M21-jlzp1 | BlackMatter_e6b0276b | Windows | This strike sends a malware sample known as BlackMatter. BlackMatter is a Ransomware-as-a-Service (RaaS). It has followed in the footsteps of its predecessors DarkSide and REvil with much of the same functionality. It can elevate privileges, kill processes, and even steal the victim's details. | e6b0276bc3f541d8ff1ebb1b59c8bd29 | https://news.sophos.com/en-us/2021/08/09/blackmatter-ransomware-emerges-from-the-shadow-of-darkside/; SHA256: daed41395ba663bef2c52e3d1723ac46253a9008b582bb8d9da9cb0044991720; SHA1: 295de44a0adbef57c51458978ccd71437aff0bf1; MD5: e6b0276bc3f541d8ff1ebb1b59c8bd29 |
M21-rby71 | DarkComet_eb1de375 | Windows | This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system. | eb1de375f155cf314cd6f41f754ce930 | https://blog.talosintelligence.com/2021/08/threat-roundup-0806-0813.html; SHA256: 302085c4d19e84b33f64b7f177dcb5bdf31a919917e27c54691e599b65ec550f; SHA1: d561ebb09ec070733d63b8313554687451a4e55a; MD5: eb1de375f155cf314cd6f41f754ce930 |
M21-ngxa1 | Trickbot_654b1a59 | Windows | This strike sends a malware sample known as Trickbot. Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts. | 654b1a591b182b0665352dde68720652 | https://blog.talosintelligence.com/2021/08/threat-roundup-0730-0806.html; SHA256: 2224cc59bb76c875cfcf04df8ad82f6c3c4c5418ab0a281bd0cd1ba73d685a1f; SHA1: 77a416f2f7898d7c5c542d8dff00aecc23b6be62; MD5: 654b1a591b182b0665352dde68720652 |
M21-6oee1 | Qakbot_a3d6462c | Windows | This strike sends a malware sample known as Qakbot. Qakbot, aka Qbot, has been around since at least 2008. Qbot primarily targets sensitive information like banking credentials but can also steal FTP credentials and spread across a network using SMB. | a3d6462cdc162149e22502c694a7427c | https://blog.talosintelligence.com/2021/08/threat-roundup-0806-0813.html; SHA256: 07f0e31106f56a2af7eb4e283625b4b3408f0eeb74c09b1ade3840daa4d1b8bb; SHA1: f99af91f1fd4cc539eb1d552f9160245a071a4b2; MD5: a3d6462cdc162149e22502c694a7427c |
M21-sbf81 | Qakbot_4f2e59b6 | Windows | This strike sends a malware sample known as Qakbot. Qakbot, aka Qbot, has been around since at least 2008. Qbot primarily targets sensitive information like banking credentials but can also steal FTP credentials and spread across a network using SMB. | 4f2e59b6050e873fd41a0b369b354243 | https://blog.talosintelligence.com/2021/08/threat-roundup-0806-0813.html; SHA256: 240e331b52966de8e05cea16155fb5cbf97ccc934af991f7d794107302665b4c; SHA1: a603a8d095d6e0e95c1323b77e9fc748b05320c4; MD5: 4f2e59b6050e873fd41a0b369b354243 |
M21-qp9u1 | Haron_731797d3 | Windows | This strike sends a malware sample known as Haron. Haron is a ransomware that is considered a copy or derivative of the Avaddon and Thanos ransomware. It uses the Thanos framework, which was made open source, to infect victims, together with the Avaddon UI, which was also leaked. | 731797d30d8ff6eaf901e788bd4e6048 | https://medium.com/s2wlab/quick-analysis-of-haron-ransomware-feat-avaddon-and-thanos-1ebb70f64dc4; SHA256: 66ed5384220ff3091903e14a54849f824fdd13ac70dc4e0127eb59c1de801fc2; SHA1: 9d38ce8e4c3ca5fbdfdfbed3ec452151041189c0; MD5: 731797d30d8ff6eaf901e788bd4e6048 |
M21-ksoe1 | Qakbot_4989af5b | Windows | This strike sends a malware sample known as Qakbot. Qakbot, aka Qbot, has been around since at least 2008. Qbot primarily targets sensitive information like banking credentials but can also steal FTP credentials and spread across a network using SMB. | 4989af5b16f7fdb9de808337dbdc0b3a | https://blog.talosintelligence.com/2021/08/threat-roundup-0806-0813.html; SHA256: 3383b0672661207be263722ba4cd2341bb90f680819359cb07c26c6b7dfcaa9b; SHA1: 4357873c9c578632bc76a180a10d60002570b542; MD5: 4989af5b16f7fdb9de808337dbdc0b3a |
M21-s16t1 | Ramnit_52efe8c8 | Windows | This strike sends a malware sample known as Ramnit. Ramnit is a banking trojan that has been around since 2010 and has recently resumed activity. After infection, it scans files for interesting keywords, such as "wallet", "passwords", or the names of the targeted banks. Ramnit uses malvertising and malware-laden spam for distribution, though it has also employed popular exploit kits, such as Angler. | 52efe8c8b4205a6c099ade4e32aeea32 | https://blog.talosintelligence.com/2021/08/threat-roundup-0813-0820.html; SHA256: 72d4e7805d94785b9c95147f8a42e3700f2bfa56a79a46dfcf0791bd3a0f090d; SHA1: c8d7c5629cf6775d7e6361c5756a0b3561f35429; MD5: 52efe8c8b4205a6c099ade4e32aeea32 |
M21-ijkd1 | BlackMatter_98a3bee4 | Windows | This strike sends a polymorphic malware sample known as BlackMatter. BlackMatter is a Ransomware-as-a-Service (RaaS). It has followed in the footsteps of its predecessors DarkSide and REvil with much of the same functionality. It can elevate privileges, kill processes, and even steal the victim's details. The binary has been packed using the UPX packer with the default options. | 98a3bee4399116289036d0224aac78d7 | https://news.sophos.com/en-us/2021/08/09/blackmatter-ransomware-emerges-from-the-shadow-of-darkside/; https://attack.mitre.org/techniques/T1045/; SHA256: 5475378077eb6a5841515dd35c5b8e0ca9181000e3a06da4cb30f02c66fb1408; PARENTID: M21-mfzl1; SSDEEP: 768:PNETtdX7D3UKhRmr6GRfIC7uSj9UBiXUO8vR3V8YZaAQ0hMTndaN/:qp1arxxum94eU1pnVQ0qdaN; SHA1: 4bffcde1b205b8aba0b648006b89958891175a7c; MD5: 98a3bee4399116289036d0224aac78d7 |
M21-obcm1 | BlackMatter_ac50d0bc | Windows | This strike sends a polymorphic malware sample known as BlackMatter. BlackMatter is a Ransomware-as-a-Service (RaaS). It has followed in the footsteps of its predecessors DarkSide and REvil with much of the same functionality. It can elevate privileges, kill processes, and even steal the victim's details. The binary has the checksum removed in the PE file format. | ac50d0bc460a702822ebae99a86761b5 | https://news.sophos.com/en-us/2021/08/09/blackmatter-ransomware-emerges-from-the-shadow-of-darkside/; https://arxiv.org/abs/1801.08917; SHA256: 473e2f87064a676a943f2c62d25deb42032cdb1a31c0b765683da0c75f221d91; PARENTID: M21-73ke1; SSDEEP: 1536:aICS4AgxwhjEO3r825exqkHYnKeGsXqsMt:Z2SN3mxYnKr; SHA1: 4fcada52709b935f0bf968eaf52a806acfb006ce; MD5: ac50d0bc460a702822ebae99a86761b5 |
M21-s1371 | Ramnit_4a7a546c | Windows | This strike sends a malware sample known as Ramnit. Ramnit is a banking trojan that has been around since 2010 and has recently resumed activity. After infection, it scans files for interesting keywords, such as "wallet", "passwords", or the names of the targeted banks. Ramnit uses malvertising and malware-laden spam for distribution, though it has also employed popular exploit kits, such as Angler. | 4a7a546c94e0918c95ae5a4cc9575042 | https://blog.talosintelligence.com/2021/08/threat-roundup-0813-0820.html; SHA256: 38953969ed21113318984529205154f47908974d18e791e04955386aaf4dadaf; SHA1: f5ead2a3a942288e4f1f80870eb64e97b6ca00d3; MD5: 4a7a546c94e0918c95ae5a4cc9575042 |
M21-85jk1 | Qakbot_8f46946b | Windows | This strike sends a malware sample known as Qakbot. Qakbot, aka Qbot, has been around since at least 2008. Qbot primarily targets sensitive information like banking credentials but can also steal FTP credentials and spread across a network using SMB. | 8f46946bc6fe6cd5843ca93c5b7d3045 | https://blog.talosintelligence.com/2021/08/threat-roundup-0806-0813.html; SHA256: 03cb6dc235578dd1562851d4d06555af1cf9382353ba3f54306a27e37a5305a1; SHA1: aeea21e79394c7cea389e818f55731563c589d28; MD5: 8f46946bc6fe6cd5843ca93c5b7d3045 |
M21-ah8i1 | Trickbot_64a8dfe6 | Windows | This strike sends a malware sample known as Trickbot. Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts. | 64a8dfe64ee1298325a8af441ae6abef | https://blog.talosintelligence.com/2021/08/threat-roundup-0730-0806.html; SHA256: 3359b593b46b2c55971ab4f5a10228ffd462a8f5fd8b9357a71955b6a1e1e477; SHA1: cbf88ed990eebeb0f4179b70f126309b8b2b6aae; MD5: 64a8dfe64ee1298325a8af441ae6abef |
M21-45971 | BlackMatter_b73ff289 | Windows | This strike sends a polymorphic malware sample known as BlackMatter. BlackMatter is a Ransomware-as-a-Service (RaaS). It has followed in the footsteps of its predecessors DarkSide and REvil with much of the same functionality. It can elevate privileges, kill processes, and even steal the victim's details. The binary has one additional import added to its import table. | b73ff289f910386f378a9b0a86b82fe9 | https://news.sophos.com/en-us/2021/08/09/blackmatter-ransomware-emerges-from-the-shadow-of-darkside/; https://arxiv.org/abs/1702.05983; SHA256: 2137b44db4676a8a9ccf838bb415cff759bfde9a116f894c99b72b9c7ad99779; PARENTID: M21-do2n1; SSDEEP: 1536:RzICS4AT6GxdEe+TOdincJXvKvwZg3klyDV:qR7auJXSYZg3CO; SHA1: e42e493ca6e748ef4ea9f3548575a4be779ddcef; MD5: b73ff289f910386f378a9b0a86b82fe9 |
