Malware Monthly Update April - 2021

Malware Strikes

Each strike is listed with its Strike ID, Malware, Platform, Info, MD5 and External References, followed by its file hashes.

Strike ID: M21-fd7z1
Malware: Expiro_34c50d3b
Platform: Mixed
Info: This strike sends a malware sample known as Expiro. Expiro or Xpiro is a known file infector and information-stealer that hinders analysis with anti-debugging and anti-analysis tricks.
External References: https://blog.talosintelligence.com/2021/04/threat-roundup-0402-0409.html
SHA256: 3d2cdbe5cd494a6ef592f20dd73c873036ea0350aea3d954f7774c372ed9a1b3
SHA1: 83874bf68bb617bdfb34ef6dad91cd366c84719b
MD5: 34c50d3baf3bfdc586c0a5127f2d1199

Strike ID: M21-rwly1
Malware: Dofoil_1301e933
Platform: Mixed
Info: This strike sends a malware sample known as Dofoil. Dofoil, also known as SmokeLoader, is typically used to download and execute various other malware. It has been associated with dropping and executing coin miners that mine cryptocurrency.
External References: https://blog.talosintelligence.com/2021/04/threat-roundup-0326-0402.html
SHA256: 1df87baeeac67f7eadf3875c0a12a610ec21b285e6b6be97bc0c6969b33277e7
SHA1: b15df6958f1f19ea62df0c4a3eb31b0c4142e9e4
MD5: 1301e933ffd26d973e2d92726a5cb165

Strike ID: M21-sup11
Malware: Trickbot_09277e8a
Platform: Mixed
Info: This strike sends a polymorphic malware sample known as Trickbot. Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts. The binary has been packed using the UPX packer, with the default options.
External References: https://attack.mitre.org/techniques/T1045/
SHA256: 228da49149bb63a53c1fd38daf6fe22c1770c02d747c9dd09b47c31bb7311804
SHA1: ce6d6e08f36c64bd3b5219671f811541e3fce4a9
PARENTID: M21-7qla1
SSDEEP: 6144:O0ek78425ufcfIYHM/egni+yKxLMxy2VsZd1npQk/vZdo398f20:O0ek78NufcfbbKxLMxyd1nNvZ+uf20
MD5: 09277e8a44f4688f77dd958bb22d4380

Strike ID: M21-wu8j1
Malware: Bifrost_88918aa9
Platform: Mixed
Info: This strike sends a malware sample known as Bifrost. Bifrost is a backdoor that allows a remote attacker, who uses the client, to execute arbitrary code on the compromised machine. It contains standard Remote Access Trojan capabilities including taking screenshots, camera monitoring, and keylogging.
External References: https://blog.talosintelligence.com/2021/04/threat-roundup-0402-0409.html
SHA256: 0bbf08d0cda307470313eb0df62a3d98fcad269eb91a36560ced7dd2932ecd50
SHA1: 0017adffb17c14c5eb58b5be3d134818a21083e5
MD5: 88918aa93a7020accbf4cd82147f2d1d

Strike ID: M21-n28c1
Malware: Expiro_4458b006
Platform: Mixed
Info: This strike sends a malware sample known as Expiro. Expiro or Xpiro is a known file infector and information-stealer that hinders analysis with anti-debugging and anti-analysis tricks.
External References: https://blog.talosintelligence.com/2021/04/threat-roundup-0402-0409.html
SHA256: 16717154e740e73113cab232a58600906dd96c0c1b4847c04b534ce0976f3445
SHA1: 59ca5591fdaac0252b3e76844a8b79afb48adfdc
MD5: 4458b00653b951bc82cb9e7319a287fd

Strike ID: M21-5le11
Malware: Trickbot_3e4fdfbb
Platform: Mixed
Info: This strike sends a malware sample known as Trickbot. Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts.
External References: https://blog.talosintelligence.com/2021/04/threat-roundup-0409-0416.html
SHA256: 4af6c2550d9aa636c26f169479043bf950dcb7c7f64392ec17cec97c6b29362b
SHA1: 4972a7735bc3b0c9397bd122043beb4db5d48da1
MD5: 3e4fdfbb216a4919534246f749aab839

Strike ID: M21-zoq41
Malware: Bifrost_f3695bb5
Platform: Mixed
Info: This strike sends a malware sample known as Bifrost. Bifrost is a backdoor that allows a remote attacker, who uses the client, to execute arbitrary code on the compromised machine. It contains standard Remote Access Trojan capabilities including taking screenshots, camera monitoring, and keylogging.
External References: https://blog.talosintelligence.com/2021/04/threat-roundup-0402-0409.html
SHA256: 09891f0d840b7f7fbcf046d95fcf8374d9dc59dc5f0a22daf9017afadfda2a6b
SHA1: 0cd7419b16e6de4b127cd1719151c3cb32abb4ff
MD5: f3695bb57ee730b63a99285b3e58af03

Strike ID: M21-d76z1
Malware: Emotet_3e9f7bc3
Platform: Mixed
Info: This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails.
External References: https://blog.talosintelligence.com/2021/04/threat-roundup-0409-0416.html
SHA256: f30553a6bca371b8ca323014524527771b09ad91de5ca29f7bb0c96590a4e9cf
SHA1: 3871cc3510bf552e0f31de82d08299bb8a2123ce
MD5: 3e9f7bc31ba3adb2638de4ebec51df91

Strike ID: M21-om701
Malware: Dofoil_286321a5
Platform: Mixed
Info: This strike sends a malware sample known as Dofoil. Dofoil, also known as SmokeLoader, is typically used to download and execute various other malware. It has been associated with dropping and executing coin miners that mine cryptocurrency.
External References: https://blog.talosintelligence.com/2021/04/threat-roundup-0326-0402.html
SHA256: c2bea2314e29228dc45397436380ce833cd456e95a36b04396da5bc512589a5b
SHA1: c42af99f955ad00e37f0566312dbdde9e9ff93c2
MD5: 286321a5c27acf660cdf4305ad33a661

Strike ID: M21-j5js1
Malware: Trickbot_72593a33
Platform: Mixed
Info: This strike sends a malware sample known as Trickbot. Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts.
External References: https://blog.talosintelligence.com/2021/04/threat-roundup-0409-0416.html
SHA256: 4aecc28c37f0cbca6bd0abdd1017a9f23fce02834b0cc442ebf6711b73036153
SHA1: 80d26d4c2c3065b44a244d1776b85fd177b160f8
MD5: 72593a33eada2ecfac60ecf452ccfcb1

Strike ID: M21-p4p41
Malware: Bifrost_70c04126
Platform: Mixed
Info: This strike sends a malware sample known as Bifrost. Bifrost is a backdoor that allows a remote attacker, who uses the client, to execute arbitrary code on the compromised machine. It contains standard Remote Access Trojan capabilities including taking screenshots, camera monitoring, and keylogging.
External References: https://blog.talosintelligence.com/2021/04/threat-roundup-0402-0409.html
SHA256: 036651a9fbc85ffd6027bcb89f99fa3c8cf1a36abedbc8808aa066aa90c3e972
SHA1: 0aa0d6047ab6ac484050f1fe4f09ccd04683e60e
MD5: 70c04126abb95a5378868c486b91c453

Strike ID: M21-1x841
Malware: Emotet_3da1215c
Platform: Mixed
Info: This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails.
External References: https://blog.talosintelligence.com/2021/04/threat-roundup-0409-0416.html
SHA256: 0ba291a889d3c24013aeda5a880ad0a0304a8bf1385f3997f96e9049d4bf1bf3
SHA1: 64d4a59561ce6f4168d0686d51ebdb96a4527e24
MD5: 3da1215cabb6bb88d9a1432f78df501e

Strike ID: M21-ygdr1
Malware: Dofoil_e81d1b51
Platform: Mixed
Info: This strike sends a malware sample known as Dofoil. Dofoil, also known as SmokeLoader, is typically used to download and execute various other malware. It has been associated with dropping and executing coin miners that mine cryptocurrency.
External References: https://blog.talosintelligence.com/2021/04/threat-roundup-0326-0402.html
SHA256: 91b5b42102b2a55ccf2cf8644e6c310c85b4061ec9ecdc228929769d51cf9ee3
SHA1: 2582a807ecb7661bf032de796762b419f56cf7bf
MD5: e81d1b51ee7a971cbbe4cb91f09a5d90

Strike ID: M21-bq451
Malware: Bifrost_399c3a89
Platform: Mixed
Info: This strike sends a malware sample known as Bifrost. Bifrost is a backdoor that allows a remote attacker, who uses the client, to execute arbitrary code on the compromised machine. It contains standard Remote Access Trojan capabilities including taking screenshots, camera monitoring, and keylogging.
External References: https://blog.talosintelligence.com/2021/04/threat-roundup-0402-0409.html
SHA256: 07243c8b5c0cdd6505573399ab88a7aaaa314dc3958c73d18f783c96922dd26f
SHA1: 069d8f2b23a4d336fd49b39d5ff9c6247c3ae717
MD5: 399c3a89a43ab12f22d0218a717355ec

Strike ID: M21-scxu1
Malware: Dofoil_abb7e72b
Platform: Mixed
Info: This strike sends a malware sample known as Dofoil. Dofoil, also known as SmokeLoader, is typically used to download and execute various other malware. It has been associated with dropping and executing coin miners that mine cryptocurrency.
External References: https://blog.talosintelligence.com/2021/04/threat-roundup-0326-0402.html
SHA256: 11959868974ed014b69f572db4c68a1e7547121a759241e32856f208b64c88a8
SHA1: b0a025ee2a8c0217bcd7e27d5bd22ce7e0c466fb
MD5: abb7e72b41ed57f9c36c429e9c07fd56

