Malware Monthly Update: March 2022

Malware Strikes

Each strike is listed with its Strike ID, Malware name and Platform, followed by the Info text and External References, then the sample's SHA256, SHA1 and MD5. Polymorphic variants additionally list a technique reference for the transformation applied, the PARENTID of the original sample and the SSDEEP fuzzy hash.

Strike ID: M22-M304d | Malware: Maze_64e4ae61 | Platform: Windows
Info: This strike sends a polymorphic malware sample known as Maze. Maze, also known as ChaCha, is ransomware known not only for encrypting files on the targeted system but also for releasing stolen victim information to the public if the ransom is not paid. The ransomware has been delivered via several methods, including exploit kits, remote desktop connections and phishing emails. The malware also uses many anti-reversing and anti-analysis features that make examining it considerably more difficult. Variant: the binary has random strings (lorem ipsum) appended at the end of the file.
External References: https://blog.talosintelligence.com/2022/03/threat-roundup-0304-0311.html
SHA256: 479bb7e83c554fe228f83d08fc8cc53babdb279765b7dfe80a35180d5c59864a
https://attack.mitre.org/techniques/T1009/
PARENTID: M22-M3033
SSDEEP: 6144:jx0s5c9jrLrLrLZMEQ9V6wZqEZw0eNsd19pV50DEreNg/ydlb4fQ6wFMvMj:9MAwmMD/Ng6dNoQl+vS
SHA1: 3aa040ce302d16034e1b11cb058f82004b8aca1e
MD5: 64e4ae61550c249b0d4dfb649baa64fc

Strike ID: M22-M3042 | Malware: Emotet_fb3a1577 | Platform: Windows
Info: This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments in malicious emails.
External References: https://blog.talosintelligence.com/2022/03/threat-roundup-0311-0318.html
SHA256: 1b2954317be1391fc7f46739f70e58a88364176a19b03f087472c73c41c6f8fc
SHA1: 31cd63c4f357ee63496ecb9f6c78c78cb6b33320
MD5: fb3a157718a1851fe9fccde52c5b7e11

Strike ID: M22-M3057 | Malware: Emotet_ef569bb3 | Platform: Windows
Info: This strike sends a polymorphic malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments in malicious emails. Variant: the binary has been packed with UPX using the default options.
External References: https://blog.talosintelligence.com/2022/03/threat-roundup-0311-0318.html
SHA256: c5ec9d2c7f1e19f26911ec06854656d6d274bc222f3e385ffe5787c49854789d
https://attack.mitre.org/techniques/T1045/
PARENTID: M22-M302f
SSDEEP: 6144:aQn7MiqHIvbxAjNFsOiTfFk5BSywNPRkH+3D:aQ7MdHFjNFsfb+SywNIyD
SHA1: a15ba707aac6edd209a9f015097b79cae5711d16
MD5: ef569bb3d1670f0a4cbed0b8be1475fb

Strike ID: M22-M3029 | Malware: Qakbot_906e7e71 | Platform: Windows
Info: This strike sends a malware sample known as Qakbot. Qakbot, aka Qbot, has been around since at least 2008. Qbot primarily targets sensitive information such as banking credentials, but it can also steal FTP credentials and spread across a network using SMB.
External References: https://blog.talosintelligence.com/2022/03/threat-roundup-0318-0325.html
SHA256: 2608b4e01cfd647dcc1b2690f63be9c4d22db47a9da3305ae8be563e2098b71e
SHA1: a69ae9079c8328c4216c6c2b158325724acfee96
MD5: 906e7e7182eef7c85a0d3ebe8283ae36

Strike ID: M22-M300d | Malware: Maze_314d2715 | Platform: Windows
Info: This strike sends a malware sample known as Maze. Maze, also known as ChaCha, is ransomware known not only for encrypting files on the targeted system but also for releasing stolen victim information to the public if the ransom is not paid. The ransomware has been delivered via several methods, including exploit kits, remote desktop connections and phishing emails. The malware also uses many anti-reversing and anti-analysis features that make examining it considerably more difficult.
External References: https://blog.talosintelligence.com/2022/03/threat-roundup-0304-0311.html
SHA256: 734e20c760cffc9ab1f48064ba44c42f65e2a557308e215409e3d2cb580326d2
SHA1: de154768279094afbb2df7652265d5aee11349c3
MD5: 314d27152364f25a27b57456ee6af2ff

Strike ID: M22-M3035 | Malware: Emotet_bd50c433 | Platform: Windows
Info: This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments in malicious emails.
External References: https://blog.talosintelligence.com/2022/03/threat-roundup-0311-0318.html
SHA256: 1a0476ed453a877ee6a756fb334ee843b7d5eeaf42a849045cebf1ae23688bc0
SHA1: dbe4b2280fd8646ed6f4787253fc9b55a02ab7a8
MD5: bd50c4330c3b2288a7fc014c14eab7e6

Strike ID: M22-M3037 | Malware: Qakbot_c6404685 | Platform: Windows
Info: This strike sends a malware sample known as Qakbot. Qakbot, aka Qbot, has been around since at least 2008. Qbot primarily targets sensitive information such as banking credentials, but it can also steal FTP credentials and spread across a network using SMB.
External References: https://blog.talosintelligence.com/2022/03/threat-roundup-0318-0325.html
SHA256: 2fafff6c8b26a0de2531150cb601111b0064f655c9bbba4ed9d7200172b04975
SHA1: d518b3ef93557786dcb432a3eb1d4ec4402e5d00
MD5: c640468581a747f755c21a044bd30f77

Strike ID: M22-M3058 | Malware: Emotet_fdb16564 | Platform: Windows
Info: This strike sends a polymorphic malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments in malicious emails. Variant: the binary has random content appended inside one of the existing sections of the PE file.
External References: https://blog.talosintelligence.com/2022/03/threat-roundup-0311-0318.html
SHA256: 19af48f3d701f45e6f436f8eee2e15ff2efe9af2e078fc241e4ee0d37dd9d451
https://arxiv.org/abs/1801.08917
PARENTID: M22-M302f
SSDEEP: 6144:1x8FPmWqwcz68XkgP+iJW8g/UcFqPm0iXc5n4MEP:eqw4jGi9wZnLXc5nxEP
SHA1: a28f8ae4a367d2dc35bec81e3cb7e33fc0fc86fb
MD5: fdb16564b8d78cc7b97715394e958c64

Strike ID: M22-M3020 | Malware: Emotet_70601b3d | Platform: Windows
Info: This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments in malicious emails.
External References: https://blog.talosintelligence.com/2022/03/threat-roundup-0311-0318.html
SHA256: 0787b3d94f969f9779f228f1009748a84592a014bda3681e1ce1d8db7db8ea44
SHA1: d7021fce8f571ab1e99cbaa4a8c516524537b97c
MD5: 70601b3dfc803b1f79e85989da8354ff

Strike ID: M22-M3044 | Malware: CaddyWiper_01fe1c58 | Platform: Windows
Info: This strike sends a polymorphic malware sample known as CaddyWiper. CaddyWiper is a relatively small wiper deployed against targets in Ukraine; its purpose is to destroy all contents of a system's drives. Before erasing files it checks whether the machine is a domain controller and halts execution if it is; otherwise it continues by wiping files on every drive on the system. Variant: the binary has random bytes appended at the end of the file.
External References: https://blog.talosintelligence.com/2022/03/threat-advisory-caddywiper.html
SHA256: 7d3f4f9715150aeb92d1030a4b6018aa9cb37bc00a52819d09cc1e55c087043e
https://attack.mitre.org/techniques/T1009/
PARENTID: M22-M3015
SSDEEP: 192:76f0CW5P2Io4evFrDv2ZRJzCn7URRsjVJaZFrz57T:76fPWl24evFrT2ZR5Cn7UR0VJoNz5f
SHA1: ee0cfa1887fbe6d48f0cfe5d9e9fa1a7a220c7fb
MD5: 01fe1c580fdd0837b8119953689aa1ae

Strike ID: M22-M3024 | Malware: Liberator_876b71d3 | Platform: Windows
Info: This strike sends a malware sample known as Liberator. Liberator is distributed by the group known as disBalancer as a tool that offers users the ability to perform DDoS attacks against Russian propaganda websites in an effort to help Ukraine. However, unknown to users, the downloaded files infect the system with malware such as info-stealers designed to dump credentials and cryptocurrency-related information.
External References: https://blog.talosintelligence.com/2022/03/threat-advisory-cybercriminals.html
SHA256: eca6a8e08b30d190a4956e417f1089bde8987aa4377ca40300eea99794d298d6
SHA1: 6bf0b1b8a5a55ee7146ade30257c65b04922889c
MD5: 876b71d32631eb0980cf48e839566204