M21-zsjp1 | BlackMatter_9d047a42 | Windows | This strike sends a polymorphic malware sample known as BlackMatter. BlackMatter is a Ransomware-as-a-Service (RaaS). It has followed in the footsteps of its predecessors DarkSide and REvil with much of the same functionality. It can elevate privileges, kill processes, and even steal the victim's details. The binary has random bytes appended at the end of the file. | 9d047a4230a677be7daf5268a075d7e2 | https://news.sophos.com/en-us/2021/08/09/blackmatter-ransomware-emerges-from-the-shadow-of-darkside/; https://attack.mitre.org/techniques/T1009/; SHA256: 9e2f23be87942756483bec3d374f6405dc77cb2f458e3f4d9439ac5e603dd15d; PARENTID: M21-73ke1; SSDEEP: 1536:yICS4AgxwhjEO3r825exqkHYnKeGsXqsMtn:R2SN3mxYnKr5; SHA1: f9ebc7f793d5ae05f058274ca1d993d03e968e5f; MD5: 9d047a4230a677be7daf5268a075d7e2 |
M21-52731 | Qakbot_3f7f4d66 | Windows | This strike sends a malware sample known as Qakbot. Qakbot, aka Qbot, has been around since at least 2008. Qbot primarily targets sensitive information like banking credentials but can also steal FTP credentials and spread across a network using SMB. | 3f7f4d669ff9f912a8bceafc89f2b924 | https://blog.talosintelligence.com/2021/08/threat-roundup-0806-0813.html; SHA256: 03fe14caddbd6902e265a566efcbeacda1a413065a98b66b4e74fa59cea083e4; SHA1: 0ffd77b60f25c3324e79c1772615370c773c8b55; MD5: 3f7f4d669ff9f912a8bceafc89f2b924 |
M21-mvvm1 | Qakbot_a896b96a | Windows | This strike sends a malware sample known as Qakbot. Qakbot, aka Qbot, has been around since at least 2008. Qbot primarily targets sensitive information like banking credentials but can also steal FTP credentials and spread across a network using SMB. | a896b96a31d0ece9e401e1d77b7d6567 | https://blog.talosintelligence.com/2021/08/threat-roundup-0806-0813.html; SHA256: 1502723beda5c3fc95c3532d89ee16bdd3ad5ead9f323ee48be4d653474110bc; SHA1: ca8bf9a73c90dbbbb8a202d7361327245b1554df; MD5: a896b96a31d0ece9e401e1d77b7d6567 |
M21-ienp1 | Ramnit_68464084 | Windows | This strike sends a malware sample known as Ramnit. Ramnit is a banking trojan that has been around since 2010 and has recently resumed activity. After infection, it scans files for interesting keywords, such as "wallet", "passwords", or the names of the targeted banks. Ramnit uses malvertising and malware-laden spam for distribution, though it has also employed popular exploit kits, such as Angler. | 68464084c82fbd09faebcbf040dfc7c4 | https://blog.talosintelligence.com/2021/08/threat-roundup-0813-0820.html; SHA256: 01b7940f00b1fe720244be50cb1eaa65cf41d91d387b0009d7c3c02332c6d90a; SHA1: 6d8c13cd8c7f1e0626e9e574204bc6f8495685c3; MD5: 68464084c82fbd09faebcbf040dfc7c4 |
M21-taw21 | Qakbot_e5a95f5f | Windows | This strike sends a malware sample known as Qakbot. Qakbot, aka Qbot, has been around since at least 2008. Qbot primarily targets sensitive information like banking credentials but can also steal FTP credentials and spread across a network using SMB. | e5a95f5f45d3afd5f9f3d0f27692def5 | https://blog.talosintelligence.com/2021/08/threat-roundup-0806-0813.html; SHA256: 3337b985888559a139cd62e925156264e64b8a1a8943bbb08ccb7a8c2684b570; SHA1: e2011d84269cfa7ad06f4808ff5f5988259ff938; MD5: e5a95f5f45d3afd5f9f3d0f27692def5 |
M21-78tz1 | Qakbot_86c75973 | Windows | This strike sends a malware sample known as Qakbot. Qakbot, aka Qbot, has been around since at least 2008. Qbot primarily targets sensitive information like banking credentials but can also steal FTP credentials and spread across a network using SMB. | 86c7597356d5b2a7e1c664b83d703efd | https://blog.talosintelligence.com/2021/08/threat-roundup-0806-0813.html; SHA256: 0d2aad6da1068580e457b85c1df14497b1f66870c73d9c7b60d387a8ecc587ba; SHA1: 187a83576f0e430af77e6e3243c498138d05687e; MD5: 86c7597356d5b2a7e1c664b83d703efd |
M21-auio1 | Haron_af79a121 | Windows | This strike sends a malware sample known as Haron. Haron is a ransomware that is considered a copy or derivative of the Avaddon and Thanos ransomware. It uses the Thanos framework, which was made open source, to infect victims, together with the Avaddon UI, which was also leaked. | af79a121a5c315f5a7b8a2180ccbea0f | https://medium.com/s2wlab/quick-analysis-of-haron-ransomware-feat-avaddon-and-thanos-1ebb70f64dc4; SHA256: caf815381680cfa6afedcd7c7af5a5c838788b1c7ec593ce817114a25ab63441; SHA1: 5a1ffabbcb8709c5c29911a4bd09b48a79731968; MD5: af79a121a5c315f5a7b8a2180ccbea0f |
M21-cvnq1 | Ramnit_bbb2d2c7 | Windows | This strike sends a malware sample known as Ramnit. Ramnit is a banking trojan that has been around since 2010 and has recently resumed activity. After infection, it scans files for interesting keywords, such as "wallet", "passwords", or the names of the targeted banks. Ramnit uses malvertising and malware-laden spam for distribution, though it has also employed popular exploit kits, such as Angler. | bbb2d2c7a02bb20e476ef9ea2483d575 | https://blog.talosintelligence.com/2021/08/threat-roundup-0813-0820.html; SHA256: 191a8a81de6aee304ac908fccad0c138abccf5baf851714d8e28a3879300500f; SHA1: 32921fe5277fd747d68567dc98fcef7b77863c0e; MD5: bbb2d2c7a02bb20e476ef9ea2483d575 |
M21-oouo1 | Ramnit_ccbf0c65 | Windows | This strike sends a malware sample known as Ramnit. Ramnit is a banking trojan that has been around since 2010 and has recently resumed activity. After infection, it scans files for interesting keywords, such as "wallet", "passwords", or the names of the targeted banks. Ramnit uses malvertising and malware-laden spam for distribution, though it has also employed popular exploit kits, such as Angler. | ccbf0c6561f9f4cbd092bbcab0455734 | https://blog.talosintelligence.com/2021/08/threat-roundup-0813-0820.html; SHA256: 03edf7d9493484932879614edd7f0649c8bbcf2a19cef53f602c3f28d92905ab; SHA1: 1dcced722886a65bb349c9208d05bdc9fb3de44f; MD5: ccbf0c6561f9f4cbd092bbcab0455734 |
M21-exv21 | Ramnit_520c2909 | Windows | This strike sends a malware sample known as Ramnit. Ramnit is a banking trojan that has been around since 2010 and has recently resumed activity. After infection, it scans files for interesting keywords, such as "wallet", "passwords", or the names of the targeted banks. Ramnit uses malvertising and malware-laden spam for distribution, though it has also employed popular exploit kits, such as Angler. | 520c2909c35be0ed73fa17fc56f43aa4 | https://blog.talosintelligence.com/2021/08/threat-roundup-0813-0820.html; SHA256: 5d5d522c80d90a077cedc1701b69bba4a0ec3b5c607de6802143f334a448d3c8; SHA1: b1609b7be37aee877cc110073a0278eec6bcb3f8; MD5: 520c2909c35be0ed73fa17fc56f43aa4 |
M21-lmo31 | Qakbot_b6f8b13c | Windows | This strike sends a malware sample known as Qakbot. Qakbot, aka Qbot, has been around since at least 2008. Qbot primarily targets sensitive information like banking credentials but can also steal FTP credentials and spread across a network using SMB. | b6f8b13c020450d5218ed523754b1b56 | https://blog.talosintelligence.com/2021/08/threat-roundup-0806-0813.html; SHA256: 2c4541a8d520b195f8dda3f731584e6391f714e2c4b01f4f97523728511dfb5c; SHA1: 4d0345630121c30d7536fcb1ae8ffebb3d8f1e1e; MD5: b6f8b13c020450d5218ed523754b1b56 |
M21-3qpg1 | BlackMatter_50c49700 | Windows | This strike sends a malware sample known as BlackMatter. BlackMatter is a Ransomware-as-a-Service (RaaS). It has followed in the footsteps of its predecessors DarkSide and REvil with much of the same functionality. It can elevate privileges, kill processes, and even steal the victim's details. | 50c4970003a84cab1bf2634631fe39d7 | https://news.sophos.com/en-us/2021/08/09/blackmatter-ransomware-emerges-from-the-shadow-of-darkside/; SHA256: 520bd9ed608c668810971dbd51184c6a29819674280b018dc4027bc38fc42e57; SHA1: 721a749cbd6afcd765e07902c17d5ab949b04e4a; MD5: 50c4970003a84cab1bf2634631fe39d7 |
M21-2x1j1 | BlackMatter_48f3e009 | Windows | This strike sends a polymorphic malware sample known as BlackMatter. BlackMatter is a Ransomware-as-a-Service (RaaS). It has followed in the footsteps of its predecessors DarkSide and REvil with much of the same functionality. It can elevate privileges, kill processes, and even steal the victim's details. The binary has random content appended to one of the existing sections in the PE file format. | 48f3e0096689e5b981a7494f9373c466 | https://news.sophos.com/en-us/2021/08/09/blackmatter-ransomware-emerges-from-the-shadow-of-darkside/; https://arxiv.org/abs/1801.08917; SHA256: a5ba6d746e383918f8e9177e0de823e843295fc52612679ed7aa31ef624dabfa; PARENTID: M21-do2n1; SSDEEP: 1536:RzICS4AT6GxdEe+TOdincJXvKv8ZgXkl/:qR7auJXSkZgXC/; SHA1: 6cebe28f484bbc42da23e0051cf0cd1c5cfbdaff; MD5: 48f3e0096689e5b981a7494f9373c466 |
M21-03o11 | BlackMatter_687e5999 | Windows | This strike sends a polymorphic malware sample known as BlackMatter. BlackMatter is a Ransomware-as-a-Service (RaaS). It has followed in the footsteps of its predecessors DarkSide and REvil with much of the same functionality. It can elevate privileges, kill processes, and even steal the victim's details. The binary has one section renamed to a random name that conforms to the PE format specification. | 687e599972236164dbcbd1c229d27087 | https://news.sophos.com/en-us/2021/08/09/blackmatter-ransomware-emerges-from-the-shadow-of-darkside/; https://arxiv.org/abs/1801.08917; SHA256: b91a54d32e5f4625c25d1e0c2f24a9bab29140cad871a44a04ebb9f50c11b4a0; PARENTID: M21-73ke1; SSDEEP: 1536:2ICS4AgxwhjEO3r825exqkHYnKeGsXqsMt:92SN3mxYnKr; SHA1: 1dbace88ee6dc7d55657e3ce2dd0149a8263697e; MD5: 687e599972236164dbcbd1c229d27087 |