Strike ID: M21-yp9q1
Malware: Bifrost_b60f966a
Platform: Mixed
Info: This strike sends a polymorphic malware sample known as Bifrost. Bifrost is a backdoor that allows a remote attacker, who uses the client, to execute arbitrary code on the compromised machine. It contains standard Remote Access Trojan capabilities including taking screenshots, camera monitoring, and keylogging. The binary has random strings (lorem ipsum) appended at the end of the file.
External References: https://attack.mitre.org/techniques/T1009/
SHA256: 6625ef549d939de8352519e1194e06ccc568d77551f1176230539fae62509ca4
SHA1: 820cefc9c0f1ce8f340c3b532aac58d65d259118
PARENTID: M21-q2r61
SSDEEP: 24576:dM9FUzQIyFfybd0nnbpfDYpY9OLSCR2Isb3ojRdhann6LjmHl25D+0ZpEo0Yv8al:qFmQIQ6x0nt7YbeO2Is3odK4OM5D+aJv
MD5: b60f966ae955ef8523dd28fdb5d252c0

Strike ID: M21-4o6j1
Malware: Dofoil_17238a77
Platform: Mixed
Info: This strike sends a malware sample known as Dofoil. Dofoil, also known as SmokeLoader, is typically used to download and execute various other malware. It has been associated with dropping and executing coin miners that mine cryptocurrency.
External References: https://blog.talosintelligence.com/2021/04/threat-roundup-0326-0402.html
SHA256: 2047537c162e02f2135b3386f5cfec72c94a7dbe030c7ec12083a93e0a308d3b
SHA1: f4b65e5bb28e855f824e8c4356aa6a54500e9c1f
MD5: 17238a77d4115a153200b352da8667e4

Strike ID: M21-7wt21
Malware: Dofoil_bc8169b8
Platform: Mixed
Info: This strike sends a malware sample known as Dofoil. Dofoil, also known as SmokeLoader, is typically used to download and execute various other malware. It has been associated with dropping and executing coin miners that mine cryptocurrency.
External References: https://blog.talosintelligence.com/2021/04/threat-roundup-0326-0402.html
SHA256: c8d5bef4f8a9c5ca0ae5fbeed8494952a2eb2068e716b075682d056b496493c6
SHA1: b0ba75389ce9ba4502c2126a1c5a2b353d4294bb
MD5: bc8169b8f36da028c90537694d4dedf0

Strike ID: M21-0szw1
Malware: Emotet_c0c2630f
Platform: Mixed
Info: This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails.
External References: https://blog.talosintelligence.com/2021/04/threat-roundup-0409-0416.html
SHA256: 7caba7cb01b4d53ec27d165e2910cfa79babd8d5f0a29eb236459d9eede5a040
SHA1: 439587c874fc262731d2ffa4cd18553adb03dca6
MD5: c0c2630f15827788f864b51ad4e66f2e

Strike ID: M21-rydf1
Malware: Bifrost_90005a6e
Platform: Mixed
Info: This strike sends a malware sample known as Bifrost. Bifrost is a backdoor that allows a remote attacker, who uses the client, to execute arbitrary code on the compromised machine. It contains standard Remote Access Trojan capabilities including taking screenshots, camera monitoring, and keylogging.
External References: https://blog.talosintelligence.com/2021/04/threat-roundup-0402-0409.html
SHA256: 0526c1ec541f196f5abc71044373be256a1073cb0b5f58820709a0f2c85eabf6
SHA1: 1298ccdbe057ec5573039bd118312fd2b5027afe
MD5: 90005a6ee45152b570fd53742b878be7

Strike ID: M21-3aka1
Malware: Trickbot_90b291b0
Platform: Mixed
Info: This strike sends a malware sample known as Trickbot. Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts.
External References: https://blog.talosintelligence.com/2021/04/threat-roundup-0409-0416.html
SHA256: 413de3f8b19c0bbda810761cca2ecdf16735932baa3f0b916f3e61d7a97e49a0
SHA1: 12720bf6dfc3f8a2dac002616f26e0a015e4ac18
MD5: 90b291b0c3e284b4e64072330a8b9f59

Strike ID: M21-g1v11
Malware: Expiro_e16a3cdf
Platform: Mixed
Info: This strike sends a malware sample known as Expiro. Expiro or Xpiro is a known file infector and information-stealer that hinders analysis with anti-debugging and anti-analysis tricks.
External References: https://blog.talosintelligence.com/2021/04/threat-roundup-0402-0409.html
SHA256: 20f9e4557de5ed6a79576d5817b535d6edfe7f2584b5ff84f3fedcd41b551c1f
SHA1: 5b6cf1a8695df5047690480adf59caad4ac084c5
MD5: e16a3cdf66e2a3d2bbc0b512c79e5314

Strike ID: M21-xaxz1
Malware: Bifrost_597907c7
Platform: Mixed
Info: This strike sends a polymorphic malware sample known as Bifrost. Bifrost is a backdoor that allows a remote attacker, who uses the client, to execute arbitrary code on the compromised machine. It contains standard Remote Access Trojan capabilities including taking screenshots, camera monitoring, and keylogging. The parent binary was packed using UPX, hence this binary is the unpacked version generated using upx -d.
External References: https://attack.mitre.org/techniques/T1045/
SHA256: a57a7547994cbe3291c9feae7904a25c2c25d59ca9d8bb200c2ad2d4025b0283
SHA1: 3bdcc6cab14b89277c585fb9ec71c69182455975
PARENTID: M21-q2r61
SSDEEP: 49152:6UZug8M3/4JXQCirb/77lVha9bHTKZGCb9afCCD31k961UlMXJ:67MeMrbTfhuSLaF1LXJ
MD5: 597907c703cddcff731ac25dc8a8becc

Strike ID: M21-8xdb1
Malware: Trickbot_0fdecaba
Platform: Mixed
Info: This strike sends a malware sample known as Trickbot. Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts.
External References: https://blog.talosintelligence.com/2021/04/threat-roundup-0409-0416.html
SHA256: 4c4200de9e89d65e9da6d397719400e59ce391c5515e706e456138a01eed4192
SHA1: d4697abf47007b652c61f677dc78512c0c4503d9
MD5: 0fdecabaa0d325922c0330049e68a826

Strike ID: M21-fq5t1
Malware: Bifrost_8799cf57
Platform: Mixed
Info: This strike sends a malware sample known as Bifrost. Bifrost is a backdoor that allows a remote attacker, who uses the client, to execute arbitrary code on the compromised machine. It contains standard Remote Access Trojan capabilities including taking screenshots, camera monitoring, and keylogging.
External References: https://blog.talosintelligence.com/2021/04/threat-roundup-0402-0409.html
SHA256: 073269b833d4a7cb6d3467f7e4cf7d519aad1ece80a54b83125d1e9feda5990e
SHA1: 0ed6772c68c8d9393cb8736466a031197d9c9089
MD5: 8799cf572264225b73066d118e6de76f

Strike ID: M21-dgjo1
Malware: Bifrost_2f0c11af
Platform: Mixed
Info: This strike sends a malware sample known as Bifrost. Bifrost is a backdoor that allows a remote attacker, who uses the client, to execute arbitrary code on the compromised machine. It contains standard Remote Access Trojan capabilities including taking screenshots, camera monitoring, and keylogging.
External References: https://blog.talosintelligence.com/2021/04/threat-roundup-0402-0409.html
SHA256: 076941594cd31c57524f62f03b08acb901e3fdfb082635d36d40f4947227b7a2
SHA1: 04f73602956543f4096ea15bd4e6894d38990596
MD5: 2f0c11af00219f9eec567c45a1ae97ff

Strike ID: M21-t7gp1
Malware: Emotet_e73d0b88
Platform: Mixed
Info: This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails.
External References: https://blog.talosintelligence.com/2021/04/threat-roundup-0409-0416.html
SHA256: 9368f2b61d539e999e5f3e9bc812fef6f5b3110fdc28174b21125d204fa77418
SHA1: 3fe920bdb02799fe1c7aff4f298805366f528a9c
MD5: e73d0b8841158cc52a3f52c1162b4f1a

Strike ID: M21-q2r61
Malware: Bifrost_796e5e8b
Platform: Mixed
Info: This strike sends a malware sample known as Bifrost. Bifrost is a backdoor that allows a remote attacker, who uses the client, to execute arbitrary code on the compromised machine. It contains standard Remote Access Trojan capabilities including taking screenshots, camera monitoring, and keylogging.
External References: https://blog.talosintelligence.com/2021/04/threat-roundup-0402-0409.html
SHA256: 0b2603cb0c45cec83355196b186b3b71ce336fc96f5ffc5f796e89f00dd27821
SHA1: 12fd721d0ac5e8b04e64a3ab44b6a47cd018de10
MD5: 796e5e8b154e8defa316ada29f9c6d4c

Strike ID: M21-bfxc1
Malware: Expiro_a9929ed0
Platform: Mixed
Info: This strike sends a malware sample known as Expiro. Expiro or Xpiro is a known file infector and information-stealer that hinders analysis with anti-debugging and anti-analysis tricks.
External References: https://blog.talosintelligence.com/2021/04/threat-roundup-0402-0409.html
SHA256: 1cb113a94790adf51cc820f4490412a8f6e7404e70689a7348129529ce6f85e8
SHA1: 85ad9f26d6e4106b63bb784c4505c2b55087e04c
MD5: a9929ed0a4b86f22d6773ba7f3a309f2

