Malware Monthly Update February - 2022

Malware Strikes

Fields for each strike: Strike ID, Malware, Platform, Info, External References, and file hashes (SHA256, SHA1, MD5). Polymorphic variants also list a PARENTID and an SSDEEP hash.

Strike ID: M22-M2010
Malware: LokiBot_1d2700b8
Platform: Windows
Info: This strike sends a malware sample known as LokiBot. LokiBot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered via spam emails.
External References:
  https://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html
SHA256: f8448219df30254002bdb8ccf5745b3f2156f25b1b48209d69a451dca03968f2
SHA1: ee095e23db2ddad217b4e696949dac5cf0c6af87
MD5: 1d2700b86c91366053aa4e57c2b667f7

Strike ID: M22-M2020
Malware: HermeticWiper_3f4a16b2
Platform: Windows
Info: This strike sends a malware sample known as HermeticWiper. In February 2022 a new wave of wiper attacks against the country of Ukraine was detected. The malware HermeticWiper exhibits similar functionality to the previous wiper malware WhisperGate used in cyber attacks against Ukraine. Like WhisperGate, this wiper malware will target the Master Boot Record and attempt to destroy it. It also includes a component that will enumerate the system partitions and wipe all files on the targeted system.
External References:
  https://securityintelligence.com/posts/new-destructive-malware-cyber-attacks-ukraine/
  https://www.sentinelone.com/labs/hermetic-wiper-ukraine-under-attack/
  https://blog.talosintelligence.com/2022/02/threat-advisory-hermeticwiper.html
SHA256: 1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591
SHA1: 61b25d11392172e587d8da3045812a66c3385451
MD5: 3f4a16b29f2f0532b7ce3e7656799125

Strike ID: M22-M2040
Malware: LokiBot_ad3e77ee
Platform: Windows
Info: This strike sends a malware sample known as LokiBot. LokiBot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered via spam emails.
External References:
  https://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html
SHA256: c02f78ea73a8f86ab721800af6bf9be1ba182a779a2b55fb7b583a1b79a63ce0
SHA1: 49027ed30ecc2ba15351e2541e94e355b81fd64e
MD5: ad3e77ee78c0fa6b352b8c5ba99d3255

Strike ID: M22-M2028
Malware: TeslaCrypt_4d69c441
Platform: Windows
Info: This strike sends a malware sample known as TeslaCrypt. This ransomware demands Bitcoin in order to decrypt files from the system.
External References:
  https://blog.talosintelligence.com/2022/02/threat-roundup-0128-0204.html
SHA256: 27ebe5bf3aba1ad778dc43582f7468906007c5cbd40858294dfa9e1716c1b246
SHA1: 8a0c008f3f7657c159a8c911e6fb3bc256be0daf
MD5: 4d69c441231bad3e39da8230388920e5

Strike ID: M22-M2064
Malware: DarkComet_015d482e
Platform: Windows
Info: This strike sends a polymorphic malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system. Capabilities of this malware include the ability to download files from a user's machine, mechanisms for persistence and hiding, and the ability to send back usernames and passwords from the infected system. The binary has random strings (lorem ipsum) appended at the end of the file.
External References:
  https://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html
  https://attack.mitre.org/techniques/T1009/
PARENTID: M22-M2012
SSDEEP: 24576:ou6J33O0c+JY5UZ+XC0kGso6FaLIk0LMgjYxLBzp6q+OTwyI2JfvWYL:Cu0c++OCvkGs9Fa5YYL
SHA256: 4b801548f17b062a443902c37e9ee23538c392520364e7f6fb7619cde3eb3057
SHA1: 4eff177bbe05cc2b416fa000f7e331c92c712e2d
MD5: 015d482efe46a5aa054da29a11fd9d21

Strike ID: M22-M2045
Malware: LokiBot_b9697256
Platform: Windows
Info: This strike sends a malware sample known as LokiBot. LokiBot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered via spam emails.
External References:
  https://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html
SHA256: c110ae946c48f8f26287c7163cd1557bc4ad83abb93e26c10b32df856fe5c72e
SHA1: d5ad4dff4ab0de19a29431c6946e170eb7fa80d7
MD5: b969725644870466de0f63d8d67d5b1d

Strike ID: M22-M2077
Malware: LokiBot_ad2af567
Platform: Windows
Info: This strike sends a polymorphic malware sample known as LokiBot. LokiBot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered via spam emails. The binary has been packed using the UPX packer, with the default options.
External References:
  https://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html
  https://attack.mitre.org/techniques/T1045/
PARENTID: M22-M2056
SSDEEP: 12288:n4qrg8b3ilvCu2Lj6RYLShqmRbMAEY5yQvu/SUhrYSV+mbhrGe:4B83ilK6RESrTE/QW/SVg+mrGe
SHA256: 1eaa936581ca623d8b34537a970ea1be712f12f8dd09ebbc9ff23f5d171dc600
SHA1: 159b1213c95c12ee738068f80556ace0374661cf
MD5: ad2af56777bc68b392ff58168defd2db

Strike ID: M22-M2070
Malware: WhisperGate
Platform: Windows
Info: This strike sends a polymorphic malware sample known as WhisperGate Downloader. In January 2022 the WhisperGate malware was detected in cyber attacks being conducted against the Ukrainian Government. WhisperGate is a multi-stage malware that masquerades as ransomware. It downloads a payload that wipes the MBR, then downloads a malicious file from a Discord server. This last file drops and executes a final wiper payload that enumerates the drives on the system and proceeds to wipe all files with specific extensions. This sample is the Downloader. The binary has the timestamp field updated in the PE file header.
External References:
  https://www.zdnet.com/article/researchers-break-down-whispergate-wiper-malware-used-in-ukraine-website-defacement/
  https://blog.talosintelligence.com/2022/01/ukraine-campaign-delivers-defacement.html
  https://www.computerweekly.com/news/252512491/More-intel-emerges-on-WhisperGate-malware-that-hit-Ukraine
  https://attack.mitre.org/techniques/T1099/
PARENTID: M22-M200a
SSDEEP: 3072:tf1GlJZUnjNbGgNQfYySIHiP1WLz4PcSOvG2jxZ:LbGoJ8iP19PjmGyf
SHA256: d1094d24e15c134e1d060e7b22011c49ffc2123deeba6c55a0025e3d2bae1bb2
SHA1: 13eda4c8d86b1f0bcd4862d139cbc63882ae689c
MD5: 87037d614242a155e033dcf1a4e23edc

Strike ID: M22-M205b
Malware: WhisperKill
Platform: Windows
Info: This strike sends a polymorphic malware sample known as WhisperKill Wiper. In January 2022 the WhisperGate malware was detected in cyber attacks being conducted against the Ukrainian Government. WhisperGate is a multi-stage malware that masquerades as ransomware. It downloads a payload that wipes the MBR, then downloads a malicious file from a Discord server. This last file drops and executes a final wiper payload that enumerates the drives on the system and proceeds to wipe all files with specific extensions. This sample is the final wiper. The binary has the checksum removed in the PE file format.
External References:
  https://www.zdnet.com/article/researchers-break-down-whispergate-wiper-malware-used-in-ukraine-website-defacement/
  https://blog.talosintelligence.com/2022/01/ukraine-campaign-delivers-defacement.html
  https://www.computerweekly.com/news/252512491/More-intel-emerges-on-WhisperGate-malware-that-hit-Ukraine
  https://arxiv.org/abs/1801.08917
PARENTID: M22-M201c
SSDEEP: 384:ick4phERK+NUl/9j5SddlEt4OIqXFKJBeht2FrGx:ickuhERW2wndVKPe2Fy
SHA256: 0f8d110d3ba07cd162a1bc34d1a92fb04baf1f4a0c112351749a54d594f432d1
SHA1: b2f1e3399a0a89069d4d48b4ff73fb53cf79a81f
MD5: 4b0e0cfe7b043861ff2731a83a4b4df0

Strike ID: M22-M206f
Malware: LokiBot_4389ba6f
Platform: Windows
Info: This strike sends a polymorphic malware sample known as LokiBot. LokiBot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered via spam emails. The binary has random strings (lorem ipsum) appended at the end of the file.
External References:
  https://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html
  https://attack.mitre.org/techniques/T1009/
PARENTID: M22-M2056
SSDEEP: 24576:h2aJkRtJ5kI3PytBh9TE/QW/SVg+mbGeC:h2a6tfQP9E8gE
SHA256: 5a38afc0c420ce4f9239c6f0e56cb83d2f837ef16286777f7ad882284dc5bd4d
SHA1: 7b878b7ca4182ab5af7d61dce27bc7736cfb3b85
MD5: 4389ba6f50000c82a7118a2d1015eadf

Strike ID: M22-M2080
Malware: LokiBot_d837beeb
Platform: Windows
Info: This strike sends a polymorphic malware sample known as LokiBot. LokiBot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered via spam emails. The binary has a random section name renamed according to the PE format specification.
External References:
  https://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html
  https://arxiv.org/abs/1801.08917
PARENTID: M22-M2056
SSDEEP: 24576:f2aJkRtJ5kI3PytBh9TE/QW/SVg+mbGeD:f2a6tfQP9E8g1
SHA256: 3732952014d674c25d941f3458d84dff02dc80fbe3aeca85f3543420b2aa25e8
SHA1: bd6435ad611c630cd7b48b369e7694bc803d73e6
MD5: d837beeb7c4e69aba79da8831e22ccd8

Strike ID: M22-M2084
Malware: TeslaCrypt_f61b3c14
Platform: Windows
Info: This strike sends a polymorphic malware sample known as TeslaCrypt. This ransomware demands Bitcoin in order to decrypt files from the system. The binary has random strings (lorem ipsum) appended at the end of the file.
External References:
  https://blog.talosintelligence.com/2022/02/threat-roundup-0128-0204.html
  https://attack.mitre.org/techniques/T1009/
PARENTID: M22-M203d
SSDEEP: 6144:vGE1/8ca6OYIJfw7Z81kaq0MdRuOt01le0JVSH/ISQT:vn10ca1Yt0knz/1SeaUfvQT
SHA256: 88649ef2a4c82a767ec242bcf8f062699ae5a33bc0e7257616716c9ce498709e
SHA1: f12b1150e6cdf5edb2cc2597caa12ffeebcec671
MD5: f61b3c14d032796e892fda0214bb6ada

Strike ID: M22-M2012
Malware: DarkComet_215b14ac
Platform: Windows
Info: This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system. Capabilities of this malware include the ability to download files from a user's machine, mechanisms for persistence and hiding, and the ability to send back usernames and passwords from the infected system.
External References:
  https://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html
SHA256: 00c4d334768f563cced2a243cf640c592149cec38044bb8792e49945a23ee61b
SHA1: cebffdc7c8c3f88f24ab1f655ceb55de4f62aeb3
MD5: 215b14ac07078cfc72774efca6bbbfc6

Strike ID: M22-M204f
Malware: Zegost_d115a6dc
Platform: Windows
Info: This strike sends a malware sample known as Zegost. Zegost, also known as Zusy, steals banking information. It displays a form to trick the user into submitting personal information when visiting a banking website.
External References:
  https://blog.talosintelligence.com/2022/02/threat-roundup-0211-0218.html
SHA256: 6036a45e9086675cc7ab4e1cf88ed2aeda988b457308e60882c98e7b7cb6c67e
SHA1: 3a08f7d4fb8692cc034e6c2824dc4bc60974b757
MD5: d115a6dc468be0e6dcb2421c88c2231e

Strike ID: M22-M206d
Malware: WhisperKill
Platform: Windows
Info: This strike sends a polymorphic malware sample known as WhisperKill Wiper. In January 2022 the WhisperGate malware was detected in cyber attacks being conducted against the Ukrainian Government. WhisperGate is a multi-stage malware that masquerades as ransomware. It downloads a payload that wipes the MBR, then downloads a malicious file from a Discord server. This last file drops and executes a final wiper payload that enumerates the drives on the system and proceeds to wipe all files with specific extensions. This sample is the final wiper. The binary has random bytes appended at the end of the file.
External References:
  https://www.zdnet.com/article/researchers-break-down-whispergate-wiper-malware-used-in-ukraine-website-defacement/
  https://blog.talosintelligence.com/2022/01/ukraine-campaign-delivers-defacement.html
  https://www.computerweekly.com/news/252512491/More-intel-emerges-on-WhisperGate-malware-that-hit-Ukraine
  https://attack.mitre.org/techniques/T1009/
PARENTID: M22-M201c
SSDEEP: 384:6ck4phERK+NUl/9j5SddlEt4OIqXFKJBeht2FrGxC:6ckuhERW2wndVKPe2Fy0
SHA256: 134145910f3dc7af12eb5f18168dab8153daa94446764a5ebf3cc6dc04cdfea2
SHA1: 78bf8afb2232cca106a16278a6286615ff82d5f5
MD5: 724ee45952d709be7c79d7d1f1497ea2

Strike ID: M22-M206a
Malware: WhisperKill
Platform: Windows
Info: This strike sends a polymorphic malware sample known as WhisperKill Wiper. In January 2022 the WhisperGate malware was detected in cyber attacks being conducted against the Ukrainian Government. WhisperGate is a multi-stage malware that masquerades as ransomware. It downloads a payload that wipes the MBR, then downloads a malicious file from a Discord server. This last file drops and executes a final wiper payload that enumerates the drives on the system and proceeds to wipe all files with specific extensions. This sample is the final wiper. The binary has random contents appended in one of the existing sections in the PE file format.
External References:
  https://www.zdnet.com/article/researchers-break-down-whispergate-wiper-malware-used-in-ukraine-website-defacement/
  https://blog.talosintelligence.com/2022/01/ukraine-campaign-delivers-defacement.html
  https://www.computerweekly.com/news/252512491/More-intel-emerges-on-WhisperGate-malware-that-hit-Ukraine
  https://arxiv.org/abs/1801.08917
PARENTID: M22-M201c
SSDEEP: 384:6ck4phERK+NUl/9j5SddlEtnOIqXFKJBeht2FrGx:6ckuhERW2wOdVKPe2Fy
SHA256: 82d1ef02835b533134937e15f2c263f0498ba5b75ec84ffe56f0d52f7dfec76a
SHA1: 9b335ea07d29ac142de907ddae596e3763110e78
MD5: 75a007bf2b9b25e66bba3b10d3094511