M21-agjt1 | BlackMatter_4c146e1f | Windows | This strike sends a polymorphic malware sample known as BlackMatter. BlackMatter is a Ransomware-as-a-Service (RaaS). It has followed in the footsteps of its predecessors DarkSide and REvil with much of the same functionality. It can elevate privileges, kill processes, and even steal the victim's details. The binary has the debug flag removed in the PE file format. | 4c146e1f99bbdc09ef5fcc8780b5b844 | https://news.sophos.com/en-us/2021/08/09/blackmatter-ransomware-emerges-from-the-shadow-of-darkside/; https://arxiv.org/abs/1801.08917; SHA256: 984192ecd4ddbbf484f7d26c4b63db9c79b1d0c2e08d969133ebea61f9a58491; PARENTID: M21-mfzl1; SSDEEP: 1536:1zICS4AT6GxdEe+TOdincJXvKv8Zg3kl:WR7auJXSkZg3C; SHA1: c31affeb0609eba44ef0af3983fd29293959a3da; MD5: 4c146e1f99bbdc09ef5fcc8780b5b844 |
M21-ga7a1 | DarkComet_71be9b56 | Windows | This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system. | 71be9b56b5d518b855fefbd3514bbc09 | https://blog.talosintelligence.com/2021/08/threat-roundup-0806-0813.html; SHA256: 001276dd30093a56534c93cf39335eb23943ab0b532c9ab4bfac250485355b8e; SHA1: 470a908d399dae1af0768726b3091e931b2f2470; MD5: 71be9b56b5d518b855fefbd3514bbc09 |
M21-60ge1 | Ramnit_cf99487a | Windows | This strike sends a malware sample known as Ramnit. Ramnit is a banking trojan that has been around since 2010 and has recently resumed activity. After infection, it scans files for interesting keywords, such as "wallet", "passwords", or the names of the targeted banks. Ramnit uses malvertising and malware-laden spam for distribution, though it has also employed popular exploit kits, such as Angler. | cf99487abb258b230c1ff2b484a6161a | https://blog.talosintelligence.com/2021/08/threat-roundup-0813-0820.html; SHA256: 604724f5db4975c1aa1eb88eaf1931e674a506b7da0e29f10344b8bb7ce7c15c; SHA1: 8ed68926fd12bd3f4e4efd1ffeb156109b26dbb2; MD5: cf99487abb258b230c1ff2b484a6161a |
M21-2oar1 | Ramnit_5e135573 | Windows | This strike sends a malware sample known as Ramnit. Ramnit is a banking trojan that has been around since 2010 and has recently resumed activity. After infection, it scans files for interesting keywords, such as "wallet", "passwords", or the names of the targeted banks. Ramnit uses malvertising and malware-laden spam for distribution, though it has also employed popular exploit kits, such as Angler. | 5e13557300fce99cd3f4176946f55461 | https://blog.talosintelligence.com/2021/08/threat-roundup-0813-0820.html; SHA256: ff7ca617a730a8d1f245142054b09a76341dc6b543a239ff7e1d3be28287d902; SHA1: dac07404d30a5736072c5fa76e7e1777f3de95b5; MD5: 5e13557300fce99cd3f4176946f55461 |
M21-gskn1 | DarkComet_eab4cfa5 | Windows | This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system. | eab4cfa5c8a4af29ee1727f9814dc806 | https://blog.talosintelligence.com/2021/08/threat-roundup-0806-0813.html; SHA256: 4bff08590e863279e04681f752fac6770a3863b7000e8a49c0e9c9e1fd3c1863; SHA1: bd5dfec9e308d9bb5345cfcea54850e3d46a6da3; MD5: eab4cfa5c8a4af29ee1727f9814dc806 |
M21-m3q21 | Ramnit_04cbcba0 | Windows | This strike sends a malware sample known as Ramnit. Ramnit is a banking trojan that has been around since 2010 and has recently resumed activity. After infection, it scans files for interesting keywords, such as "wallet", "passwords", or the names of the targeted banks. Ramnit uses malvertising and malware-laden spam for distribution, though it has also employed popular exploit kits, such as Angler. | 04cbcba0a0651a66cdcca68366862617 | https://blog.talosintelligence.com/2021/08/threat-roundup-0813-0820.html; SHA256: 5b2ca117e7bfddd8863b6a61520433488e50155db71f9c681f174819ff975034; SHA1: bcbb4198cb7eb1f453b88acde49b3d50f86cc98d; MD5: 04cbcba0a0651a66cdcca68366862617 |
M21-2pw31 | BlackMatter_ba375d06 | Windows | This strike sends a malware sample known as BlackMatter. BlackMatter is a Ransomware-as-a-Service (RaaS). It has followed in the footsteps of its predecessors DarkSide and REvil with much of the same functionality. It can elevate privileges, kill processes, and even steal the victim's details. | ba375d0625001102fc1f2ccb6f582d91 | https://news.sophos.com/en-us/2021/08/09/blackmatter-ransomware-emerges-from-the-shadow-of-darkside/; SHA256: c6e2ef30a86baa670590bd21acf5b91822117e0cbe6060060bc5fe0182dace99; SHA1: 379ebd1eff6f8685f4ff72657626bf6df5383d87; MD5: ba375d0625001102fc1f2ccb6f582d91 |
M21-tnzs1 | Trickbot_22409c5a | Windows | This strike sends a malware sample known as Trickbot. Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts. | 22409c5a370a8bb00faace48c76f67fb | https://blog.talosintelligence.com/2021/08/threat-roundup-0730-0806.html; SHA256: 27acdc8a6518e083365a5cebd518a98f5755fb2a4b588257b3f052ed3aca2b47; SHA1: ff65f20a80b425ed1e773629a9738dd277c778e4; MD5: 22409c5a370a8bb00faace48c76f67fb |
M21-0bby1 | DarkComet_eda137e5 | Windows | This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system. | eda137e5ecbae3a6e14adc9266ccf038 | https://blog.talosintelligence.com/2021/08/threat-roundup-0806-0813.html; SHA256: 1845ebdef56daeb7edebc6677864436a036d3b043b7e1923b75c65594d4345a9; SHA1: 7922c27a57c22667d03eb0aa1c62075b1c1d64b6; MD5: eda137e5ecbae3a6e14adc9266ccf038 |
M21-xntt1 | Thanos_e01e11dc | Windows | This strike sends a malware sample known as Thanos. Thanos ransomware offers the user the option to customize and include a variety of functions and capabilities. The Thanos builder code was recently made available and many variants have started to surface with its framework at the core. This version of Thanos includes the ability to overwrite the MBR and display the same ransom message, as well as the ability to detect and evade analysis tools. | e01e11dca5e8b08fc8231b1cb6e2048c | https://unit42.paloaltonetworks.com/thanos-ransomware/; SHA256: 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f; SHA1: 4983d07f004436caa3f10b38adacbba6a4ede01a; MD5: e01e11dca5e8b08fc8231b1cb6e2048c |
M21-b4tj1 | Trickbot_12b50245 | Windows | This strike sends a malware sample known as Trickbot. Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts. | 12b5024549eb5412d5211cf9848b1bfb | https://blog.talosintelligence.com/2021/08/threat-roundup-0730-0806.html; SHA256: 14c0fd429ed69daddb8b66b41cc4d1630f7dbf5951b52ab1ced2289449fa1b55; SHA1: 2957f592cebf00ce6fc41cddaa2edad4f6314e3a; MD5: 12b5024549eb5412d5211cf9848b1bfb |
M21-3ft71 | Trickbot_68037c38 | Windows | This strike sends a malware sample known as Trickbot. Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts. | 68037c38f6b16cdf60c8c2b0d29bfeab | https://blog.talosintelligence.com/2021/08/threat-roundup-0730-0806.html; SHA256: 284b939dbd6258063b3a4d43911635e28926667947435a9697b93661417884e8; SHA1: 2814f8f46f27626301f34204d57df0c0d528a843; MD5: 68037c38f6b16cdf60c8c2b0d29bfeab |
M21-hhwg1 | Ramnit_f457f41a | Windows | This strike sends a malware sample known as Ramnit. Ramnit is a banking trojan that has been around since 2010 and has recently resumed activity. After infection, it scans files for interesting keywords, such as "wallet", "passwords", or the names of the targeted banks. Ramnit uses malvertising and malware-laden spam for distribution, though it has also employed popular exploit kits, such as Angler. | f457f41a6bd5a0a1e4608c8a097d6a43 | https://blog.talosintelligence.com/2021/08/threat-roundup-0813-0820.html; SHA256: 731fc49dabea5962c6a00ef142a75a507415e2aae14d426e063f9e53a60355ca; SHA1: 35c5df0b662cf6093c5a2891f9e27e31728a09a6; MD5: f457f41a6bd5a0a1e4608c8a097d6a43 |
M21-73ke1 | BlackMatter_1dd464cb | Windows | This strike sends a malware sample known as BlackMatter. BlackMatter is a Ransomware-as-a-Service (RaaS). It has followed in the footsteps of its predecessors DarkSide and REvil with much of the same functionality. It can elevate privileges, kill processes, and even steal the victim's details. | 1dd464cbb3fbd6881eef3f05b8b1fbd5 | https://news.sophos.com/en-us/2021/08/09/blackmatter-ransomware-emerges-from-the-shadow-of-darkside/; SHA256: b824bbc645f15e213b4cb2628f7d383e9e37282059b03f6fe60f7c84ea1fed1f; SHA1: cafd8d20f2abaebbbfc367b4b4512107362f3758; MD5: 1dd464cbb3fbd6881eef3f05b8b1fbd5 |
M21-6n8o1 | BlackMatter_c5ef4711 | Windows | This strike sends a polymorphic malware sample known as BlackMatter. BlackMatter is a Ransomware-as-a-Service (RaaS). It has followed in the footsteps of its predecessors DarkSide and REvil with much of the same functionality. It can elevate privileges, kill processes, and even steal the victim's details. The binary has been packed using the UPX packer with the default options. | c5ef4711b1b6303b622a8c73f4704430 | https://news.sophos.com/en-us/2021/08/09/blackmatter-ransomware-emerges-from-the-shadow-of-darkside/; https://attack.mitre.org/techniques/T1045/; SHA256: 5864517605fcaa6416bd2a4241b9f3a2b96c12a35f320859a95dabd9caaefbc6; PARENTID: M21-73ke1; SSDEEP: 768:9Esd1Xkoqgm1lGG9MsmWpIowIx0Uko82MrKdzW5F8hMoZQUJkwjbP+9:BB8JlGUMlBho82RE38/ZQdub; SHA1: 1be04991c3d57c641fd1e40e7ae37f12f744d744; MD5: c5ef4711b1b6303b622a8c73f4704430 |