Strike ID: M21-7qla1
Malware: Trickbot_a40a1b35
Platform: Mixed
Info: This strike sends a malware sample known as Trickbot. Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts.
External References: https://blog.talosintelligence.com/2021/04/threat-roundup-0409-0416.html
SHA256: e7c8998b7196abde8112fbe3b1abe119f1337bc3ce69eaa94ac356681352b169
SHA1: 676d7c4909e15925a90f7143b8e928dace0f8286
MD5: a40a1b35110eb63c97b6552e8fe765ad

Strike ID: M21-jh561
Malware: Bifrost_ce832708
Platform: Mixed
Info: This strike sends a malware sample known as Bifrost. Bifrost is a backdoor that allows a remote attacker, who uses the client, to execute arbitrary code on the compromised machine. It contains standard Remote Access Trojan capabilities including taking screenshots, camera monitoring, and keylogging.
External References: https://blog.talosintelligence.com/2021/04/threat-roundup-0402-0409.html
SHA256: 070f2e267f5deb9d63c46699e72331e4d4f59730a13d0b58f4dd0bf2ff6a0da9
SHA1: 0c90b3b65a3bdb05707b374861f0fbd4938b34dd
MD5: ce832708d4933212087f74c828bbaaa5

Strike ID: M21-dpuk1
Malware: Bifrost_51d44d8f
Platform: Mixed
Info: This strike sends a malware sample known as Bifrost. Bifrost is a backdoor that allows a remote attacker, who uses the client, to execute arbitrary code on the compromised machine. It contains standard Remote Access Trojan capabilities including taking screenshots, camera monitoring, and keylogging.
External References: https://blog.talosintelligence.com/2021/04/threat-roundup-0402-0409.html
SHA256: 01563bf8352120e455b157eb6a976ef36805d7078d78e0d561af2d6967b9431d
SHA1: 0f49dca62ebbc3ca950f38d068a7be8be95324ae
MD5: 51d44d8fcdd031a645e823d282e7d047

Strike ID: M21-6eni1
Malware: Expiro_5146796f
Platform: Mixed
Info: This strike sends a malware sample known as Expiro. Expiro or Xpiro is a known file infector and information-stealer that hinders analysis with anti-debugging and anti-analysis tricks.
External References: https://blog.talosintelligence.com/2021/04/threat-roundup-0402-0409.html
SHA256: 217b940bffdcb10b56ec9f1fba455ff499cc36087bde3d12a4b6638313b8beaa
SHA1: 742b85699d62354c466c982e9476dc90a0e5f26b
MD5: 5146796f105b5a619b59e6ded6b53fb3

Strike ID: M21-kb7r1
Malware: Emotet_91adac33
Platform: Mixed
Info: This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails.
External References: https://blog.talosintelligence.com/2021/04/threat-roundup-0409-0416.html
SHA256: 88146887d14178ba82c74f3d0eb7ef8370c2fbcb0e0ede3bbbac24d39c49c1cb
SHA1: 78308743d59ffa97e8487d5c864d55b42eff0359
MD5: 91adac33b6d93c6991e2cfb4530a6464

Strike ID: M21-xbyj1
Malware: Dofoil_44aad9ee
Platform: Mixed
Info: This strike sends a malware sample known as Dofoil. Dofoil, also known as SmokeLoader, is typically used to download and execute various other malware. It has been associated with dropping and executing coin miners that mine cryptocurrency.
External References: https://blog.talosintelligence.com/2021/04/threat-roundup-0326-0402.html
SHA256: 4d11b045a577258f2ed62c1a56584c6ad8b0128398d19e2ad114c53dc091a734
SHA1: 61f23a050ea29cacad27fdebf376caa80f56e523
MD5: 44aad9eeb8af28286b332ab628d28f95

Strike ID: M21-g75r1
Malware: Bifrost_df74478b
Platform: Mixed
Info: This strike sends a polymorphic malware sample known as Bifrost. Bifrost is a backdoor that allows a remote attacker, who uses the client, to execute arbitrary code on the compromised machine. It contains standard Remote Access Trojan capabilities including taking screenshots, camera monitoring, and keylogging. The binary has the timestamp field updated in the PE file header.
External References: https://attack.mitre.org/techniques/T1099/
SHA256: 5c6307296de9c30a309c16132a18bda9ea38c9ee09475edbc8fb996d57a9a923
SHA1: ae144d37e36136a6877b77fedecfd7e016bc95ab
PARENTID: M21-q2r61
SSDEEP: 24576:gM9FUzQIyFfybd0nnbpfDYpY9OLSCR2Isb3ojRdhann6LjmHl25D+0ZpEo0Yv8aU:VFmQIQ6x0nt7YbeO2Is3odK4OM5D+aJe
MD5: df74478b8494a2a17157a8cd0cce6158

Strike ID: M21-7kf21
Malware: Bifrost_5797bcc3
Platform: Mixed
Info: This strike sends a malware sample known as Bifrost. Bifrost is a backdoor that allows a remote attacker, who uses the client, to execute arbitrary code on the compromised machine. It contains standard Remote Access Trojan capabilities including taking screenshots, camera monitoring, and keylogging.
External References: https://blog.talosintelligence.com/2021/04/threat-roundup-0402-0409.html
SHA256: 07c6c3dfd9312096f5afc63ae43d1f550b1da2a034116a062564cda0371b14a0
SHA1: 13e3e2ea984425712cd3557e631864f70baa5566
MD5: 5797bcc39cdc4731ceae5c87a9c673f1

Strike ID: M21-p8cu1
Malware: Expiro_4f42c310
Platform: Mixed
Info: This strike sends a malware sample known as Expiro. Expiro or Xpiro is a known file infector and information-stealer that hinders analysis with anti-debugging and anti-analysis tricks.
External References: https://blog.talosintelligence.com/2021/04/threat-roundup-0402-0409.html
SHA256: 21e29cf941252b7027daed128c49c4639e1a880d96ad23577147e4a5f0e054e4
SHA1: a0214e924a3d48145935a8a5385dbe5ad2ca974e
MD5: 4f42c3100de4b453ab5f13a1b66792b5

Strike ID: M21-xllw1
Malware: Bifrost_5f0e5fcf
Platform: Mixed
Info: This strike sends a malware sample known as Bifrost. Bifrost is a backdoor that allows a remote attacker, who uses the client, to execute arbitrary code on the compromised machine. It contains standard Remote Access Trojan capabilities including taking screenshots, camera monitoring, and keylogging.
External References: https://blog.talosintelligence.com/2021/04/threat-roundup-0402-0409.html
SHA256: 0a55e423a2695d91190c31dc08c945839863c5ea59b98a3f8494f7fcc9379391
SHA1: 118fa0f66b3a0cc1fe20aa63fc47ee88519d84f4
MD5: 5f0e5fcf4039b92c816086ba6d0a7e70

Strike ID: M21-p9wv1
Malware: Emotet_57674369
Platform: Mixed
Info: This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails.
External References: https://blog.talosintelligence.com/2021/04/threat-roundup-0409-0416.html
SHA256: 224cc5e51285c9523bfaf67d7baf8ddc62eee0657797f39343409087a00a6c18
SHA1: 7505f2fe477cf679094f2c96bd93621d81105f5d
MD5: 57674369f83c58d391eff88877f0fce2

Strike ID: M21-4y1r1
Malware: Bifrost_ef19d9ec
Platform: Mixed
Info: This strike sends a malware sample known as Bifrost. Bifrost is a backdoor that allows a remote attacker, who uses the client, to execute arbitrary code on the compromised machine. It contains standard Remote Access Trojan capabilities including taking screenshots, camera monitoring, and keylogging.
External References: https://blog.talosintelligence.com/2021/04/threat-roundup-0402-0409.html
SHA256: 07182ebed691e51e974f25abe319401af0df574372a33393c2b01a10dba7af62
SHA1: 0f9cf0666a35b1c8634aa7ad73dfa7f3a75327bd
MD5: ef19d9ec2a52269c50210d279066638a

Strike ID: M21-204f1
Malware: Trickbot_46b94155
Platform: Mixed
Info: This strike sends a malware sample known as Trickbot. Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts.
External References: https://blog.talosintelligence.com/2021/04/threat-roundup-0409-0416.html
SHA256: 3fecbe5f0b60d94a8a07e6bd2121968c3413d6be1be1909cc00f6ee1a1a180c3
SHA1: 484896ccccb6bfbc88ba068531e27683e10f3ebc
MD5: 46b941555f3008c0a72ae5688f6c1f9b

Strike ID: M21-g9pl1
Malware: Trickbot_00dc9c34
Platform: Mixed
Info: This strike sends a polymorphic malware sample known as Trickbot. Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts. The binary has random bytes appended at the end of the file.
External References: https://attack.mitre.org/techniques/T1009/
SHA256: e7bfdbd6376496dbf0f25341a6b7fb0fdfa5ee975b900659d948d086bfa2b333
SHA1: 5c4d01490b652ebac9cf5276f65dc316cae304d9
PARENTID: M21-7qla1
SSDEEP: 6144:qmJK9dt1qaV//8N/ctawG1m3Ozse10puYfmsuv22eo:BJdc0wL410pDesu+ro
MD5: 00dc9c346cd84fa75d43ccae5bb86c4a

Strike ID: M21-xabs1
Malware: Trickbot_81538286
Platform: Mixed
Info: This strike sends a polymorphic malware sample known as Trickbot. Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts. The binary has random strings (lorem ipsum) appended at the end of the file.
External References: https://attack.mitre.org/techniques/T1009/
SHA256: cf6c522f751c61a3c8be5acda60780daa0f915af630ff275c1292ab7cd8c663a
SHA1: d76c922d4f04d18fe93a8d06bd918139ad0ce216
PARENTID: M21-7qla1
SSDEEP: 6144:qmJK9dt1qaV//8N/ctawG1m3Ozse10puYfmsuv22eY:BJdc0wL410pDesu+rY
MD5: 81538286e9c717293649effac6b84286