Strike ID: M22-M204a
Malware: Zegost_c705646b
Platform: Windows
Info: This strike sends a malware sample known as Zegost. Zegost, also known as Zusy, steals banking information. It displays a form to trick the user into submitting personal information when visiting a banking website.
External References:
  https://blog.talosintelligence.com/2022/02/threat-roundup-0211-0218.html
SHA256: 3817795d5fbe1e84cb7b4fd18ca58a394d5c46d418be2f32ea56f84139d8cb8f
SHA1: 300e7867a89f6034f192acd97bc662c5c5a800c6
MD5: c705646bd19311dd646cc5c71a403e71

Strike ID: M22-M2009
Malware: Zusy_0ddad360
Platform: Windows
Info: This strike sends a malware sample known as Zusy. Zusy, also known as TinyBanker or Tinba, is a trojan that uses man-in-the-middle attacks to steal banking information. When executed, it injects itself into legitimate Windows processes such as "explorer.exe" and "winver.exe". When the user accesses a banking website, it displays a form to trick the user into submitting personal information.
External References:
  https://blog.talosintelligence.com/2022/02/threat-roundup-0128-0204.html
SHA256: 0b7202dc4423ddaee59eff6909185052bc8c0cbd3cbe4e5224db8e83b935ec23
SHA1: f0e0664b824d9b4ae3dc0df6abd0ec766a9a38e7
MD5: 0ddad3606a7b0a0edf9220d1fe6a340b

Strike ID: M22-M2018
Malware: DarkComet_32ed49d7
Platform: Windows
Info: This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system. Capabilities of this malware include the ability to download files from a user's machine, mechanisms for persistence and hiding, and the ability to send back usernames and passwords from the infected system.
External References:
  https://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html
SHA256: 21454d9e2f5e0c502b423ffadbbe802ae69f81a99fbc7c50817b1f80a083cf1a
SHA1: baeb9263bef0853ebf9a5fcf6ac5008208c56b7d
MD5: 32ed49d7aacbf433448690794ffa9cd0

Strike ID: M22-M204d
Malware: Zusy_cba5b2bb
Platform: Windows
Info: This strike sends a malware sample known as Zusy. Zusy, also known as TinyBanker or Tinba, is a trojan that uses man-in-the-middle attacks to steal banking information. When executed, it injects itself into legitimate Windows processes such as "explorer.exe" and "winver.exe". When the user accesses a banking website, it displays a form to trick the user into submitting personal information.
External References:
  https://blog.talosintelligence.com/2022/02/threat-roundup-0128-0204.html
SHA256: 19af3fe3c191528c15b3c9f791e02edc82eadab9126881da5f4ea4baa234f8c2
SHA1: 2e46541f911372c6d8e1dcc9f132e475137964e4
MD5: cba5b2bb7a701a6900a05c75ff171e9e

Strike ID: M22-M205f
Malware: DarkComet_5fdfd1ed
Platform: Windows
Info: This strike sends a polymorphic malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system. Capabilities of this malware include the ability to download files from a user's machine, mechanisms for persistence and hiding, and the ability to send back usernames and passwords from the infected system. The binary has random contents appended in one of the existing sections in the PE file format.
External References:
  https://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html
  https://arxiv.org/abs/1801.08917
PARENTID: M22-M2012
SSDEEP: 24576:ou6J33O0c+JY5UZ+XC0kGso6FaLIk0LMgjYxLBzp6q+OTwyI2JfCWYC:Cu0c++OCvkGs9Fa5jYC
SHA256: 985928908e3e74a75ca9e2511a37df3316e9d4b507d0ca2ea4f0229466f64af3
SHA1: 281885861e6727a448b48ef5afd969c4fc1eba69
MD5: 5fdfd1edd86e6752cc76e9de5d5d17e1

Strike ID: M22-M207a
Malware: HermeticWiper_bc0c5e0c
Platform: Windows
Info: This strike sends a polymorphic malware sample known as HermeticWiper. In February 2022 a new wave of wiper attacks against the country of Ukraine was detected. The malware HermeticWiper exhibits similar functionality to the previous wiper malware WhisperGate used in cyber attacks against Ukraine. Like WhisperGate, this wiper malware will target the Master Boot Record and attempt to destroy it. It also includes a component that will enumerate the system partitions and wipe all files on the targeted system. The binary has the checksum removed in the PE file format.
External References:
  https://securityintelligence.com/posts/new-destructive-malware-cyber-attacks-ukraine/
  https://www.sentinelone.com/labs/hermetic-wiper-ukraine-under-attack/
  https://blog.talosintelligence.com/2022/02/threat-advisory-hermeticwiper.html
  https://arxiv.org/abs/1801.08917
PARENTID: M22-M2020
SSDEEP: 1536:iBOoa7Nn52wurilmw9BgjKu1sPPxaSLyqC:iBOoa7P2wxlPwV1qPkSuqC
SHA256: 165a77eb420073f2c552d04bdf12187aa434182c21ff0f1e53dbe0fc361ef5a9
SHA1: 8c79d721dc7f5680c93a1d205dc1e71fc50e15a9
MD5: bc0c5e0c68b810559f552827f80b81c2

Strike ID: M22-M2019
Malware: Zusy_355c4601
Platform: Windows
Info: This strike sends a malware sample known as Zusy. Zusy, also known as TinyBanker or Tinba, is a trojan that uses man-in-the-middle attacks to steal banking information. When executed, it injects itself into legitimate Windows processes such as "explorer.exe" and "winver.exe". When the user accesses a banking website, it displays a form to trick the user into submitting personal information.
External References:
  https://blog.talosintelligence.com/2022/02/threat-roundup-0128-0204.html
SHA256: 6a295f8b9884fd1587f933876681928e002a5d320e460d1a97597462e60ef8ad
SHA1: 3644f5430561253a0151c2c7835ab3f36812ca13
MD5: 355c4601a27a7a4b62b75b9ca171e6bf

Strike ID: M22-M2051
Malware: TeslaCrypt_da37801e
Platform: Windows
Info: This strike sends a malware sample known as TeslaCrypt. This ransomware demands Bitcoin in order to decrypt files from the system.
External References:
  https://blog.talosintelligence.com/2022/02/threat-roundup-0128-0204.html
SHA256: e808cf87d4055be30c9144a5d053b6314483f7800e0158b3614fa2ad266671c7
SHA1: 662a641b5bbbe07655501cefbf3adabf8f75ecd9
MD5: da37801eb453924749147d77069cb557

Strike ID: M22-M203f
Malware: Zegost_ac8f541f
Platform: Windows
Info: This strike sends a malware sample known as Zegost. Zegost, also known as Zusy, steals banking information. It displays a form to trick the user into submitting personal information when visiting a banking website.
External References:
  https://blog.talosintelligence.com/2022/02/threat-roundup-0211-0218.html
SHA256: 0df341a84058a607e05a87adbee0e3a4420629c64aa08c379909a471130114ca
SHA1: d3ad323d5418d33b4324c1ced923808cd67101af
MD5: ac8f541ff183fc73e5a64b212ef95fff

Strike ID: M22-M2085
Malware: HermeticWiper_fdfbd04e
Platform: Windows
Info: This strike sends a polymorphic malware sample known as HermeticWiper. In February 2022 a new wave of wiper attacks against the country of Ukraine was detected. The malware HermeticWiper exhibits similar functionality to the previous wiper malware WhisperGate used in cyber attacks against Ukraine. Like WhisperGate, this wiper malware will target the Master Boot Record and attempt to destroy it. It also includes a component that will enumerate the system partitions and wipe all files on the targeted system. The binary has random strings (lorem ipsum) appended at the end of the file.
External References:
  https://securityintelligence.com/posts/new-destructive-malware-cyber-attacks-ukraine/
  https://www.sentinelone.com/labs/hermetic-wiper-ukraine-under-attack/
  https://blog.talosintelligence.com/2022/02/threat-advisory-hermeticwiper.html
  https://attack.mitre.org/techniques/T1009/
PARENTID: M22-M2037
SSDEEP: 1536:lV3+WmNcWbwurilmw9BgjKu1sPPxaS5qx:lV3+WmjbwxlPwV1qPkS5qx
SHA256: 92cd84467344d9103d95490e71bc28c98d04032e5a138da3c28808e4fd5bfa16
SHA1: 0c810028c1f4e2d5094948ab8246ff8d1894c0f1
MD5: fdfbd04e7ff74c3cddc315f739f241ff

Strike ID: M22-M2079
Malware: HermeticWiper_baa339df
Platform: Windows
Info: This strike sends a polymorphic malware sample known as HermeticWiper. In February 2022 a new wave of wiper attacks against the country of Ukraine was detected. The malware HermeticWiper exhibits similar functionality to the previous wiper malware WhisperGate used in cyber attacks against Ukraine. Like WhisperGate, this wiper malware will target the Master Boot Record and attempt to destroy it. It also includes a component that will enumerate the system partitions and wipe all files on the targeted system. The binary has random contents appended in one of the existing sections in the PE file format.
External References:
  https://securityintelligence.com/posts/new-destructive-malware-cyber-attacks-ukraine/
  https://www.sentinelone.com/labs/hermetic-wiper-ukraine-under-attack/
  https://blog.talosintelligence.com/2022/02/threat-advisory-hermeticwiper.html
  https://arxiv.org/abs/1801.08917
PARENTID: M22-M2020
SSDEEP: 1536:sBOoa7Nn52wurilmw9BgjKu1sPPxaStyqC:sBOoa7P2wxlPwV1qPkSIqC
SHA256: 28ba388e2c0130e0f10efc26a789a97c3fff8f771c049f4892d30526737511e7
SHA1: c7450700fe024e0e35a49b01b39c7a5616104b6d
MD5: baa339dfc70bd3094bed69f773db5338

Strike ID: M22-M2063
Malware: HermeticWiper_14f42b51
Platform: Windows
Info: This strike sends a polymorphic malware sample known as HermeticWiper. In February 2022 a new wave of wiper attacks against the country of Ukraine was detected. The malware HermeticWiper exhibits similar functionality to the previous wiper malware WhisperGate used in cyber attacks against Ukraine. Like WhisperGate, this wiper malware will target the Master Boot Record and attempt to destroy it. It also includes a component that will enumerate the system partitions and wipe all files on the targeted system. The binary has the debug flag removed in the PE file format.
External References:
  https://securityintelligence.com/posts/new-destructive-malware-cyber-attacks-ukraine/
  https://www.sentinelone.com/labs/hermetic-wiper-ukraine-under-attack/
  https://blog.talosintelligence.com/2022/02/threat-advisory-hermeticwiper.html
  https://arxiv.org/abs/1801.08917
PARENTID: M22-M2020
SSDEEP: 1536:MBOoa7Nn52wurilmw9BgjKu1sPPxaSLyqC:MBOoa7P2wxlPwV1qPkSuqC
SHA256: 0e9d82ea6402a564ebba6a03afce3846032e2c4d27a1f8f4857706b160728cfa
SHA1: a57c09ed4a4b766bd5d2f34e58d61d99489c16f0
MD5: 14f42b516044fc2db11745ad9c557ed9

Strike ID: M22-M200b
Malware: DarkComet_156fcf96
Platform: Windows
Info: This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system. Capabilities of this malware include the ability to download files from a user's machine, mechanisms for persistence and hiding, and the ability to send back usernames and passwords from the infected system.
External References:
  https://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html
SHA256: b17c1f8063ba70ecef31071a6c51117953dddf37d4b54c1a92b01525cb44c38f
SHA1: 92da949918bef107f4d777727dc142338adc4e80
MD5: 156fcf96d11dc0072bad9750a07a4586

Strike ID: M22-M2066
Malware: DarkComet_37ca3c3b
Platform: Windows
Info: This strike sends a polymorphic malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system. Capabilities of this malware include the ability to download files from a user's machine, mechanisms for persistence and hiding, and the ability to send back usernames and passwords from the infected system. The binary has the checksum removed in the PE file format.
External References:
  https://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html
  https://arxiv.org/abs/1801.08917
PARENTID: M22-M2012
SSDEEP: 24576:8u6J33O0c+JY5UZ+XC0kGso6FaLIk0LMgjYxLBzp6q+OTwyI2JftWYC:mu0c++OCvkGs9Fa5iYC
SHA256: 4f4ed94cd62f280d739a491af738785a35d27abdb062c3a5c63138067372287f
SHA1: 9ab4cbda65f7e42be2175d0f52c51c19cd9ae18f
MD5: 37ca3c3b0beed927bb5e6f8954975364

Strike ID: M22-M2033
Malware: LokiBot_757d1361
Platform: Windows
Info: This strike sends a malware sample known as LokiBot. LokiBot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered via spam emails.
External References:
  https://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html
SHA256: 7d00f5ccb1d443866e2d25a96377ea39787b825cf5dcd099cead7baa630e98a0
SHA1: 05bbe7c2deee5e5922fecf52bf97f85417a6c752
MD5: 757d13617a9b81777d56e85544fc1855

