Malware Monthly Update February - 2022 Release Notes

Malware Monthly Update February - 2022

Malware Strikes

Strike ID	Malware	Platform	Info	MD5	External References
M22-M2010	LokiBot_1d2700b8	Windows	This strike sends a malware sample known as LokiBot. Lokibot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered via spam emails.	1d2700b86c91366053aa4e57c2b667f7	https://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html SHA256: f8448219df30254002bdb8ccf5745b3f2156f25b1b48209d69a451dca03968f2 SHA1: ee095e23db2ddad217b4e696949dac5cf0c6af87 MD5: 1d2700b86c91366053aa4e57c2b667f7
M22-M2020	HermeticWiper_3f4a16b2	Windows	This strike sends a malware sample known as HermeticWiper. In February 2022 a new wave of wiper attacks against the country of Ukraine was detected. The malware HermeticWiper exhibits similar functionality to the previous wiper malware WhisperGate used in cyber attacks against Ukraine. Like WhisperGate this wiper malware will target the Master Boot Record and attempt to destroy it. It also includes a component that will enumerate the system partitions and wipe all files on the targeted system.	3f4a16b29f2f0532b7ce3e7656799125	https://securityintelligence.com/posts/new-destructive-malware-cyber-attacks-ukraine/ https://www.sentinelone.com/labs/hermetic-wiper-ukraine-under-attack/ https://blog.talosintelligence.com/2022/02/threat-advisory-hermeticwiper.html SHA256: 1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591 SHA1: 61b25d11392172e587d8da3045812a66c3385451 MD5: 3f4a16b29f2f0532b7ce3e7656799125
M22-M2040	LokiBot_ad3e77ee	Windows	This strike sends a malware sample known as LokiBot. Lokibot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered via spam emails.	ad3e77ee78c0fa6b352b8c5ba99d3255	https://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html SHA256: c02f78ea73a8f86ab721800af6bf9be1ba182a779a2b55fb7b583a1b79a63ce0 SHA1: 49027ed30ecc2ba15351e2541e94e355b81fd64e MD5: ad3e77ee78c0fa6b352b8c5ba99d3255
M22-M2028	TeslaCrypt_4d69c441	Windows	This strike sends a malware sample known as TeslaCrypt. This ransomware demands Bitcoin in order to decrypt files from the system.	4d69c441231bad3e39da8230388920e5	https://blog.talosintelligence.com/2022/02/threat-roundup-0128-0204.html SHA256: 27ebe5bf3aba1ad778dc43582f7468906007c5cbd40858294dfa9e1716c1b246 SHA1: 8a0c008f3f7657c159a8c911e6fb3bc256be0daf MD5: 4d69c441231bad3e39da8230388920e5
M22-M2064	DarkComet_015d482e	Windows	This strike sends a polymorphic malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system. Capabilities of this malware include the ability to download files from a user's machine, mechanisms for persistence and hiding, and the ability to send back usernames and passwords from the infected system.The binary has random strings (lorem ipsum) appended at the end of the file.	015d482efe46a5aa054da29a11fd9d21	https://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html SHA256: 4b801548f17b062a443902c37e9ee23538c392520364e7f6fb7619cde3eb3057 https://attack.mitre.org/techniques/T1009/ PARENTID: M22-M2012 SSDEEP: 24576:ou6J33O0c+JY5UZ+XC0kGso6FaLIk0LMgjYxLBzp6q+OTwyI2JfvWYL:Cu0c++OCvkGs9Fa5YYL SHA1: 4eff177bbe05cc2b416fa000f7e331c92c712e2d MD5: 015d482efe46a5aa054da29a11fd9d21
M22-M2045	LokiBot_b9697256	Windows	This strike sends a malware sample known as LokiBot. Lokibot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered via spam emails.	b969725644870466de0f63d8d67d5b1d	https://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html SHA256: c110ae946c48f8f26287c7163cd1557bc4ad83abb93e26c10b32df856fe5c72e SHA1: d5ad4dff4ab0de19a29431c6946e170eb7fa80d7 MD5: b969725644870466de0f63d8d67d5b1d
M22-M2077	LokiBot_ad2af567	Windows	This strike sends a polymorphic malware sample known as LokiBot. Lokibot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered via spam emails.The binary has been packed using upx packer, with the default options.	ad2af56777bc68b392ff58168defd2db	https://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html SHA256: 1eaa936581ca623d8b34537a970ea1be712f12f8dd09ebbc9ff23f5d171dc600 https://attack.mitre.org/techniques/T1045/ PARENTID: M22-M2056 SSDEEP: 12288:n4qrg8b3ilvCu2Lj6RYLShqmRbMAEY5yQvu/SUhrYSV+mbhrGe:4B83ilK6RESrTE/QW/SVg+mrGe SHA1: 159b1213c95c12ee738068f80556ace0374661cf MD5: ad2af56777bc68b392ff58168defd2db
M22-M2070	WhisperGate	Windows	This strike sends a polymorphic malware sample known as WhisperGate Downloader. In January 2022 the WhisperGate malware was detected in cyber attacks being conducted against the Ukrainian Government. WhisperGate is a multi-stage malware that masquerades as ransomware. It downloads a payload that wipes the MBR, then downloads a malicious file from a Discord server. This last file drops and executes a final wiper payload that enumerates the drives on the system and proceeds to wipe all files with specific extensions. This sample is the Downloader.The binary has the timestamp field updated in the PE file header.	87037d614242a155e033dcf1a4e23edc	https://www.zdnet.com/article/researchers-break-down-whispergate-wiper-malware-used-in-ukraine-website-defacement/ https://blog.talosintelligence.com/2022/01/ukraine-campaign-delivers-defacement.html https://www.computerweekly.com/news/252512491/More-intel-emerges-on-WhisperGate-malware-that-hit-Ukraine SHA256: d1094d24e15c134e1d060e7b22011c49ffc2123deeba6c55a0025e3d2bae1bb2 https://attack.mitre.org/techniques/T1099/ PARENTID: M22-M200a SSDEEP: 3072:tf1GlJZUnjNbGgNQfYySIHiP1WLz4PcSOvG2jxZ:LbGoJ8iP19PjmGyf SHA1: 13eda4c8d86b1f0bcd4862d139cbc63882ae689c MD5: 87037d614242a155e033dcf1a4e23edc
M22-M205b	WhisperKill	Windows	This strike sends a polymorphic malware sample known as WhisperKill Wiper. In January 2022 the WhisperGate malware was detected in cyber attacks being conducted against the Ukrainian Government. WhisperGate is a multi-stage malware that masquerades as ransomware. It downloads a payload that wipes the MBR, then downloads a malicious file from a Discord server. This last file drops and executes a final wiper payload that enumerates the drives on the system and proceeds to wipe all files with specific extensions. This sample is the final wiper.The binary has the checksum removed in the PE file format.	4b0e0cfe7b043861ff2731a83a4b4df0	https://www.zdnet.com/article/researchers-break-down-whispergate-wiper-malware-used-in-ukraine-website-defacement/ https://blog.talosintelligence.com/2022/01/ukraine-campaign-delivers-defacement.html https://www.computerweekly.com/news/252512491/More-intel-emerges-on-WhisperGate-malware-that-hit-Ukraine SHA256: 0f8d110d3ba07cd162a1bc34d1a92fb04baf1f4a0c112351749a54d594f432d1 https://arxiv.org/abs/1801.08917 PARENTID: M22-M201c SSDEEP: 384:ick4phERK+NUl/9j5SddlEt4OIqXFKJBeht2FrGx:ickuhERW2wndVKPe2Fy SHA1: b2f1e3399a0a89069d4d48b4ff73fb53cf79a81f MD5: 4b0e0cfe7b043861ff2731a83a4b4df0
M22-M206f	LokiBot_4389ba6f	Windows	This strike sends a polymorphic malware sample known as LokiBot. Lokibot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered via spam emails.The binary has random strings (lorem ipsum) appended at the end of the file.	4389ba6f50000c82a7118a2d1015eadf	https://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html SHA256: 5a38afc0c420ce4f9239c6f0e56cb83d2f837ef16286777f7ad882284dc5bd4d https://attack.mitre.org/techniques/T1009/ PARENTID: M22-M2056 SSDEEP: 24576:h2aJkRtJ5kI3PytBh9TE/QW/SVg+mbGeC:h2a6tfQP9E8gE SHA1: 7b878b7ca4182ab5af7d61dce27bc7736cfb3b85 MD5: 4389ba6f50000c82a7118a2d1015eadf
M22-M2080	LokiBot_d837beeb	Windows	This strike sends a polymorphic malware sample known as LokiBot. Lokibot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered via spam emails.The binary has a random section name renamed according to the PE format specification.	d837beeb7c4e69aba79da8831e22ccd8	https://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html SHA256: 3732952014d674c25d941f3458d84dff02dc80fbe3aeca85f3543420b2aa25e8 https://arxiv.org/abs/1801.08917 PARENTID: M22-M2056 SSDEEP: 24576:f2aJkRtJ5kI3PytBh9TE/QW/SVg+mbGeD:f2a6tfQP9E8g1 SHA1: bd6435ad611c630cd7b48b369e7694bc803d73e6 MD5: d837beeb7c4e69aba79da8831e22ccd8
M22-M2084	TeslaCrypt_f61b3c14	Windows	This strike sends a polymorphic malware sample known as TeslaCrypt. This ransomware demands Bitcoin in order to decrypt files from the system.The binary has random strings (lorem ipsum) appended at the end of the file.	f61b3c14d032796e892fda0214bb6ada	https://blog.talosintelligence.com/2022/02/threat-roundup-0128-0204.html SHA256: 88649ef2a4c82a767ec242bcf8f062699ae5a33bc0e7257616716c9ce498709e https://attack.mitre.org/techniques/T1009/ PARENTID: M22-M203d SSDEEP: 6144:vGE1/8ca6OYIJfw7Z81kaq0MdRuOt01le0JVSH/ISQT:vn10ca1Yt0knz/1SeaUfvQT SHA1: f12b1150e6cdf5edb2cc2597caa12ffeebcec671 MD5: f61b3c14d032796e892fda0214bb6ada
M22-M2012	DarkComet_215b14ac	Windows	This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system. Capabilities of this malware include the ability to download files from a user's machine, mechanisms for persistence and hiding, and the ability to send back usernames and passwords from the infected system.	215b14ac07078cfc72774efca6bbbfc6	https://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html SHA256: 00c4d334768f563cced2a243cf640c592149cec38044bb8792e49945a23ee61b SHA1: cebffdc7c8c3f88f24ab1f655ceb55de4f62aeb3 MD5: 215b14ac07078cfc72774efca6bbbfc6
M22-M204f	Zegost_d115a6dc	Windows	This strike sends a malware sample known as Zegost. Zegost, also known as Zusy, steals banking information. It displays a form to trick the user into submitting personal information when visiting a banking website.	d115a6dc468be0e6dcb2421c88c2231e	https://blog.talosintelligence.com/2022/02/threat-roundup-0211-0218.html SHA256: 6036a45e9086675cc7ab4e1cf88ed2aeda988b457308e60882c98e7b7cb6c67e SHA1: 3a08f7d4fb8692cc034e6c2824dc4bc60974b757 MD5: d115a6dc468be0e6dcb2421c88c2231e
M22-M206d	WhisperKill	Windows	This strike sends a polymorphic malware sample known as WhisperKill Wiper. In January 2022 the WhisperGate malware was detected in cyber attacks being conducted against the Ukrainian Government. WhisperGate is a multi-stage malware that masquerades as ransomware. It downloads a payload that wipes the MBR, then downloads a malicious file from a Discord server. This last file drops and executes a final wiper payload that enumerates the drives on the system and proceeds to wipe all files with specific extensions. This sample is the final wiper.The binary has random bytes appended at the end of the file.	724ee45952d709be7c79d7d1f1497ea2	https://www.zdnet.com/article/researchers-break-down-whispergate-wiper-malware-used-in-ukraine-website-defacement/ https://blog.talosintelligence.com/2022/01/ukraine-campaign-delivers-defacement.html https://www.computerweekly.com/news/252512491/More-intel-emerges-on-WhisperGate-malware-that-hit-Ukraine SHA256: 134145910f3dc7af12eb5f18168dab8153daa94446764a5ebf3cc6dc04cdfea2 https://attack.mitre.org/techniques/T1009/ PARENTID: M22-M201c SSDEEP: 384:6ck4phERK+NUl/9j5SddlEt4OIqXFKJBeht2FrGxC:6ckuhERW2wndVKPe2Fy0 SHA1: 78bf8afb2232cca106a16278a6286615ff82d5f5 MD5: 724ee45952d709be7c79d7d1f1497ea2