M21-rp6e1 | Thanos_d6d95626 | Windows | This strike sends a malware sample known as Thanos. Thanos ransomware offers the user the option to customize and include a variety of functions and capabilities. The Thanos builder code was recently made available and many variants have started to surface with its framework at the core. This version of Thanos includes the ability to overwrite the MBR and display the same ransom message, as well as the ability to detect and evade analysis tools. | d6d956267a268c9dcf48445629d2803e | https://unit42.paloaltonetworks.com/thanos-ransomware/; SHA256: c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850; SHA1: cc0feae505dad9c140dd21d1b40b518d8e61b3a4; MD5: d6d956267a268c9dcf48445629d2803e |
M21-gscf1 | Ramnit_3eb1a18b | Windows | This strike sends a malware sample known as Ramnit. Ramnit is a banking trojan that has been around since 2010 and has recently resumed activity. After infection, it scans files for interesting keywords, such as "wallet", "passwords", or the names of the targeted banks. Ramnit uses malvertising and malware-laden spam for distribution, though it has also employed popular exploit kits, such as Angler. | 3eb1a18b4c1516e434c54d6ef8a151cc | https://blog.talosintelligence.com/2021/08/threat-roundup-0813-0820.html; SHA256: 021dc00f29097bae2e878dadd5aef152f6deb540b0cc7220cc61e9f782990f23; SHA1: 581ffa02cee0ed85800d7437b4c23a97c7bd087a; MD5: 3eb1a18b4c1516e434c54d6ef8a151cc |
M21-2hr11 | Trickbot_ea8ace01 | Windows | This strike sends a malware sample known as Trickbot. Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts. | ea8ace0142ab9a30a140134d558a43df | https://blog.talosintelligence.com/2021/08/threat-roundup-0730-0806.html; SHA256: 14c64c9047b71fce74225216653b3491861d8f9274afa3519ae1976f2b8d76a0; SHA1: 952e147614595fc84fdf68a3a65eaf1c1698b013; MD5: ea8ace0142ab9a30a140134d558a43df |
M21-w90c1 | Trickbot_b638dabc | Windows | This strike sends a malware sample known as Trickbot. Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts. | b638dabcf64b3233ea43318c981c536b | https://blog.talosintelligence.com/2021/08/threat-roundup-0730-0806.html; SHA256: 1afc3ee244bda23d65c3495c30a3ebad2b7a716f6eb62bc02b6ac036082af227; SHA1: 5e3ec28c9c57af4defc98db4384d3c9517d340ae; MD5: b638dabcf64b3233ea43318c981c536b |
M21-he5b1 | BlackMatter_1019e015 | Windows | This strike sends a polymorphic malware sample known as BlackMatter. BlackMatter is a Ransomware-as-a-Service (RaaS). It has followed in the footsteps of its predecessors DarkSide and REvil with much of the same functionality. It can elevate privileges, kill processes, and even steal the victim's details. The binary has the checksum removed in the PE file format. | 1019e0151d6c55eeecf06443fa6197c7 | https://news.sophos.com/en-us/2021/08/09/blackmatter-ransomware-emerges-from-the-shadow-of-darkside/; https://arxiv.org/abs/1801.08917; SHA256: 84af3f15701d259f3729d83beb15ca738028432c261353d1f9242469d791714f; PARENTID: M21-mfzl1; SSDEEP: 1536:jzICS4AT6GxdEe+TOdincJXvKv8Zg3kl:8R7auJXSkZg3C; SHA1: 369445caaca7ba44bc684f9d9fd7651467ed5167; MD5: 1019e0151d6c55eeecf06443fa6197c7 |
M21-y6d41 | DarkComet_096522f8 | Windows |
This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system. | 096522f8c09e14d2e70723bd8d0ecd21 | https://blog.talosintelligence.com/2021/08/threat-roundup-0806-0813.html SHA256: 4efae949b98bf76d42f3613a7864e3d70ada3d1b2824149b3a40a07a3654160d SHA1: d746956c2ef6a1756829efdaab0ce3defd519416 MD5: 096522f8c09e14d2e70723bd8d0ecd21 |
M21-0iu61 | Qakbot_40155b0f | Windows |
This strike sends a malware sample known as Qakbot. Qakbot, aka Qbot, has been around since at least 2008. Qbot primarily targets sensitive information like banking credentials but can also steal FTP credentials and spread across a network using SMB. | 40155b0fba5d52eb6c3dc9b1164e6404 | https://blog.talosintelligence.com/2021/08/threat-roundup-0806-0813.html SHA256: 20d724fc562fa14b107c292020f6d03cb3c958d90a79ce3476e3f877f46ea0e8 SHA1: 5b11840b071e4e69a021d10a8349b9c60768094f MD5: 40155b0fba5d52eb6c3dc9b1164e6404 |
M21-2vcp1 | BlackMatter_b492d118 | Windows |
This strike sends a polymorphic malware sample known as BlackMatter. BlackMatter is a Ransomware-as-a-Service or RaaS. It has followed in the footsteps of its predecessors DarkSide and REvil with a lot of the same functionality. It can elevate privileges, kill processes, and even steal the victim's details. The binary has random bytes appended at the end of the file. | b492d118edc1f091d3371012c2463e57 | https://news.sophos.com/en-us/2021/08/09/blackmatter-ransomware-emerges-from-the-shadow-of-darkside/ SHA256: bd2b55ffb7c8a10662e0946d3f0124294b421b2eafb82fd4f13dab95de6ae385 https://attack.mitre.org/techniques/T1009/ PARENTID: M21-mfzl1 SSDEEP: 1536:RzICS4AT6GxdEe+TOdincJXvKv8Zg3kl1:qR7auJXSkZg3C1 SHA1: 52a17b1a3525365b6c84b6f28b42d9df20c68d41 MD5: b492d118edc1f091d3371012c2463e57 |
M21-51dw1 | Thanos_1d45efc7 | Windows |
This strike sends a polymorphic malware sample known as Thanos. Thanos ransomware offers the user the option to customize and include a variety of functions and capabilities. The Thanos builder code was recently made available and many variants have started to surface with its framework at the core. This version of Thanos includes the ability to overwrite the MBR and display the same ransom message, as well as the ability to detect and evade analysis tools. The binary has random strings (lorem ipsum) appended at the end of the file. | 1d45efc7078b10c28a1d606053d066af | https://unit42.paloaltonetworks.com/thanos-ransomware/ SHA256: 36f584b8d76e4ddb40b3af735b9fc275783d7e0f27e1f238b9642cc23081eb77 https://attack.mitre.org/techniques/T1009/ PARENTID: M21-rp6e1 SSDEEP: 1536:OXMLuZQG3KJ3QaIH9shR4fZcvr4C9u3MTIdD9mtthd9JovrgmqhtvM4CoLT6QPb4:gMLuZraJ3a0ehcvv9sM+9mtthd0gmWkH SHA1: 846fcbbbbcf1152b1c93dfa6583533b001e5b556 MD5: 1d45efc7078b10c28a1d606053d066af |
M21-kwps1 | Qakbot_925bb382 | Windows |
This strike sends a malware sample known as Qakbot. Qakbot, aka Qbot, has been around since at least 2008. Qbot primarily targets sensitive information like banking credentials but can also steal FTP credentials and spread across a network using SMB. | 925bb382d450c773a5585ccdf6f13884 | https://blog.talosintelligence.com/2021/08/threat-roundup-0806-0813.html SHA256: 16ad7701d366ef3dab53c0979741279b684f2f94fb52398a788071438921b31d SHA1: 6717f38fc8d211e7c2afa917030f2f1eff91a6d8 MD5: 925bb382d450c773a5585ccdf6f13884 |
M21-bkdk1 | Thanos_18cec1f1 | Windows |
This strike sends a polymorphic malware sample known as Thanos. Thanos ransomware offers the user the option to customize and include a variety of functions and capabilities. The Thanos builder code was recently made available and many variants have started to surface with its framework at the core. This version of Thanos includes the ability to overwrite the MBR and display the same ransom message, as well as the ability to detect and evade analysis tools. The binary has a random section name renamed according to the PE format specification. | 18cec1f15061129aff9fa49bc639dbbe | https://unit42.paloaltonetworks.com/thanos-ransomware/ SHA256: 5fc581f02abb01a666d8fb9200ad2d3fa11e9d0f4aaf11e5e26ba0fe463892b4 https://arxiv.org/abs/1801.08917 PARENTID: M21-ogcu1 SSDEEP: 1536:TguHLgeS6umiCp31W4qYXgsLlOqrgB9GpF7LXdarTkCAKL5dsluhtvM4CoLT6QPg:86seqCp31Hgsp9a9GTrda8CAKLTsWkyI SHA1: 497d83dff7465190d640b10e015024d4aeb45c20 MD5: 18cec1f15061129aff9fa49bc639dbbe |
M21-vom11 | Qakbot_55abb44e | Windows |
This strike sends a malware sample known as Qakbot. Qakbot, aka Qbot, has been around since at least 2008. Qbot primarily targets sensitive information like banking credentials but can also steal FTP credentials and spread across a network using SMB. | 55abb44e737b2a7a27b0f424bb5d2ba5 | https://blog.talosintelligence.com/2021/08/threat-roundup-0806-0813.html SHA256: 3c4e2eb21f26dee76e957a5c46b0492a43bf4dd53651615b2a84940011257929 SHA1: f403de4fc77e457f3a695dba08dc1376b7cd769c MD5: 55abb44e737b2a7a27b0f424bb5d2ba5 |
M21-r04g1 | Haron_e8f8e4eb | Windows |
This strike sends a malware sample known as Haron. Haron is ransomware that is considered a copy or derivative of the Avaddon and Thanos ransomware. It uses the Thanos framework, which was made open source, to infect victims, and the Avaddon UI, which was also leaked. | e8f8e4eb0d2c03f0b12fb1cf09932bbd | https://medium.com/s2wlab/quick-analysis-of-haron-ransomware-feat-avaddon-and-thanos-1ebb70f64dc4 SHA256: 81411c9010f2adcb4758bac5ed6128d5a76b24689d477f6ed2c3003fd57e4f3b SHA1: 8ae409a74a209c304233ce6c6f778915fc59264f MD5: e8f8e4eb0d2c03f0b12fb1cf09932bbd |
M21-4w111 | BlackMatter_cfacfde5 | Windows |