Strike ID: M22-M2082
Malware: HermeticWiper_e19137f2
Platform: Windows
Info: This strike sends a polymorphic malware sample known as HermeticWiper. In February 2022 a new wave of wiper attacks against the country of Ukraine was detected. The malware HermeticWiper exhibits similar functionality to the previous wiper malware WhisperGate used in cyber attacks against Ukraine. Like WhisperGate, this wiper malware will target the Master Boot Record and attempt to destroy it. It also includes a component that will enumerate the system partitions and wipe all files on the targeted system. The binary has random bytes appended at the end of the file.
External References:
  https://securityintelligence.com/posts/new-destructive-malware-cyber-attacks-ukraine/
  https://www.sentinelone.com/labs/hermetic-wiper-ukraine-under-attack/
  https://blog.talosintelligence.com/2022/02/threat-advisory-hermeticwiper.html
  https://attack.mitre.org/techniques/T1009/
PARENTID: M22-M2037
SSDEEP: 1536:lV3+WmNcWbwurilmw9BgjKu1sPPxaS5qB:lV3+WmjbwxlPwV1qPkS5qB
SHA256: e74f69c977d21ca0641190b3acfb9b6448251555347ab83d3dfa49081c2a5ac8
SHA1: abd212226f06035afbf14904f102e9417f2ff66c
MD5: e19137f2f707150493887c1504c3a794

Strike ID: M22-M2016
Malware: Zegost_2e7bc9b2
Platform: Windows
Info: This strike sends a malware sample known as Zegost. Zegost, also known as Zusy, steals banking information. It displays a form to trick the user into submitting personal information when visiting a banking website.
External References:
  https://blog.talosintelligence.com/2022/02/threat-roundup-0211-0218.html
SHA256: 838047d0b03b917a014790a9b9bffbbff55586c54dbcd9d280d8e2273e0772b9
SHA1: deb409fa743ed43d5364d973c665ffa2308f3490
MD5: 2e7bc9b2ca377b14f5cb26fc719792db

Strike ID: M22-M207c
Malware: TeslaCrypt_c0fb9afc
Platform: Windows
Info: This strike sends a polymorphic malware sample known as TeslaCrypt. This ransomware demands Bitcoin in order to decrypt files from the system. The binary has the checksum removed in the PE file format.
External References:
  https://blog.talosintelligence.com/2022/02/threat-roundup-0128-0204.html
  https://arxiv.org/abs/1801.08917
PARENTID: M22-M2028
SSDEEP: 6144:Mh2e1caZ4pfJWlMmPaHzCygqIt1CtqmpRWhy:Mh2e1ca+RWlhEC9t1CPpiy
SHA256: 20a7f9763e0fb48d09f5b3e296343945f4570b1cd2d38b81010578bee3cf953a
SHA1: e1d98253af21d8a605bcfbb5730e63aad4a94490
MD5: c0fb9afc7f80a40fc173f6ff0c42d227

Strike ID: M22-M2021
Malware: Zegost_41c3eb41
Platform: Windows
Info: This strike sends a malware sample known as Zegost. Zegost, also known as Zusy, steals banking information. It displays a form to trick the user into submitting personal information when visiting a banking website.
External References:
  https://blog.talosintelligence.com/2022/02/threat-roundup-0211-0218.html
SHA256: 4719095e1edd925caacc1c3d3229d60d1459f21b89e6a2529e3c0e73fb8e7630
SHA1: e7566ec9eb4371a3443d024e6bca259410f32619
MD5: 41c3eb4117d78836fa43acbb3fd1a362

Strike ID: M22-M2072
Malware: LokiBot_944824b4
Platform: Windows
Info: This strike sends a polymorphic malware sample known as LokiBot. LokiBot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered via spam emails. The binary has random contents appended in one of the existing sections in the PE file format.
External References:
  https://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html
  https://arxiv.org/abs/1801.08917
PARENTID: M22-M2056
SSDEEP: 24576:42aJkRtJ5kI3PytBh9TE/QW/SVg+mbGeD:42a6tfQP9E8g1
SHA256: 757eb9ec97107eab5d3306a507819280e7be37513e94cbf49c395185f4f76978
SHA1: 8e2cd77b633e3a48817911568963005900fb5d42
MD5: 944824b422c4603b89cc48a8a68420f6

Strike ID: M22-M2030
Malware: Zegost_67539483
Platform: Windows
Info: This strike sends a malware sample known as Zegost. Zegost, also known as Zusy, steals banking information. It displays a form to trick the user into submitting personal information when visiting a banking website.
External References:
  https://blog.talosintelligence.com/2022/02/threat-roundup-0211-0218.html
SHA256: 3a6259022334a4b6e1be149d26f3455cb5b796fe1f5d897bb3b89af91af1cbec
SHA1: fa27fbb89ee75258d4e5673bf76d2bc1bfee4636
MD5: 6753948390a4c7be1624520222b28b58

Strike ID: M22-M2007
Malware: Zegost_09e295bd
Platform: Windows
Info: This strike sends a malware sample known as Zegost. Zegost, also known as Zusy, steals banking information. It displays a form to trick the user into submitting personal information when visiting a banking website.
External References:
  https://blog.talosintelligence.com/2022/02/threat-roundup-0211-0218.html
SHA256: 8951fc109c179cecfa54dd57cf89e18221c1b4aeb9321c4589ed4c9b259a1bae
SHA1: 72ff1d122e6ab8c661089fdfa5489ff283453e44
MD5: 09e295bd6b7c1d6714e107f28e5414f5

Strike ID: M22-M202f
Malware: TeslaCrypt_6266203e
Platform: Windows
Info: This strike sends a malware sample known as TeslaCrypt. This ransomware demands Bitcoin in order to decrypt files from the system.
External References:
  https://blog.talosintelligence.com/2022/02/threat-roundup-0128-0204.html
SHA256: 498683c0be028065930ab7985b7cba9a1620a3724d4fa7424b7221a231f34bb1
SHA1: 1e0adc7cac2fac72314fab7477d5aafc5d5116e6
MD5: 6266203ec37b67ad31e71d3216f3fe90

Strike ID: M22-M207d
Malware: HermeticWiper_c7eb0c34
Platform: Windows
Info: This strike sends a polymorphic malware sample known as HermeticWiper. In February 2022 a new wave of wiper attacks against the country of Ukraine was detected. The malware HermeticWiper exhibits similar functionality to the previous wiper malware WhisperGate used in cyber attacks against Ukraine. Like WhisperGate, this wiper malware will target the Master Boot Record and attempt to destroy it. It also includes a component that will enumerate the system partitions and wipe all files on the targeted system. The binary has been packed using the UPX packer, with the default options.
External References:
  https://securityintelligence.com/posts/new-destructive-malware-cyber-attacks-ukraine/
  https://www.sentinelone.com/labs/hermetic-wiper-ukraine-under-attack/
  https://blog.talosintelligence.com/2022/02/threat-advisory-hermeticwiper.html
  https://attack.mitre.org/techniques/T1045/
PARENTID: M22-M2037
SSDEEP: 768:8p/K6b01mzkpuZKVS7pK711znmwdfFFvVW1Lj5sVdO2ktC9WFG5BDtK92xiTSIBC:8p/Smzkpurmlmw9Bgj5u1suPxaSI2qY
SHA256: ff89c35022d7652a7b73741a7635ad3644dce2f515d8cacf2c649d9a7deb2b44
SHA1: b784f1d19f5ff02569fdb3da858e7ed87614c1e9
MD5: c7eb0c341441550dd0743e6a992c4c3f