Strike ID: M21-q1me1
Malware: Emotet_64c5ac3e
Platform: Mixed
Info: This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails.
External References: https://blog.talosintelligence.com/2021/04/threat-roundup-0409-0416.html
SHA256: 556297f467fa407294459887692200c5dc04a6ee74b5ec974bbdfe0f62640cc6
SHA1: d58be09aa60e50540e8d5cf99f65b3060d3dea8f
MD5: 64c5ac3e5f42ff74c1a174513517e894

Strike ID: M21-99i61
Malware: Emotet_4249fe0b
Platform: Mixed
Info: This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails.
External References: https://blog.talosintelligence.com/2021/04/threat-roundup-0409-0416.html
SHA256: 0fb01a55c22f907b3a4563bde5412ae15d75661e11f96bd679d6c4e59e2f8331
SHA1: 1c7e99c14ade3a98307fff41b03842eaec2d2eca
MD5: 4249fe0bca2c3b5b5cb48d42814cefbb

Strike ID: M21-bycj1
Malware: Hades_9fa1ba3e
Platform: Mixed
Info: This strike sends a malware sample known as Hades. Hades is a ransomware created by the cyber-criminal group INDRIK SPIDER, also known as Evil Corp. It shares most of its functionality with WastedLocker and is thus considered a derivative of it.
External References: https://www.crowdstrike.com/blog/hades-ransomware-successor-to-indrik-spiders-wastedlocker/
SHA256: fe997a590a68d98f95ac0b6c994ba69c3b2ece9841277b7fecd9dfaa6f589a87
SHA1: 7bcea3fbfcb4c170c57c9050499e1fae40f5d731
MD5: 9fa1ba3e7d6e32f240c790753cdaaf8e

Strike ID: M21-avst1
Malware: Bifrost_175db028
Platform: Mixed
Info: This strike sends a malware sample known as Bifrost. Bifrost is a backdoor that allows a remote attacker, who uses the client, to execute arbitrary code on the compromised machine. It contains standard Remote Access Trojan capabilities including taking screenshots, camera monitoring, and keylogging.
External References: https://blog.talosintelligence.com/2021/04/threat-roundup-0402-0409.html
SHA256: 06212381e4cf287bd20cc6b4db8f794afb237015191b3ced584709c8fb9d27e4
SHA1: 106ae81caf5c63bf999d95451daa03a84c8d573e
MD5: 175db028ffcd0b6c109d80b3d9cfa06f

Strike ID: M21-6vze1
Malware: Bifrost_7ade2faa
Platform: Mixed
Info: This strike sends a malware sample known as Bifrost. Bifrost is a backdoor that allows a remote attacker, who uses the client, to execute arbitrary code on the compromised machine. It contains standard Remote Access Trojan capabilities including taking screenshots, camera monitoring, and keylogging.
External References: https://blog.talosintelligence.com/2021/04/threat-roundup-0402-0409.html
SHA256: 00e7cdd19741cc41b53311925f0eed9d105bfb13dd7f3006f77c096fb358abb5
SHA1: 085ae71992ceac8a1134ffada06eabd20c24554c
MD5: 7ade2faad28324ad407b1e430fc0d4fd

Strike ID: M21-npdy1
Malware: Emotet_5dba15ae
Platform: Mixed
Info: This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails.
External References: https://blog.talosintelligence.com/2021/04/threat-roundup-0409-0416.html
SHA256: cde952e9e44a1cab956bd6b0942d33ab23908ed090cc378946a8ca874744e3f2
SHA1: 141e7dd78494b194c95c021ab819cf4ec3734342
MD5: 5dba15aec0800e03cac012455c47504c

Strike ID: M21-uxtl1
Malware: Bifrost_4c39d9a1
Platform: Mixed
Info: This strike sends a malware sample known as Bifrost. Bifrost is a backdoor that allows a remote attacker, who uses the client, to execute arbitrary code on the compromised machine. It contains standard Remote Access Trojan capabilities including taking screenshots, camera monitoring, and keylogging.
External References: https://blog.talosintelligence.com/2021/04/threat-roundup-0402-0409.html
SHA256: 06ad224230699fab463da86b25bb30f80fb85fd0c94c969a4a2a1e174b175b24
SHA1: 0e3a9996e85505db346680ade18a0ee67cc129dd
MD5: 4c39d9a16e07a866fd6b34604cd32860

Strike ID: M21-bdsu1
Malware: Expiro_c5877275
Platform: Mixed
Info: This strike sends a malware sample known as Expiro. Expiro or Xpiro is a known file infector and information-stealer that hinders analysis with anti-debugging and anti-analysis tricks.
External References: https://blog.talosintelligence.com/2021/04/threat-roundup-0402-0409.html
SHA256: 362e1a15f0db166301d978cc8cfdc0aa40f8f80da2658951cbd4c95ef07d631d
SHA1: 65c4f46136b9590cb59870d0dfa607b7dc2111f8
MD5: c5877275ffbfab064142094638cb4dc9

Strike ID: M21-45oq1
Malware: Dofoil_d6b15dd2
Platform: Mixed
Info: This strike sends a malware sample known as Dofoil. Dofoil, also known as SmokeLoader, is typically used to download and execute various other malware. It has been associated with dropping and executing coin miners that mine cryptocurrency.
External References: https://blog.talosintelligence.com/2021/04/threat-roundup-0326-0402.html
SHA256: be801f78febf260293a7977dfd7f539f97faf3badbb8d21fe95ca894dd373e0e
SHA1: 37efd0e6bcbb2b46a2f0735c189a7d73d1ecc530
MD5: d6b15dd2c82446ef06feb78f18ed6435