This strike sends a polymorphic malware sample known as BlackMatter. BlackMatter is a Ransomware-as-a-Service or RaaS. It has followed in the footsteps of its predecessors DarkSide and REvil with a lot of the same functionality. It can elevate privileges, kill processes, and even steal the victim's details. The binary has the debug flag removed in the PE file format. | cfacfde557d2762c0b7932b03c683b8a | https://news.sophos.com/en-us/2021/08/09/blackmatter-ransomware-emerges-from-the-shadow-of-darkside/ SHA256: e05c2049e12dda3a36a21f6fa2acd3cb532743e61d5d11a2503f3069b38de3be https://arxiv.org/abs/1801.08917 PARENTID: M21-do2n1 SSDEEP: 1536:1zICS4AT6GxdEe+TOdincJXvKv8Zg3kl/:WR7auJXSkZg3C/ SHA1: ca9147e7086940b8520b6c8565d20e7452445bf3 MD5: cfacfde557d2762c0b7932b03c683b8a |
M21-oig31 | Trickbot_c0f61798 | Windows |
This strike sends a malware sample known as Trickbot. Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts. | c0f6179824cdd74331aa36aea17315a3 | https://blog.talosintelligence.com/2021/08/threat-roundup-0730-0806.html SHA256: 19e74a92942859c1f9d23cf1a924d5232663226e44a64f90712f6d7653d03f25 SHA1: 413cf8a13c6ca782a827dbf51d655e236ed1827e MD5: c0f6179824cdd74331aa36aea17315a3 |
M21-67v01 | BlackMatter_3317daac | Windows |
This strike sends a malware sample known as BlackMatter. BlackMatter is a Ransomware-as-a-Service or RaaS. It has followed in the footsteps of its predecessors DarkSide and REvil with a lot of the same functionality. It can elevate privileges, kill processes, and even steal the victim's details. | 3317daace715dc332622d883091cf68b | https://news.sophos.com/en-us/2021/08/09/blackmatter-ransomware-emerges-from-the-shadow-of-darkside/ SHA256: e4fd947a781611c85ea2e5afa51b186de7f351026c28eb067ad70028acd72cda SHA1: 02fa74523198ebc1db490bdc6f10a78a44c4e28b MD5: 3317daace715dc332622d883091cf68b |
M21-wlko1 | Haron_dedad693 | Windows |
This strike sends a malware sample known as Haron. Haron is ransomware that is considered a copy or derivative of the Avaddon and Thanos ransomware. It uses the Thanos framework, which was made open source, to infect victims, and the Avaddon UI, which was also leaked. | dedad693898bba0e4964e6c9a749d380 | https://medium.com/s2wlab/quick-analysis-of-haron-ransomware-feat-avaddon-and-thanos-1ebb70f64dc4 SHA256: 6e6b78a1df17d6718daa857827a2a364b7627d9bfd6672406ad72b276014209c SHA1: 0475d9d3485583090f00b1c37450771ccd0df00e MD5: dedad693898bba0e4964e6c9a749d380 |
M21-4x901 | Qakbot_70011104 | Windows |
This strike sends a malware sample known as Qakbot. Qakbot, aka Qbot, has been around since at least 2008. Qbot primarily targets sensitive information like banking credentials but can also steal FTP credentials and spread across a network using SMB. | 70011104f678ba095188b3975d29aa6b | https://blog.talosintelligence.com/2021/08/threat-roundup-0806-0813.html SHA256: 3136bf60107ecc6bcf659edd6e60cf01b3228fc7098a4bf2acf7d5a250ac3f29 SHA1: 591a90474b8bfae7ddd33cf9620b827f7f13a876 MD5: 70011104f678ba095188b3975d29aa6b |
M21-xeda1 | Qakbot_5b656068 | Windows |
This strike sends a malware sample known as Qakbot. Qakbot, aka Qbot, has been around since at least 2008. Qbot primarily targets sensitive information like banking credentials but can also steal FTP credentials and spread across a network using SMB. | 5b6560682dbd9b107b0b8d3acb1f6267 | https://blog.talosintelligence.com/2021/08/threat-roundup-0806-0813.html SHA256: 40934bae7c322b0d6ae26a5a90dc17ad28f5d964a9c2032de0243043781c586d SHA1: faee87cf8b22bc93f93f8ce5ec9edd19fea9b8ea MD5: 5b6560682dbd9b107b0b8d3acb1f6267 |
M21-3ary1 | Ramnit_b4a403f5 | Windows |
This strike sends a malware sample known as Ramnit. Ramnit is a banking trojan that has been around since 2010 and has recently been resuming activity. After infection, it scans files that have interesting keywords, such as "wallet", "passwords", or the names of the targeted banks. Ramnit uses malvertising and malware-laden spam for distribution, though it also employed popular exploit kits, such as Angler. | b4a403f53da0d72524dd7600b7d68dca | https://blog.talosintelligence.com/2021/08/threat-roundup-0813-0820.html SHA256: 70c417fcdd20459484733bc71379e11b17dbea93b4848e1a990dc68e928c04ce SHA1: 8b2906600c9c5e692ee1fbab39c7d816c008a4f6 MD5: b4a403f53da0d72524dd7600b7d68dca |
M21-3h6h1 | BlackMatter_bff66be9 | Windows |
This strike sends a polymorphic malware sample known as BlackMatter. BlackMatter is a Ransomware-as-a-Service or RaaS. It has followed in the footsteps of its predecessors DarkSide and REvil with a lot of the same functionality. It can elevate privileges, kill processes, and even steal the victim's details. The binary has a random section name renamed according to the PE format specification. | bff66be9812f514e2ba8bd00746ef5cf | https://news.sophos.com/en-us/2021/08/09/blackmatter-ransomware-emerges-from-the-shadow-of-darkside/ SHA256: 9bb22043e0551eaaa84efc99d21c0da1732d12f153104c72ccdbe0975d344d91 https://arxiv.org/abs/1801.08917 PARENTID: M21-do2n1 SSDEEP: 1536:MzICS4AT6GxdEe+TOdincJXvKv8Zg3kl/:jR7auJXSkZg3C/ SHA1: a69a48bd9004440b3bd9103424687da259b4e361 MD5: bff66be9812f514e2ba8bd00746ef5cf |
M21-59y61 | DarkComet_0024d4df | Windows |
This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system. | 0024d4df650a7d03dae83d24097cfa10 | https://blog.talosintelligence.com/2021/08/threat-roundup-0806-0813.html SHA256: 445d9223cdc386994df6089ab69340c195b06125cf30b9424d44c0eb24b0d502 SHA1: b3cce32d5fcdcbc1d1b8413877a8d6a1a986ec86 MD5: 0024d4df650a7d03dae83d24097cfa10 |
M21-np1r1 | Trickbot_b1313c41 | Windows |
This strike sends a malware sample known as Trickbot. Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts. | b1313c41c879457c5c15bfefcce64f66 | https://blog.talosintelligence.com/2021/08/threat-roundup-0730-0806.html SHA256: 057ffc3a33d129bbb509f49bbff396c750f0a5186b30633fee9b05ac544a1a52 SHA1: b5e428ca952f590db676494799584e81be8b0a63 MD5: b1313c41c879457c5c15bfefcce64f66 |
M21-xdp41 | Trickbot_11975ca9 | Windows |
This strike sends a malware sample known as Trickbot. Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts. | 11975ca9e9ebb3f66129e59d490fc257 | https://blog.talosintelligence.com/2021/08/threat-roundup-0730-0806.html SHA256: 02dd2fe1cd74b60e822ae700a1c4be45139a6aa88a5f81ce5e9a6644d6b2d2d8 SHA1: ff090427e7118382924b765e0ef1605b5b2ea8ee MD5: 11975ca9e9ebb3f66129e59d490fc257 |
M21-s87e1 | Haron_04ef9ed3 | Windows |
This strike sends a malware sample known as Haron. Haron is ransomware that is considered a copy or derivative of the Avaddon and Thanos ransomware. It uses the Thanos framework, which was made open source, to infect victims, and the Avaddon UI, which was also leaked. | 04ef9ed3902dadccabb678c9dad53f19 | https://medium.com/s2wlab/quick-analysis-of-haron-ransomware-feat-avaddon-and-thanos-1ebb70f64dc4 SHA256: cbdb04d23e395b270e16d7ca81cc6b734039fa069932989d4e4f4d4d266df28b SHA1: 39e30adae70f605e09db5c5a359a53e4e6f3a14a MD5: 04ef9ed3902dadccabb678c9dad53f19 |
M21-j7tl1 | Thanos_03b76a51 | Windows |
This strike sends a malware sample known as Thanos. Thanos ransomware offers the user the option to customize and include a variety of functions and capabilities. The Thanos builder code was recently made available and many variants have started to surface with its framework at the core. This version of Thanos includes the ability to overwrite the MBR and display the same ransom message, as well as the ability to detect and evade analysis tools. | 03b76a5130d0df8134a6bdea7fe97bcd | https://unit42.paloaltonetworks.com/thanos-ransomware/ SHA256: ae66e009e16f0fad3b70ad20801f48f2edb904fa5341a89e126a26fd3fc80f75 SHA1: 60053d661ed03cd2a07f6750532e6ef11abcc4e5 MD5: 03b76a5130d0df8134a6bdea7fe97bcd |
M21-5e5r1 | Ramnit_b3632d95 | Windows |
This strike sends a malware sample known as Ramnit. Ramnit is a banking trojan that has been around since 2010 and has recently been resuming activity. After infection, it scans files that have interesting keywords, such as "wallet", "passwords", or the names of the targeted banks. Ramnit uses malvertising and malware-laden spam for distribution, though it also employed popular exploit kits, such as Angler. | b3632d958616bac3b775d19f3347f6cd | https://blog.talosintelligence.com/2021/08/threat-roundup-0813-0820.html SHA256: 888368daa079dad1ba47d59f2ef8d7a5f9352f09004e59aea1e3c1118b72c524 SHA1: fdd23efa8685d25ace96387d793a1822681f4c3b MD5: b3632d958616bac3b775d19f3347f6cd |
M21-vpb91 | BlackMatter_b5c9d7c1 | Windows |
This strike sends a polymorphic malware sample known as BlackMatter. BlackMatter is a Ransomware-as-a-Service or RaaS. It has followed in the footsteps of its predecessors DarkSide and REvil with a lot of the same functionality. It can elevate privileges, kill processes, and even steal the victim's details. The binary has a random section name renamed according to the PE format specification. | b5c9d7c157a3fffd0cab340313f1c5ec | https://news.sophos.com/en-us/2021/08/09/blackmatter-ransomware-emerges-from-the-shadow-of-darkside/ SHA256: da9d5213bc40b956f306b161eaa859b09bd9fe88101ee5d27503d9656337a4d7 https://arxiv.org/abs/1801.08917 PARENTID: M21-mfzl1 SSDEEP: 1536:tzICS4AT6GxdEe+TOdincJXvKv8Zg3kl:+R7auJXSkZg3C SHA1: e7e1080eaaafc88cdc21f11e2e32283875b3aa01 MD5: b5c9d7c157a3fffd0cab340313f1c5ec |