Strike ID: M22-M2005
Malware: Zegost_06e1716a
Platform: Windows
Info: This strike sends a malware sample known as Zegost. Zegost, also known as Zusy, steals banking information. It displays a form that tricks the user into submitting personal information when visiting a banking website.
External References: https://blog.talosintelligence.com/2022/02/threat-roundup-0211-0218.html
SHA256: 905d0ed169077965fe1d10c33041295edbb3717967c37512e5b602c1e54ca40b
SHA1: bf77dd347e1d28424f3230ea563817ac0e6716c8
MD5: 06e1716af034046c88874d7d338afbe9
Strike ID: M22-M200a
Malware: WhisperGate
Platform: Windows
Info: This strike sends a malware sample known as WhisperGate Downloader. In January 2022 the WhisperGate malware was detected in cyber attacks conducted against the Ukrainian government. WhisperGate is a multi-stage malware that masquerades as ransomware. Its first stage overwrites the MBR; a second stage then downloads a malicious file from a Discord server. That file drops and executes a final wiper payload that enumerates the drives on the system and wipes all files with specific extensions. This sample is the Downloader.
External References: https://www.zdnet.com/article/researchers-break-down-whispergate-wiper-malware-used-in-ukraine-website-defacement/
https://blog.talosintelligence.com/2022/01/ukraine-campaign-delivers-defacement.html
https://www.computerweekly.com/news/252512491/More-intel-emerges-on-WhisperGate-malware-that-hit-Ukraine
SHA256: dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78
SHA1: 16525cb2fd86dce842107eb1ba6174b23f188537
MD5: 14c8482f302b5e81e3fa1b18a509289d
Strike ID: M22-M204e
Malware: Zegost_d095518b
Platform: Windows
Info: This strike sends a malware sample known as Zegost. Zegost, also known as Zusy, steals banking information. It displays a form that tricks the user into submitting personal information when visiting a banking website.
External References: https://blog.talosintelligence.com/2022/02/threat-roundup-0211-0218.html
SHA256: 16be4c10636f884b0d0f49c484c74cfff6ee3d1b1f1ac4efd5b73bd137b19207
SHA1: 1b32f006f029abf0099783b9cc96e146edd28bee
MD5: d095518bd11c6a6bb8737ae42a26fe4b
Strike ID: M22-M203d
Malware: TeslaCrypt_a1606deb
Platform: Windows
Info: This strike sends a malware sample known as TeslaCrypt. This ransomware encrypts files on the system and demands a Bitcoin payment for the decryption key.
External References: https://blog.talosintelligence.com/2022/02/threat-roundup-0128-0204.html
SHA256: 1db9c6e37a0b18ebe5aadba9aaea71467e05aebeaa67b065592bb46a04d76368
SHA1: e94f80c4b7eb29b82e41bd9a51b4071a1e335b19
MD5: a1606deb54f2d523cf7d2266179fdf70
Strike ID: M22-M2065
Malware: WhisperKill
Platform: Windows
Info: This strike sends a polymorphic malware sample known as WhisperKill Wiper. In January 2022 the WhisperGate malware was detected in cyber attacks conducted against the Ukrainian government. WhisperGate is a multi-stage malware that masquerades as ransomware. Its first stage overwrites the MBR; a second stage then downloads a malicious file from a Discord server. That file drops and executes a final wiper payload that enumerates the drives on the system and wipes all files with specific extensions. This sample is the final wiper. The binary has been packed with the UPX packer using its default options.
External References: https://www.zdnet.com/article/researchers-break-down-whispergate-wiper-malware-used-in-ukraine-website-defacement/
https://blog.talosintelligence.com/2022/01/ukraine-campaign-delivers-defacement.html
https://www.computerweekly.com/news/252512491/More-intel-emerges-on-WhisperGate-malware-that-hit-Ukraine
SHA256: 24e9b86b92918c3731fa6126c70532c79507c8041b8e6bf1e1c007aa8a9ac025
https://attack.mitre.org/techniques/T1045/
PARENTID: M22-M201c
SSDEEP: 192:V41yhRtPbZDqGOphy9kpysmAX1uFkbnjmNc05h8GHuo/RdBJwh9YF5te:210dbRqDhAsluFKiYkNJY9+5w
SHA1: 801c2bfe0c28b3b9c22b9e654e6ac1c51c89ab53
MD5: 22bd9ed61d794576b42ccc477dc53e00
Strike ID: M22-M2008
Malware: Zusy_0c2339be
Platform: Windows
Info: This strike sends a malware sample known as Zusy. Zusy, also known as TinyBanker or Tinba, is a trojan that uses man-in-the-browser (web-inject) attacks to steal banking information. When executed, it injects itself into legitimate Windows processes such as "explorer.exe" and "winver.exe". When the user accesses a banking website, it displays a form that tricks the user into submitting personal information.
External References: https://blog.talosintelligence.com/2022/02/threat-roundup-0128-0204.html
SHA256: 17289d65e7d2101e7b65d329981ff99e71a0896222d3c81e77b0fc196d995c17
SHA1: 3881955d3ae41664351704017766774cee49f3b3
MD5: 0c2339bed4022b2a2d241f14852eb426
Strike ID: M22-M2061
Malware: LokiBot_9a4c1fb2
Platform: Windows
Info: This strike sends a polymorphic malware sample known as LokiBot. LokiBot is an information stealer designed to siphon off sensitive data stored on an infected device. It is modular, with components that steal credentials and other sensitive information from a number of popular applications. It is commonly delivered through malicious documents attached to spam emails. The binary has random bytes appended at the end of the file.
External References: https://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html
SHA256: 3e6ef81533f4a048757186ba98c1426788980f6a964d56c96780d1c1cd630230
https://attack.mitre.org/techniques/T1009/
PARENTID: M22-M2056
SSDEEP: 24576:h2aJkRtJ5kI3PytBh9TE/QW/SVg+mbGe6:h2a6tfQP9E8gY
SHA1: 2c9460b7ffd428b6b5bc3e176c2706d28ae584fc
MD5: 9a4c1fb2d9f082a73e5bddc76573d1b3
Strike ID: M22-M2047
Malware: Zusy_be37ac96
Platform: Windows
Info: This strike sends a malware sample known as Zusy. Zusy, also known as TinyBanker or Tinba, is a trojan that uses man-in-the-browser (web-inject) attacks to steal banking information. When executed, it injects itself into legitimate Windows processes such as "explorer.exe" and "winver.exe". When the user accesses a banking website, it displays a form that tricks the user into submitting personal information.
External References: https://blog.talosintelligence.com/2022/02/threat-roundup-0128-0204.html
SHA256: 72c7b16114c3154dde6f62ba063379a880c8aaac76f9778be5db9f4f3efc26fa
SHA1: 92b4455012c3a22d067f2a85bbf7043e33bdd96c
MD5: be37ac96a8cb08a2184662e533b5f5e4
Strike ID: M22-M2039
Malware: Zusy_8e730c2e
Platform: Windows
Info: This strike sends a malware sample known as Zusy. Zusy, also known as TinyBanker or Tinba, is a trojan that uses man-in-the-browser (web-inject) attacks to steal banking information. When executed, it injects itself into legitimate Windows processes such as "explorer.exe" and "winver.exe". When the user accesses a banking website, it displays a form that tricks the user into submitting personal information.
External References: https://blog.talosintelligence.com/2022/02/threat-roundup-0128-0204.html
SHA256: 84f841117194485e3d6e26059e1b6336b45d02a9fa68a61cf611a2e54cd6f6a9
SHA1: d4e62d618b3da78c24dd437ebe715b4c007391e6
MD5: 8e730c2ea7244f28a948842fbe6f094a
Strike ID: M22-M2074
Malware: LokiBot_a0294d29
Platform: Windows
Info: This strike sends a polymorphic malware sample known as LokiBot. LokiBot is an information stealer designed to siphon off sensitive data stored on an infected device. It is modular, with components that steal credentials and other sensitive information from a number of popular applications. It is commonly delivered through malicious documents attached to spam emails. The binary has random strings (lorem ipsum text) appended at the end of the file.
External References: https://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html
SHA256: e25e3d5623348684b2108ffb86c4645638c47780676f41ab0e1375ca4a0efb27
https://attack.mitre.org/techniques/T1009/
PARENTID: M22-M2038
SSDEEP: 12288:UHWahqZ6LrIR5J+DWkmy/Q/xfXj58jBUfbYWa0mcVAMGtW+hU6hhhhhhhhhhhhhR:U2aJkRtJ5kI3PytBhUmbpdxQhvGeK
SHA1: dc04a7f3a2346e6716a1e7f8791dbc5e9e4a60ab
MD5: a0294d29cced97c582a53fd7e42922ee
Strike ID: M22-M202a
Malware: TeslaCrypt_57b0420e
Platform: Windows
Info: This strike sends a malware sample known as TeslaCrypt. This ransomware encrypts files on the system and demands a Bitcoin payment for the decryption key.
External References: https://blog.talosintelligence.com/2022/02/threat-roundup-0128-0204.html
SHA256: b2420aa8633408ef67a8c5e80df4a3aa061eb561649d887f5aa55481d350b655
SHA1: e8698075aacdcc79003a9decba4021f580c9c9dc
MD5: 57b0420ebd965ccc489ab60cde9320a0
Strike ID: M22-M2078
Malware: WhisperGate
Platform: Windows
Info: This strike sends a polymorphic malware sample known as WhisperGate Downloader. In January 2022 the WhisperGate malware was detected in cyber attacks conducted against the Ukrainian government. WhisperGate is a multi-stage malware that masquerades as ransomware. Its first stage overwrites the MBR; a second stage then downloads a malicious file from a Discord server. That file drops and executes a final wiper payload that enumerates the drives on the system and wipes all files with specific extensions. This sample is the Downloader. The binary has random strings (lorem ipsum text) appended at the end of the file.
External References: https://www.zdnet.com/article/researchers-break-down-whispergate-wiper-malware-used-in-ukraine-website-defacement/
https://blog.talosintelligence.com/2022/01/ukraine-campaign-delivers-defacement.html
https://www.computerweekly.com/news/252512491/More-intel-emerges-on-WhisperGate-malware-that-hit-Ukraine
SHA256: 74beb7e3c2702a70e2ee3c1a2c16be538ec98673429a8618c4121b3f2d5c97da
https://attack.mitre.org/techniques/T1009/
PARENTID: M22-M200a
SSDEEP: 3072:vf1GlJZUnjNbGgNQfYySIHiP1WLz4PcSOvG2jxg:FbGoJ8iP19PjmGyW
SHA1: 284a58ae64d707425ae1a1d7b595446aef0bed27
MD5: ba93cdc021c860abd7015f933b4b795e
Strike ID: M22-M2053
Malware: WhisperGate
Platform: Windows
Info: This strike sends a malware sample known as WhisperGate DLL Loader. In January 2022 the WhisperGate malware was detected in cyber attacks conducted against the Ukrainian government. WhisperGate is a multi-stage malware that masquerades as ransomware. Its first stage overwrites the MBR; a second stage then downloads a malicious file from a Discord server. That file drops and executes a final wiper payload that enumerates the drives on the system and wipes all files with specific extensions. This sample is the DLL Loader.
External References: https://blog.talosintelligence.com/2022/01/ukraine-campaign-delivers-defacement.html
https://www.computerweekly.com/news/252512491/More-intel-emerges-on-WhisperGate-malware-that-hit-Ukraine
https://www.zdnet.com/article/researchers-break-down-whispergate-wiper-malware-used-in-ukraine-website-defacement/
SHA256: 9ef7dbd3da51332a78eff19146d21c82957821e464e8133e9594a07d716d892d
SHA1: 82d29b52e35e7938e7ee610c04ea9daaf5e08e90
MD5: e61518ae9454a563b8f842286bbdb87b
Strike ID: M22-M203c
Malware: Zusy_9a973d35
Platform: Windows
Info: This strike sends a malware sample known as Zusy. Zusy, also known as TinyBanker or Tinba, is a trojan that uses man-in-the-browser (web-inject) attacks to steal banking information. When executed, it injects itself into legitimate Windows processes such as "explorer.exe" and "winver.exe". When the user accesses a banking website, it displays a form that tricks the user into submitting personal information.
External References: https://blog.talosintelligence.com/2022/02/threat-roundup-0128-0204.html
SHA256: 47bca02db3899ec836de3305355861f86a7dccca64710b3f0e7ae5c7a2588440
SHA1: deb734e8ec0918f70e8e26026ff2520123c8a486
MD5: 9a973d3584fcc63bb12b28f2048da7af
Strike ID: M22-M2017
Malware: Zusy_32c78bb6
Platform: Windows
Info: This strike sends a malware sample known as Zusy. Zusy, also known as TinyBanker or Tinba, is a trojan that uses man-in-the-browser (web-inject) attacks to steal banking information. When executed, it injects itself into legitimate Windows processes such as "explorer.exe" and "winver.exe". When the user accesses a banking website, it displays a form that tricks the user into submitting personal information.
External References: https://blog.talosintelligence.com/2022/02/threat-roundup-0128-0204.html
SHA256: 2f9b960d63a40d84ec185011dc06eaab64badb323f272c880934205e8a51819c
SHA1: 1d461e482dccdbd6fa8df00a294b01e288929f31
MD5: 32c78bb6fafc6c41a529ba89f169d84f
Strike ID: M22-M203b
Malware: LokiBot_928bd458
Platform: Windows
Info: This strike sends a malware sample known as LokiBot. LokiBot is an information stealer designed to siphon off sensitive data stored on an infected device. It is modular, with components that steal credentials and other sensitive information from a number of popular applications. It is commonly delivered through malicious documents attached to spam emails.
External References: https://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html
SHA256: c197343a6c7b1581b2d200e85869d7751b13549ff109b70ae5abd3b838fdea3a
SHA1: da3f366e88c54cb85efaf88777f678df89b7d746
MD5: 928bd4584eac8e3b8393510bb010cd20
Strike ID: M22-M207e
Malware: TeslaCrypt_c4644580
Platform: Windows
Info: This strike sends a polymorphic malware sample known as TeslaCrypt. This ransomware encrypts files on the system and demands a Bitcoin payment for the decryption key. The binary has one additional import added to its import table.
External References: https://blog.talosintelligence.com/2022/02/threat-roundup-0128-0204.html
SHA256: 9f060c5f82a9c5096ef96cad80a58c42026d5423bd5a69cf4b132a8d3e050eb9
https://arxiv.org/abs/1702.05983
PARENTID: M22-M203d
SSDEEP: 6144:VGE1/8ca6OYIJfw7Z81k/q0MdRuOt01le0JVSH/ISna:Vn10ca1Yt0kiz/1SeaUfvna
SHA1: ace4cd4e0cd1b3907892f3f14cd598baf69c5a0c
MD5: c464458070c7909d7de471e5630592f0
Strike ID: M22-M2026
Malware: Zusy_4b742a09
Platform: Windows
Info: This strike sends a malware sample known as Zusy. Zusy, also known as TinyBanker or Tinba, is a trojan that uses man-in-the-browser (web-inject) attacks to steal banking information. When executed, it injects itself into legitimate Windows processes such as "explorer.exe" and "winver.exe". When the user accesses a banking website, it displays a form that tricks the user into submitting personal information.
External References: https://blog.talosintelligence.com/2022/02/threat-roundup-0128-0204.html
SHA256: 01fe52b810897fec2b30b8d03bb5d08c44c03f8921c41f3252877a31bc250875
SHA1: 82ebabda64fa5137514e70ed3cc0889f6ecf18da
MD5: 4b742a093c100801a449d3fb2b040b85
Strike ID: M22-M2059
Malware: Zegost_fb967cd2
Platform: Windows
Info: This strike sends a malware sample known as Zegost. Zegost, also known as Zusy, steals banking information. It displays a form that tricks the user into submitting personal information when visiting a banking website.
External References: https://blog.talosintelligence.com/2022/02/threat-roundup-0211-0218.html
SHA256: 353cc5166b6a6dd83a2972532af4fc0e14eb991e5539a8056b9ef2daebe8ad72
SHA1: b4f300f9795fe74bf8bc312a8b785b64025303a8
MD5: fb967cd2599061cb0a3dab0cade0fc3c
Strike ID: M22-M2032
Malware: Zusy_747cc78c
Platform: Windows
Info: This strike sends a malware sample known as Zusy. Zusy, also known as TinyBanker or Tinba, is a trojan that uses man-in-the-browser (web-inject) attacks to steal banking information. When executed, it injects itself into legitimate Windows processes such as "explorer.exe" and "winver.exe". When the user accesses a banking website, it displays a form that tricks the user into submitting personal information.
External References: https://blog.talosintelligence.com/2022/02/threat-roundup-0128-0204.html
SHA256: 1c774c5849f22f0660abf46fc8bc270f7d26b4c10cf619e71617c65933b1950b
SHA1: 5972ccc8de5fb9a53eddb1091ad9a491dd15a1da
MD5: 747cc78c975baa2992b25d27838f2d46
Strike ID: M22-M2048
Malware: LokiBot_c102ca2e
Platform: Windows
Info: This strike sends a malware sample known as LokiBot. LokiBot is an information stealer designed to siphon off sensitive data stored on an infected device. It is modular, with components that steal credentials and other sensitive information from a number of popular applications. It is commonly delivered through malicious documents attached to spam emails.
External References: https://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html
SHA256: c081e8dc858925158f65aa758764781f07476edc4641dbbd1d3acdab4a590a87
SHA1: 8b524b6aed6c8ecedd41245f219e52f2ee8201ee
MD5: c102ca2e4e64d11889524a1b56fcd4ad
Strike ID: M22-M2054
Malware: TeslaCrypt_e99bd4d8
Platform: Windows
Info: This strike sends a malware sample known as TeslaCrypt. This ransomware encrypts files on the system and demands a Bitcoin payment for the decryption key.
External References: https://blog.talosintelligence.com/2022/02/threat-roundup-0128-0204.html
SHA256: f17936397f6f9202ea8a728b07512ba8142fe7e224bf08cfbed0b247b3956ea4
SHA1: 57835afe231718783caee78e400ae22864d51ab5
MD5: e99bd4d8d715d93645c3850fc2c2e1d3
Strike ID: M22-M2067
Malware: DarkComet_52dc384a
Platform: Windows
Info: This strike sends a polymorphic malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to give an attacker control over an infected system. Its capabilities include downloading files from the victim's machine, mechanisms for persistence and hiding, and sending usernames and passwords from the infected system back to the attacker. The binary has random bytes appended at the end of the file.
External References: https://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html
SHA256: d9a081d6787c4519f5847162dfca3160bbd57bc3f8fa4f495cc4df2547cb0992
https://attack.mitre.org/techniques/T1009/
PARENTID: M22-M2012
SSDEEP: 24576:ou6J33O0c+JY5UZ+XC0kGso6FaLIk0LMgjYxLBzp6q+OTwyI2JfvWYA:Cu0c++OCvkGs9Fa5YYA
SHA1: e703765a98b28d0e92d6aa615cd4547e59a68a59
MD5: 52dc384a398e644786a67e03ce9011c7
Strike ID: M22-M2057
Malware: Zusy_f94938b4
Platform: Windows
Info: This strike sends a malware sample known as Zusy. Zusy, also known as TinyBanker or Tinba, is a trojan that uses man-in-the-browser (web-inject) attacks to steal banking information. When executed, it injects itself into legitimate Windows processes such as "explorer.exe" and "winver.exe". When the user accesses a banking website, it displays a form that tricks the user into submitting personal information.
External References: https://blog.talosintelligence.com/2022/02/threat-roundup-0128-0204.html
SHA256: 44654adb36a0e86e49ece0f3d1193212d82779b5ac3a2f880a656cfddb52a2b9
SHA1: 6a5f443ec702c954602c73c8986458bc75a96746
MD5: f94938b4aae9ff3f4dc976d3f8dd50fc
Strike ID: M22-M2002
Malware: Zegost_02293aea
Platform: Windows
Info: This strike sends a malware sample known as Zegost. Zegost, also known as Zusy, steals banking information. It displays a form that tricks the user into submitting personal information when visiting a banking website.
External References: https://blog.talosintelligence.com/2022/02/threat-roundup-0211-0218.html
SHA256: 8df588dee532e623cf1d4f4611646cf0bc645a13fb83b30acadac9814311bb2a
SHA1: 3ea5ddd0793cfb75f861c5bafe325d9cd733dd44
MD5: 02293aead10c7195514fbbaa749ee2dd
Strike ID: M22-M2022
Malware: DarkComet_43e6cebc
Platform: Windows
Info: This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to give an attacker control over an infected system. Its capabilities include downloading files from the victim's machine, mechanisms for persistence and hiding, and sending usernames and passwords from the infected system back to the attacker.
External References: https://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html
SHA256: 33302b6dfc2b669df38aab7a4a7e74c512ce31ba3a5a9151aea435a86c36b738
SHA1: f6a803a720e683fdc76eecdde9748e5362b4b50f
MD5: 43e6cebc5006c35d2566de39f4e008cf
Strike ID: M22-M204b
Malware: Zegost_c9c948c0
Platform: Windows
Info: This strike sends a malware sample known as Zegost. Zegost, also known as Zusy, steals banking information. It displays a form that tricks the user into submitting personal information when visiting a banking website.
External References: https://blog.talosintelligence.com/2022/02/threat-roundup-0211-0218.html
SHA256: a5ab1c7e194f1f5b1db207c3db41b3fac6d4a95f866ac6c109d5ab3c07e82581
SHA1: dbbf7098204ea8e25ec2533c2b1ef1644d58804d
MD5: c9c948c02a6cb14c046f9497e66196fb
Strike ID: M22-M2027
Malware: TeslaCrypt_4bc07d04
Platform: Windows
Info: This strike sends a malware sample known as TeslaCrypt. This ransomware encrypts files on the system and demands a Bitcoin payment for the decryption key.
External References: https://blog.talosintelligence.com/2022/02/threat-roundup-0128-0204.html
SHA256: d4577b3a267501cbd003cbdb898c03fe81eb14f9ddc1a7e71a5a54fa48fa27e2
SHA1: 46906f195e9ec04095cacfbd7ba393b7e2f4dd4b
MD5: 4bc07d04b3a595d727461619e72b8af2
Strike ID: M22-M203e
Malware: Zegost_a69a7a2e
Platform: Windows
Info: This strike sends a malware sample known as Zegost. Zegost, also known as Zusy, steals banking information. It displays a form that tricks the user into submitting personal information when visiting a banking website.
External References: https://blog.talosintelligence.com/2022/02/threat-roundup-0211-0218.html
SHA256: 3c9e8bc62d3af2c0e19d90638f49482f6fcecf830e9002ec2d2bdbc359841ba0
SHA1: 78e8efa5ef0e914333e6741128c56994a0f3d36c