Strike ID: M22-M3050 | Malware: Liberator_a177262e | Platform: Windows
Info: This strike sends a polymorphic malware sample known as Liberator. Liberator is distributed by the group known as disBalancer as a tool that offers users the ability to perform DDoS attacks against Russian propaganda websites in an effort to help Ukraine. However, unknown to users, the downloaded files infect the system with malware such as info-stealers designed to dump credentials and cryptocurrency-related information. Variant: the timestamp field in the PE file header has been updated.
External References: https://blog.talosintelligence.com/2022/03/threat-advisory-cybercriminals.html
SHA256: d7e76137aa7d0c00cee3a07c9dde880ef65c97adee0b519884d6a1bbf23b511c
https://attack.mitre.org/techniques/T1099/
PARENTID: M22-M301e
SSDEEP: 98304:LNLN/quh1K8Hs46qTBG6J9gfDA5OCHxdWXAZWm5y1F/uMTMVWD/ML+dkYYvZN5eG:LT5c8HsWpJf0Qdo1DqMcN5efO
SHA1: c6c813f56de3045c429c9c1349864371cd70c776
MD5: a177262efae98183e97bd29357c9aad2

Strike ID: M22-M302b | Malware: Qakbot_9f45de46 | Platform: Windows
Info: This strike sends a malware sample known as Qakbot. Qakbot, aka Qbot, has been around since at least 2008. Qbot primarily targets sensitive information such as banking credentials, but it can also steal FTP credentials and spread across a network using SMB.
External References: https://blog.talosintelligence.com/2022/03/threat-roundup-0318-0325.html
SHA256: 0f8928f41391b40a1c440275689a59c9711d33bb29f8e333ebf02608a19f733c
SHA1: ef3ef42f2eac8666c22bc3cc92004a82a42337f5
MD5: 9f45de469dd7fec59078d0fd0a76b033

Strike ID: M22-M3009 | Malware: Qakbot_21745986 | Platform: Windows
Info: This strike sends a malware sample known as Qakbot. Qakbot, aka Qbot, has been around since at least 2008. Qbot primarily targets sensitive information such as banking credentials, but it can also steal FTP credentials and spread across a network using SMB.
External References: https://blog.talosintelligence.com/2022/03/threat-roundup-0318-0325.html
SHA256: 168cb2f24c40ceaca3dd15347e2658f3e4aa69e0beb2759145204bcfb2e4b89b
SHA1: 37320b814097db775e42983a800a3b6746dfdce3
MD5: 21745986c938cf7ce19211df7bc2217d

Strike ID: M22-M3017 | Malware: Qakbot_531911a3 | Platform: Windows
Info: This strike sends a malware sample known as Qakbot. Qakbot, aka Qbot, has been around since at least 2008. Qbot primarily targets sensitive information such as banking credentials, but it can also steal FTP credentials and spread across a network using SMB.
External References: https://blog.talosintelligence.com/2022/03/threat-roundup-0318-0325.html
SHA256: 243ad378e3050fb1269c63045fec3fffe72ea391ef3c214541dc2a1ad4da35a2
SHA1: 6dd255f5491a24c3bf0f5d2bfd6fe8c22ee3a60c
MD5: 531911a31393a80fc654597d2e7b3abb

Strike ID: M22-M3001 | Malware: Emotet_0333ae5d | Platform: Windows
Info: This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments in malicious emails.
External References: https://blog.talosintelligence.com/2022/03/threat-roundup-0311-0318.html
SHA256: 0a434fa279fc7895486b05c3a94d174f2343432cb876592306b0fc3fef0e69fc
SHA1: 2505c222ede416ed915e699e1b3f6d822c726e8a
MD5: 0333ae5de2a0d61a36fcedfbbb28e977

Strike ID: M22-M303e | Malware: Liberator_dd20876b | Platform: Windows
Info: This strike sends a malware sample known as Liberator. Liberator is distributed by the group known as disBalancer as a tool that offers users the ability to perform DDoS attacks against Russian propaganda websites in an effort to help Ukraine. However, unknown to users, the downloaded files infect the system with malware such as info-stealers designed to dump credentials and cryptocurrency-related information.
External References: https://blog.talosintelligence.com/2022/03/threat-advisory-cybercriminals.html
SHA256: 33e5d605c1c13a995d4a2d7cb9dca9facda4c97c1c7b41dc349cc756bfc0bd67
SHA1: d00d689de9f35159188935d3bd93677c807ed655
MD5: dd20876bf25544aa55e0c3725103c666

Strike ID: M22-M303b | Malware: Maze_d6e2396d | Platform: Windows
Info: This strike sends a malware sample known as Maze. Maze, also known as ChaCha, is ransomware known not only for encrypting files on the targeted system but also for releasing stolen victim information to the public if the ransom is not paid. The ransomware has been delivered via several methods, including exploit kits, remote desktop connections and phishing emails. The malware also uses many anti-reversing and anti-analysis features that make examining it considerably more difficult.
External References: https://blog.talosintelligence.com/2022/03/threat-roundup-0304-0311.html
SHA256: 18f03c65bf58549e8e230b8ef8595287fe51db0e5e411adfeaf261f87574543e
SHA1: 27b1fa00a1a1edce9d2aa976aff216466042c930
MD5: d6e2396df72ada10e2bbf0f48cb70462

Strike ID: M22-M3012 | Malware: Qakbot_412af7b4 | Platform: Windows
Info: This strike sends a malware sample known as Qakbot. Qakbot, aka Qbot, has been around since at least 2008. Qbot primarily targets sensitive information such as banking credentials, but it can also steal FTP credentials and spread across a network using SMB.
External References: https://blog.talosintelligence.com/2022/03/threat-roundup-0318-0325.html
SHA256: 0b860e8a40437dabe41c89076fc54d472ef7841efef12464788a6cbd4c7739cf
SHA1: 3a56e1c6e3935dbfb9cddd0db66a98c739cb3112
MD5: 412af7b412d0b758a78c788e48d480bd

Strike ID: M22-M3006 | Malware: Emotet_1d6b71de | Platform: Windows
Info: This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments in malicious emails.
External References: https://blog.talosintelligence.com/2022/03/threat-roundup-0311-0318.html
SHA256: 02675ec69c038e03b70cdeb79d8b770997f28f6384e41146a01890e220c09586
SHA1: 54ca509b62098e40205b053b0efa99e2b420bf6c
MD5: 1d6b71ded16731da9f674977017a1b46

Strike ID: M22-M3051 | Malware: Maze_b2e20c97 | Platform: Windows
Info: This strike sends a polymorphic malware sample known as Maze. Maze, also known as ChaCha, is ransomware known not only for encrypting files on the targeted system but also for releasing stolen victim information to the public if the ransom is not paid. The ransomware has been delivered via several methods, including exploit kits, remote desktop connections and phishing emails. The malware also uses many anti-reversing and anti-analysis features that make examining it considerably more difficult. Variant: the binary has random bytes appended at the end of the file.
External References: https://blog.talosintelligence.com/2022/03/threat-roundup-0304-0311.html
SHA256: 3b5d01f312ee84bde1d25f2911e2d019776422494c018e7c4ebcc5b1db70e78a
https://attack.mitre.org/techniques/T1009/
PARENTID: M22-M3033
SSDEEP: 6144:jx0s5c9jrLrLrLZMEQ9V6wZqEZw0eNsd19pV50DEreNg/ydlb4fQ6wFMvM3:9MAwmMD/Ng6dNoQl+vW
SHA1: b429a93362433628d8dd5c46dfb6f7522db7ed75
MD5: b2e20c97cf72558517d227b7adaf8002

Strike ID: M22-M3026 | Malware: Qakbot_8a6837b6 | Platform: Windows
Info: This strike sends a malware sample known as Qakbot. Qakbot, aka Qbot, has been around since at least 2008. Qbot primarily targets sensitive information such as banking credentials, but it can also steal FTP credentials and spread across a network using SMB.
External References: https://blog.talosintelligence.com/2022/03/threat-roundup-0318-0325.html
SHA256: 3ffd62eba858da0f4da41432a94857ec9b15169d4cef87e84509f2d47f179a7d
SHA1: b338641db46c6cab344711a5498c8c76c5c1b5c3
MD5: 8a6837b631b6b816867a216174b8a004