M22-M206a	WhisperKill	Windows	This strike sends a polymorphic malware sample known as WhisperKill Wiper. In January 2022 the WhisperGate malware was detected in cyber attacks being conducted against the Ukrainian Government. WhisperGate is a multi-stage malware that masquerades as ransomware. It downloads a payload that wipes the MBR, then downloads a malicious file from a Discord server. This last file drops and executes a final wiper payload that enumerates the drives on the system and proceeds to wipe all files with specific extensions. This sample is the final wiper.The binary has random contents appended in one of the existing sections in the PE file format.	75a007bf2b9b25e66bba3b10d3094511	https://www.zdnet.com/article/researchers-break-down-whispergate-wiper-malware-used-in-ukraine-website-defacement/ https://blog.talosintelligence.com/2022/01/ukraine-campaign-delivers-defacement.html https://www.computerweekly.com/news/252512491/More-intel-emerges-on-WhisperGate-malware-that-hit-Ukraine SHA256: 82d1ef02835b533134937e15f2c263f0498ba5b75ec84ffe56f0d52f7dfec76a https://arxiv.org/abs/1801.08917 PARENTID: M22-M201c SSDEEP: 384:6ck4phERK+NUl/9j5SddlEtnOIqXFKJBeht2FrGx:6ckuhERW2wOdVKPe2Fy SHA1: 9b335ea07d29ac142de907ddae596e3763110e78 MD5: 75a007bf2b9b25e66bba3b10d3094511
M22-M204a	Zegost_c705646b	Windows	This strike sends a malware sample known as Zegost. Zegost, also known as Zusy, steals banking information. It displays a form to trick the user into submitting personal information when visiting a banking website.	c705646bd19311dd646cc5c71a403e71	https://blog.talosintelligence.com/2022/02/threat-roundup-0211-0218.html SHA256: 3817795d5fbe1e84cb7b4fd18ca58a394d5c46d418be2f32ea56f84139d8cb8f SHA1: 300e7867a89f6034f192acd97bc662c5c5a800c6 MD5: c705646bd19311dd646cc5c71a403e71
M22-M2009	Zusy_0ddad360	Windows	This strike sends a malware sample known as Zusy. Zusy, also known as TinyBanker or Tinba, is a trojan that uses man-in-the-middle attacks to steal banking information. When executed, it injects itself into legitimate Windows processes such as "explorer.exe" and "winver.exe." When the user accesses a banking website, it displays a form to trick the user into submitting personal information.	0ddad3606a7b0a0edf9220d1fe6a340b	https://blog.talosintelligence.com/2022/02/threat-roundup-0128-0204.html SHA256: 0b7202dc4423ddaee59eff6909185052bc8c0cbd3cbe4e5224db8e83b935ec23 SHA1: f0e0664b824d9b4ae3dc0df6abd0ec766a9a38e7 MD5: 0ddad3606a7b0a0edf9220d1fe6a340b
M22-M2018	DarkComet_32ed49d7	Windows	This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system. Capabilities of this malware include the ability to download files from a user's machine, mechanisms for persistence and hiding, and the ability to send back usernames and passwords from the infected system.	32ed49d7aacbf433448690794ffa9cd0	https://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html SHA256: 21454d9e2f5e0c502b423ffadbbe802ae69f81a99fbc7c50817b1f80a083cf1a SHA1: baeb9263bef0853ebf9a5fcf6ac5008208c56b7d MD5: 32ed49d7aacbf433448690794ffa9cd0
M22-M204d	Zusy_cba5b2bb	Windows	This strike sends a malware sample known as Zusy. Zusy, also known as TinyBanker or Tinba, is a trojan that uses man-in-the-middle attacks to steal banking information. When executed, it injects itself into legitimate Windows processes such as "explorer.exe" and "winver.exe." When the user accesses a banking website, it displays a form to trick the user into submitting personal information.	cba5b2bb7a701a6900a05c75ff171e9e	https://blog.talosintelligence.com/2022/02/threat-roundup-0128-0204.html SHA256: 19af3fe3c191528c15b3c9f791e02edc82eadab9126881da5f4ea4baa234f8c2 SHA1: 2e46541f911372c6d8e1dcc9f132e475137964e4 MD5: cba5b2bb7a701a6900a05c75ff171e9e
M22-M205f	DarkComet_5fdfd1ed	Windows	This strike sends a polymorphic malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system. Capabilities of this malware include the ability to download files from a user's machine, mechanisms for persistence and hiding, and the ability to send back usernames and passwords from the infected system.The binary has random contents appended in one of the existing sections in the PE file format.	5fdfd1edd86e6752cc76e9de5d5d17e1	https://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html SHA256: 985928908e3e74a75ca9e2511a37df3316e9d4b507d0ca2ea4f0229466f64af3 https://arxiv.org/abs/1801.08917 PARENTID: M22-M2012 SSDEEP: 24576:ou6J33O0c+JY5UZ+XC0kGso6FaLIk0LMgjYxLBzp6q+OTwyI2JfCWYC:Cu0c++OCvkGs9Fa5jYC SHA1: 281885861e6727a448b48ef5afd969c4fc1eba69 MD5: 5fdfd1edd86e6752cc76e9de5d5d17e1
M22-M207a	HermeticWiper_bc0c5e0c	Windows	This strike sends a polymorphic malware sample known as HermeticWiper. In February 2022 a new wave of wiper attacks against the country of Ukraine was detected. The malware HermeticWiper exhibits similar functionality to the previous wiper malware WhisperGate used in cyber attacks against Ukraine. Like WhisperGate this wiper malware will target the Master Boot Record and attempt to destroy it. It also includes a component that will enumerate the system partitions and wipe all files on the targeted system.The binary has the checksum removed in the PE file format.	bc0c5e0c68b810559f552827f80b81c2	https://securityintelligence.com/posts/new-destructive-malware-cyber-attacks-ukraine/ https://www.sentinelone.com/labs/hermetic-wiper-ukraine-under-attack/ https://blog.talosintelligence.com/2022/02/threat-advisory-hermeticwiper.html SHA256: 165a77eb420073f2c552d04bdf12187aa434182c21ff0f1e53dbe0fc361ef5a9 https://arxiv.org/abs/1801.08917 PARENTID: M22-M2020 SSDEEP: 1536:iBOoa7Nn52wurilmw9BgjKu1sPPxaSLyqC:iBOoa7P2wxlPwV1qPkSuqC SHA1: 8c79d721dc7f5680c93a1d205dc1e71fc50e15a9 MD5: bc0c5e0c68b810559f552827f80b81c2
M22-M2019	Zusy_355c4601	Windows	This strike sends a malware sample known as Zusy. Zusy, also known as TinyBanker or Tinba, is a trojan that uses man-in-the-middle attacks to steal banking information. When executed, it injects itself into legitimate Windows processes such as "explorer.exe" and "winver.exe." When the user accesses a banking website, it displays a form to trick the user into submitting personal information.	355c4601a27a7a4b62b75b9ca171e6bf	https://blog.talosintelligence.com/2022/02/threat-roundup-0128-0204.html SHA256: 6a295f8b9884fd1587f933876681928e002a5d320e460d1a97597462e60ef8ad SHA1: 3644f5430561253a0151c2c7835ab3f36812ca13 MD5: 355c4601a27a7a4b62b75b9ca171e6bf
M22-M2051	TeslaCrypt_da37801e	Windows	This strike sends a malware sample known as TeslaCrypt. This ransomware demands Bitcoin in order to decrypt files from the system.	da37801eb453924749147d77069cb557	https://blog.talosintelligence.com/2022/02/threat-roundup-0128-0204.html SHA256: e808cf87d4055be30c9144a5d053b6314483f7800e0158b3614fa2ad266671c7 SHA1: 662a641b5bbbe07655501cefbf3adabf8f75ecd9 MD5: da37801eb453924749147d77069cb557
M22-M203f	Zegost_ac8f541f	Windows	This strike sends a malware sample known as Zegost. Zegost, also known as Zusy, steals banking information. It displays a form to trick the user into submitting personal information when visiting a banking website.	ac8f541ff183fc73e5a64b212ef95fff	https://blog.talosintelligence.com/2022/02/threat-roundup-0211-0218.html SHA256: 0df341a84058a607e05a87adbee0e3a4420629c64aa08c379909a471130114ca SHA1: d3ad323d5418d33b4324c1ced923808cd67101af MD5: ac8f541ff183fc73e5a64b212ef95fff
M22-M2085	HermeticWiper_fdfbd04e	Windows	This strike sends a polymorphic malware sample known as HermeticWiper. In February 2022 a new wave of wiper attacks against the country of Ukraine was detected. The malware HermeticWiper exhibits similar functionality to the previous wiper malware WhisperGate used in cyber attacks against Ukraine. Like WhisperGate this wiper malware will target the Master Boot Record and attempt to destroy it. It also includes a component that will enumerate the system partitions and wipe all files on the targeted system.The binary has random strings (lorem ipsum) appended at the end of the file.	fdfbd04e7ff74c3cddc315f739f241ff	https://securityintelligence.com/posts/new-destructive-malware-cyber-attacks-ukraine/ https://www.sentinelone.com/labs/hermetic-wiper-ukraine-under-attack/ https://blog.talosintelligence.com/2022/02/threat-advisory-hermeticwiper.html SHA256: 92cd84467344d9103d95490e71bc28c98d04032e5a138da3c28808e4fd5bfa16 https://attack.mitre.org/techniques/T1009/ PARENTID: M22-M2037 SSDEEP: 1536:lV3+WmNcWbwurilmw9BgjKu1sPPxaS5qx:lV3+WmjbwxlPwV1qPkS5qx SHA1: 0c810028c1f4e2d5094948ab8246ff8d1894c0f1 MD5: fdfbd04e7ff74c3cddc315f739f241ff
M22-M2079	HermeticWiper_baa339df	Windows	This strike sends a polymorphic malware sample known as HermeticWiper. In February 2022 a new wave of wiper attacks against the country of Ukraine was detected. The malware HermeticWiper exhibits similar functionality to the previous wiper malware WhisperGate used in cyber attacks against Ukraine. Like WhisperGate this wiper malware will target the Master Boot Record and attempt to destroy it. It also includes a component that will enumerate the system partitions and wipe all files on the targeted system.The binary has random contents appended in one of the existing sections in the PE file format.	baa339dfc70bd3094bed69f773db5338	https://securityintelligence.com/posts/new-destructive-malware-cyber-attacks-ukraine/ https://www.sentinelone.com/labs/hermetic-wiper-ukraine-under-attack/ https://blog.talosintelligence.com/2022/02/threat-advisory-hermeticwiper.html SHA256: 28ba388e2c0130e0f10efc26a789a97c3fff8f771c049f4892d30526737511e7 https://arxiv.org/abs/1801.08917 PARENTID: M22-M2020 SSDEEP: 1536:sBOoa7Nn52wurilmw9BgjKu1sPPxaStyqC:sBOoa7P2wxlPwV1qPkSIqC SHA1: c7450700fe024e0e35a49b01b39c7a5616104b6d MD5: baa339dfc70bd3094bed69f773db5338
M22-M2063	HermeticWiper_14f42b51	Windows	This strike sends a polymorphic malware sample known as HermeticWiper. In February 2022 a new wave of wiper attacks against the country of Ukraine was detected. The malware HermeticWiper exhibits similar functionality to the previous wiper malware WhisperGate used in cyber attacks against Ukraine. Like WhisperGate this wiper malware will target the Master Boot Record and attempt to destroy it. It also includes a component that will enumerate the system partitions and wipe all files on the targeted system.The binary has the debug flag removed in the PE file format.	14f42b516044fc2db11745ad9c557ed9	https://securityintelligence.com/posts/new-destructive-malware-cyber-attacks-ukraine/ https://www.sentinelone.com/labs/hermetic-wiper-ukraine-under-attack/ https://blog.talosintelligence.com/2022/02/threat-advisory-hermeticwiper.html SHA256: 0e9d82ea6402a564ebba6a03afce3846032e2c4d27a1f8f4857706b160728cfa https://arxiv.org/abs/1801.08917 PARENTID: M22-M2020 SSDEEP: 1536:MBOoa7Nn52wurilmw9BgjKu1sPPxaSLyqC:MBOoa7P2wxlPwV1qPkSuqC SHA1: a57c09ed4a4b766bd5d2f34e58d61d99489c16f0 MD5: 14f42b516044fc2db11745ad9c557ed9
M22-M200b	DarkComet_156fcf96	Windows	This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system. Capabilities of this malware include the ability to download files from a user's machine, mechanisms for persistence and hiding, and the ability to send back usernames and passwords from the infected system.	156fcf96d11dc0072bad9750a07a4586	https://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html SHA256: b17c1f8063ba70ecef31071a6c51117953dddf37d4b54c1a92b01525cb44c38f SHA1: 92da949918bef107f4d777727dc142338adc4e80 MD5: 156fcf96d11dc0072bad9750a07a4586
M22-M2066	DarkComet_37ca3c3b	Windows	This strike sends a polymorphic malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system. Capabilities of this malware include the ability to download files from a user's machine, mechanisms for persistence and hiding, and the ability to send back usernames and passwords from the infected system.The binary has the checksum removed in the PE file format.	37ca3c3b0beed927bb5e6f8954975364	https://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html SHA256: 4f4ed94cd62f280d739a491af738785a35d27abdb062c3a5c63138067372287f https://arxiv.org/abs/1801.08917 PARENTID: M22-M2012 SSDEEP: 24576:8u6J33O0c+JY5UZ+XC0kGso6FaLIk0LMgjYxLBzp6q+OTwyI2JftWYC:mu0c++OCvkGs9Fa5iYC SHA1: 9ab4cbda65f7e42be2175d0f52c51c19cd9ae18f MD5: 37ca3c3b0beed927bb5e6f8954975364