MD5: a69a7a2eea907b80dd34b110efe6f09a
Strike ID: M22-M2011
Malware: LokiBot_1f034f18
Platform: Windows
Info: This strike sends a malware sample known as LokiBot. LokiBot is an information stealer designed to siphon off sensitive data stored on an infected device. It is modular, with components that steal credentials and other sensitive information from a number of popular applications. It is commonly delivered through malicious documents attached to spam emails.
External References: https://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html
SHA256: daf3e154beeb32370cf0a5cda571b3a84959a53da4c530a77696ecd1c24ab485
SHA1: 21b30af9714bca1aa58b254fe5ff34058bb8b10e
MD5: 1f034f183595c871de3a55b22bed0720
Strike ID: M22-M2024
Malware: TeslaCrypt_48e0d4d3
Platform: Windows
Info: This strike sends a malware sample known as TeslaCrypt. This ransomware encrypts files on the system and demands a Bitcoin payment for the decryption key.
External References: https://blog.talosintelligence.com/2022/02/threat-roundup-0128-0204.html
SHA256: 2c956a9ce5e5964c8bcc0caf6be44ceed54c80e6c98f8b54aa2711904bb8dfa6
SHA1: 2e53cf0a23d64df1c51e3a89bfd8a9f7a75f2664
MD5: 48e0d4d3fba9365813688afdf9bfbd1f
Strike ID: M22-M2004
Malware: Zusy_041d343d
Platform: Windows
Info: This strike sends a malware sample known as Zusy. Zusy, also known as TinyBanker or Tinba, is a trojan that uses man-in-the-browser (web-inject) attacks to steal banking information. When executed, it injects itself into legitimate Windows processes such as "explorer.exe" and "winver.exe". When the user accesses a banking website, it displays a form that tricks the user into submitting personal information.
External References: https://blog.talosintelligence.com/2022/02/threat-roundup-0128-0204.html
SHA256: 4957c1f3ed393e71aa7875607d2b5e34c534058a81bd8709491ba809d8b208a0
SHA1: a7a1564bfb72917a53d805ff3528878907b0c9b0
MD5: 041d343d2c16b009b6b5cd1612feae3c
Strike ID: M22-M2046
Malware: LokiBot_bce8d497
Platform: Windows
Info: This strike sends a malware sample known as LokiBot. LokiBot is an information stealer designed to siphon off sensitive data stored on an infected device. It is modular, with components that steal credentials and other sensitive information from a number of popular applications. It is commonly delivered through malicious documents attached to spam emails.
External References: https://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html
SHA256: 12cf795390f0849bce4b21f1987e7fbcc92f812accdbb1a297d00638ee3e0004
SHA1: 73005836cba5d27885571b6f037ccf0c8818e928
MD5: bce8d497ea21fe3fee999190ed628c98
Strike ID: M22-M201d
Malware: Zusy_3c720563
Platform: Windows
Info: This strike sends a malware sample known as Zusy. Zusy, also known as TinyBanker or Tinba, is a trojan that uses man-in-the-browser (web-inject) attacks to steal banking information. When executed, it injects itself into legitimate Windows processes such as "explorer.exe" and "winver.exe". When the user accesses a banking website, it displays a form that tricks the user into submitting personal information.
External References: https://blog.talosintelligence.com/2022/02/threat-roundup-0128-0204.html
SHA256: 818b73b6fcc1fdc0afab7e729a8ef3dda0f938450ea2c1533fe760d04f97d7d0
SHA1: f70f3c40e97ea464eb4bdb49717177db29b1360d
MD5: 3c720563ec1c728ad4f8646c2b991d17
Strike ID: M22-M202e
Malware: Zegost_5d8c75df
Platform: Windows
Info: This strike sends a malware sample known as Zegost. Zegost, also known as Zusy, steals banking information. It displays a form that tricks the user into submitting personal information when visiting a banking website.
External References: https://blog.talosintelligence.com/2022/02/threat-roundup-0211-0218.html
SHA256: 824b14272e7b677bde8d172e8e1c20700fe5b9b69281bce4c6339aca0a22237c
SHA1: c24bbb6d6b97d77f57b06004edfa62f3756b6349
MD5: 5d8c75dfa07e5982d2d90a282378e4cb
Strike ID: M22-M2037
Malware: HermeticWiper_84ba0197
Platform: Windows
Info: This strike sends a malware sample known as HermeticWiper. In February 2022 a new wave of wiper attacks against Ukraine was detected. HermeticWiper exhibits functionality similar to WhisperGate, the wiper used in earlier cyber attacks against Ukraine. Like WhisperGate, it targets the Master Boot Record and attempts to destroy it. It also includes a component that enumerates the system partitions and wipes all files on the targeted system.
External References: https://securityintelligence.com/posts/new-destructive-malware-cyber-attacks-ukraine/
https://www.sentinelone.com/labs/hermetic-wiper-ukraine-under-attack/
https://blog.talosintelligence.com/2022/02/threat-advisory-hermeticwiper.html
SHA256: 0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
SHA1: 912342f1c840a42f6b74132f8a7c4ffe7d40fb77
MD5: 84ba0197920fd3e2b7dfa719fee09d2f
Strike ID: M22-M2060
Malware: DarkComet_5ff45a27
Platform: Windows
Info: This strike sends a polymorphic malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to give an attacker control over an infected system. Its capabilities include downloading files from the victim's machine, mechanisms for persistence and hiding, and sending usernames and passwords from the infected system back to the attacker. One of the binary's section names has been replaced with a random name that is valid under the PE format specification.
External References: https://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html
SHA256: d6d0aa8c6b08f6a53c4bc815ce40b769d279c9daab3b8c85a093eef3453bdec8
https://arxiv.org/abs/1801.08917
PARENTID: M22-M2012
SSDEEP: 24576:Du6J33O0c+JY5UZ+XC0kGso6FaLIk0LMgjYxLBzp6q+OTwyI2JfvWYC:Nu0c++OCvkGs9Fa5YYC
SHA1: 199b6096bcaa4a88bab9c7d05ee9af72657da272
MD5: 5ff45a27e2c9d3708240303a78e0be6e
Strike ID: M22-M202b
Malware: LokiBot_5c5ad7f3
Platform: Windows
Info: This strike sends a malware sample known as LokiBot. LokiBot is an information stealer designed to siphon off sensitive data stored on an infected device. It is modular, with components that steal credentials and other sensitive information from a number of popular applications. It is commonly delivered through malicious documents attached to spam emails.
External References: https://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html
SHA256: ccdc34aa16b23192f0260b9c21529919f47c3b0e2e59034d512184b94267adc2
SHA1: e5eb457a706f6932483e483cbce8e7ada408edcc
MD5: 5c5ad7f35533f46e30133dba9186d4b1
Strike ID: M22-M2049
Malware: DarkComet_c35d5775
Platform: Windows
Info: This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to give an attacker control over an infected system. Its capabilities include downloading files from the victim's machine, mechanisms for persistence and hiding, and sending usernames and passwords from the infected system back to the attacker.
External References: https://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html
SHA256: b40e00192ed4d4cf0c90e3c03c11124dae8fc7f2182be609b2c3efcc585a00be
SHA1: 7f95b104ba268fedfb3565acefb71831276232d4
MD5: c35d5775dd66aab590f8e41ca16c1b4a
Strike ID: M22-M205e
Malware: HermeticWiper_5d693a27
Platform: Windows
Info: This strike sends a polymorphic malware sample known as HermeticWiper. In February 2022 a new wave of wiper attacks against Ukraine was detected. HermeticWiper exhibits functionality similar to WhisperGate, the wiper used in earlier cyber attacks against Ukraine. Like WhisperGate, it targets the Master Boot Record and attempts to destroy it. It also includes a component that enumerates the system partitions and wipes all files on the targeted system. The binary has random bytes appended at the end of the file.
External References: https://securityintelligence.com/posts/new-destructive-malware-cyber-attacks-ukraine/
https://www.sentinelone.com/labs/hermetic-wiper-ukraine-under-attack/
https://blog.talosintelligence.com/2022/02/threat-advisory-hermeticwiper.html
SHA256: 38678e1368f88ec43c9bedd01573211950921823a072a5f99a84c7ede554f690
https://attack.mitre.org/techniques/T1009/
PARENTID: M22-M2020
SSDEEP: 1536:sBOoa7Nn52wurilmw9BgjKu1sPPxaSLyqB:sBOoa7P2wxlPwV1qPkSuqB
SHA1: 20796d3509047fbdf77b00cfc3c5181521b21f2a
MD5: 5d693a277a0cd4ff86f2b43b193f8315
Strike ID: M22-M2058
Malware: Zegost_f9e8a2f9
Platform: Windows
Info: This strike sends a malware sample known as Zegost. Zegost, also known as Zusy, steals banking information. It displays a form that tricks the user into submitting personal information when visiting a banking website.
External References: https://blog.talosintelligence.com/2022/02/threat-roundup-0211-0218.html
SHA256: 01bcef8aef33c9fed5117010204765eb15935727f5bd2d033a75496b38b2f752
SHA1: 8df610b2e0c058ed98e50427d7b118a0e278486c
MD5: f9e8a2f913ea31aba2f95c04f997e12d
Strike ID: M22-M201e
Malware: Zusy_3d1be4d0
Platform: Windows
Info: This strike sends a malware sample known as Zusy. Zusy, also known as TinyBanker or Tinba, is a trojan that uses man-in-the-browser (web-inject) attacks to steal banking information. When executed, it injects itself into legitimate Windows processes such as "explorer.exe" and "winver.exe". When the user accesses a banking website, it displays a form that tricks the user into submitting personal information.
External References: https://blog.talosintelligence.com/2022/02/threat-roundup-0128-0204.html
SHA256: 31ac7c0592bc741aad0745d85adb24db0766978a6111593fa46606c8d57bad83
SHA1: 47279d9e692cd9edec9b1b466ce763909073df9e
MD5: 3d1be4d0b627ed1a301848bddfdbcc98
Strike ID: M22-M201f
Malware: LokiBot_3f2e9256
Platform: Windows
Info: This strike sends a malware sample known as LokiBot. LokiBot is an information stealer designed to siphon off sensitive data stored on an infected device. It is modular, with components that steal credentials and other sensitive information from a number of popular applications. It is commonly delivered through malicious documents attached to spam emails.
External References: https://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html
SHA256: 52864c84c299b950f3de76f8b8387d6ebda6726ded21d64a8ad565c25d4e4d52
SHA1: 524f502183d8bc44b6737f2673af65cf17286330
MD5: 3f2e92568e3e77e88dc3a0fbb6755a79
Strike ID: M22-M2069
Malware: LokiBot_67f5daf1
Platform: Windows
Info: This strike sends a polymorphic malware sample known as LokiBot. LokiBot is an information stealer designed to siphon off sensitive data stored on an infected device. It is modular, with components that steal credentials and other sensitive information from a number of popular applications. It is commonly delivered through malicious documents attached to spam emails. The checksum field in the binary's PE header has been cleared.
External References: https://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html
SHA256: c52285ad63b90190a97fb19a2f74f8baa9e2800604d925f436f95a12d73ce564
https://arxiv.org/abs/1801.08917
PARENTID: M22-M2038
SSDEEP: 12288:HHWahqZ6LrIR5J+DWkmy/Q/xfXj58jBUfbYWa0mcVAMGtW+hU6hhhhhhhhhhhhh4:H2aJkRtJ5kI3PytBhUmbpdxQhvGe7
SHA1: f1c53ebfc541ec4c335ace016509b4066afd675d
MD5: 67f5daf17df5a86d4a89d9318402b84d
Strike ID: M22-M2034
Malware: Zusy_75cad729
Platform: Windows
Info: This strike sends a malware sample known as Zusy. Zusy, also known as TinyBanker or Tinba, is a trojan that uses man-in-the-browser (web-inject) attacks to steal banking information. When executed, it injects itself into legitimate Windows processes such as "explorer.exe" and "winver.exe". When the user accesses a banking website, it displays a form that tricks the user into submitting personal information.
External References: https://blog.talosintelligence.com/2022/02/threat-roundup-0128-0204.html
SHA256: 6ff434e99a93ca2f1cd000fcdadb7ee7122ad6bca1fc720304c1a4a08a1c0e6a
SHA1: 5975b96e2b8a75be6a3339d5cc406ed9753e5daf
MD5: 75cad729ca6a900e3b169f3b8376fb23
M22-M2056 | LokiBot_eb9603a9 | Windows | This strike sends a malware sample known as LokiBot. Lokibot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered via spam emails. | eb9603a9904e78f85911398887281718 | https://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html
SHA256: 076c8cd6b128aff0be52736591e26777d73497ff0b36a2f5ee9966ca051adf43
SHA1: b1c7a8b87c8d419d644acb7258d10f39feb268d3
MD5: eb9603a9904e78f85911398887281718
M22-M207f | DarkComet_cf9031f5 | Windows | This strike sends a polymorphic malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system. Capabilities of this malware include the ability to download files from a user's machine, mechanisms for persistence and hiding, and the ability to send back usernames and passwords from the infected system. The binary has the debug flag removed in the PE file format. | cf9031f5f60e4c6dc23faa0a3a1d5b9b | https://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html
SHA256: 3250c659fef55eba1a3f59a27f0318a83c0e08f4a6c09e8feb2757634f4c249c
https://arxiv.org/abs/1801.08917
PARENTID: M22-M2012
SSDEEP: 24576:Yu6J33O0c+JY5UZ+XC0kGso6FaLIk0LMgjYxLBzp6q+OTwyI2JftWYC:Su0c++OCvkGs9Fa5iYC
SHA1: cbe9ae693daacab2d8f3728151e716cadadcd52a
MD5: cf9031f5f60e4c6dc23faa0a3a1d5b9b
M22-M2050 | Zusy_d586ef3d | Windows | This strike sends a malware sample known as Zusy. Zusy, also known as TinyBanker or Tinba, is a trojan that uses man-in-the-middle attacks to steal banking information. When executed, it injects itself into legitimate Windows processes such as "explorer.exe" and "winver.exe." When the user accesses a banking website, it displays a form to trick the user into submitting personal information. | d586ef3d3ce938f2b02e8e6ee0d2c1a0 | https://blog.talosintelligence.com/2022/02/threat-roundup-0128-0204.html
SHA256: 1fe69a46cf7b96bc518b01a4f44ad5bdcf2581ec25faa3c6033c90cf8a8c6ee6
SHA1: 9b6d01b9f7c0b74b37b602e1fd6ef4cfa357f073
MD5: d586ef3d3ce938f2b02e8e6ee0d2c1a0
M22-M206c | TeslaCrypt_00658cac | Windows | This strike sends a polymorphic malware sample known as TeslaCrypt. This ransomware demands Bitcoin in order to decrypt files from the system. The binary has random strings (lorem ipsum) appended at the end of the file. | 00658caca94f6d736a67b553302c7980 | https://blog.talosintelligence.com/2022/02/threat-roundup-0128-0204.html
SHA256: 24c6d53c53c1f3a0fc422cdf507ac7d5f50ecf00055be2ab3160e62c5c6726ae
https://attack.mitre.org/techniques/T1009/
PARENTID: M22-M2028
SSDEEP: 6144:zh2e1caZ4pfJWlMmPaHzCygqIt1CtqmpRWhy2:zh2e1ca+RWlhEC9t1CPpiy2
SHA1: 02595b89063dc63043c76a1ab30094a464028a33
MD5: 00658caca94f6d736a67b553302c7980
M22-M2076 | HermeticWiper_aa86953f | Windows | This strike sends a polymorphic malware sample known as HermeticWiper. In February 2022 a new wave of wiper attacks against the country of Ukraine was detected. The malware HermeticWiper exhibits similar functionality to the previous wiper malware WhisperGate used in cyber attacks against Ukraine. Like WhisperGate this wiper malware will target the Master Boot Record and attempt to destroy it. It also includes a component that will enumerate the system partitions and wipe all files on the targeted system. The binary has the debug flag removed in the PE file format. | aa86953f2915b113252c5c0a937329b4 | https://securityintelligence.com/posts/new-destructive-malware-cyber-attacks-ukraine/
https://www.sentinelone.com/labs/hermetic-wiper-ukraine-under-attack/
https://blog.talosintelligence.com/2022/02/threat-advisory-hermeticwiper.html
SHA256: 89aa7b09dd3b723bdd7868cd4d9e1af669d41db0b6061ce989aeb152f2cdc79d
https://arxiv.org/abs/1801.08917
PARENTID: M22-M2037
SSDEEP: 1536:VV3+WmNcWbwurilmw9BgjKu1sPPxaS5qY:VV3+WmjbwxlPwV1qPkS5qY
SHA1: d78fef0da8d27cd88c4d454f10b8dc61cd9eb33b
MD5: aa86953f2915b113252c5c0a937329b4
M22-M2035 | LokiBot_7a2ae5d5 | Windows | This strike sends a malware sample known as LokiBot. Lokibot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered via spam emails. | 7a2ae5d579597b4d8a6806011501e92a | https://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html
SHA256: 43fbaf28a8db23ce81f85286b3316b6d3a352af0948bb58f01f7e929631f9740
SHA1: 292f65de36b407a3028aa7ebf019cd741e169a39
MD5: 7a2ae5d579597b4d8a6806011501e92a
M22-M2068 | TeslaCrypt_55b87f03 | Windows | This strike sends a polymorphic malware sample known as TeslaCrypt. This ransomware demands Bitcoin in order to decrypt files from the system. The binary has been packed using the UPX packer, with the default options. | 55b87f0397e4600386250f2047c773c4 | https://blog.talosintelligence.com/2022/02/threat-roundup-0128-0204.html
SHA256: 9b2a334ea23e4a9a15bce7aaedc5b460f0decabc6ab4408f2427342cc0a0d878
https://attack.mitre.org/techniques/T1045/
PARENTID: M22-M203d
SSDEEP: 3072:E0ODMDW33REr3AKRy1rqtIBgjTMuIoBOXnslp1cbsr9xA1xMKqMRlwJSJ15zkSD4:RAEr3AKRyVBIT2rnsCjxMK1RCJShzjva
SHA1: 5b986c1beeec968d4f0b58de27061e92cbcf103f
MD5: 55b87f0397e4600386250f2047c773c4
M22-M202d | WhisperGate | Windows | This strike sends a malware sample known as WhisperGate MBR Wiper. In January 2022 the WhisperGate malware was detected in cyber attacks being conducted against the Ukrainian Government. WhisperGate is a multi-stage malware that masquerades as ransomware. It downloads a payload that wipes the MBR, then downloads a malicious file from a Discord server. This last file drops and executes a final wiper payload that enumerates the drives on the system and proceeds to wipe all files with specific extensions. This sample is the MBR Wiper. | 5d5c99a08a7d927346ca2dafa7973fc1 | https://www.zdnet.com/article/researchers-break-down-whispergate-wiper-malware-used-in-ukraine-website-defacement/
https://blog.talosintelligence.com/2022/01/ukraine-campaign-delivers-defacement.html
https://www.computerweekly.com/news/252512491/More-intel-emerges-on-WhisperGate-malware-that-hit-Ukraine
SHA256: a196c6b8ffcb97ffb276d04f354696e2391311db3841ae16c8c9f56f36a38e92
SHA1: 189166d382c73c242ba45889d57980548d4ba37e
MD5: 5d5c99a08a7d927346ca2dafa7973fc1
M22-M2031 | Zegost_6da73d62 | Windows | This strike sends a malware sample known as Zegost. Zegost, also known as Zusy, steals banking information. It displays a form to trick the user into submitting personal information when visiting a banking website. | 6da73d62e3ad95ae34801c12a79e113f | https://blog.talosintelligence.com/2022/02/threat-roundup-0211-0218.html
SHA256: 31d6e5b67f7d3ff6e8999a57a61c3969682bedbd89203868b199d8d486c49729
SHA1: 6bf9a691710d7d90bf54e46178879cf8bc7495bb
MD5: 6da73d62e3ad95ae34801c12a79e113f
M22-M206e | LokiBot_862e155b | Windows | This strike sends a polymorphic malware sample known as LokiBot. Lokibot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered via spam emails. The binary has a random section name renamed according to the PE format specification. | 862e155bf0110e49edb1f26847b9d4c0 | https://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html
SHA256: e1259b8d2d6bf42377353115725c1d20a9f80a2d35f44f61db4ad9f3e90fd9c4
https://arxiv.org/abs/1801.08917
PARENTID: M22-M2038
SSDEEP: 12288:THWahqZ6LrIR5J+DWkmy/Q/xfXj58jBUfbYWa0mcVAMGtW+hU6hhhhhhhhhhhhh4:T2aJkRtJ5kI3PytBhUmbpdxQhvGe7
SHA1: 6f2b29e7b6a4382398b794e51804720bd1b72f7c
MD5: 862e155bf0110e49edb1f26847b9d4c0
M22-M2001 | DarkComet_01a2e344 | Windows | This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system. Capabilities of this malware include the ability to download files from a user's machine, mechanisms for persistence and hiding, and the ability to send back usernames and passwords from the infected system. | 01a2e3440d5c65442c49fe708bf94003 | https://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html
SHA256: 2db522042954becd5b940edc0afbfc93f0039d3f4f775d4cfa45b7012587574e
SHA1: 4b8e8d8e4f1d2f0e19b5ce96bf24afcdf68e27b1
MD5: 01a2e3440d5c65442c49fe708bf94003
M22-M2013 | Zegost_21be8e77 | Windows | This strike sends a malware sample known as Zegost. Zegost, also known as Zusy, steals banking information. It displays a form to trick the user into submitting personal information when visiting a banking website. | 21be8e778089b7bcbd8b9ab9b26197a6 | https://blog.talosintelligence.com/2022/02/threat-roundup-0211-0218.html
SHA256: 3fd79e9c51e5a258a08f9afa295884375bda1f18355f9f8f510243413279f99e
SHA1: 324c9a3f4619760890b73e4c110064b98dde4b48
MD5: 21be8e778089b7bcbd8b9ab9b26197a6
M22-M202c | Zegost_5c6ef7c4 | Windows | This strike sends a malware sample known as Zegost. Zegost, also known as Zusy, steals banking information. It displays a form to trick the user into submitting personal information when visiting a banking website. | 5c6ef7c40c341feec5ef105b2bea417c | https://blog.talosintelligence.com/2022/02/threat-roundup-0211-0218.html
SHA256: 0bf6287f4e3d3ab71affb5b8c93a0d64ef79302be7ba391b8e483e5978794d6c
SHA1: 26092eb627016fcbc2fd1a9e443a887f4f75e341
MD5: 5c6ef7c40c341feec5ef105b2bea417c
M22-M2041 | DarkComet_b2a17564 | Windows | This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system. Capabilities of this malware include the ability to download files from a user's machine, mechanisms for persistence and hiding, and the ability to send back usernames and passwords from the infected system. | b2a17564d97ec1ca975dcd8ee222a987 | https://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html
SHA256: 19a57c2208ef58387cb38412b0db3060b1ddcaf4f02929213f5355c40776a98d