Strike ID: M22-M3003 | Malware: Qakbot_083ac8b9 | Platform: Windows
Info: This strike sends a malware sample known as Qakbot. Qakbot, aka Qbot, has been around since at least 2008. Qbot primarily targets sensitive information such as banking credentials, but it can also steal FTP credentials and spread across a network using SMB.
External References: https://blog.talosintelligence.com/2022/03/threat-roundup-0318-0325.html
SHA256: 34738fa839fb1a46400c417d8f381c63e27b6eb9af7335de3560fb1c00d833d6
SHA1: 45cc3477cb850cc7a190161251c2b24d1d2e357f
MD5: 083ac8b93aabdd9c11c15cc2e279d6f0

Strike ID: M22-M301c | Malware: Emotet_5ee3d0bb | Platform: Windows
Info: This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments in malicious emails.
External References: https://blog.talosintelligence.com/2022/03/threat-roundup-0311-0318.html
SHA256: 187356f3c7d0ac51f8b4392f84384b6203abcf323dacbc3149f374c3135a9439
SHA1: ca4365e0fbce3041dec7f2803bb38ef31ed5e7bd
MD5: 5ee3d0bb7042031785c185e3402f8298

Strike ID: M22-M3014 | Malware: CaddyWiper_42e2b6e4 | Platform: Windows
Info: This strike sends a malware sample known as CaddyWiper. CaddyWiper is a relatively small wiper deployed against targets in Ukraine; its purpose is to destroy all contents of a system's drives. Before erasing files it checks whether the machine is a domain controller and halts execution if it is; otherwise it continues by wiping files on every drive on the system.
External References: https://blog.talosintelligence.com/2022/03/threat-advisory-caddywiper.html
SHA256: 1e87e9b5ee7597bdce796490f3ee09211df48ba1d11f6e2f5b255f05cc0ba176
SHA1: 4f3362ebac2503906179bd7c002f573886fa85a5
MD5: 42e2b6e4fba51ec71235e28ddff27a76

Strike ID: M22-M302f | Malware: Emotet_ab6e5de9 | Platform: Windows
Info: This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments in malicious emails.
External References: https://blog.talosintelligence.com/2022/03/threat-roundup-0311-0318.html
SHA256: 03c47580b274be16a91bca31ae9632f20e915fdb4e9f5b29d2714d1c629b30ef
SHA1: 136f5c26b1a3e5e0ed0009c0eb6f7d33b18366b4
MD5: ab6e5de935d30d6ecedccf1296cd4ba8

Strike ID: M22-M3041 | Malware: Maze_f83cef2b | Platform: Windows
Info: This strike sends a malware sample known as Maze. Maze, also known as ChaCha, is ransomware known not only for encrypting files on the targeted system but also for releasing stolen victim information to the public if the ransom is not paid. The ransomware has been delivered via several methods, including exploit kits, remote desktop connections and phishing emails. The malware also uses many anti-reversing and anti-analysis features that make examining it considerably more difficult.
External References: https://blog.talosintelligence.com/2022/03/threat-roundup-0304-0311.html
SHA256: bba288819f375cbdd1a274609924aeba786e1d1b43065846a85e30bc998d9015
SHA1: 12133b783cef924cbc2911deb11cba148d97dad4
MD5: f83cef2bf33a4d43e58b771e81af3ecc

Strike ID: M22-M3033 | Malware: Maze_b93616a1 | Platform: Windows
Info: This strike sends a malware sample known as Maze. Maze, also known as ChaCha, is ransomware known not only for encrypting files on the targeted system but also for releasing stolen victim information to the public if the ransom is not paid. The ransomware has been delivered via several methods, including exploit kits, remote desktop connections and phishing emails. The malware also uses many anti-reversing and anti-analysis features that make examining it considerably more difficult.
External References: https://blog.talosintelligence.com/2022/03/threat-roundup-0304-0311.html
SHA256: 2a6c602769ac15bd837f9ff390acc443d023ee62f76e1be8236dd2dd957eef3d
SHA1: 0b97455143e682e818fc4a9b615f57349dc84894
MD5: b93616a1ea4f4a131cc0507e6c789f94

Strike ID: M22-M300b | Malware: Qakbot_291b6ad9 | Platform: Windows
Info: This strike sends a malware sample known as Qakbot. Qakbot, aka Qbot, has been around since at least 2008. Qbot primarily targets sensitive information such as banking credentials, but it can also steal FTP credentials and spread across a network using SMB.
External References: https://blog.talosintelligence.com/2022/03/threat-roundup-0318-0325.html
SHA256: 26cb0a447ab1b430aa58713e13e8f4a8a40612862a710e8a11693119161b96e2
SHA1: 2f964aed12de77782a27e197c89901afa32af801
MD5: 291b6ad955a0d64fae7c9aafbef2ac5e

Strike ID: M22-M300c | Malware: Maze_2dc7d46a | Platform: Windows
Info: This strike sends a malware sample known as Maze. Maze, also known as ChaCha, is ransomware known not only for encrypting files on the targeted system but also for releasing stolen victim information to the public if the ransom is not paid. The ransomware has been delivered via several methods, including exploit kits, remote desktop connections and phishing emails. The malware also uses many anti-reversing and anti-analysis features that make examining it considerably more difficult.
External References: https://blog.talosintelligence.com/2022/03/threat-roundup-0304-0311.html
SHA256: e70c6f64f28e594d0c3d751d1b0c3c3b8aebfbf581eb23b4fc72f1ccbd8c17cf
SHA1: 07ac2dd21c9da8000b1f5d3ee92ad85e88acd888
MD5: 2dc7d46a099972e5fabcaaea4cbcf3da

Strike ID: M22-M3018 | Malware: Qakbot_53c3ad17 | Platform: Windows
Info: This strike sends a malware sample known as Qakbot. Qakbot, aka Qbot, has been around since at least 2008. Qbot primarily targets sensitive information such as banking credentials, but it can also steal FTP credentials and spread across a network using SMB.
External References: https://blog.talosintelligence.com/2022/03/threat-roundup-0318-0325.html
SHA256: 4948ce48418a8478cfc87c488cc16bd9da27161d4e6bb48f61af8a4e028b2e34
SHA1: 4a156d18d766549d57c3560b91f7f0f4ee1403d8
MD5: 53c3ad170d9b83f584696e7f5507d7e3

Strike ID: M22-M301b | Malware: Qakbot_5e48d9b9 | Platform: Windows
Info: This strike sends a malware sample known as Qakbot. Qakbot, aka Qbot, has been around since at least 2008. Qbot primarily targets sensitive information such as banking credentials, but it can also steal FTP credentials and spread across a network using SMB.
External References: https://blog.talosintelligence.com/2022/03/threat-roundup-0318-0325.html
SHA256: 2857f7b66c7300d2c37a7ce9bdbd2ea16647f8b0c32b6a3eb78c62d0ff68cd27
SHA1: af04cae5fe6db5648c1378bcb8e58303430f2995
MD5: 5e48d9b9341030080107f977b9ce9263

Strike ID: M22-M3023 | Malware: Emotet_86c8733c | Platform: Windows
Info: This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments in malicious emails.
External References: https://blog.talosintelligence.com/2022/03/threat-roundup-0311-0318.html
SHA256: 0bac57995899762116d754da07e22d8325b0925b0df8f2daf50a94b3e3c794bb
SHA1: b352edd8de39b6efb98b3808187b27bca10ee347
MD5: 86c8733c7bbafc20abc4d91eab8faca5

Strike ID: M22-M3048 | Malware: CaddyWiper_3d2ef2ef | Platform: Windows
Info: This strike sends a polymorphic malware sample known as CaddyWiper. CaddyWiper is a relatively small wiper deployed against targets in Ukraine; its purpose is to destroy all contents of a system's drives. Before erasing files it checks whether the machine is a domain controller and halts execution if it is; otherwise it continues by wiping files on every drive on the system. Variant: the binary has been packed with UPX using the default options.
External References: https://blog.talosintelligence.com/2022/03/threat-advisory-caddywiper.html
SHA256: 1c67471f3a5b464084d841ee7e6711d79218069826d9823b81da3a2384dcd546
https://attack.mitre.org/techniques/T1045/
PARENTID: M22-M3015
SSDEEP: 96:bOy+DusYEFJ1K9K3xY5tOEkfhsMwOXsuKiX+yq3TlBQ/rda8yP79ed8:iy+6XEsmEgSMwI1OTG8P7od8
SHA1: b250ce153e5574417906229360d74a9d051ca09e
MD5: 3d2ef2ef006e37aa4e7aed84d33f243c