M22-M2033	LokiBot_757d1361	Windows	This strike sends a malware sample known as LokiBot. Lokibot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered via spam emails.	757d13617a9b81777d56e85544fc1855	https://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html SHA256: 7d00f5ccb1d443866e2d25a96377ea39787b825cf5dcd099cead7baa630e98a0 SHA1: 05bbe7c2deee5e5922fecf52bf97f85417a6c752 MD5: 757d13617a9b81777d56e85544fc1855
M22-M2082	HermeticWiper_e19137f2	Windows	This strike sends a polymorphic malware sample known as HermeticWiper. In February 2022 a new wave of wiper attacks against the country of Ukraine was detected. The malware HermeticWiper exhibits similar functionality to the previous wiper malware WhisperGate used in cyber attacks against Ukraine. Like WhisperGate this wiper malware will target the Master Boot Record and attempt to destroy it. It also includes a component that will enumerate the system partitions and wipe all files on the targeted system.The binary has random bytes appended at the end of the file.	e19137f2f707150493887c1504c3a794	https://securityintelligence.com/posts/new-destructive-malware-cyber-attacks-ukraine/ https://www.sentinelone.com/labs/hermetic-wiper-ukraine-under-attack/ https://blog.talosintelligence.com/2022/02/threat-advisory-hermeticwiper.html SHA256: e74f69c977d21ca0641190b3acfb9b6448251555347ab83d3dfa49081c2a5ac8 https://attack.mitre.org/techniques/T1009/ PARENTID: M22-M2037 SSDEEP: 1536:lV3+WmNcWbwurilmw9BgjKu1sPPxaS5qB:lV3+WmjbwxlPwV1qPkS5qB SHA1: abd212226f06035afbf14904f102e9417f2ff66c MD5: e19137f2f707150493887c1504c3a794
M22-M2016	Zegost_2e7bc9b2	Windows	This strike sends a malware sample known as Zegost. Zegost, also known as Zusy, steals banking information. It displays a form to trick the user into submitting personal information when visiting a banking website.	2e7bc9b2ca377b14f5cb26fc719792db	https://blog.talosintelligence.com/2022/02/threat-roundup-0211-0218.html SHA256: 838047d0b03b917a014790a9b9bffbbff55586c54dbcd9d280d8e2273e0772b9 SHA1: deb409fa743ed43d5364d973c665ffa2308f3490 MD5: 2e7bc9b2ca377b14f5cb26fc719792db
M22-M207c	TeslaCrypt_c0fb9afc	Windows	This strike sends a polymorphic malware sample known as TeslaCrypt. This ransomware demands Bitcoin in order to decrypt files from the system.The binary has the checksum removed in the PE file format.	c0fb9afc7f80a40fc173f6ff0c42d227	https://blog.talosintelligence.com/2022/02/threat-roundup-0128-0204.html SHA256: 20a7f9763e0fb48d09f5b3e296343945f4570b1cd2d38b81010578bee3cf953a https://arxiv.org/abs/1801.08917 PARENTID: M22-M2028 SSDEEP: 6144:Mh2e1caZ4pfJWlMmPaHzCygqIt1CtqmpRWhy:Mh2e1ca+RWlhEC9t1CPpiy SHA1: e1d98253af21d8a605bcfbb5730e63aad4a94490 MD5: c0fb9afc7f80a40fc173f6ff0c42d227
M22-M2021	Zegost_41c3eb41	Windows	This strike sends a malware sample known as Zegost. Zegost, also known as Zusy, steals banking information. It displays a form to trick the user into submitting personal information when visiting a banking website.	41c3eb4117d78836fa43acbb3fd1a362	https://blog.talosintelligence.com/2022/02/threat-roundup-0211-0218.html SHA256: 4719095e1edd925caacc1c3d3229d60d1459f21b89e6a2529e3c0e73fb8e7630 SHA1: e7566ec9eb4371a3443d024e6bca259410f32619 MD5: 41c3eb4117d78836fa43acbb3fd1a362
M22-M2072	LokiBot_944824b4	Windows	This strike sends a polymorphic malware sample known as LokiBot. Lokibot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered via spam emails.The binary has random contents appended in one of the existing sections in the PE file format.	944824b422c4603b89cc48a8a68420f6	https://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html SHA256: 757eb9ec97107eab5d3306a507819280e7be37513e94cbf49c395185f4f76978 https://arxiv.org/abs/1801.08917 PARENTID: M22-M2056 SSDEEP: 24576:42aJkRtJ5kI3PytBh9TE/QW/SVg+mbGeD:42a6tfQP9E8g1 SHA1: 8e2cd77b633e3a48817911568963005900fb5d42 MD5: 944824b422c4603b89cc48a8a68420f6
M22-M2030	Zegost_67539483	Windows	This strike sends a malware sample known as Zegost. Zegost, also known as Zusy, steals banking information. It displays a form to trick the user into submitting personal information when visiting a banking website.	6753948390a4c7be1624520222b28b58	https://blog.talosintelligence.com/2022/02/threat-roundup-0211-0218.html SHA256: 3a6259022334a4b6e1be149d26f3455cb5b796fe1f5d897bb3b89af91af1cbec SHA1: fa27fbb89ee75258d4e5673bf76d2bc1bfee4636 MD5: 6753948390a4c7be1624520222b28b58
M22-M2007	Zegost_09e295bd	Windows	This strike sends a malware sample known as Zegost. Zegost, also known as Zusy, steals banking information. It displays a form to trick the user into submitting personal information when visiting a banking website.	09e295bd6b7c1d6714e107f28e5414f5	https://blog.talosintelligence.com/2022/02/threat-roundup-0211-0218.html SHA256: 8951fc109c179cecfa54dd57cf89e18221c1b4aeb9321c4589ed4c9b259a1bae SHA1: 72ff1d122e6ab8c661089fdfa5489ff283453e44 MD5: 09e295bd6b7c1d6714e107f28e5414f5
M22-M202f	TeslaCrypt_6266203e	Windows	This strike sends a malware sample known as TeslaCrypt. This ransomware demands Bitcoin in order to decrypt files from the system.	6266203ec37b67ad31e71d3216f3fe90	https://blog.talosintelligence.com/2022/02/threat-roundup-0128-0204.html SHA256: 498683c0be028065930ab7985b7cba9a1620a3724d4fa7424b7221a231f34bb1 SHA1: 1e0adc7cac2fac72314fab7477d5aafc5d5116e6 MD5: 6266203ec37b67ad31e71d3216f3fe90
M22-M207d	HermeticWiper_c7eb0c34	Windows	This strike sends a polymorphic malware sample known as HermeticWiper. In February 2022 a new wave of wiper attacks against the country of Ukraine was detected. The malware HermeticWiper exhibits similar functionality to the previous wiper malware WhisperGate used in cyber attacks against Ukraine. Like WhisperGate this wiper malware will target the Master Boot Record and attempt to destroy it. It also includes a component that will enumerate the system partitions and wipe all files on the targeted system.The binary has been packed using upx packer, with the default options.	c7eb0c341441550dd0743e6a992c4c3f	https://securityintelligence.com/posts/new-destructive-malware-cyber-attacks-ukraine/ https://www.sentinelone.com/labs/hermetic-wiper-ukraine-under-attack/ https://blog.talosintelligence.com/2022/02/threat-advisory-hermeticwiper.html SHA256: ff89c35022d7652a7b73741a7635ad3644dce2f515d8cacf2c649d9a7deb2b44 https://attack.mitre.org/techniques/T1045/ PARENTID: M22-M2037 SSDEEP: 768:8p/K6b01mzkpuZKVS7pK711znmwdfFFvVW1Lj5sVdO2ktC9WFG5BDtK92xiTSIBC:8p/Smzkpurmlmw9Bgj5u1suPxaSI2qY SHA1: b784f1d19f5ff02569fdb3da858e7ed87614c1e9 MD5: c7eb0c341441550dd0743e6a992c4c3f
M22-M2005	Zegost_06e1716a	Windows	This strike sends a malware sample known as Zegost. Zegost, also known as Zusy, steals banking information. It displays a form to trick the user into submitting personal information when visiting a banking website.	06e1716af034046c88874d7d338afbe9	https://blog.talosintelligence.com/2022/02/threat-roundup-0211-0218.html SHA256: 905d0ed169077965fe1d10c33041295edbb3717967c37512e5b602c1e54ca40b SHA1: bf77dd347e1d28424f3230ea563817ac0e6716c8 MD5: 06e1716af034046c88874d7d338afbe9
M22-M200a	WhisperGate	Windows	This strike sends a malware sample known as WhisperGate Downloader. In January 2022 the WhisperGate malware was detected in cyber attacks being conducted against the Ukrainian Government. WhisperGate is a multi-stage malware that masquerades as ransomware. It downloads a payload that wipes the MBR, then downloads a malicious file from a Discord server. This last file drops and executes a final wiper payload that enumerates the drives on the system and proceeds to wipe all files with specific extensions. This sample is the Downloader.	14c8482f302b5e81e3fa1b18a509289d	https://www.zdnet.com/article/researchers-break-down-whispergate-wiper-malware-used-in-ukraine-website-defacement/ https://blog.talosintelligence.com/2022/01/ukraine-campaign-delivers-defacement.html https://www.computerweekly.com/news/252512491/More-intel-emerges-on-WhisperGate-malware-that-hit-Ukraine SHA256: dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78 SHA1: 16525cb2fd86dce842107eb1ba6174b23f188537 MD5: 14c8482f302b5e81e3fa1b18a509289d
M22-M204e	Zegost_d095518b	Windows	This strike sends a malware sample known as Zegost. Zegost, also known as Zusy, steals banking information. It displays a form to trick the user into submitting personal information when visiting a banking website.	d095518bd11c6a6bb8737ae42a26fe4b	https://blog.talosintelligence.com/2022/02/threat-roundup-0211-0218.html SHA256: 16be4c10636f884b0d0f49c484c74cfff6ee3d1b1f1ac4efd5b73bd137b19207 SHA1: 1b32f006f029abf0099783b9cc96e146edd28bee MD5: d095518bd11c6a6bb8737ae42a26fe4b
M22-M203d	TeslaCrypt_a1606deb	Windows	This strike sends a malware sample known as TeslaCrypt. This ransomware demands Bitcoin in order to decrypt files from the system.	a1606deb54f2d523cf7d2266179fdf70	https://blog.talosintelligence.com/2022/02/threat-roundup-0128-0204.html SHA256: 1db9c6e37a0b18ebe5aadba9aaea71467e05aebeaa67b065592bb46a04d76368 SHA1: e94f80c4b7eb29b82e41bd9a51b4071a1e335b19 MD5: a1606deb54f2d523cf7d2266179fdf70
M22-M2065	WhisperKill	Windows	This strike sends a polymorphic malware sample known as WhisperKill Wiper. In January 2022 the WhisperGate malware was detected in cyber attacks being conducted against the Ukrainian Government. WhisperGate is a multi-stage malware that masquerades as ransomware. It downloads a payload that wipes the MBR, then downloads a malicious file from a Discord server. This last file drops and executes a final wiper payload that enumerates the drives on the system and proceeds to wipe all files with specific extensions. This sample is the final wiper.The binary has been packed using upx packer, with the default options.	22bd9ed61d794576b42ccc477dc53e00	https://www.zdnet.com/article/researchers-break-down-whispergate-wiper-malware-used-in-ukraine-website-defacement/ https://blog.talosintelligence.com/2022/01/ukraine-campaign-delivers-defacement.html https://www.computerweekly.com/news/252512491/More-intel-emerges-on-WhisperGate-malware-that-hit-Ukraine SHA256: 24e9b86b92918c3731fa6126c70532c79507c8041b8e6bf1e1c007aa8a9ac025 https://attack.mitre.org/techniques/T1045/ PARENTID: M22-M201c SSDEEP: 192:V41yhRtPbZDqGOphy9kpysmAX1uFkbnjmNc05h8GHuo/RdBJwh9YF5te:210dbRqDhAsluFKiYkNJY9+5w SHA1: 801c2bfe0c28b3b9c22b9e654e6ac1c51c89ab53 MD5: 22bd9ed61d794576b42ccc477dc53e00
M22-M2008	Zusy_0c2339be	Windows	This strike sends a malware sample known as Zusy. Zusy, also known as TinyBanker or Tinba, is a trojan that uses man-in-the-middle attacks to steal banking information. When executed, it injects itself into legitimate Windows processes such as "explorer.exe" and "winver.exe." When the user accesses a banking website, it displays a form to trick the user into submitting personal information.	0c2339bed4022b2a2d241f14852eb426	https://blog.talosintelligence.com/2022/02/threat-roundup-0128-0204.html SHA256: 17289d65e7d2101e7b65d329981ff99e71a0896222d3c81e77b0fc196d995c17 SHA1: 3881955d3ae41664351704017766774cee49f3b3 MD5: 0c2339bed4022b2a2d241f14852eb426
M22-M2061	LokiBot_9a4c1fb2	Windows	This strike sends a polymorphic malware sample known as LokiBot. Lokibot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered via spam emails.The binary has random bytes appended at the end of the file.	9a4c1fb2d9f082a73e5bddc76573d1b3	https://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html SHA256: 3e6ef81533f4a048757186ba98c1426788980f6a964d56c96780d1c1cd630230 https://attack.mitre.org/techniques/T1009/ PARENTID: M22-M2056 SSDEEP: 24576:h2aJkRtJ5kI3PytBh9TE/QW/SVg+mbGe6:h2a6tfQP9E8gY SHA1: 2c9460b7ffd428b6b5bc3e176c2706d28ae584fc MD5: 9a4c1fb2d9f082a73e5bddc76573d1b3