Strike ID: M21-rpwh1
Malware: Bifrost_b9d3c518
Platform: Mixed
Info: This strike sends a malware sample known as Bifrost. Bifrost is a backdoor that allows a remote attacker, who uses the client, to execute arbitrary code on the compromised machine. It contains standard Remote Access Trojan capabilities including taking screenshots, camera monitoring, and keylogging.
External References: https://blog.talosintelligence.com/2021/04/threat-roundup-0402-0409.html
SHA256: 05211b35f49fba994db8781ee448c13f420ec81614faa2d9362df8b746c71dda
SHA1: 05d090e247bcdeade22e259cc92588d6c2799841
MD5: b9d3c5182f8dca8fb5006ca1f4e5f96e
M21-vywv1 Expiro_f654a322 Mixed This strike sends a malware sample known as Expiro. Expiro or Xpiro is a known file infector and information-stealer that hinders analysis with anti-debugging and anti-analysis tricks. f654a322a5da0d94ca89ae517c421d00 https://blog.talosintelligence.com/2021/04/threat-roundup-0402-0409.html
SHA256: 3ef66b99897d50fed0647a6dbc6f9ac39ae43ad7dc6106b501c1fc0b1946b939
SHA1: 8e2cacb3ce853726fede6faa6bb6a79c2d85631a
MD5: f654a322a5da0d94ca89ae517c421d00
M21-ugm51 Trickbot_0a92735e Mixed This strike sends a malware sample known as Trickbot. Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts. 0a92735e7370e9c08f1b67480060ef8b https://blog.talosintelligence.com/2021/04/threat-roundup-0409-0416.html
SHA256: 957e347e4df5faa6a8324f7f101ca3bd7f5a4fd254e18e10600708b09e6b847e
SHA1: 84f658220497fb1a933d497c4def34b0dc3d4589
MD5: 0a92735e7370e9c08f1b67480060ef8b
M21-huwg1 Dofoil_3584fb56 Mixed This strike sends a malware sample known as Dofoil. Dofoil, also known as SmokeLoader, is typically used to download and execute various other malware. It has been associated with dropping and executing coin miners that mine cryptocurrency. 3584fb561a89745f5562f34ca6d2d90e https://blog.talosintelligence.com/2021/04/threat-roundup-0326-0402.html
SHA256: aec1921b68b08b6524304f0857bf328c7a404f25fdac2cd9ee88aaa822be6567
SHA1: e511f26a984ab22712ced571e753be42b3280dcc
MD5: 3584fb561a89745f5562f34ca6d2d90e
M21-kggw1 Emotet_6d7e080c Mixed This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails. 6d7e080c1ffd4194b7620d26cc77f6f3 https://blog.talosintelligence.com/2021/04/threat-roundup-0409-0416.html
SHA256: aab15a7ace0d41bd1e7b13dcf9d030aa4fd558d588c328d1b97470e9059eb8c8
SHA1: fa63c2d3bd3ce5ba565b798f1198fc41484a128e
MD5: 6d7e080c1ffd4194b7620d26cc77f6f3
M21-4iag1 Emotet_caf8cac0 Mixed This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails. caf8cac0abd6e928a6de6e4d618ca5b2 https://blog.talosintelligence.com/2021/04/threat-roundup-0409-0416.html
SHA256: df15bb8e09ff23c5d5adec1a7315a628745cb56c71a1ca19d84693a23e1b600d
SHA1: f8bc83970091160ea077b9256d579a46fa972824
MD5: caf8cac0abd6e928a6de6e4d618ca5b2
M21-1v7h1 Expiro_ab58a757 Mixed This strike sends a malware sample known as Expiro. Expiro or Xpiro is a known file infector and information-stealer that hinders analysis with anti-debugging and anti-analysis tricks. ab58a757aa734d1ee7beba9262ea851f https://blog.talosintelligence.com/2021/04/threat-roundup-0402-0409.html
SHA256: 40ac0bc43296018eda50d2f5c7017a4ceebd1a0639dad9838adf434ec8047b1a
SHA1: 17e31f7c12adcca9e4a9c317d98049fae095485d
MD5: ab58a757aa734d1ee7beba9262ea851f
M21-0sys1 Bifrost_6815b438 Mixed This strike sends a malware sample known as Bifrost. Bifrost is a backdoor that allows a remote attacker, who uses the client, to execute arbitrary code on the compromised machine. It contains standard Remote Access Trojan capabilities including taking screenshots, camera monitoring, and keylogging. 6815b438ef2c105a05bd5a3137da5b6c https://blog.talosintelligence.com/2021/04/threat-roundup-0402-0409.html
SHA256: 03d8fbebbf69625c566cd95f140076f49c6dc9ec05cab41848b6ab8d8e5d1282
SHA1: 109831fcb515f2bdb72ea029a3a8346d9669b540
MD5: 6815b438ef2c105a05bd5a3137da5b6c
M21-hx1h1 Dofoil_f80691f4 Mixed This strike sends a malware sample known as Dofoil. Dofoil, also known as SmokeLoader, is typically used to download and execute various other malware. It has been associated with dropping and executing coin miners that mine cryptocurrency. f80691f47500b11ae90d642583a87781 https://blog.talosintelligence.com/2021/04/threat-roundup-0326-0402.html
SHA256: 1e7e024929426dc634eb67cdf25e1ea621bcaa437707f1956a96c62d66307c30
SHA1: 17cd5b44e24a926a16e177f5c1978e1bd2a5fde3
MD5: f80691f47500b11ae90d642583a87781
M21-341v1 Bifrost_72f8e14e Mixed This strike sends a malware sample known as Bifrost. Bifrost is a backdoor that allows a remote attacker, who uses the client, to execute arbitrary code on the compromised machine. It contains standard Remote Access Trojan capabilities including taking screenshots, camera monitoring, and keylogging. 72f8e14ee194325d3390fa9d558b8349 https://blog.talosintelligence.com/2021/04/threat-roundup-0402-0409.html
SHA256: 02d2fb1816985fbaf7f90d3c44aac8a57c5fbf1b70f0af969c1ed299710831ec
SHA1: 07a1e82195d19c809f68f371f53a3fc963e44899
MD5: 72f8e14ee194325d3390fa9d558b8349
M21-0m9u1 Expiro_d9a35ce3 Mixed This strike sends a malware sample known as Expiro. Expiro or Xpiro is a known file infector and information-stealer that hinders analysis with anti-debugging and anti-analysis tricks. d9a35ce3b7c6e201054527769d208dab https://blog.talosintelligence.com/2021/04/threat-roundup-0402-0409.html
SHA256: 1453ff97ce2fca719c6041bfb74700e530bc580b64713b2b5697365741df3ec5
SHA1: 259d8475cf0c0993e84b32814d06a6f95fd16482
MD5: d9a35ce3b7c6e201054527769d208dab
M21-auiq1 Trickbot_a67fcd6d Mixed This strike sends a malware sample known as Trickbot. Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts. a67fcd6db8f635da1bf4fe903199ccc8 https://blog.talosintelligence.com/2021/04/threat-roundup-0409-0416.html
SHA256: 0eeb131101c7687e7c5238e74c1104546db23ef58fa2be1b494d48683054903e
SHA1: e35a4e45e750eebeba659219c797f8d216115a4e
MD5: a67fcd6db8f635da1bf4fe903199ccc8
M21-fqgp1 Emotet_bd57c86b Mixed This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails. bd57c86b7951578d3a4a163b6d6da6c5 https://blog.talosintelligence.com/2021/04/threat-roundup-0409-0416.html
SHA256: 7989d1d090d3ff076ff23b5d9e796bf0ab5810c2cf83a0e2bd1fb22266a5b359
SHA1: 828ed81217f6941890de9eba2c616f568d722bb5
MD5: bd57c86b7951578d3a4a163b6d6da6c5
M21-1b191 Emotet_553e53c9 Mixed This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails. 553e53c975d2ff6346302210a2145b14 https://blog.talosintelligence.com/2021/04/threat-roundup-0409-0416.html
SHA256: 6cd2ce8b2839be56753bfe8ab166c793a6fafac873ed4169ad3fcc4dad6d520a
SHA1: 4b9bac7826ab1f141de2adfff8362950eab04701
MD5: 553e53c975d2ff6346302210a2145b14
M21-e2o01 Dofoil_acdbed3a Mixed This strike sends a malware sample known as Dofoil. Dofoil, also known as SmokeLoader, is typically used to download and execute various other malware. It has been associated with dropping and executing coin miners that mine cryptocurrency. acdbed3ae6e2a055308a239fe9747eea https://blog.talosintelligence.com/2021/04/threat-roundup-0326-0402.html
SHA256: 1ebcb62975ca935c0c538d1a421fe94c35c42ca42ebae3fdddce3b23240899b0
SHA1: cb7d3b519fc0e70017ebda359f7e270c58d6e8d8
MD5: acdbed3ae6e2a055308a239fe9747eea
M21-xzx61 Expiro_b45603d9 Mixed This strike sends a malware sample known as Expiro. Expiro or Xpiro is a known file infector and information-stealer that hinders analysis with anti-debugging and anti-analysis tricks. b45603d9ea29859e52e80cf2d5169ce7 https://blog.talosintelligence.com/2021/04/threat-roundup-0402-0409.html
SHA256: 347559db36d953aa093c91479a9dad8ca4fb655dd29b6028c3ea0b934e5bf564
SHA1: 4423f6cce0f6d6a1f4e57d95b8ed798c167f834c
MD5: b45603d9ea29859e52e80cf2d5169ce7
M21-58rz1 Trickbot_e4751c1f Mixed This strike sends a polymorphic malware sample known as Trickbot. Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts. The binary has the timestamp field updated in the PE file header. e4751c1f57c370d74ef96f814c1a1b06 https://attack.mitre.org/techniques/T1099/
SHA256: 0793acdbefb25ad72d3551fe1d0a0afae96b74a10a0654ceffa77ef83ba125ca
SHA1: 46cbf5d3d9e4a5c754c085fb5cdbdc29ef48bc95
PARENTID: M21-7qla1
SSDEEP: 6144:xmJK9dt1qaV//8N/ctawG1m3Ozse10puYfmsuv22eh:MJdc0wL410pDesu+rh
MD5: e4751c1f57c370d74ef96f814c1a1b06
M21-08zh1 Dofoil_945cb107 Mixed This strike sends a malware sample known as Dofoil. Dofoil, also known as SmokeLoader, is typically used to download and execute various other malware. It has been associated with dropping and executing coin miners that mine cryptocurrency. 945cb1078a84c7ab1871fe5d7989dc8d https://blog.talosintelligence.com/2021/04/threat-roundup-0326-0402.html