Strike ID: M22-M3010 | Malware: CaddyWiper_3a4b1c1f | Platform: Windows
Info: This strike sends a malware sample known as CaddyWiper. CaddyWiper is a relatively small wiper deployed against targets in Ukraine; its purpose is to destroy all contents of a system's drives. Before erasing files it checks whether the machine is a domain controller and halts execution if it is; otherwise it continues by wiping files on every drive on the system.
External References: https://blog.talosintelligence.com/2022/03/threat-advisory-caddywiper.html
SHA256: f1e8844dbfc812d39f369e7670545a29efef6764d673038b1c3edd11561d6902
SHA1: c22e17dd8f7b2687011cecc8b2208ceb6cf9b995
MD5: 3a4b1c1f68811b38be74e99e572efae9

Strike ID: M22-M300f | Malware: Maze_35a4ba50 | Platform: Windows
Info: This strike sends a malware sample known as Maze. Maze, also known as ChaCha, is ransomware known not only for encrypting files on the targeted system but also for releasing stolen victim information to the public if the ransom is not paid. The ransomware has been delivered via several methods, including exploit kits, remote desktop connections and phishing emails. The malware also uses many anti-reversing and anti-analysis features that make examining it considerably more difficult.
External References: https://blog.talosintelligence.com/2022/03/threat-roundup-0304-0311.html
SHA256: 33d489bbcc6f10df8c67eae9712d07c45ae7ca3d6405aa5814fa6edd7ae58181
SHA1: e51368fbd2c00cb84b84ef65aad179848d9bd564
MD5: 35a4ba50a7d6aac61fc36980a6153df2

Strike ID: M22-M3028 | Malware: Emotet_90198f7c | Platform: Windows
Info: This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments in malicious emails.
External References: https://blog.talosintelligence.com/2022/03/threat-roundup-0311-0318.html
SHA256: 05502ebba659cc3b0a23127f8d79b68fdfe83902b20b382a5085910500b0a8d5
SHA1: d1aa2be091baeb2580c2ab4c67abc4bd1c4224b4
MD5: 90198f7cc5a722554e939f84d8dcb97d

Strike ID: M22-M302a | Malware: Emotet_93835135 | Platform: Windows
Info: This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments in malicious emails.
External References: https://blog.talosintelligence.com/2022/03/threat-roundup-0311-0318.html
SHA256: 061b23881e85763e3efb0085878a2a589a6e90e4b6f4b1c6e3da9c47c0f5862e
SHA1: bb34150d0d71473778486d8f96417e3b66095b53
MD5: 938351350f6df43ec1aa024352175807

Strike ID: M22-M303f | Malware: Qakbot_f0d0539e | Platform: Windows
Info: This strike sends a malware sample known as Qakbot. Qakbot, aka Qbot, has been around since at least 2008. Qbot primarily targets sensitive information such as banking credentials, but it can also steal FTP credentials and spread across a network using SMB.
External References: https://blog.talosintelligence.com/2022/03/threat-roundup-0318-0325.html
SHA256: 27b35c7fc337526a7f714e02bced75985040905d8fb3c5d0744c35aee9932c4e
SHA1: c0bb86aeb2fc7c733f37b3c93962b801e86fe3ec
MD5: f0d0539ec7c89476a77c629d03014694

Strike ID: M22-M3053 | Malware: Liberator_cc720105 | Platform: Windows
Info: This strike sends a polymorphic malware sample known as Liberator. Liberator is distributed by the group known as disBalancer as a tool that offers users the ability to perform DDoS attacks against Russian propaganda websites in an effort to help Ukraine. However, unknown to users, the downloaded files infect the system with malware such as info-stealers designed to dump credentials and cryptocurrency-related information. Variant: the binary has random bytes appended at the end of the file.
External References: https://blog.talosintelligence.com/2022/03/threat-advisory-cybercriminals.html
SHA256: 5d0405ecb8b3f93965a166d94d153965c77524acdfa3b652b49d023868f9a506
https://attack.mitre.org/techniques/T1009/
PARENTID: M22-M301e
SSDEEP: 98304:5NLN/quh1K8Hs46qTBG6J9gfDA5OCHxdWXAZWm5y1F/uMTMVWD/ML+dkYYvZN5e5:5T5c8HsWpJf0Qdo1DqMcN5efR
SHA1: 9931eb305da5ab395e67c870b6bcd8f189ee9f82
MD5: cc7201057f28437d8c1d32deb8bcf4b7

Strike ID: M22-M304f | Malware: Emotet_9be366b8 | Platform: Windows
Info: This strike sends a polymorphic malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments in malicious emails. Variant: the binary has random strings (lorem ipsum) appended at the end of the file.
External References: https://blog.talosintelligence.com/2022/03/threat-roundup-0311-0318.html
SHA256: f1fa355481e88c81794497293bff6c7fde5b057cb641823c48711a77f42db4de
https://attack.mitre.org/techniques/T1009/
PARENTID: M22-M302f
SSDEEP: 6144:1x8FPmWqwcz68XkgP+iUW8g/UcFqPm0iXc5n4MEPA:eqw4jGiCwZnLXc5nxEPA
SHA1: 32d579e3abb7138d80c398d5a099b980f9acfa8a
MD5: 9be366b807f0599182773345a95fa466

Strike ID: M22-M301e | Malware: Liberator_62b9e5b4 | Platform: Windows
Info: This strike sends a malware sample known as Liberator. Liberator is distributed by the group known as disBalancer as a tool that offers users the ability to perform DDoS attacks against Russian propaganda websites in an effort to help Ukraine. However, unknown to users, the downloaded files infect the system with malware such as info-stealers designed to dump credentials and cryptocurrency-related information.
External References: https://blog.talosintelligence.com/2022/03/threat-advisory-cybercriminals.html
SHA256: f297c69795af08fd930a3d181ac78df14d79e30ba8b802666605dbc66dffd994
SHA1: 2d71fedd9644bfe8437137b3e4b98d915cc5cfbb
MD5: 62b9e5b4b36511838fc8960202a88d45

Strike ID: M22-M3032 | Malware: Maze_b9078b6d | Platform: Windows
Info: This strike sends a malware sample known as Maze. Maze, also known as ChaCha, is ransomware known not only for encrypting files on the targeted system but also for releasing stolen victim information to the public if the ransom is not paid. The ransomware has been delivered via several methods, including exploit kits, remote desktop connections and phishing emails. The malware also uses many anti-reversing and anti-analysis features that make examining it considerably more difficult.
External References: https://blog.talosintelligence.com/2022/03/threat-roundup-0304-0311.html
SHA256: 8e2e8b266bf451bce36445ef9fe0284f2d171518b61ed4dc2e025799c7949e6e
SHA1: f4767c509c5c6b5b0ba97931f810bbf8a4d3e02b
MD5: b9078b6db33deb83201c8d2cbb3ced4e

Strike ID: M22-M3002 | Malware: Maze_07ba093c | Platform: Windows
Info: This strike sends a malware sample known as Maze. Maze, also known as ChaCha, is ransomware known not only for encrypting files on the targeted system but also for releasing stolen victim information to the public if the ransom is not paid. The ransomware has been delivered via several methods, including exploit kits, remote desktop connections and phishing emails. The malware also uses many anti-reversing and anti-analysis features that make examining it considerably more difficult.
External References: https://blog.talosintelligence.com/2022/03/threat-roundup-0304-0311.html
SHA256: 981546610644efa23bf9322dd96ccb008278135689866cb54cb027de74496a3a
SHA1: 94e366da598bd5458becff39be0125248ef93049
MD5: 07ba093cb068d944bb37d2818313bd22

Strike ID: M22-M3027 | Malware: Emotet_8dde30a4 | Platform: Windows
Info: This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments in malicious emails.
External References: https://blog.talosintelligence.com/2022/03/threat-roundup-0311-0318.html
SHA256: 1b8a701233084c541ad5988667ce83c36e03d102742b13d24240f00b7183d6f8
SHA1: 383a6d0b3588e9ee123f50c63028216336caeb62
MD5: 8dde30a43ef9d22ec22c1d7bcec31b20