M22-M2047	Zusy_be37ac96	Windows	This strike sends a malware sample known as Zusy. Zusy, also known as TinyBanker or Tinba, is a trojan that uses man-in-the-middle attacks to steal banking information. When executed, it injects itself into legitimate Windows processes such as "explorer.exe" and "winver.exe." When the user accesses a banking website, it displays a form to trick the user into submitting personal information.	be37ac96a8cb08a2184662e533b5f5e4	https://blog.talosintelligence.com/2022/02/threat-roundup-0128-0204.html SHA256: 72c7b16114c3154dde6f62ba063379a880c8aaac76f9778be5db9f4f3efc26fa SHA1: 92b4455012c3a22d067f2a85bbf7043e33bdd96c MD5: be37ac96a8cb08a2184662e533b5f5e4
M22-M2039	Zusy_8e730c2e	Windows	This strike sends a malware sample known as Zusy. Zusy, also known as TinyBanker or Tinba, is a trojan that uses man-in-the-middle attacks to steal banking information. When executed, it injects itself into legitimate Windows processes such as "explorer.exe" and "winver.exe." When the user accesses a banking website, it displays a form to trick the user into submitting personal information.	8e730c2ea7244f28a948842fbe6f094a	https://blog.talosintelligence.com/2022/02/threat-roundup-0128-0204.html SHA256: 84f841117194485e3d6e26059e1b6336b45d02a9fa68a61cf611a2e54cd6f6a9 SHA1: d4e62d618b3da78c24dd437ebe715b4c007391e6 MD5: 8e730c2ea7244f28a948842fbe6f094a
M22-M2074	LokiBot_a0294d29	Windows	This strike sends a polymorphic malware sample known as LokiBot. Lokibot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered via spam emails.The binary has random strings (lorem ipsum) appended at the end of the file.	a0294d29cced97c582a53fd7e42922ee	https://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html SHA256: e25e3d5623348684b2108ffb86c4645638c47780676f41ab0e1375ca4a0efb27 https://attack.mitre.org/techniques/T1009/ PARENTID: M22-M2038 SSDEEP: 12288:UHWahqZ6LrIR5J+DWkmy/Q/xfXj58jBUfbYWa0mcVAMGtW+hU6hhhhhhhhhhhhhR:U2aJkRtJ5kI3PytBhUmbpdxQhvGeK SHA1: dc04a7f3a2346e6716a1e7f8791dbc5e9e4a60ab MD5: a0294d29cced97c582a53fd7e42922ee
M22-M202a	TeslaCrypt_57b0420e	Windows	This strike sends a malware sample known as TeslaCrypt. This ransomware demands Bitcoin in order to decrypt files from the system.	57b0420ebd965ccc489ab60cde9320a0	https://blog.talosintelligence.com/2022/02/threat-roundup-0128-0204.html SHA256: b2420aa8633408ef67a8c5e80df4a3aa061eb561649d887f5aa55481d350b655 SHA1: e8698075aacdcc79003a9decba4021f580c9c9dc MD5: 57b0420ebd965ccc489ab60cde9320a0
M22-M2078	WhisperGate	Windows	This strike sends a polymorphic malware sample known as WhisperGate Downloader. In January 2022 the WhisperGate malware was detected in cyber attacks being conducted against the Ukrainian Government. WhisperGate is a multi-stage malware that masquerades as ransomware. It downloads a payload that wipes the MBR, then downloads a malicious file from a Discord server. This last file drops and executes a final wiper payload that enumerates the drives on the system and proceeds to wipe all files with specific extensions. This sample is the Downloader.The binary has random strings (lorem ipsum) appended at the end of the file.	ba93cdc021c860abd7015f933b4b795e	https://www.zdnet.com/article/researchers-break-down-whispergate-wiper-malware-used-in-ukraine-website-defacement/ https://blog.talosintelligence.com/2022/01/ukraine-campaign-delivers-defacement.html https://www.computerweekly.com/news/252512491/More-intel-emerges-on-WhisperGate-malware-that-hit-Ukraine SHA256: 74beb7e3c2702a70e2ee3c1a2c16be538ec98673429a8618c4121b3f2d5c97da https://attack.mitre.org/techniques/T1009/ PARENTID: M22-M200a SSDEEP: 3072:vf1GlJZUnjNbGgNQfYySIHiP1WLz4PcSOvG2jxg:FbGoJ8iP19PjmGyW SHA1: 284a58ae64d707425ae1a1d7b595446aef0bed27 MD5: ba93cdc021c860abd7015f933b4b795e
M22-M2053	WhisperGate	Windows	This strike sends a malware sample known as WhisperGate DLL Loader. In January 2022 the WhisperGate malware was detected in cyber attacks being conducted against the Ukrainian Government. WhisperGate is a multi-stage malware that masquerades as ransomware. It downloads a payload that wipes the MBR, then downloads a malicious file from a Discord server. This last file drops and executes a final wiper payload that enumerates the drives on the system and proceeds to wipe all files with specific extensions. This sample is the DLL Loader.	e61518ae9454a563b8f842286bbdb87b	https://blog.talosintelligence.com/2022/01/ukraine-campaign-delivers-defacement.html https://www.computerweekly.com/news/252512491/More-intel-emerges-on-WhisperGate-malware-that-hit-Ukraine https://www.zdnet.com/article/researchers-break-down-whispergate-wiper-malware-used-in-ukraine-website-defacement/ SHA256: 9ef7dbd3da51332a78eff19146d21c82957821e464e8133e9594a07d716d892d SHA1: 82d29b52e35e7938e7ee610c04ea9daaf5e08e90 MD5: e61518ae9454a563b8f842286bbdb87b
M22-M203c	Zusy_9a973d35	Windows	This strike sends a malware sample known as Zusy. Zusy, also known as TinyBanker or Tinba, is a trojan that uses man-in-the-middle attacks to steal banking information. When executed, it injects itself into legitimate Windows processes such as "explorer.exe" and "winver.exe." When the user accesses a banking website, it displays a form to trick the user into submitting personal information.	9a973d3584fcc63bb12b28f2048da7af	https://blog.talosintelligence.com/2022/02/threat-roundup-0128-0204.html SHA256: 47bca02db3899ec836de3305355861f86a7dccca64710b3f0e7ae5c7a2588440 SHA1: deb734e8ec0918f70e8e26026ff2520123c8a486 MD5: 9a973d3584fcc63bb12b28f2048da7af
M22-M2017	Zusy_32c78bb6	Windows	This strike sends a malware sample known as Zusy. Zusy, also known as TinyBanker or Tinba, is a trojan that uses man-in-the-middle attacks to steal banking information. When executed, it injects itself into legitimate Windows processes such as "explorer.exe" and "winver.exe." When the user accesses a banking website, it displays a form to trick the user into submitting personal information.	32c78bb6fafc6c41a529ba89f169d84f	https://blog.talosintelligence.com/2022/02/threat-roundup-0128-0204.html SHA256: 2f9b960d63a40d84ec185011dc06eaab64badb323f272c880934205e8a51819c SHA1: 1d461e482dccdbd6fa8df00a294b01e288929f31 MD5: 32c78bb6fafc6c41a529ba89f169d84f
M22-M203b	LokiBot_928bd458	Windows	This strike sends a malware sample known as LokiBot. Lokibot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered via spam emails.	928bd4584eac8e3b8393510bb010cd20	https://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html SHA256: c197343a6c7b1581b2d200e85869d7751b13549ff109b70ae5abd3b838fdea3a SHA1: da3f366e88c54cb85efaf88777f678df89b7d746 MD5: 928bd4584eac8e3b8393510bb010cd20
M22-M207e	TeslaCrypt_c4644580	Windows	This strike sends a polymorphic malware sample known as TeslaCrypt. This ransomware demands Bitcoin in order to decrypt files from the system.The binary file has one more imports added in the import table.	c464458070c7909d7de471e5630592f0	https://blog.talosintelligence.com/2022/02/threat-roundup-0128-0204.html SHA256: 9f060c5f82a9c5096ef96cad80a58c42026d5423bd5a69cf4b132a8d3e050eb9 https://arxiv.org/abs/1702.05983 PARENTID: M22-M203d SSDEEP: 6144:VGE1/8ca6OYIJfw7Z81k/q0MdRuOt01le0JVSH/ISna:Vn10ca1Yt0kiz/1SeaUfvna SHA1: ace4cd4e0cd1b3907892f3f14cd598baf69c5a0c MD5: c464458070c7909d7de471e5630592f0
M22-M2026	Zusy_4b742a09	Windows	This strike sends a malware sample known as Zusy. Zusy, also known as TinyBanker or Tinba, is a trojan that uses man-in-the-middle attacks to steal banking information. When executed, it injects itself into legitimate Windows processes such as "explorer.exe" and "winver.exe." When the user accesses a banking website, it displays a form to trick the user into submitting personal information.	4b742a093c100801a449d3fb2b040b85	https://blog.talosintelligence.com/2022/02/threat-roundup-0128-0204.html SHA256: 01fe52b810897fec2b30b8d03bb5d08c44c03f8921c41f3252877a31bc250875 SHA1: 82ebabda64fa5137514e70ed3cc0889f6ecf18da MD5: 4b742a093c100801a449d3fb2b040b85
M22-M2059	Zegost_fb967cd2	Windows	This strike sends a malware sample known as Zegost. Zegost, also known as Zusy, steals banking information. It displays a form to trick the user into submitting personal information when visiting a banking website.	fb967cd2599061cb0a3dab0cade0fc3c	https://blog.talosintelligence.com/2022/02/threat-roundup-0211-0218.html SHA256: 353cc5166b6a6dd83a2972532af4fc0e14eb991e5539a8056b9ef2daebe8ad72 SHA1: b4f300f9795fe74bf8bc312a8b785b64025303a8 MD5: fb967cd2599061cb0a3dab0cade0fc3c
M22-M2032	Zusy_747cc78c	Windows	This strike sends a malware sample known as Zusy. Zusy, also known as TinyBanker or Tinba, is a trojan that uses man-in-the-middle attacks to steal banking information. When executed, it injects itself into legitimate Windows processes such as "explorer.exe" and "winver.exe." When the user accesses a banking website, it displays a form to trick the user into submitting personal information.	747cc78c975baa2992b25d27838f2d46	https://blog.talosintelligence.com/2022/02/threat-roundup-0128-0204.html SHA256: 1c774c5849f22f0660abf46fc8bc270f7d26b4c10cf619e71617c65933b1950b SHA1: 5972ccc8de5fb9a53eddb1091ad9a491dd15a1da MD5: 747cc78c975baa2992b25d27838f2d46
M22-M2048	LokiBot_c102ca2e	Windows	This strike sends a malware sample known as LokiBot. Lokibot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered via spam emails.	c102ca2e4e64d11889524a1b56fcd4ad	https://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html SHA256: c081e8dc858925158f65aa758764781f07476edc4641dbbd1d3acdab4a590a87 SHA1: 8b524b6aed6c8ecedd41245f219e52f2ee8201ee MD5: c102ca2e4e64d11889524a1b56fcd4ad
M22-M2054	TeslaCrypt_e99bd4d8	Windows	This strike sends a malware sample known as TeslaCrypt. This ransomware demands Bitcoin in order to decrypt files from the system.	e99bd4d8d715d93645c3850fc2c2e1d3	https://blog.talosintelligence.com/2022/02/threat-roundup-0128-0204.html SHA256: f17936397f6f9202ea8a728b07512ba8142fe7e224bf08cfbed0b247b3956ea4 SHA1: 57835afe231718783caee78e400ae22864d51ab5 MD5: e99bd4d8d715d93645c3850fc2c2e1d3
M22-M2067	DarkComet_52dc384a	Windows	This strike sends a polymorphic malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system. Capabilities of this malware include the ability to download files from a user's machine, mechanisms for persistence and hiding, and the ability to send back usernames and passwords from the infected system.The binary has random bytes appended at the end of the file.	52dc384a398e644786a67e03ce9011c7	https://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html SHA256: d9a081d6787c4519f5847162dfca3160bbd57bc3f8fa4f495cc4df2547cb0992 https://attack.mitre.org/techniques/T1009/ PARENTID: M22-M2012 SSDEEP: 24576:ou6J33O0c+JY5UZ+XC0kGso6FaLIk0LMgjYxLBzp6q+OTwyI2JfvWYA:Cu0c++OCvkGs9Fa5YYA SHA1: e703765a98b28d0e92d6aa615cd4547e59a68a59 MD5: 52dc384a398e644786a67e03ce9011c7
M22-M2057	Zusy_f94938b4	Windows	This strike sends a malware sample known as Zusy. Zusy, also known as TinyBanker or Tinba, is a trojan that uses man-in-the-middle attacks to steal banking information. When executed, it injects itself into legitimate Windows processes such as "explorer.exe" and "winver.exe." When the user accesses a banking website, it displays a form to trick the user into submitting personal information.	f94938b4aae9ff3f4dc976d3f8dd50fc	https://blog.talosintelligence.com/2022/02/threat-roundup-0128-0204.html SHA256: 44654adb36a0e86e49ece0f3d1193212d82779b5ac3a2f880a656cfddb52a2b9 SHA1: 6a5f443ec702c954602c73c8986458bc75a96746 MD5: f94938b4aae9ff3f4dc976d3f8dd50fc