M21-jcvm1 | DarkComet_6d0ab127 | Windows |
This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system. | 6d0ab12741204e06e5b8ddcf1ebd4e76 | https://blog.talosintelligence.com/2021/08/threat-roundup-0806-0813.html SHA256: 0063112e85dfaf4331c73ad5a73856cfa5a29911ef8d80c12250a874f60c48ba SHA1: 3288c15f4dafb1732150eb28e976d76dc7a5d122 MD5: 6d0ab12741204e06e5b8ddcf1ebd4e76 |
M21-ds931 | BlackMatter_61d0a6a7 | Windows |
This strike sends a polymorphic malware sample known as BlackMatter. BlackMatter is a Ransomware-as-a-Service or RaaS. It has followed in the footsteps of its predecessors DarkSide and REvil with a lot of the same functionality. It can elevate privileges, kill processes, and even steal the victim's details. The binary has been packed using the UPX packer, with the default options. | 61d0a6a753435fdae8993473c083b872 | https://news.sophos.com/en-us/2021/08/09/blackmatter-ransomware-emerges-from-the-shadow-of-darkside/ SHA256: 83c0a6a905be917cac1c56b0a3688763543acade02ab73882e0f62782a661ebf https://attack.mitre.org/techniques/T1045/ PARENTID: M21-do2n1 SSDEEP: 768:BgwSZTs5PurwdYuWMni9LO7Tl76j/4T+m5CrfR:mPTs5Pur35Mn6S+8Cr5 SHA1: 316d6a6f18272839eacb8a346be986cb8858a3dd MD5: 61d0a6a753435fdae8993473c083b872 |
M21-do2n1 | BlackMatter_d0512f20 | Windows |
This strike sends a malware sample known as BlackMatter. BlackMatter is a Ransomware-as-a-Service or RaaS. It has followed in the footsteps of its predecessors DarkSide and REvil with a lot of the same functionality. It can elevate privileges, kill processes, and even steal the victim's details. | d0512f2063cbd79fb0f770817cc81ab3 | https://news.sophos.com/en-us/2021/08/09/blackmatter-ransomware-emerges-from-the-shadow-of-darkside/ SHA256: 7f6dd0ca03f04b64024e86a72a6d7cfab6abccc2173b85896fc4b431990a5984 SHA1: e324a2c8fae0d26b12f00ac859340f8d9945a9c1 MD5: d0512f2063cbd79fb0f770817cc81ab3 |
M21-fp7f1 | DarkComet_e9398ac5 | Windows |
This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system. | e9398ac53c135781e952477e91fbb02c | https://blog.talosintelligence.com/2021/08/threat-roundup-0806-0813.html SHA256: 06cc9a66099e3a7b1cfb87a005501ec3410a280521e02fe39674bf31d4bc4c17 SHA1: 7fbf8fbf093958a5d55a79e03465bffcb0263131 MD5: e9398ac53c135781e952477e91fbb02c |
M21-3ba01 | Ramnit_c6d47278 | Windows |
This strike sends a malware sample known as Ramnit. Ramnit is a banking trojan that has been around since 2010 and has recently been resuming activity. After infection, it scans files that have interesting keywords, such as "wallet", "passwords", or the names of the targeted banks. Ramnit uses malvertising and malware-laden spam for distribution, though it also employed popular exploit kits, such as Angler. | c6d472784b73e47ea8af9f50ce45fb58 | https://blog.talosintelligence.com/2021/08/threat-roundup-0813-0820.html SHA256: 6788c4a2c0bc6d5f80dc8b5ecb7b37100f6c37d231a389ec906aae784cff529e SHA1: f9ce1342a8b5762c5b2125025a231eac28bbb536 MD5: c6d472784b73e47ea8af9f50ce45fb58 |
M21-rws11 | Trickbot_11364049 | Windows |
This strike sends a malware sample known as Trickbot. Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts. | 11364049a6159e255dc03eae0dec6daf | https://blog.talosintelligence.com/2021/08/threat-roundup-0730-0806.html SHA256: 0909cc85312268a10d2705100ea2ed5b95eb7ab5f765e41a3a6eb7e4dc5eeaf0 SHA1: 150c97ce4733f82c4dfa7683c889a6ee50ff4c1e MD5: 11364049a6159e255dc03eae0dec6daf |
M21-fio31 | Trickbot_69f7682d | Windows |
This strike sends a malware sample known as Trickbot. Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts. | 69f7682d754f01aecd9658f57f8670d0 | https://blog.talosintelligence.com/2021/08/threat-roundup-0730-0806.html SHA256: 0abccd961e1dd93ab520cd88c2e07a7a2ec4e8a6138f7bcd714cd1cd2743be6f SHA1: f4f66df1861350bcbfdbadc2ea3afe9b46c4f259 MD5: 69f7682d754f01aecd9658f57f8670d0 |
M21-yef71 | BlackMatter_3f9a28e8 | Linux |
This strike sends a malware sample known as BlackMatter. BlackMatter is a Ransomware-as-a-Service or RaaS. It has followed in the footsteps of its predecessors DarkSide and REvil with a lot of the same functionality. It can elevate privileges, kill processes, and even steal the victim's details. | 3f9a28e8c057e7ea7ccf15a4db81f362 | https://news.sophos.com/en-us/2021/08/09/blackmatter-ransomware-emerges-from-the-shadow-of-darkside/ SHA256: 6a7b7147fea63d77368c73cef205eb75d16ef209a246b05698358a28fd16e502 SHA1: 10d6d3c957facf06098771bf409b9593eea58c75 MD5: 3f9a28e8c057e7ea7ccf15a4db81f362 |
M21-hg7r1 | Haron_6da3c779 | Windows |
This strike sends a malware sample known as Haron. Haron is ransomware that is considered a copy or derivative of the Avaddon and Thanos ransomware. It uses the Thanos framework, which was made open source, to infect victims, and the Avaddon UI, which was also leaked. | 6da3c7796bca2f47f11e8711a945cf1d | https://medium.com/s2wlab/quick-analysis-of-haron-ransomware-feat-avaddon-and-thanos-1ebb70f64dc4 SHA256: d29abe6ed086a5508c54df31010c36cc19fea3bdc5d521ee7c0d7063a51bb131 SHA1: e65df27b70ba3206d216a49b43f6beb2095cfe1b MD5: 6da3c7796bca2f47f11e8711a945cf1d |
M21-0et61 | Qakbot_140712ed | Windows |
This strike sends a malware sample known as Qakbot. Qakbot, aka Qbot, has been around since at least 2008. Qbot primarily targets sensitive information like banking credentials but can also steal FTP credentials and spread across a network using SMB. | 140712ed211d973de5a3274608cf28c0 | https://blog.talosintelligence.com/2021/08/threat-roundup-0806-0813.html SHA256: 35150a082f7fc90418facbde01f262cee672ae4dfd34b0aae06da95ec064b580 SHA1: 112bb65dbedbe728082bdd8988ca4c9e21a3a38e MD5: 140712ed211d973de5a3274608cf28c0 |
M21-ogcu1 | Thanos_be60e389 | Windows |
This strike sends a malware sample known as Thanos. Thanos ransomware offers the user the option to customize and include a variety of functions and capabilities. The Thanos builder code was recently made available and many variants have started to surface with its framework at the core. This version of Thanos includes the ability to overwrite the MBR and display the same ransom message, as well as the ability to detect and evade analysis tools. | be60e389a0108b2871dff12dfbb542ac | https://unit42.paloaltonetworks.com/thanos-ransomware/ SHA256: 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d SHA1: 14b4e0bfac64ec0f837f84ab1780ca7ced8d670d MD5: be60e389a0108b2871dff12dfbb542ac |
M21-ef1j1 | BlackMatter_9fa3cafb | Windows |
This strike sends a polymorphic malware sample known as BlackMatter. BlackMatter is a Ransomware-as-a-Service or RaaS. It has followed in the footsteps of its predecessors DarkSide and REvil with a lot of the same functionality. It can elevate privileges, kill processes, and even steal the victim's details. The binary file has one more import added in the import table. | 9fa3cafbc2f1ded8fe92007408e7625d | https://news.sophos.com/en-us/2021/08/09/blackmatter-ransomware-emerges-from-the-shadow-of-darkside/ SHA256: 6d4406e0636511dcff4e24aac5075e09c576e9198d53f0d1d7aa86b08d033f76 https://arxiv.org/abs/1702.05983 PARENTID: M21-mfzl1 SSDEEP: 1536:xzICS4AT6GxdEe+TOdincJXvKvYZg3kl:KR7auJXSgZg3C SHA1: fcacc83dcf30b91634690ecc1d73d2df591760d7 MD5: 9fa3cafbc2f1ded8fe92007408e7625d |
M21-2gx61 | Ramnit_0a48bae2 | Windows |
This strike sends a malware sample known as Ramnit. Ramnit is a banking trojan that has been around since 2010 and has recently been resuming activity. After infection, it scans files that have interesting keywords, such as "wallet", "passwords", or the names of the targeted banks. Ramnit uses malvertising and malware-laden spam for distribution, though it also employed popular exploit kits, such as Angler. | 0a48bae2ff4780521936d8b94d3b0ce0 | https://blog.talosintelligence.com/2021/08/threat-roundup-0813-0820.html SHA256: 8836d87dec16f04560a0ba2f9ab1423bbedcc69031a7b5d7a11cf4fed024a984 SHA1: 851052f212450b674c34ad78a3f8dcfd490730a6 MD5: 0a48bae2ff4780521936d8b94d3b0ce0 |
M21-b4y11 | Qakbot_e0c23898 | Windows |
This strike sends a malware sample known as Qakbot. Qakbot, aka Qbot, has been around since at least 2008. Qbot primarily targets sensitive information like banking credentials but can also steal FTP credentials and spread across a network using SMB. | e0c23898f4acf8a0fae7b430a3891b62 | https://blog.talosintelligence.com/2021/08/threat-roundup-0806-0813.html SHA256: 357be50930bd829907a4068b1017b945263a56bc12cc9728977d3c866c9a68a6 SHA1: 08b63275867ae22788bafc5a0ed34b95b1efceb3 MD5: e0c23898f4acf8a0fae7b430a3891b62 |
M21-ccj91 | Qakbot_5c00db17 | Windows |
