506a9ea7f1c13
M21-mmnr1 | LockBit_5f504bb2 | Windows | This strike sends a malware sample known as LockBit. LockBit is ransomware that, once executed, encrypts the system's files until a ransom payment has been made to the attacker. LockBit can scan for and spread itself to all targets it finds on a network. | 5f504bb22471157aafeb887b4412b5de | https://www.prodaft.com/m/reports/LockBit_Case_Report___TLPWHITE.pdf
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/tales-from-the-trenches-a-lockbit-ransomware-story/
https://www.bleepingcomputer.com/news/security/ransomware-gangs-now-creating-websites-to-recruit-affiliates/
SHA256: 0f5d71496ab540c3395cfc024778a7ac5c6b5418f165cc753ea2b2befbd42d51
SHA1: 04fcf62555cf2cfaf4ed2d0ac7e973b3215b2de7
MD5: 5f504bb22471157aafeb887b4412b5de
M21-xdgf1 | Formbook_7c863257 | Windows | This strike sends a malware sample known as Formbook. Formbook is an information stealer that attempts to collect sensitive information from the target. | 7c863257a55bf029ffa58f2ed25ae22c | https://blog.talosintelligence.com/2021/07/threat-roundup-0625-0702.html
SHA256: 791bf882ea8aa1b2087f0882c7012170002fca93de56f191cbba27b2817a5007
SHA1: 096ba1fbd0ffd1d6067df44967a9127ee029855f
MD5: 7c863257a55bf029ffa58f2ed25ae22c
M21-juue1 | Formbook_857e3a6e | Windows | This strike sends a malware sample known as Formbook. Formbook is an information stealer that attempts to collect sensitive information from the target. | 857e3a6ecbeada63ae04fc1471abffcd | https://blog.talosintelligence.com/2021/07/threat-roundup-0625-0702.html
SHA256: 00b6af7edaa2b00729733a14bc2bc9c73decdc9af3de09b958585ec309db6730
SHA1: 3ff58f110f17f513b0c17e58288ab1ac58640f6a
MD5: 857e3a6ecbeada63ae04fc1471abffcd
M21-lla91 | LokiBot_ddd0e23f | Windows | This strike sends a malware sample known as LokiBot. LokiBot is information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered in spam emails. | ddd0e23fed0e19f7cd079acc1d6e546c | https://blog.talosintelligence.com/2021/07/threat-roundup-0702-0709.html
SHA256: 92ddf9f9142148776671e1cceda92ec02ba5a846778f08c9179d7a1a89d2b576
SHA1: b6f0beeec5532a777dbe61726b2c5031bf6d80d1
MD5: ddd0e23fed0e19f7cd079acc1d6e546c
M21-0ac11 | Formbook_800b669f | Windows | This strike sends a malware sample known as Formbook. Formbook is an information stealer that attempts to collect sensitive information from the target. | 800b669f5722ce9be29327319cd98f03 | https://blog.talosintelligence.com/2021/07/threat-roundup-0625-0702.html
SHA256: 1d84d1a99b7add79357e2b8470f97473ff2b7630853266a46f86b360dc23eb58
SHA1: 3f669fc8dc8713c807022539d5916641472337aa
MD5: 800b669f5722ce9be29327319cd98f03
M21-700j1 | Hupigon_1a979031 | Windows | This strike sends a malware sample known as Hupigon. Hupigon is a family of trojans that allow a remote user to execute commands on the system, such as deleting files and folders, downloading and executing files, and terminating processes. | 1a9790316f17c8a39dd67772f78ba2bd | https://blog.talosintelligence.com/2021/07/threat-roundup-for-july-9-to-july-16.html
SHA256: 122a04e621b147df461f23cdc10ff45d877c18a5eb97c64f3a33ff2d713c7139
SHA1: 01e7714ceccf7f156bf3eb5311b6679c6f05c459
MD5: 1a9790316f17c8a39dd67772f78ba2bd
M21-7kgh1 | LockBit_a04a99d9 | Windows | This strike sends a malware sample known as LockBit. LockBit is ransomware that, once executed, encrypts the system's files until a ransom payment has been made to the attacker. LockBit can scan for and spread itself to all targets it finds on a network. | a04a99d946fb08b2f65ba664ad7faebd | https://www.prodaft.com/m/reports/LockBit_Case_Report___TLPWHITE.pdf
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/tales-from-the-trenches-a-lockbit-ransomware-story/
https://www.bleepingcomputer.com/news/security/ransomware-gangs-now-creating-websites-to-recruit-affiliates/
SHA256: faa3453ceb1bd4e5b0b10171eaa908e56e7275173178010fcc323fdea67a6869
SHA1: 1fe7e2f8fbd98d6b5505fd9ee66da5b4f11720a1
MD5: a04a99d946fb08b2f65ba664ad7faebd
M21-a09j1 | Formbook_4131d35e | Windows | This strike sends a malware sample known as Formbook. Formbook is an information stealer that attempts to collect sensitive information from the target. | 4131d35ec6a865907eddcb8faa8cce33 | https://blog.talosintelligence.com/2021/07/threat-roundup-0625-0702.html
SHA256: 7f98741e8dbf35c91d3a06b890343c392f90f43ada2765b9ebf5918581e35385
SHA1: eaf6e41431c6f4859133a6a49e483203c3ed49f5
MD5: 4131d35ec6a865907eddcb8faa8cce33
M21-yeks1 | Formbook_4d3c739b | Windows | This strike sends a malware sample known as Formbook. Formbook is an information stealer that attempts to collect sensitive information from the target. | 4d3c739bab68b3eea8cd032aef303525 | https://blog.talosintelligence.com/2021/07/threat-roundup-0625-0702.html
SHA256: 4ea09532da8004377ffcdc400fc8e96c90a836cc83caa394a62bfd865c8e7425
SHA1: a3da1e48715faa85a3fd813c186f7484d4073036
MD5: 4d3c739bab68b3eea8cd032aef303525
M21-gqwj1 | LokiBot_9a1f1689 | Windows | This strike sends a malware sample known as LokiBot. LokiBot is information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered in spam emails. | 9a1f1689b94d59c040af83f496ba5bbb | https://blog.talosintelligence.com/2021/07/threat-roundup-0702-0709.html
SHA256: 478ef5fa2a46f98298605b91bd4fe42cb244afba3b4782e18bb12f6a084b9609
SHA1: 2d7446e076b1ce495f65ec6ee1f520f22835edaf
MD5: 9a1f1689b94d59c040af83f496ba5bbb
M21-62nr1 | LockBit_207718c9 | Windows | This strike sends a malware sample known as LockBit. LockBit is ransomware that, once executed, encrypts the system's files until a ransom payment has been made to the attacker. LockBit can scan for and spread itself to all targets it finds on a network. | 207718c939673a5f674ce51f402cfc06 | https://www.prodaft.com/m/reports/LockBit_Case_Report___TLPWHITE.pdf
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/tales-from-the-trenches-a-lockbit-ransomware-story/
https://www.bleepingcomputer.com/news/security/ransomware-gangs-now-creating-websites-to-recruit-affiliates/
SHA256: 26b6a9fecfc9d4b4b2c2ff02885b257721687e6b820f72cf2e66c1cae2675739
SHA1: 791f60a24f9b6589a2afed48b3ec17fad43bc1db
MD5: 207718c939673a5f674ce51f402cfc06
Strike ID: M21-suhh1
Malware: Bandidos_808ffbe3
Platform: Windows
Info: This strike sends a polymorphic malware sample known as Bandidos. Recently this campaign was largely found targeting Venezuela and Spanish-speaking countries. Infection occurs when malicious emails carrying a PDF document are sent to the victims. Once the PDF is opened and the link clicked, an archive is retrieved with a dropper that injects Bandook into Internet Explorer. The Bandidos payload has many features including manipulating files, taking screenshots, controlling the user's cursor on screen, installing additional DLLs, uninstalling itself, and exfiltrating data. This sample is the dropper. The binary has random contents appended in one of the existing sections in the PE file format.
External References: https://www.welivesecurity.com/2021/07/07/bandidos-at-large-spying-campaign-latin-america/
https://thehackernews.com/2021/07/experts-uncover-malware-attacks.html
https://arxiv.org/abs/1801.08917
SHA256: 271f9ea13701efddee8d2c77080dcd54d02b2928d81a425963bb84bc0f56d6f5
PARENTID: M21-wp9r1
SSDEEP: 24576:wEZ4iqYQk5zZrikTtPUiwkC02g+fTqPUf/SWKfL7gg6PQVqa9qSb:wEFQRk0TVkQxPQo9
SHA1: 832257a0c6a243da209e4a6bb8feb087d13e557d
MD5: 808ffbe38c037d877279779ea356e0a4
Strike ID: M21-y75j1
Malware: Formbook_bea316e0
Platform: Windows
Info: This strike sends a malware sample known as Formbook. Formbook is an information stealer that attempts to collect sensitive information from the target.
External References: https://blog.talosintelligence.com/2021/07/threat-roundup-0625-0702.html
SHA256: 85e2ee6d0a2fb9833421a85012326f028f291172b55ec3d0ce7c93464f238d58
SHA1: aae0ab12fa0cc86085e6d6354ad08edf6e988b07
MD5: bea316e056c7db49d33b4fbfdc052504
Strike ID: M21-pwf41
Malware: LockBit_1f4f6abf
Platform: Windows
Info: This strike sends a malware sample known as LockBit. LockBit is ransomware that, once executed, encrypts the system's files until a ransom payment has been made to the attacker. LockBit can scan for and spread itself to all targets it finds on a network.
External References: https://www.prodaft.com/m/reports/LockBit_Case_Report___TLPWHITE.pdf
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/tales-from-the-trenches-a-lockbit-ransomware-story/
https://www.bleepingcomputer.com/news/security/ransomware-gangs-now-creating-websites-to-recruit-affiliates/
SHA256: 1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18
SHA1: a4c486b0926f55e99d12f749135612602cc4bf64
MD5: 1f4f6abfced4c347ba951a04c8d86982
Strike ID: M21-87ek1
Malware: Formbook_970841bd
Platform: Windows
Info: This strike sends a malware sample known as Formbook. Formbook is an information stealer that attempts to collect sensitive information from the target.
External References: https://blog.talosintelligence.com/2021/07/threat-roundup-0625-0702.html
SHA256: 9e424316353fbc89681166a6ef69b2edd31739ae5d8d72a9ab7f516ce50c9b3c
SHA1: d67e1162c3dc43dc6390bb08d9fb043b72bece44
MD5: 970841bdc961619f7665e347ef1806b1
Strike ID: M21-zs0s1
Malware: Hupigon_53b1c580
Platform: Windows
Info: This strike sends a malware sample known as Hupigon. Hupigon is a family of trojans that allow a remote user to execute commands on the system, such as deleting files and folders, downloading and executing files, and terminating processes.
External References: https://blog.talosintelligence.com/2021/07/threat-roundup-for-july-9-to-july-16.html
SHA256: d18db2acffcf7dbd5d9ba8a3574b51b9d3d363dde772ab4232c4a59cf38116a5
SHA1: a7c282667b55d5c8ad3fd10c2f49f1cfe03d7a72
MD5: 53b1c580939176a264a724ba4c2493bc
Strike ID: M21-e76y1
Malware: Hupigon_df66e570
Platform: Windows
Info: This strike sends a malware sample known as Hupigon. Hupigon is a family of trojans that allow a remote user to execute commands on the system, such as deleting files and folders, downloading and executing files, and terminating processes.
External References: https://blog.talosintelligence.com/2021/07/threat-roundup-for-july-9-to-july-16.html
SHA256: 0887cf712624021a19c81f7d56fd7f962a0c81711888f1dfbebc4e8362e4a4d3
SHA1: 70b00bb6c86a32de6175cf7b0a4457d3d7009bb0
MD5: df66e570b2140d6bd39e75c7bbf26ed9
Strike ID: M21-o19a1
Malware: Formbook_8ec040b5
Platform: Windows
Info: This strike sends a malware sample known as Formbook. Formbook is an information stealer that attempts to collect sensitive information from the target.
External References: https://blog.talosintelligence.com/2021/07/threat-roundup-0625-0702.html
SHA256: 439341e4b6ef8081dace5531a98a018c31ba3b83a8b58c248db3f9aaa6248e79
SHA1: 0702bd3d9c535fe5a17b0ebb07703135f888c3d0
MD5: 8ec040b599ca27c33a5503834d0b666f
Strike ID: M21-puta1
Malware: Babuk
Platform: Windows
Info: This strike sends a malware sample known as Babuk Locker. Babuk is ransomware that first started appearing in early 2021. Recently, a tool that was used in the creation of these ransomware samples has been detected in other attacks and is being called Babuk Locker.
External References: https://www.bleepingcomputer.com/news/security/leaked-babuk-locker-ransomware-builder-used-in-new-attacks/
SHA256: 6103e26f6f9d5fd895d9c06e1f5e141ce74d8ebda999cda6a58a4393de5ed094
SHA1: f137ab4384d071ab51c746f9de976aeea81fb2e6
MD5: cafe07d8c34108007372bd8df42d9ef9
Strike ID: M21-wa9s1
Malware: LokiBot_75aa607a
Platform: Windows
Info: This strike sends a malware sample known as LokiBot. LokiBot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered via spam emails.
External References: https://blog.talosintelligence.com/2021/07/threat-roundup-0702-0709.html
SHA256: 9c260f46248c726184ce9eee75b5322d19e2cb82a0b8d51b32338b358b433168
SHA1: 56bd2e24a29e4328d1da2f16737679401267dda2
MD5: 75aa607a9f8bf2af141de19a41b0bd94
Strike ID: M21-gj2f1
Malware: Hupigon_05fa4098
Platform: Windows
Info: This strike sends a malware sample known as Hupigon. Hupigon is a family of trojans that allow a remote user to execute commands on the system, such as deleting files and folders, downloading and executing files, and terminating processes.
External References: https://blog.talosintelligence.com/2021/07/threat-roundup-for-july-9-to-july-16.html
SHA256: 972507d6a5e780d3428e330fd1df06fc30d90a7a5079b5e22100a46ed4be5e99
SHA1: 0ff99b174bd201322ab68d382258998483fa2ae7
MD5: 05fa4098d6102c38982ed2bb55ac21d6
Strike ID: M21-stnz1
Malware: LokiBot_2c4b9f71
Platform: Windows
Info: This strike sends a malware sample known as LokiBot. LokiBot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered via spam emails.
External References: https://blog.talosintelligence.com/2021/07/threat-roundup-0702-0709.html
SHA256: 7f6713ee87745196c893023e32b845a9c2d16994d0913d222a4dad64268c6bd0
SHA1: 1f2851384d0eb2750b1c9a14dad293250f180c7c
MD5: 2c4b9f716576fd4687556af2aa882e1f
Strike ID: M21-2lfa1
Malware: Bandidos_c1a93313
Platform: Windows
Info: This strike sends a polymorphic malware sample known as Bandidos. Recently this campaign was largely found targeting Venezuela and Spanish-speaking countries. Infection occurs when malicious emails carrying a PDF document are sent to the victims. Once the PDF is opened and the link clicked, an archive is retrieved with a dropper that injects Bandook into Internet Explorer. The Bandidos payload has many features including manipulating files, taking screenshots, controlling the user's cursor on screen, installing additional DLLs, uninstalling itself, and exfiltrating data. This sample is the dropper. The binary has the checksum removed in the PE file format.
External References: https://www.welivesecurity.com/2021/07/07/bandidos-at-large-spying-campaign-latin-america/
https://thehackernews.com/2021/07/experts-uncover-malware-attacks.html
https://arxiv.org/abs/1801.08917
SHA256: 8a741eabfe6e3a2da048e253cdbbb23b07d9970ad177a4a960aab30e50ca2b78
PARENTID: M21-wp9r1
SSDEEP: 24576:wEZ4iqYQk5zZrikTtPUZwkC02g+fTqPUf/SWKfL7gg6PQVqa9qSb:wEFQ6k0TVkQxPQo9
SHA1: 7bf0ed9d4da54ab5f5e8ede94a0a292679213c98
MD5: c1a933139452f8672e4810333a3d43db
Strike ID: M21-4qzb1
Malware: Hupigon_7937c41d
Platform: Windows
Info: This strike sends a malware sample known as Hupigon. Hupigon is a family of trojans that allow a remote user to execute commands on the system, such as deleting files and folders, downloading and executing files, and terminating processes.
External References: https://blog.talosintelligence.com/2021/07/threat-roundup-for-july-9-to-july-16.html
SHA256: 24925d89fa4f576a7e76aefcf1c58e78cfad728e03d2b6b12d663bcacb1427e5
SHA1: 18d705fab9d43925897b73a3944c623e15463063
MD5: 7937c41d346e489bbe34bc996fc11455
Strike ID: M21-8i9y1
Malware: LockBit_c0cacc5b
Platform: Windows
Info: This strike sends a malware sample known as LockBit. LockBit is ransomware that, once executed, encrypts the system's files until a ransom payment has been made to the attacker. LockBit can scan for and spread itself to all targets it finds on a network.
External References: https://www.prodaft.com/m/reports/LockBit_Case_Report___TLPWHITE.pdf
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/tales-from-the-trenches-a-lockbit-ransomware-story/
https://www.bleepingcomputer.com/news/security/ransomware-gangs-now-creating-websites-to-recruit-affiliates/
SHA256: 15a7d528587ffc860f038bb5be5e90b79060fbba5948766d9f8aa46381ccde8a
SHA1: 0cc92cccebed351b1b5e6b28082af5e00da28678
MD5: c0cacc5bf97b854b6025fe0973dc076f
Strike ID: M21-zzdj1
Malware: LokiBot_3d699bcf
Platform: Windows
Info: This strike sends a malware sample known as LokiBot. LokiBot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered via spam emails.
External References: https://blog.talosintelligence.com/2021/07/threat-roundup-0702-0709.html
SHA256: 230a3f0ff1c9e59f20339884840ab9a55443ee8bde8c0a6abf136896339e78c3
SHA1: 8e5a166ca1828b69caf55ca4e89b9650b5aa047a
MD5: 3d699bcfc5b1f7f20ed2668c45e8ddcc
Strike ID: M21-a14w1
Malware: LokiBot_f977b8f3
Platform: Windows
Info: This strike sends a malware sample known as LokiBot. LokiBot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered via spam emails.
External References: https://blog.talosintelligence.com/2021/07/threat-roundup-0702-0709.html
SHA256: b388b10e26fee484e4fd855a95e917a00e1dabe7f626636a45d235c8749e80ce
SHA1: f7ce396d2d655220b87a762d42c88384771c2c0b
MD5: f977b8f3919dc992d6ffe3fd0505815a
Strike ID: M21-bfr31
Malware: Babuk
Platform: Windows
Info: This strike sends a malware sample known as Babuk Locker. Babuk is ransomware that first started appearing in early 2021. Recently, a tool that was used in the creation of these ransomware samples has been detected in other attacks and is being called Babuk Locker.
External References: https://www.bleepingcomputer.com/news/security/leaked-babuk-locker-ransomware-builder-used-in-new-attacks/
SHA256: 678bfbf5d73d6cf38532e11b11dbed17668d94711e2e2ea27311dd46490201b7
SHA1: 5c8b0a23360420c33fb89e100fb996215a795a1f
MD5: ebe7bf69eceb80d155d7a16b8c61e15c
Strike ID: M21-ojyu1
Malware: LockBit_1fbef2a9
Platform: Windows
Info: This strike sends a malware sample known as LockBit. LockBit is ransomware that, once executed, encrypts the system's files until a ransom payment has been made to the attacker. LockBit can scan for and spread itself to all targets it finds on a network.
External References: https://www.prodaft.com/m/reports/LockBit_Case_Report___TLPWHITE.pdf
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/tales-from-the-trenches-a-lockbit-ransomware-story/
https://www.bleepingcomputer.com/news/security/ransomware-gangs-now-creating-websites-to-recruit-affiliates/
SHA256: 0f178bc093b6b9d25924a85d9a7dde64592215599733e83e3bbc6df219564335
SHA1: 3e86304198d1185a36834e59147fc767315d8678
MD5: 1fbef2a9007eb0e32fb586e0fca3f0e7
Strike ID: M21-sl6h1
Malware: Hupigon_1600de31
Platform: Windows
Info: This strike sends a malware sample known as Hupigon. Hupigon is a family of trojans that allow a remote user to execute commands on the system, such as deleting files and folders, downloading and executing files, and terminating processes.
External References: https://blog.talosintelligence.com/2021/07/threat-roundup-for-july-9-to-july-16.html
SHA256: 0c1f827e80c419173cb9d52ceb62a2e9d1a7388e296ab92d554d82c0ac935339
SHA1: be84852cd1897d65e79e3c669aeb8f0238e6e49b
MD5: 1600de312560e6b773d382413aa70e74
Strike ID: M21-woo21
Malware: LockBit_0859a78b
Platform: Windows
Info: This strike sends a malware sample known as LockBit. LockBit is ransomware that, once executed, encrypts the system's files until a ransom payment has been made to the attacker. LockBit can scan for and spread itself to all targets it finds on a network.
External References: https://www.prodaft.com/m/reports/LockBit_Case_Report___TLPWHITE.pdf
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/tales-from-the-trenches-a-lockbit-ransomware-story/
https://www.bleepingcomputer.com/news/security/ransomware-gangs-now-creating-websites-to-recruit-affiliates/
SHA256: ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d
SHA1: a72e18efa33f1e3438dbb4451c335d487cbd4082
MD5: 0859a78bb06a77e7c6758276eafbefd9
Strike ID: M21-yf5g1
Malware: REvil_835f242d
Platform: Windows
Info: This strike sends a malware sample known as REvil. In July 2021, a supply chain ransomware attack leveraging an SQL injection vulnerability in Kaseya VSA software was carried out against multiple MSPs and their customers. The ransomware used in this attack, REvil, also known as Sodinokibi, was pushed to their customers via an automated malicious update.
External References: https://securityscorecard.com/blog/agent-revil-unveiled-in-kaseya-vsa-ransomware-attack
SHA256: dc6b0e8c1e9c113f0364e1c8370060dee3fcbe25b667ddeca7623a95cd21411f
SHA1: 8118474606a68c03581eef85a05a90275aa1ec24
MD5: 835f242dde220cc76ee5544119562268
Strike ID: M21-z93m1
Malware: REvil_ce1eefe4
Platform: Windows
Info: This strike sends a polymorphic malware sample known as REvil. In July 2021, a supply chain ransomware attack leveraging an SQL injection vulnerability in Kaseya VSA software was carried out against multiple MSPs and their customers. The ransomware used in this attack, REvil, also known as Sodinokibi, was pushed to their customers via an automated malicious update. The binary has random contents appended in one of the existing sections in the PE file format.
External References: https://securityscorecard.com/blog/agent-revil-unveiled-in-kaseya-vsa-ransomware-attack
https://arxiv.org/abs/1801.08917
SHA256: 1c72875191a80e6e69d6e6c2edda738ad206767979851cfbb18dc0398ea191e4
PARENTID: M21-2zn41
SSDEEP: 1536:Nxd+ReKXU/MQaL7k0B/L7s+Zi+GrZxtQpfyHvtICS4A4UdZls8XzUXiWr4X5F4GC:NtchTojrZxtMhiiZHjUyWr4X5FTDU
SHA1: 18522badae740c53c22b0b05f58a233d390caab6
MD5: ce1eefe48010f4946cf45ffd6c4bebfa
Strike ID: M21-14uf1
Malware: Formbook_376dd288
Platform: Windows
Info: This strike sends a malware sample known as Formbook. Formbook is an information stealer that attempts to collect sensitive information from the target.
External References: https://blog.talosintelligence.com/2021/07/threat-roundup-0625-0702.html
SHA256: 6d009d7e9c6efaf020a6336b3da9022ba552782794e36c112b67142a64394524
SHA1: 2a5cd3de009757e7d5521e0f746f0a0dddcdd39c
MD5: 376dd2886e40bf04651900326d436943
Strike ID: M21-mj1g1
Malware: Hupigon_4c37493e
Platform: Windows
Info: This strike sends a malware sample known as Hupigon. Hupigon is a family of trojans that allow a remote user to execute commands on the system, such as deleting files and folders, downloading and executing files, and terminating processes.
External References: https://blog.talosintelligence.com/2021/07/threat-roundup-for-july-9-to-july-16.html
SHA256: 91fab5bfa3982e9ecc19cb3e82826706cf4c3ada3d3e0d7f0e222affd16aee8d
SHA1: e9f3d9b59ca3c2b1528cce323e463b0174f02b60
MD5: 4c37493e8bd5bd0e734e252aa0be12e5
Strike ID: M21-qlr01
Malware: Babuk
Platform: Windows
Info: This strike sends a polymorphic malware sample known as Babuk Locker. Babuk is ransomware that first started appearing in early 2021. Recently, a tool that was used in the creation of these ransomware samples has been detected in other attacks and is being called Babuk Locker. The binary has the timestamp field updated in the PE file header.
External References: https://www.bleepingcomputer.com/news/security/leaked-babuk-locker-ransomware-builder-used-in-new-attacks/
https://attack.mitre.org/techniques/T1099/
SHA256: 140bfc9a42927e502c03098d117b58b5b460177584981085a8f28f0065316197
PARENTID: M21-uph51
SSDEEP: 1536:Esxl39LgCRQ1+N+srQLOJgY8ZZP8LHD4XWaNH71dLdG1iiFM2iG2hV:EsD9LgWy+N+srQLOJgY8Zp8LHD4XWaN7
SHA1: 45d4bba2b22cf749bb7d57996f76b58b17424540
MD5: 61bf40aa7be7bac60efcec70058af30b
Strike ID: M21-bqce1
Malware: Babuk
Platform: Windows
Info: This strike sends a polymorphic malware sample known as Babuk Locker. Babuk is ransomware that first started appearing in early 2021. Recently, a tool that was used in the creation of these ransomware samples has been detected in other attacks and is being called Babuk Locker. The binary has random contents appended in one of the existing sections in the PE file format.
External References: https://www.bleepingcomputer.com/news/security/leaked-babuk-locker-ransomware-builder-used-in-new-attacks/
https://arxiv.org/abs/1801.08917
SHA256: 65b6fdf2b035df1519ee661179ba6b2e699841fafcde4efd2af122d364294ed4
PARENTID: M21-zzq81
SSDEEP: 1536:IK36UhZM4hubesrQLOJgY8ZZP8LHD4XWaNH71dLdG1iiFM2iG2zs4:IKLhZ5YesrQLOJgY8Zp8LHD4XWaNH71m
SHA1: aade7e003de8cb530ebf80bb8a72f40a927772e6
MD5: cb95970ab2c06f8695a4741fe055ec25
Strike ID: M21-ot461
Malware: LokiBot_92ccd05c
Platform: Windows
Info: This strike sends a malware sample known as LokiBot. LokiBot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered via spam emails.
External References: https://blog.talosintelligence.com/2021/07/threat-roundup-0702-0709.html
SHA256: 18366411246d9657db902a2d554f01318c29b943986d69c7834e5c48cdbdac1f
SHA1: a669798255c6c96e020a302838ab708311c9e206
MD5: 92ccd05c0b161385f503bd62c2f87995
Strike ID: M21-5tad1
Malware: REvil_b7ba5484
Platform: Windows
Info: This strike sends a malware sample known as REvil. In July 2021, a supply chain ransomware attack leveraging an SQL injection vulnerability in Kaseya VSA software was carried out against multiple MSPs and their customers. The ransomware used in this attack, REvil, also known as Sodinokibi, was pushed to their customers via an automated malicious update.
External References: https://securityscorecard.com/blog/agent-revil-unveiled-in-kaseya-vsa-ransomware-attack
SHA256: 94379bb2c305a5754d60ae3d27daf5f7f4758ed3dad21ee1969640fd9e84e83f
SHA1: a942aec58910ad72eff293d926fe9943397eb1a7
MD5: b7ba5484a95ceec8374f49c21212853c
Strike ID: M21-esl01
Malware: Hupigon_8d7a6e0a
Platform: Windows
Info: This strike sends a malware sample known as Hupigon. Hupigon is a family of trojans that allow a remote user to execute commands on the system, such as deleting files and folders, downloading and executing files, and terminating processes.
External References: https://blog.talosintelligence.com/2021/07/threat-roundup-for-july-9-to-july-16.html
SHA256: 03b0c0d7138eb07333b6561adb2f8c931a9a5df23773cdc743ac16eee97d2c72
SHA1: cdacd70f847e2dcabccaa29fd92e89b2b2d676ba
MD5: 8d7a6e0a188f39c414d6b8e40880a9cf
Strike ID: M21-b61d1
Malware: Formbook_783a8f3a
Platform: Windows
Info: This strike sends a malware sample known as Formbook. Formbook is an information stealer that attempts to collect sensitive information from the target.
External References: https://blog.talosintelligence.com/2021/07/threat-roundup-0625-0702.html
SHA256: 66ce3bdcd391f238136f7b126f88bcbd6cebbebab1187083c4305bbb09ecfd55
SHA1: 423d3c2b4a235d0143a0d0177713f13073c4f5fc
MD5: 783a8f3a3d9f1f92e310775bc1bc3bf3
Strike ID: M21-z0zi1
Malware: Bandidos_0f31bba7
Platform: Windows
Info: This strike sends a polymorphic malware sample known as Bandidos. Recently this campaign was largely found targeting Venezuela and Spanish-speaking countries. Infection occurs when malicious emails carrying a PDF document are sent to the victims. Once the PDF is opened and the link clicked, an archive is retrieved with a dropper that injects Bandook into Internet Explorer. The Bandidos payload has many features including manipulating files, taking screenshots, controlling the user's cursor on screen, installing additional DLLs, uninstalling itself, and exfiltrating data. This sample is the dropper. The binary has random bytes appended at the end of the file.
External References: https://www.welivesecurity.com/2021/07/07/bandidos-at-large-spying-campaign-latin-america/
https://thehackernews.com/2021/07/experts-uncover-malware-attacks.html
https://attack.mitre.org/techniques/T1009/
SHA256: 17af5974523db986f957c30dd46f70d0505670c21e2fef49642315413ac9394f
PARENTID: M21-2klg1
SSDEEP: 49152:u435mcqM2uL8Ujfwkrk2vts5Allzg2NZPnz0:uhEfwk18Ay
SHA1: 9121403287fa121646fbdc5c99d3a38b1ba3b1e0
MD5: 0f31bba7e0fe074a70230e5504ab1bc0
Strike ID: M21-hl0o1
Malware: REvil_c3afcdff
Platform: Windows
Info: This strike sends a malware sample known as REvil. In July 2021, a supply chain ransomware attack leveraging an SQL injection vulnerability in Kaseya VSA software was carried out against multiple MSPs and their customers. The ransomware used in this attack, REvil, also known as Sodinokibi, was pushed to their customers via an automated malicious update.
External References: https://securityscorecard.com/blog/agent-revil-unveiled-in-kaseya-vsa-ransomware-attack
SHA256: 9b46d03b690bda0df57c0ebb8dae0aebdd1d131beb500242fa8fe59cb260eed1
SHA1: e405c212107696a579494a67531ca5877956fac0
MD5: c3afcdffa4aeeee56b80cf2fd3c9758c
Strike ID: M21-8cqv1
Malware: LockBit_5761ee98
Platform: Windows
Info: This strike sends a malware sample known as LockBit. LockBit is ransomware that, once executed, encrypts the system's files until a ransom payment has been made to the attacker. LockBit can scan for and spread itself to all targets it finds on a network.
External References: https://www.prodaft.com/m/reports/LockBit_Case_Report___TLPWHITE.pdf
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/tales-from-the-trenches-a-lockbit-ransomware-story/
https://www.bleepingcomputer.com/news/security/ransomware-gangs-now-creating-websites-to-recruit-affiliates/
SHA256: 0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76
SHA1: 4d043df23e55088bfc04c14dfb9ddb329a703cc1
MD5: 5761ee98b1c2fea31b5408516a8929ea
Strike ID: M21-sfz31
Malware: REvil_eabb9030
Platform: Windows
Info: This strike sends a polymorphic malware sample known as REvil. In July 2021, a supply chain ransomware attack leveraging an SQL injection vulnerability in Kaseya VSA software against multiple MSPs and their customers was reported. The ransomware used in this attack, REvil, also known as Sodinokibi, was pushed to their customers via an automated malicious update. The binary has the timestamp field updated in the PE file header.
External References: https://securityscorecard.com/blog/agent-revil-unveiled-in-kaseya-vsa-ransomware-attack
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/diving-deeper-into-the-kaseya-vsa-attack-revil-returns-and-other-hackers-are-riding-their-coattails/
https://attack.mitre.org/techniques/T1099/
SHA256: 60c689eedae4c93f8fe79ff356108897662cd0283bb2657c92e41b08a4abea27
PARENTID: M21-x3mk1
SSDEEP: 24576:ZMz7ETDWX4XukZeVL/kYx9P/JY6gfjcsAE:mfF7k4pB/JYPIsAE
SHA1: c84e3aac856dffe3e2831446e5461f7e205ee43b
MD5: eabb90300cc0e02299681a93ad1db181
Strike ID: M21-jjwa1
Malware: Bandidos_eb5f7076
Platform: Windows
Info: This strike sends a polymorphic malware sample known as Bandidos. Recently this campaign was largely found targeting Venezuela and Spanish-speaking countries. Infection occurs when malicious emails carrying a PDF document are sent to the victims. Once the PDF is opened and the link clicked, an archive is retrieved with a dropper that injects Bandook into Internet Explorer. The Bandidos payload has many features including manipulating files, taking screenshots, controlling the user's cursor on screen, installing additional DLLs, uninstalling itself, and exfiltrating data. This sample is the dropper. The binary has random contents appended in one of the existing sections in the PE file format.
External References: https://www.welivesecurity.com/2021/07/07/bandidos-at-large-spying-campaign-latin-america/
https://thehackernews.com/2021/07/experts-uncover-malware-attacks.html
https://arxiv.org/abs/1801.08917
SHA256: bed5b6da3511ebc6f6cc295e840997065940c8b2d933c05f2bc2a3f88d9aeb65
PARENTID: M21-i0lt1
SSDEEP: 24576:AfKzZ9+FcgTEGJR93oWUZ54a09K1dghmcaGw74MWW:AyytjKE3wh
SHA1: d83dbde426b548e8bb9ebdceb7f9a9d6a57f7146
MD5: eb5f7076a810e1dcd7797545f05e5664
Strike ID: M21-fs4p1
Malware: Babuk
Platform: Windows
Info: This strike sends a polymorphic malware sample known as Babuk Locker. Babuk is ransomware that first started appearing in early 2021. Recently, a tool that was used in the creation of these ransomware samples has been detected in other attacks and is being called Babuk Locker. The binary has the debug flag removed in the PE file format.
External References: https://www.bleepingcomputer.com/news/security/leaked-babuk-locker-ransomware-builder-used-in-new-attacks/
https://arxiv.org/abs/1801.08917
SHA256: 0a5e95ab38058c4adb8b7bb3ed416c31b59a93d531356f6a7545fffcaa16a826
PARENTID: M21-uph51
SSDEEP: 1536:Ysxl39LgCRQ1+N+srQLOJgY8ZZP8LHD4XWaNH71dLdG1iiFM2iG2hV:YsD9LgWy+N+srQLOJgY8Zp8LHD4XWaN7
SHA1: 9bb397ce7c04cbf84858cd85f5ee9b3b42249d37
MD5: a8c465b971bb6ccfc517cf132a97f16d
Strike ID: M21-uph51
Malware: Babuk
Platform: Windows
Info: This strike sends a malware sample known as Babuk Locker. Babuk is ransomware that first started appearing in early 2021. Recently, a tool that was used in the creation of these ransomware samples has been detected in other attacks and is being called Babuk Locker.
External References: https://www.bleepingcomputer.com/news/security/leaked-babuk-locker-ransomware-builder-used-in-new-attacks/
SHA256: ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76
SHA1: 7839b437b279d3f0ec22a57df7ea84ad01322c17
MD5: d6fc9e993c69aceb7a5501641fc823fa
Strike ID: M21-2rdr1
Malware: LokiBot_0a698e88
Platform: Windows
Info: This strike sends a malware sample known as LokiBot. LokiBot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered via spam emails.
External References: https://blog.talosintelligence.com/2021/07/threat-roundup-0702-0709.html
SHA256: 2002aa11f9d36098b9546376a0e21d0fb05161c772831a9254d21324dc94e5a2
SHA1: 4a3c8e24f859de38025d4c8c162950eaa2e415b9
MD5: 0a698e8808618abeb1fbe9930d6d9fbc
Strike ID: M21-7lro1
Malware: Bandidos_06d613cc
Platform: Windows
Info: This strike sends a polymorphic malware sample known as Bandidos. Recently this campaign was largely found targeting Venezuela and Spanish-speaking countries. Infection occurs when malicious emails carrying a PDF document are sent to the victims. Once the PDF is opened and the link clicked, an archive is retrieved with a dropper that injects Bandook into Internet Explorer. The Bandidos payload has many features including manipulating files, taking screenshots, controlling the user's cursor on screen, installing additional DLLs, uninstalling itself, and exfiltrating data. This sample is the dropper. The binary has random bytes appended at the end of the file.
External References: https://www.welivesecurity.com/2021/07/07/bandidos-at-large-spying-campaign-latin-america/
https://thehackernews.com/2021/07/experts-uncover-malware-attacks.html
https://attack.mitre.org/techniques/T1009/
SHA256: 018a10ecea6b4315e863e4dedf88169330facf0cd8a3245d2415f2673b88c6d8
PARENTID: M21-i0lt1
SSDEEP: 24576:ofKzZ9+FcgTEGJR93oWUZ54a09K1dghmcaGw74MWWY:oyytjKE3whC
SHA1: 557f5ffc308635f71320c06fe5a1bfe16a96884c
MD5: 06d613ccf59608145e0ef7235f9ff4c6
Strike ID: M21-zzq81
Malware: Babuk
Platform: Windows
Info: This strike sends a malware sample known as Babuk Locker. Babuk is ransomware that first started appearing in early 2021. Recently, a tool that was used in the creation of these ransomware samples has been detected in other attacks and is being called Babuk Locker.
External References: https://www.bleepingcomputer.com/news/security/leaked-babuk-locker-ransomware-builder-used-in-new-attacks/
SHA256: bb31f235e86b0fda185e6580ef5327f80d6a6c754f78499e8647de5e229769cc
SHA1: e4934d730f999bc2bc0e05fec3b9afe324d8a32b
MD5: b8e5bd86046b596d8cf43843f433bb5d
Strike ID: M21-oej51
Malware: LokiBot_5e0f32cb
Platform: Windows
Info: This strike sends a malware sample known as LokiBot. LokiBot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered via spam emails.
External References: https://blog.talosintelligence.com/2021/07/threat-roundup-0702-0709.html
SHA256: 82d97cc4feac447f269099b023427c00f457978c2c7131144872ce4e1b6fbaa5
SHA1: e42369d6191cf97afca367324a2dcf57550f25aa
MD5: 5e0f32cb907fa23b7d4dc8c684e9720b
Strike ID: M21-ws2v1
Malware: Hupigon_1e9bbb20
Platform: Windows
Info: This strike sends a malware sample known as Hupigon. Hupigon is a family of trojans that allow a remote user to execute commands on the system, such as deleting files and folders, downloading and executing files, and terminating processes.
External References: https://blog.talosintelligence.com/2021/07/threat-roundup-for-july-9-to-july-16.html
SHA256: 4f6c2f4aa94bd6ce1311440e5ff3b70b1dd735269191cce1b6c646ecfc5c0847
SHA1: 022095d0e06eb9396104c85c1e4facbad552a71d
MD5: 1e9bbb205b4c79024fcc440bd1130726
Strike ID: M21-0sqm1
Malware: Formbook_5742fec2
Platform: Windows
Info: This strike sends a malware sample known as Formbook. Formbook is an information stealer that attempts to collect sensitive information from the target.
External References: https://blog.talosintelligence.com/2021/07/threat-roundup-0625-0702.html
SHA256: a7ad003a9a0d32f74833166178765af17cb09672095f96ad717b40983b2d4e49
SHA1: 5c665c1311b5d84d8eec0ae5bfeea30a177c9f18
MD5: 5742fec23905873e891ea7329acd3970
Strike ID: M21-y1hk1
Malware: LokiBot_43b38e77
Platform: Windows
Info: This strike sends a malware sample known as LokiBot. LokiBot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered via spam emails.
External References: https://blog.talosintelligence.com/2021/07/threat-roundup-0702-0709.html
SHA256: a72771be7b1f90d039e9a6f489c32f85779c9fb9411a33cc2e9012bc0b77f5d5
SHA1: 7952572e99d48dabf53ae98d2e902f7e4135d1f2
MD5: 43b38e775099053f93f72ac9ab5bfc25
Strike ID: M21-7ci91
Malware: Babuk
Platform: Windows
Info: This strike sends a malware sample known as Babuk Locker. Babuk is ransomware that first started appearing in early 2021. Recently, a tool that was used in the creation of these ransomware samples has been detected in other attacks and is being called Babuk Locker.
External References: https://www.bleepingcomputer.com/news/security/leaked-babuk-locker-ransomware-builder-used-in-new-attacks/
SHA256: 1f2edda243404918b78aa6123aa1fc5b18dd9506e4042c7a1547b565334527e1
SHA1: 5240f71f60c473b5f9ba100d2ce1d6effdbc08c1
MD5: f0d4c7d334633a72a3c7bd722e12c378
Strike ID: M21-y41s1
Malware: Babuk
Platform: Windows
Info: This strike sends a malware sample known as Babuk Locker. Babuk is a ransomware family that first appeared in early 2021. Recently, a tool used in the creation of these ransomware samples has been detected in other attacks and is being called Babuk Locker.
External References: https://www.bleepingcomputer.com/news/security/leaked-babuk-locker-ransomware-builder-used-in-new-attacks/
SHA256: 6d4ced2e85587e81d6a09b147ec7cccc054bc0fbb92afc39586de1b2bf57f812
SHA1: e755a778896378a5375785736063d4b6831a10b4
MD5: 567c8369e6ab695c9d65a629d6f45710
Strike ID: M21-pw5z1
Malware: Hupigon_d31fd664
Platform: Windows
Info: This strike sends a malware sample known as Hupigon. Hupigon is a family of trojans that allow a remote user to execute commands on the system, such as deleting files and folders, downloading and executing files, and terminating processes.
External References: https://blog.talosintelligence.com/2021/07/threat-roundup-for-july-9-to-july-16.html
SHA256: 869f6286a05cabb5b45ee25a84ac2a77b21813fec04d85a585ec4f6133890a58
SHA1: 20af79b138d20e4cd35c81a292954a4f493263d1
MD5: d31fd6646d114a6c8b41772f82e3e38b
Strike ID: M21-z2ro1
Malware: Formbook_329f7e4e
Platform: Windows
Info: This strike sends a malware sample known as Formbook. Formbook is an information stealer that attempts to collect sensitive information from the target.
External References: https://blog.talosintelligence.com/2021/07/threat-roundup-0625-0702.html
SHA256: 35ef714239b96dac502edee1da7c546039a67dfd31ff8751927cd4b9c86b83a7
SHA1: 6f80890e02149ad76e4c9ebf7b881acd92f7d08b
MD5: 329f7e4e00314e9cb074d15b2347df16
Strike ID: M21-1ww11
Malware: Formbook_42e783c3
Platform: Windows
Info: This strike sends a malware sample known as Formbook. Formbook is an information stealer that attempts to collect sensitive information from the target.
External References: https://blog.talosintelligence.com/2021/07/threat-roundup-0625-0702.html
SHA256: a0f0cf9630816feae91a78847e7c2c95581e150d4d1c7804c9a88eef1d0393a5
SHA1: bc0a3dfcae3c5d954d7db8582a7ef0791fc75617
MD5: 42e783c3fcea37f1ea7eaa89c45b31e6
Strike ID: M21-4hk31
Malware: Hupigon_2b6f5cd3
Platform: Windows
Info: This strike sends a malware sample known as Hupigon. Hupigon is a family of trojans that allow a remote user to execute commands on the system, such as deleting files and folders, downloading and executing files, and terminating processes.
External References: https://blog.talosintelligence.com/2021/07/threat-roundup-for-july-9-to-july-16.html
SHA256: 79b37f33abb6c24762b75c552ebe9e8e4a65f73d5abc87da06cf4e2a1e399bd0
SHA1: e249f08dda34e4e0c73973b077d39ff429501d1e
MD5: 2b6f5cd3688abd349f4cfb94164562cb
Strike ID: M21-dre81
Malware: LokiBot_141c2a99
Platform: Windows
Info: This strike sends a malware sample known as LokiBot. LokiBot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered via spam emails.
External References: https://blog.talosintelligence.com/2021/07/threat-roundup-0702-0709.html
SHA256: 88fecf445479b1e72beb29df878e65c087deb1e9987ecde0ef9fe66d33c6f7e1
SHA1: f7be04cc45fc66587a546fb181310520e880ca48
MD5: 141c2a99ec6c365eebcfe39e8dd84be3
Strike ID: M21-bbom1
Malware: Bandidos_a09d7cb6
Platform: Windows
Info: This strike sends a polymorphic malware sample known as Bandidos. Recently this campaign was largely found targeting Venezuela and Spanish-speaking countries. Infection occurs when malicious emails carrying a PDF document are sent to victims. Once the PDF is opened and the link clicked, an archive is retrieved with a dropper that injects Bandook into Internet Explorer. The Bandidos payload has many features, including manipulating files, taking screenshots, controlling the user's cursor on screen, installing additional DLLs, uninstalling itself, and exfiltrating data. This sample is the dropper. The binary has the timestamp field updated in the PE file header.
External References: https://www.welivesecurity.com/2021/07/07/bandidos-at-large-spying-campaign-latin-america/
https://thehackernews.com/2021/07/experts-uncover-malware-attacks.html
SHA256: c5ac72a41c0bcb35aea8362dbad638a7b64fbf361ca82bcd12031eb5b6407dec
https://attack.mitre.org/techniques/T1099/
PARENTID: M21-i0lt1
SSDEEP: 24576:SfKzZ9+FcgTEGJR93oWUZ54a09K1dghmcaGw74MWW:SyytjKE3wh
SHA1: 28eddbb3b05a00516b418c224798bf1244134ddd
MD5: a09d7cb6933ebc776f1321b9e41599a6
Strike ID: M21-x3mk1
Malware: REvil_561cffba
Platform: Windows
Info: This strike sends a malware sample known as REvil. In July 2021 a supply-chain ransomware attack was reported that leveraged an SQL injection vulnerability in Kaseya VSA software against multiple MSPs and their customers. The ransomware used in this attack, REvil, also known as Sodinokibi, was pushed to their customers via an automated malicious update.
External References: https://securityscorecard.com/blog/agent-revil-unveiled-in-kaseya-vsa-ransomware-attack
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/diving-deeper-into-the-kaseya-vsa-attack-revil-returns-and-other-hackers-are-riding-their-coattails/
SHA256: d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e
SHA1: 5162f14d75e96edb914d1756349d6e11583db0b0
MD5: 561cffbaba71a6e8cc1cdceda990ead4
Strike ID: M21-531i1
Malware: Formbook_ed023da1
Platform: Windows
Info: This strike sends a malware sample known as Formbook. Formbook is an information stealer that attempts to collect sensitive information from the target.
External References: https://blog.talosintelligence.com/2021/07/threat-roundup-0625-0702.html
SHA256: 73e2f69e19e575c987a9004886e42129fc259758f19a48badaa52fcb7f9925cb
SHA1: 1c548d48108be141c8e6fbaedaefc24ac911c014
MD5: ed023da1556dcf73ce6657ae1642194a
Strike ID: M21-52zz1
Malware: LockBit_fd902870
Platform: Windows
Info: This strike sends a polymorphic malware sample known as LockBit. LockBit is ransomware that, once executed, encrypts the system's files until a ransom payment has been made to the attacker. LockBit can scan for and spread itself to all targets it finds on a network. The binary has the checksum removed in the PE file format.
External References: https://www.prodaft.com/m/reports/LockBit_Case_Report___TLPWHITE.pdf
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/tales-from-the-trenches-a-lockbit-ransomware-story/
https://www.bleepingcomputer.com/news/security/ransomware-gangs-now-creating-websites-to-recruit-affiliates/
SHA256: e3d0df68fb6d028ffdd85bd0ebcb7ed04bc9c88c024c33ac0aaeb351f416b8bf
https://arxiv.org/abs/1801.08917
PARENTID: M21-h4xy1
SSDEEP: 1536:T/0JJMzS/5uJup2KN/Z9SQ2illYOcJngsxmZ50fBbjpAeuwC:T/qJMq5uJupjSQ2+1ctgY5bjpp
SHA1: 5f2fb4a4c47f8a9edf712bfe4898582d780478d3
MD5: fd902870de737723e6da1e0ba10f1385
Strike ID: M21-wp9r1
Malware: Bandidos_695ebe3e
Platform: Windows
Info: This strike sends a malware sample known as Bandidos. Recently this campaign was largely found targeting Venezuela and Spanish-speaking countries. Infection occurs when malicious emails carrying a PDF document are sent to victims. Once the PDF is opened and the link clicked, an archive is retrieved with a dropper that injects Bandook into Internet Explorer. The Bandidos payload has many features, including manipulating files, taking screenshots, controlling the user's cursor on screen, installing additional DLLs, uninstalling itself, and exfiltrating data. This sample is the dropper.
External References: https://www.welivesecurity.com/2021/07/07/bandidos-at-large-spying-campaign-latin-america/
https://thehackernews.com/2021/07/experts-uncover-malware-attacks.html
SHA256: d3e7b5be903eb9a596b9b2b78e5dd28390c6aadb8bdd4ea1ba3d896d99fa0057
SHA1: 89f1e932cc37e4515433696e3963bb3163cc4927
MD5: 695ebe3e45a89552d7dabbc2b972ed66
Strike ID: M21-ba5n1
Malware: Babuk
Platform: Windows
Info: This strike sends a malware sample known as Babuk Locker. Babuk is a ransomware family that first appeared in early 2021. Recently, a tool used in the creation of these ransomware samples has been detected in other attacks and is being called Babuk Locker.
External References: https://www.bleepingcomputer.com/news/security/leaked-babuk-locker-ransomware-builder-used-in-new-attacks/
SHA256: b4be6b8acda97f36c448365751d5c9a9e1b91f47cedfde79e1de258413c3de71
SHA1: c81aa4a4a5ac0eb22b8e9bf3024f2cd3b4db7eaa
MD5: 4161cbe9722d98ffe53636e9efa874ca
Strike ID: M21-7mji1
Malware: Babuk
Platform: Windows
Info: This strike sends a malware sample known as Babuk Locker. Babuk is a ransomware family that first appeared in early 2021. Recently, a tool used in the creation of these ransomware samples has been detected in other attacks and is being called Babuk Locker.
External References: https://www.bleepingcomputer.com/news/security/leaked-babuk-locker-ransomware-builder-used-in-new-attacks/
SHA256: a2b5ebfc52a447cde255e1ec1ac8797ad49b156ed427df8c292d6aeb4dad5523
SHA1: b592c787d347287efe410a43555e218e9ccfab10
MD5: dfaa9121f4165a9f38a8406d82f0ab71
Strike ID: M21-v70w1
Malware: Formbook_49fa2aec
Platform: Windows
Info: This strike sends a malware sample known as Formbook. Formbook is an information stealer that attempts to collect sensitive information from the target.
External References: https://blog.talosintelligence.com/2021/07/threat-roundup-0625-0702.html
SHA256: 6111eeaab08838bc32e1f0ade3b5af96955c29d459a3702090369598a5a1d067
SHA1: d0cf9fb098f5a2fdc87b62ba9a794ecaa998e56b
MD5: 49fa2aecca84c2cccd83b20297143646
Strike ID: M21-8mz41
Malware: LockBit_ec273b58
Platform: Windows
Info: This strike sends a malware sample known as LockBit. LockBit is ransomware that, once executed, encrypts the system's files until a ransom payment has been made to the attacker. LockBit can scan for and spread itself to all targets it finds on a network.
External References: https://www.prodaft.com/m/reports/LockBit_Case_Report___TLPWHITE.pdf
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/tales-from-the-trenches-a-lockbit-ransomware-story/
https://www.bleepingcomputer.com/news/security/ransomware-gangs-now-creating-websites-to-recruit-affiliates/
SHA256: 410c884d883ebe2172507b5eadd10bc8a2ae2564ba0d33b1e84e5f3c22bd3677
SHA1: 71e7990c8c81ef6c4e265eae11030886c40cc8b0
MD5: ec273b5841eadfc43b1908c9905e95a3
Strike ID: M21-pz0i1
Malware: REvil_f81958d7
Platform: Windows
Info: This strike sends a polymorphic malware sample known as REvil. In July 2021 a supply-chain ransomware attack was reported that leveraged an SQL injection vulnerability in Kaseya VSA software against multiple MSPs and their customers. The ransomware used in this attack, REvil, also known as Sodinokibi, was pushed to their customers via an automated malicious update. The binary has a random section name renamed according to the PE format specification.
External References: https://securityscorecard.com/blog/agent-revil-unveiled-in-kaseya-vsa-ransomware-attack
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/diving-deeper-into-the-kaseya-vsa-attack-revil-returns-and-other-hackers-are-riding-their-coattails/
SHA256: 9aa82c72004ae8617f94d8105dbdc8df2e092c75556ae63eb2fa009cd08ed9a5
https://arxiv.org/abs/1801.08917
PARENTID: M21-x3mk1
SSDEEP: 24576:1Mz7ETDWX4XukZeVL/kYx9P/JY6gfjcsAE:ifF7k4pB/JYPIsAE
SHA1: 82dde90c08793ebbc7b10b7204362a0ab92acf82
MD5: f81958d74101253e7d1f14fe4c6ff560
Strike ID: M21-h4xy1
Malware: LockBit_9fe9f4ee
Platform: Windows
Info: This strike sends a malware sample known as LockBit. LockBit is ransomware that, once executed, encrypts the system's files until a ransom payment has been made to the attacker. LockBit can scan for and spread itself to all targets it finds on a network.
External References: https://www.prodaft.com/m/reports/LockBit_Case_Report___TLPWHITE.pdf
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/tales-from-the-trenches-a-lockbit-ransomware-story/
https://www.bleepingcomputer.com/news/security/ransomware-gangs-now-creating-websites-to-recruit-affiliates/
SHA256: 1e3bf358c76f4030ffc4437d5fcd80c54bd91b361abb43a4fa6340e62d986770
SHA1: 7df22f2fbe86a07070f262f94e233860b6ae66b2
MD5: 9fe9f4ee717bae3a5c9fdf1d380e015d
Strike ID: M21-qao81
Malware: LockBit_265d02e0
Platform: Windows
Info: This strike sends a malware sample known as LockBit. LockBit is ransomware that, once executed, encrypts the system's files until a ransom payment has been made to the attacker. LockBit can scan for and spread itself to all targets it finds on a network.
External References: https://www.prodaft.com/m/reports/LockBit_Case_Report___TLPWHITE.pdf
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/tales-from-the-trenches-a-lockbit-ransomware-story/
https://www.bleepingcomputer.com/news/security/ransomware-gangs-now-creating-websites-to-recruit-affiliates/
SHA256: 13849c0c923bfed5ab37224d59e2d12e3e72f97dc7f539136ae09484cbe8e5e0
SHA1: 01890a3874787dcd74fc548d724b32ed9562abe4
MD5: 265d02e0a563bbdbdb2883add41ff4bb
Strike ID: M21-2zn41
Malware: REvil_94d08716
Platform: Windows
Info: This strike sends a malware sample known as REvil. In July 2021 a supply-chain ransomware attack leveraging an SQL injection vulnerability in Kaseya VSA software was carried out against multiple MSPs and their customers. The ransomware used in this attack, REvil, also known as Sodinokibi, was pushed to their customers via an automated malicious update.
External References: https://securityscorecard.com/blog/agent-revil-unveiled-in-kaseya-vsa-ransomware-attack
SHA256: 9b11711efed24b3c6723521a7d7eb4a52e4914db7420e278aa36e727459d59dd
SHA1: 99be22569ba9b1e49d3fd36f65faa6795672fcc0
MD5: 94d087166651c0020a9e6cc2fdacdc0c
Strike ID: M21-2aer1
Malware: Formbook_6127f5d1
Platform: Windows
Info: This strike sends a malware sample known as Formbook. Formbook is an information stealer that attempts to collect sensitive information from the target.
External References: https://blog.talosintelligence.com/2021/07/threat-roundup-0625-0702.html
SHA256: 191db0df191fa868b366cd9b221708bbf46680102decb2fe5bd9838d4edb6db9
SHA1: d0ca2af22b935484a1ba7ac15692143f39da89c1
MD5: 6127f5d1a39a07a6a33155f9181bd5c4
Strike ID: M21-kxbt1
Malware: Formbook_ba6b36b0
Platform: Windows
Info: This strike sends a malware sample known as Formbook. Formbook is an information stealer that attempts to collect sensitive information from the target.
External References: https://blog.talosintelligence.com/2021/07/threat-roundup-0625-0702.html
SHA256: 70ae91fc903cf888459854bafc02aba096412e7d264a09720f9447d3d7bbf17c
SHA1: 99f482b4e848401e261e232a33de2b43231a3ada
MD5: ba6b36b03f1864c1adb63a87ae843ee3
Strike ID: M21-vc4l1
Malware: REvil_18786bfa
Platform: Windows
Info: This strike sends a malware sample known as REvil. In July 2021 a supply-chain ransomware attack leveraging an SQL injection vulnerability in Kaseya VSA software was carried out against multiple MSPs and their customers. The ransomware used in this attack, REvil, also known as Sodinokibi, was pushed to their customers via an automated malicious update.
External References: https://securityscorecard.com/blog/agent-revil-unveiled-in-kaseya-vsa-ransomware-attack
SHA256: 1fe9b489c25bb23b04d9996e8107671edee69bd6f6def2fe7ece38a0fb35f98e
SHA1: 3c2b0dcdb2a46fc1ec0a12a54309e35621caa925
MD5: 18786bfac1be0ddf23ff94c029ca4d63
Strike ID: M21-81av1
Malware: Formbook_8fd89c48
Platform: Windows
Info: This strike sends a malware sample known as Formbook. Formbook is an information stealer that attempts to collect sensitive information from the target.
External References: https://blog.talosintelligence.com/2021/07/threat-roundup-0625-0702.html
SHA256: 61e1b56481c68ffcd7be4b30ec427401c7385af1a64451e221a17eb70b4d5819
SHA1: a909214d1a5eacb7f7ea172e652414f02fb15e27
MD5: 8fd89c48fdacb3ba7a8cb003917c24c3
Strike ID: M21-hrdx1
Malware: Bandidos_4ba8ccbd
Platform: Windows
Info: This strike sends a polymorphic malware sample known as Bandidos. Recently this campaign was largely found targeting Venezuela and Spanish-speaking countries. Infection occurs when malicious emails carrying a PDF document are sent to victims. Once the PDF is opened and the link clicked, an archive is retrieved with a dropper that injects Bandook into Internet Explorer. The Bandidos payload has many features, including manipulating files, taking screenshots, controlling the user's cursor on screen, installing additional DLLs, uninstalling itself, and exfiltrating data. This sample is the dropper. The binary has been packed using the UPX packer with the default options.
External References: https://www.welivesecurity.com/2021/07/07/bandidos-at-large-spying-campaign-latin-america/
https://thehackernews.com/2021/07/experts-uncover-malware-attacks.html
SHA256: ce98ad8035f3b5f107eb7e7e7fde5da34d7992806fbd85ab9ecc5a12ba342c1a
https://attack.mitre.org/techniques/T1045/
PARENTID: M21-i0lt1
SSDEEP: 24576:mBUWzGugqni0QP8AxdXH4MNHr6NNWst+G7MQUEi/fpm69NnSNzWCYigO:mBU56SP8AX5Wyf/kIN5FM
SHA1: 435b060140b839362e6c0c89473d77d9693f8bd1
MD5: 4ba8ccbd73a0951cab9c156fea290a70
Strike ID: M21-onpp1
Malware: LockBit_12351122
Platform: Windows
Info: This strike sends a malware sample known as LockBit. LockBit is ransomware that, once executed, encrypts the system's files until a ransom payment has been made to the attacker. LockBit can scan for and spread itself to all targets it finds on a network.
External References: https://www.prodaft.com/m/reports/LockBit_Case_Report___TLPWHITE.pdf
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/tales-from-the-trenches-a-lockbit-ransomware-story/
https://www.bleepingcomputer.com/news/security/ransomware-gangs-now-creating-websites-to-recruit-affiliates/
SHA256: e3f236e4aeb73f8f8f0caebe46f53abbb2f71fa4b266a34ab50e01933709e877
SHA1: 307088ae7027b55541311fd70a9337ff3709fccf
MD5: 123511227718f17b3dec5431d5ae87f3
Strike ID: M21-yr5o1
Malware: LockBit_83b0fca1
Platform: Windows
Info: This strike sends a malware sample known as LockBit. LockBit is ransomware that, once executed, encrypts the system's files until a ransom payment has been made to the attacker. LockBit can scan for and spread itself to all targets it finds on a network.
External References: https://www.prodaft.com/m/reports/LockBit_Case_Report___TLPWHITE.pdf
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/tales-from-the-trenches-a-lockbit-ransomware-story/
https://www.bleepingcomputer.com/news/security/ransomware-gangs-now-creating-websites-to-recruit-affiliates/
SHA256: c8205792fbc0a5efc6b8f0f2257514990bfaa987768c4839d413dd10721e8871
SHA1: 4e4d24f5d231434b9b0219fd7c5142c0c2ca1f08
MD5: 83b0fca1bd3190c5badcea4d507b8c95
Strike ID: M21-qrxb1
Malware: LockBit_612a58fd
Platform: Windows
Info: This strike sends a malware sample known as LockBit. LockBit is ransomware that, once executed, encrypts the system's files until a ransom payment has been made to the attacker. LockBit can scan for and spread itself to all targets it finds on a network.
External References: https://www.prodaft.com/m/reports/LockBit_Case_Report___TLPWHITE.pdf
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/tales-from-the-trenches-a-lockbit-ransomware-story/
https://www.bleepingcomputer.com/news/security/ransomware-gangs-now-creating-websites-to-recruit-affiliates/
SHA256: ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d
SHA1: f6e8feb1eb645e122de8bded0360ee9ecdafc823
MD5: 612a58fd67717e45d091ed3c353c3263
Strike ID: M21-60421
Malware: Hupigon_5ed9157b
Platform: Windows
Info: This strike sends a malware sample known as Hupigon. Hupigon is a family of trojans that allow a remote user to execute commands on the system, such as deleting files and folders, downloading and executing files, and terminating processes.
External References: https://blog.talosintelligence.com/2021/07/threat-roundup-for-july-9-to-july-16.html
SHA256: 363963520775929cb355a9e6adf0e7f710b4c6ab10e24522563b71e7cb0ec9ec
SHA1: 31dbeb25d8014ae05e253d44ea84d28772c046f6
MD5: 5ed9157b529b233195ba77a6c0f60807
Strike ID: M21-a6k51
Malware: Hupigon_787230e2
Platform: Windows
Info: This strike sends a malware sample known as Hupigon. Hupigon is a family of trojans that allow a remote user to execute commands on the system, such as deleting files and folders, downloading and executing files, and terminating processes.
External References: https://blog.talosintelligence.com/2021/07/threat-roundup-for-july-9-to-july-16.html
SHA256: bea6048a599c5eed9d491f3b275f03447dd39231cbc76c1efe1cea68c37034aa
SHA1: f31f572759d99716e5230d14088138f81804a05b
MD5: 787230e27a9cd49f59429a8b86636877
Strike ID: M21-xz9m1
Malware: LokiBot_59b388de
Platform: Windows
Info: This strike sends a malware sample known as LokiBot. LokiBot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered via spam emails.
External References: https://blog.talosintelligence.com/2021/07/threat-roundup-0702-0709.html
SHA256: 068dcc146fde443d327076ea1375496429539466ee8ff38a9b3d8c9c284b3327
SHA1: c7b4f39139d85a38ce087f8bb2ca3c154a1f2df2
MD5: 59b388dee247bcecd66795063b0c02d7
Strike ID: M21-3ei71
Malware: Formbook_440e6d38
Platform: Windows
Info: This strike sends a malware sample known as Formbook. Formbook is an information stealer that attempts to collect sensitive information from the target.
External References: https://blog.talosintelligence.com/2021/07/threat-roundup-0625-0702.html
SHA256: 351ff4900300a3012cf567aadc1e025e27b385cd677ea9152517bdd271447326
SHA1: 4428ff59802d290047a86c62aebc21985562b927
MD5: 440e6d387a6a202fb695171cdd90e9f0
Strike ID: M21-ejxa1
Malware: REvil_ffedad13
Platform: Windows
Info: This strike sends a polymorphic malware sample known as REvil. In July 2021 a supply-chain ransomware attack leveraging an SQL injection vulnerability in Kaseya VSA software was carried out against multiple MSPs and their customers. The ransomware used in this attack, REvil, also known as Sodinokibi, was pushed to their customers via an automated malicious update. The binary has the timestamp field updated in the PE file header.
External References: https://securityscorecard.com/blog/agent-revil-unveiled-in-kaseya-vsa-ransomware-attack
SHA256: b52b2677c639e92fdd9985181bfdd2471072672911c0f74682e0dfede230fd29
https://attack.mitre.org/techniques/T1099/
PARENTID: M21-yf5g1
SSDEEP: 24576:WJdzXxcwKjqd7kHeSyG/z35JCxvKtl9dfkV:AYg7aBgw9dfkV
SHA1: bfa28c6c8ef21fe277eb68feeb4d4ce79a83a8ad
MD5: ffedad13fbd2cf0996cf728e8c1b4c11
Strike ID: M21-yg181
Malware: Hupigon_df65acf3
Platform: Windows
Info: This strike sends a malware sample known as Hupigon. Hupigon is a family of trojans that allow a remote user to execute commands on the system, such as deleting files and folders, downloading and executing files, and terminating processes.
External References: https://blog.talosintelligence.com/2021/07/threat-roundup-for-july-9-to-july-16.html
SHA256: d6100a3d983ed3af8c27aca8303b0d48b14f1db3729c3458051e1b4b7e5a85b5
SHA1: f5c58f185abe09bbf5b8ca4c88941c743f940d28
MD5: df65acf337ed114181b3c38deb258de5
Strike ID: M21-nmor1
Malware: Hupigon_d6a6b2f9
Platform: Windows
Info: This strike sends a malware sample known as Hupigon. Hupigon is a family of trojans that allow a remote user to execute commands on the system, such as deleting files and folders, downloading and executing files, and terminating processes.
External References: https://blog.talosintelligence.com/2021/07/threat-roundup-for-july-9-to-july-16.html
SHA256: bc2183e23a1d6fc2c3f61d89a52d0ffa5f82e691e4fffd9c7363f3c98fdddbe1
SHA1: 18ac7adb0981e67756a56b95d8582f4cbf2bc7fd
MD5: d6a6b2f9bd1a53e3789bcf5b4865aa81
Strike ID: M21-72up1
Malware: Formbook_ed588185
Platform: Windows
Info: This strike sends a malware sample known as Formbook. Formbook is an information stealer that attempts to collect sensitive information from the target.
External References: https://blog.talosintelligence.com/2021/07/threat-roundup-0625-0702.html
SHA256: 4b9450d76929aabf8390ad818fd3d40a735d76d679b0f4cfb58ff60ced2ee6fd
SHA1: c745ab22991ec1fd49c5ddf5fc3eadefab032e17
MD5: ed588185aacf2a9ea91b31af93642256
Strike ID: M21-dfah1
Malware: Hupigon_78860c61
Platform: Windows
Info: This strike sends a malware sample known as Hupigon. Hupigon is a family of trojans that allow a remote user to execute commands on the system, such as deleting files and folders, downloading and executing files, and terminating processes.
External References: https://blog.talosintelligence.com/2021/07/threat-roundup-for-july-9-to-july-16.html
SHA256: 00aed8bbca1c733cf29cb67c1d05b9f10cb4b2f44b3f88780fc478fc5aed2b79
SHA1: aac289a5d3e44f19e399ef63845b47642aded0c1
MD5: 78860c61167bb648a081ab7371638247
Strike ID: M21-w5hl1
Malware: LockBit_8ab03752
Platform: Windows
Info: This strike sends a malware sample known as LockBit. LockBit is ransomware that, once executed, encrypts the system's files until a ransom payment has been made to the attacker. LockBit can scan for and spread itself to all targets it finds on a network.
External References: https://www.prodaft.com/m/reports/LockBit_Case_Report___TLPWHITE.pdf
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/tales-from-the-trenches-a-lockbit-ransomware-story/
https://www.bleepingcomputer.com/news/security/ransomware-gangs-now-creating-websites-to-recruit-affiliates/
SHA256: 5072678821b490853eff0a97191f262c4e8404984dd8d5be1151fef437ca26db
SHA1: 75f06b636efe53360287c0ff1f51ea7de1e7c8b5
MD5: 8ab0375228416b89becff72a0ae40654
Strike ID: M21-k4qr1
Malware: LokiBot_574ea378
Platform: Windows
Info: This strike sends a malware sample known as LokiBot. LokiBot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered via spam emails.
External References: https://blog.talosintelligence.com/2021/07/threat-roundup-0702-0709.html
SHA256: 63f3585c6d2914d6060f7bdef809063eaea115da6c7ada28cbac8f9f796d9cfa
SHA1: 6f7ae2e1b875ff0b1610e33d4b824921fc318cf7
MD5: 574ea37878e74bbcf646402baf723ee4
Strike ID: M21-fj3a1
Malware: LokiBot_393264b4
Platform: Windows
Info: This strike sends a malware sample known as LokiBot. LokiBot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered via spam emails.
External References: https://blog.talosintelligence.com/2021/07/threat-roundup-0702-0709.html
SHA256: 9c425b2930a33567fb81e1a170f4a36222b19ac8b7be4f9d7fbe6e765f385fa3
SHA1: 1e15510afb6e09d236a1396f05c18381f0b6b982
MD5: 393264b41d8cb7b93d7cc3e079556eff
Strike ID: M21-2zln1
Malware: Hupigon_a52d0b02
Platform: Windows
Info: This strike sends a malware sample known as Hupigon. Hupigon is a family of trojans that allow a remote user to execute commands on the system, such as deleting files and folders, downloading and executing files, and terminating processes.
External References: https://blog.talosintelligence.com/2021/07/threat-roundup-for-july-9-to-july-16.html
SHA256: 608a3f4ac2cefa53738e7aca0a0e5f0530a66984414e9f100f134af4039b47c9
SHA1: f5d8eaba3d2fa10770072d13bd15a76e36795bdf
MD5: a52d0b02fc623f4d0ada0e5c5432c559
Strike ID: M21-d7s81
Malware: Babuk
Platform: Windows
Info: This strike sends a malware sample known as Babuk Locker. Babuk is a ransomware family that first appeared in early 2021. Recently, a tool used in the creation of these ransomware samples has been detected in other attacks and is being called Babuk Locker.
External References: https://www.bleepingcomputer.com/news/security/leaked-babuk-locker-ransomware-builder-used-in-new-attacks/
SHA256: 54c82ad27174fd6ed72793b1ccf9d26613eb572960e847a63538420c69d06c5b
SHA1: 7b41f9077fba77d9a3115c3e8142c3f15c81d84a
MD5: eacfeff2add22da202bc6ba34308989e
Strike ID: M21-i0lt1
Malware: Bandidos_10c4865e
Platform: Windows
Info: This strike sends a malware sample known as Bandidos. Recently this campaign was largely found targeting Venezuela and Spanish-speaking countries. Infection occurs when malicious emails carrying a PDF document are sent to victims. Once the PDF is opened and the link clicked, an archive is retrieved with a dropper that injects Bandook into Internet Explorer. The Bandidos payload has many features, including manipulating files, taking screenshots, controlling the user's cursor on screen, installing additional DLLs, uninstalling itself, and exfiltrating data. This sample is the dropper.
External References: https://www.welivesecurity.com/2021/07/07/bandidos-at-large-spying-campaign-latin-america/
https://thehackernews.com/2021/07/experts-uncover-malware-attacks.html
SHA256: 51367cf1a79f11c5801c47f1fbe68c765c1e90602cb7ff49dc00af5e2701c9d5
SHA1: 124abf42098e644d172d9ea69b05af8ec45d6e49
MD5: 10c4865edac377dc12f14905c8bb3a46
Strike ID: M21-sdq21
Malware: Bandidos_2d9afda2
Platform: Windows
Info: This strike sends a polymorphic malware sample known as Bandidos. Recently this campaign was largely found targeting Venezuela and Spanish-speaking countries. Infection occurs when malicious emails carrying a PDF document are sent to victims. Once the PDF is opened and the link clicked, an archive is retrieved with a dropper that injects Bandook into Internet Explorer. The Bandidos payload has many features, including manipulating files, taking screenshots, controlling the user's cursor on screen, installing additional DLLs, uninstalling itself, and exfiltrating data. This sample is the dropper. The binary has the timestamp field updated in the PE file header.
External References: https://www.welivesecurity.com/2021/07/07/bandidos-at-large-spying-campaign-latin-america/
https://thehackernews.com/2021/07/experts-uncover-malware-attacks.html
SHA256: 505832595c9eaa4670a8a52f19b661a60399db365c737299935fc34ea0b5be35
https://attack.mitre.org/techniques/T1099/
PARENTID: M21-2klg1
SSDEEP: 49152:j435mcqM2uL8Ujfwkrk2vts5Allzg2NZPnz:jhEfwk18A
SHA1: cf6e54cf5aba6ea885b407e577c5842f82380fc2
MD5: 2d9afda2d563179aa8230116f916d227
Strike ID: M21-9ycf1
Malware: Formbook_a815304b
Platform: Windows
Info: This strike sends a malware sample known as Formbook. Formbook is an information stealer that attempts to collect sensitive information from the target.
External References: https://blog.talosintelligence.com/2021/07/threat-roundup-0625-0702.html
SHA256: 2f3ed7f2aa896961026bad2904d961dd8c45f30264a6ffdf9635aecdcfb3557b
SHA1: f8b33169fa1f8ee09fcb0238990fd1836613ae43
MD5: a815304b1a9d216a410082490224e4d8
Strike ID: M21-kge51
Malware: Bandidos_bb861561
Platform: Windows
Info: This strike sends a polymorphic malware sample known as Bandidos. Recently this campaign was largely found targeting Venezuela and Spanish-speaking countries. Infection occurs when malicious emails carrying a PDF document are sent to victims. Once the PDF is opened and the link clicked, an archive is retrieved with a dropper that injects Bandook into Internet Explorer. The Bandidos payload has many features, including manipulating files, taking screenshots, controlling the user's cursor on screen, installing additional DLLs, uninstalling itself, and exfiltrating data. This sample is the dropper. The binary has random bytes appended at the end of the file.
External References: https://www.welivesecurity.com/2021/07/07/bandidos-at-large-spying-campaign-latin-america/
https://thehackernews.com/2021/07/experts-uncover-malware-attacks.html
SHA256: 23cf8153cef986bb493b90c48bddc4d304016b043059dc4958bd769726354005
https://attack.mitre.org/techniques/T1009/
PARENTID: M21-wp9r1
SSDEEP: 24576:5EZ4iqYQk5zZrikTtPUZwkC02g+fTqPUf/SWKfL7gg6PQVqa9qSbk:5EFQ6k0TVkQxPQo9X
SHA1: ed58d82a9e3b4dbad3f2a6068eaab66a6774013b
MD5: bb8615619a3363acd508ca02384c1ead
Strike ID: M21-s46d1
Malware: LokiBot_d59102dc
Platform: Windows
Info: This strike sends a malware sample known as LokiBot. LokiBot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered via spam emails.
External References: https://blog.talosintelligence.com/2021/07/threat-roundup-0702-0709.html
SHA256: 52dc80bfa7b84b98a0bc7dda49a01497e7b7deeb50850d14182895aa12e23092
SHA1: 7242662ebc8e38ce2ad7adf58485fa7dc0f4cf05
MD5: d59102dcc956a859de8d5c6545b30bfd
Strike ID: M21-1s781
Malware: REvil_f31b13a0
Platform: Windows
Info: This strike sends a polymorphic malware sample known as REvil. In July of 2021, a supply chain ransomware attack leveraging an SQL injection vulnerability in Kaseya VSA software was carried out against multiple MSPs and their customers. The ransomware used in this attack, REvil, also known as Sodinokibi, was pushed to their customers via an automated malicious update. The binary has a random section name renamed according to the PE format specification.
MD5: f31b13a0c700a35bc36376da03419df9
External References: https://securityscorecard.com/blog/agent-revil-unveiled-in-kaseya-vsa-ransomware-attack
SHA256: 4e5657a23fb37961c73c6aac9fbe0723b3faeb13267d1b268e0ad4a6bee19b89
https://arxiv.org/abs/1801.08917
PARENTID: M21-2zn41
SSDEEP: 1536:Vxd+ReKXU/MQaL7k0B/L7s+Zi+GrZxtQpfyHvtICS4A4UdZls8XzUXiWr4X5F4GC:VtchTojrZxtMhiiZHjUyWr4X5FTDU
SHA1: 0629a47aa2995513531dd29d2a90d7690df93a16
MD5: f31b13a0c700a35bc36376da03419df9
Strike ID: M21-y65s1
Malware: REvil_f6e2317b
Platform: Windows
Info: This strike sends a polymorphic malware sample known as REvil. In July of 2021, a supply chain ransomware attack leveraging an SQL injection vulnerability in Kaseya VSA software against multiple MSPs and their customers was reported. The ransomware used in this attack, REvil, also known as Sodinokibi, was pushed to their customers via an automated malicious update. The binary has the checksum removed in the PE file format.
MD5: f6e2317b5ed7878efd7e1160b3bfc93d
External References: https://securityscorecard.com/blog/agent-revil-unveiled-in-kaseya-vsa-ransomware-attack
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/diving-deeper-into-the-kaseya-vsa-attack-revil-returns-and-other-hackers-are-riding-their-coattails/
SHA256: e898ca8d6f82544edbdd52d96ff1f4ac810e6f366a3d6e2b4c4dcc5bd139111e
https://arxiv.org/abs/1801.08917
PARENTID: M21-x3mk1
SSDEEP: 24576:5Mz7ETDWX4XukZeVL/kYx9P/JY6gfjcsAE:GfF7k4pB/JYPIsAE
SHA1: 4fc08a7a467e611abc3f561348bb45dc7d1e3db6
MD5: f6e2317b5ed7878efd7e1160b3bfc93d
Strike ID: M21-28yz1
Malware: Hupigon_d8b33080
Platform: Windows
Info: This strike sends a malware sample known as Hupigon. Hupigon is a family of trojans that allow a remote user to execute commands on the system, such as deleting files and folders, downloading and executing files, and terminating processes.
MD5: d8b33080023b54bebedaa8b29a2f088c
External References: https://blog.talosintelligence.com/2021/07/threat-roundup-for-july-9-to-july-16.html
SHA256: 75c4cab4fd1de9ca44db0c3cd51c8d9dfa156ab2205a85924487c10965a12754
SHA1: 39ad2552b7215228f20b2f5953899f7bc4f6795f
MD5: d8b33080023b54bebedaa8b29a2f088c

Malware Strikes June - 2021

Strike ID Malware Platform Info MD5 External References
Strike ID: M21-uuqg1
Malware: REvil_5d8bf296
Platform: Windows
Info: This strike sends a polymorphic malware sample known as REvil. REvil malware, also known as Sodinokibi, is ransomware that has recently been seen targeting law firms of A-list celebrities. The attackers not only pose the threat of losing all encrypted data but also of leaking stolen client data to the public. The binary has random strings (lorem ipsum) appended at the end of the file.
MD5: 5d8bf296740b5399e0d6a70a5585a557
External References: https://threatpost.com/revil-ransomware-ground-down-jbs-sources/166597/
https://twitter.com/VK_Intel/status/1402027278842961925
SHA256: 854930a525ef287ffb338107c50b78c57ff76fdfb0d44787c628b7065333f72f
https://attack.mitre.org/techniques/T1009/
PARENTID: M21-kpqd1
SSDEEP: 1536:hxOUyl20w8bVZQ40iMSO1fY+iUyQs2r8t5p1ySotICS4A6Ud0RkARjTJi33tUmgC:hMhQNDEtb3Ai0RpRpi33tUzW2q
SHA1: fca32aee8293a7fc3be9767636e8698c332bb4a0
MD5: 5d8bf296740b5399e0d6a70a5585a557
Strike ID: M21-gtmj1
Malware: REvil_2c7ae560
Platform: Windows
Info: This strike sends a polymorphic malware sample known as REvil. REvil malware, also known as Sodinokibi, is ransomware that has recently been seen targeting law firms of A-list celebrities. The attackers not only pose the threat of losing all encrypted data but also of leaking stolen client data to the public. The binary has random contents appended in one of the existing sections in the PE file format.
MD5: 2c7ae560e8df6f5c6d698edc2c860e83
External References: https://threatpost.com/revil-ransomware-ground-down-jbs-sources/166597/
https://twitter.com/VK_Intel/status/1402027278842961925
SHA256: da2b6740da5e66b2b9d598bdb865e57a93d1b89ef6b4ecaad938923baa6ab088
https://arxiv.org/abs/1801.08917
PARENTID: M21-kpqd1
SSDEEP: 1536:hxOUyl20w8bVZQ40iMSO1fY+iUyQs2r8t5p1ySotICS4ADUd0RkARjTJi33tUmgf:hMhQNDEtb3li0RpRpi33tUzW2
SHA1: 1d4447407d0a9735565a19452a12306fa37618f7
MD5: 2c7ae560e8df6f5c6d698edc2c860e83
Strike ID: M21-9bv01
Malware: Adrozek_85172625
Platform: Windows
Info: This strike sends a malware sample known as Adrozek. Adrozek hooks into web browsers to inject ads on webpages and steals login credentials when users visit the webpage.
MD5: 8517262559ecf71f29621ba6a2fa79e9
External References: https://blog.talosintelligence.com/2021/06/threat-roundup-0611-0617.html
SHA256: e54fb4b85b5ede5ccbbdb4d245899dc98f5a83acb17a36e066a5d6a009f3aa52
SHA1: 9ad4e8c7d87c7f0b28ff609fc1dd8d3d5a041a2e
MD5: 8517262559ecf71f29621ba6a2fa79e9
Strike ID: M21-mw271
Malware: Scar_e6511a4a
Platform: Windows
Info: This strike sends a malware sample known as Scar. Scar is a worm and will download files while also trying to spread to other machines by copying itself to removable media.
MD5: e6511a4aee70c7d7a9c5619167d925ee
External References: https://blog.talosintelligence.com/2021/06/threat-roundup-0604-0611.html
SHA256: 380de4261374d646161ed28b7363af5431110f2974f04b22f95795daf583363a
SHA1: bd3d95d720f2de2922aa67a367f7f4012618d959
MD5: e6511a4aee70c7d7a9c5619167d925ee
Strike ID: M21-i1ce1
Malware: DarkComet_f09ebc3e
Platform: Windows
Info: This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system.
MD5: f09ebc3e8c61f3cc45059c41857f36fb
External References: https://blog.talosintelligence.com/2021/06/threat-roundup-0611-0617.html
SHA256: 8af940f8d26765f1f3b6bd2e2c21c29c127a5139afc100dbc4e565a04f217aa4
SHA1: 08a62beb9b0f4dc375493dbc319b52e61294b2ce
MD5: f09ebc3e8c61f3cc45059c41857f36fb
Strike ID: M21-rb831
Malware: DarkComet_5288ee62
Platform: Windows
Info: This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system.
MD5: 5288ee620e47eff39ba4db70e62e249b
External References: https://blog.talosintelligence.com/2021/06/threat-roundup-0611-0617.html
SHA256: 5ba083bc4ba7e5035e723c186b3361fa972072d77de7f640cee396ceb2a2ffcc
SHA1: a798e0b67678f06d4dfc436432ab871930613ff1
MD5: 5288ee620e47eff39ba4db70e62e249b
Strike ID: M21-nf5k1
Malware: Expiro_d40dd121
Platform: Windows
Info: This strike sends a malware sample known as Expiro. Expiro or Xpiro is a known file infector and information-stealer that hinders analysis with anti-debugging and anti-analysis tricks.
MD5: d40dd121d3362943bf820a1749dfb7d3
External References: https://blog.talosintelligence.com/2021/06/threat-roundup-0528-0604.html
SHA256: d1fd5987461ed40a0feed9983da5524d0aa929d1e3151a174e0c60a844e88ab8
SHA1: a9cc769683c974da2e7fd14bd71b52b40ab280a8
MD5: d40dd121d3362943bf820a1749dfb7d3
Strike ID: M21-e0m41
Malware: Expiro_35e46887
Platform: Windows
Info: This strike sends a malware sample known as Expiro. Expiro or Xpiro is a known file infector and information-stealer that hinders analysis with anti-debugging and anti-analysis tricks.
MD5: 35e46887a497633076821bc083f29dff
External References: https://blog.talosintelligence.com/2021/06/threat-roundup-0528-0604.html
SHA256: 25231cc105f6a68131889260eb4149bcc4a1aec161e7485438de9b8176d2516f
SHA1: 92dea6a01a8ca30a1c5e2d652c6b1780137e2dbf
MD5: 35e46887a497633076821bc083f29dff
Strike ID: M21-d3zg1
Malware: DarkComet_520f4745
Platform: Windows
Info: This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system.
MD5: 520f4745b30071068ed610873843c165
External References: https://blog.talosintelligence.com/2021/06/threat-roundup-0611-0617.html
SHA256: 2ff8aea2453cac540b24ec205968f370e3ca69ef8d3309e8633f32c8a6ada9a4
SHA1: 41f8068d658f0bba26ffed4e1f90e0ead657fb2d
MD5: 520f4745b30071068ed610873843c165
Strike ID: M21-p7ii1
Malware: DarkComet_c2f62b1b
Platform: Windows
Info: This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system.
MD5: c2f62b1bcfae0de0c672cbe79e56064c
External References: https://blog.talosintelligence.com/2021/06/threat-roundup-0611-0617.html
SHA256: 93e5685f6b1d5b5263c1266479e44a4d6f6f7f82b9a842b5e206735c082b9f81
SHA1: 28b0072e485fdcd58f2241ad4be2c587d9ba7cb8
MD5: c2f62b1bcfae0de0c672cbe79e56064c
Strike ID: M21-1z1x1
Malware: Expiro_ff06b123
Platform: Windows
Info: This strike sends a malware sample known as Expiro. Expiro or Xpiro is a known file infector and information-stealer that hinders analysis with anti-debugging and anti-analysis tricks.
MD5: ff06b1238c898d4450611bbeb1947ff3
External References: https://blog.talosintelligence.com/2021/06/threat-roundup-0528-0604.html
SHA256: 90ab34cb1c7a39cae0187d3b586f294174893502e4682d4555dc96bca4a8bf8c
SHA1: e2b152028a5e5d331619185209d233de6325dce3
MD5: ff06b1238c898d4450611bbeb1947ff3
Strike ID: M21-45ke1
Malware: Scar_8c15f415
Platform: Windows
Info: This strike sends a malware sample known as Scar. Scar is a worm and will download files while also trying to spread to other machines by copying itself to removable media.
MD5: 8c15f415f158443db22461bb7b4dc62e
External References: https://blog.talosintelligence.com/2021/06/threat-roundup-0604-0611.html
SHA256: ebbb412e53011de88fd5f69283ae1370eb1b89e86833e34bd1a4b60409ea098e
SHA1: 0f843f6676ac8c9b5797d7afacea12077bb7006b
MD5: 8c15f415f158443db22461bb7b4dc62e
Strike ID: M21-iw3g1
Malware: REvil_2075566e
Platform: Windows
Info: This strike sends a malware sample known as REvil. REvil malware, also known as Sodinokibi, is ransomware that has recently been seen targeting law firms of A-list celebrities. The attackers not only pose the threat of losing all encrypted data but also of leaking stolen client data to the public.
MD5: 2075566e7855679d66705741dabe82b4
External References: https://threatpost.com/revil-ransomware-ground-down-jbs-sources/166597/
https://twitter.com/VK_Intel/status/1402027278842961925
SHA256: 12d8bfa1aeb557c146b98f069f3456cc8392863a2f4ad938722cd7ca1a773b39
SHA1: 136443e2746558b403ae6fc9d9b40bfa92b23420
MD5: 2075566e7855679d66705741dabe82b4
Strike ID: M21-1wv41
Malware: DarkComet_46c9ea27
Platform: Windows
Info: This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system.
MD5: 46c9ea27274f4a7685f801c47c08e5df
External References: https://blog.talosintelligence.com/2021/06/threat-roundup-0611-0617.html
SHA256: 3a69896675c61b49ae9bc53429bfd9e2385b167d61267d521af60c5fbb9fe022
SHA1: 293ae29b9f3d8c3e61d4cbc4206e294243ea7280
MD5: 46c9ea27274f4a7685f801c47c08e5df
Strike ID: M21-7px01
Malware: DarkComet_9798305f
Platform: Windows
Info: This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system.
MD5: 9798305f8ecb993465ae08c4fefc4688
External References: https://blog.talosintelligence.com/2021/06/threat-roundup-0611-0617.html
SHA256: 3d197e47b245198870c23786b63cd2cd1781fdaf18c78766a2b25f18b73d4723
SHA1: b12911efdab36a9702ba0392fdf1c360ea62e8ac
MD5: 9798305f8ecb993465ae08c4fefc4688
Strike ID: M21-9vj21
Malware: Scar_1ecbcd7c
Platform: Windows
Info: This strike sends a malware sample known as Scar. Scar is a worm and will download files while also trying to spread to other machines by copying itself to removable media.
MD5: 1ecbcd7cb132b302d1987d6354639341
External References: https://blog.talosintelligence.com/2021/06/threat-roundup-0604-0611.html
SHA256: 97eb8efcba3f1ea4de5ae8b92ffca9fcef30149d34ab46bee3273b2b0c27d1c3
SHA1: 446972b63f274df169368a29bf695b7bafd5646d
MD5: 1ecbcd7cb132b302d1987d6354639341
Strike ID: M21-iq911
Malware: Adrozek_4c0b0223
Platform: Windows
Info: This strike sends a malware sample known as Adrozek. Adrozek hooks into web browsers to inject ads on webpages and steals login credentials when users visit the webpage.
MD5: 4c0b0223e8703e5347038ca240c8f703
External References: https://blog.talosintelligence.com/2021/06/threat-roundup-0611-0617.html
SHA256: 7d7c8697ad7cf150272bcc9122313beb6ac6bd8ab332d273a0c362d45a44942e
SHA1: d020ec3966d7d61cd4991c300c275620a6294fa9
MD5: 4c0b0223e8703e5347038ca240c8f703
Strike ID: M21-hmoy1
Malware: Adrozek_37c8cd08
Platform: Windows
Info: This strike sends a malware sample known as Adrozek. Adrozek hooks into web browsers to inject ads on webpages and steals login credentials when users visit the webpage.
MD5: 37c8cd0861e71380adf860424819b9f2
External References: https://blog.talosintelligence.com/2021/06/threat-roundup-0611-0617.html
SHA256: 7593f048565f8f670235752d0eadd89283642914b0880b17a7d62e7d2828cdd4
SHA1: 5a5d370e5190de898d6e63d068a81012f7a3f94e
MD5: 37c8cd0861e71380adf860424819b9f2
Strike ID: M21-f3ww1
Malware: Scar_6b1d7e40
Platform: Windows
Info: This strike sends a malware sample known as Scar. Scar is a worm and will download files while also trying to spread to other machines by copying itself to removable media.
MD5: 6b1d7e4042b9a77daa058ae57dd4702a
External References: https://blog.talosintelligence.com/2021/06/threat-roundup-0604-0611.html
SHA256: 0de3e11f175808c17e473bc12213413853c718d6dcb11a2ca5710f143eed5ec8
SHA1: e02afc5fdd67fa4fa7009ada30530dbeba4e1552
MD5: 6b1d7e4042b9a77daa058ae57dd4702a
Strike ID: M21-t5261
Malware: Adrozek_022fd996
Platform: Windows
Info: This strike sends a malware sample known as Adrozek. Adrozek hooks into web browsers to inject ads on webpages and steals login credentials when users visit the webpage.
MD5: 022fd9966a974597ef3ea8a2053eebab
External References: https://blog.talosintelligence.com/2021/06/threat-roundup-0611-0617.html
SHA256: 3875fc6e3943320f325744e333fbece600ae698bd487a35e3213ffb39a4a1d0d
SHA1: e0aeecb87260b270de67b99a95172ff96dde3c0e
MD5: 022fd9966a974597ef3ea8a2053eebab
Strike ID: M21-cqez1
Malware: Scar_67bbf0d5
Platform: Windows
Info: This strike sends a malware sample known as Scar. Scar is a worm and will download files while also trying to spread to other machines by copying itself to removable media.
MD5: 67bbf0d5bb33948dcfde61bf415fdb8c
External References: https://blog.talosintelligence.com/2021/06/threat-roundup-0604-0611.html
SHA256: a9bc5265b517e74e9f40ee3032a0e0d8bcaf9dfa2c47b3988bf7245d73a6ab34
SHA1: 99c90f1861d28285f7f49904208704805ae01a07
MD5: 67bbf0d5bb33948dcfde61bf415fdb8c
Strike ID: M21-kpqd1
Malware: REvil_95eb5380
Platform: Windows
Info: This strike sends a malware sample known as REvil. REvil malware, also known as Sodinokibi, is ransomware that has recently been seen targeting law firms of A-list celebrities. The attackers not only pose the threat of losing all encrypted data but also of leaking stolen client data to the public.
MD5: 95eb5380f665c8f21795b5ef2716f86d
External References: https://threatpost.com/revil-ransomware-ground-down-jbs-sources/166597/
https://twitter.com/VK_Intel/status/1402027278842961925
SHA256: 04419b76566142902680b2c44b216905b44a5743502530066e408bac72d20864
SHA1: ff2c2fcd062d1a878712823e0e9a5d38488710f9
MD5: 95eb5380f665c8f21795b5ef2716f86d
Strike ID: M21-xc8z1
Malware: DarkComet_6b41728e
Platform: Windows
Info: This strike sends a polymorphic malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system. The binary has been packed using the UPX packer with the default options.
MD5: 6b41728e3ab0def43977ee60eaea6efa
External References: https://blog.talosintelligence.com/2021/06/threat-roundup-0611-0617.html
SHA256: f9903d5f808f5470f2e92b4e29ed4d2fdce376cbb93b5b456e80aee716e65821
https://attack.mitre.org/techniques/T1045/
PARENTID: M21-mpzo1
SSDEEP: 1536:1d+udEMIRgWQRQcLFjYlagx0Fft6TTvcAbvPOJQazxNCoZnoX4xFIhvmn23Somit:TdCGWCH1esfSNvPuQaOotnghFMka5mJ
SHA1: 85b66f83aea143560d303c734fc45fc22dbdc91b
MD5: 6b41728e3ab0def43977ee60eaea6efa
Strike ID: M21-rau21
Malware: DarkComet_751f9f9d
Platform: Windows
Info: This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system.
MD5: 751f9f9de9d38623fe0c1fd867e7782f
External References: https://blog.talosintelligence.com/2021/06/threat-roundup-0611-0617.html
SHA256: a75b9a10e13f21c0bc7d4f6fa3b4c4e4725e7930a777544d66a135cf488556c8
SHA1: 0f818fa373e7af98ea59dfada012a8e060a8e2b6
MD5: 751f9f9de9d38623fe0c1fd867e7782f
Strike ID: M21-7x7g1
Malware: Expiro_a5106972
Platform: Windows
Info: This strike sends a malware sample known as Expiro. Expiro or Xpiro is a known file infector and information-stealer that hinders analysis with anti-debugging and anti-analysis tricks.
MD5: a51069723865a6aba2a58439c373801d
External References: https://blog.talosintelligence.com/2021/06/threat-roundup-0528-0604.html
SHA256: 300e0593ce2eaba403829afcd4913c955db9dd1c526c745c3f2476258bdffee6
SHA1: 58b4749fb831a110c392b01d37d8032119df9b6b
MD5: a51069723865a6aba2a58439c373801d
Strike ID: M21-fvrm1
Malware: DarkComet_f8fa861a
Platform: Windows
Info: This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system.
MD5: f8fa861a87d39fb63a9b0dff18a24d90
External References: https://blog.talosintelligence.com/2021/06/threat-roundup-0611-0617.html
SHA256: 50164ae1061dcedf87dda17c8d2bae38cc190d313bcf15d269fcf9ef1c18ffec
SHA1: 3575f0a42ea118bec7d423de70e617ab6a4ac02b
MD5: f8fa861a87d39fb63a9b0dff18a24d90
Strike ID: M21-28za1
Malware: Expiro_f92e78f0
Platform: Windows
Info: This strike sends a malware sample known as Expiro. Expiro or Xpiro is a known file infector and information-stealer that hinders analysis with anti-debugging and anti-analysis tricks.
MD5: f92e78f03a38b86402273707777ad553
External References: https://blog.talosintelligence.com/2021/06/threat-roundup-0528-0604.html
SHA256: 2193a6e1b9cddd381f5f6f9b416d9e91c2a0d63ea2c4b1aa8b74e6da57d96f56
SHA1: acc49407d54444271e4434cec1e29966ea5ba82b
MD5: f92e78f03a38b86402273707777ad553
Strike ID: M21-ieta1
Malware: Scar_220ef7f4
Platform: Windows
Info: This strike sends a malware sample known as Scar. Scar is a worm and will download files while also trying to spread to other machines by copying itself to removable media.
MD5: 220ef7f41f700600d04c3a8b64964900
External References: https://blog.talosintelligence.com/2021/06/threat-roundup-0604-0611.html
SHA256: 509aeffe10ee5ef168782bd240adc2f4e19fc0067a8a2e7a7667a82ed11ca90c
SHA1: b167926b4cb9c2d532ed0e1151736e1c319294ef
MD5: 220ef7f41f700600d04c3a8b64964900
Strike ID: M21-40vj1
Malware: Scar_c96441e8
Platform: Windows
Info: This strike sends a malware sample known as Scar. Scar is a worm and will download files while also trying to spread to other machines by copying itself to removable media.
MD5: c96441e8d833155cc125c819d4ef680f
External References: https://blog.talosintelligence.com/2021/06/threat-roundup-0604-0611.html
SHA256: dc8e581065ecdd414e76d069f0d355e565f4cb6d0f4991ba51176042a9c445a1
SHA1: c91ff321e08a7e8e5217685bea687285710b703e
MD5: c96441e8d833155cc125c819d4ef680f
Strike ID: M21-xhhd1
Malware: DarkComet_280678a2
Platform: Windows
Info: This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system.
MD5: 280678a2509c1a6f5f95251ae64f8ea9
External References: https://blog.talosintelligence.com/2021/06/threat-roundup-0611-0617.html
SHA256: e9a6c94a8107475fe5069a28b9bbd076056ef4a77b6a295d376a79cec364c119
SHA1: 50c852c5afa01f5ea1426812843476e40b6cf465
MD5: 280678a2509c1a6f5f95251ae64f8ea9
Strike ID: M21-wske1
Malware: Adrozek_195cbbfd
Platform: Windows
Info: This strike sends a malware sample known as Adrozek. Adrozek hooks into web browsers to inject ads on webpages and steals login credentials when users visit the webpage.
MD5: 195cbbfd4bb76b0fe346ad80df06f627
External References: https://blog.talosintelligence.com/2021/06/threat-roundup-0611-0617.html
SHA256: 08fd3bb559801fab985948ff60e1c401748f15f984cc97eba1b5df40d3ea7f3d
SHA1: dce0068cdb7c270d2c05a76aaa3933ed55979d82
MD5: 195cbbfd4bb76b0fe346ad80df06f627
Strike ID: M21-gmy71
Malware: Scar_9adb6b64
Platform: Windows
Info: This strike sends a malware sample known as Scar. Scar is a worm and will download files while also trying to spread to other machines by copying itself to removable media.
MD5: 9adb6b64a3edebaea039c4f45bee5bef
External References: https://blog.talosintelligence.com/2021/06/threat-roundup-0604-0611.html
SHA256: 20b5e0c00a50f514047ae19df5058ce3d8802a635e710f0d7cc7394faa2109ac
SHA1: 11567d07303a4e3900a7a593de88ea24b5ee8e07
MD5: 9adb6b64a3edebaea039c4f45bee5bef
Strike ID: M21-xgmd1
Malware: DarkComet_853a59fd
Platform: Windows
Info: This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system.
MD5: 853a59fdea0237da61f6bd8119eaedfe
External References: https://blog.talosintelligence.com/2021/06/threat-roundup-0611-0617.html
SHA256: f1c0261b4ced400fe85a54b10310e8202fe685863ac1e56d007eca8f067f7719
SHA1: ca815fe6673017718cabff1f5b038fbcb6672a5a
MD5: 853a59fdea0237da61f6bd8119eaedfe
Strike ID: M21-llmu1
Malware: DarkComet_6d8497e4
Platform: Windows
Info: This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system.
MD5: 6d8497e484b8c215c417bea6db3b5550
External References: https://blog.talosintelligence.com/2021/06/threat-roundup-0611-0617.html
SHA256: 6bb97d306df67a11a36fc5b749717199f4d8ad828962e558e36add96aeee7d6b
SHA1: bd4fb0c1cb4173c1893e5dc9dadc634664f73926
MD5: 6d8497e484b8c215c417bea6db3b5550
Strike ID: M21-kenm1
Malware: Scar_d1133bb1
Platform: Windows
Info: This strike sends a malware sample known as Scar. Scar is a worm and will download files while also trying to spread to other machines by copying itself to removable media.
MD5: d1133bb179cf07980c1b118ae16c6b2f
External References: https://blog.talosintelligence.com/2021/06/threat-roundup-0604-0611.html
SHA256: 94fba396beffc62745de248d711f6d26bb6c8a7bbe0274a0035034997e561b32
SHA1: a635d1702c95f1ad8fb0cba858b272afe0b50226
MD5: d1133bb179cf07980c1b118ae16c6b2f
Strike ID: M21-2q071
Malware: DarkComet_d6b4318e
Platform: Windows
Info: This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system.
MD5: d6b4318e91f5422c2a55a9b40228a365
External References: https://blog.talosintelligence.com/2021/06/threat-roundup-0611-0617.html
SHA256: 2c17c9a5bd677dc0ed8c34cd1d67945e20d4815df50f62272817f50846bf43e0
SHA1: cb67c7af77cfbba28b2a92ba103eae7926e6e087
MD5: d6b4318e91f5422c2a55a9b40228a365
Strike ID: M21-nnhv1
Malware: Expiro_40c756f6
Platform: Windows
Info: This strike sends a malware sample known as Expiro. Expiro or Xpiro is a known file infector and information-stealer that hinders analysis with anti-debugging and anti-analysis tricks.
MD5: 40c756f6a8b4c1944540fa90b0658bcf
External References: https://blog.talosintelligence.com/2021/06/threat-roundup-0528-0604.html
SHA256: 6c53baa9240daa1c0dba2db1fca9d0120e98be5a266b4dd24474be1e0f858ccf
SHA1: 56a66a3e709fcf1889dfba714a08e88caac7f55b
MD5: 40c756f6a8b4c1944540fa90b0658bcf
Strike ID: M21-ij7j1
Malware: Adrozek_88bcf085
Platform: Windows
Info: This strike sends a malware sample known as Adrozek. Adrozek hooks into web browsers to inject ads on webpages and steals login credentials when users visit the webpage.
MD5: 88bcf0852d8b458e5629596ef0c7871b
External References: https://blog.talosintelligence.com/2021/06/threat-roundup-0611-0617.html
SHA256: f81893efe49e8f32bc1c894530357ed6cb745ff4f4f3b4e8b68b6fae424befd3
SHA1: 05b0d80cbe3cb099e174a31118480acf099bc19f
MD5: 88bcf0852d8b458e5629596ef0c7871b
Strike ID: M21-adoi1
Malware: DarkComet_6f2fdbda
Platform: Windows
Info: This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system.
MD5: 6f2fdbdadd5bc65bcda1a5450aafc7a3
External References: https://blog.talosintelligence.com/2021/06/threat-roundup-0611-0617.html
SHA256: 6369abc9e939af548125e49aa17ac509a85af4f8add224a272d6a9c2d9a6956a
SHA1: 8ddd1672dd8209b3021370574153bd0ae104514f
MD5: 6f2fdbdadd5bc65bcda1a5450aafc7a3
Strike ID: M21-3ksj1
Malware: DarkComet_e0ba1170
Platform: Windows
Info: This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system.
MD5: e0ba1170722739bd05a56e350eb08310
External References: https://blog.talosintelligence.com/2021/06/threat-roundup-0611-0617.html
SHA256: 6ae94873b9d2e21ea9d7ccb6e935d360630d7e6ee0e3439193b9d50f4c2b4111
SHA1: c1571acfc949a1ca35eb8a10d347f3930682b91c
MD5: e0ba1170722739bd05a56e350eb08310
Strike ID: M21-mpzo1
Malware: DarkComet_afa7e1cf
Platform: Windows
Info: This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system.
MD5: afa7e1cf7d0c1dcf3e55e57590286549
External References: https://blog.talosintelligence.com/2021/06/threat-roundup-0611-0617.html
SHA256: ac935ffa7c7f9b43b2edc3e79f88e0271bc6abe8e2a03c5efbf1d86a23070938
SHA1: 826385ae6f04762752e7f73af832aa5e1a9abc88
MD5: afa7e1cf7d0c1dcf3e55e57590286549
Strike ID: M21-a9e01
Malware: Adrozek_f16f2431
Platform: Windows
Info: This strike sends a malware sample known as Adrozek. Adrozek hooks into web browsers to inject ads on webpages and steals login credentials when users visit the webpage.
MD5: f16f24310f498026a447286847b83c54
External References: https://blog.talosintelligence.com/2021/06/threat-roundup-0611-0617.html
SHA256: 6aff8643efe69aecf3d4622625798b096d51b5fd059bc1951eeb7fcf6000bea4
SHA1: 27295c8990afd196333bcdd0cb008c1945c14a00
MD5: f16f24310f498026a447286847b83c54
Strike ID: M21-pcdt1
Malware: Expiro_1f0e8f82
Platform: Windows
Info: This strike sends a malware sample known as Expiro. Expiro or Xpiro is a known file infector and information-stealer that hinders analysis with anti-debugging and anti-analysis tricks.
MD5: 1f0e8f826901b1a0ee03d9f73f48609c
External References: https://blog.talosintelligence.com/2021/06/threat-roundup-0528-0604.html
SHA256: 4acd6c270a50e1abeb0ff1f978699101dfde225210538c4cf4ab3a7d44207307
SHA1: 0c5ae7e27e8323189cff0077fdf1916d82eca4c1
MD5: 1f0e8f826901b1a0ee03d9f73f48609c
Strike ID: M21-ifz51
Malware: DarkComet_76771df5
Platform: Windows
Info: This strike sends a polymorphic malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system. The binary has the timestamp field updated in the PE file header.
MD5: 76771df5c70cdcfb31d6ac6d2eb0fe9c
External References: https://blog.talosintelligence.com/2021/06/threat-roundup-0611-0617.html
SHA256: 3149b8144e64797941cdf7a86da72867d981757a83bd20c3af461a2193cc20c5
https://attack.mitre.org/techniques/T1099/
PARENTID: M21-mpzo1
SSDEEP: 3072:LnglhmBQH6ED/Hu7c1iqXwTV/pFYLxFxBotnghFMka5mJ:LKhmPIPYciqXwTV/wLotghyEJ
SHA1: a5834b531ada4f85f557e1b9e3b6babc1e6cf33e
MD5: 76771df5c70cdcfb31d6ac6d2eb0fe9c
Strike ID: M21-3lmb1
Malware: Adrozek_3ff3ab8e
Platform: Windows
Info: This strike sends a malware sample known as Adrozek. Adrozek hooks into web browsers to inject ads on webpages and steals login credentials when users visit the webpage.
MD5: 3ff3ab8ea667738e005cb419c51d1960
External References: https://blog.talosintelligence.com/2021/06/threat-roundup-0611-0617.html
SHA256: 8314fcd8b479a297bfa032f346c9b756e9d7ad09e60f2dbc28c63c01568c34d8
SHA1: 840284abefbc5765190228b0f02c52e6d1693b95
MD5: 3ff3ab8ea667738e005cb419c51d1960
Strike ID: M21-vnce1
Malware: Adrozek_12168815
Platform: Windows
Info: This strike sends a malware sample known as Adrozek. Adrozek hooks into web browsers to inject ads on webpages and steals login credentials when users visit the webpage.
MD5: 12168815ad176df39aac31d8680e8e63
External References: https://blog.talosintelligence.com/2021/06/threat-roundup-0611-0617.html
SHA256: 70f8c5bda086c2c7c57323a73cdd79733f96e6469425a64a3831220deb39e410
SHA1: f5603445b6f932e633974bc711fd70a766cb062a
MD5: 12168815ad176df39aac31d8680e8e63
Strike ID: M21-91bu1
Malware: Adrozek_2ad72cab
Platform: Windows
Info: This strike sends a malware sample known as Adrozek. Adrozek hooks into web browsers to inject ads on webpages and steals login credentials when users visit the webpage.
MD5: 2ad72cab2e2307bc31d2796f9b860f9f
External References: https://blog.talosintelligence.com/2021/06/threat-roundup-0611-0617.html
SHA256: c03bf4b9260aea99dffc7018f146e526d06c4223c0960569053f332c2eb0f85b
SHA1: 7b209cc1a203603264b17120ba52fd255d7d3e8d
MD5: 2ad72cab2e2307bc31d2796f9b860f9f
Strike ID: M21-wqxe1
Malware: DarkComet_506f3057
Platform: Windows
Info: This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system.
MD5: 506f3057b3a4ea70644ec59d6d591b81
External References: https://blog.talosintelligence.com/2021/06/threat-roundup-0611-0617.html
SHA256: 6aca30d0d7f15f6f6b6c1a9f69f1acab06edacbb4955c4ef5f18f41ec7b17984
SHA1: f36a27abf923f26007010904dfc300f553505d8b
MD5: 506f3057b3a4ea70644ec59d6d591b81
Strike ID: M21-h63a1
Malware: Clop_06198fed
Platform: Windows
Info: This strike sends a malware sample known as Clop. Clop ransomware was originally detected as a variant of the CryptoMix ransomware family. It currently targets entire networks instead of individual machines and even attempts to disable Windows Defender and other security tools. Before it begins encrypting the system, it disables targeted processes, which can include debuggers, text editors, and IDEs, as well as a host of Windows 10 and Microsoft application processes.
MD5: 06198fed029adbc90796ca6d83a67789
External References: https://twitter.com/malwrhunterteam/status/1098578106112245760
https://twitter.com/VK_Intel/status/1405283994074189827
SHA256: 79b8c37a5e2a32e8f7e000822cec6f2f4e317620a2296f1aa3f35b2374c396ec
SHA1: d13ae07d65eb0457ba61d622a1bc1ac5f79df670
MD5: 06198fed029adbc90796ca6d83a67789
Strike ID: M21-aars1
Malware: DarkComet_cb2776d1
Platform: Windows
Info: This strike sends a polymorphic malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system. The binary has a random section name renamed according to the PE format specification.
MD5: cb2776d128575116707d78e3bd858fb2
External References: https://blog.talosintelligence.com/2021/06/threat-roundup-0611-0617.html
SHA256: 920487e053112950b715f85f3343378e94a6cc49b66f4c077d5006c907a4de45
https://arxiv.org/abs/1801.08917
PARENTID: M21-mpzo1
SSDEEP: 3072:snglhmBQH6ED/Hu7c1iqXwTV/pFYLxFxBotnghFMka5mJ:sKhmPIPYciqXwTV/wLotghyEJ
SHA1: daf924ebebbda2c807fa9e6b3b17af18b9d38dc4
MD5: cb2776d128575116707d78e3bd858fb2
Strike ID: M21-l0c51
Malware: Adrozek_6ab15660
Platform: Windows
Info: This strike sends a malware sample known as Adrozek. Adrozek hooks into web browsers to inject ads on webpages and steals login credentials when users visit the webpage.
MD5: 6ab15660f883d6c313a84f3092c2af7c
External References: https://blog.talosintelligence.com/2021/06/threat-roundup-0611-0617.html
SHA256: d84613966bf88a906e11fbeaaa7fd3aa1b89fec4d1bb5fb56de42e5becf198e7
SHA1: 5bb78efa67c1b3eb2d96fceb5ddeb49d51a4fa13
MD5: 6ab15660f883d6c313a84f3092c2af7c
Strike ID: M21-hiw01
Malware: Adrozek_512870c5
Platform: Windows
Info: This strike sends a malware sample known as Adrozek. Adrozek hooks into web browsers to inject ads on webpages and steals login credentials when users visit the webpage.
MD5: 512870c58ca92bf9cf31969e6ff95233
External References: https://blog.talosintelligence.com/2021/06/threat-roundup-0611-0617.html
SHA256: d741991f7f94b13b60a425b7e08f9c23f0e7090b50043739faba65986765cd77
SHA1: b695230b692ce3e0caad8c1ed36b459a9652320b
MD5: 512870c58ca92bf9cf31969e6ff95233
Strike ID: M21-n33o1
Malware: Adrozek_55499c0c
Platform: Windows
Info: This strike sends a malware sample known as Adrozek. Adrozek hooks into web browsers to inject ads on webpages and steals login credentials when users visit the webpage.
MD5: 55499c0c9d2df98f821ed55071f5bc1c
External References: https://blog.talosintelligence.com/2021/06/threat-roundup-0611-0617.html
SHA256: 335a85988d6bacc3a40953cf08bd6c4b566d9709047a88afe2a39853e4e1c100
SHA1: 746b5e1a56b022f9bc6b5d4d58595219f0d8dcfc
MD5: 55499c0c9d2df98f821ed55071f5bc1c
Strike ID: M21-6gmg1
Malware: DarkComet_c8e7b11f
Platform: Windows
Info: This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system.
MD5: c8e7b11fa51f2ae03e9cb863b55df78d
External References: https://blog.talosintelligence.com/2021/06/threat-roundup-0611-0617.html
SHA256: e4faef951b3f224091290539faa2794ea7d4e0ba28f7d4b544778367c850681f
SHA1: c8f28f567bd53c72c959b2eba8f14f79566a504e
MD5: c8e7b11fa51f2ae03e9cb863b55df78d
Strike ID: M21-oacr1
Malware: Adrozek_85120da5
Platform: Windows
Info: This strike sends a malware sample known as Adrozek. Adrozek hooks into web browsers to inject ads on webpages and steals login credentials when users visit the webpage.
MD5: 85120da5492577b6e462bcaf567302c5
External References: https://blog.talosintelligence.com/2021/06/threat-roundup-0611-0617.html
SHA256: a7eb6746122f4956c799dc5a6867482d20d6283c236cdf365a3b798960e2b6a4
SHA1: c3f8f2f702870feb520a9ca9c705588363f786c7
MD5: 85120da5492577b6e462bcaf567302c5
Strike ID: M21-23zl1
Malware: Expiro_506c9e8d
Platform: Windows
Info: This strike sends a malware sample known as Expiro. Expiro or Xpiro is a known file infector and information-stealer that hinders analysis with anti-debugging and anti-analysis tricks.
MD5: 506c9e8dba60419f3956cd6f2860b60a
External References: https://blog.talosintelligence.com/2021/06/threat-roundup-0528-0604.html
SHA256: f670b25c1e3b394beb0f6fcf9fb47481451fd9eafd7af02fb70ff1e9bd0c8a2c
SHA1: e79727fa7b17f8c9ff7a232ba2758788f1654449
MD5: 506c9e8dba60419f3956cd6f2860b60a
Strike ID: M21-t87s1
Malware: Scar_f90256f5
Platform: Windows
Info: This strike sends a malware sample known as Scar. Scar is a worm and will download files while also trying to spread to other machines by copying itself to removable media.
MD5: f90256f556b2743291103bbaa4f66302
External References: https://blog.talosintelligence.com/2021/06/threat-roundup-0604-0611.html
SHA256: f3e82a5b81e904b06ad0a2eb487520d1cbdc322708795d3e6a640c6601c7b315
SHA1: 0f28365c3cf0f04fde1ffd116ba4482ab14eb6b4
MD5: f90256f556b2743291103bbaa4f66302
M21-wq4d1 | DarkComet_6246b3fa | Windows | This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system. | 6246b3fab642506182bd3cfe2b08f071 | https://blog.talosintelligence.com/2021/06/threat-roundup-0611-0617.html
SHA256: 61604334c548f33082a6554f21855ccd872d5d20a2c02b36959b805777eae92c
SHA1: ac23775208c296d2d2aa4ec71c0c2419678269cd
MD5: 6246b3fab642506182bd3cfe2b08f071
M21-xie91 | Adrozek_68fc74f9 | Windows | This strike sends a malware sample known as Adrozek. Adrozek hooks into web browsers to inject ads into webpages and steals login credentials when users visit those pages. | 68fc74f99d0665401261f7cb9d5967db | https://blog.talosintelligence.com/2021/06/threat-roundup-0611-0617.html
SHA256: 38f59793db1d3bec60edc5ed713806c5da7849bf5d3f650ccae4a2401cf1a9d3
SHA1: 0f43eff1aac52807912733c002fd97e2e1d18aa5
MD5: 68fc74f99d0665401261f7cb9d5967db
M21-pj7f1 | Adrozek_ce83b6ce | Windows | This strike sends a malware sample known as Adrozek. Adrozek hooks into web browsers to inject ads into webpages and steals login credentials when users visit those pages. | ce83b6ce2230e9069de9e65310793aa6 | https://blog.talosintelligence.com/2021/06/threat-roundup-0611-0617.html
SHA256: 9a08ad7762d034f89cd79ffe2572d2fab89afa2469e3e4f79cdba306692bfab7
SHA1: a649e6d1bb04aed4dd0eb4b65b39e34cec2971da
MD5: ce83b6ce2230e9069de9e65310793aa6
M21-xbyy1 | DarkComet_0a420405 | Windows | This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system. | 0a4204058a34296805b9823fac136750 | https://blog.talosintelligence.com/2021/06/threat-roundup-0611-0617.html
SHA256: 2438d98520bff9aa704d0c66af92f06bb1fa2301a23e3fe3a451ab11731d6cfa
SHA1: abcb2ff64d5c0ebff9fa982e151388716258ffd6
MD5: 0a4204058a34296805b9823fac136750
M21-6s201 | Scar_1951faf5 | Windows | This strike sends a malware sample known as Scar. Scar is a worm that downloads files and tries to spread to other machines by copying itself to removable media. | 1951faf55309f61702bcda986e5229bf | https://blog.talosintelligence.com/2021/06/threat-roundup-0604-0611.html
SHA256: dfbe911d1380be0f7a078287ec87b0dad5dbefadd312bfb61905745396b168c2
SHA1: 1fd7c5b88792be90e9edbebf9b38edb113ac3d6a
MD5: 1951faf55309f61702bcda986e5229bf
M21-0wi61 | Adrozek_76dc151b | Windows | This strike sends a malware sample known as Adrozek. Adrozek hooks into web browsers to inject ads into webpages and steals login credentials when users visit those pages. | 76dc151b8ef17e2b51180919e40e3d7f | https://blog.talosintelligence.com/2021/06/threat-roundup-0611-0617.html
SHA256: 34e9a6dc3305522fe0f7c2fc5b32470cb9b7030399540cfbd77c446c5e4deef5
SHA1: a26085342848ec2ebb818d4a8d5e5953268ba62a
MD5: 76dc151b8ef17e2b51180919e40e3d7f
M21-gj2h1 | REvil_31c17b36 | Windows | This strike sends a polymorphic malware sample known as REvil. REvil, also known as Sodinokibi, is ransomware that has recently been seen targeting law firms representing A-list celebrities. The attackers threaten not only the loss of all encrypted data but also the public leak of stolen client data. The binary has been packed with the UPX packer using the default options. | 31c17b36a1392448458c41447c040639 | https://threatpost.com/revil-ransomware-ground-down-jbs-sources/166597/
https://twitter.com/VK_Intel/status/1402027278842961925
https://attack.mitre.org/techniques/T1045/
PARENTID: M21-kpqd1
SSDEEP: 1536:ewLa3puaUokvnp7Pu1bMJIKoW3GoeL2h41r5POE+5:pLMh8vp7BJ7oWWow2urY
SHA256: 286b5e3c2ac813c2505b01603afa50d961efecb0683dff4974e9319516a8d7d6
SHA1: 6e4ea1933826688cc089f79e78b35c202893f449
MD5: 31c17b36a1392448458c41447c040639
M21-6c851 | Expiro_c7a25967 | Windows | This strike sends a malware sample known as Expiro. Expiro, also known as Xpiro, is a known file infector and information stealer that hinders analysis with anti-debugging and anti-analysis tricks. | c7a259674474b0eab3a37fab1b08f826 | https://blog.talosintelligence.com/2021/06/threat-roundup-0528-0604.html
SHA256: bd43d101142ab04f22e04aac987430b53cc62c5a78e8e66b02c83c8b11f97b4f
SHA1: 6b54b338e0fc03393a5c0bbce5921c378bf59f57
MD5: c7a259674474b0eab3a37fab1b08f826
M21-fpcp1 | DarkComet_a6eafe7f | Windows | This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system. | a6eafe7f3fa6053ef50baa7c167ace49 | https://blog.talosintelligence.com/2021/06/threat-roundup-0611-0617.html
SHA256: 87f26093f674d95d8b56f5dc97fcda5dbc29c9c8d2e8f9283e53d2329a41af6c
SHA1: 1022b563792265c42ed4b41b98ca70696f68b09e
MD5: a6eafe7f3fa6053ef50baa7c167ace49
M21-zd1o1 | REvil_6e4e9299 | Windows | This strike sends a polymorphic malware sample known as REvil. REvil, also known as Sodinokibi, is ransomware that has recently been seen targeting law firms representing A-list celebrities. The attackers threaten not only the loss of all encrypted data but also the public leak of stolen client data. The binary has random bytes appended at the end of the file. | 6e4e92997bbb44ee50a69ff1e6f61ba7 | https://threatpost.com/revil-ransomware-ground-down-jbs-sources/166597/
https://twitter.com/VK_Intel/status/1402027278842961925
https://attack.mitre.org/techniques/T1009/
PARENTID: M21-kpqd1
SSDEEP: 1536:hxOUyl20w8bVZQ40iMSO1fY+iUyQs2r8t5p1ySotICS4A6Ud0RkARjTJi33tUmgf:hMhQNDEtb3Ai0RpRpi33tUzW2n
SHA256: 748fdba889851594f0da3695ac60ec78e89323b10b8a1c840c2a549fd44bcd45
SHA1: 94c2d2b550599c31d02c9e9ada4d9699101204d4
MD5: 6e4e92997bbb44ee50a69ff1e6f61ba7
M21-tbo11 | DarkComet_7a1a393e | Windows | This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system. | 7a1a393eb5215996cabd8346bcb7eb10 | https://blog.talosintelligence.com/2021/06/threat-roundup-0611-0617.html
SHA256: 122e3fbcc83775250b7f82d371aea1a2ac5ab90bfa78d2fac7b0e86c51fdc00a
SHA1: 398d43cff7ffb7054d0ff7b71d9fd27e4e5e809b
MD5: 7a1a393eb5215996cabd8346bcb7eb10
M21-uvsh1 | DarkComet_be43f6c3 | Windows | This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system. | be43f6c3f4445ab4aa4d75cb1f2b1e9d | https://blog.talosintelligence.com/2021/06/threat-roundup-0611-0617.html
SHA256: 4b9b56ba115ddca985c105f715a69e33de0aca8269f142f56efeb74c9676da2a
SHA1: f0015d0f208a0b74543263e673fae44c548f9ee7
MD5: be43f6c3f4445ab4aa4d75cb1f2b1e9d
M21-1qya1 | Adrozek_807592e6 | Windows | This strike sends a malware sample known as Adrozek. Adrozek hooks into web browsers to inject ads into webpages and steals login credentials when users visit those pages. | 807592e6eb531ffeb53a27c0f62b71b7 | https://blog.talosintelligence.com/2021/06/threat-roundup-0611-0617.html
SHA256: 91b8754b8cce45e799a6a0065aa40510b415685a4c2ef5cab481732e445c9c93
SHA1: 25f48be9e301ba52dff63ff41614924edffb5106
MD5: 807592e6eb531ffeb53a27c0f62b71b7
M21-znsk1 | Scar_ff9bd65f | Windows | This strike sends a malware sample known as Scar. Scar is a worm that downloads files and tries to spread to other machines by copying itself to removable media. | ff9bd65f29492a559e2f630afbe9accd | https://blog.talosintelligence.com/2021/06/threat-roundup-0604-0611.html
SHA256: a7fb6b83e5212b86d3c6c898f0426fb568b3c170558108dd0eff8e0d7bb33e31
SHA1: 9c55d6f02bf943d049a36938be26a30d4fd5428b
MD5: ff9bd65f29492a559e2f630afbe9accd
M21-dhzt1 | DarkComet_3e0bc2a9 | Windows | This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system. | 3e0bc2a9652485354c3eeae5cd098261 | https://blog.talosintelligence.com/2021/06/threat-roundup-0611-0617.html
SHA256: 5376c102bf941a26d25ee42a66546b2600da62a6f2f5caa2742ea44894db2667
SHA1: ac362acc59ee9c951a0d87b5d0e4a7fba7aa7817
MD5: 3e0bc2a9652485354c3eeae5cd098261
M21-q3lk1 | Expiro_8bb30113 | Windows | This strike sends a malware sample known as Expiro. Expiro, also known as Xpiro, is a known file infector and information stealer that hinders analysis with anti-debugging and anti-analysis tricks. | 8bb301137c9cf0781df8dcd295d904dc | https://blog.talosintelligence.com/2021/06/threat-roundup-0528-0604.html
SHA256: fe21a1fa1a0e2eaddb2c0bf1eb324c9ba188387ceb75b81a6074258c7a789aee
SHA1: 3e44bba2997ef9dcbfd8fad53b59f28d382136ae
MD5: 8bb301137c9cf0781df8dcd295d904dc
M21-j5sc1 | DarkComet_ef078a83 | Windows | This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system. | ef078a8364715c9e2c9ec6441db3aa0b | https://blog.talosintelligence.com/2021/06/threat-roundup-0611-0617.html
SHA256: 579d36a4d7bd44e868f5dec198050a727d093897e0395d456fe927c90a665fdf
SHA1: 827ec2f088857f94346d267f6b487f5d3876b60d
MD5: ef078a8364715c9e2c9ec6441db3aa0b
M21-wzz51 | Expiro_fd75e90e | Windows | This strike sends a malware sample known as Expiro. Expiro, also known as Xpiro, is a known file infector and information stealer that hinders analysis with anti-debugging and anti-analysis tricks. | fd75e90e1c0fd610860085c1c642bf9c | https://blog.talosintelligence.com/2021/06/threat-roundup-0528-0604.html
SHA256: 8ab104c5aedbee37d22ddcc53fbc0b4344086f85c1321801102ab2772937b23f
SHA1: 3407e5c2237584e8f8dc84bcd420e864bf6b689b
MD5: fd75e90e1c0fd610860085c1c642bf9c
M21-pjym1 | Scar_50ef4e47 | Windows | This strike sends a malware sample known as Scar. Scar is a worm that downloads files and tries to spread to other machines by copying itself to removable media. | 50ef4e475ee9ccf98e596a606d9d32e4 | https://blog.talosintelligence.com/2021/06/threat-roundup-0604-0611.html
SHA256: 26a351eedcc2597880558caae3c502808d854f0d9c8fc263168b941927988fd1
SHA1: f53f333895bbe945658bf1776737cd66dc2471e8
MD5: 50ef4e475ee9ccf98e596a606d9d32e4
M21-pn2p1 | Scar_20a3ed89 | Windows | This strike sends a malware sample known as Scar. Scar is a worm that downloads files and tries to spread to other machines by copying itself to removable media. | 20a3ed89cdf16707930a21217f912b97 | https://blog.talosintelligence.com/2021/06/threat-roundup-0604-0611.html
SHA256: 9f2951d56edd918490349c68e9728a5cd6861c8816276141da807d0b4411ae28
SHA1: 1f2b86b577532275e703e430722098d67bf35889
MD5: 20a3ed89cdf16707930a21217f912b97
M21-9rnt1 | Adrozek_cc3ab50b | Windows | This strike sends a malware sample known as Adrozek. Adrozek hooks into web browsers to inject ads into webpages and steals login credentials when users visit those pages. | cc3ab50be1cfacb7860ee1f3776e57e0 | https://blog.talosintelligence.com/2021/06/threat-roundup-0611-0617.html
SHA256: 4e9dd245afef951c71a630ec50aabdbc78a124ea4998a0c387a83d25c13a1534
SHA1: f83af47b3462bb5b9cf6df1c55da866878a1cb7c
MD5: cc3ab50be1cfacb7860ee1f3776e57e0
M21-qjqt1 | Scar_8628f5f1 | Windows | This strike sends a malware sample known as Scar. Scar is a worm that downloads files and tries to spread to other machines by copying itself to removable media. | 8628f5f1d6593915cf23b60c46377cc1 | https://blog.talosintelligence.com/2021/06/threat-roundup-0604-0611.html
SHA256: d7536a536700237fbe1ce5612390c565055a59187866b7dcfedca6e5128da2d7
SHA1: e85c9f423d6bc35c5d0d5d17f8af635cdd992fb5
MD5: 8628f5f1d6593915cf23b60c46377cc1
M21-dob51 | DarkComet_9ddc588c | Windows | This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system. | 9ddc588c0382050b2a736c2a2ad6ccb0 | https://blog.talosintelligence.com/2021/06/threat-roundup-0611-0617.html
SHA256: b7f9e06d289e23cf2b1e6c3392c9cfab88444c4595b3a29bc109f578611b7c58
SHA1: 7eaa079ff297e6bf66e0cc3216bfee85eeaea29c
MD5: 9ddc588c0382050b2a736c2a2ad6ccb0
M21-55zt1 | Scar_d71c3fe6 | Windows | This strike sends a malware sample known as Scar. Scar is a worm that downloads files and tries to spread to other machines by copying itself to removable media. | d71c3fe641a6e1379ec2648d524de8f0 | https://blog.talosintelligence.com/2021/06/threat-roundup-0604-0611.html
SHA256: b14554f8e230b0eaff1a0a6c6c3b4032041cb1410a16d4b71b87edbe7de1f427
SHA1: c088b0bb038194937ba14bc209b7a8198b01beda
MD5: d71c3fe641a6e1379ec2648d524de8f0
M21-2elx1 | Expiro_7e379a9a | Windows | This strike sends a malware sample known as Expiro. Expiro, also known as Xpiro, is a known file infector and information stealer that hinders analysis with anti-debugging and anti-analysis tricks. | 7e379a9a3a6a2bc52ac50157b6239c95 | https://blog.talosintelligence.com/2021/06/threat-roundup-0528-0604.html
SHA256: 036795412a7cbfc1f5f9bbb07f10da6c3bfd0633ba9df5c62b9b4daa59c714d4
SHA1: cbd8d083ef64e5284d58c7456c3d5c153f08f6e9
MD5: 7e379a9a3a6a2bc52ac50157b6239c95
M21-4teg1 | DarkComet_223524c6 | Windows | This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system. | 223524c6bc8859c4f43b2965a5a52aa5 | https://blog.talosintelligence.com/2021/06/threat-roundup-0611-0617.html
SHA256: 94b68fb51993400f1f80b3236973a839ec6aaee6611cc3412e19939dd8406c11
SHA1: 8dfd58de0fb7f3e6086c86354a329b3995ac73e6
MD5: 223524c6bc8859c4f43b2965a5a52aa5
M21-246o1 | Adrozek_fb187560 | Windows | This strike sends a malware sample known as Adrozek. Adrozek hooks into web browsers to inject ads into webpages and steals login credentials when users visit those pages. | fb1875607626cab63dfd07273c45fc7f | https://blog.talosintelligence.com/2021/06/threat-roundup-0611-0617.html
SHA256: 343ac51ead89330503b44ae586bab14aac56eb79a66b516008bed071c8249b44
SHA1: 0e779fa9e07ba6171aa1f930523ae5687953d1a2
MD5: fb1875607626cab63dfd07273c45fc7f
M21-9mzk1 | Adrozek_55dd45f4 | Windows | This strike sends a malware sample known as Adrozek. Adrozek hooks into web browsers to inject ads into webpages and steals login credentials when users visit those pages. | 55dd45f49c6f87bc0e838313e29ed47f | https://blog.talosintelligence.com/2021/06/threat-roundup-0611-0617.html
SHA256: 36efdada787fd28c159aeed83f6b0705aef2500bdcd580e6cc99fae2c877bcdf
SHA1: 6e693e53262067e9b658f0752997b250961f5b68
MD5: 55dd45f49c6f87bc0e838313e29ed47f
M21-4fa91 | DarkComet_65a19a73 | Windows | This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system. | 65a19a730f50c5daea17f95adf114c90 | https://blog.talosintelligence.com/2021/06/threat-roundup-0611-0617.html
SHA256: db42b08f61b945fa39065f62c1cf89b9c1cad5a3ae8a81820b6b76ac42da3a6c
SHA1: 08fe9e67bd6efcaf6ffb53acf9f306643a592d65
MD5: 65a19a730f50c5daea17f95adf114c90
M21-91zr1 | DarkComet_23d09c0c | Windows | This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system. | 23d09c0cd70265deb19ccc2d87c71145 | https://blog.talosintelligence.com/2021/06/threat-roundup-0611-0617.html
SHA256: 19bea011f0b7cd8b007071076698db3f363af0117624ab2acecb445d0effc104
SHA1: 4429597b9079e5e7f0342aa9a1dec005c8f453e5
MD5: 23d09c0cd70265deb19ccc2d87c71145
M21-omoo1 | Scar_f8396a17 | Windows | This strike sends a malware sample known as Scar. Scar is a worm that downloads files and tries to spread to other machines by copying itself to removable media. | f8396a17869a29e9f125e8459327d954 | https://blog.talosintelligence.com/2021/06/threat-roundup-0604-0611.html
SHA256: 57c40500eb80c9e4715261df8eb06d322943d93424a6c785db68d3208092577e
SHA1: d52aa986a30239cec14b6f2170ce9908095f6e0e
MD5: f8396a17869a29e9f125e8459327d954
M21-glme1 | Adrozek_dcb287af | Windows | This strike sends a malware sample known as Adrozek. Adrozek hooks into web browsers to inject ads into webpages and steals login credentials when users visit those pages. | dcb287aff31159ff8e4fc6d8b3343036 | https://blog.talosintelligence.com/2021/06/threat-roundup-0611-0617.html
SHA256: c0a51cea4eae1fe116c4ca31cb3894056cdb59b74297947b36e34dc6cf382ab0
SHA1: 0f55a578dea58564f2f1a34dd8053d6407a154b2
MD5: dcb287aff31159ff8e4fc6d8b3343036
M21-oiam1 | DarkComet_520560d0 | Windows | This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system. | 520560d0a4f433a735ddc5c316fbcd24 | https://blog.talosintelligence.com/2021/06/threat-roundup-0611-0617.html
SHA256: 7e89204ad455a0ec5d98b8cf85d64e4632ad4d924262f780d1b197705a088ef0
SHA1: 4c815847a5932fe210ee509ea117f42094eebe38
MD5: 520560d0a4f433a735ddc5c316fbcd24
M21-q8m91 | Expiro_ff731130 | Windows | This strike sends a malware sample known as Expiro. Expiro, also known as Xpiro, is a known file infector and information stealer that hinders analysis with anti-debugging and anti-analysis tricks. | ff7311302542ef3e9acd37302823b586 | https://blog.talosintelligence.com/2021/06/threat-roundup-0528-0604.html
SHA256: 83b7d7e733d27f0a7199bb95dc03e9f5d0678ddb4eb431be451539d481da2f38
SHA1: 7e51b99abef76ce7c92b9d4d6a63a56314744d65
MD5: ff7311302542ef3e9acd37302823b586
M21-oh5z1 | Scar_ddd4f409 | Windows | This strike sends a malware sample known as Scar. Scar is a worm that downloads files and tries to spread to other machines by copying itself to removable media. | ddd4f4098ac6f562a1933aaeb3f764e6 | https://blog.talosintelligence.com/2021/06/threat-roundup-0604-0611.html
SHA256: 7f9bf7e5dd287d63cd295f27c9ef83f5545ce28b7e2859d2a2573d4340915693
SHA1: 81e1b8fd6af76d74546026dafe741e05829bb351
MD5: ddd4f4098ac6f562a1933aaeb3f764e6
M21-cm351 | DarkComet_31cc19f2 | Windows | This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system. | 31cc19f2cc08e7df9711899b6c27fd92 | https://blog.talosintelligence.com/2021/06/threat-roundup-0611-0617.html
SHA256: bd89f6e28818d522bf1a0c1b55606d406aea0b3ad5883c92ab422d061aa282e1
SHA1: db34e26a048421b373fa11f762f655052d23b21f
MD5: 31cc19f2cc08e7df9711899b6c27fd92
M21-06l61 | DarkComet_14c54f08 | Windows | This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system. | 14c54f08e7b9421fc79e475494287e88 | https://blog.talosintelligence.com/2021/06/threat-roundup-0611-0617.html
SHA256: 3f342b83a383083e518e0ba9691df2f3e63b9042e2564fe5fcdcf3198b58ae8c
SHA1: 17615b4cd78f742cf961ce35084d535ae432b5c8
MD5: 14c54f08e7b9421fc79e475494287e88
M21-rd2r1 | DarkComet_df4a6de4 | Windows | This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system. | df4a6de44c1341c71251aa7b1930cf6f | https://blog.talosintelligence.com/2021/06/threat-roundup-0611-0617.html
SHA256: 29203df0cc62299c95e3489bb1fc765221e9467c83196791d8d008525a2050e6
SHA1: 34bde56acf48ab2267ae36bfc5fe22d4dd4cbf35
MD5: df4a6de44c1341c71251aa7b1930cf6f
M21-kzpc1 | Expiro_02191a87 | Windows | This strike sends a malware sample known as Expiro. Expiro, also known as Xpiro, is a known file infector and information stealer that hinders analysis with anti-debugging and anti-analysis tricks. | 02191a875603620180d8e1ce5766176a | https://blog.talosintelligence.com/2021/06/threat-roundup-0528-0604.html
SHA256: 249d80e8dfbb29e545d50980ea31afad50f96ed8d94095e628cd90980a77089b
SHA1: 261221672cb572bb914c36dd20ab1bccbe2025c6
MD5: 02191a875603620180d8e1ce5766176a
M21-bncd1 | Scar_55932750 | Windows | This strike sends a malware sample known as Scar. Scar is a worm that downloads files and tries to spread to other machines by copying itself to removable media. | 5593275031b345882d5e64aa7c9bb728 | https://blog.talosintelligence.com/2021/06/threat-roundup-0604-0611.html
SHA256: 967172f2991b28400466f63a3179cbf12435a072b51704bc4b2de19f5b4e3a95
SHA1: 74010e7f2773fb9d6ce132f72e093c4553fc069f
MD5: 5593275031b345882d5e64aa7c9bb728
M21-ur631 | Scar_b1d50917 | Windows | This strike sends a malware sample known as Scar. Scar is a worm that downloads files and tries to spread to other machines by copying itself to removable media. | b1d50917fe432a627a56ad8045fa845c | https://blog.talosintelligence.com/2021/06/threat-roundup-0604-0611.html
SHA256: 24327e0c3c90b42e97e86beec792f72131c7d57488728cd1cd96e7d36a17bf09
SHA1: 6e279579af8fc5575246d4c56ff41dd2292c8395
MD5: b1d50917fe432a627a56ad8045fa845c
M21-y8cr1 | Expiro_3daea3b8 | Windows | This strike sends a malware sample known as Expiro. Expiro, also known as Xpiro, is a known file infector and information stealer that hinders analysis with anti-debugging and anti-analysis tricks. | 3daea3b8bbb4ead9495ee4aff49b3a83 | https://blog.talosintelligence.com/2021/06/threat-roundup-0528-0604.html
SHA256: 51b8e5b10da5e56bb55b6234e750230447ffdf598069f8fbd103250e2c70559f
SHA1: 7babdf39128d1193704c31f31f9818e73a4740a3
MD5: 3daea3b8bbb4ead9495ee4aff49b3a83
M21-j5fg1 | Scar_50e9db8d | Windows | This strike sends a malware sample known as Scar. Scar is a worm that downloads files and tries to spread to other machines by copying itself to removable media. | 50e9db8d9efe0597e7b8d9cbaa6d79c7 | https://blog.talosintelligence.com/2021/06/threat-roundup-0604-0611.html
SHA256: 37e2bb6a3010b997a3210811cc09eea13d5fbc927d28da60c98ce0fc820ce98f
SHA1: cc44664ff498d332dba890c6a78c9bab0d4f380c
MD5: 50e9db8d9efe0597e7b8d9cbaa6d79c7
M21-nm1g1 | Scar_36a91fe4 | Windows | This strike sends a malware sample known as Scar. Scar is a worm that downloads files and tries to spread to other machines by copying itself to removable media. | 36a91fe472d4ddfff1c296a3e798deed | https://blog.talosintelligence.com/2021/06/threat-roundup-0604-0611.html
SHA256: fa54058a1ff9a1b549a264457440486c55ef120537c4b62cc213e5e80afd23d5
SHA1: e41cad42fe66cc2e685b4d3f1409e666acbbb644
MD5: 36a91fe472d4ddfff1c296a3e798deed
M21-knai1 | Scar_09b3dde0 | Windows | This strike sends a malware sample known as Scar. Scar is a worm that downloads files and tries to spread to other machines by copying itself to removable media. | 09b3dde0483c4d3d61b29c4c9622fea6 | https://blog.talosintelligence.com/2021/06/threat-roundup-0604-0611.html
SHA256: e9862e9d7ab96e635ad5a00f335dab84b4f243572ea268685c083ed74cfae78d
SHA1: 1d731884429a597570edecab33e96b4f371946da
MD5: 09b3dde0483c4d3d61b29c4c9622fea6
M21-r8qn1 | REvil_585d9cf2 | Windows | This strike sends a polymorphic malware sample known as REvil. REvil, also known as Sodinokibi, is ransomware that has recently been seen targeting law firms representing A-list celebrities. The attackers threaten not only the loss of all encrypted data but also the public leak of stolen client data. The binary has a random section name renamed according to the PE format specification. | 585d9cf2230ea8c331c911d1762db092 | https://threatpost.com/revil-ransomware-ground-down-jbs-sources/166597/
https://twitter.com/VK_Intel/status/1402027278842961925
https://arxiv.org/abs/1801.08917
PARENTID: M21-iw3g1
SSDEEP: 1536:kjxXC9jVwbhEW8z3w1R+KjJLRiOQJo0SoLCdpuOk2ICS4Ang6lUgvfYiFyRFywX/:5mV1wKdLoLC/OemUWYjfywpbPa
SHA256: e6b89a786c8582074e28f12194eecb1e50f690c4add14fa3c06af08f96a88757
SHA1: dd23368a80d8205866db27a793ab74be36a9279c
MD5: 585d9cf2230ea8c331c911d1762db092

Malware Strikes May - 2021

Strike ID | Malware | Platform | Info | MD5 | External References
M21-lhrc1 | Dharma_272d8ad1 | Windows | This strike sends a polymorphic malware sample known as Dharma. Dharma, also known as Crysis, is a trojanized ransomware whose source code has been around for several years, leading to many variants. This availability and the resulting variants account for its popularity as a Ransomware as a Service model adopted by cyber criminals. Dharma conceals itself on the target system and encrypts files whenever they are added to the specified directory. Once the files are encrypted, a ransom note is left giving the victim email addresses to contact in order to pay for decryption. The binary has random strings (lorem ipsum) appended at the end of the file. | 272d8ad1848146eea7102aa423878083 | https://attack.mitre.org/techniques/T1009/
https://www.varonis.com/blog/april-2021-malware-trends-report/
https://news.sophos.com/en-us/2020/08/12/color-by-numbers-inside-a-dharma-ransomware-as-a-service-attack/?cmp=30728
PARENTID: M21-rp7g1
SSDEEP: 6144:QsCwu+mWhJifvtNP/7YXSLB80PqO/PhR3pxsv6hb8K0+oStB8hgh6mTK:NxmIJQvPkitEqZR3pxU6hgnQRTK
SHA256: a2ea48017feba98344a88f246634c830ad59da901b4c76e29a9816b940e18fa5
SHA1: 5de4a8a78d1285ab4cac2d37e2bd1e48fce97448
MD5: 272d8ad1848146eea7102aa423878083
M21-qp2m1 | DarkSide_130220f4 | Windows | This strike sends a malware sample known as DarkSide. DarkSide is a ransomware group that made headlines recently when it was attributed to the attack against CompuCom as well as the attack against Colonial Pipeline, which took the major US fuel pipeline offline. The DarkSide group is known for its very specific approach to targeting victims: each executable is carefully crafted for its intended target. | 130220f4457b9795094a21482d5f104b | https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html
SHA256: e0c0cbc50a9ed4d01a176497c8dba913cbbba515ea701a67ef00dcb7c8a84368
SHA1: 0231ec4bfa03db42f5486c425d47cf9aed5ce3e4
MD5: 130220f4457b9795094a21482d5f104b
M21-bel81 | Banload_dc2c2460 | Windows | This strike sends a polymorphic malware sample known as Banload. Banload is a banking trojan that has recently been infecting Latin American systems. This malware uses custom kernel drivers to evade detection. The binary has random strings (lorem ipsum) appended at the end of the file. | dc2c2460f88c67ba4596bdfb34b2cbac | https://attack.mitre.org/techniques/T1009/
https://blog.talosintelligence.com/2021/05/threat-roundup-0514-0521.html
SHA256: 1d088c652e51ab4eed94495be3895d9d6fbf64693693ac6e15aae3ef462302d8
PARENTID: M21-0n2t1
SSDEEP: 24576:9iz9GBuV9wKwHajKw+HEr4HHQm14aoXSNAcRaz6rtHZJZN3nKb/5ArKPfa19DdyZ:9iBxVNLmuDz6ZT6b/mrKHarA9m25ujI3
SHA1: b29fc76f6558bcfcec026e953284817465d8afb8
MD5: dc2c2460f88c67ba4596bdfb34b2cbac
M21-bznh1 | Banload_098f304b | Windows | This strike sends a malware sample known as Banload. Banload is a banking trojan that has recently been infecting Latin American systems. This malware uses custom kernel drivers to evade detection. | 098f304b725e0c4139056cc20c7418e5 | https://blog.talosintelligence.com/2021/05/threat-roundup-0514-0521.html
SHA256: 41e8a032e17fa6680bd44ac5ce4e056380787103007f26405474bc9ea11023b0
SHA1: bc54e53697b276cec8d5557d54e96761ceadcd3d
MD5: 098f304b725e0c4139056cc20c7418e5
M21-ffsa1 | Banload_5e5b471d | Windows | This strike sends a malware sample known as Banload. Banload is a banking trojan that has recently been infecting Latin American systems. This malware uses custom kernel drivers to evade detection. | 5e5b471dde3fa11cce485958858f6419 | https://blog.talosintelligence.com/2021/05/threat-roundup-0514-0521.html
SHA256: 68ce5ea5e7f7ed94e7cfcb27ef56017541aac2b8f36160896de9cb6045c9689f
SHA1: 45c5462a1a978e23d3cddab301066adf5a041d06
MD5: 5e5b471dde3fa11cce485958858f6419
M21-eb551 | BazarLoader_aedbdc94 | Windows | This strike sends a malware sample known as BazarLoader. BazarLoader is a malware loader used to download and install additional malware such as Trickbot or Ryuk. | aedbdc94d6c5cf73533f71ea8b5f5eea | https://blog.talosintelligence.com/2021/05/threat-roundup-0514-0521.html
SHA256: b4c28387b8574222f312657db88eaa1f2ee7f460821f717b92bd8ad1823c2684
SHA1: a576b60e2d85f203b207d4b0ca886b2d3e46cf01
MD5: aedbdc94d6c5cf73533f71ea8b5f5eea
M21-yuik1 | Banload_7a804fc3 | Windows | This strike sends a malware sample known as Banload. Banload is a banking trojan that has recently been infecting Latin American systems. This malware uses custom kernel drivers to evade detection. | 7a804fc38cac8743b3484a3faf74a33b | https://blog.talosintelligence.com/2021/05/threat-roundup-0514-0521.html
SHA256: 8e52d6d10c5c06ff2cd43ab5d0ee884eaa6a32787552f3bc3324470aae05c2cf
SHA1: b9cb3c1ff4cb931c4da3d9f03ecf57f19a76e188
MD5: 7a804fc38cac8743b3484a3faf74a33b
M21-b8se1 | Banload_793d4b0e | Windows | This strike sends a polymorphic malware sample known as Banload. Banload is a banking trojan that has recently been infecting Latin American systems. This malware uses custom kernel drivers to evade detection. The binary has a random section name renamed according to the PE format specification. | 793d4b0ed7b759650ca4a7aeceff56c9 | https://arxiv.org/abs/1801.08917
https://blog.talosintelligence.com/2021/05/threat-roundup-0514-0521.html
SHA256: f151fb18e724141cd5893a207763c6045ad26937cdfdf47e7a86063ee5cfc115
PARENTID: M21-udvy1
SSDEEP: 24576:xWIN1ZWrVwKTDyHrtEpGvmzl4tTI/K69HdWJdxotnKb/5ArKPfa19Ddy9yLZ2h9B:xWO1ZXJ4l9gDlb/mrKHarA9m25ujI
SHA1: e32bcc05d0007eab8ad06f752846327e3f278dda
MD5: 793d4b0ed7b759650ca4a7aeceff56c9
M21-ir7l1 | Trickbot_109cfe87 | Windows | This strike sends a malware sample known as Trickbot. Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts. | 109cfe87591896f0e46d896713ff6368 | https://blog.talosintelligence.com/2021/05/threat-roundup-0514-0521.html
SHA256: 1bcaef0d86d3fc9eef239fd55f9c9b17630c881426c38afc59af281694bbf3e7
SHA1: db202bb12122d5a70b62b0b2f8ef73cfe050a945
MD5: 109cfe87591896f0e46d896713ff6368
M21-e0ct1 | Dharma_3cdd778b | Windows | This strike sends a malware sample known as Dharma. Dharma, also known as Crysis, is a trojanized ransomware whose source code has been around for several years, leading to many variants. This availability and the resulting variants account for its popularity as a Ransomware as a Service model adopted by cyber criminals. Dharma conceals itself on the target system and encrypts files whenever they are added to the specified directory. Once the files are encrypted, a ransom note is left giving the victim email addresses to contact in order to pay for decryption. | 3cdd778bd9a5342996dfc5107bf11ce2 | https://www.varonis.com/blog/april-2021-malware-trends-report/
https://news.sophos.com/en-us/2020/08/12/color-by-numbers-inside-a-dharma-ransomware-as-a-service-attack/?cmp=30728
SHA256: edef024abe48d6ed7b4757d63a8fd448a8ecf1ad15afd39cc97c97b27ed4498e
SHA1: 23ef76d2e4cec624821c9ca087376c2a4584db45
MD5: 3cdd778bd9a5342996dfc5107bf11ce2
M21-qpz61 | DarkSide_b3a6f3f4 | Mixed | This strike sends a malware sample known as DarkSide. DarkSide is a ransomware group that made headlines recently when it was attributed to the attack against CompuCom as well as the attack against Colonial Pipeline, which took the major US fuel pipeline offline. The DarkSide group is known for its very specific approach to targeting victims: each executable is carefully crafted for its intended target. | b3a6f3f471728db2be40a2ff77b18fa4 | https://unit42.paloaltonetworks.com/darkside-ransomware/
https://www.fortinet.com/blog/threat-research/newly-discovered-function-in-darkside-ransomware-variant-targets-disk-partitions
SHA256: becce918e158a9ecdc81d49badfeb7c5c5098f607485700cc45cab3c2211068a
SHA1: 80bb49d8ae3a30a48d140468b1f85144042342c6
MD5: b3a6f3f471728db2be40a2ff77b18fa4
M21-4plb1 | Banload_03dd8ecd | Windows | This strike sends a malware sample known as Banload. Banload is a banking trojan that has recently been infecting Latin American systems. This malware uses custom kernel drivers to evade detection. | 03dd8ecd823550d572e3cd6a1d8affda | https://blog.talosintelligence.com/2021/05/threat-roundup-0514-0521.html
SHA256: 460aa14b4ca77d7cdd464b07e7a06e6793c96576a22cee1e2048e8036a050b8d
SHA1: a08a616bccea6e011b32713f27f08a9afcb039cf
MD5: 03dd8ecd823550d572e3cd6a1d8affda
M21-sz591 | DarkSide_2c79d66f | Windows | This strike sends a polymorphic malware sample known as DarkSide. DarkSide is a ransomware group that made headlines recently when it was attributed to the attack against CompuCom as well as the attack against Colonial Pipeline, which took the major US fuel pipeline offline. The DarkSide group is known for its very specific approach to targeting victims: each executable is carefully crafted for its intended target. The binary has random contents appended in one of the existing sections in the PE file format. | 2c79d66f1dc05a065ad409813c60feeb | https://arxiv.org/abs/1801.08917
https://unit42.paloaltonetworks.com/darkside-ransomware/
https://www.fortinet.com/blog/threat-research/newly-discovered-function-in-darkside-ransomware-variant-targets-disk-partitions
PARENTID: M21-ci4y1
SSDEEP: 768:piN4q1eksgR4SiI+rxQ3rjFrXRRWxXyw/AfyKfIaJ/ZB49j9xOOLd9kvAx0:g4HHerjZX7pLVJKjSO5i
SHA256: af5fb1b448efc5b0883957230e32bf34719c595175bcf774a8a7084a6494c00a
SHA1: 267ac736328d4979dd9b13665b4f0f78440b7f7a
MD5: 2c79d66f1dc05a065ad409813c60feeb
Strike ID: M21-o3l51
Malware: Trickbot_a3b99184
Platform: Windows
Info: This strike sends a malware sample known as Trickbot. Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts.
External References: https://blog.talosintelligence.com/2021/05/threat-roundup-0514-0521.html
SHA256: 11d68417576c62a2a2b29ede70e41fee3a3ee193cf2ba8aff263cf9ba55c03e1
SHA1: 87526aff2e628176471749759b41815a5ddda561
MD5: a3b99184f00044ae955f007961bf68f3
Strike ID: M21-vy6i1
Malware: Dharma_0e54c3ae
Platform: Windows
Info: This strike sends a malware sample known as Dharma. Dharma, also known as Crysis, is a trojanized ransomware whose source code has been around for several years, leading to many variants being created. This availability and these variants lend to its popularity as a Ransomware as a Service model adopted by cyber criminals. Dharma conceals itself inside the target system and encrypts files any time they are added to the specified directory. Once the files are encrypted, a ransom note is left providing the victim with email addresses to contact in order to pay for decryption.
External References: https://www.varonis.com/blog/april-2021-malware-trends-report/
https://news.sophos.com/en-us/2020/08/12/color-by-numbers-inside-a-dharma-ransomware-as-a-service-attack/?cmp=30728
SHA256: 5b420065bcd0653fb053045398dd6477ab8b6df270245c5d5d4590c2af30f329
SHA1: 54106f40c427afdee44dbbd6b5d9c6e96f99530a
MD5: 0e54c3ae592f46def82c6b153bb642c8
Strike ID: M21-pnq91
Malware: Trickbot_c88c0d52
Platform: Windows
Info: This strike sends a malware sample known as Trickbot. Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts.
External References: https://blog.talosintelligence.com/2021/05/threat-roundup-0514-0521.html
SHA256: 141cd9f188f0940ab2f844e14f21493e931133a4836ae2113bb3e0acd8b4a41e
SHA1: 174ae772c8c2e2145ea9493ede2a465fa61edcfd
MD5: c88c0d5275862ccd9370c7c54e677b0b
Strike ID: M21-tx321
Malware: DarkSide_1a57e37d
Platform: Windows
Info: This strike sends a malware sample known as DarkSide. DarkSide is a ransomware group that made headlines recently when it was attributed to the attack against CompuCom as well as an attack against the Colonial Pipeline, taking the major US fuel pipeline offline. The DarkSide group is known for its very specific approach to targeting victims. Each executable is carefully crafted for its intended target.
External References: https://unit42.paloaltonetworks.com/darkside-ransomware/
https://www.fortinet.com/blog/threat-research/newly-discovered-function-in-darkside-ransomware-variant-targets-disk-partitions
SHA256: dc4b8dfff72ff08ec4daa8db4c096a350a9a1bf5434ba7796ab10ec1322ac38c
SHA1: 1f90eb879580faef3c37e10d0a0345465eebd4ee
MD5: 1a57e37d4160446c7b5ec4991fd049a1
Strike ID: M21-rp7a1
Malware: Banload_17da0ba7
Platform: Windows
Info: This strike sends a polymorphic malware sample known as Banload. Banload is a banking trojan that has recently been infecting Latin American systems. This malware uses custom kernel drivers to evade detection. The binary has random contents appended in one of the existing sections in the PE file format.
External References: https://arxiv.org/abs/1801.08917
https://blog.talosintelligence.com/2021/05/threat-roundup-0514-0521.html
SHA256: 300665472dc9cca35589163774271b94427c6c785b9432848929a99e3bb504a3
PARENTID: M21-udvy1
SSDEEP: 24576:SWIN1ZWrVwKTDyHrtEpGvmzl4tTI/K69HdWJexotnKb/5ArKPfa19Ddy9yLZ2h9B:SWO1ZXJ4l9gIlb/mrKHarA9m25ujI
SHA1: f58e0da6711d7d1dd45be8c94e776eeb6ab92c06
MD5: 17da0ba7634ca9018ee19c56cb725985
Strike ID: M21-v7tr1
Malware: DarkSide_f75ba194
Platform: Windows
Info: This strike sends a malware sample known as DarkSide. DarkSide is a ransomware group that made headlines recently when it was attributed to the attack against CompuCom as well as an attack against the Colonial Pipeline, taking the major US fuel pipeline offline. The DarkSide group is known for its very specific approach to targeting victims. Each executable is carefully crafted for its intended target.
External References: https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html
SHA256: afb22b1ff281c085b60052831ead0a0ed300fac0160f87851dacc67d4e158178
SHA1: c43ee0cef6acee7d503f056764abc64d8f7ae9b9
MD5: f75ba194742c978239da2892061ba1b4
Strike ID: M21-ch2l1
Malware: DarkSide_5ff75d33
Platform: Windows
Info: This strike sends a malware sample known as DarkSide. DarkSide is a ransomware group that made headlines recently when it was attributed to the attack against CompuCom as well as an attack against the Colonial Pipeline, taking the major US fuel pipeline offline. The DarkSide group is known for its very specific approach to targeting victims. Each executable is carefully crafted for its intended target.
External References: https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html
SHA256: 6228f75f52fd69488419c0e0eb3617b5b894a566a93e52b99a9addced7364cff
SHA1: 810d6c70a96584486867cedde111a1087ed1ebe7
MD5: 5ff75d33080bb97a8e6b54875c221777
Strike ID: M21-by8i1
Malware: Trickbot_ef04159c
Platform: Windows
Info: This strike sends a malware sample known as Trickbot. Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts.
External References: https://blog.talosintelligence.com/2021/05/threat-roundup-0514-0521.html
SHA256: 68d8bc5673819f1790975ad358586657e9e7bb6f2a17b53bf3143bb01ca6e675
SHA1: c80bb6b98f02c69cf4955c6049a552bac22b2d90
MD5: ef04159c8fe8e551672f0a47425aa5a3
Strike ID: M21-b99w1
Malware: Trickbot_7ab7e4b6
Platform: Windows
Info: This strike sends a malware sample known as Trickbot. Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts.
External References: https://blog.talosintelligence.com/2021/05/threat-roundup-0514-0521.html
SHA256: 69b8841de597bbf5b579d673279d5c4273e7cb85a5d574e9dd3b95b6bf94e542
SHA1: 97b1b9d4746dc25d0f7e9323c8d5c646381e2532
MD5: 7ab7e4b69ea3531bb62b2dc2b4b2698e
Strike ID: M21-4avr1
Malware: DarkSide_c2fb8ddb
Platform: Mixed
Info: This strike sends a malware sample known as DarkSide. DarkSide is a ransomware group that made headlines recently when it was attributed to the attack against CompuCom as well as an attack against the Colonial Pipeline, taking the major US fuel pipeline offline. The DarkSide group is known for its very specific approach to targeting victims. Each executable is carefully crafted for its intended target.
External References: https://unit42.paloaltonetworks.com/darkside-ransomware/
https://www.fortinet.com/blog/threat-research/newly-discovered-function-in-darkside-ransomware-variant-targets-disk-partitions
SHA256: 90dfcd6b2350a35c06519b2d1bd55e7a571724cb36213ea499d2905215dd0a7f
SHA1: f4d0c7794e7edb072ac199c425c0c6b817380b07
MD5: c2fb8ddbbf2fc8527b5d7a5a2015e26a
Strike ID: M21-ttwz1
Malware: DarkSide_c8305125
Platform: Windows
Info: This strike sends a malware sample known as DarkSide. DarkSide is a ransomware group that made headlines recently when it was attributed to the attack against CompuCom as well as an attack against the Colonial Pipeline, taking the major US fuel pipeline offline. The DarkSide group is known for its very specific approach to targeting victims. Each executable is carefully crafted for its intended target.
External References: https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html
SHA256: 12ee27f56ec8a2a3eb2fe69179be3f7a7193ce2b92963ad33356ed299f7ed975
SHA1: 2fc8514367d4799d90311b1b1f277b3fca5ca731
MD5: c830512579b0e08f40bc1791fc10c582
Strike ID: M21-0rq21
Malware: BazarLoader_4faef841
Platform: Windows
Info: This strike sends a malware sample known as BazarLoader. BazarLoader is a malware loader whose function is to download and install additional malware such as Trickbot or Ryuk.
External References: https://blog.talosintelligence.com/2021/05/threat-roundup-0514-0521.html
SHA256: 863f65a20c08c5aa58ef0dc5d1fda40f7885edb52e8516fb5a5d73966fc3d9bc
SHA1: 29c14284b6798eb3b198c1cab89c3f0b2fd6c1b8
MD5: 4faef8417a45888b6a1b8ddadd4332c8
Strike ID: M21-le062
Malware: Dharma_09abc206
Platform: Windows
Info: This strike sends a polymorphic malware sample known as Dharma. Dharma, also known as Crysis, is a trojanized ransomware whose source code has been around for several years, leading to many variants being created. This availability and these variants lend to its popularity as a Ransomware as a Service model adopted by cyber criminals. Dharma conceals itself inside the target system and encrypts files any time they are added to the specified directory. Once the files are encrypted, a ransom note is left providing the victim with email addresses to contact in order to pay for decryption. The binary has the debug flag removed in the PE file format.
External References: https://arxiv.org/abs/1801.08917
https://www.varonis.com/blog/april-2021-malware-trends-report/
https://news.sophos.com/en-us/2020/08/12/color-by-numbers-inside-a-dharma-ransomware-as-a-service-attack/?cmp=30728
PARENTID: M21-rp7g1
SSDEEP: 6144:1sCwu+mWhJifvtNP/7YXSLB80PqO/PhR3pxsv6hb8K0+oStB8hgh6mT7:axmIJQvPkitEqZR3pxU6hgnQRT7
SHA256: ba51a0d29df9ede391e4900b31948253612305a5484d7f54ee66b35d14f0f44d
SHA1: 4701309c8cfb04c8efa766fb45a940a81ed76934
MD5: 09abc206875e17ad67f96a78db948812
Strike ID: M21-9s071
Malware: DarkSide_904805c6
Platform: Windows
Info: This strike sends a malware sample known as DarkSide. DarkSide is a ransomware group that made headlines recently when it was attributed to the attack against CompuCom as well as an attack against the Colonial Pipeline, taking the major US fuel pipeline offline. The DarkSide group is known for its very specific approach to targeting victims. Each executable is carefully crafted for its intended target.
External References: https://unit42.paloaltonetworks.com/darkside-ransomware/
https://www.fortinet.com/blog/threat-research/newly-discovered-function-in-darkside-ransomware-variant-targets-disk-partitions
SHA256: 46753892de2ae2a55d74b704813ba487af219a29f973c28aad7fda09ac6cfc2d
SHA1: 0686f215551c28b3b79b53ec4870d3d0a47066d3
MD5: 904805c6f368acaf024c1fe09279230c
Strike ID: M21-8szi1
Malware: Banload_0bdc9790
Platform: Windows
Info: This strike sends a malware sample known as Banload. Banload is a banking trojan that has recently been infecting Latin American systems. This malware uses custom kernel drivers to evade detection.
External References: https://blog.talosintelligence.com/2021/05/threat-roundup-0514-0521.html
SHA256: 907e7d151bf71dc982d08b3dbe15c9fe602c02957058eddebe039bcea1b072b3
SHA1: 4294de738335223df9874a45d3cddd0435be262d
MD5: 0bdc979054ee50b70c462b2a3ad8bcb6
Strike ID: M21-aeqp1
Malware: DarkSide_4d3471d8
Platform: Windows
Info: This strike sends a malware sample known as DarkSide. DarkSide is a ransomware group that made headlines recently when it was attributed to the attack against CompuCom as well as an attack against the Colonial Pipeline, taking the major US fuel pipeline offline. The DarkSide group is known for its very specific approach to targeting victims. Each executable is carefully crafted for its intended target.
External References: https://unit42.paloaltonetworks.com/darkside-ransomware/
https://www.fortinet.com/blog/threat-research/newly-discovered-function-in-darkside-ransomware-variant-targets-disk-partitions
SHA256: d490cd8d7de06c53d634ea0e199fbb2976ff4b5458c856bbe144bf5d894091db
SHA1: d5e7861489002dcd87f3f331a4ccfcfa117a4cf5
MD5: 4d3471d8513626e992936e4065b2d87d
Strike ID: M21-2a1d1
Malware: DarkSide_29bcd459
Platform: Windows
Info: This strike sends a malware sample known as DarkSide. DarkSide is a ransomware group that made headlines recently when it was attributed to the attack against CompuCom as well as an attack against the Colonial Pipeline, taking the major US fuel pipeline offline. The DarkSide group is known for its very specific approach to targeting victims. Each executable is carefully crafted for its intended target.
External References: https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html
SHA256: fb76b4a667c6d790c39fcc93a3aac8cd2a224f0eb9ece4ecfd7825f606c2a8b6
SHA1: 076d0d8d07368ef680aeb0c08f7f2e624c46cbc5
MD5: 29bcd459f5ddeeefad26fc098304e786
Strike ID: M21-pwcn1
Malware: Banload_1efa5710
Platform: Windows
Info: This strike sends a malware sample known as Banload. Banload is a banking trojan that has recently been infecting Latin American systems. This malware uses custom kernel drivers to evade detection.
External References: https://blog.talosintelligence.com/2021/05/threat-roundup-0514-0521.html
SHA256: 9e001e4c61965ec1e2a3c36c1c3fa744d4e10ef08ce6549c3983be80c3b0c853
SHA1: 1552284a53d8dd4788e58b2332f1a24816368647
MD5: 1efa5710fcab7a4f37edb10a305a8565
Strike ID: M21-jy211
Malware: Banload_31b3d6d4
Platform: Windows
Info: This strike sends a malware sample known as Banload. Banload is a banking trojan that has recently been infecting Latin American systems. This malware uses custom kernel drivers to evade detection.
External References: https://blog.talosintelligence.com/2021/05/threat-roundup-0514-0521.html
SHA256: 17bb43e9e6aff6d5cfedbce550252bcf4ad85241915f47674688acbe8f7274f3
SHA1: b17fc5e26ac9e8483252c2dca0fe98f176c41bcc
MD5: 31b3d6d42570a7e46c9a49fc352496d4
Strike ID: M21-lske1
Malware: Trickbot_365e7f1d
Platform: Windows
Info: This strike sends a malware sample known as Trickbot. Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts.
External References: https://blog.talosintelligence.com/2021/05/threat-roundup-0514-0521.html
SHA256: 1381dc83bfd65a6a62e53090b308bd3bbbd2f8c8e45d0eb25ac4ece85dee700c
SHA1: 771f09d3da63ca81e7e932e8ce4db87b9797ea42
MD5: 365e7f1dd0f16ca8144cef4bb6543d0b
Strike ID: M21-dphq1
Malware: Dharma_9a77e8be
Platform: Windows
Info: This strike sends a malware sample known as Dharma. Dharma, also known as Crysis, is a trojanized ransomware whose source code has been around for several years, leading to many variants being created. This availability and these variants lend to its popularity as a Ransomware as a Service model adopted by cyber criminals. Dharma conceals itself inside the target system and encrypts files any time they are added to the specified directory. Once the files are encrypted, a ransom note is left providing the victim with email addresses to contact in order to pay for decryption.
External References: https://www.varonis.com/blog/april-2021-malware-trends-report/
https://news.sophos.com/en-us/2020/08/12/color-by-numbers-inside-a-dharma-ransomware-as-a-service-attack/?cmp=30728
SHA256: 965315221716fa0b80f2cf88873b7d1f7e5b368a0ac01f52d2ade330328d04fe
SHA1: 47590740ec35cac25e1d3874b21e79861fbbda26
MD5: 9a77e8be9dd41d0e9b8a77e9a2abf4de
Strike ID: M21-1z2h1
Malware: DarkSide_d6634959
Platform: Windows
Info: This strike sends a malware sample known as DarkSide. DarkSide is a ransomware group that made headlines recently when it was attributed to the attack against CompuCom as well as an attack against the Colonial Pipeline, taking the major US fuel pipeline offline. The DarkSide group is known for its very specific approach to targeting victims. Each executable is carefully crafted for its intended target.
External References: https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html
SHA256: cc54647e8c3fe7b701d78a6fa072c52641ac11d395a6d2ffaf05f38f53112556
SHA1: bafb90827abb85a167d2d558e31008cf82be63e3
MD5: d6634959e4f9b42dfc02b270324fa6d9
Strike ID: M21-dv3t1
Malware: Dharma_16335b82
Platform: Windows
Info: This strike sends a polymorphic malware sample known as Dharma. Dharma, also known as Crysis, is a trojanized ransomware whose source code has been around for several years, leading to many variants being created. This availability and these variants lend to its popularity as a Ransomware as a Service model adopted by cyber criminals. Dharma conceals itself inside the target system and encrypts files any time they are added to the specified directory. Once the files are encrypted, a ransom note is left providing the victim with email addresses to contact in order to pay for decryption. The binary has a new section added in the PE file format with random contents.
External References: https://arxiv.org/abs/1801.08917
https://www.varonis.com/blog/april-2021-malware-trends-report/
https://news.sophos.com/en-us/2020/08/12/color-by-numbers-inside-a-dharma-ransomware-as-a-service-attack/?cmp=30728
PARENTID: M21-vw9l1
SSDEEP: 6144:6sCwu+mWhJifvtNP/7YXSLB80PqO/PhR3pC5v6OyJ90clqC8hgh6mTR:/xmIJQvPkitEqZR3pCx6O4bDRTR
SHA256: 5202170dda8b10dad9409fec8237f8f49915de847f4d7a7ba5ad6f9ef57be393
SHA1: 7e60d4f4c85c3aaa033d687543c54fc8233657ab
MD5: 16335b825864a9c678c5fc316040f5f3
Strike ID: M21-01ca1
Malware: BazarLoader_a8e44d19
Platform: Windows
Info: This strike sends a malware sample known as BazarLoader. BazarLoader is a malware loader whose function is to download and install additional malware such as Trickbot or Ryuk.
External References: https://blog.talosintelligence.com/2021/05/threat-roundup-0514-0521.html
SHA256: 3f7aa85550b112941e3e20b4dfb54fd1773d906bf5650a8107e49bdf731e3da6
SHA1: 756e1a6237769786dbd5da7db8c1037081efd034
MD5: a8e44d190da9ca504c12f576fa9a417a
Strike ID: M21-crf21
Malware: DarkSide_b2011e98
Platform: Windows
Info: This strike sends a malware sample known as DarkSide. DarkSide is a ransomware group that made headlines recently when it was attributed to the attack against CompuCom as well as an attack against the Colonial Pipeline, taking the major US fuel pipeline offline. The DarkSide group is known for its very specific approach to targeting victims. Each executable is carefully crafted for its intended target.
External References: https://unit42.paloaltonetworks.com/darkside-ransomware/
https://www.fortinet.com/blog/threat-research/newly-discovered-function-in-darkside-ransomware-variant-targets-disk-partitions
SHA256: 4edb883d1ac97824ee42d9f92917cc84b52995abcd17b2852a7e3d5bb567ffbe
SHA1: 996567f5e84b7666ff3182699da0de894e7ea662
MD5: b2011e987b85a8005d9bd3a33ff6e1b6
Strike ID: M21-trox1
Malware: BazarLoader_6b77b33b
Platform: Windows
Info: This strike sends a malware sample known as BazarLoader. BazarLoader is a malware loader whose function is to download and install additional malware such as Trickbot or Ryuk.
External References: https://blog.talosintelligence.com/2021/05/threat-roundup-0514-0521.html
SHA256: 7955aaca8bb62eeb5e36a17da77db7e3c9c77d3087f9a6607062523700e7ef83
SHA1: 39f2a0b0979d61d52685d29655447cd3caa6369c
MD5: 6b77b33b880eda3a3527d489fb213d97
Strike ID: M21-rixj1
Malware: Banload_e3117df8
Platform: Windows
Info: This strike sends a polymorphic malware sample known as Banload. Banload is a banking trojan that has recently been infecting Latin American systems. This malware uses custom kernel drivers to evade detection. The binary has a random section name renamed according to the PE format specification.
External References: https://arxiv.org/abs/1801.08917
https://blog.talosintelligence.com/2021/05/threat-roundup-0514-0521.html
SHA256: 3a1cb50971634d8455621cf0b1b0129d151a18fa2653f206425763ae7f636dca
PARENTID: M21-0n2t1
SSDEEP: 24576:siz9GBuV9wKwHajKw+HEr4HHQm14aoXSNAcRaz6rtHZJZN3nKb/5ArKPfa19Ddyv:siBxVNLmuDz6ZT6b/mrKHarA9m25ujI
SHA1: c3bf9a0d56cfa483c939080ac6edf180dda78615
MD5: e3117df8ed16e72bf66ef6b10e5e9b02
Strike ID: M21-cuiy1
Malware: DarkSide_f00aded4
Platform: Windows
Info: This strike sends a malware sample known as DarkSide. DarkSide is a ransomware group that made headlines recently when it was attributed to the attack against CompuCom as well as an attack against the Colonial Pipeline, taking the major US fuel pipeline offline. The DarkSide group is known for its very specific approach to targeting victims. Each executable is carefully crafted for its intended target.
External References: https://unit42.paloaltonetworks.com/darkside-ransomware/
https://www.fortinet.com/blog/threat-research/newly-discovered-function-in-darkside-ransomware-variant-targets-disk-partitions
SHA256: 4d9432e8a0ceb64c34b13d550251b8d9478ca784e50105dc0d729490fb861d1a
SHA1: 86ca4973a98072c32db97c9433c16d405e4154ac
MD5: f00aded4c16c0e8c3b5adfc23d19c609
Strike ID: M21-1ymi1
Malware: Banload_27fbaf16
Platform: Windows
Info: This strike sends a polymorphic malware sample known as Banload. Banload is a banking trojan that has recently been infecting Latin American systems. This malware uses custom kernel drivers to evade detection. The binary has random bytes appended at the end of the file.
External References: https://attack.mitre.org/techniques/T1009/
https://blog.talosintelligence.com/2021/05/threat-roundup-0514-0521.html
SHA256: cbcc0f23199d14d67a75cd4801a731189dff67c5160290b0b5513cab6c26abb3
PARENTID: M21-udvy1
SSDEEP: 24576:MWIN1ZWrVwKTDyHrtEpGvmzl4tTI/K69HdWJdxotnKb/5ArKPfa19Ddy9yLZ2h9O:MWO1ZXJ4l9gDlb/mrKHarA9m25ujI4
SHA1: 5cafab3a544c32f5d7d3ed67f790384883c85ff0
MD5: 27fbaf16b606687ee8e9e5a42c47ff4e
Strike ID: M21-ic2z1
Malware: Banload_b942612e
Platform: Windows
Info: This strike sends a malware sample known as Banload. Banload is a banking trojan that has recently been infecting Latin American systems. This malware uses custom kernel drivers to evade detection.
External References: https://blog.talosintelligence.com/2021/05/threat-roundup-0514-0521.html
SHA256: 656f59dfb57595ba84395ce632a0f0f11e19f5b0f7f73e97c0886c577d87aa7a
SHA1: 580b53af52791f7889e222879585e76f3ba447e5
MD5: b942612eebef0bf2cc17e649da42f645
Strike ID: M21-0n2t1
Malware: Banload_1f9222f2
Platform: Windows
Info: This strike sends a malware sample known as Banload. Banload is a banking trojan that has recently been infecting Latin American systems. This malware uses custom kernel drivers to evade detection.
External References: https://blog.talosintelligence.com/2021/05/threat-roundup-0514-0521.html
SHA256: c1f69f578496c2ef4b4f46fb3b9a77537a75dc9b147a561b4eab3389e04c5e0c
SHA1: 0f3206005fc6d3b212df0f2f58b8a49f480ca5fe
MD5: 1f9222f29c3e53289a9242bb7aac87e2
Strike ID: M21-fbui1
Malware: DarkSide_e409ad05
Platform: Mixed
Info: This strike sends a malware sample known as DarkSide. DarkSide is a ransomware group that made headlines recently when it was attributed to the attack against CompuCom as well as an attack against the Colonial Pipeline, taking the major US fuel pipeline offline. The DarkSide group is known for its very specific approach to targeting victims. Each executable is carefully crafted for its intended target.
External References: https://unit42.paloaltonetworks.com/darkside-ransomware/
https://www.fortinet.com/blog/threat-research/newly-discovered-function-in-darkside-ransomware-variant-targets-disk-partitions
SHA256: 05459376bbe170c277739cab4e425530aff0a15616297b63f0ad665c3ce0f18a
SHA1: c33110d13a318ce21d515d80249a03a09faa8dec
MD5: e409ad05784d25f2714274db52fde8b7
Strike ID: M21-bnex1
Malware: Dharma_3752ab93
Platform: Windows
Info: This strike sends a polymorphic malware sample known as Dharma. Dharma, also known as Crysis, is a trojanized ransomware whose source code has been around for several years, leading to many variants being created. This availability and these variants lend to its popularity as a Ransomware as a Service model adopted by cyber criminals. Dharma conceals itself inside the target system and encrypts files any time they are added to the specified directory. Once the files are encrypted, a ransom note is left providing the victim with email addresses to contact in order to pay for decryption. The binary has been packed using the UPX packer with the default options.
External References: https://attack.mitre.org/techniques/T1045/
https://www.varonis.com/blog/april-2021-malware-trends-report/
https://news.sophos.com/en-us/2020/08/12/color-by-numbers-inside-a-dharma-ransomware-as-a-service-attack/?cmp=30728
PARENTID: M21-vw9l1
SSDEEP: 6144:IsZjQ0wfuODIMiAuesXs5bBoC5v6OyJ90clqC8hgh6mTR:3VUGoIMiAVsEbuCx6O4bDRTR
SHA256: 5eda69572bea452defe179d6f553e1cea5029fa570cd4f8060aa1e8801f7d0ac
SHA1: 5ce086eb3d44e226b09c8d41aaa6b6d2189b641e
MD5: 3752ab9389508c6a7f02673b89f21b52
Strike ID: M21-rp7g1
Malware: Dharma_481f271d
Platform: Windows
Info: This strike sends a malware sample known as Dharma. Dharma, also known as Crysis, is a trojanized ransomware whose source code has been around for several years, leading to many variants being created. This availability and these variants lend to its popularity as a Ransomware as a Service model adopted by cyber criminals. Dharma conceals itself inside the target system and encrypts files any time they are added to the specified directory. Once the files are encrypted, a ransom note is left providing the victim with email addresses to contact in order to pay for decryption.
External References: https://www.varonis.com/blog/april-2021-malware-trends-report/
https://news.sophos.com/en-us/2020/08/12/color-by-numbers-inside-a-dharma-ransomware-as-a-service-attack/?cmp=30728
SHA256: 47dc3672971c242154a36622145de7060f17f56af75d21e2130e4f57089f5e48
SHA1: 4576efe2b713b1fd1a967b9beec57bf66a6cdbf8
MD5: 481f271dc162d97f4af7453359b5be23
Strike ID: M21-wn9d1
Malware: DarkSide_b9d04060
Platform: Windows
Info: This strike sends a malware sample known as DarkSide. DarkSide is a ransomware group that made headlines recently when it was attributed to the attack against CompuCom as well as an attack against the Colonial Pipeline, taking the major US fuel pipeline offline. The DarkSide group is known for its very specific approach to targeting victims. Each executable is carefully crafted for its intended target.
External References: https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html
SHA256: d43b271fb4931263f8fa54b297e3cf60762a0fe5c50ed76999f276dcc3c283be
SHA1: 7e01305dd52b6c92d97e88c870410381577cad61
MD5: b9d04060842f71d1a8f3444316dc1843
Strike ID: M21-6yoh1
Malware: DarkSide_b0fd4516
Platform: Linux
Info: This strike sends a malware sample known as DarkSide. DarkSide is a ransomware group that made headlines recently when it was attributed to the attack against CompuCom as well as an attack against the Colonial Pipeline, taking the major US fuel pipeline offline. The DarkSide group is known for its very specific approach to targeting victims. Each executable is carefully crafted for its intended target.
External References: https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html
SHA256: da3bb9669fb983ad8d2ffc01aab9d56198bd9cedf2cc4387f19f4604a070a9b5
SHA1: c7b28fe059e944f883058450d5c77b03076b0ea1
MD5: b0fd45162c2219e14bdccab76f33946e
Strike ID: M21-sq231
Malware: DarkSide_885fc8fb
Platform: Windows
Info: This strike sends a malware sample known as DarkSide. DarkSide is a ransomware group that made headlines recently when it was attributed to the attack against CompuCom as well as an attack against the Colonial Pipeline, taking the major US fuel pipeline offline. The DarkSide group is known for its very specific approach to targeting victims. Each executable is carefully crafted for its intended target.
External References: https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html
SHA256: 0839aabe5fd63b16844a27b3c586c02a044d119010a1a40ee4035501c34eae0d
SHA1: c104056f9a926d27a2082f0510c97b09cb0eb3e5
MD5: 885fc8fb590b899c1db7b42fe83dddc3
Strike ID: M21-ttev1
Malware: Trickbot_142e8dc7
Platform: Windows
Info: This strike sends a malware sample known as Trickbot. Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts.
External References: https://blog.talosintelligence.com/2021/05/threat-roundup-0514-0521.html
SHA256: aafb0254458b330765d0bc9933051e4e21555487276ef0239491595cb2af0cd5
SHA1: 8db045f20998e2cd1e5ac9ef6809dfc09cf75015
MD5: 142e8dc74a62a93f3d083925b4c897d3
Strike ID: M21-u5zr1
Malware: DarkSide_c4f1a1b7
Platform: Windows
Info: This strike sends a malware sample known as DarkSide. DarkSide is a ransomware group that made headlines recently when it was attributed to the attack against CompuCom as well as an attack against the Colonial Pipeline, taking the major US fuel pipeline offline. The DarkSide group is known for its very specific approach to targeting victims. Each executable is carefully crafted for its intended target.
External References: https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html
SHA256: 3dabd40d564cf8a8163432abc38768b0a7d45f0fc1970d802dc33b9109feb6a6
SHA1: 5604a48ce74124fb478049976db48197896b6743
MD5: c4f1a1b73e4af0fbb63af8ee89a5a7fe
Strike ID: M21-jn921
Malware: DarkSide_04fde434
Platform: Windows
Info: This strike sends a malware sample known as DarkSide. DarkSide is a ransomware group that made headlines recently when it was attributed to the attack against CompuCom as well as an attack against the Colonial Pipeline, taking the major US fuel pipeline offline. The DarkSide group is known for its very specific approach to targeting victims. Each executable is carefully crafted for its intended target.
External References: https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html
SHA256: 8cfd28911878af048fb96b6cc0b9da770542576d5c2b20b193c3cfc4bde4d3bc
SHA1: 88fc623483f7ffe57f986ed10789e6723083fcd8
MD5: 04fde4340cc79cd9e61340d4c1e8ddfb
Strike ID: M21-oh6c1
Malware: Trickbot_101a4dd4
Platform: Windows
Info: This strike sends a malware sample known as Trickbot. Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts.
External References: https://blog.talosintelligence.com/2021/05/threat-roundup-0514-0521.html
SHA256: 0cc74e84ba475a15fb27ce28f85522fd99c1f199eca191494aabef3a03e5f7dc
SHA1: 592031ed907eae08e92665f116156585771e40dc
MD5: 101a4dd4678daafbc91c14a2f9adaec7
Strike ID: M21-fspp1
Malware: Banload_49c1c132
Platform: Windows
Info: This strike sends a malware sample known as Banload. Banload is a banking trojan that has recently been infecting Latin American systems. This malware uses custom kernel drivers to evade detection.
External References: https://blog.talosintelligence.com/2021/05/threat-roundup-0514-0521.html
SHA256: 8b1cd6d6181b837983fde17d7e3ee06e7bb4d610942dc245d905ad9af84032d3
SHA1: bb698609b54efb097fafb33257a746df71eafc7a
MD5: 49c1c1326133f028e89bded056d32b9c
Strike ID: M21-wd9a1
Malware: DarkSide_1a700f84
Platform: Windows
Info: This strike sends a malware sample known as DarkSide. DarkSide is a ransomware group that made headlines recently when it was attributed to the attack against CompuCom as well as an attack against the Colonial Pipeline, taking the major US fuel pipeline offline. The DarkSide group is known for its very specific approach to targeting victims. Each executable is carefully crafted for its intended target.
External References: https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html
SHA256: 1667e1635736f2b2ba9727457f995a67201ddcd818496c9296713ffa18e17a43
SHA1: c91ff86a88038b00d9190ebb01e6f8c94b0c83e0
MD5: 1a700f845849e573ab3148daef1a3b0b
Strike ID: M21-vmr51
Malware: DarkSide_ce7b2f70
Platform: Windows
Info: This strike sends a malware sample known as DarkSide. DarkSide is a ransomware group that made headlines recently when it was attributed to the attack against CompuCom as well as an attack against the Colonial Pipeline, taking the major US fuel pipeline offline. The DarkSide group is known for its very specific approach to targeting victims. Each executable is carefully crafted for its intended target.
External References: https://unit42.paloaltonetworks.com/darkside-ransomware/
https://www.fortinet.com/blog/threat-research/newly-discovered-function-in-darkside-ransomware-variant-targets-disk-partitions
SHA256: c718e6eaa1a446e0a3d72b533b3552c4419e9e2c646e48a5cbfeb6a7ee88c3dc
SHA1: ed2aec7ebbcb87059b707aa98bd300c8d75f3acd
MD5: ce7b2f7008ab93c659494f2931160147
Strike ID: M21-uq6o1
Malware: DarkSide_84c15679
Platform: Windows
Info: This strike sends a malware sample known as DarkSide. DarkSide is a ransomware group that made headlines recently when it was attributed to the attack against CompuCom as well as an attack against the Colonial Pipeline, taking the major US fuel pipeline offline. The DarkSide group is known for its very specific approach to targeting victims. Each executable is carefully crafted for its intended target.
External References: https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html
SHA256: 516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b
SHA1: 53f2133cb25186e9fa6d4ea3b0e41eee5aba5ef2
MD5: 84c1567969b86089cc33dccf41562bcd
Strike ID: M21-iib01
Malware: DarkSide_6e6278fa
Platform: Windows
Info: This strike sends a malware sample known as DarkSide. DarkSide is a ransomware group that made headlines recently when it was attributed to the attack against CompuCom as well as an attack against the Colonial Pipeline, taking the major US fuel pipeline offline. The DarkSide group is known for its very specific approach to targeting victims. Each executable is carefully crafted for its intended target.
External References: https://unit42.paloaltonetworks.com/darkside-ransomware/
https://www.fortinet.com/blog/threat-research/newly-discovered-function-in-darkside-ransomware-variant-targets-disk-partitions
SHA256: 029c5d48e425206e2ae84a63d62bdbc80362702913b38618a423c541c8a0ed40
SHA1: 7457fe7a167bfc757435b544ce770986a02eb8ca
MD5: 6e6278fa8eda2c2b2ce8fac2ba78cdcc
Strike ID: M21-lylc1
Malware: Dharma_48b09277
Platform: Windows
Info: This strike sends a polymorphic malware sample known as Dharma. Dharma, also known as Crysis, is a trojanized ransomware whose source code has been around for several years, leading to many variants being created. This availability and these variants contribute to its popularity as a Ransomware as a Service model adopted by cyber criminals. Dharma conceals itself inside the target system and encrypts files anytime they are added to the specified directory. Once the files are encrypted, a ransom note is left providing the victim with email addresses to contact in order to pay for decryption. The binary has random content appended to one of the existing sections of the PE file.
External References: https://arxiv.org/abs/1801.08917
https://www.varonis.com/blog/april-2021-malware-trends-report/
https://news.sophos.com/en-us/2020/08/12/color-by-numbers-inside-a-dharma-ransomware-as-a-service-attack/?cmp=30728
PARENTID: M21-vw9l1
SSDEEP: 6144:QsCwu+mWhJifvtNP/7YXSLB80JtqO/PhR3pJ5v6OyJ90clqC8hgh6mTR:NxmIJQvPkitHQqZR3pJx6O4bDRTR
SHA256: b015337823d9d81f8ffd1080a9dbf4ab89776d8e6412dd9cd18b06cbe87dc5e3
SHA1: dfef7b90b3caa6879a56f6322aa3469c6c6112ba
MD5: 48b09277d82efbcaf25e6dbe5dad3c5c
Strike ID: M21-42y01
Malware: Dharma_7dfc8d87
Platform: Windows
Info: This strike sends a malware sample known as Dharma. Dharma, also known as Crysis, is a trojanized ransomware whose source code has been around for several years, leading to many variants being created. This availability and these variants contribute to its popularity as a Ransomware as a Service model adopted by cyber criminals. Dharma conceals itself inside the target system and encrypts files anytime they are added to the specified directory. Once the files are encrypted, a ransom note is left providing the victim with email addresses to contact in order to pay for decryption.
External References: https://www.varonis.com/blog/april-2021-malware-trends-report/
https://news.sophos.com/en-us/2020/08/12/color-by-numbers-inside-a-dharma-ransomware-as-a-service-attack/?cmp=30728
SHA256: b2d2f4ecbc680d590743044744b3ff33c38e4aeb0ada990b0ae7be8291368155
SHA1: e5f3330884a48c5fa462e0299f4bff261b4dbc80
MD5: 7dfc8d87189cce40176fc6310d08c69c
Strike ID: M21-oeqj1
Malware: Banload_b49b6484
Platform: Windows
Info: This strike sends a malware sample known as Banload. Banload is a banking trojan that has recently been infecting Latin American systems. This malware uses custom kernel drivers to evade detection.
External References: https://blog.talosintelligence.com/2021/05/threat-roundup-0514-0521.html
SHA256: 55b9683748287549ed5e4af1e53a5eda957e230194febcae5ef9be04fcbaebff
SHA1: 91a7c49d262eb9ae92e8eae51f06dbf5fc221019
MD5: b49b64848bec6f371a87bb3299289fe6
Strike ID: M21-k3jk1
Malware: DarkSide_0ed51a59
Platform: Windows
Info: This strike sends a malware sample known as DarkSide. DarkSide is a ransomware group that made headlines recently when it was attributed to the attack against CompuCom as well as an attack against the Colonial Pipeline, taking the major US fuel pipeline offline. The DarkSide group is known for its very specific approach to targeting victims. Each executable is carefully crafted for its intended target.
External References: https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html
SHA256: 243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60
SHA1: 7ae73b5e1622049380c9b615ce3b7f636665584b
MD5: 0ed51a595631e9b4d60896ab5573332f
Strike ID: M21-qs2h1
Malware: Banload_0658bb95
Platform: Windows
Info: This strike sends a malware sample known as Banload. Banload is a banking trojan that has recently been infecting Latin American systems. This malware uses custom kernel drivers to evade detection.
External References: https://blog.talosintelligence.com/2021/05/threat-roundup-0514-0521.html
SHA256: 7c52a6d15f4df7dfabfbd864444cb91e710e6b3662f23c8718df1be3b9114a5f
SHA1: 173914e95c314e4ee1ea46b7aa26b8292e8af793
MD5: 0658bb95e633fdb10f56edabc5d3fa8a
Strike ID: M21-ck6i1
Malware: DarkSide_edb56705
Platform: Windows
Info: This strike sends a malware sample known as DarkSide. DarkSide is a ransomware group that made headlines recently when it was attributed to the attack against CompuCom as well as an attack against the Colonial Pipeline, taking the major US fuel pipeline offline. The DarkSide group is known for its very specific approach to targeting victims. Each executable is carefully crafted for its intended target.
External References: https://unit42.paloaltonetworks.com/darkside-ransomware/
https://www.fortinet.com/blog/threat-research/newly-discovered-function-in-darkside-ransomware-variant-targets-disk-partitions
SHA256: 2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0
SHA1: e691a8ecda87157a9cf96fbe4df8f819922e34db
MD5: edb5670581d49771d180940c4d1179b1
Strike ID: M21-uvky1
Malware: DarkSide_25b60dd7
Platform: Windows
Info: This strike sends a malware sample known as DarkSide. DarkSide is a ransomware group that made headlines recently when it was attributed to the attack against CompuCom as well as an attack against the Colonial Pipeline, taking the major US fuel pipeline offline. The DarkSide group is known for its very specific approach to targeting victims. Each executable is carefully crafted for its intended target.
External References: https://unit42.paloaltonetworks.com/darkside-ransomware/
https://www.fortinet.com/blog/threat-research/newly-discovered-function-in-darkside-ransomware-variant-targets-disk-partitions
SHA256: b9fa10f068530007845b84d97d5cd1cba9e69e832a8afd7b49dfddc33def257c
SHA1: 9533b7ad870ee5a8a72fc26cc803e683f26b75f4
MD5: 25b60dd786811e7453cedef90558fba6
Strike ID: M21-cupo1
Malware: DarkSide_1c33dc87
Platform: Windows
Info: This strike sends a malware sample known as DarkSide. DarkSide is a ransomware group that made headlines recently when it was attributed to the attack against CompuCom as well as an attack against the Colonial Pipeline, taking the major US fuel pipeline offline. The DarkSide group is known for its very specific approach to targeting victims. Each executable is carefully crafted for its intended target.
External References: https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html
SHA256: 6836ec8588b8049bcd57cd920b7a75f1e206e5e8bb316927784afadb634ea4d8
SHA1: 0aea126a9d01fc5faf06314529b4ff06fdc6f8cd
MD5: 1c33dc87c6fdb80725d732a5323341f9
Strike ID: M21-nr0w1
Malware: Banload_95dd67c2
Platform: Windows
Info: This strike sends a polymorphic malware sample known as Banload. Banload is a banking trojan that has recently been infecting Latin American systems. This malware uses custom kernel drivers to evade detection. The binary has the timestamp field updated in the PE file header.
External References: https://attack.mitre.org/techniques/T1099/
https://blog.talosintelligence.com/2021/05/threat-roundup-0514-0521.html
SHA256: 9e38914c510a473427c47e4242adcc436f9ae870e30b7e7994f60cc9fa0bf001
PARENTID: M21-0n2t1
SSDEEP: 24576:Jiz9GBuV9wKwHajKw+HEr4HHQm14aoXSNAcRaz6rtHZJZN3nKb/5ArKPfa19Ddyv:JiBxVNLmuDz6ZT6b/mrKHarA9m25ujI
SHA1: ab289c5eaa2cfa623ad91f3a8a3335c428bdc0d0
MD5: 95dd67c228fe6339411c6809cebfbb96
Strike ID: M21-2svi1
Malware: Trickbot_31a7a475
Platform: Windows
Info: This strike sends a malware sample known as Trickbot. Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts.
External References: https://blog.talosintelligence.com/2021/05/threat-roundup-0514-0521.html
SHA256: 9ab87de15c4d5c8d8be7a217e72b215fc92b0fcedc0971147c373a6aa2456fef
SHA1: ebca010bceaff9783b48f4574545a10f5beed1b0
MD5: 31a7a4756aeb04493094f0f916eb9f68
Strike ID: M21-4o181
Malware: DarkSide_e5ca2d12
Platform: Windows
Info: This strike sends a malware sample known as DarkSide. DarkSide is a ransomware group that made headlines recently when it was attributed to the attack against CompuCom as well as an attack against the Colonial Pipeline, taking the major US fuel pipeline offline. The DarkSide group is known for its very specific approach to targeting victims. Each executable is carefully crafted for its intended target.
External References: https://unit42.paloaltonetworks.com/darkside-ransomware/
https://www.fortinet.com/blog/threat-research/newly-discovered-function-in-darkside-ransomware-variant-targets-disk-partitions
SHA256: 5860f2415aa9a30c045099e3071f099313f653ae1806d6bcdb5f47d5da96c6d7
SHA1: d3495ac3b708caeceffab59949dbf8a9fa24ccef
MD5: e5ca2d127e7300f28fbeb1e74d6a6858
Strike ID: M21-7rg61
Malware: DarkSide_dec3eb5c
Platform: Windows
Info: This strike sends a malware sample known as DarkSide. DarkSide is a ransomware group that made headlines recently when it was attributed to the attack against CompuCom as well as an attack against the Colonial Pipeline, taking the major US fuel pipeline offline. The DarkSide group is known for its very specific approach to targeting victims. Each executable is carefully crafted for its intended target.
External References: https://unit42.paloaltonetworks.com/darkside-ransomware/
https://www.fortinet.com/blog/threat-research/newly-discovered-function-in-darkside-ransomware-variant-targets-disk-partitions
SHA256: cbbc7052fed8d0002d07736a68219f01a5a4e1c19ee50310e2381e96fa8836ed
SHA1: 0694f8da55bedb4f0e036341eb123f92fdd77e34
MD5: dec3eb5c3db86ecbad95d50fea19adc1
Strike ID: M21-vzh11
Malware: Banload_21f7c59c
Platform: Windows
Info: This strike sends a malware sample known as Banload. Banload is a banking trojan that has recently been infecting Latin American systems. This malware uses custom kernel drivers to evade detection.
External References: https://blog.talosintelligence.com/2021/05/threat-roundup-0514-0521.html
SHA256: 91d3f095047326e4bf99208fe11cdb0a88701f178ab98ae89c49e818a084c386
SHA1: e69cea55a390e914afb4384099e918845ec0bb13
MD5: 21f7c59c14c55dabd0b9dc42b2a13e65
Strike ID: M21-ehys2
Malware: Banload_08b7011c
Platform: Windows
Info: This strike sends a polymorphic malware sample known as Banload. Banload is a banking trojan that has recently been infecting Latin American systems. This malware uses custom kernel drivers to evade detection. The binary has random content appended to one of the existing sections of the PE file.
External References: https://arxiv.org/abs/1801.08917
https://blog.talosintelligence.com/2021/05/threat-roundup-0514-0521.html
SHA256: fc4873ffe8574231515fee3668906ecf9bc51ba2662db2c6ae1308baf9073f52
PARENTID: M21-0n2t1
SSDEEP: 24576:Eiz9GBuV9wKwHajKw+HEr4HHQm14aoXSNAcRaz6rtHZJRN3nKb/5ArKPfa19Ddyv:EiBxVNLmuDz6ZT6b/mrKHarA9m25ujI
SHA1: cbaaea52e72b4d103a14e377dddded9a8b97ff48
MD5: 08b7011cafcf2b3617b2c7a6eac91d51
Strike ID: M21-9ycv1
Malware: Trickbot_3af15873
Platform: Windows
Info: This strike sends a malware sample known as Trickbot. Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts.
External References: https://blog.talosintelligence.com/2021/05/threat-roundup-0514-0521.html
SHA256: a5b62e585fe7f810c2903d7dd095cd166db5c5f8ae2fd1479fb53d4c7f551994
SHA1: 7f145024fed3fe53e913ab1d4fa1f429b43f1b9f
MD5: 3af158732f544f7c268433efd8d1d486
Strike ID: M21-romy1
Malware: Trickbot_1a06cde9
Platform: Windows
Info: This strike sends a malware sample known as Trickbot. Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts.
External References: https://blog.talosintelligence.com/2021/05/threat-roundup-0514-0521.html
SHA256: 83b0a05523df193ae83adb18353afb513ff52b53cfc1f520fedadf1db6f8035d
SHA1: d45a63ce174c39740b0c4b8b52587ae08d82be50
MD5: 1a06cde9178e41846e85627bcf3c2178
Strike ID: M21-0ga81
Malware: Dharma_8adb0b8e
Platform: Windows
Info: This strike sends a malware sample known as Dharma. Dharma, also known as Crysis, is a trojanized ransomware whose source code has been around for several years, leading to many variants being created. This availability and these variants contribute to its popularity as a Ransomware as a Service model adopted by cyber criminals. Dharma conceals itself inside the target system and encrypts files anytime they are added to the specified directory. Once the files are encrypted, a ransom note is left providing the victim with email addresses to contact in order to pay for decryption.
External References: https://www.varonis.com/blog/april-2021-malware-trends-report/
https://news.sophos.com/en-us/2020/08/12/color-by-numbers-inside-a-dharma-ransomware-as-a-service-attack/?cmp=30728
SHA256: b0b8fd4f6ab383014ea225c2b7776735af059f526cd7c4fdbdcb2e99d074ade7
SHA1: 6fb1fb1641c1faf65b5d7c786b7ea0df0be14b4b
MD5: 8adb0b8eaf0c51c2550bd0192d3a44ee
Strike ID: M21-yzs11
Malware: DarkSide_4ed7cd93
Platform: Windows
Info: This strike sends a polymorphic malware sample known as DarkSide. DarkSide is a ransomware group that made headlines recently when it was attributed to the attack against CompuCom as well as an attack against the Colonial Pipeline, taking the major US fuel pipeline offline. The DarkSide group is known for its very specific approach to targeting victims. Each executable is carefully crafted for its intended target. The binary has been packed using the UPX packer with the default options.
External References: https://attack.mitre.org/techniques/T1045/
https://unit42.paloaltonetworks.com/darkside-ransomware/
https://www.fortinet.com/blog/threat-research/newly-discovered-function-in-darkside-ransomware-variant-targets-disk-partitions
PARENTID: M21-ci4y1
SSDEEP: 768:fI8cApNgHVfXXwbsQkIuhndohNv+Mi4YkxjnO+U:Qz86HVfy5kIQohzYkxz
SHA256: 54dec67c591088e5f476f89f46fe1ae2f1996e3f799885abfb949d167ec10246
SHA1: 077e786c2c45ae1069e2c393d088e450e3cde713
MD5: 4ed7cd9394bba49ed36c657d2a7ca0a6
Strike ID: M21-30nx1
Malware: Trickbot_186929c3
Platform: Windows
Info: This strike sends a malware sample known as Trickbot. Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts.
External References: https://blog.talosintelligence.com/2021/05/threat-roundup-0514-0521.html
SHA256: 05f195725ee1a361ec60766fe747dcc42688cf8ad12a55eddd7a9c5136e59aab
SHA1: dca2b1d9f8c917a1f8e05408a8d9ed2162492701
MD5: 186929c3075e44f6a5dcb92da2c33a33
Strike ID: M21-ek051
Malware: Dharma_425913c1
Platform: Windows
Info: This strike sends a polymorphic malware sample known as Dharma. Dharma, also known as Crysis, is a trojanized ransomware whose source code has been around for several years, leading to many variants being created. This availability and these variants contribute to its popularity as a Ransomware as a Service model adopted by cyber criminals. Dharma conceals itself inside the target system and encrypts files anytime they are added to the specified directory. Once the files are encrypted, a ransom note is left providing the victim with email addresses to contact in order to pay for decryption. The binary has one section renamed to a random name, in line with the PE format specification.
External References: https://arxiv.org/abs/1801.08917
https://www.varonis.com/blog/april-2021-malware-trends-report/
https://news.sophos.com/en-us/2020/08/12/color-by-numbers-inside-a-dharma-ransomware-as-a-service-attack/?cmp=30728
PARENTID: M21-rp7g1
SSDEEP: 6144:tsCwu+mWhJifvtNP/7YXSLB80PqO/PhR3pxsv6hb8K0+oStB8hgh6mT7:ixmIJQvPkitEqZR3pxU6hgnQRT7
SHA256: b979911105465feaf11d88ebbdb9d8840e5e6b2b240c2bb2e2c9490502bedc05
SHA1: 1c61355b42b98db550c7a3cb88f2f9c1838f5861
MD5: 425913c1262d84268c1f03a3cde14a03
Strike ID: M21-dwwu1
Malware: Banload_aa0220fc
Platform: Windows
Info: This strike sends a polymorphic malware sample known as Banload. Banload is a banking trojan that has recently been infecting Latin American systems. This malware uses custom kernel drivers to evade detection. The binary has random strings (lorem ipsum) appended at the end of the file.
External References: https://attack.mitre.org/techniques/T1009/
https://blog.talosintelligence.com/2021/05/threat-roundup-0514-0521.html
SHA256: 622bf40a412b6adab70b9a212a7fe5ae29fcc1c8b0c83a330de57953ef1533d7
PARENTID: M21-udvy1
SSDEEP: 24576:MWIN1ZWrVwKTDyHrtEpGvmzl4tTI/K69HdWJdxotnKb/5ArKPfa19Ddy9yLZ2h9f:MWO1ZXJ4l9gDlb/mrKHarA9m25ujIR
SHA1: 3be3e2524ac9dbeb9f80054c22d2f74b2fedafa2
MD5: aa0220fc966bd466016cb8d43aa157e9
Strike ID: M21-d2bt1
Malware: DarkSide_91e28079
Platform: Windows
Info: This strike sends a malware sample known as DarkSide. DarkSide is a ransomware group that made headlines recently when it was attributed to the attack against CompuCom as well as an attack against the Colonial Pipeline, taking the major US fuel pipeline offline. The DarkSide group is known for its very specific approach to targeting victims. Each executable is carefully crafted for its intended target.
External References: https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html
SHA256: 06cfe7f5d88e82f7adda6d8333ca8b302debb22904c68a942188be5730e9b3c8
SHA1: a3e7561de73378b453186a6c33858bf47577d69c
MD5: 91e2807955c5004f13006ff795cb803c
Strike ID: M21-idbt1
Malware: DarkSide_cfcfb689
Platform: Windows
Info: This strike sends a malware sample known as DarkSide. DarkSide is a ransomware group that made headlines recently when it was attributed to the attack against CompuCom as well as an attack against the Colonial Pipeline, taking the major US fuel pipeline offline. The DarkSide group is known for its very specific approach to targeting victims. Each executable is carefully crafted for its intended target.
External References: https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html
SHA256: 17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61
SHA1: 766b30e5a37d1bc8d8fe5c7cacc314504a44ac1f
MD5: cfcfb68901ffe513e9f0d76b17d02f96
Strike ID: M21-ku0y1
Malware: DarkSide_31ecfd98
Platform: Windows
Info: This strike sends a polymorphic malware sample known as DarkSide. DarkSide is a ransomware group that made headlines recently when it was attributed to the attack against CompuCom as well as an attack against the Colonial Pipeline, taking the major US fuel pipeline offline. The DarkSide group is known for its very specific approach to targeting victims. Each executable is carefully crafted for its intended target. The binary has random strings (lorem ipsum) appended at the end of the file.
External References: https://attack.mitre.org/techniques/T1009/
https://unit42.paloaltonetworks.com/darkside-ransomware/
https://www.fortinet.com/blog/threat-research/newly-discovered-function-in-darkside-ransomware-variant-targets-disk-partitions
PARENTID: M21-ci4y1
SSDEEP: 768:piN4q1eksgR4SiI+rxQ3rjFrXRRWxXyw/Afy8fIaJ/ZB49j9xOOLd9kvAx00U:g4HHerjZX7pLjJKjSO5iH
SHA256: 9b5ae115c44951b3ce1a744ca3b1596206de87ab171f8fc5c46c09f9b0ed302f
SHA1: 3bf609b90820fd21566e6bb851c70214ee4b0f2e
MD5: 31ecfd9898a51b1b116d6805a7ed06b5
Strike ID: M21-myfq1
Malware: DarkSide_cee2fc1d
Platform: Windows
Info: This strike sends a polymorphic malware sample known as DarkSide. DarkSide is a ransomware group that made headlines recently when it was attributed to the attack against CompuCom as well as an attack against the Colonial Pipeline, taking the major US fuel pipeline offline. The DarkSide group is known for its very specific approach to targeting victims. Each executable is carefully crafted for its intended target. The binary has one more import added to the import table.
External References: https://arxiv.org/abs/1702.05983
https://unit42.paloaltonetworks.com/darkside-ransomware/
https://www.fortinet.com/blog/threat-research/newly-discovered-function-in-darkside-ransomware-variant-targets-disk-partitions
PARENTID: M21-ci4y1
SSDEEP: 768:hiN4q1eksgR4SiI+rxQ3rjFrXRRWxXyw/AfyITIaJ/ZB49j9xOOLd9kvAx0:o4HHerjZX7pLTJKjSO5i
SHA256: 0bdebb7c607bf4bc29d45c18d99391b4c9f78790c46223ef438844fbee6dda48
SHA1: 8de86ac3d399c1c17560119510f45c9689947350
MD5: cee2fc1d45b94d4c4ff5acbced664212
Strike ID: M21-ae701
Malware: Dharma_96c198c5
Platform: Windows
Info: This strike sends a malware sample known as Dharma. Dharma, also known as Crysis, is a trojanized ransomware whose source code has been around for several years, leading to many variants being created. This availability and these variants contribute to its popularity as a Ransomware as a Service model adopted by cyber criminals. Dharma conceals itself inside the target system and encrypts files anytime they are added to the specified directory. Once the files are encrypted, a ransom note is left providing the victim with email addresses to contact in order to pay for decryption.
External References: https://www.varonis.com/blog/april-2021-malware-trends-report/
https://news.sophos.com/en-us/2020/08/12/color-by-numbers-inside-a-dharma-ransomware-as-a-service-attack/?cmp=30728
SHA256: 77cbab006cf6a801dbd1c752659bddf28562fb8681d20305dd1dc0b1e105c67a
SHA1: 15d4894e73dfe5f63061462a1bf6a9b5976457c2
MD5: 96c198c58939d40103a47b98431bc5de
Strike ID: M21-c4yj1
Malware: Trickbot_9b902583
Platform: Windows
Info: This strike sends a malware sample known as Trickbot. Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts.
External References: https://blog.talosintelligence.com/2021/05/threat-roundup-0514-0521.html
SHA256: 18d1287fb855580c959cd7101921360dd65e971ac91cc36e494de5209da125f0
SHA1: 28412aedde198607cd9fcbb123586e9a978f6267
MD5: 9b9025830322d872d0ecd63753f1e9b3
Strike ID: M21-eymz1
Malware: DarkSide_0e178c48
Platform: Windows
Info: This strike sends a malware sample known as DarkSide. DarkSide is a ransomware group that made headlines recently when it was attributed to the attack against CompuCom as well as an attack against the Colonial Pipeline, taking the major US fuel pipeline offline. The DarkSide group is known for its very specific approach to targeting victims. Each executable is carefully crafted for its intended target.
External References: https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html
SHA256: 533672da9d276012ebab3ce9f4cd09a7f537f65c6e4b63d43f0c1697e2f5e48d
SHA1: 38b5aa765026dffbb603e323333294b5f5efa5ee
MD5: 0e178c4808213ce50c2540468ce409d3
Strike ID: M21-uf1s1
Malware: DarkSide_e705dfb2
Platform: Windows
Info: This strike sends a malware sample known as DarkSide. DarkSide is a ransomware group that made headlines recently when it was attributed to the attack against CompuCom as well as an attack against the Colonial Pipeline, taking the major US fuel pipeline offline. The DarkSide group is known for its very specific approach to targeting victims. Each executable is carefully crafted for its intended target.
External References: https://unit42.paloaltonetworks.com/darkside-ransomware/
https://www.fortinet.com/blog/threat-research/newly-discovered-function-in-darkside-ransomware-variant-targets-disk-partitions
SHA256: f73044fadb6ee95308c3de89692ac97f707f600e92cee6f217b2a9b657bdb64a
SHA1: 80e1fab71426c366b195c39616b7da73018a80f0
MD5: e705dfb2d66af2c64f03730f670f1d54
Strike ID: M21-0aph1
Malware: DarkSide_39db5648
Platform: Windows
Info: This strike sends a malware sample known as DarkSide. DarkSide is a ransomware group that made headlines recently when it was attributed to the attack against CompuCom as well as an attack against the Colonial Pipeline, taking the major US fuel pipeline offline. The DarkSide group is known for its very specific approach to targeting victims. Each executable is carefully crafted for its intended target.
External References: https://unit42.paloaltonetworks.com/darkside-ransomware/
https://www.fortinet.com/blog/threat-research/newly-discovered-function-in-darkside-ransomware-variant-targets-disk-partitions
SHA256: ec153c3cb67f742b12a35a498d93cd80f47b19ea7b7eb0de217139f136ea0073
SHA1: 13abb1cfe8801256ef8e4f943eb4d9a224e13109
MD5: 39db5648c2ddef913989f51c711b1356
Strike ID: M21-soyk1
Malware: DarkSide_47a4420a
Platform: Windows
Info: This strike sends a malware sample known as DarkSide. DarkSide is a ransomware group that made headlines recently when it was attributed to the attack against CompuCom as well as an attack against the Colonial Pipeline, taking the major US fuel pipeline offline. The DarkSide group is known for its very specific approach to targeting victims. Each executable is carefully crafted for its intended target.
External References: https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html
SHA256: 78782fd324bc98a57274bd3fff8f756217c011484ebf6b614060115a699ee134
SHA1: 7a29a8f5e14da1ce40365849eb59487dbb389d08
MD5: 47a4420ad26f60bb6bba5645326fa963
Strike ID: M21-o2ku1
Malware: Banload_812ad9e9
Platform: Windows
Info: This strike sends a polymorphic malware sample known as Banload. Banload is a banking trojan that has recently been infecting Latin American systems. This malware uses custom kernel drivers to evade detection. The binary has been packed using the UPX packer with the default options.
External References: https://attack.mitre.org/techniques/T1045/
https://blog.talosintelligence.com/2021/05/threat-roundup-0514-0521.html
SHA256: 8514c70de082a327426ce9df0fc7abd332aea73f02daba6008f7a94d887030ec
PARENTID: M21-udvy1
SSDEEP: 24576:VK/C+KBJwfIlCRHXvIOenKb/5ArKPfa19Ddy9yLZ2h95ujon3o:oQwfI0p3b/mrKHarA9m25ujI
SHA1: 9f669ddf2cbb25bd2b13850dd92451eedd0f86dd
MD5: 812ad9e973bb20f736f9455578785570
Strike ID: M21-2hzj1
Malware: Dharma_9b96be6c
Platform: Windows
Info: This strike sends a malware sample known as Dharma. Dharma, also known as Crysis, is a trojanized ransomware whose source code has been around for several years, leading to many variants being created. This availability and these variants contribute to its popularity as a Ransomware as a Service model adopted by cyber criminals. Dharma conceals itself inside the target system and encrypts files anytime they are added to the specified directory. Once the files are encrypted, a ransom note is left providing the victim with email addresses to contact in order to pay for decryption.
External References: https://www.varonis.com/blog/april-2021-malware-trends-report/
https://news.sophos.com/en-us/2020/08/12/color-by-numbers-inside-a-dharma-ransomware-as-a-service-attack/?cmp=30728
SHA256: a847fe149f3ff49b9234975c2e52176176e5aced6ebe1bc0b9db444fa14c55dd
SHA1: 4107d7aa64977f3a8ea1388540753687d4c8a95e
MD5: 9b96be6c2ac05decb4b8d41469cb864e
Strike ID: M21-swcc2
Malware: Dharma_0b3f26d9
Platform: Windows
Info: This strike sends a polymorphic malware sample known as Dharma. Dharma, also known as Crysis, is a trojanized ransomware whose source code has been around for several years, leading to many variants being created. This availability and these variants contribute to its popularity as a Ransomware as a Service model adopted by cyber criminals. Dharma conceals itself inside the target system and encrypts files anytime they are added to the specified directory. Once the files are encrypted, a ransom note is left providing the victim with email addresses to contact in order to pay for decryption. The binary has random strings (lorem ipsum) appended at the end of the file.
External References: https://attack.mitre.org/techniques/T1009/
https://www.varonis.com/blog/april-2021-malware-trends-report/
https://news.sophos.com/en-us/2020/08/12/color-by-numbers-inside-a-dharma-ransomware-as-a-service-attack/?cmp=30728
PARENTID: M21-vw9l1
SSDEEP: 6144:QsCwu+mWhJifvtNP/7YXSLB80PqO/PhR3pJ5v6OyJ90clqC8hgh6mTI:NxmIJQvPkitEqZR3pJx6O4bDRTI
SHA256: 0169d7b61eb7f42eff0c9e78e9e9061d8bf4c5a104f5dcfb22a76d1025ff798f
SHA1: 9305fbedc04c6b876ee02b0b9196cbdef7f686b0
MD5: 0b3f26d996dc0326a7eb88f122c21e3c
Strike ID: M21-nlns1
Malware: DarkSide_3fd9b011
Platform: Windows
Info: This strike sends a malware sample known as DarkSide. DarkSide is a ransomware group that made headlines recently when it was attributed to the attack against CompuCom as well as an attack against the Colonial Pipeline, taking the major US fuel pipeline offline. The DarkSide group is known for its very specific approach to targeting victims. Each executable is carefully crafted for its intended target.
External References: https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html
SHA256: 27214dcb04310040c38f8d6a65fe03c14b18d4171390da271855fdd02e06768f
SHA1: cf04fa736baf22a2ca4e67f1c7723f1776267e28
MD5: 3fd9b0117a0e79191859630148dcdc6d
Strike ID: M21-c2vg1
Malware: DarkSide_f9fc1a1a
Platform: Windows
Info: This strike sends a malware sample known as DarkSide. DarkSide is a ransomware group that made headlines recently when it was attributed to the attack against CompuCom as well as an attack against the Colonial Pipeline, taking the major US fuel pipeline offline. The DarkSide group is known for its very specific approach to targeting victims. Each executable is carefully crafted for its intended target.
External References: https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html
SHA256: 43e61519be440115eeaa3738a0e4aa4bb3c8ac5f9bdfce1a896db17a374eb8aa
SHA1: ce2480dec2ee0a47549fad355c3cf154f9aab836
MD5: f9fc1a1a95d5723c140c2a8effc93722
Strike ID: M21-jdb61
Malware: DarkSide_2201ca26
Platform: Mixed
Info: This strike sends a malware sample known as DarkSide. DarkSide is a ransomware group that made headlines recently when it was attributed to the attack against CompuCom as well as an attack against the Colonial Pipeline, taking the major US fuel pipeline offline. The DarkSide group is known for its very specific approach to targeting victims. Each executable is carefully crafted for its intended target.
External References: https://unit42.paloaltonetworks.com/darkside-ransomware/
https://www.fortinet.com/blog/threat-research/newly-discovered-function-in-darkside-ransomware-variant-targets-disk-partitions
SHA256: d0310c05af050555e9c7e4d005c28fc174cc288e41d44c3d919bfb1f5b88e486
SHA1: a789d1ae40515ffe6b85e6838ef99f13eb890ecf
MD5: 2201ca264fed0d997da6c5701af7e591
Strike ID: M21-akbp1
Malware: DarkSide_b278d7ec
Platform: Windows
Info: This strike sends a malware sample known as DarkSide. DarkSide is a ransomware group that made headlines recently when it was attributed to the attack against CompuCom as well as an attack against the Colonial Pipeline, taking the major US fuel pipeline offline. The DarkSide group is known for its very specific approach to targeting victims. Each executable is carefully crafted for its intended target.
External References: https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html
SHA256: bafa2efff234303166d663f967037dae43701e7d63d914efc8c894b3e5be9408
SHA1: 666a451867ce40c1bd9442271ef3be424e2d9b17
MD5: b278d7ec3681df16a541cf9e34d3b70a
Strike ID: M21-qzbe1 | Malware: DarkSide_ac4b1759 | Platform: Windows
Info: This strike sends a polymorphic malware sample known as DarkSide. DarkSide is a ransomware group that made headlines when it was linked to the attack on CompuCom and to the attack on Colonial Pipeline, which took the major US fuel pipeline offline. The group is known for its highly targeted approach: each executable is built for its intended victim. This variant has the checksum removed from its PE optional header.
External References:
https://arxiv.org/abs/1801.08917
https://unit42.paloaltonetworks.com/darkside-ransomware/
https://www.fortinet.com/blog/threat-research/newly-discovered-function-in-darkside-ransomware-variant-targets-disk-partitions
PARENTID: M21-ci4y1
SSDEEP: 768:1iN4q1eksgR4SiI+rxQ3rjFrXRRWxXyw/Afy8fIaJ/ZB49j9xOOLd9kvAx0:k4HHerjZX7pLjJKjSO5i
SHA256: 177e7d3cfef850c85ba23522bde8398668cc4ff030280816edb027b9c0dba62d
SHA1: a83a18ece9ab5f052a5649666925cdfd78f59b30
MD5: ac4b1759f73f6abc497decdbc53011cb
Strike ID: M21-lj5s1 | Malware: Banload_54ba4069 | Platform: Windows
Info: This strike sends a malware sample known as Banload. Banload is a banking trojan that has recently been infecting systems in Latin America. It uses custom kernel drivers to evade detection.
External References: https://blog.talosintelligence.com/2021/05/threat-roundup-0514-0521.html
SHA256: 9b784fc190b973bd14b906402191c672a5e0a4eb202a04482cfe06b6353584bf
SHA1: 0ca70cd0866f93684cef7585264630e3d5d5ecb2
MD5: 54ba40694472ffb6b9ae416c9c48ba4d
Strike ID: M21-wc4m1 | Malware: Trickbot_fb145828 | Platform: Windows
Info: This strike sends a malware sample known as Trickbot. Trickbot is a banking trojan that targets sensitive information for a select set of financial institutions. It is frequently distributed through malicious spam campaigns, many of which rely on downloaders such as VBScript files for delivery.
External References: https://blog.talosintelligence.com/2021/05/threat-roundup-0514-0521.html
SHA256: 31bb9e87a0bb8fa3d72da620bb6805037fbba7a3e38e74e032239b83d890961b
SHA1: d92110f59d8e5b0b063319e165da8fdf3e030c78
MD5: fb1458288b548f5c3c20c4fe985bd969
Strike ID: M21-n8qn1 | Malware: DarkSide_68ada5f6 | Platform: Windows
Info: This strike sends a malware sample known as DarkSide. DarkSide is a ransomware group that made headlines when it was linked to the attack on CompuCom and to the attack on Colonial Pipeline, which took the major US fuel pipeline offline. The group is known for its highly targeted approach: each executable is built for its intended victim.
External References: https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html
SHA256: ec368752c2cf3b23efbfa5705f9e582fc9d6766435a7b8eea8ef045082c6fbce
SHA1: 6fdd82160ccf88cf5adc39f851859034124fd7c9
MD5: 68ada5f6aa8e3c3969061e905ceb204c
Strike ID: M21-7u4z1 | Malware: Trickbot_b7a49ceb | Platform: Windows
Info: This strike sends a malware sample known as Trickbot. Trickbot is a banking trojan that targets sensitive information for a select set of financial institutions. It is frequently distributed through malicious spam campaigns, many of which rely on downloaders such as VBScript files for delivery.
External References: https://blog.talosintelligence.com/2021/05/threat-roundup-0514-0521.html
SHA256: 3166b8b9a3de793d80b189ebc9652a001c0879690c77fb05dab4f86a6cd9bf34
SHA1: 8fb985e0e2152eb027b0598d50160c7912ec6611
MD5: b7a49ceb3f714dbca3919e75e5428078
Strike ID: M21-nqnd1 | Malware: Dharma_c61e6887 | Platform: Windows
Info: This strike sends a polymorphic malware sample known as Dharma. Dharma, also known as Crysis, is a ransomware family whose source code has circulated for several years, leading to many variants. That availability, and the variants it spawned, have made it popular with cyber criminals operating a Ransomware-as-a-Service model. Dharma conceals itself on the target system and encrypts files whenever they are added to the targeted directory. Once the files are encrypted, a ransom note is left giving the victim email addresses to contact in order to pay for decryption. This variant has one section renamed to a random name that remains valid under the PE format specification.
External References:
https://arxiv.org/abs/1801.08917
https://www.varonis.com/blog/april-2021-malware-trends-report/
https://news.sophos.com/en-us/2020/08/12/color-by-numbers-inside-a-dharma-ransomware-as-a-service-attack/?cmp=30728
PARENTID: M21-vw9l1
SSDEEP: 6144:NsCwu+mWhJifvtNP/7YXSLB80PqO/PhR3pJ5v6OyJ90clqC8hgh6mTR:CxmIJQvPkitEqZR3pJx6O4bDRTR
SHA256: 79ab0e57c489b174c98226c15f3b75c7df5f14fb3743a1dc43c2222adddffcb8
SHA1: 0e0d4005d4358b21bdb505ff6059cfc2e912dae9
MD5: c61e688710c50976d854b7eba9a55dea
Strike ID: M21-7o1w1 | Malware: Banload_62d4cbbe | Platform: Windows
Info: This strike sends a polymorphic malware sample known as Banload. Banload is a banking trojan that has recently been infecting systems in Latin America. It uses custom kernel drivers to evade detection. This variant has the timestamp field in its PE file header updated.
External References:
https://attack.mitre.org/techniques/T1099/
https://blog.talosintelligence.com/2021/05/threat-roundup-0514-0521.html
PARENTID: M21-udvy1
SSDEEP: 24576:UWIN1ZWrVwKTDyHrtEpGvmzl4tTI/K69HdWJdxotnKb/5ArKPfa19Ddy9yLZ2h9B:UWO1ZXJ4l9gDlb/mrKHarA9m25ujI
SHA256: 198925bdc035d0f49f1e2160ade0d2c89df656b15f51db54cf57171185439670
SHA1: 729745ad865230c79b2d8d0a3685b402f879364d
MD5: 62d4cbbee0dacd83933816350ff340e7
Strike ID: M21-udvy1 | Malware: Banload_ab0d89d2 | Platform: Windows
Info: This strike sends a malware sample known as Banload. Banload is a banking trojan that has recently been infecting systems in Latin America. It uses custom kernel drivers to evade detection.
External References: https://blog.talosintelligence.com/2021/05/threat-roundup-0514-0521.html
SHA256: c72e274038f91b7375147ee0c63b290a369d7c4a82fadeb891e7c60b7bc9c19e
SHA1: 5b93d6434eb949cbc975b37ab18e3c548e7b69b4
MD5: ab0d89d2a3aae61867d2f74734247be4
Strike ID: M21-gee71 | Malware: DarkSide_0390938e | Platform: Windows
Info: This strike sends a malware sample known as DarkSide. DarkSide is a ransomware group that made headlines when it was linked to the attack on CompuCom and to the attack on Colonial Pipeline, which took the major US fuel pipeline offline. The group is known for its highly targeted approach: each executable is built for its intended victim.
External References:
https://unit42.paloaltonetworks.com/darkside-ransomware/
https://www.fortinet.com/blog/threat-research/newly-discovered-function-in-darkside-ransomware-variant-targets-disk-partitions
SHA256: a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210
SHA1: f90f83c3dbcbe9b5437316a67a8abe6a101ef4c3
MD5: 0390938e8a9df14af45e264a128a5bf8
Strike ID: M21-z34f1 | Malware: DarkSide_e4445015 | Platform: Windows
Info: This strike sends a malware sample known as DarkSide. DarkSide is a ransomware group that made headlines when it was linked to the attack on CompuCom and to the attack on Colonial Pipeline, which took the major US fuel pipeline offline. The group is known for its highly targeted approach: each executable is built for its intended victim.
External References: https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html
SHA256: 691515a485b0b3989fb71c6807e640eeec1a0e30d90500db6414035d942f70a5
SHA1: 8c482a0eed33c8a4542c3cb2715a242f2259343d
MD5: e44450150e8683a0addd5c686cd4d202
Strike ID: M21-7ayl1 | Malware: Banload_19b2502d | Platform: Windows
Info: This strike sends a malware sample known as Banload. Banload is a banking trojan that has recently been infecting systems in Latin America. It uses custom kernel drivers to evade detection.
External References: https://blog.talosintelligence.com/2021/05/threat-roundup-0514-0521.html
SHA256: 2c0e371df8026e3c58b45270a0b4034b4b7d3ea2a59d7bfa4ba27d104473a82a
SHA1: a61be2d67687a2fd0d946e4dddb27693855d7dfa
MD5: 19b2502d914c566558be34907e3d6cc8
Strike ID: M21-2quq1 | Malware: Banload_7fa2373e | Platform: Windows
Info: This strike sends a malware sample known as Banload. Banload is a banking trojan that has recently been infecting systems in Latin America. It uses custom kernel drivers to evade detection.
External References: https://blog.talosintelligence.com/2021/05/threat-roundup-0514-0521.html
SHA256: 76a348c168c543e7c16099dbe86e942241de5daec83a59736717e60df84c9c9b
SHA1: 86bd8b014bfb4378c636bc8dacce1bdba89f7586
MD5: 7fa2373eb569259cda8c858bbd553e6d
Strike ID: M21-8pw21 | Malware: Banload_b0f6797f | Platform: Windows
Info: This strike sends a malware sample known as Banload. Banload is a banking trojan that has recently been infecting systems in Latin America. It uses custom kernel drivers to evade detection.
External References: https://blog.talosintelligence.com/2021/05/threat-roundup-0514-0521.html
SHA256: 74cdc056e46b193f9e8addb360bfaaeffac251c454d6117126d571f58990bef7
SHA1: cbdcaf29cc3cf40e16d121e7df3175ad9e8d2354
MD5: b0f6797f35d9b0845d0208b5ee2b2d95
Strike ID: M21-homx1 | Malware: DarkSide_5d5a210c | Platform: Windows
Info: This strike sends a polymorphic malware sample known as DarkSide. DarkSide is a ransomware group that made headlines when it was linked to the attack on CompuCom and to the attack on Colonial Pipeline, which took the major US fuel pipeline offline. The group is known for its highly targeted approach: each executable is built for its intended victim. This variant has one section renamed to a random name that remains valid under the PE format specification.
External References:
https://arxiv.org/abs/1801.08917
https://unit42.paloaltonetworks.com/darkside-ransomware/
https://www.fortinet.com/blog/threat-research/newly-discovered-function-in-darkside-ransomware-variant-targets-disk-partitions
PARENTID: M21-ci4y1
SSDEEP: 768:xiN4q1eksgR4SiI+rxQ3rjFrXRRWxXyw/Afy8fIaJ/ZB49j9xOOLd9kvAx0:44HHerjZX7pLjJKjSO5i
SHA256: e229a49749a0fbdd2303968050098341be5fd4b60c7f5692d206e3298d39a954
SHA1: 2e0d360a513302700b6fcdc92a104cf83abffd13
MD5: 5d5a210c1f095c039a5c2cb2411391ac
Strike ID: M21-s6p71 | Malware: DarkSide_69ec3d13 | Platform: Windows
Info: This strike sends a malware sample known as DarkSide. DarkSide is a ransomware group that made headlines when it was linked to the attack on CompuCom and to the attack on Colonial Pipeline, which took the major US fuel pipeline offline. The group is known for its highly targeted approach: each executable is built for its intended victim.
External References: https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html
SHA256: 508dd6f7ed6c143cf5e1ed6a4051dd8ee7b5bf4b7f55e0704d21ba785f2d5add
SHA1: 11936a92144ef1b53eef16566a57b9052d173291
MD5: 69ec3d1368adbe75f3766fc88bc64afc
Strike ID: M21-86hr1 | Malware: DarkSide_f913d43b | Platform: Windows
Info: This strike sends a malware sample known as DarkSide. DarkSide is a ransomware group that made headlines when it was linked to the attack on CompuCom and to the attack on Colonial Pipeline, which took the major US fuel pipeline offline. The group is known for its highly targeted approach: each executable is built for its intended victim.
External References: https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html
SHA256: b6855793aebdd821a7f368585335cb132a043d30cb1f8dccceb5d2127ed4b9a4
SHA1: fd18c95cba3d2c31976605f680ad4b4308090b55
MD5: f913d43ba0a9f921b1376b26cd30fa34
Strike ID: M21-ve771 | Malware: DarkSide_0240d59b | Platform: Windows
Info: This strike sends a malware sample known as DarkSide. DarkSide is a ransomware group that made headlines when it was linked to the attack on CompuCom and to the attack on Colonial Pipeline, which took the major US fuel pipeline offline. The group is known for its highly targeted approach: each executable is built for its intended victim.
External References:
https://unit42.paloaltonetworks.com/darkside-ransomware/
https://www.fortinet.com/blog/threat-research/newly-discovered-function-in-darkside-ransomware-variant-targets-disk-partitions
SHA256: 56e7b9c4b8962b6ff0d1e0162ca8515a07b576cd47ba90221354838733f8689a
SHA1: db0d2e3197da4944cc20b8b62be0d1750b796451
MD5: 0240d59b0275e347fb5c3916cc8720e6
Strike ID: M21-ci4y1 | Malware: DarkSide_979692cd | Platform: Windows
Info: This strike sends a malware sample known as DarkSide. DarkSide is a ransomware group that made headlines when it was linked to the attack on CompuCom and to the attack on Colonial Pipeline, which took the major US fuel pipeline offline. The group is known for its highly targeted approach: each executable is built for its intended victim.
External References:
https://unit42.paloaltonetworks.com/darkside-ransomware/
https://www.fortinet.com/blog/threat-research/newly-discovered-function-in-darkside-ransomware-variant-targets-disk-partitions
SHA256: 0a0c225f0e5ee941a79f2b7701f1285e4975a2859eb4d025d96d9e366e81abb9
SHA1: c511ae4d80aaa281c610190aa13630de61ca714c
MD5: 979692cd7fc638beea6e9d68c752f360
Strike ID: M21-lymb1 | Malware: DarkSide_9e779da8 | Platform: Windows
Info: This strike sends a malware sample known as DarkSide. DarkSide is a ransomware group that made headlines when it was linked to the attack on CompuCom and to the attack on Colonial Pipeline, which took the major US fuel pipeline offline. The group is known for its highly targeted approach: each executable is built for its intended victim.
External References: https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html
SHA256: 68872cc22fbdf0c2f69c32ac878ba9a7b7cf61fe5dd0e3da200131b8b23438e7
SHA1: e6b47869caa776840ab79856b04096152103c71d
MD5: 9e779da82d86bcd4cc43ab29f929f73f
Strike ID: M21-ida41 | Malware: Trickbot_a900f134 | Platform: Windows
Info: This strike sends a malware sample known as Trickbot. Trickbot is a banking trojan that targets sensitive information for a select set of financial institutions. It is frequently distributed through malicious spam campaigns, many of which rely on downloaders such as VBScript files for delivery.
External References: https://blog.talosintelligence.com/2021/05/threat-roundup-0514-0521.html
SHA256: 4830421af66606a4751a2098d99d1c20148398f2e4cbdd2713510e96b8457b62
SHA1: 04466b318805e53aee2137781b2025564d178cc8
MD5: a900f134cca712bb476a37c9ed234f03
Strike ID: M21-ml4o1 | Malware: Trickbot_baf6c334 | Platform: Windows
Info: This strike sends a malware sample known as Trickbot. Trickbot is a banking trojan that targets sensitive information for a select set of financial institutions. It is frequently distributed through malicious spam campaigns, many of which rely on downloaders such as VBScript files for delivery.
External References: https://blog.talosintelligence.com/2021/05/threat-roundup-0514-0521.html
SHA256: 131aa9aff24d5a6c2d70a07ac9db7dd2db43043a5ded152b84dd519585e274d3
SHA1: e569ead11893287e379ba8c9475bfb37f2573048
MD5: baf6c3344d807d2d8e5156c971343feb
Strike ID: M21-yokr1 | Malware: Trickbot_6b11ef83 | Platform: Windows
Info: This strike sends a malware sample known as Trickbot. Trickbot is a banking trojan that targets sensitive information for a select set of financial institutions. It is frequently distributed through malicious spam campaigns, many of which rely on downloaders such as VBScript files for delivery.
External References: https://blog.talosintelligence.com/2021/05/threat-roundup-0514-0521.html
SHA256: 5dc5970dccbc6a34b9d8d28c6e385140ba0d114342ec1bb83664f8d9273af3b8
SHA1: c78bf299e1467dfd434f5b05c23c549a5933fd9f
MD5: 6b11ef8347c8989e5109e50650282b3b
Strike ID: M21-4uet1 | Malware: Trickbot_d56493d8 | Platform: Windows
Info: This strike sends a malware sample known as Trickbot. Trickbot is a banking trojan that targets sensitive information for a select set of financial institutions. It is frequently distributed through malicious spam campaigns, many of which rely on downloaders such as VBScript files for delivery.
External References: https://blog.talosintelligence.com/2021/05/threat-roundup-0514-0521.html
SHA256: 3d1089ed07fae34ce76d713928f214cde6310a8d4a293e5a168a4f92caab6815
SHA1: 38414dcc5b6168db96a83ea3e678f342062f3093
MD5: d56493d83c2260a272e64263f7e17b51
Strike ID: M21-h1ei1 | Malware: DarkSide_c81dae5c | Platform: Windows
Info: This strike sends a malware sample known as DarkSide. DarkSide is a ransomware group that made headlines when it was linked to the attack on CompuCom and to the attack on Colonial Pipeline, which took the major US fuel pipeline offline. The group is known for its highly targeted approach: each executable is built for its intended victim.
External References: https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html
SHA256: 48a848bc9e0f126b41e5ca196707412c7c40087404c0c8ed70e5cee4a418203a
SHA1: 4bd6437cd1dc77097a7951466531674f80c866c6
MD5: c81dae5c67fb72a2c2f24b178aea50b7
Strike ID: M21-2svj1 | Malware: Banload_64cada78 | Platform: Windows
Info: This strike sends a polymorphic malware sample known as Banload. Banload is a banking trojan that has recently been infecting systems in Latin America. It uses custom kernel drivers to evade detection. This variant has the checksum removed from its PE optional header.
External References:
https://arxiv.org/abs/1801.08917
https://blog.talosintelligence.com/2021/05/threat-roundup-0514-0521.html
PARENTID: M21-udvy1
SSDEEP: 24576:SWIN1ZWrVwKTDyHrtEpGvmzl4tTI/K69HdWJdxotnKb/5ArKPfa19Ddy9yLZ2h9B:SWO1ZXJ4l9gDlb/mrKHarA9m25ujI
SHA256: a79f5b6a3bd63e93607ea08822a7192812c7ffc5136871469ad2daf2801b33cb
SHA1: 1b093030a27753d4b3ef74516f961b5fa359fe19
MD5: 64cada78fb8d2be8321c64030fb06347
Strike ID: M21-izr91 | Malware: DarkSide_66ddb290 | Platform: Windows
Info: This strike sends a malware sample known as DarkSide. DarkSide is a ransomware group that made headlines when it was linked to the attack on CompuCom and to the attack on Colonial Pipeline, which took the major US fuel pipeline offline. The group is known for its highly targeted approach: each executable is built for its intended victim.
External References: https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html
SHA256: f764c49daffdacafa94aaece1d5094e0fac794639758e673440329b02c0fda39
SHA1: 77b9103d4af311ba76511144d47aed440ae6ce9f
MD5: 66ddb290df3d510a6001365c3a694de2
Strike ID: M21-vsqv1 | Malware: Banload_f9295e9d | Platform: Windows
Info: This strike sends a malware sample known as Banload. Banload is a banking trojan that has recently been infecting systems in Latin America. It uses custom kernel drivers to evade detection.
External References: https://blog.talosintelligence.com/2021/05/threat-roundup-0514-0521.html
SHA256: 1bc49fbaf79dd64dfa1444ef14942cfa09d3a908bd743490394cdf515306cdd1
SHA1: edcb5dd6982882ca1d52d3ff8b66a36233d965d5
MD5: f9295e9d59544554999c80a0be5ea322
Strike ID: M21-6s051 | Malware: Trickbot_dcb21aee | Platform: Windows
Info: This strike sends a malware sample known as Trickbot. Trickbot is a banking trojan that targets sensitive information for a select set of financial institutions. It is frequently distributed through malicious spam campaigns, many of which rely on downloaders such as VBScript files for delivery.
External References: https://blog.talosintelligence.com/2021/05/threat-roundup-0514-0521.html
SHA256: 0aa2bdac94440831075a26f053a7d87137f09d2774656c4968c7a74668506155
SHA1: e884d9cd5d17485f24ce3d951a161088ebefcb69
MD5: dcb21aeef72429aec02c63e9185c9e68
Strike ID: M21-9a3h1 | Malware: Dharma_6b579803 | Platform: Windows
Info: This strike sends a polymorphic malware sample known as Dharma. Dharma, also known as Crysis, is a ransomware family whose source code has circulated for several years, leading to many variants. That availability, and the variants it spawned, have made it popular with cyber criminals operating a Ransomware-as-a-Service model. Dharma conceals itself on the target system and encrypts files whenever they are added to the targeted directory. Once the files are encrypted, a ransom note is left giving the victim email addresses to contact in order to pay for decryption. This variant has random bytes appended to the end of the file.
External References:
https://attack.mitre.org/techniques/T1009/
https://www.varonis.com/blog/april-2021-malware-trends-report/
https://news.sophos.com/en-us/2020/08/12/color-by-numbers-inside-a-dharma-ransomware-as-a-service-attack/?cmp=30728
PARENTID: M21-vw9l1
SSDEEP: 6144:QsCwu+mWhJifvtNP/7YXSLB80PqO/PhR3pJ5v6OyJ90clqC8hgh6mTR:NxmIJQvPkitEqZR3pJx6O4bDRTR
SHA256: 9b63931ed940e4d344c02418a3583afab0c5aed5bfe201eb9653a80d926dbe7f
SHA1: c8439d5e78909d8225da7c4a7c02441f0084d7b7
MD5: 6b5798035d7d54cfa82271799ddd12ac
Strike ID: M21-gwpj1 | Malware: Banload_23c1d4e3 | Platform: Windows
Info: This strike sends a polymorphic malware sample known as Banload. Banload is a banking trojan that has recently been infecting systems in Latin America. It uses custom kernel drivers to evade detection. This variant has been packed with the UPX packer using its default options.
External References:
https://attack.mitre.org/techniques/T1045/
https://blog.talosintelligence.com/2021/05/threat-roundup-0514-0521.html
PARENTID: M21-0n2t1
SSDEEP: 24576:c9UTINHkMvKgdNsYviwvVTnW/OwMNyavv15SmbRgG:cmw9KgviyWmwMNyw1cml
SHA256: 98da5f1f9496d108a79ce4eff40778f7adcf1366cfccb7a00982520611c7fc83
SHA1: c36af8203e63a082da573e7df7b1e7830e5fc51d
MD5: 23c1d4e3c2d7f46928ac7e09b19534df
Strike ID: M21-0wlo1 | Malware: DarkSide_88c02d90 | Platform: Windows
Info: This strike sends a malware sample known as DarkSide. DarkSide is a ransomware group that made headlines when it was linked to the attack on CompuCom and to the attack on Colonial Pipeline, which took the major US fuel pipeline offline. The group is known for its highly targeted approach: each executable is built for its intended victim.
External References:
https://unit42.paloaltonetworks.com/darkside-ransomware/
https://www.fortinet.com/blog/threat-research/newly-discovered-function-in-darkside-ransomware-variant-targets-disk-partitions
SHA256: 976c584484439e923426502f11e0f4c22af249b7b2e889ec6432c4b4008d8abf
SHA1: c2bbdcd7e50ead11918052d49d840a02492ea940
MD5: 88c02d9088cdd0bff565b294be887c69
Strike ID: M21-qr6r1 | Malware: Banload_94a170cb | Platform: Windows
Info: This strike sends a malware sample known as Banload. Banload is a banking trojan that has recently been infecting systems in Latin America. It uses custom kernel drivers to evade detection.
External References: https://blog.talosintelligence.com/2021/05/threat-roundup-0514-0521.html
SHA256: 166554cb48b210b46af9dac9741da40904c7827696eeaa36ea2cd2d05b57b964
SHA1: 38b11b7c06f62f8b48856a2b79d6913c9109b411
MD5: 94a170cb5beb4d608e23d555333c86ee
Strike ID: M21-xski1 | Malware: DarkSide_72a14a67 | Platform: Windows
Info: This strike sends a malware sample known as DarkSide. DarkSide is a ransomware group that made headlines when it was linked to the attack on CompuCom and to the attack on Colonial Pipeline, which took the major US fuel pipeline offline. The group is known for its highly targeted approach: each executable is built for its intended victim.
External References:
https://unit42.paloaltonetworks.com/darkside-ransomware/
https://www.fortinet.com/blog/threat-research/newly-discovered-function-in-darkside-ransomware-variant-targets-disk-partitions
SHA256: 17ee406d40737e0d9e7ccaf17416461ab68fc77ec77758b4bcb4f782ae45a1b4
SHA1: 31a9cac048db48393b742bc2b15162efa0c46178
MD5: 72a14a67df04b4c3b7423a4120082785
Strike ID: M21-c7bs1 | Malware: Trickbot_1c70fc8c | Platform: Windows
Info: This strike sends a malware sample known as Trickbot. Trickbot is a banking trojan that targets sensitive information for a select set of financial institutions. It is frequently distributed through malicious spam campaigns, many of which rely on downloaders such as VBScript files for delivery.
External References: https://blog.talosintelligence.com/2021/05/threat-roundup-0514-0521.html
SHA256: 33b5144bc41727680ed9e62e4444147607f222765b86c3d47ee073f498087fde
SHA1: db914250abe0d93f99bffb167f7b23c05ad43b2e
MD5: 1c70fc8c8afe9c9d468989442374bc18
Strike ID: M21-3yxd1 | Malware: DarkSide_4d419dc5 | Platform: Windows
Info: This strike sends a malware sample known as DarkSide. DarkSide is a ransomware group that made headlines when it was linked to the attack on CompuCom and to the attack on Colonial Pipeline, which took the major US fuel pipeline offline. The group is known for its highly targeted approach: each executable is built for its intended victim.
External References: https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html
SHA256: ac092962654b46a670b030026d07f5b8161cecd2abd6eece52b7892965aa521b
SHA1: 304aa8ce88264f6e8db32ce3d3b267f64b426488
MD5: 4d419dc50e3e4824c096f298e0fa885a
Strike ID: M21-p3qb1 | Malware: DarkSide_a3d964aa | Platform: Windows
Info: This strike sends a malware sample known as DarkSide. DarkSide is a ransomware group that made headlines when it was linked to the attack on CompuCom and to the attack on Colonial Pipeline, which took the major US fuel pipeline offline. The group is known for its highly targeted approach: each executable is built for its intended victim.
External References: https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html
SHA256: bfb31c96f9e6285f5bb60433f2e45898b8a7183a2591157dc1d766be16c29893
SHA1: a4e2deb65f97f657b50e48707b883ce2b138e787
MD5: a3d964aaf642d626474f02ba3ae4f49b
Strike ID: M21-p7px1 | Malware: Dharma_d154f03e | Platform: Windows
Info: This strike sends a malware sample known as Dharma. Dharma, also known as Crysis, is a ransomware family whose source code has circulated for several years, leading to many variants. That availability, and the variants it spawned, have made it popular with cyber criminals operating a Ransomware-as-a-Service model. Dharma conceals itself on the target system and encrypts files whenever they are added to the targeted directory. Once the files are encrypted, a ransom note is left giving the victim email addresses to contact in order to pay for decryption.
External References:
https://www.varonis.com/blog/april-2021-malware-trends-report/
https://news.sophos.com/en-us/2020/08/12/color-by-numbers-inside-a-dharma-ransomware-as-a-service-attack/?cmp=30728
SHA256: ef5f2ce1a4d68d656400906ae906b0c7e7f61017f14840a7ac145d59ee69a4bd
SHA1: b7dc961e4485c967f43f1be6fbbe067a81cc2181
MD5: d154f03e05aa319754f1648f6257e900
Strike ID: M21-6i361 | Malware: Trickbot_e296c4a0 | Platform: Windows
Info: This strike sends a malware sample known as Trickbot. Trickbot is a banking trojan that targets sensitive information for a select set of financial institutions. It is frequently distributed through malicious spam campaigns, many of which rely on downloaders such as VBScript files for delivery.
External References: https://blog.talosintelligence.com/2021/05/threat-roundup-0514-0521.html
SHA256: a1ca0df13e169d4370724f37f7a7651c45ca9fb447ee44fbd0f9e2282f3e7caa
SHA1: 1fef59c5046d7d53666268e06ddfbcc8f3486738
MD5: e296c4a0cc2e46b055003690dc5c229c
Strike ID: M21-f95q2 | Malware: Dharma_142d30b8 | Platform: Windows
Info: This strike sends a polymorphic malware sample known as Dharma. Dharma, also known as Crysis, is a ransomware family whose source code has circulated for several years, leading to many variants. That availability, and the variants it spawned, have made it popular with cyber criminals operating a Ransomware-as-a-Service model. Dharma conceals itself on the target system and encrypts files whenever they are added to the targeted directory. Once the files are encrypted, a ransom note is left giving the victim email addresses to contact in order to pay for decryption. This variant has the timestamp field in its PE file header updated.
External References:
https://attack.mitre.org/techniques/T1099/
https://www.varonis.com/blog/april-2021-malware-trends-report/
https://news.sophos.com/en-us/2020/08/12/color-by-numbers-inside-a-dharma-ransomware-as-a-service-attack/?cmp=30728
PARENTID: M21-rp7g1
SSDEEP: 6144:3sCwu+mWhJifvtNP/7YXSLB80PqO/PhR3pxsv6hb8K0+oStB8hgh6mT7:cxmIJQvPkitEqZR3pxU6hgnQRT7
SHA256: 3d9decb0b149ad312f401b50fac05564be676c89070ab2250ced68d85e65b8aa
SHA1: 4dce85b44ee05d169f33a60e789230f3ca1c3e4a
MD5: 142d30b8dc05ade27ad2707988a80495
Strike ID: M21-i13h1 | Malware: Trickbot_30876c5f | Platform: Windows
Info: This strike sends a malware sample known as Trickbot. Trickbot is a banking trojan that targets sensitive information for a select set of financial institutions. It is frequently distributed through malicious spam campaigns, many of which rely on downloaders such as VBScript files for delivery.
External References: https://blog.talosintelligence.com/2021/05/threat-roundup-0514-0521.html
SHA256: bd2638dcff5fce98d7a58e4c5ad12b88383a224d6ba659c19abcee9f03ff458c
SHA1: 2f4d137cca0c5d4093ad449b8c2c3795bcf969d3
MD5: 30876c5f348002697792091b3ccb7b4a
Strike ID: M21-votb1 | Malware: DarkSide_222792d2 | Platform: Windows
Info: This strike sends a malware sample known as DarkSide. DarkSide is a ransomware group that made headlines when it was linked to the attack on CompuCom and to the attack on Colonial Pipeline, which took the major US fuel pipeline offline. The group is known for its highly targeted approach: each executable is built for its intended victim.
External References: https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html
SHA256: adcb912694b1abcdf9c467b5d47abe7590b590777b88045d10992d34a27aa06e
SHA1: 2430f63c64d3e26b13ec4752d8976ff9c9dbbd1b
MD5: 222792d2e75782516d653d5cccfcf33b
Strike ID: M21-4zty1 | Malware: Dharma_ba67dd5a | Platform: Windows
Info: This strike sends a malware sample known as Dharma. Dharma, also known as Crysis, is a ransomware family whose source code has circulated for several years, leading to many variants. That availability, and the variants it spawned, have made it popular with cyber criminals operating a Ransomware-as-a-Service model. Dharma conceals itself on the target system and encrypts files whenever they are added to the targeted directory. Once the files are encrypted, a ransom note is left giving the victim email addresses to contact in order to pay for decryption.
External References:
https://www.varonis.com/blog/april-2021-malware-trends-report/
https://news.sophos.com/en-us/2020/08/12/color-by-numbers-inside-a-dharma-ransomware-as-a-service-attack/?cmp=30728
SHA256: 6b1f4df924fb0e5067df18dfc5063d409f3bf2ee0d14b381b3f583e0d0da3ae5
SHA1: f7ca4a5d4c8d24083b86ff0a5b102ad68e0c9e34
MD5: ba67dd5ab7d6061704f2903573cec303
Strike ID: M21-nwze1 | Malware: Banload_c6780923 | Platform: Windows
Info: This strike sends a polymorphic malware sample known as Banload. Banload is a banking trojan that has recently been infecting systems in Latin America. It uses custom kernel drivers to evade detection. This variant has the checksum removed from its PE optional header.
External References:
https://arxiv.org/abs/1801.08917
https://blog.talosintelligence.com/2021/05/threat-roundup-0514-0521.html
PARENTID: M21-0n2t1
SSDEEP: 24576:Eiz9GBuV9wKwHajKw+HEr4HHQm14aoXSNAcRaz6rtHZJZN3nKb/5ArKPfa19Ddyv:EiBxVNLmuDz6ZT6b/mrKHarA9m25ujI
SHA256: 4c6a52a1af53790e16e45ce396c0e491e1d5a615e14a22716be5cfc4dc7f7aa1
SHA1: a40d46b1fab58b02ec0b94fff758603d31692e2f
MD5: c6780923def330192f69eb7826249c62
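The polymorphic entries in this listing (checksum removed, a section renamed, the PE timestamp updated, random bytes appended, UPX packing) each derive from a parent strike (the PARENTID) through a single header- or file-level change, which is why their SSDEEP values stay close to each other while the MD5/SHA hashes differ completely. Before trusting a detection that keys on one of those fields, a practitioner usually wants to confirm which change a given variant carries. The following Python script is an added example, not part of this listing or of any vendor tool: it parses the PE headers with only the standard library, reports the fields these variants modify, and compares a variant against its parent. The files it runs on are constructed minimal PE32 images built in memory (none of the hashes listed here), and the UPX check is a section-name heuristic, not an unpacker.

```python
import struct
from datetime import datetime, timezone

FILE_ALIGN = 0x200
# Section names a linker normally emits; anything else is worth a second look.
STANDARD_SECTIONS = {".text", ".rdata", ".data", ".rsrc", ".reloc",
                     ".idata", ".edata", ".bss", ".tls", ".pdata", ".CRT"}


def build_min_pe(checksum=0x1234, timestamp=0x60A00000,
                 section_names=(".text", ".data"), overlay=b""):
    """Constructed minimal PE32 image (not a real sample): one 0x200-byte raw
    block per section, headers padded to FileAlignment, optional overlay."""
    nsec = len(section_names)
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                # e_lfanew -> PE signature
    coff = struct.pack("<HHIIIHH", 0x14C, nsec, timestamp, 0, 0, 224, 0x0102)
    opt = bytearray(224)                                   # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)                  # Magic: PE32
    struct.pack_into("<I", opt, 28, 0x400000)              # ImageBase
    struct.pack_into("<I", opt, 32, 0x1000)                # SectionAlignment
    struct.pack_into("<I", opt, 36, FILE_ALIGN)            # FileAlignment
    struct.pack_into("<I", opt, 56, 0x1000 * (nsec + 1))   # SizeOfImage
    struct.pack_into("<I", opt, 60, FILE_ALIGN)            # SizeOfHeaders
    struct.pack_into("<I", opt, 64, checksum)              # CheckSum
    struct.pack_into("<I", opt, 92, 16)                    # NumberOfRvaAndSizes
    sec_hdrs, body = b"", b""
    for i, name in enumerate(section_names):
        # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
        # PointerToRelocations, PointerToLinenumbers, NumberOfRelocations,
        # NumberOfLinenumbers, Characteristics (code | execute | read)
        sec_hdrs += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                                0x200, 0x1000 * (i + 1), 0x200, FILE_ALIGN * (i + 1),
                                0, 0, 0, 0, 0x60000020)
        body += b"\x90" * 0x200
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sec_hdrs).ljust(FILE_ALIGN, b"\0")
    return headers + body + overlay


def inspect_pe(data):
    """Read the header fields the polymorphic variants change. Works for PE32
    and PE32+: CheckSum sits at offset 64 of the optional header in both."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, nsec, timestamp, _, _, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    checksum = struct.unpack_from("<I", data, opt + 64)[0]
    sec_tbl = opt + opt_size
    sections, end_of_sections = [], 0
    for i in range(nsec):
        name, _vsize, _va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, sec_tbl + 40 * i)
        sections.append(name.rstrip(b"\0").decode("ascii", "replace"))
        end_of_sections = max(end_of_sections, raw_ptr + raw_size)
    return {
        "checksum": checksum,
        "checksum_removed": checksum == 0,          # "checksum removed" == zeroed field
        "timestamp": timestamp,
        "timestamp_utc": datetime.fromtimestamp(timestamp, timezone.utc).isoformat(),
        "sections": sections,
        "nonstandard_sections": [s for s in sections if s not in STANDARD_SECTIONS],
        "upx_section_names": any(s.startswith("UPX") for s in sections),
        "overlay_bytes": max(0, len(data) - end_of_sections),   # data past the last section
    }


def compare_with_parent(parent, variant):
    """Name the transformation(s) that turn the parent into the variant."""
    p, v = inspect_pe(parent), inspect_pe(variant)
    findings = []
    if v["checksum_removed"] and not p["checksum_removed"]:
        findings.append("checksum removed")
    if v["timestamp"] != p["timestamp"]:
        findings.append("timestamp updated")
    if len(v["sections"]) == len(p["sections"]) and v["sections"] != p["sections"]:
        findings.append("section renamed")
    if v["overlay_bytes"] > p["overlay_bytes"]:
        findings.append("bytes appended")
    if v["upx_section_names"] and not p["upx_section_names"]:
        findings.append("upx section names")
    return findings


if __name__ == "__main__":
    parent = build_min_pe()
    for label, variant in [
        ("checksum", build_min_pe(checksum=0)),
        ("timestamp", build_min_pe(timestamp=0x60B00000)),
        ("rename", build_min_pe(section_names=(".text", ".x7q2"))),
        ("overlay", build_min_pe(overlay=b"\x13\x37" * 8)),
        ("upx", build_min_pe(section_names=("UPX0", "UPX1", ".rsrc"))),
    ]:
        print(label, compare_with_parent(parent, variant))
```

Against a real file, pass open(path, "rb").read() to inspect_pe; the same offsets apply to PE32+ because only ImageBase and the stack/heap size fields widen. Note how the two DarkSide children of M21-ci4y1 above (ac4b1759 and 5d5a210c) differ in their SSDEEP values by a couple of characters only: a zeroed checksum or a renamed section touches a handful of header bytes, which is exactly what fuzzy hashing tolerates and exact hashing does not. A detection that matches on overlay size, section names or the header timestamp is therefore brittle against these variants; matching on the code bytes inside the sections is not.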
Strike ID: M21-6wjf1 | Malware: DarkSide_c2764be5 | Platform: Windows
Info: This strike sends a malware sample known as DarkSide. DarkSide is a ransomware group that made headlines when it was linked to the attack on CompuCom and to the attack on Colonial Pipeline, which took the major US fuel pipeline offline. The group is known for its highly targeted approach: each executable is built for its intended victim.
External References: https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html
SHA256: bac2149254f5ce314bab830f574e16c9d67e81985329619841431034c31646e0
SHA1: 0bfc26e7a035a143339516b877ac11eefbbeefb5
MD5: c2764be55336f83a59aa0f63a0b36732
Strike ID: M21-bc4b1
Malware: DarkSide_2f31ce15
Platform: Windows
Info: This strike sends a malware sample known as DarkSide. DarkSide is a ransomware group that made headlines recently when it was attributed to the attack against CompuCom as well as an attack against the Colonial Pipeline, taking the major US fuel pipeline offline. The DarkSide group is known for its very specific approach to targeting victims. Each executable is carefully crafted for its intended target.
External References: https://unit42.paloaltonetworks.com/darkside-ransomware/
https://www.fortinet.com/blog/threat-research/newly-discovered-function-in-darkside-ransomware-variant-targets-disk-partitions
SHA256: e0493b082077648eb33ca1294f2b26bc4c96d3820913c46330923e8bb3d73230
SHA1: 3e15a266535c117216faa3dedbe51e7f10b79a95
MD5: 2f31ce153a8f1d9e30e8ee7305ee7a6a
Strike ID: M21-u7zr1
Malware: Banload_a2a81870
Platform: Windows
Info: This strike sends a malware sample known as Banload. Banload is a banking trojan that has recently been infecting Latin American systems. This malware uses custom kernel drivers to evade detection.
External References: https://blog.talosintelligence.com/2021/05/threat-roundup-0514-0521.html
SHA256: 5fa8bb092e9f454fc712fbd294e5911ee815258494698ae0c295eac3e9c9d565
SHA1: 230e156ca8d6a225a559b0bab1895b8b8f81a19c
MD5: a2a81870c33b35d6cd0092e992f1b4c4
Strike ID: M21-lixi1
Malware: Trickbot_a73478e7
Platform: Windows
Info: This strike sends a malware sample known as Trickbot. Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts.
External References: https://blog.talosintelligence.com/2021/05/threat-roundup-0514-0521.html
SHA256: 6dc782f7f6f1354b5b582884bc77412771b0fcdfc1da92f83a4a34c60a8cd490
SHA1: a824abe0d60dbf253b8e76fe349645c45a128fe6
MD5: a73478e7f62a5856aeed787188c8f777
Strike ID: M21-au7t1
Malware: DarkSide_a8690b73
Platform: Windows
Info: This strike sends a malware sample known as DarkSide. DarkSide is a ransomware group that made headlines recently when it was attributed to the attack against CompuCom as well as an attack against the Colonial Pipeline, taking the major US fuel pipeline offline. The DarkSide group is known for its very specific approach to targeting victims. Each executable is carefully crafted for its intended target.
External References: https://unit42.paloaltonetworks.com/darkside-ransomware/
https://www.fortinet.com/blog/threat-research/newly-discovered-function-in-darkside-ransomware-variant-targets-disk-partitions
SHA256: e9417cb1baec2826e3f5a6f64ade26c1374d74d8aa41bfabd29ea20ea5894b14
SHA1: 21145fd2cc8767878edbd7d1900c4c4f926a6d5b
MD5: a8690b739971d63318ad4895b9c41058
Strike ID: M21-4tk51
Malware: DarkSide_6a7fdab1
Platform: Windows
Info: This strike sends a malware sample known as DarkSide. DarkSide is a ransomware group that made headlines recently when it was attributed to the attack against CompuCom as well as an attack against the Colonial Pipeline, taking the major US fuel pipeline offline. The DarkSide group is known for its very specific approach to targeting victims. Each executable is carefully crafted for its intended target.
External References: https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html
SHA256: 1cc7c198a8a2c935fd6f07970479e544f5b35a8eb3173de0305ebdf76a0988cb
SHA1: 4e6d303d96621769b491777209c237b4061e3285
MD5: 6a7fdab1c7f6c5a5482749be5c4bf1a4
Strike ID: M21-pvbt1
Malware: DarkSide_01cef4d4
Platform: Windows
Info: This strike sends a malware sample known as DarkSide. DarkSide is a ransomware group that made headlines recently when it was attributed to the attack against CompuCom as well as an attack against the Colonial Pipeline, taking the major US fuel pipeline offline. The DarkSide group is known for its very specific approach to targeting victims. Each executable is carefully crafted for its intended target.
External References: https://unit42.paloaltonetworks.com/darkside-ransomware/
https://www.fortinet.com/blog/threat-research/newly-discovered-function-in-darkside-ransomware-variant-targets-disk-partitions
SHA256: 124e83f0812629fbc7ee0330002d7e5026b0f79e29a7d42facd62dd67b83549a
SHA1: e06c0d3ae9eb341182e937f44906c240cff4c057
MD5: 01cef4d4f9306177d42f221854ee552b
Strike ID: M21-g5o21
Malware: DarkSide_c363e327
Platform: Windows
Info: This strike sends a malware sample known as DarkSide. DarkSide is a ransomware group that made headlines recently when it was attributed to the attack against CompuCom as well as an attack against the Colonial Pipeline, taking the major US fuel pipeline offline. The DarkSide group is known for its very specific approach to targeting victims. Each executable is carefully crafted for its intended target.
External References: https://unit42.paloaltonetworks.com/darkside-ransomware/
https://www.fortinet.com/blog/threat-research/newly-discovered-function-in-darkside-ransomware-variant-targets-disk-partitions
SHA256: 1ef8db7e8bd3aaba8b1cef96cd52fde587871571b1719c5d40f9a9c98dd26f84
SHA1: 5a3d0fff6dda6121c379e2e4a5e756cb034b99e4
MD5: c363e327287081251b820276cd9ce1f8
Strike ID: M21-mq8z1
Malware: Banload_c8181d11
Platform: Windows
Info: This strike sends a malware sample known as Banload. Banload is a banking trojan that has recently been infecting Latin American systems. This malware uses custom kernel drivers to evade detection.
External References: https://blog.talosintelligence.com/2021/05/threat-roundup-0514-0521.html
SHA256: 9bd81f44138f38c7b175dab2bdaad7cc7498a9e457f87f744f39cd2c040592c0
SHA1: 7e13a8104e6458fbb3a832a14666d1fe7bb31baa
MD5: c8181d11545ed27d3942832216d2baa8
Strike ID: M21-3udh1
Malware: Banload_48527475
Platform: Windows
Info: This strike sends a malware sample known as Banload. Banload is a banking trojan that has recently been infecting Latin American systems. This malware uses custom kernel drivers to evade detection.
External References: https://blog.talosintelligence.com/2021/05/threat-roundup-0514-0521.html
SHA256: 7abffe049c5c079319df8e85aaa8430fe08f629d52e34bf9a4d1d4defa6cfeca
SHA1: acff94bbfa0540ea46672e95f52d25be1b8be149
MD5: 485274755aeccfc2f3c577eb6aa61cc4
Strike ID: M21-455t1
Malware: Dharma_2873a268
Platform: Windows
Info: This strike sends a polymorphic malware sample known as Dharma. Dharma, also known as Crysis, is a trojanized ransomware whose source code has been available for several years, leading to many variants being created. This availability and these variants contribute to its popularity as a Ransomware as a Service model adopted by cyber criminals. Dharma conceals itself inside the target system and encrypts files whenever they are added to the specified directory. Once the files are encrypted, a ransom note is left providing the victim with email addresses to contact in order to pay for decryption. The binary has been packed using the UPX packer with the default options.
External References: https://attack.mitre.org/techniques/T1045/
https://www.varonis.com/blog/april-2021-malware-trends-report/
https://news.sophos.com/en-us/2020/08/12/color-by-numbers-inside-a-dharma-ransomware-as-a-service-attack/?cmp=30728
PARENTID: M21-rp7g1
SSDEEP: 6144:kPMQaNMtxWFfPbKBDo+sv6hb8K0+oStB8hgh6mT7:k6NSWVOB8+U6hgnQRT7
SHA256: 75b866f2396d8122b55bc571f7c1bed4074834c934f584f2daa824b9af1b8ff6
SHA1: a30a1375e0c0c949bbe717a9f8c42f778b463e05
MD5: 2873a26848097afd920b6e6bc9375a48
Strike ID: M21-hebd1
Malware: BazarLoader_f6da98fd
Platform: Windows
Info: This strike sends a malware sample known as BazarLoader. BazarLoader is a malware loader whose function is to download and install additional malware such as Trickbot or Ryuk.
External References: https://blog.talosintelligence.com/2021/05/threat-roundup-0514-0521.html
SHA256: 2014e44bbaff8abefaa0f6a251c9810cd77e3f109f6ec9f4d121a6dfc3fe462c
SHA1: 46a4707d2fbceaa6761f1645e5f8db1a63ee77fa
MD5: f6da98fd1bbbf7e2c0c5ef0718380e61
Strike ID: M21-lyt81
Malware: Dharma_1fbd39b2
Platform: Windows
Info: This strike sends a polymorphic malware sample known as Dharma. Dharma, also known as Crysis, is a trojanized ransomware whose source code has been available for several years, leading to many variants being created. This availability and these variants contribute to its popularity as a Ransomware as a Service model adopted by cyber criminals. Dharma conceals itself inside the target system and encrypts files whenever they are added to the specified directory. Once the files are encrypted, a ransom note is left providing the victim with email addresses to contact in order to pay for decryption. The binary has random bytes appended at the end of the file.
External References: https://attack.mitre.org/techniques/T1009/
https://www.varonis.com/blog/april-2021-malware-trends-report/
https://news.sophos.com/en-us/2020/08/12/color-by-numbers-inside-a-dharma-ransomware-as-a-service-attack/?cmp=30728
PARENTID: M21-rp7g1
SSDEEP: 6144:QsCwu+mWhJifvtNP/7YXSLB80PqO/PhR3pxsv6hb8K0+oStB8hgh6mTf:NxmIJQvPkitEqZR3pxU6hgnQRTf
SHA256: 953c728ed0365ef654b75f329638aaf4d3128ad0d8f531de2d551b7f89721ad2
SHA1: ab0710a6f27ad0f36c10f9c87fd2e9e2c0c2dcc8
MD5: 1fbd39b295d2935420205e385d4495cf
Strike ID: M21-0kxd1
Malware: DarkSide_9d418ecc
Platform: Windows
Info: This strike sends a malware sample known as DarkSide. DarkSide is a ransomware group that made headlines recently when it was attributed to the attack against CompuCom as well as an attack against the Colonial Pipeline, taking the major US fuel pipeline offline. The DarkSide group is known for its very specific approach to targeting victims. Each executable is carefully crafted for its intended target.
External References: https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html
SHA256: 151fbd6c299e734f7853497bd083abfa29f8c186a9db31dbe330ace2d35660d5
SHA1: eeb28144f39b275ee1ec008859e80f215710dc57
MD5: 9d418ecc0f3bf45029263b0944236884
Strike ID: M21-u6ig1
Malware: Dharma_ad28ea90
Platform: Windows
Info: This strike sends a polymorphic malware sample known as Dharma. Dharma, also known as Crysis, is a trojanized ransomware whose source code has been available for several years, leading to many variants being created. This availability and these variants contribute to its popularity as a Ransomware as a Service model adopted by cyber criminals. Dharma conceals itself inside the target system and encrypts files whenever they are added to the specified directory. Once the files are encrypted, a ransom note is left providing the victim with email addresses to contact in order to pay for decryption. The binary has a new section added in the PE file format with random contents.
External References: https://arxiv.org/abs/1801.08917
https://www.varonis.com/blog/april-2021-malware-trends-report/
https://news.sophos.com/en-us/2020/08/12/color-by-numbers-inside-a-dharma-ransomware-as-a-service-attack/?cmp=30728
PARENTID: M21-rp7g1
SSDEEP: 6144:isCwu+mWhJifvtNP/7YXSLB80PqO/PhR3pTsv6hb8K0+oStB8hgh6mT7:3xmIJQvPkitEqZR3pTU6hgnQRT7
SHA256: 85f042ad392d429f4bbe0370b55d1ca44495f027e413d092c07f41a826007806
SHA1: 574e3cfdedfe4d672141d60195f03e9192feead8
MD5: ad28ea90c494a147758db2dfe77f5751
Strike ID: M21-ixtz1
Malware: DarkSide_ceed9cee
Platform: Windows
Info: This strike sends a polymorphic malware sample known as DarkSide. DarkSide is a ransomware group that made headlines recently when it was attributed to the attack against CompuCom as well as an attack against the Colonial Pipeline, taking the major US fuel pipeline offline. The DarkSide group is known for its very specific approach to targeting victims. Each executable is carefully crafted for its intended target. The binary has random bytes appended at the end of the file.
External References: https://attack.mitre.org/techniques/T1009/
https://unit42.paloaltonetworks.com/darkside-ransomware/
https://www.fortinet.com/blog/threat-research/newly-discovered-function-in-darkside-ransomware-variant-targets-disk-partitions
PARENTID: M21-ci4y1
SSDEEP: 768:piN4q1eksgR4SiI+rxQ3rjFrXRRWxXyw/Afy8fIaJ/ZB49j9xOOLd9kvAx0WTu:g4HHerjZX7pLjJKjSO5iW6
SHA256: 3facef92503a7fcf33c9673bef461453efae3527faa02bfbfeb7ba571ed0fe32
SHA1: 555140ccb56a1910eb334d05fc9e53735baebbef
MD5: ceed9cee94852c38da142b4686c11560
Strike ID: M21-7dwl1
Malware: DarkSide_b68be0da
Platform: Windows
Info: This strike sends a malware sample known as DarkSide. DarkSide is a ransomware group that made headlines recently when it was attributed to the attack against CompuCom as well as an attack against the Colonial Pipeline, taking the major US fuel pipeline offline. The DarkSide group is known for its very specific approach to targeting victims. Each executable is carefully crafted for its intended target.
External References: https://unit42.paloaltonetworks.com/darkside-ransomware/
https://www.fortinet.com/blog/threat-research/newly-discovered-function-in-darkside-ransomware-variant-targets-disk-partitions
SHA256: bac7f1cb70a0fe909590f7b270248705d216b4abaf4e5dd4969fa4f1949badec
SHA1: 5212151679ce396651887edfe0e7d1f5eda4da29
MD5: b68be0dacf09904cd4a0fbe0aab3842e
Strike ID: M21-zgu01
Malware: Banload_fa2ac90f
Platform: Windows
Info: This strike sends a malware sample known as Banload. Banload is a banking trojan that has recently been infecting Latin American systems. This malware uses custom kernel drivers to evade detection.
External References: https://blog.talosintelligence.com/2021/05/threat-roundup-0514-0521.html
SHA256: 221dd201de219cb0ad766e55fac3270660f138bfc1c1b79044cdfd7fb57e2f2f
SHA1: da67d3e40a884a8ca0cf4f7b932b0196856baabf
MD5: fa2ac90fe8bbfa7a11b40f18bf21045c
Strike ID: M21-74281
Malware: Trickbot_c062e295
Platform: Windows
Info: This strike sends a malware sample known as Trickbot. Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts.
External References: https://blog.talosintelligence.com/2021/05/threat-roundup-0514-0521.html
SHA256: ad4858c6624e4cb863fcce1a85b542e50369b835f27cc877dbbecaf43e20595a
SHA1: 4f107b9561b5d8ace1346c218de3ada9342dd672
MD5: c062e2956d1d8bfd382bd101289f198b
Strike ID: M21-vw9l1
Malware: Dharma_ef40a998
Platform: Windows
Info: This strike sends a malware sample known as Dharma. Dharma, also known as Crysis, is a trojanized ransomware whose source code has been available for several years, leading to many variants being created. This availability and these variants contribute to its popularity as a Ransomware as a Service model adopted by cyber criminals. Dharma conceals itself inside the target system and encrypts files whenever they are added to the specified directory. Once the files are encrypted, a ransom note is left providing the victim with email addresses to contact in order to pay for decryption.
External References: https://www.varonis.com/blog/april-2021-malware-trends-report/
https://news.sophos.com/en-us/2020/08/12/color-by-numbers-inside-a-dharma-ransomware-as-a-service-attack/?cmp=30728
SHA256: 3680b9e492f49abc108313c62ceb0f009d5ed232c874cae8828c99ebf201e075
SHA1: 1eea0f017bffa0a868605f373efa74b4858e1c37
MD5: ef40a9988e3bd89190cba2bcb765b7b9

Malware Strikes April - 2021

Strike ID Malware Platform Info MD5 External References
Strike ID: M21-fd7z1
Malware: Expiro_34c50d3b
Platform: Mixed
Info: This strike sends a malware sample known as Expiro. Expiro, or Xpiro, is a known file infector and information stealer that hinders analysis with anti-debugging and anti-analysis tricks.
External References: https://blog.talosintelligence.com/2021/04/threat-roundup-0402-0409.html
SHA256: 3d2cdbe5cd494a6ef592f20dd73c873036ea0350aea3d954f7774c372ed9a1b3
SHA1: 83874bf68bb617bdfb34ef6dad91cd366c84719b
MD5: 34c50d3baf3bfdc586c0a5127f2d1199
Strike ID: M21-rwly1
Malware: Dofoil_1301e933
Platform: Mixed
Info: This strike sends a malware sample known as Dofoil. Dofoil, also known as SmokeLoader, is typically used to download and execute various other malware. It has been associated with dropping and executing coin miners that mine cryptocurrency.
External References: https://blog.talosintelligence.com/2021/04/threat-roundup-0326-0402.html
SHA256: 1df87baeeac67f7eadf3875c0a12a610ec21b285e6b6be97bc0c6969b33277e7
SHA1: b15df6958f1f19ea62df0c4a3eb31b0c4142e9e4
MD5: 1301e933ffd26d973e2d92726a5cb165
Strike ID: M21-sup11
Malware: Trickbot_09277e8a
Platform: Mixed
Info: This strike sends a polymorphic malware sample known as Trickbot. Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts. The binary has been packed using the UPX packer with the default options.
External References: https://attack.mitre.org/techniques/T1045/
SHA256: 228da49149bb63a53c1fd38daf6fe22c1770c02d747c9dd09b47c31bb7311804
SHA1: ce6d6e08f36c64bd3b5219671f811541e3fce4a9
PARENTID: M21-7qla1
SSDEEP: 6144:O0ek78425ufcfIYHM/egni+yKxLMxy2VsZd1npQk/vZdo398f20:O0ek78NufcfbbKxLMxyd1nNvZ+uf20
MD5: 09277e8a44f4688f77dd958bb22d4380
Strike ID: M21-wu8j1
Malware: Bifrost_88918aa9
Platform: Mixed
Info: This strike sends a malware sample known as Bifrost. Bifrost is a backdoor that allows a remote attacker, who uses the client, to execute arbitrary code on the compromised machine. It contains standard Remote Access Trojan capabilities including taking screenshots, camera monitoring, and keylogging.
MD5: 88918aa93a7020accbf4cd82147f2d1d
External References: https://blog.talosintelligence.com/2021/04/