M22-M2002	Zegost_02293aea	Windows	This strike sends a malware sample known as Zegost. Zegost, also known as Zusy, steals banking information. It displays a form to trick the user into submitting personal information when visiting a banking website.	02293aead10c7195514fbbaa749ee2dd	https://blog.talosintelligence.com/2022/02/threat-roundup-0211-0218.html SHA256: 8df588dee532e623cf1d4f4611646cf0bc645a13fb83b30acadac9814311bb2a SHA1: 3ea5ddd0793cfb75f861c5bafe325d9cd733dd44 MD5: 02293aead10c7195514fbbaa749ee2dd
M22-M2022	DarkComet_43e6cebc	Windows	This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system. Capabilities of this malware include the ability to download files from a user's machine, mechanisms for persistence and hiding, and the ability to send back usernames and passwords from the infected system.	43e6cebc5006c35d2566de39f4e008cf	https://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html SHA256: 33302b6dfc2b669df38aab7a4a7e74c512ce31ba3a5a9151aea435a86c36b738 SHA1: f6a803a720e683fdc76eecdde9748e5362b4b50f MD5: 43e6cebc5006c35d2566de39f4e008cf
M22-M204b	Zegost_c9c948c0	Windows	This strike sends a malware sample known as Zegost. Zegost, also known as Zusy, steals banking information. It displays a form to trick the user into submitting personal information when visiting a banking website.	c9c948c02a6cb14c046f9497e66196fb	https://blog.talosintelligence.com/2022/02/threat-roundup-0211-0218.html SHA256: a5ab1c7e194f1f5b1db207c3db41b3fac6d4a95f866ac6c109d5ab3c07e82581 SHA1: dbbf7098204ea8e25ec2533c2b1ef1644d58804d MD5: c9c948c02a6cb14c046f9497e66196fb
M22-M2027	TeslaCrypt_4bc07d04	Windows	This strike sends a malware sample known as TeslaCrypt. This ransomware demands Bitcoin in order to decrypt files from the system.	4bc07d04b3a595d727461619e72b8af2	https://blog.talosintelligence.com/2022/02/threat-roundup-0128-0204.html SHA256: d4577b3a267501cbd003cbdb898c03fe81eb14f9ddc1a7e71a5a54fa48fa27e2 SHA1: 46906f195e9ec04095cacfbd7ba393b7e2f4dd4b MD5: 4bc07d04b3a595d727461619e72b8af2
M22-M203e	Zegost_a69a7a2e	Windows	This strike sends a malware sample known as Zegost. Zegost, also known as Zusy, steals banking information. It displays a form to trick the user into submitting personal information when visiting a banking website.	a69a7a2eea907b80dd34b110efe6f09a	https://blog.talosintelligence.com/2022/02/threat-roundup-0211-0218.html SHA256: 3c9e8bc62d3af2c0e19d90638f49482f6fcecf830e9002ec2d2bdbc359841ba0 SHA1: 78e8efa5ef0e914333e6741128c56994a0f3d36c MD5: a69a7a2eea907b80dd34b110efe6f09a
M22-M2011	LokiBot_1f034f18	Windows	This strike sends a malware sample known as LokiBot. Lokibot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered via spam emails.	1f034f183595c871de3a55b22bed0720	https://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html SHA256: daf3e154beeb32370cf0a5cda571b3a84959a53da4c530a77696ecd1c24ab485 SHA1: 21b30af9714bca1aa58b254fe5ff34058bb8b10e MD5: 1f034f183595c871de3a55b22bed0720
M22-M2024	TeslaCrypt_48e0d4d3	Windows	This strike sends a malware sample known as TeslaCrypt. This ransomware demands Bitcoin in order to decrypt files from the system.	48e0d4d3fba9365813688afdf9bfbd1f	https://blog.talosintelligence.com/2022/02/threat-roundup-0128-0204.html SHA256: 2c956a9ce5e5964c8bcc0caf6be44ceed54c80e6c98f8b54aa2711904bb8dfa6 SHA1: 2e53cf0a23d64df1c51e3a89bfd8a9f7a75f2664 MD5: 48e0d4d3fba9365813688afdf9bfbd1f
M22-M2004	Zusy_041d343d	Windows	This strike sends a malware sample known as Zusy. Zusy, also known as TinyBanker or Tinba, is a trojan that uses man-in-the-middle attacks to steal banking information. When executed, it injects itself into legitimate Windows processes such as "explorer.exe" and "winver.exe." When the user accesses a banking website, it displays a form to trick the user into submitting personal information.	041d343d2c16b009b6b5cd1612feae3c	https://blog.talosintelligence.com/2022/02/threat-roundup-0128-0204.html SHA256: 4957c1f3ed393e71aa7875607d2b5e34c534058a81bd8709491ba809d8b208a0 SHA1: a7a1564bfb72917a53d805ff3528878907b0c9b0 MD5: 041d343d2c16b009b6b5cd1612feae3c
M22-M2046	LokiBot_bce8d497	Windows	This strike sends a malware sample known as LokiBot. Lokibot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered via spam emails.	bce8d497ea21fe3fee999190ed628c98	https://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html SHA256: 12cf795390f0849bce4b21f1987e7fbcc92f812accdbb1a297d00638ee3e0004 SHA1: 73005836cba5d27885571b6f037ccf0c8818e928 MD5: bce8d497ea21fe3fee999190ed628c98
M22-M201d	Zusy_3c720563	Windows	This strike sends a malware sample known as Zusy. Zusy, also known as TinyBanker or Tinba, is a trojan that uses man-in-the-middle attacks to steal banking information. When executed, it injects itself into legitimate Windows processes such as "explorer.exe" and "winver.exe." When the user accesses a banking website, it displays a form to trick the user into submitting personal information.	3c720563ec1c728ad4f8646c2b991d17	https://blog.talosintelligence.com/2022/02/threat-roundup-0128-0204.html SHA256: 818b73b6fcc1fdc0afab7e729a8ef3dda0f938450ea2c1533fe760d04f97d7d0 SHA1: f70f3c40e97ea464eb4bdb49717177db29b1360d MD5: 3c720563ec1c728ad4f8646c2b991d17
M22-M202e	Zegost_5d8c75df	Windows	This strike sends a malware sample known as Zegost. Zegost, also known as Zusy, steals banking information. It displays a form to trick the user into submitting personal information when visiting a banking website.	5d8c75dfa07e5982d2d90a282378e4cb	https://blog.talosintelligence.com/2022/02/threat-roundup-0211-0218.html SHA256: 824b14272e7b677bde8d172e8e1c20700fe5b9b69281bce4c6339aca0a22237c SHA1: c24bbb6d6b97d77f57b06004edfa62f3756b6349 MD5: 5d8c75dfa07e5982d2d90a282378e4cb
M22-M2037	HermeticWiper_84ba0197	Windows	This strike sends a malware sample known as HermeticWiper. In February 2022 a new wave of wiper attacks against the country of Ukraine was detected. The malware HermeticWiper exhibits similar functionality to the previous wiper malware WhisperGate used in cyber attacks against Ukraine. Like WhisperGate this wiper malware will target the Master Boot Record and attempt to destroy it. It also includes a component that will enumerate the system partitions and wipe all files on the targeted system.	84ba0197920fd3e2b7dfa719fee09d2f	https://securityintelligence.com/posts/new-destructive-malware-cyber-attacks-ukraine/ https://www.sentinelone.com/labs/hermetic-wiper-ukraine-under-attack/ https://blog.talosintelligence.com/2022/02/threat-advisory-hermeticwiper.html SHA256: 0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da SHA1: 912342f1c840a42f6b74132f8a7c4ffe7d40fb77 MD5: 84ba0197920fd3e2b7dfa719fee09d2f
M22-M2060	DarkComet_5ff45a27	Windows	This strike sends a polymorphic malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system. Capabilities of this malware include the ability to download files from a user's machine, mechanisms for persistence and hiding, and the ability to send back usernames and passwords from the infected system.The binary has a random section name renamed according to the PE format specification.	5ff45a27e2c9d3708240303a78e0be6e	https://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html SHA256: d6d0aa8c6b08f6a53c4bc815ce40b769d279c9daab3b8c85a093eef3453bdec8 https://arxiv.org/abs/1801.08917 PARENTID: M22-M2012 SSDEEP: 24576:Du6J33O0c+JY5UZ+XC0kGso6FaLIk0LMgjYxLBzp6q+OTwyI2JfvWYC:Nu0c++OCvkGs9Fa5YYC SHA1: 199b6096bcaa4a88bab9c7d05ee9af72657da272 MD5: 5ff45a27e2c9d3708240303a78e0be6e
M22-M202b	LokiBot_5c5ad7f3	Windows	This strike sends a malware sample known as LokiBot. Lokibot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered via spam emails.	5c5ad7f35533f46e30133dba9186d4b1	https://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html SHA256: ccdc34aa16b23192f0260b9c21529919f47c3b0e2e59034d512184b94267adc2 SHA1: e5eb457a706f6932483e483cbce8e7ada408edcc MD5: 5c5ad7f35533f46e30133dba9186d4b1
M22-M2049	DarkComet_c35d5775	Windows	This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system. Capabilities of this malware include the ability to download files from a user's machine, mechanisms for persistence and hiding, and the ability to send back usernames and passwords from the infected system.	c35d5775dd66aab590f8e41ca16c1b4a	https://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html SHA256: b40e00192ed4d4cf0c90e3c03c11124dae8fc7f2182be609b2c3efcc585a00be SHA1: 7f95b104ba268fedfb3565acefb71831276232d4 MD5: c35d5775dd66aab590f8e41ca16c1b4a
M22-M205e	HermeticWiper_5d693a27	Windows	This strike sends a polymorphic malware sample known as HermeticWiper. In February 2022 a new wave of wiper attacks against the country of Ukraine was detected. The malware HermeticWiper exhibits similar functionality to the previous wiper malware WhisperGate used in cyber attacks against Ukraine. Like WhisperGate this wiper malware will target the Master Boot Record and attempt to destroy it. It also includes a component that will enumerate the system partitions and wipe all files on the targeted system.The binary has random bytes appended at the end of the file.	5d693a277a0cd4ff86f2b43b193f8315	https://securityintelligence.com/posts/new-destructive-malware-cyber-attacks-ukraine/ https://www.sentinelone.com/labs/hermetic-wiper-ukraine-under-attack/ https://blog.talosintelligence.com/2022/02/threat-advisory-hermeticwiper.html SHA256: 38678e1368f88ec43c9bedd01573211950921823a072a5f99a84c7ede554f690 https://attack.mitre.org/techniques/T1009/ PARENTID: M22-M2020 SSDEEP: 1536:sBOoa7Nn52wurilmw9BgjKu1sPPxaSLyqB:sBOoa7P2wxlPwV1qPkSuqB SHA1: 20796d3509047fbdf77b00cfc3c5181521b21f2a MD5: 5d693a277a0cd4ff86f2b43b193f8315
M22-M2058	Zegost_f9e8a2f9	Windows	This strike sends a malware sample known as Zegost. Zegost, also known as Zusy, steals banking information. It displays a form to trick the user into submitting personal information when visiting a banking website.	f9e8a2f913ea31aba2f95c04f997e12d	https://blog.talosintelligence.com/2022/02/threat-roundup-0211-0218.html SHA256: 01bcef8aef33c9fed5117010204765eb15935727f5bd2d033a75496b38b2f752 SHA1: 8df610b2e0c058ed98e50427d7b118a0e278486c MD5: f9e8a2f913ea31aba2f95c04f997e12d
M22-M201e	Zusy_3d1be4d0	Windows	This strike sends a malware sample known as Zusy. Zusy, also known as TinyBanker or Tinba, is a trojan that uses man-in-the-middle attacks to steal banking information. When executed, it injects itself into legitimate Windows processes such as "explorer.exe" and "winver.exe." When the user accesses a banking website, it displays a form to trick the user into submitting personal information.	3d1be4d0b627ed1a301848bddfdbcc98	https://blog.talosintelligence.com/2022/02/threat-roundup-0128-0204.html SHA256: 31ac7c0592bc741aad0745d85adb24db0766978a6111593fa46606c8d57bad83 SHA1: 47279d9e692cd9edec9b1b466ce763909073df9e MD5: 3d1be4d0b627ed1a301848bddfdbcc98
M22-M201f	LokiBot_3f2e9256	Windows	This strike sends a malware sample known as LokiBot. Lokibot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered via spam emails.	3f2e92568e3e77e88dc3a0fbb6755a79	https://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html SHA256: 52864c84c299b950f3de76f8b8387d6ebda6726ded21d64a8ad565c25d4e4d52 SHA1: 524f502183d8bc44b6737f2673af65cf17286330 MD5: 3f2e92568e3e77e88dc3a0fbb6755a79