Strike ID: M22-M3013 | Malware: Emotet_42a50d33 | Platform: Windows
Info: This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments in malicious emails.
External References: https://blog.talosintelligence.com/2022/03/threat-roundup-0311-0318.html
SHA256: 01de908c657aeb4f521632b035316d3f85ffce8dd16186e9d37798a8fd50492b
SHA1: 5445c9b2b58ae49fbab546862667d592a162ee06
MD5: 42a50d33c68d817c700f1bbbb79b6c83
M22-M3056 | Liberator_ee1b1be4 | Windows | This strike sends a polymorphic malware sample known as Liberator. Liberator is malware distributed by the group known as disBalancer as a tool that offers users the ability to perform DDoS attacks against Russian propaganda websites in an effort to help Ukraine. However, unknown to users, these files, once downloaded, infect the system with malware such as info-stealers designed to dump credentials and cryptocurrency-related information. The binary has random strings (lorem ipsum) appended at the end of the file. | ee1b1be464867edc5e847b3f219ab85b | https://blog.talosintelligence.com/2022/03/threat-advisory-cybercriminals.html
SHA256: 73f9ff8432d5e142b83de527d1b49016c2009435c335dfb7be8a90dd13ba3d46
https://attack.mitre.org/techniques/T1009/
PARENTID: M22-M301e
SSDEEP: 98304:5NLN/quh1K8Hs46qTBG6J9gfDA5OCHxdWXAZWm5y1F/uMTMVWD/ML+dkYYvZN5en:5T5c8HsWpJf0Qdo1DqMcN5eff
SHA1: 71f0649789c88b8d1c3bc0ae9743b7071ee94374
MD5: ee1b1be464867edc5e847b3f219ab85b
M22-M304a | Emotet_5870c54f | Windows | This strike sends a polymorphic malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments in malicious emails. The binary has the checksum removed in the PE file format. | 5870c54fd187968c3c347703bd59ab1d | https://blog.talosintelligence.com/2022/03/threat-roundup-0311-0318.html
SHA256: 8132d011e0a7d5d0e629431215a65ccea952beb2d564cfd26116831d281b1cdb
https://arxiv.org/abs/1801.08917
PARENTID: M22-M302f
SSDEEP: 6144:Ax8FPmWqwcz68XkgP+iJW8g/UcFqPm0iXc5n4MEP:rqw4jGi9wZnLXc5nxEP
SHA1: 03af3f809635eb6038a6e9e28f77156190b5e29c
MD5: 5870c54fd187968c3c347703bd59ab1d
M22-M303c | Qakbot_da3b944d | Windows | This strike sends a malware sample known as Qakbot. Qakbot, aka Qbot, has been around since at least 2008. Qbot primarily targets sensitive information like banking credentials, but can also steal FTP credentials and spread across a network using SMB. | da3b944da04513346d8eded4304fefc1 | https://blog.talosintelligence.com/2022/03/threat-roundup-0318-0325.html
SHA256: 4dc3983e5af920472c15e49dcdc3437c5ac389c3a6a1e14d560a38bc4c9f8ac5
SHA1: 639f67954fa48ce5431204d8edc4d6d83687a3ac
MD5: da3b944da04513346d8eded4304fefc1
M22-M304b | Liberator_5acdd854 | Windows | This strike sends a polymorphic malware sample known as Liberator. Liberator is malware distributed by the group known as disBalancer as a tool that offers users the ability to perform DDoS attacks against Russian propaganda websites in an effort to help Ukraine. However, unknown to users, these files, once downloaded, infect the system with malware such as info-stealers designed to dump credentials and cryptocurrency-related information. The binary has the checksum removed in the PE file format. | 5acdd8541c6085cd0dc03670bb4cf157 | https://blog.talosintelligence.com/2022/03/threat-advisory-cybercriminals.html
SHA256: 3f911ee30ca7031266245c01829eda08e5416495c21465c1ab8785b6e1c61b06
https://arxiv.org/abs/1801.08917
PARENTID: M22-M301e
SSDEEP: 98304:RNLN/quh1K8Hs46qTBG6J9gfDA5OCHxdWXAZWm5y1F/uMTMVWD/ML+dkYYvZN5eG:RT5c8HsWpJf0Qdo1DqMcN5efO
SHA1: 42a7651f5da4c34b54fd16dc62178ab325a9498a
MD5: 5acdd8541c6085cd0dc03670bb4cf157
M22-M3047 | CaddyWiper_1dc1b969 | Windows | This strike sends a polymorphic malware sample known as CaddyWiper. CaddyWiper is a relatively small wiper malware targeting Ukraine, whose purpose is to destroy all the contents of a system's drives. Before erasing these files it checks that the machine is not a domain controller; if it is, it halts execution. If it is not a domain controller, it continues by wiping files on each drive on the system. The binary has random strings (lorem ipsum) appended at the end of the file. | 1dc1b96929eda836f0461b13b23ef173 | https://blog.talosintelligence.com/2022/03/threat-advisory-caddywiper.html
SHA256: 3681f9936b9b50d347ad8f5abe744ddda139acadb23b59fd0dcb0acd659fda28
https://attack.mitre.org/techniques/T1009/
PARENTID: M22-M3015
SSDEEP: 192:76f0CW5P2Io4evFrDv2ZRJzCn7URRsjVJaZFUbU:76fPWl24evFrT2ZR5Cn7UR0VJoIU
SHA1: d828b29b3341b45f5cbc008a3a2a3216e8591de5
MD5: 1dc1b96929eda836f0461b13b23ef173
M22-M3036 | Qakbot_c378ead9 | Windows | This strike sends a malware sample known as Qakbot. Qakbot, aka Qbot, has been around since at least 2008. Qbot primarily targets sensitive information like banking credentials, but can also steal FTP credentials and spread across a network using SMB. | c378ead9fe62c17f0124b12246d9057b | https://blog.talosintelligence.com/2022/03/threat-roundup-0318-0325.html
SHA256: 2f42bc6da8bc81d3aec30cf848a14b9a2f473213cce86d99afee302e37e95f1b
SHA1: 0b0f8467da75fd5eb9c1d89a080ab806bb9ac704
MD5: c378ead9fe62c17f0124b12246d9057b
M22-M3008 | Emotet_2082c7d3 | Windows | This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments in malicious emails. | 2082c7d38e1a7296dd6c49582d1c5fd0 | https://blog.talosintelligence.com/2022/03/threat-roundup-0311-0318.html
SHA256: 033bee773cc102d1d4ae1d72c2599154405865a52a8afb6a66c2d8cb456d0b00
SHA1: 2b461c21ac1a212fac606657f0bfc8873c685269
MD5: 2082c7d38e1a7296dd6c49582d1c5fd0
M22-M3038 | Emotet_ca12d7e7 | Windows | This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments in malicious emails. | ca12d7e789a88651cb742f0f5dc41e11 | https://blog.talosintelligence.com/2022/03/threat-roundup-0311-0318.html
SHA256: 106d339edea1338ecb20ac2c3453208b05c5c5891a079d15a7d4d1a4ee21b3ea
SHA1: 0ed3e3901457169e361ec748677bb3114dfc2ee6
MD5: ca12d7e789a88651cb742f0f5dc41e11
M22-M3021 | Emotet_777fb72a | Windows | This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments in malicious emails. | 777fb72a680ea2ccb37c6d98d4ae427c | https://blog.talosintelligence.com/2022/03/threat-roundup-0311-0318.html
SHA256: 04834495862eb040ca9ab450f27b5530bcedaaa472973d7ea50f0f8343e27a98
SHA1: 288a2fee861650576b6be7c74e9806338c711282
MD5: 777fb72a680ea2ccb37c6d98d4ae427c
M22-M301f | Qakbot_6a65ec4b | Windows | This strike sends a malware sample known as Qakbot. Qakbot, aka Qbot, has been around since at least 2008. Qbot primarily targets sensitive information like banking credentials, but can also steal FTP credentials and spread across a network using SMB. | 6a65ec4b09b37ebdedfee5d38ffa1cbe | https://blog.talosintelligence.com/2022/03/threat-roundup-0318-0325.html
SHA256: 0aaca0bbf56e8fc19ba0265a7a36485e92e7a039748f291d21c6ab1797f52a40
SHA1: 2c1789dfee94981eef8ad2a3da17f6a4bf1d8df4
MD5: 6a65ec4b09b37ebdedfee5d38ffa1cbe