SHA1: 268b7619a53224e76b9af8e498240f1688ebd968
MD5: b2a17564d97ec1ca975dcd8ee222a987
M22-M2029 | LokiBot_572ee199 | Windows | This strike sends a malware sample known as LokiBot. Lokibot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered via spam emails. | 572ee199d9d6793f1b6f5a8696bb6532 | https://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html
SHA256: 17eb09a8fb7eae2aaa740a74234a75b47c072ca93a1b65cda00a175e25720c88
SHA1: bd04844983eb834f89eba2b855847c467371d565
MD5: 572ee199d9d6793f1b6f5a8696bb6532
M22-M2042 | WhisperGate | Mixed | This strike sends a malware sample known as WhisperGate DLL Loader. In January 2022 the WhisperGate malware was detected in cyber attacks being conducted against the Ukrainian Government. WhisperGate is a multi-stage malware that masquerades as ransomware. It downloads a payload that wipes the MBR, then downloads a malicious file from a Discord server. This last file drops and executes a final wiper payload that enumerates the drives on the system and proceeds to wipe all files with specific extensions. This sample is the DLL Loader. | b3370eb3c5ef6c536195b3bea0120929 | https://blog.talosintelligence.com/2022/01/ukraine-campaign-delivers-defacement.html
https://www.computerweekly.com/news/252512491/More-intel-emerges-on-WhisperGate-malware-that-hit-Ukraine
https://www.zdnet.com/article/researchers-break-down-whispergate-wiper-malware-used-in-ukraine-website-defacement/
SHA256: 923eb77b3c9e11d6c56052318c119c1a22d11ab71675e6b95d05eeb73d1accd6
SHA1: b2d863fc444b99c479859ad7f012b840f896172e
MD5: b3370eb3c5ef6c536195b3bea0120929
M22-M205d | LokiBot_4edfba05 | Windows | This strike sends a polymorphic malware sample known as LokiBot. Lokibot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered via spam emails. The binary has random bytes appended at the end of the file. | 4edfba05c275b53b5a4e569ea760160c | https://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html
SHA256: 9ea8b74d78c14849f1863541e1b0b368679ec6737716a42f6d5a51e32bd44d79
https://attack.mitre.org/techniques/T1009/
PARENTID: M22-M2038
SSDEEP: 12288:UHWahqZ6LrIR5J+DWkmy/Q/xfXj58jBUfbYWa0mcVAMGtW+hU6hhhhhhhhhhhhhu:U2aJkRtJ5kI3PytBhUmbpdxQhvGeh
SHA1: 7aaa72970a07b5ce77ec4a52b2c7c751fd8efe3f
MD5: 4edfba05c275b53b5a4e569ea760160c
M22-M2014 | Zegost_28ae85d8 | Windows | This strike sends a malware sample known as Zegost. Zegost, also known as Zusy, steals banking information. It displays a form to trick the user into submitting personal information when visiting a banking website. | 28ae85d88fed2184bba78d1af16827da | https://blog.talosintelligence.com/2022/02/threat-roundup-0211-0218.html
SHA256: 1a36784e26051d7bbb42f84f58d256f304f76b84843c9a4eb0e131e94dcd417a
SHA1: db85c0c97abbbb07e0374814568446fc45001c81
MD5: 28ae85d88fed2184bba78d1af16827da
M22-M200c | DarkComet_180f8ee1 | Windows | This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system. Capabilities of this malware include the ability to download files from a user's machine, mechanisms for persistence and hiding, and the ability to send back usernames and passwords from the infected system. | 180f8ee1842a3465cfc9bb2e1fedce8e | https://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html
SHA256: 37edc65fde51628d1604ddbf0c14f06035e8c6819b7d0bfac7fee8dd4bf30bc7
SHA1: 0e5e4e18c580060b17b7cbb613db1a42ef3fe800
MD5: 180f8ee1842a3465cfc9bb2e1fedce8e
M22-M2003 | Zegost_0408ff2a | Windows | This strike sends a malware sample known as Zegost. Zegost, also known as Zusy, steals banking information. It displays a form to trick the user into submitting personal information when visiting a banking website. | 0408ff2a2f67c7492a269a9a7d71b980 | https://blog.talosintelligence.com/2022/02/threat-roundup-0211-0218.html
SHA256: 562844e7860c52a2f4c9f41c4c376c90a00f5981f9476df4e159ba57dff98804
SHA1: c47e194bc67f61225b4ad898a52bd489fe9d233e
MD5: 0408ff2a2f67c7492a269a9a7d71b980
M22-M2055 | Zegost_eac003a4 | Windows | This strike sends a malware sample known as Zegost. Zegost, also known as Zusy, steals banking information. It displays a form to trick the user into submitting personal information when visiting a banking website. | eac003a405c720f1070d3fd2eaeed11d | https://blog.talosintelligence.com/2022/02/threat-roundup-0211-0218.html
SHA256: 85734d17bd8a593181fb462bf13aab791bf389ff3e0c404c50fef1e4d79e8e3b
SHA1: 2bbac7f97f83e75f6ab8689368f345633420aeae
MD5: eac003a405c720f1070d3fd2eaeed11d
M22-M201b | TeslaCrypt_38602df4 | Windows | This strike sends a malware sample known as TeslaCrypt. This ransomware demands Bitcoin in order to decrypt files from the system. | 38602df4390dbda254d40126d7d992b2 | https://blog.talosintelligence.com/2022/02/threat-roundup-0128-0204.html
SHA256: 46d94eb497a9700630719e781319d55d9c693b04ac13ca7f38d46f8ba9ade1b7
SHA1: 8f26a5f107b3a3d97606a24444862cc30ee26724
MD5: 38602df4390dbda254d40126d7d992b2
M22-M2025 | TeslaCrypt_4ae42e33 | Windows | This strike sends a malware sample known as TeslaCrypt. This ransomware demands Bitcoin in order to decrypt files from the system. | 4ae42e33f8104a47ae1b19542607f753 | https://blog.talosintelligence.com/2022/02/threat-roundup-0128-0204.html
SHA256: 7f0e6b707128faa8270fd5f291ba3c87cc685cfb48363f91220f74897140aebb
SHA1: 988e74eb7ca117bc3fb59c5c28935972bbc1558d
MD5: 4ae42e33f8104a47ae1b19542607f753
M22-M2052 | TeslaCrypt_dd587d20 | Windows | This strike sends a malware sample known as TeslaCrypt. This ransomware demands Bitcoin in order to decrypt files from the system. | dd587d20de9a14d86bdbc4ed94584038 | https://blog.talosintelligence.com/2022/02/threat-roundup-0128-0204.html
SHA256: e19fbf6376979c33bae2472ef372df206a23a21152ad7bb962ba653e0af75870
SHA1: 9cc43f679de78eb08ad454f5c234c64458a356a8
MD5: dd587d20de9a14d86bdbc4ed94584038
M22-M2036 | LokiBot_7ac770ca | Windows | This strike sends a malware sample known as LokiBot. Lokibot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered via spam emails. | 7ac770caa432948e3fccfe11d2e3b723 | https://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html
SHA256: b73f8d8838c450977a85ba646b98db3d556b0e78a33a7b0f5126d8e698d00ba2
SHA1: b97be6693a99744fcfa3baafc3ef89cf59802e58
MD5: 7ac770caa432948e3fccfe11d2e3b723
M22-M2075 | WhisperKill | Windows | This strike sends a polymorphic malware sample known as WhisperKill Wiper. In January 2022 the WhisperGate malware was detected in cyber attacks being conducted against the Ukrainian Government. WhisperGate is a multi-stage malware that masquerades as ransomware. It downloads a payload that wipes the MBR, then downloads a malicious file from a Discord server. This last file drops and executes a final wiper payload that enumerates the drives on the system and proceeds to wipe all files with specific extensions. This sample is the final wiper. The binary file has one more import added in the import table. | a6615ab8fb6f99fd82569cbfa5762a5f | https://www.zdnet.com/article/researchers-break-down-whispergate-wiper-malware-used-in-ukraine-website-defacement/
https://blog.talosintelligence.com/2022/01/ukraine-campaign-delivers-defacement.html
https://www.computerweekly.com/news/252512491/More-intel-emerges-on-WhisperGate-malware-that-hit-Ukraine
SHA256: 1ae79028f9b2a6cdba3325730bbd9623399ed9733668edaab685d9bdd26a0b89
https://arxiv.org/abs/1702.05983
PARENTID: M22-M201c
SSDEEP: 384:Sck4phERK+NUl/9j5SddlEt4OIqXFKJBeBt2FrGxBQ63t2FrGx:SckuhERW2wndVKPeWFybyFy
SHA1: 4bdda2e55411d4067b66c6c6294e252317d3517a
MD5: a6615ab8fb6f99fd82569cbfa5762a5f
M22-M200f | Zegost_1d15f5f9 | Windows | This strike sends a malware sample known as Zegost. Zegost, also known as Zusy, steals banking information. It displays a form to trick the user into submitting personal information when visiting a banking website. | 1d15f5f9360c8f1e3f1f871401f6599f | https://blog.talosintelligence.com/2022/02/threat-roundup-0211-0218.html
SHA256: 405c030a29ba3040ede04fa451c2b27008537adb60a68ff00570025ba76cc633
SHA1: e67c0a3cb90b44dbd04bb058633314c63be1cb1d
MD5: 1d15f5f9360c8f1e3f1f871401f6599f
M22-M204c | TeslaCrypt_cb7d4940 | Windows | This strike sends a malware sample known as TeslaCrypt. This ransomware demands Bitcoin in order to decrypt files from the system. | cb7d494023414e8d71f14a39b9819e3c | https://blog.talosintelligence.com/2022/02/threat-roundup-0128-0204.html
SHA256: 40b17868f4b695330684cbf35e9286eb0ec1086d16d4a02a069b8886f970bc41
SHA1: b3160682a14f68d0667c5430b7665aef1b5db577
MD5: cb7d494023414e8d71f14a39b9819e3c
M22-M2043 | DarkComet_b462b913 | Windows | This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system. Capabilities of this malware include the ability to download files from a user's machine, mechanisms for persistence and hiding, and the ability to send back usernames and passwords from the infected system. | b462b9138b52341cd8db3aff6f7afee6 | https://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html
SHA256: 9a1056d1898a71f3b88c875ff08b5d465b549d03206cbe02efcb19c144582ee8
SHA1: ed7b0c898b400dbb2ecf2f080f1ac8a591330293
MD5: b462b9138b52341cd8db3aff6f7afee6
M22-M2081 | LokiBot_df3e2f50 | Windows | This strike sends a polymorphic malware sample known as LokiBot. Lokibot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered via spam emails. The binary has been packed using the UPX packer, with the default options. | df3e2f50ba42ae245bf30f052fb5ec48 | https://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html
SHA256: bc9d80ebbabe20487675ae325bbabefaaf10a5b470011a8fbfb8fe1d71bf720b
https://attack.mitre.org/techniques/T1045/
PARENTID: M22-M2038
SSDEEP: 12288:AdcX+pnMcoDdrLC41mTN2JA7ghhhhhhhhhhhhhhh+8bp2vCQCRlJIye4RylhUVr3:scX6i44CkbpdxQhEGe
SHA1: 089bdb57f2ff6a80da674dd865b7d2a8c4ba263a
MD5: df3e2f50ba42ae245bf30f052fb5ec48
M22-M2006 | Zusy_07b49a96 | Windows | This strike sends a malware sample known as Zusy. Zusy, also known as TinyBanker or Tinba, is a trojan that uses man-in-the-middle attacks to steal banking information. When executed, it injects itself into legitimate Windows processes such as "explorer.exe" and "winver.exe." When the user accesses a banking website, it displays a form to trick the user into submitting personal information. | 07b49a968feacfa06f404be79213efce | https://blog.talosintelligence.com/2022/02/threat-roundup-0128-0204.html
SHA256: 4db97c35f9f17f68431a8683d9db3a426cd93e2ae95b863c2a5fbb0f4536f40e
SHA1: f052b853592b4ef555a220820718d58ae3f5df7d
MD5: 07b49a968feacfa06f404be79213efce
M22-M206b | TeslaCrypt_76f35d2e | Windows | This strike sends a polymorphic malware sample known as TeslaCrypt. This ransomware demands Bitcoin in order to decrypt files from the system. The binary has random bytes appended at the end of the file. | 76f35d2e565f0d04ccafb16742520272 | https://blog.talosintelligence.com/2022/02/threat-roundup-0128-0204.html
SHA256: 1adb2e4279feff742eba68e2198552e863deb1c1578c779f3daa91d7618b7c2e
https://attack.mitre.org/techniques/T1009/
PARENTID: M22-M203d
SSDEEP: 6144:vGE1/8ca6OYIJfw7Z81kaq0MdRuOt01le0JVSH/ISQe:vn10ca1Yt0knz/1SeaUfvQe
SHA1: 4021317048615bfb08e7564dcb59f75b911c66c9
MD5: 76f35d2e565f0d04ccafb16742520272
M22-M2073 | HermeticWiper_a70b4e3e | Windows | This strike sends a polymorphic malware sample known as HermeticWiper. In February 2022 a new wave of wiper attacks against the country of Ukraine was detected. The malware HermeticWiper exhibits similar functionality to the previous wiper malware WhisperGate used in cyber attacks against Ukraine. Like WhisperGate this wiper malware will target the Master Boot Record and attempt to destroy it. It also includes a component that will enumerate the system partitions and wipe all files on the targeted system. The binary has random strings (lorem ipsum) appended at the end of the file. | a70b4e3e88f3fcc48b7ee8426aa8833e | https://securityintelligence.com/posts/new-destructive-malware-cyber-attacks-ukraine/
https://www.sentinelone.com/labs/hermetic-wiper-ukraine-under-attack/
https://blog.talosintelligence.com/2022/02/threat-advisory-hermeticwiper.html
SHA256: 019606b01d2ebee53d74c27d115728ae367b8b25614884ff03ebc3d42ddb2898
https://attack.mitre.org/techniques/T1009/
PARENTID: M22-M2020
SSDEEP: 1536:sBOoa7Nn52wurilmw9BgjKu1sPPxaSLyqL:sBOoa7P2wxlPwV1qPkSuqL
SHA1: d3e07d8e27467abdc6c1cc708a8f0cd82d411fbd
MD5: a70b4e3e88f3fcc48b7ee8426aa8833e
M22-M201c | WhisperKill | Windows | This strike sends a malware sample known as WhisperKill Wiper. In January 2022 the WhisperGate malware was detected in cyber attacks being conducted against the Ukrainian Government. WhisperGate is a multi-stage malware that masquerades as ransomware. It downloads a payload that wipes the MBR, then downloads a malicious file from a Discord server. This last file drops and executes a final wiper payload that enumerates the drives on the system and proceeds to wipe all files with specific extensions. This sample is the final wiper. | 3907c7fbd4148395284d8e6e3c1dba5d | https://www.zdnet.com/article/researchers-break-down-whispergate-wiper-malware-used-in-ukraine-website-defacement/
https://blog.talosintelligence.com/2022/01/ukraine-campaign-delivers-defacement.html
https://www.computerweekly.com/news/252512491/More-intel-emerges-on-WhisperGate-malware-that-hit-Ukraine
SHA256: 34ca75a8c190f20b8a7596afeb255f2228cb2467bd210b2637965b61ac7ea907
SHA1: a67205dc84ec29eb71bb259b19c1a1783865c0fc
MD5: 3907c7fbd4148395284d8e6e3c1dba5d
M22-M2062 | HermeticWiper_9bc9babd | Windows | This strike sends a polymorphic malware sample known as HermeticWiper. In February 2022 a new wave of wiper attacks against the country of Ukraine was detected. The malware HermeticWiper exhibits similar functionality to the previous wiper malware WhisperGate used in cyber attacks against Ukraine. Like WhisperGate this wiper malware will target the Master Boot Record and attempt to destroy it. It also includes a component that will enumerate the system partitions and wipe all files on the targeted system. The binary has the checksum removed in the PE file format. | 9bc9babd952fb816609e3031f8c136e3 | https://securityintelligence.com/posts/new-destructive-malware-cyber-attacks-ukraine/
https://www.sentinelone.com/labs/hermetic-wiper-ukraine-under-attack/
https://blog.talosintelligence.com/2022/02/threat-advisory-hermeticwiper.html
SHA256: 22534a0e884813020a508f89772e6b840eab3a48fd45075b9847694142fb7701
https://arxiv.org/abs/1801.08917
PARENTID: M22-M2037
SSDEEP: 1536:wV3+WmNcWbwurilmw9BgjKu1sPPxaS5qY:wV3+WmjbwxlPwV1qPkS5qY
SHA1: 011b433b65cd65fcecff9c9ceab7d411ae332cec
MD5: 9bc9babd952fb816609e3031f8c136e3
M22-M200d | DarkComet_19d34e15 | Windows | This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system. Capabilities of this malware include the ability to download files from a user's machine, mechanisms for persistence and hiding, and the ability to send back usernames and passwords from the infected system. | 19d34e15ccece451ec5c6cc8ca446a2c | https://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html
SHA256: 461031f7db840c45b1c0b6644d2f8772105d57785b94fda069a5fbf921879da5
SHA1: 2a94a617b71d803483a8e6d58666bb3298e50dd3
MD5: 19d34e15ccece451ec5c6cc8ca446a2c
M22-M205a | DarkComet_3e6c1c04 | Windows | This strike sends a polymorphic malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system. Capabilities of this malware include the ability to download files from a user's machine, mechanisms for persistence and hiding, and the ability to send back usernames and passwords from the infected system. The binary has the timestamp field updated in the PE file header. | 3e6c1c04f9810c8d0ae4a55753a5f304 | https://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html
SHA256: b7966d5882a09965176788c4135fd05698530fcf8cb8396073e0378d0b8f23de
https://attack.mitre.org/techniques/T1099/
PARENTID: M22-M2012
SSDEEP: 24576:Hu6J33O0c+JY5UZ+XC0kGso6FaLIk0LMgjYxLBzp6q+OTwyI2JfvWYC:Bu0c++OCvkGs9Fa5YYC
SHA1: d8bf31944bbaf8e1cad1a9689d179455dcc26072
MD5: 3e6c1c04f9810c8d0ae4a55753a5f304
M22-M203a | Zusy_90afa5f3 | Windows | This strike sends a malware sample known as Zusy. Zusy, also known as TinyBanker or Tinba, is a trojan that uses man-in-the-middle attacks to steal banking information. When executed, it injects itself into legitimate Windows processes such as "explorer.exe" and "winver.exe." When the user accesses a banking website, it displays a form to trick the user into submitting personal information. | 90afa5f30c43d1968de6d9e3202ae7d2 | https://blog.talosintelligence.com/2022/02/threat-roundup-0128-0204.html
SHA256: 039170d8ba2feeaac9c943aea7d3cf5709d2ed6fc1e3eaec8457ec13c631730b
SHA1: 52c532369a540ccd798ef374751100904123fb64
MD5: 90afa5f30c43d1968de6d9e3202ae7d2
M22-M205c | HermeticWiper_4b1f04cf | Windows | This strike sends a polymorphic malware sample known as HermeticWiper. In February 2022 a new wave of wiper attacks against the country of Ukraine was detected. The malware HermeticWiper exhibits similar functionality to the previous wiper malware WhisperGate used in cyber attacks against Ukraine. Like WhisperGate this wiper malware will target the Master Boot Record and attempt to destroy it. It also includes a component that will enumerate the system partitions and wipe all files on the targeted system. The binary has the timestamp field updated in the PE file header. | 4b1f04cf967a73c4ce1e3ab3c492805e | https://securityintelligence.com/posts/new-destructive-malware-cyber-attacks-ukraine/
https://www.sentinelone.com/labs/hermetic-wiper-ukraine-under-attack/
https://blog.talosintelligence.com/2022/02/threat-advisory-hermeticwiper.html
SHA256: d0d9c8c6008faf4e1c2ecf8dfb53aa454af34a0207c66b330e7c1826bde3d910
https://attack.mitre.org/techniques/T1099/
PARENTID: M22-M2037
SSDEEP: 1536:DV3+WmNcWbwurilmw9BgjKu1sPPxaS5qY:DV3+WmjbwxlPwV1qPkS5qY
SHA1: 0ca8ea023370f3e307752ff29f7c4740de4d71e9
MD5: 4b1f04cf967a73c4ce1e3ab3c492805e
M22-M2083 | HermeticWiper_ece4f943 | Windows | This strike sends a polymorphic malware sample known as HermeticWiper. In February 2022 a new wave of wiper attacks against the country of Ukraine was detected. The malware HermeticWiper exhibits similar functionality to the previous wiper malware WhisperGate used in cyber attacks against Ukraine. Like WhisperGate this wiper malware will target the Master Boot Record and attempt to destroy it. It also includes a component that will enumerate the system partitions and wipe all files on the targeted system. The binary has the timestamp field updated in the PE file header. | ece4f943b6d5d11ff42b071fe775922e | https://securityintelligence.com/posts/new-destructive-malware-cyber-attacks-ukraine/
https://www.sentinelone.com/labs/hermetic-wiper-ukraine-under-attack/
https://blog.talosintelligence.com/2022/02/threat-advisory-hermeticwiper.html
SHA256: aa1f8e7c08a1e0313850a3151a24e20e4f2922baba5490490a668a6d17198159
https://attack.mitre.org/techniques/T1099/
PARENTID: M22-M2020
SSDEEP: 1536:EBOoa7Nn52wurilmw9BgjKu1sPPxaSLyqC:EBOoa7P2wxlPwV1qPkSuqC
SHA1: 4160b89dc2b3f8854b8b40e32899aa80044ac867
MD5: ece4f943b6d5d11ff42b071fe775922e
M22-M2023 | Zusy_47b78fd0 | Windows | This strike sends a malware sample known as Zusy. Zusy, also known as TinyBanker or Tinba, is a trojan that uses man-in-the-middle attacks to steal banking information. When executed, it injects itself into legitimate Windows processes such as "explorer.exe" and "winver.exe." When the user accesses a banking website, it displays a form to trick the user into submitting personal information. | 47b78fd02008e19783fd85846662b278 | https://blog.talosintelligence.com/2022/02/threat-roundup-0128-0204.html
SHA256: 0b95c110d12725fcd8d95bf203b0fd8bf1bc9e57646f8b283ea63a35c0d4a38d
SHA1: 14d1d5d67a8db1109716005285b636e4c38e9624
MD5: 47b78fd02008e19783fd85846662b278
M22-M2071 | DarkComet_415042b1 | Windows | This strike sends a polymorphic malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system. Capabilities of this malware include the ability to download files from a user's machine, mechanisms for persistence and hiding, and the ability to send back usernames and passwords from the infected system. The binary has been packed using the UPX packer, with the default options. | 415042b1569d57425f241de1375e95ad | https://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html
SHA256: e21b1077e37c29ffbef7d209c24673055953e6d5a887562979e532babaddbe84
https://attack.mitre.org/techniques/T1045/
PARENTID: M22-M2012
SSDEEP: 24576:Ih+/6IbioUgOpzqgk0LMgjaxLBzp6G+OTwyIFn0G:tiI2oUt9N
SHA1: 679b62589478a07db2c855603bbeee36dbf8c293
MD5: 415042b1569d57425f241de1375e95ad
Strike ID: M22-M200e
Malware: DarkComet_1cb232ad
Platform: Windows
Info: This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system. Capabilities of this malware include the ability to download files from a user's machine, mechanisms for persistence and hiding, and the ability to send back usernames and passwords from the infected system.
External References:
https://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html
SHA256: b5201f282c7e067e5dca7de945ed48805af74c9dae94ec3f83ff93c151f83c39
SHA1: 3283418261944081d396e1b8217dde343d1e634e
MD5: 1cb232ad0fd978eaa20c6d569d72cc64