This strike sends a malware sample known as Qakbot. Qakbot, aka Qbot, has been around since at least 2008. Qbot primarily targets sensitive information like banking credentials but can also steal FTP credentials and spread across a network using SMB. | 5c00db1760ffd163c86597a1ac93a20b | https://blog.talosintelligence.com/2021/08/threat-roundup-0806-0813.html SHA256: 209b3eeabd048f7cb2c634bf1e7414262ded407ae41b25d00db5db86008aa84f SHA1: 10b05f3ef3ca5703e397584d0df52e0b9fa8c165 MD5: 5c00db1760ffd163c86597a1ac93a20b |
M21-wdry1 | Ramnit_d475fd84 | Windows |
This strike sends a malware sample known as Ramnit. Ramnit is a banking trojan that has been around since 2010 and has recently been resuming activity. After infection, it scans files that have interesting keywords, such as "wallet", "passwords", or the names of the targeted banks. Ramnit uses malvertising and malware-laden spam for distribution, though it also employed popular exploit kits, such as Angler. | d475fd848f01340ad4219ff55b6bc52e | https://blog.talosintelligence.com/2021/08/threat-roundup-0813-0820.html SHA256: 42f1e9f830ef80f92e5abd3e2463e01c4bbce62342247c76c0ee4f1d87ec28b5 SHA1: 331767d919e206de45a46fde3c2a6bbb70ff06bd MD5: d475fd848f01340ad4219ff55b6bc52e |
M21-cexl1 | Trickbot_4813b76a | Windows |
This strike sends a malware sample known as Trickbot. Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts. | 4813b76a9400b62a0acaab0cb5c09bfe | https://blog.talosintelligence.com/2021/08/threat-roundup-0730-0806.html SHA256: 27e3ba58cbb7ab7628e97dab88836edf3525a0137360056fc05e869dac57711a SHA1: f153407ef869810bd869a58b0d2b175d867d545d MD5: 4813b76a9400b62a0acaab0cb5c09bfe |
M21-vykk1 | Ramnit_3123ff95 | Windows |
This strike sends a malware sample known as Ramnit. Ramnit is a banking trojan that has been around since 2010 and has recently been resuming activity. After infection, it scans files that have interesting keywords, such as "wallet", "passwords", or the names of the targeted banks. Ramnit uses malvertising and malware-laden spam for distribution, though it also employed popular exploit kits, such as Angler. | 3123ff955e554c6ddfaaae2619fbf997 | https://blog.talosintelligence.com/2021/08/threat-roundup-0813-0820.html SHA256: 3ca3e6ac1fad0e004643a5512be7282935d6dbe98e088e256846ee6de2c390ce SHA1: 21f2a926592de040280c4557345e1238f033d32e MD5: 3123ff955e554c6ddfaaae2619fbf997 |
M21-mfzl1 | BlackMatter_598c53bf | Windows |
This strike sends a malware sample known as BlackMatter. BlackMatter is a Ransomware-as-a-Service or RaaS. It has followed in the footsteps of its predecessors DarkSide and REvil with a lot of the same functionality. It can elevate privileges, kill processes, and even steal the victim's details. | 598c53bfef81e489375f09792e487f1a | https://news.sophos.com/en-us/2021/08/09/blackmatter-ransomware-emerges-from-the-shadow-of-darkside/ SHA256: 22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6 SHA1: 80a29bd2c349a8588edf42653ed739054f9a10f5 MD5: 598c53bfef81e489375f09792e487f1a |
M21-pf5o1 | BlackMatter_da66726c | Windows |
This strike sends a polymorphic malware sample known as BlackMatter. BlackMatter is a Ransomware-as-a-Service or RaaS. It has followed in the footsteps of its predecessors DarkSide and REvil with a lot of the same functionality. It can elevate privileges, kill processes, and even steal the victim's details. The binary has random strings (lorem ipsum) appended at the end of the file. | da66726c18cecc87d776623fb1a26344 | https://news.sophos.com/en-us/2021/08/09/blackmatter-ransomware-emerges-from-the-shadow-of-darkside/ SHA256: 978b92cde2fae00e5c49f0bd1ffca9f8d35b505bbf1436692979d6e07e243ab6 https://attack.mitre.org/techniques/T1009/ PARENTID: M21-do2n1 SSDEEP: 1536:RzICS4AT6GxdEe+TOdincJXvKv8Zg3kl2:qR7auJXSkZg3C2 SHA1: 9dc8c171793421e9973d8dce9bc63670ca655c6f MD5: da66726c18cecc87d776623fb1a26344 |
M21-klix1 | Qakbot_672e642a | Windows |
This strike sends a malware sample known as Qakbot. Qakbot, aka Qbot, has been around since at least 2008. Qbot primarily targets sensitive information like banking credentials but can also steal FTP credentials and spread across a network using SMB. | 672e642af35cac2735e19f1e488be72f | https://blog.talosintelligence.com/2021/08/threat-roundup-0806-0813.html SHA256: 2edf0dabcb16bde79ecddafaaa52644de1229db74ba8e1abf6fe868e8e1c4447 SHA1: aa4bc6c41c710217bfceb2adad5b49482e54a65e MD5: 672e642af35cac2735e19f1e488be72f |
M21-go3s1 | DarkComet_5de32a2e | Windows |
This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system. | 5de32a2ef97290585b28f4409384251a | https://blog.talosintelligence.com/2021/08/threat-roundup-0806-0813.html SHA256: 0a4acb875e2052335654082e77210a8a30001d2847532ae2a58066efafb37c5e SHA1: b30660ce3aec157199736c9f47d127eef891e976 MD5: 5de32a2ef97290585b28f4409384251a |
M21-kusc1 | DarkComet_7a7a2615 | Windows |
This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system. | 7a7a261530db35879c9c080cc46084de | https://blog.talosintelligence.com/2021/08/threat-roundup-0806-0813.html SHA256: 615453b9561c9c612ae38166917e9a34f67d5012ce0ed946a0eff07dbb9a7ae1 SHA1: 23c16f29432cf04c87a587f8ae8a31633b753308 MD5: 7a7a261530db35879c9c080cc46084de |
M21-ehog1 | Trickbot_d9ce38bc | Windows |
This strike sends a malware sample known as Trickbot. Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts. | d9ce38bc0aeac55de3ee8b579a68e177 | https://blog.talosintelligence.com/2021/08/threat-roundup-0730-0806.html SHA256: 287a910ea787f13609d4c8002a0ac86b8068a6fca8bfadb0c1d2b1fb63436b96 SHA1: 9ff572bcb26693f810c6763403e3feb8f8e12672 MD5: d9ce38bc0aeac55de3ee8b579a68e177 |
M21-ji551 | Qakbot_a2f1f09d | Windows |
This strike sends a malware sample known as Qakbot. Qakbot, aka Qbot, has been around since at least 2008. Qbot primarily targets sensitive information like banking credentials but can also steal FTP credentials and spread across a network using SMB. | a2f1f09d1bbe5bfc8630fab2187811ee | https://blog.talosintelligence.com/2021/08/threat-roundup-0806-0813.html SHA256: 3b06eecb334b5f57bde24eeb0a7c4147fc01713c8c3e8f0a660a4e8a9a5df3e1 SHA1: b6b1892d0180b9f2b255a1f9a15d2e370d66393b MD5: a2f1f09d1bbe5bfc8630fab2187811ee |
M21-vvac1 | Qakbot_9e4bb7c2 | Windows |
This strike sends a malware sample known as Qakbot. Qakbot, aka Qbot, has been around since at least 2008. Qbot primarily targets sensitive information like banking credentials but can also steal FTP credentials and spread across a network using SMB. | 9e4bb7c2bff8cc4245bf1327e84f125b | https://blog.talosintelligence.com/2021/08/threat-roundup-0806-0813.html SHA256: 23c3b45782c70bccb1ca807e59486247c5b9074228e14ce9b3994003b354919f SHA1: 4a261263c86c5c1182312f6264260071003ce940 MD5: 9e4bb7c2bff8cc4245bf1327e84f125b |
M21-o9xj1 | Haron_92c2e2f6 | Windows |
This strike sends a polymorphic malware sample known as Haron. Haron is a ransomware that is being considered a copy or derivative of the Avaddon and Thanos ransomware. It uses the Thanos framework, which was made open source, to infect victims, and the Avaddon UI, which was also leaked. The binary has the timestamp field updated in the PE file header. | 92c2e2f66b9717304aa67c9114b959c2 | https://medium.com/s2wlab/quick-analysis-of-haron-ransomware-feat-avaddon-and-thanos-1ebb70f64dc4 SHA256: da105ee43fb48770f296a5b325dc29c57a992f5ac36ee815ac88663571bef3b4 https://attack.mitre.org/techniques/T1099/ PARENTID: M21-wlko1 SSDEEP: 1536:E3wWdw/3oHK8pEzgfIdmedUqPkYRzHKS396Fn2Y+aYxc13TpNw:EgWM32MOuPkc96Fnr+eQ SHA1: 08834c273c66cfec1ed7b5433eaba575f2a2e6f3 MD5: 92c2e2f66b9717304aa67c9114b959c2 |
M21-tl2b1 | Haron_27757047 | Windows |
This strike sends a malware sample known as Haron. Haron is a ransomware that is being considered a copy or derivative of the Avaddon and Thanos ransomware. It uses the Thanos framework, which was made open source, to infect victims, and the Avaddon UI, which was also leaked. | 277570474740f06232e009b5ff15d47a | https://medium.com/s2wlab/quick-analysis-of-haron-ransomware-feat-avaddon-and-thanos-1ebb70f64dc4 SHA256: 4852f22df095db43f2a92e99384ff7667020413e74f67fcbd42fca16f8f96f4c SHA1: 9cd9dee39f132cb398a3408cd16a53b98dafea7e MD5: 277570474740f06232e009b5ff15d47a |
M21-kg3n1 | Trickbot_fc0c2d9d | Windows |
This strike sends a malware sample known as Trickbot. Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts. | fc0c2d9dcb18806606d6e2673db4380a | https://blog.talosintelligence.com/2021/08/threat-roundup-0730-0806.html SHA256: 32ed191361a69cf8d93f2431fe449a822e812a5f08c9c7e8bb04acc543443a92 SHA1: e1bd9054f400bf10cf7d2baffe9643cd481feca9 MD5: fc0c2d9dcb18806606d6e2673db4380a |
M21-g8w11 | Trickbot_713bb022 | Windows |
This strike sends a malware sample known as Trickbot. Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts. | 713bb022f264a713db52286227714a58 | https://blog.talosintelligence.com/2021/08/threat-roundup-0730-0806.html SHA256: 2d465c82cfcd0f6121a68ff352d9f97aaa74c7c74527b6d8a9df2514a9ae0797 SHA1: b7f5ad8b97687f791e8c04bab5423302543361df MD5: 713bb022f264a713db52286227714a58 |
M21-zvav1 | Qakbot_d867d6d9 | Windows |