M22-M3007 | Maze_1d746808 | Windows | This strike sends a malware sample known as Maze. Maze, also known as ChaCha, is ransomware known not only for encrypting files on the targeted system but also for releasing stolen victim information to the public if the ransom is not paid. The ransomware has been delivered via several methods, including exploit kits, remote desktop connections and phishing emails. This malware also uses many anti-reversing and anti-analysis features that make examining it much more difficult. | 1d74680891b4955ff98287f689d23016 | https://blog.talosintelligence.com/2022/03/threat-roundup-0304-0311.html
SHA256: fda037a68cb707b4609ae9d9f609ac73a3a2a53f279840983d1131eb04b5da9f
SHA1: 7a297b8a73f34d9600e0942b9e79ea03825d43bc
MD5: 1d74680891b4955ff98287f689d23016
M22-M3011 | CaddyWiper_3bac736d | Windows | This strike sends a malware sample known as CaddyWiper. CaddyWiper is a relatively small wiper malware targeting Ukraine, whose purpose is to destroy all the contents of a system's drives. Before erasing these files it checks that the machine is not a domain controller; if it is, it halts execution. If it is not a domain controller, it continues by wiping files on each drive on the system. | 3bac736dfc996976ebd089338cf38c8b | https://blog.talosintelligence.com/2022/03/threat-advisory-caddywiper.html
SHA256: ea6a416b320f32261da8dafcf2faf088924f99a3a84f7b43b964637ea87aef72
SHA1: fc11fb670300addfd203da826c3d0c7b8b8efe24
MD5: 3bac736dfc996976ebd089338cf38c8b
M22-M3046 | Maze_15b1551e | Windows | This strike sends a polymorphic malware sample known as Maze. Maze, also known as ChaCha, is ransomware known not only for encrypting files on the targeted system but also for releasing stolen victim information to the public if the ransom is not paid. The ransomware has been delivered via several methods, including exploit kits, remote desktop connections and phishing emails. This malware also uses many anti-reversing and anti-analysis features that make examining it much more difficult. The binary has the checksum removed in the PE file format. | 15b1551e3f04415a74af35e5313288c0 | https://blog.talosintelligence.com/2022/03/threat-roundup-0304-0311.html
SHA256: 564ff414db83e5a27f8f68008f7921ff10ec4bc83a9fae3c22068e81cde9c55c
https://arxiv.org/abs/1801.08917
PARENTID: M22-M3033
SSDEEP: 6144:Hx0s5c9jrLrLrLZMEQ9V6wZqEZw0eNsd19pV50DEreNg/ydlb4fQ6wFMvM:hMAwmMD/Ng6dNoQl+v
SHA1: 1fd8a54f0dd516881ee42da3a3e8baf84f9f558f
MD5: 15b1551e3f04415a74af35e5313288c0
M22-M3059 | Emotet_4c5d5d22 | Windows | This strike sends a polymorphic malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments in malicious emails. The binary has the timestamp field updated in the PE file header. | 4c5d5d22aeec6ef3e98136bd9d3e20ec | https://blog.talosintelligence.com/2022/03/threat-roundup-0311-0318.html
SHA256: 51233902a12d1b581816b0098b65fec7c568c050da69c0ef35869af572cedd03
https://attack.mitre.org/techniques/T1099/
PARENTID: M22-M302f
SSDEEP: 6144:mx8FPmWqwcz68XkgP+iUW8g/UcFqPm0iXc5n4MEP5:pqw4jGiCwZnLXc5nxEP5
SHA1: de6399f24c410bd297f17aaab7416aab7637aa9d
MD5: 4c5d5d22aeec6ef3e98136bd9d3e20ec
M22-M302e | Qakbot_aaf9db74 | Windows | This strike sends a malware sample known as Qakbot. Qakbot, aka Qbot, has been around since at least 2008. Qbot primarily targets sensitive information like banking credentials, but can also steal FTP credentials and spread across a network using SMB. | aaf9db74093b270f8742864361ba3a45 | https://blog.talosintelligence.com/2022/03/threat-roundup-0318-0325.html
SHA256: 44d28956c8ca91b1a81492faa9f8358e543441642bb8be7d1d17c5bb3bc8c69f
SHA1: f9921915af95beea1ff4971617c23d89d8b7d32c
MD5: aaf9db74093b270f8742864361ba3a45
M22-M3015 | CaddyWiper_42e52b8d | Windows | This strike sends a malware sample known as CaddyWiper. CaddyWiper is a relatively small wiper malware targeting Ukraine, whose purpose is to destroy all the contents of a system's drives. Before erasing these files it checks that the machine is not a domain controller; if it is, it halts execution. If it is not a domain controller, it continues by wiping files on each drive on the system. | 42e52b8daf63e6e26c3aa91e7e971492 | https://blog.talosintelligence.com/2022/03/threat-advisory-caddywiper.html
SHA256: a294620543334a721a2ae8eaaf9680a0786f4b9a216d75b55cfd28f39e9430ea
SHA1: 98b3fb74b3e8b3f9b05a82473551c5a77b576d54
MD5: 42e52b8daf63e6e26c3aa91e7e971492
M22-M300a | Maze_2332f770 | Windows | This strike sends a malware sample known as Maze. Maze, also known as ChaCha, is ransomware known not only for encrypting files on the targeted system but also for releasing stolen victim information to the public if the ransom is not paid. The ransomware has been delivered via several methods, including exploit kits, remote desktop connections and phishing emails. This malware also uses many anti-reversing and anti-analysis features that make examining it much more difficult. | 2332f770b014f21bcc63c7bee50d543a | https://blog.talosintelligence.com/2022/03/threat-roundup-0304-0311.html
SHA256: 1156e9951df46c4854cf9bc5bb96101b0b923c4e10adcffc286a0a1078fcb3da
SHA1: 21ef6f89c9604acdd15ec430343ada05640cb869
MD5: 2332f770b014f21bcc63c7bee50d543a
M22-M303d | Emotet_dbf37811 | Windows | This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments in malicious emails. | dbf378111040a4cdbfea91d8743c332d | https://blog.talosintelligence.com/2022/03/threat-roundup-0311-0318.html
SHA256: 18f7b09aeacae25461f2ec4a5253da88cc406efd221dbbbe09c36a1d63bbba9c
SHA1: 8909eb1a17a45354ee77fab24b224eb42dc723cd
MD5: dbf378111040a4cdbfea91d8743c332d
M22-M3043 | Qakbot_fc1fdfb4 | Windows | This strike sends a malware sample known as Qakbot. Qakbot, aka Qbot, has been around since at least 2008. Qbot primarily targets sensitive information like banking credentials, but can also steal FTP credentials and spread across a network using SMB. | fc1fdfb4cdda0f41bfb255359e442568 | https://blog.talosintelligence.com/2022/03/threat-roundup-0318-0325.html
SHA256: 3a4c1d7cd0e016297101037c66f79f3cacae073b1d9e695d5a41ed9d26062132
SHA1: 20209fce5f296e25d5b829312169b85ab9674cec
MD5: fc1fdfb4cdda0f41bfb255359e442568
M22-M303a | Qakbot_d647b7bb | Windows | This strike sends a malware sample known as Qakbot. Qakbot, aka Qbot, has been around since at least 2008. Qbot primarily targets sensitive information like banking credentials, but can also steal FTP credentials and spread across a network using SMB. | d647b7bb5d864949249f51d1a7927b47 | https://blog.talosintelligence.com/2022/03/threat-roundup-0318-0325.html
SHA256: 290280575775ab86cd5e1e568148049969fd2acc258a9c70ce288e31728d9211
SHA1: 5f91d19d7c065a6af2cd633d0416c110056a0881
MD5: d647b7bb5d864949249f51d1a7927b47
M22-M304c | Maze_5f1ca1b1 | Windows | This strike sends a polymorphic malware sample known as Maze. Maze, also known as ChaCha, is ransomware known not only for encrypting files on the targeted system but also for releasing stolen victim information to the public if the ransom is not paid. The ransomware has been delivered via several methods, including exploit kits, remote desktop connections and phishing emails. This malware also uses many anti-reversing and anti-analysis features that make examining it much more difficult. The binary has a random section name renamed according to the PE format specification. | 5f1ca1b153a69bdb23c814540ba0000d | https://blog.talosintelligence.com/2022/03/threat-roundup-0304-0311.html