Strike ID: M22-M2086
Malware: LokiBot_b6b1d041
Platform: Windows
Info: This strike sends a polymorphic malware sample known as LokiBot. LokiBot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered via spam emails. The binary has random contents appended in one of the existing sections in the PE file format.
External References:
https://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html
SHA256: 6a43fbf85521e9317ecc8e6d44fdf09aca42b7021a397ce52797136ab87b24de
https://arxiv.org/abs/1801.08917
PARENTID: M22-M2038
SSDEEP: 12288:9HWahqZ6LrIR5J+DWkmy/Q/xfXj58jBUfbYWa0mcVAMGtW+hU6hhhhhhhhhhhhh4:92aJkRtJ5kI3PytBhUmbpdxQhvGe7
SHA1: 71c7cbe6f48c40a8bf877db3e7bb059ce7ad722b
MD5: b6b1d0412d31a02bfa8c1a6a85ef8ffa

Strike ID: M22-M207b
Malware: WhisperGate
Platform: Windows
Info: This strike sends a polymorphic malware sample known as WhisperGate Downloader. In January 2022 the WhisperGate malware was detected in cyber attacks being conducted against the Ukrainian Government. WhisperGate is a multi-stage malware that masquerades as ransomware. It downloads a payload that wipes the MBR, then downloads a malicious file from a Discord server. This last file drops and executes a final wiper payload that enumerates the drives on the system and proceeds to wipe all files with specific extensions. This sample is the Downloader. The binary has a random section name renamed according to the PE format specification.
External References:
https://www.zdnet.com/article/researchers-break-down-whispergate-wiper-malware-used-in-ukraine-website-defacement/
https://blog.talosintelligence.com/2022/01/ukraine-campaign-delivers-defacement.html
https://www.computerweekly.com/news/252512491/More-intel-emerges-on-WhisperGate-malware-that-hit-Ukraine
SHA256: 441ebd4513cedb202302ad82e8a2cf513a80daba210d3910ba2647367e18b6ca
https://arxiv.org/abs/1801.08917
PARENTID: M22-M200a
SSDEEP: 3072:gf1GlJZUnjNbGgNQfYySIHiP1WLz4PcSOvG2jxZ:GbGoJ8iP19PjmGyf
SHA1: c08086e078cb2b1299f878dcbd5e7d392c22386b
MD5: bfb1c2c22ed861fb7435533378304574