This strike sends a malware sample known as Qakbot. Qakbot, aka Qbot, has been around since at least 2008. Qbot primarily targets sensitive information like banking credentials but can also steal FTP credentials and spread across a network using SMB. | d867d6d9a9b8a1fdf2467f27088f5230 | https://blog.talosintelligence.com/2021/08/threat-roundup-0806-0813.html SHA256: 0ea2f761e10efb2a635185671de8ca90837745f5da186d84e6a3c564bd020903 SHA1: 7dfa6639d37a754e7097fec864568847fb658551 MD5: d867d6d9a9b8a1fdf2467f27088f5230 |
M21-e17h1 | Ramnit_2bef963c | Windows |
This strike sends a malware sample known as Ramnit. Ramnit is a banking trojan that has been around since 2010 and has recently been resuming activity. After infection, it scans files that have interesting keywords, such as "wallet", "passwords", or the names of the targeted banks. Ramnit uses malvertising and malware-laden spam for distribution, though it also employed popular exploit kits, such as Angler. | 2bef963c0d8b3c5d796dac3541489c08 | https://blog.talosintelligence.com/2021/08/threat-roundup-0813-0820.html SHA256: 0da2d59d76684e3912a82d88c978e16b65e3a9f8aea0c43d269953cff6956a7e SHA1: 861a7e9a9dcc20911775b8c9e33f221826dfe9ee MD5: 2bef963c0d8b3c5d796dac3541489c08 |
M21-ujrx1 | Qakbot_76f0cfb3 | Windows |
This strike sends a malware sample known as Qakbot. Qakbot, aka Qbot, has been around since at least 2008. Qbot primarily targets sensitive information like banking credentials but can also steal FTP credentials and spread across a network using SMB. | 76f0cfb3c8143fe677dae170a9804c66 | https://blog.talosintelligence.com/2021/08/threat-roundup-0806-0813.html SHA256: 0b77fdf610d7444d1fe1a7f5098d45152936fc48ca601b929281c587bb5133b8 SHA1: 2f230e16fe8e3ac4726e627add2439a92a9ae8a9 MD5: 76f0cfb3c8143fe677dae170a9804c66 |
M21-cjnm1 | DarkComet_d619583b | Windows |
This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system. | d619583b03bae980edca49feede8579c | https://blog.talosintelligence.com/2021/08/threat-roundup-0806-0813.html SHA256: 42c2c565e5844ee30f45e046984956949aa7b4268fa79fa3bca325079a0199b5 SHA1: c305d614c71d66208bf5bc3a378af9df5448b3e4 MD5: d619583b03bae980edca49feede8579c |
M21-z2da1 | Trickbot_d9547c4f | Windows |
This strike sends a malware sample known as Trickbot. Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts. | d9547c4f1c13fac1a1c7e8f8f67df45b | https://blog.talosintelligence.com/2021/08/threat-roundup-0730-0806.html SHA256: 307e3804d8a677f1c176534c8eb85e63f89421e6a1bf4477485c0a4e3eb9e9d1 SHA1: df765949f9714454985b29c770e92a2b06ce014a MD5: d9547c4f1c13fac1a1c7e8f8f67df45b |
M21-lmxx1 | Qakbot_9d0ed878 | Windows |
This strike sends a malware sample known as Qakbot. Qakbot, aka Qbot, has been around since at least 2008. Qbot primarily targets sensitive information like banking credentials but can also steal FTP credentials and spread across a network using SMB. | 9d0ed8785c88f732ebfc7d11637a57c7 | https://blog.talosintelligence.com/2021/08/threat-roundup-0806-0813.html SHA256: 3a1e5884cf079fdca3cb5b8385c53f780dd4c17a3165ccb4148f9916c3740614 SHA1: 4f046eb7ce469d0e97c98b54759b1cef56a3a365 MD5: 9d0ed8785c88f732ebfc7d11637a57c7 |
M21-5wpg1 | Qakbot_988e391a | Windows |
This strike sends a malware sample known as Qakbot. Qakbot, aka Qbot, has been around since at least 2008. Qbot primarily targets sensitive information like banking credentials but can also steal FTP credentials and spread across a network using SMB. | 988e391a7bd88b2d362e44d57e97a778 | https://blog.talosintelligence.com/2021/08/threat-roundup-0806-0813.html SHA256: 06d5ca9ab245e57ad65d2afa9633a2b7e11eca16555f5c5bf9f7a92d8f78e87d SHA1: e39f6a5faa08af6176494604a3a3d6f4ccab9876 MD5: 988e391a7bd88b2d362e44d57e97a778 |
M21-rxic1 | BlackMatter_6fd84253 | Windows |
This strike sends a polymorphic malware sample known as BlackMatter. BlackMatter is a Ransomware-as-a-Service or RaaS. It has followed in the footsteps of its predecessors DarkSide and REvil with a lot of the same functionality. It can elevate privileges, kill processes, and even steal the victim's details. The binary has random strings (lorem ipsum) appended at the end of the file. | 6fd842539aa3f5fd2e0474f3b48f877a | https://news.sophos.com/en-us/2021/08/09/blackmatter-ransomware-emerges-from-the-shadow-of-darkside/ SHA256: 234fb77f708ef2e34bff04de92e9b6e1995b54ebb083d1b8805a494d25617c94 https://attack.mitre.org/techniques/T1009/ PARENTID: M21-mfzl1 SSDEEP: 1536:RzICS4AT6GxdEe+TOdincJXvKv8Zg3kla:qR7auJXSkZg3Ca SHA1: 790e12fea4dd5c10bda6b51eabd8f2a24eff3b6d MD5: 6fd842539aa3f5fd2e0474f3b48f877a |
M21-df611 | DarkComet_eceac426 | Windows |
This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system. | eceac426ece31db82c011c3925d1561a | https://blog.talosintelligence.com/2021/08/threat-roundup-0806-0813.html SHA256: 5174169e7a1ef4ba358189dafac7eb4c514e4c12ecdc9525e2fe6cb5b35265ad SHA1: b0580608e253b296b588823f0ee9704a2c9a53dd MD5: eceac426ece31db82c011c3925d1561a |
M21-kt8f1 | Ramnit_156ff7ed | Windows |
This strike sends a malware sample known as Ramnit. Ramnit is a banking trojan that has been around since 2010 and has recently been resuming activity. After infection, it scans files that have interesting keywords, such as "wallet", "passwords", or the names of the targeted banks. Ramnit uses malvertising and malware-laden spam for distribution, though it also employed popular exploit kits, such as Angler. | 156ff7ed174247ad7a7132fa51664949 | https://blog.talosintelligence.com/2021/08/threat-roundup-0813-0820.html SHA256: d1f95a5223c6f4dc954e4ccbab6d58fa9e54ff9037c88f06c9814ab4a7877058 SHA1: 5347f3766750fe3e4968fdee3230f8e364cb5951 MD5: 156ff7ed174247ad7a7132fa51664949 |
M21-o1sv1 | BlackMatter_720f6799 | Windows |
This strike sends a polymorphic malware sample known as BlackMatter. BlackMatter is a Ransomware-as-a-Service or RaaS. It has followed in the footsteps of its predecessors DarkSide and REvil with a lot of the same functionality. It can elevate privileges, kill processes, and even steal the victim's details. The binary has the checksum removed in the PE file format. | 720f6799e6befa45cb4233b9631f4c82 | https://news.sophos.com/en-us/2021/08/09/blackmatter-ransomware-emerges-from-the-shadow-of-darkside/ SHA256: 9e18f6ebb169f6bc7ae18526f71e132f96b678809e7873df7c3bbb35d4d694ee https://arxiv.org/abs/1801.08917 PARENTID: M21-do2n1 SSDEEP: 1536:jzICS4AT6GxdEe+TOdincJXvKv8Zg3kl/:8R7auJXSkZg3C/ SHA1: 514b2d4a0747143989ec5458216723b78a93c919 MD5: 720f6799e6befa45cb4233b9631f4c82 |
M21-8qhl1 | Ramnit_bf70c723 | Windows |
This strike sends a malware sample known as Ramnit. Ramnit is a banking trojan that has been around since 2010 and has recently been resuming activity. After infection, it scans files that have interesting keywords, such as "wallet", "passwords", or the names of the targeted banks. Ramnit uses malvertising and malware-laden spam for distribution, though it also employed popular exploit kits, such as Angler. | bf70c7230fb57e3732a87cc5b09defa3 | https://blog.talosintelligence.com/2021/08/threat-roundup-0813-0820.html SHA256: 011597cdbf40d1f08a644d42c20e19175574a433a735eef887283c719ef8e63e SHA1: 9aae7d0c871579f122eb55b16aac785ef4c4e665 MD5: bf70c7230fb57e3732a87cc5b09defa3 |
M21-2ddo1 | DarkComet_b84ab2c0 | Windows |
This strike sends a malware sample known as DarkComet. DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system. | b84ab2c079ef2e9dad478abc81e3dee0 | https://blog.talosintelligence.com/2021/08/threat-roundup-0806-0813.html SHA256: 0d08e3c0b2f6668387b90dc0d21ebd8fec5de6393580cff145cdff8a32c10ea6 SHA1: b82b92d9f80fcf6e0196adac066ed123de3f2fc4 MD5: b84ab2c079ef2e9dad478abc81e3dee0 |
M21-ew801 | Qakbot_ba811d0b | Windows |
This strike sends a malware sample known as Qakbot. Qakbot, aka Qbot, has been around since at least 2008. Qbot primarily targets sensitive information like banking credentials but can also steal FTP credentials and spread across a network using SMB. | ba811d0b025160b8c7766be010784dca | https://blog.talosintelligence.com/2021/08/threat-roundup-0806-0813.html SHA256: 172b6ada107441489b8abc961f2548486487a15d5e3375417b9c6981e5d676e9 SHA1: 410146de3cd295234c2a6b5a13a322ebf4be0ab0 MD5: ba811d0b025160b8c7766be010784dca |
M21-wd911 | Haron_7806efea | Windows |
This strike sends a polymorphic malware sample known as Haron. Haron is a ransomware that is being considered a copy or derivative of the Avaddon and Thanos ransomware. It uses the Thanos framework, which was made open source, to infect victims, and the Avaddon UI, which was also leaked. The binary has a random section name renamed according to the PE format specification. | 7806efea649a3b312be91e609541359b | https://medium.com/s2wlab/quick-analysis-of-haron-ransomware-feat-avaddon-and-thanos-1ebb70f64dc4 SHA256: ae2168018a6b48e4e6bc61a042e40facc4260b138594cc22b0810e1b57e30803 https://arxiv.org/abs/1801.08917 PARENTID: M21-wlko1 SSDEEP: 1536:13wWdw/3oHK8pEzgfIdmedUqPkYRzHKS396Fn2Y+aYxc13TpNw:1gWM32MOuPkc96Fnr+eQ SHA1: 1c02c91cc5d63bf06e4c38965f6ec043d5fe221f MD5: 7806efea649a3b312be91e609541359b |