SHA256: 0d4c086b8b4ec20cd53c67467720281795a7308066bf843d4e631a96ae6d8cb5
https://arxiv.org/abs/1801.08917
PARENTID: M22-M3033
SSDEEP: 6144:Ux0s5c9jrLrLrLZMEQ9V6wZqEZw0eNsd19pV50DEreNg/ydlb4fQ6wFMvM:UMAwmMD/Ng6dNoQl+v
SHA1: edb14023dcc4cccba892ae301c4228ede4aae6b8
MD5: 5f1ca1b153a69bdb23c814540ba0000d
M22-M3022 | Maze_7f152df4 | Windows | This strike sends a malware sample known as Maze. Maze, also known as ChaCha, is ransomware known not only for encrypting files on the targeted system but also for releasing stolen victim information to the public if the ransom is not paid. The ransomware has been delivered via several methods, including exploit kits, remote desktop connections and phishing emails. This malware also uses many anti-reversing and anti-analysis features that make examining it much more difficult. | 7f152df418bbb484337fc8ed1383b27d | https://blog.talosintelligence.com/2022/03/threat-roundup-0304-0311.html
SHA256: ac457fc7c907ca04a4aa2e243d4b5120c58d338b44771c84e0d282d625d463a0
SHA1: fc433e7db24eb38690746575375d9890457e6711
MD5: 7f152df418bbb484337fc8ed1383b27d
M22-M3040 | Maze_f190f9be | Windows | This strike sends a malware sample known as Maze. Maze, also known as ChaCha, is ransomware known not only for encrypting files on the targeted system but also for releasing stolen victim information to the public if the ransom is not paid. The ransomware has been delivered via several methods, including exploit kits, remote desktop connections and phishing emails. This malware also uses many anti-reversing and anti-analysis features that make examining it much more difficult. | f190f9be2a9e5fca00029676722f3e78 | https://blog.talosintelligence.com/2022/03/threat-roundup-0304-0311.html
SHA256: 585a23ba498d842a1087b164dfe4e325d7fb41d83bf84bf6256737df68c5fcaf
SHA1: 67b29dbade9e75b1735a1b81eacf82935d07051f
MD5: f190f9be2a9e5fca00029676722f3e78
M22-M304e | Maze_7fdff4b0 | Windows | This strike sends a polymorphic malware sample known as Maze. Maze, also known as ChaCha, is ransomware known not only for encrypting files on the targeted system but also for releasing stolen victim information to the public if the ransom is not paid. The ransomware has been delivered via several methods, including exploit kits, remote desktop connections and phishing emails. This malware also uses many anti-reversing and anti-analysis features that make examining it much more difficult. The binary has been packed using the UPX packer with the default options. | 7fdff4b02371ce3739f8e47f97ad8568 | https://blog.talosintelligence.com/2022/03/threat-roundup-0304-0311.html
SHA256: 05664b902cd019d230816444e1f086ba7cec2c5947ed49763287dfa568587735
https://attack.mitre.org/techniques/T1045/
PARENTID: M22-M3033
SSDEEP: 6144:IUcefi4m/hXJdvBqptg9vQXgEfbaOylBz9iMWGnxfOh:NfirJJBqptvtfeOeBzsM1fO
SHA1: c04a4f5bb9e09830c5881dcd5abdd21fc606b6d3
MD5: 7fdff4b02371ce3739f8e47f97ad8568
M22-M3005 | Emotet_1a6995e8 | Windows | This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments in malicious emails. | 1a6995e8668456e77f554af0dc360b7f | https://blog.talosintelligence.com/2022/03/threat-roundup-0311-0318.html
SHA256: 11570acaf889061defb63717564fbb5b12e1df19a1ec09277939de2cf9c2de65
SHA1: cc5a87176107a47a4f71bb890209afd230242f3d
MD5: 1a6995e8668456e77f554af0dc360b7f
M22-M3004 | Qakbot_1330fdb5 | Windows | This strike sends a malware sample known as Qakbot. Qakbot, aka Qbot, has been around since at least 2008. Qbot primarily targets sensitive information like banking credentials, but can also steal FTP credentials and spread across a network using SMB. | 1330fdb5121c445cb1bad6a2d04df63e | https://blog.talosintelligence.com/2022/03/threat-roundup-0318-0325.html
SHA256: 4c70f64526f28d74ba969e89577ba242e12acf141a8bc0a96bc9e7dd33eadcfa
SHA1: 485209a850213cfe52324658efc7066db78378dc
MD5: 1330fdb5121c445cb1bad6a2d04df63e
M22-M3054 | Liberator_d60e2151 | Windows | This strike sends a polymorphic malware sample known as Liberator. Liberator is malware distributed by the group known as disBalancer as a tool that offers users the ability to perform DDoS attacks against Russian propaganda websites in an effort to help Ukraine. However, unknown to users, these files, once downloaded, infect the system with malware such as info-stealers designed to dump credentials and cryptocurrency-related information. The binary has a random section name renamed according to the PE format specification. | d60e2151cc438b1c6378d23aedd7f3b1 | https://blog.talosintelligence.com/2022/03/threat-advisory-cybercriminals.html
SHA256: 04ed4e243093e7b0d3bf91c217c349b38235f1a82ea55ed694df1427b0beb30a
https://arxiv.org/abs/1801.08917
PARENTID: M22-M301e
SSDEEP: 98304:jNLN/quh1K8Hs46qTBG6J9gfDA5OCHxdWXAZWm5y1F/uMTMVWD/ML+dkYYvZN5eG:jT5c8HsWpJf0Qdo1DqMcN5efO
SHA1: 838090fc0c254127a612b6758226d48c79144089
MD5: d60e2151cc438b1c6378d23aedd7f3b1
M22-M3039 | Emotet_cefea1e3 | Windows | This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments in malicious emails. | cefea1e3ce55f515d59c388b3ec1407c | https://blog.talosintelligence.com/2022/03/threat-roundup-0311-0318.html
SHA256: 1a5144a47a46d376e1b2cd4e9fa293242e8e450357f0a46382b4219b440b4037
SHA1: f4a478b2ef098a1312bd8575536594cacfbc021d
MD5: cefea1e3ce55f515d59c388b3ec1407c
M22-M3030 | Qakbot_b0ffde08 | Windows | This strike sends a malware sample known as Qakbot. Qakbot, aka Qbot, has been around since at least 2008. Qbot primarily targets sensitive information like banking credentials, but can also steal FTP credentials and spread across a network using SMB. | b0ffde08f15d2543caf52fc8863efbca | https://blog.talosintelligence.com/2022/03/threat-roundup-0318-0325.html
SHA256: 2afe6f6d4dc8faa0eafc030f53e278fb5c0ea925681e6c3a74514662fd105774
SHA1: 4de3e5e1abd7b6a2eb5116cda8baccd78d99abb5
MD5: b0ffde08f15d2543caf52fc8863efbca
M22-M3045 | Emotet_1034405a | Windows | This strike sends a polymorphic malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments in malicious emails. The binary has the debug flag removed in the PE file format. | 1034405a7a4f24541844597170e8467f | https://blog.talosintelligence.com/2022/03/threat-roundup-0311-0318.html
SHA256: 3437536e7dd517bb69f29ac2e28fd2b0cf158d10022ef90c62c5e6fa67391a1c
https://arxiv.org/abs/1801.08917
PARENTID: M22-M302f
SSDEEP: 6144:rx8FPmWqwcz68XkgP+iJW8g/UcFqPm0iXc5n4MEP:Mqw4jGi9wZnLXc5nxEP
SHA1: 832a9e2413cf2e5f398f0f49a017fbfc7e1441d5
MD5: 1034405a7a4f24541844597170e8467f
M22-M301a | Liberator_5c0693ed | Mixed | This strike sends a malware sample known as Liberator. Liberator is malware distributed by the group known as disBalancer as a tool that offers users the ability to perform DDoS attacks against Russian propaganda websites in an effort to help Ukraine. However, unknown to users, these files, once downloaded, infect the system with malware such as info-stealers designed to dump credentials and cryptocurrency-related information. | 5c0693ed5953c01ccf046b8a9461efa3 | https://blog.talosintelligence.com/2022/03/threat-advisory-cybercriminals.html