Strike ID: M22-M2044
Malware: TeslaCrypt_b6d8812f
Platform: Windows
Info: This strike sends a malware sample known as TeslaCrypt. This ransomware demands Bitcoin in order to decrypt files from the system.
External References:
https://blog.talosintelligence.com/2022/02/threat-roundup-0128-0204.html
SHA256: eaa3afaaaf34a833299b7d35e0692008b4044409ff9146fb98d4c796abd5e5ea
SHA1: 62ee2ec7b86115583e1cd7e48f03593ccd796fc8
MD5: b6d8812fc7198cf125d15e280e7ce8fc

Strike ID: M22-M2015
Malware: TeslaCrypt_2d4d0fa0
Platform: Windows
Info: This strike sends a malware sample known as TeslaCrypt. This ransomware demands Bitcoin in order to decrypt files from the system.
External References:
https://blog.talosintelligence.com/2022/02/threat-roundup-0128-0204.html
SHA256: feb67d669021041850e1b323cc17a7c5915fa581c8d5b06dfd4a82d4db48cdb0
SHA1: 67dba2ffab90f6e30c7c60fd0e6d2b99ec20e523
MD5: 2d4d0fa03435636ea85e603be1055031

Strike ID: M22-M201a
Malware: TeslaCrypt_36b9c9f9
Platform: Windows
Info: This strike sends a malware sample known as TeslaCrypt. This ransomware demands Bitcoin in order to decrypt files from the system.
External References:
https://blog.talosintelligence.com/2022/02/threat-roundup-0128-0204.html
SHA256: d5afbd5425464bb6594a458be218e5c24db5abf4e88e8c11e065e357a14c8e49
SHA1: 124a11dee81e4876ec7587eb74d5d5fb3b4f885d
MD5: 36b9c9f9f3e9b07ec4f9d5c273e3b9de

Strike ID: M22-M2038
Malware: LokiBot_8cf06eab
Platform: Windows
Info: This strike sends a malware sample known as LokiBot. LokiBot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered via spam emails.
External References:
https://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html
SHA256: 04f2512b1cbeeab43d96983222b5cfc15031481eed599ed39ecfca0fdf05838f
SHA1: 6d962b53a899886495cd70e889c2f0db7afc2579
MD5: 8cf06eabe64b0230580550be88d4d5f5