M22-M2069	LokiBot_67f5daf1	Windows	This strike sends a polymorphic malware sample known as LokiBot. Lokibot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered via spam emails.The binary has the checksum removed in the PE file format.	67f5daf17df5a86d4a89d9318402b84d	https://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html SHA256: c52285ad63b90190a97fb19a2f74f8baa9e2800604d925f436f95a12d73ce564 https://arxiv.org/abs/1801.08917 PARENTID: M22-M2038 SSDEEP: 12288:HHWahqZ6LrIR5J+DWkmy/Q/xfXj58jBUfbYWa0mcVAMGtW+hU6hhhhhhhhhhhhh4:H2aJkRtJ5kI3PytBhUmbpdxQhvGe7 SHA1: f1c53ebfc541ec4c335ace016509b4066afd675d MD5: 67f5daf17df5a86d4a89d9318402b84d
M22-M2034	Zusy_75cad729	Windows	This strike sends a malware sample known as Zusy. Zusy, also known as TinyBanker or Tinba, is a trojan that uses man-in-the-middle attacks to steal banking information. When executed, it injects itself into legitimate Windows processes such as "explorer.exe" and "winver.exe." When the user accesses a banking website, it displays a form to trick the user into submitting personal information.	75cad729ca6a900e3b169f3b8376fb23	https://blog.talosintelligence.com/2022/02/threat-roundup-0128-0204.html SHA256: 6ff434e99a93ca2f1cd000fcdadb7ee7122ad6bca1fc720304c1a4a08a1c0e6a SHA1: 5975b96e2b8a75be6a3339d5cc406ed9753e5daf MD5: 75cad729ca6a900e3b169f3b8376fb23
M22-M2056	LokiBot_eb9603a9	Windows	This strike sends a malware sample known as LokiBot. Lokibot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered via spam emails.	eb9603a9904e78f85911398887281718	https://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html SHA256: 076c8cd6b128aff0be52736591e26777d73497ff0b36a2f5ee9966ca051adf43 SHA1: b1c7a8b87c8d419d644acb7258d10f39feb268d3 MD5: eb9603a9904e78f85911398887281718
M22-M207f	DarkComet_cf9031f5	Windows	This strike sends a polymorphic malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system. Capabilities of this malware include the ability to download files from a user's machine, mechanisms for persistence and hiding, and the ability to send back usernames and passwords from the infected system.The binary has the debug flag removed in the PE file format.	cf9031f5f60e4c6dc23faa0a3a1d5b9b	https://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html SHA256: 3250c659fef55eba1a3f59a27f0318a83c0e08f4a6c09e8feb2757634f4c249c https://arxiv.org/abs/1801.08917 PARENTID: M22-M2012 SSDEEP: 24576:Yu6J33O0c+JY5UZ+XC0kGso6FaLIk0LMgjYxLBzp6q+OTwyI2JftWYC:Su0c++OCvkGs9Fa5iYC SHA1: cbe9ae693daacab2d8f3728151e716cadadcd52a MD5: cf9031f5f60e4c6dc23faa0a3a1d5b9b
M22-M2050	Zusy_d586ef3d	Windows	This strike sends a malware sample known as Zusy. Zusy, also known as TinyBanker or Tinba, is a trojan that uses man-in-the-middle attacks to steal banking information. When executed, it injects itself into legitimate Windows processes such as "explorer.exe" and "winver.exe." When the user accesses a banking website, it displays a form to trick the user into submitting personal information.	d586ef3d3ce938f2b02e8e6ee0d2c1a0	https://blog.talosintelligence.com/2022/02/threat-roundup-0128-0204.html SHA256: 1fe69a46cf7b96bc518b01a4f44ad5bdcf2581ec25faa3c6033c90cf8a8c6ee6 SHA1: 9b6d01b9f7c0b74b37b602e1fd6ef4cfa357f073 MD5: d586ef3d3ce938f2b02e8e6ee0d2c1a0
M22-M206c	TeslaCrypt_00658cac	Windows	This strike sends a polymorphic malware sample known as TeslaCrypt. This ransomware demands Bitcoin in order to decrypt files from the system.The binary has random strings (lorem ipsum) appended at the end of the file.	00658caca94f6d736a67b553302c7980	https://blog.talosintelligence.com/2022/02/threat-roundup-0128-0204.html SHA256: 24c6d53c53c1f3a0fc422cdf507ac7d5f50ecf00055be2ab3160e62c5c6726ae https://attack.mitre.org/techniques/T1009/ PARENTID: M22-M2028 SSDEEP: 6144:zh2e1caZ4pfJWlMmPaHzCygqIt1CtqmpRWhy2:zh2e1ca+RWlhEC9t1CPpiy2 SHA1: 02595b89063dc63043c76a1ab30094a464028a33 MD5: 00658caca94f6d736a67b553302c7980
M22-M2076	HermeticWiper_aa86953f	Windows	This strike sends a polymorphic malware sample known as HermeticWiper. In February 2022 a new wave of wiper attacks against the country of Ukraine was detected. The malware HermeticWiper exhibits similar functionality to the previous wiper malware WhisperGate used in cyber attacks against Ukraine. Like WhisperGate this wiper malware will target the Master Boot Record and attempt to destroy it. It also includes a component that will enumerate the system partitions and wipe all files on the targeted system.The binary has the debug flag removed in the PE file format.	aa86953f2915b113252c5c0a937329b4	https://securityintelligence.com/posts/new-destructive-malware-cyber-attacks-ukraine/ https://www.sentinelone.com/labs/hermetic-wiper-ukraine-under-attack/ https://blog.talosintelligence.com/2022/02/threat-advisory-hermeticwiper.html SHA256: 89aa7b09dd3b723bdd7868cd4d9e1af669d41db0b6061ce989aeb152f2cdc79d https://arxiv.org/abs/1801.08917 PARENTID: M22-M2037 SSDEEP: 1536:VV3+WmNcWbwurilmw9BgjKu1sPPxaS5qY:VV3+WmjbwxlPwV1qPkS5qY SHA1: d78fef0da8d27cd88c4d454f10b8dc61cd9eb33b MD5: aa86953f2915b113252c5c0a937329b4
M22-M2035	LokiBot_7a2ae5d5	Windows	This strike sends a malware sample known as LokiBot. Lokibot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered via spam emails.	7a2ae5d579597b4d8a6806011501e92a	https://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html SHA256: 43fbaf28a8db23ce81f85286b3316b6d3a352af0948bb58f01f7e929631f9740 SHA1: 292f65de36b407a3028aa7ebf019cd741e169a39 MD5: 7a2ae5d579597b4d8a6806011501e92a
M22-M2068	TeslaCrypt_55b87f03	Windows	This strike sends a polymorphic malware sample known as TeslaCrypt. This ransomware demands Bitcoin in order to decrypt files from the system.The binary has been packed using upx packer, with the default options.	55b87f0397e4600386250f2047c773c4	https://blog.talosintelligence.com/2022/02/threat-roundup-0128-0204.html SHA256: 9b2a334ea23e4a9a15bce7aaedc5b460f0decabc6ab4408f2427342cc0a0d878 https://attack.mitre.org/techniques/T1045/ PARENTID: M22-M203d SSDEEP: 3072:E0ODMDW33REr3AKRy1rqtIBgjTMuIoBOXnslp1cbsr9xA1xMKqMRlwJSJ15zkSD4:RAEr3AKRyVBIT2rnsCjxMK1RCJShzjva SHA1: 5b986c1beeec968d4f0b58de27061e92cbcf103f MD5: 55b87f0397e4600386250f2047c773c4
M22-M202d	WhisperGate	Windows	This strike sends a malware sample known as WhisperGate MBR Wiper. In January 2022 the WhisperGate malware was detected in cyber attacks being conducted against the Ukrainian Government. WhisperGate is a multi-stage malware that masquerades as ransomware. It downloads a payload that wipes the MBR, then downloads a malicious file from a Discord server. This last file drops and executes a final wiper payload that enumerates the drives on the system and proceeds to wipe all files with specific extensions. This sample is the MBR Wiper.	5d5c99a08a7d927346ca2dafa7973fc1	https://www.zdnet.com/article/researchers-break-down-whispergate-wiper-malware-used-in-ukraine-website-defacement/ https://blog.talosintelligence.com/2022/01/ukraine-campaign-delivers-defacement.html https://www.computerweekly.com/news/252512491/More-intel-emerges-on-WhisperGate-malware-that-hit-Ukraine SHA256: a196c6b8ffcb97ffb276d04f354696e2391311db3841ae16c8c9f56f36a38e92 SHA1: 189166d382c73c242ba45889d57980548d4ba37e MD5: 5d5c99a08a7d927346ca2dafa7973fc1
M22-M2031	Zegost_6da73d62	Windows	This strike sends a malware sample known as Zegost. Zegost, also known as Zusy, steals banking information. It displays a form to trick the user into submitting personal information when visiting a banking website.	6da73d62e3ad95ae34801c12a79e113f	https://blog.talosintelligence.com/2022/02/threat-roundup-0211-0218.html SHA256: 31d6e5b67f7d3ff6e8999a57a61c3969682bedbd89203868b199d8d486c49729 SHA1: 6bf9a691710d7d90bf54e46178879cf8bc7495bb MD5: 6da73d62e3ad95ae34801c12a79e113f
M22-M206e	LokiBot_862e155b	Windows	This strike sends a polymorphic malware sample known as LokiBot. Lokibot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered via spam emails.The binary has a random section name renamed according to the PE format specification.	862e155bf0110e49edb1f26847b9d4c0	https://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html SHA256: e1259b8d2d6bf42377353115725c1d20a9f80a2d35f44f61db4ad9f3e90fd9c4 https://arxiv.org/abs/1801.08917 PARENTID: M22-M2038 SSDEEP: 12288:THWahqZ6LrIR5J+DWkmy/Q/xfXj58jBUfbYWa0mcVAMGtW+hU6hhhhhhhhhhhhh4:T2aJkRtJ5kI3PytBhUmbpdxQhvGe7 SHA1: 6f2b29e7b6a4382398b794e51804720bd1b72f7c MD5: 862e155bf0110e49edb1f26847b9d4c0
M22-M2001	DarkComet_01a2e344	Windows	This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system. Capabilities of this malware include the ability to download files from a user's machine, mechanisms for persistence and hiding, and the ability to send back usernames and passwords from the infected system.	01a2e3440d5c65442c49fe708bf94003	https://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html SHA256: 2db522042954becd5b940edc0afbfc93f0039d3f4f775d4cfa45b7012587574e SHA1: 4b8e8d8e4f1d2f0e19b5ce96bf24afcdf68e27b1 MD5: 01a2e3440d5c65442c49fe708bf94003
M22-M2013	Zegost_21be8e77	Windows	This strike sends a malware sample known as Zegost. Zegost, also known as Zusy, steals banking information. It displays a form to trick the user into submitting personal information when visiting a banking website.	21be8e778089b7bcbd8b9ab9b26197a6	https://blog.talosintelligence.com/2022/02/threat-roundup-0211-0218.html SHA256: 3fd79e9c51e5a258a08f9afa295884375bda1f18355f9f8f510243413279f99e SHA1: 324c9a3f4619760890b73e4c110064b98dde4b48 MD5: 21be8e778089b7bcbd8b9ab9b26197a6
M22-M202c	Zegost_5c6ef7c4	Windows	This strike sends a malware sample known as Zegost. Zegost, also known as Zusy, steals banking information. It displays a form to trick the user into submitting personal information when visiting a banking website.	5c6ef7c40c341feec5ef105b2bea417c	https://blog.talosintelligence.com/2022/02/threat-roundup-0211-0218.html SHA256: 0bf6287f4e3d3ab71affb5b8c93a0d64ef79302be7ba391b8e483e5978794d6c SHA1: 26092eb627016fcbc2fd1a9e443a887f4f75e341 MD5: 5c6ef7c40c341feec5ef105b2bea417c
M22-M2041	DarkComet_b2a17564	Windows	This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system. Capabilities of this malware include the ability to download files from a user's machine, mechanisms for persistence and hiding, and the ability to send back usernames and passwords from the infected system.	b2a17564d97ec1ca975dcd8ee222a987	https://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html SHA256: 19a57c2208ef58387cb38412b0db3060b1ddcaf4f02929213f5355c40776a98d SHA1: 268b7619a53224e76b9af8e498240f1688ebd968 MD5: b2a17564d97ec1ca975dcd8ee222a987
M22-M2029	LokiBot_572ee199	Windows	This strike sends a malware sample known as LokiBot. Lokibot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered via spam emails.	572ee199d9d6793f1b6f5a8696bb6532	https://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html SHA256: 17eb09a8fb7eae2aaa740a74234a75b47c072ca93a1b65cda00a175e25720c88 SHA1: bd04844983eb834f89eba2b855847c467371d565 MD5: 572ee199d9d6793f1b6f5a8696bb6532
M22-M2042	WhisperGate	Mixed	This strike sends a malware sample known as WhisperGate DLL Loader. In January 2022 the WhisperGate malware was detected in cyber attacks being conducted against the Ukrainian Government. WhisperGate is a multi-stage malware that masquerades as ransomware. It downloads a payload that wipes the MBR, then downloads a malicious file from a Discord server. This last file drops and executes a final wiper payload that enumerates the drives on the system and proceeds to wipe all files with specific extensions. This sample is the DLL Loader.	b3370eb3c5ef6c536195b3bea0120929	https://blog.talosintelligence.com/2022/01/ukraine-campaign-delivers-defacement.html https://www.computerweekly.com/news/252512491/More-intel-emerges-on-WhisperGate-malware-that-hit-Ukraine https://www.zdnet.com/article/researchers-break-down-whispergate-wiper-malware-used-in-ukraine-website-defacement/ SHA256: 923eb77b3c9e11d6c56052318c119c1a22d11ab71675e6b95d05eeb73d1accd6 SHA1: b2d863fc444b99c479859ad7f012b840f896172e MD5: b3370eb3c5ef6c536195b3bea0120929