SHA256: 705380e21e1a27b7302637ae0e94ab37c906056ccbf06468e1d5ad63327123f9
SHA1: 24c748f725358f8559cc4295c52f0476ba911c5c
MD5: 5c0693ed5953c01ccf046b8a9461efa3
M22-M300e | Qakbot_32608fee | Windows | This strike sends a malware sample known as Qakbot. Qakbot, aka Qbot, has been around since at least 2008. Qbot primarily targets sensitive information like banking credentials, but can also steal FTP credentials and spread across a network using SMB. | 32608fee5f14e3733f1367a95abcf569 | https://blog.talosintelligence.com/2022/03/threat-roundup-0318-0325.html
SHA256: 06b6236e6e96179c2bc7ee424225a4a4cde9aa5e231478f21c8589d18dbd6783
SHA1: 05b76b372ec3593b9f606557a29eedc6e140b624
MD5: 32608fee5f14e3733f1367a95abcf569
M22-M3055 | CaddyWiper_da4ae5cf | Windows | This strike sends a polymorphic malware sample known as CaddyWiper. CaddyWiper is a relatively small wiper malware targeting Ukraine, whose purpose is to destroy all the contents of a system's drives. Before erasing these files it checks that the machine is not a domain controller; if it is, it halts execution. If it is not a domain controller, it continues by wiping files on each drive on the system. The binary has random content appended to one of the existing sections of the PE file. | da4ae5cf38e4cef1113a7acc04830d2d | https://blog.talosintelligence.com/2022/03/threat-advisory-caddywiper.html
SHA256: f427055854e6f1544658e86d48656f256e7510fc9a762ca81b019b5c49ac7563
https://arxiv.org/abs/1801.08917
PARENTID: M22-M3015
SSDEEP: 192:76f0CW5P2Io4evFrDv2ZRJzCn7URRsjVJaZa:76fPWl24evFrT2ZR5Cn7UR0VJo
SHA1: 40f5cd9b177ca595f958178a99d9153724ca5918
MD5: da4ae5cf38e4cef1113a7acc04830d2d
M22-M302d | Emotet_a30ba05c | Windows | This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments in malicious emails. | a30ba05c61d91c62087ef7bbbb054f50 | https://blog.talosintelligence.com/2022/03/threat-roundup-0311-0318.html
SHA256: 0171757dc2cb9afa28bcaa4b9dd5b0171f48aecaf7de49ac2d2c0b38bb525d9e
SHA1: 363ba0fc5fa58b8c6ce659855582a28c96b8b7a5
MD5: a30ba05c61d91c62087ef7bbbb054f50
M22-M3025 | Emotet_87ef8852 | Windows | This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments in malicious emails. | 87ef88526bb7178f95a43099a8225dd0 | https://blog.talosintelligence.com/2022/03/threat-roundup-0311-0318.html
SHA256: 112b0ad9bc9668209f119ced4722a79477e54cd360b903d5288d19fce336ce9c
SHA1: b4964852435a0d10b3ba911a02816c86231a829c
MD5: 87ef88526bb7178f95a43099a8225dd0
M22-M3016 | Emotet_4b9584ee | Windows | This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments in malicious emails. | 4b9584eec0429d422bca4eb61e3acd5e | https://blog.talosintelligence.com/2022/03/threat-roundup-0311-0318.html
SHA256: 0cd18237a5a63c83bfb05aa547c4ad56d1e0a0151a469b0771eaa1ff79312a77
SHA1: 37c9c0a572b3e748ca5322ebc5298b7953804294
MD5: 4b9584eec0429d422bca4eb61e3acd5e
M22-M3052 | CaddyWiper_b8da675f | Windows | This strike sends a polymorphic malware sample known as CaddyWiper. CaddyWiper is a relatively small wiper malware targeting Ukraine, whose purpose is to destroy all the contents of a system's drives. Before erasing these files it checks that the machine is not a domain controller; if it is, it halts execution. If it is not a domain controller, it continues by wiping files on each drive on the system. The binary has a random section name renamed according to the PE format specification. | b8da675f41ea93ea27c76db661bc095d | https://blog.talosintelligence.com/2022/03/threat-advisory-caddywiper.html
SHA256: 17528161d75d5c13b9a35bd523a1f4f36cb9554dcc2cc609755107f55b1cd45b
https://arxiv.org/abs/1801.08917
PARENTID: M22-M3015
SSDEEP: 192:t6f0CW5P2Io4evFrDv2ZRJzCn7URRsjVJaZF:t6fPWl24evFrT2ZR5Cn7UR0VJo
SHA1: 92bfaca3eddc06df24ae768793a07da10e7ca71a
MD5: b8da675f41ea93ea27c76db661bc095d
M22-M301d | Qakbot_5f428832 | Windows | This strike sends a malware sample known as Qakbot. Qakbot, aka Qbot, has been around since at least 2008. Qbot primarily targets sensitive information like banking credentials, but can also steal FTP credentials and spread across a network using SMB. | 5f4288328492c707e1d6398224417a27 | https://blog.talosintelligence.com/2022/03/threat-roundup-0318-0325.html
SHA256: 20839bc89ca241bcd77ea69a2e36e40d7c1bd0dd91952502de8cd1db6fe771e1
SHA1: 1af7047a115c1d098d3d5e1ea82580d7ea79b606
MD5: 5f4288328492c707e1d6398224417a27
M22-M3049 | Emotet_498307c2 | Windows | This strike sends a polymorphic malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments in malicious emails. The binary has a random section name renamed according to the PE format specification. | 498307c24d3857a0300974df6787faf0 | https://blog.talosintelligence.com/2022/03/threat-roundup-0311-0318.html
SHA256: 290ea40d13a7cdd44b2a177fdf3e3bc617eb3a376e31d9fc933ea225515c7f23
https://arxiv.org/abs/1801.08917
PARENTID: M22-M302f
SSDEEP: 6144:2x8FPmWqwcz68XkgP+iUW8g/UcFqPm0iXc5n4MEP5:Zqw4jGiCwZnLXc5nxEP5
SHA1: 70522fffdfaea8602cb5924d5ab51fa0e3fdf8ff
MD5: 498307c24d3857a0300974df6787faf0
M22-M302c | Qakbot_a290eda0 | Windows | This strike sends a malware sample known as Qakbot. Qakbot, aka Qbot, has been around since at least 2008. Qbot primarily targets sensitive information like banking credentials, but can also steal FTP credentials and spread across a network using SMB. | a290eda0a5a565042e2019ddc51610e9 | https://blog.talosintelligence.com/2022/03/threat-roundup-0318-0325.html
SHA256: 57b45bf71364f9f885bab3a7a1f6ccdbb60dc24c6a4d2d71a6af59954cb6d390
SHA1: 8d7693c8c62bbe122035c046d38f438393ca65c3
MD5: a290eda0a5a565042e2019ddc51610e9
M22-M3034 | Emotet_b9c7ae5b | Windows | This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments in malicious emails. | b9c7ae5b0efad2fb73c47cb81c52d729 | https://blog.talosintelligence.com/2022/03/threat-roundup-0311-0318.html
SHA256: 0970728c25babd07c157ef0bc965118df879161379c27bace0acbdd9f08ee1d6
SHA1: 035a83d69af8d997215a2c369e6ae8edc74753b3
MD5: b9c7ae5b0efad2fb73c47cb81c52d729
M22-M3031 | Emotet_b6c73e75 | Windows | This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments in malicious emails. | b6c73e75e309ca965c41e0d063224add | https://blog.talosintelligence.com/2022/03/threat-roundup-0311-0318.html
SHA256: 18ae9f8ea5ef2e4272d574569d31208d327207611d5919496352eea444514e69
SHA1: 91e9e9092dc1c1c43ce67be784f7b33b67670644
MD5: b6c73e75e309ca965c41e0d063224add
M22-M3019 | Emotet_5ba6287e | Windows | This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments in malicious emails. | 5ba6287e4ade00a379c143507cb72822 | https://blog.talosintelligence.com/2022/03/threat-roundup-0311-0318.html
SHA256: 0462f02bb4a67c54bc158b56586bad32ede3c57edee988a4f5179b41111283cb
SHA1: 79a35ed15a60037a0fbf5a208fd8bb8de4f7429e
MD5: 5ba6287e4ade00a379c143507cb72822