SHA256: 8176f5b87011d4d4db43e23663350820ef7a8f31ab452cf5ceae53b49d51b41e
SHA1: 55940d51faa17bc48bc6286f8cef7d8ed073fb57
MD5: 945cb1078a84c7ab1871fe5d7989dc8d
M21-zm7g1 Dofoil_5b7add55 Mixed This strike sends a malware sample known as Dofoil. Dofoil, also known as SmokeLoader, is typically used to download and execute various other malware. It has been associated with dropping and executing coin miners that mine cryptocurrency. 5b7add55ea91cae73e7c851667f4f227 https://blog.talosintelligence.com/2021/04/threat-roundup-0326-0402.html
SHA256: 83f1e0aceccf0ee054b7f0a933f3ccea3b2306d5b3bea741ea9206c08428a58f
SHA1: ccd538a6cff51b360d118b89256ee343da9d2620
MD5: 5b7add55ea91cae73e7c851667f4f227
M21-126c1 Emotet_c3b7af5b Mixed This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails. c3b7af5b876b04e9e246d9e4e727807d https://blog.talosintelligence.com/2021/04/threat-roundup-0409-0416.html
SHA256: 21d13676ec24bbe21071be6ef56082744a3703904941d062ae1d59b38db2b394
SHA1: 2341941968f51dbd68de701fe0c973d933fbdd2f
MD5: c3b7af5b876b04e9e246d9e4e727807d
M21-dwpa1 Bifrost_5a40d3ac Mixed This strike sends a malware sample known as Bifrost. Bifrost is a backdoor that allows a remote attacker, who uses the client, to execute arbitrary code on the compromised machine. It contains standard Remote Access Trojan capabilities including taking screenshots, camera monitoring, and keylogging. 5a40d3ac2a6fe1eab16d1500ede4db8c https://blog.talosintelligence.com/2021/04/threat-roundup-0402-0409.html
SHA256: 06588f3c7deebe0f4ea951e17ddb11ebea92712137aa971756f6102451da5539
SHA1: 03f20c4eba47173487e2b77597f8baf6a1a0ef70
MD5: 5a40d3ac2a6fe1eab16d1500ede4db8c
M21-y5tt1 Emotet_a047e8bc Mixed This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails. a047e8bc82f34dffefd1748eee7a7160 https://blog.talosintelligence.com/2021/04/threat-roundup-0409-0416.html
SHA256: 1f60fa927adf69656e2386239b01e6b5a22fbde11034a1561d462d480efc1c32
SHA1: be0860a33e72eba157a66080de7bb13a699a8f5e
MD5: a047e8bc82f34dffefd1748eee7a7160
M21-6v7w1 Bifrost_4f86b517 Mixed This strike sends a malware sample known as Bifrost. Bifrost is a backdoor that allows a remote attacker, who uses the client, to execute arbitrary code on the compromised machine. It contains standard Remote Access Trojan capabilities including taking screenshots, camera monitoring, and keylogging. 4f86b517e0ff6130ae58d272476f5de8 https://blog.talosintelligence.com/2021/04/threat-roundup-0402-0409.html
SHA256: 095bbc10705d60a2cdc7c6aa3236914eef708da30fa2ec4053a6c3ffab3890f1
SHA1: 03378d809f6ddb26346437ca26a47cbec909ab24
MD5: 4f86b517e0ff6130ae58d272476f5de8
M21-k0gj1 Expiro_2f1f1c29 Mixed This strike sends a malware sample known as Expiro. Expiro or Xpiro is a known file infector and information-stealer that hinders analysis with anti-debugging and anti-analysis tricks. 2f1f1c29323c486eb5e256a8c1f16050 https://blog.talosintelligence.com/2021/04/threat-roundup-0402-0409.html
SHA256: 29305fc76610930fed67b93437d1f277ba5ee851f64b3de72b939d88395e50f5
SHA1: 6bd77555ca59834a6813be772cda4c4414f907c5
MD5: 2f1f1c29323c486eb5e256a8c1f16050
M21-iib61 Expiro_04e0b84b Mixed This strike sends a malware sample known as Expiro. Expiro or Xpiro is a known file infector and information-stealer that hinders analysis with anti-debugging and anti-analysis tricks. 04e0b84b8474dcefbc68b7782cf61fa3 https://blog.talosintelligence.com/2021/04/threat-roundup-0402-0409.html
SHA256: 3366dbd762fc25c9517465349e74058f1ae080085cd3196f5626392b5884e233
SHA1: 3e0ca975108b86b1fb75bec187fde395c764274b
MD5: 04e0b84b8474dcefbc68b7782cf61fa3
M21-e8xw1 Expiro_ee1389b2 Mixed This strike sends a malware sample known as Expiro. Expiro or Xpiro is a known file infector and information-stealer that hinders analysis with anti-debugging and anti-analysis tricks. ee1389b23c27eba03147d094e5da3355 https://blog.talosintelligence.com/2021/04/threat-roundup-0402-0409.html
SHA256: 28946810f7b8577132a0dcf57de19767a0cb4a8e2db1317fd63c98d44e538cb8
SHA1: 4e8a1f2d5b43a7407f9141bb83bb0ed90646ec44
MD5: ee1389b23c27eba03147d094e5da3355
M21-nrg21 Expiro_eee03c27 Mixed This strike sends a malware sample known as Expiro. Expiro or Xpiro is a known file infector and information-stealer that hinders analysis with anti-debugging and anti-analysis tricks. eee03c2746f5188eb4b2dc0ede35e9e5 https://blog.talosintelligence.com/2021/04/threat-roundup-0402-0409.html
SHA256: 11672b01e740ce812e9488a5c30862848b58aaaab7019445c1e2ce14f1dfdd6c
SHA1: 85d36966385244ac3c014387ae75977cce40f210
MD5: eee03c2746f5188eb4b2dc0ede35e9e5
M21-rn2w1 Trickbot_94e65f4a Mixed This strike sends a polymorphic malware sample known as Trickbot. Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts. The binary has a random section name renamed according to the PE format specification. 94e65f4a15aacf78dbf61522bc83ed71 https://arxiv.org/abs/1801.08917
SHA256: 181e774c9a5f6a0eef011f8f635d404056d17fd95cbc1a17d25e1262373e32ca
SHA1: 8c0294b3831da1a6664641d06ec90f4c7a1b4136
PARENTID: M21-7qla1
SSDEEP: 6144:AmJK9dt1qaV//8N/ctawG1m3Ozse10puYfmsuv22eh:zJdc0wL410pDesu+rh
MD5: 94e65f4a15aacf78dbf61522bc83ed71
M21-xnp01 Bifrost_7b2cfdf1 Mixed This strike sends a polymorphic malware sample known as Bifrost. Bifrost is a backdoor that allows a remote attacker, who uses the client, to execute arbitrary code on the compromised machine. It contains standard Remote Access Trojan capabilities including taking screenshots, camera monitoring, and keylogging. The binary has a random section name renamed according to the PE format specification. 7b2cfdf149b30ce6f15c3771f77c7430 https://arxiv.org/abs/1801.08917
SHA256: ab511f84960c1b9fdafa7e47ef1cc459d214590a9143fae40f39c5ba218ffadb
SHA1: ed5f6f66a297e908dfe3583dc619a6cda5c364ed
PARENTID: M21-q2r61
SSDEEP: 24576:pM9FUzQIyFfybd0nnbpfDYpY9OLSCR2Isb3ojRdhann6LjmHl25D+0ZpEo0Yv8aU:eFmQIQ6x0nt7YbeO2Is3odK4OM5D+aJe
MD5: 7b2cfdf149b30ce6f15c3771f77c7430
M21-pye11 Emotet_524e824a Mixed This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails. 524e824ac17c816c0bd50ffeae623507 https://blog.talosintelligence.com/2021/04/threat-roundup-0409-0416.html
SHA256: 0538f769fea2d8714add22948a753b8fc39e3e920c7d3b8d5431b05f7a699ed5
SHA1: 4886b4aacbd812cb08194b79bfce10b3e7a51769
MD5: 524e824ac17c816c0bd50ffeae623507
M21-g30n1 Dofoil_a41b3582 Mixed This strike sends a malware sample known as Dofoil. Dofoil, also known as SmokeLoader, is typically used to download and execute various other malware. It has been associated with dropping and executing coin miners that mine cryptocurrency. a41b35821e750b19e71cdc5ece08b91f https://blog.talosintelligence.com/2021/04/threat-roundup-0326-0402.html
SHA256: a8546a9766dec41398b77083033656665b0b2b456bafeef6787284e224edde7d
SHA1: 6935cbacefbb4bf931db6ccce992af238eda7f9e
MD5: a41b35821e750b19e71cdc5ece08b91f
M21-2uxv1 Trickbot_118d0859 Mixed This strike sends a malware sample known as Trickbot. Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts. 118d08599d7b68c09fb4c698d1a6a2f7 https://blog.talosintelligence.com/2021/04/threat-roundup-0409-0416.html
SHA256: 8aba45ca10552918328b739471cf92085b98411f47bd4c09ea385c7e24ddd830
SHA1: 4e5364c175d9438f9f8a975f34bf6af1a569827e
MD5: 118d08599d7b68c09fb4c698d1a6a2f7
M21-rb991 Emotet_8cdace86 Mixed This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails. 8cdace8642fe8dd4c649bf6a9dc6d632 https://blog.talosintelligence.com/2021/04/threat-roundup-0409-0416.html
SHA256: 6b9956c7c01261725ee15cb28a9b9c90170a3dd559c25f1f053d10db32b591b2
SHA1: 999417edf48bb5db9c9e5c592198c71b122dbe9d
MD5: 8cdace8642fe8dd4c649bf6a9dc6d632
M21-alii1 Bifrost_50c35460 Mixed This strike sends a malware sample known as Bifrost. Bifrost is a backdoor that allows a remote attacker, who uses the client, to execute arbitrary code on the compromised machine. It contains standard Remote Access Trojan capabilities including taking screenshots, camera monitoring, and keylogging. 50c35460a0eb4151aee2ad125710ee03 https://blog.talosintelligence.com/2021/04/threat-roundup-0402-0409.html
SHA256: 09feb90ba24cf83b11b864527eb961a30d5f958f46cdb2b52f19ed789cef39b5
SHA1: 130846e960c6947efcebc906aa070995eaa3f06b
MD5: 50c35460a0eb4151aee2ad125710ee03