M22-M205d	LokiBot_4edfba05	Windows	This strike sends a polymorphic malware sample known as LokiBot. Lokibot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered via spam emails.The binary has random bytes appended at the end of the file.	4edfba05c275b53b5a4e569ea760160c	https://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html SHA256: 9ea8b74d78c14849f1863541e1b0b368679ec6737716a42f6d5a51e32bd44d79 https://attack.mitre.org/techniques/T1009/ PARENTID: M22-M2038 SSDEEP: 12288:UHWahqZ6LrIR5J+DWkmy/Q/xfXj58jBUfbYWa0mcVAMGtW+hU6hhhhhhhhhhhhhu:U2aJkRtJ5kI3PytBhUmbpdxQhvGeh SHA1: 7aaa72970a07b5ce77ec4a52b2c7c751fd8efe3f MD5: 4edfba05c275b53b5a4e569ea760160c
M22-M2014	Zegost_28ae85d8	Windows	This strike sends a malware sample known as Zegost. Zegost, also known as Zusy, steals banking information. It displays a form to trick the user into submitting personal information when visiting a banking website.	28ae85d88fed2184bba78d1af16827da	https://blog.talosintelligence.com/2022/02/threat-roundup-0211-0218.html SHA256: 1a36784e26051d7bbb42f84f58d256f304f76b84843c9a4eb0e131e94dcd417a SHA1: db85c0c97abbbb07e0374814568446fc45001c81 MD5: 28ae85d88fed2184bba78d1af16827da
M22-M200c	DarkComet_180f8ee1	Windows	This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system. Capabilities of this malware include the ability to download files from a user's machine, mechanisms for persistence and hiding, and the ability to send back usernames and passwords from the infected system.	180f8ee1842a3465cfc9bb2e1fedce8e	https://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html SHA256: 37edc65fde51628d1604ddbf0c14f06035e8c6819b7d0bfac7fee8dd4bf30bc7 SHA1: 0e5e4e18c580060b17b7cbb613db1a42ef3fe800 MD5: 180f8ee1842a3465cfc9bb2e1fedce8e
M22-M2003	Zegost_0408ff2a	Windows	This strike sends a malware sample known as Zegost. Zegost, also known as Zusy, steals banking information. It displays a form to trick the user into submitting personal information when visiting a banking website.	0408ff2a2f67c7492a269a9a7d71b980	https://blog.talosintelligence.com/2022/02/threat-roundup-0211-0218.html SHA256: 562844e7860c52a2f4c9f41c4c376c90a00f5981f9476df4e159ba57dff98804 SHA1: c47e194bc67f61225b4ad898a52bd489fe9d233e MD5: 0408ff2a2f67c7492a269a9a7d71b980
M22-M2055	Zegost_eac003a4	Windows	This strike sends a malware sample known as Zegost. Zegost, also known as Zusy, steals banking information. It displays a form to trick the user into submitting personal information when visiting a banking website.	eac003a405c720f1070d3fd2eaeed11d	https://blog.talosintelligence.com/2022/02/threat-roundup-0211-0218.html SHA256: 85734d17bd8a593181fb462bf13aab791bf389ff3e0c404c50fef1e4d79e8e3b SHA1: 2bbac7f97f83e75f6ab8689368f345633420aeae MD5: eac003a405c720f1070d3fd2eaeed11d
M22-M201b	TeslaCrypt_38602df4	Windows	This strike sends a malware sample known as TeslaCrypt. This ransomware demands Bitcoin in order to decrypt files from the system.	38602df4390dbda254d40126d7d992b2	https://blog.talosintelligence.com/2022/02/threat-roundup-0128-0204.html SHA256: 46d94eb497a9700630719e781319d55d9c693b04ac13ca7f38d46f8ba9ade1b7 SHA1: 8f26a5f107b3a3d97606a24444862cc30ee26724 MD5: 38602df4390dbda254d40126d7d992b2
M22-M2025	TeslaCrypt_4ae42e33	Windows	This strike sends a malware sample known as TeslaCrypt. This ransomware demands Bitcoin in order to decrypt files from the system.	4ae42e33f8104a47ae1b19542607f753	https://blog.talosintelligence.com/2022/02/threat-roundup-0128-0204.html SHA256: 7f0e6b707128faa8270fd5f291ba3c87cc685cfb48363f91220f74897140aebb SHA1: 988e74eb7ca117bc3fb59c5c28935972bbc1558d MD5: 4ae42e33f8104a47ae1b19542607f753
M22-M2052	TeslaCrypt_dd587d20	Windows	This strike sends a malware sample known as TeslaCrypt. This ransomware demands Bitcoin in order to decrypt files from the system.	dd587d20de9a14d86bdbc4ed94584038	https://blog.talosintelligence.com/2022/02/threat-roundup-0128-0204.html SHA256: e19fbf6376979c33bae2472ef372df206a23a21152ad7bb962ba653e0af75870 SHA1: 9cc43f679de78eb08ad454f5c234c64458a356a8 MD5: dd587d20de9a14d86bdbc4ed94584038
M22-M2036	LokiBot_7ac770ca	Windows	This strike sends a malware sample known as LokiBot. Lokibot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered via spam emails.	7ac770caa432948e3fccfe11d2e3b723	https://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html SHA256: b73f8d8838c450977a85ba646b98db3d556b0e78a33a7b0f5126d8e698d00ba2 SHA1: b97be6693a99744fcfa3baafc3ef89cf59802e58 MD5: 7ac770caa432948e3fccfe11d2e3b723
M22-M2075	WhisperKill	Windows	This strike sends a polymorphic malware sample known as WhisperKill Wiper. In January 2022 the WhisperGate malware was detected in cyber attacks being conducted against the Ukrainian Government. WhisperGate is a multi-stage malware that masquerades as ransomware. It downloads a payload that wipes the MBR, then downloads a malicious file from a Discord server. This last file drops and executes a final wiper payload that enumerates the drives on the system and proceeds to wipe all files with specific extensions. This sample is the final wiper.The binary file has one more imports added in the import table.	a6615ab8fb6f99fd82569cbfa5762a5f	https://www.zdnet.com/article/researchers-break-down-whispergate-wiper-malware-used-in-ukraine-website-defacement/ https://blog.talosintelligence.com/2022/01/ukraine-campaign-delivers-defacement.html https://www.computerweekly.com/news/252512491/More-intel-emerges-on-WhisperGate-malware-that-hit-Ukraine SHA256: 1ae79028f9b2a6cdba3325730bbd9623399ed9733668edaab685d9bdd26a0b89 https://arxiv.org/abs/1702.05983 PARENTID: M22-M201c SSDEEP: 384:Sck4phERK+NUl/9j5SddlEt4OIqXFKJBeBt2FrGxBQ63t2FrGx:SckuhERW2wndVKPeWFybyFy SHA1: 4bdda2e55411d4067b66c6c6294e252317d3517a MD5: a6615ab8fb6f99fd82569cbfa5762a5f
M22-M200f	Zegost_1d15f5f9	Windows	This strike sends a malware sample known as Zegost. Zegost, also known as Zusy, steals banking information. It displays a form to trick the user into submitting personal information when visiting a banking website.	1d15f5f9360c8f1e3f1f871401f6599f	https://blog.talosintelligence.com/2022/02/threat-roundup-0211-0218.html SHA256: 405c030a29ba3040ede04fa451c2b27008537adb60a68ff00570025ba76cc633 SHA1: e67c0a3cb90b44dbd04bb058633314c63be1cb1d MD5: 1d15f5f9360c8f1e3f1f871401f6599f
M22-M204c	TeslaCrypt_cb7d4940	Windows	This strike sends a malware sample known as TeslaCrypt. This ransomware demands Bitcoin in order to decrypt files from the system.	cb7d494023414e8d71f14a39b9819e3c	https://blog.talosintelligence.com/2022/02/threat-roundup-0128-0204.html SHA256: 40b17868f4b695330684cbf35e9286eb0ec1086d16d4a02a069b8886f970bc41 SHA1: b3160682a14f68d0667c5430b7665aef1b5db577 MD5: cb7d494023414e8d71f14a39b9819e3c
M22-M2043	DarkComet_b462b913	Windows	This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system. Capabilities of this malware include the ability to download files from a user's machine, mechanisms for persistence and hiding, and the ability to send back usernames and passwords from the infected system.	b462b9138b52341cd8db3aff6f7afee6	https://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html SHA256: 9a1056d1898a71f3b88c875ff08b5d465b549d03206cbe02efcb19c144582ee8 SHA1: ed7b0c898b400dbb2ecf2f080f1ac8a591330293 MD5: b462b9138b52341cd8db3aff6f7afee6
M22-M2081	LokiBot_df3e2f50	Windows	This strike sends a polymorphic malware sample known as LokiBot. Lokibot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered via spam emails.The binary has been packed using upx packer, with the default options.	df3e2f50ba42ae245bf30f052fb5ec48	https://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html SHA256: bc9d80ebbabe20487675ae325bbabefaaf10a5b470011a8fbfb8fe1d71bf720b https://attack.mitre.org/techniques/T1045/ PARENTID: M22-M2038 SSDEEP: 12288:AdcX+pnMcoDdrLC41mTN2JA7ghhhhhhhhhhhhhhh+8bp2vCQCRlJIye4RylhUVr3:scX6i44CkbpdxQhEGe SHA1: 089bdb57f2ff6a80da674dd865b7d2a8c4ba263a MD5: df3e2f50ba42ae245bf30f052fb5ec48
M22-M2006	Zusy_07b49a96	Windows	This strike sends a malware sample known as Zusy. Zusy, also known as TinyBanker or Tinba, is a trojan that uses man-in-the-middle attacks to steal banking information. When executed, it injects itself into legitimate Windows processes such as "explorer.exe" and "winver.exe." When the user accesses a banking website, it displays a form to trick the user into submitting personal information.	07b49a968feacfa06f404be79213efce	https://blog.talosintelligence.com/2022/02/threat-roundup-0128-0204.html SHA256: 4db97c35f9f17f68431a8683d9db3a426cd93e2ae95b863c2a5fbb0f4536f40e SHA1: f052b853592b4ef555a220820718d58ae3f5df7d MD5: 07b49a968feacfa06f404be79213efce
M22-M206b	TeslaCrypt_76f35d2e	Windows	This strike sends a polymorphic malware sample known as TeslaCrypt. This ransomware demands Bitcoin in order to decrypt files from the system.The binary has random bytes appended at the end of the file.	76f35d2e565f0d04ccafb16742520272	https://blog.talosintelligence.com/2022/02/threat-roundup-0128-0204.html SHA256: 1adb2e4279feff742eba68e2198552e863deb1c1578c779f3daa91d7618b7c2e https://attack.mitre.org/techniques/T1009/ PARENTID: M22-M203d SSDEEP: 6144:vGE1/8ca6OYIJfw7Z81kaq0MdRuOt01le0JVSH/ISQe:vn10ca1Yt0knz/1SeaUfvQe SHA1: 4021317048615bfb08e7564dcb59f75b911c66c9 MD5: 76f35d2e565f0d04ccafb16742520272
M22-M2073	HermeticWiper_a70b4e3e	Windows	This strike sends a polymorphic malware sample known as HermeticWiper. In February 2022 a new wave of wiper attacks against the country of Ukraine was detected. The malware HermeticWiper exhibits similar functionality to the previous wiper malware WhisperGate used in cyber attacks against Ukraine. Like WhisperGate this wiper malware will target the Master Boot Record and attempt to destroy it. It also includes a component that will enumerate the system partitions and wipe all files on the targeted system.The binary has random strings (lorem ipsum) appended at the end of the file.	a70b4e3e88f3fcc48b7ee8426aa8833e	https://securityintelligence.com/posts/new-destructive-malware-cyber-attacks-ukraine/ https://www.sentinelone.com/labs/hermetic-wiper-ukraine-under-attack/ https://blog.talosintelligence.com/2022/02/threat-advisory-hermeticwiper.html SHA256: 019606b01d2ebee53d74c27d115728ae367b8b25614884ff03ebc3d42ddb2898 https://attack.mitre.org/techniques/T1009/ PARENTID: M22-M2020 SSDEEP: 1536:sBOoa7Nn52wurilmw9BgjKu1sPPxaSLyqL:sBOoa7P2wxlPwV1qPkSuqL SHA1: d3e07d8e27467abdc6c1cc708a8f0cd82d411fbd MD5: a70b4e3e88f3fcc48b7ee8426aa8833e
M22-M201c	WhisperKill	Windows	This strike sends a malware sample known as WhisperKill Wiper. In January 2022 the WhisperGate malware was detected in cyber attacks being conducted against the Ukrainian Government. WhisperGate is a multi-stage malware that masquerades as ransomware. It downloads a payload that wipes the MBR, then downloads a malicious file from a Discord server. This last file drops and executes a final wiper payload that enumerates the drives on the system and proceeds to wipe all files with specific extensions. This sample is the final wiper.	3907c7fbd4148395284d8e6e3c1dba5d	https://www.zdnet.com/article/researchers-break-down-whispergate-wiper-malware-used-in-ukraine-website-defacement/ https://blog.talosintelligence.com/2022/01/ukraine-campaign-delivers-defacement.html https://www.computerweekly.com/news/252512491/More-intel-emerges-on-WhisperGate-malware-that-hit-Ukraine SHA256: 34ca75a8c190f20b8a7596afeb255f2228cb2467bd210b2637965b61ac7ea907 SHA1: a67205dc84ec29eb71bb259b19c1a1783865c0fc MD5: 3907c7fbd4148395284d8e6e3c1dba5d