M21-klpc1 Bifrost_7bfd93ce Mixed This strike sends a malware sample known as Bifrost. Bifrost is a backdoor that allows a remote attacker, who uses the client, to execute arbitrary code on the compromised machine. It contains standard Remote Access Trojan capabilities including taking screenshots, camera monitoring, and keylogging. 7bfd93ce9a580270c34f0ee1d96720de https://blog.talosintelligence.com/2021/04/threat-roundup-0402-0409.html
SHA256: 02c89c2a5e4723b104338e05aff1a4fdd61d3b7bdec2b22a38ef6fb37e3b82bd
SHA1: 09bf7c2d1ee5f4abc8cabe3172735909f142ff4a
MD5: 7bfd93ce9a580270c34f0ee1d96720de
M21-4zfk1 Trickbot_91ff661e Mixed This strike sends a malware sample known as Trickbot. Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts. 91ff661eecc2a978f43dd537ecc40212 https://blog.talosintelligence.com/2021/04/threat-roundup-0409-0416.html
SHA256: a004e7f21a0a353ab8af5759fc610dd78ae69fdff944ec0a4652d4325b1908c7
SHA1: b8b3c7afa69f9feb2af3934185fd32f3c376eda0
MD5: 91ff661eecc2a978f43dd537ecc40212
M21-3a5t1 Expiro_550cab38 Mixed This strike sends a malware sample known as Expiro. Expiro or Xpiro is a known file infector and information-stealer that hinders analysis with anti-debugging and anti-analysis tricks. 550cab38c32073db8b332701584439fe https://blog.talosintelligence.com/2021/04/threat-roundup-0402-0409.html
SHA256: 3408ccbdb816bc9f2e540f9cd90a5edd7a1f383518909edd50599545838bd072
SHA1: df14646f16649c57a4dbfef5bd66173c7d10641e
MD5: 550cab38c32073db8b332701584439fe
M21-vuue1 Dofoil_7dd17081 Mixed This strike sends a malware sample known as Dofoil. Dofoil, also known as SmokeLoader, is typically used to download and execute various other malware. It has been associated with dropping and executing coin miners that mine cryptocurrency. 7dd17081fb73d13df36e28ce13b0fc8c https://blog.talosintelligence.com/2021/04/threat-roundup-0326-0402.html
SHA256: 0c451e42735fa72cb36d1cc6911cd78ff5a6605bbf104c5f43b90342b1cc38db
SHA1: 5d816f1f3d2ab9afee6a34c99db52f25f49b9110
MD5: 7dd17081fb73d13df36e28ce13b0fc8c
M21-yabp1 Dofoil_77bbe1ee Mixed This strike sends a malware sample known as Dofoil. Dofoil, also known as SmokeLoader, is typically used to download and execute various other malware. It has been associated with dropping and executing coin miners that mine cryptocurrency. 77bbe1ee50b49407d6d05afb4ca96ff7 https://blog.talosintelligence.com/2021/04/threat-roundup-0326-0402.html
SHA256: 62438d9ec56061fb81f514d6c8eff718f765d3101c16f70051c605deb3e4d788
SHA1: f0c0e7db4fceb57c2b34d819dbe9b4ae7f6678d9
MD5: 77bbe1ee50b49407d6d05afb4ca96ff7
M21-1o0d1 Bifrost_fa32787c Mixed This strike sends a polymorphic malware sample known as Bifrost. Bifrost is a backdoor that allows a remote attacker, who uses the client, to execute arbitrary code on the compromised machine. It contains standard Remote Access Trojan capabilities including taking screenshots, camera monitoring, and keylogging. The binary has the checksum removed in the PE file format. fa32787cb971f620bed716b862ac6ed0 https://arxiv.org/abs/1801.08917
SHA256: fcd995669be091cde67e3735fca549940276cfc5cb59eb0f57b8c56074c9ad5d
SHA1: e1683de04a7b0d5badf2538ae2fec338763469ca
PARENTID: M21-q2r61
SSDEEP: 24576:eM9FUzQIyFfybd0nnbpfDYpY9OLSCR2Isb3ojRdhann6LjmHl25D+0ZpEo0Yv8aU:7FmQIQ6x0nt7YbeO2Is3odK4OM5D+aJe
MD5: fa32787cb971f620bed716b862ac6ed0
M21-kc3n1 Trickbot_d4350a2f Mixed This strike sends a malware sample known as Trickbot. Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts. d4350a2f7e1cad0ee465f0f8170f8ecf https://blog.talosintelligence.com/2021/04/threat-roundup-0409-0416.html
SHA256: 83bf6d1bc398ff7edcbdb3d3bfbca3ef8789c3eef2668eeaba3fdb436aa43f64
SHA1: f42ecc12a8a89c0b83d8d4c563441d09f0bab627
MD5: d4350a2f7e1cad0ee465f0f8170f8ecf
M21-03w41 Expiro_cfec50d3 Mixed This strike sends a malware sample known as Expiro. Expiro or Xpiro is a known file infector and information-stealer that hinders analysis with anti-debugging and anti-analysis tricks. cfec50d3ddb50a9ebd752d069837ee2b https://blog.talosintelligence.com/2021/04/threat-roundup-0402-0409.html
SHA256: 0dd0073d65e8985095d97de67bc5e38794d1c578af45d6a473a2ff84dab4e39f
SHA1: b71a8adf05938ded71cc556bf72c0dd5eab77460
MD5: cfec50d3ddb50a9ebd752d069837ee2b
M21-oh1p1 Expiro_0e9dcdba Mixed This strike sends a malware sample known as Expiro. Expiro or Xpiro is a known file infector and information-stealer that hinders analysis with anti-debugging and anti-analysis tricks. 0e9dcdba66ee4d9753292f4112a4537b https://blog.talosintelligence.com/2021/04/threat-roundup-0402-0409.html
SHA256: 09e2c7b6e3163c9aae91096dba1dd1faa25e9f0d652548112705fca9b9769b10
SHA1: 959ead9a980da4ffa8bbfed862581ebaddf0f6c9
MD5: 0e9dcdba66ee4d9753292f4112a4537b
M21-s3x81 Trickbot_9dfac898 Mixed This strike sends a malware sample known as Trickbot. Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts. 9dfac8989e68abdfda410a3513d9668e https://blog.talosintelligence.com/2021/04/threat-roundup-0409-0416.html
SHA256: 11179c3750414ddb59b561e6f67c79ecc1cb0b0bf0886f2c2b41eff8d3819a69
SHA1: 18a822ebb2a93f211489312d5477aa46e7d59644
MD5: 9dfac8989e68abdfda410a3513d9668e
M21-pvmk1 Trickbot_29824072 Mixed This strike sends a malware sample known as Trickbot. Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts. 298240723718547126344e86ac09f7d0 https://blog.talosintelligence.com/2021/04/threat-roundup-0409-0416.html
SHA256: 925a1279cf8207ff1256a6a382c151b75c1701debc924b6e29f74ec66189e416
SHA1: c64818187686483855a811a3f911383c8a59f548
MD5: 298240723718547126344e86ac09f7d0
M21-51931 Emotet_caeb9d29 Mixed This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails. caeb9d29e22f04ae4c66b039c8fd650c https://blog.talosintelligence.com/2021/04/threat-roundup-0409-0416.html
SHA256: cd2c6d5071413fa5f112989c7164a9640643362ed8c6b74227f5506dd9ce3a6e
SHA1: 6779ec403dd1e4290b21d7757e595e329c7064b7
MD5: caeb9d29e22f04ae4c66b039c8fd650c
M21-wjfj1 Expiro_01eeb5c6 Mixed This strike sends a malware sample known as Expiro. Expiro or Xpiro is a known file infector and information-stealer that hinders analysis with anti-debugging and anti-analysis tricks. 01eeb5c6a9382fe8bc0691971dcda6da https://blog.talosintelligence.com/2021/04/threat-roundup-0402-0409.html
SHA256: 0aae3ca82b76371035d02163fd7cdd531181c925cb5f00c33abd858234c530e0
SHA1: 17f951b2f0842e9fc117b7180ea1032deab227f1
MD5: 01eeb5c6a9382fe8bc0691971dcda6da
M21-3jby1 Expiro_86174a83 Mixed This strike sends a malware sample known as Expiro. Expiro or Xpiro is a known file infector and information-stealer that hinders analysis with anti-debugging and anti-analysis tricks. 86174a83ca172ce4d48cc347c92f780b https://blog.talosintelligence.com/2021/04/threat-roundup-0402-0409.html
SHA256: 3411f562655203024dbeaf365d15fcf4c93741790445068f4f9670dbbcad91bd
SHA1: acb64d90f9b44a9942aaa2ae3639856c3b7b534a
MD5: 86174a83ca172ce4d48cc347c92f780b
M21-ut771 Bifrost_1208f352 Mixed This strike sends a malware sample known as Bifrost. Bifrost is a backdoor that allows a remote attacker, who uses the client, to execute arbitrary code on the compromised machine. It contains standard Remote Access Trojan capabilities including taking screenshots, camera monitoring, and keylogging. 1208f3526e1cd37fa37017c07bda23e9 https://blog.talosintelligence.com/2021/04/threat-roundup-0402-0409.html
SHA256: 04058a97246390c61befe641ff8c059c523bef02d760254025451c49573c55f8
SHA1: 0e094169c4a5fc2149fbdccd5726e7d71ac53b9a
MD5: 1208f3526e1cd37fa37017c07bda23e9
M21-8ecf1 DarkSide_f87a2e1c Mixed This strike sends a malware sample known as DarkSide. DarkSide is a ransomware that made headlines recently when it was attributed to the attack against CompuCom, resulting in 20 million dollars in losses. DarkSide is known for its very specific approach to targeting victims. Each executable is carefully crafted for its intended target. f87a2e1c3d148a67eaeb696b1ab69133 https://www.channelfutures.com/security/compucom-ransomware-attack-prompts-more-than-20-million-in-losses
https://www.insurancebusinessmag.com/ca/news/cyber/canadian-hardware-store-chain-gets-slammed-by-ransomware-attack-251259.aspx
https://www.digitalshadows.com/blog-and-research/darkside-the-new-ransomware-group-behind-highly-targeted-attacks/
SHA256: 9cee5522a7ca2bfca7cd3d9daba23e9a30deb6205f56c12045839075f7627297
SHA1: d1dfe82775c1d698dd7861d6dfa1352a74551d35
MD5: f87a2e1c3d148a67eaeb696b1ab69133
M21-eud31 Dofoil_41cbc9f1 Mixed This strike sends a malware sample known as Dofoil. Dofoil, also known as SmokeLoader, is typically used to download and execute various other malware. It has been associated with dropping and executing coin miners that mine cryptocurrency. 41cbc9f14ba35bc3fbc01fa373366684 https://blog.talosintelligence.com/2021/04/threat-roundup-0326-0402.html