M22-M2062	HermeticWiper_9bc9babd	Windows	This strike sends a polymorphic malware sample known as HermeticWiper. In February 2022 a new wave of wiper attacks against the country of Ukraine was detected. The malware HermeticWiper exhibits similar functionality to the previous wiper malware WhisperGate used in cyber attacks against Ukraine. Like WhisperGate this wiper malware will target the Master Boot Record and attempt to destroy it. It also includes a component that will enumerate the system partitions and wipe all files on the targeted system.The binary has the checksum removed in the PE file format.	9bc9babd952fb816609e3031f8c136e3	https://securityintelligence.com/posts/new-destructive-malware-cyber-attacks-ukraine/ https://www.sentinelone.com/labs/hermetic-wiper-ukraine-under-attack/ https://blog.talosintelligence.com/2022/02/threat-advisory-hermeticwiper.html SHA256: 22534a0e884813020a508f89772e6b840eab3a48fd45075b9847694142fb7701 https://arxiv.org/abs/1801.08917 PARENTID: M22-M2037 SSDEEP: 1536:wV3+WmNcWbwurilmw9BgjKu1sPPxaS5qY:wV3+WmjbwxlPwV1qPkS5qY SHA1: 011b433b65cd65fcecff9c9ceab7d411ae332cec MD5: 9bc9babd952fb816609e3031f8c136e3
M22-M200d	DarkComet_19d34e15	Windows	This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system. Capabilities of this malware include the ability to download files from a user's machine, mechanisms for persistence and hiding, and the ability to send back usernames and passwords from the infected system.	19d34e15ccece451ec5c6cc8ca446a2c	https://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html SHA256: 461031f7db840c45b1c0b6644d2f8772105d57785b94fda069a5fbf921879da5 SHA1: 2a94a617b71d803483a8e6d58666bb3298e50dd3 MD5: 19d34e15ccece451ec5c6cc8ca446a2c
M22-M205a	DarkComet_3e6c1c04	Windows	This strike sends a polymorphic malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system. Capabilities of this malware include the ability to download files from a user's machine, mechanisms for persistence and hiding, and the ability to send back usernames and passwords from the infected system.The binary has the timestamp field updated in the PE file header.	3e6c1c04f9810c8d0ae4a55753a5f304	https://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html SHA256: b7966d5882a09965176788c4135fd05698530fcf8cb8396073e0378d0b8f23de https://attack.mitre.org/techniques/T1099/ PARENTID: M22-M2012 SSDEEP: 24576:Hu6J33O0c+JY5UZ+XC0kGso6FaLIk0LMgjYxLBzp6q+OTwyI2JfvWYC:Bu0c++OCvkGs9Fa5YYC SHA1: d8bf31944bbaf8e1cad1a9689d179455dcc26072 MD5: 3e6c1c04f9810c8d0ae4a55753a5f304
M22-M203a	Zusy_90afa5f3	Windows	This strike sends a malware sample known as Zusy. Zusy, also known as TinyBanker or Tinba, is a trojan that uses man-in-the-middle attacks to steal banking information. When executed, it injects itself into legitimate Windows processes such as "explorer.exe" and "winver.exe." When the user accesses a banking website, it displays a form to trick the user into submitting personal information.	90afa5f30c43d1968de6d9e3202ae7d2	https://blog.talosintelligence.com/2022/02/threat-roundup-0128-0204.html SHA256: 039170d8ba2feeaac9c943aea7d3cf5709d2ed6fc1e3eaec8457ec13c631730b SHA1: 52c532369a540ccd798ef374751100904123fb64 MD5: 90afa5f30c43d1968de6d9e3202ae7d2
M22-M205c	HermeticWiper_4b1f04cf	Windows	This strike sends a polymorphic malware sample known as HermeticWiper. In February 2022 a new wave of wiper attacks against the country of Ukraine was detected. The malware HermeticWiper exhibits similar functionality to the previous wiper malware WhisperGate used in cyber attacks against Ukraine. Like WhisperGate this wiper malware will target the Master Boot Record and attempt to destroy it. It also includes a component that will enumerate the system partitions and wipe all files on the targeted system.The binary has the timestamp field updated in the PE file header.	4b1f04cf967a73c4ce1e3ab3c492805e	https://securityintelligence.com/posts/new-destructive-malware-cyber-attacks-ukraine/ https://www.sentinelone.com/labs/hermetic-wiper-ukraine-under-attack/ https://blog.talosintelligence.com/2022/02/threat-advisory-hermeticwiper.html SHA256: d0d9c8c6008faf4e1c2ecf8dfb53aa454af34a0207c66b330e7c1826bde3d910 https://attack.mitre.org/techniques/T1099/ PARENTID: M22-M2037 SSDEEP: 1536:DV3+WmNcWbwurilmw9BgjKu1sPPxaS5qY:DV3+WmjbwxlPwV1qPkS5qY SHA1: 0ca8ea023370f3e307752ff29f7c4740de4d71e9 MD5: 4b1f04cf967a73c4ce1e3ab3c492805e
M22-M2083	HermeticWiper_ece4f943	Windows	This strike sends a polymorphic malware sample known as HermeticWiper. In February 2022 a new wave of wiper attacks against the country of Ukraine was detected. The malware HermeticWiper exhibits similar functionality to the previous wiper malware WhisperGate used in cyber attacks against Ukraine. Like WhisperGate this wiper malware will target the Master Boot Record and attempt to destroy it. It also includes a component that will enumerate the system partitions and wipe all files on the targeted system.The binary has the timestamp field updated in the PE file header.	ece4f943b6d5d11ff42b071fe775922e	https://securityintelligence.com/posts/new-destructive-malware-cyber-attacks-ukraine/ https://www.sentinelone.com/labs/hermetic-wiper-ukraine-under-attack/ https://blog.talosintelligence.com/2022/02/threat-advisory-hermeticwiper.html SHA256: aa1f8e7c08a1e0313850a3151a24e20e4f2922baba5490490a668a6d17198159 https://attack.mitre.org/techniques/T1099/ PARENTID: M22-M2020 SSDEEP: 1536:EBOoa7Nn52wurilmw9BgjKu1sPPxaSLyqC:EBOoa7P2wxlPwV1qPkSuqC SHA1: 4160b89dc2b3f8854b8b40e32899aa80044ac867 MD5: ece4f943b6d5d11ff42b071fe775922e
M22-M2023	Zusy_47b78fd0	Windows	This strike sends a malware sample known as Zusy. Zusy, also known as TinyBanker or Tinba, is a trojan that uses man-in-the-middle attacks to steal banking information. When executed, it injects itself into legitimate Windows processes such as "explorer.exe" and "winver.exe." When the user accesses a banking website, it displays a form to trick the user into submitting personal information.	47b78fd02008e19783fd85846662b278	https://blog.talosintelligence.com/2022/02/threat-roundup-0128-0204.html SHA256: 0b95c110d12725fcd8d95bf203b0fd8bf1bc9e57646f8b283ea63a35c0d4a38d SHA1: 14d1d5d67a8db1109716005285b636e4c38e9624 MD5: 47b78fd02008e19783fd85846662b278
M22-M2071	DarkComet_415042b1	Windows	This strike sends a polymorphic malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system. Capabilities of this malware include the ability to download files from a user's machine, mechanisms for persistence and hiding, and the ability to send back usernames and passwords from the infected system.The binary has been packed using upx packer, with the default options.	415042b1569d57425f241de1375e95ad	https://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html SHA256: e21b1077e37c29ffbef7d209c24673055953e6d5a887562979e532babaddbe84 https://attack.mitre.org/techniques/T1045/ PARENTID: M22-M2012 SSDEEP: 24576:Ih+/6IbioUgOpzqgk0LMgjaxLBzp6G+OTwyIFn0G:tiI2oUt9N SHA1: 679b62589478a07db2c855603bbeee36dbf8c293 MD5: 415042b1569d57425f241de1375e95ad
M22-M200e	DarkComet_1cb232ad	Windows	This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system. Capabilities of this malware include the ability to download files from a user's machine, mechanisms for persistence and hiding, and the ability to send back usernames and passwords from the infected system.	1cb232ad0fd978eaa20c6d569d72cc64	https://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html SHA256: b5201f282c7e067e5dca7de945ed48805af74c9dae94ec3f83ff93c151f83c39 SHA1: 3283418261944081d396e1b8217dde343d1e634e MD5: 1cb232ad0fd978eaa20c6d569d72cc64
M22-M2086	LokiBot_b6b1d041	Windows	This strike sends a polymorphic malware sample known as LokiBot. Lokibot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered via spam emails.The binary has random contents appended in one of the existing sections in the PE file format.	b6b1d0412d31a02bfa8c1a6a85ef8ffa	https://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html SHA256: 6a43fbf85521e9317ecc8e6d44fdf09aca42b7021a397ce52797136ab87b24de https://arxiv.org/abs/1801.08917 PARENTID: M22-M2038 SSDEEP: 12288:9HWahqZ6LrIR5J+DWkmy/Q/xfXj58jBUfbYWa0mcVAMGtW+hU6hhhhhhhhhhhhh4:92aJkRtJ5kI3PytBhUmbpdxQhvGe7 SHA1: 71c7cbe6f48c40a8bf877db3e7bb059ce7ad722b MD5: b6b1d0412d31a02bfa8c1a6a85ef8ffa
M22-M207b	WhisperGate	Windows	This strike sends a polymorphic malware sample known as WhisperGate Downloader. In January 2022 the WhisperGate malware was detected in cyber attacks being conducted against the Ukrainian Government. WhisperGate is a multi-stage malware that masquerades as ransomware. It downloads a payload that wipes the MBR, then downloads a malicious file from a Discord server. This last file drops and executes a final wiper payload that enumerates the drives on the system and proceeds to wipe all files with specific extensions. This sample is the Downloader.The binary has a random section name renamed according to the PE format specification.	bfb1c2c22ed861fb7435533378304574	https://www.zdnet.com/article/researchers-break-down-whispergate-wiper-malware-used-in-ukraine-website-defacement/ https://blog.talosintelligence.com/2022/01/ukraine-campaign-delivers-defacement.html https://www.computerweekly.com/news/252512491/More-intel-emerges-on-WhisperGate-malware-that-hit-Ukraine SHA256: 441ebd4513cedb202302ad82e8a2cf513a80daba210d3910ba2647367e18b6ca https://arxiv.org/abs/1801.08917 PARENTID: M22-M200a SSDEEP: 3072:gf1GlJZUnjNbGgNQfYySIHiP1WLz4PcSOvG2jxZ:GbGoJ8iP19PjmGyf SHA1: c08086e078cb2b1299f878dcbd5e7d392c22386b MD5: bfb1c2c22ed861fb7435533378304574
M22-M2044	TeslaCrypt_b6d8812f	Windows	This strike sends a malware sample known as TeslaCrypt. This ransomware demands Bitcoin in order to decrypt files from the system.	b6d8812fc7198cf125d15e280e7ce8fc	https://blog.talosintelligence.com/2022/02/threat-roundup-0128-0204.html SHA256: eaa3afaaaf34a833299b7d35e0692008b4044409ff9146fb98d4c796abd5e5ea SHA1: 62ee2ec7b86115583e1cd7e48f03593ccd796fc8 MD5: b6d8812fc7198cf125d15e280e7ce8fc
M22-M2015	TeslaCrypt_2d4d0fa0	Windows	This strike sends a malware sample known as TeslaCrypt. This ransomware demands Bitcoin in order to decrypt files from the system.	2d4d0fa03435636ea85e603be1055031	https://blog.talosintelligence.com/2022/02/threat-roundup-0128-0204.html SHA256: feb67d669021041850e1b323cc17a7c5915fa581c8d5b06dfd4a82d4db48cdb0 SHA1: 67dba2ffab90f6e30c7c60fd0e6d2b99ec20e523 MD5: 2d4d0fa03435636ea85e603be1055031
M22-M201a	TeslaCrypt_36b9c9f9	Windows	This strike sends a malware sample known as TeslaCrypt. This ransomware demands Bitcoin in order to decrypt files from the system.	36b9c9f9f3e9b07ec4f9d5c273e3b9de	https://blog.talosintelligence.com/2022/02/threat-roundup-0128-0204.html SHA256: d5afbd5425464bb6594a458be218e5c24db5abf4e88e8c11e065e357a14c8e49 SHA1: 124a11dee81e4876ec7587eb74d5d5fb3b4f885d MD5: 36b9c9f9f3e9b07ec4f9d5c273e3b9de
M22-M2038	LokiBot_8cf06eab	Windows	This strike sends a malware sample known as LokiBot. Lokibot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered via spam emails.	8cf06eabe64b0230580550be88d4d5f5	https://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html SHA256: 04f2512b1cbeeab43d96983222b5cfc15031481eed599ed39ecfca0fdf05838f SHA1: 6d962b53a899886495cd70e889c2f0db7afc2579 MD5: 8cf06eabe64b0230580550be88d4d5f5