SHA256: d43fc5bd5ab07811b01def3be2a57a4bf0126fd6ced7b73e55f1bf2fe80b95b1
SHA1: 0cf7ecf3ba1952ac468b8c7600312a4b46cd00e7
MD5: 41cbc9f14ba35bc3fbc01fa373366684
M21-os8u1 Expiro_0413d149 Mixed This strike sends a malware sample known as Expiro. Expiro or Xpiro is a known file infector and information-stealer that hinders analysis with anti-debugging and anti-analysis tricks. 0413d149c8f13c37c59b4045d19e104b https://blog.talosintelligence.com/2021/04/threat-roundup-0402-0409.html
SHA256: 0a9cd6bd37c054cfde77225849e84f9c5dda52e6ccc41f1a8f7e2550208ab323
SHA1: 2cc968a06c6d1d3904244c71000c8d646654dceb
MD5: 0413d149c8f13c37c59b4045d19e104b
M21-2g6d1 Expiro_56edfa30 Mixed This strike sends a malware sample known as Expiro. Expiro or Xpiro is a known file infector and information-stealer that hinders analysis with anti-debugging and anti-analysis tricks. 56edfa303cfc02984450540bb6d5b664 https://blog.talosintelligence.com/2021/04/threat-roundup-0402-0409.html
SHA256: 08ca431a8a649b53efe585f4be86baedabe95cafaaf6bb794794d094b1fce99c
SHA1: 73657701fb4d6acb088ef4ff4ee210243c57bdcf
MD5: 56edfa303cfc02984450540bb6d5b664
M21-a0qt1 Expiro_43d02938 Mixed This strike sends a malware sample known as Expiro. Expiro or Xpiro is a known file infector and information-stealer that hinders analysis with anti-debugging and anti-analysis tricks. 43d0293877c77a8d6686fefe31c48e2a https://blog.talosintelligence.com/2021/04/threat-roundup-0402-0409.html
SHA256: 1c0923926a6798d84a3ae8df9cca7b7deb1c833d79b7e3597dff595fafc1cb17
SHA1: 3fecbd1837d1cb5924e9372555465db6b671bf41
MD5: 43d0293877c77a8d6686fefe31c48e2a
M21-ih6s1 Dofoil_b4f02682 Mixed This strike sends a malware sample known as Dofoil. Dofoil, also known as SmokeLoader, is typically used to download and execute various other malware. It has been associated with dropping and executing coin miners that mine cryptocurrency. b4f02682465301d17d8658d1c69abe6d https://blog.talosintelligence.com/2021/04/threat-roundup-0326-0402.html
SHA256: 1dc196190e82a017a81937d0b42f96ecd86673b7cc4d4a5fcebe0b4c63495879
SHA1: fa416599f2a7a182ea956f08f8c3c183a0b1f4f8
MD5: b4f02682465301d17d8658d1c69abe6d
M21-soot1 Expiro_a2f7ae1d Mixed This strike sends a malware sample known as Expiro. Expiro or Xpiro is a known file infector and information-stealer that hinders analysis with anti-debugging and anti-analysis tricks. a2f7ae1ddd9611233e0cd0b29202e653 https://blog.talosintelligence.com/2021/04/threat-roundup-0402-0409.html
SHA256: 14b29c62bc67865818adb29351da249dbaa100a75eefe0d767734d0b16bc0f12
SHA1: 375f20dd4f8c31da7c6bed1da6e4a66aa82877cc
MD5: a2f7ae1ddd9611233e0cd0b29202e653
M21-0eo21 Expiro_3f71b02f Mixed This strike sends a malware sample known as Expiro. Expiro or Xpiro is a known file infector and information-stealer that hinders analysis with anti-debugging and anti-analysis tricks. 3f71b02ff093f424563ddce686a2b6f4 https://blog.talosintelligence.com/2021/04/threat-roundup-0402-0409.html
SHA256: 1e47c3fb48c30915162b17d319d304d74916769d22d5f2699dd025d8652d7bbf
SHA1: f3721b248c9e4aee288b96dfa3eab33e4f6eaedf
MD5: 3f71b02ff093f424563ddce686a2b6f4
M21-s5rr1 Bifrost_d9f9f3d3 Mixed This strike sends a malware sample known as Bifrost. Bifrost is a backdoor that allows a remote attacker, who uses the client, to execute arbitrary code on the compromised machine. It contains standard Remote Access Trojan capabilities including taking screenshots, camera monitoring, and keylogging. d9f9f3d3ebf767b3219bf16b8c3e1b80 https://blog.talosintelligence.com/2021/04/threat-roundup-0402-0409.html
SHA256: 06fd9c2363806dae2cdc543f0d6d1541339ee756b7a56098414de31955a8cbff
SHA1: 0583573bef32475c5723ef99b6bc3ffc7a8c1d5c
MD5: d9f9f3d3ebf767b3219bf16b8c3e1b80
Strike ID: M21-ru0o1 | Malware: Dofoil_3fa850b7 | Platform: Mixed
Info: This strike sends a malware sample known as Dofoil. Dofoil, also known as SmokeLoader, is typically used to download and execute various other malware. It has been associated with dropping and executing coin miners that mine cryptocurrency.
External References: https://blog.talosintelligence.com/2021/04/threat-roundup-0326-0402.html
SHA256: 7f6ebd301c47243a0c909c8f59f1600eacfe56dba2ccfb2639b24d9b16c9ec92
SHA1: 3493d6c800786c0365b7cb932d5856c93b4be840
MD5: 3fa850b77ae570c62822109783db290a
Strike ID: M21-bvs01 | Malware: Dofoil_b0f774c3 | Platform: Mixed
Info: This strike sends a malware sample known as Dofoil. Dofoil, also known as SmokeLoader, is typically used to download and execute various other malware. It has been associated with dropping and executing coin miners that mine cryptocurrency.
External References: https://blog.talosintelligence.com/2021/04/threat-roundup-0326-0402.html
SHA256: 78568ae742d82478786a06e8639fac6a2da6fa032a576ba89bc85261771abb18
SHA1: b8d2f644544c648f2cec4dac0399d908a77efe76
MD5: b0f774c3bbb838aaafdaedae70b4e752
Strike ID: M21-dmch1 | Malware: Emotet_0ae74d12 | Platform: Mixed
Info: This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails.
External References: https://blog.talosintelligence.com/2021/04/threat-roundup-0409-0416.html
SHA256: 8ed73c6ac29afcebb066c7362806fd3157803af3338e39af7831e13dd1bf78cc
SHA1: 96fc89eb2757dce3b4aa1edcf00b2a7ef50bb4f1
MD5: 0ae74d12e881daf1de8c05d48a6f5867
Strike ID: M21-xkgz1 | Malware: Trickbot_439a3893 | Platform: Mixed
Info: This strike sends a malware sample known as Trickbot. Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts.
External References: https://blog.talosintelligence.com/2021/04/threat-roundup-0409-0416.html
SHA256: c2d3c394f6f56ad24c61383de4171d8ae8157b5284fa5f22bdf69a20091454bd
SHA1: 0bf1ecc6f528d5341ec2c53806f76ba0ba29f1c5
MD5: 439a38934558b6a2a2d66d9891dc6584
Strike ID: M21-3f311 | Malware: Emotet_23fe2956 | Platform: Mixed
Info: This strike sends a malware sample known as Emotet. Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails.
External References: https://blog.talosintelligence.com/2021/04/threat-roundup-0409-0416.html
SHA256: 20bec3f93a046eabd36a038fd46ffce5fbdd0b91d2d1027dc357f36cd01a570f
SHA1: 5d7db79bdb46f6b2a2377b9b0827f5db66eed37d
MD5: 23fe29563e7cae4a432566c693bbc9ca
Strike ID: M21-hk3q1 | Malware: Phoenix | Platform: Mixed
Info: This strike sends a malware sample known as Phoenix Cryptolocker. Phoenix Cryptolocker is a ransomware that made headlines when it was detected in an attack against CNA Financial. The malware is able to infiltrate by appearing to be a legitimate utility and coming signed with a digital certificate. After infection and file encryption, the malware deletes all traces of itself, leaving behind only the ransom note with instructions for the victim.
External References: https://www.bleepingcomputer.com/news/security/insurance-giant-cna-hit-by-new-phoenix-cryptolocker-ransomware/
https://blogs.blackberry.com/en/2021/04/threat-thursday-blackberry-protect-vs-phoenix-cryptolocker
SHA256: 008ec79765325200361d9c93ac35edd430f8b17894ff843268caa5acd6224549
SHA1: 3cb0cb07cc2542f1d98060adccda726ea865db98
MD5: d86f451bbff804e59a549f9fb33d6e3f
Strike ID: M21-apkd1 | Malware: Bifrost_4f1975b3 | Platform: Mixed
Info: This strike sends a polymorphic malware sample known as Bifrost. Bifrost is a backdoor that allows a remote attacker, who uses the client, to execute arbitrary code on the compromised machine. It contains standard Remote Access Trojan capabilities including taking screenshots, camera monitoring, and keylogging. The binary has random bytes appended at the end of the file.
External References: https://attack.mitre.org/techniques/T1009/
SHA256: 78168756c961afe3b0d87e008a7d1cb840e4d84bff5b6187ac58f52fdbf8bbce
SHA1: f68210d5397dd89519b844480b08a38fad2718b1
PARENTID: M21-q2r61
SSDEEP: 24576:dM9FUzQIyFfybd0nnbpfDYpY9OLSCR2Isb3ojRdhann6LjmHl25D+0ZpEo0Yv8ai:qFmQIQ6x0nt7YbeO2Is3odK4OM5D+aJQ
MD5: 4f1975b3411e631aa3340b0b278c6aff
Strike ID: M21-ea5c1 | Malware: Dofoil_2ec070d0 | Platform: Mixed
Info: This strike sends a malware sample known as Dofoil. Dofoil, also known as SmokeLoader, is typically used to download and execute various other malware. It has been associated with dropping and executing coin miners that mine cryptocurrency.
External References: https://blog.talosintelligence.com/2021/04/threat-roundup-0326-0402.html
SHA256: 1498e1536f2beb0d4e2ff9e1ace10e5c37fde536b3ed8d3ac2f6614ef37c9216
SHA1: 9a04d7e364dd6b4ef5694e2a83e3d9c4e70f7424
MD5: 2ec070d0df92af50a6f873e02c0afcde